From christopher.lamb at ch.ibm.com Sat Aug 1 07:48:55 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Sat, 1 Aug 2015 09:48:55 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Matt

For a "how to" of Samba FreeIPA integration using schema extensions, see this previous thread:

https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

That should point to this techslaves article with the detailed instructions that we followed:

http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The main reason we went that way is that we have no AD domain, which seems to be required by other integration paths.

Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x). So things may be different on Ubuntu.

As always, when changing the LDAP schema, an LDAP browser like Apache Directory Studio is very useful to visualise what is going on and to verify if your changes are present! (And it is sometimes easier to change attributes manually rather than by LDAPMODIFY script....)

There is another ongoing thread in this mailing list about problems with the attribute SambaPwdLastSet.

Chris

From: "Matt ."
Cc: "freeipa-users at redhat.com"
Date: 31.07.2015 16:58
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by: freeipa-users-bounces at redhat.com

Hi,

This is nice to have confirmed.

Is it possible for you to describe what you do? It might be handy to add this to the IPA documentation also with some explanation why...

Cheers,

Matt

2015-07-31 16:55 GMT+02:00 Christopher Lamb :
> Hi
>
> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
> "shares" using their FreeIPA credentials. The only password mgmt problem
> that we have is, that the users get no notice of password expiry until
> "suddenly" their Samba user (really the FreeIPA user) password is not
> accepted when trying to connect to a share. Once the password is reset (via
> CLI or FreeIPA WebUi), they can access the shares again.
>
> Chris
>
> From: Youenn PIOLET
> To: "Matt ."
> Cc: "freeipa-users at redhat.com"
> Date: 31.07.2015 16:21
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi,
> I asked the very same question a few weeks ago, but no answer yet.
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>
> The only method I see is to install samba extensions in FreeIPA's LDAP
> directory, and bind samba with LDAP. There may be a lot of difficulties
> with password management doing this, that's why I'd like to get a better
> solution :)
>
> Anyone?
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-07-31 16:03 GMT+02:00 Matt . :
> Hi Guys,
>
> I'm really struggling getting a NON AD Samba server authing against a
> FreeIPA server:
>
> Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
> CentOS 7.1 -> FreeIPA 4.1
>
> Now this seems to be the way:
>
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> But as this, which I also found on the mailing lists:
>
> NOTE: Only Kerberos authentication will work when accessing Samba
> shares using this method. This means that Windows clients not joined
> to Active Directory forest trusted by IPA would not be able to access
> the shares. This is related to SSSD not yet being able to handle
> NTLMSSP authentication.
>
> It might not be that easy to have a Samba Shares only server.
>
> Any idea here how to accomplish?
>
> Cheers,
>
> Matt
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Sat Aug 1 09:29:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 1 Aug 2015 12:29:00 +0300
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
In-Reply-To: <55BB84F9.1050905@fedoraproject.org>
References: <55BAA6C9.90406@fedoraproject.org> <20150731075236.GJ20980@p.redhat.com> <55BB84F9.1050905@fedoraproject.org>
Message-ID: <20150801092900.GB3235@redhat.com>

On Fri, 31 Jul 2015, Dan Mossor wrote:
>On 07/31/2015 02:52 AM, Sumit Bose wrote:
>>
>>Thank you for the detailed analysis. I guess the 'server was
>>inaccessible' error is due to the fact that currently FreeIPA does not
>>have a global catalog, because Windows typically tries to get SIDs from
>>remote objects from the Global Catalog.
>>
>>>
>>>So, to those of y'all that operate in secure environments, what trick do you
>>>use to fully integrate IPA and Active Directory?
>>
>>With FreeIPA-4.2 the one-way trust feature is introduced. The main
>>difference to the current scheme is that with one-way trust the FreeIPA
>>server does not use its host credentials (host keytab) from the IPA
>>domain to access the AD DC but uses the trusted domain user
>>(IPADOM$@AD.DOMAIN) to access the AD DC. Since this is an object from
>>the AD domain it should be possible to assign the needed permissions to
>>this object.
>>
>>Currently I have no idea how this can be solved with older version.
>>Maybe there is a tool on the Windows side which lets you add SIDs
>>manually into the "Access this computer from the network" policy? If
>>there is one you can try to add IPA-SID-515 (where you have to replace
>>IPA-SID by the IPA domain SID).
>>
>>HTH
>>
>>bye,
>>Sumit
>>
>
>I didn't think the SID was even being evaluated - the authentication
>being attempted was through Kerberos, which I understand only uses host
>keytabs, not SIDs. Am I correct in this situation?
No, you are not. For starters, authentication with Kerberos deals with
tickets, not keytabs. You obtain a ticket granting ticket, either with
the explicit password or with credentials from the keytab. Using a ticket
granting ticket you ask the KDC to give you a ticket for your target service.

In case of cross-forest bi-directional trust, this results roughly in the
following sequence:

1. I have credentials for host/master.ipa.domain at IPA.DOMAIN
2. I obtain a ticket granting ticket, krbtgt/IPA.DOMAIN at IPA.DOMAIN
3. Using the TGT I ask my KDC for a ticket for ldap/dc.ad.domain at AD.DOMAIN
3.1. Since this service is not from my realm, my KDC looks for the existence
of the principal krbtgt/IPA.DOMAIN at AD.DOMAIN in its own database
3.2. If bi-directional trust is established, my KDC has this principal in
its own database and it can issue me a ticket for this service
3.4. I get a ticket to krbtgt/IPA.DOMAIN at AD.DOMAIN and a referral to the
AD DC to complete acquisition of the ticket to ldap/dc.ad.domain at AD.DOMAIN
4. Using the ticket to krbtgt/IPA.DOMAIN at AD.DOMAIN, I ask the AD DC to
give me a ticket to ldap/dc.ad.domain at AD.DOMAIN.
4.1. The AD DC looks into the content of the ticket to
krbtgt/IPA.DOMAIN at AD.DOMAIN and searches there for a special record,
named MS-PAC (https://msdn.microsoft.com/en-us/library/cc237917.aspx).
MS-PAC contains a privilege attribute certificate issued by my KDC,
explaining who the original user is in terms of the AD domain: what is
his name, SID, group membership and so on. A ticket without MS-PAC will
be refused immediately because the AD DC cannot otherwise map the Kerberos
principal (host/master.ipa.domain at IPA.DOMAIN) to something it needs to
run its own policy decision.

And this is where everything is tied together. A KDC on an IPA master is
instructed to only issue MS-PAC records to tickets of user principals if
they have a SID assigned to them, _and_ to the following principals:

- host/master.ipa.domain at IPA.DOMAIN
- cifs/master.ipa.domain at IPA.DOMAIN
- HTTP/master.ipa.domain at IPA.DOMAIN

for all IPA masters which were initialized with ipa-adtrust-install -- and
nothing else. Any IPA client's host/client.ipa.domain at IPA.DOMAIN couldn't
get an MS-PAC record and couldn't talk to the AD DC, for example.

These special principals (host/, cifs/, HTTP/) get assigned a SID of the
Domain Computers group in the IPA domain (-515).

Back to the AD DC.

4.2. The AD DC runs a policy check on who can access the LDAP service. In
a default setup it would be 'Authenticated users', which allows anyone
with a Kerberos ticket containing a valid MS-PAC record to be granted
access to the LDAP service. As you have changed the policy, this does not
apply anymore, and the list of SIDs the AD DC finds in the
host/master.ipa.domain at IPA.DOMAIN ticket is checked against the list of
SIDs in your policy.
4.3. As you don't have IPA SIDs in the policy,
host/master.ipa.domain at IPA.DOMAIN is rejected access to the LDAP service.

The real problem here is in the fact that you couldn't add IPA domain SIDs
to the policy. To do so, the Windows UI needs to be able to resolve names
of groups from the IPA forest to SIDs, and it is unable to do so because
IPA does not provide such a service.

With one-way trust IPA masters are changed to use a special object that
exists in the AD forest root domain. You can then assign access rights to
this object (IPA$@AD.DOMAIN) using your Windows UI.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Sat Aug 1 09:33:41 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 1 Aug 2015 12:33:41 +0300
Subject: [Freeipa-users] Setting up Active Directory trusts in a secure environment
In-Reply-To: <55BB9C74.3030804@fedoraproject.org>
References: <55BAA6C9.90406@fedoraproject.org> <20150731075236.GJ20980@p.redhat.com> <55BB84F9.1050905@fedoraproject.org> <20150731150848.GD10777@p.redhat.com> <55BB9C74.3030804@fedoraproject.org>
Message-ID: <20150801093341.GC3235@redhat.com>

On Fri, 31 Jul 2015, Dan Mossor wrote:
>On 07/31/2015 10:08 AM, Sumit Bose wrote:
>>On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote:
>>>On 07/31/2015 02:52 AM, Sumit Bose wrote:
>>>>[...]
>>>
>>>I didn't think the SID was even being evaluated - the authentication being
>>>attempted was through Kerberos, which I understand only uses host keytabs,
>>>not SIDs. Am I correct in this situation?
>>
>>yes and no :-) The keytab is used to get a TGT and then a cross-realm
>>TGT from the IPA KDC. The IPA KDC will add a PAC to the TGTs which
>>contains additional authorization data including SIDs. The PAC is then
>>used on the Windows side to evaluate if access is granted or not.
>>
>>bye,
>>Sumit
>>
>
>Building on what you said regarding the one-way trust, I already have
>an IPA user in Active Directory that I created when I was initially
>setting this up as a synchronized domain instead of a trust.
>
>There are two ways I can go here - I can either revert back to the
>password sync and replication, or somehow convince IPA to use that
>user for the trust relationship. I suspect it will be impossible without
>a patch to use a user account instead of Kerberos for the trust, so
>that leaves going back to the replication setup.
The latter is impossible. You can try FreeIPA 4.2 with one-way trust
once it becomes available for your platform.

I've asked on this list two weeks ago if anyone is interested in seeing
FreeIPA 4.2 released for CentOS in a test repo before it comes via the
official path after the release of the next Red Hat Enterprise Linux
update. Today I received zero responses, which leaves me puzzled.

--
/ Alexander Bokovoy

From yamakasi.014 at gmail.com Sat Aug 1 17:13:51 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Aug 2015 19:13:51 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install

Hi Guys,

I'm doing a replica install where my admin password for the SSH check to the master is not accepted.

The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this.

What can I check?
Cheers,

Matt

From yamakasi.014 at gmail.com Sat Aug 1 17:51:57 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Aug 2015 19:51:57 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,

Yes I found that earlier, that looks good and even better when you confirm this as really usable.

For Samba 4 the IPA devs are very busy but I wonder indeed what happens when we "need" to move because integration has been improved. I try to keep IPA as native as I can.

So this is the best way to go for now, even when this thread is so "old"?

Thanks!

Matt

2015-08-01 9:48 GMT+02:00 Christopher Lamb :
> [...]

From tde3000 at gmail.com Sat Aug 1 19:19:19 2015
From: tde3000 at gmail.com (John Stein)
Date: Sat, 01 Aug 2015 19:19:19 +0000
Subject: [Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone
In-Reply-To: <20150727143009.GC21928@redhat.com>
References: <20150727143009.GC21928@redhat.com>

Hi,

Thanks for the reply.

Any idea when the GSSAPI-updating bug fix will get to RHEL 7?

Thanks again,

John

On Mon, Jul 27, 2015 at 5:30 PM Alexander Bokovoy wrote:
> On Mon, 27 Jul 2015, John Stein wrote:
> >Hi,
> >
> >I consider deploying IPA in my organization. The environment is disconnected
> >from the internet. I have some concerns I'm not sure how to resolve.
> >
> >The environment consists mostly of windows servers (thousands) and
> >workstations (ten thousand) managed by AD (CORP.COM). There is also a small
> >linux environment (up to a thousand servers) that are currently not
> >centrally managed (user-wise).
> >
> >I want to utilize IPA and the AD trust feature to implement SSO.
> >
> >I'd like to have a sub-domain run by IPA (LINUX.CORP.COM).
> >
> >Because the environment is windows dominated, the AD is used as the
> >authoritative DNS server for all forward and reverse lookup zones.
> >
> >The AD trust requires that both the IPA and AD will be authoritative over
> >their respective forward and reverse lookup zones. However, the linux and
> No. We require that *some entity* is responsible for the zones. If you
> put everything in AD DNS, fine, but then you are responsible for manual
> update of the zone records and that all specific records are there.
>
> >windows servers are spread across multiple subnets without any big-scale
> >logic, therefore it is not practical to create a reverse lookup zone for
> >each subnet in the IPA server as those subnets contain both linux and
> >windows machines.
> You cannot have machines from IPA and AD domains in the same DNS zone at
> the same time. A/AAAA records of those IPA and AD machines must belong
> to different DNS zones.
>
> This is a basic requirement of Active Directory deployment -- each AD
> domain is responsible for at least one DNS zone and you cannot have
> machines from two different AD domains in the same DNS zone.
>
> >I came up with some solutions:
> >
> >1) Have only the AD as a DNS server and give up on ipa-client-install and
> >automatic client registration.
> Totally unrelated to how you handle DNS zones. ipa-client-install does
> not require you to allow creation of DNS records. It can sufficiently
> work with a configuration where a DNS record for the host is
> pre-created.
>
> >2) DNS synchronization between IPA and AD.
> Unrelated and is not recommended. In DNS lexicon only a single entity is
> responsible for a single DNS zone. IPA cannot be authoritative at the
> same time as AD. (Nor do we support IPA being a slave for another DNS
> server).
>
> >3) Have the IPA manage the forward zone (linux.corp.com), and have the
> >clients update their own A record automatically upon ipa-client-install,
> >while having the AD manage the reverse zones (A or B class subnets) with me
> >creating the PTR records manually. The IPA will be configured as a
> >conditional forwarder for linux.corp.com, while the AD will be configured
> >as a global forwarder in the IPA server.
> That would work. There is a bug in the nsupdate tool that prevents you from
> GSSAPI-updating PTR records (over AD trust) so going with manual PTR
> records would work.
>
> You need to make sure AD has no policy to periodically remove PTR
> records for Linux machines.
>
> --
> / Alexander Bokovoy

From yamakasi.014 at gmail.com Sat Aug 1 19:51:16 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Aug 2015 21:51:16 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To: <55BD1F54.9050504@gmail.com>
References: <55BD1F54.9050504@gmail.com>

Hi,

This didn't fix it yet.

I wonder if there are any checks I can do, as in the very past I was able to do a simple replica without any issues.

Matt

2015-08-01 21:34 GMT+02:00 Janelle :
> Double check you do not have "AllowGroups" set in your /etc/ssh/sshd_config
> file. If you do, add the "admins" group.
>
> Also, make sure on the master, that the /etc/nsswitch.conf was properly
> updated. Several server installs I have done, have left off the "sss" for
> "passwd", "group" and "shadow".
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
> I bet one of those will fix your problem. Restart sssd and/or sshd if you
> have to make changes.
>
> ~Janelle
>
> On 8/1/15 10:13 AM, Matt . wrote:
>>
>> Hi Guys,
>>
>> I'm doing a replica install where my admin password for the SSH check
>> to the master is not accepted.
>>
>> The password is not expired, I can use it on the GUI and even changing
>> it in the GUI doesn't fix this.
>>
>> What can I check?
>>
>> Cheers,
>>
>> Matt
>>
>

From janellenicole80 at gmail.com Sat Aug 1 20:02:35 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sat, 1 Aug 2015 13:02:35 -0700
Subject: [Freeipa-users] Admin password not accepted during replica install
References: <55BD1F54.9050504@gmail.com>
Message-ID: <55BD25DB.2020304@gmail.com>

What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are your best friend.
Also, a simple "ssh -vvv" will help.

~J

On 8/1/15 12:51 PM, Matt . wrote:
> [...]

From yamakasi.014 at gmail.com Sat Aug 1 20:05:33 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Aug 2015 22:05:33 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To: <55BD25DB.2020304@gmail.com>
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com>

This is actually the most important part, and the GSS failure concerns me:

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil)),
debug2: key: /root/.ssh/id_dsa ((nil)),
debug2: key: /root/.ssh/id_ecdsa ((nil)),
debug2: key: /root/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
admin at ipa-01.domain.local's password:
debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.

2015-08-01 22:02 GMT+02:00 Janelle :
> [...]

From janellenicole80 at gmail.com Sat Aug 1 20:15:46 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sat, 1 Aug 2015 13:15:46 -0700
Subject: [Freeipa-users] Admin password not accepted during replica install
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com>
Message-ID: <55BD28F2.9060007@gmail.com>

lastly -- on the master - do you get the same error if you "kinit admin"?

~J

On 8/1/15 1:05 PM, Matt .
wrote:
> This actually the most important part, and the GSS Failure concerns me:
>
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /root/.ssh/id_rsa ((nil)),
> debug2: key: /root/.ssh/id_dsa ((nil)),
> debug2: key: /root/.ssh/id_ecdsa ((nil)),
> debug2: key: /root/.ssh/id_ed25519 ((nil)),
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure. Minor code may provide more information
>
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> No Kerberos credentials available
>
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/id_rsa
> debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ecdsa
> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ed25519
> debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> admin at ipa-01.domain.local's password:
> debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
>
> 2015-08-01 22:02 GMT+02:00 Janelle :
>> What is in the logs on the machine that is failing? Can you login to admin
>> from anywhere? Logs are your best friend.
>> Also, a simple "ssh -vvv" will help.
>>
>> ~J
>>
>> On 8/1/15 12:51 PM, Matt . wrote:
>>> Hi,
>>>
>>> This didn't fix it yet.
>>>
>>> I wonder if there are any checks I can do as in the very past I was
>>> able to do a simple replica without any issues.
>>>
>>> Matt
>>>
>>> 2015-08-01 21:34 GMT+02:00 Janelle :
>>>> Double check you do not have "AllowGroups" set in your /etc/ssh/sshd_config
>>>> file. If you do, add the "admins" group.
>>>>
>>>> Also, make sure on the master, that the /etc/nsswitch.conf was properly
>>>> updated. Several server installs I have done, have left off the "sss" for
>>>> "passwd", "group" and "shadow".
>>>>
>>>> passwd: files sss
>>>> shadow: files sss
>>>> group: files sss
>>>>
>>>> I bet one of those will fix your problem. Restart sssd and/or sshd if you
>>>> have to make changes.
>>>>
>>>> ~Janelle
>>>>
>>>> On 8/1/15 10:13 AM, Matt . wrote:
>>>>> Hi Guys,
>>>>>
>>>>> I'm doing a replica install where my admin password for the SSH check
>>>>> to the master is not accepted.
>>>>>
>>>>> The password is not expired, I can use it on the GUI and even changing
>>>>> it in the GUI doesn't fix this.
>>>>>
>>>>> What can I check ?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt

From yamakasi.014 at gmail.com Sat Aug 1 20:26:49 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Aug 2015 22:26:49 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To: <55BD28F2.9060007@gmail.com>
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com> <55BD28F2.9060007@gmail.com>
Message-ID:

kinit admin works perfectly, that is so strange.

2015-08-01 22:15 GMT+02:00 Janelle :
> lastly -- on the master - do you get the same error if you "kinit admin"?
> ~J
>
> On 8/1/15 1:05 PM, Matt .
wrote:
>> [...]

From janellenicole80 at gmail.com Sat Aug 1 20:52:27 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sat, 1 Aug 2015 13:52:27 -0700
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To:
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com> <55BD28F2.9060007@gmail.com>
Message-ID: <55BD318B.1030305@gmail.com>

which points to the configuration of sssd.conf and/or nsswitch.conf
It is in there. If you say there are no AllowGroups in sshd, it has to be in
one of those 2 places.

~J

On 8/1/15 1:26 PM, Matt . wrote:
> kinit admin works perfectly, that is so strange.
>
> 2015-08-01 22:15 GMT+02:00 Janelle :
>> lastly -- on the master - do you get the same error if you "kinit admin"?
>> ~J
>>
>> On 8/1/15 1:05 PM, Matt .
wrote:
>>> [...]

From yamakasi.014 at gmail.com Sat Aug 1 21:05:08 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Aug 2015 23:05:08 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To: <55BD318B.1030305@gmail.com>
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com> <55BD28F2.9060007@gmail.com> <55BD318B.1030305@gmail.com>
Message-ID:

I even checked working version (IPA clusters) and they don't even have
this AllowGroups.

Am I missing something ?

2015-08-01 22:52 GMT+02:00 Janelle :
> which points to the configuration of sssd.conf and/or nsswitch.conf
> It is in there. If you say there are no AllowGroups in sshd, it has to be in
> one of those 2 places.
>
> ~J
>
> On 8/1/15 1:26 PM, Matt . wrote:
>>
>> kinit admin works perfectly, that is so strange.
>>
>> 2015-08-01 22:15 GMT+02:00 Janelle :
>>> lastly -- on the master - do you get the same error if you "kinit admin"?
>>> ~J
>>>
>>> On 8/1/15 1:05 PM, Matt . wrote:
>>>> [...]

From yamakasi.014 at gmail.com Sun Aug 2 11:31:51 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 2 Aug 2015 13:31:51 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <:
> Hi,
>
> Yes I found that earlier, that looks good and even better when you
> confirm this as really usable.
>
> For Samba 4 the IPA devs are very busy but I wonder indeed what
> happens when we "need" to move because integration has been improved.
>
> I try to keep IPA as native as I can.
>
> So this is the best way to go for now, even when this thread is such "old" ?
>
> Thanks!
>
> Matt
>
> 2015-08-01 9:48 GMT+02:00 Christopher Lamb :
>> [...]

From janellenicole80 at gmail.com Sun Aug 2 21:59:52 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Sun, 2 Aug 2015 14:59:52 -0700
Subject: [Freeipa-users] Adding SAN to default self-signed cert?
Message-ID: <55BE92D8.1090008@gmail.com>

Hello everyone,

I was wondering if anyone knows of a way to add SAN(s) to the self-signed
certificates that are installed when you installed freeipa? Or am I stuck
having to do a re-install and use new certificates? If you try to run
haproxy as a load balancer in front of the "ldap/http" servers, well, as you
might guess the haproxy server name needs to be added somehow to the server
configs so it is a SAN of the existing self-signed certs. I can't think of
any way to do it, but maybe some of the pki experts here have any idea?

Thank you
~Janelle

From ftweedal at redhat.com Mon Aug 3 03:53:37 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 3 Aug 2015 13:53:37 +1000
Subject: [Freeipa-users] Adding SAN to default self-signed cert?
In-Reply-To: <55BE92D8.1090008@gmail.com>
References: <55BE92D8.1090008@gmail.com>
Message-ID: <20150803035337.GC4843@dhcp-40-8.bne.redhat.com>

On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
> Hello everyone,
>
> I was wondering if anyone knows of a way to add SAN(s) to the self-signed
> certificates that are installed when you installed freeipa?
Or am I stuck
> having to do a re-install and use new certificates? If you try to run
> haproxy as a load balancer in front of the "ldap/http" servers, well, as you
> might guess the haproxy server name needs to be added somehow to the server
> configs so it is a SAN of the existing self-signed certs. I can't think of
> any way to do it, but maybe some of the pki experts here have any idea?
>
> Thank you
> ~Janelle
>
You do not need a SAN on the root certificate, but on the service
certificates. This is supported: you first need to create a service
principal for the load balancer, then issue a new service certificate
with the haproxy SAN in the CSR (the getcert `-D' option can be used to
add a SAN to a certmonger request).

HTH,
Fraser

From mkosek at redhat.com Mon Aug 3 06:47:40 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 3 Aug 2015 08:47:40 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To:
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com> <55BD28F2.9060007@gmail.com> <55BD318B.1030305@gmail.com>
Message-ID: <55BF0E8C.6020400@redhat.com>

When this command failed for me, it usually was a problem with SSSD on the
master. The service was down, offline or simply something was wrong with it.

On the master, I would try:

$ id admin
$ ssh admin at localhost # (with password)

If that works, try manual

$ ssh admin at ipa.master.server # with password

and

$ kinit admin #(you can use temporary krb5.conf pointing to IPA master)
$ ssh admin at ipa.master.server # with password

to see what's really wrong.

Martin

On 08/01/2015 11:05 PM, Matt . wrote:
> I even checked working version (IPA clusters) and they don't even have
> this AllowGroups.
>
> Am I missing something ?
>
> 2015-08-01 22:52 GMT+02:00 Janelle :
>> [...]

From christopher.lamb at ch.ibm.com Mon Aug 3 07:34:16 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 3 Aug 2015 09:34:16 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Matt

When we originally integrated FreeIPA and Samba we were on 3.x for both
products. We are now on 4.x for both.

The FreeIPA server was a new setup, with users and hosts migrated across
(not replicated). We then ran the scripts in the techslave article.
I will look back and see if I can find any notes from the time we did the
integration.

Chris



From: "Matt ."
To:
Cc: "freeipa-users at redhat.com"
Date: 02.08.2015 13:33
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by: freeipa-users-bounces at redhat.com



Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF

And I'm unsure about the python files as they are slightly different on 4.1

Thanks!

2015-08-01 19:51 GMT+02:00 Matt . :
> Hi,
>
> Yes I found that earlier, that looks good and even better when you
> confirm this as really usable.
>
> For Samba 4 the IPA devs are very busy but I wonder indeed what
> happens when we "need" to move because integration has been improved.
>
> I try to keep IPA as native as I can.
>
> So this is the best way to go for now, even when this thread is such "old" ?
>
> Thanks!
>
> Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From christopher.lamb at ch.ibm.com Mon Aug 3 07:53:43 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 3 Aug 2015 09:53:43 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Matt

Thankfully I saved the output from those ldapmodify commands (against
FreeIPA 4.1) and was able to find it again!
In our case sambagrouptype also seems to have already been present, so that
should not hurt.

[root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> changetype: add
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
SASL/GSSAPI authentication started
SASL username: lamb@MY.SILLY.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
ldap_add: Already exists (68)

Chris



From: "Matt ."
To:
Cc: "freeipa-users at redhat.com"
Date: 02.08.2015 13:33
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by: freeipa-users-bounces at redhat.com



Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF

And I'm unsure about the python files as they are slightly different on 4.1

Thanks!

From christopher.lamb at ch.ibm.com Mon Aug 3 07:58:52 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 3 Aug 2015 09:58:52 +0200
Subject: [Freeipa-users] Admin password not accepted during replica install
In-Reply-To: <55BF0E8C.6020400@redhat.com>
References: <55BD1F54.9050504@gmail.com> <55BD25DB.2020304@gmail.com>
	<55BD28F2.9060007@gmail.com> <55BD318B.1030305@gmail.com>
	<55BF0E8C.6020400@redhat.com>

Have you considered clock skew? It is probably not the cause here, but is
worth eliminating "just in case". A difference as small as 5 minutes between
the clocks of the client and server can cause problems with authentication.

Chris



From: Martin Kosek
To: "Matt ." , Janelle
Cc: "freeipa-users at redhat.com"
Date: 03.08.2015 08:49
Subject: Re: [Freeipa-users] Admin password not accepted during replica install
Sent by: freeipa-users-bounces at redhat.com



When this command failed for me, it usually was a problem with SSSD on the
master. The service was down, offline or simply something was wrong with it.
On the master, I would try:

$ id admin
$ ssh admin@localhost # (with password)

If that works, try manually

$ ssh admin@ipa.master.server # with password

and

$ kinit admin # (you can use a temporary krb5.conf pointing to the IPA master)
$ ssh admin@ipa.master.server # with password

to see what's really wrong.

Martin

On 08/01/2015 11:05 PM, Matt . wrote:
> I even checked working versions (IPA clusters) and they don't even have
> this AllowGroups.
>
> Am I missing something ?
>
> 2015-08-01 22:52 GMT+02:00 Janelle :
>> which points to the configuration of sssd.conf and/or nsswitch.conf
>> It is in there. If you say there are no AllowGroups in sshd, it has to be in
>> one of those 2 places.
>>
>> ~J
>>
>> On 8/1/15 1:26 PM, Matt . wrote:
>>>
>>> kinit admin works perfectly, that is so strange.
>>>
>>> 2015-08-01 22:15 GMT+02:00 Janelle :
>>>>
>>>> lastly -- on the master - do you get the same error if you "kinit admin"?
>>>> ~J
>>>>
>>>> On 8/1/15 1:05 PM, Matt . wrote:
>>>>>
>>>>> This is actually the most important part, and the GSS failure concerns me:
>>>>>
>>>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>>> debug2: key: /root/.ssh/id_rsa ((nil)),
>>>>> debug2: key: /root/.ssh/id_dsa ((nil)),
>>>>> debug2: key: /root/.ssh/id_ecdsa ((nil)),
>>>>> debug2: key: /root/.ssh/id_ed25519 ((nil)),
>>>>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>>>>> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
>>>>> debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
>>>>> debug3: authmethod_lookup gssapi-keyex
>>>>> debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled gssapi-keyex
>>>>> debug1: Next authentication method: gssapi-keyex
>>>>> debug1: No valid Key exchange context
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup gssapi-with-mic
>>>>> debug3: remaining preferred: publickey,keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled gssapi-with-mic
>>>>> debug1: Next authentication method: gssapi-with-mic
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>>>> No Kerberos credentials available
>>>>>
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>>>> No Kerberos credentials available
>>>>>
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>>>>
>>>>>
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>>>> No Kerberos credentials available
>>>>>
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup publickey
>>>>> debug3: remaining preferred: keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled publickey
>>>>> debug1: Next authentication method: publickey
>>>>> debug1: Trying private key: /root/.ssh/id_rsa
>>>>> debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
>>>>> debug1: Trying private key: /root/.ssh/id_dsa
>>>>> debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
>>>>> debug1: Trying private key: /root/.ssh/id_ecdsa
>>>>> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
>>>>> debug1: Trying private key: /root/.ssh/id_ed25519
>>>>> debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup password
>>>>> debug3: remaining preferred: ,password
>>>>> debug3: authmethod_is_enabled password
>>>>> debug1: Next authentication method: password
>>>>> admin@ipa-01.domain.local's password:
>>>>> debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
>>>>> debug2: we sent a password packet, wait for reply
>>>>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>>>>> Permission denied, please try again.
>>>>>
>>>>> 2015-08-01 22:02 GMT+02:00 Janelle :
>>>>>>
>>>>>> What is in the logs on the machine that is failing? Can you login to
>>>>>> admin from anywhere? Logs are your best friend.
>>>>>> Also, a simple "ssh -vvv" will help.
>>>>>>
>>>>>> ~J
>>>>>>
>>>>>> On 8/1/15 12:51 PM, Matt . wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This didn't fix it yet.
>>>>>>>
>>>>>>> I wonder if there are any checks I can do as in the very past I was
>>>>>>> able to do a simple replica without any issues.
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-01 21:34 GMT+02:00 Janelle :
>>>>>>>>
>>>>>>>> Double check you do not have "AllowGroups" set in your
>>>>>>>> /etc/ssh/sshd_config file. If you do, add the "admins" group.
>>>>>>>>
>>>>>>>> Also, make sure on the master, that the /etc/nsswitch.conf was
>>>>>>>> properly updated. Several server installs I have done, have left off
>>>>>>>> the "sss" for "passwd", "group" and "shadow".
>>>>>>>>
>>>>>>>> passwd: files sss
>>>>>>>> shadow: files sss
>>>>>>>> group: files sss
>>>>>>>>
>>>>>>>> I bet one of those will fix your problem. Restart sssd and/or sshd if
>>>>>>>> you have to make changes.
>>>>>>>>
>>>>>>>> ~Janelle
>>>>>>>>
>>>>>>>> On 8/1/15 10:13 AM, Matt . wrote:
>>>>>>>>>
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm doing a replica install where my admin password for the SSH
>>>>>>>>> check to the master is not accepted.
>>>>>>>>>
>>>>>>>>> The password is not expired, I can use it on the GUI and even
>>>>>>>>> changing it in the GUI doesn't fix this.
>>>>>>>>>
>>>>>>>>> What can I check ?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>
>

From jhrozek at redhat.com Mon Aug 3 08:14:48 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 3 Aug 2015 10:14:48 +0200
Subject: [Freeipa-users] Is there any delay after applied rules to user?
In-Reply-To: <55BADB32.5010405@xtremenitro.org>
References: <20150729143950.GD3188@hendrix.arn.redhat.com>
	<55B8EB32.8040507@xtremenitro.org>
	<20150730071813.GI32525@hendrix.redhat.com>
	<20150730073330.GJ32525@hendrix.redhat.com>
	<55BA140B.4080400@xtremenitro.org>
	<20150730135451.GO32525@hendrix.redhat.com>
	<55BA39AF.7060208@xtremenitro.org>
	<20150730184725.GA10365@hendrix.redhat.com>
	<55BADB32.5010405@xtremenitro.org>
Message-ID: <20150803081448.GU3520@hendrix.arn.redhat.com>

On Fri, Jul 31, 2015 at 09:19:30AM +0700, Dewangga Bachrul Alam wrote:
> Hello!
>
> Sorry for making you confused.
>
> The main problem is the cache on ipa server/client. How long the cache
> remains active and refreshes with the correct policy/rules.

See man sssd-sudo for an explanation of the sudo lookups.

>
> Whenever I set the sudo rules, modify another configuration (policy,
> etc), there is always a delay.

The best would be to run one such example with logs to see what queries
exactly sssd ran and to also rule out sssd going offline later in the
process.

>
> And until now, the global_policy still didn't use the correct configuration.
> It's still using the min 0, max 0 configuration (I set this policy
> yesterday, and reverted it back to min 1 max 90 yesterday too)
>
> Any hints?
>
> On 07/31/2015 01:47 AM, Jakub Hrozek wrote:
> > On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
> >> Hello!
> >>
> >> I don't know where to start tracking down this issue. I found
> >> something else interesting.
> >>
> >> 1. Set `global_policy` password expiry (both min and max) to 0 (zero)
> >> 2. Add user called `dummy`
> >> 3. Set global_policy password expiry min (1) and max (90).
> >> 4. Add user called `dummy2`
> >>
> >> Both users dummy and dummy2 have the same password expiration :D
> >> This problem is the same when assigning sudo/group to a user.
> >>
> >> I set debug_level = 7 in the following sections in sssd.conf :
> >>
> >> [domain/mydomain.co.id]
> >> ..
> >> debug_level = 7
> >> ..
> >>
> >> [sssd]
> >> ..
> >> debug_level = 7
> >> ..
> >>
> >> [sudo]
> >> ..
> >> debug_level = 7
> >> ..
> >>
> >> I didn't find any related information about the 4 steps above.
> >
> > I'm sorry, but I'm getting a bit confused about what is and what is not
> > the problem. Can we take a step back and see what works in your
> > environment and what does not?
> >
> > Can you describe the workflow?
>

From yamakasi.014 at gmail.com Mon Aug 3 10:17:18 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 3 Aug 2015 12:17:18 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,

Thanks for that verification!

It seems that:

/usr/share/ipa/ui/group.js

Is not there on IPA 4.1, also there is no .js at all on the whole system.

Any idea there ?

Thanks again!

Matt

2015-08-03 9:53 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> Thankfully I saved the output from those ldapmodify commands (against
> FreeIPA 4.1) and was able to find it again!
>
> In our case sambagrouptype also seems to have already been present, so that
> should not hurt.
>
> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>> changetype: add
>> add: ipaCustomFields
>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> EOF
> SASL/GSSAPI authentication started
> SASL username: lamb@MY.SILLY.EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
> ldap_add: Already exists (68)
>
> Chris

From yamakasi.014 at gmail.com Mon Aug 3 10:43:36 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 3 Aug 2015 12:43:36 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

In my previous reply, I meant "no group.js at all".

2015-08-03 12:17 GMT+02:00 Matt . :
> Hi Chris,
>
> Thanks for that verification!
>
> It seems that:
>
> /usr/share/ipa/ui/group.js
>
> Is not there on IPA 4.1, also there is no .js at all on the whole system.
>
> Any idea there ?
>
> Thanks again!
>
> Matt
>
> 2015-08-03 9:53 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> Thankfully I saved the output from those ldapmodify commands (against
>> FreeIPA 4.1) and was able to find it again!
>>
>> In our case sambagrouptype also seems to have already been present, so that
>> should not hurt.
>>
>> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>> changetype: add
>>> add: ipaCustomFields
>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>> EOF
>> SASL/GSSAPI authentication started
>> SASL username: lamb@MY.SILLY.EXAMPLE.COM
>> SASL SSF: 56
>> SASL data security layer installed.
>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>> ldap_add: Already exists (68)
>>
>> Chris

From christopher.lamb at ch.ibm.com Mon Aug 3 11:20:16 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 3 Aug 2015 13:20:16 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Matt

It looks like I skipped that step ... (And as we already had samba groups in
place, we did not need to make new ones via the WebUI).

However a quick google trawled up this old thread that has a possible answer
from Peter. (I have not tested it yet myself).

https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

Chris



From: "Matt ."
To:
Cc: "freeipa-users at redhat.com"
Date: 03.08.2015 12:45
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by: freeipa-users-bounces at redhat.com



In my previous reply, I meant "no group.js at all".

2015-08-03 12:17 GMT+02:00 Matt . :
> Hi Chris,
>
> Thanks for that verification!
>
> It seems that:
>
> /usr/share/ipa/ui/group.js
>
> Is not there on IPA 4.1, also there is no .js at all on the whole system.
>
> Any idea there ?
>
> Thanks again!
>
> Matt
>
> 2015-08-03 9:53 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> Thankfully I saved the output from those ldapmodify commands (against
>> FreeIPA 4.1) and was able to find it again!
>>
>> In our case sambagrouptype also seems to have already been present, so that
>> should not hurt.
>>
>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>> changetype: add
>>> add: ipaCustomFields
>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>> EOF
>> SASL/GSSAPI authentication started
>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>> SASL SSF: 56
>> SASL data security layer installed.
>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>> ldap_add: Already exists (68)
>>
>> Chris
>>
>> From: "Matt ."
>> To:
>> Cc: "freeipa-users at redhat.com"
>> Date: 02.08.2015 13:33
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> Chris,
>>
>> Are you doing this on 3.x or also 4.x ?
>>
>> As the following already exists:
>>
>> ldapmodify -Y GSSAPI <<EOF
>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> changetype: add
>> add: ipaCustomFields
>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> EOF
>>
>> And I'm unsure about the python files as they are slightly different on 4.1
>>
>> Thanks!
>>
>> 2015-08-01 19:51 GMT+02:00 Matt . :
>>> Hi,
>>>
>>> Yes I found that earlier, that looks good and even better when you
>>> confirm this as really usable.
>>>
>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>> happens when we "need" to move because integration has been improved.
>>>
>>> I try to keep IPA as native as I can.
>>>
>>> So this is the best way to go for now, even when this thread is such "old" ?
>>>
>>> Thanks!
>>>
>>> Matt
From yamakasi.014 at gmail.com Mon Aug 3 14:02:59 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 3 Aug 2015 16:02:59 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

OK, I have a Samba Group Type now in my groups details list and also in the groups settings tab.

I'm not 100% sure how this is managed. I have Grouptype 4, in the groups overview it's still empty.

But how to manage this between samba and ipa ? What should be the reference between the group(names) ?

Thanks again!

Matt

2015-08-03 13:20 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> It looks like I skipped that step ... (And as we already had samba groups
> in place, did not need to make new ones via the WebUI).
>
> However a quick google trawled up this old thread that has a possible
> answer from Peter.
(I have not tested it yet myself).
>
> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>
> Chris
From
christopher.lamb at ch.ibm.com Mon Aug 3 15:17:49 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 3 Aug 2015 17:17:49 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Matt

It sounds like you now have prepared FreeIPA for Samba.

I assume you have already configured Samba to authenticate via FreeIPA (changes to the [global] section of your smb.conf file, secrets.tdb etc.)

Next you need to add your samba groups to FreeIPA (i.e. FreeIPA groups, with SambaGroupType = 4).

For example: In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit". This group has (among others) the attribute SambaGroupType = 4

We can then use the name of the group in the smb.conf file

[junit]
comment = JUnit Share
path = /samba/junit
browseable = no
valid users = @smb-junit
write list = @smb-junit
force group = smb-junit
create mask = 0770

Ciao

Chris

From: "Matt ."
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: "freeipa-users at redhat.com" , Petr Vobornik
Date: 03.08.2015 16:03
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,

OK, I have a Samba Group Type now in my groups details list and also in the groups settings tab.

I'm not 100% sure how this is managed. I have Grouptype 4, in the groups overview it's still empty.

But how to manage this between samba and ipa ? What should be the reference between the group(names) ?

Thanks again!

Matt
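An added example (not code from this thread or from the FreeIPA/Samba projects) that ties the two halves of the answer above together and adds the check a practitioner would want before trusting a share's `valid users` line. First, the `ldapmodify` earlier in the thread failed with `ldap_add: Already exists (68)` because `changetype: add` asks the server to create cn=ipaconfig, which already exists (result code 68 is entryAlreadyExists); adding a value to an existing entry is `changetype: modify` with an `add:` sub-operation, and the function below emits that LDIF. Second, the script parses an smb.conf and `ldapsearch -LLL` output and reports every group a share references through `valid users`, `write list`, `read list`, `invalid users` or `force group` that is missing in IPA or lacks the Samba mapping attributes. Assumptions: the Samba side uses the ldapsam passdb backend, which resolves groups through the sambaGroupMapping objectClass with sambaSID and sambaGroupType (the thread only mentions SambaGroupType = 4, so the objectClass and sambaSID checks go beyond what it states); the smb.conf, the LDIF, the suffix dc=example,dc=com, the gidNumbers and the SID are constructed sample data. FreeIPA stores groups under cn=groups,cn=accounts rather than cn=users.

```python
# Added example for this thread, not code from the posters or from FreeIPA/Samba.
# Offline: it runs on the constructed sample data below.

# Constructed sample smb.conf: the [junit] share from the thread plus a second
# share whose group is deliberately incomplete in the LDIF that follows.
SMB_CONF = """\
[junit]
   comment = JUnit Share
   path = /samba/junit
   browseable = no
   valid users = @smb-junit
   write list = @smb-junit
   force group = smb-junit
   create mask = 0770

[scratch]
   valid users = @smb-scratch, alice
"""

# Constructed sample of `ldapsearch -LLL` output. FreeIPA keeps groups under
# cn=groups,cn=accounts; the suffix, gidNumbers and SID are made up.
LDIF = """\
dn: cn=smb-junit,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: sambaGroupMapping
cn: smb-junit
gidNumber: 1001
sambaGroupType: 4
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3003

dn: cn=smb-scratch,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
cn: smb-scratch
gidNumber: 1002
"""

GROUP_OPTIONS = ("valid users", "invalid users", "read list", "write list", "force group")


def ipaconfig_custom_field_ldif(basedn):
    """LDIF adding the custom field to the existing cn=ipaconfig entry. The thread
    used 'changetype: add' (create the entry, hence 'Already exists (68)');
    adding a value to an existing entry is a modify."""
    return ("dn: cn=ipaconfig,cn=etc,%s\nchangetype: modify\nadd: ipaCustomFields\n"
            'ipaCustomFields: "Samba Group Type,sambagrouptype,true"\n' % basedn)


def parse_ldif(text):
    """Minimal LDIF reader (folds continuation lines, does not decode '::' base64);
    returns a list of {attribute-lowercase: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line continuation
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def smbconf_group_refs(text):
    """Return {share: set(group)}. In smb.conf user lists '@name', '+name' and
    '&name' denote groups; 'force group' takes a bare name (optional '+')."""
    refs, share = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # smb.conf comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if share is None or key not in GROUP_OPTIONS:
            continue
        for tok in (t.strip() for t in value.split(",") if t.strip()):
            if key == "force group" or tok[0] in "@+&":
                refs.setdefault(share, set()).add(tok.lstrip("@+&"))
    return refs


def check_group_mapping(smb_conf, ldif, expected_type="4"):
    """Return (share, group, problem) tuples; empty means every referenced group
    exists in IPA with the Samba mapping attributes (default type: the thread's)."""
    by_cn = {e["cn"][0].lower(): e for e in parse_ldif(ldif) if "cn" in e}
    problems = []
    for share, groups in sorted(smbconf_group_refs(smb_conf).items()):
        for group in sorted(groups):
            entry = by_cn.get(group.lower())
            if entry is None:
                problems.append((share, group, "no such group in IPA"))
                continue
            classes = {c.lower() for c in entry.get("objectclass", [])}
            if "sambagroupmapping" not in classes:
                problems.append((share, group, "missing objectClass sambaGroupMapping"))
            gtype = entry.get("sambagrouptype", [None])[0]
            if gtype != expected_type:
                problems.append((share, group, "sambaGroupType is %r, expected %r" % (gtype, expected_type)))
            if not entry.get("sambasid"):
                problems.append((share, group, "missing sambaSID"))
    return problems
```

Against real data, save `ldapsearch -LLL -Y GSSAPI -b cn=groups,cn=accounts,<suffix> '(cn=smb-*)'` to a file, read it and your smb.conf into the two arguments of `check_group_mapping`, and treat an empty result as "every group the shares reference exists and is mapped". On the sample data the [junit] share passes and the [scratch] share is reported three times for smb-scratch (no sambaGroupMapping objectClass, no sambaGroupType, no sambaSID), while `alice` is ignored because a bare name in `valid users` is a user, not a group. If your schema uses a different sambaGroupType value, pass it as expected_type rather than editing the entries.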
From danofsatx at gmail.com Mon Aug 3 17:07:53 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Mon, 3 Aug 2015 12:07:53 -0500
Subject: [Freeipa-users] [QUERY] CentOS 7 repo for FreeIPA 4.2.0 testing
In-Reply-To: <20150716145826.GR21928@redhat.com>
References: <20150716145826.GR21928@redhat.com>
Message-ID: <55BF9FE9.1020101@fedoraproject.org>

On 07/16/2015 09:58 AM, Alexander Bokovoy wrote:
> Hello!
>
> FreeIPA team has recently released 4.2.0 version[1] which adds a number
> of features community members were asking for:
>
> - User certificates
> - Vault to store user secrets
> - One-way trust to Active Directory
> - User life-cycle management for integration with external process
>   workflows
> - [many other enhancements and improvements]
>
> Development of these features required coordinating changes across
> multiple projects. We have provided the packages for Fedora through our
> COPR repository[2]. The repository includes multiple packages, and
> relies on multiple others updated in Fedora repositories since Fedora
> 22.
>
> FreeIPA and other teams at Red Hat are currently working on integrating
> FreeIPA 4.2 release into Red Hat Enterprise Linux 7 update. While
> traditionally CentOS users had to wait for a Red Hat Enterprise Linux
> release, in time for 7.1 update we tried something new with a COPR
> repository providing FreeIPA 4.1 for CentOS before Red Hat Enterprise
> Linux 7.1 was released. The repository proved to be a success -- both
> for quality of bug reports we've got and ability to reach out to you.
>
> With COPR repository for CentOS 7 we've also got experience to manage
> expectations of support and maintenance for the FreeIPA 4.1 packages in
> the view of upcoming Red Hat Enterprise Linux release. The packages in
> the COPR repository would expire when the Red Hat Enterprise Linux
> update comes to CentOS and to people who used the repository it would
> mean a need to handle upgrades.
>
> We are considering to repeat COPR experiment with FreeIPA 4.2 for CentOS 7.
> However, this time we also are relying on updated packages which are
> beyond the maintenance of FreeIPA, SSSD, Dogtag, and 389-ds teams. Some
> of the updates in those packages include ABI changes. Maintaining our
> own rebuilds of these packages in the COPR repository would put
> additional burden on the upstream developers and later on you -- when
> CentOS 7 updated versions of those packages would come through the
> official channels.
>
> Thus, we would like to ask you, whether having a separate COPR
> repository for FreeIPA 4.2 would make sense for CentOS 7 users.
> The repository will expire with the release of CentOS 7 updates and no
> upgrade path would be provided for the bits. Of course, FreeIPA
> replication should work and to move forward you would need to deploy
> replicas with formal CentOS bits into the same environment and phase out
> the replicas running bits coming from the COPR repository. This path is
> intended but not guaranteed. It might happen that further development
> would reveal issues and bugs that might make such migration path broken
> and impossible to fix. In this case upstream will make reasonable
> efforts but would provide no guarantee that the issue will be addressed.
>
> Does it make sense and worth proceeding with creating a CentOS COPR repo
> with upstream bits? Tell us!
>
> [1] http://www.freeipa.org/page/Releases/4.2.0
> [2] https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2

I apologize for not responding sooner. Yes, this would be of great interest to me, but I can accept if there is no other demand and I need to wait for the "official" release.
--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From harenberg at physik.uni-wuppertal.de Tue Aug 4 05:31:21 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Tue, 04 Aug 2015 07:31:21 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
Message-ID: <55C04E29.5020601@physik.uni-wuppertal.de>

Dear all,

is the sssd shipped with CentOS6 known to be unstable? In our cluster approx. 4-5 nodes out of about 200 are dying on a daily basis:

[root at wn113 ~]# /etc/init.d/sssd status
sssd dead but subsys locked
[root at wn113 ~]# /etc/init.d/sssd stop
[root at wn113 ~]# /etc/init.d/sssd start
Starting sssd:                                             [  OK  ]
[root at wn113 ~]# rpm -qi sssd
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.11.6                            Vendor: CentOS
Release     : 30.el6_6.4                    Build Date: Wed 18 Mar 2015 07:28:15 PM CET
Install Date: Tue 21 Jul 2015 10:23:51 AM CEST      Build Host: c6b9.bsys.dev.centos.org
Group       : Applications/System           Source RPM: sssd-1.11.6-30.el6_6.4.src.rpm
Size        : 35147                            License: GPLv3+
Signature   : RSA/SHA1, Wed 18 Mar 2015 07:54:33 PM CET, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward the
system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

The sssd subpackage is a meta-package that contains the deamon as well as
all the existing back ends.
[root at wn113 ~]#

Is it worth trying to build the latest stable version instead of the one shipped by the vendor?

Best regards

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr.
Torsten Harenberg   harenberg at physik.uni-wuppertal.de          <>
<> Bergische Universitaet                                       <>
<> FB C - Physik                        Tel.: +49 (0)202 439-3521 <>
<> Gaussstr. 20                         Fax : +49 (0)202 439-2811 <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From harenberg at physik.uni-wuppertal.de Tue Aug 4 05:56:35 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Tue, 04 Aug 2015 07:56:35 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <55C04E29.5020601@physik.uni-wuppertal.de>
References: <55C04E29.5020601@physik.uni-wuppertal.de>
Message-ID: <55C05413.90709@physik.uni-wuppertal.de>

just realized that it's probably not an instability, but some process is killing sssd:

[root at wn113 sssd]# zcat sssd.log-20150804.gz
(Mon Aug  3 20:30:55 2015) [sssd] [mt_svc_sigkill] (0x0010): [pleiades.uni-wuppertal.de][5957] is not responding to SIGTERM. Sending SIGKILL.
(Mon Aug  3 20:31:31 2015) [sssd] [mt_svc_sigkill] (0x0010): [nss][7211] is not responding to SIGTERM. Sending SIGKILL.
(Mon Aug  3 20:31:43 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [nss], definitely stopped!
[root at wn113 log]# grep sssd messages
Aug  3 20:31:36 wn113 sssd[nss]: Starting up
Aug  3 20:31:36 wn113 sssd[be[pleiades.uni-wuppertal.de]]: Starting up
Aug  3 20:31:39 wn113 sssd[nss]: Starting up
Aug  3 20:31:43 wn113 sssd[nss]: Starting up
Aug  3 20:32:33 wn113 sssd[be[pleiades.uni-wuppertal.de]]: Shutting down
Aug  3 20:32:33 wn113 sssd[pac]: Shutting down
Aug  3 20:32:33 wn113 sssd[ssh]: Shutting down
Aug  3 20:32:34 wn113 sssd[pam]: Shutting down
Aug  3 20:32:34 wn113 sssd[sudo]: Shutting down

None of the admins were logged in during that time and also "last" doesn't show any login.

sssd was installed as a dependency from ipa-client and was autoconfigured by ipa-client-install.
The config file looks normal to me:

[domain/pleiades.uni-wuppertal.de]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = pleiades.uni-wuppertal.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = wn113.pleiades.uni-wuppertal.de
chpass_provider = ipa
ipa_server = _srv_, ipa2.pleiades.uni-wuppertal.de, ipa.pleiades.uni-wuppertal.de
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = pleiades.uni-wuppertal.de
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

sssd.conf (END)

Anybody seen something like this already?

Best regards

Torsten

--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                              <>
<> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
<> Bergische Universitaet                                       <>
<> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
<> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
<> 42097 Wuppertal                                              <>
<>                                                              <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>

From lslebodn at redhat.com Tue Aug 4 06:17:02 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 4 Aug 2015 08:17:02 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <55C05413.90709@physik.uni-wuppertal.de>
References: <55C04E29.5020601@physik.uni-wuppertal.de> <55C05413.90709@physik.uni-wuppertal.de>
Message-ID: <20150804061702.GB15393@mail.corp.redhat.com>

On (04/08/15 07:56), Torsten Harenberg wrote:
>just realized that it's probably not an instability, but some process is
>killing sssd:
>
>[root at wn113 sssd]# zcat sssd.log-20150804.gz
>(Mon Aug  3 20:30:55 2015) [sssd] [mt_svc_sigkill] (0x0010):
>[pleiades.uni-wuppertal.de][5957] is not responding to SIGTERM. Sending
>SIGKILL.
>(Mon Aug  3 20:31:31 2015) [sssd] [mt_svc_sigkill] (0x0010): [nss][7211]
>is not responding to SIGTERM. Sending SIGKILL.
This line says that the process sssd_nss was busy with some task and was not responding to ping from the monitor process (sssd). Therefore it was restarted.

>None of the admins were logged in during that time and also "last"
>doesn't show any login.
>
>sssd was installed as a dependency from ipa-client and was
>autoconfigured by ipa-client-install. The config file looks normal to me:
>
>[domain/pleiades.uni-wuppertal.de]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = pleiades.uni-wuppertal.de
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = wn113.pleiades.uni-wuppertal.de
>chpass_provider = ipa
>ipa_server = _srv_, ipa2.pleiades.uni-wuppertal.de,
>ipa.pleiades.uni-wuppertal.de
>ldap_tls_cacert = /etc/ipa/ca.crt
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = pleiades.uni-wuppertal.de
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>sssd.conf (END)
>
>
>Anybody seen something like this already?
It's hard to say without full log files. I would recommend to follow instructions from upstream wiki[1]. In your 1st mail you mention using a newer version of sssd. You can try the latest upstream version[2] or you can wait for CentOS 6.7.

LS

[1] https://fedorahosted.org/sssd/wiki/Troubleshooting
[2] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

From Markus.Moj at mc.ingenico.com Tue Aug 4 09:12:16 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com)
Date: Tue, 4 Aug 2015 09:12:16 +0000
Subject: [Freeipa-users] FreeIPA user ID differs
Message-ID:

Hi @all,

I've encountered a strange "error". I've created a user with a generated UID from the predefined range. After creation I've had to manipulate the UID to fit an old NIS configuration and set the UID to the old NIS value. FreeIPA shows the correct UID as well as ldapsearch.
But if I log on to a host and enter `id ` I receive the old UID, GID and groups information instead of the corrected one.

Maybe someone can help me out to pinpoint the error and to fix it.

Cheers,
Markus

From christopher.lamb at ch.ibm.com Tue Aug 4 09:26:58 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 4 Aug 2015 11:26:58 +0200
Subject: [Freeipa-users] FreeIPA user ID differs
In-Reply-To:
References:
Message-ID:

Markus

Have you checked both the cn=accounts and cn=compat trees? Users and groups are stored in both, and both would need manipulation...

Ciao

Chris

From:
To:
Date: 04.08.2015 11:14
Subject: [Freeipa-users] FreeIPA user ID differs
Sent by: freeipa-users-bounces at redhat.com

Hi @all,

I've encountered a strange "error". I've created a user with a generated UID from the predefined range. After creation I've had to manipulate the UID to fit an old NIS configuration and set the UID to the old NIS value. FreeIPA shows the correct UID as well as ldapsearch.

But if I log on to a host and enter `id ` I receive the old UID, GID and groups information instead of the corrected one.

Maybe someone can help me out to pinpoint the error and to fix it.

Cheers,
Markus
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From Duncan.Innes at virginmoney.com Tue Aug 4 09:57:34 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 4 Aug 2015 10:57:34 +0100
Subject: [Freeipa-users] FreeIPA and sudo Defaults
Message-ID: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet>

Hi folks,

Struggling with creating a sudo rule in IPA that will allow my foreman-proxy to run specific commands.
When I put the following into /etc/sudoers.d/foreman:

[root at puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root at puppet01 ~]#

[innesd at puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
    !requiretty

User innesd may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
    (root) /bin/su
[innesd at puppet01 ~]$

Both my user and the foreman-proxy can run the relevant commands both on the command line and remotely.

IT Security are not happy with local sudo rules being configured around the network, so I'm trying to create the same configuration via IPA.

When I try to get the same rule into IPA, my user can run the command in a tty, but the foreman-proxy user is refused. This looks to be down to the lack of !requiretty coming through for the users:

[root at ipa01 ~]# ipa sudorule-show foreman-proxy
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
[root at ipa01 ~]#

and once I've removed the #includedir option from my local sudoers file, I get the following as my user:

[innesd at puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
    (root) /bin/su
    (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd at puppet01 ~]$

where the noticeable difference is that the !requiretty isn't listed under any "Matching Defaults entries" for my user.

With the rule set up like this, I can run the command in a tty, but the foreman-proxy user is denied when the command is run without a tty.

How do I go about setting the Defaults for the foreman-proxy user?

Once my testing is done, I'd like to move the rule to run only against the foreman-proxy external user rather than all users.

And a small follow-up question: how long should I expect it to take for a change to the sudo rule on my IPA server to become available on the client? I keep doing sss_cache -E to clear the cache, but it still seems to take its own sweet time to be changed on the client. It's not a huge wait - just a bit of a pain when I'm testing these changes.

Thanks in advance,

Duncan Innes

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at virginmoney.com
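The local drop-in and the IPA rule in Duncan's message raise the same mapping question: a sudoers `Defaults:<user> !requiretty` line has no per-user equivalent in IPA, so the option has to live as a sudoOption on the rule itself, and `NOPASSWD:` becomes `!authenticate`. The following Python is an added example, not code from this thread or from the FreeIPA project. It parses a sudoers fragment modelled on /etc/sudoers.d/foreman (a constructed sample), emits the `ipa sudorule-*` calls that express the same grant centrally, and reports the two things a policy reviewer would want to see before approving the rule: passwordless grants and wildcard command arguments. The rule name `foreman-proxy` and the sample lines come from the thread; the helper names, the subset of sudoers syntax handled, and the treatment of non-IPA users as external rule members are assumptions.

```python
"""Translate a local sudoers fragment into equivalent FreeIPA sudo-rule
commands and flag the grants a reviewer should look at.

Added example, not code from the list thread or from FreeIPA itself.
Assumes the ipa(1) subcommands sudorule-add, sudorule-mod --hostcat,
sudorule-add-host, sudocmd-add, sudorule-add-allow-command,
sudorule-add-user and sudorule-add-option; the input is a constructed
sample modelled on the /etc/sudoers.d/foreman fragment in the thread.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample input, modelled on the thread's /etc/sudoers.d/foreman.
SAMPLE_SUDOERS = """\
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
"""

# Only two sudoers line shapes are understood here (assumption, not a full
# sudoers grammar): "user hosts = [(runas)] [NOPASSWD:] cmd, cmd" and
# "Defaults:user option ...".
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?P<rhs>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
DEFAULTS_RE = re.compile(r"^Defaults:(?P<user>\S+)\s+(?P<opts>.+)$")


@dataclass
class SudoRule:
    user: str
    hosts: str
    runas: str            # sudo runs as root when no (runas) is given
    nopasswd: bool
    commands: list


@dataclass
class SudoersFragment:
    rules: list = field(default_factory=list)
    defaults: dict = field(default_factory=dict)   # user -> [option, ...]


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used in the thread."""
    frag = SudoersFragment()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank, comment, #includedir
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            frag.defaults.setdefault(m["user"], []).extend(m["opts"].split())
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        rhs, runas = m["rhs"], "root"
        rm = RUNAS_RE.match(rhs)
        if rm:                                      # "(root)" or "(root:wheel)"
            runas, rhs = rm["runas"].split(":")[0] or "root", rm["rest"]
        nopasswd = rhs.startswith("NOPASSWD:")
        if nopasswd:
            rhs = rhs[len("NOPASSWD:"):]
        commands = [c.strip() for c in rhs.split(",") if c.strip()]
        frag.rules.append(SudoRule(m["user"], m["hosts"], runas, nopasswd, commands))
    return frag


def ipa_commands(frag, rule_name):
    """Emit one IPA rule covering every user in the fragment.

    IPA has no per-user Defaults: each "Defaults:user ..." option becomes a
    sudoOption on the rule, and NOPASSWD becomes "!authenticate".  A user
    that does not exist in IPA (a local account such as foreman-proxy) is
    recorded by IPA as an external user of the rule (assumption).
    """
    q = shlex.quote
    cmds = [f"ipa sudorule-add {q(rule_name)}"]
    for host in sorted({r.hosts for r in frag.rules}):
        if host == "ALL":
            cmds.append(f"ipa sudorule-mod {q(rule_name)} --hostcat=all")
        else:
            cmds.append(f"ipa sudorule-add-host {q(rule_name)} --hosts={q(host)}")
    for cmd in sorted({c for r in frag.rules for c in r.commands}):
        cmds.append(f"ipa sudocmd-add {q(cmd)}")
        cmds.append(f"ipa sudorule-add-allow-command {q(rule_name)} --sudocmds={q(cmd)}")
    options = ["!authenticate"] if all(r.nopasswd for r in frag.rules) else []
    for user in sorted({r.user for r in frag.rules}):
        cmds.append(f"ipa sudorule-add-user {q(rule_name)} --users={q(user)}")
        options += [o for o in frag.defaults.get(user, []) if o not in options]
    for opt in options:
        cmds.append(f"ipa sudorule-add-option {q(rule_name)} --sudooption={q(opt)}")
    return cmds


def review_findings(frag):
    """Grants a policy reviewer should see before the rule is approved."""
    findings = []
    for r in frag.rules:
        if r.nopasswd:
            findings.append(f"{r.user}: NOPASSWD grant, runs as {r.runas}")
        for c in r.commands:
            # sudoers(5): a wildcard in the argument list matches any number
            # of arguments, so "puppet cert *" is broader than it looks.
            if "*" in c:
                findings.append(f"{r.user}: wildcard arguments in {c!r}")
    return findings


if __name__ == "__main__":
    fragment = parse_sudoers(SAMPLE_SUDOERS)
    print("\n".join(ipa_commands(fragment, "foreman-proxy")))
    print("\n".join(review_findings(fragment)))
```

Running it prints the `ipa` calls for a rule named `foreman-proxy` with both users, both commands and the options `!authenticate` and `!requiretty`, which is the shape of the rule shown in `ipa sudorule-show` above, followed by six findings (a NOPASSWD grant and two wildcard commands per user).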
From Duncan.Innes at virginmoney.com Tue Aug 4 11:09:47 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 4 Aug 2015 12:09:47 +0100
Subject: [Freeipa-users] FreeIPA and sudo Defaults
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet>
Message-ID: <56343345B145C043AE990701E3D193950BD1FCF3@EXVS2.nrplc.localnet>

Information:

IPA server and client both running on RHEL 6.7 fully patched.

IPA server version: ipa-server-3.0.0-47.el6.x86_64
sssd client version: sssd-1.12.4-47.el6.x86_64

IPA server hosts dozens of sudo rules that work as expected. This is the first rule, however, that needs the !requiretty in the Defaults for the user.

Thanks

D

________________________________
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Innes, Duncan
Sent: 04 August 2015 10:58
To: freeipa-users at redhat.com
Subject: [Freeipa-users] FreeIPA and sudo Defaults

Hi folks,

Struggling with creating a sudo rule in IPA that will allow my foreman-proxy to run specific commands.

When I put the following into /etc/sudoers.d/foreman:

[root at puppet01 ~]# cat /etc/sudoers.d/foreman
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty
innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:innesd !requiretty
[root at puppet01 ~]#

[innesd at puppet01 ~]$ sudo -l
Matching Defaults entries for innesd on this host:
    !requiretty

User innesd may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick *
    (root) /bin/su
[innesd at puppet01 ~]$

Both my user and the foreman-proxy can run the relevant commands both on the command line and remotely.

IT Security are not happy with local sudo rules being configured around the network, so I'm trying to create the same configuration via IPA.

When I try to get the same rule into IPA, my user can run the command in a tty, but the foreman-proxy user is refused. This looks to be down to the lack of !requiretty coming through for the users:

[root at ipa01 ~]# ipa sudorule-show foreman-proxy
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
[root at ipa01 ~]#

and once I've removed the #includedir option from my local sudoers file, I get the following as my user:

[innesd at puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
    (root) /bin/su
    (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd at puppet01 ~]$

where the noticeable difference is that the !requiretty isn't listed under any "Matching Defaults entries" for my user.

With the rule set up like this, I can run the command in a tty, but the foreman-proxy user is denied when the command is run without a tty.

How do I go about setting the Defaults for the foreman-proxy user?

Once my testing is done, I'd like to move the rule to run only against the foreman-proxy external user rather than all users.

And a small follow-up question: how long should I expect it to take for a change to the sudo rule on my IPA server to become available on the client? I keep doing sss_cache -E to clear the cache, but it still seems to take its own sweet time to be changed on the client. It's not a huge wait - just a bit of a pain when I'm testing these changes.

Thanks in advance,

Duncan Innes
From yamakasi.014 at gmail.com Tue Aug 4 11:31:52 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 4 Aug 2015 13:31:52 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Chris,

Thanks for the heads up, indeed local is 4 I see now when I add a group from the GUI, great thanks!

But do you use Directory Manager as ldap admin user or some other admin account ?

I'm not sure if DM is needed and it should get that deep into IPA. Also when starting samba it cannot find "such user" as that sounds quite known as it has no UID.

From your config I see you use DM, this should work ?

Thanks!

Matt

2015-08-04 13:15 GMT+02:00 Matt . :
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
> Matt
>
> 2015-08-03 17:17 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> It sounds like you now have prepared FreeIPA for Samba
>>
>> I assume you have already configured Samba to authenticate via FreeIPA
>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>
>> Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
>> with SambaGroupType = 4)
>>
>> For example:
>>
>> In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".
>>
>> This group has (among others) the attribute SambaGroupType = 4
>>
>> We can then use the name of the group in the smb.conf file
>>
>> [junit]
>> comment = JUnit Share
>> path = /samba/junit
>> browseable = no
>> valid users = @smb-junit
>> write list = @smb-junit
>> force group = smb-junit
>> create mask = 0770
>>
>>
>> Ciao
>>
>> Chris
>>
>>
>>
>> From: "Matt ."
>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>> Cc: "freeipa-users at redhat.com" , Petr Vobornik
>> Date: 03.08.2015 16:03
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>>
>>
>> Hi,
>>
>> OK, I have a Samba Group Type now in my groups details list and also
>> in the groups settings tab.
>>
>> I'm not 100% how this is managed. I have Grouptype 4, in the groups
>> overview it's still empty. But how to manage this between samba and
>> ipa ? What should be the reference between the group(names) ?
>>
>> Thanks again!
>>
>> Matt
>>
>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb :
>>> Hi Matt
>>>
>>> It looks like I skipped that step ... (And as we already had samba groups
>>> in place, did not need to make new ones via the WebUI).
>>>
>>> However a quick google trawled up this old thread that has a possible
>>> answer from Peter. (I have not tested it yet myself).
>>>
>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>
>>> Chris
>>>
>>>
>>>
>>> From: "Matt ."
>>> To:
>>> Cc: "freeipa-users at redhat.com"
>>> Date: 03.08.2015 12:45
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by: freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> In my previous reply, I meant "no group.js at all" .
>>>
>>>
>>> 2015-08-03 12:17 GMT+02:00 Matt . :
>>>> Hi Chris,
>>>>
>>>> Thanks for that verification!
>>>>
>>>> It seems that:
>>>>
>>>> /usr/share/ipa/ui/group.js
>>>>
>>>> Is not there on IPA.4.1, also there is no .js at all on the whole system.
>>>>
>>>> Any idea there ?
>>>>
>>>> Thanks again!
>>>>
>>>> Matt
>>>>
>>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb :
>>>>> Hi Matt
>>>>>
>>>>> Thankfully I saved the output from those ldapmodify commands (against
>>>>> FreeIPA 4.1) and was able to find it again!
>>>>>
>>>>> In our case sambagrouptype also seems to have already been present, so that
>>>>> should not hurt.
>>>>>
>>>>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>> changetype: add
>>>>>> add: ipaCustomFields
>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> EOF
>>>>> SASL/GSSAPI authentication started
>>>>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>>>>> SASL SSF: 56
>>>>> SASL data security layer installed.
>>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>>>> ldap_add: Already exists (68)
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From: "Matt ."
>>>>> To:
>>>>> Cc: "freeipa-users at redhat.com"
>>>>> Date: 02.08.2015 13:33
>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>>
>>>>>
>>>>>
>>>>> Chris,
>>>>>
>>>>> Are you doing this on 3.x or also 4.x ?
>>>>>
>>>>> As the following already exists:
>>>>>
>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>> changetype: add
>>>>> add: ipaCustomFields
>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>> EOF
>>>>>
>>>>>
>>>>> And I'm unsure about the python files as they are slightly different on 4.1
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> 2015-08-01 19:51 GMT+02:00 Matt . :
>>>>>> Hi,
>>>>>>
>>>>>> Yes I found that earlier, that looks good and even better when you
>>>>>> confirm this as really usable.
>>>>>>
>>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>>>> happens when we "need" to move because integration has been improved.
>>>>>>
>>>>>> I try to keep IPA as native as I can.
>>>>>>
>>>>>> So this is the best way to go for now, even when this thread is such
>>>>>> "old" ?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb :
>>>>>>> Hi Matt
>>>>>>>
>>>>>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>>>>>> this previous thread
>>>>>>>
>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>>>
>>>>>>> That should point to this techslaves article with the detailed instructions
>>>>>>> that we followed:
>>>>>>>
>>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>>>
>>>>>>> The main reason we went that way is that we have no AD domain, which seems
>>>>>>> to be required by other integration paths.
>>>>>>>
>>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>>>>>>> So things may be different on Ubuntu.
>>>>>>>
>>>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>>>>> Directory Studio is very useful to visualise what is going on and to verify
>>>>>>> if your changes are present! (and is sometimes easier to manually change
>>>>>>> attributes rather than by LDAPMODIFY script....)
>>>>>>>
>>>>>>> There is another ongoing thread in this mailing list about problems with
>>>>>>> the attribute SambaPwdLastSet.
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From: "Matt ."
>>>>>>> To:
>>>>>>> Cc: "freeipa-users at redhat.com"
>>>>>>> Date: 31.07.2015 16:58
>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This is nice to have confirmed.
>>>>>>>
>>>>>>> Is it possible for you to describe what you do ? It might be handy to
>>>>>>> add this to the IPA documentation also with some explanation why...
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb :
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>>>>> that we have is, that the users get no notice of password expiry until
>>>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>>>>> accepted when trying to connect to a share. Once the password is reset (via
>>>>>>>> CLI or FreeIPA WebUi), they can access the shares again.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> From: Youenn PIOLET
>>>>>>>> To: "Matt ."
>>>>>>>> Cc: "freeipa-users at redhat.com"
>>>>>>>> Date: 31.07.2015 16:21
>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>>>
>>>>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>>>>> with password management doing this, that's why I'd like to get a better
>>>>>>>> solution :)
>>>>>>>>
>>>>>>>> Anyone?
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Youenn Piolet
>>>>>>>> piolet.y at gmail.com
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . :
>>>>>>>> Hi Guys,
>>>>>>>>
>>>>>>>> I'm really struggling getting a NON AD Samba server authing against a
>>>>>>>> FreeIPA server:
>>>>>>>>
>>>>>>>> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>>>>>>>> CentOS 7.1 -> FreeIPA 4.1
>>>>>>>>
>>>>>>>> Now this seems to be the way:
>>>>>>>>
>>>>>>>> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>
>>>>>>>>
>>>>>>>> But as this, which I also found on the mailinglists:
>>>>>>>>
>>>>>>>> NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>>>> shares using this method. This means that Windows clients not joined
>>>>>>>> to Active Directory forest trusted by IPA would not be able to access
>>>>>>>> the shares. This is related to SSSD not yet being able to handle
>>>>>>>> NTLMSSP authentication.
>>>>>>>>
>>>>>>>> It might not be that easy to have a Samba Shares only server.
>>>>>>>>
>>>>>>>> Any idea here how to accomplish ?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt

From Duncan.Innes at virginmoney.com Tue Aug 4 11:40:29 2015
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 4 Aug 2015 12:40:29 +0100
Subject: [Freeipa-users] FreeIPA and sudo Defaults
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FCF3@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet> <56343345B145C043AE990701E3D193950BD1FCF3@EXVS2.nrplc.localnet>
Message-ID: <56343345B145C043AE990701E3D193950BD1FCF5@EXVS2.nrplc.localnet>

More information:

[root at puppet01 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]

cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = puppet01.example.com
chpass_provider = ipa
ipa_server = ipa01.example.com, ipa02.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_network_timeout = 2
ldap_opt_timeout = 2
ldap_search_timeout = 2
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = example.com
[nss]
filter_users = root,apache,postgres,oracle,tomcat,puppet,foreman,foreman-proxy
filter_groups = root,apache,postgres,oracle,tomcat,puppet,foreman-proxy
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

We don't use _srv_ as we have no control over the DNS servers.

[root at puppet01 ~]# cat /etc/nsswitch.conf | grep -v \#
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus
sudoers:    files sss
[root at puppet01 ~]#

The client runs sudo successfully for other rules that are in place.
________________________________ From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Innes, Duncan Sent: 04 August 2015 12:10 To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA and sudo Defaults Information: IPA server and client both running on RHEL 6.7 fully patched. IPA server version: ipa-server-3.0.0-47.el6.x86_64 sssd client version: sssd-1.12.4-47.el6.x86_64 IPA server hosts dozens of sudo rules that work as expected. This is the first rule, however, that needs the !requiretty in the Defaults for the user. Thanks D ________________________________ From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Innes, Duncan Sent: 04 August 2015 10:58 To: freeipa-users at redhat.com Subject: [Freeipa-users] FreeIPA and sudo Defaults Hi folks, Struggling with creating a sudo rule in IPA that will allow my foreman-proxy to run specific commands. When I put the following into /etc/sudoers.d/foreman: [root at puppet01 ~]# cat /etc/sudoers.d/foreman foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick * Defaults:foreman-proxy !requiretty innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick * Defaults:innesd !requiretty [root at puppet01 ~]# [innesd at puppet01 ~]$ sudo -l Matching Defaults entries for innesd on this host: !requiretty User innesd may run the following commands on this host: (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick * (root) /bin/su [innesd at puppet01 ~]$ Both my user and the foreman-proxy can run the relevant commands both on the command line and remotely. IT Security are not happy with local sudo rules being condifured around the network, so I'm trying to create the same configuration via IPA. When I try to get the same rule into IPA, my user can run the command in a tty, but the foreman-proxy user is refused. 
This looks to be down to the lack of !requiretty coming through for the users: [root at ipa01 ~]# ipa sudorule-show foreman-proxy Rule name: foreman-proxy Enabled: TRUE User category: all Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick * Sudo Option: !authenticate, !requiretty [root at ipa01 ~]# and once I've removed the #includedir option from my local sudoers file, I get the following as my user: [innesd at puppet01 ~]$ sudo -l User innesd may run the following commands on this host: (root) /bin/su (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick * [innesd at puppet01 ~]$ where the noticeable difference is that the !requiretty isn't listed under any "Matching Defaults entries" for my user. With the rule set up like this, I can run the command in a tty, but the foreman-proxy user is denied when the command is run without a tty. How do I go about setting the Defaults for the foreman-proxy user? Once my testing is done, I'd like to move the rule to run only against the foreman-proxy external user rather than all users. And a small follow-up question: how long should I expect it to take for a change to the sudo rule on my IPA server to become available on the client? I keep doing sss_cache -E to clear the cache, but it still seems to take it's own sweet time to be changed on the client. It's not a huge wait - just a bit of a pain when I'm testing these changes. Thanks in advance, Duncan Innes This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs. This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message. Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. 
Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482). For further details of Virgin Money group companies please visit our website at virginmoney.com
From christopher.lamb at ch.ibm.com Tue Aug 4 12:16:41 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 4 Aug 2015 14:16:41 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Matt

From our smb.conf file:

[global]
security = user
passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
ldap suffix = dc=my,dc=silly,dc=example,dc=com
ldap admin dn = cn=Directory Manager

So yes, we use Directory Manager, it works for us. I have not tried with a less powerful user, but it is conceivable that a lesser user may not see all the required attributes, resulting in "no such user" errors.

Chris

From: "Matt ."
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: "freeipa-users at redhat.com"
Date: 04.08.2015 13:32
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,

Thanks for the heads up, indeed local is 4 I see now when I add a group from the GUI, great thanks!

But do you use Directory Manager as ldap admin user or some other admin account?

I'm not sure if DM is needed and it should get that deep into IPA. Also when starting samba it cannot find "such user" as that sounds quite known as it has no UID.

From your config I see you use DM, this should work?

Thanks!

Matt

2015-08-04 13:15 GMT+02:00 Matt . :
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work?
>
> Thanks!
>
> Matt
>
> 2015-08-03 17:17 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> It sounds like you now have prepared FreeIPA for Samba
>>
>> I assume you have already configured Samba to authenticate via FreeIPA
>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>
>> Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
>> with SambaGroupType = 4)
>>
>> For example:
>>
>> In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".
>>
>> This group has (among others) the attribute SambaGroupType = 4
>>
>> We can then use the name of the group in the smb.conf file
>>
>> [junit]
>> comment = JUnit Share
>> path = /samba/junit
>> browseable = no
>> valid users = @smb-junit
>> write list = @smb-junit
>> force group = smb-junit
>> create mask = 0770
>>
>>
>> Ciao
>>
>> Chris
>>
>>
>>
>> From: "Matt ."
>> To: Christopher Lamb/Switzerland/IBM at IBMCH >> Cc: "freeipa-users at redhat.com" , Petr >> Vobornik >> Date: 03.08.2015 16:03 >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> >> >> >> Hi, >> >> OK, I have a Samba Group Type now in my groups details list and also >> in the groups settings tab. >> >> I'm not 100% how this is managed. I have Grouptype 4, in the groups >> overview it's still empty. But how to manage this between samba and >> ipa ? What should be the reference between the group(names) ? >> >> Thanks again! >> >> Matt >> >> 2015-08-03 13:20 GMT+02:00 Christopher Lamb : >>> HI Matt >>> >>> It looks like I skipped that step ... (And as we already had samba groups >>> in place, did not need to make new ones via the WebUI). >>> >>> However a quick google trawled up this old thread that has a possible >>> answer from Peter. (I have not tested it yet myself). >>> >>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html >>> >>> Chris >>> >>> >>> >>> From: "Matt ." >>> To: >>> Cc: "freeipa-users at redhat.com" >>> Date: 03.08.2015 12:45 >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >>> Sent by: freeipa-users-bounces at redhat.com >>> >>> >>> >>> In my previous reply, I ment "no group.js at all" . >>> >>> >>> 2015-08-03 12:17 GMT+02:00 Matt . : >>>> Hi Chris, >>>> >>>> Thanks for that verification! >>>> >>>> It seems that: >>>> >>>> /usr/share/ipa/ui/group.js >>>> >>>> Is not there on IPA.4.1, also there is no .js at all on the whole >> system. >>>> >>>> Any idea there ? >>>> >>>> Thanks again! >>>> >>>> Matt >>>> >>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb >> : >>>>> Hi Matt >>>>> >>>>> Thankfully I saved the output from those ldapmodify commands (against >>>>> FreeIPA 4.1) and was able to find it again! >>>>> >>>>> In our case sambagrouptype also seems to have already been present, so >>> that >>>>> should not hurt. 
>>>>> >>>>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <>>>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com >>>>>> changetype: add >>>>>> add: ipaCustomFields >>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>>>> EOF >>>>> SASL/GSSAPI authentication started >>>>> SASL username: lamb at MY.SILLY.EXAMPLE.COM >>>>> SASL SSF: 56 >>>>> SASL data security layer installed. >>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com" >>>>> ldap_add: Already exists (68) >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> >>>>> From: "Matt ." >>>>> To: >>>>> Cc: "freeipa-users at redhat.com" >>>>> Date: 02.08.2015 13:33 >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >> IPA >>>>> Sent by: freeipa-users-bounces at redhat.com >>>>> >>>>> >>>>> >>>>> Chris, >>>>> >>>>> Are you doing this on 3.x or also 4.x ? >>>>> >>>>> As the following already exists: >>>>> >>>>> ldapmodify -Y GSSAPI <>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld >>>>> changetype: add >>>>> add: ipaCustomFields >>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>>> EOF >>>>> >>>>> >>>>> And I'm unsure about the pyton files are they are sligtly different on >>> 4.1 >>>>> >>>>> >>>>> Thanks! >>>>> >>>>> >>>>> 2015-08-01 19:51 GMT+02:00 Matt . : >>>>>> Hi, >>>>>> >>>>>> Yes I found that earlier, that looks good and even better when you >>>>>> confirm this as really usable. >>>>>> >>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what >>>>>> happends when we "need" to move because integration has been improved. >>>>>> >>>>>> I try to keep IPA as native as I can. >>>>>> >>>>>> So this is the best way to go for now, even when this thread is such >>>>> "old" ? >>>>>> >>>>>> Thanks! 
>>>>>> >>>>>> Matt >>>>>> >>>>>> >>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb >>> : >>>>>>> Hi Matt >>>>>>> >>>>>>> For a "how to" of Samba FreeIPA integration using schema extensions, >>> see >>>>>>> this previous thread >>>>>>> >>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html >>>>>>> >>>>>>> That should point to this techslaves article with the detailed >>>>> instructions >>>>>>> that we followed: >>>>>>> >>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ >>>>>>> >>>>>>> The main reason we went that way is that we have no AD domain, which >>>>> seems >>>>>>> to be required by other integration paths. >>>>>>> >>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now >>>>> 7.x). >>>>>>> So things may be different on Ubuntu. >>>>>>> >>>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache >>>>>>> Directory Studio is very useful to visualise what is going on and to >>>>> verify >>>>>>> if your changes are present! (and is sometime easier to manually >>> change >>>>>>> attributes rather than by LDAPMODIFY script....) >>>>>>> >>>>>>> There is another ongoing thread in this mailing list about problems >>> with >>>>>>> the attribute SambaPwdLastSet. >>>>>>> >>>>>>> Chris >>>>>>> >>>>>>> >>>>>>> >>>>>>> From: "Matt ." >>>>>>> To: >>>>>>> Cc: "freeipa-users at redhat.com" >>>>>>> Date: 31.07.2015 16:58 >>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>> IPA >>>>>>> Sent by: freeipa-users-bounces at redhat.com >>>>>>> >>>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> This is nice to have confirmed. >>>>>>> >>>>>>> Is it possible for you to descrive what you do ? It might be handy to >>>>>>> add this to the IPA documentation also with some explanation why... >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Matt >>>>>>> >>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb >>>>> : >>>>>>>> Hi >>>>>>>> >>>>>>>> We use the Samba extensions for FreeIPA. 
Windows 7 users connect to >>> the >>>>>>>> "shares" using their FreeIPA credentials. The only password mgmt >>>>> problem >>>>>>>> that we have is, that the users get no notice of password expiry >>> until >>>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is >> not >>>>>>>> accepted when trying to connect to a share. Once the password is >>> reset >>>>>>> (via >>>>>>>> CLI or FreeIPA WebUi), they can access the shares again. >>>>>>>> >>>>>>>> Chris >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> From: Youenn PIOLET >>>>>>>> To: "Matt ." >>>>>>>> Cc: "freeipa-users at redhat.com" >>>>>>>> Date: 31.07.2015 16:21 >>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>>>> IPA >>>>>>>> Sent by: freeipa-users-bounces at redhat.com >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> I asked the very same question a few weeks ago, but no answer yet. >>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174 >>>>>>>> >>>>>>>> The only method I see is to install samba extensions in FreeIPA's >>> LDAP >>>>>>>> directory, and bind samba with LDAP. There may be a lot of >>> difficulties >>>>>>>> with password management doing this, that's why I'd like to get a >>>>> better >>>>>>>> solution :) >>>>>>>> >>>>>>>> Anyone? >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Youenn Piolet >>>>>>>> piolet.y at gmail.com >>>>>>>> >>>>>>>> >>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . 
: >>>>>>>> Hi Guys, >>>>>>>> >>>>>>>> I'm really struggeling getting a NON AD Samba server authing >>> against >>>>> a >>>>>>>> FreeIPA server: >>>>>>>> >>>>>>>> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5 >>>>>>>> CentOS 7.1 -> FreeIPA 4.1 >>>>>>>> >>>>>>>> Now this seems to be the way: >>>>>>>> >>>>>>>> >>>>>>> >>>>> >>> >> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA >>>>>>>> >>>>>>>> >>>>>>>> But as this, which I also found on the mailinglists: >>>>>>>> >>>>>>>> NOTE: Only Kerberos authentication will work when accessing Samba >>>>>>>> shares using this method. This means that Windows clients not >>> joined >>>>>>>> to Active Directory forest trusted by IPA would not be able to >>> access >>>>>>>> the shares. This is related to SSSD not yet being able to handle >>>>>>>> NTLMSSP authentication. >>>>>>>> >>>>>>>> It might not be that easy to have a Samba Shares only server. >>>>>>>> >>>>>>>> Any idea here how to accomplish ? >>>>>>>> >>>>>>>> Cheers, >>>>>>>> >>>>>>>> Matt >>>>>>>> >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> Go to http://freeipa.org for more info on the project >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>>> >>>>> >>> >>> -- >>> Manage your subscription for the Freeipa-users 
>>> mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>>

From jhrozek at redhat.com Tue Aug 4 12:34:58 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 4 Aug 2015 14:34:58 +0200
Subject: [Freeipa-users] FreeIPA and sudo Defaults
In-Reply-To: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet>
Message-ID: <20150804123458.GF5197@hendrix.arn.redhat.com>

On Tue, Aug 04, 2015 at 10:57:34AM +0100, Innes, Duncan wrote:
> Hi folks,
>
> Struggling with creating a sudo rule in IPA that will allow my
> foreman-proxy to run specific commands. When I put the following into
> /etc/sudoers.d/foreman:
>
> [root at puppet01 ~]# cat /etc/sudoers.d/foreman
> foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet
> kick *
> Defaults:foreman-proxy !requiretty
> innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
> Defaults:innesd !requiretty
> [root at puppet01 ~]#
>
> [innesd at puppet01 ~]$ sudo -l
> Matching Defaults entries for innesd on this host:
>     !requiretty
>
> User innesd may run the following commands on this host:
>     (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick
> *
>     (root) /bin/su
> [innesd at puppet01 ~]$
>
> Both my user and the foreman-proxy can run the relevant commands both on
> the command line and remotely.
>
> IT Security are not happy with local sudo rules being condifured around
> the network, so I'm trying to create the same configuration via IPA.
>
> When I try to get the same rule into IPA, my user can run the command in
> a tty, but the foreman-proxy user is refused.
> This looks to be down to
> the lack of !requiretty coming through for the users:
>
> [root at ipa01 ~]# ipa sudorule-show foreman-proxy
>   Rule name: foreman-proxy
>   Enabled: TRUE
>   User category: all
>   Hosts: puppet02.example.com, puppet01.example.com,
>          puppet03.example.com, puppet04.example.com
>   Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
>   Sudo Option: !authenticate, !requiretty
> [root at ipa01 ~]#

I'm adding Pavel Brezina who might have some hints.

From tlau at tetrioncapital.com Tue Aug 4 13:10:42 2015
From: tlau at tetrioncapital.com (Thomas Lau)
Date: Tue, 4 Aug 2015 21:10:42 +0800
Subject: [Freeipa-users] IPA client enrollment check
Message-ID:

Does anyone know how I could check if a client is enrolled or not? I'm trying to automate the enrollment process using a generic tool; since I am using Ubuntu, only ipa-client-install is available.

From yamakasi.014 at gmail.com Tue Aug 4 13:32:52 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 4 Aug 2015 15:32:52 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:

[2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER

I also wonder if I shall still sync the users locally, or is it needed?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> From our smb.conf file:
>
> [global]
> security = user
> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
> ldap suffix = dc=my,dc=silly,dc=example,dc=com
> ldap admin dn = cn=Directory Manager
>
> So yes, we use Directory Manager, it works for us.
> I have not tried with a
> less powerful user, but it is conceivable that a lesser user may not see
> all the required attributes, resulting in "no such user" errors.
>
> Chris

From janellenicole80 at gmail.com Tue Aug 4 14:11:57 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 4 Aug 2015 07:11:57 -0700
Subject: [Freeipa-users] FreeIPA user ID differs
In-Reply-To:
References:
Message-ID: <55C0C82D.1040104@gmail.com>

I too have seen this same unique "bug". My guess is, you have compatibility mode enabled AND you used the GUI to manipulate the group memberships. I have found this to be buggy. Using CLI based commands did not have the same results. However, once the 2 trees - "cn=accounts" and "cn=compat" are no longer in sync, I have found the only way to fix this is with ldapmodify commands, since neither the GUI nor the command line tools believe the users are in the groups in question anymore.
~Janelle

On 8/4/15 2:26 AM, Christopher Lamb wrote:
> Markus
>
> Have you checked both the cn=accounts and cn=compat trees?. Users and
> groups are stored in both, and both would need manipulation...
>
> Ciao
>
> Chris
>
>
>
> From:
> To:
> Date: 04.08.2015 11:14
> Subject: [Freeipa-users] FreeIPA user ID differs
> Sent by: freeipa-users-bounces at redhat.com
>
>
>
> Hi @all,
>
> I've encountered a strange "error". I've created a user with a generated
> UID from the predefined range. After creation I've had to manipulate the
> UID to fit an old NIS configuration and set the UID to the old NIS value.
> FreeIPA shows the correct UID as well as ldapsearch. But if I logon onto a
> host and enter `id ` I receive the old UID, GID and groups
> information instead of the corrected one.
>
> Maybe someone can help me out to pinpoint the error and to fix it.
>
> Cheers,
> Markus
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From janellenicole80 at gmail.com Tue Aug 4 14:29:13 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 4 Aug 2015 07:29:13 -0700
Subject: [Freeipa-users] approving certs?
Message-ID: <55C0CC39.8010408@gmail.com>

Hello,

Well, I am more used to working with openssl directly, so I am a little confused when using FreeIPA and certmonger. I assume that when a certificate is in this state:

status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes

That it needs to be approved, but I am not sure where that is. I see all the "cert" commands, but don't see anything relating to approvals? Am I missing something obvious here?

Thank you
~J

From janellenicole80 at gmail.com Tue Aug 4 15:01:13 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 4 Aug 2015 08:01:13 -0700
Subject: [Freeipa-users] Adding SAN to default self-signed cert?
In-Reply-To: <20150803035337.GC4843@dhcp-40-8.bne.redhat.com>
References: <55BE92D8.1090008@gmail.com> <20150803035337.GC4843@dhcp-40-8.bne.redhat.com>
Message-ID: <55C0D3B9.40004@gmail.com>

Trying to figure this out:

ipa host-add haproxy.example.com
ipa service-add HTTP/haproxy.example.com@EXAMPLE.COM
ipa service-add LDAP/haproxy.example.com@EXAMPLE.COM
ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com -N 'CN=haproxy.example.com,O=EXAMPLE.COM'

^^^^^ this is where I am confused, because if I created a cert request for the new service, then why am I putting the name of the haproxy in the SAN? Unless I am completely misreading your suggestion?

Thank you
~J

On 8/2/15 8:53 PM, Fraser Tweedale wrote:
> On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
>> Hello everyone,
>>
>> I was wondering if anyone knows of a way to add SAN(s) to the self-signed
>> certificates that are installed when you install freeipa? Or am I stuck
>> having to do a re-install and use new certificates? If you try to run
>> haproxy as a load balancer in front of the "ldap/http" servers, well, as you
>> might guess the haproxy server name needs to be added somehow to the server
>> configs so it is a SAN of the existing self-signed certs. I can't think of
>> any way to do it, but maybe some of the pki experts here have an idea?
>>
>> Thank you
>> ~Janelle
>>
> You do not need a SAN on the root certificate, but on the service
> certificates. This is supported: you first need to create a service
> principal for the load balancer, then issue a new service
> certificate with the haproxy SAN in the CSR (the getcert `-D' option
> can be used to add a SAN to a certmonger request).
>
> HTH,
> Fraser

From rlocke at redhat.com Tue Aug 4 15:01:22 2015
From: rlocke at redhat.com (Robert Locke)
Date: Tue, 04 Aug 2015 11:01:22 -0400
Subject: [Freeipa-users] IdM Password Expiration
Message-ID: <1438700482.23059.10.camel@localhost.localdomain>

Hey folks,

I have been using the following to adjust the Password Expiration of accounts in IdM/IPA:

echo "$ADMIN_PASS" | kinit admin
echo -e "dn: uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS

This has worked nicely for me. My "new" problem is that the admin account itself expires after 90 days. I thought since ldapsearch does show the admin account, that simply substituting the uid might work.

echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS

My attempts to adjust the admin account in this similar fashion have been not surprisingly unsuccessful. Suggestions/pointers?

--Rob

--
Robert Locke
Google Voice: (203) 794-6007
Senior Curriculum Developer
rlocke at redhat.com
GnuPG: A334 CAB1 451A 6083 CDD8 40FE A5DE E418 82E0 0780

From janellenicole80 at gmail.com Tue Aug 4 15:29:25 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 4 Aug 2015 08:29:25 -0700
Subject: [Freeipa-users] Keeping a Tuesday fun - replication? without replication?
Message-ID: <55C0DA55.20906@gmail.com>

Hello again,

Just to keep your Tuesday fun, is this possible:

16 servers.
ipa-replica-manage list <---- shows all 16

1 of the servers broke a couple of weeks ago and was removed with "clean-ruv" but STILL shows up in the replica list, but not a single master has a replica agreement with it, so there is no way to delete it since trying to do "ipa-replica-manage del" with any options, including force, from ANY servers says there is no replica agreement. How is this possible and how do I get rid of the phantom replica? And I did try --cleanup and it took it, but did nothing. And there is NOTHING in the logs??

To further clarify, it is not a CA either, and never was.

Very confusing indeed. I just like to keep the developers on their toes. :-)

~Janelle

From rcritten at redhat.com Tue Aug 4 15:40:05 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Aug 2015 11:40:05 -0400
Subject: [Freeipa-users] Keeping a Tuesday fun - replication? without replication?
In-Reply-To: <55C0DA55.20906@gmail.com>
References: <55C0DA55.20906@gmail.com>
Message-ID: <55C0DCD5.6080401@redhat.com>

Janelle wrote:
> Hello again,
>
> Just to keep your Tuesday fun, is this possible:
>
> 16 servers.
> ipa-replica-manage list <---- shows all 16
>
> 1 of the servers broke a couple of weeks ago and was removed with
> "clean-ruv" but STILL shows up in the replica list, but not a single
> master has a replica agreement with it, so there is no way to delete it
> since trying to do "ipa-replica-manage del" with any options, including
> force, from ANY servers says there is no replica agreement. How is this
> possible and how do I get rid of the phantom replica? and I did try
> --cleanup and it took it, but did nothing. And there is NOTHING in the
> logs??
>
> To further clarify, it is not a CA either, and never was.
>
> Very confusing indeed. I just like to keep the developers on their toes.
> :-)

list shows those entries in cn=masters,cn=ipa,cn=etc,$SUFFIX. It doesn't show agreements or topology.

What output do you see when --cleanup is used?

You should check the 389-ds access log after this is run as well to see what searches and mods were attempted.

rob

From christopher.lamb at ch.ibm.com Tue Aug 4 15:45:19 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 4 Aug 2015 17:45:19 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Matt

I assume [username] is a real username, identical to that in the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).

Your user should be a member of the appropriate samba groups that you set up in FreeIPA.

You should check that the user attribute SambaPwdLastSet is set to a positive value (e.g. 1). If not you get an error in the Samba logs - I would need to play around again with a test user to find out the exact error.

I don't understand what you mean about syncing the users local, but we did not need to do anything like that.

Chris

From: "Matt ."
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: "freeipa-users at redhat.com"
Date: 04.08.2015 15:33
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:

[2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER

I also wonder if I shall still sync the users local, or is it needed ?
Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> From our smb.conf file:
>
> [global]
> security = user
> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
> ldap suffix = dc=my,dc=silly,dc=example,dc=com
> ldap admin dn = cn=Directory Manager
>
> So yes, we use Directory Manager, it works for us. I have not tried with a
> less powerful user, but it is conceivable that a lesser user may not see
> all the required attributes, resulting in "no such user" errors.
>
> Chris
From yamakasi.014 at gmail.com Tue Aug 4 15:55:42 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 4 Aug 2015 17:55:42 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

Yes, log is anonymised.

It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.

There must be something going wrong I guess.

Matt

2015-08-04 17:45 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> I assume [username] is a real username, identical to that in the FreeIPA
> cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>
> Your user should be a member of the appropriate samba groups that you set up
> in FreeIPA.
>
> You should check that the user attribute SambaPwdLastSet is set to a
> positive value (e.g. 1). If not you get an error in the Samba logs - I
> would need to play around again with a test user to find out the exact
> error.
>
> I don't understand what you mean about syncing the users local, but we did
> not need to do anything like that.
>
> Chris
>>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> >>>>>>>>>> Matt >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>> Go to http://freeipa.org for more info on the project From lkrispen at redhat.com Tue Aug 4 16:06:36 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 04 Aug 2015 18:06:36 +0200 Subject: [Freeipa-users] Keeping a Tuesday fun - replication? without replication? In-Reply-To: <55C0DCD5.6080401@redhat.com> References: <55C0DA55.20906@gmail.com> <55C0DCD5.6080401@redhat.com> Message-ID: <55C0E30C.2060602@redhat.com> On 08/04/2015 05:40 PM, Rob Crittenden wrote: > Janelle wrote: >> Hello again, >> >> Just to keep your Tuesday fun, is this possible: >> >> 16 servers.
>> ipa-replica-manage list <---- shows all 16 >> >> 1 of the servers broke a couple of weeks ago and was removed with >> "clean-ruv" but STILL shows up in the replica list, but not a single >> master has a replica agreement with it, so there is no way to delete it >> since trying to do "ipa-replica-manage del" with any options, including >> force, from ANY servers says there is no replica agreement. How is this >> possible and how do I get rid of the phantom replica? and I did try >> --cleanup and it took it, but did nothing. And there is NOTHING in the >> logs?? >> >> To further clarify, it is not a CA either, and never was. >> >> Very confusing indeed. I just like to keep the developers on their toes. >> :-) don't know if I want to know the answer, but is it contained in the ruvs ? > > list shows the those entries in cn=masters,cn=ipa,cn=etc,$SUFFIX. It > doesn't show agreements or topology. > > What output do you see when --cleanup is used? > > You should check the 389-ds access log after this is run as well to > see what searches and mods were attempted. > > rob > From janellenicole80 at gmail.com Tue Aug 4 16:14:40 2015 From: janellenicole80 at gmail.com (Janelle) Date: Tue, 4 Aug 2015 09:14:40 -0700 Subject: [Freeipa-users] Keeping a Tuesday fun - replication? without replication? In-Reply-To: <55C0E30C.2060602@redhat.com> References: <55C0DA55.20906@gmail.com> <55C0DCD5.6080401@redhat.com> <55C0E30C.2060602@redhat.com> Message-ID: <55C0E4F0.7070708@gmail.com> On 8/4/15 9:06 AM, Ludwig Krispenz wrote: > > On 08/04/2015 05:40 PM, Rob Crittenden wrote: >> Janelle wrote: >>> Hello again, >>> >>> Just to keep your Tuesday fun, is this possible: >>> >>> 16 servers. 
>>> ipa-replica-manage list <---- shows all 16 >>> >>> 1 of the servers broke a couple of weeks ago and was removed with >>> "clean-ruv" but STILL shows up in the replica list, but not a single >>> master has a replica agreement with it, so there is no way to delete it >>> since trying to do "ipa-replica-manage del" with any options, including >>> force, from ANY servers says there is no replica agreement. How is this >>> possible and how do I get rid of the phantom replica? and I did try >>> --cleanup and it took it, but did nothing. And there is NOTHING in the >>> logs?? >>> >>> To further clarify, it is not a CA either, and never was. >>> >>> Very confusing indeed. I just like to keep the developers on their >>> toes. >>> :-) > don't know if I want to know the answer, but is it contained in the > ruvs ? No. That is why I am baffled. I want to re-add the server to help with loading, but obviously if it still shows up - so weird. Looks like ldapmodify is going to be required. I don't even have any strange CSN/replicas that can't be decoded in list-ruv ~J >> >> list shows the those entries in cn=masters,cn=ipa,cn=etc,$SUFFIX. It >> doesn't show agreements or topology. >> >> What output do you see when --cleanup is used? >> >> You should check the 389-ds access log after this is run as well to >> see what searches and mods were attempted. >> >> rob >> > From rcritten at redhat.com Tue Aug 4 16:16:31 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 04 Aug 2015 12:16:31 -0400 Subject: [Freeipa-users] Keeping a Tuesday fun - replication? without replication? 
In-Reply-To: <55C0E4F0.7070708@gmail.com> References: <55C0DA55.20906@gmail.com> <55C0DCD5.6080401@redhat.com> <55C0E30C.2060602@redhat.com> <55C0E4F0.7070708@gmail.com> Message-ID: <55C0E55F.5030009@redhat.com> Janelle wrote: > > > On 8/4/15 9:06 AM, Ludwig Krispenz wrote: >> >> On 08/04/2015 05:40 PM, Rob Crittenden wrote: >>> Janelle wrote: >>>> Hello again, >>>> >>>> Just to keep your Tuesday fun, is this possible: >>>> >>>> 16 servers. >>>> ipa-replica-manage list <---- shows all 16 >>>> >>>> 1 of the servers broke a couple of weeks ago and was removed with >>>> "clean-ruv" but STILL shows up in the replica list, but not a single >>>> master has a replica agreement with it, so there is no way to delete it >>>> since trying to do "ipa-replica-manage del" with any options, including >>>> force, from ANY servers says there is no replica agreement. How is this >>>> possible and how do I get rid of the phantom replica? and I did try >>>> --cleanup and it took it, but did nothing. And there is NOTHING in the >>>> logs?? >>>> >>>> To further clarify, it is not a CA either, and never was. >>>> >>>> Very confusing indeed. I just like to keep the developers on their >>>> toes. >>>> :-) >> don't know if I want to know the answer, but is it contained in the >> ruvs ? > No. That is why I am baffled. I want to re-add the server to help with > loading, but obviously if it still shows up - so weird. Looks like > ldapmodify is going to be required. I don't even have any strange > CSN/replicas that can't be decoded in list-ruv Like I said, this has nothing to do with replication or replication agreements. It pulls the list from cn=masters. You can try to delete entries manually but you run the risk of missing something. rob > > ~J >>> >>> list shows the those entries in cn=masters,cn=ipa,cn=etc,$SUFFIX. It >>> doesn't show agreements or topology. >>> >>> What output do you see when --cleanup is used? 
>>> >>> You should check the 389-ds access log after this is run as well to >>> see what searches and mods were attempted. >>> >>> rob >>> >> > From piolet.y at gmail.com Tue Aug 4 16:55:50 2015 From: piolet.y at gmail.com (Youenn PIOLET) Date: Tue, 4 Aug 2015 18:55:50 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi there, I have difficulties to follow you at this point :) Here is what I've done and what I've understood: ## SMB Side - Testparm OK - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. - pdbedit -Lv output is all successful but I can see there is a filter: (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have sambaSamAccount. ## LDAP / FreeIPA side - Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions. - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create users nor groups anymore, as new samba attributes are needed for instantiation. - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does. - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...) ## Questions 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no. 1) How to generate the user/group SIDs? They are requested to add sambaSamAccount classes. This article doesn't seem relevant since we don't use a domain controller http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html and net getlocalsid returns an error. 2) How to fix samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation, where can I find it? 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7? Thanks a lot for your previous and future answers -- Youenn Piolet piolet.y at gmail.com 2015-08-04 17:55 GMT+02:00 Matt . : > Hi, > > Yes, log is anonymised. > > It's strange, my user doesn't have a SambaPwdLastSet, also when I > change its password it doesn't get it in ldap. > > There must be something going wrong I guess. > > Matt > > 2015-08-04 17:45 GMT+02:00 Christopher Lamb : > > Hi Matt > > > > I assume [username] is a real username, identical to that in the FreeIPA > > cn=accounts, cn=users tree? (i.e. you anonymised the log extract). > > > > Your user should be a member of the appropriate samba groups that you > setup > > in FreeIPA. > > > > You should check that the user attribute SambaPwdLastSet is set to a > > positive value (e.g. 1). If not you get an error in the Samba logs - I > > would need to play around again with a test user to find out the exact > > error. > > > > I don't understand what you mean about syncing the users local, but we > did > > not need to do anything like that. > > > > Chris > > > > > > > > > > From: "Matt ." > > To: Christopher Lamb/Switzerland/IBM at IBMCH > > Cc: "freeipa-users at redhat.com" > > Date: 04.08.2015 15:33 > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > > > > > Hi Chris, > > > > A puppet run added another passdb backend, that was causing my issue. > > > > What I still experience is: > > > > > > [2015/08/04 15:29:45.477783, 3] > > ../source3/auth/check_samsec.c:399(check_sam_security) > > check_sam_security: Couldn't find user 'username' in passdb.
> > [2015/08/04 15:29:45.478026, 2] > > ../source3/auth/auth.c:288(auth_check_ntlm_password) > > check_ntlm_password: Authentication for user [username] -> > > [username] FAILED with error NT_STATUS_NO_SUCH_USER > > > > > > I also wonder if I shall still sync the users local, or is it needed ? > > > > Thanks again, > > > > Matt > > > > 2015-08-04 14:16 GMT+02:00 Christopher Lamb >: > >> Hi Matt > >> > >> From our smb.conf file: > >> > >> [global] > >> security = user > >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com > >> ldap suffix = dc=my,dc=silly,dc=example,dc=com > >> ldap admin dn = cn=Directory Manager > >> > >> So yes, we use Directory Manager, it works for us. I have not tried with > > a > >> less powerful user, but it is conceivable that a lesser user may not see > >> all the required attributes, resulting in "no such user" errors. > >> > >> Chris > >> > >> > >> > >> > >> From: "Matt ." > >> To: Christopher Lamb/Switzerland/IBM at IBMCH > >> Cc: "freeipa-users at redhat.com" > >> Date: 04.08.2015 13:32 > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > >> > >> > >> > >> Hi Chris, > >> > >> Thanks for the heads up, indeed local is 4 I see now when I add a > >> group from the GUI, great thanks! > >> > >> But do you use Directory Manager as ldap admin user or some other > >> admin account ? > >> > >> I'm not sure id DM is needed and it should get that deep into IPA. > >> Also when starting samba it cannot find "such user" as that sounds > >> quite known as it has no UID. > >> > >> From your config I see you use DM, this should work ? > >> > >> Thanks! > >> > >> > >> Matt > >> > >> > > > > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
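The two halves of this thread fit together: Samba's ldapsam backend only considers entries matching (&(uid=*)(objectclass=sambaSamAccount)), which is why a stock FreeIPA user produces NT_STATUS_NO_SUCH_USER, and Chris's working setup carries the extra objectClasses and attributes on each user and group. The following is an added example, not code from the thread, from FreeIPA or from Samba: it checks an ldapsearch entry against that filter and the attributes the thread names, and renders the LDIF that adds the extension to an existing user and group. Everything not on the page is assumed and marked as such: the domain SID (take it from `net getlocalsid` on the Samba host, or pick one; the value below is made up), Samba's classic "algorithmic rid base" mapping (user RID = 2*uid + 1000, group RID = 2*gid + 1001), and the constructed sample entry.

```python
"""Samba extension attributes for FreeIPA users/groups (added example, see lead-in).

Assumptions, not from the thread: domain SID, algorithmic RID mapping, sample entry."""
import base64
import time

ALGORITHMIC_RID_BASE = 1000   # Samba classic passdb default; assumption
DOMAIN_GROUP = 2              # sambaGroupType values named in the thread
LOCAL_GROUP = 4
USER_ATTRS = ("sambaSID", "sambaNTPassword", "sambaPwdLastSet")  # per Chris


def user_sid(domain_sid, uid_number):
    return f"{domain_sid}-{2 * uid_number + ALGORITHMIC_RID_BASE}"


def group_sid(domain_sid, gid_number):
    return f"{domain_sid}-{2 * gid_number + ALGORITHMIC_RID_BASE + 1}"


def _modify(dn, adds):
    """Render one LDIF 'changetype: modify' record; adds = [(attr, value), ...]."""
    out = [f"dn: {dn}", "changetype: modify"]
    for attr, value in adds:
        out += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"


def user_extension_ldif(dn, domain_sid, uid_number, pwd_last_set=None):
    """LDIF that turns an existing FreeIPA user into a sambaSamAccount.

    sambaPwdLastSet must be positive (Chris's advice); default is 'now'.
    sambaNTPassword is deliberately not written here: it has to come from the
    password-change path, which is exactly what Matt reports is not happening."""
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    if pwd_last_set <= 0:
        raise ValueError("sambaPwdLastSet must be a positive value")
    return _modify(dn, [("objectClass", "sambaSamAccount"),
                        ("sambaSID", user_sid(domain_sid, uid_number)),
                        ("sambaPwdLastSet", str(pwd_last_set))])


def group_extension_ldif(dn, domain_sid, gid_number, group_type=DOMAIN_GROUP):
    """LDIF that adds sambaGroupMapping (type 2 = domain, 4 = local) to a group."""
    if group_type not in (DOMAIN_GROUP, LOCAL_GROUP):
        raise ValueError("sambaGroupType must be 2 (domain) or 4 (local)")
    return _modify(dn, [("objectClass", "sambaGroupMapping"),
                        ("sambaGroupType", str(group_type)),
                        ("sambaSID", group_sid(domain_sid, gid_number))])


def parse_ldif_entry(text):
    """One LDIF entry as printed by ldapsearch -> {attr.lower(): [values]}.
    Folded continuation lines are joined; 'attr:: b64' values are decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def passdb_problems(entry):
    """Reasons ldapsam would not find or accept this user; [] means it looks complete."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "uid" not in entry:
        problems.append("no uid attribute: (uid=*) cannot match")
    if "sambasamaccount" not in classes:
        problems.append("objectClass sambaSamAccount missing: passdb filter "
                        "does not match, hence NT_STATUS_NO_SUCH_USER")
    for attr in USER_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"{attr} missing")
    pls = entry.get("sambapwdlastset", ["1"])[0]
    if not pls.isdigit() or int(pls) <= 0:
        problems.append("sambaPwdLastSet is not a positive value")
    return problems


# Constructed sample: a stock FreeIPA user as ldapsearch prints it, no Samba bits.
SAMPLE_USER = """dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: inetorgperson
uid: jdoe
uidNumber: 1500
gidNumber: 1500
cn: Jane Doe
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_USER)
    print("\n".join(passdb_problems(entry)))
    print(user_extension_ldif(entry["dn"][0], "S-1-5-21-1-2-3", int(entry["uidnumber"][0])))
    print(group_extension_ldif("cn=smbusers,cn=groups,cn=accounts,dc=example,dc=test",
                               "S-1-5-21-1-2-3", 1500))
```

Apply the output the way Matt does, with an admin ticket (`ldapmodify -Y GSSAPI -f user.ldif`), and re-run `pdbedit -Lv` to confirm the user now matches the filter. The attribute check is the quicker test than reading the smbd log: run it over `ldapsearch -Y GSSAPI -b cn=users,cn=accounts,<suffix> uid=<user>` output before touching anything. On the bind Samba itself uses, note that Chris's config binds as cn=Directory Manager; that credential sits in secrets.tdb on the file server, so a dedicated bind DN with an ACI granting read on just the samba attributes is the least-privilege alternative worth testing.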
From lkrispen at redhat.com Tue Aug 4 17:28:55 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 04 Aug 2015 19:28:55 +0200 Subject: [Freeipa-users] Keeping a Tuesday fun - replication? without replication? In-Reply-To: <55C0E4F0.7070708@gmail.com> References: <55C0DA55.20906@gmail.com> <55C0DCD5.6080401@redhat.com> <55C0E30C.2060602@redhat.com> <55C0E4F0.7070708@gmail.com> Message-ID: <55C0F657.3070905@redhat.com> Hi On 08/04/2015 06:14 PM, Janelle wrote: > > > On 8/4/15 9:06 AM, Ludwig Krispenz wrote: >> >> On 08/04/2015 05:40 PM, Rob Crittenden wrote: >>> Janelle wrote: >>>> Hello again, >>>> >>>> Just to keep your Tuesday fun, is this possible: >>>> >>>> 16 servers. >>>> ipa-replica-manage list <---- shows all 16 >>>> >>>> 1 of the servers broke a couple of weeks ago and was removed with >>>> "clean-ruv" but STILL shows up in the replica list, but not a single >>>> master has a replica agreement with it, so there is no way to >>>> delete it >>>> since trying to do "ipa-replica-manage del" with any options, >>>> including >>>> force, from ANY servers says there is no replica agreement. How is >>>> this >>>> possible and how do I get rid of the phantom replica? and I did try >>>> --cleanup and it took it, but did nothing. And there is NOTHING in the >>>> logs?? >>>> >>>> To further clarify, it is not a CA either, and never was. >>>> >>>> Very confusing indeed. I just like to keep the developers on their >>>> toes. >>>> :-) >> don't know if I want to know the answer, but is it contained in the >> ruvs ? > No. That is why I am baffled. I want to re-add the server to help with > loading, but obviously if it still shows up - so weird. Looks like > ldapmodify is going to be required. I don't even have any strange > CSN/replicas that can't be decoded in list-ruv you probably did run into this issue: https://fedorahosted.org/freeipa/ticket/5019 ipa-replica-manage del failed to delete the master because it did not remove all services before.
If you want to do it by ldapmodify, check what services are there below the master entry and remove these before removing the master > > ~J >>> >>> list shows the those entries in cn=masters,cn=ipa,cn=etc,$SUFFIX. It >>> doesn't show agreements or topology. >>> >>> What output do you see when --cleanup is used? >>> >>> You should check the 389-ds access log after this is run as well to >>> see what searches and mods were attempted. >>> >>> rob >>> >> > From nalin at redhat.com Tue Aug 4 18:33:32 2015 From: nalin at redhat.com (Nalin Dahyabhai) Date: Tue, 4 Aug 2015 14:33:32 -0400 Subject: [Freeipa-users] approving certs? In-Reply-To: <55C0CC39.8010408@gmail.com> References: <55C0CC39.8010408@gmail.com> Message-ID: <20150804183332.GA8491@redhat.com> On Tue, Aug 04, 2015 at 07:29:13AM -0700, Janelle wrote: > Hello, > > Well, I am more used to working with openssl directly, so I am a little > confused when using FreeIPA and certmonger. I assume that when a > certificate is in this state: > > status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN > stuck: yes > > That it needs to be approved, but I am not sure where that is. I see all the > "cert" commands, but don't see anything relating to approvals? Am I missing > something obvious here? That state means that certmonger went to use the private key (most often for generating a signing request), but couldn't, either because the PIN it was given can't be used to decrypt the private key, or because it's having trouble reading the file in which it's been told the PIN is kept. If there's a PIN file (the -p flag), check the SELinux labeling of the file. Otherwise, check that the value that's specified (with the -P flag) is correct -- if there isn't one, then there should be.
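For the phantom-master problem in the replication thread above (Rob's point that ipa-replica-manage list is read from cn=masters,cn=ipa,cn=etc,$SUFFIX, and Ludwig's advice to remove the service entries below the master entry before the entry itself), here is an added example; it is not FreeIPA's own code. It takes an ldapsearch dump of the stale master's subtree, lists the services found under it, and emits the deletes child-first so that no entry is removed while it still has children, refusing the obvious foot-guns (an entry that is not directly under cn=masters, or one that still has a CA service, since the thread's case explicitly was not a CA). The suffix dc=example,dc=test, the host name ipa3.example.test and the service entries in the sample dump are constructed.

```python
"""Build child-first delete LDIF for a stale cn=masters entry (added example).

Assumptions, not from the thread: suffix, host name and services in SAMPLE_DUMP."""
import re

MASTERS_CONTAINER = "cn=masters,cn=ipa,cn=etc"


def rdns(dn):
    """Split a DN on unescaped commas; enough for cn=masters entries, whose
    RDNs are plain host and service names."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def dns_in(ldif_text):
    """All 'dn:' values in an LDIF dump, in file order."""
    return [line[3:].strip() for line in ldif_text.splitlines()
            if line.lower().startswith("dn:")]


def services_below(ldif_text, master_dn):
    """Service names directly under the master entry, e.g. ['DNS', 'KDC']."""
    want = rdns(master_dn.lower())
    found = []
    for dn in dns_in(ldif_text):
        parts = rdns(dn.lower())
        if len(parts) == len(want) + 1 and parts[1:] == want:
            found.append(rdns(dn)[0].split("=", 1)[1])
    return sorted(found)


def deletion_order(ldif_text, master_dn):
    """DNs inside the master's subtree, deepest first; the master comes last."""
    want = rdns(master_dn.lower())
    in_tree = [dn for dn in dns_in(ldif_text)
               if rdns(dn.lower())[-len(want):] == want]
    return sorted(in_tree, key=lambda d: len(rdns(d)), reverse=True)


def cleanup_ldif(ldif_text, master_dn, suffix):
    """LDIF with one 'changetype: delete' per entry, children before parent."""
    master_l = master_dn.lower()
    if rdns(master_l)[1:] != rdns(f"{MASTERS_CONTAINER},{suffix}".lower()):
        raise ValueError("refusing: not an entry directly under cn=masters")
    if "ca" in (s.lower() for s in services_below(ldif_text, master_dn)):
        raise ValueError("refusing: master still has a CA service; handle CA masters separately")
    order = deletion_order(ldif_text, master_dn)
    if not order or order[-1].lower() != master_l:
        raise ValueError("master entry not found in the dump")
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in order)


# Constructed: roughly what an ldapsearch of the stale master's subtree prints
# (attributes abbreviated).
SAMPLE_DUMP = """dn: cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: top
objectClass: nsContainer
cn: ipa3.example.test

dn: cn=KDC,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDC
ipaConfigString: enabledService

dn: cn=DNS,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: DNS
ipaConfigString: enabledService
"""

if __name__ == "__main__":
    master = "cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
    print("services below the stale master:", services_below(SAMPLE_DUMP, master))
    print(cleanup_ldif(SAMPLE_DUMP, master, "dc=example,dc=test"))
```

Dump the subtree first (`ldapsearch -Y GSSAPI -b "cn=<host>,cn=masters,cn=ipa,cn=etc,<suffix>" -s sub dn`), make sure the services listed are the ones you expect for that host, then feed the generated file to `ldapmodify -D "cn=Directory Manager" -W -f cleanup.ldif`. Afterwards do what Rob suggests for --cleanup: grep the 389-ds access log (/var/log/dirsrv/slapd-<INSTANCE>/access) for the DEL operations and their RESULT lines, so you can see that each delete was actually attempted and returned err=0.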
HTH, Nalin From jpazdziora at redhat.com Tue Aug 4 19:06:05 2015 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Tue, 4 Aug 2015 21:06:05 +0200 Subject: [Freeipa-users] Unable to install ipa-server-trust-ad In-Reply-To: References: Message-ID: <20150804190605.GB1422@redhat.com> On Wed, Jul 22, 2015 at 01:36:27PM -0400, Carlos Raúl Laguna wrote: > > I am using fedora 22 server with copr repos enabled for freeipa 4.2, > according with the documentation I execute sudo dnf install -y > "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap however the > following error occurs > > Error: package freeipa-server-trust-ad-4.1.4-2.fc22.x86_64 requires > samba-python, but none of the providers can be installed > > I clean the metadata and try again but no change. Any help will be great Carlos, I'm sorry it took me so long to check this. On my Fedora 22, the samba-python-4.2.2-1.fc22 is available from Fedora 22 updates repo. Could you please check your /etc/yum.repos.d/fedora-updates.repo to see if you have updates enabled? I have hit https://fedorahosted.org/freeipa/ticket/5180 and https://bugzilla.redhat.com/show_bug.cgi?id=1250228 when attempting the installation today but that should be fairly easy to workaround by not having krb5-devel installed from updates when you start the installation, and it does not seem related to the samba-python issue you see. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From christopher.lamb at ch.ibm.com Tue Aug 4 19:22:45 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Tue, 4 Aug 2015 21:22:45 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi Matt, Youenn Just to set the background properly, I did not invent this process. I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon.
(I did have an older FreeIPA 3.x / Samba 3.x installation as a reference). It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier. My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users): * objectClass: sambasamaccount * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups): * objectClass: sambaGroupMapping * Attributes: sambaGroupType, sambaSID The Users must belong to one or more of the samba groups that you have setup. If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions. It would be worth testing comparing a new user / group created post adding the extensions to a previous existing user. i.e. are the extensions missing on existing users / groups? are the extensions missing on new users / groups? Cheers Chris From: Youenn PIOLET To: "Matt ." Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com" Date: 04.08.2015 18:56 Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA Hi there, I have difficulties to follow you at this point :) Here is what I've done and what I've understood: ## SMB Side - Testparm OK - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. - pdbedit -Lv output is all successfull but I can see there is a filter : (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have sambaSamAccount. ## LDAP / FreeIPA side - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions. - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects - I have add sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes.
In that state I can't create user nor groups anymore, as new samba attributes are needed for instantiation. - I have add in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does. - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...) ## Questions 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no. 1) How to generate the user/group SIDs ? They are requested to add sambaSamAccount classes. This article doesn't seem relevant since we don't use domain controller http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html and netgetlocalsid returns an error. 2) How to fix samba.js plugin? 3) I guess an equivalent of samba.js is needed for user creation, where can I find it? 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7? Thanks a lot for your previous and future answers -- Youenn Piolet piolet.y at gmail.com 2015-08-04 17:55 GMT+02:00 Matt . : Hi, Yes, log is anonymised. It's strange, my user doesn't have a SambaPwdLastSet, also when I change it's password it doesn't get it in ldap. There must be something going wrong I guess. Matt 2015-08-04 17:45 GMT+02:00 Christopher Lamb : > Hi Matt > > I assume [username] is a real username, identical to that in the FreeIPA > cn=accounts, cn=users tree? (i.e. you anonymised the log extract). > > You user should be a member of the appropriate samba groups that you setup > in FreeIPA. > > You should check that the user attribute SambaPwdLastSet is set to a > positive value (e.g. 1). If not you get an error in the Samba logs - I > would need to play around again with a test user to find out the exact > error.
> > I don't understand what you mean about syncing the users local, but we did > not need to do anything like that. > > Chris > > > > > From: "Matt ." > To: Christopher Lamb/Switzerland/IBM at IBMCH > Cc: "freeipa-users at redhat.com" > Date: 04.08.2015 15:33 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi Chris, > > A puppet run added another passdb backend, that was causing my issue. > > What I still experience is: > > > [2015/08/04 15:29:45.477783, 3] > ../source3/auth/check_samsec.c:399(check_sam_security) > check_sam_security: Couldn't find user 'username' in passdb. > [2015/08/04 15:29:45.478026, 2] > ../source3/auth/auth.c:288(auth_check_ntlm_password) > check_ntlm_password: Authentication for user [username] -> > [username] FAILED with error NT_STATUS_NO_SUCH_USER > > > I also wonder if I shall still sync the users local, or is it needed ? > > Thanks again, > > Matt > > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < christopher.lamb at ch.ibm.com>: >> Hi Matt >> >> From our smb.conf file: >> >> [global] >> security = user >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >> ldap admin dn = cn=Directory Manager >> >> So yes, we use Directory Manager, it works for us. I have not tried with > a >> less powerful user, but it is conceivable that a lesser user may not see >> all the required attributes, resulting in "no such user" errors. >> >> Chris >> >> >> >> >> From: "Matt ." >> To: Christopher Lamb/Switzerland/IBM at IBMCH >> Cc: "freeipa-users at redhat.com" >> Date: 04.08.2015 13:32 >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> >> >> >> Hi Chris, >> >> Thanks for the heads up, indeed local is 4 I see now when I add a >> group from the GUI, great thanks! >> >> But do you use Directory Manager as ldap admin user or some other >> admin account ?
>> >> I'm not sure id DM is needed and it should get that deep into IPA. >> Also when starting samba it cannot find "such user" as that sounds >> quite known as it has no UID. >> >> From your config I see you use DM, this should work ? >> >> Thanks! >> >> >> Matt >> >> > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From yamakasi.014 at gmail.com Tue Aug 4 23:00:55 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Wed, 5 Aug 2015 01:00:55 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi Chris, I'm at the right path, but my issue is that: ldapmodify -Y GSSAPI <: > Hi Matt, Youeen > > Just to set the background properly, I did not invent this process. I know > only a little about FreeIPA, and almost nothing about Samba, but I guess I > was lucky enough to get the integration working on a Sunday afternoon. (I > did have an older FreeIPA 3.x / Samba 3.x installation as a reference). > > It sounds like we need to step back, and look at the test user and group in > the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier. > > My FreeIPA / Samba Users have the following Samba extensions in FreeIPA > (cn=accounts, cn=users): > > * objectClass: sambasamaccount > > * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet > > My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA > (cn=accounts, cn=groups): > > * objectClass: sambaGroupMapping > > * Attributes: sambaGroupType, sambaSID > > The Users must belong to one or more of the samba groups that you have > setup. > > If you don't have something similar to the above (which sounds like it is > the case), then something went wrong applying the extensions. It would be > worth testing comparing a new user / group created post adding the > extensions to a previous existing user. > > i.e. 
> are the extensions missing on existing users / groups? > are the extensions missing on new users / groups? > > Cheers > > Chris > > > > > > From: Youenn PIOLET > To: "Matt ." > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, > "freeipa-users at redhat.com" > Date: 04.08.2015 18:56 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi there, > > I have difficulties to follow you at this point :) > Here is what I've done and what I've understood: > > ## SMB Side > - Testparm OK > - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. > - pdbedit -Lv output is all successfull but I can see there is a filter : > (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have > sambaSamAccount. > > ## LDAP / FreeIPA side > - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA > server to get samba LDAP extensions. > - I can see samba classes exist in LDAP but are not used on my group > objects nor my user objects > - I have add sambaSamAccount in FreeIPA default user classes, > and sambaGroupMapping to default group classes. In that state I can't > create user nor groups anymore, as new samba attributes are needed for > instantiation. > - I have add in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' > but I don't get what it does. > - I tried to add the samba.js plugin. It works, and adds the "local" option > when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 > (domain). It doesn't work and tells that sambagrouptype attribute doesn't > exist (but it should now I put sambaGroupType class by default...) > > ## Questions > 0) Can I ask samba not to search sambaSamAccount and use unix / posix > instead? I guess no. > 1) How to generate the user/group SIDs ? They are requested to add > sambaSamAccount classes. 
> This article doesn't seem relevant since we don't use domain controller > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html > and netgetlocalsid returns an error. > 2) How to fix samba.js plugin? > 3) I guess an equivalent of samba.js is needed for user creation, where can > I find it? > 4) Is your setup working with Windows 8 / Windows 10 and not only Windows > 7? > > Thanks a lot for your previous and future answers > > -- > Youenn Piolet > piolet.y at gmail.com > > > 2015-08-04 17:55 GMT+02:00 Matt . : > Hi, > > Yes, log is anonymised. > > It's strange, my user doesn't have a SambaPwdLastSet, also when I > change it's password it doesn't get it in ldap. > > There must be something going wrong I guess. > > Matt > > 2015-08-04 17:45 GMT+02:00 Christopher Lamb >: > > Hi Matt > > > > I assume [username] is a real username, identical to that in the > FreeIPA > > cn=accounts, cn=users tree? (i.e. you anonymised the log extract). > > > > You user should be a member of the appropriate samba groups that you > setup > > in FreeIPA. > > > > You should check that the user attribute SambaPwdLastSet is set to a > > positive value (e.g. 1). If not you get an error in the Samba logs - I > > would need to play around again with a test user to find out the exact > > error. > > > > I don't understand what you mean about syncing the users local, but we > did > > not need to do anything like that. > > > > Chris > > > > > > > > > > From: "Matt ." > > To: Christopher Lamb/Switzerland/IBM at IBMCH > > Cc: "freeipa-users at redhat.com" > > Date: 04.08.2015 15:33 > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > > > > > > > > Hi Chris, > > > > A puppet run added another passdb backend, that was causing my issue. > > > > What I still experience is: > > > > > > [2015/08/04 15:29:45.477783, 3] > > ../source3/auth/check_samsec.c:399(check_sam_security) > > check_sam_security: Couldn't find user 'username' in passdb. 
> > [2015/08/04 15:29:45.478026, 2] > > ../source3/auth/auth.c:288(auth_check_ntlm_password) > > check_ntlm_password: Authentication for user [username] -> > > [username] FAILED with error NT_STATUS_NO_SUCH_USER > > > > > > I also wonder if I shall still sync the users local, or is it needed ? > > > > Thanks again, > > > > Matt > > > > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < > christopher.lamb at ch.ibm.com>: > >> Hi Matt > >> > >> From our smb.conf file: > >> > >> [global] > >> security = user > >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com > >> ldap suffix = dc=my,dc=silly,dc=example,dc=com > >> ldap admin dn = cn=Directory Manager > >> > >> So yes, we use Directory Manager, it works for us. I have not tried > with > > a > >> less powerful user, but it is conceivable that a lesser user may not > see > >> all the required attributes, resulting in "no such user" errors. > >> > >> Chris > >> > >> > >> > >> > >> From: "Matt ." > >> To: Christopher Lamb/Switzerland/IBM at IBMCH > >> Cc: "freeipa-users at redhat.com" > >> Date: 04.08.2015 13:32 > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > >> > >> > >> > >> Hi Chris, > >> > >> Thanks for the heads up, indeed local is 4 I see now when I add a > >> group from the GUI, great thanks! > >> > >> But do you use Directory Manager as ldap admin user or some other > >> admin account ? > >> > >> I'm not sure id DM is needed and it should get that deep into IPA. > >> Also when starting samba it cannot find "such user" as that sounds > >> quite known as it has no UID. > >> > >> From your config I see you use DM, this should work ? > >> > >> Thanks! 
> >> > >> > >> Matt > >> > >> > > > > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > From christopher.lamb at ch.ibm.com Wed Aug 5 05:29:53 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 5 Aug 2015 07:29:53 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi Matt I also got the same result at that step, but can see nothing in Apache Directory Studio. As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes. Looking more closely at that LDIF: I wonder should it not be: ldapmodify -Y GSSAPI < To: Christopher Lamb/Switzerland/IBM at IBMCH Cc: Youenn PIOLET , "freeipa-users at redhat.com" Date: 05.08.2015 01:01 Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA Hi Chris, I'm at the right path, but my issue is that: ldapmodify -Y GSSAPI <: > Hi Matt, Youeen > > Just to set the background properly, I did not invent this process. I know > only a little about FreeIPA, and almost nothing about Samba, but I guess I > was lucky enough to get the integration working on a Sunday afternoon. (I > did have an older FreeIPA 3.x / Samba 3.x installation as a reference). > > It sounds like we need to step back, and look at the test user and group in > the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier. 
> > My FreeIPA / Samba Users have the following Samba extensions in FreeIPA > (cn=accounts, cn=users): > > * objectClass: sambaSamAccount > > * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet > > My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA > (cn=accounts, cn=groups): > > * objectClass: sambaGroupMapping > > * Attributes: sambaGroupType, sambaSID > > The Users must belong to one or more of the Samba groups that you have > set up. > > If you don't have something similar to the above (which sounds like it is > the case), then something went wrong applying the extensions. It would be > worth comparing a new user / group created after adding the > extensions to a previously existing user. > > i.e. > are the extensions missing on existing users / groups? > are the extensions missing on new users / groups? > > Cheers > > Chris > > > > > > From: Youenn PIOLET > To: "Matt ." > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, > "freeipa-users at redhat.com" > Date: 04.08.2015 18:56 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi there, > > I have difficulties following you at this point :) > Here is what I've done and what I've understood: > > ## SMB Side > - testparm OK > - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. > - pdbedit -Lv output is all successful, but I can see there is a filter: > (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have > sambaSamAccount. > > ## LDAP / FreeIPA side > - Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA > server to get the Samba LDAP extensions. > - I can see the Samba classes exist in LDAP but are not used on my group > objects nor my user objects. > - I have added sambaSamAccount to the FreeIPA default user classes, > and sambaGroupMapping to the default group classes. In that state I can't > create users or groups anymore, as the new Samba attributes are needed for > instantiation.
> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' > but I don't get what it does. > - I tried to add the samba.js plugin. It works, and adds the "local" option > when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 > (domain). It doesn't work and tells me that the sambagrouptype attribute doesn't > exist (but it should, now that I put the sambaGroupType class by default...) > > ## Questions > 0) Can I ask Samba not to search for sambaSamAccount and use unix / posix > instead? I guess not. > 1) How to generate the user/group SIDs? They are required to add the > sambaSamAccount classes. > This article doesn't seem relevant since we don't use a domain controller > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html > and net getlocalsid returns an error. > 2) How to fix the samba.js plugin? > 3) I guess an equivalent of samba.js is needed for user creation, where can > I find it? > 4) Is your setup working with Windows 8 / Windows 10 and not only Windows > 7? > > Thanks a lot for your previous and future answers > > -- > Youenn Piolet > piolet.y at gmail.com > > > 2015-08-04 17:55 GMT+02:00 Matt . : > Hi, > > Yes, the log is anonymised. > > It's strange, my user doesn't have a SambaPwdLastSet, and also when I > change its password it doesn't get one in LDAP. > > There must be something going wrong I guess. > > Matt > > 2015-08-04 17:45 GMT+02:00 Christopher Lamb >: > > Hi Matt > > > > I assume [username] is a real username, identical to that in the > FreeIPA > > cn=accounts, cn=users tree? (i.e. you anonymised the log extract). > > > > Your user should be a member of the appropriate Samba groups that you > set up > > in FreeIPA. > > > > You should check that the user attribute SambaPwdLastSet is set to a > > positive value (e.g. 1). If not, you get an error in the Samba logs - I > > would need to play around again with a test user to find out the exact > > error.
> > > > I don't understand what you mean about syncing the users local, but we > did > > not need to do anything like that. > > > > Chris > > > > > > > > > > From: "Matt ." > > To: Christopher Lamb/Switzerland/IBM at IBMCH > > Cc: "freeipa-users at redhat.com" > > Date: 04.08.2015 15:33 > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > > > > > > > > Hi Chris, > > > > A puppet run added another passdb backend, that was causing my issue. > > > > What I still experience is: > > > > > > [2015/08/04 15:29:45.477783, 3] > > ../source3/auth/check_samsec.c:399(check_sam_security) > > check_sam_security: Couldn't find user 'username' in passdb. > > [2015/08/04 15:29:45.478026, 2] > > ../source3/auth/auth.c:288(auth_check_ntlm_password) > > check_ntlm_password: Authentication for user [username] -> > > [username] FAILED with error NT_STATUS_NO_SUCH_USER > > > > > > I also wonder if I shall still sync the users local, or is it needed ? > > > > Thanks again, > > > > Matt > > > > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < > christopher.lamb at ch.ibm.com>: > >> Hi Matt > >> > >> From our smb.conf file: > >> > >> [global] > >> security = user > >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com > >> ldap suffix = dc=my,dc=silly,dc=example,dc=com > >> ldap admin dn = cn=Directory Manager > >> > >> So yes, we use Directory Manager, it works for us. I have not tried > with > > a > >> less powerful user, but it is conceivable that a lesser user may not > see > >> all the required attributes, resulting in "no such user" errors. > >> > >> Chris > >> > >> > >> > >> > >> From: "Matt ." > >> To: Christopher Lamb/Switzerland/IBM at IBMCH > >> Cc: "freeipa-users at redhat.com" > >> Date: 04.08.2015 13:32 > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > >> > >> > >> > >> Hi Chris, > >> > >> Thanks for the heads up, indeed local is 4 I see now when I add a > >> group from the GUI, great thanks! 
> >> > >> But do you use Directory Manager as ldap admin user or some other > >> admin account ? > >> > >> I'm not sure id DM is needed and it should get that deep into IPA. > >> Also when starting samba it cannot find "such user" as that sounds > >> quite known as it has no UID. > >> > >> From your config I see you use DM, this should work ? > >> > >> Thanks! > >> > >> > >> Matt > >> > >> > > > > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > From christopher.lamb at ch.ibm.com Wed Aug 5 05:51:11 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 5 Aug 2015 07:51:11 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi Matt If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below: #!RESULT OK #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy #!DATE 2015-08-05T05:45:04.608 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com changetype: modify add: ipaCustomFields ipaCustomFields: Samba Group Type,sambagrouptype,true After that I then have a visible attribute ipaCustomFields as expected. When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list. Once we get this cracked, we really must write a how-to on the FreeIPA Wiki. Chris From: Christopher Lamb/Switzerland/IBM at IBMCH To: "Matt ." Cc: "freeipa-users at redhat.com" Date: 05.08.2015 07:31 Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA Sent by: freeipa-users-bounces at redhat.com Hi Matt I also got the same result at that step, but can see nothing in Apache Directory Studio. As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes. 
Looking more closely at that LDIF: I wonder, should it not be:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF

i.e. changetype: modify, instead of changetype: add? I don't want to play around with my prod directory - I will set up an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around more destructively. Chris From: "Matt ." To: Christopher Lamb/Switzerland/IBM at IBMCH Cc: Youenn PIOLET , "freeipa-users at redhat.com" Date: 05.08.2015 01:01 Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA Hi Chris, I'm on the right path, but my issue is that:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF

does say it exists, my LDAP explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype, as it's needed by the other attributes. So that is my issue I think so far. Any clue about that? No problem "you don't know something or are no guru", we are all learning! :) Cheers, Matt 2015-08-04 21:22 GMT+02:00 Christopher Lamb : > Hi Matt, Youenn > > Just to set the background properly, I did not invent this process. I know > only a little about FreeIPA, and almost nothing about Samba, but I guess I > was lucky enough to get the integration working on a Sunday afternoon. (I > did have an older FreeIPA 3.x / Samba 3.x installation as a reference). > > It sounds like we need to step back, and look at the test user and group in > the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier. > > My FreeIPA / Samba Users have the following Samba extensions in FreeIPA > (cn=accounts, cn=users): > > * objectClass: sambaSamAccount > > * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet > > My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA > (cn=accounts, cn=groups): > > * objectClass: sambaGroupMapping > > * Attributes: sambaGroupType, sambaSID > > The Users must belong to one or more of the Samba groups that you have > set up. > > If you don't have something similar to the above (which sounds like it is > the case), then something went wrong applying the extensions. It would be > worth comparing a new user / group created after adding the > extensions to a previously existing user. > > i.e. > are the extensions missing on existing users / groups? > are the extensions missing on new users / groups? > > Cheers > > Chris > > > > > > From: Youenn PIOLET > To: "Matt ."
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, > "freeipa-users at redhat.com" > Date: 04.08.2015 18:56 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi there, > > I have difficulties following you at this point :) > Here is what I've done and what I've understood: > > ## SMB Side > - testparm OK > - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. > - pdbedit -Lv output is all successful, but I can see there is a filter: > (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have > sambaSamAccount. > > ## LDAP / FreeIPA side > - Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA > server to get the Samba LDAP extensions. > - I can see the Samba classes exist in LDAP but are not used on my group > objects nor my user objects. > - I have added sambaSamAccount to the FreeIPA default user classes, > and sambaGroupMapping to the default group classes. In that state I can't > create users or groups anymore, as the new Samba attributes are needed for > instantiation. > - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' > but I don't get what it does. > - I tried to add the samba.js plugin. It works, and adds the "local" option > when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 > (domain). It doesn't work and tells me that the sambagrouptype attribute doesn't > exist (but it should, now that I put the sambaGroupType class by default...) > > ## Questions > 0) Can I ask Samba not to search for sambaSamAccount and use unix / posix > instead? I guess not. > 1) How to generate the user/group SIDs? They are required to add the > sambaSamAccount classes. > This article doesn't seem relevant since we don't use a domain controller > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html > and net getlocalsid returns an error. > 2) How to fix the samba.js plugin? > 3) I guess an equivalent of samba.js is needed for user creation, where can > I find it?
> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows > 7? > > Thanks a lot for your previous and future answers > > -- > Youenn Piolet > piolet.y at gmail.com > > > 2015-08-04 17:55 GMT+02:00 Matt . : > Hi, > > Yes, the log is anonymised. > > It's strange, my user doesn't have a SambaPwdLastSet, and also when I > change its password it doesn't get one in LDAP. > > There must be something going wrong I guess. > > Matt > > 2015-08-04 17:45 GMT+02:00 Christopher Lamb >: > > Hi Matt > > > > I assume [username] is a real username, identical to that in the > FreeIPA > > cn=accounts, cn=users tree? (i.e. you anonymised the log extract). > > > > Your user should be a member of the appropriate Samba groups that you > set up > > in FreeIPA. > > > > You should check that the user attribute SambaPwdLastSet is set to a > > positive value (e.g. 1). If not, you get an error in the Samba logs - I > > would need to play around again with a test user to find out the exact > > error. > > > > I don't understand what you mean about syncing the users locally, but we > did > > not need to do anything like that. > > > > Chris > > > > > > > > > > From: "Matt ." > > To: Christopher Lamb/Switzerland/IBM at IBMCH > > Cc: "freeipa-users at redhat.com" > > Date: 04.08.2015 15:33 > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > > > > > > > > Hi Chris, > > > > A puppet run added another passdb backend, that was causing my issue. > > > > What I still experience is: > > > > > > [2015/08/04 15:29:45.477783, 3] > > ../source3/auth/check_samsec.c:399(check_sam_security) > > check_sam_security: Couldn't find user 'username' in passdb. > > [2015/08/04 15:29:45.478026, 2] > > ../source3/auth/auth.c:288(auth_check_ntlm_password) > > check_ntlm_password: Authentication for user [username] -> > > [username] FAILED with error NT_STATUS_NO_SUCH_USER > > > > > > I also wonder if I should still sync the users locally, or is it needed?
> > > > Thanks again, > > > > Matt > > > > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < > christopher.lamb at ch.ibm.com>: > >> Hi Matt > >> > >> From our smb.conf file: > >> > >> [global] > >> security = user > >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com > >> ldap suffix = dc=my,dc=silly,dc=example,dc=com > >> ldap admin dn = cn=Directory Manager > >> > >> So yes, we use Directory Manager, it works for us. I have not tried > with > > a > >> less powerful user, but it is conceivable that a lesser user may not > see > >> all the required attributes, resulting in "no such user" errors. > >> > >> Chris > >> > >> > >> > >> > >> From: "Matt ." > >> To: Christopher Lamb/Switzerland/IBM at IBMCH > >> Cc: "freeipa-users at redhat.com" > >> Date: 04.08.2015 13:32 > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > >> > >> > >> > >> Hi Chris, > >> > >> Thanks for the heads up, indeed local is 4 I see now when I add a > >> group from the GUI, great thanks! > >> > >> But do you use Directory Manager as ldap admin user or some other > >> admin account ? > >> > >> I'm not sure id DM is needed and it should get that deep into IPA. > >> Also when starting samba it cannot find "such user" as that sounds > >> quite known as it has no UID. > >> > >> From your config I see you use DM, this should work ? > >> > >> Thanks! > >> > >> > >> Matt > >> > >> > > > > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From ftweedal at redhat.com Wed Aug 5 06:36:48 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 5 Aug 2015 16:36:48 +1000 Subject: [Freeipa-users] Adding SAN to default self-signed cert? 
In-Reply-To: <55C0D3B9.40004@gmail.com> References: <55BE92D8.1090008@gmail.com> <20150803035337.GC4843@dhcp-40-8.bne.redhat.com> <55C0D3B9.40004@gmail.com> Message-ID: <20150805063648.GQ4843@dhcp-40-8.bne.redhat.com> On Tue, Aug 04, 2015 at 08:01:13AM -0700, Janelle wrote: > Trying to figure this out: > > ipa host-add haproxy.example.com > ipa service-add HTTP/haproxy.example.com at EXAMPLE.COM > ipa service-add LDAP/haproxy.example.com at EXAMPLE.COM > > ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com -N > 'CN=haproxy.example.com,O=EXAMPLE.COM' > > ^^^^^ this is where I am confused, because if I created a cert request for > the new service, then why am I putting the name of the haproxy in the SAN? > Unless I am completely misreading your suggestion? > You need to add haproxy.example.com as a SAN of the IPA host, or vice versa. Also, the service in the SAN must be "managed by" the host on which the certificate is issued (i.e. the host in the CN). You can do this in the web UI: Services > {service} > Hosts > Add. I do not know of a way to do this via CLI - if someone knows a way please shout out! So if the IPA service is `HTTP/ipa.example.com' and the load balancer service `HTTP/haproxy.example.com' is managed by host `ipa.example.com', you can run:

ipa-getcert request {nssdb-options} -n haproxy-cert \
    -K HTTP/ipa.example.com \
    -N CN=ipa.example.com \
    -D haproxy.ipa.local

-K gives the principal, -N gives the DN and -D gives the dNSName SAN. HTH, Fraser > Thank you > ~J > > On 8/2/15 8:53 PM, Fraser Tweedale wrote: > >On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote: > >>Hello everyone, > >> > >>I was wondering if anyone knows of a way to add SAN(s) to the self-signed > >>certificates that are installed when you install freeipa? Or am I stuck > >>having to do a re-install and use new certificates?
If you try to run > >>haproxy as a load balancer in front of the "ldap/http" servers, well, as you > >>might guess the haproxy server name needs to be added somehow to the server > >>configs so it is a SAN of the existing self-signed certs. I can't think of > >>any way to do it, but maybe some of the pki experts here have any idea? > >> > >>Thank you > >>~Janelle > >> > >You do not need a SAN on the root certificate, but on the service > >certificates. This is supported: you first need to create a service > >principal for the load balancer, then issue a new service > >certificate with the haproxy SAN in the CSR (the getcert `-D' option > >can be used to add a SAN to a certmonger request). > > > >HTH, > >Fraser > > > >>-- > >>Manage your subscription for the Freeipa-users mailing list: > >>https://www.redhat.com/mailman/listinfo/freeipa-users > >>Go to http://freeipa.org for more info on the project > From lslebodn at redhat.com Wed Aug 5 07:48:22 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 5 Aug 2015 09:48:22 +0200 Subject: [Freeipa-users] FreeIPA user ID differs In-Reply-To: <55C0C82D.1040104@gmail.com> References: <55C0C82D.1040104@gmail.com> Message-ID: <20150805074821.GI17453@mail.corp.redhat.com> On (04/08/15 07:11), Janelle wrote: >I too have seen this same unique "bug". My guess is, you have compatibility >mode enabled AND you used the GUI to manipulate the group memberships. I have >found this to be buggy. Using CLI based commands did not have the same >results. However, once the 2 trees - "cn=accounts" and "cn=compat" are no >longer in sync, I have found the only way to fix this is with ldapmodify >commands, since neither the GUI nor the command line tools believe the users >are in the groups in question anymore. > It really sounds like a bug. Did you try to call "id user" on ipa server? I'm curious which uid/gid are returned from sssd. If the uid/gid are correct does it help to restart directory server (or ipa)? 
LS From dkupka at redhat.com Wed Aug 5 08:31:28 2015 From: dkupka at redhat.com (David Kupka) Date: Wed, 5 Aug 2015 10:31:28 +0200 Subject: [Freeipa-users] IdM Password Expiration In-Reply-To: <1438700482.23059.10.camel@localhost.localdomain> References: <1438700482.23059.10.camel@localhost.localdomain> Message-ID: <55C1C9E0.7060100@redhat.com> On 04/08/15 17:01, Robert Locke wrote: > Hey folks, > > I have been using the following to adjust the Password Expiration of > accounts in IdM/IPA: > echo "$ADMIN_PASS" | kinit admin > echo -e "dn: > uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify > \nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z > \n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS > > This has worked nicely for me. > > My "new" problem is that the admin account itself expires after 90 days. > I thought since ldapsearch does show the admin account, that simply > substituting the uid might work. > > echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com > \nchangetype: modify\nreplace: krbPasswordExpiration > \nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D > 'cn=Directory Manager' -w $ADMIN_PASS > > My attempts to adjust the admin account in this similar fashion have > been not surprisingly unsuccessful. > > Suggestions/pointers? > > --Rob > > > Hello, I just tried to set krbPasswordExpiration attribute for admin and it worked as expected: $ ipa user-show admin --all dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com User login: admin ... krbpasswordexpiration: 20200101000000Z ... $ echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com" $ ipa user-show admin --all dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com User login: admin ... 
krbpasswordexpiration: 20300101000000Z ... Could you provide more information about what is failing? The only thing that comes to my mind is that you're using the $ADMIN_PASS variable where the Directory Manager password is required, but I know it's just the name of the variable. -- David Kupka From pbrezina at redhat.com Wed Aug 5 09:10:10 2015 From: pbrezina at redhat.com (Pavel Březina) Date: Wed, 05 Aug 2015 11:10:10 +0200 Subject: [Freeipa-users] FreeIPA and sudo Defaults In-Reply-To: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet> References: <56343345B145C043AE990701E3D193950BD1FCF1@EXVS2.nrplc.localnet> Message-ID: <55C1D2F2.3050403@redhat.com> On 08/04/2015 11:57 AM, Innes, Duncan wrote: > Hi folks, > Struggling with creating a sudo rule in IPA that will allow my > foreman-proxy to run specific commands. When I put the following into > /etc/sudoers.d/foreman: > [root at puppet01 ~]# cat /etc/sudoers.d/foreman > foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick * > Defaults:foreman-proxy !requiretty > innesd ALL = NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick * > Defaults:innesd !requiretty > [root at puppet01 ~]# > > [innesd at puppet01 ~]$ sudo -l > Matching Defaults entries for innesd on this host: > !requiretty > User innesd may run the following commands on this host: > (root) NOPASSWD: /usr/bin/puppet cert *, (root) /usr/bin/puppet kick * > (root) /bin/su > [innesd at puppet01 ~]$ > Both my user and the foreman-proxy can run the relevant commands both on > the command line and remotely. > IT Security are not happy with local sudo rules being configured around > the network, so I'm trying to create the same configuration via IPA. > When I try to get the same rule into IPA, my user can run the command in > a tty, but the foreman-proxy user is refused.
This looks to be down to > the lack of !requiretty coming through for the users: > [root at ipa01 ~]# ipa sudorule-show foreman-proxy > Rule name: foreman-proxy > Enabled: TRUE > User category: all > Hosts: puppet02.example.com, puppet01.example.com, > puppet03.example.com, puppet04.example.com > Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick * > Sudo Option: !authenticate, !requiretty > [root at ipa01 ~]# > and once I've removed the #includedir option from my local sudoers file, > I get the following as my user: > [innesd at puppet01 ~]$ sudo -l > User innesd may run the following commands on this host: > (root) /bin/su > (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick * > [innesd at puppet01 ~]$ > where the noticeable difference is that the !requiretty isn't listed > under any "Matching Defaults entries" for my user. With the rule set up > like this, I can run the command in a tty, but the foreman-proxy user is > denied when the command is run without a tty. > How do I go about setting the Defaults for the foreman-proxy user? Once > my testing is done, I'd like to move the rule to run only against the > foreman-proxy external user rather than all users. Can you also provide the sudo logs, please? > And a small follow-up question: how long should I expect it to take for > a change to the sudo rule on my IPA server to become available on the > client? I keep doing sss_cache -E to clear the cache, but it still > seems to take its own sweet time to be changed on the client. It's not > a huge wait - just a bit of a pain when I'm testing these changes. Please set entry_cache_sudo_timeout = 0 in your domain for testing purposes. You can also look at ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval, which say how often sssd searches for new/modified rules. > Thanks in advance, > Duncan Innes From yamakasi.014 at gmail.com Wed Aug 5 09:10:45 2015 From: yamakasi.014 at gmail.com (Matt .)
Date: Wed, 5 Aug 2015 11:10:45 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi Chris, Yes, Apache Studio did that, but I was not sure why it complained it was "already" there. I'm still getting: IPA Error 4205: ObjectclassViolation missing attribute "sambaGroupType" required by object class "sambaGroupMapping" when adding a user. I also see "class" as field name under my "Last name", which is also not OK. We sure need to write a how-to, I think we can nail this down :) Thanks for the heads up! Matthijs 2015-08-05 7:51 GMT+02:00 Christopher Lamb : > Hi Matt > > If I use Apache Directory Studio to add an attribute ipaCustomFields to > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below: >
> #!RESULT OK
> #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> #!DATE 2015-08-05T05:45:04.608
> dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> changetype: modify
> add: ipaCustomFields
> ipaCustomFields: Samba Group Type,sambagrouptype,true
>
> After that I then have a visible attribute ipaCustomFields as expected. > > When adding the attribute, the wizard offered me "ipaCustomFields" as > attribute type in a drop-down list. > > Once we get this cracked, we really must write a how-to on the FreeIPA > Wiki. > > Chris > > > > From: Christopher Lamb/Switzerland/IBM at IBMCH > To: "Matt ." > Cc: "freeipa-users at redhat.com" > Date: 05.08.2015 07:31 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > Sent by: freeipa-users-bounces at redhat.com > > > > Hi Matt > > I also got the same result at that step, but can see nothing in Apache > Directory Studio. > > As I am using existing Samba / FreeIPA groups migrated across, they > probably were migrated with all the required attributes.
> > Looking more closely at that LDIF: I wonder, should it not be: > >
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> changetype: modify
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
>
> i.e. changetype: modify, instead of changetype: add? > > I don't want to play around with my prod directory - I will set up an EL 7.1 > VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around > more destructively. > > Chris > > > > > > From: "Matt ." > To: Christopher Lamb/Switzerland/IBM at IBMCH > Cc: Youenn PIOLET , "freeipa-users at redhat.com" > > Date: 05.08.2015 01:01 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi Chris, > > I'm on the right path, but my issue is that: > >
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> changetype: add
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
>
> does say it exists, my LDAP explorer doesn't show it, and when I add > it manually as an attribute it still fails when I add a user on this > sambagrouptype, as it's needed by the other attributes. > > So that is my issue I think so far. > > Any clue about that? > > No problem "you don't know something or are no guru", we are all > learning! :) > > Cheers, > > Matt > > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb : >> Hi Matt, Youenn >> >> Just to set the background properly, I did not invent this process. I > know >> only a little about FreeIPA, and almost nothing about Samba, but I guess > I >> was lucky enough to get the integration working on a Sunday afternoon. (I >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference). >> >> It sounds like we need to step back, and look at the test user and group > in >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much > easier.
>> >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA >> (cn=accounts, cn=users): >> >> * objectClass: sambaSamAccount >> >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet >> >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA >> (cn=accounts, cn=groups): >> >> * objectClass: sambaGroupMapping >> >> * Attributes: sambaGroupType, sambaSID >> >> The Users must belong to one or more of the Samba groups that you have >> set up. >> >> If you don't have something similar to the above (which sounds like it is >> the case), then something went wrong applying the extensions. It would be >> worth comparing a new user / group created after adding the >> extensions to a previously existing user. >> >> i.e. >> are the extensions missing on existing users / groups? >> are the extensions missing on new users / groups? >> >> Cheers >> >> Chris >> >> >> >> >> >> From: Youenn PIOLET >> To: "Matt ." >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >> "freeipa-users at redhat.com" >> Date: 04.08.2015 18:56 >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> >> >> >> Hi there, >> >> I have difficulties following you at this point :) >> Here is what I've done and what I've understood: >> >> ## SMB Side >> - testparm OK >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. >> - pdbedit -Lv output is all successful, but I can see there is a filter: >> (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have >> sambaSamAccount. >> >> ## LDAP / FreeIPA side >> - Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA >> server to get the Samba LDAP extensions. >> - I can see the Samba classes exist in LDAP but are not used on my group >> objects nor my user objects. >> - I have added sambaSamAccount to the FreeIPA default user classes, >> and sambaGroupMapping to the default group classes.
In that state I can't >> create users or groups anymore, as the new Samba attributes are needed for >> instantiation. >> - I have added in etc ipaCustomFields: 'Samba Group > Type,sambagrouptype,true' >> but I don't get what it does. >> - I tried to add the samba.js plugin. It works, and adds the "local" > option >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or > 2 >> (domain). It doesn't work and tells me that the sambagrouptype attribute doesn't >> exist (but it should, now that I put the sambaGroupType class by default...) >> >> ## Questions >> 0) Can I ask Samba not to search for sambaSamAccount and use unix / posix >> instead? I guess not. >> 1) How to generate the user/group SIDs? They are required to add the >> sambaSamAccount classes. >> This article doesn't seem relevant since we don't use a domain controller >> > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >> and net getlocalsid returns an error. >> 2) How to fix the samba.js plugin? >> 3) I guess an equivalent of samba.js is needed for user creation, where > can >> I find it? >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows >> 7? >> >> Thanks a lot for your previous and future answers >> >> -- >> Youenn Piolet >> piolet.y at gmail.com >> >> >> 2015-08-04 17:55 GMT+02:00 Matt . : >> Hi, >> >> Yes, the log is anonymised. >> >> It's strange, my user doesn't have a SambaPwdLastSet, and also when I >> change its password it doesn't get one in LDAP. >> >> There must be something going wrong I guess. >> >> Matt >> >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb > > >: >> > Hi Matt >> > >> > I assume [username] is a real username, identical to that in the >> FreeIPA >> > cn=accounts, cn=users tree? (i.e. you anonymised the log extract). >> > >> > Your user should be a member of the appropriate Samba groups that you >> set up >> > in FreeIPA. >> > >> > You should check that the user attribute SambaPwdLastSet is set to a >> > positive value (e.g. 1).
If not you get an error in the Samba logs - > I >> > would need to play around again with a test user to find out the > exact >> > error. >> > >> > I don't understand what you mean about syncing the users local, but > we >> did >> > not need to do anything like that. >> > >> > Chris >> > >> > >> > >> > >> > From: "Matt ." >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >> > Cc: "freeipa-users at redhat.com" >> > Date: 04.08.2015 15:33 >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >> IPA >> > >> > >> > >> > Hi Chris, >> > >> > A puppet run added another passdb backend, that was causing my issue. >> > >> > What I still experience is: >> > >> > >> > [2015/08/04 15:29:45.477783, 3] >> > ../source3/auth/check_samsec.c:399(check_sam_security) >> > check_sam_security: Couldn't find user 'username' in passdb. >> > [2015/08/04 15:29:45.478026, 2] >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >> > check_ntlm_password: Authentication for user [username] -> >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >> > >> > >> > I also wonder if I shall still sync the users local, or is it > needed ? >> > >> > Thanks again, >> > >> > Matt >> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >> christopher.lamb at ch.ibm.com>: >> >> Hi Matt >> >> >> >> From our smb.conf file: >> >> >> >> [global] >> >> security = user >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >> >> ldap admin dn = cn=Directory Manager >> >> >> >> So yes, we use Directory Manager, it works for us. I have not tried >> with >> > a >> >> less powerful user, but it is conceivable that a lesser user may not >> see >> >> all the required attributes, resulting in "no such user" errors. >> >> >> >> Chris >> >> >> >> >> >> >> >> >> >> From: "Matt ." 
>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >> >> Cc: "freeipa-users at redhat.com" >> >> Date: 04.08.2015 13:32 >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >> IPA >> >> >> >> >> >> >> >> Hi Chris, >> >> >> >> Thanks for the heads up, indeed local is 4 I see now when I add a >> >> group from the GUI, great thanks! >> >> >> >> But do you use Directory Manager as ldap admin user or some other >> >> admin account ? >> >> >> >> I'm not sure id DM is needed and it should get that deep into IPA. >> >> Also when starting samba it cannot find "such user" as that sounds >> >> quite known as it has no UID. >> >> >> >> From your config I see you use DM, this should work ? >> >> >> >> Thanks! >> >> >> >> >> >> Matt >> >> >> >> >> > >> > >> > >> > >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> >> >> > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > From Markus.Moj at mc.ingenico.com Wed Aug 5 12:14:51 2015 From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com) Date: Wed, 5 Aug 2015 12:14:51 +0000 Subject: [Freeipa-users] FreeIPA user ID differs In-Reply-To: References: Message-ID: Hi Christopher, how to update the compat tree accordingly? Our developers edited the values in FreeIPA but don?t see the nis id?s and therefore can?t edit them. -----Urspr?ngliche Nachricht----- Von: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com] Gesendet: Dienstag, 4. August 2015 11:27 An: Moj, Markus Cc: freeipa-users at redhat.com Betreff: Re: [Freeipa-users] FreeIPA user ID differs Markus Have you checked both the cn=accounts and cn=compat trees?. Users and groups are stored in both, and both would need manipulation... 
Ciao

Chris

Date: 04.08.2015 11:14
Subject: [Freeipa-users] FreeIPA user ID differs
Sent by: freeipa-users-bounces at redhat.com

Hi @all,

I've encountered a strange "error". I've created a user with a generated UID
from the predefined range. After creation I've had to manipulate the UID to
fit an old NIS configuration and set the UID to the old NIS value.
FreeIPA shows the correct UID as well as ldapsearch. But if I logon onto a
host and enter `id ` I receive the old UID, GID and groups information
instead of the corrected one.

Maybe someone can help me out to pinpoint the error and to fix it.

Cheers,
Markus


From loris at lgs.com.ve Wed Aug 5 12:24:16 2015
From: loris at lgs.com.ve (Loris Santamaria)
Date: Wed, 05 Aug 2015 07:54:16 -0430
Subject: [Freeipa-users] FreeIPA user ID differs
Message-ID: <1438777456.32449.2.camel@lgs.com.ve>

Hi, the compat tree is generated dynamically based on the cn=accounts tree
and from information retrieved by server-mode SSSD.

If the compat tree gets out of sync, a restart of the ipa server and SSSD
should fix it.

Best regards

On Wed, 05-08-2015 at 12:14 +0000, Markus.Moj at mc.ingenico.com wrote:
> Hi Christopher,
>
> how to update the compat tree accordingly? Our developers edited the
> values in FreeIPA but don't see the NIS ids and therefore can't edit
> them.

--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster
horse" - Henry Ford


From christopher.lamb at ch.ibm.com Wed Aug 5 12:38:01 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 5 Aug 2015 14:38:01 +0200
Subject: [Freeipa-users] FreeIPA user ID differs
In-Reply-To: <1438777456.32449.2.camel@lgs.com.ve>
References: <1438777456.32449.2.camel@lgs.com.ve>

Check also that the compat tree plugin is enabled, and enable it if not:

ipa-compat-manage status

ipa-compat-manage enable

ipactl restart

Cheers,

Chris

From: Loris Santamaria
To: freeipa-users at redhat.com
Date: 05.08.2015 14:26
Subject: Re: [Freeipa-users] FreeIPA user ID differs
Sent by: freeipa-users-bounces at redhat.com

Hi, the compat tree is generated dynamically based on the cn=accounts tree
and from information retrieved by server-mode SSSD.

If the compat tree gets out of sync, a restart of the ipa server and SSSD
should fix it.

Best regards


From Markus.Moj at mc.ingenico.com Wed Aug 5 12:51:23 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com)
Date: Wed, 5 Aug 2015 12:51:23 +0000
Subject: [Freeipa-users] FreeIPA user ID differs
References: <1438777456.32449.2.camel@lgs.com.ve>

Hi Christopher, Hi Loris,

The plugin is enabled

ipa-compat-manage status
Plugin Enabled

When I request the id of a posix user on the freeipa server then I receive
the output I expect with correct uid, gid and groups. But on a connected
host, with freeipa client tools, I receive the old values. Are these values
stored somewhere?

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb at ch.ibm.com]
Sent: Wednesday, 5 August 2015 14:38
To: Moj, Markus; Loris Santamaria
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA user ID differs

Check also that the compat tree plugin is enabled, and enable it if not:

ipa-compat-manage status

ipa-compat-manage enable

ipactl restart

Cheers,

Chris


From piolet.y at gmail.com Wed Aug 5 12:50:48 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Wed, 5 Aug 2015 14:50:48 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi guys,

Thank you so much for your previous answers.

I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
ipa-adtrust-install --add-sids

I found another way to configure smb here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

It works perfectly. I'm using the module ipasam.so, which I have manually
scp'd to the samba server. Samba is set to use kerberos + ldapsam via this
ipasam module.

Following the instructions, I created a user role allowing the service
principal to read the ipaNTHash value from the LDAP. ipaNTHash values are
generated each time a user changes his password.

Authentication works perfectly on Windows 7, 8 and 10.

For more details, the previously linked thread is quite clear.

Cheers

--
Youenn Piolet
piolet.y at gmail.com

2015-08-05 11:10 GMT+02:00 Matt . :
> Hi Chris.
>
> Yes, Apache Studio did that but I was not sure why it complained it
> was "already" there.
>
> I'm still getting:
>
> IPA Error 4205: ObjectclassViolation
>
> missing attribute "sambaGroupType" required by object class
> "sambaGroupMapping"
>
> When adding a user.
>
> I also see "class" as fieldname under my "Last name", this is not OK also.
>
> We sure need to make some howto, I think we can nail this down :)
>
> Thanks for the heads up!
>
> Matthijs
>
> 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
> > Hi Matt
> >
> > If I use Apache Directory Studio to add an attribute ipaCustomFields to
> > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
> > below:
> >
> > #!RESULT OK
> > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> > #!DATE 2015-08-05T05:45:04.608
> > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> > changetype: modify
> > add: ipaCustomFields
> > ipaCustomFields: Samba Group Type,sambagrouptype,true
> >
> > After that I then have a visible attribute ipaCustomFields as expected.
> >
> > When adding the attribute, the wizard offered me "ipaCustomFields" as
> > attribute type in a drop down list.
> >
> > Once we get this cracked, we really must write a how-to on the FreeIPA
> > Wiki.
> >
> > Chris
> >
> > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > To: "Matt ."
> > Cc: "freeipa-users at redhat.com"
> > Date: 05.08.2015 07:31
> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Hi Matt
> >
> > I also got the same result at that step, but can see nothing in Apache
> > Directory Studio.
> >
> > As I am using existing Samba / FreeIPA groups migrated across, they
> > probably were migrated with all the required attributes.
> >
> > Looking more closely at that LDIF: I wonder should it not be:
> >
> > ldapmodify -Y GSSAPI <<EOF
> > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > changetype: modify
> > add: ipaCustomFields
> > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > EOF
> >
> > i.e. changetype: modify, instead of changetype add?
> >
> > I don't want to play around with my prod directory - I will set up an EL
> > 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
> > around more destructively.
> >
> > Chris
> >
> > From: "Matt ."
> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> > Date: 05.08.2015 01:01
> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >
> > Hi Chris,
> >
> > I'm on the right path, but my issue is that:
> >
> > ldapmodify -Y GSSAPI <<EOF
> > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > changetype: add
> > add: ipaCustomFields
> > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > EOF
> >
> > does say it exists, my ldap explorer doesn't show it, and when I add
> > it manually as an attribute it still fails when I add a user on this
> > sambagrouptype as it's needed by the other attributes.
> >
> > So that is my issue I think so far.
> >
> > Any clue about that?
> >
> > No problem "you don't know something or are no guru", we are all
> > learning! :)
> >
> > Cheers,
> >
> > Matt
> >
> > 2015-08-04 21:22 GMT+02:00 Christopher Lamb :
> >> Hi Matt, Youenn
> >>
> >> Just to set the background properly, I did not invent this process. I
> >> know only a little about FreeIPA, and almost nothing about Samba, but I
> >> guess I was lucky enough to get the integration working on a Sunday
> >> afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as
> >> a reference).
> >>
> >> It sounds like we need to step back, and look at the test user and group
> >> in the FreeIPA LDAP tree. I find using an LDAP browser makes this much
> >> easier.


From rcritten at redhat.com Wed Aug 5 12:57:13 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 05 Aug 2015 08:57:13 -0400
Subject: [Freeipa-users] FreeIPA user ID differs
References: <1438777456.32449.2.camel@lgs.com.ve>
Message-ID: <55C20829.7020303@redhat.com>

Markus.Moj at mc.ingenico.com wrote:
> Hi Christopher, Hi Loris,
>
> The plugin is enabled
>
> ipa-compat-manage status
> Plugin Enabled
>
> When I request the id of a posix user on the freeipa server then I
> receive the output I expect with correct uid, gid and groups. But on a
> connected host, with freeipa client tools, I receive the old values.
> Are these values stored somewhere?

sssd has its own cache. See the sssd man pages for all the knobs and
sss_cache for wiping it.

rob


From Markus.Moj at mc.ingenico.com Wed Aug 5 13:02:00 2015
From: Markus.Moj at mc.ingenico.com (Markus.Moj at mc.ingenico.com)
Date: Wed, 5 Aug 2015 13:02:00 +0000
Subject: [Freeipa-users] FreeIPA user ID differs
In-Reply-To: <55C20829.7020303@redhat.com>
References: <1438777456.32449.2.camel@lgs.com.ve> <55C20829.7020303@redhat.com>

Hey,

I've wiped sss_cache before I tried again and restarted the service.
Nevertheless the problem still persists. Beyond that, the problem is only
located on one FreeIPA host. Other hosts have received the updates or see
the correct values.

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, 5 August 2015 14:57
To: Moj, Markus; christopher.lamb at ch.ibm.com; loris at lgs.com.ve
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA user ID differs

Markus.Moj at mc.ingenico.com wrote:
> Hi Christopher, Hi Loris,
>
> The plugin is enabled
>
> ipa-compat-manage status
> Plugin Enabled
>
> When I request the id of a posix user on the freeipa server then I
> receive the output I expect with correct uid, gid and groups. But on a
> connected host, with freeipa client tools, I receive the old values.
> Are these values stored somewhere?

sssd has its own cache. See the sssd man pages for all the knobs and
sss_cache for wiping it.

rob


From christopher.lamb at ch.ibm.com Wed Aug 5 13:18:27 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 5 Aug 2015 15:18:27 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Youenn

Good news that you have got an integration working.

Now you have got it going, and the solution is fresh in your mind, how about
adding a How-to page on this solution to the FreeIPA wiki?

Chris

From: Youenn PIOLET
To: "Matt ."
Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
Date: 05.08.2015 14:51
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi guys,

Thank you so much for your previous answers.

I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
ipa-adtrust-install --add-sids

I found another way to configure smb here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

It works perfectly. I'm using the module ipasam.so, which I have manually
scp'd to the samba server. Samba is set to use kerberos + ldapsam via this
ipasam module.

Following the instructions, I created a user role allowing the service
principal to read the ipaNTHash value from the LDAP. ipaNTHash values are
generated each time a user changes his password.

Authentication works perfectly on Windows 7, 8 and 10.

For more details, the previously linked thread is quite clear.

Cheers

--
Youenn Piolet
piolet.y at gmail.com

2015-08-05 11:10 GMT+02:00 Matt . :
Hi Chris.
Yes, Apache Studio did that but I was not sure why it complained it was "already" there. I'm still getting: IPA Error 4205: ObjectclassViolation missing attribute "sambaGroupType" required by object class "sambaGroupMapping" When adding a user. I also see "class" as fielname under my "Last name", this is not OK also. We sure need to make some howto, I think we can nail this down :) Thanks for the heads up! Matthijs 2015-08-05 7:51 GMT+02:00 Christopher Lamb : > Hi Matt > > If I use Apache Directory Studio to add an attribute ipaCustomFields to > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below: > > #!RESULT OK > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy > #!DATE 2015-08-05T05:45:04.608 > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com > changetype: modify > add: ipaCustomFields > ipaCustomFields: Samba Group Type,sambagrouptype,true > > After that I then have a visible attribute ipaCustomFields as expected. > > When adding the attribute, the wizard offered me "ipaCustomFields" as > attribute type in a drop down list. > > Once we get this cracked, we really must write a how-to on the FreeIPA > Wiki. > > Chris > > > > From:? ?Christopher Lamb/Switzerland/IBM at IBMCH > To:? ? ?"Matt ." > Cc:? ? ?"freeipa-users at redhat.com" > Date:? ?05.08.2015 07:31 > Subject:? ? ? ? Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > Sent by:? ? ? ? freeipa-users-bounces at redhat.com > > > > Hi Matt > > I also got the same result at that step, but can see nothing in Apache > Directory Studio. > > As I am using existing Samba / FreeIPA groups migrated across, they > probably were migrated with all the required attributes. > > Looking more closely at that LDIF: I wonder should it not be: > > ldapmodify -Y GSSAPI < dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld > changetype: modify > add: ipaCustomFields > ipaCustomFields: "Samba Group Type,sambagrouptype,true" > EOF > > i.e. changetype: modify, instead of changetype add ? 
> > I don't want to play around with my prod directory - I will setup an EL 7.1 > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around > more destructively. > > Chris > > > > > > From:? ? ? ? ? ? "Matt ." > To:? ? ? ? ? ? ? Christopher Lamb/Switzerland/IBM at IBMCH > Cc:? ? ? ? ? ? ? Youenn PIOLET , " freeipa-users at redhat.com" >? ? ? ? ? ? ? > Date:? ? ? ? ? ? 05.08.2015 01:01 > Subject:? ? ? ? ? ? ? ? ?Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi Chris, > > I'm at the right path, but my issue is that: > > ldapmodify -Y GSSAPI < dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld > changetype: add > add: ipaCustomFields > ipaCustomFields: "Samba Group Type,sambagrouptype,true" > EOF > > Does say it exists, my ldap explorer doesn't show it, and when I add > it manually as an attribute it still fails when I add a user on this > sambagrouptype as it's needed by the other attributes > > So that is my issue I think so far. > > Any clue about that ? > > No problem "you don't know something or are no guru" we are all > learning! :) > > Cheers, > > Matt > > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb < christopher.lamb at ch.ibm.com>: >> Hi Matt, Youeen >> >> Just to set the background properly, I did not invent this process. I > know >> only a little about FreeIPA, and almost nothing about Samba, but I guess > I >> was lucky enough to get the integration working on a Sunday afternoon. (I >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference). >> >> It sounds like we need to step back, and look at the test user and group > in >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much > easier. 
>> >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA >> (cn=accounts, cn=users): >> >> * objectClass: sambasamaccount >> >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet >> >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA >> (cn=accounts, cn=groups): >> >> * objectClass: sambaGroupMapping >> >> * Attributes: sambaGroupType, sambaSID >> >> The Users must belong to one or more of the samba groups that you have >> setup. >> >> If you don't have something similar to the above (which sounds like it is >> the case), then something went wrong applying the extensions. It would be >> worth testing comparing a new user / group created post adding the >> extensions to a previous existing user. >> >> i.e. >> are the extensions missing on existing users / groups? >> are the extensions missing on new users / groups? >> >> Cheers >> >> Chris >> >> >> >> >> >> From:? ?Youenn PIOLET >> To:? ? ?"Matt ." >> Cc:? ? ?Christopher Lamb/Switzerland/IBM at IBMCH, >>? ? ? ? ? ? ?"freeipa-users at redhat.com" >> Date:? ?04.08.2015 18:56 >> Subject:? ? ? ? Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> >> >> >> Hi there, >> >> I have difficulties to follow you at this point :) >> Here is what I've done and what I've understood: >> >> ## SMB Side >> - Testparm OK >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. >> - pdbedit -Lv output is all successfull but I can see there is a filter : >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have >> sambaSamAccount. >> >> ## LDAP / FreeIPA side >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA >> server to get samba LDAP extensions. >> - I can see samba classes exist in LDAP but are not used on my group >> objects nor my user objects >> - I have add sambaSamAccount in FreeIPA default user classes, >> and sambaGroupMapping to default group classes. 
In that state I can't >> create user nor groups anymore, as new samba attributes are needed for >> instantiation. >> - I have add in etc ipaCustomFields: 'Samba Group > Type,sambagrouptype,true' >> but I don't get what it does. >> - I tried to add the samba.js plugin. It works, and adds the "local" > option >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or > 2 >> (domain). It doesn't work and tells that sambagrouptype attribute doesn't >> exist (but it should now I put sambaGroupType class by default...) >> >> ## Questions >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix >> instead? I guess no. >> 1) How to generate the user/group SIDs ? They are requested to add >> sambaSamAccount classes. >> This article doesn't seem relevant since we don't use domain controller >> > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >> and netgetlocalsid returns an error. >> 2) How to fix samba.js plugin? >> 3) I guess an equivalent of samba.js is needed for user creation, where > can >> I find it? >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows >> 7? >> >> Thanks a lot for your previous and future answers >> >> -- >> Youenn Piolet >> piolet.y at gmail.com >> >> >> 2015-08-04 17:55 GMT+02:00 Matt . : >>? ?Hi, >> >>? ?Yes, log is anonymised. >> >>? ?It's strange, my user doesn't have a SambaPwdLastSet, also when I >>? ?change it's password it doesn't get it in ldap. >> >>? ?There must be something going wrong I guess. >> >>? ?Matt >> >>? ?2015-08-04 17:45 GMT+02:00 Christopher Lamb > >? ?>: >>? ?> Hi Matt >>? ?> >>? ?> I assume [username] is a real username, identical to that in the >>? ?FreeIPA >>? ?> cn=accounts, cn=users tree? (i.e. you anonymised the log extract). >>? ?> >>? ?> You user should be a member of the appropriate samba groups that you >>? ?setup >>? ?> in FreeIPA. >>? ?> >>? ?> You should check that the user attribute SambaPwdLastSet is set to a >>? 
?> positive value (e.g. 1). If not you get an error in the Samba logs - > I >>? ?> would need to play around again with a test user to find out the > exact >>? ?> error. >>? ?> >>? ?> I don't understand what you mean about syncing the users local, but > we >>? ?did >>? ?> not need to do anything like that. >>? ?> >>? ?> Chris >>? ?> >>? ?> >>? ?> >>? ?> >>? ?> From:? ?"Matt ." >>? ?> To:? ? ?Christopher Lamb/Switzerland/IBM at IBMCH >>? ?> Cc:? ? ?"freeipa-users at redhat.com" >>? ?> Date:? ?04.08.2015 15:33 >>? ?> Subject:? ? ? ? Re: [Freeipa-users] Ubuntu Samba Server Auth against >>? ?IPA >>? ?> >>? ?> >>? ?> >>? ?> Hi Chris, >>? ?> >>? ?> A puppet run added another passdb backend, that was causing my issue. >>? ?> >>? ?> What I still experience is: >>? ?> >>? ?> >>? ?> [2015/08/04 15:29:45.477783,? 3] >>? ?> ../source3/auth/check_samsec.c:399(check_sam_security) >>? ?>? ?check_sam_security: Couldn't find user 'username' in passdb. >>? ?> [2015/08/04 15:29:45.478026,? 2] >>? ?> ../source3/auth/auth.c:288(auth_check_ntlm_password) >>? ?>? ?check_ntlm_password:? Authentication for user [username] -> >>? ?> [username] FAILED with error NT_STATUS_NO_SUCH_USER >>? ?> >>? ?> >>? ?> I also wonder if I shall still sync the users local, or is it > needed ? >>? ?> >>? ?> Thanks again, >>? ?> >>? ?> Matt >>? ?> >>? ?> 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >>? ?christopher.lamb at ch.ibm.com>: >>? ?>> Hi Matt >>? ?>> >>? ?>> From our smb.conf file: >>? ?>> >>? ?>> [global] >>? ?>>? ? security = user >>? ?>>? ? passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com >>? ?>>? ? ldap suffix = dc=my,dc=silly,dc=example,dc=com >>? ?>>? ? ldap admin dn = cn=Directory Manager >>? ?>> >>? ?>> So yes, we use Directory Manager, it works for us. I have not tried >>? ?with >>? ?> a >>? ?>> less powerful user, but it is conceivable that a lesser user may not >>? ?see >>? ?>> all the required attributes, resulting in "no such user" errors. >>? ?>> >>? ?>> Chris >>? ?>> >>? 
?>> >>? ?>> >>? ?>> >>? ?>> From:? ?"Matt ." >>? ?>> To:? ? ?Christopher Lamb/Switzerland/IBM at IBMCH >>? ?>> Cc:? ? ?"freeipa-users at redhat.com" >>? ?>> Date:? ?04.08.2015 13:32 >>? ?>> Subject:? ? ? ? Re: [Freeipa-users] Ubuntu Samba Server Auth against >>? ?IPA >>? ?>> >>? ?>> >>? ?>> >>? ?>> Hi Chris, >>? ?>> >>? ?>> Thanks for the heads up, indeed local is 4 I see now when I add a >>? ?>> group from the GUI, great thanks! >>? ?>> >>? ?>> But do you use Directory Manager as ldap admin user or some other >>? ?>> admin account ? >>? ?>> >>? ?>> I'm not sure id DM is needed and it should get that deep into IPA. >>? ?>> Also when starting samba it cannot find "such user" as that sounds >>? ?>> quite known as it has no UID. >>? ?>> >>? ?>> From your config I see you use DM, this should work ? >>? ?>> >>? ?>> Thanks! >>? ?>> >>? ?>> >>? ?>> Matt >>? ?>> >>? ?>> >>? ?> >>? ?> >>? ?> >>? ?> >> >>? ?-- >>? ?Manage your subscription for the Freeipa-users mailing list: >>? ?https://www.redhat.com/mailman/listinfo/freeipa-users >>? ?Go to http://freeipa.org for more info on the project >> >> >> > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From lslebodn at redhat.com Wed Aug 5 13:20:22 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 5 Aug 2015 15:20:22 +0200 Subject: [Freeipa-users] FreeIPA user ID differs In-Reply-To: References: <1438777456.32449.2.camel@lgs.com.ve> <55C20829.7020303@redhat.com> Message-ID: <20150805132022.GL17453@mail.corp.redhat.com> On (05/08/15 13:02), Markus.Moj at mc.ingenico.com wrote: >Hey, > >I?ve wiped sss_cache before I tried again and restarted the service. sss_cache just invalidate cache. 
It does not wipe out it. It means that sssd must not return value from cache but it shoudl refresh it from LDAP server >Nevertheless the problem still persists. Beyond the problem is only located >on one FreeIPA host. Other hosts have received the updates >or see the correct values. What do you mean by "FreeIPA host"? Is it ipa server/replica or ipa client? As it was already mantioned int is thread the compat tree is generated dynamically based on the cn=accounts tree and from information retrieved by server-mode SSSD. I would suggest try following steps 1) invalidate sssd cache on ipa server 2) check UID/GID on ipa server (id, getent passwd, getent group ...) 3) check compat tree with ldapsearch 4) invalidate sssd cache on ipa client 5) check UID/GID on ipa client (id, getent passwd, getent group ...) LS From justeank at yahoo.com Mon Aug 3 16:08:05 2015 From: justeank at yahoo.com (Justean) Date: Mon, 3 Aug 2015 16:08:05 +0000 (UTC) Subject: [Freeipa-users] Change default email format Message-ID: <848253850.568408.1438618085033.JavaMail.yahoo@mail.yahoo.com> Good morning, I was wondering if there is a way to change the way freeipa builds a user's email address by default. Currently it takes the username and appends the domain name but I would like it to take the form firstname.lastname at domainname.com Thank you. Sipazzo -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrei.brajnicov at gmail.com Wed Aug 5 13:42:51 2015 From: andrei.brajnicov at gmail.com (andrei.brajnicov) Date: Wed, 05 Aug 2015 16:42:51 +0300 Subject: [Freeipa-users] AD trust established but users can't login Message-ID: <55C212DB.1000604@gmail.com> Hello. My mission is to install an FreeIPA instance as subdomain of AD, and to allow AD users to login to some Linux servers. I Installed and configured it, but i meet a problem, AD users are not allowed to login to FreeIPA . 
A piece of everything: AD = adexample.com ( 2008R2 ) IPA =ipa.adexample.com # ipa --version VERSION: 4.1.0, API_VERSION: 2.112 # sssd --version 1.12.2 # hostname otp1tst86.ipa.adexample.com # uname -a Linux otp1tst86.ipa.adexample.com 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux # klist Ticket cache: KEYRING:persistent:0:krb_ccache_1nRCjmt Default principal: Administrator at ADEXAMPLE.COM Valid starting Expires Service principal 08/05/2015 16:30:32 08/06/2015 02:14:53 krbtgt/IPA.ADEXAMPLE.COM at ADEXAMPLE.COM renew until 08/06/2015 16:14:50 08/05/2015 16:14:53 08/06/2015 02:14:53 krbtgt/ADEXAMPLE.COM at ADEXAMPLE.COM renew until 08/06/2015 16:14:50 # cat sssd.conf [domain/ipa.adexample.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipa.adexample.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = otp1tst86.ipa.adexample.com chpass_provider = ipa ipa_server = otp1tst86.ipa.adexample.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa [sssd] services = nss, sudo, pam, ssh, pac config_file_version = 2 sudo_provider = ldap ldap_uri = ldap://otp1tst86.ipa.adexample.com ldap_sudo_search_base = ou=sudoers,dc=ipa, dc=adexample,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/otp1tst86.ipa.adexample.com ldap_sasl_realm = IPA.ADEXAMPLE.COM krb5_server = otp1tst86.ipa.adexample.com domains = ipa.adexample.com [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] # egrep "^[^#]" /etc/nsswitch.conf passwd: files sss shadow: files sss group: files sss hosts: files dns wins bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files sss aliases: files nisplus sudoers: files sss Here I can see AD users. 
# wbinfo -ug ADEXAMPLE\administrator ADEXAMPLE\guest ADEXAMPLE\krbtgt ADEXAMPLE\abrajnicov ADEXAMPLE\ipa$ ADEXAMPLE\kuzea admins editors default smb group ad_admins ADEXAMPLE\domain computers ADEXAMPLE\domain controllers ADEXAMPLE\schema admins ADEXAMPLE\enterprise admins ADEXAMPLE\domain admins ADEXAMPLE\domain users ADEXAMPLE\domain guests ADEXAMPLE\group policy creator owners ADEXAMPLE\read-only domain controllers ADEXAMPLE\enterprise read-only domain controllers ADEXAMPLE\dnsupdateproxy [root at otp1tst86 ~]# id admin at IPA.ADEXAMPLE.COM uid=1466400000(admin) gid=1466400000(admins) groups=1466400000(admins) [root at otp1tst86 ~]# id kuzea at ADEXAMPLE.COM id: kuzea at ADEXAMPLE.COM: no such user So you can see that AD users is not visible to sssd. # cat /etc/krb5.conf includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = IPA.ADEXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] IPA.ADEXAMPLE.COM = { kdc = otp1tst86.ipa.adexample.com:88 master_kdc = otp1tst86.ipa.adexample.com:88 admin_server = otp1tst86.ipa.adexample.com:749 default_domain = ipa.adexample.com pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/ auth_to_local = DEFAULT } [domain_realm] .ipa.adexample.com = IPA.ADEXAMPLE.COM ipa.adexample.com = IPA.ADEXAMPLE.COM .adexample.com = ADEXAMPLE.COM adexample.com = ADEXAMPLE.COM [dbmodules] IPA.ADEXAMPLE.COM = { db_library = ipadb.so } # wbinfo -n 'adexample\Domain Admins' S-1-5-21-4094320520-3357938610-121029971-512 SID_DOM_GROUP (2) But when I try to login to a server using ssh I meet these error: Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: Invalid user kuzea at adexample.com from ::1 Aug 05 
16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: input_userauth_request: invalid user kuzea at adexample.com [preauth] Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): check pass; user unknown Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost Aug 05 16:40:37 otp1tst86.ipa.adexample.com sshd[3997]: Failed password for invalid user kuzea at adexample.com from ::1 port 32809 ssh2 I don't know if these information is sufficient. But I hope that someone will help me to troubleshoot the problem. From rlocke at redhat.com Wed Aug 5 13:55:19 2015 From: rlocke at redhat.com (Robert Locke) Date: Wed, 05 Aug 2015 09:55:19 -0400 Subject: [Freeipa-users] IdM Password Expiration In-Reply-To: <55C1C9E0.7060100@redhat.com> References: <1438700482.23059.10.camel@localhost.localdomain> <55C1C9E0.7060100@redhat.com> Message-ID: <1438782919.1187.8.camel@localhost.localdomain> On Wed, 2015-08-05 at 10:31 +0200, David Kupka wrote: > On 04/08/15 17:01, Robert Locke wrote: > > Hey folks, > > > > I have been using the following to adjust the Password Expiration of > > accounts in IdM/IPA: > > echo "$ADMIN_PASS" | kinit admin > > echo -e "dn: > > uid=rheluseri,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify > > \nreplace: krbPasswordExpiration\nkrbPasswordExpiration: 20300101000000Z > > \n" | ldapmodify -x -D 'cn=Directory Manager' -w $ADMIN_PASS > > > > This has worked nicely for me. > > > > My "new" problem is that the admin account itself expires after 90 days. > > I thought since ldapsearch does show the admin account, that simply > > substituting the uid might work. 
> > > > echo -e "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com > > \nchangetype: modify\nreplace: krbPasswordExpiration > > \nkrbPasswordExpiration: 20300101000000Z\n" | ldapmodify -x -D > > 'cn=Directory Manager' -w $ADMIN_PASS > > > > My attempts to adjust the admin account in this similar fashion have > > been not surprisingly unsuccessful. > > > > Suggestions/pointers? > > > > --Rob > > > > > > > Hello, > I just tried to set krbPasswordExpiration attribute for admin and it > worked as expected: > > $ ipa user-show admin --all > dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com > User login: admin > ... > krbpasswordexpiration: 20200101000000Z > ... > > $ echo -e "dn: > uid=admin,cn=users,cn=accounts,dc=example,dc=com\nchangetype: > modify\nreplace: krbPasswordExpiration\nkrbPasswordExpiration: > 20300101000000Z\n" | ldapmodify -x -D 'cn=Directory Manager' -w $DM_PASS > modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com" > > $ ipa user-show admin --all > dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com > User login: admin > ... > krbpasswordexpiration: 20300101000000Z > ... > > Could you provide more information about what is failing? Only thing > that comes to my mind is that you're using $ADMIN_PASS variable where > Directory Manager password is required but I know it's just name of the > variable. > You're right. It was my mistake. My reality is that $ADMIN_PASS is used to set both the Directory Manager and admin passwords initially during ipa-server-install. When I was faced with having to change the admin password, I failed to realize that the Directory Manager password had remained the same, so all my "testing" was simply using the wrong new password of admin when I simply needed to use the old password of Directory Manager. Sorry for the noise. And thanks for checking it on me. 
--Rob -- Robert Locke Google Voice: (203) 794-6007 Senior Curriculum Developer rlocke at redhat.com GnuPG: A334 CAB1 451A 6083 CDD8 40FE A5DE E418 82E0 0780 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From jhrozek at redhat.com Wed Aug 5 14:11:53 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 5 Aug 2015 16:11:53 +0200 Subject: [Freeipa-users] AD trust established but users can't login In-Reply-To: <55C212DB.1000604@gmail.com> References: <55C212DB.1000604@gmail.com> Message-ID: <20150805141153.GG5197@hendrix.arn.redhat.com> On Wed, Aug 05, 2015 at 04:42:51PM +0300, andrei.brajnicov wrote: > I don't know if these information is sufficient. But I hope that someone > will help me to troubleshoot the problem. Are you able to: getent passwd kuzea at adexample.com on the server? If not, can you enable debugging in all sections of sssd.conf, retry the lookup and post sssd logs here? From yamakasi.014 at gmail.com Wed Aug 5 15:40:29 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Wed, 5 Aug 2015 17:40:29 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi, This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit. Can you paste your commands so we can test out too and report back ? Thanks! Matt 2015-08-05 15:18 GMT+02:00 Christopher Lamb : > Hi Youenn > > Good news that you have got an integration working > > Now you have got it going, and the solution is fresh in your mind, how > about adding a How-to page on this solution to the FreeIPA wiki? > > Chris > > > > From: Youenn PIOLET > To: "Matt ." 
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, > "freeipa-users at redhat.com" > Date: 05.08.2015 14:51 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi guys, > > Thank you so much your previous answers. > I realised my SID were stored in ipaNTsecurityidentifier, thanks to > ipa-adtrust-install --add-sids > > I found an other way to configure smb here: > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa > It works perfectly. > > I'm using module ipasam.so I have manually scp to the samba server, > Samba is set to use kerberos + ldapsam via this ipasam module. > Following the instructions, I created a user role allowing service > principal to read ipaNTHash value from the LDAP. > ipaNTHash are generated each time a user changes his password. > Authentication works perfectly on Windows 7, 8 and 10. > > For more details, the previously linked thread is quite clear. > > Cheers > > -- > Youenn Piolet > piolet.y at gmail.com > > > 2015-08-05 11:10 GMT+02:00 Matt . : > Hi Chris. > > Yes, Apache Studio did that but I was not sure why it complained it > was "already" there. > > I'm still getting: > > IPA Error 4205: ObjectclassViolation > > missing attribute "sambaGroupType" required by object class > "sambaGroupMapping" > > When adding a user. > > I also see "class" as fielname under my "Last name", this is not OK also. > > > > We sure need to make some howto, I think we can nail this down :) > > Thanks for the heads up! 
> > Matthijs > > 2015-08-05 7:51 GMT+02:00 Christopher Lamb : > > Hi Matt > > > > If I use Apache Directory Studio to add an attribute ipaCustomFields to > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown > below: > > > > #!RESULT OK > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy > > #!DATE 2015-08-05T05:45:04.608 > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com > > changetype: modify > > add: ipaCustomFields > > ipaCustomFields: Samba Group Type,sambagrouptype,true > > > > After that I then have a visible attribute ipaCustomFields as expected. > > > > When adding the attribute, the wizard offered me "ipaCustomFields" as > > attribute type in a drop down list. > > > > Once we get this cracked, we really must write a how-to on the FreeIPA > > Wiki. > > > > Chris > > > > > > > > From: Christopher Lamb/Switzerland/IBM at IBMCH > > To: "Matt ." > > Cc: "freeipa-users at redhat.com" > > Date: 05.08.2015 07:31 > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > > Sent by: freeipa-users-bounces at redhat.com > > > > > > > > Hi Matt > > > > I also got the same result at that step, but can see nothing in Apache > > Directory Studio. > > > > As I am using existing Samba / FreeIPA groups migrated across, they > > probably were migrated with all the required attributes. > > > > Looking more closely at that LDIF: I wonder should it not be: > > > > ldapmodify -Y GSSAPI < > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld > > changetype: modify > > add: ipaCustomFields > > ipaCustomFields: "Samba Group Type,sambagrouptype,true" > > EOF > > > > i.e. changetype: modify, instead of changetype add ? > > > > I don't want to play around with my prod directory - I will setup an EL > 7.1 > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play > around > > more destructively. > > > > Chris > > > > > > > > > > > > From: "Matt ." 
> > To: Christopher Lamb/Switzerland/IBM at IBMCH > > Cc: Youenn PIOLET , " > freeipa-users at redhat.com" > > > > Date: 05.08.2015 01:01 > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > against IPA > > > > > > > > Hi Chris, > > > > I'm at the right path, but my issue is that: > > > > ldapmodify -Y GSSAPI < > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld > > changetype: add > > add: ipaCustomFields > > ipaCustomFields: "Samba Group Type,sambagrouptype,true" > > EOF > > > > Does say it exists, my ldap explorer doesn't show it, and when I add > > it manually as an attribute it still fails when I add a user on this > > sambagrouptype as it's needed by the other attributes > > > > So that is my issue I think so far. > > > > Any clue about that ? > > > > No problem "you don't know something or are no guru" we are all > > learning! :) > > > > Cheers, > > > > Matt > > > > > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb < > christopher.lamb at ch.ibm.com>: > >> Hi Matt, Youeen > >> > >> Just to set the background properly, I did not invent this process. I > > know > >> only a little about FreeIPA, and almost nothing about Samba, but I > guess > > I > >> was lucky enough to get the integration working on a Sunday afternoon. > (I > >> did have an older FreeIPA 3.x / Samba 3.x installation as a > reference). > >> > >> It sounds like we need to step back, and look at the test user and > group > > in > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much > > easier. 
> >> > >> My FreeIPA / Samba Users have the following Samba extensions in > FreeIPA > >> (cn=accounts, cn=users): > >> > >> * objectClass: sambasamaccount > >> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet > >> > >> My FreeIPA / Samba Groups have the following Samba extensions in > FreeIPA > >> (cn=accounts, cn=groups): > >> > >> * objectClass: sambaGroupMapping > >> > >> * Attributes: sambaGroupType, sambaSID > >> > >> The Users must belong to one or more of the samba groups that you have > >> setup. > >> > >> If you don't have something similar to the above (which sounds like it > is > >> the case), then something went wrong applying the extensions. It would > be > >> worth testing comparing a new user / group created post adding the > >> extensions to a previous existing user. > >> > >> i.e. > >> are the extensions missing on existing users / groups? > >> are the extensions missing on new users / groups? > >> > >> Cheers > >> > >> Chris > >> > >> > >> > >> > >> > >> From: Youenn PIOLET > >> To: "Matt ." > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, > >> "freeipa-users at redhat.com" > >> Date: 04.08.2015 18:56 > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA > >> > >> > >> > >> Hi there, > >> > >> I have difficulties to follow you at this point :) > >> Here is what I've done and what I've understood: > >> > >> ## SMB Side > >> - Testparm OK > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. > >> - pdbedit -Lv output is all successfull but I can see there is a > filter : > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have > >> sambaSamAccount. > >> > >> ## LDAP / FreeIPA side > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA > >> server to get samba LDAP extensions. 
> >> - I can see samba classes exist in LDAP but are not used on my group
> >> objects nor my user objects
> >> - I have added sambaSamAccount to the FreeIPA default user classes,
> >> and sambaGroupMapping to the default group classes. In that state I can't
> >> create users nor groups anymore, as new samba attributes are needed for
> >> instantiation.
> >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> >> but I don't get what it does.
> >> - I tried to add the samba.js plugin. It works, and adds the "local" option
> >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
> >> (domain). It doesn't work and tells that the sambagrouptype attribute doesn't
> >> exist (but it should now I put the sambaGroupType class by default...)
> >>
> >> ## Questions
> >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> >> instead? I guess no.
> >> 1) How to generate the user/group SIDs? They are requested to add
> >> sambaSamAccount classes.
> >> This article doesn't seem relevant since we don't use a domain controller
> >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> >> and netgetlocalsid returns an error.
> >> 2) How to fix the samba.js plugin?
> >> 3) I guess an equivalent of samba.js is needed for user creation, where can
> >> I find it?
> >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
> >> 7?
> >>
> >> Thanks a lot for your previous and future answers
> >>
> >> --
> >> Youenn Piolet
> >> piolet.y at gmail.com
> >>
> >> 2015-08-04 17:55 GMT+02:00 Matt . :
> >> Hi,
> >>
> >> Yes, log is anonymised.
> >>
> >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
> >> change its password it doesn't get it in ldap.
> >>
> >> There must be something going wrong I guess.
> >>
> >> Matt
> >>
> >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb:
> >> > Hi Matt
> >> >
> >> > I assume [username] is a real username, identical to that in the FreeIPA
> >> > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
> >> >
> >> > Your user should be a member of the appropriate samba groups that you
> >> > setup in FreeIPA.
> >> >
> >> > You should check that the user attribute SambaPwdLastSet is set to a
> >> > positive value (e.g. 1). If not you get an error in the Samba logs - I
> >> > would need to play around again with a test user to find out the exact
> >> > error.
> >> >
> >> > I don't understand what you mean about syncing the users local, but we
> >> > did not need to do anything like that.
> >> >
> >> > Chris
> >> >
> >> > From: "Matt ."
> >> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> >> > Cc: "freeipa-users at redhat.com"
> >> > Date: 04.08.2015 15:33
> >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >> >
> >> > Hi Chris,
> >> >
> >> > A puppet run added another passdb backend, that was causing my issue.
> >> >
> >> > What I still experience is:
> >> >
> >> > [2015/08/04 15:29:45.477783, 3]
> >> > ../source3/auth/check_samsec.c:399(check_sam_security)
> >> > check_sam_security: Couldn't find user 'username' in passdb.
> >> > [2015/08/04 15:29:45.478026, 2]
> >> > ../source3/auth/auth.c:288(auth_check_ntlm_password)
> >> > check_ntlm_password: Authentication for user [username] ->
> >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER
> >> >
> >> > I also wonder if I shall still sync the users local, or is it needed ?
> >> >
> >> > Thanks again,
> >> >
> >> > Matt
> >> >
> >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> >> >> Hi Matt
> >> >>
> >> >> From our smb.conf file:
> >> >>
> >> >> [global]
> >> >> security = user
> >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
> >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com
> >> >> ldap admin dn = cn=Directory Manager
> >> >>
> >> >> So yes, we use Directory Manager, it works for us. I have not tried with
> >> >> a less powerful user, but it is conceivable that a lesser user may not
> >> >> see all the required attributes, resulting in "no such user" errors.
> >> >>
> >> >> Chris
> >> >>
> >> >> From: "Matt ."
> >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
> >> >> Cc: "freeipa-users at redhat.com"
> >> >> Date: 04.08.2015 13:32
> >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >> >>
> >> >> Hi Chris,
> >> >>
> >> >> Thanks for the heads up, indeed local is 4 I see now when I add a
> >> >> group from the GUI, great thanks!
> >> >>
> >> >> But do you use Directory Manager as ldap admin user or some other
> >> >> admin account ?
> >> >>
> >> >> I'm not sure if DM is needed and it should get that deep into IPA.
> >> >> Also when starting samba it cannot find "such user" as that sounds
> >> >> quite known as it has no UID.
> >> >>
> >> >> From your config I see you use DM, this should work ?
> >> >>
> >> >> Thanks!
> >> >>
> >> >> Matt
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Wed Aug 5 19:29:15 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Aug 2015 22:29:15 +0300
Subject: [Freeipa-users] Change default email format
In-Reply-To: <848253850.568408.1438618085033.JavaMail.yahoo@mail.yahoo.com>
References: <848253850.568408.1438618085033.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20150805192915.GQ31709@redhat.com>

On Mon, 03 Aug 2015, Justean wrote:
>Good morning, I was wondering if there is a way to change the way
>freeipa builds a user's email address by default. Currently it takes
>the username and appends the domain name but I would like it to take
>the form firstname.lastname at domainname.com

It is not possible to redefine email's format via configuration so you
need to write some code. Luckily, you can amend existing code without
touching it.
Below is an example:
-----------------------------------------------------------------------
/usr/lib/python2.7/site-packages/ipalib/plugins/user-ext-mail-format.py
-----------------------------------------------------------------------
from ipalib.plugins.user import user_add

def override_default_mail_cb(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
    # Only derive an address when the administrator did not pass --email.
    if 'mail' not in entry_attrs:
        name = {'givenname': entry_attrs.get('givenname').lower(),
                'sn': entry_attrs.get('sn').lower()}
        mail = "{givenname}.{sn}".format(**name)
        # normalize_and_validate_email() appends the default e-mail domain.
        entry_attrs['mail'] = self.obj.normalize_and_validate_email(mail)
    return dn

# first=True: run before the stock user-add pre-callbacks.
user_add.register_pre_callback(override_default_mail_cb, first=True)
-----------------------------------------------------------------------

What does this Python code do? It adds a callback to the user-add method in
IPA that is run before other callbacks (first=True). The callback then checks
whether the mail attribute was already specified by the administrator when
calling 'ipa user-add' (the Web UI calls this for you). If not, it derives
the mail address from lower-cased versions of the first and last names of the
user (known as the 'givenname' and 'sn' attributes in LDAP, respectively). It
then sets the mail attribute to a full email address via the
self.obj.normalize_and_validate_email() function, which picks up the
default DNS domain value and constructs the correct email.

You need to maintain this plugin extension on all IPA masters used for
creating users. The best way to do that is by packaging the plugin in an RPM
and installing it on the IPA masters.

You also need to restart the httpd service on the IPA master to apply the
plugin.
It is used like this:

# systemctl restart httpd
# ipa user-add some.user --first Some --last User
----------------------
Added user "some.user"
----------------------
  User login: some.user
  First name: Some
  Last name: User
  Full name: Some User
  Display name: Some User
  Initials: SU
  Home directory: /home/some.user
  GECOS: Some User
  Login shell: /bin/sh
  Kerberos principal: some.user at EXAMPLE.COM
  Email address: some.user at example.com
  UID: 1634400022
  GID: 1634400022
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# ipa user-add another.user --first Another --last User --email a.user
-------------------------
Added user "another.user"
-------------------------
  User login: another.user
  First name: Another
  Last name: User
  Full name: Another User
  Display name: Another User
  Initials: AU
  Home directory: /home/another.user
  GECOS: Another User
  Login shell: /bin/sh
  Kerberos principal: another.user at EXAMPLE.COM
  Email address: a.user at example.com
  UID: 1634400021
  GID: 1634400021
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Command line options and LDAP attribute names are not always the same. You
can use 'ipa show-mappings user-add' to see how CLI options map to LDAP
attributes.

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Aug 5 19:40:44 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Aug 2015 22:40:44 +0300
Subject: [Freeipa-users] Change default email format
In-Reply-To: <20150805192915.GQ31709@redhat.com>
References: <848253850.568408.1438618085033.JavaMail.yahoo@mail.yahoo.com> <20150805192915.GQ31709@redhat.com>
Message-ID: <20150805194044.GR31709@redhat.com>

On Wed, 05 Aug 2015, Alexander Bokovoy wrote:
>On Mon, 03 Aug 2015, Justean wrote:
>>Good morning, I was wondering if there is a way to change the way
>>freeipa builds a user's email address by default.
Currently it takes >>the username and appends the domain name but I would like it to take >>the form firstname.lastname at domainname.com >It is not possible to redefine email's format via configuration so you >need to write some code. Luckily, you can amend existing code without >touching it. > >Below is an example: >----------------------------------------------------------------------- >/usr/lib/python2.7/site-packages/ipalib/plugins/user-ext-mail-format.py >----------------------------------------------------------------------- >from ipalib.plugins.user import user_add > >def override_default_mail_cb(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): > if not 'mail' in entry_attrs: > name = {'givenname': entry_attrs.get('givenname').lower(), > 'sn': entry_attrs.get('sn').lower()} > mail = "{givenname}.{sn}".format(**name) > entry_attrs['mail'] = self.obj.normalize_and_validate_email(mail) > return dn > >user_add.register_pre_callback(override_default_mail_cb, first=True) >----------------------------------------------------------------------- > >What this Python code does? It adds a callback to user-add method in IPA >that is run before other callbacks (first=True). The callback is then >checks if mail attribute was already specified by the administrator >when calling 'ipa user-add' (Web UI calls this for you). If not, it >derives mail format from lower-cased versions of first and last names of >the user (known as 'givenname' and 'sn' attributes in LDAP >correspondingly). It then sets mail attribute to a full email format via >self.obj.normalize_and_validate_email() function which will pick up the >default DNS domain value and construct correct email. > >You need to maintain this plugin extension on all IPA masters used for >creating users. Best way to do that is by packaging the plugin in an RPM >and installing it on IPA masters. > >You also need to restart httpd service on IPA master to apply the >plugin. 
>
>It is used like this:
>
># systemctl restart httpd
># ipa user-add some.user --first Some --last User
>----------------------
>Added user "some.user"
>----------------------
>  User login: some.user
>  First name: Some
>  Last name: User
>  Full name: Some User
>  Display name: Some User
>  Initials: SU
>  Home directory: /home/some.user
>  GECOS: Some User
>  Login shell: /bin/sh
>  Kerberos principal: some.user at EXAMPLE.COM
>  Email address: some.user at example.com
>  UID: 1634400022
>  GID: 1634400022
>  Password: False
>  Member of groups: ipausers
>  Kerberos keys available: False

Actually, I realized because I gave the same user login as
'FirstName.LastName', it might be less apparent that the code works.
Let's try with another user:

# ipa user-add foo.bar --first Some --last User
--------------------
Added user "foo.bar"
--------------------
  User login: foo.bar
  First name: Some
  Last name: User
  Full name: Some User
  Display name: Some User
  Initials: SU
  Home directory: /home/foo.bar
  GECOS: Some User
  Login shell: /bin/sh
  Kerberos principal: foo.bar at EXAMPLE.COM
  Email address: some.user at example.com
  UID: 1634400023
  GID: 1634400023
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

-- 
/ Alexander Bokovoy

From justeank at yahoo.com Thu Aug 6 02:41:02 2015
From: justeank at yahoo.com (Justean)
Date: Thu, 6 Aug 2015 02:41:02 +0000 (UTC)
Subject: [Freeipa-users] Change default email format
In-Reply-To: <20150805194044.GR31709@redhat.com>
References: <20150805194044.GR31709@redhat.com>
Message-ID: <245495308.476769.1438828862452.JavaMail.yahoo@mail.yahoo.com>

Wow, thank you so much for such a complete explanation. I appreciate the
effort. I am out for the next day or so but will try and implement this as
soon as I can. Thank you again and I will let you know the results.
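Alexander Bokovoy's plugin above, modelled as an added stand-alone example (not code from the thread or from FreeIPA): it re-implements the mail derivation rule together with stand-ins for normalize_and_validate_email() and the stock user-add default, so the callback chain can be checked without an IPA master. Assumptions: the default e-mail domain is example.com, the stock callback behaves as the thread describes (login@domain when no --email is given), and the stand-in validator accepts only a conservative character set; on a real master IPA's own validator and errors.ValidationError are the authority.

```python
import re

# Stand-in validator: a conservative local-part/domain rule (assumption;
# on a real master IPA's own validate_email() is the authority).
_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")
_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class MailValidationError(ValueError):
    """Stands in for ipalib's errors.ValidationError(name='email')."""


def normalize_and_validate_email(mail, default_domain):
    """Model of user.normalize_and_validate_email(): append the default
    domain to a value without '@', validate, and return a list, because
    LDAP 'mail' is multi-valued and IPA stores it as a list."""
    values = [mail] if isinstance(mail, str) else list(mail)
    result = []
    for addr in values:
        if "@" not in addr and default_domain:
            addr = "%s@%s" % (addr, default_domain)
        local, _, domain = addr.rpartition("@")
        if not (_LOCAL_PART.match(local) and _DOMAIN.match(domain)):
            raise MailValidationError("invalid e-mail format: %s" % addr)
        result.append(addr)
    return result


def override_default_mail_cb(entry_attrs, default_domain):
    """Alexander's callback without the IPA plumbing: when no --email was
    given, derive givenname.sn in lower case and normalize it."""
    if "mail" not in entry_attrs:
        name = {"givenname": entry_attrs["givenname"].lower(),
                "sn": entry_attrs["sn"].lower()}
        mail = "{givenname}.{sn}".format(**name)
        entry_attrs["mail"] = normalize_and_validate_email(mail, default_domain)
    return entry_attrs


def stock_mail_default(entry_attrs, uid, default_domain):
    """Model of the stock user-add pre-callback that runs afterwards
    (assumption, based on the default behaviour described in the thread):
    normalize an explicit mail value, else fall back to uid@default_domain."""
    if "mail" in entry_attrs:
        entry_attrs["mail"] = normalize_and_validate_email(
            entry_attrs["mail"], default_domain)
    elif default_domain:
        entry_attrs["mail"] = normalize_and_validate_email(uid, default_domain)
    return entry_attrs


def user_add(uid, first, last, email=None, default_domain="example.com",
             plugin_enabled=True):
    """Run the pre-callback chain for one 'ipa user-add' and return the
    entry. With first=True the override runs before the stock callback,
    which is the ordering reproduced here."""
    entry_attrs = {"uid": uid, "givenname": first, "sn": last}
    if email is not None:
        entry_attrs["mail"] = email
    if plugin_enabled:
        override_default_mail_cb(entry_attrs, default_domain)
    stock_mail_default(entry_attrs, uid, default_domain)
    return entry_attrs


def email_address(entry_attrs):
    """First 'mail' value, as the CLI prints it under 'Email address:'."""
    return entry_attrs["mail"][0]


if __name__ == "__main__":
    # The three commands from the thread, replayed on constructed input.
    for args in (("some.user", "Some", "User", None),
                 ("another.user", "Another", "User", "a.user"),
                 ("foo.bar", "Some", "User", None)):
        print(args[0], "->", email_address(user_add(*args)))
    # Without the plugin the stock rule yields login@domain instead.
    print("foo.bar (no plugin) ->", email_address(
        user_add("foo.bar", "Some", "User", plugin_enabled=False)))
    # A first name containing a space yields an invalid local part, so
    # user-add would be refused (assumption: IPA's validator rejects it
    # too); a production plugin should map such characters first.
    try:
        user_add("mary.smith", "Mary Ann", "Smith")
    except MailValidationError as exc:
        print("rejected:", exc)
```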
From Alexander.Frolushkin at megafon.ru Thu Aug 6 04:35:16 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Thu, 6 Aug 2015 04:35:16 +0000
Subject: [Freeipa-users] Problem with replica, again...
Message-ID: <5367bab6e715497ba6b16573f763061f@sib-ums05.Megafon.ru>

Hello!

In the middle of July, one of our 19 replicas hung, and it was noticed only
yesterday. All efforts to re-initialize it failed - right after start of
dirsrv it hangs with the same message in the log:

[06/Aug/2015:10:30:39 +0600] DSRetroclPlugin - replog: an error occured while adding change number 46861, dn = changenumber=46861,cn=changelog: Operations error.
[06/Aug/2015:10:30:39 +0600] retrocl-plugin - retrocl_postob: operation failure [1]
[06/Aug/2015:10:30:39 +0600] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0

So I cannot remove this replica gracefully - it is a zombie now.

What is the cleanest way to restore this server, how can I re-install it
with minimal problems for my IPA domain?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From harenberg at physik.uni-wuppertal.de Thu Aug 6 05:37:09 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Thu, 06 Aug 2015 07:37:09 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <20150804061702.GB15393@mail.corp.redhat.com>
References: <55C04E29.5020601@physik.uni-wuppertal.de> <55C05413.90709@physik.uni-wuppertal.de> <20150804061702.GB15393@mail.corp.redhat.com>
Message-ID: <55C2F285.2070700@physik.uni-wuppertal.de>

Thanks for the hints and the pointers.

We found that this

(Thu Aug 6 03:30:01 2015) [sssd[nss]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]

always happens when there are jobs with heavy disk IO on the nodes (see the
plot attached from this particular node). SGE then goes into error state
with

wnfg055/messages:08/06/2015 03:26:36| main|wnfg055|E|can't start job "5538749": can't get password entry for user "___". Either user does not exist or error with NIS/LDAP etc.

(user name replaced)

Is there any way of telling sssd to wait longer for an answer? We already
tried to get the load down but it's difficult to identify which jobs are
causing this, we have a large variety of users with many different
applications.

Best regards

Torsten

-- 
Dr. Torsten Harenberg   harenberg at physik.uni-wuppertal.de
Bergische Universitaet
FB C - Physik           Tel.: +49 (0)202 439-3521
Gaussstr. 20            Fax : +49 (0)202 439-2811
42097 Wuppertal
Of course it runs NetBSD   http://www.netbsd.org

From harenberg at physik.uni-wuppertal.de Thu Aug 6 05:47:57 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Thu, 06 Aug 2015 07:47:57 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <55C2F285.2070700@physik.uni-wuppertal.de>
References: <55C04E29.5020601@physik.uni-wuppertal.de> <55C05413.90709@physik.uni-wuppertal.de> <20150804061702.GB15393@mail.corp.redhat.com> <55C2F285.2070700@physik.uni-wuppertal.de>
Message-ID: <55C2F50D.5020603@physik.uni-wuppertal.de>

On 06.08.15 at 07:37, Torsten Harenberg wrote:
> (see plot attached

forgot the attachment

From jhrozek at redhat.com Thu Aug 6 06:18:03 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 6 Aug 2015 08:18:03 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <55C2F285.2070700@physik.uni-wuppertal.de> References: <55C04E29.5020601@physik.uni-wuppertal.de> <55C05413.90709@physik.uni-wuppertal.de> <20150804061702.GB15393@mail.corp.redhat.com> <55C2F285.2070700@physik.uni-wuppertal.de> Message-ID: <20150806061803.GB17727@Jakubs-MacBook-Pro.local> On Thu, Aug 06, 2015 at 07:37:09AM +0200, Torsten Harenberg wrote: > Thanks for the hints and the pointers. > > We found that this > > (Thu Aug 6 03:30:01 2015) [sssd[nss]] [id_callback] (0x0010): The > Monitor returned an error [org.freedesktop.DBus.Error.NoReply] > > and this always happens when there are jobs with heavy disc IO and the > nodes (see plot attached from this particular node. > > SGE then goes into error state with > > wnfg055/messages:08/06/2015 03:26:36| main|wnfg055|E|can't start job > "5538749": can't get password entry for user "___". Either user does not > exist or error with NIS/LDAP etc. > > (user name replaced) > > Is there any way of telling sssd to wait longer for an answer? Yes, you can add a 'timeout' parameter to the domain section of sssd.conf. The default value is 10, you can try maybe 20. From christopher.lamb at ch.ibm.com Thu Aug 6 06:50:59 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Thu, 6 Aug 2015 08:50:59 +0200 Subject: [Freeipa-users] FreeIPA Server install fails on configuration of client side components Message-ID: Hi In order to better assist on another thread in this list, I installed FreeIPA Server in a throwaway VM. Unfortunately the FreeIPA Server Install repeatedly fails with: Configuration of client side components failed! 
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'my.silly.example.com' '--server' 'tst-ldap.my.silly.example.com' '--realm' 'MY.SILLY.EXAMPLE.COM' '--hostname' 'tst-ldap.my.silly.example.com'' returned non-zero exit status 1
[root at tst-ldap etc]#

This is on a newly set up OEL 7.1 VM, in a VirtualBox VM hosted on OSX 10.10.5.

Googling shows similar errors on second install of FreeIPA Server. I get it on
the first install. (I rolled back the VM after every failed attempt).

Some points that may or may not be relevant:

1) ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

2) Part way through the install I get "WARNING: Your system is running out of
entropy, you may experience long delays"

3) I have a Fedora repository enabled?

4) The domain I used "my.silly.example.com" is a "Mickey Mouse" domain, not
resolvable to anything real via DNS, but is part of the fully qualified
hostname of the VM.

5) The only obvious "ERROR" I can find is in the ipaclient-install.log

ERROR Cannot connect to the server due to generic error: cannot connect to 'https://tst-ldap.my.silly.example.com/ipa/json': Internal Server Error

6) yum info ipa-server
Installierte Pakete
Name        : ipa-server
Architektur : x86_64
Version     : 4.1.0
Ausgabe     : 18.0.1.el7_1.3
Größe       : 4.2 M
Quelle      : installed
Aus Quelle  : ol7_latest

Any ideas?

Chris

[root at tst-ldap etc]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)?
[no]: Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: master.example.com. Server host name [tst-ldap.my.silly.example.com]: The domain name has been determined based on the host name. Please confirm the domain name [my.silly.example.com]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [MY.SILLY.EXAMPLE.COM]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): The IPA Master Server will be configured with: Hostname: tst-ldap.my.silly.example.com IP address(es): 10.0.2.15 Domain name: my.silly.example.com Realm name: MY.SILLY.EXAMPLE.COM Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). 
Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring certmap.conf [18/38]: configure autobind for root [19/38]: configure new location for managed entries [20/38]: configure dirsrv ccache [21/38]: enable SASL mapping fallback [22/38]: restarting directory server [23/38]: adding default layout [24/38]: adding delegation layout [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: initializing group membership [33/38]: adding master entry [34/38]: configuring Posix uid/gid generation [35/38]: adding replication acis [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). 
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/27]: creating certificate server user [2/27]: configuring certificate server instance [3/27]: stopping certificate server instance to update CS.cfg [4/27]: backing up CS.cfg [5/27]: disabling nonces [6/27]: set up CRL publishing [7/27]: enable PKIX certificate path discovery and validation [8/27]: starting certificate server instance [9/27]: creating RA agent certificate database [10/27]: importing CA chain to RA certificate database [11/27]: fixing RA database permissions [12/27]: setting up signing cert profile [13/27]: set certificate subject base [14/27]: enabling Subject Key Identifier [15/27]: enabling Subject Alternative Name [16/27]: enabling CRL and OCSP extensions for certificates [17/27]: setting audit signing renewal to 2 years [18/27]: configuring certificate server to start on boot [19/27]: restarting certificate server [20/27]: requesting RA certificate from CA [21/27]: issuing RA agent certificate [22/27]: adding RA agent as a trusted user [23/27]: configure certmonger for renewals [24/27]: configure certificate renewals [25/27]: configure RA certificate renewal [26/27]: configure Server-Cert certificate renewal [27/27]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv): Estimated time 10 seconds [1/3]: configuring ssl for ds instance [2/3]: restarting directory server [3/3]: adding CA certificate entry Done configuring directory server (dirsrv). 
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container WARNING: Your system is running out of entropy, you may experience long delays [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring the web interface (httpd): Estimated time 1 minute [1/16]: setting mod_nss port to 443 [2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.1 [3/16]: setting mod_nss password file [4/16]: enabling mod_nss renegotiate [5/16]: adding URL rewriting rules [6/16]: configuring httpd [7/16]: configure certmonger for renewals [8/16]: setting up ssl [9/16]: importing CA certificates from LDAP [10/16]: setting up browser autoconfig [11/16]: publish CA cert [12/16]: creating a keytab for httpd [13/16]: clean up any existing httpd ccache [14/16]: configuring SELinux for httpd [15/16]: restarting httpd [16/16]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting Directory server to apply updates [1/2]: stopping directory server [2/2]: starting directory server Done. 
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Sample zone file for bind has been created in /tmp/sample.zone.jboVcP.db
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'my.silly.example.com' '--server' 'tst-ldap.my.silly.example.com' '--realm' 'MY.SILLY.EXAMPLE.COM' '--hostname' 'tst-ldap.my.silly.example.com'' returned non-zero exit status 1

[root at tst-ldap etc]# more /etc/hostname
tst-ldap.my.silly.example.com

(See attached file: ipa-installlogs.zip)

From mkosek at redhat.com Thu Aug 6 07:55:09 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 6 Aug 2015 09:55:09 +0200
Subject: [Freeipa-users] IPA client enrollment check
In-Reply-To:
References:
Message-ID: <55C312DD.8020405@redhat.com>

On 08/04/2015 03:10 PM, Thomas Lau wrote:
> Does anyone know how could I check if client enrolled or not?
>
> trying to automate enrollment process by using generic tool since I am
> using Ubuntu, only ipa-client-install available.

Hello Thomas,

I am not aware of some general API/CLI for that. ipa-client-install just checks
if there is any file in /var/lib/ipa-client/sysrestore or /etc/ipa/default.conf
exists.

If you would like some tool to handle it better (maybe "ipa-client-install
--is-installed"?), please file an RFE or ideally send patches, it should not be
that difficult to implement :-)

From lslebodn at redhat.com Thu Aug 6 08:16:28 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 6 Aug 2015 10:16:28 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <55C2F50D.5020603@physik.uni-wuppertal.de>
References: <55C04E29.5020601@physik.uni-wuppertal.de> <55C05413.90709@physik.uni-wuppertal.de> <20150804061702.GB15393@mail.corp.redhat.com> <55C2F285.2070700@physik.uni-wuppertal.de> <55C2F50D.5020603@physik.uni-wuppertal.de>
Message-ID: <20150806081628.GA3199@mail.corp.redhat.com>

On (06/08/15 07:47), Torsten Harenberg wrote:
>On 06.08.15 at 07:37 Torsten Harenberg wrote:
>> (see plot attached
>
>forgot the attachment
>
Is the high IO caused by sssd or by other application?
If it is caused by other application then you can mount directory with
sss cache (/var/lib/sss or just the /var/lib/sss/db) to the different
device/disk or filesystem. You can use tmpfs if you do not care about
offline authentication.

LS

From jhrozek at redhat.com Thu Aug 6 09:08:36 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 6 Aug 2015 11:08:36 +0200
Subject: [Freeipa-users] IPA client enrollment check
In-Reply-To: <55C312DD.8020405@redhat.com>
References: <55C312DD.8020405@redhat.com>
Message-ID: <20150806090836.GB20299@hendrix.redhat.com>

On Thu, Aug 06, 2015 at 09:55:09AM +0200, Martin Kosek wrote:
> On 08/04/2015 03:10 PM, Thomas Lau wrote:
> > Does anyone know how could I check if client enrolled or not?
> >
> > trying to automate enrollment process by using generic tool since I am
> > using Ubuntu, only ipa-client-install available.
>
> Hello Thomas,
>
> I am not aware of some general API/CLI for that. ipa-client-install just checks
> if there is any file in /var/lib/ipa-client/sysrestore or /etc/ipa/default.conf
> exists.
>
> If you would like some tool to handle it better (maybe "ipa-client-install
> --is-installed"?), please file an RFE or ideally send patches, it should not be
> that difficult to implement :-)

What about kinit-ing with keytab and searching the record of the computer
account (self) in IPA?
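The two checks proposed in this thread (Martin's: look for the markers ipa-client-install leaves behind; Jakub's: authenticate with the host keytab and look up the host's own entry), combined into one script. This is an added example written for this archive page, not code from FreeIPA or from either poster; the function names and the optional root-prefix argument are my own, used so the marker logic can be exercised against a constructed directory tree.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether this host is enrolled as
# an IPA client. Offline, it looks at the same markers ipa-client-install uses,
# /var/lib/ipa-client/sysrestore and /etc/ipa/default.conf; online, it proves
# the host identity with the host keytab and fetches the host's own entry.
# The optional root prefix and the function names are assumptions made here so
# the marker logic can be exercised against a constructed directory tree.

# Return 0 when enrollment markers exist under the prefix "$1" (default: /).
ipa_client_markers_present() {
    root="${1:-}"
    sysrestore="$root/var/lib/ipa-client/sysrestore"
    defconf="$root/etc/ipa/default.conf"
    # default.conf is written by a completed enrollment
    if [ -f "$defconf" ]; then
        return 0
    fi
    # ipa-client-install treats any file in sysrestore as a marker; a populated
    # directory without default.conf usually means a half-finished enrollment
    if [ -d "$sysrestore" ] && [ -n "$(ls -A "$sysrestore" 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# Finer classification: "enrolled" (default.conf present), "partial"
# (sysrestore has files but no default.conf) or "none".
ipa_client_state() {
    root="${1:-}"
    if [ -f "$root/etc/ipa/default.conf" ]; then
        echo enrolled
    elif ipa_client_markers_present "$root"; then
        echo partial
    else
        echo none
    fi
}

# Read one key (realm, server, ...) from default.conf so a caller can verify
# the host is enrolled in the realm it expects, not merely in some realm.
ipa_client_conf_value() {
    key="$1"
    conf="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1
}

# Online confirmation, following Jakub's suggestion: get a TGT with the host
# keytab and fetch our own host entry. A private credential cache keeps the
# caller's own tickets untouched. Needs root (to read /etc/krb5.keytab) and
# the ipa client tools; returns non-zero if either step fails.
ipa_client_verify_online() {
    fqdn="$(hostname -f)"
    KRB5CCNAME="FILE:$(mktemp)"
    export KRB5CCNAME
    if kinit -k "host/$fqdn" 2>/dev/null && ipa host-show "$fqdn" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    kdestroy >/dev/null 2>&1
    return "$rc"
}

# Command-line use: `sh ipa-enrolled.sh --check [EXPECTED.REALM]` exits 0 only
# for a fully enrolled host (in the expected realm, if given) that also passes
# the online check. Without --check the file only defines the functions.
case "${1:-}" in
    --check)
        state="$(ipa_client_state)"
        echo "local state: $state"
        [ "$state" = enrolled ] || exit 1
        if [ -n "${2:-}" ]; then
            realm="$(ipa_client_conf_value realm /etc/ipa/default.conf)"
            echo "realm: $realm"
            [ "$realm" = "$2" ] || exit 1
        fi
        ipa_client_verify_online && echo "online check: ok" || exit 1
        ;;
esac
```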
From piolet.y at gmail.com Thu Aug 6 10:23:05 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Thu, 6 Aug 2015 12:23:05 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hey guys,

I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

General idea:

On FreeIPA (4.1)
- `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
- regenerate each user password to build ipaNTHash attribute, not here by default on users
- use your ldap browser to check ipaNTHash values are here on user objects
- create a CIFS service for your samba server
- Create user roles/permissions as described here:
  http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
- SCP ipasam.so module to your cifs server (this is the magic trick):
  scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
  You can also try to recompile it.

On SAMBA Server side (CentOS 7...)
- Install server keytab file for CIFS
- check ipasam.so is here.
- check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
- make your smb.conf following the linked thread and restart service

I don't know if it works in Ubuntu. I know sssd has evolved quickly and
ipasam may use quite recent functionalities, the best is to just try. You
can read in previous thread : "If you insist on Ubuntu you need to get
ipasam somewhere, most likely to compile it yourself".

Make sure your user has ipaNTHash attribute :)

You may want to debug authentication on samba server, I usually do this:
`tail -f /var/log/samba/log* | grep

Cheers
--
Youenn Piolet
piolet.y at gmail.com

2015-08-05 17:40 GMT+02:00 Matt . :
> Hi,
>
> This sounds great to me too, but a howto would help to make it more
> clear about what you have done here.
> The thread confuses me a little bit.
>
> Can you paste your commands so we can test out too and report back ?
>
> Thanks!
>
> Matt
>
> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
> > Hi Youenn
> >
> > Good news that you have got an integration working
> >
> > Now you have got it going, and the solution is fresh in your mind, how
> > about adding a How-to page on this solution to the FreeIPA wiki?
> >
> > Chris
> >
> > From: Youenn PIOLET
> > To: "Matt ."
> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> > "freeipa-users at redhat.com"
> > Date: 05.08.2015 14:51
> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >
> > Hi guys,
> >
> > Thank you so much for your previous answers.
> > I realised my SID were stored in ipaNTsecurityidentifier, thanks to
> > ipa-adtrust-install --add-sids
> >
> > I found another way to configure smb here:
> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> > It works perfectly.
> >
> > I'm using module ipasam.so I have manually scp to the samba server,
> > Samba is set to use kerberos + ldapsam via this ipasam module.
> > Following the instructions, I created a user role allowing service
> > principal to read ipaNTHash value from the LDAP.
> > ipaNTHash are generated each time a user changes his password.
> > Authentication works perfectly on Windows 7, 8 and 10.
> >
> > For more details, the previously linked thread is quite clear.
> >
> > Cheers
> >
> > --
> > Youenn Piolet
> > piolet.y at gmail.com
> >
> > 2015-08-05 11:10 GMT+02:00 Matt . :
> > Hi Chris.
> >
> > Yes, Apache Studio did that but I was not sure why it complained it
> > was "already" there.
> >
> > I'm still getting:
> >
> > IPA Error 4205: ObjectclassViolation
> >
> > missing attribute "sambaGroupType" required by object class
> > "sambaGroupMapping"
> >
> > When adding a user.
> >
> > I also see "class" as field name under my "Last name", this is not OK also.
> >
> > We sure need to make some howto, I think we can nail this down :)
> >
> > Thanks for the heads up!
> >
> > Matthijs
> >
> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> > > Hi Matt
> > >
> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
> > > below:
> > >
> > > #!RESULT OK
> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> > > #!DATE 2015-08-05T05:45:04.608
> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> > > changetype: modify
> > > add: ipaCustomFields
> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
> > >
> > > After that I then have a visible attribute ipaCustomFields as expected.
> > >
> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
> > > attribute type in a drop down list.
> > >
> > > Once we get this cracked, we really must write a how-to on the FreeIPA
> > > Wiki.
> > >
> > > Chris
> > >
> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > > To: "Matt ."
> > > Cc: "freeipa-users at redhat.com"
> > > Date: 05.08.2015 07:31
> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > Sent by: freeipa-users-bounces at redhat.com
> > >
> > > Hi Matt
> > >
> > > I also got the same result at that step, but can see nothing in Apache
> > > Directory Studio.
> > >
> > > As I am using existing Samba / FreeIPA groups migrated across, they
> > > probably were migrated with all the required attributes.
> > >
> > > Looking more closely at that LDIF: I wonder should it not be:
> > >
> > > ldapmodify -Y GSSAPI <<EOF
> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > > changetype: modify
> > > add: ipaCustomFields
> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > > EOF
> > >
> > > i.e. changetype: modify, instead of changetype add ?
> > >
> > > I don't want to play around with my prod directory - I will setup an EL 7.1
> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
> > > more destructively.
> > >
> > > Chris
> > >
> > > From: "Matt ."
> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> > > Date: 05.08.2015 01:01
> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >
> > > Hi Chris,
> > >
> > > I'm at the right path, but my issue is that:
> > >
> > > ldapmodify -Y GSSAPI <<EOF
> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > > changetype: add
> > > add: ipaCustomFields
> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > > EOF
> > >
> > > Does say it exists, my ldap explorer doesn't show it, and when I add
> > > it manually as an attribute it still fails when I add a user on this
> > > sambagrouptype as it's needed by the other attributes
> > >
> > > So that is my issue I think so far.
> > >
> > > Any clue about that ?
> > >
> > > No problem "you don't know something or are no guru" we are all
> > > learning! :)
> > >
> > > Cheers,
> > >
> > > Matt
> > >
> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> > >> Hi Matt, Youenn
> > >>
> > >> Just to set the background properly, I did not invent this process. I know
> > >> only a little about FreeIPA, and almost nothing about Samba, but I guess I
> > >> was lucky enough to get the integration working on a Sunday afternoon. (I
> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
> > >>
> > >> It sounds like we need to step back, and look at the test user and group in
> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
> > >>
> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
> > >> (cn=accounts, cn=users):
> > >>
> > >> * objectClass: sambasamaccount
> > >>
> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
> > >>
> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
> > >> (cn=accounts, cn=groups):
> > >>
> > >> * objectClass: sambaGroupMapping
> > >>
> > >> * Attributes: sambaGroupType, sambaSID
> > >>
> > >> The Users must belong to one or more of the samba groups that you have
> > >> setup.
> > >>
> > >> If you don't have something similar to the above (which sounds like it is
> > >> the case), then something went wrong applying the extensions. It would be
> > >> worth testing comparing a new user / group created post adding the
> > >> extensions to a previous existing user.
> > >>
> > >> i.e.
> > >> are the extensions missing on existing users / groups?
> > >> are the extensions missing on new users / groups?
> > >>
> > >> Cheers
> > >>
> > >> Chris
> > >>
> > >> From: Youenn PIOLET
> > >> To: "Matt ."
> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> > >> "freeipa-users at redhat.com"
> > >> Date: 04.08.2015 18:56
> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >>
> > >> Hi there,
> > >>
> > >> I have difficulties to follow you at this point :)
> > >> Here is what I've done and what I've understood:
> > >>
> > >> ## SMB Side
> > >> - Testparm OK
> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
> > >> - pdbedit -Lv output is all successful but I can see there is a filter :
> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
> > >> sambaSamAccount.
> > >>
> > >> ## LDAP / FreeIPA side
> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
> > >> server to get samba LDAP extensions.
> > >> - I can see samba classes exist in LDAP but are not used on my group
> > >> objects nor my user objects
> > >> - I have added sambaSamAccount in FreeIPA default user classes,
> > >> and sambaGroupMapping to default group classes. In that state I can't
> > >> create user nor groups anymore, as new samba attributes are needed for
> > >> instantiation.
> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> > >> but I don't get what it does.
> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option
> > >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
> > >> (domain). It doesn't work and tells that sambagrouptype attribute doesn't
> > >> exist (but it should now I put sambaGroupType class by default...)
> > >>
> > >> ## Questions
> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> > >> instead? I guess no.
> > >> 1) How to generate the user/group SIDs ? They are requested to add
> > >> sambaSamAccount classes.
> > >> This article doesn't seem relevant since we don't use domain controller
> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> > >> and netgetlocalsid returns an error.
> > >> 2) How to fix samba.js plugin?
> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can
> > >> I find it?
> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
> > >> 7?
> > >>
> > >> Thanks a lot for your previous and future answers
> > >>
> > >> --
> > >> Youenn Piolet
> > >> piolet.y at gmail.com
> > >>
> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
> > >> Hi,
> > >>
> > >> Yes, log is anonymised.
> > >>
> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
> > >> change its password it doesn't get it in ldap.
> > >>
> > >> There must be something going wrong I guess.
> > >>
> > >> Matt
> > >>
> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
> > >> > Hi Matt
> > >> >
> > >> > I assume [username] is a real username, identical to that in the FreeIPA
> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
> > >> >
> > >> > Your user should be a member of the appropriate samba groups that you setup
> > >> > in FreeIPA.
> > >> >
> > >> > You should check that the user attribute SambaPwdLastSet is set to a
> > >> > positive value (e.g. 1). If not you get an error in the Samba logs - I
> > >> > would need to play around again with a test user to find out the exact
> > >> > error.
> > >> >
> > >> > I don't understand what you mean about syncing the users local, but we did
> > >> > not need to do anything like that.
> > >> >
> > >> > Chris
> > >> >
> > >> > From: "Matt ."
> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > >> > Cc: "freeipa-users at redhat.com"
> > >> > Date: 04.08.2015 15:33
> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >> >
> > >> > Hi Chris,
> > >> >
> > >> > A puppet run added another passdb backend, that was causing my issue.
> > >> >
> > >> > What I still experience is:
> > >> >
> > >> > [2015/08/04 15:29:45.477783, 3]
> > >> > ../source3/auth/check_samsec.c:399(check_sam_security)
> > >> > check_sam_security: Couldn't find user 'username' in passdb.
> > >> > [2015/08/04 15:29:45.478026, 2]
> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password)
> > >> > check_ntlm_password: Authentication for user [username] ->
> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER
> > >> >
> > >> > I also wonder if I shall still sync the users local, or is it needed ?
> > >> >
> > >> > Thanks again,
> > >> >
> > >> > Matt
> > >> >
> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> > >> >> Hi Matt
> > >> >>
> > >> >> From our smb.conf file:
> > >> >>
> > >> >> [global]
> > >> >> security = user
> > >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com
> > >> >> ldap admin dn = cn=Directory Manager
> > >> >>
> > >> >> So yes, we use Directory Manager, it works for us. I have not tried with a
> > >> >> less powerful user, but it is conceivable that a lesser user may not see
> > >> >> all the required attributes, resulting in "no such user" errors.
> > >> >>
> > >> >> Chris
> > >> >>
> > >> >> From: "Matt ."
> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
> > >> >> Cc: "freeipa-users at redhat.com"
> > >> >> Date: 04.08.2015 13:32
> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >> >>
> > >> >> Hi Chris,
> > >> >>
> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a
> > >> >> group from the GUI, great thanks!
> > >> >>
> > >> >> But do you use Directory Manager as ldap admin user or some other
> > >> >> admin account ?
> > >> >>
> > >> >> I'm not sure if DM is needed and it should get that deep into IPA.
> > >> >> Also when starting samba it cannot find "such user" as that sounds
> > >> >> quite known as it has no UID.
> > >> >>
> > >> >> From your config I see you use DM, this should work ?
> > >> >>
> > >> >> Thanks!
> > >> >>
> > >> >> Matt
> > >>
> > >> --
> > >> Manage your subscription for the Freeipa-users mailing list:
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >> Go to http://freeipa.org for more info on the project
> >

From yamakasi.014 at gmail.com Thu Aug 6 12:42:07 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 6 Aug 2015 14:42:07 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

OK, this sounds already quite logical, but I'm still referring to the old
howto we found earlier, does that one still apply somewhere or not at all ?
Thanks,

Matt

2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
> Hey guys,
>
> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>
> General idea:
>
> On FreeIPA (4.1)
> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> attribute, also known as SID)
> - regenerate each user password to build ipaNTHash attribute, not here by
> default on users
> - use your ldap browser to check ipaNTHash values are here on user objects
> - create a CIFS service for your samba server
> - Create user roles/permissions as described here:
> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> so that CIFS service will be able to read ipaNTsecurityidentifier and
> ipaNTHash attributes in LDAP (ACI)
> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp
> /usr/lib64/samba/pdb/ipasam.so
> root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile
> it.
>
> On SAMBA Server side (CentOS 7...)
> - Install server keytab file for CIFS
> - check ipasam.so is here.
> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> uid=admin ipaNTHash` thanks to kerberos
> - make your smb.conf following the linked thread and restart service
>
> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> ipasam may use quite recent functionalities, the best is to just try. You
> can read in previous thread : "If you insist on Ubuntu you need to get
> ipasam somewhere, most likely to compile it yourself".
>
> Make sure your user has ipaNTHash attribute :)
>
> You may want to debug authentication on samba server, I usually do this:
> `tail -f /var/log/samba/log* | grep
>
> Cheers
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-08-05 17:40 GMT+02:00 Matt . :
>>
>> Hi,
>>
>> This sounds great to me too, but a howto would help to make it more
>> clear about what you have done here. The thread confuses me a little
>> bit.
>>
>> Can you paste your commands so we can test out too and report back ?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>> > Hi Youenn
>> >
>> > Good news that you have got an integration working
>> >
>> > Now you have got it going, and the solution is fresh in your mind, how
>> > about adding a How-to page on this solution to the FreeIPA wiki?
>> >
>> > Chris
>> >
>> > From: Youenn PIOLET
>> > To: "Matt ."
>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>> > "freeipa-users at redhat.com"
>> > Date: 05.08.2015 14:51
>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >
>> > Hi guys,
>> >
>> > Thank you so much for your previous answers.
>> > I realised my SID were stored in ipaNTsecurityidentifier, thanks to
>> > ipa-adtrust-install --add-sids
>> >
>> > I found another way to configure smb here:
>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>> > It works perfectly.
>> >
>> > I'm using module ipasam.so I have manually scp to the samba server,
>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>> > Following the instructions, I created a user role allowing service
>> > principal to read ipaNTHash value from the LDAP.
>> > ipaNTHash are generated each time a user changes his password.
>> > Authentication works perfectly on Windows 7, 8 and 10.
>> >
>> > For more details, the previously linked thread is quite clear.
>> >
>> > Cheers
>> >
>> > --
>> > Youenn Piolet
>> > piolet.y at gmail.com
>> >
>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>> > Hi Chris.
>> >
>> > Yes, Apache Studio did that but I was not sure why it complained it
>> > was "already" there.
>> >
>> > I'm still getting:
>> >
>> > IPA Error 4205: ObjectclassViolation
>> >
>> > missing attribute "sambaGroupType" required by object class
>> > "sambaGroupMapping"
>> >
>> > When adding a user.
>> >
>> > I also see "class" as field name under my "Last name", this is not OK
>> > also.
>> >
>> > We sure need to make some howto, I think we can nail this down :)
>> >
>> > Thanks for the heads up!
>> >
>> > Matthijs
>> >
>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>> > > Hi Matt
>> > >
>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields
>> > > to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>> > > below:
>> > >
>> > > #!RESULT OK
>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>> > > #!DATE 2015-08-05T05:45:04.608
>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>> > > changetype: modify
>> > > add: ipaCustomFields
>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>> > >
>> > > After that I then have a visible attribute ipaCustomFields as
>> > > expected.
>> > >
>> > > When adding the attribute, the wizard offered me "ipaCustomFields"
>> > > as attribute type in a drop down list.
>> > >
>> > > Once we get this cracked, we really must write a how-to on the
>> > > FreeIPA Wiki.
>> > >
>> > > Chris
>> > >
>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>> > > To: "Matt ."
>> > > Cc: "freeipa-users at redhat.com"
>> > > Date: 05.08.2015 07:31
>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> > > Sent by: freeipa-users-bounces at redhat.com
>> > >
>> > > Hi Matt
>> > >
>> > > I also got the same result at that step, but can see nothing in
>> > > Apache Directory Studio.
>> > >
>> > > As I am using existing Samba / FreeIPA groups migrated across, they
>> > > probably were migrated with all the required attributes.
>> > >
>> > > Looking more closely at that LDIF: I wonder should it not be:
>> > >
>> > > ldapmodify -Y GSSAPI <<EOF
>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> > > changetype: modify
>> > > add: ipaCustomFields
>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> > > EOF
>> > >
>> > > i.e. changetype: modify, instead of changetype add ?
>> > >
>> > > I don't want to play around with my prod directory - I will setup an
>> > > EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to
>> > > play around more destructively.
>> > >
>> > > Chris
>> > >
>> > > From: "Matt ."
>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>> > > Date: 05.08.2015 01:01
>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> > >
>> > > Hi Chris,
>> > >
>> > > I'm at the right path, but my issue is that:
>> > >
>> > > ldapmodify -Y GSSAPI <<EOF
>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> > > changetype: add
>> > > add: ipaCustomFields
>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> > > EOF
>> > >
>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
>> > > it manually as an attribute it still fails when I add a user on this
>> > > sambagrouptype as it's needed by the other attributes
>> > >
>> > > So that is my issue I think so far.
>> > >
>> > > Any clue about that ?
>> > >
>> > > No problem "you don't know something or are no guru" we are all
>> > > learning! :)
>> > >
>> > > Cheers,
>> > >
>> > > Matt
>> > >
>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> > >> Hi Matt, Youenn
>> > >>
>> > >> Just to set the background properly, I did not invent this process.
>> > >> I know only a little about FreeIPA, and almost nothing about Samba,
>> > >> but I guess I was lucky enough to get the integration working on a
>> > >> Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x
>> > >> installation as a reference).
>> > >>
>> > >> It sounds like we need to step back, and look at the test user and
>> > >> group in the FreeIPA LDAP tree. I find using an LDAP browser makes
>> > >> this much easier.
>> > >>
>> > >> My FreeIPA / Samba Users have the following Samba extensions in
>> > >> FreeIPA (cn=accounts, cn=users):
>> > >>
>> > >> * objectClass: sambasamaccount
>> > >>
>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>> > >>
>> > >> My FreeIPA / Samba Groups have the following Samba extensions in
>> > >> FreeIPA (cn=accounts, cn=groups):
>> > >>
>> > >> * objectClass: sambaGroupMapping
>> > >>
>> > >> * Attributes: sambaGroupType, sambaSID
>> > >>
>> > >> The Users must belong to one or more of the samba groups that you
>> > >> have setup.
>> > >>
>> > >> If you don't have something similar to the above (which sounds like
>> > >> it is the case), then something went wrong applying the extensions.
>> > >> It would be worth testing comparing a new user / group created post
>> > >> adding the extensions to a previous existing user.
>> > >>
>> > >> i.e.
>> > >> are the extensions missing on existing users / groups?
>> > >> are the extensions missing on new users / groups?
>> > >>
>> > >> Cheers
>> > >>
>> > >> Chris
>> > >>
>> > >> From: Youenn PIOLET
>> > >> To: "Matt ."
>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>> > >> "freeipa-users at redhat.com"
>> > >> Date: 04.08.2015 18:56
>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> > >>
>> > >> Hi there,
>> > >>
>> > >> I have difficulties to follow you at this point :)
>> > >> Here is what I've done and what I've understood:
>> > >>
>> > >> ## SMB Side
>> > >> - Testparm OK
>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>> > >> - pdbedit -Lv output is all successful but I can see there is a
>> > >> filter : (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users
>> > >> don't have sambaSamAccount.
>> > >>
>> > >> ## LDAP / FreeIPA side
>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my
>> > >> FreeIPA server to get samba LDAP extensions.
>> > >> - I can see samba classes exist in LDAP but are not used on my
>> > >> group objects nor my user objects
>> > >> - I have added sambaSamAccount in FreeIPA default user classes,
>> > >> and sambaGroupMapping to default group classes. In that state I
>> > >> can't create user nor groups anymore, as new samba attributes are
>> > >> needed for instantiation.
>> > >> - I have added in etc ipaCustomFields: 'Samba Group
>> > >> Type,sambagrouptype,true' but I don't get what it does.
>> > >> - I tried to add the samba.js plugin. It works, and adds the
>> > >> "local" option when creating a group in FreeIPA, supposed to set
>> > >> sambagrouptype to 4 or 2 (domain). It doesn't work and tells that
>> > >> sambagrouptype attribute doesn't exist (but it should now I put
>> > >> sambaGroupType class by default...)
>> > >>
>> > >> ## Questions
>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix /
>> > >> posix instead? I guess no.
>> > >> 1) How to generate the user/group SIDs ? They are requested to add
>> > >> sambaSamAccount classes.
>> > >> This article doesn't seem relevant since we don't use domain
>> > >> controller
>> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>> > >> and netgetlocalsid returns an error.
>> > >> 2) How to fix samba.js plugin?
>> > >> 3) I guess an equivalent of samba.js is needed for user creation,
>> > >> where can I find it?
>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only
>> > >> Windows 7?
>> > >>
>> > >> Thanks a lot for your previous and future answers
>> > >>
>> > >> --
>> > >> Youenn Piolet
>> > >> piolet.y at gmail.com
>> > >>
>> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
>> > >> Hi,
>> > >>
>> > >> Yes, log is anonymised.
>> > >>
>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
>> > >> change its password it doesn't get it in ldap.
>> > >>
>> > >> There must be something going wrong I guess.
>> > >>
>> > >> Matt
>> > >>
>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>> > >> > Hi Matt
>> > >> >
>> > >> > I assume [username] is a real username, identical to that in
>> > >> > the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the
>> > >> > log extract).
>> > >> >
>> > >> > Your user should be a member of the appropriate samba groups
>> > >> > that you setup in FreeIPA.
>> > >> >
>> > >> > You should check that the user attribute SambaPwdLastSet is set
>> > >> > to a positive value (e.g. 1). If not you get an error in the Samba
>> > >> > logs - I would need to play around again with a test user to find
>> > >> > out the exact error.
>> > >> >
>> > >> > I don't understand what you mean about syncing the users local,
>> > >> > but we did not need to do anything like that.
>> > >> >
>> > >> > Chris
>> > >> >
>> > >> > From: "Matt ."
>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >> > >> > Cc: "freeipa-users at redhat.com" >> > >> > Date: 04.08.2015 15:33 >> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >> > against >> > >> IPA >> > >> > >> > >> > >> > >> > >> > >> > Hi Chris, >> > >> > >> > >> > A puppet run added another passdb backend, that was causing my >> > issue. >> > >> > >> > >> > What I still experience is: >> > >> > >> > >> > >> > >> > [2015/08/04 15:29:45.477783, 3] >> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) >> > >> > check_sam_security: Couldn't find user 'username' in passdb. >> > >> > [2015/08/04 15:29:45.478026, 2] >> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >> > >> > check_ntlm_password: Authentication for user [username] -> >> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >> > >> > >> > >> > >> > >> > I also wonder if I shall still sync the users local, or is it >> > > needed ? >> > >> > >> > >> > Thanks again, >> > >> > >> > >> > Matt >> > >> > >> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >> > >> christopher.lamb at ch.ibm.com>: >> > >> >> Hi Matt >> > >> >> >> > >> >> From our smb.conf file: >> > >> >> >> > >> >> [global] >> > >> >> security = user >> > >> >> passdb backend = >> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >> > >> >> ldap admin dn = cn=Directory Manager >> > >> >> >> > >> >> So yes, we use Directory Manager, it works for us. I have not >> > tried >> > >> with >> > >> > a >> > >> >> less powerful user, but it is conceivable that a lesser user >> > may >> > not >> > >> see >> > >> >> all the required attributes, resulting in "no such user" >> > errors. >> > >> >> >> > >> >> Chris >> > >> >> >> > >> >> >> > >> >> >> > >> >> >> > >> >> From: "Matt ." 
>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >> > >> >> Cc: "freeipa-users at redhat.com" >> > >> >> Date: 04.08.2015 13:32 >> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >> > against >> > >> IPA >> > >> >> >> > >> >> >> > >> >> >> > >> >> Hi Chris, >> > >> >> >> > >> >> Thanks for the heads up, indeed local is 4 I see now when I >> > add a >> > >> >> group from the GUI, great thanks! >> > >> >> >> > >> >> But do you use Directory Manager as ldap admin user or some >> > other >> > >> >> admin account ? >> > >> >> >> > >> >> I'm not sure id DM is needed and it should get that deep into >> > IPA. >> > >> >> Also when starting samba it cannot find "such user" as that >> > sounds >> > >> >> quite known as it has no UID. >> > >> >> >> > >> >> From your config I see you use DM, this should work ? >> > >> >> >> > >> >> Thanks! >> > >> >> >> > >> >> >> > >> >> Matt >> > >> >> >> > >> >> >> > >> > >> > >> > >> > >> > >> > >> > >> > >> >> > >> -- >> > >> Manage your subscription for the Freeipa-users mailing list: >> > >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > >> Go to http://freeipa.org for more info on the project >> > >> >> > >> >> > >> >> > > >> > > >> > > >> > > >> > > -- >> > > Manage your subscription for the Freeipa-users mailing list: >> > > https://www.redhat.com/mailman/listinfo/freeipa-users >> > > Go to http://freeipa.org for more info on the project >> > > >> > > >> > > >> > > >> > >> > -- >> > Manage your subscription for the Freeipa-users mailing list: >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> > Go to http://freeipa.org for more info on the project >> > >> > >> > > > From rcritten at redhat.com Thu Aug 6 19:49:28 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 06 Aug 2015 15:49:28 -0400 Subject: [Freeipa-users] FreeIPA Server install fails on configuration of client side components In-Reply-To: References: Message-ID: <55C3BA48.5000208@redhat.com> Christopher Lamb wrote: > > 
> Hi
>
> In order to better assist on another thread in this list, I installed
> FreeIPA Server in a throwaway VM.
>
> Unfortunately the FreeIPA Server Install repeatedly fails with:
>
> Configuration of client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--on-master' '--unattended' '--domain' 'my.silly.example.com' '--server'
> 'tst-ldap.my.silly.example.com' '--realm' 'MY.SILLY.EXAMPLE.COM'
> '--hostname' 'tst-ldap.my.silly.example.com'' returned non-zero exit status
> 1
> [root at tst-ldap etc]#
>
> This is on a newly setup OEL 7.1 VM, in a VirtualBox VM hosted on OSX
> 10.10.5.
>
> Googling shows similar errors on second install of FreeIPA Server. I get it
> on first install. (I rolled back the VM after every failed attempt).
>
> Some points that may or may not be relevant:
>
> 1) ipa --version
> VERSION: 4.1.0, API_VERSION: 2.112
>
> 2) Part way through the install I get "WARNING: Your system is running out
> of entropy, you may experience long delays"
>
> 2) I have a Fedora repository enabled
>
> 3) The domain I used "my.silly.example.com" is a "Mickey Mouse" domain, not
> resolvable to anything real via DNS, but is part of the fully qualified
> hostname of the vm.
>
> 4) The only obvious "ERROR" I can find is in the ipaclient-install.log
> ERROR Cannot connect to the server due to generic error: cannot connect to
> 'https://tst-ldap.my.silly.example.com/ipa/json': Internal Server Error

Looks like that is the cause of the install failure. You can find details
on that in /var/log/httpd/error_log. That is where I'd start looking.

rob

From lists at fahrendorf.de Thu Aug 6 14:22:28 2015
From: lists at fahrendorf.de (Martin (Lists))
Date: Thu, 06 Aug 2015 16:22:28 +0200
Subject: [Freeipa-users] thousands DSRetroclPlugin mesages
In-Reply-To: <5543D225.9090204@fahrendorf.de>
References: <553CA688.9040009@fahrendorf.de> <554213B0.5090604@redhat.com>
	<5543D225.9090204@fahrendorf.de>
Message-ID: <1464392.6qLjaVH2EB@kate.fahrendorf.de>

On Friday, 1 May 2015, 21:21:09 Martin wrote:
> Sorry, first post went to Ludwig only. Now to the list as well.
>
> On 30.04.2015 at 13:36 Ludwig Krispenz wrote:
> >>> indicating that trimming works.
> >>
> >> As it seems my trimming is broken, at least partially. Is there
> >> something I can adjust?
> >
> > no, it seems to be ok, IPA configures the "changelog maxage" as 2d, so
> > if changelog trimming runs, it removes changes older than two days, then
> > it "sleeps" for this time and then runs again, so the changes could pile
> > up to four days, then get trimmed and so on ...
> >
> >>> you said "thousands" of messages, how frequent are they really ?
> >>
> >> On every reboot I got these messages. I do not get them during normal
> >> operation.
> >
> > how frequently do you reboot ? maybe you only see the trimming after
> > startup
>
> I reboot with almost every kernel update for fedora 21 (so about every
> month).
>
> >> Something odd I observed after the last two reboots: ns-slapd runs my
> >> hard disk for several minutes (about 15 minutes) after the reboot. This
> >> is the time it takes to log all these change record messages.
>
> So my question remains: What does the ldap server do with all these
> data? Is it possible to run trimming manually before shutdown? Or can I
> do some other things to get these messages away?
>
> >> Kindly
> >> Martin

OK, next step. After two reboots without this showing up I had the thousand
changelog messages again. I am still wondering what I can do to reduce this.
kindly
Martin

From christopher.lamb at ch.ibm.com Thu Aug 6 15:32:16 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 6 Aug 2015 17:32:16 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

@Youenn. Thanks for the clarification. At least 3 Integration paths, so we
may end up with 3 Wiki how-tos:

@Matt I now have a throwaway VM with FreeIPA 4.1 Server installed, that I
can play around with over the next few days, but as this is "in my free
time, on the train on the way home" type activity, I don't know how fast I
will be.

From: Youenn PIOLET
To: "Matt ."
Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
Date: 06.08.2015 17:16
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,

There is no Active Directory in my solution, just freeipa adtrust
extensions - necessary to generate SIDs.

To me, there are 3 integration paths:
- ldapsam module without AD, using LDAP directly: you need samba extensions
  in FreeIPA's LDAP, that's what you tried to achieve in this thread.
- kerberos module with AD, this is the tutorial from the official
  documentation
  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
  but it won't work on Windows if you don't have domain because of NTLM
  problems
- ipasam module, the solution I used: half LDAP (to read NTHash/SID), half
  Kerberos (to bind samba to the LDAP).

In all solutions, extra schemas are needed for FreeIPA directory.
`ipa-adtrust-install` can install these extensions, or you can do it
manually. I prefer the IPA automatic way to LDIF's :)
ipa-adtrust-install also generates automatically SID and Password Hash
needed by CIFS when you add a user or a group in FreeIPA. No need to patch
interface to generate correct attributes.

What I also understood: ipa-adtrust-install doesn't use the good old samba
extensions (with things like sambaSID, sambaGroupType, sambaSamAccount, etc.)
but new ipaNTHash/ipaNTsecurityIdentifier values. This must be the reason
why ldapsam solution doesn't work directly after a ipa-adtrust-install. To
ask CIFS service to read them instead of the classic ones, we use ipasam.

@Matt . You're currently trying ldapsam solution. The problem is to make
FreeIPA interface able to work with samba "good old extensions". These
extensions contain the classes like "sambaSamAccount" or
"sambaGroupMapping". To make CIFS able to read groups from LDAP, groups
need to instantiate some samba classes (same for users). When you
instantiate the class sambaGroupMapping, the value sambaGroupType is
compulsory, but FreeIPA doesn't build the value correctly, even with the
group.js patch previously linked. I think some dev is needed to fix this if
you want to do it this way.

In my opinion, the 'ipasam' way is much easier, and seems to be the way
redhat/devs/freeipa want to support in the future.

Cheers,
--
Youenn Piolet
piolet.y at gmail.com

2015-08-06 16:19 GMT+02:00 Matt . :
Hi Chris,

OK, then we might create two different versions of the wiki, I think this
is nice.

I'm still figuring out why I get that:

IPA Error 4205: ObjectclassViolation
missing attribute "sambaGroupType" required by object class
"sambaGroupMapping"

Matt

2015-08-06 16:09 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> As far as I can make out, there are at least 2 viable Samba / FreeIPA
> integration paths.
>
> The route I took is suited where there is no Active Directory involved: In
> my case all the Windows, OSX and Linux clients are islands that sit on the
> same network.
>
> The route that Youenn has taken (unless I have got completely the wrong end
> of the stick) requires Active Directory in the architecture.
>
> Chris
>
>
> From: "Matt ."
> To: Youenn PIOLET
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>     "freeipa-users at redhat.com"
> Date: 06.08.2015 14:42
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi,
>
> OK, this sounds already quite logical, but I'm still referring to the
> old howto we found earlier, does that one still apply somewhere or not
> at all?
>
> Thanks,
>
> Matt
>
> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
> > Hey guys,
> >
> > I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
> >
> > General idea:
> >
> > On FreeIPA (4.1)
> > - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> >   attribute, also known as SID)
> > - regenerate each user password to build ipaNTHash attribute, not here by
> >   default on users
> > - use your ldap browser to check ipaNTHash values are here on user objects
> > - create a CIFS service for your samba server
> > - Create user roles/permissions as described here:
> >   http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> >   so that CIFS service will be able to read ipaNTsecurityidentifier and
> >   ipaNTHash attributes in LDAP (ACI)
> > - SCP ipasam.so module to your cifs server (this is the magic trick):
> >   scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
> >   You can also try to recompile it.
> >
> > On SAMBA Server side (CentOS 7...)
> > - Install server keytab file for CIFS
> > - check ipasam.so is here.
> > - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> >   uid=admin ipaNTHash` thanks to kerberos
> > - make your smb.conf following the linked thread and restart service
> >
> > I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> > ipasam may use quite recent functionalities, the best is to just try. You
> > can read in previous thread: "If you insist on Ubuntu you need to get
> > ipasam somewhere, most likely to compile it yourself".
> >
> > Make sure your user has ipaNTHash attribute :)
> >
> > You may want to debug authentication on samba server, I usually do this:
> > `tail -f /var/log/samba/log* | grep
> >
> > Cheers
> > --
> > Youenn Piolet
> > piolet.y at gmail.com
> >
> >
> > 2015-08-05 17:40 GMT+02:00 Matt . :
> > >
> > > Hi,
> > >
> > > This sounds great to me too, but a howto would help to make it more
> > > clear about what you have done here. The thread confuses me a little
> > > bit.
> > >
> > > Can you paste your commands so we can test out too and report back?
> > >
> > > Thanks!
> > >
> > > Matt
> > >
> > > 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
> > > > Hi Youenn
> > > >
> > > > Good news that you have got an integration working
> > > >
> > > > Now you have got it going, and the solution is fresh in your mind, how
> > > > about adding a How-to page on this solution to the FreeIPA wiki?
> > > >
> > > > Chris
> > > >
> > > >
> > > > From: Youenn PIOLET
> > > > To: "Matt ."
> > > > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> > > >     "freeipa-users at redhat.com"
> > > > Date: 05.08.2015 14:51
> > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > >
> > > > Hi guys,
> > > >
> > > > Thank you so much for your previous answers.
> > > > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
> > > > ipa-adtrust-install --add-sids
> > > >
> > > > I found another way to configure smb here:
> > > > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> > > > It works perfectly.
> > > >
> > > > I'm using module ipasam.so I have manually scp to the samba server,
> > > > Samba is set to use kerberos + ldapsam via this ipasam module.
> > > > Following the instructions, I created a user role allowing service
> > > > principal to read ipaNTHash value from the LDAP.
> > > > ipaNTHash are generated each time a user changes his password.
> > > > Authentication works perfectly on Windows 7, 8 and 10.
> > > >
> > > > For more details, the previously linked thread is quite clear.
> > > >
> > > > Cheers
> > > >
> > > > --
> > > > Youenn Piolet
> > > > piolet.y at gmail.com
> > > >
> > > >
> > > > 2015-08-05 11:10 GMT+02:00 Matt . :
> > > > Hi Chris.
> > > >
> > > > Yes, Apache Studio did that but I was not sure why it complained it
> > > > was "already" there.
> > > >
> > > > I'm still getting:
> > > >
> > > > IPA Error 4205: ObjectclassViolation
> > > >
> > > > missing attribute "sambaGroupType" required by object class
> > > > "sambaGroupMapping"
> > > >
> > > > When adding a user.
> > > >
> > > > I also see "class" as fieldname under my "Last name", this is not OK
> > > > also.
> > > >
> > > > We sure need to make some howto, I think we can nail this down :)
> > > >
> > > > Thanks for the heads up!
> > > >
> > > > Matthijs
> > > >
> > > > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
> > > > > Hi Matt
> > > > >
> > > > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
> > > > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
> > > > > below:
> > > > >
> > > > > #!RESULT OK
> > > > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> > > > > #!DATE 2015-08-05T05:45:04.608
> > > > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> > > > > changetype: modify
> > > > > add: ipaCustomFields
> > > > > ipaCustomFields: Samba Group Type,sambagrouptype,true
> > > > >
> > > > > After that I then have a visible attribute ipaCustomFields as
> > > > > expected.
> > > > >
> > > > > When adding the attribute, the wizard offered me "ipaCustomFields" as
> > > > > attribute type in a drop down list.
> > > > >
> > > > > Once we get this cracked, we really must write a how-to on the FreeIPA
> > > > > Wiki.
> > > > >
> > > > > Chris
> > > > >
> > > > >
> > > > > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > > > > To: "Matt ."
> > > > > Cc: "freeipa-users at redhat.com"
> > > > > Date: 05.08.2015 07:31
> > > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > > > Sent by: freeipa-users-bounces at redhat.com
> > > > >
> > > > > Hi Matt
> > > > >
> > > > > I also got the same result at that step, but can see nothing in Apache
> > > > > Directory Studio.
> > > > >
> > > > > As I am using existing Samba / FreeIPA groups migrated across, they
> > > > > probably were migrated with all the required attributes.
> > > > >
> > > > > Looking more closely at that LDIF: I wonder should it not be:
> > > > >
> > > > > ldapmodify -Y GSSAPI <<EOF
> > > > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > > > > changetype: modify
> > > > > add: ipaCustomFields
> > > > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > > > > EOF
> > > > >
> > > > > i.e. changetype: modify, instead of changetype add?
> > > > >
> > > > > I don't want to play around with my prod directory - I will setup an EL
> > > > > 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
> > > > > around more destructively.
> > > > >
> > > > > Chris
> > > > >
> > > > >
> > > > > From: "Matt ."
> > > > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > > > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> > > > > Date: 05.08.2015 01:01
> > > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > > >
> > > > > Hi Chris,
> > > > >
> > > > > I'm at the right path, but my issue is that:
> > > > >
> > > > > ldapmodify -Y GSSAPI <<EOF
> > > > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > > > > changetype: add
> > > > > add: ipaCustomFields
> > > > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > > > > EOF
> > > > >
> > > > > Does say it exists, my ldap explorer doesn't show it, and when I add
> > > > > it manually as an attribute it still fails when I add a user on this
> > > > > sambagrouptype as it's needed by the other attributes
> > > > >
> > > > > So that is my issue I think so far.
> > > > >
> > > > > Any clue about that?
> > > > >
> > > > > No problem "you don't know something or are no guru" we are all
> > > > > learning! :)
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Matt
> > > > >
> > > > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> > > > > > Hi Matt, Youenn
> > > > > >
> > > > > > Just to set the background properly, I did not invent this process. I
> > > > > > know only a little about FreeIPA, and almost nothing about Samba, but I
> > > > > > guess I was lucky enough to get the integration working on a Sunday
> > > > > > afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as
> > > > > > a reference).
> > > > > >
> > > > > > It sounds like we need to step back, and look at the test user and
> > > > > > group in the FreeIPA LDAP tree. I find using an LDAP browser makes this
> > > > > > much easier.
> > > > > >
> > > > > > My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
> > > > > > (cn=accounts, cn=users):
> > > > > >
> > > > > > * objectClass: sambasamaccount
> > > > > >
> > > > > > * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
> > > > > >
> > > > > > My FreeIPA / Samba Groups have the following Samba extensions in
> > > > > > FreeIPA (cn=accounts, cn=groups):
> > > > > >
> > > > > > * objectClass: sambaGroupMapping
> > > > > >
> > > > > > * Attributes: sambaGroupType, sambaSID
> > > > > >
> > > > > > The Users must belong to one or more of the samba groups that you have
> > > > > > setup.
> > > > > >
> > > > > > If you don't have something similar to the above (which sounds like it
> > > > > > is the case), then something went wrong applying the extensions. It
> > > > > > would be worth testing comparing a new user / group created post adding
> > > > > > the extensions to a previous existing user.
> > > > > >
> > > > > > i.e.
> > > > > > are the extensions missing on existing users / groups?
> > > > > > are the extensions missing on new users / groups?
> > > > > >
> > > > > > Cheers
> > > > > >
> > > > > > Chris

From david.dejaeghere at gmail.com Thu Aug 6 22:10:31 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Fri, 7 Aug 2015 00:10:31 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <553885CB.3090505@redhat.com>
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com>
	<5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com>
	<552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com>
	<552DF829.4060209@redhat.com> <55310A2A.9060701@redhat.com>
	<553885CB.3090505@redhat.com>
Message-ID:

Hello Guys,

I was able to resolve this today. My webserver and dirsrv certificate were
expired yesterday and trying to replace them gave me the same error
"ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure."
So I tried some things to resolve this.
The trick was to replace /etc/ipa/ca.crt with the godaddy file "gdig2" which
only has 1 certificate. This file you can get while downloading your
certificate from godaddy. Then I had to add the bundle from godaddy, file
gd_bundle-g2-g1 into my server cert. This made both the command
ipa-server-certinstall and ipa-replica-prepare finish as expected!

Hope this helps. I saw somebody else with a very similar issue.

Kind Regards,

D

2015-04-23 7:40 GMT+02:00 Jan Cholasta :
> Hi,
>
> yes, you can definitely use a different certificate in the meantime,
> although it can't be self-signed.
>
> Honza
>
> On 20.4.2015 at 14:17 David Dejaeghere wrote:
> > Hi,
> >
> > Let me know how I can assist.
> > In the meantime could I setup a replica using a different certificate?
> > Self signed or anything like that?
> >
> > Regards,
> >
> > D
> >
> > 2015-04-17 15:27 GMT+02:00 Jan Cholasta :
> > > Hi,
> > >
> > > I don't have any new information. I'm trying to reproduce the
> > > problem but had no luck so far.
> > >
> > > Honza
> > >
> > > On 17.4.2015 at 15:23 David Dejaeghere wrote:
> > > > Hi,
> > > >
> > > > Any more things I can try out? How do we proceed?
> > > >
> > > > Kind Regards,
> > > >
> > > > D
> > > >
> > > > 2015-04-15 11:48 GMT+02:00 David Dejaeghere :
> > > > > Hi Honza,
> > > > >
> > > > > That gave me the exact same output. Any ideas?
> > > > >
> > > > > Regards,
> > > > >
> > > > > D
> > > > >
> > > > > 2015-04-15 7:33 GMT+02:00 Jan Cholasta :
> > > > > > Hi,
> > > > > >
> > > > > > On 14.4.2015 at 19:47 Rob Crittenden wrote:
> > > > > > > David Dejaeghere wrote:
> > > > > > > > Hi Rob,
> > > > > > > >
> > > > > > > > So you want the output of the command using pk12 with server cert
> > > > > > > > and key? or with the ca chain in there too?
> > > > > > >
> > > > > > > Oddly enough it is failing in exactly the same place. Those GoDaddy
> > > > > > > CA certs are still being loaded from somewhere, I'm not sure where,
> > > > > > > and I suspect that is the source of the problem.
> > > > > >
> > > > > > They are in the default CA certificate bundle (in the ca-certificate
> > > > > > package). I guess NSS loads it automatically.
>>
>> I'm going to forward the log to a colleague who has worked on this code
>> more recently than I have. Maybe he will have an idea.
>>
>> Could you try if the following works?
>>
>> # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
>> # update-ca-trust
>> # ipa-replica-prepare ...
>> # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>> # update-ca-trust
>>
>> rob
>>
>> Honza
>>
>> --
>> Jan Cholasta
>
> --
> Jan Cholasta

From piolet.y at gmail.com Thu Aug 6 15:15:15 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Thu, 6 Aug 2015 17:15:15 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

There is no Active Directory in my solution, just freeipa adtrust extensions - necessary to generate SIDs.

To me, there are 3 integration paths:

- ldapsam module without AD, using LDAP directly: you need samba extensions in FreeIPA's LDAP, that's what you tried to achieve in this thread.
- kerberos module with AD, this is the tutorial from the official documentation https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA but it won't work on Windows if you don't have a domain because of NTLM problems
- ipasam module, the solution I used: half LDAP (to read NTHash/SID), half Kerberos (to bind samba to the LDAP).

In all solutions, extra schemas are needed for the FreeIPA directory. `ipa-adtrust-install` can install these extensions, or you can do it manually. I prefer the IPA automatic way to LDIFs :)

ipa-adtrust-install also generates automatically the SID and password hash needed by CIFS when you add a user or a group in FreeIPA. No need to patch the interface to generate correct attributes.
What I also understood: ipa-adtrust-install doesn't use the good old samba extensions (with things like sambaSID, sambaGroupType, sambaSamAccount, etc.) but new ipaNTHash/ipaNTsecurityIdentifier values. This must be the reason why the ldapsam solution doesn't work directly after an ipa-adtrust-install. To ask the CIFS service to read them instead of the classic ones, we use ipasam.

@Matt . You're currently trying the ldapsam solution. The problem is to make the FreeIPA interface able to work with samba "good old extensions". These extensions contain the classes like "sambaSamAccount" or "sambaGroupMapping". To make CIFS able to read groups from LDAP, groups need to instantiate some samba classes (same for users). When you instantiate the class sambaGroupMapping, the value sambaGroupType is compulsory, but FreeIPA doesn't build the value correctly, even with the group.js patch previously linked. I think some dev is needed to fix this if you want to do it this way.

In my opinion, the 'ipasam' way is much easier, and seems to be the way redhat/devs/freeipa want to support in the future.

Cheers,
--
Youenn Piolet
piolet.y at gmail.com

2015-08-06 16:19 GMT+02:00 Matt . :
> Hi Chris,
>
> OK, then we might create two different versions of the wiki, I think
> this is nice.
>
> I'm still figuring out why I get that:
>
> IPA Error 4205: ObjectclassViolation
>
> missing attribute "sambaGroupType" required by object class
> "sambaGroupMapping"
>
> Matt
>
> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
> > Hi Matt
> >
> > As far as I can make out, there are at least 2 viable Samba / FreeIPA
> > integration paths.
> >
> > The route I took is suited where there is no Active Directory involved: In
> > my case all the Windows, OSX and Linux clients are islands that sit on the
> > same network.
> >
> > The route that Youenn has taken (unless I have got completely the wrong end
> > of the stick) requires Active Directory in the architecture.
> >
> > Chris
> >
> > From: "Matt ."
> > To: Youenn PIOLET
> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> > "freeipa-users at redhat.com"
> > Date: 06.08.2015 14:42
> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >
> > Hi,
> >
> > OK, this sounds already quite logical, but I'm still referring to the
> > old howto we found earlier, does that one still apply somewhere or not
> > at all ?
> >
> > Thanks,
> >
> > Matt
> >
> > 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
> >> Hey guys,
> >>
> >> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
> >>
> >> General idea:
> >>
> >> On FreeIPA (4.1)
> >> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> >> attribute, also known as SID)
> >> - regenerate each user password to build ipaNTHash attribute, not here by
> >> default on users
> >> - use your ldap browser to check ipaNTHash values are here on user objects
> >> - create a CIFS service for your samba server
> >> - Create user roles/permissions as described here:
> >> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> >> so that CIFS service will be able to read ipaNTsecurityidentifier and
> >> ipaNTHash attributes in LDAP (ACI)
> >> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp
> >> /usr/lib64/samba/pdb/ipasam.so
> >> root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile
> >> it.
> >>
> >> On SAMBA Server side (CentOS 7...)
> >> - Install server keytab file for CIFS
> >> - check ipasam.so is here.
> >> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> >> uid=admin ipaNTHash` thanks to kerberos
> >> - make your smb.conf following the linked thread and restart service
> >>
> >> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> >> ipasam may use quite recent functionalities, the best is to just try.
> >> You can read in previous thread : "If you insist on Ubuntu you need to get
> >> ipasam somewhere, most likely to compile it yourself".
> >>
> >> Make sure your user has ipaNTHash attribute :)
> >>
> >> You may want to debug authentication on samba server, I usually do this:
> >> `tail -f /var/log/samba/log* | grep
> >>
> >> Cheers
> >> --
> >> Youenn Piolet
> >> piolet.y at gmail.com
> >>
> >> 2015-08-05 17:40 GMT+02:00 Matt . :
> >>> Hi,
> >>>
> >>> This sounds great to me too, but a howto would help to make it more
> >>> clear about what you have done here. The thread confuses me a little
> >>> bit.
> >>>
> >>> Can you paste your commands so we can test out too and report back ?
> >>>
> >>> Thanks!
> >>>
> >>> Matt
> >>>
> >>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
> >>> > Hi Youenn
> >>> >
> >>> > Good news that you have got an integration working
> >>> >
> >>> > Now you have got it going, and the solution is fresh in your mind, how
> >>> > about adding a How-to page on this solution to the FreeIPA wiki?
> >>> >
> >>> > Chris
> >>> >
> >>> > From: Youenn PIOLET
> >>> > To: "Matt ."
> >>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> >>> > "freeipa-users at redhat.com"
> >>> > Date: 05.08.2015 14:51
> >>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>> >
> >>> > Hi guys,
> >>> >
> >>> > Thank you so much for your previous answers.
> >>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
> >>> > ipa-adtrust-install --add-sids
> >>> >
> >>> > I found another way to configure smb here:
> >>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> >>> > It works perfectly.
> >>> >
> >>> > I'm using module ipasam.so which I have manually scp'd to the samba server,
> >>> > Samba is set to use kerberos + ldapsam via this ipasam module.
> >>> > Following the instructions, I created a user role allowing the service
> >>> > principal to read ipaNTHash value from the LDAP.
> >>> > ipaNTHash are generated each time a user changes his password.
> >>> > Authentication works perfectly on Windows 7, 8 and 10.
> >>> >
> >>> > For more details, the previously linked thread is quite clear.
> >>> >
> >>> > Cheers
> >>> >
> >>> > --
> >>> > Youenn Piolet
> >>> > piolet.y at gmail.com
> >>> >
> >>> > 2015-08-05 11:10 GMT+02:00 Matt . :
> >>> > Hi Chris.
> >>> >
> >>> > Yes, Apache Studio did that but I was not sure why it complained it
> >>> > was "already" there.
> >>> >
> >>> > I'm still getting:
> >>> >
> >>> > IPA Error 4205: ObjectclassViolation
> >>> >
> >>> > missing attribute "sambaGroupType" required by object class
> >>> > "sambaGroupMapping"
> >>> >
> >>> > When adding a user.
> >>> >
> >>> > I also see "class" as field name under my "Last name", this is not OK
> >>> > also.
> >>> >
> >>> > We sure need to make some howto, I think we can nail this down :)
> >>> >
> >>> > Thanks for the heads up!
> >>> >
> >>> > Matthijs
> >>> >
> >>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
> >>> > > Hi Matt
> >>> > >
> >>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
> >>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
> >>> > >
> >>> > > #!RESULT OK
> >>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> >>> > > #!DATE 2015-08-05T05:45:04.608
> >>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> >>> > > changetype: modify
> >>> > > add: ipaCustomFields
> >>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
> >>> > >
> >>> > > After that I then have a visible attribute ipaCustomFields as expected.
> >>> > >
> >>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
> >>> > > attribute type in a drop down list.
> >>> > >
> >>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
> >>> > > Wiki.
> >>> > >
> >>> > > Chris
> >>> > >
> >>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
> >>> > > To: "Matt ."
> >>> > > Cc: "freeipa-users at redhat.com"
> >>> > > Date: 05.08.2015 07:31
> >>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>> > > Sent by: freeipa-users-bounces at redhat.com
> >>> > >
> >>> > > Hi Matt
> >>> > >
> >>> > > I also got the same result at that step, but can see nothing in Apache
> >>> > > Directory Studio.
> >>> > >
> >>> > > As I am using existing Samba / FreeIPA groups migrated across, they
> >>> > > probably were migrated with all the required attributes.
> >>> > >
> >>> > > Looking more closely at that LDIF: I wonder should it not be:
> >>> > >
> >>> > > ldapmodify -Y GSSAPI <<EOF
> >>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> >>> > > changetype: modify
> >>> > > add: ipaCustomFields
> >>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> >>> > > EOF
> >>> > >
> >>> > > i.e. changetype: modify, instead of changetype add ?
> >>> > >
> >>> > > I don't want to play around with my prod directory - I will setup an EL 7.1
> >>> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
> >>> > > more destructively.
> >>> > >
> >>> > > Chris
> >>> > >
> >>> > > From: "Matt ."
> >>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> >>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> >>> > > Date: 05.08.2015 01:01
> >>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>> > >
> >>> > > Hi Chris,
> >>> > >
> >>> > > I'm at the right path, but my issue is that:
> >>> > >
> >>> > > ldapmodify -Y GSSAPI <<EOF
> >>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> >>> > > changetype: add
> >>> > > add: ipaCustomFields
> >>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> >>> > > EOF
> >>> > >
> >>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
> >>> > > it manually as an attribute it still fails when I add a user on this
> >>> > > sambagrouptype as it's needed by the other attributes
> >>> > >
> >>> > > So that is my issue I think so far.
> >>> > >
> >>> > > Any clue about that ?
> >>> > >
> >>> > > No problem "you don't know something or are no guru" we are all
> >>> > > learning! :)
> >>> > >
> >>> > > Cheers,
> >>> > >
> >>> > > Matt
> >>> > >
> >>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> >>> > >> Hi Matt, Youenn
> >>> > >>
> >>> > >> Just to set the background properly, I did not invent this process. I know
> >>> > >> only a little about FreeIPA, and almost nothing about Samba, but I guess I
> >>> > >> was lucky enough to get the integration working on a Sunday afternoon. (I
> >>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
> >>> > >>
> >>> > >> It sounds like we need to step back, and look at the test user and group in
> >>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
> >>> > >> > >>> > >> My FreeIPA / Samba Users have the following Samba extensions in > >>> > FreeIPA > >>> > >> (cn=accounts, cn=users): > >>> > >> > >>> > >> * objectClass: sambasamaccount > >>> > >> > >>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet > >>> > >> > >>> > >> My FreeIPA / Samba Groups have the following Samba extensions in > >>> > FreeIPA > >>> > >> (cn=accounts, cn=groups): > >>> > >> > >>> > >> * objectClass: sambaGroupMapping > >>> > >> > >>> > >> * Attributes: sambaGroupType, sambaSID > >>> > >> > >>> > >> The Users must belong to one or more of the samba groups that > you > >>> > have > >>> > >> setup. > >>> > >> > >>> > >> If you don't have something similar to the above (which sounds > > like > >>> > it > >>> > is > >>> > >> the case), then something went wrong applying the extensions. It > >>> > would > >>> > be > >>> > >> worth testing comparing a new user / group created post adding > > the > >>> > >> extensions to a previous existing user. > >>> > >> > >>> > >> i.e. > >>> > >> are the extensions missing on existing users / groups? > >>> > >> are the extensions missing on new users / groups? > >>> > >> > >>> > >> Cheers > >>> > >> > >>> > >> Chris > >>> > >> > >>> > >> > >>> > >> > >>> > >> > >>> > >> > >>> > >> From: Youenn PIOLET > >>> > >> To: "Matt ." > >>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, > >>> > >> "freeipa-users at redhat.com" < > freeipa-users at redhat.com> > >>> > >> Date: 04.08.2015 18:56 > >>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > >>> > against > >>> > IPA > >>> > >> > >>> > >> > >>> > >> > >>> > >> Hi there, > >>> > >> > >>> > >> I have difficulties to follow you at this point :) > >>> > >> Here is what I've done and what I've understood: > >>> > >> > >>> > >> ## SMB Side > >>> > >> - Testparm OK > >>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to > connect. 
> >>> > >> - pdbedit -Lv output is all successful but I can see there is a filter :
> >>> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
> >>> > >> sambaSamAccount.
> >>> > >>
> >>> > >> ## LDAP / FreeIPA side
> >>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
> >>> > >> server to get samba LDAP extensions.
> >>> > >> - I can see samba classes exist in LDAP but are not used on my group
> >>> > >> objects nor my user objects
> >>> > >> - I have added sambaSamAccount in FreeIPA default user classes,
> >>> > >> and sambaGroupMapping to default group classes. In that state I can't
> >>> > >> create user nor groups anymore, as new samba attributes are needed for
> >>> > >> instantiation.
> >>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> >>> > >> but I don't get what it does.
> >>> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option
> >>> > >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
> >>> > >> (domain). It doesn't work and tells that sambagrouptype attribute doesn't
> >>> > >> exist (but it should now I put sambaGroupType class by default...)
> >>> > >>
> >>> > >> ## Questions
> >>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> >>> > >> instead? I guess no.
> >>> > >> 1) How to generate the user/group SIDs ? They are requested to add
> >>> > >> sambaSamAccount classes.
> >>> > >> This article doesn't seem relevant since we don't use domain controller
> >>> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> >>> > >> and net getlocalsid returns an error.
> >>> > >> 2) How to fix samba.js plugin?
> >>> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can
> >>> > >> I find it?
> >>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
> >>> > >> 7?
> >>> > >>
> >>> > >> Thanks a lot for your previous and future answers
> >>> > >>
> >>> > >> --
> >>> > >> Youenn Piolet
> >>> > >> piolet.y at gmail.com
> >>> > >>
> >>> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
> >>> > >> Hi,
> >>> > >>
> >>> > >> Yes, log is anonymised.
> >>> > >>
> >>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
> >>> > >> change its password it doesn't get it in ldap.
> >>> > >>
> >>> > >> There must be something going wrong I guess.
> >>> > >>
> >>> > >> Matt
> >>> > >>
> >>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
> >>> > >> > Hi Matt
> >>> > >> >
> >>> > >> > I assume [username] is a real username, identical to that in the FreeIPA
> >>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
> >>> > >> >
> >>> > >> > Your user should be a member of the appropriate samba groups that you setup
> >>> > >> > in FreeIPA.
> >>> > >> >
> >>> > >> > You should check that the user attribute SambaPwdLastSet is set to a
> >>> > >> > positive value (e.g. 1). If not you get an error in the Samba logs - I
> >>> > >> > would need to play around again with a test user to find out the exact
> >>> > >> > error.
> >>> > >> >
> >>> > >> > I don't understand what you mean about syncing the users local, but we did
> >>> > >> > not need to do anything like that.
> >>> > >> >
> >>> > >> > Chris
> >>> > >> >
> >>> > >> > From: "Matt ."
> >>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH > >>> > >> > Cc: "freeipa-users at redhat.com" < > freeipa-users at redhat.com> > >>> > >> > Date: 04.08.2015 15:33 > >>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > >>> > against > >>> > >> IPA > >>> > >> > > >>> > >> > > >>> > >> > > >>> > >> > Hi Chris, > >>> > >> > > >>> > >> > A puppet run added another passdb backend, that was causing > > my > >>> > issue. > >>> > >> > > >>> > >> > What I still experience is: > >>> > >> > > >>> > >> > > >>> > >> > [2015/08/04 15:29:45.477783, 3] > >>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) > >>> > >> > check_sam_security: Couldn't find user 'username' in > > passdb. > >>> > >> > [2015/08/04 15:29:45.478026, 2] > >>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) > >>> > >> > check_ntlm_password: Authentication for user [username] > -> > >>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER > >>> > >> > > >>> > >> > > >>> > >> > I also wonder if I shall still sync the users local, or is > it > >>> > > needed ? > >>> > >> > > >>> > >> > Thanks again, > >>> > >> > > >>> > >> > Matt > >>> > >> > > >>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < > >>> > >> christopher.lamb at ch.ibm.com>: > >>> > >> >> Hi Matt > >>> > >> >> > >>> > >> >> From our smb.conf file: > >>> > >> >> > >>> > >> >> [global] > >>> > >> >> security = user > >>> > >> >> passdb backend = > >>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com > >>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com > >>> > >> >> ldap admin dn = cn=Directory Manager > >>> > >> >> > >>> > >> >> So yes, we use Directory Manager, it works for us. I have > > not > >>> > tried > >>> > >> with > >>> > >> > a > >>> > >> >> less powerful user, but it is conceivable that a lesser > user > >>> > may > >>> > not > >>> > >> see > >>> > >> >> all the required attributes, resulting in "no such user" > >>> > errors. 
> >>> > >> >>
> >>> > >> >> Chris
> >>> > >> >>
> >>> > >> >> From: "Matt ."
> >>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
> >>> > >> >> Cc: "freeipa-users at redhat.com"
> >>> > >> >> Date: 04.08.2015 13:32
> >>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>> > >> >>
> >>> > >> >> Hi Chris,
> >>> > >> >>
> >>> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a
> >>> > >> >> group from the GUI, great thanks!
> >>> > >> >>
> >>> > >> >> But do you use Directory Manager as ldap admin user or some other
> >>> > >> >> admin account ?
> >>> > >> >>
> >>> > >> >> I'm not sure if DM is needed and it should get that deep into IPA.
> >>> > >> >> Also when starting samba it cannot find "such user" as that sounds
> >>> > >> >> quite known as it has no UID.
> >>> > >> >>
> >>> > >> >> From your config I see you use DM, this should work ?
> >>> > >> >>
> >>> > >> >> Thanks!
> >>> > >> >>
> >>> > >> >> Matt

From christopher.lamb at ch.ibm.com Thu Aug 6 14:09:07 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 6 Aug 2015 16:09:07 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.

The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.

The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.

Chris

From: "Matt ."
To: Youenn PIOLET
Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
Date: 06.08.2015 14:42
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,

OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all ?

Thanks,

Matt

2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
> Hey guys,
>
> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>
> General idea:
>
> On FreeIPA (4.1)
> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> attribute, also known as SID)
> - regenerate each user password to build ipaNTHash attribute, not here by
> default on users
> - use your ldap browser to check ipaNTHash values are here on user objects
> - create a CIFS service for your samba server
> - Create user roles/permissions as described here:
> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> so that CIFS service will be able to read ipaNTsecurityidentifier and
> ipaNTHash attributes in LDAP (ACI)
> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp
> /usr/lib64/samba/pdb/ipasam.so
> root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile
> it.
>
> On SAMBA Server side (CentOS 7...)
> - Install server keytab file for CIFS
> - check ipasam.so is here.
> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> uid=admin ipaNTHash` thanks to kerberos
> - make your smb.conf following the linked thread and restart service
>
> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> ipasam may use quite recent functionalities, the best is to just try. You
> can read in previous thread : "If you insist on Ubuntu you need to get
> ipasam somewhere, most likely to compile it yourself".
>
> Make sure your user has ipaNTHash attribute :)
>
> You may want to debug authentication on samba server, I usually do this:
> `tail -f /var/log/samba/log* | grep
>
> Cheers
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-08-05 17:40 GMT+02:00 Matt . :
>> Hi,
>>
>> This sounds great to me too, but a howto would help to make it more
>> clear about what you have done here. The thread confuses me a little
>> bit.
>>
>> Can you paste your commands so we can test out too and report back ?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>> > Hi Youenn
>> >
>> > Good news that you have got an integration working
>> >
>> > Now you have got it going, and the solution is fresh in your mind, how
>> > about adding a How-to page on this solution to the FreeIPA wiki?
>> >
>> > Chris
>> >
>> > From: Youenn PIOLET
>> > To: "Matt ."
>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>> > "freeipa-users at redhat.com"
>> > Date: 05.08.2015 14:51
>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> >
>> > Hi guys,
>> >
>> > Thank you so much for your previous answers.
>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
>> > ipa-adtrust-install --add-sids
>> >
>> > I found another way to configure smb here:
>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>> > It works perfectly.
>> >
>> > I'm using module ipasam.so which I have manually scp'd to the samba server,
>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>> > Following the instructions, I created a user role allowing the service
>> > principal to read ipaNTHash value from the LDAP.
>> > ipaNTHash are generated each time a user changes his password.
>> > Authentication works perfectly on Windows 7, 8 and 10.
>> >
>> > For more details, the previously linked thread is quite clear.
>> >
>> > Cheers
>> >
>> > --
>> > Youenn Piolet
>> > piolet.y at gmail.com
>> >
>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>> > Hi Chris.
>> >
>> > Yes, Apache Studio did that but I was not sure why it complained it
>> > was "already" there.
>> >
>> > I'm still getting:
>> >
>> > IPA Error 4205: ObjectclassViolation
>> >
>> > missing attribute "sambaGroupType" required by object class
>> > "sambaGroupMapping"
>> >
>> > When adding a user.
>> >
>> > I also see "class" as field name under my "Last name", this is not OK
>> > also.
>> >
>> > We sure need to make some howto, I think we can nail this down :)
>> >
>> > Thanks for the heads up!
>> >
>> > Matthijs
>> >
>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>> > > Hi Matt
>> > >
>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>> > > below:
>> > >
>> > > #!RESULT OK
>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>> > > #!DATE 2015-08-05T05:45:04.608
>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>> > > changetype: modify
>> > > add: ipaCustomFields
>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>> > >
>> > > After that I then have a visible attribute ipaCustomFields as expected.
>> > >
>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
>> > > attribute type in a drop down list.
>> > >
>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
>> > > Wiki.
>> > >
>> > > Chris
>> > >
>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>> > > To: "Matt ."
>> > > Cc: "freeipa-users at redhat.com"
>> > > Date: 05.08.2015 07:31
>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> > > Sent by: freeipa-users-bounces at redhat.com
>> > >
>> > > Hi Matt
>> > >
>> > > I also got the same result at that step, but can see nothing in Apache
>> > > Directory Studio.
>> > >
>> > > As I am using existing Samba / FreeIPA groups migrated across, they
>> > > probably were migrated with all the required attributes.
>> > >
>> > > Looking more closely at that LDIF: I wonder should it not be:
>> > >
>> > > ldapmodify -Y GSSAPI <<EOF
>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> > > changetype: modify
>> > > add: ipaCustomFields
>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> > > EOF
>> > >
>> > > i.e. changetype: modify, instead of changetype add ?
>> > >
>> > > I don't want to play around with my prod directory - I will setup an EL 7.1
>> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
>> > > more destructively.
>> > >
>> > > Chris
>> > >
>> > > From: "Matt ."
>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>> > > Date: 05.08.2015 01:01
>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> > >
>> > > Hi Chris,
>> > >
>> > > I'm at the right path, but my issue is that:
>> > >
>> > > ldapmodify -Y GSSAPI <<EOF
>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> > > changetype: add
>> > > add: ipaCustomFields
>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> > > EOF
>> > >
>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
>> > > it manually as an attribute it still fails when I add a user on this
>> > > sambagrouptype as it's needed by the other attributes
>> > >
>> > > So that is my issue I think so far.
>> > >
>> > > Any clue about that ?
>> > >
>> > > No problem "you don't know something or are no guru" we are all
>> > > learning! :)
>> > >
>> > > Cheers,
>> > >
>> > > Matt
>> > >
>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> > >> Hi Matt, Youenn
>> > >>
>> > >> Just to set the background properly, I did not invent this process. I know
>> > >> only a little about FreeIPA, and almost nothing about Samba, but I guess I
>> > >> was lucky enough to get the integration working on a Sunday afternoon. (I
>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>> > >>
>> > >> It sounds like we need to step back, and look at the test user and group in
>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>> > >>
>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
>> > >> (cn=accounts, cn=users):
>> > >>
>> > >> * objectClass: sambasamaccount
>> > >>
>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>> > >>
>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
>> > >> (cn=accounts, cn=groups):
>> > >>
>> > >> * objectClass: sambaGroupMapping
>> > >>
>> > >> * Attributes: sambaGroupType, sambaSID
>> > >>
>> > >> The Users must belong to one or more of the samba groups that you have
>> > >> setup.
>> > >>
>> > >> If you don't have something similar to the above (which sounds like it is
>> > >> the case), then something went wrong applying the extensions. It would be
>> > >> worth testing comparing a new user / group created post adding the
>> > >> extensions to a previous existing user.
>> > >>
>> > >> i.e.
>> > >> are the extensions missing on existing users / groups?
>> > >> are the extensions missing on new users / groups?
>> > >> >> > >> Cheers >> > >> >> > >> Chris >> > >> >> > >> >> > >> >> > >> >> > >> >> > >> From: Youenn PIOLET >> > >> To: "Matt ." >> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >> > >> "freeipa-users at redhat.com" >> > >> Date: 04.08.2015 18:56 >> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >> > against >> > IPA >> > >> >> > >> >> > >> >> > >> Hi there, >> > >> >> > >> I have difficulties to follow you at this point :) >> > >> Here is what I've done and what I've understood: >> > >> >> > >> ## SMB Side >> > >> - Testparm OK >> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect. >> > >> - pdbedit -Lv output is all successfull but I can see there is a >> > filter : >> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't >> > have >> > >> sambaSamAccount. >> > >> >> > >> ## LDAP / FreeIPA side >> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my >> > FreeIPA >> > >> server to get samba LDAP extensions. >> > >> - I can see samba classes exist in LDAP but are not used on my >> > group >> > >> objects nor my user objects >> > >> - I have add sambaSamAccount in FreeIPA default user classes, >> > >> and sambaGroupMapping to default group classes. In that state I >> > can't >> > >> create user nor groups anymore, as new samba attributes are needed >> > for >> > >> instantiation. >> > >> - I have add in etc ipaCustomFields: 'Samba Group >> > > Type,sambagrouptype,true' >> > >> but I don't get what it does. >> > >> - I tried to add the samba.js plugin. It works, and adds the >> > "local" >> > > option >> > >> when creating a group in FreeIPA, supposed to set sambagrouptype to >> > 4 >> > or >> > > 2 >> > >> (domain). It doesn't work and tells that sambagrouptype attribute >> > doesn't >> > >> exist (but it should now I put sambaGroupType class by default...) >> > >> >> > >> ## Questions >> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / >> > posix >> > >> instead? I guess no. 
>> > >> 1) How to generate the user/group SIDs ? They are requested to add >> > >> sambaSamAccount classes. >> > >> This article doesn't seem relevant since we don't use domain >> > controller >> > >> >> > > >> > >> > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >> > >> > >> and netgetlocalsid returns an error. >> > >> 2) How to fix samba.js plugin? >> > >> 3) I guess an equivalent of samba.js is needed for user creation, >> > where >> > > can >> > >> I find it? >> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only >> > Windows >> > >> 7? >> > >> >> > >> Thanks a lot for your previous and future answers >> > >> >> > >> -- >> > >> Youenn Piolet >> > >> piolet.y at gmail.com >> > >> >> > >> >> > >> 2015-08-04 17:55 GMT+02:00 Matt . : >> > >> Hi, >> > >> >> > >> Yes, log is anonymised. >> > >> >> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I >> > >> change it's password it doesn't get it in ldap. >> > >> >> > >> There must be something going wrong I guess. >> > >> >> > >> Matt >> > >> >> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb >> > > > > >> >: >> > >> > Hi Matt >> > >> > >> > >> > I assume [username] is a real username, identical to that in >> > the >> > >> FreeIPA >> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log >> > extract). >> > >> > >> > >> > You user should be a member of the appropriate samba groups >> > that >> > you >> > >> setup >> > >> > in FreeIPA. >> > >> > >> > >> > You should check that the user attribute SambaPwdLastSet is set >> > to >> > a >> > >> > positive value (e.g. 1). If not you get an error in the Samba >> > logs >> > - >> > > I >> > >> > would need to play around again with a test user to find out >> > the >> > > exact >> > >> > error. >> > >> > >> > >> > I don't understand what you mean about syncing the users local, >> > but >> > > we >> > >> did >> > >> > not need to do anything like that. 
>> > >> > >> > >> > Chris >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > From: "Matt ." >> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >> > >> > Cc: "freeipa-users at redhat.com" >> > >> > Date: 04.08.2015 15:33 >> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >> > against >> > >> IPA >> > >> > >> > >> > >> > >> > >> > >> > Hi Chris, >> > >> > >> > >> > A puppet run added another passdb backend, that was causing my >> > issue. >> > >> > >> > >> > What I still experience is: >> > >> > >> > >> > >> > >> > [2015/08/04 15:29:45.477783, 3] >> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) >> > >> > check_sam_security: Couldn't find user 'username' in passdb. >> > >> > [2015/08/04 15:29:45.478026, 2] >> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >> > >> > check_ntlm_password: Authentication for user [username] -> >> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >> > >> > >> > >> > >> > >> > I also wonder if I shall still sync the users local, or is it >> > > needed ? >> > >> > >> > >> > Thanks again, >> > >> > >> > >> > Matt >> > >> > >> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >> > >> christopher.lamb at ch.ibm.com>: >> > >> >> Hi Matt >> > >> >> >> > >> >> From our smb.conf file: >> > >> >> >> > >> >> [global] >> > >> >> security = user >> > >> >> passdb backend = >> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >> > >> >> ldap admin dn = cn=Directory Manager >> > >> >> >> > >> >> So yes, we use Directory Manager, it works for us. I have not >> > tried >> > >> with >> > >> > a >> > >> >> less powerful user, but it is conceivable that a lesser user >> > may >> > not >> > >> see >> > >> >> all the required attributes, resulting in "no such user" >> > errors. >> > >> >> >> > >> >> Chris >> > >> >> >> > >> >> >> > >> >> >> > >> >> >> > >> >> From: "Matt ." 
>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
>> > >> >> Cc: "freeipa-users at redhat.com"
>> > >> >> Date: 04.08.2015 13:32
>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> > >> >>
>> > >> >> Hi Chris,
>> > >> >>
>> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a
>> > >> >> group from the GUI, great thanks!
>> > >> >>
>> > >> >> But do you use Directory Manager as ldap admin user or some other
>> > >> >> admin account ?
>> > >> >>
>> > >> >> I'm not sure if DM is needed and it should get that deep into IPA.
>> > >> >> Also when starting samba it cannot find "such user" as that sounds
>> > >> >> quite known as it has no UID.
>> > >> >>
>> > >> >> From your config I see you use DM, this should work ?
>> > >> >>
>> > >> >> Thanks!
>> > >> >>
>> > >> >> Matt
>> > >>
>> > >> --
>> > >> Manage your subscription for the Freeipa-users mailing list:
>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
>> > >> Go to http://freeipa.org for more info on the project

From harenberg at physik.uni-wuppertal.de Fri Aug 7 11:44:48 2015
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Fri, 07 Aug 2015 13:44:48 +0200
Subject: [Freeipa-users] sssd (CentOS6) known to be unstable?
In-Reply-To: <20150806081628.GA3199@mail.corp.redhat.com>
References: <55C04E29.5020601@physik.uni-wuppertal.de> <55C05413.90709@physik.uni-wuppertal.de> <20150804061702.GB15393@mail.corp.redhat.com> <55C2F285.2070700@physik.uni-wuppertal.de> <55C2F50D.5020603@physik.uni-wuppertal.de> <20150806081628.GA3199@mail.corp.redhat.com>
Message-ID: <55C49A30.6030507@physik.uni-wuppertal.de>

On 06.08.15 at 10:16, Lukas Slebodnik wrote:
> On (06/08/15 07:47), Torsten Harenberg wrote:
>> On 06.08.15 at 07:37, Torsten Harenberg wrote:
>>> (see plot attached
>>
>> forgot the attachment
>>
> Is the high IO caused by sssd or by other application?
>
> If it is caused by other application then you can mount
> directory with sss cache (/var/lib/sss or just the /var/lib/sss/db)
> to the different device/disk or filesystem.
> You can use tmpfs if you do not care about offline authentication.
>

Thanks Lukas, that was a very good hint. Yes, the high IO was the payload of some user.

We immediately implemented a tmpfs solution yesterday and the system is still stable :).

Thanks again

Torsten

--
Dr. Torsten Harenberg   harenberg at physik.uni-wuppertal.de
Bergische Universitaet
FB C - Physik           Tel.: +49 (0)202 439-3521
Gaussstr. 20            Fax : +49 (0)202 439-2811
42097 Wuppertal
Of course it runs NetBSD http://www.netbsd.org

From roccas at gmail.com Fri Aug 7 13:25:41 2015
From: roccas at gmail.com (Marcelo Roccasalva)
Date: Fri, 7 Aug 2015 10:25:41 -0300
Subject: [Freeipa-users] migrating openldap 2
Message-ID:

Hi,

I need to migrate an ldap tree from openldap 2 (including qmail schema). Which would be the shortest path?

--
Marcelo
"Could it be that this modern life is turning out to be more modern than life?" (Mafalda)
From mored.berdat at sancred.com.br Thu Aug 6 20:31:18 2015
From: mored.berdat at sancred.com.br (Mored Berdat)
Date: Thu, 06 Aug 2015 17:31:18 -0300
Subject: [Freeipa-users] Xfce/Mate desktop - FreeIPA client
Message-ID: <55C3C416.9090905@sancred.com.br>

Hi List

My name is Mored Berdat, sysadmin. I use Debian 8 desktops in LTSP (fat-client) and regular desktops with Xfce. I am applying hardening procedures and recently researched FreeIPA.

-- Is it possible for Xfce users to change passwords?
-- When I apply a new policy on FreeIPA, can Xfce users see the alert, for example "Your password expired, change now"?
-- About the Mate Desktop Environment: will the tools for changing the password and username attributes work with FreeIPA?

Thanks

--
Thank you.
Mored Berdat
SANCRED Sist. Nac. de Recup. de Cred. Ltda.
Phone: (19) 3512-0200
sancred.com.br

From jhrozek at redhat.com Fri Aug 7 14:01:55 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 7 Aug 2015 16:01:55 +0200
Subject: [Freeipa-users] Xfce/Mate desktop - FreeIPA client
In-Reply-To: <55C3C416.9090905@sancred.com.br>
References: <55C3C416.9090905@sancred.com.br>
Message-ID: <20150807140155.GC12658@hendrix.redhat.com>

On Thu, Aug 06, 2015 at 05:31:18PM -0300, Mored Berdat wrote:
> Hi List
>
> My name is Mored Berdat, sysadmin. I use debian 8 desktop in LTSP
> (Fat-client) and regular desktops with Xfce. I am applying a Hardening
> Procedures and recently researched about FreeIPA.
>
> -- It's possible to Xfce users change passwords?
Yes, just configure PAM for your login manager as appropriate. Gnome uses GDM, not sure what your configuration uses..

>
> -- When I apply a new policy on FreeIPA, Xfce users can see the alert,
> example "Your password expired, change now"?

I'm not sure what you mean by new policy, but newly created users are created with expired password by default.

>
> -- About Mate Desktop Environment, the tools for change Password, Username
> attributes will work with FreeIPA?

What tools in particular do you have in mind? The ipa user-* tools or the passwd tool? The former talks to the IPA server over RPC, the latter through PAM and SSSD.

From bahanw042014 at gmail.com Fri Aug 7 14:25:29 2015
From: bahanw042014 at gmail.com (bahan w)
Date: Fri, 7 Aug 2015 16:25:29 +0200
Subject: [Freeipa-users] Concerning the krb5.conf
Message-ID:

Hello !

We are using freeipa version 3 and we are encountering a problem in our environment.
We have one master kdc and two replicas.

On the different linux servers in our environment, we have the following krb5.conf (I modified the hostnames for NDA):

###
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm =
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
   = {
    kdc = host1.:88
    kdc = host2.:88
    kdc = host3.:88
    master_kdc = host2.:88
    admin_server = host2.:749
    default_domain
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  . =
   =
  . =
   =
###

host1 is a physical machine
host2 and host3 are VM.

So I have some questions :
Q1 - Does it make sense to put the line master_kdc and admin_server to the host2, which is a VM instead of the host1 which is a physical machine ?
Q2 - When I try to connect to the UI of host1, I can enter my login/password and it works. When I try to connect to the UI of host2, I have an error message saying my password is incorrect. When I try to connect to the UI of host3, it works.
Does it mean host1 and host3 are synchronized but host2 is not ?
Q3. Do the two last lines make sense ? I mean what is the exact usage of the paragraph [domain_realm] ? Does it mean : if I try to connect to a server with the domain listed in this list, then I will try to contact the realm associated ?

Thank you in advance for your answers.

Best regards.

Bahan

From yamakasi.014 at gmail.com Thu Aug 6 14:19:42 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 6 Aug 2015 16:19:42 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Chris,

OK, then we might create two different versions of the wiki, I think this is nice.

I'm still figuring out why I get that:

IPA Error 4205: ObjectclassViolation
missing attribute "sambaGroupType" required by object class "sambaGroupMapping"

Matt

2015-08-06 16:09 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> As far as I can make out, there are at least 2 viable Samba / FreeIPA
> integration paths.
>
> The route I took is suited where there is no Active Directory involved: In
> my case all the Windows, OSX and Linux clients are islands that sit on the
> same network.
>
> The route that Youenn has taken (unless I have got completely the wrong end
> of the stick) requires Active Directory in the architecture.
>
> Chris
>
>
> From: "Matt ."
> To: Youenn PIOLET
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> "freeipa-users at redhat.com"
> Date: 06.08.2015 14:42
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi,
>
> OK, this sounds already quite logical, but I'm still referring to the
> old howto we found earlier, does that one still apply somewhere or not
> at all ?
>
> Thanks,
>
> Matt
>
>
> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>> Hey guys,
>>
>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>
>> General idea:
>>
>> On FreeIPA (4.1)
>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>> attribute, also known as SID)
>> - regenerate each user password to build ipaNTHash attribute, not here by
>> default on users
>> - use your ldap browser to check ipaNTHash values are here on user objects
>> - create a CIFS service for your samba server
>> - Create user roles/permissions as described here:
>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>> so that CIFS service will be able to read ipaNTsecurityidentifier and
>> ipaNTHash attributes in LDAP (ACI)
>> - SCP ipasam.so module to your cifs server (this is the magic trick) :
>> scp /usr/lib64/samba/pdb/ipasam.so
>> root at samba-server.domain:/usr/lib64/samba/pdb/
>> You can also try to recompile it.
>>
>> On SAMBA Server side (CentOS 7...)
>> - Install server keytab file for CIFS
>> - check ipasam.so is here.
>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>> uid=admin ipaNTHash` thanks to kerberos
>> - make your smb.conf following the linked thread and restart service
>>
>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>> ipasam may use quite recent functionalities, the best is to just try. You
>> can read in previous thread : "If you insist on Ubuntu you need to get
>> ipasam somewhere, most likely to compile it yourself".
>>
>> Make sure your user has ipaNTHash attribute :)
>>
>> You may want to debug authentication on samba server, I usually do this:
>> `tail -f /var/log/samba/log* | grep
>>
>> Cheers
>> --
>> Youenn Piolet
>> piolet.y at gmail.com
>>
>>
>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>
>>> Hi,
>>>
>>> This sounds great to me too, but a howto would help to make it more
>>> clear about what you have done here.
>>> The thread confuses me a little
>>> bit.
>>>
>>> Can you paste your commands so we can test out too and report back ?
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>> > Hi Youenn
>>> >
>>> > Good news that you have got an integration working
>>> >
>>> > Now you have got it going, and the solution is fresh in your mind, how
>>> > about adding a How-to page on this solution to the FreeIPA wiki?
>>> >
>>> > Chris
>>> >
>>> >
>>> > From: Youenn PIOLET
>>> > To: "Matt ."
>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>> > "freeipa-users at redhat.com"
>>> > Date: 05.08.2015 14:51
>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> >
>>> > Hi guys,
>>> >
>>> > Thank you so much for your previous answers.
>>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
>>> > ipa-adtrust-install --add-sids
>>> >
>>> > I found another way to configure smb here:
>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>> > It works perfectly.
>>> >
>>> > I'm using module ipasam.so I have manually scp'd to the samba server,
>>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>>> > Following the instructions, I created a user role allowing the service
>>> > principal to read the ipaNTHash value from the LDAP.
>>> > ipaNTHash values are generated each time a user changes his password.
>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>> >
>>> > For more details, the previously linked thread is quite clear.
>>> >
>>> > Cheers
>>> >
>>> > --
>>> > Youenn Piolet
>>> > piolet.y at gmail.com
>>> >
>>> >
>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>>> > Hi Chris.
>>> >
>>> > Yes, Apache Studio did that but I was not sure why it complained it
>>> > was "already" there.
>>> >
>>> > I'm still getting:
>>> >
>>> > IPA Error 4205: ObjectclassViolation
>>> >
>>> > missing attribute "sambaGroupType" required by object class
>>> > "sambaGroupMapping"
>>> >
>>> > When adding a user.
>>> >
>>> > I also see "class" as field name under my "Last name", this is not OK
>>> > also.
>>> >
>>> > We sure need to make some howto, I think we can nail this down :)
>>> >
>>> > Thanks for the heads up!
>>> >
>>> > Matthijs
>>> >
>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>> > > Hi Matt
>>> > >
>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>>> > > below:
>>> > >
>>> > > #!RESULT OK
>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>> > > #!DATE 2015-08-05T05:45:04.608
>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>> > > changetype: modify
>>> > > add: ipaCustomFields
>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>> > >
>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>> > >
>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
>>> > > attribute type in a drop down list.
>>> > >
>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
>>> > > Wiki.
>>> > >
>>> > > Chris
>>> > >
>>> > >
>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>> > > To: "Matt ."
>>> > > Cc: "freeipa-users at redhat.com"
>>> > > Date: 05.08.2015 07:31
>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> > > Sent by: freeipa-users-bounces at redhat.com
>>> > >
>>> > > Hi Matt
>>> > >
>>> > > I also got the same result at that step, but can see nothing in Apache
>>> > > Directory Studio.
From abokovoy at redhat.com Fri Aug 7 21:05:10 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 8 Aug 2015 00:05:10 +0300
Subject: [Freeipa-users] Concerning the krb5.conf
In-Reply-To:
References:
Message-ID: <20150807210510.GC22106@redhat.com>

On Fri, 07 Aug 2015, bahan w wrote:
>Hello !
>
>We are using freeipa version 3 and we are encountering a problem in our
>environment.
>We have one master kdc and two replicas.
>
>On the different linux servers on our environment, we have the following
>krb5.conf (I modified the hostname for NDA) :
>
>###
>#File modified by ipa-client-install
>
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[libdefaults]
>  default_realm =
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
>[realms]
>   = {
>    kdc = host1.:88
>    kdc = host2.:88
>    kdc = host3.:88
>    master_kdc = host2.:88
>    admin_server = host2.:749
>    default_domain
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  }
>
>[domain_realm]
>  . =
>   =
>  . =
>   =
>###
>
>host1 is a physical machine
>host2 and host3 are VM.
>
>So I have some questions :
>Q1 - Does it make sense to put the line master_kdc and admin_server to the
>host2, which is a VM instead of the host1 which is a physical machine ?
According to manual page of 'krb5.conf',
-------
master_kdc:
    Identifies the master KDC(s). Currently, this tag is used in only one
    case: If an attempt to get credentials fails because of an invalid
    password, the client software will attempt to contact the master KDC,
    in case the user's password has just been changed, and the updated
    database has not been propagated to the slave servers yet.
-------
'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
actions in IPA.

>Q2 - When I try to connect to the UI of host1, I can enter my
>login/password and it works. When I try to connect to the UI of host2, I
>have an error message saying my password is incorrect. When I try to
>connect to the UI of host3, it works. Does it mean host1 and host3 are
>synchronized but host2 is not ?
Most likely, yes.

>Q3. Do the two last lines make sense ? I mean what is the exact usage of
>the paragraph [domain_realm] ? Does it mean : if I try to connect to a
>server with the domain listed in this list, then I will try to contact the
>realm associated ?
Since you disabled DNS discovery of realm based on the DNS domain, Kerberos
library will perform some logic to find out which realm corresponds to the
domain. domain_realm section helps here. krb5.conf manual page has a clear
explanation of how the section is designed to work.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Aug 7 21:09:28 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 8 Aug 2015 00:09:28 +0300
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID: <20150807210928.GD22106@redhat.com>

On Thu, 06 Aug 2015, Christopher Lamb wrote:
>Hi Matt
>
>As far as I can make out, there are at least 2 viable Samba / FreeIPA
>integration paths.
>
>The route I took is suited where there is no Active Directory involved: In
>my case all the Windows, OSX and Linux clients are islands that sit on the
>same network.
>
>The route that Youenn has taken (unless I have got completely the wrong end
>of the stick) requires Active Directory in the architecture.
Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse IPA design for AD integration via trust
for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only way we don't support it (yet) is
because we think doing a longer term solution via SSSD and NTLMSSP
support is better scalability-wise -- your SSSD client already has an
LDAP connection and already holds identity mappings in the cache, so
there is no need to run a separate LDAP connection in smbd/winbindd for
that and cache the same data in a different way.

--
/ Alexander Bokovoy

From yamakasi.014 at gmail.com Fri Aug 7 21:27:14 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 7 Aug 2015 23:27:14 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <20150807210928.GD22106@redhat.com>
References: <20150807210928.GD22106@redhat.com>
Message-ID:

Hi Alexander,

Yes, this is known, but it's not usable yet, at least not on an Ubuntu
Samba server as far as I know?

If so, maybe you can help us out here to clear this up how to do it.

Thanks!

Matt

2015-08-07 23:09 GMT+02:00 Alexander Bokovoy :
> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>
>> Hi Matt
>>
>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>> integration paths.
>>
>> The route I took is suited where there is no Active Directory involved: In
>> my case all the Windows, OSX and Linux clients are islands that sit on the
>> same network.
>>
>> The route that Youenn has taken (unless I have got completely the wrong
>> end
>> of the stick) requires Active Directory in the architecture.
>
> Yes, you are at the wrong end of the stick. You don't need AD in the
> architecture here. You can reuse IPA design for AD integration via trust
> for normal Samba integration but use ipasam.so instead of ldapsam.so.
> This is what Youenn did. The only way we don't support it (yet) is
> because we think doing a longer term solution via SSSD and NTLMSSP
> support is better scalability-wise -- your SSSD client already has an
> LDAP connection and already holds identity mappings in the cache, so
> there is no need to run a separate LDAP connection in smbd/winbindd for
> that and cache the same data in a different way.
>
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Fri Aug 7 21:37:03 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 8 Aug 2015 00:37:03 +0300
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References: <20150807210928.GD22106@redhat.com>
Message-ID: <20150807213703.GE22106@redhat.com>

On Fri, 07 Aug 2015, Matt . wrote:
>Hi Alexander,
>
>Yes, this is known, but it's not usable yet, at least not on an Ubuntu
>Samba server as far as I know?
>
>If so, maybe you can help us out here to clear this up how to do it.
Sorry, I cannot help you with Ubuntu setup, you need to figure it out
yourself. I did write original instructions Youenn referred to, so I
know they work well and Youenn's configuration just proves that.

Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
Samba build this way.

Anything you would do, you'd be out of supported way -- either when you
modify IPA LDAP schema or when you build Samba in Ubuntu with MIT Kerberos.
I don't want to spend time on digging up unsupported configuration
details when the same time could be spent on improving FreeIPA 4.2 and
bringing SSSD+Samba setup closer to where we want to have it.
Maybe it sounds harsh but we have to decide what battles we think are
more important and to me this one is more important even considering my
spare time.

>Thanks!
>
>Matt
>
>2015-08-07 23:09 GMT+02:00 Alexander Bokovoy :
>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>>
>>> Hi Matt
>>>
>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>> integration paths.
>>>
>>> The route I took is suited where there is no Active Directory involved: In
>>> my case all the Windows, OSX and Linux clients are islands that sit on the
>>> same network.
>>>
>>> The route that Youenn has taken (unless I have got completely the wrong
>>> end
>>> of the stick) requires Active Directory in the architecture.
>>
>> Yes, you are at the wrong end of the stick. You don't need AD in the
>> architecture here. You can reuse IPA design for AD integration via trust
>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>> This is what Youenn did. The only way we don't support it (yet) is
>> because we think doing a longer term solution via SSSD and NTLMSSP
>> support is better scalability-wise -- your SSSD client already has an
>> LDAP connection and already holds identity mappings in the cache, so
>> there is no need to run a separate LDAP connection in smbd/winbindd for
>> that and cache the same data in a different way.
>>
>> --
>> / Alexander Bokovoy
>

--
/ Alexander Bokovoy

From yamakasi.014 at gmail.com Fri Aug 7 21:49:24 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 7 Aug 2015 23:49:24 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <20150807213703.GE22106@redhat.com>
References: <20150807210928.GD22106@redhat.com> <20150807213703.GE22106@redhat.com>
Message-ID:

Hi Alexander,

Yes I'm on the same path, but for now I would like to get it working
on Ubuntu for the time being.

Are you sure Ubuntu is not MIT? We have discussed that some time ago
on IRC and it seemed to be that Ubuntu was built against MIT.

Cheers,

Matt

2015-08-07 23:37 GMT+02:00 Alexander Bokovoy :
> On Fri, 07 Aug 2015, Matt . wrote:
>>
>> Hi Alexander,
>>
>> Yes, this is known, but it's not usable yet, at least not on an Ubuntu
>> Samba server as far as I know?
>>
>> If so, maybe you can help us out here to clear this up how to do it.
>
> Sorry, I cannot help you with Ubuntu setup, you need to figure it out
> yourself. I did write original instructions Youenn referred to, so I
> know they work well and Youenn's configuration just proves that.
>
> Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
> against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
> Samba build this way.
>
> Anything you would do, you'd be out of supported way -- either when you
> modify IPA LDAP schema or when you build Samba in Ubuntu with MIT Kerberos.
> I don't want to spend time on digging up unsupported configuration
> details when the same time could be spent on improving FreeIPA 4.2 and
> bringing SSSD+Samba setup closer to where we want to have it. Maybe it
> sounds harsh but we have to decide what battles we think are more
> important and to me this one is more important even considering my spare
> time.
>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy :
>>>
>>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>>>
>>>> Hi Matt
>>>>
>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>>> integration paths.
>>>>
>>>> The route I took is suited where there is no Active Directory involved:
>>>> In
>>>> my case all the Windows, OSX and Linux clients are islands that sit on
>>>> the
>>>> same network.
>>>>
>>>> The route that Youenn has taken (unless I have got completely the wrong
>>>> end
>>>> of the stick) requires Active Directory in the architecture.
>>>
>>> Yes, you are at the wrong end of the stick. You don't need AD in the
>>> architecture here. You can reuse IPA design for AD integration via trust
>>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>>> This is what Youenn did. The only way we don't support it (yet) is
>>> because we think doing a longer term solution via SSSD and NTLMSSP
>>> support is better scalability-wise -- your SSSD client already has an
>>> LDAP connection and already holds identity mappings in the cache, so
>>> there is no need to run a separate LDAP connection in smbd/winbindd for
>>> that and cache the same data in a different way.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>
> --
> / Alexander Bokovoy

From christopher.lamb at ch.ibm.com Sat Aug 8 08:52:52 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Sat, 8 Aug 2015 10:52:52 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <20150807210928.GD22106@redhat.com>
References: <20150807210928.GD22106@redhat.com>
Message-ID:

Hi Alexander

As this particular stick has many ends, it is easy to grab the wrong one! 8-)

So it sounds like there are / will be at least four integration paths to
integrate Samba and FreeIPA. For clarity my current understanding is as
follows:

1) The longer term path via SSSD and NTLMSSP
   1.1) Documentation: Not yet documented, as under development
   1.2) Viability 4.x/4.x: In development, not yet available.
        (??? Any idea of a possible timeline ???)
   1.3) Schema Extensions: Will this path use the AD Trust Extensions?
        ipasam module?
   1.4) Active Directory: Will this path work without AD (like 2) below)?
   1.5) Other: Should be more scalable (less duplication of function
        e.g. connections, caches)

2) A path using the IPASAM module + AD Trust Extensions to the FreeIPA schema,
   2.1) Documentation: Is currently best documented further back in this
        thread (post(s) from Youenn)
   2.2) Viability 4.x/4.x: Is viable for FreeIPA 4.x / Samba 4.x. This is
        the path successfully tested / implemented by Youenn. However, while
        viable, this solution is not actively supported, as efforts are
        focussed on 1) above.
   2.3) Schema Extensions: Requires schema extensions (ipa-adtrust-install).
   2.4) Active Directory: Despite the AD extensions, NO Active Directory
        required in the architecture.
   2.5) Other: half LDAP (to read NTHash/SID), half Kerberos (to bind samba
        to the LDAP).

3) A path using the LDAPSAM module + Samba Extensions to the FreeIPA schema.
   3.1) Documentation: Is best documented under
        http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/,
        (although this article contains some small errors).
   3.2) Viability 4.x/4.x: May no longer be fully viable for FreeIPA 4.x /
        Samba 4.x, or only viable with some quirks / workarounds.
   3.3) Schema Extensions: Requires schema extensions via LDAPMODIFY /
        LDAPADD scripts + changes to FreeIPA python scripts and WebUI
   3.4) Active Directory: NO Active Directory required in the architecture.
        (Samba clients can be "islands").
   3.5) Other: Is the path that I am currently using in production
        (originally with 3.x/3.x, now with 4.x/4.x)

4) A path using the kerberos module and Active Directory + AD Trust
   Extensions to the FreeIPA schema.
   4.1) Documentation: Is documented under:
        https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
   4.2) Viability 4.x/4.x: ???
        The article above mentions FreeIPA 3.3 +, but also RHEL 7.1
        preferred / sssd 1.12.2+, which suggests 4.x / 4.x.
   4.3) Schema Extensions: Requires schema extensions (ipa-adtrust-install)
   4.4) Active Directory: Requires Active Directory + Domain in the
        architecture. (i.e. Samba clients are NOT "islands").

If we can confirm / correct the above, it can serve as the basis for a
FreeIPA Wiki Page, with child How-to articles for each of the viable
solutions.

As I am using solution 3) in production, yet others have problems getting it
working at all, I have now set up a throwaway VM running FreeIPA 4.1 and
Samba 4.1.12, and can experiment freely with 3), and after that with 2).

Cheers

Chris

From: Alexander Bokovoy
To: Christopher Lamb/Switzerland/IBM at IBMCH
Cc: "Matt ." , "freeipa-users at redhat.com"
Date: 07.08.2015 23:09
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

On Thu, 06 Aug 2015, Christopher Lamb wrote:
>Hi Matt
>
>As far as I can make out, there are at least 2 viable Samba / FreeIPA
>integration paths.
>
>The route I took is suited where there is no Active Directory involved: In
>my case all the Windows, OSX and Linux clients are islands that sit on the
>same network.
>
>The route that Youenn has taken (unless I have got completely the wrong end
>of the stick) requires Active Directory in the architecture.
Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse IPA design for AD integration via trust
for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only way we don't support it (yet) is
because we think doing a longer term solution via SSSD and NTLMSSP
support is better scalability-wise -- your SSSD client already has an
LDAP connection and already holds identity mappings in the cache, so
there is no need to run a separate LDAP connection in smbd/winbindd for
that and cache the same data in a different way.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Sat Aug 8 09:49:17 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 8 Aug 2015 05:49:17 -0400 (EDT)
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References: <20150807210928.GD22106@redhat.com>
Message-ID: <916803052.8893340.1439027357096.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Hi Alexander
>
> As this particular stick has many ends, it is easy to grab the wrong one!
> 8-)
>
> So it sounds like there are / will be at least four integration paths to
> integrate Samba and FreeIPA. For clarity my current understanding is as
> follows:
>
> 1) The longer term path via SSSD and NTLMSSP
>    1.1) Documentation: Not yet documented, as under development
>    1.2) Viability 4.x/4.x: In development, not yet available. (???
>         Any idea of a possible timeline ???)
>    1.3) Schema Extensions: Will this path use the AD Trust Extensions?
>         ipasam module?
>    1.4) Active Directory: Will this path work without AD (like 2) below)?
>    1.5) Other: Should be more scalable (less duplication of
>         function e.g. connections, caches)
>
> 2) A path using the IPASAM module + AD Trust Extensions to the FreeIPA
>    schema,
>    2.1) Documentation: Is currently best documented further back in
>         this thread (post(s) from Youenn)
>    2.2) Viability 4.x/4.x: Is viable for FreeIPA 4.x / Samba 4.x.
>         This is the path successfully tested / implemented by Youenn. However,
>         while viable, this solution is not actively supported, as efforts are
>         focussed on 1) above.
>    2.3) Schema Extensions: Requires schema extensions
>         (ipa-adtrust-install).
>    2.4) Active Directory: Despite the AD extensions, NO Active Directory
>         required in the architecture.
>    2.5) Other: half LDAP (to read NTHash/SID), half Kerberos
>         (to bind samba to the LDAP).
>
> 3) A path using the LDAPSAM module + Samba Extensions to the FreeIPA
>    schema.
>    3.1) Documentation: Is best documented under
>         http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/,
>         (although this article contains some small errors).
>    3.2) Viability 4.x/4.x: May no longer be fully viable for FreeIPA
>         4.x / Samba 4.x, or only viable with some quirks / workarounds.
>    3.3) Schema Extensions: Requires schema extensions via LDAPMODIFY /
>         LDAPADD scripts + changes to FreeIPA python scripts and WebUI
>    3.4) Active Directory: NO Active Directory required in the
>         architecture. (Samba clients can be "islands").
>    3.5) Other: Is the path that I am currently using in
>         production (originally with 3.x/3.x, now with 4.x/4.x)
>
> 4) A path using the kerberos module and Active Directory + AD Trust
>    Extensions to the FreeIPA schema.
>    4.1) Documentation: Is documented under:
>         https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>    4.2) Viability 4.x/4.x: ??? The article above mentions FreeIPA 3.3
>         +, but also RHEL 7.1 preferred / sssd 1.12.2+, which suggests 4.x / 4.x.
>    4.3) Schema Extensions: Requires schema extensions
>         (ipa-adtrust-install)
>    4.4) Active Directory: Requires Active Directory + Domain in the
>         architecture. (i.e. Samba clients are NOT "islands").
>
> If we can confirm / correct the above, it can serve as the basis for a
> FreeIPA Wiki Page, with child How-to articles for each of the viable
> solutions.
>
> As I am using solution 3) in production, yet others have problems getting it
> working at all, I have now set up a throwaway VM running FreeIPA 4.1 and
> Samba 4.1.12, and can experiment freely with 3), and after that with 2).
(1), (2), and (4) are the same. You enable FreeIPA with ipa-adtrust-install
and then you configure some IPA client as a Samba file server. The way you
configure it depends on (1) or (2) or (4) but really, (2) and (4) are the
same and (1) requires ipa-adtrust-install-based configuration because SSSD
relies on the same LDAP schema for IPA and SIDs.
There is nothing wrong with (3) except that you are responsible yourself
for maintaining the schema extensions and configuration, and generating
SIDs, etc.

I need to update the code in Samba upstream to merge some of ipasam
features to ldapsam and maybe make it aware of IPA schema/ability to
switch using IPA schema so that the configuration could be simplified.
At least authenticating with kerberos is something I'd like to push back
to Samba's ldapsam.

>
> Cheers
>
> Chris
>
> From: Alexander Bokovoy
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: "Matt ." , "freeipa-users at redhat.com"
> Date: 07.08.2015 23:09
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> On Thu, 06 Aug 2015, Christopher Lamb wrote:
> >Hi Matt
> >
> >As far as I can make out, there are at least 2 viable Samba / FreeIPA
> >integration paths.
> >
> >The route I took is suited where there is no Active Directory involved: In
> >my case all the Windows, OSX and Linux clients are islands that sit on the
> >same network.
> >
> >The route that Youenn has taken (unless I have got completely the wrong
> end
> >of the stick) requires Active Directory in the architecture.
> Yes, you are at the wrong end of the stick. You don't need AD in the
> architecture here. You can reuse IPA design for AD integration via trust
> for normal Samba integration but use ipasam.so instead of ldapsam.so.
> This is what Youenn did. The only way we don't support it (yet) is
> because we think doing a longer term solution via SSSD and NTLMSSP
> support is better scalability-wise -- your SSSD client already has an
> LDAP connection and already holds identity mappings in the cache, so
> there is no need to run a separate LDAP connection in smbd/winbindd for
> that and cache the same data in a different way.
>
> --
> / Alexander Bokovoy
>

--
/ Alexander Bokovoy

From yamakasi.014 at gmail.com Sat Aug 8 14:14:42 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 8 Aug 2015 16:14:42 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <916803052.8893340.1439027357096.JavaMail.zimbra@redhat.com>
References: <20150807210928.GD22106@redhat.com> <916803052.8893340.1439027357096.JavaMail.zimbra@redhat.com>
Message-ID:

OK,

This is known, as this is RHEL based. But I wonder what "the best" way
should be for Debian/Ubuntu based systems for now where we can simply
migrate to the via SSSD and NTLMSSP solution in the past.

That is my concern to the options given above.

Matt

2015-08-08 11:49 GMT+02:00 Alexander Bokovoy :
>
>
> ----- Original Message -----
>> Hi Alexander
>>
>> As this particular stick has many ends, it is easy to grab the wrong one!
>> 8-)
>>
>> So it sounds like there are / will be at least four integration paths to
>> integrate Samba and FreeIPA. For clarity my current understanding is as
>> follows:
>>
>> 1) The longer term path via SSSD and NTLMSSP
>>    1.1) Documentation: Not yet documented, as under development
>>    1.2) Viability 4.x/4.x: In development, not yet available. (???
>>         Any idea of a possible timeline ???)
>>    1.3) Schema Extensions: Will this path use the AD Trust Extensions?
>>         ipasam module?
>>    1.4) Active Directory: Will this path work without AD (like 2) below)?
>>    1.5) Other: Should be more scalable (less duplication of
>>         function e.g. connections, caches)
>>
>> 2) A path using the IPASAM module + AD Trust Extensions to the FreeIPA
>>    schema,
>>    2.1) Documentation: Is currently best documented further back in
>>         this thread (post(s) from Youenn)
>>    2.2) Viability 4.x/4.x: Is viable for FreeIPA 4.x / Samba 4.x.
>>         This is the path successfully tested / implemented by Youenn. However,
>>         while viable, this solution is not actively supported, as efforts are
>>         focussed on 1) above.
>>    2.3) Schema Extensions: Requires schema extensions
>>         (ipa-adtrust-install).
>>    2.4) Active Directory: Despite the AD extensions, NO Active Directory
>>         required in the architecture.
>>    2.5) Other: half LDAP (to read NTHash/SID), half Kerberos
>>         (to bind samba to the LDAP).
>>
>> 3) A path using the LDAPSAM module + Samba Extensions to the FreeIPA
>>    schema.
>>    3.1) Documentation: Is best documented under
>>         http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/,
>>         (although this article contains some small errors).
>>    3.2) Viability 4.x/4.x: May no longer be fully viable for FreeIPA
>>         4.x / Samba 4.x, or only viable with some quirks / workarounds.
>>    3.3) Schema Extensions: Requires schema extensions via LDAPMODIFY /
>>         LDAPADD scripts + changes to FreeIPA python scripts and WebUI
>>    3.4) Active Directory: NO Active Directory required in the
>>         architecture. (Samba clients can be "islands").
>>    3.5) Other: Is the path that I am currently using in
>>         production (originally with 3.x/3.x, now with 4.x/4.x)
>>
>> 4) A path using the kerberos module and Active Directory + AD Trust
>>    Extensions to the FreeIPA schema.
>>    4.1) Documentation: Is documented under:
>>         https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>    4.2) Viability 4.x/4.x: ??? The article above mentions FreeIPA 3.3
>>         +, but also RHEL 7.1 preferred / sssd 1.12.2+, which suggests 4.x / 4.x.
>>    4.3) Schema Extensions: Requires schema extensions
>>         (ipa-adtrust-install)
>>    4.4) Active Directory: Requires Active Directory + Domain in the
>>         architecture. (i.e. Samba clients are NOT "islands").
>>
>> If we can confirm / correct the above, it can serve as the basis for a
>> FreeIPA Wiki Page, with child How-to articles for each of the viable
>> solutions.
>>
>> As I am using solution 3) in production, yet others have problems getting it
>> working at all, I have now set up a throwaway VM running FreeIPA 4.1 and
>> Samba 4.1.12, and can experiment freely with 3), and after that with 2).
> (1), (2), and (4) are the same. You enable FreeIPA with ipa-adtrust-install
> and then you configure some IPA client as a Samba file server.
> The way you configure it depends on (1) or (2) or (4) but really, (2) and
> (4) are the same and (1) requires ipa-adtrust-install-based configuration
> because SSSD relies on the same LDAP schema for IPA and SIDs.
>
> There is nothing wrong with (3) except that you are responsible yourself
> for maintaining the schema extensions and configuration, and generating
> SIDs, etc.
>
> I need to update the code in Samba upstream to merge some of ipasam
> features to ldapsam and maybe make it aware of IPA schema/ability to
> switch using IPA schema so that the configuration could be simplified.
> At least authenticating with kerberos is something I'd like to push back
> to Samba's ldapsam.
>
>>
>> Cheers
>>
>> Chris
>>
>> From: Alexander Bokovoy
>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>> Cc: "Matt ." , "freeipa-users at redhat.com"
>> Date: 07.08.2015 23:09
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>> >Hi Matt
>> >
>> >As far as I can make out, there are at least 2 viable Samba / FreeIPA
>> >integration paths.
>> >
>> >The route I took is suited where there is no Active Directory involved: In
>> >my case all the Windows, OSX and Linux clients are islands that sit on the
>> >same network.
>> >
>> >The route that Youenn has taken (unless I have got completely the wrong
>> end
>> >of the stick) requires Active Directory in the architecture.
>> Yes, you are at the wrong end of the stick. You don't need AD in the
>> architecture here. You can reuse IPA design for AD integration via trust
>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>> This is what Youenn did.
>> The only way we don't support it (yet) is
>> because we think doing a longer term solution via SSSD and NTLMSSP
>> support is better scalability-wise -- your SSSD client already has an
>> LDAP connection and already holds identity mappings in the cache, so
>> there is no need to run a separate LDAP connection in smbd/winbindd for
>> that and cache the same data in a different way.
>>
>> --
>> / Alexander Bokovoy
>>
>
> --
> / Alexander Bokovoy

From jhrozek at redhat.com Sun Aug 9 07:11:41 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 9 Aug 2015 09:11:41 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References: <20150807210928.GD22106@redhat.com> <20150807213703.GE22106@redhat.com>
Message-ID: <20150809071141.GA10628@hendrix.redhat.com>

On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote:
> Hi Alexander,
>
> Yes I'm on the same path, but for now I would like to get it working
> on Ubuntu for the time being.
>
> Are you sure Ubuntu is not MIT? We have discussed that some time ago
> on IRC and it seemed to be that Ubuntu was built against MIT.

I talked to the Ubuntu maintainer last week and he said that:
* SSSD is built against MIT.
* Samba against Heimdal.

From yamakasi.014 at gmail.com Sun Aug 9 08:23:50 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 9 Aug 2015 10:23:50 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <20150809071141.GA10628@hendrix.redhat.com>
References: <20150807210928.GD22106@redhat.com> <20150807213703.GE22106@redhat.com> <20150809071141.GA10628@hendrix.redhat.com>
Message-ID:

Hi,

Yes, that is known for SSSD, but there must be another way maybe?

I wonder what the future is there, as it seems there is none when this
is not changed I guess.

2015-08-09 9:11 GMT+02:00 Jakub Hrozek :
> On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt .
> wrote:
>> Hi Alexander,
>>
>> Yes I'm on the same path, but for now I would like to get it working
>> on Ubuntu for the time being.
>>
>> Are you sure Ubuntu is not MIT? We have discussed that some time ago
>> on IRC and it seemed to be that Ubuntu was built against MIT.
>
> I talked to the Ubuntu maintainer last week and he said that:
> * SSSD is built against MIT.
> * Samba against Heimdal.
>

From christopher.lamb at ch.ibm.com Sun Aug 9 09:50:19 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Sun, 9 Aug 2015 11:50:19 +0200
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <20150720135232.GH21928@redhat.com>
References: <20150428170157.GA26437@redhat.com> <20150428181100.GE26437@redhat.com> <20150428183655.GF26437@redhat.com> <55ACFBF4.4090707@redhat.com> <20150720135232.GH21928@redhat.com>
Message-ID:

Hi

Having done some more experimentation with creating users, changing
passwords, and the attribute sambaPwdLastSet, it is time to reactivate
this old thread.

I have a newly setup FreeIPA 4.1 Server configured with the "good old"
Samba schema extensions for FreeIPA.

I have established the following:

1) user created via CLI with no initial password given:

# ipa user-add usr1 --first=Aunt --last=Agatha
# ipa group-add-member smbgrp --users=usr1

--> The user has neither the smbPwdLastSet nor sambaNTPassword attributes
--> NOT OK

2) Now set an initial pwd for the same user

# ipa user-mod usr1 --password

--> The user has sambaNTPassword, but NOT smbPwdLastSet

3) user created via CLI with initial password given:

# ipa user-add usr2 --first=Bertie --last=Wooster
# ipa group-add-member smbgrp --users=usr2

--> The user has both the smbPwdLastSet and sambaNTPassword attributes.
    smbPwdLastSet = 0
--> OK

4) Now let usr2 set his real password:

# su usr2
# kinit usr2

--> The user has both the smbPwdLastSet and sambaNTPassword attributes.
    smbPwdLastSet remains = 0
--> NOT OK, smbPwdLastSet should now be a positive number!

At this stage usr2 cannot access Samba shares. Of course, I can use an
LDAP browser or CLI commands to set smbPwdLastSet=1, but that is easily
forgotten.

The next test (result still open) is to set what happens with
smbPwdLastSet on password expiry. To do this I have created a fast
expiring password group policy, added usr2 to that group, and then let
usr2 change his password to ensure the new policy is active.

# ipa group-add fastexpire --desc="group with a fast expiring pwd policy"
# ipa group-add-member fastexpire --users=usr2
# ipa pwpolicy-add fastexpire --minlife=0 --maxlife=1 --history=1 --priority=1
# su usr2
# ipa user-mod usr2 --password

Results of this test tomorrow ....

Chris

From: Alexander Bokovoy
To: Rob Crittenden
Cc: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
Date: 20.07.2015 15:52
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>
>>While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>sounds interesting (and we are running the correct versions of OEL 7.1 and
>>SSSD), it seems to require the Windows clients to be members of an Active
>>Directory trusted by IPA.
>>
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>sambaPwdLastSet.
>>
>>After a user has had his password reset via the IPA WebUi to a temporary
>>value, the user then logs on using the temporary password, and is asked to
>>enter a new password.
>>At this point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have tried
>>3 techniques:
>>
>>1) User connects to LDAP server via remote ssh.
>>
>>2) kinit
>>
>>3) su - over an existing ssh session with another user (e.g. mine)
>>
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>>
>>Chris
>
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?

Yes, exactly. This object class is not used by IPA integration with Samba, so we don't give it to users by default. The code in IPA password plugin checks if there is an object class named SambaSamAccount on the user entry and then manipulates sambaPwdLastSet as required.

--
/ Alexander Bokovoy

From jhrozek at redhat.com Sun Aug 9 10:33:35 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 9 Aug 2015 12:33:35 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References: <20150807210928.GD22106@redhat.com> <20150807213703.GE22106@redhat.com> <20150809071141.GA10628@hendrix.redhat.com>
Message-ID: <20150809103335.GA27012@hendrix.redhat.com>

On Sun, Aug 09, 2015 at 10:23:50AM +0200, Matt . wrote:
> Hi,
>
> Yes that is known for SSSD, but there must be another way maybe ?
>
> I wonder what the future is there, as it seems there is none when this
> is not changed I guess.

The future is MIT according to the recent development and commits to samba git tree :-)

From yamakasi.014 at gmail.com Sun Aug 9 12:34:12 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 9 Aug 2015 14:34:12 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To: <20150809103335.GA27012@hendrix.redhat.com>
References: <20150807210928.GD22106@redhat.com> <20150807213703.GE22106@redhat.com> <20150809071141.GA10628@hendrix.redhat.com> <20150809103335.GA27012@hendrix.redhat.com>
Message-ID:

Hi,

Yes I understood, but this seems to take at least some months before it will be "usable". There is no release target date yet ?

Cheers,

Matt

2015-08-09 12:33 GMT+02:00 Jakub Hrozek :
> On Sun, Aug 09, 2015 at 10:23:50AM +0200, Matt . wrote:
>> Hi,
>>
>> Yes that is known for SSSD, but there must be another way maybe ?
>>
>> I wonder what the future is there, as it seems there is none when this
>> is not changed I guess.
>
> The future is MIT according to the recent development and commits to samba
> git tree :-)

From yamakasi.014 at gmail.com Sun Aug 9 14:45:41 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 9 Aug 2015 16:45:41 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Chris,

This sounds great!

What are you using now, both CentOS ? So Samba and FreeIPA ?

Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howto's ?

At least we are going somewhere!

Thanks,

Matt

2015-08-09 14:54 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba
> Schema extensions" is up and working, almost flawlessly.
>
> I can add users and groups via the FreeIPA CLI, and they get the correct
> ObjectClasses / attributes required for Samba.
>
> So far I have not yet bothered to try the extensions to the WebUI, because
> it is currently giving me the classic "Your session has expired. Please
> re-login." error which renders the WebUI useless.
>
> The only problem I have so far encountered managing Samba / FreeIPA users
> via FreeIPA CLI commands is with the handling of the attribute
> sambaPwdLastSet. This is the subject of an existing thread, also updated
> today.
>
> There is also an existing alternative to hacking group.py, using "Class of
> Service" (CoS) documented in this thread from February 2015
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
> I have not yet tried it, but it sounds reasonable.
>
> Chris
>
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
> Date: 06.08.2015 16:19
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> OK, then we might create two different versions of the wiki, I think
> this is nice.
>
> I'm still figuring out why I get that:
>
> IPA Error 4205: ObjectclassViolation
>
> missing attribute "sambaGroupType" required by object class
> "sambaGroupMapping"
>
> Matt
>
> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>> integration paths.
>>
>> The route I took is suited where there is no Active Directory involved: In
>> my case all the Windows, OSX and Linux clients are islands that sit on the
>> same network.
>>
>> The route that Youenn has taken (unless I have got completely the wrong end
>> of the stick) requires Active Directory in the architecture.
>>
>> Chris
>>
>>
>> From: "Matt ."
>> To: Youenn PIOLET
>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>> "freeipa-users at redhat.com"
>> Date: 06.08.2015 14:42
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> Hi,
>>
>> OK, this sounds already quite logical, but I'm still referring to the
>> old howto we found earlier, does that one still apply somewhere or not
>> at all ?
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>> Hey guys,
>>>
>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>
>>> General idea:
>>>
>>> On FreeIPA (4.1)
>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>>> attribute, also known as SID)
>>> - regenerate each user password to build ipaNTHash attribute, not here by
>>> default on users
>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>> - create a CIFS service for your samba server
>>> - Create user roles/permissions as described here:
>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>> so that CIFS service will be able to read ipaNTsecurityidentifier and
>>> ipaNTHash attributes in LDAP (ACI)
>>> - SCP ipasam.so module to your cifs server (this is the magic trick) :
>>> scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
>>> You can also try to recompile it.
>>>
>>> On SAMBA Server side (CentOS 7...)
>>> - Install server keytab file for CIFS
>>> - check ipasam.so is here.
>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>>> uid=admin ipaNTHash` thanks to kerberos
>>> - make your smb.conf following the linked thread and restart service
>>>
>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>>> ipasam may use quite recent functionalities, the best is to just try. You
>>> can read in previous thread : "If you insist on Ubuntu you need to get
>>> ipasam somewhere, most likely to compile it yourself".
>>>
>>> Make sure your user has ipaNTHash attribute :)
>>>
>>> You may want to debug authentication on samba server, I usually do this:
>>> `tail -f /var/log/samba/log* | grep
>>>
>>> Cheers
>>> --
>>> Youenn Piolet
>>> piolet.y at gmail.com
>>>
>>>
>>> 2015-08-05 17:40 GMT+02:00 Matt .
:
>>>>
>>>> Hi,
>>>>
>>>> This sounds great to me too, but a howto would help to make it more
>>>> clear about what you have done here. The thread confuses me a little
>>>> bit.
>>>>
>>>> Can you paste your commands so we can test out too and report back ?
>>>>
>>>> Thanks!
>>>>
>>>> Matt
>>>>
>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>>> > Hi Youenn
>>>> >
>>>> > Good news that you have got an integration working
>>>> >
>>>> > Now you have got it going, and the solution is fresh in your mind, how
>>>> > about adding a How-to page on this solution to the FreeIPA wiki?
>>>> >
>>>> > Chris
>>>> >
>>>> >
>>>> > From: Youenn PIOLET
>>>> > To: "Matt ."
>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>>> > "freeipa-users at redhat.com"
>>>> > Date: 05.08.2015 14:51
>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >
>>>> > Hi guys,
>>>> >
>>>> > Thank you so much for your previous answers.
>>>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
>>>> > ipa-adtrust-install --add-sids
>>>> >
>>>> > I found another way to configure smb here:
>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>> > It works perfectly.
>>>> >
>>>> > I'm using module ipasam.so which I have manually scp'd to the samba server,
>>>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>>>> > Following the instructions, I created a user role allowing service
>>>> > principal to read ipaNTHash value from the LDAP.
>>>> > ipaNTHash are generated each time a user changes his password.
>>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>>> >
>>>> > For more details, the previously linked thread is quite clear.
>>>> >
>>>> > Cheers
>>>> >
>>>> > --
>>>> > Youenn Piolet
>>>> > piolet.y at gmail.com
>>>> >
>>>> >
>>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>>>> > Hi Chris.
>>>> >
>>>> > Yes, Apache Studio did that but I was not sure why it complained it
>>>> > was "already" there.
>>>> >
>>>> > I'm still getting:
>>>> >
>>>> > IPA Error 4205: ObjectclassViolation
>>>> >
>>>> > missing attribute "sambaGroupType" required by object class
>>>> > "sambaGroupMapping"
>>>> >
>>>> > When adding a user.
>>>> >
>>>> > I also see "class" as fieldname under my "Last name", this is not OK
>>>> > also.
>>>> >
>>>> > We sure need to make some howto, I think we can nail this down :)
>>>> >
>>>> > Thanks for the heads up!
>>>> >
>>>> > Matthijs
>>>> >
>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>> > > Hi Matt
>>>> > >
>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>>>> > > below:
>>>> > >
>>>> > > #!RESULT OK
>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>> > > changetype: modify
>>>> > > add: ipaCustomFields
>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>> > >
>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>>> > >
>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
>>>> > > attribute type in a drop down list.
>>>> > >
>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
>>>> > > Wiki.
>>>> > >
>>>> > > Chris
>>>> > >
>>>> > >
>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> > > To: "Matt ."
>>>> > > Cc: "freeipa-users at redhat.com"
>>>> > > Date: 05.08.2015 07:31
>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> > > Sent by: freeipa-users-bounces at redhat.com
>>>> > >
>>>> > > Hi Matt
>>>> > >
>>>> > > I also got the same result at that step, but can see nothing in Apache
>>>> > > Directory Studio.
>>>> > >
>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they
>>>> > > probably were migrated with all the required attributes.
>>>> > >
>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>> > >
>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> > > changetype: modify
>>>> > > add: ipaCustomFields
>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> > > EOF
>>>> > >
>>>> > > i.e. changetype: modify, instead of changetype add ?
>>>> > >
>>>> > > I don't want to play around with my prod directory - I will set up an EL 7.1
>>>> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
>>>> > > more destructively.
>>>> > >
>>>> > > Chris
>>>> > >
>>>> > >
>>>> > > From: "Matt ."
>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>> > > Date: 05.08.2015 01:01
>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> > >
>>>> > > Hi Chris,
>>>> > >
>>>> > > I'm at the right path, but my issue is that:
>>>> > >
>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> > > changetype: add
>>>> > > add: ipaCustomFields
>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> > > EOF
>>>> > >
>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
>>>> > > it manually as an attribute it still fails when I add a user on this
>>>> > > sambagrouptype as it's needed by the other attributes
>>>> > >
>>>> > > So that is my issue I think so far.
>>>> > >
>>>> > > Any clue about that ?
>>>> > >
>>>> > > No problem "you don't know something or are no guru" we are all
>>>> > > learning! :)
>>>> > >
>>>> > > Cheers,
>>>> > >
>>>> > > Matt
>>>> > >
>>>> > >
>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>> > >> Hi Matt, Youenn
>>>> > >>
>>>> > >> Just to set the background properly, I did not invent this process. I know
>>>> > >> only a little about FreeIPA, and almost nothing about Samba, but I guess I
>>>> > >> was lucky enough to get the integration working on a Sunday afternoon. (I
>>>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>> > >>
>>>> > >> It sounds like we need to step back, and look at the test user and group in
>>>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>> > >>
>>>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
>>>> > >> (cn=accounts, cn=users):
>>>> > >>
>>>> > >> * objectClass: sambasamaccount
>>>> > >>
>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>> > >>
>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
>>>> > >> (cn=accounts, cn=groups):
>>>> > >>
>>>> > >> * objectClass: sambaGroupMapping
>>>> > >>
>>>> > >> * Attributes: sambaGroupType, sambaSID
>>>> > >>
>>>> > >> The Users must belong to one or more of the samba groups that you have
>>>> > >> set up.
>>>> > >>
>>>> > >> If you don't have something similar to the above (which sounds like it is
>>>> > >> the case), then something went wrong applying the extensions. It would be
>>>> > >> worth testing comparing a new user / group created post adding the
>>>> > >> extensions to a previous existing user.
>>>> > >>
>>>> > >> i.e.
>>>> > >> are the extensions missing on existing users / groups?
>>>> > >> are the extensions missing on new users / groups?
>>>> > >>
>>>> > >> Cheers
>>>> > >>
>>>> > >> Chris
>>>> > >>
>>>> > >>
>>>> > >> From: Youenn PIOLET
>>>> > >> To: "Matt ."
>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>>> > >> "freeipa-users at redhat.com"
>>>> > >> Date: 04.08.2015 18:56
>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> > >>
>>>> > >> Hi there,
>>>> > >>
>>>> > >> I have difficulties to follow you at this point :)
>>>> > >> Here is what I've done and what I've understood:
>>>> > >>
>>>> > >> ## SMB Side
>>>> > >> - Testparm OK
>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>>>> > >> - pdbedit -Lv output is all successful but I can see there is a filter :
>>>> > >> (&(uid=*)(objectclass=sambaSamAccount)).
>>>> > >> In LDAP, the users don't have
>>>> > >> sambaSamAccount.
>>>> > >>
>>>> > >> ## LDAP / FreeIPA side
>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
>>>> > >> server to get samba LDAP extensions.
>>>> > >> - I can see samba classes exist in LDAP but are not used on my group
>>>> > >> objects nor my user objects
>>>> > >> - I have added sambaSamAccount in FreeIPA default user classes,
>>>> > >> and sambaGroupMapping to default group classes. In that state I can't
>>>> > >> create user nor groups anymore, as new samba attributes are needed for
>>>> > >> instantiation.
>>>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
>>>> > >> but I don't get what it does.
>>>> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option
>>>> > >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
>>>> > >> (domain). It doesn't work and tells that sambagrouptype attribute doesn't
>>>> > >> exist (but it should now I put sambaGroupType class by default...)
>>>> > >>
>>>> > >> ## Questions
>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
>>>> > >> instead? I guess no.
>>>> > >> 1) How to generate the user/group SIDs ? They are requested to add
>>>> > >> sambaSamAccount classes.
>>>> > >> This article doesn't seem relevant since we don't use domain controller
>>>> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>>>> > >> and net getlocalsid returns an error.
>>>> > >> 2) How to fix samba.js plugin?
>>>> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can
>>>> > >> I find it?
>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
>>>> > >> 7?
>>>> > >>
>>>> > >> Thanks a lot for your previous and future answers
>>>> > >>
>>>> > >> --
>>>> > >> Youenn Piolet
>>>> > >> piolet.y at gmail.com
>>>> > >>
>>>> > >>
>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
>>>> > >> Hi,
>>>> > >>
>>>> > >> Yes, log is anonymised.
>>>> > >>
>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
>>>> > >> change its password it doesn't get it in ldap.
>>>> > >>
>>>> > >> There must be something going wrong I guess.
>>>> > >>
>>>> > >> Matt
>>>> > >>
>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>>>> > >> > Hi Matt
>>>> > >> >
>>>> > >> > I assume [username] is a real username, identical to that in the FreeIPA
>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>>>> > >> >
>>>> > >> > Your user should be a member of the appropriate samba groups that you set up
>>>> > >> > in FreeIPA.
>>>> > >> >
>>>> > >> > You should check that the user attribute SambaPwdLastSet is set to a
>>>> > >> > positive value (e.g. 1). If not you get an error in the Samba logs - I
>>>> > >> > would need to play around again with a test user to find out the exact
>>>> > >> > error.
>>>> > >> >
>>>> > >> > I don't understand what you mean about syncing the users local, but we did
>>>> > >> > not need to do anything like that.
>>>> > >> >
>>>> > >> > Chris
>>>> > >> >
>>>> > >> >
>>>> > >> > From: "Matt ."
>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> > >> > Cc: "freeipa-users at redhat.com"
>>>> > >> > Date: 04.08.2015 15:33
>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> > >> >
>>>> > >> > Hi Chris,
>>>> > >> >
>>>> > >> > A puppet run added another passdb backend, that was causing my issue.
>>>> > >> >
>>>> > >> > What I still experience is:
>>>> > >> >
>>>> > >> > [2015/08/04 15:29:45.477783, 3]
>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security)
>>>> > >> > check_sam_security: Couldn't find user 'username' in passdb.
>>>> > >> > [2015/08/04 15:29:45.478026, 2]
>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password)
>>>> > >> > check_ntlm_password: Authentication for user [username] ->
>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER
>>>> > >> >
>>>> > >> > I also wonder if I shall still sync the users local, or is it needed ?
>>>> > >> >
>>>> > >> > Thanks again,
>>>> > >> >
>>>> > >> > Matt
>>>> > >> >
>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>> > >> >> Hi Matt
>>>> > >> >>
>>>> > >> >> From our smb.conf file:
>>>> > >> >>
>>>> > >> >> [global]
>>>> > >> >> security = user
>>>> > >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>>>> > >> >> ldap admin dn = cn=Directory Manager
>>>> > >> >>
>>>> > >> >> So yes, we use Directory Manager, it works for us. I have not tried with a
>>>> > >> >> less powerful user, but it is conceivable that a lesser user may not see
>>>> > >> >> all the required attributes, resulting in "no such user" errors.
>>>> > >> >>
>>>> > >> >> Chris
>>>> > >> >>
>>>> > >> >>
>>>> > >> >> From: "Matt ."
>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> > >> >> Cc: "freeipa-users at redhat.com"
>>>> > >> >> Date: 04.08.2015 13:32
>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> > >> >>
>>>> > >> >> Hi Chris,
>>>> > >> >>
>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a
>>>> > >> >> group from the GUI, great thanks!
>>>> > >> >>
>>>> > >> >> But do you use Directory Manager as ldap admin user or some other
>>>> > >> >> admin account ?
>>>> > >> >>
>>>> > >> >> I'm not sure if DM is needed and it should get that deep into IPA.
>>>> > >> >> Also when starting samba it cannot find "such user" as that sounds
>>>> > >> >> quite known as it has no UID.
>>>> > >> >>
>>>> > >> >> From your config I see you use DM, this should work ?
>>>> > >> >>
>>>> > >> >> Thanks!
>>>> > >> >>
>>>> > >> >> Matt

From yamakasi.014 at gmail.com Sun Aug 9 19:17:00 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 9 Aug 2015 21:17:00 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

Yes I know about "anything" but which way did you use now ?

2015-08-09 20:56 GMT+02:00 Christopher Lamb :
> Hi Matt
>
> I am on OEL 7.1. - so anything that works on that should be good for RHEL
> and Centos 7.x
>
> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
> have suggested earlier, we will likely end up with several, one for each of
> the possible integration paths.
>
> Chris
>
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH,
> "freeipa-users at redhat.com"
> Date: 09.08.2015 16:45
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> This sounds great!
>
> What are you using now, both CentOS ? So Samba and FreeIPA ?
>
> Maybe it's good to explain which way you used now in steps too, so we
> can combine or create multiple howto's ?
>
> At least we are going somewhere!
>
> Thanks,
>
> Matt
>
> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba
>> Schema extensions" is up and working, almost flawlessly.
>>
>> I can add users and groups via the FreeIPA CLI, and they get the correct
>> ObjectClasses / attributes required for Samba.
>>
>> So far I have not yet bothered to try the extensions to the WebUI, because
>> it is currently giving me the classic "Your session has expired. Please
>> re-login." error which renders the WebUI useless.
>>
>> The only problem I have so far encountered managing Samba / FreeIPA users
>> via FreeIPA CLI commands is with the handling of the attribute
>> sambaPwdLastSet. This is the subject of an existing thread, also updated
>> today.
>>
>> There is also an existing alternative to hacking group.py, using "Class of
>> Service" (CoS) documented in this thread from February 2015
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
>> I have not yet tried it, but it sounds reasonable.
>>
>> Chris
>>
>>
>> From: "Matt ."
>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
>> Date: 06.08.2015 16:19
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> Hi Chris,
>>
>> OK, then we might create two different versions of the wiki, I think
>> this is nice.
>>
>> I'm still figuring out why I get that:
>>
>> IPA Error 4205: ObjectclassViolation
>>
>> missing attribute "sambaGroupType" required by object class
>> "sambaGroupMapping"
>>
>> Matt
>>
>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>> Hi Matt
>>>
>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>> integration paths.
>>>
>>> The route I took is suited where there is no Active Directory involved: In
>>> my case all the Windows, OSX and Linux clients are islands that sit on the
>>> same network.
>>>
>>> The route that Youenn has taken (unless I have got completely the wrong end
>>> of the stick) requires Active Directory in the architecture.
>>>
>>> Chris
>>>
>>>
>>> From: "Matt ."
>>> To: Youenn PIOLET
>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>> "freeipa-users at redhat.com"
>>> Date: 06.08.2015 14:42
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>> Hi,
>>>
>>> OK, this sounds already quite logical, but I'm still referring to the
>>> old howto we found earlier, does that one still apply somewhere or not
>>> at all ?
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>> Hey guys,
>>>>
>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>
>>>> General idea:
>>>>
>>>> On FreeIPA (4.1)
>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>>>> attribute, also known as SID)
>>>> - regenerate each user password to build ipaNTHash attribute, not here by
>>>> default on users
>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>> - create a CIFS service for your samba server
>>>> - Create user roles/permissions as described here:
>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and
>>>> ipaNTHash attributes in LDAP (ACI)
>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) :
>>>> scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
>>>> You can also try to recompile it.
>>>>
>>>> On SAMBA Server side (CentOS 7...)
>>>> - Install server keytab file for CIFS
>>>> - check ipasam.so is here.
>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>>>> uid=admin ipaNTHash` thanks to kerberos
>>>> - make your smb.conf following the linked thread and restart service
>>>>
>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>>>> ipasam may use quite recent functionalities, the best is to just try. You
>>>> can read in previous thread : "If you insist on Ubuntu you need to get
>>>> ipasam somewhere, most likely to compile it yourself".
>>>>
>>>> Make sure your user has ipaNTHash attribute :)
>>>>
>>>> You may want to debug authentication on samba server, I usually do this:
>>>> `tail -f /var/log/samba/log* | grep
>>>>
>>>> Cheers
>>>> --
>>>> Youenn Piolet
>>>> piolet.y at gmail.com
>>>>
>>>>
>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>>>
>>>>> Hi,
>>>>>
>>>>> This sounds great to me too, but a howto would help to make it more
>>>>> clear about what you have done here. The thread confuses me a little
>>>>> bit.
>>>>>
>>>>> Can you paste your commands so we can test out too and report back ?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>>>> > Hi Youenn
>>>>> >
>>>>> > Good news that you have got an integration working
>>>>> >
>>>>> > Now you have got it going, and the solution is fresh in your mind, how
>>>>> > about adding a How-to page on this solution to the FreeIPA wiki?
>>>>> >
>>>>> > Chris
>>>>> >
>>>>> >
>>>>> > From: Youenn PIOLET
>>>>> > To: "Matt ."
>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>>>> > "freeipa-users at redhat.com"
>>>>> > Date: 05.08.2015 14:51
>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> >
>>>>> > Hi guys,
>>>>> >
>>>>> > Thank you so much for your previous answers.
>>>>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
>>>>> > ipa-adtrust-install --add-sids
>>>>> >
>>>>> > I found another way to configure smb here:
>>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>> > It works perfectly.
>>>>> >
>>>>> > I'm using module ipasam.so which I have manually scp'd to the samba server,
>>>>> > Samba is set to use kerberos + ldapsam via this ipasam module.
>>>>> > Following the instructions, I created a user role allowing service
>>>>> > principal to read ipaNTHash value from the LDAP.
>>>>> > ipaNTHash are generated each time a user changes his password.
>>>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>>>> >
>>>>> > For more details, the previously linked thread is quite clear.
>>>>> >
>>>>> > Cheers
>>>>> >
>>>>> > --
>>>>> > Youenn Piolet
>>>>> > piolet.y at gmail.com
>>>>> >
>>>>> >
>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>>>>> > Hi Chris.
>>>>> >
>>>>> > Yes, Apache Studio did that but I was not sure why it complained it
>>>>> > was "already" there.
>>>>> >
>>>>> > I'm still getting:
>>>>> >
>>>>> > IPA Error 4205: ObjectclassViolation
>>>>> >
>>>>> > missing attribute "sambaGroupType" required by object class
>>>>> > "sambaGroupMapping"
>>>>> >
>>>>> > When adding a user.
>>>>> >
>>>>> > I also see "class" as fieldname under my "Last name", this is not OK
>>>>> > also.
>>>>> >
>>>>> > We sure need to make some howto, I think we can nail this down :)
>>>>> >
>>>>> > Thanks for the heads up!
>>>>> >
>>>>> > Matthijs
>>>>> >
>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>>> > > Hi Matt
>>>>> > >
>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>>>>> > > below:
>>>>> > >
>>>>> > > #!RESULT OK
>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>> > > changetype: modify
>>>>> > > add: ipaCustomFields
>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>>> > >
>>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>>>> > >
>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
>>>>> > > attribute type in a drop down list.
>>>>> > >
>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
>>>>> > > Wiki.
>>>>> > >
>>>>> > > Chris
>>>>> > >
>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> > > To: "Matt ."
>>>>> > > Cc: "freeipa-users at redhat.com"
>>>>> > > Date: 05.08.2015 07:31
>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> > > Sent by: freeipa-users-bounces at redhat.com
>>>>> > >
>>>>> > > Hi Matt
>>>>> > >
>>>>> > > I also got the same result at that step, but can see nothing in Apache
>>>>> > > Directory Studio.
>>>>> > >
>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they
>>>>> > > probably were migrated with all the required attributes.
>>>>> > >
>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>>> > >
>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>> > > changetype: modify
>>>>> > > add: ipaCustomFields
>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>> > > EOF
>>>>> > >
>>>>> > > i.e. changetype: modify, instead of changetype add ?
>>>>> > >
>>>>> > > I don't want to play around with my prod directory - I will setup an EL 7.1
>>>>> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
>>>>> > > more destructively.
>>>>> > >
>>>>> > > Chris
>>>>> > >
>>>>> > > From: "Matt ."
>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>>> > > Date: 05.08.2015 01:01
>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> > >
>>>>> > > Hi Chris,
>>>>> > >
>>>>> > > I'm at the right path, but my issue is that:
>>>>> > >
>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>> > > changetype: add
>>>>> > > add: ipaCustomFields
>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>> > > EOF
>>>>> > >
>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
>>>>> > > it manually as an attribute it still fails when I add a user on this
>>>>> > > sambagrouptype as it's needed by the other attributes
>>>>> > >
>>>>> > > So that is my issue I think so far.
>>>>> > >
>>>>> > > Any clue about that ?
>>>>> > >
>>>>> > > No problem "you don't know something or are no guru" we are all
>>>>> > > learning! :)
>>>>> > >
>>>>> > > Cheers,
>>>>> > >
>>>>> > > Matt
>>>>> > >
>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>> > >> Hi Matt, Youenn
>>>>> > >>
>>>>> > >> Just to set the background properly, I did not invent this process. I know
>>>>> > >> only a little about FreeIPA, and almost nothing about Samba, but I guess I
>>>>> > >> was lucky enough to get the integration working on a Sunday afternoon. (I
>>>>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>>> > >>
>>>>> > >> It sounds like we need to step back, and look at the test user and group in
>>>>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>>> > >>
>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
>>>>> > >> (cn=accounts, cn=users):
>>>>> > >>
>>>>> > >> * objectClass: sambasamaccount
>>>>> > >>
>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>>> > >>
>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
>>>>> > >> (cn=accounts, cn=groups):
>>>>> > >>
>>>>> > >> * objectClass: sambaGroupMapping
>>>>> > >>
>>>>> > >> * Attributes: sambaGroupType, sambaSID
>>>>> > >>
>>>>> > >> The Users must belong to one or more of the samba groups that you have
>>>>> > >> setup.
>>>>> > >>
>>>>> > >> If you don't have something similar to the above (which sounds like it is
>>>>> > >> the case), then something went wrong applying the extensions. It would be
>>>>> > >> worth testing comparing a new user / group created post adding the
>>>>> > >> extensions to a previous existing user.
>>>>> > >>
>>>>> > >> i.e.
>>>>> > >> are the extensions missing on existing users / groups?
>>>>> > >> are the extensions missing on new users / groups?
>>>>> > >>
>>>>> > >> Cheers
>>>>> > >>
>>>>> > >> Chris
>>>>> > >>
>>>>> > >> From: Youenn PIOLET
>>>>> > >> To: "Matt ."
>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>> > >> Date: 04.08.2015 18:56
>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> > >>
>>>>> > >> Hi there,
>>>>> > >>
>>>>> > >> I have difficulties to follow you at this point :)
>>>>> > >> Here is what I've done and what I've understood:
>>>>> > >>
>>>>> > >> ## SMB Side
>>>>> > >> - Testparm OK
>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>>>>> > >> - pdbedit -Lv output is all successful but I can see there is a filter:
>>>>> > >> (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
>>>>> > >> sambaSamAccount.
>>>>> > >>
>>>>> > >> ## LDAP / FreeIPA side
>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
>>>>> > >> server to get samba LDAP extensions.
>>>>> > >> - I can see samba classes exist in LDAP but are not used on my group
>>>>> > >> objects nor my user objects
>>>>> > >> - I have added sambaSamAccount in FreeIPA default user classes,
>>>>> > >> and sambaGroupMapping to default group classes. In that state I can't
>>>>> > >> create user nor groups anymore, as new samba attributes are needed for
>>>>> > >> instantiation.
>>>>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
>>>>> > >> but I don't get what it does.
>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option
>>>>> > >> when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
>>>>> > >> (domain). It doesn't work and tells that sambagrouptype attribute doesn't
>>>>> > >> exist (but it should now I put sambaGroupType class by default...)
>>>>> > >>
>>>>> > >> ## Questions
>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
>>>>> > >> instead? I guess no.
>>>>> > >> 1) How to generate the user/group SIDs ? They are requested to add
>>>>> > >> sambaSamAccount classes.
>>>>> > >> This article doesn't seem relevant since we don't use domain controller
>>>>> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>>>>> > >> and net getlocalsid returns an error.
>>>>> > >> 2) How to fix samba.js plugin?
>>>>> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can
>>>>> > >> I find it?
>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
>>>>> > >> 7?
>>>>> > >>
>>>>> > >> Thanks a lot for your previous and future answers
>>>>> > >>
>>>>> > >> --
>>>>> > >> Youenn Piolet
>>>>> > >> piolet.y at gmail.com
>>>>> > >>
>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
>>>>> > >> Hi,
>>>>> > >>
>>>>> > >> Yes, log is anonymised.
>>>>> > >>
>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
>>>>> > >> change its password it doesn't get it in ldap.
>>>>> > >>
>>>>> > >> There must be something going wrong I guess.
>>>>> > >>
>>>>> > >> Matt
>>>>> > >>
>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>>>>> > >> > Hi Matt
>>>>> > >> >
>>>>> > >> > I assume [username] is a real username, identical to that in the FreeIPA
>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>>>>> > >> >
>>>>> > >> > Your user should be a member of the appropriate samba groups that you setup
>>>>> > >> > in FreeIPA.
>>>>> > >> >
>>>>> > >> > You should check that the user attribute SambaPwdLastSet is set to a
>>>>> > >> > positive value (e.g. 1). If not you get an error in the Samba logs - I
>>>>> > >> > would need to play around again with a test user to find out the exact
>>>>> > >> > error.
>>>>> > >> >
>>>>> > >> > I don't understand what you mean about syncing the users local, but we did
>>>>> > >> > not need to do anything like that.
>>>>> > >> >
>>>>> > >> > Chris
>>>>> > >> >
>>>>> > >> > From: "Matt ."
>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> > >> > Cc: "freeipa-users at redhat.com"
>>>>> > >> > Date: 04.08.2015 15:33
>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> > >> >
>>>>> > >> > Hi Chris,
>>>>> > >> >
>>>>> > >> > A puppet run added another passdb backend, that was causing my issue.
>>>>> > >> >
>>>>> > >> > What I still experience is:
>>>>> > >> >
>>>>> > >> > [2015/08/04 15:29:45.477783, 3]
>>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security)
>>>>> > >> > check_sam_security: Couldn't find user 'username' in passdb.
>>>>> > >> > [2015/08/04 15:29:45.478026, 2]
>>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password)
>>>>> > >> > check_ntlm_password: Authentication for user [username] ->
>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>> > >> >
>>>>> > >> > I also wonder if I shall still sync the users local, or is it needed ?
>>>>> > >> >
>>>>> > >> > Thanks again,
>>>>> > >> >
>>>>> > >> > Matt
>>>>> > >> >
>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>> > >> >> Hi Matt
>>>>> > >> >>
>>>>> > >> >> From our smb.conf file:
>>>>> > >> >>
>>>>> > >> >> [global]
>>>>> > >> >> security = user
>>>>> > >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>>>>> > >> >> ldap admin dn = cn=Directory Manager
>>>>> > >> >>
>>>>> > >> >> So yes, we use Directory Manager, it works for us. I have not tried with
>>>>> > >> >> a less powerful user, but it is conceivable that a lesser user may not see
>>>>> > >> >> all the required attributes, resulting in "no such user" errors.
>>>>> > >> >>
>>>>> > >> >> Chris
>>>>> > >> >>
>>>>> > >> >> From: "Matt ."
>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>> > >> >> Cc: "freeipa-users at redhat.com"
>>>>> > >> >> Date: 04.08.2015 13:32
>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> > >> >>
>>>>> > >> >> Hi Chris,
>>>>> > >> >>
>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a
>>>>> > >> >> group from the GUI, great thanks!
>>>>> > >> >>
>>>>> > >> >> But do you use Directory Manager as ldap admin user or some other
>>>>> > >> >> admin account ?
>>>>> > >> >>
>>>>> > >> >> I'm not sure if DM is needed and it should get that deep into IPA.
>>>>> > >> >> Also when starting samba it cannot find "such user" as that sounds
>>>>> > >> >> quite known as it has no UID.
>>>>> > >> >>
>>>>> > >> >> From your config I see you use DM, this should work ?
>>>>> > >> >>
>>>>> > >> >> Thanks!
>>>>> > >> >>
>>>>> > >> >> Matt
>>>>> > >> >>
>>>>> > >> --
>>>>> > >> Manage your subscription for the Freeipa-users mailing list:
>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> > >> Go to http://freeipa.org for more info on the project
>>>>> > >>

From christopher.lamb at ch.ibm.com Mon Aug 10 09:16:47 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 10 Aug 2015 11:16:47 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

The next route I will try is the one Youenn took, using ipa-adtrust

From: "Matt ."
To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
Date: 10.08.2015 10:03
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,

Okay this is good to hear. But don't we want an IPA managed Scheme ?

When I did a "ipa-adtrust-install --add-sids" it also wanted a local installed Samba and I wonder why.

Good that we make some progress on making it all clear.

Cheers,

Matt

2015-08-10 6:12 GMT+02:00 Christopher Lamb :
> ldapsam + the samba extensions, pretty much as described in the Techslaves
> article. Once I have a draft for the wiki page, I will mail you.
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 09.08.2015 21:17
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi,
>
> Yes I know about "anything" but which way did you use now ?
>
> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>> Hi Matt
>>
>> I am on OEL 7.1. - so anything that works on that should be good for RHEL
>> and Centos 7.x
>>
>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
>> have suggested earlier, we will likely end up with several, one for each of
>> the possible integration paths.
>>
>> Chris
>>
>> From: "Matt ."
>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>> Date: 09.08.2015 16:45
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> Hi Chris,
>>
>> This sounds great!
>>
>> What are you using now, both CentOS ? So Samba and FreeIPA ?
>>
>> Maybe it's good to explain which way you used now in steps too, so we
>> can combine or create multiple howto's ?
>>
>> At least we are going somewhere!
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>>> Hi Matt
>>>
>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba
>>> Schema extensions" is up and working, almost flawlessly.
>>>
>>> I can add users and groups via the FreeIPA CLI, and they get the correct
>>> ObjectClasses / attributes required for Samba.
>>>
>>> So far I have not yet bothered to try the extensions to the WebUI, because
>>> it is currently giving me the classic "Your session has expired. Please
>>> re-login." error which renders the WebUI useless.
>>>
>>> The only problem I have so far encountered managing Samba / FreeIPA users
>>> via FreeIPA CLI commands is with the handling of the attribute
>>> sambaPwdLastSet. This is the subject of an existing thread, also updated
>>> today.
>>>
>>> There is also an existing alternative to hacking group.py, using "Class of
>>> Service" (CoS) documented in this thread from February 2015
>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html .
>>> I have not yet tried it, but it sounds reasonable.
>>>
>>> Chris
>>>
>>> From: "Matt ."
>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
>>> Date: 06.08.2015 16:19
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>> Hi Chris,
>>>
>>> OK, then we might create two different versions of the wiki, I think
>>> this is nice.
>>>
>>> I'm still figuring out why I get that:
>>>
>>> IPA Error 4205: ObjectclassViolation
>>>
>>> missing attribute "sambaGroupType" required by object class
>>> "sambaGroupMapping"
>>>
>>> Matt
>>>
>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>>> Hi Matt
>>>>
>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>>> integration paths.
>>>>
>>>> The route I took is suited where there is no Active Directory involved: In
>>>> my case all the Windows, OSX and Linux clients are islands that sit on the
>>>> same network.
>>>>
>>>> The route that Youenn has taken (unless I have got completely the wrong end
>>>> of the stick) requires Active Directory in the architecture.
>>>>
>>>> Chris
>>>>
>>>> From: "Matt ."
>>>> To: Youenn PIOLET
>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> Date: 06.08.2015 14:42
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>
>>>> Hi,
>>>>
>>>> OK, this sounds already quite logical, but I'm still referring to the
>>>> old howto we found earlier, does that one still apply somewhere or not
>>>> at all ?
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>>> Hey guys,
>>>>>
>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>>
>>>>> General idea:
>>>>>
>>>>> On FreeIPA (4.1)
>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>>>>> attribute, also known as SID)
>>>>> - regenerate each user password to build ipaNTHash attribute, not here by
>>>>> default on users
>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>>> - create a CIFS service for your samba server
>>>>> - Create user roles/permissions as described here:
>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and
>>>>> ipaNTHash attributes in LDAP (ACI)
>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick):
>>>>> scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
>>>>> You can also try to recompile it.
>>>>>
>>>>> On SAMBA Server side (CentOS 7...)
>>>>> - Install server keytab file for CIFS
>>>>> - check ipasam.so is here.
>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>>>>> uid=admin ipaNTHash` thanks to kerberos
>>>>> - make your smb.conf following the linked thread and restart service
>>>>>
>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>>>>> ipasam may use quite recent functionalities, the best is to just try. You
>>>>> can read in previous thread : "If you insist on Ubuntu you need to get
>>>>> ipasam somewhere, most likely to compile it yourself".
>>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> >> Matt >>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> >>>>>> > >> -- >>>>>> > >> Manage your subscription for the Freeipa-users mailing list: >>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> > >> Go to http://freeipa.org for more info on the project >>>>>> > >> >>>>>> > >> >>>>>> > >> >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > -- >>>>>> > > Manage your subscription for the Freeipa-users mailing list: >>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> > > Go to http://freeipa.org for more info on the project >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > >>>>>> > -- >>>>>> > Manage your subscription for the Freeipa-users mailing list: >>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> > Go to http://freeipa.org for more info on the project >>>>>> > >>>>>> > >>>>>> > >>>>> >>>>> >>>> >>>> >>>> >>>> >>> >>> >>> >>> >> >> >> >> > > > > From yamakasi.014 at gmail.com Mon Aug 10 08:03:07 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Mon, 10 Aug 2015 10:03:07 +0200 Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA In-Reply-To: References: Message-ID: Hi Chris, Okay this is good to hear. But don't we want a IPA managed Scheme ? When I did a "ipa-adtrust-install --add-sids" it also wanted a local installed Samba and I wonder why. Good that we make some progres on making it all clear. Cheers, Matt 2015-08-10 6:12 GMT+02:00 Christopher Lamb : > ldapsam + the samba extensions, pretty much as described in the Techslaves > article. Once I have a draft for the wiki page, I will mail you. > > > > From: "Matt ." > To: Christopher Lamb/Switzerland/IBM at IBMCH, > "freeipa-users at redhat.com" > Date: 09.08.2015 21:17 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > > > > Hi, > > Yes I know about "anything" but which way did you use now ? 
> > > > 2015-08-09 20:56 GMT+02:00 Christopher Lamb : >> Hi Matt >> >> I am on OEL 7.1. - so anything that works on that should be good for RHEL >> and Centos 7.x >> >> I intend to add a how-to to the FreeIPA Wiki over the next few days. As > we >> have suggested earlier, we will likely end up with several, one for each > of >> the possible integration paths. >> >> Chris >> >> >> >> >> >> From: "Matt ." >> To: Christopher Lamb/Switzerland/IBM at IBMCH, >> "freeipa-users at redhat.com" >> Date: 09.08.2015 16:45 >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> >> >> >> Hi Chris, >> >> This sounds great! >> >> What are you using now, both CentOS ? So Samba and FreeIPA ? >> >> Maybe it's good to explain which way you used now in steps too, so we >> can combine or create multiple howto's ? >> >> At least we are going somewhere! >> >> Thanks, >> >> Matt >> >> 2015-08-09 14:54 GMT+02:00 Christopher Lamb > : >>> Hi Matt >>> >>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old > Samba >>> Schema extensions) is up and working, almost flawlessly. >>> >>> I can add users and groups via the FreeIPA CLI, and they get the correct >>> ObjectClasses / attributes required for Samba. >>> >>> So far I have not yet bothered to try the extensions to the WebUI, >> because >>> it is currently giving me the classic "Your session has expired. Please >>> re-login." error which renders the WebUI useless. >>> >>> The only problem I have so far encountered managing Samba / FreeIPA > users >>> via FreeIPA CLI commands is with the handling of the attribute >>> sambaPwdLastSet. This is the subject of an existing thread, also updated >>> today. >>> >>> There is also an existing alternative to hacking group.py, using "Class >> of >>> Service" (Cos) documented in this thread from February 2015 >>> > https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html >> . >>> I have not yet tried it, but it sounds reasonable. 
>>> >>> Chris >>> >>> >>> >>> >>> >>> From: "Matt ." >>> To: Christopher Lamb/Switzerland/IBM at IBMCH >>> Cc: "freeipa-users at redhat.com" , Youenn >>> PIOLET >>> Date: 06.08.2015 16:19 >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >>> >>> >>> >>> Hi Chris, >>> >>> OK, than we might create two different versions of the wiki, I think >>> this is nice. >>> >>> I'm still figuring out why I get that: >>> >>> IPA Error 4205: ObjectclassViolation >>> >>> missing attribute "sambaGroupType" required by object class >>> "sambaGroupMapping" >>> >>> Matt >>> >>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb >> : >>>> Hi Matt >>>> >>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA >>>> integration paths. >>>> >>>> The route I took is suited where there is no Active Directory involved: >>> In >>>> my case all the Windows, OSX and Linux clients are islands that sit on >>> the >>>> same network. >>>> >>>> The route that Youenn has taken (unless I have got completely the wrong >>> end >>>> of the stick) requires Active Directory in the architecture. >>>> >>>> Chris >>>> >>>> >>>> >>>> From: "Matt ." >>>> To: Youenn PIOLET >>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> "freeipa-users at redhat.com" >>>> Date: 06.08.2015 14:42 >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA >>>> >>>> >>>> >>>> Hi, >>>> >>>> OK, this sounds already quite logical, but I'm still refering to the >>>> old howto we found earlier, does that one still apply somewhere or not >>>> at all ? 
>>>> >>>> Thanks, >>>> >>>> Matt >>>> >>>> >>>> >>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET : >>>>> Hey guys, >>>>> >>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these >>> days :) >>>>> >>>>> General idea: >>>>> >>>>> On FreeIPA (4.1) >>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier >>>>> attribude, also known as SID) >>>>> - regenerate each user password to build ipaNTHash attribute, not here >>> by >>>>> default on users >>>>> - use your ldap browser to check ipaNTHash values are here on user >>>> objects >>>>> - create a CIFS service for your samba server >>>>> - Create user roles/permissions as described here: >>>>> >>>> >>> >> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa > >> >>> >>>> >>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and >>>>> ipaNTHash attributes in LDAP (ACI) >>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) : >>>> scp >>>>> /usr/lib64/samba/pdb/ipasam.so >>>>> root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to >>>> recompile >>>>> it. >>>>> >>>>> On SAMBA Server side (CentOS 7...) >>>>> - Install server keytab file for CIFS >>>>> - check ipasam.so is here. >>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI >>>>> uid=admin ipaNTHash` thanks to kerberos >>>>> - make your smb.conf following the linked thread and restart service >>>>> >>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly > and >>>>> ipasam may use quite recent functionalities, the best is to just try. >>> You >>>>> can read in previous thread : "If you insist on Ubuntu you need to get >>>>> ipasam somewhere, most likely to compile it yourself". 
>>>>> >>>>> Make sure your user has ipaNTHash attribute :) >>>>> >>>>> You may want to debug authentication on samba server, I usually do >> this: >>>>> `tail -f /var/log/samba/log* | grep >>>>> >>>>> Cheers >>>>> -- >>>>> Youenn Piolet >>>>> piolet.y at gmail.com >>>>> >>>>> >>>>> 2015-08-05 17:40 GMT+02:00 Matt . : >>>>>> >>>>>> Hi, >>>>>> >>>>>> This sounds great to me too, but a howto would help to make it more >>>>>> clear about what you have done here. The thread confuses me a little >>>>>> bit. >>>>>> >>>>>> Can you paste your commands so we can test out too and report back ? >>>>>> >>>>>> Thanks! >>>>>> >>>>>> Matt >>>>>> >>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb >>>> : >>>>>> > Hi Youenn >>>>>> > >>>>>> > Good news that you have got an integration working >>>>>> > >>>>>> > Now you have got it going, and the solution is fresh in your mind, >>> how >>>>>> > about adding a How-to page on this solution to the FreeIPA wiki? >>>>>> > >>>>>> > Chris >>>>>> > >>>>>> > >>>>>> > >>>>>> > From: Youenn PIOLET >>>>>> > To: "Matt ." >>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>>> > "freeipa-users at redhat.com" >>>>>> > Date: 05.08.2015 14:51 >>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > against >>>> IPA >>>>>> > >>>>>> > >>>>>> > >>>>>> > Hi guys, >>>>>> > >>>>>> > Thank you so much your previous answers. >>>>>> > I realised my SID were stored in ipaNTsecurityidentifier, thanks to >>>>>> > ipa-adtrust-install --add-sids >>>>>> > >>>>>> > I found an other way to configure smb here: >>>>>> > >>>>>> > >>>> >>> >> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa > >> >>> >>>> >>>>>> > It works perfectly. >>>>>> > >>>>>> > I'm using module ipasam.so I have manually scp to the samba server, >>>>>> > Samba is set to use kerberos + ldapsam via this ipasam module. >>>>>> > Following the instructions, I created a user role allowing service >>>>>> > principal to read ipaNTHash value from the LDAP. 
>>>>>> > ipaNTHash are generated each time a user changes his password. >>>>>> > Authentication works perfectly on Windows 7, 8 and 10. >>>>>> > >>>>>> > For more details, the previously linked thread is quite clear. >>>>>> > >>>>>> > Cheers >>>>>> > >>>>>> > -- >>>>>> > Youenn Piolet >>>>>> > piolet.y at gmail.com >>>>>> > >>>>>> > >>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . : >>>>>> > Hi Chris. >>>>>> > >>>>>> > Yes, Apache Studio did that but I was not sure why it complained >> it >>>>>> > was "already" there. >>>>>> > >>>>>> > I'm still getting: >>>>>> > >>>>>> > IPA Error 4205: ObjectclassViolation >>>>>> > >>>>>> > missing attribute "sambaGroupType" required by object class >>>>>> > "sambaGroupMapping" >>>>>> > >>>>>> > When adding a user. >>>>>> > >>>>>> > I also see "class" as fielname under my "Last name", this is not >> OK >>>>>> > also. >>>>>> > >>>>>> > >>>>>> > >>>>>> > We sure need to make some howto, I think we can nail this down :) >>>>>> > >>>>>> > Thanks for the heads up! >>>>>> > >>>>>> > Matthijs >>>>>> > >>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb >>>>>> > : >>>>>> > > Hi Matt >>>>>> > > >>>>>> > > If I use Apache Directory Studio to add an attribute >>>> ipaCustomFields >>>>>> > to >>>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as >>>> shown >>>>>> > below: >>>>>> > > >>>>>> > > #!RESULT OK >>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy >>>>>> > > #!DATE 2015-08-05T05:45:04.608 >>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com >>>>>> > > changetype: modify >>>>>> > > add: ipaCustomFields >>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true >>>>>> > > >>>>>> > > After that I then have a visible attribute ipaCustomFields as >>>>>> > expected. >>>>>> > > >>>>>> > > When adding the attribute, the wizard offered me >>> "ipaCustomFields" >>>>>> > as >>>>>> > > attribute type in a drop down list. 
>>>>>> > > >>>>>> > > Once we get this cracked, we really must write a how-to on the >>>>>> > FreeIPA >>>>>> > > Wiki. >>>>>> > > >>>>>> > > Chris >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>> > > To: "Matt ." >>>>>> > > Cc: "freeipa-users at redhat.com" >>>>>> > > Date: 05.08.2015 07:31 >>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>>> against >>>>>> > IPA >>>>>> > > Sent by: freeipa-users-bounces at redhat.com >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > Hi Matt >>>>>> > > >>>>>> > > I also got the same result at that step, but can see nothing in >>>>>> > Apache >>>>>> > > Directory Studio. >>>>>> > > >>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, >>>> they >>>>>> > > probably were migrated with all the required attributes. >>>>>> > > >>>>>> > > Looking more closely at that LDIF: I wonder should it not be: >>>>>> > > >>>>>> > > ldapmodify -Y GSSAPI <>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld >>>>>> > > changetype: modify >>>>>> > > add: ipaCustomFields >>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>>>> > > EOF >>>>>> > > >>>>>> > > i.e. changetype: modify, instead of changetype add ? >>>>>> > > >>>>>> > > I don't want to play around with my prod directory - I will >> setup >>>> an >>>>>> > EL >>>>>> > 7.1 >>>>>> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to >>>> play >>>>>> > around >>>>>> > > more destructively. >>>>>> > > >>>>>> > > Chris >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > From: "Matt ." 
>>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>> > > Cc: Youenn PIOLET , " >>>>>> > freeipa-users at redhat.com" >>>>>> > > >>>>>> > > Date: 05.08.2015 01:01 >>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba > Server >>>>>> > Auth >>>>>> > against IPA >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > Hi Chris, >>>>>> > > >>>>>> > > I'm at the right path, but my issue is that: >>>>>> > > >>>>>> > > ldapmodify -Y GSSAPI <>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld >>>>>> > > changetype: add >>>>>> > > add: ipaCustomFields >>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>>>> > > EOF >>>>>> > > >>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when > I >>>> add >>>>>> > > it manually as an attribute it still fails when I add a user on >>>> this >>>>>> > > sambagrouptype as it's needed by the other attributes >>>>>> > > >>>>>> > > So that is my issue I think so far. >>>>>> > > >>>>>> > > Any clue about that ? >>>>>> > > >>>>>> > > No problem "you don't know something or are no guru" we are all >>>>>> > > learning! :) >>>>>> > > >>>>>> > > Cheers, >>>>>> > > >>>>>> > > Matt >>>>>> > > >>>>>> > > >>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb < >>>>>> > christopher.lamb at ch.ibm.com>: >>>>>> > >> Hi Matt, Youeen >>>>>> > >> >>>>>> > >> Just to set the background properly, I did not invent this >>>> process. >>>>>> > I >>>>>> > > know >>>>>> > >> only a little about FreeIPA, and almost nothing about Samba, >> but >>>> I >>>>>> > guess >>>>>> > > I >>>>>> > >> was lucky enough to get the integration working on a Sunday >>>>>> > afternoon. >>>>>> > (I >>>>>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a >>>>>> > reference). >>>>>> > >> >>>>>> > >> It sounds like we need to step back, and look at the test user >>>> and >>>>>> > group >>>>>> > > in >>>>>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes this >>>> much >>>>>> > > easier. 
>>>>>> > >> >>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions > in >>>>>> > FreeIPA >>>>>> > >> (cn=accounts, cn=users): >>>>>> > >> >>>>>> > >> * objectClass: sambasamaccount >>>>>> > >> >>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet >>>>>> > >> >>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions >> in >>>>>> > FreeIPA >>>>>> > >> (cn=accounts, cn=groups): >>>>>> > >> >>>>>> > >> * objectClass: sambaGroupMapping >>>>>> > >> >>>>>> > >> * Attributes: sambaGroupType, sambaSID >>>>>> > >> >>>>>> > >> The Users must belong to one or more of the samba groups that >>> you >>>>>> > have >>>>>> > >> setup. >>>>>> > >> >>>>>> > >> If you don't have something similar to the above (which sounds >>>> like >>>>>> > it >>>>>> > is >>>>>> > >> the case), then something went wrong applying the extensions. >> It >>>>>> > would >>>>>> > be >>>>>> > >> worth testing comparing a new user / group created post adding >>>> the >>>>>> > >> extensions to a previous existing user. >>>>>> > >> >>>>>> > >> i.e. >>>>>> > >> are the extensions missing on existing users / groups? >>>>>> > >> are the extensions missing on new users / groups? >>>>>> > >> >>>>>> > >> Cheers >>>>>> > >> >>>>>> > >> Chris >>>>>> > >> >>>>>> > >> >>>>>> > >> >>>>>> > >> >>>>>> > >> >>>>>> > >> From: Youenn PIOLET >>>>>> > >> To: "Matt ." >>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>>> > >> "freeipa-users at redhat.com" >>> >>>>>> > >> Date: 04.08.2015 18:56 >>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>>>>> > against >>>>>> > IPA >>>>>> > >> >>>>>> > >> >>>>>> > >> >>>>>> > >> Hi there, >>>>>> > >> >>>>>> > >> I have difficulties to follow you at this point :) >>>>>> > >> Here is what I've done and what I've understood: >>>>>> > >> >>>>>> > >> ## SMB Side >>>>>> > >> - Testparm OK >>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to >>> connect. 
>>>>>> > >> - pdbedit -Lv output is all successfull but I can see there is >> a >>>>>> > filter : >>>>>> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users >> don't >>>>>> > have >>>>>> > >> sambaSamAccount. >>>>>> > >> >>>>>> > >> ## LDAP / FreeIPA side >>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my >>>>>> > FreeIPA >>>>>> > >> server to get samba LDAP extensions. >>>>>> > >> - I can see samba classes exist in LDAP but are not used on my >>>>>> > group >>>>>> > >> objects nor my user objects >>>>>> > >> - I have add sambaSamAccount in FreeIPA default user classes, >>>>>> > >> and sambaGroupMapping to default group classes. In that state > I >>>>>> > can't >>>>>> > >> create user nor groups anymore, as new samba attributes are >>>> needed >>>>>> > for >>>>>> > >> instantiation. >>>>>> > >> - I have add in etc ipaCustomFields: 'Samba Group >>>>>> > > Type,sambagrouptype,true' >>>>>> > >> but I don't get what it does. >>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the >>>>>> > "local" >>>>>> > > option >>>>>> > >> when creating a group in FreeIPA, supposed to set >> sambagrouptype >>>> to >>>>>> > 4 >>>>>> > or >>>>>> > > 2 >>>>>> > >> (domain). It doesn't work and tells that sambagrouptype >>> attribute >>>>>> > doesn't >>>>>> > >> exist (but it should now I put sambaGroupType class by >>>> default...) >>>>>> > >> >>>>>> > >> ## Questions >>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use > unix / >>>>>> > posix >>>>>> > >> instead? I guess no. >>>>>> > >> 1) How to generate the user/group SIDs ? They are requested to >>>> add >>>>>> > >> sambaSamAccount classes. >>>>>> > >> This article doesn't seem relevant since we don't use domain >>>>>> > controller >>>>>> > >> >>>>>> > > >>>>>> > >>>>>> > >>>> >>> >> > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >>>>>> > >>>>>> > >> and netgetlocalsid returns an error. >>>>>> > >> 2) How to fix samba.js plugin? 
>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user >>> creation, >>>>>> > where >>>>>> > > can >>>>>> > >> I find it? >>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not >>> only >>>>>> > Windows >>>>>> > >> 7? >>>>>> > >> >>>>>> > >> Thanks a lot for your previous and future answers >>>>>> > >> >>>>>> > >> -- >>>>>> > >> Youenn Piolet >>>>>> > >> piolet.y at gmail.com >>>>>> > >> >>>>>> > >> >>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . : >>>>>> > >> Hi, >>>>>> > >> >>>>>> > >> Yes, log is anonymised. >>>>>> > >> >>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also >>> when >>>> I >>>>>> > >> change it's password it doesn't get it in ldap. >>>>>> > >> >>>>>> > >> There must be something going wrong I guess. >>>>>> > >> >>>>>> > >> Matt >>>>>> > >> >>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb >>>>>> > > >>>>> > >> >: >>>>>> > >> > Hi Matt >>>>>> > >> > >>>>>> > >> > I assume [username] is a real username, identical to that >> in >>>>>> > the >>>>>> > >> FreeIPA >>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log >>>>>> > extract). >>>>>> > >> > >>>>>> > >> > You user should be a member of the appropriate samba > groups >>>>>> > that >>>>>> > you >>>>>> > >> setup >>>>>> > >> > in FreeIPA. >>>>>> > >> > >>>>>> > >> > You should check that the user attribute SambaPwdLastSet > is >>>> set >>>>>> > to >>>>>> > a >>>>>> > >> > positive value (e.g. 1). If not you get an error in the >>> Samba >>>>>> > logs >>>>>> > - >>>>>> > > I >>>>>> > >> > would need to play around again with a test user to find >> out >>>>>> > the >>>>>> > > exact >>>>>> > >> > error. >>>>>> > >> > >>>>>> > >> > I don't understand what you mean about syncing the users >>>> local, >>>>>> > but >>>>>> > > we >>>>>> > >> did >>>>>> > >> > not need to do anything like that. >>>>>> > >> > >>>>>> > >> > Chris >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > From: "Matt ." 
>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>> > >> > Cc: "freeipa-users at redhat.com" >>> >>>>>> > >> > Date: 04.08.2015 15:33 >>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server >> Auth >>>>>> > against >>>>>> > >> IPA >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > Hi Chris, >>>>>> > >> > >>>>>> > >> > A puppet run added another passdb backend, that was > causing >>>> my >>>>>> > issue. >>>>>> > >> > >>>>>> > >> > What I still experience is: >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > [2015/08/04 15:29:45.477783, 3] >>>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) >>>>>> > >> > check_sam_security: Couldn't find user 'username' in >>>> passdb. >>>>>> > >> > [2015/08/04 15:29:45.478026, 2] >>>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >>>>>> > >> > check_ntlm_password: Authentication for user [username] >>> -> >>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >>>>>> > >> > >>>>>> > >> > >>>>>> > >> > I also wonder if I shall still sync the users local, or is >>> it >>>>>> > > needed ? >>>>>> > >> > >>>>>> > >> > Thanks again, >>>>>> > >> > >>>>>> > >> > Matt >>>>>> > >> > >>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >>>>>> > >> christopher.lamb at ch.ibm.com>: >>>>>> > >> >> Hi Matt >>>>>> > >> >> >>>>>> > >> >> From our smb.conf file: >>>>>> > >> >> >>>>>> > >> >> [global] >>>>>> > >> >> security = user >>>>>> > >> >> passdb backend = >>>>>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >>>>>> > >> >> ldap admin dn = cn=Directory Manager >>>>>> > >> >> >>>>>> > >> >> So yes, we use Directory Manager, it works for us. I have >>>> not >>>>>> > tried >>>>>> > >> with >>>>>> > >> > a >>>>>> > >> >> less powerful user, but it is conceivable that a lesser >>> user >>>>>> > may >>>>>> > not >>>>>> > >> see >>>>>> > >> >> all the required attributes, resulting in "no such user" >>>>>> > errors. 
>>>>>> > >> >> >>>>>> > >> >> Chris >>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> >> From: "Matt ." >>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>> > >> >> Cc: "freeipa-users at redhat.com" >>>> >>>>>> > >> >> Date: 04.08.2015 13:32 >>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server >>> Auth >>>>>> > against >>>>>> > >> IPA >>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> >> >>>>>> > >> >> Hi Chris, >>>>>> > >> >> >>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now when >> I >>>>>> > add a >>>>>> > >> >> group from the GUI, great thanks! >>>>>> > >> >> >>>>>> > >> >> But do you use Directory Manager as ldap admin user or >> some >>>>>> > other >>>>>> > >> >> admin account ? >>>>>> > >> >> >>>>>> > >> >> I'm not sure id DM is needed and it should get that deep >>>> into >>>>>> > IPA. >>>>>> > >> >> Also when starting samba it cannot find "such user" as >> that >>>>>> > sounds >>>>>> > >> >> quite known as it has no UID. >>>>>> > >> >> >>>>>> > >> >> From your config I see you use DM, this should work ? >>>>>> > >> >> >>>>>> > >> >> Thanks! 
>>>>>> > >> >> Matt

From bahanw042014 at gmail.com Mon Aug 10 09:34:23 2015
From: bahanw042014 at gmail.com (bahan w)
Date: Mon, 10 Aug 2015 11:34:23 +0200
Subject: [Freeipa-users] Concerning the krb5.conf
In-Reply-To: <20150807210510.GC22106@redhat.com>
References: <20150807210510.GC22106@redhat.com>
Message-ID:

Hello.

I don't know if you received my previous mail, but thank you for your answer.

I have two additional questions then:
- Concerning the master_kdc line, is it better to put the physical machine here, or even to remove it if it is optional?
- Do you know how I can check which one of these three servers is currently used per server with this krb5.conf? I need to check how I can resynchronize the last server.

Best regards.

Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy wrote:
> On Fri, 07 Aug 2015, bahan w wrote:
>
>> Hello !
>>
>> We are using freeipa version 3 and we are encountering a problem in our
>> environment.
>> We have one master kdc and two replicas.
>>
>> On the different Linux servers in our environment, we have the following
>> krb5.conf (I modified the hostname for NDA):
>>
>> ###
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm =
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> = {
>> kdc = host1.:88
>> kdc = host2.:88
>> kdc = host3.:88
>> master_kdc = host2.:88
>> admin_server = host2.:749
>> default_domain
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> . =
>> =
>> . =
>> =
>> ###
>>
>> host1 is a physical machine
>> host2 and host3 are VMs.
>>
>> So I have some questions:
>> Q1 - Does it make sense to put the lines master_kdc and admin_server on
>> host2, which is a VM, instead of host1, which is a physical machine?
>>
> According to the manual page of 'krb5.conf',
> -------
> master_kdc:
> Identifies the master KDC(s). Currently, this tag is used in only
> one case: If an attempt to get credentials fails because of an invalid
> password, the client software will attempt to contact the master KDC, in
> case the user's password has just been changed, and the updated database
> has not been propagated to the slave servers yet.
> -------
>
> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
> actions in IPA.
>
>> Q2 - When I try to connect to the UI of host1, I can enter my
>> login/password and it works. When I try to connect to the UI of host2, I
>> have an error message saying my password is incorrect. When I try to
>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>> synchronized but host2 is not?
>>
> Most likely, yes.
>
>> Q3. Do the two last lines make sense? I mean what is the exact usage of
>> the paragraph [domain_realm]?
>> Does it mean: if I try to connect to a
>> server with the domain listed in this list, then I will try to contact the
>> realm associated?
>>
> Since you disabled DNS discovery of the realm based on the DNS domain,
> the Kerberos library will perform some logic to find out which realm
> corresponds to the domain. The domain_realm section helps here.
>
> The krb5.conf manual page has a clear explanation of how the section is
> designed to work.
>
> --
> / Alexander Bokovoy

From brosen at mail.sdsu.edu Mon Aug 10 20:05:31 2015
From: brosen at mail.sdsu.edu (Burke Rosen)
Date: Mon, 10 Aug 2015 13:05:31 -0700
Subject: [Freeipa-users] Sudden replication failure
Message-ID: <55C9040B.4010502@mail.sdsu.edu>

Hello,

I'm running two replicated FreeIPA servers. One of them spontaneously failed. After taking the misbehaving server down, the remaining replica handled everything fine. I restored the system to its original working state by uninstalling ipa-server from the non-functional server and re-replicating from the working server.

All is well, but I am trying to figure out what might have caused the problem in the first place. Below are the first few (presumably) relevant lines of the error log. Can someone help me interpret them?

Thank you,
-Burke Rosen

[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)".
[08/Aug/2015:04:11:08 -0700] NSMMReplicationPlugin - agmt="cn=meToip133.kmlab.local" (ip133:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[08/Aug/2015:04:11:12 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:12 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[08/Aug/2015:04:11:18 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:19 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[08/Aug/2015:04:11:30 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:30 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)

From dewanggaba at xtremenitro.org Tue Aug 11 02:09:50 2015 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Tue, 11 Aug 2015 09:09:50 +0700 Subject: [Freeipa-users] Different domain enrollment Message-ID: <55C9596E.4040100@xtremenitro.org>

Hello! I'm having a problem with a hostname that differs from the primary domain on the IPA server. For example, my primary domain is mydomain.co.id, and if the server hostname uses mydomain.co.id, the DNS discovery is successful. The problem comes if the client hostname uses a different domain, for example anotherdomain.com: then the DNS discovery fails. Is there any way to solve it? Should I enter it manually?
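Burke's lines above are from the 389-ds errors log of the master that stopped replicating. The Python script below is an added illustration, not code from the thread or from FreeIPA: it parses lines in that log format, counts the failure classes, and pulls the affected replication agreement and the two version strings out of the "Incompatible IPA versions" line. The sample log is constructed for the example (the peer replica2 and its agreement name are invented; the message texts follow the shapes quoted above). The reason to keep such a script around is that a master whose inbound replication has paused keeps serving whatever it last received, so password changes and account disables made on the other master are not enforced on it until the agreement recovers.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log for this example: same message shapes as the
# 389-ds errors log quoted above, but the peer (replica2) and the
# agreement name are invented.
SAMPLE_ERRORS_LOG = """\
[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)".
[08/Aug/2015:04:11:08 -0700] NSMMReplicationPlugin - agmt="cn=meToreplica2.example.test" (replica2:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[08/Aug/2015:04:11:12 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:12 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[08/Aug/2015:04:11:18 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:19 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
"""

# "[timestamp] source - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')
VERSION_RE = re.compile(r'This server: "(?P<local>[^"]*)" remote server: "(?P<remote>[^"]*)"')

# (substring, category); first match wins, so the more specific texts come first
CATEGORIES = [
    ("pausing replication", "replication_paused"),
    ("could not perform interactive bind", "bind_failed"),
    ("Can't contact LDAP server", "peer_unreachable"),
]


def parse_line(line):
    """Split one errors-log line into timestamp, source and message; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "src": m.group("src"), "msg": m.group("msg")}


def classify(msg):
    for needle, category in CATEGORIES:
        if needle in msg:
            return category
    return "other"


def triage(log_text):
    """Summarise a stretch of errors log: what failed, how often, against which peer."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    agreements, versions = set(), []
    for e in events:
        m = AGMT_RE.search(e["msg"])
        if m:
            agreements.add((m.group("agmt"), m.group("peer")))
        m = VERSION_RE.search(e["msg"])
        if m:
            versions.append((m.group("local"), m.group("remote")))
    return {
        "first": events[0]["ts"] if events else None,
        "last": events[-1]["ts"] if events else None,
        "counts": dict(Counter(classify(e["msg"]) for e in events)),
        "agreements": sorted(agreements),
        "version_checks": versions,
        # "(null)" as the remote version means no version string came back
        # from the peer at all; together with the connection errors that
        # points at the peer being down or unreachable, not at a real
        # version mismatch between two running servers.
        "peer_reported_no_version": any(remote == "(null)" for _, remote in versions),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ERRORS_LOG), default=str, indent=2))
```

Feed it the real file with `triage(open("/var/log/dirsrv/slapd-INSTANCE/errors").read())`; the counts tell you whether the peer merely went away (bind and connection failures only) or whether the version check actually disagreed between two live servers.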
From abokovoy at redhat.com Tue Aug 11 06:43:10 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 11 Aug 2015 09:43:10 +0300 Subject: [Freeipa-users] Different domain enrollment In-Reply-To: <55C9596E.4040100@xtremenitro.org> References: <55C9596E.4040100@xtremenitro.org> Message-ID: <20150811064310.GO22106@redhat.com>

On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>Hello!
>
>I'm having a problem with a hostname that differs from the primary domain on the IPA
>server. For example, my primary domain is mydomain.co.id, and if
>the server hostname uses mydomain.co.id, the DNS discovery is successful.
>
>The problem comes if the client hostname uses a different domain, for
>example anotherdomain.com: then the DNS discovery fails. Is there any
>way to solve it? Should I enter it manually?

Details of autodiscovery and suggestions on how to configure it are explained in the man page for ipa-client-install, section on DNS autodiscovery.

-- / Alexander Bokovoy

From abokovoy at redhat.com Tue Aug 11 06:45:16 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 11 Aug 2015 09:45:16 +0300 Subject: [Freeipa-users] Concerning the krb5.conf In-Reply-To: References: <20150807210510.GC22106@redhat.com> Message-ID: <20150811064516.GP22106@redhat.com>

On Mon, 10 Aug 2015, bahan w wrote:
>Hello.
>
>I don't know if you received my previous mail, but thank you for your answer.
>
>I have two additional questions then:
>- Concerning the master_kdc line, is it better to put here the physical
>machine, or even to remove it if it is optional?

I don't think it ever matters as it is only used for fallback reasons.

>- Do you know how I can check which one of these three servers is currently
>used per server with this krb5.conf? I need to check how I can
>resynchronize the last server.

Set KRB5_TRACE=/dev/stderr in the execution environment and all Kerberos code will start explaining what it does. For example, KRB5_TRACE=/dev/stderr kinit will show which server kinit will contact.
>
>Best regards.
>
>Bahan
>
>On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy wrote:
>
>> On Fri, 07 Aug 2015, bahan w wrote:
>> [...]
>> --
>> / Alexander Bokovoy
>>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- / Alexander Bokovoy

From bahanw042014 at gmail.com Tue Aug 11 06:50:19 2015 From: bahanw042014 at gmail.com (bahan w) Date: Tue, 11 Aug 2015 08:50:19 +0200 Subject: [Freeipa-users] Concerning the krb5.conf In-Reply-To: <20150811064516.GP22106@redhat.com> References: <20150807210510.GC22106@redhat.com> <20150811064516.GP22106@redhat.com> Message-ID:

Wow, thank you Alexander for this information! Best regards. Gwenael Le Barzic

On 11 Aug 2015 08:45, "Alexander Bokovoy" wrote:
> On Mon, 10 Aug 2015, bahan w wrote:
>
>> Hello.
>>
>> I don't know if you received my previous mail, but thank you for your
>> answer.
>>
>> I have two additional questions then:
>> - Concerning the master_kdc line, is it better to put here the physical
>> machine, or even to remove it if it is optional?
>>
> I don't think it ever matters as it is only used for fallback reasons.
>
> - Do you know how I can check which one of these three servers is currently
>> used per server with this krb5.conf? I need to check how I can
>> resynchronize the last server.
>>
> set KRB5_TRACE=/dev/stderr in the execution environment and all
> Kerberos code will start explaining what it does.
>
> For example,
> KRB5_TRACE=/dev/stderr kinit
> will show which server kinit will contact.
>
>
>> [...]
>
> --
> / Alexander Bokovoy
>

From dewanggaba at xtremenitro.org Tue Aug 11 08:12:45 2015 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Tue, 11 Aug 2015 15:12:45 +0700 Subject: [Freeipa-users]Different domain enrollment In-Reply-To: <20150811064310.GO22106@redhat.com> References: <55C9596E.4040100@xtremenitro.org> <20150811064310.GO22106@redhat.com> Message-ID: <55C9AE7D.30803@xtremenitro.org>

Hello!

On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I'm having a problem with a hostname that differs from the primary domain on the IPA
>> server. For example, my primary domain is mydomain.co.id, and if
>> the server hostname uses mydomain.co.id, the DNS discovery is
>> successful.
>>
>> The problem comes if the client hostname uses a different domain, for
>> example anotherdomain.com: then the DNS discovery fails. Is there any
>> way to solve it? Should I enter it manually?
> Details of autodiscovery and suggestions on how to configure it are explained
> in the man page for ipa-client-install, section on DNS autodiscovery.

Thanks for your hints, but I have another question after reading the man pages. Is the best practice for registering a client to the IPA server to use --domain, or to add similar DNS records?

I've tried to create a new record on anotherdomain.com (e.g. the original DNS record was _ldap._tcp.mydomain.co.id, and I created a new record for _ldap._tcp.anotherdomain.com). The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp, _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp, _kerberos-master._udp, _kerberos-master._tcp".

anotherdomain.com $ ipa-client-install
Discovery was successful!
Hostname: spectre.anotherdomain.com
Realm: MYDOMAIN.CO.ID
DNS Domain: anotherdomain.com
IPA Server: ipa.anotherdomain.com
BaseDN: dc=merahciptamedia,dc=co,dc=id

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin at MERAHCIPTAMEDIA.CO.ID:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.anotherdomain.com/ipa/config/ca.crt? (this is INSECURE) [no]:

Is it safe? Or just use --domain parameter?
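Two points in these threads rest on the same rule: Alexander's remark in the krb5.conf thread that, with dns_lookup_realm = false, the Kerberos library uses the [domain_realm] section to work out which realm a host name belongs to, and the question here of what a client in anotherdomain.com needs before its realm can be found at all. The Python below is an added example, not code from the thread, from FreeIPA or from MIT krb5. It parses a [domain_realm] section and resolves a host name the way MIT krb5's hst_realm.c walks the candidates (for a.b.c.d: a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d), falls back to the upper-cased DNS domain when nothing matches, and raises where a _kerberos TXT lookup would be the next step. The krb5.conf text, the realms EXAMPLE.TEST and PARTNER.TEST and every host name are invented for the example, and the KDC referral that the real library tries before the fallback is left out. It also shows why ipa-client-install writes both a ".domain" and a bare "domain" entry (the paired lines in the redacted file earlier in the thread): the domain name used as a host on its own only matches the undotted entry.

```python
import re

# Constructed krb5.conf in the shape ipa-client-install writes (the redacted
# file quoted earlier in the thread has the same layout). EXAMPLE.TEST,
# PARTNER.TEST and every host name here are invented for this example.
SAMPLE_KRB5_CONF = """\
# File modified by ipa-client-install
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.TEST = {
  kdc = host1.example.test:88
  kdc = host2.example.test:88
  master_kdc = host2.example.test:88
 }

[domain_realm]
 .example.test = EXAMPLE.TEST
 example.test = EXAMPLE.TEST
 .lab.partner.test = PARTNER.TEST
"""


def parse_domain_realm(conf_text):
    """Return {tag: realm} for the [domain_realm] section of a krb5.conf text."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm          # tags are matched case-insensitively
    return mapping


def candidate_tags(host):
    """
    Tags MIT krb5 tries, in order, for host a.b.c.d (comment in hst_realm.c):
    a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d
    The undotted parent entries are why a bare "domain = REALM" line is
    needed for the domain name itself: ".domain" never matches it.
    """
    labels = host.split(".")
    tags = [host]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        tags += ["." + suffix, suffix]
    return tags


def realm_for_host(host, mapping, dns_lookup_realm=False):
    """
    Return (realm, matched_tag). matched_tag is None when no [domain_realm]
    entry applied and the result is the documented fallback: the host's
    domain part upper-cased. The KDC referral the real library attempts
    before that fallback is a network step and is left out of this model.
    """
    host = host.lower().rstrip(".")
    for tag in candidate_tags(host):
        if tag in mapping:
            return mapping[tag], tag
    if dns_lookup_realm:
        # With dns_lookup_realm = true the library would now query the
        # _kerberos.<domain> TXT record; no static answer exists here.
        raise LookupError("no static mapping for %s; _kerberos TXT lookup needed" % host)
    labels = host.split(".")
    domain = ".".join(labels[1:]) if len(labels) > 1 else host
    return domain.upper(), None


if __name__ == "__main__":
    mapping = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("host1.example.test", "example.test",
              "srv.lab.partner.test", "box.other.test"):
        print("%-24s -> %s" % (h, realm_for_host(h, mapping)))
```

Run it and box.other.test comes back as OTHER.TEST with no matched tag: that is the realm a client in an unmapped domain will try to reach for a service ticket, which is why Alexander says a client in anotherdomain.com still needs either a domain_realm entry for that domain or a _kerberos TXT record at run time, whichever way the enrolment itself was pointed at the server.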
From seli.irithyl at gmail.com Tue Aug 11 08:37:16 2015 From: seli.irithyl at gmail.com (seli irithyl) Date: Tue, 11 Aug 2015 10:37:16 +0200 Subject: [Freeipa-users] IDM/ipa slow login Message-ID:

Hi, I inherited a server (the guy that built it left) running CentOS 7 and Identity Management (Kerberos, 389DS, ...) with NFS. Everything concerning login (with network accounts) is very slow (several seconds). I already solved a lot of problems on this server (DNS, NTP, firewall, ...), but I am neither a sysadmin nor a Linux guru and I don't know where and what to look for. Kerberos? 389DS? NFS? SELinux? sssd? ... Thanks for your help

From rlzele58 at gmail.com Tue Aug 11 11:08:31 2015 From: rlzele58 at gmail.com (Roberto Lucarelli) Date: Tue, 11 Aug 2015 13:08:31 +0200 Subject: [Freeipa-users] Problem with sudo -r Message-ID:

Hello, I configured the FreeIPA server and the sudo client is OK, but now I want to deny users from launching the command passwd and sudo -r. My configuration provides that all commands are enabled. I cannot configure specific commands because users must manage many services such as postfix, apache, mysql etc. and they must have access to different folders with different users and groups. Do you have any recommendations? Thanks!

From abokovoy at redhat.com Tue Aug 11 11:25:14 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 11 Aug 2015 14:25:14 +0300 Subject: [Freeipa-users] Different domain enrollment In-Reply-To: <55C9AE7D.30803@xtremenitro.org> References: <55C9596E.4040100@xtremenitro.org> <20150811064310.GO22106@redhat.com> <55C9AE7D.30803@xtremenitro.org> Message-ID: <20150811112514.GR22106@redhat.com>

On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>Hello!
>
>On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I'm having a problem with a hostname that differs from the primary domain on the IPA
>>> server. For example, my primary domain is mydomain.co.id, and if
>>> the server hostname uses mydomain.co.id, the DNS discovery is
>>> successful.
>>>
>>> The problem comes if the client hostname uses a different domain, for
>>> example anotherdomain.com: then the DNS discovery fails. Is there any
>>> way to solve it? Should I enter it manually?
>> Details of autodiscovery and suggestions on how to configure it are explained
>> in the man page for ipa-client-install, section on DNS autodiscovery.
>
>Thanks for your hints, but I have another question after reading the man
>pages. Is the best practice for registering a client to the IPA server to use --domain,
>or to add similar DNS records?

You still would need a _kerberos TXT record for runtime Kerberos realm detection unless your krb5.conf contains a domain_realm entry for your DNS domain. Using the --domain option is, of course, easy.

>I've tried to create a new record on anotherdomain.com (e.g. the original DNS
>record was _ldap._tcp.mydomain.co.id, and I created a new record for
>_ldap._tcp.anotherdomain.com).
>
>The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
>_kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
>_kerberos-master._udp, _kerberos-master._tcp".
>
>anotherdomain.com $ ipa-client-install
>Discovery was successful!
>Hostname: spectre.anotherdomain.com
>Realm: MYDOMAIN.CO.ID
>DNS Domain: anotherdomain.com
>IPA Server: ipa.anotherdomain.com
>BaseDN: dc=merahciptamedia,dc=co,dc=id
>
>Continue to configure the system with these values? [no]: yes
>Synchronizing time with KDC...
>Unable to sync time with IPA NTP server, assuming the time is in sync.
>Please check that 123 UDP port is opened.
>User authorized to enroll computers: admin
>Password for admin at MERAHCIPTAMEDIA.CO.ID:
>Unable to download CA cert from LDAP.
>Do you want to download the CA cert from
>http://ipa.anotherdomain.com/ipa/config/ca.crt?
>(this is INSECURE) [no]: > >Is it safe? Or just use --domain parameter? I don't think 'Unable to download CA cert from LDAP' is connected to the problem you have but you should be able to see what was the issue in /var/log/ipaclient-install.log. -- / Alexander Bokovoy From jhrozek at redhat.com Tue Aug 11 11:39:55 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Aug 2015 13:39:55 +0200 Subject: [Freeipa-users] IDM/ipa slow login In-Reply-To: References: Message-ID: <20150811113955.GX3609@hendrix.redhat.com> On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote: > Hi, > > I inherited a server (the guy that built it left) running centos 7 and > Identity Management (Kerberos, 389DS, ...) with NFS. > Everything concerning login (with network accounts) is very slow ( several > seconds) > I already solved a lot of problems on this server(DNS, NTP, firewall, ...), > but I am neither a sysadmin nor a linux guru and I don't know where and > what to look for ? > Kerberos ? 389DS ? NFS ? SElinux ? sssd ? ... Can you define "slow" better? Can you estimate how big is your environment? I would start by comparing the time it takes to search the entry in LDAP or kinit with login through GDM or SSH. Then, if the times differ, look into SSSD. Some pointers are here: https://fedorahosted.org/sssd/wiki/Troubleshooting From jhrozek at redhat.com Tue Aug 11 11:42:08 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Aug 2015 13:42:08 +0200 Subject: [Freeipa-users] Problem with sudo -r In-Reply-To: References: Message-ID: <20150811114208.GY3609@hendrix.redhat.com> On Tue, Aug 11, 2015 at 01:08:31PM +0200, Roberto Lucarelli wrote: > Hello, > i configured Freeipa server and sudo client is ok but now i want deny > users to launch command passwd and sudo -r . > My configuration provide that all commands are enable . 
> > I can not configure specific commands because users must manage many > services such as postfix, apache, mysql etc and they must have access to > different folders with different users and groups . > > Do you have any recommendations ? I'm not sure this is possible with the ipa CLI. Also keep in mind that allowing specific commands is generally preferable. Denying specific commands and allowing the rest calls for trouble IMO.. From yks0000 at gmail.com Tue Aug 11 15:13:49 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Tue, 11 Aug 2015 20:43:49 +0530 Subject: [Freeipa-users] Error while Enrolling Client Message-ID: Hi Team, While registering to IPA Server we are getting below error. Any suggestion Please. [root at client ~]# ipa-client-install --mkhomedir --no-ntp Discovery was successful! Hostname: client.domain.int Realm: domain.INT DNS Domain: domain.int IPA Server: ldap.domain.int BaseDN: dc=domain,dc=int Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Synchronizing time with KDC... Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. Password for admin at domain.INT: Enrolled in IPA realm domain.INT Attempting to get host TGT... 
Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm domain.INT trying https://ldap.domain.int/ipa/xml Forwarding 'env' to server u'https://ldap.domain.int/ipa/xml' Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 2567, in sys.exit(main()) File "/usr/sbin/ipa-client-install", line 2553, in main rval = install(options, env, fstore, statestore) File "/usr/sbin/ipa-client-install", line 2346, in install remote_env = api.Command['env'](server=True)['result'] File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in run return self.forward(*args, **options) File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in forward return self.Backend.xmlclient.forward(self.name, *args, **kw) File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in forward raise error(message=e.faultString) ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid) *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Tue Aug 11 15:51:22 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Aug 2015 17:51:22 +0200 Subject: [Freeipa-users] Error while Enrolling Client In-Reply-To: References: Message-ID: <20150811155122.GB3609@hendrix.redhat.com> On Tue, Aug 11, 2015 at 08:43:49PM +0530, Yogesh Sharma wrote: > Hi Team, > > While registering to IPA Server we are getting below error. Any suggestion > Please. 
> > [root at client ~]# ipa-client-install --mkhomedir --no-ntp > Discovery was successful! > Hostname: client.domain.int > Realm: domain.INT > DNS Domain: domain.int > IPA Server: ldap.domain.int > BaseDN: dc=domain,dc=int > > Continue to configure the system with these values? [no]: yes > User authorized to enroll computers: admin > Synchronizing time with KDC... > Unable to sync time with IPA NTP server, assuming the time is in sync. > Please check that 123 UDP port is opened. > Password for admin at domain.INT: > Enrolled in IPA realm domain.INT > Attempting to get host TGT... > Created /etc/ipa/default.conf > New SSSD config will be created > Configured sudoers in /etc/nsswitch.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm domain.INT > trying https://ldap.domain.int/ipa/xml > Forwarding 'env' to server u'https://ldap.domain.int/ipa/xml' > Traceback (most recent call last): > File "/usr/sbin/ipa-client-install", line 2567, in > sys.exit(main()) > File "/usr/sbin/ipa-client-install", line 2553, in main > rval = install(options, env, fstore, statestore) > File "/usr/sbin/ipa-client-install", line 2346, in install > remote_env = api.Command['env'](server=True)['result'] > File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in > __call__ > ret = self.run(*args, **options) > File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in > run > return self.forward(*args, **options) > File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in > forward > return self.Backend.xmlclient.forward(self.name, *args, **kw) > File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in > forward > raise error(message=e.faultString) > ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Ticket not yet valid) ~~~~~~~~~~~~~~~~~~~~ Check the time on your machines.. 
From yks0000 at gmail.com Tue Aug 11 15:51:33 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Tue, 11 Aug 2015 21:21:33 +0530 Subject: [Freeipa-users] Error while Enrolling Client In-Reply-To: References: Message-ID:

This has been fixed.

Best Regards, Yogesh Sharma, Email: yks0000 at gmail.com | Web: www.initd.in, RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Tue, Aug 11, 2015 at 8:43 PM, Yogesh Sharma wrote:
> Hi Team,
>
> While registering to IPA Server we are getting below error. Any suggestion
> Please.
>
> [...]

From yks0000 at gmail.com Tue Aug 11 15:59:46 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Tue, 11 Aug 2015 21:29:46 +0530 Subject: [Freeipa-users] Error while Enrolling Client In-Reply-To: <20150811155122.GB3609@hendrix.redhat.com> References: <20150811155122.GB3609@hendrix.redhat.com> Message-ID:

Yes Jakub... That was the issue. We have fixed it and updated the list.
Thanks Jakub. Would like to have one suggestion.

We have implemented sudo, but every time we need to restart sssd to take the changes. We have tried implementing the cache timeout also, but it is not working as expected. Any other config changes required?

Best Regards, Yogesh Sharma, Email: yks0000 at gmail.com | Web: www.initd.in, RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Tue, Aug 11, 2015 at 9:21 PM, Jakub Hrozek wrote:
> On Tue, Aug 11, 2015 at 08:43:49PM +0530, Yogesh Sharma wrote:
> > Hi Team,
> >
> > While registering to IPA Server we are getting below error. Any
> suggestion
> > Please.
> >
> > [...]
> > ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure:
> > GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> > information (Ticket not yet valid)
> ~~~~~~~~~~~~~~~~~~~~
> Check the time on your machines..
>
From jhrozek at redhat.com Tue Aug 11 18:53:36 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 11 Aug 2015 20:53:36 +0200 Subject: [Freeipa-users] Error while Enrolling Client In-Reply-To: References: <20150811155122.GB3609@hendrix.redhat.com> Message-ID: <20150811185336.GE3609@hendrix.redhat.com>

On Tue, Aug 11, 2015 at 09:29:46PM +0530, Yogesh Sharma wrote:
> Yes Jakub... That was the issue. We have fixed it and updated the list.
>
> Thanks Jakub.
>
> Would like to have one suggestion.
>
> We have implemented sudo, but every time we need to restart sssd to take
> the changes. We have tried implementing the cache timeout also, but it is not
> working as expected.
>
> Any other config changes required?

No, this is not expected. Can you get logs after you've added the sudo rule but before the client is restarted in order to capture the issue? It would be best to add debug_level=7 to sudo, nss and domain sections.

From roberto.cornacchia at gmail.com Wed Aug 12 00:46:16 2015 From: roberto.cornacchia at gmail.com (Roberto Cornacchia) Date: Wed, 12 Aug 2015 02:46:16 +0200 Subject: [Freeipa-users] Kerberized NFS with Synology NAS Message-ID:

Hi, I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now). I got almost everything working, but I seem to have a problem with Kerberized NFS. The NAS logs in the LDAP domain and seems happy with the Kerberos principal that I uploaded.

* If I use plain nfs4 without krb5 - /etc/exports - /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100) then I can mount it and use it (it even works with automount). But only using all_squash. Not useful.

* If I use krb5 - /etc/exports - /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100) then I can kinit with an LDAP user, mount it with sec=krb5, but I get "nobody" as file owner.
This is done from a FC22 client, perfectly enrolled in freeIPA. The client's log contains several of such errors: gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found Any tip to help me understand what the problem is? Roberto -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Wed Aug 12 05:52:06 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 12 Aug 2015 07:52:06 +0200 Subject: [Freeipa-users] Error while Enrolling Client In-Reply-To: <20150811185336.GE3609@hendrix.redhat.com> References: <20150811155122.GB3609@hendrix.redhat.com> <20150811185336.GE3609@hendrix.redhat.com> Message-ID: <20150812055205.GD10466@mail.corp.redhat.com> On (11/08/15 20:53), Jakub Hrozek wrote: >On Tue, Aug 11, 2015 at 09:29:46PM +0530, Yogesh Sharma wrote: >> Yes Jakub...That was the issue. We have fixed it and update to List. >> >> Thanks Jakub. >> >> Would like to have one suggestion. >> >> We have implemented sudo, but every time we need to restart sssd to take >> the changes. We have try implementing the cache timeout also, but not >> working as expected. >> >> Any other config changes required? > >No, this is not expected. Can you get logs after you've added the sudo >rule but before the client is restarted in order to capture the issue? >It would be best to add debug_level=7 to sudo, nss and domain sections. > I thought it is an side effect of sudo rule caching mechanism and periodic tasks. So it might be an expected behaviour. Periodic task are fired few seconds after start of sssd. It might explain why restarting sssd works. 
@see more details in man sssd-sudo -> "THE SUDO RULE CACHING MECHANISM" LS From yks0000 at gmail.com Wed Aug 12 07:37:00 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Wed, 12 Aug 2015 13:07:00 +0530 Subject: [Freeipa-users] Error while Enrolling Client In-Reply-To: <20150812055205.GD10466@mail.corp.redhat.com> References: <20150811155122.GB3609@hendrix.redhat.com> <20150811185336.GE3609@hendrix.redhat.com> <20150812055205.GD10466@mail.corp.redhat.com> Message-ID: Thanks Jakub/Lukas, Setting the right cache timeout fix the issue. "man sssd-sudo" really helped us. Thanks again for the suggestion. *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Wed, Aug 12, 2015 at 11:22 AM, Lukas Slebodnik wrote: > On (11/08/15 20:53), Jakub Hrozek wrote: > >On Tue, Aug 11, 2015 at 09:29:46PM +0530, Yogesh Sharma wrote: > >> Yes Jakub...That was the issue. We have fixed it and update to List. > >> > >> Thanks Jakub. > >> > >> Would like to have one suggestion. > >> > >> We have implemented sudo, but every time we need to restart sssd to take > >> the changes. We have try implementing the cache timeout also, but not > >> working as expected. > >> > >> Any other config changes required? > > > >No, this is not expected. Can you get logs after you've added the sudo > >rule but before the client is restarted in order to capture the issue? > >It would be best to add debug_level=7 to sudo, nss and domain sections. > > > I thought it is an side effect of sudo rule caching mechanism > and periodic tasks. So it might be an expected behaviour. > > Periodic task are fired few seconds after start of sssd. > It might explain why restarting sssd works. > > @see more details in man sssd-sudo -> "THE SUDO RULE CACHING MECHANISM" > > LS > -------------- next part -------------- An HTML attachment was scrubbed... 
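The behaviour Lukas describes (a rule added on the server only shows up on the client after the next periodic refresh, and restarting sssd schedules a refresh a few seconds after start) can be seen in a small Python model of the refresh scheduling documented in man sssd-sudo. This is an added example, not SSSD code and not anything posted in the thread: it replaces LDAP with an in-memory dictionary and drives a simulated clock in seconds. The 900 s and 21600 s values are the documented defaults of ldap_sudo_smart_refresh_interval and ldap_sudo_full_refresh_interval; the 5-second startup delay, the rule name and the per-user "rules refresh" being left out are assumptions of the model.

```python
# Model of SSSD's sudo rule refresh scheduling (man sssd-sudo, "THE SUDO RULE
# CACHING MECHANISM"). Added example, not SSSD code: an in-memory LDAP stand-in
# and a simulated clock instead of a real IPA server.

SMART_REFRESH_INTERVAL = 900    # ldap_sudo_smart_refresh_interval default: 15 minutes
FULL_REFRESH_INTERVAL = 21600   # ldap_sudo_full_refresh_interval default: 6 hours
STARTUP_DELAY = 5               # assumption: periodic tasks fire a few seconds after start


class FakeSudoLdap:
    """Stand-in for the IPA sudo rule tree: rule name -> modifyTimestamp (seconds)."""

    def __init__(self):
        self.rules = {}

    def add_rule(self, name, now):
        self.rules[name] = now

    def delete_rule(self, name):
        self.rules.pop(name, None)

    def all_rules(self):
        return dict(self.rules)

    def modified_after(self, since):
        return {n: ts for n, ts in self.rules.items() if ts > since}


class SudoRuleCache:
    """Client-side rule cache with the two periodic refresh tasks."""

    def __init__(self, ldap, now, smart=SMART_REFRESH_INTERVAL, full=FULL_REFRESH_INTERVAL):
        self.ldap = ldap
        self.smart_interval = smart
        self.full_interval = full
        self.rules = {}
        self.last_refresh = -1      # timestamp of the last successful download
        self.restart(now)

    def restart(self, now):
        """(Re)start sssd: the persistent cache survives, a full refresh is rescheduled."""
        self.next_full = now + STARTUP_DELAY
        self.next_smart = None      # smart refreshes are scheduled after the first full one

    def tick(self, now):
        """Advance the clock one second and run whichever periodic task is due."""
        if now >= self.next_full:
            # Full refresh: replace the cache with everything in LDAP. This is the
            # only task that also notices rules deleted on the server.
            self.rules = self.ldap.all_rules()
            self.last_refresh = now
            self.next_full = now + self.full_interval
            self.next_smart = now + self.smart_interval
        elif self.next_smart is not None and now >= self.next_smart:
            # Smart refresh: download only rules modified since the last refresh and
            # merge them; deleted rules linger until the next full refresh.
            self.rules.update(self.ldap.modified_after(self.last_refresh))
            self.last_refresh = now
            self.next_smart = now + self.smart_interval

    def has_rule(self, name):
        return name in self.rules


def seconds_until_visible(rule_added_at, restart_at=None, horizon=2 * SMART_REFRESH_INTERVAL):
    """Simulate from t=0 and return the second at which a rule added on the server at
    `rule_added_at` becomes visible on the client, or None if not within `horizon`."""
    ldap = FakeSudoLdap()
    cache = SudoRuleCache(ldap, now=0)
    for now in range(horizon):
        if now == rule_added_at:
            ldap.add_rule("new_rule", now)          # constructed rule name
        if restart_at is not None and now == restart_at:
            cache.restart(now)
        cache.tick(now)
        if cache.has_rule("new_rule"):
            return now
    return None


if __name__ == "__main__":
    print("visible without restart at t =", seconds_until_visible(100))
    print("visible with restart at t=200 at t =", seconds_until_visible(100, restart_at=200))
```

With the defaults a rule added at t=100 is only picked up by the smart refresh at t=905, while restarting sssd at t=200 triggers the startup full refresh at t=205, which is the effect Yogesh saw. Lowering ldap_sudo_smart_refresh_interval in the [domain] section of sssd.conf shortens the first number; the model also shows why a rule deleted on the server keeps working on the client until a full refresh runs.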
From tlau at tetrioncapital.com Wed Aug 12 07:48:17 2015
From: tlau at tetrioncapital.com (Thomas Lau)
Date: Wed, 12 Aug 2015 15:48:17 +0800
Subject: [Freeipa-users] IPA client enrollment check
In-Reply-To: <55C312DD.8020405@redhat.com>
References: <55C312DD.8020405@redhat.com>
Message-ID:

Hi,

I am using a script to check /etc/ipa/default.conf now, it works pretty well. Thanks.

On Thu, Aug 6, 2015 at 3:55 PM, Martin Kosek wrote:
> On 08/04/2015 03:10 PM, Thomas Lau wrote:
>> Does anyone know how I could check if a client is enrolled or not?
>>
>> Trying to automate the enrollment process by using a generic tool since I am
>> using Ubuntu, only ipa-client-install is available.
>
> Hello Thomas,
>
> I am not aware of some general API/CLI for that. ipa-client-install just checks
> if there is any file in /var/lib/ipa-client/sysrestore or /etc/ipa/default.conf
> exists.
>
> If you would like some tool to handle it better (maybe "ipa-client-install
> --is-installed"?), please file an RFE or ideally send patches, it should not be
> that difficult to implement :-)

--
Thomas Lau
Director of Infrastructure
Tetrion Capital Limited

Direct: +852-3976-8903
Mobile: +852-9323-9670
Address: Suite 2716, Two IFC, Central, Hong Kong

From roberto.cornacchia at gmail.com Wed Aug 12 11:33:25 2015
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Wed, 12 Aug 2015 13:33:25 +0200
Subject: [Freeipa-users] Kerberized NFS with Synology NAS
In-Reply-To:
References:
Message-ID:

Enabled verbose output for rpc.idmapd as well, and now I see:

nfsidmap[5034]: nss_getpwnam: name 'test1_l at localdomain' does not map into domain 'hq.spinque.com'

On 12 August 2015 at 12:28, Roberto Cornacchia wrote:
> I have used
>
> RPCGSSDARGS="-vvv"
> RPCSVCGSSDARGS="-vvv"
>
> in /etc/sysconfig/nfs, as suggested in
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs
> server (synology).
>
> It still doesn't tell me much, perhaps I'm missing something?
>
> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
> rpc.gssd[3328]: process_krb5_upcall: service is ''
> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com at HQ.SPINQUE.COM'
> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com at HQ.SPINQUE.COM'
> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com at HQ.SPINQUE.COM'
> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com at HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
> rpc.gssd[3328]: DEBUG: port already set to 2049
> rpc.gssd[3328]: creating context with server nfs at spinque03.hq.spinque.com
> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs at spinque03.hq.spinque.com
> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
> rpc.gssd[3337]: process_krb5_upcall: service is ''
> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
> rpc.gssd[3337]: DEBUG: port already set to 2049
> rpc.gssd[3337]: creating context with server nfs at spinque03.hq.spinque.com
> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs at spinque03.hq.spinque.com
>
>
> On 12 August 2015 at 02:46, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to use a Synology NAS station in my FreeIPA domain to host
>> automounted home directories (not created automatically for now).
>>
>> I got almost everything working, but I seem to have a problem with
>> kerberized NFS.
>>
>> The NAS logs in the LDAP domain and seems happy with the Kerberos
>> principal that I uploaded.
>>
>> * If I use plain nfs4 without krb5
>>
>> - /etc/exports -
>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>>
>> then I can mount it and use it (it even works with automount). But only
>> using all_squash. Not useful.
>>
>> * If I use krb5
>>
>> - /etc/exports -
>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>>
>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get
>> "nobody" as file owner.
>>
>> This is done from an FC22 client, perfectly enrolled in FreeIPA.
>>
>> The client's log contains several such errors:
>>
>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
>> Minor code may provide more information, No credentials cache found
>>
>> Any tip to help me understand what the problem is?
>> Roberto
>>
>

From dewanggaba at xtremenitro.org Wed Aug 12 12:20:54 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Wed, 12 Aug 2015 19:20:54 +0700
Subject: [Freeipa-users] Different domain enrollment
In-Reply-To: <20150811112514.GR22106@redhat.com>
References: <55C9596E.4040100@xtremenitro.org> <20150811064310.GO22106@redhat.com> <55C9AE7D.30803@xtremenitro.org> <20150811112514.GR22106@redhat.com>
Message-ID: <55CB3A26.3030401@xtremenitro.org>

Hello!

On 08/11/2015 06:25 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with a hostname in a different domain than the primary
>>>> domain on the ipa server. For example, my primary domain is mydomain.co.id,
>>>> and then if the server hostname uses mydomain.co.id, the DNS discovery is
>>>> successful.
>>>>
>>>> The problem comes if the client hostname uses a different domain, for
>>>> example anotherdomain.com: the DNS discovery fails. Is there any
>>>> way to solve it? Should I enter it manually?
>>> Details of autodiscovery and suggestions how to configure are explained
>>> in the man page for ipa-client-install, section on DNS autodiscovery.
>>
>> Thanks for your hints, but I have another question after reading the man
>> pages. Is the best practice to register a client to the ipa server using --domain
>> or to add similar DNS records?
> You still would need a _kerberos TXT record for runtime Kerberos realm
> detection unless your krb5.conf would contain a domain_realms entry for
> your DNS domain.
>
> Using the --domain option is, of course, easy.
>
> Yes, using --domain is very easy.
>> I've tried to create a new record on anotherdomain.com. (e.g. the original dns
>> record was _ldap._tcp.mydomain.co.id, and I created a new record for
>> _ldap._tcp.anotherdomain.com).
>>
>> The new dns records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
>> _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
>> _kerberos-master._udp, _kerberos-master._tcp".
>>
>> anotherdomain.com $ ipa-client-install
>> Discovery was successful!
>> Hostname: spectre.anotherdomain.com
>> Realm: MYDOMAIN.CO.ID
>> DNS Domain: anotherdomain.com
>> IPA Server: ipa.anotherdomain.com
>> BaseDN: dc=merahciptamedia,dc=co,dc=id
>>
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for admin at MERAHCIPTAMEDIA.CO.ID:
>> Unable to download CA cert from LDAP.
>> Do you want to download the CA cert from
>> http://ipa.anotherdomain.com/ipa/config/ca.crt?
>> (this is INSECURE) [no]:
>>
>> Is it safe? Or just use the --domain parameter?
> I don't think 'Unable to download CA cert from LDAP' is connected to the
> problem you have but you should be able to see what was the issue in
> /var/log/ipaclient-install.log.
>
I think the client can't download the ca cert from LDAP because ca.crt was
registered on mydomain.co.id (not anotherdomain.com). For the flexibility and
my limited knowledge, it is better to use --domain (for now) :D

From dewanggaba at xtremenitro.org Wed Aug 12 12:30:52 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Wed, 12 Aug 2015 19:30:52 +0700
Subject: [Freeipa-users] Sudo command not working
Message-ID: <55CB3C7C.7040909@xtremenitro.org>

Hello!

I'm having a problem with the sudo command: the sudo command was successfully
initiated, but the user is still asked for a password. For example:

ipa-client $ sudo -l
Matching Defaults entries for subhan on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User subhan may run the following commands on this host:
    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail

ipa-server $ ipa user-show subhan
  User login: subhan
  First name: [REMOVED]
  Last name: [REMOVED]
  Home directory: /home/subhan
  Login shell: /bin/bash
  Email address: [REMOVED]
  UID: 642000007
  GID: 642000007
  Job Title: Developer
  Account disabled: False
  Password: False
  Member of groups: g_gmt_developer, developer
  Member of Sudo rule: gmt_developer
  Member of HBAC rule: gmt_webserver
  Kerberos keys available: False
  SSH public key fingerprint: [REMOVED]

ipa-server $ ipa sudocmd-find
-----------------------
2 Sudo Commands matched
-----------------------
  Sudo Command: /bin/tail
  Sudo Command Groups: reading-files

  Sudo Command: /usr/bin/tail
  Sudo Command Groups: reading-files

ipa-server $ ipa sudorule-show gmt_developer
  Rule name: gmt_developer
  Enabled: TRUE
  Users: subhan
  User Groups: g_gmt_developer
  Host Groups: gmt_webserver
  Sudo Allow Command Groups: reading-files
  RunAs Users: subhan
  Sudo Option: !authenticate

ipa-client $ sudo tail -f /var/log/nginx/access.log
[sudo] password for subhan:
ipa-client $ sudo tail /var/log/nginx/access.log
[sudo] password for subhan:

There's no information in sssd_sudo.log about this issue.

ipa-server $ cat /etc/sssd/sssd.conf
... snip ...
[sudo]
debug_level = 7
... snip ...

FYI, running IPA Server 4.1.4 on EL7.

$ ipa --version
VERSION: 4.1.4, API_VERSION: 2.114

$ uname -a
Linux [REMOVED] 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Any hints to debug and solve this issue? Any help is appreciated. :)

From jhrozek at redhat.com Wed Aug 12 12:36:49 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Aug 2015 14:36:49 +0200
Subject: [Freeipa-users] Sudo command not working
In-Reply-To: <55CB3C7C.7040909@xtremenitro.org>
References: <55CB3C7C.7040909@xtremenitro.org>
Message-ID: <20150812123649.GX3609@hendrix.redhat.com>

On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
>
> I'm having a problem with the sudo command: the sudo command was successfully
> initiated, but the user is still asked for a password.
> For example:
>
> ipa-client $ sudo -l
> Matching Defaults entries for subhan on this host:
>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User subhan may run the following commands on this host:
>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>
> ipa-server $ ipa user-show subhan
>   User login: subhan
>   First name: [REMOVED]
>   Last name: [REMOVED]
>   Home directory: /home/subhan
>   Login shell: /bin/bash
>   Email address: [REMOVED]
>   UID: 642000007
>   GID: 642000007
>   Job Title: Developer
>   Account disabled: False
>   Password: False
>   Member of groups: g_gmt_developer, developer
>   Member of Sudo rule: gmt_developer
>   Member of HBAC rule: gmt_webserver
>   Kerberos keys available: False
>   SSH public key fingerprint: [REMOVED]
>
> ipa-server $ ipa sudocmd-find
> -----------------------
> 2 Sudo Commands matched
> -----------------------
>   Sudo Command: /bin/tail
>   Sudo Command Groups: reading-files
>
>   Sudo Command: /usr/bin/tail
>   Sudo Command Groups: reading-files
>
> ipa-server $ ipa sudorule-show gmt_developer
>   Rule name: gmt_developer
>   Enabled: TRUE
>   Users: subhan
>   User Groups: g_gmt_developer
>   Host Groups: gmt_webserver
>   Sudo Allow Command Groups: reading-files
>   RunAs Users: subhan
>   Sudo Option: !authenticate
>
> ipa-client $ sudo tail -f /var/log/nginx/access.log
> [sudo] password for subhan:
> ipa-client $ sudo tail /var/log/nginx/access.log
> [sudo] password for subhan:
>
> There's no information in sssd_sudo.log about this issue.

In general sssd acts as a cache of the sudo rules, the decision to auth
or not is done by sudo. So on the sssd side you can make sure the sudo
option value was fetched, but you'll probably get a more useful
debugging from sudo itself.

From dewanggaba at xtremenitro.org Wed Aug 12 12:44:15 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Wed, 12 Aug 2015 19:44:15 +0700
Subject: [Freeipa-users] Sudo command not working
In-Reply-To: <20150812123649.GX3609@hendrix.redhat.com>
References: <55CB3C7C.7040909@xtremenitro.org> <20150812123649.GX3609@hendrix.redhat.com>
Message-ID: <55CB3F9F.3070904@xtremenitro.org>

Hello!

On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I'm having a problem with the sudo command: the sudo command was successfully
>> initiated, but the user is still asked for a password. For example:
>>
>> ipa-client $ sudo -l
>> Matching Defaults entries for subhan on this host:
>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
>>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>
>> User subhan may run the following commands on this host:
>>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>>
>> ipa-server $ ipa user-show subhan
>>   User login: subhan
>>   First name: [REMOVED]
>>   Last name: [REMOVED]
>>   Home directory: /home/subhan
>>   Login shell: /bin/bash
>>   Email address: [REMOVED]
>>   UID: 642000007
>>   GID: 642000007
>>   Job Title: Developer
>>   Account disabled: False
>>   Password: False
>>   Member of groups: g_gmt_developer, developer
>>   Member of Sudo rule: gmt_developer
>>   Member of HBAC rule: gmt_webserver
>>   Kerberos keys available: False
>>   SSH public key fingerprint: [REMOVED]
>>
>> ipa-server $ ipa sudocmd-find
>> -----------------------
>> 2 Sudo Commands matched
>> -----------------------
>>   Sudo Command: /bin/tail
>>   Sudo Command Groups: reading-files
>>
>>   Sudo Command: /usr/bin/tail
>>   Sudo Command Groups: reading-files
>>
>> ipa-server $ ipa sudorule-show gmt_developer
>>   Rule name: gmt_developer
>>   Enabled: TRUE
>>   Users: subhan
>>   User Groups: g_gmt_developer
>>   Host Groups: gmt_webserver
>>   Sudo Allow Command Groups: reading-files
>>   RunAs Users: subhan
>>   Sudo Option: !authenticate
>>
>> ipa-client $ sudo tail -f /var/log/nginx/access.log
>> [sudo] password for subhan:
>> ipa-client $ sudo tail /var/log/nginx/access.log
>> [sudo] password for subhan:
>>
>> There's no information in sssd_sudo.log about this issue.
>
> In general sssd acts as a cache of the sudo rules, the decision to auth
> or not is done by sudo. So on the sssd side you can make sure the sudo
> option value was fetched, but you'll probably get a more useful
> debugging from sudo itself.
>

Here is the sudo message from /var/log/secure:

Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened for user subhan by dewangga(uid=0)
Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0 ruser=subhan rhost= user=subhan
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 7 (Authentication failure)
Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log

The sudo option (!authenticate) should be working, because I can invoke the
`sudo -l` command without a password. So I think sssd is not the problem.
CMIIW. :)

From jhrozek at redhat.com Wed Aug 12 14:26:14 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 12 Aug 2015 16:26:14 +0200
Subject: [Freeipa-users] Sudo command not working
In-Reply-To: <55CB3F9F.3070904@xtremenitro.org>
References: <55CB3C7C.7040909@xtremenitro.org> <20150812123649.GX3609@hendrix.redhat.com> <55CB3F9F.3070904@xtremenitro.org>
Message-ID: <20150812142614.GY3609@hendrix.redhat.com>

On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
> > On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
> >> Hello!
> >>
> >> I'm having a problem with the sudo command: the sudo command was successfully
> >> initiated, but the user is still asked for a password. For example:
> >>
> >> ipa-client $ sudo -l
> >> Matching Defaults entries for subhan on this host:
> >>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
> >>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
> >>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
> >>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
> >>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >>
> >> User subhan may run the following commands on this host:
> >>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
> >>
> >> ipa-server $ ipa user-show subhan
> >>   User login: subhan
> >>   First name: [REMOVED]
> >>   Last name: [REMOVED]
> >>   Home directory: /home/subhan
> >>   Login shell: /bin/bash
> >>   Email address: [REMOVED]
> >>   UID: 642000007
> >>   GID: 642000007
> >>   Job Title: Developer
> >>   Account disabled: False
> >>   Password: False
> >>   Member of groups: g_gmt_developer, developer
> >>   Member of Sudo rule: gmt_developer
> >>   Member of HBAC rule: gmt_webserver
> >>   Kerberos keys available: False
> >>   SSH public key fingerprint: [REMOVED]
> >>
> >> ipa-server $ ipa sudocmd-find
> >> -----------------------
> >> 2 Sudo Commands matched
> >> -----------------------
> >>   Sudo Command: /bin/tail
> >>   Sudo Command Groups: reading-files
> >>
> >>   Sudo Command: /usr/bin/tail
> >>   Sudo Command Groups: reading-files
> >>
> >> ipa-server $ ipa sudorule-show gmt_developer
> >>   Rule name: gmt_developer
> >>   Enabled: TRUE
> >>   Users: subhan
> >>   User Groups: g_gmt_developer
> >>   Host Groups: gmt_webserver
> >>   Sudo Allow Command Groups: reading-files
> >>   RunAs Users: subhan
> >>   Sudo Option: !authenticate
> >>
> >> ipa-client $ sudo tail -f /var/log/nginx/access.log
> >> [sudo] password for subhan:
> >> ipa-client $ sudo tail /var/log/nginx/access.log
> >> [sudo] password for subhan:
> >>
> >> There's no information in sssd_sudo.log about this issue.
> >
> > In general sssd acts as a cache of the sudo rules, the decision to auth
> > or not is done by sudo. So on the sssd side you can make sure the sudo
> > option value was fetched, but you'll probably get a more useful
> > debugging from sudo itself.
> >
>
> Here is the sudo message from /var/log/secure:
>
> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened for user subhan by dewangga(uid=0)
> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]
> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0 ruser=subhan rhost= user=subhan
> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 7 (Authentication failure)
> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log
>
> The sudo option (!authenticate) should be working, because I can invoke the
> `sudo -l` command without a password. So I think sssd is not the problem.
> CMIIW. :)

Look into man sudo.conf, depending on your sudo version the options to
enable debugging for sudo differ.

From roberto.cornacchia at gmail.com Wed Aug 12 10:28:30 2015
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Wed, 12 Aug 2015 12:28:30 +0200
Subject: [Freeipa-users] Kerberized NFS with Synology NAS
In-Reply-To:
References:
Message-ID:

I have used

RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"

in /etc/sysconfig/nfs, as suggested in
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs
server (synology).

It still doesn't tell me much, perhaps I'm missing something?

rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
rpc.gssd[3328]: process_krb5_upcall: service is ''
rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com at HQ.SPINQUE.COM'
rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com at HQ.SPINQUE.COM'
rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com at HQ.SPINQUE.COM'
rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com at HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
rpc.gssd[3328]: DEBUG: port already set to 2049
rpc.gssd[3328]: creating context with server nfs at spinque03.hq.spinque.com
rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs at spinque03.hq.spinque.com
rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
rpc.gssd[3337]: process_krb5_upcall: service is ''
gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
rpc.gssd[3337]: DEBUG: port already set to 2049
rpc.gssd[3337]: creating context with server nfs at spinque03.hq.spinque.com
rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs at spinque03.hq.spinque.com

On 12 August 2015 at 02:46, Roberto Cornacchia wrote:
> Hi,
>
> I am trying to use a Synology NAS station in my FreeIPA domain to host
> automounted home directories (not created automatically for now).
>
> I got almost everything working, but I seem to have a problem with
> kerberized NFS.
>
> The NAS logs in the LDAP domain and seems happy with the Kerberos
> principal that I uploaded.
>
> * If I use plain nfs4 without krb5
>
> - /etc/exports -
> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>
> then I can mount it and use it (it even works with automount). But only
> using all_squash. Not useful.
>
> * If I use krb5
>
> - /etc/exports -
> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>
> then I can kinit with an LDAP user, mount it with sec=krb5, but I get
> "nobody" as file owner.
>
> This is done from an FC22 client, perfectly enrolled in FreeIPA.
>
> The client's log contains several such errors:
>
> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
> Minor code may provide more information, No credentials cache found
>
> Any tip to help me understand what the problem is?
> Roberto
>
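The rpc.gssd trace in Roberto's message shows the Kerberos side succeeding (contexts are created for uid 0 and uid 1005), while his later reply in this thread (13:33) contains the line that explains the "nobody" owner: nfsidmap reports that the owner string sent by the NAS, 'test1_l@localdomain' (the archive renders '@' as ' at '), "does not map into domain" hq.spinque.com. That is the condition under which the NFSv4 idmapper gives up and maps the owner to nobody. The Python below is an added example, not part of the thread and not nfs-utils code: it models the decision libnfsidmap's nss method makes for an owner string and extracts the two domains from such log lines so the mismatch can be spotted automatically. The account table, the 65534 uid for nobody, the syslog prefix on the sample line and the function names are constructed assumptions.

```python
import re

NOBODY_UID = 65534   # assumption: uid of nobody/nfsnobody on the client

# Constructed stand-in for the client's account database; the real idmapper asks
# NSS, which on an IPA-enrolled host means SSSD.
PASSWD = {"root": 0, "test1_l": 1005}

# Constructed sample built from the rpc.idmapd line quoted in the thread, written
# the way syslog prints it ('@' rather than the archive's ' at ').
IDMAP_LOG = """\
Aug 12 13:20:01 meson nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' does not map into domain 'hq.spinque.com'
Aug 12 13:20:01 meson nfsidmap[5034]: key: 0x1a type: uid value: test1_l@localdomain timeout 600
"""

MISMATCH_RE = re.compile(
    r"nss_getpwnam: name '(?P<owner>[^']+)' does not map into domain '(?P<client_domain>[^']+)'"
)


def owner_to_uid(owner, client_domain, passwd=PASSWD):
    """Model of libnfsidmap's nss method for an NFSv4 owner string 'user@domain':
    the domain part must equal the client's NFSv4 domain (compared case-insensitively)
    and the user must exist locally; any other owner string becomes nobody."""
    user, at, domain = owner.partition("@")
    if not at or domain.lower() != client_domain.lower():
        return NOBODY_UID           # this is the 'does not map into domain' case
    return passwd.get(user, NOBODY_UID)


def find_domain_mismatches(log_text):
    """Extract (owner, server-side domain, client domain) from idmapper complaints."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        owner = m.group("owner")
        findings.append({
            "owner": owner,
            "server_domain": owner.partition("@")[2],
            "client_domain": m.group("client_domain"),
        })
    return findings


if __name__ == "__main__":
    for f in find_domain_mismatches(IDMAP_LOG):
        print(f"server sends domain {f['server_domain']!r}, client expects {f['client_domain']!r}")
    print("mapped uid:", owner_to_uid("test1_l@localdomain", "hq.spinque.com"))
```

The two sides have to agree on the NFSv4 domain: on the Linux client it is the Domain setting in the [General] section of /etc/idmapd.conf (the DNS domain is used when it is unset), and the NAS must be configured to send the same NFSv4 domain instead of "localdomain". Kerberos authenticates the user, but ownership on the wire is still carried as user@domain strings, so a domain mismatch shows up as every file belonging to nobody even though the mount succeeded.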
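Returning to the "Sudo command not working" thread above: the /var/log/secure lines Dewangga posted carry the decisive detail in their last line. sudo recorded USER=root for the denied request, while sudo -l lists the rule as "(subhan) NOPASSWD: /bin/tail", which in sudoers terms means tail may be run only as the target user subhan; a plain `sudo tail` asks for root. The parser below is an added example, not code from the thread or from the sudo project: it turns sudo's syslog lines into records and checks each denied request against a reduced view of an IPA sudo rule (invoking user, command, RunAs user; host groups are not modelled). The SudoRule class, the field names and the log lines are constructed, the rule values are copied from the ipa sudorule-show output quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the /var/log/secure lines quoted in the thread;
# the last line is a constructed success record in sudo's standard format.
SECURE_LOG = """\
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0 ruser=subhan rhost= user=subhan
Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 7 (Authentication failure)
Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ; TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f /var/log/nginx/error.log
Aug 12 19:45:02 rosaliaindah sudo: subhan : TTY=pts/0 ; PWD=/home/subhan ; USER=subhan ; COMMAND=/bin/tail /var/log/nginx/access.log
"""

# "user : [command not allowed ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : (?:(?P<verdict>command not allowed) ; )?(?P<fields>TTY=.*)$"
)


@dataclass(frozen=True)
class SudoRule:
    """Reduced view of an IPA sudo rule (ipa sudorule-show); host groups are not modelled."""
    name: str
    users: frozenset
    runas_users: frozenset      # shown as "(subhan)" in sudo -l output
    commands: frozenset
    options: frozenset = frozenset()


# Values copied from the sudorule-show output quoted in the thread.
GMT_DEVELOPER = SudoRule(
    name="gmt_developer",
    users=frozenset({"subhan"}),
    runas_users=frozenset({"subhan"}),
    commands=frozenset({"/bin/tail", "/usr/bin/tail"}),
    options=frozenset({"!authenticate"}),
)


def parse_sudo_log(text):
    """Return one dict per sudo command record: invoker, denied flag and the
    TTY/PWD/USER/COMMAND fields. PAM lines and other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        ev = {"invoker": m.group("invoker"), "denied": m.group("verdict") is not None}
        for part in m.group("fields").split(" ; "):
            key, _, value = part.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def explain(rule, event):
    """Name the first reason a request could not match `rule`."""
    if event["invoker"] not in rule.users:
        return f"{event['invoker']} is not in the rule's users"
    cmd = event["COMMAND"].split(" ", 1)[0]
    if cmd not in rule.commands:
        return f"{cmd} is not an allowed command"
    if event["USER"] not in rule.runas_users:
        runas = sorted(rule.runas_users)
        return (f"target user {event['USER']} is not in RunAs users {runas}; "
                f"either run 'sudo -u {runas[0]} ...' or add the intended RunAs user to the rule")
    return "request matches the rule"


def triage(text, rule=GMT_DEVELOPER):
    """Explain every denied request in `text` against `rule`."""
    return [(ev["COMMAND"], explain(rule, ev)) for ev in parse_sudo_log(text) if ev["denied"]]


if __name__ == "__main__":
    for command, reason in triage(SECURE_LOG):
        print(f"{command}: {reason}")
```

The !authenticate option is never consulted for a request that matches no rule, which is why sudo -l (which only lists the rule) works without a password while `sudo tail` prompts and is then logged as "command not allowed". Running the parser over a day of /var/log/secure also gives a quick inventory of which denials are genuine policy violations and which are users targeting the wrong RunAs user.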
From seli.irithyl at gmail.com Wed Aug 12 15:21:50 2015
From: seli.irithyl at gmail.com (seli irithyl)
Date: Wed, 12 Aug 2015 17:21:50 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To: <20150811113955.GX3609@hendrix.redhat.com>
References: <20150811113955.GX3609@hendrix.redhat.com>
Message-ID:

if I ssh with an ipa user, authentication hangs on "we sent a gssapi-with-mic packet, wait for reply" from 5s to 10s
if I ssh with a local user, auth is nearly immediate (less than 1s)

From a client :

[test at argon ~]$ time id test
uid=1713400050(test) gid=1713400050(test) groups=1713400050(test),1713400004(bioinfo)

real 0m2.269s
user 0m0.001s
sys 0m0.004s

[test at argon ~]$ time id test
uid=1713400050(test) gid=1713400050(test) groups=1713400050(test),1713400004(bioinfo)

real 0m0.005s
user 0m0.002s
sys 0m0.003s

[test at argon ~]$ time ipa user-find test
--------------
1 user matched
--------------
  User login: test
  First name: test
  Last name: user
  Home directory: /home/test
  Login shell: /bin/bash
  Email address: test at bioinf.local
  UID: 1713400050
  GID: 1713400050
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

real 0m1.464s
user 0m0.348s
sys 0m0.062s

Following the guide you sent me:

On the server:

[root at lead sssd]# systemctl status sssd
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Wed 2015-08-12 16:55:50 CEST; 11min ago
  Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 6496 (sssd)
   CGroup: /system.slice/sssd.service
           ├─6496 /usr/sbin/sssd -D -f
           ├─6497 /usr/libexec/sssd/sssd_be --domain bioinf.local --uid 0 --gid 0 --debug-to-files
           ├─6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0 --debug-to-files
           ├─6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           ├─6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           └─6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System Security Services Daemon.
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 2

[root at lead sssd]# more /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files

[root at lead sssd]# date
Wed Aug 12 17:09:50 CEST 2015
[root at lead sssd]# systemctl restart sssd
[root at lead sssd]# getent passwd test
test:*:1713400050:1713400050:test user:/home/test:/bin/bash

sssd_nss.log:

(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [bioinf.local]!
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7ff00ae60ec0
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7ff00ae60b00
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for bioinf.local: /var/lib/sss/db/cache_bioinf.local.ldb
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/root] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/polkitd] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'avahi' matched without domain, user is avahi
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/avahi] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'colord' matched without domain, user is colord
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/colord] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'rtkit' matched without domain, user is rtkit
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/rtkit] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pulse' matched without domain, user is pulse
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/pulse] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'gdm' matched without domain, user is gdm
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/gdm] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'postfix' matched without domain, user is postfix
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/postfix] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/root] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'avahi' matched without domain, user is avahi
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/avahi] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'colord' matched without domain, user is colord
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/colord] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'rtkit' matched without domain, user is rtkit
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pulse' matched without domain, user is pulse
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/pulse] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'gdm' matched without domain, user is gdm
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/gdm] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'postfix' matched without domain, user is postfix
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/postfix] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/sbin/nologin in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/tcsh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/csh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P[^@]+)@?(?P[^@]*$)].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [bioinf.local][]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [root].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [root], fail!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [root].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [test].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from []
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [test at bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [test at bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
sssd.conf:

[sssd]
debug_level = 6
config_file_version = 2
services = nss, pam, autofs, ssh, sudo
domains = bioinf.local

[nss]
debug_level = 6
filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
debug_level = 6

[domain/bioinf.local]
enumerate = false
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = bioinf.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = lead.bioinf.local
chpass_provider = ipa
ipa_server = _srv_, lead.bioinf.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_lifetime = 1d
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600

[ssh]
debug_level = 6

[autofs]
debug_level = 6

[sudo]

On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek wrote:
> On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
> > Hi,
> >
> > I inherited a server (the guy that built it left) running centos 7 and
> > Identity Management (Kerberos, 389DS, ...) with NFS.
> > Everything concerning login (with network accounts) is very slow (several
> > seconds)
> > I already solved a lot of problems on this server (DNS, NTP, firewall, ...),
> > but I am neither a sysadmin nor a linux guru and I don't know where and
> > what to look for ?
> > Kerberos ? 389DS ? NFS ? SElinux ? sssd ? ...
>
> Can you define "slow" better? Can you estimate how big is your
> environment?
>
> I would start by comparing the time it takes to search the entry in LDAP
> or kinit with login through GDM or SSH. Then, if the times differ, look
> into SSSD.
>
> Some pointers are here:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From yamakasi.014 at gmail.com Wed Aug 12 17:00:16 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Wed, 12 Aug 2015 19:00:16 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Guys,

I'm testing this out and I think I almost have it set up, on a CentOS samba server.

I'm using the ipa-adtrust way of Youenn but it seems we still need to add (objectclass=sambaSamAccount) ?

Info is welcome! I will report back when I have it working.

Thanks!

Matt

2015-08-10 11:16 GMT+02:00 Christopher Lamb :
> The next route I will try - is the one Youenn took, using ipa-adtrust
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 10.08.2015 10:03
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> Okay this is good to hear.
>
> But don't we want an IPA managed Scheme ?
>
> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally
> installed Samba and I wonder why.
>
> Good that we make some progress on making it all clear.
>
> Cheers,
>
> Matt
>
> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>> ldapsam + the samba extensions, pretty much as described in the Techslaves
>> article. Once I have a draft for the wiki page, I will mail you.
>>
>> From: "Matt ."
>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>> Date: 09.08.2015 21:17
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> Hi,
>>
>> Yes I know about "anything" but which way did you use now ?
>> >> >> >> 2015-08-09 20:56 GMT+02:00 Christopher Lamb > : >>> Hi Matt >>> >>> I am on OEL 7.1. - so anything that works on that should be good for > RHEL >>> and Centos 7.x >>> >>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As >> we >>> have suggested earlier, we will likely end up with several, one for each >> of >>> the possible integration paths. >>> >>> Chris >>> >>> >>> >>> >>> >>> From: "Matt ." >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>> "freeipa-users at redhat.com" >>> Date: 09.08.2015 16:45 >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >>> >>> >>> >>> Hi Chris, >>> >>> This sounds great! >>> >>> What are you using now, both CentOS ? So Samba and FreeIPA ? >>> >>> Maybe it's good to explain which way you used now in steps too, so we >>> can combine or create multiple howto's ? >>> >>> At least we are going somewhere! >>> >>> Thanks, >>> >>> Matt >>> >>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb >> : >>>> Hi Matt >>>> >>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old >> Samba >>>> Schema extensions) is up and working, almost flawlessly. >>>> >>>> I can add users and groups via the FreeIPA CLI, and they get the > correct >>>> ObjectClasses / attributes required for Samba. >>>> >>>> So far I have not yet bothered to try the extensions to the WebUI, >>> because >>>> it is currently giving me the classic "Your session has expired. Please >>>> re-login." error which renders the WebUI useless. >>>> >>>> The only problem I have so far encountered managing Samba / FreeIPA >> users >>>> via FreeIPA CLI commands is with the handling of the attribute >>>> sambaPwdLastSet. This is the subject of an existing thread, also > updated >>>> today. >>>> >>>> There is also an existing alternative to hacking group.py, using "Class >>> of >>>> Service" (Cos) documented in this thread from February 2015 >>>> >> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html >>> . 
>>>> I have not yet tried it, but it sounds reasonable. >>>> >>>> Chris >>>> >>>> >>>> >>>> >>>> >>>> From: "Matt ." >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>> Cc: "freeipa-users at redhat.com" , Youenn >>>> PIOLET >>>> Date: 06.08.2015 16:19 >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA >>>> >>>> >>>> >>>> Hi Chris, >>>> >>>> OK, than we might create two different versions of the wiki, I think >>>> this is nice. >>>> >>>> I'm still figuring out why I get that: >>>> >>>> IPA Error 4205: ObjectclassViolation >>>> >>>> missing attribute "sambaGroupType" required by object class >>>> "sambaGroupMapping" >>>> >>>> Matt >>>> >>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb >>> : >>>>> Hi Matt >>>>> >>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA >>>>> integration paths. >>>>> >>>>> The route I took is suited where there is no Active Directory > involved: >>>> In >>>>> my case all the Windows, OSX and Linux clients are islands that sit on >>>> the >>>>> same network. >>>>> >>>>> The route that Youenn has taken (unless I have got completely the > wrong >>>> end >>>>> of the stick) requires Active Directory in the architecture. >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> From: "Matt ." >>>>> To: Youenn PIOLET >>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>> "freeipa-users at redhat.com" >>>>> Date: 06.08.2015 14:42 >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >> IPA >>>>> >>>>> >>>>> >>>>> Hi, >>>>> >>>>> OK, this sounds already quite logical, but I'm still refering to the >>>>> old howto we found earlier, does that one still apply somewhere or not >>>>> at all ? 
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>>>> Hey guys,
>>>>>>
>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>>>
>>>>>> General idea:
>>>>>>
>>>>>> On FreeIPA (4.1)
>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>>>>>> attribute, also known as SID)
>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by
>>>>>> default on users
>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>>>> - create a CIFS service for your samba server
>>>>>> - Create user roles/permissions as described here:
>>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and
>>>>>> ipaNTHash attributes in LDAP (ACI)
>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) :
>>>>>> scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
>>>>>> You can also try to recompile it.
>>>>>>
>>>>>> On SAMBA Server side (CentOS 7...)
>>>>>> - Install server keytab file for CIFS
>>>>>> - check ipasam.so is here.
>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>>>>>> uid=admin ipaNTHash` thanks to kerberos
>>>>>> - make your smb.conf following the linked thread and restart service
>>>>>>
>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>>>>>> ipasam may use quite recent functionalities, the best is to just try. You
>>>>>> can read in previous thread : "If you insist on Ubuntu you need to get
>>>>>> ipasam somewhere, most likely to compile it yourself".
>>>>>> >>>>>> Make sure your user has ipaNTHash attribute :) >>>>>> >>>>>> You may want to debug authentication on samba server, I usually do >>> this: >>>>>> `tail -f /var/log/samba/log* | grep >>>>>> >>>>>> Cheers >>>>>> -- >>>>>> Youenn Piolet >>>>>> piolet.y at gmail.com >>>>>> >>>>>> >>>>>> 2015-08-05 17:40 GMT+02:00 Matt . : >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> This sounds great to me too, but a howto would help to make it more >>>>>>> clear about what you have done here. The thread confuses me a little >>>>>>> bit. >>>>>>> >>>>>>> Can you paste your commands so we can test out too and report back ? >>>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>> Matt >>>>>>> >>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb >>>>> : >>>>>>> > Hi Youenn >>>>>>> > >>>>>>> > Good news that you have got an integration working >>>>>>> > >>>>>>> > Now you have got it going, and the solution is fresh in your mind, >>>> how >>>>>>> > about adding a How-to page on this solution to the FreeIPA wiki? >>>>>>> > >>>>>>> > Chris >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > From: Youenn PIOLET >>>>>>> > To: "Matt ." >>>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>>>> > "freeipa-users at redhat.com" >>>>>>> > Date: 05.08.2015 14:51 >>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >> against >>>>> IPA >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > Hi guys, >>>>>>> > >>>>>>> > Thank you so much your previous answers. >>>>>>> > I realised my SID were stored in ipaNTsecurityidentifier, thanks > to >>>>>>> > ipa-adtrust-install --add-sids >>>>>>> > >>>>>>> > I found an other way to configure smb here: >>>>>>> > >>>>>>> > >>>>> >>>> >>> >> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa > >> >>> >>>> >>>>> >>>>>>> > It works perfectly. >>>>>>> > >>>>>>> > I'm using module ipasam.so I have manually scp to the samba > server, >>>>>>> > Samba is set to use kerberos + ldapsam via this ipasam module. 
>>>>>>> > Following the instructions, I created a user role allowing service
>>>>>>> > principal to read ipaNTHash value from the LDAP.
>>>>>>> > ipaNTHash are generated each time a user changes his password.
>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>>>>>> >
>>>>>>> > For more details, the previously linked thread is quite clear.
>>>>>>> >
>>>>>>> > Cheers
>>>>>>> >
>>>>>>> > --
>>>>>>> > Youenn Piolet
>>>>>>> > piolet.y at gmail.com
>>>>>>> >
>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>>>>>>> > Hi Chris.
>>>>>>> >
>>>>>>> > Yes, Apache Studio did that but I was not sure why it complained it
>>>>>>> > was "already" there.
>>>>>>> >
>>>>>>> > I'm still getting:
>>>>>>> >
>>>>>>> > IPA Error 4205: ObjectclassViolation
>>>>>>> >
>>>>>>> > missing attribute "sambaGroupType" required by object class
>>>>>>> > "sambaGroupMapping"
>>>>>>> >
>>>>>>> > When adding a user.
>>>>>>> >
>>>>>>> > I also see "class" as fieldname under my "Last name", this is not OK
>>>>>>> > also.
>>>>>>> >
>>>>>>> > We sure need to make some howto, I think we can nail this down :)
>>>>>>> >
>>>>>>> > Thanks for the heads up!
>>>>>>> >
>>>>>>> > Matthijs
>>>>>>> >
>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>>>>> > > Hi Matt
>>>>>>> > >
>>>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>>>>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>>>>>>> > > below:
>>>>>>> > >
>>>>>>> > > #!RESULT OK
>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>>> > > changetype: modify
>>>>>>> > > add: ipaCustomFields
>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>>>>> > >
>>>>>>> > > After that I then have a visible attribute ipaCustomFields as
>>>>>>> > > expected.
>>>>>>> > >
>>>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
>>>>>>> > > attribute type in a drop down list.
>>>>>>> > >
>>>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
>>>>>>> > > Wiki.
>>>>>>> > >
>>>>>>> > > Chris
>>>>>>> > >
>>>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>> > > To: "Matt ."
>>>>>>> > > Cc: "freeipa-users at redhat.com"
>>>>>>> > > Date: 05.08.2015 07:31
>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > > Sent by: freeipa-users-bounces at redhat.com
>>>>>>> > >
>>>>>>> > > Hi Matt
>>>>>>> > >
>>>>>>> > > I also got the same result at that step, but can see nothing in Apache
>>>>>>> > > Directory Studio.
>>>>>>> > >
>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they
>>>>>>> > > probably were migrated with all the required attributes.
>>>>>>> > >
>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>>>>> > >
>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>> > > changetype: modify
>>>>>>> > > add: ipaCustomFields
>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>> > > EOF
>>>>>>> > >
>>>>>>> > > i.e. changetype: modify, instead of changetype add ?
>>>>>>> > >
>>>>>>> > > I don't want to play around with my prod directory - I will set up an EL 7.1
>>>>>>> > > VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around
>>>>>>> > > more destructively.
>>>>>>> > >
>>>>>>> > > Chris
>>>>>>> > >
>>>>>>> > > From: "Matt ."
>>>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>>>>> > > Date: 05.08.2015 01:01
>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > >
>>>>>>> > > Hi Chris,
>>>>>>> > >
>>>>>>> > > I'm at the right path, but my issue is that:
>>>>>>> > >
>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>> > > changetype: add
>>>>>>> > > add: ipaCustomFields
>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>> > > EOF
>>>>>>> > >
>>>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
>>>>>>> > > it manually as an attribute it still fails when I add a user on this
>>>>>>> > > sambagrouptype as it's needed by the other attributes
>>>>>>> > >
>>>>>>> > > So that is my issue I think so far.
>>>>>>> > >
>>>>>>> > > Any clue about that ?
>>>>>>> > >
>>>>>>> > > No problem "you don't know something or are no guru" we are all
>>>>>>> > > learning! :)
>>>>>>> > >
>>>>>>> > > Cheers,
>>>>>>> > >
>>>>>>> > > Matt
>>>>>>> > >
>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>> > >> Hi Matt, Youenn
>>>>>>> > >>
>>>>>>> > >> Just to set the background properly, I did not invent this process. I know
>>>>>>> > >> only a little about FreeIPA, and almost nothing about Samba, but I guess I
>>>>>>> > >> was lucky enough to get the integration working on a Sunday afternoon. (I
>>>>>>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>>>>> > >>
>>>>>>> > >> It sounds like we need to step back, and look at the test user and group in
>>>>>>> > >> the FreeIPA LDAP tree.
I find using an LDAP browser makes > this >>>>> much >>>>>>> > > easier. >>>>>>> > >> >>>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions >> in >>>>>>> > FreeIPA >>>>>>> > >> (cn=accounts, cn=users): >>>>>>> > >> >>>>>>> > >> * objectClass: sambasamaccount >>>>>>> > >> >>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet >>>>>>> > >> >>>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions >>> in >>>>>>> > FreeIPA >>>>>>> > >> (cn=accounts, cn=groups): >>>>>>> > >> >>>>>>> > >> * objectClass: sambaGroupMapping >>>>>>> > >> >>>>>>> > >> * Attributes: sambaGroupType, sambaSID >>>>>>> > >> >>>>>>> > >> The Users must belong to one or more of the samba groups that >>>> you >>>>>>> > have >>>>>>> > >> setup. >>>>>>> > >> >>>>>>> > >> If you don't have something similar to the above (which > sounds >>>>> like >>>>>>> > it >>>>>>> > is >>>>>>> > >> the case), then something went wrong applying the extensions. >>> It >>>>>>> > would >>>>>>> > be >>>>>>> > >> worth testing comparing a new user / group created post > adding >>>>> the >>>>>>> > >> extensions to a previous existing user. >>>>>>> > >> >>>>>>> > >> i.e. >>>>>>> > >> are the extensions missing on existing users / groups? >>>>>>> > >> are the extensions missing on new users / groups? >>>>>>> > >> >>>>>>> > >> Cheers >>>>>>> > >> >>>>>>> > >> Chris >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> From: Youenn PIOLET >>>>>>> > >> To: "Matt ." 
>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>>>> > >> "freeipa-users at redhat.com" >>>> >>>>>>> > >> Date: 04.08.2015 18:56 >>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>>>>>> > against >>>>>>> > IPA >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> Hi there, >>>>>>> > >> >>>>>>> > >> I have difficulties to follow you at this point :) >>>>>>> > >> Here is what I've done and what I've understood: >>>>>>> > >> >>>>>>> > >> ## SMB Side >>>>>>> > >> - Testparm OK >>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to >>>> connect. >>>>>>> > >> - pdbedit -Lv output is all successfull but I can see there > is >>> a >>>>>>> > filter : >>>>>>> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users >>> don't >>>>>>> > have >>>>>>> > >> sambaSamAccount. >>>>>>> > >> >>>>>>> > >> ## LDAP / FreeIPA side >>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my >>>>>>> > FreeIPA >>>>>>> > >> server to get samba LDAP extensions. >>>>>>> > >> - I can see samba classes exist in LDAP but are not used on > my >>>>>>> > group >>>>>>> > >> objects nor my user objects >>>>>>> > >> - I have add sambaSamAccount in FreeIPA default user classes, >>>>>>> > >> and sambaGroupMapping to default group classes. In that state >> I >>>>>>> > can't >>>>>>> > >> create user nor groups anymore, as new samba attributes are >>>>> needed >>>>>>> > for >>>>>>> > >> instantiation. >>>>>>> > >> - I have add in etc ipaCustomFields: 'Samba Group >>>>>>> > > Type,sambagrouptype,true' >>>>>>> > >> but I don't get what it does. >>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the >>>>>>> > "local" >>>>>>> > > option >>>>>>> > >> when creating a group in FreeIPA, supposed to set >>> sambagrouptype >>>>> to >>>>>>> > 4 >>>>>>> > or >>>>>>> > > 2 >>>>>>> > >> (domain). 
It doesn't work and tells that sambagrouptype >>>> attribute >>>>>>> > doesn't >>>>>>> > >> exist (but it should now I put sambaGroupType class by >>>>> default...) >>>>>>> > >> >>>>>>> > >> ## Questions >>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use >> unix / >>>>>>> > posix >>>>>>> > >> instead? I guess no. >>>>>>> > >> 1) How to generate the user/group SIDs ? They are requested > to >>>>> add >>>>>>> > >> sambaSamAccount classes. >>>>>>> > >> This article doesn't seem relevant since we don't use domain >>>>>>> > controller >>>>>>> > >> >>>>>>> > > >>>>>>> > >>>>>>> > >>>>> >>>> >>> >> > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >>>>>>> > >>>>>>> > >> and netgetlocalsid returns an error. >>>>>>> > >> 2) How to fix samba.js plugin? >>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user >>>> creation, >>>>>>> > where >>>>>>> > > can >>>>>>> > >> I find it? >>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not >>>> only >>>>>>> > Windows >>>>>>> > >> 7? >>>>>>> > >> >>>>>>> > >> Thanks a lot for your previous and future answers >>>>>>> > >> >>>>>>> > >> -- >>>>>>> > >> Youenn Piolet >>>>>>> > >> piolet.y at gmail.com >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . : >>>>>>> > >> Hi, >>>>>>> > >> >>>>>>> > >> Yes, log is anonymised. >>>>>>> > >> >>>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also >>>> when >>>>> I >>>>>>> > >> change it's password it doesn't get it in ldap. >>>>>>> > >> >>>>>>> > >> There must be something going wrong I guess. >>>>>>> > >> >>>>>>> > >> Matt >>>>>>> > >> >>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb >>>>>>> > > >>>>>> > >> >: >>>>>>> > >> > Hi Matt >>>>>>> > >> > >>>>>>> > >> > I assume [username] is a real username, identical to that >>> in >>>>>>> > the >>>>>>> > >> FreeIPA >>>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log >>>>>>> > extract). 
>>>>>>> > >> > >>>>>>> > >> > You user should be a member of the appropriate samba >> groups >>>>>>> > that >>>>>>> > you >>>>>>> > >> setup >>>>>>> > >> > in FreeIPA. >>>>>>> > >> > >>>>>>> > >> > You should check that the user attribute SambaPwdLastSet >> is >>>>> set >>>>>>> > to >>>>>>> > a >>>>>>> > >> > positive value (e.g. 1). If not you get an error in the >>>> Samba >>>>>>> > logs >>>>>>> > - >>>>>>> > > I >>>>>>> > >> > would need to play around again with a test user to find >>> out >>>>>>> > the >>>>>>> > > exact >>>>>>> > >> > error. >>>>>>> > >> > >>>>>>> > >> > I don't understand what you mean about syncing the users >>>>> local, >>>>>>> > but >>>>>>> > > we >>>>>>> > >> did >>>>>>> > >> > not need to do anything like that. >>>>>>> > >> > >>>>>>> > >> > Chris >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > From: "Matt ." >>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>>> > >> > Cc: "freeipa-users at redhat.com" >>>> >>>>>>> > >> > Date: 04.08.2015 15:33 >>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server >>> Auth >>>>>>> > against >>>>>>> > >> IPA >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > Hi Chris, >>>>>>> > >> > >>>>>>> > >> > A puppet run added another passdb backend, that was >> causing >>>>> my >>>>>>> > issue. >>>>>>> > >> > >>>>>>> > >> > What I still experience is: >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] >>>>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) >>>>>>> > >> > check_sam_security: Couldn't find user 'username' in >>>>> passdb. 
>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] >>>>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >>>>>>> > >> > check_ntlm_password: Authentication for user > [username] >>>> -> >>>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > I also wonder if I shall still sync the users local, or > is >>>> it >>>>>>> > > needed ? >>>>>>> > >> > >>>>>>> > >> > Thanks again, >>>>>>> > >> > >>>>>>> > >> > Matt >>>>>>> > >> > >>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >>>>>>> > >> christopher.lamb at ch.ibm.com>: >>>>>>> > >> >> Hi Matt >>>>>>> > >> >> >>>>>>> > >> >> From our smb.conf file: >>>>>>> > >> >> >>>>>>> > >> >> [global] >>>>>>> > >> >> security = user >>>>>>> > >> >> passdb backend = >>>>>>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >>>>>>> > >> >> ldap admin dn = cn=Directory Manager >>>>>>> > >> >> >>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I > have >>>>> not >>>>>>> > tried >>>>>>> > >> with >>>>>>> > >> > a >>>>>>> > >> >> less powerful user, but it is conceivable that a lesser >>>> user >>>>>>> > may >>>>>>> > not >>>>>>> > >> see >>>>>>> > >> >> all the required attributes, resulting in "no such user" >>>>>>> > errors. >>>>>>> > >> >> >>>>>>> > >> >> Chris >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> >> From: "Matt ." >>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>>>> > >> >> Cc: "freeipa-users at redhat.com" >>>>> >>>>>>> > >> >> Date: 04.08.2015 13:32 >>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server >>>> Auth >>>>>>> > against >>>>>>> > >> IPA >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> >> Hi Chris, >>>>>>> > >> >> >>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now > when >>> I >>>>>>> > add a >>>>>>> > >> >> group from the GUI, great thanks! 
>>>>>>> > >> >> >>>>>>> > >> >> But do you use Directory Manager as ldap admin user or >>> some >>>>>>> > other >>>>>>> > >> >> admin account ? >>>>>>> > >> >> >>>>>>> > >> >> I'm not sure id DM is needed and it should get that deep >>>>> into >>>>>>> > IPA. >>>>>>> > >> >> Also when starting samba it cannot find "such user" as >>> that >>>>>>> > sounds >>>>>>> > >> >> quite known as it has no UID. >>>>>>> > >> >> >>>>>>> > >> >> From your config I see you use DM, this should work ? >>>>>>> > >> >> >>>>>>> > >> >> Thanks! >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> >> Matt >>>>>>> > >> >> >>>>>>> > >> >> >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> > >>>>>>> > >> >>>>>>> > >> -- >>>>>>> > >> Manage your subscription for the Freeipa-users mailing > list: >>>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> > >> Go to http://freeipa.org for more info on the project >>>>>>> > >> >>>>>>> > >> >>>>>>> > >> >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > -- >>>>>>> > > Manage your subscription for the Freeipa-users mailing list: >>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> > > Go to http://freeipa.org for more info on the project >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > >>>>>>> > -- >>>>>>> > Manage your subscription for the Freeipa-users mailing list: >>>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> > Go to http://freeipa.org for more info on the project >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>>> >>> >>> >>> >>> >> >> >> >> > > > > From yamakasi.014 at gmail.com Wed Aug 12 20:15:01 2015 From: yamakasi.014 at gmail.com (Matt .) 
Date: Wed, 12 Aug 2015 22:15:01 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,

OK the default IPA way works great actually when testing it as described here:

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

On the samba server I can auth and see my share where I want to connect to.

The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username.

So, the IPA way should work.

Any comments here ?

Cheers,

Matt

2015-08-12 19:00 GMT+02:00 Matt . :
> Hi Guys,
>
> I'm testing this out and I think I almost setup this on a CentOS samba server.
>
> I'm using the ipa-adtrust way of Youenn but it seems we still need to add (objectclass=sambaSamAccount) ?
>
> Info is welcome!
>
> I will report back when I have it working.
>
> Thanks!
>
> Matt
>
> 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
>
> The next route I will try - is the one Youenn took, using ipa-adtrust
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 10.08.2015 10:03
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> Okay this is good to hear.
>
> But don't we want an IPA managed Scheme ?
>
> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally installed Samba and I wonder why.
>
> Good that we make some progress on making it all clear.
>
> Cheers,
>
> Matt
>
> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>
> ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 09.08.2015 21:17
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi,
>
> Yes I know about "anything" but which way did you use now ?
>
> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>
> Hi Matt
>
> I am on OEL 7.1 - so anything that works on that should be good for RHEL and CentOS 7.x
>
> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
>
> Chris
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 09.08.2015 16:45
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> This sounds great!
>
> What are you using now, both CentOS ? So Samba and FreeIPA ?
>
> Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howtos ?
>
> At least we are going somewhere!
>
> Thanks,
>
> Matt
>
> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>
> Hi Matt
>
> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba Schema extensions" is up and working, almost flawlessly.
>
> I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
>
> So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
>
> The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
>
> There is also an existing alternative to hacking group.py, using "Class of Service" (CoS) documented in this thread from February 2015: https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html . I have not yet tried it, but it sounds reasonable.
>
> Chris
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: "freeipa-users at redhat.com", Youenn PIOLET
> Date: 06.08.2015 16:19
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> OK, then we might create two different versions of the wiki, I think this is nice.
>
> I'm still figuring out why I get that:
>
> IPA Error 4205: ObjectclassViolation
>
> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>
> Matt
>
> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>
> Hi Matt
>
> As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
>
> The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.
>
> The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
>
> Chris
>
> From: "Matt ."
> To: Youenn PIOLET
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 06.08.2015 14:42
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi,
>
> OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all ?
>
> Thanks,
>
> Matt
>
> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>
> Hey guys,
>
> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>
> General idea:
>
> On FreeIPA (4.1)
> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
> - regenerate each user password to build ipaNTHash attribute, not here by default on users
> - use your ldap browser to check ipaNTHash values are here on user objects
> - create a CIFS service for your samba server
> - Create user roles/permissions as described here: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile it.
>
> On SAMBA Server side (CentOS 7...)
> - Install server keytab file for CIFS
> - check ipasam.so is here.
> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
> - make your smb.conf following the linked thread and restart service
>
> I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread : "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself".
>
> Make sure your user has ipaNTHash attribute :)
>
> You may want to debug authentication on samba server, I usually do this: `tail -f /var/log/samba/log* | grep
>
> Cheers
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-08-05 17:40 GMT+02:00 Matt . :
>
> Hi,
>
> This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
>
> Can you paste your commands so we can test out too and report back ?
>
> Thanks!
>
> Matt
>
> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>
> Hi Youenn
>
> Good news that you have got an integration working.
>
> Now you have got it going, and the solution is fresh in your mind, how about adding a How-to page on this solution to the FreeIPA wiki?
>
> Chris
>
> From: Youenn PIOLET
> To: "Matt ."
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 05.08.2015 14:51
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi guys,
>
> Thank you so much for your previous answers.
> I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>
> I found another way to configure smb here: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> It works perfectly.
>
> I'm using module ipasam.so I have manually scp'd to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
> Following the instructions, I created a user role allowing the service principal to read the ipaNTHash value from the LDAP.
> ipaNTHash are generated each time a user changes his password.
> Authentication works perfectly on Windows 7, 8 and 10.
>
> For more details, the previously linked thread is quite clear.
>
> Cheers
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-08-05 11:10 GMT+02:00 Matt . :
>
> Hi Chris.
>
> Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>
> I'm still getting:
>
> IPA Error 4205: ObjectclassViolation
>
> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>
> When adding a user.
>
> I also see "class" as field name under my "Last name", this is not OK also.
>
> We sure need to make some howto, I think we can nail this down :)
>
> Thanks for the heads up!
>
> Matthijs
>
> 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>
> Hi Matt
>
> If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>
> #!RESULT OK
> #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> #!DATE 2015-08-05T05:45:04.608
> dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> changetype: modify
> add: ipaCustomFields
> ipaCustomFields: Samba Group Type,sambagrouptype,true
>
> After that I then have a visible attribute ipaCustomFields as expected.
>
> When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>
> Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>
> Chris
>
> From: Christopher Lamb/Switzerland/IBM at IBMCH
> To: "Matt ."
> Cc: "freeipa-users at redhat.com"
> Date: 05.08.2015 07:31
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi Matt
>
> I also got the same result at that step, but can see nothing in Apache Directory Studio.
>
> As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>
> Looking more closely at that LDIF: I wonder should it not be:
>
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> changetype: modify
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
>
> i.e. changetype: modify, instead of changetype add ?
>
> I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around more destructively.
>
> Chris
>>>>>>>> > >> >>
>>>>>>>> > >> >> Matt
>>>>>>>> > >> >>
>>>>>>>> > >>
>>>>>>>> > >> --
>>>>>>>> > >> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> > >> Go to http://freeipa.org for more info on the project
>>>>>>>> > >
>>>>>>>> >

From dewanggaba at xtremenitro.org Thu Aug 13 08:01:40 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Thu, 13 Aug 2015 15:01:40 +0700
Subject: [Freeipa-users] Sudo command not working
In-Reply-To: <20150812142614.GY3609@hendrix.redhat.com>
References: <55CB3C7C.7040909@xtremenitro.org> <20150812123649.GX3609@hendrix.redhat.com> <55CB3F9F.3070904@xtremenitro.org> <20150812142614.GY3609@hendrix.redhat.com>
Message-ID: <55CC4EE4.7050904@xtremenitro.org>

Hello!

Should I reboot the machine after changing sudo.conf file?

On 08/12/2015 09:26 PM, Jakub Hrozek wrote:
> On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/12/2015 07:36 PM, Jakub Hrozek wrote:
>>> On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having problem with sudo command, the sudo command was successfully
>>>> initiated. But user still requested for password. For example :
>>>>
>>>> ipa-client $ sudo -l
>>>> Matching Defaults entries for subhan on this host:
>>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User subhan may run the following commands on this host:
>>>>     (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
>>>>
>>>> ipa-server $ ipa user-show subhan
>>>>   User login: subhan
>>>>   First name: [REMOVED]
>>>>   Last name: [REMOVED]
>>>>   Home directory: /home/subhan
>>>>   Login shell: /bin/bash
>>>>   Email address: [REMOVED]
>>>>   UID: 642000007
>>>>   GID: 642000007
>>>>   Job Title: Developer
>>>>   Account disabled: False
>>>>   Password: False
>>>>   Member of groups: g_gmt_developer, developer
>>>>   Member of Sudo rule: gmt_developer
>>>>   Member of HBAC rule: gmt_webserver
>>>>   Kerberos keys available: False
>>>>   SSH public key fingerprint: [REMOVED]
>>>>
>>>> ipa-server $ ipa sudocmd-find
>>>> -----------------------
>>>> 2 Sudo Commands matched
>>>> -----------------------
>>>>   Sudo Command: /bin/tail
>>>>   Sudo Command Groups: reading-files
>>>>
>>>>   Sudo Command: /usr/bin/tail
>>>>   Sudo Command Groups: reading-files
>>>>
>>>> ipa-server $ ipa sudorule-show gmt_developer
>>>>   Rule name: gmt_developer
>>>>   Enabled: TRUE
>>>>   Users: subhan
>>>>   User Groups: g_gmt_developer
>>>>   Host Groups: gmt_webserver
>>>>   Sudo Allow Command Groups: reading-files
>>>>   RunAs Users: subhan
>>>>   Sudo Option: !authenticate
>>>>
>>>> ipa-client $ sudo tail -f /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>> ipa-client $ sudo tail /var/log/nginx/access.log
>>>> [sudo] password for subhan:
>>>>
>>>> There's no information from sssd_sudo.log about this issue.
>>>
>>> In general sssd acts as a cache of the sudo rules, the decision to auth
>>> or not is done by sudo. So on the sssd side you can make sure the sudo
>>> option value was fetched, but you'll probably get a more useful
>>> debugging from sudo itself.
>>>
>>
>> Here is the sudo message from /var/log/secure :
>>
>> Aug 12 19:41:05 rosaliaindah su: pam_unix(su-l:session): session opened
>> for user subhan by dewangga(uid=0)
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
>> Aug 12 19:41:14 rosaliaindah sudo: pam_unix(sudo:auth): auth could not
>> identify password for [subhan]
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): authentication
>> failure; logname=dewangga uid=642000007 euid=0 tty=/dev/pts/0
>> ruser=subhan rhost= user=subhan
>> Aug 12 19:41:14 rosaliaindah sudo: pam_sss(sudo:auth): received for user
>> subhan: 7 (Authentication failure)
>> Aug 12 19:41:14 rosaliaindah sudo: subhan : command not allowed ;
>> TTY=pts/0 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/tail -f
>> /var/log/nginx/error.log
>>
>> The sudo option (!authenticate) should be working, because I can invoke
>> `sudo -l` command without password. So I think sssd is not the problem.
>> CMIIW. :)
>
> Look into man sudo.conf, depending on your sudo version the options to
> enable debugging for sudo differ.
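An added example, not code from the thread, from sudo or from FreeIPA. The `sudo -l` listing quoted in the message above shows the rule as `(subhan) NOPASSWD: /bin/tail, /usr/bin/tail`: the parenthesised part is the RunAs user, so the rule only applies when the target user is subhan, while the failing invocation in /var/log/secure shows `USER=root`, which is what `sudo tail` asks for by default. The script parses the privilege section of a `sudo -l` listing and evaluates a (target user, command) request against it the way sudoers does: a rule must match on both RunAs and command before its NOPASSWD tag counts, and sudo authenticates before it reports that an unmatched command is not allowed, so a non-matching request still prompts for a password and is then refused. The `sudo -l` text inside the script is copied from the message (Defaults shortened); the function names are the example's own, and matching is on the command path only, without argument matching.

```python
"""Evaluate a `sudo -l` listing the way sudoers does: RunAs and command must match.

Added example, not from the thread or from sudo itself. SUDO_L_OUTPUT is copied
from the quoted `sudo -l` output (Defaults shortened); rule lines have the form
"(runas_user[ : runas_group]) [TAG: ...] cmd, cmd". Matching is on the resolved
command path only; sudoers argument matching is not modelled here.
"""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    runas_users: tuple   # identities the rule lets the command run as
    nopasswd: bool       # NOPASSWD tag (what FreeIPA's "!authenticate" shows up as)
    commands: tuple      # absolute paths, or "ALL"


def parse_sudo_l(output):
    """Return the rules listed under "User X may run the following commands"."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if re.match(r"User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", line)
        if not m:
            continue
        runas_spec, rest = m.groups()
        user_part = runas_spec.split(":")[0]          # drop the ": group" half
        users = tuple(u.strip() for u in user_part.split(",") if u.strip()) or ("root",)
        tags = set()
        while True:                                   # leading NOPASSWD:/PASSWD:/SETENV: tags
            t = re.match(r"\s*([A-Z]+):\s*(.*)", rest)
            if not t:
                break
            tags.add(t.group(1))
            rest = t.group(2)
        commands = tuple(c.strip() for c in rest.split(",") if c.strip())
        rules.append(Rule(users, "NOPASSWD" in tags, commands))
    return rules


def evaluate(rules, target_user, command):
    """Return (allowed, needs_password) for running `command` as `target_user`.

    sudo targets root unless -u is given, and it authenticates before deciding
    whether an unmatched command is allowed, so a non-matching request costs a
    password prompt and is then refused ("command not allowed" in the log).
    """
    for r in rules:
        if "ALL" not in r.runas_users and target_user not in r.runas_users:
            continue
        if "ALL" not in r.commands and command not in r.commands:
            continue
        return True, not r.nopasswd
    return False, True


SUDO_L_OUTPUT = """\
Matching Defaults entries for subhan on this host:
    requiretty, !visiblepw, always_set_home, env_reset

User subhan may run the following commands on this host:
    (subhan) NOPASSWD: /bin/tail, /usr/bin/tail
"""


def thread_case():
    """The two invocations from the thread: `sudo tail` vs `sudo -u subhan tail`."""
    rules = parse_sudo_l(SUDO_L_OUTPUT)
    return {
        "root": evaluate(rules, "root", "/bin/tail"),      # (False, True): prompt, then denied
        "subhan": evaluate(rules, "subhan", "/bin/tail"),  # (True, False): runs without a password
    }


if __name__ == "__main__":
    for target, (allowed, needs_pw) in thread_case().items():
        print(f"as {target}: allowed={allowed} password_required={needs_pw}")
```

On a real host the same question can be put to sudo directly with `sudo -l -u subhan /bin/tail` versus `sudo -l /bin/tail`, which reports whether the command is permitted for that target user without running it.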

From jhrozek at redhat.com Thu Aug 13 08:09:07 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 13 Aug 2015 10:09:07 +0200
Subject: [Freeipa-users] Sudo command not working
In-Reply-To: <55CC4EE4.7050904@xtremenitro.org>
References: <55CB3C7C.7040909@xtremenitro.org> <20150812123649.GX3609@hendrix.redhat.com> <55CB3F9F.3070904@xtremenitro.org> <20150812142614.GY3609@hendrix.redhat.com> <55CC4EE4.7050904@xtremenitro.org>
Message-ID: <20150813080907.GD18390@hendrix.redhat.com>

On Thu, Aug 13, 2015 at 03:01:40PM +0700, Dewangga Bachrul Alam wrote:
> Hello!
>
> Should I reboot the machine after changing sudo.conf file?

No, it's read by sudo on every invocation. There is no sudo daemon or such.

From dewanggaba at xtremenitro.org Thu Aug 13 08:39:20 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Thu, 13 Aug 2015 15:39:20 +0700
Subject: [Freeipa-users] Having problem with pwd_expiration
Message-ID: <55CC57B8.409@xtremenitro.org>

Hello!

I've discovered something about pwd_expiration on freeipa 4.1.4, I got a line
from sssd_DOMAIN.log :

... snip ...
(Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
... snip ...

$ ipa pwpolicy-find
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

The password policy should apply for the next 90 days after I create the
password, shouldn't it? But when I tried to login, the password was expired.

$ sudo su -
[sudo] password for subhan:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:
sudo: pam_chauthtok: Authentication token manipulation error

Every time I reset the password from ipa server, the password always expired
before 90 days (based on global_policy).

Got this from /var/log/secure (on ipa client):

Aug 13 15:23:59 rosaliaindah sudo: pam_sss(sudo:auth): received for user subhan: 12 (Authentication token is no longer valid; new one required)
Aug 13 15:24:01 rosaliaindah sudo: pam_sss(sudo:account): User info message: Password expired. Change your password now.
Aug 13 15:24:01 rosaliaindah sudo: subhan : Account or password is expired, reset your password and try again ; TTY=pts/2 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
Aug 13 15:24:01 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
Aug 13 15:24:09 rosaliaindah sudo: pam_unix(sudo:chauthtok): user "subhan" does not exist in /etc/passwd
Aug 13 15:24:10 rosaliaindah sudo: pam_sss(sudo:chauthtok): Password change failed for user subhan: 22 (Authentication token lock busy)
Aug 13 15:24:10 rosaliaindah sudo: subhan : pam_chauthtok: Authentication token manipulation error ; TTY=pts/2 ; PWD=/home/subhan ; USER=root ; COMMAND=/bin/su -
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): conversation failed
Aug 13 15:24:11 rosaliaindah sudo: pam_unix(sudo:auth): auth could not identify password for [subhan]

Got a clue from http://www.redhat.com/archives/freeipa-users/2015-January/msg00183.html,
but still no luck. I added krb5_auth_timeout = 30s to sssd.conf.

Note: krb5_child.log shows nothing.

From piolet.y at gmail.com Thu Aug 13 08:53:50 2015
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Thu, 13 Aug 2015 10:53:50 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Matt

- CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
  sambaSamAccount is not needed anymore that way.
- Default IPA Way : won't work if your Windows is not part of a domain
  controller. DOMAIN\username may work for some users using Windows 7 - not 8
  nor 10 (it did for me but I was the only one at the office... quite useless)

This config may work on your CentOS (for the ipasam way):

workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = FILE:/<.....>/samba.keytab
create krb5 conf = no
security = user
encrypt passwords = true
passdb backend = ipasam:ldaps://youripa.test.net
ldapsam:trusted = yes
ldap suffix = dc=test,dc=net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts

--
Youenn Piolet
piolet.y at gmail.com

2015-08-12 22:15 GMT+02:00 Matt . :
> Hi,
>
> OK the default IPA way works great actually when testing it as described
> here:
>
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> On the samba server I can auth and see my share where I want to connect to.
>
> The issue is, on Windows I cannot auth, even when I do DOMAIN\username
> as username
>
> So, the IPA way should work.
>
> Any comments here ?
>
> Cheers,
>
> Matt
>
> 2015-08-12 19:00 GMT+02:00 Matt . :
> > Hi Guys,
> >
> > I'm testing this out and I think I almost have it set up, on a CentOS
> > samba server.
> >
> > I'm using the ipa-adtrust way of Youenn but it seems we still need to
> > add (objectclass=sambaSamAccount)) ?
> >
> > Info is welcome!
> >
> > I will report back when I have it working.
> >
> > Thanks!
> >
> > Matt
> >
> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
> >> The next route I will try - is the one Youenn took, using ipa-adtrust
> >>
> >> From: "Matt ."
> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> >> Date: 10.08.2015 10:03
> >>Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>
> >> Hi Chris,
> >>
> >> Okay this is good to hear.
> >>
> >> But don't we want an IPA managed Scheme ?
> >>
> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally
> >> installed Samba and I wonder why.
> >>
> >> Good that we make some progress on making it all clear.
> >>
> >> Cheers,
> >>
> >> Matt
> >>
> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
> >>> ldapsam + the samba extensions, pretty much as described in the Techslaves
> >>> article. Once I have a draft for the wiki page, I will mail you.
> >>>
> >>> From: "Matt ."
> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> >>> Date: 09.08.2015 21:17
> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>
> >>> Hi,
> >>>
> >>> Yes I know about "anything" but which way did you use now ?
> >>>
> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
> >>>> Hi Matt
> >>>>
> >>>> I am on OEL 7.1. - so anything that works on that should be good for RHEL
> >>>> and CentOS 7.x
> >>>>
> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
> >>>> have suggested earlier, we will likely end up with several, one for each of
> >>>> the possible integration paths.
> >>>>
> >>>> Chris
> >>>>
> >>>> From: "Matt ."
> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> >>>> Date: 09.08.2015 16:45
> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>
> >>>> Hi Chris,
> >>>>
> >>>> This sounds great!
> >>>>
> >>>> What are you using now, both CentOS ? So Samba and FreeIPA ?
> >>>>
> >>>> Maybe it's good to explain which way you used now in steps too, so we
> >>>> can combine or create multiple howtos ?
> >>>>
> >>>> At least we are going somewhere!
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Matt
> >>>>
> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
> >>>>> Hi Matt
> >>>>>
> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba
> >>>>> Schema extensions" is up and working, almost flawlessly.
> >>>>>
> >>>>> I can add users and groups via the FreeIPA CLI, and they get the correct
> >>>>> ObjectClasses / attributes required for Samba.
> >>>>>
> >>>>> So far I have not yet bothered to try the extensions to the WebUI, because
> >>>>> it is currently giving me the classic "Your session has expired. Please
> >>>>> re-login." error which renders the WebUI useless.
> >>>>>
> >>>>> The only problem I have so far encountered managing Samba / FreeIPA users
> >>>>> via FreeIPA CLI commands is with the handling of the attribute
> >>>>> sambaPwdLastSet. This is the subject of an existing thread, also updated
> >>>>> today.
> >>>>>
> >>>>> There is also an existing alternative to hacking group.py, using "Class of
> >>>>> Service" (CoS) documented in this thread from February 2015
> >>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html .
> >>>>> I have not yet tried it, but it sounds reasonable.
> >>>>>
> >>>>> Chris
> >>>>>
> >>>>> From: "Matt ."
> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
> >>>>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
> >>>>> Date: 06.08.2015 16:19
> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>>
> >>>>> Hi Chris,
> >>>>>
> >>>>> OK, then we might create two different versions of the wiki, I think
> >>>>> this is nice.
> >>>>>
> >>>>> I'm still figuring out why I get that:
> >>>>>
> >>>>> IPA Error 4205: ObjectclassViolation
> >>>>>
> >>>>> missing attribute "sambaGroupType" required by object class
> >>>>> "sambaGroupMapping"
> >>>>>
> >>>>> Matt
> >>>>>
> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
> >>>>>> Hi Matt
> >>>>>>
> >>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
> >>>>>> integration paths.
> >>>>>>
> >>>>>> The route I took is suited where there is no Active Directory involved: In
> >>>>>> my case all the Windows, OSX and Linux clients are islands that sit on the
> >>>>>> same network.
> >>>>>>
> >>>>>> The route that Youenn has taken (unless I have got completely the wrong end
> >>>>>> of the stick) requires Active Directory in the architecture.
> >>>>>>
> >>>>>> Chris
> >>>>>>
> >>>>>> From: "Matt ."
> >>>>>> To: Youenn PIOLET
> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> >>>>>> Date: 06.08.2015 14:42
> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> OK, this sounds already quite logical, but I'm still referring to the
> >>>>>> old howto we found earlier, does that one still apply somewhere or not
> >>>>>> at all ?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Matt
> >>>>>>
> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
> >>>>>>> Hey guys,
> >>>>>>>
> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
> >>>>>>>
> >>>>>>> General idea:
> >>>>>>>
> >>>>>>> On FreeIPA (4.1)
> >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
> >>>>>>>   attribute, also known as SID)
> >>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by
> >>>>>>>   default on users
> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
> >>>>>>> - create a CIFS service for your samba server
> >>>>>>> - Create user roles/permissions as described here:
> >>>>>>>   http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> >>>>>>>   so that CIFS service will be able to read ipaNTsecurityidentifier and
> >>>>>>>   ipaNTHash attributes in LDAP (ACI)
> >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) :
> >>>>>>>   scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
> >>>>>>>   You can also try to recompile it.
> >>>>>>>
> >>>>>>> On SAMBA Server side (CentOS 7...)
> >>>>>>> - Install server keytab file for CIFS
> >>>>>>> - check ipasam.so is here.
> >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
> >>>>>>>   uid=admin ipaNTHash` thanks to kerberos
> >>>>>>> - make your smb.conf following the linked thread and restart service
> >>>>>>>
> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
> >>>>>>> ipasam may use quite recent functionalities, the best is to just try. You
> >>>>>>> can read in previous thread : "If you insist on Ubuntu you need to get
> >>>>>>> ipasam somewhere, most likely to compile it yourself".
> >>>>>>>
> >>>>>>> Make sure your user has ipaNTHash attribute :)
> >>>>>>>
> >>>>>>> You may want to debug authentication on samba server, I usually do this:
> >>>>>>> `tail -f /var/log/samba/log* | grep
> >>>>>>>
> >>>>>>> Cheers
> >>>>>>> --
> >>>>>>> Youenn Piolet
> >>>>>>> piolet.y at gmail.com
> >>>>>>>
> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> This sounds great to me too, but a howto would help to make it more
> >>>>>>>> clear about what you have done here. The thread confuses me a little
> >>>>>>>> bit.
> >>>>>>>>
> >>>>>>>> Can you paste your commands so we can test out too and report back ?
> >>>>>>>>
> >>>>>>>> Thanks!
> >>>>>>>>
> >>>>>>>> Matt
> >>>>>>>>
> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
> >>>>>>>> > Hi Youenn
> >>>>>>>> >
> >>>>>>>> > Good news that you have got an integration working
> >>>>>>>> >
> >>>>>>>> > Now you have got it going, and the solution is fresh in your mind, how
> >>>>>>>> > about adding a How-to page on this solution to the FreeIPA wiki?
> >>>>>>>> >
> >>>>>>>> > Chris
> >>>>>>>> >
> >>>>>>>> > From: Youenn PIOLET
> >>>>>>>> > To: "Matt ."
> >>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> >>>>>>>> > Date: 05.08.2015 14:51
> >>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>>>>> >
> >>>>>>>> > Hi guys,
> >>>>>>>> >
> >>>>>>>> > Thank you so much for your previous answers.
> >>>>>>>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
> >>>>>>>> > ipa-adtrust-install --add-sids
> >>>>>>>> >
> >>>>>>>> > I found another way to configure smb here:
> >>>>>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> >>>>>>>> > It works perfectly.
> >>>>>>>> >
> >>>>>>>> > I'm using module ipasam.so I have manually scp'd to the samba server,
> >>>>>>>> > Samba is set to use kerberos + ldapsam via this ipasam module.
> >>>>>>>> > Following the instructions, I created a user role allowing the service
> >>>>>>>> > principal to read the ipaNTHash value from the LDAP.
> >>>>>>>> > ipaNTHash values are generated each time a user changes his password.
> >>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10.
> >>>>>>>> >
> >>>>>>>> > For more details, the previously linked thread is quite clear.
> >>>>>>>> >
> >>>>>>>> > Cheers
> >>>>>>>> >
> >>>>>>>> > --
> >>>>>>>> > Youenn Piolet
> >>>>>>>> > piolet.y at gmail.com
> >>>>>>>> >
> >>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
> >>>>>>>> > Hi Chris.
> >>>>>>>> >
> >>>>>>>> > Yes, Apache Studio did that but I was not sure why it complained it
> >>>>>>>> > was "already" there.
> >>>>>>>> >
> >>>>>>>> > I'm still getting:
> >>>>>>>> >
> >>>>>>>> > IPA Error 4205: ObjectclassViolation
> >>>>>>>> >
> >>>>>>>> > missing attribute "sambaGroupType" required by object class
> >>>>>>>> > "sambaGroupMapping"
> >>>>>>>> >
> >>>>>>>> > When adding a user.
> >>>>>>>> >
> >>>>>>>> > I also see "class" as fieldname under my "Last name", this is not OK
> >>>>>>>> > also.
> >>>>>>>> >
> >>>>>>>> > We sure need to make some howto, I think we can nail this down :)
> >>>>>>>> >
> >>>>>>>> > Thanks for the heads up!
> >>>>>>>> >
> >>>>>>>> > Matthijs
> >>>>>>>> >
> >>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
> >>>>>>>> > > Hi Matt
> >>>>>>>> > >
> >>>>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
> >>>>>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
> >>>>>>>> > > below:
> >>>>>>>> > >
> >>>>>>>> > > #!RESULT OK
> >>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> >>>>>>>> > > #!DATE 2015-08-05T05:45:04.608
> >>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> >>>>>>>> > > changetype: modify
> >>>>>>>> > > add: ipaCustomFields
> >>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
> >>>>>>>> > >
> >>>>>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
> >>>>>>>> > >
> >>>>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
> >>>>>>>> > > attribute type in a drop down list.
> >>>>>>>> > >
> >>>>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
> >>>>>>>> > > Wiki.
> >>>>>>>> > >
> >>>>>>>> > > Chris
> >>>>>>>> > >
> >>>>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
> >>>>>>>> > > To: "Matt ."
> >>>>>>>> > > Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> >>>>>>>> > > Date: 05.08.2015 07:31
> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>>>>> > > Sent by: freeipa-users-bounces at redhat.com
> >>>>>>>> > >
> >>>>>>>> > > Hi Matt
> >>>>>>>> > >
> >>>>>>>> > > I also got the same result at that step, but can see nothing in Apache
> >>>>>>>> > > Directory Studio.
> >>>>>>>> > >
> >>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they
> >>>>>>>> > > probably were migrated with all the required attributes.
> >>>>>>>> > >
> >>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
> >>>>>>>> > >
> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> >>>>>>>> > > changetype: modify
> >>>>>>>> > > add: ipaCustomFields
> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> >>>>>>>> > > EOF
> >>>>>>>> > >
> >>>>>>>> > > i.e. changetype: modify, instead of changetype: add ?
> >>>>>>>> > >
> >>>>>>>> > > I don't want to play around with my prod directory - I will setup an EL
> >>>>>>>> > > 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
> >>>>>>>> > > around more destructively.
> >>>>>>>> > >
> >>>>>>>> > > Chris
> >>>>>>>> > >
> >>>>>>>> > > From: "Matt ."
> >>>>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> >>>>>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> >>>>>>>> > > Date: 05.08.2015 01:01
> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>>>>> > >
> >>>>>>>> > > Hi Chris,
> >>>>>>>> > >
> >>>>>>>> > > I'm on the right path, but my issue is that:
> >>>>>>>> > >
> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> >>>>>>>> > > changetype: add
> >>>>>>>> > > add: ipaCustomFields
> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> >>>>>>>> > > EOF
> >>>>>>>> > >
> >>>>>>>> > > does say it exists, my ldap explorer doesn't show it, and when I add
> >>>>>>>> > > it manually as an attribute it still fails when I add a user on this
> >>>>>>>> > > sambagrouptype as it's needed by the other attributes
> >>>>>>>> > >
> >>>>>>>> > > So that is my issue I think so far.
> >>>>>>>> > >
> >>>>>>>> > > Any clue about that ?
> >>>>>>>> > >
> >>>>>>>> > > No problem "you don't know something or are no guru", we are all
> >>>>>>>> > > learning! :)
> >>>>>>>> > >
> >>>>>>>> > > Cheers,
> >>>>>>>> > >
> >>>>>>>> > > Matt
> >>>>>>>> > >
> >>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> >>>>>>>> > >> Hi Matt, Youenn
> >>>>>>>> > >>
> >>>>>>>> > >> Just to set the background properly, I did not invent this process. I
> >>>>>>>> > >> know only a little about FreeIPA, and almost nothing about Samba, but I
> >>>>>>>> > >> guess I was lucky enough to get the integration working on a Sunday
> >>>>>>>> > >> afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a
> >>>>>>>> > >> reference).
> >>>>>>>> > >>
> >>>>>>>> > >> It sounds like we need to step back, and look at the test user and group
> >>>>>>>> > >> in the FreeIPA LDAP tree. I find using an LDAP browser makes this much
> >>>>>>>> > >> easier.
> >>>>>>>> > >>
> >>>>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
> >>>>>>>> > >> (cn=accounts, cn=users):
> >>>>>>>> > >>
> >>>>>>>> > >> * objectClass: sambasamaccount
> >>>>>>>> > >>
> >>>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
> >>>>>>>> > >>
> >>>>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
> >>>>>>>> > >> (cn=accounts, cn=groups):
> >>>>>>>> > >>
> >>>>>>>> > >> * objectClass: sambaGroupMapping
> >>>>>>>> > >>
> >>>>>>>> > >> * Attributes: sambaGroupType, sambaSID
> >>>>>>>> > >>
> >>>>>>>> > >> The Users must belong to one or more of the samba groups that you have
> >>>>>>>> > >> setup.
> >>>>>>>> > >>
> >>>>>>>> > >> If you don't have something similar to the above (which sounds like it is
> >>>>>>>> > >> the case), then something went wrong applying the extensions. It would be
> >>>>>>>> > >> worth comparing a new user / group created after adding the extensions
> >>>>>>>> > >> to a previously existing user.
> >>>>>>>> > >>
> >>>>>>>> > >> i.e.
> >>>>>>>> > >> are the extensions missing on existing users / groups?
> >>>>>>>> > >> are the extensions missing on new users / groups?
> >>>>>>>> > >>
> >>>>>>>> > >> Cheers
> >>>>>>>> > >>
> >>>>>>>> > >> Chris
> >>>>>>>> > >>
> >>>>>>>> > >> From: Youenn PIOLET
> >>>>>>>> > >> To: "Matt ."
> >>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> >>>>>>>> > >> Date: 04.08.2015 18:56
> >>>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >>>>>>>> > >>
> >>>>>>>> > >> Hi there,
> >>>>>>>> > >>
> >>>>>>>> > >> I have difficulties to follow you at this point :)
> >>>>>>>> > >> Here is what I've done and what I've understood:
> >>>>>>>> > >>
> >>>>>>>> > >> ## SMB Side
> >>>>>>>> > >> - Testparm OK
> >>>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
> >>>>>>>> > >> - pdbedit -Lv output is all successful but I can see there is a filter :
> >>>>>>>> > >>   (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
> >>>>>>>> > >>   sambaSamAccount.
> >>>>>>>> > >>
> >>>>>>>> > >> ## LDAP / FreeIPA side
> >>>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
> >>>>>>>> > >>   server to get samba LDAP extensions.
> >>>>>>>> > >> - I can see samba classes exist in LDAP but are not used on my group
> >>>>>>>> > >>   objects nor my user objects
> >>>>>>>> > >> - I have added sambaSamAccount to FreeIPA default user classes,
> >>>>>>>> > >>   and sambaGroupMapping to default group classes. In that state I can't
> >>>>>>>> > >>   create users nor groups anymore, as new samba attributes are needed for
> >>>>>>>> > >>   instantiation.
> >>>>>>>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> >>>>>>>> > >>   but I don't get what it does.
> >>>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the "local"
> >>>>>>>> > >>   option when creating a group in FreeIPA, supposed to set sambagrouptype
> >>>>>>>> > >>   to 4 or 2 (domain). It doesn't work and tells that the sambagrouptype
> >>>>>>>> > >>   attribute doesn't exist (but it should now I put the sambaGroupType
> >>>>>>>> > >>   class by default...)
> >>>>>>>> > >>
> >>>>>>>> > >> ## Questions
> >>>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> >>>>>>>> > >>    instead? I guess no.
> >>>>>>>> > >> 1) How to generate the user/group SIDs ? They are requested to add
> >>>>>>>> > >>    sambaSamAccount classes.
> >>>>>>>> > >>    This article doesn't seem relevant since we don't use a domain controller
> >>>>>>>> > >>    http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> >>>>>>>> > >>    and `net getlocalsid` returns an error.
> >>>>>>>> > >> 2) How to fix samba.js plugin?
> >>>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can
> >>>>>>>> > >>    I find it?
> >>>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
> >>>>>>>> > >>    7?
> >>>>>>>> > >>
> >>>>>>>> > >> Thanks a lot for your previous and future answers
> >>>>>>>> > >>
> >>>>>>>> > >> --
> >>>>>>>> > >> Youenn Piolet
> >>>>>>>> > >> piolet.y at gmail.com
> >>>>>>>> > >>
> >>>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
> >>>>>>>> > >> Hi,
> >>>>>>>> > >>
> >>>>>>>> > >> Yes, log is anonymised.
> >>>>>>>> > >>
> >>>>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I
> >>>>>>>> > >> change its password it doesn't get it in ldap.
> >>>>>>>> > >> > >>>>>>>> > >> There must be something going wrong I guess. > >>>>>>>> > >> > >>>>>>>> > >> Matt > >>>>>>>> > >> > >>>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb > >>>>>>>> > > >>>>>>>> > >> >: > >>>>>>>> > >> > Hi Matt > >>>>>>>> > >> > > >>>>>>>> > >> > I assume [username] is a real username, identical to > that > >>>> in > >>>>>>>> > the > >>>>>>>> > >> FreeIPA > >>>>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the > log > >>>>>>>> > extract). > >>>>>>>> > >> > > >>>>>>>> > >> > You user should be a member of the appropriate samba > >>> groups > >>>>>>>> > that > >>>>>>>> > you > >>>>>>>> > >> setup > >>>>>>>> > >> > in FreeIPA. > >>>>>>>> > >> > > >>>>>>>> > >> > You should check that the user attribute > SambaPwdLastSet > >>> is > >>>>>> set > >>>>>>>> > to > >>>>>>>> > a > >>>>>>>> > >> > positive value (e.g. 1). If not you get an error in the > >>>>> Samba > >>>>>>>> > logs > >>>>>>>> > - > >>>>>>>> > > I > >>>>>>>> > >> > would need to play around again with a test user to > find > >>>> out > >>>>>>>> > the > >>>>>>>> > > exact > >>>>>>>> > >> > error. > >>>>>>>> > >> > > >>>>>>>> > >> > I don't understand what you mean about syncing the > users > >>>>>> local, > >>>>>>>> > but > >>>>>>>> > > we > >>>>>>>> > >> did > >>>>>>>> > >> > not need to do anything like that. > >>>>>>>> > >> > > >>>>>>>> > >> > Chris > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > From: "Matt ." > >>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH > >>>>>>>> > >> > Cc: "freeipa-users at redhat.com" > >>>>> > >>>>>>>> > >> > Date: 04.08.2015 15:33 > >>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server > >>>> Auth > >>>>>>>> > against > >>>>>>>> > >> IPA > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > Hi Chris, > >>>>>>>> > >> > > >>>>>>>> > >> > A puppet run added another passdb backend, that was > >>> causing > >>>>>> my > >>>>>>>> > issue. 
> >>>>>>>> > >> > > >>>>>>>> > >> > What I still experience is: > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] > >>>>>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) > >>>>>>>> > >> > check_sam_security: Couldn't find user 'username' in > >>>>>> passdb. > >>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] > >>>>>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) > >>>>>>>> > >> > check_ntlm_password: Authentication for user > >> [username] > >>>>> -> > >>>>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > I also wonder if I shall still sync the users local, or > >> is > >>>>> it > >>>>>>>> > > needed ? > >>>>>>>> > >> > > >>>>>>>> > >> > Thanks again, > >>>>>>>> > >> > > >>>>>>>> > >> > Matt > >>>>>>>> > >> > > >>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < > >>>>>>>> > >> christopher.lamb at ch.ibm.com>: > >>>>>>>> > >> >> Hi Matt > >>>>>>>> > >> >> > >>>>>>>> > >> >> From our smb.conf file: > >>>>>>>> > >> >> > >>>>>>>> > >> >> [global] > >>>>>>>> > >> >> security = user > >>>>>>>> > >> >> passdb backend = > >>>>>>>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com > >>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com > >>>>>>>> > >> >> ldap admin dn = cn=Directory Manager > >>>>>>>> > >> >> > >>>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I > >> have > >>>>>> not > >>>>>>>> > tried > >>>>>>>> > >> with > >>>>>>>> > >> > a > >>>>>>>> > >> >> less powerful user, but it is conceivable that a > lesser > >>>>> user > >>>>>>>> > may > >>>>>>>> > not > >>>>>>>> > >> see > >>>>>>>> > >> >> all the required attributes, resulting in "no such > user" > >>>>>>>> > errors. > >>>>>>>> > >> >> > >>>>>>>> > >> >> Chris > >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> >> From: "Matt ." 
> >>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH > >>>>>>>> > >> >> Cc: "freeipa-users at redhat.com" > >>>>>> > >>>>>>>> > >> >> Date: 04.08.2015 13:32 > >>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba > Server > >>>>> Auth > >>>>>>>> > against > >>>>>>>> > >> IPA > >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> >> Hi Chris, > >>>>>>>> > >> >> > >>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now > >> when > >>>> I > >>>>>>>> > add a > >>>>>>>> > >> >> group from the GUI, great thanks! > >>>>>>>> > >> >> > >>>>>>>> > >> >> But do you use Directory Manager as ldap admin user or > >>>> some > >>>>>>>> > other > >>>>>>>> > >> >> admin account ? > >>>>>>>> > >> >> > >>>>>>>> > >> >> I'm not sure id DM is needed and it should get that > deep > >>>>>> into > >>>>>>>> > IPA. > >>>>>>>> > >> >> Also when starting samba it cannot find "such user" as > >>>> that > >>>>>>>> > sounds > >>>>>>>> > >> >> quite known as it has no UID. > >>>>>>>> > >> >> > >>>>>>>> > >> >> From your config I see you use DM, this should work ? > >>>>>>>> > >> >> > >>>>>>>> > >> >> Thanks! 
> >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> >> Matt > >>>>>>>> > >> >> > >>>>>>>> > >> >> > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > > >>>>>>>> > >> > >>>>>>>> > >> -- > >>>>>>>> > >> Manage your subscription for the Freeipa-users mailing > >> list: > >>>>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>>>>> > >> Go to http://freeipa.org for more info on the project > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > -- > >>>>>>>> > > Manage your subscription for the Freeipa-users mailing list: > >>>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>>>>> > > Go to http://freeipa.org for more info on the project > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > >>>>>>>> > -- > >>>>>>>> > Manage your subscription for the Freeipa-users mailing list: > >>>>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>>>>> > Go to http://freeipa.org for more info on the project > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>> > >>>> > >>>> > >>>> > >>> > >>> > >>> > >>> > >> > >> > >> > >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dewanggaba at xtremenitro.org Thu Aug 13 09:14:00 2015 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Thu, 13 Aug 2015 16:14:00 +0700 Subject: [Freeipa-users] Sudo command not working In-Reply-To: <20150813080907.GD18390@hendrix.redhat.com> References: <55CB3C7C.7040909@xtremenitro.org> <20150812123649.GX3609@hendrix.redhat.com> <55CB3F9F.3070904@xtremenitro.org> <20150812142614.GY3609@hendrix.redhat.com> <55CC4EE4.7050904@xtremenitro.org> <20150813080907.GD18390@hendrix.redhat.com> Message-ID: <55CC5FD8.3090209@xtremenitro.org> Hello! 
On 08/13/2015 03:09 PM, Jakub Hrozek wrote:
> On Thu, Aug 13, 2015 at 03:01:40PM +0700, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> Should I reboot the machine after changing sudo.conf file?
>
> No, it's read by sudo on every invocation. There is no sudo daemon or
> such.
>

Yes, I found the problem :) Misconfig on `As Whom` category, the current user should not be inserted there :D Got the clue from sudo debug.

... snip ...
Aug 13 15:48:06 sudo[26020] searching SSSD/LDAP for sudoers entries
Aug 13 15:48:06 sudo[26020] sssd/ldap sudoRunAsUser 'subhan' ... not
... snip ...

Thanks Jakub.

From lslebodn at redhat.com Thu Aug 13 09:43:10 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 13 Aug 2015 11:43:10 +0200
Subject: [Freeipa-users] Having problem with pwd_expiration
In-Reply-To: <55CC57B8.409@xtremenitro.org>
References: <55CC57B8.409@xtremenitro.org>
Message-ID: <20150813094310.GL2793@mail.corp.redhat.com>

On (13/08/15 15:39), Dewangga Bachrul Alam wrote:
>Hello!
>
>I've discovered something about pwd_expiration on freeipa 4.1.4,
>I got a line from sssd_DOMAIN.log :
>
>... snip ...
>(Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
>... snip ...
>
>$ ipa pwpolicy-find
>  Group: global_policy
>  Max lifetime (days): 90
>  Min lifetime (hours): 1
>  History size: 0
>  Character classes: 0
>  Min length: 8
>  Max failures: 6
>  Failure reset interval: 60
>  Lockout duration: 600
>
>The password policy should be available for the next 90 days after I created the password, isn't it? But when I tried to log in, the password was expired.
>
>$ sudo su -
>[sudo] password for subhan:
>Password expired. Change your password now.
>sudo: Account or password is expired, reset your password and try again
>Current Password:
>New password:
>Retype new password:
>sudo: pam_chauthtok: Authentication token manipulation error
>
>Every time I reset the password from the ipa server, the password is always expired before 90 days (based on global_policy).
>
If you reset a password from the web UI (or command line) then the user needs to change that password. It's by design. The administrator should not know your password.

However, the situation is different if the password was changed with the command line utility "passwd".

LS

From yamakasi.014 at gmail.com Thu Aug 13 10:02:16 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 13 Aug 2015 12:02:16 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Youenn,

OK thanks! this takes me a little bit further now and I see some good stuff in my logging.

I'm testing on a Windows 10 Machine which is not a member of an AD or so, so that might be my issue for now?

When testing on the samba box itself as my user I get:

[myusername at smb-01 ~]$ smbclient //smb-01.domain.local/shares
...
Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
...
SPNEGO login failed: NT_STATUS_WRONG_PASSWORD

Maybe I have an issue with encrypted passwords?

When we have this all working, I think we have a howto :D

Thanks!

Matt

2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
> Hi Matt
>
> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly? sambaSamAccount is not needed anymore that way.
> - Default IPA Way : won't work if your Windows is not part of a domain controller. DOMAIN\username may work for some users using Windows 7 - not 8 nor 10 (it did for me but I was the only one at the office... quite useless)
>
> This config may work on your CentOS (for the ipasam way):
> workgroup = TEST
> realm = TEST.NET
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/<.....>/samba.keytab
> create krb5 conf = no
> security = user
> encrypt passwords = true
> passdb backend = ipasam:ldaps://youripa.test.net
> ldapsam:trusted = yes
> ldapsuffix = test.net
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
>
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
>
> 2015-08-12 22:15 GMT+02:00 Matt . :
>>
>> Hi,
>>
>> OK the default IPA way works great actually when testing it as described here:
>>
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>> On the samba server I can auth and see my share where I want to connect to.
>>
>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username
>>
>> So, the IPA way should work.
>>
>> Any comments here?
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>> Hi Guys,
>>>
>>> I'm testing this out and I think I almost have this set up, on a CentOS samba server.
>>>
>>> I'm using the ipa-adtrust way of Youenn but it seems we still need to add (objectclass=sambaSamAccount)) ?
>>>
>>> Info is welcome!
>>>
>>> I will report back when I have it working.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
>>>> The next route I will try - is the one Youenn took, using ipa-adtrust
>>>>
>>>>
>>>> From: "Matt ."
>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> Date: 10.08.2015 10:03
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>
>>>> Hi Chris,
>>>>
>>>> Okay this is good to hear.
>>>>
>>>> But don't we want an IPA managed Scheme?
>>>>
>>>> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally installed Samba and I wonder why.
>>>>
>>>> Good that we make some progress on making it all clear.
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>>>>> ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
>>>>>
>>>>>
>>>>> From: "Matt ."
>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>> Date: 09.08.2015 21:17
>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>
>>>>> Hi,
>>>>>
>>>>> Yes I know about "anything" but which way did you use now?
>>>>>
>>>>>
>>>>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>>>>>> Hi Matt
>>>>>>
>>>>>> I am on OEL 7.1. - so anything that works on that should be good for RHEL and CentOS 7.x
>>>>>>
>>>>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>>
>>>>>> From: "Matt ."
>>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>> Date: 09.08.2015 16:45
>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>
>>>>>> Hi Chris,
>>>>>>
>>>>>> This sounds great!
>>>>>>
>>>>>> What are you using now, both CentOS? So Samba and FreeIPA?
>>>>>>
>>>>>> Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howto's?
>>>>>>
>>>>>> At least we are going somewhere!
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>>>>>>> Hi Matt
>>>>>>>
>>>>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba Schema extensions" is up and working, almost flawlessly.
>>>>>>>
>>>>>>> I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
>>>>>>>
>>>>>>> So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
>>>>>>>
>>>>>>> The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
>>>>>>>
>>>>>>> There is also an existing alternative to hacking group.py, using "Class of Service" (Cos) documented in this thread from February 2015
>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
>>>>>>> I have not yet tried it, but it sounds reasonable.
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>> From: "Matt ."
>>>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
>>>>>>> Date: 06.08.2015 16:19
>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> OK, then we might create two different versions of the wiki, I think this is nice.
>>>>>>>
>>>>>>> I'm still figuring out why I get that:
>>>>>>>
>>>>>>> IPA Error 4205: ObjectclassViolation
>>>>>>>
>>>>>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>>>>>>> Hi Matt
>>>>>>>>
>>>>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
>>>>>>>>
>>>>>>>> The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.
>>>>>>>>
>>>>>>>> The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>>
>>>>>>>> From: "Matt ."
>>>>>>>> To: Youenn PIOLET
>>>>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>> Date: 06.08.2015 14:42
>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>>>>>>> Hey guys,
>>>>>>>>>
>>>>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>>>>>>
>>>>>>>>> General idea:
>>>>>>>>>
>>>>>>>>> On FreeIPA (4.1)
>>>>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
>>>>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by default on users
>>>>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>>>>>>> - create a CIFS service for your samba server
>>>>>>>>> - Create user roles/permissions as described here:
>>>>>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
>>>>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile it.
>>>>>>>>>
>>>>>>>>> On SAMBA Server side (CentOS 7...)
>>>>>>>>> - Install server keytab file for CIFS
>>>>>>>>> - check ipasam.so is here.
>>>>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
>>>>>>>>> - make your smb.conf following the linked thread and restart service
>>>>>>>>>
>>>>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread : "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself".
>>>>>>>>>
>>>>>>>>> Make sure your user has ipaNTHash attribute :)
>>>>>>>>>
>>>>>>>>> You may want to debug authentication on samba server, I usually do this:
>>>>>>>>> `tail -f /var/log/samba/log* | grep
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>> --
>>>>>>>>> Youenn Piolet
>>>>>>>>> piolet.y at gmail.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
>>>>>>>>>>
>>>>>>>>>> Can you paste your commands so we can test out too and report back?
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> Matt
>>>>>>>>>>
>>>>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>>>>>>>>>> Hi Youenn
>>>>>>>>>>>
>>>>>>>>>>> Good news that you have got an integration working
>>>>>>>>>>>
>>>>>>>>>>> Now you have got it going, and the solution is fresh in your mind, how about adding a How-to page on this solution to the FreeIPA wiki?
>>>>>>>>>>>
>>>>>>>>>>> Chris
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> From: Youenn PIOLET
>>>>>>>>>>> To: "Matt ."
>>>>>>>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>>>>> Date: 05.08.2015 14:51
>>>>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>>>>
>>>>>>>>>>> Hi guys,
>>>>>>>>>>>
>>>>>>>>>>> Thank you so much for your previous answers.
>>>>>>>>>>> I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>>>>>>>>>>>
>>>>>>>>>>> I found another way to configure smb here:
>>>>>>>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>>>>>>> It works perfectly.
>>>>>>>>>>>
>>>>>>>>>>> I'm using module ipasam.so I have manually scp'd to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
>>>>>>>>>>> Following the instructions, I created a user role allowing service principal to read ipaNTHash value from the LDAP.
>>>>>>>>>>> ipaNTHash are generated each time a user changes his password.
>>>>>>>>>>> Authentication works perfectly on Windows 7, 8 and 10.
>>>>>>>>>>>
>>>>>>>>>>> For more details, the previously linked thread is quite clear.
>>>>>>>>>>>
>>>>>>>>>>> Cheers
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Youenn Piolet
>>>>>>>>>>> piolet.y at gmail.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-08-05 11:10 GMT+02:00 Matt . :
>>>>>>>>>>> Hi Chris.
>>>>>>>>>>>
>>>>>>>>>>> Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>>>>>>>>>>>
>>>>>>>>>>> I'm still getting:
>>>>>>>>>>>
>>>>>>>>>>> IPA Error 4205: ObjectclassViolation
>>>>>>>>>>>
>>>>>>>>>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>>>>>>>>
>>>>>>>>>>> When adding a user.
>>>>>>>>>>>
>>>>>>>>>>> I also see "class" as field name under my "Last name", this is not OK also.
>>>>>>>>>>>
>>>>>>>>>>> We sure need to make some howto, I think we can nail this down :)
>>>>>>>>>>>
>>>>>>>>>>> Thanks for the heads up!
>>>>>>>>>>>
>>>>>>>>>>> Matthijs
>>>>>>>>>>>
>>>>>>>>>>> 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>>>>>>>>>> Hi Matt
>>>>>>>>>>>>
>>>>>>>>>>>> If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>>>>>>>>>>>>
>>>>>>>>>>>> #!RESULT OK
>>>>>>>>>>>> #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>>>>>>>>>> #!DATE 2015-08-05T05:45:04.608
>>>>>>>>>>>> dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> add: ipaCustomFields
>>>>>>>>>>>> ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>>>>>>>>>>
>>>>>>>>>>>> After that I then have a visible attribute ipaCustomFields as expected.
>>>>>>>>>>>>
>>>>>>>>>>>> When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>>>>>>>>>>>>
>>>>>>>>>>>> Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>>>>>>>>>>>>
>>>>>>>>>>>> Chris
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>>>>>>> To: "Matt ."
>>>>>>>>>>>> Cc: "freeipa-users at redhat.com"
>>>>>>>>>>>> Date: 05.08.2015 07:31
>>>>>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>>>>> Sent by: freeipa-users-bounces at redhat.com
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Matt
>>>>>>>>>>>>
>>>>>>>>>>>> I also got the same result at that step, but can see nothing in Apache Directory Studio.
>>>>>>>>>>>>
>>>>>>>>>>>> As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>>>>>>>>>>>>
>>>>>>>>>>>> Looking more closely at that LDIF: I wonder should it not be:
>>>>>>>>>>>>
>>>>>>>>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>>>>>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> add: ipaCustomFields
>>>>>>>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>>>>>>> EOF
>>>>>>>>>>>>
>>>>>>>>>>>> i.e. changetype: modify, instead of changetype add?
>>>>>>>>>>>>
>>>>>>>>>>>> I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around more destructively.
>>>>>>>>>>>>
>>>>>>>>>>>> Chris
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> From: "Matt ."
>>>>>>>>>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>>>>>>>>>> Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>>>>>>>>>> Date: 05.08.2015 01:01
>>>>>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Chris,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm at the right path, but my issue is that:
>>>>>>>>>>>>
>>>>>>>>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>>>>>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>>>>>>> changetype: add
>>>>>>>>>>>> add: ipaCustomFields
>>>>>>>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>>>>>>> EOF
>>>>>>>>>>>>
>>>>>>>>>>>> Does say it exists, my ldap explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes
>>>>>>>>>>>>
>>>>>>>>>>>> So that is my issue I think so far.
>>>>>>>>>>>>
>>>>>>>>>>>> Any clue about that?
>>>>>>>>>>>>
>>>>>>>>>>>> No problem "you don't know something or are no guru" we are all learning! :)
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>
>>>>>>>>>>>> Matt
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>>>>>>>> Hi Matt, Youenn
>>>>>>>>>>>>>
>>>>>>>>>>>>> Just to set the background properly, I did not invent this process. I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>>>>>>>>>>>
>>>>>>>>>>>>> It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):
>>>>>>>>>>>>>
>>>>>>>>>>>>> * objectClass: sambasamaccount
>>>>>>>>>>>>>
>>>>>>>>>>>>> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>>>>>>>>>>>
>>>>>>>>>>>>> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):
>>>>>>>>>>>>>
>>>>>>>>>>>>> * objectClass: sambaGroupMapping
>>>>>>>>>>>>>
>>>>>>>>>>>>> * Attributes: sambaGroupType, sambaSID
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Users must belong to one or more of the samba groups that you have setup.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions. It would be worth testing comparing a new user / group created post adding the extensions to a previous existing user.
>>>>>>>>>>>>>
>>>>>>>>>>>>> i.e.
>>>>>>>>>>>>> are the extensions missing on existing users / groups?
>>>>>>>>>>>>> are the extensions missing on new users / groups?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers
>>>>>>>>>>>>>
>>>>>>>>>>>>> Chris
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: Youenn PIOLET
>>>>>>>>>>>>> To: "Matt ."
>>>>>>>>>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>>>>>>>>>>> Date: 04.08.2015 18:56
>>>>>>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi there,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have difficulties to follow you at this point :)
>>>>>>>>>>>>> Here is what I've done and what I've understood:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ## SMB Side
>>>>>>>>>>>>> - Testparm OK
>>>>>>>>>>>>> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>>>>>>>>>>>>> - pdbedit -Lv output is all successful but I can see there is a filter: (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have sambaSamAccount.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ## LDAP / FreeIPA side
>>>>>>>>>>>>> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions.
>>>>>>>>>>>>> - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects
>>>>>>>>>>>>> - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create users nor groups anymore, as new samba attributes are needed for instantiation.
>>>>>>>>>>>>> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
>>>>>>>>>>>>> - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...)
>>>>>>>>>>>>>
>>>>>>>>>>>>> ## Questions
>>>>>>>>>>>>> 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
>>>>>>>>>>>>> 1) How to generate the user/group SIDs? They are requested to add sambaSamAccount classes. This article doesn't seem relevant since we don't use a domain controller
>>>>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>>>>>>>>>>>>> and netgetlocalsid returns an error.
>>>>>>>>>>>>> 2) How to fix samba.js plugin?
>>>>>>>>>>>>> 3) I guess an equivalent of samba.js is needed for user creation, where can I find it?
>>>>>>>>>>>>> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks a lot for your previous and future answers
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Youenn Piolet
>>>>>>>>>>>>> piolet.y at gmail.com
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-08-04 17:55 GMT+02:00 Matt . :
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, log is anonymised.
>>>>>>>>>>>>>
>>>>>>>>>>>>> It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.
>>>>>>>>>>>>>
>>>>>>>>>>>>> There must be something going wrong I guess.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-08-04 17:45 GMT+02:00 Christopher Lamb:
>>>>>>>>>>>>>> Hi Matt
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I assume [username] is a real username, identical to that in the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Your user should be a member of the appropriate samba groups that you setup in FreeIPA.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You should check that the user attribute SambaPwdLastSet is set to a positive value (e.g. 1). If not you get an error in the Samba logs - I would need to play around again with a test user to find out the exact error.
>> >>>>>>>> > >> > >> >>>>>>>> > >> > I don't understand what you mean about syncing the >> >>>>>>>> > users >> >>>>>> local, >> >>>>>>>> > but >> >>>>>>>> > > we >> >>>>>>>> > >> did >> >>>>>>>> > >> > not need to do anything like that. >> >>>>>>>> > >> > >> >>>>>>>> > >> > Chris >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > From: "Matt ." >> >>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >> >>>>>>>> > >> > Cc: "freeipa-users at redhat.com" >> >>>>> >> >>>>>>>> > >> > Date: 04.08.2015 15:33 >> >>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba >> >>>>>>>> > Server >> >>>> Auth >> >>>>>>>> > against >> >>>>>>>> > >> IPA >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > Hi Chris, >> >>>>>>>> > >> > >> >>>>>>>> > >> > A puppet run added another passdb backend, that was >> >>> causing >> >>>>>> my >> >>>>>>>> > issue. >> >>>>>>>> > >> > >> >>>>>>>> > >> > What I still experience is: >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] >> >>>>>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) >> >>>>>>>> > >> > check_sam_security: Couldn't find user 'username' in >> >>>>>> passdb. >> >>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] >> >>>>>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >> >>>>>>>> > >> > check_ntlm_password: Authentication for user >> >> [username] >> >>>>> -> >> >>>>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > I also wonder if I shall still sync the users local, >> >>>>>>>> > or >> >> is >> >>>>> it >> >>>>>>>> > > needed ? 
>> >>>>>>>> > >> > >> >>>>>>>> > >> > Thanks again, >> >>>>>>>> > >> > >> >>>>>>>> > >> > Matt >> >>>>>>>> > >> > >> >>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >> >>>>>>>> > >> christopher.lamb at ch.ibm.com>: >> >>>>>>>> > >> >> Hi Matt >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> From our smb.conf file: >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> [global] >> >>>>>>>> > >> >> security = user >> >>>>>>>> > >> >> passdb backend = >> >>>>>>>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >> >>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >> >>>>>>>> > >> >> ldap admin dn = cn=Directory Manager >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I >> >> have >> >>>>>> not >> >>>>>>>> > tried >> >>>>>>>> > >> with >> >>>>>>>> > >> > a >> >>>>>>>> > >> >> less powerful user, but it is conceivable that a >> >>>>>>>> > lesser >> >>>>> user >> >>>>>>>> > may >> >>>>>>>> > not >> >>>>>>>> > >> see >> >>>>>>>> > >> >> all the required attributes, resulting in "no such >> >>>>>>>> > user" >> >>>>>>>> > errors. >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> Chris >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> From: "Matt ." >> >>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >> >>>>>>>> > >> >> Cc: "freeipa-users at redhat.com" >> >>>>>> >> >>>>>>>> > >> >> Date: 04.08.2015 13:32 >> >>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba >> >>>>>>>> > Server >> >>>>> Auth >> >>>>>>>> > against >> >>>>>>>> > >> IPA >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> Hi Chris, >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now >> >> when >> >>>> I >> >>>>>>>> > add a >> >>>>>>>> > >> >> group from the GUI, great thanks! 
>> >>>>>>>> > >> >> >> >>>>>>>> > >> >> But do you use Directory Manager as ldap admin user >> >>>>>>>> > or >> >>>> some >> >>>>>>>> > other >> >>>>>>>> > >> >> admin account ? >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> I'm not sure id DM is needed and it should get that >> >>>>>>>> > deep >> >>>>>> into >> >>>>>>>> > IPA. >> >>>>>>>> > >> >> Also when starting samba it cannot find "such user" >> >>>>>>>> > as >> >>>> that >> >>>>>>>> > sounds >> >>>>>>>> > >> >> quite known as it has no UID. >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> From your config I see you use DM, this should work ? >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> Thanks! >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> Matt >> >>>>>>>> > >> >> >> >>>>>>>> > >> >> >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> > >> >>>>>>>> > >> >> >>>>>>>> > >> -- >> >>>>>>>> > >> Manage your subscription for the Freeipa-users mailing >> >> list: >> >>>>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>>>>>> > >> Go to http://freeipa.org for more info on the project >> >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > > >> >>>>>>>> > > >> >>>>>>>> > > >> >>>>>>>> > > >> >>>>>>>> > > -- >> >>>>>>>> > > Manage your subscription for the Freeipa-users mailing >> >>>>>>>> > list: >> >>>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>>>>>> > > Go to http://freeipa.org for more info on the project >> >>>>>>>> > > >> >>>>>>>> > > >> >>>>>>>> > > >> >>>>>>>> > > >> >>>>>>>> > >> >>>>>>>> > -- >> >>>>>>>> > Manage your subscription for the Freeipa-users mailing list: >> >>>>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>>>>>> > Go to http://freeipa.org for more info on the project >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>> >> >>>>>>> >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>> >> >>>> >> >>>> >> >>>> >> >>> >> >>> >> >>> >> >>> >> >> >> >> >> >> >> >> > > From seli.irithyl 
at gmail.com Thu Aug 13 10:12:03 2015
From: seli.irithyl at gmail.com (seli irithyl)
Date: Thu, 13 Aug 2015 12:12:03 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To:
References: <20150811113955.GX3609@hendrix.redhat.com>
Message-ID:

In the logs, there are lots of warnings concerning the pki tomcat server:

Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.
Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used: /usr/bin/java
Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: org.apache.catalina.startup.Bootstrap
Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base
Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djav
Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.Catalina load
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization processed in 995 ms
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardService startInternal
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service Catalina
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardEngine startInternal
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Setting container
Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Initializing authenticators
Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Starting authenticators
Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 13,391 ms
Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.jasper.EmbeddedServletOptions
Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir you specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is unusable.
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 2,683 ms
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8080"]
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8443"]
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.Catalina start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms

May this be related to my slow login problem?
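The question above is whether the pki-tomcat startup noise has anything to do with the slow login, and the quoted message below already holds the timing evidence: `id test` takes 2.3 s cold and 5 ms once cached, and in sssd_nss.log three seconds pass between the get-domains request and its teardown. Rather than reading such logs by eye, the first triage step is to let a script find the large gaps between consecutive timestamped entries. What follows is an added example, not code posted by anyone in this thread. It parses the two formats quoted here (journald lines as shown for pki-tomcat, and SSSD debug lines, e-mail quote markers tolerated) and reports the largest gaps with the entries on either side. The function names are mine, the sample lines are constructed, shortened copies of the excerpts in the thread, and the handling of SSSD's `debug_microseconds` timestamps assumes they are written as `HH:MM:SS:uuuuuu`.

```python
"""Locate where the time goes in a slow login by measuring the gaps between
consecutive timestamped log entries (journald and SSSD debug formats).

Added example for this thread; not code posted by anyone in it.
"""
import re
from datetime import datetime

# journald line: "Aug 13 09:51:59 lead.bioinf.local server[5213]: message"
# journald prints no year, so the caller supplies it (default 2015).
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<rest>.*)$")

# SSSD debug line: "(Wed Aug 12 17:09:56 2015) [sssd[nss]] [func] (0x0400): message"
# With debug_microseconds = True the seconds are assumed to be followed by
# ":uuuuuu" (assumption, see lead-in).
SSSD_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?::(?P<us>\d{6}))? (?P<year>\d{4})\) (?P<rest>.*)$")


def parse_line(line, year=2015):
    """Return (datetime, message) for a timestamped line, or None otherwise.

    Leading e-mail quote markers ("> ") are stripped so pasted excerpts can be
    fed in as-is; wrapped continuation lines carry no timestamp and are skipped.
    """
    line = line.lstrip("> ").rstrip()
    m = SSSD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        if m["us"]:
            ts = ts.replace(microsecond=int(m["us"]))
        return ts, m["rest"]
    m = JOURNAL_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        return ts, m["rest"]
    return None


def find_gaps(lines, threshold_s=1.0, year=2015):
    """Return (seconds, entry_before, entry_after) for each pair of consecutive
    timestamped entries more than threshold_s apart, largest gap first."""
    entries = [e for e in (parse_line(l, year) for l in lines) if e is not None]
    gaps = []
    for (t0, m0), (t1, m1) in zip(entries, entries[1:]):
        delta = (t1 - t0).total_seconds()
        if delta > threshold_s:
            gaps.append((delta, m0, m1))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps


def report(name, lines, top=3):
    """Human-readable summary of the largest gaps in one log."""
    gaps = find_gaps(lines)
    out = [f"{name}: {len(gaps)} gap(s) over 1 s"]
    for delta, before, after in gaps[:top]:
        out.append(f"  {delta:6.1f} s  after:  {before[:70]}")
        out.append(f"           before: {after[:70]}")
    return "\n".join(out)


# Constructed, shortened copy of the pki-tomcat journal excerpt above.
PKI_TOMCAT_LOG = """\
Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization processed in 995 ms
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Starting authenticators
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 13,391 ms
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms
"""

# Constructed, shortened copy of the sssd_nss.log excerpt quoted below, quote markers kept.
SSSD_NSS_LOG = """\
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
> (Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
"""

if __name__ == "__main__":
    print(report("pki-tomcat journal", PKI_TOMCAT_LOG.splitlines()))
    print(report("sssd_nss.log", SSSD_NSS_LOG.splitlines()))
```

On the pki-tomcat excerpt the largest gap (11 s) sits between "Starting authenticators" and the ca.xml deployment finishing, which is just the 13,391 ms the log itself reports; on the SSSD excerpt it is the 3 s between the last 17:09:56 entry and the request teardown. The same script runs unchanged over the domain log (sssd_bioinf.local.log) and sssd_pam.log, where a PAM or LDAP round trip that stalls will show up as the top gap. Because both formats carry whole-second timestamps, anything under a second is invisible; set `debug_microseconds = True` in sssd.conf before chasing sub-second delays.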
On Wed, Aug 12, 2015 at 5:21 PM, seli irithyl wrote: > > if I ssh with an ipa user, authentication hangs on "we sent a > gssapi-with-mic packet, wait for reply" from 5s to 10s > if I ssh with local user, auth is nearly immediate (less than 1s) > > > From a client : > [test at argon ~]$ time id test > uid=1713400050(test) gid=1713400050(test) > groups=1713400050(test),1713400004(bioinfo) > > real 0m2.269s > user 0m0.001s > sys 0m0.004s > > [test at argon ~]$ time id test > uid=1713400050(test) gid=1713400050(test) > groups=1713400050(test),1713400004(bioinfo) > > real 0m0.005s > user 0m0.002s > sys 0m0.003s > > > [test at argon ~]$ time ipa user-find test > -------------- > 1 user matched > -------------- > User login: test > First name: test > Last name: user > Home directory: /home/test > Login shell: /bin/bash > Email address: test at bioinf.local > UID: 1713400050 > GID: 1713400050 > Account disabled: False > Password: True > Kerberos keys available: True > ---------------------------- > Number of entries returned 1 > ---------------------------- > > real 0m1.464s > user 0m0.348s > sys 0m0.062s > > > Following the guide you sent me: > On the server: > > [root at lead sssd]# systemctl status sssd > sssd.service - System Security Services Daemon > Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) > Drop-In: /etc/systemd/system/sssd.service.d > ??journal.conf > Active: active (running) since Wed 2015-08-12 16:55:50 CEST; 11min ago > Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited, > status=0/SUCCESS) > Main PID: 6496 (sssd) > CGroup: /system.slice/sssd.service > ??6496 /usr/sbin/sssd -D -f > ??6497 /usr/libexec/sssd/sssd_be --domain bioinf.local --uid 0 > --gid 0 --debug-to-files > ??6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 > --debug-to-files > ??6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 > --debug-to-files > ??6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0 > --debug-to-files > ??6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 
> --debug-to-files > ??6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 > --debug-to-files > ??6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 > --debug-to-files > > Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up > Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up > Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up > Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up > Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up > Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1 > Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1 > Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System Security > Services Daemon. > Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1 > Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 2 > > > [root at lead sssd]# more /etc/nsswitch.conf > passwd: files sss > shadow: files sss > group: files sss > #initgroups: files > > #hosts: db files nisplus nis dns > hosts: files dns > > # Example - obey only what nisplus tells us... 
> #services: nisplus [NOTFOUND=return] files > #networks: nisplus [NOTFOUND=return] files > #protocols: nisplus [NOTFOUND=return] files > #rpc: nisplus [NOTFOUND=return] files > #ethers: nisplus [NOTFOUND=return] files > #netmasks: nisplus [NOTFOUND=return] files > > bootparams: nisplus [NOTFOUND=return] files > > ethers: files > netmasks: files > networks: files > protocols: files > rpc: files > services: files sss > > netgroup: files sss > > publickey: nisplus > > automount: files > > aliases: files > > > [root at lead sssd]# date > Wed Aug 12 17:09:50 CEST 2015 > [root at lead sssd]# systemctl restart sssd > [root at lead sssd]# getent passwd test > test:*:1713400050:1713400050:test user:/home/test:/bin/bash > > > sssd_nss.log: > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_responder_ctx_destructor] > (0x0400): Responder is being shut down > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: > /var/lib/sss/db/config.ldb > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal] > (0x0400): No enumeration for [bioinf.local]! > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400): > Adding connection 0x7ff00ae60ec0 > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): > Sending ID: (nss,1) > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] > (0x0100): Using re > [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using > fq format [%1$s@%2$s]. > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400): > Adding connection 0x7ff00ae60b00 > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100): > Sending ID to DP: (1,NSS) > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal] > (0x0200): DB File for bioinf.local: /var/lib/sss/db/cache_bioinf.local.ldb > (Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to > register control with rootdse! 
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/root] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/polkitd] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'avahi' matched without domain, user is avahi
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/avahi] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'colord' matched without domain, user is colord
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/colord] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'rtkit' matched without domain, user is rtkit
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/rtkit] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pulse' matched without domain, user is pulse
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/pulse] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'gdm' matched without domain, user is gdm
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/gdm] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'postfix' matched without domain, user is postfix
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/postfix] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/root] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'avahi' matched without domain, user is avahi
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/avahi] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'colord' matched without domain, user is colord
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/colord] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'rtkit' matched without domain, user is rtkit
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pulse' matched without domain, user is pulse
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/pulse] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'gdm' matched without domain, user is gdm
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/gdm] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'postfix' matched without domain, user is postfix
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/postfix] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/sbin/nologin in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/tcsh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/csh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [bioinf.local][]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff00a44a670:domains@bioinf.local]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
> (Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [root].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [root], fail!
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [root].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [test].
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from []
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [test@bioinf.local]
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [test@bioinf.local]
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> sssd.conf:
> [sssd]
> debug_level = 6
> config_file_version = 2
> services = nss, pam, autofs, ssh, sudo
> domains = bioinf.local
>
> [nss]
> debug_level = 6
> filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
> filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
> reconnection_retries = 3
> entry_cache_timeout = 300
> entry_cache_nowait_percentage = 75
>
> [pam]
> debug_level = 6
>
> [domain/bioinf.local]
> enumerate = false
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = bioinf.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = lead.bioinf.local
> chpass_provider = ipa
> ipa_server = _srv_, lead.bioinf.local
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_lifetime = 1d
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 3600
>
>
> [ssh]
> debug_level = 6
>
> [autofs]
> debug_level = 6
>
> [sudo]
>
>
> On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek wrote:
>
>> On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
>> > Hi,
>> >
>> > I inherited a server (the guy that built it left) running centos 7 and
>> > Identity Management (Kerberos, 389DS, ...) with NFS.
>> > Everything concerning login (with network accounts) is very slow (several
>> > seconds).
>> > I already solved a lot of problems on this server (DNS, NTP, firewall, ...),
>> > but I am neither a sysadmin nor a linux guru and I don't know where and
>> > what to look for?
>> > Kerberos? 389DS? NFS? SElinux? sssd? ...
>>
>> Can you define "slow" better? Can you estimate how big is your
>> environment?
>>
>> I would start by comparing the time it takes to search the entry in LDAP
>> or kinit with login through GDM or SSH. Then, if the times differ, look
>> into SSSD.
>> Some pointers are here:
>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dewanggaba at xtremenitro.org Thu Aug 13 10:47:38 2015
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Thu, 13 Aug 2015 17:47:38 +0700
Subject: [Freeipa-users] Having problem with pwd_expiration
In-Reply-To: <20150813094310.GL2793@mail.corp.redhat.com>
References: <55CC57B8.409@xtremenitro.org> <20150813094310.GL2793@mail.corp.redhat.com>
Message-ID: <55CC75CA.6090108@xtremenitro.org>

Hello!

On 08/13/2015 04:43 PM, Lukas Slebodnik wrote:
> On (13/08/15 15:39), Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've discovered something about pwd_expiration on freeipa 4.1.4.
>> I got a line from sssd_DOMAIN.log:
>>
>> ... snip ...
>> (Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
>> ... snip ...
>>
>> $ ipa pwpolicy-find
>>   Group: global_policy
>>   Max lifetime (days): 90
>>   Min lifetime (hours): 1
>>   History size: 0
>>   Character classes: 0
>>   Min length: 8
>>   Max failures: 6
>>   Failure reset interval: 60
>>   Lockout duration: 600
>>
>> The password should be valid for the next 90 days after I create it,
>> shouldn't it? But when I tried to log in, the password was expired.
>>
>> $ sudo su -
>> [sudo] password for subhan:
>> Password expired. Change your password now.
>> sudo: Account or password is expired, reset your password and try again
>> Current Password:
>> New password:
>> Retype new password:
>> sudo: pam_chauthtok: Authentication token manipulation error
>>
>> Every time I reset the password from the ipa server, the password always
>> expires before 90 days (based on global_policy).
>>
> If you reset the password from the web UI (or command line)
> then the user needs to change that password.
> It's by design. The administrator should not know your password.
>

Yes, you're right, but the user complains that the password has expired, and
when the user tries to change the password it fails with "Authentication
token manipulation error".

> However, the
> situation is different if the password was changed with the command line utility
> "passwd".
>
> LS
>

I've tried both of them (web UI & CLI), still no luck. Screenshot attached:
the password expiry does not follow the global_policy. I've created another
new user, and it was the same as with user `subhan`. The password expiry does
not follow global_policy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: subhan.png
Type: image/png
Size: 156850 bytes
Desc: not available
URL:

From jhrozek at redhat.com Thu Aug 13 11:05:30 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 13 Aug 2015 13:05:30 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To:
References: <20150811113955.GX3609@hendrix.redhat.com>
Message-ID: <20150813110530.GF18390@hendrix.redhat.com>

On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> In the logs, there are lots of warnings concerning the pki tomcat server:
>
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP Server.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting system-pki\x2dtomcatd.slice.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice system-pki\x2dtomcatd.slice.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat Server.
> Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.
> Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used: /usr/bin/java
> Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: org.apache.catalina.startup.Bootstrap
> Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base
> Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djav
> Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
> Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
> Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8443"]
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.Catalina load
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization processed in 995 ms
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardService startInternal
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service Catalina
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardEngine startInternal
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
> Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
> Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Setting container
> Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Initializing authenticators
> Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Starting authenticators
> Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 13,391 ms
> Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.jasper.EmbeddedServletOptions
> Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir you specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is unusable.
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.HostConfig deployDescriptor
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 2,683 ms
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8080"]
> Aug 13 09: 52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8443"]
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.Catalina start
> Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms
>
> May this be related to my slow login problem?

I don't think so. You really need to look into the sssd domain log and check what requests (getAccountInfo) take the longest.

From yamakasi.014 at gmail.com Thu Aug 13 11:09:31 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 13 Aug 2015 13:09:31 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi,

I might have found something which I had already seen in the logs.

I did a smbpasswd for my username on the samba server; it connects to ldap very well. I give my new password and get the following:

smbldap_search_ext: base => [dc=my,dc=domain], filter => [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1----my--sid---)))], scope => [2]
Attribute [displayName] not found.
Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
Sid S-1----my--sid--- -> MYDOMAIN\Default SMB Group(2)

So something is missing!

Thanks so far guys!

Cheers,

Matt

2015-08-13 12:02 GMT+02:00 Matt . :
> Hi Youenn,
>
> OK thanks! This takes me a little bit further now and I see some good
> stuff in my logging.
>
> I'm testing on a Windows 10 machine which is not a member of an AD or
> so, so that might be my issue for now?
>
> When testing on the samba box itself as my user I get:
>
>
> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>
> ...
> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
> ...
> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>
>
> Maybe I have an issue with encrypted passwords?
>
>
> When we have this all working, I think we have a howto :D
>
> Thanks!
>
> Matt
>
> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>> Hi Matt
>>
>> - CentOS: Did you copy ipasam.so and change your smb.conf accordingly?
>>   sambaSamAccount is not needed anymore that way.
>> - Default IPA Way: won't work if your Windows is not part of a domain
>>   controller. DOMAIN\username may work for some users using Windows 7 - not 8
>>   nor 10 (it did for me but I was the only one at the office... quite useless)
>>
>> This config may work on your CentOS (for the ipasam way):
>>
>>   workgroup = TEST
>>   realm = TEST.NET
>>   kerberos method = dedicated keytab
>>   dedicated keytab file = FILE:/<.....>/samba.keytab
>>   create krb5 conf = no
>>   security = user
>>   encrypt passwords = true
>>   passdb backend = ipasam:ldaps://youripa.test.net
>>   ldapsam:trusted = yes
>>   ldap suffix = dc=test,dc=net
>>   ldap user suffix = cn=users,cn=accounts
>>   ldap group suffix = cn=groups,cn=accounts
>>
>>
>> --
>> Youenn Piolet
>> piolet.y at gmail.com
>>
>>
>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>> Hi,
>>>
>>> OK the default IPA way works great actually when testing it as described here:
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>> On the samba server I can auth and see my share where I want to connect to.
>>>
>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username.
>>>
>>> So, the IPA way should work.
>>>
>>> Any comments here?
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>> > Hi Guys,
>>> >
>>> > I'm testing this out and I think I almost have this set up, on a CentOS samba
>>> > server.
>>> >
>>> > I'm using the ipa-adtrust way of Youenn but it seems we still need to
>>> > add (objectclass=sambaSamAccount))?
>>> >
>>> > Info is welcome!
>>> >
>>> > I will report back when I have it working.
>>> >
>>> > Thanks!
>>> >
>>> > Matt
>>> >
>>> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
>>> >> The next route I will try - is the one Youenn took, using ipa-adtrust
>>> >>
>>> >>
>>> >> From: "Matt ."
>>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>> >> Date: 10.08.2015 10:03
>>> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> >>
>>> >>
>>> >> Hi Chris,
>>> >>
>>> >> Okay this is good to hear.
>>> >>
>>> >> But don't we want an IPA managed schema?
>>> >>
>>> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally
>>> >> installed Samba and I wonder why.
>>> >>
>>> >> Good that we make some progress on making it all clear.
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Matt
>>> >>
>>> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>>> >>> ldapsam + the samba extensions, pretty much as described in the Techslaves
>>> >>> article. Once I have a draft for the wiki page, I will mail you.
>>> >>>
>>> >>>
>>> >>> From: "Matt ."
>>> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>> >>> Date: 09.08.2015 21:17
>>> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> >>>
>>> >>>
>>> >>> Hi,
>>> >>>
>>> >>> Yes I know about "anything" but which way did you use now?
>>> >>>
>>> >>>
>>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>>> >>>> Hi Matt
>>> >>>>
>>> >>>> I am on OEL 7.1, so anything that works on that should be good for RHEL
>>> >>>> and Centos 7.x
>>> >>>>
>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
>>> >>>> have suggested earlier, we will likely end up with several, one for each of
>>> >>>> the possible integration paths.
>>> >>>>
>>> >>>> Chris
>>> >>>>
>>> >>>>
>>> >>>> From: "Matt ."
>>> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>> >>>> Date: 09.08.2015 16:45
>>> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> >>>>
>>> >>>>
>>> >>>> Hi Chris,
>>> >>>>
>>> >>>> This sounds great!
>>> >>>>
>>> >>>> What are you using now, both CentOS? So Samba and FreeIPA?
>>> >>>>
>>> >>>> Maybe it's good to explain which way you used now in steps too, so we
>>> >>>> can combine or create multiple howtos?
>>> >>>>
>>> >>>> At least we are going somewhere!
>>> >>>>
>>> >>>> Thanks,
>>> >>>>
>>> >>>> Matt
>>> >>>>
>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>>> >>>>> Hi Matt
>>> >>>>>
>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba
>>> >>>>> Schema extensions" is up and working, almost flawlessly.
>>> >>>>>
>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the correct
>>> >>>>> ObjectClasses / attributes required for Samba.
>>> >>>>>
>>> >>>>> So far I have not yet bothered to try the extensions to the WebUI, because
>>> >>>>> it is currently giving me the classic "Your session has expired. Please
>>> >>>>> re-login." error which renders the WebUI useless.
>>> >>>>>
>>> >>>>> The only problem I have so far encountered managing Samba / FreeIPA users
>>> >>>>> via FreeIPA CLI commands is with the handling of the attribute
>>> >>>>> sambaPwdLastSet. This is the subject of an existing thread, also updated
>>> >>>>> today.
>>> >>>>>
>>> >>>>> There is also an existing alternative to hacking group.py, using "Class of
>>> >>>>> Service" (CoS) documented in this thread from February 2015
>>> >>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html .
>>> >>>>> I have not yet tried it, but it sounds reasonable.
>>> >>>>>
>>> >>>>> Chris
>>> >>>>>
>>> >>>>>
>>> >>>>> From: "Matt ."
>>> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>> >>>>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
>>> >>>>> Date: 06.08.2015 16:19
>>> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> >>>>>
>>> >>>>>
>>> >>>>> Hi Chris,
>>> >>>>>
>>> >>>>> OK, then we might create two different versions of the wiki, I think
>>> >>>>> this is nice.
>>> >>>>>
>>> >>>>> I'm still figuring out why I get that:
>>> >>>>>
>>> >>>>> IPA Error 4205: ObjectclassViolation
>>> >>>>>
>>> >>>>> missing attribute "sambaGroupType" required by object class
>>> >>>>> "sambaGroupMapping"
>>> >>>>>
>>> >>>>> Matt
>>> >>>>>
>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>> >>>>>> Hi Matt
>>> >>>>>>
>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>> >>>>>> integration paths.
>>> >>>>>>
>>> >>>>>> The route I took is suited where there is no Active Directory involved: In
>>> >>>>>> my case all the Windows, OSX and Linux clients are islands that sit on the
>>> >>>>>> same network.
>>> >>>>>>
>>> >>>>>> The route that Youenn has taken (unless I have got completely the wrong end
>>> >>>>>> of the stick) requires Active Directory in the architecture.
>>> >>>>>>
>>> >>>>>> Chris
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> From: "Matt ."
>>> >>>>>> To: Youenn PIOLET
>>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>> >>>>>> Date: 06.08.2015 14:42
>>> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> Hi,
>>> >>>>>>
>>> >>>>>> OK, this sounds already quite logical, but I'm still referring to the
>>> >>>>>> old howto we found earlier, does that one still apply somewhere or not
>>> >>>>>> at all?
>>> >>>>>>
>>> >>>>>> Thanks,
>>> >>>>>>
>>> >>>>>> Matt
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>> >>>>>>> Hey guys,
>>> >>>>>>>
>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>> >>>>>>>
>>> >>>>>>> General idea:
>>> >>>>>>>
>>> >>>>>>> On FreeIPA (4.1)
>>> >>>>>>> - `ipa-adtrust-install --add-sids` (creates the ipaNTsecurityidentifier
>>> >>>>>>>   attribute, also known as SID)
>>> >>>>>>> - regenerate each user password to build the ipaNTHash attribute, not here by
>>> >>>>>>>   default on users
>>> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>> >>>>>>> - create a CIFS service for your samba server
>>> >>>>>>> - Create user roles/permissions as described here:
>>> >>>>>>>   http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>> >>>>>>>   so that the CIFS service will be able to read the ipaNTsecurityidentifier and
>>> >>>>>>>   ipaNTHash attributes in LDAP (ACI)
>>> >>>>>>> - SCP the ipasam.so module to your cifs server (this is the magic trick):
>>> >>>>>>>   scp /usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
>>> >>>>>>>   You can also try to recompile it.
>>> >>>>>>>
>>> >>>>>>> On SAMBA Server side (CentOS 7...)
>>> >>>>>>> - Install server keytab file for CIFS
>>> >>>>>>> - check ipasam.so is here.
>>> >>>>>>> - check you can read the password hash in LDAP with `ldapsearch -Y GSSAPI
>>> >>>>>>>   uid=admin ipaNTHash` thanks to kerberos
>>> >>>>>>> - make your smb.conf following the linked thread and restart the service
>>> >>>>>>>
>>> >>>>>>> I don't know if it works in Ubuntu.
I know sssd has evolved >>> >>>>>>> quickly >>> >>> and >>> >>>>>>> ipasam may use quite recent functionalities, the best is to just >>> >>>>>>> try. >>> >>>>> You >>> >>>>>>> can read in previous thread : "If you insist on Ubuntu you need to >>> >> get >>> >>>>>>> ipasam somewhere, most likely to compile it yourself". >>> >>>>>>> >>> >>>>>>> Make sure your user has ipaNTHash attribute :) >>> >>>>>>> >>> >>>>>>> You may want to debug authentication on samba server, I usually do >>> >>>> this: >>> >>>>>>> `tail -f /var/log/samba/log* | grep >>> >>>>>>> >>> >>>>>>> Cheers >>> >>>>>>> -- >>> >>>>>>> Youenn Piolet >>> >>>>>>> piolet.y at gmail.com >>> >>>>>>> >>> >>>>>>> >>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . : >>> >>>>>>>> >>> >>>>>>>> Hi, >>> >>>>>>>> >>> >>>>>>>> This sounds great to me too, but a howto would help to make it >>> >>>>>>>> more >>> >>>>>>>> clear about what you have done here. The thread confuses me a >>> >>>>>>>> little >>> >>>>>>>> bit. >>> >>>>>>>> >>> >>>>>>>> Can you paste your commands so we can test out too and report >>> >>>>>>>> back ? >>> >>>>>>>> >>> >>>>>>>> Thanks! >>> >>>>>>>> >>> >>>>>>>> Matt >>> >>>>>>>> >>> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb >>> >>>>>> : >>> >>>>>>>> > Hi Youenn >>> >>>>>>>> > >>> >>>>>>>> > Good news that you have got an integration working >>> >>>>>>>> > >>> >>>>>>>> > Now you have got it going, and the solution is fresh in your >>> >>>>>>>> > mind, >>> >>>>> how >>> >>>>>>>> > about adding a How-to page on this solution to the FreeIPA >>> >>>>>>>> > wiki? >>> >>>>>>>> > >>> >>>>>>>> > Chris >>> >>>>>>>> > >>> >>>>>>>> > >>> >>>>>>>> > >>> >>>>>>>> > From: Youenn PIOLET >>> >>>>>>>> > To: "Matt ." 
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 05.08.2015 14:51
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi guys,
>
> Thank you so much for your previous answers.
> I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>
> I found another way to configure smb here: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> It works perfectly.
>
> I'm using module ipasam.so I have manually scp to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
> Following the instructions, I created a user role allowing service principal to read ipaNTHash value from the LDAP.
> ipaNTHash are generated each time a user changes his password.
> Authentication works perfectly on Windows 7, 8 and 10.
>
> For more details, the previously linked thread is quite clear.
>
> Cheers
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-08-05 11:10 GMT+02:00 Matt . :
>
> Hi Chris.
>
> Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>
> I'm still getting:
>
> IPA Error 4205: ObjectclassViolation
>
> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>
> When adding a user.
>
> I also see "class" as fieldname under my "Last name", this is not OK also.
>
> We sure need to make some howto, I think we can nail this down :)
>
> Thanks for the heads up!
>
> Matthijs
>
> 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>
> Hi Matt
>
> If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>
> #!RESULT OK
> #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> #!DATE 2015-08-05T05:45:04.608
> dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> changetype: modify
> add: ipaCustomFields
> ipaCustomFields: Samba Group Type,sambagrouptype,true
>
> After that I then have a visible attribute ipaCustomFields as expected.
>
> When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>
> Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>
> Chris
>
> From: Christopher Lamb/Switzerland/IBM at IBMCH
> To: "Matt ."
> Cc: "freeipa-users at redhat.com"
> Date: 05.08.2015 07:31
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi Matt
>
> I also got the same result at that step, but can see nothing in Apache Directory Studio.
>
> As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>
> Looking more closely at that LDIF: I wonder should it not be:
>
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> changetype: modify
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
>
> i.e. changetype: modify, instead of changetype add ?
>
> I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around more destructively.
>
> Chris
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> Date: 05.08.2015 01:01
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> I'm at the right path, but my issue is that:
>
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> changetype: add
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
>
> Does say it exists, my ldap explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes
>
> So that is my issue I think so far.
>
> Any clue about that ?
>
> No problem "you don't know something or are no guru" we are all learning! :)
>
> Cheers,
>
> Matt
>
> 2015-08-04 21:22 GMT+02:00 Christopher Lamb < christopher.lamb at ch.ibm.com>:
>
> Hi Matt, Youenn
>
> Just to set the background properly, I did not invent this process. I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>
> It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>
> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):
>
> * objectClass: sambasamaccount
>
> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>
> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):
>
> * objectClass: sambaGroupMapping
>
> * Attributes: sambaGroupType, sambaSID
>
> The Users must belong to one or more of the samba groups that you have setup.
>
> If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions.
> It would be worth testing comparing a new user / group created post adding the extensions to a previous existing user.
>
> i.e.
> are the extensions missing on existing users / groups?
> are the extensions missing on new users / groups?
>
> Cheers
>
> Chris
>
> From: Youenn PIOLET
> To: "Matt ."
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> Date: 04.08.2015 18:56
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi there,
>
> I have difficulties to follow you at this point :)
> Here is what I've done and what I've understood:
>
> ## SMB Side
> - Testparm OK
> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
> - pdbedit -Lv output is all successful but I can see there is a filter : (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have sambaSamAccount.
>
> ## LDAP / FreeIPA side
> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions.
> - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects
> - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create user nor groups anymore, as new samba attributes are needed for instantiation.
> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
> - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...)
>
> ## Questions
> 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
> 1) How to generate the user/group SIDs ? They are requested to add sambaSamAccount classes.
> This article doesn't seem relevant since we don't use domain controller http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html and netgetlocalsid returns an error.
> 2) How to fix samba.js plugin?
> 3) I guess an equivalent of samba.js is needed for user creation, where can I find it?
> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?
>
> Thanks a lot for your previous and future answers
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
> 2015-08-04 17:55 GMT+02:00 Matt . :
>
> Hi,
>
> Yes, log is anonymised.
>
> It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.
>
> There must be something going wrong I guess.
>
> Matt
>
> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>
> Hi Matt
>
> I assume [username] is a real username, identical to that in the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>
> Your user should be a member of the appropriate samba groups that you setup in FreeIPA.
>
> You should check that the user attribute SambaPwdLastSet is set to a positive value (e.g. 1). If not you get an error in the Samba logs - I would need to play around again with a test user to find out the exact error.
>
> I don't understand what you mean about syncing the users local, but we did not need to do anything like that.
>
> Chris
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: "freeipa-users at redhat.com"
> Date: 04.08.2015 15:33
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> A puppet run added another passdb backend, that was causing my issue.
>
> What I still experience is:
>
> [2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'username' in passdb.
> [2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>
> I also wonder if I shall still sync the users local, or is it needed ?
>
> Thanks again,
>
> Matt
>
> 2015-08-04 14:16 GMT+02:00 Christopher Lamb < christopher.lamb at ch.ibm.com>:
>
> Hi Matt
>
> From our smb.conf file:
>
> [global]
> security = user
> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
> ldap suffix = dc=my,dc=silly,dc=example,dc=com
> ldap admin dn = cn=Directory Manager
>
> So yes, we use Directory Manager, it works for us. I have not tried with a less powerful user, but it is conceivable that a lesser user may not see all the required attributes, resulting in "no such user" errors.
>
> Chris
>
> From: "Matt ."
> To: Christopher Lamb/Switzerland/IBM at IBMCH
> Cc: "freeipa-users at redhat.com"
> Date: 04.08.2015 13:32
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA. Also when starting samba it cannot find "such user" as that sounds quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
> Matt
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From roberto.cornacchia at gmail.com Thu Aug 13 10:11:19 2015
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Thu, 13 Aug 2015 12:11:19 +0200
Subject: [Freeipa-users] Kerberized NFS with Synology NAS
In-Reply-To:
References:
Message-ID:

After some more investigation, I feel the problem I described can be considered off topic, sorry about that. Initially I had the impression it could have been more freeIPA-related. It is sometimes difficult to tell whether the issue would show up regardless of using freeIPA or not.
Should anyone be curious, these are my findings about using a Synology disk station for NFSv4+krb5 exports in my freeIPA domain:

- Still no idea why I see all those "Unspecified GSS failure" from gssproxy on the client side. Google tells me that many before me have wondered about it. Has anyone a clue?
- The NFS4+krb5 mounting works, but what I ran into is the "nobody" issue. NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence the "nobody" issue
- One first problem is that I had not set the domain. My bad. Fixed and got one step further. In idmapd.conf:

Domain = hq.spinque.com

- The second problem is that idmapd.conf in my synology says:

Method=nsswitch
GSS-Methods=static,synomap

No idea what "synomap" would be, but I guess GSS-Methods should be more like "static,nsswitch,synomap"
Indeed, everything works fine if I make static mappings for each LDAP user to a local user in Synology. But that's not how I want it.
- Problem with all this is: no matter how I change these files, the next time I would save something from the Synology UI, these files would be overwritten
Frustrating :(

On 12 August 2015 at 13:33, Roberto Cornacchia wrote:
> Enabled verbose output for rpc.idmapd as well, and now I see:
>
> nfsidmap[5034]: nss_getpwnam: name 'test1_l at localdomain' does not map into domain 'hq.spinque.com'
>
>
> On 12 August 2015 at 12:28, Roberto Cornacchia < roberto.cornacchia at gmail.com> wrote:
>
>> I have used
>>
>> RPCGSSDARGS="-vvv"
>> RPCSVCGSSDARGS="-vvv"
>>
>> in /etc/sysconfig/nfs , as suggested in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>>
>> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs server (synology).
>>
>> It still doesn't tell me much, perhaps I'm missing something?
>>
>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
>> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
>> rpc.gssd[3328]: process_krb5_upcall: service is ''
>> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
>> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
>> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
>> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com at HQ.SPINQUE.COM'
>> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com at HQ.SPINQUE.COM'
>> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com at HQ.SPINQUE.COM'
>> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com at HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
>> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
>> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
>> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
>> rpc.gssd[3328]: DEBUG: port already set to 2049
>> rpc.gssd[3328]: creating context with server nfs at spinque03.hq.spinque.com
>> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs at spinque03.hq.spinque.com
>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
>> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
>> rpc.gssd[3337]: process_krb5_upcall: service is ''
>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
>> rpc.gssd[3337]: DEBUG: port already set to 2049
>> rpc.gssd[3337]: creating context with server nfs at spinque03.hq.spinque.com
>> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs at spinque03.hq.spinque.com
>>
>>
>> On 12 August 2015 at 02:46, Roberto Cornacchia < roberto.cornacchia at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now).
>>>
>>> I got almost everything working, but I seem to have a problem with kerberized nfs.
>>>
>>> The NAS logs in the LDAP domain and seems happy with the kerberos principal that I uploaded.
>>>
>>> * If I use plain nfs4 without krb5
>>>
>>> - /etc/exports -
>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>>>
>>> then I can mount it and use it (it even works with automount). But only using all_squash. Not useful:
>>>
>>> * If I use krb5
>>>
>>> - /etc/exports -
>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>>>
>>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get "nobody" as file owner.
>>>
>>> This is done from a FC22 client, perfectly enrolled in freeIPA.
>>>
>>> The client's log contains several of such errors:
>>>
>>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>
>>> Any tip to help me understand what the problem is?
>>> Roberto

-------------- next part --------------
An HTML attachment was scrubbed...
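The idmapd behaviour behind the "nobody" owner that Roberto describes above (a 'user@domain' only maps to a local account when the domain part matches the configured Domain, and GSS principals go through the GSS-Methods list in order), modelled as an added example. This is a simplified model written for this page, not libnfsidmap's or Synology's code; the idmapd.conf text, the [Static] entry and the set of local accounts are constructed, and the `synomap` method is treated as unknown because the thread does not say what it does.

```python
"""Simplified model of the NFSv4 idmapd name mapping discussed above.
Added example, NOT libnfsidmap's or Synology's code: it approximates the
nsswitch and static methods, reproduces the "does not map into domain"
decision from the rpc.idmapd log line, and reports the two configuration
findings from the thread (Domain unset, GSS-Methods without nsswitch)."""
import configparser

NOBODY = "nobody"

# Constructed idmapd.conf modelled on the Synology values quoted above, with
# the Domain fix applied and one hand-made static mapping added.
SYNOLOGY_IDMAPD_CONF = """\
[General]
Verbosity = 0
Domain = hq.spinque.com

[Translation]
Method = nsswitch
GSS-Methods = static,synomap

[Static]
roberto@HQ.SPINQUE.COM = roberto
"""

# Constructed set of accounts that exist locally on the NAS (what NSS would return).
LOCAL_USERS = {"roberto", "test1", "admin"}


def parse_idmapd_conf(text):
    """Parse idmapd.conf (INI syntax) into {section: {key: value}}, keeping
    key case so 'Domain' and 'GSS-Methods' read as they do in the file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def nsswitch_map(name, conf, local_users, dns_domain=None):
    """Model of the nsswitch method: 'user@domain' becomes a local account only
    when the domain part matches [General] Domain (idmapd falls back to the
    host's DNS domain when Domain is unset, the first finding above)."""
    user, sep, domain = name.partition("@")
    want = conf.get("General", {}).get("Domain") or dns_domain
    if not sep or want is None or domain.lower() != want.lower():
        # Mirrors the rpc.idmapd message quoted above:
        # nss_getpwnam: name 'test1_l@localdomain' does not map into domain 'hq.spinque.com'
        return NOBODY, "name %r does not map into domain %r" % (name, want)
    if user not in local_users:
        return NOBODY, "no local account %r" % user
    return user, "nsswitch"


def static_map(name, conf):
    """Model of the static method: explicit 'remote = local' pairs in [Static]."""
    local = conf.get("Static", {}).get(name)
    return (local, "static") if local else (None, "no static entry")


def gss_map(principal, conf, local_users, dns_domain=None):
    """Map a Kerberos principal with the GSS-Methods list in order.  Methods this
    model does not know (Synology's 'synomap') are skipped, which is why a list
    without nsswitch can only resolve the hand-made static entries."""
    methods = conf.get("Translation", {}).get("GSS-Methods", "nsswitch")
    for method in (m.strip() for m in methods.split(",")):
        if method == "static":
            local, why = static_map(principal, conf)
            if local:
                return local, why
        elif method == "nsswitch":
            local, why = nsswitch_map(principal, conf, local_users, dns_domain)
            if local != NOBODY:
                return local, why
    return NOBODY, "no GSS method mapped %r" % principal


def check_conf(conf):
    """The two review findings from the thread, as a list of strings."""
    findings = []
    if not conf.get("General", {}).get("Domain"):
        findings.append("[General] Domain is unset; idmapd will guess it from DNS")
    methods = conf.get("Translation", {}).get("GSS-Methods", "nsswitch")
    if "nsswitch" not in [m.strip() for m in methods.split(",")]:
        findings.append("GSS-Methods %r lacks nsswitch; only [Static] entries "
                        "(and methods unknown here) can map principals" % methods)
    return findings


if __name__ == "__main__":
    conf = parse_idmapd_conf(SYNOLOGY_IDMAPD_CONF)
    for finding in check_conf(conf):
        print("finding:", finding)
    for owner in ("test1@hq.spinque.com", "test1_l@localdomain"):
        print(owner, "->", nsswitch_map(owner, conf, LOCAL_USERS))
    for princ in ("roberto@HQ.SPINQUE.COM", "test1@HQ.SPINQUE.COM"):
        print(princ, "->", gss_map(princ, conf, LOCAL_USERS))
```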
From seli.irithyl at gmail.com Thu Aug 13 14:23:52 2015
From: seli.irithyl at gmail.com (seli irithyl)
Date: Thu, 13 Aug 2015 16:23:52 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To: <20150813110530.GF18390@hendrix.redhat.com>
References: <20150811113955.GX3609@hendrix.redhat.com> <20150813110530.GF18390@hendrix.redhat.com>
Message-ID:

Here's the sssd_domain log part during an ssh

(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test]. (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test at BIOINF.LOCAL] to attributes of [test]. (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local]. 
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Storing info for group test (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Processing group test (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Failed to get group sid (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default Trust View,cn=views,cn=accounts,dc=bioinf,dc=local]. 
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser: (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_access_send] (0x0400): Performing access check for user [test] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [test] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] 
(0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using OpenLDAP deref (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local]. 
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'. 
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local] (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]. (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [44309] finished successfully. 
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local] (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local] (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser: (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0 (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1 (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307 (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Sending result [0][bioinf.local] why 
is there such a message: Could not parse domain SID from [(null)]? I thought SID was related to AD?

Is it normal that:
some messages seem duplicated?
SELinux user maps were not found?

(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test]
Looking in the UI, the "test" group does not exist.
Moreover the "trust admins" and "ipausers" don't have a GID.

Thanks for all

On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek wrote:
> On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> > In the logs, there are lots of warnings concerning the pki tomcat server:
> >
> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP Server.
> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting system-pki\x2dtomcatd.slice.
> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice system-pki\x2dtomcatd.slice.
> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat Server.
> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> > Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine > used: > > /usr/bin/java > > Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: > > > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar > > Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: > > org.apache.catalina.startup.Bootstrap > > Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: > > -DRESTEASY_LIB=/usr/share/java/resteasy-base > > Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: > > -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat > > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp > > > -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties > > -Djav > > Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'enableOCSP' to 'false' did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not > find > > a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not > find a > > matching property. 
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ocspCacheSize' to '1000' did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ocspMinCacheEntryDuration' to '60' did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ocspTimeout' to '10' did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'strictCiphers' to 'true' did not find a matching property. 
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching > > property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ssl2Ciphers' to > > > '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'ssl3Ciphers' to > > > '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'tlsCiphers' to > > > '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'serverCertNickFile' to > 
'/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' > > did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not > find > > a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did > > not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching > > property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching > property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching > > property. 
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'sslRangeCiphers' to > > > '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > 'xmlValidation' to 'false' did not find a matching property. > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > 'xmlNamespaceAware' to 'false' did not find a matching property. 
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.coyote.AbstractProtocol init > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > ProtocolHandler ["http-bio-8080"] > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.coyote.AbstractProtocol init > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > ProtocolHandler ["http-bio-8443"] > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.coyote.AbstractProtocol init > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.catalina.startup.Catalina load > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization > > processed in 
995 ms > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.catalina.core.StandardService startInternal > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service > > Catalina > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.catalina.core.StandardEngine startInternal > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet > > Engine: Apache Tomcat/7.0.54 > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > org.apache.catalina.startup.HostConfig deployDescriptor > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > > Aug 13 09:51:59 lead.bioinf.local server[5213]: > > SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback > > Aug 13 09:51:59 lead.bioinf.local server[5213]: > > SSLAuthenticatorWithFallback: Setting container > > Aug 13 09:52:01 lead.bioinf.local server[5213]: > > SSLAuthenticatorWithFallback: Initializing authenticators > > Aug 13 09:52:01 lead.bioinf.local server[5213]: > > SSLAuthenticatorWithFallback: Starting authenticators > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM > > org.apache.catalina.startup.HostConfig deployDescriptor > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > has > > finished in 13,391 ms > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM > > org.apache.catalina.startup.HostConfig deployDescriptor > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > org.apache.jasper.EmbeddedServletOptions > > Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir > 
you
> > specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is unusable.
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.HostConfig deployDescriptor
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 2,683 ms
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8080"]
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8443"]
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.Catalina start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms
> >
> > May this be related to my slow login problem ?
>
> I don't think so. You really need to look into the sssd domain log,
> check what requests (getAccountInfo) take the longest.

From abokovoy at redhat.com Thu Aug 13 14:34:57 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 13 Aug 2015 17:34:57 +0300
Subject: [Freeipa-users] Kerberized NFS with Synology NAS
In-Reply-To:
References:
Message-ID: <20150813143457.GG22106@redhat.com>

On Thu, 13 Aug 2015, Roberto Cornacchia wrote:
>After some more investigation, I feel the problem I described can be
>considered off topic, sorry about that.
>Initially I had the impression it
>could have been more freeIPA-related.
>It is sometimes difficult to tell whether the issue would show up
>regardless of using freeIPA or not.
>
>Should anyone be curious, these are my findings about using a Synology disk
>station for NFSv4+krb5 exports in my freeIPA domain:
>
>- Still no idea why I see all those "Unspecified GSS failure" from gssproxy
>on the client side. Google tells me that many before me have wondered about
>it. Has anyone a clue?
>
>- The NFS4+krb5 mounting works, but what I ran into is the "nobody" issue.
>NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence
>the "nobody" issue.
>
>- One first problem is that I had not set the domain. My bad. Fixed and got
>one step further.
> in idmapd.conf: Domain = hq.spinque.com
>
>- The second problem is that idmapd.conf in my synology says:
> Method=nsswitch
> GSS-Methods=static,synomap
>
> No idea what "synomap" would be, but I guess GSS-Methods should be more
>like "static,nsswitch,synomap"
> Indeed, everything works fine if I make static mappings for each LDAP
>user to a local user in Synology. But that's not how I want it.
>
>- Problem with all this is: no matter how I change these files, the next
>time I would save something from the Synology UI, these files would be
>overwritten.
>
>Frustrating :(

I would only suggest you raise the problem with Synology support and
convince them to add an SSSD build and use it. SSSD has an nfsidmap module
'sss' that does the right job of mapping based on what SSSD knows about
Kerberos principals and user mapping for the domain.
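Jakub's advice in the slow-login thread above, to find the getAccountInfo requests in the sssd domain log that take the longest, can be scripted. The following is an added example and not code from the thread or from SSSD: it parses the default sssd_<domain>.log line format quoted above, pairs each getAccountInfo and PAM request with its completion and counts the LDAP searches made in between. The sample lines are constructed, and the microsecond timestamp layout and the FIFO pairing of finishes to starts are assumptions.

```python
"""Rank SSSD back-end requests in an sssd_<domain>.log by how long they took (added
example, not SSSD code). Assumes the default line format quoted in the thread:
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [func] (0x0400): msg"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Stock timestamps are whole seconds, so durations are coarse; debug_microseconds = True
# in sssd.conf adds microseconds (that ":usec" layout, tried first here, is assumed).
TS_FORMATS = ("%a %b %d %H:%M:%S:%f %Y", "%a %b %d %H:%M:%S %Y")


@dataclass
class Request:
    kind: str                     # "getAccountInfo" or "pam"
    detail: str                   # lookup target, or the PAM command
    started: datetime
    finished: Optional[datetime] = None
    ldap_searches: int = 0        # ldap_search_ext calls issued while it was open

    @property
    def seconds(self) -> float:
        return (self.finished - self.started).total_seconds()


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into ts/func/level/msg, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    for fmt in TS_FORMATS:
        try:
            rec["ts"] = datetime.strptime(rec["ts"], fmt)
            return rec
        except ValueError:
            continue
    return None


def analyze(lines: Iterable[str]) -> List[Request]:
    """Pair request start/finish lines and count the LDAP searches in between.
    No request id at this debug level, so (assumed heuristic) a finish closes the
    oldest open request of its kind; a search is charged to the newest open one."""
    open_reqs = {"getAccountInfo": [], "pam": []}   # FIFO queue per kind
    done: List[Request] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg, ts = rec["func"], rec["msg"], rec["ts"]
        if func == "be_get_account_info" and msg.startswith("Got request for "):
            open_reqs["getAccountInfo"].append(Request("getAccountInfo", msg[16:], ts))
        elif func == "be_pam_handler" and msg.startswith("Got request"):
            open_reqs["pam"].append(Request("pam", "?", ts))   # command line follows
        elif func == "pam_print_data" and msg.startswith("command: ") and open_reqs["pam"]:
            open_reqs["pam"][-1].detail = msg[9:]
        elif func == "sdap_get_generic_ext_step" and "ldap_search_ext" in msg:
            live = open_reqs["getAccountInfo"] + open_reqs["pam"]
            if live:
                max(live, key=lambda r: r.started).ldap_searches += 1
        ended = None
        if func == "acctinfo_callback" and msg.startswith("Request processed"):
            ended = "getAccountInfo"
        elif func.startswith("be_pam_handler") and msg.startswith("Sending result"):
            ended = "pam"
        if ended and open_reqs[ended]:
            req = open_reqs[ended].pop(0)
            req.finished = ts
            done.append(req)
    return done


def slowest(requests: List[Request], n: int = 5) -> List[Request]:
    """Finished requests, longest first."""
    return sorted((r for r in requests if r.finished), key=lambda r: r.seconds, reverse=True)[:n]


# Constructed sample lines in the thread's format (abridged from the quoted log).
SAMPLE_LOG = """\
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(uid=test)][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACRule)][cn=hbac,dc=bioinf,dc=local].
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Sending result [0][bioinf.local]
"""

if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for r in slowest(analyze(lines)):
        print(f"{r.seconds:5.1f}s  {r.ldap_searches:2d} LDAP searches  {r.kind} {r.detail}")
```

Point it at /var/log/sssd/sssd_<domain>.log captured with debug_level raised in the [domain] section; with the stock one-second timestamps only requests that cross a second boundary show a non-zero duration.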
>
> On 12 August 2015 at 13:33, Roberto Cornacchia wrote:
>
>> Enabled verbose output for rpc.idmapd as well, and now I see:
>>
>> nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' does not map
>> into domain 'hq.spinque.com'
>>
>>
>> On 12 August 2015 at 12:28, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>
>>> I have used
>>>
>>> RPCGSSDARGS="-vvv"
>>> RPCSVCGSSDARGS="-vvv"
>>>
>>> in /etc/sysconfig/nfs , as suggested in http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>>>
>>> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs server (synology).
>>>
>>> It still doesn't tell me much, perhaps I'm missing something?
>>>
>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
>>> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
>>> rpc.gssd[3328]: process_krb5_upcall: service is ''
>>> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
>>> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
>>> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
>>> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com@HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com@HQ.SPINQUE.COM'
>>> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com@HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com@HQ.SPINQUE.COM'
>>> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com@HQ.SPINQUE.COM'
>>> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com@HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
>>> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
>>> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
>>> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
>>> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
>>> rpc.gssd[3328]: DEBUG: port already set to 2049
>>> rpc.gssd[3328]: creating context with server nfs@spinque03.hq.spinque.com
>>> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>>> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs@spinque03.hq.spinque.com
>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
>>> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
>>> rpc.gssd[3337]: process_krb5_upcall: service is ''
>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
>>> Minor code may provide more information, No credentials cache found
>>> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
>>> rpc.gssd[3337]: DEBUG: port already set to 2049
>>> rpc.gssd[3337]: creating context with server nfs@spinque03.hq.spinque.com
>>> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>>> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs@spinque03.hq.spinque.com
>>>
>>>
>>> On 12 August 2015 at 02:46, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to use a Synology NAS station in my FreeIPA domain to host
>>>> automounted home directories (not created automatically for now).
>>>>
>>>> I got almost everything working, but I seem to have a problem with
>>>> kerberized nfs.
>>>>
>>>> The NAS logs in the LDAP domain and seems happy with the kerberos
>>>> principal that I uploaded.
>>>>
>>>> * If I use plain nfs4 without krb5
>>>>
>>>> - /etc/exports -
>>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>>>>
>>>> then I can mount it and use it (it even works with automount). But only
>>>> using all_squash. Not useful.
>>>>
>>>> * If I use krb5
>>>>
>>>> - /etc/exports -
>>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>>>>
>>>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get
>>>> "nobody" as file owner.
>>>>
>>>> This is done from a FC22 client, perfectly enrolled in freeIPA.
>>>>
>>>> The client's log contains several of such errors:
>>>>
>>>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
>>>> Minor code may provide more information, No credentials cache found
>>>>
>>>> Any tip to help me understand what the problem is?
>>>> Roberto
>>>>
>>>
>>>
>>
>

--
/ Alexander Bokovoy

From roccas at gmail.com Thu Aug 13 15:01:39 2015
From: roccas at gmail.com (Marcelo Roccasalva)
Date: Thu, 13 Aug 2015 12:01:39 -0300
Subject: [Freeipa-users] time restricted access

Hello,

I've installed freeIPA 4.1.0 under CentOS 7 and I need to restrict
authentication to one or more time ranges but I failed to find such a
configuration...

TIA

--
Marcelo
"Could it be that this modern life has more of the modern in it than of life?"
("¿No será acaso que esta vida moderna está teniendo más de moderna que de vida?", Mafalda)

From dkupka at redhat.com Thu Aug 13 15:11:59 2015
From: dkupka at redhat.com (David Kupka)
Date: Thu, 13 Aug 2015 17:11:59 +0200
Subject: [Freeipa-users] time restricted access
Message-ID: <55CCB3BF.9020802@redhat.com>

On 13/08/15 17:01, Marcelo Roccasalva wrote:
> Hello,
>
> I've installed freeIPA 4.1.0 under CentOS 7 and I need to restrict
> authentication to one or more time ranges but I failed to find such a
> configuration...
>
> TIA
>

Hello,
you're probably looking for "Time-Based Account Policies". This is currently
WIP, you can find more on the freeipa-devel list.
--
David Kupka

From rcritten at redhat.com Thu Aug 13 15:49:20 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Aug 2015 11:49:20 -0400
Subject: [Freeipa-users] Having problem with pwd_expiration
In-Reply-To: <55CC75CA.6090108@xtremenitro.org>
References: <55CC57B8.409@xtremenitro.org> <20150813094310.GL2793@mail.corp.redhat.com> <55CC75CA.6090108@xtremenitro.org>
Message-ID: <55CCBC80.2030404@redhat.com>

Dewangga Bachrul Alam wrote:
> I've tried both of them (web ui & CLI), still no luck.
> Screenshot attached, the password expiration does not follow the global_policy.
>
> I've created another new user; it was the same as with user `subhan`. The
> password expiration does not follow global_policy.
>

http://www.freeipa.org/page/New_Passwords_Expired

rob

From yks0000 at gmail.com Thu Aug 13 16:16:42 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Thu, 13 Aug 2015 21:46:42 +0530
Subject: [Freeipa-users] IPA Server Replication Info

Hi,

I am working to set up an IPA environment in our infra.

1. I would like to know how IPA handles failover if the Master Node goes
   down. Does sssd manage it?

2. While the Master Node is down, can I register a client to a replica
   server, i.e. via AutoDiscovery as IPA does?

3. What if my Master Node never comes up again due to a system crash? In
   this case, if I create a new node, can I make it the master, and if so
   what would happen to the clients which were already registered?

Please suggest, as I would like to know how we can do failover if anything
goes wrong.

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
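The failover questions above are mostly answered by how a client finds servers rather than by anything a single master does: an SSSD IPA domain with `ipa_server = _srv_` (and `ipa-client-install` run without `--server`) looks up the `_ldap._tcp.<domain>` SRV records that IPA publishes in its DNS (or that you maintain by hand) and tries the targets in RFC 2782 order, so authentication keeps working as long as any replica listed there is reachable. The Python below is an illustration added by the editor, not code from SSSD or FreeIPA, and not part of this thread; the SRV records and host names in it are constructed for the example, and the `ipa_server` handling mirrors only the documented rule that `_srv_` stands for "the SRV results, at this position in the list". It reproduces the RFC 2782 selection rules (ascending priority, weighted-random within a priority, weight-0 records tried last), expands a `_srv_` entry in place, and picks the next server once some have been marked down.

```python
"""RFC 2782 SRV selection as an IPA/SSSD client applies it to
_ldap._tcp.<domain>. Editor's example, not SSSD/FreeIPA code; the records
and host names below are constructed (hypothetical)."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample answer for _ldap._tcp.example.test: two servers at
# priority 0 sharing load 2:1, and a disaster-recovery server at priority 10
# that is only tried when both priority-0 servers fail.
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="ipa1.example.test."),
    SrvRecord(priority=0, weight=50, port=389, target="ipa2.example.test."),
    SrvRecord(priority=10, weight=0, port=389, target="ipa-dr.example.test."),
]


def _as_rng(rng):
    """Accept None (fresh generator), an int seed, or a random.Random."""
    if rng is None:
        return random.Random()
    if isinstance(rng, int):
        return random.Random(rng)
    return rng


def rfc2782_order(records, rng=None):
    """Return the records in the order a client should try them:
    ascending priority, then weighted-random selection within a priority
    (RFC 2782, 'Usage rules')."""
    rng = _as_rng(rng)
    ordered = []
    for priority in sorted({r.priority for r in records}):
        # Weight-0 records are placed first so they are selected only when
        # the random number is 0, i.e. they get the smallest chance of
        # being tried first, exactly as the RFC prescribes.
        remaining = sorted((r for r in records if r.priority == priority),
                           key=lambda r: r.weight != 0)
        while remaining:
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)          # inclusive on both ends
            running = 0
            for r in remaining:
                running += r.weight
                if running >= pick:               # first running sum >= pick
                    ordered.append(r)
                    remaining.remove(r)
                    break
    return ordered


def expand_ipa_server(ipa_server, srv_records, rng=None):
    """Expand an sssd.conf 'ipa_server = ...' value into the host list the
    client walks. '_srv_' is replaced, in place, by the SRV-ordered targets;
    literal host names keep their position."""
    hosts = []
    for entry in (e.strip() for e in ipa_server.split(",")):
        if not entry:
            continue
        if entry == "_srv_":
            hosts.extend(r.target.rstrip(".")
                         for r in rfc2782_order(srv_records, rng))
        else:
            hosts.append(entry)
    return hosts


def next_server(hosts, failed):
    """First host not currently marked as failed, or None when every server
    is down (a client would then retry the list after its failover timeout)."""
    for h in hosts:
        if h not in failed:
            return h
    return None


if __name__ == "__main__":
    hosts = expand_ipa_server("_srv_, ipa-backup.example.test", SAMPLE_SRV)
    print("try order:", hosts)
    print("after losing the first two:", next_server(hosts, set(hosts[:2])))
```

Because discovery trusts DNS, a forged or stale SRV record steers clients at the wrong host; Kerberos mutual authentication and the IPA CA certificate the client pins limit what a rogue endpoint gains, but the SRV set is part of the attack surface and worth monitoring alongside replication health.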
From janellenicole80 at gmail.com Thu Aug 13 16:58:57 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 13 Aug 2015 09:58:57 -0700
Subject: [Freeipa-users] users- ssh keys self service
Message-ID: <55CCCCD1.60300@gmail.com>

Hi,

So I still have been unable to find the problem with blank screens for users
when they log in to the GUI and cannot manage anything other than OTP. Out
of the box, vanilla install of FreeOTP on RHEL 7.x and using IPA 4.1.4, a
user logs in, you see ALL the fields for a split second, before they go blank
and there is no way to bring them back. This is of course frustrating since
users cannot add their SSH keys. They can change their PW, since that is on
the ACTION button, which remains visible.

Are there any troubleshooting suggestions for this? I have not customized
anything.

Thank you
~J

From janellenicole80 at gmail.com Thu Aug 13 19:25:54 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Thu, 13 Aug 2015 12:25:54 -0700
Subject: [Freeipa-users] users- ssh keys self service
In-Reply-To: <55CCCCD1.60300@gmail.com>
References: <55CCCCD1.60300@gmail.com>
Message-ID: <55CCEF42.3060605@gmail.com>

AHA!!!

The problem is found, but the solution eludes me.

Any user "migrated" in compat mode has the problem. NEW users do not.

Thoughts? Ideas? Troubleshooting? What do I need to make visible for users
to edit their settings?

~J

On 8/13/15 9:58 AM, Janelle wrote:
> Hi,
>
> So I still have been unable to find the problem with blank screens for
> users when they log in to the GUI and cannot manage anything other
> than OTP. Out of the box, vanilla install of FreeOTP on RHEL 7.x and
> using IPA 4.1.4, a user logs in, you see ALL the fields for a split
> second, before they go blank and there is no way to bring them back.
> This is of course frustrating since users cannot add their SSH
> keys. They can change their PW, since that is on the ACTION button,
> which remains visible.
>
> Are there any troubleshooting suggestions for this? I have not
> customized anything.
>
> Thank you
> ~J

From anguyen at SCIRES.COM Thu Aug 13 16:38:30 2015
From: anguyen at SCIRES.COM (Nguyen, Alicia)
Date: Thu, 13 Aug 2015 16:38:30 +0000
Subject: [Freeipa-users] ipa directory inconsistencies

Hi,

I'm having an issue re-adding a client to freeipa (same hostname). When I
removed the client from the domain I uninstalled freeipa on the client
(using ipa-client-install --uninstall), removed the keytab, and ran
ipa host-del FQDN on the freeipa master. Everything has been rebooted. I
cannot re-add the client to the domain (running ipa-client-install) and
receive this error: "Joining realm failed. RPC failed @ server. Hostname
already exists."

If I look in the UI I see the hostname under hosts, but it does not show the
host as enrolled and throws an error that the host doesn't exist.
Running ipa host-find FQDN shows 1 host matched.
Running ipa host-show FQDN says the host doesn't exist.
If I run ipa del-host FQDN I receive an error that the host was not found.
If I run ipa host-add FQDN I receive an error that the host already exists.

Please advise. I'm wondering if there is some record in LDAP that is maybe
causing this problem.

Thanks,
Alicia

________________________________
CONFIDENTIALITY NOTICE: This email constitutes an electronic communication
within the meaning of the Electronic Communications Privacy Act, 18 U.S.C.
2510, and its disclosure is strictly limited to the named recipient(s)
intended by the sender of this message. This email, and any attachments, may
contain confidential and/or proprietary information of Scientific Research
Corporation. If you are not a named recipient, any copying, using,
disclosing or distributing to others the information in this email and
attachments is STRICTLY PROHIBITED.
If you have received this email in error, please notify the sender
immediately and permanently delete the email, any attachments, and all
copies thereof from any drives or storage media and destroy any printouts or
hard copies of the email and attachments.

EXPORT COMPLIANCE NOTICE: This email and any attachments may contain
technical data subject to U.S. export restrictions under the International
Traffic in Arms Regulations (ITAR) or the Export Administration Regulations
(EAR). Export or transfer of this technical data and/or related information
to any foreign person(s) or entity(ies), either within the U.S. or outside
of the U.S., may require advance export authorization by the appropriate
U.S. Government agency prior to export or transfer. In addition, technical
data may not be exported or transferred to certain countries or specified
designated nationals identified by U.S. embargo controls without prior
export authorization. By accepting this email and any attachments, all
recipients confirm that they understand and will comply with all applicable
ITAR, EAR and embargo compliance requirements.

From nikola at krzalic.com Tue Aug 11 14:47:54 2015
From: nikola at krzalic.com (Nikola Kržalić)
Date: Tue, 11 Aug 2015 16:47:54 +0200
Subject: [Freeipa-users] reverse DNS lookup does not work

Reverse DNS lookup stopped working after I broke some replication agreements
(perhaps unrelated, but worth mentioning). Regular A records resolve fine.

The records can be seen in LDAP (using ldapsearch with GSSAPI after
kinit -t /etc/named.keytab):

the zone:

# 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsForwarders: 172.23.1.5
idnsAllowSyncPTR: TRUE
idnsSOAserial: 1439302482
idnsSOArName: hostmaster.ipa.example.net.
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: ldap1.example.lan.
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.

the entry:

# 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

but the reverse dns lookup fails anyway:

[root@ldap1 ~]# dig -x 10.63.0.68

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.    86400    IN    SOA    10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87

[root@ldap1 ~]#

Any thoughts?

--
S poštovanjem / Regards,
Nikola Kržalić.

From rcritten at redhat.com Thu Aug 13 20:11:33 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Aug 2015 16:11:33 -0400
Subject: [Freeipa-users] ipa directory inconsistencies
Message-ID: <55CCF9F5.9080707@redhat.com>

Nguyen, Alicia wrote:
> Hi,
>
> I'm having an issue re-adding a client to freeipa (same hostname). When I
> removed the client from the domain I uninstalled freeipa on the client
> (using ipa-client-install --uninstall), removed the keytab, and ran
> ipa host-del FQDN on the freeipa master. Everything has been rebooted. I
> cannot re-add the client to the domain (running ipa-client-install) and
> receive this error: "Joining realm failed. RPC failed @ server. Hostname
> already exists."
>
> If I look in the UI I see the hostname under hosts, but it does not show
> the host as enrolled and throws an error that the host doesn't exist.
> Running ipa host-find FQDN shows 1 host matched.
> Running ipa host-show FQDN says the host doesn't exist.
> If I run ipa del-host FQDN I receive an error that the host was not found.
> If I run ipa host-add FQDN I receive an error that the host already exists.
>
> Please advise. I'm wondering if there is some record in LDAP that is maybe
> causing this problem.

Sounds like you have a replication conflict entry for this host. See
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

rob

From john.obaterspok at gmail.com Thu Aug 13 20:57:28 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Thu, 13 Aug 2015 22:57:28 +0200
Subject: [Freeipa-users] IDM/ipa slow login
References: <20150811113955.GX3609@hendrix.redhat.com> <20150813110530.GF18390@hendrix.redhat.com>

Hi Seli,

In /etc/sssd/sssd.conf add the line below:

selinux_provider=none

to the domain section. Then restart sssd.
-- john

2015-08-13 16:23 GMT+02:00 seli irithyl:

> Here's the sssd_domain log part during an ssh
>
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Storing info for group test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Processing group test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test]
> (Thu Aug 13 15:22:32 2015)
> [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default Trust View,cn=views,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser:
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_access_send] (0x0400): Performing access check for user [test]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [test]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using OpenLDAP deref
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local].
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [44309] finished successfully.
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local]
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser:
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set
> (Thu Aug 13 15:22:34 2015)
[sssd[be[bioinf.local]]] [be_pam_handler] > (0x0100): Sending result [0][bioinf.local] > > why is there such a message: Could not parse domain SID from [(null)]? I > thought SID was related to AD? > Is it normal that: > some messages seem duplicated? > SELinux user maps were not found? > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] > (0x0400): No members for group [test] > Looking in the UI, the "test" group does not exist > Moreover the "trust admins" and "ipausers" don't have a GID > > Thanks for all > > On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek wrote: > >> On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote: >> > In the logs, there are lots of warnings concerning the pki tomcat server: >> > >> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP >> > Server. >> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting >> > system-pki\x2dtomcatd.slice. >> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice >> > system-pki\x2dtomcatd.slice. >> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat >> Server. >> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat >> > Server. >> > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server >> > pki-tomcat... >> > Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server >> > pki-tomcat.
>> > Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine >> used: >> > /usr/bin/java >> > Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: >> > >> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar >> > Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: >> > org.apache.catalina.startup.Bootstrap >> > Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: >> > -DRESTEASY_LIB=/usr/share/java/resteasy-base >> > Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: >> > -Dcatalina.base=/var/lib/pki/pki-tomcat >> -Dcatalina.home=/usr/share/tomcat >> > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp >> > >> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties >> > -Djav >> > Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'enableOCSP' to 'false' did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not >> find >> > a matching property. 
>> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not >> find a >> > matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ocspCacheSize' to '1000' did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ocspMinCacheEntryDuration' to '60' did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ocspTimeout' to '10' did not find a matching property. 
>> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'strictCiphers' to 'true' did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching >> > property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ssl2Ciphers' to >> > >> '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'ssl3Ciphers' to >> > >> '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'tlsCiphers' to >> > >> 
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'serverCertNickFile' to >> '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' >> > did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not >> find >> > a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' >> did >> > not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching >> > property. 
>> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching >> property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching >> > property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.catalina.startup.SetAllPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > 'sslRangeCiphers' to >> > >> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.tomcat.util.digester.SetPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property >> > 'xmlValidation' to 'false' did not find a matching property. >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM >> > org.apache.tomcat.util.digester.SetPropertiesRule begin >> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: >> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property >> > 'xmlNamespaceAware' to 'false' did not find a matching property. 
>> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.coyote.AbstractProtocol init >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing >> > ProtocolHandler ["http-bio-8080"] >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.coyote.AbstractProtocol init >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing >> > ProtocolHandler ["http-bio-8443"] >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher >> > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.coyote.AbstractProtocol init >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing >> > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.catalina.startup.Catalina load >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: 
Initialization >> > processed in 995 ms >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.catalina.core.StandardService startInternal >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service >> > Catalina >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.catalina.core.StandardEngine startInternal >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet >> > Engine: Apache Tomcat/7.0.54 >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM >> > org.apache.catalina.startup.HostConfig deployDescriptor >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying >> > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: >> > SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback >> > Aug 13 09:51:59 lead.bioinf.local server[5213]: >> > SSLAuthenticatorWithFallback: Setting container >> > Aug 13 09:52:01 lead.bioinf.local server[5213]: >> > SSLAuthenticatorWithFallback: Initializing authenticators >> > Aug 13 09:52:01 lead.bioinf.local server[5213]: >> > SSLAuthenticatorWithFallback: Starting authenticators >> > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM >> > org.apache.catalina.startup.HostConfig deployDescriptor >> > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of >> > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml >> has >> > finished in 13,391 ms >> > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM >> > org.apache.catalina.startup.HostConfig deployDescriptor >> > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying >> > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM >> > org.apache.jasper.EmbeddedServletOptions >> > Aug 13 
09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir >> you >> > specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is >> unusable. >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM >> > org.apache.catalina.startup.HostConfig deployDescriptor >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of >> > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml >> has >> > finished in 2,683 ms >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM >> > org.apache.coyote.AbstractProtocol start >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting >> > ProtocolHandler ["http-bio-8080"] >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM >> > org.apache.coyote.AbstractProtocol start >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting >> > ProtocolHandler ["http-bio-8443"] >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM >> > org.apache.coyote.AbstractProtocol start >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting >> > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM >> > org.apache.catalina.startup.Catalina start >> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in >> > 17320 ms >> > >> > May this be related to my slow login problem ? >> >> I don't think so. You really need to look into the sssd domain log, >> check what requests (getAccountInfo) take the longest. >> >> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
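Jakub's suggestion above, to look in the sssd domain log for the requests that take the longest, as an added example that is not part of the thread or of sssd: a Python script that pairs each request's opening line with the line that reports its result and ranks the requests by elapsed time. It assumes the default timestamp format and the be_pam_handler / pam_print_data wording visible in the log above; the be_get_account_info / acctinfo_callback wording is an assumption, and the sample log is constructed (the PAM_OPEN_SESSION lines are trimmed from the log in the thread, the slow PAM_AUTHENTICATE and account-info lines are made up).

```python
"""Rank sssd back end requests by how long they took.

Added example, not code from the thread or from sssd: reads a domain log
such as /var/log/sssd/sssd_bioinf.local.log (debug_level 0x0100 or higher)
and pairs each "Got request" line with the line reporting its result, so
the slowest PAM and account-info requests come out first.
"""
import re
import sys
from datetime import datetime

# Default sssd line layout, as in the log quoted above:
# (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request ...
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # default timestamps (debug_microseconds off)

# Message prefix that opens a request and the one that closes it, per kind.
# PAM wording is from the log above; the account-info wording is assumed.
OPENERS = {"Got request with the following data": "pam", "Got request for": "acctinfo"}
CLOSERS = {"Sending result": "pam", "Request processed": "acctinfo"}

# Constructed sample: PAM_OPEN_SESSION lines trimmed from the thread's log,
# plus an invented slow PAM_AUTHENTICATE and the account lookup inside it.
SAMPLE_LOG = """\
(Thu Aug 13 15:22:20 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 13 15:22:20 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 13 15:22:20 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
(Thu Aug 13 15:22:20 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 13 15:22:21 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0100): Got request for [0x1001][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Sending result [0][bioinf.local]
"""


def parse_line(line):
    """Split one log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def request_durations(lines):
    """Completed requests as dicts (kind, start, end, seconds, ...), slowest first."""
    open_reqs = {"pam": [], "acctinfo": []}   # LIFO per kind; the back end is mostly serial
    done = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        opener = next((p for p in OPENERS if msg.startswith(p)), None)
        if opener:
            kind = OPENERS[opener]
            open_reqs[kind].append({"kind": kind, "start": rec["ts"], "detail": msg[len(opener):].strip()})
            continue
        if rec["func"] == "pam_print_data" and open_reqs["pam"]:
            key, _, value = msg.partition(":")   # command/user/service printed after "Got request"
            if key in ("command", "user", "service"):
                open_reqs["pam"][-1][key] = value.strip()
            continue
        closer = next((p for p in CLOSERS if msg.startswith(p)), None)
        if closer and open_reqs[CLOSERS[closer]]:
            req = open_reqs[CLOSERS[closer]].pop()
            req["end"] = rec["ts"]
            req["seconds"] = (rec["ts"] - req["start"]).total_seconds()
            req["result"] = msg
            done.append(req)
    return sorted(done, key=lambda r: r["seconds"], reverse=True)


def report(lines, top=10):
    """One text row per request, slowest first."""
    rows = []
    for r in request_durations(lines)[:top]:
        what = r.get("command") or r["detail"]
        rows.append(f"{r['seconds']:6.1f}s {r['kind']:8s} {what} user={r.get('user', '-')} -> {r['result']}")
    return rows


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print("\n".join(report(lines)))
```

Run it as `python3 sssd_slow.py /var/log/sssd/sssd_bioinf.local.log`. With debug_level 0x0100 the one-second timestamps are coarse but enough to spot a ten-second request; if debug_microseconds is enabled in sssd.conf the timestamp layout changes and TS_FORMAT has to be adjusted to match.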
From piolet.y at gmail.com Thu Aug 13 16:49:09 2015 From: piolet.y at gmail.com (Youenn PIOLET) Date: Thu, 13 Aug 2015 18:49:09 +0200 Subject: [Freeipa-users] Kerberized NFS and home automount issues Message-ID: Hi, I'm currently trying to configure automount for home directories with Kerberized NFSv4. I'm struggling with two issues that may or may not be related: 1) Can't read my home directory. I have to type kinit manually first on each integrated client for this to work. I think it is related to the latest versions of sssd on CentOS 7 / Fedora 21 (1.12.2-58), ipa or maybe nss; a CentOS that was 1 or 2 months out of date was working first and got broken after an update. 2) Can't create home directories for new users: Permission denied for the oddjob-mkhomedir script. I can also experience this as root: can't mkdir /home/someuser, permission denied (see my mount chain in freeipa below). Related to NFSv4? Here is my setup and various information: - I'm not using selinux - Exports: /home.shared *(rw,sec=krb5:krb5i:krb5p) - Mount chain: * -fstype=nfs4,sec=krb5i,rw,proto=tcp,port=2049,rsize=8192,wsize=8192 home01.net:/home.shared/& - Experienced on CentOS 7 and Fedora 21 - FreeIPA server 4.1.4 - I used ipa-client-automount on clients and server. - Same behavior with/without a dedicated service principal on client - Some errors in NFS server logs: rpc.gssd - WARNING: can't create tcp rpc_clnt to server for user with uid 0: RPC: Remote system error - No route to host <-- at different times oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for '1:<###>' <-- before oddjob-mkhomedir on new user Have you got the same problems and did you manage to fix them? Thanks in advance, -- Youenn Piolet piolet.y at gmail.com
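Added example, not from the thread or from nfs-utils: a Python audit of /etc/exports client clauses, using the export quoted above as its first sample line. It flags the settings that matter for a Kerberized home share: a `sec=` list that accepts `sys` (the exportfs default when `sec=` is absent, so an unauthenticated client may assert any uid), `no_root_squash` (root on a client becomes root on the export; with the default squash uid 0 is mapped to the anonymous uid, which is why `mkdir /home/someuser` as root on a client is refused), an unrestricted `*` host, and `insecure`. The remaining sample lines are constructed.

```python
"""Audit /etc/exports client clauses for settings that weaken a Kerberized NFS share.

Added example, not from the thread or from nfs-utils. Checks: a sec= list
that accepts sys (the exportfs default when sec= is absent, so a client
may assert any uid), no_root_squash (root on a client is root on the
export; with the default squash uid 0 becomes the anonymous uid, which is
why mkdir under the export fails as root on a client), an unrestricted
"*" host, and insecure (unprivileged source ports).
"""
import re
import sys

# "host(opt,opt)", a bare "host", or "(opt,opt)" alone, which means every client.
TOKEN_RE = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample; the first export is the one quoted in the thread.
SAMPLE_EXPORTS = """\
/home.shared *(rw,sec=krb5:krb5i:krb5p)
/home.shared 10.63.0.0/24(rw,sec=krb5p,no_root_squash)   # constructed
/scratch *(rw,insecure)                                   # constructed
/iso 10.63.0.5(ro,sec=krb5)                               # constructed
"""


def parse_exports(text):
    """Yield (path, host, options, sec_flavours) for every client clause."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = TOKEN_RE.match(token)
            if m is None:
                continue
            host = m["host"] or "*"
            opts = [o for o in (m["opts"] or "").split(",") if o]
            sec = ["sys"]                        # exportfs default without sec=
            for opt in opts:
                if opt.startswith("sec="):
                    sec = opt[len("sec="):].split(":")
            yield path, host, opts, sec


def audit_exports(text):
    """Return (clause, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for path, host, opts, sec in parse_exports(text):
        clause = f"{path} -> {host}"
        if host == "*":
            findings.append((clause, "exported to every host: restrict to hosts, a subnet or a netgroup"))
        if "no_root_squash" in opts:
            findings.append((clause, "no_root_squash: uid 0 on any allowed client is uid 0 on this export"))
        if "sys" in sec:
            findings.append((clause, "sec=sys accepted: client-asserted uids are trusted without Kerberos"))
        if "insecure" in opts:
            findings.append((clause, "insecure: requests from unprivileged source ports are accepted"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for clause, finding in audit_exports(text):
        print(f"{clause}: {finding}")
```

Run it as `python3 exports_audit.py /etc/exports` on the NFS server. The export from the thread is flagged only for the `*` host; its `sec=krb5:krb5i:krb5p` list already refuses AUTH_SYS clients, and root squash is left at its default.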
From prasun.gera at gmail.com Fri Aug 14 05:14:11 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Thu, 13 Aug 2015 22:14:11 -0700 Subject: [Freeipa-users] Kerberized NFS and home automount issues In-Reply-To: References: Message-ID: Where are you trying to create the home directories? Is your NFS server the same as the IPA server? You can only create home directories on the NFS home server unless the nfs-client sees the export option "no_root_squash". That is not recommended though. On Thu, Aug 13, 2015 at 9:49 AM, Youenn PIOLET wrote: > Hi, > > I'm currently trying to configure automount for home directories with > Kerberized NFSv4. > I'm struggling with two issues that may or may not be related: > > 1) Can't read my home directory. I have to type kinit manually first on > each integrated client for this to work. I think it is related to the > latest versions of sssd on CentOS 7 / Fedora 21 (1.12.2-58), ipa or maybe > nss; a CentOS that was 1 or 2 months out of date was working first and got broken after > an update. > > 2) Can't create home directories for new users: Permission denied for the > oddjob-mkhomedir script. I can also experience this as root: can't mkdir > /home/someuser, permission denied (see my mount chain in freeipa below). > Related to NFSv4? > > Here is my setup and various information: > - I'm not using selinux > - Exports: > /home.shared *(rw,sec=krb5:krb5i:krb5p) > - Mount chain: > * -fstype=nfs4,sec=krb5i,rw,proto=tcp,port=2049,rsize=8192,wsize=8192 > home01.net:/home.shared/& > - Experienced on CentOS 7 and Fedora 21 > - FreeIPA server 4.1.4 > - I used ipa-client-automount on clients and server.
> - Same behavior with/without a dedicated service principal on client > - Some errors in NFS server logs: > rpc.gssd - WARNING: can't create tcp rpc_clnt to server > for user with uid 0: RPC: Remote system error - No route to host <-- at > different times > oddjobd: Error > org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not > determine security context for '1:<###>' <-- before oddjob-mkhomedir on new > user > > Have you got the same problems and did you manage to fix them? > > Thanks in advance, > -- > Youenn Piolet > piolet.y at gmail.com From yks0000 at gmail.com Fri Aug 14 08:12:58 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 13:42:58 +0530 Subject: [Freeipa-users] IPA Client Unattended Registration Issue Message-ID: Hi, We use Chef to perform the basic system setup once we launch a new server. We are updating our cookbook to include ipa-client-install once we run our base cookbook via chef-client. For unattended ipa-client installation, we are passing the below parameters: ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xxxxxxxxxx --mkhomedir --no-ntp --unattended However, we always get a password incorrect error, though we are sure it is correct: Joining realm failed: Incorrect password. Installation failed. Rolling back changes. IPA client is not configured on this system. Best Regards, Yogesh Sharma Email: yks0000 at gmail.com | Web: www.initd.in RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
URL: From mbasti at redhat.com Fri Aug 14 08:16:46 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 10:16:46 +0200 Subject: [Freeipa-users] reverse DNS lookup does not work In-Reply-To: References: Message-ID: <55CDA3EE.4040106@redhat.com> On 08/11/2015 04:47 PM, Nikola Kr?ali? wrote: > reverse DNS lookup stopped working after I broke some replication > agreements (perhaps unrelated, but worth mentioning). Regular A > records resolve fine. > The records can be seen in LDAP (using ldapsearch with GSSAPI after > kinit -t /etc/named.keytab): > > the zone: > > # 0.63.10.in-addr.arpa., dns, ipa.example.net > dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net > idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET > krb5-self * SSHFP; > idnsAllowDynUpdate: TRUE > idnsForwarders: 172.23.1.5 > idnsAllowSyncPTR: TRUE > idnsSOAserial: 1439302482 > idnsSOArName: hostmaster.ipa.example.net. > idnsZoneActive: TRUE > idnsSOAexpire: 1209600 > nSRecord: ldap1.example.lan. > idnsSOAminimum: 3600 > objectClass: idnszone > objectClass: top > objectClass: idnsrecord > idnsAllowTransfer: none; > idnsSOAretry: 900 > idnsSOArefresh: 3600 > idnsAllowQuery: any; > idnsName: 0.63.10.in-addr.arpa. > idnsSOAmName: ldap1.example.lan. > > the entry: > # 68, 0.63.10.in-addr.arpa., dns, ipa.example.net > dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net > objectClass: top > objectClass: idnsrecord > cNAMERecord: ds02.example.lan. > idnsName: 68 > > but the reverse dns lookup fails anyway: > > [root at ldap1 ~]# dig -x 10.63.0.68 > > ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68 > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ;; QUESTION SECTION: > ;68.0.63.10.in-addr.arpa. 
IN PTR > > ;; AUTHORITY SECTION: > 10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400 > > ;; Query time: 4 msec > ;; SERVER: 172.23.1.5#53(172.23.1.5) > ;; WHEN: Tue Aug 11 14:40:08 UTC 2015 > ;; MSG SIZE rcvd: 87 > > [root at ldap1 ~]# > > Any thoughts? > Hello, It seems that DNS delegation doesn't work or you asked a non-IPA DNS server. Do you have the right server in resolv.conf? (dig sent the query to 172.23.1.5) Do you have the reverse zone 10.in-addr.arpa. configured on IPA DNS, and does it have proper delegation to the 0.63.10.in-addr.arpa zone? Do you use IPA 3.x or IPA 4.x? If 3.x, there might be an issue with forwarding, because the zone 0.63.10.in-addr.arpa works as a forward zone and forwards queries to server 172.23.1.5, which returns NXDOMAIN for that zone. From jhrozek at redhat.com Fri Aug 14 08:24:50 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 14 Aug 2015 10:24:50 +0200 Subject: [Freeipa-users] IPA Server Replication Info In-Reply-To: References: Message-ID: <20150814082450.GI4449@hendrix.redhat.com> On Thu, Aug 13, 2015 at 09:46:42PM +0530, Yogesh Sharma wrote: > Hi, > > I am working to set up an IPA Env in our Infra. > > 1. I would like to know how IPA handles failover if the Master Node goes down. Does > sssd manage it? Yes. See man sssd-ipa, section failover. > > 2. While the Master Node is down, can I register a client to a replica server, > i.e. via AutoDiscovery as IPA does? Maybe the IPA developers would answer the other questions better, but my understanding is that since all IPA servers are masters, this should be fine as long as you prevent replication conflicts. > > 3. What if my Master Node never comes up again due to a system crash? In > this case, if I create a new node, can I make it the master, and if so what > would happen to clients which were already registered? The data is replicated.. so yes, the clients are also replicated to other IPA servers..
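Martin's reverse DNS diagnosis above (which server answered, which zone the NXDOMAIN came from, and whether the parent zone delegates to the IPA zone) as an added example that is not part of the thread or of FreeIPA: a Python check that derives the in-addr.arpa name for the address, picks the most specific configured IPA reverse zone that should hold the PTR, and reads the saved `dig -x` output to see who issued the status. The dig output is the one quoted in the thread; the zone list and the IPA server address 10.63.0.10 are assumptions for the example.

```python
"""Check a failing reverse lookup against the reverse zones IPA should serve.

Added example, not from the thread or from FreeIPA: derive the PTR owner
name for an address, find the most specific configured reverse zone that
should hold it, then read a saved "dig -x" answer to see which server and
which zone actually produced the status.
"""
import ipaddress
import re

HEADER_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);")
SERVER_RE = re.compile(r"^;; SERVER: (?P<server>[^#]+)#")
SOA_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+SOA\s+")
SIMPLE = {"status": HEADER_RE, "flags": FLAGS_RE, "server": SERVER_RE}

# The dig output quoted in the thread (tabs reinserted), used as sample input.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa.\tIN\tPTR

;; AUTHORITY SECTION:
10.in-addr.arpa.\t86400\tIN\tSOA\t10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87
"""


def reverse_name(ip):
    """'10.63.0.68' -> '68.0.63.10.in-addr.arpa.' (IPv6 yields the ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def owning_zone(name, zones):
    """Most specific zone in `zones` containing `name`, or None if no zone does."""
    target = name.lower().rstrip(".")
    hits = [z for z in zones
            if target == z.lower().rstrip(".") or target.endswith("." + z.lower().rstrip("."))]
    return max(hits, key=len) if hits else None


def parse_dig(output):
    """Pull status, flags, responding server and the AUTHORITY SOA owner out of dig output."""
    info = {"status": None, "flags": set(), "server": None, "authority_zone": None}
    section = None
    for line in output.splitlines():
        line = line.strip()
        for key, rx in SIMPLE.items():
            m = rx.match(line)
            if m:
                info[key] = set(m[key].split()) if key == "flags" else m[key].strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-8].strip()          # ";; AUTHORITY SECTION:" -> "AUTHORITY"
        elif section == "AUTHORITY" and SOA_RE.match(line):
            info["authority_zone"] = SOA_RE.match(line)["owner"]
    return info


def diagnose(ip, dig_output, ipa_zones, ipa_servers):
    """Parsed answer plus findings that explain a status other than NOERROR."""
    qname = reverse_name(ip)
    expected = owning_zone(qname, ipa_zones)
    info = parse_dig(dig_output)
    findings = []
    if info["server"] not in ipa_servers:
        findings.append(f"answered by {info['server']}, not an IPA DNS server: check /etc/resolv.conf")
    if expected is None:
        findings.append(f"no configured IPA reverse zone contains {qname}")
    elif info["status"] != "NOERROR":
        auth = info["authority_zone"]
        if auth and auth.lower() != expected.lower():
            how = "authoritatively " if "aa" in info["flags"] else ""
            findings.append(f"{info['status']} was {how}issued from {auth}, not {expected}: "
                            f"{auth} lacks NS records delegating {expected}, or {expected} is only a forward zone")
        else:
            findings.append(f"{info['status']} from {expected} itself: the PTR record is missing there")
    return {"qname": qname, "expected_zone": expected, **info, "findings": findings}


if __name__ == "__main__":
    # Zone list and IPA server address are assumptions for the example.
    result = diagnose("10.63.0.68", DIG_OUTPUT, ["0.63.10.in-addr.arpa.", "ipa.example.net."], {"10.63.0.10"})
    print(f"{result['qname']} belongs in {result['expected_zone']}; got {result['status']} from {result['server']}")
    for finding in result["findings"]:
        print(" -", finding)
```

On the quoted output the check reports both of Martin's points: the answer came from 172.23.1.5 rather than an IPA server, and the NXDOMAIN was issued authoritatively from 10.in-addr.arpa., so that zone has no delegation for 0.63.10.in-addr.arpa. (or the IPA zone is only forwarding to it). Run `dig -x <ip> @<ipa-server>` and feed that output in to separate the resolv.conf problem from the delegation problem.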
From mbasti at redhat.com Fri Aug 14 08:54:11 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 10:54:11 +0200 Subject: [Freeipa-users] IPA Client Unattended Registration Issue In-Reply-To: References: Message-ID: <55CDACB3.3000908@redhat.com> On 08/14/2015 10:12 AM, Yogesh Sharma wrote: > Hi, > > We use Chef to perform the basic system setup once we launch a new server. > > We are updating our cookbook to include ipa-client-install once we run > our base cookbook via chef-client. > > For unattended ipa-client installation, we are passing the below parameters: > > > ipa-client-install --server=ipa.initd.int > --domain=initd.int --realm=INITD.INT > --password=xxxxxxxxxx --mkhomedir --no-ntp > --unattended > > > However, we always get a password incorrect error, though we are sure it > is correct: > > > Joining realm failed: Incorrect password. > > Installation failed. Rolling back changes. > IPA client is not configured on this system. Hello, please add the --principal option, probably --principal admin. --password without the --principal option requires a bulk password (ipa-client-install -h). HTH Martin > > > Best Regards, > Yogesh Sharma > Email: yks0000 at gmail.com | Web: www.initd.in > RHCE, VCE-CIA, RACKSPACE CLOUD U Certified From mbasti at redhat.com Fri Aug 14 09:02:01 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 11:02:01 +0200 Subject: [Freeipa-users] IPA Client Unattended Registration Issue In-Reply-To: <55CDACB3.3000908@redhat.com> References: <55CDACB3.3000908@redhat.com> Message-ID: <55CDAE89.2070307@redhat.com> On 08/14/2015 10:54 AM, Martin Basti wrote: > > > On 08/14/2015 10:12 AM, Yogesh Sharma wrote: >> Hi, >> >> We use Chef to perform the basic system setup once we launch a new server.
>> >> We are updating our cookbook to include ipa-client-install once we >> run our base cookbook via chef-client. >> >> For unattended ipa-client installation, we are passing the below parameters: >> >> >> ipa-client-install --server=ipa.initd.int >> --domain=initd.int --realm=INITD.INT >> --password=xxxxxxxxxx --mkhomedir --no-ntp >> --unattended >> >> >> However, we always get a password incorrect error, though we are sure >> it is correct: >> >> >> Joining realm failed: Incorrect password. >> >> Installation failed. Rolling back changes. >> IPA client is not configured on this system. > > Hello, please add the --principal option, > > probably --principal admin. > > --password without the --principal option requires a bulk password > (ipa-client-install -h). > > HTH > Martin Or, if you want to use a bulk password, you must add the host with the bulk password first: [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword [client.initd.int]$ ipa-client-install .... --password=bulkpassword HTH Martin >> >> >> Best Regards, >> Yogesh Sharma >> Email: yks0000 at gmail.com | Web: www.initd.in >> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified From yks0000 at gmail.com Fri Aug 14 08:41:10 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 14:11:10 +0530 Subject: [Freeipa-users] IPA Server Replication Info In-Reply-To: <20150814082450.GI4449@hendrix.redhat.com> References: <20150814082450.GI4449@hendrix.redhat.com> Message-ID: Thanks Jakub. From your answer 2, would both DNS work as Master if we use IPA DNS?
Best Regards, Yogesh Sharma Email: yks0000 at gmail.com | Web: www.initd.in RHCE, VCE-CIA, RACKSPACE CLOUD U Certified On Fri, Aug 14, 2015 at 1:54 PM, Jakub Hrozek wrote: > On Thu, Aug 13, 2015 at 09:46:42PM +0530, Yogesh Sharma wrote: > > Hi, > > > > I am working to set up an IPA Env in our Infra. > > > > 1. I would like to know how IPA handles failover if the Master Node goes down. Does > > sssd manage it? > > Yes. See man sssd-ipa, section failover. > > > > > 2. While the Master Node is down, can I register a client to a replica > server, > > i.e. via AutoDiscovery as IPA does? > > Maybe the IPA developers would answer the other questions better, but my > understanding is that since all IPA servers are masters, this > should be fine as long as you prevent replication conflicts. > > > > > 3. What if my Master Node never comes up again due to a system crash? In > > this case, if I create a new node, can I make it the master, and if so what > > would happen to clients which were already registered? > > The data is replicated.. so yes, the clients are also replicated to other > IPA servers.. From piolet.y at gmail.com Fri Aug 14 10:02:31 2015 From: piolet.y at gmail.com (Youenn PIOLET) Date: Fri, 14 Aug 2015 12:02:31 +0200 Subject: [Freeipa-users] Kerberized NFS and home automount issues In-Reply-To: References: Message-ID: Hi, I didn't know it was only possible to create homes on the home NFS server :) I changed my implementation on the home NFS server to make a flat /home directory (not mounted with autofs from another directory of the same server). 2) is now solved: I disabled autofs on the home NFS server, moved the files, and mkhomedir now works perfectly.
1) The issue seems to be solved after this, but not instantaneously. I still see errors in the NFS server logs: WARNING: can't create tcp rpc_clnt to server for user with uid 0: RPC: Remote system error - No route to host but it seems to be working. After creating a new user, I had to wait a few seconds/minutes for the home to be fetchable by autofs. Thanks a lot. -- Youenn Piolet piolet.y at gmail.com 2015-08-14 7:14 GMT+02:00 Prasun Gera : > Where are you trying to create the home directories? Is your NFS server > the same as the IPA server? You can only create home directories on the > NFS home server unless the nfs-client sees the export option > "no_root_squash". That is not recommended though. > > On Thu, Aug 13, 2015 at 9:49 AM, Youenn PIOLET wrote: > >> Hi, >> >> I'm currently trying to configure automount for home directories with >> Kerberized NFSv4. >> I'm struggling with two issues that may or may not be related: >> >> 1) Can't read my home directory. I have to type kinit manually first on >> each integrated client for this to work. I think it is related to the >> latest versions of sssd on CentOS 7 / Fedora 21 (1.12.2-58), ipa or maybe >> nss; a CentOS that was 1 or 2 months out of date was working first and got broken after >> an update. >> >> 2) Can't create home directories for new users: Permission denied for the >> oddjob-mkhomedir script. I can also experience this as root: can't mkdir >> /home/someuser, permission denied (see my mount chain in freeipa below). >> Related to NFSv4? >> >> Here is my setup and various information: >> - I'm not using selinux >> - Exports: >> /home.shared *(rw,sec=krb5:krb5i:krb5p) >> - Mount chain: >> * -fstype=nfs4,sec=krb5i,rw,proto=tcp,port=2049,rsize=8192,wsize=8192 >> home01.net:/home.shared/& >> - Experienced on CentOS 7 and Fedora 21 >> - FreeIPA server 4.1.4 >> - I used ipa-client-automount on clients and server.
>> - Same behavior with/without a dedicated service principal on client
>> - Some errors in NFS server logs:
>>   rpc.gssd - WARNING: can't create tcp rpc_clnt to server for user with uid 0: RPC: Remote system error - No route to host   <-- at different times
>>   oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for '1:<###>'   <-- before oddjob-mkhomedir on new user
>>
>> Have you got the same problems and did you manage to fix them?
>>
>> Thanks in advance,
>> --
>> Youenn Piolet
>> piolet.y at gmail.com
>>

From yks0000 at gmail.com Fri Aug 14 10:07:40 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Fri, 14 Aug 2015 15:37:40 +0530
Subject: [Freeipa-users] PTR record not adding to IPA DNS
Message-ID: 

Hi,

Upon client registration, PTR records are not getting added to the reverse zone in IPA DNS.

Best Regards,
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

From mbasti at redhat.com Fri Aug 14 10:15:21 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 14 Aug 2015 12:15:21 +0200
Subject: [Freeipa-users] PTR record not adding to IPA DNS
In-Reply-To: 
References: 
Message-ID: <55CDBFB9.1090805@redhat.com>

On 08/14/2015 12:07 PM, Yogesh Sharma wrote:
> Hi,
>
> Upon client registration , PTR records are not getting added to
> reverse Zone in IPA DNS.
Hello,

Please provide more info about configuration of zones.

From pvoborni at redhat.com Fri Aug 14 10:38:12 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 14 Aug 2015 12:38:12 +0200
Subject: [Freeipa-users] users- ssh keys self service
In-Reply-To: <55CCEF42.3060605@gmail.com>
References: <55CCCCD1.60300@gmail.com> <55CCEF42.3060605@gmail.com>
Message-ID: <55CDC514.20803@redhat.com>

On 08/13/2015 09:25 PM, Janelle wrote:
> AHA!!!
>
> The problem is found, but the solution eludes me.
> Any user "migrated" in compat mode has the problem. NEW users do not.
> Thoughts? Ideas? troubleshooting? What do I need to make visible for
> users to edit their settings?

How do the migrated user and a new user differ in your environment?

E.g. do they have different object classes?

>
> ~J
>
> On 8/13/15 9:58 AM, Janelle wrote:
>> Hi,
>>
>> So I still have been unable to find the problem with blank screens for
>> users when they login to the gui and can not manage anything other
>> than OTP. Out of the box, vanilla install of FreeOTP on RHEL 7.x and
>> using IPA 4.1.4, a user logs in, you see ALL the fields for a split
>> second, before they go blank and there is no way to bring them back.
>> This is of course frustrating since users can not add their SSH
>> keys. They can change their PW, since that is on the ACTION button,
>> which remains visible.
>>
>> Are there any troubleshooting suggestions for this? I have not
>> customized anything.
>> >> Thank you >> ~J > -- Petr Vobornik From yks0000 at gmail.com Fri Aug 14 10:57:36 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 16:27:36 +0530 Subject: [Freeipa-users] PTR record not adding to IPA DNS In-Reply-To: <55CDBFB9.1090805@redhat.com> References: <55CDBFB9.1090805@redhat.com> Message-ID: Forward zone: initd.int Reverse: 32.16.172.in-addr.arpa. CIDR of our DHCP: 172.16.32.0/20 *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti wrote: > > > On 08/14/2015 12:07 PM, Yogesh Sharma wrote: > > Hi, > > Upon client registration , PTR records are not getting added to reverse > Zone in IPA DNS. > > > *Best Regards,* > > *__________________________________________ * > > *Yogesh Sharma * > *Email: yks0000 at gmail.com | Web: > www.initd.in * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > > > Hello, > > Please provide more info about configuration of zones. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Aug 14 11:00:46 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 13:00:46 +0200 Subject: [Freeipa-users] PTR record not adding to IPA DNS In-Reply-To: References: <55CDBFB9.1090805@redhat.com> Message-ID: <55CDCA5E.6020705@redhat.com> On 08/14/2015 12:57 PM, Yogesh Sharma wrote: > Forward zone: initd.int > Reverse: 32.16.172.in-addr.arpa. 
> > CIDR of our DHCP: 172.16.32.0/20 Please paste here output of following commands: ipa dnszone-show initd.int --all ipa dnszone-show 32.16.172.in-addr.arpa --all > > /Best Regards,/ > /__________________________________________ > / > /Yogesh Sharma > / > /Email: yks0000 at gmail.com | Web: > www.initd.in / > / > / > /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ > > > > > > On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti > wrote: > > > > On 08/14/2015 12:07 PM, Yogesh Sharma wrote: >> Hi, >> >> Upon client registration , PTR records are not getting added to >> reverse Zone in IPA DNS. >> >> >> /Best Regards,/ >> /__________________________________________ >> / >> /Yogesh Sharma >> / >> /Email: yks0000 at gmail.com | Web: >> www.initd.in / >> / >> / >> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >> >> >> >> >> >> > Hello, > > Please provide more info about configuration of zones. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yks0000 at gmail.com Fri Aug 14 11:13:19 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 16:43:19 +0530 Subject: [Freeipa-users] PTR record not adding to IPA DNS In-Reply-To: <55CDCA5E.6020705@redhat.com> References: <55CDBFB9.1090805@redhat.com> <55CDCA5E.6020705@redhat.com> Message-ID: Please find the output: ipa dnszone-show initd.int --all dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int Zone name: initd.int. Active zone: TRUE Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int. Administrator e-mail address: hostmaster.initd.int. SOA serial: 1439547047 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * AAAA; grant initd.INT krb5-self * SSHFP; Dynamic update: TRUE Allow query: any; Allow transfer: none; nsrecord: ipa-inf-prd-ng2-01.initd.int. objectclass: idnszone, top, idnsrecord dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int Zone name: 32.16.172.in-addr.arpa. 
Active zone: TRUE Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int. Administrator e-mail address: hostmaster.initd.int. SOA serial: 1439543674 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR; Dynamic update: TRUE Allow query: any; Allow transfer: none; nsrecord: ipa-inf-prd-ng2-01.initd.int. objectclass: idnszone, top, idnsrecord *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti wrote: > > > On 08/14/2015 12:57 PM, Yogesh Sharma wrote: > > Forward zone: initd.int > Reverse: 32.16.172.in-addr.arpa. > > CIDR of our DHCP: 172.16.32.0/20 > > Please paste here output of following commands: > > ipa dnszone-show initd.int --all > > ipa dnszone-show 32.16.172.in-addr.arpa --all > > > > *Best Regards,* > > *__________________________________________ * > > *Yogesh Sharma * > *Email: yks0000 at gmail.com | Web: > www.initd.in * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > > On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti wrote: > >> >> >> On 08/14/2015 12:07 PM, Yogesh Sharma wrote: >> >> Hi, >> >> Upon client registration , PTR records are not getting added to reverse >> Zone in IPA DNS. >> >> >> *Best Regards,* >> >> *__________________________________________ * >> >> *Yogesh Sharma * >> *Email: yks0000 at gmail.com | Web: >> www.initd.in * >> >> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* >> >> >> >> >> >> >> Hello, >> >> Please provide more info about configuration of zones. >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
From mbasti at redhat.com Fri Aug 14 11:22:30 2015
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 14 Aug 2015 13:22:30 +0200
Subject: [Freeipa-users] PTR record not adding to IPA DNS
In-Reply-To: 
References: <55CDBFB9.1090805@redhat.com> <55CDCA5E.6020705@redhat.com>
Message-ID: <55CDCF76.4040902@redhat.com>

On 08/14/2015 01:13 PM, Yogesh Sharma wrote:
> Please find the output:
>
> ipa dnszone-show initd.int --all
>
> dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
> Zone name: initd.int.
> Active zone: TRUE
> Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
> Administrator e-mail address: hostmaster.initd.int.
> SOA serial: 1439547047
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant initd.INT krb5-self * A; grant initd.INT
> krb5-self * AAAA; grant initd.INT krb5-self * SSHFP;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: ipa-inf-prd-ng2-01.initd.int.
> objectclass: idnszone, top, idnsrecord
>

I don't see this line in output of initd.int
Allow PTR sync: TRUE

Did you enable synchronization of PTR records?

ipa dnszone-mod initd.int --allow-sync-ptr=TRUE

Martin

> dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
> Zone name: 32.16.172.in-addr.arpa.
> Active zone: TRUE
> Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
> Administrator e-mail address: hostmaster.initd.int.
> SOA serial: 1439543674
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant initd.INT krb5-subdomain
> 32.16.172.in-addr.arpa. PTR;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: ipa-inf-prd-ng2-01.initd.int.
> objectclass: idnszone, top, idnsrecord > > > /Best Regards,/ > /__________________________________________ > / > /Yogesh Sharma > / > /Email: yks0000 at gmail.com | Web: > www.initd.in / > / > / > /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ > > > > > > On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti > wrote: > > > > On 08/14/2015 12:57 PM, Yogesh Sharma wrote: >> Forward zone: initd.int >> Reverse: 32.16.172.in-addr.arpa. >> >> CIDR of our DHCP: 172.16.32.0/20 > Please paste here output of following commands: > > ipa dnszone-show initd.int --all > > ipa dnszone-show 32.16.172.in-addr.arpa --all > > >> >> /Best Regards,/ >> /__________________________________________ >> / >> /Yogesh Sharma >> / >> /Email: yks0000 at gmail.com | Web: >> www.initd.in / >> / >> / >> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >> >> >> >> >> >> On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti > > wrote: >> >> >> >> On 08/14/2015 12:07 PM, Yogesh Sharma wrote: >>> Hi, >>> >>> Upon client registration , PTR records are not getting added >>> to reverse Zone in IPA DNS. >>> >>> >>> /Best Regards,/ >>> /__________________________________________ >>> / >>> /Yogesh Sharma >>> / >>> /Email: yks0000 at gmail.com | Web: >>> www.initd.in / >>> / >>> / >>> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >>> >>> >>> >>> >>> >>> >>> >> Hello, >> >> Please provide more info about configuration of zones. >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Aug 14 11:50:48 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 13:50:48 +0200 Subject: [Freeipa-users] IPA Client Unattended Registration Issue In-Reply-To: <55CDAE89.2070307@redhat.com> References: <55CDACB3.3000908@redhat.com> <55CDAE89.2070307@redhat.com> Message-ID: <55CDD618.4090605@redhat.com> Please provide feedback if this (and which) solution works for you, this may help for other users too. 
Martin

On 08/14/2015 11:02 AM, Martin Basti wrote:
>
> On 08/14/2015 10:54 AM, Martin Basti wrote:
>>
>> On 08/14/2015 10:12 AM, Yogesh Sharma wrote:
>>> Hi,
>>>
>>> We use Chef to perform the basic system setup once we launch a new
>>> server.
>>>
>>> We are updating our cookbook to include ipa-client-install once we
>>> run our base cookbook via chef-client.
>>>
>>> For unattended ipa-client installation, we are passing below parameters:
>>>
>>> ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xxxxxxxxxx --mkhomedir --no-ntp --unattended
>>>
>>> However, we always get password incorrect error, though we are sure
>>> it is correct:
>>>
>>> Joining realm failed: Incorrect password.
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>
>> Hello, please add --principal option
>>
>> probably --principal admin
>>
>> --password without --principal option requires bulk password
>> (ipa-client-install -h)
>>
>> HTH
>> Martin
> Or if you want to use bulk password, you must add host with bulk
> password before
>
> [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
> [client.initd.int]$ ipa-client-install .... --password=bulkpassword
>
> HTH
> Martin

From yamakasi.014 at gmail.com Fri Aug 14 11:58:46 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 14 Aug 2015 13:58:46 +0200
Subject: [Freeipa-users] Windows users, Samba Shares -> FreeIPA
Message-ID: 

Hi People,

In reference to my earlier thread about Samba Shares -> IPA Auth for whatever user, I'm kinda confused what our options are now (for Windows users).

I have tried all kinds of things and can't get the right feeling about how to auth shares for mixed environments.

So to start a fresh discussion about "what's best", What's best ?

The ksetup as known on the IPA pages doesn't let me login on Windows 10, so if people can share their working ways for the current version, that would be great!

Thanks,

Matt

From yks0000 at gmail.com Fri Aug 14 11:46:44 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Fri, 14 Aug 2015 17:16:44 +0530
Subject: [Freeipa-users] PTR record not adding to IPA DNS
In-Reply-To: <55CDCF76.4040902@redhat.com>
References: <55CDBFB9.1090805@redhat.com> <55CDCA5E.6020705@redhat.com> <55CDCF76.4040902@redhat.com>
Message-ID: 

Thanks Martin. Redhat Rock :)

Best Regards,
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Fri, Aug 14, 2015 at 4:52 PM, Martin Basti wrote:
>
> On 08/14/2015 01:13 PM, Yogesh Sharma wrote:
>
> Please find the output:
>
> ipa dnszone-show initd.int --all
>
> dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
> Zone name: initd.int.
> Active zone: TRUE
> Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
> Administrator e-mail address: hostmaster.initd.int.
> SOA serial: 1439547047
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant initd.INT krb5-self * A; grant initd.INT
> krb5-self * AAAA; grant initd.INT krb5-self * SSHFP;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: ipa-inf-prd-ng2-01.initd.int.
> objectclass: idnszone, top, idnsrecord > > > I don't see this line in output of initd.int > Allow PTR sync: TRUE > > Didi you enabled synchronization of ptr records? > > > ipa dnszone-mod initd.int --allow-sync-ptr=TRUE > > Martin > > > > dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int > Zone name: 32.16.172.in-addr.arpa. > Active zone: TRUE > Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int. > Administrator e-mail address: hostmaster.initd.int. > SOA serial: 1439543674 > SOA refresh: 3600 > SOA retry: 900 > SOA expire: 1209600 > SOA minimum: 3600 > BIND update policy: grant initd.INT krb5-subdomain > 32.16.172.in-addr.arpa. PTR; > Dynamic update: TRUE > Allow query: any; > Allow transfer: none; > nsrecord: ipa-inf-prd-ng2-01.initd.int. > objectclass: idnszone, top, idnsrecord > > > *Best Regards,* > > *__________________________________________ * > > *Yogesh Sharma * > *Email: yks0000 at gmail.com | Web: > www.initd.in * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > > On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti wrote: > >> >> >> On 08/14/2015 12:57 PM, Yogesh Sharma wrote: >> >> Forward zone: initd.int >> Reverse: 32.16.172.in-addr.arpa. >> >> CIDR of our DHCP: 172.16.32.0/20 >> >> Please paste here output of following commands: >> >> ipa dnszone-show initd.int --all >> >> ipa dnszone-show 32.16.172.in-addr.arpa --all >> >> >> >> *Best Regards,* >> >> *__________________________________________ * >> >> *Yogesh Sharma * >> *Email: yks0000 at gmail.com | Web: >> www.initd.in * >> >> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* >> >> >> >> >> >> On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti < >> mbasti at redhat.com> wrote: >> >>> >>> >>> On 08/14/2015 12:07 PM, Yogesh Sharma wrote: >>> >>> Hi, >>> >>> Upon client registration , PTR records are not getting added to reverse >>> Zone in IPA DNS. 
>>> >>> >>> *Best Regards,* >>> >>> *__________________________________________ * >>> >>> *Yogesh Sharma * >>> *Email: yks0000 at gmail.com | >>> Web: www.initd.in * >>> >>> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* >>> >>> >>> >>> >>> >>> >>> Hello, >>> >>> Please provide more info about configuration of zones. >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yks0000 at gmail.com Fri Aug 14 12:01:56 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 17:31:56 +0530 Subject: [Freeipa-users] IPA Client Unattended Registration Issue In-Reply-To: <55CDD618.4090605@redhat.com> References: <55CDACB3.3000908@redhat.com> <55CDAE89.2070307@redhat.com> <55CDD618.4090605@redhat.com> Message-ID: Thanks Martin, This works and apologies for not confirming the solution. *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Fri, Aug 14, 2015 at 5:20 PM, Martin Basti wrote: > Please provide feedback if this (and which) solution works for you, this > may help for other users too. > Martin > > On 08/14/2015 11:02 AM, Martin Basti wrote: > > > > On 08/14/2015 10:54 AM, Martin Basti wrote: > > > > On 08/14/2015 10:12 AM, Yogesh Sharma wrote: > > Hi, > > We use Chef to perform the basic system setup once we launch new server. > > We are updating our cookbook to include ipa-client-install once we run our > base cookbook via chef-client. > > For unattended ipa-client installation, we are passing below parameters: > > > *ipa-client-install --server=ipa.initd.int > --domain=initd.int --realm=INITD.INT > --password=xxxxxxxxxx --mkhomedir --no-ntp --unattended* > > > However, we always get password incorrect error, though we are sure it is > correct: > > > Joining realm failed: Incorrect password. > > Installation failed. Rolling back changes. > IPA client is not configured on this system. 
> > > Hello, please add --principal option > > probably --principal admin > > --pasword without --principal option requires bulk password > (ipa-client-install -h) > > HTH > Martin > > Or if you want to use bulk password, you must add host with bulk password > before > > [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword > [client.initd.int]$ ipa-client-install .... --password=bulkpassword > > HTH > Martin > > > > *Best Regards,* > > *__________________________________________ * > > *Yogesh Sharma * > *Email: yks0000 at gmail.com | Web: > www.initd.in * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Aug 14 12:11:23 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 14:11:23 +0200 Subject: [Freeipa-users] PTR record not adding to IPA DNS [SOLVED] In-Reply-To: References: <55CDBFB9.1090805@redhat.com> <55CDCA5E.6020705@redhat.com> <55CDCF76.4040902@redhat.com> Message-ID: <55CDDAEB.5040405@redhat.com> On 08/14/2015 01:46 PM, Yogesh Sharma wrote: > Thanks Martin. Redhat Rock :) You are welcome! > > /Best Regards,/ > /__________________________________________ > / > /Yogesh Sharma > / > /Email: yks0000 at gmail.com | Web: > www.initd.in / > / > / > /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ > > > > > > On Fri, Aug 14, 2015 at 4:52 PM, Martin Basti > wrote: > > > > On 08/14/2015 01:13 PM, Yogesh Sharma wrote: >> Please find the output: >> >> ipa dnszone-show initd.int --all >> >> >> dn: idnsname=initd.int .,cn=dns,dc=initd,dc=int >> Zone name: initd.int . >> Active zone: TRUE >> Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int >> . >> Administrator e-mail address: hostmaster.initd.int >> . 
>> SOA serial: 1439547047 >> SOA refresh: 3600 >> SOA retry: 900 >> SOA expire: 1209600 >> SOA minimum: 3600 >> BIND update policy: grant initd.INT krb5-self * A; grant >> initd.INT krb5-self * AAAA; grant initd.INT krb5-self * SSHFP; >> Dynamic update: TRUE >> Allow query: any; >> Allow transfer: none; >> nsrecord: ipa-inf-prd-ng2-01.initd.int >> . >> objectclass: idnszone, top, idnsrecord >> >> > I don't see this line in output of initd.int > Allow PTR sync: TRUE > > Didi you enabled synchronization of ptr records? > > > ipa dnszone-mod initd.int --allow-sync-ptr=TRUE > > Martin >> >> dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int >> Zone name: 32.16.172.in-addr.arpa. >> Active zone: TRUE >> Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int >> . >> Administrator e-mail address: hostmaster.initd.int >> . >> SOA serial: 1439543674 >> SOA refresh: 3600 >> SOA retry: 900 >> SOA expire: 1209600 >> SOA minimum: 3600 >> BIND update policy: grant initd.INT krb5-subdomain >> 32.16.172.in-addr.arpa. PTR; >> Dynamic update: TRUE >> Allow query: any; >> Allow transfer: none; >> nsrecord: ipa-inf-prd-ng2-01.initd.int >> . >> objectclass: idnszone, top, idnsrecord >> >> >> /Best Regards,/ >> /__________________________________________ >> / >> /Yogesh Sharma >> / >> /Email: yks0000 at gmail.com | Web: >> www.initd.in / >> / >> / >> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >> >> >> >> >> >> On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti > > wrote: >> >> >> >> On 08/14/2015 12:57 PM, Yogesh Sharma wrote: >>> Forward zone: initd.int >>> Reverse: 32.16.172.in-addr.arpa. 
>>> >>> CIDR of our DHCP: 172.16.32.0/20 >> Please paste here output of following commands: >> >> ipa dnszone-show initd.int --all >> >> ipa dnszone-show 32.16.172.in-addr.arpa --all >> >> >>> >>> /Best Regards,/ >>> /__________________________________________ >>> / >>> /Yogesh Sharma >>> / >>> /Email: yks0000 at gmail.com | Web: >>> www.initd.in / >>> / >>> / >>> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >>> >>> >>> >>> >>> >>> >>> On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti >>> > wrote: >>> >>> >>> >>> On 08/14/2015 12:07 PM, Yogesh Sharma wrote: >>>> Hi, >>>> >>>> Upon client registration , PTR records are not getting >>>> added to reverse Zone in IPA DNS. >>>> >>>> >>>> /Best Regards,/ >>>> /__________________________________________ >>>> / >>>> /Yogesh Sharma >>>> / >>>> /Email: yks0000 at gmail.com | >>>> Web: www.initd.in / >>>> / >>>> / >>>> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> Hello, >>> >>> Please provide more info about configuration of zones. >>> >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Aug 14 12:11:51 2015 From: mbasti at redhat.com (Martin Basti) Date: Fri, 14 Aug 2015 14:11:51 +0200 Subject: [Freeipa-users] IPA Client Unattended Registration Issue [SOLVED] In-Reply-To: References: <55CDACB3.3000908@redhat.com> <55CDAE89.2070307@redhat.com> <55CDD618.4090605@redhat.com> Message-ID: <55CDDB07.4030602@redhat.com> On 08/14/2015 02:01 PM, Yogesh Sharma wrote: > Thanks Martin, This works and apologies for not confirming the solution. You are welcome! > > /Best Regards,/ > /__________________________________________ > / > /Yogesh Sharma > / > /Email: yks0000 at gmail.com | Web: > www.initd.in / > / > / > /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ > > > > > > On Fri, Aug 14, 2015 at 5:20 PM, Martin Basti > wrote: > > Please provide feedback if this (and which) solution works for > you, this may help for other users too. 
> Martin > > On 08/14/2015 11:02 AM, Martin Basti wrote: >> >> >> On 08/14/2015 10:54 AM, Martin Basti wrote: >>> >>> >>> On 08/14/2015 10:12 AM, Yogesh Sharma wrote: >>>> Hi, >>>> >>>> We use Chef to perform the basic system setup once we launch >>>> new server. >>>> >>>> We are updating our cookbook to include ipa-client-install once >>>> we run our base cookbook via chef-client. >>>> >>>> For unattended ipa-client installation, we are passing below >>>> parameters: >>>> >>>> >>>> /ipa-client-install --server=ipa.initd.int >>>> --domain=initd.int >>>> --realm=INITD.INT --password=xxxxxxxxxx >>>> --mkhomedir --no-ntp --unattended/ >>>> >>>> >>>> However, we always get password incorrect error, though we are >>>> sure it is correct: >>>> >>>> >>>> Joining realm failed: Incorrect password. >>>> >>>> Installation failed. Rolling back changes. >>>> IPA client is not configured on this system. >>> >>> Hello, please add --principal option >>> >>> probably --principal admin >>> >>> --pasword without --principal option requires bulk password >>> (ipa-client-install -h) >>> >>> HTH >>> Martin >> Or if you want to use bulk password, you must add host with bulk >> password before >> >> [ipaserver]$ ipa host-add client.initd.int >> --password=bulkpassword >> [client.initd.int ]$ ipa-client-install >> .... --password=bulkpassword >> >> HTH >> Martin >>>> >>>> >>>> /Best Regards,/ >>>> /__________________________________________ >>>> / >>>> /Yogesh Sharma >>>> / >>>> /Email: yks0000 at gmail.com | Web: >>>> www.initd.in / >>>> / >>>> / >>>> /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> >>> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
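The "Allow PTR sync" check from the PTR thread above, as an added shell example that is not from the thread or from FreeIPA: it parses `ipa dnszone-show ZONE --all` output and reports which of the settings that PTR synchronisation depends on are missing. The two zone dumps are constructed to mirror the zones quoted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Offline check of `ipa dnszone-show ZONE --all` output for the settings that
# IPA's forward-to-reverse (PTR) synchronisation depends on. Added example; the
# function names are my own, and the two zone dumps below are constructed to
# mirror the zones quoted in the thread (forward zone without "Allow PTR sync").

FWD_ZONE_NO_SYNC='dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
  Zone name: initd.int.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  SOA serial: 1439547047
  BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * AAAA; grant initd.INT krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;'

# The same zone after "ipa dnszone-mod initd.int --allow-sync-ptr=TRUE".
FWD_ZONE_SYNC="$FWD_ZONE_NO_SYNC
  Allow PTR sync: TRUE"

REV_ZONE='dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
  Zone name: 32.16.172.in-addr.arpa.
  Active zone: TRUE
  BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;'

# zone_attr OUTPUT NAME -> value of the "NAME: value" line (empty if absent)
zone_attr() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p"
}

# ptr_sync_enabled OUTPUT -> 0 when the forward zone carries "Allow PTR sync: TRUE"
ptr_sync_enabled() {
    [ "$(zone_attr "$1" 'Allow PTR sync')" = TRUE ]
}

# dynamic_update_enabled OUTPUT -> 0 when the zone has "Dynamic update: TRUE"
dynamic_update_enabled() {
    [ "$(zone_attr "$1" 'Dynamic update')" = TRUE ]
}

# policy_grants OUTPUT GRANT -> 0 when the BIND update policy contains GRANT
policy_grants() {
    zone_attr "$1" 'BIND update policy' | grep -q -- "$2"
}

# check_ptr_sync FWD_OUTPUT REV_OUTPUT REVERSE_ZONE_NAME
# Prints one finding per line and returns the number of findings (0 = all set).
check_ptr_sync() {
    fwd=$1; rev=$2; revzone=$3
    fwdzone=$(zone_attr "$fwd" 'Zone name'); fwdzone=${fwdzone%.}
    problems=0
    if ! dynamic_update_enabled "$fwd"; then
        echo "forward zone $fwdzone: Dynamic update is not TRUE"
        problems=$((problems + 1))
    fi
    if ! ptr_sync_enabled "$fwd"; then
        echo "forward zone $fwdzone: 'Allow PTR sync' missing; fix: ipa dnszone-mod $fwdzone --allow-sync-ptr=TRUE"
        problems=$((problems + 1))
    fi
    # The synthesised PTR is written into the reverse zone, so that zone must
    # accept dynamic updates as well.
    if ! dynamic_update_enabled "$rev"; then
        echo "reverse zone $revzone: Dynamic update is not TRUE"
        problems=$((problems + 1))
    fi
    # Informational only: krb5-subdomain lets every principal of the realm
    # update any PTR in the zone directly (the thread's reverse zone has it).
    if ! policy_grants "$rev" "krb5-subdomain $revzone PTR"; then
        echo "note: reverse zone $revzone grants no direct PTR updates to realm principals"
    fi
    return "$problems"
}

# Real use: check_ptr_sync "$(ipa dnszone-show initd.int --all)" \
#               "$(ipa dnszone-show 32.16.172.in-addr.arpa --all)" 32.16.172.in-addr.arpa.
check_ptr_sync "$FWD_ZONE_NO_SYNC" "$REV_ZONE" 32.16.172.in-addr.arpa. \
    || echo "$? setting(s) need attention"
```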
URL: From yks0000 at gmail.com Fri Aug 14 09:49:29 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 15:19:29 +0530 Subject: [Freeipa-users] IPA Client Unattended Registration Issue In-Reply-To: <55CDAE89.2070307@redhat.com> References: <55CDACB3.3000908@redhat.com> <55CDAE89.2070307@redhat.com> Message-ID: Thanks Martin, It worked. *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Fri, Aug 14, 2015 at 2:32 PM, Martin Basti wrote: > > > On 08/14/2015 10:54 AM, Martin Basti wrote: > > > > On 08/14/2015 10:12 AM, Yogesh Sharma wrote: > > Hi, > > We use Chef to perform the basic system setup once we launch new server. > > We are updating our cookbook to include ipa-client-install once we run our > base cookbook via chef-client. > > For unattended ipa-client installation, we are passing below parameters: > > > *ipa-client-install --server=ipa.initd.int > --domain=initd.int --realm=INITD.INT > --password=xxxxxxxxxx --mkhomedir --no-ntp --unattended* > > > However, we always get password incorrect error, though we are sure it is > correct: > > > Joining realm failed: Incorrect password. > > Installation failed. Rolling back changes. > IPA client is not configured on this system. > > > Hello, please add --principal option > > probably --principal admin > > --pasword without --principal option requires bulk password > (ipa-client-install -h) > > HTH > Martin > > Or if you want to use bulk password, you must add host with bulk password > before > > [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword > [client.initd.int]$ ipa-client-install .... 
--password=bulkpassword
>
> HTH
> Martin

From christof.schulze at ww.uni-erlangen.de Fri Aug 14 12:53:28 2015
From: christof.schulze at ww.uni-erlangen.de (Christof Schulze)
Date: Fri, 14 Aug 2015 14:53:28 +0200
Subject: [Freeipa-users] Additional subject for self-signed CA (E, OU, L, ST)
In-Reply-To: <55B07FDC.5080803@physik.uni-wuppertal.de>
References: <55AF5D2D.2090002@physik.uni-wuppertal.de> <20150722092240.GU21928@redhat.com> <55AF64CD.6010306@physik.uni-wuppertal.de> <55AFB0B8.4010002@redhat.com> <55AFCCFB.1010502@physik.uni-wuppertal.de> <55AFD1F8.1090708@redhat.com> <55B07FDC.5080803@physik.uni-wuppertal.de>
Message-ID: <55CDE4C8.80601@ww.uni-erlangen.de>

Hello,

I know I already read about it in this list but can't find it any more.

How can I set additional subject fields like OU, Country, email and others for a newly created self-signed CA (new IPA server 4.1 on CentOS 7) and all following service certificates?

C. Schulze

--
Christof Schulze
Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069
Email: christof.schulze at fau.de

From yks0000 at gmail.com Fri Aug 14 13:35:48 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Fri, 14 Aug 2015 19:05:48 +0530
Subject: [Freeipa-users] Sudo Rule Not working with UserGroup
Message-ID: 

Hi,

We have moved to the next step and are working on configuring the Sudo Rule.

When we add individual users to sudo rules, it works perfectly. However, as soon as we add a usergroup to sudo rules, it stops working.
*Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* -------------- next part -------------- An HTML attachment was scrubbed... URL: From janellenicole80 at gmail.com Fri Aug 14 13:37:27 2015 From: janellenicole80 at gmail.com (Janelle) Date: Fri, 14 Aug 2015 06:37:27 -0700 Subject: [Freeipa-users] first time web UI access? Message-ID: <55CDEF17.5030801@gmail.com> I am curious if anyone else ever sees a problem with first time IPA WEB UI access and the full screen not loading. It requires a reload sometimes once or twice to get it to load properly. Has anyone seen this before? thank you Janelle From jhrozek at redhat.com Fri Aug 14 13:42:15 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 14 Aug 2015 15:42:15 +0200 Subject: [Freeipa-users] Sudo Rule Not working with UserGroup In-Reply-To: References: Message-ID: <20150814134215.GF4856@hendrix.redhat.com> On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote: > Hi, > > We have moved to next step and working to configuring the Sudo Rule. > > When we add individual users to sudo rules, it works perfectly. However as > soon as we add usergroup to sudo rules, It stop working. I'm sorry, but it's not possible to help without seeing the logs. In this case, the sudo logs. From jhrozek at redhat.com Fri Aug 14 13:47:09 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 14 Aug 2015 15:47:09 +0200 Subject: [Freeipa-users] IPA Server Replication Info In-Reply-To: References: <20150814082450.GI4449@hendrix.redhat.com> Message-ID: <20150814134709.GG4856@hendrix.redhat.com> On Fri, Aug 14, 2015 at 02:11:10PM +0530, Yogesh Sharma wrote: > Thanks Jakub. > > From your answer 2, would both DNS will work as Master if we use IPA DNS. Well, you need to configure /etc/resolv.conf to point to the replica as well. btw resolv.conf typically supports up to three nameservers. 
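The two enrollment shapes from the "IPA Client Unattended Registration Issue" thread above (`--principal` plus `--password`, versus a host pre-created with a bulk password), as an added shell example that is not from the thread or from FreeIPA: `enroll_mode` classifies an ipa-client-install argument list the way the installer will interpret it, and `otp_enrollment_plan` prints the host-add / client-install pair for a node such as the Chef-provisioned one. The function names are mine; the options used are real ipa-client-install options.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): classify how an
# ipa-client-install argument list will authenticate the join, and plan the
# pre-created-host / one-time-password flow that the thread settles on.
# Function names are my own; -p/--principal, -w/--password, -k/--keytab,
# --hostname, --server, --domain, --realm and --unattended are real options.

# enroll_mode ARGS... -> prints one word:
#   principal : --principal plus --password (an account credential)
#   otp       : --password with no --principal; the installer treats the value
#               as the host's one-time "bulk" password, so the host must already
#               exist with that password or the join ends with
#               "Joining realm failed: Incorrect password." (the thread's error)
#   keytab    : --keytab (the host already holds credentials)
#   prompt    : --principal but no --password; the password is asked for
#   none      : nothing usable
enroll_mode() {
    principal=0; password=0; keytab=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--principal|--principal=*) principal=1 ;;
            -w|--password|--password=*)   password=1 ;;
            -k|--keytab|--keytab=*)       keytab=1 ;;
        esac
        case "$1" in
            # "--opt value" form: the next word is the value, skip it too
            -p|--principal|-w|--password|-k|--keytab)
                if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ "$keytab" -eq 1 ]; then echo keytab
    elif [ "$principal" -eq 1 ] && [ "$password" -eq 1 ]; then echo principal
    elif [ "$password" -eq 1 ]; then echo otp
    elif [ "$principal" -eq 1 ]; then echo prompt
    else echo none
    fi
}

# new_otp -> 24 random alphanumeric characters from the kernel RNG
new_otp() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# otp_enrollment_plan FQDN SERVER DOMAIN REALM [OTP]
# Prints the two commands in order: first create the host entry with the OTP on
# the server (admin credentials are needed there, once), then join from the
# client with that OTP only. The OTP is consumed by the join, so no reusable
# admin password has to travel with the cookbook.
otp_enrollment_plan() {
    fqdn=$1; server=$2; domain=$3; realm=$4; otp=${5:-$(new_otp)}
    printf 'ipa host-add %s --password=%s\n' "$fqdn" "$otp"
    printf 'ipa-client-install --hostname=%s --server=%s --domain=%s --realm=%s --password=%s --mkhomedir --no-ntp --unattended\n' \
        "$fqdn" "$server" "$domain" "$realm" "$otp"
}

# The thread's original command line: no --principal, so IPA expects a host OTP.
printf 'mode: %s\n' "$(enroll_mode --server=ipa.initd.int --domain=initd.int \
    --realm=INITD.INT --password=xxxxxxxxxx --mkhomedir --no-ntp --unattended)"
otp_enrollment_plan client.initd.int ipa.initd.int initd.int INITD.INT
```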
From yks0000 at gmail.com Fri Aug 14 15:07:27 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 20:37:27 +0530 Subject: [Freeipa-users] Sudo Rule Not working with UserGroup In-Reply-To: <20150814134215.GF4856@hendrix.redhat.com> References: <20150814134215.GF4856@hendrix.redhat.com> Message-ID: It has started working. Not sure what happened, but seems to be issue with cache time out again. Thanks Jakub. I will update more if I am able to replicate the issue again. *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Fri, Aug 14, 2015 at 7:12 PM, Jakub Hrozek wrote: > On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote: > > Hi, > > > > We have moved to next step and working to configuring the Sudo Rule. > > > > When we add individual users to sudo rules, it works perfectly. However > as > > soon as we add usergroup to sudo rules, It stop working. > > I'm sorry, but it's not possible to help without seeing the logs. > In this case, the sudo logs. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yks0000 at gmail.com Fri Aug 14 15:08:56 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Fri, 14 Aug 2015 20:38:56 +0530 Subject: [Freeipa-users] IPA Server Replication Info In-Reply-To: <20150814134709.GG4856@hendrix.redhat.com> References: <20150814082450.GI4449@hendrix.redhat.com> <20150814134709.GG4856@hendrix.redhat.com> Message-ID: Okay. So both the DNS is Master. Thanks Jakub, this can be closed. 
*Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Fri, Aug 14, 2015 at 7:17 PM, Jakub Hrozek wrote: > On Fri, Aug 14, 2015 at 02:11:10PM +0530, Yogesh Sharma wrote: > > Thanks Jakub. > > > > From your answer 2, would both DNS will work as Master if we use IPA DNS. > > Well, you need to configure /etc/resolv.conf to point to the replica as > well. > > btw resolv.conf typically supports up to three nameservers. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prasun.gera at gmail.com Fri Aug 14 21:25:16 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Fri, 14 Aug 2015 14:25:16 -0700 Subject: [Freeipa-users] users- ssh keys self service In-Reply-To: <55CDC514.20803@redhat.com> References: <55CCCCD1.60300@gmail.com> <55CCEF42.3060605@gmail.com> <55CDC514.20803@redhat.com> Message-ID: Did you try the */ipa/migration/* url for migrated users ? On Fri, Aug 14, 2015 at 3:38 AM, Petr Vobornik wrote: > On 08/13/2015 09:25 PM, Janelle wrote: > >> AHA!!! >> >> The problem is found, but the solution eludes me. >> Any user "migrated" in compat mode has the problem. NEW users do not. >> Thoughts? Ideas? troubleshooting? What do I need to make visible for >> users to edit their settings? >> > > How does the migrated user and a new user differ in your environment? > > E.g. do they have different object classes? > > >> ~J >> >> On 8/13/15 9:58 AM, Janelle wrote: >> >>> Hi, >>> >>> So I still have been unable to find the problem with blank screens for >>> users when they login to the gui and can not manage anything other >>> than OTP. Out of the box, vanilla install of FreeOTP on RHEL 7.x and >>> using IPA 4.1.4, a user logs in, you see ALL the fields for a split >>> second, before they go blank and there is no way to bring them back. >>> This is over course frustrating since users can not add their SSH >>> keys. 
They can change there PW, since that is on the ACTION button, >>> which remains visible. >>> >>> Are there any troubleshooting suggestions for this? I have not >>> customized anything. >>> >>> Thank you >>> ~J >>> >> >> > > -- > Petr Vobornik > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yks0000 at gmail.com Sat Aug 15 10:27:33 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Sat, 15 Aug 2015 15:57:33 +0530 Subject: [Freeipa-users] IPA User Group Auto membership Message-ID: Team,, We are having issue in configuring Auto Membership for Usergroup i.e. when ever we add/update a user to IPA , it should get added to a group on the basis of his/her Job Title. Below is the rule: [root at ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers Grouping Type: group --------------- 1 rules matched --------------- Description: DBA Auto membership Automember Rule: dbausers Inclusive Regex: title=(.*)((?i)(DBA))(.*) ---------------------------- Number of entries returned 1 ---------------------------- [root at ipa-inf-prd-ng2-02 ~]# We are setting Job Title as "Sr. DBA Mgr" , "DBA II" etc, However it is not working. We have tested the regex, and it seems to be working while testing it. *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* -------------- next part -------------- An HTML attachment was scrubbed... 
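The automember behaviour behind this question, modelled in Python as an added example (this is not FreeIPA's or 389-ds's own code). The model evaluates inclusive rules once, when an entry is added, so a rule keyed on an attribute that is only filled in after creation (the Job Title here) never fires until the existing entries are re-evaluated by a rebuild. The users and the Directory/AutomemberRule classes are constructed for the demonstration; the real evaluation happens inside the directory server's automember plugin.

```python
"""Simplified model of FreeIPA/389-ds automember inclusive-regex rules.

Added example, not FreeIPA code. Rules are applied when an entry is ADDed;
later attribute changes are not re-evaluated, which is why a title set after
user creation never puts the user into the group until a rebuild runs.
"""
import re
from dataclasses import dataclass, field


def parse_inclusive_regex(spec: str):
    """Split an automember regex 'attr=regex' into (attribute, compiled regex).

    The directory server evaluates the pattern with a PCRE-style engine that
    accepts a mid-pattern (?i), as in the thread's rule
    'title=(.*)((?i)(DBA))(.*)'. Python's re (3.11+) rejects a global flag
    that is not at the start, so the flag is hoisted to re.IGNORECASE. For
    this rule that is equivalent; in general PCRE scopes (?i) to the rest of
    its enclosing group, so the hoisted form can be slightly broader.
    """
    attr, sep, pattern = spec.partition("=")
    if not sep or not attr or not pattern:
        raise ValueError(f"not an 'attr=regex' rule: {spec!r}")
    flags = 0
    if "(?i)" in pattern:
        pattern = pattern.replace("(?i)", "")
        flags |= re.IGNORECASE
    return attr.lower(), re.compile(pattern, flags)


@dataclass
class User:
    uid: str
    # LDAP-style attribute name -> list of values (constructed sample data)
    attrs: dict = field(default_factory=dict)


@dataclass
class AutomemberRule:
    group: str
    inclusive: list                                 # any match includes
    exclusive: list = field(default_factory=list)   # any match excludes, wins

    def matches(self, user: User) -> bool:
        def any_match(specs):
            for spec in specs:
                attr, regex = parse_inclusive_regex(spec)
                if any(regex.search(v) for v in user.attrs.get(attr, [])):
                    return True
            return False
        return any_match(self.inclusive) and not any_match(self.exclusive)


class Directory:
    """Toy directory: users plus automember-managed group membership."""

    def __init__(self, rules):
        self.rules = rules
        self.users = {}
        self.members = {r.group: set() for r in rules}

    def _evaluate(self, user):
        for rule in self.rules:
            if rule.matches(user):
                self.members[rule.group].add(user.uid)

    def add(self, user):
        # The plugin runs on ADD: the entry is judged exactly as created.
        self.users[user.uid] = user
        self._evaluate(user)

    def modify(self, uid, attr, value):
        # A later MODIFY does not re-run the rules (the thread's situation:
        # Job Title filled in only after the user already exists).
        self.users[uid].attrs.setdefault(attr.lower(), []).append(value)

    def rebuild(self):
        # What 'ipa automember-rebuild --type=group' does: re-run every rule
        # over the entries that already exist.
        for user in self.users.values():
            self._evaluate(user)


def demo():
    """Return dbausers membership before and after a rebuild."""
    rule = AutomemberRule("dbausers", ["title=(.*)((?i)(DBA))(.*)"])
    d = Directory([rule])
    d.add(User("alice", {"title": ["Sr. DBA Mgr"]}))     # title present at ADD
    d.add(User("bob"))                                    # created bare ...
    d.modify("bob", "title", "DBA II")                    # ... title set later
    d.add(User("carol", {"title": ["Release Manager"]}))  # never matches
    before = sorted(d.members["dbausers"])
    d.rebuild()
    after = sorted(d.members["dbausers"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("members at creation time:", before)   # ['alice']
    print("members after rebuild:   ", after)    # ['alice', 'bob']
```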
From rcritten at redhat.com Sat Aug 15 14:10:57 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 15 Aug 2015 10:10:57 -0400
Subject: [Freeipa-users] IPA User Group Auto membership
In-Reply-To:
References:
Message-ID: <55CF4871.50009@redhat.com>

Yogesh Sharma wrote:
> Team,
>
> We are having an issue in configuring Auto Membership for a Usergroup, i.e.
> whenever we add/update a user to IPA, it should get added to a group
> on the basis of his/her Job Title.
>
> Below is the rule:
>
> [root at ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
> Grouping Type: group
> ---------------
> 1 rules matched
> ---------------
>   Description: DBA Auto membership
>   Automember Rule: dbausers
>   Inclusive Regex: title=(.*)((?i)(DBA))(.*)
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root at ipa-inf-prd-ng2-02 ~]#
>
>
> We are setting Job Title as "Sr. DBA Mgr", "DBA II" etc. However, it is
> not working.
>
> We have tested the regex, and it seems to be working while testing it.

The rules only apply to new entries. In order to apply rules to existing entries run: ipa automember-rebuild --type=group

rob

From sipazzo at yahoo.com Sat Aug 15 15:16:34 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Sat, 15 Aug 2015 15:16:34 +0000 (UTC)
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
Message-ID: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com>

Hi, I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7 clients, Solaris 10 clients and a handful of Solaris 11 clients. I followed this guide in setting up the solaris clients:

3.8. Configuring a Solaris System as a FreeIPA Client
FreeIPA provides an example profile for configuring Solaris 10 as a FreeIPA client. This can be loaded using ldapclient and the init command:

[root at solaris ~]# ldapclient init ipa.example.com

(docs.fedoraproject.org)

and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user, whether given access or not, can login to the Solaris systems. The "allow-all" rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example, to try to resolve the issue. Am I missing some steps?

From yks0000 at gmail.com Sat Aug 15 15:22:06 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Sat, 15 Aug 2015 20:52:06 +0530
Subject: [Freeipa-users] IPA User Group Auto membership
In-Reply-To: <55CF4871.50009@redhat.com>
References: <55CF4871.50009@redhat.com>
Message-ID:

Hi Rob,

My concern was for new entries only.

-Yogesh Sharma

(Sent from my HTC)
On 15-Aug-2015 7:40 pm, "Rob Crittenden" wrote:
> Yogesh Sharma wrote:
>
>> Team,
>>
>> We are having an issue in configuring Auto Membership for a Usergroup, i.e.
>> whenever we add/update a user to IPA, it should get added to a group
>> on the basis of his/her Job Title.
>>
>> Below is the rule:
>>
>> [root at ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
>> Grouping Type: group
>> ---------------
>> 1 rules matched
>> ---------------
>>   Description: DBA Auto membership
>>   Automember Rule: dbausers
>>   Inclusive Regex: title=(.*)((?i)(DBA))(.*)
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>> [root at ipa-inf-prd-ng2-02 ~]#
>>
>>
>> We are setting Job Title as "Sr. DBA Mgr", "DBA II" etc. However, it is
>> not working.
>>
>> We have tested the regex, and it seems to be working while testing it.
>
> The rules only apply to new entries. In order to apply rules to existing
> entries run: ipa automember-rebuild --type=group
>
> rob

From rcritten at redhat.com Sat Aug 15 15:24:12 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 15 Aug 2015 11:24:12 -0400
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com>
References: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55CF599C.8010109@redhat.com>

sipazzo wrote:
> Hi, I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7
> clients, Solaris 10 clients and a handful of Solaris 11 clients. I
> followed this guide in setting up the solaris clients: 3.8. Configuring
> a Solaris System as a FreeIPA Client
>
> 3.8. Configuring a Solaris System as a FreeIPA Client
>
> FreeIPA provides an example profile for configuring Solaris 10 as a
> FreeIPA client. This can be loaded using ldapclient and the init
> command: [root at solaris ~]# ldapclient init ipa.example.com
>
> (docs.fedoraproject.org)
>
> and my users are able to authenticate to the directory but the hbac
> rules are not being applied. Any user, whether given access or not, can
> login to the Solaris systems. The "allow-all" rule has been disabled, my
> nsswitch.conf file looks good and I have tried different configs of
> pam.d, including the provided example, to try to resolve the issue. Am I
> missing some steps?

HBAC enforcement is provided by sssd so doesn't work in Solaris.

rob

From natxo.asenjo at gmail.com Sat Aug 15 17:05:34 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 15 Aug 2015 19:05:34 +0200
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To: <55CF599C.8010109@redhat.com>
References: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com> <55CF599C.8010109@redhat.com>
Message-ID:

On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
> sipazzo wrote:
>
>> and my users are able to authenticate to the directory but the hbac
>> rules are not being applied. Any user, whether given access or not, can
>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>> nsswitch.conf file looks good and I have tried different configs of
>> pam.d, including the provided example, to try to resolve the issue. Am I
>> missing some steps?
>
> HBAC enforcement is provided by sssd so doesn't work in Solaris.

one might try using solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is a RBAC ldap schema http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, but I have never tried using it with freeipa.

--
Regards,
natxo

From harvero at gmail.com Sat Aug 15 17:46:36 2015
From: harvero at gmail.com (Bob)
Date: Sat, 15 Aug 2015 13:46:36 -0400
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To:
References: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com> <55CF599C.8010109@redhat.com>
Message-ID:

For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote:
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
>
>> sipazzo wrote:
>>
>>> and my users are able to authenticate to the directory but the hbac
>>> rules are not being applied. Any user, whether given access or not, can
>>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>>> nsswitch.conf file looks good and I have tried different configs of
>>> pam.d, including the provided example, to try to resolve the issue. Am I
>>> missing some steps?
>>
>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>
> one might try using solaris' RBAC system:
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is a RBAC ldap schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
> solaris, but I have never tried using it with freeipa.
>
> --
> Regards,
> natxo

From yks0000 at gmail.com Sun Aug 16 06:18:14 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Sun, 16 Aug 2015 11:48:14 +0530
Subject: [Freeipa-users] IPA User Group Auto membership
In-Reply-To:
References: <55CF4871.50009@redhat.com>
Message-ID:

The same is working when I use userclass instead of title, because the option to set title is available only after creating the user, whereas we can set the userclass while creating the user from the UI.

*Best Regards,*
*__________________________________________*
*Yogesh Sharma*
*Email: yks0000 at gmail.com | Web: www.initd.in*
*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

On Sat, Aug 15, 2015 at 8:52 PM, Yogesh Sharma wrote:
> Hi Rob,
>
> My concern was for new entries only.
>
> -Yogesh Sharma
>
> (Sent from my HTC)
> On 15-Aug-2015 7:40 pm, "Rob Crittenden" wrote:
>
>> Yogesh Sharma wrote:
>>
>>> Team,
>>>
>>> We are having an issue in configuring Auto Membership for a Usergroup, i.e.
>>> whenever we add/update a user to IPA, it should get added to a group
>>> on the basis of his/her Job Title.
>>>
>>> Below is the rule:
>>>
>>> [root at ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
>>> Grouping Type: group
>>> ---------------
>>> 1 rules matched
>>> ---------------
>>>   Description: DBA Auto membership
>>>   Automember Rule: dbausers
>>>   Inclusive Regex: title=(.*)((?i)(DBA))(.*)
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> [root at ipa-inf-prd-ng2-02 ~]#
>>>
>>>
>>> We are setting Job Title as "Sr. DBA Mgr", "DBA II" etc. However, it is
>>> not working.
>>>
>>> We have tested the regex, and it seems to be working while testing it.
>>
>> The rules only apply to new entries. In order to apply rules to existing
>> entries run: ipa automember-rebuild --type=group
>>
>> rob

From jhrozek at redhat.com Sun Aug 16 16:09:16 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 16 Aug 2015 18:09:16 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To:
References: <20150811113955.GX3609@hendrix.redhat.com> <20150813110530.GF18390@hendrix.redhat.com>
Message-ID: <8F7BD718-6F38-4B4C-AA14-47C7CFCC45E9@redhat.com>

> On 13 Aug 2015, at 22:57, John Obaterspok wrote:
>
> Hi Seli,
>
> In /etc/sssd/sssd.conf add below:
> selinux_provider=none

Hmm, good idea. I forgot the version OP was using, but yet -- at one point we had a bug where the selinux_child would be invoked even if the context didn't change, which would be slow. We fixed that error since, but chances are Seli is still running the affected version.

> to the domain section. Then restart sssd.
> > -- john > > > 2015-08-13 16:23 GMT+02:00 seli irithyl : > Here's the sssd_domain log part during an ssh > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test] > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local] > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test]. > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test at BIOINF.LOCAL] to attributes of [test]. 
> (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local]. 
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): The group has 0 members > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): Group has 0 members > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Storing info for group test > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Processing group test > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Failed to get group sid > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default Trust View,cn=views,cn=accounts,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser: > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0 > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0 > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1 > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307 > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
[sdap_access_send] (0x0400): Performing access check for user [test] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [test] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using OpenLDAP deref > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local]. 
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'. 
> (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local] > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]. > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler] (0x0400): All data has been sent! > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [44309] finished successfully. 
> (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler] (0x0400): EOF received, client finished > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local] > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local] > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser: > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0 > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0 > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1 > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307 > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): 
Sending result [0][bioinf.local] > > why is there such message : Could not parse domain SID from [(null)] ? I thought SID was related to AD ? > Is it normal that: > some messages seems duplicated ? > SELinux user maps were not found ? > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test] > Looking in the UI, the "test" group does not exist > Moreover the "trust admins" and "ipausers" dont have GID > > Thanks for all > > On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek wrote: > On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote: > > In the logs, there is lots of warnings concerning pki tomcat server : > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP > > Server. > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting > > system-pki\x2dtomcatd.slice. > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice > > system-pki\x2dtomcatd.slice. > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server. > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat > > Server. > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server > > pki-tomcat... > > Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server > > pki-tomcat. 
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used: /usr/bin/java
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: org.apache.catalina.startup.Bootstrap
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djav
> > Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8080"]
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8443"]
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.Catalina load
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization processed in 995 ms
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardService startInternal
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service Catalina
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardEngine startInternal
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.HostConfig deployDescriptor
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> > Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Setting container
> > Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Initializing authenticators
> > Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Starting authenticators
> > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor
> > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 13,391 ms
> > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor
> > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.jasper.EmbeddedServletOptions
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir you specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is unusable.
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.HostConfig deployDescriptor
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 2,683 ms
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8080"]
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8443"]
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.Catalina start
> > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms
> >
> > May this be related to my slow login problem ?
>
> I don't think so. You really need to look into the sssd domain log, check what requests (getAccountInfo) take the longest.
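The advice quoted above (look in the sssd domain log and find which requests take the longest) can be scripted instead of read by eye. The following is an added example for this archive, not code posted in the thread or shipped with SSSD or FreeIPA. It parses back-end lines in the `(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [func] (0x0400): message` format quoted in this thread, pairs each "Got request" with the "Request processed" (account lookups) or "Sending result" (PAM commands) that closes it, and counts the `ldap_search_ext` calls and helper children in between. The embedded log is constructed for the example, modelled on the quoted one: its PAM_ACCT_MGMT request spans 15:22:32 to 15:22:34 while child [44309] runs, the same two-second gap the thread is chasing. The quoted log only resolves whole seconds; the regex also accepts a `:microseconds` suffix after the seconds, which is the format this example assumes `debug_microseconds = true` in sssd.conf produces.

```python
"""Time SSSD back-end requests in a sssd_<domain>.log (added example)."""
import re
from datetime import datetime

# One sssd 1.x back-end log line, as quoted in the thread. The optional
# ":dddddd" after the seconds is the microsecond suffix this example assumes
# debug_microseconds = true adds; without it the log resolves whole seconds.
LINE_RE = re.compile(
    r"^\((?P<stamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d)(?::(?P<usec>\d{6}))? (?P<year>\d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return {ts, func, msg} for a back-end log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    if m["usec"]:
        ts = ts.replace(microsecond=int(m["usec"]))
    return {"ts": ts, "func": m["func"], "msg": m["msg"]}


def _open(kind, name, ts):
    return {"kind": kind, "name": name, "start": ts, "ldap_searches": 0, "child_helpers": 0}


def time_requests(lines):
    """Walk the log once; return one record per completed back-end request.

    Simplification: requests are assumed not to overlap, which holds for a
    single interactive login (the case in the thread) but not for a busy host.
    """
    records, current = [], None
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        func, msg, ts = ev["func"], ev["msg"], ev["ts"]
        if func == "be_get_account_info" and msg.startswith("Got request for "):
            current = _open("acctinfo", msg[len("Got request for "):], ts)
        elif func == "be_pam_handler" and msg.startswith("Got request"):
            current = _open("pam", "PAM_?", ts)  # the command name follows on the next lines
        elif current is None:
            continue
        elif func == "pam_print_data" and msg.startswith("command: "):
            current["name"] = msg[len("command: "):]
        elif func == "sdap_get_generic_ext_step" and "calling ldap_search_ext" in msg:
            current["ldap_searches"] += 1
        elif func == "child_sig_handler":  # a helper such as selinux_child or krb5_child exited
            current["child_helpers"] += 1
        elif (func == "acctinfo_callback" and msg.startswith("Request processed")) or (
            func in ("be_pam_handler", "be_pam_handler_callback")
            and msg.startswith(("Sending result", "Sent result"))
        ):
            current["end"] = ts
            current["seconds"] = (ts - current["start"]).total_seconds()
            records.append(current)
            current = None
    return records


def slowest(records, n=3):
    """The n requests that took longest, slowest first."""
    return sorted(records, key=lambda r: r["seconds"], reverse=True)[:n]


# Constructed sample modelled on the thread's log (not a verbatim copy):
# one ssh login = user lookup, then PAM_ACCT_MGMT, then PAM_OPEN_SESSION.
SAMPLE_LOG = """\
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount))][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(cn=*)][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaOverrideAnchor)][cn=Default Trust View,cn=views,cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local].
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [44309] finished successfully.
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local]
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Sending result [0][bioinf.local]
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /var/log/sssd/sssd_bioinf.local.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for r in slowest(time_requests(lines)):
        print(f"{r['seconds']:5.1f}s  {r['kind']:8s} {r['name']:<22s} "
              f"ldap_searches={r['ldap_searches']} child_helpers={r['child_helpers']}")
```

Run it against the sample and the PAM_ACCT_MGMT record comes out on top with two LDAP searches and one helper child charged to it; run it against a real `sssd_<domain>.log` captured with `debug_level = 6` or higher and the same ranking shows whether the time goes to LDAP round trips (raise `ldap_searches`, look at the server) or to a helper process (the selinux_child case in this thread).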
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From seli.irithyl at gmail.com Mon Aug 17 07:57:00 2015
From: seli.irithyl at gmail.com (seli irithyl)
Date: Mon, 17 Aug 2015 09:57:00 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To: <8F7BD718-6F38-4B4C-AA14-47C7CFCC45E9@redhat.com>
References: <20150811113955.GX3609@hendrix.redhat.com> <20150813110530.GF18390@hendrix.redhat.com> <8F7BD718-6F38-4B4C-AA14-47C7CFCC45E9@redhat.com>
Message-ID:

Hi John, Jakub,

I added "selinux_provider = none" to the sssd.conf (as recommended by John) and then restarted the service .... and it seems to solve the problem (almost)!!! Logins are nearly as fast as when using local users.

What are the consequences of adding this line concerning security?

Jakub, you're talking about a bug; is there a patch to remove it, or do I have to wait for an sssd/ipa upgrade?

Maybe I'll try to understand why it is complaining "Could not parse domain SID from [(null)]" and looking for groups that do not exist in the ldap database.

Anyway, thanks a lot for your time and help!

seli

On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek wrote:
>
>
> > On 13 Aug 2015, at 22:57, John Obaterspok wrote:
> >
> > Hi Seli,
> >
> > In /etc/sssd/sssd.conf add below:
> > selinux_provider=none
>
> Hmm, good idea. I forgot the version OP was using, but yet -- at one point we had a bug where the selinux_child would be invoked even if the context didn't change which would be slow. We fixed that error since, but chances are Seli is still running the affected version.
>
> > to the domain section. Then restart sssd.
> >
> > -- john
> >
> >
> > 2015-08-13 16:23 GMT+02:00 seli irithyl :
> > Here's the sssd_domain log part during an ssh
> >
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test at BIOINF.LOCAL] to attributes of [test].
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Storing info for group test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Processing group test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default Trust View,cn=views,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser:
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_access_send] (0x0400): Performing access check for user [test]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [test]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using OpenLDAP deref
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler] (0x0400): All data has been sent!
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [44309] finished successfully.
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser:
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Sending result [0][bioinf.local]
> >
> > Why is there such a message: "Could not parse domain SID from [(null)]"? I thought SIDs were related to AD?
> > Is it normal that:
> > some messages seem duplicated?
> > SELinux user maps were not found?
> >
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test]
> > Looking in the UI, the "test" group does not exist.
> > Moreover the "trust admins" and "ipausers" groups don't have a GID.
> >
> > Thanks for all
> >
> > On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek wrote:
> > On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> > > In the logs, there are lots of warnings concerning the pki tomcat server:
> > >
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP Server.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting system-pki\x2dtomcatd.slice.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice system-pki\x2dtomcatd.slice.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat Server.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> > > Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used: /usr/bin/java
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: org.apache.catalina.startup.Bootstrap
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djav
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'strictCiphers' to 'true' did not find a matching property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching > > > property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'ssl2Ciphers' to > > > > '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'ssl3Ciphers' to > > > > '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'tlsCiphers' to > > > > 
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'serverCertNickFile' to > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' > > > did not find a matching property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not > find > > > a matching property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' > did > > > not find a matching property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching > > > property. 
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching > property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching > > > property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'sslRangeCiphers' to > > > > '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > > 'xmlValidation' to 'false' did not find a matching property. > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > > 'xmlNamespaceAware' to 'false' did not find a matching property. 
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.coyote.AbstractProtocol init > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > > ProtocolHandler ["http-bio-8080"] > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.coyote.AbstractProtocol init > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > > ProtocolHandler ["http-bio-8443"] > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.coyote.AbstractProtocol init > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.catalina.startup.Catalina load > > > Aug 13 09:51:59 
lead.bioinf.local server[5213]: INFO: Initialization > > > processed in 995 ms > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.catalina.core.StandardService startInternal > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service > > > Catalina > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.catalina.core.StandardEngine startInternal > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet > > > Engine: Apache Tomcat/7.0.54 > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying > > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: > > > SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: > > > SSLAuthenticatorWithFallback: Setting container > > > Aug 13 09:52:01 lead.bioinf.local server[5213]: > > > SSLAuthenticatorWithFallback: Initializing authenticators > > > Aug 13 09:52:01 lead.bioinf.local server[5213]: > > > SSLAuthenticatorWithFallback: Starting authenticators > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of > > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > has > > > finished in 13,391 ms > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying > > > configuration descriptor > /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 
2015 9:52:16 AM > > > org.apache.jasper.EmbeddedServletOptions > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir > you > > > specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is > unusable. > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of > > > configuration descriptor > /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has > > > finished in 2,683 ms > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > org.apache.coyote.AbstractProtocol start > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting > > > ProtocolHandler ["http-bio-8080"] > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > org.apache.coyote.AbstractProtocol start > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting > > > ProtocolHandler ["http-bio-8443"] > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > org.apache.coyote.AbstractProtocol start > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting > > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > org.apache.catalina.startup.Catalina start > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in > > > 17320 ms > > > > > > May this be related to my slow login problem ? > > > > I don't think so. You really need to look into the sssd domain log, > > check what requests (getAccountInfo) take the longest. > > > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
From jhrozek at redhat.com Mon Aug 17 08:29:26 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 17 Aug 2015 10:29:26 +0200
Subject: [Freeipa-users] IDM/ipa slow login
In-Reply-To:
References: <20150811113955.GX3609@hendrix.redhat.com> <20150813110530.GF18390@hendrix.redhat.com> <8F7BD718-6F38-4B4C-AA14-47C7CFCC45E9@redhat.com>
Message-ID: <20150817082926.GB10322@hendrix.arn.redhat.com>

On Mon, Aug 17, 2015 at 09:57:00AM +0200, seli irithyl wrote:
> Hi John, Jakub,
>
> I added "selinux_provider = none" to the sssd.conf (as recommended by John)
> and then restarted the service .... and it seems to solve the problem
> (almost)!!! John, thank you very much for suggesting this option.
> Logins are nearly as fast as when using local users.
> What are the consequences when I add this line, concerning security?

The SELinux usermap set on the IPA server would not be reflected on the IPA client.

> Jakub, you're talking about a bug; is there a patch to remove it or do I
> have to wait for an sssd/ipa upgrade?

I don't follow, there is a bug in the code, so yes, it needs to be fixed by an
SSSD update. The bug was fixed in 6.7 already:
https://bugzilla.redhat.com/show_bug.cgi?id=1211728
but in the RHEL-7 stream, it's so far only planned for 7.2:
https://bugzilla.redhat.com/show_bug.cgi?id=1210854
Feel free to raise the RHEL-7 bug with RH support if you need it released sooner.

> Maybe I'll try to understand why it is complaining "Could not parse domain
> SID from [(null)]" and looking for groups that do not exist in the ldap
> database.

That's fine, we should probably fix the debug message, but it's expected that
IPA users don't have a SID.

> Anyway, thanks a lot for your time and help!
>
>
> seli
>
> On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek wrote:
>
> >
> > > On 13 Aug 2015, at 22:57, John Obaterspok wrote:
> > >
> > > Hi Seli,
> > >
> > > In /etc/sssd/sssd.conf add below:
> > > selinux_provider=none
> >
> > Hmm, good idea. I forgot the version OP was using, but yet -- at one point
> > we had a bug where the selinux_child would be invoked even if the context
> > didn't change which would be slow. We fixed that error since, but chances
> > are Seli is still running the affected version.
> >
> > > to the domain section. Then restart sssd.
> > >
> > > -- john
> > >
> > >
> > > 2015-08-13 16:23 GMT+02:00 seli irithyl :
> > > Here's the sssd_domain log part during an ssh
> > >
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] > > (0x0400): Save user > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] > > [sdap_get_primary_name] (0x0400): Processing object test > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] > > (0x0400): Processing user test > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] > > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > domain SID from [(null)] > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] > > (0x0400): Adding original memberOf attributes to [test]. > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] > > (0x0400): Adding user principal [test at BIOINF.LOCAL] to attributes of > > [test]. > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] > > (0x0400): Storing info for user test > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] > > [sdap_get_primary_name] (0x0400): Processing object test > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] > > [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local]. 
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_primary_name] (0x0400): Processing object ipausers > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_primary_name] (0x0400): Processing object bioinfo > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > domain SID from [(null)] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_groups_next_base] (0x0400): Searching for groups with base > > [cn=accounts,dc=bioinf,dc=local] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > domain SID from [(null)] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_nested_group_recv] (0x0400): 0 users found in the hash table > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_primary_name] (0x0400): Processing object test > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] > > (0x0400): Processing group test > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > domain SID from [(null)] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_process_ghost_members] (0x0400): The group has 0 members > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_process_ghost_members] (0x0400): Group has 0 members > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] > > (0x0400): Storing info for group test > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_primary_name] (0x0400): Processing object test > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] > > (0x0400): Processing group test > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] > > (0x0400): Failed to get group sid > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] > > (0x0400): No members for group [test] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > 
[(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default > > Trust View,cn=views,cn=accounts,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), > > no errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] > > (0x0100): Request processed. Returned 0,0,Success > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] > > (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] > > (0x0100): Got request with the following data > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): command: PAM_ACCT_MGMT > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): domain: bioinf.local > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): user: test > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): service: sshd > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): tty: ssh > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): ruser: > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): rhost: copper.bioinf.local > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): authtok type: 0 > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): newauthtok type: 0 > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): priv: 1 > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): cli_pid: 44307 > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): logon name: not set 
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_access_send] > > (0x0400): Performing access check for user [test] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user > > [test] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_x_deref_search_send] (0x0400): Dereferencing entry > > [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using > > OpenLDAP deref > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no > > filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local]. 
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_x_deref_parse_entry] (0x0400): Got deref control > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_x_deref_parse_entry] (0x0400): All deref results from a single > > control parsed > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_hbac_service_info_next] (0x0400): Sending request for next search > > base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search > > base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local]. 
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: > > [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] > > (0x0200): Category is set to 'all'. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] > > (0x0200): Category is set to 'all'. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] > > (0x0200): Category is set to 'all'. 
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule > > [allow_all] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > > [Success] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with > > following parameters: > > [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local] > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]. > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > errmsg set > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] > > [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler] > > (0x0400): All data has been sent! > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] > > (0x0100): child [44309] finished successfully. 
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler] > > (0x0400): EOF received, client finished > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] > > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) > > [Success] > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] > > [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local] > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] > > [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local] > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] > > (0x0400): Changing request domain from [bioinf.local] to [bioinf.local] > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] > > (0x0100): Got request with the following data > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): command: PAM_OPEN_SESSION > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): domain: bioinf.local > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): user: test > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): service: sshd > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): tty: ssh > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): ruser: > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): rhost: copper.bioinf.local > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): authtok type: 0 > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): newauthtok type: 0 > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): priv: 1 > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): cli_pid: 44307 > > > (Thu Aug 13 15:22:34 2015) 
[sssd[be[bioinf.local]]] [pam_print_data] > > (0x0100): logon name: not set > > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] > > (0x0100): Sending result [0][bioinf.local] > > > > > > why is there such message : Could not parse domain SID from [(null)] ? I > > thought SID was related to AD ? > > > Is it normal that: > > > some messages seems duplicated ? > > > SELinux user maps were not found ? > > > > > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] > > (0x0400): No members for group [test] > > > Looking in the UI, the "test" group does not exist > > > Moreover the "trust admins" and "ipausers" dont have GID > > > > > > Thanks for all > > > > > > On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek > > wrote: > > > On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote: > > > > In the logs, there is lots of warnings concerning pki tomcat server : > > > > > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP > > > > Server. > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting > > > > system-pki\x2dtomcatd.slice. > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice > > > > system-pki\x2dtomcatd.slice. > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat > > Server. > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat > > > > Server. > > > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat > > Server > > > > pki-tomcat... > > > > Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server > > > > pki-tomcat. 
> > > > Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine > > used: > > > > /usr/bin/java > > > > Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used: > > > > > > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar > > > > Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: > > > > org.apache.catalina.startup.Bootstrap > > > > Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: > > > > -DRESTEASY_LIB=/usr/share/java/resteasy-base > > > > Aug 13 09:51:57 lead.bioinf.local server[5213]: options used: > > > > -Dcatalina.base=/var/lib/pki/pki-tomcat > > -Dcatalina.home=/usr/share/tomcat > > > > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp > > > > > > -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties > > > > -Djav > > > > Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'enableOCSP' to 'false' did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not > > find > > > > a matching property. 
> > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not > > find a > > > > matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ocspCacheSize' to '1000' did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ocspMinCacheEntryDuration' to '60' did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ocspTimeout' to '10' did not find a matching property. 
> > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'strictCiphers' to 'true' did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching > > > > property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ssl2Ciphers' to > > > > > > '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'ssl3Ciphers' to > > > > > > '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'tlsCiphers' to > > > > > > 
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'serverCertNickFile' to > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' > > > > did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not > > find > > > > a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' > > did > > > > not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching > > > > property. 
> > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching > > property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching > > > > property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > > 'sslRangeCiphers' to > > > > > > '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > > > 'xmlValidation' to 'false' did not find a matching property. > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM > > > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: > > > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > > > 'xmlNamespaceAware' to 'false' did not find a matching property. 
> > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > org.apache.coyote.AbstractProtocol init > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > > > ProtocolHandler ["http-bio-8080"] > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > org.apache.coyote.AbstractProtocol init > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > > > ProtocolHandler ["http-bio-8443"] > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher > > > > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > org.apache.coyote.AbstractProtocol init > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing > > > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > 
org.apache.catalina.startup.Catalina load > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization > > > > processed in 995 ms > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > org.apache.catalina.core.StandardService startInternal > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service > > > > Catalina > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > org.apache.catalina.core.StandardEngine startInternal > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet > > > > Engine: Apache Tomcat/7.0.54 > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM > > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying > > > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: > > > > SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback > > > > Aug 13 09:51:59 lead.bioinf.local server[5213]: > > > > SSLAuthenticatorWithFallback: Setting container > > > > Aug 13 09:52:01 lead.bioinf.local server[5213]: > > > > SSLAuthenticatorWithFallback: Initializing authenticators > > > > Aug 13 09:52:01 lead.bioinf.local server[5213]: > > > > SSLAuthenticatorWithFallback: Starting authenticators > > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM > > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of > > > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > > has > > > > finished in 13,391 ms > > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM > > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying > > > > 
configuration descriptor > > /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > > org.apache.jasper.EmbeddedServletOptions > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir > > you > > > > specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is > > unusable. > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > > org.apache.catalina.startup.HostConfig deployDescriptor > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of > > > > configuration descriptor > > /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has > > > > finished in 2,683 ms > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > > org.apache.coyote.AbstractProtocol start > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting > > > > ProtocolHandler ["http-bio-8080"] > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > > org.apache.coyote.AbstractProtocol start > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting > > > > ProtocolHandler ["http-bio-8443"] > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > > org.apache.coyote.AbstractProtocol start > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting > > > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM > > > > org.apache.catalina.startup.Catalina start > > > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in > > > > 17320 ms > > > > > > > > May this be related to my slow login problem ? > > > > > > I don't think so. You really need to look into the sssd domain log, > > > check what requests (getAccountInfo) take the longest. 
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project

From baghery.jone at gmail.com Mon Aug 17 10:32:03 2015
From: baghery.jone at gmail.com (alireza baghery)
Date: Mon, 17 Aug 2015 03:32:03 -0700
Subject: [Freeipa-users] not login users AD (2008R2 ) on linux
Message-ID:

Hi,
I installed CentOS 6.5 and IPA 3.0.0..37 and a trust with Windows 2008 R2. Everything was OK and AD users could log in on Linux, but I installed an IPA replica three weeks ago, and for two days AD users cannot log in on Linux, while IPA users can log in on Linux.

=== Error in /var/log/secure:
Aug 17 14:48:20 dwn1 sshd[51694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= rdpadmin_34.infotechpsp.net user=abagheri at infotechpsp.net
Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= rdpadmin_34.infotechpsp.net user=abagheri at infotechpsp.net
Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): received for user abagheri at infotechpsp.net: 4 (System error)
Aug 17 14:48:22 dwn1 sshd[51694]: Failed password for abagheri at infotechpsp.net from 172.26.26.34 port 51168 ssh2
=========
and the sssd configuration has not changed.

From linux at ramyallam.com Mon Aug 17 11:18:02 2015
From: linux at ramyallam.com (Ramy Allam)
Date: Mon, 17 Aug 2015 13:18:02 +0200
Subject: [Freeipa-users] ipa v4 on CentOS6
Message-ID:

Hello,

I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine, and need to set up ipa-4.1.0 on a CentOS 6 machine.

The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6, please?

The reason I need to set up ipa-client v4 on CentOS 6 is that client v3 doesn't support OTP authentication.
I tried to install ipa-client from source but it raises this error:

root at client [/usr/local/src/freeipa-4.1.4/ipa-client]# make install
Making install in ../asn1
make[1]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1'
Making install in asn1c
make[2]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[3]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[3]: Nothing to be done for `install-exec-am'.
/bin/mkdir -p '.'
/usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h '.'
/usr/bin/install: `Int32.h' and `./Int32.h' are the same file
/usr/bin/install: `GetKeytabControl.h' and `./GetKeytabControl.h' are the same file
/usr/bin/install: `GKNewKeys.h' and `./GKNewKeys.h' are the same file
/usr/bin/install: `GKCurrentKeys.h' and `./GKCurrentKeys.h' are the same file
/usr/bin/install: `GKReply.h' and `./GKReply.h' are the same file
/usr/bin/install: `KrbKey.h' and `./KrbKey.h' are the same file
/usr/bin/install: `TypeValuePair.h' and `./TypeValuePair.h' are the same file
make[3]: *** [install-IPAASN1HEADERS] Error 1
make[3]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[2]: *** [install-am] Error 2
make[2]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1'
make: *** [install-recursive] Error 1

Waiting for your kind reply.

Best Regards,

From abokovoy at redhat.com Mon Aug 17 11:37:32 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Aug 2015 14:37:32 +0300
Subject: [Freeipa-users] ipa v4 on CentOS6
In-Reply-To:
References:
Message-ID: <20150817113732.GO22106@redhat.com>

On Mon, 17 Aug 2015, Ramy Allam wrote:
>Hello,
>
>I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 machine.
>And need to setup ipa-4.1.0 on a CentOS 6 machine.
> >CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6 >please ? Nowhere. Read this thread: https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html >The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't >support OTP authentication. Regardless of IPA version, the lack of OTP authentication will not be fixed with a backport of IPA4. OTP authentication needs newer Kerberos library with changed ABI so it will not appear on RHEL6/CentOS6. Ideally you need newer SSSD which understands newer Kerberos API for pre-auth conversations and may be even more. This is definitely going outside of any sensible support scope, upstream or downstream. -- / Alexander Bokovoy From lslebodn at redhat.com Mon Aug 17 12:00:35 2015 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 17 Aug 2015 14:00:35 +0200 Subject: [Freeipa-users] ipa v4 on CentOS6 In-Reply-To: <20150817113732.GO22106@redhat.com> References: <20150817113732.GO22106@redhat.com> Message-ID: <20150817120035.GC31554@mail.corp.redhat.com> On (17/08/15 14:37), Alexander Bokovoy wrote: >On Mon, 17 Aug 2015, Ramy Allam wrote: >>Hello, >> >>I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 machine. >>And need to setup ipa-4.1.0 on a CentOS 6 machine. >> >>CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6 >>please ? >Nowhere. Read this thread: >https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html > >>The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't >>support OTP authentication. >Regardless of IPA version, the lack of OTP authentication will not be >fixed with a backport of IPA4. OTP authentication needs newer Kerberos >library with changed ABI so it will not appear on RHEL6/CentOS6. > >Ideally you need newer SSSD which understands newer Kerberos API for >pre-auth conversations and may be even more. 
This is definitely going >outside of any sensible support scope, upstream or downstream. > rhel6.7 already contains sufficient version of sssd sssd-1.12.4-4x.el6 It just does not contain separate prompting for password and token. https://fedorahosted.org/sssd/ticket/2335 I'm also not aware of dependency on special feature from libkrb5 on sssd side. At least, we do not detect it at compile time. SSSD is not a blocker for rhel6 client with ipa-server-4.1. LS From abokovoy at redhat.com Mon Aug 17 12:33:25 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 17 Aug 2015 15:33:25 +0300 Subject: [Freeipa-users] ipa v4 on CentOS6 In-Reply-To: <20150817120035.GC31554@mail.corp.redhat.com> References: <20150817113732.GO22106@redhat.com> <20150817120035.GC31554@mail.corp.redhat.com> Message-ID: <20150817123325.GP22106@redhat.com> On Mon, 17 Aug 2015, Lukas Slebodnik wrote: >On (17/08/15 14:37), Alexander Bokovoy wrote: >>On Mon, 17 Aug 2015, Ramy Allam wrote: >>>Hello, >>> >>>I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 machine. >>>And need to setup ipa-4.1.0 on a CentOS 6 machine. >>> >>>CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6 >>>please ? >>Nowhere. Read this thread: >>https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html >> >>>The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't >>>support OTP authentication. >>Regardless of IPA version, the lack of OTP authentication will not be >>fixed with a backport of IPA4. OTP authentication needs newer Kerberos >>library with changed ABI so it will not appear on RHEL6/CentOS6. >> >>Ideally you need newer SSSD which understands newer Kerberos API for >>pre-auth conversations and may be even more. This is definitely going >>outside of any sensible support scope, upstream or downstream. 
>> >rhel6.7 already contains sufficient version of sssd >sssd-1.12.4-4x.el6 > >It just does not contain separate prompting for password and token. >https://fedorahosted.org/sssd/ticket/2335 > >I'm also not aware of dependency on special feature from libkrb5 on sssd side. >At least, we do not detect it at compile time. > >SSSD is not a blocker for rhel6 client with ipa-server-4.1. See krb5_responder_otp_*(), the API is available in MIT Kerberos 1.11+ CentOS 6 has 1.10.3 at most, it doesn't have API needed for OTP conversations, I don't see it backported in 1.10.3-42.el6 either. I wonder how src/providers/krb5/krb5_child.c is compiled with the absence of these functions? -- / Alexander Bokovoy From linux at ramyallam.com Mon Aug 17 11:15:51 2015 From: linux at ramyallam.com (Ramy Allam) Date: Mon, 17 Aug 2015 13:15:51 +0200 Subject: [Freeipa-users] ipa v4 on CentOS6 Message-ID: Hello, I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 machine. And need to setup ipa-4.1.0 on a CentOS *6* machine. CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6 please ? The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't support OTP authentication. I tried to install ipa-client from source but it raises that error root at client [/usr/local/src/freeipa-4.1.4/ipa-client]# make install Making install in ../asn1 make[1]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1' Making install in asn1c make[2]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c' make[3]: Entering directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c' make[3]: Nothing to be done for `install-exec-am'. /bin/mkdir -p '.' /usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h '.' 
/usr/bin/install: `Int32.h' and `./Int32.h' are the same file
/usr/bin/install: `GetKeytabControl.h' and `./GetKeytabControl.h' are the same file
/usr/bin/install: `GKNewKeys.h' and `./GKNewKeys.h' are the same file
/usr/bin/install: `GKCurrentKeys.h' and `./GKCurrentKeys.h' are the same file
/usr/bin/install: `GKReply.h' and `./GKReply.h' are the same file
/usr/bin/install: `KrbKey.h' and `./KrbKey.h' are the same file
/usr/bin/install: `TypeValuePair.h' and `./TypeValuePair.h' are the same file
make[3]: *** [install-IPAASN1HEADERS] Error 1
make[3]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[2]: *** [install-am] Error 2
make[2]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1/asn1c'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/freeipa-4.1.4/asn1'
make: *** [install-recursive] Error 1

Waiting for your kind reply.

Best Regards,

From abokovoy at redhat.com Mon Aug 17 12:59:49 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Aug 2015 15:59:49 +0300
Subject: [Freeipa-users] ipa v4 on CentOS6
In-Reply-To: <20150817123325.GP22106@redhat.com>
References: <20150817113732.GO22106@redhat.com> <20150817120035.GC31554@mail.corp.redhat.com> <20150817123325.GP22106@redhat.com>
Message-ID: <20150817125949.GQ22106@redhat.com>

On Mon, 17 Aug 2015, Alexander Bokovoy wrote:
>On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
>>On (17/08/15 14:37), Alexander Bokovoy wrote:
>>>On Mon, 17 Aug 2015, Ramy Allam wrote:
>>>>Hello,
>>>>
>>>>I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 machine.
>>>>And need to setup ipa-4.1.0 on a CentOS 6 machine.
>>>>
>>>>CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6
>>>>please ?
>>>Nowhere.
Read this thread: >>>https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html >>> >>>>The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't >>>>support OTP authentication. >>>Regardless of IPA version, the lack of OTP authentication will not be >>>fixed with a backport of IPA4. OTP authentication needs newer Kerberos >>>library with changed ABI so it will not appear on RHEL6/CentOS6. >>> >>>Ideally you need newer SSSD which understands newer Kerberos API for >>>pre-auth conversations and may be even more. This is definitely going >>>outside of any sensible support scope, upstream or downstream. >>> >>rhel6.7 already contains sufficient version of sssd >>sssd-1.12.4-4x.el6 >> >>It just does not contain separate prompting for password and token. >>https://fedorahosted.org/sssd/ticket/2335 >> >>I'm also not aware of dependency on special feature from libkrb5 on sssd side. >>At least, we do not detect it at compile time. >> >>SSSD is not a blocker for rhel6 client with ipa-server-4.1. >See krb5_responder_otp_*(), the API is available in MIT Kerberos >1.11+ CentOS 6 has 1.10.3 at most, it doesn't have API needed for OTP >conversations, I don't see it backported in 1.10.3-42.el6 either. > >I wonder how src/providers/krb5/krb5_child.c is compiled with the >absence of these functions? We cleared this with Lukas -- the code has conditional checks for HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER which allow it being compiled against older libkrb5 at the cost of not supporting OTP conversations. Rebuilding newer libkrb5 for RHEL6 is something that would be left for those who want it to support. -- / Alexander Bokovoy From janellenicole80 at gmail.com Mon Aug 17 17:04:02 2015 From: janellenicole80 at gmail.com (Janelle) Date: Mon, 17 Aug 2015 10:04:02 -0700 Subject: [Freeipa-users] first time web UI access? 
In-Reply-To: <55CDEF17.5030801@gmail.com>
References: <55CDEF17.5030801@gmail.com>
Message-ID: <55D21402.4050807@gmail.com>

Hi,

Apparently no one has ever seen this? :-(

~J

On 8/14/15 6:37 AM, Janelle wrote:
> I am curious if anyone else ever sees a problem with first time IPA
> WEB UI access and the full screen not loading. It requires a reload
> sometimes once or twice to get it to load properly. Has anyone seen
> this before?
>
> thank you
> Janelle

From yoshi314 at gmail.com Mon Aug 17 17:54:42 2015
From: yoshi314 at gmail.com (marcin kowalski)
Date: Mon, 17 Aug 2015 19:54:42 +0200
Subject: [Freeipa-users] first time web UI access?
In-Reply-To: <55D21402.4050807@gmail.com>
References: <55CDEF17.5030801@gmail.com> <55D21402.4050807@gmail.com>
Message-ID:

I had issues on Fedora with the main screen crashing in various ways. Going into a specific subsystem directly works. There was no such problem when building the package on Debian and running it there, though.

2015-08-17 19:04 GMT+02:00 Janelle :
> Hi,
>
> Apparently no one has ever seen this? :-(
>
> ~J
>
>
> On 8/14/15 6:37 AM, Janelle wrote:
>
>> I am curious if anyone else ever sees a problem with first time IPA WEB
>> UI access and the full screen not loading. It requires a reload sometimes
>> once or twice to get it to load properly. Has anyone seen this before?
>>
>> thank you
>> Janelle
>>

From sipazzo at yahoo.com Mon Aug 17 18:22:01 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Mon, 17 Aug 2015 18:22:01 +0000 (UTC)
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To:
References:
Message-ID: <2131949818.6073068.1439835721811.JavaMail.yahoo@mail.yahoo.com>

Ok thanks all.
I will look into pam_list, integrating with the Solaris RBAC is probably beyond me as I am not that Solaris savvy and there is no documentation on using it with freeipa that I see. I tried using AllowGroups in sshd_config on Solaris to restrict access but it only seems to work with primary group membership. Is this expected? From reading documentation it should work with secondary/supplementary documentation as well. Let me know if you have found a way around that please. From: Bob To: Natxo Asenjo Cc: Freeipa-users Sent: Saturday, August 15, 2015 10:46 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allow netgroups to be listed in a user.allow file. On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems. The "allow-all" rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example to try to resolve the issue. Am I missing some steps? HBAC enforcement is provided by sssd so doesn't work in Solaris. one might try using solaris' RBAC system: http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html You would have to distribute your changes to all solaris systems. There is a RBAC ldap schema http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, but I have never tried using it with freeipa. 
> --
> Groeten,
> natxo
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Mon Aug 17 19:04:30 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 17 Aug 2015 21:04:30 +0200
Subject: [Freeipa-users] not login users AD (2008R2 ) on linux
In-Reply-To:
References:
Message-ID: <20150817190430.GC2938@hendrix.redhat.com>

On Mon, Aug 17, 2015 at 03:32:03AM -0700, alireza baghery wrote:
> hi
> i install CentOS 6.5 and IPA 3.0.0..37

centos 6.5 is quite old, 6.7 was released just some time ago. Please upgrade.

> and Trust with Windows 2008 R2

I would also suggest to go with a RHEL-7 based server..

> everything OK and user AD Login on Linux
> but i install replicator ipa three weeks ago
> and two days User AD can not login on Linux
> but User IPA can Login on Linux
> ===Error on '/var/log/secure
>
> Aug 17 14:48:20 dwn1 sshd[51694]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> rdpadmin_34.infotechpsp.net user=abagheri at infotechpsp.net
> Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> rdpadmin_34.infotechpsp.net user=abagheri at infotechpsp.net
> Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): received for user
> abagheri at infotechpsp.net: 4 (System error)
> Aug 17 14:48:22 dwn1 sshd[51694]: Failed password for
> abagheri at infotechpsp.net from 172.26.26.34 port 51168 ssh2
> =========
> and configure sssd not change

Please follow:
https://fedorahosted.org/sssd/wiki/Troubleshooting

From orion at cora.nwra.com Mon Aug 17 21:09:57 2015
From: orion at cora.nwra.com (Orion Poplawski)
Date: Mon, 17 Aug 2015 15:09:57 -0600
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To:
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com> <552DF829.4060209@redhat.com> <55310A2A.9060701@redhat.com> <553885CB.3090505@redhat.com>
Message-ID: <55D24DA5.6020108@cora.nwra.com>

On 08/06/2015 04:10 PM, David Dejaeghere wrote:
> Hello Guys,
>
> I was able to resolve this today.
> My webserver and dirsrv certificate were expired yesterday and trying to
> replace them gave me the same error "ERROR: (SEC_ERROR_LIBRARY_FAILURE)
> security library failure."
> So I tried some things to resolve this.
> The trick was to replace /etc/ipa/ca.crt with the godaddy file "gdig2" which
> only has 1 certificate. This file you can get while downloading your
> certificate from godaddy. Then I had to add the bundle from godaddy, file
> gd_bundle-g2-g1 into my server cert.
> This made both the command ipa-server-certinstall and ipa-replica-prepare
> finish as expected!
>
> Hope this helps. I saw somebody else with a very similar issue.
>
> Kind Regards,
>
> D

Yeah, the source of this issue appears to be a wrong /etc/ipa/ca.crt created during ipa-server-install. I was able to work around it with:

ipa-certupdate

Which wrote out a correct /etc/ipa/ca.crt.
See https://fedorahosted.org/freeipa/ticket/5117#comment:16

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

From gjn at gjn.priv.at Tue Aug 18 11:02:49 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Tue, 18 Aug 2015 13:02:49 +0200
Subject: [Freeipa-users] FreeIPA certificate for Outlook
Message-ID: <4120373.qUfmRXBAUy@techz>

Hello,

is it possible to export a CA / certificate for a windows client "outlook"?

When yes, can anyone tell me the correct file?

Thanks for an answer
--
mit freundlichen Grüssen / best regards,

Günther J. Niederwimmer

From mbasti at redhat.com Tue Aug 18 11:51:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 18 Aug 2015 13:51:13 +0200
Subject: [Freeipa-users] FreeIPA certificate for Outlook
In-Reply-To: <4120373.qUfmRXBAUy@techz>
References: <4120373.qUfmRXBAUy@techz>
Message-ID: <55D31C31.2090600@redhat.com>

On 08/18/2015 01:02 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> is it possible to export a CA / certificate for a windows client "outlook"
>
> when yes, can anyone tell me the correct file?
>
> Thanks for an answer
>
> --
> mit freundlichen Grüssen / best regards,
>
> Günther J. Niederwimmer

Hi,

IPA CA certificate is located here /etc/ipa/ca.crt on server

HTH
Martin
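What /etc/ipa/ca.crt actually contains is the question in both the ipa-replica-prepare thread above (a wrong ca.crt written at install time, repaired with ipa-certupdate) and this Outlook thread (which file to hand to a Windows client). The following Python script is an added example, not code from the list, from FreeIPA or from the ticket; it needs only the standard library and reports how many certificates a PEM bundle holds and their SHA-256 fingerprints, so the file on disk can be compared with the copy the server publishes at /ipa/config/ca.crt (the URL given later in this thread) before it is imported anywhere. The sample bundle embedded in it is constructed from arbitrary bytes, not real certificates, and the expectation of exactly one certificate in ca.crt is an assumption taken from David's description above.

```python
"""Inspect a PEM certificate bundle such as /etc/ipa/ca.crt.

Added example for this thread; it is not FreeIPA code. It splits the file
into PEM blocks, decodes each to DER and reports the SHA-256 fingerprint,
which is the value to compare with the CA certificate the server publishes
at /ipa/config/ca.crt or with `certutil -L` output on the server.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in `text`.

    Whitespace inside the base64 body (including CRLF line endings from a
    file that passed through a Windows editor) is stripped before decoding.
    Text outside the BEGIN/END markers, such as the "Bag Attributes"
    header openssl writes when exporting from PKCS#12, is ignored.
    """
    ders = []
    for body in PEM_BLOCK.findall(text):
        b64 = re.sub(r"\s+", "", body)
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprints(text):
    """SHA-256 fingerprint (upper-case hex, colon-separated) per certificate.

    A certificate fingerprint is the hash of its DER encoding, so this
    matches what `openssl x509 -noout -fingerprint -sha256` prints.
    """
    out = []
    for der in split_pem_certs(text):
        digest = hashlib.sha256(der).hexdigest().upper()
        out.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return out


def check_ca_file(text, expected_count=1):
    """True if `text` holds exactly `expected_count` certificates.

    In this thread the working /etc/ipa/ca.crt held a single CA certificate
    and the intermediate bundle belonged with the server certificate, so
    the default expects exactly one (an assumption, not a FreeIPA rule).
    """
    return len(split_pem_certs(text)) == expected_count


# Constructed sample: two PEM-framed blocks whose bodies are arbitrary bytes,
# not real X.509 certificates. Enough to exercise the parser offline.
SAMPLE_BUNDLE = (
    "Bag Attributes: <stray header text openssl may emit>\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(b"constructed-sample-ca-1").decode() + "\r\n"
    "-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-sample-ca-2").decode() + "\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # On a server you would read the real file instead:
    #   text = open("/etc/ipa/ca.crt").read()
    for fp in fingerprints(SAMPLE_BUNDLE):
        print(fp)
    print("single CA certificate:", check_ca_file(SAMPLE_BUNDLE))
```

Run it against /etc/ipa/ca.crt on the server and against a copy fetched from http://ipa.server.name/ipa/config/ca.crt; if the fingerprints differ, or the file holds more than the one CA certificate you expect, that is the mismatch this thread describes, and ipa-certupdate is the supported way to rewrite the file.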
From simo at redhat.com Tue Aug 18 12:52:28 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Aug 2015 08:52:28 -0400
Subject: [Freeipa-users] FreeIPA certificate for Outlook
In-Reply-To: <55D31C31.2090600@redhat.com>
References: <4120373.qUfmRXBAUy@techz> <55D31C31.2090600@redhat.com>
Message-ID: <1439902348.2990.23.camel@willson.usersys.redhat.com>

On Tue, 2015-08-18 at 13:51 +0200, Martin Basti wrote:
> On 08/18/2015 01:02 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> is it possible to export a CA / certificate for a windows client "outlook"
>>
>> when yes, can anyone tell me the correct file?
>>
>> Thanks for an answer
>>
>> --
>> mit freundlichen Grüssen / best regards,
>>
>> Günther J. Niederwimmer
>
> Hi,
>
> IPA CA certificate is located here /etc/ipa/ca.crt on server

It is also available from http[s]://ipa.server.name/ipa/config/ca.crt

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com Tue Aug 18 18:26:47 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Aug 2015 20:26:47 +0200
Subject: [Freeipa-users] migrating openldap 2
In-Reply-To:
References:
Message-ID: <55D378E7.3070403@redhat.com>

On 08/07/2015 03:25 PM, Marcelo Roccasalva wrote:
> Hi,
>
> I need to migrate an ldap tree from openldap 2 (including qmail schema). Which
> would be the shortest path?

I see there was no reply to the mail. I would suggest including more details about what you are trying to achieve. FreeIPA does not handle GMail schema natively, so if you just want to dump the data there for some reason, you can use the standard LDIF export and import commands.
From mkosek at redhat.com Tue Aug 18 18:39:26 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Aug 2015 20:39:26 +0200
Subject: [Freeipa-users] Sudden replication failure
In-Reply-To: <55C9040B.4010502@mail.sdsu.edu>
References: <55C9040B.4010502@mail.sdsu.edu>
Message-ID: <55D37BDE.6050901@redhat.com>

On 08/10/2015 10:05 PM, Burke Rosen wrote:
> Hello,
>
> I'm running two replicated freeIPA servers. One of them spontaneously failed.
> After taking the misbehaving server down, the remaining replicant handled
> everything fine. I restored the system to its original working state by
> uninstalling ipa-server from the non-functional server and re-replicating from
> the working server. All is well, but I am trying to figure out what might have
> caused the problem in the first place. Below are the first few (presumably)
> relevant lines of the error log. Can someone help me interpret them?
>
> Thank you,
>
> -Burke Rosen

This line is interesting:

> [08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file
> ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication.
> This server: "20100614120000" remote server: "(null)".

But I wonder how it is possible this was triggered, we did not bump the data version in the IPA Replica version plugin since 2010 as you can see. So for some reason, it seems that the version was not passed correctly when the connection between replicas was being established.

I guess we will not find out the root cause, given you successfully rebuilt the server. I am still CCing Ludwig and Thierry for reference.
From mkosek at redhat.com Tue Aug 18 18:45:41 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Aug 2015 20:45:41 +0200
Subject: [Freeipa-users] time restricted access
In-Reply-To: <55CCB3BF.9020802@redhat.com>
References: <55CCB3BF.9020802@redhat.com>
Message-ID: <55D37D55.2030608@redhat.com>

On 08/13/2015 05:11 PM, David Kupka wrote:
> On 13/08/15 17:01, Marcelo Roccasalva wrote:
>> Hello,
>>
>> I've installed freeIPA 4.1.0 under CentOS 7 and I need to restrict
>> authentication to one or more time ranges but I failed to find such a
>> configuration...
>>
>> TIA
>
> Hello,
> you're probably looking for "Time-Based Account Policies". This is currently
> WIP, you can find more on freeipa-devel list.

Yup. If you just want to subscribe and wait for results, you can add yourself to CC in
https://fedorahosted.org/freeipa/ticket/547

Martin

From peterwood.sd at gmail.com Tue Aug 18 18:47:16 2015
From: peterwood.sd at gmail.com (Wood Peter)
Date: Tue, 18 Aug 2015 11:47:16 -0700
Subject: [Freeipa-users] Different shell for different systems
Message-ID:

Is it possible to set up a different user shell for different systems?

I want users to have /bin/bash on all systems but I'd like them to get /usr/bin/git-shell on some systems that serve git repositories.

Any idea how to achieve that?

Thank you,

-- Peter

From mkosek at redhat.com Tue Aug 18 19:02:14 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Aug 2015 21:02:14 +0200
Subject: [Freeipa-users] ipa v4 on CentOS6
In-Reply-To:
References:
Message-ID: <55D38136.3040205@redhat.com>

On 08/17/2015 01:15 PM, Ramy Allam wrote:
> Hello,
>
> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine. And
> need to setup ipa-4.1.0 on a CentOS *6* machine.
>
> CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6 please ?
>
> The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't support
> OTP authentication.

Hello,

We do not plan backporting FreeIPA 4.0+ to CentOS-6, there are simply too many dependencies that are not there. Running purely on CentOS-7.1 looks like the least painful way to me. You can still of course have clients (SSSD) on CentOS-6.

Jakub, can you please remind me what the limitations are with regards to SSSD&OTP on RHEL-6? Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 will not be possible of course, that's expected.

From mkosek at redhat.com Tue Aug 18 19:05:14 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 18 Aug 2015 21:05:14 +0200
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To:
References: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com> <55CF599C.8010109@redhat.com>
Message-ID: <55D381EA.8040806@redhat.com>

On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
>> sipazzo wrote:
>>> and my users are able to authenticate to the directory but the hbac
>>> rules are not being applied. Any user whether given access or not can
>>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>>> nsswitch.conf file looks good and I have tried different configs of
>>> pam.d, including the provided example to try to resolve the issue. Am I
>>> missing some steps?
>>
>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>
> one might try using solaris' RBAC system:
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is a RBAC ldap schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris,
> but I have never tried using it with freeipa.
>
> --
> Groeten,
> natxo

Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
https://github.com/jhrozek/pam_hbac
:-)

Martin

From dkupka at redhat.com Tue Aug 18 19:06:16 2015
From: dkupka at redhat.com (David Kupka)
Date: Tue, 18 Aug 2015 21:06:16 +0200
Subject: [Freeipa-users] Different shell for different systems
In-Reply-To:
References:
Message-ID: <55D38228.3030804@redhat.com>

On 18/08/15 20:47, Wood Peter wrote:
> Is it possible to setup different user shell for different systems?
>
> I want users to have /bin/bash on all systems but I'd like them to get
> /usr/bin/git-shell on some systems that serve git repositories.
>
> Any idea how to achieve that?
>
> Thank you,
>
> -- Peter

Hello,
I think that it should be possible with ID View (http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views) but I'm not familiar with it.

--
David Kupka

From yks0000 at gmail.com Tue Aug 18 19:14:24 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Wed, 19 Aug 2015 00:44:24 +0530
Subject: [Freeipa-users] Public Key Authentication Failing
Message-ID:

Team.

We are using public key authentication instead of password. It was working fine but a day later it has stopped working. The same key is working if I change the username.

For eg:

Initially we created a user - ipa1 with ssh public key, but after some time it has stopped working; now the same key is working if we create an ipa2 user, but with the ipa1 user it fails to accept the keys.

Below are ssh logs of the failed attempt:

root at yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa vg4381 at 172.16.32.24 -vv
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: setup hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1554/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15
debug1: Host '172.16.32.24' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2258
debug2: bits set: 1553/3072
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

From yks0000 at gmail.com Tue Aug 18 19:53:37 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Wed, 19 Aug 2015 01:23:37 +0530
Subject: [Freeipa-users] Public Key Authentication Failing
In-Reply-To:
References:
Message-ID:

The majority of the sssd logs are filled with the below error:

(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma wrote:
> Team.
>
> We are using public key authentication instead of password. It was working
> fine but a day later it has stopped working. The same key is working
> if I change the username.
> > For eg: > > Initially we created a user - ipa1 with ssh public key, but after sometime > it has stopped working, now the same key is working if we create ipa2 user > but with ipa1 user it fail to accept the keys. > > > > Below are ssh logs of failed attempt: > > root at yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa > vg4381 at 172.16.32.24 -vv > OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 19: Applying options for * > debug2: ssh_connect: needpriv 0 > debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22. > debug1: Connection established. > debug1: permanently_set_uid: 0/0 > debug1: identity file /root/.ssh/id_rsa type 1 > debug1: identity file /root/.ssh/id_rsa-cert type -1 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2 > debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 > debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000 > debug2: fd 3 setting O_NONBLOCK > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org > ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com, > ssh-rsa-cert-v00 at openssh.com,ssh-rsa, > ecdsa-sha2-nistp256-cert-v01 at openssh.com, > ecdsa-sha2-nistp384-cert-v01 at openssh.com, > ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com, > ssh-dss-cert-v01 at openssh.com,ssh-dss-cert-v00 at openssh.com > ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, > aes128-gcm at openssh.com,aes256-gcm at openssh.com, > chacha20-poly1305 
at openssh.com > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, > rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, > aes128-gcm at openssh.com,aes256-gcm at openssh.com, > chacha20-poly1305 at openssh.com > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, > rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com, > hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com > ,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com, > hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com, > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com, > umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, > hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com, > hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com > ,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com, > hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com, > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com, > umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, > hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, > rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, > rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com > ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com > ,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com > ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com > ,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: setup hmac-md5 > debug1: kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: setup hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug2: bits set: 1554/3072 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Server host key: RSA > 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15 > debug1: Host '172.16.32.24' is known and matches the RSA host key. 
> debug1: Found key in /root/.ssh/known_hosts:2258 > debug2: bits set: 1553/3072 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug2: we did not send a packet, disable method > debug1: Next authentication method: gssapi-with-mic > debug1: Unspecified GSS failure. Minor code may provide more information > No Kerberos credentials available > > debug1: Unspecified GSS failure. Minor code may provide more information > No Kerberos credentials available > > debug1: Unspecified GSS failure. Minor code may provide more information > > > debug1: Unspecified GSS failure. Minor code may provide more information > No Kerberos credentials available > > debug2: we did not send a packet, disable method > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /root/.ssh/id_rsa > debug2: we sent a publickey packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug2: we did not send a packet, disable method > debug1: Next authentication method: password > > *Best Regards,* > > *__________________________________________* > > *Yogesh Sharma* > *Email: yks0000 at gmail.com | Web: www.initd.in > * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
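The transcript above shows the client offering /root/.ssh/id_rsa and the server answering only with a fresh "Authentications that can continue" list, which is how OpenSSH refuses a key: a key the server is willing to take produces a "Server accepts key" line first. The following Python script is an added example, not code from the list, from FreeIPA, OpenSSH or SSSD; it extracts that verdict from an `ssh -vv` transcript together with the negotiated algorithms, which the posted log also reveals (hmac-md5 was chosen). The sample input is a constructed excerpt modelled on the log above, and the suggestion to run sss_ssh_authorizedkeys on the server refers to the standard SSSD helper an IPA-enrolled sshd uses to look up keys, which the thread itself does not mention.

```python
"""Classify the outcome of an `ssh -vv` client debug transcript.

Added example for the public-key thread above; not FreeIPA, OpenSSH or
SSSD code. It records what was negotiated and whether each offered key was
accepted. OpenSSH prints "Server accepts key" when the server is willing to
take a key; otherwise it just repeats "Authentications that can continue"
and the client moves on to the next method.
"""
import re

RE_REMOTE = re.compile(r"remote software version (\S+)")
RE_KEX = re.compile(r"kex: server->client (\S+) (\S+) (\S+)")
RE_HOSTKEY = re.compile(r"Server host key: (\S+) (\S+)")
RE_OFFER = re.compile(r"Offering (?:\S+ )?public key: (\S+)")
RE_ACCEPT = re.compile(r"Server accepts key")
RE_CONTINUE = re.compile(r"Authentications that can continue: (\S+)")
RE_METHOD = re.compile(r"Next authentication method: (\S+)")

# Algorithms a reviewer would flag if they appear in the negotiated set.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc"}


def parse_ssh_debug(lines):
    """Return a summary dict for one connection attempt."""
    info = {
        "remote_version": None, "cipher": None, "mac": None,
        "host_key": None, "methods": [], "offered": [],
        "accepted": [], "rejected": [], "final_method": None,
    }
    pending = None  # key offered and not yet answered by the server
    for line in lines:
        m = RE_REMOTE.search(line)
        if m:
            info["remote_version"] = m.group(1)
            continue
        m = RE_KEX.search(line)
        if m:
            info["cipher"], info["mac"] = m.group(1), m.group(2)
            continue
        m = RE_HOSTKEY.search(line)
        if m:
            info["host_key"] = (m.group(1), m.group(2))
            continue
        m = RE_OFFER.search(line)
        if m:
            pending = m.group(1)
            info["offered"].append(pending)
            continue
        if RE_ACCEPT.search(line) and pending:
            info["accepted"].append(pending)
            pending = None
            continue
        m = RE_CONTINUE.search(line)
        if m:
            info["methods"] = m.group(1).split(",")
            if pending:  # a new method list in reply to the offer: refused
                info["rejected"].append(pending)
                pending = None
            continue
        m = RE_METHOD.search(line)
        if m:
            info["final_method"] = m.group(1)
    return info


def diagnose(info):
    """Turn the summary into the findings a reviewer would report."""
    findings = []
    if info["rejected"] and not info["accepted"]:
        findings.append(
            "publickey refused for %s; check what the server actually sees "
            "for the user (on an IPA client: sss_ssh_authorizedkeys <user>) "
            "before touching the client" % ", ".join(info["rejected"]))
    if info["final_method"] == "password":
        findings.append("client fell back to password authentication")
    if info["mac"] in WEAK_MACS:
        findings.append("weak MAC negotiated: %s" % info["mac"])
    if info["cipher"] in WEAK_CIPHERS:
        findings.append("weak cipher negotiated: %s" % info["cipher"])
    return findings


# Constructed excerpt modelled on the transcript posted in this thread.
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: Server host key: RSA 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(parse_ssh_debug(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the full `ssh -vv` output (`ssh -vv host 2>&1 | python3 this.py` once you replace SAMPLE_LOG with sys.stdin); a refused key with no "Server accepts key" line points at the server side (what sshd's AuthorizedKeysCommand returns for that user, and the sssd log for the lookup), not at the client's key file.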
From janellenicole80 at gmail.com Tue Aug 18 20:41:40 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 18 Aug 2015 13:41:40 -0700
Subject: [Freeipa-users] freeipa on http?
Message-ID: <55D39884.9060102@gmail.com>

Hi,

Is there a way to force freeipa web server to accept http requests and not redirect to https? Reason is simple - offloading SSL to a load balancer on the front end. (this is for web only, not the LDAP or Kerberos)

Thank you
~J

From rcritten at redhat.com Tue Aug 18 20:55:29 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 18 Aug 2015 16:55:29 -0400
Subject: [Freeipa-users] freeipa on http?
In-Reply-To: <55D39884.9060102@gmail.com>
References: <55D39884.9060102@gmail.com>
Message-ID: <55D39BC1.4070905@redhat.com>

Janelle wrote:
> Hi,
>
> Is there a way to force freeipa web server to accept http requests and
> not redirect to https? Reason is simple - offloading SSL to a load
> balancer on the front end. (this is for web only, not the LDAP or Kerberos)
>
> Thank you
> ~J

You could try disabling the rewrite rules to do this in /etc/httpd/conf.d/ipa-rewrite.conf.

rob

From janellenicole80 at gmail.com Tue Aug 18 21:58:50 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 18 Aug 2015 14:58:50 -0700
Subject: [Freeipa-users] freeipa on http?
In-Reply-To: <55D39BC1.4070905@redhat.com>
References: <55D39884.9060102@gmail.com> <55D39BC1.4070905@redhat.com>
Message-ID: <55D3AA9A.1050303@gmail.com>

Tried that -- but it gives a blank screen. I will try playing with it some more. At least I know we are thinking in the same ballpark.

Thank you
~J

On 8/18/15 1:55 PM, Rob Crittenden wrote:
> Janelle wrote:
>> Hi,
>>
>> Is there a way to force freeipa web server to accept http requests and
>> not redirect to https? Reason is simple - offloading SSL to a load
>> balancer on the front end. (this is for web only, not the LDAP or
>> Kerberos)
>>
>> Thank you
>> ~J
>
> You could try disabling the rewrite rules to do this in
> /etc/httpd/conf.d/ipa-rewrite.conf.
>
> rob

From simo at redhat.com Tue Aug 18 22:01:50 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Aug 2015 18:01:50 -0400
Subject: [Freeipa-users] freeipa on http?
In-Reply-To: <55D3AA9A.1050303@gmail.com>
References: <55D39884.9060102@gmail.com> <55D39BC1.4070905@redhat.com> <55D3AA9A.1050303@gmail.com>
Message-ID: <1439935310.2990.43.camel@willson.usersys.redhat.com>

The load balancer would have to have the exact same name (for the clients) as the IPA server, which may be challenging depending on the network configuration you have.

On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
> Tried that -- but it gives a blank screen. I will try playing with it
> some more. At least I know we are thinking in the same ballpark
> Thank you
> ~J
>
> On 8/18/15 1:55 PM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hi,
>>>
>>> Is there a way to force freeipa web server to accept http requests and
>>> not redirect to https? Reason is simple - offloading SSL to a load
>>> balancer on the front end. (this is for web only, not the LDAP or
>>> Kerberos)
>>>
>>> Thank you
>>> ~J
>>
>> You could try disabling the rewrite rules to do this in
>> /etc/httpd/conf.d/ipa-rewrite.conf.
>>
>> rob

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Aug 18 22:02:22 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Aug 2015 18:02:22 -0400
Subject: [Freeipa-users] freeipa on http?
In-Reply-To: <1439935310.2990.43.camel@willson.usersys.redhat.com>
References: <55D39884.9060102@gmail.com> <55D39BC1.4070905@redhat.com> <55D3AA9A.1050303@gmail.com> <1439935310.2990.43.camel@willson.usersys.redhat.com>
Message-ID: <1439935342.2990.44.camel@willson.usersys.redhat.com>

On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
> The load balancer would have to have the exact same name (for the
> clients) as the IPA server, which may be challenging depending on the
> network configuration you have.

More on that issue here:
http://ssimo.org/blog/id_019.html

> On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
>> Tried that -- but it gives a blank screen. I will try playing with it
>> some more. At least I know we are thinking in the same ballpark
>> Thank you
>> ~J
>>
>> On 8/18/15 1:55 PM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> Hi,
>>>>
>>>> Is there a way to force freeipa web server to accept http requests and
>>>> not redirect to https? Reason is simple - offloading SSL to a load
>>>> balancer on the front end. (this is for web only, not the LDAP or
>>>> Kerberos)
>>>>
>>>> Thank you
>>>> ~J
>>>
>>> You could try disabling the rewrite rules to do this in
>>> /etc/httpd/conf.d/ipa-rewrite.conf.
>>>
>>> rob
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York

From peterwood.sd at gmail.com Tue Aug 18 23:35:44 2015
From: peterwood.sd at gmail.com (Peter Wood)
Date: Tue, 18 Aug 2015 16:35:44 -0700
Subject: [Freeipa-users] Different shell for different systems
In-Reply-To: <55D38228.3030804@redhat.com>
References: <55D38228.3030804@redhat.com>
Message-ID:

Exactly what I needed. Thank you David.

On Tue, Aug 18, 2015 at 12:06 PM, David Kupka wrote:
> On 18/08/15 20:47, Wood Peter wrote:
>> Is it possible to setup different user shell for different systems?
>>
>> I want users to have /bin/bash on all systems but I'd like them to get
>> /usr/bin/git-shell on some systems that serve git repositories.
>>
>> Any idea how to achieve that?
>>
>> Thank you,
>>
>> -- Peter
>
> Hello,
> I think that it should be possible with ID View (
> http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views)
> but I'm not familiar with it.
>
> --
> David Kupka

From janellenicole80 at gmail.com Wed Aug 19 00:44:22 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 18 Aug 2015 17:44:22 -0700
Subject: [Freeipa-users] freeipa on http?
In-Reply-To: <1439935342.2990.44.camel@willson.usersys.redhat.com>
References: <55D39884.9060102@gmail.com> <55D39BC1.4070905@redhat.com> <55D3AA9A.1050303@gmail.com> <1439935310.2990.43.camel@willson.usersys.redhat.com> <1439935342.2990.44.camel@willson.usersys.redhat.com>
Message-ID: <55D3D166.40208@gmail.com>

Simo,

I read your blog some time ago and do like it. However in this case, this is only for HTTPS, not kerberos, so the names do not have to match. It is for users managing accounts across any number of hosts.

But thank you.
~J

On 8/18/15 3:02 PM, Simo Sorce wrote:
> On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
>> The load balancer would have to have the exact same name (for the
>> clients) as the IPA server, which may be challenging depending on the
>> network configuration you have.
> More on that issue here:
> http://ssimo.org/blog/id_019.html
>
>> On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
>>> Tried that -- but it gives a blank screen. I will try playing with it
>>> some more. At least I know we are thinking in the same ballpark
>>> Thank you
>>> ~J
>>>
>>> On 8/18/15 1:55 PM, Rob Crittenden wrote:
>>>> Janelle wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a way to force freeipa web server to accept http requests and
>>>>> not redirect to https?
Reason is simple - offloading SSL to a load >>>>> balancer on the front end. (this is for web only, not the LDAP or >>>>> Kerberos) >>>>> >>>>> Thank you >>>>> ~J >>>>> >>>> You could try disabling the rewrite rules to do this in >>>> /etc/httpd/conf.d/ipa-rewrite.conf. >>>> >>>> rob >> >> -- >> Simo Sorce * Red Hat, Inc * New York >> > From simo at redhat.com Wed Aug 19 02:14:54 2015 From: simo at redhat.com (Simo Sorce) Date: Tue, 18 Aug 2015 22:14:54 -0400 Subject: [Freeipa-users] freeipa on http? In-Reply-To: <55D3D166.40208@gmail.com> References: <55D39884.9060102@gmail.com> <55D39BC1.4070905@redhat.com> <55D3AA9A.1050303@gmail.com> <1439935310.2990.43.camel@willson.usersys.redhat.com> <1439935342.2990.44.camel@willson.usersys.redhat.com> <55D3D166.40208@gmail.com> Message-ID: <1439950494.2990.46.camel@willson.usersys.redhat.com> On Tue, 2015-08-18 at 17:44 -0700, Janelle wrote: > Simo, > > I read your blog sometime ago and do like it. However in this case, this > is only for HTTPS, not kerberos, so the names do not have to match. It > is for users managing accounts across any number of hosts. But thank you. There is still the problem of the referer, but should be easy to fix with a rewrite rule. Simo. > ~J > > On 8/18/15 3:02 PM, Simo Sorce wrote: > > On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote: > >> The load balancer would have to have the exact same name (for the > >> clients) as the IPA server, which may be challenging depending on the > >> network configuration you have. > > More on that issue here: > > http://ssimo.org/blog/id_019.html > > > >> On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote: > >>> Tried that -- but it gives a blank screen. I will try playing with it > >>> some more. 
At least I know we are thinking in the same ballpark > >>> Thank you > >>> ~J > >>> > >>> > >>> On 8/18/15 1:55 PM, Rob Crittenden wrote: > >>>> Janelle wrote: > >>>>> Hi, > >>>>> > >>>>> Is there a way to force freeipa web server to accept http requests and > >>>>> not redirect to https? Reason is simple - offloading SSL to a load > >>>>> balancer on the front end. (this is for web only, not the LDAP or > >>>>> Kerberos) > >>>>> > >>>>> Thank you > >>>>> ~J > >>>>> > >>>> You could try disabling the rewrite rules to do this in > >>>> /etc/httpd/conf.d/ipa-rewrite.conf. > >>>> > >>>> rob > >> > >> -- > >> Simo Sorce * Red Hat, Inc * New York > >> > > > -- Simo Sorce * Red Hat, Inc * New York From jhrozek at redhat.com Wed Aug 19 07:22:20 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 19 Aug 2015 09:22:20 +0200 Subject: [Freeipa-users] ipa v4 on CentOS6 In-Reply-To: <55D38136.3040205@redhat.com> References: <55D38136.3040205@redhat.com> Message-ID: <20150819072220.GG30576@hendrix.arn.redhat.com> On Tue, Aug 18, 2015 at 09:02:14PM +0200, Martin Kosek wrote: > On 08/17/2015 01:15 PM, Ramy Allam wrote: > >Hello, > > > >I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 machine. And > >need to setup ipa-4.1.0 on a CentOS *6* machine. > > > >CentOS 6 repo has ipa-client-3 available. Where can i find v4 for CentOS 6 please ? > > > >The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't support > >OTP authentication. > > Hello, > > We do not plan backporting FreeIPA 4.0+ on CentOS-6, there is simply too > many dependencies that are not there. Running purely on CentOS-7.1 looks as > the least painful way to me. > > You can still of course have clients (SSSD) on CentOS-6. Jakub, can you > please remind me what are the limitation with regards to SSSD&OTP on RHEL-6? The SSSD code is there, but the Kerberos library version is the limit. We can't rebase to a newer one but at the same time it's impossible to backport the changes. 
Sorry, but new features sometimes require using a new system..

>
> Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 will
> not be possible of course, that's expected.

From jhrozek at redhat.com Wed Aug 19 07:23:05 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 19 Aug 2015 09:23:05 +0200
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To: <55D381EA.8040806@redhat.com>
References: <341260557.2630046.1439651794815.JavaMail.yahoo@mail.yahoo.com> <55CF599C.8010109@redhat.com> <55D381EA.8040806@redhat.com>
Message-ID: <20150819072305.GH30576@hendrix.arn.redhat.com>

On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden >> wrote:
> >
> >    sipazzo wrote:
> >
> >
> >        and my users are able to authenticate to the directory but the hbac
> >        rules are not being applied. Any user whether given access or not can
> >        login to the Solaris systems. The "allow-all" rule has been disabled, my
> >        nsswitch.conf file looks good and I have tried different configs of
> >        pam.d, including the provided example to try to resolve the issue. Am I
> >        missing some steps?
> >
> >
> >    HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
>
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
>
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow, RHEL maintenance tends to eat
most time..
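Returning to the "freeipa on http?" thread above: the "problem of the referer" Simo mentions is FreeIPA's CSRF check on its JSON-RPC endpoint, which rejects any request whose Referer header does not start with https://<ipa-fqdn>/ipa. The snippet below is an added illustration, not FreeIPA's code and not posted by anyone in the thread, of why TLS offload at a load balancer with a different name trips that check and what a header rewrite at the IPA httpd (for instance mod_headers `RequestHeader edit`) has to do to satisfy it. The hostnames lb.example.com and ipa.example.com and the sample requests are assumptions.

```python
"""Illustration of FreeIPA's Referer-based CSRF check behind a TLS-offloading
load balancer. Added example; not FreeIPA's code. Hostnames are assumptions."""

IPA_FQDN = "ipa.example.com"   # assumed IPA server name
LB_NAME = "lb.example.com"     # assumed public load-balancer name


def referer_ok(headers: dict, ipa_fqdn: str = IPA_FQDN) -> bool:
    """Same rule the IPA JSON-RPC server applies: the Referer must be present
    and must start with https://<ipa fqdn>/ipa. Anything else is rejected."""
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(f"https://{ipa_fqdn}/ipa")


def rewrite_at_ipa_httpd(headers: dict) -> dict:
    """What an httpd-side rewrite would have to do for offloaded requests:
    map the LB's http:// name back to the IPA server's https:// name, and
    only that name, so that Referers from anywhere else stay rejected."""
    fixed = dict(headers)
    ref = headers.get("Referer", "")
    prefix = f"http://{LB_NAME}/"
    if ref.startswith(prefix):
        fixed["Referer"] = f"https://{IPA_FQDN}/" + ref[len(prefix):]
    return fixed


# Constructed sample requests, as the IPA httpd would see them.
DIRECT = {"Host": IPA_FQDN, "Referer": f"https://{IPA_FQDN}/ipa/ui/"}
VIA_LB = {"Host": LB_NAME, "Referer": f"http://{LB_NAME}/ipa/ui/",
          "X-Forwarded-Proto": "https"}
CROSS_SITE = {"Host": LB_NAME, "Referer": "http://evil.example.net/page.html"}


def outcomes() -> dict:
    """Accept/reject decision for each constructed request."""
    return {
        "direct": referer_ok(DIRECT),
        "via_lb_raw": referer_ok(VIA_LB),
        "via_lb_rewritten": referer_ok(rewrite_at_ipa_httpd(VIA_LB)),
        "cross_site_rewritten": referer_ok(rewrite_at_ipa_httpd(CROSS_SITE)),
    }


if __name__ == "__main__":
    for name, accepted in outcomes().items():
        print(f"{name:22} {'accepted' if accepted else 'rejected'}")
```

Two caveats for anyone taking this route: the rewrite must be anchored on the load balancer's own name, because a blanket rewrite of every Referer to the IPA name switches the CSRF protection off for everyone who can reach the LB; and once TLS is stripped at the LB, the password a user types into the web UI login form crosses the LB-to-IPA hop in clear, so either re-encrypt that hop or keep the LB on the IPA server's name and pass TLS through.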
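For the "Different shell for different systems" thread above, the ID view route David points to works as follows on FreeIPA 4.1 or later with an SSSD 1.12 or later client: create a view, add a per-user override that changes only the login shell, and apply the view to the git hosts; everywhere else the users keep the shell from their user entry. The script below is an added example, not the project's own tooling and not something posted in the thread; the view name gitview, the user alice and the host git1.example.com are assumptions. It builds the `ipa` calls as argv lists, runs them only when asked, and parses the `getent passwd` line you would check on the git host afterwards.

```python
"""Per-host login shell via a FreeIPA ID view (FreeIPA 4.1+, SSSD 1.12+ on the
client). Added example for the thread above, not the project's own tooling.
View name, user and host names are assumptions."""
import subprocess
from typing import List, Optional

GIT_SHELL = "/usr/bin/git-shell"


def plan_git_shell_view(view: str, users: List[str], hosts: List[str]) -> List[List[str]]:
    """Build the ipa(1) calls in the order they must run: create the view,
    add one user override per user that changes only the shell, then apply
    the view to the git hosts. On every other host the users keep the shell
    from their user entry (/bin/bash in the thread)."""
    cmds = [["ipa", "idview-add", view, "--desc", "git-shell on git servers"]]
    for user in users:
        cmds.append(["ipa", "idoverrideuser-add", view, user, "--shell=" + GIT_SHELL])
    cmds.append(["ipa", "idview-apply", view, "--hosts=" + ",".join(hosts)])
    return cmds


def run(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Run the plan (needs an admin Kerberos ticket). argv lists rather than a
    shell string, so hostnames and paths are passed through untouched."""
    for argv in cmds:
        print("+", " ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


def shell_from_passwd_line(line: str, user: str) -> Optional[str]:
    """Parse one `getent passwd <user>` line from the git host (run it after
    `sss_cache -E` so SSSD drops its cached copy of the user) and return the
    shell field, or None if the line is for another user or malformed."""
    fields = line.strip().split(":")
    if len(fields) != 7 or fields[0] != user:
        return None
    return fields[6]


if __name__ == "__main__":
    run(plan_git_shell_view("gitview", ["alice"], ["git1.example.com"]), dry_run=True)
    # Constructed line, as `getent passwd alice` would print on git1 once the view applies.
    print(shell_from_passwd_line("alice:*:1001:1001:Alice:/home/alice:/usr/bin/git-shell", "alice"))
```

Note that `idview-apply` refuses IPA masters, so the git servers have to be ordinary enrolled clients, and that the override is only visible on a host after SSSD refreshes the user, hence the `sss_cache -E` step before checking with `getent`.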
From tbordaz at redhat.com Wed Aug 19 07:25:34 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 19 Aug 2015 09:25:34 +0200
Subject: [Freeipa-users] Sudden replication failure
In-Reply-To: <55D37BDE.6050901@redhat.com>
References: <55C9040B.4010502@mail.sdsu.edu> <55D37BDE.6050901@redhat.com>
Message-ID: <55D42F6E.2030708@redhat.com>

On 08/18/2015 08:39 PM, Martin Kosek wrote:
> On 08/10/2015 10:05 PM, Burke Rosen wrote:
>> Hello,
>>
>> I'm running two replicated freeIPA servers. One of them spontaneously
>> failed.
>> After taking the misbehaving server down, the remaining replicant
>> handled
>> everything fine. I restored the system to its original working state by
>> uninstalling ipa-server from the non-functional server and
>> re-replicating from
>> the working server. All is well, but I am trying to figure out what
>> might have
>> caused the problem in the first place. Below are first few (presumably)
>> relevant lines of the error log. Can someone help me interpret them?
>>
>> Thank you,
>>
>> -Burke Rosen
>>
>>
>
> This line is interesting:
>
>> [08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file
>> ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing
>> replication.
>> This server: "20100614120000" remote server: "(null)".
>
> But I wonder how it is possible this was triggered, we did not bump
> the data version in IPA Replica version plugin since 2010 as you can
> see. So for some reason, it seems that the version was not passed
> correctly when the connection between replicas was being established.
>
> I guess we will not find out the root cause, given you successfully
> rebuilt the server. I am still CCing Ludwig and Thierry for reference.
>

Hello,

The DS master (or replica) sent a start-replication session with an empty GUID payload (added by ipa plugin). It should happen if you mixed DS and/or IPA version, is it the case ?
thanks thierry -------------- next part -------------- An HTML attachment was scrubbed... URL: From yks0000 at gmail.com Wed Aug 19 10:13:32 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Wed, 19 Aug 2015 15:43:32 +0530 Subject: [Freeipa-users] Public Key Authentication Failing + Failed to Authenticate New User with Public Key Message-ID: Any suggestion please. *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Wed, Aug 19, 2015 at 1:37 PM, Yogesh Sharma wrote: > Re-Enrolling the server has fixed it, but what has caused this, is still > an issue. > > *Best Regards,* > > *__________________________________________* > > *Yogesh Sharma* > *Email: yks0000 at gmail.com | Web: www.initd.in > * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > > On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma wrote: > >> Majority of sssd logs are filled with below error: >> >> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] >> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >> domain SID from [(null)] >> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] >> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >> domain SID from [(null)] >> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] >> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse >> domain SID from [(null)] >> >> >> *Best Regards,* >> >> *__________________________________________* >> >> *Yogesh Sharma* >> *Email: yks0000 at gmail.com | Web: www.initd.in >> * >> >> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* >> >> >> >> >> >> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma >> wrote: >> >>> Team. >>> >>> We are using public key authentication instead of password. It was >>> working fine but a day latter it has stopped working. The same key is >>> working for if change the username. 
>>> >>> For eg: >>> >>> Initially we created a user - ipa1 with ssh public key, but after >>> sometime it has stopped working, now the same key is working if we create >>> ipa2 user but with ipa1 user it fail to accept the keys. >>> >>> >>> >>> Below are ssh logs of failed attempt: >>> >>> root at yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa >>> vg4381 at 172.16.32.24 -vv >>> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 >>> debug1: Reading configuration data /etc/ssh/ssh_config >>> debug1: /etc/ssh/ssh_config line 19: Applying options for * >>> debug2: ssh_connect: needpriv 0 >>> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22. >>> debug1: Connection established. >>> debug1: permanently_set_uid: 0/0 >>> debug1: identity file /root/.ssh/id_rsa type 1 >>> debug1: identity file /root/.ssh/id_rsa-cert type -1 >>> debug1: Enabling compatibility mode for protocol 2.0 >>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2 >>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 >>> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000 >>> debug2: fd 3 setting O_NONBLOCK >>> debug1: SSH2_MSG_KEXINIT sent >>> debug1: SSH2_MSG_KEXINIT received >>> debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org >>> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >>> debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com, >>> ssh-rsa-cert-v00 at openssh.com,ssh-rsa, >>> ecdsa-sha2-nistp256-cert-v01 at openssh.com, >>> ecdsa-sha2-nistp384-cert-v01 at openssh.com, >>> ecdsa-sha2-nistp521-cert-v01 at openssh.com, >>> ssh-ed25519-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com, >>> ssh-dss-cert-v00 at openssh.com >>> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss >>> debug2: kex_parse_kexinit: >>> 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, >>> aes128-gcm at openssh.com,aes256-gcm at openssh.com, >>> chacha20-poly1305 at openssh.com >>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >>> rijndael-cbc at lysator.liu.se >>> debug2: kex_parse_kexinit: >>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, >>> aes128-gcm at openssh.com,aes256-gcm at openssh.com, >>> chacha20-poly1305 at openssh.com >>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >>> rijndael-cbc at lysator.liu.se >>> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com, >>> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com, >>> umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, >>> hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, >>> hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com >>> ,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com >>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >>> ,hmac-sha1-96,hmac-md5-96 >>> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com, >>> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com, >>> umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, >>> hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, >>> hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com >>> ,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com >>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >>> ,hmac-sha1-96,hmac-md5-96 >>> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >>> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: first_kex_follows 0 >>> debug2: kex_parse_kexinit: reserved 0 >>> debug2: kex_parse_kexinit: >>> 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss >>> debug2: kex_parse_kexinit: >>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >>> rijndael-cbc at lysator.liu.se >>> debug2: kex_parse_kexinit: >>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >>> rijndael-cbc at lysator.liu.se >>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com >>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >>> ,hmac-sha1-96,hmac-md5-96 >>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com >>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >>> ,hmac-sha1-96,hmac-md5-96 >>> debug2: kex_parse_kexinit: none,zlib at openssh.com >>> debug2: kex_parse_kexinit: none,zlib at openssh.com >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: first_kex_follows 0 >>> debug2: kex_parse_kexinit: reserved 0 >>> debug2: mac_setup: setup hmac-md5 >>> debug1: kex: server->client aes128-ctr hmac-md5 none >>> debug2: mac_setup: setup hmac-md5 >>> debug1: kex: client->server aes128-ctr hmac-md5 none >>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent >>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP >>> debug2: bits set: 1554/3072 >>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent >>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY >>> debug1: Server host key: RSA >>> 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15 >>> debug1: Host '172.16.32.24' is known and matches the RSA host key. 
>>> debug1: Found key in /root/.ssh/known_hosts:2258 >>> debug2: bits set: 1553/3072 >>> debug1: ssh_rsa_verify: signature correct >>> debug2: kex_derive_keys >>> debug2: set_newkeys: mode 1 >>> debug1: SSH2_MSG_NEWKEYS sent >>> debug1: expecting SSH2_MSG_NEWKEYS >>> debug2: set_newkeys: mode 0 >>> debug1: SSH2_MSG_NEWKEYS received >>> debug1: Roaming not allowed by server >>> debug1: SSH2_MSG_SERVICE_REQUEST sent >>> debug2: service_accept: ssh-userauth >>> debug1: SSH2_MSG_SERVICE_ACCEPT received >>> debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit >>> debug1: Authentications that can continue: >>> publickey,gssapi-keyex,gssapi-with-mic,password >>> debug1: Next authentication method: gssapi-keyex >>> debug1: No valid Key exchange context >>> debug2: we did not send a packet, disable method >>> debug1: Next authentication method: gssapi-with-mic >>> debug1: Unspecified GSS failure. Minor code may provide more information >>> No Kerberos credentials available >>> >>> debug1: Unspecified GSS failure. Minor code may provide more information >>> No Kerberos credentials available >>> >>> debug1: Unspecified GSS failure. Minor code may provide more information >>> >>> >>> debug1: Unspecified GSS failure. 
Minor code may provide more information >>> No Kerberos credentials available >>> >>> debug2: we did not send a packet, disable method >>> debug1: Next authentication method: publickey >>> debug1: Offering RSA public key: /root/.ssh/id_rsa >>> debug2: we sent a publickey packet, wait for reply >>> debug1: Authentications that can continue: >>> publickey,gssapi-keyex,gssapi-with-mic,password >>> debug2: we did not send a packet, disable method >>> debug1: Next authentication method: password >>> >>> *Best Regards,* >>> >>> *__________________________________________* >>> >>> *Yogesh Sharma* >>> *Email: yks0000 at gmail.com | Web: www.initd.in >>> * >>> >>> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* >>> >>> >>> >>> >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From linux at ramyallam.com Wed Aug 19 10:47:56 2015 From: linux at ramyallam.com (Ramy Allam) Date: Wed, 19 Aug 2015 12:47:56 +0200 Subject: [Freeipa-users] ipa v4 on CentOS6 In-Reply-To: <20150819072220.GG30576@hendrix.arn.redhat.com> References: <55D38136.3040205@redhat.com> <20150819072220.GG30576@hendrix.arn.redhat.com> Message-ID: Thanks for the valuable information. I will use CentOS7 for both client and server. Hope you all the best. On Wed, Aug 19, 2015 at 9:22 AM, Jakub Hrozek wrote: > On Tue, Aug 18, 2015 at 09:02:14PM +0200, Martin Kosek wrote: > > On 08/17/2015 01:15 PM, Ramy Allam wrote: > > >Hello, > > > > > >I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentoOS 7 > machine. And > > >need to setup ipa-4.1.0 on a CentOS *6* machine. > > > > > >CentOS 6 repo has ipa-client-3 available. Where can i find v4 for > CentOS 6 please ? > > > > > >The reason i need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't > support > > >OTP authentication. > > > > Hello, > > > > We do not plan backporting FreeIPA 4.0+ on CentOS-6, there is simply too > > many dependencies that are not there. 
Running purely on CentOS-7.1 looks > as > > the least painful way to me. > > > > You can still of course have clients (SSSD) on CentOS-6. Jakub, can you > > please remind me what are the limitation with regards to SSSD&OTP on > RHEL-6? > > The SSSD code is there, but the Kerberos library version is the limit. We > can't rebase to a newer one but at the same time it's impossible to > backport > the changes. > > Sorry, but new features sometimes require using a new system.. > > > > > Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 > will > > not be possible of course, that's expected. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yks0000 at gmail.com Wed Aug 19 08:07:57 2015 From: yks0000 at gmail.com (Yogesh Sharma) Date: Wed, 19 Aug 2015 13:37:57 +0530 Subject: [Freeipa-users] Public Key Authentication Failing In-Reply-To: References: Message-ID: Re-Enrolling the server has fixed it, but what has caused this, is still an issue. 
*Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000 at gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma wrote: > Majority of sssd logs are filled with below error: > > (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > > > *Best Regards,* > > *__________________________________________* > > *Yogesh Sharma* > *Email: yks0000 at gmail.com | Web: www.initd.in > * > > *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* > > > > > > On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma wrote: > >> Team. >> >> We are using public key authentication instead of password. It was >> working fine but a day latter it has stopped working. The same key is >> working for if change the username. >> >> For eg: >> >> Initially we created a user - ipa1 with ssh public key, but after >> sometime it has stopped working, now the same key is working if we create >> ipa2 user but with ipa1 user it fail to accept the keys. >> >> >> >> Below are ssh logs of failed attempt: >> >> root at yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa >> vg4381 at 172.16.32.24 -vv >> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 >> debug1: Reading configuration data /etc/ssh/ssh_config >> debug1: /etc/ssh/ssh_config line 19: Applying options for * >> debug2: ssh_connect: needpriv 0 >> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22. >> debug1: Connection established. 
>> debug1: permanently_set_uid: 0/0 >> debug1: identity file /root/.ssh/id_rsa type 1 >> debug1: identity file /root/.ssh/id_rsa-cert type -1 >> debug1: Enabling compatibility mode for protocol 2.0 >> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2 >> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 >> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000 >> debug2: fd 3 setting O_NONBLOCK >> debug1: SSH2_MSG_KEXINIT sent >> debug1: SSH2_MSG_KEXINIT received >> debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org >> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >> debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com, >> ssh-rsa-cert-v00 at openssh.com,ssh-rsa, >> ecdsa-sha2-nistp256-cert-v01 at openssh.com, >> ecdsa-sha2-nistp384-cert-v01 at openssh.com, >> ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com >> ,ssh-dss-cert-v01 at openssh.com,ssh-dss-cert-v00 at openssh.com >> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss >> debug2: kex_parse_kexinit: >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, >> aes128-gcm at openssh.com,aes256-gcm at openssh.com, >> chacha20-poly1305 at openssh.com >> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >> rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, >> aes128-gcm at openssh.com,aes256-gcm at openssh.com, >> chacha20-poly1305 at openssh.com >> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >> rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com, >> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com, >> umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, >> hmac-sha2-512-etm 
at openssh.com,hmac-ripemd160-etm at openssh.com, >> hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com >> ,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com >> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >> ,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com, >> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com, >> umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, >> hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, >> hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com >> ,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com >> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >> ,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: first_kex_follows 0 >> debug2: kex_parse_kexinit: reserved 0 >> debug2: kex_parse_kexinit: >> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss >> debug2: kex_parse_kexinit: >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >> rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, >> rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com >> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >> ,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com >> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >> 
,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: none,zlib at openssh.com >> debug2: kex_parse_kexinit: none,zlib at openssh.com >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: first_kex_follows 0 >> debug2: kex_parse_kexinit: reserved 0 >> debug2: mac_setup: setup hmac-md5 >> debug1: kex: server->client aes128-ctr hmac-md5 none >> debug2: mac_setup: setup hmac-md5 >> debug1: kex: client->server aes128-ctr hmac-md5 none >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP >> debug2: bits set: 1554/3072 >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY >> debug1: Server host key: RSA >> 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15 >> debug1: Host '172.16.32.24' is known and matches the RSA host key. >> debug1: Found key in /root/.ssh/known_hosts:2258 >> debug2: bits set: 1553/3072 >> debug1: ssh_rsa_verify: signature correct >> debug2: kex_derive_keys >> debug2: set_newkeys: mode 1 >> debug1: SSH2_MSG_NEWKEYS sent >> debug1: expecting SSH2_MSG_NEWKEYS >> debug2: set_newkeys: mode 0 >> debug1: SSH2_MSG_NEWKEYS received >> debug1: Roaming not allowed by server >> debug1: SSH2_MSG_SERVICE_REQUEST sent >> debug2: service_accept: ssh-userauth >> debug1: SSH2_MSG_SERVICE_ACCEPT received >> debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit >> debug1: Authentications that can continue: >> publickey,gssapi-keyex,gssapi-with-mic,password >> debug1: Next authentication method: gssapi-keyex >> debug1: No valid Key exchange context >> debug2: we did not send a packet, disable method >> debug1: Next authentication method: gssapi-with-mic >> debug1: Unspecified GSS failure. Minor code may provide more information >> No Kerberos credentials available >> >> debug1: Unspecified GSS failure. Minor code may provide more information >> No Kerberos credentials available >> >> debug1: Unspecified GSS failure. 
Minor code may provide more information >> >> >> debug1: Unspecified GSS failure. Minor code may provide more information >> No Kerberos credentials available >> >> debug2: we did not send a packet, disable method >> debug1: Next authentication method: publickey >> debug1: Offering RSA public key: /root/.ssh/id_rsa >> debug2: we sent a publickey packet, wait for reply >> debug1: Authentications that can continue: >> publickey,gssapi-keyex,gssapi-with-mic,password >> debug2: we did not send a packet, disable method >> debug1: Next authentication method: password >> >> *Best Regards,* >> >> *__________________________________________* >> >> *Yogesh Sharma* >> *Email: yks0000 at gmail.com | Web: www.initd.in >> * >> >> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* >> >> >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bahanw042014 at gmail.com Wed Aug 19 14:41:04 2015 From: bahanw042014 at gmail.com (bahan w) Date: Wed, 19 Aug 2015 16:41:04 +0200 Subject: [Freeipa-users] Cannot uninstall ipa-server Message-ID: Hello. After an unsuccessfull installation of ipa-server, 3.0.0-42, I try to uninstall it, but the uninstallation hangs at the following step : ### ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure? [no]: yes Shutting down all IPA services ### It hangs forever. Anyway to perform the uninstallation manually ? I throught I saw a method somewhere concerning the removal of the files contained in the following folders : ### /var/lib/ipa/sysrestore /var/lib/ipa-client/sysrestore ### Is it true ? Best regards. Bahan -------------- next part -------------- An HTML attachment was scrubbed... 
From janellenicole80 at gmail.com Wed Aug 19 14:57:51 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 19 Aug 2015 07:57:51 -0700
Subject: [Freeipa-users] Cannot uninstall ipa-server
In-Reply-To:
References:
Message-ID: <55D4996F.7040309@gmail.com>

ipa-server-install --uninstall --unattended

~J

On 8/19/15 7:41 AM, bahan w wrote:
> Hello.
>
> After an unsuccessful installation of ipa-server, 3.0.0-42, I try to
> uninstall it, but the uninstallation hangs at the following step:
>
> ###
> ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> Shutting down all IPA services
>
> ###
>
> It hangs forever.
>
> Any way to perform the uninstallation manually? I thought I saw a
> method somewhere concerning the removal of the files contained in the
> following folders:
>
> ###
> /var/lib/ipa/sysrestore
> /var/lib/ipa-client/sysrestore
> ###
>
> Is it true?
>
> Best regards.
>
> Bahan
>
>

From sipazzo at yahoo.com Wed Aug 19 18:27:35 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Wed, 19 Aug 2015 18:27:35 +0000 (UTC)
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To: <20150819072305.GH30576@hendrix.arn.redhat.com>
References: <20150819072305.GH30576@hendrix.arn.redhat.com>
Message-ID: <1816458786.7491329.1440008855702.JavaMail.yahoo@mail.yahoo.com>

Ah I would love to help but have only been a Unix sysadmin for a couple years now (came from Windows side of house) and have little coding ability. Still happy to help in any way I can though if you can find a place/need for me. You have all been very helpful to me so I would like to give back if I can.
From: Jakub Hrozek
To: Martin Kosek
Cc: Freeipa-users
Sent: Wednesday, August 19, 2015 12:23 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
> >
> >    sipazzo wrote:
> >
> >        and my users are able to authenticate to the directory but the hbac
> >        rules are not being applied. Any user whether given access or not can
> >        login to the Solaris systems. The "allow-all" rule has been disabled, my
> >        nsswitch.conf file looks good and I have tried different configs of
> >        pam.d, including the provided example to try to resolve the issue. Am I
> >        missing some steps?
> >
> >
> >    HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
>
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
>
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still working on this, but the progress is slow, RHEL maintenance tends to eat most time..

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
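The thread above pins the Solaris problem on missing enforcement: HBAC rules live in the directory, but only a client-side component (sssd, or a PAM module such as pam_hbac) actually evaluates them, so without one every authenticated user gets in. As an added example, not code from sssd, pam_hbac, FreeIPA or anyone on the list, here is a simplified Python model of that evaluation: default deny, allow-only rules, each matched on the user, host and service axes, with an optional "all" category on any axis. The rule names, host names and group memberships are constructed sample data; the disabled allow_all rule mirrors what sipazzo described.

```python
"""Simplified model of FreeIPA HBAC rule evaluation (added example; it is
not code from sssd, pam_hbac or FreeIPA). Rules are allow-only: a request is
granted if any enabled rule matches on all three axes, otherwise denied.
All names below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HbacRule:
    """One allow rule. A category of "all" matches everything on that axis;
    otherwise the request must hit a direct member or a member group."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    """What a PAM module knows at login time: who, on which host, through
    which PAM service, plus the group memberships it resolved from LDAP."""
    user: str
    user_groups: Set[str]
    host: str
    host_groups: Set[str]
    service: str
    service_groups: Set[str] = field(default_factory=set)


def _axis_matches(category: Optional[str], direct: Set[str], groups: Set[str],
                  value: str, value_groups: Set[str]) -> bool:
    if category == "all":
        return True
    return value in direct or bool(groups & value_groups)


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    """A rule applies only if it is enabled and user, host and service all match."""
    if not rule.enabled:
        return False
    return (_axis_matches(rule.user_category, rule.users, rule.usergroups,
                          req.user, req.user_groups)
            and _axis_matches(rule.host_category, rule.hosts, rule.hostgroups,
                              req.host, req.host_groups)
            and _axis_matches(rule.service_category, rule.services, rule.servicegroups,
                              req.service, req.service_groups))


def hbac_decision(rules: List[HbacRule], req: AccessRequest) -> Tuple[bool, Optional[str]]:
    """Default deny: grant only if some enabled rule matches.
    Returns (allowed, name of the first matching rule or None)."""
    for rule in rules:
        if rule_matches(rule, req):
            return True, rule.name
    return False, None


def sample_rules(allow_all_enabled: bool = False) -> List[HbacRule]:
    """Constructed rule set: the default allow_all rule (disabled, as in the
    thread) plus one rule letting the admins group reach sshd on the
    solaris_hosts host group."""
    return [
        HbacRule(name="allow_all", enabled=allow_all_enabled,
                 user_category="all", host_category="all", service_category="all"),
        HbacRule(name="admins_ssh_solaris", usergroups={"admins"},
                 hostgroups={"solaris_hosts"}, services={"sshd"}),
    ]


def evaluate_samples(allow_all_enabled: bool = False) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run four constructed login attempts through the sample rule set."""
    rules = sample_rules(allow_all_enabled)
    sol = ("sol01.example.test", {"solaris_hosts"})
    requests = {
        "alice_sshd": AccessRequest("alice", {"admins", "ipausers"}, *sol, "sshd"),
        "bob_sshd": AccessRequest("bob", {"ipausers"}, *sol, "sshd"),
        "alice_login": AccessRequest("alice", {"admins", "ipausers"}, *sol, "login"),
        "alice_other_host": AccessRequest("alice", {"admins", "ipausers"},
                                          "web01.example.test", {"web_hosts"}, "sshd"),
    }
    return {label: hbac_decision(rules, req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, (allowed, rule) in evaluate_samples().items():
        print(f"{label:18} -> {'ALLOW' if allowed else 'DENY':5} via {rule}")
```

With allow_all disabled only alice over sshd on a solaris_hosts member is granted; bob, a different PAM service, and a host outside the host group are all denied. Re-enabling allow_all makes every request succeed, which is the same observable outcome as a client that never evaluates the rules at all.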
From rcritten at redhat.com Wed Aug 19 20:58:20 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Aug 2015 16:58:20 -0400
Subject: [Freeipa-users] Cannot uninstall ipa-server
In-Reply-To: <55D4996F.7040309@gmail.com>
References: <55D4996F.7040309@gmail.com>
Message-ID: <55D4EDEC.7040005@redhat.com>

Janelle wrote:
> ipa-server-install --uninstall --unattended

I don't think it is the prompt that's hanging. I'd either wait to see whether it clears things up itself or try to figure out what service is hanging. Some of the timeouts are 5 minutes IIRC so it may take a while in the worst case scenario.

The files/directories you refer to are the hints that the uninstaller uses to know how to restore the system to as close to pre-install condition as possible. I don't know that it is all that consumable if done manually.

rob

>
> ~J
>
> On 8/19/15 7:41 AM, bahan w wrote:
>> Hello.
>>
>> After an unsuccessful installation of ipa-server, 3.0.0-42, I try to
>> uninstall it, but the uninstallation hangs at the following step:
>>
>> ###
>> ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>> Shutting down all IPA services
>>
>> ###
>>
>> It hangs forever.
>>
>> Any way to perform the uninstallation manually? I thought I saw a
>> method somewhere concerning the removal of the files contained in the
>> following folders:
>>
>> ###
>> /var/lib/ipa/sysrestore
>> /var/lib/ipa-client/sysrestore
>> ###
>>
>> Is it true?
>>
>> Best regards.
>>
>> Bahan
>>
>>
>
>

From sipazzo at yahoo.com Wed Aug 19 21:31:24 2015
From: sipazzo at yahoo.com (sipazzo)
Date: Wed, 19 Aug 2015 21:31:24 +0000 (UTC)
Subject: [Freeipa-users] HBAC rules not applying to Solaris clients
In-Reply-To:
References:
Message-ID: <900349588.7600905.1440019884564.JavaMail.yahoo@mail.yahoo.com>

Thanks Bob, I have tried to implement this and cannot seem to get it to work for me even though it seems straightforward. I tried both with using a user.allow file and adding the netgroup to /etc/passwd as well as moving lines around in the pam.conf and many different versions of pam.conf but it results in either everyone being able to login or no one being able to login. Do you mind sharing your pam.conf with me?

I have the following relevant entries in nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap
netgroup: ldap

From: Bob
To: Natxo Asenjo
Cc: Freeipa-users
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote:
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
sipazzo wrote:
and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems. The "allow-all" rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example to try to resolve the issue. Am I missing some steps?

HBAC enforcement is provided by sssd so doesn't work in Solaris.

one might try using solaris' RBAC system:
http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.
There is a RBAC ldap schema
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris,
but I have never tried using it with freeipa.

--
Groeten,
natxo

From yamakasi.014 at gmail.com Thu Aug 20 06:12:32 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 20 Aug 2015 08:12:32 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

HI Guys,

Anyone still a working clue/test here? I didn't come further as it seems there needs to be some domain join / match following the freeipa devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . :
> Hi,
>
> I might have found something which I had already seen in the logs.
>
> I did a smbpasswd my username on the samba server, it connects to ldap
> very well. I give my new password and get the following:
>
> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
> [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1----my--sid---)))],
> scope => [2]
> Attribute [displayName] not found.
> Could not retrieve 'displayName' attribute from cn=Default SMB
> Group,cn=groups,cn=accounts,dc=my,dc=domain
> Sid S-1----my--sid--- -> MYDOMAIN\Default SMB Group(2)
>
> So something is missing!
>
> Thanks so far guys!
>
> Cheers,
>
> Matt
>
> 2015-08-13 12:02 GMT+02:00 Matt . :
>> Hi Youenn,
>>
>> OK thanks! this takes me a little bit further now and I see some good
>> stuff in my logging.
>>
>> I'm testing on a Windows 10 Machine which is not member of an AD or
>> so, so that might be my issue for now?
>>
>> When testing on the samba box itself as my user I get:
>>
>>
>> [myusername at smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>
>> ...
>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>> ...
>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>
>>
>> Maybe I have an issue with encrypted passwords?
>>
>>
>> When we have this all working, I think we have a howto :D
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>> Hi Matt
>>>
>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>> sambaSamAccount is not needed anymore that way.
>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>> controller. DOMAIN\username may work for some users using Windows 7 - not 8
>>> nor 10 (it did for me but I was the only one at the office... quite useless)
>>>
>>> This config may work on your CentOS (for the ipasam way):
>>> workgroup = TEST
>>> realm = TEST.NET
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = FILE:/<.....>/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> encrypt passwords = true
>>> passdb backend = ipasam:ldaps://youripa.test.net
>>> ldapsam:trusted = yes
>>> ldapsuffix = test.net
>>> ldap user suffix = cn=users,cn=accounts
>>> ldap group suffix = cn=groups,cn=accounts
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piolet.y at gmail.com
>>>
>>>
>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>
>>>> Hi,
>>>>
>>>> OK the default IPA way works great actually when testing it as described
>>>> here:
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> On the samba server I can auth and see my share where I want to connect
>>>> to.
>>>>
>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username
>>>> as username
>>>>
>>>> So, the IPA way should work.
>>>>
>>>> Any comments here?
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-12 19:00 GMT+02:00 Matt .
: >>>> > HI GUys, >>>> > >>>> > I'm testing this out and I think I almost setup, this on a CentOS samba >>>> > server. >>>> > >>>> > I'm using the ipa-adtrust way of Youeen but it seems we still need to >>>> > add (objectclass=sambaSamAccount)) ? >>>> > >>>> > Info is welcome! >>>> > >>>> > I will report back when I have it working. >>>> > >>>> > Thanks! >>>> > >>>> > Matt >>>> > >>>> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb >>>> > : >>>> >> The next route I will try - is the one Youeen took, using ipa-adtrust >>>> >> >>>> >> >>>> >> >>>> >> From: "Matt ." >>>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> >> "freeipa-users at redhat.com" >>>> >> Date: 10.08.2015 10:03 >>>> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>>> >> IPA >>>> >> >>>> >> >>>> >> >>>> >> Hi Chris, >>>> >> >>>> >> Okay this is good to hear. >>>> >> >>>> >> But don't we want a IPA managed Scheme ? >>>> >> >>>> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a local >>>> >> installed Samba and I wonder why. >>>> >> >>>> >> Good that we make some progres on making it all clear. >>>> >> >>>> >> Cheers, >>>> >> >>>> >> Matt >>>> >> >>>> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb >>>> >> : >>>> >>> ldapsam + the samba extensions, pretty much as described in the >>>> >> Techslaves >>>> >>> article. Once I have a draft for the wiki page, I will mail you. >>>> >>> >>>> >>> >>>> >>> >>>> >>> From: "Matt ." >>>> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> >>> "freeipa-users at redhat.com" >>>> >>> Date: 09.08.2015 21:17 >>>> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>>> >>> IPA >>>> >>> >>>> >>> >>>> >>> >>>> >>> Hi, >>>> >>> >>>> >>> Yes I know about "anything" but which way did you use now ? >>>> >>> >>>> >>> >>>> >>> >>>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb >>>> >> : >>>> >>>> Hi Matt >>>> >>>> >>>> >>>> I am on OEL 7.1. 
- so anything that works on that should be good for >>>> >> RHEL >>>> >>>> and Centos 7.x >>>> >>>> >>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. >>>> >>>> As >>>> >>> we >>>> >>>> have suggested earlier, we will likely end up with several, one for >>>> >>>> each >>>> >>> of >>>> >>>> the possible integration paths. >>>> >>>> >>>> >>>> Chris >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> From: "Matt ." >>>> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> >>>> "freeipa-users at redhat.com" >>>> >>>> Date: 09.08.2015 16:45 >>>> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>>> >>>> IPA >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> Hi Chris, >>>> >>>> >>>> >>>> This sounds great! >>>> >>>> >>>> >>>> What are you using now, both CentOS ? So Samba and FreeIPA ? >>>> >>>> >>>> >>>> Maybe it's good to explain which way you used now in steps too, so we >>>> >>>> can combine or create multiple howto's ? >>>> >>>> >>>> >>>> At least we are going somewhere! >>>> >>>> >>>> >>>> Thanks, >>>> >>>> >>>> >>>> Matt >>>> >>>> >>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb >>>> >>> : >>>> >>>>> Hi Matt >>>> >>>>> >>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old >>>> >>> Samba >>>> >>>>> Schema extensions) is up and working, almost flawlessly. >>>> >>>>> >>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the >>>> >> correct >>>> >>>>> ObjectClasses / attributes required for Samba. >>>> >>>>> >>>> >>>>> So far I have not yet bothered to try the extensions to the WebUI, >>>> >>>> because >>>> >>>>> it is currently giving me the classic "Your session has expired. >>>> >>>>> Please >>>> >>>>> re-login." error which renders the WebUI useless. >>>> >>>>> >>>> >>>>> The only problem I have so far encountered managing Samba / FreeIPA >>>> >>> users >>>> >>>>> via FreeIPA CLI commands is with the handling of the attribute >>>> >>>>> sambaPwdLastSet. 
This is the subject of an existing thread, also >>>> >> updated >>>> >>>>> today. >>>> >>>>> >>>> >>>>> There is also an existing alternative to hacking group.py, using >>>> >>>>> "Class >>>> >>>> of >>>> >>>>> Service" (Cos) documented in this thread from February 2015 >>>> >>>>> >>>> >>> >>>> >>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html >>>> >>>> . >>>> >>>>> I have not yet tried it, but it sounds reasonable. >>>> >>>>> >>>> >>>>> Chris >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> From: "Matt ." >>>> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>> >>>>> Cc: "freeipa-users at redhat.com" , >>>> >>>>> Youenn >>>> >>>>> PIOLET >>>> >>>>> Date: 06.08.2015 16:19 >>>> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>>> >> IPA >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> Hi Chris, >>>> >>>>> >>>> >>>>> OK, than we might create two different versions of the wiki, I think >>>> >>>>> this is nice. >>>> >>>>> >>>> >>>>> I'm still figuring out why I get that: >>>> >>>>> >>>> >>>>> IPA Error 4205: ObjectclassViolation >>>> >>>>> >>>> >>>>> missing attribute "sambaGroupType" required by object class >>>> >>>>> "sambaGroupMapping" >>>> >>>>> >>>> >>>>> Matt >>>> >>>>> >>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb >>>> >>>> : >>>> >>>>>> Hi Matt >>>> >>>>>> >>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / >>>> >>>>>> FreeIPA >>>> >>>>>> integration paths. >>>> >>>>>> >>>> >>>>>> The route I took is suited where there is no Active Directory >>>> >> involved: >>>> >>>>> In >>>> >>>>>> my case all the Windows, OSX and Linux clients are islands that sit >>>> >>>>>> on >>>> >>>>> the >>>> >>>>>> same network. >>>> >>>>>> >>>> >>>>>> The route that Youenn has taken (unless I have got completely the >>>> >> wrong >>>> >>>>> end >>>> >>>>>> of the stick) requires Active Directory in the architecture. 
>>>> >>>>>>
>>>> >>>>>> Chris
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>> From: "Matt ."
>>>> >>>>>> To: Youenn PIOLET
>>>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>>> >>>>>> "freeipa-users at redhat.com"
>>>> >>>>>> Date: 06.08.2015 14:42
>>>> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>> Hi,
>>>> >>>>>>
>>>> >>>>>> OK, this sounds already quite logical, but I'm still referring to the
>>>> >>>>>> old howto we found earlier, does that one still apply somewhere or not
>>>> >>>>>> at all?
>>>> >>>>>>
>>>> >>>>>> Thanks,
>>>> >>>>>>
>>>> >>>>>> Matt
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>> >>>>>>> Hey guys,
>>>> >>>>>>>
>>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>> >>>>>>>
>>>> >>>>>>> General idea:
>>>> >>>>>>>
>>>> >>>>>>> On FreeIPA (4.1)
>>>> >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>>>> >>>>>>>   attribute, also known as SID)
>>>> >>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by
>>>> >>>>>>>   default on users
>>>> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>> >>>>>>> - create a CIFS service for your samba server
>>>> >>>>>>> - Create user roles/permissions as described here:
>>>> >>>>>>>   http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>> >>>>>>>   so that CIFS service will be able to read ipaNTsecurityidentifier and
>>>> >>>>>>>   ipaNTHash attributes in LDAP (ACI)
>>>> >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick):
>>>> >>>>>>>   scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
>>>> >>>>>>>   You can also try to recompile it.
>>>> >>>>>>>
>>>> >>>>>>> On SAMBA Server side (CentOS 7...)
>>>> >>>>>>> - Install server keytab file for CIFS
>>>> >>>>>>> - check ipasam.so is here.
>>>> >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>>>> >>>>>>>   uid=admin ipaNTHash` thanks to kerberos
>>>> >>>>>>> - make your smb.conf following the linked thread and restart service
>>>> >>>>>>>
>>>> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>>>> >>>>>>> ipasam may use quite recent functionalities, the best is to just try. You
>>>> >>>>>>> can read in previous thread: "If you insist on Ubuntu you need to get
>>>> >>>>>>> ipasam somewhere, most likely to compile it yourself".
>>>> >>>>>>>
>>>> >>>>>>> Make sure your user has ipaNTHash attribute :)
>>>> >>>>>>>
>>>> >>>>>>> You may want to debug authentication on samba server, I usually do this:
>>>> >>>>>>> `tail -f /var/log/samba/log* | grep
>>>> >>>>>>>
>>>> >>>>>>> Cheers
>>>> >>>>>>> --
>>>> >>>>>>> Youenn Piolet
>>>> >>>>>>> piolet.y at gmail.com
>>>> >>>>>>>
>>>> >>>>>>>
>>>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>> >>>>>>>>
>>>> >>>>>>>> Hi,
>>>> >>>>>>>>
>>>> >>>>>>>> This sounds great to me too, but a howto would help to make it more
>>>> >>>>>>>> clear about what you have done here. The thread confuses me a little
>>>> >>>>>>>> bit.
>>>> >>>>>>>>
>>>> >>>>>>>> Can you paste your commands so we can test out too and report back?
>>>> >>>>>>>>
>>>> >>>>>>>> Thanks!
>>>> >>>>>>>> >>>> >>>>>>>> Matt >>>> >>>>>>>> >>>> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb >>>> >>>>>> : >>>> >>>>>>>> > Hi Youenn >>>> >>>>>>>> > >>>> >>>>>>>> > Good news that you have got an integration working >>>> >>>>>>>> > >>>> >>>>>>>> > Now you have got it going, and the solution is fresh in your >>>> >>>>>>>> > mind, >>>> >>>>> how >>>> >>>>>>>> > about adding a How-to page on this solution to the FreeIPA >>>> >>>>>>>> > wiki? >>>> >>>>>>>> > >>>> >>>>>>>> > Chris >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > From: Youenn PIOLET >>>> >>>>>>>> > To: "Matt ." >>>> >>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> >>>>>>>> > "freeipa-users at redhat.com" >>>> >>>>>>>> > >>>> >>>>>>>> > Date: 05.08.2015 14:51 >>>> >>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>>> >>> against >>>> >>>>>> IPA >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > Hi guys, >>>> >>>>>>>> > >>>> >>>>>>>> > Thank you so much your previous answers. >>>> >>>>>>>> > I realised my SID were stored in ipaNTsecurityidentifier, >>>> >>>>>>>> > thanks >>>> >> to >>>> >>>>>>>> > ipa-adtrust-install --add-sids >>>> >>>>>>>> > >>>> >>>>>>>> > I found an other way to configure smb here: >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>> >>>> >>>>> >>>> >>>> >>>> >>> >>>> >> >>>> >> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa >>>> >> >>>> >>> >>>> >>>> >>>> >>>>> >>>> >>>>>> >>>> >>>>>>>> > It works perfectly. >>>> >>>>>>>> > >>>> >>>>>>>> > I'm using module ipasam.so I have manually scp to the samba >>>> >> server, >>>> >>>>>>>> > Samba is set to use kerberos + ldapsam via this ipasam module. >>>> >>>>>>>> > Following the instructions, I created a user role allowing >>>> >>>>>>>> > service >>>> >>>>>>>> > principal to read ipaNTHash value from the LDAP. >>>> >>>>>>>> > ipaNTHash are generated each time a user changes his password. 
>>>> >>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10. >>>> >>>>>>>> > >>>> >>>>>>>> > For more details, the previously linked thread is quite clear. >>>> >>>>>>>> > >>>> >>>>>>>> > Cheers >>>> >>>>>>>> > >>>> >>>>>>>> > -- >>>> >>>>>>>> > Youenn Piolet >>>> >>>>>>>> > piolet.y at gmail.com >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . : >>>> >>>>>>>> > Hi Chris. >>>> >>>>>>>> > >>>> >>>>>>>> > Yes, Apache Studio did that but I was not sure why it >>>> >>>>>>>> > complained >>>> >>>> it >>>> >>>>>>>> > was "already" there. >>>> >>>>>>>> > >>>> >>>>>>>> > I'm still getting: >>>> >>>>>>>> > >>>> >>>>>>>> > IPA Error 4205: ObjectclassViolation >>>> >>>>>>>> > >>>> >>>>>>>> > missing attribute "sambaGroupType" required by object class >>>> >>>>>>>> > "sambaGroupMapping" >>>> >>>>>>>> > >>>> >>>>>>>> > When adding a user. >>>> >>>>>>>> > >>>> >>>>>>>> > I also see "class" as fielname under my "Last name", this is >>>> >>>>>>>> > not >>>> >>>> OK >>>> >>>>>>>> > also. >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > We sure need to make some howto, I think we can nail this >>>> >> down :) >>>> >>>>>>>> > >>>> >>>>>>>> > Thanks for the heads up! 
>>>> >>>>>>>> >
>>>> >>>>>>>> > Matthijs
>>>> >>>>>>>> >
>>>> >>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>> >>>>>>>> > > Hi Matt
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
>>>> >>>>>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
>>>> >>>>>>>> > > below:
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > #!RESULT OK
>>>> >>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>> >>>>>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>> >>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>> >>>>>>>> > > changetype: modify
>>>> >>>>>>>> > > add: ipaCustomFields
>>>> >>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
>>>> >>>>>>>> > > attribute type in a drop down list.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA
>>>> >>>>>>>> > > Wiki.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Chris
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>>>>> > > To: "Matt ."
>>>> >>>>>>>> > > Cc: "freeipa-users at redhat.com"
>>>> >>>>>>>> > > Date: 05.08.2015 07:31
>>>> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> > > Sent by: freeipa-users-bounces at redhat.com
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Hi Matt
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > I also got the same result at that step, but can see nothing in Apache
>>>> >>>>>>>> > > Directory Studio.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they
>>>> >>>>>>>> > > probably were migrated with all the required attributes.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> >>>>>>>> > > changetype: modify
>>>> >>>>>>>> > > add: ipaCustomFields
>>>> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> >>>>>>>> > > EOF
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > i.e. changetype: modify, instead of changetype add?
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > I don't want to play around with my prod directory - I will setup an EL
>>>> >>>>>>>> > > 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play
>>>> >>>>>>>> > > around more destructively.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Chris
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > From: "Matt ."
>>>> >>>>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Date: 05.08.2015 01:01
>>>> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Hi Chris,
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > I'm at the right path, but my issue is that:
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> >>>>>>>> > > changetype: add
>>>> >>>>>>>> > > add: ipaCustomFields
>>>> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> >>>>>>>> > > EOF
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add
>>>> >>>>>>>> > > it manually as an attribute it still fails when I add a user on this
>>>> >>>>>>>> > > sambagrouptype as it's needed by the other attributes
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > So that is my issue I think so far.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Any clue about that?
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > No problem "you don't know something or are no guru" we are all
>>>> >>>>>>>> > > learning! :)
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Cheers,
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Matt
>>>> >>>>>>>> > >
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>> >>>>>>>> > >> Hi Matt, Youeen
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> Just to set the background properly, I did not invent this process.
>>>> >>>>>>>> > I >>>> >>>>>>>> > > know >>>> >>>>>>>> > >> only a little about FreeIPA, and almost nothing about >>>> >>>>>>>> > Samba, >>>> >>>> but >>>> >>>>>> I >>>> >>>>>>>> > guess >>>> >>>>>>>> > > I >>>> >>>>>>>> > >> was lucky enough to get the integration working on a >>>> >>>>>>>> > Sunday >>>> >>>>>>>> > afternoon. >>>> >>>>>>>> > (I >>>> >>>>>>>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as >>>> >>>>>>>> > a >>>> >>>>>>>> > reference). >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> It sounds like we need to step back, and look at the test >>>> >> user >>>> >>>>>> and >>>> >>>>>>>> > group >>>> >>>>>>>> > > in >>>> >>>>>>>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes >>>> >> this >>>> >>>>>> much >>>> >>>>>>>> > > easier. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> My FreeIPA / Samba Users have the following Samba >>>> >>>>>>>> > extensions >>>> >>> in >>>> >>>>>>>> > FreeIPA >>>> >>>>>>>> > >> (cn=accounts, cn=users): >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> * objectClass: sambasamaccount >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> My FreeIPA / Samba Groups have the following Samba >>>> >>>>>>>> > extensions >>>> >>>> in >>>> >>>>>>>> > FreeIPA >>>> >>>>>>>> > >> (cn=accounts, cn=groups): >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> * objectClass: sambaGroupMapping >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> * Attributes: sambaGroupType, sambaSID >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> The Users must belong to one or more of the samba groups >>>> >>>>>>>> > that >>>> >>>>> you >>>> >>>>>>>> > have >>>> >>>>>>>> > >> setup. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> If you don't have something similar to the above (which >>>> >> sounds >>>> >>>>>> like >>>> >>>>>>>> > it >>>> >>>>>>>> > is >>>> >>>>>>>> > >> the case), then something went wrong applying the >>>> >>>>>>>> > extensions. 
>>>> >>>> It >>>> >>>>>>>> > would >>>> >>>>>>>> > be >>>> >>>>>>>> > >> worth testing comparing a new user / group created post >>>> >> adding >>>> >>>>>> the >>>> >>>>>>>> > >> extensions to a previous existing user. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> i.e. >>>> >>>>>>>> > >> are the extensions missing on existing users / groups? >>>> >>>>>>>> > >> are the extensions missing on new users / groups? >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Cheers >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Chris >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> From: Youenn PIOLET >>>> >>>>>>>> > >> To: "Matt ." >>>> >>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> >>>>>>>> > >> "freeipa-users at redhat.com" >>>> >>>>> >>>> >>>>>>>> > >> Date: 04.08.2015 18:56 >>>> >>>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server >>>> >>>>>>>> > Auth >>>> >>>>>>>> > against >>>> >>>>>>>> > IPA >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Hi there, >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> I have difficulties to follow you at this point :) >>>> >>>>>>>> > >> Here is what I've done and what I've understood: >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> ## SMB Side >>>> >>>>>>>> > >> - Testparm OK >>>> >>>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to >>>> >>>>> connect. >>>> >>>>>>>> > >> - pdbedit -Lv output is all successfull but I can see >>>> >>>>>>>> > there >>>> >> is >>>> >>>> a >>>> >>>>>>>> > filter : >>>> >>>>>>>> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users >>>> >>>> don't >>>> >>>>>>>> > have >>>> >>>>>>>> > >> sambaSamAccount. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> ## LDAP / FreeIPA side >>>> >>>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on >>>> >>>>>>>> > my >>>> >>>>>>>> > FreeIPA >>>> >>>>>>>> > >> server to get samba LDAP extensions. 
>>>> >>>>>>>> > >> - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects
>>>> >>>>>>>> > >> - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create user nor groups anymore, as new samba attributes are needed for instantiation.
>>>> >>>>>>>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
>>>> >>>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...)
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> ## Questions
>>>> >>>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
>>>> >>>>>>>> > >> 1) How to generate the user/group SIDs ? They are requested to add sambaSamAccount classes.
>>>> >>>>>>>> > >> This article doesn't seem relevant since we don't use domain controller
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> and netgetlocalsid returns an error.
>>>> >>>>>>>> > >> 2) How to fix samba.js plugin?
>>>> >>>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can I find it?
>>>> >>>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> Thanks a lot for your previous and future answers
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> --
>>>> >>>>>>>> > >> Youenn Piolet
>>>> >>>>>>>> > >> piolet.y at gmail.com
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . :
>>>> >>>>>>>> > >> Hi,
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> Yes, log is anonymised.
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> There must be something going wrong I guess.
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> Matt
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
>>>> >>>>>>>> > >> > Hi Matt
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > I assume [username] is a real username, identical to that in the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > Your user should be a member of the appropriate samba groups that you setup in FreeIPA.
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > You should check that the user attribute SambaPwdLastSet is set to a positive value (e.g. 1). If not you get an error in the Samba logs - I would need to play around again with a test user to find out the exact error.
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > I don't understand what you mean about syncing the users local, but we did not need to do anything like that.
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > Chris
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > From: "Matt ."
>>>> >>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>>>>> > >> > Cc: "freeipa-users at redhat.com"
>>>> >>>>>>>> > >> > Date: 04.08.2015 15:33
>>>> >>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > Hi Chris,
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > A puppet run added another passdb backend, that was causing my issue.
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > What I still experience is:
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
>>>> >>>>>>>> > >> > check_sam_security: Couldn't find user 'username' in passdb.
>>>> >>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
>>>> >>>>>>>> > >> > check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > I also wonder if I shall still sync the users local, or is it needed ?
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > Thanks again,
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > Matt
>>>> >>>>>>>> > >> >
>>>> >>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < christopher.lamb at ch.ibm.com>:
>>>> >>>>>>>> > >> >> Hi Matt
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> From our smb.conf file:
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> [global]
>>>> >>>>>>>> > >> >> security = user
>>>> >>>>>>>> > >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>>>> >>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>>>> >>>>>>>> > >> >> ldap admin dn = cn=Directory Manager
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I have not tried with a less powerful user, but it is conceivable that a lesser user may not see all the required attributes, resulting in "no such user" errors.
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> Chris
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> From: "Matt ."
>>>> >>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>>>>> > >> >> Cc: "freeipa-users at redhat.com"
>>>> >>>>>>>> > >> >> Date: 04.08.2015 13:32
>>>> >>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> Hi Chris,
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a group from the GUI, great thanks!
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> But do you use Directory Manager as ldap admin user or some other admin account ?
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> I'm not sure if DM is needed and it should get that deep into IPA. Also when starting samba it cannot find "such user" as that sounds quite known as it has no UID.
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> From your config I see you use DM, this should work ?
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> Thanks!
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >> >> Matt
>>>> >>>>>>>> > >> >>
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> --
>>>> >>>>>>>> > >> Manage your subscription for the Freeipa-users mailing list:
>>>> >>>>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >>>>>>>> > >> Go to http://freeipa.org for more info on the project
>>>> >>>>>>>> > >>
>>>> >>>>>>>> >
>>>>

From christopher.lamb at ch.ibm.com Thu Aug 20 06:49:38 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 20 Aug 2015 08:49:38 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Matt

Once I got Samba and FreeIPA integrated (by the "good old extensions" path), I always use FreeIPA to administer users. I have never tried the samba tools like smbpasswd.

I still have a wiki how-to in the works, but I had to focus on some other issues for a while.
Chris

From: "Matt ."
To: Youenn PIOLET
Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
Date: 20.08.2015 08:12
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Guys,

Anyone still a working clue/test here ?

I didn't come further as it seems there need to be some domain join / match following the freeipa devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . :
> Hi,
>
> I might have found something which I already seen in the logs.
>
> I did a smbpasswd my username on the samba server, it connects to ldap very well. I give my new password and get the following:
>
> smbldap_search_ext: base => [dc=my,dc=domain], filter => [(&(objectClass=ipaNTGroupAttrs)(| (ipaNTSecurityIdentifier=S-1----my--sid---)))], scope => [2]
> Attribute [displayName] not found.
> Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
> Sid S-1----my--sid--- -> MYDOMAIN\Default SMB Group(2)
>
> So something is missing!
>
> Thanks so far guys!
>
> Cheers,
>
> Matt
>
> 2015-08-13 12:02 GMT+02:00 Matt . :
>> Hi Youenn,
>>
>> OK thanks! this takes me a little bit further now and I see some good stuff in my logging.
>>
>> I'm testing on a Windows 10 Machine which is not member of an AD or so, so that might be my issue for now ?
>>
>> When testing on the samba box itself as my user I get:
>>
>> [myusername at smb-01 ~]$ smbclient //smb-01.domain.local/shares
>> ...
>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>> ...
>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>
>> Maybe I have an issue with encrypted passwords ?
>>
>> When we have this all working, I think we have a howto :D
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>> Hi Matt
>>>
>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly? sambaSamAccount is not needed anymore that way.
>>> - Default IPA Way : won't work if your Windows is not part of a domain controller. DOMAIN\username may work for some users using Windows 7 - not 8 nor 10 (it did for me but I was the only one at the office... quite useless)
>>>
>>> This config may work on your CentOS (for the ipasam way):
>>> workgroup = TEST
>>> realm = TEST.NET
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = FILE:/<.....>/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> encrypt passwords = true
>>> passdb backend = ipasam:ldaps://youripa.test.net
>>> ldapsam:trusted = yes
>>> ldap suffix = test.net
>>> ldap user suffix = cn=users,cn=accounts
>>> ldap group suffix = cn=groups,cn=accounts
>>>
>>> --
>>> Youenn Piolet
>>> piolet.y at gmail.com
>>>
>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>
>>>> Hi,
>>>>
>>>> OK the default IPA way works great actually when testing it as described here:
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> On the samba server I can auth and see my share where I want to connect to.
>>>>
>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username
>>>>
>>>> So, the IPA way should work.
>>>>
>>>> Any comments here ?
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>> > Hi Guys,
>>>> >
>>>> > I'm testing this out and I think I have it almost set up, on a CentOS samba server.
>>>> >
>>>> > I'm using the ipa-adtrust way of Youenn but it seems we still need to add (objectclass=sambaSamAccount)) ?
>>>> >
>>>> > Info is welcome!
>>>> >
>>>> > I will report back when I have it working.
>>>> >
>>>> > Thanks!
>>>> >
>>>> > Matt
>>>> >
>>>> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb :
>>>> >> The next route I will try - is the one Youenn took, using ipa-adtrust
>>>> >>
>>>> >> From: "Matt ."
>>>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> >> Date: 10.08.2015 10:03
>>>> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>
>>>> >> Hi Chris,
>>>> >>
>>>> >> Okay this is good to hear.
>>>> >>
>>>> >> But don't we want an IPA managed Scheme ?
>>>> >>
>>>> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a locally installed Samba and I wonder why.
>>>> >>
>>>> >> Good that we make some progress on making it all clear.
>>>> >>
>>>> >> Cheers,
>>>> >>
>>>> >> Matt
>>>> >>
>>>> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb :
>>>> >>> ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
>>>> >>>
>>>> >>> From: "Matt ."
>>>> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> >>> Date: 09.08.2015 21:17
>>>> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>
>>>> >>> Hi,
>>>> >>>
>>>> >>> Yes I know about "anything" but which way did you use now ?
>>>> >>>
>>>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb :
>>>> >>>> Hi Matt
>>>> >>>>
>>>> >>>> I am on OEL 7.1. - so anything that works on that should be good for RHEL and Centos 7.x
>>>> >>>>
>>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
>>>> >>>>
>>>> >>>> Chris
>>>> >>>>
>>>> >>>> From: "Matt ."
>>>> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> >>>> Date: 09.08.2015 16:45
>>>> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>
>>>> >>>> Hi Chris,
>>>> >>>>
>>>> >>>> This sounds great!
>>>> >>>>
>>>> >>>> What are you using now, both CentOS ? So Samba and FreeIPA ?
>>>> >>>>
>>>> >>>> Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howto's ?
>>>> >>>>
>>>> >>>> At least we are going somewhere!
>>>> >>>>
>>>> >>>> Thanks,
>>>> >>>>
>>>> >>>> Matt
>>>> >>>>
>>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb :
>>>> >>>>> Hi Matt
>>>> >>>>>
>>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba Schema extensions" is up and working, almost flawlessly.
>>>> >>>>>
>>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
>>>> >>>>>
>>>> >>>>> So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
>>>> >>>>>
>>>> >>>>> The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
>>>> >>>>>
>>>> >>>>> There is also an existing alternative to hacking group.py, using "Class of Service" (CoS) documented in this thread from February 2015
>>>> >>>>>
>>>> >>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
>>>> >>>>>
>>>> >>>>> I have not yet tried it, but it sounds reasonable.
>>>> >>>>>
>>>> >>>>> Chris
>>>> >>>>>
>>>> >>>>> From: "Matt ."
>>>> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>> Cc: "freeipa-users at redhat.com" , Youenn PIOLET
>>>> >>>>> Date: 06.08.2015 16:19
>>>> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>
>>>> >>>>> Hi Chris,
>>>> >>>>>
>>>> >>>>> OK, then we might create two different versions of the wiki, I think this is nice.
>>>> >>>>>
>>>> >>>>> I'm still figuring out why I get that:
>>>> >>>>>
>>>> >>>>> IPA Error 4205: ObjectclassViolation
>>>> >>>>>
>>>> >>>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>> >>>>>
>>>> >>>>> Matt
>>>> >>>>>
>>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb :
>>>> >>>>>> Hi Matt
>>>> >>>>>>
>>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
>>>> >>>>>>
>>>> >>>>>> The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.
>>>> >>>>>>
>>>> >>>>>> The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
>>>> >>>>>>
>>>> >>>>>> Chris
>>>> >>>>>>
>>>> >>>>>> From: "Matt ."
>>>> >>>>>> To: Youenn PIOLET
>>>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> >>>>>> Date: 06.08.2015 14:42
>>>> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>
>>>> >>>>>> Hi,
>>>> >>>>>>
>>>> >>>>>> OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all ?
>>>> >>>>>>
>>>> >>>>>> Thanks,
>>>> >>>>>>
>>>> >>>>>> Matt
>>>> >>>>>>
>>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>> >>>>>>> Hey guys,
>>>> >>>>>>>
>>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>> >>>>>>>
>>>> >>>>>>> General idea:
>>>> >>>>>>>
>>>> >>>>>>> On FreeIPA (4.1)
>>>> >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
>>>> >>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by default on users
>>>> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>> >>>>>>> - create a CIFS service for your samba server
>>>> >>>>>>> - Create user roles/permissions as described here:
>>>> >>>>>>>
>>>> >>>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>> >>>>>>>
>>>> >>>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
>>>> >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick) : scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
>>>> >>>>>>> recompile it.
>>>> >>>>>>>
>>>> >>>>>>> On SAMBA Server side (CentOS 7...)
>>>> >>>>>>> - Install server keytab file for CIFS
>>>> >>>>>>> - check ipasam.so is here.
>>>> >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
>>>> >>>>>>> - make your smb.conf following the linked thread and restart service
>>>> >>>>>>>
>>>> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread : "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself".
>>>> >>>>>>>
>>>> >>>>>>> Make sure your user has ipaNTHash attribute :)
>>>> >>>>>>>
>>>> >>>>>>> You may want to debug authentication on samba server, I usually do this: `tail -f /var/log/samba/log* | grep
>>>> >>>>>>>
>>>> >>>>>>> Cheers
>>>> >>>>>>> --
>>>> >>>>>>> Youenn Piolet
>>>> >>>>>>> piolet.y at gmail.com
>>>> >>>>>>>
>>>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>> >>>>>>>>
>>>> >>>>>>>> Hi,
>>>> >>>>>>>>
>>>> >>>>>>>> This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
>>>> >>>>>>>>
>>>> >>>>>>>> Can you paste your commands so we can test out too and report back ?
>>>> >>>>>>>>
>>>> >>>>>>>> Thanks!
>>>> >>>>>>>>
>>>> >>>>>>>> Matt
>>>> >>>>>>>>
>>>> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
>>>> >>>>>>>> > Hi Youenn
>>>> >>>>>>>> >
>>>> >>>>>>>> > Good news that you have got an integration working
>>>> >>>>>>>> >
>>>> >>>>>>>> > Now you have got it going, and the solution is fresh in your mind, how about adding a How-to page on this solution to the FreeIPA wiki?
>>>> >>>>>>>> >
>>>> >>>>>>>> > Chris
>>>> >>>>>>>> >
>>>> >>>>>>>> > From: Youenn PIOLET
>>>> >>>>>>>> > To: "Matt ."
>>>> >>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
>>>> >>>>>>>> > Date: 05.08.2015 14:51
>>>> >>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> >
>>>> >>>>>>>> > Hi guys,
>>>> >>>>>>>> >
>>>> >>>>>>>> > Thank you so much for your previous answers.
>>>> >>>>>>>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>>>> >>>>>>>> >
>>>> >>>>>>>> > I found another way to configure smb here:
>>>> >>>>>>>> >
>>>> >>>>>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>> >>>>>>>> >
>>>> >>>>>>>> > It works perfectly.
>>>> >>>>>>>> >
>>>> >>>>>>>> > I'm using module ipasam.so I have manually scp to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
>>>> >>>>>>>> > Following the instructions, I created a user role allowing service principal to read ipaNTHash value from the LDAP.
>>>> >>>>>>>> > ipaNTHash are generated each time a user changes his password.
>>>> >>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>>> >>>>>>>> >
>>>> >>>>>>>> > For more details, the previously linked thread is quite clear.
>>>> >>>>>>>> >
>>>> >>>>>>>> > Cheers
>>>> >>>>>>>> >
>>>> >>>>>>>> > --
>>>> >>>>>>>> > Youenn Piolet
>>>> >>>>>>>> > piolet.y at gmail.com
>>>> >>>>>>>> >
>>>> >>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . :
>>>> >>>>>>>> > Hi Chris.
>>>> >>>>>>>> >
>>>> >>>>>>>> > Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>>>> >>>>>>>> >
>>>> >>>>>>>> > I'm still getting:
>>>> >>>>>>>> >
>>>> >>>>>>>> > IPA Error 4205: ObjectclassViolation
>>>> >>>>>>>> >
>>>> >>>>>>>> > missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>> >>>>>>>> >
>>>> >>>>>>>> > When adding a user.
>>>> >>>>>>>> >
>>>> >>>>>>>> > I also see "class" as fieldname under my "Last name", this is not OK also.
>>>> >>>>>>>> >
>>>> >>>>>>>> > We sure need to make some howto, I think we can nail this down :)
>>>> >>>>>>>> >
>>>> >>>>>>>> > Thanks for the heads up!
>>>> >>>>>>>> >
>>>> >>>>>>>> > Matthijs
>>>> >>>>>>>> >
>>>> >>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
>>>> >>>>>>>> > > Hi Matt
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > #!RESULT OK
>>>> >>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>> >>>>>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>> >>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>> >>>>>>>> > > changetype: modify
>>>> >>>>>>>> > > add: ipaCustomFields
>>>> >>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Chris
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>>>>> > > To: "Matt ."
>>>> >>>>>>>> > > Cc: "freeipa-users at redhat.com"
>>>> >>>>>>>> > > Date: 05.08.2015 07:31
>>>> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> > > Sent by: freeipa-users-bounces at redhat.com
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Hi Matt
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > I also got the same result at that step, but can see nothing in Apache Directory Studio.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> >>>>>>>> > > changetype: modify
>>>> >>>>>>>> > > add: ipaCustomFields
>>>> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> >>>>>>>> > > EOF
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > i.e. changetype: modify, instead of changetype add ?
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around more destructively.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Chris
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > From: "Matt ."
>>>> >>>>>>>> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
>>>> >>>>>>>> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
>>>> >>>>>>>> > > Date: 05.08.2015 01:01
>>>> >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Hi Chris,
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > I'm at the right path, but my issue is that:
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>> >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>> >>>>>>>> > > changetype: add
>>>> >>>>>>>> > > add: ipaCustomFields
>>>> >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> >>>>>>>> > > EOF
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > So that is my issue I think so far.
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Any clue about that ?
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > No problem "you don't know something or are no guru" we are all learning! :)
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Cheers,
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > Matt
>>>> >>>>>>>> > >
>>>> >>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb < christopher.lamb at ch.ibm.com>:
>>>> >>>>>>>> > >> Hi Matt, Youenn
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> Just to set the background properly, I did not invent this process.
>>>> >>>>>>>> > >> I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> * objectClass: sambasamaccount
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> * objectClass: sambaGroupMapping
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> * Attributes: sambaGroupType, sambaSID
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> The Users must belong to one or more of the samba groups that you have setup.
>>>> >>>>>>>> > >>
>>>> >>>>>>>> > >> If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions.
>>>> >>>> It >>>> >>>>>>>> > would >>>> >>>>>>>> > be >>>> >>>>>>>> > >> worth testing comparing a new user / group created post >>>> >> adding >>>> >>>>>> the >>>> >>>>>>>> > >> extensions to a previous existing user. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> i.e. >>>> >>>>>>>> > >> are the extensions missing on existing users / groups? >>>> >>>>>>>> > >> are the extensions missing on new users / groups? >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Cheers >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Chris >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> From: Youenn PIOLET >>>> >>>>>>>> > >> To: "Matt ." >>>> >>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM at IBMCH, >>>> >>>>>>>> > >> "freeipa-users at redhat.com" >>>> >>>>> >>>> >>>>>>>> > >> Date: 04.08.2015 18:56 >>>> >>>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server >>>> >>>>>>>> > Auth >>>> >>>>>>>> > against >>>> >>>>>>>> > IPA >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Hi there, >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> I have difficulties to follow you at this point :) >>>> >>>>>>>> > >> Here is what I've done and what I've understood: >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> ## SMB Side >>>> >>>>>>>> > >> - Testparm OK >>>> >>>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to >>>> >>>>> connect. >>>> >>>>>>>> > >> - pdbedit -Lv output is all successfull but I can see >>>> >>>>>>>> > there >>>> >> is >>>> >>>> a >>>> >>>>>>>> > filter : >>>> >>>>>>>> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users >>>> >>>> don't >>>> >>>>>>>> > have >>>> >>>>>>>> > >> sambaSamAccount. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> ## LDAP / FreeIPA side >>>> >>>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on >>>> >>>>>>>> > my >>>> >>>>>>>> > FreeIPA >>>> >>>>>>>> > >> server to get samba LDAP extensions. 
>>>> >>>>>>>> > >> - I can see samba classes exist in LDAP but are not used >>>> >>>>>>>> > on >>>> >> my >>>> >>>>>>>> > group >>>> >>>>>>>> > >> objects nor my user objects >>>> >>>>>>>> > >> - I have add sambaSamAccount in FreeIPA default user >>>> >>>>>>>> > classes, >>>> >>>>>>>> > >> and sambaGroupMapping to default group classes. In that >>>> >>>>>>>> > state >>>> >>> I >>>> >>>>>>>> > can't >>>> >>>>>>>> > >> create user nor groups anymore, as new samba attributes >>>> >>>>>>>> > are >>>> >>>>>> needed >>>> >>>>>>>> > for >>>> >>>>>>>> > >> instantiation. >>>> >>>>>>>> > >> - I have add in etc ipaCustomFields: 'Samba Group >>>> >>>>>>>> > > Type,sambagrouptype,true' >>>> >>>>>>>> > >> but I don't get what it does. >>>> >>>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds >>>> >>>>>>>> > the >>>> >>>>>>>> > "local" >>>> >>>>>>>> > > option >>>> >>>>>>>> > >> when creating a group in FreeIPA, supposed to set >>>> >>>> sambagrouptype >>>> >>>>>> to >>>> >>>>>>>> > 4 >>>> >>>>>>>> > or >>>> >>>>>>>> > > 2 >>>> >>>>>>>> > >> (domain). It doesn't work and tells that sambagrouptype >>>> >>>>> attribute >>>> >>>>>>>> > doesn't >>>> >>>>>>>> > >> exist (but it should now I put sambaGroupType class by >>>> >>>>>> default...) >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> ## Questions >>>> >>>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use >>>> >>> unix / >>>> >>>>>>>> > posix >>>> >>>>>>>> > >> instead? I guess no. >>>> >>>>>>>> > >> 1) How to generate the user/group SIDs ? They are >>>> >>>>>>>> > requested >>>> >> to >>>> >>>>>> add >>>> >>>>>>>> > >> sambaSamAccount classes. 
>>>> >>>>>>>> > >> This article doesn't seem relevant since we don't use >>>> >>>>>>>> > domain >>>> >>>>>>>> > controller >>>> >>>>>>>> > >> >>>> >>>>>>>> > > >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>> >>>> >>>>> >>>> >>>> >>>> >>> >>>> >> >>>> >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html >>>> >>>>>>>> > >>>> >>>>>>>> > >> and netgetlocalsid returns an error. >>>> >>>>>>>> > >> 2) How to fix samba.js plugin? >>>> >>>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user >>>> >>>>> creation, >>>> >>>>>>>> > where >>>> >>>>>>>> > > can >>>> >>>>>>>> > >> I find it? >>>> >>>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and >>>> >>>>>>>> > not >>>> >>>>> only >>>> >>>>>>>> > Windows >>>> >>>>>>>> > >> 7? >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Thanks a lot for your previous and future answers >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> -- >>>> >>>>>>>> > >> Youenn Piolet >>>> >>>>>>>> > >> piolet.y at gmail.com >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . >>>> >>>>>>>> > : >>>> >>>>>>>> > >> Hi, >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Yes, log is anonymised. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, >>>> >>>>>>>> > also >>>> >>>>> when >>>> >>>>>> I >>>> >>>>>>>> > >> change it's password it doesn't get it in ldap. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> There must be something going wrong I guess. >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> Matt >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb >>>> >>>>>>>> > > >>> >>>>>>>> > >> >: >>>> >>>>>>>> > >> > Hi Matt >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > I assume [username] is a real username, identical to >>>> >>>>>>>> > that >>>> >>>> in >>>> >>>>>>>> > the >>>> >>>>>>>> > >> FreeIPA >>>> >>>>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the >>>> >>>>>>>> > log >>>> >>>>>>>> > extract). 
>>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > You user should be a member of the appropriate samba >>>> >>> groups >>>> >>>>>>>> > that >>>> >>>>>>>> > you >>>> >>>>>>>> > >> setup >>>> >>>>>>>> > >> > in FreeIPA. >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > You should check that the user attribute >>>> >>>>>>>> > SambaPwdLastSet >>>> >>> is >>>> >>>>>> set >>>> >>>>>>>> > to >>>> >>>>>>>> > a >>>> >>>>>>>> > >> > positive value (e.g. 1). If not you get an error in >>>> >>>>>>>> > the >>>> >>>>> Samba >>>> >>>>>>>> > logs >>>> >>>>>>>> > - >>>> >>>>>>>> > > I >>>> >>>>>>>> > >> > would need to play around again with a test user to >>>> >>>>>>>> > find >>>> >>>> out >>>> >>>>>>>> > the >>>> >>>>>>>> > > exact >>>> >>>>>>>> > >> > error. >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > I don't understand what you mean about syncing the >>>> >>>>>>>> > users >>>> >>>>>> local, >>>> >>>>>>>> > but >>>> >>>>>>>> > > we >>>> >>>>>>>> > >> did >>>> >>>>>>>> > >> > not need to do anything like that. >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > Chris >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > From: "Matt ." >>>> >>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM at IBMCH >>>> >>>>>>>> > >> > Cc: "freeipa-users at redhat.com" >>>> >>>>> >>>> >>>>>>>> > >> > Date: 04.08.2015 15:33 >>>> >>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba >>>> >>>>>>>> > Server >>>> >>>> Auth >>>> >>>>>>>> > against >>>> >>>>>>>> > >> IPA >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > Hi Chris, >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > A puppet run added another passdb backend, that was >>>> >>> causing >>>> >>>>>> my >>>> >>>>>>>> > issue. 
>>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > What I still experience is: >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] >>>> >>>>>>>> > >> > ../source3/auth/check_samsec.c:399 (check_sam_security) >>>> >>>>>>>> > >> > check_sam_security: Couldn't find user 'username' in >>>> >>>>>> passdb. >>>> >>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] >>>> >>>>>>>> > >> > ../source3/auth/auth.c:288 (auth_check_ntlm_password) >>>> >>>>>>>> > >> > check_ntlm_password: Authentication for user >>>> >> [username] >>>> >>>>> -> >>>> >>>>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > I also wonder if I shall still sync the users local, >>>> >>>>>>>> > or >>>> >> is >>>> >>>>> it >>>> >>>>>>>> > > needed ? >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > Thanks again, >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > Matt >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >>>> >>>>>>>> > >> christopher.lamb at ch.ibm.com>: >>>> >>>>>>>> > >> >> Hi Matt >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> From our smb.conf file: >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> [global] >>>> >>>>>>>> > >> >> security = user >>>> >>>>>>>> > >> >> passdb backend = >>>> >>>>>>>> > ldapsam:ldap://xxx-ldap2.my.silly.example.com >>>> >>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >>>> >>>>>>>> > >> >> ldap admin dn = cn=Directory Manager >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I >>>> >> have >>>> >>>>>> not >>>> >>>>>>>> > tried >>>> >>>>>>>> > >> with >>>> >>>>>>>> > >> > a >>>> >>>>>>>> > >> >> less powerful user, but it is conceivable that a >>>> >>>>>>>> > lesser >>>> >>>>> user >>>> >>>>>>>> > may >>>> >>>>>>>> > not >>>> >>>>>>>> > >> see >>>> >>>>>>>> > >> >> all the required attributes, resulting in "no such >>>> >>>>>>>> > user" >>>> >>>>>>>> > errors. 
>>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> Chris >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> From: "Matt ." >>>> >>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>> >>>>>>>> > >> >> Cc: "freeipa-users at redhat.com" >>>> >>>>>> >>>> >>>>>>>> > >> >> Date: 04.08.2015 13:32 >>>> >>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba >>>> >>>>>>>> > Server >>>> >>>>> Auth >>>> >>>>>>>> > against >>>> >>>>>>>> > >> IPA >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> Hi Chris, >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now >>>> >> when >>>> >>>> I >>>> >>>>>>>> > add a >>>> >>>>>>>> > >> >> group from the GUI, great thanks! >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> But do you use Directory Manager as ldap admin user >>>> >>>>>>>> > or >>>> >>>> some >>>> >>>>>>>> > other >>>> >>>>>>>> > >> >> admin account ? >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> I'm not sure id DM is needed and it should get that >>>> >>>>>>>> > deep >>>> >>>>>> into >>>> >>>>>>>> > IPA. >>>> >>>>>>>> > >> >> Also when starting samba it cannot find "such user" >>>> >>>>>>>> > as >>>> >>>> that >>>> >>>>>>>> > sounds >>>> >>>>>>>> > >> >> quite known as it has no UID. >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> From your config I see you use DM, this should work ? >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> Thanks! 
>>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> Matt >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> >> >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> > >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> -- >>>> >>>>>>>> > >> Manage your subscription for the Freeipa-users mailing >>>> >> list: >>>> >>>>>>>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>>>>>> > >> Go to http://freeipa.org for more info on the project >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > >> >>>> >>>>>>>> > > >>>> >>>>>>>> > > >>>> >>>>>>>> > > >>>> >>>>>>>> > > >>>> >>>>>>>> > > -- >>>> >>>>>>>> > > Manage your subscription for the Freeipa-users mailing >>>> >>>>>>>> > list: >>>> >>>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>>>>>> > > Go to http://freeipa.org for more info on the project >>>> >>>>>>>> > > >>>> >>>>>>>> > > >>>> >>>>>>>> > > >>>> >>>>>>>> > > >>>> >>>>>>>> > >>>> >>>>>>>> > -- >>>> >>>>>>>> > Manage your subscription for the Freeipa-users mailing list: >>>> >>>>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>>>>>> > Go to http://freeipa.org for more info on the project >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>>> > >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>>> >>> >>>> >>> >>>> >>> >>>> >> >>>> >> >>>> >> >>>> >> >>> >>> From roberto.cornacchia at gmail.com Thu Aug 20 09:08:44 2015 From: roberto.cornacchia at gmail.com (Roberto Cornacchia) Date: Thu, 20 Aug 2015 11:08:44 +0200 Subject: [Freeipa-users] Kerberized NFS with Synology NAS In-Reply-To: <20150813143457.GG22106@redhat.com> References: <20150813143457.GG22106@redhat.com> Message-ID: I had Synology support inspect my configuration. They said that the authorization for the mapping looks for attribute "GSSAuthName" in LDAP, but doesn't find it. 
Therefore, they fall back to mapping it to nobody.

Does this make sense to you? Is it true that the GSSAuthName attribute isn't there?

On 13 August 2015 at 16:34, Alexander Bokovoy wrote:
> On Thu, 13 Aug 2015, Roberto Cornacchia wrote:
>
>> After some more investigation, I feel the problem I described can be
>> considered off topic, sorry about that. Initially I had the impression it
>> could have been more freeIPA-related.
>> It is sometimes difficult to tell whether the issue would show up
>> regardless of using freeIPA or not.
>>
>> Should anyone be curious, these are my findings about using a Synology disk
>> station for NFSv4+krb5 exports in my freeIPA domain:
>>
>> - Still no idea why I see all those "Unspecified GSS failure" from gssproxy
>> on the client side. Google tells me that many before me have wondered about
>> it. Has anyone a clue?
>>
>> - The NFS4+krb5 mounting works, but what I ran into is the "nobody" issue.
>> NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence
>> the "nobody" issue.
>>
>> - One first problem is that I had not set the domain. My bad. Fixed and got
>> one step further.
>> in idmapd.conf: Domain = hq.spinque.com
>>
>> - The second problem is that idmapd.conf in my synology says:
>> Method=nsswitch
>> GSS-Methods=static,synomap
>>
>> No idea what "synomap" would be, but I guess GSS-Methods should be more
>> like "static,nsswitch,synomap".
>> Indeed, everything works fine if I make static mappings for each LDAP
>> user to a local user in Synology. But that's not how I want it.
>>
>> - Problem with all this is: no matter how I change these files, the next
>> time I would save something from the Synology UI, these files would be
>> overwritten.
>>
>> Frustrating :(
>>
> I would only suggest you to raise the problem with Synology support and
> convince them adding SSSD build and use it. SSSD has nfsidmap module
> 'sss' that does the right job on mapping based on what SSSD knows about
> Kerberos principals and user mapping for the domain.
>
>> On 12 August 2015 at 13:33, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>
>>> Enabled verbose output for rpc.idmapd as well, and now I see:
>>>
>>> nfsidmap[5034]: nss_getpwnam: name 'test1_l at localdomain' does not map into domain 'hq.spinque.com'
>>>
>>> On 12 August 2015 at 12:28, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>>
>>>> I have used
>>>>
>>>> RPCGSSDARGS="-vvv"
>>>> RPCSVCGSSDARGS="-vvv"
>>>>
>>>> in /etc/sysconfig/nfs, as suggested in
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>>>>
>>>> In the excerpt below, taken during the mount, meson is the client,
>>>> spinque03 is the nfs server (synology).
>>>>
>>>> It still doesn't tell me much, perhaps I'm missing something?
>>>>
>>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
>>>> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
>>>> rpc.gssd[3328]: process_krb5_upcall: service is ''
>>>> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
>>>> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
>>>> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
>>>> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com at HQ.SPINQUE.COM'
>>>> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com at HQ.SPINQUE.COM'
>>>> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com at HQ.SPINQUE.COM'
>>>> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com at HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
>>>> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
>>>> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
>>>> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
>>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
>>>> rpc.gssd[3328]: DEBUG: port already set to 2049
>>>> rpc.gssd[3328]: creating context with server nfs at spinque03.hq.spinque.com
>>>> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
>>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
>>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>>>> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs at spinque03.hq.spinque.com
>>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
>>>> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
>>>> rpc.gssd[3337]: process_krb5_upcall: service is ''
>>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
>>>> rpc.gssd[3337]: DEBUG: port already set to 2049
>>>> rpc.gssd[3337]: creating context with server nfs at spinque03.hq.spinque.com
>>>> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
>>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
>>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>>>> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs at spinque03.hq.spinque.com
>>>>
>>>> On 12 August 2015 at 02:46, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to use a Synology NAS station in my FreeIPA domain to host
>>>>> automounted home directories (not created automatically for now).
>>>>>
>>>>> I got almost everything working, but I seem to have a problem with
>>>>> kerberized nfs.
>>>>>
>>>>> The NAS logs in the LDAP domain and seems happy with the kerberos
>>>>> principal that I uploaded.
>>>>>
>>>>> * If I use plain nfs4 without krb5
>>>>>
>>>>> - /etc/exports -
>>>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>>>>>
>>>>> then I can mount it and use it (it even works with automount). But only
>>>>> using all_squash. Not useful:
>>>>>
>>>>> * If I use krb5
>>>>>
>>>>> - /etc/exports -
>>>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>>>>>
>>>>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get
>>>>> "nobody" as file owner.
>>>>>
>>>>> This is done from a FC22 client, perfectly enrolled in freeIPA.
>>>>>
>>>>> The client's log contains several of such errors:
>>>>>
>>>>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>
>>>>> Any tip to help me understand what the problem is?
>>>>> Roberto
>
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Thu Aug 20 09:32:34 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 20 Aug 2015 12:32:34 +0300
Subject: [Freeipa-users] Kerberized NFS with Synology NAS
In-Reply-To:
References: <20150813143457.GG22106@redhat.com>
Message-ID: <20150820093234.GP22106@redhat.com>

On Thu, 20 Aug 2015, Roberto Cornacchia wrote:
> I had Synology support inspect my configuration.
>
> They said that the authorization for the mapping looks for attribute
> "GSSAuthName" in LDAP, but doesn't find it. Therefore, they fall back to
> mapping it to nobody.
>
> Does this make sense to you? Is it true that GSSAuthName attribute isn't
> there?

FreeIPA does not use the UMich LDAP schema developed for NFS. Instead, as we store Kerberos principals in LDAP, for each Kerberos principal there is always a krbPrincipalName attribute available.

But on SSSD clients we instead recommend using SSSD-based identity mapping in /etc/idmap.conf (using the sss module), as it relies on SSSD caching capabilities and in general is more performance efficient. For direct use of the UMich LDAP module in NFSv4 idmap you would have the idmapd module query the LDAP server on each GSSAPI connection, and since there is no state in the umich_ldap.so module, it will re-connect to LDAP every time, which is highly inefficient.

That's why I recommended suggesting to Synology that they integrate SSSD in their OS and get the real benefits of improved Kerberos/AD/LDAP/FreeIPA support.
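What rpc.idmapd does with the names on both sides of that exchange, written out as an added example (this is not code from the thread, from libnfsidmap or from SSSD). The passwd table, the [Static] map and the names are constructed test data; the nsswitch and sss methods are both modelled by a dictionary lookup, which is an assumption about their observable behaviour rather than a copy of either implementation:

```python
"""How NFSv4 idmapd turns names into UIDs, and where "nobody" comes from.

Added example for this thread; it is not code from the thread, from
rpc.idmapd/libnfsidmap or from SSSD.  PASSWD and the names below are
constructed test data.  The 'nsswitch' and 'sss' methods are modelled by
the same dictionary lookup (an assumption about their observable
behaviour, not a copy of either implementation).
"""

NOBODY_UID = 65534  # idmapd's fallback when a name cannot be mapped

# Constructed stand-in for getpwnam() as SSSD would answer it for the
# FreeIPA domain.  No live NSS or LDAP lookups are made.
PASSWD = {
    "roberto": 1005,
    "test1_l": 1006,
}


def parse_owner(owner):
    """Split an NFSv4 owner/owner_group string 'user@domain'.

    Raises ValueError for anything that is not exactly 'user@domain'.
    """
    user, sep, domain = owner.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("malformed NFSv4 owner string: %r" % owner)
    return user, domain


def owner_to_uid(owner, idmap_domain, passwd=PASSWD):
    """[Translation] Method = nsswitch (or sss): 'user@domain' -> uid.

    The domain part must equal the Domain configured in idmapd.conf
    (compared case-insensitively).  A mismatch is the condition behind the
    'nss_getpwnam: name ... does not map into domain ...' line in the
    thread's verbose log, and the file is then shown as owned by nobody.
    """
    user, domain = parse_owner(owner)
    if domain.lower() != idmap_domain.lower():
        return NOBODY_UID
    return passwd.get(user, NOBODY_UID)


def principal_to_uid(principal, local_realm, gss_methods,
                     static=None, passwd=PASSWD):
    """GSS-Methods: map the Kerberos principal that authenticated an
    RPCSEC_GSS context to a uid, trying each listed method in order.

    static   - the [Static] section, principal -> local user name; this is
               the per-user workaround Roberto found tedious
    nsswitch - accept the principal only if its realm is the local one,
               then look the bare user name up (with SSSD the 'sss' module
               answers from its cache; modelled identically here)
    Any other method name (Synology's 'synomap', for instance) is unknown
    to this model and is skipped.
    """
    static = static or {}
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        return NOBODY_UID
    for method in gss_methods:
        if method == "static" and principal in static:
            return passwd.get(static[principal], NOBODY_UID)
        if method in ("nsswitch", "sss"):
            if realm.upper() == local_realm.upper() and user in passwd:
                return passwd[user]
    return NOBODY_UID


if __name__ == "__main__":
    # The two failures from the thread, then the working configuration.
    print(owner_to_uid("test1_l@localdomain", "hq.spinque.com"))        # 65534
    print(principal_to_uid("roberto@HQ.SPINQUE.COM", "HQ.SPINQUE.COM",
                           ("static", "synomap")))                        # 65534
    print(principal_to_uid("roberto@HQ.SPINQUE.COM", "HQ.SPINQUE.COM",
                           ("static", "sss", "synomap")))                 # 1005
```

On a Linux client with SSSD the corresponding /etc/idmapd.conf is `Domain = hq.spinque.com` under [General] and `Method = sss` under [Translation]; after changing it, `nfsidmap -c` drops the kernel's cached name-to-ID results so the next lookup goes through the new method. The Synology side cannot do the sss step without SSSD, which is the gap Alexander points at: a GSS-Methods list of static,synomap falls through to nobody for every principal that has no static entry.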
> > > >On 13 August 2015 at 16:34, Alexander Bokovoy wrote: > >> On Thu, 13 Aug 2015, Roberto Cornacchia wrote: >> >>> After some more investigation, I feel the problem I described can be >>> considered off topic, sorry about that. Initially I had the impression it >>> could have been more freeIPA-related. >>> It is sometimes difficult to tell whether the issue would show up >>> regardless of using freeIPA or not. >>> >>> Should anyone be curious, these are my findings about using a Synology >>> disk >>> station for NFSv4+krb5 exports in my freeIPA domain: >>> >>> - Still no idea why I see all those "Unspecified GSS failure" from >>> gssproxy >>> on the client side. Google tells me that many before me have wondered >>> about >>> it. Has anyone a clue? >>> >>> - The NFS4+krb5 mounting works, but what I ran into is the "nobody" issue. >>> NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence >>> the "nobody" issue >>> >>> - One first problem is that I had not set the domain. My bad. Fixed and >>> got >>> one step further. >>> in idmapd.conf: Domain = hq.spinque.com >>> >>> - The second problem is that idmapd.conf in my synology says: >>> Method=nsswitch >>> GSS-Methods=static,synomap >>> >>> No idea what "synomap" would be, but I guess GSS-Methods should be more >>> like "static,nsswitch,synomap" >>> Indeed, everything works fine if I make static mappings for each LDAP >>> user to a local user in Synology. But that's not how I want it. >>> >>> - Problem with all this is: no matter how I change these files, the next >>> time I would save something from the Synology UI, these files would be >>> overwritten >>> >>> Frustrating :( >>> >> I would only suggest you to raise the problem with Synology support and >> convince them adding SSSD build and use it. SSSD has nfsidmap module >> 'sss' that does the right job on mapping based on what SSSD knows about >> Kerberos principals and user mapping for the domain. 
>> >> >> >> >> >>> >>> >>> On 12 August 2015 at 13:33, Roberto Cornacchia < >>> roberto.cornacchia at gmail.com >>> >>>> wrote: >>>> >>> >>> Enabled verbose output for rpc.idmapd as well, and now I see: >>>> >>>> nfsidmap[5034]: nss_getpwnam: name 'test1_l at localdomain' does not map >>>> into domain 'hq.spinque.com' >>>> >>>> >>>> On 12 August 2015 at 12:28, Roberto Cornacchia < >>>> roberto.cornacchia at gmail.com> wrote: >>>> >>>> I have used >>>>> >>>>> RPCGSSDARGS="-vvv" >>>>> RPCSVCGSSDARGS="-vvv" >>>>> >>>>> in /etc/sysconfig/nfs , as suggested in >>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html >>>>> >>>>> In the excerpt below, taken during the mount, meson is the client, >>>>> spinque03 is the nfs server (synology). >>>>> >>>>> It still doesn't tell me much, perhaps I'm missing something? >>>>> >>>>> >>>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19) >>>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 >>>>> enctypes=18,17,16,23,3,1,2 ' >>>>> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19) >>>>> rpc.gssd[3328]: process_krb5_upcall: service is '' >>>>> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is ' >>>>> spinque03.hq.spinque.com' >>>>> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is ' >>>>> meson.hq.spinque.com' >>>>> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM >>>>> while >>>>> getting keytab entry for 'MESON$@HQ.SPINQUE.COM' >>>>> rpc.gssd[3328]: No key table entry found for root/ >>>>> meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for >>>>> 'root/ >>>>> meson.hq.spinque.com at HQ.SPINQUE.COM' >>>>> rpc.gssd[3328]: No key table entry found for nfs/ >>>>> meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for >>>>> 'nfs/ >>>>> >>>>> meson.hq.spinque.com at HQ.SPINQUE.COM' >>>>> rpc.gssd[3328]: Success getting keytab entry for 'host/ >>>>> meson.hq.spinque.com at HQ.SPINQUE.COM' >>>>> 
rpc.gssd[3328]: Successfully obtained machine credentials for principal >>>>> 'host/meson.hq.spinque.com at HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/ >>>>> krb5ccmachine_HQ.SPINQUE.COM' >>>>> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/ >>>>> krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246 >>>>> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as >>>>> credentials cache for machine creds >>>>> rpc.gssd[3328]: using environment variable to select krb5 ccache >>>>> FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM >>>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. >>>>> Minor code may provide more information, No credentials cache found >>>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) >>>>> Unspecified >>>>> GSS failure. Minor code may provide more information, No credentials >>>>> cache >>>>> found >>>>> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com >>>>> rpc.gssd[3328]: DEBUG: port already set to 2049 >>>>> rpc.gssd[3328]: creating context with server >>>>> nfs at spinque03.hq.spinque.com >>>>> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version! >>>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1 >>>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with >>>>> enctype >>>>> 18 and size 32 >>>>> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor= >>>>> nfs at spinque03.hq.spinque.com >>>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19) >>>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 >>>>> enctypes=18,17,16,23,3,1,2 ' >>>>> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19) >>>>> rpc.gssd[3337]: process_krb5_upcall: service is '' >>>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. >>>>> Minor code may provide more information, No credentials cache found >>>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) >>>>> Unspecified >>>>> GSS failure. 
Minor code may provide more information, No credentials >>>>> cache >>>>> found >>>>> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com >>>>> rpc.gssd[3337]: DEBUG: port already set to 2049 >>>>> rpc.gssd[3337]: creating context with server >>>>> nfs at spinque03.hq.spinque.com >>>>> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version! >>>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1 >>>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with >>>>> enctype >>>>> 18 and size 32 >>>>> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor= >>>>> nfs at spinque03.hq.spinque.com >>>>> >>>>> >>>>> On 12 August 2015 at 02:46, Roberto Cornacchia < >>>>> roberto.cornacchia at gmail.com> wrote: >>>>> >>>>> Hi, >>>>>> >>>>>> I am trying to use a Synology NAS station in my FreeIPA domain to host >>>>>> automounted home directories (not created automatically for now). >>>>>> >>>>>> I got almost everything working, but I seem to have a problem with >>>>>> kerberized nfs. >>>>>> >>>>>> The NAS logs in the LDAP domain and seems happy with the kerberos >>>>>> principal that I uploaded. >>>>>> >>>>>> >>>>>> >>>>>> * If I use plain nfs4 without krb5 >>>>>> >>>>>> - /etc/exports - >>>>>> /volume1/shared_homes >>>>>> >>>>>> 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100) >>>>>> >>>>>> then I can mount it and use it (it even works with automount). But only >>>>>> using all_squash. Not useful: >>>>>> >>>>>> >>>>>> * If I use krb5 >>>>>> >>>>>> - /etc/exports - >>>>>> /volume1/shared_homes >>>>>> >>>>>> 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100) >>>>>> >>>>>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get >>>>>> "nobody" as file owner. >>>>>> >>>>>> This is done from a FC22 client, perfectly enrolled in freeIPA. 
>>>>>>
>>>>>> The client's log contains several of such errors:
>>>>>>
>>>>>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>>
>>>>>> Any tip to help me understand what the problem is?
>>>>>> Roberto
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> --
>> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From roberto.cornacchia at gmail.com Thu Aug 20 09:45:22 2015
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Thu, 20 Aug 2015 11:45:22 +0200
Subject: [Freeipa-users] Kerberized NFS with Synology NAS
In-Reply-To: <20150820093234.GP22106@redhat.com>
References: <20150813143457.GG22106@redhat.com> <20150820093234.GP22106@redhat.com>
Message-ID:

Thanks Alexander,

That's the confirmation I was looking for. Indeed the Synology guy admitted it was their limitation. I have already made a feature request for SSSD.
I guess for now I will just get it running with sec=sys.

Best regards,
Roberto

On 20 August 2015 at 11:32, Alexander Bokovoy wrote:
> On Thu, 20 Aug 2015, Roberto Cornacchia wrote:
>
>> I had Synology support inspect my configuration.
>>
>> They said that the authorization for the mapping looks for attribute "GSSAuthName" in LDAP, but doesn't find it. Therefore, they fall back to mapping it to nobody.
>>
>> Does this make sense to you? Is it true that GSSAuthName attribute isn't there?
>>
> FreeIPA does not use UMich LDAP schema developed for NFS. Instead, as we store Kerberos principals in LDAP, for each Kerberos principal there is always krbPrincipalName attribute available.
>
> But on SSSD clients we instead recommend using SSSD-based identity mapping in /etc/idmap.conf (using sss module) as it is relying on SSSD caching capabilities and in general is more performance efficient. For direct use of UMich LDAP module in NFSv4 idmap you would have the idmapd module query the LDAP server on each GSSAPI connection, and since there is no state in the umich_ldap.so module, it will re-connect to LDAP every time, which is highly inefficient.
>
> That's why I recommended to suggest Synology to integrate SSSD in their OS and have real benefits in improved Kerberos/AD/LDAP/FreeIPA support.
>
>> On 13 August 2015 at 16:34, Alexander Bokovoy wrote:
>>
>>> On Thu, 13 Aug 2015, Roberto Cornacchia wrote:
>>>
>>>> After some more investigation, I feel the problem I described can be considered off topic, sorry about that. Initially I had the impression it could have been more freeIPA-related.
>>>> It is sometimes difficult to tell whether the issue would show up regardless of using freeIPA or not.
>>>>
>>>> Should anyone be curious, these are my findings about using a Synology disk station for NFSv4+krb5 exports in my freeIPA domain:
>>>>
>>>> - Still no idea why I see all those "Unspecified GSS failure" from gssproxy on the client side. Google tells me that many before me have wondered about it. Has anyone a clue?
>>>>
>>>> - The NFS4+krb5 mounting works, but what I ran into is the "nobody" issue. NFSv4 relies on idmapd to map users correctly, but this goes wrong, hence the "nobody" issue.
>>>>
>>>> - One first problem is that I had not set the domain. My bad. Fixed and got one step further.
>>>>   in idmapd.conf: Domain = hq.spinque.com
>>>>
>>>> - The second problem is that idmapd.conf in my synology says:
>>>>   Method=nsswitch
>>>>   GSS-Methods=static,synomap
>>>>
>>>> No idea what "synomap" would be, but I guess GSS-Methods should be more like "static,nsswitch,synomap".
>>>> Indeed, everything works fine if I make static mappings for each LDAP user to a local user in Synology. But that's not how I want it.
>>>>
>>>> - Problem with all this is: no matter how I change these files, the next time I would save something from the Synology UI, these files would be overwritten.
>>>>
>>>> Frustrating :(
>>>>
>>> I would only suggest you to raise the problem with Synology support and convince them to add an SSSD build and use it. SSSD has nfsidmap module 'sss' that does the right job on mapping based on what SSSD knows about Kerberos principals and user mapping for the domain.
>>>
>>>> On 12 August 2015 at 13:33, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>>>
>>>>> Enabled verbose output for rpc.idmapd as well, and now I see:
>>>>>
>>>>> nfsidmap[5034]: nss_getpwnam: name 'test1_l at localdomain' does not map into domain 'hq.spinque.com'
>>>>>
>>>>> On 12 August 2015 at 12:28, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>>>>
>>>>>> I have used
>>>>>>
>>>>>> RPCGSSDARGS="-vvv"
>>>>>> RPCSVCGSSDARGS="-vvv"
>>>>>>
>>>>>> in /etc/sysconfig/nfs, as suggested in
>>>>>>
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>>>>>>
>>>>>> In the excerpt below, taken during the mount, meson is the client, spinque03 is the nfs server (synology).
>>>>>>
>>>>>> It still doesn't tell me much, perhaps I'm missing something?
>>>>>>
>>>>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>>>>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
>>>>>> rpc.gssd[3328]: handling krb5 upcall (nfs/clnt19)
>>>>>> rpc.gssd[3328]: process_krb5_upcall: service is ''
>>>>>> rpc.gssd[3328]: Full hostname for 'spinque03.hq.spinque.com' is 'spinque03.hq.spinque.com'
>>>>>> rpc.gssd[3328]: Full hostname for 'meson.hq.spinque.com' is 'meson.hq.spinque.com'
>>>>>> rpc.gssd[3328]: No key table entry found for MESON$@HQ.SPINQUE.COM while getting keytab entry for 'MESON$@HQ.SPINQUE.COM'
>>>>>> rpc.gssd[3328]: No key table entry found for root/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'root/meson.hq.spinque.com at HQ.SPINQUE.COM'
>>>>>> rpc.gssd[3328]: No key table entry found for nfs/meson.hq.spinque.com at HQ.SPINQUE.COM while getting keytab entry for 'nfs/meson.hq.spinque.com at HQ.SPINQUE.COM'
>>>>>> rpc.gssd[3328]: Success getting keytab entry for 'host/meson.hq.spinque.com at HQ.SPINQUE.COM'
>>>>>> rpc.gssd[3328]: Successfully obtained machine credentials for principal 'host/meson.hq.spinque.com at HQ.SPINQUE.COM' stored in ccache 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM'
>>>>>> rpc.gssd[3328]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM' are good until 1439461246
>>>>>> rpc.gssd[3328]: using FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM as credentials cache for machine creds
>>>>>> rpc.gssd[3328]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_HQ.SPINQUE.COM
>>>>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>> rpc.gssd[3328]: creating tcp client for server spinque03.hq.spinque.com
>>>>>> rpc.gssd[3328]: DEBUG: port already set to 2049
>>>>>> rpc.gssd[3328]: creating context with server nfs at spinque03.hq.spinque.com
>>>>>> rpc.gssd[3328]: DEBUG: serialize_krb5_ctx: lucid version!
>>>>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: protocol 1
>>>>>> rpc.gssd[3328]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>>>>>> rpc.gssd[3328]: doing downcall: lifetime_rec=86399 acceptor=nfs at spinque03.hq.spinque.com
>>>>>> rpc.gssd[838]: handling gssd upcall (nfs/clnt19)
>>>>>> rpc.gssd[838]: handle_gssd_upcall: 'mech=krb5 uid=1005 enctypes=18,17,16,23,3,1,2 '
>>>>>> rpc.gssd[3337]: handling krb5 upcall (nfs/clnt19)
>>>>>> rpc.gssd[3337]: process_krb5_upcall: service is ''
>>>>>> gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>> gssproxy[798]: gssproxy[809]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>> rpc.gssd[3337]: creating tcp client for server spinque03.hq.spinque.com
>>>>>> rpc.gssd[3337]: DEBUG: port already set to 2049
>>>>>> rpc.gssd[3337]: creating context with server nfs at spinque03.hq.spinque.com
>>>>>> rpc.gssd[3337]: DEBUG: serialize_krb5_ctx: lucid version!
>>>>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: protocol 1
>>>>>> rpc.gssd[3337]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
>>>>>> rpc.gssd[3337]: doing downcall: lifetime_rec=85675 acceptor=nfs at spinque03.hq.spinque.com
>>>>>>
>>>>>> On 12 August 2015 at 02:46, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now).
>>>>>>>
>>>>>>> I got almost everything working, but I seem to have a problem with kerberized nfs.
>>>>>>>
>>>>>>> The NAS logs in the LDAP domain and seems happy with the kerberos principal that I uploaded.
>>>>>>>
>>>>>>> * If I use plain nfs4 without krb5
>>>>>>>
>>>>>>> - /etc/exports -
>>>>>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
>>>>>>>
>>>>>>> then I can mount it and use it (it even works with automount). But only using all_squash. Not useful:
>>>>>>>
>>>>>>> * If I use krb5
>>>>>>>
>>>>>>> - /etc/exports -
>>>>>>> /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
>>>>>>>
>>>>>>> then I can kinit with an LDAP user, mount it with sec=krb5, but I get "nobody" as file owner.
>>>>>>>
>>>>>>> This is done from a FC22 client, perfectly enrolled in freeIPA.
>>>>>>>
>>>>>>> The client's log contains several of such errors:
>>>>>>>
>>>>>>> gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>>>>>>>
>>>>>>> Any tip to help me understand what the problem is?
>>>>>>> Roberto
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy

From detlev.habicht at ims.uni-hannover.de Thu Aug 20 09:57:42 2015
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Thu, 20 Aug 2015 11:57:42 +0200
Subject: [Freeipa-users] private groups
Message-ID: <50393E1C-AA36-42AC-959D-23DBC62B8DCE@ims.uni-hannover.de>

Hi all,

i am new using IPA and learning IPA i am also learning some other things new for me.

Migrating our system to IPA i found some problems with private groups. We don't used it up to now.

Trying to disable this feature with

ipa-managed-entries -e "UPG Definition" -p xxx disable

crashed my database. I don't know why. After this i can't create new users.

For this problem i have no more information.

But i have a question:

Can i delete a private group after creating an user? How can i do this?

And can i later create a private group again for this user? How?

Thanx for any help!

Detlev

--
Detlev  | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------

From bahanw042014 at gmail.com Thu Aug 20 10:36:37 2015
From: bahanw042014 at gmail.com (bahan w)
Date: Thu, 20 Aug 2015 12:36:37 +0200
Subject: [Freeipa-users] How to modify the logging dir
Message-ID:

Hello.
I send you this mail because I'm looking for a way to modify the logging dir of the different components embedded with FreeIPA.

I already checked here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html

But I cannot see how to modify the logging dir of sssd. Is that possible? I checked lightly the man of sssd.conf but didn't find a way to modify the logging dir.

Best regards.

Bahan

From mkosek at redhat.com Thu Aug 20 10:54:46 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 20 Aug 2015 12:54:46 +0200
Subject: [Freeipa-users] private groups
In-Reply-To: <50393E1C-AA36-42AC-959D-23DBC62B8DCE@ims.uni-hannover.de>
References: <50393E1C-AA36-42AC-959D-23DBC62B8DCE@ims.uni-hannover.de>
Message-ID: <55D5B1F6.60808@redhat.com>

On 08/20/2015 11:57 AM, Detlev Habicht wrote:
> Hi all,
>
> i am new using IPA and learning IPA i am also learning some
> other things new for me.
>
> Migrating our system to IPA i found some problems with private groups.
> We don't used it up to now.
>
> Trying to disable this feature with
>
> ipa-managed-entries -e "UPG Definition" -p xxx disable
>
> crashed my database.

By crashed, you mean that Directory Server process crashed? If yes, it would be really interesting to get a stack trace, steps in

http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes

This would allow 389-DS developers to fix the bug.

> I don't know why. After this i can't
> create new users.

IIRC, you would need to turn the default "ipausers" group into POSIX group (group-mod --posix), to let it be used instead of the user private groups. But this depends on the error you are getting.

> For this problem i have no more information.
>
> But i have a question:
>
> Can i delete a private group after creating an user? How can i do this?

You can use "group-detach" command and then "group-del" on the detached managed group.
> And can i later create a private group again for this user? How?

Hmm... You could do group-add command with the right GID, I do not know about single command doing that.

> Thanx for any help!
>
> Detlev
>
> --
> Detlev  | Institut fuer Mikroelektronische Systeme
> Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
> --------+-------- Handy +49 172 5415752 ---------------------------

From detlev.habicht at ims.uni-hannover.de Thu Aug 20 11:01:12 2015
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Thu, 20 Aug 2015 13:01:12 +0200
Subject: [Freeipa-users] private groups
In-Reply-To: <55D5B1F6.60808@redhat.com>
References: <50393E1C-AA36-42AC-959D-23DBC62B8DCE@ims.uni-hannover.de> <55D5B1F6.60808@redhat.com>
Message-ID: <82349CCA-4E18-4730-B1C9-65EE8FCD5C82@ims.uni-hannover.de>

Well, it is not really a server crash, the server is running, but i cannot create new users. But i will try it again and will send the results.

Detlev

--
Detlev  | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------

On 20.08.2015 at 12:54, Martin Kosek wrote:
> On 08/20/2015 11:57 AM, Detlev Habicht wrote:
>> Hi all,
>>
>> i am new using IPA and learning IPA i am also learning some
>> other things new for me.
>>
>> Migrating our system to IPA i found some problems with private groups.
>> We don't used it up to now.
>>
>> Trying to disable this feature with
>>
>> ipa-managed-entries -e "UPG Definition" -p xxx disable
>>
>> crashed my database.
>
> By crashed, you mean that Directory Server process crashed? If yes, it would be
> really interesting to get a stack trace, steps in
>
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
>
> This would allow 389-DS developers to fix the bug.
>
>> I don't know why. After this i can't
>> create new users.
>
> IIRC, you would need to turn the default "ipausers" group into POSIX group
> (group-mod --posix), to let it be used instead of the user private groups.
> But this depends on the error you are getting.
>
>> For this problem i have no more information.
>>
>> But i have a question:
>>
>> Can i delete a private group after creating an user? How can i do this?
>
> You can use "group-detach" command and then "group-del" on the detached managed
> group.
>
>> And can i later create a private group again for this user? How?
>
> Hmm... You could do group-add command with the right GID, I do not know about
> single command doing that.
>
>> Thanx for any help!
>>
>> Detlev
>>
>> --
>> Detlev  | Institut fuer Mikroelektronische Systeme
>> Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
>> --------+-------- Handy +49 172 5415752 ---------------------------

From david.dejaeghere at gmail.com Thu Aug 20 11:48:53 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Thu, 20 Aug 2015 13:48:53 +0200
Subject: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data
Message-ID:

Hi,

I noticed that changing the authoritative nameserver in FreeIPA reflects correctly to its directory data but bind will not resolve the soa record with the updated mname details.

For example I add a zone test.be and change the mname record.

[root at ns02 ~]# ipa dnszone-add
Zone name: test.be
  Zone name: test.be.
  Active zone: TRUE
  Authoritative nameserver: ns02.tokiogroup.be.
  Administrator e-mail address: hostmaster
  SOA serial: 1440070999
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TOKIOGROUP.BE krb5-self * A; grant TOKIOGROUP.BE krb5-self * AAAA; grant TOKIOGROUP.BE krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root at ns02 ~]# ipa dnszone-mod --nameserver
anaconda-ks.cfg  .bash_logout  .bashrc  .ipa/  .ssh/  .bash_history  .bash_profile  .cshrc  .pki/  .tcshrc
[root at ns02 ~]# ipa dnszone-mod --name-server ns7.tokiogroup.be.
Zone name: test.be
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute. NS record(s) can be edited in zone apex - '@'.
  Zone name: test.be.
  Active zone: TRUE
  Authoritative nameserver: ns7.tokiogroup.be.
  Administrator e-mail address: hostmaster
  SOA serial: 1440071001
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
[root at ns02 ~]# nslookup
> set q=SOA
> test.be
Server:         127.0.0.1
Address:        127.0.0.1#53

test.be
        origin = ns02.tokiogroup.be
        mail addr = hostmaster.test.be
        serial = 1440071001
        refresh = 3600
        retry = 900
        expire = 1209600
        minimum = 3600

As you can see the SOA record still shows the original default value.

Kind Regards,

David Dejaeghere

From mbasti at redhat.com Thu Aug 20 12:22:49 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 20 Aug 2015 14:22:49 +0200
Subject: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data
In-Reply-To:
References:
Message-ID: <55D5C699.6080205@redhat.com>

On 08/20/2015 01:48 PM, David Dejaeghere wrote:
> Hi,
>
> I noticed that changing the authoritative nameserver in FreeIPA
> reflects correctly to its directory data but bind will not resolve the
> soa record with the updated mname details.
>
> For example I add a zone test.be and change the mname
> record.
>
> [root at ns02 ~]# ipa dnszone-add
> Zone name: test.be
>   Zone name: test.be.
>   Active zone: TRUE
>   Authoritative nameserver: ns02.tokiogroup.be.
>   Administrator e-mail address: hostmaster
>   SOA serial: 1440070999
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant TOKIOGROUP.BE krb5-self * A; grant TOKIOGROUP.BE krb5-self * AAAA; grant TOKIOGROUP.BE krb5-self * SSHFP;
>   Dynamic update: FALSE
>   Allow query: any;
>   Allow transfer: none;
> [root at ns02 ~]# ipa dnszone-mod --nameserver
> anaconda-ks.cfg  .bash_logout  .bashrc  .ipa/  .ssh/  .bash_history  .bash_profile  .cshrc  .pki/  .tcshrc
>
> [root at ns02 ~]# ipa dnszone-mod --name-server ns7.tokiogroup.be.
> Zone name: test.be
> ipa: WARNING: Semantic of setting Authoritative nameserver was
> changed. It is used only for setting the SOA MNAME attribute.
> NS record(s) can be edited in zone apex - '@'.
>   Zone name: test.be.
>   Active zone: TRUE
>   Authoritative nameserver: ns7.tokiogroup.be.
>   Administrator e-mail address: hostmaster
>   SOA serial: 1440071001
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Allow query: any;
>   Allow transfer: none;
>
> [root at ns02 ~]# nslookup
> > set q=SOA
> > test.be
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> test.be
>         origin = ns02.tokiogroup.be
>         mail addr = hostmaster.test.be
>         serial = 1440071001
>         refresh = 3600
>         retry = 900
>         expire = 1209600
>         minimum = 3600
>
> As you can see the SOA record still shows the original default value.
>
> Kind Regards,
>
> David Dejaeghere
>

Thank you for this bug report.
I opened bind-dyndb-ldap ticket
https://fedorahosted.org/bind-dyndb-ldap/ticket/159

Martin
From jpazdziora at redhat.com Thu Aug 20 12:26:43 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 20 Aug 2015 14:26:43 +0200
Subject: [Freeipa-users] freeipa on http?
In-Reply-To: <55D3AA9A.1050303@gmail.com>
References: <55D39884.9060102@gmail.com> <55D39BC1.4070905@redhat.com> <55D3AA9A.1050303@gmail.com>
Message-ID: <20150820122643.GA28859@redhat.com>

On Tue, Aug 18, 2015 at 02:58:50PM -0700, Janelle wrote:
> Tried that -- but it gives a blank screen. I will try playing with it some
> more. At least I know we are thinking in the same ballpark

I was able to set this up just fine with freeipa-server-4.1.4-4.fc22.x86_64.

You need to disable the

  # Redirect to the secure port if not displaying an error or retrieving
  # configuration.
  RewriteCond %{SERVER_PORT} !^443$
  RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
  RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
  RewriteRule ^/ipa/(.*) https://ipa.example.test/ipa/$1 [L,R=301,NC]

part on the IPA server or you will get infinite redirection loop.

Also you will need to test it through that SSL proxy, not directly against http://ipa.example.test/, or authentication on the WebUI will not work -- the session cookie is marked as Secure so the browser will not store it when it comes via http, plus the UI checks referer to start with https://.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mbasti at redhat.com Thu Aug 20 12:32:00 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 20 Aug 2015 14:32:00 +0200
Subject: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data
In-Reply-To: <55D5C699.6080205@redhat.com>
References: <55D5C699.6080205@redhat.com>
Message-ID: <55D5C8C0.80009@redhat.com>

On 08/20/2015 02:22 PM, Martin Basti wrote:
> On 08/20/2015 01:48 PM, David Dejaeghere wrote:
>> Hi,
>>
>> I noticed that changing the authoritative nameserver in FreeIPA
>> reflects correctly to its directory data but bind will not resolve
>> the soa record with the updated mname details.
>>
>> For example I add a zone test.be and change the
>> mname record.
>>
>> [root at ns02 ~]# ipa dnszone-add
>> Zone name: test.be
>>   Zone name: test.be.
>>   Active zone: TRUE
>>   Authoritative nameserver: ns02.tokiogroup.be.
>>   Administrator e-mail address: hostmaster
>>   SOA serial: 1440070999
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant TOKIOGROUP.BE krb5-self * A; grant TOKIOGROUP.BE krb5-self * AAAA; grant TOKIOGROUP.BE krb5-self * SSHFP;
>>   Dynamic update: FALSE
>>   Allow query: any;
>>   Allow transfer: none;
>> [root at ns02 ~]# ipa dnszone-mod --nameserver
>> anaconda-ks.cfg  .bash_logout  .bashrc  .ipa/  .ssh/  .bash_history  .bash_profile  .cshrc  .pki/  .tcshrc
>>
>> [root at ns02 ~]# ipa dnszone-mod --name-server ns7.tokiogroup.be.
>> Zone name: test.be
>> ipa: WARNING: Semantic of setting Authoritative nameserver was
>> changed. It is used only for setting the SOA MNAME attribute.
>> NS record(s) can be edited in zone apex - '@'.
>>   Zone name: test.be.
>>   Active zone: TRUE
>>   Authoritative nameserver: ns7.tokiogroup.be.
>>   Administrator e-mail address: hostmaster
>>   SOA serial: 1440071001
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>
>> [root at ns02 ~]# nslookup
>> > set q=SOA
>> > test.be
>> Server:         127.0.0.1
>> Address:        127.0.0.1#53
>>
>> test.be
>>         origin = ns02.tokiogroup.be
>>         mail addr = hostmaster.test.be
>>         serial = 1440071001
>>         refresh = 3600
>>         retry = 900
>>         expire = 1209600
>>         minimum = 3600
>>
>> As you can see the SOA record still shows the original default value.
>>
>> Kind Regards,
>>
>> David Dejaeghere
>>
>
> Thank you for this bug report.
> I opened bind-dyndb-ldap ticket
> https://fedorahosted.org/bind-dyndb-ldap/ticket/159
>
> Martin
>

I maybe found why you have this issue: do you have fake_mname configured in the bind_dyndb_ldap section of named.conf? If yes, then remove this option to use the SOA MNAME from LDAP.

Martin

From yks0000 at gmail.com Thu Aug 20 13:19:10 2015
From: yks0000 at gmail.com (Yogesh Sharma)
Date: Thu, 20 Aug 2015 18:49:10 +0530
Subject: [Freeipa-users] Question on FreeIPA OpenSSH PubKey Authentication
Message-ID:

Hi,

I was reading this slide "https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf" to troubleshoot an issue which we are facing while IPA to allow user using public Key authentication and had few questions:

1. Where does IPA store the User Public Keys? I can fetch them using sss_ssh_authorizedkeys but would be good if we can know from where it fetches the keys. Is it in LDAP DB?

2. When I registered new users with PubKey Authentication, some of them are working fine and some got prompted for Password (this also happens when we update their public key).
This usually happens when either SSH is not able to pick the private key (id_rsa) or if there is some permission issue with .ssh or authorized_keys file. I am trying to find this in IPA environment as why this is happening for certain users only though it is picking the right private_key and client side. SSSD logs and secure logs do not have much to say except authentication failed.

3. I have checked the sshd config and it does not seem to be an issue.

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says to add the known_hosts file with SSSD. However, neither IPA Client nor IPA Server has this:

Configure ssh in /etc/ssh/ssh_config
Get known_hosts from SSSD
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

A suggestion can really help us moving forward.

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

From abokovoy at redhat.com Thu Aug 20 13:35:22 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 20 Aug 2015 16:35:22 +0300
Subject: [Freeipa-users] Question on FreeIPA OpenSSH PubKey Authentication
In-Reply-To:
References:
Message-ID: <20150820133522.GT22106@redhat.com>

On Thu, 20 Aug 2015, Yogesh Sharma wrote:
>Hi,
>
>I was reading this slide "https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf"
>to troubleshoot an issue which we are facing while IPA to allow user using
>public Key authentication and had few questions:
>
>1. Where does IPA store the User Public Keys? I can fetch them
>using sss_ssh_authorizedkeys but would be good if we can know from where
>it fetches the keys. Is it in LDAP DB?
They are stored in the user entry in LDAP. Use 'ipa user-show --raw --all' to see it.

>2. When I registered new users with PubKey Authentication, some of them are
>working fine and some got prompted for Password (this also happens when we
>update their public key). This usually happens when either SSH is not able
>to pick the private key (id_rsa) or if there is some permission issue with
>.ssh or authorized_keys file. I am trying to find this in IPA environment
>as why this is happening for certain users only though it is picking the
>right private_key and client side. SSSD logs and secure logs do not have
>much to say except authentication failed.

Private keys are used by the SSH client, so you can enable debugging output when using the SSH client to see if it has issues with file system access. This has nothing to do with FreeIPA at all.

>4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says to
>add the known_hosts file with SSSD. However, neither IPA Client nor IPA Server
>has this:
>
>Configure ssh in /etc/ssh/ssh_config
>Get known_hosts from SSSD
>GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This part is automatically configured if you choose to configure SSSD and SSSD has support for knownhostsproxy. See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or directly in /sbin/ipa-client-install).

--
/ Alexander Bokovoy

From detlev.habicht at ims.uni-hannover.de Thu Aug 20 09:45:51 2015
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Thu, 20 Aug 2015 11:45:51 +0200
Subject: [Freeipa-users] Questions to "compat" LDAP suffix
Message-ID:

Hi all,

i am very new using and testing IPA and i have some questions, which are not really IPA topics.
But perhaps someone can help me and send me a link, where i can read and learn such things:

I see in the LDAP tree a suffix like this:

cn=users,cn=compat,dc=ims,dc=intern

And of course this:

cn=users,cn=accounts,dc=ims,dc=intern

I don't understand the reason for "cn=compat". Where do i find some infos to understand this concept?

Thanx.

Detlev

--
Detlev  | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------

From rcritten at redhat.com Thu Aug 20 13:48:41 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Aug 2015 09:48:41 -0400
Subject: [Freeipa-users] private groups
In-Reply-To: <55D5B1F6.60808@redhat.com>
References: <50393E1C-AA36-42AC-959D-23DBC62B8DCE@ims.uni-hannover.de> <55D5B1F6.60808@redhat.com>
Message-ID: <55D5DAB9.3050006@redhat.com>

Martin Kosek wrote:
> On 08/20/2015 11:57 AM, Detlev Habicht wrote:
>> Hi all,
>>
>> i am new using IPA and learning IPA i am also learning some
>> other things new for me.
>>
>> Migrating our system to IPA i found some problems with private groups.
>> We don't used it up to now.
>>
>> Trying to disable this feature with
>>
>> ipa-managed-entries -e "UPG Definition" -p xxx disable
>>
>> crashed my database.
>
> By crashed, you mean that Directory Server process crashed? If yes, it would be
> really interesting to get a stack trace, steps in
>
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
>
> This would allow 389-DS developers to fix the bug.
>
>> I don't know why. After this i can't
>> create new users.
>
> IIRC, you would need to turn the default "ipausers" group into POSIX group
> (group-mod --posix), to let it be used instead of the user private groups.
> But this depends on the error you are getting.
>
>> For this problem i have no more information.
>>
>> But i have a question:
>>
>> Can i delete a private group after creating an user? How can i do this?
>
> You can use "group-detach" command and then "group-del" on the detached managed
> group.
>
>> And can i later create a private group again for this user? How?
>
> Hmm... You could do group-add command with the right GID, I do not know about
> single command doing that.

There is no way to create the same kind of UPG for an existing user as can be done for a new user. The managed entries plugin manages the linkage between the user and group and IPA currently doesn't provide a way to create a linkage after the fact.

You can create a group with the same gid with: ipa group-add myuser --gid , but this isn't exactly "private". A private group doesn't allow members.

One of the other features of UPG is that when the user is deleted, the group is also deleted. This would not happen in the case of manually created private groups.

rob

From rcritten at redhat.com Thu Aug 20 14:02:02 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Aug 2015 10:02:02 -0400
Subject: [Freeipa-users] Questions to "compat" LDAP suffix
In-Reply-To:
References:
Message-ID: <55D5DDDA.2000100@redhat.com>

Detlev Habicht wrote:
> Hi all,
>
> i am very new using and testing IPA and i have some questions,
> which are not really IPA topics. But perhaps someone can help
> me and send me a link, where i can read and learn such things:
>
> I see in the LDAP tree a suffix like this:
>
> cn=users,cn=compat,dc=ims,dc=intern
>
> And of course this:
>
> cn=users,cn=accounts,dc=ims,dc=intern
>
> I don't understand the reason for "cn=compat".
> Where do i find some infos to understand this concept?

It is the schema compatibility tree. IPA serves the 2307bis schema. Some clients (Solaris) want 2307 so need to use the cn=compat tree instead. It is also being leveraged for providing separate views for entries.
You can find more information on this in
/usr/share/doc/slapi-nis/ipa/sch-ipa.txt

Documentation on the plugin can be found in /usr/share/doc/slapi-nis.

The basic rule of thumb though is to search in the right container for the
right kind of entry rather than searching from the base.

rob

From rcritten at redhat.com Thu Aug 20 14:33:19 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Aug 2015 10:33:19 -0400
Subject: [Freeipa-users] How to modify the logging dir
In-Reply-To:
References:
Message-ID: <55D5E52F.3030101@redhat.com>

bahan w wrote:
> Hello.
>
> I send you this mail because I'm looking for a way to modify the logging
> dir of the different components embedded with FreeIPA.
>
> I already check here :
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html
>
> But I cannot see how to modify the logging dir of sssd ?
> Is that possible ? I checked lightly the man of sssd.conf but didn't
> find a way to modify the logging dir.
>

May I ask why you want to change the logging directory? And for which
services, all of them?

rob

From hpcadmin at hamilton.edu Thu Aug 20 15:03:32 2015
From: hpcadmin at hamilton.edu (HPC Admin)
Date: Thu, 20 Aug 2015 11:03:32 -0400
Subject: [Freeipa-users] how to get directory services to listen on ipv4 interface?
Message-ID:

Hello,

I've been searching around trying to figure out about the ipv4 vs the ipv6
interfaces for a freeipa server. According to the instructions I see that:

FreeIPA uses Samba as part of its Active Directory integration and Samba
*requires enabled IPv6 stack* on the machine. Adding *ipv6.disable=1* to the
kernel commandline disables the whole IPv6 stack and breaks Samba. Adding
*ipv6.disable_ipv6=1* will keep the IPv6 stack functional but will not assign
IPv6 addresses to any of your network devices. This is recommended approach
for cases when you don't use IPv6 networking.

I am only using ipv4 on our network.
So I managed to set this up and this helped remove some of the services that
were running on ipv6. I've configured freeipa server and can verify that the
DNS part of the server is working as I can query it with DIG. I also notice
this is working because bind is listening on the ipv4 and ipv6 interfaces.
This is also true for sshd. It's on both interfaces so I can log in with ssh.
I can even (locally on the ipa server) issue ldapsearch commands against the
ldap database.

The problem comes from when I try to add a client or query the server with
ldap commands on another machine. What I suspect is that even though I
disabled ipv6 it looks like the directory server is still ONLY listening to on
the ipv6 interface as there isn't anything listed for ipv4. So I suspect this
is why I can't query it remotely as it's only on ipv6.

netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN
tcp        0      0 :53                     0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN
tcp6       0      0 :::749                  :::*                    LISTEN
tcp6       0      0 :::464                  :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::88                   :::*                    LISTEN
tcp6       0      0 :::636                  :::*                    LISTEN
udp        0      0 :53                     0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:88              0.0.0.0:*
udp        0      0 :123                    0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:27861           0.0.0.0:*
udp        0      0 0.0.0.0:464             0.0.0.0:*
udp6       0      0 :::53734                :::*
udp6       0      0 :::53                   :::*
udp6       0      0 :::123                  :::*
raw6       0      0 :::58                   :::*                    7
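As an added example (not part of Steve's message and not a FreeIPA tool), the script below parses `netstat -ln` output like the listing above and tells apart ports with an explicit IPv4 listener, ports with both, and ports that only show a `::` (IPv6 wildcard) listener. The point it makes for the listing above: on Linux a socket bound to `::` accepts IPv4 connections too unless `IPV6_V6ONLY` is set (sysctl `net.ipv6.bindv6only`, default 0), so a `tcp6 :::389` line alone does not prove the directory server is unreachable over IPv4; that sysctl is the thing to check before looking elsewhere. The sample listing in the block is a constructed excerpt in the same layout.

```python
"""Classify listening sockets from `netstat -ln` output by address family.

Added example, not part of the thread or of any FreeIPA component. The
sample below is a constructed excerpt in the netstat -ln layout.
"""

import re
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN
tcp6       0      0 :::636                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:88              0.0.0.0:*
udp6       0      0 :::53                   :::*
"""

# proto, local address (may be empty when redacted), port; raw sockets are skipped
_ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S*):(\d+)\s+\S+")


def parse_listeners(text):
    """Return {(proto, port): {(family, address), ...}} for every listener.

    The family comes from the Proto column: netstat prints tcp/udp for
    AF_INET sockets and tcp6/udp6 for AF_INET6 sockets.
    """
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header lines, raw6 rows, anything not a tcp/udp listener
        proto, addr, port = m.groups()
        family = "v6" if proto.endswith("6") else "v4"
        listeners[(proto.rstrip("6"), int(port))].add((family, addr))
    return dict(listeners)


def classify(listeners):
    """Label each (proto, port) as 'both', 'v4', 'v6-wildcard' or 'v6-specific'."""
    result = {}
    for key, socks in listeners.items():
        has_v4 = any(fam == "v4" for fam, _ in socks)
        has_v6 = any(fam == "v6" for fam, _ in socks)
        if has_v4 and has_v6:
            result[key] = "both"
        elif has_v4:
            result[key] = "v4"
        elif ("v6", "::") in socks:
            # Bound to the IPv6 wildcard only. With net.ipv6.bindv6only=0
            # (Linux default) this socket also accepts IPv4 clients as
            # IPv4-mapped addresses; only with bindv6only=1 is it IPv6-only.
            result[key] = "v6-wildcard"
        else:
            result[key] = "v6-specific"
    return result


def report(text):
    """TCP ports whose only listener is the :: wildcard, i.e. the ones whose
    IPv4 reachability depends on the bindv6only setting."""
    cls = classify(parse_listeners(text))
    return sorted(port for (proto, port), label in cls.items()
                  if proto == "tcp" and label == "v6-wildcard")


if __name__ == "__main__":
    for key, label in sorted(classify(parse_listeners(SAMPLE_NETSTAT)).items()):
        print(key, label)
    print("tcp ports with only a :: listener:", report(SAMPLE_NETSTAT))
```

On the listing from the thread the same classification puts 389 and 636 in the `v6-wildcard` bucket while sshd and the KDC show up as `both`; whether those two ports actually refuse IPv4 is then a question of `sysctl net.ipv6.bindv6only` (and of anything filtering the traffic), not of the netstat output by itself.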
This is a CentOS 7 box with freeipa-server-4.1.4-1.el7.centos.x86_64 installed.

I tried to find possibly where there might be a setting to tell the 389 server
to listen on ipv4 but I can't seem to figure out how to do that. Google
searches aren't generally coming up with anything real useful either.

Anyone have any ideas on what to do here?

Thanks in advance!

-Steve

From david.dejaeghere at gmail.com Thu Aug 20 13:14:43 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Thu, 20 Aug 2015 15:14:43 +0200
Subject: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data
In-Reply-To: <55D5D176.3090907@redhat.com>
References: <55D5C699.6080205@redhat.com> <55D5C8C0.80009@redhat.com> <55D5CA30.9040009@redhat.com> <55D5D176.3090907@redhat.com>
Message-ID:

The reason I hit this issue was because I am testing out a setup where ldap
etc are running on a private subnet but is hosting public zones. Therefore I
change the nameservers of these zones and the primary nameserver soa record to
a public reachable hostname.

I agree this is no issue for the majority of users.

There already is a warning in the UI and IPA CLI. It might be good to add an
extra line to this warning regarding the fake_mname, although this might also
cause confusion.

Regards,

David

2015-08-20 15:09 GMT+02:00 Martin Basti :
>
>
> On 08/20/2015 02:46 PM, David Dejaeghere wrote:
>
> confirmed working.
> Does this default value make any sense if this value is changeable in the
> UI and using the IPA client?
>
> Kind Regards,
>
> David
>
>
> IMHO (I'm not 100% sure)
>
> IPA DNS are master servers, which contains only authoritative zones.
> Each DNS server contains the same copy of zones synchronized with LDAP
> database, and each server is authoritative for that zone (multimaster DNS
> topology).
> So there is no reason to have listed different server than IPA DNS as
> authoritative servers.
> > This works for majority users. > > This also works as fallback (on local network only without caching) when > one replica is down, the one of IPA DNS servers left, may act as > authoritative servers (primary master for DDNS). > > I agree that this is tricky (I forgot about fake_mname too) for users who > want to change it, we may show warning for user or somehow let him know > that fake_mname is used. > > Martin > > > 2015-08-20 14:38 GMT+02:00 Martin Basti : > >> >> >> On 08/20/2015 02:35 PM, David Dejaeghere wrote: >> >> Aha, >> >> Correct. But i never set this. This option seems to be set by default. >> I verified this issue on multiple installs. It seems they all have this >> option set by default? >> >> Can i safely change named.conf without fearing my modifications will be >> lost on an update? >> >> Kind Regards, >> >> David >> >> (Adding freeipa-users back) >> >> I checked code, it is default. >> >> You can change named.conf, upgrade will not replace it. >> >> Martin >> >> >> 2015-08-20 14:32 GMT+02:00 Martin Basti < >> mbasti at redhat.com>: >> >>> >>> On 08/20/2015 02:22 PM, Martin Basti wrote: >>> >>> >>> >>> On 08/20/2015 01:48 PM, David Dejaeghere wrote: >>> >>> Hi, >>> >>> I noticed that changing the authoritarive nameserver in FreeIPA reflects >>> correctly to its directory data but bind will not resolve the soa record >>> with the updated mname details. >>> >>> For example I add a zone test.be and change the mname record. >>> >>> [root at ns02 ~]# ipa dnszone-add >>> Zone name: test.be >>> Zone name: test.be. 
>>> Active zone: TRUE
>>> * Authoritative nameserver: ns02.tokiogroup.be.*
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1440070999
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> BIND update policy: grant TOKIOGROUP.BE krb5-self * A; grant
>>> TOKIOGROUP.BE krb5-self * AAAA; grant TOKIOGROUP.BE krb5-self *
>>> SSHFP;
>>> Dynamic update: FALSE
>>> Allow query: any;
>>> Allow transfer: none;
>>> [root at ns02 ~]# ipa dnszone-mod --nameserver
>>> anaconda-ks.cfg .bash_logout .bashrc .ipa/ .ssh/
>>> .bash_history .bash_profile .cshrc .pki/
>>> .tcshrc
>>>
>>>
>>> [root at ns02 ~]# ipa dnszone-mod --name-server *ns7.tokiogroup.be.*
>>> Zone name: test.be
>>> ipa: WARNING: Semantic of setting Authoritative nameserver was changed.
>>> It is used only for setting the SOA MNAME attribute.
>>> NS record(s) can be edited in zone apex - '@'.
>>> Zone name: test.be.
>>> Active zone: TRUE
>>> *Authoritative nameserver: ns7.tokiogroup.be.*
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1440071001
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> Allow query: any;
>>> Allow transfer: none;
>>>
>>>
>>> [root at ns02 ~]# nslookup
>>> > set q=SOA
>>> > test.be
>>> Server: 127.0.0.1
>>> Address: 127.0.0.1#53
>>>
>>> test.be
>>> * origin = ns02.tokiogroup.be *
>>> mail addr = hostmaster.test.be
>>> serial = 1440071001
>>> refresh = 3600
>>> retry = 900
>>> expire = 1209600
>>> minimum = 3600
>>>
>>> As you can see the SOA record still shows the original default value.
>>>
>>> Kind Regards,
>>>
>>> David Dejaeghere
>>>
>>>
>>>
>>> Thank you for this bug report.
>>> I opened bind-dyndb-ldap ticket
>>>
>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/159
>>>
>>> Martin
>>>
>>>
>>> I maybe found why do you have this issue,
>>>
>>> do you have fake_mname configured in bind_dyndb_ldap section of
>>> named.conf?
>>> If yes then remove this option to use SOA MNAME from LDAP.
>>>
>>> Martin
>>>
>>
>>
>>
>
>

From mbasti at redhat.com Thu Aug 20 15:32:37 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 20 Aug 2015 17:32:37 +0200
Subject: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data
In-Reply-To:
References: <55D5C699.6080205@redhat.com> <55D5C8C0.80009@redhat.com> <55D5CA30.9040009@redhat.com> <55D5D176.3090907@redhat.com>
Message-ID: <55D5F315.6040300@redhat.com>

On 08/20/2015 03:14 PM, David Dejaeghere wrote:
> The reason I hit this issue was because I am testing out a setup where
> ldap etc are running on a private subnet but is hosting public zones.
> Therefore I change the nameservers of these zones and the primary
> nameserver soa record to a public reachable hostname.
>
> I agree this is no issue for the majority of users.
>
> There already is a warning in the UI and IPA CLI. It might be good to
> add an extra line to this warning regarding the fake_mname, although
> this might also cause confusion.
>
> Regards,
>
> David

I agree, ticket filed:
https://fedorahosted.org/freeipa/ticket/5241

>
> 2015-08-20 15:09 GMT+02:00 Martin Basti >:
>
>
>
> On 08/20/2015 02:46 PM, David Dejaeghere wrote:
>> confirmed working.
>> Does this default value make any sense if this value is
>> changeable in the UI and using the IPA client?
>>
>> Kind Regards,
>>
>> David
>
> IMHO (I'm not 100% sure)
>
> IPA DNS are master servers, which contains only authoritative zones.
> Each DNS server contains the same copy of zones synchronized with
> LDAP database, and each server is authoritative for that zone
> (multimaster DNS topology).
> So there is no reason to have listed different server than IPA DNS
> as authoritative servers.
>
> This works for majority users.
> > This also works as fallback (on local network only without > caching) when one replica is down, the one of IPA DNS servers > left, may act as authoritative servers (primary master for DDNS). > > I agree that this is tricky (I forgot about fake_mname too) for > users who want to change it, we may show warning for user or > somehow let him know that fake_mname is used. > > Martin > >> >> 2015-08-20 14:38 GMT+02:00 Martin Basti > >: >> >> >> >> On 08/20/2015 02:35 PM, David Dejaeghere wrote: >>> Aha, >>> >>> Correct. But i never set this. This option seems to be set >>> by default. >>> I verified this issue on multiple installs. It seems they >>> all have this option set by default? >>> >>> Can i safely change named.conf without fearing my >>> modifications will be lost on an update? >>> >>> Kind Regards, >>> >>> David >> (Adding freeipa-users back) >> >> I checked code, it is default. >> >> You can change named.conf, upgrade will not replace it. >> >> Martin >> >>> >>> 2015-08-20 14:32 GMT+02:00 Martin Basti >> >: >>> >>> >>> On 08/20/2015 02:22 PM, Martin Basti wrote: >>>> >>>> >>>> On 08/20/2015 01:48 PM, David Dejaeghere wrote: >>>>> Hi, >>>>> >>>>> I noticed that changing the authoritarive nameserver >>>>> in FreeIPA reflects correctly to its directory data >>>>> but bind will not resolve the soa record with the >>>>> updated mname details. >>>>> >>>>> For example I add a zone test.be and >>>>> change the mname record. >>>>> >>>>> [root at ns02 ~]# ipa dnszone-add >>>>> Zone name: test.be >>>>> Zone name: test.be . 
>>>>> Active zone: TRUE >>>>> *Authoritative nameserver: ns02.tokiogroup.be >>>>> .* >>>>> Administrator e-mail address: hostmaster >>>>> SOA serial: 1440070999 >>>>> SOA refresh: 3600 >>>>> SOA retry: 900 >>>>> SOA expire: 1209600 >>>>> SOA minimum: 3600 >>>>> BIND update policy: grant TOKIOGROUP.BE >>>>> krb5-self * A; grant >>>>> TOKIOGROUP.BE krb5-self * AAAA; >>>>> grant TOKIOGROUP.BE krb5-self * >>>>> SSHFP; >>>>> Dynamic update: FALSE >>>>> Allow query: any; >>>>> Allow transfer: none; >>>>> [root at ns02 ~]# ipa dnszone-mod --nameserver >>>>> anaconda-ks.cfg .bash_logout .bashrc .ipa/ .ssh/ >>>>> .bash_history .bash_profile .cshrc .pki/ .tcshrc >>>>> >>>>> >>>>> [root at ns02 ~]# ipa dnszone-mod >>>>> --name-server*ns7.tokiogroup.be >>>>> *. >>>>> Zone name: test.be >>>>> ipa: WARNING: Semantic of setting Authoritative >>>>> nameserver was changed. It is used only for setting >>>>> the SOA MNAME attribute. >>>>> NS record(s) can be edited in zone apex - '@'. >>>>> Zone name: test.be . >>>>> Active zone: TRUE >>>>> *Authoritative nameserver: ns7.tokiogroup.be >>>>> .* >>>>> Administrator e-mail address: hostmaster >>>>> SOA serial: 1440071001 >>>>> SOA refresh: 3600 >>>>> SOA retry: 900 >>>>> SOA expire: 1209600 >>>>> SOA minimum: 3600 >>>>> Allow query: any; >>>>> Allow transfer: none; >>>>> >>>>> >>>>> [root at ns02 ~]# nslookup >>>>> > set q=SOA >>>>> > test.be >>>>> Server: 127.0.0.1 >>>>> Address: 127.0.0.1#53 >>>>> >>>>> test.be >>>>> *origin = ns02.tokiogroup.be * >>>>> mail addr = hostmaster.test.be >>>>> >>>>> serial = 1440071001 >>>>> refresh = 3600 >>>>> retry = 900 >>>>> expire = 1209600 >>>>> minimum = 3600 >>>>> >>>>> As you can see the SOA record still shows the original >>>>> default value. >>>>> >>>>> Kind Regards, >>>>> >>>>> David Dejaeghere >>>>> >>>>> >>>> >>>> Thank you for this bug report. 
>>>> I opened bind-dyndb-ldap ticket
>>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/159
>>>>
>>>> Martin
>>>>
>>>>
>>> I maybe found why do you have this issue,
>>>
>>> do you have fake_mname configured in bind_dyndb_ldap
>>> section of named.conf?
>>> If yes then remove this option to use SOA MNAME from LDAP.
>>>
>>> Martin
>>>
>>>
>>
>>
>
>

From yamakasi.014 at gmail.com Thu Aug 20 20:15:48 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Thu, 20 Aug 2015 22:15:48 +0200
Subject: [Freeipa-users] Ubuntu Samba Server Auth against IPA
In-Reply-To:
References:
Message-ID:

Hi Chris,

Would be great to see! If I have it working and we have 2-3 testcases I
think we can add it to the IPA docs!

Keep me updated!

Thanks

Matt

2015-08-20 8:49 GMT+02:00 Christopher Lamb :
> Matt
>
> Once I got Samba and FreeIPA integrated (by the "good old extensions"
> path), I always use FreeIPA to administer users. I have never tried the
> samba tools like smbpasswd.
>
> I still have a wiki how-to in the works, but I had to focus on some other
> issues for a while.
>
> Chris
>
>
>
> From: "Matt ."
> To: Youenn PIOLET
> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
> "freeipa-users at redhat.com"
> Date: 20.08.2015 08:12
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> HI Guys,
>
> Anyone still a working clue/test here ?
>
> I didn't came further as it seems there need to be some domain join /
> match following the freeipa devs.
>
> Thanks!
>
> Matt
>
> 2015-08-13 13:09 GMT+02:00 Matt . :
>> Hi,
>>
>> I might have found something which I already seen in the logs.
>>
>> I did a smbpasswd my username on the samba server, it connects to ldap
>> very well.
I give my new password and get the following: >> >> smbldap_search_ext: base => [dc=my,dc=domain], filter => >> [(&(objectClass=ipaNTGroupAttrs)(| > (ipaNTSecurityIdentifier=S-1----my--sid---)))], >> scope => [2] >> Attribute [displayName] not found. >> Could not retrieve 'displayName' attribute from cn=Default SMB >> Group,cn=groups,cn=accounts,dc=my,dc=domain >> Sid S-1----my--sid--- -> MYDOMAIN\Default SMB Group(2) >> >> So something is missing! >> >> Thanks so far guys! >> >> Cheers, >> >> Matt >> >> 2015-08-13 12:02 GMT+02:00 Matt . : >>> Hi Youenn, >>> >>> OK thanks! this takes me a little but futher now and I see some good >>> stuff in my logging. >>> >>> I'm testing on a Windows 10 Machine which is not member of an AD or >>> so, so that might be my issue for now ? >>> >>> When testing on the samba box itself as my user I get: >>> >>> >>> [myusername at smb-01 ~]$ smbclient //smb-01.domain.local/shares >>> >>> ... >>> Checking NTLMSSP password for MSP\myusername failed: > NT_STATUS_WRONG_PASSWORD >>> ... >>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD >>> >>> >>> Maybe I have an issue with encrypted passwords ? >>> >>> >>> When we have this all working, I think we have a howto :D >>> >>> Thanks! >>> >>> Matt >>> >>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET : >>>> Hi Matt >>>> >>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly? >>>> sambaSamAccount is not needed anymore that way. >>>> - Default IPA Way : won't work if your Windows is not part of a domain >>>> controller. DOMAIN\username may work for some users using Windows 7 - > not 8 >>>> nor 10 (it did for me but I was the only one at the office... 
>>>> quite useless)
>>>>
>>>> This config may work on your CentOS (for the ipasam way):
>>>> workgroup = TEST
>>>> realm = TEST.NET
>>>> kerberos method = dedicated keytab
>>>> dedicated keytab file = FILE:/<.....>/samba.keytab
>>>> create krb5 conf = no
>>>> security = user
>>>> encrypt passwords = true
>>>> passdb backend = ipasam:ldaps://youripa.test.net
>>>> ldapsam:trusted = yes
>>>> ldap suffix = test.net
>>>> ldap user suffix = cn=users,cn=accounts
>>>> ldap group suffix = cn=groups,cn=accounts
>>>>
>>>>
>>>> --
>>>> Youenn Piolet
>>>> piolet.y at gmail.com
>>>>
>>>>
>>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>>
>>>>> Hi,
>>>>>
>>>>> OK the default IPA way works great actually when testing it as described
>>>>> here:
>>>>>
>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>
>>>>> On the samba server I can auth and see my share where I want to connect
>>>>> to.
>>>>>
>>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username
>>>>> as username
>>>>>
>>>>> So, the IPA way should work.
>>>>>
>>>>> Any comments here ?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>>> > HI GUys,
>>>>> >
>>>>> > I'm testing this out and I think I almost setup, this on a CentOS samba
>>>>> > server.
>>>>> >
>>>>> > I'm using the ipa-adtrust way of Youeen but it seems we still need to
>>>>> > add (objectclass=sambaSamAccount)) ?
>>>>> >
>>>>> > Info is welcome!
>>>>> >
>>>>> > I will report back when I have it working.
>>>>> >
>>>>> > Thanks!
>>>>> >
>>>>> > Matt
>>>>> >
>>>>> > 2015-08-10 11:16 GMT+02:00 Christopher Lamb
>>>>> > :
>>>>> >> The next route I will try - is the one Youeen took, using ipa-adtrust
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> From: "Matt ."
>>>>> >> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>> >> "freeipa-users at redhat.com" >>>>> >> Date: 10.08.2015 10:03 >>>>> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > against >>>>> >> IPA >>>>> >> >>>>> >> >>>>> >> >>>>> >> Hi Chris, >>>>> >> >>>>> >> Okay this is good to hear. >>>>> >> >>>>> >> But don't we want a IPA managed Scheme ? >>>>> >> >>>>> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a > local >>>>> >> installed Samba and I wonder why. >>>>> >> >>>>> >> Good that we make some progres on making it all clear. >>>>> >> >>>>> >> Cheers, >>>>> >> >>>>> >> Matt >>>>> >> >>>>> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb >>>>> >> : >>>>> >>> ldapsam + the samba extensions, pretty much as described in the >>>>> >> Techslaves >>>>> >>> article. Once I have a draft for the wiki page, I will mail you. >>>>> >>> >>>>> >>> >>>>> >>> >>>>> >>> From: "Matt ." >>>>> >>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>> >>> "freeipa-users at redhat.com" >>>>> >>> Date: 09.08.2015 21:17 >>>>> >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > against >>>>> >>> IPA >>>>> >>> >>>>> >>> >>>>> >>> >>>>> >>> Hi, >>>>> >>> >>>>> >>> Yes I know about "anything" but which way did you use now ? >>>>> >>> >>>>> >>> >>>>> >>> >>>>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb >>>>> >> : >>>>> >>>> Hi Matt >>>>> >>>> >>>>> >>>> I am on OEL 7.1. - so anything that works on that should be good > for >>>>> >> RHEL >>>>> >>>> and Centos 7.x >>>>> >>>> >>>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few > days. >>>>> >>>> As >>>>> >>> we >>>>> >>>> have suggested earlier, we will likely end up with several, one > for >>>>> >>>> each >>>>> >>> of >>>>> >>>> the possible integration paths. >>>>> >>>> >>>>> >>>> Chris >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> From: "Matt ." 
>>>>> >>>> To: Christopher Lamb/Switzerland/IBM at IBMCH, >>>>> >>>> "freeipa-users at redhat.com" >>>>> >>>> Date: 09.08.2015 16:45 >>>>> >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > against >>>>> >>>> IPA >>>>> >>>> >>>>> >>>> >>>>> >>>> >>>>> >>>> Hi Chris, >>>>> >>>> >>>>> >>>> This sounds great! >>>>> >>>> >>>>> >>>> What are you using now, both CentOS ? So Samba and FreeIPA ? >>>>> >>>> >>>>> >>>> Maybe it's good to explain which way you used now in steps too, > so we >>>>> >>>> can combine or create multiple howto's ? >>>>> >>>> >>>>> >>>> At least we are going somewhere! >>>>> >>>> >>>>> >>>> Thanks, >>>>> >>>> >>>>> >>>> Matt >>>>> >>>> >>>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb >>>>> >>> : >>>>> >>>>> Hi Matt >>>>> >>>>> >>>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good > old >>>>> >>> Samba >>>>> >>>>> Schema extensions) is up and working, almost flawlessly. >>>>> >>>>> >>>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the >>>>> >> correct >>>>> >>>>> ObjectClasses / attributes required for Samba. >>>>> >>>>> >>>>> >>>>> So far I have not yet bothered to try the extensions to the > WebUI, >>>>> >>>> because >>>>> >>>>> it is currently giving me the classic "Your session has expired. >>>>> >>>>> Please >>>>> >>>>> re-login." error which renders the WebUI useless. >>>>> >>>>> >>>>> >>>>> The only problem I have so far encountered managing Samba / > FreeIPA >>>>> >>> users >>>>> >>>>> via FreeIPA CLI commands is with the handling of the attribute >>>>> >>>>> sambaPwdLastSet. This is the subject of an existing thread, also >>>>> >> updated >>>>> >>>>> today. >>>>> >>>>> >>>>> >>>>> There is also an existing alternative to hacking group.py, using >>>>> >>>>> "Class >>>>> >>>> of >>>>> >>>>> Service" (Cos) documented in this thread from February 2015 >>>>> >>>>> >>>>> >>> >>>>> >>> > https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html >>>>> >>>> . 
>>>>> >>>>> I have not yet tried it, but it sounds reasonable. >>>>> >>>>> >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> From: "Matt ." >>>>> >>>>> To: Christopher Lamb/Switzerland/IBM at IBMCH >>>>> >>>>> Cc: "freeipa-users at redhat.com" , >>>>> >>>>> Youenn >>>>> >>>>> PIOLET >>>>> >>>>> Date: 06.08.2015 16:19 >>>>> >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth > against >>>>> >> IPA >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Hi Chris, >>>>> >>>>> >>>>> >>>>> OK, than we might create two different versions of the wiki, I > think >>>>> >>>>> this is nice. >>>>> >>>>> >>>>> >>>>> I'm still figuring out why I get that: >>>>> >>>>> >>>>> >>>>> IPA Error 4205: ObjectclassViolation >>>>> >>>>> >>>>> >>>>> missing attribute "sambaGroupType" required by object class >>>>> >>>>> "sambaGroupMapping" >>>>> >>>>> >>>>> >>>>> Matt >>>>> >>>>> >>>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb >>>>> >>>> : >>>>> >>>>>> Hi Matt >>>>> >>>>>> >>>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / >>>>> >>>>>> FreeIPA >>>>> >>>>>> integration paths. >>>>> >>>>>> >>>>> >>>>>> The route I took is suited where there is no Active Directory >>>>> >> involved: >>>>> >>>>> In >>>>> >>>>>> my case all the Windows, OSX and Linux clients are islands that > sit >>>>> >>>>>> on >>>>> >>>>> the >>>>> >>>>>> same network. >>>>> >>>>>> >>>>> >>>>>> The route that Youenn has taken (unless I have got completely > the >>>>> >> wrong >>>>> >>>>> end >>>>> >>>>>> of the stick) requires Active Directory in the architecture. >>>>> >>>>>> >>>>> >>>>>> Chris >>>>> >>>>>> >>>>> >>>>>> >>>>> >>>>>> >>>>> >>>>>> From: "Matt ." 
>>>>> >>>>>> To: Youenn PIOLET
>>>>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
>>>>> >>>>>> "freeipa-users at redhat.com"
>>>>> >>>>>> Date: 06.08.2015 14:42
>>>>> >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth
>>>>> >>>>>> against IPA
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>> Hi,
>>>>> >>>>>>
>>>>> >>>>>> OK, this sounds already quite logical, but I'm still referring to
>>>>> >>>>>> the old howto we found earlier, does that one still apply somewhere or
>>>>> >>>>>> not at all ?
>>>>> >>>>>>
>>>>> >>>>>> Thanks,
>>>>> >>>>>>
>>>>> >>>>>> Matt
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET :
>>>>> >>>>>>> Hey guys,
>>>>> >>>>>>>
>>>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these
>>>>> >>>>>>> days :)
>>>>> >>>>>>>
>>>>> >>>>>>> General idea:
>>>>> >>>>>>>
>>>>> >>>>>>> On FreeIPA (4.1)
>>>>> >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
>>>>> >>>>>>>   attribute, also known as SID)
>>>>> >>>>>>> - regenerate each user password to build ipaNTHash attribute, not here
>>>>> >>>>>>>   by default on users
>>>>> >>>>>>> - use your ldap browser to check ipaNTHash values are here on user
>>>>> >>>>>>>   objects
>>>>> >>>>>>> - create a CIFS service for your samba server
>>>>> >>>>>>> - Create user roles/permissions as described here:
>>>>> >>>>>>>   http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>> >>>>>>>   so that CIFS service will be able to read ipaNTsecurityidentifier
>>>>> >>>>>>>   and ipaNTHash attributes in LDAP (ACI)
>>>>> >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic
>>>>> >>>>>>>   trick) : scp /usr/lib64/samba/pdb/ipasam.so
>>>>> >>>>>>>   root at samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
>>>>> >>>>>>>   recompile it.
>>>>> >>>>>>>
>>>>> >>>>>>> On SAMBA Server side (CentOS 7...)
>>>>> >>>>>>> - Install server keytab file for CIFS
>>>>> >>>>>>> - check ipasam.so is here.
>>>>> >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
>>>>> >>>>>>>   uid=admin ipaNTHash` thanks to kerberos
>>>>> >>>>>>> - make your smb.conf following the linked thread and restart service
>>>>> >>>>>>>
>>>>> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
>>>>> >>>>>>> ipasam may use quite recent functionalities, the best is to just try.
>>>>> >>>>>>> You can read in previous thread : "If you insist on Ubuntu you need to
>>>>> >>>>>>> get ipasam somewhere, most likely to compile it yourself".
>>>>> >>>>>>>
>>>>> >>>>>>> Make sure your user has ipaNTHash attribute :)
>>>>> >>>>>>>
>>>>> >>>>>>> You may want to debug authentication on samba server, I usually do this:
>>>>> >>>>>>> `tail -f /var/log/samba/log* | grep
>>>>> >>>>>>>
>>>>> >>>>>>> Cheers
>>>>> >>>>>>> --
>>>>> >>>>>>> Youenn Piolet
>>>>> >>>>>>> piolet.y at gmail.com
>>>>> >>>>>>>
>>>>> >>>>>>>
>>>>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . :
>>>>> >>>>>>>>
>>>>> >>>>>>>> Hi,
>>>>> >>>>>>>>
>>>>> >>>>>>>> This sounds great to me too, but a howto would help to make it
>>>>> >>>>>>>> more clear about what you have done here. The thread confuses me a
>>>>> >>>>>>>> little bit.
>>>>> >>>>>>>>
>>>>> >>>>>>>> Can you paste your commands so we can test out too and report
>>>>> >>>>>>>> back ?
>>>>> >>>>>>>>
>>>>> >>>>>>>> Thanks!
> Matt
>
> 2015-08-05 15:18 GMT+02:00 Christopher Lamb :
> > Hi Youenn
> >
> > Good news that you have got an integration working
> >
> > Now you have got it going, and the solution is fresh in your mind, how
> > about adding a How-to page on this solution to the FreeIPA wiki?
> >
> > Chris
> >
> > From: Youenn PIOLET
> > To: "Matt ."
> > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> > Date: 05.08.2015 14:51
> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> >
> > Hi guys,
> >
> > Thank you so much for your previous answers.
> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
> > ipa-adtrust-install --add-sids
> >
> > I found another way to configure smb here:
> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
> >
> > It works perfectly.
> >
> > I'm using module ipasam.so, which I have manually scp'd to the samba server.
> > Samba is set to use kerberos + ldapsam via this ipasam module.
> > Following the instructions, I created a user role allowing the service
> > principal to read the ipaNTHash value from the LDAP.
> > ipaNTHash is generated each time a user changes his password.
> > Authentication works perfectly on Windows 7, 8 and 10.
> >
> > For more details, the previously linked thread is quite clear.
> >
> > Cheers
> >
> > --
> > Youenn Piolet
> > piolet.y at gmail.com
> >
> > 2015-08-05 11:10 GMT+02:00 Matt . :
> > Hi Chris.
> >
> > Yes, Apache Studio did that but I was not sure why it complained it
> > was "already" there.
> >
> > I'm still getting:
> >
> > IPA Error 4205: ObjectclassViolation
> >
> > missing attribute "sambaGroupType" required by object class
> > "sambaGroupMapping"
> >
> > When adding a user.
> >
> > I also see "class" as fieldname under my "Last name", this is not OK
> > also.
> >
> > We sure need to make some howto, I think we can nail this down :)
> >
> > Thanks for the heads up!
> >
> > Matthijs
> >
> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb :
> > > Hi Matt
> > >
> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to
> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
> > > below:
> > >
> > > #!RESULT OK
> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
> > > #!DATE 2015-08-05T05:45:04.608
> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> > > changetype: modify
> > > add: ipaCustomFields
> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
> > >
> > > After that I then have a visible attribute ipaCustomFields as expected.
> > >
> > > When adding the attribute, the wizard offered me "ipaCustomFields" as
> > > attribute type in a drop down list.
> > >
> > > Once we get this cracked, we really must write a how-to on the FreeIPA
> > > Wiki.
> > >
> > > Chris
> > >
> > > From: Christopher Lamb/Switzerland/IBM at IBMCH
> > > To: "Matt ."
> > > Cc: "freeipa-users at redhat.com"
> > > Date: 05.08.2015 07:31
> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > Sent by: freeipa-users-bounces at redhat.com
> > >
> > > Hi Matt
> > >
> > > I also got the same result at that step, but can see nothing in Apache
> > > Directory Studio.
> > >
> > > As I am using existing Samba / FreeIPA groups migrated across, they
> > > probably were migrated with all the required attributes.
> > >
> > > Looking more closely at that LDIF: I wonder should it not be:
> > >
> > > ldapmodify -Y GSSAPI <<EOF
> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > > changetype: modify
> > > add: ipaCustomFields
> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > > EOF
> > >
> > > i.e. changetype: modify, instead of changetype add ?
> > >
> > > I don't want to play around with my prod directory - I will setup an EL
> > > 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
> > > around more destructively.
> > >
> > > Chris
> > >
> > > From: "Matt ."
> > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > > Cc: Youenn PIOLET , "freeipa-users at redhat.com"
> > > Date: 05.08.2015 01:01
> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > >
> > > Hi Chris,
> > >
> > > I'm at the right path, but my issue is that:
> > >
> > > ldapmodify -Y GSSAPI <<EOF
> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> > > changetype: add
> > > add: ipaCustomFields
> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> > > EOF
> > >
> > > Does say it exists, my ldap explorer doesn't show it, and when I add
> > > it manually as an attribute it still fails when I add a user on this
> > > sambagrouptype as it's needed by the other attributes
> > >
> > > So that is my issue I think so far.
> > >
> > > Any clue about that ?
> > >
> > > No problem "you don't know something or are no guru", we are all
> > > learning! :)
> > >
> > > Cheers,
> > >
> > > Matt
> > >
> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> > > > Hi Matt, Youenn
> > > >
> > > > Just to set the background properly, I did not invent this process. I
> > > > know only a little about FreeIPA, and almost nothing about Samba, but I
> > > > guess I was lucky enough to get the integration working on a Sunday
> > > > afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as
> > > > a reference).
> > > >
> > > > It sounds like we need to step back, and look at the test user and group
> > > > in the FreeIPA LDAP tree. I find using an LDAP browser makes this much
> > > > easier.
> > > >
> > > > My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
> > > > (cn=accounts, cn=users):
> > > >
> > > > * objectClass: sambasamaccount
> > > >
> > > > * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
> > > >
> > > > My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
> > > > (cn=accounts, cn=groups):
> > > >
> > > > * objectClass: sambaGroupMapping
> > > >
> > > > * Attributes: sambaGroupType, sambaSID
> > > >
> > > > The Users must belong to one or more of the samba groups that you have
> > > > setup.
> > > >
> > > > If you don't have something similar to the above (which sounds like it
> > > > is the case), then something went wrong applying the extensions. It
> > > > would be worth testing comparing a new user / group created post adding
> > > > the extensions to a previous existing user.
> > > >
> > > > i.e.
> > > > are the extensions missing on existing users / groups?
> > > > are the extensions missing on new users / groups?
> > > >
> > > > Cheers
> > > >
> > > > Chris
> > > >
> > > > From: Youenn PIOLET
> > > > To: "Matt ."
> > > > Cc: Christopher Lamb/Switzerland/IBM at IBMCH, "freeipa-users at redhat.com"
> > > > Date: 04.08.2015 18:56
> > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > >
> > > > Hi there,
> > > >
> > > > I have difficulties to follow you at this point :)
> > > > Here is what I've done and what I've understood:
> > > >
> > > > ## SMB Side
> > > > - Testparm OK
> > > > - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
> > > > - pdbedit -Lv output is all successful but I can see there is a filter :
> > > > (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
> > > > sambaSamAccount.
> > > >
> > > > ## LDAP / FreeIPA side
> > > > - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
> > > > server to get samba LDAP extensions.
> > > > - I can see samba classes exist in LDAP but are not used on my group
> > > > objects nor my user objects
> > > > - I have added sambaSamAccount in FreeIPA default user classes,
> > > > and sambaGroupMapping to default group classes. In that state I can't
> > > > create users nor groups anymore, as new samba attributes are needed for
> > > > instantiation.
> > > > - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
> > > > but I don't get what it does.
> > > > - I tried to add the samba.js plugin. It works, and adds the "local"
> > > > option when creating a group in FreeIPA, supposed to set sambagrouptype
> > > > to 4 or 2 (domain). It doesn't work and tells that sambagrouptype
> > > > attribute doesn't exist (but it should now I put sambaGroupType class by
> > > > default...)
> > > >
> > > > ## Questions
> > > > 0) Can I ask samba not to search sambaSamAccount and use unix / posix
> > > > instead? I guess no.
> > > > 1) How to generate the user/group SIDs ? They are requested to add
> > > > sambaSamAccount classes. This article doesn't seem relevant since we
> > > > don't use domain controller
> > > > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> > > > and net getlocalsid returns an error.
> > > > 2) How to fix samba.js plugin?
> > > > 3) I guess an equivalent of samba.js is needed for user creation, where
> > > > can I find it?
> > > > 4) Is your setup working with Windows 8 / Windows 10 and not only
> > > > Windows 7?
> > > >
> > > > Thanks a lot for your previous and future answers
> > > >
> > > > --
> > > > Youenn Piolet
> > > > piolet.y at gmail.com
> > > >
> > > > 2015-08-04 17:55 GMT+02:00 Matt . :
> > > > Hi,
> > > >
> > > > Yes, log is anonymised.
> > > >
> > > > It's strange, my user doesn't have a SambaPwdLastSet, also when I
> > > > change its password it doesn't get it in ldap.
> > > >
> > > > There must be something going wrong I guess.
> > > >
> > > > Matt
> > > >
> > > > 2015-08-04 17:45 GMT+02:00 Christopher Lamb :
> > > > > Hi Matt
> > > > >
> > > > > I assume [username] is a real username, identical to that in the
> > > > > FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log
> > > > > extract).
> > > > >
> > > > > Your user should be a member of the appropriate samba groups that you
> > > > > setup in FreeIPA.
> > > > >
> > > > > You should check that the user attribute SambaPwdLastSet is set to a
> > > > > positive value (e.g. 1). If not you get an error in the Samba logs - I
> > > > > would need to play around again with a test user to find out the exact
> > > > > error.
> > > > >
> > > > > I don't understand what you mean about syncing the users local, but we
> > > > > did not need to do anything like that.
> > > > >
> > > > > Chris
> > > > >
> > > > > From: "Matt ."
> > > > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > > > > Cc: "freeipa-users at redhat.com"
> > > > > Date: 04.08.2015 15:33
> > > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > > >
> > > > > Hi Chris,
> > > > >
> > > > > A puppet run added another passdb backend, that was causing my issue.
> > > > >
> > > > > What I still experience is:
> > > > >
> > > > > [2015/08/04 15:29:45.477783, 3]
> > > > > ../source3/auth/check_samsec.c:399 (check_sam_security)
> > > > > check_sam_security: Couldn't find user 'username' in passdb.
> > > > > [2015/08/04 15:29:45.478026, 2]
> > > > > ../source3/auth/auth.c:288 (auth_check_ntlm_password)
> > > > > check_ntlm_password: Authentication for user [username] -> [username]
> > > > > FAILED with error NT_STATUS_NO_SUCH_USER
> > > > >
> > > > > I also wonder if I shall still sync the users local, or is it needed ?
> > > > >
> > > > > Thanks again,
> > > > >
> > > > > Matt
> > > > >
> > > > > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> > > > > > Hi Matt
> > > > > >
> > > > > > From our smb.conf file:
> > > > > >
> > > > > > [global]
> > > > > > security = user
> > > > > > passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
> > > > > > ldap suffix = dc=my,dc=silly,dc=example,dc=com
> > > > > > ldap admin dn = cn=Directory Manager
> > > > > >
> > > > > > So yes, we use Directory Manager, it works for us. I have not tried
> > > > > > with a less powerful user, but it is conceivable that a lesser user
> > > > > > may not see all the required attributes, resulting in "no such user"
> > > > > > errors.
> > > > > >
> > > > > > Chris
> > > > > >
> > > > > > From: "Matt ."
> > > > > > To: Christopher Lamb/Switzerland/IBM at IBMCH
> > > > > > Cc: "freeipa-users at redhat.com"
> > > > > > Date: 04.08.2015 13:32
> > > > > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> > > > > >
> > > > > > Hi Chris,
> > > > > >
> > > > > > Thanks for the heads up, indeed local is 4 I see now when I add a
> > > > > > group from the GUI, great thanks!
> > > > > >
> > > > > > But do you use Directory Manager as ldap admin user or some other
> > > > > > admin account ?
> > > > > >
> > > > > > I'm not sure if DM is needed and it should get that deep into IPA.
> > > > > > Also when starting samba it cannot find "such user" as that sounds
> > > > > > quite known as it has no UID.
> > > > > >
> > > > > > From your config I see you use DM, this should work ?
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > Matt
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project


From cmohler at oberlin.edu Thu Aug 20 20:21:55 2015
From: cmohler at oberlin.edu (Chris Mohler)
Date: Thu, 20 Aug 2015 16:21:55 -0400
Subject: [Freeipa-users] Users can't login on some systems.
Message-ID: <55D636E3.2050602@oberlin.edu>

Hi List,
I'm still fairly new to this list and administrating FreeIPA.

I had a very old version of freeipa and had all sorts of odd issues with it. I had 47 ubuntu clients attached to the domain.
I setup a newer freeipa server version: 4.1.4
I recreated all my user accounts by hand; I did not migrate any of them.
I then removed the 47 clients from the old domain

#ipa-client-install --uninstall

Then I reinstalled each client

#ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p admin -W --hostname `hostname` -N

it finished without errors on all my systems.

two of my systems will not let any ipa users login via ssh or the console. the rest of them work fine.
After keying in the password I get the following.

Permission denied, please try again.

id (username) shows the UID and GID and Groups correctly.
getent passwd shows only my local accounts; I don't have enumerate on.
kinit also works.

_my auth.log shows this_
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
pam_sss(sshd:auth): received for user : 7 (Authentication failure)

I know it's the correct password as it works on the other clients.

_I get this in krb5_child.log_
[[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX] keytab: [/etc/krb5.keytab]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [match_principal] (0x1000): Principal matched to the sample (host/occs.cs.oberlin.edu at CS.OBERLIN.EDU).
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): Will perform online auth
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CS.OBERLIN.EDU]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [validate_tgt] (0x0400): TGT verified using key for [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU].
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user] (0x0200): Trying to become user [66133][100].
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): krb5_child completed successfully
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main] (0x0400): krb5_child started.
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x1000): total buffer size: [127]
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]

_sssd.conf on the broken machine_

[domain/cs.oberlin.edu]
debug_level=8
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = cs.oberlin.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = occs.cs.oberlin.edu
chpass_provider = ipa
ipa_server = _srv_, ipa1.cs.oberlin.edu
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
debug_level=8
domains = cs.oberlin.edu

[nss]
debug_level=8

[pam]
debug_level=8

[sudo]

[autofs]

[ssh]
debug_level=8

[pac]

_The broken system's sssd_nss.log_
[nss_cmd_getpwnam_search] (0x0400): Returning info for user [HIDDEN at cs.oberlin.edu]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [HIDDEN].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN' matched without domain, user is HIDDEN
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [HIDDEN] from []
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cs.oberlin.edu/HIDDEN]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [HIDDEN at cs.oberlin.edu]
[sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..

Any suggestions on how I can get users to login to this machine?

Thanks,
-Chris

From prasun.gera at gmail.com Thu Aug 20 23:19:51 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 20 Aug 2015 16:19:51 -0700
Subject: [Freeipa-users] Users can't login on some systems.
In-Reply-To: <55D636E3.2050602@oberlin.edu>
References: <55D636E3.2050602@oberlin.edu>
Message-ID:

Did you clear out /var/lib/sss/db between re-installation of the client? There was a bug which might not have been fixed downstream yet.
> > Any suggestions on how I can get users to login to this machine? > > Thanks, > -Chris > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmohler at oberlin.edu Thu Aug 20 23:29:48 2015 From: cmohler at oberlin.edu (Chris Mohler) Date: Thu, 20 Aug 2015 19:29:48 -0400 Subject: [Freeipa-users] Users can't login on some systems. In-Reply-To: References: <55D636E3.2050602@oberlin.edu> Message-ID: <55D662EC.5080406@oberlin.edu> Thanks for the reply, I did not clear out /var/lib/sss/db before re-installation. I'll give it a try. I'll stop the service clear the db then restart and see if that helps. If not I'll uninstall the client remove the db and then reinstall the client. Unless it's too late and anyone has a better idea. -Chris On 8/20/2015 7:19 PM, Prasun Gera wrote: > Did you clear out /var/lib/sss/db between re-installation of the > client? There was a bug which might not have been fixed downstream yet. > > On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler > wrote: > > Hi List, > I'm still fairly new to this list and administrating FreeIPA. > > I had a very old version of freeipa and had all sorts of odd > issues with it. I had 47 ubuntu clients attached to the domain. > > I setup a newer freeipa server version: 4.1.4 > I recreated all my user accounts by hand I did not migrate any of > them. > I then removed the 47 clients from the old domain > > #ipa-client-install --uninstall > > Then I reinstalled each client > > #ipa-client-install --domain=cs.oberlin.edu > --realm=CS.OBERLIN.EDU > -p admin -W --hostname `hostname` -N > > it finished without errors on all my systems. > > two of my systems will not let any ipa users login via ssh or the > console. the rest of them work fine. > After keying in the password I get the following. 
>
> Permission denied, please try again.
>
> id (username) shows the UID and GID and Groups correctly.
> getent passwd shows only my local accounts; I don't have enumerate on.
> kinit also works.
>
> _my auth.log shows this_
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): received for user : 7 (Authentication failure)
>
> I know it's the correct password as it works on the other clients.
>
> _I get this in krb5_child.log_
>
> [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [match_principal] (0x1000): Principal matched to the sample (host/occs.cs.oberlin.edu at CS.OBERLIN.EDU).
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): Will perform online auth
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [validate_tgt] (0x0400): TGT verified using key for [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user] (0x0200): Trying to become user [66133][100].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_send_data] (0x0200): Received error code 0
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): krb5_child completed successfully
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main] (0x0400): krb5_child started.
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x1000): total buffer size: [127]
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
>
> _sssd.conf on the broken machine_
>
> [domain/cs.oberlin.edu]
> debug_level=8
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cs.oberlin.edu
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = occs.cs.oberlin.edu
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.cs.oberlin.edu
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> debug_level=8
> domains = cs.oberlin.edu
> [nss]
> debug_level=8
> [pam]
> debug_level=8
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level=8
> [pac]
>
> _The broken systems sssd_nss.log_
>
> [nss_cmd_getpwnam_search] (0x0400): Returning info for user [HIDDEN at cs.oberlin.edu]
> [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [HIDDEN].
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN' matched without domain, user is HIDDEN
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [HIDDEN] from []
> [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cs.oberlin.edu/HIDDEN
>
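As an added triage aid (not code from this thread), the following Python script parses the two log formats quoted above and flags the combination Chris reports: a krb5_child run that obtains and validates a TGT and finishes with error code 0 while pam_sss still returns 7 (Authentication failure). The sample lines are constructed to mirror the quoted ones, and the user name alice is made up.

```python
import re
from collections import defaultdict

# sssd debug line: (timestamp) [[sssd[component[pid]]]] [function] (0xlevel): msg
SSSD_RE = re.compile(
    r"^\([^)]+\) \[\[sssd\[(?P<comp>[^\[\]]+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[[^\]]+\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
# pam_sss result line in auth.log; the user field was blank in the thread's copy
PAM_RE = re.compile(r"pam_sss\([^:]+:auth\): received for user (?P<user>[^:]*): (?P<code>\d+)")
ERR_RE = re.compile(r"Received error code (?P<code>\d+)")

# Constructed sample, modelled on the lines quoted in the thread; 'alice' is made up.
SAMPLE_LINES = [
    "(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_send_data] (0x0200): "
    "Received error code 0",
    "(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): "
    "krb5_child completed successfully",
    "Aug 18 10:46:28 occs sshd[2231]: pam_sss(sshd:auth): received for user alice: "
    "7 (Authentication failure)",
]

def parse_logs(lines):
    """Group krb5_child outcomes by pid; collect (user, code) from pam_sss lines."""
    children = defaultdict(lambda: {"completed": False, "error_code": None})
    pam_results = []
    for line in lines:
        m = SSSD_RE.match(line)
        if m and m.group("comp") == "krb5_child":
            entry = children[int(m.group("pid"))]
            err = ERR_RE.search(m.group("msg"))
            if err:
                entry["error_code"] = int(err.group("code"))
            if "completed successfully" in m.group("msg"):
                entry["completed"] = True
        else:
            p = PAM_RE.search(line)
            if p:
                pam_results.append((p.group("user").strip(), int(p.group("code"))))
    return dict(children), pam_results

def assess(children, pam_results):
    """'kdc_ok_pam_failed' is the thread's pattern: a krb5_child run obtained and
    validated a TGT yet pam_sss still returned a failure, so the password and the
    KDC are not the suspects and the client-side SSSD state is where to look."""
    kdc_ok = any(c["completed"] and c["error_code"] == 0 for c in children.values())
    pam_failed = any(code != 0 for _, code in pam_results)
    if kdc_ok and pam_failed:
        return "kdc_ok_pam_failed"
    return "auth_failed" if pam_failed else "ok"
```

Feed it the real krb5_child.log and auth.log lines from the affected client; a verdict of kdc_ok_pam_failed is the cue to try the cache reset discussed in the thread before suspecting the KDC or the password.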