AD trust and ACL on OUs
by Sigbjorn Lie-Soland
Hi list,
I have an issue with an AD one-way trust to IPA, where the AD is configured with a very specific set of ACLs on the various OUs where the user accounts live. Authenticated Users cannot search for all users in the AD LDAP directory. This is done as the AD is hosting a multi-tenant environment, and there exists a requirement for different customers' accounts not to be visible to everyone.
The issue for IPA is when SSSD is attempting to look up the user's details in AD via LDAP, using its trust account (cn=IPADOM$,cn=Users,dc=ad,dc=local). This trust account does not have the required permissions to search for all the users in the AD LDAP tree, the AD user is not found by SSSD, and is denied logon access.
As the IPADOM$ account is a special trust account, it is not possible to
add this account to the AD group which is normally used to grant access
to service accounts to read the entire AD LDAP directory.
I have verified the issue by obtaining a TGT with kinit using the /var/lib/sss/keytabs/AD-TRUST.keytab, and using ldapsearch -Y GSSAPI to run the exact LDAP query I noticed failing in the sssd log /var/log/sssd/sssd_ipa.dns.domain.log. The result is that the user is *not* found.
If I kinit administrator@AD.DOMAIN and run the exact same LDAP query using ldapsearch -Y GSSAPI, the user *is* found.
If (for testing purposes) the "Authenticated Users" group is granted access on the OUs containing the AD users, IPA+trust+SSSD works, is able to find the user, and the AD user is able to log on to Linux.
Any attempt to add the IPADOM$ account to the OUs' ACL has failed, as the user is a hidden account in AD.
So I wonder if it is possible to specify a different AD LDAP account for SSSD to use for its LDAP trust lookups towards AD? Or perhaps there is a better way to solve this issue?
Any pointers and advice is greatly appreciated.
Regards,
Siggi
6 years, 9 months
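The comparison described in the post (the same LDAP query as the trust account and as an ordinary AD account) as a script. This is an added example, not code from the original post or from SSSD; the keytab path, principal names, LDAP URI, base DN and filter are placeholders, and the real filter should be copied from the failing line in the SSSD domain log.

```python
"""Added example, not code from the original post: reproduce SSSD's AD user
lookup as two Kerberos identities and compare what each can see.

The same LDAP search is run once with a TGT from the SSSD trust keytab
(the IPADOM$ account) and once with an ordinary AD account. If the admin
run returns the user and the trust run returns nothing with result 0, the
query is fine and the OU ACL is what hides the user. The keytab path,
principals, LDAP URI, base DN and filter are placeholders (assumptions).
"""
import os
import re
import subprocess
import tempfile

# Placeholders, not values from the original post.
TRUST_KEYTAB = "/var/lib/sss/keytabs/ad.local.keytab"
TRUST_PRINC = "IPADOM$@AD.LOCAL"
ADMIN_PRINC = "administrator@AD.LOCAL"
LDAP_URI = "ldap://dc1.ad.local"
BASE_DN = "dc=ad,dc=local"
# Copy the exact filter SSSD logged in sssd_<ipa-domain>.log; this is a stand-in.
FILTER = "(&(objectClass=user)(sAMAccountName=jdoe))"


def parse_ldapsearch(output: str) -> dict:
    """Count 'dn:' entries and pull the 'result: <code> <text>' line out of
    ldapsearch output. A missing result line (e.g. SASL bind failure) gives -1."""
    entries = len(re.findall(r"^dn: ", output, flags=re.MULTILINE))
    m = re.search(r"^result: (\d+) (.*)$", output, flags=re.MULTILINE)
    return {
        "entries": entries,
        "result": int(m.group(1)) if m else -1,
        "text": m.group(2).strip() if m else "no result line",
    }


def diagnose(trust: dict, admin: dict) -> str:
    """Classify the pair of runs; a read-ACL problem looks like an empty but
    successful search for the trust account only."""
    if trust["entries"] > 0:
        return "ok: trust account can see the user"
    if trust["result"] != 0:
        return "error: trust-account search did not complete (bind or search failure)"
    if admin["entries"] > 0:
        return "acl: admin sees the user, trust account gets an empty result"
    if admin["result"] != 0:
        return "error: admin search did not complete"
    return "query: nobody finds the user, check the filter and base DN"


def kinit(ccache: str, principal: str, keytab: str = "") -> None:
    """Obtain a TGT into a private credential cache so the two identities
    never overwrite each other."""
    env = dict(os.environ, KRB5CCNAME=ccache)
    cmd = ["kinit"] + (["-kt", keytab] if keytab else []) + [principal]
    subprocess.run(cmd, env=env, check=True)


def ldap_search(ccache: str) -> dict:
    """Run the search over GSSAPI using the given credential cache."""
    env = dict(os.environ, KRB5CCNAME=ccache)
    cmd = ["ldapsearch", "-Y", "GSSAPI", "-H", LDAP_URI, "-b", BASE_DN, FILTER, "dn"]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    return parse_ldapsearch(proc.stdout + proc.stderr)


def main() -> None:
    with tempfile.TemporaryDirectory() as tmp:
        trust_cc, admin_cc = f"FILE:{tmp}/trust", f"FILE:{tmp}/admin"
        kinit(trust_cc, TRUST_PRINC, TRUST_KEYTAB)
        trust = ldap_search(trust_cc)
        kinit(admin_cc, ADMIN_PRINC)  # prompts for the AD password
        admin = ldap_search(admin_cc)
        print("trust account:", trust)
        print("admin account:", admin)
        print(diagnose(trust, admin))


if __name__ == "__main__":
    main()
```

Using a separate KRB5CCNAME per identity matters: the trust keytab's TGT and the administrator's TGT would otherwise overwrite each other in the default cache, and the second ldapsearch would silently run as the wrong principal.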
FreeIPA NFS4 Kerberos and Autofs Errors mounting user home directories
by Kofi ANSA AKUFO
Dear All
I am having difficulty getting the FreeIPA server (CentOS 7.3) and clients (CentOS 7.3 and Debian 9) to work.
Scenario
ipasvr2.inetcom.lan (centos7.3 hosting freeipa server)
nfs2.inetcom.lan (centos 7.3 freeipa client also running nfs server)
vpn.inetcom.lan (debian 9 freeipa client hosting open vpn)
Clients are joined to the realm and I can acquire and list tickets on both clients and server.
The issue is that user dirs mapping is not working when a user logs into the ipasvr2 or vpn hosts. They are able to log in but their user dirs are not mapped. However the directories are mounted when they log in to the nfs2 host. Below are the logs from /var/log/krb5kdc.log
Aug 26 03:14:24 ipasvr2.inetcom.lan krb5kdc[2454](info): closing down fd 12
Aug 26 03:14:24 ipasvr2.inetcom.lan krb5kdc[2453](info): TGS_REQ (3 etypes {18 1 23}) 10.7.7.4: ISSUE: authtime 1503717264, etypes {rep=18 tkt=18 ses=18}, host/ipasvr2.inetcom.lan@INETCOM.LAN for ldap/ipasvr2.inetcom.lan@INETCOM.LAN
Aug 26 03:14:24 ipasvr2.inetcom.lan krb5kdc[2453](info): closing down fd 12
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2456](info): AS_REQ (3 etypes {18 1 23}) 10.7.7.8: NEEDED_PREAUTH: host/nfs2.inetcom.lan@INETCOM.LAN for krbtgt/INETCOM.LAN@INETCOM.LAN, Additional pre-authentication required
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2456](info): closing down fd 12
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2454](info): AS_REQ (3 etypes {18 1 23}) 10.7.7.8: ISSUE: authtime 1503717278, etypes {rep=18 tkt=18 ses=18}, host/nfs2.inetcom.lan@INETCOM.LAN for krbtgt/INETCOM.LAN@INETCOM.LAN
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2454](info): closing down fd 12
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2455](info): TGS_REQ (3 etypes {18 1 23}) 10.7.7.8: ISSUE: authtime 1503717278, etypes {rep=18 tkt=18 ses=18}, host/nfs2.inetcom.lan@INETCOM.LAN for ldap/ipasvr2.inetcom.lan@INETCOM.LAN
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2455](info): closing down fd 12
and this from /var/log/messages
Aug 26 03:18:41 ipasvr2 automount[1228]: handle_packet_missing_indirect: token 93, name admin, request pid 3113
Aug 26 03:18:41 ipasvr2 automount[1228]: dev_ioctl_send_fail: token = 93
Aug 26 03:18:41 ipasvr2 automount[1228]: handle_packet: type = 3
Aug 26 03:18:41 ipasvr2 automount[1228]: handle_packet_missing_indirect: token 94, name admin, request pid 3113
Aug 26 03:18:41 ipasvr2 automount[1228]: dev_ioctl_send_fail: token = 94
Freeipa version 4.4.0
Grateful for any assistance to resolve this issue.
cheers
6 years, 9 months
Host does not have corresponding DNS A/AAAA record error when running ipa service-add
by Arnold Werschky
Hello all,
We're trying to install and integrate a Samba server with IPA.
Our install is going well, until we get to the command:
#> ipa service-add cifs/myshare.my.domain
I get the response:
#> ipa: ERROR: Host 'myshare.my.domain' does not have corresponding DNS A/AAAA record
Which is not true, because this command:
#> ipa dnsrecord-find my.domain myshare
returns:
Record name: myshare
A record: 10.X.XX.XXX
SSHFP record: 1 1 HASH, 1 2 HASH, 3 1 HASH, 3 2 HASH, 4 1 HASH, 4 2 HASH
----------------------------
Number of entries returned 1
----------------------------
Any ideas where to turn from here?
I'm running redhat 7.4 with latest updates, ipa-server-4.5.0-21.el7
6 years, 9 months
Centos/Redhat 7.4
by Lachlan Musicman
What version of IPA is available in 7.4?
cheers
L.
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "
*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857
6 years, 9 months
FreeIPA vault with ActiveDirectory user
by Bjoern Klimpel
Hi,
We use the following environment: OS CentOS 7.3 / latest FreeIPA 4.4.0
Is it possible to get access to the FreeIPA vault with an Active Directory user?
If yes, do you have a hint for me on how to do this, or where I can find documentation?
with best regards
Björn
6 years, 9 months
site server lookup query
by Craig H Silva (CenITex)
The circumstances/environment are a little unusual.
We have a secure zone in which Windows AD has read-only domain controllers as a security measure, which we use to authenticate against. The read-write DCs are firewalled off but are assigned the core roles (I'm more Linux than Windows; I forget what roles they are).
So we have a rhel 7.2 system sssd -1.13.0-40 and it has the following in its sssd.conf:
dns_discovery_domain = XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
ad_site = XX-XXX-XXX-PRIV
ad_enable_dns_sites = true
and it happily identifies the RODCs in the site XX-XXX-XXX-PRIV with an SRV query to _ldap._tcp.XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
On the other hand we have a SLES 12 SP2 system in the same zone, and when we configure it the same way, it cannot discover the RODCs in the XX-XXX-XXX-PRIV site, so we have worked around this by putting them in as ad_server entries.
The SLES 12 SP2 version of sssd is sssd-1.11.5.1.
Our preference is to not have to rely on hardcoded server addresses, so the RHEL config is preferred, and I imagine the SLES one will catch up as the updated versions are released on SLES. However, I was wondering how AD site discovery works and whether my assumption that the firewall is blocking that discovery (i.e. putting the site into the dns_discovery_domain setting) is correct.
Cheers
Craig Silva
Specialist Engineer
CenItex | Level 15, 80 Collins Street, Melbourne 3000
ph: +61 3 8688 1297 | mob: +61 429 365 609 | email: craig.silva@cenitex.vic.gov.au | www.cenitex.vic.gov.au
6 years, 9 months
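The DNS side of the site discovery asked about in the post, as an added example (not code from the original post or from SSSD). A site-aware client learns its site name from a CLDAP netlogon ping to any reachable DC, then queries the site-scoped SRV names before the domain-wide ones, and orders the answers by RFC 2782 priority and weight. The site name, domain and dig output below are constructed placeholders; the query names the script prints can be checked by hand with `dig +short SRV <name>` from both the RHEL and the SLES host, which separates a DNS problem from an SSSD-version problem.

```python
"""Added example, not code from the original post: the DNS side of AD site
discovery. A site-aware client (SSSD's AD provider among them) learns its
site from a CLDAP netlogon ping to a DC, looks up the site-scoped SRV
names before the domain-wide ones, and orders the answers by RFC 2782
priority and weight. Site, domain and dig output are constructed.
"""
import random

SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp")


def srv_names(site: str, domain: str) -> list:
    """SRV owner names in the order a site-aware client queries them:
    site-scoped first, domain-wide as the fallback."""
    site_scoped = [f"{svc}.{site}._sites.{domain}" for svc in SERVICES]
    domain_wide = [f"{svc}.{domain}" for svc in SERVICES]
    return site_scoped + domain_wide


def parse_dig_short(text: str) -> list:
    """Parse `dig +short SRV <name>` lines: '<prio> <weight> <port> <target>.'"""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_targets(records: list, rng=None) -> list:
    """RFC 2782 selection: lowest priority value first; within one priority,
    pick repeatedly at random with probability proportional to weight."""
    rng = rng or random.Random()
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                roll = rng.random() * total
                acc = 0
                for pick in pool:
                    acc += pick[1]
                    if roll < acc:
                        break
            pool.remove(pick)
            ordered.append(pick)
    return ordered


# Constructed answer for _ldap._tcp.<site>._sites.<domain>: two equally
# weighted DCs at priority 0 and a third at a lower preference (priority 10).
SAMPLE_DIG = """\
0 100 389 rodc1.domain.xx.xx.xx.
0 100 389 rodc2.domain.xx.xx.xx.
10 0 389 rwdc1.domain.xx.xx.xx.
"""

if __name__ == "__main__":
    for name in srv_names("XX-XXX-XXX-PRIV", "domain.xx.xx.xx"):
        print("dig +short SRV", name)
    for prio, weight, port, target in order_targets(parse_dig_short(SAMPLE_DIG)):
        print(f"{target}:{port} (priority {prio}, weight {weight})")
```

If the site-scoped names resolve from the SLES host but the domain-wide ones return DCs behind the firewall, the client falls through to those only after the site-scoped servers fail; a client that never learns its site (the CLDAP ping is UDP 389 to a DC) skips the site-scoped names entirely.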
password and keytab weirdness
by Kat
Hi all,
Has anyone seen this before:
1. User created, and being used for logins, no issues. Works just fine.
2. At one point, keytab file is retrieved via getkeytab, which also works.
3. After the keytab is retrieved, the password no longer seems to work???
Weirdness - am I missing something here? This can be repeated with any
user set to retrieve their keytab.
-K
6 years, 9 months
Preauthentication failed - what does this mean?
by Detlev Habicht
Hi,
I may have an IPA server which is a little bit broken (my NFS services don't work, I can't mount; the rest is working).
I see this messages:
ipa-client-install:
Kerberos authentication failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed
Installation failed. Force set so not rolling back changes.
krb5kdc.log:
Aug 23 10:49:26 pipa.ims.intern krb5kdc[2333](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: NEEDED_PREAUTH: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Additional pre-authentication required
Aug 23 10:49:26 pipa.ims.intern krb5kdc[2334](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: PREAUTH_FAILED: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Preauthentication failed
What does this mean? What can be broken on the IPA server?
Thanx for any help!
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht@ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
6 years, 9 months
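Reading the krb5kdc.log excerpts in Detlev's post and in Kofi's NFS4/autofs post above: a normal initial authentication is two lines, NEEDED_PREAUTH (the KDC asks the client to prove it holds the key) followed by ISSUE. NEEDED_PREAUTH followed by PREAUTH_FAILED and never ISSUE, as for host/pxe-122 above, means the key the client presented (its password or keytab) did not match the key the KDC holds for that principal. The following classifier over such lines is an added example, not code from either post or from MIT Kerberos; the sample log is constructed, modelled on the quoted excerpts.

```python
"""Added example, not code from the original posts: classify krb5kdc.log
AS_REQ lines per client principal.

A healthy initial authentication logs NEEDED_PREAUTH (the KDC demands an
encrypted-timestamp pre-auth) and then ISSUE. NEEDED_PREAUTH followed by
PREAUTH_FAILED and never ISSUE means the key the client used (password or
keytab) did not match the key stored in the KDC. The sample log is
constructed, modelled on the excerpts in Kofi's and Detlev's posts.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<etypes>\d+ etypes \{[^}]*\})\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"   # present on ISSUE lines only
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<msg>.*))?$"
)


def parse_line(line: str):
    """Return the fields of a request line, or None for noise such as
    'closing down fd'."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def verdict(s: dict) -> str:
    if s["preauth_failed"] and not s["issued"]:
        return "key mismatch: client key does not match the KDC's copy"
    if s["preauth_failed"]:
        return "mixed: some pre-auth failures, but tickets were issued"
    if s["issued"]:
        return "ok"
    return "incomplete: pre-auth requested, no outcome logged"


def summarize(lines) -> dict:
    """Per-client AS_REQ outcome counts plus a verdict. TGS_REQ lines are
    skipped: they only prove the client already holds a TGT."""
    stats = defaultdict(lambda: {"needed_preauth": 0, "preauth_failed": 0,
                                 "issued": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["req"] != "AS_REQ":
            continue
        s = stats[rec["client"]]
        s["sources"].add(rec["ip"])
        if rec["status"] == "NEEDED_PREAUTH":
            s["needed_preauth"] += 1
        elif rec["status"] == "PREAUTH_FAILED":
            s["preauth_failed"] += 1
        elif rec["status"] == "ISSUE":
            s["issued"] += 1
    for s in stats.values():
        s["sources"] = sorted(s["sources"])
        s["verdict"] = verdict(s)
    return dict(stats)


# Constructed sample, modelled on the posts' log excerpts.
SAMPLE_LOG = """\
Aug 26 03:14:24 ipasvr2.inetcom.lan krb5kdc[2453](info): TGS_REQ (3 etypes {18 1 23}) 10.7.7.4: ISSUE: authtime 1503717264, etypes {rep=18 tkt=18 ses=18}, host/ipasvr2.inetcom.lan@INETCOM.LAN for ldap/ipasvr2.inetcom.lan@INETCOM.LAN
Aug 26 03:14:24 ipasvr2.inetcom.lan krb5kdc[2453](info): closing down fd 12
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2456](info): AS_REQ (3 etypes {18 1 23}) 10.7.7.8: NEEDED_PREAUTH: host/nfs2.inetcom.lan@INETCOM.LAN for krbtgt/INETCOM.LAN@INETCOM.LAN, Additional pre-authentication required
Aug 26 03:14:38 ipasvr2.inetcom.lan krb5kdc[2454](info): AS_REQ (3 etypes {18 1 23}) 10.7.7.8: ISSUE: authtime 1503717278, etypes {rep=18 tkt=18 ses=18}, host/nfs2.inetcom.lan@INETCOM.LAN for krbtgt/INETCOM.LAN@INETCOM.LAN
Aug 23 10:49:26 pipa.ims.intern krb5kdc[2333](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: NEEDED_PREAUTH: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Additional pre-authentication required
Aug 23 10:49:26 pipa.ims.intern krb5kdc[2334](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: PREAUTH_FAILED: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Preauthentication failed
"""

if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {s}")
```

Run against a real log with `summarize(open("/var/log/krb5kdc.log").readlines())`; the source IP per principal is kept so a host principal failing from an address other than the host's own stands out.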
Free IPA/LDAP migration
by Ed Aiduc
Hi! I'm a newbie here. I just have a question with regards to LDAP.
I have two FreeIPA servers, one with LDAP and the other one with no LDAP on it. I wanted to transfer/migrate the LDAP config from one server to the other server with no LDAP. Is it possible?
I'm searching the internet but can't find any source I can use as a reference.
Hoping for your kind response.
Thank you!
6 years, 9 months
VPN -> Radius -> IPA Using two factor authentication
by Gabriel Faber
Hi All,
I'm trying to set up a Cisco/Meraki VPN appliance to authenticate to
FreeIPA using two factor authentication (I have Google Authenticator and
Yubikey set up and working in FreeIPA)
Meraki can do Radius to authenticate a user
I've set up a FreeRadius server and set it up to use FreeIPA as the
authentication source
I tried the following as the back end in Radius:
LDAP: can authenticate both with password and password+OTP, but if I
want to enforce OTP on VPN, I need to enforce OTP on all users, which is
not what we want
Kerberos: I've set up a 'vpn' principal and can enforce 2FA on it
First I got 'ERROR: krb5 : Error verifying credentials (-1765328174):
Generic preauthentication failure', so I set up 'Anonymous kerberos'
(which is an adventure by itself), but it's still not working
It might be possible to use Radius -> PAM, but I'm not sure how
Any help appreciated,
Gabriel
P.s. Meraki Wireless (WPA2-Enterprise) and 802.1x port security work
fine against the Radius server (No 2FA required)
--
Gabriel Faber
Senior Operations Engineer
SoundHound Inc.
408-441-3267
6 years, 9 months