FreeIPA PPC64LE builds
by Pieter Baele
Anyone have an idea what the timeline/roadmap is for a FreeIPA ipa-server PPC64LE
build for CentOS 7 (or RH IDM on RHEL 7/8)?
I only see some packages for PowerPC on Fedora and Ubuntu....
5 years, 6 months
Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials
by Alexander Bokovoy
On Tue, 13 Nov 2018, Mustafa Karci via FreeIPA-users wrote:
>Dear Alexander,
>
>The main intention is to set up a freeipa-server with a trust domain to
>a Windows 2019 AD server. So for all Windows environments we would like to use
>the Windows 2019 AD server and for all our Linux based servers we would like
>to use FreeIPA-server.
>
>From this point we have set up a basic Windows 2019 AD domain with the
>following realm ad.srv.world, and the FreeIPA server has the following
>realm ipa.srv.world.
>
>The Windows 2019 server also acts as the DNS server, where the
>freeipa-server has its own DNS rules and a forwarding rule enabled to
>zone ad.srv.world (Windows 2019 DNS server).
>
>
>From the ipa-server I ran the following command:
>
>ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
>
>All seems to be working OK on the ipa-server. But when trying to add the
>freeipa server to a Windows 2019 AD I'm getting the following error:
>
>ipa trust-add --type=ad ad.srv.world --admin Administrator --password
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
>
>Already tried to change permissions on the AD site, but group policy
>domain admin should be enough to set up a trusted domain between these
>two.
No, this is not (at least not yet) an AD-side issue. You need to look into
the Samba logs. Your excerpts from the logs below show that Samba is capable
of authenticating the connection from the IPA framework properly and
understands that this is a constrained delegation use (the HTTP/...
service principal acts on behalf of the 'admin' user principal). However, it
is not able to validate that the 'admin' user has enough permissions to
perform what is needed:
>Successfully validated Kerberos PAC
> pac_data: struct PAC_DATA
> num_buffers : 0x00000005 (5)
> version : 0x00000000 (0)
> buffers: ARRAY(5)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_INFO (1)
> _ndr_size : 0x000001a8 (424)
> info : *
> info : union PAC_INFO(case 1)
> logon_info: struct PAC_LOGON_INFO_CTR
> info : *
> info: struct PAC_LOGON_INFO
> info3: struct netr_SamInfo3
> base: struct netr_SamBaseInfo
> logon_time : NTTIME(0)
> logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
> allow_password_change : NTTIME(0)
> force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
> account_name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'admin'
> full_name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Administrator'
> logon_script: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> profile_path: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_directory: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_drive: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> logon_count : 0x0000 (0)
> bad_password_count : 0x0000 (0)
> rid : 0x000001f4 (500)
> primary_gid : 0x00000200 (512)
> groups: struct samr_RidWithAttributeArray
> count : 0x00000000 (0)
> rids : *
> rids: ARRAY(0)
> user_flags : 0x00000000 (0)
> 0: NETLOGON_GUEST
> 0: NETLOGON_NOENCRYPTION
> 0: NETLOGON_CACHED_ACCOUNT
> 0: NETLOGON_USED_LM_PASSWORD
> 0: NETLOGON_EXTRA_SIDS
> 0: NETLOGON_SUBAUTH_SESSION_KEY
> 0: NETLOGON_SERVER_TRUST_ACCOUNT
> 0: NETLOGON_NTLMV2_ENABLED
> 0: NETLOGON_RESOURCE_GROUPS
> 0: NETLOGON_PROFILE_PATH_RETURNED
> 0: NETLOGON_GRACE_LOGON
> key: struct netr_UserSessionKey
> key: ARRAY(16): <REDACTED SECRET VALUES>
> logon_server: struct lsa_StringLarge
> length : 0x0006 (6)
> size : 0x0008 (8)
> string : *
> string : 'DLP'
> logon_domain: struct lsa_StringLarge
>
>
>
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_NAME (10)
> _ndr_size : 0x00000014 (20)
> info : *
> info : union PAC_INFO(case 10)
> logon_name: struct PAC_LOGON_NAME
> logon_time : Mon Nov 12 04:01:01 PM 2018 CET
> size : 0x000a (10)
> account_name : 'admin'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
> _ndr_size : 0x000000d8 (216)
> info : *
> info : union PAC_INFO(case 11)
> constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
> info : *
> info: struct PAC_CONSTRAINED_DELEGATION
> proxy_target: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
> num_transited_services : 0x00000001 (1)
> transited_services : *
> transited_services: ARRAY(1)
> transited_services: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_SRV_CHECKSUM (6)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 6)
> srv_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
> [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_KDC_CHECKSUM (7)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 7)
> kdc_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
>
>
>I'm a bit stuck with this issue.
Can I see the logs after this point? Smbd/winbindd should go on to resolve
the 'admin' user using the system and then build a local NT token for it. That
one should have RID 512 in it, like the MS-PAC record above.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
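As an added example (not code from the thread or from Samba/FreeIPA), a small Python parser that pulls the fields Alexander refers to out of a Samba "pac_data" debug dump: account name, user RID, primary group RID, any extra group RIDs and the constrained-delegation principals, so the RID-512 comparison against the local NT token can be scripted. The embedded sample is a constructed, abbreviated excerpt modelled on the dump quoted above; the regexes assume Samba's ndr_print layout as shown there.

```python
import re

# Abbreviated excerpt modelled on the Samba debug dump quoted above; the
# field values match the post, but this text is constructed as test input.
SAMPLE_PAC_DUMP = """\
Successfully validated Kerberos PAC
    pac_data: struct PAC_DATA
        num_buffers : 0x00000005 (5)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_LOGON_INFO (1)
            account_name: struct lsa_String
                length : 0x000a (10)
                string : *
                string : 'admin'
            full_name: struct lsa_String
                string : 'Administrator'
            rid : 0x000001f4 (500)
            primary_gid : 0x00000200 (512)
            groups: struct samr_RidWithAttributeArray
                count : 0x00000000 (0)
                rids: ARRAY(0)
            logon_server: struct lsa_StringLarge
                string : 'DLP'
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_LOGON_NAME (10)
            account_name : 'admin'
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
            proxy_target: struct lsa_String
                string : 'HTTP/dlp.ipa.srv.world@IPA.SRV.WORLD'
            num_transited_services : 0x00000001 (1)
            transited_services: struct lsa_String
                string : 'cifs/dlp.ipa.srv.world@IPA.SRV.WORLD'
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_SRV_CHECKSUM (6)
        buffers: struct PAC_BUFFER
            type : PAC_TYPE_KDC_CHECKSUM (7)
"""

STRUCT_RE = re.compile(r"^\s*(\w+)\s*: struct (\w+)\s*$")
STRING_RE = re.compile(r"^\s*string\s*: '(.*)'\s*$")
TYPE_RE = re.compile(r"^\s*type\s*: (PAC_TYPE_\w+) \(\d+\)\s*$")
INT_RE = re.compile(r"^\s*(\w+)\s*: 0x[0-9a-fA-F]+ \((-?\d+)\)\s*$")


def parse_pac_dump(text):
    """Extract identity-relevant fields from a Samba 'pac_data' debug dump."""
    info = {"buffer_types": [], "strings": {}, "transited_services": [],
            "rid": None, "primary_gid": None, "group_count": None,
            "group_rids": []}
    cur_field = cur_struct = None  # innermost struct header seen so far
    for line in text.splitlines():
        m = STRUCT_RE.match(line)
        if m:
            cur_field, cur_struct = m.group(1), m.group(2)
            continue
        m = TYPE_RE.match(line)
        if m:
            info["buffer_types"].append(m.group(1))
            continue
        m = STRING_RE.match(line)
        if m and cur_field:
            if cur_field == "transited_services":   # one entry per hop
                info["transited_services"].append(m.group(1))
            else:
                info["strings"][cur_field] = m.group(1)
            continue
        m = INT_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name == "rid" and cur_struct == "samr_RidWithAttribute":
            info["group_rids"].append(value)      # extra group membership
        elif name == "rid":
            info["rid"] = value                   # the user's own RID
        elif name == "primary_gid":
            info["primary_gid"] = value
        elif name == "count" and cur_struct == "samr_RidWithAttributeArray":
            info["group_count"] = value
    return info


def rid_present(info, rid):
    """True if the PAC carries `rid` as user RID, primary group or group RID."""
    return rid in (info["rid"], info["primary_gid"]) or rid in info["group_rids"]


if __name__ == "__main__":
    pac = parse_pac_dump(SAMPLE_PAC_DUMP)
    print("account %r rid=%s primary_gid=%s groups=%s delegated via %s -> %s"
          % (pac["strings"].get("account_name"), pac["rid"], pac["primary_gid"],
             pac["group_rids"], pac["transited_services"],
             pac["strings"].get("proxy_target")))
    print("RID 512 present:", rid_present(pac, 512))
```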
5 years, 6 months
Re: ipa.service "fails" to start
by Florence Blanc-Renaud
On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote:
> Hi there,
>
> This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7.
>
> After reboot I couldn't start the ipa service via systemctl, hence I ran
> "ipactl start --ignore-service-failures" and this was kind of
> successful. I still have some discrepancies, and I'm looking for
> troubleshooting ideas.
>
> 1. "systemctl status ipa.service" reads that service failed
> 2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server
> is running.
Hi,
The PKI service status can be found using "systemctl status
pki-tomcatd@pki-tomcat.service".
More details on the differences between targets and units can be found
in the man pages for systemd.unit(5) and systemd.target(5).
> 3.
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED <---- !!
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
To troubleshoot, you can have a look at the output of
# systemctl status pki-tomcatd@pki-tomcat.service
and the logs in /var/log/pki/pki-tomcat/ca/debug.
I would start by checking if some certificates expired with getcert list
(check the status, should be MONITORING, and the expires: <date>).
HTH,
flo
>
> Well, why does pki-tomcatd read 'stopped', and how do I make systemctl
> recognize that the ipa service is running? Thanks in advance,
>
> Zarko
>
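An added example (not code from the thread, from certmonger or from FreeIPA) that scripts the two checks in the reply above: parse `getcert list` output and flag every tracked certificate whose status is not MONITORING or whose expiry date has passed or is close. The sample output is constructed, the nicknames and paths are made up, and the expiry format assumed is certmonger's "YYYY-MM-DD HH:MM:SS UTC" line.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output with three tracked requests
# (not taken from the original post; paths and nicknames are made up).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20170101120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2020-01-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20170101120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2019-06-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20170101120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2018-10-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+): ?(.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_timestamp(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC' (format assumed here)."""
    stamp = value.replace(" UTC", "").strip()
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracked request."""
    certs, cur = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            certs.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        cur[key] = value
        if key == "certificate":
            n = NICK_RE.search(value)
            cur["nickname"] = n.group(1) if n else None
        elif key == "expires":
            cur["expires_at"] = parse_timestamp(value)
    return certs


def find_problems(certs, now, warn_days=30):
    """Status must be MONITORING and expiry must lie in the future; `now` may
    be a datetime or a 'YYYY-MM-DD HH:MM:SS UTC' string."""
    if isinstance(now, str):
        now = parse_timestamp(now)
    problems = []
    for c in certs:
        ident = (c["request_id"], c.get("nickname"))
        if c.get("status") != "MONITORING":
            problems.append(ident + ("status is %s" % c.get("status"),))
        if c.get("stuck") == "yes":
            problems.append(ident + ("request is stuck",))
        exp = c.get("expires_at")
        if exp is None:
            problems.append(ident + ("no expiry date recorded",))
        elif exp <= now:
            problems.append(ident + ("expired on %s" % exp.date(),))
        elif exp - now <= timedelta(days=warn_days):
            problems.append(ident + ("expires within %d days" % warn_days,))
    return problems


if __name__ == "__main__":
    certs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for rid, nick, why in find_problems(certs, "2018-10-19 06:49:00 UTC"):
        print("%s (%s): %s" % (rid, nick, why))
```

On a real server feed it `getcert list` output captured with `getcert list > out.txt` and the current time; everything it prints is a request worth looking at in the certmonger and pki-tomcat logs.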
5 years, 6 months
LDAP - Zammad -> not offering all fields
by Tobi Berninger
Hey,
I have a FreeIPA 4.5.4 on a CentOS 7 up and running.
I already bound that IPA through LDAP to a Nextcloud installation.
Now I try to do the same with Zammad. Sadly it doesn't offer me the
right fields (first name, last name, mail and many more are missing).
I set up an extra LDAP sysaccount just for that reason, as it was described
here: https://www.freeipa.org/page/HowTo/LDAP
Any ideas what I was doing wrong?
Other users in the Zammad forum told me that Zammad is offering them the
fields I need, so I am quite convinced that the error is a
misconfiguration on my side. Sadly I didn't set the server up, I just try
to keep it running.
Thank you all for your help and I apologize for my English...
5 years, 6 months
Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials
by Mustafa Karci
Dear Alexander,
The main intention is to set up a freeipa-server with a trust domain to a Windows 2019 AD server. So for all Windows environments we would like to use the Windows 2019 AD server and for all our Linux based servers we would like to use FreeIPA-server.
From this point we have set up a basic Windows 2019 AD domain with the following realm ad.srv.world
And the FreeIPA server has the following realm ipa.srv.world
The Windows 2019 server also acts as the DNS server, where the freeipa-server has its own DNS rules and a forwarding rule enabled to zone ad.srv.world (Windows 2019 DNS server).
From the ipa-server I ran the following command:
ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
All seems to be working OK on the ipa-server. But when trying to add the freeipa server to a Windows 2019 AD I'm getting the following error:
ipa trust-add --type=ad ad.srv.world --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
Already tried to change permissions on the AD site, but group policy domain admin should be enough to set up a trusted domain between these two.
kinit admin
Password for admin@IPA.SRV.WORLD:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPA.SRV.WORLD
Valid starting Expires Service principal
11/13/2018 11:12:38 11/14/2018 11:12:36 krbtgt/IPA.SRV.WORLD@IPA.SRV.WORL
smbclient -L dlp.ipa.srv.world -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=10.50.1.103 bcast=10.50.1.255 netmask=255.255.255.0
Client started (version 4.7.1).
Connecting to 10.50.1.103 at port 445
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
SPNEGO login failed: {Access Denied} A proc
ipa/default.conf
[global]
host = dlp.ipa.srv.world
basedn = dc=ipa,dc=srv,dc=world
realm = IPA.SRV.WORLD
domain = ipa.srv.world
xmlrpc_uri = https://dlp.ipa.srv.world/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-IPA-SRV-WORLD.socket
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
mode = production
krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.SRV.WORLD
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPA.SRV.WORLD = {
kdc = dlp.ipa.srv.world:88
master_kdc = dlp.ipa.srv.world:88
admin_server = dlp.ipa.srv.world:749
default_domain = ipa.srv.world
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipa.srv.world = IPA.SRV.WORLD
ipa.srv.world = IPA.SRV.WORLD
dlp.ipa.srv.world = IPA.SRV.WORLD
[dbmodules]
IPA.SRV.WORLD = {
db_library = ipadb.so
}
/var/log/http/*
rpc reply data:
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dee40
s4_tevent: Cancel immediate event 0x7f45cc3dee40 "tevent_req_trigger"
Mapped to DCERPC endpoint 49152
added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0
added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dlp.ipa.srv.world<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f45cc3c41f0
s4_tevent: Running timer event 0x7f45cc3c41f0 "composite_trigger"
s4_tevent: Ending timer event 0x7f45cc3c41f0 "composite_trigger"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for admin@IPA.SRV.WORLD will expire in 86359 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Credential cache is empty
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dde50
s4_tevent: Cancel immediate event 0x7f45cc3dde50 "tevent_req_trigger"
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for host/DLP.IPA.SRV.WORLD failed (next[(null)]): NT_STATUS_LOGON_FAILURE
Failed to setup SPNEGO negTokenInit request: NT_STATUS_LOGON_FAILURE
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dd540
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f45cc3dd540
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: xx.xx.xx.xxx [49152,print,target_hostname=dlp.ipa.srv.world,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000,localaddress=xx.xx.xx.xxx] NT_STATUS_LOGON_FAILURE
s4_tevent: Destroying timer event 0x7f45cc3b9670 "dcerpc_connect_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3c5ef0
s4_tevent: Cancel immediate event 0x7f45cc3c5ef0 "tevent_req_trigger"
[Tue Nov 13 10:51:04.693630 2018] [:error] [pid 24146] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Tue Nov 13 10:51:04.693675 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Tue Nov 13 10:51:04.693689 2018] [:error] [pid 24146] result = command(*args, **options)
[Tue Nov 13 10:51:04.693700 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Tue Nov 13 10:51:04.693711 2018] [:error] [pid 24146] return self.__do_call(*args, **options)
[Tue Nov 13 10:51:04.693722 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Tue Nov 13 10:51:04.693733 2018] [:error] [pid 24146] ret = self.run(*args, **options)
[Tue Nov 13 10:51:04.693743 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Tue Nov 13 10:51:04.693754 2018] [:error] [pid 24146] return self.execute(*args, **options)
[Tue Nov 13 10:51:04.693765 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 726, in execute
[Tue Nov 13 10:51:04.693776 2018] [:error] [pid 24146] full_join = self.validate_options(*keys, **options)
[Tue Nov 13 10:51:04.693786 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 829, in validate_options
[Tue Nov 13 10:51:04.693797 2018] [:error] [pid 24146] self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Tue Nov 13 10:51:04.693808 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1557, in __init__
[Tue Nov 13 10:51:04.693818 2018] [:error] [pid 24146] self.__populate_local_domain()
[Tue Nov 13 10:51:04.693829 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1570, in __populate_local_domain
[Tue Nov 13 10:51:04.693840 2018] [:error] [pid 24146] ld.retrieve(installutils.get_fqdn())
[Tue Nov 13 10:51:04.693850 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 960, in retrieve
[Tue Nov 13 10:51:04.693861 2018] [:error] [pid 24146] self.init_lsa_pipe(remote_host)
[Tue Nov 13 10:51:04.693900 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 879, in init_lsa_pipe
[Tue Nov 13 10:51:04.693922 2018] [:error] [pid 24146] % dict(host=remote_host))
[Tue Nov 13 10:51:04.693933 2018] [:error] [pid 24146] ACIError: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
[Tue Nov 13 10:51:04.693944 2018] [:error] [pid 24146]
[Tue Nov 13 10:51:04.694550 2018] [:error] [pid 24146] ipa: INFO: [jsonserver_session] admin@IPA.SRV.WORLD: trust_add/1(u'ad.srv.world', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.228'): ACIError
[Tue Nov 13 10:51:04.696944 2018] [:error] [pid 24146] ipa: DEBUG: Destroyed connection context.ldap2_139937313614032
/var/log/samba/*
Successfully validated Kerberos PAC
pac_data: struct PAC_DATA
num_buffers : 0x00000005 (5)
version : 0x00000000 (0)
buffers: ARRAY(5)
buffers: struct PAC_BUFFER
type : PAC_TYPE_LOGON_INFO (1)
_ndr_size : 0x000001a8 (424)
info : *
info : union PAC_INFO(case 1)
logon_info: struct PAC_LOGON_INFO_CTR
info : *
info: struct PAC_LOGON_INFO
info3: struct netr_SamInfo3
base: struct netr_SamBaseInfo
logon_time : NTTIME(0)
logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
allow_password_change : NTTIME(0)
force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
account_name: struct lsa_String
length : 0x000a (10)
size : 0x000a (10)
string : *
string : 'admin'
full_name: struct lsa_String
length : 0x001a (26)
size : 0x001a (26)
string : *
string : 'Administrator'
logon_script: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
profile_path: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
home_directory: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
home_drive: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
rid : 0x000001f4 (500)
primary_gid : 0x00000200 (512)
groups: struct samr_RidWithAttributeArray
count : 0x00000000 (0)
rids : *
rids: ARRAY(0)
user_flags : 0x00000000 (0)
0: NETLOGON_GUEST
0: NETLOGON_NOENCRYPTION
0: NETLOGON_CACHED_ACCOUNT
0: NETLOGON_USED_LM_PASSWORD
0: NETLOGON_EXTRA_SIDS
0: NETLOGON_SUBAUTH_SESSION_KEY
0: NETLOGON_SERVER_TRUST_ACCOUNT
0: NETLOGON_NTLMV2_ENABLED
0: NETLOGON_RESOURCE_GROUPS
0: NETLOGON_PROFILE_PATH_RETURNED
0: NETLOGON_GRACE_LOGON
key: struct netr_UserSessionKey
key: ARRAY(16): <REDACTED SECRET VALUES>
logon_server: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'DLP'
logon_domain: struct lsa_StringLarge
buffers: struct PAC_BUFFER
type : PAC_TYPE_LOGON_NAME (10)
_ndr_size : 0x00000014 (20)
info : *
info : union PAC_INFO(case 10)
logon_name: struct PAC_LOGON_NAME
logon_time : Mon Nov 12 04:01:01 PM 2018 CET
size : 0x000a (10)
account_name : 'admin'
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
_ndr_size : 0x000000d8 (216)
info : *
info : union PAC_INFO(case 11)
constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
info : *
info: struct PAC_CONSTRAINED_DELEGATION
proxy_target: struct lsa_String
length : 0x0048 (72)
size : 0x0048 (72)
string : *
string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
num_transited_services : 0x00000001 (1)
transited_services : *
transited_services: ARRAY(1)
transited_services: struct lsa_String
length : 0x0048 (72)
size : 0x0048 (72)
string : *
string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_SRV_CHECKSUM (6)
_ndr_size : 0x00000010 (16)
info : *
info : union PAC_INFO(case 6)
srv_cksum: struct PAC_SIGNATURE_DATA
type : 0x00000010 (16)
signature : DATA_BLOB length=12
[0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_KDC_CHECKSUM (7)
_ndr_size : 0x00000010 (16)
info : *
info : union PAC_INFO(case 7)
kdc_cksum: struct PAC_SIGNATURE_DATA
type : 0x00000010 (16)
signature : DATA_BLOB length=12
I'm a bit stuck with this issue.
Kind regards
5 years, 6 months
How to import ca.crt in Chrome
by Kees Bakker
Hi,
When I import my FreeIPA's ca.crt in Google Chrome I'm getting
an error:
Certification Authority Import Error
Unable to parse file
How should I import the CERT in Google Chrome (version 71)?
BTW. The import works fine in Firefox (version 53)
--
Kees
5 years, 6 months
Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials
by Alexander Bokovoy
On Mon, 12 Nov 2018, Mustafa Karci via FreeIPA-users wrote:
>Dear Alexander,
>
>Is this issue still ongoing? Still getting the following error when
>freeipa server tries to join a Windows 2019 AD server.
>
>ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied
>your credentials
Could you please provide more details? The original thread was about
Samba AD and you are talking about Windows 2019 AD server.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5 years, 6 months
Creating proxy users for PWM. Which is better DN?
by Joyce Babu
I am trying to set up PWM to allow users to reset their password. I found the following guide on setting up PWM with FreeIPA:
https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 .
The above guide creates the pwmproxy and pwmtest users under cn=users,cn=accounts,dc=example,dc=com.
uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com
But FreeIPA documentation does not recommend creating such accounts as normal user accounts.
https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
Is it better to create the above accounts under cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo?
Or does PWM require that the pwm users also be created under the same base dn?
5 years, 6 months
sftp file browser causes 4 (System Error)
by Aaron Hicks
Hello the list,
We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a
client and FreeIPA 4.5.4 (ok, it's really RHIdM).
We had a lot of users having issues logging in and/or resetting their passwords
on a host with 2FA enabled, and it turns out that when they're using an advanced
SSH client (e.g. MobaXterm) that also starts an SFTP session they can't log in
and we see errors like:
Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user
testuser: 4 (System error)
Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for
testuser from remote.local
If the SFTP file browser is disabled, or its protocol is set to use SCP,
then logins progress normally.
In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule only
allows sshd services, so if these were the cause of the '4 (System error)'
failures then it'd be much better if the error reports were more meaningful.
Does anyone have any advice on setting up SFTP so that it works (and,
ideally, doesn't need repeated entry of credentials)?
Regards,
Aaron
5 years, 6 months