sssd version 2.2.3 issues with AD Trust View
by iulian roman
Hello everybody,
I have an IPA setup with AD trust configured and a Trust View defined on the IPA server. Everything works properly on Ubuntu 18 clients with sssd 1.16.1, but it doesn't on Ubuntu 20 with sssd version 2.2.3. I can list/query the AD accounts which are not part of the default Trust View, but not those accounts which have the id overridden in the Trust View.
Is that a known issue, or any idea what I need to change / where to look?
2 years, 11 months
Consumer failed to replay change Operations error (1)
by Alfred Victor
Hi FreeIPA,
We have some replication messages in our slapd errors log which look very
like the ones discussed here:
https://bugzilla.redhat.com/show_bug.cgi?id=1574602
I took a look and we do have the MemberOf plugin, but our version of 389-ds
is newer:
*389-ds-base-1.3.10.2-10.el7_9.x86_64*
Hoping someone might have a suggestion for what we might do to get rid of
these log messages, or what the root cause/impact may be? They've been
going on since at least a couple of weeks ago:
[15/Jun/2021:18:57:26.362094959 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_update_from_op_result - agmt="cn=redactedauth0001.redacted.com-to-redactedauth0003.redacted.com" (redactedauth0003:389): Consumer failed to replay change (uniqueid d5896001-39a111eb-8868efc8-91dc0b98, CSN 60c93bc2000400250000): Operations error (1). Will retry later.
I looked for this same uniqueid (they are ALL the same uniqueID) and
found this which is interesting and references a specific cn and
"optype":
>
> [03/Jun/2021:15:45:43.332068775 -0500] - ERR - NSMMReplicationPlugin - write_changelog_and_ruv - Can't add a change for cn=admin,cn=groups,cn=accounts,dc=redacted,dc=com (uniqid: d5896001-39a111eb-8868efc8-91dc0b98, optype: 8) to changelog csn 60b93f93005200230000
Alfred
2 years, 11 months
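One way to do the uniqueid correlation described above across a whole errors log, as an added example that is not from the post or from 389-ds itself: the two message formats and the sample lines are taken from the post (joined onto single lines), with one constructed repeat of the warning and one unrelated line added.

```python
import re
from collections import defaultdict

# Sample log: the WARN and ERR lines quoted in the post (joined onto single lines),
# plus one constructed repeat of the WARN line with a later timestamp and one
# unrelated INFO line that the grouping must ignore.
SAMPLE_LOG = """\
[15/Jun/2021:18:57:26.362094959 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_update_from_op_result - agmt="cn=redactedauth0001.redacted.com-to-redactedauth0003.redacted.com" (redactedauth0003:389): Consumer failed to replay change (uniqueid d5896001-39a111eb-8868efc8-91dc0b98, CSN 60c93bc2000400250000): Operations error (1). Will retry later.
[15/Jun/2021:19:02:26.000000000 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_update_from_op_result - agmt="cn=redactedauth0001.redacted.com-to-redactedauth0003.redacted.com" (redactedauth0003:389): Consumer failed to replay change (uniqueid d5896001-39a111eb-8868efc8-91dc0b98, CSN 60c93bc2000400250000): Operations error (1). Will retry later.
[03/Jun/2021:15:45:43.332068775 -0500] - ERR - NSMMReplicationPlugin - write_changelog_and_ruv - Can't add a change for cn=admin,cn=groups,cn=accounts,dc=redacted,dc=com (uniqid: d5896001-39a111eb-8868efc8-91dc0b98, optype: 8) to changelog csn 60b93f93005200230000
[15/Jun/2021:19:05:00.000000000 -0500] - INFO - NSMMReplicationPlugin - unrelated informational line
"""

# Supplier-side warning: the consumer could not apply a change for this entry.
REPLAY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - WARN - NSMMReplicationPlugin - .*?agmt="(?P<agmt>[^"]+)"'
    r'.*?Consumer failed to replay change \(uniqueid (?P<uid>[0-9a-f-]+), CSN (?P<csn>[0-9a-f]+)\)'
)
# Changelog error: names the entry DN and the optype of the failing change.
CHANGELOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - ERR - NSMMReplicationPlugin - write_changelog_and_ruv - "
    r"Can't add a change for (?P<dn>.+?) \(uniqid: (?P<uid>[0-9a-f-]+), optype: (?P<optype>\d+)\)"
    r" to changelog csn (?P<csn>[0-9a-f]+)"
)


def correlate(log_text):
    """Group both message kinds by entry uniqueid.

    Each record counts replay failures and collects the CSNs and agreements
    involved; if a changelog error was logged for the same entry it also
    carries the DN and optype, which is what identifies the stuck change.
    """
    by_uid = defaultdict(lambda: {"replay_failures": 0, "csns": set(),
                                  "agreements": set(), "dn": None, "optypes": set()})
    for line in log_text.splitlines():
        m = REPLAY_RE.match(line)
        if m:
            rec = by_uid[m["uid"]]
            rec["replay_failures"] += 1
            rec["csns"].add(m["csn"])
            rec["agreements"].add(m["agmt"])
            continue
        m = CHANGELOG_RE.match(line)
        if m:
            rec = by_uid[m["uid"]]
            rec["dn"] = m["dn"]
            rec["optypes"].add(int(m["optype"]))
            rec["csns"].add(m["csn"])
    return dict(by_uid)
```

Run it over the real errors log (`correlate(open(path).read())`) to see, per entry, how often the replay keeps failing and which DN and optype the changelog error points at.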
IPA RA expired, other certificates renewed
by Jan Bundesmann
Hi there,
I need some suggestions for a certificate related problem.
The setup has 2 servers, let's call them ldap1 and ldap2 with ldap1 being the primary system with the CA.
The certificates were to expire on June 15.
I checked on June 1st and on ldap1 certmonger had renewed all certificates; on ldap2 certmonger was not running.
So, I restarted the certmonger service and it began its work. `getcert list` shows three certificates (it's ipa 4.4, so that's probably correct).
Quite soon, the first certificate was renewed (HTTP/ldap2, ...). I assume that's the one for the web UI. A second one (ldap/ldap2...) is still valid until December. I assume that's why all the ldap related stuff and replication is still working.
But the cn=IPA RA expired one week ago (May 24th).
I have no ipa-cert-fix, would setting back the system clock still work? The HTTP/ldap2 certificate was not yet valid when the IPA RA certificate expired.
Or to put it the other way round: what happens if I don't renew this certificate - that's not quite clear to me. Currently, the system is working fine, replication works and in 2022 the hardware will be replaced, so we will set up new replicas anyway. But that's after the expiration date of the ldap/ldap2 certificate.
I hope this is understandable and thanks in advance for any hint.
2 years, 11 months
Doc suggestion: explicitly advise 'non-desktop' spins for freeipa-server*
by Harry G. Coin
Might the 'edition' (server, desktop, iot, whatnot) of the distribution
used in testing freeipa-server* be explicitly stated in the 'getting
started' docs as being 'approved' for freeipa-server use? The better
to avoid interactions with un-interaction-tested packages / security
libraries generally seen only in user/special-purpose distros. (re:
dnssec / bind9 / smart-card interaction)
HC
2 years, 11 months
AD Trust Types
by Ronald Wimmer
Quite some time ago I added a trust to another AD domain. IIRC I added
an "external trust" for a reason I do not remember.
What is the "Non-transitive external trust to a domain in another Active
Directory forest" trust type for? Could I not just have added another
"Active Directory domain" trust?
Any clarification on this matter would be highly appreciated!
Cheers,
Ronald
2 years, 11 months
DNS Locations and external DNS
by Ronald Wimmer
Is it sufficient to create DNS locations in IPA and do an ipa
dns-update-system-records --dry-run in order to populate new DNS zone
information to the external DNS system?
Apart from adding IPA clients to their respective locations, there is
nothing to do regarding DNS locations on IPA clients, right?
Cheers,
Ronald
2 years, 11 months
Cant login via AD user
by Konstantin Ignatev
Good day.
IPA - 4.9.4.
OS - Fedora 34.
I have established a trust relationship with the AD domain.
The list of domains is easily obtained by the command ipa trust-fetch-domains "example.com"
I can get a ticket using kinit username(a)example.com in CLI.
I can not log into the server using the AD account from UI.
With exactly the same installation but on CentOS 7 + IPA 4.6.8 there are no similar problems.
In /var/log/httpd/error_log
[Sun Jun 13 15:51:14.045718 2021] [wsgi:error] [pid 2312:tid 2815] [remote 172.17.51.252:8946] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844988): KDC returned error string: PROCESS_TGS
In /var/log/krb5kdc.log
Jun 13 15:51:13 freeipa-master.ipa.example.com krb5kdc[2256](info): AS_REQ (3 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23)}) 172.17.252.121: REFERRAL: aduser\@example.com(a)IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM, Realm not local to KDC
/etc/krb.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
[realms]
IPA.EXAMPLE.COM = {
kdc = freeipa-master.ipa.example.com:88
master_kdc = freeipa-master.ipa.example.com:88
admin_server = freeipa-master.ipa.example.com:749
default_domain = ipa.example.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
auth_to_local = DEFAULT
}
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
freeipa-master.ipa.example.com = IPA.EXAMPLE.COM
[dbmodules]
IPA.EXAMPLE.COM = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
/etc/sssd/sssd.conf
[domain/ipa.example.com]
krb5_use_kdcinfo = False
krb5_use_fast = never
id_provider = ipa
ipa_server_mode = True
ipa_server = freeipa-master.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = freeipa-master.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo
domains = ipa.example.com
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
I would be grateful for any help
2 years, 11 months
Cant login via AD from UI Freeipa
by Константин
Good day.
IPA - 4.9.4.
OS - Fedora 34.
I have established a trust relationship with the AD domain.
The list of domains is easily obtained by the command ipa
trust-fetch-domains "example.com"
I can get a ticket using kinit username(a)example.com in CLI.
I can not log into the server using the AD account from UI.
With exactly the same installation but on CentOS 7 + IPA 4.6.8 there
are no similar problems.
In /var/log/httpd/error_log
[Sun Jun 13 15:51:14.045718 2021] [wsgi:error] [pid 2312:tid 2815] [remote 172.17.51.252:8946] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844988): KDC returned error string: PROCESS_TGS
In /var/log/krb5kdc.log
Jun 13 15:51:13 freeipa-master.ipa.example.com krb5kdc[2256](info): AS_REQ (3 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23)}) 172.17.252.121: REFERRAL: aduser\@example.com(a)IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM, Realm not local to KDC
/etc/krb.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
[realms]
IPA.EXAMPLE.COM = {
kdc = freeipa-master.ipa.example.com:88
master_kdc = freeipa-master.ipa.example.com:88
admin_server = freeipa-master.ipa.example.com:749
default_domain = ipa.example.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
auth_to_local = DEFAULT
}
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
freeipa-master.ipa.example.com = IPA.EXAMPLE.COM
[dbmodules]
IPA.EXAMPLE.COM = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
/etc/sssd/sssd.conf
[domain/ipa.example.com]
krb5_use_kdcinfo = False
krb5_use_fast = never
id_provider = ipa
ipa_server_mode = True
ipa_server = freeipa-master.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = freeipa-master.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo
domains = ipa.example.com
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
I would be grateful for any help
2 years, 11 months
Redhat Idm/IPA cross domain trust problems
by thing.thing@gmail.com
Hi,
I have RH's version of freeipa
(ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64) working fine. RHEL8, RHEL7,
Debian10.9, Ubuntu20LTS and CentOS7 clients work perfectly OK with IPA for users in
IPA.
For the cross domain trust however only RHEL8 and RHEL7 work. Debian10.9, Ubuntu20LTS and
CentOS7 fail for the AD user, who cannot ssh in.
Is there any config I need to do to get 3rd party Linux to work with a trust? Just
wondering if I have missed a package? config? steps?
Or does it just not work?
rhel7 secure log showing success,
8><----
Jun 9 16:40:55 rhel7a sshd[9339]: pam_sss(sshd:auth): authentication success; logname=
uid=0 euid=0 tty=ssh ruser= rhost=v1.ods.vuw.ac.nz user=linuxuser2(a)vuwtest.ac.nz
Jun 9 16:41:04 rhel7a sshd[9336]: Accepted keyboard-interactive/pam for
linuxuser2(a)vuwtest.ac.nz from 10.100.32.67 port 48
Jun 9 16:41:04 rhel7a sshd[9336]: pam_unix(sshd:session): session opened for user
linuxuser2(a)vuwtest.ac.nz by (uid=0)
[root@rhel7a ~]#
8><---
centos7 secure log,
8><---
[root@centos7a ~]# tail -50f /var/log/secure
Jun 9 17:15:24 centos7a sshd[1812]: Invalid user linuxuser2(a)vuwtest.ac.nz from
10.100.32.67 port 53880
Jun 9 17:15:24 centos7a sshd[1812]: input_userauth_request: invalid user
linuxuser2(a)vuwtest.ac.nz [preauth]
Jun 9 17:15:24 centos7a sshd[1812]: Postponed keyboard-interactive for invalid user
linuxuser2(a)vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2 [preauth]
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): check pass; user unknown
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=10.100.32.67
Jun 9 17:15:37 centos7a sshd[1812]: error: PAM: User not known to the underlying
authentication module for illegal user linuxuser2(a)vuwtest.ac.nz from 10.100.32.67
Jun 9 17:15:37 centos7a sshd[1812]: Failed keyboard-interactive/pam for invalid user
linuxuser2(a)vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2
Jun 9 17:15:37 centos7a sshd[1812]: Postponed keyboard-interactive for invalid user
linuxuser2(a)vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2 [preauth]
8><---
2 years, 11 months