problem allowing Windows Active Directory users to access SMB shares on IPA client machine (IPA has trust with AD)
by Thomas Handler
Hi all,
I am facing a problem I got stuck upon.
We have the following setup:
             +-----------+
             |    AD     |
             +-----------+
                   ^
                   |
             +-----------+      +-----------+
             |  ums012   |      |  ums029   |
             |   IPA     |      | smbclient |
             +-----------+      +-----+-----+
                   ^                  |
                   |                  |
             +-----------+            |
             |  ums025   |            |
             |   samba   |<-----------+
             +-----------+
IPA has a trust established with AD which is working fine. Active Directory users can logon on Linux machines which are connected to IPA, `id some-ad-user` properly shows the AD groups.
ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9.
ums029 is used as a test client via smbclient.
ums025 was set up following the instructions in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
Setup worked fine, all steps went OK.
But when I switch over to ums029 and try to verify with an AD user I get
kinit <ad user>
smbclient -L ums025.idm.example.com -U <ad user> --use-kerberos=required
Password for [<ad user>@EXAMPLE.COM]:
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/ums025.idm.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
whereas this is working fine when running the verification as IPA user.
I tried finding hints in the logs but was unsuccessful, thus I’m writing to the list.
Best regards,
Thomas
3 months
disable OTP authentication on specific hosts
by Giuseppe Calò
Hi all, the default user authentication method that we use is only: "Two factor authentication (password + OTP)"
Therefore the users can access a host or service (LDAP) by OTP.
We are looking for a way to disable OTP on a specific host or for ldap queries.
Can you help me?
Thanks
———————————————————————————————————————
Giuseppe Calò
Fondazione CMCC
Centro Euro-Mediterraneo sui Cambiamenti Climatici presso Complesso Ecotekne
Università del Salento - Strada Prov.le Lecce - Monteroni 73100 Lecce IT
http://www.cmcc.it
https://goo.gl/maps/wtahPDbNVen
mobile: (+39) 3208190020
email: giuseppe.calo(a)cmcc.it
The information contained in this e-mail message and in any attachments is reserved and confidential: its dissemination in any way or form is prohibited (GDPR 2016/679).
If you are not the intended recipient of this message, please do not disseminate it and delete it, kindly informing the sender.
The information included in this e-mail and any attachments are confidential and may also be privileged (GDPR 2016/679).
If you are not the correct recipient, you are kindly requested to notify the sender immediately, to cancel it and not disclose the contents to any other person.
3 months, 1 week
Seeking Advice: Limiting User Access in FreeIPA Web Interface
by Carlos Eduardo Porter
Hello,
I hope this message finds you well. I'm currently working on deploying
FreeIPA for a small company and have encountered a challenge that I’d like
to share with you, hoping to confirm if I'm on the right track.
My objective is to restrict access within the FreeIPA web interface,
specifically, I want to ensure that only members of a group named
"managers" can view information about other accounts and groups on the
FreeIPA server.
I am aware that this issue might seem familiar as it has been discussed in
this forum previously. Nonetheless, I'm bringing it up again with the
intention of finding a solution that could benefit others facing similar
challenges.
From what I've gathered over the years, altering the default permissions in
FreeIPA, which allow access to all accounts, could potentially lead to more
complications (refer to [1] for details). However, there seems to be a
possibility of achieving this through the correct configuration of
permissions, privileges, and roles in FreeIPA. For instance, setting up
filters that permit a user to view only their own account information.
Despite my efforts, I haven’t been successful in implementing this so far.
Here’s an example of what I've tried:
# Adds a new permission named 'Self Only Access' allowing read, search, and
# compare rights limited to user's own attributes
ipa permission-add 'Self Only Access' --right={'read','search','compare'} \
    --type=user --attrs={'uid','mail','title'} --filter="(uid=\${user})"
# Creates a new privilege called 'Self Read User Privilege'
ipa privilege-add 'Self Read User Privilege' --desc="Privilege for Self Read User"
# Adds the 'Self Only Access' permission to the 'Self Read User Privilege'
ipa privilege-add-permission 'Self Read User Privilege' --permissions='Self Only Access'
# Creates a new role named 'CustomSelfReadUserRole' with a description for
# the self-read privilege
ipa role-add 'CustomSelfReadUserRole' --desc='Role with Self Read User Privilege'
# Associates the 'Self Read User Privilege' with the 'CustomSelfReadUserRole'
ipa role-add-privilege 'CustomSelfReadUserRole' --privileges='Self Read User Privilege'
# Displays the details of the 'CustomSelfReadUserRole'
ipa role-show 'CustomSelfReadUserRole'
# Adds specific users ('user1' and 'user2') as members of the 'CustomSelfReadUserRole'
ipa role-add-member 'CustomSelfReadUserRole' --users={'user1','user2'}
This approach is partly based on a blog entry by Alexander Bokovoy ([2])
about creating permissions in FreeIPA.
Another more drastic measure involves modifying Apache2 to use mod_ldap and
restricting access to the FreeIPA API, as shown below:
# Creating a new configuration file for Apache2 with LDAP settings
cat > /etc/httpd/conf.d/ldap.conf <<'EOF'
# Loading necessary modules for LDAP and GSSAPI authentication
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
# Configuration settings for the location '/ipa'
<Location "/ipa">
    # Setting the authentication type to Basic
    AuthType Basic
    # Naming the restricted access area for clarity
    AuthName "FreeIPA Restricted Access"
    # Specifying LDAP as the provider for basic authentication
    AuthBasicProvider ldap
    # Configuring LDAP bind credentials (username and password)
    AuthLDAPBindDN "uid=<username>,cn=users,cn=accounts,dc=example,dc=com"
    AuthLDAPBindPassword "<secret>"
    # Disabling LDAP referrals (redirects to other servers for authentication)
    LDAPReferrals Off
    # Specifying an empty user file; authentication is done against LDAP
    AuthUserFile /dev/null
    # Defining the LDAP URL with a filter for user ID (uid)
    AuthLDAPURL "ldaps://freeipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid" NONE
    # Configuring LDAP group attributes for authorization checks
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # Restricting access to members of the 'managers' group in LDAP
    Require ldap-group cn=managers,cn=groups,cn=accounts,dc=example,dc=com
</Location>
EOF
However, this setup doesn't work either since I end up with a blank page
after authentication with the Apache2 server and can't load the login page
for FreeIPA.
I'm also considering an approach similar to one discussed in a previous
conversation ([3]), but I’m uncertain about its applicability in my
situation.
I would greatly appreciate any advice or recommendations on how to either
allow web interface access solely to the "managers" group or set up
permissions in FreeIPA so that users are unable to browse/see/find other
user accounts in the LDAP directory (excluding the bind user account, of
course).
Thank you for your time and expertise.
Best regards,
Carlos Porter.
References:
[1] [Restrict User Access - FreeIPA Users Mailing List](https://freeipa-users.redhat.narkive.com/AYqO5sQr/restrict-user-access)
[2] [Creating Permissions in FreeIPA - Alexander Bokovoy's Blog](https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/)
[3] [FreeIPA Users Mailing List Archive](https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...)
3 months, 1 week
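Whatever permission or ACI approach is chosen for the post above, the thing worth checking is the observable effect: a user outside "managers" should get back nothing but their own entry when they search the users container. The snippet below is an added example, not part of the post or of FreeIPA itself. It defines a small checker that reads LDIF from an ldapsearch run as the restricted user and reports whether any other account's uid came back; the hostname, base DN and user names are placeholders matching the post's example.com layout, and the two LDIF samples are constructed stand-ins for a correct and a leaky result.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a non-manager user,
# once the self-only permission is in place, can read only their own entry.
# check_self_only reads LDIF on stdin and returns 0 only if every 'uid:'
# attribute in the result equals the expected login name.
check_self_only() {
    expected="$1"
    # Count uid values that are NOT the expected one ('|| true' keeps a zero
    # count from being reported as a failure by grep under 'set -e').
    others=$(sed -n 's/^[Uu][Ii][Dd]: //p' | grep -cvx -- "$expected" || true)
    [ "$others" -eq 0 ]
}

# Live check, run on an enrolled client after 'kinit user1' (placeholders:
# freeipa.example.com, the base DN and user1 are assumed, not from the post):
#   ldapsearch -LLL -Y GSSAPI -H ldaps://freeipa.example.com \
#       -b cn=users,cn=accounts,dc=example,dc=com '(objectclass=posixaccount)' uid \
#       | check_self_only user1 && echo "user1 sees only user1"

# Constructed LDIF samples standing in for two possible ldapsearch results.
SELF_ONLY_LDIF='dn: uid=user1,cn=users,cn=accounts,dc=example,dc=com
uid: user1
'
LEAKY_LDIF='dn: uid=user1,cn=users,cn=accounts,dc=example,dc=com
uid: user1

dn: uid=user2,cn=users,cn=accounts,dc=example,dc=com
uid: user2
'
# Wrappers feeding the constructed samples through the checker.
self_only_result() { printf '%s' "$SELF_ONLY_LDIF" | check_self_only user1; }
leaky_result()     { printf '%s' "$LEAKY_LDIF"     | check_self_only user1; }
```

The checker looks only at `uid:` attribute lines, so the `dn:` line of the user's own entry does not trip it; a second entry with a different uid does. Running it with a Kerberos-authenticated ldapsearch (rather than an anonymous bind) is what makes it a test of the permission actually granted to that user.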
ipa-replica-install fails during initial replication
by Markus Rexhepi-Lindberg
The replication step fails while installing a new ipa replica server.
Some facts:
* Both servers running version 4.9.12.
* Both servers running RHEL 8.9
* Master located in Sweden and replica located in USA.
* Actual domain has been substituted with "example.com".
Some logs:
= replica =
replica# ipa-replica-install --verbose --setup-dns --forwarder 10.0.2.200 --forwarder 10.0.2.201 --forwarder 10.0.2.202 --setup-ca
...
Created connection context.ldap2_140175491229624
Fetching nsDS5ReplicaId from master [attempt 1/5]
retrieving schema for SchemaCache url=ldap://se-rhidm02x.se.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f7d2304e278>
Successfully updated nsDS5ReplicaId.
Add or update replica config cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config
Added replica config cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config
update_entry modlist [(0, 'nsDS5ReplicaBindDN', [b'cn=ldap/se-rhidm02x.se.example.com(a)LNX.EXAMPLE.COM,cn=config'])]
Add or update replica config cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config
No update to cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config necessary
Waiting up to 300 seconds for replication (ldap://se-rhidm02x.se.example.com:389) cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
Entry found [LDAPEntry(ipapython.dn.DN('cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTousidc1-rhidm01x.idc1.us.example.com'], 'nsDS5ReplicaHost': [b'usidc1-rhidm01x.idc1.us.example.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=lnx,dc=example,dc=com'], 'description': [b'me to usidc1-rhidm01x.idc1.us.example.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "red", "ldap_rc": "-2", "ldap_rc_text": "Local error", "repl_rc": "16", "repl_rc_text": "connection error", "date": "2024-02-15T14:35:36Z", "message": "Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-LNX-EXAMPLE-COM.socket) cn=meTose-rhidm02x.se.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
Entry found [LDAPEntry(ipapython.dn.DN('cn=meTose-rhidm02x.se.example.com,cn=replica,cn=dc\=lnx\,dc\=example\,dc\=com,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meTose-rhidm02x.se.example.com'], 'nsDS5ReplicaHost': [b'se-rhidm02x.se.example.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=lnx,dc=example,dc=com'], 'description': [b'me to se-rhidm02x.se.example.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2024-02-15T14:35:28Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ldap://se-rhidm02x.se.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]
replica# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/errors
...
[15/Feb/2024:09:35:58.128874085 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTose-rhidm02x.se.example.com" (se-rhidm02x:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
...
replica# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/access
...
[15/Feb/2024:09:35:28.821998361 -0500] conn=6 fd=119 slot=119 connection from 10.0.13.145 to 192.168.224.21
[15/Feb/2024:09:35:28.827100928 -0500] conn=6 op=0 UNBIND
[15/Feb/2024:09:35:28.827120206 -0500] conn=6 op=0 fd=119 closed error - U1
...
= master =
master# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/access
...
[15/Feb/2024:15:35:44.803292478 +0100] conn=37567 op=31 SRCH base="cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsds5BeginReplicaRefresh nsds5replicaLastInitStart cn nsds5replicaLastInitStatusJSON nsds5replicaLastInitEnd nsds5replicaUpdateInProgress nsds5replicaLastInitStatus"
[15/Feb/2024:15:35:44.803737834 +0100] conn=37567 op=31 RESULT err=0 tag=101 nentries=1 wtime=0.000219465 optime=0.000451462 etime=0.000669200
[15/Feb/2024:15:35:45.170456864 +0100] conn=37383 op=16 UNBIND
[15/Feb/2024:15:35:45.170486056 +0100] conn=37383 op=16 fd=273 closed error - U1
...
master# cat /var/log/dirsrv/slapd-LNX-EXAMPLE-COM/errors
...
[15/Feb/2024:15:35:37.160764934 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 1 seconds.
[15/Feb/2024:15:35:38.274695202 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 2 seconds.
[15/Feb/2024:15:35:40.388281036 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 3 seconds.
[15/Feb/2024:15:35:43.503252882 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 4 seconds.
[15/Feb/2024:15:35:47.618537566 +0100] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -2, retrying in 5 seconds.
...
3 months, 1 week
FreeIPA - access restriction
by Zdravko Nikolaev
Hello everyone,
I've looked up old threads and tried to find some applicable solution but I'm kind of stuck so any advice would be appreciated.
I'm trying to deploy a new FreeIPA installation, currently running on CentOS 9 Stream. I'm using iptables for the firewall and I have allowed only certain IPs and ports. My idea was to block ports 80 and 443 for the whole world and allow only certain IPs via the httpd config file by adding "Require IP 1.1.1.1" (example IP) inside the <Directory "/var/www"> and <Directory "/var/www/html"> blocks. That worked and I'm able to access the main page from that IP while other IPs are not loading at all; however, when I try to log in, the authentication process is not going through.
Example log of fail:
[remote 1.1.1.1:60676] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='test.com', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ffb12100d60>: Failed to establish a new connection: [Errno 110] Connection timed out'))
For the iptables I have a script inputting the rules which looks like this:
/sbin/iptables -F
/sbin/iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 1.1.1.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p udp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -j DROP
/sbin/iptables-save
The question is, how to keep ports 80 and 443 (the web access in general) restricted only to certain IPs and not the whole world, while still being able to use all functionalities of the FreeIPA server, like logging in and working with the graphical UI?
*I have installed our own verified SSL certificate
Also for the ports, do I need to have 389, 636 and 88 open all the time, and how secure are the services behind those ports?
Any input would be appreciated.
Thank you
3 months, 1 week
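The failing request in the log above is made by the IPA server to its own FQDN ("host='test.com', port=80 ... /ipa/session/cookie"), and the posted rule set only admits loopback traffic by source address (127.0.0.0/24). A connection to the host's own public address is also delivered over the loopback interface, but with the public IP as source, so it falls through to the final DROP. The generator below is an added example, not the poster's script and not part of FreeIPA: it emits an INPUT policy in iptables-restore syntax where loopback is matched by interface, the web ports are reachable only from an allow-list, and the LDAP and Kerberos ports are limited to the networks where enrolled clients live. All addresses and networks are constructed placeholders, and port 464 (kpasswd) is added from the standard FreeIPA port list rather than from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: build an INPUT chain where the web
# ports are reachable only from an allow-list while the server can still reach
# its own FQDN (the /ipa/session/cookie self-request seen in the log).
# Addresses below are constructed placeholders.
ALLOWED_WEB_CLIENTS="1.1.1.1"     # workstations allowed to use the web UI
IPA_CLIENT_NETS="10.0.0.0/8"      # enrolled hosts needing LDAP/Kerberos

# Emit rules to stdout in iptables-restore syntax. Review the output, then
# feed it to 'iptables-restore' instead of flushing and re-adding rules live.
ipa_input_rules() {
    clients="$1"; nets="$2"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]'
    # Match loopback by interface, not by 127/8 source: a connection to the
    # host's own public address also arrives on lo, with that IP as source.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for ip in $clients; do
        printf '%s\n' "-A INPUT -s $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    for net in $nets; do
        # LDAP, LDAPS, Kerberos and kpasswd only from enrolled-client networks.
        printf '%s\n' "-A INPUT -s $net -p tcp -m multiport --dports 389,636,88,464 -j ACCEPT"
        printf '%s\n' "-A INPUT -s $net -p udp -m multiport --dports 88,464 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Helpers for sanity-checking the generated policy before loading it.
web_rule_count() { ipa_input_rules "$1" "$2" | grep -c -- '--dports 80,443'; }
# Returns 0 if any web-port rule lacks a source restriction (i.e. is world-open).
has_open_web_rule() {
    ipa_input_rules "$1" "$2" | grep -v -- '-s ' | grep -q -- '--dports 80,443'
}

# Usage:  ipa_input_rules "$ALLOWED_WEB_CLIENTS" "$IPA_CLIENT_NETS" > /tmp/ipa.rules
#         iptables-restore < /tmp/ipa.rules
```

Whatever list of client addresses is used here also has to appear in the httpd `Require ip` list, since the server's own address is what the web framework connects from when it fetches the session cookie during login.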
Locked users synchronisation
by Ales Rozmarin
Hi guys,
I'm not sure if this is OK or not. I have two FreeIPA servers and when a user gets locked I can see this only on one server. I checked ipa-healthcheck and both servers are working OK. Do I have to change any settings for that, or is this how the system works? In future I'm planning to add a few more servers and I think when a user gets locked it won't be very convenient to go through 4-5 servers to find the locked user.
I'm running IPA 4.10.2 on Rocky 9.3.
I read a post from 7 years ago saying that this is how the system works, but I wonder if anything has changed since then?
Regards
Ales
3 months, 1 week
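The replication agreement printed in the ipa-replica-install post earlier on this page shows why lockout state differs per server: its nsDS5ReplicatedAttributeList excludes krblastfailedauth and krbloginfailedcount, so each server keeps its own failed-login counters. The snippet below is an added example (not from either post and not FreeIPA code) that parses such an agreement value, using the exact string from that post as constructed input, and answers whether a given attribute is replicated under it.

```shell
#!/bin/sh
# Added example: read the fractional replication list of a 389-ds agreement
# and report which attributes are deliberately NOT replicated. The value is
# copied from the agreement shown in the ipa-replica-install post on this page.
AGMT_ATTR_LIST='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'

# Print the excluded attribute names, one per line (nothing if no EXCLUDE part).
excluded_attrs() {
    printf '%s\n' "$1" \
        | sed -n 's/.*\$[[:space:]]*EXCLUDE[[:space:]]*//p' \
        | tr ' ' '\n' | grep -v '^$'
}

# Exit 0 if ATTR is replicated under this agreement, 1 if it is excluded.
# Attribute names are compared case-insensitively, as LDAP does.
is_replicated() {
    list="$1"; attr="$2"
    if excluded_attrs "$list" | grep -qix -- "$attr"; then
        return 1
    fi
    return 0
}

# Live use on a server, to read the real agreements (suffix DN is site-specific):
#   ldapsearch -LLL -Y GSSAPI -b 'cn=mapping tree,cn=config' \
#       '(objectclass=nsds5replicationagreement)' nsDS5ReplicatedAttributeList
# With the list above, 'is_replicated "$AGMT_ATTR_LIST" krbloginfailedcount'
# returns 1: a lockout counter seen on one replica is local to that replica.
```

Because the counters are per server, checking lockout state means asking each server rather than expecting one to reflect the others; the agreement value itself is the authoritative record of which attributes behave that way.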
FreeIPA 4.11.1 radius proxy auth timeout
by Lenard Pasztor
Hi All!
I've just configured FreeIPA with duo authproxy. I assigned a user to use this radius proxy.
When I try to log in to the FreeIPA admin UI it is successful when the mobile push is received shortly and I have time to accept the login with my mobile device.
So there is a timeout problem. I've tried to search this mailing list and found some old mails on this topic, but they did not help.
I've found the ipa-otpd logs and I see that ipa-otpd always reports Access-Accept, but usually it is too late and the FreeIPA admin UI reports auth failed.
Can somebody tell me where I can configure the timeout?
I've also tried to set up the password+radius auth on an enrolled Linux host. I can log in the user with password auth, but when I set radius auth in the "Authentication indicators" section of the enrolled host the user can't log in and does not receive the 2FA push.
How can I debug this?
Thanks!
3 months, 1 week