Authenticating users with a different UPN suffix in an AD trust configuration
by Robert Sturrock
Hi All,
We have IPA running in a one-way trust with our AD and it’s working well. However, there are a number of users who belong to an affiliated institution who are nonetheless present in our AD, but with a different UPN suffix to the trust domains. The particulars are:
IPA realm: IPA.LOCALDOMAIN
AD realms: STAFF.LOCALDOMAIN, STUDENT.LOCALDOMAIN
Regular users typically have a UPN of ‘firstname.lastname@staff.localdomain’
The affiliated users have a UPN of ‘firstname.lastname@affiliate’
The trust relationship looks like this on the IPA server:
# ipa trustdomain-find
Realm name: STAFF.LOCALDOMAIN
Domain name: staff.localdomain
Domain NetBIOS name: STAFF
Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
Domain enabled: True
Domain name: student.localdomain
Domain NetBIOS name: STUDENT
Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as ‘firstname.lastname@affiliate’ we see the following exceptions in /var/log/sssd/krb5_child.log:
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] (0x0020): 1365: [-1765328378][Client 'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): krb5_child completed successfully
(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 and associated packages).
Is this version of IPA able to support trust users with a different UPN suffix, and if so, what special configuration is required to achieve this?
Regards,
Robert.
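As an added example (not from the post above and not FreeIPA or SSSD code), a small triage script that reads the `ipa trustdomain-find` output and krb5_child.log lines of the kind quoted above and flags principals whose UPN suffix is not one of the trusted realms; the trust output and log lines below are constructed copies of those in the post, plus one plain-principal line for contrast.

```python
import re
# Constructed copy of the `ipa trustdomain-find` output quoted in the post.
TRUSTDOMAIN_OUTPUT = """\
  Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain enabled: True
  Domain name: student.localdomain
  Domain enabled: True
"""

# Constructed krb5_child.log lines in the shape of the ones quoted in the post.
KRB5_CHILD_LOG = [
    "(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): "
    "Attempting kinit for realm [IPA.LOCALDOMAIN]",
    "(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: "
    "[-1765328378][Client 'firstname.lastname\\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]",
    "(Thu Jul  6 15:59:02 2017) [[sssd[krb5_child[46120]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'localuser@IPA.LOCALDOMAIN' not found in Kerberos database]",
]

CLIENT_RE = re.compile(r"Client '(?P<principal>[^']+)' not found in Kerberos database")

def trusted_realms(output):
    """Realm and domain names from trustdomain-find output, upper-cased and de-duplicated."""
    names = re.findall(r"(?:Realm|Domain) name:\s*(\S+)", output)
    return list(dict.fromkeys(n.upper() for n in names))

def split_principal(principal):
    """Split 'user\\@SUFFIX@REALM'. SSSD escapes the UPN's own '@' as '\\@', so the
    last unescaped '@' separates the realm whose KDC rejected the request."""
    name, _, realm = principal.rpartition("@")
    user, sep, suffix = name.partition("\\@")
    return {"user": user, "upn_suffix": suffix if sep else "", "realm": realm}

def triage(log_lines, trusted):
    """Classify each 'not found in Kerberos database' failure by its UPN suffix."""
    findings = []
    for m in filter(None, map(CLIENT_RE.search, log_lines)):
        parts = split_principal(m.group("principal"))
        if not parts["upn_suffix"]:
            parts["verdict"] = "no-upn-suffix"          # plain principal missing from that realm
        elif parts["upn_suffix"] in trusted:
            parts["verdict"] = "trusted-suffix"         # suffix is a trust domain; problem lies elsewhere
        else:
            parts["verdict"] = "untrusted-upn-suffix"   # suffix is not among the trusted domains
        findings.append(parts)
    return findings

def run_triage():
    """Run the triage over the constructed sample data."""
    return triage(KRB5_CHILD_LOG, trusted_realms(TRUSTDOMAIN_OUTPUT))
```

On the post's data the affiliated user is reported with verdict untrusted-upn-suffix, which is exactly the mismatch the question is about: the request went to the IPA.LOCALDOMAIN KDC with a suffix that is neither an IPA nor a trusted AD realm.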
Syncronization on servers
by Ataliba Teixeira
Hello,
Reading some docs about the sync of my two servers:
# ipa-replica-manage list
server1.domain: master
server2.domain: master
# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
server2.domain:389: 7
server1.domain:389: 4
Certificate Server Replica Update Vectors:
No CS-RUVs found.
My question is: to solve this, do I only need to run the following command?
ipa-replica-manage force-sync --from srv2.domain
Thanks for your attention :-)
--
Ataliba Teixeira via Inbox by Gmail
trying to retrieve CA cert via LDAP .... stuck
by Pieter Baele
Hi,
I've a weird problem with 2 hosts on ipa-client-install registration.
All my servers are using a 99% alike kickstart profile.
8 hosts did their registration almost immediately (after submitting the admin credentials)
But on 2 servers I am stuck with:
stderr=
trying to retrieve CA cert via LDAP from ....
Any idea what the reason could be? I checked: DNS, firewall
But all verifications and discovery before this step are successful.
It's possible I did an ipa-client-uninstall on those hosts before (not 100% sure).
Sincerely Pieter
Re: IPA client configuration fail on AIX client
by Lakshan Jayasekara
Hi Harald,
Thanks for the update.
Lakshan Jayasekara
Senior Systems Engineer
________________________________
From: Harald Dunkel<mailto:harald.dunkel@aixigo.de>
Sent: 7/3/2017 6:47 PM
To: Lakshan Jayasekara via FreeIPA-users<mailto:freeipa-users@lists.fedorahosted.org>
Cc: Lakshan Jayasekara<mailto:Lakshan.Jayasekara@lankaclear.com>
Subject: Re: [Freeipa-users] IPA client configuration fail on AIX client
Hi Lakshan,
AIX 7.1 provides a script to configure Kerberos, e.g.
# export PATH=/usr/krb5/sbin:/usr/krb5/bin:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java6/jre/bin:/usr/java6/bin
# config.krb5 -C -r EXAMPLE.COM -d example.com -c ipa1.example.com -s ipa1.example.com
This link might be helpful:
https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Aut...
It's about AD integration, but it shows how it is supposed to work.
Hope this helps
Harri
IPA client configuration fail on AIX client
by Lakshan Jayasekara
Hi all,
When running the kinit admin command, the error below pops up:
bash-4.3# kinit admin
Password for admin@LANKACLEAR.LK:
xxxxxxxxxx
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:413)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:274)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:261)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:559)
at com.ibm.security.krb5.internal.TCPClient.<init>(TCPClient.java:40)
at com.ibm.security.krb5.i.run(i.java:39)
at java.security.AccessController.doPrivileged(AccessController.java:379)
at com.ibm.security.krb5.h.a(h.java:74)
at com.ibm.security.krb5.h.a(h.java:88)
at com.ibm.security.krb5.h.a(h.java:31)
at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:97)
at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:108)
at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:139)
com.ibm.security.krb5.KrbException, status code: 0
message: java.net.ConnectException: Connection refused
If you have any clue, let me know.
Lakshan Jayasekara
Senior Systems Engineer
Errors after Upgrading from Fedora 23 to Fedora 25
by dntosas@yuboto.com
Hello World!
I have an installation with FreeIPA server 4.2.4 on Fedora 23 and all worked fine.
I decided to upgrade to Fedora 25 via dnf-upgrade-plugin.
The whole upgrade process went smoothly and as a result my freeipa rpm packages were also upgraded (from 4.2.4 to 4.4.4).
Now the problem is that nothing works.
The command "ipa-server-upgrade" shows:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Timeout exceeded
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
I attach the appropriate logs:
/var/log/ipaupgrade.log
2017-06-29T14:55:06Z DEBUG duration: 0 seconds
2017-06-29T14:55:06Z DEBUG [10/10]: starting directory server
2017-06-29T14:55:06Z DEBUG Starting external process
2017-06-29T14:55:06Z DEBUG args=/bin/systemctl start dirsrv@xxx.service
2017-06-29T14:55:09Z DEBUG Process finished, return code=0
2017-06-29T14:55:09Z DEBUG stdout=
2017-06-29T14:55:09Z DEBUG stderr=
2017-06-29T14:55:09Z DEBUG Starting external process
2017-06-29T14:55:09Z DEBUG args=/bin/systemctl is-active dirsrv@xxx.service
2017-06-29T14:55:09Z DEBUG Process finished, return code=0
2017-06-29T14:55:09Z DEBUG stdout=active
2017-06-29T14:55:09Z DEBUG stderr=
2017-06-29T14:55:09Z DEBUG wait_for_open_ports: localhost [389] timeout 300
/var/log/dirsrv/.../errors.log
[29/Jun/2017:17:57:21.091850887 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
[29/Jun/2017:17:58:18.114145058 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[29/Jun/2017:17:58:42.135719951 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
[29/Jun/2017:18:01:30.160763487 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[29/Jun/2017:18:01:54.183552684 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
/var/log/krb5kdc.log
Jun 29 17:54:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: ISSUE: authtime 1498748048, etypes {rep=18 tkt=18 ses=18}, ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM
Jun 29 17:54:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: LOOKING_UP_CLIENT: ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM, Server error
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: LOOKING_UP_CLIENT: ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM, Server error
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM, Additional pre-authentication required
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: ISSUE: authtime 1498748124, etypes {rep=18 tkt=18 ses=18}, ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
I have tried different ways of making command "ipa-server-upgrade" complete its job but nothing worked.
Any ideas? :(
ipa-dnskeysyncd crash
by Carlos Silva
Hi list!
I have a fully updated CentOS 7 server running FreeIPA and after a
restart today (or at least that was when I noticed) ipa-dnskeysyncd is
constantly crashing. It fails with this traceback:
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Synchronizing zone r3pek.org.
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref': ['pkcs11:object=xxx'], 'dn': 'cn=xxxxx,cn=keys,idnsname=r3pek.org.,cn=dns,dc=r3pek,dc=org', 'cn': ['xxxxx'], 'idnsseckeypublish': ['xxxxxx'], 'objectclass': ['idnsSecKey'], 'idnssecalgorithm': ['RSASHA256'], 'idnsseckeyzone': ['TRUE'], 'idnsseckeycreated': ['xxxxxx'], 'idnsseckeyactivate': ['xxxxxx']}
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref': ['pkcs11:object=xxxxxxxx'], 'dn': 'cn=xxxxxx,cn=keys,idnsname=r3pek.org.,cn=dns,dc=r3pek,dc=org', 'cn': ['xxxxxxxx'], 'idnsseckeypublish': ['20170108222825Z'], 'objectclass': ['idnsSecKey'], 'idnsseckeydelete': ['xxxxxx'], 'idnssecalgorithm': ['RSASHA256'], 'idnsseckeyzone': ['TRUE'], 'idnsseckeycreated': ['xxxxxxxx'], 'idnsseckeyinactive': ['xxxxxxxx'], 'idnsseckeyactivate': ['xxxxxxx']}
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: Traceback (most recent call last):
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110, in <module>
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: self.syncrepl_refreshdone()
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 117, in syncrepl_refreshdone
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: self.bindmgr.sync(self.dnssec_zones)
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 206, in sync
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: self.sync_zone(zone)
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 179, in sync_zone
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: self.install_key(zone, uuid, attrs, tempdir)
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 114, in install_key
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: result = ipautil.run(cmd, capture_output=True)
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: raise CalledProcessError(p.returncode, arg_string, str(output))
Jul 01 23:45:01 srv04.r3pek.org ipa-dnskeysyncd[5582]: subprocess.CalledProcessError: Command '/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-ldap/ipa/master/r3pek.org/tmpJzMW9A -a RSASHA256 -l pkcs11:object=e60654a85b9927752d2f5f526af0317a;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I 20170408214422 -D 20170423112007 -P 20170108222825 -A 20170108222825 r3pek.org.' returned non-zero exit status 1
I ran a "watch -n0.1 ls -lh /var/named/dyndb-ldap/ipa/master/r3pek.org/" and as far as I can see,
that tmp file is never created; maybe that could be the problem?
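As an added example (not from the post above and not FreeIPA's own code), a parser for the dnssec-keyfromlabel-pkcs11 invocation quoted in the traceback: it pulls out the key directory, PKCS#11 label, algorithm and timing options and derives the key's lifecycle state at a given time from its own -P/-A/-I/-D stamps; the command string is a constructed copy of the one in the post.

```python
import shlex
from datetime import datetime

# Constructed copy of the failing command quoted in the traceback above.
FAILED_CMD = (
    "/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-ldap/ipa/master/r3pek.org/tmpJzMW9A "
    "-a RSASHA256 -l pkcs11:object=e60654a85b9927752d2f5f526af0317a;pin-source=/var/lib/ipa/dnssec/softhsm_pin "
    "-I 20170408214422 -D 20170423112007 -P 20170108222825 -A 20170108222825 r3pek.org."
)

# Timing options of dnssec-keyfromlabel, in lifecycle order, and the state each one begins.
TIMING_FLAGS = (("-P", "published"), ("-A", "active"), ("-I", "inactive"), ("-D", "deleted"))

def parse_keyfromlabel_cmd(cmd):
    """Split the command into {flag: value} pairs plus 'program' and the trailing 'zone'."""
    argv = shlex.split(cmd)          # whitespace split only, so the ';' in the label survives
    parsed = {"program": argv[0]}
    i = 1
    while i < len(argv):
        if argv[i].startswith("-") and i + 1 < len(argv):
            parsed[argv[i]] = argv[i + 1]
            i += 2
        else:
            parsed["zone"] = argv[i]  # the lone positional argument is the zone name
            i += 1
    return parsed

def key_state_at(parsed, when):
    """State implied by the key's -P/-A/-I/-D stamps at `when` (YYYYMMDDHHMMSS, UTC).
    The stamps are fixed-width digit strings, so plain string comparison orders them."""
    datetime.strptime(when, "%Y%m%d%H%M%S")   # reject a malformed timestamp early
    state = "pending"
    for flag, name in TIMING_FLAGS:            # the latest event already reached wins
        if flag in parsed and parsed[flag] <= when:
            state = name
    return state

def describe(cmd, when):
    """Summarise the key the failing command tried to install and its state at `when`."""
    p = parse_keyfromlabel_cmd(cmd)
    return {"zone": p.get("zone"), "keydir": p.get("-K"), "label": p.get("-l"),
            "algorithm": p.get("-a"), "state": key_state_at(p, when)}
```

At the traceback's own timestamp (2017-07-01 23:45) the key's -I and -D dates are already in the past, so the daemon is re-installing a retired key into a fresh temporary -K directory; that is context for reading the report, not a demonstrated cause of the exit status.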