November 2018 - FreeIPA-users - Fedora Mailing-Lists

by Natxo Asenjo

hi, I can successfully login using a smartcard (fedora 29 client, centos 7 kdcs, latest patch level). However, when I try to access a kerberized service, I need to kinit first, because I don't have a ticket: $ klist klist: Credentials cache 'KCM:1006000001' not found I already have krb5-pkinit in de client and if I kinit -n I get a wellknown/anonymous ticket from the kdcs, but this is obviously not what I had in mind :-) Am I doing something wrong or is this to be expected? -- regards, Natxo

9 months, 1 week

4
10
0 / 0

Change IP address of IPA server

by John Duino

Due to some preferred changes in our environment, we would like to change the IP address of two of our servers. My thinking is that we stop IPA on those hosts, change their IP and power down, then change the IP in the DNS of the running IPA's, then bring the two servers up. I am assuming all associations are done via fqdn and not an IP, is that correct? Is this safe or am I risking some corruption to the environment? -- John Duino jduino(a)oblong.com

9 months, 1 week

2
2
0 / 0

FreeIPA PPC64LE builds

by Pieter Baele

Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server PPC64LE build for Centos 7 (or RH IDM on RHEL 7/8) I only see some packages for PowerPC on Fedora and Ubuntu....

9 months, 1 week

3
5
0 / 0

Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

by Alexander Bokovoy

On ti, 13 marras 2018, Mustafa Karci via FreeIPA-users wrote: >Dear Alexander, > >The main intention is to setup a freeipa-server with a trust domain to >a Windows 2019 AD server. So for all windows env we would like to use >Windows 2019AD server and for all our Linux based server we would like >to use FreeIPA-server. > >From this point we have setup a basic Windows2019 AD domain with the >following realm ad.srv.world And the FreeIPA server has the following >realm ipa.srv.world > >The Windowd 2019 server also acts as the DNS server, where the >freeipa-server has his own dns rules and forwarding rule enabled to >zone ad.srv.world (windows 2019 DNS server). > > >From the ipa-server run the following command > >ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx > >All seems working ok on the ipa-server. But when trying to add the >freeipa server to a windows 2019 AD im getting the following error: > >ipa trust-add --type=ad ad.srv.world --admin Administrator --password >Active Directory domain administrator's password: >ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials > >Already tried to change permission on the AD site, but group policy >domain admin should be enough to setup a trused domain between these >two. No, this is not (at least not yet) an AD side. You need to look into Samba logs. Your excerpts from the logs below show that Samba is capable to authenticate the connection from IPA framework properly and understands that this is a constrained delegation use (HTTP/... service principal acts on behalf of 'admin' user principal). However, it is not able to validate that 'admin' user has enough permissions to perform what is needed: >Successfully validated Kerberos PAC > pac_data: struct PAC_DATA > num_buffers : 0x00000005 (5) > version : 0x00000000 (0) > buffers: ARRAY(5) > buffers: struct PAC_BUFFER > type : PAC_TYPE_LOGON_INFO (1) > _ndr_size : 0x000001a8 (424) > info : * > info : union PAC_INFO(case 1) > logon_info: struct PAC_LOGON_INFO_CTR > info : * > info: struct PAC_LOGON_INFO > info3: struct netr_SamInfo3 > base: struct netr_SamBaseInfo > logon_time : NTTIME(0) > logoff_time : Thu Jan 1 01:00:00 AM 1970 CET > kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET > last_password_change : Fri Nov 2 04:41:05 PM 2018 CET > allow_password_change : NTTIME(0) > force_password_change : Thu Jan 1 01:00:00 AM 1970 CET > account_name: struct lsa_String > length : 0x000a (10) > size : 0x000a (10) > string : * > string : 'admin' > full_name: struct lsa_String > length : 0x001a (26) > size : 0x001a (26) > string : * > string : 'Administrator' > logon_script: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > profile_path: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > home_directory: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > home_drive: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > logon_count : 0x0000 (0) > bad_password_count : 0x0000 (0) > rid : 0x000001f4 (500) > primary_gid : 0x00000200 (512) > groups: struct samr_RidWithAttributeArray > count : 0x00000000 (0) > rids : * > rids: ARRAY(0) > user_flags : 0x00000000 (0) > 0: NETLOGON_GUEST > 0: NETLOGON_NOENCRYPTION > 0: NETLOGON_CACHED_ACCOUNT > 0: NETLOGON_USED_LM_PASSWORD > 0: NETLOGON_EXTRA_SIDS > 0: NETLOGON_SUBAUTH_SESSION_KEY > 0: NETLOGON_SERVER_TRUST_ACCOUNT > 0: NETLOGON_NTLMV2_ENABLED > 0: NETLOGON_RESOURCE_GROUPS > 0: NETLOGON_PROFILE_PATH_RETURNED > 0: NETLOGON_GRACE_LOGON > key: struct netr_UserSessionKey > key: ARRAY(16): <REDACTED SECRET VALUES> > logon_server: struct lsa_StringLarge > length : 0x0006 (6) > size : 0x0008 (8) > string : * > string : 'DLP' > logon_domain: struct lsa_StringLarge > > > > buffers: struct PAC_BUFFER > type : PAC_TYPE_LOGON_NAME (10) > _ndr_size : 0x00000014 (20) > info : * > info : union PAC_INFO(case 10) > logon_name: struct PAC_LOGON_NAME > logon_time : Mon Nov 12 04:01:01 PM 2018 CET > size : 0x000a (10) > account_name : 'admin' > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_CONSTRAINED_DELEGATION (11) > _ndr_size : 0x000000d8 (216) > info : * > info : union PAC_INFO(case 11) > constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR > info : * > info: struct PAC_CONSTRAINED_DELEGATION > proxy_target: struct lsa_String > length : 0x0048 (72) > size : 0x0048 (72) > string : * > string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD' > num_transited_services : 0x00000001 (1) > transited_services : * > transited_services: ARRAY(1) > transited_services: struct lsa_String > length : 0x0048 (72) > size : 0x0048 (72) > string : * > string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD' > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_SRV_CHECKSUM (6) > _ndr_size : 0x00000010 (16) > info : * > info : union PAC_INFO(case 6) > srv_cksum: struct PAC_SIGNATURE_DATA > type : 0x00000010 (16) > signature : DATA_BLOB length=12 > [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_KDC_CHECKSUM (7) > _ndr_size : 0x00000010 (16) > info : * > info : union PAC_INFO(case 7) > kdc_cksum: struct PAC_SIGNATURE_DATA > type : 0x00000010 (16) > signature : DATA_BLOB length=12 > > >im a bit stuck with this issue. Can I see logs after this place? Smbd/winbindd should go on to resolve 'admin' user using a system and then build a local NT token for it. That one should have a RID 512 in it, like MS-PAC record above. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

9 months, 1 week

1
0
0 / 0

Re: ipa.service "fails" to start

by Florence Blanc-Renaud

On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote: > Hi there, > > This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. > > After reboot I couldn't start ipa service via systemctl, hence I run > "ipactl start --ignore-service-failures" and this was kind of > successful. I still have some discrepancies, and looking for > troubleshooting ideas. > > 1. "systemctl status ipa.service" reads that service failed > 2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server > is running. Hi, The PKI service status can be found using "systemctl status pki-tomcatd(a)pki-tomcat.service". More details on the differences between targets and units can be found in the man pages for systemd.unit(5) and systemd.target(5). > 3. > # ipactl status > Directory Service: RUNNING > krb5kdc Service: RUNNING > kadmin Service: RUNNING > named Service: RUNNING > ipa_memcached Service: RUNNING > httpd Service: RUNNING > ipa-custodia Service: RUNNING > ntpd Service: RUNNING > pki-tomcatd Service: STOPPED <---- !! > ipa-otpd Service: RUNNING > ipa-dnskeysyncd Service: RUNNING > ipa: INFO: The ipactl command was successful > To troubleshoot, you can have a look at the output of # systemctl status pki-tomcatd(a)pki-tomcat.service and the logs in /var/log/pki/pki-tomcat/ca/debug. I would start by checking if some certificates expired with getcert list (check the status, should be MONITORING, and the expires: <date>). HTH, flo > > Well, why pki-tomcatd reads 'stopped' and how to make systemctl to > recognize that ipa service is running, thanks in advance, > > Zarko > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

9 months, 1 week

5
20
0 / 0

LDAP - Zammad -> not offering all fields

by Tobi Berninger

Hey, i have an freeipa 4.5.4 on an Centos 7 up and running. I allready binded that ipa trough an ldap on an nextcloud installation. Now i try to do the same with an zammad. Sadly it doesnt offers me the right fields (first name, last name, mail and many more are missing) I set up an extra ldap sysaccount just for that reason, as it was described here: https://www.freeipa.org/page/HowTo/LDAP Any ideas what i was doing wrong? Others users in the zammad forum told me that zammad is offering them the fields i need, so i am quite convinced that the error is in an missconfiguration on my side. Sadly i didnt set the server up, i just try to keep it running. Thank u all for ur help and i apoligze for my english...

9 months, 1 week

4
5
0 / 0

Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

by Mustafa Karci

Dear Alexander, The main intention is to setup a freeipa-server with a trust domain to a Windows 2019 AD server. So for all windows env we would like to use Windows 2019AD server and for all our Linux based server we would like to use FreeIPA-server. From this point we have setup a basic Windows2019 AD domain with the following realm ad.srv.world And the FreeIPA server has the following realm ipa.srv.world The Windowd 2019 server also acts as the DNS server, where the freeipa-server has his own dns rules and forwarding rule enabled to zone ad.srv.world (windows 2019 DNS server). From the ipa-server run the following command ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx All seems working ok on the ipa-server. But when trying to add the freeipa server to a windows 2019 AD im getting the following error: ipa trust-add --type=ad ad.srv.world --admin Administrator --password Active Directory domain administrator's password: ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials Already tried to change permission on the AD site, but group policy domain admin should be enough to setup a trused domain between these two. kinit admin Password for admin(a)IPA.SRV.WORLD<mailto:admin@IPA.SRV.WORLD>: klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin(a)IPA.SRV.WORLD Valid starting Expires Service principal 11/13/2018 11:12:38 11/14/2018 11:12:36 krbtgt/IPA.SRV.WORLD(a)IPA.SRV.WORL smbclient -L dlp.ipa.srv.world -k -d 3 lp_load_ex: refreshing parameters Initialising global parameters Processing section "[global]" lp_load_ex: changing to config backend registry Initialising global parameters lp_load_ex: refreshing parameters Initialising global parameters Processing section "[global]" added interface eth0 ip=10.50.1.103 bcast=10.50.1.255 netmask=255.255.255.0 Client started (version 4.7.1). Connecting to 10.50.1.103 at port 445 got OID=1.2.840.48018.1.2.2 GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered SPNEGO login failed: {Access Denied} A proc ipa/default.conf [global] host = dlp.ipa.srv.world basedn = dc=ipa,dc=srv,dc=world realm = IPA.SRV.WORLD domain = ipa.srv.world xmlrpc_uri = https://dlp.ipa.srv.world/ipa/xml ldap_uri = ldapi://%2fvar%2frun%2fslapd-IPA-SRV-WORLD.socket enable_ra = True ra_plugin = dogtag dogtag_version = 10 mode = production krb5.conf includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = IPA.SRV.WORLD dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] IPA.SRV.WORLD = { kdc = dlp.ipa.srv.world:88 master_kdc = dlp.ipa.srv.world:88 admin_server = dlp.ipa.srv.world:749 default_domain = ipa.srv.world pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .ipa.srv.world = IPA.SRV.WORLD ipa.srv.world = IPA.SRV.WORLD dlp.ipa.srv.world = IPA.SRV.WORLD [dbmodules] IPA.SRV.WORLD = { db_library = ipadb.so } /var/log/http/* rpc reply data: [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ........ ........ [0020] 01 00 00 00 03 00 00 00 4B 00 00 00 4B 00 00 00 ........ K...K... [0030] 05 00 13 00 0D 78 57 34 12 34 12 CD AB EF 00 01 .....xW4 .4...... [0040] 23 45 67 89 AB 00 00 02 00 00 00 13 00 0D 04 5D #Eg..... .......] [0050] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ........ ..+.H`.. [0060] 02 00 00 00 01 00 0B 02 00 00 00 01 00 07 02 00 ........ ........ [0070] C0 00 01 00 09 04 00 0A 32 01 67 00 00 00 00 00 ........ 2.g..... s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dee40 s4_tevent: Cancel immediate event 0x7f45cc3dee40 "tevent_req_trigger" Mapped to DCERPC endpoint 49152 added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0 added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0 resolve_lmhosts: Attempting lmhosts lookup for name dlp.ipa.srv.world<0x20> getlmhostsent: lmhost entry: 127.0.0.1 localhost s4_tevent: Added timed event "composite_trigger": 0x7f45cc3c41f0 s4_tevent: Running timer event 0x7f45cc3c41f0 "composite_trigger" s4_tevent: Ending timer event 0x7f45cc3c41f0 "composite_trigger" Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 GSSAPI credentials for admin(a)IPA.SRV.WORLD will expire in 86359 secs GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Credential cache is empty s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dde50 s4_tevent: Cancel immediate event 0x7f45cc3dde50 "tevent_req_trigger" SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for host/DLP.IPA.SRV.WORLD failed (next[(null)]): NT_STATUS_LOGON_FAILURE Failed to setup SPNEGO negTokenInit request: NT_STATUS_LOGON_FAILURE s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dd540 s4_tevent: Run immediate event "tevent_req_trigger": 0x7f45cc3dd540 Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: xx.xx.xx.xxx [49152,print,target_hostname=dlp.ipa.srv.world,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000,localaddress=xx.xx.xx.xxx] NT_STATUS_LOGON_FAILURE s4_tevent: Destroying timer event 0x7f45cc3b9670 "dcerpc_connect_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3c5ef0 s4_tevent: Cancel immediate event 0x7f45cc3c5ef0 "tevent_req_trigger" [Tue Nov 13 10:51:04.693630 2018] [:error] [pid 24146] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last): [Tue Nov 13 10:51:04.693675 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute [Tue Nov 13 10:51:04.693689 2018] [:error] [pid 24146] result = command(*args, **options) [Tue Nov 13 10:51:04.693700 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ [Tue Nov 13 10:51:04.693711 2018] [:error] [pid 24146] return self.__do_call(*args, **options) [Tue Nov 13 10:51:04.693722 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call [Tue Nov 13 10:51:04.693733 2018] [:error] [pid 24146] ret = self.run(*args, **options) [Tue Nov 13 10:51:04.693743 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run [Tue Nov 13 10:51:04.693754 2018] [:error] [pid 24146] return self.execute(*args, **options) [Tue Nov 13 10:51:04.693765 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 726, in execute [Tue Nov 13 10:51:04.693776 2018] [:error] [pid 24146] full_join = self.validate_options(*keys, **options) [Tue Nov 13 10:51:04.693786 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 829, in validate_options [Tue Nov 13 10:51:04.693797 2018] [:error] [pid 24146] self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) [Tue Nov 13 10:51:04.693808 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1557, in __init__ [Tue Nov 13 10:51:04.693818 2018] [:error] [pid 24146] self.__populate_local_domain() [Tue Nov 13 10:51:04.693829 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1570, in __populate_local_domain [Tue Nov 13 10:51:04.693840 2018] [:error] [pid 24146] ld.retrieve(installutils.get_fqdn()) [Tue Nov 13 10:51:04.693850 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 960, in retrieve [Tue Nov 13 10:51:04.693861 2018] [:error] [pid 24146] self.init_lsa_pipe(remote_host) [Tue Nov 13 10:51:04.693900 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 879, in init_lsa_pipe [Tue Nov 13 10:51:04.693922 2018] [:error] [pid 24146] % dict(host=remote_host)) [Tue Nov 13 10:51:04.693933 2018] [:error] [pid 24146] ACIError: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials [Tue Nov 13 10:51:04.693944 2018] [:error] [pid 24146] [Tue Nov 13 10:51:04.694550 2018] [:error] [pid 24146] ipa: INFO: [jsonserver_session] admin(a)IPA.SRV.WORLD: trust_add/1(u'ad.srv.world', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.228'): ACIError [Tue Nov 13 10:51:04.696944 2018] [:error] [pid 24146] ipa: DEBUG: Destroyed connection context.ldap2_139937313614032 /var/log/samba/* 10:51:04.514558, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug) &global_blob: struct smbXsrv_session_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_session_globalU(case 0) info0 : * info0: struct smbXsrv_session_global0 db_rec : * session_global_id : 0x7990abe5 (2039524325) session_wire_id : 0x000000007990abe5 (2039524325) creation_time : Tue Nov 13 10:51:05 AM 2018 CET expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_time : NTTIME(0) auth_session_info_seqnum : 0x00000000 (0) auth_session_info : NULL connection_dialect : 0x0311 (785) signing_flags : 0x00 (0) 0: SMBXSRV_SIGNING_REQUIRED 0: SMBXSRV_PROCESSED_SIGNED_PACKET 0: SMBXSRV_PROCESSED_UNSIGNED_PACKET encryption_flags : 0x00 (0) 0: SMBXSRV_ENCRYPTION_REQUIRED 0: SMBXSRV_ENCRYPTION_DESIRED 0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET 0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x00000000000068df (26847) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807) local_address : 'ipv4:10.50.1.103:445' remote_address : 'ipv4:10.50.1.103:56404' remote_name : '10.50.1.103' auth_session_info_seqnum : 0x00000000 (0) connection : * encryption_cipher : 0x0000 (0) [2018/11/13 10:51:04.515148, 5, pid=26847, effective(0, 0), real(0, 0)] 018/11/13 10:51:04.515354, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug) &session_blob: struct smbXsrv_sessionB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_sessionU(case 0) info0 : * info0: struct smbXsrv_session table : * db_rec : NULL client : * local_id : 0x7990abe5 (2039524325) global : * global: struct smbXsrv_session_global0 db_rec : NULL session_global_id : 0x7990abe5 (2039524325) session_wire_id : 0x000000007990abe5 (2039524325) creation_time : Tue Nov 13 10:51:05 AM 2018 CET expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_time : NTTIME(0) auth_session_info_seqnum : 0x00000000 (0) auth_session_info : NULL connection_dialect : 0x0311 (785) signing_flags : 0x00 (0) 0: SMBXSRV_SIGNING_REQUIRED 0: SMBXSRV_PROCESSED_SIGNED_PACKET 0: SMBXSRV_PROCESSED_UNSIGNED_PACKET encryption_flags : 0x00 (0) 0: SMBXSRV_ENCRYPTION_REQUIRED 0: SMBXSRV_ENCRYPTION_DESIRED 0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET 0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x00000000000068df (26847) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807) local_address : 'ipv4:10.50.1.103:445' remote_address : 'ipv4:10.50.1.103:56404' remote_name : '10.50.1.103' auth_session_info_seqnum : 0x00000000 (0) connection : * encryption_cipher : 0x0000 (0) status : NT_STATUS_MORE_PROCESSING_REQUIRED idle_time : Tue Nov 13 10:51:05 AM 2018 CET nonce_high_random : 0x0000000000000000 (0) nonce_high_max : 0x0000000000000000 (0) nonce_high : 0x0000000000000000 (0) nonce_low : 0x0000000000000000 (0) compat : NULL tcon_table : * pending_auth : NULL version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_sessionU(case 0) info0 : * info0: struct smbXsrv_session table : * db_rec : NULL client : * local_id : 0x7990abe5 (2039524325) global : * global: struct smbXsrv_session_global0 db_rec : NULL session_global_id : 0x7990abe5 (2039524325) session_wire_id : 0x000000007990abe5 (2039524325) creation_time : Tue Nov 13 10:51:05 AM 2018 CET expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_time : NTTIME(0) auth_session_info_seqnum : 0x00000000 (0) auth_session_info : NULL connection_dialect : 0x0311 (785) signing_flags : 0x00 (0) 0: SMBXSRV_SIGNING_REQUIRED 0: SMBXSRV_PROCESSED_SIGNED_PACKET 0: SMBXSRV_PROCESSED_UNSIGNED_PACKET encryption_flags : 0x00 (0) 0: SMBXSRV_ENCRYPTION_REQUIRED 0: SMBXSRV_ENCRYPTION_DESIRED 0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET 0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x00000000000068df (26847) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807) local_address : 'ipv4:10.50.1.103:445' remote_address : 'ipv4:10.50.1.103:56404' remote_name : '10.50.1.103' auth_session_info_seqnum : 0x00000000 (0) connection : * encryption_cipher : 0x0000 (0) status : NT_STATUS_MORE_PROCESSING_REQUIRED idle_time : Tue Nov 13 10:51:05 AM 2018 CET nonce_high_random : 0x0000000000000000 (0) nonce_high_max : 0x0000000000000000 (0) nonce_high : 0x0000000000000000 (0) nonce_low : 0x0000000000000000 (0) compat : NULL tcon_table : * pending_auth : * pending_auth: struct smbXsrv_session_auth0 prev : * next : NULL session : * connection : * gensec : * preauth : * in_flags : 0x00 (0) in_security_mode : 0x03 (3) creation_time : Tue Nov 13 10:51:05 AM 2018 CET idle_time : Tue Nov 13 10:51:05 AM 2018 CET Successfully validated Kerberos PAC pac_data: struct PAC_DATA num_buffers : 0x00000005 (5) version : 0x00000000 (0) buffers: ARRAY(5) buffers: struct PAC_BUFFER type : PAC_TYPE_LOGON_INFO (1) _ndr_size : 0x000001a8 (424) info : * info : union PAC_INFO(case 1) logon_info: struct PAC_LOGON_INFO_CTR info : * info: struct PAC_LOGON_INFO info3: struct netr_SamInfo3 base: struct netr_SamBaseInfo logon_time : NTTIME(0) logoff_time : Thu Jan 1 01:00:00 AM 1970 CET kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET last_password_change : Fri Nov 2 04:41:05 PM 2018 CET allow_password_change : NTTIME(0) force_password_change : Thu Jan 1 01:00:00 AM 1970 CET account_name: struct lsa_String length : 0x000a (10) size : 0x000a (10) string : * string : 'admin' full_name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Administrator' logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) rid : 0x000001f4 (500) primary_gid : 0x00000200 (512) groups: struct samr_RidWithAttributeArray count : 0x00000000 (0) rids : * rids: ARRAY(0) user_flags : 0x00000000 (0) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 0: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 0: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key: ARRAY(16): <REDACTED SECRET VALUES> logon_server: struct lsa_StringLarge length : 0x0006 (6) size : 0x0008 (8) string : * string : 'DLP' logon_domain: struct lsa_StringLarge buffers: struct PAC_BUFFER type : PAC_TYPE_LOGON_NAME (10) _ndr_size : 0x00000014 (20) info : * info : union PAC_INFO(case 10) logon_name: struct PAC_LOGON_NAME logon_time : Mon Nov 12 04:01:01 PM 2018 CET size : 0x000a (10) account_name : 'admin' _pad : 0x00000000 (0) buffers: struct PAC_BUFFER type : PAC_TYPE_CONSTRAINED_DELEGATION (11) _ndr_size : 0x000000d8 (216) info : * info : union PAC_INFO(case 11) constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR info : * info: struct PAC_CONSTRAINED_DELEGATION proxy_target: struct lsa_String length : 0x0048 (72) size : 0x0048 (72) string : * string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD' num_transited_services : 0x00000001 (1) transited_services : * transited_services: ARRAY(1) transited_services: struct lsa_String length : 0x0048 (72) size : 0x0048 (72) string : * string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD' _pad : 0x00000000 (0) buffers: struct PAC_BUFFER type : PAC_TYPE_SRV_CHECKSUM (6) _ndr_size : 0x00000010 (16) info : * info : union PAC_INFO(case 6) srv_cksum: struct PAC_SIGNATURE_DATA type : 0x00000010 (16) signature : DATA_BLOB length=12 [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P _pad : 0x00000000 (0) buffers: struct PAC_BUFFER type : PAC_TYPE_KDC_CHECKSUM (7) _ndr_size : 0x00000010 (16) info : * info : union PAC_INFO(case 7) kdc_cksum: struct PAC_SIGNATURE_DATA type : 0x00000010 (16) signature : DATA_BLOB length=12 im a bit stuck with this issue. Kind regards

9 months, 1 week

1
0
0 / 0

How to import ca.crt in Chrome

by Kees Bakker

Hi, When I import my FreeIPA's ca.crt in Google Chrome I'm getting an error: Certification Authority Import Error Unable to parse file How should I import the CERT in Google Chrome (version 71)? BTW. The import works fine in Firefox (version 53) -- Kees

9 months, 1 week

2
2
0 / 0

Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

by Alexander Bokovoy

On ma, 12 marras 2018, Mustafa Karci via FreeIPA-users wrote: >Dear Alexander, > >Is this issue still ongoing? Still getting the following error when >freeipa server tries to join a Windows 2019 AD server. > >ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied >your credentials Could you please provide more details? The original thread was about Samba AD and you are talking about Windows 2019 AD server. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

9 months, 1 week

1
0
0 / 0

Creating proxy users for PWM. Which is better DN?

by Joyce Babu

I am trying to setup PWM for allowing users to reset their password. I found the following guide on setting up PWM with FreeIPA https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 . The above guide creates the pwmproxy and pwmtest users under cn=users,cn=accounts,dc=example,dc=com. uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com But FreeIPA documentation does not recommend creating such accounts as normal user accounts. https://www.freeipa.org/page/HowTo/LDAP#System_Accounts Is it better to create the above accounts under cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo? Or does PWM require that the pwm users also be created under the same base dn?

9 months, 1 week

3
4
0 / 0

2019

2018

2017

FreeIPA-users November 2018