November 2018 - FreeIPA-users - Fedora Mailing-Lists

certmonger (back in time) renewal is onyl 50% successful

by Zarko D

Hi there, still working on cert renewal with little bit of progress, hence asking kindly for more support until final resolution. As per the subject, certmonger renews two out of four certificates. [1] stop ntpd, go back in time (Aug 10 2018), where all certs are valid [2] restart krb5kdc, 389, httpd, CA [3] Verify that CA is running. # SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to ca-ldap01.domain.com port 8443 (#0) * Trying x.x.x.x... * Connected to ca-ldap01.domain.com (IP) port 8443 (#0) * Initializing NSS with certpath: sql:/etc/httpd/alias/ * CAfile: /etc/ipa/ca.crt CApath: none * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=ca-ldap01.domain.com,O=domain.com * start date: Jul 18 01:47:45 2018 GMT * expire date: Jul 07 01:47:45 2020 GMT * common name: ca-ldap01.domain.com * issuer: CN=Certificate Authority,O=domain.com > GET /ca/agent/ca/profileReview HTTP/1.1 > User-Agent: curl/7.29.0 > Host: ca-ldap01.domain.com:8443 > Accept: */* > * NSS: client certificate not found (nickname not specified) < HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 < Content-Type: text/html;charset=UTF-8 < Transfer-Encoding: chunked < Date: Fri, 10 Aug 2018 08:54:11 GMT < { [data not shown] 100 17641 0 17641 0 0 203k 0 --:--:-- --:--:-- --:--:-- 205k * Connection #0 to host ca-ldap01.domain.com left intact [4] ipactl status reads: # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: STOPPED pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful [5] restart certmonger, four cert are in submitting status # getcert list | egrep "certificate|expire|status" Number of certificates and requests being tracked: 6. status: SUBMITTING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:38 UTC status: SUBMITTING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:35 UTC status: SUBMITTING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:36 UTC status: MONITORING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2036-08-24 20:49:35 UTC status: SUBMITTING certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC status: MONITORING certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2020-07-07 01:47:45 UTC [6] Here is where problem starts, the CA stop running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log report 0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SystemCertsVerification: system certs verification success 0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup! 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Initializing self test plugins: 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! [7] I see that 'auditSigningCert' and ocspSigningCert have been renewed, so obviously at this very moment their validity time is not same as for other certs. Hence selftests.logs reports auditSigningCert is invalid, and CA stops running and I am left with tow certs not renewed. New cert list now is: # getcert list | egrep "certificate|expires" Number of certificates and requests being tracked: 6. certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2020-10-29 06:35:38 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2020-10-11 20:15:53 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:36 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2036-08-24 20:49:35 UTC certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2020-07-07 01:47:45 UTC The question now is how to work around this problem? Instead of restarting certmonger service, is it better to renew certs with 'getcert resubmit' in some specific order? thanks, Zarko

3 years, 6 months

1
2
0 / 0

dirsrv not starting

by Andrew Meyer

We have 2 servers in our AWS west environment running CentOS 7. The server just went unresponsive and I rebooted it. After it came back up it won't start drisrv service. I get the following errors from systemd/journalctl: [root@freeipa02 slapd-EXAMPLE-NET]# systemctl status dirsrv(a)EXAMPLE.NET -l● dirsrv(a)EXAMPLE.NET.service - 389 Directory Server EXAMPLE.NET. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled) Active: failed (Result: resources) Nov 16 20:27:46 freeipa02.west.example systemd[1]: dirsrv(a)EXAMPLE.NET.service failed to run 'start-pre' task: No such file or directoryNov 16 20:27:46 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..Nov 16 20:27:46 freeipa02.west.example systemd[1]: Unit dirsrv(a)EXAMPLE.NET.service entered failed state.Nov 16 20:27:46 freeipa02.west.example systemd[1]: dirsrv(a)EXAMPLE.NET.service failed.Nov 16 20:27:46 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET....Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to load environment files: No such file or directoryNov 16 20:29:10 freeipa02.west.example systemd[1]: dirsrv(a)EXAMPLE.NET.service failed to run 'start-pre' task: No such file or directoryNov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..Nov 16 20:29:10 freeipa02.west.example systemd[1]: dirsrv(a)EXAMPLE.NET.service failed.Nov 16 20:29:10 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET....[root@freeipa02 slapd-EXAMPLE-NET]# All the files are there. I did a comparison to the 01 server. Regards,Andrew

3 years, 6 months

1
2
0 / 0

FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

by Eric Fredrickson

Hello everyone, I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled. FreeIPA Setup: CentOS 7.5 FreeIPA 4.5.4 HBAC Service: openvpn HBAC Rule: [root@ipa ~]# ipa hbacrule-show openvpn_access Rule name: openvpn_access Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service. Enabled: TRUE Users: <users> Hosts: vpnhost.localdomain.local Services: openvpn User account: [root@ipa ~]# ipa user-show <omitted> User login: <omitted> First name: <omitted> Last name: <omitted> Home directory: /home/<omitted> Login shell: /bin/bash Principal name: <omitted> Principal alias: <omitted> Email address: <omitted> UID: 1909600003 GID: 1909600003 User authentication types: otp Certificate: <omitted> Account disabled: False Password: True Member of groups: vpn_users Member of HBAC rule: openvpn_access Indirect Member of HBAC rule: user_ipa_access Kerberos keys available: True OpenVPN server: /etc/pam.d/openvpn #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so server.conf plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads, some have gotten it to work without posting answers, some have not and has stated openvpn does not support multiple prompts. Eric

3 years, 6 months

2
1
0 / 0

FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

by Eric Fredrickson

Hello everyone, I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled. FreeIPA Setup: CentOS 7.5 FreeIPA 4.5.4 HBAC Service: openvpn HBAC Rule: [root@ipa ~]# ipa hbacrule-show openvpn_access Rule name: openvpn_access Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service. Enabled: TRUE Users: <users> Hosts: vpnhost.localdomain.local Services: openvpn User account: [root@ipa ~]# ipa user-show <omitted> User login: <omitted> First name: <omitted> Last name: <omitted> Home directory: /home/<omitted> Login shell: /bin/bash Principal name: <omitted> Principal alias: <omitted> Email address: <omitted> UID: 1909600003 GID: 1909600003 User authentication types: otp Certificate: <omitted> Account disabled: False Password: True Member of groups: vpn_users Member of HBAC rule: openvpn_access Indirect Member of HBAC rule: user_ipa_access Kerberos keys available: True OpenVPN server: /etc/pam.d/openvpn #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so server.conf plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads, some have gotten it to work without posting answers, some have not and has stated openvpn does not support multiple prompts. Eric

3 years, 6 months

4
3
0 / 0

Get IPA server of location

by Peter Tselios

Hello, I have 2 FreeIPA servers placed in 2 AWS placement groups (AZ1, AZ2). I want to register my hosts in the IPA Server of the same placement group. Using dig I get the following: dig +short -t SRV _ldap._tcp.example.com. _ldap._tcp.AWS-eu-west-1a._locations.example.com. 50 100 389 euw1-prd-l-ipa02.example.com. 0 100 389 euw1-prd-l-ipa01.example.com. which, at least in my eyes, means that I have an LDAP server in a location. So, if I search this location I will get only ONE LDAP (or kerberos, it's the same) server. But no: dig +short -t SRV _ldap._tcp.AWS-eu-west-1a._locations.example.com. 50 100 389 euw1-prd-l-ipa02.example.com. 0 100 389 euw1-prd-l-ipa01.example.com. Now, I have some issues with this: Why do I have BOTH IPA servers in ONE location, since I have set only one of them in the specific location? Replication has nothing to do with it, we talk about the host of the location! If this a cognitive decision to add all replicated IPA servers to all locations? If so, why? Finally, is there any way to I get the IPA server(s) of a specific location? (My understanding is that we don't have the SUBNET entries as in IPA 2.x series and this is handled automatically with service discovery).

3 years, 6 months

2
2
0 / 0

Mix and Match Local Users and Groups with IPA Users and Groups?

by Ryan Slominski

What is the recommended way to handle a local user in an IPA group? For example, I have the standard local user "apache" that I'd like to add to an IPA group. I don't really want to add an "apache" user to IPA as it isn't really a regular user. Similarly, I don't want to create a local group of the same name and membership as the group in IPA. NIS seems to allow groups that reference local users. Can IPA? An IPA User in a local group is a similar problem, what is the solution there?

3 years, 6 months

3
3
0 / 0

smartcard auth + kerberos ticket?

by Natxo Asenjo

hi, I can successfully login using a smartcard (fedora 29 client, centos 7 kdcs, latest patch level). However, when I try to access a kerberized service, I need to kinit first, because I don't have a ticket: $ klist klist: Credentials cache 'KCM:1006000001' not found I already have krb5-pkinit in de client and if I kinit -n I get a wellknown/anonymous ticket from the kdcs, but this is obviously not what I had in mind :-) Am I doing something wrong or is this to be expected? -- regards, Natxo

3 years, 6 months

4
10
0 / 0

Change IP address of IPA server

by John Duino

Due to some preferred changes in our environment, we would like to change the IP address of two of our servers. My thinking is that we stop IPA on those hosts, change their IP and power down, then change the IP in the DNS of the running IPA's, then bring the two servers up. I am assuming all associations are done via fqdn and not an IP, is that correct? Is this safe or am I risking some corruption to the environment? -- John Duino jduino(a)oblong.com

3 years, 6 months

2
2
0 / 0

FreeIPA PPC64LE builds

by Pieter Baele

Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server PPC64LE build for Centos 7 (or RH IDM on RHEL 7/8) I only see some packages for PowerPC on Fedora and Ubuntu....

3 years, 6 months

3
5
0 / 0

Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

by Alexander Bokovoy

On ti, 13 marras 2018, Mustafa Karci via FreeIPA-users wrote: >Dear Alexander, > >The main intention is to setup a freeipa-server with a trust domain to >a Windows 2019 AD server. So for all windows env we would like to use >Windows 2019AD server and for all our Linux based server we would like >to use FreeIPA-server. > >From this point we have setup a basic Windows2019 AD domain with the >following realm ad.srv.world And the FreeIPA server has the following >realm ipa.srv.world > >The Windowd 2019 server also acts as the DNS server, where the >freeipa-server has his own dns rules and forwarding rule enabled to >zone ad.srv.world (windows 2019 DNS server). > > >From the ipa-server run the following command > >ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx > >All seems working ok on the ipa-server. But when trying to add the >freeipa server to a windows 2019 AD im getting the following error: > >ipa trust-add --type=ad ad.srv.world --admin Administrator --password >Active Directory domain administrator's password: >ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials > >Already tried to change permission on the AD site, but group policy >domain admin should be enough to setup a trused domain between these >two. No, this is not (at least not yet) an AD side. You need to look into Samba logs. Your excerpts from the logs below show that Samba is capable to authenticate the connection from IPA framework properly and understands that this is a constrained delegation use (HTTP/... service principal acts on behalf of 'admin' user principal). However, it is not able to validate that 'admin' user has enough permissions to perform what is needed: >Successfully validated Kerberos PAC > pac_data: struct PAC_DATA > num_buffers : 0x00000005 (5) > version : 0x00000000 (0) > buffers: ARRAY(5) > buffers: struct PAC_BUFFER > type : PAC_TYPE_LOGON_INFO (1) > _ndr_size : 0x000001a8 (424) > info : * > info : union PAC_INFO(case 1) > logon_info: struct PAC_LOGON_INFO_CTR > info : * > info: struct PAC_LOGON_INFO > info3: struct netr_SamInfo3 > base: struct netr_SamBaseInfo > logon_time : NTTIME(0) > logoff_time : Thu Jan 1 01:00:00 AM 1970 CET > kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET > last_password_change : Fri Nov 2 04:41:05 PM 2018 CET > allow_password_change : NTTIME(0) > force_password_change : Thu Jan 1 01:00:00 AM 1970 CET > account_name: struct lsa_String > length : 0x000a (10) > size : 0x000a (10) > string : * > string : 'admin' > full_name: struct lsa_String > length : 0x001a (26) > size : 0x001a (26) > string : * > string : 'Administrator' > logon_script: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > profile_path: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > home_directory: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > home_drive: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > logon_count : 0x0000 (0) > bad_password_count : 0x0000 (0) > rid : 0x000001f4 (500) > primary_gid : 0x00000200 (512) > groups: struct samr_RidWithAttributeArray > count : 0x00000000 (0) > rids : * > rids: ARRAY(0) > user_flags : 0x00000000 (0) > 0: NETLOGON_GUEST > 0: NETLOGON_NOENCRYPTION > 0: NETLOGON_CACHED_ACCOUNT > 0: NETLOGON_USED_LM_PASSWORD > 0: NETLOGON_EXTRA_SIDS > 0: NETLOGON_SUBAUTH_SESSION_KEY > 0: NETLOGON_SERVER_TRUST_ACCOUNT > 0: NETLOGON_NTLMV2_ENABLED > 0: NETLOGON_RESOURCE_GROUPS > 0: NETLOGON_PROFILE_PATH_RETURNED > 0: NETLOGON_GRACE_LOGON > key: struct netr_UserSessionKey > key: ARRAY(16): <REDACTED SECRET VALUES> > logon_server: struct lsa_StringLarge > length : 0x0006 (6) > size : 0x0008 (8) > string : * > string : 'DLP' > logon_domain: struct lsa_StringLarge > > > > buffers: struct PAC_BUFFER > type : PAC_TYPE_LOGON_NAME (10) > _ndr_size : 0x00000014 (20) > info : * > info : union PAC_INFO(case 10) > logon_name: struct PAC_LOGON_NAME > logon_time : Mon Nov 12 04:01:01 PM 2018 CET > size : 0x000a (10) > account_name : 'admin' > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_CONSTRAINED_DELEGATION (11) > _ndr_size : 0x000000d8 (216) > info : * > info : union PAC_INFO(case 11) > constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR > info : * > info: struct PAC_CONSTRAINED_DELEGATION > proxy_target: struct lsa_String > length : 0x0048 (72) > size : 0x0048 (72) > string : * > string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD' > num_transited_services : 0x00000001 (1) > transited_services : * > transited_services: ARRAY(1) > transited_services: struct lsa_String > length : 0x0048 (72) > size : 0x0048 (72) > string : * > string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD' > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_SRV_CHECKSUM (6) > _ndr_size : 0x00000010 (16) > info : * > info : union PAC_INFO(case 6) > srv_cksum: struct PAC_SIGNATURE_DATA > type : 0x00000010 (16) > signature : DATA_BLOB length=12 > [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_KDC_CHECKSUM (7) > _ndr_size : 0x00000010 (16) > info : * > info : union PAC_INFO(case 7) > kdc_cksum: struct PAC_SIGNATURE_DATA > type : 0x00000010 (16) > signature : DATA_BLOB length=12 > > >im a bit stuck with this issue. Can I see logs after this place? Smbd/winbindd should go on to resolve 'admin' user using a system and then build a local NT token for it. That one should have a RID 512 in it, like MS-PAC record above. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

3 years, 6 months

1
0
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users November 2018