FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP
by Eric Fredrickson
Hello everyone,
I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled.
FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service.
Enabled: TRUE
Users: <users>
Hosts: vpnhost.localdomain.local
Services: openvpn
User account:
[root@ipa ~]# ipa user-show <omitted>
User login: <omitted>
First name: <omitted>
Last name: <omitted>
Home directory: /home/<omitted>
Login shell: /bin/bash
Principal name: <omitted>
Principal alias: <omitted>
Email address: <omitted>
UID: 1909600003
GID: 1909600003
User authentication types: otp
Certificate: <omitted>
Account disabled: False
Password: True
Member of groups: vpn_users
Member of HBAC rule: openvpn_access
Indirect Member of HBAC rule: user_ipa_access
Kerberos keys available: True
OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads, some have gotten it to work without posting answers, some have not and has stated openvpn does not support multiple prompts.
Eric
2 years, 5 months
FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP
by Eric Fredrickson
Hello everyone,
I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled.
FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service.
Enabled: TRUE
Users: <users>
Hosts: vpnhost.localdomain.local
Services: openvpn
User account:
[root@ipa ~]# ipa user-show <omitted>
User login: <omitted>
First name: <omitted>
Last name: <omitted>
Home directory: /home/<omitted>
Login shell: /bin/bash
Principal name: <omitted>
Principal alias: <omitted>
Email address: <omitted>
UID: 1909600003
GID: 1909600003
User authentication types: otp
Certificate: <omitted>
Account disabled: False
Password: True
Member of groups: vpn_users
Member of HBAC rule: openvpn_access
Indirect Member of HBAC rule: user_ipa_access
Kerberos keys available: True
OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads, some have gotten it to work without posting answers, some have not and has stated openvpn does not support multiple prompts.
Eric
2 years, 5 months
Get IPA server of location
by Peter Tselios
Hello,
I have 2 FreeIPA servers placed in 2 AWS placement groups (AZ1, AZ2).
I want to register my hosts in the IPA Server of the same placement group.
Using dig I get the following:
dig +short -t SRV _ldap._tcp.example.com.
_ldap._tcp.AWS-eu-west-1a._locations.example.com.
50 100 389 euw1-prd-l-ipa02.example.com.
0 100 389 euw1-prd-l-ipa01.example.com.
which, at least in my eyes, means that I have an LDAP server in a location. So, if I search this location I will get only ONE LDAP (or kerberos, it's the same) server.
But no:
dig +short -t SRV _ldap._tcp.AWS-eu-west-1a._locations.example.com.
50 100 389 euw1-prd-l-ipa02.example.com.
0 100 389 euw1-prd-l-ipa01.example.com.
Now, I have some issues with this:
Why do I have BOTH IPA servers in ONE location, since I have set only one of them in the specific location? Replication has nothing to do with it, we talk about the host of the location!
If this a cognitive decision to add all replicated IPA servers to all locations? If so, why?
Finally, is there any way to I get the IPA server(s) of a specific location?
(My understanding is that we don't have the SUBNET entries as in IPA 2.x series and this is handled automatically with service discovery).
2 years, 5 months
Mix and Match Local Users and Groups with IPA Users and Groups?
by Ryan Slominski
What is the recommended way to handle a local user in an IPA group?
For example, I have the standard local user "apache" that I'd like to add to an IPA group. I don't really want to add an "apache" user to IPA as it isn't really a regular user. Similarly, I don't want to create a local group of the same name and membership as the group in IPA. NIS seems to allow groups that reference local users. Can IPA?
An IPA User in a local group is a similar problem, what is the solution there?
2 years, 5 months
smartcard auth + kerberos ticket?
by Natxo Asenjo
hi,
I can successfully login using a smartcard (fedora 29 client, centos 7
kdcs, latest patch level).
However, when I try to access a kerberized service, I need to kinit first,
because I don't have a ticket:
$ klist
klist: Credentials cache 'KCM:1006000001' not found
I already have krb5-pkinit in de client and if I kinit -n I get a
wellknown/anonymous ticket from the kdcs, but this is obviously not what I
had in mind :-)
Am I doing something wrong or is this to be expected?
--
regards,
Natxo
2 years, 5 months
Change IP address of IPA server
by John Duino
Due to some preferred changes in our environment, we would like to change
the IP address of two of our servers. My thinking is that we stop IPA on
those hosts, change their IP and power down, then change the IP in the DNS
of the running IPA's, then bring the two servers up. I am assuming all
associations are done via fqdn and not an IP, is that correct? Is this safe
or am I risking some corruption to the environment?
--
John Duino
jduino(a)oblong.com
2 years, 5 months
FreeIPA PPC64LE builds
by Pieter Baele
Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server PPC64LE
build for Centos 7 (or RH IDM on RHEL 7/8)
I only see some packages for PowerPC on Fedora and Ubuntu....
2 years, 5 months
Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials
by Alexander Bokovoy
On ti, 13 marras 2018, Mustafa Karci via FreeIPA-users wrote:
>Dear Alexander,
>
>The main intention is to setup a freeipa-server with a trust domain to
>a Windows 2019 AD server. So for all windows env we would like to use
>Windows 2019AD server and for all our Linux based server we would like
>to use FreeIPA-server.
>
>From this point we have setup a basic Windows2019 AD domain with the
>following realm ad.srv.world And the FreeIPA server has the following
>realm ipa.srv.world
>
>The Windowd 2019 server also acts as the DNS server, where the
>freeipa-server has his own dns rules and forwarding rule enabled to
>zone ad.srv.world (windows 2019 DNS server).
>
>
>From the ipa-server run the following command
>
>ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
>
>All seems working ok on the ipa-server. But when trying to add the
>freeipa server to a windows 2019 AD im getting the following error:
>
>ipa trust-add --type=ad ad.srv.world --admin Administrator --password
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
>
>Already tried to change permission on the AD site, but group policy
>domain admin should be enough to setup a trused domain between these
>two.
No, this is not (at least not yet) an AD side. You need to look into
Samba logs. Your excerpts from the logs below show that Samba is capable
to authenticate the connection from IPA framework properly and
understands that this is a constrained delegation use (HTTP/...
service principal acts on behalf of 'admin' user principal). However, it
is not able to validate that 'admin' user has enough permissions to
perform what is needed:
>Successfully validated Kerberos PAC
> pac_data: struct PAC_DATA
> num_buffers : 0x00000005 (5)
> version : 0x00000000 (0)
> buffers: ARRAY(5)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_INFO (1)
> _ndr_size : 0x000001a8 (424)
> info : *
> info : union PAC_INFO(case 1)
> logon_info: struct PAC_LOGON_INFO_CTR
> info : *
> info: struct PAC_LOGON_INFO
> info3: struct netr_SamInfo3
> base: struct netr_SamBaseInfo
> logon_time : NTTIME(0)
> logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
> allow_password_change : NTTIME(0)
> force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
> account_name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'admin'
> full_name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Administrator'
> logon_script: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> profile_path: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_directory: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_drive: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> logon_count : 0x0000 (0)
> bad_password_count : 0x0000 (0)
> rid : 0x000001f4 (500)
> primary_gid : 0x00000200 (512)
> groups: struct samr_RidWithAttributeArray
> count : 0x00000000 (0)
> rids : *
> rids: ARRAY(0)
> user_flags : 0x00000000 (0)
> 0: NETLOGON_GUEST
> 0: NETLOGON_NOENCRYPTION
> 0: NETLOGON_CACHED_ACCOUNT
> 0: NETLOGON_USED_LM_PASSWORD
> 0: NETLOGON_EXTRA_SIDS
> 0: NETLOGON_SUBAUTH_SESSION_KEY
> 0: NETLOGON_SERVER_TRUST_ACCOUNT
> 0: NETLOGON_NTLMV2_ENABLED
> 0: NETLOGON_RESOURCE_GROUPS
> 0: NETLOGON_PROFILE_PATH_RETURNED
> 0: NETLOGON_GRACE_LOGON
> key: struct netr_UserSessionKey
> key: ARRAY(16): <REDACTED SECRET VALUES>
> logon_server: struct lsa_StringLarge
> length : 0x0006 (6)
> size : 0x0008 (8)
> string : *
> string : 'DLP'
> logon_domain: struct lsa_StringLarge
>
>
>
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_NAME (10)
> _ndr_size : 0x00000014 (20)
> info : *
> info : union PAC_INFO(case 10)
> logon_name: struct PAC_LOGON_NAME
> logon_time : Mon Nov 12 04:01:01 PM 2018 CET
> size : 0x000a (10)
> account_name : 'admin'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
> _ndr_size : 0x000000d8 (216)
> info : *
> info : union PAC_INFO(case 11)
> constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
> info : *
> info: struct PAC_CONSTRAINED_DELEGATION
> proxy_target: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
> num_transited_services : 0x00000001 (1)
> transited_services : *
> transited_services: ARRAY(1)
> transited_services: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_SRV_CHECKSUM (6)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 6)
> srv_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
> [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_KDC_CHECKSUM (7)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 7)
> kdc_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
>
>
>im a bit stuck with this issue.
Can I see logs after this place? Smbd/winbindd should go on to resolve
'admin' user using a system and then build a local NT token for it. That
one should have a RID 512 in it, like MS-PAC record above.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2 years, 5 months
Re: ipa.service "fails" to start
by Florence Blanc-Renaud
On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote:
> Hi there,
>
> This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7.
>
> After reboot I couldn't start ipa service via systemctl, hence I run
> "ipactl start --ignore-service-failures" and this was kind of
> successful. I still have some discrepancies, and looking for
> troubleshooting ideas.
>
> 1. "systemctl status ipa.service" reads that service failed
> 2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server
> is running.
Hi,
The PKI service status can be found using "systemctl status
pki-tomcatd(a)pki-tomcat.service".
More details on the differences between targets and units can be found
in the man pages for systemd.unit(5) and systemd.target(5).
> 3.
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED <---- !!
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
To troubleshoot, you can have a look at the output of
# systemctl status pki-tomcatd(a)pki-tomcat.service
and the logs in /var/log/pki/pki-tomcat/ca/debug.
I would start by checking if some certificates expired with getcert list
(check the status, should be MONITORING, and the expires: <date>).
HTH,
flo
>
> Well, why pki-tomcatd reads 'stopped' and how to make systemctl to
> recognize that ipa service is running, thanks in advance,
>
> Zarko
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
2 years, 5 months
LDAP - Zammad -> not offering all fields
by Tobi Berninger
Hey,
i have an freeipa 4.5.4 on an Centos 7 up and running.
I allready binded that ipa trough an ldap on an nextcloud installation.
Now i try to do the same with an zammad. Sadly it doesnt offers me the
right fields (first name, last name, mail and many more are missing)
I set up an extra ldap sysaccount just for that reason, as it was described
here: https://www.freeipa.org/page/HowTo/LDAP
Any ideas what i was doing wrong?
Others users in the zammad forum told me that zammad is offering them the
fields i need, so i am quite convinced that the error is in an
missconfiguration on my side. Sadly i didnt set the server up, i just try
to keep it running.
Thank u all for ur help and i apoligze for my english...
2 years, 5 months
