krbpasswordexpiration field gone from "ipa user-show" ?
by Ivars Strazdiņš
Hi,
just upgraded CentOS to 7.6 and got FreeIPA upgraded to 4.6.4.
Now the command "ipa user-show <USERNAME> --all" does not return the "krbpasswordexpiration" field anymore.
Is there another simple way to find out when a user's password expires? We kind of relied on this to warn them in advance.
We could possibly calculate the expiration date from the user's "krblastpwdchange" field and the "ipa pwpolicy-find" command output, but maybe there's a simpler way?
Thanks and kind regards,
Ivars
5 years, 4 months
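The calculation the post proposes, written out as an added example (not code from the post or from FreeIPA). It takes the values that "ipa user-show --all" prints (krblastpwdchange as LDAP GeneralizedTime, the user's group list) and the group/priority/"Max lifetime (days)" columns of "ipa pwpolicy-find", applies the FreeIPA rule that the group policy with the lowest priority number wins and global_policy is the fallback, and adds the lifetime to the last change. The sample policies and users are constructed; treating a max lifetime of 0 as "never expires" is an assumption. One caveat for the warning script: the stored krbpasswordexpiration is authoritative, and a password set by an administrator is expired immediately so the user must change it, which this arithmetic cannot see.

```python
"""Password-expiry estimate for FreeIPA users (added example, not FreeIPA code).

Inputs are the values ``ipa user-show --all`` prints (krblastpwdchange, the
"Member of groups" list) and the group / priority / max lifetime (days) rows
of ``ipa pwpolicy-find``.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what ``ipa pwpolicy-find`` reports: group -> (priority,
# max lifetime in days).  global_policy has no priority.  A max lifetime of 0
# is treated as "never expires" (assumption about the policy semantics).
POLICIES = {
    "global_policy": (None, 90),
    "admins": (10, 30),
    "contractors": (5, 14),
}


def parse_generalized_time(value: str) -> datetime:
    """krbLastPwdChange is an LDAP GeneralizedTime in UTC, e.g. 20181201083000Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC GeneralizedTime ending in 'Z'")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def applicable_policy(member_groups, policies=POLICIES) -> str:
    """FreeIPA applies, among the group policies whose group the user is in,
    the one with the lowest priority number; otherwise global_policy.
    member_groups is taken as already expanded (the user-show group list)."""
    candidates = [
        (priority, group)
        for group, (priority, _maxlife) in policies.items()
        if priority is not None and group in member_groups
    ]
    return min(candidates)[1] if candidates else "global_policy"


def password_expiry(krblastpwdchange: str, maxlife_days: int):
    """Expiry instant, or None when the policy sets no maximum lifetime."""
    if maxlife_days == 0:
        return None
    return parse_generalized_time(krblastpwdchange) + timedelta(days=maxlife_days)


def days_until_expiry(user: dict, now: str, policies=POLICIES):
    """Whole days left (negative once expired), or None for no expiry.
    `now` is also a GeneralizedTime string, e.g. from: date -u +%Y%m%d%H%M%SZ"""
    policy = applicable_policy(user["memberof_group"], policies)
    expiry = password_expiry(user["krblastpwdchange"], policies[policy][1])
    if expiry is None:
        return None
    return (expiry - parse_generalized_time(now)).days


def users_to_warn(users, now: str, warn_days: int, policies=POLICIES):
    """uids whose password expires within warn_days (or already has)."""
    out = []
    for user in users:
        left = days_until_expiry(user, now, policies)
        if left is not None and left <= warn_days:
            out.append(user["uid"])
    return out


# Constructed sample users, shaped like ``ipa user-show --all`` output.
USERS = [
    {"uid": "jdoe", "krblastpwdchange": "20181201083000Z",
     "memberof_group": ["ipausers", "admins", "contractors"]},
    {"uid": "asmith", "krblastpwdchange": "20181001120000Z",
     "memberof_group": ["ipausers"]},
]

if __name__ == "__main__":
    now = "20181210000000Z"
    for u in USERS:
        print(u["uid"], applicable_policy(u["memberof_group"]),
              days_until_expiry(u, now))
    print("warn:", users_to_warn(USERS, now, 14))
```

In the sample, jdoe is in both admins (priority 10) and contractors (priority 5), so the 14-day contractors policy applies and the warning fires; asmith only has the global 90-day policy.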
Certificate Issue on IPA server
by Christopher Young
IPA 4.5.4 (has been upgraded for years, just to understand that there
is a history)
This system (ipa01) is the renewal master (in case that matters)
I'm getting the following error on 'getcert'. My gut tells me this is
kind of a big deal. :) I really could use some help figuring this one
out, as I'm not the most CA-versed. I have been learning quite a bit
reading some of the blogs, but there's definitely a lot of ignorance of
the details on my part.
The error:
-----------
[root@orldc-prod-ipa01 log]# getcert list | grep -A12 -B1 error
status: MONITORING
ca-error: Server at
"http://orldc-prod-ipa01.passur.local:8080/ca/ee/ca/profileSubmit"
replied: Record not found
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PASSUR.LOCAL
subject: CN=orldc-prod-ipa01.passur.local,O=PASSUR.LOCAL
expires: 2018-12-06 21:43:50 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
-----------
If I look at the cert referenced locally in the NSS DB:
------
[root@orldc-prod-ipa01 log]# certutil -L -d /etc/pki/pki-tomcat/alias
-f /etc/httpd/alias/pwdfile.txt
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
------
[root@orldc-prod-ipa01 log]# certutil -L -d /etc/pki/pki-tomcat/alias
-f /etc/httpd/alias/pwdfile.txt -n 'Server-Cert cert-pki-ca' | grep
"Subject:\|Serial"
Serial Number: 268304422 (0xffe0026)
Subject: "CN=orldc-prod-ipa01.passur.local,O=PASSUR.LOCAL"
-----
[root@orldc-prod-ipa01 log]# ipa cert-find --min-serial-number
268304422 --max-serial-number 268304423
----------------------
0 certificates matched
----------------------
-----
I'm trying to figure out how to find this certificate. And IF somehow
it is wrong or missing, how do I fix such a scenario?
Any help here is always appreciated! Unfortunately, I'm running out
of time based on the expiration date I see on 'getcert'. I'm not sure
of the ramifications, but this seems pretty critical on the surface.
Thanks again for any help and direction!
-- Chris
5 years, 4 months
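The two signals in the post, a "ca-error" on a request whose status is still MONITORING and an "expires" date only days away, are easy to miss in a long "getcert list". Below is an added example (not code from the post or from certmonger) that parses that output into one record per tracked request and flags requests with a ca-error, a stuck or non-MONITORING state, or an expiry within a chosen window. Real getcert output has one tab-indented field per line; the copy in the post was wrapped by the mail client, so the parser folds non-indented lines back into the previous field. The sample text is constructed to mirror the post's fields, and the script does not diagnose why the CA reports "Record not found".

```python
"""Flag certmonger requests that need attention from ``getcert list`` output.

Added example, not part of the post or of certmonger.
"""
import re
from datetime import datetime, timedelta, timezone

# getcert indents fields with a tab: "\t<key>: <value>".  A line without that
# tab (a wrapped continuation such as '"http://host:8080/..."', which itself
# contains colons) is appended to the previous field.
FIELD_RE = re.compile(r"^\t([A-Za-z][A-Za-z0-9 _-]*): ?(.*)$")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text: str):
    """Return a list of {'id': ..., field: value, ...} dicts, one per request."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None or not line.strip():
            continue
        f = FIELD_RE.match(line)
        if f:
            last_key = f.group(1).strip()
            current[last_key] = f.group(2).strip()
        elif last_key is not None:          # wrapped continuation line
            current[last_key] += " " + line.strip()
    return requests


def parse_expiry(value: str) -> datetime:
    """getcert prints expiry as '2018-12-06 21:43:50 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problems(requests, now: datetime, warn_days: int = 30):
    """Map request id -> reasons, for requests that need attention."""
    problems = {}
    for r in requests:
        reasons = []
        if r.get("ca-error"):
            reasons.append("ca-error: " + r["ca-error"])
        if r.get("stuck", "no") != "no":
            reasons.append("stuck")
        if r.get("status") != "MONITORING":
            reasons.append("status " + r.get("status", "?"))
        if "expires" in r:
            left = parse_expiry(r["expires"]) - now
            if left <= timedelta(days=warn_days):
                reasons.append("expires in %d days" % left.days)
        if reasons:
            problems[r["id"]] = reasons
    return problems


def report(text: str, now_utc: str, warn_days: int = 30):
    """Convenience entry point: now_utc as 'YYYY-MM-DD HH:MM:SS'."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return find_problems(parse_getcert_list(text), now, warn_days)


# Constructed sample in the shape of ``getcert list``, with the ca-error and
# key-pair-storage lines wrapped the way the post's copy was.
SAMPLE = (
    "Number of certificates and requests being tracked: 2.\n"
    "Request ID '20181001120000':\n"
    "\tstatus: MONITORING\n"
    "\tca-error: Server at\n"
    '"http://ipa.example.test:8080/ca/ee/ca/profileSubmit"\n'
    "replied: Record not found\n"
    "\tstuck: no\n"
    "\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert\n"
    "cert-pki-ca',token='NSS Certificate DB',pin set\n"
    "\tCA: dogtag-ipa-ca-renew-agent\n"
    "\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST\n"
    "\texpires: 2018-12-06 21:43:50 UTC\n"
    "\ttrack: yes\n"
    "Request ID '20181001120001':\n"
    "\tstatus: MONITORING\n"
    "\tstuck: no\n"
    "\tCA: IPA\n"
    "\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST\n"
    "\texpires: 2020-06-01 00:00:00 UTC\n"
    "\ttrack: yes\n"
)

if __name__ == "__main__":
    for rid, reasons in report(SAMPLE, "2018-12-01 00:00:00").items():
        print(rid, reasons)
```

On a live server, feed it the real output (getcert list > /tmp/getcert.txt) and run it from cron with a window wider than certmonger's own renewal lead time, so a renewal that keeps failing is noticed before the expiry date arrives.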
Re: SSO issue on one freeipauser
by Alexander Bokovoy
Please do not drop the public mailing list.
On Wed, 05 Dec 2018, tarak sinha wrote:
>Hi Alexander,
>
>We recently built new IPA servers in our DC; the new IPA server realm name will
>be IPA.EXAMPLE.COM and the old IPA realm was EXAMPLE.COM.
>
>If you see, only one user is impacted doing SSO on this host; the rest of the users
>are able to do SSO perfectly with the new REALM (IPA.EXAMPLE.COM)
You need to look into that user's environment. Perhaps, the user has own
krb5.conf override by setting KRB5_CONFIG environment variable.
>
>
>On Wed, Dec 5, 2018 at 8:27 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>wrote:
>
>> On Wed, 05 Dec 2018, tarak sinha wrote:
>> >user not working
>> >
>> >[aalevoor(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com
>> >kvno: Server not found in Kerberos database while getting credentials for
>> >host/mstageegw3.example.com(a)EXAMPLE.COM
>> >[aalevoor(a)deploy1.ops ~]$
>> >
>> >*Working user on same host*
>> >
>> >tsinha(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com
>> >host/mstageegw3.example.com(a)IPA.EXAMPLE.COM: kvno = 1
>> >
>> >Any further advice to check
>> You need to explain how EXAMPLE.COM and IPA.EXAMPLE.COM Kerberos realms
>> are related to each other.
>>
>> What is your deployment design?
>>
>>
>> >
>> >On Wed, Dec 5, 2018 at 5:44 PM tarak sinha <taraksinha09(a)gmail.com>
>> wrote:
>> >
>> >> Thanks, I'll check it out.
>> >>
>> >> On Wed, Dec 5, 2018, 5:19 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>> >> wrote:
>> >>
>> >>> On Wed, 05 Dec 2018, tarak sinha wrote:
>> >>> >Yes, I can. thanks alex for your help. Let me know what needs to be
>> done.
>> >>> >
>> >>> >[root(a)deploy1.ops tsinha]# kvno -S host mstageegw3.example.com
>> >>> >kvno: invalid option -- S
>> >>> >usage: kvno [-4 | [-c ccache] [-e etype] [-k keytab]] service1
>> service2
>> >>> ...
>> >>> >[root(a)deploy1.ops tsinha]#
>> >>> What OS is this?
>> >>>
>> >>> Anyway, what happens if you get
>> >>>
>> >>> kvno host/mstageegw3.example.com
>> >>>
>> >>> Also, please show
>> >>>
>> >>> ipa host-show --all mstageegw3.example.com
>> >>>
>> >>>
>> >>>
>> >>> >
>> >>> >On Wed, Dec 5, 2018 at 4:28 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>> >>> >wrote:
>> >>> >
>> >>> >> On Wed, 05 Dec 2018, tarak sinha via FreeIPA-users wrote:
>> >>> >> >Hi Guys,
>> >>> >> >
>> >>> >> >I am having issue to ssh with one host with SSO, all the users are
>> >>> able to
>> >>> >> >ssh without asking password but only my userid having issue with
>> >>> asking
>> >>> >> >password, I have tried to do kdestroy and did kinit again with
>> userid
>> >>> >> along
>> >>> >> >with REALM but did not work. if you have any suggestions please
>> let me
>> >>> >> know
>> >>> >> >to check further.
>> >>> >> >
>> >>> >> >Here it is output for ssh connection which asking password,
>> >>> >> >----snip----
>> >>> >> >
>> >>> >> >debug1: Authentications that can continue:
>> >>> >> >publickey,gssapi-keyex,gssapi-with-mic,password
>> >>> >> >debug1: Next authentication method: gssapi-with-mic
>> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more
>> >>> information
>> >>> >> >Server not found in Kerberos database
>> >>> >> ^^ this is your problem.
>> >>> >>
>> >>> >> Can you show output of
>> >>> >>
>> >>> >> kvno -S host mstageegw3.example.com
>> >>> >>
>> >>> >> on your client from where you do SSH?
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more
>> >>> information
>> >>> >> >Server not found in Kerberos database
>> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more
>> >>> information
>> >>> >> >Server not found in Kerberos database
>> >>> >> >debug2: we did not send a packet, disable method
>> >>> >> >debug1: Next authentication method: publickey
>> >>> >> >debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa
>> >>> >> >debug2: we sent a publickey packet, wait for reply
>> >>> >> >debug1: Authentications that can continue:
>> >>> >> >publickey,gssapi-keyex,gssapi-with-mic,password
>> >>> >> >debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa
>> >>> >> >debug2: we did not send a packet, disable method
>> >>> >> >debug1: Next authentication method: password
>> >>> >> >aalevoor(a)mstageegw3.example.com's password:
>> >>> >> >debug2: we sent a password packet, wait for reply
>> >>> >> >debug1: Authentication succeeded (password).
>> >>> >> >debug1: channel 0: new [client-session]
>> >>> >> >debug2: channel 0: send open
>> >>> >> >debug1: Entering interactive session.
>> >>> >> >debug2: callback start
>> >>> >> >debug2: client_session2_setup: id 0
>> >>> >> >debug2: channel 0: request pty-req confirm 0
>> >>> >> >debug2: channel 0: request shell confirm 0
>> >>> >> >debug2: fd 4 setting TCP_NODELAY
>> >>> >> >debug2: callback done
>> >>> >> >debug2: channel 0: open confirm rwindow 0 rmax 32768
>> >>> >> >debug2: channel 0: rcvd adjust 2097152
>> >>> >> >Last login: Wed Dec 5 01:53:06 2018 from 10.22.6.70
>> >>> >> >
>> >>> >> >--
>> >>> >> >
>> >>> >> >*Thanks,*
>> >>> >> >
>> >>> >> >*TS*
>> >>> >
>> >>> >
>> >>
>> >
>
>
>--
>
>*Thanks,*
>
>*Tarak Nath Sinha*
>
>*Mobile: **+91 8197522750*
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5 years, 4 months
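The two kvno results in this thread differ only in the realm the client attached to host/mstageegw3.example.com: one user's libkrb5 mapped the host to EXAMPLE.COM, whose KDC has no such principal ("Server not found in Kerberos database"), the other's mapped it to IPA.EXAMPLE.COM. That mapping comes from [domain_realm] in whichever krb5.conf the KRB5_CONFIG variable points at, which is the check the reply asks for. Below is an added example (not code from the thread or from MIT krb5) that models the lookup offline: it reads only default_realm and [domain_realm] from a krb5.conf text, applies the exact-host, then dotted-parent-domain, then default_realm order, and honours KRB5_CONFIG (simplified to the first file in the list; DNS realm lookup and referrals are not modelled). Both configuration files and the user's environment are constructed.

```python
"""Which realm does a client pick for host/<fqdn>?  Added example modelling
the krb5.conf [domain_realm] lookup; not code from the thread or MIT krb5.

Simplifications (assumptions): only [libdefaults] default_realm and
[domain_realm] are read, only the first KRB5_CONFIG file is used, and
dns_lookup_realm / referrals are not modelled.
"""
import os


def krb5_conf_paths(env=None):
    """Files libkrb5 reads: KRB5_CONFIG (colon-separated) overrides the default."""
    env = os.environ if env is None else env
    return env.get("KRB5_CONFIG", "/etc/krb5.conf").split(":")


def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf reader for top-level 'key = value' lines in the
    sections we need; brace blocks such as [realms] entries are skipped."""
    conf = {"libdefaults": {}, "domain_realm": {}}
    section, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        opens, closes = line.count("{"), line.count("}")
        if depth == 0 and opens == 0 and "=" in line and section in conf:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key.lower()] = value      # hostnames are case-insensitive
        depth += opens - closes
    return conf


def realm_for_host(hostname: str, conf: dict):
    """Exact host entry first, then parent domains written with a leading dot
    (longest match first), then default_realm."""
    host = hostname.lower().rstrip(".")
    mapping = conf["domain_realm"]
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"].get("default_realm")


def service_principal(service: str, hostname: str, conf: dict) -> str:
    return "%s/%s@%s" % (service, hostname, realm_for_host(hostname, conf))


def principal_for_user(env: dict, files: dict, hostname: str) -> str:
    """Resolve with the krb5.conf this environment selects.  `files` maps
    path -> content so the example runs offline (constructed)."""
    path = krb5_conf_paths(env)[0]
    return service_principal("host", hostname, parse_krb5_conf(files[path]))


# Constructed: the system file after the host was enrolled in the new realm.
SYSTEM_KRB5_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  dns_lookup_realm = false
  rdns = false

[realms]
  IPA.EXAMPLE.COM = {
    kdc = ipa1.ipa.example.com:88
    admin_server = ipa1.ipa.example.com:749
  }

[domain_realm]
  .example.com = IPA.EXAMPLE.COM
  example.com = IPA.EXAMPLE.COM
"""

# Constructed: a stale per-user copy from the old deployment, selected by a
# KRB5_CONFIG override in that user's shell profile.
STALE_USER_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

FILES = {
    "/etc/krb5.conf": SYSTEM_KRB5_CONF,
    "/uhome/aalevoor/.krb5.conf": STALE_USER_KRB5_CONF,   # hypothetical path
}

if __name__ == "__main__":
    host = "mstageegw3.example.com"
    print("default env :", principal_for_user({}, FILES, host))
    print("override env:", principal_for_user(
        {"KRB5_CONFIG": "/uhome/aalevoor/.krb5.conf:/etc/krb5.conf"}, FILES, host))
```

On the real client the equivalent check is to run, as the affected user, `env | grep KRB5` and compare `kvno host/mstageegw3.example.com` with and without the variable unset.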
sudo and hostgroups
by Winfried de Heiden
Hi all,
On a brand new install, sudo for a hostgroup seems not to work. I create
a sudo rule for admins, only to do "everything" on all servers within
the hostgroup "ipaservers":
Rule name: s3_sudo_freeipa_admins
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: admins
Host Groups: ipaservers
However, user admin is not allowed to do so:
[admin@freeipa1 ~]$ sudo -l
[sudo] password for admin:
Sorry, user admin may not run sudo on freeipa1.
Removing the group but adding the two FreeIPA servers:
Rule name: s3_sudo_freeipa_admins
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: admins
Hosts: freeipa1.example.local, freeipa2.example.local
After cleaning the sssd cache:
sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on freeipa1:
!visiblepw, always_set_home, match_group_by_gid, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User admin may run the following commands on freeipa1:
(ALL : ALL) ALL
There are no clients yet; this issue was reproduced on a brand new
CentOS 7.5 IPA installation with no modifications or anything else...
What's happening here?
Winfried
5 years, 4 months
Re: SSO issue on one freeipauser
by Alexander Bokovoy
On Wed, 05 Dec 2018, tarak sinha wrote:
>user not working
>
>[aalevoor(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com
>kvno: Server not found in Kerberos database while getting credentials for
>host/mstageegw3.example.com(a)EXAMPLE.COM
>[aalevoor(a)deploy1.ops ~]$
>
>*Working user on same host*
>
>tsinha(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com
>host/mstageegw3.example.com(a)IPA.EXAMPLE.COM: kvno = 1
>
>Any further advice to check
You need to explain how EXAMPLE.COM and IPA.EXAMPLE.COM Kerberos realms
are related to each other.
What is your deployment design?
>
>On Wed, Dec 5, 2018 at 5:44 PM tarak sinha <taraksinha09(a)gmail.com> wrote:
>
>> Thanks, I'll check it out.
>>
>> On Wed, Dec 5, 2018, 5:19 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>
>>> On Wed, 05 Dec 2018, tarak sinha wrote:
>>> >Yes, I can. thanks alex for your help. Let me know what needs to be done.
>>> >
>>> >[root(a)deploy1.ops tsinha]# kvno -S host mstageegw3.example.com
>>> >kvno: invalid option -- S
>>> >usage: kvno [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2
>>> ...
>>> >[root(a)deploy1.ops tsinha]#
>>> What OS is this?
>>>
>>> Anyway, what happens if you get
>>>
>>> kvno host/mstageegw3.example.com
>>>
>>> Also, please show
>>>
>>> ipa host-show --all mstageegw3.example.com
>>>
>>>
>>>
>>> >
>>> >On Wed, Dec 5, 2018 at 4:28 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>>> >wrote:
>>> >
>>> >> On Wed, 05 Dec 2018, tarak sinha via FreeIPA-users wrote:
>>> >> >Hi Guys,
>>> >> >
>>> >> >I am having issue to ssh with one host with SSO, all the users are
>>> able to
>>> >> >ssh without asking password but only my userid having issue with
>>> asking
>>> >> >password, I have tried to do kdestroy and did kinit again with userid
>>> >> along
>>> >> >with REALM but did not work. if you have any suggestions please let me
>>> >> know
>>> >> >to check further.
>>> >> >
>>> >> >Here it is output for ssh connection which asking password,
>>> >> >----snip----
>>> >> >
>>> >> >debug1: Authentications that can continue:
>>> >> >publickey,gssapi-keyex,gssapi-with-mic,password
>>> >> >debug1: Next authentication method: gssapi-with-mic
>>> >> >debug1: Unspecified GSS failure. Minor code may provide more
>>> information
>>> >> >Server not found in Kerberos database
>>> >> ^^ this is your problem.
>>> >>
>>> >> Can you show output of
>>> >>
>>> >> kvno -S host mstageegw3.example.com
>>> >>
>>> >> on your client from where you do SSH?
>>> >>
>>> >>
>>> >>
>>> >> >debug1: Unspecified GSS failure. Minor code may provide more
>>> information
>>> >> >Server not found in Kerberos database
>>> >> >debug1: Unspecified GSS failure. Minor code may provide more
>>> information
>>> >> >Server not found in Kerberos database
>>> >> >debug2: we did not send a packet, disable method
>>> >> >debug1: Next authentication method: publickey
>>> >> >debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa
>>> >> >debug2: we sent a publickey packet, wait for reply
>>> >> >debug1: Authentications that can continue:
>>> >> >publickey,gssapi-keyex,gssapi-with-mic,password
>>> >> >debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa
>>> >> >debug2: we did not send a packet, disable method
>>> >> >debug1: Next authentication method: password
>>> >> >aalevoor(a)mstageegw3.example.com's password:
>>> >> >debug2: we sent a password packet, wait for reply
>>> >> >debug1: Authentication succeeded (password).
>>> >> >debug1: channel 0: new [client-session]
>>> >> >debug2: channel 0: send open
>>> >> >debug1: Entering interactive session.
>>> >> >debug2: callback start
>>> >> >debug2: client_session2_setup: id 0
>>> >> >debug2: channel 0: request pty-req confirm 0
>>> >> >debug2: channel 0: request shell confirm 0
>>> >> >debug2: fd 4 setting TCP_NODELAY
>>> >> >debug2: callback done
>>> >> >debug2: channel 0: open confirm rwindow 0 rmax 32768
>>> >> >debug2: channel 0: rcvd adjust 2097152
>>> >> >Last login: Wed Dec 5 01:53:06 2018 from 10.22.6.70
>>> >> >
>>> >> >--
>>> >> >
>>> >> >*Thanks,*
>>> >> >
>>> >> >*TS*
>>> >
>>> >
>>
>
>--
>
>*Thanks,*
>
>*Tarak Nath Sinha*
>
>*Mobile: **+91 8197522750*
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5 years, 4 months
TOTP generators producing different values
by Brian Topping
Hi all, I have a question about TOTP authenticators (Google Authenticator, Authy, FreeOTP):
Why is it that a given URL/QRCode can load into all three authenticators, but all three give different OTP values at any given time and only FreeOTP actually works?
When I run `ipa otptoken-sync` with values from Authy, it crashes:
```
[root@ns-0 /]# ipa otptoken-sync 752f744e-1879-4499-a9c5-8932f739d26a
User ID: player1
Password:
First Code:
Second Code:
ipa: ERROR: non-public: AttributeError: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
result = self.Command[_name](*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
return self.__do_call(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
ret = self.run(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
return self.forward(*args, **options)
File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken.py", line 168, in forward
query['token'] = DN((obj.primary_key.name, args[0]),
AttributeError: 'NoneType' object has no attribute 'name'
ipa: ERROR: an internal error has occurred
```
Thanks kindly for any leads on this!
Brian
5 years, 4 months
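The QR code is an otpauth://totp URI that carries not only the secret but also algorithm, digits and period. An authenticator that honours those parameters and one that ignores them and always computes SHA1 / 6 digits / 30 seconds will show different codes for the same secret, which is the first thing to check when only one app's codes are accepted (`ipa otptoken-show <uuid> --all` prints the token's algorithm, digits and interval). Below is an added example, not code from the post, FreeIPA or FreeOTP: a TOTP implementation with those parameters, checked against the RFC 6238 Appendix B vectors, and a `code_from_uri` function whose `honour_params=False` branch models a client that ignores them (an assumption about such clients; confirm against each app's documentation). The demo token, its label and the `ipa otptoken-add` flags named in the comment are constructed for the example.

```python
"""TOTP (RFC 6238) with the otpauth:// parameters that FreeOTP honours.
Added example, not FreeIPA or FreeOTP code.  The RFC 6238 test keys are used
so the results can be checked against Appendix B of the RFC.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Label, decoded secret and the optional parameters of an otpauth://totp
    URI; the defaults are the Key URI defaults (SHA1, 6 digits, 30 s)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret + "=" * (-len(secret) % 8)),  # re-pad
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / period)."""
    return hotp(key, at // period, digits, algorithm)


def code_from_uri(uri: str, at: int, honour_params: bool = True) -> str:
    """Code an authenticator shows for this URI at Unix time `at`.
    honour_params=False models a client that ignores algorithm/digits/period
    and always uses SHA1, 6 digits, 30 s (assumption about such clients)."""
    p = parse_otpauth(uri)
    if honour_params:
        return totp(p["key"], at, p["digits"], p["period"], p["algorithm"])
    return totp(p["key"], at, 6, 30, "SHA1")


def make_otpauth(label: str, key: bytes, algorithm: str = "SHA1",
                 digits: int = 6, period: int = 30) -> str:
    """Constructed helper building a URI of the kind a FreeIPA QR code encodes."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return "otpauth://totp/%s?secret=%s&algorithm=%s&digits=%d&period=%d" % (
        label, secret, algorithm, digits, period)


# RFC 6238 Appendix B keys: the ASCII digits repeated to the hash block size.
KEY_SHA1 = b"12345678901234567890"
KEY_SHA256 = b"12345678901234567890123456789012"
KEY_SHA512 = (b"1234567890" * 6) + b"1234"

# Constructed token with non-default parameters (SHA256, 8 digits, 60 s), the
# kind an admin creates with ipa otptoken-add --type=totp --algo=sha256
# --digits=8 --interval=60 (flag names assumed; see ipa otptoken-add --help).
DEMO_URI = make_otpauth("EXAMPLE.TEST:player1", KEY_SHA256, "SHA256", 8, 60)

if __name__ == "__main__":
    t = 1111111109
    print("honours params:", code_from_uri(DEMO_URI, t, True))
    print("ignores params:", code_from_uri(DEMO_URI, t, False))
```

Run at the same instant, the two branches disagree in length and value; a server that verifies with the token's stored parameters (SHA256, 8 digits, 60 s) only accepts the first. A token created with the defaults yields the same code in both branches, which is why such mismatches only surface for tokens with non-default settings.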
Issue setting up FreeIPA and Samba
by Robert Byrne
Hi,
I am trying to setup FreeIPA to authenticate users logging into Linux systems, but would also like to use this to authenticate users accessing Samba shares from Windows clients. The problem is that I cannot access the shares at all from Windows clients and when I try to access a share from a Linux client, the following error message is printed:
robert@workstation 14:13:09 > smbclient //192.168.0.xx/samba -U robert
WARNING: The "syslog" option is deprecated
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Enter WORKGROUP\robert's password:
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
session setup failed: NT_STATUS_LOGON_FAILURE
Information regarding the setup:
- The FreeIPA + Samba server (samba.linux.company.local) is a VM running CentOS 7. The FreeIPA version is "VERSION: 4.5.4, API_VERSION: 2.228". The Samba version is 4.7.1.
- The firewalls on the server, VM host and clients are turned off for debugging purposes.
- SELINUX is also turned off.
- This was a fresh install and FreeIPA was setup with the following commands:
sudo yum install ipa-server
sudo ipa-server-install
Do you want to configure integrated DNS (BIND)? [no]: no
Server host name [ipa.company.local]: samba.linux.company.local
Please confirm the domain name [company.local]: samba.linux.company.local
Please provide a realm name [SAMBA.COMPANY.LOCAL]: SAMBA.LINUX.COMPANY.LOCAL
- The users can log into the Linux workstations that have been enrolled, suggesting that the setup is at least partly correct.
The Windows clients are not enrolled into the FreeIPA domain and are instead in the domain company.local. I followed the instructions here (https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_I...) with the following options:
yum install ipa-server-trust-ad
sudo ipa-adtrust-install
Enable trusted domains support in slapi-nis? [no]: no
NetBIOS domain name [LINUX]: LINUX
Do you want to run the ipa-sidgen task? [no]: yes
Followed by:
sudo mkdir /samba
sudo chmod 777 /samba
sudo net conf addshare samba /samba writeable=y guest_ok=n
sudo systemctl restart smb
Running sudo net conf list produces the following output:
[global]
workgroup = LINUX
netbios name = SAMBA
realm = LINUX.COMPANY.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-COMPANY-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=linux,dc=company,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
[samba]
path = /samba
guest ok = yes
read only = no
When I try to mount the share on Windows clients (either with \\192.168.0.xx\samba or \\samba.linux.company.local in Explorer) it states that 'The user name or password is incorrect.' I am not convinced that this is the case, however, since the same message is displayed even if the share is created with the option 'guest_ok=y'.
If I try to mount the 'guest_ok=y' share from a Linux client in the FreeIPA realm, I at least get an error message:
robert@workstation 14:13:09 > smbclient //192.168.0.xx/samba -U username
WARNING: The "syslog" option is deprecated
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Enter LINUX\robert's password:
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
session setup failed: NT_STATUS_LOGON_FAILURE
Under both Windows and Linux I have tried all combinations of domain (LINUX, SAMBA, WORKGROUP) and various users that I can think of, but with no success.
Does anyone have an idea what the issue might be? I previously created the above setup on a pair of VMs and everything worked as expected, but am having difficulty reproducing it here....
Many thanks in advance for any help and suggestions! Please let me know if you need any more information.
Rob
5 years, 4 months
SSO issue on one freeipauser
by tarak sinha
Hi Guys,
I am having an issue with SSH to one host using SSO: all the users are able to
ssh without being asked for a password, but only my user ID has the issue of being
asked for a password. I have tried to do kdestroy and did kinit again with my user ID
along with the REALM, but it did not work. If you have any suggestions please let me
know, so I can check further.
Here is the output of the ssh connection that asks for a password:
----snip----
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
aalevoor(a)mstageegw3.example.com's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
Last login: Wed Dec 5 01:53:06 2018 from 10.22.6.70
--
*Thanks,*
*TS*
5 years, 4 months
ipa-replica-install error migrating CentOS 6 to 7
by Marc Wiatrowski
I'm trying to migrate a CentOS 6 IPA setup to CentOS 7. Both are fully
updated CentOS 6.10 (ipa-server-3.0.0-51) and CentOS 7.6
(ipa-server-4.6.4-10)
I've been following:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
I ran copy-schema-to-ca.py on centos6 and created the replica info file
without any issues. But then:
[root@centos7]$ ipa-replica-install /var/lib/ipa/replica-info-centos7.gpg
--setup-ca --ip-address 192.168.1.1 --setup-dns --no-forwarders
Directory Manager (existing master) password:
Run connection check to master
admin(a)DOMAIN.NET password:
Connection check OK
Adding [192.168.1.1 centos7.domain.net] to your /etc/hosts file
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
....
[27/41]: ignore time skew for initial replication
[28/41]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: modification of
attribute nsds5replicabinddngroupcheckinterval is not allowed in replica
entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR Server is unwilling to perform: modification
of attribute nsds5replicabinddngroupcheckinterval is not allowed in replica
entry
ipapython.admintool: ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
centos6:/var/log/dirsrv/slapd/errors:
[04/Dec/2018:14:58:13 -0500] NSMMReplicationPlugin - replica_config_modify:
modification of attribute nsds5replicabinddngroupcheckinterval is not
allowed in replica entry
The ipareplica-install.log contains the same errors at the end. I have
googled and seen similar issues, but the solutions range from "fixed already
in a previous release" to not having an answer in the thread. It appears
CentOS 6 shouldn't have this attribute and that should be OK, but it fails all
the same.
Any suggestions?
Thank you in advance,
Marc
5 years, 4 months
FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.
by Andrey Ptashnik
Dear FreeIPA Team,
I have an issue with the Web GUI throwing the error message "Login failed due to an unknown reason" when logging in through the Web interface.
Other functionality like the directory service, DNS and authentication with ipa-clients seems to work fine.
I first spotted this issue in 4.5.0 and tried the troubleshooting steps from a previous thread; however, that did not help.
Hoping that the issue is solved in higher versions, I tried upgrading the ipa-server packages via:
# yum upgrade ipa-server
# ipa-server-upgrade
However, it did not solve the issue in 4.6.6; I see exactly the same behavior as in version 4.5.0.
# rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
krb5-libs-1.15.1-34.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
httpd-2.4.6-88.el7.centos.x86_64
# cat /etc/*release*
CentOS Linux release 7.4.1708 (Core)
What could be the next troubleshooting step in my case?
Thanks in advance,
Andrey
5 years, 4 months