December 2018 - FreeIPA-users - Fedora Mailing-Lists

krbpasswordexpiration field gone from "ipa user-show" ?

by Ivars Strazdiņš

Hi, just upgraded Centos to 7.6 and got FreeIPA upgraded to 4.6.4. Now command "ipa user-show <USERNAME> —all” does not return “krbpasswordexpiration” field anymore. Is there another simple way to find out when user's password expires? We kind of relied on this to warn them in advance. We could possibly calculate expiration date from user’s “krblastpwdchange” field and "ipa pwpolicy-find” command output, but maybe there’s a simpler way? Thanks and kind regards, Ivars

5 years, 4 months

3
7
0 / 0

Certificate Issue on IPA server

by Christopher Young

IPA 4.5.4 (has been upgraded for years just to understand that there is a history) This system (ipa01) is the renewal master (in case that matters) I'm getting the following error on 'getcert'. My gut tells me this is kinda a big deal. :) I really could use some help figuring this one out as I'm not the most CA-versed. I have been learning quite a bit reading some of the blogs, but there's definitely alot of ignorance of the details on my part. The error: ----------- [root@orldc-prod-ipa01 log]# getcert list | grep -A12 -B1 error status: MONITORING ca-error: Server at "http://orldc-prod-ipa01.passur.local:8080/ca/ee/ca/profileSubmit" replied: Record not found stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=PASSUR.LOCAL subject: CN=orldc-prod-ipa01.passur.local,O=PASSUR.LOCAL expires: 2018-12-06 21:43:50 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes ----------- If I look at the cert referenced locally in the NSS DB: ------ [root@orldc-prod-ipa01 log]# certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/httpd/alias/pwdfile.txt Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu subsystemCert cert-pki-ca u,u,u ocspSigningCert cert-pki-ca u,u,u ------ [root@orldc-prod-ipa01 log]# certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/httpd/alias/pwdfile.txt -n 'Server-Cert cert-pki-ca' | grep "Subject:\|Serial" Serial Number: 268304422 (0xffe0026) Subject: "CN=orldc-prod-ipa01.passur.local,O=PASSUR.LOCAL" ----- [root@orldc-prod-ipa01 log]# ipa cert-find --min-serial-number 268304422 --max-serial-number 268304423 ---------------------- 0 certificates matched ---------------------- ----- I'm trying to figure out how to find this certificate. And IF somehow it is wrong or missing, how do I fix such a scenario? Any help here is always appreciated! Unfortunately, I'm running out of time based on the expiration date I see on 'getcert'. I'm not sure of the ramifications, but this seems pretty critical on the surface. Thanks again for any help and direction! -- Chris

5 years, 4 months

3
13
0 / 0

Re: SSO issue on one freeipauser

by Alexander Bokovoy

Please do not drop the public mailing list. On ke, 05 joulu 2018, tarak sinha wrote: >Hi Alexander, > >We recently build new IPA servers in our DC, new IPA server realm name will >be IPA.EXAMPLE.COM and old IPA realm was EXAMPLE.COM. > >If you see only one user impacted to do SSO on this host rest of the users >are able to do SSO perfectly with new REALM (IPA.EXAMPLE.COM) You need to look into that user's environment. Perhaps, the user has own krb5.conf override by setting KRB5_CONFIG environment variable. > > >On Wed, Dec 5, 2018 at 8:27 PM Alexander Bokovoy <abokovoy(a)redhat.com> >wrote: > >> On ke, 05 joulu 2018, tarak sinha wrote: >> >user not working >> > >> >[aalevoor(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com >> >kvno: Server not found in Kerberos database while getting credentials for >> >host/mstageegw3.example.com(a)EXAMPLE.COM >> >[aalevoor(a)deploy1.ops ~]$ >> > >> >*Working user on same host* >> > >> >tsinha(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com >> >host/mstageegw3.example.com(a)IPA.EXAMPLE.COM: kvno = 1 >> > >> >Any further advice to check >> You need to explain how EXAMPLE.COM and IPA.EXAMPLE.COM Kerberos realms >> are related to each other. >> >> What is your deployment design? >> >> >> > >> >On Wed, Dec 5, 2018 at 5:44 PM tarak sinha <taraksinha09(a)gmail.com> >> wrote: >> > >> >> Thanks, I'll check it out. >> >> >> >> On Wed, Dec 5, 2018, 5:19 PM Alexander Bokovoy <abokovoy(a)redhat.com >> wrote: >> >> >> >>> On ke, 05 joulu 2018, tarak sinha wrote: >> >>> >Yes, I can. thanks alex for your help. Let me know what needs to be >> done. >> >>> > >> >>> >[root(a)deploy1.ops tsinha]# kvno -S host mstageegw3.example.com >> >>> >kvno: invalid option -- S >> >>> >usage: kvno [-4 | [-c ccache] [-e etype] [-k keytab]] service1 >> service2 >> >>> ... >> >>> >[root(a)deploy1.ops tsinha]# >> >>> What OS is this? >> >>> >> >>> Anyway, what happens if you get >> >>> >> >>> kvno host/mstageegw3.example.com >> >>> >> >>> Also, please show >> >>> >> >>> ipa host-show --all mstageegw3.example.com >> >>> >> >>> >> >>> >> >>> > >> >>> >On Wed, Dec 5, 2018 at 4:28 PM Alexander Bokovoy <abokovoy(a)redhat.com >> > >> >>> >wrote: >> >>> > >> >>> >> On ke, 05 joulu 2018, tarak sinha via FreeIPA-users wrote: >> >>> >> >Hi Guys, >> >>> >> > >> >>> >> >I am having issue to ssh with one host with SSO, all the users are >> >>> able to >> >>> >> >ssh without asking password but only my userid having issue with >> >>> asking >> >>> >> >password, I have tried to do kdestroy and did kinit again with >> userid >> >>> >> along >> >>> >> >with REALM but did not work. if you have any suggestions please >> let me >> >>> >> know >> >>> >> >to check further. >> >>> >> > >> >>> >> >Here it is output for ssh connection which asking password, >> >>> >> >----snip---- >> >>> >> > >> >>> >> >debug1: Authentications that can continue: >> >>> >> >publickey,gssapi-keyex,gssapi-with-mic,password >> >>> >> >debug1: Next authentication method: gssapi-with-mic >> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more >> >>> information >> >>> >> >Server not found in Kerberos database >> >>> >> ^^ this is your problem. >> >>> >> >> >>> >> Can you show output of >> >>> >> >> >>> >> kvno -S host mstageegw3.example.com >> >>> >> >> >>> >> on your client from where you do SSH? >> >>> >> >> >>> >> >> >>> >> >> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more >> >>> information >> >>> >> >Server not found in Kerberos database >> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more >> >>> information >> >>> >> >Server not found in Kerberos database >> >>> >> >debug2: we did not send a packet, disable method >> >>> >> >debug1: Next authentication method: publickey >> >>> >> >debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa >> >>> >> >debug2: we sent a publickey packet, wait for reply >> >>> >> >debug1: Authentications that can continue: >> >>> >> >publickey,gssapi-keyex,gssapi-with-mic,password >> >>> >> >debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa >> >>> >> >debug2: we did not send a packet, disable method >> >>> >> >debug1: Next authentication method: password >> >>> >> >aalevoor(a)mstageegw3.example.com's password: >> >>> >> >debug2: we sent a password packet, wait for reply >> >>> >> >debug1: Authentication succeeded (password). >> >>> >> >debug1: channel 0: new [client-session] >> >>> >> >debug2: channel 0: send open >> >>> >> >debug1: Entering interactive session. >> >>> >> >debug2: callback start >> >>> >> >debug2: client_session2_setup: id 0 >> >>> >> >debug2: channel 0: request pty-req confirm 0 >> >>> >> >debug2: channel 0: request shell confirm 0 >> >>> >> >debug2: fd 4 setting TCP_NODELAY >> >>> >> >debug2: callback done >> >>> >> >debug2: channel 0: open confirm rwindow 0 rmax 32768 >> >>> >> >debug2: channel 0: rcvd adjust 2097152 >> >>> >> >Last login: Wed Dec 5 01:53:06 2018 from 10.22.6.70 >> >>> >> > >> >>> >> >-- >> >>> >> > >> >>> >> >*Thanks,* >> >>> >> > >> >>> >> >*TS* >> >>> >> >> >>> >> >_______________________________________________ >> >>> >> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> >>> >> >To unsubscribe send an email to >> >>> >> freeipa-users-leave(a)lists.fedorahosted.org >> >>> >> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> >>> >> >List Guidelines: >> >>> https://fedoraproject.org/wiki/Mailing_list_guidelines >> >>> >> >List Archives: >> >>> >> >> >>> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >> >>> >> >> >>> >> >> >>> >> -- >> >>> >> / Alexander Bokovoy >> >>> >> Sr. Principal Software Engineer >> >>> >> Security / Identity Management Engineering >> >>> >> Red Hat Limited, Finland >> >>> >> >> >>> > >> >>> > >> >>> >-- >> >>> > >> >>> >*Thanks,* >> >>> > >> >>> >*Tarak Nath Sinha* >> >>> > >> >>> >*Mobile: **+91 8197522750* >> >>> >> >>> -- >> >>> / Alexander Bokovoy >> >>> Sr. Principal Software Engineer >> >>> Security / Identity Management Engineering >> >>> Red Hat Limited, Finland >> >>> >> >> >> > >> >-- >> > >> >*Thanks,* >> > >> >*Tarak Nath Sinha* >> > >> >*Mobile: **+91 8197522750* >> >> -- >> / Alexander Bokovoy >> Sr. Principal Software Engineer >> Security / Identity Management Engineering >> Red Hat Limited, Finland >> > > >-- > >*Thanks,* > >*Tarak Nath Sinha* > >*Mobile: **+91 8197522750* -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

5 years, 4 months

1
0
0 / 0

sudo and hostgroups

by Winfried de Heiden

Hi all, On a brand new install, sudo for hostgroup seems not to work. Ik create a sudo rule for admins, only to to "averything" on all servers within the hostgroup "ipaservers": Rule name: s3_sudo_freeipa_admins Enabled: TRUE Command category: all RunAs User category: all RunAs Group category: all User Groups: admins Host Groups: ipaservers However, user admins is not allowed to to so: admin@freeipa1 ~]$ sudo -l [sudo] password for admin: Sorry, user admin may not run sudo on freeipa1. Removing the group but adding the two FreeIPA-servers: Rule name: s3_sudo_freeipa_admins Enabled: TRUE Command category: all RunAs User category: all RunAs Group category: all User Groups: admins Hosts: freeipa1.example.local, freeipa2.example.local After cleaning the sssd-cache: sudo -l [sudo] password for admin: Matching Defaults entries for admin on freeipa1: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User admin may run the following commands on freeipa1: (ALL : ALL) ALL There are not clients yet, this issues was reproduced on a brand new CentOS 7.5 IPA installation with no modifications or else... What's hapening here? Winfried

5 years, 4 months

2
3
0 / 0

Re: SSO issue on one freeipauser

by Alexander Bokovoy

On ke, 05 joulu 2018, tarak sinha wrote: >user not working > >[aalevoor(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com >kvno: Server not found in Kerberos database while getting credentials for >host/mstageegw3.example.com(a)EXAMPLE.COM >[aalevoor(a)deploy1.ops ~]$ > >*Working user on same host* > >tsinha(a)deploy1.ops ~]$ kvno host/mstageegw3.example.com >host/mstageegw3.example.com(a)IPA.EXAMPLE.COM: kvno = 1 > >Any further advice to check You need to explain how EXAMPLE.COM and IPA.EXAMPLE.COM Kerberos realms are related to each other. What is your deployment design? > >On Wed, Dec 5, 2018 at 5:44 PM tarak sinha <taraksinha09(a)gmail.com> wrote: > >> Thanks, I'll check it out. >> >> On Wed, Dec 5, 2018, 5:19 PM Alexander Bokovoy <abokovoy(a)redhat.com wrote: >> >>> On ke, 05 joulu 2018, tarak sinha wrote: >>> >Yes, I can. thanks alex for your help. Let me know what needs to be done. >>> > >>> >[root(a)deploy1.ops tsinha]# kvno -S host mstageegw3.example.com >>> >kvno: invalid option -- S >>> >usage: kvno [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 >>> ... >>> >[root(a)deploy1.ops tsinha]# >>> What OS is this? >>> >>> Anyway, what happens if you get >>> >>> kvno host/mstageegw3.example.com >>> >>> Also, please show >>> >>> ipa host-show --all mstageegw3.example.com >>> >>> >>> >>> > >>> >On Wed, Dec 5, 2018 at 4:28 PM Alexander Bokovoy <abokovoy(a)redhat.com> >>> >wrote: >>> > >>> >> On ke, 05 joulu 2018, tarak sinha via FreeIPA-users wrote: >>> >> >Hi Guys, >>> >> > >>> >> >I am having issue to ssh with one host with SSO, all the users are >>> able to >>> >> >ssh without asking password but only my userid having issue with >>> asking >>> >> >password, I have tried to do kdestroy and did kinit again with userid >>> >> along >>> >> >with REALM but did not work. if you have any suggestions please let me >>> >> know >>> >> >to check further. >>> >> > >>> >> >Here it is output for ssh connection which asking password, >>> >> >----snip---- >>> >> > >>> >> >debug1: Authentications that can continue: >>> >> >publickey,gssapi-keyex,gssapi-with-mic,password >>> >> >debug1: Next authentication method: gssapi-with-mic >>> >> >debug1: Unspecified GSS failure. Minor code may provide more >>> information >>> >> >Server not found in Kerberos database >>> >> ^^ this is your problem. >>> >> >>> >> Can you show output of >>> >> >>> >> kvno -S host mstageegw3.example.com >>> >> >>> >> on your client from where you do SSH? >>> >> >>> >> >>> >> >>> >> >debug1: Unspecified GSS failure. Minor code may provide more >>> information >>> >> >Server not found in Kerberos database >>> >> >debug1: Unspecified GSS failure. Minor code may provide more >>> information >>> >> >Server not found in Kerberos database >>> >> >debug2: we did not send a packet, disable method >>> >> >debug1: Next authentication method: publickey >>> >> >debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa >>> >> >debug2: we sent a publickey packet, wait for reply >>> >> >debug1: Authentications that can continue: >>> >> >publickey,gssapi-keyex,gssapi-with-mic,password >>> >> >debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa >>> >> >debug2: we did not send a packet, disable method >>> >> >debug1: Next authentication method: password >>> >> >aalevoor(a)mstageegw3.example.com's password: >>> >> >debug2: we sent a password packet, wait for reply >>> >> >debug1: Authentication succeeded (password). >>> >> >debug1: channel 0: new [client-session] >>> >> >debug2: channel 0: send open >>> >> >debug1: Entering interactive session. >>> >> >debug2: callback start >>> >> >debug2: client_session2_setup: id 0 >>> >> >debug2: channel 0: request pty-req confirm 0 >>> >> >debug2: channel 0: request shell confirm 0 >>> >> >debug2: fd 4 setting TCP_NODELAY >>> >> >debug2: callback done >>> >> >debug2: channel 0: open confirm rwindow 0 rmax 32768 >>> >> >debug2: channel 0: rcvd adjust 2097152 >>> >> >Last login: Wed Dec 5 01:53:06 2018 from 10.22.6.70 >>> >> > >>> >> >-- >>> >> > >>> >> >*Thanks,* >>> >> > >>> >> >*TS* >>> >> >>> >> >_______________________________________________ >>> >> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >>> >> >To unsubscribe send an email to >>> >> freeipa-users-leave(a)lists.fedorahosted.org >>> >> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >>> >> >List Guidelines: >>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>> >> >List Archives: >>> >> >>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>> >> >>> >> >>> >> -- >>> >> / Alexander Bokovoy >>> >> Sr. Principal Software Engineer >>> >> Security / Identity Management Engineering >>> >> Red Hat Limited, Finland >>> >> >>> > >>> > >>> >-- >>> > >>> >*Thanks,* >>> > >>> >*Tarak Nath Sinha* >>> > >>> >*Mobile: **+91 8197522750* >>> >>> -- >>> / Alexander Bokovoy >>> Sr. Principal Software Engineer >>> Security / Identity Management Engineering >>> Red Hat Limited, Finland >>> >> > >-- > >*Thanks,* > >*Tarak Nath Sinha* > >*Mobile: **+91 8197522750* -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

5 years, 4 months

1
0
0 / 0

TOTP generators producing different values

by Brian Topping

Hi all, I have a question about TOTP authenticators (Google Authenticator, Authy, FreeOTP): Why is it that a given URL/QRCode can load into all three authenticators, but all three give different OTP values at any given time and only FreeOTP actually works? When I run `ipa otp-sync` with values from Authy, it crashes: ``` [root@ns-0 /]# ipa otptoken-sync 752f744e-1879-4499-a9c5-8932f739d26a User ID: player1 Password: First Code: Second Code: ipa: ERROR: non-public: AttributeError: 'NoneType' object has no attribute 'name' Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute result = self.Command[_name](*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ return self.__do_call(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken.py", line 168, in forward query['token'] = DN((obj.primary_key.name, args[0]), AttributeError: 'NoneType' object has no attribute 'name' ipa: ERROR: an internal error has occurred ``` Thanks kindly for any leads on this! Brian

5 years, 4 months

3
3
0 / 0

Issue setting up FreeIPA and Samba

by Robert Byrne

Hi, I am trying to setup FreeIPA to authenticate users logging into Linux systems, but would also like to use this to authenticate users accessing Samba shares from Windows clients. The problem is that I cannot access the shares at all from Windows clients and when I try to access a share from a Linux client, the following error message is printed: robert@workstation 14:13:09 > smbclient //192.168.0.xx/samba -U robert WARNING: The "syslog" option is deprecated krb5_init_context failed (Invalid argument) smb_krb5_context_init_basic failed (Invalid argument) Enter WORKGROUP\robert's password: krb5_init_context failed (Invalid argument) smb_krb5_context_init_basic failed (Invalid argument) session setup failed: NT_STATUS_LOGON_FAILURE Information regarding the setup: - The FreeIPA + Samba server (samba.linux.company.local) is a VM running CentOS 7. The FreeIPA version is "VERSION: 4.5.4, API_VERSION: 2.228". The Samba version is 4.7.1. - The firewalls on the server, VM host and clients are turned off for debugging purposes. - SELINUX is also turned off. - This was a fresh install and FreeIPA was setup with the following commands: sudo yum install ipa-server sudo ipa-server-install Do you want to configure integrated DNS (BIND)? [no]: no Server host name [ipa.company.local]: samba.linux.company.local Please confirm the domain name [company.local]: samba.linux.company.local Please provide a realm name [SAMBA.COMPANY.LOCAL]: SAMBA.LINUX.COMPANY.LOCAL - The users can log into the Linux workstations that have been enrolled, suggesting that the setup is at least partly correct. The Windows clients are not enrolled into the FreeIPA domain and are instead in the domain company.local. I followed the instructions here (https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_I...) with the following options: yum install ipa-server-trust-ad sudo ipa-adtrust-install Enable trusted domains support in slapi-nis? [no]: no NetBIOS domain name [LINUX]: LINUX Do you want to run the ipa-sidgen task? [no]: yes Followed by: sudo mkdir /samba sudo chmod 777 /samba sudo net conf addshare samba /samba writeable=y guest_ok=n sudo systemctl restart smb Running sudo net conf list produces the following output: [global] workgroup = LINUX netbios name = SAMBA realm = LINUX.COMPANY.LOCAL kerberos method = dedicated keytab dedicated keytab file = /etc/samba/samba.keytab create krb5 conf = no security = user domain master = yes domain logons = yes log level = 1 max log size = 100000 log file = /var/log/samba/log.%m passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-COMPANY-LOCAL.socket disable spoolss = yes ldapsam:trusted = yes ldap ssl = off ldap suffix = dc=linux,dc=company,dc=local ldap user suffix = cn=users,cn=accounts ldap group suffix = cn=groups,cn=accounts ldap machine suffix = cn=computers,cn=accounts rpc_server:epmapper = external rpc_server:lsarpc = external rpc_server:lsass = external rpc_server:lsasd = external rpc_server:samr = external rpc_server:netlogon = external rpc_server:tcpip = yes rpc_daemon:epmd = fork rpc_daemon:lsasd = fork [samba] path = /samba guest ok = yes read only = no When I try to mount the share on Windows clients (either with \\192.168.0.xx\samba or \\samba.linux.company.local in Explorer) it states that 'The user name or password is incorrect.' I am not convinced that this is the case, however, since the same message is displayed even if the share is created with the option 'guest_ok=y'. If I try to mount the 'guest_ok=y' share from a Linux client in the FreeIPA realm, I at least get an error message: robert@workstation 14:13:09 > smbclient //192.168.0.xx/samba -U username WARNING: The "syslog" option is deprecated krb5_init_context failed (Invalid argument) smb_krb5_context_init_basic failed (Invalid argument) Enter LINUX\robert's password: krb5_init_context failed (Invalid argument) smb_krb5_context_init_basic failed (Invalid argument) session setup failed: NT_STATUS_LOGON_FAILURE Under both Windows and Linux I have tried all combinations of domain (LINUX, SAMBA, WORKGROUP) and various user that I can think of, but with no success. Does anyone have an idea what the issue might be? I previously created the above setup on a pair of VMs and everything worked as expected, but am having difficulty reproducing it here.... Many thanks in advance for any help and suggestions! Please let me know if you need any more information. Rob

5 years, 4 months

3
4
0 / 0

SSO issue on one freeipauser

by tarak sinha

Hi Guys, I am having issue to ssh with one host with SSO, all the users are able to ssh without asking password but only my userid having issue with asking password, I have tried to do kdestroy and did kinit again with userid along with REALM but did not work. if you have any suggestions please let me know to check further. Here it is output for ssh connection which asking password, ----snip---- debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database debug2: we did not send a packet, disable method debug1: Next authentication method: publickey debug1: Offering public key: /uhome/aalevoor/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /uhome/aalevoor/.ssh/id_dsa debug2: we did not send a packet, disable method debug1: Next authentication method: password aalevoor(a)mstageegw3.example.com's password: debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug2: channel 0: send open debug1: Entering interactive session. debug2: callback start debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 0 debug2: channel 0: request shell confirm 0 debug2: fd 4 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 2097152 Last login: Wed Dec 5 01:53:06 2018 from 10.22.6.70 -- *Thanks,* *TS*

5 years, 4 months

2
4
0 / 0

ipa-replica-install error migrating CentOS 6 to 7

by Marc Wiatrowski

I'm trying to migrate a CentOS 6 IPA setup to CentOS 7. Both are fully updated CentOS 6.10 (ipa-server-3.0.0-51) and CentOS 7.6 (ipa-server-4.6.4-10) I've been following: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... I ran copy-schema-to-ca.py on centos6 and created the replica info file without any issues. But then: [root@centos7]$ ipa-replica-install /var/lib/ipa/replica-info-centos7.gpg --setup-ca --ip-address 192.168.1.1 --setup-dns --no-forwarders Directory Manager (existing master) password: Run connection check to master admin(a)DOMAIN.NET password: Connection check OK Adding [192.168.1.1 centos7.domain.net] to your /etc/hosts file Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds [1/41]: creating directory server instance [2/41]: enabling ldapi .... [27/41]: ignore time skew for initial replication [28/41]: setting up initial replication [error] DatabaseError: Server is unwilling to perform: modification of attribute nsds5replicabinddngroupcheckinterval is not allowed in replica entry Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: ERROR Server is unwilling to perform: modification of attribute nsds5replicabinddngroupcheckinterval is not allowed in replica entry ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information centos6:/var/log/dirsrv/slapd/errors: [04/Dec/2018:14:58:13 -0500] NSMMReplicationPlugin - replica_config_modify: modification of attribute nsds5replicabinddngroupcheckinterval is not allowed in replica entry The ipareplica-install.log contains the same errors at the end. I have googled and seen similar issues but the solutions span from fixed already in a previous release to not having an answer in the thread. It appears CentOS 6 shouldn't have this attribute and that should be ok? but fails all the same. Any suggestions? Thank you in advance, Marc

5 years, 4 months

3
3
0 / 0

FreeIPA 4.6.4 Web GUI - Login failed due to an unknown reason.

by Andrey Ptashnik

Dear FreeIPA Team, I have an issue with Web GUI throwing error message "Login failed due to an unknown reason" when login through Web interface. Other functionality like directory service, DNS and authentication with ipa-clients seems to work fine. I first spotted this issue in 4.5.0 and tried troubleshooting steps from previous thread, however that did not help. Hoping that issue is solved in higher versions I tried upgrading ipa-server packages via: # yum upgrade ipa-server # ipa-server-upgrade However it did not solve the issue in 4.6.6 and exactly the same behavior I saw in version 4.5.0 # rpm -q ipa-server.x86_64 krb5-libs.x86_64 krb5-server.x86_64 cyrus-sasl-gssapi.x86_64 sssd-krb5.x86_64 httpd.x86_64 ipa-server-4.6.4-10.el7.centos.x86_64 krb5-libs-1.15.1-34.el7.x86_64 krb5-server-1.15.1-34.el7.x86_64 cyrus-sasl-gssapi-2.1.26-23.el7.x86_64 sssd-krb5-1.16.2-13.el7.x86_64 httpd-2.4.6-88.el7.centos.x86_64 # cat /etc/*release* CentOS Linux release 7.4.1708 (Core) What could be the next troubleshooting step in my case? Thanks in advance, Andrey

5 years, 4 months

2
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users December 2018