Re: How to use HBAC rules on services where Ipsilon is used
by SOLER SANGUESA Miguel
I have added the service in IPA and changed the HBAC rule from "any service" to "ipsilon", but now I cannot log in to ipsilon.
Also I've checked that there is no '/etc/pam.d/ipsilon' file.
Thanks & Regards.
______________________________
Miguel Soler Sangüesa
Consultant - Linux Systems Administrator
OPPV - Linux Server Support
2 years, 7 months
weird problems with passwords and user accounts
by Karl Forner
[I tried to create the thread by mail, but it did not seem to work, so I'm creating it from the web UI. Sorry if there's a duplicate coming in...]
Hi,
The problem started with a user that could not connect with his initial password from the GUI: Username or password incorrect.
I reset it myself, and tried with the new temp password: idem.
I retried many many times. Same.
I tried creating a new user, same.
In the meantime I realized the admin password had expired.
I could not update it successfully via the command-line, but I could using the GUI.
I tried many things, but now "ipa user-status" fails for a lot of accounts:
pa: ERROR: xxxxx: user not found
I tried creating a new account from the command line with ipa user-add, then asked for its status using "ipa user-status"; it failed the same way.
What's happening?
What should I try?
Thanks.
2 years, 7 months
Unauthorized: kinit: Generic preauthentication failure while getting initial credentials
by Karl Forner
I tried to dig a little into my problem where new accounts or password-reset accounts can no longer connect to the web UI.
Looking at /var/log/http.log:
for a user that fails (brand new account):
[Tue Jul 10 13:46:20.536415 2018] [wsgi:error] [pid 1526] ipa: INFO: 401 Unauthorized: kinit: Generic preauthentication failure while getting initial credentials
[Tue Jul 10 13:46:20.536605 2018] [wsgi:error] [pid 1526]
for a user that works:
[Tue Jul 10 13:48:44.776366 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: i18n_messages(): SUCCESS
[Tue Jul 10 13:48:44.783299 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: config_show(): SUCCESS
[Tue Jul 10 13:48:44.945623 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: user_find(None, whoami=True, all=True): SUCCESS
[Tue Jul 10 13:48:44.946730 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: env(None): SUCCESS
[Tue Jul 10 13:48:44.956964 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: dns_is_enabled(): SUCCESS
[Tue Jul 10 13:48:44.963362 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: trustconfig_show(): NotFound
....
What should I look into next?
Thanks.
2 years, 7 months
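As an added example (not code from the post or from FreeIPA), here is a small parser that turns lines like the /var/log/http.log excerpt above into a summary: how many "401 Unauthorized: kinit: ..." failures were logged, per reason and per worker pid, when the first one happened, and how many authenticated commands each principal ran. The sample lines are constructed to match the format quoted above (the archive prints "@" as "(a)"; real log lines carry the "@"), with one extra constructed 401 added so the counting is visible; the bare "[pid 1526]" line is the empty continuation line that follows a 401 in the original. Function and constant names are mine.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format of the FreeIPA web UI log quoted above.
SAMPLE_LINES = [
    '[Tue Jul 10 13:46:20.536415 2018] [wsgi:error] [pid 1526] ipa: INFO: 401 Unauthorized: kinit: Generic preauthentication failure while getting initial credentials',
    '[Tue Jul 10 13:46:20.536605 2018] [wsgi:error] [pid 1526]',
    '[Tue Jul 10 13:47:02.100000 2018] [wsgi:error] [pid 1526] ipa: INFO: 401 Unauthorized: kinit: Generic preauthentication failure while getting initial credentials',
    '[Tue Jul 10 13:48:44.776366 2018] [wsgi:error] [pid 1527] ipa: INFO: karl@EXAMPLE.COM: batch: i18n_messages(): SUCCESS',
    '[Tue Jul 10 13:48:44.783299 2018] [wsgi:error] [pid 1527] ipa: INFO: karl@EXAMPLE.COM: batch: config_show(): SUCCESS',
    '[Tue Jul 10 13:48:44.945623 2018] [wsgi:error] [pid 1527] ipa: INFO: karl@EXAMPLE.COM: batch: user_find(None, whoami=True, all=True): SUCCESS',
    '[Tue Jul 10 13:48:44.946730 2018] [wsgi:error] [pid 1527] ipa: INFO: karl@EXAMPLE.COM: batch: env(None): SUCCESS',
    '[Tue Jul 10 13:48:44.956964 2018] [wsgi:error] [pid 1527] ipa: INFO: karl@EXAMPLE.COM: batch: dns_is_enabled(): SUCCESS',
    '[Tue Jul 10 13:48:44.963362 2018] [wsgi:error] [pid 1527] ipa: INFO: karl@EXAMPLE.COM: batch: trustconfig_show(): NotFound',
]

# "[timestamp] [module] [pid N] ipa: LEVEL: message"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]+)\] \[pid (?P<pid>\d+)\] '
    r'ipa: (?P<level>[A-Z]+): (?P<msg>.*)$'
)
# Message of an authenticated request: "<principal>: <command(args)>: <result>"
REQUEST_RE = re.compile(r'^(?P<principal>\S+@\S+): (?P<command>.+?\)): (?P<result>\w+)$')
UNAUTH_PREFIX = '401 Unauthorized: '


def parse_line(line):
    """Return a dict for one ipa log line, or None for lines without an 'ipa:' payload."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%a %b %d %H:%M:%S.%f %Y')
    rec['pid'] = int(rec['pid'])
    msg = rec['msg']
    if msg.startswith(UNAUTH_PREFIX):
        rec['kind'] = 'unauthorized'
        rec['reason'] = msg[len(UNAUTH_PREFIX):]   # e.g. "kinit: Generic preauthentication failure ..."
    else:
        r = REQUEST_RE.match(msg)
        if r:
            rec['kind'] = 'request'
            rec.update(r.groupdict())
        else:
            rec['kind'] = 'other'
    return rec


def summarize(lines):
    """Count 401 failures per reason and per pid, note the first one, count requests per principal."""
    summary = {
        'unauthorized_by_reason': Counter(),
        'unauthorized_by_pid': Counter(),
        'requests_by_principal': Counter(),
        'first_unauthorized': None,
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['kind'] == 'unauthorized':
            summary['unauthorized_by_reason'][rec['reason']] += 1
            summary['unauthorized_by_pid'][rec['pid']] += 1
            first = summary['first_unauthorized']
            if first is None or rec['ts'] < first:
                summary['first_unauthorized'] = rec['ts']
        elif rec['kind'] == 'request':
            summary['requests_by_principal'][rec['principal']] += 1
    return summary


if __name__ == '__main__':
    s = summarize(SAMPLE_LINES)
    print('first 401 at', s['first_unauthorized'])
    for reason, n in s['unauthorized_by_reason'].items():
        print('%3d x %s' % (n, reason))
    for principal, n in s['requests_by_principal'].items():
        print('%3d requests by %s' % (n, principal))
```

Run it against the real file with `summarize(open('/var/log/http.log'))`; the 401 lines carry no principal because the login never completed, so the per-pid counter is the only way to tie a burst of failures to one worker process.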
Re: Certificates renewing with the wrong Subject
by Jakob Ackermann
I'm getting the same problem. Did you find a solution? I cannot get my certificates to renew with the right subject. It always adds the hostname of a deleted replica into 'cert_subject_der'.
Thanks,
Jakob
2 years, 8 months
AIX 7.x with sudo, netgroups, LDAP and Kerberos
by Pieter Baele
I have been assisting an AIX colleague to use IPA as the authentication/authz provider for AIX systems. That way we are moving to a common platform.
We have found some examples on the web (AIX 5.x, AIX 6) and information here and there, but for the moment we still have a few issues.
The proprietary AIX schema extensions would be nice to have, but are not required (as I have read in earlier posts).
Has anyone seen a complete working example of an AIX client configuration for FreeIPA?
Once we have found everything, I'll try to share the information.
-- PieterB
2 years, 8 months
kpasswd: Preauthentication failed getting initial ticket
by lune voo
Hello !
I contact you because I encounter a problem when I use kpasswd via the Python popen function.
I use freeipa 3.0 and python 2.6.6.
Here is what I do in Python:
import shlex
from subprocess import Popen, PIPE, STDOUT
# kpasswd reads the current password (here the OTP), then the new password twice
input_process = otp + '\n' + password + '\n' + password
cmd = 'kpasswd %s' % user_login
cmd_and_args = shlex.split(cmd)
p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
(output, error) = p.communicate(input=input_process)
Before doing that, I performed the following command in order to have more logs:
export KRB5_TRACE=/dev/stdout
And here is what I see in the logs :
###
[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.610998: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611016: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611044: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611089: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key
aes256-cts/2559
[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611208: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611219: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611240: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611256: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key
aes256-cts/2559
[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
[47700] 1530630765.611299: Encoding request body and padata into FAST
request
[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
[47700] 1530630765.611418: Resolving hostname ipamasterhostname
[47700] 1530630765.611608: Initiating TCP connection to stream
ipamasterIP:88
[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
[47700] 1530630765.675208: Response was from master KDC
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional
pre-authentication required
[47700] 1530630765.675249: Decoding FAST response
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM: [47700] 1530630765.682884: Preauth module
encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.682891: Encoding request body and padata into FAST
request
[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
[47700] 1530630765.682967: Resolving hostname ipamasterhostname
[47700] 1530630765.683098: Initiating TCP connection to stream
ipamasterIP:88
[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
[47700] 1530630765.756302: Response was from master KDC
[47700] 1530630765.756321: Received error from KDC:
-1765328360/Preauthentication failed
[47700] 1530630765.756325: Decoding FAST response
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133,
137
kpasswd: Preauthentication failed getting initial ticket
)
###
I don't understand yet why the kpasswd command is failing.
My admin ticket is good.
My ticket cache is used only by me.
Could you help me understand what is going on, please?
Is there a way to use the ipa Python library to perform a kpasswd instead of popen of the kpasswd command?
Best regards.
Lune
2 years, 8 months
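As an added example (not code from the post or from FreeIPA), a rewrite of the Popen call above that validates the three inputs kpasswd consumes and keeps the Kerberos trace out of the captured output. Two things differ from the original: the argv is built as a list, so the login name never passes through shlex.split of a formatted string, and KRB5_TRACE points at a file instead of /dev/stdout, so the trace is not interleaved with kpasswd's "Password for ..." prompt in the text the caller parses. The principal pattern, function names and the constructed inputs are mine; the code runs on Python 2.6 and 3.

```python
import os
import re
import subprocess

# Principal names this wrapper accepts: user or user@REALM. This is an assumption made
# for the example, not a FreeIPA rule; adjust to your naming policy.
PRINCIPAL_RE = re.compile(r'^[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?$')


def is_safe_principal(user_login):
    """True when user_login looks like a plain principal name (no spaces, options or shell text)."""
    return bool(PRINCIPAL_RE.match(user_login))


def build_kpasswd_argv(user_login):
    """argv for kpasswd as a list: no shell and no shlex.split of a string that embeds user input."""
    if not is_safe_principal(user_login):
        raise ValueError('refusing to pass an unexpected principal name to kpasswd: %r' % user_login)
    return ['kpasswd', user_login]


def build_kpasswd_stdin(current_password, new_password):
    """kpasswd reads three newline-terminated lines: current password, new password, confirmation."""
    for label, value in (('current', current_password), ('new', new_password)):
        if not value or '\n' in value or '\r' in value:
            raise ValueError('%s password is empty or contains a line break' % label)
    return current_password + '\n' + new_password + '\n' + new_password + '\n'


def run_kpasswd(user_login, current_password, new_password, trace_path=None):
    """Run kpasswd non-interactively; returns (exit status, combined stdout/stderr text).

    trace_path, when given, is exported as KRB5_TRACE so the Kerberos trace lands in a
    file and the returned text contains only what kpasswd itself prints.
    """
    env = dict(os.environ)
    if trace_path:
        env['KRB5_TRACE'] = trace_path
    p = subprocess.Popen(build_kpasswd_argv(user_login),
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=subprocess.STDOUT, env=env, universal_newlines=True)
    output, _ = p.communicate(build_kpasswd_stdin(current_password, new_password))
    return p.returncode, output


if __name__ == '__main__':
    # Needs a reachable KDC and a valid current password/OTP for the principal; the
    # values below are constructed placeholders.
    status, out = run_kpasswd('test_user', 'current-otp', 'new-password', '/tmp/kpasswd.trace')
    print('kpasswd exit status: %d' % status)
    print(out)
```

A non-zero status with "Preauthentication failed" in the output means the KDC rejected the first line of stdin as the current password; checking the trace file then shows which armor cache and which preauth types were used, as in the excerpt above.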
AD user shown id command but visible for ldapsearch
by Pieter Baele
Hi,
On a test FreeIPA environment (4.5.0-22), a user is shown using the id
command, so ID Override is working as well.
id xxxx(a)accmsnet.railb.be
uid=8028(xxx(a)Accmsnet.railb.be) gid=4030(ucc)
groups=4030(ucc),702800513(domain users(a)Accmsnet.railb.be
),1318400009(ad_users)
However, this particular (AD) user is not shown using an ldapsearch in the compat tree:
ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be
'(&(objectClass=posixAccount)(uid=xxxx))'
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=mcj7700))
# requesting: ALL
#
# search result
search: 4
result: 0 Success
Any idea? This is not happening in our production environment.
I cleared caches, enabled slapi-compat, and even tried adding the resolution via an LDIF to be sure.
I also re-ran ipa-adtrust-install.
I really don't understand why the AD users are not visible in LDAP....
Sincerely, Pieter
2 years, 8 months
Re: certmonger upgrade failure
by Rob Crittenden
Harald Dunkel wrote:
> Hi Robert,
>
> On 6/26/18 4:45 PM, Rob Crittenden via FreeIPA-users wrote:
>> Harald Dunkel wrote:
>>>
>>> I see several files with a key_pin or Key_pin_file inside. I would prefer
>>> to send you these files in an encrypted EMail. What would you suggest? Do
>>> you have PGP?
>>
>> Except for the pin the rest of the content is generally safe. My key is
>> available in the MIT keyserver if you want to send it out of band.
>>
I don't see anything obviously wrong. I'd try launching certmonger from
a shell to see what you get:
# certmonger -d 9
rob
2 years, 8 months
AD override not persistent
by Michael Gusek
Hi,
we use an Active Directory (Server 2012) and a FreeIPA 4.5.4 installation. FreeIPA runs under CentOS 7; the sssd version is sssd-1.16.0-19.el7.x86_64. Between AD and FreeIPA we have set up a one-way trust. For some AD users, we have set up a uid override under "Default Trust View" in FreeIPA. This override is regularly lost on the FreeIPA server. If we clear the sssd cache (systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd), the override takes effect again. Here is a history for today:
2018-07-03 10:55:01
2018-07-03 11:05:01
2018-07-03 11:06:01
2018-07-03 11:10:01
2018-07-03 11:12:01
2018-07-03 11:15:01
2018-07-03 11:29:01
2018-07-03 11:31:01
2018-07-03 11:34:01
As you can see, there is no periodicity: from yesterday to today it ran for about 11h without problems, and today since 11:34.
How can I fix the problem?
Michael
2 years, 8 months