I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
>The internal DNS does not support:
>Conditional forwarders are not implemented yet
I THINK I got DNS actually working, but had to use a solution like here
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as a subdomain of IPA (which I'm currently doing), or IPA as a subdomain of AD?
On both the samba4 and freeipa machines I can currently dig SRV records for both domains, but when I attempt ipa add-trust, I see in the httpd error logs
>[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts
>[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly (I have all firewall/iptables off and selinux off).
I can give more concrete examples, but before I get lost in the weeds I wanted to know the broad consensus: is it even possible, or are there known bad issues with Samba AD?
Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba, it says
>In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which confuses me... how do I get an AD trust if I'm setting up Samba without AD abilities?
Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
a. If you have an AD (Microsoft), use it
b. If you don't have a Microsoft AD, set up Samba4
>but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc)
I have a master server that had a replica installed. The replica has been
uninstalled. When I try to run "ipa-replica-manage del --force
replica.server" it fails with:
invalid 'PKINIT enabled server': all masters must have IPA master role
How can I delete this replica?
We have IPA set up in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to be working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are all enrolled to IPA (with ‘Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
Nobody-User = nobody
Nobody-Group = nogroup
Method = nsswitch
Any pointers appreciated!
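An added illustration, not part of the post above, of what the two nfsidmap traces are doing. libnfsidmap's nsswitch method strips the idmapd.conf Domain suffix from the wire name and hands the rest to getpwnam(); when the short name itself contains an '@' (a trust user like rns@localdomain), the result depends on whether the domain is split off at the last '@' or the first one. This model reproduces both outcomes; the PASSWD table is a constructed stand-in for SSSD's answer, and which split a particular libnfsidmap build uses is an assumption here, not something the post establishes.

```python
from typing import Optional

EINVAL = 22

# Constructed stand-in for getpwnam() as SSSD answers it on an IPA-enrolled
# client with an AD trust: the trust user keeps its realm suffix in its
# short name.
PASSWD = {"rns@localdomain": 1234567890, "root": 0}


def strip_domain(name: str, domain: str, use_last_at: bool) -> Optional[str]:
    """Strip the NFSv4 idmap domain (idmapd.conf 'Domain') from a wire name.

    Returns the local name, or None when the suffix after the chosen '@'
    is not `domain`; libnfsidmap logs that case as localname '(null)'.
    `use_last_at` selects a split at the last '@' (rfind) or the first
    one (find); the first-'@' variant is what the Ubuntu trace shows.
    """
    at = name.rfind("@") if use_last_at else name.find("@")
    if at < 0:
        return None
    if name[at + 1:].lower() != domain.lower():
        return None
    return name[:at]


def name_to_uid(name: str, domain: str, use_last_at: bool = True) -> int:
    """Model of nfs4_name_to_uid via the nsswitch method:
    uid on success, -EINVAL (-22, the value in the Ubuntu trace) on failure."""
    localname = strip_domain(name, domain, use_last_at)
    if localname is None or localname not in PASSWD:
        return -EINVAL
    return PASSWD[localname]


if __name__ == "__main__":
    wire = "rns@localdomain@ipa.localdomain"
    for last in (True, False):
        print("split at %s '@':" % ("last" if last else "first"),
              strip_domain(wire, "ipa.localdomain", last),
              name_to_uid(wire, "ipa.localdomain", last))
```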
I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10.
All is good, logging via IPA credentials, HBAC and sudo rules are working.
I have only an issue logging in via SSH with AD credentials. Before the upgrade all was working well.
I think that the trust is ok, because *kinit*, *ipa hbactest* and *ipa
trustdomain-find* (on both ipa servers) are working well:
[root@mlv-ipasrv01 ~]# ipa trustdomain-find MYDOMAIN.COM
  Domain name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-3367759252-2451474351-126822339
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@mlv-ipasrv01 ~]# ipa hbactest
sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_ad_ipa_admins
  Not matched rules: allow_ad_ipa_apps
  Not matched rules: allow_ipa_it_mysite
[root@mlv-testipa01 ~]# kinit morgan.marodin@mydomain.com
Password for morgan.marodin@mydomain.com:
[root@mlv-testipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: morgan.marodin@MYDOMAIN.COM

Valid starting       Expires              Service principal
02/19/2019 17:55:23  02/20/2019 03:55:23  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/20/2019 17:55:18
This is the error log:
[root@mlv-testipa01 ~]# tail -f /var/log/secure
Feb 19 18:03:21 mlv-testipa01 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin@mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd: pam_sss(sshd:account): Access denied for user morgan.marodin@mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd: error: PAM: User account has expired for morgan.marodin@mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd: fatal: monitor_read: unpermitted request 104
It seems to be a problem with PAM and SSSD.
Do you have any suggestions?
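An added example, not from the post above, of reading this kind of /var/log/secure excerpt the way a responder would: the interesting pattern is a pam_sss auth-phase success immediately followed by an account-phase denial for the same user, which points at account/policy evaluation (HBAC, account state, sssd access control) rather than a bad password. sshd prints its "User account has expired" line for any failed pam_acct_mgmt() call, so the PAM code on the pam_sss line (6 = PAM_PERM_DENIED) is the more precise signal. The sample lines are constructed from the post; the regexes and code table are this example's own.

```python
import re

# PAM return codes seen in pam_sss "Access denied for user ...: N" lines.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

STAMP = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd"
AUTH_RE = re.compile(STAMP + r".*pam_sss\(sshd:auth\): authentication "
                     r"(?P<result>success|failure);.*?user=(?P<user>\S+)")
ACCT_RE = re.compile(STAMP + r".*pam_sss\(sshd:account\): Access denied for "
                     r"user (?P<user>\S+): (?P<code>\d+)")

# Constructed from the lines quoted in the post.
SAMPLE_LOG = """\
Feb 19 18:03:21 mlv-testipa01 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin@mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd: pam_sss(sshd:account): Access denied for user morgan.marodin@mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd: error: PAM: User account has expired for morgan.marodin@mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd: fatal: monitor_read: unpermitted request 104
"""


def account_phase_denials(lines):
    """Return (user, host, ts, pam_code_name) for every login where the
    auth phase succeeded but the account phase denied access in the same
    second on the same host. A wrong password never produces this pair:
    it fails in the auth phase and no account check follows."""
    auth_ok = set()
    found = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            if m["result"] == "success":
                auth_ok.add((m["user"], m["host"], m["ts"]))
            continue
        m = ACCT_RE.search(line)
        if m and (m["user"], m["host"], m["ts"]) in auth_ok:
            code = int(m["code"])
            found.append((m["user"], m["host"], m["ts"],
                          PAM_CODES.get(code, "PAM_%d" % code)))
    return found


if __name__ == "__main__":
    for hit in account_phase_denials(SAMPLE_LOG.splitlines()):
        print("account-phase denial:", hit)
```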
, but there is some stuff that is not clear to me.
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS there
is no straightforward way to install and integrate it with a FreeIPA
What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?
I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but nothing
3) How should you deliver apps?
Suppose you are a web app developer and you want to deliver a web
application which can easily integrate with FreeIPA. What's the most
comfortable option you can give? (assuming, for instance, that you want
the SSO magic sauce). Is there any difference between apps that will
run on the FreeIPA's domain owner's systems or third party apps?
Sorry, I am probably missing something very basic in how the vault should work for services...
So my task is simple: let's say I want to store a secret for a script. That is, the script must be able to retrieve it in an unattended way.
The script is running on a Linux server server.mydomain.com, which is enrolled in FreeIPA domain.
The script is running under user "svc-user" which I've created on the FreeIPA just for that (so, its principal is svc-user@MYDOMAIN.COM).
Additionally, I've also created a service "MYSVC" on the FreeIPA (so I now also have the principal MYSVC/server.mydomain.com@MYDOMAIN.COM).
Finally, I did not set any password for the user "svc-user" and I've configured its shell to be /sbin/nologin. Not sure if it will make any difference.
And now, with all this ready, I am trying to store my secret as admin, so that my script can retrieve it.
I create a vault (I also tried a standard one, but here I am showing an example with an asymmetric one, because all the examples I found use it):
<Entering password for admin>
ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type asymmetric --public-key-file svc.pub.pem
ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --data <secret_data_in_base64>
OK, secret is stored. And here is my vault:
# ipa vault-find --services
1 vault matched
Vault name: svc-vault
Vault service: MYSVC/server.mydomain.com@MYDOMAIN.COM
Number of entries returned 1
Finally, I generate a keytab for my script:
ipa-getkeytab -p MYSVC/server.mydomain.com -k /var/kerberos/krb5/user/856500016/client.keytab
OK... now I clean up with "kdestroy" and try to run my script as the user "svc-user".
And the script is trying to do this:
kinit MYSVC/server.mydomain.com -k -t /var/kerberos/krb5/user/856500016/client.keytab
ipa vault-find --services
... And the problem is that it simply doesn't find the svc-vault.
It does seem like it manages to get the Kerberos ticket, this is the output from klist (inside the script):
Default principal: MYSVC/server.mydomain.com@MYDOMAIN.COM
Valid starting Expires Service principal
02/27/2019 17:04:58 02/28/2019 17:04:58 krbtgt/MYDOMAIN.COM(a)MYDOMAIN.COM
Now... If I add the user "svc-user" as a member to my svc-vault, add the svc-user to the keytab and then use "kinit svc-user" in my script, then it seems to work.
But I don't understand then the whole point of a "service vault"... what's the purpose of the MYSVC/server.mydomain.com principal here actually...?
And another question - can't exactly the same (with "svc-user" in keytab) work also for a standard vault, without keys...?
Because it looks like it becomes exactly the same use case as if I just interactively use the vault shared with svc-user...
Is there a way to set up the maps to mount a users home directory if they
are divided up under a directory that is the first letter of their username
without mounting all such directories for every user? We have thousands of
students needing home directories and so they have divided up this way.
Example: /home/students/a/aardvark or /home/students/b/bugsbunny. The docs
I have read on autofs maps haven't been very clear on how to define this
kind of mapping, especially in FreeIPA.
BYU Dept. of Chemistry and Biochemistry
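An added example, not from the post above, of one way to express a first-letter bucket layout without listing every bucket: an autofs program map. autofs runs the program with the looked-up key (the user name) as its only argument and reads one map entry from stdout; the program computes the bucket from the key. The NFS server name, export root, mount options and the auto.master line are assumptions for this example, and the program has to be present on each client that uses the map.

```python
#!/usr/bin/env python3
# Assumed client-side auto.master line:
#   /home/students  program:/etc/auto.students
# so that /home/students/aardvark maps to server:/export/students/a/aardvark.
import re
import sys
from typing import List, Optional

NFS_SERVER = "nfs.example.edu"          # assumed
EXPORT_ROOT = "/export/students"        # assumed
OPTIONS = "-fstype=nfs4,sec=krb5,rw"    # assumed

# Only plain POSIX user names are accepted as keys. This is what keeps a
# key such as "../etc" or "a/../../root" from being turned into a mount of
# something other than a student home directory.
VALID_KEY = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


def map_entry(key: str) -> Optional[str]:
    """Return the autofs map entry for `key`, or None when the key is not
    a valid user name (autofs then treats the key as not found)."""
    if not VALID_KEY.match(key):
        return None
    bucket = key[0]
    return f"{OPTIONS} {NFS_SERVER}:{EXPORT_ROOT}/{bucket}/{key}"


def main(argv: List[str]) -> int:
    # autofs passes exactly one argument; anything else is a misuse.
    if len(argv) != 2:
        return 1
    entry = map_entry(argv[1])
    if entry is None:
        return 1          # non-zero exit and no output: key not found
    print(entry)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```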
It's puzzling but the file required to be included in any custom plugin,
slapi-plugin.h, is nowhere to be found in the FreeIPA 4.6.4 install.
The documentation refers to this file being either in:
But it's not in either of these locations. It's not on the box at all - I
searched from the top.
Please advise where I can find this header file? What package do I need to
install on RedHat 7.6 to get this file?
Forwarding to freeipa-users who have more knowledge on SSSD
-------- Forwarded Message --------
Subject: [389-users] How to invalidate local cache after user changed
Date: Wed, 27 Feb 2019 19:22:19 +0000 (UTC)
From: xinhuan zheng <xhzheng2001(a)yahoo.com>
Reply-To: General discussion list for the 389 Directory server project.
I have been struggling with this problem for a while. When a user
changed their password, our 389 directory servers received new password
and saved into directory server. However, when user tries to login to a
server whose authentication is using 389 directory server, their new
password won't work for the first few minutes. There is a local cache
process, sssd, running on the server the user tries to login. Apparently
sssd is still using old password information, and does not know password
has changed on directory servers. I have set sssd to keep cache
information for 5 minutes only, and do pre-fetch prior to cache
information expiring. But I don't know how to tell sssd to ignore cache
completely when information has changed on 389 directory server side.
Is there a way to completely disable sssd local cache, and only use it
when 389 directory servers are not available?