ILO Card IPA authentication
by Karim Bourenane
Hello All
I want to authenticate users into our HP ILO 4 card by FreeIPA.
The ESXI server is not enrolled into the IPA, only the DNS was defined.
Also I can't extract any keytab for easy user authentication.
Can you help me with this?
Regards
Karim Bourenane
4 years, 11 months
krb5_child always reports going offline when trying to login
by Robert Sturrock
Hi All.
I have a small test installation of IPA (RHEL7, ipa-server-4.6.4-10.el7_6.3.x86_64) in a sync arrangement with our local AD (passwords sync’d via Passsync).
When trying to log in to the IPA server as myself (rns) or another IPA user, sssd seems to report going offline in krb5_child.log after initially being online (log level = 9 here) and the login attempt fails:
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [unpack_buffer] (0x0100): cmd [249] uid [10846] gid [10000] validate [true] enterprise principal [false] offline [false] UPN [rns@LOCALREALM]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:10846] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-server.localdomain@LOCALREALM]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-server.localdomain@LOCALREALM in keytab.
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-server.localdomain@LOCALREALM).
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [get_tgt_times] (0x1000): FAST ccache must be recreated
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4192]]]] [become_user] (0x0200): Trying to become user [0][0].
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4192]]]] [become_user] (0x0200): Already user [0].
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4192]]]] [check_fast_ccache] (0x2000): Running as [0][0].
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4192]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4192]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4192]]]] [create_ccache] (0x4000): returning: 0
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [check_fast_ccache] (0x0200): FAST TGT was successfully recreated!
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [become_user] (0x0200): Trying to become user [10846][10000].
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [main] (0x2000): Running as [10846][10000].
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [k5c_setup] (0x2000): Running as [10846][10000].
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [main] (0x0400): Will perform pre-auth
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LOCALREALM]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205507: Getting initial credentials for rns@LOCALREALM
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205508: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_LOCALREALM
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205509: Retrieving host/ipa-server.localdomain@LOCALREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_LOCALREALM with result: -1765328243/Matching credential not found
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205511: Sending unauthenticated request
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205512: Sending request (189 bytes) to LOCALREALM
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205513: Initiating TCP connection to stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205514: Sending TCP request to stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205515: Received answer (327 bytes) from stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205516: Terminating TCP connection to stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205517: Response was from master KDC
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205518: Received error from KDC: -1765328359/Additional pre-authentication required
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205519: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205520: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_LOCALREALM
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205521: Retrieving host/ipa-server.localdomain@LOCALREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_LOCALREALM with result: -1765328243/Matching credential not found
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205522: Getting credentials host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM using ccache MEMORY:/var/lib/sss/db/fast_ccache_LOCALREALM
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205523: Retrieving host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM from MEMORY:/var/lib/sss/db/fast_ccache_LOCALREALM with result: 0/Success
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205524: Armor ccache sesion key: aes256-cts/F8B1
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205526: Creating authenticator for host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM, seqnum 0, subkey aes256-cts/D6BB, session key aes256-cts/F8B1
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205528: FAST armor key: aes256-cts/B572
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205530: Sending unauthenticated request
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205531: Encoding request body and padata into FAST request
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205532: Sending request (1793 bytes) to LOCALREALM
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205533: Initiating TCP connection to stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205534: Sending TCP request to stream 172.22.6.6:88
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [main] (0x0400): krb5_child started.
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [unpack_buffer] (0x1000): total buffer size: [130]
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [unpack_buffer] (0x0100): cmd [241] uid [10846] gid [10000] validate [true] enterprise principal [false] offline [true] UPN [rns@LOCALREALM]
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:10846] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [become_user] (0x0200): Trying to become user [10846][10000].
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [main] (0x2000): Running as [10846][10000].
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [become_user] (0x0200): Trying to become user [10846][10000].
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [become_user] (0x0200): Already user [10846].
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [k5c_setup] (0x2000): Running as [10846][10000].
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [main] (0x0400): Will perform offline auth
Can someone with more knowledge of IPA provide some pointers as to what I should look for to help debug this issue? A plain old ‘kinit rns@LOCALDOMAIN’ works fine, FWIW.
Regards,
Robert.
4 years, 11 months
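Not part of Robert's message: an added Python example that parses krb5_child.log lines of the format shown above by child PID and flags the pattern visible in the excerpt, a KDC request that never receives a "Received answer" line, followed by a new child spawned with offline [true]. SAMPLE_LOG is a constructed seven-line condensation of that excerpt.

```python
import re

# Constructed sample: seven lines condensed from the krb5_child.log excerpt posted above
SAMPLE_LOG = """\
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [unpack_buffer] (0x0100): cmd [249] uid [10846] gid [10000] validate [true] enterprise principal [false] offline [false] UPN [rns@LOCALREALM]
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205514: Sending TCP request to stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205515: Received answer (327 bytes) from stream 172.22.6.6:88
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205518: Received error from KDC: -1765328359/Additional pre-authentication required
(Thu Jun 6 13:47:02 2019) [[sssd[krb5_child[4191]]]] [sss_child_krb5_trace_cb] (0x4000): [4191] 1559792822.205534: Sending TCP request to stream 172.22.6.6:88
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [unpack_buffer] (0x0100): cmd [241] uid [10846] gid [10000] validate [true] enterprise principal [false] offline [true] UPN [rns@LOCALREALM]
(Thu Jun 6 13:47:11 2019) [[sssd[krb5_child[4218]]]] [main] (0x0400): Will perform offline auth
"""

# One krb5_child.log line: (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                     r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# libkrb5 trace callbacks prefix their message with "[PID] epoch.usec: "
TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: ")

def parse(text):
    """Return one dict per recognised line; lines in another format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["msg"] = TRACE_RE.sub("", d["msg"])
            out.append(d)
    return out

def analyze(events):
    """Per child PID: offline flag at spawn, KDC requests sent vs answered, KDC error strings."""
    children = {}
    for e in events:
        c = children.setdefault(e["pid"], {"offline": None, "sent": 0, "answered": 0, "kdc_errors": []})
        msg = e["msg"]
        if e["func"] == "unpack_buffer" and "offline [" in msg:
            c["offline"] = "offline [true]" in msg      # backend already believed offline when spawned
        elif msg.startswith("Sending TCP request") or msg.startswith("Sending UDP request"):
            c["sent"] += 1
        elif msg.startswith("Received answer"):
            c["answered"] += 1
        elif msg.startswith("Received error from KDC: "):
            c["kdc_errors"].append(msg.split(": ", 1)[1])   # "Additional pre-authentication required" is normal
    findings = []
    for pid, c in children.items():
        if c["sent"] > c["answered"]:
            findings.append(f"child {pid}: {c['sent'] - c['answered']} KDC request(s) got no answer before the child ended")
        if c["offline"]:
            findings.append(f"child {pid}: spawned with offline [true], so only cached credentials are tried")
    return children, findings
```

Run `analyze(parse(open("/var/log/sssd/krb5_child.log").read()))` on a real log; an unanswered request for a child that is not followed by a KDC error points at the krb5_auth_timeout path rather than at a KDC rejection.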
Minimal ipa configuration (inside docker)
by Dmitry Perets
Hi,
Could you please help me configure the ipa tool inside a docker container which is not enrolled?
I have a parent Linux VM that is enrolled in FreeIPA. On top of it I run a docker container, and I mount the entire /etc/ipa and /etc/krb5.conf (both in read-only mode).
My goal is just to be able to use ipa tools, like "ipa vault-*". No need for remote user login and other FreeIPA functionality.
I thought that having /etc/ipa/default.conf and /etc/ipa/ca.crt would be enough for ipa tool to work.
But currently, within the container, ipa says it is not configured:
# ipa
IPA client is not configured on this system
What exactly is it looking for...?
Thanks!
P.S. ipa-client version is 4.6.4. I see that there are plans for zero-config ipa tool, but in later versions... unfortunately, 4.6.4 is what is currently packaged into RHEL7.6 that we are using...
---
Regards,
Dmitry Perets
4 years, 11 months
FreeIPA DNS keeps losing certain A records
by Kristian Petersen
For the last few months I have noticed that certain A records keep disappearing from my DNS. I have put them back manually multiple times and the same thing happens again. The SSHFP stuff in DNS seems unaffected by whatever is happening. Anyone know why a DNS entry would just disappear like that? The server is one of the hosts in my RHV cluster, so I'd like it to remain in DNS.
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
4 years, 11 months
Smartcard host login w/ Third-Party CA and PKINIT
by Khurrum Maqb
We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on CentOS 7 and would like to properly configure smartcard authentication. The smartcards that we're using have been signed by an external CA controlled by a different entity. So to get that working, I've added the required CA certs using
ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install <CA>.pem
and then ran ipa-certupdate on all replicas, and restarted httpd. I associated the card authentication cert from the user's smartcard to the Identity using the GUI. I am able to search using the cert, and it retrieves the user correctly.
I also used ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh to create the script, ran it on a client host with the correct CA files. On the client side I had to edit sssd.conf and add a
[pam]
p11_child_timeout = 15
and it worked and the user was able to log in to the desktop. However, it was taking 40 seconds for the login which sounded like something was timing out. I checked the krb log and found
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].
And it reported that the backend was offline
So I added
[domain/dom.ain.com]
krb5_auth_timeout = 15
at which point I noticed I didn't have PKINIT running on the servers. So I ran ipa-pkinit-manage enable on all the replicas with a CA and soon
ipa pkinit-status showed PKINIT status: enabled, and the backend stopped showing as offline.
However, that does not solve the issue, and if I have krb5_auth_timeout = 15 in sssd, the login stops working and instead I get a pre-auth issue: Additional pre-authentication required / Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result: -1765328243/Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204431: Sending unauthenticated request
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC
But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it logs the user in with the smart card + pin but klist shows NO kerberos tickets.
So my question is, do I have to add the external CA certificates to the KDC separately? They aren't really for our REALM so I don't know how that would help.
Running
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username
prompts the user for the PIN, but after the PIN is entered, it immediately asks for the password. So it looks like the part that is failing is the KRB authentication.
Any suggestions would be very appreciated. Ideally I'd like for the smartcard auth to let the users in in a timely manner (i.e. ~5-15 seconds) and also give the users a kerberos ticket.
Thanks!
4 years, 11 months