Docker using PAM on a freeipa host?
by Dominik Vogt
We have a freeipa server and some clients. One of the clients
runs a (minimal) Docker container with some custom application.
The application does user authorization and authentication using
PAM. Is there a good way to make PAM delegate all decisions to
the host running the Docker container? We'd like to avoid
configuring the container as a separate freeipa client.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
3 years, 8 months
DNS Delegation
by Christian Hernandez
I'm having an issue delegating a subdomain. My domain is cloud.chx and I
ran the following.
ipa dnsrecord-add cloud.chx dc1.ad --a-rec=192.168.1.253
ipa dnsrecord-add 1.168.192.in-addr.arpa. 253 --ptr-rec=dc1.ad.cloud.chx.
ipa dnsrecord-add cloud.chx ad --ns-rec=dc1.ad.cloud.chx.
I checked and it's in the config
[root@ipa1 ~]# dig axfr cloud.chx | grep ad
ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
dc1.ad.cloud.chx. 86400 IN A 192.168.1.253
But when I query, it doesn't return what I expected.
[root@ipa1 ~]# dig dc1.ad.cloud.chx NS
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx. IN NS
;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 30 15:48:03 PDT 2020
;; MSG SIZE rcvd: 45
The other DNS server is up and running.
[root@ipa1 ~]# dig @192.168.1.253 dc1.ad.cloud.chx
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @192.168.1.253 dc1.ad.cloud.chx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dc1.ad.cloud.chx. IN A
;; ANSWER SECTION:
dc1.ad.cloud.chx. 3600 IN A 192.168.1.253
;; Query time: 1 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Thu Jul 30 15:59:21 PDT 2020
;; MSG SIZE rcvd: 61
It is worth noting that adding +norec works.
[root@ipa1 ~]# dig dc1.ad.cloud.chx NS +norec
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx. IN NS
;; AUTHORITY SECTION:
ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
;; ADDITIONAL SECTION:
dc1.ad.cloud.chx. 86400 IN A 192.168.1.253
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 30 15:59:39 PDT 2020
;; MSG SIZE rcvd: 75
Is there anything I'm missing?
---
Christian Hernandez, RHCE
Principal Technical Marketing Manager - Cloud Platforms
Red Hat, Inc <https://www.redhat.com/>
christian(a)redhat.com
Mobile: 626.502.8310
Slack: chernand
<https://www.redhat.com/>
3 years, 8 months
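As an added example (not code from the post or from FreeIPA), the check below reads the three dig replies quoted above and says which link of the delegation is broken. The three inputs are copied from the post with the banner and timing lines trimmed; the verdict names and the glue rule are my own, and the result only tells you where to look next (on the resolver here, not on dc1.ad.cloud.chx), not why the resolver behaves that way.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the three replies quoted in the post above, with the
# dig banner and timing lines trimmed (the parser would skip them anyway).
RECURSIVE = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx.    IN  NS
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
CHILD_DIRECT = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;dc1.ad.cloud.chx.    IN  A
;; ANSWER SECTION:
dc1.ad.cloud.chx.  3600  IN  A  192.168.1.253
;; SERVER: 192.168.1.253#53(192.168.1.253)
"""
REFERRAL = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;dc1.ad.cloud.chx.    IN  NS
;; AUTHORITY SECTION:
ad.cloud.chx.      86400  IN  NS  dc1.ad.cloud.chx.
;; ADDITIONAL SECTION:
dc1.ad.cloud.chx.  86400  IN  A   192.168.1.253
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+?)\s*$")  # owner ttl IN type rdata


@dataclass
class DigReply:
    status: str = ""
    flags: frozenset = frozenset()
    qname: str = ""
    qtype: str = ""
    server: str = ""
    # section name -> list of (owner, rtype, rdata)
    sections: dict = field(default_factory=lambda: {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []})


def parse_dig(text: str) -> DigReply:
    """Pull status, header flags, question and RR sections out of dig's text output."""
    reply, current = DigReply(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            reply.status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            reply.flags = frozenset(line.split("flags:", 1)[1].split(";")[0].split())
        elif line.startswith(";; SERVER:"):
            reply.server = line.split("SERVER:", 1)[1].strip()
        elif line.startswith(";; QUESTION SECTION:"):
            current = "QUESTION"
        elif line.endswith("SECTION:"):
            current = line[3:].split()[0]          # ";; ANSWER SECTION:" -> "ANSWER"
        elif current == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            parts = line[1:].split()               # ";name.  IN  NS" (single ';' prefix)
            reply.qname, reply.qtype = parts[0], parts[-1]
        elif line.startswith(";"):
            continue                               # banner, EDNS pseudo-section, timings
        else:
            rr = RR_RE.match(line)
            if rr and current in reply.sections:
                reply.sections[current].append(rr.groups())
    return reply


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def diagnose(recursive: DigReply, referral: DigReply, child_direct: DigReply):
    """Locate the broken link from three replies: the normal (recursive) query,
    the same query with +norec, and a query sent straight to the delegated
    name server. Returns (verdict, detail)."""
    qname = recursive.qname
    delegations = [(owner, rdata) for owner, rtype, rdata in referral.sections["AUTHORITY"]
                   if rtype == "NS" and in_zone(qname, owner)]
    if not delegations:
        return "NO_DELEGATION", f"resolver {referral.server} holds no NS record covering {qname}"
    zone, ns_name = delegations[0]
    # An NS whose name lies inside the zone it serves is reachable only through
    # glue (an A/AAAA record for it in the parent); without it resolution dead-ends.
    glue = [rdata for owner, rtype, rdata in referral.sections["ADDITIONAL"]
            if owner == ns_name and rtype in ("A", "AAAA")]
    if in_zone(ns_name, zone) and not glue:
        return "MISSING_GLUE", f"{ns_name} is inside {zone} but the parent has no address for it"
    if "aa" not in child_direct.flags:
        return "CHILD_NOT_AUTHORITATIVE", f"{child_direct.server} did not answer authoritatively"
    if recursive.status == "NOERROR":
        return "OK", f"{zone} delegated to {ns_name} ({', '.join(glue)}) and resolving"
    if recursive.status == "NXDOMAIN" and "rd" in recursive.flags:
        return ("RESOLVER_NOT_FOLLOWING_DELEGATION",
                f"{referral.server} hands out a referral to {ns_name} without recursion but "
                f"answers NXDOMAIN with it; look at the resolver, not at {ns_name}")
    return "UNEXPECTED_" + recursive.status, "inspect the recursive reply"


if __name__ == "__main__":
    verdict, detail = diagnose(parse_dig(RECURSIVE), parse_dig(REFERRAL), parse_dig(CHILD_DIRECT))
    print(verdict, "-", detail)
```

To reuse it on another zone, save the three dig outputs to files and feed their contents to parse_dig; the +norec reply is the one that proves the resolver holds the delegation and glue, the direct reply proves the child is authoritative, and the recursive reply is what clients actually see.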
Some users get sshd:auth Permission denied
by TOULMONDE Sébastien (CSC/MST)
Hi,
Yesterday we migrated our dev servers to IPA - to help in the migration, I enabled the allow_all HBAC rule, but despite that, some users get this message:
Jul 29 15:56:23 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied) < ----- This
Jul 29 15:56:52 el4966 sshd[98029]: error: PAM: Authentication failure for id094844 from el1921.bc
Jul 29 15:56:52 el4966 sshd[98029]: Failed keyboard-interactive/pam for id094844 from 81.245.6.11 port 35552 ssh2
Jul 29 15:56:58 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
Jul 29 15:57:00 el4966 sshd[98029]: Connection closed by 81.245.6.11 port 35552 [preauth]
These are external (AD) users. Weird thing: not all users have this and not everywhere... I tried to remove the LDAP filter on the IPA server -> same thing... I'm running out of ideas...
Thanks for your help!
S. Toulmonde
3 years, 8 months
AD trust user logins where their userPrincipalName does not match AD's DNS domain name
by Sam Morris
I have a FreeIPA setup that trusts an Active Directory domain. I have users who exist in the AD domain, but who are unable to log into Linux systems.
The domains are:
ad.domain.example: the Active Directory domain
ipa.ad.domain.example: the FreeIPA domain
The user has a SAM-Account-Name of 'user.name' and a userPrincipalName of
'user.name(a)thirdparty.com'.
Here are the log messages I see when one of them tries to log in:
==> krb5_child.log <==
(Thu Jul 23 11:08:58 2020) [[sssd[krb5_child[2481132]]]] [get_and_save_tgt] (0x0020): 1704: [-1765328378][Client 'user.name\@THIRDPARTY.COM(a)IPA.AD.DOMAIN.EXAMPLE' not found in Kerberos database]
(Thu Jul 23 11:08:58 2020) [[sssd[krb5_child[2481132]]]] [map_krb5_error] (0x0020): 1833: [-1765328378][Client 'user.name\@THIRDPARTY.COM(a)IPA.AD.DOMAIN.EXAMPLE' not found in Kerberos database]
==> sssd_ipa.ad.domain.example.log <==
(Thu Jul 23 11:08:58 2020) [sssd[be[ipa.ad.domain.example]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
A bit of research brings me to
<https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties> which
states:
A UPN suffix has the following restrictions:
It must be the DNS name of a domain, but does not need to be the name of
the domain that contains the user.
It must be the name of a domain in the current domain forest, or an
alternate name listed in the upnSuffixes attribute of the Partitions container
within the Configuration container.
I believe the user account violates the second of these restrictions, in that
its suffix (thirdparty.com) is neither in the AD forest, nor is it found in the
upnSuffixes attribute of
CN=Partitions,CN=Configuration,DC=ad,DC=domain,DC=example in AD.
Now the ugly part. I suspect this is just How Things Are Done around here and
getting the user's userPrincipalName changed to ad.domain.example will not be
particularly easy.
So in the meantime, is there any configuration I can do, either on the FreeIPA
servers or on the machine where the user needs to log in, to work around the
UPN suffix mismatch?
I am able to get a TGT for the user with 'kinit user.name(a)AD.DOMAIN.EXAMPLE',
so I guess I'm looking for a hypothetical way to tell sssd to map the UPN
suffix in the user's domain (thirdparty.com) to ad.domain.example when it tries
to get a ticket during user login...
I can also ask to get thirdparty.com added to the AD domain's list of UPN
suffixes. Can anyone confirm whether this would be sufficient to get sssd to be
able to authenticate the user?
Thanks!
--
Sam Morris <https://robots.org.uk/>
3 years, 8 months
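As an added example (not code from the post, sssd or FreeIPA), the snippet below takes the krb5_child.log line quoted above, recovers the UPN from the escaped principal name and tests its suffix against the two sources the Microsoft page lists (forest domain names and upnSuffixes). The log line has the list archive's "(a)" put back to "@"; the forest domain list and the empty upnSuffixes value are constructed stand-ins for what one would read from AD. It does not answer whether adding the suffix is enough for sssd, which is the open question in the post.

```python
import re

# Constructed input: the krb5_child.log line from the post, with the list
# archive's "(a)" obfuscation put back to "@".
KRB5_CHILD_LINE = (
    "[get_and_save_tgt] (0x0020): 1704: [-1765328378]"
    "[Client 'user.name\\@THIRDPARTY.COM@IPA.AD.DOMAIN.EXAMPLE' not found in Kerberos database]"
)
# Constructed stand-ins for what AD would return: the forest's domain DNS names and the
# upnSuffixes attribute of CN=Partitions,CN=Configuration,DC=ad,DC=domain,DC=example.
FOREST_DOMAINS = ["ad.domain.example"]
UPN_SUFFIXES = []

CLIENT_RE = re.compile(r"Client '(?P<principal>[^']+)' not found in Kerberos database")


def parse_enterprise_principal(principal: str):
    """Split "user\\@SUFFIX@REALM" into (upn, realm).

    The escaped form in the log is how Kerberos prints an enterprise principal:
    the whole UPN is the name part, with its own '@' written as '\\@', and the
    realm the lookup went to follows the last unescaped '@'.
    """
    split_at = None
    for i, ch in enumerate(principal):
        if ch == "@" and (i == 0 or principal[i - 1] != "\\"):
            split_at = i
    if split_at is None:
        raise ValueError(f"no realm in {principal!r}")
    return principal[:split_at].replace("\\@", "@"), principal[split_at + 1:]


def check_upn(log_line: str, forest_domains, upn_suffixes):
    """Explain a 'Client ... not found' failure in terms of the UPN suffix rules.

    Returns None when the line is not that error; otherwise the UPN, the realm
    the lookup went to, whether the suffix is one the forest accepts, and the
    sAMAccountName-style principal in the AD realm (the form the post reports
    as working with kinit). forest_domains[0] is assumed to be the user's domain.
    """
    m = CLIENT_RE.search(log_line)
    if not m:
        return None
    upn, realm = parse_enterprise_principal(m["principal"])
    user, _, suffix = upn.rpartition("@")
    accepted = {d.upper() for d in forest_domains} | {s.upper() for s in upn_suffixes}
    return {
        "upn": upn,
        "lookup_realm": realm,
        "suffix": suffix,
        "suffix_accepted": suffix.upper() in accepted,
        "domain_principal": f"{user}@{forest_domains[0].upper()}",
    }


if __name__ == "__main__":
    print(check_upn(KRB5_CHILD_LINE, FOREST_DOMAINS, UPN_SUFFIXES))
```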
Centos 8.2.2004 (Core) not pulling FreeIPA 4.8
by Damjan Kumin
Hello guys,
Regardless of what I officially do, my CentOS is not pulling the latest FreeIPA binaries to install; it sticks with 4.7.
Since everything is working, it is not a deal-breaker, but still, now that everything is stable and config is absolutely correct, it would be time to upgrade and stay up to date with all fixes.
Any help on this topic please? Thanks in advance!
rgD
3 years, 8 months
autofs Troubles
by Ronald Wimmer
Hi,
all of a sudden, automounting home shares has stopped working on one of
our most important servers. The configuration has not changed at all.
Automounting on servers with identical configuration works.
What i tried so far:
1) stopping rpcidmapd, rpcgssd, autofs, sssd and restarting the services
2) rebooting the system
3) doing ipa-client-automount --uninstall and reconfiguring it again
4) checking /etc/sysconfig/nfs and /etc/idmapd.conf as well as sssd.conf
5) automount -fv tells me that it attempts to mount /home but nothing happens
No matter what I tried I could not get homeshares mounted again.
I would highly appreciate any input that brings me one step further.
Cheers,
Ronald
3 years, 8 months
ssh session timeout on freeipa clients
by Saurabh Garg
Hi,
Can someone please help me find an option if IdM server allows to control the ssh session timeout for user logins on freeipa clients?
thanks,
sgarg
3 years, 8 months
getting authentication token is no longer valid new one required error
by Kannappan M
Hi Team,
We have cloned one of the Linux servers that has IPA user accounts; let's say:
1. server a
2. server b
3. server c
4. server a.1 (clone server)
One user has been created on server a.1, b and c.
I was able to log in from b to c and from c to b,
but when I tried to log in from server b to server a.1 or from c to server a.1
I get an authentication failed error. When I dig deeper with cat /var/log/secure I get the message
authentication token is no longer valid; new one required (log messages on server c and server b)
When I checked the logs on server a.1 (cat /var/log/secure):
pam_sss(sshd:auth): authentication success ; logname= uid = 0 euid=0 tty=ssh ruser= rhost= server c user
error:pam: user account has expired for USER from server c
Please help me to fix it.
Regards
Kanna
3 years, 9 months
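Both this post and the "Some users get sshd:auth Permission denied" post above hinge on what a pam_sss result line actually means, so here is one added triage script (not code from either post, sssd or FreeIPA) that maps the number pam_sss logs, or the pam_strerror text sshd logs, back to the Linux-PAM constant. 6 is PAM_PERM_DENIED, 7 is PAM_AUTH_ERR (a wrong password), 12 is PAM_NEW_AUTHTOK_REQD ("authentication token is no longer valid; new one required") and 13 is PAM_ACCT_EXPIRED ("user account has expired"). The sample log is constructed: the id094844 lines are taken from the first post, the clone-server lines from this post are rewritten in the shape pam_sss and sshd log them, and one plain wrong-password failure is added for contrast. The verdict wording is mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Linux-PAM return codes (libpam's _pam_types.h) that pam_sss commonly reports.
PAM_CODES = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED", 27: "PAM_AUTHTOK_EXPIRED",
}
# pam_strerror() texts (lower-cased) for sshd's "error: PAM: <text> for <user> from <host>"
# lines, which carry the text but not the number.
PAM_TEXT = {
    "permission denied": 6,
    "authentication failure": 7,
    "authentication token is no longer valid; new one required": 12,
    "user account has expired": 13,
    "authentication token expired": 27,
}

PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):(?P<phase>\w+)\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \("
)
SSHD_RE = re.compile(r"error: PAM: (?P<text>.+?) for (?P<user>\S+) from (?P<host>\S+)")

# Constructed sample log (see the lead-in for where each line comes from).
LOG = """\
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)
Jul 29 15:56:52 el4966 sshd[98029]: error: PAM: Authentication failure for id094844 from el1921.bc
Jul 29 15:56:52 el4966 sshd[98029]: Failed keyboard-interactive/pam for id094844 from 81.245.6.11 port 35552 ssh2
Jul 30 09:12:01 a1 sshd[4120]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=serverc user=kanna
Jul 30 09:12:01 a1 sshd[4120]: pam_sss(sshd:account): received for user kanna: 13 (User account has expired)
Jul 30 09:12:01 a1 sshd[4120]: error: PAM: User account has expired for kanna from serverc
Jul 30 09:15:33 a1 sshd[4131]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
"""


@dataclass
class Failure:
    user: str
    phase: str    # "auth" / "account" from pam_sss; "sshd" when only sshd's summary was seen
    code: int
    source: str   # "pam_sss" or "sshd"

    @property
    def name(self) -> str:
        return PAM_CODES.get(self.code, f"PAM_code_{self.code}")


def parse_failures(log_text: str):
    """Extract PAM failures from syslog lines, ignoring successes and unrelated noise."""
    found = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if m:
            code = int(m["code"])
            if code != 0:
                found.append(Failure(m["user"], m["phase"], code, "pam_sss"))
            continue
        m = SSHD_RE.search(line)
        if m and m["text"].lower() in PAM_TEXT:
            found.append(Failure(m["user"], "sshd", PAM_TEXT[m["text"].lower()], "sshd"))
    return found


def verdict(f: Failure) -> str:
    """Turn the (phase, code) pair into the next thing to look at."""
    if f.code == 7:
        return "wrong credentials"
    if f.code == 6 and f.phase == "auth":
        return ("backend refused the authentication itself, not a wrong password; "
                "read the sssd domain log and krb5_child.log for that attempt")
    if f.code == 6 and f.phase == "account":
        return "access denied by the account check (HBAC / access_provider)"
    if f.code == 6:
        return "permission denied; find the matching pam_sss line to learn the phase"
    if f.code in (12, 27):
        return "password expired; a new one is required"
    if f.code == 13:
        return "account expired as seen by this host"
    if f.code == 10:
        return "user not known to sssd on this host"
    return f.name


def triage(log_text: str) -> dict:
    """Per user: (phase, PAM constant, verdict), preferring pam_sss over sshd lines.

    sshd's summary can read "Authentication failure" even when the module returned
    PAM_PERM_DENIED (the first post shows exactly that), so the numeric line wins.
    """
    by_user = defaultdict(list)
    for f in parse_failures(log_text):
        by_user[f.user].append(f)
    result = {}
    for user, fails in by_user.items():
        precise = [f for f in fails if f.source == "pam_sss"] or fails
        f = precise[0]
        result[user] = (f.phase, f.name, verdict(f))
    return result


if __name__ == "__main__":
    for user, (phase, name, why) in triage(LOG).items():
        print(f"{user:10} {phase:8} {name:22} {why}")
```

Run it against /var/log/secure from the host that refused the login (the server side, where pam_sss runs), not from the machine the ssh client was started on; the pam_sss line with the number is the one to trust when it disagrees with sshd's summary.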
PKI for Windows
by Vinícius Ferrão
Hello,
I need to issue some certificates for the AD environment and I don't have ADCS in place. So my FreeIPA deployment was done with a self-signed CA and the common AD trust enabled.
Now, with this issue, I'm looking at IPA's documentation and there are some recommendations to deploy IPA as a subCA of ADCS, but as I said, I don't have it. So I was wondering whether it's possible to issue certificates for Windows machines directly from FreeIPA, and whether this is recommended or not.
If it's possible but will be a hassle, is there a way to make FreeIPA talk to ADCS after the deployment? I can set up an ADCS instance to keep Windows certificates in a separate location.
I saw this post: https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-inte... but I don't think it's the same issue here; the valuable info that I found on this site is about trusting the FreeIPA CA certificate in a Windows environment: "Operationally there is one additional step when the IPA CA is not subordinate to the AD CA: the IPA CA certificate has to be explicitly trusted."; but the use case does not seem to be on a Windows system.
Thanks for any guidance.
3 years, 9 months