May 2017 - FreeIPA-users - Fedora Mailing-Lists

by wouter.hummelink＠kpn.com

Hi All, We have our basic configuration working now however AD trusted users cannot log in. The system reports: Can't retrieve attribute SYSTEM for NOUSER: No such file or directory In LDAP Access logs we see AIX query user@<ad.domain<mailto:user@%3cad.domain>> and directly after <user> on slapd. The same behavior happens with SU and that results in a session with empty HOME and SHELL variables (and an error report that you can't change directory to '') LSUSER command do however return correct information about these users. (IPA groups included) [22/May/2017:15:14:10.074845110 +0200] conn=1046 op=75 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser(a)ad.domain))" attrs=ALL [22/May/2017:15:14:10.076149098 +0200] conn=1046 op=75 RESULT err=0 tag=101 nentries=1 etime=0 [22/May/2017:15:14:10.099789298 +0200] conn=1046 op=76 SRCH base="cn=users,cn=aixtest,cn=views,cn=compat,dc=ipa,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=aduser))" attrs=ALL [22/May/2017:15:14:10.110271957 +0200] conn=1046 op=76 RESULT err=0 tag=101 nentries=0 etime=0 From: freeipa-users-bounces(a)redhat.com [mailto:freeipa-users-bounces@redhat.com] On Behalf Of Bjarne Blichfeldt Sent: woensdag 17 mei 2017 07:30 To: Luiz Fernando Vianna da Silva; freeipa-users(a)redhat.com Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 Thank you for pointing that out. I should of course have been more specific: native aix sudo does not support ldap and therefore sudorules from ldap, but it is possible to install a different sudo version with ldap enabled. Unfortunately, in our case, using external rpm's is not an option. Regards Bjarne Blichfeldt. From: Luiz Fernando Vianna da Silva [mailto:luiz.vianna@tivit.com.br] Sent: 16. maj 2017 16:43 To: Bjarne Blichfeldt <BJB(a)jndata.dk<mailto:BJB@jndata.dk>>; freeipa-users(a)redhat.com<mailto:freeipa-users@redhat.com> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on aix does not support that. You will have to maintain /etc/sudoers by som other means. Thats where you are mistaken. It is possible to integrate sudo rules into AIX, I've done it and have documented it here: https://www.freeipa.org/page/SUDO_Integration_for_AIX Give it a try, its a fairly simple procedure. P.S. IBM has recently pimped the AIX toolbox RPMs and even implemented it as a YUM server. I haven't tried using these new RPMs yet to see if they work with sudo integration. If you want to keep it safe, user perzl RPMs as I describe on the documentation. If you want, and I would appreciate it if you would, give the new RPMs from toolbox a go and if it works please update the documentaion, or send me your notes and I'll update it. Atenciosamente/Best Regards __________________________________________ Luiz Fernando Vianna da Silva Em 15-05-2017 02:53, Bjarne Blichfeldt escreveu: We have a working setup on three aix servers and by comparing our config with yours, I see the following differences: LDAP: /etc/security/ldap/ldap.cfg : userattrmappath:/etc/security/ldap/FreeIPAuser.map groupattrmappath:/etc/security/ldap/FreeIPAgroup.map userclasses:posixaccount /etc/security/ldap/FreeIPAuser.map: #FreeIPAuser.map file # https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configu... keyobjectclass SEC_CHAR posixaccount s # The following attributes are required by AIX to be functional username SEC_CHAR uid s id SEC_INT uidnumber s pgrp SEC_CHAR gidnumber s home SEC_CHAR homedirectory s shell SEC_CHAR loginshell s gecos SEC_CHAR gecos s spassword SEC_CHAR userpassword s lastupdate SEC_INT shadowlastchange s /etc/security/ldap/FreeIPAgroup.map: #FreeIPAgroup.map file # https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configu... groupname SEC_CHAR cn s id SEC_INT gidNumber s users SEC_LIST member m To test if the ldap is working: ls-secldapclntd lsldap -a passwd lsuser -R LDAP ALL KERBEROS: /etc/methods.cfg: KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes Add Kerberos to authorized authentication entities and verify: chauthent -k5 -std #Verify lsauthent Kerberos 5 Standard Aix To test: lsuser -R KRB5LDAP <someuser> Configure aix to create homedir during login: /etc/security/login.cfg: mkhomeatlogin = true usw: shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/ usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd maxlogins = 32767 logintimeout = 30 maxroles = 8 auth_type = STD_AUTH mkhomeatlogin = true Also remember: user can be locked in AIX so use smitty to unlock user and reset login attempts. As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on aix does not support that. You will have to maintain /etc/sudoers by som other means. Hope that helps, good luck. Regards Bjarne Blichfeldt. From: wouter.hummelink(a)kpn.com<mailto:wouter.hummelink@kpn.com> [mailto:wouter.hummelink@kpn.com] Sent: 12. maj 2017 16:03 To: iulian.roman(a)gmail.com<mailto:iulian.roman@gmail.com> Cc: freeipa-users(a)redhat.com<mailto:freeipa-users@redhat.com> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI. The keytab works sinds lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, secldapclntd uses krb5 to identify itself to IPA) Also we are able to kinit host/aixlpar.example.org(a)EXAMPLE.ORG<mailto:host/aixlpar.example.org@EXAMPLE.ORG> -kt /etc/krb5/krb5.keytab We van try using su from an unprivileged user, but su has some different issues altogether, it doesn't like @ in usernames which we need at the next stage (integrating AD Trust) From: Iulian Roman [mailto:iulian.roman@gmail.com] Sent: vrijdag 12 mei 2017 15:56 To: Hummelink, Wouter Cc: luiz.vianna(a)tivit.com.br<mailto:luiz.vianna@tivit.com.br>; freeipa-users(a)redhat.com<mailto:freeipa-users@redhat.com> Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 On Fri, May 12, 2017 at 3:31 PM, <wouter.hummelink(a)kpn.com<mailto:wouter.hummelink@kpn.com>> wrote: The shell is shown correctly as ksh in lsuser, so that doesnt appear to be an issue for the ID view. My advice would be to start simple ,prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point. Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ? can you su to an IPA account ? do you have GSSAPIAuthentication enabled in sshd_config ? From what you've described i would suspect that your keytab is not correct , but that should be confirmed only by answering the questions above. Verzonden vanaf mijn Samsung-apparaat -------- Oorspronkelijk bericht -------- Van: Luiz Fernando Vianna da Silva <luiz.vianna(a)tivit.com.br<mailto:luiz.vianna@tivit.com.br>> Datum: 12-05-17 15:03 (GMT+01:00) Aan: "Hummelink, Wouter" <wouter.hummelink(a)kpn.com<mailto:wouter.hummelink@kpn.com>>, freeipa-users(a)redhat.com<mailto:freeipa-users@redhat.com> Onderwerp: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 Hello Wouter. It may seem silly, but try installing bash on one AIX server and test authenticating against that one. Its a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers. Let me know how it goes or if you have any issues. Best Regards __________________________________________ Luiz Fernando Vianna da Silva Em 12-05-2017 09:47, wouter.hummelink(a)kpn.com<mailto:wouter.hummelink@kpn.com> escreveu: Hi All, We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user <xxx> We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash)) AIXs lsuser command is able to find all of the users it's supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server. Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging. =============== Configuration Excerpt ================================================================ /etc/security/ldap/ldap.cfg: ldapservers:ipaserver.example.org<http://ipaserver.example.org> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org bindpwd:{DESv2}<redacted> authtype:ldap_auth useSSL:TLS ldapsslkeyf:/etc/security/ldap/example.kdb ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67 useKRB5:yes krbprincipal:host/aixlpar.example.org<http://aixlpar.example.org> krbkeypath:/etc/krb5/krb5.keytab userattrmappath:/etc/security/ldap/2307user.map groupattrmappath:/etc/security/ldap/2307group.map userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org automountbasedn:cn=default,cn=automount,dc=example,dc=org etherbasedn:cn=computers,cn=accounts,dc=example,dc=org userclasses:posixaccount,account,shadowaccount groupclasses:posixgroup ldapport:389 searchmode:ALL defaultentrylocation:LDAP /etc/security/user default: SYSTEM = KRB5LDAP or compat /etc/methods.cfg LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 NIS: program = /usr/lib/security/NIS program_64 = /usr/lib/security/NIS_64 DCE: program = /usr/lib/security/DCE KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no KRB5LDAP: options = auth=KRB5,db=LDAP Met vriendelijke groet, Wouter Hummelink Technical Consultant - Enterprise Webhosting / Tooling & Automation T: +31-6-12882447<tel:+31%206%2012882447> E: wouter.hummelink(a)kpn.com<mailto:wouter.hummelink@kpn.com> -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

6 years, 11 months

1
0
0 / 0

Re: help - trying to get Solaris IPA client to use AD credentials

by wouter.hummelink＠kpn.com

To use IPA with trusts you need to use the compat tree. See https://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust If you happen to get it working please share your experiences. Solaris is one of my future targets. Verzonden vanaf mijn Samsung-apparaat -------- Oorspronkelijk bericht -------- Van: "BOYD, JOEY D GG-12 USAF NASIC/SCXE" <joey.boyd(a)us.af.mil> Datum: 19-05-17 13:29 (GMT+01:00) Aan: freeipa-users(a)lists.fedorahosted.org Onderwerp: [Freeipa-users] help - trying to get Solaris IPA client to use AD credentials My AD credentials work fine on Linux (sssd) IPA clients but I'm not familiar with configuring an openldap client to use AD credentials. Currently the Solaris client can only see IPA users. Joe Boyd _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org

6 years, 11 months

1
0
0 / 0

Re: CA CRL not tracking any certificates. Normal?

by Christophe TREFOIS

Update. Thanks to the invaluable help of Florence. Truly terrific. What we ended up doing. Investigate why it happened. No idea. Check that certificates on the other CA are still valid. Check Move CRL to the working CA. Check https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/... Figure out the parameters to pass to getcert to start-tracking the 8 certificates. Check Execute the following commands to start tracking the certificates. getcert start-tracking -d /etc/httpd/alias -n "Server-Cert" -c IPA -p /etc/httpd/alias/pwdfile.txt -C '/usr/libexec/ipa/certmonger/restart_httpd' getcert start-tracking -d /etc/dirsrv/slapd-UNI-LU -n "Server-Cert" -c IPA -p /etc/dirsrv/slapd-UNI-LU/pwdfile.txt -C '/usr/libexec/ipa/certmonger/restart_dirsrv UNI-LU’ Figure out Pin for hidden Pin entry grep internal /etc/pki/pki-tomcat/password.conf Run the commands by pvodiing pin on CLI getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -c dogtag-ipa-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca”' Realize a helper command was missing. Add it. getcert add-ca -c dogtag-ipa-ca-renew-agent -e /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit Add the remaining certificates getcert start-tracking -d /etc/httpd/alias -n "ipaCert" -c dogtag-ipa-ca-renew-agent -p /etc/httpd/alias/pwdfile.txt -B '/usr/libexec/ipa/certmonger/renew_ra_cert_pre' -C '/usr/libexec/ipa/certmonger/renew_ra_cert' getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"' getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"' getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"' getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"' Check that the certificates match the other CA. getcert list Check that all are Monitoring. [root@toto2 ~]# getcert list | grep MONITORING | wc -l 8 Check that Serials match between the two CA servers. certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial certutil -L -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" | grep Serial certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" | grep Serial certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" | grep Serial certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial certutil -L -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" | grep Serial The other 3 are supposed to be different. After that, we move the CRL back to the original server, and assume everything is Ok. If anybody has any comments on this process, please do let the community know as I hope im not the only one with this problem. Kind regards, Christophe -- Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc UNIVERSITÉ DU LUXEMBOURG LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing L-4367 Belvaux T: +352 46 66 44 6124 F: +352 46 66 44 6949 http://www.uni.lu/lcsb [Facebook]<https://www.facebook.com/trefex> [Twitter] <https://twitter.com/Trefex> [Google Plus] <https://plus.google.com/+ChristopheTrefois/> [Linkedin] <https://www.linkedin.com/in/trefoischristophe> [skype] <http://skype:Trefex?call> ---- This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies. ---- On 18 May 2017, at 23:27, Christophe TREFOIS <christophe.trefois(a)uni.lu<mailto:christophe.trefois@uni.lu>> wrote: Hi, I just saw that my CA CRL master is not tracking any certs. However, my other CA master replica is tracking 8 certificates. Is this normal and expected? Thanks, Christophe -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

6 years, 11 months

1
0
0 / 0

help - trying to get Solaris IPA client to use AD credentials

by BOYD, JOEY D GG-12 USAF NASIC/SCXE

My AD credentials work fine on Linux (sssd) IPA clients but I'm not familiar with configuring an openldap client to use AD credentials. Currently the Solaris client can only see IPA users. Joe Boyd

6 years, 11 months

3
2
0 / 0

FreeIPA-users list has been migrated

by Martin Bašti

Welcome, dear users, you have been automatically migrated to the new freeipa-users list. Please use the following email address for discussions from now on: freeipa-users(a)lists.fedorahosted.org Please note that freeipa-users(a)redhat.com will be set to read only mode. Thank you for understanding, Your FreeIPA team. -- Martin Bašti Software Engineer Red Hat Czech

6 years, 11 months

1
0
0 / 1

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2017