certmonger (back in time) renewal is only 50% successful
by Zarko D
Hi there, still working on cert renewal with a little bit of progress, hence asking kindly for more support until final resolution. As per the subject, certmonger renews two out of four certificates.
[1] stop ntpd, go back in time (Aug 10 2018), where all certs are valid
[2] restart krb5kdc, 389, httpd, CA
[3] Verify that CA is running.
# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to ca-ldap01.domain.com port 8443 (#0)
* Trying x.x.x.x...
* Connected to ca-ldap01.domain.com (IP) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias/
* CAfile: /etc/ipa/ca.crt
CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=ca-ldap01.domain.com,O=domain.com
* start date: Jul 18 01:47:45 2018 GMT
* expire date: Jul 07 01:47:45 2020 GMT
* common name: ca-ldap01.domain.com
* issuer: CN=Certificate Authority,O=domain.com
> GET /ca/agent/ca/profileReview HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ca-ldap01.domain.com:8443
> Accept: */*
>
* NSS: client certificate not found (nickname not specified)
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 10 Aug 2018 08:54:11 GMT
<
{ [data not shown]
100 17641 0 17641 0 0 203k 0 --:--:-- --:--:-- --:--:-- 205k
* Connection #0 to host ca-ldap01.domain.com left intact
[4] ipactl status reads:
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[5] restart certmonger; four certs are in SUBMITTING status
# getcert list | egrep "certificate|expire|status"
Number of certificates and requests being tracked: 6.
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
[6] Here is where the problem starts: the CA stops running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log reports
0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
[7] I see that 'auditSigningCert' and 'ocspSigningCert' have been renewed, so obviously at this very moment their validity time is not the same as for the other certs. Hence selftests.log reports that auditSigningCert is invalid, the CA stops running, and I am left with two certs not renewed. The new cert list now is:
# getcert list | egrep "certificate|expires"
Number of certificates and requests being tracked: 6.
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-29 06:35:38 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-11 20:15:53 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
The question now is: how do I work around this problem?
Instead of restarting certmonger service, is it better to renew certs with 'getcert resubmit' in some specific order?
thanks, Zarko
3 years, 6 months
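As an added example (not code from the post, nor from certmonger or FreeIPA): a pre-flight check for step [1], parsing the `getcert list | egrep "certificate|expire|status"` output shown above to find the latest clock value at which every tracked certificate is still valid, and listing which certificates are already expired at any candidate date. The listing embedded below is a constructed copy of the thread's first listing.

```python
"""Pre-flight check before rolling the clock back for certmonger renewal.

Added example, not from the post or from certmonger. It parses the
`getcert list` output shown in the thread (constructed copy below) and
reports which tracked certificates are already expired at a candidate
clock date; the Dogtag SystemCertsVerification self-test fails at startup
if any system certificate is outside its validity window at that time.
"""
import re
from collections import Counter
from datetime import datetime, timezone

GETCERT_LIST = """\
Number of certificates and requests being tracked: 6.
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
"""

STATUS_RE = re.compile(r"^\s*status:\s+(\S+)")
NICK_RE = re.compile(r"^\s*certificate:.*nickname='([^']+)'")
EXPIRES_RE = re.compile(r"^\s*expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def _utc(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' (getcert prints UTC) as an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Return [{nick, status, expires}] in listing order; status may be None
    when the listing was filtered without the status lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if m := STATUS_RE.match(line):
            cur = {"status": m.group(1)}
        elif m := NICK_RE.match(line):
            cur["nick"] = m.group(1)
        elif m := EXPIRES_RE.match(line):
            cur["expires"] = _utc(m.group(1))
            cur.setdefault("status", None)
            entries.append(cur)
            cur = {}
    return entries


def expired_at(entries, when):
    """Nicknames already expired at `when` ('YYYY-MM-DD HH:MM:SS', UTC)."""
    t = _utc(when)
    return [e["nick"] for e in entries if e["expires"] <= t]


def latest_safe_clock(entries):
    """Earliest expiry of all tracked certs: the clock must be set before it."""
    return min(e["expires"] for e in entries).strftime("%Y-%m-%d %H:%M:%S")


def by_status(entries):
    """Count tracking states, e.g. how many requests are still SUBMITTING."""
    return dict(Counter(e["status"] for e in entries))
```

Run it against a live system with `getcert list` piped into `parse_getcert`; the date printed by `latest_safe_clock` is the bound the rolled-back clock must stay below.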
dirsrv not starting
by Andrew Meyer
We have 2 servers in our AWS west environment running CentOS 7. The server just went unresponsive and I rebooted it. After it came back up it won't start the dirsrv service. I get the following errors from systemd/journalctl:
[root@freeipa02 slapd-EXAMPLE-NET]# systemctl status dirsrv@EXAMPLE.NET -l
● dirsrv@EXAMPLE.NET.service - 389 Directory Server EXAMPLE.NET.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources)
Nov 16 20:27:46 freeipa02.west.example systemd[1]: dirsrv@EXAMPLE.NET.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Unit dirsrv@EXAMPLE.NET.service entered failed state.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: dirsrv@EXAMPLE.NET.service failed.
Nov 16 20:27:46 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET....
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to load environment files: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dirsrv@EXAMPLE.NET.service failed to run 'start-pre' task: No such file or directory
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Failed to start 389 Directory Server EXAMPLE.NET..
Nov 16 20:29:10 freeipa02.west.example systemd[1]: dirsrv@EXAMPLE.NET.service failed.
Nov 16 20:29:10 freeipa02.west.example systemd[1]: Starting 389 Directory Server EXAMPLE.NET....
[root@freeipa02 slapd-EXAMPLE-NET]#
All the files are there. I did a comparison to the 01 server.
Regards,
Andrew
3 years, 6 months
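As an added example (not from the post, nor from 389-ds or systemd): both journal messages above, "Failed to load environment files" and "failed to run 'start-pre' task: No such file or directory", mean a path that the template unit names does not exist once `%i` is replaced by the instance name. The check below resolves those references for one instance and lists the missing ones; `UNIT_TEXT` is a constructed approximation of `dirsrv@.service`, not a copy of the real unit, and the demo runs against a temporary fake root.

```python
"""Resolve a systemd template unit's file references for one instance and
report the ones that are missing.

Added example, not from the post or from 389-ds. It substitutes %i/%I and
tests every EnvironmentFile= path and every absolute path on the Exec*
lines. UNIT_TEXT is a constructed approximation of dirsrv@.service.
"""
import os
import tempfile

UNIT_TEXT = """\
[Service]
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i
"""
KEYS = ("EnvironmentFile", "ExecStartPre", "ExecStart", "ExecStartPost")


def unit_paths(unit_text, instance):
    """Yield (key, path, required). A leading '-' on EnvironmentFile= makes
    the file optional; the '-', '@', '!', '+', ':' Exec prefixes are stripped
    from the program token."""
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in KEYS:
            continue
        value = value.strip().replace("%i", instance).replace("%I", instance)
        if key == "EnvironmentFile":
            yield key, value.lstrip("-"), not value.startswith("-")
            continue
        for i, tok in enumerate(value.split()):
            tok = tok.lstrip("-@!+:") if i == 0 else tok
            if tok.startswith("/"):  # program or absolute-path argument
                yield key, tok, True


def missing_paths(unit_text, instance, root="/"):
    """Required references that do not exist under `root` ('/' for the live
    system; the demo uses a temporary fake root)."""
    return [(k, p) for k, p, req in unit_paths(unit_text, instance)
            if req and not os.path.exists(os.path.join(root, p.lstrip("/")))]


def demo():
    """Constructed fixture: the shared env file, ns-slapd and the instance
    directory exist, but the instance env file and the pre-start helper do
    not, which is the situation the journal in the post points at."""
    root = tempfile.mkdtemp()
    for rel in ("etc/sysconfig/dirsrv", "usr/sbin/ns-slapd",
                "etc/dirsrv/slapd-EXAMPLE.NET/dse.ldif"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return missing_paths(UNIT_TEXT, "EXAMPLE.NET", root)


if __name__ == "__main__":
    for key, path in demo():
        print(f"{key}: missing {path}")
```

On the real host, feed the actual unit (`systemctl cat dirsrv@EXAMPLE.NET`) to `missing_paths` with `root="/"`; comparing the result with the 01 server narrows the diff to the paths systemd is actually complaining about.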
FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP
by Eric Fredrickson
Hello everyone,
I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled.
FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
Enabled: TRUE
Users: <users>
Hosts: vpnhost.localdomain.local
Services: openvpn
User account:
[root@ipa ~]# ipa user-show <omitted>
User login: <omitted>
First name: <omitted>
Last name: <omitted>
Home directory: /home/<omitted>
Login shell: /bin/bash
Principal name: <omitted>
Principal alias: <omitted>
Email address: <omitted>
UID: 1909600003
GID: 1909600003
User authentication types: otp
Certificate: <omitted>
Account disabled: False
Password: True
Member of groups: vpn_users
Member of HBAC rule: openvpn_access
Indirect Member of HBAC rule: user_ipa_access
Kerberos keys available: True
OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads; some have gotten it to work without posting answers, some have not and have stated that openvpn does not support multiple prompts.
Eric
3 years, 6 months
Get IPA server of location
by Peter Tselios
Hello,
I have 2 FreeIPA servers placed in 2 AWS placement groups (AZ1, AZ2).
I want to register my hosts in the IPA Server of the same placement group.
Using dig I get the following:
dig +short -t SRV _ldap._tcp.example.com.
_ldap._tcp.AWS-eu-west-1a._locations.example.com.
50 100 389 euw1-prd-l-ipa02.example.com.
0 100 389 euw1-prd-l-ipa01.example.com.
which, at least in my eyes, means that I have an LDAP server in a location. So, if I search this location I will get only ONE LDAP (or kerberos, it's the same) server.
But no:
dig +short -t SRV _ldap._tcp.AWS-eu-west-1a._locations.example.com.
50 100 389 euw1-prd-l-ipa02.example.com.
0 100 389 euw1-prd-l-ipa01.example.com.
Now, I have some issues with this:
Why do I have BOTH IPA servers in ONE location, since I have set only one of them in the specific location? Replication has nothing to do with it, we talk about the host of the location!
Is this a conscious decision to add all replicated IPA servers to all locations? If so, why?
Finally, is there any way I can get the IPA server(s) of a specific location?
(My understanding is that we don't have the SUBNET entries as in IPA 2.x series and this is handled automatically with service discovery).
3 years, 6 months
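As an added example (not from the post, nor from FreeIPA or BIND): the two answers above differ only in priority, ipa01 at 0 and ipa02 at 50, and an RFC 2782 client always tries the lowest priority value first and uses higher ones only as fallback, so a host in AWS-eu-west-1a querying the location name still ends up on ipa01 with ipa02 as backup. The code below parses the `dig +short -t SRV` lines (a constructed copy of the thread's output) and reproduces that ordering, including the weighted draw among records of equal priority.

```python
"""Order SRV answers the way an RFC 2782 client does.

Added example, not part of the post. Parses `dig +short -t SRV` lines
(constructed copy of the thread's location answer below) and returns the
order in which a client tries the targets: ascending priority value, and
a weight-proportional random draw among records of equal priority.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed copy of the answer for
# _ldap._tcp.AWS-eu-west-1a._locations.example.com.
DIG_SHORT = """\
50 100 389 euw1-prd-l-ipa02.example.com.
0 100 389 euw1-prd-l-ipa01.example.com.
"""


def parse_dig_short(text):
    """Parse 'priority weight port target.' lines into SRV tuples."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4:
            out.append(SRV(int(f[0]), int(f[1]), int(f[2]), f[3].rstrip(".")))
    return out


def pick_by_weight(pool, n):
    """RFC 2782 weighted selection for one priority level: put weight-0
    records first, then return the first record whose running weight sum
    is >= n, where 0 <= n <= sum of weights."""
    pool = sorted(pool, key=lambda r: r.weight != 0)  # stable: zeros first
    acc = 0
    for r in pool:
        acc += r.weight
        if acc >= n:
            return r
    return pool[-1]


def order_srv(records, rng=None):
    """Full try-order: lowest priority value first; within one priority,
    draw repeatedly with probability proportional to weight."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pick_by_weight(pool, rng.randint(0, total))
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def try_order_targets(text, rng=None):
    """Convenience: 'host:port' strings in client try-order."""
    return [f"{r.target}:{r.port}" for r in order_srv(parse_dig_short(text), rng)]


if __name__ == "__main__":
    print(try_order_targets(DIG_SHORT))
```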
Mix and Match Local Users and Groups with IPA Users and Groups?
by Ryan Slominski
What is the recommended way to handle a local user in an IPA group?
For example, I have the standard local user "apache" that I'd like to add to an IPA group. I don't really want to add an "apache" user to IPA as it isn't really a regular user. Similarly, I don't want to create a local group of the same name and membership as the group in IPA. NIS seems to allow groups that reference local users. Can IPA?
An IPA User in a local group is a similar problem, what is the solution there?
3 years, 6 months
smartcard auth + kerberos ticket?
by Natxo Asenjo
hi,
I can successfully login using a smartcard (fedora 29 client, centos 7
kdcs, latest patch level).
However, when I try to access a kerberized service, I need to kinit first,
because I don't have a ticket:
$ klist
klist: Credentials cache 'KCM:1006000001' not found
I already have krb5-pkinit in the client and if I kinit -n I get a
wellknown/anonymous ticket from the kdcs, but this is obviously not what I
had in mind :-)
Am I doing something wrong or is this to be expected?
--
regards,
Natxo
3 years, 6 months
Change IP address of IPA server
by John Duino
Due to some preferred changes in our environment, we would like to change
the IP address of two of our servers. My thinking is that we stop IPA on
those hosts, change their IP and power down, then change the IP in the DNS
of the running IPA's, then bring the two servers up. I am assuming all
associations are done via fqdn and not an IP, is that correct? Is this safe
or am I risking some corruption to the environment?
--
John Duino
jduino(a)oblong.com
3 years, 6 months
FreeIPA PPC64LE builds
by Pieter Baele
Does anyone have an idea what the timeline/roadmap is for a FreeIPA ipa-server PPC64LE
build for CentOS 7 (or RH IDM on RHEL 7/8)?
I only see some packages for PowerPC on Fedora and Ubuntu....
3 years, 6 months
Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials
by Alexander Bokovoy
On Tue, 13 Nov 2018, Mustafa Karci via FreeIPA-users wrote:
>Dear Alexander,
>
>The main intention is to setup a freeipa-server with a trust domain to
>a Windows 2019 AD server. So for all windows env we would like to use
>Windows 2019AD server and for all our Linux based server we would like
>to use FreeIPA-server.
>
>From this point we have setup a basic Windows2019 AD domain with the
>following realm ad.srv.world And the FreeIPA server has the following
>realm ipa.srv.world
>
>The Windows 2019 server also acts as the DNS server, where the
>freeipa-server has his own dns rules and forwarding rule enabled to
>zone ad.srv.world (windows 2019 DNS server).
>
>
>From the ipa-server run the following command
>
>ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
>
>All seems to be working OK on the ipa-server. But when trying to add the
>freeipa server to a Windows 2019 AD I'm getting the following error:
>
>ipa trust-add --type=ad ad.srv.world --admin Administrator --password
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
>
>Already tried to change permissions on the AD side, but group policy
>domain admin should be enough to set up a trusted domain between these
>two.
No, this is not (at least not yet) on the AD side. You need to look into the
Samba logs. Your excerpts from the logs below show that Samba is capable
of authenticating the connection from the IPA framework properly and
understands that this is a constrained delegation use (the HTTP/...
service principal acts on behalf of the 'admin' user principal). However, it
is not able to validate that the 'admin' user has enough permissions to
perform what is needed:
>Successfully validated Kerberos PAC
> pac_data: struct PAC_DATA
> num_buffers : 0x00000005 (5)
> version : 0x00000000 (0)
> buffers: ARRAY(5)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_INFO (1)
> _ndr_size : 0x000001a8 (424)
> info : *
> info : union PAC_INFO(case 1)
> logon_info: struct PAC_LOGON_INFO_CTR
> info : *
> info: struct PAC_LOGON_INFO
> info3: struct netr_SamInfo3
> base: struct netr_SamBaseInfo
> logon_time : NTTIME(0)
> logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
> allow_password_change : NTTIME(0)
> force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
> account_name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'admin'
> full_name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Administrator'
> logon_script: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> profile_path: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_directory: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_drive: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> logon_count : 0x0000 (0)
> bad_password_count : 0x0000 (0)
> rid : 0x000001f4 (500)
> primary_gid : 0x00000200 (512)
> groups: struct samr_RidWithAttributeArray
> count : 0x00000000 (0)
> rids : *
> rids: ARRAY(0)
> user_flags : 0x00000000 (0)
> 0: NETLOGON_GUEST
> 0: NETLOGON_NOENCRYPTION
> 0: NETLOGON_CACHED_ACCOUNT
> 0: NETLOGON_USED_LM_PASSWORD
> 0: NETLOGON_EXTRA_SIDS
> 0: NETLOGON_SUBAUTH_SESSION_KEY
> 0: NETLOGON_SERVER_TRUST_ACCOUNT
> 0: NETLOGON_NTLMV2_ENABLED
> 0: NETLOGON_RESOURCE_GROUPS
> 0: NETLOGON_PROFILE_PATH_RETURNED
> 0: NETLOGON_GRACE_LOGON
> key: struct netr_UserSessionKey
> key: ARRAY(16): <REDACTED SECRET VALUES>
> logon_server: struct lsa_StringLarge
> length : 0x0006 (6)
> size : 0x0008 (8)
> string : *
> string : 'DLP'
> logon_domain: struct lsa_StringLarge
>
>
>
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_NAME (10)
> _ndr_size : 0x00000014 (20)
> info : *
> info : union PAC_INFO(case 10)
> logon_name: struct PAC_LOGON_NAME
> logon_time : Mon Nov 12 04:01:01 PM 2018 CET
> size : 0x000a (10)
> account_name : 'admin'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
> _ndr_size : 0x000000d8 (216)
> info : *
> info : union PAC_INFO(case 11)
> constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
> info : *
> info: struct PAC_CONSTRAINED_DELEGATION
> proxy_target: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
> num_transited_services : 0x00000001 (1)
> transited_services : *
> transited_services: ARRAY(1)
> transited_services: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_SRV_CHECKSUM (6)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 6)
> srv_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
> [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_KDC_CHECKSUM (7)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 7)
> kdc_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
>
>
>I'm a bit stuck with this issue.
Can I see the logs after this place? Smbd/winbindd should go on to resolve
the 'admin' user using the system and then build a local NT token for it. That
one should have RID 512 in it, like the MS-PAC record above.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 6 months