November 2018 - FreeIPA-users - Fedora Mailing-Lists

by Eric Fredrickson

Hello everyone, I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled. FreeIPA Setup: CentOS 7.5 FreeIPA 4.5.4 HBAC Service: openvpn HBAC Rule: [root@ipa ~]# ipa hbacrule-show openvpn_access Rule name: openvpn_access Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service. Enabled: TRUE Users: <users> Hosts: vpnhost.localdomain.local Services: openvpn User account: [root@ipa ~]# ipa user-show <omitted> User login: <omitted> First name: <omitted> Last name: <omitted> Home directory: /home/<omitted> Login shell: /bin/bash Principal name: <omitted> Principal alias: <omitted> Email address: <omitted> UID: 1909600003 GID: 1909600003 User authentication types: otp Certificate: <omitted> Account disabled: False Password: True Member of groups: vpn_users Member of HBAC rule: openvpn_access Indirect Member of HBAC rule: user_ipa_access Kerberos keys available: True OpenVPN server: /etc/pam.d/openvpn #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so server.conf plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads, some have gotten it to work without posting answers, some have not and has stated openvpn does not support multiple prompts. Eric

1 year, 10 months

4
3
0 / 0

Get IPA server of location

by Peter Tselios

Hello, I have 2 FreeIPA servers placed in 2 AWS placement groups (AZ1, AZ2). I want to register my hosts in the IPA Server of the same placement group. Using dig I get the following: dig +short -t SRV _ldap._tcp.example.com. _ldap._tcp.AWS-eu-west-1a._locations.example.com. 50 100 389 euw1-prd-l-ipa02.example.com. 0 100 389 euw1-prd-l-ipa01.example.com. which, at least in my eyes, means that I have an LDAP server in a location. So, if I search this location I will get only ONE LDAP (or kerberos, it's the same) server. But no: dig +short -t SRV _ldap._tcp.AWS-eu-west-1a._locations.example.com. 50 100 389 euw1-prd-l-ipa02.example.com. 0 100 389 euw1-prd-l-ipa01.example.com. Now, I have some issues with this: Why do I have BOTH IPA servers in ONE location, since I have set only one of them in the specific location? Replication has nothing to do with it, we talk about the host of the location! If this a cognitive decision to add all replicated IPA servers to all locations? If so, why? Finally, is there any way to I get the IPA server(s) of a specific location? (My understanding is that we don't have the SUBNET entries as in IPA 2.x series and this is handled automatically with service discovery).

1 year, 10 months

2
2
0 / 0

Mix and Match Local Users and Groups with IPA Users and Groups?

by Ryan Slominski

What is the recommended way to handle a local user in an IPA group? For example, I have the standard local user "apache" that I'd like to add to an IPA group. I don't really want to add an "apache" user to IPA as it isn't really a regular user. Similarly, I don't want to create a local group of the same name and membership as the group in IPA. NIS seems to allow groups that reference local users. Can IPA? An IPA User in a local group is a similar problem, what is the solution there?

1 year, 10 months

3
3
0 / 0

smartcard auth + kerberos ticket?

by Natxo Asenjo

hi, I can successfully login using a smartcard (fedora 29 client, centos 7 kdcs, latest patch level). However, when I try to access a kerberized service, I need to kinit first, because I don't have a ticket: $ klist klist: Credentials cache 'KCM:1006000001' not found I already have krb5-pkinit in de client and if I kinit -n I get a wellknown/anonymous ticket from the kdcs, but this is obviously not what I had in mind :-) Am I doing something wrong or is this to be expected? -- regards, Natxo

1 year, 10 months

4
10
0 / 0

Change IP address of IPA server

by John Duino

Due to some preferred changes in our environment, we would like to change the IP address of two of our servers. My thinking is that we stop IPA on those hosts, change their IP and power down, then change the IP in the DNS of the running IPA's, then bring the two servers up. I am assuming all associations are done via fqdn and not an IP, is that correct? Is this safe or am I risking some corruption to the environment? -- John Duino jduino(a)oblong.com

1 year, 10 months

2
2
0 / 0

FreeIPA PPC64LE builds

by Pieter Baele

Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server PPC64LE build for Centos 7 (or RH IDM on RHEL 7/8) I only see some packages for PowerPC on Fedora and Ubuntu....

1 year, 10 months

3
5
0 / 0

Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

by Alexander Bokovoy

On ti, 13 marras 2018, Mustafa Karci via FreeIPA-users wrote: >Dear Alexander, > >The main intention is to setup a freeipa-server with a trust domain to >a Windows 2019 AD server. So for all windows env we would like to use >Windows 2019AD server and for all our Linux based server we would like >to use FreeIPA-server. > >From this point we have setup a basic Windows2019 AD domain with the >following realm ad.srv.world And the FreeIPA server has the following >realm ipa.srv.world > >The Windowd 2019 server also acts as the DNS server, where the >freeipa-server has his own dns rules and forwarding rule enabled to >zone ad.srv.world (windows 2019 DNS server). > > >From the ipa-server run the following command > >ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx > >All seems working ok on the ipa-server. But when trying to add the >freeipa server to a windows 2019 AD im getting the following error: > >ipa trust-add --type=ad ad.srv.world --admin Administrator --password >Active Directory domain administrator's password: >ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials > >Already tried to change permission on the AD site, but group policy >domain admin should be enough to setup a trused domain between these >two. No, this is not (at least not yet) an AD side. You need to look into Samba logs. Your excerpts from the logs below show that Samba is capable to authenticate the connection from IPA framework properly and understands that this is a constrained delegation use (HTTP/... service principal acts on behalf of 'admin' user principal). However, it is not able to validate that 'admin' user has enough permissions to perform what is needed: >Successfully validated Kerberos PAC > pac_data: struct PAC_DATA > num_buffers : 0x00000005 (5) > version : 0x00000000 (0) > buffers: ARRAY(5) > buffers: struct PAC_BUFFER > type : PAC_TYPE_LOGON_INFO (1) > _ndr_size : 0x000001a8 (424) > info : * > info : union PAC_INFO(case 1) > logon_info: struct PAC_LOGON_INFO_CTR > info : * > info: struct PAC_LOGON_INFO > info3: struct netr_SamInfo3 > base: struct netr_SamBaseInfo > logon_time : NTTIME(0) > logoff_time : Thu Jan 1 01:00:00 AM 1970 CET > kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET > last_password_change : Fri Nov 2 04:41:05 PM 2018 CET > allow_password_change : NTTIME(0) > force_password_change : Thu Jan 1 01:00:00 AM 1970 CET > account_name: struct lsa_String > length : 0x000a (10) > size : 0x000a (10) > string : * > string : 'admin' > full_name: struct lsa_String > length : 0x001a (26) > size : 0x001a (26) > string : * > string : 'Administrator' > logon_script: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > profile_path: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > home_directory: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > home_drive: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : * > string : '' > logon_count : 0x0000 (0) > bad_password_count : 0x0000 (0) > rid : 0x000001f4 (500) > primary_gid : 0x00000200 (512) > groups: struct samr_RidWithAttributeArray > count : 0x00000000 (0) > rids : * > rids: ARRAY(0) > user_flags : 0x00000000 (0) > 0: NETLOGON_GUEST > 0: NETLOGON_NOENCRYPTION > 0: NETLOGON_CACHED_ACCOUNT > 0: NETLOGON_USED_LM_PASSWORD > 0: NETLOGON_EXTRA_SIDS > 0: NETLOGON_SUBAUTH_SESSION_KEY > 0: NETLOGON_SERVER_TRUST_ACCOUNT > 0: NETLOGON_NTLMV2_ENABLED > 0: NETLOGON_RESOURCE_GROUPS > 0: NETLOGON_PROFILE_PATH_RETURNED > 0: NETLOGON_GRACE_LOGON > key: struct netr_UserSessionKey > key: ARRAY(16): <REDACTED SECRET VALUES> > logon_server: struct lsa_StringLarge > length : 0x0006 (6) > size : 0x0008 (8) > string : * > string : 'DLP' > logon_domain: struct lsa_StringLarge > > > > buffers: struct PAC_BUFFER > type : PAC_TYPE_LOGON_NAME (10) > _ndr_size : 0x00000014 (20) > info : * > info : union PAC_INFO(case 10) > logon_name: struct PAC_LOGON_NAME > logon_time : Mon Nov 12 04:01:01 PM 2018 CET > size : 0x000a (10) > account_name : 'admin' > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_CONSTRAINED_DELEGATION (11) > _ndr_size : 0x000000d8 (216) > info : * > info : union PAC_INFO(case 11) > constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR > info : * > info: struct PAC_CONSTRAINED_DELEGATION > proxy_target: struct lsa_String > length : 0x0048 (72) > size : 0x0048 (72) > string : * > string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD' > num_transited_services : 0x00000001 (1) > transited_services : * > transited_services: ARRAY(1) > transited_services: struct lsa_String > length : 0x0048 (72) > size : 0x0048 (72) > string : * > string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD' > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_SRV_CHECKSUM (6) > _ndr_size : 0x00000010 (16) > info : * > info : union PAC_INFO(case 6) > srv_cksum: struct PAC_SIGNATURE_DATA > type : 0x00000010 (16) > signature : DATA_BLOB length=12 > [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P > _pad : 0x00000000 (0) > buffers: struct PAC_BUFFER > type : PAC_TYPE_KDC_CHECKSUM (7) > _ndr_size : 0x00000010 (16) > info : * > info : union PAC_INFO(case 7) > kdc_cksum: struct PAC_SIGNATURE_DATA > type : 0x00000010 (16) > signature : DATA_BLOB length=12 > > >im a bit stuck with this issue. Can I see logs after this place? Smbd/winbindd should go on to resolve 'admin' user using a system and then build a local NT token for it. That one should have a RID 512 in it, like MS-PAC record above. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

1 year, 10 months

1
0
0 / 0

Re: ipa.service "fails" to start

by Florence Blanc-Renaud

On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote: > Hi there, > > This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. > > After reboot I couldn't start ipa service via systemctl, hence I run > "ipactl start --ignore-service-failures" and this was kind of > successful. I still have some discrepancies, and looking for > troubleshooting ideas. > > 1. "systemctl status ipa.service" reads that service failed > 2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server > is running. Hi, The PKI service status can be found using "systemctl status pki-tomcatd(a)pki-tomcat.service". More details on the differences between targets and units can be found in the man pages for systemd.unit(5) and systemd.target(5). > 3. > # ipactl status > Directory Service: RUNNING > krb5kdc Service: RUNNING > kadmin Service: RUNNING > named Service: RUNNING > ipa_memcached Service: RUNNING > httpd Service: RUNNING > ipa-custodia Service: RUNNING > ntpd Service: RUNNING > pki-tomcatd Service: STOPPED <---- !! > ipa-otpd Service: RUNNING > ipa-dnskeysyncd Service: RUNNING > ipa: INFO: The ipactl command was successful > To troubleshoot, you can have a look at the output of # systemctl status pki-tomcatd(a)pki-tomcat.service and the logs in /var/log/pki/pki-tomcat/ca/debug. I would start by checking if some certificates expired with getcert list (check the status, should be MONITORING, and the expires: <date>). HTH, flo > > Well, why pki-tomcatd reads 'stopped' and how to make systemctl to > recognize that ipa service is running, thanks in advance, > > Zarko > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

1 year, 10 months

5
20
0 / 0

LDAP - Zammad -> not offering all fields

by Tobi Berninger

Hey, i have an freeipa 4.5.4 on an Centos 7 up and running. I allready binded that ipa trough an ldap on an nextcloud installation. Now i try to do the same with an zammad. Sadly it doesnt offers me the right fields (first name, last name, mail and many more are missing) I set up an extra ldap sysaccount just for that reason, as it was described here: https://www.freeipa.org/page/HowTo/LDAP Any ideas what i was doing wrong? Others users in the zammad forum told me that zammad is offering them the fields i need, so i am quite convinced that the error is in an missconfiguration on my side. Sadly i didnt set the server up, i just try to keep it running. Thank u all for ur help and i apoligze for my english...

1 year, 10 months

4
5
0 / 0

Re: Trust fails between IPA 4.5.4 and Samba AD DC 4.8.1 (MIT Kerberos) -- CIFS server denied credentials

by Mustafa Karci

Dear Alexander, The main intention is to setup a freeipa-server with a trust domain to a Windows 2019 AD server. So for all windows env we would like to use Windows 2019AD server and for all our Linux based server we would like to use FreeIPA-server. From this point we have setup a basic Windows2019 AD domain with the following realm ad.srv.world And the FreeIPA server has the following realm ipa.srv.world The Windowd 2019 server also acts as the DNS server, where the freeipa-server has his own dns rules and forwarding rule enabled to zone ad.srv.world (windows 2019 DNS server). From the ipa-server run the following command ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx All seems working ok on the ipa-server. But when trying to add the freeipa server to a windows 2019 AD im getting the following error: ipa trust-add --type=ad ad.srv.world --admin Administrator --password Active Directory domain administrator's password: ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials Already tried to change permission on the AD site, but group policy domain admin should be enough to setup a trused domain between these two. kinit admin Password for admin(a)IPA.SRV.WORLD<mailto:admin@IPA.SRV.WORLD>: klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin(a)IPA.SRV.WORLD Valid starting Expires Service principal 11/13/2018 11:12:38 11/14/2018 11:12:36 krbtgt/IPA.SRV.WORLD(a)IPA.SRV.WORL smbclient -L dlp.ipa.srv.world -k -d 3 lp_load_ex: refreshing parameters Initialising global parameters Processing section "[global]" lp_load_ex: changing to config backend registry Initialising global parameters lp_load_ex: refreshing parameters Initialising global parameters Processing section "[global]" added interface eth0 ip=10.50.1.103 bcast=10.50.1.255 netmask=255.255.255.0 Client started (version 4.7.1). Connecting to 10.50.1.103 at port 445 got OID=1.2.840.48018.1.2.2 GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered SPNEGO login failed: {Access Denied} A proc ipa/default.conf [global] host = dlp.ipa.srv.world basedn = dc=ipa,dc=srv,dc=world realm = IPA.SRV.WORLD domain = ipa.srv.world xmlrpc_uri = https://dlp.ipa.srv.world/ipa/xml ldap_uri = ldapi://%2fvar%2frun%2fslapd-IPA-SRV-WORLD.socket enable_ra = True ra_plugin = dogtag dogtag_version = 10 mode = production krb5.conf includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = IPA.SRV.WORLD dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] IPA.SRV.WORLD = { kdc = dlp.ipa.srv.world:88 master_kdc = dlp.ipa.srv.world:88 admin_server = dlp.ipa.srv.world:749 default_domain = ipa.srv.world pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .ipa.srv.world = IPA.SRV.WORLD ipa.srv.world = IPA.SRV.WORLD dlp.ipa.srv.world = IPA.SRV.WORLD [dbmodules] IPA.SRV.WORLD = { db_library = ipadb.so } /var/log/http/* rpc reply data: [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ........ ........ [0020] 01 00 00 00 03 00 00 00 4B 00 00 00 4B 00 00 00 ........ K...K... [0030] 05 00 13 00 0D 78 57 34 12 34 12 CD AB EF 00 01 .....xW4 .4...... [0040] 23 45 67 89 AB 00 00 02 00 00 00 13 00 0D 04 5D #Eg..... .......] [0050] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ........ ..+.H`.. [0060] 02 00 00 00 01 00 0B 02 00 00 00 01 00 07 02 00 ........ ........ [0070] C0 00 01 00 09 04 00 0A 32 01 67 00 00 00 00 00 ........ 2.g..... s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dee40 s4_tevent: Cancel immediate event 0x7f45cc3dee40 "tevent_req_trigger" Mapped to DCERPC endpoint 49152 added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0 added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0 resolve_lmhosts: Attempting lmhosts lookup for name dlp.ipa.srv.world<0x20> getlmhostsent: lmhost entry: 127.0.0.1 localhost s4_tevent: Added timed event "composite_trigger": 0x7f45cc3c41f0 s4_tevent: Running timer event 0x7f45cc3c41f0 "composite_trigger" s4_tevent: Ending timer event 0x7f45cc3c41f0 "composite_trigger" Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 GSSAPI credentials for admin(a)IPA.SRV.WORLD will expire in 86359 secs GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Credential cache is empty s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dde50 s4_tevent: Cancel immediate event 0x7f45cc3dde50 "tevent_req_trigger" SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for host/DLP.IPA.SRV.WORLD failed (next[(null)]): NT_STATUS_LOGON_FAILURE Failed to setup SPNEGO negTokenInit request: NT_STATUS_LOGON_FAILURE s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dd540 s4_tevent: Run immediate event "tevent_req_trigger": 0x7f45cc3dd540 Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: xx.xx.xx.xxx [49152,print,target_hostname=dlp.ipa.srv.world,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000,localaddress=xx.xx.xx.xxx] NT_STATUS_LOGON_FAILURE s4_tevent: Destroying timer event 0x7f45cc3b9670 "dcerpc_connect_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3c5ef0 s4_tevent: Cancel immediate event 0x7f45cc3c5ef0 "tevent_req_trigger" [Tue Nov 13 10:51:04.693630 2018] [:error] [pid 24146] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last): [Tue Nov 13 10:51:04.693675 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute [Tue Nov 13 10:51:04.693689 2018] [:error] [pid 24146] result = command(*args, **options) [Tue Nov 13 10:51:04.693700 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__ [Tue Nov 13 10:51:04.693711 2018] [:error] [pid 24146] return self.__do_call(*args, **options) [Tue Nov 13 10:51:04.693722 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call [Tue Nov 13 10:51:04.693733 2018] [:error] [pid 24146] ret = self.run(*args, **options) [Tue Nov 13 10:51:04.693743 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run [Tue Nov 13 10:51:04.693754 2018] [:error] [pid 24146] return self.execute(*args, **options) [Tue Nov 13 10:51:04.693765 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 726, in execute [Tue Nov 13 10:51:04.693776 2018] [:error] [pid 24146] full_join = self.validate_options(*keys, **options) [Tue Nov 13 10:51:04.693786 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 829, in validate_options [Tue Nov 13 10:51:04.693797 2018] [:error] [pid 24146] self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api) [Tue Nov 13 10:51:04.693808 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1557, in __init__ [Tue Nov 13 10:51:04.693818 2018] [:error] [pid 24146] self.__populate_local_domain() [Tue Nov 13 10:51:04.693829 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1570, in __populate_local_domain [Tue Nov 13 10:51:04.693840 2018] [:error] [pid 24146] ld.retrieve(installutils.get_fqdn()) [Tue Nov 13 10:51:04.693850 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 960, in retrieve [Tue Nov 13 10:51:04.693861 2018] [:error] [pid 24146] self.init_lsa_pipe(remote_host) [Tue Nov 13 10:51:04.693900 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 879, in init_lsa_pipe [Tue Nov 13 10:51:04.693922 2018] [:error] [pid 24146] % dict(host=remote_host)) [Tue Nov 13 10:51:04.693933 2018] [:error] [pid 24146] ACIError: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials [Tue Nov 13 10:51:04.693944 2018] [:error] [pid 24146] [Tue Nov 13 10:51:04.694550 2018] [:error] [pid 24146] ipa: INFO: [jsonserver_session] admin(a)IPA.SRV.WORLD: trust_add/1(u'ad.srv.world', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.228'): ACIError [Tue Nov 13 10:51:04.696944 2018] [:error] [pid 24146] ipa: DEBUG: Destroyed connection context.ldap2_139937313614032 /var/log/samba/* 10:51:04.514558, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug) &global_blob: struct smbXsrv_session_globalB version : SMBXSRV_VERSION_0 (0) seqnum : 0x00000001 (1) info : union smbXsrv_session_globalU(case 0) info0 : * info0: struct smbXsrv_session_global0 db_rec : * session_global_id : 0x7990abe5 (2039524325) session_wire_id : 0x000000007990abe5 (2039524325) creation_time : Tue Nov 13 10:51:05 AM 2018 CET expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_time : NTTIME(0) auth_session_info_seqnum : 0x00000000 (0) auth_session_info : NULL connection_dialect : 0x0311 (785) signing_flags : 0x00 (0) 0: SMBXSRV_SIGNING_REQUIRED 0: SMBXSRV_PROCESSED_SIGNED_PACKET 0: SMBXSRV_PROCESSED_UNSIGNED_PACKET encryption_flags : 0x00 (0) 0: SMBXSRV_ENCRYPTION_REQUIRED 0: SMBXSRV_ENCRYPTION_DESIRED 0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET 0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x00000000000068df (26847) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807) local_address : 'ipv4:10.50.1.103:445' remote_address : 'ipv4:10.50.1.103:56404' remote_name : '10.50.1.103' auth_session_info_seqnum : 0x00000000 (0) connection : * encryption_cipher : 0x0000 (0) [2018/11/13 10:51:04.515148, 5, pid=26847, effective(0, 0), real(0, 0)] 018/11/13 10:51:04.515354, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug) &session_blob: struct smbXsrv_sessionB version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_sessionU(case 0) info0 : * info0: struct smbXsrv_session table : * db_rec : NULL client : * local_id : 0x7990abe5 (2039524325) global : * global: struct smbXsrv_session_global0 db_rec : NULL session_global_id : 0x7990abe5 (2039524325) session_wire_id : 0x000000007990abe5 (2039524325) creation_time : Tue Nov 13 10:51:05 AM 2018 CET expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_time : NTTIME(0) auth_session_info_seqnum : 0x00000000 (0) auth_session_info : NULL connection_dialect : 0x0311 (785) signing_flags : 0x00 (0) 0: SMBXSRV_SIGNING_REQUIRED 0: SMBXSRV_PROCESSED_SIGNED_PACKET 0: SMBXSRV_PROCESSED_UNSIGNED_PACKET encryption_flags : 0x00 (0) 0: SMBXSRV_ENCRYPTION_REQUIRED 0: SMBXSRV_ENCRYPTION_DESIRED 0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET 0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x00000000000068df (26847) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807) local_address : 'ipv4:10.50.1.103:445' remote_address : 'ipv4:10.50.1.103:56404' remote_name : '10.50.1.103' auth_session_info_seqnum : 0x00000000 (0) connection : * encryption_cipher : 0x0000 (0) status : NT_STATUS_MORE_PROCESSING_REQUIRED idle_time : Tue Nov 13 10:51:05 AM 2018 CET nonce_high_random : 0x0000000000000000 (0) nonce_high_max : 0x0000000000000000 (0) nonce_high : 0x0000000000000000 (0) nonce_low : 0x0000000000000000 (0) compat : NULL tcon_table : * pending_auth : NULL version : SMBXSRV_VERSION_0 (0) reserved : 0x00000000 (0) info : union smbXsrv_sessionU(case 0) info0 : * info0: struct smbXsrv_session table : * db_rec : NULL client : * local_id : 0x7990abe5 (2039524325) global : * global: struct smbXsrv_session_global0 db_rec : NULL session_global_id : 0x7990abe5 (2039524325) session_wire_id : 0x000000007990abe5 (2039524325) creation_time : Tue Nov 13 10:51:05 AM 2018 CET expiration_time : Thu Jan 1 01:00:00 AM 1970 CET auth_time : NTTIME(0) auth_session_info_seqnum : 0x00000000 (0) auth_session_info : NULL connection_dialect : 0x0311 (785) signing_flags : 0x00 (0) 0: SMBXSRV_SIGNING_REQUIRED 0: SMBXSRV_PROCESSED_SIGNED_PACKET 0: SMBXSRV_PROCESSED_UNSIGNED_PACKET encryption_flags : 0x00 (0) 0: SMBXSRV_ENCRYPTION_REQUIRED 0: SMBXSRV_ENCRYPTION_DESIRED 0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET 0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET num_channels : 0x00000001 (1) channels: ARRAY(1) channels: struct smbXsrv_channel_global0 server_id: struct server_id pid : 0x00000000000068df (26847) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807) local_address : 'ipv4:10.50.1.103:445' remote_address : 'ipv4:10.50.1.103:56404' remote_name : '10.50.1.103' auth_session_info_seqnum : 0x00000000 (0) connection : * encryption_cipher : 0x0000 (0) status : NT_STATUS_MORE_PROCESSING_REQUIRED idle_time : Tue Nov 13 10:51:05 AM 2018 CET nonce_high_random : 0x0000000000000000 (0) nonce_high_max : 0x0000000000000000 (0) nonce_high : 0x0000000000000000 (0) nonce_low : 0x0000000000000000 (0) compat : NULL tcon_table : * pending_auth : * pending_auth: struct smbXsrv_session_auth0 prev : * next : NULL session : * connection : * gensec : * preauth : * in_flags : 0x00 (0) in_security_mode : 0x03 (3) creation_time : Tue Nov 13 10:51:05 AM 2018 CET idle_time : Tue Nov 13 10:51:05 AM 2018 CET Successfully validated Kerberos PAC pac_data: struct PAC_DATA num_buffers : 0x00000005 (5) version : 0x00000000 (0) buffers: ARRAY(5) buffers: struct PAC_BUFFER type : PAC_TYPE_LOGON_INFO (1) _ndr_size : 0x000001a8 (424) info : * info : union PAC_INFO(case 1) logon_info: struct PAC_LOGON_INFO_CTR info : * info: struct PAC_LOGON_INFO info3: struct netr_SamInfo3 base: struct netr_SamBaseInfo logon_time : NTTIME(0) logoff_time : Thu Jan 1 01:00:00 AM 1970 CET kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET last_password_change : Fri Nov 2 04:41:05 PM 2018 CET allow_password_change : NTTIME(0) force_password_change : Thu Jan 1 01:00:00 AM 1970 CET account_name: struct lsa_String length : 0x000a (10) size : 0x000a (10) string : * string : 'admin' full_name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Administrator' logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : * string : '' logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) rid : 0x000001f4 (500) primary_gid : 0x00000200 (512) groups: struct samr_RidWithAttributeArray count : 0x00000000 (0) rids : * rids: ARRAY(0) user_flags : 0x00000000 (0) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 0: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 0: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key: ARRAY(16): <REDACTED SECRET VALUES> logon_server: struct lsa_StringLarge length : 0x0006 (6) size : 0x0008 (8) string : * string : 'DLP' logon_domain: struct lsa_StringLarge buffers: struct PAC_BUFFER type : PAC_TYPE_LOGON_NAME (10) _ndr_size : 0x00000014 (20) info : * info : union PAC_INFO(case 10) logon_name: struct PAC_LOGON_NAME logon_time : Mon Nov 12 04:01:01 PM 2018 CET size : 0x000a (10) account_name : 'admin' _pad : 0x00000000 (0) buffers: struct PAC_BUFFER type : PAC_TYPE_CONSTRAINED_DELEGATION (11) _ndr_size : 0x000000d8 (216) info : * info : union PAC_INFO(case 11) constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR info : * info: struct PAC_CONSTRAINED_DELEGATION proxy_target: struct lsa_String length : 0x0048 (72) size : 0x0048 (72) string : * string : 'HTTP/dlp.ipa.srv.world(a)IPA.SRV.WORLD' num_transited_services : 0x00000001 (1) transited_services : * transited_services: ARRAY(1) transited_services: struct lsa_String length : 0x0048 (72) size : 0x0048 (72) string : * string : 'cifs/dlp.ipa.srv.world(a)IPA.SRV.WORLD' _pad : 0x00000000 (0) buffers: struct PAC_BUFFER type : PAC_TYPE_SRV_CHECKSUM (6) _ndr_size : 0x00000010 (16) info : * info : union PAC_INFO(case 6) srv_cksum: struct PAC_SIGNATURE_DATA type : 0x00000010 (16) signature : DATA_BLOB length=12 [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P _pad : 0x00000000 (0) buffers: struct PAC_BUFFER type : PAC_TYPE_KDC_CHECKSUM (7) _ndr_size : 0x00000010 (16) info : * info : union PAC_INFO(case 7) kdc_cksum: struct PAC_SIGNATURE_DATA type : 0x00000010 (16) signature : DATA_BLOB length=12 im a bit stuck with this issue. Kind regards

1 year, 10 months

1
0
0 / 0

2020

2019

2018

2017

FreeIPA-users November 2018