Re: Hardship setting up samba share that depends on IPA trust with AD
by Николай Савельев
> Date: Wed, 13 Jun 2018 22:11:23 +0300
> From: Alexander Bokovoy <abokovoy(a)redhat.com>
> Subject: [Freeipa-users] Re: Hardship setting up samba share that
> depends on IPA trust with AD
>
> Yes, it is not supported right now.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: ${hyperkitty_url}
>
> ------------------------------
>
> End of FreeIPA-users Digest, Vol 14, Issue 14
> *********************************************
Hi, Alexander.
I write article for russian it portal about freeipa.
I want to say about samba, ipa with ad trust and problems.
May I use your phrases in sthis mail list as an expert opinion?
I want to caution other peoples from troubles with ipa.
--
С уважением, Николай.
5 years, 10 months
AD admin account I use for trust setup is getting audited - what specific permissions does the AD user need to have for trust setup?
by Chris Dagdigian
Hi folks,
Tried to find this in the FreeIPA and RHEL IDM docs but could not find
my answer with any specificity ...
I have a user account called "idmbind" inside an AD controller for a
domain that we integrate with our linux fleet in AWS
Because this domain is non-essential and we had full control we got lazy
and just made the "idmbind" account as privileged as possible -- it's
currently part of the "Domain Admin" and "Enterprise Admin" groups
Now that crunch time is over we are auditing all our AD user accounts.
I've been specifically asked:
"Does your idmbind user really need Enterprise Admin group membership?"
"Does your idmbind user really need Domain Admin group membership?"
Is there a concise answer somewhere on what permissions/roles the local
AD user account needs to have when we use that username and password to
set up 1-way and 2-way trusts with FreeIPA? The docs and screenshots
show the words "domain administrator" but I'm wondering if the
requirements are more specific.
I figure "Domain Admin yes, Enterprise Admin no" may be the proper
answer but looking for a more authoritative voice, thanks!
Chris
5 years, 10 months
Problem with upgrade
by Alessandro Perucchi
Hello everyone,
We were using Freeipa on Fedora 24. And we are in the process to upgrade to
Fedora 28.
We have a cluster of 2 nodes (freeipa-01 and freeipa-02).
I am trying to upgrade one server after the other, from one release to the
next.
Basically:
freeipa-01 Fedora 24 -> Fedora 25
freeipa-02 Fedora 24 -> Fedora 25
freeipa-02 Fedora 25 -> Fedora 26
freeipa-01 Fedora 25 -> Fedora 26
freeipa-01 Fedora 26 -> Fedora 27
freeipa-02 Fedora 26 -> Fedora 27
freeipa-02 Fedora 27 -> Fedora 28
freeipa-01 Fedora 27 -> Fedora 28
Since Fedora doesn’t support to jump from one version to another, except
one release at the time.
My idea is to check that once a server is upgraded, then everything is
stable, before going to the next server, and try to be as near as possible
from a version point of view between the 2 freeipa node cluster.
Today <http://airmail.calendar/2018-06-12%2012:00:00%20CEST>, I could
upgrade without problems from Fedora 24 -> Fedora 25 on both nodes
(freeipa-01 and freeipa-02).
In trying to upgrade to Fedora 26, I got some problems, the main problem is
that the upgrade of ldap 389 is not successful, and the one from IPA either.
After investigating a long moment, I have found that ns-slapd listen only
to IPv6, on UDP, and NOT on IPv4 and TCP.
Here is what I have:
[root@freeipa-02 lib]# lsof -Pni |grep slap
ns-slapd 21005 dirsrv 9u IPv6 1617283379 <//1617283379> 0t0
UDP *:389
ns-slapd 21005 dirsrv 77u IPv4 1617321218 <//1617321218> 0t0
TCP 10.100.0.102:60646->10.100.0.101:389 (ESTABLISHED)
ns-slapd 21005 dirsrv 81u IPv4 1617317640 <//1617317640> 0t0
TCP 10.100.0.102:60648->10.100.0.101:389 (ESTABLISHED)
So, I decided to look at the file dse.ldif, and found that the entry
"nsslapd-port” was set to “0” and no “nsslapd-listenhost” was not set at
all.
I have then added the line
nsslapd-listenhost: 0.0.0.0
and changed the nsslapd-port to look like:
nsslap-port: 389
And after doing a
systemctl stop dirsrv@DOM-LOCAL ; systemctl start dirsrv@DOM-LOCAL
No changes… all modification on my dse.ldif were gone.
I stopped again the dirsrv, did again my changes on dse.ldif, and run the
following command:
/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-DOM-LOCAL -i
/var/run/dirsrv/slapd-DOM-LOCAL.pid
and now, I have the following:
[root@freeipa-02 updates]# lsof -Pni |grep 389
ns-slapd 78507 dirsrv 10u IPv6 1681165214 <//1681165214> 0t0
UDP *:389
ns-slapd 78507 dirsrv 11u IPv4 1681165216 <//1681165216> 0t0
TCP *:389 (LISTEN)
ns-slapd 78507 dirsrv 114u IPv4 1684131928 <//1684131928> 0t0
TCP 10.100.0.102:389->10.100.0.110:36828 (ESTABLISHED)
So my questions are:
- how to change the dse.ldif file?
- Is there another way to ensure that the port that listen is TCP / 389 on
IPv4?
- Is there something that needs to be done between Fedora 25 and 26?
Knowing that I will go to Fedora 28, is there something that I need to be
aware of?
- Anything that can help me generally with my upgrade path?
Best regards,
Alessandro
5 years, 10 months
ipa operation errors from a client, but not servers
by Kat
Anyone seen this before? Can't find anything in searches.
(Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
(Server - ipa-server-4.5.4-10.el7_5.1.x86_64)
On a client, running RHEL 7.4, and IPA server is RHEL 7.5
$ipa user-show freddy --all
ipa: ERROR: ImportError: No module named gssapi
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1356, in run
api.finalize()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714,
in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421,
in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592,
in load_plugins
for package in self.packages:
File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 945,
in packages
import ipaclient.remote_plugins
File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
line 14, in <module>
from ipaclient.plugins.rpcclient import rpcclient
File
"/usr/lib/python2.7/site-packages/ipaclient/plugins/rpcclient.py", line
32, in <module>
from ipalib.rpc import xmlclient, jsonclient
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 45, in
<module>
import gssapi
ImportError: No module named gssapi
ipa: ERROR: an internal error has occurred
Same command on another host (client) - works flawlessly, but it is same
software.
Ideas?
Kat
5 years, 10 months
How to list groups an external user is a member of?
by Marc Boorshtein
Looking through the API, I see that I can list the external members of
a group via group_show but is there a way to list all the groups an
external user is a member of without enumerating all groups and just
looking for the external users? For instance when I'm logged in as an
external user and type "id" the user's memberships in both AD and IPA
are listed.
Thanks
5 years, 10 months
Announcing SSSD 1.16.2
by Jakub Hrozek
SSSD 1.16.2
===========
The SSSD team is proud to announce the release of version 1.16.2 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* The smart card authentication, or in more general certificate authentication
code now supports OpenSSL in addition to previously supported NSS (#3489).
In addition, the SSH responder can now return public SSH keys derived from
the public keys stored in a X.509 certificate. Please refer to the
``ssh_use_certificate_keys`` option in the man pages.
* The files provider now supports mirroring multiple passwd or group
files. This enhancement can be used to use the SSSD files provider instead
of the nss_altfiles module
Notable bug fixes
^^^^^^^^^^^^^^^^^
* A memory handling issue in the ``nss_ex`` interface was fixed. This bug
would manifest in IPA environments with a trusted AD domain as a crash of
the ns-slapd process, because a ``ns-slapd`` plugin loads the ``nss_ex``
interface (#3715)
* Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
* The ``ad_site`` override is now honored in GPO code as well (#3646)
* Several potential crashes in the NSS responder's netgroup code were fixed
(#3679, #3731)
* A potential crash in the autofs responder's code was fixed (#3752)
* The LDAP provider now supports group renaming (#2653)
* The GPO access control code no longer returns an error if one of the
relevant GPO rules contained no SIDs at all (#3680)
* A memory leak in the IPA provider related to resolving external AD
groups was fixed (#3719)
* Setups that used multiple domains where one of the domains had its ID
space limited using the ``min_id/max_id`` options did not resolve requests
by ID properly (#3728)
* Overriding IDs or names did not work correctly when the domain resolution
order was set as well (#3595)
* A version mismatch between certain newer Samba versions (e.g. those shipped
in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further
prevent issues like this in the future, the correct interface is now detected
at build time (#3741)
* The files provider no longer returns a qualified name in case domain
resolution order is used (#3743)
* A race condition between evaluating IPA group memberships and AD group
memberships in setups with IPA-AD trusts that would have manifested as
randomly losing IPA group memberships assigned to an AD user was fixed
(#3744)
* Setting an SELinux login label was broken in setups where the domain
resolution order was used (#3740)
* SSSD start up issue on systems that use the libldb library with version
1.4.0 or newer was fixed.
Packaging Changes
-----------------
* Several new build requirements were added in order to support the OpenSSL
certificate authentication
Documentation Changes
---------------------
* The files provider gained two new configuration options ``passwd_files``
and ``group_files.`` These can be used to specify the additional files
to mirror.
* A new ``ssh_use_certificate_keys`` option toggles whether the SSH responder
would return public SSH keys derived from X.509 certificates.
* The ``local_negative_timeout`` option is now enabled by default. This
means that if SSSD fails to find a user in the configured domains,
but is then able to find the user with an NSS call such as getpwnam,
it would negatively cache the request for the duration of the
local_negative_timeout option.
Tickets Fixed
-------------
* `3752 <https://pagure.io/SSSD/sssd/issue/3752>`_ - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily due to a double free
* `3749 <https://pagure.io/SSSD/sssd/issue/3749>`_ - [RFE] sssd.conf should mention the FILES provider as valid config value for the 'id_provider'
* `3748 <https://pagure.io/SSSD/sssd/issue/3748>`_ - home dir disappear in sssd cache on the IPA master for AD users
* `3744 <https://pagure.io/SSSD/sssd/issue/3744>`_ - Race condition between concurrent initgroups requests can cause one of them to return incomplete information
* `3743 <https://pagure.io/SSSD/sssd/issue/3743>`_ - Weirdness when using files provider and domain resolution order
* `3742 <https://pagure.io/SSSD/sssd/issue/3742>`_ - Change of: User may not run sudo --> a password is required
* `3741 <https://pagure.io/SSSD/sssd/issue/3741>`_ - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION
* `3740 <https://pagure.io/SSSD/sssd/issue/3740>`_ - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map
* `3733 <https://pagure.io/SSSD/sssd/issue/3733>`_ - sssd fails to download known_hosts from freeipa
* `3728 <https://pagure.io/SSSD/sssd/issue/3728>`_ - Request by ID outside the min_id/max_id limit of a first domain does not reach the second domain
* `3726 <https://pagure.io/SSSD/sssd/issue/3726>`_ - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.
* `3725 <https://pagure.io/SSSD/sssd/issue/3725>`_ - sssd not honoring dyndns_server if the DNS update process is terminated with a signal
* `3719 <https://pagure.io/SSSD/sssd/issue/3719>`_ - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process
* `3715 <https://pagure.io/SSSD/sssd/issue/3715>`_ - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound?
* `3706 <https://pagure.io/SSSD/sssd/issue/3706>`_ - Hide debug message domain not found for well known sid
* `3694 <https://pagure.io/SSSD/sssd/issue/3694>`_ - externalUser sudo attribute must be fully-qualified
* `3684 <https://pagure.io/SSSD/sssd/issue/3684>`_ - A group is not updated if its member is removed with the cleanup task, but the group does not change
* `3680 <https://pagure.io/SSSD/sssd/issue/3680>`_ - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs
* `3679 <https://pagure.io/SSSD/sssd/issue/3679>`_ - Make nss netgroup requests more robust
* `3674 <https://pagure.io/SSSD/sssd/issue/3674>`_ - The tcurl module logs the payload
* `3671 <https://pagure.io/SSSD/sssd/issue/3671>`_ - KCM: Payload buffer is too small
* `3666 <https://pagure.io/SSSD/sssd/issue/3666>`_ - Fix usage of str.decode() in our tests
* `3664 <https://pagure.io/SSSD/sssd/issue/3664>`_ - LOGS: Improve debugging in case the PAM service is not mapped to any GPO rule
* `3660 <https://pagure.io/SSSD/sssd/issue/3660>`_ - confdb_expand_app_domains() always fails
* `3658 <https://pagure.io/SSSD/sssd/issue/3658>`_ - Application domain is not interpreted correctly
* `3656 <https://pagure.io/SSSD/sssd/issue/3656>`_ - PyErr_NewExceptionWithDoc configure check should not use cached results for different python versions
* `3646 <https://pagure.io/SSSD/sssd/issue/3646>`_ - SSSD's GPO code ignores ad_site option
* `3644 <https://pagure.io/SSSD/sssd/issue/3644>`_ - sss_groupshow no longer labels MPG groups
* `3634 <https://pagure.io/SSSD/sssd/issue/3634>`_ - sssctl COMMAND --help fails if sssd is not configured
* `3633 <https://pagure.io/SSSD/sssd/issue/3633>`_ - Reset the last_request_time when any activity happens on Secrets and KCM responders
* `3629 <https://pagure.io/SSSD/sssd/issue/3629>`_ - Implement sss_nss_getsidbyuid and sss_nss_etsidbygid for situations where customers define UID == GID
* `3619 <https://pagure.io/SSSD/sssd/issue/3619>`_ - Enable local_negative_timeout by default
* `3605 <https://pagure.io/SSSD/sssd/issue/3605>`_ - Fix pep8 issues on our python files.
* `3595 <https://pagure.io/SSSD/sssd/issue/3595>`_ - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set
* `3558 <https://pagure.io/SSSD/sssd/issue/3558>`_ - sudo: report error when two rules share cn
* `3550 <https://pagure.io/SSSD/sssd/issue/3550>`_ - refresh_expired_interval does not work with netgrous in 1.15
* `3520 <https://pagure.io/SSSD/sssd/issue/3520>`_ - Files provider supports only BE_FILTER_ENUM
* `3469 <https://pagure.io/SSSD/sssd/issue/3469>`_ - extend sss-certmap man page regarding priority processing
* `3436 <https://pagure.io/SSSD/sssd/issue/3436>`_ - Certificates used in unit tests have limited lifetime
* `3402 <https://pagure.io/SSSD/sssd/issue/3402>`_ - Support alternative sources for the files provider
* `3335 <https://pagure.io/SSSD/sssd/issue/3335>`_ - GPO retrieval doesn't work if SMB1 is disabled
* `2653 <https://pagure.io/SSSD/sssd/issue/2653>`_ - Group renaming issue when "id_provider = ldap" is set.
Detailed Changelog
------------------
* Fabiano Fidêncio (77):
* TESTS: Fix E501 pep8 issues on test_ldap.py
* TESTS: Fix E20[12] pep8 issues on python-test.py
* TESTS: Fix E501 pep8 issues on python-test.py
* TESTS: Fix E251 pep8 issues on python-test.py
* TESTS: Fix E231 pep8 issues on python-test.py
* TESTS: Fix E265 pep8 issues on python-test.py
* TESTS: Fix E128 pep8 issues on python-test.py
* TESTS: Fix E302 pep8 issues on python-test.py
* TESTS: Fix W391 pep8 issues on python-test.py
* TESTS: Fix E228 pep8 issues on python-test.py
* TESTS: Fix E261 pep8 issues on python-test.py
* TESTS: Fix E701 pep8 issues on python-test.py
* TESTS: Fix E305 pep8 issues on python-test.py
* TESTS: Fix E20[12] pep8 issues on pysss_murmur-test.py
* TESTS: Fix E211 pep8 issues on pysss_murmur-test.py
* TESTS: Fix E20[12] pep8 issues on pyhbac-test.py
* TESTS: Fix E261 pep8 issues on pyhbac-test.py
* TESTS: Fix W391 pep8 issues on pyhbac-test.py
* TESTS: Fix E501 pep8 issues on pyhbac-test.py
* TESTS: Fix E302 pep8 issues on pyhbac-test.py
* TESTS: Fix E305 pep8 issues on pyhbac-test.py
* TESTS: Fix E711 pep8 issues on sssd_group.py
* TESTS: Fix E305 pep8 issues on sssd_netgroup.py
* TESTS: Fix E501 pep8 issues on utils.py
* TESTS: Fix E305 pep8 issues on conf.py
* CONTRIB: Fix E501 pep8 issues on sssd_gdb_plugin.py
* CONTRIB: Fix E305 pep8 issues on sssd_gdb_plugin.py
* TESTS: Fix E302 pep8 issues on test_enumeration.py
* TESTS: FIX E501 pep8 issues on pysss_murmur-test.py
* CI: Enable pep8 check
* CI: Ignore E722 pep8 issues on debian machines
* TESTS: Fix E501 pep8 issues on test_netgroup.py
* NSS: Remove dead code
* CONFDB: Start a ldb transaction from sss_ldb_modify_permissive()
* TOOLS: Take into consideration app domains
* TESTS: Move get_call_output() to util.py
* TESTS: Make get_call_output() more flexible about the stderr log
* TESTS: Add a basic test of `sssctl domain-list`
* KCM: Use json_loadb() when dealing with sss_iobuf data
* KCM: Remove mem_ctx from kcm_new_req()
* KCM: Introduce kcm_input_get_payload_len()
* KCM: Do not use 2048 as fixed size for the payload
* KCM: Adjust REPLY_MAX to the one used in krb5
* KCM: Fix typo in ccdb_sec_delete_list_done()
* KCM: Only print the number of found items after we have it
* SERVER: Tone down shutdown messages for socket-activated responders
* MAN: Improve docs about GC detection
* NSS: Add InvalidateGroupById handler
* DP: Add dp_sbus_invalidate_group_memcache()
* ERRORS: Add ERR_GID_DUPLICATED
* SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
* SDAP: Properly handle group id-collision when renaming incomplete groups
* SYSDB_OPS: Error out on id-collision when adding an incomplete group
* SECRETS: reset last_request_time on any activity
* KCM: reset last_request_time on any activity
* RESPONDER: Add sss_client_fd_handler()
* RESPONDER: Make use of sss_client_fd_handler()
* SECRETS: Make use of sss_client_fd_handler()
* KCM: Make use of sss_client_fd_handler()
* TESTS: Rename test_idle_timeout()
* TESTS: Add test for responder_idle_timeout
* TESTS: Fix typo in test_sysdb_domain_resolution_order_ops()
* SYSDB: Properly handle name/gid override when using domain resolution order
* TESTS: Increase test_resp_idle_timeout* timeout
* COVERITY: Add coverity support
* MAKE_SRPM: Add --output parameter
* Add .copr/Makefile
* CACHE_REQ: Don't force a fqname for files provider' output
* cache_req: Don't force a fqname for files provider output
* tests: Add a test for files provider + domain resolution order
* man: Users managed by the files provider don't have their output fully-qualified
* Revert "CACHE_REQ: Don't force a fqname for files provider' output"
* selinux_child: workaround fqnames when using DRO
* sudo_ldap: fix sudoHost=defaults -> cn=defaults in the filter
* Revert "sysdb custom: completely replace old object instead of merging it"
* sysdb_sudo: completely replace old object instead of merging it
* tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES
* Jakub Hrozek (33):
* Bumping the version to track 1.16.2 development
* IPA: Handle empty nisDomainName
* TESTS: Fix E266 pep8 issues on test_ldap.py
* TESTS: Fix E231 pep8 issues on test_session_recording.py
* TESTS: Fix E501 pep8 issues on test_session_recording.py
* TESTS: Fix E303 pep8 issues on test_ldap.py
* SYSDB: When marking an entry as expired, also set the originalModifyTimestamp to 1
* IPA: Qualify the externalUser sudo attribute
* NSS: Adjust netgroup setnetgrent cache lifetime if midpoint refresh is used
* TESTS: Add a test for the multiple files feature
* SDAP: Improve a DEBUG message about GC detection
* LDAP: Augment the sdap_opts structure with a data provider pointer
* TESTS: Add an integration test for renaming incomplete groups during initgroups
* SYSDB: sysdb_add_incomplete_group now returns EEXIST with a duplicate GID
* MAN: Document which principal does the AD provider use
* FILES: Do not overwrite and actually remove files_ctx.{pwd,grp}_watch
* FILES: Reduce code duplication
* FILES: Reset the domain status back even on errors
* FILES: Skip files that are not created yet
* FILES: Only send the request for update if the files domain is inconsistent
* DYNDNS: Move the retry logic into a separate function
* DYNDNS: Retry also on timeouts
* AD: Warn if the LDAP schema is overriden with the AD provider
* SYSDB: Only check non-POSIX groups for GID conflicts
* Do not keep allocating external groups on a long-lived context
* CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up
* MAN: Fix the title of the session recording man page
* DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes
* LDAP: Do not use signal-unsafe calls in ldap_child SIGTERM handler
* AUTOFS: remove timed event if related object is removed
* RESPONDERS: Enable the local negative timeout by default
* LDAP: Suppress a loud debug message in case a built-in SID can't be resolved
* Updating the translations for the 1.16.2 release
* Justin Stephenson (3):
* DEBUG: Print simple allow and deny lists
* CONFDB: Add passwd_files and group_files options
* FILES: Handle files provider sources
* Lukas Slebodnik (21):
* CI: Add dbus into debian dependencies
* intg: convert results returned as bytes to strings
* SYSDB: Remove unused parameter from sysdb_cache_connect_helper
* SPEC: Add gcc to build dependencies
* UTIL: Use alternative way for detecting PyErr_NewExceptionWithDoc
* CONFIGURE: drop unused check
* SYSDB: Return ENOENT for mpg with local provider
* sysdb-tests: sysdb_search_group_by_name with local provider
* selinux_child: Allow to query sssd
* selinux_child: Fix crash with initialized key
* BUILD: Remove unnecessary flags from test_ipa_dn
* BUILD: Remove ldap libraries from SSSD_LIBS
* BUILD: Remove ldap libraries from TOOL_LIBS
* BUILD: Remove pcre libs from common _LIBS
* BUILD: Remove pcre from krb5_child
* BUILD: Remove libcollection form common libs
* BUILD: Reduce dependencies of sss_signal
* BUILD: Remove cares from sssd_secrets
* BUILD: Remove libini_config from common libs
* MONITOR: Do not use two configuration databases
* CI: Prepare for python3 -> python
* Michal Židek (6):
* AD: Missing header in ad_access.h
* GPO: Add ad_options to ad_gpo_process_som_state
* GPO: Use AD site override if set
* GPO: Fix bug with empty GPO rules
* GPO: DEBUG msg when GP to PAM mappings overlap
* GPO: Debugging default PAM service mapping
* Pavel Březina (3):
* sudo ldap: do not store rules without sudoHost attribute
* sysdb custom: completely replace old object instead of merging it
* sssctl: move check for version error to correct place
* Richard Sharpe (1):
* nss-imap: add sss_nss_getsidbyuid() and sss_nss_getsidbygid()
* Sumit Bose (38):
* intg: enhance netgroups test
* TESTS: simple CA to generate certificates for test
* TESTS: replace hardcoded certificates
* TESTS: remove NSS test databases
* test_ca: add empty index.txt.attr file
* nss: initialize nss_enum_index in nss_setnetgrent()
* nss: add a netgroup counter to struct nss_enum_index
* nss-idmap: do not set a limit
* nss-idmap: use right group list pointer after sss_get_ex()
* NSS: nss_clear_netgroup_hash_table() do not free data
* winbind idmap plugin: support inferface version 6
* winbind idmap plugin: fix detection
* p11_child: move verification into separate functions
* p11_child: add verification option
* utils: add get_ssh_key_from_cert()
* utils: move p11 child paths to util.h
* utils: add cert_to_ssh_key request
* tests: add test for cert_to_ssh_key request
* ssh: use cert_to_ssh_key request to verify certifcate and get keys
* ssh: add option ssh_use_certificate_keys and enhance man page
* utils: remove unused code from cert utils
* tests: add SSH responder tests
* p11_child: split common and NSS code into separate files
* p11_child: add OpenSSL support
* TESTS: make some cert auth checks order independent
* p11_child: allow tests to use OpenSSL version of p11_child
* certmap: fix issue found by Coverity in OpenSSL version
* SPEC/CI: enable openssl build for Debian and upcoming versions
* certmap: allow missing empty EKU in OpenSSL version
* KCM: be aware that size_t might have different size than other integers
* sysdb: add sysdb_getgrgid_attrs()
* ipa: use mpg aware group lookup in get_object_from_cache()
* ipa: allow mpg group objects in apply_subdomain_homedir()
* AD/LDAP: do not fall back to mpg user lookup on GC connection
* cifs idmap plugin: use new sss_nss_idmap calls
* winbind idmap plugin: use new sss_nss_idmap calls
* libwbclient-sssd: use new sss_nss_idmap calls
* pysss_nss_idmap: add python bindings for new sss_nss_idmap calls
* Thorsten Scherf (1):
* man: Add FILES as a valid config option for 'id_provider'
* Yuri Chornoivan (1):
* MAN: Fix minor typos
* amitkuma (1):
* sssctl: Showing help even when sssd not configured
* amitkumar50 (2):
* MAN: Add sss-certmap man page regarding priority processing
* MAN: Clarify how comments work in sssd.conf
5 years, 10 months
Setting up fileserver using Samba shares and FreeIPA
by Kristian Petersen
I am trying to get a file server set up using RHEL 7.5, Samba, and Red Hat
IdM 4.5.0 I have an older file server that works and hav been using it as
a template for build this new one from scratch. However, right now I can't
get smb to start. I keep getting errors about ipasam.c in journalctl:
Jun 06 13:53:30 fileserver1.cpms.byu.edu smbd[11624]: kerberos error:
code=-1765328203, message=Keytab contains no suitable keys for cifs/
fileserver1.cpms.byu.edu(a)CPMS.BYU.EDU
Jun 06 13:53:31 fileserver1.cpms.byu.edu smbd[11624]: [2018/06/06
13:53:31.815713, 0] ipa_sam.c:4245(bind_callback_cleanup)
Jun 06 15:26:05 fileserver1.cpms.byu.edu smbd[12372]: Failed to get base
DN.
I have made sure that the cifs service is set up in IPA for fileserver1 and
did an ipa-getkeytab to get a keytab for the service on fileserver1 as well
which is why a was surprised to see a message about the keytab in the
journal.
A little earlier in the journal it also talks about being unable to do an
anonymous bind to LDAP. It doesn't surprise me that it failed, but I tried
supplying the LDAP bind creds using smbpasswd and that didn't seem to make
any difference. It still tries an anonymous bind anyway which will never
work.
I have also already set up a role for giving fileserver1 the permissions
necessary to allow it to read the ipaNTHash.
P.S.: Before I sent this email to the list I upgraded one of my IPA servers
to the new kernel in RHEL 7.5 and smb broke in what looks like the same way
on that machine as well. It makes me wonder if this isn't a kernel problem
rather than an IPA problem. The errors I got on that machine before
rolling back to a working snapshot are below:
Jun 06 16:27:05 ipa1.cpms.byu.edu smbd[12179]: kerberos error:
code=-1765328360, message=Preauthentication failed
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
16:27:06.332266, 0] ipa_sam.c:4556(pdb_init_ipasam)
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: Failed to get base DN.
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06
16:27:06.332318, 0]
../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: pdb backend
ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket did not correctly
init
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
5 years, 10 months
keycloak
by Andrew Meyer
what is the difference between keycloak and freeipa?
Is there a free version of this? Is that what ipsilon is? If not is there a repo for this?
5 years, 10 months
Cannot log in as an AD user to FreeIPA client but can log in to server
by Bart
Hi all,
I've set up two FreeIPA servers without CA (I provided 3rd party certificates during the installation process). I also established trust to an AD domain as below:
ipa trust-add --type=ad AD.DOMAIN --external=True --all
I checked that I can successfully obtain cross-realm ticket (kvno -S host ...) as described below:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
I also can ssh to either of the two FreeIPA servers as user(a)ad.domain.
However, when I configured FreeIPA client and tried to ssh into it / su inside it as the same ad user then it fails (I cannot ssh, when I try to su - as the ad user it fails with user(a)ad.domain does not exist.
I increased sssd log level on both client and servers but I cannot find anything spooky there (but I might as well not know what to look for :)).
Can someone please advise on how to narrow this down?
5 years, 10 months
double domain?
by Kat
hi
Where would be a good place to look in either sssd or somewhere in the
system if we are seeing a mixture of UserID lookups in this format:
username(a)domain.example.com <--- this makes sense
BUT - also seeing:
username@domain.example.com(a)domain.eexample.com <--- This does not??
I am very confused as to how this might be getting sent to PAM for the
lookups and because of it we see random PAM "System Error"s
I do have in krb5.conf
[domain_realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM
prodhost1.domain.example.com = DOMAIN.EXAMPLE.COM
But this seems to have been set after the ipa-client-install - so I am a
little confused?
Any suggestions?
Kat
5 years, 10 months
