client cannot authenticate or su
by Albert Szostkiewicz
Hi,
I've installed ipa-client on my laptop without issues, and it did find the domain properly.
kinit connects to ipa but I am unable to su to any user or even log in:
(root)$ su my_user
su: user my_user does not exist
(root)$ cat /var/log/sssd/sssd_nss.log
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #219: Setting "User by ID" plugin
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #219: New request 'User by ID'
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #219: Performing a multi-domain search
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #219: Search will check the cache and check the data provider
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/DOM_LOCATE_TYPE/implicit_files/User by ID]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/DOM_LOCATE_TYPE/home.mydomain.com/User by ID]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain implicit_files type POSIX is valid
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [implicit_files]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@implicit_files
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: Checking negative cache for [UID:0@implicit_files]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/implicit_files/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@implicit_files] does not exist (negative cache)
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain home.mydomain.com type POSIX is valid
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [home.mydomain.com]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@home.mydomain.com
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: Checking negative cache for [UID:0@home.mydomain.com]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/home.mydomain.com/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@home.mydomain.com] does not exist (negative cache)
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_process_result] (0x0400): CR #219: Finished: Not found
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x5565caddc630][31]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x5565cadddc60][30]
(root)$ id $my_user
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(root)$ kinit my_user
Password for my_user@HOME.MYDOMAIN.COM:
(root)$ ipa user-find my_user
--------------
1 user matched
--------------
User login: my_user
First name: MyUserName
Last name: MyUserSurname
Home directory: /home/my_user
Login shell: /bin/sh
Principal name: my_user@HOME.MYDOMAIN.COM
Principal alias: my_user@HOME.MYDOMAIN.COM
Email address: my_user@mydomain.com, my.user@gmail.com
UID: 1907400004
GID: 1907400003
SSH public key fingerprint: SHA256:############################################# my_user@mydomain.com (ssh-rsa)
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
I've cleared /var/lib/sss/db/*
5 years, 1 month
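A small parser for the sssd_nss.log format shown above, written as an added example (not part of the post or of SSSD): it groups the lines by cache request number and pulls out what was looked up, which lookups were answered from the negative cache, and the final result. The sample lines are a constructed subset of the post's own log.

```python
import re

# Constructed sample in the shape of the sssd_nss.log lines quoted above.
SAMPLE_LOG = """\
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #219: New request 'User by ID'
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@implicit_files
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@implicit_files] does not exist (negative cache)
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@home.mydomain.com
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@home.mydomain.com] does not exist (negative cache)
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_process_result] (0x0400): CR #219: Finished: Not found
"""

# (timestamp) [sssd[service]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>\w+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
# Cache-request messages carry a "CR #<n>: " prefix.
CR_RE = re.compile(r"^CR #(?P<cr>\d+): (?P<rest>.*)$")

def parse_line(line):
    """Split one log line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cr"] = None
    cr = CR_RE.match(rec["msg"])
    if cr:
        rec["cr"] = int(cr.group("cr"))
        rec["msg"] = cr.group("rest")
    return rec

def summarize_requests(text):
    """Return {cr_number: {type, lookups, negcache, result}} for every CR seen."""
    reqs = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cr"] is None:
            continue
        r = reqs.setdefault(rec["cr"], {"type": None, "lookups": [],
                                        "negcache": [], "result": None})
        msg = rec["msg"]
        if msg.startswith("New request "):
            r["type"] = msg[len("New request "):].strip("'")
        elif msg.startswith("Looking up "):
            r["lookups"].append(msg[len("Looking up "):])
        elif msg.endswith("(negative cache)"):
            # "[UID:0@domain] does not exist (negative cache)" -> "UID:0@domain"
            r["negcache"].append(msg.split("]")[0].lstrip("["))
        elif msg.startswith("Finished: "):
            r["result"] = msg[len("Finished: "):]
    return reqs
```

On the post's lines the summary shows that both domains were asked for UID 0, which is what `id $my_user` requests when the shell variable is unset (no argument, so `id` reports the caller, root); it is not a lookup of `my_user` by name, so this log does not yet say whether the IPA domain can resolve that user.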
ipa service vault - cannot find
by Dmitry Perets
Hi,
Sorry, I am probably missing something very basic about the way the vault should work for services...
So my task is simple: let's say I want to store a secret for a script. That is, the script must be able to retrieve it in an unattended way.
The script is running on a Linux server server.mydomain.com, which is enrolled in FreeIPA domain.
The script is running under user "svc-user" which I've created on the FreeIPA just for that (so, its principal is svc-user@MYDOMAIN.COM).
Additionally, I've also created a service "MYSVC" on the FreeIPA (so I now also have the principal MYSVC\server.mydomain.com@MYDOMAIN.COM).
Finally, I did not set any password for the user "svc-user" and I've configured its shell to be /sbin/nologin. Not sure if it will make any difference.
And now, with all this ready, I am trying to store my secret as admin, so that my script can retrieve it.
I create a vault (I tried also a standard one, but here I am showing an example with an asymmetric one, because all examples I found use it):
kinit admin
<Entering password for admin>
ipa vault-add svc-vault --service MYSVC\server.mydomain.com --type asymmetric --public-key-file svc.pub.pem
ipa vault-archive svc-vault --service MYSVC\server.mydomain.com --data <secret_data_in_base64>
OK, secret is stored. And here is my vault:
# ipa vault-find --services
---------------
1 vault matched
---------------
Vault name: svc-vault
Type: asymmetric
Vault service: MYSVC\server.mydomain.com@MYDOMAIN.COM
----------------------------
Number of entries returned 1
----------------------------
Finally, I generate a keytab for my script:
ipa-getkeytab -p MYSVC\server.mydomain.com -k /var/kerberos/krb5/user/856500016/client.keytab
OK... now I clean up with "kdestroy" and try to run my script as a user "svc-user".
And the script is trying to do this:
kinit MYSVC\server.mydomain.com -k -t /var/kerberos/krb5/user/856500016/client.keytab
klist
ipa vault-find --services
... And the problem is that it simply doesn't find the svc-vault.
It does seem like it manages to get the Kerberos ticket, this is the output from klist (inside the script):
Default principal: MYSVC\server.mydomain.com@MYDOMAIN.COM
Valid starting Expires Service principal
02/27/2019 17:04:58 02/28/2019 17:04:58 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Now... If I add the user "svc-user" as a member to my svc-vault, add the svc-user to the keytab and then use "kinit svc-user" in my script, then it seems to work.
But I don't understand then the whole point of "service vault"... what's the purpose of the MYSVC/server.mydomain.com principal here actually...?
And another question - can't exactly the same (with "svc-user" in keytab) work also for a standard vault, without keys...?
Because it looks like it becomes exactly the same use case as if I just interactively use the vault shared with svc-user...
Thanks!
5 years, 1 month
Set up ipa-client via Ansible
by Ronald Wimmer
Hi,
I set up the relevant ansible files exactly like described in:
https://www.freeipa.org/page/V4/ClientInstallationWithAnsible#Ansible_ipa...
The ipaclient role was fetched from here:
https://github.com/freeipa/ansible-freeipa/tree/master/roles
Uninstalling an ipaclient works. Installing an ipaclient fails with:
> ERROR! no action detected in task. This often indicates a misspelled
> module name, or incorrect module path.
>
> The error appears to have been in '/srv/ansible/install.yml': line 12,
> column 5, but may
> be elsewhere in the file depending on the exact syntax problem.
>
> The offending line appears to be:
>
>
> - name: Configure IPA client
> ^ here
Most likely the ipaclient module cannot be found. I downloaded
https://github.com/freeipa/ansible-freeipa/tree/master/module_utils and
put the three python files into the library directory next to my
install.yml playbook file. I also put them into
~/.ansible/plugins/modules. But that still did not work.
This is my install.yml:
> ---
> - name: Playbook to configure IPA clients with username/password
> hosts: ipaclients
> become: true
>
> tasks:
> - name: Install IPA client package
> package:
> name: ipa-client
> state: present
>
> - name: Configure IPA client
> ipaclient:
> state: present
> domain: "{{ ipaclient_domain }}"
> realm: "{{ ipaclient_realm }}"
> principal: "{{ ipaclient_principal }}"
> password: "{{ ipaclient_password }}"
> extra_args: "{{ ipaclient_extraargs }}"
And this is my inventory file:
> [ipaclients]
> ipa-test.linux.mydomain.at
>
> [ipaclients:vars]
> ipaclient_domain=linux.mydomain.at
> ipaclient_realm=LINUX.MYDOMAIN.AT
> #ipaclient_extraargs=[ '--kinit-attempts=3', '--mkhomedir']
> ipaclient_principal=enroll
> ipaclient_password=somepass
What am I missing here?
Cheers,
Ronald
5 years, 1 month
Autofs maps for students directories divided by first letter of username
by Kristian Petersen
Is there a way to set up the maps to mount a user's home directory if they
are divided up under a directory that is the first letter of their username
without mounting all such directories for every user? We have thousands of
students needing home directories and so they have been divided up this way.
Example: /home/students/a/aardvark or /home/students/b/bugsbunny. The docs
I have read on autofs maps haven't been very clear on how to define this
kind of mapping, especially in FreeIPA.
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
5 years, 1 month
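One way to get the first-letter layout without one map entry per student is an executable (program) map installed on the client, which autofs runs with the requested key and which prints the location to mount; this is an added example, not from the post or from FreeIPA, and it lives outside the LDAP-stored maps FreeIPA manages. It assumes an NFS server `nfs.example.com` exporting `/export/students` (placeholder names) and validates the key first, since the key comes from whoever triggered the lookup and must not be allowed to escape the per-letter directory.

```python
#!/usr/bin/env python3
"""Executable autofs map for /home/students.

Key "aardvark" -> "-fstype=nfs,nosuid,nodev nfs.example.com:/export/students/a/aardvark"

Install as /etc/auto.students (mode 0755) and reference it from auto.master as
"/home/students /etc/auto.students". autofs invokes it with the looked-up key
as argv[1] and mounts whatever it prints on stdout.
"""
import re
import sys

# Assumed values for the example; replace with the real export.
NFS_SERVER = "nfs.example.com"
EXPORT_BASE = "/export/students"
MOUNT_OPTS = "-fstype=nfs,nosuid,nodev"

# Accept only lowercase POSIX-style usernames starting with a letter.
# This rejects "..", "/", whitespace and anything else that could turn the
# lookup key into a path outside the per-letter directory.
KEY_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def map_entry(key):
    """Return the map entry for a username, or None if the key is not acceptable."""
    if not KEY_RE.match(key):
        return None
    first_letter = key[0]
    return f"{MOUNT_OPTS} {NFS_SERVER}:{EXPORT_BASE}/{first_letter}/{key}"


def main(argv):
    """Print the entry for argv[1]; exit non-zero (and print nothing) otherwise."""
    if len(argv) != 2:
        return 1
    entry = map_entry(argv[1])
    if entry is None:
        # Printing nothing makes autofs treat the key as unknown.
        return 1
    print(entry)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```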