SASL Bind failed Can't contact LDAP server
by Deepak Subhramanian
I am getting this error when keytabs are generated for my Hadoop Cluster.
I am getting an access error when I create keytabs with IPA commands -
User has these permissions
ipa role-add hadoopadminrole
ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
2019-07-15 04:39:33,221 - Failed to create keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET - Failed to export the keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test
First name: Test
Last name: Test
-----------------
Added user "test"
-----------------
User login: test
First name: Test
Last name: Test
Full name: Test Test
Display name: Test Test
Initials: TT
Home directory: /home/test
GECOS: Test Test
Login shell: /bin/sh
Kerberos principal: test@MIA.CLOUD.NET
Email address: test@mia.cloud.net
UID: 1818200036
GID: 1818200036
Password: False
Member of groups: ipausers
Kerberos keys available: False
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /tmp/ipa.keytab
--
Deepak Subhramanian
2 years, 10 months
Change the 404 error pages on Tomcat
by Boyd Ako
Anybody know how to change the 404 error pages so it doesn't display server information? It's an ACAS finding; plugin 12085. https://www.tenable.com/plugins/nessus/12085
I did try to do the OWASP securing stuff, but it's not a "standard install" of Tomcat as far as I can tell.
Running `find / -fstype xfs -type f -name "web.xml"`, I added the below error-page lines to the web.xml files that have the "welcome-file-list", as the OWASP document stated. But it's still showing the default 404 error page.
<error-page>
<error-code>404</error-code>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>
The only thing that the server is doing is for FreeIPA. No other web services as far as I know. The ports reported are 8080 and 8443 which I believe are related to the OCSP stuff.
2 years, 10 months
Can I join older clients to a newer server?
by Janez Molicnik
I have IPA server installed on CentOS Linux 7.6. (IPA VERSION: 4.6.4, API_VERSION: 2.229), but I have some older servers, that run older versions of CentOS:
- on the ones that have CentOS version 6.x, there is only version 3.0.0 of ipa-client available in repository
- on the ones that have CentOS version 7 or lower than 7.6, there is only version 4.4.0 of ipa-client available in repository
On the page about the client ( https://www.freeipa.org/page/Client ) I have found some compatibility notes, but the article talks mainly about connecting newer clients to older servers. What about the other way around? Which problems can I expect when I connect older clients to the newer server? Will I have to configure SSSD manually?
2 years, 10 months
unregister old EMail address on this mailing list?
by Harald Dunkel
Hi folks,
I have a new EMail address.
Problem is, there is no option on [Manage subscription] to replace
the EMail address. The old address is not available to send an
unsubscribe to mailman, either. I could subscribe my new address
via mail to mailman, but
https://lists.fedorahosted.org/admin/accounts/subscriptions/
doesn't show these subscriptions, either.
Since the old address is still valid for receiving mails I get all
EMails twice now. How can I unsubscribe the old EMail address from
freeipa-users and freeipa-devel?
Every helpful comment is highly appreciated
Harri
2 years, 10 months
Random [Preauthentication failed] error in krb5 after a few days
by Raul Gomez
Hello list,
I'm facing an issue here that prevents authenticating within a client machine.
When an sssd daemon has been running for a few days, suddenly krb5 fails to authenticate a user with the following error from krb5
[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221
2 years, 10 months
Configuring polkit policy on Ubuntu
by Kees Bakker
Hey,
Does anyone have a suggestion how to combine FreeIPA and polkit (policykit)
on Ubuntu? Notice that, for some reason, Ubuntu (and Debian) is stuck at polkit 0.105.
I'm looking for ways to use HBAC rules in combination with service polkit-1. So that
we're able to say: this user can do polkit things on this host.
--
Kees
2 years, 10 months
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
by Harald Dunkel
Hi folks,
Setup: ipa-server 4.6.4-7 on CentOS 7
Problem:
ipa host-del gives me
[root@ipa1 ~]# ipa host-del ppcl027.example.com
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
Google pointed me to https://access.redhat.com/solutions/3624671,
but AFAICS this fix is not applicable. "^/ca/rest/certs/search" is
already in
:
# matches for CA REST API
<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient optional
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
:
?
Every helpful comment is highly appreciated
Harri
2 years, 10 months
unable to login to fedora server cockpit-ws
by Albert Szostkiewicz
After running a Fedora update, I am unable to log in to cockpit-ws and I am not sure what went wrong.
I am able to ssh to the box using IPA credentials without issue. But cockpit gives me "wrong username or password".
Errors I'm getting in the journal: 'couldn't read from connection: Peer sent fatal TLS alert: Unknown certificate'
I'm running the FreeIPA server and cockpit-ws on the same machine.
Maybe someone had a similar issue or some ideas where to start debugging it?
Log snippet when I am trying to log in:
myserver.domain.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
myserver.domain.com cockpit-ws[13295]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
myserver.domain.com cockpit-ws[13295]: couldn't read from connection: Peer sent fatal TLS alert: Unknown certificate
myserver.domain.com cockpit-session[13298]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=10.0.5.44 user=myuser
myserver.domain.com audit[13298]: USER_AUTH pid=13298 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com audit[13298]: USER_ACCT pid=13298 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com audit[13298]: CRED_ACQ pid=13298 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com cockpit-session[13298]: pam_ssh_add: Identity added: /home/myuser/.ssh/id_rsa (myuser@myserver.domain.com)
myserver.domain.com systemd-logind[1067]: New session 39 of user myuser.
-- Subject: A new session 39 has been created for user myuser
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID 39 has been created for the user myuser.
--
-- The leading process of the session is 13298.
myserver.domain.com systemd[1]: Started Session 39 of user myuser.
-- Subject: Unit session-39.scope has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-39.scope has finished starting up.
--
-- The start-up result is done.
myserver.domain.com cockpit-session[13298]: pam_unix(cockpit:session): session opened for user myuser by (uid=0)
myserver.domain.com audit[13298]: USER_START pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct="myuser" exe="/usr/libexec/cockpit-sessi>
myserver.domain.com audit[13298]: CRED_REFR pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com cockpit-ws[13295]: 3: Permission denied.
myserver.domain.com audit[13298]: CRED_DISP pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com cockpit-session[13298]: pam_unix(cockpit:session): session closed for user myuser
myserver.domain.com audit[13298]: USER_END pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct="myuser" exe="/usr/libexec/cockpit-sessio>
myserver.domain.com systemd-logind[1067]: Session 39 logged out. Waiting for processes to exit.
myserver.domain.com systemd-logind[1067]: Removed session 39.
-- Subject: Session 39 has been terminated
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A session with the ID 39 has been terminated.
2 years, 10 months
Error when trying to login on a CentOS 6 and OTP Token is enabled but not enforced in an account
by Raul Gomez
Hello list!
I'm new to FreeIPA, so probably this is something that has an easy fix but I can't find a way around it.
I have an environment where there are several CentOS 6 and CentOS 7 machines and I'm trying to centralize the user authentication and management, so I installed a cluster of 3 FreeIPA servers for this.
Now, by company policies, it is mandatory to have ssh pubkey authentication and ideally 2FA enabled in all servers (2FA just for sudo in this case), but CentOS 6 is not able to use 2FA because of the old sss/krb versions it provides, so I decided to enable it just in the CentOS 7 servers via auth indicators and they are working fine there!
BUT! When I enroll a CentOS 6 server, I'm facing an issue when the 2FA via OTP Token is enabled in a user account, even if it is not enforced; that is, the "Two factor authentication (password + OTP)" check box is unchecked within the FreeIPA WebAdmin portal in the user account and of course, there is no auth indicators set for the CentOS 6 server.
If I disable the user's OTP Token, or if it is removed from the user account, then I can execute sudo correctly on CentOS 6, but then I can't successfully run any sudo command on any CentOS 7 server (it asks for First/Second factor), and it fails even if I remove the auth indicator on them.
Am I correct to assume that by selectively enabling authentication indicators per host OS version I can implement the solution I want? If so, could anyone tell me what I'm missing here?
With debug_level = 6 in sssd.conf on the CentOS 6 client, this is the relevant output regarding this failure when the OTP Token is enabled:
Jul 5 20:09:07.842 sshd[6883]: Accepted publickey for my.user from 172.30.2.147 port 41876 ssh2
Jul 5 20:09:07.850 sshd[6883]: pam_unix(sshd:session): session opened for user my.user by (uid=0)
Jul 5 20:09:12.828 sudo: pam_unix(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): received for user my.user: 17 (Failure setting user credentials)
Jul 5 20:11:40.930 sudo: pam_unix(sudo:auth): conversation failed
Jul 5 20:11:40.930 sudo: pam_unix(sudo:auth): auth could not identify password for [my.user]
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): received for user my.user: 7 (Authentication failure)
Jul 5 20:11:40.975 sudo: my.user : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/my.user ; USER=root ; COMMAND=list
These are my IPA/sss/krb versions on CentOS 6.10 servers:
sssd: 1.13.3-60.el6_10.2
ipa-client: 3.0.0-51.el6
krb5: 1.10.3-65.el6
And these are the IPA/sss/krb versions on CentOS 7.6 IPA servers:
sssd: 1.16.2-13.el7_6.8
ipa-server: 4.6.4-10.el7_6.3
krb5-server: 1.15.1-37.el7_6
Thank you very much in advance for any help, regards...
2 years, 10 months
Share value between pre and post operation
by Elena Fedorov
Hello,
what is the best way of sharing a private value between pre and post
operation of two plugins, for example between prebind and postbind plugins.
I was looking at the Slapi_PBlock *pb - can I use a field of this structure
to set a value in the prebind plugin and then read this value in the post
bind plugin?
If yes, which field can be used for this?
If no, what other mechanism is available for sharing values between pre
and post plugins?
Thanks,
Elena Fedorov
Senior Consultant, Analytics Cloud Expert Services SDK API
T:613-356-6106
https://www.ibm.com/analytics/us/en/services/cloud-expert-services.html
2 years, 10 months