AD trusted group: incomplete list of members on client
by Natxo Asenjo
hi,
reposting with zipped log.
we have a trust between an AD forest (2016) and an RHEL 7 IdM environment.
We have this ad group:
$ ipa group-show d-xxx-platform-admins
Group name: d-xxx-platform-admins
Description: AD d-xxx-platform-admins
External member: d-xxx-platform-admins@ad.local
Member of groups: xxx-platform-admins
When I run the command getent group xxx-platform-admins on the kdc, I get
the full list of users in the AD group:
$ getent group xxx-platform-admins
xxx-platform-admins:*:1679450504:a-user1@ad.local,a-user2@ad.local
,a-user3@ad.local,a-user4@ad.local,a-user5@ad.local,a-user6@ad.local
,a-user7@ad.local,a-user8@ad.local,a-user9@ad.local,a-user10@ad.local
,a-user11@ad.local,a-user12@ad.local,a-user12@ad.local,a-user13@ad.local
,a-user14@ad.local,a-user15@ad.local,a-user16@ad.local
but on the idm client:
# getent group xxx-platform-admins
xxx-platform-admins:*:1679450504:a-user1@ad.local,a-user2@ad.local
Attached is the sssd_nss.log with debugging enabled.
Thanks in advance.
--
regards,
Natxo
3 years, 4 months
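As an added diagnostic aid (not part of Natxo's post and not FreeIPA or SSSD code), the script below parses two `getent group` outputs, re-joins member lists that a mailer or terminal wrapped across lines, and reports exactly which members the client is missing, whether the GID agrees on both sides (a mismatch would mean the two hosts map the AD SID differently), and any member listed twice. The two outputs embedded in it are constructed in the shape the post quotes, not real data. Before reading much into such a difference, clear the client's SSSD cache entry for the group (`sss_cache -g xxx-platform-admins`) and query again so that a stale cache is ruled out.

```python
"""Compare one group's member list as resolved on two hosts (e.g. an IPA
server and an IPA client in the same trust) and report what differs.
Added example; the getent outputs below are constructed sample data."""

from typing import Dict, List, NamedTuple, Set


class GroupEntry(NamedTuple):
    name: str
    gid: int
    members: List[str]


class GroupDiff(NamedTuple):
    gid_matches: bool
    missing_on_client: Set[str]
    extra_on_client: Set[str]
    duplicates_on_server: Set[str]
    duplicates_on_client: Set[str]


def _unwrap(text: str) -> List[str]:
    """Re-join member lists wrapped onto several lines: a continuation either
    starts with ',' or follows a line that ends with ','."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and (line.startswith(",") or lines[-1].endswith(",")):
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_getent_group(text: str) -> Dict[str, GroupEntry]:
    """Parse `getent group` lines of the form name:password:gid:m1,m2,..."""
    groups: Dict[str, GroupEntry] = {}
    for line in _unwrap(text):
        name, _password, gid, member_field = line.split(":", 3)
        # SSSD treats trusted-domain names case-insensitively; normalise so
        # that differing case on the two hosts does not show up as a diff.
        members = [m.strip().lower() for m in member_field.split(",") if m.strip()]
        groups[name] = GroupEntry(name, int(gid), members)
    return groups


def _duplicates(members: List[str]) -> Set[str]:
    seen: Set[str] = set()
    dups: Set[str] = set()
    for member in members:
        if member in seen:
            dups.add(member)
        seen.add(member)
    return dups


def compare_group(server_text: str, client_text: str, group: str) -> GroupDiff:
    server = parse_getent_group(server_text)[group]
    client = parse_getent_group(client_text)[group]
    return GroupDiff(
        gid_matches=server.gid == client.gid,
        missing_on_client=set(server.members) - set(client.members),
        extra_on_client=set(client.members) - set(server.members),
        duplicates_on_server=_duplicates(server.members),
        duplicates_on_client=_duplicates(client.members),
    )


# Constructed sample output, wrapped the way the mail quoted it.
SERVER_OUTPUT = """xxx-platform-admins:*:1679450504:a-user1@ad.local,a-user2@ad.local
,a-user3@ad.local,a-user4@ad.local,a-user4@ad.local,a-user5@ad.local
"""
CLIENT_OUTPUT = "xxx-platform-admins:*:1679450504:a-user1@ad.local,a-user2@ad.local\n"

if __name__ == "__main__":
    diff = compare_group(SERVER_OUTPUT, CLIENT_OUTPUT, "xxx-platform-admins")
    print("GID matches:", diff.gid_matches)
    print("missing on client:", sorted(diff.missing_on_client))
    print("extra on client:", sorted(diff.extra_on_client))
    print("listed twice on server:", sorted(diff.duplicates_on_server))
```

Paste the real outputs into `SERVER_OUTPUT` and `CLIENT_OUTPUT` (or read them from files) and the script prints the member names to chase in sssd_nss.log, rather than eyeballing a sixteen-entry list.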
Re: Reinstalling client's OS
by Roberto Cornacchia
Thank you Angus and Detlev!
On Fri, 4 Dec 2020, 12:46 Angus Clarke via FreeIPA-users, <
freeipa-users(a)lists.fedorahosted.org> wrote:
> The steps you mention seem fine to me Roberto, Detlev has detailed an
> alternative.
>
> If you lose a client and need to rebuild (i.e. you didn't get chance to
> run the "--uninstall" option) then you can also just delete the host entry
> from IPA through the web gui or ipa command line before running the
> ipa-client-install (join) command.
>
> When I have issues with clients (very infrequent and I have some 5000
> clients) I find that running the "--uninstall" and then the install (steps
> 1 and 3) fix most issues without having to look into them (blind fix for
> the time wary!)
>
> Regards
> Angus
>
> ------------------------------
> *From:* Detlev Habicht via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>
> *Sent:* 04 December 2020 11:59
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Detlev Habicht <detlev.habicht(a)ims.uni-hannover.de>
> *Subject:* [Freeipa-users] Re: Reinstalling client's OS
>
> Hi,
>
> you can reinstall a client with something like this:
>
> /usr/sbin/ipa-client-install --force --unattended --domain=xxx --realm=xxx
> --server=xxx --server=yyy --force-ntpd --keytab=./krb5.keytab
> --ca-cert-file=./ca.crt
>
> But you must save your keytab and ca file before.
>
> For me it is working …
>
> Detlev
>
> --
> Detlev | Institut fuer Mikroelektronische Systeme
> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
> --------+-------- Handy +49 172 5415752 ---------------------------
>
>
>
> > Am 04.12.2020 um 11:46 schrieb Roberto Cornacchia via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>:
> >
> > Hello,
> >
> > Apologies if this is a trivial question, I could not find an obvious
> answer anywhere.
> >
> > If I want to reinstall from scratch the OS of an already enrolled
> client, is this the right procedure?
> >
> > 1. ipa-client-install --uninstall
> > 2. <reinstall OS>
> > 3. ipa-client-install
> >
> > Best regards,
> > Roberto
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
3 years, 4 months
Reinstalling client's OS
by Roberto Cornacchia
Hello,
Apologies if this is a trivial question, I could not find an obvious answer
anywhere.
If I want to reinstall from scratch the OS of an already enrolled client,
is this the right procedure?
1. ipa-client-install --uninstall
2. <reinstall OS>
3. ipa-client-install
Best regards,
Roberto
3 years, 4 months
Allocation of a new value for DNA range failed
by Ronald Wimmer
After upgrading to OL 8.1 and replacing all 8 of my IPA servers I ran
into this particular problem.
Is it right that I need to have an ID range that all DNA ranges have to
fit in? And that the DNA range of each IPA server has to be distinct
from the ranges of the other IPA servers?
I will start by checking each IPA server with
ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
(according to what Rob wrote on his blog some years ago:
https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
Cheers,
Ronald
3 years, 4 months
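To turn that per-server ldapsearch into an actual check, the added script below (not Ronald's code and not part of FreeIPA) parses the `cn=Posix IDs` entry from each replica and verifies two things: that no two replicas own intersecting ranges (the active `dnaNextValue`..`dnaMaxValue` range plus any on-deck `dnaNextRange`), and that every owned range lies inside the IPA local ID range as printed by `ipa idrange-find` ("First Posix ID of the range" and "Number of IDs in the range"). A replica whose `dnaNextValue` is already past `dnaMaxValue` has nothing left to allocate and is reported as having no range. Overlapping DNA ranges are a security problem, not only an operational one: two replicas can hand the same UID to two different users, who then share file ownership and every UID-based access decision. The LDIF snippets are constructed, not copied from a real server.

```python
"""Check the DNA (Distributed Numeric Assignment) ranges of several IPA
replicas: every range a replica owns must be disjoint from the other
replicas' ranges and lie inside the IPA local ID range.
Added example; the LDIF snippets are constructed sample data."""

from typing import Dict, List, NamedTuple, Optional, Tuple

Interval = Tuple[int, int]  # inclusive [low, high]


class DnaRange(NamedTuple):
    server: str
    active: Optional[Interval]   # dnaNextValue..dnaMaxValue, None when exhausted
    on_deck: Optional[Interval]  # dnaNextRange "low-high", None when not set


class Finding(NamedTuple):
    kind: str    # "no-range", "outside-idrange" or "overlap"
    detail: str


def parse_dna_entry(server: str, ldif: str) -> DnaRange:
    """Parse the cn=Posix IDs DNA entry as ldapsearch prints it (LDIF)."""
    attrs: Dict[str, str] = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    next_value = int(attrs["dnanextvalue"])
    max_value = int(attrs["dnamaxvalue"])
    # A next value past the max means the replica has nothing left to hand out.
    active = (next_value, max_value) if next_value <= max_value else None
    on_deck = None
    if "dnanextrange" in attrs:
        low, high = attrs["dnanextrange"].split("-", 1)
        on_deck = (int(low), int(high))
    return DnaRange(server, active, on_deck)


def idrange_interval(first_posix_id: int, size: int) -> Interval:
    """Turn the two numbers `ipa idrange-find` prints into an inclusive interval."""
    return (first_posix_id, first_posix_id + size - 1)


def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def contained(a: Interval, ranges: List[Interval]) -> bool:
    return any(r[0] <= a[0] and a[1] <= r[1] for r in ranges)


def check_dna_ranges(replicas: List[DnaRange], local_id_ranges: List[Interval]) -> List[Finding]:
    findings: List[Finding] = []
    owned: List[Tuple[str, Interval]] = []
    for r in replicas:
        if r.active is None and r.on_deck is None:
            findings.append(Finding("no-range", r.server))
        for iv in (r.active, r.on_deck):
            if iv is not None:
                owned.append((r.server, iv))
    for server, iv in owned:
        if not contained(iv, local_id_ranges):
            findings.append(Finding("outside-idrange", f"{server} {iv[0]}-{iv[1]}"))
    # Ranges of different replicas must never intersect: the same UID would
    # otherwise be assigned to two different users.
    for i, (s1, a) in enumerate(owned):
        for s2, b in owned[i + 1:]:
            if s1 != s2 and overlaps(a, b):
                findings.append(Finding("overlap", f"{s1} {a[0]}-{a[1]} vs {s2} {b[0]}-{b[1]}"))
    return findings


# Constructed sample: four replicas and one local ID range 1000..2999.
DN = "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
SAMPLE_LDIF = {
    "ipa1": DN + "dnaNextValue: 1200\ndnaMaxValue: 1499\n",
    "ipa2": DN + "dnaNextValue: 1500\ndnaMaxValue: 1999\ndnaNextRange: 2500-2999\n",
    "ipa3": DN + "dnaNextValue: 1900\ndnaMaxValue: 3200\n",  # overlaps ipa2, exceeds idrange
    "ipa4": DN + "dnaNextValue: 1101\ndnaMaxValue: 1100\n",  # exhausted
}
LOCAL_ID_RANGES = [idrange_interval(1000, 2000)]


def sample_findings() -> List[Finding]:
    replicas = [parse_dna_entry(s, ldif) for s, ldif in SAMPLE_LDIF.items()]
    return check_dna_ranges(replicas, LOCAL_ID_RANGES)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:16} {f.detail}")
```

Run the ldapsearch on each replica, store each result under the replica's name in `SAMPLE_LDIF` (or load the files), and put every `ipa-local` range from `ipa idrange-find` into `LOCAL_ID_RANGES`; an empty findings list is the state you want before re-running the failing operation.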
SmartCard-HSM authentication using pinpad card reader for improved security
by Peter Steen
Hello Folks!
We are working on getting smart card authentication working with pinpad card readers for improved security.
To do this we use:
The FreeIPA server runs on Fedora 32 with the latest updates and is also configured as the Certificate Authority.
The FreeIPA clients are Fedora 32 based with the latest updates and a connected USB card reader, a Gemalto C700 with pinpad; we use several individual SmartCard-HSM 4K tokens per user with FreeIPA-signed certificates on them. The FreeIPA clients run OpenSC and are configured for smart card certificate-based authentication, set up per the SmartCard-HSM best practice. Furthermore, the clients use SSSD and not pam_pkcs11.
All works great using the smart card for authentication, as long as the pinpad is not enabled in OpenSC.
If it is, we are prompted for the PIN not only on the pinpad reader, but GDM also prompts us to enter the PIN on the keyboard.
The expected result is to be logged in directly after entering the correct PIN on the pinpad reader, without GDM prompting for the PIN on the keyboard as well.
With the pinpad enabled, login gets a bit odd:
1. The Fedora 32 workstation GDM menu lists a few users that can log in.
2. The smart card is inserted in the reader.
3. GDM blanks the screen and the smart card reader prompts for the PIN.
4. The PIN is entered on the smart card reader, followed by pressing the OK button on the reader; the reader display shows "PIN OK".
5. GDM now prompts for the PIN on the keyboard. This is unexpected; instead, one should be logged in to the window manager, here GNOME or Xfce.
6. Any number can be entered, it does not matter, followed by hitting Enter.
7. Once again the smart card reader prompts for the PIN.
8. The PIN is entered on the pinpad reader, followed by pressing the pinpad OK button.
9. You are now logged in, and all is normal. If the smart card is pulled out of the reader the screen locks, as expected.
What could this be? Has anyone seen this before or know how to set it up?
3 years, 4 months
Question regarding the GUI
by Frederic Ayrault
Bonjour,
I would like to change the password expiration date from the user profile
instead of using an LDAP script.
Is it possible to change the field to an editable one?
Thank you
Best Regards,
Frederic
Frédéric AYRAULT
Administrateur Systèmes et Réseaux
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
fred(a)lix.polytechnique.fr
3 years, 4 months
encryption type "Triple DES cbc mode with HMAC/sha1" ipa-getkeytab not granted by ipa 4.6.4 server
by Rob van Halteren
Hello,
I am trying to enable the des3-cbc-sha1 encryption type for an NFS service on a Linux CentOS 7 NFS server that is enrolled with an IPA 4.6.4 server.
I have allow_weak_crypto = true in my keytab.conf on the NFS server.
To check the permitted encryption types I run this on the NFS server:
$ ipa-getkeytab --permitted-enctypes
Supported encryption types:
AES-256 CTS mode with 96-bit SHA-1 HMAC
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 192-bit SHA-384 HMAC
AES-128 CTS mode with 128-bit SHA-256 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
Camellia-128 CTS mode with CMAC
Camellia-256 CTS mode with CMAC
DES cbc mode with CRC-32
DES cbc mode with RSA-MD5
DES cbc mode with RSA-MD4
When I run:
$ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN -e des3-cbc-sha1 -k /etc/krb5.keytab
I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
However, when checking I see that only "aes" encryption types have been obtained.
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
Not sure what I am doing wrong here.
I would like to experiment with a weak encryption type to see if it's possible to mount a Kerberized NFS share on an Apple computer
running OS X 10.13.
If I read the documentation correctly, Apple supports: OS X NFS RPCSEC_GSS supports: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1.
NFS version 3.
Thanks for any help.
Rob.
3 years, 4 months
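Two points worth keeping in mind when reading the output above. The list printed by `ipa-getkeytab --permitted-enctypes` comes from the local Kerberos library (krb5_get_permitted_enctypes), so it can include types the server will never generate; the server-side policy that governs which keys ipa-getkeytab can produce is the realm's krbSupportedEncSaltTypes attribute under cn=REALM,cn=kerberos. And ipa-getkeytab reports success as soon as it has stored keys, so the only reliable way to see which enctypes were actually issued is to inspect the keytab, as the post does. The added script below (not Rob's code and not part of FreeIPA) parses `klist -ke` output and reports keys in enctypes that RFC 6649 retired (single DES) or RFC 8429 deprecated (des3-cbc-sha1 and RC4/arcfour), principals for which a requested enctype is missing (the post's situation), and principals carrying keys under more than one KVNO, which is what each further `ipa-getkeytab` run without `-r` leaves behind, since such a run generates a fresh key and invalidates every other copy of that principal's keytab. The sample klist output is constructed: its first four key lines mirror the post, the `legacy/` principal is invented.

```python
"""Audit the key encryption types in a keytab from `klist -ke` output.
Added example; the sample klist output is constructed."""

import re
from typing import Dict, List, NamedTuple, Optional, Sequence

# RFC 6649 retired single DES; RFC 8429 deprecated des3-cbc-sha1 and RC4.
BROKEN = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5",
              "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}

# One key line of `klist -ke`:  "   4 nfs/host@REALM (aes256-cts-hmac-sha1-96)"
KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


class KeytabKey(NamedTuple):
    kvno: int
    principal: str
    enctype: str


class Finding(NamedTuple):
    principal: str
    kind: str    # "weak-key", "missing-requested" or "multiple-kvno"
    detail: str


def parse_klist(text: str) -> List[KeytabKey]:
    keys: List[KeytabKey] = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append(KeytabKey(int(m.group(1)), m.group(2), m.group(3).lower()))
    return keys


def classify(enctype: str) -> str:
    if enctype in BROKEN:
        return "broken"
    if enctype in DEPRECATED:
        return "deprecated"
    if enctype.startswith(("aes", "camellia")):
        return "strong"
    return "unknown"


def audit_keytab(text: str, requested: Optional[Dict[str, Sequence[str]]] = None) -> List[Finding]:
    """`requested` maps a principal to the enctypes asked for with `ipa-getkeytab -e`."""
    requested = requested or {}
    by_principal: Dict[str, List[KeytabKey]] = {}
    for key in parse_klist(text):
        by_principal.setdefault(key.principal, []).append(key)
    findings: List[Finding] = []
    for principal, keys in by_principal.items():
        enctypes = {k.enctype for k in keys}
        for enctype in sorted(enctypes):
            verdict = classify(enctype)
            if verdict in ("broken", "deprecated"):
                findings.append(Finding(principal, "weak-key", f"{enctype} ({verdict})"))
        for enctype in requested.get(principal, ()):
            if enctype.lower() not in enctypes:
                findings.append(Finding(principal, "missing-requested", enctype))
        kvnos = {k.kvno for k in keys}
        if len(kvnos) > 1:
            # Older-KVNO keys still decrypt tickets issued before the rotation;
            # prune them once those tickets have expired.
            findings.append(Finding(principal, "multiple-kvno", f"kvno {sorted(kvnos)}"))
    return findings


SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   2 legacy/old.mydomain@MYDOMAIN (des3-cbc-sha1)
   3 legacy/old.mydomain@MYDOMAIN (arcfour-hmac)
"""


def sample_findings() -> List[Finding]:
    return audit_keytab(SAMPLE_KLIST, {"nfs/myhost.mydomain@MYDOMAIN": ["des3-cbc-sha1"]})


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:18} {f.principal}: {f.detail}")
```

Feed it `klist -ke` output from any enrolled host; the "missing-requested" finding is the quick way to notice that a requested enctype never made it into the keytab, and the "weak-key" findings are the ones to clean up before a client such as the one described above is ever allowed to drive the enctype choice for a shared service.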
Services - Differences between FreeIPA and MS AD
by Ronald Wimmer
I am trying to get a deeper understanding of how services are organized.
When browsing the LDAP directory in FreeIPA I can see that services are
organized in a separate container (DN:
cn=services,cn=accounts,dc=linux,dc=mydomain,dc=at) and that each
service's connection to the computer object can be found in the ManagedBy
attribute. So far, so good.
In the Windows world I see services specified directly in the SPN attributes
of a computer object. That makes sense and looks very similar to the IPA
world.
What I do not completely understand is why SPNs can also be specified
as an attribute of an AD (service account) user. Why? What's the purpose
of that? (Almost every tutorial on the web uses the mapuser parameter of
the ktpass command, but none states why this is needed.) I can imagine
that it makes sense for Linux servers when there is no computer object
in the AD. But what are other reasons/use cases?
I do know that this question is slightly off-topic. Nevertheless, I am
sure somebody here has a good answer to it which I would highly
appreciate to hear.
Cheers,
Ronald
3 years, 4 months