February 2020 - FreeIPA-users - Fedora Mailing-Lists

Is this still viable ? HowTo/vsphere5 integration

by White, Daniel E. (GSFC-770.0)[NICS]

https://www.freeipa.org/page/HowTo/vsphere5_integration It describes modification of the LDAP tree ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

4 years, 1 month

1
0
0 / 0

Caching

by Ronald Wimmer

If SSSD has cache_credentials set to True it will take some time until changes become visible on an IPA client. When I change sudo permissions for a certain user I usually want to changes to be effective immediately. Does this imply setting cache_credentials to False or what are best practices here? Cheers, Ronald

4 years, 1 month

2
5
0 / 0

IPA client's sssd.conf

by Ronald Wimmer

Is there a way to set some default keys and values that end up in an IPA client's sssd.conf upon ipa-client-install? Cheers, Ronald

4 years, 1 month

3
4
0 / 0

Re: IPA client's sssd.conf

by Alexander Bokovoy

On pe, 28 helmi 2020, Ronald Wimmer wrote: >For instance, I would like to set values for: > >ldap_sudo_smart_refresh_interval or >default_shell = /bin/bash No, there are no centralized settings like that. There are settings managed as part of 'ipa config-mod', but out of those SSSD picks up the following settings: - whether migration mode is enabled, - default SELinux user context and map order, - domain resolution order, for trusted domains ('subdomains' in SSSD speak). Technically, SSSD also loads a host object specific to the host it runs on, so there are some properties that can be exposed via this. For example, ID View applied to the host is discovered this way and FleetCommander integration (deskprofile) is retrieving rules in a similar way. But nothing like this is implemented for a generic option support right now. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

4 years, 1 month

1
0
0 / 0

recuring error during ipa-replica-install

by LHEUREUX Bernard

Hi all, I would linke to reinstall a replica for my FreeIPA infra that has failed its ipa-server-upgrade after the updat'e of CentOS ipa-server-4.6.5-11.el7.centos.4.x86_64, a few days ago... But everytime I try I get the following error on that machine : Configuring ipa-custodia [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/29]: creating certificate server db [2/29]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 4 seconds elapsed Update succeeded [3/29]: creating ACIs for admin [4/29]: creating installation admin user [5/29]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpjRZhjK' returned non-zero exit status 1 ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: ERROR CA configuration failed. ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information I cannot find any relevant info in the logs to tell me what could be done... Do you have an idea ? --- Bernard Lheureux Linux System Engineer IT Infra [Nethys] Rue Fivé 150, B-4100 Seraing GSM: +32-475-530311 http://www.nethys.be<http://www.nethys.be/> [cid:image014.png@01D5EC9E.85117780]<http://www.resa.be/> [nethys-energy]<http://www.nethys.be/fr> [Voo]<http://www.voo.be/fr/> [Betv]<http://www.betv.be/> [Win]<https://www.win.be/> Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l'usage des personnes ou des entités précisées dans les champs 'A', 'Cc' et 'Cci'. Si vous n'êtes pas l'un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n'engage que son signataire et aucunement son employeur.

4 years, 1 month

4
5
0 / 0

Can't login AD users on FreeIPA client

by Michael Solodovnikov

I have a fresh installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba 4.9.1-10, on CentOS 7.7.1908, can’t login as AD user. FreeIPA configured one-way trust AD(win.gtf.kz),AD user have UPN n.user(a)fgt.kz. FreeIPA realm nix.gtf.kz. ============ Сonfigs on server FreeIPA(dc1.nix.gtf.kz) # ipa trust-show win.gtf.kz Realm name: win.gtf.kz Domain NetBIOS name: GTF Domain Security Identifier: S-1-5-21-1397031248-555657444-1703228444 Trust direction: Trusting forest Trust type: Active Directory domain UPN suffixes: gtf.kz, fgt.kz [root@dc1 ~]# cat /etc/krb5.conf includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = NIX.GTF.KZ dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] NIX.GTF.KZ = { kdc = dc1.nix.gtf.kz:88 master_kdc = dc1.nix.gtf.kz:88 admin_server = dc1.nix.gtf.kz:749 default_domain = nix.gtf.kz pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .nix.gtf.kz = NIX.GTF.KZ nix.gtf.kz = NIX.GTF.KZ dc1.nix.gtf.kz = NIX.GTF.KZ [dbmodules] NIX.GTF.KZ = { db_library = ipadb.so } [plugins] certauth = { module = ipakdb:kdb/ipadb.so enable_only = ipakdb } [root@dc1 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz [domain_realm] .win.gtf.kz = WIN.GTF.KZ win.gtf.kz = WIN.GTF.KZ [capaths] WIN.GTF.KZ = { NIX.GTF.KZ = WIN.GTF.KZ } NIX.GTF.KZ = { WIN.GTF.KZ = WIN.GTF.KZ } [root@dc1 ~]# cat /etc/sssd/sssd.conf [domain/nix.gtf.kz] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nix.gtf.kz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = dc1.nix.gtf.kz chpass_provider = ipa ipa_server = dc1.nix.gtf.kz ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = sudo, nss, ifp, pam, ssh domains = nix.gtf.kz [nss] memcache_timeout = 600 homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] allowed_uids = ipaapi, root [secrets] [session_recording] ============ AD user. [root@dc1 ~]# getent passwd solodovnikov(a)win.gtf.kz solodovnikov@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov: [root@dc1 ~]# kinit solodovnikov(a)win.gtf.kz Password for solodovnikov(a)win.gtf.kz: [root@dc1 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm Default principal: solodovnikov(a)WIN.GTF.KZ Valid starting Expires Service principal 02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/WIN.GTF.KZ(a)WIN.GTF.KZ renew until 02/20/2020 11:05:10 [root@dc1 ~]# kvno -S host dc1.nix.gtf.kz host/dc1.nix.gtf.kz(a)NIX.GTF.KZ: kvno = 2 [root@dc1 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm Default principal: solodovnikov(a)WIN.GTF.KZ Valid starting Expires Service principal 02/19/2020 11:07:34 02/19/2020 21:05:16 host/dc1.nix.gtf.kz(a)NIX.GTF.KZ renew until 02/20/2020 11:05:10 02/19/2020 11:07:34 02/19/2020 21:05:16 krbtgt/NIX.gtf.kz(a)WIN.GTF.KZ renew until 02/20/2020 11:05:10 02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/WIN.gtf.kz(a)WIN.GTF.KZ renew until 02/20/2020 11:05:10 ============ Attempts to login using SSH or su by AD user failed. The error is the same. [root@dc1 ~]# useradd test [root@dc1 ~]# su - test [test@dc1 ~]$ su - solodovnikov(a)win.gtf.kz Password: su: Authentication failure In sssd log: (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 7200 (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA]. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] (0x1000): Domain win.gtf.kz is Active (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [10883] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [10883] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [10883]. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [10883] finished successfully. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov(a)win.gtf.kz] is empty. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55e915585c80] done. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #95]: Request handler finished [0]: Success (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #95]: Receiving request data. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #95]: Request removed. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #95]: Sending result [4][win.gtf.kz] In krb5kdc.log: Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@FGT.KZ(a)NIX.GTF.KZ for krbtgt/NIX.GTF.KZ(a)NIX.GTF.KZ, Realm not local to KDC Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11 Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11 Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11 Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@FGT.KZ(a)NIX.GTF.KZ for krbtgt/NIX.GTF.KZ(a)NIX.GTF.KZ, Realm not local to KDC Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11 Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11 Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11 ============ Сonfigs on client FreeIPA(sqlg.nix.gtf.kz) [root@sqlg ~]# cat /etc/redhat-release CentOS Linux release 7.7.1908 (Core) [root@sqlg ~]# ipa --version VERSION: 4.6.5, API_VERSION: 2.231 [root@sqlg ~]# cat /etc/krb5.conf #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = NIX.GTF.KZ dns_lookup_realm = true dns_lookup_kdc = true rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] NIX.GTF.KZ = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .nix.gtf.kz = NIX.GTF.KZ nix.gtf.kz = NIX.GTF.KZ sqlg.nix.gtf.kz = NIX.GTF.KZ [root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz [domain_realm] .win.gtf.kz = WIN.GTF.KZ win.gtf.kz = WIN.GTF.KZ [capaths] WIN.GTF.KZ = { NIX.GTF.KZ = WIN.GTF.KZ } NIX.GTF.KZ = { WIN.GTF.KZ = WIN.GTF.KZ } [root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz [domain_realm] .win.gtf.kz = WIN.GTF.KZ win.gtf.kz = WIN.GTF.KZ [capaths] WIN.GTF.KZ = { NIX.GTF.KZ = WIN.GTF.KZ } NIX.GTF.KZ = { WIN.GTF.KZ = WIN.GTF.KZ } [root@sqlg ~]# cat /etc/sssd/sssd.conf [domain/nix.gtf.kz] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nix.gtf.kz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = sqlg.nix.gtf.kz chpass_provider = ipa ipa_server = _srv_, dc1.nix.gtf.kz ldap_tls_cacert = /etc/ipa/ca.crt # if do not add these options, then does not find the AD user use_fully_qualified_names = True re_expression = ((?P<name>.+)@(?P<domain>[^@]+$)) [sssd] services = nss, sudo, pam, ssh domains = nix.gtf.kz [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] [secrets] [session_recording] [root@sqlg ~]# getent passwd solodovnikov(a)win.gtf.kz solodovnikov@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov: [root@sqlg ~]# kinit solodovnikov(a)win.gtf.kz Password for solodovnikov(a)win.gtf.kz: [root@sqlg ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: solodovnikov(a)WIN.GTF.KZ Valid starting Expires Service principal 02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/WIN.gtf.kz(a)WIN.GTF.KZ renew until 02/20/2020 12:37:42 [root@sqlg ~]# kvno -S host dc1.nix.gtf.kz host/dc1.nix.gtf.kz(a)NIX.GTF.KZ: kvno = 2 [root@sqlg ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: solodovnikov(a)WIN.GTF.KZ Valid starting Expires Service principal 02/19/2020 12:38:30 02/19/2020 22:37:47 host/dc1.nix.gtf.kz(a)NIX.GTF.KZ renew until 02/20/2020 12:37:42 02/19/2020 12:38:30 02/19/2020 22:37:47 krbtgt/NIX.gtf.kz(a)WIN.GTF.KZ renew until 02/20/2020 12:37:42 02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/WIN.gtf.kz(a)WIN.GTF.KZ renew until 02/20/2020 12:37:42 [root@sqlg ~]# [root@sqlg ~]# su - test Last login: Wed Feb 19 11:50:14 +07 2020 on pts/0 [test@sqlg ~]$ su - solodovnikov(a)win.gtf.kz Password: su: Authentication failure In sssd log: (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5]. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0) (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov(a)win.gtf.kz] is empty. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55b69c74baf0] done. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #12]: Request handler finished [0]: Success (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #12]: Receiving request data. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #12]: Request removed. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #12]: Sending result [6][win.gtf.kz] In /var/log/messages Feb 19 12:40:08 sqlg su: (to test) root on pts/0 Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:44 sqlg su: FAILED SU (to solodovnikov(a)win.gtf.kz) root on pts/0 ============ If add to sssd.conf on the server IPA. [domain/nix.gtf.kz/win.gtf.kz] subdomain_inherit = ldap_user_principal ldap_user_principal = nosuchattr In sssd log: (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): dbus conn: 0x55f84f6f3e70 (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): Dispatching. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [11773]. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [11773] finished successfully. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov(a)win.gtf.kz] is empty. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55f850749870] done. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #23]: Request handler finished [0]: Success (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #23]: Receiving request data. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #23]: Request removed. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #23]: Sending result [4][win.gtf.kz] In krb5kdc.log: Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: NEEDED_PREAUTH: host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/NIX.GTF.KZ(a)NIX.GTF.KZ, Additional pre-authentication required Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: ISSUE: authtime 1582092478, etypes {rep=18 tkt=18 ses=18}, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/NIX.GTF.KZ(a)NIX.GTF.KZ Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@WIN.GTF.KZ(a)NIX.GTF.KZ for krbtgt/NIX.GTF.KZ(a)NIX.GTF.KZ, Realm not local to KDC Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@WIN.GTF.KZ(a)NIX.GTF.KZ for krbtgt/NIX.GTF.KZ(a)NIX.GTF.KZ, Realm not local to KDC Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): closing down fd 11 Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.GTF.KZ(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11 Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.GTF.KZ(a)NIX.GTF.KZ for krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ, Server not found in Kerberos database Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11 On client FreeIPA. In sssd log: (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 1200 (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA]. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] (0x1000): Domain win.gtf.kz is Active (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [6709] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [6709] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [6709]. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [6709] finished successfully. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov(a)win.gtf.kz] is empty. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x56508c296b50] done. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #25]: Request handler finished [0]: Success (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #25]: Receiving request data. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #25]: Request removed. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #25]: Sending result [4][win.gtf.kz] In /var/log/messages Feb 19 13:19:49 sqlg su: (to test) root on pts/0 Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: Server krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ not found in Kerberos database Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: Server krbtgt/WIN.GTF.KZ(a)NIX.GTF.KZ not found in Kerberos database Feb 19 13:20:03 sqlg su: FAILED SU (to solodovnikov(a)win.gtf.kz) root on pts/0 Hope this list can provide some pointers. Thanks in advance.

4 years, 1 month

2
9
0 / 0

ipa host-del ERROR Unable to communicate with CMS (403)

by Chris Bacott

Hello, I've been searching for resolution on this issue for a while now, but it seems all of the issues others have encountered were unrelated. Host OS: CentOS 8.1.1911 All packages up to date. This is a stock installation of freeipa, nothing tricky like replication or anything. The system authenticates fine, however when I went to add a host to it, for whatever reason the client got the hostname wrong, thus samba authentication wasn't working. I deleted the install on the client, and went to re-install, and it began asking for a password for the host. I never set one up to my knowledge. So, I went to delete the client host completely from the server, and that is where I got the above error. I've examined 'getcert list', no error. I confirmed that all firewalls are (currently) off, and ports are open. I've examined all logs under /var/log/pki, and there's no errors that I could find. As far as I can tell, tomcat is working just fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden error. Any insights would be helpful.

4 years, 1 month

2
5
0 / 0

Add more user/group container objects in freeIPA.

by Mary Georgiou

Hello all, I'd like to add to the FreeIPA 389DS more user and group containers. For example currently, the default one is cn=users, cn=accounts, dc=example,dc=com and I'd like to add OU=something, cn=accounts, dc=example,dc=com and under it cn=some_other_users,OU=something, cn=accounts, dc=example,dc=com etc. Is this possible without breaking everything in FreeIPA (considering that I'd like the entries in that part of the tree to be handled as accounts that can be added to groups etc)? Thanks in advance!

4 years, 1 month

2
5
0 / 0

DC-Controllers LDAPS only

by Ronald Wimmer

Will IPA be affected somehow when Windows Domain Controllers start accepting LDAPS traffic only? Cheers, Ronald

4 years, 1 month

1
1
0 / 0

Split domain for IPA and internal machines

by Nicholas DeMarco

I've configured FreeIPA servers in identity.demarcohome.com, and my internal machines are in int.demarcohome.com. I added discovery SRV records to the int.demarcohome.com: _kerberos TXT "IDENTITY.demarcohome.COM" _kerberos-master._tcp SRV 0 100 88 ipa1.identity.demarcohome.com. _kerberos-master._udp SRV 0 100 88 ipa1.identity.demarcohome.com. _kerberos._tcp SRV 0 100 88 ipa1.identity.demarcohome.com. _kerberos._udp SRV 0 100 88 ipa1.identity.demarcohome.com. _kpasswd._udp SRV 0 100 464 ipa1.identity.demarcohome.com. _ldap._tcp SRV 0 100 389 ipa1.identity.demarcohome.com. When configuring a client, a few things didn't go well: 2020-02-24T22:51:21Z DEBUG args=['/usr/bin/getent', 'passwd', ' ndemarco(a)int.demarcohome.com'] 2020-02-24T22:51:21Z DEBUG Process finished, return code=2 Also some unexpected [Try 1] blocks in the error log like: DEBUG Try RPC connection INFO [try 1]: Forwarding 'ping' to json server ' https://ipa1.identity.demarcohome.com/ipa/session/json' DEBUG New HTTP connection (ipa1.identity.demarcohome.com) My DNS is probably not set up properly yet, but I'm properly worn out for the day on this.

4 years, 1 month

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2020