Caching
by Ronald Wimmer
If SSSD has cache_credentials set to True it will take some time until
changes become visible on an IPA client. When I change sudo permissions
for a certain user I usually want the changes to be effective
immediately. Does this imply setting cache_credentials to False, or what
are the best practices here?
Cheers,
Ronald
4 years, 1 month
IPA client's sssd.conf
by Ronald Wimmer
Is there a way to set some default keys and values that end up in an IPA
client's sssd.conf upon ipa-client-install?
Cheers,
Ronald
4 years, 1 month
Re: IPA client's sssd.conf
by Alexander Bokovoy
On Fri, 28 Feb 2020, Ronald Wimmer wrote:
>For instance, I would like to set values for:
>
>ldap_sudo_smart_refresh_interval or
>default_shell = /bin/bash
No, there are no centralized settings like that.
There are settings managed as part of 'ipa config-mod', but out of those
SSSD picks up the following settings:
- whether migration mode is enabled,
- default SELinux user context and map order,
- domain resolution order, for trusted domains ('subdomains' in SSSD
speak).
Technically, SSSD also loads a host object specific to the host it runs
on, so there are some properties that can be exposed via this. For
example, ID View applied to the host is discovered this way and
FleetCommander integration (deskprofile) is retrieving rules in a
similar way.
But nothing like this is implemented for a generic option support right
now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4 years, 1 month
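The caching question above is not answered on this page, and the follow-up thread shows that SSSD options on IPA clients are set per host in sssd.conf. One point worth separating for both threads: cache_credentials only decides whether SSSD keeps cached password hashes for offline logins; the delay before a changed sudo rule reaches a client is set by the sudo refresh intervals, and an expired cache can be forced with sss_cache. As an added illustration that is neither poster's code nor part of SSSD, the Python below parses an sssd.conf with the standard configparser module and reports, per domain, the intervals that actually govern sudo-rule freshness. The sample configuration is constructed, and the values in DEFAULTS are the documented SSSD defaults assumed here; check them against the version you run.

```python
"""Audit an sssd.conf for the settings that control how fast sudo-rule changes reach an IPA client."""
import configparser

# Constructed sample, modelled on a typical IPA client sssd.conf (not one of the files posted in the thread).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
ipa_server = _srv_, ipa1.example.test
ldap_sudo_smart_refresh_interval = 300

[domain/example.test/ad.example.test]
subdomain_inherit = ldap_user_principal
"""

# Defaults as documented in sssd.conf(5) and sssd-sudo(5); assumed here, verify against your SSSD version.
DEFAULTS = {
    "entry_cache_timeout": 5400,
    "ldap_sudo_smart_refresh_interval": 900,
    "ldap_sudo_full_refresh_interval": 21600,
}


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # SSSD option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def domain_sections(cp):
    # "[domain/a]" is a domain; "[domain/a/b]" is a trusted subdomain that inherits from "a".
    return [s for s in cp.sections() if s.startswith("domain/") and s.count("/") == 1]


def as_bool(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def effective(cp, section, key):
    """Return (value, source); source says whether the value was set explicitly or defaulted."""
    raw = cp.get(section, key, fallback=None)
    return (DEFAULTS[key], "default") if raw is None else (int(raw), "explicit")


def audit_domain(cp, section):
    smart, smart_src = effective(cp, section, "ldap_sudo_smart_refresh_interval")
    full, full_src = effective(cp, section, "ldap_sudo_full_refresh_interval")
    entry, _ = effective(cp, section, "entry_cache_timeout")
    report = {
        "domain": section.split("/", 1)[1],
        "cache_credentials": as_bool(cp.get(section, "cache_credentials", fallback="False")),
        "sudo_smart_refresh_s": smart,
        "sudo_smart_refresh_source": smart_src,
        "sudo_full_refresh_s": full,
        "sudo_full_refresh_source": full_src,
        "entry_cache_timeout_s": entry,
        # Smart refresh fetches new and modified rules; rules deleted on the server
        # are only dropped from the local cache by a full refresh.
        "max_lag_new_or_changed_rule_s": smart,
        "max_lag_deleted_rule_s": full,
        "notes": [],
    }
    if report["cache_credentials"]:
        report["notes"].append(
            "cache_credentials=True only allows offline logins against cached password hashes; "
            "it has no effect on when sudo rules are refreshed, so setting it to False gains nothing here."
        )
    report["notes"].append(
        "To apply a rule change on this client right away, expire the cache with "
        "'sss_cache -R' (sudo rules only) or 'sss_cache -E' (everything) rather than lowering the intervals."
    )
    return report


def audit(text):
    cp = parse_sssd_conf(text)
    return [audit_domain(cp, s) for s in domain_sections(cp)]


if __name__ == "__main__":
    for rep in audit(SAMPLE_SSSD_CONF):
        print(rep["domain"], "changed-rule lag <=", rep["max_lag_new_or_changed_rule_s"], "s,",
              "deleted-rule lag <=", rep["max_lag_deleted_rule_s"], "s")
        for note in rep["notes"]:
            print("  -", note)
```

Run it against a real client's /etc/sssd/sssd.conf to see which of the two refresh intervals is the one delaying a given change; the distinction between changed and deleted rules is why a rule that was removed on the server can linger on a client well after a newly added one has appeared.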
recuring error during ipa-replica-install
by LHEUREUX Bernard
Hi all,
I would like to reinstall a replica for my FreeIPA infra that has failed its ipa-server-upgrade after the update of CentOS ipa-server-4.6.5-11.el7.centos.4.x86_64, a few days ago...
But every time I try I get the following error on that machine:
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: creating certificate server db
[2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[3/29]: creating ACIs for admin
[4/29]: creating installation admin user
[5/29]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpjRZhjK' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I cannot find any relevant info in the logs to tell me what could be done...
Do you have an idea?
---
Bernard Lheureux
Linux System Engineer
IT Infra
4 years, 1 month
Can't login AD users on FreeIPA client
by Michael Solodovnikov
I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba 4.9.1-10 on CentOS 7.7.1908, and can't log in as an AD user.
FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has the UPN n.user@fgt.kz. The FreeIPA realm is nix.gtf.kz.
============
Configs on the FreeIPA server (dc1.nix.gtf.kz)
# ipa trust-show win.gtf.kz
Realm name: win.gtf.kz
Domain NetBIOS name: GTF
Domain Security Identifier: S-1-5-21-1397031248-555657444-1703228444
Trust direction: Trusting forest
Trust type: Active Directory domain
UPN suffixes: gtf.kz, fgt.kz
[root@dc1 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NIX.GTF.KZ
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NIX.GTF.KZ = {
kdc = dc1.nix.gtf.kz:88
master_kdc = dc1.nix.gtf.kz:88
admin_server = dc1.nix.gtf.kz:749
default_domain = nix.gtf.kz
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.nix.gtf.kz = NIX.GTF.KZ
nix.gtf.kz = NIX.GTF.KZ
dc1.nix.gtf.kz = NIX.GTF.KZ
[dbmodules]
NIX.GTF.KZ = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
[root@dc1 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
WIN.GTF.KZ = WIN.GTF.KZ
}
[root@dc1 ~]# cat /etc/sssd/sssd.conf
[domain/nix.gtf.kz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh
domains = nix.gtf.kz
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
============
AD user.
[root@dc1 ~]# getent passwd solodovnikov@win.gtf.kz
solodovnikov@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
[root@dc1 ~]# kinit solodovnikov@win.gtf.kz
Password for solodovnikov@win.gtf.kz:
[root@dc1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
Default principal: solodovnikov@WIN.GTF.KZ
Valid starting Expires Service principal
02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/WIN.GTF.KZ@WIN.GTF.KZ
renew until 02/20/2020 11:05:10
[root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
host/dc1.nix.gtf.kz@NIX.GTF.KZ: kvno = 2
[root@dc1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
Default principal: solodovnikov@WIN.GTF.KZ
Valid starting Expires Service principal
02/19/2020 11:07:34 02/19/2020 21:05:16 host/dc1.nix.gtf.kz@NIX.GTF.KZ
renew until 02/20/2020 11:05:10
02/19/2020 11:07:34 02/19/2020 21:05:16 krbtgt/NIX.gtf.kz@WIN.GTF.KZ
renew until 02/20/2020 11:05:10
02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/WIN.gtf.kz@WIN.GTF.KZ
renew until 02/20/2020 11:05:10
============
Attempts to log in as the AD user via SSH or su fail. The error is the same.
[root@dc1 ~]# useradd test
[root@dc1 ~]# su - test
[test@dc1 ~]$ su - solodovnikov@win.gtf.kz
Password:
su: Authentication failure
In sssd log:
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 7200
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA].
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] (0x1000): Domain win.gtf.kz is Active
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [10883]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [10883]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [10883].
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [10883] finished successfully.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov@win.gtf.kz] is empty.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55e915585c80] done.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #95]: Request handler finished [0]: Success
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #95]: Receiving request data.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #95]: Request removed.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #95]: Sending result [4][win.gtf.kz]
In krb5kdc.log:
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@FGT.KZ@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ, Realm not local to KDC
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@FGT.KZ@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ, Realm not local to KDC
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
============
Configs on the FreeIPA client (sqlg.nix.gtf.kz)
[root@sqlg ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@sqlg ~]# ipa --version
VERSION: 4.6.5, API_VERSION: 2.231
[root@sqlg ~]# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NIX.GTF.KZ
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NIX.GTF.KZ = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.nix.gtf.kz = NIX.GTF.KZ
nix.gtf.kz = NIX.GTF.KZ
sqlg.nix.gtf.kz = NIX.GTF.KZ
[root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
WIN.GTF.KZ = WIN.GTF.KZ
}
[root@sqlg ~]# cat /etc/sssd/sssd.conf
[domain/nix.gtf.kz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt
# without these two options the AD user is not found
use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
[root@sqlg ~]# getent passwd solodovnikov@win.gtf.kz
solodovnikov@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
[root@sqlg ~]# kinit solodovnikov@win.gtf.kz
Password for solodovnikov@win.gtf.kz:
[root@sqlg ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: solodovnikov@WIN.GTF.KZ
Valid starting Expires Service principal
02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/WIN.gtf.kz@WIN.GTF.KZ
renew until 02/20/2020 12:37:42
[root@sqlg ~]# kvno -S host dc1.nix.gtf.kz
host/dc1.nix.gtf.kz@NIX.GTF.KZ: kvno = 2
[root@sqlg ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: solodovnikov@WIN.GTF.KZ
Valid starting Expires Service principal
02/19/2020 12:38:30 02/19/2020 22:37:47 host/dc1.nix.gtf.kz@NIX.GTF.KZ
renew until 02/20/2020 12:37:42
02/19/2020 12:38:30 02/19/2020 22:37:47 krbtgt/NIX.gtf.kz@WIN.GTF.KZ
renew until 02/20/2020 12:37:42
02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/WIN.gtf.kz@WIN.GTF.KZ
renew until 02/20/2020 12:37:42
[root@sqlg ~]#
[root@sqlg ~]# su - test
Last login: Wed Feb 19 11:50:14 +07 2020 on pts/0
[test@sqlg ~]$ su - solodovnikov@win.gtf.kz
Password:
su: Authentication failure
In sssd log:
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5].
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov@win.gtf.kz] is empty.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55b69c74baf0] done.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #12]: Request handler finished [0]: Success
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #12]: Receiving request data.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #12]: Request removed.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #12]: Sending result [6][win.gtf.kz]
In /var/log/messages
Feb 19 12:40:08 sqlg su: (to test) root on pts/0
Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm "FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm "FGT.KZ"
Feb 19 12:40:44 sqlg su: FAILED SU (to solodovnikov@win.gtf.kz) root on pts/0
============
If I add the following to sssd.conf on the IPA server:
[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
In sssd log:
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): dbus conn: 0x55f84f6f3e70
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [11773].
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [11773] finished successfully.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov@win.gtf.kz] is empty.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55f850749870] done.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #23]: Request handler finished [0]: Success
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #23]: Receiving request data.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #23]: Request removed.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #23]: Sending result [4][win.gtf.kz]
In krb5kdc.log:
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: NEEDED_PREAUTH: host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ, Additional pre-authentication required
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: ISSUE: authtime 1582092478, etypes {rep=18 tkt=18 ses=18}, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@WIN.GTF.KZ@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ, Realm not local to KDC
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@WIN.GTF.KZ@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ, Realm not local to KDC
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.GTF.KZ@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.GTF.KZ@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
On the FreeIPA client:
In sssd log:
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 1200
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA].
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] (0x1000): Domain win.gtf.kz is Active
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [6709]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [6709]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [6709].
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [6709] finished successfully.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovnikov@win.gtf.kz] is empty.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x56508c296b50] done.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #25]: Request handler finished [0]: Success
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #25]: Receiving request data.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #25]: Request removed.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #25]: Sending result [4][win.gtf.kz]
In /var/log/messages
Feb 19 13:19:49 sqlg su: (to test) root on pts/0
Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: Server krbtgt/WIN.GTF.KZ@NIX.GTF.KZ not found in Kerberos database
Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: Server krbtgt/WIN.GTF.KZ@NIX.GTF.KZ not found in Kerberos database
Feb 19 13:20:03 sqlg su: FAILED SU (to solodovnikov@win.gtf.kz) root on pts/0
Hope this list can provide some pointers.
Thanks in advance.
4 years, 1 month
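The krb5kdc.log excerpts in the post above carry the two signals a responder would pull out of a larger log: every TGS_REQ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ is answered UNKNOWN_SERVER (the IPA KDC has no such cross-realm principal in its database, the same principal the client's "Error constructing AP-REQ armor" message names), and the AS_REQ arrives with the enterprise name m.solodovnikov\@FGT.KZ, which the KDC refers elsewhere and for which the client then logs "Cannot find KDC for realm FGT.KZ". As an added example that is not part of the original post, the Python below parses MIT krb5kdc lines in the format shown there, splits client and server principals (honouring the "\@" that marks an enterprise UPN), and counts both patterns so the symptom can be checked across a whole log file. The sample lines are adapted from the excerpts above with the mailing list's "(a)" restored to "@"; the line regex assumes that same log format.

```python
"""Triage MIT krb5kdc.log lines for cross-realm and enterprise-principal (UPN) failures."""
import re
from collections import Counter

# Sample lines adapted from the krb5kdc.log excerpts in the thread above (mailman's "(a)" restored to "@").
SAMPLE_LOG = r"""Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@FGT.KZ@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ, Realm not local to KDC
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: ISSUE: authtime 1582092478, etypes {rep=18 tkt=18 ses=18}, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/NIX.GTF.KZ@NIX.GTF.KZ
"""

# One MIT krb5kdc request line: timestamp, kdc host, pid/level, request kind, client ip,
# status, optional "authtime"/"etypes" fields, "<client> for <server>", optional reason.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+?): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)


def split_principal(principal):
    """Split 'name@REALM' at the last '@'. krb5 escapes a literal '@' inside the name as '\\@',
    which is how an enterprise principal (a UPN such as user@suffix) shows up in the log."""
    name, _, realm = principal.rpartition("@")
    enterprise = "\\@" in name
    upn_suffix = name.split("\\@", 1)[1] if enterprise else None
    return {"name": name, "realm": realm, "enterprise": enterprise, "upn_suffix": upn_suffix}


def parse_line(line):
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None  # e.g. "closing down fd 11" and other non-request lines
    rec = m.groupdict()
    rec["client"] = split_principal(rec["client"])
    rec["server"] = split_principal(rec["server"])
    return rec


def classify(rec):
    """Return a (tag, detail) finding for a parsed record, or None if the record is routine."""
    srv = rec["server"]
    if rec["kind"] == "TGS_REQ" and rec["status"] == "UNKNOWN_SERVER" and srv["name"].startswith("krbtgt/"):
        target_realm = srv["name"][len("krbtgt/"):]
        if target_realm.upper() != srv["realm"].upper():
            # This KDC holds no cross-realm TGT principal for the target realm.
            return ("missing_cross_realm_tgt", srv["name"] + "@" + srv["realm"])
    if rec["kind"] == "AS_REQ" and rec["status"] == "REFERRAL" and rec["client"]["enterprise"]:
        # A UPN-style login was referred away; the client must be able to find a KDC for the suffix.
        return ("upn_referral", rec["client"]["upn_suffix"])
    return None


def triage(text):
    summary = {"parsed": 0, "skipped": 0, "issued": 0, "findings": Counter()}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["skipped"] += 1
            continue
        summary["parsed"] += 1
        if rec["status"] == "ISSUE":
            summary["issued"] += 1
        tag = classify(rec)
        if tag:
            summary["findings"][tag] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("parsed:", result["parsed"], "skipped:", result["skipped"], "issued:", result["issued"])
    for (tag, detail), count in result["findings"].most_common():
        print(f"{count:4d}  {tag:24s} {detail}")
```

Pointing triage() at a real /var/log/krb5kdc.log separates the two failure classes at a glance: a growing "missing_cross_realm_tgt" count names exactly which krbtgt/REALM@REALM principal the KDC lacks, while "upn_referral" lists the UPN suffixes that clients are presenting, which is the list to check against the trust's configured UPN suffixes and the realms the clients can actually resolve.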
ipa host-del ERROR Unable to communicate with CMS (403)
by Chris Bacott
Hello,
I've been searching for resolution on this issue for a while now, but it seems all of the issues others have encountered were unrelated.
Host OS: CentOS 8.1.1911
All packages up to date.
This is a stock installation of freeipa, nothing tricky like replication or anything. The system authenticates fine, however when I went to add a host to it, for whatever reason the client got the hostname wrong, thus samba authentication wasn't working. I deleted the install on the client, and went to re-install, and it began asking for a password for the host. I never set one up to my knowledge. So, I went to delete the client host completely from the server, and that is where I got the above error.
I've examined 'getcert list', no error. I confirmed that all firewalls are (currently) off, and ports are open. I've examined all logs under /var/log/pki, and there are no errors that I could find. As far as I can tell, tomcat is working just fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden error. Any insights would be helpful.
4 years, 1 month
Add more user/group container objects in freeIPA.
by Mary Georgiou
Hello all,
I'd like to add to the FreeIPA 389DS more user and group containers.
For example, currently the default one is cn=users, cn=accounts, dc=example,dc=com, and I'd like to add OU=something, cn=accounts, dc=example,dc=com and under it cn=some_other_users,OU=something, cn=accounts, dc=example,dc=com, etc.
Is this possible without breaking everything in FreeIPA (considering that I'd like the entries in that part of the tree to be handled as accounts that can be added to groups etc)?
Thanks in advance!
4 years, 1 month
DC-Controllers LDAPS only
by Ronald Wimmer
Will IPA be affected somehow when Windows Domain Controllers start
accepting LDAPS traffic only?
Cheers,
Ronald
4 years, 1 month