FreeIPA-users February 2021

freeipa-users@lists.fedorahosted.org

44 participants
73 discussions

AD user unable to ssh to Linux host
by Mustapha Aissat 02 Feb '21

02 Feb '21

Hi all, I'm facing some problems with connecting AD user to Linux host via ssh. I already configure the trust between IPA server and AD. I create an external group "*grp_dba*" to point on AD group I create a posix group "*admindba*" that contain the external group I create a HBAC rule "*allow_dba*" to allow the group to access the host. I did an HBAC test and it tells me that the access is granted to the user. On the Client host, id, getent and even su work. but I still can't do an ssh! Can you please guide me? Thank you in advance. Here some commands that I used and logs ---------- *on IPA server :* [root@idm01 ~]# *ipa group-show admindba* Group name: admindba GID: 336200005 Member groups: grp_dba Member of HBAC rule: allow_dba [root@idm01 ~]# *ipa hbactest --user=admin_dba01(a)dz.corp --host=zabbix.linux.dz.corp --service=sshd* -------------------- Access granted: True -------------------- Matched rules: allow_dba *On Client host :* [root@zabbix ~]# *id admin_dba01(a)dz.corp* uid=1790001108(admin_dba01(a)dz.corp) gid=1790001108(admin_dba01(a)dz.corp) groups=1790001108(admin_dba01(a)dz.corp),1790000513(domain users(a)dz.corp ),336200005(admindba),1790001107(grp_dba(a)dz.corp) [root@zabbix ~]# *geten admin_dba01(a)dz.corp* getenforce getent [root@zabbix ~]# *getent passwd admin_dba01(a)dz.corp* admin_dba01(a)dz.corp :*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01: [root@zabbix ~]# *getent group admin_dba01(a)dz.corp* admin_dba01@dz.corp:*:1790001108: [root@zabbix ~]# *su - admin_dba01(a)dz.corp* Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1 *[admin_dba01@dz.corp@zabbix ~]$ logout* [root@zabbix ~]# [root@zabbix ~]# *journalctl -e* Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager... Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager. Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01(a)dz.corp Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01(a)dz.corp: 6 (Permission denied) Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01(a)dz.corp from 192.168.122.1 Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for admin_dba01(a)dz.corp from 192.168.122.1 port 43908 ssh2 [preauth] Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user admin_dba01(a)dz.corp 192.168.122.1 port 43908 [preauth] ------- Best regards,

2 2

SelfService change password.
by Kiselev Mikhail 02 Feb '21

02 Feb '21

I met with the problem that the user cannot update his own password ipa user-show new User login: new First name: new Last name: new Home directory: /home/new Login shell: /bin/bash Principal name: new(a)OPENTECH.LOCAL Principal alias: new(a)OPENTECH.LOCAL Email address: new(a)e2e4online.ru UID: 346726108 GID: 100 Account disabled: False Password: True Member of groups: ipausers, users Indirect Member of group: jira_users, grafana_users, asterisk_users, perspectiva_rdp, bamboo_users, nexus_users, bitbucket_users, moodle_users, harbor_users, inkass_rdp, desktop, confluence_users, jenkins_users, maven_users, ivideon_users, chat_users, mail_users, nextcloud_users Indirect Member of HBAC rule: login_users Kerberos keys available: True ipa user-status new ----------------------- Account disabled: False ----------------------- Server: ipareplica1.opentech.local Failed logins: 0 Last successful authentication: N/A Last failed authentication: N/A Time now: 2021-01-12T06:58:47Z Server: ipareplica2.opentech.local Failed logins: 0 Last successful authentication: N/A Last failed authentication: N/A Time now: 2021-01-12T06:58:47Z Server: ipa.opentech.local Failed logins: 0 Last successful authentication: N/A Last failed authentication: N/A Time now: 2021-01-12T06:58:47Z ---------------------------- Number of entries returned 3 ---------------------------- ipa -vv passwd ipa: INFO: trying https://ipa.opentech.local/ipa/session/json ipa: INFO: Request: { "id": 0, "method": "ping", "params": [ [], {} ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "messages": [ { "code": 13001, "data": { "server_version": "2.231" }, "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.231", "name": "VersionMissing", "type": "warning" } ], "summary": "IPA server version 4.6.6. API version 2.231" }, "version": "4.6.6" } ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "command_defaults/1", "params": [ [ "passwd/1" ], { "kw": null, "params": [ "principal" ], "version": "2.231" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "result": { "principal": "new(a)OPENTECH.LOCAL" } }, "version": "4.6.6" } ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "command_defaults/1", "params": [ [ "passwd/1" ], { "kw": { "principal": "new(a)OPENTECH.LOCAL" }, "params": [ "current_password" ], "version": "2.231" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "result": {} }, "version": "4.6.6" } Current Password: New Password: Enter New Password again to verify: ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "command_defaults/1", "params": [ [ "passwd/1" ], { "kw": null, "params": [ "principal" ], "version": "2.231" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "result": { "principal": "new(a)OPENTECH.LOCAL" } }, "version": "4.6.6" } ipa: INFO: [try 1]: Forwarding 'passwd/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "passwd/1", "params": [ [], { "current_password": "test", "password": "123", "version": "2.231" } ] } ipa: INFO: Response: { "error": { "code": 2100, "data": { "info": "Insufficient access rights" }, "message": "Insufficient access: Insufficient access rights", "name": "ACIError" }, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": null, "version": "4.6.6" } ipa: ERROR: Insufficient access: Insufficient access rights

3 3

389ds replication - ERR - slapi_ldap_bind - Could not send bind request for id
by lejeczek 01 Feb '21

01 Feb '21

Hi guys, I'm trying to set up replication for a non-IPA database following RHEL's docs, I'm on Centos Stream, and I get errors: .... [01/Feb/2021:11:25:38.854769282 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "dzien.private:636") [01/Feb/2021:11:25:38.856822436 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=swir-dzien-agreement" (dzien:636) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding) [01/Feb/2021:11:25:41.874045655 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "dzien.private:636") ... Instructions seem rather solid & easy to follow. What am I missing when you look at the errors? many thanks, L.

3 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2021