Re: FreeIPA, kinit with OTP
by Michael Schwartzkopff
On 22.02.22 00:08, Angus Clarke wrote:
> I was meant to have attached the script sorry!
>
> Attached now.
>
> Hope it helps
> Angus
> ________________________________
> From: Michael Schwartzkopff<ms(a)sys4.de>
> Sent: 21 February 2022 23:39
> To: Angus Clarke<angus(a)charworth.com>
> Subject: Re: [Freeipa-users] Re: FreeIPA, kinit with OTP
>
> On 21.02.22 21:34, Angus Clarke wrote:
>
> Hi Michael
>
> I wrote this a long time back and we use it extensively. It mentions:
>
> # requires krb5-pkinit (not installed on ipa client by default)
>
> Otherwise something else is amiss I suppose.
>
> Regards
> Angus
>
> After installation of the package I can do a kinit -n and get the ANONYMOUS ticket.
>
> But when I do a kinit with my user name I get:
>
> $ kinit username
> kinit: Pre-authentication failed: Invalid argument while getting initial credentials
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
>
Following the steps of the script I get one step further, but still:
$ kinit -T KCM:1286400012 username
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
Are there any log files to check the auth process?
Kind regards,
FreeIPA, kinit with OTP
by Michael Schwartzkopff
Hi,
I want to use OTP for Kerberos tickets. Plain login works as expected. When I
run kinit user I get the response:
$ kinit user
kinit: Generic preauthentication failure while getting initial credentials
I read some docs and tried:
$ kinit -n
Password for WELLKNOWN/ANONYMOUS(a)SYS4.DE:
Where do I set this ANONYMOUS password?
On my FreeIPA server pkinit is enabled.
Kind regards,
Rejoining to domain but getting error - You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
by sharmaji a
Hi FreeIPA team,
I'm verifying the FreeIPA backup/restore process.
In our lab environment, FreeIPA 4.5.0 was running fine as a single instance. I took the backup and shut down the VM.
I created a fresh CentOS 7 VM, installed IPA server 4.6.8 and restored the "data only" backup. The FQDN and IP address are the same as on the old VM.
After a little troubleshooting all services are working fine. I can see all users & hosts. All good.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Now from the existing client side, I did ipa-client-install --uninstall, but when I run
ipa-client-install --domain example.com --realm EXAMPLE.COM I get the error below:
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
I tried on a fresh client, but domain joining still fails with the same error.
Any suggestion?
Also, if someone can share a good document for the backup/restore process where the backup is restored on a completely new & fresh system, it will be highly appreciated.
Regards,
Anand
MemberManager
by Sigbjorn Lie-Soland
Hi list,
We recently upgraded our IPA environment from EL7.9 to EL8.5, and now we are testing out the new Member Manager feature.
Adding a user group (example: "role-groupmanager") as a MemberManager for another group (example: "role-usergroup-A") yields an error message when a user member of the "role-groupmanager" group (example: "thorleif") attempts to add/remove users from the group "role-usergroup-A":
"Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry"
If I add the user "thorleif" directly as a MemberManager of the group "role-usergroup-A", he can successfully add and remove users from the group "role-usergroup-A".
I presume this is a bug? Is there a known BZ for this or do you need me to open one?
Regards,
Siggi
zone types - allow both - check for state
by lejeczek
@devel
Hi guys.
Not knowing the nitty-gritty of the internals of it, I'd dare to suggest, as a
future enhancement perhaps, this:
allow both types of zone; creation of the second type would fail if the
first is 'enabled', and the same would go for '-mod': allow (and
facilitate a switch to) 'enabled' only if the other is disabled (certainly allow both
to be 'disabled').
That would certainly be a handy bit from an admin point of view.
many thanks, L.
Use of OTP in special cases?
by Michael Schwartzkopff
Hi,
I am testing OTP usage of FreeIPA. Really cool stuff. Thanks for your work.
I have a user with "authentication type: OTP". So every time he wants to
log in he is asked for username and token. Works.
Sometimes it should be sufficient to provide only password, not OTP
(i.e. inside company with company laptop).
OTP should only be asked in special cases like VPN access. Is this possible?
Kind regards,
pkcs11-bind with DDNS updates from ISC DHCP returns SERVFAIL frequently
by Brian J. Murrell
Is anyone here running FreeIPA on EL8 (a.k.a. RedHat IdM) with DDNS
updates enabled from dhcpd, and running that server as their network's
recursive resolver? Successfully?
On EL7, this just didn't work for me due to
https://bugzilla.redhat.com/show_bug.cgi?id=1409321 and it seems even
worse on EL8.
The TL;DR is that if you have DDNS updates coming into named-pkcs11 from
ISC dhcpd, many (i.e. recursive resolver) queries to named-pkcs11 will
frequently, temporarily and intermittently return SERVFAIL.
If you stop the DDNS updates from ISC DHCP the recursive resolving
behaviour of the server stabilizes and it stops returning SERVFAILs.
So, this is just a query to see if anyone is actually running this
configuration successfully. If you think you might be successful with
this configuration, how many recursive resolvers do you have in your
network? If you have more than just the (single) FreeIPA server, it
might be that named-pkcs11 on that machine is frequently returning
SERVFAIL and that you are just not noticing because your alternate
recursive resolvers are masking it.
So if you are running in such a configuration with alternate recursive
resolvers, it might be interesting to use tcpdump or some such on your
FreeIPA server to see if your named-pkcs11 is indeed returning SERVFAIL
for many of your queries.
Cheers,
b.
freeipa and pihole integration, so no forwarders
by Rob Verduijn
Hi all,
I'm trying to reduce the number of systems in my network.
Currently if I want to use a pi-hole in combination with freeipa one of
them is going to use the other as a forwarder.
And without some firewall/router port redirection magic (also hopelessly
complicating things) this is not going to run on one system.
Did anybody manage to integrate pi-hole into freeipa as a plugin or some
other nifty solution making it possible to run it all on one system ?
Rob
Ubuntu 20.04 as a client - no A records
by lejeczek
Hi guys
would anybody be able to confirm that Ubuntu client does not get IPA to
create A record unless '--ip-address' is used with the client?
I do not suppose it's IPA server's issue, right?
many thanks, L.
Freeipa and server SFTP
by MERCIER Jonathan
Dear Dev team and community,
I created a PAM file in order to authenticate users through the vsftpd service.
I would like to get your recommendation.
Thanks for your insight.
--------------------------------------
#%PAM-1.0
# Restrictions come first: a 'sufficient' module that succeeds ends the auth
# stack, so any deny list or shell check listed after it would never run.
auth required pam_env.so
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# Authenticate against sssd (FreeIPA); fall through to the system stack otherwise.
auth sufficient pam_sss.so forward_pass
auth include password-auth
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account include password-auth
# pam_loginuid.so only needs to be listed once.
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_mkhomedir.so umask=0022
session include password-auth
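As an added check (not part of Jonathan's post or of vsftpd/FreeIPA), a small Python parser for a PAM stack that flags restrictive auth modules placed after a 'sufficient' one: with pam_sss.so sufficient on the first line, a successful sssd authentication ends the auth stack before the ftpusers deny list, the shell check and the uid test are consulted. The sample input is the stack in its originally posted order, embedded as a constructed string.

```python
import re

# Constructed sample input: the vsftpd PAM stack in the order it was posted.
POSTED_STACK = """\
#%PAM-1.0
auth sufficient pam_sss.so forward_pass
auth required pam_env.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account include password-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_mkhomedir.so umask=0022
session required pam_loginuid.so
session include password-auth
"""

# Modules that restrict who may log in rather than verify a credential.
RESTRICTIVE = {"pam_listfile.so", "pam_shells.so", "pam_succeed_if.so", "pam_access.so"}

def parse_pam(text: str) -> list[tuple[str, str, str, str]]:
    """Split each non-comment line into (type, control, module, args).
    A bracketed control such as [default=bad success=ok] stays one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        entries.append(m.groups())
    return entries

def bypassed_auth_checks(text: str) -> list[str]:
    """Restrictive 'auth' modules listed after a 'sufficient' one. When that module
    succeeds (and nothing before it failed) PAM returns at once, so they never run."""
    skipped, after_sufficient = [], False
    for ptype, control, module, _ in parse_pam(text):
        if ptype != "auth":
            continue
        if control == "sufficient":
            after_sufficient = True
        elif after_sufficient and module in RESTRICTIVE:
            skipped.append(module)
    return skipped
```

Moving the three restriction lines above pam_sss.so makes the function return an empty list, which is the order a reviewer would recommend.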