aes256-sha2
by Charles Hedrick
If I wanted to use aes256-sha2 for tickets by default, how would I do that? I've verified that our KDC can issue service tickets for that if I specify -e aes256-sha2 with ipa-getkeytab, but kinit and everything else seems to use older encryption types.
5 months, 3 weeks
[SSSD] Announcing SSSD 2.9.3
by Pavel Březina
# SSSD 2.9.3
The SSSD team is announcing the release of version 2.9.3 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.9.3
See the full release notes at:
https://sssd.io/release-notes/sssd-2.9.3.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* The proxy provider is now able to handle certificate mapping and
matching rules and users handled by the proxy provider can be configured
for local Smartcard authentication. Besides the mapping rule local
Smartcard authentication should be enabled with the 'local_auth_policy'
option in the backend and with 'pam_cert_auth' in the PAM responder.
### Important fixes
* Passkey doesn't fail when using FreeIPA server-side authentication and
require-user-verification=false.
### New features
* When adding a new credential to KCM and the user has already reached
their limit, the oldest expired credential will be removed to free some
space. If no expired credential is found to be removed, the operation
will fail as it happened in the previous versions.
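The KCM change above describes an eviction policy; the following is an added illustration of that policy, not SSSD code. The store, the `Credential` type, the per-user `limit`, and the reading of "oldest expired" as "earliest expiry time" are all constructed for this example.

```python
"""Per-user credential limit with "evict the oldest expired credential" behaviour,
illustrating the KCM change described in the release notes above.
Added example, not SSSD code: the store, the Credential type and "oldest" meaning
"earliest expiry time" are constructed for this illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Credential:
    name: str         # constructed label, e.g. the service the ticket is for
    expires_at: int   # expiry as a Unix timestamp


class CredentialCacheFull(Exception):
    """Raised when the limit is reached and no expired credential can be evicted."""


class UserCredentialStore:
    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.creds: List[Credential] = []

    def add(self, cred: Credential, now: int) -> Optional[str]:
        """Store `cred`, returning the name of an evicted credential or None.

        When the user is at the limit, the expired credential with the earliest
        expiry time is removed to make room. If nothing has expired, the add
        fails, as it did before this change."""
        evicted: Optional[str] = None
        if len(self.creds) >= self.limit:
            expired = [c for c in self.creds if c.expires_at <= now]
            if not expired:
                raise CredentialCacheFull(
                    f"limit of {self.limit} credentials reached and none expired")
            victim = min(expired, key=lambda c: c.expires_at)
            self.creds.remove(victim)
            evicted = victim.name
        self.creds.append(cred)
        return evicted

    def names(self) -> List[str]:
        return [c.name for c in self.creds]


def demo() -> dict:
    """Walk through the three cases: room available, eviction, and hard failure."""
    store = UserCredentialStore(limit=2)
    store.add(Credential("ldap/host-a", expires_at=100), now=50)
    store.add(Credential("ldap/host-b", expires_at=200), now=50)
    # At now=150 only host-a has expired, so it is the one evicted.
    evicted = store.add(Credential("ldap/host-c", expires_at=300), now=150)
    try:
        # At now=160 nothing in the cache has expired: the add must fail.
        store.add(Credential("ldap/host-d", expires_at=400), now=160)
        failed = False
    except CredentialCacheFull:
        failed = True
    return {"evicted": evicted, "failed_when_none_expired": failed,
            "cached": store.names()}


if __name__ == "__main__":
    print(demo())
```

The point worth keeping in mind operationally is the last case: a user who holds only unexpired credentials at the limit still gets a failure, so monitoring for that error is still necessary after the upgrade.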
5 months, 3 weeks
New plugin - freeipa-postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have finished writing a plugin to easily administrate postfix/dovecot accounts from FreeIPA:
https://github.com/oculos/freeipa-postfixadmin/tree/main
There is already a very well written plugin (https://github.com/Carbenium/freeipa-mailserver/tree/master) that does much of what my plugin does (and much more elegantly), but my main goal was to replicate the way Postfixadmin presents data.
There are a few things still to do with this plugin. I need to hide some actions on the User's Actions menu (such as create or delete, when the user already has or doesn't have a mailbox). «enable_cond» didn't work for me.
I would be happy if someone else does the permissions part. Since I use FreeIPA mostly on my homelab, fine-grained permissions were not a priority, but they might be for other people. I also didn't add an interface for changing passwords for the mailboxes that aren't a «user» (i.e., under cn=users). I might use Keycloak for that.
I'll focus on creating postfix/dovecot configurations and will update the repo when that happens.
Best,
Francis
5 months, 4 weeks
New plugin almost ready - postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have almost finished a plugin for FreeIPA, so that admins can have similar functionality found on Postfix Admin.
https://github.com/oculos/freeipa-postfixadmin/blob/main/README.md
There is already a good plugin that does a bit of that, but the goal is a bit different. My main goal is not to mix up postfix configuration with groups and hosts, but have separate entities for domain, aliases and virtual domains, in addition to mailboxes.
It was written mostly to allow me to migrate my mailboxes from MySQL to FreeIPA, and I don’t have a huge postfix configuration - I only have multiple domains, mailboxes, aliases and virtual domains, so that’s the functionality I wanted with this plugin.
There are a few things missing before this can go in production («production» here means to actually migrate my mailboxes to FreeIPA), adding a mailbox to ipa users on the gui being the most important one.
I would appreciate any comments and feedback regarding this plugin. It wasn't easy to understand the logic of how to write one, but I got the hang of it (for simple stuff).
Best,
Francis
5 months, 4 weeks
[FOSDEM] [CfP] Identity and Access Management devroom at FOSDEM 2024
by Iker Pedrosa
Hi!
It is a great pleasure to announce a devroom dedicated to Identity and
Access Management at FOSDEM 2024. The last devroom at FOSDEM dedicated to
this topic was in 2018 and we would like to replicate that success.
Original FOSDEM CfP below.
I think there are enough interesting developments and uses of FreeIPA in
different environments that it is worth presenting at this event.
Consider submitting a talk proposal if you are planning to attend FOSDEM!
Deadline is December 1st, 2023.
Original CfP
Hi!
This is a call for proposals for the Identity and Access Management
Devroom: https://iam-devroom.github.io/fosdem-2024/
# Identity and Access Management Devroom @ FOSDEM'2024
[FOSDEM 2024](https://fosdem.org/2024/) will have an [identity and
access management
devroom](https://fosdem.org/2024/schedule/track/identity_and_access_manag....
The IAM devroom is planned to run on **Sunday, February 4th, 2024** in
Brussels, Belgium at [ULB](http://www.ulb.ac.be/).
## Our topics this year
This is the Identity and Access Management Devroom and we invite you to submit
a talk that is relevant to operating systems' identity and access management in
the free software and open source world. We don't exclude any relevant
submission, for ideas and suggestions please check the previous edition of IAM
devroom at [FOSDEM
2018](https://archive.fosdem.org/2018/schedule/track/identity_and_access_...
Suggested topics:
- Security: algorithms and protocols for IAM/IdM; passwords and
password alternatives
- Federated and social identity; leveraging external identities in applications
- Audit, compliance, monitoring
- User experience, desktop integration
- Free software IAM/IdM offerings
- IAM/IdM deployment reports
and more. Don't be shy and show how your project helps to improve our lives.
## Submissions
Submissions require a small abstract and a short speaker description and must
be submitted [via the Pretalx system](https://fosdem.org/submit) no later than
**1st of December 2023**. Suggested duration for a timeslot to apply for is
**25 minutes** (20 min presentation + 5 mins questions). The schedule shall be
finalized by **15 December 2023**.
Note that this is a new submission system and accounts from pentabarf were not
migrated: Presenters will have to create a new account.
Instructions:
* Go to [https://fosdem.org/submit](https://fosdem.org/submit)
* Register a new account
* Create a new event with your title and abstract and some
information about you
* Be sure to set the event track to "Identity and Access Management devroom"
* Subscribe to the [iam-devroom at lists.fosdem.org](https://lists.fosdem.org/listinfo/iam-devroom)
mailing list for announcements
### Organizers
* You! - any help with organizing is highly appreciated!
* Alexander Bokovoy (ab at samba.org)
* Iker Pedrosa (ipedrosa at redhat.com)
--
Iker Pedrosa
Senior Software Engineer, Identity Management team
Red Hat <https://www.redhat.com>
Txapela (gorria) buruan eta ibili munduan
(Red) hat on his head and walk the world
Basque proverb
6 months
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
6 months
Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
by Alexander Bokovoy
On Mon, 06 Nov 2023, Kroon PC, Peter wrote:
>Hi all,
>
>thanks for the response, and my apologies for my slow reply -- life happened.
>I put my responses inline. It seems that the ldapupdate file you provided generated a SID config.
Thanks. It is hard to read your inline responses as they went without
proper quoting but I think I understood what you wanted to show.
You still need to add an ID range that covers your actual POSIX IDs. Without
that we wouldn't be able to generate SIDs either.
After an ID range is added, `ipa config-mod --enable-sid --add-sids`
should fix the rest.
>
>Peter
>
>
>________________________________________
>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>Sent: Thursday 26 October 2023 16:59
>To: Kroon PC, Peter
>CC: Rob Crittenden; FreeIPA users list
>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
>On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
>>Hi Alexander and Rob,
>>
>>many thanks for your prompt responses :)
>>I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
>>I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.
>>
>>Peter
>>
>>________________________________________
>>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>>Sent: Wednesday 25 October 2023 20:49
>>To: Rob Crittenden
>>CC: FreeIPA users list; Kroon PC, Peter
>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>>
>>On Wed, 25 Oct 2023, Rob Crittenden wrote:
>>>Alexander Bokovoy via FreeIPA-users wrote:
>>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>>> Hi all,
>>>>>
>>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>>
>>>>> $ kinit admin
>>>>> Password for admin(a)EXAMPLE.COM:
>>>>> $ ipa show-user admin
>>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>>>> Error: No credentials were supplied, or the credentials were
>>>>> unavailable or inaccessible (Credential cache is empty)
>>>>>
>>>>> /var/log/krb5kdc.log:
>>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>>>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>>>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>>>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>>>>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com(a)EXAMPLE.COM for
>>>>> ldap/freeipa.example.com(a)EXAMPLE.COM, TGT has been revoked
>>>>>
>>>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>>>> Because of this, the web gui also doesn't work.
>>>>
>>>> That is a correct description of the reason why it does not work.
>>>>
>>>>>
>>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>>>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>>> SASL/GSSAPI authentication started
>>>>> SASL username: admin(a)EXAMPLE.COM
>>>>> SASL SSF: 256
>>>>> SASL data security layer installed.
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>>> # filter: ipaNTSecurityIdentifier=*
>>>>> # requesting: uid ipaNTSecurityIdentifier
>>>>> #
>>>>>
>>>>> # admin, users, accounts, example.com
>>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>>> uid: admin
>>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>>
>>>>> # search result
>>>>> search: 4
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>>
>>>>> Out of the ~200 or so users only the admin user has a
>>>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>>>> is broken. I do still have LDAP access fortunately.
>>>>
>>>> You can run it, see below. If you'd run, do you have any error messages in
>>>> the dirsrv errors log related to sidgen plugin?
>>>>
>>>>>
>>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>>>> but that results in the exact same error. Setting ipaKrbAuthzData=None
>>>>> in cn=ipaConfig also has no effect.
>>>>
>>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>>> require PAC presence since last year, so for any real Kerberos service
>>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>>> enforcement.
>>
>>This is useful information :)
>>
>>>>
>>>> Look at your ID range and SID configuration. You can avoid admin issue
>>>> currently by running 'ipa' tool on IPA server as root with '-e
>>>> in_server=true' option. This will force the tool to simulate direct
>>>> access (as if it is running within httpd) and talk directly to LDAPI
>>>> socket.
>>>>
>>>> Something like below:
>>>>
>>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>>> guaranteed. Assuming server's API version, 2.253
>>>> Domain: ipa1.test
>>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>>> NetBIOS name: IPA1
>>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>>> Fallback primary group: Default SMB Group
>>>> IPA AD trust agents: master1.ipa1.test
>>>> IPA AD trust controllers: master1.ipa1.test
>>
>>KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>ipa: ERROR: : trust configuration not found
>
>Ok, let's try differently. Can you provide output of
>
># ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
> -b cn=ad,cn=etc,dc=example,dc=com
>
>(replace EXAMPLE-COM and dc=example,dc=com by your domain data)
>
>dn: cn=ad,cn=etc,dc=example,dc=com
>objectClass: nsContainer
>objectClass: top
>cn: cn
>cn: ad
>>
>>
>>>>
>>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>>> guaranteed. Assuming server's API version, 2.253
>>>> ----------------
>>>> 5 ranges matched
>>>> ----------------
>>>> Range name: IPA1.TEST_id_range
>>>> First Posix ID of the range: 1055600000
>>>> Number of IDs in the range: 200000
>>>> First RID of the corresponding RID range: 1000
>>>> First RID of the secondary RID range: 100000000
>>>> Range type: local domain range
>>>>
>>>> ... [ skip ] ...
>>>>
>>>>
>>
>>ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
>>----------------
>>2 ranges matched
>>----------------
>> Range name: EXAMPLE.COM_id_range
>> First Posix ID of the range: 1000
>> Number of IDs in the range: 4000
>> Range type: local domain range
>
>This one is definitely not configured to handle SIDs. Also, see my
>comment at the bottom of this email.
>
>>
>> Range name: EXAMPLE.COM_subid_range
>> First Posix ID of the range: 2147483648
>> Number of IDs in the range: 2147352576
>> First RID of the corresponding RID range: 2147479648
>> Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632
>> Range type: Active Directory domain range
>>----------------------------
>>Number of entries returned 2
>>----------------------------
>>
>>>
>>>In my testing you can't run config-mod without a principal, and running
>>>in-server does not have a principal.
>>>
>>># KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids
>>>--enable-sid
>>>[snip]
>>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>>line 701, in pre_callback
>>> self._enable_sid(ldap, options)
>>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>>line 512, in _enable_sid
>>> if not principal_has_privilege(self.api, context.principal, privilege):
>>> ^^^^^^^^^^^^^^^^^
>>>AttributeError: '_thread._local' object has no attribute 'principal'
>>>ipa: ERROR: an internal error has occurred
>>
>>Thank you, Rob. I did not check that part.
>>
>>On IPA master one can run the oddjobd-activated script directly:
>>
>># /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>>
>>$ /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>>Configuring SID generation
>> [1/8]: creating samba domain object
>> [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>The ipa-enable-sid command failed. See /var/log/ipaserver-enable-sid.log for more information
>>
>>Python traceback from the log:
>>2023-10-26T13:24:21Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>> method()
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
>> api.Backend.ldap2.add_entry(entry)
>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
>> super(LDAPCache, self).add_entry(entry)
>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
>> self.conn.add_s(str(entry.dn), list(attrs.items()))
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
>> return self.add_ext_s(dn,modlist,None,None)
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
>> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
>> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
>> result = func(*args,**kwargs)
>>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>
>>2023-10-26T13:24:21Z DEBUG [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>2023-10-26T13:24:21Z DEBUG Destroyed connection context.ldap2_140617190554016
>>2023-10-26T13:24:21Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>> return_value = self.run()
>> File "/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid", line 68, in run
>> smb.create_instance()
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
>> self.start_creation(show_service_name=False)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>> method()
>> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
>> api.Backend.ldap2.add_entry(entry)
>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
>> super(LDAPCache, self).add_entry(entry)
>> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
>> self.conn.add_s(str(entry.dn), list(attrs.items()))
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
>> return self.add_ext_s(dn,modlist,None,None)
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
>> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
>> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
>> result = func(*args,**kwargs)
>>
>>2023-10-26T13:24:21Z DEBUG The ipa-enable-sid command failed, exception: TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>>
>>
>>I still need to see ID range and trustconfig-show output to understand
>>the state of this deployment. Also, dirsrv errors log would be helpful
>>if there was an attempt to run sidgen in past.
>>
>>I went through the dirsrv logs, and found the following:
>>[24/Oct/2023:10:25:34.071341978 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>>[24/Oct/2023:10:25:34.300104111 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [52021] into an unused SID.
>>[24/Oct/2023:10:25:34.300266490 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>>[24/Oct/2023:10:25:34.303536359 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>
>You have a range that defines UID/GID space of [1000...5000] but IDs are
>outside this range. This is pretty much wrong regardless of whether we
>enforce SIDs or not ;)
>
>You need to create a separate ID range that would cover your existing
>IDs. Before that, we need to create a configuration to be used for SID
>generation -- if the ldapsearch above would show us that the entry in
>cn=ad,cn=etc,$SUFFIX does not exist.
>
>Since ipa-enable-sid has failed, probably the entry indeed does not exist and
>it would be easier to construct it with ipa-ldap-updater tool:
>
>----
>dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}
>default:objectClass: ipaNTDomainAttrs
>default:objectClass: nsContainer
>default:objectClass: top
>default:cn: ${DOMAIN}
>default:ipaNTFlatName: NETBIOSNAME
>default:ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
>default:ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
>default:ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}
>----
>
>Change 'NETBIOSNAME' above to some name. By default that would be the
>first part of your Kerberos realm, e.g. for IPA1.TEST that would be
>IPA.
>
>The SID value (S-1-5-21-...) is the one that your admin user has,
>without the last part (relative identifier, RID, which is -500 for
>administrator case).
>
>Save this to a file named '90-somefile.update' and run as root
>
># ipa-ldap-updater ./90-somefile.update
>
>
>Alright, it said "update successful". The ldapsearch above now produces:
># ad, etc, example.com
>dn: cn=ad,cn=etc,dc=example,dc=com
>objectClass: nsContainer
>objectClass: top
>cn: cn
>cn: ad
>
># example.com, ad, etc, example.com
>dn: cn=example.com,cn=ad,cn=etc,dc=example,dc=com
>objectClass: ipaNTDomainAttrs
>objectClass: nsContainer
>objectClass: top
>cn: example.com
>ipaNTFlatName: MYNETBIOSNAME
>ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
>ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
>ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,dc=example,dc=com
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
6 months
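The thread above turns on two checks an operator can do before touching SID generation: whether the local ID range actually covers the POSIX IDs in use (the dirsrv log shows sidgen failing on ID 52021, which lies outside the 1000..5000 range), and what the domain SID is (the admin user's SID minus its RID of 500). The script below is an added example written for this digest, not FreeIPA code. It parses the `ipa idrange-find` output quoted in the thread, reports uncovered IDs, and shows what SID a covered ID would receive once a range with a RID base exists. The RID formula `rid = base_rid + (posix_id - base_id)` is an assumption about how sidgen maps IDs, and the proposed `EXAMPLE.COM_legacy_range` and the IDs 1001 and 52022 are constructed.

```python
"""Check FreeIPA ID-range coverage of in-use POSIX IDs and derive the domain SID
from an existing user SID. Added example, not FreeIPA code. Assumptions:
sidgen assigns rid = base_rid + (posix_id - base_id) within a local range;
the proposed range and most sample IDs below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    base_rid: Optional[int]   # None when the range carries no primary RID base
    range_type: str

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size


# Labels exactly as `ipa idrange-find` prints them, mapped to IdRange fields.
FIELDS = {
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "base_rid",
    "Range type": "range_type",
}


def _build(d: dict) -> IdRange:
    return IdRange(d["name"], d["base_id"], d["size"],
                   d.get("base_rid"), d.get("range_type", ""))


def parse_idrange_find(text: str) -> List[IdRange]:
    """Parse the human-readable output of `ipa idrange-find` into IdRange objects."""
    ranges: List[IdRange] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Range name:"):
            if cur:
                ranges.append(_build(cur))
            cur = {"name": line.split(":", 1)[1].strip()}
            continue
        for label, key in FIELDS.items():
            if line.startswith(label + ":"):
                value = line.split(":", 1)[1].strip()
                cur[key] = value if key == "range_type" else int(value)
    if cur:
        ranges.append(_build(cur))
    return ranges


USER_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def domain_sid_from_user_sid(user_sid: str) -> str:
    """Drop the trailing RID (500 for the admin account) to get the domain SID."""
    m = USER_SID_RE.match(user_sid)
    if not m:
        raise ValueError(f"not a domain user SID: {user_sid}")
    return m.group(1)


def local_ranges(ranges: List[IdRange]) -> List[IdRange]:
    return [r for r in ranges if r.range_type == "local domain range"]


def uncovered_ids(ranges: List[IdRange], posix_ids: List[int]) -> List[int]:
    """IDs that no local range covers: sidgen cannot convert these into a SID."""
    locals_ = local_ranges(ranges)
    return sorted(i for i in set(posix_ids) if not any(r.covers(i) for r in locals_))


def sid_for_posix_id(ranges: List[IdRange], domain_sid: str, posix_id: int) -> Optional[str]:
    """SID a covered ID would get; None if uncovered or the range has no RID base."""
    for r in local_ranges(ranges):
        if r.covers(posix_id) and r.base_rid is not None:
            return f"{domain_sid}-{r.base_rid + (posix_id - r.base_id)}"
    return None


# Sample input: the idrange-find output quoted in the thread (constructed copy).
IDRANGE_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 1000
  Number of IDs in the range: 4000
  Range type: local domain range

  Range name: EXAMPLE.COM_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147479648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632
  Range type: Active Directory domain range
"""
ADMIN_SID = "S-1-5-21-3777974847-1414448952-306354440-500"   # admin's SID from the thread
IN_USE_IDS = [1001, 52021, 52022]   # 52021 is from the dirsrv log; the others are constructed


def report() -> dict:
    ranges = parse_idrange_find(IDRANGE_OUTPUT)
    domain_sid = domain_sid_from_user_sid(ADMIN_SID)
    # Constructed proposal: a local range covering the legacy IDs, with a RID base.
    proposed = IdRange("EXAMPLE.COM_legacy_range", 50000, 10000, 200000, "local domain range")
    fixed = ranges + [proposed]
    return {
        "domain_sid": domain_sid,
        "uncovered": uncovered_ids(ranges, IN_USE_IDS),
        "sid_for_1001_before": sid_for_posix_id(ranges, domain_sid, 1001),
        "sid_for_52021_after": sid_for_posix_id(fixed, domain_sid, 52021),
        "uncovered_after": uncovered_ids(fixed, IN_USE_IDS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two results are the ones to watch: `sid_for_1001_before` is `None` even though 1001 sits inside the existing range, because that range has no RID base (the "definitely not configured to handle SIDs" remark in the thread), and `uncovered` lists the IDs that sidgen would log as "Cannot convert Posix ID" until a covering range exists.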
FreeIPA Server - Allow authentication over multiple networks
by kevin@kjay.net
I have a pair of IPA servers with 2 networks(192.168.10.0,
192.168.30.0). Authentication happens over the 192.168.30.0 network. I
am unable to authenticate over the 192.168.10.0 network.
What do I need to configure to get authentication working over the
192.168.10.0 network? Is this easily done post-installation?
Thanks,
Kevin
6 months
FreeIPA and DNSSEC
by Yavor Marinov
Hello all,
initially our main FreeIPA has been installed with DNSSEC but at the moment
I have issues with it as the ipa-ods-exporter is failing. I've tried the
following:
- ipa-dns-install --no-dnssec-validation - at the moment this is exiting
with the following errors in 6/7 step - creating replica keys
2023-11-06T12:07:32Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
line 672, in run_step
method()
File
"/usr/lib/python3.9/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 320, in __setup_replica_keys
p11 = _ipap11helper.P11_Helper(
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 882,
in __init__
check_return_value(rv, "log in")
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 609,
in check_return_value
raise Error(errmsg)
ipaserver.p11helper.Error: Error at log in: 0xa0
- ipa-dns-install --dnssec-master --kasp-db /var/opendnssec/kasp.db -
this commands fails with
2023-11-06T12:15:28Z DEBUG stderr=ipa-dnskeysync-replica: INFO To
increase debugging set debug=True in dns.conf See default.conf(5) for
details
Traceback (most recent call last):
File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 179, in <module>
localhsm = LocalHSM(
File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py",
line 96, in __init__
self.p11 = _ipap11helper.P11_Helper(label, pin, library)
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 882,
in __init__
check_return_value(rv, "log in")
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 609,
in check_return_value
raise Error(errmsg)
ipaserver.p11helper.Error: Error at log in: 0xa0
Exception ignored in: <function LocalHSM.__del__ at 0x7fef464364c0>
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py",
line 99, in __del__
self.p11.finalize()
AttributeError: 'LocalHSM' object has no attribute 'p11'
Can someone advise how to regenerate everything from scratch so DNSSEC is
again available for the configured zones?
Best Regards
6 months
Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
by Alexander Bokovoy
On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
>Hi Alexander and Rob,
>
>many thanks for your prompt responses :)
>I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
>I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.
>
>Peter
>
>________________________________________
>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>Sent: Wednesday 25 October 2023 20:49
>To: Rob Crittenden
>CC: FreeIPA users list; Kroon PC, Peter
>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
>On Wed, 25 Oct 2023, Rob Crittenden wrote:
>>Alexander Bokovoy via FreeIPA-users wrote:
>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>
>>>> $ kinit admin
>>>> Password for admin(a)EXAMPLE.COM:
>>>> $ ipa show-user admin
>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>>> Error: No credentials were supplied, or the credentials were
>>>> unavailable or inaccessible (Credential cache is empty)
>>>>
>>>> /var/log/krb5kdc.log:
>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>>>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com(a)EXAMPLE.COM for
>>>> ldap/freeipa.example.com(a)EXAMPLE.COM, TGT has been revoked
>>>>
>>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>>> Because of this, the web gui also doesn't work.
>>>
>>> That is a correct description of the reason why it does not work.
>>>
>>>>
>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>> SASL/GSSAPI authentication started
>>>> SASL username: admin(a)EXAMPLE.COM
>>>> SASL SSF: 256
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>> # filter: ipaNTSecurityIdentifier=*
>>>> # requesting: uid ipaNTSecurityIdentifier
>>>> #
>>>>
>>>> # admin, users, accounts, example.com
>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>> uid: admin
>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> Out of the ~200 or so users only the admin user has a
>>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>>> is broken. I do still have LDAP access fortunately.
>>>
>>> You can run it, see below. If you'd run, do you have any error messages in
>>> the dirsrv errors log related to sidgen plugin?
>>>
>>>>
>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>>> but that results in the exact same error. Setting ipaKrbAuthzData=None
>>>> in cn=ipaConfig also has no effect.
>>>
>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>> require PAC presence since last year, so for any real Kerberos service
>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>> enforcement.
>
>This is useful information :)
>
>>>
>>> Look at your ID range and SID configuration. You can avoid admin issue
>>> currently by running 'ipa' tool on IPA server as root with '-e
>>> in_server=true' option. This will force the tool to simulate direct
>>> access (as if it is running within httpd) and talk directly to LDAPI
>>> socket.
>>>
>>> Something like below:
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>> Domain: ipa1.test
>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>> NetBIOS name: IPA1
>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>> Fallback primary group: Default SMB Group
>>> IPA AD trust agents: master1.ipa1.test
>>> IPA AD trust controllers: master1.ipa1.test
>
>KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>ipa: ERROR: : trust configuration not found
Ok, let's try differently. Can you provide output of
# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
-b cn=ad,cn=etc,dc=example,dc=com
(replace EXAMPLE-COM and dc=example,dc=com by your domain data)
>
>
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>> ----------------
>>> 5 ranges matched
>>> ----------------
>>> Range name: IPA1.TEST_id_range
>>> First Posix ID of the range: 1055600000
>>> Number of IDs in the range: 200000
>>> First RID of the corresponding RID range: 1000
>>> First RID of the secondary RID range: 100000000
>>> Range type: local domain range
>>>
>>> ... [ skip ] ...
>>>
>>>
>
>ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
>----------------
>2 ranges matched
>----------------
> Range name: EXAMPLE.COM_id_range
> First Posix ID of the range: 1000
> Number of IDs in the range: 4000
> Range type: local domain range
This one is definitely not configured to handle SIDs. Also, see my
comment at the bottom of this email.
>
> Range name: EXAMPLE.COM_subid_range
> First Posix ID of the range: 2147483648
> Number of IDs in the range: 2147352576
> First RID of the corresponding RID range: 2147479648
> Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632
> Range type: Active Directory domain range
>----------------------------
>Number of entries returned 2
>----------------------------
>
>>
>>In my testing you can't run config-mod without a principal, and running
>>in-server does not have a principal.
>>
>># KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids
>>--enable-sid
>>[snip]
>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>line 701, in pre_callback
>> self._enable_sid(ldap, options)
>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>line 512, in _enable_sid
>> if not principal_has_privilege(self.api, context.principal, privilege):
>> ^^^^^^^^^^^^^^^^^
>>AttributeError: '_thread._local' object has no attribute 'principal'
>>ipa: ERROR: an internal error has occurred
>
>Thank you, Rob. I did not check that part.
>
>On IPA master one can run the oddjobd-activated script directly:
>
># /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>
>$ /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>Configuring SID generation
> [1/8]: creating samba domain object
> [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>The ipa-enable-sid command failed. See /var/log/ipaserver-enable-sid.log for more information
>
>Python traceback from the log:
>2023-10-26T13:24:21Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
> api.Backend.ldap2.add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
> super(LDAPCache, self).add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
> self.conn.add_s(str(entry.dn), list(attrs.items()))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> return self.add_ext_s(dn,modlist,None,None)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> result = func(*args,**kwargs)
>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>
>2023-10-26T13:24:21Z DEBUG [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>2023-10-26T13:24:21Z DEBUG Destroyed connection context.ldap2_140617190554016
>2023-10-26T13:24:21Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
> return_value = self.run()
> File "/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid", line 68, in run
> smb.create_instance()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
> self.start_creation(show_service_name=False)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
> api.Backend.ldap2.add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
> super(LDAPCache, self).add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
> self.conn.add_s(str(entry.dn), list(attrs.items()))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> return self.add_ext_s(dn,modlist,None,None)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> result = func(*args,**kwargs)
>
>2023-10-26T13:24:21Z DEBUG The ipa-enable-sid command failed, exception: TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>
>
>I still need to see ID range and trustconfig-show output to understand
>the state of this deployment. Also, dirsrv errors log would be helpful
>if there was an attempt to run sidgen in past.
>
>I went through the dirsrv logs, and found the following:
>[24/Oct/2023:10:25:34.071341978 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[24/Oct/2023:10:25:34.300104111 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [52021] into an unused SID.
>[24/Oct/2023:10:25:34.300266490 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>[24/Oct/2023:10:25:34.303536359 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
You have a range that defines UID/GID space of [1000...5000] but IDs are
outside this range. This is pretty much wrong regardless of whether we
enforce SIDs or not ;)
You need to create a separate ID range that would cover your existing
IDs. Before that, we need to create a configuration to be used for SID
generation -- if the ldapsearch above shows that the entry in
cn=ad,cn=etc,$SUFFIX does not exist.
Since ipa-enable-sid has failed, probably the entry indeed does not exist and
it would be easier to construct it with ipa-ldap-updater tool:
----
dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}
default:objectClass: ipaNTDomainAttrs
default:objectClass: nsContainer
default:objectClass: top
default:cn: ${DOMAIN}
default:ipaNTFlatName: NETBIOSNAME
default:ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
default:ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
default:ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}
----
Change 'NETBIOSNAME' above to some name. By default that would be the
first part of your Kerberos realm, e.g. for IPA1.TEST that would be
IPA.
The SID value (S-1-5-21-...) is the one that your admin user has,
without the last part (the relative identifier, RID, which is -500 for
the administrator case).
Save this to a file named '90-somefile.update' and run as root
# ipa-ldap-updater ./90-somefile.update
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
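Two steps from the advice above, as an added example that is not from this thread or from FreeIPA's own code: stripping the RID from the admin SID to get the domain SID, and checking whether a POSIX ID such as 52021 falls inside a local ID range that carries a RID base. The RID = base RID + (POSIX ID - first POSIX ID) mapping is this example's assumption about how sidgen derives a RID; the range data is constructed from the output quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A domain-relative SID with a trailing RID: S-1-5-21-<a>-<b>-<c>-<rid>
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def domain_sid_from_user_sid(user_sid: str) -> str:
    """Drop the RID (last component) of a user SID to obtain the domain SID.
    Rejects input that already lacks a RID, so a domain SID is never
    truncated a second time by mistake."""
    if not USER_SID_RE.match(user_sid):
        raise ValueError(f"expected a user/group SID with a RID: {user_sid!r}")
    return user_sid.rsplit("-", 1)[0]


@dataclass
class IdRange:
    name: str
    base_id: int          # "First Posix ID of the range"
    size: int             # "Number of IDs in the range"
    base_rid: Optional[int]  # "First RID of the corresponding RID range", None if unset


def find_local_range(ranges: List[IdRange], posix_id: int) -> Optional[IdRange]:
    """Return the range whose [base_id, base_id + size) interval covers posix_id."""
    for r in ranges:
        if r.base_id <= posix_id < r.base_id + r.size:
            return r
    return None


def sid_for_posix_id(domain_sid: str, ranges: List[IdRange], posix_id: int) -> Optional[str]:
    """Assumed sidgen mapping: RID = base_rid + (posix_id - base_id).
    None means the ID cannot be mapped (no covering range, or no RID base),
    which is the situation behind "Cannot convert Posix ID ... into an unused SID"."""
    r = find_local_range(ranges, posix_id)
    if r is None or r.base_rid is None:
        return None
    return f"{domain_sid}-{r.base_rid + (posix_id - r.base_id)}"


# Constructed from the thread: one local range, 1000..4999, with no RID base.
BROKEN_RANGES = [IdRange("EXAMPLE.COM_id_range", 1000, 4000, None)]
# Hypothetical fix: RID base on the existing range plus a new range covering 52021.
FIXED_RANGES = [IdRange("EXAMPLE.COM_id_range", 1000, 4000, 1000),
                IdRange("EXAMPLE.COM_legacy_range", 50000, 10000, 5000)]
```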