Re: [Freeipa-users] How to verify user with proxy server

2016-11-16 Thread 郑磊
Hi Petr, I have already successfully verified the freeipa user's login process by using 3rd-party RADIUS server for otp auth type. But I have a question that if there is no single radius auth type for a freeipa user. In other words, the 3rd-party RADIUS server simply provides a way for otp auth

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-16 Thread Martin Basti
So anonymous bind should be disabled; can you try ldapsearch without any login information? On 16.11.2016 19:01, dan.finkelst...@high5games.com wrote: I'm on FreeIPA 4.x *Daniel Alex Finkelstein*| Lead Dev Ops Engineer _dan.fi

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Sean Hogan
Hi Jakub, I ended up re-enrolling the box and it is behaving as expected except I am not getting a host cert. Robert indicated auto host cert no longer avail with rhel 7 but using the --request-cert option on enroll to get a host cert if I wanted one. I did so and get this in the install lo

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Jakub Hrozek
On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote: > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Program lacks support for encryption type while getting initial > credentials OK, now there's at least the same error from kinit as sssd is generating. Can

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Rob Crittenden
Sean Hogan wrote: > update.. > > I decided to unenroll the box and remove it from IPA totally. I enrolled > it again and the box is now working as expected. However I did check if > server1 now has a host certificate loaded in IPA and it does not. > I have not had to do anything extra in getting a

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Sean Hogan
update.. I decided to unenroll the box and remove it from IPA totally. I enrolled it again and the box is now working as expected. However I did check if server1 now has a host certificate loaded in IPA and it does not. I have not had to do anything extra in getting a host cert loaded into IP

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 18:26, Stijn De Weirdt wrote: > hi petr, > > this is a different question: what can we do such that compromised host > can do as little as possible if the admin doesn't (yet) know the host is > compromised. > > the default policy allows way too much. For

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Sean Hogan
Yes sir... I added the kinit kts in the previous thinking it was needed. > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting > initial credentials > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-16 Thread Dan.Finkelstein
I'm on FreeIPA 4.x Daniel Alex Finkelstein| Lead Dev Ops Engineer dan.finkelst...@h5g.com | 212.604.3447 One World Trade Center, New York, NY 10007 www.high5games.com Play

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Martin Babinsky
On 11/16/2016 05:56 PM, Sean Hogan wrote: Sorry.. listing output of klist -e and klist -ke... but kinit -k does not seem to be working if I have it right.. kinit -kt is more promising but still fails *Klists* [root@server1 read]# klist -e Ticket cache: KEYRING:persistent:1:111 D

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-16 Thread Martin Basti
On 16.11.2016 18:47, Martin Basti wrote: On 16.11.2016 17:46, dan.finkelst...@high5games.com wrote: I've seen some discussion in the (distant) past about disabling anonymous binds to the LDAP component of IPA, and I'm wondering if there's a preferred method to do it. Further, are there a

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-16 Thread Martin Basti
On 16.11.2016 17:46, dan.finkelst...@high5games.com wrote: I've seen some discussion in the (distant) past about disabling anonymous binds to the LDAP component of IPA, and I'm wondering if there's a preferred method to do it. Further, are there any known problems with disabling anonymous b

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Stijn De Weirdt
hi petr, this is a different question: what can we do such that compromised host can do as little as possible if the admin doesn't (yet) know the host is compromised. the default policy allows way too much. >>> >>> For any useful advice we need more details. >>> >>> What ar

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 17:47, Stijn De Weirdt wrote: >>> this is a different question: what can we do such that compromised host >>> can do as little as possible if the admin doesn't (yet) know the host is >>> compromised. >>> >>> the default policy allows way too much. >> >> For any useful advice we need mo

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Sean Hogan
Sorry.. listing output of klist -e and klist -ke... but kinit -k does not seem to be working if I have it right.. kinit -kt is more promising but still fails Klists [root@server1 read]# klist -e Ticket cache: KEYRING:persistent:1:111 Default principal: admin@ipa.local Valid sta

[Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-16 Thread Dan.Finkelstein
I've seen some discussion in the (distant) past about disabling anonymous binds to the LDAP component of IPA, and I'm wondering if there's a preferred method to do it. Further, are there any known problems with disabling anonymous binds when using FreeIPA? The only modern documentation I can fin

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Rob Crittenden
Stijn De Weirdt wrote: >>> this is a different question: what can we do such that compromised host >>> can do as little as possible if the admin doesn't (yet) know the host is >>> compromised. >>> >>> the default policy allows way too much. >> >> For any useful advice we need more details. >> >> Wha

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Stijn De Weirdt
>> this is a different question: what can we do such that compromised host >> can do as little as possible if the admin doesn't (yet) know the host is >> compromised. >> >> the default policy allows way too much. > > For any useful advice we need more details. > > What are the operations you want

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Martin Babinsky
On 11/16/2016 05:14 PM, Sean Hogan wrote: Hi Jakub, Thanks... here is output *klist -ke* [root@server1 rusers]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal -- 1 host/server1.ipa.local@IPA.LOCAL (aes256

Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-16 Thread Sean Hogan
Yes... just got 2 of them from same address.. kimi rachel Sean Hogan From: Tony Brian Albers To: "freeipa-users@redhat.com" Date: 11/15/2016 11:54 PM Subject: Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users thr

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Sean Hogan
Hi Jakub, Thanks... here is output klist -ke [root@server1 rusers]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal -- 1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96) 1 host/server1.ipa

Re: [Freeipa-users] IPA 4.4 and Trust Agents/Controllers

2016-11-16 Thread Petr Spacek
On 16.11.2016 16:40, Baird, Josh wrote: > Hi, > > I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and > had a few questions about the concept of trust agents/controllers. > > Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was run > on) considered '

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 15:33, Stijn De Weirdt wrote: > hi martin, > we are looking how to configure whatever relevant policy to minimise the impact of compromised IPA hosts (ie servers with a valid host keytab). in particular, it looks like it is possible to retrieve any user token once >>

[Freeipa-users] IPA 4.4 and Trust Agents/Controllers

2016-11-16 Thread Baird, Josh
Hi, I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and had a few questions about the concept of trust agents/controllers. Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was run on) considered 'trust controllers'? In my lab, the upgrade automatica

Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Nordgren, Bryce L -FS
Ummm, Kinit should work from any host, whether that host is part of the domain or not. It contains no inherent knowledge of any passwords. If it succeeds, then you either picked a bad password, stored the password in a plaintext file, or an actual authorized user ran it. It seems that it would

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Stijn De Weirdt
hi martin, >>> we are looking how to configure whatever relevant policy to minimise the >>> impact of compromised IPA hosts (ie servers with a valid host keytab). >>> >>> in particular, it looks like it is possible to retrieve any user token once >>> you have access to a valid host keytab. >>> >>> we

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

2016-11-16 Thread Sumit Bose
On Wed, Nov 16, 2016 at 02:31:52PM +0100, rajat gupta wrote: > Thanks, It is working for few user but not for every one. I have cleared > the sssd cache as well. > = > /var/log/secure > > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_sss(sshd:auth): authentication > failure; logn

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 49

2016-11-16 Thread Sumit Bose
1]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881 > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > > from environment. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881 > > [set_lifetime_options] (0x0100):

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Martin Babinsky
On 11/16/2016 03:10 PM, Sumit Bose wrote: On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote: On 11/16/2016 02:33 PM, Petr Spacek wrote: On 16.11.2016 14:01, Stijn De Weirdt wrote: hi all, we are looking how to configure whatever relevant policy to minimise the impact of compromi

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Sumit Bose
On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote: > On 11/16/2016 02:33 PM, Petr Spacek wrote: > > On 16.11.2016 14:01, Stijn De Weirdt wrote: > > > hi all, > > > > > > we are looking how to configure whatever relevant policy to minimise the > > > impact of compromised IPA hosts (ie

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Stijn De Weirdt
>> we are looking how to configure whatever relevant policy to minimise the >> impact of compromised IPA hosts (ie servers with a valid host keytab). >> >> in particular, it looks like it is possible to retrieve any user token once >> you have access to a valid host keytab. >> >> we're aware that the

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Martin Babinsky
On 11/16/2016 02:33 PM, Petr Spacek wrote: On 16.11.2016 14:01, Stijn De Weirdt wrote: hi all, we are looking how to configure whatever relevant policy to minimise the impact of compromised IPA hosts (ie servers with a valid host keytab). in particular, it looks like it is possible to retrieve an

Re: [Freeipa-users] Client x.x.xx - RFC 1918 response from Internet in /var/log/messages

2016-11-16 Thread Petr Spacek
On 16.11.2016 12:56, Bjarne Blichfeldt wrote: > Just updated a couple of free-ipa servers to: > ipa-server-dns-4.4.0-12.el7.noarch > redhat-release-server-7.3-7.el7.x86_64 > > Before the update, I resolved the issue with RFC messages by: > /etc/named.conf: > options { >disable-empty-zone "10.i

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 14:01, Stijn De Weirdt wrote: > hi all, > > we are looking how to configure whatever relevant policy to minimise the > impact of compromised IPA hosts (ie servers with a valid host keytab). > > in particular, it looks like it is possible to retrieve any user token once > you have acces

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

2016-11-16 Thread rajat gupta
> > * > > Havsteensvej 4 > > * > > 4000 Roskilde > > > Telefon 63 63 63 63/ Fax 63 63 63 64 > > > www.jndata.dk > > > [cid:image006.png@01D24008.CA6EF0F0] > -- next part -- > An HTML attachment was scrubbed... > U

Re: [Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread Sumit Bose
On Wed, Nov 16, 2016 at 01:01:59PM +0100, Sumit Bose wrote: > On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote: > > I am using FreeIPA version 4.4.0 Active Directory trust setup. And on > > Active Directory side I am using UPN suffix. > > Following are my domain setup. > > > > AD DOMAN

[Freeipa-users] minimise impact compromised host

2016-11-16 Thread Stijn De Weirdt
hi all, we are looking how to configure whatever relevant policy to minimise the impact of compromised IPA hosts (ie servers with a valid host keytab). in particular, it looks like it is possible to retrieve any user token once you have access to a valid host keytab. we're aware that the default IP

Re: [Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread Sumit Bose
On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote: > I am using FreeIPA version 4.4.0 Active Directory trust setup. And on > Active Directory side I am using UPN suffix. > Following are my domain setup. > > AD DOMAIN :- corp.addomain.com > UPN suffix :- usern...@mydomain.com > IPA DOMA

[Freeipa-users] Client x.x.xx - RFC 1918 response from Internet in /var/log/messages

2016-11-16 Thread Bjarne Blichfeldt
Just updated a couple of free-ipa servers to: ipa-server-dns-4.4.0-12.el7.noarch redhat-release-server-7.3-7.el7.x86_64 Before the update, I resolved the issue with RFC messages by: /etc/named.conf: options { disable-empty-zone "10.in-addr.arpa."; : Now after the update the RFC messages have re

[Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread rajat gupta
I am using FreeIPA version 4.4.0 Active Directory trust setup. And on Active Directory side I am using UPN suffix. Following are my domain setup. AD DOMAIN :- corp.addomain.com UPN suffix :- usern...@mydomain.com IPA DOMAIN :- ipa.ipadomain.local IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain

[Freeipa-users] Fwd: [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread rajat gupta
> > Hi, > > I am using FreeIPA version 4.4.0 and Active Directory trust setup. on > Active Directory side I am using UPN suffix. > > Following are my setup. > > AD DOMAIN :- corp.addomain.com > UPN suffix :- usern...@mydomain.com > > I

Re: [Freeipa-users] [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread Martin Babinsky
On 11/16/2016 10:41 AM, rajat gupta wrote: I am using FreeIPA version 4.4.0 and Active Directory trust setup. on Active Directory side I am using UPN suffix. Following are my setup. AD DOMAIN :- corp.addomain.com UPN suffix :- usern...@mydomain.com

Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Paessens, Daniel
Indeed the kinit keeps working correctly. If you give a good password it retrieves the tokens correctly. Thus it's not only DOS, but also a potential brute-force password retriever as well. Blocking on firewall level, ok, but what if you use DHCP. It's more difficult to protect it, through that way.

Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Martin Babinsky
On 11/16/2016 10:04 AM, Paessens, Daniel wrote: Currently am I looking for a workable solution for the following situation: Let's say that an ipa client has been stolen (or compromised). What can we do to block all access from it, towards IPA (and rest) For example if we use the command "

Re: [Freeipa-users] Shadow Utils appears in sssd.conf

2016-11-16 Thread Jakub Hrozek
On Wed, Nov 16, 2016 at 09:39:05AM +0100, Lukas Slebodnik wrote: > On (16/11/16 11:46), Lachlan Musicman wrote: > >I don't know what I've done wrong, but when I use ipa-client-install on a > >new host to add to my one way trust domain, I now have a > >[domain/shadowutils] stanza. > > > >This first

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Jakub Hrozek
On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: > > > Hello, > > >I am starting to see some issues with a few RHEL7 boxes I have been > enrolling to my RHEL 6 IPA server regarding encryption. > > > RHEL 7 client > Red Hat Enterprise Linux Server release 7.1 (Maipo) > sssd-ipa-

[Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Paessens, Daniel
Currently am I looking for a workable solution for the following situation: Let's say that an ipa client has been stolen (or compromised). What can we do to block all access from it, towards IPA (and rest) For example if we use the command "ipa host-disable" it's noticed that IPA users ar

Re: [Freeipa-users] Shadow Utils appears in sssd.conf

2016-11-16 Thread Lukas Slebodnik
On (16/11/16 11:46), Lachlan Musicman wrote: >I don't know what I've done wrong, but when I use ipa-client-install on a >new host to add to my one way trust domain, I now have a >[domain/shadowutils] stanza. > >This first happened a couple of weeks ago, I saw this bug and thought "it >will be solve