Re: [Freeipa-users] user account without password

2015-04-13 Thread Nordgren, Bryce L -FS
e NFS with sec=host)? Thanks, Bryce > -Original Message- > From: Alexander Frolushkin [mailto:alexander.frolush...@megafon.ru] > Sent: Sunday, April 12, 2015 9:27 PM > To: Nordgren, Bryce L -FS; 'Martin Kosek'; freeipa-users@redhat.com > Subject: RE: [Freeipa-u

Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Nordgren, Bryce L -FS
Ummm, Kinit should work from any host, whether that host is part of the domain or not. It contains no inherent knowledge of any passwords. If it succeeds, then you either picked a bad password, stored the password in a plaintext file, or an actual authorized user ran it. It seems that it would

Re: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Nordgren, Bryce L -FS
My guess aligns with this response: http://stackoverflow.com/questions/31153584/why-is-there-such-a-performance-difference-on-raspberry-pi-between-open-and-orac Bryce From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden Sent: Thursday

Re: [Freeipa-users] External Collaboration Domains

2014-04-10 Thread Nordgren, Bryce L -FS
> > Close. The problem is to expose kerberized services in the local realm to > users holding foreign credentials, supporting SSO wherever possible. This > includes file sharing via NFS, kerberized web apps, ssh logins, and anything > else the local realm has to offer. SSSD can handle ssh logins (i

Re: [Freeipa-users] External Collaboration Domains

2014-04-11 Thread Nordgren, Bryce L -FS
> I guess we just do not see this scenario in practice yet. What I've found in the last decade is that scientists and CIO types cannot talk for lack of a common language. CIO types believe in closed systems over which they have complete control. Scientists are funded to work with others from o

Re: [Freeipa-users] External Collaboration Domains

2014-04-11 Thread Nordgren, Bryce L -FS
> There is a group of people that belong to different organizations, for > example universities that launch a project together. They have the identities > in their own home organization (domains). There is a "hosting" organization > that some of the members of the group might belong to. Jointly a

Re: [Freeipa-users] External Collaboration Domains

2014-04-15 Thread Nordgren, Bryce L -FS
> > Variant (A) - IdP + PKINIT: > > A1) User authenticates to his SAML/OpenID provider (external domain) > > A2) User locally generates CSR > > A3) User contacts IdP (gssapi/saml ; gssapi/openid) and sends CSR to > > the IdP > > A4) IdP returns short-lived certificate (validity period matches > > p

[Freeipa-users] External domain use case wiki page

2014-04-19 Thread Nordgren, Bryce L -FS
http://www.freeipa.org/page/External_Collaboration_Domains This is mostly Dimitri's text, but I did butcher it some. Also has a figure. Will update the external users RFE next. Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any u

[Freeipa-users] External collaboration edits

2014-04-19 Thread Nordgren, Bryce L -FS
I've run out of time for today, but the external collaboration pages are slowly evolving. http://www.freeipa.org/page/External_Users_in_IPA Dimitri observed that my RFE page was too long. I observe it also has too much stuff unrelated to the actual meat of the RFE. So I factored out most of th

Re: [Freeipa-users] External collaboration edits

2014-06-07 Thread Nordgren, Bryce L -FS
e: [Freeipa-users] External collaboration edits On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS wrote: I've run out of time for today, but the external collaboration pages are slowly evolving. http://www.freeipa.org/page/External_Users_in_IPA Dimitri observed that my RFE page was too lon

Re: [Freeipa-users] External collaboration edits

2014-06-16 Thread Nordgren, Bryce L -FS
[...talking about views...] > It's not only about AD, but use-case and examples in the design page > currently all refer to AD. The key is to find a unique reference to the > upstream object which in the AD case is obviously the SID. In a previous > version of the page there were a bit more detail

Re: [Freeipa-users] External collaboration edits

2014-06-17 Thread Nordgren, Bryce L -FS
> -Original Message- > From: Sumit Bose [mailto:sb...@redhat.com] > Sent: Tuesday, June 17, 2014 3:27 AM > > Case one would represent vanilla Kerberos trusts, or the quite likely > scenario where an external collaboration domain is separated from corporate > AD by a firewall. (e.g., insti

[Freeipa-users] Ipsilon and WebAthena

2014-06-17 Thread Nordgren, Bryce L -FS
When thinking about gateways and what Ipsilon may do, I came across this thesis: https://davidben.net/thesis.pdf and source https://github.com/davidben/webathena His approach to unifying web and non-web technologies was to build gateways for non-web services such that browser based clients cou

Re: [Freeipa-users] Ipsilon and WebAthena

2014-06-18 Thread Nordgren, Bryce L -FS
> Where does the javascript come from ? > How do you trust it is not going to send your password somewhere ? > How do you trust another bug in the browser will not allow another "tab" > to read the memory of the browser including your password or TGT ? > > There is a good reason crypto and keys o

[Freeipa-users] Add'tl use case for views

2014-06-18 Thread Nordgren, Bryce L -FS
Inconsistently managed AD user entries. Many accounts in my AD are posixAccounts, but I encountered one today (created in 2013) which had no posix information whatsoever. This crumpled my assumption that I could leverage posix information from the institutional source. Under my current system,

Re: [Freeipa-users] Ipsilon and WebAthena

2014-06-18 Thread Nordgren, Bryce L -FS
> -Original Message- > From: Simo Sorce [mailto:s...@redhat.com] > Sent: Wednesday, June 18, 2014 1:35 PM > > Clearly there are potential problems. The question is, are they bigger > > problems than sending your password across the net? > > No, but why should you ? > It is quite simple to

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS
> The reason is that rpcidmapd does not parse fully-qualified usernames > so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work. If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS
> The second @ is not provided by kerberos, it is rpcimapd making false > assumptions, it does a getpwuid and gets back adt...@ad.example.org as > the username, to which it decides to slap on the local REALM name with an @ > sign in between. > > I think this is something that may be handled with i

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS
Also: http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04 Never became an RFC, but cites Simo's I-D on a Kerberos PAC. I like the CITI approach better (also approach 2 of section 6 in the above I-D). I have no use for the groups defined in my active directory. Also, for the ex

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Nordgren, Bryce L -FS
> Would the idmap sss module we have on the list pending review help here? My read of the design page suggests that the plugin is 66% of a solution. There are three types of identities which need to be related: * local machine accounts/identities (meaningful to the filesystem) * security princi

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Nordgren, Bryce L -FS
> -Original Message- > > What I'm not quite clear on is the interaction between idmapd and ldap > > (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser" > > schema on the LDAP server? Is this schema something that FreeIPA would > > have to support for NFS to work with cross-r

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-29 Thread Nordgren, Bryce L -FS
> > I see the first two represented on the design, but not the last. I suspect > that this means that the plugin regards security principals and NFSv4 > identities as the same thing, which may mean it won't work for multiple > domains? Let me turn the question on its head: according to the OP, th

[Freeipa-users] Migrating from a hybrid web/posix LDAP

2014-07-12 Thread Nordgren, Bryce L -FS
Hi guys, I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr repos. Install and config went fine. Kinit: fine. Trying to migrate from my old ldap setup: problem. Old ldap setup primarily had accounts for web apps (inetOrgPerson) and a few accounts with everything needed for log

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Nordgren, Bryce L -FS
> Hi Aron, > > the support case you referenced is linked to bugzilla > https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked > for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks like the > patch will be released in 6.6. username@domain is coded in the NFS spec a

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Nordgren, Bryce L -FS
> Thing is, nfsidmap always adds and then subtracts '@' plus domain, > assuming that the part prior to '@' is what is going to be mapped by the > domain-specific idmap mapper. That's the crux of the problem right there. Sssd is not a domain-specific idmap mapper. Sssd is a domain-aware, multido

[Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

2014-07-16 Thread Nordgren, Bryce L -FS
On a clean Fedora 20, minimal install, system using the netinstall iso, I'm getting an error all the way at the end of the ipa-server-install process (when it tries to run ipa-client-install). I put the fqdn of the hostname in /etc/hostname and "ipaddr ipa.usfs-i2.umt.edu ipa" in /etc/hosts and

Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

2014-07-16 Thread Nordgren, Bryce L -FS
> On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote: > > DNS A, SRV, and TXT > >entries are in place. Reverse DNS works. My text DNS entry is possibly hosed, as it's in lowercase. I put in a request to capitalize it. [root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.um

Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

2014-07-16 Thread Nordgren, Bryce L -FS
> This is definitely TXT record of _kerberos.usfs-i2.umt.edu issue because > when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the > strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of TXT record > _kerberos.usfs-i2.umt.edu) to be exact match, i.e. including case. > > After all, i

Re: [Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

2014-07-16 Thread Nordgren, Bryce L -FS
> So the question now is: why is DNS discovery pre-empting the specific > parameters provided on the command line? According to the output below, > it looks like it understands server and domain are forced, but it does a dns > lookup on realm? Tried again with the "stock" Fedora-20 version of fre

[Freeipa-users] 4.0.0 password migration trouble

2014-07-17 Thread Nordgren, Bryce L -FS
DNS is fixed, 4.0.0 is installed, and my external users have been migrated from an LDAP store via the migrate-ds script. The password migration page keeps telling me that the password or username I entered is incorrect. (username: test.user, password: test) I did not mistype this. I did set the

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-17 Thread Nordgren, Bryce L -FS
> Someone has reported an issue with password migration where 389-ds is > rejecting the passwords with: passwords with storage scheme are not > allowed. That may be part of the problem. That was me, but the context was 'ipa user-add' with a password hash rather than migrate-ds. Although it make

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-18 Thread Nordgren, Bryce L -FS
> > That was me, but the context was 'ipa user-add' with a password hash > rather than migrate-ds. Although it makes sense that 389 ds would act the > same regardless of how I attempt to store the password. How can I check to > see whether the passwords made it to freeipa? The migrate-ds script di

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-18 Thread Nordgren, Bryce L -FS
> > It didn't. My message to the list was the initial "is this a bug or am I > > being > dumb?" question. Until now, there was no response. > > There were two responses, from Petr and myself in the thread titled > "Migrating from a hybrid web/posix LDAP" My bad. I missed them somehow. The centos

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-18 Thread Nordgren, Bryce L -FS
> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords > via ldapmodify to the 389 server using directory manager as the bind dn? I > just can't use the ipa command line tool/script. The short answer is "no". Trying to add the userPassword attribute with ldapmodify bind

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-21 Thread Nordgren, Bryce L -FS
> I will work with DS team to backport the switch option to Fedora 20 389-ds- > base and to release FreeIPA 4.0.1 with appropriate patch to fix this problem > ASAP, ideally this week. Thanks much, Martin!

Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Nordgren, Bryce L -FS
One of our larger users was in a similar situation a few years ago and ended up running Fedora until RHEL caught up and then migrating the servers. I'm running it on F20 because it seemed like the dependencies would make running it on CentOS 7 a pile of pain I didn't need. I do think "RHEL catchi

Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-24 Thread Nordgren, Bryce L -FS
> Note that fixed 389-ds-base is now available in Fedora 20 updates-testing > repo: > > https://admin.fedoraproject.org/updates/FEDORA-2014-8709/389-ds-base-1.3.2.20-1.fc20 > > If you install that + switch cn=config's nsslapd-allow-hashed-passwords > attribute to "on", you will be able to fini

Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-30 Thread Nordgren, Bryce L -FS
> We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our > UNIX infrastructure. All of our Linux hosts currently have standard and > consistent UID/GIDs for at least all of our administrative users. I'm looking > for advice on how to migrate these users into IPA. >... > Event

Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Nordgren, Bryce L -FS
> Well, the users are definitely going to be in IPA (or AD via IPA). However, > they *will* exist in both IPA and locally during the migration period. If > they > have the same UID/GIDs in both places (local and IPA), then I will need to > prefer IPA to 'files' in nsswitch.conf. The main reaso

[Freeipa-users] Centos7, selinux, certmonger, and openldap

2014-08-03 Thread Nordgren, Bryce L -FS
Hey all, On CentOS 7 (presumably RHEL7 too), the tutorial on http://www.freeipa.org/page/PKI breaks (when applied to installing a certificate in /etc/openldap/certs). The offending line is "ipa-getcert request -d /etc/openldap/certs ...", and the failure message is "/etc/openldap/certs must be

Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap

2014-08-03 Thread Nordgren, Bryce L -FS
Spoke too soon. I needed the following "extra" selinux policy module to make all the AVCs go away. BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the "ipa-getcert request" command

Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap

2014-08-03 Thread Nordgren, Bryce L -FS
> Can you please open a selinux bug and attach info on how you fixed it ? http://bugs.centos.org/view.php?id=7458 Presumably a corresponding bug could be opened for Fedora 19 and/or RHEL 7, but I could be wrong. Bryce

Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap

2014-08-04 Thread Nordgren, Bryce L -FS
> Hmm, sorry for incomplete instructions then. I updated the instructions to > cope with that situation better (details in > https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free > to report more findings or even better help us enhance the page even > further :-) Hmm, I though

Re: [Freeipa-users] FreeIPA and FQDN requirements

2014-08-08 Thread Nordgren, Bryce L -FS
> Assume that FQDN is constructed as static hostname.domainname from > DHCP or via reverse DNS lookup. What happens if the machine (laptop) > moves from one network to another? What if the machine has multiple > interfaces? > > As a result, any change in FQDN will break your Kerberos setup. The

Re: [Freeipa-users] Adding cross realm trust principals

2014-08-08 Thread Nordgren, Bryce L -FS
> >> Let me elaborate. We haven't had time to work on this but it would be > >> really valuable if you could experiment with it a little bit. > >> > >> Simo, Alexander, could you propose some dirty tricks to try? > > The thread mentioned above has all needed information already. > Should we turn i

Re: [Freeipa-users] about AD trusts and passthrough authentication

2014-08-11 Thread Nordgren, Bryce L -FS
I’ve got a prototype setup for cross-realm operations. I don’t know if that’s useful for you or not. I don’t have control over “my” AD, and I’m managing this during our CIO’s migration from one AD realm to another (so duplicate users having distinct DNs and Kerberos principals are the norm, rath

[Freeipa-users] A prototype of merged domains ("views")

2014-08-23 Thread Nordgren, Bryce L -FS
Over the past month, I rearranged my local systems for our collaboration environment. The essence of the work is to combine employee identities (defined in AD) with identities for external users (defined in FreeIPA), massage them so that they look the same, and export them to every posix desktop

Re: [Freeipa-users] A prototype of merged domains ("views")

2014-08-27 Thread Nordgren, Bryce L -FS
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Monday, August 25, 2014 3:04 AM > To: Nordgren, Bryce L -FS > Cc: 'freeipa-users@redhat.com'; 'sssd-us...@lists.fedorahosted.org' > Subject: Re: [Freeipa-users]

[Freeipa-users] Sane request?

2014-09-08 Thread Nordgren, Bryce L -FS
Is it sane to request that freeipa store ssh keys for users who come into the environment via a trust? Not all of them, of course, but those who want to store public keys there. My freeipa server is mostly there to manage machines, and users (incl. me) mostly come in over trusts from the corpor

Re: [Freeipa-users] Sane request?

2014-09-09 Thread Nordgren, Bryce L -FS
Sweet! Yes I am apparently talking about that. Consider this an independent request for that. :) You are talking about this, right? https://fedorahosted.org/freeipa/ticket/4509

Re: [Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA

2014-09-14 Thread Nordgren, Bryce L -FS
Overwriting certain attributes may be more directly addressed by: https://fedorahosted.org/freeipa/ticket/3979 You are to some extent describing a feature that we call "views" that is currently in works. But there are two parts: a) Ability to overwrite POSIX attributes for AD users - this is v

Re: [Freeipa-users] migrting just pws?

2014-09-14 Thread Nordgren, Bryce L -FS
You can bring over password hashes for LDAP, but not Kerberos...provided your 389-ds is new enough to have a recently added configuration switch. If your system is in "migration mode", then authenticating via LDAP creates Kerberos hashes transparently. If you're running 4.0.x, see here for some

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-15 Thread Nordgren, Bryce L -FS
Hi Rob, How does the NFS server map the apache user to “something” it recognizes? I would suggest that the easiest solution may be to use an IPA account called “apache”, so that the mappings would just work, but currently I’m having trouble running a service as a domain user via systemd. (http

Re: [Freeipa-users] Two way A/D trust versus one way trust

2014-09-16 Thread Nordgren, Bryce L -FS
> -Original Message- > I went through this thread: > https://www.redhat.com/archives/freeipa-users/2014-January/msg00177.html Since January, I've been turning this problem over and over. A good summary of my functional requirements is here: http://www.freeipa.org/page/External_Colla

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-16 Thread Nordgren, Bryce L -FS
> Also opened https://fedorahosted.org/freeipa/ticket/4544 Tried to summarize this thread on that ticket. Back to the OP's concern, whenever I use NFS as a documentroot for apache (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys, set "all-squash", and specify the webs

[Freeipa-users] Enrolling with multiple IPA servers

2014-10-06 Thread Nordgren, Bryce L -FS
> The hostname put by ipa-client-install corresponds to the server to which this > client is enrolled. You enroll with a single server, after all. How would one enroll with multiple IPA servers? For instance, a standard configuration for a Rocks HPC cluster is to have at least two and usually th

[Freeipa-users] One way trusts

2014-01-13 Thread Nordgren, Bryce L -FS
Hello, I manage a suite of machines and services which are used for collaborative projects with external partners. I want to allow users within our organization to authenticate with their existing Active Directory accounts, and I have set up an "External Users" LDAP directory to establish ident

Re: [Freeipa-users] One way trusts

2014-01-13 Thread Nordgren, Bryce L -FS
Hi Dimitri, >Just to be sure I understand. >You have internal users - they are in AD. You have external users - they are >in LDAP. >You merge two directories and you want to replace this setup with IPA. Yes. >It seems that to support your use case you would need to make the external >users be

[Freeipa-users] FreeIPA and abfab?

2014-01-13 Thread Nordgren, Bryce L -FS
In my previous message, I asked about one-way trust with AD to provide a means of "extending" our corporate AD with accounts for external cooperators. I expect this is just a technical matter: either FreeIPA supports it or not, and there's no conceptual obstacles. So, my password is the same, an

Re: [Freeipa-users] One way trusts

2014-01-14 Thread Nordgren, Bryce L -FS
> Both AD integration solutions we have (synchronization and > cross-forest domain trusts) assume having higher level access > privileges at the time integration is set up. My problem here is that I'm too ignorable. :) There's over 15000 users in our AD; I'm in Montana, the admins are in DC. Wor

Re: [Freeipa-users] One way trusts

2014-01-15 Thread Nordgren, Bryce L -FS
>>I think that the requirement is to have two distinct sets of users >>while you don't have control over one set (AD users) but you have to >>manage the other set (IPA users) somehow. Yup. >I'm yet to see what is the benefit over having only IPA users. Given single >sign-on wasn't a concern, it

[Freeipa-users] IPA authentication vs. authorization

2014-02-14 Thread Nordgren, Bryce L -FS
>If IPA is a centrally managed identity and access control system, Since this seems to be a philosophical/generalized point, may I interject my own experience? I view IPA as a means of managing identities, not as a means of centrally controlling access. Two reasons: * In our organization, the

Re: [Freeipa-users] Kerberized NFS Mount Issues

2014-02-16 Thread Nordgren, Bryce L -FS
I don't know if this is your issue, but I noticed this: Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-server.example.local Feb 15 23:43:23 nfs-client rpc.gssd[1123]: WARNING: Failed to create machine krb5 context with credent

Re: [Freeipa-users] Kerberized NFS Mount Issues

2014-02-16 Thread Nordgren, Bryce L -FS
>You raise a good point regarding kinit - do I have to be kinit'ed in as anybody >before trying to mount the share? I thought as the host and service principals >are in the /etc/krb5.keytab I didn't need to specifically authenticate against > the IPA server? - I might be showing a fundamental lac

Re: [Freeipa-users] local root can su to any IPA user

2014-02-27 Thread Nordgren, Bryce L -FS
> On Wed, Feb 26, 2014 at 04:24:54PM -0500, Steve Dainard wrote: > > Would it not be possible for root to disable selinux enforcement? It should also be possible to copy private keys out of ~user/.ssh and login to other machines as "user", assuming no password on the ssh key pair. It's probably

Re: [Freeipa-users] local root can su to any IPA user

2014-02-27 Thread Nordgren, Bryce L -FS
> But I > would argue that in this case root can just add some other module to the > pam stack that would dump passwords for any user who uses pam stack > regardless whether SSSD is in the picture or not so it is not SSSD problem and > I do not think it can be generally solved with the software.

Re: [Freeipa-users] local root can su to any IPA user

2014-02-28 Thread Nordgren, Bryce L -FS
> Caching credentials is disabled by default[1]. Even when credential caching is > enabled, the cache is only ever readable by root, the hashes are > *never* exposed to the system. FYI, the hash is a salted sha512. Ah. Much better. > What leads you to believe the cached credentials can be retrie

Re: [Freeipa-users] local root can su to any IPA user

2014-02-28 Thread Nordgren, Bryce L -FS
> > Offline password caching is also optional and a different method. > > In this case the actual password is maintained in the kernel keyring > > in locked memory until the machine goes online and can acquire a TGT. > > On success it is deleted. > > > > however it doesn't really matter from an ev

Re: [Freeipa-users] Propose FreeIPA theses: IPA support for sites

2014-03-07 Thread Nordgren, Bryce L -FS
> > >>UID/GID solution > > >>https://fedorahosted.org/sssd/ticket/1715 > > >> > > >>Chaining access providers: > > >>https://fedorahosted.org/sssd/ticket/1326 > > >I'm not sure these two are enough for a thesis.. > > > > I think at least the first one is. > > You change UID and/or GID on the serve

Re: [Freeipa-users] Propose FreeIPA theses: IPA support for sites

2014-03-07 Thread Nordgren, Bryce L -FS
> You *could* build a system that can work w/o synchronization, if you > carefully restrict what protocols and applications you use (think about > distributed filesystems) although you'd still need a local persistent map at > least. Backups and restore to other machines would need to be done > care

Re: [Freeipa-users] Propose FreeIPA theses: IPA support for sites

2014-03-08 Thread Nordgren, Bryce L -FS
So the bottom line, if I understand this conversation so far, allowing each machine to synthesize OS-specific information from pure Kerberos principal names: * Breaks host-based authentication for file sharing (NFS3/2). * Breaks CIFS ACLs (no central SIDs) (Does it also break CIFS completely?) *

Re: [Freeipa-users] Using external KDC

2014-03-10 Thread Nordgren, Bryce L -FS
I'm jumping in kind of late, but I may have a way for you to eliminate your current man in the middle password proxy. > >>> On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote: > > Is it possible with FreeIPA to use an external KDC or pass some > or all authent

Re: [Freeipa-users] Propose FreeIPA theses: IPA support for sites

2014-03-10 Thread Nordgren, Bryce L -FS
> But let me say I am not at all against having theses that explore some of > these > theoretical questions, however one needs to understand that the deliverable > may end up being something that cannot be implemented or that it would > require a long time to do so. As long as that is clear everyt

Re: [Freeipa-users] Propose FreeIPA theses: IPA support for sites

2014-03-10 Thread Nordgren, Bryce L -FS
> In the default case IPA, will automatically allocate a non conflicting range > to > AD SIDs and pa SIDs to UIDs automatically. however if you want to use posix > Ids stored in AD then yes, you will have to take care manually to avoid > conflicts. A perhaps doable, more applied thesis still re

Re: [Freeipa-users] About Windows client

2014-03-23 Thread Nordgren, Bryce L -FS
I’m not, in general, in favor of solutions which promiscuously sling Kerberos passwords around the net. ☺ pGina + Kerberos authenticating directly off of IPA would be the way to go, I think. Presumably Dimitri’s statement about the user being “foreign” and having limited access to windows servi

[Freeipa-users] External Collaboration Domains

2014-03-24 Thread Nordgren, Bryce L -FS
>Collaboration can be in different ways. It all depends on the use case. It can >be OpenID, SAML, Kerberos, etc. There are different technologies and they suit >better different use cases. >Can you please share under what circumstances such "inversion" would actually >be needed? Console login

Re: [Freeipa-users] External Collaboration Domains

2014-03-30 Thread Nordgren, Bryce L -FS
Hey guys, Back again. Thanks for your responses so far. OTP is interesting, but requires that an account be created in the local domain, which is kind of opposed to the notion of federated identities. Ipsilon is also interesting, from its description as a gateway to non-Kerberos identity prov

Re: [Freeipa-users] External Collaboration Domains

2014-03-30 Thread Nordgren, Bryce L -FS
> I think it does not really differ from what I described, conceptually. > It is, however, requiring much more work than what I described. > > FreeIPA has flat LDAP DIT. Adding support for separate OUs is in itself a non- > trivial task. Ah. Well since that's the case, separate OUs are gone. (You

Re: [Freeipa-users] External Collaboration Domains

2014-04-08 Thread Nordgren, Bryce L -FS
Sorry for the delayed reply. This is "other duties as assigned" and the day job got in the way. :) However, the computer is busy running fits to data for the next day or so. My electronic master is thus distracted. > >> Wow! > >> First of all thanks for a nice pictures and sharing your ideas. >

Re: [Freeipa-users] client/authentication inside a docker container

2016-02-04 Thread Nordgren, Bryce L -FS
An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty container filesystem, but may have different users defined, particularly for running services and for owning the files those services must touch. To what extent do you want the same users to be enforced between the c