We have a freeipa server and some clients. One of the clients
runs a (minimal) Docker container with some custom application.
The application does user authorization and authentication using
PAM. Is there a good way to make PAM delegate all decisions to
the host running the Docker container? We'd like to avoid
configuring the container as a separate freeipa client.
Dominik ^_^ ^_^
Yesterday we migrated our dev servers to IPA - to help in the migration, I enabled the allow_all HBAC rule, but despite that, some users get this message:
Jul 29 15:56:23 el4966 sshd: Postponed keyboard-interactive for id094844 from 126.96.36.199 port 35552 ssh2 [preauth]
Jul 29 15:56:49 el4966 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
Jul 29 15:56:49 el4966 sshd: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied) < ----- This
Jul 29 15:56:52 el4966 sshd: error: PAM: Authentication failure for id094844 from el1921.bc
Jul 29 15:56:52 el4966 sshd: Failed keyboard-interactive/pam for id094844 from 188.8.131.52 port 35552 ssh2
Jul 29 15:56:58 el4966 sshd: Postponed keyboard-interactive for id094844 from 184.108.40.206 port 35552 ssh2 [preauth]
Jul 29 15:57:00 el4966 sshd: Connection closed by 220.127.116.11 port 35552 [preauth]
These are external (AD) users. Weird thing: not all users have this and not everywhere... I tried to remove the LDAP filter on the IPA server -> same thing... I'm running out of ideas...
Thanks for your help!
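The sshd/pam_sss messages quoted above carry two pieces of information worth separating when triaging a report like this: which PAM phase the result came from (the `sshd:auth` token) and the numeric PAM return code (6 is `PAM_PERM_DENIED`, 7 is `PAM_AUTH_ERR`). The following is an added example, not code from the post or from SSSD: it groups `pam_sss` results per user and phase over a few constructed log lines modelled on the ones above, so that a "Permission denied" pattern for specific users can be told apart from plain wrong-password failures. The sample lines, user names and hosts are constructed; the PAM code table lists Linux-PAM constants.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the sshd/pam_sss lines quoted in the post.
SAMPLE_LOG = """\
Jul 29 15:56:23 el4966 sshd: Postponed keyboard-interactive for id094844 from 192.0.2.10 port 35552 ssh2 [preauth]
Jul 29 15:56:49 el4966 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
Jul 29 15:56:49 el4966 sshd: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)
Jul 29 15:56:52 el4966 sshd: error: PAM: Authentication failure for id094844 from el1921.bc
Jul 29 15:57:10 el4966 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=alice
Jul 29 15:57:10 el4966 sshd: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Jul 29 15:57:30 el4966 sshd: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)
"""

# Linux-PAM return codes that pam_sss reports in "received for user X: N (text)".
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# "pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)"
RESULT_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<phase>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
# "pam_sss(sshd:auth): authentication failure; ... rhost=el1921.bc user=id094844"
FAILURE_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<phase>\w+)\): authentication failure;"
    r".*\brhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)


def triage_pam_sss(log_text):
    """Group pam_sss results per user.

    Returns {user: {"results": Counter[(phase, code)], "rhosts": set[str]}}.
    Lines without a pam_sss result or failure record are ignored.
    """
    report = defaultdict(lambda: {"results": Counter(), "rhosts": set()})
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            key = (m.group("phase"), int(m.group("code")))
            report[m.group("user")]["results"][key] += 1
            continue
        m = FAILURE_RE.search(line)
        if m:
            report[m.group("user")]["rhosts"].add(m.group("rhost"))
    return dict(report)


def describe(report):
    """Render the triage report as one line per (user, phase, code)."""
    lines = []
    for user, info in sorted(report.items()):
        for (phase, code), n in sorted(info["results"].items()):
            name = PAM_CODES.get(code, "unknown code")
            lines.append(
                f"{user}: {n}x {phase} -> {code} ({name}); rhosts={sorted(info['rhosts'])}"
            )
    return lines


if __name__ == "__main__":
    for line in describe(triage_pam_sss(SAMPLE_LOG)):
        print(line)
```

Run against the real `/var/log/secure` or `journalctl -u sshd` output, a user who only ever gets code 6 from the `auth` phase while others get 7 points at something other than a mistyped password, which is the kind of split the post describes.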
I have a FreeIPA setup that trusts an Active Directory domain. I have users who exist in the AD domain, but who are unable to log into Linux systems.
The domains are:
ad.domain.example: the Active Directory domain
ipa.ad.domain.example: the FreeIPA domain
The user has a SAM-Account-Name of 'user.name' and a userPrincipalName of
Here are the log messages I see when one of them tries to log in:
==> krb5_child.log <==
(Thu Jul 23 11:08:58 2020) [[sssd[krb5_child]]] [get_and_save_tgt] (0x0020): 1704: [-1765328378][Client 'user.name\@THIRDPARTY.COM@IPA.AD.DOMAIN.EXAMPLE' not found in Kerberos database]
(Thu Jul 23 11:08:58 2020) [[sssd[krb5_child]]] [map_krb5_error] (0x0020): 1833: [-1765328378][Client 'user.name\@THIRDPARTY.COM@IPA.AD.DOMAIN.EXAMPLE' not found in Kerberos database]
==> sssd_ipa.ad.domain.example.log <==
(Thu Jul 23 11:08:58 2020) [sssd[be[ipa.ad.domain.example]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
A bit of research brings me to
A UPN suffix has the following restrictions:
It must be the DNS name of a domain, but does not need to be the name of
the domain that contains the user.
It must be the name of a domain in the current domain forest, or an
alternate name listed in the upnSuffixes attribute of the Partitions container
within the Configuration container.
I believe the user account violates the second of these restrictions, in that
its suffix (thirdparty.com) is neither in the AD forest, nor is it found in the
upnSuffixes attribute of
CN=Partitions,CN=Configuration,DC=ad,DC=domain,DC=example in AD.
Now the ugly part. I suspect this is just How Things Are Done around here and
getting the user's userPrincipalName changed to ad.domain.example will not be
So in the meantime, is there any configuration I can do, either on the FreeIPA
servers or on the machine where the user needs to log in, to work around the
UPN suffix mismatch?
I am able to get a TGT for the user with 'kinit user.name@AD.DOMAIN.EXAMPLE',
so I guess I'm looking for a hypothetical way to tell sssd to map the UPN
suffix in the user's domain (thirdparty.com) to ad.domain.example when it tries
to get a ticket during user login...
I can also ask to get thirdparty.com added to the AD domain's list of UPN
suffixes. Can anyone confirm whether this would be sufficient to get sssd to be
able to authenticate the user?
Sam Morris <https://robots.org.uk/>
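The post quotes the two restrictions on a UPN suffix and reasons from the client name in the krb5_child log. The following is an added example, not code from the post, from SSSD or from Microsoft: it takes the client string exactly as krb5_child logged it (the `\@`-escaped UPN followed by the realm it was tried in), recovers the UPN, and checks its suffix against a constructed forest configuration (the forest's domain names and the `upnSuffixes` list). The forest configuration and the helper names are assumptions for illustration.

```python
import re

# The client string as krb5_child logged it in the post (the backslash escapes
# the '@' inside the UPN; the final '@' introduces the realm).
LOGGED_CLIENT = "user.name\\@THIRDPARTY.COM@IPA.AD.DOMAIN.EXAMPLE"

# Constructed forest configuration standing in for what one would read from
# AD: the domain names of the forest and the upnSuffixes attribute of
# CN=Partitions,CN=Configuration,... (empty here, as the post suspects).
FOREST_DOMAINS = {"ad.domain.example"}
UPN_SUFFIXES = set()

# One or more DNS labels separated by dots; good enough for the "must be a DNS
# name" rule without pulling in a full RFC 1035 validator.
_DNS_NAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_enterprise_client(client):
    """Split 'user\\@SUFFIX@REALM' into (unescaped UPN, realm)."""
    upn, sep, realm = client.rpartition("@")
    if not sep:
        raise ValueError("no realm separator in client string")
    return upn.replace("\\@", "@"), realm


def upn_suffix_status(upn, forest_domains, upn_suffixes):
    """Apply the two UPN-suffix restrictions quoted in the post.

    Returns (ok, reason). The suffix must be a DNS domain name and must be
    either a domain of the forest or an entry in upnSuffixes.
    """
    if upn.count("@") != 1:
        return False, "not a UPN: expected exactly one '@'"
    suffix = upn.split("@")[1].lower()
    if not _DNS_NAME.match(suffix):
        return False, f"suffix {suffix!r} is not a DNS domain name"
    if suffix in {d.lower() for d in forest_domains}:
        return True, f"{suffix} is a domain of the forest"
    if suffix in {s.lower() for s in upn_suffixes}:
        return True, f"{suffix} is listed in upnSuffixes"
    return False, f"{suffix} is neither a forest domain nor listed in upnSuffixes"


def check_logged_client(client, forest_domains, upn_suffixes):
    """Explain a 'Client ... not found' line in terms of the UPN-suffix rules."""
    upn, realm = parse_enterprise_client(client)
    ok, reason = upn_suffix_status(upn, forest_domains, upn_suffixes)
    return {"upn": upn, "realm": realm, "suffix_ok": ok, "reason": reason}


if __name__ == "__main__":
    print(check_logged_client(LOGGED_CLIENT, FOREST_DOMAINS, UPN_SUFFIXES))
    # Same user after thirdparty.com has been added to upnSuffixes.
    print(check_logged_client(LOGGED_CLIENT, FOREST_DOMAINS, {"thirdparty.com"}))
```

The second call in the `__main__` block models the change the post proposes (adding thirdparty.com to the forest's UPN suffixes); the check only covers the AD-side naming rule, not whether any given SSSD version then succeeds in obtaining the ticket.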
Regardless of what I officially do, my CentOS is not pulling the latest FreeIPA binaries to install; it sticks with 4.7.
Since everything is working, it is not a deal-breaker, but still, now that everything is stable and config is absolutely correct, it would be time to upgrade and stay up to date with all fixes.
Any help on this topic please? Thanks in advance!
All of a sudden, automounting home shares has stopped working on one of
our most important servers. The configuration has not changed at all.
Automounting on servers with identical configuration works.
What i tried so far:
1) stopping rpcidmapd, rpcgssd, autofs, sssd and restarting the services
2) rebooting the system
3) doing ipa-client-automount --uninstall and reconfiguring it again
4) checking /etc/sysconfig/nfs and /etc/idmapd.conf as well as sssd.conf
5) automount -fv tells me that it attempts to mount /home but nothing happens
No matter what I tried I could not get home shares mounted again.
I would highly appreciate any input that brings me one step further.
I installed FreeIPA replica on 4.8.4 on CentOS 8 from 4.4.4 from Fedora
25 with `ipa-replica-install --setup-dns --auto-forwarders`, without
`--setup-ca` due to errors, which went fine. I do want to install CA
though, which failed when I did `--setup-ca` and then later
`ipa-ca-install` with the following error:
[4/29]: creating installation admin user
Unable to log in as uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca on ldap://freeipa.infra.opensuse.org:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca did not replicate to ldap://freeipa.infra.opensuse.org:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Obviously I did try extending the timeout based on that, but I don't
think that was helpful in the end, considering the logs produced by the
server process in journal
192.168.47.90 - - [23/Jul/2020:00:25:36 +0000] "GET /ca/rest/account/login HTTP/1.1" 401 994
SSLAuthenticatorWithFallback: Authenticating with BASIC authentication
SSLAuthenticatorWithFallback: Fallback auth header: WWW-Authenticate=Basic realm="Certificate Authority"
SSLAuthenticatorWithFallback: Fallback auth return code: 401
SSLAuthenticatorWithFallback: Result: false
and from pki logs
Failed to authenticate as admin UID=admin-freeipa2.infra.opensuse.org. Error: netscape.ldap.LDAPException: error result (49)
I don't particularly know how to proceed from here, since those errors
don't mean much to me. I see however it's not just me having issues with
`ipa-ca-install` at least similar to this one (although by the looks of
it, the reason is already different ;)
Thanks in advance for trying,
we have cloned one of the linux server which is having ipa user ac lets say
1. server a
3. server c
4. server a.1 (clone server)
One user has been created on servers a.1, b and c.
I was able to log in from b to c and from c to b,
but when I tried to log in from server b to server a.1 or from c to server a.1
I got an "authentication failed" error. When I dug deeper with cat /var/log/secure I got the message:
authentication token is no longer valid; new one required (log messages on server c and server b)
When I checked the logs on server a.1 (cat /var/log/secure):
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=server c user
error: pam: user account has expired for USER from server c
Please help me to fix it.