Hi all, to confirm, both uidNumber and gidNumber must be within the ID range right? I have 1 user and 22 groups that got assigned numbers outside the range. Would it be possible to constrain these at an ldap level?
Peter ________________________________________ Van: Alexander Bokovoy <[email protected]> Verzonden: dinsdag 7 november 2023 09:34 Aan: Kroon PC, Peter CC: Rob Crittenden; FreeIPA users list Onderwerp: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC On Пан, 06 ліс 2023, Kroon PC, Peter wrote: >Hi all, > >thanks for the response, and my apologies for my slow reply -- life happened. >I put my responses inline. It seems that the ldapupdate file you provided >generated a SID config. Thanks. It is hard to read your inline responses as they went without proper quoting but I think I understood what you wanted to show. You still need to add an ID range that covers your actual POSIX IDs. Without that we wouldn't able to generate SIDs either. After an ID range is added, `ipa config-mod --enable-sid --add-sids` should fix the rest. > >Peter > > >________________________________________ >Van: Alexander Bokovoy <[email protected]> >Verzonden: donderdag 26 oktober 2023 16:59 >Aan: Kroon PC, Peter >CC: Rob Crittenden; FreeIPA users list >Onderwerp: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT >following S4U2PROXY_NO_HEADER_PAC > >On Чцв, 26 кас 2023, Kroon PC, Peter wrote: >>Hi Alexander and Rob, >> >>many thanks for your prompt responses :) >>I made a new lxc machine and restored a backup so at least I have a working >>environment again. I kept the borken one for further investigation which I'll >>use to provide more information. >>I'm not super comfortable using mailing lists, and I'm not sure whether my >>mail client (outlook) will mangle my inline responses. >> >>Peter >> >>________________________________________ >>Van: Alexander Bokovoy <[email protected]> >>Verzonden: woensdag 25 oktober 2023 20:49 >>Aan: Rob Crittenden >>CC: FreeIPA users list; Kroon PC, Peter >>Onderwerp: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT >>following S4U2PROXY_NO_HEADER_PAC >> >>On ���, 25 ��� 2023, Rob Crittenden wrote: >>>Alexander Bokovoy via FreeIPA-users wrote: >>>> On ���, 25 ��� 2023, Kroon PC, Peter via FreeIPA-users wrote: >>>>> Hi all, >>>>> >>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA >>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred: >>>>> >>>>> $ kinit admin >>>>> Password for [email protected]: >>>>> $ ipa show-user admin >>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI >>>>> Error: No credentials were supplied, or the credentials were >>>>> unavailable or inaccessible (Credential cache is empty) >>>>> >>>>> /var/log/krb5kdc.log: >>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes >>>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), >>>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) >>>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes >>>>> {rep=UNSUPPORTED:(0)} HTTP/[email protected] for >>>>> ldap/[email protected], TGT has been revoked >>>>> >>>>> As the log shows, the KDC states there is no PAC, and therefore revokes >>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC). >>>>> Because of this, the web gui also doesn't work. >>>> >>>> That is correct description of the reason why it does not work. >>>> >>>>> >>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl >>>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier >>>>> SASL/GSSAPI authentication started >>>>> SASL username: [email protected] >>>>> SASL SSF: 256 >>>>> SASL data security layer installed. >>>>> # extended LDIF >>>>> # >>>>> # LDAPv3 >>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree >>>>> # filter: ipaNTSecurityIdentifier=* >>>>> # requesting: uid ipaNTSecurityIdentifier >>>>> # >>>>> >>>>> # admin, users, accounts, example.com >>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com >>>>> uid: admin >>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500 >>>>> >>>>> # search result >>>>> search: 4 >>>>> result: 0 Success >>>>> >>>>> # numResponses: 2 >>>>> # numEntries: 1 >>>>> >>>>> Out of the ~200 or so users only the admin user has a >>>>> ipaNTSecurityIdentifier, but I don't know if it's correct... >>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI >>>>> is broken. I do still have LDAP access fortunately. >>>> >>>> You can run it, see below. If you'd run, do you have any error messages in >>>> the dirsrv errors log related to sidgen plugin? >>>> >>>>> >>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf, >>>>> but that results in the exact same error. Setting ipaKrbAuthzData=None >>>>> in cn=ipaConfig also has no effect. >>>> >>>> No, one cannot disable PAC globally in FreeIPA. S4U operations >>>> require PAC presence since last year, so for any real Kerberos service >>>> that uses S4U (like IPA API or web UI) one cannot disable PAC >>>> enforcement. >> >>This is useful information :) >> >>>> >>>> Look at your ID range and SID configuration. You can avoid admin issue >>>> currently by running 'ipa' tool on IPA server as root with '-e >>>> in_server=true' option. This will force the tool to simulate direct >>>> access (as if it is running within httpd) and talk directly to LDAPI >>>> socket. >>>> >>>> Something like below: >>>> >>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show >>>> ipa: WARNING: API Version number was not sent, forward compatibility not >>>> guaranteed. Assuming server's API version, 2.253 >>>> Domain: ipa1.test >>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824 >>>> NetBIOS name: IPA1 >>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1 >>>> Fallback primary group: Default SMB Group >>>> IPA AD trust agents: master1.ipa1.test >>>> IPA AD trust controllers: master1.ipa1.test >> >>KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show >>ipa: ERROR: : trust configuration not found > >Ok, let's try differently. Can you provide output of > ># ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \ > -b cn=ad,cn=etc,dc=example,dc=com > >(replace EXAMPLE-COM and dc=example,dc=com by your domain data) > >dn: cn=ad,cn=etc,dc=example,dc=com >objectClass: nsContainer >objectClass: top >cn: cn >cn: ad >> >> >>>> >>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find >>>> ipa: WARNING: API Version number was not sent, forward compatibility not >>>> guaranteed. Assuming server's API version, 2.253 >>>> ---------------- >>>> 5 ranges matched >>>> ---------------- >>>> Range name: IPA1.TEST_id_range >>>> First Posix ID of the range: 1055600000 >>>> Number of IDs in the range: 200000 >>>> First RID of the corresponding RID range: 1000 >>>> First RID of the secondary RID range: 100000000 >>>> Range type: local domain range >>>> >>>> ... [ skip ] ... >>>> >>>> >> >>ipa: WARNING: API Version number was not sent, forward compatibility not >>guaranteed. Assuming server's API version, 2.251 >>---------------- >>2 ranges matched >>---------------- >> Range name: EXAMPLE.COM_id_range >> First Posix ID of the range: 1000 >> Number of IDs in the range: 4000 >> Range type: local domain range > >This one is definitely not configured to handle SIDs. Also, see my >comment at the bottom of this email. > >> >> Range name: EXAMPLE.COM_subid_range >> First Posix ID of the range: 2147483648 >> Number of IDs in the range: 2147352576 >> First RID of the corresponding RID range: 2147479648 >> Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632 >> Range type: Active Directory domain range >>---------------------------- >>Number of entries returned 2 >>---------------------------- >> >>> >>>In my testing you can't run config-mod without a principal, and running >>>in-server does not have a principal. >>> >>># KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids >>>--enable-sid >>>[snip] >>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py", >>>line 701, in pre_callback >>> self._enable_sid(ldap, options) >>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py", >>>line 512, in _enable_sid >>> if not principal_has_privilege(self.api, context.principal, privilege): >>> ^^^^^^^^^^^^^^^^^ >>>AttributeError: '_thread._local' object has no attribute 'principal' >>>ipa: ERROR: an internal error has occurred >> >>Thank you, Rob. I did not check that part. >> >>On IPA master one can run the oddjobd-activated script directly: >> >># /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids >> >>$ /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids >>Configuring SID generation >> [1/8]: creating samba domain object >> [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the >> list', None) >>('Tuple_to_LDAPMod(): expected a byte string in the list', None) >>The ipa-enable-sid command failed. See /var/log/ipaserver-enable-sid.log for >>more information >> >>Python traceback from the log: >>2023-10-26T13:24:21Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line >> 686, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line >> 672, in run_step >> method() >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", >> line 485, in __create_samba_domain_object >> api.Backend.ldap2.add_entry(entry) >> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in >> add_entry >> super(LDAPCache, self).add_entry(entry) >> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in >> add_entry >> self.conn.add_s(str(entry.dn), list(attrs.items())) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in >> add_s >> return self.add_ext_s(dn,modlist,None,None) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in >> add_ext_s >> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in >> add_ext >> return >> self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls)) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in >> _ldap_call >> result = func(*args,**kwargs) >>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None) >> >>2023-10-26T13:24:21Z DEBUG [error] TypeError: ('Tuple_to_LDAPMod(): >>expected a byte string in the list', None) >>2023-10-26T13:24:21Z DEBUG Destroyed connection context.ldap2_140617190554016 >>2023-10-26T13:24:21Z DEBUG File >>"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in >>execute >> return_value = self.run() >> File "/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid", line >> 68, in run >> smb.create_instance() >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", >> line 913, in create_instance >> self.start_creation(show_service_name=False) >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line >> 686, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line >> 672, in run_step >> method() >> File >> "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", >> line 485, in __create_samba_domain_object >> api.Backend.ldap2.add_entry(entry) >> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in >> add_entry >> super(LDAPCache, self).add_entry(entry) >> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in >> add_entry >> self.conn.add_s(str(entry.dn), list(attrs.items())) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in >> add_s >> return self.add_ext_s(dn,modlist,None,None) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in >> add_ext_s >> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in >> add_ext >> return >> self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls)) >> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in >> _ldap_call >> result = func(*args,**kwargs) >> >>2023-10-26T13:24:21Z DEBUG The ipa-enable-sid command failed, exception: >>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None) >> >> >>I still need to see ID range and trustconfig-show output to understand >>the state of this deployment. Also, dirsrv errors log would be helpful >>if there was an attempt to run sidgen in past. >> >>I went through the dirsrv logs, and found the following: >>[24/Oct/2023:10:25:34.071341978 +0000] - ERR - sidgen_task_thread - [file >>ipa_sidgen_task.c, line 194]: Sidgen task starts ... >>[24/Oct/2023:10:25:34.300104111 +0000] - ERR - find_sid_for_ldap_entry - >>[file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [52021] into an >>unused SID. >>[24/Oct/2023:10:25:34.300266490 +0000] - ERR - do_work - [file >>ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. >>[24/Oct/2023:10:25:34.303536359 +0000] - ERR - sidgen_task_thread - [file >>ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. > >You have a range that defines UID/GID space of [1000...5000] but IDs are >outside this range. This is pretty much wrong regardless of whether we >enforce SIDs or not ;) > >You need to create a separate ID range that would cover your existing >IDs. Before that, we need to create a configuration to be used for SID >generation -- if the ldapsearch above would show us that the entry in >cn=ad,cn=etc,$SUFFIX does not exist. > >Since ipa-enable-sid has failed, probably the entry indeed does not exist and >it would be easier to construct it with ipa-ldap-updater tool: > >---- >dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX} >default:objectClass: ipaNTDomainAttrs >default:objectClass: nsContainer >default:objectClass: top >default:cn: ${DOMAIN} >default:ipaNTFlatName: NETBIOSNAME >default:ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440 >default:ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1 >default:ipaNTFallbackPrimaryGroup: cn=Default SMB >Group,cn=groups,cn=accounts,${SUFFIX} >---- > >Change 'NETBIOSNAME' above to some name. By default that would be a >first part of your Kerberos realm, e.g. for IPA1.TEST that would be >IPA. > >The SID value (S-1-5-21-...) is the one that your admin user has, >without the last part (relative identifier, RID, which is -500 for >administrator case). > >Save this to a file named '90-somefile.update' and run as root > ># ipa-ldap-updater ./90-somefile.update > > >Alright, it said "update successful". The ldapsearch above now produces: ># ad, etc, example.com >dn: cn=ad,cn=etc,dc=example,dc=com >objectClass: nsContainer >objectClass: top >cn: cn >cn: ad > ># example.com, ad, etc, example.com >dn: cn=example.com,cn=ad,cn=etc,dc=example,dc=com >objectClass: ipaNTDomainAttrs >objectClass: nsContainer >objectClass: top >cn: example.com >ipaNTFlatName: MYNETBIOSNAME >ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440 >ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1 >ipaNTFallbackPrimaryGroup: cn=Default SMB >Group,cn=groups,cn=accounts,dc=example,dc=com > >-- >/ Alexander Bokovoy >Sr. Principal Software Engineer >Security / Identity Management Engineering >Red Hat Limited, Finland > -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
