I work in company with many servers and Pcs for developers. Servers are win2003, PC developers Windows XP.
In a server Win2003 named preiis01, in preproduction environment, other people in company install a client certificate using any other user (domainCompany\adminsystems) for logging in server preiis01.
Anyone admin uses the user "domainCompany\adminsystems" for log in server preiis01 (using Terminal Server, Remote Desktop for Windows XP).
the admin user is domainCompany\adminsystems", which installs certificate.
Admin user install it like this:
Session login like "domainCompany\adminsystems"
Certificate is PFX file. Do Install PFX and using Wizard. The key private not check for export.
Input the password and install.
There is an application Web which AppPool Identity is: NETWORK SERVICE account.
web server is IIS 6.0.
in preiis01,
That admin user executes mmc -> Snap in -> Certificates for Local Machine. In node -> Personal -> Certificates, he had seen the client certificate:
Issued To ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
Issued By FNMT Clase 2 CA
In properties of certificate, the thumbprint: "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13"
That admin user executes this commands:
winhttpcertcfg.exe LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -g -a "NETWORK SERVICE"
Result is:
Matching certificate:
CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
OU=703015476
OU=FNMT Clase 2 CA
O=FNMT
C=ES
Granting private key access for
account: NT AUTHORITY\NETWORK SERVICE
Now, admin user executes this command:
winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"
The result is:
Matching certificate:
CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
OU=700012476
OU=FNMT Clase 2 CA
O=FNMT
C=ES
Additional accounts and groups with
access to the private key include:
domainCompany\adminsystems NT
AUTHORITY\SYSTEM
BUILTIN\Administrators NT
AUTHORITY\NETWORK SERVICE
NOw, in an aspx page in application web in server Win2003, IIS 6.0, I have this code:
NOte: value for X509Certificate2.HasPrivateKeyAccess() is NO (false) for "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" certificate.
ASP.NET application executes using the identity :: NT AUTHORITY\NETWORK SERVICE
lbInfo.Text += "<br/><br/>ASP.NET application executes using the identity :: <b>" + WindowsIdentity.GetCurrent().Name + "</b><br>";
var store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
Certificates = store.Certificates;
repeater1.DataSource = Certificates;
repeater1.DataBind();
var nombreCertificado = "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1";
store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySubjectName, nombreCertificado, false);
if (col.Count > 0)
{
X509Certificate2 certificate = col[0];
store.Close();
Message.Text = "Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;
FirmarConCertificado(nombreCertificado, certificate);
}
else
{
store.Close();
Message.Text = "El certificado " + nombreCertificado + " no esta instalado en la máquina";
}
public void FirmarConCertificado(string nombreCertificado, X509Certificate2 certificate)
{
try
{
var mensaje = "Datos de prueba";
System.Text.Encoding enc = System.Text.Encoding.Default;
byte[] data = enc.GetBytes(mensaje);
var contentInfo = new System.Security.Cryptography.Pkcs.ContentInfo(data);
var signedCms = new System.Security.Cryptography.Pkcs.SignedCms(contentInfo, true);
var cmsSigner = new System.Security.Cryptography.Pkcs.CmsSigner(certificate);
// Sign the CMS/PKCS #7 message
signedCms.ComputeSignature(cmsSigner);
// Encode the CMS/PKCS #7 message
var ret = Convert.ToBase64String(signedCms.Encode());
Message.Text += "Firmado con Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;
}
catch (Exception ex)
{
Message.Text = "Error al firmar con certificado: " + ex.ToString();
Message.Text += "<br /><br />InnerException: " + ex.InnerException;
}
}
The code fails for me, and I get this error: Cannot find the certificate and private key for decryption.
Error line is:signedCms.ComputeSignature(cmsSigner);
Error al firmar con certificado:
System.Security.Cryptography.CryptographicException:
Cannot find the certificate and
private key for decryption.
at
System.Security.Cryptography.Pkcs.PkcsUtils.CreateSignerEncodeInfo(CmsSigner
signer, Boolean silent) at
System.Security.Cryptography.Pkcs.SignedCms.Sign(CmsSigner
signer, Boolean silent) at
System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner
signer, Boolean silent) at
System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner
signer) at
ASP.dgsfp_test_testcert_aspx.FirmarConCertificado(String
nombreCertificado, X509Certificate2
certificate) in
c:\Company\App\Test\TestCert.aspx:line
242
Then, the admin user (I remember, who install the certificate) executes this commands:
FindPrivateKey My LocalMachine -t "93
bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7
9d 81 70 a6 c4 13" –c
FindPrivateKey
My LocalMachine -n "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" –a
FindPrivateKey My LocalMachine -n
"CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"
–a
The result for all 3 commands is the same:
FindPrivateKey helps user to find the
location of the Private Key file of a
X.50 9 Certificate.
Usage: FindPrivateKey [{ {-n } | {-t }
} [-f | -d | -a]]
subject name of the
certificate
thumbprint of the
certificate (use certmgr.exe to get
it)
-f output file name only
-d output directory only
-a output absolute file
name e.g. FindPrivateKey My
CurrentUser -n "CN=John Doe"
e.g. FindPrivateKey My LocalMachine -t
"03 33 98 63 d0 47 e7 48 71 33 62 64
76 5 c 4c 9d 42 1d 6b 52" -c
FindPrivateKey don't get anything, but winhttpcertcfg.exe -l works fine (matching certificate)
We have given privileges to the Network Service user using the winhttpcertcfg.exe tool, and in code ASP.NET (execute under Network Service account) the certificate is found. But fails when sign using certificate.
If someone could give us some information about, or suggestions
update:
User in domain "domainCompany\Pre_Certificado" install Certificate in Store Local Machine.
domainCompany\Pre_Certificado is Administrator, in IIS_WPG group, has Local Policies: “Log on as Service“
I configure AppPool Identity in IIS 6.0 for : domainCompany\Pre_Certificado
ASP.NET application executes using the identity :: domainCompany\Pre_Certificado
I recycle AppPool and execute application, I get System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption
If I test again, log in session in server IIS, using domainCompany\Pre_Certificado user, I call page in ASP.NET application and all is OK.
(note: log in server IIS using Terminal Server)
But if log off session in server IIS (user: domainCompany\Pre_Certificado), I get the same error:
System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption
Any suggestions ??
Do the first 2 steps as the same as you would with IIS 7.5 (click here)
Create / Purchase certificate. Make sure it has a private key.
Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"
Run the below command as an administrator. Replace the following:
Replace [Subject] with the certificate's subject and use quotes if it contains spaces. I think you can also just put the first word as long as there isn't another cert that starts with the same subject.
Replace [Store] with the certificate store you imported to, default I believe is "ROOT" or "MY" on IIS 6, i.e. "LOCAL_MACHINE\ROOT" or "LOCAL_MACHINE\MY"
Replace [computername] with the name of the computer. You might be able to use ".\" notation for [computernam] i.e. ".\NETWORK SERVICE" but I have not tried it.
winhttpcertcfg.exe -g -a "[computername]\NETWORK SERVICE" -c LOCAL_MACHINE\[Store] -s "[Subject]"
Note: If you are running ASP.NET Application Pool under an identity other than "NETWORK SERVICE" you'll need the change "NETWORK SERVICE" in the above command to the identity that you're running the IIS application pool.
Please check this document which would help you to resolve the issue. I would recommend to use following command option:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
May need to grant access to the anonymous user also. If you are allowing anonymous access then the request is running as the anonymous user not network service.
Related
I'm trying to test and Office 365 (with Outlook) account for remote access via IMAP. Despite the large amount of posts regarding this issue, i was not able to find something that make my test work, so i'm asking again.
This is the scenario : I have an outlook/office365 account, with IMAP enabled by the admin.
From a local server i'm using the next command from openssl to connect to the IMAP server:
openssl s_client -crlf -connect outlook.office365.com:993 -quiet
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
* OK The Microsoft Exchange IMAP4 service is ready. [UwBDADEAUABSADgAMABDAEEAMAAwADUAOAAuAGwAYQBtAHAAcgBkADgAMAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
Apparently i'm connected to the IMAP server, so now i try to authenticate.
First i get the list of AUTH methods that the server accepts.
02 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
02 OK CAPABILITY completed
So, i try to authenticate using PLAIN. As far as i understand i need to put the credentials in base64 format, so i use the command "base64" from my linux server in order to get.
So, if my username is "user#mydomain.com" and my password is "mysecretpassword" i use this:
echo -en "\0user#mydomain.com\0mysecretpassword" | openssl base64
I get
AHVzZXJAbXlkb21haW4uY29tAG15c2VjcmV0cGFzc3dvcmQ=
Then in the connection i use :
01 AUTHENTICATE PLAIN
+
AHVzZXJAbXlkb21haW4uY29tAG15c2VjcmV0cGFzc3dvcmQ=
01 NO AUTHENTICATE failed.
No matter what i try i always get "AUTHENTICATE failed".
Maybe i'm not doing something wrong?. Do i need to set up something else in the office365 server? Is correct to asume if the server answer with AUTH=PLAIN as capability i can use this method to authenticate?.
On other hand I'm 100% sure about my user and password, i can connec to to the SMTP (smpt.office365.com) server with this credentials without any problem.
I have tried without luck this credentials:
"\0user#mydomain.com\0mysecretpassword"
"\000user#mydomain.com\000mysecretpassword"
"\0user#mydomain.com\0user#mydomain.com\0mysecretpassword"
Any ideas?
Thanks!
I have finally made some tests and thanks to #Max who pointed my in the right direction i was able to make this thing work. I have contacted MS support and I was able to first check the IMAP status of my Office365 account.
I followed the steps here (https://www.kraftkennedy.com/how-to-temporarily-re-enable-basic-authentication-in-exchange-online/) in order to check the status of my IMAP service, and it was with Basic Auth disabled..., so with the admin account i was able to enable it using a little box.
Then i was succesfully able to login using "Basic Auth"..with
01 AUTHETICATE PLAIN Ahfu4sdjkdsu9d9d9wee4
01 OK AUTHENTICATE completed.
And with
01 LOGIN user pass
01 OK LOGIN completed.
So, as #Max mention, Microsoft is disabling "Basic Auth" for good, but you can enable it again.
Hope this could be useful for all.
Regards,
The microstack.openstack project recently enabled/required tls authentication as outlined here. I am working on deploying an openstack cluster to microstack using a terraform example here. As a result of the change, I receive an unknown signed cert error when trying to create an openstack network client data source.
data "openstack_networking_network_v2" "terraform" {
name = "${var.pool}"
}
The error I get when calling terraform plan:
Error: Error creating OpenStack networking client: Post "https://XXX.XXX.XXX.132:5000/v3/auth/tokens": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: certificate signed by unknown authority
with data.openstack_networking_network_v2.terraform,
on datasources.tf line 1, in data "openstack_networking_network_v2" "terraform":
1: data "openstack_networking_network_v2" "terraform" {
Is there a way to ignore the certificate error, so that I can successfully use terraform to create the openstack cluster? I have tried updating the generate-self-signed parameter, but I haven't seen any change in behavior:
sudo snap set microstack config.tls.generate-self-signed=false
I think insecure provider parameter is what you are looking for:
(Optional) Trust self-signed SSL certificates. If omitted, the OS_INSECURE environment variable is used.
Try:
provider "openstack" {
insecure = true
}
Disclaimer: I haven't tried that.
The problem was that I did not source the admin-openrc.sh file that I had downloaded from the horizon web page:
$ source admin-openrc.sh
I faced the same problem, if it could help, here my contribution :
sudo snap get microstack config.tls
Key Value
config.tls.cacert-path /var/snap/microstack/common/etc/ssl/certs/cacert.pem
config.tls.cert-path /var/snap/microstack/common/etc/ssl/certs/cert.pem
config.tls.compute {...}
config.tls.generate-self-signed true
config.tls.key-path /var/snap/microstack/common/etc/ssl/private/key.pem
In terraform directory, do :
cat /var/snap/microstack/common/etc/ssl/certs/cacert.pem : copy paste -> cacert.pem
cat /var/snap/microstack/common/etc/ssl/certs/cert.pem : copy/paste -> cert.pem
cat /var/snap/microstack/common/etc/ssl/private/key.pem : copy/past -> key.pem
And create a file in your terraform directory main.tf :
provider "openstack" {
user_name = "admin"
tenant_name = "admin"
password = "pass" (get with sudo snap get microstack config.credentials.keystone-password)
auth_url = "https://host_ip:5000/v3"
#insecure = true (uncomment & comment cacert_file + key line)
cacert_file = "/terraform_dir/cacert.pem"
#cert = "/terraform_dir/cert.pem" (if needed)
key = "/terraform_dir/private.pem"
region = "microstack" (or regionOne)
}
To finish terraform plan/apply
I am trying to configure our IIS to serve https over the following websites :
mywebsite
mywebsite.default.corporate.domain
servername/mywebsite
I set up 2 IIS websites hosted on this server.
One is the default and hosts various services, which means that some random bindings are activated (net.pipe, net.msmq, net.tcp), plus http and https.
The other one is mywebsite with 4 bindings : mywebsite and mywebsite.default.corporate.domain both over http and https.
I have generated a certificate in p12 format, with both mywebsite, mywebsite.default.corporate.domain and servername as subject alternative name, imported it in local computer personal certificates, and this is the certificate I am using for all 3 https binding.
I set the friendly name to *mywebsite and I edited the https bindings to match each expected domain.
Both mywebsite and servername/mywebsite work great, but mywebsite.default.corporate.domain shows an invalid certificate in chrome. When I check the details, the only subject alternative name is servername, even though the public key matches the one I get with the other two valid pages.
Following various questions and answers, I tried to set the IP adress in the bindings, tried the certutil -repairestore command and numerous IIS resets. I also tried to split the websites for mywebsite and mywebsite.default.corporate.domain.
If anyone has a suggestion, I am completely at loss here and spent way too much time on this already. I am using cutting edge technology (IIS 7 on Windows Server 2008 R2).
Thanks !
Edit 1 : SSL Diagnostics Tool report as requested (anonymised as per company policy, sorry) :
System Time : Tuesday, June 02, 2020 2:20:52 PM Romance Standard Time
Processor Architecture : x64
OS : Microsoft Windows NT 6.1.7601 Service Pack 1
Microsoft Internet Information Services 7.5
SERVER SSL PROTOCOLS
PCT 1.0 : Enabled
SSL 2.0 : Enabled
SSL 3.0 : Enabled
TLS 1.0 : Enabled
SChannel EventLogging : 1 (hex)
-----
[W3SVC/1]
ServerComment : Default Web Site
ServerAutoStart : True
ServerState : Started
BINDING : http *:80:
BINDING : net.tcp 808:*
BINDING : net.pipe *
BINDING : net.msmq localhost
BINDING : msmq.formatname localhost
[W3SVC/2]
ServerComment : mywebsite
ServerAutoStart : True
ServerState : Started
BINDING : http 184.11.52.120:80:mywebsite
BINDING : https 184.11.52.120:443:mywebsite
SSLCertHash : 8111C2E82C5AD2C3E556D5D523BE8C43C4AC46BB
SSL Flags :
Testing EndPoint : 184.11.52.120:443 - Success
#CertName : *mywebsite
#Version : 3
#You have a private key that corresponds to this certificate.
#Signature Algorithm : sha256RSA
#Key Exchange Algorithm : RSA-PKCS1-KeyEx Key Size : 2048
#Subject : CN=servername.default.corporate.domain, OU=STAR, O=MYCOMPANY, L=Paris, S=Ile de France, C=FR
#Issuer : CN=COMP UniPass Server Authentication 2016 CA, O=MYCOMPANY
#Validity : From Friday, May 29, 2020 6:04:08 PM To Tuesday, July 30, 2024 6:04:08 PM
#Serial Number : 4630C58DA21F1A05A8B348255FD0B168DDF104C3
DS Mapper Usage : Disabled
Archived : False
#Basic Constraints : Subject Type=End Entity, Path Length Constraint=None
#Authority Key Identifier : KeyID=fe 3b 7f 76 62 f8 80 36 04 95 8f 34 0a e1 6d af 72 31 6a df
#Authority Information Access : [1]Authority Info Access: Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name=URL=http://unipass.mycompany.com/ca/ServerAuthentication2016.crt
#Subject Alternative Name : DNS Name=servername.default.corporate.domain, DNS Name=servername, DNS Name=staruat, DNS Name=staruat.default.corporate.domain, DNS Name=mywebsite.default.corporate.domain, DNS Name=mywebsite
#Enhanced Key Usage : Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), Secure Email (1.3.6.1.5.5.7.3.4)
#CRL Distribution Points : [1]CRL Distribution Point: Distribution Point Name:Full Name:URL=ldap://ldap.unipass.mycompany/CN=ServerAuthentication2016,OU=UniPass,O=COMP?certificateRevocationList, [2]CRL Distribution Point: Distribution Point Name:Full Name:URL=http://http.unipass.mycompany/?crlname=ServerAuthentication2016, [3]CRL Distribution Point: Distribution Point Name:Full Name:URL=http://unipass.mycompany.com/crl/ServerAuthentication2016.crl
#Subject Key Identifier : 86 dd 98 41 1c db fc 08 af d1 e8 5b 04 a8 c0 ba 93 be 6f 2a
#Key Usage : Digital Signature, Non-Repudiation, Key Encipherment (e0)
Certificate verified.
[W3SVC/3]
ServerComment : mywebsite.default.corporate.domain
ServerAutoStart : True
ServerState : Started
BINDING : https 184.11.52.120:443:mywebsite.default.corporate.domain
SSLCertHash : 8111C2E82C5AD2C3E556D5D523BE8C43C4AC46BB
SSL Flags :
Testing EndPoint : 184.11.52.120:443 - Success
#CertName : *mywebsite
#Version : 3
#You have a private key that corresponds to this certificate.
#Signature Algorithm : sha256RSA
#Key Exchange Algorithm : RSA-PKCS1-KeyEx Key Size : 2048
#Subject : CN=servername.default.corporate.domain, OU=STAR, O=MYCOMPANY, L=Paris, S=Ile de France, C=FR
#Issuer : CN=COMP UniPass Server Authentication 2016 CA, O=MYCOMPANY
#Validity : From Friday, May 29, 2020 6:04:08 PM To Tuesday, July 30, 2024 6:04:08 PM
#Serial Number : 4630C58DA21F1A05A8B348255FD0B168DDF104C3
DS Mapper Usage : Disabled
Archived : False
#Basic Constraints : Subject Type=End Entity, Path Length Constraint=None
#Authority Key Identifier : KeyID=fe 3b 7f 76 62 f8 80 36 04 95 8f 34 0a e1 6d af 72 31 6a df
#Authority Information Access : [1]Authority Info Access: Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2), Alternative Name=URL=http://unipass.mycompany.com/ca/ServerAuthentication2016.crt
#Subject Alternative Name : DNS Name=servername.default.corporate.domain, DNS Name=servername, DNS Name=staruat, DNS Name=staruat.default.corporate.domain, DNS Name=mywebsite.default.corporate.domain, DNS Name=mywebsite
#Enhanced Key Usage : Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), Secure Email (1.3.6.1.5.5.7.3.4)
#CRL Distribution Points : [1]CRL Distribution Point: Distribution Point Name:Full Name:URL=ldap://ldap.unipass.mycompany/CN=ServerAuthentication2016,OU=UniPass,O=COMP?certificateRevocationList, [2]CRL Distribution Point: Distribution Point Name:Full Name:URL=http://http.unipass.mycompany/?crlname=ServerAuthentication2016, [3]CRL Distribution Point: Distribution Point Name:Full Name:URL=http://unipass.mycompany.com/crl/ServerAuthentication2016.crl
#Subject Key Identifier : 86 dd 98 41 1c db fc 08 af d1 e8 5b 04 a8 c0 ba 93 be 6f 2a
#Key Usage : Digital Signature, Non-Repudiation, Key Encipherment (e0)
Certificate verified.
BINDING : http 184.11.52.120:80:mywebsite.default.corporate.domain
-----
Edit 2 : Apparently the issue in intermitent which is even more incomprehensible/worrying to me.
Edit 3 : I have a feeling it is actually a client error. When the certificate is valid, the Certification Path is not the same as when the certificate is invalid. I am not sure this is possible but there seems to be 2 different corporate root certificate that chrome chooses from to validate my website certificate, one of which allows the good alias, and the other does not. I will contact the ssl support.
Edit 4 : Wanted to wait a bit to confirm that the issue disappeared for good, and it did. I do not have a good explanation but I think there was a configuration issue on our intranet maybe because my company does some weird man in the middle proxying and it might have been wrong for a while. I really do not have the level of expertise to understand what went wrong so this is yet another useless question on stackoverflow, my deepest sympathies if you end up on this question and expect some help...
I want to implementation centralize auth using AWS Simple AD (samba). The client machine is linux based (ubuntu and amazon linux). Ony my ldap, i just creat one user (cn=test) under dc=ldap,dc=test,dc=io.
I am using sssd as the auth client from my linux machine. And here my /etc/sssd/sssd.conf :
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.test.io
ldap_default_bind_dn = dc=ldap,dc=test,dc=io
ldap_default_authtok = password01
ldap_default_authtok_type = password
ldap_search_base = dc=ldap,dc=test,dc=io
ldap_user_search_base = dc=ldap,dc=test,dc=io
ldap_group_search_base = odc=ldap,dc=test,dc=io
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
override_shell = /bin/bash
cache_credentials = true
enumerate = true
But, it looks like not working from the client, i didn't get the ldap user from my client (i execute this getent passwd).
And i got this error:
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
nss_ldap: could not search LDAP server - Server is unavailable
No passwd entry for user 'test'
Here is my reference to configure the sssd client enter link description here
Any suggestion for this case ?
Thanks
The error message you are getting is from nss_ldap, not from nss_sss. So I assume in /etc/nsswitch.conf, you configured the ldap module either on its own or before sss. If the user information is to be returned by sssd then use the sss nsswich module.
I would also recommend to not use enumerate=true unless your directory is quite small.
In /etc/nsswitch.conf be sure to have:
passwd: files sss
shadow: files sss
groups: files sss
And of course in the stack of the /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac you have to use the pam_sss.so library.
Server is a RHEL7, Kerberos is AD (Windows). I'm only client of KDC.
Arcfour-hmac works fine but when I change encryption type to aes-256 and set up a new keytab, kinit still works, but not kvno. And even if the user seems to have a valid ticket (in klist) he is not able to start services anymore.
I don't have access to the Kerberos AD, but it seems properly configured to use aes-256, because end users (on Windows computers) already request tickets in this encryption type.
My krb5.conf :
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
And here the errors I got when I try to acquire a ticket with kvno :
[2477332] 1493147723.961912: Getting credentials myuser#TOTO.NET -> nn/myserver#TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser#TOTO.NET -> nn/myserver#TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver#TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01#TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02#TOTO.NET (aes256-cts-hmac-sha1-96)
Thanks for your help
Ask your AD administrator to enable support for AES-256 encryption types on the AD account associated with the keytab. To find that account, run this command:
setspn -Q nn/myserver01#TOTO.NET
the output will tell you the name of the account. It will start with CN=xxx, where "xxx" is the name of the AD account. To enable support for AES-256 encryption types on the AD account, tell your AD admin that the checkbox "This account supports Kerberos AES 256 bit encryption" must be checked, and that is found under Account tab, all the way at the bottom.
I just recently encountered this problem and was able to solve it.
for us, it was that AD was using a different salt than what the Kerberos client used by default.
That is, when using ktutil:
addent -password -p servicepuppetnp#AMER.EXAMPLE.COM -k 4 -e arcfour-hmac
Password for admspike_white#AMER.EXAMPLE.COM:
produces a keytab file that I could use to kinit as that principal. Whereas:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for admspike_white#AMER.EXAMPLE.COM:
did not produce a keytab file that would allow successful kinit. (pre-auth failure).
I had to do this:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 -f
Password for admspike_white#AMER.EXAMPLE.COM:
which tells ktutil to get the salt info from the AD DC. then it uses the correct salt. That produces a keytab file that allows successful kinit.