Error configuring Kerberos on CentOS 6 - security

After configuring Kerberos on private server which runs on CentOS 6, I get this error when I run the kinit I get the following response:
kinit: Realm not local to KDC while getting initial credentials
This is the copy of my config file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# rdns = false
default_realm = CENTSERVER01
# default_ccache_name = KEYSTRING:persistent:%{uid}
[realms]
CENTSERVER01 = {
kdc = centserver01:88
admin_server = centserver01:88
}
[domain_realm]
.centserver01 = CENTSERVER01
centserver01 = CENTSERVER01

This error usually means that your Kerberos configuration file, which is by default /etc/krb5.conf, is configured wrong. You'll need to fix that, in order to fix the problem. These errors are usually caught through a simple visual examination of this file. Edit the file according to the sample krb5.conf file on the MIT web site; simply replace the the example.com name with your actual Kerberos realm name and DNS name, keeping note of case sensitivity throughout.

Related

YesodAuth Google OAuth2 timing out

I'm trying to set up Authentication and Authorization for my Yesod website according to the book.
However, once I set up my Google OAuth2, I get a timeout:
HttpExceptionRequest Request {
host = "accounts.google.com"
port = 443
secure = True
requestHeaders = [("Content-Type","application/x-www-form-urlencoded")]
path = "/o/oauth2/token"
queryString = ""
method = "POST"
proxy = Nothing
rawBody = False
redirectCount = 10
responseTimeout = ResponseTimeoutDefault
requestVersion = HTTP/1.1
proxySecureMode = ProxySecureWithConnect
}
ConnectionTimeout
I tried using yesod-auth-oauth2 instead, but I still got a timeout error:
HttpExceptionRequest Request {
host = "www.googleapis.com"
port = 443
secure = True
requestHeaders = [("Content-Type","application/x-www-form-urlencoded"),("Authorization","<REDACTED>"),("User-Agent","hoauth2"),("Accept","application/json")]
path = "/oauth2/v3/token"
queryString = ""
method = "POST"
proxy = Nothing
rawBody = False
redirectCount = 10
responseTimeout = ResponseTimeoutDefault
requestVersion = HTTP/1.1
proxySecureMode = ProxySecureWithConnect
}
ConnectionTimeout
I have the Google+ API and Contacts API enabled for the web application. I'm running my website locally right now, and have my Authorized redirect URIs as
http://localhost:3000/auth/page/google/callback
http://localhost:3000/auth/page/googleemail2/complete
Turns out for my case, it was due to the IPv6 address of www.googleapis.com being filtered out by Cisco AnyConnect Socket Filter.
For instance, in the connection package, I Debug.Trace.trace'd addrs in the resolve' function to find out that the server was trying to connect initially to the IPv6 address, then the IPv4 one. Connecting to the IPv4 addresses (e.g. using ping or telnet) worked, but the IPv6 address did not, so ultimately it was a firewall issue.

Can't get samba to share folder with AD users

I have an AD server running on server 2019. I just setup a linux box and configured samba for some reason i can't get getent group "domain admins" to show anything. if i do getent passwd Administrator it does work, and wbinfo -u or wbinfo --domain-groups works fine as well.
SMB.CONF
[global]
server role = MEMBER SERVER
security = ADS
realm = TESTLAB.COM
workgroup = TEST
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 %h
log file = /var/log/samba/%m.log
log level = 5
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config TESTLAB : backend = rid
idmap config TESTLAB : range = 30000-40000
idmap config TESTLAB : backend = ad
password server = adsrv1.testlab.com
encrypt passwords = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 4
winbind use default domain = yes
#winbind normalize name = yes
os level = 20
domain master = no
local master = yes
preferred master = no
map to guest = bad user
host msdfs = no
netbios name = smbsrv
client min protocol = SMB2
client max protocol = SMB3
client ldap sasl wrapping = plain
hosts allow = 10.0.0.0/16
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
acl group control = yes
acl map full control = true
ea support = yes
vfs objects = acl_xattr
store dos attributes = yes
#dos flemode = yes
dos filetimes = yes
enable privileges = yes
restrict anonymous = 2
strict allocate = yes
guest ok = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
username map = /etc/samba/user.map
template shell = /bin/bash
template homedir = /home/TESTLAB/%U
[Data]
comment = "User Data"
path = /mnt/data
create mask = 0770
browseable = yes
writable = yes
valid users = #"Domain Admins" #"Domain Users"
write list = #"Domain Admins" #"Domain Users"
NSSWITCH.CONF
passwd: compat files winbind sss
group: compat files windind sss
shadow: compat files sss
gshadow: files
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
KRB5.conf
[libdefaults]
default_realm = testlab.com
dns_lookup_realm = false
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
testlab.com = {
kdc = adsrv1.testlab.com
admin_server = adsrv1.testlab.com
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
.testlab.com = TESTLAB.COM
SSSD.CONF
[sssd]
config_file_version = 2
services = nss, pam
domains = TESTLAB
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
[nss]
[pam]
# Example LDAP domain
[TESTLAB.COM/LDAP]
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
ldap_schema = rfc2307
ldap_uri = ldap://ldap.testlab.com
ldap_search_base = dc=testlab,dc=com
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
[domain/TESTLAB]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap.testlab.com
ldap_search_base = dc=testlab,dc=com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_server = 10.0.0.10
krb5_realm = TESTLAB.COM
It might help if you used the correct domain name on the 'idmap config' lines.
You have 'workgroup = TEST' and 'idmap config TESTLAB : backend = rid', they must match, change 'TESTLAB' to 'TEST'
Oh, and if your version of Samba is >= 4.8.0 , then remove sssd, you cannot use Samba >= 4.8.0 with sssd.
OK, I would remove these lines from your smb.conf:
server role = MEMBER SERVER
password server = adsrv1.testlab.com
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
netbios name = smbsrv
os level = 20
local master = yes
acl map full control = true
ea support = yes
dos filetimes = yes
enable privileges = yes
guest ok = no
browseable = yes
idmap config TESTLAB : backend = ad
create mask = 0770
valid users = #"Domain Admins" #"Domain Users"
write list = #"Domain Admins" #"Domain Users"
Then set the permissions on the share from Windows (security tab)
I would also upgrade Debian to Buster, this will get you a later version of Samba.

Disable Authentication in OpenStack Swift

I want that everyone (unauthorized) could store/read objects form my test swift server. Is there a way to disable authentication at all? I'm authorized with the following user (proxy-server.conf):
[filter:tempauth]
use = egg:swift#tempauth
user_test_tester = testing .admin
but want to give possibility to non-users make requests to my server also.
It depends on what kind of requests you want to use and what auth middleware you are using. If you are using keystone you are stuck using container level permissions. You can set permissions on a container to be public.
curl -X POST -i \
-H "X-Auth-Token: abcdeftoken" \
-H "X-Container-Read: .r:*" \
-H "X-Container-Write: .r:*" \
http://swift.example.com/v1/AUTH_testing/container
You can configure your proxy-server pipeline with no authentication middleware, tempauth or with keystoneauth. In the first solution you don't need to provide any password. in the second solution you can have user, group and password set in your configuration and the last one contacts keystone server for identification.
example:
[pipeline:main]
### no pass
# pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit copy container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server
### tempauth
# pipeline = catch_errors gatekeeper healthcheck proxy-logging cache listing_formats container_sync bulk tempurl ratelimit tempauth copy container-quotas account-quotas slo dlo versioned_writes symlink proxy-logging proxy-server
### keystoneauth
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk ratelimit authtoken keystoneauth container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin,user
# https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
www_authenticate_uri = http://controller:5000/
auth_url = http://controller:5000/
memcached_servers = controller:11211
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = swift
password = SWIFT_PASS # change this
delay_auth_decision = True
log_level = debug
service_token_roles_required = True
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
user_test5_tester5 = testing5 service

Samba Share problems using AD

I have an AD domin in Windows Server Enterprise 2008 R2.
The domain name is ferreiradias.local
I have installed a xubuntu box 16.04 with all updates done.
I have installed samba, winbind and krb5-client and ntp and configured them.
krb5.conf:
[libdefaults]
ticket_lifetime = 24h
default_realm = FERREIRADIAS.LOCAL
forwardable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
FERREIRADIAS.LOCAL = {
kdc = 192.168.1.3:88
admin_server = DC-FD.FERREIRADIAS.LOCAL
default_domain = FERREIRADIAS.LOCAL
}
[domain_realm]
.FERREIRADIAS.LOCAL = FERREIRADIAS.LOCAL
FERREIRADIAS.LOCAL = FERREIRADIAS.LOCAL
.ferreiradias.local = FERREIRADIAS.LOCAL
ferreiradias.local = FERREIRADIAS.LOCAL
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
nssswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
hostname
nas1
hosts
127.0.0.1 localhost
127.0.1.1 nas1.ferreiradias.local nas1.ferreiradias nas1
I could add the linux box to the AD. Everything ok until that point.
smb.conf
[global]
security = ADS
realm = FERREIRADIAS.LOCAL
password server = 192.168.1.3
workgroup = ferreiradias
idmap config * : range = 10000-20000
server string = Linuxserver
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
ntlm auth = yes
lanman auth = no
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
map to guest = bad user
guest account = nobody
unix extensions = yes
[partilha1]
comment = Marketing
path = /sharing/
valid users =#FERREIRADIAS\jorgcar
writable = yes
read only = no
force create mode = 0777
create mask = 0777
directory mask = 0777
force directory mode = 0777
access based share enum = yes
hide unreadable = yes
The problem is when I try to access the linux box via Windows 10 / 7, I have "access denied" error. Can someone point me some guides? Really stuck on this
Try adding the line
client max protocol = SMB3
in
/etc/samba/smb.conf
to section [global].
Maybe your samba version is not supported.

pyramid_beaker session does not terminate after 30 minutes

I installed python_beaker, added it into include:
session_factory = session_factory_from_settings(settings)
config = Configurator(settings=settings, session_factory=session_factory)
config.include('pyramid_beaker')
Added into development.ini these settings:
session.type = file
session.data_dir = /tmp/sessions/data
session.lock_dir = /tmp/sessions/lock
session.key = key
session.secret = secret
session.cookie_on_exception = true
But the session never ends. What am I doing wrong?

Resources