August 2018 - FreeIPA-users - Fedora mailing-lists

IPA CA allow CSR SAN names in external domains
by Steve Dainard 14 Mar '22

14 Mar '22

Hello I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be able to add SAN's for a different dns domain than exists in the IPA realm. The dns for 'otherdomain.com' is handled by active directory which my IPA server has a cross-forest trust with. ie: host: client1.ipadomain.com certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com, servicename.otherdomain.com When I try to submit this CSR with 'ipa-getcert request' the IPA server denies with: "The service principal for subject alt name servicename.otherdomain.com in certificate request does not exist" It seems that the default CAACL enforces a profile named 'caIPAserviceCert', but I'm having some trouble determining what can be modified (or cloned and changed in a new profile) that would allow the CA to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the SAN. This is the only section in the profile that contains SAN: policyset.serverCertSet.12.constraint.class_id=noConstraintImpl policyset.serverCertSet.12.constraint.name=No Constraint policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Thanks, Steve

3 3

freeipa with sudo and 2FA (OTP)
by John Ratliff 31 Jan '22

31 Jan '22

I'm trying to setup freeipa with OTP. I created a TOTP under my user in freeipa and updated my user to use 2FA (password + OTP). When I try to do sudo, it only asks for my password and it fails every time (presumably because it isn't getting the OTP first). I didn't see anything useful in the sss_sudo logs, even after adding debug_level = 6 in the config. What can I do to further troubleshoot this? Thanks.

4 6

kinit -n asking for password on clients
by John Ratliff 13 Jul '20

13 Jul '20

When trying to do pkinit, if I do kinit -n on one of the IdM servers, it works fine. If I try on a client machine, it asks me for the password for WELLKNOWN/ANONYMOUS@REALM. I have the pkinit_anchors setup for the realm. As I'm trying to do anonymous pkinit, I think I don't need a client certificate. On the server, I get this: $ KRB5_TRACE="/dev/stderr" kinit -n [13061] 1518402857.924212: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)IDM.EXAMPLE.COM [13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM [13061] 1518402857.931830: Initiating TCP connection to stream 10.77.9.101:88 [13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88 [13061] 1518402857.939162: Received answer (359 bytes) from stream 10.77.9.101:88 [13061] 1518402857.939180: Terminating TCP connection to stream 10.77.9.101:88 [13061] 1518402857.939284: Response was from master KDC [13061] 1518402857.939380: Received error from KDC: -1765328359/Additional pre-authentication required [13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133 [13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params "" [13061] 1518402857.939509: Received cookie: MIT [13061] 1518402857.939563: Preauth module pkinit (147) (info) returned: 0/Success [13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum 9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143 [13061] 1518402857.940369: PKINIT client making DH request [13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success [13061] 1518402858.956: Produced preauth for next request: 133, 16 [13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM [13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88 [13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88 [13061] 1518402858.43063: Received answer (2880 bytes) from stream 10.77.9.101:88 [13061] 1518402858.43088: Terminating TCP connection to stream 10.77.9.101:88 [13061] 1518402858.43198: Response was from master KDC [13061] 1518402858.43258: Processing preauth types: 17, 19, 147 [13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params "" [13061] 1518402858.43300: Preauth module pkinit (147) (info) returned: 0/Success [13061] 1518402858.44150: PKINIT client verified DH reply [13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM [13061] 1518402858.44199: PKINIT client matched KDC principal krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM against id-pkinit-san; no EKU check required [13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/00E0 [13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success [13061] 1518402858.62402: Produced preauth for next request: (empty) [13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0 [13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0 [13061] 1518402858.62589: FAST negotiation: available [13061] 1518402858.62692: Initializing KEYRING:persistent:760400007:krb_ccache_f3PFEy1 with default princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS [13061] 1518402858.62770: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 [13061] 1518402858.62846: Storing config in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM: fast_avail: yes [13061] 1518402858.62878: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 [13061] 1518402858.62933: Storing config in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for krbtgt/IDM.EXAMPLE.COM(a)IDM.EXAMPLE.COM: pa_type: 16 [13061] 1518402858.62954: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:760400007:krb_ccache_f3PFEy1 But on the client, I get this: $ KRB5_TRACE="/dev/stderr" kinit -n [2941] 1518402820.155827: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)IDM.EXAMPLE.COM [2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM [2941] 1518402820.158723: Resolving hostname paine.example.com. [2941] 1518402820.159975: Resolving hostname phantom.example.com. [2941] 1518402820.160757: Resolving hostname paine.example.com. [2941] 1518402820.161411: Initiating TCP connection to stream 204.89.253.101:88 [2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88 [2941] 1518402820.168495: Received answer (359 bytes) from stream 204.89.253.101:88 [2941] 1518402820.168532: Terminating TCP connection to stream 204.89.253.101:88 [2941] 1518402820.169917: Response was from master KDC [2941] 1518402820.169974: Received error from KDC: -1765328359/Additional pre-authentication required [2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133 [2941] 1518402820.170051: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params "" [2941] 1518402820.170062: Received cookie: MIT Password for WELLKNOWN/ANONYMOUS(a)IDM.EXAMPLE.COM: [2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted kinit: Pre-authentication failed: Password read interrupted while getting initial credentials Suggestions on what I'm missing? Thanks.

3 3

FreeIPA v4.5.0 install lost topology suffixes
by Gavin Williams 19 Aug '19

19 Aug '19

Afternoon all I’ve got a slightly strange one with one of our FreeIPA clusters, whereby the topology suffixes appear to have disappeared. From what I can see, this is causing replication issues between the hosts, which is causing us issues with bootstrapping new clients against FreeIPA. I’m not aware of any config changes that have happened on the FreeIPA hosts that could have caused this issue, so am a bit stumped atm. Is someone able to advise next steps on how to investigate the cause and correct the configuration? Regards Gavin

4 4

DNS A Record Disappears after IPA Server reboot
by Mariusz Stolarczyk 26 Jul '19

26 Jul '19

Hi all, Whenever I have to reboot my IPA server I loose one of my IPA client's DNS A Record. Curiously all of the IPA client related SSHFP records are intact as well as the reverse lookup record. The only thing that was slightly different about this client is at some point the IP address was changed. I did however change the IP address on a different client with no problems. Thanks, -Mark

3 3

IPA users and local groups question
by Jeff Goddard 11 Jun '19

11 Jun '19

First off thanks to everyone who makes FreeIPA. Its an awesome product that we love. We're working at breaking our application up into micro services and using docker containers and deployment automation. As part of this I have a deploy user in IPA and a rundeck server that performs tasks as this user. However, we need this user to be part of the local docker hosts "docker" group. Is this something I have to do manually per host? Is it possible to create a docker IPA group that will substitute for the local docker group and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2 and the clients are ubuntu 16.04 LTS. Thanks for the insight, references and help, Jeff

5 6

zabbix for monitoring FreeIPA server?
by Tony Brian Albers 24 May '19

24 May '19

Hi guys, Anyone got this working? And if so, how did you do it? I know I can monitor the components separately, but if you know of anything that can do it easier I'd be happy to know about it. /tony -- -- Tony Albers Systems administrator, IT-development Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 2566 2383 / +45 8946 2316

3 3

ipa-getkeytab: PrincipalName not found
by Harald Dunkel 26 Apr '19

26 Apr '19

Hi folks, maybe I missed something, but shouldn't admin have sufficient privileges to run # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp # reboot : : # kinit admin # ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab ? ipa-getkeytab failed with Failed to parse result: PrincipalName not found. I would have expected it to create the principal on the fly. "admin" was created at freeipa install time on the first server, AFAIR. It is member of the "admins" and "trust admins" groups. I am concerned that I corrupted something. Every helpful comment is highly appreciated. Harri

3 5

FreeIPA AD Trust with Samba4 ... is it possible?
by D Anderson 01 Apr '19

01 Apr '19

Hello all, I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS , as the Samba4 internal DNS server has several know limitations. https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations| >The internal DNS does not support: >zone transfers https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_Wi… >Conditional forwarders are not implemented yet I THINK I got DNS actually working , but had to use solution like here https://www.redhat.com/archives/freeipa-users/2012-October/msg00194.html Although Petr says to stay away from forwarders in IPA Is it better to attempt AD as subdomain of IPA (which I'm currently doing) , or IPA as subdomain of AD ? On both samba4 and freeipa machine I can currently dig SRV records for both domains , but when I attempt ipa add-trust, I see in httpd error logs >[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts >[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.') Which leads me to believe that no, DNS is not working correctly ( I have all firewall/iptables off and selinux off). I can give more concrete/examples , but before get lost in the weeds wanted to know on broad consensus is it even possible or known bad issues with Samba AD ? Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says >In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build. Which I'm confused ... how to get I get AD trust, if I'm setting up samba without AD abilities?? Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA It recommends a. If you have an AD ( Microsoft ) , use it b. If you don't have a Microsoft AD , setup Samba4 >but it can be configured to trust FreeIPA Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc) Thanks

5 7

nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5
by Robert Sturrock 12 Mar '19

12 Mar '19

Hi All. We have IPA setup in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to working fine with a very similar configuration (as far as I can tell). The particulars are: - AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’) - IPA domain is ‘ipa.localdomain’ - The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf). I have mounted the NFS volume on the clients with a simple: mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see: $ ls -ld rns drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns .. with these corresponding nfsidmap messages: Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600 Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)' Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain' Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22 Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22 .. whereas on the RHEL7 client, I see: $ ls -ld rns drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain' Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0 Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’? (My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue). The idmapd.conf looks like this: [General] Verbosity = 4 Pipefs-Directory = /run/rpc_pipefs Domain = ipa.localdomain Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN [Mapping] Nobody-User = nobody Nobody-Group = nogroup [Translation] Method = nsswitch Any pointers appreciated! Regards, Robert.

3 5

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2018