January 2019 - FreeIPA-users - Fedora mailing-lists

Re: Lost IPA master Left with replica only
by Rob van Halteren 24 Jan '19

24 Jan '19

Thanks, The working replica was installed without CA. This is what I can find in the replica install log. from the replica that is working. ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-replica.ams.mydomain.gpg" and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': False, 'create_sshfp': True, 'setup_ca': False, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'skip_conncheck': False} DEBUG args=/usr/sbin/ipa-replica-conncheck --master master.bxl.mydomain --auto-master-check --realm MYDOMAIN --principal theboss --hostname replica.ams.mydomain Is there a command that can be used to poll for the CA master ? ROB VAN HALTEREN AV | IT System Engineer Entrepotdok 66 NL-1018 AD Amsterdam T: +31 20 530 9696 F: +31 20 530 9697 www.filmmore.eu <http://www.filmmore.eu/> <http://www.filmmore.eu/> <http://twitter.com/filmmore> <http://www.facebook.com/FilmmoreINT/> <http://www.linkedin.com/company/filmmore-amsterdam/>

2 1

Login WebUI fails
by 74cmonty 23 Jan '19

23 Jan '19

Hi, starting today I cannot login to WebUI anymore. This is not a password authentication issue because I can switch to user "admin" in console. When I enter 'kinit list' as root I get this response: kinit: general error (see e-text) for Initial credentials will be fetched. The same error is shown for 'kinit admin'. How can I fix this issue? THX

2 8

fiddling with Win2016 trust - users
by lejeczek 23 Jan '19

23 Jan '19

hi guys After a longer break from Windowze, I had Win2012 trust okey in the past, now I'm fiddling with Win2016 and have this question: After trust (one-way coming from AD) established okey should AD's users be immediately available to/in IPA? Usual things such as id, ipa user-show do find them users. I cannot remember how it was with my Win2012. many thanks, L.

3 11

ipa: ERROR: Nameserver 'd01.unix.dom.name.' does not have a corresponding A/AAAA record
by TomK 23 Jan '19

23 Jan '19

Hey All, I've 4 NS servers: ipa01.unix.dom.name 192.168.0.44 ipa02.unix.dom.name 192.168.0.45 and remote ones (Just simple named / DNS ) dns01.d01.unix.dom.name 192.168.0.130 dns02.d01.unix.dom.name 192.168.0.132 When using: 1) ipa dnsforwardzone-add d01.unix.dom.name --forwarder=192.168.0.130 --forwarder=192.168.0.132 --forward-policy=only 2) ipa dnsrecord-add unix.dom.name. d01 --ns-rec=d01.unix.dom.name. I'm greeted with: ipa: ERROR: Nameserver 'd01.unix.dom.name.' does not have a corresponding A/AAAA record So I can add an A record on the IPA servers but perhaps this is looking for the A record on the forwarding DNS servers 192.168.0.130 and 192.168.0.132? If I'm adding it on the IPA side then I'll add d01 with two IP addresses to? Doesn't seem to make sense. I just need to forward on d01. I'm forwarding the whole subzone. What I have is: ipa-common-4.5.0-22.el7.centos.noarch python2-ipaclient-4.5.0-22.el7.centos.noarch python-ipaddress-1.0.16-2.el7.noarch ipa-client-common-4.5.0-22.el7.centos.noarch python-iniparse-0.4-9.el7.noarch ipa-server-common-4.5.0-22.el7.centos.noarch ipa-server-dns-4.5.0-22.el7.centos.noarch python-libipa_hbac-1.15.2-50.el7_4.8.x86_64 libipa_hbac-1.15.2-50.el7_4.8.x86_64 python2-ipaserver-4.5.0-22.el7.centos.noarch sssd-ipa-1.15.2-50.el7_4.8.x86_64 ipa-client-4.5.0-22.el7.centos.x86_64 ipa-python-compat-4.5.0-22.el7.centos.noarch ipa-server-trust-ad-4.5.0-22.el7.centos.x86_64 python2-ipalib-4.5.0-22.el7.centos.noarch ipa-server-4.5.0-22.el7.centos.x86_64 -- Cheers, Tom K. ------------------------------------------------------------------------------------- Living on earth is expensive, but it includes a free trip around the sun.

1 1

ManageIQ/Cloudforms integration
by Sigbjorn Lie-Soland 22 Jan '19

22 Jan '19

Hi list, Is there a known repository with an existing ManageIQ/Cloudforms Automate framework for FreeIPA? I am primarily looking for the ability to create HBAC and SUDO rules as part of the provisioning process. Thanks. Regards, Siggi

4 7

CA master reinstall via replication
by Rob Foehl 21 Jan '19

21 Jan '19

If I have a pair of IPA servers and need to reinstall the one currently holding the CA master, is it actually necessary to promote the other one, or can I just follow the procedure to rebuild the current master via replication and then verify its CA configuration[1] after the fact? Thanks, -Rob [1] Specifically, everything mentioned in https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

2 5

SSO
by Николай Савельев 19 Jan '19

19 Jan '19

I'm planning use SSO with freeipa and choosing provider between ipsilon-project and keycloack. I tried ipsilon about year ago, there were some bugs. And I see that project almost die. Just 2 commits during the year. But keycloack seems very big and dificult to me. I'm terrified. What do you think? What should I use? -- С уважением, Николай.

3 2

Per-host 2FA and "Second Factor (optional)" message
by Chris Herdt 18 Jan '19

18 Jan '19

I'd seen previous posts (now a few years old) on enabling per-host 2-factor authentication with FreeIPA. I'm using FreeIPA 4.6.4 on CentOS 7. I followed what I think are the correct steps to enable 2FA on a specific host, but the behavior is a little strange: User A: enable both Password and Two factor authentication (password + OTP), and configure a OTP. User B: enable just the Password option. Host A: select "otp" under Authentication indicators, ensure the following lines are present in /etc/ssh/sshd_config and restart sshd: ChallengeResponseAuthentication yes AuthenticationMethods keyboard-interactive Host B: make no changes to Authentication indicators (none selected), make the same changes as above to sshd_config. After these changes: User A -> Host A The user sees the following prompts: First Factor: Second Factor (optional): However, the second factor is required (as expected) and the login fails without it. User A -> Host B The user gets the same prompt as above, but the second factor is actually optional, and the login succeeds without supplying any value. User B -> Host A The user gets a regular password prompt, but cannot log in using the correct password (as expected, since a OTP is required). User B -> Host B The user gets a regular password prompt and can log in as expected. Everything is working more-or-less as expected, but the "Second Factor (optional)" prompt is a little confusing, particularly in cases where it is required. Is this due to my specific configuration (or mis-configuration) or is this the expected behavior?

2 2

Lost IPA master Left with replica only
by Rob van Halteren 18 Jan '19

18 Jan '19

Hello, I am fairly new to freeipa. Sorry for that. I have a freeipa installation with 1 master in domain bxl.mydomain and a replica in ams.mydomain. At this stage I have lost the master. I did not install the master and replica myself, but from the documentation I learned that the master should be the CA for the system. However when I look for the configs on the master that should determine the CA I can find any that make sense. freeipa version of master and replica are 3.0.0. on Centos 6 both running in lxc container on different Proxmox hypervisors. the ipa config-show output from the master looked like. Maximum username length: 32 Home directory base: /users_roaming/ Default shell: /bin/bash Default users group: prod-users Default e-mail domain: bxl.mydomain Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O= BXL.MYDOMAIN Password Expiration Notification (days): 4 Password plugin features: AllowNThash SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: MS-PAC I want to know if I need to promote the replica and how to proceed. I have a great part of the master in the backup including the /etc, /var/lib/ /var/log/ and /root directories

2 1

Ipsilon - Unauthorized
by Ronald Wimmer 17 Jan '19

17 Jan '19

I set up ipsilon on a separate machine as documented in https://ipsilon-project.org/doc/quickstart-ipa.html When I try to log in with the admin user I get the "Unauthorized" error. The logs say: ==> ssl_error_log <== [Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_tr…

2 2

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2019