December 2019 - FreeIPA-users - Fedora mailing-lists

Freeipa master server multihomed/Sync with AD/freeipa replicas that sync with individual network
by Lohit Valleru 13 Dec '19

13 Dec '19

Hello, I understand that this has been brought up before, but just wanted to ask if anyone has found a solution since then. We administer an HPC cluster, with private network and campus network. The campus network and private network have no route to each other by design. Almost all the HPC clusters are designed in such a manner to keep the private network/campus network separated and secure. We need freeipa master server to be installed that is on both campus network and private network. AD is available on campus network, and master freeipa should be able to synchronize with AD on campus network. Apart from above, i should be able to add freeipa replicas/slave servers which are only on private network/or only on campus network and that sync with mulithomed master freeipa. Thus the freeipa master server will have two hostnames for two networks. for example. freeipa.hpc.private, freeipa.test.org The hosts on private network will talk to freeipa slaves/replicas on private network, while the hosts on campus network will talk to freeipa slaves/replicas on campus network. Please let is know if the above is possible, since it is a hard requirement without which we cannot go ahead. I see that this RFE was mentioned here, but not sure of any updates: https://pagure.io/freeipa/issue/4007 Also please do let me know, of any other design implementation that could accomplish the above requirements. Thank you, Lohit

1 0

have users reset password
by Johan Vermeulen 13 Dec '19

13 Dec '19

Hello All, so we have some 200 laptops who are ipa-clients. At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires. Than they get a message on the login screen and they can reset the password. I would like to have an alternative method. Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users. Is there another way to have users reset their passwords? Many thanks, J.

5 8

What is the meaning of "kpasswd: Clients credentials have been revoked getting initial ticket"
by lune voo 12 Dec '19

12 Dec '19

Hello everyone. I contact you because I have a problem when I reinitialize some passwords for other users. I created a login in IPA and I added this login into the admins group. Then I was able to perform some password changes for other accounts, using : 1. ipa passwd to set a one time password 2. kpasswd to set a "permanent" password (respecting the password policy) 3. And then I send the password to the end user Then I tried on another account. - The ipa passwd works well. - But when I tried the kpasswd, I get the following error message : "kpasswd: Clients credentials have been revoked getting initial ticket" I retried multiple times, but I always got the same error message. I thought it was because the account was locked. So I checked with ipa status and the account is not locked. What does this error message mean please ? -> When it says the "client", does it mean the other account I am trying to kpasswd ? -> When it says that the credentials have been revoked, what does it mean ? -> What is this initial ticket it is mentioning ? Thank you in advance ! Best regards. Lune

1 1

Crontab not being allowed when using FreeIPA, so what is purpose of crond HBAC service?
by Jones, Bob (rwj5d) 12 Dec '19

12 Dec '19

Hello all, We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One problem we are encountering is with usage of cron (and specifically crontab to edit/list users cron entries). We have HBAC enabled, and have crond as allowed in the list of services users can access. If I perform a hbactest it shows users have access granted. On the local system, we have the /etc/cron.allow file that just lists user root. I have also test with no cron.allow and cron.deny file existing. Users in IPA cannot issue the crontab command, they get the following message: You (user(a)ipa.domain.com) are not allowed to use this program (crontab) See crontab(1) for more information If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run the crontab command. If you read the man page for crontab this is the correct described behavior in conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond pam file to make sure the access.conf file is not interacting with any of this. So I guess my questions are: 1. Is this the expected behavior for users in IPA that are granted access to the crond service? 2. If so, what is the purpose of the crond service in IPA? 3. Is there a way to allow IPA users to use the crontab command without adding them to local /etc/cron.[allow|deny] files? Pertinent version details: IPA servers on RHEL 7.7: IPA VERSION: 4.6.5, API_VERSION: 2.231 sssd version 1.16.4 389 directory server version 1.3.9.1-10 Clients on CentOS/RHEL 7.7: IPA VERSION: 4.6.5, API_VERSION: 2.231 sssd version 1.16.4 Thanks, — Bob Jones Lead Linux Services Engineer ITS ECP - Linux Services

3 3

Using shortname on old sssd (rhel6)
by S Toulmonde 12 Dec '19

12 Dec '19

Hello all! I'm migration our old LDAP infra to IPA 4.6.5 (rhel 7) with an external trust to Windows. Previously, all users were their shortname because we replicated AD users to LDAP. Most users reside in AD, but we have *nix-only users in LDAP. Everything seems fine for rhel7+ because sssd can do multi-domain search and thus allow me to use shortname instead of user+domain. My issue is on the rhel6 servers: sssd there is 1.13.3, so multi-domain isn't available... Which is a bummer for me because we have 1000+ rhel6 servers and this is going to be a pain to have sometimes longnames, sometimes shortnames. Has anyone work around this already? I considered my options: - Try to use sssd proxy - Try sss_override - Write a plugin for sssd to search to IPA's idoverride and return a match - Sob in front of an IPA at a pub :) Thanks for your inputs!

3 4

FreeIPA - EL8 - smart card login
by Winfried de Heiden 11 Dec '19

11 Dec '19

Running FreeIPA 4.7.1, on CentOS 8, I configured IPA-server to use smartcard login follwoing https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ht… I configured a CentOS 8 machine to use smartcard-login. After configuring the IPA-client, running the scripts produced by ipa-advise will show an error: ./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt ~ ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.". Systemwide CA database updated. Systemwide CA database updated. The ipa-certupdate command was successful Logging in a Yubikey 5 works fine. The error is caused by this line: echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so Now, what going on here and can this error really be ignored? Is it worth to create a Bugzilla? Same error also aoocurs on a fresh RHEL 8.1 machine. Winfried

2 1

Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
by White, Daniel E. (GSFC-770.0)[NICS] 10 Dec '19

10 Dec '19

Despite the fact that we selected "Generic LDAP" rather than "Active Directory", it is still looking for Security Groups and Organization Units. Thanks. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

2 12

How to determine when host last checked in?
by Master Blaster 10 Dec '19

10 Dec '19

In large orginizations, hosts can sometimes be retired without following procedures, etc, which leaves host objects in FreeIPA for hosts that no longer exist. Is there anyway to see when a host last checked in with FreeIPA? One could then delete host objects which haven't connected in say 30/60/90 days.

3 4

/var/log/pki/pki-tomcat/ca/debug
by Ronald Wimmer 10 Dec '19

10 Dec '19

I cannot remember to have set anything to "debug" regarding CA. Nevertheless, these files are growing continuously: -rw-r-----. 1 pkiuser pkiuser 1.6G Dec 10 09:15 /var/log/pki/pki-tomcat/ca/debug -rw-r-----. 1 pkiuser pkiuser 303M Dec 10 09:16 /var/log/pki/pki-tomcat/ca/debug -rw-r-----. 1 pkiuser pkiuser 298M Dec 10 09:17 /var/log/pki/pki-tomcat/ca/debug -rw-r-----. 1 pkiuser pkiuser 5.9G Dec 10 09:16 /var/log/pki/pki-tomcat/ca/debug Where can I turn off debug mode? Cheers, Ronald

2 1

ipa-healtcheck: IPACertfileExpirationCheck, IPACertmongerExpirationCheck
by Alex Corcoles 09 Dec '19

09 Dec '19

Hi, I've been running ipa-healthcheck for a while and this morning I started to get a few failures: { "source": "ipahealthcheck.ipa.certs", "kw": { "msg": "Request id 20180929065627 expires in 27 days", "expiration_date": "20200104123511Z", "days": 27, "key": "20180929065627" }, "uuid": "02af62dc-ac2c-48a6-951f-884e119be9a7", "duration": "0.046374", "when": "20191208113322Z", "check": "IPACertmongerExpirationCheck", "result": "WARNING" }, { "source": "ipahealthcheck.ipa.certs", "kw": { "msg": "Request id 20180929065620 expires in 27 days", "expiration_date": "20200104123511Z", "days": 27, "key": "20180929065620" }, "uuid": "ce377ee1-6f8a-4921-9c33-01c6d82e91ff", "duration": "0.148693", "when": "20191208113323Z", "check": "IPACertfileExpirationCheck", "result": "WARNING" }, I get a pair of these for a couple of certs. Should WARNING results be ignored (because those should be renewed automatically, perhaps?)? I was running --failures-only, but perhaps I should run --severity CRITICAL,ERROR for monitoring? Cheers, Álex -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

2 2

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users December 2019