January 2020 - FreeIPA-users - Fedora mailing-lists

Freeipa unicodepwd generator
by LUCAS GUILHERME DIEDRICH 26 Mar '20

26 Mar '20

Hello guys, is there any change for storing the password over freeipa it generate an password with the unicodepwd format? I'm still trying to replicate some users from freeipa to AD, i would like to mantain my Freeipa as the principal manager for users and groups. thanks.

5 9

Re: Issues with certificates: X509: KEY_VALUES_MISMATCH
by Rob Crittenden 04 Mar '20

04 Mar '20

Dmitri Moudraninets wrote: > Hi Rob, > > I recovered the key file. Restarted FreeIPA and certmonger. Now issue > looks different: > image.png > > Subjects disappeared. If I click on a certificate 29 I see this: > cannot connect to > 'https://freeipa.corp.mydomain.de:443/ca/agent/ca/displayBySerial': > [Errno 13] Permission denied Set the same ownership/permissions on the key as you did the cert and run restorecon on it. rob > > пн, 25 нояб. 2019 г. в 13:58, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>>: > > Dmitri Moudraninets wrote: > > Hi Rob, > > > > > > > > I did the following: > > I removed original ra-agent.pem and ra-agent key > > and > > openssl x509 -in /root/debug.cert -out /var/lib/ipa/ra-agent.pem > > chown root:ipaapi /var/lib/ipa/ra-agent.pem > > chmod 0440 /var/lib/ipa/ra-agent.pem > > restorecon /var/lib/ipa/ra-agent.pem > > You removed the key!? I sure hope you have a backup of it. > > Put it back and I think that will resolve things. > > > > > Successfully restarted FreeIPA: > > Directory Service: RUNNING > > krb5kdc Service: RUNNING > > kadmin Service: RUNNING > > named Service: RUNNING > > httpd Service: RUNNING > > ipa-custodia Service: RUNNING > > ntpd Service: RUNNING > > pki-tomcatd Service: RUNNING > > smb Service: RUNNING > > winbind Service: RUNNING > > ipa-otpd Service: RUNNING > > ipa-dnskeysyncd Service: RUNNING > > ipa: INFO: The ipactl command was successful > > The agent cert is not required for the CA to operate. > > > Now GUI shows different error: > > cannot connect to > > 'https://freeipa.corp.mydomain.de:443/ca/agent/ca/displayBySerial': > > [Errno 2] No such file or directory > > > > > > [root@freeipa ~]# getcert list -f /var/lib/ipa/ra-agent.pem > > Number of certificates and requests being tracked: 16. > > Request ID '20180912151611': > > status: NEED_CSR > > stuck: no > > key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' > > certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> > > subject: CN=IPA RA,O=CORP.MYDOMAIN.DE <http://CORP.MYDOMAIN.DE> > <http://CORP.MYDOMAIN.DE> > > expires: 2019-11-25 15:32:12 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > This shows that the certificate has the right subject now which is good > but you removed its private key so it won't work. > > rob > > > > > сб, 23 нояб. 2019 г. в 20:26, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>: > > > > Dmitri Moudraninets wrote: > > > Hi Rob, > > > > > > ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W > > > -b uid=ipara,ou=People,o=ipaca usercertificate > > > > > > shows me the following: > > > > > > Issuer: O=CORP.MYDOMAIN.DE <http://CORP.MYDOMAIN.DE> > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE>, > > > CN=Certificate Authority > > > Validity > > > Not Before: Dec 5 15:32:12 2017 GMT > > > Not After : *Nov 25 15:32:12 2019* GMT > > > > > > It's going to expire on Monday. Can it be a problem? > > > > You didn't provide the cert subject so I can't be sure this is > the right > > cert. If it contains CN = IPA RA then it is. > > > > And yes, it expires in two days. What you'd need to do is > restore it per > > my previous instruction into /var/lib/ipa/ra-agent.pem on the > renewal > > master (ipa config-show to see which one it is). > > > > Then run: > > > > # getcert resubmit -f /var/lib/ipa/ra-agent.pem > > > > That should renew the cert. > > > > On the other masters I'd run the same command and that may fix > things > > there as well. > > > > rob > > > > > I tried this command: > > > openssl x509 -text -in /var/lib/ipa/ra-agent.pem > > > > > > and it shows the following: > > > Certificate: > > > Data: > > > Version: 3 (0x2) > > > Serial Number: 28 (0x1c) > > > Signature Algorithm: sha256WithRSAEncryption > > > Issuer: O=CORP.MYDOMAIN.DE <http://CORP.MYDOMAIN.DE> > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE>, > > > CN=Certificate Authority > > > Validity > > > Not Before: Oct 29 10:39:47 2019 GMT > > > Not After : Oct 29 09:39:47 2021 GMT > > > Subject: O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> <http://CORP.MYDOMAIN.DE>, CN=dmud > > > Subject Public Key Info: > > > Public Key Algorithm: rsaEncryption > > > Public-Key: (2048 bit) > > > Modulus: > > > > 00:ba:09:81:99:9b:17:99:07:5a:10:28:c8:7a:03: > > > ... > > > > 18:db:02:ce:b4:66:ce:5a:e9:12:af:d3:da:bf:f7: > > > 66:5f > > > Exponent: 65537 (0x10001) > > > X509v3 extensions: > > > X509v3 Authority Key Identifier: > > > keyid:D2:...70:BF > > > > > > X509v3 Subject Key Identifier: > > > DE:...:51:0A > > > X509v3 Subject Alternative Name: > > > email:dmud@corp.mydomain.de > <mailto:email%3Admud@corp.mydomain.de> > > <mailto:email%3Admud@corp.mydomain.de > <mailto:email%253Admud@corp.mydomain.de>> > > > <mailto:email%3Admud@corp.mydomain.de > <mailto:email%253Admud@corp.mydomain.de> > > <mailto:email%253Admud@corp.mydomain.de > <mailto:email%25253Admud@corp.mydomain.de>>> > > > Authority Information Access: > > > OCSP - > URI:http://ipa-ca.corp.mydomain.de/ca/ocsp > > > > > > > > > I did nothing to /var/lib/ipa/ra-agent.pem yet. > > > > > > > > > чт, 21 нояб. 2019 г. в 16:54, Rob Crittenden > <rcritten(a)redhat.com <mailto:rcritten@redhat.com> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> > > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>: > > > > > > Dmitri Moudraninets wrote: > > > > Hi Rob, > > > > > > > > Yes both masters are failing the same way. Output > of openssl > > x509 > > > -noout > > > > -modulus -in /var/lib/ipa/ra-agent.pem is the same on both > > masters. > > > > Output of openssl rsa -noout -modulus -in > > /var/lib/ipa/ra-agent.key is > > > > also the same on both masters. But the output of the first > > command is > > > > not the same as the output of the second command. > > > > > > > > I can't remember that I troubleshoot any other > problems but we > > > tried to > > > > generate some personal certificates for some users. > Also we > > tried to > > > > generate certificates with key files for some of our > internal > > > services. > > > > We did that for the first time and it worked at the > end. Also I > > > changed > > > > the admin password not so long ago. > > > > > > > > > > > > Below you can find the output of the requested commands: > > > > > > > > > > > > [root@second_master ~]# getcert list -f > > /var/lib/ipa/ra-agent.pem > > > > Number of certificates and requests being tracked: 9. > > > > Request ID '20180912151730': > > > > status: MONITORING > > > > stuck: no > > > > key pair storage: > type=FILE,location='/var/lib/ipa/ra-agent.key' > > > > certificate: > type=FILE,location='/var/lib/ipa/ra-agent.pem' > > > > CA: dogtag-ipa-ca-renew-agent > > > > issuer: CN=Certificate Authority,O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> > > > <http://CORP.MYDOMAIN.DE> > > > > <http://CORP.MYDOMAIN.DE> > > > > subject: CN=dmud,O=CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> <http://CORP.MYDOMAIN.DE> > > > <http://CORP.MYDOMAIN.DE> > > > > *<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< I see a username here. > > Does it have > > > > to be like that?* > > > > expires: 2021-10-29 09:39:47 UTC > > > > email: dmud(a)corp.mydomain.de > <mailto:dmud@corp.mydomain.de> <mailto:dmud@corp.mydomain.de > <mailto:dmud@corp.mydomain.de>> > > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de> > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de>>> > > > <mailto:dmud@corp.mydomain.de > <mailto:dmud@corp.mydomain.de> <mailto:dmud@corp.mydomain.de > <mailto:dmud@corp.mydomain.de>> > > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de> > <mailto:dmud@corp.mydomain.de <mailto:dmud@corp.mydomain.de>>>> > > > > key usage: > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert_pre > > > > post-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert > > > > track: yes > > > > auto-renew: yes > > > > > > Right, someone overwrote the RA agent certificate. > > > > > > Look to see if the user entry in the CA has the right cert: > > > > > > $ ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory > manager' > > -W -b > > > uid=ipara,ou=People,o=ipaca usercertificate > > > > > > Put the base64 value of the usercertificate attribute into a > > file and > > > add a prefix/suffix around it: > > > > > > -----BEGIN CERTIFICATE----- > > > MII....blah= > > > -----END CERTIFICATE----- > > > > > > $ openssl x509 -text -in /path/to/file > > > > > > If the Subject is O = CORP.MYDOMAIN.DE > <http://CORP.MYDOMAIN.DE> > > <http://CORP.MYDOMAIN.DE> <http://CORP.MYDOMAIN.DE>, CN > > > = IPA RA then that's a good > > > start. Also look at the expires date to be sure it is > still valid. > > > > > > Assuming that is ok then re-run the openssl modulus commands > > to ensure > > > they are the same. > > > > > > Assuming that too is ok then you have the proper, valid RA > > agent cert. > > > In that case I'd move the current file out of the way, who > > knows what it > > > is, then run: > > > > > > # openssl x509 -in /path/to/file -out > > /var/lib/ipa/ra-agent.pem (just to > > > properly format the agent cert) > > > # chown root:ipaapi /var/lib/ipa/ra-agent.pem > > > # chmod 0440 /var/lib/ipa/ra-agent.pem > > > # restorecon /var/lib/ipa/ra-agent.pem > > > > > > Then try something like: ipa cert-show 1 > > > > > > This will exercise the RA agent cert and as long as you > don't > > get an > > > error back things are working again. > > > > > > The cert is common among all masters so you can copy the > file > > to your > > > other master(s), ensuring proper ownership, permissions and > > SELinux > > > context. > > > > > > rob > > > > > > > > > > > > -- > > > WBR > > > Dmitry > > > > > > > > -- > > With best regards/Mit freundlichen Grüßen > > > > Moudraninets Dmitry, RHCSA > > http://www.linkedin.com/in/moudraninets > > http://www.xing.com/profile/Dmitry_Mudraninets > > > > -- > With best regards/Mit freundlichen Grüßen > > Moudraninets Dmitry, RHCSA > http://www.linkedin.com/in/moudraninets > http://www.xing.com/profile/Dmitry_Mudraninets

2 7

How to make ipa root certificate available system wide
by Kevin Vasko 02 Mar '20

02 Mar '20

Hello, I’m wanting to make our https servers use a trusted certificate within our LAN only. So for example if I have websrv1.ny.example.com when a user uses a machine that’s enrolled into our realm and they visit https://websrv1.ny.example.com they shouldn’t be prompted to accept the self signed certificate. I think I’m pretty close but I’m missing a small part. The ipa server is all setup and working. Hosts are enrolled to ipa and have the /etc/ipa/ca.crt. I have created a service for the http server in IPA. I have obtained a .key file and .crt file for my web server. Those keys for the web server are in the appropriate location and the web server is pointing at the certs correctly. On my clients when I go to the web servers URl I am no longer getting a “self signed cert” error message in the browser. That message has now changed to “unverified certificate authority”. Which basically indicates to me that the browser doesn’t know if this certificate authority should/can be trusted. If i go in the browser (firefox or chrome) in the certificate authority section and import the /etc/ipa/ca.crt i get no errors in the browser about it being unverified. So my question is, what am I missing to make the /etc/ipa/ca.crt file globally available for browsers to pick up the certificate automatically? when we enroll a host we simply do freeipa-install-client —domain=example.com —realm=EXAMPLE.COM —mkhomedir Accept the defaults, put in the password to enroll and that’s it. Is there something I’m missing? -Kevin

6 14

suggestion for password policy
by Charles Hedrick 06 Feb '20

06 Feb '20

The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to allow you to specify a database of forbidden passwords. We’ve done this using a plugin, but I’d rather not have to write C code to implement policy.

2 8

FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
by Wulf C. Krueger 05 Feb '20

05 Feb '20

Hello, my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start: ---- # ipactl start IPA version error: data needs to be upgraded (expected version '4.8.1-4.fc31', current version '4.8.1-1.fc30') Automatically running upgrade, for details see /var/log/ipaupgrade.log Be patient, this may take a few minutes. Automatic upgrade failed: Update complete Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service" and "journalctl -xe" for details.\n') The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again Aborting ipactl ---- Logs: ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log pki-tomcatd@pki-tomcat log: https://mailstation.de/ipa-logs/pki-tomcatd@pki-tomcat.log pki-tomcat-ca-debug log: https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log So it looks like the LDAP server isn't reachable but its log says it's running: https://mailstation.de/ipa-logs/dirsrv@MAILSTATION-DE.log There's nothing listening on ports 389 and 636, though. Help would be highly appreciated. Best regards, Wulf

6 24

pki-tomcat doesn't start, it can't update certificate
by Serge Barkov 04 Feb '20

04 Feb '20

I have a freeipa with two nodes. I have no problem with one of them but on the other one pki-tomcat can't start. ipacts starts with --ignore-service-failure and pki-tomcatd Service: STOPPED The first thing I found a certificate expired and I changed date back in time before expiration date. ipa-cacert-manage renew says ok but certificate for pki-tomcat doesn't work. getcert list shows all certificates are well but this one no: Request ID '20171110140549': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=ipa0.domain.com,O=DOMAIN.COM expires: 2019-10-31 14:05:23 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes [root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /ca/agent/ca/profileReview</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/agent/ca/profileReview</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="lin e"><h3>Apache Tomcat/8.0.46</h3></bod What can I do to make pki-tomcat work? How to repair the certificate?

3 13

shouldn't freeipa work by default?
by Harald Dunkel 04 Feb '20

04 Feb '20

Hi folks, *ipa help topics* gives me # ipa help topics ipa: ERROR: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8". # env | egrep LANG\|LC # echo $? 1 Shouldn't the command line interface work by default? Why not silently assume UTF-8 and continue? Printing a warning might be OK. Regards Harri

2 2

files to omit from backup
by Charles Hedrick 03 Feb '20

03 Feb '20

We currently do rsync backups of our server. On an MIT server, you’d want to omit the stash file. But IPA doesn’t use that. Is there anything like that that should be omitted? I’m not sure just how freeipa bootstraps trust when it starts up.

3 2

Centos 7 after unroll and join to new server authorization doesn’t work
by Petar Kozić 31 Jan '20

31 Jan '20

Hi, I have one IPA server dirsrv001 and newone dirsrv002 dirsrv001 is old server from where I want to unroll my VPS’s and join to new server. I do some testing with Ubuntu VPS’s and that works perfect. I have problem with one Centos 7 server. I join client to dirsrv002 without problems but when I want to login I login over ssh but I can’t do sudo. Ask me for pass and than three times and that is. Sudo permission on IPA server is configured as well because works on other. If I run on that Centos client command: kinit my_username and when I enter pass everything is ok. If I check syslog, I get this error: [sssd[krb5_child[8541]]]: Key version is not available I found that is problem with /etc/krb5.keytab file. But I tried to unroll client, move that file and join again, problem was same. Please, does someone have some idea? *—* *Petar Kozić*

3 5

"finger" not working to match on names. What am I missing here?
by Russell Jones 30 Jan '20

30 Jan '20

Hi all, I have client machines bound to my FreeIPA domain correctly as best I can tell. I have noticed however that the "finger" command appears to not be matching on user's names anymore like it does with my older NIS clients. Finger appears to only work when passing it the actual username of a user, not their first or last names. /etc/nsswitch.conf is configured properly for user matching on the client. What am I missing? Thank you! passwd: files sss shadow: files sss group: files sss #initgroups: files sss #hosts: db files nisplus nis dns hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: nisplus sss publickey: nisplus automount: files nisplus sss aliases: files nisplus sudoers: files sss

2 3

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2020