Hi, I have 2 nodes of an IPA system. The 'Server-Cert cert-pki-ca' of the master node expired unexpectedly.
Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is for HTTPS (pki-tomcat), AKA the Dogtag website.
As it has expired, Dogtag is OOS (out of service) as well.
Right now, those services are not running:
---
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
---
This is /var/log/pki/pki-tomcat/ca/selftests.log
---------------------
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peers Certificate has expired.
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
-----------------
And /var/log/pki/pki-tomcat/ca/debug
------------
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
-----------------
Output from certutil:
-------
Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
Validity:
    Not Before: Tue Nov 21 08:43:11 2017
    Not After : Mon Nov 11 08:43:11 2019
Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK"
----------
This certificate has expired, so here are my questions:
1. Why didn't ipa certmonger monitor and renew it? So weird.
getcert list | grep tomcat -i
does not return this certificate.
2. How do I fix it? This node is the renewal master according to 'ipa config-show | grep 'IPA CA renewal master''.
1) I reset the clock to within the valid period and restarted the services. It failed.
2) I plan to renew or recreate the Server-Cert since my CA is still valid, but I'm not sure it's doable and don't know how.
I'm not sure whether it's a bug or not; my slave node is fine, and both are running FreeIPA v4.6.4.
Thanks a lot.
I reset the system clock to a proper point; now IPA is working.
Server-Cert cert-pki-ca was somehow not tracked by certmonger. I added it, but it says:
# output of getcert list
-------------------------------------
Request ID '20191101102140':
        status: MONITORING
        ca-error: Server at "http://ipa.ipa.pthl.hk:8080/ca/ee/ca/profileSubmit" replied: Certificate serial number {0} to be renewed is revoked. Cannot renew a revoked certificate
        stuck: no
-----
--------------------
And it was not renewed.
So how do I renew this certificate manually?
I also read https://frasertweedale.github.io/blog-redhat/posts/2019-02-28-dogtag-cert-fi... but there is no 'cert-fix' command in my IPA.
Thanks.
I found out why IPA didn't run even after I reset the system clock.
Because the dirsrv and httpd certificates were valid "Not Before Oct 26", and the Dogtag certificate was valid "Not After Nov 11", so I have to set the clock within this period. :)
--------------------
What I tried:
1. Set the clock so that pki-tomcat works; I set it to Oct 27.
2. Set the clock to Oct 6, remove the httpd/dirsrv certificates and re-sign new ones. It does NOT work, as Kerberos refuses to work.
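The clock trick in the message above only works at a moment when every service certificate is valid at the same time: after the latest "Not Before" and before the earliest "Not After". The following is an added Python example (not code from the thread or from FreeIPA) that computes that window from certutil-style validity strings. The Dogtag Server-Cert dates are the ones quoted from certutil earlier in the thread; the httpd and dirsrv dates are constructed to match the "Not Before Oct 26" remark and their exact times are assumptions.

```python
"""Find the clock window in which every service certificate is valid.

Added example; not code from the thread or from FreeIPA. The Dogtag
Server-Cert dates are the ones quoted from certutil in the thread; the
httpd and dirsrv dates are assumed, chosen to match "Not Before Oct 26".
"""
from datetime import datetime

# certutil -L prints validity dates in this form: "Tue Nov 21 08:43:11 2017"
CERTUTIL_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: nickname -> (Not Before, Not After) as printed by certutil.
SAMPLE_CERTS = {
    "Server-Cert cert-pki-ca": ("Tue Nov 21 08:43:11 2017", "Mon Nov 11 08:43:11 2019"),
    "httpd Server-Cert (assumed)": ("Sat Oct 26 10:00:00 2019", "Mon Oct 25 10:00:00 2021"),
    "dirsrv Server-Cert (assumed)": ("Sat Oct 26 10:05:00 2019", "Mon Oct 25 10:05:00 2021"),
}


def parse_certutil_date(text):
    """Turn a certutil validity string into a naive datetime (server local time)."""
    return datetime.strptime(text.strip(), CERTUTIL_FMT)


def validity_window(certs):
    """Return (start, end) during which all certs are valid at once, or None.

    The common window runs from the latest Not Before to the earliest
    Not After; if those cross, no single clock setting satisfies every cert.
    """
    starts = [parse_certutil_date(nb) for nb, _ in certs.values()]
    ends = [parse_certutil_date(na) for _, na in certs.values()]
    start, end = max(starts), min(ends)
    return (start, end) if start < end else None


def invalid_at(certs, now):
    """Nicknames of certs that are not valid at `now`, mapped to the reason."""
    problems = {}
    for nick, (nb, na) in certs.items():
        if now < parse_certutil_date(nb):
            problems[nick] = "not yet valid"
        elif now > parse_certutil_date(na):
            problems[nick] = "expired"
    return problems


if __name__ == "__main__":
    window = validity_window(SAMPLE_CERTS)
    print("all certs valid between", window[0], "and", window[1])
    print("invalid on 25 Dec 2019:", invalid_at(SAMPLE_CERTS, datetime(2019, 12, 25)))
```

With the sample data the window is 26 Oct 2019 10:05 to 11 Nov 2019 08:43, which is why Oct 27 worked for the poster and Oct 6 did not: on Oct 6 the httpd and dirsrv certificates are not yet valid, so Kerberos (which depends on the directory server) cannot start.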
luckydog xf via FreeIPA-users wrote:
I found out why IPA didn't run even after I reset the system clock.
Because the dirsrv and httpd certificates were valid "Not Before Oct 26", and the Dogtag certificate was valid "Not After Nov 11", so I have to set the clock within this period. :)
What I tried:
- Set the clock so that pki-tomcat works; I set it to Oct 27.
- Set the clock to Oct 6, remove the httpd/dirsrv certificates and re-sign new ones. It does NOT work, as Kerberos refuses to work.
Refuses to work how? It doesn't restart? What does it log?
rob
Forgot to copy its error. :(
This is resolved by:
----
getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -N'
----
and start-tracking....
The reason is that once certmonger renews a certificate, it uses the old certificate request information to generate a new one. But the old one may not work out.
-N tells certmonger to discard the old stuff and just create a new one.
luckydog xf via FreeIPA-users wrote:
This is resolved by:
getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -N'
and start-tracking....
The reason is that once certmonger renews a certificate, it uses the old certificate request information to generate a new one. But the old one may not work out.
-N tells certmonger to discard the old stuff and just create a new one.
It tells certmonger to use a CSR and not rely on the dogtag renew-by-serial number capability. This is the default since 4.8.1.
rob
I see. Just curious about the following error:
----
certificate serial number {0} to be renewed is revoked. Cannot renew a revoked
----
Where is the serial number stored in Dogtag? Red Hat docs say it's in 389 DS, but I cannot find it.
And would any certificate-related stuff be stored in 389 DS?
I reset the system clock to Oct 27, while this certificate would expire on Nov 11.
It's still valid and should be renewed by certmonger.
So there is no reason it says the serial number was revoked.
On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
Hi,
can you check if the cert is revoked with:
$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep -i Serial
(note the Serial number)
$ ipa cert-show <serial found above>
Does the last command display "Revoked: True" with a Revocation reason or "Revoked: False"?
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
[root@ipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep serial -i
        Serial Number: 268238851 (0xffd0003)
****************************************************************
[root@ipa ~]# ipa cert-show 268238851
  Issuing CA: ipa
  Certificate: ..... ### chopped ###
  Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
  Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
  Not Before: Tue Nov 21 08:43:11 2017 UTC
  Not After: Mon Nov 11 08:43:11 2019 UTC
  Serial number: 268238851
  Serial number (hex): 0xFFD0003
  Revoked: True
  Revocation reason: 0
---------------------------------------------------
Yes, this serial number was marked 'revoked'.
On 1/3/20 3:03 AM, luckydog xf via FreeIPA-users wrote:
Hi,
the following is not a supported procedure but you can try to manually edit the certificate entry and remove the revocation information. The entry is cn=<serial>,ou=certificaterepository,ou=ca,o=ipaca and you will need to remove the attributes revokedOn, revokedBy, revInfo and replace certStatus: REVOKED with certStatus: VALID.
You can use ldapmodify:
$ ldapmodify -D "cn=directory manager" -W -f mod.ldif
With the following mod.ldif:
$ cat mod.ldif
dn: cn=<serial>,ou=certificateRepository,ou=ca,o=ipaca
changetype: modify
delete: revokedOn
-
delete: revokedBy
-
delete: revInfo
-
replace: certStatus
certStatus: VALID
After that, check that the cert is not revoked any more with $ ipa cert-show <serial>, and you should be able to retry the renewal.
HTH,
flo
I tried this, but I could not find this entry.
===
ldapsearch -x -h localhost -D "cn=directory manager" -W > all.ldif
====
grep revoke -i all.ldf
----
returned nothing.
My IPA is v4.6.4.
On 1/7/20 10:04 AM, luckydog xf via FreeIPA-users wrote:
I tried this way, but I have not found this entry.
===
ldapsearch -x -h localhost -D "cn=directory manager" -W > all.ldif
Hi,
if your /etc/openldap/ldap.conf is configured with default settings, it probably has BASE dc=<your domain>,dc=com, but the search needs to be done on a different suffix, o=ipaca. What do you get with:
ldapsearch -x -h localhost -D "cn=directory manager" -W -b o=ipaca
flo
Thanks, I did it per your instructions; the old serial 268238851 was revoked and invalid. A new serial has been generated and is valid already.
==================
# 268238851, certificateRepository, ca, ipaca
dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09268238851
metaInfo: requestId:9970004
metaInfo: profileId:caInternalAuthServerCert
notBefore: 20171121164311Z
notAfter: 20191111164311Z
duration: 1162208000000
subjectName: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
issuerName: CN=Certificate Authority,O=IPA.PTHL.HK
publicKeyData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: XXXXXXXXXXXXXXXXXXXXXXXX
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20171121164311Z
autoRenew: ENABLED
issuedBy: admin-ipa.ipa.pthl.hk
cn: 268238851
revInfo: 20180625110026Z;CRLReasonExtension=0
revokedBy: ipara
revokedOn: 20180625110026Z
certStatus: REVOKED
dateOfModify: 20180625110026Z
===============
Thanks. It seems that all the certificates are stored in 389 DS and are being tracked.
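The revocation check and the unsupported manual fix flo described (delete revokedOn, revokedBy and revInfo, set certStatus back to VALID), applied to a certificateRecord entry of the form just shown, as an added Python example. This is not code from the thread or from the FreeIPA/Dogtag projects. The sample entry is constructed from the one quoted above, with key and certificate data replaced by placeholders. Unlike a fixed mod.ldif, the generated change set only deletes the revocation attributes the entry actually carries, because ldapmodify refuses a delete of an absent attribute and aborts the whole change.

```python
"""Inspect a Dogtag certificateRecord entry and build the ldapmodify input
that clears its revocation state.

Added example, not code from the thread or from FreeIPA/Dogtag. It follows
the unsupported manual procedure described in the thread. SAMPLE_ENTRY is
constructed from the entry quoted in the thread; binary values are
placeholders (base64 of "PLACEHOLDER").
"""

SAMPLE_ENTRY = """\
# 268238851, certificateRepository, ca, ipaca
dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09268238851
metaInfo: requestId:9970004
metaInfo: profileId:caInternalAuthServerCert
notBefore: 20171121164311Z
notAfter: 20191111164311Z
subjectName: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
issuerName: CN=Certificate Authority,O=IPA.PTHL.HK
publicKeyData:: UExBQ0VIT0xERVI=
userCertificate;binary:: UExBQ0VIT0xERVI=
autoRenew: ENABLED
cn: 268238851
revInfo: 20180625110026Z;CRLReasonExtension=0
revokedBy: ipara
revokedOn: 20180625110026Z
certStatus: REVOKED
dateOfModify: 20180625110026Z
"""

# Attributes Dogtag sets when it revokes a certificate (names as in the entry).
REVOCATION_ATTRS = ("revokedOn", "revokedBy", "revInfo")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles '# comment' lines, ' ' continuation lines and '::' base64 values
    (kept as the raw base64 string; attribute names are case-insensitive in LDAP).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = value[1:]
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def revocation_state(entry):
    """Summarise the fields behind a 'Cannot renew a revoked certificate' error."""
    status = entry.get("certstatus", [""])[0]
    rev_info = entry.get("revinfo", [""])[0]
    reason = None
    if "CRLReasonExtension=" in rev_info:
        reason = int(rev_info.split("CRLReasonExtension=", 1)[1])
    return {
        "dn": entry["dn"][0],
        "serial": entry.get("cn", [""])[0],
        "status": status,
        "revoked": status.upper() == "REVOKED",
        "revoked_on": entry.get("revokedon", [None])[0],
        "reason": reason,
    }


def unrevoke_ldif(entry):
    """Build the ldapmodify change set that clears the revocation data.

    Only attributes present in the entry are deleted: an LDAP delete of a
    missing attribute fails with noSuchAttribute and aborts the modify.
    """
    if not revocation_state(entry)["revoked"]:
        raise ValueError("certificate is not marked REVOKED; nothing to do")
    out = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr in REVOCATION_ATTRS:
        if attr.lower() in entry:
            out += [f"delete: {attr}", "-"]
    out += ["replace: certStatus", "certStatus: VALID"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    record = parse_ldif_entry(SAMPLE_ENTRY)
    print(revocation_state(record))
    print(unrevoke_ldif(record), end="")
```

In practice the entry text comes from the search flo gave (ldapsearch ... -b o=ipaca) and the generated LDIF is fed to ldapmodify -D "cn=directory manager" -W; afterwards ipa cert-show <serial> should report Revoked: False before the renewal is retried.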
On 1/16/20 10:16 AM, luckydog xf via FreeIPA-users wrote:
Great! Thanks for closing the loop.
flo
One more question to ask:
1. Both /etc/dirsrv/alias and /etc/httpd/alias store certificates for themselves. Right?
2. Dogtag is a certificate lifecycle management system, e.g. issue/renew/revoke. Would any CSR be validated by httpd first and then forwarded to the Dogtag sub-CA? Per https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf
3. Where are certificates issued by Dogtag stored? Is everything stored in 389 DS?
Thanks,
Hello,
when I want to set the Kerberos policy via the IPA GUI for tickets, I have two parameters:
Max renew
Max life
"Max life" is working for me as expected.
But it seems that "Max renew" has a maximum value of 14 days (of course I set it in seconds). Is this true?
What can I do to set a value higher than 14 days?
Thank you for any help!
Detlev
P.S.: We need a high value for simulations …
--
Detlev Habicht | Institut fuer Mikroelektronische Systeme, D-30167 Hannover
+49 511 76219662 | habicht@ims.uni-hannover.de
Handy +49 172 5415752
Hello Detlev,
I have set the "Max renew" to 1814400 seconds without any problems in the GUI.
And ipa krbtpolicy-show --all shows me this:
Max life: 86400
Max renew: 18144000
I set the new "Max renew" and save it, nothing more :)
Regards
Dirk
On 02.01.20 at 15:39, Detlev Habicht via FreeIPA-users wrote:
Yes … I can do this too …
But do you see this value also with klist???
Greetings
Detlev
On 02.01.2020 at 16:03, Dirk Streubel dirk.streubel@posteo.de wrote:
Hello Detlev,
I have done this:
ipa krbtpolicy-mod --maxlife=43200 --maxrenew=604800
and the result is this:
Standard-Principal: dirk@XXX
Valid starting       Expires              Service principal
02.01.2020 16:53:29  03.01.2020 04:53:29  krbtgt/XXX@XXX
        erneuern bis 03.01.2020 16:53:21
Is this what you wanted to see?
When I set the maxlife to 7 days I can only see the expire date.
I don't know why, and I must say I am not a "Kerberos Master" :)
Regards
Dirk
On 02.01.20 at 16:13, Detlev Habicht via FreeIPA-users wrote:
Hi,
please have a look at the documentation [1]. There are multiple levels where the ticket max life/max renew can be defined and the doc explains the various settings that must be taken into account.
Hope this clarifies,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
On 1/2/20 4:59 PM, Dirk Streubel via FreeIPA-users wrote:
Thank you very much.
Reading the docs at the right page is really helpful :-) :
The value requested by the client is compared to the --maxlife setting of the user_name-specific Kerberos ticket policies if these policies exist, and the lower value of the two is selected. If user_name-specific Kerberos ticket policies do not exist, the value sent by the client is compared to the --maxlife setting of the Global Kerberos ticket policy, and the lower value of the two is selected. For details on global and user-specific Kerberos ticket policies, see Section 29.1.2, "Global and User-specific Kerberos Ticket Policies".
The value selected in the previous step is compared to two other values:
- The value of the max_life setting in the /var/kerberos/krb5kdc/kdc.conf file
- The value set in the krbMaxTicketLife attribute of the LDAP entry with the distinguished name (DN): krbPrincipalName=krbtgt/REALM_NAME@REALM_NAME,cn=REALM_NAME,cn=kerberos,domain_name
The lowest of the three values is ultimately selected for the lifetime of the Kerberos ticket granted to user_name.
You have to check three places! And the most important hint is the last sentence: the lowest value wins! So with the IPA GUI you cannot set a value higher than the one in kdc.conf and LDAP.
Thank you for the help.
Detlev
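The selection rule quoted from the documentation, carried through as an added Python example (not code from the thread or from FreeIPA): the client's request is capped by the user-specific ticket policy if one exists (else the global policy), then by kdc.conf, then by the krbtgt principal's LDAP attribute, and the lowest value wins. Max renew follows the same rule with the renewable counterparts (max_renewable_life in kdc.conf, krbMaxRenewableAge on the krbtgt entry). The policy numbers are the ones quoted in the thread; the kdc.conf and krbtgt values used in the demo are assumptions. The duration parser covers the forms kdc.conf accepts: plain seconds, h:m[:s], and NdNhNmNs.

```python
"""Effective Kerberos ticket lifetime: min(client request, ticket policy,
kdc.conf, krbtgt LDAP entry), as the documentation quoted in the thread
describes. Added example; not code from the thread or from FreeIPA.
The kdc.conf and krbtgt values below are assumptions.
"""
import re

# 'NdNhNmNs' form, each part optional, e.g. '1d', '24h 0m 0s', '2d 12h'
_NDHMS = re.compile(r"^(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s?)?$")


def parse_krb_duration(text):
    """Parse a kdc.conf duration into seconds: '86400', '12:30', '1d', '24h 0m 0s'."""
    text = str(text).strip()
    if text.isdigit():
        return int(text)
    if ":" in text:                                   # h:m[:s]
        h, m, *rest = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + (rest[0] if rest else 0)
    match = _NDHMS.match(text)
    if not match or not any(match.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, mi, s = (int(g) if g else 0 for g in match.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def effective_lifetime(requested, global_policy, user_policy, kdc_conf_value, krbtgt_value):
    """Return (seconds, limiting setting) for a ticket-life or renew request.

    All inputs are seconds except kdc_conf_value, which is in kdc.conf
    duration syntax. The second element names which of the places the
    thread mentions actually capped the ticket, so an admin knows where to
    look when the GUI value is not what klist shows.
    """
    policy = global_policy if user_policy is None else user_policy
    candidates = [
        ("client request", int(requested)),
        ("ticket policy", int(policy)),
        ("kdc.conf", parse_krb_duration(kdc_conf_value)),
        ("krbtgt LDAP entry", int(krbtgt_value)),
    ]
    name, seconds = min(candidates, key=lambda item: item[1])
    return seconds, name


if __name__ == "__main__":
    # Dirk's policy (--maxlife=43200) with a client asking for 7 days:
    # the user/global policy is the cap.
    print("max life :", effective_lifetime(7 * 86400, 86400, 43200, "1d", 86400))
    # Detlev's case: global Max renew 18144000, but an assumed 14-day
    # max_renewable_life in kdc.conf (and 15-day krbMaxRenewableAge) still cap it.
    print("max renew:", effective_lifetime(30 * 86400, 18144000, None, "14d", 15 * 86400))
```

Run against the real values from ipa krbtpolicy-show --all, the max_life / max_renewable_life lines of /var/kerberos/krb5kdc/kdc.conf and the krbtgt entry's krbMaxTicketLife / krbMaxRenewableAge, the function shows which of the three places has to be raised before a larger GUI value takes effect.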
On 02.01.2020 at 17:34, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Interesting, why was my post intercepted by a new topic?
Lol.
Sorry, maybe my fault.
Detlev
On 03.01.2020 at 03:05, luckydog xf via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I'm confused. :)