[Freeipa-users] Re: Root CA is changing in an AD Trust environment

2020-06-24 Thread Florence Blanc-Renaud via FreeIPA-users

On 6/24/20 2:01 PM, White, David via FreeIPA-users wrote:

We have IdM / FreeIPA running on RHEL 7 boxes.
This is a 6-node cluster that has an existing 1-way trust back to Active 
Directory.

IdM is still acting as the CA for its own clients, and when we setup the trust, 
we used the following command:
ipa trust-add --type=ad example.com --admin admin_user

We just learned very recently that our Active Directory team is generating and 
installing a new Root CA certificate into AD.
That is happening tonight at 9pm.

The existing Root CA will remain in place until it expires in about 1 month.

Is there anything that we will have to do to IdM to get it to trust the new 
certificate?
Even though the existing Root CA should remain in place for the next month, is 
there any chance something will break tonight when the new Root certificate is 
installed?


Hi,

are you using smart card authentication with certificates delivered by 
AD's Root CA? If it is the case, you will need to re-run the scripts 
used to configure the clients and servers for smart card authentication, 
providing the new AD's Root CA. See "Preparing the Identity Management 
Client for Smart-card Authentication" [1] and "Preparing the Identity 
Management Server for Smart-card Authentication in the Web UI" [2].


flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/auth-idm-client-sc#sc-auth-idm-client-prereqs


[2] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/sc-web-ui-auth#sc-idm-users-auth-preparing-the-server



I know we would be facing a lot more work, had we used AD’s Root CA for the 
client connections. So I feel fortunate in that regard.


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org




[Freeipa-users] Re: Root CA is changing in an AD Trust environment

2020-06-24 Thread White, David via FreeIPA-users
> Trust to Active Directory does not rely on any CA certificate or certificate 
> properties from Active Directory. Many Active Directory forests do not have 
> integrated CA at all.
Thanks. That makes me feel a lot better about tonight.

> However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might 
> be affected. Please clarify whether this is indeed the case.

I can confirm that we do NOT have IPA set up as a sub-CA.
There was actually a complicated conversation about that specific topic when we 
were in the midst of deploying. 1 week after having RHEL consultants on site, 
one of my colleagues made me re-deploy the entire cluster again, because he 
wanted the sub-CA. After even more back and forth with our Corporate AD team, 
and testing, we re-deployed yet again without the sub-CA. It was a fiasco. The 
consultant was great. My colleagues were not.  Felt like the longest 3 weeks of 
my life, with requirements changing on me every other day. LOL.

Thank you!

On 6/24/20, 8:13 AM, "Alexander Bokovoy"  wrote:

On Wed, 24 Jun 2020, White, David via FreeIPA-users wrote:
>We have IdM / FreeIPA running on RHEL 7 boxes.
>This is a 6-node cluster that has an existing 1-way trust back to
>Active Directory.
>
>IdM is still acting as the CA for its own clients, and when we setup the 
trust, we used the following command:
>ipa trust-add --type=ad example.com --admin admin_user
>
>We just learned very recently that our Active Directory team is
>generating and installing a new Root CA certificate into AD.  That is
>happening tonight at 9pm.
>
>The existing Root CA will remain in place until it expires in about 1 
month.
>
>Is there anything that we will have to do to IdM to get it to trust the
>new certificate?

Trust to Active Directory does not rely on any CA certificate or
certificate properties from Active Directory. Many Active Directory
forests do not have integrated CA at all.

So for the trust to AD specifically, this is not an issue.

However, if you have deployed IPA CA as a sub-CA of existing AD CA, you
might be affected. Please clarify whether this is indeed the case.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland




[Freeipa-users] Re: Root CA is changing in an AD Trust environment

2020-06-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Jun 2020, White, David via FreeIPA-users wrote:

We have IdM / FreeIPA running on RHEL 7 boxes.
This is a 6-node cluster that has an existing 1-way trust back to
Active Directory.

IdM is still acting as the CA for its own clients, and when we setup the trust, 
we used the following command:
ipa trust-add --type=ad example.com --admin admin_user

We just learned very recently that our Active Directory team is
generating and installing a new Root CA certificate into AD.  That is
happening tonight at 9pm.

The existing Root CA will remain in place until it expires in about 1 month.

Is there anything that we will have to do to IdM to get it to trust the
new certificate?


Trust to Active Directory does not rely on any CA certificate or
certificate properties from Active Directory. Many Active Directory
forests do not have integrated CA at all.

So for the trust to AD specifically, this is not an issue.

However, if you have deployed IPA CA as a sub-CA of existing AD CA, you
might be affected. Please clarify whether this is indeed the case.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
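Alexander's caveat turns on one fact about the deployment: whether the IPA CA is self-signed or was signed by the AD CA. The check below is an added example, not code from the thread or from FreeIPA; it assumes openssl(1) is installed and that /etc/ipa/ca.crt holds the IPA CA certificate first (override the path with IPA_CA_CRT if your copy lives elsewhere).

```shell
#!/bin/sh
# Added example: tell a self-signed IPA CA apart from one chained to an
# external (for instance AD) CA. Only the second kind can be affected by an
# AD root CA rollover. Assumes openssl(1); reads the FIRST certificate in
# the file, so point it at the IPA CA certificate itself.
set -eu

# cert_dn_field FILE FIELD -> subject or issuer DN of the first certificate
# in FILE, with the "subject=" / "issuer=" prefix openssl prints stripped.
cert_dn_field() {
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# cert_is_self_signed FILE -> exit 0 when subject equals issuer, else 1.
cert_is_self_signed() {
  [ "$(cert_dn_field "$1" subject)" = "$(cert_dn_field "$1" issuer)" ]
}

# ipa_ca_report FILE -> one human-readable line. "self-signed:" means the
# IPA CA is the top of its own chain, so no external root expiring can
# invalidate it; "externally signed:" means the issuer shown has to be
# compared with the AD CA that is being replaced.
ipa_ca_report() {
  if cert_is_self_signed "$1"; then
    printf 'self-signed: %s\n' "$(cert_dn_field "$1" subject)"
  else
    printf 'externally signed: subject=%s issuer=%s\n' \
      "$(cert_dn_field "$1" subject)" "$(cert_dn_field "$1" issuer)"
  fi
}

# Stand-alone use: `sh ipa-ca-check.sh --report` on an IPA server or client.
if [ "${1:-}" = "--report" ]; then
  ipa_ca_report "${IPA_CA_CRT:-/etc/ipa/ca.crt}"
fi
```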


[Freeipa-users] Re: Setting up a custom service

2020-06-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Jun 2020, Dominik Vogt via FreeIPA-users wrote:

For a test setup, we need to create a custom service running on a
server and a custom application running on the client.   The
sample gss client/server from the Kerberos sources is used for
demonstration.

Setting this up with plain Kerberos is easy:

1. Create the service principal with
$ addprinc -randkey sample/server.domain
2. Add key to keytab
$ ktadd ...
3. Copy keytab to server
4. Run the service
$ gss_server -port 12345 sample

Now, how would one do this with freeipa, using the command line
interface?

1. Create service
$ ipa service-add sample/server.domain
2a. Create the service key?  How?
2b. Generate the keytab for the key?  How?
3. Copy the keytab to the server?  Manually or is there a freeipa
   way to do that?


Assuming both client and server are enrolled into FreeIPA:

 1. As admin, add a service and allow its host to create a keytab:

kinit admin
ipa service-add sample/server.domain
ipa service-allow-create-keytab sample/server.domain --hosts=server.domain

 2. On the server system:

kinit -k
ipa-getkeytab -p sample/server.domain -k ./sample.keytab

 3. Run the service

$ KRB5_KTNAME=./sample.keytab KRB5_CLIENT_KTNAME=./sample.keytab gss_server -port 12345 sample

See man kerberos(7) for the environment variables, ipa-getkeytab(1) for
examples of ipa-getkeytab use and 'ipa help service' for details on the
service commands (or any other IPA command line utility commands).


Is this approach correct?  Any pointer to the relevant
documentation would also be helpful.


This all is documented in RHEL IdM documentation, as linked on 
https://www.freeipa.org/page/Documentation#User_Guides

RHEL 7 documentation is more detailed as RHEL 8 takes a different
approach in documenting specific use cases while RHEL 7 documentation
covers all operations. They mostly complement each other.

Managing services is chapter 16 in RHEL7 documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/services#adding-service-entry

A relevant design document pair upstream is
https://www.freeipa.org/page/V4/Keytab_Retrieval and 
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management





(I'm completely new to freeipa.)

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
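The procedure in Alexander's answer, as an added example script (not from the thread or the FreeIPA project) that adds one verification step: before the service starts, it confirms with klist that the keytab really holds the expected principal. The klist output embedded as SAMPLE_KLIST is constructed; the service principal, host and keytab path default to the thread's values and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: provision and verify a FreeIPA service keytab following the
# steps in the answer above. Assumes both hosts are enrolled in FreeIPA.
set -eu

SERVICE="${SERVICE:-sample/server.domain}"
SERVER_FQDN="${SERVER_FQDN:-server.domain}"
KEYTAB="${KEYTAB:-./sample.keytab}"

# Constructed `klist -kt` output (two key versions of the same principal),
# used for the self-test; a real run parses the live klist output instead.
SAMPLE_KLIST='Keytab name: FILE:./sample.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 06/24/2020 10:00:00 sample/server.domain@EXAMPLE.TEST
   2 06/24/2020 10:05:00 sample/server.domain@EXAMPLE.TEST'

# keytab_principals KLIST_OUTPUT -> distinct principals in the keytab.
# klist prints a header, a dashed rule, then rows whose first field is the
# numeric KVNO and whose last field is the principal.
keytab_principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL -> 0 if PRINCIPAL (in any
# realm) is in the keytab, 1 otherwise. A wrong or missing principal is far
# cheaper to catch here than as a GSSAPI error once the service is running.
keytab_has_principal() {
  keytab_principals "$1" | awk -v p="$2@" 'index($0, p) == 1 { f = 1 } END { exit !f }'
}

# admin_side: run once with admin credentials. service-allow-create-keytab
# is the least-privilege step: only SERVER_FQDN's host principal may create
# (and therefore rotate) this service's key, not every enrolled host.
admin_side() {
  kinit admin
  ipa service-add "$SERVICE"
  ipa service-allow-create-keytab "$SERVICE" --hosts="$SERVER_FQDN"
}

# server_side: run on SERVER_FQDN with its host keytab (kinit -k).
# ipa-getkeytab generates a fresh key, which invalidates any keytab fetched
# earlier for this service, so fetch once and copy the file from here.
server_side() {
  kinit -k
  ipa-getkeytab -p "$SERVICE" -k "$KEYTAB"
  chmod 0600 "$KEYTAB"            # the key is a long-term secret
  keytab_has_principal "$(klist -kt "$KEYTAB")" "$SERVICE" || {
    echo "keytab $KEYTAB does not contain $SERVICE" >&2; return 1; }
  KRB5_KTNAME="$KEYTAB" KRB5_CLIENT_KTNAME="$KEYTAB" gss_server -port 12345 sample
}

case "${1:-}" in
  admin)  admin_side ;;
  server) server_side ;;
esac
```

Run it once as `sh service-keytab.sh admin` wherever the ipa CLI and admin credentials are available, then as `sh service-keytab.sh server` on server.domain.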


[Freeipa-users] Root CA is changing in an AD Trust environment

2020-06-24 Thread White, David via FreeIPA-users
We have IdM / FreeIPA running on RHEL 7 boxes.
This is a 6-node cluster that has an existing 1-way trust back to Active 
Directory.

IdM is still acting as the CA for its own clients, and when we setup the trust, 
we used the following command:
ipa trust-add --type=ad example.com --admin admin_user

We just learned very recently that our Active Directory team is generating and 
installing a new Root CA certificate into AD.
That is happening tonight at 9pm.

The existing Root CA will remain in place until it expires in about 1 month.

Is there anything that we will have to do to IdM to get it to trust the new 
certificate?
Even though the existing Root CA should remain in place for the next month, is 
there any chance something will break tonight when the new Root certificate is 
installed?

I know we would be facing a lot more work, had we used AD’s Root CA for the 
client connections. So I feel fortunate in that regard.




[Freeipa-users] Setting up a custom service

2020-06-24 Thread Dominik Vogt via FreeIPA-users
For a test setup, we need to create a custom service running on a
server and a custom application running on the client.   The
sample gss client/server from the Kerberos sources is used for
demonstration.

Setting this up with plain Kerberos is easy:

 1. Create the service principal with
 $ addprinc -randkey sample/server.domain
 2. Add key to keytab
 $ ktadd ...
 3. Copy keytab to server
 4. Run the service
 $ gss_server -port 12345 sample

Now, how would one do this with freeipa, using the command line
interface?

 1. Create service
 $ ipa service-add sample/server.domain
 2a. Create the service key?  How?
 2b. Generate the keytab for the key?  How?
 3. Copy the keytab to the server?  Manually or is there a freeipa
way to do that?

Is this approach correct?  Any pointer to the relevant
documentation would also be helpful.

(I'm completely new to freeipa.)

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt


[Freeipa-users] Re: bad filter to find ad users

2020-06-24 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 24, 2020 at 11:40:45AM +0200, Nathanaël Blanchet via FreeIPA-users 
wrote:
> Hello, 
> 
> I manage two independent AD domains, and I set up a trust with my
> freeipa server (realm NAT.ABES.FR).
> 
> The trust-add step is ok for both and trust are both seen as active 
> directory trust: 
> 
> 2 trusts matched
>
>   Realm name: ACME.local
>   Domain NetBIOS name: ACME
>   Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
>   Trust type: Active Directory domain
>
>   Realm name: levant.abes.fr
>   Domain NetBIOS name: LEVANT
>   Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
>   Trust type: Active Directory domain
>
> Idranges are also ok:
>
>   Range name: ACME.LOCAL_id_range
>   First Posix ID of the range: 54200
>   Number of IDs in the range: 20
>   First RID of the corresponding RID range: 0
>   Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
>   Range type: Active Directory domain range
>
>   Range name: LEVANT.ABES.FR_id_range
>   First Posix ID of the range: 56440
>   Number of IDs in the range: 20
>   First RID of the corresponding RID range: 0
>   Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
>   Range type: Active Directory domain range
>
> I can get id with ACME.local but not on levant.abes.fr:
>
> id toto@ACME.local
> uid=542001112(toto@ACME.local) gid=542001112(toto@ACME.local) groups=542001112(toto@ACME.local),542000513(utilisateurs du domaine@ACME.local)
>
> id administrat...@levant.abes.fr
> id: ‘administrat...@levant.abes.fr’: no such user
> 
> when debugging sssd, I find that the ldap filter query is not the same 
> on both domains: 
> 
> ACME.local: 
> [(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))] 
> 
> levant.abes.fr: 
> [(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0]
>  
> 
> 
> The ACME domain is on a single 2012R2 server 
> 
> The LEVANT domain is on an AD cluster with different AD versions: 2008, 
> 2012R2, 2016 
> 
> SRV records are all ok from AD side and from ipaserver side. 
> 
> Some users on LEVANT had previously some unix attributes that I deleted,
> and so any vmsSFU30OrderNumber or msSFU30MaxUidNumber or
> msSFU30MaxUidNumber as mentioned here
> https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
> 
> I deleted, recreated trust, restarted sssd daemon, but the result is 
> always the same, the ldap search on AD is always done with uidNumber 
> instead of objectSID and no users of the trusted domain are found. 
> 
> What can I do more? 

Hi,

did you remove SSSD's cache while restarting SSSD? Please try

sssctl cache-remove -ops

or if sssctl is not installed

systemctl stop sssd.service ; rm -f /var/lib/sss/db/* ; systemctl start 
sssd.service

HTH

bye,
Sumit

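Nathanaël's diagnosis rests on spotting which attribute SSSD keys its AD user lookups on. The script below is an added example, not code from the thread or from SSSD: it pulls the search filters out of the trace-level `calling ldap_search_ext with [filter][base]` lines of an SSSD domain log and reports, per search base, whether the lookup used `objectSID` (ID mapping, what a fresh trust should do) or `uidNumber` (POSIX attributes, what the stale state in this thread kept selecting). The log lines embedded here are constructed for the example.

```shell
#!/bin/sh
# Added example: classify SSSD's AD user lookups by the attribute their LDAP
# filter keys on, from the trace-level "calling ldap_search_ext" lines in a
# domain log. The sample lines are constructed in SSSD's log format.
set -eu

SAMPLE_LOG='(Wed Jun 24 11:40:01 2020) [sssd[be[nat.abes.fr]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=ACME,DC=local].
(Wed Jun 24 11:40:02 2020) [sssd[be[nat.abes.fr]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=levant,DC=abes,DC=fr].
(Wed Jun 24 11:40:03 2020) [sssd[be[nat.abes.fr]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].'

# classify_filter FILTER -> "sid" when the lookup is keyed on objectSID
# (ID mapping, what a trusted domain without POSIX attributes should use),
# "posix" when keyed on uidNumber (POSIX attributes from AD), else "other".
classify_filter() {
  case "$1" in
    *'(objectSID=*)'*) echo sid ;;
    *'(uidNumber=*)'*) echo posix ;;
    *) echo other ;;
  esac
}

# lookup_modes LOG_TEXT -> one "mode base" line per search; the base is
# what tells the two trusted domains apart in the same parent-domain log.
lookup_modes() {
  printf '%s\n' "$1" |
    sed -n 's/.*calling ldap_search_ext with \[\(.*\)\]\[\([^]]*\)\].*/\2|\1/p' |
    while IFS='|' read -r base filter; do
      printf '%s %s\n' "$(classify_filter "$filter")" "${base:-rootDSE}"
    done
}

# posix_bases LOG_TEXT -> search bases queried by uidNumber. A trusted
# domain that should be ID-mapped showing up here (as levant.abes.fr did) is
# the cue to clear the SSSD cache as Sumit suggests and look again.
posix_bases() {
  lookup_modes "$1" | sed -n 's/^posix //p' | sort -u
}

# Stand-alone: pass a domain log path, or no argument to use the sample.
if [ $# -gt 0 ]; then lookup_modes "$(cat "$1")"; else lookup_modes "$SAMPLE_LOG"; fi
```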


[Freeipa-users] bad filter to find ad users

2020-06-24 Thread Nathanaël Blanchet via FreeIPA-users
Hello, 

I manage two independent AD domains, and I set up a trust with my
freeipa server (realm NAT.ABES.FR).

The trust-add step is ok for both and trust are both seen as active 
directory trust: 

2 trusts matched

  Realm name: ACME.local
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-3044139164-2180978765-3887461208
  Trust type: Active Directory domain

  Realm name: levant.abes.fr
  Domain NetBIOS name: LEVANT
  Domain Security Identifier: S-1-5-21-116659660-2524593236-2569697501
  Trust type: Active Directory domain

Idranges are also ok:

  Range name: ACME.LOCAL_id_range
  First Posix ID of the range: 54200
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3044139164-2180978765-3887461208
  Range type: Active Directory domain range

  Range name: LEVANT.ABES.FR_id_range
  First Posix ID of the range: 56440
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-116659660-2524593236-2569697501
  Range type: Active Directory domain range

I can get id with ACME.local but not on levant.abes.fr:

id toto@ACME.local
uid=542001112(toto@ACME.local) gid=542001112(toto@ACME.local) groups=542001112(toto@ACME.local),542000513(utilisateurs du domaine@ACME.local)

id administrat...@levant.abes.fr
id: ‘administrat...@levant.abes.fr’: no such user

when debugging sssd, I find that the ldap filter query is not the same 
on both domains: 

ACME.local: 
[(&(sAMAccountName=toto)(objectclass=user)(sAMAccountName=*)(objectSID=*))] 

levant.abes.fr: 
[(&(sAMAccountName=poujol)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0]
 


The ACME domain is on a single 2012R2 server 

The LEVANT domain is on an AD cluster with different AD versions: 2008, 
2012R2, 2016 

SRV records are all ok from AD side and from ipaserver side. 

Some users on LEVANT had previously some unix attributes that I deleted,
and so any vmsSFU30OrderNumber or msSFU30MaxUidNumber or
msSFU30MaxUidNumber as mentioned here
https://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD

I deleted, recreated trust, restarted sssd daemon, but the result is 
always the same, the ldap search on AD is always done with uidNumber 
instead of objectSID and no users of the trusted domain are found. 

What can I do more? 