[Freeipa-users] Re: Running external cert management on Ipa server?
On Thu, Sep 10, 2020 at 06:12:18PM +0100, Dominik Vogt via FreeIPA-users wrote:
> On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users
> wrote:
> > > a customer wants to use the Redhat certificate system instead of
> > > the one built into freeipa. AFAIK both use dogtag under the hood.
> >
> > Can you expand on what "instead of" means here? What type of integration
> > are they looking for? You seem to suggest below that both would be running.
>
> I'm really no freeipa expert. All I know is that some certificate
> system is normally installed with the ipa-server package. The
> customer wants to use RHCS instead because of some feature that's
> only present in RHCS. (We've already discussed that with Redhat
> support.)

It would be good to know what that feature is. Maybe there is a way to
use it now, or we can enable it in the future. Or perhaps it really is
a dead end. But unless we know what feature the customer wants, we can
not evaluate.

Thanks,
Fraser

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Running external cert management on Ipa server?
On Thu, Sep 10, 2020 at 08:32:39PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 10 Sep 2020, Dominik Vogt via FreeIPA-users wrote:
> > On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users
> > wrote:
> > > > a customer wants to use the Redhat certificate system instead of
> > > > the one built into freeipa. AFAIK both use dogtag under the hood.
>
> RHEL IdM does not support a configuration where RHCS is used on the same
> host as RHEL IdM server and as a replacement of integrated RHEL IdM CA.
> This is not tested and was never supported.
>
> What else is needed other than it is not supported, not tested, and not
> considered as a supported configuration by RHEL IdM team?

Thanks, that was what I wanted to hear. This should hopefully be
enough to convince the customer that putting as many services on the
ipa server as possible is not such a good idea after all.

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt
[Freeipa-users] Re: Running external cert management on Ipa server?
On Thu, 10 Sep 2020, Dominik Vogt via FreeIPA-users wrote:
> On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users
> wrote:
> > > a customer wants to use the Redhat certificate system instead of
> > > the one built into freeipa. AFAIK both use dogtag under the hood.
> >
> > Can you expand on what "instead of" means here? What type of integration
> > are they looking for? You seem to suggest below that both would be running.
>
> I'm really no freeipa expert. All I know is that some certificate
> system is normally installed with the ipa-server package. The
> customer wants to use RHCS instead because of some feature that's
> only present in RHCS. (We've already discussed that with Redhat
> support.)

RHEL IdM does not support a configuration where RHCS is used on the same
host as RHEL IdM server and as a replacement of integrated RHEL IdM CA.
This is not tested and was never supported.

If you want, you may involve me into your support case with Red Hat.

You can, of course, run RHCS on a separate system and use RHEL IdM with
external CA provided by RHCS. With this configuration, no integration
would really exist between the two systems beyond external CA providing
standard way of signing IPA CA as its own sub-CA or by issuing server
certificates for IPA services.

> If possible, we want to disable the certificate system that comes with
> freeipa and use only RHCS. The point is that the customer wants some
> evidence against running RHCS on the freeipa server. (Not just
> security and availability issues.)

What else is needed other than it is not supported, not tested, and not
considered as a supported configuration by RHEL IdM team?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Running external cert management on Ipa server?
On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users wrote:
> > a customer wants to use the Redhat certificate system instead of
> > the one built into freeipa. AFAIK both use dogtag under the hood.
>
> Can you expand on what "instead of" means here? What type of integration
> are they looking for? You seem to suggest below that both would be running.

I'm really no freeipa expert. All I know is that some certificate
system is normally installed with the ipa-server package. The
customer wants to use RHCS instead because of some feature that's
only present in RHCS. (We've already discussed that with Redhat
support.)

If possible, we want to disable the certificate system that comes with
freeipa and use only RHCS. The point is that the customer wants some
evidence against running RHCS on the freeipa server. (Not just
security and availability issues.)

Thank you very much for the additional information below, that really
helps a lot.

> > The customer wants to run the certificate system on the same
> > machine as the ipa server, if possible (because otherwise he needs
> > more hardware). Redhat support had some unspecific concerns that
> > RHCS might conflict with the one that is part of freeipa.
> >
> > Is it possible at all? Will it cause trouble? Has anybody some
> > experience with that setup?
>
> We strongly discourage running other services on an IPA server, and if
> they already have limited hardware then double that. Every new service
> expands the attack surface on the machine.
>
> While there are few details here, in worst case it would add another
> LDAP instance and expand an already large java process. Whether it would
> cause issues is largely unknown. If they carefully selected the ports to
> use it *might* work but yeah, not something we'd recommend or easily
> support. And who knows how upgrades would work.
>
> I'm sure RH support wasn't specific b/c AFAIK nobody has ever tried this.
>
> The point I'd make is that IPA is not just some service you run. Its
> purpose is to centralize all AAA operations. Do you really want to cheap
> out on that? What is the cost of downtime/losing everything to a
> hardware fault vs buying more hardware?
>
> If pressed I suppose I'd suggest running RHCS and IPA in separate VMs
> rather than on bare hardware in order to achieve separation. But this
> still looks like putting all eggs into one basket.

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt
[Freeipa-users] Re: Problem with smartcard login when otp is enabled
Hi.

On 9/10/20 5:31 PM, Sumit Bose via FreeIPA-users wrote:
> just to be on the safe side, have you installed the krb5-pkinit package
> on Fedora 32?

Sigh... the krb5-pkinit was somehow absent on Fedora 32. Thank you for
help and sorry for the noise.

Although, could SSSD somehow detect this situation? I mean, when Smart
card credentials are present, but Kerberos PKINIT library is absent? An
appropriate error message would save a lot of time spent on debugging
this ;).

I will coordinate with Jan to check if it is the same problem on his
Ubuntu.

Best regards,
Radoslaw
[Freeipa-users] Re: Allocation of a new value for DNA range failed
Ronald Wimmer via FreeIPA-users wrote:
>
> Quoting Rob Crittenden :
>
>> Ronald Wimmer via FreeIPA-users wrote:
>>> On 06.07.20 19:52, Rob Crittenden wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
>>>>> into this particular problem.
>>>>>
>>>>> Is it right that I need to have an ID range where all DNA ranges
>>>>> have to fit in? And that the DNA range of each IPA server has to be
>>>>> distinct from the ranges of the other IPA servers?
>>>>>
>>>>> I will start by checking each IPA server with
>>>>>
>>>>> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>>>>>
>>>>> (according to what Rob wrote on his blog some years ago
>>>>> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
>>>>
>>>> Not every master has to have a range. Only those masters that you
>>>> create users and groups on.
>>>>
>>>> The DNA plugin should be smart enough to skip any conflicting
>>>> allocations but why press it? It isn't a whole lot of extra work to
>>>> manually set things up if you have to do that anyway and you can sleep
>>>> better knowing that duplicate values aren't possible.
>>>>
>>>> Yes, it needs to fit within any IPA ranges you have created. You can
>>>> have more than one. Otherwise you could theoretically end up in a
>>>> conflict with other ranges, like a trust, which would be bad.
>>>>
>>>> There is nothing constraining what DNA range you set. The IPA ranges
>>>> are there for a hint.
>>>
>>> So. If my ID range for the IPA domain is
>>>
>>> ID Range
>>> 124660
>>> 124680
>>>
>>> I could set the DNA ranges like that:
>>>
>>> DNA Range ipa1
>>> 124661
>>> 1246620001
>>>
>>> DNA Range ipa2
>>> 1246620002
>>> 1246640002
>>>
>>> DNA Range ipa3
>>> 1246640003
>>> 1246660003
>>>
>>> DNA Range ipa4
>>> 1246660004
>>> 1246680004
>>>
>>> DNA Range ipa5
>>> 1246680005
>>> 124675
>>>
>>> DNA Range ipa6
>>> 124676
>>> 1246720006
>>>
>>> DNA Range ipa7
>>> 1246720007
>>> 1246740007
>>>
>>> DNA Range ipa8
>>> 1246740008
>>> 1246760008
>>>
>>> Do you agree?
>>>
>>> Do I have to use ldapmodify or could I use
>>>
>>> ipa-replica-manage dnarange-set ipa1.mydomain.at 124661-1246620001 ?
>>
>> You can use ipa-replica-manage.
>>
>> As I write in the blog, not every server is required to have a range
>> set. It is only needed on servers that users will be created on and it
>> will ask its peers for a range if a need arises.
>>
>> So sure, you can micromanage it like this if you want but if you create
>> another server and it needs a range it will split one of these.
>
> The thing is that I put a loadbalancer in front of all the eight IPA
> servers (so that users can access the Web GUI like ipa.linux.mydomain.at
> where the actual servers are blabla2-8.linux.mydomain.at). When
> accessing the web interface the user does not know on which IPA server
> he ended up. In this scenario every IPA server would need a range of its
> own, right?

Seems so. Again, it's not exactly wrong to manually do it, you just lose
some automation and risk splitting the values deeply when creating new
masters so just keep this in mind. You may have to manually re-adjust at
some point.

rob
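Ronald's plan above carves the domain's ID range into one DNA slice per server by hand, and Rob's answers state the two invariants worth checking before doing so: every DNA range must sit inside an IPA ID range, and no two masters' ranges may overlap. The following Python is an added example, not code from the thread, from FreeIPA or from 389-ds: it parses text in the shape of `ipa-replica-manage dnarange-show` output, reports ranges that are reversed, outside every ID range, or overlapping, and, going beyond the thread, computes an even split for a list of masters and renders the matching `ipa-replica-manage dnarange-set` commands. The hostnames, range values and the "host: first-last" line shape are constructed assumptions; compare against the real output of your IPA version before feeding it to the parser.

```python
"""Sanity-check per-master DNA ranges against the IPA ID range(s).

Added example, not code from the thread or from FreeIPA. The input shape
and all values below are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (first, last)

# Constructed sample in the shape of `ipa-replica-manage dnarange-show`
# output ("host: first-last", or "No range set"). Hypothetical hosts and
# numbers; two defects are planted on purpose (ipa3 overlaps ipa2, ipa4
# spills past the ID range).
SAMPLE_DNARANGE_SHOW = """\
ipa1.example.test: 1246600001-1246620000
ipa2.example.test: 1246620001-1246640000
ipa3.example.test: 1246630001-1246660000
ipa4.example.test: 1246790001-1246810000
ipa5.example.test: No range set
"""

# Constructed: the domain's IPA ID range(s) as (first, last), inclusive.
SAMPLE_ID_RANGES: List[Range] = [(1246600000, 1246800000)]

_LINE = re.compile(r"^(?P<host>\S+):\s+(?P<body>.+?)\s*$")
_RANGE = re.compile(r"^(\d+)-(\d+)$")


def parse_dnarange_show(text: str) -> Dict[str, Optional[Range]]:
    """Map each master to its DNA range, or None when it has no range set."""
    result: Dict[str, Optional[Range]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        r = _RANGE.match(m.group("body"))
        result[m.group("host")] = (int(r.group(1)), int(r.group(2))) if r else None
    return result


def check_dna_ranges(dna: Dict[str, Optional[Range]], id_ranges: List[Range]) -> List[str]:
    """Return one message per defect: reversed, outside every ID range, or overlapping."""
    problems: List[str] = []
    valid: List[Tuple[str, Range]] = []
    for host, rng in dna.items():
        if rng is None:  # a master without a range asks a peer when it needs one
            continue
        first, last = rng
        if first > last:
            problems.append(f"{host}: range {first}-{last} is reversed")
            continue
        if not any(lo <= first and last <= hi for lo, hi in id_ranges):
            problems.append(f"{host}: range {first}-{last} is not inside any IPA ID range")
        valid.append((host, rng))
    # Sort by start; two ranges overlap iff the later start is <= the earlier end.
    valid.sort(key=lambda hr: hr[1][0])
    for i, (h1, (a1, b1)) in enumerate(valid):
        for h2, (a2, b2) in valid[i + 1:]:
            if a2 <= b1:
                problems.append(f"{h1} ({a1}-{b1}) overlaps {h2} ({a2}-{b2})")
    return problems


def plan_dna_ranges(id_range: Range, hosts: List[str], reserve: int = 0) -> Dict[str, Range]:
    """Split one IPA ID range into equal, disjoint DNA ranges, one per host.

    `reserve` IDs at the bottom are left unassigned, e.g. for values that
    were already handed out before the ranges are rewritten.
    """
    first, last = id_range
    usable = last - first + 1 - reserve
    if usable < len(hosts):
        raise ValueError("ID range too small for the requested number of hosts")
    per_host = usable // len(hosts)
    plan: Dict[str, Range] = {}
    start = first + reserve
    for host in hosts:
        plan[host] = (start, start + per_host - 1)
        start += per_host
    return plan


def dnarange_set_commands(plan: Dict[str, Range]) -> List[str]:
    """Render the `ipa-replica-manage dnarange-set` invocations for a plan."""
    return [f"ipa-replica-manage dnarange-set {h} {a}-{b}" for h, (a, b) in plan.items()]


if __name__ == "__main__":
    current = parse_dnarange_show(SAMPLE_DNARANGE_SHOW)
    for problem in check_dna_ranges(current, SAMPLE_ID_RANGES):
        print("PROBLEM:", problem)
    proposal = plan_dna_ranges(SAMPLE_ID_RANGES[0], sorted(current))
    assert not check_dna_ranges(proposal, SAMPLE_ID_RANGES)
    print("\n".join(dnarange_set_commands(proposal)))
```

Run against the planted sample it flags ipa4 (past the top of the ID range) and the ipa2/ipa3 overlap, then prints a clean, evenly split replacement plan. The planner deliberately leaves any `reserve` IDs at the bottom unassigned so that values already issued before the rewrite cannot be handed out a second time; as Rob notes, a new master added later will still split one of these slices, so rerun the check after any topology change.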
[Freeipa-users] Re: Problem with smartcard login when otp is enabled
On Thu, Sep 10, 2020 at 02:04:52PM +0200, Radosław Kujawa via FreeIPA-users wrote:
> Hi.
>
> On 9/10/20 12:17 PM, Sumit Bose via FreeIPA-users wrote:
> > So far SSSD implicitly assume that PKINIT comes first and hence did not
> > enforce the order. I will add some code to make sure PKINIT is preferred
> > over OTP and password if a Smartcard is present.
>
> Awesome, please let me know when the code is present in SSSD repo. I
> will build it and test.

Hi,

just to be on the safe side, have you installed the krb5-pkinit package
on Fedora 32?

bye,
Sumit

> Best regards,
> Radoslaw
[Freeipa-users] Re: Running external cert management on Ipa server?
Dominik Vogt via FreeIPA-users wrote:
> Hi folks,
>
> a customer wants to use the Redhat certificate system instead of
> the one built into freeipa. AFAIK both use dogtag under the hood.

Can you expand on what "instead of" means here? What type of integration
are they looking for? You seem to suggest below that both would be running.

> The customer wants to run the certificate system on the same
> machine as the ipa server, if possible (because otherwise he needs
> more hardware). Redhat support had some unspecific concerns that
> RHCS might conflict with the one that is part of freeipa.
>
> Is it possible at all? Will it cause trouble? Has anybody some
> experience with that setup?

We strongly discourage running other services on an IPA server, and if
they already have limited hardware then double that. Every new service
expands the attack surface on the machine.

While there are few details here, in worst case it would add another
LDAP instance and expand an already large java process. Whether it would
cause issues is largely unknown. If they carefully selected the ports to
use it *might* work but yeah, not something we'd recommend or easily
support. And who knows how upgrades would work.

I'm sure RH support wasn't specific b/c AFAIK nobody has ever tried this.

The point I'd make is that IPA is not just some service you run. Its
purpose is to centralize all AAA operations. Do you really want to cheap
out on that? What is the cost of downtime/losing everything to a
hardware fault vs buying more hardware?

If pressed I suppose I'd suggest running RHCS and IPA in separate VMs
rather than on bare hardware in order to achieve separation. But this
still looks like putting all eggs into one basket.

rob
[Freeipa-users] Running external cert management on Ipa server?
Hi folks,

a customer wants to use the Redhat certificate system instead of
the one built into freeipa. AFAIK both use dogtag under the hood.

The customer wants to run the certificate system on the same
machine as the ipa server, if possible (because otherwise he needs
more hardware). Redhat support had some unspecific concerns that
RHCS might conflict with the one that is part of freeipa.

Is it possible at all? Will it cause trouble? Has anybody some
experience with that setup?

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt
[Freeipa-users] Re: Problem with smartcard login when otp is enabled
Hi.

On 9/10/20 12:17 PM, Sumit Bose via FreeIPA-users wrote:
> So far SSSD implicitly assume that PKINIT comes first and hence did not
> enforce the order. I will add some code to make sure PKINIT is preferred
> over OTP and password if a Smartcard is present.

Awesome, please let me know when the code is present in SSSD repo. I
will build it and test.

Best regards,
Radoslaw
[Freeipa-users] Re: Problem with smartcard login when otp is enabled
On Thu, Sep 10, 2020 at 11:13:51AM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> > Can you send the version of the krb5-libs package you are using on
> > CentOS-8 and F32 as well?
>
> F32: krb5-libs-1.18.2-20.fc32.x86_64
> CentOS 8: krb5-libs-1.17-18.el8.x86_64
>
> Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists.
> In my original email I have switched around SSSD versions used on
> CentOS and Fedora. But now I have the same version on both, so I guess
> my theory about it being a problem with SSSD could have been wrong:

Hi,

the issue is on the SSSD side. I assume the order the pre-authentication
methods are returned by libkrb5 has changed. So far SSSD implicitly
assumed that PKINIT comes first and hence did not enforce the order. I
will add some code to make sure PKINIT is preferred over OTP and
password if a Smartcard is present.

bye,
Sumit

> F32: sssd-2.2.3-13.fc32.x86_64
> CentOS 8: sssd-2.2.3-20.el8.x86_64
>
> Best regards,
> Radoslaw
[Freeipa-users] Re: Problem with smartcard login when otp is enabled
> Can you send the version of the krb5-libs package you are using on
> CentOS-8 and F32 as well?

F32: krb5-libs-1.18.2-20.fc32.x86_64
CentOS 8: krb5-libs-1.17-18.el8.x86_64

Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists.
In my original email I have switched around SSSD versions used on
CentOS and Fedora. But now I have the same version on both, so I guess
my theory about it being a problem with SSSD could have been wrong:

F32: sssd-2.2.3-13.fc32.x86_64
CentOS 8: sssd-2.2.3-20.el8.x86_64

Best regards,
Radoslaw