[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 14 Jun 2021, Ronald Wimmer wrote:

> On 14.06.21 13:37, Alexander Bokovoy wrote:
>
>> On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:
>>
>>> On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
>>>
>>>> Hi,
>>>>
>>>> please refer to External Trusts to Active Directory [1] from
>>>> Windows Integration guide, it nicely explains the difference
>>>> between external trust and forest trust.
>>>>
>>>> flo
>>>>
>>>> [1]
>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
>>>
>>> Sorry for my unspecific initial question. I did read the
>>> documentation. As I understood it the external trust somehow
>>> isolates the view on that particular domain.
>>>
>>> If DomA_Trust is a normal one and DomB_Trust an external one I
>>> cannot use DomB users in a DomA group for example, right? If DomB
>>> trust was not external I could do that?
>>
>> I think you need to start with Active Directory design and
>> documentation. In particular, group types in AD define who can be
>> included into them and how they can be consumed:
>> https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
>>
>> Type of trust between domains influences the use of groups but group
>> scopes are ultimate ones here.
>>
>> When applying that to a trust between IPA and AD, remember that we only
>> have two trust types:
>>
>>  - forest trust: IPA domain is in a separate forest than any AD domain
>>
>>  - external trust: only immediately trusted AD domain users and groups
>>    can be seen and used for authentication across the trust, there is no
>>    transitivity into any other trust that this AD domain may have
>>    anywhere else
>>
>> In addition to that, while forest trust in itself is transitive to
>> domains in the trusting forest, there is no transitivity across all
>> trusting forests. If forest A trusts forest B and forest B trusts forest
>> C, there is no trust from forest A to any domain in forest C.
>>
>> The same applies to groups from those forests as well, complicated by
>> the group scopes.
>
> In our case IPA has a trust to the forest root of domain A which
> itself has a trust to domain B. IPA has an external trust to domain B.
> With the AD management tool we are using I can put users of domain B
> into a group of domain A.

What matters is where domain B is located. Is it part of the same forest
as domain A? Is it outside of forest A?

> When I try to use that particular group (POSIX group that has the AD
> group as its member) in a HBAC scenario I do get a permission denied
> error.

It can be anything. This information does not give any chance to
understand why there is a problem.

> External trust to domain B was set up years ago when we were still
> experimenting with IPA. So my first question is if the separate trust
> to domain B is needed at all? (because there is a trust from domain A
> to domain B on the AD side.) If yes I probably would not want domain B
> trust to be an external one in my scenario, would I?

You need to decide what you want. ;) If A and B are in the same forest,
then you don't need an external trust to B from IPA side.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> This appears to be the error, or at least it's the only "fatal" I could find 
> in the stream and it's near enough to the end of traffic that it seems 
> likely. I'm no expert on Wireshark so I'm hoping someone is willing to take a 
> peek and let me know if there's something obvious here.
> 
> https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178
> 
> 

Are you sure you aren't seeing a connect error on the F21 Apache server?
This looks to me like an untrusted CA or something like it.

Have you replaced any of your IPA certs on the F21 server? Signed the
IPA CA with an external?

rob


[Freeipa-users] FreeIPA 4.9.4 and 4.9.5 released

2021-06-14 Thread Alexander Bokovoy via FreeIPA-users

The FreeIPA team would like to announce FreeIPA 4.9.4 and 4.9.5 releases!

Yes, this is not a mistake. First we created FreeIPA 4.9.4 on June
4th but then found a late time regression that took us more than ten
days to sort out, thus going with the FreeIPA 4.9.5 release.

This regression concerns an edge case of an unauthenticated or almost
expired user credential's run of the 'ipa' command line tool returning
a non-processed Python exception instead of a human-readable error
message. This, in turn, uncovered a bit of a misconfiguration on the IPA
server side which could trigger this behavior. In the process of
investigating it we also found a bug in the GSS-Proxy tool.

FreeIPA 4.9.4 release notes are large and can be found at
https://www.freeipa.org/page/Releases/4.9.4

FreeIPA 4.9.5 is released and can be downloaded from
http://www.freeipa.org/page/Downloads. Builds for Fedora distributions
will be available from the official repository soon. FreeIPA
installation is currently broken in Fedora Rawhide due to an ongoing
migration to Python 3.10 in Fedora where mod_wsgi does not yet support
Python 3.10.

== Highlights in 4.9.5

=== Bug fixes

FreeIPA 4.9.5 is a stabilization release for the features delivered as a
part of 4.9.0 version series.

There are 7 bug-fixes since FreeIPA 4.9.4 release. Details of the
bug-fixes can be seen in the list of resolved tickets below.

== Upgrading

Upgrade instructions are available on the Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.

== Resolved tickets

* https://pagure.io/freeipa/issue/8691[#8691]
  [Tracker] Nightly failure (fc33) in test_winsyncmigrate.py: ipa-replica-manage connect --winsync error
* https://pagure.io/freeipa/issue/8702[#8702]
  (https://bugzilla.redhat.com/show_bug.cgi?id=1780317[rhbz#1780317])
  ipa-cert-fix: False Positive Status for cert renewal.
* https://pagure.io/freeipa/issue/8756[#8756]
  [Tracker] 389ds coredump in test_caless.py::TestReplicaInstall::test_wildcard_http
* https://pagure.io/freeipa/issue/8868[#8868]
  Nightly test failure in test_integration/test_fips.py::TestInstallFIPS
* https://pagure.io/freeipa/issue/8873[#8873]
  Missing credential cache can raise 500 when authenticating instead of 401
* https://pagure.io/freeipa/issue/8876[#8876]
  Nightly failure in test_installation.py::TestInstallWithCA1::test_install_with_bad_ldap_conf
* https://pagure.io/freeipa/issue/8877[#8877]
  Nightly test failure in test_nfs.py: runner VM runs out of disk space due to huge sssd log file

== Detailed changelog since 4.9.4

=== Armando Neto (1)

* ipatests: Bump PR-CI boxes
https://pagure.io/freeipa/c/79e0919132adf0df764400f9c27268cbadd2578b[commit]

=== Alexander Bokovoy (3)

* Become FreeIPA 4.9.5
https://pagure.io/freeipa/c/e045f118c87346bfab5b5634fd23f3054f082f7f[commit]
* get_credentials: return ValueError for missing creds
https://pagure.io/freeipa/c/5238651da06547bb004de2434ae7d357422ba735[commit]
https://pagure.io/freeipa/issue/8873[#8873]
* Back to git snapshots
https://pagure.io/freeipa/c/b25f5bd9109b87916e097dd8353ea5f0dc49e398[commit]

=== Florence Blanc-Renaud (4)

* ipa-cert-fix man page: add note about certmonger renewal
https://pagure.io/freeipa/c/06a445aff10c1ab84e8784ab41b0a838e500e617[commit]
https://pagure.io/freeipa/issue/8702[#8702]
* freeipa.spec: bump 389-ds version
https://pagure.io/freeipa/c/6eb535334d33f8f375b856e3a2d0b8853b318b4d[commit]
https://pagure.io/freeipa/issue/8691[#8691],
https://pagure.io/freeipa/issue/8756[#8756]
* ipatests: delete the replica before uninstallation
https://pagure.io/freeipa/c/2b22450dfdc1657b463683b09b9c69816f9152d9[commit]
https://pagure.io/freeipa/issue/8876[#8876]
* ipatests: set selinux context for fips mode
https://pagure.io/freeipa/c/13b257d7a05fd255df472144712edb34604dbe06[commit]
https://pagure.io/freeipa/issue/8868[#8868]

=== Stanislav Levin (2)

* gssproxy: Don't refresh expired delegated credentials
https://pagure.io/freeipa/c/0fd06f33b83aec19a88c594d3750bc476157ab83[commit]
* krb_utils: Simplify get_credentials
https://pagure.io/freeipa/c/700be74975cad998e7dbcc4fb437e6b0bbd77305[commit]
https://pagure.io/freeipa/issue/8873[#8873]

=== Sergey Orlov (2)

* ipatests: disable test_nfs.py::TestNFS in nightly runs on Fedora 33
https://pagure.io/freeipa/c/c9f5acc0d281f1a27471091648c36f94528c5a29[commit]
https://pagure.io/freeipa/issue/8877[#8877]
* ipatests: temporary disable execution of test_nfs.py::TestNFS in nightly runs
https://pagure.io/freeipa/c/6ee14f513711ae9be799cfa2bd009f13c5248932[commit]
https://pagure.io/freeipa/issue/8877[#8877]


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
This appears to be the error, or at least it's the only "fatal" I could find in 
the stream and it's near enough to the end of traffic that it seems likely. I'm 
no expert on Wireshark so I'm hoping someone is willing to take a peek and let 
me know if there's something obvious here.

https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Mon, Jun 14, 2021, at 6:24 AM, Bret Wortman via FreeIPA-users wrote:
> On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote:
> > So you've run ipa-replica-prepare  and then ship that file to
> >  right?
> 
> Exactly.
> 
> > At some point we started re-generating the CA certs file
> > (/root/cacert.p12) during preparation. Did we do this in F21? I have no
> > idea.
> > 
> > Can you use pk12util to look at the contents of that file? The password
> > is the initial DM password. Look for expirations, things like that.
> > 
> > # pk12util -l /root/cacert.p12
> 
> All the "Not After" dates were in 2022 or 2034, and the "Not Before"
> dates were all before 2020. So that all seems fine.
> 
> > 
> > You can generate a new one but it requires putting passwords into files
> > temporarily.
> > 
> > If you need to generate a new one make a backup of the current, put the
> > passwords in files per below and run this:
> > 
> > # PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/nssdbpwd -w
> > /tmp/pk12pwd -o /root/cacert.p12
> > 
> > The NSS db password is in /etc/pki/pki-tomcat/password.conf the value
> > internal.
> > 
> > Otherwise I'm not sure what would generate the socket error except a
> > real network issue. Can you run wireshark on the new server during the
> > install to see what is happening?
> 
> I could, but these two systems are both VM guests on the same VMware 
> server, on the same virtual subnet. But I will take a deep dive today 
> into the network and see if I can find anything there.
> 
> > 
> > rob
> > 
> > 


[Freeipa-users] Re: DNS Locations and external DNS

2021-06-14 Thread Ronald Wimmer via FreeIPA-users

On 14.06.21 15:52, Rafael Jeffman wrote:

> Hello Ronald,
>
> On Mon, Jun 14, 2021 at 8:12 AM Ronald Wimmer via FreeIPA-users wrote:
>
>> Is it sufficient to create DNS locations in IPA and do a ipa
>> dns-update-system-records --dry-run in order to populate new DNS Zone
>> information to the external DNS system?
>
> You should add the records given by the '--dry-run' in your external
> DNS, and you might need to transform them for a general purpose DNS
> server, but that seems to be enough.

I hit "send" too quickly so I forgot the step of reformatting the output
in order to make nsupdate work with our customized version of Bind. As
nsupdate has worked in the past I am pretty optimistic.


Cheers,
Ronald


[Freeipa-users] Re: sssd version 2.2.3 issues with AD Trust View

2021-06-14 Thread iulian roman via FreeIPA-users
Hi Sumit, 

I do not override the primary gid (because I had this issue before and per your
advice I removed the gid override), only the UID. The same setup works with
the older sssd version, as I mentioned, and that's why I thought that something
might have changed in sssd.


[Freeipa-users] Re: healthcheck complains about a removed replica

2021-06-14 Thread github--- via FreeIPA-users
> On 29-05-2021 10:21, Alexander Bokovoy wrote:
> 
> But I did use "ipa-csreplica-manage del" as well. However, I remember that it
> complained it couldn't remove that host. I was assuming it was already gone.
> When I list with ipa-csreplica-manage then I don't see the old hosts anymore.

It's worth noting that on my install (4.9.3) on Fedora `ipa-csreplica-manage del` just
prints a deprecation message and doesn't seem to do anything.

> 
> So, two things
> 1) "ipa-csreplica-manage del" somehow failed (it's probably too late to look
> at logs)
> 2) how can I still remove the old hosts?

I have/had the same problem.  I used 
https://www.dogtagpki.org/wiki/IPA_PKI_Admin_Setup to help me auth into the CA 
to remove the dead host.  

pki client-cert-import --pkcs12  /root/ca-agent.p12 --pkcs12-password 
[redact]
pki -n ipa-ca-agent  securitydomain-host-find
# you need the full Host ID section to remove
pki -n ipa-ca-agent  securitydomain-host-del "CA freeipa2[redact].net 443"

Keep in mind I'm fairly new to IPA, so maybe you don't want to do this on a 
production system without someone else more experienced chiming in.  But, so 
far, the health check stopped complaining, replication is fine, and all my 
users can still log in.


[Freeipa-users] Re: DNS Locations and external DNS

2021-06-14 Thread Rafael Jeffman via FreeIPA-users
Hello Ronald,

On Mon, Jun 14, 2021 at 8:12 AM Ronald Wimmer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
> Is it sufficient to create DNS locations in IPA and do a ipa
> dns-update-system-records --dry-run in order to populate new DNS Zone
> information to the external DNS system?
>

You should add the records given by the '--dry-run' in your external DNS,
and you might need to transform them for a general purpose DNS server, but
that seems to be enough.

> Apart from adding IPA clients to their respective locations, there is
> nothing to do regarding DNS locations on IPA clients, right?

Apart from configuring the resolving nameservers on the clients, I don't
think there is anything else to do.

You might want to review Howto FreeIPA locations
(https://www.freeipa.org/page/Howto/IPA_locations).

> Cheers,
> Ronald

Regards,

Rafael




--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
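One way to do the reformatting step Ronald mentions in his follow-up (turning the '--dry-run' listing into nsupdate input for an external BIND server, which is also the transformation Rafael says a general purpose DNS server may need), as an added example that is not from the thread or from FreeIPA. The sample listing below is constructed, the one-resource-record-per-line format (`<name.> <ttl> IN <type> <rdata>`) is an assumption about the dry-run output, and the zone and nameserver names are placeholders:

```python
"""Convert the listing of `ipa dns-update-system-records --dry-run`
into an nsupdate script for an external (non-IPA) BIND server.

Added example, not part of the thread or of FreeIPA.  The parser assumes
one resource record per line in the form `<name.> <ttl> IN <type> <rdata>`
and ignores every other line.
"""
import re

# Constructed sample of a dry-run listing (assumption about the format; the
# `_locations` record is what a DNS location named "vienna" adds).
DRY_RUN_OUTPUT = """\
IPA DNS records:
  _kerberos-master._tcp.ipa.example.test. 86400 IN SRV 0 100 88 server.ipa.example.test.
  _kerberos-master._udp.ipa.example.test. 86400 IN SRV 0 100 88 server.ipa.example.test.
  _kerberos._tcp.ipa.example.test. 86400 IN SRV 0 100 88 server.ipa.example.test.
  _kerberos._udp.ipa.example.test. 86400 IN SRV 0 100 88 server.ipa.example.test.
  _kerberos._tcp.vienna._locations.ipa.example.test. 86400 IN SRV 0 100 88 server.ipa.example.test.
  _kerberos.ipa.example.test. 86400 IN TXT "IPA.EXAMPLE.TEST"
  _ldap._tcp.ipa.example.test. 86400 IN SRV 0 100 389 server.ipa.example.test.
  ipa-ca.ipa.example.test. 86400 IN A 192.0.2.10
"""

RR_LINE = re.compile(
    r"^\s*(?P<name>\S+\.)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S.*?)\s*$"
)


def parse_records(text):
    """Return (owner name, ttl, type, rdata) tuples; non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"], int(m["ttl"]), m["type"], m["rdata"]))
    return records


def to_nsupdate(records, zone, server, replace=True):
    """Build nsupdate input as a list of lines.

    With replace=True every (name, type) RRset is deleted once before its
    records are added, so re-running the script after a server or location
    change does not leave stale SRV entries behind in the external zone.
    """
    zone = zone.rstrip(".") + "."
    lines = [f"server {server}", f"zone {zone}"]
    cleared = set()
    for name, ttl, rtype, rdata in records:
        # A name outside the target zone means the listing and the zone do
        # not match; refuse it rather than update the wrong zone.
        if name != zone and not name.endswith("." + zone):
            raise ValueError(f"{name} is not inside zone {zone}")
        if replace and (name, rtype) not in cleared:
            lines.append(f"update delete {name} {rtype}")
            cleared.add((name, rtype))
        lines.append(f"update add {name} {ttl} IN {rtype} {rdata}")
    lines.append("send")
    return lines


if __name__ == "__main__":
    script = to_nsupdate(parse_records(DRY_RUN_OUTPUT),
                         zone="ipa.example.test", server="ns1.example.test")
    print("\n".join(script))
```

Save the printed script to a file and feed it to nsupdate with whatever the external server accepts for dynamic updates (a TSIG key via `nsupdate -k <keyfile>`, or `nsupdate -g` for GSS-TSIG); `update delete <name> <type>` clears the whole RRset so a changed port or priority does not accumulate next to the old value.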


[Freeipa-users] Re: sssd version 2.2.3 issues with AD Trust View

2021-06-14 Thread Sumit Bose via FreeIPA-users
On Mon, Jun 14, 2021 at 11:50:44 AM, iulian roman via FreeIPA-users wrote:
> Hello everybody,
>
> I have an IPA setup with AD trust configured and Trust View defined on the
> IPA server. Everything works properly on Ubuntu 18 clients with sssd 1.16.1
> but it doesn't on Ubuntu 20 with sssd version 2.2.3. I can list/query the
> AD accounts which are not part of the default Trust View, but not those
> accounts which have the id overridden in the Trust View.
>
> Is that a known issue, or any idea what do I need to change/where to look?

Hi,

which attributes are you overriding? If you change the primary GID of a
user you have to make sure that there is a group in AD with a matching
GID or a group where the GID is overridden with this value.

HTH

bye,
Sumit



[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Ronald Wimmer via FreeIPA-users

On 14.06.21 13:37, Alexander Bokovoy wrote:

> On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:
>
>> On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
>>
>>> Hi,
>>>
>>> please refer to External Trusts to Active Directory [1] from Windows
>>> Integration guide, it nicely explains the difference between external
>>> trust and forest trust.
>>>
>>> flo
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
>>
>> Sorry for my unspecific initial question. I did read the
>> documentation. As I understood it the external trust somehow isolates
>> the view on that particular domain.
>>
>> If DomA_Trust is a normal one and DomB_Trust an external one I cannot
>> use DomB users in a DomA group for example, right? If DomB trust was
>> not external I could do that?
>
> I think you need to start with Active Directory design and
> documentation. In particular, group types in AD define who can be
> included into them and how they can be consumed:
> https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
>
> Type of trust between domains influences the use of groups but group
> scopes are ultimate ones here.
>
> When applying that to a trust between IPA and AD, remember that we only
> have two trust types:
>
>   - forest trust: IPA domain is in a separate forest than any AD domain
>
>   - external trust: only immediately trusted AD domain users and groups
>     can be seen and used for authentication across the trust, there is no
>     transitivity into any other trust that this AD domain may have
>     anywhere else
>
> In addition to that, while forest trust in itself is transitive to
> domains in the trusting forest, there is no transitivity across all
> trusting forests. If forest A trusts forest B and forest B trusts forest
> C, there is no trust from forest A to any domain in forest C.
>
> The same applies to groups from those forests as well, complicated by
> the group scopes.

In our case IPA has a trust to the forest root of domain A which itself
has a trust to domain B. IPA has an external trust to domain B. With the
AD management tool we are using I can put users of domain B into a group
of domain A.

When I try to use that particular group (POSIX group that has the AD
group as its member) in a HBAC scenario I do get a permission denied error.

External trust to domain B was set up years ago when we were still
experimenting with IPA. So my first question is if the separate trust to
domain B is needed at all? (because there is a trust from domain A to
domain B on the AD side.) If yes I probably would not want domain B
trust to be an external one in my scenario, would I?


Cheers,
Ronald


[Freeipa-users] sssd version 2.2.3 issues with AD Trust View

2021-06-14 Thread iulian roman via FreeIPA-users
Hello everybody, 

I have an IPA setup with AD trust configured and Trust View defined on the IPA
server. Everything works properly on Ubuntu 18 clients with sssd 1.16.1 but it
doesn't on Ubuntu 20 with sssd version 2.2.3. I can list/query the AD accounts
which are not part of the default Trust View, but not those accounts which have
the id overridden in the Trust View.

Is that a known issue, or any idea what do I need to change/where to look?


[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:

> On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
>
>> Hi,
>>
>> please refer to External Trusts to Active Directory [1] from Windows
>> Integration guide, it nicely explains the difference between
>> external trust and forest trust.
>>
>> flo
>>
>> [1]
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
>
> Sorry for my unspecific initial question. I did read the
> documentation. As I understood it the external trust somehow isolates
> the view on that particular domain.
>
> If DomA_Trust is a normal one and DomB_Trust an external one I cannot
> use DomB users in a DomA group for example, right? If DomB trust was
> not external I could do that?

I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

 - forest trust: IPA domain is in a separate forest than any AD domain

 - external trust: only immediately trusted AD domain users and groups
   can be seen and used for authentication across the trust, there is no
   transitivity into any other trust that this AD domain may have
   anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
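The visibility rules Alexander lays out above (a forest trust covers every domain of the trusted forest, an external trust covers exactly one domain, and neither follows the trusts the AD forest itself has with other forests), together with his later answer in this thread that a separate external trust is only needed when domain B lies outside forest A, as a small model. This is an added example, not FreeIPA code; the forest names, domains and AD-side trusts are constructed to match the thread's A/B/C scenario:

```python
"""Which AD domains can an IPA deployment resolve through its trusts?

Added illustration, not FreeIPA code.  It encodes the two IPA trust types
from the thread (forest trust = the whole trusted forest, external trust =
one domain, never transitive) and the lack of transitivity across
forest-to-forest trusts on the AD side.  All names are constructed.
"""
from dataclasses import dataclass

# Constructed topology: forest root domain -> every domain in that forest.
FORESTS = {
    "a.example": {"a.example", "child.a.example"},
    "b.example": {"b.example"},
    "c.example": {"c.example"},
}

# Constructed AD-side forest trusts as (trusting forest, trusted forest):
# A trusts B and B trusts C, the chain used in the thread.
AD_FOREST_TRUSTS = {("a.example", "b.example"), ("b.example", "c.example")}


@dataclass(frozen=True)
class IpaTrust:
    kind: str    # "forest" or "external"
    target: str  # forest root for "forest", a single AD domain for "external"


def ad_forest_view(forest_root):
    """Domains a controller in `forest_root` resolves through its own trusts:
    its forest plus directly trusted forests, one hop only (A sees B, not C)."""
    view = set(FORESTS[forest_root])
    for trusting, trusted in AD_FOREST_TRUSTS:
        if trusting == forest_root:
            view |= FORESTS[trusted]
    return view


def ipa_view(ipa_trusts):
    """Domains whose users and groups IPA can resolve.

    A forest trust yields every domain of the trusted forest (transitive
    inside that forest); an external trust yields exactly the named domain.
    AD_FOREST_TRUSTS is deliberately not consulted: what forest A can reach
    through its own trusts is not inherited by IPA.
    """
    visible = set()
    for trust in ipa_trusts:
        if trust.kind == "forest":
            visible |= FORESTS[trust.target]
        elif trust.kind == "external":
            visible.add(trust.target)
        else:
            raise ValueError(f"unknown IPA trust type {trust.kind!r}")
    return visible


def external_trust_needed(domain, ipa_trusts):
    """True when `domain` is not inside any forest IPA already trusts, i.e.
    it can only be reached with its own external trust."""
    forest_covered = set()
    for trust in ipa_trusts:
        if trust.kind == "forest":
            forest_covered |= FORESTS[trust.target]
    return domain not in forest_covered


if __name__ == "__main__":
    trusts = [IpaTrust("forest", "a.example")]
    print("forest A itself resolves:", sorted(ad_forest_view("a.example")))
    print("IPA with a forest trust to A resolves:", sorted(ipa_view(trusts)))
    # b.example lies outside forest A, so IPA needs its own trust to it even
    # though an admin in A can already put B users into an A group.
    print("separate trust to b.example needed:",
          external_trust_needed("b.example", trusts))
    trusts.append(IpaTrust("external", "b.example"))
    print("IPA with the extra external trust resolves:", sorted(ipa_view(trusts)))
```

The split between `ad_forest_view` and `ipa_view` is the point of the model: the AD tool in the thread happily adds B users to an A group because forest A trusts forest B, but IPA's view comes only from IPA's own trusts, so a B user in that group stays unresolvable until IPA trusts B directly (or B turns out to be a domain of forest A, in which case the external trust is redundant).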


[Freeipa-users] Re: AD Trust Types

2021-06-14 Thread Ronald Wimmer via FreeIPA-users

On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:

> Hi,
>
> please refer to External Trusts to Active Directory [1] from Windows
> Integration guide, it nicely explains the difference between external
> trust and forest trust.
>
> flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad

Sorry for my unspecific initial question. I did read the documentation.
As I understood it the external trust somehow isolates the view on that
particular domain.

If DomA_Trust is a normal one and DomB_Trust an external one I cannot
use DomB users in a DomA group for example, right? If DomB trust was not
external I could do that?


Cheers,
Ronald


[Freeipa-users] DNS Locations and external DNS

2021-06-14 Thread Ronald Wimmer via FreeIPA-users
Is it sufficient to create DNS locations in IPA and do a ipa 
dns-update-system-records --dry-run in order to populate new DNS Zone 
information to the external DNS system?


Apart from adding IPA clients to their respective locations, there is 
nothing to do regarding DNS locations on IPA clients, right?


Cheers,
Ronald


[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote:
> So you've run ipa-replica-prepare  and then ship that file to
>  right?

Exactly.

> At some point we started re-generating the CA certs file
> (/root/cacert.p12) during preparation. Did we do this in F21? I have no
> idea.
> 
> Can you use pk12util to look at the contents of that file? The password
> is the initial DM password. Look for expirations, things like that.
> 
> # pk12util -l /root/cacert.p12

All the "Not After" dates were in 2022 or 2034, and the "Not Before" dates were
all before 2020. So that all seems fine.

> 
> You can generate a new one but it requires putting passwords into files
> temporarily.
> 
> If you need to generate a new one make a backup of the current, put the
> passwords in files per below and run this:
> 
> # PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/nssdbpwd -w
> /tmp/pk12pwd -o /root/cacert.p12
> 
> The NSS db password is in /etc/pki/pki-tomcat/password.conf the value
> internal.
> 
> Otherwise I'm not sure what would generate the socket error except a
> real network issue. Can you run wireshark on the new server during the
> install to see what is happening?

I could, but these two systems are both VM guests on the same VMware server, on 
the same virtual subnet. But I will take a deep dive today into the network and 
see if I can find anything there.

> 
> rob
> 
> 