[Freeipa-users] Re: IPA broken after dnf update on CentOS 8

2022-01-17 Thread Abhinav Chittora via FreeIPA-users
Hi Florence,

I have checked all the log files that you mentioned and there is not a
single event with ERROR log level. In my case, the installation failed
after configuring the dirsrv and trying to restart
pki-tomcatd@pki-tomcatd.service, and the service timed out.

Here is the information you asked for:

[root@idm01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)

[root@idm01 ~]# rpm -qa ipa-server pki-server java-1.8.0-openjdk 389-ds-base
pki-server-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch
java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
389-ds-base-1.4.3.23-12.module+el8.5.0+13329+4096c77a.x86_64
[root@idm01 ~]#

I am still struggling to tell whether it is the Java version that is causing the
problem or something else entirely. I have both SELinux and firewalld
disabled as this is a POC system.
Please let me know if you have any other pointers to troubleshoot this.



--With Regards, Abhinav Chittora http://about.me/abhinav.chittora

On Mon, Jan 17, 2022 at 9:58 PM Florence Blanc-Renaud 
wrote:

> Hi,
> What versions are you using?
> # cat /etc/redhat-release
> # rpm -qa ipa-server pki-server java-1.8.0-openjdk 389-ds-base
> There were known issues with some jdk versions, as well as
> incompatibilities between versions of 389-ds-base and pki-server.
>
> The following troubleshooting page
> 
> lists the log files that may be of interest to diagnose the problem. Based
> on their content we may have more ideas what could cause your issue.
> flo
>
>
> On Sat, Jan 15, 2022 at 10:58 AM Abhinav Chittora via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Attaching the output of journalctl -u pki-tomcatd@pki-tomcat
>>
>>
>>
>> --With Regards, Abhinav Chittora
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Automatic directory deletion on user removal

2022-01-17 Thread akshay p via FreeIPA-users
Hi,
I was wondering if there is a way to automatically delete the home directory on
user deletion. If not, I would like to learn and possibly do something that
would enable me to do such a task. I ask you for pointers and thoughts on this
matter.
Thank you.


[Freeipa-users] Re: KDC Self Signed Certificate Creation

2022-01-17 Thread Rob Crittenden via FreeIPA-users
Mark Selby via FreeIPA-users wrote:
> My company has 6 FreeIPA servers across 3 different locations. Five of the 
> six servers are ok, but one we could not login to. The error messages pointed 
> to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`
> 
> My question is how do I "properly" renew or recreate this certificate. I have 
> been able to renew it with the command listed below - but the renewed cert 
> does not have the same characteristics as the other certs. The existing ones 
> all seem to be self signed with the specified profile while my new one does 
> not have these features. It seems to be working OK but it would be great to 
> understand how to generate this cert correctly. Any help is greatly 
> appreciated. 
> 
> The servers that work all display the following with using getcert list -f 
> /var/kerberos/krb5kdc/kdc.crt
> 
> Request ID '20191003181545':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: SelfSign
> issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
> subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
> expires: 2022-08-09 22:06:33 UTC
> principal name: krbtgt/acme@acme.org
> certificate template/profile: KDCs_PKINIT_Certs
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
> 
> Using the local-getcert start-tracking command below gets me an updated cert 
> but it is not self signed and does not have the specified profile.
> 
> local-getcert start-tracking \
> -k /var/kerberos/krb5kdc/kdc.key \
> -f /var/kerberos/krb5kdc/kdc.crt \
> -T KDCs_PKINIT_Certs \
> -C /usr/libexec/ipa/certmonger/renew_kdc_cert
> 
> Request ID '20220117193849':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: local
> issuer: CN=Certificate Authority,O=ACME.ORG
> subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
> expires: 2024-01-18 17:32:20 UTC
> principal name: krbtgt/acme@acme.org
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes

The prefix before getcert is a shortcut to the certmonger CA helper that
manages the certificate. selfsign and local are two different helpers.

You probably want getcert start-tracking -c selfsign instead.

You can use getcert stop-tracking -i 20220117193849 to start over.

Take this with a grain of salt because I'm not sure where this renewed
certificate came from. The one tracked by local here looks more like it
was issued by IPA than selfsign based on the issuer.

rob


[Freeipa-users] Re: Importing automount maps

2022-01-17 Thread Rob Crittenden via FreeIPA-users
Simon Matthews via FreeIPA-users wrote:
> The Redhat documentation provides a script for importing automount maps. The 
> script also uses ldapadd to add some data into the LDAP server. This part 
> doesn't appear to work. It's not clear to me that this part needs to work. 
> 
> The part of the script is:
> basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
> cat > /tmp/amap.ldif <<EOF
> dn: nis-domain=$2+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> nis-domain: $2
> nis-map: $4
> nis-base: automountmapname=$4,cn=$1,cn=automount,$basedn
> nis-filter: (objectclass=*)
> nis-key-format: %{automountKey}
> nis-value-format: %{automountInformation}
> EOF
> ldapadd -x -h $3 -D "cn=Directory Manager" -W -f /tmp/amap.ldif
> 
> Apart from the fact that $3 is probably the wrong variable (it points to the 
> hostname of the NIS server, which is likely different), when I try to run it, 
> I get:
>  ldapadd -x  -D "cn=Directory Manager" -W -f /tmp/amap.ldif
> Enter LDAP Password: 
> adding new entry "nis-domain=blue+nis-map=auto.home,cn=NIS 
> Server,cn=plugins,cn=config"
> ldap_add: No such object (32)
> 
> The file /tmp/amap.ldif contains:
> dn: nis-domain=blue+nis-map=auto.home,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> nis-domain: blue
> nis-map: auto.home
> nis-base: 
> automountmapname=auto.home,cn=default,cn=automount,dc=ipa,dc=bluepearlsoftware,dc=com
> nis-filter: (objectclass=*)
> nis-key-format: %{automountKey}
> nis-value-format: %{automountInformation}
> 
> ["blue" is my NIS domain]. 

Assuming that you want IPA to provide maps over NIS as you transition
away from it, you need to enable the plugin with: ipa-nis-manage enable

Then restart dirsrv. ipactl restart is probably the easiest way to do that.

Then the ldif should load.

rob
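An added example, not the Red Hat migration script itself and not code from this thread: it generates the same NIS Server plugin map entry with the heredoc intact, and maps ldapadd's exit status (OpenLDAP's client tools exit with the LDAP result code) to the action Rob's reply calls for, since result 32, "No such object", means the `cn=NIS Server,cn=plugins,cn=config` container does not exist until the plugin is enabled. The arguments, the `dc=example,dc=com` base DN in the usage and the use of the local IPA host for the LDAP connection are placeholders and assumptions.

```shell
#!/bin/bash
# Added example for the NIS-plugin automount map entry discussed above.
# Not the Red Hat script; host and base DN are placeholders.

# Emit the LDIF for one NIS map backed by an IPA automount map.
# $1 automount location (e.g. default), $2 NIS domain, $3 NIS map name,
# $4 IPA base DN. Returns 1 if any argument is missing.
nis_map_ldif() {
  location=$1; nis_domain=$2; nis_map=$3; basedn=$4
  [ -n "$location" ] && [ -n "$nis_domain" ] && [ -n "$nis_map" ] && [ -n "$basedn" ] || return 1
  # Unquoted EOF so the variables expand; this "<<EOF" is the part the
  # archived copy of the script lost.
  cat <<EOF
dn: nis-domain=${nis_domain}+nis-map=${nis_map},cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: ${nis_domain}
nis-map: ${nis_map}
nis-base: automountmapname=${nis_map},cn=${location},cn=automount,${basedn}
nis-filter: (objectclass=*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
EOF
}

# Translate ldapadd's exit status (the LDAP result code) into what to do.
# 32 is the "No such object" seen in the thread: the plugin container is
# absent because the plugin has not been enabled yet.
explain_ldapadd_rc() {
  case $1 in
    0)  echo "added" ;;
    32) echo "noSuchObject: cn=NIS Server,cn=plugins,cn=config is missing; run 'ipa-nis-manage enable', then 'ipactl restart', and retry" ;;
    49) echo "invalidCredentials: wrong Directory Manager password" ;;
    68) echo "entryAlreadyExists: this NIS map entry is already configured" ;;
    *)  echo "ldap result code $1: check the ldapadd output" ;;
  esac
}

# Load the entry into the IPA server's own directory (not the NIS host
# that the original script's $3 pointed at). Meant to be run as root on
# the IPA server; it is defined here but not executed.
load_nis_map() {
  basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
  nis_map_ldif "$1" "$2" "$3" "$basedn" > /tmp/amap.ldif || return 1
  ldapadd -x -H "ldap://$(hostname -f)" -D "cn=Directory Manager" -W -f /tmp/amap.ldif
  rc=$?
  explain_ldapadd_rc "$rc"
  return "$rc"
}

# Show the generated LDIF for a constructed example (location "default",
# NIS domain "blue", map "auto.home", placeholder base DN).
nis_map_ldif default blue auto.home 'dc=example,dc=com'
```

On a real server call `load_nis_map default blue auto.home`; a second run after the plugin has been enabled should return 68 rather than 32 if the first attempt had already succeeded.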


[Freeipa-users] Re: Importing automount maps

2022-01-17 Thread Simon Matthews via FreeIPA-users
The Redhat documentation that I am referring to is here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/assembly_migrating-from-nis-to-identity-management_configuring-and-managing-idm

I just noticed that the doc is for RH 8, while I am on RH 7. I don't know if 
that would make any difference, but there is a difference in the version of 
FreeIPA. RedHat 7 is on 4.6, while Redhat 8 is on 4.8


[Freeipa-users] Importing automount maps

2022-01-17 Thread Simon Matthews via FreeIPA-users
The Redhat documentation provides a script for importing automount maps. The 
script also uses ldapadd to add some data into the LDAP server. This part 
doesn't appear to work. It's not clear to me that this part needs to work. 

The part of the script is:
basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
cat > /tmp/amap.ldif 

[Freeipa-users] KDC Self Signed Certificate Creation

2022-01-17 Thread Mark Selby via FreeIPA-users
My company has 6 FreeIPA servers across 3 different locations. Five of the six 
servers are ok, but one we could not login to. The error messages pointed to 
the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`

My question is how do I "properly" renew or recreate this certificate. I have 
been able to renew it with the command listed below - but the renewed cert does 
not have the same characteristics as the other certs. The existing ones all seem 
to be self signed with the specified profile while my new one does not have 
these features. It seems to be working OK but it would be great to understand how 
to generate this cert correctly. Any help is greatly appreciated. 

The servers that work all display the following with using getcert list -f 
/var/kerberos/krb5kdc/kdc.crt

Request ID '20191003181545':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
expires: 2022-08-09 22:06:33 UTC
principal name: krbtgt/acme@acme.org
certificate template/profile: KDCs_PKINIT_Certs
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes

Using the local-getcert start-tracking command below gets me an updated cert 
but it is not self signed and does not have the specified profile.

local-getcert start-tracking \
-k /var/kerberos/krb5kdc/kdc.key \
-f /var/kerberos/krb5kdc/kdc.crt \
-T KDCs_PKINIT_Certs \
-C /usr/libexec/ipa/certmonger/renew_kdc_cert

Request ID '20220117193849':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: local
issuer: CN=Certificate Authority,O=ACME.ORG
subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
expires: 2024-01-18 17:32:20 UTC
principal name: krbtgt/acme@acme.org
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes




[Freeipa-users] Replica KRA install - Certificate at same location is already used

2022-01-17 Thread lejeczek via FreeIPA-users

Hi guys.

Is this critical on its face, so that an uninstall/reinstall is necessary, or can 
some troubleshooting still reveal it's all good?


...

  [4/10]: destroying installation admin user
  [5/10]: enabling ephemeral requests
  [6/10]: restarting KRA
  [7/10]: configure certmonger for renewals
  [8/10]: configure certificate renewals
  [error] DBusException: org.fedorahosted.certmonger.duplicate: 
Certificate at same location is already used by request with nickname 
"20210709164208".


Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

org.fedorahosted.certmonger.duplicate: Certificate at same location is 
already used by request with nickname "20210709164208".


many thanks, L.
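An added example, not part of any post in this digest, that serves two threads: Rob's note in the KDC certificate thread that `SelfSign` and `local` are different certmonger CA helpers, and the `org.fedorahosted.certmonger.duplicate` error above, which is raised when two tracking requests point at the same certificate storage. It parses `getcert list` output into one tab-separated line per request and then answers three defender questions: which requests expire before a cutoff, which CA helper tracks a given request, and which storage locations are tracked by more than one request. The sample output is constructed (it mirrors the two records Mark posted plus a third request using the nickname from the error above and a placeholder path); on a real server pipe `getcert list` in instead.

```shell
#!/bin/bash
# Added example: audit certmonger tracking requests from "getcert list"
# output. Sample below is constructed; real servers pipe "getcert list" in.

sample_getcert_list() {
cat <<'EOF'
Request ID '20191003181545':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
        subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
        expires: 2022-08-09 22:06:33 UTC
        certificate template/profile: KDCs_PKINIT_Certs
        track: yes
        auto-renew: yes
Request ID '20220117193849':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: local
        issuer: CN=Certificate Authority,O=ACME.ORG
        subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
        expires: 2024-01-18 17:32:20 UTC
        track: yes
        auto-renew: yes
Request ID '20210709164208':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=ACME.ORG
        subject: CN=IPA RA,O=ACME.ORG
        expires: 2023-06-01 00:00:00 UTC
        track: yes
        auto-renew: yes
EOF
}

# Reduce "getcert list" (stdin) to: id TAB ca TAB expires TAB storage.
# Field lines are indented with a tab on real output; spaces are accepted too.
getcert_summary() {
  awk -F': ' '
    function emit() { printf "%s\t%s\t%s\t%s\n", id, ca, expires, storage }
    /^Request ID / {
      if (id != "") emit()
      id = $0; sub(/^Request ID '\''/, "", id); sub(/'\''.*$/, "", id)
      ca = ""; expires = ""; storage = ""
    }
    /^[ \t]+CA:/          { ca = $2 }
    /^[ \t]+expires:/     { expires = $2 }
    /^[ \t]+certificate:/ { storage = $2 }
    END { if (id != "") emit() }
  '
}

# Request IDs whose "expires" timestamp sorts before the cutoff. The
# "YYYY-MM-DD HH:MM:SS" form compares correctly as a plain string, so no
# GNU date arithmetic is needed.
expiring_before() {
  getcert_summary | awk -F'\t' -v cutoff="$1" '$3 != "" && $3 < cutoff { print $1 }'
}

# CA helper (SelfSign, local, IPA, ...) that tracks the given request ID.
ca_helper_of() {
  getcert_summary | awk -F'\t' -v want="$1" '$1 == want { print $2 }'
}

# Certificate storage tracked by more than one request: the condition
# behind "Certificate at same location is already used by request ...".
duplicate_storage() {
  getcert_summary | awk -F'\t' '
    $4 != "" { n[$4]++; ids[$4] = ids[$4] " " $1 }
    END { for (s in n) if (n[s] > 1) print s ":" ids[s] }'
}

# Demo on the constructed sample.
sample_getcert_list | expiring_before "2022-09-01"
sample_getcert_list | duplicate_storage
```

When `duplicate_storage` reports a path, the extra request is what `getcert stop-tracking -i <id>` removes before a fresh `start-tracking`, as Rob suggests above; when `ca_helper_of` reports `local` for a certificate whose peers show `SelfSign`, the renewal went through the wrong helper.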


[Freeipa-users] Re: After OS/IPA updates Employee attributes in web app are blank

2022-01-17 Thread Rob Crittenden via FreeIPA-users
Scott Serr via FreeIPA-users wrote:
> On 1/12/22 11:43 AM, Rob Crittenden wrote:
> 
>> Scott Serr via FreeIPA-users wrote:
>>> Attributes in the Employee Information section of the user web page
>>> are blank following a series of OS/IPA updates. 
>>> The "ipa user-find --all" cli command shows these attributes fine. 
>>>
>>> Specifically (in my case):
>>>   Department Number
>>>   Employee Number
>>>   Employee Type
>>>
>>> I'm wondering if anyone else has seen this.  Trying to find a small
>>> test case, I've found 1 of my development VMs that has some
>>> snapshots.  It's Rocky 8.  It has seen OS/IPA updates frequently in
>>> the last month.  This VM also has a snapshot on December 8th.
>>>
>>> Now I have 3 clones of this VM (at different snapshot times):
>>> dev-current  --  fails to show these attributes on user web page
>>> dev-dec8  --  shows these attributes
>>> dev-dec8-updated-to-current  --  shows these attributes
>>>
>>> The system is mainly used to test updates, data remains the same. 
>>> The only difference I can think of is "dev-current" has had
>>> *incremental* OS/IPA updates between Dec 8th and now.
>>>
>>> I'm combing through a filesystem diff, trying to figure out why they
>>> behave differently, /usr/share/ipa appears to be the same.  Something
>>> else odd: "dev-current" has a new section "User attributes for SMB
>>> services" on the user web page.  The dev-dec8 and
>>> dev-dec8-updated-to-current states/VMs don't have this section on the
>>> user web page.
>>>
>>> Interested in any troubleshooting ideas, or ideas of why this is
>>> happening.
>>>
>>> Thank you,
>>> Scott
>>>
>>> dnf.log shows dev-current had an update to 4.9.6-6 that the other clone
>>> (dev-dec8-updated) did not. 
>>> It looks like 4.9.6-6, although replaced has created this lingering problem.
>>>
>>> dev-dec8-updated
>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded:
>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
>>> 2022-01-11T12:07:55-0700 DEBUG Upgraded:
>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
>>>
>>> dev-current
>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded:
>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
>>> 2021-12-08T11:34:23-0700 DEBUG Upgraded:
>>> ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64
>>> 2021-12-21T09:55:41-0700 DEBUG Upgraded:
>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
>>>
>> I don't quite follow what you're trying to ask. Are these two separate
>> systems? Do both show the same behavior?
>>
>> Does the information show in the cli? ipa user-show --all someuser
>>
>> Do/did you have any custom plugins?
>>
>> What exact attributes are not displaying?
>>
>> rob
>>
> I'm sorry Rob, yesterday my web email client didn't do well with
> threading, I've tried to fix the thread.
> 
> These are clones of the same system, early on Dec 8th they were the same
> and since then took 2 different upgrade paths.  (I only power up 1 at a
> time because of IPs and hostnames)
> 
> dev-dec8-updated
> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4
> 2022-01-11T12:07:55-0700 DEBUG Upgraded: ipa-server-4.9.6-10
> 
> dev-current
> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4
> 2021-12-08T11:34:23-0700 DEBUG Upgraded: ipa-server-4.9.6-6
> 2021-12-21T09:55:41-0700 DEBUG Upgraded: ipa-server-4.9.6-10
> 
> The "dev-current" has gone down a different upgrade path from 
> "dev-dec8-updated" but they arrive at the same place (4.9.6-10).  It appears 
> that 4.9.6-6 has caused the issue.  The issue being those attributes in 
> Employee Information section of the web page.
> 
> These clone VMs did have a simple custom plugin.  It was 
> /usr/share/ipa/ui/js/plugins/myplugin/myplugin.js.  I removed the custom 
> plugin (from dev-current), but that didn't fix the missing attributes on the 
> web page.  Maybe there is some caching that I need to clear.  It very well could 
> be something from our custom plugin; is there anything tricky to back it out?
> 
> "ipa user-show --all me" shows Employee Type, Employee Number, and Department 
> Number properly.

I'm at a loss. The best I can suggest is to try the browser debugger to
see if you can tell what is happening. The data should be available
based on the cli (the ui uses the same interfaces).

As for removing it I think that removing the javascript, restarting
Apache and doing a force reload in the browser should do it.

rob


[Freeipa-users] Re: on stand-alone detached master - force-add KRA - ?

2022-01-17 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> On 17/01/2022 16:20, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>> Hi guys
>>>
>>> Is it possible on a detached master to setup KRA, as if it was first
>>> master?
>> What is a detached master and why do you need to "force" install a KRA
>> on it? Assuming it's a server from an existing installation you've
>> removed all replication with, does the existing install already have a
>> KRA?
>>
>> What's the use-case?
>>
>> rob
>>
> the box, a master which had no 'kra', was physically detached, then replication
> was removed with 'ipa-x-manage'
> 
> now it is:
> 
> -> $ ipa config-show
> 
>  Maximum username length: 32
>   Maximum hostname length: 64
>   Home directory base: /home
>   Default shell: /bin/sh
>   Default users group: ipausers
>   Default e-mail domain: abba.xx.priv.yy
>   Search time limit: 2
>   Search size limit: 100
>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>   Group search fields: cn,description
>   Enable migration mode: FALSE
>   Certificate Subject base: O=ABBA.XX.PRIV.YY
>   Password Expiration Notification (days): 4
>   Password plugin features: AllowNThash, KDC:Disable Last Success
>   SELinux user map order:
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> 
>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>   Default PAC types: MS-PAC, nfs:NONE
>   IPA masters: first.abba.xx.priv.yy
>   IPA master capable of PKINIT: first.abba.xx.priv.yy
>   IPA CA servers: first.abba.xx.priv.yy
>   IPA CA renewal master: first.abba.xx.priv.yy
>   IPA DNS servers: first.abba.xx.priv.yy
> 
> I thought it would work as new first master:
> 
> -> $ ipa-kra-install
> Directory Manager password:
> 
> Failed to find an active KRA server!
> 
> to "convince" the master somehow, if possible, to install new KRA on
> this "new-first" master, would be neat.

Honestly, "neat" is not exactly a use case.

I'd suggest poking around with the pki securitydomain commands. I'm
guessing a KRA was previously deployed. Ripping that out could be tricky.

But if you tell the securitydomain that there is no KRA maybe that will
help. Or maybe not. The KRA install is failing because one was
previously deployed.

rob


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Harry G. Coin via FreeIPA-users


On 1/17/22 11:08, lejeczek via FreeIPA-users wrote:
> On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:
>> On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
>>> On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
>>>> Hi guys.
>>>>
>>>> I have an old - set up ~2 yrs ago - IPA domain which "survived" 
>>>> updates/upgrades till this day in such a way that integrated Samba 
>>>> serves up under different hostname/domain and serves non-enrolled 
>>>> clients (win 10) too.
>>>>
>>>> With new deployment, 4.9.6, just adding things to just DNS - which 
>>>> worked in that "old" domain - does _not_ do the trick.
>>>> With only such "simple" DNS Samba does respond, clients connect and 
>>>> get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD
>>>
>>> That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
>>> rather it is, that non-enrolled clients, linux & windows will fail 
>>> even if trying a "legitimate" master's Samba.
>>>
>>> Is that the default behavior in current version - as I mentioned my 
>>> "old" with up-dates/grades IPA allows non-enrolled - and if so can 
>>> it be managed into allowing non-enrolled clients?
>>
>> Lately it seems so much of freeipa's developers time is spent chasing 
>> Active Directory and related issues, when something 'breaks' 'a small 
>> business with a handful of windows boxes (maybe a mix of 'home' and 
>> 'professional' versions, and a mix of windows 7 or 8 or 10) sharing 
>> off of freeipa's samba instance with no domain capability, used very 
>> basic 'map network drive' and 'usernames and passwords' (entirely 
>> sufficient for most businesses which are small and will never have 
>> money enough for a full time IT staff member) I wonder if the 
>> upgrades still test for that 'widely needed not too technically 
>> exciting' setup.
>
> I'm of that same mind and shared my thoughts on occasions such as this 
> in the past.
>
> That setup I did long ago was such that system policies needed to be 
> 'LEGACY' and non-enrolled Linux & win clients connected to IPA 
> deployed that way - off the LEGACY, worked beautifully with Samba - 
> so, not much hacking.
>
> I understand there might be large customers with large ADs with IPA 
> only glued somewhere next to it but the rest of us I imagine must be 
> like that - small deployments which mix everything and do _not_! 
> need AD, and securities... are taken of with all sorts of other means.
>
> I saw during one upgrade 'CLASSIC IPA' - or something alike - migrated 
> to "IPA PRIMARY" or something like that. I'd imagine that was/when NEW 
> installation changed so non-enrolled do not work now.
>
> If I can vote, my vote shall go to - IPA devel re/consider changes to 
> reintroduce (as an option) such a deployment mode where Samba would 
> "weaken" the setup/config so all those non-enrolled customers can 
> connect with _passwords_
>
> many thanks, L.

I'm not even close to sure what it would look like exactly, but maybe 
what we're seeing is the 'Large-Corp' 'MS-IBM-i-zation' of 
redhat/freeipa fedora/centos and something like a 'rocky linux' version 
of what freeipa does is called for.  Most all the business in the world 
is small business, while most of the money to pay developers does not 
come from there.   Large corporations want to own things and need 
recurring revenue.  Small business  values tools that do the job and 
prefer not to buy new tools until the old one breaks.  Software does not 
rust.  So there's this disconnect.   So very many businesses see nothing 
in Windows 11 that helps them generate revenue that wasn't in Windows 
7.    I bet as more folks move to quickbooks 'on line' version the 
justification for having windows systems at all in many small businesses 
goes away now as linux based corporate workstations are completely 
sufficient.


Bind is doing internally much of what freeipa's added dnssec aims for.  
In small business, dns changes are infrequent so updating flat files and 
the occasional 'rndc' command is enough for the bind interface 
(bind-dns-ldap goes away) (An integrated dhcp server would be nice).  
Samba has its own internal ldap server as I understand it.  Maybe a 
'roll of freeipa' where it's assumed samba will be the ad/dc (to the 
extent one is needed anyhow, but it turns on ldap in samba and retires 
the need for an external ns-slapd).


Something to think about.





[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Alexander Bokovoy via FreeIPA-users

On ma, 17 tammi 2022, lejeczek via FreeIPA-users wrote:

On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:


On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated 
Samba serves up under different hostname/domain and serves 
non-enrolled clients(win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - 
which worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect 
and get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
rather it is, that non-enrolled clients, linux & windows will fail 
even if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned 
my "old" with up-dates/grades IPA allows non-enrolled - and if so 
can it be managed into allowing non-enrolled clients?



Lately it seems so much of freeipa's developers time is spent 
chasing Active Directory and related issues, when something 'breaks' 
'a small business with a handful of windows boxes  (maybe a mix of 
'home' and 'professional' versions, and a mix of windows 7 or 8 or 
10) sharing off of freeipa's samba instance with no domain 
capability, used very basic 'map network drive' and 'usernames and 
passwords' (entirely sufficient for most businesses which are small 
and will never have money enough for a full time IT staff member) I 
wonder if the upgrades still test for that 'widely needed not too 
technically exciting' setup.


I'm of that same mind and shared my thoughts on occasions such as this 
in the past.


That setup I did long ago was such that system policies needed to be 
'LEGACY' and non-enrolled Linux & win clients connected to IPA 
deployed that way - off the LEGACY, worked beautifully with Samba - 
so, not much hacking.


I understand there might be large customers with large ADs with IPA 
only glued somewhere next to it but the rest of us I imagine must be 
like that - small deployments which mixes everything and do _not_! 
need AD, and securities... are taken of with all sorts of other means.


I saw during one upgrade 'CLASSIC IPA" - or something alike - migrated 
to "IPA PRIMARY" or something like that. I'd imagine that was/when NEW 
installation changed so non-enrolled do not work now.


If I can vote, my vote shall go to - IPA devel re/consider changes to 
reintroduce (as an option) such a deployment mode where Samba would 
"weaken" the setup/config so all those non-enrolled customers can 
connect with _passwords_


Please read Samba CVE notes from the recent (November 2021) security
release. Samba Team is not going to get back on the security, so please
realize that early rather than late.

The change of 'classic' domain controller type in smb.conf to 'ipa
primary domain controller' does not affect this operation, though. This
is exactly the change to keep IPA functioning as it was:

commit e2d5b4d709293b52112d078d6fcde95593d790c5

CVE-2020-25717: Add FreeIPA domain controller role

As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

ROLE_STANDALONE is what Samba internally banned from using Kerberos
authentication to prevent name authorization abuses as in
CVE-2020-25717. 


Since you are using unjoined client, this affects you in a way that you
cannot use the API that joined clients use in SMB protocol (mutually
authenticate domain controller and domain member, then use secure
channel between them to communicate) and have to use paths that aren't
supported anymore. Some part might be fixable -- I saw in your
(extremely short) log excerpt something that we definitely not support:

[2022/01/17 11:14:09.090933,  2, pid=35744]
ipa_sam.c:3645(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744]
../../source3/auth/check_samsec.c:454(check_sam_security)
  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744]
../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1

The key here is source3/auth/check_samsec.c:check_sam_security() --
we've got there because the password provided by a client was verified
to be *wrong*:

nt_status = sam_password_ok(mem_ctx,
username, acct_ctrl,
challenge, lm_pw, nt_pw,
user_info, _sess_key, _sess_key);

/* Notify passdb backend of login success/failure. If not
   

[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Alexander Bokovoy via FreeIPA-users

On ma, 17 tammi 2022, Harry G. Coin wrote:


On 1/17/22 10:26, Alexander Bokovoy wrote:

On ma, 17 tammi 2022, Harry G. Coin via FreeIPA-users wrote:


On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which 
"survived" updates/upgrades till this day in such a way that 
integrated Samba serves up under different hostname/domain and 
serves non-enrolled clients(win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - 
which worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients 
connect and get password prompt but Samba says: 
NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env 
but rather it is, that non-enrolled clients, linux & windows 
will fail even if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned 
my "old" with up-dates/grades IPA allows non-enrolled - and if 
so can it be managed into allowing non-enrolled clients?



Lately it seems so much of freeipa's developers time is spent 
chasing Active Directory and related issues, when something 
'breaks' 'a small business with a handful of windows boxes (maybe 
a mix of 'home' and 'professional' versions, and a mix of windows 
7 or 8 or 10) sharing off of freeipa's samba instance with no 
domain capability, used very basic 'map network drive' and 
'usernames and passwords' (entirely sufficient for most businesses 
which are small and will never have money enough for a full time 
IT staff member) I wonder if the upgrades still test for that 
'widely needed not too technically exciting' setup.


FreeIPA team never claimed to provide any support for non-domain joined
Windows systems. On the contrary, this is explicitly not supported. We do
not test these configurations because they are not supported for a
reason.

This does not stop brave sysadmins from trying to hack their configurations
into what they think could be done. It might work or might not. Samba
upstream has too little resources to focus on all these configurations
as well. The focus there is more on Samba AD and most of very specific
file serving setups for AD domain members.

Life of NT4 domains and not joined clients using NTLM is long gone for
most of deployments that care about security. We (Samba and FreeIPA
teams upstream) are working with Microsoft to make a path forward
without insecure use of RC4 cipher in NTLM. Hopefully, we'll get
somewhere and not joined clients could get better support but we aren't
there.



An underappreciated realm of 'care about security' are what you might 
call 'walled gardens' that have no expectation interior systems 
provide more than vandalism-level security, as they have little to no 
routine connection to the internet, and the key on the office door, 
security cameras and off-site backups are all that's needed.


While there are configurations like that, a much more real one is a social
engineering factor where a system within your security perimeter is
compromised due to other factors and then exploited to attack internal
infrastructure.

Known attacks on RC4 hashes were within 52 hours to decrypt the hash five
years ago. This is using CPU. With GPU it is even faster, so this is not
a fairy tale stuff, it is pretty much real.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread lejeczek via FreeIPA-users

On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:


On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients(win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and 
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
rather it is, that non-enrolled clients, linux & windows will fail 
even if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned my 
"old" with up-dates/grades IPA allows non-enrolled - and if so can it 
be managed into allowing non-enrolled clients?



Lately it seems so much of freeipa's developers time is spent chasing 
Active Directory and related issues, when something 'breaks' 'a small 
business with a handful of windows boxes  (maybe a mix of 'home' and 
'professional' versions, and a mix of windows 7 or 8 or 10) sharing 
off of freeipa's samba instance with no domain capability, used very 
basic 'map network drive' and 'usernames and passwords' (entirely 
sufficient for most businesses which are small and will never have 
money enough for a full time IT staff member) I wonder if the upgrades 
still test for that 'widely needed not too technically exciting' setup.


I'm of that same mind and shared my thoughts on occasions such as this 
in the past.


That setup I did long ago was such that system policies needed to be 
'LEGACY' and non-enrolled Linux & win clients connected to IPA deployed 
that way - off the LEGACY, worked beautifully with Samba - so, not much 
hacking.


I understand there might be large customers with large ADs with IPA only 
glued somewhere next to it but the rest of us I imagine must be like 
that - small deployments which mixes everything and do _not_! need AD, 
and securities... are taken of with all sorts of other means.


I saw during one upgrade 'CLASSIC IPA" - or something alike - migrated 
to "IPA PRIMARY" or something like that. I'd imagine that was/when NEW 
installation changed so non-enrolled do not work now.


If I can vote, my vote shall go to - IPA devel re/consider changes to 
reintroduce (as an option) such a deployment mode where Samba would 
"weaken" the setup/config so all those non-enrolled customers can 
connect with _passwords_


many thanks, L.






Log snippet off a master's Samba when non-enrolled Linux connects:

...

[2022/01/17 11:14:09.090933,  2, pid=35744] 
ipa_sam.c:3645(init_sam_from_ldap)

  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744] 
../../source3/auth/check_samsec.c:454(check_sam_security)

  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744] 
../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793,  2, pid=35744] 
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 
11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] 
workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to 
[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": 
"NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", 
"remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", 
"authDescription": null, "clientDomain": "CCN", "clientAccount": 
"me254", "workstation": "DRUNK", "becameAccount": null, 
"becameDomain": null, "becameSid": null, "mappedAccount": "me254", 
"mappedDomain": "CCN", "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": "NTLMv2", "duration": 12172}}

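The JSON record at the end of the log snippet above is Samba's authentication audit event, and the earlier reply on this thread explains that the NT_STATUS_WRONG_PASSWORD in it is the outcome of check_sam_security() rejecting an NTLMv2 password. What a defender usually wants from these records is a quick way to see which accounts and hosts are still authenticating with NTLM and where password failures cluster. The following is an added example, not code from the thread or from the Samba/FreeIPA projects: it parses JSON audit records out of a mixed Samba log (skipping the human-readable debug lines around them) and summarises NTLM use and failures per client. The record layout follows the posted event; every sample line is constructed, and the eventId, status and passwordType values of the non-posted samples (including "Kerberos") are assumptions.

```python
"""Triage Samba JSON authentication audit records (added example)."""
import json
from collections import Counter

# Samba's NTLM password types; Kerberos logons carry a different passwordType (assumed).
NTLM_TYPES = ("NTLMv1", "NTLMv2")

# Constructed base record shaped like the posted event (non-posted values are assumptions).
_BASE = {
    "version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0",
    "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD",
    "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170",
    "serviceDescription": "SMB2", "authDescription": None,
    "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK",
    "mappedAccount": "me254", "mappedDomain": "CCN",
    "passwordType": "NTLMv2", "duration": 12172,
}


def _line(timestamp, **overrides):
    """Build one JSON audit line, indented the way Samba writes it to its log."""
    payload = {**_BASE, **overrides}
    return "  " + json.dumps({"timestamp": timestamp, "type": "Authentication",
                              "Authentication": payload})


# Constructed sample log: debug lines interleaved with JSON records, as in the posted excerpt.
SAMPLE_LOG_LINES = [
    "[2022/01/17 11:14:09.099758,  2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)",
    "  check_ntlm_password:  Authentication for user [me254] -> [me254] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1",
    _line("2022-01-17T11:14:09.099858+0000"),                                       # the posted failure
    _line("2022-01-17T11:14:21.004311+0000", remoteAddress="ipv4:10.0.0.6:55184"),  # a retry from the same host
    _line("2022-01-17T11:15:02.118000+0000", eventId=4624, status="NT_STATUS_OK",
          clientAccount="alice", mappedAccount="alice", workstation="WS01",
          remoteAddress="ipv4:10.0.0.7:50122", passwordType="Kerberos"),           # joined client (assumed)
    _line("2022-01-17T11:16:40.552901+0000", eventId=4624, status="NT_STATUS_OK",
          clientAccount="bob", mappedAccount="bob", workstation="WS02",
          remoteAddress="ipv4:10.0.0.8:50310"),                                    # NTLMv2 that succeeded
    '{"type": "Authorization", "Authorization": {"serviceDescription": "SMB2"}}',  # other record type, ignored
    "  {not really json",                                                          # malformed, ignored
]


def parse_auth_events(lines):
    """Return the "Authentication" payload (plus timestamp) of every JSON audit record."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("{"):          # human-readable debug line
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:          # truncated or garbled record
            continue
        if record.get("type") != "Authentication":
            continue
        payload = dict(record["Authentication"])
        payload["timestamp"] = record.get("timestamp")
        events.append(payload)
    return events


def remote_host(event):
    """'ipv4:10.0.0.6:55170' -> '10.0.0.6' (drop the address family and the port)."""
    addr = event.get("remoteAddress") or ""
    _family, _, rest = addr.partition(":")
    host, _, _port = rest.rpartition(":")
    return host or addr


def summarize(events, failure_threshold=2):
    """Count failures and NTLM logons; list hosts with repeated password failures."""
    failed = [e for e in events if e.get("status") != "NT_STATUS_OK"]
    ntlm = [e for e in events if e.get("passwordType") in NTLM_TYPES]
    failed_by_host = Counter(remote_host(e) for e in failed)
    return {
        "total": len(events),
        "failed": len(failed),
        "ntlm_logons": len(ntlm),
        "ntlm_accounts": sorted({"{}\\{}".format(e.get("clientDomain"), e.get("clientAccount"))
                                 for e in ntlm}),
        "failed_by_host": dict(failed_by_host),
        "repeated_failure_hosts": sorted(h for h, n in failed_by_host.items()
                                         if n >= failure_threshold),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_auth_events(SAMPLE_LOG_LINES)).items():
        print(f"{key}: {value}")
```

Pointing `parse_auth_events` at the real log (for example `open("/var/log/samba/log.smbd")`) gives the same summary for a live server; the NTLM account list is the inventory of clients that will break once NTLM paths are retired, and the repeated-failure hosts are the ones to look at first, whether they are misconfigured unjoined clients or something less benign.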


[Freeipa-users] Re: Some ipa user passwords did not work after update

2022-01-17 Thread Alexander Bokovoy via FreeIPA-users

On ma, 17 tammi 2022, Rob Crittenden via FreeIPA-users wrote:

Ronald Wimmer via FreeIPA-users wrote:

On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:

Today the problem reappeared. I cannot login with the admin user.  The
error message I get is "The password or username you entered is
incorrect". kinit also does not work.

It seems that the password has changed somehow without user interaction.

How can we debug this?

Cheers,
Ronald


We could verify that the user is neither locked nor disabled. The
password has not changed since we reset it. There is no obvious reason
why the password is not accepted anymore.

What's strange is the fact that a particular IPA server says 'Failed
logins: 0' but shows a 'Last failed authentication' timestamp that is
later than the 'Last successful authentication' timestamp.


I suppose what I would do, as DM, is to take a snapshot of one of the
broken entries, because you want the userPassword, krbPrincipalKey, etc.
Then reset the password. If it breaks again compare the stored and new
entry to see what, if anything, is different.

Including things like logs for a failing kinit would be useful as well.

For login failures, following the sssd troubleshooting guide to bump up
the devel level.


I wonder if this is similar to
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/

but can't confirm without krb5kdc logs.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Some ipa user passwords did not work after update

2022-01-17 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote:
> On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:
>> Today the problem reappeared. I cannot login with the admin user.  The
>> error message I get is "The password or username you entered is
>> incorrect". kinit also does not work.
>>
>> It seems that the password has changed somehow without user interaction.
>>
>> How can we debug this?
>>
>> Cheers,
>> Ronald
> 
> We could verify that the user is neither locked nor disabled. The
> password has not changed since we reset it. There is no obvious reason
> why the password is not accepted anymore.
> 
> What's strange is the fact that a particular IPA server says 'Failed
> logins: 0' but shows a 'Last failed authentication' timestamp that is
> later than the 'Last successful authentication' timestamp.

I suppose what I would do, as DM, is to take a snapshot of one of the
broken entries, because you want the userPassword, krbPrincipalKey, etc.
Then reset the password. If it breaks again compare the stored and new
entry to see what, if anything, is different.

Including things like logs for a failing kinit would be useful as well.

For login failures, following the sssd troubleshooting guide to bump up
the devel level.

rob
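The procedure suggested above (snapshot the broken entry as Directory Manager, reset the password, snapshot again when it breaks and compare) is easy to do by hand once, but a small script makes the comparison repeatable. The following is an added example, not code from the thread or from the FreeIPA project: a minimal LDIF parser (base64 values and folded lines included), a diff restricted to the attributes that drive password and Kerberos authentication, and a check for the "Failed logins: 0, but a later last-failed timestamp" state the original poster found odd. The attribute names are the standard IPA Kerberos attributes (krbPrincipalKey, krbLastPwdChange, krbLoginFailedCount, krbLastFailedAuth, krbLastSuccessfulAuth); both snapshots are constructed sample data.

```python
"""Diff two LDIF snapshots of an IPA user entry and flag credential drift (added example)."""
import base64

# Attributes worth comparing between snapshots. Names are lowercase because LDAP
# attribute names are case-insensitive and the parser normalises them.
WATCHED = ("userpassword", "krbprincipalkey", "krblastpwdchange",
           "krbpasswordexpiration", "krbextradata", "nsaccountlock")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _snapshot(key_blob, last_failed):
    """Constructed ldapsearch-style LDIF for uid=admin with the given key blob and timestamp."""
    key = _b64(key_blob)
    return "\n".join([
        "# constructed snapshot, as taken with ldapsearch -D 'cn=Directory Manager'",
        "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test",
        "uid: admin",
        "userPassword:: " + _b64("{SSHA}constructed-hash"),
        "krbPrincipalKey:: " + key[:16],   # long values are folded in LDIF:
        " " + key[16:],                    # the continuation line starts with a space
        "krbLastPwdChange: 20220113082000Z",
        "krbPasswordExpiration: 20220413082000Z",
        "krbLoginFailedCount: 0",
        "krbLastSuccessfulAuth: 20220113082500Z",
        "krbLastFailedAuth: " + last_failed,
        "nsAccountLock: FALSE",
        "",
    ])


# Snapshot right after the reset (logins work) and later, when the password stopped working.
BEFORE_LDIF = _snapshot("constructed-key-blob-1", "20220113080000Z")
AFTER_LDIF = _snapshot("constructed-key-blob-2", "20220117101500Z")
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=test"


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [bytes, ...]}} for every entry in the LDIF text."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, entry, dn = {}, {}, None
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = entry
            entry, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:                                     # "attr: <plain value>"
            value = rest.strip().encode()
        if name.lower() == "dn":
            dn = value.decode()
        else:
            entry.setdefault(name.lower(), []).append(value)
    return entries


def diff_entry(before, after, attrs=WATCHED):
    """Map each watched attribute whose value set differs to (before_values, after_values)."""
    changed = {}
    for attr in attrs:
        b, a = sorted(before.get(attr, [])), sorted(after.get(attr, []))
        if b != a:
            changed[attr] = (b, a)
    return changed


def silent_key_change(before, after):
    """True when the Kerberos keys changed but krbLastPwdChange did not: a user or
    admin password reset rotates the keys and updates the timestamp together."""
    changed = diff_entry(before, after)
    return "krbprincipalkey" in changed and "krblastpwdchange" not in changed


def lockout_inconsistent(entry):
    """True for the state seen in the thread: no failed logins counted, yet the
    last failed authentication is newer than the last successful one."""
    count = int(entry.get("krbloginfailedcount", [b"0"])[0])
    last_failed = entry.get("krblastfailedauth", [b""])[0]
    last_ok = entry.get("krblastsuccessfulauth", [b""])[0]
    # generalized-time values share one format, so byte order is chronological order
    return count == 0 and bool(last_failed) and last_failed > last_ok


if __name__ == "__main__":
    before = parse_ldif(BEFORE_LDIF)[ADMIN_DN]
    after = parse_ldif(AFTER_LDIF)[ADMIN_DN]
    print("changed:", sorted(diff_entry(before, after)))
    print("keys rotated without password change:", silent_key_change(before, after))
    print("lockout counters inconsistent:", lockout_inconsistent(after))
```

Two caveats when reading real snapshots this way: krbLastSuccessfulAuth, krbLastFailedAuth and krbLoginFailedCount are maintained per server and are not replicated by default, so a given server's 'Last failed authentication' only reflects failures that server handled; and with the 'KDC:Disable Last Success' password-plugin feature set (it appears in the ipa config-show output elsewhere on this page) krbLastSuccessfulAuth is intentionally never updated, so a last-failed timestamp newer than the last-success one is expected there and the `lockout_inconsistent` check is meaningless. The more telling signal is `silent_key_change`: keys that rotate without the password-change timestamp moving point at whatever is rewriting the entry.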


[Freeipa-users] Re: on stand-alone detached master - force-add KRA - ?

2022-01-17 Thread lejeczek via FreeIPA-users

On 17/01/2022 16:20, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

Is it possible on a detached master to setup KRA, as if it was first
master?

What is a detached master and why do you need to "force" install a KRA
on it? Assuming it's a server from an existing installation you've
removed all replication with, does the existing install already have a KRA?

What's the use-case?

rob

box, which master was no 'kra', was physically detached then replication 
was removed with 'ipa-x-manage'


now it is:

-> $ ipa config-show

  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: abba.xx.priv.yy
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=ABBA.XX.PRIV.YY
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: 
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023

  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: first.abba.xx.priv.yy
  IPA master capable of PKINIT: first.abba.xx.priv.yy
  IPA CA servers: first.abba.xx.priv.yy
  IPA CA renewal master: first.abba.xx.priv.yy
  IPA DNS servers: first.abba.xx.priv.yy

I thought it would work as new first master:

-> $ ipa-kra-install
Directory Manager password:

Failed to find an active KRA server!

to "convince" the master somehow, if possible, to install new KRA on 
this "new-first" master, would be neat.


many thanks, L.


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Harry G. Coin via FreeIPA-users


On 1/17/22 10:26, Alexander Bokovoy wrote:

On ma, 17 tammi 2022, Harry G. Coin via FreeIPA-users wrote:


On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients(win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and 
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
rather it is, that non-enrolled clients, linux & windows will fail 
even if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned my 
"old" with up-dates/grades IPA allows non-enrolled - and if so can 
it be managed into allowing non-enrolled clients?



Lately it seems so much of freeipa's developers time is spent chasing 
Active Directory and related issues, when something 'breaks' 'a small 
business with a handful of windows boxes (maybe a mix of 'home' and 
'professional' versions, and a mix of windows 7 or 8 or 10) sharing 
off of freeipa's samba instance with no domain capability, used very 
basic 'map network drive' and 'usernames and passwords' (entirely 
sufficient for most businesses which are small and will never have 
money enough for a full time IT staff member) I wonder if the 
upgrades still test for that 'widely needed not too technically 
exciting' setup.


FreeIPA team never claimed to provide any support for non-domain joined
Windows systems. On the contrary, this is explicitly not supported. We do
not test these configurations because they are not supported for a
reason.

This does not stop brave sysadmins from trying to hack their configurations
into what they think could be done. It might work or might not. Samba
upstream has too little resources to focus on all these configurations
as well. The focus there is more on Samba AD and most of very specific
file serving setups for AD domain members.

Life of NT4 domains and not joined clients using NTLM is long gone for
most of deployments that care about security. We (Samba and FreeIPA
teams upstream) are working with Microsoft to make a path forward
without insecure use of RC4 cipher in NTLM. Hopefully, we'll get
somewhere and not joined clients could get better support but we aren't
there.



An underappreciated realm of 'care about security' are what you might 
call 'walled gardens' that have no expectation interior systems provide 
more than vandalism-level security, as they have little to no routine 
connection to the internet, and the key on the office door, security 
cameras and off-site backups are all that's needed.







[Freeipa-users] Re: IPA broken after dnf update on CentOS 8

2022-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
What versions are you using?
# cat /etc/redhat-release
# rpm -qa ipa-server pki-server java-1.8.0-openjdk 389-ds-base
There were known issues with some jdk versions, as well as
incompatibilities between versions of 389-ds-base and pki-server.

The following troubleshooting page

lists the log files that may be of interest to diagnose the problem. Based
on their content we may have more ideas what could cause your issue.
flo


On Sat, Jan 15, 2022 at 10:58 AM Abhinav Chittora via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Attaching the output of journalctl -u pki-tomcatd@pki-tomcat
>
>
>
> *--With Regards, Abhinav Chittora*


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Alexander Bokovoy via FreeIPA-users

On ma, 17 tammi 2022, Harry G. Coin via FreeIPA-users wrote:


On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients(win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect 
and get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
rather it is, that non-enrolled clients, linux & windows will fail 
even if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned my 
"old" with up-dates/grades IPA allows non-enrolled - and if so can 
it be managed into allowing non-enrolled clients?



Lately it seems so much of freeipa's developers time is spent chasing 
Active Directory and related issues, when something 'breaks' 'a small 
business with a handful of windows boxes  (maybe a mix of 'home' and 
'professional' versions, and a mix of windows 7 or 8 or 10) sharing 
off of freeipa's samba instance with no domain capability, used very 
basic 'map network drive' and 'usernames and passwords' (entirely 
sufficient for most businesses which are small and will never have 
money enough for a full time IT staff member) I wonder if the upgrades 
still test for that 'widely needed not too technically exciting' 
setup.


FreeIPA team never claimed to provide any support for non-domain joined
Windows systems. On the contrary, this is explicitly not supported. We do
not test these configurations because they are not supported for a
reason.

This does not stop brave sysadmins from trying to hack their configurations
into what they think could be done. It might work or might not. Samba
upstream has too little resources to focus on all these configurations
as well. The focus there is more on Samba AD and most of very specific
file serving setups for AD domain members.

Life of NT4 domains and not joined clients using NTLM is long gone for
most of deployments that care about security. We (Samba and FreeIPA
teams upstream) are working with Microsoft to make a path forward
without insecure use of RC4 cipher in NTLM. Hopefully, we'll get
somewhere and not joined clients could get better support but we aren't
there.






Log snippet off a master's Samba when non-enrolled Linux connects:

...

[2022/01/17 11:14:09.090933,  2, pid=35744] 
ipa_sam.c:3645(init_sam_from_ldap)

  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744] 
../../source3/auth/check_samsec.c:454(check_sam_security)

  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744] 
../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793,  2, pid=35744] 
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 
11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] 
workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to 
[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+", "type": 
"Authentication", "Authentication": {"version": {"major": 1, 
"minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, 
"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": 
"ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", 
"serviceDescription": "SMB2", "authDescription": null, 
"clientDomain": "CCN", "clientAccount": "me254", "workstation": 
"DRUNK", "becameAccount": null, "becameDomain": null, "becameSid": 
null, "mappedAccount": "me254", "mappedDomain": "CCN", 
"netlogonComputer": null, "netlogonTrustAccount": null, 
"netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 
0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", 
"duration": 12172}}


[Freeipa-users] Re: on stand-alone detached master - force-add KRA - ?

2022-01-17 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> Hi guys
> 
> Is it possible on a detached master to setup KRA, as if it was first
> master?

What is a detached master and why do you need to "force" install a KRA
on it? Assuming it's a server from an existing installation you've
removed all replication with, does the existing install already have a KRA?

What's the use-case?

rob


[Freeipa-users] on stand-alone detached master - force-add KRA - ?

2022-01-17 Thread lejeczek via FreeIPA-users

Hi guys

Is it possible on a detached master to setup KRA, as if it was first master?

many thanks, L.


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Harry G. Coin via FreeIPA-users


On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients(win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and 
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
rather it is, that non-enrolled clients, linux & windows will fail 
even if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned my 
"old" with up-dates/grades IPA allows non-enrolled - and if so can it 
be managed into allowing non-enrolled clients?



Lately it seems so much of freeipa's developers time is spent chasing 
Active Directory and related issues, when something 'breaks' 'a small 
business with a handful of windows boxes  (maybe a mix of 'home' and 
'professional' versions, and a mix of windows 7 or 8 or 10) sharing off 
of freeipa's samba instance with no domain capability, used very basic 
'map network drive' and 'usernames and passwords' (entirely sufficient 
for most businesses which are small and will never have money enough for 
a full time IT staff member) I wonder if the upgrades still test for 
that 'widely needed not too technically exciting' setup.





Log snippet off a master's Samba when non-enrolled Linux connects:

...

[2022/01/17 11:14:09.090933,  2, pid=35744] 
ipa_sam.c:3645(init_sam_from_ldap)

  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744] 
../../source3/auth/check_samsec.c:454(check_sam_security)

  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744] 
../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793,  2, pid=35744] 
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 
11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] 
workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to 
[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": 
"NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", 
"remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", 
"authDescription": null, "clientDomain": "CCN", "clientAccount": 
"me254", "workstation": "DRUNK", "becameAccount": null, 
"becameDomain": null, "becameSid": null, "mappedAccount": "me254", 
"mappedDomain": "CCN", "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": "NTLMv2", "duration": 12172}}

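The JSON record at the end of the log snippet above is Samba's machine-readable authentication audit event; the human-readable "Auth:" line carries the same facts. When an admin is trying to tell a genuinely mistyped password from a systematic rejection of one authentication method (every NTLMv2 attempt from a non-enrolled host failing the same way), counting these records by status, password type and client is the quickest triage. The following is an added example, not code from the thread or from the Samba or FreeIPA projects; the sample log is constructed in the shape of the record quoted above, and the helper names (`parse_auth_records`, `summarize_failures`, `method_failure_ratio`, `remote_ip`) are my own. It relies on Samba's convention of `eventId` 4625 for a failed logon and 4624 for a successful one.

```python
"""Triage helper for Samba JSON authentication audit records (added example)."""
import json
from collections import Counter

# Constructed sample input modelled on the record quoted in the thread.
# The first two lines are the human-readable form; the JSON lines are the
# audit records this script actually consumes (two NTLMv2 failures from one
# host, one NTLMv2 success from another). Values are constructed.
SAMPLE_LOG = r'''
[2022/01/17 11:14:09.099793,  2, pid=35744] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "mappedAccount": "me254", "mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 12172}}
  {"timestamp": "2022-01-17T11:15:02.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55171", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "mappedAccount": "me254", "mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 9800}}
  {"timestamp": "2022-01-17T11:16:30.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.7:50010", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "user2", "workstation": "OTHERBOX", "mappedAccount": "user2", "mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 1500}}
'''

EVENT_LOGON_FAILED = 4625   # Samba reuses the Windows event ids
EVENT_LOGON_OK = 4624


def remote_ip(addr):
    """'ipv4:10.0.0.6:55170' -> '10.0.0.6' (family prefix and port removed).

    Uses rpartition so an IPv6 address such as 'ipv6:::1:445' still yields '::1'.
    """
    _family, _, rest = addr.partition(":")
    host, _, _port = rest.rpartition(":")
    return host or rest


def parse_auth_records(text):
    """Return the inner 'Authentication' objects of every JSON audit line.

    Human-readable log lines and anything that is not valid JSON are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if obj.get("type") == "Authentication":
            records.append(obj["Authentication"])
    return records


def summarize_failures(records):
    """Count failed logons by (status, password type, client IP)."""
    failures = Counter()
    for rec in records:
        if rec.get("eventId") != EVENT_LOGON_FAILED:
            continue
        key = (rec.get("status"), rec.get("passwordType"),
               remote_ip(rec.get("remoteAddress", "")))
        failures[key] += 1
    return failures


def method_failure_ratio(records):
    """Per password type, return (failed, total).

    A method whose attempts fail only from particular hosts, while the same
    method succeeds from others, points at the client rather than the server.
    """
    stats = {}
    for rec in records:
        method = rec.get("passwordType")
        failed, total = stats.get(method, (0, 0))
        failed += int(rec.get("eventId") == EVENT_LOGON_FAILED)
        stats[method] = (failed, total + 1)
    return stats


if __name__ == "__main__":
    recs = parse_auth_records(SAMPLE_LOG)
    for key, n in summarize_failures(recs).most_common():
        print(f"{n:4d}  status={key[0]} method={key[1]} client={key[2]}")
    print(method_failure_ratio(recs))
```

Feed it `journalctl -u smb` output or `/var/log/samba/log.smbd` once `log level = 2 auth_json_audit:3` (or higher) is set; only the JSON lines are parsed, so mixed output is fine.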


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread lejeczek via FreeIPA-users

On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients (win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and 
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but 
rather it is, that non-enrolled clients, linux & windows will fail even 
if trying a "legitimate" master's Samba.


Is that the default behavior in current version - as I mentioned my 
"old" with up-dates/grades IPA allows non-enrolled - and if so can it be 
managed into allowing non-enrolled clients?


Log snippet off a master's Samba when non-enrolled Linux connects:

...

[2022/01/17 11:14:09.090933,  2, pid=35744] 
ipa_sam.c:3645(init_sam_from_ldap)

  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744] 
../../source3/auth/check_samsec.c:454(check_sam_security)

  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744] 
../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254] 
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793,  2, pid=35744] 
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 
11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] 
workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to 
[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": 
"NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", 
"remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", 
"authDescription": null, "clientDomain": "CCN", "clientAccount": 
"me254", "workstation": "DRUNK", "becameAccount": null, "becameDomain": 
null, "becameSid": null, "mappedAccount": "me254", "mappedDomain": 
"CCN", "netlogonComputer": null, "netlogonTrustAccount": null, 
"netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 0, 
"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 
12172}}



[Freeipa-users] Re: DoD Common Access Card for authentication

2022-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
the official documentation for Smart Card + IdM is available at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/index

It also contains a troubleshooting section at the end that may help you
narrow down the issue.
HTH,
flo

On Tue, Jan 11, 2022 at 1:20 PM Stephen Berg, Code 7309 via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Where can I find documentation for getting authentication using DoD
> CAC's working?  The script I got using ipa-advise hasn't seemed to set
> this up correctly (or maybe just not completely) on the server where I
> tried it.  Using a client that is bound to just that server and none of
> the other replicas did not yield a workable CAC authentication.
>
> I'm running ipa-4.9.6-10 on Rocky Linux 8.5.
>
> --
> Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309
> Naval Research Laboratory
> W:   (228) 688-5738 <- (Preferred contact)
> DSN: (312) 823-5738
> C:   (228) 365-0162
> Flank Speed: stephen.p.berg@us.navy.mil
>


[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread lejeczek via FreeIPA-users

On 17/01/2022 09:18, lejeczek via FreeIPA-users wrote:

On 17/01/2022 06:19, Alexander Bokovoy wrote:

On su, 16 tammi 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients (win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and 
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


How - if it should be possible at all - to have a service, say 
Samba, which would serve a "virtual" FQDN? - which would make 
High-Available service for what I need.

What I've tried so far - adding host/service seems not good/enough.


The only HA service supported by Samba upstream is use of CTDB over a
distributed file system that supports required semantics.
https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba

It is impossible to say what is exact problem you have with your setup
with that small amount of details. If you are already using CTDB, I'd
suggest to share more of your configuration and logs. If you are not
using CTDB for this configuration, there is most likely no way to help
with that without going too deep into technical details and since this
configuration would not be supported by either Samba or FreeIPA
upstream, this would probably be a waste of everyone's time.




It's purely about IPA - as mentioned that "old" deployment of mine - 
where DNS would manage a record(s) for a HA non-real-host, where such 
a FQDN (under IPA's realm or outside of it (as I had it with "old" 
domain)) would "float" between masters (following floating IP)


Really nothing else to be bothered with, certainly not at this point.

Info I found on "clustered services" is pretty scarce - my opinion - 
wish that covered Samba as one specific example, since Samba is - my 
opinion again - such an integral part of IPA.


Such "clustered Samba" seems like what should work - for me - any of 
the masters' Samba serving a given HA-FQDN - part needing careful 
fiddling would be kerberos I presume.


many thanks, L.

I realize one bit I might have left vague - Samba's customers/clients, 
those no need to authenticate with Kerberos, password authentication is 
good enough (what my "old" IPA does)




[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread lejeczek via FreeIPA-users

On 17/01/2022 06:19, Alexander Bokovoy wrote:

On su, 16 tammi 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" 
updates/upgrades till this day in such a way that integrated Samba 
serves up under different hostname/domain and serves non-enrolled 
clients (win 10) too.


With new deployment, 4.9.6, just adding things to just DNS - which 
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and 
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD


How - if it should be possible at all - to have a service, say Samba, 
which would serve a "virtual" FQDN? - which would make High-Available 
service for what I need.

What I've tried so far - adding host/service seems not good/enough.


The only HA service supported by Samba upstream is use of CTDB over a
distributed file system that supports required semantics.
https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba

It is impossible to say what is exact problem you have with your setup
with that small amount of details. If you are already using CTDB, I'd
suggest to share more of your configuration and logs. If you are not
using CTDB for this configuration, there is most likely no way to help
with that without going too deep into technical details and since this
configuration would not be supported by either Samba or FreeIPA
upstream, this would probably be a waste of everyone's time.




It's purely about IPA - as mentioned that "old" deployment of mine - 
where DNS would manage a record(s) for a HA non-real-host, where such a 
FQDN (under IPA's realm or outside of it (as I had it with "old" domain)) 
would "float" between masters (following floating IP)


Really nothing else to be bothered with, certainly not at this point.

Info I found on "clustered services" is pretty scarce - my opinion - 
wish that covered Samba as one specific example, since Samba is - my 
opinion again - such an integral part of IPA.


Such "clustered Samba" seems like what should work - for me - any of the 
masters' Samba serving a given HA-FQDN - part needing careful fiddling 
would be kerberos I presume.


many thanks, L.