[Freeipa-users] Re: EMC Isilon and IPA - Kerberos

2022-02-03 Thread thing.thing--- via FreeIPA-users
We appear to have the Isilon talking to Red Hat's IPA / IdM using Kerberos, as 
nfs4 and krb5 work, so I assume this will work with FreeIPA.

Do the LDAP part as described elsewhere.

If you have access to RH support kbase, based on RHEL6 notes for non-IPA 
joined NFS servers (See Debian10 NFS server example),

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/kerb-nfs

On an IPA master obtain a kerberos ticket as an IPA admin.

kinit admin

add the isilon host,
ipa host-add tststocoisnfs01.odstest.xx.ac.nz

And add nfs service,
ipa service-add-host nfs/tststocoisnfs01.odstest.xx.ac.nz --hosts=tststocoisnfs01.odstest.xx.ac.nz

check,

ipa service-show nfs/tststocoisnfs01.odstest.x.ac.nz

you should see "false" for the keytab initially

Delegate DNS.  Allow the Isilon to manage its roundrobin DNS as it has 6 IPs,

ipa host-add-managedby tststocoisnfs01.odstest.xx.ac.nz --hosts=tststocoisnfs01.odstest.xx.ac.nz

Create the other keytabs the Isilon wants (there will be 4,  host, HTTP, nfs 
and hdfs)

ipa service-add hdfs/tststocoisnfs01.odstest.xx.ac.nz
ipa service-add HTTP/tststocoisnfs01.odstest.xx.ac.nz

generate the 4 keytabs,

ipa-getkeytab -p nfs/tststocoisnfs01.odstest.xx.ac...@odstest.xx.ac.nz -k ~/tststocoisnfs01-nfs.keytab
ipa-getkeytab -p HTTP/tststocoisnfs01.odstest.xx.ac...@odstest.xx.ac.nz -k ~/tststocoisnfs01-HTTP.keytab
ipa-getkeytab -p host/tststocoisnfs01.odstest.xx.ac...@odstest.xx.ac.nz -k ~/tststocoisnfs01-host.keytab
ipa-getkeytab -p hdfs/tststocoisnfs01.odstest.xx...@odstest.xx.ac.nz -k ~/tststocoisnfs01-hdfs.keytab

(seems to complain if all 4 are not done)

keytab should now be true

scp the 4 keytabs to the isilon.

run the isilon CLI to import these 4.  (I will add more as I have the commands)

So far RHEL8, RHEL7, CentOS7 and Debian10 NFS clients mount nfs4 using Kerberos 
fine.
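The host / service / keytab sequence from the post above, generalised into one re-runnable script. This is an added example, not the poster's commands and not anything shipped with FreeIPA or the Isilon: the FQDN, realm, keytab directory and the RUN dry-run hook are placeholders and assumptions of mine, and the script uses only the ipa host-add, ipa host-add-managedby, ipa service-add, ipa-getkeytab, ipa host-show / ipa service-show and klist -kt commands. It adds the checks a practitioner wants around the manual steps: the keytab files are written under umask 077 into a 0700 directory (they are the appliance's long-term credentials), every principal is checked for "Keytab: True" after generation, and each file is listed with klist -kt before anything is copied to the appliance. One caveat the post does not spell out: ipa-getkeytab without -r creates a fresh key every time it runs, so re-running it after the appliance has imported the files invalidates the copies already deployed there.

```shell
#!/bin/sh
# Added example, not from the original post: enrol a non-IPA-joined NFS
# appliance and fetch its keytabs, looping over the four principals the
# appliance asks for instead of typing each command by hand.
# Assumed placeholders: HOST_FQDN, REALM, KEYTAB_DIR. Every ipa/ipa-getkeytab
# call goes through $RUN, so RUN=echo prints the commands instead of running
# them (dry run); the default (empty) runs them for real after "kinit admin".
set -eu

HOST_FQDN="${HOST_FQDN:-nfsappliance.example.test}"   # placeholder appliance name
REALM="${REALM:-EXAMPLE.TEST}"                         # placeholder IPA realm
SERVICES="${SERVICES:-host nfs HTTP hdfs}"             # the four the appliance wants
KEYTAB_DIR="${KEYTAB_DIR:-${HOME:-.}/keytabs}"
RUN="${RUN:-}"

# principal_for SERVICE -> SERVICE/host@REALM
principal_for() {
    printf '%s/%s@%s\n' "$1" "$HOST_FQDN" "$REALM"
}

# keytab_path SERVICE -> one keytab file per principal, named after the short hostname
keytab_path() {
    printf '%s/%s-%s.keytab\n' "$KEYTAB_DIR" "${HOST_FQDN%%.*}" "$1"
}

# keytab_is_set "<ipa host-show / service-show output>" -> 0 when it reports "Keytab: True"
keytab_is_set() {
    printf '%s\n' "$1" | grep -qi '^ *keytab: *true *$'
}

# Register the host entry and let it manage its own DNS records
# (the appliance publishes several round-robin addresses itself).
enroll_host() {
    $RUN ipa host-add "$HOST_FQDN"
    $RUN ipa host-add-managedby "$HOST_FQDN" --hosts="$HOST_FQDN"
}

# Create the service principals; host/ already exists after host-add.
add_services() {
    for svc in $SERVICES; do
        [ "$svc" = host ] && continue
        $RUN ipa service-add "$(principal_for "$svc")"
    done
}

# Generate the keys. Keytabs are long-term credentials for the appliance,
# so they go into a 0700 directory created under umask 077.
# Without -r, ipa-getkeytab makes a NEW key on every run, so re-running this
# after the appliance has imported the files invalidates those copies.
fetch_keytabs() {
    umask 077
    mkdir -p "$KEYTAB_DIR"
    chmod 700 "$KEYTAB_DIR"
    for svc in $SERVICES; do
        $RUN ipa-getkeytab -p "$(principal_for "$svc")" -k "$(keytab_path "$svc")"
    done
}

# Confirm IPA now shows "Keytab: True" for every principal and that each
# file actually contains keys, before anything is copied to the appliance.
verify_keytabs() {
    for svc in $SERVICES; do
        if [ "$svc" = host ]; then
            out=$(ipa host-show "$HOST_FQDN")
        else
            out=$(ipa service-show "$(principal_for "$svc")")
        fi
        keytab_is_set "$out" || { echo "no keytab recorded for $(principal_for "$svc")" >&2; return 1; }
        klist -kt "$(keytab_path "$svc")"
    done
}

main() {
    enroll_host
    add_services
    fetch_keytabs
    [ -n "$RUN" ] || verify_keytabs   # skip the live check in a dry run
    echo "keytabs ready in $KEYTAB_DIR; scp them to the appliance, then shred the local copies"
}

# Run as "./enroll-appliance.sh run" (after kinit admin). Sourcing the file only
# defines the functions, so they can be reused or dry-run individually.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it once with RUN=echo first to see exactly which entries and principals it will create for your hostname and realm; the live run needs an admin ticket (kinit admin) on an IPA master, as in the post.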





___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-03 Thread Rob Crittenden via FreeIPA-users
GH via FreeIPA-users wrote:
> Had to copy the ASCII into the CS.cfg on the "secondary" manually.  Now 
> everything shows that it's happy from my untrained eye.  Is there a way to 
> test that the CS.cfg will now copy over correctly or that certs will be 
> replicated correctly?  Appreciate all of the help so far to get me to this 
> point.

A clean bill of health from ipa-healthcheck is a decent start. It isn't
perfect but it covers a lot of the common issues.

I'll add that renewal across all servers isn't an immediate thing.
certmonger knows when the current one(s) will expire and by default will
start looking for new ones with 28 days left and go by halves after
that. So even if you manage to renew a CA cert on one side the others
aren't going to bother looking for it for quite some time.

If you want to check on replication you can always issue a test cert and
ensure it appears on all the other servers.

rob


[Freeipa-users] Re: Allow AD users to manage multiple certificates

2022-02-03 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 03 Feb 2022, Pedro Bezunartea Lopez via FreeIPA-users wrote:

> Hi!
>
> This is our currently working setup:
> - AD Domain: ourdomain.local (working fine for Windows users' authentication,
> Domain Controllers, etc...)
> - IPA Domain: idm.ourdomain.local (Trust relation successfully setup with the
> Domain Controllers)
> - AD users can login to the IPA Server with their AD credentials.
>
> Goal: Allow AD users to add and manage their own certificates for
> different services (VPN access and the like). The workflow would be
> something like:
>
> 1. User adds a new CSR. (The user creates his key and generates the CSR
> locally)
> 2. IPA admins approve and issue the certificate.
> 3. The user downloads the certificate.
>
> "Local" IPA users can add certificate requests in their profile by
> clicking on Actions > New Certificate.
>
> AD users are only allowed to edit their profile description, GECOS,
> Login shell, add SSH public keys and add Certificates in PEM format,
> not add Certificate Requests.


Correct. AD users on the IPA side are represented as ID overrides in the 'Default
Trust View' ID View. They are not users.

When the IPA CA processes a certificate signing request, it is done through the
IPA server facade, which does a number of checks to validate the requester
and its rights to request and issue a certificate using the defined profile.
This code does not have support for processing ID overrides as requesters.

We probably can add this support as there is nothing fundamentally
broken in doing so. The only problem is what SANs could be allowed for
issuance. A particular 'no go' is the Kerberos principal -- since
these are AD users, they cannot be used by the IPA KDC as local principals,
so their certificates should not have principals from the local IPA realm.
There might be other SAN types that are worth preventing. Also, the CN would
probably be somewhat mangled in this case and not exactly correspond to the
ID override's DN.

This is all worth filing as a ticket with detailed use cases and
proposals for a workflow and limitations, as well as a security analysis.



> We have tried a few things already:
> - Certificate Mappings. They are designed for user authentication to
> idm.ourdomain.local, no go.


Well, certificate mappings can also be used to map a certificate to a
user from a trusted domain. This is normal and is actively used by
various organizations because certificate mapping rules in IPA are more
flexible than in AD. In those cases people get their certificates issued
by some other entity on tools like smartcards, and the IPA CA is not really
used for that.



> - From the docs
> https://www.freeipa.org/page/Active_Directory_trust_setup: Allow access
> for users from AD domain to protected resources: Which "protected
> resource" allows for users' certificates?


There is TLS certificate authentication that can be enabled for a web
app, for example. A combination of mod_ssl + mod_lookup_identity +
mod_auth_gssapi can turn a TLS client certificate authentication into a
service ticket to itself (Kerberos S4U2Self extension) and then use it
on behalf of the user to talk to other services (Kerberos S4U2Proxy
extension). This, for example, can be enabled for the IPA Web UI.


> - From RH docs: CHAPTER 73. ENABLING AD USERS TO ADMINISTER IDM: AD
> users can administer IDM, but they cannot add a new Certificate Signing
> Request to their own profile.


As I said, there is currently no implementation in certificate issuance
that would allow ID overrides to request certificates.

Please open a ticket and work on a possible design of how this could
look. You don't need to go deep to the code level. Please list possible use
cases and the expected workflow to allow understanding of the possible drawbacks of
this solution.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: IPA WebUI login fails

2022-02-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
did you define an idoverride-user for your AD user as described in
"Authenticating to the IdM Web UI as an AD User"?

flo

On Thu, Feb 3, 2022 at 3:50 PM iulian roman via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Pedro,
>
> I've tried and restarted several times, without any success. I have to
> mention that this issue is only with the ActiveDirectory users; with IPA
> defined users it works properly.
>
> Regards,
> iulian roman


[Freeipa-users] Re: IPA WebUI login fails

2022-02-03 Thread iulian roman via FreeIPA-users
Hi Pedro, 

I've tried and restarted several times, without any success. I have to mention 
that this issue is only with the ActiveDirectory users; with IPA defined users 
it works properly. 

Regards,
iulian roman


[Freeipa-users] SPNEGO cannot find mechanisms to negotiate

2022-02-03 Thread Brian J. Murrell via FreeIPA-users
On my fairly recently created replica, trying to sign on to the webUI
fails both with a ticket and with username/password.  The httpd error
log reports:

[Thu Feb 03 09:43:20.551081 2022] [wsgi:error] [pid 332932:tid 14068185152] [remote 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.237'): SUCCESS
[Thu Feb 03 09:43:21.096431 2022] [auth_gssapi:error] [pid 332935:tid 140680940726016] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.146884 2022] [auth_gssapi:error] [pid 332935:tid 140681090156288] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.605055 2022] [auth_gssapi:error] [pid 332935:tid 140681090156288] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.621376 2022] [auth_gssapi:error] [pid 332935:tid 140680923940608] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:21.672265 2022] [auth_gssapi:error] [pid 332935:tid 140680907155200] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] Failed to unseal session data!, referer: https://server.example.com/ipa/ui/
[Thu Feb 03 09:43:22.019527 2022] [auth_gssapi:error] [pid 332935:tid 140680907155200] [client 2001:123:aa:123:0:90cc:a629:cf42:5877:50870] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://server.example.com/ipa/ui/

I found some google hits on gssproxy being the culprit but I can't seem
to find anything wrong with it.  It's not logging any errors or such.

Any ideas on what the problem could be here?

Cheers,
b.





[Freeipa-users] Re: IPA WebUI login fails

2022-02-03 Thread Pedro Bezunartea López via FreeIPA-users

Hi iulian,

Have you tried:
1. Login to your idm
2. kinit admin
3. Restart ipa: ipactl restart

Additionally, when logged in as admin, can you see any users if you browse to 
https://youripaserver.example.local/ipa/ui/#/e/idview/idoverrideuser/Default%20Trust%20View
 ?

Regards,

Pedro.


[Freeipa-users] IPA WebUI login fails

2022-02-03 Thread iulian roman via FreeIPA-users
Hello everybody, 

If I try to login via the WebUI with an AD account, I get the following error:

'Your session has expired. Please log in again.' in the WebUI interface. 

In the http access logs I have the following entries: 

user@EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "POST /ipa/session/json HTTP/1.1" 401 176
user@EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "GET /ipa/session/login_kerberos?_=1643896292999 HTTP/1.1" 401 262

On the http error_log:

[Thu Feb 03 14:54:13.466436 2022] [wsgi:error] [pid 1835110:tid 140666734245632] [remote 10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Insufficient access:  Invalid credentials
[Thu Feb 03 14:54:13.472887 2022] [:warn] [pid 1837963:tid 140666084521728] [client 10.8.137.41:58079] failed to set perms (3140) on file (/run/ipa/ccaches/user@EXAMPLE.LOCAL)!, referer: https://xxx.ipa.example.local/ipa/ui/
[Thu Feb 03 14:54:13.477997 2022] [wsgi:error] [pid 1835109:tid 140666733983488] [remote 10.8.137.41:58079] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (108962060): Credential cache is empty

In the krb5kdc.log : 

Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.30.200.220: REFERRAL: user\@EXAMPLE.local@IPA.EXAMPLE.LOCAL for krbtgt/IPA.EXAMPLE.LOCAL@IPA.EXAMPLE.LOCAL, Realm not local to KDC
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user@EXAMPLE.LOCAL for HTTP/xxxipaprd04.ipa.example.local@IPA.EXAMPLE.LOCAL
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): closing down fd 12
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.30.200.220: ISSUE: authtime 1643896453, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/xxxipaprd04.ipa.example.local@IPA.EXAMPLE.LOCAL for ldap/cxxxipaprd04.ipa.example.local@IPA.EXAMPLE.LOCAL
Feb 03 14:54:13 xxxipaprd04.ipa.example.local krb5kdc[3151688](info): ... CONSTRAINED-DELEGATION s4u-client=user@EXAMPLE.LOCAL

Any help would be really appreciated. 

Regards, 
iulian roman


[Freeipa-users] Allow AD users to manage multiple certificates

2022-02-03 Thread Pedro Bezunartea Lopez via FreeIPA-users

Hi!

This is our currently working setup:
- AD Domain: ourdomain.local (working fine for Windows users' authentication, 
Domain Controllers, etc...)
- IPA Domain: idm.ourdomain.local (Trust relation successfully setup with the 
Domain Controllers)
- AD users can login to the IPA Server with their AD credentials.

Goal: Allow AD users to add and manage their own certificates for different 
services (VPN access and the like). The workflow would be something like:

1. User adds a new CSR. (The user creates his key and generates the CSR 
locally)
2. IPA admins approve and issue the certificate.
3. The user downloads the certificate.

"Local" IPA users can add certificate requests in their profile by clicking on 
Actions > New Certificate.

AD users are only allowed to edit their profile description, GECOS, Login 
shell, add SSH public keys and add Certificates in PEM format, not add 
Certificate Requests.

We have tried a few things already:
- Certificate Mappings. They are designed for user authentication to 
idm.ourdomain.local, no go.
- From the docs https://www.freeipa.org/page/Active_Directory_trust_setup: 
Allow access for users from AD domain to protected resources: Which "protected 
resource" allows for users' certificates?
- From RH docs: CHAPTER 73. ENABLING AD USERS TO ADMINISTER IDM: AD users can 
administer IDM, but they cannot add a new Certificate Signing Request to their 
own profile.

Any ideas? 

Sorry for the length of the post... TIA

Pedro.


[Freeipa-users] Re: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='idm.issc.io', port=8080): Read timed out

2022-02-03 Thread Ricardo Mendes via FreeIPA-users
Hi Rob,

Thank you for the feedback, the "secret" and "requiredSecret" in server.xml had 
different values, I checked for the correct value in 
/etc/httpd/conf.d/ipa-pki-proxy.conf and did fix it.

Cheers!