[Freeipa-users] Re: pki-tomcatd service doesn't start on multiple servers in the domain

2022-04-11 Thread Yajith Dayarathna via FreeIPA-users
Hi flo,

It was a copy-paste issue. I've also tested it again without the "-" at all 
where I'm only attempting to update the certificate blob and that doesn't seem 
to work either even though the ldapmodify doesn't error.

ldap_initializer( ldap://localhost:389 )
replace usercertificate:
 NOT ASCII (894 bytes)
modifying entry “uid=pkidbuser,ou=people,o=ipaca”
modify complete

Thanks,
yajith
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] server sshfp update - ?

2022-04-11 Thread lejeczek via FreeIPA-users

Hi guys.

What is the correct way to update/modify server's sshfp records?

I assumed those are in: /etc/ssh/ssh_host_*.pub
and I should use 'host-mod --updatedns ..'
but then such records do not look like what IPA had/created.

many thanks, L
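One way to check what the SSHFP records for a server should look like, given the key files in /etc/ssh/ssh_host_*.pub, is to compute them the same way `ssh-keygen -r <hostname>` does and compare against the records IPA holds (for example from `ipa dnsrecord-find`). The script below is an added example and is not FreeIPA code; the Ed25519 key it fingerprints is constructed for the demo and is not a real host key.

```python
"""Compute SSHFP record data from OpenSSH host public keys.

Added example, not FreeIPA code. For each public-key line it yields one
record per fingerprint type (1 = SHA-1, 2 = SHA-256), which is what
`ssh-keygen -r` prints and what belongs in DNS. The sample key below is
constructed bytes, not a real host key.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479, 8709)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint types
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return [(algorithm, fptype, hex_fingerprint), ...] for one
    ssh_host_*.pub line. The digest is taken over the raw, base64-decoded
    key blob, exactly as DNS SSHFP (and ssh-keygen -r) define it."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64blob = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type %r" % keytype)
    blob = base64.b64decode(b64blob)
    # Sanity check: the first SSH string inside the blob names the key type
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key blob does not match the declared key type")
    algo = SSHFP_ALGORITHM[keytype]
    return [(algo, fptype, digest(blob).hexdigest())
            for fptype, digest in sorted(SSHFP_FPTYPE.items())]


def format_records(hostname, pubkey_line):
    """Render the records in zone-file syntax, as ssh-keygen -r does."""
    return ["%s IN SSHFP %d %d %s" % (hostname, algo, fptype, fp)
            for algo, fptype, fp in sshfp_records(pubkey_line)]


def encode_blob(keytype, keybytes):
    """Minimal SSH wire encoding: string(keytype) || string(keybytes)."""
    return (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(keybytes)) + keybytes)


def build_pubkey_line(keytype, keybytes, comment="constructed@example"):
    """Build a syntactically valid .pub line from constructed key bytes."""
    return "%s %s %s" % (keytype, base64.b64encode(encode_blob(keytype, keybytes)).decode(), comment)


# Constructed sample: 32 placeholder bytes standing in for an Ed25519 public key
SAMPLE_ED25519_BLOB = encode_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_ED25519 = build_pubkey_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for rr in format_records("server.ipa.example.", SAMPLE_ED25519):
        print(rr)
```

Run it against each real `ssh_host_*.pub` line on the server and diff the output against the DNS records: a mismatch in the algorithm or fingerprint-type columns, rather than in the hex, usually means the records were generated from a different key or a different hash type than the one currently installed.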


[Freeipa-users] Re: DNS record with all IPA servers

2022-04-11 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> 
> 
> On 07/04/2022 18:04, Rob Crittenden wrote:
>> lejeczek via FreeIPA-users wrote:
>>>
>>> On 06/04/2022 16:50, Rob Crittenden wrote:
>>>> lejeczek via FreeIPA-users wrote:
>>>>> On 30/03/2022 09:19, Alexander Bokovoy via FreeIPA-users wrote:
>>>>>> On Wed, 30 Mar 2022, Boris Behrens via FreeIPA-users wrote:
>>>>>>> Hi,
>>>>>>> I am currently trying to clean up our IPA installation and saw that
>>>>>>> all our
>>>>>>> clients only got a single server configured, which doesn't sound
>>>>>>> good.
>>>>>>> (we've currently got two IPA servers).
>>>>>>>
>>>>>>> Is there some sort of record that can be used?
>>>>>> Look into man page for 'ipa' tool:
>>>>>>
>>>>>> SERVERS
>>>>>>  The ipa client will determine which server to connect to in
>>>>>> this order:
>>>>>>
>>>>>>  1. The server configured in /etc/ipa/default.conf in the
>>>>>> xmlrpc_uri directive.
>>>>>>
>>>>>>  2. An unordered list of servers from the ldap DNS SRV
>>>>>> records.
>>>>>>
>>>>>>  If a kerberos error is raised by any of the requests then it
>>>>>> will stop processing and display the error message.
>>>>>>
>>>>>>
>>>>> But is that really a problem, and if not, when could that be a
>>>>> problem?
>>>>> I see all my clients end up with only single server in config files -
>>>>> the one which the client hooked to at the installation time - is that not
>>>>> how it
>>>>> should be?
>>>> It is only a potential problem if you don't use DNS discovery and that
>>>> server goes away.
>>>>
>>>> In /etc/ipa/default.conf the server value is deprecated. The value of
>>>> xmlrpc_uri is used to determine the API endpoint of an IPA server.
>>>>
>>>> This mostly affects the IPA tools and certmonger, all of which try DNS
>>>> discovery first.
>>>>
>>>> There is no way to specify multiple servers in /etc/ipa/default.conf.
>>>>
>>>> So the worst case scenario is you don't use DNS discovery and a server
>>>> goes away permanently never to be re-created. Any client with that
>>>> hardcoded server value won't be able to use certmonger or IPA tools
>>>> like
>>>> ipa-certupdate, ipa, etc.
>>>>
>>>> Similarly SSSD is by default configured with: ipa_server = _srv_,
>>>> ipa.example.test
>>>>
>>>> So if there is no DNS discovery and that one server dies, you're done
>>>> until you restore the server or change the value (SSSD caching can
>>>> mitigate this to some extent, it will be treated as offline).
>>>>
>>>> Going into your clients to evenly divide them between the two servers
>>>> could save you some work if one went down forever but relying on DNS
>>>> discovery to find servers is recommended and preferred.
>>>>
>>>> rob

>>> How about a bit "twisted" way of having things run, when only one - for
>>> whatever imaginary reason - server is available to clients. Not at all
>>> times but at a given time, say... today it's masterA but tomorrow will
>>> be masterB
>>> That would break some clients sometimes, correct?
>>> And if so - would IPA be okay with a primitive remedy such as
>>> 'xmlrpc_uri' pointing to a URI/record with a non-existing/not actual
>>> host's hostname (still IPA server)? which would be always accessible to
>>> all clients?
>> If you have DNS SRV records then it should continue to work fine. There
>> just may be a delay in some requests until failover occurs.
>>
>> We do not recommend putting a load balancer in front of IPA. It's a lot
>> of manual effort and lots of room to make mistakes.
>>
>> rob
>>
> not a load-balancer - a record with a non-existing/non-actual server's
> hostname, but still IPA server.
> Better described as a "floating" record perhaps?
> srv1.ipa.com A x.x.x
> srv2.ipa.com A x.x.x
> some more..
> mama.ipa.com A z.z.z (which IP, "physically" will travel from server to
> server on "whatever" basis)
> 
> then 'xmlrpc_uri' points to 'mama.ipa.com'
> ?
> As long as this does not break IPA in some way, it's a "workaround"
> which makes my setups very happy.

Are you saying this works? I wouldn't expect it to.

With TLS and Kerberos if you ask for host/service "foo" and get "bar"
back it should fail.

Unless you've done the work to add additional SAN and Kerberos naming.

rob


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-11 Thread Mateo Duffour via FreeIPA-users
Hi,

We send the krb5_child.log attached as requested.
The test was an ssh u...@adtest.xxx.xxx.xx@idmsrvpru.idmpru.xxx.xxx.xx from our 
IdM server.


Many thanks.

Lic. Mateo Duffour 
Unidad Informática 
2901.40.91 

[ 
http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay
 | 18 de julio 985 - Piso 3, Montevideo, Uruguay ] 
[ http://www.fnr.gub.uy/ |] 



Do not print me unless necessary. Let's protect the environment. This message and 
the information attached to it are addressed exclusively to their recipient. 
They may contain confidential, privileged or restricted-use information, 
protected by the regulations. If you received this e-mail in error, please 
notify the sender and delete the original. Any other use of this e-mail by 
you is prohibited.

- Original Message -
From: "Sumit Bose" 
To: "Mateo Duffour" 
Cc: "Alexander Bokovoy" , "Sumit Bose" , 
"freeipa-users" , "tizo" 

Sent: Friday, 8 April, 2022 02:45:06
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired

On Thu, Apr 07, 2022 at 05:07:00PM -0300, Mateo Duffour wrote:
> Hi, 
> 
> The last answer that we received on bugzilla and on samba lists says "Your 
> kpasswd is expecting FAST support which has been added in samba 4.16. So you 
> either have to disable FAST or upgrade first." 
> 
> We've upgraded our Samba server version to 4.16.0 and we're getting this 
> error now (when trying to login with any user from our IdM server): 
> 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
> not found in Kerberos database 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
> not found in Kerberos database 

Hi,

looks like there are issues requesting the cross-realm TGT, it would be
good to see the full krb5_child.log file with 'debug_level = 9' in the
[domain/...] section of sssd.conf to maybe better understand why this fails.

I would expect that the cross-realm TGT is requested during the
validation of the Kerberos ticket. You can disable the validation as a
workaround by adding

krb5_validate = false

in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.

bye,
Sumit

> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
> user=u...@adtest.xxx.xxx.xx 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> received for user u...@adtest.xxx.xxx.xx : 4 (System error) 
> Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: 
> Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 
> 
> Any help is appreciated, regards. 
> 
> 
> 
> From: "Mateo Duffour"  
> To: "Alexander Bokovoy"  
> Cc: "Sumit Bose" , "freeipa-users" 
> , "tizo"  
> Sent: Friday, 11 March, 2022 15:49:31 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> Hi, 
> 
> We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to 
> report a bug on bugzilla.samba.org as you suggested. 
> 
> 
> Thanks again. 
> 
> 
> 
> From: "Alexander Bokovoy"  
> To: "Mateo Duffour"  
> Cc: "Sumit Bose" , "freeipa-users" 
> , "tizo"  
> Sent: Friday, 11 March, 2022 15:03:58 
> Subject: Re: [Freeipa-users] Re: IdM with trust 
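Two client-side settings come up across these threads: Rob's point that a client with no DNS SRV discovery is stuck on the single server hardcoded in /etc/ipa/default.conf (xmlrpc_uri) or in the sssd.conf ipa_server list, and Sumit's krb5_validate = false workaround, which also turns off SSSD's check (via the host keytab) that the TGT was not spoofed; the IPA provider enables that check by default. The audit below is an added example, not FreeIPA or SSSD code, and the config texts it reads are constructed to show one weak and one hardened client.

```python
"""Audit an IPA client's config for single-server dependence and for
krb5_validate = false. Added example, not FreeIPA or SSSD code; the
configuration texts are constructed for the demo."""
import configparser
from urllib.parse import urlparse

# Constructed sssd.conf: hardcoded to one server, validation switched off
SSSD_CONF_WEAK = """\
[sssd]
domains = ipa.example.test
services = nss, pam, ssh, sudo

[domain/ipa.example.test]
id_provider = ipa
ipa_server = server1.ipa.example.test
krb5_validate = false
"""

# Constructed sssd.conf: SRV discovery first, server1 as fallback, default validation
SSSD_CONF_HARDENED = """\
[sssd]
domains = ipa.example.test
services = nss, pam, ssh, sudo

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, server1.ipa.example.test
"""

# Constructed /etc/ipa/default.conf; it can only ever name one server
DEFAULT_CONF = """\
[global]
basedn = dc=ipa,dc=example,dc=test
realm = IPA.EXAMPLE.TEST
domain = ipa.example.test
server = server1.ipa.example.test
xmlrpc_uri = https://server1.ipa.example.test/ipa/xml
"""


def _parse(text):
    # Both files are INI-style; disable % interpolation so values pass through
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def xmlrpc_host(default_conf_text):
    """Hostname hardcoded in xmlrpc_uri (the API endpoint), or None if unset."""
    uri = _parse(default_conf_text).get("global", "xmlrpc_uri", fallback=None)
    return urlparse(uri).hostname if uri else None


def audit_sssd_conf(sssd_conf_text):
    """Return [(section, finding), ...] for every [domain/...] section."""
    cp = _parse(sssd_conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        raw = cp.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        # An unset ipa_server means discovery is on; an explicit list without
        # _srv_ means the client never consults the DNS SRV records.
        if servers and "_srv_" not in servers:
            findings.append((section, "ipa_server lacks _srv_: no DNS SRV discovery, "
                                      "client is hardcoded to %s" % ", ".join(servers)))
        if cp.get(section, "krb5_validate", fallback="true").strip().lower() == "false":
            findings.append((section, "krb5_validate = false: TGT is not verified "
                                      "against the host keytab"))
    return findings


if __name__ == "__main__":
    print("default.conf xmlrpc host:", xmlrpc_host(DEFAULT_CONF))
    for label, text in (("weak", SSSD_CONF_WEAK), ("hardened", SSSD_CONF_HARDENED)):
        print(label, audit_sssd_conf(text) or "no findings")
```

Point the two functions at the real /etc/ipa/default.conf and /etc/sssd/sssd.conf to get the same report for a live client; the xmlrpc_uri host is reported rather than flagged because, as the thread notes, that file cannot hold more than one server and the tools try DNS discovery first anyway.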

[Freeipa-users] Re: Installing 3rd party PEM format Certificate on FreeIPA Server

2022-04-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

if you refer to the man pages you will see the supported formats:
# man ipa-cacert-manage
...
  The supported formats for the certificate files are
*DER, PEM and  PKCS#7* format.
...

# man ipa-server-certinstall
...
   Replace the current Directory server SSL certificate, Apache server SSL
   certificate and/or Kerberos KDC certificate with the certificate in the
   specified files. The files are accepted in *PEM and DER certificate,
   PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats*.
...

HTH,
flo

On Sun, Apr 10, 2022 at 4:32 PM GAURAV Pande via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Guys ,
>
> OS : Centos 7.9
> FreeIPA Server version: 4.6.8
>
> I was referring to this link :
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> for installing 3rd party Certificate for HTTP and LDAP services of FreeIPA
> to make it secure . I see in this kb article .crt format is mentioned so
> does this mean .pem format can't be installed  on freeIPA server 4.6.8
> version ?
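The file extension (.crt, .pem, .cer) says nothing about which of the formats above a file actually is; what matters is the content. The detector below is an added example and not FreeIPA code: it tells PEM files apart by their BEGIN labels and peeks at the first DER elements to separate a certificate, a PKCS#7 chain, a PKCS#8 or raw RSA key and a PKCS#12 bundle. The DER samples are hand-built minimal structures that only have the leading elements the detector looks at; they are not real certificates or keys.

```python
"""Identify a certificate/key file's container format from its content.

Added example, not FreeIPA code. Covers the formats ipa-cacert-manage and
ipa-server-certinstall list: PEM and DER certificates, PKCS#7 chains,
PKCS#8 and raw (PKCS#1) private keys, and PKCS#12. Sample inputs are
constructed stubs, not real certificates or keys.
"""
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
PEM_LABELS = {
    "CERTIFICATE": "PEM certificate",
    "PKCS7": "PEM PKCS#7 chain",
    "PRIVATE KEY": "PEM PKCS#8 private key",
    "ENCRYPTED PRIVATE KEY": "PEM PKCS#8 encrypted private key",
    "RSA PRIVATE KEY": "PEM raw (PKCS#1) RSA private key",
    "EC PRIVATE KEY": "PEM raw (SEC1) EC private key",
}
# id-signedData 1.2.840.113549.1.7.2: the ContentInfo type of a PKCS#7 chain
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def _der_tlv(data, offset=0):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def detect_format(data):
    """Return a list of format labels (PEM files may hold several blocks)."""
    labels = [PEM_LABELS.get(m.decode(), "PEM " + m.decode()) for m in PEM_RE.findall(data)]
    if labels:
        return labels
    if not data or data[0] != 0x30:        # every DER container here is a SEQUENCE
        return ["unknown"]
    try:
        _, start, _ = _der_tlv(data)
        inner_tag, istart, iend = _der_tlv(data, start)
        if inner_tag == 0x30:              # tbsCertificate SEQUENCE
            return ["DER certificate"]
        if inner_tag == 0x06:              # ContentInfo starts with a contentType OID
            if data[istart:iend] == PKCS7_SIGNED_DATA_OID:
                return ["DER PKCS#7 SignedData chain"]
            return ["DER ContentInfo with unexpected OID"]
        if inner_tag == 0x02:              # leading INTEGER: a version field
            version = int.from_bytes(data[istart:iend], "big")
            next_tag = data[iend]
            if version == 3:               # PKCS#12 PFX version 3
                return ["DER PKCS#12"]
            if version == 0 and next_tag == 0x30:   # PrivateKeyInfo: version, AlgorithmIdentifier
                return ["DER PKCS#8 private key"]
            if version == 0 and next_tag == 0x02:   # RSAPrivateKey: version, modulus, ...
                return ["DER raw (PKCS#1) RSA private key"]
    except IndexError:
        return ["truncated DER"]
    return ["unknown DER structure"]


# Constructed samples: only the leading elements are present
SAMPLES = {
    "pem_cert": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "pem_chain": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                 b"-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n",
    "pem_pkcs8": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "der_cert": bytes([0x30, 0x04, 0x30, 0x02, 0x02, 0x00]),
    "der_pkcs7": bytes([0x30, 0x0D, 0x06, 0x09]) + PKCS7_SIGNED_DATA_OID + bytes([0xA0, 0x00]),
    "der_pkcs12": bytes([0x30, 0x05, 0x02, 0x01, 0x03, 0x30, 0x00]),
    "der_pkcs8": bytes([0x30, 0x07, 0x02, 0x01, 0x00, 0x30, 0x00, 0x04, 0x00]),
    "der_rsa": bytes([0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x05]),
}

if __name__ == "__main__":
    files = sys.argv[1:]
    if files:
        for path in files:
            with open(path, "rb") as fh:
                print(path, detect_format(fh.read()))
    else:
        for name, blob in SAMPLES.items():
            print(name, detect_format(blob))
```

With a real file as argument it prints the detected container, which is enough to choose between the PEM and DER inputs the two ipa tools accept, or to notice that a ".crt" handed over by a CA is in fact a PKCS#7 chain.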