[Freeipa-users] Replication of account lock state
Hi all,

Having read up on whether replica servers can also replicate the lock status of an account, I'm trying to find out what the current status is on the latest FreeIPA v4.x. What are the available options? Right now, having to log into multiple IPA servers to find lockouts is a real pita, and security-wise I'd like either the failed-auth counters or the lockout status to be replicated. The ability to unlock from a single IPA server would also be pretty sweet. Is there any way to get either working?

Thanks,
Djerk

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
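Background for the question above, and an added example that is not part of the thread or of FreeIPA itself: FreeIPA keeps krbLoginFailedCount, krbLastFailedAuth and krbLastSuccessfulAuth out of replication on purpose (every failed bind would otherwise become a replicated write), so each replica holds its own counter and a user can be locked on one server and free on another. `ipa user-status LOGIN` works around that by asking every server in turn. `ipa user-unlock LOGIN` writes krbLastAdminUnlock, which is replicated, so unlocking from a single server does take effect everywhere. The script below does the same per-server evaluation offline on constructed LDIF dumps from four replicas. The lockout rule it applies is my model of the ipa-lockout plugin (count >= maxfail, still inside lockouttime, and no admin unlock newer than the last failure); the policy numbers, host names, user and timestamps are all made up, and the real policy values come from `ipa pwpolicy-show`.

```python
"""Evaluate FreeIPA account lockout per replica from the three attributes
that are not replicated.  Added example; the data below is constructed."""
from datetime import datetime, timedelta, timezone

# Assumed password policy (check with `ipa pwpolicy-show`).  failinterval only
# decides whether the *next* failure increments or resets the counter, so it
# plays no part in deciding whether the account is locked right now.
POLICY = {"krbPwdMaxFailure": 6,
          "krbPwdFailureCountInterval": 60,
          "krbPwdLockoutDuration": 600}

# Fixed clock so the result is reproducible.
NOW = datetime(2023, 6, 22, 12, 5, 0, tzinfo=timezone.utc)

USER_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"

# Constructed per-replica dumps, as if from
#   ldapsearch -H ldap://SERVER -Y GSSAPI -b "$USER_DN" -s base \
#       krbLoginFailedCount krbLastFailedAuth krbLastAdminUnlock
# krbLastAdminUnlock (11:50) is replicated, so it is identical on all four;
# the failure counters and timestamps differ per server.
SAMPLE = {
    "ipa1.example.test": f"""dn: {USER_DN}
krbLoginFailedCount: 6
krbLastFailedAuth: 20230622120000Z
krbLastAdminUnlock: 20230622115000Z
""",
    "ipa2.example.test": f"""dn: {USER_DN}
krbLoginFailedCount: 3
krbLastFailedAuth: 20230622115900Z
krbLastAdminUnlock: 20230622115000Z
""",
    "ipa3.example.test": f"""dn: {USER_DN}
krbLoginFailedCount: 6
krbLastFailedAuth: 20230622115300Z
krbLastAdminUnlock: 20230622115000Z
""",
    "ipa4.example.test": f"""dn: {USER_DN}
krbLoginFailedCount: 6
krbLastFailedAuth: 20230622114500Z
krbLastAdminUnlock: 20230622115000Z
""",
}


def parse_gt(value):
    """LDAP GeneralizedTime as FreeIPA writes it, e.g. 20230622120000Z."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Single-entry 'attr: value' LDIF into a dict (no base64, no folding)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs[name.strip()] = value.strip()
    return attrs


def lockout_state(attrs, policy, now):
    """Model of the ipa-lockout decision for one replica's copy of the entry."""
    count = int(attrs.get("krbLoginFailedCount", "0"))
    last = parse_gt(attrs.get("krbLastFailedAuth"))
    unlock = parse_gt(attrs.get("krbLastAdminUnlock"))
    state = {"failed": count, "locked": False, "until": None}
    if last is None:
        return dict(state, failed=0, reason="no failures recorded")
    if unlock is not None and unlock >= last:
        # An admin unlock newer than the last failure voids the local counter.
        return dict(state, reason="admin unlock after last failure")
    if count < policy["krbPwdMaxFailure"]:
        return dict(state, reason="below maxfail")
    duration = policy["krbPwdLockoutDuration"]
    if duration == 0:
        return dict(state, locked=True, reason="locked until admin unlock")
    until = last + timedelta(seconds=duration)
    if now < until:
        return dict(state, locked=True, until=until, reason="inside lockouttime")
    return dict(state, until=until, reason="lockout expired")


def status_per_server(dumps, policy, now):
    """What `ipa user-status` shows: one verdict per replica."""
    return {srv: lockout_state(parse_ldif(ldif), policy, now)
            for srv, ldif in dumps.items()}


def locked_on(dumps, policy, now):
    """Servers on which the account is currently locked."""
    return sorted(s for s, st in status_per_server(dumps, policy, now).items()
                  if st["locked"])


if __name__ == "__main__":
    for srv, st in status_per_server(SAMPLE, POLICY, NOW).items():
        print(f"{srv}: failed={st['failed']} locked={st['locked']} ({st['reason']})")
    print("locked on:", locked_on(SAMPLE, POLICY, NOW))
```

With the constructed data only ipa1 reports the account as locked: ipa2 is below maxfail, ipa3's lockout window has already passed, and ipa4's last failure predates the replicated admin unlock. Pointing this at real replicas means running the ldapsearch against each server's own LDAP port; asking one server for the user entry only shows that server's counter.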
[Freeipa-users] local root can login but freeipa users can't
This happens randomly: local root can log in through SSH to the affected system, but for a FreeIPA user the login is successful and there is no prompt. When successfully logged in, it only displays a message saying "Last login: xxx" and then no prompt. There are no sssd errors though, and restarting the service doesn't help either. While the issue happens on one system, FreeIPA users can log in to other systems with no problem. The only way to get out of this is to restart the entire system.
[Freeipa-users] ipa-pkinit-manage failure
Greetings,

I'm trying to configure my replica IPA servers to support PKINIT.

[root@office-ipa-1 ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://office-ipa-1./ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 4096,8192 Not Matched).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@office-ipa-1 ~]#

I've manually installed the correct KDC cert with ipa-server-certinstall -k, but it seems I'm missing something. The error regarding "Key Parameters 4096,8192 Not Matched" is expected, as we've changed all our certificate templates to support 4096-bit keys and above. But I don't understand why the ipa-pkinit-manage enable command tries to issue a new certificate and does not utilise the existing one?

Regards,
Alex Ivanov.
[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA
Hello,

On 6/22/23 16:08, Finn Fysj via FreeIPA-users wrote:
> The installation of IPA server and replica does not produce the desired result. Even though the mkhomedir is set to true the feature is not enabled in the authselect. Also the replica server does not replicate SUDO and HBAC rules from the IPA master. Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
>
> Example of the IPA server role:
>
>   - role: freeipa.ansible_freeipa.ipaserver
>     vars:
>       ipaserver: "{{ ansible_hostname }}.example"
>       ipaserver_hostname: "{{ ansible_hostname }}.example"
>       ipaadmin_password: "test123"
>       ipadm_password: "test321"
>       ipaserver_domain: "example.com"
>       ipaserver_realm: "EXAMPLE.COM"
>       ipaserver_no_host_dns: true
>       ipaserver_mem_check: true
>       ipaserver_install_packages: true
>       ipaserver_setup_dns: false
>       ipaserver_no_pkinit: true
>       ipaserver_no_hbac_allow: true
>       ipaserver_no_ui_redirect: false
>       ipaclient_no_ntp: true
>       ipaclient_mkhomedir: true
>       ipaclient_no_sudo: false

Which IPA and ansible-freeipa versions are you using? Please provide more information about your inventory and setup.

Are you trying to use the ipaserver role to also deploy replicas? The ipaserver role is only useful to deploy the initial master. The replicas need to be deployed using the ipareplica role.

Regards,
Thomas
[Freeipa-users] Installing FreeIPA server + replica using Ansible Role FreeIPA
The installation of IPA server and replica does not produce the desired result. Even though the mkhomedir is set to true the feature is not enabled in the authselect. Also the replica server does not replicate SUDO and HBAC rules from the IPA master. Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.

Example of the IPA server role:

  - role: freeipa.ansible_freeipa.ipaserver
    vars:
      ipaserver: "{{ ansible_hostname }}.example"
      ipaserver_hostname: "{{ ansible_hostname }}.example"
      ipaadmin_password: "test123"
      ipadm_password: "test321"
      ipaserver_domain: "example.com"
      ipaserver_realm: "EXAMPLE.COM"
      ipaserver_no_host_dns: true
      ipaserver_mem_check: true
      ipaserver_install_packages: true
      ipaserver_setup_dns: false
      ipaserver_no_pkinit: true
      ipaserver_no_hbac_allow: true
      ipaserver_no_ui_redirect: false
      ipaclient_no_ntp: true
      ipaclient_mkhomedir: true
      ipaclient_no_sudo: false
[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)
There are no direct failures; however, it won't copy groups that already exist, which is probably the case here. "Admins" already exists on the installed IPA.

It's understandable Rob; however, we don't use the full capabilities of FreeIPA, only the LDAP and UI aspects of it.

Cheers.
[Freeipa-users] Re: Removing dead servers with tombstone entries
> On Jun 21, 2023, at 18:07, Rob Crittenden wrote:
>
> Joe Rhodes via FreeIPA-users wrote:
>> Hello all!
>>
>> I have a CentOS 7 based FreeIPA system that I'm migrating to Rocky 9.
>> As suggested, I've created a Rocky 8 instance replica first.
>>
>> As I've been working on this (in a dev environment first), I've gotten
>> myself into a state where I have two servers in the config that I cannot
>> delete. (The VMs have been uninstalled and deleted.)
>>
>> ipa server-find
>> -
>> 7 IPA servers matched
>> -
>> Server name: ia-ipa-1.dev.purestake.tech
>> Min domain level: 0
>> Max domain level: 1
>>
>> Server name: ia-ipa-2.dev.purestake.tech
>> Min domain level: 0
>> Max domain level: 1
>>
>> Server name: joe-rocky-8.dev.purestake.tech
>> Min domain level: 1
>> Max domain level: 1
>>
>> Server name: joe-rocky-9.dev.purestake.tech
>> Min domain level: 1
>> Max domain level: 1
>>
>> Server name: oh-ipa-1.dev.purestake.tech
>> Min domain level: 0
>> Max domain level: 1
>>
>> Server name: oh-ipa-2.dev.purestake.tech
>> Min domain level: 0
>> Max domain level: 1
>>
>> Server name: oh-ipa-21.dev.purestake.tech
>> Min domain level: 1
>> Max domain level: 1
>>
>> The two servers I want to delete are joe-rocky-9 and oh-ipa-21.
>>
>> Trying to delete either gives me:
>>
>> ipa server-del joe-rocky-9.dev.purestake.tech
>> Removing joe-rocky-9.dev.purestake.tech from replication topology,
>> please wait...
>> ipa: ERROR: Server removal aborted:
>> Replication topology in suffix 'domain' is disconnected:
>> Topology does not allow server ia-ipa-1.dev.purestake.tech to replicate
>> with servers:
>>     joe-rocky-9.dev.purestake.tech
>> Topology does not allow server ia-ipa-2.dev.purestake.tech to replicate
>> with servers:
>>     joe-rocky-9.dev.purestake.tech
>> Topology does not allow server joe-rocky-8.dev.purestake.tech to
>> replicate with servers:
>>     joe-rocky-9.dev.purestake.tech
>> Topology does not allow server joe-rocky-9.dev.purestake.tech to
>> replicate with servers:
>>     joe-rocky-8.dev.purestake.tech
>>     oh-ipa-1.dev.purestake.tech
>>     oh-ipa-2.dev.purestake.tech
>>     ia-ipa-1.dev.purestake.tech
>>     oh-ipa-21.dev.purestake.tech
>>     ia-ipa-2.dev.purestake.tech
>> Topology does not allow server oh-ipa-1.dev.purestake.tech to replicate
>> with servers:
>>     joe-rocky-9.dev.purestake.tech
>> Topology does not allow server oh-ipa-2.dev.purestake.tech to replicate
>> with servers:
>>     joe-rocky-9.dev.purestake.tech
>> Topology does not allow server oh-ipa-21.dev.purestake.tech to replicate
>> with servers:
>>     joe-rocky-9.dev.purestake.tech.
>>
>> and attempting to delete, ignoring the replication topology:
>>
>> ipa server-del joe-rocky-9.dev.purestake.tech --ignore-topology-disconnect
>> Removing joe-rocky-9.dev.purestake.tech from replication topology,
>> please wait...
>> ipa: ERROR: Not allowed on non-leaf entry
>>
>> When I do a: ipa topologysegment-find domain the server joe-rocky-9 is
>> not listed in any of the segments.
>>
>> I believe the issue is I have a bunch of replication issues regarding
>> these two servers. (I had been adding and removing them as I was
>> finding the right way to go about my upgrade) This command shows both
>> of the servers:
>>
>> ldapsearch "nsds5ReplConflict=*"
>>
>> When I do the following search I see quite a few nsTombstone entries as
>> children, which I assume is what's blocking me from removing this DN
>> (either using the ipa server-del command or the ldapdelete command).
>>
>> ldapsearch -D "cn=Directory Manager" -W "(objectclass=nsTombstone)" dn
>>
>> When I do this command:
>>
>> ipa-replica-manage list-ruv
>> Replica Update Vectors:
>>     ia-ipa-1.dev.purestake.tech:389: 4
>>     oh-ipa-1.dev.purestake.tech:389: 7
>>     ia-ipa-2.dev.purestake.tech:389: 3
>>     oh-ipa-2.dev.purestake.tech:389: 8
>>     joe-rocky-8.dev.purestake.tech:389: 19
>> Certificate Server Replica Update Vectors:
>>     ia-ipa-1.dev.purestake.tech:389: 6
>>     joe-rocky-8.dev.purestake.tech:389: 20
>>     ia-ipa-2.dev.purestake.tech:389: 5
>>
>> I get the expected list of RUVs, without the two servers I want to
>> delete. Only the servers that are really on-line and legit show up. So
>> I cannot use the "clean-ruv" command because the bad servers don't show
>> up with a replication ID.
>>
>> When I do this:
>>
>> ipa-replica-manage -p Extraordinary-northern-Conditioning-Idaho-7
>> clean-dangling-ruv
>> The server 'joe-rocky-9.dev.purestake.tech' appears to be offline.
>> The server 'oh-ipa-21.dev.purestake.tech' appears to be offline.
>> No dangling RUVs found
>>
>> I see the
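What "Not allowed on non-leaf entry" means here, with an added example that is not from the thread or from FreeIPA: that message is LDAP result 66 (notAllowedOnNonLeaf), so the server's own entry under cn=masters,cn=ipa,cn=etc,$SUFFIX still has children. Two kinds of child can be in the way: live service sub-entries (cn=KDC, cn=HTTP, cn=CA and so on), which ldapdelete can remove leaf-first, and 389-ds replication tombstones of already-deleted children, which ldapdelete cannot remove; they are reaped by the replication plugin according to nsDS5ReplicaPurgeDelay and nsDS5ReplicaTombstonePurgeInterval on the cn=replica entry for the suffix. A tombstone keeps the deleted entry's DN with an nsuniqueid=... RDN prepended, which is why it still sits under the server entry. The script below parses a constructed LDIF dump of the subtree (a normal ldapsearch of the subtree concatenated with the "(objectclass=nsTombstone)" search already quoted above) and lists, for one server entry, what still blocks its deletion and in which order the live entries can go. The subtree contents and the nsuniqueid value are made up; only the server name is taken from the thread.

```python
"""Find what blocks deletion of an IPA server entry under cn=masters:
live child entries (deletable leaf-first) and replication tombstones
(not deletable with ldapdelete).  Added example on constructed LDIF."""
from collections import defaultdict

TARGET = ("cn=joe-rocky-9.dev.purestake.tech,cn=masters,cn=ipa,cn=etc,"
          "dc=dev,dc=purestake,dc=tech")

# Constructed sample: output of
#   ldapsearch -D "cn=Directory Manager" -W -b "$TARGET" "(objectClass=*)"
# followed by the same search with "(objectClass=nsTombstone)".
SAMPLE_LDIF = f"""\
dn: {TARGET}
objectClass: top
objectClass: nsContainer
cn: joe-rocky-9.dev.purestake.tech

dn: cn=KDC,{TARGET}
objectClass: top
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDC
ipaConfigString: enabledService

dn: cn=HTTP,{TARGET}
objectClass: top
objectClass: nsContainer
objectClass: ipaConfigObject
cn: HTTP
ipaConfigString: enabledService

dn: nsuniqueid=4d3e1c02-10ff11ee-9d0b8f2a-6b4e0c91,cn=CA,{TARGET}
objectClass: top
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: nsTombstone
cn: CA
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    continuation lines starting with a space.  No base64 ('attr::') support.
    Returns a list of (dn, {attr_lowercase: [values]})."""
    entries, cur = [], None
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if cur is not None and cur[0]:
                entries.append((cur[0], dict(cur[1])))
            cur = None
            continue
        if raw.startswith("#"):
            continue
        if cur is None:
            cur = [None, defaultdict(list), None]   # dn, attrs, last attr seen
        if raw.startswith(" ") and cur[2] is not None:
            cur[1][cur[2]][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur[0] = value
        else:
            cur[1][name].append(value)
            cur[2] = name
    return entries


def normalize_dn(dn):
    """Good enough for IPA's cn=/dc= DNs: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_tombstone(attrs):
    return any(v.lower() == "nstombstone" for v in attrs.get("objectclass", []))


def live_dn(dn):
    """DN the entry had before deletion: drop the leading nsuniqueid RDN
    that 389-ds prepends when it turns an entry into a tombstone."""
    n = normalize_dn(dn)
    return n.partition(",")[2] if n.startswith("nsuniqueid=") else n


def blockers(entries, target):
    """Return (live, tombstones) for descendants of `target`.  `live` is
    ordered deepest-first, the order in which ldapdelete can remove them;
    `tombstones` have to be reaped by the replication plugin instead."""
    target = normalize_dn(target)
    live, dead = [], []
    for dn, attrs in entries:
        pos = live_dn(dn) if is_tombstone(attrs) else normalize_dn(dn)
        if pos == target or not pos.endswith("," + target):
            continue
        (dead if is_tombstone(attrs) else live).append(dn)
    live.sort(key=lambda d: (-normalize_dn(d).count(","), normalize_dn(d)))
    return live, dead


if __name__ == "__main__":
    live, dead = blockers(parse_ldif(SAMPLE_LDIF), TARGET)
    print("delete with ldapdelete, in this order:")
    for dn in live:
        print("  ", dn)
    print("tombstones that ldapdelete cannot remove (wait for the reaper):")
    for dn in dead:
        print("  ", dn)
```

Run against a real dump, an empty `live` list together with a non-empty `dead` list is the situation the post describes: nothing left to delete by hand, and `ipa server-del` keeps failing until the tombstones under the entry have been purged.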
[Freeipa-users] Re: AD certificate authentication against FreeIPA - is that possible?
Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
>
> We have an application that requires Active Directory. In order to
> provide SSO, the application gets a user certificate from AD and, as I
> understand, uses it towards a RHEL machine as a smart card. I installed
> AD's ca certificates on the RHEL client and it works when sssd.conf is
> all configured towards AD.
>
> I've joined the client to AD, as I said, but I do want my `id_provider`
> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA.
> But when I do this, the authentication doesn't work.
>
> Is there a way to either force pam/sssd to check the certificates
> against AD while still getting groups and names from ldap, or to get
> FreeIPA to approve the certificates?
>
> I know this might be a very corner case, but if we make it work, this
> would be beautiful.

IMHO you should cross-post this to the SSSD users list as this seems more their area, https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/

I think expanding on your configuration would help too. Are you using the IPA certificate mapping to map the AD-issued certificates to an IPA user for authentication? What is the current provider? Is ipa not sufficient/working?

rob
[Freeipa-users] AD certificate authentication against FreeIPA - is that possible?
Hi,

We have an application that requires Active Directory. In order to provide SSO, the application gets a user certificate from AD and, as I understand, uses it towards a RHEL machine as a smart card. I installed AD's ca certificates on the RHEL client and it works when sssd.conf is all configured towards AD.

I've joined the client to AD, as I said, but I do want my `id_provider` in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA. But when I do this, the authentication doesn't work.

Is there a way to either force pam/sssd to check the certificates against AD while still getting groups and names from ldap, or to get FreeIPA to approve the certificates?

I know this might be a very corner case, but if we make it work, this would be beautiful.

Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway