[Freeipa-users] Additional Check for checkipaconsistency - KRA

2020-02-10 Thread Jochen Hein via FreeIPA-users

Hallo,

right now checkipaconsistency reports an error when not all IPA servers
have AD trust enabled.  My first two IPA servers running CentOS 7 do
have KRA enabled, but installing KRA on a new CentOS 8 replica failed.
Would it be useful to check that in checkipaconsistency?

If yes, here's my first shot at it.

diff --git a/checkipaconsistency/freeipaserver.py 
b/checkipaconsistency/freeipaserver.py
index bdefe70..a58419b 100644
--- a/checkipaconsistency/freeipaserver.py
+++ b/checkipaconsistency/freeipaserver.py
@@ -49,6 +49,7 @@ class FreeIPAServer(object):
 self.ghosts = None
 self.bind = None
 self.msdcs = None
+self.kra = None
 self.replicas = None
 self.healthy_agreements = False
 
@@ -94,6 +95,7 @@ class FreeIPAServer(object):
 self.conflicts = self._count_ldap_conflicts()
 self.ghosts = self._ghost_replicas()
 self.bind = self._anon_bind()
+self.kra = self._kra()
 self.msdcs = self._ms_adtrust()
 self.replicas, self.healthy_agreements = self._replication_agreements()
 
@@ -385,6 +387,25 @@ class FreeIPAServer(object):
 self._log.debug(r)
 return r
 
+def _kra(self):
+self._log.debug('Checking KRA...%s' % self._fqdn)
+   r = False
+results = self._search(
+'cn=KRA,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % ( self._fqdn , 
self._base_dn),
+'(ipaConfigString=*)',
+['ipaConfigString']
+)
+self._log.debug(results)
+if type(results) == list and len(results) > 0:
+#dn, attrs = results[0]
+
+#e = attrs['ipaConfigString'][1].decode('utf-8')
+#r = e['enabledService'].decode('utf-8')
+r = True
+else:
+r = False
+return r
+
 def _ms_adtrust(self):
 self._log.debug('Checking for MS ADTrust DNS records...')
 record = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.%s' 
% self._domain
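Review bot: `_kra()` reports a KRA as present whenever the `cn=KRA,cn=<fqdn>,cn=masters,...` entry carries any ipaConfigString, so a KRA that is configured but not enabled (the commented-out lines hint at the `enabledService` value) is counted the same as a working one, and a non-list result from `_search` (an LDAP error) is silently turned into False, i.e. "no KRA" rather than "unknown". Suggest searching with the filter `(ipaConfigString=enabledService)` and returning whether that matched, keeping the error case apart from a genuine absence (log it and return None, or let it propagate as the other checks do), and writing the type test as `isinstance(results, list)`. The initial `r = False` makes the `else` branch redundant, and the three commented-out lines plus the stray indentation on `r = False` should go before this is merged.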
diff --git a/checkipaconsistency/main.py b/checkipaconsistency/main.py
index 858b89a..242418e 100755
--- a/checkipaconsistency/main.py
+++ b/checkipaconsistency/main.py
@@ -134,6 +134,7 @@ class Main(object):
 ('ghosts', 'Ghost Replicas'),
 ('bind', 'Anonymous BIND'),
 ('msdcs', 'Microsoft ADTrust'),
+('kra', 'KRA Status'),
 ('replicas', 'Replication Status')
 ])
 
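Review bot: the label `'KRA Status'` breaks with the neighbouring entries, which name the thing being compared (`'Anonymous BIND'`, `'Microsoft ADTrust'`) rather than a "status"; `'KRA'` or `'Key Recovery Authority'` would read consistently in the report table, and the same value is also what the `-n kra` Nagios choice reports on.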
@@ -156,7 +157,7 @@ class Main(object):
 parser.add_argument('-n', nargs='?', dest='nagios_check', help='Nagios 
plugin mode', default='not_set',
 choices=['', 'all', 'users', 'susers', 'pusers', 
'hosts', 'services', 'ugroups', 'hgroups',
  'ngroups', 'hbac', 'sudo', 'zones', 
'certs', 'conflicts', 'ghosts', 'bind',
- 'msdcs', 'replicas'])
+ 'msdcs', 'kra', 'replicas'])
 parser.add_argument('-w', '--warning', type=int, dest='warning',
 default=1, help='number of failed checks before 
warning (default: %(default)s)')
 parser.add_argument('-c', '--critical', type=int, dest='critical',

Jochen

-- 
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: 2FA using ssh keys + Free OTP

2020-01-27 Thread Jochen Hein via FreeIPA-users
Daniel PC via FreeIPA-users writes:

> Currently, I have 2FA implemented with password + FreeOTP as authentication 
> methods.
>
> I wonder if possible to implement ssh pub+priv keys instead of a password as 
> the first authentication factor.
>
> Has anyone implemented such thing?

That's possible, but not with FreeIPA.  On my Jump-Host I have the
following in /etc/ssh/sshd_config:

,----
| Match Group otpusers
| AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
`----

So I can login with Kerberos (and maybe with authentication indicators).

The second authentication stream uses pubkey and whatever is defined in
PAM. There I have:

,----
| # If the user is in group otpusers, we use the next rule, otherwise we skip
| # the call to pam_yubico.
| auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
| auth sufficient pam_yubico.so id= key= urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
`----

I use privacyidea to manage my 2FA tokens (here I use Yubikeys).
You could also use freeotp or something else - the problem is to connect
token and user in the PAM stack.

Jochen


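As an added example (not from the post, not OpenSSH code), a small Python checker that reads AuthenticationMethods the way sshd_config(5) defines them, so you can see which alternative of a Match block like the one above still lets a user in with a single method; both sample configs are constructed.

```python
"""Count the methods each sshd AuthenticationMethods alternative demands.

sshd_config(5): whitespace separates alternative method lists (any one of
them lets the user in), commas chain methods that must all succeed in
order.  Only AuthenticationMethods and Match are interpreted here.
"""


def parse_methods(value):
    """'gssapi-with-mic publickey,keyboard-interactive:pam' ->
    [['gssapi-with-mic'], ['publickey', 'keyboard-interactive']]."""
    alternatives = []
    for alt in value.split():
        # 'keyboard-interactive:pam' names a device; the method is before ':'
        alternatives.append([m.split(":", 1)[0] for m in alt.split(",")])
    return alternatives


def min_factors(value):
    """Fewest methods any single alternative demands (0 = no restriction)."""
    return min((len(alt) for alt in parse_methods(value)), default=0)


def parse_sshd_config(text):
    """Map the global section ('') and each Match block to its
    AuthenticationMethods value (None when the keyword is not set)."""
    sections = {"": None}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = " ".join(rest.split())
            sections.setdefault(current, None)
        elif keyword == "authenticationmethods":
            sections[current] = rest
    return sections


def single_factor_paths(text):
    """(section, alternative) pairs through which one method is enough.

    Whether a Kerberos ticket was itself obtained with OTP (authentication
    indicators, as the post mentions) is invisible to sshd, so
    gssapi-with-mic on its own still counts as one method here."""
    findings = []
    for section, value in parse_sshd_config(text).items():
        if value is None:
            continue
        for alt in parse_methods(value):
            if len(alt) < 2:
                findings.append((section, ",".join(alt)))
    return findings


# Constructed sample mirroring the Match block quoted in the post.
POSTED_CONFIG = """\
PasswordAuthentication no
Match Group otpusers
    AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
"""

# Same block with the Kerberos path also chained to the PAM prompt (constructed).
CHAINED_CONFIG = """\
Match Group otpusers
    AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("chained", CHAINED_CONFIG)):
        print(name, "single-method paths:", single_factor_paths(cfg))
```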

[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Jochen Hein via FreeIPA-users
Andrew Meyer via FreeIPA-users writes:

> [andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
...
> Starting smb Service
> Failed to start smb Service
> Forced start, ignoring smb Service, continuing normal operation
> Starting winbind Service
> Failed to start winbind Service
> Forced start, ignoring winbind Service, continuing normal operation
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful

That seems to be a bug - see:
https://bugs.centos.org/view.php?id=16929

Jochen



[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread Jochen Hein via FreeIPA-users
Andrew Meyer via FreeIPA-users writes:

> I am trying to research how to add other 2FA providers to FreeIPA. 
> Has anyone added Duo or something else to FreeIPA/IPA in the most
> recent versions?

I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS
and have some users authenticate against RADIUS.

Jochen



[Freeipa-users] Re: Multi Enrollment possible ?

2019-04-23 Thread Jochen Hein via FreeIPA-users
Karim Bourenane via FreeIPA-users writes:

> I want to deploy some IPA-client with 2 interfaces, each host interface
> managed by each IPA server.

I think the IPA servers should be replicas.

> Can you confirm me, that its possible to enroll 2 time the ipa-client in
> each servers ?

I manage servers with multiple interfaces and use principal aliases for
that. So one host has aliases like imap.example.org and smtp.jochen.org.

Can you elaborate what your application looks like?

Jochen



[Freeipa-users] Re: Autofs maps for students directories divided by first letter of username

2019-02-28 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes:

[...]

> I don't think that first entry is a glob. I believe that * just means
> any. & is shorthand for the matching key so
>
> * -fstype=nfs4,soft,intr,rsize=8192,wsize=8192,tcp
> fileserver.chem.byu.edu:/export/home/students/&
>
> Just substitutes whatever the matching key (*) to &.
>
> I assume this is in some auto.home-like map.
>
> I don't claim to know a lot about autofs but you might try creating an
> auto.home-a, auto.home-b, etc.
>
> auto.master contains:
>
> /export/home/students/a   auto.home-a
> /export/home/students/b auto.home-b
>
> This of course assumes that the homedir in the user entry is
> /export/home/students//

I also have no idea if that will work, but running "automount -vvvf" in
a terminal very likely produces enough traces to see how the map is
handled. I think that could help investigating what might work.

Jochen



[Freeipa-users] Re: how to deal with an existing user before client installation

2019-02-24 Thread Jochen Hein via FreeIPA-users
Albert Szostkiewicz via FreeIPA-users writes:

> So I do have an user on my laptop with same username as IPA user. I've
> noticed that after installing client, this existing user is still
> being authenticated by it's original password and is with its original
> UID.
> What is the best procedure in such cases?

I've renamed the local user to "l" and kept it as a
fallback/emergency user.  My user in IPA is just "" and I
normally log in with the IPA user.  The users have different UIDs and
both users have sudo rights, so I can fix whatever is broken when
something isn't working.

It's somewhat inconvenient to rename the local user, but I'm quite happy
to have a fallback.  After moving to IPA I've started adding that user
when installing a new system as the first user.

Jochen



[Freeipa-users] FreeIPA-Client now in Debian Buster

2019-02-11 Thread Jochen Hein via FreeIPA-users

Hello,

today freeipa-client migrated from sid to buster - thanks a lot for
this!

Jochen



[Freeipa-users] Re: IPA managed autofs mount timeout

2018-12-20 Thread Jochen Hein via FreeIPA-users
William Muriithi via FreeIPA-users writes:

> I am using autofs to mount home directories.  The autofs maps are on IPA
> server. A while back, I adjusted the mount idle timeout from the default 5
> minutes to 2 hours.
>
> I now want to undo the change, essentially bring down the timeout to 5
> minutes.  I can't however remember how I had increased it and google just
> bring up how to adjust locally from /etc/sysconfig/autofs.  I recall
> vaguely I had done the change from IPA.  Anyone who would have this info
> without too much googling?

You can change the timeout globally in /etc/autofs.conf. Otherwise you
can add the --timeout option to the map entries, see auto.master(5) for
details.

So my guess is that you added the timeout to the automountkey. Let's see
your automount map/key, something like:

ipa automountkey-show default auto.home --all

Is there a timeout?

Jochen



[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-11-30 Thread Jochen Hein via FreeIPA-users
Johan Vermeulen via FreeIPA-users writes:

> Now it would come in handy if I could field some Debian clients for some
> purposes.
> But on the current stable release there is no freeipa client.
> I have installed some freeipa-clients from unstable, but it's not ideal.
>
> I'm wondering, is anyone doing this at the moment.
> Is there some repo for this?
> Can this be compiled from source?

I've installed the client packages from snapshot.debian.org with a
version near the freeze for the next release.  That's working fine for
me, but you won't get security fixes that way.

On the other hand other packages seem more relevant for security
patches, like sssd, kerberos, or certmonger - and these are part of
debian.

So, I'm quite happy with the packages from snapshots.
Jochen



[Freeipa-users] Re: HBAC Rules for OpenVPN Server

2018-09-18 Thread Jochen Hein via FreeIPA-users
Sina Owolabi via FreeIPA-users writes:

> Yes I use PAM with openvpn to authenticate user clients
> "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
> I'm also running a HBAC controlled IPA environment but the rule for vpnusers
> is a --servicecat=all:
>
> Rule name: allowvpnusers
>   Service category: all
>   Enabled: TRUE
>   User Groups: vpnusers
>   Hosts: vpn.internaldom.com

You use the login configuration for PAM. Either use that service or
change the parameter to openvpn-plugin-auth-pam.so to openvpn.

Jochen



[Freeipa-users] Re: HBAC Rules for OpenVPN Server

2018-09-17 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes:

> Sina Owolabi via FreeIPA-users wrote:
>> Hi List
>> 
>> I’ve been struggling with this for a while and I would really appreciate
>> some advice. 
>> I have an openvpn server using freeIPA to authenticate users logging
>> into the office VPN. 
>> Currently all users have access to all services on the OpenVPN server. 
>> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
>> them to have access to anything else?
>
...
> What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> configured for auth.

To elaborate on that somewhat more: it depends on how you authenticate your
users.  The simplest way is to enable PAM authentication in your
server config:

,----
| plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
`----

Then you create a file /etc/pam.d/openvpn and can use sssd there.  Your
HBAC rule needs to allow the openvpn service for the users.

You could also authenticate against LDAP or RADIUS and juggle with
groups, but PAM is really easier.

Jochen



[Freeipa-users] Re: Can't ssh using GSSAPI delegation from one freeipa client to another consistently

2018-09-05 Thread Jochen Hein via FreeIPA-users
Ranbir via FreeIPA-users  writes:

> When GSSAPI delegation doesn't work, I see this error:
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server host/ip...@theinside.rnr not found in Kerberos database

You used "ssh ipa01", right?  And the host has been enrolled with
ipa01.theinside.rnr?

> What am I messing up?

I have in my ~/.ssh/config:
CanonicalizeHostname always
CanonicalDomains example.org

Hope that helps.
Jochen


[Freeipa-users] Re: admin account getting locked

2018-07-10 Thread Jochen Hein via FreeIPA-users
hedrick--- via FreeIPA-users writes:

> We have a number of systems on the internet. They are constantly
> attacked through ssh. A lot of attacks try to guess passwords for a
> user called “admin.”

If you don't need the user admin on the outside facing boxes, you could
try that in /etc/sss/sssd.conf:

,----
| ...
| [nss]
| homedir_substring = /home
| filter_users = root, admin
| ...
`----

Jochen



[Freeipa-users] Re: keycloak

2018-06-07 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes:

> I don't know where Keycloak upstream is.

Look at http://www.keycloak.org

Jochen


[Freeipa-users] Re: some basic questions about FreeIPA

2018-05-14 Thread Jochen Hein via FreeIPA-users
Udo Rader via FreeIPA-users writes:

> Our current setup looks like this:
...
> #4 DHCP is handled by multiple, distributed ISC DHCP servers,
> configured to pull their configuration from OpenLDAP (network
> definitions, routers, NTP servers, MAC addresses etc.)
...
> Regarding DHCP, all I found were some older documents describing
> intentions to implement it [1], but I'm uncertain if that ever
> happened.

I'm using dnsmasq for DHCP.  My workflow is something like this:

- A host gets added to FreeIPA, its IP address is stored in LDAP for
  IPA's DNS.

- I manually add the MAC address to the server record:
  ipa host-mod  --macaddress=

- A script pulls the hosts from IPA and generates a config fragment for
  dnsmasq.  If there were changes, dnsmasq is reloaded.

Jochen

#!/bin/bash
# Pull all hosts from FreeIPA and write a dnsmasq dhcp-host fragment.
# The fragment is only replaced (and dnsmasq restarted) when it changed
# and contains at least one host.

# $out was never defined in the posted script; the target file is assumed
# from the .tmp name used there.
out=/etc/dnsmasq.d/dynamic-hosts.conf
tmp=${out}.tmp

# Host principal for the ipa lookup (hostname elided in the original post).
KRBPRINC='host/.example@example.org'

kinit -k "$KRBPRINC" || exit 1

# Header of the generated fragment.  The posted heredoc was lost in the
# archive, so this comment header is a reconstruction.  ${tmp}.empty keeps
# the header alone, so a run that found no hosts can be detected below.
cat > "${tmp}.empty" <<EOF
# Generated from FreeIPA host entries - do not edit, changes are overwritten.
EOF
cp "${tmp}.empty" "${tmp}.$$"

LC_ALL=C.UTF-8 ipa host-find --all --raw | awk '
/fqdn:/ { ipstr=""; split($2, host, ".") }
# for multi-homed hosts, the description contains the interface name:
# resolve <shortname>-<iface> and emit a dhcp-host line for its MAC.
/iface:/ {
    cmd = "getent ahostsv4 " host[1] "-" $2
    cmd | getline ipstr
    close(cmd)          # without close() a repeated command would return EOF
    split(ipstr, ip, " ")
    if (ip[1] != "")
        printf "dhcp-host=%s,id:*,%s,%s-%s,24h\n", $3, ip[1], host[1], $2
    else
        printf "ERROR: no ip for host »%s« and interface »%s«.\n", host[1], $2 > "/dev/stderr"
}' >> "${tmp}.$$"

sort < "${tmp}.$$" > "$tmp"
rm -f "${tmp}.$$"

kdestroy -A

if cmp -s "$out" "$tmp"; then
    # nothing changed
    rm -f "$tmp" "${tmp}.empty"
elif cmp -s "$tmp" "${tmp}.empty"; then
    # header only: no hosts found, keep the existing fragment
    rm -f "$tmp" "${tmp}.empty"
else
    mv "$tmp" "$out"
    rm -f "${tmp}.empty"
    systemctl restart dnsmasq.service
fi



[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-08 Thread Jochen Hein via FreeIPA-users

Hi,

Duncan Colhoun via FreeIPA-users writes:

> Can I get some feedback on the overall experience setting up and
> running Free-IPA. I am looking at implementing Free-IPA to
> enhance/replace an OpenLDAP environment.

I'm running a small FreeIPA (2 servers) installation in a family
network. Install is easy, administration is also easy. I'm really happy
with SSO and CA for internal SSL servers.

Be prepared to read the Red Hat manuals and when problems show up, don't
hesitate to ask here. I found most fixes in the archive, but reading
this lists helped too. The developers are really helpful and friendly.

> So please share any horror/success stories.

I'm not comfortable resolving replication conflicts, but they really are
exceptional events.

Jochen



[Freeipa-users] Re: admin's credentials revoked?

2018-03-01 Thread Jochen Hein via FreeIPA-users
Bret Wortman via FreeIPA-users writes:

> # kinit admin
> kint: Client's credentials have been revoked while getting initial
> credentials
>
> Then while looking at /var/log/httpd/error_log:
>
> [date] [:error] [pid] [remote 192.168.1.50:96] Database Error: Server
> is unwilling to perform: Too many failed logins.
>
> What the? How can my admin account be getting locked?

Do you have an IPA client exposed to the internet?  Drive-by test logins
often try admin and could lock you out.  You should filter the users
with sssd.  Add this to your /etc/sss/sssd.conf and restart sssd:

[nss]
filter_users = root, admin

Jochen



[Freeipa-users] Re: Zone transfers between external DNS slave and Internal IPA master

2018-03-01 Thread Jochen Hein via FreeIPA-users
Randy Morgan via FreeIPA-users writes:

[BIND as slave on IPA DNS masters]

> Has anyone set this up before and if so, do you have a sample config
> that I could look at to gain a better understanding of what is needed
> here?

I'm running a pair of IPA servers with a single DNS slave.  There's one
catch: you must select one IPA master where you get your zone from.
Each IPA master has its own SOA record in the zone - otherwise you
would get errors due to lower SOA...

On the IPA side you must allow transfer for each needed zone:
ipa dnszone-mod  --allow-transfer=

The secondary is just a regular slave:

,----
| masters ipa { 192.168.x.y; };
| 
| zone "example.org." IN {
|   type slave;
|   file "slave/example.org";
|   masters { ipa; };
| };
`----

Jochen



[Freeipa-users] Re: OTP for specific services only

2018-02-23 Thread Jochen Hein via FreeIPA-users
Winfried de Heiden via FreeIPA-users writes:

> OTP using IPA 4.5 on CentOS seems to work well. However: I can force a user 
> to use OTP and/or a host. 

Authentication indicators won't work that way...

> Selecting a user, ALL authentication needs OTP. Since sudo in this case will 
> ask for OTP also, this turn out
> quite inconvenient. Is is possible to select only certain services for OTP. 
> for example:
>
> login using SSH --> OTP
> login ftp --> OTP
> console --> password only
> sudo --> password only

Not easily with FreeIPA, but I do something similar with Privacyidea and
Yubikeys.  In FreeIPA I authenticate my user with RADIUS (freeradius and
Privacyidea).  In Privacyidea my user has a Yubikey token assigned, so I
log on with password+OTP when logging in.  When I do sudo I have a
special PAM config: Users with a yubikey authenticate only with OTP
instead of "NOPASSWD" - that way I don't need to type my password, but
still have some authentication going on.

You can't do that with tokens defined in FreeIPA, but looking at PAM
options might help you to get something working. Do you use hardware
tokens or a smartphone app/soft token?

Jochen



[Freeipa-users] Re: How to replace a failed CA?

2018-02-21 Thread Jochen Hein via FreeIPA-users
Bret Wortman via FreeIPA-users writes:

> I may be going about this in the hardest way possible, so let me stop
> and roll everything back to my root need:
>
> I have two IPA servers which manage our infrastructure. We used to
> have three, but a catastrophic failure on one led to its total
> loss. And it was our CA.
>
> So now we have no CA -- is there a way to promote an existing system
> to take over? I realize it may well mean distributing a new root CA
> cert to everyone, but that seems less painful now than trying to set
> up a brand new cluster of servers and try to port our data over to
> them...

I'd start looking for the ca data in LDAP. If you still have it, you
might be lucky - if not there's no way to recreate the data (beside from
a backup of the failed server - which I guess doesn't exist any longer).

Do you have a tree o=ipaca in your LDAP?

Jochen



[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Jochen Hein via FreeIPA-users
Bret Wortman via FreeIPA-users writes:

> Sequence of events in trying to stand up a new IPA server to replace
> (wholesale) our old ones.
>
...
> 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders
...
> And now I'm back where I was. IPA is running and contains our user,
> host, and DNS data (plus others) from the original hosts but I can't
> connect to it using firefox. Any other possible solutions to this
> problem?
>
> We're using the same realm & network name, and we have to do that.

I'd try with another CA subject, see
https://blog.delouw.ch/2015/11/29/setting-up-ipa-with-a-specific-ca-cert-subject/
for details.

Jochen



[Freeipa-users] Re: freeipa with sudo and 2FA (OTP)

2018-02-05 Thread Jochen Hein via FreeIPA-users
John Ratliff via FreeIPA-users writes:

> Okay, so the problem wasn't that it wasn't working; it's that I didn't
> understand the prompts. Debian only prompts for password, but wants
> password + OTP on the same field. CentOS prompts for First Factor /
> Second Factor.
>
> Is there any way I can make it so that on Debian clients it asks for
> the factors separately as well?

Can you please look at /etc/pam.d?  Debian uses pam_unix to get the
password+OTP, CentOS/Fedora use pam_sss for non-local users.  I've added
the following to /usr/share/pam-configs and use that instead of pam_unix
and pam_sss.



[attachment: unix+sss (binary data)]

Jochen



[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Jochen Hein via FreeIPA-users
Alex Corcoles via FreeIPA-users writes:

> Is there any official literature about how to monitor FreeIPA?

I'm using https://github.com/peterpakos/checkipaconsistency to monitor
my replicas.

> Is there any plan to provide an official way to monitor FreeIPA? My
> foremost concern would be to ensure that all clients are correctly enrolled
> and sudo/ssh work, so I am not locked out of my systems. Ensuring that
> replication works seems good and popular. Of course I can check that all
> services are running and ports respond.
>
> What are the most common ways for FreeIPA to break?

Right now we had some problems with certificates not/halfway renewing,
so some tool to check LDAP against the different cert-stores might be
helpful.

Jochen



[Freeipa-users] Re: how to avoid ntpd?

2018-01-15 Thread Jochen Hein via FreeIPA-users
Lukas Slebodnik via FreeIPA-users writes:

> On (15/01/18 10:53), Rob Crittenden via FreeIPA-users wrote:

>>As I read it he has the reverse problem. He installed with NTP support
>>and now wants to remove it.
>>
>>You need to remove NTP as a managed IPA service by removing the entry:
>>
>>cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
>>
>>ipactl will no longer try to start the service.

I am also considering removing the ntp service from my IPA servers...

>>Note that without good time then you may run into serious issues with
>>Kerberos and replication.
>
> I do not have any time related problems with chronyd + fedora *default* 
> configuration.

I also think that now all major Linux distributions configure some kind
of NTP client service per default (at least Debian, Ubuntu, CentOS run
here and enable some timesync by default - systemd-timesyncd too looks
very promising).

Even if the clients don't use the same NTP servers (each distribution
has its own pool) the time should be good enough.  At least that's what
I see on my systems - time is not a problem.

Jochen



[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Jochen Hein via FreeIPA-users
Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

> Il 09/01/2018 18:19, Jochen Hein via FreeIPA-users ha scritto:
>> Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>> writes:
>>
>>> Done, ipactl status report everything running,
>>
>> That's not correct, see below.
>>
>>> but certificates don't renew.
>>> Looking at certmonger (in debug mod) I can see:
>>>
>>> "Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
>>> request, will retry: 4035 (RPC failed at server.  Request failed with
>>> status 500: Non-2xx response from CA REST API: 500. ).
>>
>> internal error from apache
>>
>>> Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
>>> request, will retry: -504 (libcurl failed to execute the HTTP POST
>>> transaction, explaining:  Failed connect to
>>> idc02.linux.unicloudidattica.local:443; Connection refused).
>>
>> no apache running
>
> I don't think so. HTTP 500 doesn't mean apache is not running, but an
> internal server error.
> Indeed I can reach the administration web ui. Login fails due to time
> skew, but apache is fully responsive.

Have a look again: Host idc01 delivers 500 - internal error. Host idc02
has no apache running ("connection refused").

> Apache return 500 when something behind the scene fails (maybe the
> pki-tomcat part, following a post to api).

Yes, try fixing idc01 - most probably dogtag/pki-tomcat there.

Jochen



[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Jochen Hein via FreeIPA-users
Giulio Casella via FreeIPA-users 
writes:

> Done, ipactl status reports everything running,

That's not correct, see below.

> but certificates don't renew.
> Looking at certmonger (in debug mode) I can see:
>
> "Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
> request, will retry: 4035 (RPC failed at server.  Request failed with
> status 500: Non-2xx response from CA REST API: 500. ).

internal error from apache

> Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining:  Failed connect to
> idc02.linux.unicloudidattica.local:443; Connection refused).

no apache running

> Have I to try to remove/re-add monitoring from certmonger for service
> certificates?

No - try to find out the errors above. Leave certmonger alone until you
fixed apache/dogtag.

Jochen

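The two replies above turn on reading the certmonger retry messages correctly: a negative libcurl code with "Connection refused" means nothing is listening on 443 on that host, while a positive RPC code carrying "status 500" means httpd answered and something behind it (the CA REST API, i.e. pki-tomcat) failed. The following is an added example, not code from the thread or from certmonger/FreeIPA, that parses such messages and reports per host which layer failed. The sample log and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of certmonger debug output, modelled on the two messages
# quoted in this thread; the hostnames are placeholders, not the poster's.
SAMPLE_LOG = """\
Server at https://ipa1.example.test/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
Server at https://ipa2.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to ipa2.example.test:443; Connection refused).
Server at https://ipa3.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  SSL certificate problem: certificate has expired).
"""

# One certmonger "failed request, will retry" message.  DOTALL lets the
# pattern span a message that a mail client or terminal has wrapped.
_MSG = re.compile(
    r"Server at (?P<url>https?://\S+) failed request, will retry: "
    r"(?P<code>-?\d+) \((?P<detail>.*?)\)\.",
    re.DOTALL,
)


def classify(code, detail):
    """Map one retry message to the layer that failed.

    Negative codes come from libcurl: the request never got through (nobody
    listening, TLS failure, DNS).  Positive codes are answers from the IPA
    framework, so httpd is up and the failure is behind it.
    """
    text = " ".join(detail.split())
    if code < 0:
        if "Connection refused" in text:
            return "transport: connection refused (no httpd listening on 443)"
        if "certificate" in text.lower():
            return "transport: TLS failure (check the server certificate)"
        return "transport: libcurl failure (%s)" % text
    m = re.search(r"status (\d{3})", text)
    if m and int(m.group(1)) >= 500:
        return ("application: httpd answered HTTP %s "
                "(framework/CA backend such as pki-tomcat failing)" % m.group(1))
    return "application: RPC error %d (%s)" % (code, text)


def diagnose(log_text):
    """Return {hostname: classification} for every retry message in the log."""
    result = {}
    for m in _MSG.finditer(log_text):
        host = urlparse(m.group("url")).hostname
        result[host] = classify(int(m.group("code")), m.group("detail"))
    return result


if __name__ == "__main__":
    for host, verdict in sorted(diagnose(SAMPLE_LOG).items()):
        print("%-20s %s" % (host, verdict))
```

Run against `getcert list` or the certmonger debug log, the per-host verdict tells you which server to fix first and where to look (httpd not running versus a backend failure behind a running httpd), which is exactly the distinction the reply draws.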


[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-05 Thread Jochen Hein via FreeIPA-users
Cody Rathgeber  writes:

> Thanks, I'm sure it was a versioning issue as the server is 4.5, and I see
> the default ubuntu 14.04 packages I was using were 3.3. Using the repo
> Jochen mentioned I can install 4.0 on ubuntu 14.04 but I will get the below
> errors in the log during install, is this still due to 4.0 being too far
> behind the server's 4.5 and I'll need to build from source?

Possible.  I don't know where the problems begin - I started with IPA
server 4.1/4.2 some time ago and enrolled my 14.04 laptop with 4.0.4
client (I had a system with 12.04 enrolled too).  I'm not going to
install/enroll another old laptop - only 16.04 and newer...

Jochen



[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-04 Thread Jochen Hein via FreeIPA-users
Cody Rathgeber via FreeIPA-users 
writes:

> I'm trying to deploy freeipa to an environment running a mix of ubuntu
> 16.04 and 14.04 servers.
> on 16.04 the servers join and can pull down users no problem, on 14.04 when
> joining it'll throw a
>
> "Unable to find 'admin' user with 'getent passwd ad...@redacted.net'!:"

What packages do you use on 14.04?  I'm using the packages from
ppa:freeipa/4.0.  What's your IPA server release?

There were also reports about sssd problems:
https://www.redhat.com/archives/freeipa-users/2017-January/msg00190.html

Jochen



[Freeipa-users] Re: Using pam_krb5 to change password at ssh prompt gives shell

2017-11-28 Thread Jochen Hein via FreeIPA-users
Aaron Hicks via FreeIPA-users 
writes:

> As a workaround for another issue we have with using two-factor
> authentication, we're using pam_krb5 to change expired passwords, so in
> /etc/pam.d/password-auth-ac we have changed the password section to be:
>
...
>
> This puts the user through a password reset process without the second
> factor interfering, but at the end they get shell. This is without the
> second factor.
>
>  
>
> Is there a parameter for this so that the connection is disconnected instead, or
> the connection attempt is restarted?

I'd try pam_deny.  This should work for password section.

Jochen



[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-26 Thread Jochen Hein via FreeIPA-users
Kristian Petersen via FreeIPA-users
 writes:

> The dirsrv log just shows a bunch of the following:
> [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
> could not bind id [cn=Replication Manager cloneAgreement1-ipa
> 2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism
> [SIMPLE]: error 32 (No such object)
>
> That makes sense though since pki-tomcat won't start.  Rob was asking what
> was in the logs located at /var/log/pki/pki-tomcat/ca/debug, but that path
> doesn't exist on any of my IPA servers.  He said that would normally be the
> first place to look.  Hence, I am looking for other solutions.

Brute force: reproduce the error and run "find /var/log -mmin -1 -type f -ls".
This finds the files changed in the last minute - one of these might
help.

Jochen



[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-26 Thread Jochen Hein via FreeIPA-users
Kristian Petersen via FreeIPA-users
 writes:

> When I recently updated one of my IPA servers (it reports
> 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up
> because pki-tomcatd kept failing.  I was able to get it running for now by
> ignoring the failure of that one service, but I haven't been able to
> determine the cause.  The logs are pretty quiet on this one.  They show the
> failure itself, but not information that helps me fix the problem.  

Can you show the relevant logs?  Is there something in the dirsrv logs
at that time?  CA logs aren't easy to read, but should give at least a
hint where to look further.

Jochen



[Freeipa-users] Re: Manual IPA client install

2017-10-17 Thread Jochen Hein via FreeIPA-users
Mark Haney via FreeIPA-users 
writes:

> since these two servers are CentOS 6.9.  I'm almost certain I've got
> everything setup correctly, but I'm still unable to login as an IPA
> user either with SSH or with su - . I get ' does
> not exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney'
> successfully:

This looks like some problem with sssd.  Do you see your user with "id

> Rob Crittenden had me check the keytab KVNO and it matches with the
> KVNO of the IPA server.  The one issue I can definitely say I have is
> this:
>
> kinit -kt /etc/krb5.keytab
> kinit: Generic preauthentication failure while getting initial credentials

Can you show a trace with "KRB5_TRACE=/dev/stderr kinit -kt
/etc/krb5.keytab"?  What do you see in the KDC log?

Jochen



[Freeipa-users] Re: Web UI login fails after upgrading to 4.5

2017-10-05 Thread Jochen Hein via FreeIPA-users
Marius Bjørnstad via FreeIPA-users
 writes:

> After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login
> failed due to an unknown reason" on the web UI, no matter if I use the
> admin user or my personal user.
...
> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
> /var/run/ipa/ccaches/armor_7424 -X
> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
> non-zero exit status 1

Do you have krb5-pkinit installed?  I think there is a dependency
missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
it's needed for WebUI login.

Jochen



[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients

2017-09-09 Thread Jochen Hein via FreeIPA-users
Torsten Harenberg via FreeIPA-users
 writes:

> Suddenly, our Linux Mint clients refrain from logging in users and
> throw a system error. I increased the log level and the relevant lines
> seem to be:
>
> (Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] 
> [hbac_eval_user_element] (0x0040): Parse error on [
> cn=System: Manage Host
> Principals+nsuniqueid=53120f31-41e811e7-b96dfa31-96759478,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]:
> Malformed cache entry

This looks like an entry created by a replication conflict. Do you use
replicas? Then I'd check for replication conflicts:
http://directory.fedoraproject.org/docs/389ds/design/managing-repl-conflict-entries.html

Jochen

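The tell-tale in the quoted sssd line is the first RDN: 389-ds resolves a replication conflict by renaming the losing entry to `<rdn>+nsuniqueid=<id>`, and that multi-valued RDN is what sssd could not parse. As an added example (not code from the thread, from sssd or from 389-ds), the block below pulls the DNs out of such "Parse error on [...]" messages, undoes the line wrapping a mailer or terminal introduces, flags the conflict entries and recovers the DN each one was meant to have. The log lines, suffix and nsuniqueid value are constructed.

```python
import re

# Constructed sssd debug output in the shape quoted above: the DN inside
# [...] is wrapped across lines, as it was in the post.  The suffix and the
# nsuniqueid are placeholders, not the poster's values.
SAMPLE_LOG = """\
(Sun Sep 10 03:19:09 2017) [sssd[be[example.test]]] [hbac_eval_user_element] (0x0040): Parse error on [
cn=System: Manage Host
Principals+nsuniqueid=0123abcd-0123abcd-0123abcd-0123abcd,cn=permissions,cn=pbac,dc=example,dc=test]:
Malformed cache entry
(Sun Sep 10 03:19:10 2017) [sssd[be[example.test]]] [hbac_eval_user_element] (0x0040): Parse error on [
cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=example,dc=test]:
Malformed cache entry
"""

# A conflict entry's first RDN is "<original rdn>+nsuniqueid=<id>"; the RDN
# itself may contain spaces and colons but never a comma.
_CONFLICT_RDN = re.compile(
    r"^(?P<rdn>[^,]+?)\+nsuniqueid=(?P<id>[0-9a-fA-F-]+)(?P<rest>,.*)$"
)
# The DN sssd complains about, possibly spread over several lines.
_PARSE_ERROR = re.compile(r"Parse error on \[\s*(?P<dn>.*?)\s*\]:", re.DOTALL)


def is_conflict_dn(dn):
    """True when the DN carries the nsuniqueid marker of a replication conflict."""
    return _CONFLICT_RDN.match(dn) is not None


def original_dn(dn):
    """Strip the nsuniqueid component: the DN the entry was intended to have."""
    m = _CONFLICT_RDN.match(dn)
    if m is None:
        return dn
    return m.group("rdn") + m.group("rest")


def parse_error_dns(log_text):
    """Yield every DN sssd failed to parse, with line wrapping collapsed."""
    for m in _PARSE_ERROR.finditer(log_text):
        yield " ".join(m.group("dn").split())


def find_conflicts(log_text):
    """Return [(conflict_dn, intended_dn)] for the conflict entries in the log."""
    return [(dn, original_dn(dn))
            for dn in parse_error_dns(log_text) if is_conflict_dn(dn)]


if __name__ == "__main__":
    for conflict, intended in find_conflicts(SAMPLE_LOG):
        print("conflict entry: %s\n   intended DN: %s" % (conflict, intended))
```

The same `is_conflict_dn` test works on DNs from an ldapsearch for `(nsds5ReplConflict=*)`, which is how the 389-ds document linked above suggests locating conflict entries before deciding whether to delete or rename each one.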


[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Jochen Hein via FreeIPA-users
Ludwig Krispenz via FreeIPA-users 
writes:

> This is issue: https://pagure.io/389-ds-base/issue/49334

Thanks for the info.  I like the documentation and analysis in the
tickets (not only this one) - well done!

Jochen



[Freeipa-users] [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Jochen Hein via FreeIPA-users

I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:

Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR 
- dblayer_copy_directory - Backend instance "cldb" does not exist; Instance 
path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR 
- dblayer_backup - Error in copying directory 
(/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> 
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): 
err=-1

The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the
following files:

[root@freeipa1 cldb]# ls -la
insgesamt 6592
drwxr-xr-x. 2 dirsrv dirsrv4096 28. Aug 16:12 .
drwxrwx---. 6 dirsrv dirsrv  47  1. Dez 2016  ..
-rw---. 1 dirsrv dirsrv 5668864 30. Aug 08:54 
105a1694-b80711e6-a735c4e0-b4c95686_583b44c10004.db
-rw-r--r--. 1 dirsrv dirsrv   0 28. Aug 16:12 
105a1694-b80711e6-a735c4e0-b4c95686.sema
-rw---. 1 dirsrv dirsrv 1064960 30. Aug 08:52 
6464fab3-b80711e6-a735c4e0-b4c95686_5840787c000d.db
-rw-r--r--. 1 dirsrv dirsrv   0 28. Aug 16:12 
6464fab3-b80711e6-a735c4e0-b4c95686.sema
-rw---. 1 dirsrv dirsrv  30  1. Dez 2016  DBVERSION

The directory
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
does not exist, all I have is:

[root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
insgesamt 0
drwxrwx---. 2 dirsrv dirsrv  6 30. Aug 01:34 .
drwxrwx---. 6 dirsrv dirsrv 47  1. Dez 2016  ..

I'll create
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
manually and will see if that helps. I think it should be created during
upgrade or backup if it is missing.  What do you think?

Jochen



[Freeipa-users] Re: FIPA OTP 2FA

2017-08-08 Thread Jochen Hein via FreeIPA-users
saidireddy ranabothu via FreeIPA-users
 writes:

> I have enabled password+OTP authentication for a user and able to sync
> tokens and SSH.
>
> While ssh to server using FIPA credentials it's asking authentication in
> two steps as First Factor and Second Factor .
>
> But I just want to give it in a single line password. Can anyone suggest
> how to do it as a single line password?

Try just pressing Enter when asked for second factor.

Jochen



[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-06 Thread Jochen Hein via FreeIPA-users
Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon renewal run a post script to import the updated cert
>> into the java keystore.
>
> This is my current script to get a cert from IPA, which is tracked by
> certmonger.  I've yet to test refreshing a certificate, but the steps
> manually did work (I expect some SELINUX woes...):

Exactly as I thought, I got an AVC denied:

> # Get a certificate and key from IPA
> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
> #   -k /etc/pki/tls/private/saml.example.org.key \
> #   -N CN=saml.example.org \
> #   -D saml.example.org \
> #   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
> ##   -C ""

type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for
pid=7057 comm="certmonger" name="refresh_keycloak_certificate"
dev="sda1" ino=36338210 scontext= system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

I stored my refresh script in /root and might have some luck with
chcon.  But is there a location, for example in /etc, that would give my
script the needed rights?  No examples I've looked at in the IdM manual
used -C and no discussion about selinux labels.

certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:

# ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0   
/usr/libexec/ipa/certmonger/restart_httpd

Once I label my script with bin_t I get more denials, so probably not
the right thing to do:

type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for  pid=12545 
comm="mkhomedir" name="lib" dev="vdc1" ino=131 
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for  pid=15759 
comm="certmonger" name="configuration" dev="vda1" ino=17147456 
scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=dir
type=AVC msg=audit(1501619132.710:1173): avc:  denied  { write } for  pid=15759 
comm="certmonger" name="configuration" dev="vda1" ino=17147456 
scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=dir
type=AVC msg=audit(1501619192.323:1174): avc:  denied  { create } for  
pid=18555 comm="certmonger" name="saml.jochen.org.key" 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for  pid=15759 
comm="certmonger" name="root" dev="vda1" ino=33595521 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1501699449.127:2460): avc:  denied  { write } for  pid=15759 
comm="certmonger" name="root" dev="vda1" ino=33595521 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for  
pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" 
ino=36338210 scontext=system_u:system_r:certmonger_t:s0 
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for  pid=3851 
comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for  pid=3852 
comm="openssl" name="temp.p12" dev="sda1" ino=18535954 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for  pid=3854 
comm="keytool" name="cpu" dev="sysfs" ino=33 
scontext=system_u:system_r:certmonger_t:s0 
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Is there some documentation where the admin should store his scripts and
how to label them that I missed?

I found certmonger_selinux, but that's too abstract for me. 

The (probably too big) hammer made it work for me:

# chcon -v --type=certmonger_unconfined_exec_t 
/root/refresh_keycloak_certificate

Jochen

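The AVC records above are easier to reason about once they are reduced to (source type, target type, class, permission) tuples: every denial here has certmonger_t as the source, and the target types (admin_home_t, usr_t, sysfs_t) say where the helper and the files it writes actually live. The following is an added example, not code from the thread or from the SELinux tooling, that parses such records and counts them by that tuple; the sample records are constructed in the same shape as the ones posted, with placeholder file names.

```python
import re
from collections import Counter

# Constructed AVC records, one per line as auditd writes them; the file names
# and inode numbers are placeholders.
SAMPLE_AVC = """\
type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for  pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for  pid=3851 comm="openssl" name="saml.example.test.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for  pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for  pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

_DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
# key=value pairs; values are either double-quoted or a bare token
_KV = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
_TS = re.compile(r"msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\)")


def selinux_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other lines."""
    d = _DENIED.search(line)
    if d is None:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group("key")] = (m.group("quoted") if m.group("quoted") is not None
                                  else m.group("bare"))
    ts = _TS.search(line)
    return {
        "serial": int(ts.group("serial")) if ts else None,
        "perms": d.group("perms").split(),     # e.g. ["read", "write"]
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def summarize(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AVC).items()):
        print("%3d  %s -> %s  %s:%s" % (n, key[0], key[1], key[2], key[3]))
```

Feed it the output of `ausearch -m avc` after reproducing the failure; the tuples it prints are the same ones `audit2allow` would turn into allow rules, which makes it easy to see that what the policy objects to is a helper and key material under /root and /usr rather than in a location certmonger_t is allowed to execute and write.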


[Freeipa-users] Re: Valid Sender ? - Re: Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Hein via FreeIPA-users
Rob Crittenden  writes:

> certmonger doesn't support storing certificates in a java keystore.

That's what I found out :-)

> The tricky bit might be in dealing with the CSR. certmonger needs the
> private key in order do the renewal.
>
> I guess one thing you could do is a straight ipa-getcert -f
> /path/to/cert.pem -k /path/to/key.pem ...  -C
> /path/to/your/post/script

Something like that might work and I hoped that someone might have done
and documented it before... 

> Then take the resulting PEM files, create a PKCS#12 file out of them,
> and import that into your java keystore.

That's what I'll try - let's see how that works out.

Jochen



[Freeipa-users] ipa-getcert and java certstore/keytool

2017-08-02 Thread Jochen Hein via FreeIPA-users

Hi,

I'm playing around with keycloak and wanted to use an SSL certificate
from IPA.  I've looked around but didn't see any howto about using java
keytool with ipa-getcert. Does anyone have experience with it?

I was not successful adding key/cert created by certmonger into keytool,
and also not successful signing a csr from keytool with IPA. If no one
has hints, I'll try again and provide commands/logs...

Jochen



[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Jochen Hein via FreeIPA-users
Prasun Gera via FreeIPA-users 
writes:

> The only thing I would be interested in knowing is if there is a
> performance penalty to mounting NFS locally. Ideally, it should be smart
> enough to know that, but I'm not sure if it is.

On my NFS server /home is a local ext4 mount and exported. The clients
automount it as /zentral.  autofs.zentral contains:

*   -fstype=nfs4,rw,sec=krb5p,soft,rsize=8192,wsize=8192
nfs.example.org:/home/&

When I access /zentral/jochen I get the following mount:

/dev/mapper/home_lv on /zentral/jochen type ext4 
(rw,noatime,errors=remount-ro,data=ordered)

That seems to be a bind mount.

Jochen



[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth

2017-06-12 Thread Jochen Hein via FreeIPA-users

Hello Dagan,

> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.

I use ocserv on my VPN server and openconnect - normally with GSSAPI,
but I'll try with password/OTP.

> The Yubikeys in the existing configuration are in a static file, which
> does reference a cloud api key but I am not sure if this is required?

No, it is not required.

> I am hoping to be able to register each Yubikey against a user is
> FreeIPA and not have to use any external components to verify them.

How do you use the two slots on the yubikey? I do use slot 1 with a self
programmed yubico mode, but you can also enroll a yubikey directly into
FreeIPA.  I was happy to overwrite slot 1, but you might want to use
slot 2.

> But I am looking for some guidance on how that configuration might work. 

I guess it's almost too easy...

- enable OTP in freeipa:
  ipa config-mod --user-auth-type='password' --user-auth-type='otp'

- enroll the yubikey:
  ipa otptoken-add-yubikey  --slot=<1 or 2>
  beware that the slot will be overwritten and the secret programmed
  there will be lost.

- enable OTP for the user
  ipa user-mod  --user-auth-type='password' --user-auth-type='otp'

On your RADIUS server just use PAM-sss against FreeIPA.

My ocserv talks pam directly and asks for "First Factor" and "Second
Factor". If RADIUS only asks for "Password", just enter .

That's it.

Jochen

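The steps above enrol the YubiKey slot as a counter-based (HOTP) token and then let the user type password and OTP into a single "Password" prompt when the RADIUS side cannot ask for a second factor. As an added illustration, not FreeIPA's or sssd's own implementation, the block below shows what the verifying side has to do with such a single-line credential: split the fixed-length OTP off the end, check the password first, then check the OTP against a look-ahead window of HOTP counters (RFC 4226) and advance the stored counter so the code cannot be replayed. The secret is the RFC 4226 test-vector key and the password is a constructed sample value; a real verifier would compare against a password hash rather than the plaintext.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors (20 ASCII digits), used here
# only so the generated codes can be checked against the published values.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpToken:
    """Server-side state of one counter-based token.

    `window` is how far ahead of the stored counter a code may be: button
    presses that never reached the server advance the key's counter but not
    ours, so a small look-ahead keeps the token usable without accepting
    arbitrary old codes.
    """

    def __init__(self, secret, counter=0, digits=6, window=5):
        self.secret = secret
        self.counter = counter
        self.digits = digits
        self.window = window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                # Move past the accepted counter so the same code is never accepted twice.
                self.counter = c + 1
                return True
        return False


def verify_single_line(token, stored_password, submitted):
    """Accept "<password><otp>" typed into one password prompt.

    The OTP is always exactly token.digits characters, so it is split off the
    end; the password is whatever precedes it (and may itself end in digits).
    The password is checked first and the token counter is only touched when
    it was right, so a wrong password cannot be used to burn through counters.
    """
    if len(submitted) <= token.digits:
        return False
    password, otp = submitted[:-token.digits], submitted[-token.digits:]
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    return otp.isdigit() and token.verify(otp)


if __name__ == "__main__":
    token = HotpToken(SECRET)
    print("first codes:", [hotp(SECRET, c) for c in range(3)])
    print("single-line login:", verify_single_line(token, "hunter2", "hunter2755224"))
    print("replayed:", verify_single_line(token, "hunter2", "hunter2755224"))
```

This is also why "First Factor" and "Second Factor" prompts and the single-line form are equivalent from the server's point of view: the only thing that matters is that the OTP has a known length so the two factors can be separated before either is checked.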