[Freeipa-users] Re: posix and non-posix AD users
I'm going to piggyback on this thread, because it is very relevant to a question I have.

What's the difference between the two options (ipa-ad-trust vs. ipa-ad-trust-posix), other than the uid & gid mapping? Why would I choose one over the other?

I have always scratched my head a little bit over why my AD users are able to log in to our FreeIPA (IdM) environment when they don't have the uidNumber attribute set in AD. That's the case, although a Red Hat consultant who helped me set up our environment over a year ago said that we needed to make sure we set the uidNumber attribute.

My process for creating the groups within IdM has been to run the following 4 commands:

    ipa group-add --desc='AD groupName External Group' ad_groupName_external --external
    ipa group-add --desc='AD groupName Internal-Posix' ad_groupName_posix
    ipa group-add-member ad_groupName_posix --groups ad_groupName_external
    ipa group-add-member ad_groupName_external --external 'corp-ad-domain.com\groupName'
    # just hit enter at the prompts for this last command.

-David

From: Florence Renaud via FreeIPA-users
Reply-To: FreeIPA users list
Date: Friday, May 7, 2021 at 10:45
To: FreeIPA users list
Cc: iulian roman, Florence Renaud
Subject: [Freeipa-users] Re: posix and non-posix AD users

Hi,

when a trust is established with posix range type, the users need to have uidNumber and gidNumber set on AD side.
If you want IdM to generate uid and gid, the range type has to be ipa-ad-trust instead of ipa-ad-trust-posix but I believe the posix attributes of the AD entries won't be taken into account in this case (even if the AD entry contains a uidnumber/gidnumber, the one seen from IdM clients will be generated and is likely to differ).

flo

On Fri, May 7, 2021 at 3:34 PM iulian roman via FreeIPA-users wrote:

> I have configured a trust between IdM and Active Directory with posix range type. The users which do have a uidNumber in AD are correctly listed, but those without uidNumber are not (similar for the groups). Is there any setting or possibility to have the AD users without uidNumber get a uid generated automatically (if they do not have one in AD) by IPA and listed as AD users in Linux?
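What the two range types actually do with an AD entry, as an added example (not FreeIPA or SSSD code) that models the behaviour Flo describes and the symptom in iulian's question: with an ipa-ad-trust range the Linux ID is derived from the user's SID (modelled here as base_id + (RID - rid_base), bounded by the range size, after the --base-id/--range-size/--rid-base parameters of `ipa idrange-add`) and any uidNumber in AD is ignored; with an ipa-ad-trust-posix range the uidNumber stored in AD is used as-is and an entry without one is simply not mapped. The domain SID, ranges and AD entries below are constructed for the example.

```python
"""Linux UID an IdM client would see for an AD user under each trust range type."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    range_type: str        # "ipa-ad-trust" or "ipa-ad-trust-posix"
    base_id: int           # first Linux ID of the range (--base-id)
    range_size: int        # number of IDs in the range (--range-size)
    domain_sid: str        # SID of the trusted AD domain the range belongs to
    rid_base: int = 0      # first RID mapped into the range (--rid-base); algorithmic only


def split_sid(sid: str):
    """Return (domain_sid, rid) for an object SID such as S-1-5-21-a-b-c-1105."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def map_uid(entry: dict, rng: IdRange) -> Optional[int]:
    """UID for an AD entry (dict of attributes), or None if the entry is not mapped."""
    if rng.range_type == "ipa-ad-trust-posix":
        # POSIX range: the attribute in AD is authoritative, nothing is generated.
        if entry.get("uidNumber") is None:
            return None
        uid = int(entry["uidNumber"])
        # An ID outside the configured range is rejected as well.
        return uid if rng.base_id <= uid < rng.base_id + rng.range_size else None

    if rng.range_type == "ipa-ad-trust":
        # Algorithmic range: derive the ID from the SID; uidNumber is never consulted.
        domain_sid, rid = split_sid(entry["objectSid"])
        if domain_sid != rng.domain_sid:
            return None                     # object from a different domain
        offset = rid - rng.rid_base
        if not 0 <= offset < rng.range_size:
            return None                     # RID falls outside this range's slice
        return rng.base_id + offset

    raise ValueError(f"unsupported range type {rng.range_type!r}")


# Constructed sample data (not from a real forest).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
POSIX_RANGE = IdRange("ipa-ad-trust-posix", 200000000, 200000, DOMAIN_SID)
ALGO_RANGE = IdRange("ipa-ad-trust", 200000000, 200000, DOMAIN_SID, rid_base=0)

USER_WITH_POSIX = {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1105",
                   "uidNumber": "200001234"}
USER_WITHOUT_POSIX = {"sAMAccountName": "bob", "objectSid": DOMAIN_SID + "-1106"}

if __name__ == "__main__":
    for rng in (POSIX_RANGE, ALGO_RANGE):
        for user in (USER_WITH_POSIX, USER_WITHOUT_POSIX):
            print(f"{rng.range_type:20} {user['sAMAccountName']:6} -> {map_uid(user, rng)}")
```

Two consequences worth keeping in mind when picking a range type: under a POSIX range, whoever can write uidNumber/gidNumber in AD decides which Linux identity a user gets, so the range bounds and AD write permissions on those attributes are part of the security model; under an algorithmic range, alice's generated UID (200001105 above) differs from the 200001234 stored in AD, which matters if files on NFS or elsewhere were created under the AD-assigned number.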
[Freeipa-users] Re: Health Checks for RHEL7
> I assume /usr/local/lib/python3.x isn't in your PYTHONPATH. This is a
> dead-end though as many of the checks aren't applicable to 4.6.x.

Ah, that makes sense.

> I did a backport a few releases ago and built it against EPEL but it's still
> rough.
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/

That looks sweet. Thanks for your work here. I tested it in the lab, intentionally broke something, and confirmed that it works fine.

I've started writing a number of health checks of my own, apart from your code here, that look for exit status codes. Running your code in debug mode (--debug), I don't see whether or not EACH of these checks is returning a separate status code (i.e. 0 = healthy, or !0 = not healthy). Does this script do anything like that?

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
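One way to get the per-check status the question above is after, as an added example (not part of freeipa-healthcheck): instead of relying on the process exit status, read the report the tool writes with `--output-type json`, which carries one object per check with "source", "check", "result" and "kw" keys, where "result" is SUCCESS, WARNING, ERROR or CRITICAL. The report embedded below is constructed for the example, not captured output, and the threshold logic (which severities count as a failure) is this example's own choice.

```python
"""Summarise an ipa-healthcheck JSON report check by check."""
import json
import sys

SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample in the shape of `ipa-healthcheck --output-type json`.
SAMPLE_REPORT = """[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
   "result": "SUCCESS", "kw": {"key": "20200101000000"}},
  {"source": "ipahealthcheck.ds.replication", "check": "ReplicationConflictCheck",
   "result": "ERROR", "kw": {"msg": "replication conflict entry found"}},
  {"source": "ipahealthcheck.system.filesystemspace", "check": "FileSystemSpaceCheck",
   "result": "WARNING", "kw": {"msg": "/var/log/dirsrv: free space under threshold"}}
]"""


def severity(result):
    """Rank a result string; anything unrecognised is treated as CRITICAL."""
    return SEVERITY.get(result, SEVERITY["CRITICAL"])


def per_check_status(report_json):
    """{(source, check): result} for every entry in the report."""
    return {(e["source"], e["check"]): e["result"] for e in json.loads(report_json)}


def worst_result(report_json):
    """Highest-severity result in the report; SUCCESS for an empty report."""
    return max(per_check_status(report_json).values(), key=severity, default="SUCCESS")


def failing_checks(report_json, fail_on="WARNING"):
    """(source, check, result) for every check at or above the threshold."""
    return [(s, c, r) for (s, c), r in per_check_status(report_json).items()
            if severity(r) >= severity(fail_on)]


def exit_code(report_json, fail_on="ERROR"):
    """0 when nothing at or above fail_on was reported, else 1 (for cron/monitoring)."""
    return 0 if severity(worst_result(report_json)) < severity(fail_on) else 1


if __name__ == "__main__":
    # Usage: ipa-healthcheck --output-type json | python3 this_script.py
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for source, check, result in failing_checks(report):
        print(f"{result:8} {source}.{check}")
    sys.exit(exit_code(report))
```

Keeping the per-check names in the output (rather than collapsing to a single 0/1) is what makes a later regression attributable: a monitoring job can alert on ERROR and above while still recording WARNING results for trend review.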
[Freeipa-users] Health Checks for RHEL7
Are any of you aware of any way to get these health checks working on a RHEL 7 system?
https://github.com/freeipa/freeipa-healthcheck

IIRC, these checks weren't really introduced until a newer version of FreeIPA, so they are only included on RHEL 8 and above, but I'm wondering if there's a way to get these installed manually. Is this possible on RHEL 7?

I tried doing the following in a lab environment:
- Downloaded the code and extracted it
- pip3 install pytest-runner
- python3 setup.py install

Now, I do have an executable at /usr/local/bin/ipa-healthcheck

However, when I go to run that, I'm getting the following error:

    [root@cha-cop-lab-mgt-ath-001 freeipa-healthcheck-master]# /usr/local/bin/ipa-healthcheck
    Traceback (most recent call last):
      File "/usr/local/bin/ipa-healthcheck", line 11, in <module>
        load_entry_point('ipahealthcheck==0.6', 'console_scripts', 'ipa-healthcheck')()
      File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 476, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2700, in load_entry_point
        return ep.load()
      File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2318, in load
        return self.resolve()
      File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2324, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
    ModuleNotFoundError: No module named 'ipahealthcheck'
[Freeipa-users] Re: Resetting LDAP Password
Thank you.

Without getting too much into the weeds, I've had an ongoing conversation for quite some time with some support folks who are trying to help me troubleshoot why we've been unable to get authentication working - as of yet - on RHEL 6 clients, when RHEL 7 works perfectly fine. The support team asked me to run that query and provide stdout, but as of yet, I've been unable to get it to work, due to the failed credentials.

Your explanation makes a lot of sense.

Due to the limitations of sssd in RHEL 6 and how sssd integrates with an IPA installation that has a trust back to AD, I'm aware that there are some differences in how the client gets configured. I think some of the limitations we're running into are also related to our firewall flows and that we're using KdcProxy features on the IdM servers to proxy all Kerberos requests to AD through the IPA servers.

I've sent this email thread over to our (new) technical account manager, and we'll continue to work together towards a resolution.

On 8/4/20, 10:42 AM, "Alexander Bokovoy" wrote:

On ti, 04 elo 2020, White, David via FreeIPA-users wrote:
>We have an IPA environment that has an existing trust with Active Directory.
>
>I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment.
>It keeps asking for an LDAP Bind password.
>
>1. I know the Directory Admin password
>2. I know the local 'admin' password to get into the UI as the "admin" user
>3. I know my own Active Directory password.
>
>None of these passwords are working.
>
>[root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
>Enter LDAP Password:
>ldap_bind: Invalid credentials (49)
>
>I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched.
>How can I reset this LDAP password?

What are you trying to achieve here?

You are using compat tree which is a read-only dynamic view on some content provided elsewhere.

You are using your own account RDN but ldapsearch wants your DN for bind, not RDN. Your DN depends on what you want to authenticate with:
- if this is your AD user, then you need to use a compat tree DN for uid=whitedm@ad.domain,cn=users,cn=compat,dc=
- if this is your IPA user, then you need to use your IPA user DN, e.g. uid=admin,cn=users,cn=accounts,dc=...
- if this is Directory Manager, then DN is 'cn=Directory Manager'. It looks like RDN but that's a virtual object which doesn't exist anywhere and is treated by 389-ds in a special way.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Resetting LDAP Password
We have an IPA environment that has an existing trust with Active Directory.

I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment.
It keeps asking for an LDAP Bind password.

1. I know the Directory Admin password
2. I know the local 'admin' password to get into the UI as the "admin" user
3. I know my own Active Directory password.

None of these passwords are working.

    [root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched.
How can I reset this LDAP password?
[Freeipa-users] Re: Root CA is changing in an AD Trust environment
> Trust to Active Directory does not rely on any CA certificate or certificate
> properties from Active Directory. Many Active Directory forests do not have
> integrated CA at all.

Thanks. That makes me feel a lot better about tonight.

> However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might
> be affected. Please clarify whether this is indeed the case.

I can confirm that we do NOT have IPA set up as a sub-CA.

There was actually a complicated conversation about that specific topic when we were in the midst of deploying. 1 week after having RHEL consultants on site, one of my colleagues made me re-deploy the entire cluster again, because he wanted the sub-CA. After even more back and forth with our Corporate AD team, and testing, we re-deployed yet again without the sub-CA. It was a fiasco. The consultant was great. My colleagues were not. Felt like the longest 3 weeks of my life, with requirements changing on me every other day. LOL.

Thank you!

On 6/24/20, 8:13 AM, "Alexander Bokovoy" wrote:

On ke, 24 kesä 2020, White, David via FreeIPA-users wrote:
>We have IdM / FreeIPA running on RHEL 7 boxes.
>This is a 6-node cluster that has an existing 1-way trust back to
>Active Directory.
>
>IdM is still acting as the CA for its own clients, and when we set up the trust, we used the following command:
>ipa trust-add --type=ad example.com --admin admin_user
>
>We just learned very recently that our Active Directory team is
>generating and installing a new Root CA certificate into AD. That is
>happening tonight at 9pm.
>
>The existing Root CA will remain in place until it expires in about 1 month.
>
>Is there anything that we will have to do to IdM to get it to trust the
>new certificate?

Trust to Active Directory does not rely on any CA certificate or certificate
properties from Active Directory. Many Active Directory forests do not have
integrated CA at all. So for the trust to AD specifically, this is not an issue.

However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might
be affected. Please clarify whether this is indeed the case.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Root CA is changing in an AD Trust environment
We have IdM / FreeIPA running on RHEL 7 boxes.
This is a 6-node cluster that has an existing 1-way trust back to Active Directory.

IdM is still acting as the CA for its own clients, and when we set up the trust, we used the following command:

    ipa trust-add --type=ad example.com --admin admin_user

We just learned very recently that our Active Directory team is generating and installing a new Root CA certificate into AD. That is happening tonight at 9pm.

The existing Root CA will remain in place until it expires in about 1 month.

Is there anything that we will have to do to IdM to get it to trust the new certificate?
Even though the existing Root CA should remain in place for the next month, is there any chance something will break tonight when the new Root certificate is installed?

I know we would be facing a lot more work, had we used AD's Root CA for the client connections. So I feel fortunate in that regard.
[Freeipa-users] HBAC Rule to allow anonymous NFS mounts from specific subnets
Is it possible to allow hosts in specific subnets to connect to a FreeIPA-connected server over NFS anonymously?

e.g. I'm wondering if I could set up an HBAC rule by doing something like the following:

    ipa hbacsvc-add nfs-mount
    ipa hbacrule-add allow_nfs_mount

Then attach that to the NFS server
And then allow "anyone" to connect over NFS to that server

Bonus points if there's a way to restrict the source NFS connection by IP address or subnet

Is this possible?
[Freeipa-users] Re: Getting shell to IdM client via AD credentials takes very long time
> When I ssh, it takes about that long before it even prompts me for my
> username.
> Then it takes a few more seconds to authenticate me after I type in my
> password.

I need to correct myself here. When I SSH, it prompts for a username immediately. When I enter the username, it then takes 15-20+ seconds to prompt for the password. Then it takes a few more seconds before logging me in.

From: "White, David via FreeIPA-users"
Reply-To: FreeIPA users list
Date: Tuesday, March 24, 2020 at 11:09 AM
To: "freeipa-users@lists.fedorahosted.org"
Cc: "White, David"
Subject: [Freeipa-users] Getting shell to IdM client via AD credentials takes very long time

We have a large AD environment, which our IdM / FreeIPA servers authenticate users out of. The issue I'm trying to address is that it takes a very long time (upwards of 15-20+ seconds) to get a shell on any IdM client server.

Our IdM servers are RHEL 7 boxes, using RHEL repositories:

    Installed Packages
    Name    : ipa-server
    Arch    : x86_64
    Version : 4.6.5
    Release : 11.el7_7.4

When I ssh, it takes about that long before it even prompts me for my username. Then it takes a few more seconds to authenticate me after I type in my password.

I have worked through the documents at https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments and https://access.redhat.com/articles/2133801 (which seem to be mostly word-for-word the same article).

I have implemented the recommended settings on the IdM servers, namely, the following is now in the IdM server's sssd.conf file:

    [domain/domname]
    subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
    ignore_group_members = True
    ldap_purge_cache_timeout = 0

This seems to have fixed the delays I noticed whenever I would run "id my-u...@mydomain.com" from any server enrolled in IdM. The "id" command now seems to be very snappy, and responds almost immediately. However, it still takes the same 15-20 seconds+ to get a shell on an IdM client.

Reading the above article(s) on what to do with the client, I'm concerned that the recommended changes won't fix my underlying issue. The articles recommend adding the following to the client's sssd.conf file:

    [pam]
    pam_id_timeout = N

    [domain/domname]
    krb5_auth_timeout = N

I've made the recommended changes to 1 of my clients, but it is still seeing a significant delay.

So, the issue I'm trying to address is the time it takes to login. It would seem to me that the above options don't actually address the "time to login" issue.

Any additional suggestions on this?
[Freeipa-users] Getting shell to IdM client via AD credentials takes very long time
We have a large AD environment, which our IdM / FreeIPA servers authenticate users out of. The issue I'm trying to address is that it takes a very long time (upwards of 15-20+ seconds) to get a shell on any IdM client server.

Our IdM servers are RHEL 7 boxes, using RHEL repositories:

    Installed Packages
    Name    : ipa-server
    Arch    : x86_64
    Version : 4.6.5
    Release : 11.el7_7.4

When I ssh, it takes about that long before it even prompts me for my username. Then it takes a few more seconds to authenticate me after I type in my password.

I have worked through the documents at https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ and https://access.redhat.com/articles/2133801 (which seem to be mostly word-for-word the same article).

I have implemented the recommended settings on the IdM servers, namely, the following is now in the IdM server's sssd.conf file:

    [domain/domname]
    subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
    ignore_group_members = True
    ldap_purge_cache_timeout = 0

This seems to have fixed the delays I noticed whenever I would run "id my-u...@mydomain.com" from any server enrolled in IdM. The "id" command now seems to be very snappy, and responds almost immediately. However, it still takes the same 15-20 seconds+ to get a shell on an IdM client.

Reading the above article(s) on what to do with the client, I'm concerned that the recommended changes won't fix my underlying issue. The articles recommend adding the following to the client's sssd.conf file:

    [pam]
    pam_id_timeout = N

    [domain/domname]
    krb5_auth_timeout = N

I've made the recommended changes to 1 of my clients, but it is still seeing a significant delay.

So, the issue I'm trying to address is the time it takes to login. It would seem to me that the above options don't actually address the "time to login" issue.

Any additional suggestions on this?
[Freeipa-users] Re: Overriding the Default shell for Active Directory users
Thank you. That looks perfect. We're already placing a custom sssd file, so adding that setting is no big deal.

From: Rob Crittenden
Date: Wednesday, March 4, 2020 at 12:23 PM
To: FreeIPA users list
Cc: "White, David"
Subject: Re: [Freeipa-users] Overriding the Default shell for Active Directory users

White, David via FreeIPA-users wrote:
> We have a FreeIPA / IdM environment that talks to Active Directory, where the
> user accounts live.
>
> In the IdM GUI, I have navigated to: IPA Server -> Configuration
> And I configured the "Default Shell" to: /bin/bash
>
> However, whenever new users SSH to a server using their AD credentials, they
> are still put into a /bin/sh shell.
>
> I have created an ID Override for myself by going to: Identity -> ID Views,
> editing the "Default Trust View", and adding myself.
> In my ID Override, I have set my own shell to /bin/bash
>
> My guess is that the global option in IPA Server -> Configuration is only
> applied to local IPA accounts, and not AD accounts.
> Is that a correct assumption?

Yes.

> Is there any way that we can change the default shell for AD users without
> having to manually and individually create an ID Override?

You can do so directly in sssd by setting default_shell in sssd.conf. See also https://computingforgeeks.com/set-default-login-shell-on-sssd-for-ad-trust-users-using-freeipa

There is no way to tell ipa-client-install to do this automatically. You may be able to drop in a config snippet to do this though.
rob
[Freeipa-users] Overriding the Default shell for Active Directory users
We have a FreeIPA / IdM environment that talks to Active Directory, where the user accounts live.

In the IdM GUI, I have navigated to: IPA Server -> Configuration
And I configured the "Default Shell" to: /bin/bash

However, whenever new users SSH to a server using their AD credentials, they are still put into a /bin/sh shell.

I have created an ID Override for myself by going to: Identity -> ID Views, editing the "Default Trust View", and adding myself.
In my ID Override, I have set my own shell to /bin/bash

My guess is that the global option in IPA Server -> Configuration is only applied to local IPA accounts, and not AD accounts.
Is that a correct assumption?

Is there any way that we can change the default shell for AD users without having to manually and individually create an ID Override?
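A check for the client-side sssd.conf changes that come up in two threads on this page (pam_id_timeout, krb5_auth_timeout and the subdomain_inherit list from "Getting shell to IdM client via AD credentials takes very long time", and default_shell from this thread), as an added example that is not SSSD or FreeIPA code. It parses the file with the standard configparser and reports options written into a section where SSSD ignores them, required options missing from every valid section, options set in the IPA domain section but not listed in subdomain_inherit (so users from the trusted AD domain never get them), and ownership/mode other than root-owned 0600, which SSSD refuses to start on and which would otherwise expose any secret the file holds. Section and option names follow sssd.conf(5); the two sample files are constructed for the example.

```python
"""Audit client-side sssd.conf tuning for an IdM client with an AD trust."""
import configparser
import os
import stat

# Sections in which each option takes effect; "domain" means any [domain/...].
PLACEMENT = {
    "pam_id_timeout": {"pam"},
    "krb5_auth_timeout": {"domain"},
    "default_shell": {"nss", "domain"},
    "ignore_group_members": {"domain"},
    "ldap_purge_cache_timeout": {"domain"},
}
# Options a trusted AD subdomain only inherits when listed in subdomain_inherit.
INHERITABLE = {"ignore_group_members", "ldap_purge_cache_timeout"}
# Options a tuned client is expected to have somewhere valid.
REQUIRED = {"pam_id_timeout", "krb5_auth_timeout", "default_shell"}


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _kind(section):
    return "domain" if section.startswith("domain/") else section


def audit(text):
    """Findings for an sssd.conf body; an empty list means the tuning is in place."""
    cp = parse_sssd_conf(text)
    findings, where = [], {}
    for sect in cp.sections():
        for opt in cp.options(sect):
            if opt not in PLACEMENT:
                continue
            where.setdefault(opt, []).append(sect)
            if _kind(sect) not in PLACEMENT[opt]:
                findings.append(f"[{sect}] {opt} is ignored here; it belongs in {sorted(PLACEMENT[opt])}")
    for opt in sorted(REQUIRED):
        if not any(_kind(s) in PLACEMENT[opt] for s in where.get(opt, [])):
            findings.append(f"{opt} is not set in any of {sorted(PLACEMENT[opt])}")
    for sect in cp.sections():
        if not sect.startswith("domain/"):
            continue
        raw = cp.get(sect, "subdomain_inherit", fallback="")
        inherited = {o.strip() for o in raw.split(",") if o.strip()}
        for opt in sorted(INHERITABLE & set(cp.options(sect))):
            if opt not in inherited:
                findings.append(f"[{sect}] {opt} is set but not listed in subdomain_inherit, "
                                "so users from the trusted AD domain do not get it")
    return findings


def permission_findings(uid, mode):
    """Findings for owner uid and permission bits; SSSD wants root and 0600."""
    findings = []
    if uid != 0:
        findings.append(f"sssd.conf is owned by uid {uid}, expected root")
    if mode & 0o077:
        findings.append(f"sssd.conf mode {oct(mode)} grants group/other access, expected 0600")
    return findings


def check_file(path="/etc/sssd/sssd.conf"):
    """Audit a real file: ownership and mode first, then content."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    return permission_findings(st.st_uid, stat.S_IMODE(st.st_mode)) + audit(text)


# Constructed samples: one tuned as the articles describe, one with common mistakes.
TUNED_CONF = """
[sssd]
services = nss, pam, ssh
domains = ipa.example.net

[nss]

[pam]
pam_id_timeout = 20

[domain/ipa.example.net]
id_provider = ipa
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
krb5_auth_timeout = 15
default_shell = /bin/bash
"""

MISPLACED_CONF = """
[sssd]
services = nss, pam
domains = ipa.example.net

[domain/ipa.example.net]
id_provider = ipa
pam_id_timeout = 20
ignore_group_members = True

[pam]
krb5_auth_timeout = 15
"""

if __name__ == "__main__":
    for name, conf in (("tuned", TUNED_CONF), ("misplaced", MISPLACED_CONF)):
        print(name, "->", audit(conf) or "OK")
```

The misplaced sample shows why the "I applied the settings but nothing changed" outcome is so common: configparser (and SSSD) accept pam_id_timeout under a domain section or krb5_auth_timeout under [pam] without complaint, and ignore_group_members without the matching subdomain_inherit entry only speeds up lookups of IPA's own users, not the AD users whose login is slow.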
[Freeipa-users] Re: Proxy LDAP queries to Active Directory
Hello,

Thanks for your response on this.

> you can bind as AD user with the DN of the AD user object from the compat tree

To confirm, are you suggesting that I simply create the service account inside of Active Directory, but still have Mediawiki talk to the IdM server?

Mediawiki takes a json file. The following works perfectly fine when I use an IdM service account. In the below config, `idm.example.com` is a specific node in the IdM cluster.

    {
      "LDAP": {
        "connection": {
          "server": "idm.example.com",
          "user": "uid=admin,cn=users,cn=compat,dc=example,dc=com",
          "pass": "REDACTED",
          "port": "389",
          "enctype": "clear",
          "basedn": "dc=example,dc=com",
          "groupbasedn": "dc=example,dc=com",
          "userbasedn": "dc=example,dc=com",
          "searchattribute": "uid",
          "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com",
          "usernameattribute": "uid",
          "realnameattribute": "cn",
          "emailattribute": "mail"
        }
      }
    }

When I update this config to talk to AD, I use the same server address, but I change the values as appropriate to match AD's requirements for searchattribute, searchstring, usernameattribute, etc.

I'm still unable to get this to work, but I'm also still troubleshooting, and not giving up. As I continue to troubleshoot, I wanted to respond to this and make sure I'm clear on what you're suggesting.

Thanks again,
David

From: Sumit Bose via FreeIPA-users
Reply-To: FreeIPA users list
Date: Monday, January 6, 2020 at 12:10 PM
To: "freeipa-users@lists.fedorahosted.org"
Cc: Sumit Bose
Subject: [Freeipa-users] Re: Proxy LDAP queries to Active Directory

On Mon, Jan 06, 2020 at 05:01:05PM +, White, David via FreeIPA-users wrote:
> Is there a way to proxy client LDAP requests to the upstream Active Directory that FreeIPA is configured to trust?
>
> I have AD, where users live.
> I have FreeIPA / RedHat IdM.
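The bind-DN question runs through two threads on this page: the ldapsearch attempt in "Resetting LDAP Password", where the bind used an RDN (`cn=whitedm`) instead of a DN, and the MediaWiki config above, where a login name is substituted into the template `uid=USER-NAME,cn=users,cn=compat,dc=example,dc=com`. The added example below (not FreeIPA, 389-ds or MediaWiki code) builds the three DN forms Alexander lists (Directory Manager, an IPA user under cn=accounts, an AD user under the compat tree) and, for the template case, escapes the substituted value per RFC 4514 so that a login such as `x,cn=users,cn=accounts` cannot smuggle extra RDNs into the DN. The base DN and domain names are constructed for the example. One caveat on the posted config itself: `"enctype": "clear"` on port 389 sends the bind password in plaintext, so the same bind should go over StartTLS (what `ldapsearch -ZZ` in the other thread does) or LDAPS.

```python
"""Bind DNs for an IdM server with an AD trust, built safely from a login name."""
from typing import Optional

# Characters RFC 4514 section 2.4 requires to be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    if "\x00" in value:
        raise ValueError("NUL is not allowed in a DN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading hash
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(login: str, base_dn: str, ad_domain: Optional[str] = None) -> str:
    """DN to pass to `ldapsearch -D` or to an application's bind/search template.

    login      what the user typed: 'admin', 'whitedm@corp.example.com',
               or the literal 'Directory Manager'
    base_dn    suffix of the IPA directory, e.g. 'dc=example,dc=com'
    ad_domain  trusted AD domain; when given, a bare login is treated as an AD
               user and qualified with it
    """
    if login == "Directory Manager":
        # Virtual root DN that 389-ds treats specially; it is not under the suffix.
        return "cn=Directory Manager"
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        principal = f"{user}@{domain.lower()}"
    elif ad_domain:
        principal = f"{login}@{ad_domain.lower()}"
    else:
        # Native IPA account: its real entry lives under cn=accounts.
        return f"uid={escape_dn_value(login)},cn=users,cn=accounts,{base_dn}"
    # AD user: only the read-only compat view exposes it with a bindable DN.
    return f"uid={escape_dn_value(principal)},cn=users,cn=compat,{base_dn}"


def fill_search_template(login: str, base_dn: str, ad_domain: str) -> str:
    """Fill the MediaWiki-style 'uid=USER-NAME,cn=users,cn=compat,...' template."""
    return bind_dn(login, base_dn, ad_domain)


if __name__ == "__main__":
    base = "dc=example,dc=com"
    for who in ("Directory Manager", "admin", "whitedm@corp.example.com"):
        print(f"{who:28} -> {bind_dn(who, base)}")
    # A hostile login becomes an escaped value, not additional RDNs.
    print(fill_search_template("x,cn=users,cn=accounts", base, "corp.example.com"))
```

Binding as the AD user through the compat tree is what Sumit's reply points at: the application still talks only to the IdM server, but the DN it binds with is the AD user's compat entry, not an account under cn=accounts.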
[Freeipa-users] Proxy LDAP queries to Active Directory
Is there a way to proxy client LDAP requests to the upstream Active Directory that FreeIPA is configured to trust?

I have AD, where users live.
I have FreeIPA / RedHat IdM.
And I have servers that are registered to FreeIPA.

But I also have applications (such as Mediawiki, or Red Hat Satellite to name a few) that support LDAP authentication.

I want to be able to use my AD credentials to login to Mediawiki or Satellite, but have the application bind to FreeIPA, instead of binding it to AD.

Is this possible?

I currently:
Have successfully bound Mediawiki to FreeIPA, and I can login to Mediawiki using an account that is built locally in FreeIPA, but I cannot login to Mediawiki using my AD credentials.

- David White
Engineer II, Fiber Systems Engineering
(423) 648-1500, Option 2
[Freeipa-users] Re: Setup AD Trust without DNS resolution from AD
> Yep, so you cannot do anything until your AD DCs will be able to query
> DNS for IPA domain.

Let me try to clarify what I'm after.

Our production environment (which I described below) is working fine. There are no problems, and I don't need or want to query against IdM's DNS.

I now want to set up a completely new, completely separate Lab IdM realm: LAB-REALM.EXAMPLE.COM

In the Lab environment, we only have "2" DNS servers:
- IdM
- RH-LAB-DNS

RH-LAB-DNS does NOT have 53/tcp or 53/udp communication to AD-DNS. But FreeIPA does have the other ports open (389/tcp, 135/tcp, 138-139/tcp & udp, etc.)

Because my RH-LAB-DNS servers don't have 53/tcp or 53/udp access to AD DNS, I was hoping that I could put the AD SRV, TXT Kerberos and other necessary records into RH-LAB-DNS. I'll basically turn RH-LAB-DNS into an authoritative zone for AD (and yes, I know that's very bad practice. I would never dream of doing something like that in a production environment).

If you STILL say this is not possible, then oh, well.

I appreciate the thought experiment, and thank you for your time!

-David

From: Alexander Bokovoy
Date: Thursday, December 19, 2019 at 11:12 AM
To: FreeIPA users list
Cc: "White, David"
Subject: Re: [Freeipa-users] Re: Setup AD Trust without DNS resolution from AD

On to, 19 joulu 2019, White, David via FreeIPA-users wrote:
>> Are AD DCs using that DNS server to look up IPA zone records already?
>> Again, this is about AD DCs, not IPA itself.
>
>AD (and the Corporate environment) talk to 1 set of DNS servers (let's call this AD-DNS).
>Our RedHat servers talk to a different set of DNS servers (let's call this RH-DNS).
>IdM runs DNS internally for its own realm.
>
>IdM forwards to RH-DNS for anything that it doesn't know about.
>RH-DNS forwards to AD-DNS for anything that it doesn't know about.
>AD-DNS does NOT query against RH-DNS or IdM.
>
>To make sure I'm not crazy, I just logged into a Windows box on the AD
>environment and did the following:
>P:\>nslookup idm.example.com
>Server: ad.example.com
>Address: 10.1.1.2
>*** ad.example.com can't find idm.example.com: Non-existent domain

Yep, so you cannot do anything until your AD DCs will be able to query
DNS for IPA domain.

>
>On 12/19/19, 10:31 AM, "Alexander Bokovoy" wrote:
>
>    On to, 19 joulu 2019, White, David via FreeIPA-users wrote:
>    >Thank you for both of your responses.
>    >
>    >> No. The reason for that is that AD domain controllers have to resolve IPA
>    >> DC addresses as well and they use DNS for that too.
>    >I feel fairly certain that our AD environment is not currently able to
>    >resolve our production IPA servers. AD is not set up to do DNS
>    >resolution in our corporate environment, for one, and for another, I
>    >know that the IPA realm hasn't been added to our corporate DNS servers
>    >(as a slave zone, a forwarding zone, or otherwise).
>    >
>    >To clarify on our setup, IPA of course has its own realm.
>    >IPA is running its own DNS services.
>    >We have BIND running elsewhere that does DNS forwarding to the IPA
>    >realm.
>    Are AD DCs using that DNS server to look up IPA zone records already?
>    Again, this is about AD DCs, not IPA itself.
>
>    >
>    >> Just to add to that, you can't put SRV records in /etc/hosts, it merely
>    >> offers a means to resolve names to IPs and vice versa AFAIK.
>    >
>    >We have a stand-alone DNS server in our lab environment.
>    >Is it not possible to add the Active Directory SRV records in there?
>    Do you host the whole AD domain DNS zone on that DNS server?
>    Is that DNS server marked as authoritative to that zone?
>
>    --
>    / Alexander Bokovoy
>    Sr. Principal Software Engineer
>    Security / Identity Management Engineering
>    Red Hat Limited, Finland

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Setup AD Trust without DNS resolution from AD
> Are AD DCs using that DNS server to look up IPA zone records already?
> Again, this is about AD DCs, not IPA itself.

AD (and the Corporate environment) talk to 1 set of DNS servers (let's call this AD-DNS).
Our RedHat servers talk to a different set of DNS servers (let's call this RH-DNS).

IdM runs DNS internally for its own realm.
IdM forwards to RH-DNS for anything that it doesn't know about.
RH-DNS forwards to AD-DNS for anything that it doesn't know about.
AD-DNS does NOT query against RH-DNS or IdM.

To make sure I'm not crazy, I just logged into a Windows box on the AD environment and did the following:

P:\>nslookup idm.example.com
Server: ad.example.com
Address: 10.1.1.2

*** ad.example.com can't find idm.example.com: Non-existent domain

On 12/19/19, 10:31 AM, "Alexander Bokovoy" wrote:

    On to, 19 joulu 2019, White, David via FreeIPA-users wrote:
    >Thank you for both of your responses.
    >
    >> No. The reason for that is that AD domain controllers have to resolve IPA
    >> DC addresses as well and they use DNS for that too.
    >I feel fairly certain that our AD environment is not currently able to
    >resolve our production IPA servers. AD is not set up to do DNS
    >resolution in our corporate environment, for one, and for another, I
    >know that the IPA realm hasn't been added to our corporate DNS servers
    >(as a slave zone, a forwarding zone, or otherwise).
    >
    >To clarify on our setup, IPA of course has its own realm.
    >IPA is running its own DNS services.
    >We have BIND running elsewhere that does DNS forwarding to the IPA
    >realm.
    Are AD DCs using that DNS server to look up IPA zone records already?
    Again, this is about AD DCs, not IPA itself.

    >
    >> Just to add to that, you can't put SRV records in /etc/hosts, it merely
    >> offers a means to resolve names to IPs and vice versa AFAIK.
    >
    >We have a stand-alone DNS server in our lab environment.
    >Is it not possible to add the Active Directory SRV records in there?
    Do you host the whole AD domain DNS zone on that DNS server?
    Is that DNS server marked as authoritative to that zone?

    --
    / Alexander Bokovoy
    Sr. Principal Software Engineer
    Security / Identity Management Engineering
    Red Hat Limited, Finland
[Freeipa-users] Re: Setup AD Trust without DNS resolution from AD
Thank you for both of your responses.

> No. The reason for that is that AD domain controllers have to resolve IPA DC
> addresses as well and they use DNS for that too.

I feel fairly certain that our AD environment is not currently able to resolve our production IPA servers. AD is not set up to do DNS resolution in our corporate environment, for one, and for another, I know that the IPA realm hasn't been added to our corporate DNS servers (as a slave zone, a forwarding zone, or otherwise).

To clarify on our setup, IPA of course has its own realm.
IPA is running its own DNS services.
We have BIND running elsewhere that does DNS forwarding to the IPA realm.

> Just to add to that, you can't put SRV records in /etc/hosts, it merely
> offers a means to resolve names to IPs and vice versa AFAIK.

We have a stand-alone DNS server in our lab environment.
Is it not possible to add the Active Directory SRV records in there?

From: Angus Clarke
Date: Thursday, December 19, 2019 at 7:22 AM
Cc: "White, David", Alexander Bokovoy
Subject: [Freeipa-users] Re: Setup AD Trust without DNS resolution from AD

Just to add to that, you can't put SRV records in /etc/hosts, it merely offers a means to resolve names to IPs and vice versa AFAIK.

Regards
Angus

From: Alexander Bokovoy via FreeIPA-users
Sent: Wednesday, 18 December 2019, 19:47
To: FreeIPA users list
Cc: White, David; Alexander Bokovoy
Subject: [Freeipa-users] Re: Setup AD Trust without DNS resolution from AD

On ke, 18 joulu 2019, White, David via FreeIPA-users wrote:
>I am trying to spin up a new 2-node cluster in my lab environment.
>
>I have FreeIPA installed, and can log in to the web UI.
>At this point, I'm trying to establish a trust with AD:
>
>ipa trust-add --type=ad example.net --admin administrator
>
>Based on the errors I was getting with that command's stdout and
>subsequent research, it occurred to me that I don't have DNS resolution
>to our corporate internal DNS from my lab environment.
>
>As this is a lab environment, I really don't care about best practices
>(although I do eventually want to get corporate DNS resolution into my
>lab, that's likely not happening until January given the holidays... and
>I need to make progress on this project if at all possible).
>
>Is it possible to set the required AD records into `/etc/hosts` on each
>of the (2) nodes?

No. The reason for that is that AD domain controllers have to resolve IPA DC addresses as well and they use DNS for that too. So it is not just on the IPA side. Additionally, after they have resolved SRV records via DNS, they perform the actual site-local search using connectionless LDAP (CLDAP, 389/UDP) directly at the DCs and then resolve those DCs via DNS, so there is a need to have a fully working DNS setup.

>
>And/or since I already have IdM installed with DNS services, is it
>possible for me to go into the web UI, and create a new DNS zone in
>there for the upstream AD environment?
>
>Here are the records I've entered into my /etc/hosts file on the master
>FreeIPA server that I'm trying to use to establish the trust (As you
>can see, we have 4 AD servers, so I have set the "A" record in
>/etc/hosts four different times):
>
>Idm-node-1.fiberlab.example.net
>Idm-node-2.fiberlab.example.net
>example.net
>example.net
>example.net
>example.net
>_kerberos._tcp.example.net
>_kerberos._tcp.example.net
>_kerberos._tcp.example.net
>_kerberos._tcp.example.net
>_kerberos._udp.example.net
>_kerberos._udp.example.net
>_kerberos._udp.example.net
>_kerberos._udp.example.net

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
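As an added example (my own code, not from this thread or from the FreeIPA project), here is a small standard-library DNS client that asks a chosen resolver, for instance AD-DNS at 10.1.1.2 as in the nslookup above, for the SRV records of the IPA domain, the lookups Alexander says the AD DCs themselves must be able to perform. The set of SRV names in check_ipa_srv is my assumption; compare it with the records ipa-adtrust-install prints for your own domain.

```python
import socket
import struct


def build_query(name, qtype, txid=0x1234):
    """Build a recursion-desired DNS query with one question of type QTYPE."""
    labels = b"".join(struct.pack("B", len(p)) + p.encode()
                      for p in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def read_name(pkt, off):
    """Decode a (possibly compressed) name at OFF; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_answers(pkt):
    """Return (rcode, [(priority, weight, port, target), ...]) from a response."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(pkt, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 33:  # SRV
            prio, weight, port = struct.unpack(">HHH", pkt[off:off + 6])
            target, _ = read_name(pkt, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x000F, records  # rcode 0 = NOERROR, 3 = NXDOMAIN


def query_srv(resolver, name, timeout=3.0):
    """Send one SRV query to RESOLVER over UDP/53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, 33), (resolver, 53))  # 33 = SRV
        data, _ = sock.recvfrom(4096)
    return parse_srv_answers(data)


def check_ipa_srv(resolver, ipa_domain):
    """Map each SRV name an AD DC needs for the IPA domain to (rcode, records)."""
    names = [f"{s}.{ipa_domain}" for s in ("_ldap._tcp", "_kerberos._tcp",
             "_kerberos._udp", "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")]
    return {n: query_srv(resolver, n) for n in names}  # assumed name list
```

Run check_ipa_srv('10.1.1.2', 'idm.example.com') from a host that can reach the AD DNS server; rcode 3 on every name reproduces the "Non-existent domain" failure shown above, and an /etc/hosts entry cannot change that answer because hosts files carry no SRV data.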
[Freeipa-users] Setup AD Trust without DNS resolution from AD
I am trying to spin up a new 2-node cluster in my lab environment.

I have FreeIPA installed, and can log in to the web UI.
At this point, I'm trying to establish a trust with AD:

ipa trust-add --type=ad example.net --admin administrator

Based on the errors I was getting with that command's stdout and subsequent research, it occurred to me that I don't have DNS resolution to our corporate internal DNS from my lab environment.

As this is a lab environment, I really don't care about best practices (although I do eventually want to get corporate DNS resolution into my lab, that's likely not happening until January given the holidays... and I need to make progress on this project if at all possible).

Is it possible to set the required AD records into `/etc/hosts` on each of the (2) nodes?

And/or since I already have IdM installed with DNS services, is it possible for me to go into the web UI, and create a new DNS zone in there for the upstream AD environment?

Here are the records I've entered into my /etc/hosts file on the master FreeIPA server that I'm trying to use to establish the trust (As you can see, we have 4 AD servers, so I have set the "A" record in /etc/hosts four different times):

Idm-node-1.fiberlab.example.net
Idm-node-2.fiberlab.example.net
example.net
example.net
example.net
example.net
_kerberos._tcp.example.net
_kerberos._tcp.example.net
_kerberos._tcp.example.net
_kerberos._tcp.example.net
_kerberos._udp.example.net
_kerberos._udp.example.net
_kerberos._udp.example.net
_kerberos._udp.example.net
[Freeipa-users] Is there potential for split-brain with even number of FreeIPA nodes?
Reviewing the FreeIPA documentation for deployment recommendations, I read: "generally, it is recommended to have at least 2-3 replicas in each datacenter".

A couple of months ago, when we initially designed and deployed FreeIPA / IdM, we decided to deploy 3 nodes into each of our two datacenters, for a total of 6 servers. I have re-deployed that cluster 4-5 different times over the past few months for various reasons as we've continued to test things and prepare for use in our production environment.

In master-master database clusters (such as a MariaDB Galera cluster), you never want to have an even number of servers, to avoid the potential for a split-brain scenario.

https://galeracluster.com/library/documentation/weighted-quorum.html

    Clusters that have an even number of nodes risk split-brain conditions. Should you lose network connectivity somewhere between the partitions in a way that causes the number of nodes to split exactly in half, neither partition can retain quorum and both enter a non-primary state.

Is this a scenario that FreeIPA could run into?
[Freeipa-users] Re: Allow AD users to manage FreeIPA
That's very helpful. Thank you very much.

Is there any chance RHEL & CentOS would add this `freeipa-adusers-admins` plugin for RHEL 7.x? If what I read on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/enabling-ad-user-to-administer-idm_managing-user-groups-cli is correct, the prerequisite is to run RHEL 8 and use the `idm:DL1` stream and install the `adtrust` module.

If so, this isn't that big of a deal. We can still manage our ipa servers without Web UI admin access. Or we can of course use a shared service account or something. It would have been helpful, though, to give those permissions to an AD user in our environment.

Thanks again,

- David White
Engineer II, Fiber Systems Engineering

On 11/27/19, 9:05 AM, "Alexander Bokovoy" wrote:

    On ke, 27 marras 2019, White, David via FreeIPA-users wrote:
    >I'm reviewing the documentation at
    >https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I
    >am hoping to allow members of certain AD groups to login to FreeIPA
    >from the web GUI. Does this documentation only apply to the FreeIPA
    >CLI, or does it also affect access to manage through the web GUI?
    You should be looking at the official documentation, not upstream design documents.

    Official documentation for FreeIPA is available at access.redhat.com:

    RHEL7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
    RHEL7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html
    RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/
    RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/index
    RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/index

    The last link has a chapter related to your enquiry, "CHAPTER 22. ENABLING AD USERS TO ADMINISTER IDM":
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/enabling-ad-user-to-administer-idm_managing-user-groups-cli

    >I'm also a little bit confused why the documentation says to add a
    >domain user to the AD "administrators" group (as an ID Override). That
    >feels like a security risk, because I don't want the user to be
    >considered an Active Directory administrator -- I only want the person
    >(well, any members of the `engineers` group) to have admin access over
    >FreeIPA.
    If you have the ipa-idoverride-memberof package installed (as part of the idm:DL1/adtrust profile, for example), you can add ID overrides to any group that has the associated permissions to manage resources. The documentation shows adding to the 'admins' group as an example because this group is given all permissions in IPA already.

    >
    >It sounds like this would have to be done on a user-by-user basis (and
    >is not something we could apply to an entire AD group that already
    >exists)?
    It is not something you could apply to an entire group, correct. The group-based addition is not implemented yet.

    >I ran:
    >`id administra...@ad.domain.com` and verified that I do have stdout.
    >
    >But then I ran:
    >`ipa group-show administra...@ad.domain.com` and stdout included:
    >ipa: ERROR: administra...@ad.domain.com: group not found
    >
    >Is there any way to accomplish what I want?
    No, that is not possible. You might want to read more details in
    https://raw.githubusercontent.com/abbra/freeipa-adusers-admins/master/plugin/Feature.mediawiki

    --
    / Alexander Bokovoy
    Sr. Principal Software Engineer
    Security / Identity Management Engineering
    Red Hat Limited, Finland
[Freeipa-users] Allow AD users to manage FreeIPA
I'm reviewing the documentation at https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow members of certain AD groups to log in to FreeIPA from the web GUI. Does this documentation only apply to the FreeIPA CLI, or does it also affect access to manage through the web GUI?

Let's say we have an AD group named "engineers", and I want those engineers to have admin access over FreeIPA. If the above documentation only affects the CLI, that feels a little bit redundant, because we can of course easily create Sudo / Su rules to allow members of "engineers" to have control over the FreeIPA nodes using HBAC rules and such. (This is already done and working -- members of `engineers` already have CLI admin access over FreeIPA -- I now want them to have GUI admin access).

I'm also a little bit confused why the documentation says to add a domain user to the AD "administrators" group (as an ID Override). That feels like a security risk, because I don't want the user to be considered an Active Directory administrator -- I only want the person (well, any members of the `engineers` group) to have admin access over FreeIPA.

It sounds like this would have to be done on a user-by-user basis (and is not something we could apply to an entire AD group that already exists)?

I ran:
`id administra...@ad.domain.com` and verified that I do have stdout.

But then I ran:
`ipa group-show administra...@ad.domain.com` and stdout included:
ipa: ERROR: administra...@ad.domain.com: group not found

Is there any way to accomplish what I want?

- David White
Engineer II, Fiber Systems Engineering