Re: [Freeipa-users] Advise for the best way to achieve AD Caching?
Hi Petr,

Thanks for the response. I didn't know about Samba 4, so that's worth some further investigation on my part - thanks.

So from what you've said below it can't run as a standalone, but SSSD does allow caching (if a user has authenticated previously). Does IPA have the ability to cache credentials for ~1 hour, so if there is a short loss of network connectivity users still get the OK from the cache?

I'm still having a look at SyncRepl from slapd for replication, but not sure how this will work in the event that the Provider is uncontactable - as long as it caches credentials/details for ~1 hour that's acceptable.

Regards
David

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Thursday, May 05, 2016 18:17
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to configure/setup an on-site cache &/or replica from an AD Server which will be uni-directional (AD -> IPA/slapd).
>
> The masters are multiple AD Servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure.
>
> What I want to achieve is in the event we lose connectivity with the world users can still authenticate, but if someone is disabled/updated at the top level it replicates down. I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software.
>
> Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method.

All methods which can work completely off-line will require access to keys on the AD server. This means either some additional software on the AD side OR having a proper AD server which is hosted locally. This could theoretically be a Samba 4 AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere, but it comes with its own limitations, e.g. users who never logged in before will not be able to log in when the network link is down.

I hope this helps.

Petr^2 Spacek

> Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place.
>
> Are there any other setups that will achieve what I require? Have seen slapd with proxy cache but I'm not sure on this option either, and configuring slapd with all the ldif files manually seems a little daunting at first sight.
>
> Thanks in advance,
> David

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
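Petr's SSSD caveat and David's question about riding out a short outage both come down to two sssd.conf settings: cache_credentials in the domain section (without it nobody logs in offline, and even with it only users who have logged in online at least once) and offline_credentials_expiration in the [pam] section, which is expressed in days with 0 meaning cached credentials never expire, so a ~1 hour window cannot be expressed at that granularity. The following shell check, an added example that is not part of the thread, reads those two settings from an sssd.conf-style file; the sample configurations are constructed and the domain name example.com is an assumption.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): read the SSSD settings
# that govern offline logins from an sssd.conf-style file.
set -u

# Print the value of KEY in section SECTION of FILE (empty if unset).
# Sections are matched exactly, e.g. "domain/example.com".
sssd_setting() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ {
            line = $0; gsub(/[ \t]/, "", line)
            insec = (line == sec); next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# Succeeds when cache_credentials is enabled for DOMAIN, i.e. users who have
# logged in at least once while online can still log in during an outage.
sssd_offline_ready() {
    v=$(sssd_setting "$1" "domain/$2" cache_credentials | tr 'A-Z' 'a-z')
    [ "$v" = "true" ]
}

# Print how many days cached credentials stay valid after the last online
# login. SSSD's default is 0, meaning they never expire.
sssd_offline_expiry_days() {
    v=$(sssd_setting "$1" pam offline_credentials_expiration)
    printf '%s\n' "${v:-0}"
}

# Constructed sample configuration (assumed domain example.com).
SAMPLE_SSSD_CONF=$(mktemp)
cat > "$SAMPLE_SSSD_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[pam]
# days, not hours: 1 is the smallest non-zero window
offline_credentials_expiration = 1

[domain/example.com]
id_provider = ad
auth_provider = ad
cache_credentials = True
EOF

# Constructed counter-example: a domain without cache_credentials, where
# every login fails as soon as the link to AD is down.
SAMPLE_SSSD_NOCACHE=$(mktemp)
cat > "$SAMPLE_SSSD_NOCACHE" <<'EOF'
[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
EOF

if sssd_offline_ready "$SAMPLE_SSSD_CONF" example.com; then
    echo "example.com: offline logins possible for $(sssd_offline_expiry_days "$SAMPLE_SSSD_CONF") day(s) (0 = unlimited)"
fi
if ! sssd_offline_ready "$SAMPLE_SSSD_NOCACHE" example.com; then
    echo "example.com (second file): no credential cache, logins fail when offline"
fi
```

Run it against a real file with `sssd_offline_ready /etc/sssd/sssd.conf example.com`; note that the file is normally mode 0600 and readable only by root.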
Re: [Freeipa-users] Help needed with keytabs
Hi again

After further testing, it seems like my problems were caused by the use of the -F option on the kinit line.

Roderick

On 05/05/2016 22:31, Roderick Johnstone wrote:
> Hi Mike
>
> Thanks for sharing your setup. It looks pretty much like mine.
>
> I just tried your kinit command syntax and then I can ipa ping successfully. Then I tried my kinit syntax (after a kdestroy) and I can still ipa ping successfully!
>
> So, it does work now, but I don't know why it didn't work for me earlier. It feels like some sort of caching problem but I think kdestroy clears the cache.
>
> Thanks again for your help.
>
> Roderick
>
> On 05/05/2016 19:47, Michael ORourke wrote:
>> Roderick,
>>
>> Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure.
>>
>> ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
>>
>> Now we can leverage the keytab for that user principal. Example:
>>
>> [root@infrae2u01 ~]# kdestroy
>> [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL
>> [root@infrae2u01 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: svc_user...@lnx.dr.LOCAL
>>
>> Valid starting     Expires            Service principal
>> 05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL
>> [root@infrae2u01 ~]# ipa ping
>> --------------------------------------------
>> IPA server version 3.0.0. API version 2.49
>> --------------------------------------------
>>
>> If you need to access the service account, then set up a sudo rule to switch user to that account. Example: "sudo su - svc_useradm"
>>
>> -Mike
>>
>> -----Original Message-----
>> From: Roderick Johnstone
>> Sent: May 5, 2016 12:39 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] Help needed with keytabs
>>
>>> Hi
>>>
>>> I need to run some ipa commands in cron jobs.
>>>
>>> The post here:
>>> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>>> suggests I need to use a keytab file to authenticate kerberos.
>>>
>>> I've tried the prescription there, with variations, without success.
>>>
>>> My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).
>>>
>>> 1) Log into ipa client as user test.
>>>
>>> 2) Get the keytab
>>> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P
>>> New Principal Password:
>>> Verify Principal Password:
>>> Keytab successfully retrieved and stored in: /home/test/test.keytab
>>>
>>> I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.
>>>
>>> 3) Log into the ipa client as user test. Then
>>> $ kdestroy
>>> $ klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>>>
>>> 4) kinit from the keytab:
>>> $ kinit -F t...@example.com -k -t /home/test/test.keytab
>>>
>>> 5) Check the tickets
>>> $ klist
>>> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>>> Default principal: t...@example.com
>>>
>>> Valid starting     Expires            Service principal
>>> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
>>>
>>> 6) Run an ipa command:
>>> $ ipa ping
>>> ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml
>>>
>>> Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?
>>>
>>> For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
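Roderick's conclusion that kinit -F (which requests a non-forwardable TGT) was what broke his ipa commands, together with Mike's keytab procedure, is what a cron job has to get right. The following wrapper is an added example, not code from the thread: it refuses a keytab that is readable by anyone but its owner, uses a credential cache private to the job so cron never overwrites the interactive cache seen in the klist output above, runs kinit from the keytab without -F, confirms a valid ticket with klist -s before calling ipa, and destroys the tickets afterwards. The keytab path, principal and the IPA_CRON_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run an ipa command from cron using a
# keytab. Paths and principal are assumptions; adjust for your deployment.
set -u

KEYTAB="${KEYTAB:-/home/test/test.keytab}"
PRINCIPAL="${PRINCIPAL:-test@EXAMPLE.COM}"

# A ccache private to this job, keyed by uid, so cron never overwrites the
# user's interactive cache (FILE:/tmp/krb5cc_<uid>_XXXX in the thread).
private_ccache() {
    printf 'FILE:/tmp/krb5cc_cron_%s\n' "$1"
}

# A keytab is a long-lived credential: insist on owner-only permissions.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# kinit arguments: keytab-based and, deliberately, without -F. -F asks for a
# non-forwardable TGT, which is what broke "ipa ping" in the thread.
kinit_args() {
    printf '%s\n' "-k -t $1 $2"
}

run_ipa_from_keytab() {
    if ! keytab_perms_ok "$KEYTAB"; then
        echo "refusing to use $KEYTAB: must be a file with mode 0600 or 0400" >&2
        return 2
    fi
    KRB5CCNAME=$(private_ccache "$(id -u)")
    export KRB5CCNAME
    # shellcheck disable=SC2046  # word-splitting the argument list is intended
    kinit $(kinit_args "$KEYTAB" "$PRINCIPAL") || return 3
    # klist -s is silent and exits non-zero when there is no valid TGT.
    klist -s || { echo "no valid TGT in $KRB5CCNAME after kinit" >&2; return 4; }
    if ipa "$@"; then rc=0; else rc=$?; fi
    # Do not leave tickets lying around between runs.
    kdestroy
    return "$rc"
}

# From a crontab, e.g.:
#   */15 * * * *  IPA_CRON_RUN=1 KEYTAB=/home/test/test.keytab /usr/local/bin/ipa-cron.sh ping
if [ -n "${IPA_CRON_RUN:-}" ]; then
    run_ipa_from_keytab "$@"
fi
```

The IPA_CRON_RUN guard keeps the file sourceable for testing without touching Kerberos; in cron it is set on the command line as shown in the comment.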
[Freeipa-users] Looking for documentation for Python API
[This didn't show up in the archives or list after 12 hours, so resending. Sorry if it's a dupe.]

I've been googling and looking through the documentation, but I have yet to find official docs for the Python API for FreeIPA.

The first result for 'python' when doing a search on www.freeipa.org is http://www.freeipa.org/page/Python_Coding_Style

On that page, there is a link to "freeIPA Python API documentation" which goes to https://www.freeipa.org/page/Documentation#Developer_Documentation

That page, however, doesn't have one mention of Python, and only one mention of "API" and that is "How to migrate your code to the new LDAP API" which doesn't seem to be related.

I did manage to find https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple (very convoluted) examples, but seems far from complete.

There is a freeipa-python RPM, but *WHERE* is the documentation for the Python API? Or should I just shell out to the 'ipa' command from all my python scripts? :)

I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so I'm sure I could work up something with python and requests, but I'd prefer to use the official API if I could. :)

Any assistance would be great!

j

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Anthony Cheng wrote:
> More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert and re-added the certificate w/ valid date and fixed cert trust attributes along the way.

You're fixing the wrong place. Apache is up and serving which is how you are getting Not Found. It is dogtag that isn't starting for some reason.

Maybe Endi has some ideas.

rob

> So it went from this
>
> [root@test ~]# certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> ipaCert                                                      u,u,u
> sample.NET IPA CA                                            CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> Server-Cert                                                  u,u,u
>
> to this
>
> [root@test ~]# certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> sample.NET IPA CA                                            CT,C,C
> Signing-Cert                                                 u,u,u
>
> And also re-tried resubmit/restart processes but unfortunately the error persists (ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).)
>
> Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.
>
> Thanks,
> Anthony
>
> On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng wrote:
>> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden wrote:
>>> Anthony Cheng wrote:
>>>> Small update, I found an article on the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working. The article is listed as "Solution in Progress".
>>>>
>>>> [root@test ~]# getcert list | more
>>>>
>>>> Number of certificates and requests being tracked: 7.
>>>>
>>>> Request ID '20111214223243':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>
>>> Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.
>>>
>>> rob
>>
>> selftests.log is empty; there are entries for other times but not for the test to when I set the clock to renew certs.
>>
>> [root@test pki-ca]# clock
>> Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
>> [root@test pki-ca]#
>> [root@test pki-ca]#
>>
>> [root@test pki-ca]# ll * | grep self
>> -rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
>> -rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
>> -rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
>> -rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
>> -rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
>>
>> From debug log I see some error messages:
>>
>> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
>> Certificate object not found
>>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>
>> Full log:
>>
>> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
>> [28/Jan/2016:21:09:02][main]:
>> [28/Jan/2016:21:09:02][main]: =========== DEBUG SUBSYSTEM INITIALIZED ===========
>> [28/Jan/2016:21:09:02][main]:
>> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
>> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
>> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
>> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
>> [28/Jan/2016:21:09:02][main]:
Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert and re-added the certificate w/ valid date and fixed cert trust attributes along the way.

So it went from this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u

to this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
sample.NET IPA CA                                            CT,C,C
Signing-Cert                                                 u,u,u

And also re-tried resubmit/restart processes but unfortunately the error persists (ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).)

Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.

Thanks,
Anthony

On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden wrote:
>> Anthony Cheng wrote:
>>> Small update, I found an article on the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working. The article is listed as "Solution in Progress".
>>>
>>> [root@test ~]# getcert list | more
>>>
>>> Number of certificates and requests being tracked: 7.
>>>
>>> Request ID '20111214223243':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>
>> Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other times but not for the test to when I set the clock to renew certs.
>
> [root@test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
> [root@test pki-ca]#
> [root@test pki-ca]#
>
> [root@test pki-ca]# ll * | grep self
> -rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
> -rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
> -rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
> -rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
> -rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
>
> From debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]:
> [28/Jan/2016:21:09:02][main]: =========== DEBUG SUBSYSTEM INITIALIZED ===========
> [28/Jan/2016:21:09:02][main]:
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
> [28/Jan/2016:21:09:02][main]: LogFile: log event type
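Anthony's before/after certutil -L listings show the visible symptom (Server-Cert and ipaCert each appearing twice in /etc/httpd/alias), while Rob's point is that the database to look at is the one Dogtag reads its signing certificate from, where the debug log reports "Certificate object not found". The following shell check is an added example, not from the thread: it parses a captured certutil -L listing for duplicate nicknames and for the presence of a required nickname exactly once, so the same test can be run over the output of each NSS database directory in question. The sample listing is constructed to match the thread's "before" state; the directory you point certutil at is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks over "certutil -L -d <dir>"
# output. Feed it a captured listing, e.g.:
#   certutil -L -d /path/to/nssdb > listing.txt   # placeholder directory
#   cert_nickname_dups listing.txt
set -u

# Extract one nickname per line from a certutil -L listing. Nicknames may
# contain spaces ("sample.NET IPA CA"), so drop only the trailing trust column.
cert_nicknames() {
    awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF < 2 { next }
        { $NF = ""; sub(/[ \t]+$/, ""); print }
    ' "$1"
}

# Print each nickname that occurs more than once. Duplicates like the two
# Server-Cert entries in the thread make any lookup by nickname ambiguous.
cert_nickname_dups() {
    cert_nicknames "$1" | LC_ALL=C sort | uniq -d
}

# Succeed when NICKNAME is present exactly once (neither missing nor duplicated).
cert_nickname_unique() {
    n=$(cert_nicknames "$1" | grep -cx -- "$2" || true)
    [ "$n" -eq 1 ]
}

# Constructed sample listing, shaped like the thread's "before" state.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
EOF

echo "duplicate nicknames in listing:"
cert_nickname_dups "$SAMPLE_LISTING"
for nick in Server-Cert ipaCert "sample.NET IPA CA" Signing-Cert; do
    if cert_nickname_unique "$SAMPLE_LISTING" "$nick"; then
        echo "ok: $nick"
    else
        echo "PROBLEM: $nick is missing or duplicated"
    fi
done
```

Removing a duplicate with certutil -D deletes by nickname, so when two entries share one nickname, list the details with certutil -L -d <dir> -n <nickname> first and confirm which serial number and validity period you are about to remove.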
Re: [Freeipa-users] Help needed with keytabs
Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping successfully. Then I tried my kinit syntax (after a kdestroy) and I can still ipa ping successfully!

So, it does work now, but I don't know why it didn't work for me earlier. It feels like some sort of caching problem but I think kdestroy clears the cache.

Thanks again for your help.

Roderick

On 05/05/2016 19:47, Michael ORourke wrote:
> Roderick,
>
> Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure.
>
> ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
>
> Now we can leverage the keytab for that user principal. Example:
>
> [root@infrae2u01 ~]# kdestroy
> [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL
> [root@infrae2u01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: svc_user...@lnx.dr.LOCAL
>
> Valid starting     Expires            Service principal
> 05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL
> [root@infrae2u01 ~]# ipa ping
> --------------------------------------------
> IPA server version 3.0.0. API version 2.49
> --------------------------------------------
>
> If you need to access the service account, then set up a sudo rule to switch user to that account. Example: "sudo su - svc_useradm"
>
> -Mike
>
> -----Original Message-----
> From: Roderick Johnstone
> Sent: May 5, 2016 12:39 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Help needed with keytabs
>
>> Hi
>>
>> I need to run some ipa commands in cron jobs.
>>
>> The post here:
>> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>> suggests I need to use a keytab file to authenticate kerberos.
>>
>> I've tried the prescription there, with variations, without success.
>>
>> My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).
>>
>> 1) Log into ipa client as user test.
>>
>> 2) Get the keytab
>> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P
>> New Principal Password:
>> Verify Principal Password:
>> Keytab successfully retrieved and stored in: /home/test/test.keytab
>>
>> I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.
>>
>> 3) Log into the ipa client as user test. Then
>> $ kdestroy
>> $ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>>
>> 4) kinit from the keytab:
>> $ kinit -F t...@example.com -k -t /home/test/test.keytab
>>
>> 5) Check the tickets
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>> Default principal: t...@example.com
>>
>> Valid starting     Expires            Service principal
>> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
>>
>> 6) Run an ipa command:
>> $ ipa ping
>> ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml
>>
>> Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?
>>
>> For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>>
>> Thanks
>>
>> Roderick Johnstone
Re: [Freeipa-users] Dogtag migration to FreeIPA
On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
>
> Thank you very much for the immediate response. Our use-case for Dogtag is: our installation engineers request a signing CA cert through the Dogtag web interface, and our admin grants the request; anything following is not managed with Dogtag. So we only use Dogtag for managing the root cert and the signing CA certs (besides OCSP, audit certs, etc. that come with the system).
>
> I'm not sure how your solution would work in our case; if we import a signing cert into Dogtag and sign other certs that we give to our installation engineers using it, it would change our current cert chain.
>
> Reading your reply, I realized I probably misunderstood how FreeIPA worked. I thought I only needed to import Dogtag's Root CA (which is our company Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this would not work, would it?
>
Correct; there isn't right now a way to "adopt" an existing CA into an existing Dogtag instance.

In either case, because you are issuing admin-approved CA certificates, I don't think FreeIPA fits your use case. In the future we will support sub-CA creation (it is what I am working on) so you might want to evaluate FreeIPA once that feature has landed.

Cheers,
Fraser

> Thanks,
> Ha
>
> On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale wrote:
>
> > On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > > Hi,
> > >
> > > We have an in-house CA system managed by a stand-alone Dogtag system; we would like to integrate it with our FreeIPA system which is already in use and is set up with the company LDAP. I'm new to FreeIPA and I have some questions about this process:
> > >
> > > 1. Is it possible to add our current Dogtag on top of the FreeIPA system directly? If so, how would I achieve that?
> > >
> > This is not supported, though it's technically feasible (we just don't have any code to do it).
> >
> > > 2. If it's not possible to do the above, what about setting up a clone of the current FreeIPA system and migrate Dogtag during the installation of the replica? Is this a better option?
> > >
> > Same as above... technically feasible but no way to do it right now.
> >
> > > 3. Any other alternative?
> > >
> > One alternative is to export your CA signing cert and key, and install a new Dogtag instance in your FreeIPA environment. The IPA Dogtag instance would be "detached" from your existing Dogtag instance but, cryptographically speaking, it would be the same CA.
> >
> > You would have to tweak serial number ranges to ensure the new instance doesn't reuse serial numbers that were already used (a simple procedure).
> >
> > How well this would work in your organisation would depend on what sorts of things you use the existing Dogtag for, how clients expect to renew certificates, etc. I'm happy to answer questions you might have in considering this approach.
> >
> > Cheers,
> > Fraser
> >
Re: [Freeipa-users] Dogtag migration to FreeIPA
Hi Fraser,

Thank you very much for the immediate response. Our use-case for Dogtag is: our installation engineers request a signing CA cert through the Dogtag web interface, and our admin grants the request; anything following is not managed with Dogtag. So we only use Dogtag for managing the root cert and the signing CA certs (besides OCSP, audit certs, etc. that come with the system).

I'm not sure how your solution would work in our case; if we import a signing cert into Dogtag and sign other certs that we give to our installation engineers using it, it would change our current cert chain.

Reading your reply, I realized I probably misunderstood how FreeIPA worked. I thought I only needed to import Dogtag's Root CA (which is our company Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this would not work, would it?

Thanks,
Ha

On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale wrote:
> On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > Hi,
> >
> > We have an in-house CA system managed by a stand-alone Dogtag system; we would like to integrate it with our FreeIPA system which is already in use and is set up with the company LDAP. I'm new to FreeIPA and I have some questions about this process:
> >
> > 1. Is it possible to add our current Dogtag on top of the FreeIPA system directly? If so, how would I achieve that?
> >
> This is not supported, though it's technically feasible (we just don't have any code to do it).
>
> > 2. If it's not possible to do the above, what about setting up a clone of the current FreeIPA system and migrate Dogtag during the installation of the replica? Is this a better option?
> >
> Same as above... technically feasible but no way to do it right now.
>
> > 3. Any other alternative?
> >
> One alternative is to export your CA signing cert and key, and install a new Dogtag instance in your FreeIPA environment. The IPA Dogtag instance would be "detached" from your existing Dogtag instance but, cryptographically speaking, it would be the same CA.
>
> You would have to tweak serial number ranges to ensure the new instance doesn't reuse serial numbers that were already used (a simple procedure).
>
> How well this would work in your organisation would depend on what sorts of things you use the existing Dogtag for, how clients expect to renew certificates, etc. I'm happy to answer questions you might have in considering this approach.
>
> Cheers,
> Fraser
>
Re: [Freeipa-users] Help needed with keytabs
Roderick,

Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure.

ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab

Now we can leverage the keytab for that user principal. Example:

[root@infrae2u01 ~]# kdestroy
[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL
[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL
[root@infrae2u01 ~]# ipa ping
--------------------------------------------
IPA server version 3.0.0. API version 2.49
--------------------------------------------

If you need to access the service account, then set up a sudo rule to switch user to that account. Example: "sudo su - svc_useradm"

-Mike

-----Original Message-----
> From: Roderick Johnstone
> Sent: May 5, 2016 12:39 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Help needed with keytabs
>
> Hi
>
> I need to run some ipa commands in cron jobs.
>
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate kerberos.
>
> I've tried the prescription there, with variations, without success.
>
> My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).
>
> 1) Log into ipa client as user test.
>
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
>
> I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.
>
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>
> 4) kinit from the keytab:
> $ kinit -F t...@example.com -k -t /home/test/test.keytab
>
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: t...@example.com
>
> Valid starting     Expires            Service principal
> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
>
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml
>
> Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?
>
> For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
> Thanks
>
> Roderick Johnstone
Re: [Freeipa-users] Unable to configure DNSSEC signing
As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and I have the same problem. These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=10 --idmax=19 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true

GTG

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek'; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a manual LDAP query and the associated logs, and then I restarted ipa-dnskeysyncd and the logs associated with that as well:

[root@host /]# date
Thu May  5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base
[Freeipa-users] Help needed with keytabs
Hi

I need to run some ipa commands in cron jobs. The post here:

https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html

suggests I need to use a keytab file to authenticate kerberos. I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).

1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.

3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)

4) kinit from the keytab:
$ kinit -F t...@example.com -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: t...@example.com

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml

Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?

For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.

Thanks

Roderick Johnstone
Re: [Freeipa-users] Unable to configure DNSSEC signing
I'm not entirely sure if this is what you were asking for, but here's a manual LDAP query and the associated logs, and then I restarted ipa-dnskeysyncd and the logs associated with that as well:

[root@host /]# date
Thu May 5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] freeipa permission denied for user
On Thu, May 05, 2016 at 08:13:00PM +0530, Rakesh Rajasekharan wrote:
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281 [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281 [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]

This seems like a wrong password.. Are you able to kinit with the same password using the user's principal?
Re: [Freeipa-users] Automatic consistency checking
On 05.05.2016 15:54, Andrew Holway wrote:
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMI's and are now using IdM so we can get support when this is breaking but I am a bit stuck how to monitor that the replication is still working.
>
> So is there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew

This is planned for future, you can use https://github.com/peterpakos/ipa_check_consistency (community script without any guarantee) to check your servers.

Martin
[Freeipa-users] Unable to create a new replica
I'm trying to create a new replica and i receive the following message:

onfiguring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica

I have done a multiple time:

ipa-replica-manage del new-ipa.domain.local --force --cleanup

I have validated that my ports are open:

nmap -Pn -p53,80,88,443,389,464,636 existing-ipa

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:46 UTC
Nmap scan report for existing-ipa (xxx.xxx.xxx.xxx)
Host is up (0.29s latency).
rDNS record for xxx.xxx.xxx.xxx: existing-ipa.domain.local
PORT     STATE  SERVICE
53/tcp   open   domain
80/tcp   open   http
88/tcp   open   kerberos-sec
389/tcp  open   ldap
443/tcp  open   https
464/tcp  open   kpasswd5
636/tcp  open   ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds

nmap -Pn -p53,80,88,443,389,464,636 xxx.xxx.xxx.xxx (this is after the failed install - closed means nothing is listening)

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:50 UTC
Nmap scan report for new-ipa.domain.local (xxx.xxx.xxx.xxx)
Host is up (0.21s latency).
PORT     STATE   SERVICE
53/tcp   closed  domain
80/tcp   closed  http
88/tcp   closed  kerberos-sec
389/tcp  open    ldap
443/tcp  closed  https
464/tcp  closed  kpasswd5
636/tcp  open    ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

I am running on Centos 7 with:

ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-ipa-1.13.0-40.el7_2.2.x86_64
libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64

The other strange thing i notice at the beginning of the install is:

ipa : ERROR Could not resolve hostname new-ipa.domain.local using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)

But i can find it from the command line with dig/nslookup. With more debug info, i find it is trying to reach another ipa that he has no access to (geo is too far and ports are closed instead of using resolv.conf).

What am i missing here? BTW i have multiples replicas installed already.

Thanks

Louis
Re: [Freeipa-users] Automatic consistency checking
On 05/05/2016 03:54 PM, Andrew Holway wrote:
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMI's and are now using IdM so we can get support when this is breaking but I am a bit stuck how to monitor that the replication is still working.
>
> So is there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew

Hi Andrew,

to check the status of a replica you can use the following command:

"""
ipa-replica-manage list -v replica1.ipa.test
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
"""

--
Martin^3 Babinsky
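Andrew's question was how to notice replication breaking before it has been broken for weeks. As an added example (not from this thread or from the FreeIPA project), the Python script below parses output in the shape Martin shows above and flags any agreement whose last update status code is not 0 or whose last update is older than a threshold. The two-peer sample output and the second peer's failing status line are constructed, and the parser assumes the two-space indented layout that ipa-replica-manage prints under each peer.

```python
"""Check `ipa-replica-manage list -v <host>` output for unhealthy agreements.

Added example: parses the per-peer blocks printed by ipa-replica-manage and
reports peers whose incremental update failed or has gone stale.
"""
from datetime import datetime, timedelta

# Constructed sample in the layout shown in the mailing-list message above;
# master2's failing status line is invented for the demonstration.
SAMPLE_OUTPUT = """\
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
master2.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: -1 Unable to acquire replica: constructed failure
  last update ended: 2016-05-05 09:02:11+00:00
"""


def parse_agreements(text):
    """Return {peer: {field: value}} for each 'peer: replica' block.

    Assumption: an unindented 'host: replica' line opens a block and the
    indented 'key: value' lines that follow belong to it. Values are split at
    the first colon only, so status messages and timestamps keep their colons.
    """
    agreements = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            name, _, kind = raw.partition(":")
            current = agreements.setdefault(name.strip(), {"type": kind.strip()})
        elif current is not None:
            key, _, value = raw.strip().partition(":")
            current[key.strip()] = value.strip()
    return agreements


def parse_timestamp(value):
    """ipa-replica-manage prints timestamps as 'YYYY-MM-DD HH:MM:SS+00:00'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")


def check_agreements(agreements, now, max_age=timedelta(hours=1)):
    """Return {peer: [reasons]} for peers that look unhealthy.

    The 'last init' fields describe one-off re-initialisations (the 1970
    timestamp means none was ever done over this agreement), so only the
    incremental 'last update' fields are checked here.
    """
    problems = {}
    for peer, fields in agreements.items():
        reasons = []
        status = fields.get("last update status", "")
        code = status.split(" ", 1)[0]
        if code != "0":
            reasons.append("update status: " + (status or "missing"))
        ended = fields.get("last update ended")
        if ended:
            age = now - parse_timestamp(ended)
            if age > max_age:
                reasons.append("last update %s ago" % age)
        else:
            reasons.append("no 'last update ended' recorded")
        if reasons:
            problems[peer] = reasons
    return problems


def check_output(text, now_iso, max_age=timedelta(hours=1)):
    """Parse raw command output and check it against a given point in time."""
    return check_agreements(parse_agreements(text), parse_timestamp(now_iso), max_age)


if __name__ == "__main__":
    # In a cron job one would feed the real command's stdout and the current
    # time; the fixed timestamp keeps the constructed sample reproducible.
    for peer, reasons in check_output(SAMPLE_OUTPUT, "2016-05-05 14:45:00+00:00").items():
        print(peer, "->", "; ".join(reasons))
```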
[Freeipa-users] Automatic consistency checking
Hello,

We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not able to repair it either.

We use AWS so we've now deployed RHEL AMI's and are now using IdM so we can get support when this is breaking but I am a bit stuck how to monitor that the replication is still working.

So is there some monitoring mechanisms in FreeIPA?

Cheers,

Andrew
Re: [Freeipa-users] service cert to a host/member/service
lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host(which is domain member) ? I understand certificates issued with:
>>> $ ipa cert-request -add --principal
>>> are stored in ldap backend, (yet I don't quite get the difference between that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I also will need CA certificate on that host, which I got hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server using certutil. You'd take that CSR to the enrolled host and run ipa cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA' CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)

Yes, these are all (or should be) the same (there is a copy in LDAP too).

> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger, for DS and web server for certificates auto management purposes?

Yes, certmonger manages automatic renewal.

rob

> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
Re: [Freeipa-users] service cert to a host/member/service
On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host(which is domain member) ? I understand certificates issued with:
>>> $ ipa cert-request -add --principal
>>> are stored in ldap backend, (yet I don't quite get the difference between that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I also will need CA certificate on that host, which I got hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server using certutil. You'd take that CSR to the enrolled host and run ipa cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA' CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)
>
> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger, for DS and web server for certificates auto management purposes?

You can use generic `getcert` tool to get all certs managed by certmonger and their location. It will show you also PKI internal certs.

# getcert list

`ipa-getcert list` is equivalent to `getcert list -c IPA`

>
> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>
>

--
Petr Vobornik
Re: [Freeipa-users] OTP token policies.
+1 For enforcing OTP in web UI. When the user logs in for the first time he should be taken to a page to create a OTP token. Users should be able to login only using passwd+OTP.

Are there any ideas for ensuring that all users are using OTP tokens ?

On 4 May 2016 at 05:12, Peter Bisroev wrote:
> Dear Developers,
>
> Firstly, thank you for a fantastic product. I have a few questions relating to OTP that I could not find the answers to in the Red Hat IdM manual, http://www.freeipa.org/page/V4/OTP document, and on both user and devel mailing lists. Hopefully I have not missed anything obvious :)
>
> With FreeIPA version 4.2, is it possible to enforce policies on what administrators and/or users can do with OTP tokens? For example:
>
> 1) Is there a way to enforce how many tokens can be active for a user at the same time?
>
> 2) Is it possible to force the number of digits to be eight and a specific algorithm to be used?
>
> 3) Is it possible to force the user to create a new OTP token after the first password change?
>
> If there is such support, it can be used to overcome the soft OTP token enrollment bootstrap issue. For example, currently, if the administrator creates a new user and enables "Two factor authentication (password + OTP)" but does not assign an OTP token, the user is able to login, change the password and continue using the new password without enabling 2FA indefinitely.
>
> However, once the OTP token is created, either by administrator or the user, the systems forces the token's use from this point on. Maybe in the future, FreeIPA can force the user to enable OTP at first login into the FreeIPA console? But I guess then, the system must somehow stop the users from login in into any other service besides FreeIPA web console, until the OTP token is generated.
>
> A few more questions:
>
> Would it be possible to describe a use case when having multiple OTP tokens enabled at the same time is a requirement?
>
> How does TOTP token synchronization work? Can it be disabled?
>
> Thank you for your time and help!
>
> Regards,
> --peter
[Freeipa-users] Error Server update not syn to Server02 but reverse ok
Hi all:

Original config server <> server02 , either server can add user and syn

Now server < server02 ,GSSAPI show as below ..ANY idea?

THX

[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size 10485760B is less than db size 17113088B; We recommend to increase the entry cache size nsslapd-cachememsize.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[05/May/2016:17:29:03 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server.abc@abc.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[05/May/2016:17:29:07 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[05/May/2016:17:29:07 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[05/May/2016:17:29:07 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[05/May/2016:17:29:07 +0800] - Listening on All Interfaces port 636 for LDAPS requests
[05/May/2016:17:29:07 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth resumed
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Missing data encountered
[05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Incremental update failed and requires administrator action
Re: [Freeipa-users] service cert to a host/member/service
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> >
> > as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host(which is domain member) ?
> > I understand certificates issued with:
> >
> > $ ipa cert-request -add --principal
> >
> > are stored in ldap backend, (yet I don't quite get the difference between that tool and ipa-certget).
>
> The first uses the IPA command-line to get a cert directly. ipa-getcert uses certmonger.
>
> If you are getting a certificate for another host, particularly if that host isn't an IPA client, then the first form is the way to go.
>
> > How do I get such a certificate off the server and to a host-not-server?
>
> $ ipa cert-show --out cert.pem
>
> > In my case I'm hoping to use this certificate in apache+nss.
> > I realize I also will need CA certificate on that host, which I got hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way?
>
> So in this case you'd want to generate the CSR on the host-not-server using certutil. You'd take that CSR to the enrolled host and run ipa cert-request ...
>
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the

Is this the only place where IPA' CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY..
gets me:

MY-DOMAIN IPA CA    CT,C,C
Server-Cert         u,u,u

what is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same one certificate? (including /etc/ipa/ca.crt)

I get these with: ipa-getcert list
I'm guessing these are set up by installer and to be managed by certmonger, for DS and web server for certificates auto management purposes?

many thanks.

> host-not-server.
>
> Use certutil to add both to your NSS database.
>
> rob
>
Re: [Freeipa-users] Advise for the best way to achieve AD Caching?
On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to configure/setup an on-site cache &/or replica from an AD Server which will be uni-directional (AD -> IPA/slapd)
>
> The master are multiple AD Servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure.
>
> What I want to achieve is in the event we lose connectivity with the world users can still authenticate, but if someone is disabled/updated at the top level it replicates down. I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software.
>
> Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method.

All methods which can work completely off-line will require access to keys on AD server. This means either some additional software on AD side OR having proper AD server which is hosted locally. This could theoretically be Samba 4 AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere but it comes with own limitations, e.g. users who never logged in before will not be able to login when the network link is down.

I hope this help.

Petr^2 Spacek

> Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place.
>
> Are there any other setup's that will achieve what I require? Have seen slapd with proxy cache but I'm not sure on this options either and configuring slapd with all the ldif files manually seems a little daunting at first sight.
>
> Thanks in advance,
> David
Re: [Freeipa-users] Who uses FreeIPA?
On 4.5.2016 16:33, Jakub Hrozek wrote:
> On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote:
>> On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
>>> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
>>>> On (03/05/16 15:09), Alexandre de Verteuil wrote:
>>>>> Hello all,
>>>>>
>>>>> I've deployed FreeIPA in my home lab and I'm happy to have single sign-on for all my Archlinux virtual machines and Fedora laptops :)
>>>>>
>>>>> It took me lots of research and conversations before hearing about FreeIPA for the first time while searching for a libre SSO solution. I think FreeIPA needs much more exposure. I am really impressed with it. Tomorrow I am giving a short presentation at my workplace to talk about it and invite other sysadmins to try it.
>>>>>
>>>>> I would like to make a slide showing the current adoption of FreeIPA. I read that Red Hat uses it internally, but do they actually deploy it in their client's infrastructures? Are there any big companies that use it? Even if I only have reports of schools and small businesses would be good enough to say it's production ready and it has traction.
>>>>>
>>>>> Whether you are reporting about your own use or you know where I can find out more would be greatly appreciated! I have not found a "Who uses FreeIPA" page on the Internet.
>>>>>
>>>> The GNOME Infrastructure is now powered by FreeIPA!
>>>> October 7, 2014
>>>> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
>>>
>>> Would it make sense to add 'success stories' like this to the freeipa.org home page? Of course, we can't use Red Hat IDM customers, but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu could be added there if they would agree..
>>
>> I think it would make sense. We already know at least about GNOME as Lukas mentioned or about eBay's Hadoop clusters:
>>
>> https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish
>>
>> I think we should start a new "References" page on the FreeIPA.org wiki and ask for success stories from this list. Any takers? :-)
>
> I think we should ask those projects for permission first..

Why is that? The information is public in both cases, right?

I really do not see a reason for ask-before-linking approach. (The next step is "pay-before-linking" as seen in various proposals from European governments.)

--
Petr^2 Spacek
[Freeipa-users] Restore from full backup but some warns/error ok , BUT WORK OK service
Hi All:

I restore from backup but some lib / pki error come. As the package is ipa-server-3.0.0-26.el6_4.4.x86_64

But now is ipa-server-3.0.0-47.el6.centos.2.x86_64 , it seem no harm ? How to tune it ?

Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [  OK  ]
Starting CA Service
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 88, in
    cli = PKIServerCLI()
  File "/usr/sbin/pki-server", line 34, in __init__
    super(PKIServerCLI, self).__init__('pki-server', 'PKI server command-line interface')
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
    self.modules = collections.OrderedDict()
AttributeError: 'module' object has no attribute 'OrderedDict'
Starting pki-ca:                                           [  OK  ]
Re: [Freeipa-users] get freeipa to update ad users and groups more often
On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
>
> I avoided the slow filling group by using the AD-Group with spaces (was a tad more challenging for scipting)
>
> But here's the releases (some of them)
>
> ipa 4.2 and sssd 1.13
>
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be at least ipa-4.2.0-15.el7_2.15) but even with older packages, I would have expected id to return the groups, "just" not getent group.

> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
>
> Cheers
> Rob Verduijn
>
> 2016-05-04 18:06 GMT+02:00 Jakub Hrozek:
> > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> >> to make sure I did the following on the ipa host
> >>
> >> systemctl stop sssd.service
> >> rm -f /var/lib/sss/db/*
> >> systemctl start sssd.service
> >>
> >> now there is no cheating from cach
> >> getent passwd u...@ad-domain.com works and gives userid
> >> id u...@ad-domain.com works fine and show all goups the user is a member of including ad_linux_administrators (ipa group) and 'linux administrat...@ad-domain.com'
> >> getent group ad_linux_administrators only shows the group ad, no members, these pop up after a very long time
> >> getent group 'linux administrat...@ad-domain.com' imediatly show all members
> >
> > Please note that getent group only works with very recent versions of ipa and sssd. What version are you running.
> >
> >>
> >> weird
> >>
> >> Rob Verduijn
> >>
> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> >> This goes especially for ad groups that are bested in ipa_groups
> >> >>
> >> >> ie :
> >> >> microsft group is defined as an external group,
> >> >> and that external group is member of an ipa group
> >> >> and that ipa group takes forever.
> >> >>
> >> >> Regards
> >> >> Rob Verduijn
> >> >
> >> > All the work in this area is done by sssd on the server. The sssd there runs a periodical task to re-fetch new external groups memberships every 10 seconds. So I would expect the group memberships to turn up after 10 seconds at worst.
> >> >
> >> > Are you sure (from sssd logs) that maybe sssd is not going into offline state and just consults its cache?
> >> >
> >> >>
> >> >>
> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> >> > Hello,
> >> >> >
> >> >> > I'm using a trust to microsoft active directory to allow users access to linux servers.
> >> >> >
> >> >> > But when a user is added it takes a very long time for ipa to register this.
> >> >> > And even more time for the ipa clients since they have to wait for the ipa servers.
> >> >> >
> >> >> > Since I hate to tell the users to wait for a couple hours, and also I do not like to clean up the sssd cache folder each time a new user appears.
> >> >> >
> >> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >> >
> >> >> > Regards
> >> >> > Rob Verduijn