[Freeipa-users] How RBAC defined.

2016-05-13 Thread Ben .T.George
Hi List,

I have one working setup with HBAC and sudo rules.

I would like to know more about RBAC: what RBAC is and what can be
achieved with it.

Could anyone please share some good resources on this? I am finding so many,
and the information in them differs.

Thanks & Regards,
Ben
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-13 Thread Adam Kaczka
Hi all,

I have inherited an IPA system that has an expired cert, and the old admins
have left. I followed
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal but run into
errors when I try to renew the CA certs even after the time is reset. I also
tried the troubleshooting under
http://www.freeipa.org/page/Troubleshooting#Authentication_Errors,
specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a >
/tmp/ra.crt" to add the cert to the database.

From the output of getcert list, I see both CA_UNREACHABLE and
NEED_CSR_GEN_PIN. I followed the Red Hat article at
https://access.redhat.com/solutions/1142913, which verified that the key file
password is correct, and I have reset the time. However, the NEED_CSR_GEN_PIN
status remains. My company actually has Red Hat support, but whoever built
this IPA was using CentOS 6, so I am out of luck there.

I would really appreciate any help since I am stuck at this point. What else
can I do? E.g. is generating a new CA cert necessary?

Version:
ipa-pki-ca-theme.noarch        9.0.3-7.el6             @base
ipa-pki-common-theme.noarch    9.0.3-7.el6             @base
ipa-pmincho-fonts.noarch       003.02-3.1.el6          @base
ipa-python.x86_64              3.0.0-47.el6.centos.2   @updates
ipa-server.x86_64              3.0.0-47.el6.centos.2   @updates
ipa-server-selinux.x86_64      3.0.0-47.el6.centos.2   @updates

Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I
see these errors, which I think are relevant:
[27/Dec/2015:14:12:01][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
Certificate object not found
[27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
Certificate object not found
[27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()

The result seems to show that the key file password is correct:
certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f
/etc/dirsrv/slapd-REALM-NET/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa     NSS Certificate DB:Server-Cert


certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu


certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
REALM.COM IPA CA                                             CT,C,


certutil -L -d /etc/dirsrv/slapd-REALM-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
REALM.COM IPA CA                                             CT,C,C


Output of getcert list:

Number of certificates and requests being tracked: 7.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=example.NET
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '21135214223300':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=example.NET
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29

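When several tracked requests are in trouble at once it helps to have a quick triage of the getcert list output rather than reading the stanzas by eye. The following is an added example, not code from the thread or from certmonger/FreeIPA: it parses getcert list output into one record per request and flags error states, stuck requests, ca-error text and certificates that have already expired. The sample text is constructed from the output quoted above, abbreviated, with the second request set to NEED_CSR_GEN_PIN so that both states mentioned in the post appear; the list of error states is my own selection of certmonger status names.

```python
"""Triage `getcert list` output: which tracked requests need attention?

Added example (not from the original post, certmonger or FreeIPA). The
sample text is constructed from the output quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample, abbreviated from the getcert output quoted above.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    CA: IPA
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    track: yes
    auto-renew: yes
Request ID '21135214223300':
    status: NEED_CSR_GEN_PIN
    stuck: yes
    CA: IPA
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    track: yes
    auto-renew: yes
"""

# certmonger states in which the request is waiting on something other than a
# healthy round-trip to the CA (my own selection of status names).
ERROR_STATES = {"CA_UNREACHABLE", "CA_UNCONFIGURED", "CA_REJECTED",
                "NEED_GUIDANCE", "NEED_CSR_GEN_PIN", "NEED_KEY_GEN_PIN"}


def parse_getcert(text):
    """Return one dict per 'Request ID' stanza, keyed by the getcert field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue                      # preamble line or stray text
        key, _, value = line.strip().partition(":")   # split on the FIRST colon only
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as '2016-03-29 14:09:46 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problems(requests, now):
    """Map request_id -> list of problem strings (an empty list means healthy)."""
    problems = {}
    for req in requests:
        issues = []
        status = req.get("status", "")
        if status in ERROR_STATES:
            issues.append(f"status {status}")
        if req.get("stuck") == "yes":
            issues.append("stuck")
        if "expires" in req and parse_expiry(req["expires"]) < now:
            issues.append("expired")
        if "ca-error" in req:
            issues.append("ca-error: " + req["ca-error"][:60])
        problems[req["request_id"]] = issues
    return problems


def report(text, as_of):
    """Convenience wrapper: as_of is 'YYYY-MM-DD'; returns {request_id: [issues]}."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return find_problems(parse_getcert(text), now)


if __name__ == "__main__":
    for rid, issues in report(SAMPLE, "2016-05-13").items():
        print(rid, "OK" if not issues else "; ".join(issues))
```

An "expired" flag together with CA_UNREACHABLE is the combination seen in the post: certmonger cannot renew through the IPA RPC endpoint because that endpoint itself depends on certificates that have already lapsed, which is why the time has to be moved back before renewal can proceed.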
Re: [Freeipa-users] sssd went away, failed to restart

2016-05-13 Thread Harald Dunkel
On 05/13/16 14:45, Lukas Slebodnik wrote:
> On (12/05/16 15:35), Harald Dunkel wrote:
>> On 05/12/16 13:48, Lukas Slebodnik wrote:
> 
>>> I would like to fix it but I do not know what to fix.
>>>
>>> Is there anything interesting/suspicious in syslog/journald
>>> from the same time?
>>>
>>
>> "journalctl -u sssd" says
>>
> It is not helpful either.
> We asked to find *ANYTHING* interesting/suspicious in syslog/journald
> So it needn't be related to sssd.
> 

Understood. Below are the complete journalctl and syslog from reboot
until sssd was marked as failed by systemd. The only problems I see
in between are the authentication failures and "user unknown" error
messages. The log files on the IPA servers don't show any signs
of a problem either (esp. krb5kdc.log, the slapd log files, and
kernel.log of the ipa1 server).

> It can be related to swapping, out of entropy, disk needs to spin up,
> high load, DNS not responding, whatever.
> 
> But it's your task to find out what triggers the problem.
> We do not have an access to problematic machines.
> 

Does it really matter *why* this host is slow or why ipa1 didn't
answer? My point is that sssd should be sufficiently stable to
start up even when it's slow "somehow" and when the first IPA server
it tried appears to be unreachable. Looking at the log files I
have the impression that ipa2 works as expected, and yet sssd on
the client went Guru for some reason it didn't write into the log
file.

> So try to find the reason which triggers the problem and provide a
> reasonable reproducer.
>

I'd love to give you more information, but this is a production
system. Rebooting the host to find some way to reproduce the
problem is painful for a lot of people.

Since the client runs Jessie I will try to backport Timo's freeipa
4.3.1 packages for Debian/Ubuntu. sssd is already up to date.
ipa1 and ipa2 are running CentOS 7 and freeipa 4.2; hopefully
that's OK. And I am setting up additional servers ipa3 and ipa4
to improve availability.


Regards
Harri

-- Logs begin at Sat 2016-05-07 01:00:34 CEST, end at Fri 2016-05-13 20:14:51 CEST. --
May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Runtime journal is using 8.0M (max allowed 3.1G, trying to leave 4.0G free of 31.4G available → current limit 3.1G).
May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Runtime journal is using 8.0M (max allowed 3.1G, trying to leave 4.0G free of 31.4G available → current limit 3.1G).
May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Journal started
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted Debug File System.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted Huge Pages File System.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted POSIX Message Queue File System.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Remount Root and Kernel File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Various fixups to make systemd work better on Debian.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Load/Save Random Seed...
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Local File Systems (Pre).
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Reached target Local File Systems (Pre).
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Local File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Reached target Local File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Remote File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Trigger Flushing of Journal to Persistent Storage.
May 12 06:02:06 srvvm01.ac.example.com systemd-journal[24]: Permanent journal is using 2.4G (max allowed 2.0G, trying to leave 4.0G free of 2.1T available → current limit 2.4G).
May 12 06:02:14 srvvm01.ac.example.com systemd-journal[24]: Time spent on flushing to /var is 8.301385s for 16 entries.
May 12 06:01:59 srvvm01.ac.example.com logger[65]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv:
May 12 06:01:59 srvvm01.ac.example.com logger[66]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail:
May 12 06:02:15 srvvm01.ac.example.com logger[94]: /etc/network/if-up.d/sendmail (dynamic) update_interface: lo up
May 12 06:02:15 srvvm01.ac.example.com logger[95]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: lo up
May 12 06:02:15 srvvm01.ac.example.com logger[132]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv:
May 12 06:02:15 srvvm01.ac.example.com logger[133]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail:
May 12 06:02:15 srvvm01.ac.example.com logger[145]: /etc/network/if-up.d/sendmail (dynamic) update_interface: eth0 up
May 12 06:02:15 srvvm01.ac.example.com logger[146]: /etc/network/if-up.d/sendmail (dynamic) update_provider: eth0 up ac.example.com.
May 12 06:02:15 srvvm01.ac.example.com logger[147]: /etc/network/if-up.d/sendmail (dynamic) update_host: eth0 up 

Re: [Freeipa-users] otp question to limit brute force vector for web applications

2016-05-13 Thread Thomas Heil
Hi,

On 13.05.2016 16:12, Petr Spacek wrote:
> On 13.5.2016 15:25, Thomas Heil wrote:
>> Hi,
>>
>> I would like to reduce the vector of brute force attacks in my web
>> application written in PHP. Users can log in via password and OTP, which
>> are hosted on FreeIPA.
>>
>> To achieve this I would like to check the OTP first, so no password auth
>> is done on the FreeIPA server and no user can be locked out.
>>
>> If the OTP is correct, the user is then allowed to log in via password+OTP.
>>
>> Unfortunately, there is no API method that can check only the OTP for a
>> user with an identity.
>>
>> Would it be possible to expose such a new method?
> 
> This would open a new attack vector, so it is a bad idea.
> 
> An attacker must not be able to distinguish the case where the password OR the
> OTP is correct/wrong. If you allow this, the attacker will be able to crack the
> OTP first and then continue with the password, so you are making it easier.

Okay, you are right with that. Sorry.

My intention is to avoid being vulnerable to brute force attacks. I
have a trust with an Active Directory and want to avoid the user on the
AD side being locked if the OTP is wrong.

Is this possible?


> 
> Do not do that :-)
> 

Indeed, I will not do that.


cheers
thomas




Re: [Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread Petr Spacek
On 13.5.2016 16:10, bahan w wrote:
> Please ignore the character "-" in .
> 
> On Fri, May 13, 2016 at 4:09 PM, bahan w  wrote:
> 
>> Hello !
>>
>> I recently performed an ipa user-add for a new user, and when I check in
>> the LDAP I can see two entries for it:
>> - One in uid=,cn=users,cn=compat,dc=
>> - One in uid=,cn=users,cn=accounts,dc=
>>
>> Is it normal?
>> I know that my user is the one defined in the tree
>> cn=users,cn=accounts,dc=.
>>
>> What exactly is the entry in cn=users,cn=compat,dc= please?

This is an auto-generated entry which is used for old clients.
See
http://www.freeipa.org/page/HowTo/LDAP#Unix_clients
and
man ipa-compat-manage

-- 
Petr^2 Spacek



Re: [Freeipa-users] otp question to limit brute force vector for web applications

2016-05-13 Thread Petr Spacek
On 13.5.2016 15:25, Thomas Heil wrote:
> Hi,
> 
> I would like to reduce the vector of brute force attacks in my web
> application written in PHP. Users can log in via password and OTP, which
> are hosted on FreeIPA.
> 
> To achieve this I would like to check the OTP first, so no password auth
> is done on the FreeIPA server and no user can be locked out.
> 
> If the OTP is correct, the user is then allowed to log in via password+OTP.
> 
> Unfortunately, there is no API method that can check only the OTP for a
> user with an identity.
> 
> Would it be possible to expose such a new method?

This would open a new attack vector, so it is a bad idea.

An attacker must not be able to distinguish the case where the password OR the
OTP is correct/wrong. If you allow this, the attacker will be able to crack the
OTP first and then continue with the password, so you are making it easier.

Do not do that :-)

-- 
Petr^2 Spacek


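Petr's point in concrete form, as an added example that is not code from the thread or from FreeIPA: a verifier that reports which factor failed is an oracle. With it, an attacker enumerates the OTP space on its own (at most 10^6 requests for a six-digit code, a few seconds on a LAN) and only then attacks the password, and the account is never locked because the OTP check happens before the password check. A verifier that evaluates both factors on every attempt and returns a single verdict forces the attacker into the product of both search spaces. The user record, salt, password and OTP secret below are constructed test data (the OTP secret is the RFC 4226 test-vector secret), and the verifiers model the web application's own login check, not FreeIPA's.

```python
"""Why a 'check the OTP first' endpoint is an oracle.

Added example, not code from the thread or from FreeIPA. Models two
verifiers for password+OTP logins: the proposed split design, which reveals
which factor failed, and a combined one that gives a single verdict.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is the same with counter = floor(unix_time / 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user record; the OTP secret is the RFC 4226 test-vector secret.
SALT = b"constructed-salt"
USER = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "otp_secret": b"12345678901234567890",
}


def verify_split(user, password: str, otp: str, counter: int) -> str:
    """The proposed design: OTP checked alone first. Tells the caller WHICH factor failed."""
    if not hmac.compare_digest(hotp(user["otp_secret"], counter), otp):
        return "bad_otp"
    if not hmac.compare_digest(hash_password(password, SALT), user["password_hash"]):
        return "bad_password"
    return "ok"


def verify_combined(user, password: str, otp: str, counter: int) -> bool:
    """Evaluate both factors every time and return one verdict: a wrong OTP and
    a wrong password are indistinguishable to the caller."""
    otp_ok = hmac.compare_digest(hotp(user["otp_secret"], counter), otp)
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["password_hash"])
    return otp_ok & pw_ok   # bitwise, not 'and': no short-circuit on the first factor


def crack_otp_via_split_oracle(user, counter: int, digits: int = 6):
    """Attacker against the split endpoint: send a junk password and walk the
    OTP space. The first answer other than 'bad_otp' reveals the current code.
    Returns (code, number_of_requests)."""
    for i in range(10 ** digits):
        guess = str(i).zfill(digits)
        if verify_split(user, "x", guess, counter) != "bad_otp":
            return guess, i + 1
    return None, 10 ** digits


if __name__ == "__main__":
    code, n = crack_otp_via_split_oracle(USER, counter=1)
    print(f"split oracle leaked OTP {code} after {n} requests, no password needed")
    print("combined verdict with right OTP, wrong password:",
          verify_combined(USER, "wrong", code, 1))
```

The same reasoning applies to the lockout counter: if a wrong OTP and a wrong password are counted and reported identically, the endpoint leaks nothing about which factor the attacker already has, and the counter cannot be bypassed by solving the factors one at a time.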

Re: [Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread bahan w
Please ignore the character "-" in .

On Fri, May 13, 2016 at 4:09 PM, bahan w  wrote:

> Hello !
>
> I recently performed an ipa user-add for a new user, and when I check in
> the LDAP I can see two entries for it:
> - One in uid=,cn=users,cn=compat,dc=
> - One in uid=,cn=users,cn=accounts,dc=
>
> Is it normal?
> I know that my user is the one defined in the tree
> cn=users,cn=accounts,dc=.
>
> What exactly is the entry in cn=users,cn=compat,dc= please?
>
> BR.
>
> Bahan
>

[Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread bahan w
Hello !

I recently performed an ipa user-add for a new user, and when I check in the
LDAP I can see two entries for it:
- One in uid=,cn=users,cn=compat,dc=
- One in uid=,cn=users,cn=accounts,dc=

Is it normal?
I know that my user is the one defined in the tree
cn=users,cn=accounts,dc=.

What exactly is the entry in cn=users,cn=compat,dc= please?

BR.

Bahan

[Freeipa-users] otp question to limit brute force vector for web applications

2016-05-13 Thread Thomas Heil
Hi,

I would like to reduce the vector of brute force attacks in my web
application written in PHP. Users can log in via password and OTP, which
are hosted on FreeIPA.

To achieve this I would like to check the OTP first, so no password auth
is done on the FreeIPA server and no user can be locked out.

If the OTP is correct, the user is then allowed to log in via password+OTP.

Unfortunately, there is no API method that can check only the OTP for a
user with an identity.

Would it be possible to expose such a new method?

kind regards
-- 
Thomas


Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-13 Thread Sumit Bose
On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> .. if possible, would you know?
> hi everybody,
> I'm trying, and hoping it is possible, to realm join an AD in such a
> way that I tap my IPA into a specific OU within that AD.

I'm not exactly sure what you mean here. Do you want to join a computer
which is already a client in an IPA domain to AD as well? If this is the
case I would recommend considering the IPA trust feature. Joining 2
domains is in general possible with SSSD but has to be done with very
great care, e.g. by using different keytabs for each domain.

> The thing is, I'm thinking it would make user access control ideal
> from the start as I need only users from that OU, but also because I'm
> only granted access to the user/group who has control over that OU.
> I'm trying that but I see:
> 
> ! The computer account RIDER already exists, but is not in the desired
> organizational unit.
> adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> already exists,

Computer account names in AD must be unique even if they are added to
different OUs. So if there is already a computer called RIDER joined to
AD and it is not your computer, you have to rename your computer to join.
If it is your computer and you want to create it in a different OU, you
have to delete the old computer object first and then do a fresh join.

HTH

bye,
Sumit

>  ! Failed to join the domain
> 
> I'm doing this:
> $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> 
> and computer is in OU=private of ccc.bb.aa
> so is the user private-user
> 
> many thanks.
> L


Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-05-13 Thread Lukas Slebodnik
On (12/05/16 16:16), Harald Dunkel wrote:
>On 04/26/16 17:29, Timo Aaltonen wrote:
>> 
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>> 
>
>Since 24beta is out without fixing
>
>   https://fedorahosted.org/freeipa/ticket/5639
>
You might see in the ticket that the planned milestone is "Future Releases",
which isn't any particular release (4.4.x ...).

It basically means that patches are welcome.
That's how it works in the open source world.

LS



Re: [Freeipa-users] sssd went away, failed to restart

2016-05-13 Thread Lukas Slebodnik
On (12/05/16 15:35), Harald Dunkel wrote:
>On 05/12/16 13:48, Lukas Slebodnik wrote:
>> It would be nice if you could provide a reliable reproducer.
>> I'm sorry, we do not have a crystal ball and the sssd log files
>> did not help either. They are truncated.
>> 
>
>That's all I got.
>
and that's the reason why we cannot help more :-(

>> I would like to fix it but I do not know what to fix.
>> 
>> Is there anything interesting/suspicious in syslog/journald
>> from the same time?
>> 
>
>"journalctl -u sssd" says
>
It is not helpful either.
We asked you to find *ANYTHING* interesting/suspicious in syslog/journald,
so it needn't be related to sssd.

It can be related to swapping, out of entropy, disk needs to spin up,
high load, DNS not responding, whatever.

But it's your task to find out what triggers the problem.
We do not have access to the problematic machines.

So try to find the reason which triggers the problem and provide a
reasonable reproducer.

LS



Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil

2016-05-13 Thread Petr Spacek
On 13.5.2016 14:07, Günther J. Niederwimmer wrote:
> Hello Petr,
> 
> thank you for the answer
> 
> Am Freitag, 13. Mai 2016, 13:35:57 CEST schrieb Petr Spacek:
>> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
>>> Cannot open destination file, will not make backup.
>>> No keys in the READY state matched your parameters, please check the
>>> parameters
>>
>> This is correct. The configured TTL did not expire yet, so the key is not
>> "ready". See the column "Date of next transition". You will be able to
>> activate the key when this time passes.
>>
>> For detailed info please see
>> https://wiki.opendnssec.org/display/DOCS/Key+States
>>
>> If you are going to use DNSSEC please make sure to use the very latest FreeIPA
>> 4.3.1 or newer. We fixed a lot of bugs in the last release.
> 
> My system is CentOS 7.2; can I find newer FreeIPA RPMs in any repository
> for this system?

You might either try
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
or wait for CentOS 7.3.

Petr^2 Spacek

> This is my private Server and I hope this is running correct ?
>  
>> Petr^2 Spacek
>>
>>> when i say
>>>
>>> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key
>>> list --verbose
>>> SQLite database set to: /var/opendnssec/kasp.db
>>> Keys:
>>> Zone:   Keytype:  State:Date of next
>>> transition (to):  Size:   Algorithm:  CKA_ID:
>>> Repository:   Keytag:
>>> examle.comKSK   publish   2016-05-14
>>> 00:16:00 (ready)30728   6145b3b71c448dfc1130d0f9d2caac79 
>>> SoftHSM 40447
>>> example.comZSK   active2016-08-11
>>> 10:16:00 (retire)   20488   d7fe5c98d5f3f89aefb9e8dfb92ebcb1 
>>> SoftHSM 60630
>>>
>>> The DS Record are published in the ".com" Domain
>>>
>>> dig +rrcomments example.com DS
>>> ;; ANSWER SECTION:
>>> example.com.   85610   IN  DS  40447 8 1
>>> 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
>>> example.com.   85610   IN  DS  40447 8 2
>>> 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
>>>
>>> Is this the correct status or have I to change anything ?
>>>
>>> Have I to change the KSK status form publish to active or is this correct
>>> ?
>>>
>>> Thanks for a answer
> 
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Looking for documentation for Python API

2016-05-13 Thread Alexander Bokovoy

On Fri, 13 May 2016, Petr Vobornik wrote:
> On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
>> On Thu, 12 May 2016, Jan Cholasta wrote:
>>> On 11.5.2016 10:52, Martin Kosek wrote:
>>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>>>
>>>>>> So for example for caacl-add:
>>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>>> description")
>>>>>>
>>>>>> you can try commands in "ipa console" it contains initialized API, just
>>>>>> call api.Command.()
>>>>>>
>>>>>> API.txt provides the same information as API browser, but browser looks
>>>>>> better :)
>>>>>>
>>>>>> Feel free to ask anything, if you identified gaps in docs which are hard
>>>>>> to understand for non-IPA developer feel free report it, or feel free to
>>>>>> create howTo in freeipa.org page.
>>>>>
>>>>> Thanks for the pointers. I'm looking at automating some user and group
>>>>> additions, group editing, etc.  Am I right in assuming that anything
>>>>> that uses the api.Command. will require a kinit  before it is run,
>>>>> even if it is via the Python API? If I want to use a user/pass from
>>>>> the script itself (and not have a shell script which does kinit, then
>>>>> fires off my Python script) would I be better off hitting the web API
>>>>> with sessions and JSON-RPC as detailed here:
>>>>>
>>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>>
>>>>> Put another way, since I want to hit the API from a system that might
>>>>> not have sssd installed, nor has joined the realm, I assume it would be
>>>>> *impossible* to use api.Command. as it relies on a Kerberos ticket?  To
>>>>> put it yet another way: is there a way to hand a user/pass to the
>>>>> Python API and authenticate that way.
>>>>
>>>> The API itself can be hit with user/password, as noted in Alexander's
>>>> blog. If you want to use the actual Python API, Kerberos may be the only
>>>> way. But I think Jan or Petr may had some other (hacky) way to pass
>>>> user+password there too.
>>>
>>> I don't think we support anything but Kerberos on the client side in
>>> our Python API. It might be possible to somehow emulate what the web
>>> UI does, but I haven't personally ever attempted to do that. Petr,
>>> have you?
>> It should be relatively easy to update IPA cli code to accept a jar with
>> a cookie and use that if Kerberos ccache is missing or empty.
>
> I implemented it a year ago, but the patch was not merged:
> https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html

I can revive it. I think it brings sufficient value to get merged.
--
/ Alexander Bokovoy



Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil

2016-05-13 Thread Günther J . Niederwimmer
Hello Petr,

thank you for the answer

Am Freitag, 13. Mai 2016, 13:35:57 CEST schrieb Petr Spacek:
> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> > Cannot open destination file, will not make backup.
> > No keys in the READY state matched your parameters, please check the
> > parameters
> 
> This is correct. The configured TTL did not expire yet, so the key is not
> "ready". See the column "Date of next transition". You will be able to
> activate the key when this time passes.
> 
> For detailed info please see
> https://wiki.opendnssec.org/display/DOCS/Key+States
> 
> If you are going to use DNSSEC please make sure to use the very latest FreeIPA
> 4.3.1 or newer. We fixed a lot of bugs in the last release.

My system is CentOS 7.2; can I find newer FreeIPA RPMs in any repository
for this system?

This is my private server and I hope this is running correctly?
 
> Petr^2 Spacek
> 
> > when i say
> > 
> > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key
> > list --verbose
> > SQLite database set to: /var/opendnssec/kasp.db
> > Keys:
> > Zone:   Keytype:  State:Date of next
> > transition (to):  Size:   Algorithm:  CKA_ID:
> > Repository:   Keytag:
> > examle.comKSK   publish   2016-05-14
> > 00:16:00 (ready)30728   6145b3b71c448dfc1130d0f9d2caac79 
> > SoftHSM 40447
> > example.comZSK   active2016-08-11
> > 10:16:00 (retire)   20488   d7fe5c98d5f3f89aefb9e8dfb92ebcb1 
> > SoftHSM 60630
> > 
> > The DS Record are published in the ".com" Domain
> > 
> > dig +rrcomments example.com DS
> > ;; ANSWER SECTION:
> > example.com.   85610   IN  DS  40447 8 1
> > 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> > example.com.   85610   IN  DS  40447 8 2
> > 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> > 
> > Is this the correct status or have I to change anything ?
> > 
> > Have I to change the KSK status form publish to active or is this correct
> > ?
> > 
> > Thanks for a answer


-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil

2016-05-13 Thread Petr Spacek
On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> Hello,
> I have activated my domain with DNSSEC now, but I think I have a problem
> setting it ACTIVE?
> 
> I installed and tested it from
> https://www.freeipa.org/page/Howto/DNSSEC
> 
> but my output from
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
> is
> 
> Cannot open destination file, will not make backup.
> No keys in the READY state matched your parameters, please check the 
> parameters

This is correct. The configured TTL did not expire yet, so the key is not "ready".
See the column "Date of next transition". You will be able to activate the key
when this time passes.

For detailed info please see
https://wiki.opendnssec.org/display/DOCS/Key+States

If you are going to use DNSSEC please make sure to use the very latest FreeIPA
4.3.1 or newer. We fixed a lot of bugs in the last release.

Petr^2 Spacek


> 
> when i say
> 
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list 
> --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:   Keytype:  State:Date of next 
> transition (to):  Size:   Algorithm:  CKA_ID:   
> Repository:   Keytag:
> examle.comKSK   publish   2016-05-14 00:16:00 
> (ready)30728   6145b3b71c448dfc1130d0f9d2caac79  SoftHSM  
>  
> 40447
> example.comZSK   active2016-08-11 
> 10:16:00 
> (retire)   20488   d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM
> 60630
> 
> The DS Record are published in the ".com" Domain
> 
> dig +rrcomments example.com DS
> ;; ANSWER SECTION:
> example.com.   85610   IN  DS  40447 8 1 
> 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> example.com.   85610   IN  DS  40447 8 2 
> 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> 
> Is this the correct status or have I to change anything ?
> 
> Have I to change the KSK status form publish to active or is this correct ?
> 
> Thanks for a answer


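Before telling OpenDNSSEC that the parent has seen the DS (ds-seen), it is worth checking that the DS records dig returns from .com really correspond to the KSK that is about to go active: a DS that points at a different key, or at the ZSK, makes the zone bogus for every validating resolver the moment the KSK signs. The following is an added example, not code from the thread, FreeIPA or OpenDNSSEC: it implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) computations, for digest types 1 (SHA-1) and 2 (SHA-256) as in the two records quoted above, and compares them against dig's answer lines. The DNSKEY in the usage is constructed test data with a dummy public key; on a real zone the input is the KSK's DNSKEY RDATA (flags 257, protocol 3, algorithm 8 in the thread) and the actual dig output.

```python
"""Verify that published DS records match a DNSKEY (RFC 4034).

Added example, not part of the thread or of FreeIPA/OpenDNSSEC. The DNSKEY
used below is constructed test data with a dummy public key.
"""
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit one's-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash function


def ds_record(owner: str, rdata: bytes, digest_type: int):
    """(key_tag, algorithm, digest_type, HEX_DIGEST) as it should appear in the parent."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds_line(line: str):
    """Parse one 'dig ... DS' answer line, e.g.
    'example.com. 85610 IN DS 40447 8 2 92EE9E78...' (digest may contain spaces)."""
    fields = line.split()
    i = fields.index("DS")
    return (int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]),
            "".join(fields[i + 4:]).upper())


def ds_matches(owner: str, rdata: bytes, dig_lines) -> bool:
    """True if there is at least one DS line and every one matches this DNSKEY."""
    published = [parse_ds_line(l) for l in dig_lines if " DS " in l or "\tDS\t" in l]
    return bool(published) and all(ds_record(owner, rdata, p[2]) == p for p in published)


if __name__ == "__main__":
    # Constructed KSK (flags 257 = zone key + SEP, algorithm 8 = RSASHA256) with a dummy key.
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    print("key tag:", key_tag(ksk))
    for dtype in (1, 2):
        print("expected DS:", *ds_record("example.com", ksk, dtype))
```

The key tag printed here must equal the Keytag column that ods-ksmutil shows for the KSK, and the digests must equal the DS records in the parent, otherwise the "DS seen" transition is premature.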

[Freeipa-users] DNSSEC active (?) ods-ksmutil

2016-05-13 Thread Günther J . Niederwimmer
Hello,
I have activated my domain with DNSSEC now, but I think I have a problem
setting it ACTIVE?

I installed and tested it from
https://www.freeipa.org/page/Howto/DNSSEC

but my output from
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
is

Cannot open destination file, will not make backup.
No keys in the READY state matched your parameters, please check the 
parameters

when I say

sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list 
--verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:    Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
examle.com   KSK       publish   2016-05-14 00:16:00 (ready)    3072   8           6145b3b71c448dfc1130d0f9d2caac79  SoftHSM      40447
example.com  ZSK       active    2016-08-11 10:16:00 (retire)   2048   8           d7fe5c98d5f3f89aefb9e8dfb92ebcb1  SoftHSM      60630

The DS Record are published in the ".com" Domain

dig +rrcomments example.com DS
;; ANSWER SECTION:
example.com.   85610   IN  DS  40447 8 1 
4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
example.com.   85610   IN  DS  40447 8 2 
92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734

Is this the correct status or do I have to change anything?

Do I have to change the KSK status from publish to active, or is this correct?

Thanks for an answer

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Looking for documentation for Python API

2016-05-13 Thread Petr Vobornik
On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
> On Thu, 12 May 2016, Jan Cholasta wrote:
>> On 11.5.2016 10:52, Martin Kosek wrote:
>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>>
>>>>> So for example for caacl-add:
>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>> description")
>>>>>
>>>>> you can try commands in "ipa console" it contains initialized API, just
>>>>> call api.Command.()
>>>>>
>>>>> API.txt provides the same information as API browser, but browser looks
>>>>> better :)
>>>>>
>>>>> Feel free to ask anything, if you identified gaps in docs which are hard
>>>>> to understand for non-IPA developer feel free report it, or feel free to
>>>>> create howTo in freeipa.org page.
>>>>
>>>> Thanks for the pointers. I'm looking at automating some user and group
>>>> additions, group editing, etc.  Am I right in assuming that anything
>>>> that uses the api.Command. will require a kinit  before it is run,
>>>> even if it is via the Python API? If I want to use a user/pass from
>>>> the script itself (and not have a shell script which does kinit, then
>>>> fires off my Python script) would I be better off hitting the web API
>>>> with sessions and JSON-RPC as detailed here:
>>>>
>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>
>>>> Put another way, since I want to hit the API from a system that might
>>>> not have sssd installed, nor has joined the realm, I assume it would be
>>>> *impossible* to use api.Command. as it relies on a Kerberos ticket?  To
>>>> put it yet another way: is there a way to hand a user/pass to the
>>>> Python API and authenticate that way.
>>>
>>> The API itself can be hit with user/password, as noted in Alexander's
>>> blog. If you want to use the actual Python API, Kerberos may be the only
>>> way. But I think Jan or Petr may had some other (hacky) way to pass
>>> user+password there too.
>>
>> I don't think we support anything but Kerberos on the client side in
>> our Python API. It might be possible to somehow emulate what the web
>> UI does, but I haven't personally ever attempted to do that. Petr,
>> have you?
> It should be relatively easy to update IPA cli code to accept a jar with
> a cookie and use that if Kerberos ccache is missing or empty.
> 

I implemented it a year ago, but the patch was not merged:
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html

-- 
Petr Vobornik



Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?

2016-05-13 Thread Marc Boorshtein
Thanks Alexander.  I wasn't looking to get anything developed, just
curious if it would work or even if it there was something I could try
on my end like a change to a directory setting to see if it would even
work.  Understood that there's more in the connection between the
ipaclient and the DC then just LDAP.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity


On Fri, May 13, 2016 at 5:46 AM, Alexander Bokovoy  wrote:
> On Wed, 11 May 2016, Marc Boorshtein wrote:
>>
>> I've got a potential use case where I want to authenticate users using
>> their AD credentials, store accounts and permissions in FreeIPA but
>> not have a cross forest trust.  One way to do this is to have SSSD
>> talk LDAP to a virtual directory which would route the bind to AD but
>> all other operations to the 389 backing IPA.  Kerberos wouldn't work,
>> but if you're interested in password or ssh key based auth it should
>> work, right?  Then you'd still get the HBAC benefits?
>
> There is more than just look up in LDAP when talking to AD DCs. Trust
> ensures we have enough correctly set security descriptors on the objects
> we use to represent our identity to access AD DCs. If that part is
> missing, you get all kinds of problems.
>
> Replacing trust by something that is effectively attempting to simulate
> trust but not being a trust scenario is, of course, possible. However, I
> don't see this as something we'd like to put any reasonable time to
> develop because it is a corner case with disproportional amount of
> development time investment. You may disagree and that's fine, but this
> doesn't change the fact that somebody needs to invest time into it.
> --
> / Alexander Bokovoy



Re: [Freeipa-users] Looking for documentation for Python API

2016-05-13 Thread Alexander Bokovoy

On Thu, 12 May 2016, Jan Cholasta wrote:
> On 11.5.2016 10:52, Martin Kosek wrote:
>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>
>>>> So for example for caacl-add:
>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>> description")
>>>>
>>>> you can try commands in "ipa console" it contains initialized API, just
>>>> call api.Command.()
>>>>
>>>> API.txt provides the same information as API browser, but browser looks
>>>> better :)
>>>>
>>>> Feel free to ask anything, if you identified gaps in docs which are hard
>>>> to understand for non-IPA developer feel free report it, or feel free to
>>>> create howTo in freeipa.org page.
>>>
>>> Thanks for the pointers. I'm looking at automating some user and group
>>> additions, group editing, etc.  Am I right in assuming that anything that uses
>>> the api.Command. will require a kinit  before it is run,
>>> even if it is via the Python API? If I want to use a user/pass from the script
>>> itself (and not have a shell script which does kinit, then fires off my Python
>>> script) would I be better off hitting the web API with sessions and JSON-RPC as
>>> detailed here:
>>>
>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>
>>> Put another way, since I want to hit the API from a system that might not have
>>> sssd installed, nor has joined the realm, I assume it would be *impossible* to
>>> use api.Command. as it relies on a Kerberos ticket?  To put it yet
>>> another way: is there a way to hand a user/pass to the Python API and
>>> authenticate that way.
>>
>> The API itself can be hit with user/password, as noted in Alexander's blog. If
>> you want to use the actual Python API, Kerberos may be the only way. But I
>> think Jan or Petr may have had some other (hacky) way to pass user+password there
>> too.
>
> I don't think we support anything but Kerberos on the client side in
> our Python API. It might be possible to somehow emulate what the web
> UI does, but I haven't personally ever attempted to do that. Petr,
> have you?

It should be relatively easy to update IPA cli code to accept a jar with
a cookie and use that if Kerberos ccache is missing or empty.

--
/ Alexander Bokovoy

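The thread settles on two routes: the Python API (`api.Command.*`) needs a Kerberos credential cache, while the web API accepts a user/password login that yields a session cookie, as in the blog post linked above. The following is an added example of that second route, not FreeIPA's own client code. It uses only the standard library and follows the session flow the post describes: POST the credentials to `/ipa/session/login_password`, keep the `ipa_session` cookie, then POST JSON-RPC bodies to `/ipa/session/json` with a `Referer` header. The server name `ipa.example.test`, the CA file path and the `user_find` call at the bottom are assumptions for the demo.

```python
"""Password-session client for the FreeIPA JSON-RPC API, standard library only."""
import getpass
import json
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


class IPAError(Exception):
    """HTTP-level rejection (e.g. bad password) or a JSON-RPC error object."""


def make_urllib_transport(cafile):
    """Return post(url, body, headers) -> (status, lowercase header dict, body bytes).

    One cookie jar is shared by all requests so the ipa_session cookie set by the
    login is sent on the JSON-RPC calls. cafile should be the IPA CA certificate
    (on enrolled hosts it is /etc/ipa/ca.crt; copy it to an unenrolled host). Do
    not disable verification: the session cookie is a bearer credential.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))

    def post(url, body, headers):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with opener.open(req) as resp:
                return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
        except urllib.error.HTTPError as err:   # 401 on bad password, 400 on missing Referer
            return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()
    return post


class IPASessionClient:
    def __init__(self, server, transport):
        self.base = "https://%s/ipa" % server
        self.transport = transport   # injectable, so the logic can be tested offline
        self._next_id = 0

    def login(self, user, password):
        """Form-encoded login; on failure IPA returns 401 with X-IPA-Rejection-Reason."""
        body = urllib.parse.urlencode({"user": user, "password": password}).encode("ascii")
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "text/plain",
                   "Referer": self.base}
        status, hdrs, _ = self.transport(self.base + "/session/login_password", body, headers)
        if status != 200:
            raise IPAError("login rejected (HTTP %d): %s"
                           % (status, hdrs.get("x-ipa-rejection-reason", "no reason given")))

    def call(self, method, args=(), **options):
        """Invoke one IPA command, e.g. call('user_add', ['alice'], givenname='Alice', sn='Liddell')."""
        self._next_id += 1
        payload = {"method": method, "params": [list(args), options], "id": self._next_id}
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json",
                   "Referer": self.base}   # the JSON endpoint rejects requests without a Referer
        status, _, raw = self.transport(self.base + "/session/json",
                                        json.dumps(payload).encode("utf-8"), headers)
        if status != 200:
            raise IPAError("%s: HTTP %d (session expired? log in again)" % (method, status))
        reply = json.loads(raw.decode("utf-8"))
        if reply.get("error"):
            raise IPAError("%s: %s" % (method, reply["error"].get("message", reply["error"])))
        return reply["result"]


if __name__ == "__main__":
    # Usage: python3 ipa_session.py ipa.example.test /path/to/ca.crt admin
    server, cafile, user = sys.argv[1:4]
    client = IPASessionClient(server, make_urllib_transport(cafile))
    client.login(user, getpass.getpass("Password for %s: " % user))
    for entry in client.call("user_find", sizelimit=5)["result"]:
        print(entry["uid"][0])
```

The same `call()` shape works for `user_add`, `group_add_member` and the rest of the commands listed in the API browser: positional arguments go in the first list, options in the second dict. Treat the session cookie like a password (verified TLS only, no logging of the jar), and expect a non-200 status once the server-side session lifetime runs out, at which point `login()` has to be repeated.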


Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?

2016-05-13 Thread Alexander Bokovoy

On Wed, 11 May 2016, Marc Boorshtein wrote:
> I've got a potential use case where I want to authenticate users using
> their AD credentials, store accounts and permissions in FreeIPA but
> not have a cross forest trust.  One way to do this is to have SSSD
> talk LDAP to a virtual directory which would route the bind to AD but
> all other operations to the 389 backing IPA.  Kerberos wouldn't work,
> but if you're interested in password or ssh key based auth it should
> work, right?  Then you'd still get the HBAC benefits?

There is more than just look up in LDAP when talking to AD DCs. Trust
ensures we have enough correctly set security descriptors on the objects
we use to represent our identity to access AD DCs. If that part is
missing, you get all kinds of problems.

Replacing trust by something that is effectively attempting to simulate
trust but not being a trust scenario is, of course, possible. However, I
don't see this as something we'd like to put any reasonable time to
develop because it is a corner case with disproportional amount of
development time investment. You may disagree and that's fine, but this
doesn't change the fact that somebody needs to invest time into it.
--
/ Alexander Bokovoy



Re: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install

2016-05-13 Thread Timo Aaltonen
On 11.05.2016 17:14, Zak Wolfinger wrote:
> I’m trying to set up FreeIPA as a replica.  I’ve followed the
> instructions in section 4 here:  
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
>  
> The replica install appears to be successful, but when I try to do
> ‘ipactl start’ I get this:
> 
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> I’ve looked through the man pages but I’m not seeing what needs to be
> done.  

4.3 on Ubuntu supports only domain level 1 replicas, so you need to have
a 4.3 server installed first and then install a client and promote it to a
replica.


-- 
t



Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-13 Thread Martin Kosek
On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> Hello,
> I have a problem finding the correct way to set NSEC3PARAM.
> 
> With your help I found this:
> 
> ipa dnszone-mod example.com. --nsec3param-rec "  
>  "
> 
> But it does not work correctly?
> 
> Now the question, is this the correct way
> 
> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>  
> to insert the NSEC3 parameter?

This should be right, there were related fixes in
https://fedorahosted.org/freeipa/ticket/4413

Your second command works in my test environment:
# ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
# dig -t nsec3param example.com. +short
1 7 100 F9BA6264232B7283

Martin
