[Freeipa-users] How RBAC defined.
Hi List,

I have one working setup with HBAC and sudo rules. I would like to know more about RBAC, like what RBAC is and what can be achieved with RBAC. Could anyone please share some good topics about this, as I am getting so many and the information in them differs?

Thanks & Regards,
Ben

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Hi all,

I have inherited an IPA system that has an expired cert and the old admins have left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but am running into errors when I try to renew the CA certs even after the time is reset. Also tried the troubleshooting under (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors); specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt" to add the cert in the database.

From the output of getcert list, I see both CA_UNREACHABLE and NEED_CSR_GEN_PIN. I followed the Red Hat article here (https://access.redhat.com/solutions/1142913) which verified the key file password is correct, and I have reset the time. However the NEED_CSR_GEN_PIN status remains. My company actually has Red Hat support, but when they built this IPA whoever built it was using CentOS 6, so I am out of luck here.

I would really appreciate any help since I am stuck at this point. What else can I do at this point? e.g. Is generating a new CA cert necessary, etc.?
Version:
ipa-pki-ca-theme.noarch 9.0.3-7.el6 @base
ipa-pki-common-theme.noarch 9.0.3-7.el6 @base
ipa-pmincho-fonts.noarch 003.02-3.1.el6 @base
ipa-python.x86_64 3.0.0-47.el6.centos.2 @updates
ipa-server.x86_64 3.0.0-47.el6.centos.2 @updates
ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 @updates

Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see these errors which I think are relevant?:
[27/Dec/2015:14:12:01][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException Certificate object not found
[27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException Certificate object not found
[27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()

Result seems to show the key file password is correct:
certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa NSS Certificate DB:Server-Cert

certutil -L -d /var/lib/pki-ca/alias
Certificate Nickname                 Trust Attributes SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu
caSigningCert cert-pki-ca            CTu,Cu,Cu

certutil -L -d /etc/httpd/alias
Certificate Nickname                 Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert                          u,u,u
ipaCert                              u,u,u
REALM.COM IPA CA                     CT,C,

certutil -L -d /etc/dirsrv/slapd-REALM-COM
Certificate Nickname                 Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert                          u,u,u
REALM.COM IPA CA                     CT,C,C

Output of getcert list:
Number of certificates and requests being tracked: 7.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=example.NET
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '21135214223300':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=example.NET
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29
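A small triage script for the situation above, added here as an example (it is not code from the thread, from FreeIPA or from certmonger). It parses `getcert list` output, groups tracked requests by what is blocking them (CA unreachable, missing PIN, stuck, already expired) and prints the check to run next for each. SAMPLE is constructed: the first two requests are the ones posted above with the anonymised names kept, the third is invented to show a NEED_CSR_GEN_PIN entry, and its CA name and pinfile path are assumptions.

```python
"""Triage `getcert list` output offline (added example, see lead-in)."""
import re
from datetime import datetime, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
    CA: IPA
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    pre-save command:
    track: yes
Request ID '21135214223300':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    CA: IPA
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    track: yes
Request ID '20151201000000':
    status: NEED_CSR_GEN_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki-ca/password.conf'
    CA: dogtag-ipa-renew-agent
    subject: CN=host.example.net,O=example.NET
    expires: 2015-12-01 00:00:00 UTC
    track: yes
"""

REQ_ID = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^\s+([^:]+?):\s?(.*)$")   # key up to the first colon, rest is the value
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert(text):
    """One dict per tracked request, keyed by getcert's own field names."""
    requests, cur = [], None
    for line in text.splitlines():
        m = REQ_ID.match(line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return requests


def _storage_attr(req, name):
    m = re.search(name + r"='([^']*)'", req.get("key pair storage", ""))
    return m.group(1) if m else None


def pinfile_of(req):
    return _storage_attr(req, "pinfile")


def location_of(req):
    return _storage_attr(req, "location") or "?"


def is_expired(req, now_utc):
    """now_utc is 'YYYY-MM-DD HH:MM:SS' (UTC); compares against the 'expires' field."""
    if "expires" not in req:
        return False
    exp = datetime.strptime(req["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return exp <= now


def next_check(req):
    """First thing to look at for this request, derived from its getcert state."""
    status = req.get("status", "")
    if status == "NEED_CSR_GEN_PIN":
        # certmonger needs the NSS DB PIN to generate a CSR; prove the pinfile unlocks the key.
        pin = pinfile_of(req) or "<no pinfile in key pair storage>"
        return (f"certmonger cannot unlock the key: verify {pin} opens the DB, e.g. "
                f"certutil -K -d {location_of(req)} -f {pin}")
    if status == "CA_UNREACHABLE" and "Unable to communicate with CMS" in req.get("ca-error", ""):
        # The IPA RA reached Apache, but the Dogtag CA web application answered Not Found.
        return ("the CA web application is not serving: check that pki-ca is running "
                "and read /var/log/pki-ca/debug")
    if status == "MONITORING":
        return "nothing to do"
    return f"status {status}: see getcert list -i {req['id']}"


def triage(text, now_utc):
    """Group request IDs by condition; one request can appear under several keys."""
    groups = {"expired": [], "ca_unreachable": [], "need_pin": [], "stuck": []}
    for req in parse_getcert(text):
        if is_expired(req, now_utc):
            groups["expired"].append(req["id"])
        if req.get("status") == "CA_UNREACHABLE":
            groups["ca_unreachable"].append(req["id"])
        if req.get("status") == "NEED_CSR_GEN_PIN":
            groups["need_pin"].append(req["id"])
        if req.get("stuck") == "yes":
            groups["stuck"].append(req["id"])
    return groups


if __name__ == "__main__":
    for req in parse_getcert(SAMPLE):
        print(req["id"], req.get("status"), "->", next_check(req))
    print(triage(SAMPLE, "2016-01-05 00:00:00"))
```

Run it as `getcert list | python3 triage.py` after swapping SAMPLE for `sys.stdin.read()`; the expiry check takes a UTC timestamp explicitly so it can be evaluated against the rolled-back clock the renewal page asks for rather than the host's current time.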
Re: [Freeipa-users] sssd went away, failed to restart
On 05/13/16 14:45, Lukas Slebodnik wrote:
> On (12/05/16 15:35), Harald Dunkel wrote:
>> On 05/12/16 13:48, Lukas Slebodnik wrote:
>>> I would like to fix it but I do not know what to fix.
>>>
>>> Is there anything interesting/suspicious in syslog/journald
>>> from the same time?
>>
>> "journalctl -u sssd" says
>
> It is not helpful either.
> We asked to find *ANYTHING* interesting/suspicious in syslog/journald
> So it needn't be related to sssd.

Understood. Below is the complete journalctl and syslog from reboot till sssd being marked as failed by systemd. The only problems I see in between are the authentication failures and "user unknown" error messages. The log files on the ipa servers don't show any signs of a problem either (esp. krb5kdc.log, the slapd log files, and kernel.log of the ipa1 server).

> It can be related to swapping, out of entropy, disk needs to spin up,
> high load, DNS not responding, whatever
>
> But it's your task to find out what triggers the problem.
> We do not have access to the problematic machines.

Does it really matter *why* this host is slow or why ipa1 didn't answer? My point is that sssd should be sufficiently stable to start up even when it is slow "somehow" and when the first ipa server it tried appears to be unreachable. Looking at the log files I have the impression that ipa2 works as expected, and yet sssd on the client went Guru for some reason it didn't write into the log file.

> So try to find a reason which triggers the problem and provide
> a reasonable reproducer.

I'd love to give you more information, but this is a production system. Rebooting the host to find some way to reproduce the problem is painful for a lot of people.

Since the client runs Jessie I will try to backport Timo's freeipa 4.3.1 packages for Debian/Ubuntu. sssd is already up-to-date. ipa1 and ipa2 are running CentOS 7 and freeipa 4.2; hopefully that's OK. And I am setting up additional servers ipa3 and ipa4 to improve availability.
Regards
Harri

-- Logs begin at Sat 2016-05-07 01:00:34 CEST, end at Fri 2016-05-13 20:14:51 CEST. --
May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Runtime journal is using 8.0M (max allowed 3.1G, trying to leave 4.0G free of 31.4G available → current limit 3.1G).
May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Runtime journal is using 8.0M (max allowed 3.1G, trying to leave 4.0G free of 31.4G available → current limit 3.1G).
May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Journal started
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted Debug File System.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted Huge Pages File System.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted POSIX Message Queue File System.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Remount Root and Kernel File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Various fixups to make systemd work better on Debian.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Load/Save Random Seed...
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Local File Systems (Pre).
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Reached target Local File Systems (Pre).
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Local File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Reached target Local File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Remote File Systems.
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Trigger Flushing of Journal to Persistent Storage.
May 12 06:02:06 srvvm01.ac.example.com systemd-journal[24]: Permanent journal is using 2.4G (max allowed 2.0G, trying to leave 4.0G free of 2.1T available → current limit 2.4G).
May 12 06:02:14 srvvm01.ac.example.com systemd-journal[24]: Time spent on flushing to /var is 8.301385s for 16 entries.
May 12 06:01:59 srvvm01.ac.example.com logger[65]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv:
May 12 06:01:59 srvvm01.ac.example.com logger[66]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail:
May 12 06:02:15 srvvm01.ac.example.com logger[94]: /etc/network/if-up.d/sendmail (dynamic) update_interface: lo up
May 12 06:02:15 srvvm01.ac.example.com logger[95]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: lo up
May 12 06:02:15 srvvm01.ac.example.com logger[132]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv:
May 12 06:02:15 srvvm01.ac.example.com logger[133]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail:
May 12 06:02:15 srvvm01.ac.example.com logger[145]: /etc/network/if-up.d/sendmail (dynamic) update_interface: eth0 up
May 12 06:02:15 srvvm01.ac.example.com logger[146]: /etc/network/if-up.d/sendmail (dynamic) update_provider: eth0 up ac.example.com.
May 12 06:02:15 srvvm01.ac.example.com logger[147]: /etc/network/if-up.d/sendmail (dynamic) update_host: eth0 up
Re: [Freeipa-users] otp question to limit brute force vector for web applications
Hi,

On 13.05.2016 16:12, Petr Spacek wrote:
> On 13.5.2016 15:25, Thomas Heil wrote:
>> Hi,
>>
>> I would like to reduce the vector of brute force attacks in my web
>> application written in php. Users can login via password and otp which
>> are hosted on freeipa.
>>
>> To achieve this I would like to check the otp first, so no password auth
>> is done on the freeipa server and no user can be locked out.
>>
>> If the otp is correct, the user is now allowed to login via password+otp.
>>
>> Unfortunately, there is no api method that can check only the otp for a
>> user with an identity.
>>
>> Would it be possible to expose such a new method?
>
> This would open a new attack vector so it is a bad idea.
>
> An attacker must not be able to distinguish the case where the password OR the OTP is
> correct/wrong. If you allow this, the attacker will be able to crack the OTP first
> and then continue with the password, so you are making it easier.

Okay, you are right with that. Sorry.

My intention is to avoid being vulnerable to brute force attacks. I have a trust with an Active Directory and want to avoid the user on the AD side being locked if the otp is wrong. Is this possible?

> Do not do that :-)

Indeed, I will not do that.

cheers
thomas
Re: [Freeipa-users] ipa user-add, two entries in the ldap
On 13.5.2016 16:10, bahan w wrote:
> Please ignore the character "-" in .
>
> On Fri, May 13, 2016 at 4:09 PM, bahan w wrote:
>
>> Hello !
>>
>> I recently performed an ipa user-add for a new user and when I check in
>> the ldap, I can see two entries for it:
>> - One in uid=,cn=users,cn=compat,dc=
>> - One in uid=,cn=users,cn=accounts,dc=
>>
>> Is it normal?
>> I know that my user is the one defined in the tree
>> cn=users,cn=accounts,dc=.
>>
>> What exactly is the entry in cn=users,cn=compat,dc= please?

This is an auto-generated entry which is used for old clients. See
http://www.freeipa.org/page/HowTo/LDAP#Unix_clients
and man ipa-compat-manage

-- 
Petr^2 Spacek
Re: [Freeipa-users] otp question to limit brute force vector for web applications
On 13.5.2016 15:25, Thomas Heil wrote:
> Hi,
>
> I would like to reduce the vector of brute force attacks in my web
> application written in php. Users can login via password and otp which
> are hosted on freeipa.
>
> To achieve this I would like to check the otp first, so no password auth
> is done on the freeipa server and no user can be locked out.
>
> If the otp is correct, the user is now allowed to login via password+otp.
>
> Unfortunately, there is no api method that can check only the otp for a
> user with an identity.
>
> Would it be possible to expose such a new method?

This would open a new attack vector so it is a bad idea.

An attacker must not be able to distinguish the case where the password OR the OTP is correct/wrong. If you allow this, the attacker will be able to crack the OTP first and then continue with the password, so you are making it easier.

Do not do that :-)

-- 
Petr^2 Spacek
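The oracle Petr describes, as an added example (not code from the thread, from FreeIPA or from the PHP application in question): a toy login service with constructed accounts and TOTP per RFC 6238. `login_split` is the rejected design that checks the OTP first and reports which factor failed; `crack_otp_with_oracle` shows what an attacker does with that answer; `login_combined` evaluates both factors unconditionally and returns one verdict. The account store, PBKDF2 parameters, secrets and timestamps are mine, not anything from the thread.

```python
"""Why "check the OTP first" is a brute-force oracle (added example, see lead-in)."""
import hashlib
import hmac
import secrets
import struct

STEP = 30                 # TOTP time step in seconds
PBKDF2_ROUNDS = 50_000


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, digits: int) -> str:
    return hotp(secret, at // STEP, digits)


def make_user(password: str, seed: bytes, digits: int = 6) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus TOTP seed."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "seed": seed, "digits": digits}


def password_ok(user: dict, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, user["pw_hash"])


def valid_codes(user: dict, at: int) -> set:
    # Current step plus one step either side, to tolerate clock skew.
    return {totp(user["seed"], at + d * STEP, user["digits"]) for d in (-1, 0, 1)}


def otp_ok(user: dict, code: str, at: int) -> bool:
    return any(hmac.compare_digest(v, code) for v in valid_codes(user, at))


def login_split(user: dict, password: str, code: str, at: int) -> str:
    """The design the thread rejects: the answer says WHICH factor failed."""
    if not otp_ok(user, code, at):
        return "bad_otp"
    if not password_ok(user, password):
        return "bad_password"
    return "ok"


def login_combined(user: dict, password: str, code: str, at: int) -> bool:
    """The design Petr asks for: both factors evaluated, one yes/no comes back."""
    p = password_ok(user, password)   # no early return, so the failure mode is not observable
    o = otp_ok(user, code, at)
    return bool(p & o)


def a_wrong_code(user: dict, at: int) -> str:
    """Smallest code the server would reject right now (used by the demos below)."""
    d = user["digits"]
    return next(f"{i:0{d}d}" for i in range(10 ** d) if f"{i:0{d}d}" not in valid_codes(user, at))


def oracle_leaks(user: dict, at: int) -> bool:
    """True if an outsider can tell 'right OTP, wrong password' from 'wrong OTP'."""
    real = totp(user["seed"], at, user["digits"])
    return (login_split(user, "definitely-wrong", real, at)
            != login_split(user, "definitely-wrong", a_wrong_code(user, at), at))


def crack_otp_with_oracle(user: dict, at: int) -> tuple:
    """Attacker against login_split: isolate the OTP with a junk password.
    At most 10**digits guesses, whatever the size of the password space."""
    d = user["digits"]
    for guess in range(10 ** d):
        code = f"{guess:0{d}d}"
        if login_split(user, "definitely-wrong", code, at) != "bad_otp":
            return code, guess + 1   # OTP isolated; the password can now be attacked alone
    raise RuntimeError("no code accepted in this window")


if __name__ == "__main__":
    user = make_user("correct horse", b"12345678901234567890", digits=4)   # 4 digits keeps the demo short
    now = 1_463_148_000                                                   # constructed timestamp
    print("split design leaks:", oracle_leaks(user, now))
    print("OTP recovered via oracle:", crack_otp_with_oracle(user, now))
    print("combined design, right OTP wrong password:", login_combined(user, "x", totp(user["seed"], now, 4), now))
```

With `login_combined` the attacker gets one bit per attempt for the whole credential, so the OTP cannot be peeled off first; the lockout counter (on IPA or, through the trust, on AD) is then charged against the combined attempt, which is exactly why the thread's "check the OTP alone to avoid lockouts" idea cannot be made safe.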
Re: [Freeipa-users] ipa user-add, two entries in the ldap
Please ignore the character "-" in .

On Fri, May 13, 2016 at 4:09 PM, bahan w wrote:
> Hello !
>
> I recently performed an ipa user-add for a new user and when I check in
> the ldap, I can see two entries for it:
> - One in uid=,cn=users,cn=compat,dc=
> - One in uid=,cn=users,cn=accounts,dc=
>
> Is it normal?
> I know that my user is the one defined in the tree
> cn=users,cn=accounts,dc=.
>
> What exactly is the entry in cn=users,cn=compat,dc= please?
>
> BR.
>
> Bahan
[Freeipa-users] ipa user-add, two entries in the ldap
Hello !

I recently performed an ipa user-add for a new user and when I check in the ldap, I can see two entries for it:
- One in uid=,cn=users,cn=compat,dc=
- One in uid=,cn=users,cn=accounts,dc=

Is it normal?
I know that my user is the one defined in the tree cn=users,cn=accounts,dc=.

What exactly is the entry in cn=users,cn=compat,dc= please?

BR.

Bahan
[Freeipa-users] otp question to limit brute force vector for web applications
Hi,

I would like to reduce the vector of brute force attacks in my web application written in php. Users can login via password and otp which are hosted on freeipa.

To achieve this I would like to check the otp first, so no password auth is done on the freeipa server and no user can be locked out.

If the otp is correct, the user is now allowed to login via password+otp.

Unfortunately, there is no api method that can check only the otp for a user with an identity.

Would it be possible to expose such a new method?

kind regards
--
Thomas
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> .. if possible, would you know?
> hi everybody,
> I'm trying, and hoping it is possible, to realm join an AD but in such a
> way that I tap my IPA into a specific OU within that AD.

I'm not exactly sure what you mean here. Do you want to join a computer which is already a client in an IPA domain to AD as well? If this is the case I would recommend considering the IPA trust feature. Joining 2 domains is in general possible with SSSD but has to be done with very great care, e.g. by using different keytabs for each domain.

> The thing is - I'm thinking it would make user access control ideal
> from the start as I need only users from that OU, but also because I'm
> only granted access to the user/group who has control over that OU.
> I'm trying that but I see:
>
> ! The computer account RIDER already exists, but is not in the desired
> organizational unit.
> adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> already exists,

Computer account names in AD must be unique even if they are added to different OUs. So if there is already a computer called RIDER joined to AD and it is not your computer you have to rename your computer to join. If it is your computer and you want to create it in a different OU you have to delete the old computer object first and then do a fresh join.

HTH

bye,
Sumit

> ! Failed to join the domain
>
> I'm doing this:
> $ realm join ccc.bb.aa --user=private-user --computer-ou=private
>
> and the computer is in OU=private of ccc.bb.aa
> so is the user private-user
>
> many thanks.
Re: [Freeipa-users] ipa -v ping lies about the cert database
On (12/05/16 16:16), Harald Dunkel wrote:
>On 04/26/16 17:29, Timo Aaltonen wrote:
>>
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>>
>
>Since 24beta is out without fixing
>
> https://fedorahosted.org/freeipa/ticket/5639
>

You might see in the ticket that the planned milestone is "Future Releases", which isn't any particular release (4.4.x ...). It basically means that patches are welcome. That's how it works in the open source world.

LS
Re: [Freeipa-users] sssd went away, failed to restart
On (12/05/16 15:35), Harald Dunkel wrote:
>On 05/12/16 13:48, Lukas Slebodnik wrote:
>> It would be nice if you could provide a reliable reproducer.
>> I'm sorry, we do not have a crystal ball and the sssd log files
>> did not help either. They are truncated.
>>
>
>That's all I got.
>

and that's the reason why we cannot help more :-(

>> I would like to fix it but I do not know what to fix.
>>
>> Is there anything interesting/suspicious in syslog/journald
>> from the same time?
>>
>
>"journalctl -u sssd" says
>

It is not helpful either.
We asked to find *ANYTHING* interesting/suspicious in syslog/journald, so it needn't be related to sssd.

It can be related to swapping, out of entropy, disk needs to spin up, high load, DNS not responding, whatever.

But it's your task to find out what triggers the problem. We do not have access to the problematic machines.

So try to find a reason which triggers the problem and provide a reasonable reproducer.

LS
Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil
On 13.5.2016 14:07, Günther J. Niederwimmer wrote:
> Hello Petr,
>
> thank you for the answer
>
> On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote:
>> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
>>> Cannot open destination file, will not make backup.
>>> No keys in the READY state matched your parameters, please check the
>>> parameters
>>
>> This is correct. The configured TTL did not expire yet so the key is not
>> "ready". See the column "Date of next transition". You will be able to
>> activate the key when this time passes.
>>
>> For detailed info please see
>> https://wiki.opendnssec.org/display/DOCS/Key+States
>>
>> If you are going to use DNSSEC please make sure to use the very latest FreeIPA
>> 4.3.1 or newer. We fixed a lot of bugs in the last release.
>
> My system is CentOS 7.2, can I find the newer FreeIPA rpm in any repository
> for this System?

You might either try https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ or wait for CentOS 7.3.

Petr^2 Spacek

> This is my private Server and I hope this is running correctly?
>
>> Petr^2 Spacek
>>
>>> when I say
>>>
>>> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
>>> SQLite database set to: /var/opendnssec/kasp.db
>>> Keys:
>>> Zone:        Keytype: State:  Date of next transition (to): Size: Algorithm: CKA_ID:                          Repository: Keytag:
>>> examle.com   KSK      publish 2016-05-14 00:16:00 (ready)   3072  8          6145b3b71c448dfc1130d0f9d2caac79 SoftHSM     40447
>>> example.com  ZSK      active  2016-08-11 10:16:00 (retire)  2048  8          d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM     60630
>>>
>>> The DS Records are published in the ".com" Domain
>>>
>>> dig +rrcomments example.com DS
>>> ;; ANSWER SECTION:
>>> example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
>>> example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
>>>
>>> Is this the correct status or do I have to change anything?
>>>
>>> Do I have to change the KSK status from publish to active or is this correct?
>>>
>>> Thanks for an answer
>
>

-- 
Petr^2 Spacek
Re: [Freeipa-users] Looking for documentation for Python API
On Fri, 13 May 2016, Petr Vobornik wrote:
> On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
>> On Thu, 12 May 2016, Jan Cholasta wrote:
>>> On 11.5.2016 10:52, Martin Kosek wrote:
>>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>>> since IPA4.2 the web UI contains an API browser (IPA Server/API Browser)
>>>>>>
>>>>>> So for example for caacl-add:
>>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description")
>>>>>>
>>>>>> you can try commands in "ipa console", it contains an initialized API, just call api.Command.()
>>>>>>
>>>>>> API.txt provides the same information as the API browser, but the browser looks better :)
>>>>>>
>>>>>> Feel free to ask anything; if you identified gaps in docs which are hard to understand for a non-IPA developer feel free to report it, or feel free to create a howTo on the freeipa.org page.
>>>>>
>>>>> Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here:
>>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>>
>>>>> Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way.
>>>>
>>>> The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may have had some other (hacky) way to pass user+password there too.
>>>
>>> I don't think we support anything but Kerberos on the client side in our Python API.
>>> It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you?
>>
>> It should be relatively easy to update IPA cli code to accept a jar with a cookie and use that if the Kerberos ccache is missing or empty.
>
> I implemented it a year ago, but the patch was not merged:
> https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html

I can revive it. I think it brings sufficient value to get merged.

-- 
/ Alexander Bokovoy
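For the case Joshua asks about (a host with no Kerberos ticket and no IPA client), the session path the thread points to, written out as an added example; it is not FreeIPA project code and not the patch Petr mentions. It uses only the standard library, logs in with a user name and password through the same `/ipa/session/login_password` endpoint the web UI uses, keeps the session cookie, and then sends JSON-RPC calls to `/ipa/session/json` framed the way `ipa console` frames them (`params` = positional args, options dict with `version`). The server name, credentials, group name and the API version string are placeholders; `ipalib`'s own `api.Command.*`, as Martin Basti shows it, still needs a Kerberos ccache.

```python
"""Password-authenticated FreeIPA JSON-RPC client (added example, see lead-in)."""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2.156"   # assumption: set to what your server reports (api.env.api_version in `ipa console`)


def build_request(method, args=(), call_id=0, version=API_VERSION, **options):
    """FreeIPA JSON-RPC framing: "params" is [positional args, options dict],
    and the options carry the API version the client was written against."""
    opts = dict(options, version=version)
    return {"method": method, "params": [list(args), opts], "id": call_id}


def parse_response(body):
    """Return the "result" object, or raise with the server's error name and code."""
    payload = json.loads(body)
    if payload.get("error"):
        err = payload["error"]
        raise RuntimeError(f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    return payload["result"]


class IpaSession:
    def __init__(self, server):
        self.base = f"https://{server}/ipa"
        self.jar = http.cookiejar.CookieJar()   # receives the ipa_session cookie at login
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))
        self.call_id = 0

    def login(self, user, password):
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base}/session/login_password", data=data,
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "text/plain",
                     "Referer": self.base})      # IPA refuses requests without a Referer
        try:
            self.opener.open(req).close()
        except urllib.error.HTTPError as e:      # a 401 names the reason in a header
            reason = e.headers.get("X-IPA-Rejection-Reason", e.reason)
            raise RuntimeError(f"login failed: {reason}") from e

    def call(self, method, args=(), **options):
        body = json.dumps(build_request(method, args, self.call_id, **options)).encode()
        self.call_id += 1
        req = urllib.request.Request(
            f"{self.base}/session/json", data=body,
            headers={"Content-Type": "application/json",
                     "Accept": "application/json",
                     "Referer": self.base})
        with self.opener.open(req) as resp:
            return parse_response(resp.read().decode())


if __name__ == "__main__":
    ipa = IpaSession("ipa.example.com")                       # placeholder host
    ipa.login("admin", "Secret123")                           # placeholder credentials
    print(ipa.call("user_add", ["jdoe"], givenname="John", sn="Doe"))
    print(ipa.call("group_add_member", ["editors"], user=["jdoe"]))
```

The session cookie is the only credential after login, so treat the cookie jar like the password it stands for: keep it in memory, never log it, and let it expire with the process.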
Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil
Hello Petr,

thank you for the answer

On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote:
> On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> > Cannot open destination file, will not make backup.
> > No keys in the READY state matched your parameters, please check the
> > parameters
>
> This is correct. The configured TTL did not expire yet so the key is not
> "ready". See the column "Date of next transition". You will be able to
> activate the key when this time passes.
>
> For detailed info please see
> https://wiki.opendnssec.org/display/DOCS/Key+States
>
> If you are going to use DNSSEC please make sure to use the very latest FreeIPA
> 4.3.1 or newer. We fixed a lot of bugs in the last release.

My system is CentOS 7.2, can I find the newer FreeIPA rpm in any repository for this System?

This is my private Server and I hope this is running correctly?

> Petr^2 Spacek
>
> > when I say
> >
> > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
> > SQLite database set to: /var/opendnssec/kasp.db
> > Keys:
> > Zone:        Keytype: State:  Date of next transition (to): Size: Algorithm: CKA_ID:                          Repository: Keytag:
> > examle.com   KSK      publish 2016-05-14 00:16:00 (ready)   3072  8          6145b3b71c448dfc1130d0f9d2caac79 SoftHSM     40447
> > example.com  ZSK      active  2016-08-11 10:16:00 (retire)  2048  8          d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM     60630
> >
> > The DS Records are published in the ".com" Domain
> >
> > dig +rrcomments example.com DS
> > ;; ANSWER SECTION:
> > example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> > example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
> >
> > Is this the correct status or do I have to change anything?
> >
> > Do I have to change the KSK status from publish to active or is this correct?
> >
> > Thanks for an answer

-- 
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] DNSSEC active (?) ods-ksmutil
On 13.5.2016 13:14, Günther J. Niederwimmer wrote:
> Hello,
> I have activated my domain with DNSSEC now but I think I have a problem setting
> it ACTIVE?
>
> I installed and tested it from
> https://www.freeipa.org/page/Howto/DNSSEC
>
> but my output from
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
> is
>
> Cannot open destination file, will not make backup.
> No keys in the READY state matched your parameters, please check the
> parameters

This is correct. The configured TTL did not expire yet so the key is not "ready". See the column "Date of next transition". You will be able to activate the key when this time passes.

For detailed info please see https://wiki.opendnssec.org/display/DOCS/Key+States

If you are going to use DNSSEC please make sure to use the very latest FreeIPA 4.3.1 or newer. We fixed a lot of bugs in the last release.

Petr^2 Spacek

> when I say
>
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:        Keytype: State:  Date of next transition (to): Size: Algorithm: CKA_ID:                          Repository: Keytag:
> examle.com   KSK      publish 2016-05-14 00:16:00 (ready)   3072  8          6145b3b71c448dfc1130d0f9d2caac79 SoftHSM     40447
> example.com  ZSK      active  2016-08-11 10:16:00 (retire)  2048  8          d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM     60630
>
> The DS Records are published in the ".com" Domain
>
> dig +rrcomments example.com DS
> ;; ANSWER SECTION:
> example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
> example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
>
> Is this the correct status or do I have to change anything?
>
> Do I have to change the KSK status from publish to active or is this correct?
>
> Thanks for an answer
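The check Petr describes, as an added example (not code from the thread, from FreeIPA or from OpenDNSSEC): read the `ods-ksmutil key list --verbose` table and the DS answer from dig, then say for each KSK whether `ds-seen` can be run yet (only a key already in the READY state is accepted; before "Date of next transition" the enforcer has not moved it there) and whether the DS records in the parent really name that KSK. Both inputs below are constructed from the output posted above, with the zone name normalised to example.com; ods-ksmutil prints local time, so the `now_local` argument uses the same format.

```python
"""DNSSEC KSK rollover sanity check against ods-ksmutil and dig output (added example)."""
import re
from datetime import datetime

KEY_LIST = """\
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype: State:  Date of next transition (to): Size: Algorithm: CKA_ID:                          Repository: Keytag:
example.com  KSK      publish 2016-05-14 00:16:00 (ready)   3072  8          6145b3b71c448dfc1130d0f9d2caac79 SoftHSM     40447
example.com  ZSK      active  2016-08-11 10:16:00 (retire)  2048  8          d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM     60630
"""

DIG_DS = """\
;; ANSWER SECTION:
example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734
"""

KEY_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\((?P<to>\w+)\)\s+"
    r"(?P<size>\d+)\s+(?P<alg>\d+)\s+(?P<cka_id>[0-9a-f]+)\s+(?P<repo>\S+)\s+(?P<tag>\d+)$")
DS_ROW = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f]+)$")
TS = "%Y-%m-%d %H:%M:%S"


def parse_key_list(text):
    """Rows of the verbose key table; header and 'Keys:' lines do not match KEY_ROW."""
    keys = []
    for m in map(KEY_ROW.match, text.splitlines()):
        if m:
            k = m.groupdict()
            for f in ("size", "alg", "tag"):
                k[f] = int(k[f])
            keys.append(k)
    return keys


def parse_ds(text):
    return [dict(m.groupdict(), tag=int(m["tag"]), alg=int(m["alg"]), dtype=int(m["dtype"]))
            for m in map(DS_ROW.match, text.splitlines()) if m]


def ds_seen_advice(key, now_local):
    """'run-ds-seen' when the KSK is READY; 'wait' until the transition time;
    'recheck' once it has passed (re-run key list, the enforcer should have moved it)."""
    if key["type"] != "KSK":
        return "n/a"
    if key["state"] == "ready":
        return "run-ds-seen"
    if key["to"] == "ready":
        due = datetime.strptime(key["when"], TS)
        now = datetime.strptime(now_local, TS)
        return "wait" if now < due else "recheck"
    return f"state {key['state']}: nothing to do"


def ds_seen_command(key, softhsm_conf="/etc/ipa/dnssec/softhsm2.conf"):
    """The exact command from the thread, filled in from the parsed row."""
    return (f"sudo -u ods SOFTHSM2_CONF={softhsm_conf} ods-ksmutil key ds-seen "
            f"--zone {key['zone']} --keytag {key['tag']}")


def check_parent_ds(keys, ds_records):
    """Every DS in the parent must name a KSK we hold (same tag and algorithm);
    a KSK with no DS at all is reported as missing."""
    ksks = {k["tag"]: k for k in keys if k["type"] == "KSK"}
    matched, stale = set(), []
    for ds in ds_records:
        k = ksks.get(ds["tag"])
        if k is None or k["alg"] != ds["alg"]:
            stale.append(ds["tag"])       # parent points at a key we do not have (or wrong algorithm)
        else:
            matched.add(ds["tag"])
    missing = sorted(t for t in ksks if t not in matched)
    return {"matched": sorted(matched), "stale": stale, "missing_ds": missing}


if __name__ == "__main__":
    keys = parse_key_list(KEY_LIST)
    for k in keys:
        print(k["type"], k["tag"], k["state"], "->", ds_seen_advice(k, "2016-05-13 13:14:00"))
    print(check_parent_ds(keys, parse_ds(DIG_DS)))
    print(ds_seen_command(keys[0]))
```

With the posted data the script answers "wait" for KSK 40447 until 2016-05-14 00:16 local time and confirms both DS records (SHA-1 and SHA-256 digests) point at that KSK with algorithm 8, which is why `ds-seen` is the right next step and changing the state by hand is not.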
[Freeipa-users] DNSSEC active (?) ods-ksmutil
Hello,

I have activated my domain with DNSSEC now but I think I have a problem setting it ACTIVE?

I installed and tested it from https://www.freeipa.org/page/Howto/DNSSEC

but my output from
sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447
is

Cannot open destination file, will not make backup.
No keys in the READY state matched your parameters, please check the parameters

when I say

sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype: State:  Date of next transition (to): Size: Algorithm: CKA_ID:                          Repository: Keytag:
examle.com   KSK      publish 2016-05-14 00:16:00 (ready)   3072  8          6145b3b71c448dfc1130d0f9d2caac79 SoftHSM     40447
example.com  ZSK      active  2016-08-11 10:16:00 (retire)  2048  8          d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM     60630

The DS Records are published in the ".com" Domain

dig +rrcomments example.com DS
;; ANSWER SECTION:
example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913
example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734

Is this the correct status or do I have to change anything?

Do I have to change the KSK status from publish to active or is this correct?

Thanks for an answer

-- 
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] Looking for documentation for Python API
On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
> On Thu, 12 May 2016, Jan Cholasta wrote:
>> On 11.5.2016 10:52, Martin Kosek wrote:
>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>> since IPA4.2 the web UI contains an API browser (IPA Server/API Browser)
>>>>>
>>>>> So for example for caacl-add:
>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>> description")
>>>>>
>>>>> you can try commands in "ipa console", it contains an initialized API,
>>>>> just call api.Command.()
>>>>>
>>>>> API.txt provides the same information as the API browser, but the browser
>>>>> looks better :)
>>>>>
>>>>> Feel free to ask anything; if you identified gaps in docs which are
>>>>> hard to understand for a non-IPA developer feel free to report it, or feel
>>>>> free to create a howTo on the freeipa.org page.
>>>>
>>>> Thanks for the pointers. I'm looking at automating some user and group
>>>> additions, group editing, etc. Am I right in assuming that anything that
>>>> uses the api.Command. will require a kinit before it is run, even if it is
>>>> via the Python API? If I want to use a user/pass from the script itself
>>>> (and not have a shell script which does kinit, then fires off my Python
>>>> script) would I be better off hitting the web API with sessions and
>>>> JSON-RPC as detailed here:
>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>
>>>> Put another way, since I want to hit the API from a system that might not
>>>> have sssd installed, nor has joined the realm, I assume it would be
>>>> *impossible* to use api.Command. as it relies on a Kerberos ticket?
>>>> To put it yet another way: is there a way to hand a user/pass to the
>>>> Python API and authenticate that way.
>>>
>>> The API itself can be hit with user/password, as noted in Alexander's
>>> blog. If you want to use the actual Python API, Kerberos may be the only way.
>>> But I think Jan or Petr may have had some other (hacky) way to pass
>>> user+password there too.
>>
>> I don't think we support anything but Kerberos on the client side in
>> our Python API. It might be possible to somehow emulate what the web
>> UI does, but I haven't personally ever attempted to do that. Petr,
>> have you?
> It should be relatively easy to update IPA cli code to accept a jar with
> a cookie and use that if the Kerberos ccache is missing or empty.

I implemented it a year ago, but the patch was not merged:
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html

-- 
Petr Vobornik
Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
Thanks Alexander. I wasn't looking to get anything developed, just curious if it would work, or even if there was something I could try on my end, like a change to a directory setting, to see if it would even work. Understood that there's more in the connection between the ipaclient and the DC than just LDAP.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

On Fri, May 13, 2016 at 5:46 AM, Alexander Bokovoy wrote:
> On Wed, 11 May 2016, Marc Boorshtein wrote:
>> I've got a potential use case where I want to authenticate users using their AD credentials, store accounts and permissions in FreeIPA but not have a cross forest trust. One way to do this is to have SSSD talk LDAP to a virtual directory which would route the bind to AD but all other operations to the 389 backing IPA. Kerberos wouldn't work, but if you're interested in password or ssh key based auth it should work, right? Then you'd still get the HBAC benefits?
>
> There is more than just look up in LDAP when talking to AD DCs. Trust ensures we have enough correctly set security descriptors on the objects we use to represent our identity to access AD DCs. If that part is missing, you get all kinds of problems.
>
> Replacing trust by something that is effectively attempting to simulate trust but not being a trust scenario is, of course, possible. However, I don't see this as something we'd like to put any reasonable time to develop because it is a corner case with disproportional amount of development time investment. You may disagree and that's fine, but this doesn't change the fact that somebody needs to invest time into it.
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Looking for documentation for Python API
On Thu, 12 May 2016, Jan Cholasta wrote:
> On 11.5.2016 10:52, Martin Kosek wrote:
>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>
>>>> So for example for caacl-add:
>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description")
>>>>
>>>> you can try commands in "ipa console" it contains initialized API, just call api.Command.()
>>>>
>>>> API.txt provides the same information as API browser, but browser looks better :)
>>>>
>>>> Feel free to ask anything, if you identified gaps in docs which are hard to understand for non-IPA developer feel free report it, or feel free to create howTo in freeipa.org page.
>>>
>>> Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>
>>> Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way.
>>
>> The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may have had some other (hacky) way to pass user+password there too.
>
> I don't think we support anything but Kerberos on the client side in our Python API. It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you?

It should be relatively easy to update IPA cli code to accept a jar with a cookie and use that if Kerberos ccache is missing or empty.

-- 
/ Alexander Bokovoy
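The two messages above (Petr's and Alexander's) discuss scripting FreeIPA without a Kerberos ticket by using the password-authenticated session the web UI uses, as in the vda.li post Joshua links. The following is an added example, not code from the thread or from the FreeIPA project: it logs in with a user/password, keeps the session cookie in a cookie jar, and issues JSON-RPC calls. The endpoint paths (`/ipa/session/login_password`, `/ipa/session/json`) are the ones the web UI uses; the server name, credentials, user attributes and API version string are placeholders, and the CA path assumes the client has the IPA CA certificate at `/etc/ipa/ca.crt`.

```python
# Added example (not FreeIPA project code): password-session access to the FreeIPA
# JSON-RPC API for hosts without a Kerberos ccache.  Server name, credentials and
# API version are placeholders; the endpoint paths are those used by the web UI.
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request

IPA_SERVER = "ipa.example.test"   # placeholder, not a real host
API_VERSION = "2.156"             # placeholder; use the version your server reports


def build_rpc_request(method: str, args=(), options=None, req_id: int = 0) -> dict:
    """FreeIPA JSON-RPC envelope: params is [positional args, keyword options]."""
    opts = dict(options or {})
    opts.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args), opts], "id": req_id}


def rpc_error(response: dict):
    """Return the error object from a JSON-RPC reply, or None when the call succeeded."""
    return response.get("error")


class IpaSession:
    """Password login followed by JSON-RPC calls, with the session cookie kept in a jar."""

    def __init__(self, server: str, cafile: str = "/etc/ipa/ca.crt"):
        self.base = "https://%s/ipa" % server
        self.jar = http.cookiejar.CookieJar()
        # Trust only the IPA CA; never disable verification, the session cookie is a credential.
        ctx = ssl.create_default_context(cafile=cafile)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar),
            urllib.request.HTTPSHandler(context=ctx),
        )

    def login(self, user: str, password: str) -> None:
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            self.base + "/session/login_password",
            data=data,
            headers={
                "Referer": self.base,  # the server rejects requests without a Referer
                "Content-Type": "application/x-www-form-urlencoded",
                "Accept": "text/plain",
            },
        )
        with self.opener.open(req) as resp:   # raises urllib.error.HTTPError on a 401
            resp.read()

    def call(self, method: str, args=(), options=None) -> dict:
        body = json.dumps(build_rpc_request(method, args, options)).encode()
        req = urllib.request.Request(
            self.base + "/session/json",
            data=body,
            headers={
                "Referer": self.base,
                "Content-Type": "application/json",
                "Accept": "application/json",
            },
        )
        with self.opener.open(req) as resp:
            return json.load(resp)


if __name__ == "__main__":
    s = IpaSession(IPA_SERVER)
    s.login("automation", "placeholder-password")   # placeholder credentials
    reply = s.call("user_add", ["jdoe"], {"givenname": "John", "sn": "Doe"})
    if rpc_error(reply):
        print("user_add failed:", reply["error"]["message"])
    else:
        print(json.dumps(reply["result"], indent=2))
```

The account used for such automation should be a dedicated, least-privileged user with an RBAC role limited to the operations the script performs, and the password should come from a secret store rather than the script body.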
Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
On Wed, 11 May 2016, Marc Boorshtein wrote:
> I've got a potential use case where I want to authenticate users using their AD credentials, store accounts and permissions in FreeIPA but not have a cross forest trust. One way to do this is to have SSSD talk LDAP to a virtual directory which would route the bind to AD but all other operations to the 389 backing IPA. Kerberos wouldn't work, but if you're interested in password or ssh key based auth it should work, right? Then you'd still get the HBAC benefits?

There is more than just look up in LDAP when talking to AD DCs. Trust ensures we have enough correctly set security descriptors on the objects we use to represent our identity to access AD DCs. If that part is missing, you get all kinds of problems.

Replacing trust by something that is effectively attempting to simulate trust but not being a trust scenario is, of course, possible. However, I don't see this as something we'd like to put any reasonable time to develop because it is a corner case with disproportional amount of development time investment. You may disagree and that's fine, but this doesn't change the fact that somebody needs to invest time into it.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install
On 11.05.2016 17:14, Zak Wolfinger wrote:
> I’m trying to set up FreeIPA as a replica. I’ve followed the instructions in section 4 here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
>
> The replica install appears to be successful, but when I try to do ‘ipactl start’ I get this:
>
> IPA is not configured (see man pages of ipa-server-install for help)
>
> I’ve looked through the man pages but I’m not seeing what needs to be done.

4.3 on ubuntu supports only domain level 1 replicas, so you need to have 4.3 server installed first and then install a client and promote it to a replica.

-- 
t
Re: [Freeipa-users] DNSSEC NSEC3 Parameter
On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> Hello,
> I have the problem of finding the correct way for NSEC3PARAM?
>
> With your help I have found this
>
> ipa dnszone-mod example.com. --nsec3param-rec "
> "
>
> But it does not work correctly?
>
> Now the question, is this the correct way
>
> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>
> to insert the NSEC3PARAMETER??

This should be right, there were related fixes by https://fedorahosted.org/freeipa/ticket/4413

Your second command works in my test environment:

# ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
# dig -t nsec3param example.com. +short
1 7 100 F9BA6264232B7283

Martin
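The NSEC3PARAM value in the exchange above, "1 7 100 f9ba6264232b7283", is hash algorithm, flags, iteration count and salt (RFC 5155 section 4). The following is an added example, not code from the thread or from FreeIPA: it parses such a record, range-checks the fields, and computes the NSEC3 owner-name hash those parameters imply (RFC 5155 section 5, base32hex without padding), which is how a validator maps a queried name onto the zone's NSEC3 chain. The names hashed at the bottom are constructed samples.

```python
# Added example (not from the list thread or FreeIPA): parse an NSEC3PARAM record and
# compute the NSEC3 hash of an owner name with those parameters (RFC 5155 section 5).
import base64
import hashlib

NSEC3_HASH_ALGS = {1: "sha1"}  # RFC 5155 defines only SHA-1 (algorithm 1)
_B32_STD_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(text: str) -> dict:
    """Split 'alg flags iterations salt' into typed fields; '-' means an empty salt."""
    alg, flags, iterations, salt = text.split()
    alg, flags, iterations = int(alg), int(flags), int(iterations)
    if alg not in NSEC3_HASH_ALGS:
        raise ValueError("unknown NSEC3 hash algorithm %d" % alg)
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations must fit in 16 bits")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    if len(salt_bytes) > 255:
        raise ValueError("salt longer than 255 octets")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt_bytes}


def is_valid_nsec3param(text: str) -> bool:
    """Convenience wrapper: True if parse_nsec3param accepts the record."""
    try:
        parse_nsec3param(text)
        return True
    except ValueError:
        return False


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 'extended hex' base32 as used in NSEC3 owner names, no padding, lowercase."""
    return base64.b32encode(data).decode().translate(_B32_STD_TO_HEX).rstrip("=").lower()


def nsec3_hash(name: str, params: dict) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    algo = NSEC3_HASH_ALGS[params["alg"]]
    digest = name_to_wire(name)
    for _ in range(params["iterations"] + 1):
        digest = hashlib.new(algo, digest + params["salt"]).digest()
    return base32hex(digest)


if __name__ == "__main__":
    p = parse_nsec3param("1 7 100 f9ba6264232b7283")
    # Constructed sample names; the hash is the first label of the NSEC3 owner name.
    for n in ("www.example.com.", "mail.example.com."):
        print("%s -> %s.example.com." % (n, nsec3_hash(n, p)))
```

The hash of a name is the same whatever case the query used, which is why the wire form is lowercased first; a validator recomputes it with the zone's published NSEC3PARAM and looks for the NSEC3 record that covers it.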