Re: [Freeipa-users] Installing on Ubuntu 16.04
Don't worry about this during the install from the repository. I also got that installing on Ubuntu recently. Running ipa-server-install later will set up the missing data and pki-tomcat will start fine. At the point apt is trying to start the service it can't start cleanly. The package configure probably shouldn't be attempting to start it.

On Mon, 1 May 2017, 04:20 Robert L. Harris wrote:

> Gave up on freeipa and Ubuntu 17.10. Re-installed with 16.04 and some base packages which does include freeipa-client. When I do an apt-get install on freeipa-server it runs along happily until I find this:
>
> ...
> Setting up pki-server (10.2.6+git20160317-1) ...
> Job for pki-tomcatd.service failed because the control process exited with error code. See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
> invoke-rc.d: initscript pki-tomcatd, action "start" failed.
> * pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
>    Loaded: loaded (/etc/init.d/pki-tomcatd; bad; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Sun 2017-04-30 20:38:29 MDT; 3ms ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 9645 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=5)
>
> Apr 30 20:38:29 ipa systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
> Apr 30 20:38:29 ipa pki-tomcatd[9645]: ERROR: No 'tomcat' instances installed!
> ... because no CA instance has been configured yet.
> pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
> pki-tomcatd.target is a disabled or a static unit, not starting it.
> Setting up pki-ca (10.2.6+git20160317-1) ...
> ...
>
> I have been googling but can't find a relevant fix that resolves this. Any ideas?
>
> Robert

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
Yesterday, Chrome on both my Ubuntu and Windows machines updated to version 58.0.3029.81. It appears that this version of Chrome will not trust certificates based on Common Name. Looking at the Chrome documentation and borne out by one of the messages, from Chrome 58, the subjectAltName is required to identify the DNS name of the host that the certificate is issued for.

I would be grateful if someone could point me in the direction of how to recreate my SSL certificates so that the subjectAltName is populated.

Thanks in advance
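The rule the post describes, as an added example that is not part of the thread: Chrome 58 matches the requested host only against subjectAltName entries and no longer falls back to the Common Name. The checker takes certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, so it can be run over certificates collected from live hosts; the two certificates below are constructed for the demonstration.

```python
"""Chrome 58 hostname check: subjectAltName only, Common Name ignored.

Added example, not code from the mailing-list thread. Input certificates use
the dict shape returned by ssl.SSLSocket.getpeercert(); the samples at the
bottom are constructed, not captured from a real FreeIPA server.
"""
import ipaddress


def common_name(cert):
    """Pull commonName out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    # '*' must be the entire first label and leave at least two labels behind it
    if head != "*" or "." not in tail:
        return False
    first, sep, rest = hostname.partition(".")
    return bool(first) and sep == "." and rest == tail


def chrome58_accepts(cert, hostname):
    """Return (accepted, reason); the CN is reported only to explain a failure."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "no subjectAltName (CN %r is no longer consulted)" % common_name(cert)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in sans:
        if wanted_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True, "matched iPAddress %s" % value
            except ValueError:
                continue  # malformed SAN entry: ignore rather than crash
        elif wanted_ip is None and kind == "DNS" and dns_name_matches(value, hostname):
            return True, "matched dNSName %s" % value
    return False, "%s not covered by subjectAltName %r" % (hostname, sans)


# Constructed samples: a CN-only certificate like the ones the poster's browsers
# started rejecting, and one carrying the SAN entries Chrome 58 requires.
CN_ONLY = {"subject": ((("commonName", "ipa.example.test"),),)}
WITH_SAN = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "ipa.example.test"), ("DNS", "*.apps.example.test"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert in (CN_ONLY, WITH_SAN):
        for host in ("ipa.example.test", "web.apps.example.test", "192.0.2.10"):
            print(host, chrome58_accepts(cert, host))
```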
Re: [Freeipa-users] FreeIPA and DHCP
Well, that's true, but I do do it indirectly. I assign fixed addresses for servers by MAC address and host name in DHCP and manage the IP address of that host through FreeIPA DNS. If you tell DHCP that a particular MAC address is a particular host name, when that host requests a DHCP allocated address, the DHCP server does a DNS lookup on the host name and gives the machine a lease on the address. I have no idea if that is intended behaviour or if it is something that isn't a good idea for some reason; I discovered that it worked by accident! It has simplified my small setup, however, as DNS and therefore FreeIPA control the fixed IP addresses of the servers. I do have to remember to set up each fixed address's MAC address and host name in the DHCP configuration when I create it, but it makes reconfiguring fixed IP addresses a breeze. It ought to be possible to script synchronisation of the DHCP configuration with the host information in FreeIPA, but I only deal with a handful of machines, so I've never bothered.

On Sun, 18 Oct 2015 23:12 William Brown wrote:

> On Fri, 2015-10-16 at 15:01 +0200, Nicola Canepa wrote:
>> Hello.
>> Is there a suggested way to have DHCP IP/MAC associations managed through the IPA web interface?
>>
>> Thank you for any pointer.
>
> Hi,
>
> There is currently no way to manage DHCP with FreeIPA.
>
> --
> Sincerely,
>
> William Brown
> Software Engineer
> Red Hat, Brisbane
Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA
I do have it working, but I have Atlassian Crowd sitting between FreeIPA and the Google Apps log in.

On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:

> On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
>> On 04/28/2014 08:22 AM, Chris Whittle wrote:
>>> Ha! that was my thread about SAML vs GADS but there ended up not being any info on how to actually use GADS with Free IPA. It dropped after Simo saying he was going to work on getting docs for ipsilon (which from the conversation and I can gather is basically SAML) and I asked for someone who had experience with GADS so I started a new one for simplification.
>>
>> I do not think we have a better answer for you other than what Martin mentioned and SAML IdP Simo is working on.
>
> note that any other SAML IdP that has support for LDAP may work, for example http://picketlink.org/ may work for you if you have experience in setting up jboss based applications and know how to make your way in configuring such software. (I can't help here really).
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Samba 4 with IPA
Hi

I don't know if anyone has tried what I want to do, I really just want to know if it's possible at the moment. A few pointers to any information would be helpful too!

I have an existing FreeIPA server running on a CentOS machine. It is used to authenticate all users on the network. This works very well, but setting up Windows workstations is a bit of a pain. I also want to provide some network storage for the windows machines. To this end, I would like to set up a Samba 4 server as a slave to FreeIPA so that the Windows workstations could join an AD domain controlled by Samba 4, but actually authenticating against FreeIPA. I really want to keep FreeIPA in the driving seat, but would love to be able to make the Windows workstations behave as though they were on a domain.
Re: [Freeipa-users] Samba 4 with IPA
Thanks for all your help. I'll give it a go and see how far I get.

On 30 Apr 2013 19:37, Alexander Bokovoy aboko...@redhat.com wrote:

> On Tue, 30 Apr 2013, simon.williams@thehelpfulcat.com wrote:
>> That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you've said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly.
>
> To be clear, we have not tested this combination so you'll be in uncharted waters. Since TGT for these users would still be issued by FreeIPA KDC, it would include MS-PAC with SIDs of these users in FreeIPA domain -- once you have run ipa-adtrust-install, of course. Thus, smbd on IPA master would be able to recognize them as FreeIPA users regardless where they come from -- IPA or Windows machines, as long as Kerberos is in use. Any reports of how such setup would actually behave are welcomed.
>
>> It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. I don't suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is there?
>
> The only requirements for simplistic setup is to:
> 1. run file server on IPA master (you can make a dedicated replica for that)
> 2. run ipa-adtrust-install on that master to setup Samba configuration and enable KDC + directory server to handle SIDs
> 3. use 'net conf setparm ...' to setup shares, since Samba on IPA master uses registry backend to store smb.conf configuration.
>
> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares for sample how to work with 'net conf setparm'.
>
> For 'valid users' I guess you can use simply user names since these would be our local ones.
>
> Again, this is completely untested right now.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] LDAP authentication for 3rd party
I use Atlassian products, but use Crowd to provide single signon. This means that Crowd is the only application that needs to authenticate against LDAP. I found that I had to tell Crowd that the server was 389 DS. I could not get it to work set to OpenLDAP.

Regards
Simon

On 11 Apr 2013 23:36, Peter Brown rendhal...@gmail.com wrote:

> On 12 April 2013 05:04, John Dennis jden...@redhat.com wrote:
>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>> hi,
>>> I've got a problem with using IPA as authentication source over LDAP. Generally there are two approaches to LDAP authentication:
>>> 1. bind using admin account and read passwords from user objects (but in ipa you cannot read passwords through ldap, right?)
>>> 2. bind to authenticate - service tries to log in to ldap with user's credentials. If login is successful authentication is also successful - this approach does not work because you cannot login to IPA ldap using bare username, you need a full LDAP DN.
>>
>> Most applications I know of that do bind as user to authenticate also permit you to specify a format string into which the user name is inserted (i.e. the format string is the dn, e.g. uid=%u,cn=users,cn=accounts,dc=example,dc=com) -or- they do a search to discover the dn. If your application does not support either approach it's broken IMHO.
>
> I have used this method for Confluence, Jira, Stash, Icinga and Foreman. I will be adding more applications in the future as well. If the application doesn't support Kerberos it's the next best thing in my opinion. I have also used it to get email lists into dovecot and postfix. One caveat I found is you need to tell Atlassian applications that FreeIPA is a plain OpenLDAP server to get it to work. Apart from that it works out of the box as they say.
>
>> Reading passwords and/or password hashes is not supported for security reasons.
>>
>>> Now, I've got a 3rd party application supporting both mentioned above approaches and the question is - how to make it work with ipa?
>>>
>>> thanks in advance,
>>> Bartek.
>>
>> --
>> John Dennis jden...@redhat.com
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
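The two bind-as-user patterns John Dennis describes, as an added example that is not code from the thread: a DN template with the login name substituted in, and search-then-bind. Both escape the user-supplied name (RFC 4514 for DN values, RFC 4515 for filter values) so a login form cannot reshape the DN or the filter; `StubDirectory` is a hypothetical in-memory stand-in for the 389 DS connection, with constructed entries, so the logic runs offline.

```python
"""Template-DN and search-then-bind LDAP authentication against the IPA user tree.

Added example, not code from the thread. StubDirectory is a hypothetical
stand-in for a real LDAP client connection; its entries are constructed.
The escaping functions are what matters: without them the login name is an
LDAP injection point in either approach.
"""

BASE = "cn=users,cn=accounts,dc=example,dc=com"
TEMPLATE = "uid=%u," + BASE   # the format-string style John Dennis mentions


def escape_dn_value(value):
    """RFC 4514: escape characters that would change the DN's structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515: neutralise filter metacharacters in an assertion value."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn_from_template(template, username):
    return template.replace("%u", escape_dn_value(username))


class StubDirectory:
    """Constructed stand-in: DN -> {'uid', 'password'}; answers bind and search."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base, ldap_filter):
        # Understands only the '(uid=<escaped value>)' filters this module builds.
        assert ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")
        wanted = ldap_filter[len("(uid="):-1]
        return [dn for dn, e in self.entries.items()
                if dn.endswith("," + base) and escape_filter_value(e["uid"]) == wanted]


def authenticate_template(directory, username, password, template=TEMPLATE):
    """Approach 1: build the DN from the template; the server checks the password."""
    return directory.bind(bind_dn_from_template(template, username), password)


def authenticate_search_then_bind(directory, username, password, base=BASE):
    """Approach 2: find exactly one entry for the user, then bind as that DN."""
    matches = directory.search(base, "(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:
        return False  # unknown or ambiguous login name: never bind
    return directory.bind(matches[0], password)


# Constructed directory contents; plaintext passwords exist only in this stub.
# A real server verifies the bind password itself and never exposes hashes.
DIRECTORY = StubDirectory({
    "uid=alice," + BASE: {"uid": "alice", "password": "correct horse"},
    "uid=bob," + BASE: {"uid": "bob", "password": "hunter2"},
})
```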
Re: [Freeipa-users] Where has my LDAP server gone!
Thank you, that has solved the issue wonderfully! I do remember the update hanging now you mention it, but I didn't put two and two together!

Regards
Simon

On 7 Apr 2013 21:47, Rob Crittenden rcrit...@redhat.com wrote:

> Simon Williams wrote:
>> Hi
>> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago and it upgraded FreeIPA to version 3. I use a couple of web applications that cannot use Kerberos, but can use LDAP to authenticate. These stopped working. When I investigated the issue, I discovered that the LDAP server wasn't there any more. Google searches have proved fruitless and I can't find any documentation for v3. Can anyone tell me how to get my LDAP server back?
>
> There is a bug in 389-ds that is affecting some IPA upgrades. It causes the upgrade process to hang and breaking out of it leaves the LDAP server not listening to anything (note that if the upgrade outright fails we do restore things).
>
> What you want to do is this:
>
> 1. service dirsrv stop (you MUST do this before editing dse.ldif)
> 2. edit dse.ldif and set
>    nsslapd-port: 389
>    nsslapd-security: on
> 3. service dirsrv start
> 4. as root, ipa-ldap-updater --ldapi
>
> Updated 389-ds packages are being worked on.
>
> rob
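Step 2 of Rob's procedure as a parsed edit rather than a hand edit, added here as an example that is not from the thread: it unfolds LDIF continuation lines, changes `nsslapd-port` and `nsslapd-security` only in the `cn=config` entry, leaves other entries alone and is idempotent. It still only applies between steps 1 and 3 (dirsrv stopped); `SAMPLE_DSE_LDIF` is a constructed fragment, not a real dse.ldif.

```python
"""Set nsslapd-port/nsslapd-security in dse.ldif's cn=config entry.

Added example, not code from the thread. Run only while dirsrv is stopped
(step 1 of Rob's list). SAMPLE_DSE_LDIF is a constructed fragment whose
values stand in for a server that listens on nothing.
"""


def parse_ldif(text):
    """Return entries as lists of (attribute, separator, value); unfolds ' ' continuations."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded continuation of the previous line
        elif raw == "":
            if lines:
                entries.append([_split(l) for l in lines])
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    if lines:
        entries.append([_split(l) for l in lines])
    return entries


def _split(line):
    attr, _, rest = line.partition(":")
    sep = ":"
    if rest[:1] in (":", "<"):             # base64 ('::') or URL (':<') value markers
        sep, rest = ":" + rest[0], rest[1:]
    return attr, sep, rest.strip()


def serialize_ldif(entries):
    return "\n\n".join("\n".join("%s%s %s" % t for t in e) for e in entries) + "\n"


def _dn(entry):
    return next((v.lower() for a, _, v in entry if a.lower() == "dn"), None)


def get_attribute(text, target_dn, attr):
    for entry in parse_ldif(text):
        if _dn(entry) == target_dn.lower():
            return next((v for a, _, v in entry if a.lower() == attr.lower()), None)
    return None


def set_attributes(text, target_dn, updates):
    # Replace single-valued attributes in one entry; other entries are untouched.
    entries = parse_ldif(text)
    wanted = {k.lower() for k in updates}
    for i, entry in enumerate(entries):
        if _dn(entry) != target_dn.lower():
            continue
        kept = [t for t in entry if t[0].lower() not in wanted]
        entries[i] = kept + [(k, ":", v) for k, v in updates.items()]
        return serialize_ldif(entries)
    raise ValueError("entry %r not found" % target_dn)


# Constructed fragment (values chosen for the demonstration, not a real file).
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
nsslapd-port: 0
nsslapd-security: off
nsslapd-errorlog: /var/log/dirsrv/slapd-EXAMPLE-COM/erro
 rs

dn: cn=encryption,cn=config
nsTLS1: on
"""
FIXES = {"nsslapd-port": "389", "nsslapd-security": "on"}
```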
[Freeipa-users] Where has my LDAP server gone!
Hi

I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago and it upgraded FreeIPA to version 3. I use a couple of web applications that cannot use Kerberos, but can use LDAP to authenticate. These stopped working. When I investigated the issue, I discovered that the LDAP server wasn't there any more. Google searches have proved fruitless and I can't find any documentation for v3. Can anyone tell me how to get my LDAP server back?

Regards
Simon
[Freeipa-users] mod_nss issue.
I have found a problem with mod_nss that appears to have been reported in 2010, but I cannot find any further reference to it. The 2010 reference contains a comment saying that it is an issue and needs to be fixed. I have not been able to find any issue tracking system for mod_nss and so haven't been able to check on the status.

The problem is that mod_nss does not appear to respond with the correct certificate when multiple name virtual servers are configured on an instance of Apache. It always responds with the certificate of the first name virtual server defined. It does process the other sites' configurations because it complains if certificates with the aliases used are not in the database.

This would not be an issue (for me) if mod_ssl could be used for virtual servers other than the IPA server, but they cannot co-exist. If you try to mix them, mod_ssl complains that port 443 is being used for the IPA server, but it is not SSL aware. I suppose it would be possible to reconfigure the IPA name virtual server to use mod_ssl by exporting the certificate, but I really don't like to muck around with the directory server configuration more than is necessary as it is vital that it remains stable and secure.

Could anyone enlighten me as to whether this issue is being looked at or even if it is fixed and the CentOS people (CentOS 6.3 standard repositories all packages up to date as of yesterday) just aren't supplying a new enough version of mod_nss. At the moment, I can use my SSL secured sites as the encryption works okay, but I cannot open them up as they report the wrong host name in the certificate.

Regards
Simon Williams
Re: [Freeipa-users] mod_nss issue.
I understand exactly where you are coming from Alexander and in an ideal world the web sites that I want to get at externally would be on a different server. I am not the normal type of FreeIPA user, being a very small business with only a couple of users and half a dozen or so machines and, currently, very limited resources. IPA makes it so easy to administer the network however that I would be loath not to use it! We are developing software and I only have one server that I can dedicate to being a stable host. I have two other machines on the network that are currently always on and both are used for development, both running Fedora, one x64 and one Arm. Neither of these machines could be considered stable. The other machines are a mix of Windows and Fedora laptops, soon to have a Mac added if my partner gets her way.

I currently restrict access to the IPA name virtual server by not having a publicly accessible name for it (and using deny all, allow *local network*, but I don't think that does anything as the incoming packets are routed using NAT, but it costs nothing to have it there!). I realise that this is insecure as a request on port 443 that does not have a host name will be handled by the default and therefore IPA name virtual server. That is something I still have to address, but was intending to make the default name virtual server just redirect to a 404 error page. I had already found, read and tried the guide at the link you sent; that is how I discovered that mod_ssl and mod_nss wouldn't co-exist.

Your comment Rob has started me thinking along different lines than I was. If the mod_ssl/mod_nss incompatibility only exists if the same port and IP address is used, since I specifically don't want the IPA server to be available outside the local network, I could either use a different port for the non-IPA name virtual servers (the gateway could still present 80 and 443 to the outside world since the gateway is redirecting the packets anyway), or a different virtual IP address on the server for the non-IPA sites (only one NIC on the server and no free slots, so couldn't be physically separate). This would kill two birds with one stone (ie. make the IPA instance more secure and solve the certificate problem). It would also make it easier to put the non-IPA web servers on a different machine when I am in a position to do that.

Thank you both for your help. I think that you have prodded me in the right direction for a workaround.

Regards
Simon Williams

On Mon, Oct 8, 2012 at 1:45 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Alexander Bokovoy wrote:
>> On Mon, 08 Oct 2012, Simon Williams wrote:
>>> I have found a problem with mod_nss that appears to have been reported in 2010, but I cannot find any further reference to it. The 2010 reference contains a comment saying that it is an issue and needs to be fixed. I have not been able to find any issue tracking system for mod_nss and so haven't been able to check on the status.
>>>
>>> The problem is that mod_nss does not appear to respond with the correct certificate when multiple name virtual servers are configured on an instance of Apache. It always responds with the certificate of the first name virtual server defined. It does process the other sites' configurations because it complains if certificates with the aliases used are not in the database.
>>>
>>> This would not be an issue (for me) if mod_ssl could be used for virtual servers other than the IPA server, but they cannot co-exist. If you try to mix them, mod_ssl complains that port 443 is being used for the IPA server, but it is not SSL aware. I suppose it would be possible to reconfigure the IPA name virtual server to use mod_ssl by exporting the certificate, but I really don't like to muck around with the directory server configuration more than is necessary as it is vital that it remains stable and secure.
>>>
>>> Could anyone enlighten me as to whether this issue is being looked at or even if it is fixed and the CentOS people (CentOS 6.3 standard repositories all packages up to date as of yesterday) just aren't supplying a new enough version of mod_nss. At the moment, I can use my SSL secured sites as the encryption works okay, but I cannot open them up as they report the wrong host name in the certificate.
>>
>> I assume all this comes because you run these virtual servers on the same instance as FreeIPA master itself, thus conflicting mod_ssl and mod_nss. Here is description how to make name-based SSL virtual hosts working in FreeIPA environment using mod_ssl. This howto assumes you are using a separate server than FreeIPA master to provide actual hosting for the virtual hosts which also makes sense because one would need to apply greater security protection to the KDC which runs on the same FreeIPA host.
>>
>> http://freeipa.org/page/Apache_SNI_With_Kerberos
>>
>> mod_nss doesn't support SNI because NSS
[Freeipa-users] Fwd: Re: Certificates for public facing web sites
Fantastic, I knew about the flag, but thought it only worked on hosts. It works on services too, which solves the problem. Thank you.

-- Forwarded message --
From: Rob Crittenden rcrit...@redhat.com
Date: Oct 1, 2012 3:23 PM
Subject: Re: [Freeipa-users] Certificates for public facing web sites
To: Simon Williams simon.willi...@thehelpfulcat.com
Cc: freeipa-users@redhat.com

Simon Williams wrote:
> Hi
> Possibly a bit of a strange requirement, I don't really know! I have a small business and am using IPA to manage our network. I have migrated from an LDAP setup with a variety of different certificates lying around for different applications and find IPA much easier to administer, despite the fact that it is probably overkill for a couple of users using half a dozen hosts.
>
> I have a few named virtual hosts that provide access to web based systems from outside the local network, but I do not have sufficient control over the external domain's DNS to add a subdomain with its own DNS. I can add A records and CNAME records to point to the virtual hosts, but I cannot add NS records to delegate name resolution to my own DNS. The ISP I use does not allow dynamic DNS updates.
>
> I would like to use FreeIPA to manage the SSL certificates for these virtual hosts using mod_nss and have already implemented this successfully for virtual hosts on the local domain, but since I do not control the public domain, I can't see how to achieve this.
>
> Please forgive me if I am missing something obvious, but I've only been using FreeIPA for two weeks and it is a testament to its ease of use that I have managed to get as far as I have with it in that time unaided!

So the problem is your domain is example.com and is managed by IPA and you want to create certificates for someothercorp.com? You should be able to use the --force flag to create a host and create services/issue certificates from that point.

rob