[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:39:46PM +0200, Günther J. Niederwimmer via 
FreeIPA-users wrote:
> Hello,
> 
> after the mistake with Startcom CA (Class 3), now I look for a new 
> Certificate..
> 
> Is it possible and functional to install a Letsencrypt CA on an IPA-Server?
> 
> I have found a script on "github" to install a Letsencrypt CA for FreeIPA 
> (fedora), but can anyone tell me if this is working with CentOS 7.(3).
> 
> Thanks for an answer,
> 
Hi,

Let's Encrypt is a trusted public CA; you can only acquire leaf
certificates for TLS servers from Let's Encrypt.  You cannot acquire
a CA certificate from Let's Encrypt.

The script you found must be for acquiring service certificates from
Let's Encrypt, for IPA-enrolled hosts/services.  I do not know if it
works with CentOS 7, but if it works with FreeIPA 4.x on Fedora, it
will probably work with ipa-4.x on CentOS 7.

Thanks,
Fraser
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Illegal cross-realm ticket

2017-05-25 Thread Jake via FreeIPA-users
Hey Guys, 

Centos7.3 
FreeIPA 4.4.0 


I'm having a strange issue with cross-realm tickets that I'm having a hard time 
troubleshooting. It looks similar to an issue posted back in 2014 
(https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html), but 
this routes file seems to exist. 

My Setup. 

example.org = legacy (all users exist here) (transitive trust with example.com) 
example.com = forest root (transitive trust with example.com) 
ipa.example.com = ipa domain (one-way trust with example.com & example.org) 
with route filters. 
ad.example.com = domain in forest for servers/users 

If I get a kerberos ticket on a non-ipa joined client with kinit as a user @ 
legacy, I can use kerberos to authenticate. 

If I log into an ipa-joined server on ipa.example.com as a user @ legacy and 
attempt to use kerberos auth to another server, I received this error: 

debug3: authmethod_lookup gssapi-keyex 
debug3: remaining preferred: gssapi-with-mic,keyboard-interactive 
debug3: authmethod_is_enabled gssapi-keyex 
debug1: Next authentication method: gssapi-keyex 
debug1: No valid Key exchange context 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup gssapi-with-mic 
debug3: remaining preferred: keyboard-interactive 
debug3: authmethod_is_enabled gssapi-with-mic 
debug1: Next authentication method: gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Delegating credentials 
debug1: Delegating credentials 
debug1: Unspecified GSS failure. Minor code may provide more information 
Illegal cross-realm ticket 


Any help would be appreciated, I checked capaths and it looks correct. 

cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com 
[domain_realm] 
.EXAMPLE.COM = EXAMPLE.COM 
EXAMPLE.COM = EXAMPLE.COM 
.AD.EXAMPLE.COM = AD.EXAMPLE.COM 
AD.EXAMPLE.COM = AD.EXAMPLE.COM 
.EXAMPLE.ORG = EXAMPLE.ORG 
EXAMPLE.ORG = EXAMPLE.ORG 
[capaths] 
EXAMPLE.COM = { 
IPA.EXAMPLE.COM = EXAMPLE.COM 
} 
AD.EXAMPLE.COM = { 
IPA.EXAMPLE.COM = EXAMPLE.COM 
} 
EXAMPLE.ORG = { 
IPA.EXAMPLE.COM = EXAMPLE.ORG 
} 
IPA.EXAMPLE.COM = { 
EXAMPLE.COM = EXAMPLE.COM 
AD.EXAMPLE.COM = EXAMPLE.COM 
EXAMPLE.ORG = EXAMPLE.ORG 
} 

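
Added by the editor, not part of Jake's post: a small Go model of the check that produces "Illegal cross-realm ticket". An application server accepting a cross-realm ticket compares the realms recorded in the ticket's transited field against the [capaths] path from the client's realm to its own (MIT krb5 does this in krb5_rd_req via krb5_check_transited_list, falling back to the hierarchical walk when [capaths] has no entry for the pair). The code parses the capaths stanza quoted above and evaluates two constructed cases; the transited field is modelled as an already-decoded list of realm names rather than the domain-X500-compress encoding, and the case of a legacy user whose ticket was routed through EXAMPLE.COM is the editor's hypothetical, not something Jake reported.

```go
package main

import (
	"fmt"
	"strings"
)

// ThreadCapaths is the [capaths] stanza from the post above, used as input.
const ThreadCapaths = `
EXAMPLE.COM = {
IPA.EXAMPLE.COM = EXAMPLE.COM
}
AD.EXAMPLE.COM = {
IPA.EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.ORG = {
IPA.EXAMPLE.COM = EXAMPLE.ORG
}
IPA.EXAMPLE.COM = {
EXAMPLE.COM = EXAMPLE.COM
AD.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.ORG = EXAMPLE.ORG
}
`

type Capaths map[string]map[string][]string // client realm -> server realm -> hops

// ParseCapaths reads krb5.conf [capaths] syntax; repeated "SERVER = HOP" lines add hops.
func ParseCapaths(text string) Capaths {
	cp, client := Capaths{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "#", 2)[0])
		switch {
		case strings.HasSuffix(line, "{"):
			client = strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(strings.TrimSuffix(line, "{")), "="))
			cp[client] = map[string][]string{}
		case line == "}":
			client = ""
		case client != "" && strings.Contains(line, "="):
			kv := strings.SplitN(line, "=", 2)
			cp[client][strings.TrimSpace(kv[0])] = append(cp[client][strings.TrimSpace(kv[0])], strings.TrimSpace(kv[1]))
		}
	}
	return cp
}

// HierarchicalPath is MIT krb5's default when [capaths] has no entry: walk up from the
// client realm to the longest common suffix, then down to the server realm.
func HierarchicalPath(client, server string) ([]string, error) {
	c, s := strings.Split(client, "."), strings.Split(server, ".")
	n := 0 // number of shared trailing labels
	for n < len(c) && n < len(s) && c[len(c)-1-n] == s[len(s)-1-n] {
		n++
	}
	if n == 0 {
		return nil, fmt.Errorf("%s and %s share no suffix; configure [capaths] explicitly", client, server)
	}
	var hops []string
	for i := 1; i < len(c)-n; i++ { // up from the client realm
		hops = append(hops, strings.Join(c[i:], "."))
	}
	if n < len(c) && n < len(s) { // the common suffix realm, unless it is an endpoint
		hops = append(hops, strings.Join(c[len(c)-n:], "."))
	}
	for i := len(s) - n - 1; i >= 1; i-- { // down to the server realm
		hops = append(hops, strings.Join(s[i:], "."))
	}
	return hops, nil
}

// AllowedHops returns the intermediate realms a ticket from client to server may record.
func AllowedHops(cp Capaths, client, server string) ([]string, error) {
	if hops, ok := cp[client][server]; ok {
		return hops, nil // may contain ".", krb5's marker for a direct trust
	}
	return HierarchicalPath(client, server)
}

// CheckTransited is the accepting server's decision: every realm in the ticket's
// transited field must lie on the permitted path, or the ticket is rejected.
func CheckTransited(cp Capaths, client, server string, transited []string) error {
	allowed, err := AllowedHops(cp, client, server)
	if err != nil {
		return err
	}
	permitted := map[string]bool{}
	for _, r := range allowed {
		permitted[r] = true
	}
	for _, r := range transited {
		if !permitted[r] {
			return fmt.Errorf("Illegal cross-realm ticket: %s is not on the permitted path %v from %s to %s", r, allowed, client, server)
		}
	}
	return nil
}

func main() {
	cp := ParseCapaths(ThreadCapaths)
	fmt.Println(CheckTransited(cp, "AD.EXAMPLE.COM", "IPA.EXAMPLE.COM", []string{"EXAMPLE.COM"})) // forest user via the root: accepted
	fmt.Println(CheckTransited(cp, "EXAMPLE.ORG", "IPA.EXAMPLE.COM", []string{"EXAMPLE.COM"}))    // hypothetical legacy user routed via the root: rejected
}
```

Run it against the capaths of the host that rejects the ticket (sshd's krb5.conf, including the sssd-generated include above), with the client realm taken from the user's principal and the server realm from the host principal; if the realm named in the error is missing from the printed path, that is the entry to add.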


[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Rob Crittenden via FreeIPA-users
Jason Sherrill via FreeIPA-users wrote:
> Opened in incognito, same error: "An error occurred: an invalid token
> was found." 

It's hard to say, it works for me though.

I'll ping the FAS maintainer and see what I can find out.

rob

> 
> On Thu, May 25, 2017 at 12:12 PM, Martin Bašti wrote:
> 
> Could you try to clean cookies or incognito mode?
> 
> 
> On 25.05.2017 16:08, Jason Sherrill via FreeIPA-users wrote:
>> I successfully logged-in, but encountered some issues. While using
>> Chrome on http://www.freeipa.org/page/Special:OpenIDLogin, clicking the
>> /Fedora /button and then the /Login/create account with
>> OpenID/ button initially loaded a completely empty page and, after
>> reloading, displayed an error.  I successfully logged in via
>> Firefox after a few attempts, but across Chrome, Firefox and
>> Safari I now load this: 
>>
>>
>>   OpenID error
>>
>> An error occurred: an invalid token was found.
>>
>>
>>
>> Authenticating on the Fedora site (https://admin.fedoraproject.org) is working without issue. Thanks!
>>
>>
>> - Jason
>>
>>
>> On Thu, May 25, 2017 at 6:43 AM, Martin Bašti wrote:
>>
>> Hello,
>>
>> could you please log in to wiki page, we can add permissions
>> after initial login.
>>
>> Martin
>>
>>
>> On 24.05.2017 16:39, Jason Sherrill via FreeIPA-users wrote:
>>> I would like to post the procedure that I used for
>>> configuring OS X 10.12 for use with IPA. My fedora account is
>>> jr_sherr...@yahoo.com, may it
>>> be added to the editors group for the IPA's wiki? Thank you!
>>>
>>> -- 
>>>
>>> *Jason Sherrill*
>>> Deeplocal Inc. 
>>> mobile: 412-636-2073 
>>> office: 412-362-0201 
>>>
>>>
>>
>> -- 
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>>
>>
>>
>> -- 
>>
>> *Jason Sherrill*
>> Deeplocal Inc. 
>> mobile: 412-636-2073 
>> office: 412-362-0201 
>>
>>
> 
> -- 
> Martin Bašti
> Software Engineer
> Red Hat Czech
> 
> 
> 
> 
> -- 
> 
> *Jason Sherrill*
> Deeplocal Inc. 
> mobile: 412-636-2073 
> office: 412-362-0201 
> 
> 
> 


[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Rob Foehl via FreeIPA-users

On Thu, 25 May 2017, Fraser Tweedale wrote:

> This is not correct.  The CA cert must be valid for the leaf cert to
> be valid, but the CA cert *can* be renewed without requiring leaf
> certificates to be reissued.  So long as the following conditions
> are met, everything will be fine:
> 
> 1. The CA's key (and Subject Key Identifier) do not change
> 2. The CA's Subject DN does not change
> 3. The new CA certificate gets distributed to clients.

Huh?  The CA cert's validity wasn't in question -- it was still valid, and 
was used to issue a slew of new certificates, all of which expire in two 
weeks, at expiration of the original CA cert.  It has since been renewed, 
but that doesn't change the state of any of the leaf certs issued in the 
interim.  Also not sure what the list of conditions has to do with 
anything, when it's up to "ipa-cacert-manage renew" to get those right.


-Rob


[Freeipa-users] Re: Setting up IPA server on an already domain joined machine

2017-05-25 Thread Simo Sorce via FreeIPA-users
On Mon, 2017-05-22 at 10:17 +, doug.ke...@wipro.com wrote:
> Hi,
> 
> 
> I'm wondering if anyone else has done something similar to us, and if so am 
> wondering how you went about it or if it is indeed at all possible.
> 
> 
> Our situation is:
> 
> 
>   *   We have a few VMs which are domain joined to "internal.local" which is 
> an Active Directory domain that we have no control over or administrative 
> access
>   *   We would like to install IPA on these VMs (replicated, with named for 
> DNS) with a separate domain called "dev.zone"
>   *   Authentication to the VM itself via SSH should be carried out against 
> "internal.local" still – we will point our own services that we are going to 
> install like GitLab directly at the IPA server
>   *   "dev.zone" will be setup as a conditional forwarder on the Active 
> Directory domain pointing at the IPA-installed named-pkcs11 service to do 
> resolution for this domain
> 
> 
> My initial findings are that IPA installs fine but it changes some things in 
> /etc/krb5.conf like:
> 
> 
>   *   Adding in "dev.zone" realm
>   *   Modifies the "default_realm" to be "dev.zone"
>   *   Leaves the "[realm]" definition for "internal.local" but empties it of 
> the "kdc" and "admin_server" definitions
>   *   Removes the kerberos tickets for "internal.local" that were in "net ads 
> keytab list"
> 
> 
> This ultimately results in IPA working fine but authentication to the server 
> via SSH no longer works as it's looking to "dev.zone" now.
> 
> 
> Is it possible to achieve what we're wanting to do? Can these two things 
> co-exist peacefully?

Doug,
it may be possible with custom scripts, but it will probably not be a
very stable solution as upgrades may change things in unexpected ways.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc



[Freeipa-users] Re: krbLastSuccessfulAuth

2017-05-25 Thread Simo Sorce via FreeIPA-users
On Tue, 2017-05-23 at 13:07 -0400, Chris Apsey via FreeIPA-users wrote:
> All,
> 
> We use freeIPA as the LDAP backend for OpenStack Keystone, GitLab, and a 
> few other things.  We have been looking for a way to keep track of the 
> last time a user logged on, and the obvious answer seems to be the 
> krbLastSuccessfulAuth attribute.  The problem is that this value for all 
> users is N/A:
> 
> ---
> Account disabled: False
> ---
>Server: {{srv}}
>Failed logins: 0
>Last successful authentication: N/A
>Last failed authentication: N/A
>Time now: 2017-05-23T16:47:49Z
> 
> Number of entries returned 1
> 
> 
> I checked to make sure that the ipaConfigString doesn't contain 
> KDC:Disable Last Success.  Does krbLastSuccessfulAuth only get updated 
> when using kerberized logins?  If so, is there a way to track the last 
> time a user successfully authenticated via pure LDAP (besides parsing 
> logs)?

As the name krbLastSuccessfulAuth implies we update this only on a
successful kerberos login (and I think we do not replicate it by
default, as it would cause a lot of replication overhead).

I think atm parsing logs is the only way, it may be nice to have an RFE
open to track the need to have a consolidated log/queue where we can
emit messages when someone (un)successfully logs in.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

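
Simo's "parsing logs" answer, worked through as an added Go example that is not part of the thread: a scanner over a 389-ds access log that pairs each BIND with its RESULT on (conn, op) and keeps the last successful and last failed authentication per DN, which is what krbLastSuccessfulAuth would have recorded had the bind been a Kerberos login. The log excerpt is constructed for the example (a simple bind, a failed simple bind with err=49, and a two-step GSSAPI bind whose err=14 intermediate result is skipped and whose identity only appears on the final RESULT line); the field layout follows the 389-ds access log format, but compare it with your own server's output before relying on the regular expressions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed 389-ds access log excerpt (not from the thread): a simple bind,
// a failed simple bind (err=49) and a two-step SASL/GSSAPI bind reported on its final RESULT.
const SampleLog = `[23/May/2017:16:40:01 +0000] conn=7 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/May/2017:16:40:01 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[23/May/2017:16:41:30 +0000] conn=8 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/May/2017:16:41:30 +0000] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[23/May/2017:16:45:12 +0000] conn=9 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2017:16:45:12 +0000] conn=9 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/May/2017:16:45:12 +0000] conn=9 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2017:16:45:12 +0000] conn=9 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com"
[23/May/2017:16:47:49 +0000] conn=10 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/May/2017:16:47:49 +0000] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0
`

const tsLayout = "02/Jan/2006:15:04:05 -0700" // time.Parse also accepts a fractional second here

var (
	lineRE = regexp.MustCompile(`^\[([^\]]+)\] conn=(\d+) op=(\d+) (BIND|RESULT) (.*)$`)
	dnRE   = regexp.MustCompile(`dn="([^"]*)"`)
	errRE  = regexp.MustCompile(`\berr=(\d+)`)
)

// AuthRecord is the LDAP-bind equivalent of krbLastSuccessfulAuth / krbLastFailedAuth.
type AuthRecord struct {
	LastSuccess time.Time
	LastFailure time.Time
	Failures    int
}

// ScanAccessLog pairs each BIND with its RESULT on (conn, op) and records, per bind DN,
// the latest successful and failed authentication.
func ScanAccessLog(r io.Reader) (map[string]*AuthRecord, error) {
	pending := map[string]string{} // "conn:op" -> DN named in the BIND request
	out := map[string]*AuthRecord{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		key, rest := m[2]+":"+m[3], m[5]
		if m[4] == "BIND" {
			if d := dnRE.FindStringSubmatch(rest); d != nil {
				pending[key] = d[1]
			}
			continue
		}
		dn, ok := pending[key] // a RESULT for an op we saw as a BIND
		if !ok {
			continue
		}
		delete(pending, key)
		e := errRE.FindStringSubmatch(rest)
		if d := dnRE.FindStringSubmatch(rest); d != nil && d[1] != "" {
			dn = d[1] // SASL binds: the authenticated identity is on the RESULT line
		}
		if e == nil || dn == "" || e[1] == "14" { // anonymous, or saslBindInProgress: no outcome yet
			continue
		}
		ts, err := time.Parse(tsLayout, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", m[1], err)
		}
		rec := out[dn]
		if rec == nil {
			rec = &AuthRecord{}
			out[dn] = rec
		}
		if e[1] == "0" {
			if ts.After(rec.LastSuccess) {
				rec.LastSuccess = ts
			}
		} else {
			rec.Failures++
			if ts.After(rec.LastFailure) {
				rec.LastFailure = ts
			}
		}
	}
	return out, sc.Err()
}

func fmtTime(t time.Time) string {
	if t.IsZero() {
		return "N/A" // the placeholder ipa user-status prints
	}
	return t.UTC().Format(time.RFC3339)
}

func main() {
	recs, err := ScanAccessLog(strings.NewReader(SampleLog))
	if err != nil {
		panic(err)
	}
	var dns []string
	for dn := range recs {
		dns = append(dns, dn)
	}
	sort.Strings(dns)
	for _, dn := range dns {
		fmt.Printf("%s\n  last success: %s\n  last failure: %s (%d failed)\n", dn, fmtTime(recs[dn].LastSuccess), fmtTime(recs[dn].LastFailure), recs[dn].Failures)
	}
}
```

Feed it /var/log/dirsrv/slapd-INSTANCE/access (rotated files too) instead of SampleLog; because each replica keeps its own access log, the results from every server have to be merged before they answer "when did this user last log in".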


[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Jason Sherrill via FreeIPA-users
I successfully logged-in, but encountered some issues. While using Chrome
on http://www.freeipa.org/page/Special:OpenIDLogin, clicking the
*Fedora *button
and then the *Login/create account with OpenID* button initially loaded a
completely empty page and, after reloading, displayed an error.  I
successfully logged in via Firefox after a few attempts, but across Chrome,
Firefox and Safari I now load this:

OpenID error

An error occurred: an invalid token was found.



Authenticating on the Fedora site (https://admin.fedoraproject.org) is
working without issue. Thanks!


- Jason

On Thu, May 25, 2017 at 6:43 AM, Martin Bašti wrote:

> Hello,
>
> could you please log in to wiki page, we can add permissions after initial
> login.
>
> Martin
>
> On 24.05.2017 16:39, Jason Sherrill via FreeIPA-users wrote:
>
> I would like to post the procedure that I used for configuring OS X 10.12
> for use with IPA. My fedora account is jr_sherr...@yahoo.com, may it be
> added to the editors group for the IPA's wiki? Thank you!
>
> --
>
> *Jason Sherrill*
> Deeplocal Inc. 
> mobile: 412-636-2073
> office: 412-362-0201
>
>
>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>


-- 

*Jason Sherrill*
Deeplocal Inc. 
mobile: 412-636-2073
office: 412-362-0201


[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread Bitskrieg via FreeIPA-users

Günther,

The script from github works fine 
(https://github.com/freeipa/freeipa-letsencrypt).  We use it in production 
on CentOS 7.  Keep in mind the script will only configure the 
certificate for the web UI, and not LDAP/S.  You will need a separate 
process for that.


Chris


On May 25, 2017 7:40:25 AM "Günther J. Niederwimmer via FreeIPA-users" wrote:

> Hello,
> 
> after the mistake with Startcom CA (Class 3), now I look for a new
> Certificate..
> 
> Is it possible and functional to install a Letsencrypt CA on an IPA-Server?
> 
> I have found a script on "github" to install a Letsencrypt CA for FreeIPA
> (fedora), but can anyone tell me if this is working with CentOS 7.(3).
> 
> Thanks for an answer,
> 
> --
> mit freundlichen Grüssen / best regards
> 
>   Günther J. Niederwimmer




[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread John Keates via FreeIPA-users
Hi,

Instead of using the Let's Encrypt thing on the IPA server itself, I often just 
use it on a reverse proxy. This way the end-users see the verified CA and 
FreeIPA can keep doing its business.
I tried to use ACME on the IPA server in the past, but it wasn’t very well 
integrated and caused problems. Since only web-facing elements benefit from 
external CA signed certificates (for users that access it but don’t have the CA 
on their machine), it doesn’t actually need to be integrated with the rest of 
IPA.

John

> On 25 May 2017, at 13:39, Günther J. Niederwimmer via FreeIPA-users wrote:
> 
> Hello,
> 
> after the mistake with Startcom CA (Class 3), now I look for a new 
> Certificate..
> 
> Is it possible and functional to install a Letsencrypt CA on an IPA-Server?
> 
> I have found a script on "github" to install a Letsencrypt CA for FreeIPA 
> (fedora), but can anyone tell me if this is working with CentOS 7.(3).
> 
> Thanks for an answer,
> 
> -- 
> mit freundlichen Grüssen / best regards
> 
>  Günther J. Niederwimmer


[Freeipa-users] CentOS 7 Letsencrypt CA

2017-05-25 Thread Günther J. Niederwimmer via FreeIPA-users
Hello,

after the mistake with Startcom CA (Class 3), now I look for a new 
Certificate..

Is it possible and functional to install a Letsencrypt CA on an IPA-Server?

I have found a script on "github" to install a Letsencrypt CA for FreeIPA 
(fedora), but can anyone tell me if this is working with CentOS 7.(3).

Thanks for an answer,

-- 
mit freundlichen Grüssen / best regards

  Günther J. Niederwimmer


[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Martin Bašti via FreeIPA-users

Hello,

could you please log in to wiki page, we can add permissions after 
initial login.


Martin


On 24.05.2017 16:39, Jason Sherrill via FreeIPA-users wrote:
> I would like to post the procedure that I used for configuring OS X 
> 10.12 for use with IPA. My fedora account is jr_sherr...@yahoo.com, 
> may it be added to the editors group for the IPA's wiki? Thank you!
> 
> 
> --
> 
> *Jason Sherrill*
> Deeplocal Inc. 
> mobile: 412-636-2073 
> office: 412-362-0201 


--
Martin Bašti
Software Engineer
Red Hat Czech



[Freeipa-users] Re: Certificate renewals with external CA

2017-05-25 Thread Fraser Tweedale via FreeIPA-users
On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote:
> I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed
> with --external-ca, and the resulting CSR signed with a validity period of
> 30 days to test behavior around expirations.
> 
> Upon booting that instance today, certmonger decided to preemptively renew
> every IPA cert -- which is a good thing -- but did so without waiting for
> renewal of the IPA CA cert first, which is less good.  Now that instance has
> a pile of certs that expire in two weeks, since they were signed with and
> thus tied to the expiration of the old IPA CA cert.
> 
This is not correct.  The CA cert must be valid for the leaf cert to
be valid, but the CA cert *can* be renewed without requiring leaf
certificates to be reissued.  So long as the following conditions
are met, everything will be fine:

1. The CA's key (and Subject Key Identifier) do not change
2. The CA's Subject DN does not change
3. The new CA certificate gets distributed to clients.

Cheers,
Fraser

> While I'm guessing certmonger will figure this out and do the right thing
> within a couple weeks -- and with the expectation that this would only
> happen once per IPA CA renewal with a "real" deployment -- is this the
> intended behavior?
> 
> Logs are a bit of a mess between this and a potentially-resolved SELinux
> issue with certmonger, but I'll wedge them all into a proper bug report if
> desired.
> 
> -Rob
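
Fraser's three conditions, worked through as an added Go example (editor's code using only the standard library; not FreeIPA, Dogtag or certmonger code): issue a 30-day CA certificate, a two-year leaf signed by it, then "renew" the CA with the same key and Subject DN and show that the old leaf verifies against the renewed CA certificate once that certificate is what the client trusts, while a CA certificate re-issued under a new key does not. Subject names, the hostname and the lifetimes are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// NewKey generates a P-256 key; the key type is arbitrary for the example.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// subjectKeyID is derived from the public key alone, so a CA certificate renewed
// with the same key keeps the same SKI (condition 1).
func subjectKeyID(pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha1.Sum(der)
	return sum[:]
}

func randomSerial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return n
}

// IssueCA self-signs a CA certificate. Calling it again with the same key and
// subject but a new validity window is what a CA renewal amounts to.
func IssueCA(key *ecdsa.PrivateKey, subject string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: subject}, // condition 2: same Subject DN on renewal
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          subjectKeyID(&key.PublicKey),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueLeaf signs a TLS server certificate for host with the CA key. Its lifetime
// may outlast the CA certificate, which is the situation described in the thread.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	leafKey := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// CreateCertificate copies ca.SubjectKeyId into the leaf's AuthorityKeyId.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Chains verifies leaf for host at time at against a trust store holding only root:
// condition 3, the client must actually have the CA certificate that is in use.
func Chains(leaf, root *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	t0 := time.Now()
	caKey := NewKey()
	oldCA := must(IssueCA(caKey, "Example IPA CA", t0, 30*day)) // short-lived, like the test deployment
	leaf := must(IssueLeaf(oldCA, caKey, "ipa.example.com", t0, 2*365*day))
	later := t0.Add(45 * day) // the original CA certificate has expired by now
	newCA := must(IssueCA(caKey, "Example IPA CA", t0.Add(20*day), 2*365*day))     // renewed: same key, same subject
	rekeyed := must(IssueCA(NewKey(), "Example IPA CA", t0.Add(20*day), 2*365*day)) // same subject, new key
	fmt.Println("expired CA cert: ", Chains(leaf, oldCA, "ipa.example.com", later))
	fmt.Println("renewed CA cert: ", Chains(leaf, newCA, "ipa.example.com", later))
	fmt.Println("re-keyed CA cert:", Chains(leaf, rekeyed, "ipa.example.com", later))
}
```

The leaf never changes between the three checks; only the root in the trust store does. That is the practical reading of the thread: leaf certificates signed while the old CA certificate was current stay usable after the CA certificate is renewed in place, and the work is in getting the renewed CA certificate onto every client, not in re-issuing leaves.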