[Freeipa-users] Re: Certificates for embedded devices and old equipment.

2020-02-19 Thread Fraser Tweedale via FreeIPA-users
Hi Kendrick,

Please give more detail about exactly what you did and what the
errors were.

FWIW the warning below does not seem relevant to your issue.

Thanks,
Fraser

On Thu, Feb 20, 2020 at 02:01:22AM -, Kendrick . via FreeIPA-users wrote:
> I have an older KVM that requires an unencrypted PEM for its
> cert from FreeIPA. I have also tried signing a CSR from an older
> iLO product, and the cert manager started giving a "404 check your
> services" after trying to import it. Any suggestions on how best to
> approach these issues?
 
> I did notice in the logs 
> Feb 19 20:49:40 ipa server[3225]: java.util.TimerThread.run(Timer.java:505)
> Feb 19 20:49:40 ipa server[3225]: WARNING: The web application [ca] appears 
> to have started a thread named [AsyncLoader watchdog] but has failed to stop 
> it. This is very likely to create a memory leak. Stack trace of thread:
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] ipa reverse dns best practices.

2020-02-19 Thread Kendrick . via FreeIPA-users
Should I create a single reverse zone, or should there be zones for each subnet?
10.1.1/24, 10.1.2/24, 10.1.3/26, 10.1.3.192/26, etc.? 10.1.1-50/ is the likely
used IP range, with a few /25-26's.

Thanks
Kendrick


[Freeipa-users] Certificates for embedded devices and old equipment.

2020-02-19 Thread Kendrick . via FreeIPA-users
I have an older KVM that requires an unencrypted PEM for its cert from
FreeIPA. I have also tried signing a CSR from an older iLO product, and the cert
manager started giving a "404 check your services" after trying to import it. Any
suggestions on how best to approach these issues?

I did notice in the logs 
Feb 19 20:49:40 ipa server[3225]: java.util.TimerThread.run(Timer.java:505)
Feb 19 20:49:40 ipa server[3225]: WARNING: The web application [ca] appears to 
have started a thread named [AsyncLoader watchdog] but has failed to stop it. 
This is very likely to create a memory leak. Stack trace of thread:


[Freeipa-users] Re: Reissue IPA LDAP cert with SAN

2020-02-19 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote:
> I am trying to get OpenShift to use my FreeIPA installation
> (ipa-server-4.6.5-11.el7.centos.4.x86_64) as an identity provider.
> OpenShift is refusing to talk to the LDAP server, because its
> certificate doesn't contain a subjectAltName.
> 
> So I need to re-request/re-issue the certificate with the SAN.  Will it
> be sufficient to modify the caIPAserviceCert profile to copy the host-
> name from the CN to the SAN (as discussed in [1]) and then use
> ipa-getcert resubmit?
> 
> Will this break anything?  (I only have a single IPA server/CA.)
> 
> Thanks!
> 
> [1]
> https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html
> 
> 

You don't need to modify any configuration to get a SAN, just resubmit
the certmonger request with -D  and a new cert will be issued.

rob
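As an added example (not from the thread), a pre-flight check that mirrors the strict client behaviour Ian ran into: it classifies an LDAPS certificate by its subjectAltName only and ignores the CN, so a CN-only cert is reported as needing reissue while a cert reissued with `getcert resubmit -D <hostname>` passes. The hostname `ipa.example.test` and the sample cert dicts are constructed; `/etc/ipa/ca.crt` is assumed to be the IPA client's CA bundle.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# an IPA LDAP service cert with the hostname only in the CN, no SAN (the
# situation described in the thread).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ipa.example.test"),),),
}

# The same service after `getcert resubmit -i <id> -D ipa.example.test`.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "ipa.example.test"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: exact, or one leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_san(cert: dict, hostname: str) -> str:
    """Classify a peer cert the way a strict client does: only the SAN counts.
    Returns 'ok', 'no-san' (CN-only cert, needs reissuing) or 'san-mismatch'."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not san:
        return "no-san"
    return "ok" if any(_dns_name_matches(p, hostname) for p in san) else "san-mismatch"


def check_ldaps(host: str, port: int = 636, ca_file: str = "/etc/ipa/ca.crt") -> str:
    """Fetch the live LDAPS cert (chain verified against the IPA CA; the
    built-in hostname check is off so a SAN-less cert can still be inspected
    and the reason reported) and classify it with check_san()."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_san(tls.getpeercert(), host)
```

Run `check_ldaps("ipa.example.test")` against the IPA server before and after the resubmit to confirm the result moves from `no-san` to `ok`.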


[Freeipa-users] Reissue IPA LDAP cert with SAN

2020-02-19 Thread Ian Pilcher via FreeIPA-users

I am trying to get OpenShift to use my FreeIPA installation
(ipa-server-4.6.5-11.el7.centos.4.x86_64) as an identity provider.
OpenShift is refusing to talk to the LDAP server, because its
certificate doesn't contain a subjectAltName.

So I need to re-request/re-issue the certificate with the SAN.  Will it
be sufficient to modify the caIPAserviceCert profile to copy the host-
name from the CN to the SAN (as discussed in [1]) and then use
ipa-getcert resubmit?

Will this break anything?  (I only have a single IPA server/CA.)

Thanks!

[1] 
https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html


--

 In Soviet Russia, Google searches you!



[Freeipa-users] Trust with Azure AD possible in the near future?

2020-02-19 Thread Kimmo Rantala via FreeIPA-users
Hi,

I discovered this:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-forest-trust

Does this, in theory, mean that in the near future, a trust with Azure AD 
Domain Services would be possible without much effort from the developers?

I thought I would bring this to your attention in the off chance that this has 
eluded you and after all the article is quite recent.


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-19 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 19, 2020 at 07:26:51AM -, Michael Solodovnikov via 
FreeIPA-users wrote:
> I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba
> 4.9.1-10, on CentOS 7.7.1908, and can't log in as an AD user.
> FreeIPA is configured with a one-way trust with AD (win.gtf.kz); the AD user has the UPN
> n.u...@fgt.kz. The FreeIPA realm is nix.gtf.kz.
> 
> 
...
> 
> AD user.
> 
> [root@dc1 ~]# getent passwd solodovni...@win.gtf.kz
> solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
> 
> [root@dc1 ~]# kinit solodovni...@win.gtf.kz
> Password for solodovni...@win.gtf.kz:
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: solodovni...@win.gtf.kz
> 
> Valid starting   Expires  Service principal
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
> renew until 02/20/2020 11:05:10
>   
> [root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
> host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: solodovni...@win.gtf.kz
> 
> Valid starting   Expires  Service principal
> 02/19/2020 11:07:34  02/19/2020 21:05:16  host/dc1.nix.gtf...@nix.gtf.kz
> renew until 02/20/2020 11:05:10
> 02/19/2020 11:07:34  02/19/2020 21:05:16  krbtgt/nix.gtf...@win.gtf.kz
> renew until 02/20/2020 11:05:10
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
> renew until 02/20/2020 11:05:10

Hi,

the lower-case components in the krbtgt principals
'krbtgt/nix.gtf...@win.gtf.kz' and 'krbtgt/win.gtf...@win.gtf.kz' look
odd, especially since the latter was
'krbtgt/win.gtf...@win.gtf.kz' after calling kinit.

Can you run the same commands as

KRB5_TRACE=/dev/stdout kinit solodovni...@win.gtf.kz
KRB5_TRACE=/dev/stdout klist
KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
KRB5_TRACE=/dev/stdout klist

and send the output?
>   
> 
> 
...
> In krb5kdc.log:
> 
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz 
> for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz 
> for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database

Here the all-upper-case version is requested and not found. Please note
that Kerberos, according to the RFCs, is case-sensitive, and the IPA KDC
treats principal names case-sensitively, in contrast to AD DCs.

The cross-realm TGT is needed for the Kerberos ticket validation. You
can disable this for testing by setting 'krb5_validate = False' in the
[domain/...] section of sssd.conf. But since validation is a useful
security feature, especially in an environment with trust, I'd still
recommend finding the real cause of the issue rather than using
'krb5_validate = False' permanently.

> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
> 
> 
> 
> 
> Configs on the FreeIPA client (sqlg.nix.gtf.kz)
> 
> [root@sqlg ~]# cat /etc/redhat-release
> CentOS Linux release 7.7.1908 (Core)
> [root@sqlg ~]# ipa --version
> VERSION: 4.6.5, API_VERSION: 2.231
> 
> [root@sqlg ~]# cat /etc/krb5.conf
> #File modified by ipa-client-install
> 
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = NIX.GTF.KZ
>   dns_lookup_realm = true