[Freeipa-users] Re: Prevent admin user lock

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, Petar Kozić via FreeIPA-users wrote:

> Hi Alexander, thank you for your reply, can you point some details how can
> I do that?


See 'ipa help pwpolicy' and the official documentation chapter 'Defining
IdM password policies':
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/defining-idm-password-policies_configuring-and-managing-idm

Just set max failures to 0.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
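The advice above, carried through with the ipa CLI, as an added example that is not code from the thread or from FreeIPA: a group password policy whose "Max failures" is 0 exempts that group's members from lockout, and a lower --priority number wins over other group policies. The group name "no-lockout" and the helper function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. It applies the
# advice above with the ipa CLI: a group password policy with "Max failures"
# set to 0 exempts that group's members from lockout, and a lower --priority
# number wins over other group policies. The group name "no-lockout" is mine.

# Print the "Max failures" value from `ipa pwpolicy-show` output read on stdin.
max_failures() {
    sed -n 's/^ *Max failures: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a Max failures value: 0 means the account can never be locked.
lockout_state() {
    case "$1" in
        0) echo "never-locks" ;;
        ''|*[!0-9]*) echo "unknown" ;;
        *) echo "can-lock" ;;
    esac
}

# Create the policy and confirm it is the one in effect for admin.
# Needs an admin ticket (kinit admin). Not executed by the test below.
apply_admin_nolock() {
    group=${1:-no-lockout}
    ipa group-add "$group" --desc="accounts exempt from password lockout"
    ipa group-add-member "$group" --users=admin
    # priority 1 takes precedence over higher-numbered group policies
    ipa pwpolicy-add "$group" --maxfail=0 --priority=1
    eff=$(ipa pwpolicy-show --user=admin | max_failures)
    echo "effective Max failures for admin: $eff ($(lockout_state "$eff"))"
}

# Run as: ./admin-nolock.sh apply [groupname]
if [ "${1:-}" = apply ]; then apply_admin_nolock "${2:-}"; fi
```

Removing the lockout also removes the brake on online password guessing against an account reachable from the Internet, so it belongs together with a long random admin password and, where the deployment allows it, a source-address restriction on who can reach the web UI and Kerberos ports. `ipa pwpolicy-show --user=admin` reports which policy is in effect for the user at any time.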


[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-29 Thread Petr Menšík via FreeIPA-users

On 4/29/20 2:30 PM, Tiemen Ruiten wrote:
> Hello Petr,
> 
> Thank you for the pointers. Even without DNSSEC validation, the query
> doesn't return the A-record. Delv also returns SERVFAIL. What I do see at
> DNSViz
> ,
> is "NSEC3 proving non-existence of
> download.wisselkoersenvoorjeadministratie". That doesn't look normal, if I
> compare it with mijn.ing.nl (hostname of a major bank in NL) there is no
> such output. I'll try to contact the domain administrators and get them to
> fix it
> 
> I tried to set the NTA, but it also didn't make a difference. Is there any
> other way I could semi-permanently (until the domain administrators fix it)
> work around this error?

I don't know what the issue is. I am sorry, I do not know how I can help.

I tried this command:
for NS in $(dig +short ns wisselkoersenvoorjeadministratie.nl); do dig +dnssec +short download.wisselkoersenvoorjeadministratie.nl @$NS; done
185.87.187.229
A 8 2 3600 2020050700 2020041600 27409
wisselkoersenvoorjeadministratie.nl.
Kg7KcdhcilEWlDrSFNf87n0TYXK7Os8rKFcQOcOcR/5Sppn3Gp6H/63S
Htw62Qcy4lhkV+cM8xBZHFVhsLoXeOfaVAU7kcn9W0vNoB+lLC+V/qAm
JDPl/7a8n5mJMoiRRR2VcX4EFNYEyrsMWa0XFW7ukVmCqDCWnX8n/8kR Irk=
A 8 2 3600 2020050700 2020041600 27409
wisselkoersenvoorjeadministratie.nl.
Kg7KcdhcilEWlDrSFNf87n0TYXK7Os8rKFcQOcOcR/5Sppn3Gp6H/63S
Htw62Qcy4lhkV+cM8xBZHFVhsLoXeOfaVAU7kcn9W0vNoB+lLC+V/qAm
JDPl/7a8n5mJMoiRRR2VcX4EFNYEyrsMWa0XFW7ukVmCqDCWnX8n/8kR Irk=
185.87.187.229
185.87.187.229
A 8 2 3600 2020050700 2020041600 27409
wisselkoersenvoorjeadministratie.nl.
Kg7KcdhcilEWlDrSFNf87n0TYXK7Os8rKFcQOcOcR/5Sppn3Gp6H/63S
Htw62Qcy4lhkV+cM8xBZHFVhsLoXeOfaVAU7kcn9W0vNoB+lLC+V/qAm
JDPl/7a8n5mJMoiRRR2VcX4EFNYEyrsMWa0XFW7ukVmCqDCWnX8n/8kR Irk=

It looks ok at first glance. I could not find anything similar to
dnsviz.net in the responses. Could it be that just some geolocation
nodes are broken and others work? delv works fine on that name for me. I
do not have IPv6 connectivity, if that changes anything.

I have never seen such a diagram for a name on dnsviz. I think there is
definitely something wrong with their server, maybe not only wrong
signatures. It should be in your named-pkcs11 logs when rndc trace was
increased to 5 at least.

Checking what their servers responded would be most important. It seems
I see a different result than dnsviz.net. Checking from different regions
might help, if possible.
> 
> On Wed, Apr 29, 2020 at 11:52 AM Petr Menšík via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
>> Hi Tiemen,
>>
>> it might help you to use dig and delv to debug dns related issues.
>> SERVFAIL is quite often some issue in DNSSEC validation. To ensure
>> validation is responsible, try just:
>>
>> dig +cd download.wisselkoersenvoorjeadministratie.nl
>>
>> If it succeeds, validation is responsible. Quite a good tool to discover
>> what is wrong in that is delv. Use +vtrace to get details. If your server
>> provides recursive service, try targeting it with @127.0.0.1.
>>
>> delv +cd +vtrace @127.0.0.1
>> download.wisselkoersenvoorjeadministratie.nl
>>
>> If it tells you fully validated, it is ok. Try removing +cd. When it still
>> validates, bind should get the same results. Only cached records may
>> produce different results.
>>
>> Try flushing cache under that domain:
>>
>> rndc flushtree wisselkoersenvoorjeadministratie.nl
>>
>> In case the owner of that domain fixed the signature, it might help. If this
>> did not help and you are quite sure this is an unintended error, a temporary
>> validation exception could be set. Before you do it, you should be
>> confident no one tried to push a wrong answer into your cache. Usually, it
>> should be an error on the domain's servers that its operator has not yet fixed.
>>
>> rndc nta wisselkoersenvoorjeadministratie.nl
>>
>> Note NTA is time limited for a reason. Correct is fixing it on
>> authoritative servers and flushing just cached tree. Check man rndc for
>> details.
>>
>> named-pkcs11 trace logs would get you similar messages to delv. But I find
>> delv easier to use if possible.
>>
>> Validation of www.regenboog-lelystad.nl. failed few minutes ago to me,
>> but seems to be fixed now.
>>
>> Regards,
>> Petr
>> ___
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
___
FreeIPA-users mailing list -- 
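Petr's dig/delv procedure from the quoted message, turned into a small script as an added example (not code from the thread): query once normally and once with +cd (checking disabled); a SERVFAIL that becomes NOERROR under +cd is a DNSSEC validation failure, and delv +vtrace then shows which step of the chain fails. The function names are mine; the name being checked is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. It scripts the check Petr
# describes: query with and without +cd (checking disabled); a SERVFAIL that
# turns into NOERROR under +cd is a DNSSEC validation failure, and delv then
# shows which step of the chain fails. Function names are mine.

# Pull the status word out of a dig header line such as
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242" (read on stdin).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Interpret the pair (status of the normal query, status with +cd).
classify_servfail() {
    case "$1/$2" in
        SERVFAIL/NOERROR)  echo "dnssec-validation" ;;  # validator rejects the data
        SERVFAIL/SERVFAIL) echo "not-validation" ;;     # broken even unvalidated
        NOERROR/*)         echo "resolves" ;;
        *)                 echo "unknown" ;;             # timeout, no header, etc.
    esac
}

# Live check against a resolver (default: the local named). Not run by the
# test; it needs network access and the dig/delv tools.
check_name() {
    name=$1; server=${2:-127.0.0.1}
    plain=$(dig +noall +comments "$name" @"$server" | dig_status)
    cd=$(dig +cd +noall +comments "$name" @"$server" | dig_status)
    verdict=$(classify_servfail "$plain" "$cd")
    echo "$name: status=$plain with+cd=$cd -> $verdict"
    if [ "$verdict" = dnssec-validation ]; then
        # +vtrace prints each validation step, ending with the failing one
        delv +vtrace @"$server" "$name"
    fi
}

# Run as: ./servfail-check.sh download.wisselkoersenvoorjeadministratie.nl [resolver]
if [ -n "${1:-}" ]; then check_name "$1" "${2:-}"; fi
```

When the verdict is dnssec-validation the fix belongs on the authoritative side; once the zone operator has corrected the signatures, `rndc flushtree <zone>` on the validating resolver, as in the thread, drops the cached bad data without touching the rest of the cache.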

[Freeipa-users] Re: Cannot delete old server after migration

2020-04-29 Thread Florence Blanc-Renaud via FreeIPA-users

On 4/29/20 3:11 PM, Ronald Wimmer via FreeIPA-users wrote:
> I followed the guide at
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
> to migrate my server (including CA renewal master).
>
> When I try to uninstall the old server according to
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/uninstalling-an-ipa-server_installing-identity-management
> I get the following error message:
>
> ipa server-del idm1.linux.mydomain.at
>
> Removing ipa1.linux.mydomain.at from replication topology, please wait...
> ipa: ERROR: Server removal aborted:
>
> Removal of 'ipa1.linux.mydomain.at' leads to disconnected topology in
> suffix 'ca':
Hi,
you can check your replication topology using the web UI and need to 
make sure that each server is connected to at least another one, for the 
domain suffix and for the CA suffix, and that removing the server will 
not create a disconnected topology. Navigate to IPA Server > Topology > 
Topology Graph.
If it's not the case (as hinted by the error message), you need to 
create replication agreements and only then will you be able to delete 
the node.
If you are sure of what you're doing, you can use the 
--ignore-topology-disconnect option to force the removal.


HTH,
flo

> Topology does not allow server idm1.linux.mydomain.at to replicate with
> servers:
>
>      ipa5.linux.mydomain.at
>      ipa2.linux.mydomain.at
>      ipa6.linux.mydomain.at
> Topology does not allow server ipa2.linux.mydomain.at to replicate with
> servers:
>
>      ipa5.linux.mydomain.at
>      idm1.linux.mydomain.at
> Topology does not allow server ipa5.linux.mydomain.at to replicate with
> servers:
>
>      ipa2.linux.mydomain.at
>      idm1.linux.mydomain.at
>      ipa6.linux.mydomain.at
> Topology does not allow server ipa6.linux.mydomain.at to replicate with
> servers:
>
>      ipa5.linux.mydomain.at
>      idm1.linux.mydomain.at.
>
> How do I get rid of the remaining replication agreements?
>
> Cheers,
> Ronald
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Administration delegation for multiple hosts services

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, Julien Rische via FreeIPA-users wrote:

> Hello everyone,
>
> To properly support load-balanced services, we need FreeIPA-managed service
> hosts to be able to retrieve the following elements, without the intervention
> of any user (only starting with the host keytab):
>
> - Keytab containing keys for:
>     - Service canonical principal
>         - When accessed via service DNS alias (Kerberos rDNS lookup disabled)
>     - Service principal alias for host
>         - When accessed via service DNS alias (Kerberos rDNS lookup enabled)
>         - When accessed via host canonical FQDN
> - X.509 certificate for:
>     - Service alias FQDN
>     - Host actual FQDN
>
> In order to obtain each element of this list, we need to:
>
> - Allow the host to retrieve the service key
>     - Creation/reset of the key should be forbidden
> - Allow the host to request a certificate for both its own FQDN and the service
>   DNS alias (which matches the service canonical principal)
>     - Preferably only these 2 subject names should be allowed
> - Create a service principal alias matching the host's FQDN
>
> We are managing hundreds of services spread across tens of thousands of hosts.
> Each service is managed by a different user group, hence we can't afford to
> grant all these users the "Service Administrators" privilege.
>
> Ideally, each service would be configured just once (with just maybe a few
> exceptional updates). On the contrary, the hostgroup(s) containing the service
> hosts would be continuously updated. This way, the FreeIPA administrator would
> give their blessing at service creation, and then let service administrators
> manage host membership.
>
> We think the following configuration could be applied for each service:
>
> - A hostgroup containing all the service hosts, allowed to:
>     - Retrieve the service key
>     - Request a certificate with an alternative subject name by:
>         - Being assigned to the "managedBy" service attribute
>         - Or being granted the permission to write the "userCertificate"
>           service attribute
> - A service administrators group, allowed to:
>     - Write the "member" attribute of the hostgroup
>     - Create/reset the service key
>
> The keytab creation/retrieval part is quite straightforward to deal with. But
> this is not necessarily the case for certificates and service principal aliases:
>
> We observed the "managedBy" setting has 2 downsides:
>
> - It grants the host the permission to request a certificate with subject
>   alternative names, but it also grants the permission to create/reset the key,
>   which we don't want.
> - It consists of a list of hosts that must be continuously maintained, since it
>   cannot refer to the hostgroup directly.
>
> Therefore a permission granting the hostgroup the right to update the
> service's "userCertificate" attribute seems more flexible. But both options
> have the downside of allowing any host from the hostgroup to request any other
> host's name as the alternative subject name.
>
> Regarding the service principal aliases, we haven't found any way to
> dynamically update the list as the service hostgroup changes. We could
> grant the service hostgroup the permission to update the "krbPrincipalName"
> service attribute, but it sounds like an excessive permission. We could also
> implement a background service continuously updating the principal alias list of
> services according to their associated hostgroups.
>
> So I would summarise my questions this way:
>
> - Are the assumptions used in this message true?

Yes. Quite good summary, thanks for that.


> - Is granting write permissions on the "userCertificate" service attribute the best
>   alternative to "managedBy" for our use case?


With FreeIPA 4.8.4+ we have support for member managers which define who
can write to the member attribute of the group. See
https://freeipa.readthedocs.io/en/latest/designs/membermanager.html for
more details. Since this applies to any group, you can have a service
administrators group to manage a hostgroup membership and to define a
group that has write permissions to userCertificate through the normal
role/permissions mechanism.



> - What is the best way to keep a service principal alias list up-to-date with a
>   hostgroup?

To add a KrbPrincipalName alias to a specific service principal on a hostgroup
change, it would probably be easier to extend the automember feature (see
details in 'ipa help automember'). Right now it is hard-coded to use two
types, hostgroup and group, even though the automember plugin in 389-ds
allows defining an attribute that would be used for the grouping feature
and what entry attribute to use to populate the value.

The problem is that it only takes a value as it is from the entry; there
is no way to transform it to some other value. If you look into the
install/updates/40-automember.update file, you'll see that hostgroup
population takes the 'dn' value of an entry and asks to add that as a
'member' of a hostgroup:

dn: cn=Hostgroup,cn=automember,cn=etc,$SUFFIX
default: objectclass: autoMemberDefinition
default: cn: Hostgroup
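Alexander's two suggestions above (a member manager for the hostgroup, and the ordinary permission/privilege/role chain for userCertificate) as an added shell example; this is not code from the thread or from the FreeIPA project. It assumes FreeIPA 4.8.4 or later for hostgroup-add-member-manager, an admin Kerberos ticket when run for real, and constructed names: the hostgroup web-hosts, the group web-admins and the service principal HTTP/web.example.test@EXAMPLE.TEST.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project. It wires up
# the split Alexander describes: a member manager (FreeIPA 4.8.4+) lets the
# service administrators group edit hostgroup membership, and a
# permission -> privilege -> role chain lets hosts in that hostgroup write
# only userCertificate, only on the one service entry. The names web-hosts,
# web-admins and HTTP/web.example.test@EXAMPLE.TEST are constructed.
# Commands are printed unless DRY_RUN=0; the ipa CLI needs an admin ticket.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Service admins may add/remove hosts in the hostgroup and nothing more.
delegate_hostgroup_membership() {
    hostgroup=$1; admins=$2
    run ipa hostgroup-add-member-manager "$hostgroup" --groups="$admins"
}

# Hosts in the hostgroup may write userCertificate on the named service.
# --type=service plus the krbprincipalname filter scopes the ACI to that
# single entry, so the hosts cannot touch other services' certificates.
delegate_service_cert() {
    service=$1; hostgroup=$2
    perm="Write userCertificate of $service"
    priv="Certificate writers for $service"
    role="Certificate updaters for $service"
    run ipa permission-add "$perm" --type=service --right=write \
        --attrs=usercertificate --filter="(krbprincipalname=$service)"
    run ipa privilege-add "$priv"
    run ipa privilege-add-permission "$priv" --permissions="$perm"
    run ipa role-add "$role"
    run ipa role-add-privilege "$role" --privileges="$priv"
    run ipa role-add-member "$role" --hostgroups="$hostgroup"
}

# Run as: ./delegate.sh web-hosts web-admins HTTP/web.example.test@EXAMPLE.TEST
if [ $# -eq 3 ]; then
    delegate_hostgroup_membership "$1" "$2"
    delegate_service_cert "$3" "$1"
fi
```

This keeps the two concerns apart as the question asks: the service admins never get a right on the service entry itself, and the hosts never get to create or reset the service key, because the only write they are granted is to userCertificate. The downside Julien notes remains: every host in web-hosts can request a certificate naming any other member of the hostgroup, since the permission is scoped to the service entry, not to the requesting host's own FQDN.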

[Freeipa-users] Re: HBAC Rule to allow anonymous NFS mounts from specific subnets

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, White, David via FreeIPA-users wrote:

> Is it possible to allow hosts in specific subnets to connect to a
> FreeIPA-connected server over NFS anonymously?
> e.g. I'm wondering if I could set up an HBAC rule by doing something like the
> following:
>
> ipa hbacsvc-add nfs-mount
> ipa hbacrule-add allow_nfs_mount
>
> Then attach that to the NFS server
> And then allow "anyone" to connect over NFS to that server


HBAC rules apply in PAM through use of pam_sss module. NFS servers do
not use PAM authentication, so your chances to apply HBAC rules are not
there.


> Bonus points if there's a way to restrict the source NFS connection by IP
> address or subnet


You need to look into your firewall setup.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
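Since HBAC cannot gate NFS (there is no PAM step to evaluate it in), the source restriction Alexander points to has to live in the network and NFS layers. The following is an added example, not code from the thread: an /etc/exports entry limited to one subnet, with all_squash so an anonymous mount carries no real UIDs, plus a firewalld rich rule that admits the nfs service only from that subnet. The share path /srv/share, the subnet 10.20.30.0/24 and the function names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. HBAC cannot gate NFS (no PAM),
# so the source restriction lives in the network and NFS layers instead:
# an /etc/exports entry limited to one subnet, with all_squash so an
# anonymous mount gets no real UIDs, and a firewalld rich rule that admits
# the nfs service only from that subnet. The share path and subnet are
# constructed values; function names are mine.

# Accept only dotted-quad IPv4 CIDR notation: a.b.c.d/0-32.
valid_cidr() {
    cidr=$1
    case "$cidr" in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}; len=${cidr#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=0; oldifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# /etc/exports line: read-only, AUTH_SYS, every client UID squashed to nobody.
exports_line() {
    printf '%s %s(ro,sync,sec=sys,all_squash)\n' "$1" "$2"
}

# firewalld rich rule allowing the nfs service from the subnet only.
firewall_rule() {
    printf 'rule family="ipv4" source address="%s" service name="nfs" accept\n' "$1"
}

# Apply both (needs root). Not run by the test.
restrict_nfs() {
    share=$1; subnet=$2
    valid_cidr "$subnet" || { echo "invalid subnet: $subnet" >&2; return 1; }
    exports_line "$share" "$subnet" >> /etc/exports
    exportfs -ra
    firewall-cmd --permanent --add-rich-rule="$(firewall_rule "$subnet")"
    firewall-cmd --reload
}

# Run as: ./nfs-restrict.sh /srv/share 10.20.30.0/24
if [ $# -eq 2 ]; then restrict_nfs "$1" "$2"; fi
```

With sec=sys the server takes the client's word for its UIDs, so the subnet restriction is the whole of the access control; all_squash limits what a spoofed or misconfigured client inside that subnet can reach, and the firewall rule keeps the exports list from being the only barrier.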


[Freeipa-users] Samba and winbind not starting

2020-04-29 Thread Ronald Wimmer via FreeIPA-users
I've managed to successfully migrate my ipa server #1 (including CA 
renewal master) to RHEL8. After a few checks I found out that the trust 
controller role was missing on the new system. So I ran 
ipa-adtrust-install. However, the command "id myuser@ad.domain" did not 
return any results. ipactl status revealed that smbd and winbind were 
not running. ipactl restart did not help.


Any ideas on how to get the trust controller role working again on the 
new machine?


Cheers,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] HBAC Rule to allow anonymous NFS mounts from specific subnets

2020-04-29 Thread White, David via FreeIPA-users
Is it possible to allow hosts in specific subnets to connect to a
FreeIPA-connected server over NFS anonymously?
e.g. I'm wondering if I could set up an HBAC rule by doing something like the
following:

ipa hbacsvc-add nfs-mount
ipa hbacrule-add allow_nfs_mount

Then attach that to the NFS server
And then allow "anyone" to connect over NFS to that server

Bonus points if there's a way to restrict the source NFS connection by IP 
address or subnet

Is this possible? 

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Prevent admin user lock

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, Petar Kozić via FreeIPA-users wrote:

> Hi folks,
>
> My FreeIPA server works on a public IP and needs to be public. Because of
> that I have a problem: the admin user is often locked because of too many
> incorrect logins.
> Can I filter admin user login to some IP and how?


You can create a password policy specifically to admin user that would
make the user non-lockable.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Samba integration - access without Kerberos

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, lejeczek via FreeIPA-users wrote:



> On 16/01/2020 13:56, Alexander Bokovoy wrote:
>> On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote:
>>> hi everybody.
>>>
>>> I see this subject might have been poked around many times, a couple
>>> times at least for sure. But, I thought I'll poke again and hopefully
>>> get some latest comments & thoughts on - how to make IPA's Samba allow
>>> password authentication to Win clients from outside of IPA/AD domains?
>>>
>>> Would there, by now, possibly be a semi-official (by IPA team) way of
>>> getting there, since the subject first came up a longer while ago?
>>
>> This particular use case (non-enrolled Windows machines) is not
>> supported and not planned.
>>
>> There is no way right now and with FreeIPA 4.8 we are closing down
>> ability to generate RC4 hashes for user passwords which means
>> non-Kerberos authentication will not work.
>>
>> There will be some work in future around replacing NTLM method at least
>> between open source projects. Both MIT Kerberos and Heimdal have now
>> support for NegoEx extension which allows to tunnel non-Kerberos
>> authentication method between a client and a server, in case you have
>> other authentication source. There are no plugins that utilize it yet
>> but Microsoft uses NegoEx to bind your Windows account to your cloud
>> account (live.com or some OIDC source) with PKU2U security package.
>>
>> In short, there might be means to explore these options but they aren't
>> there yet.
>
> some time later... :)
> It seems that smbclient from a separate/disconnected IPA domain, from a
> master server of such domain, can connect with no kerberos, password
> auth works.
>
> $ smbclient -L //knives.priv.dom -Upriv.dom\\me
> Enter PRIV.DOM\me's password:
>
>     Sharename   Type  Comment
> ...
> ...
>
> PRIV.DOM is  ipa --version
> VERSION: 4.6.6, API_VERSION: 2.231
>
> That must make one wonder - if Linux Samba tools can do pass auth to
> IPA's Samba then Windows too must somehow be persuaded to do the same?

No, it would not, at least in Windows UI. Windows _clients_ expect
certain set of capabilities provided by the domain controller which
FreeIPA is not providing yet.

> Could it be a question of some policies/registries tuning & tweaking in
> such a way that this would work?

It is not about policies and tweaks, sorry.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Samba integration - access without Kerberos

2020-04-29 Thread lejeczek via FreeIPA-users


On 29/04/2020 18:20, Alexander Bokovoy wrote:
> On ke, 29 huhti 2020, lejeczek via FreeIPA-users wrote:
>>
>>
>> On 16/01/2020 13:56, Alexander Bokovoy wrote:
>>> On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote:
>>>> hi everybody.
>>>>
>>>> I see this subject might have been poked around many
>>>> times, a couple
>>>> times at least for sure. But, I thought I'll poke again
>>>> and hopefully
>>>> get some latest comments & thoughts on - how to make
>>>> IPA's Samba allow
>>>> password authentication to Win clients from outside of
>>>> IPA/AD domains?
>>>>
>>>> Would there, by now, possibly be a semi-official (by IPA
>>>> team) way of
>>>> getting there, since the subject first came up a longer
>>>> while ago?
>>>
>>> This particular use case (non-enrolled Windows machines)
>>> is not
>>> supported and not planned.
>>>
>>> There is no way right now and with FreeIPA 4.8 we are
>>> closing down
>>> ability to generate RC4 hashes for user passwords which
>>> means
>>> non-Kerberos authentication will not work.
>>>
>>> There will be some work in future around replacing NTLM
>>> method at least
>>> between open source projects. Both MIT Kerberos and
>>> Heimdal have now
>>> support for NegoEx extension which allows to tunnel
>>> non-Kerberos
>>> authentication method between a client and a server, in
>>> case you have
>>> other authentication source. There are no plugins that
>>> utilize it yet
>>> but Microsoft uses NegoEx to bind your Windows account to
>>> your cloud
>>> account (live.com or some OIDC source) with PKU2U security
>>> package.
>>>
>>> In short, there might be means to explore these options
>>> but they aren't
>>> there yet.
>>>
>>>
>> some time later... :)
>> It seems that smbclient from a separate/disconnected IPA
>> domain, from a master server of such domain, can connect
>> with no kerberos, password auth works.
>>
>> $ smbclient -L //knives.priv.dom -Upriv.dom\\me
>> Enter PRIV.DOM\me's password:
>>
>>     Sharename   Type  Comment
>> ...
>> ...
>>
>> PRIV.DOM is  ipa --version
>> VERSION: 4.6.6, API_VERSION: 2.231
>>
>> That must make one wonder - if Linux Samba tools can do pass
>> auth to IPA's Samba then Windows too must somehow be persuaded
>> to do the same?
>
> No, it would not, at least in Windows UI. Windows
> _clients_ expect
> certain set of capabilities provided by the domain
> controller which
> FreeIPA is not providing yet.
>
>> Could it be a question of some policies/registries tuning &
>> tweaking in such a way that this would work?
>
> It is not about policies and tweaks, sorry.
>
And this:
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
is that obsolete and should be ignored?
That would not fix IPA's Samba to serve Win10 (non-AD mode)
clients?

many thanks, L.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Plugin problem after upgrade

2020-04-29 Thread Frederic AYRAULT via FreeIPA-users
According to this DEBUG line in ipaupgrade.log, "ipaserver.plugins.bureau is
not a valid plugin module",


I need to modify my plugin :-(

Regards,

Frederic.

Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique


f...@lix.polytechnique.fr

On 29/04/2020 at 15:33, Frederic AYRAULT wrote:

> Hello,
>
> I upgraded my CentOS servers from 7.7.1908 to 7.8.2003 and ipa
> upgraded from 4.6.5 to 4.6.6
>
> In the directory /usr/share/ipa/ui/js/plugins/bureau, I am using the
> enclosed file bureau.js
> to show the room number field in the GUI. But after the upgrade, the
> field is there, but empty.
>
> I deleted one of my servers, downgraded the ipa packages and reinstalled ipa,
> and the plugin is working,
> I can see the value in the field.
>
> Do you have any idea?
>
> Thank you
>
> Regards,
>
> Frederic
>
> Frédéric AYRAULT
> Systems and Network Administrator
> Laboratoire d'Informatique de l'Ecole polytechnique
>
> f...@lix.polytechnique.fr



#from ipalib.plugins import user
from ipalib.plugable import Registry
from ipalib.parameters import Str
from ipalib import _
from .baseuser import baseuser

# Assumed fix (not in the original post): the plugin loader looks for a
# module-level Registry; a module without one is logged as "not a valid
# plugin module", the ipaupgrade.log line quoted above.
register = Registry()

# Expose the LDAP 'roomnumber' attribute as an optional 'Room number'
# parameter on the shared base class used by the user commands.
baseuser.takes_params = baseuser.takes_params + (
    Str('roomnumber?',
        cli_name='roomnumber',
        label=_('Room number'),
    ),
)
baseuser.default_attributes.append('roomnumber')

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Samba and winbind not starting

2020-04-29 Thread Ronald Wimmer via FreeIPA-users

On 29.04.20 19:17, Alexander Bokovoy via FreeIPA-users wrote:

> On ke, 29 huhti 2020, Ronald Wimmer via FreeIPA-users wrote:
>> I've managed to successfully migrate my ipa server #1 (including CA
>> renewal master) to RHEL8. After a few checks I found out that the
>> trust controller role was missing on the new system. So I ran
>> ipa-adtrust-install. However, the command "id myuser@ad.domain" did
>> not return any results. ipactl status revealed that smbd and winbind
>> were not running. ipactl restart did not help.
>>
>> Any ideas on how to get the trust controller role working again on the
>> new machine?
>
> Is this RHEL or CentOS? CentOS 8.1 still suffers from
> https://bugs.centos.org/view.php?id=16929
>
> If this is RHEL, then if you'd collect sosreport, opening a case with
> Red Hat Support would be a good idea.


Oh no! This instance is running CentOS...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Samba and winbind not starting

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, Ronald Wimmer via FreeIPA-users wrote:
> I've managed to successfully migrate my ipa server #1 (including CA
> renewal master) to RHEL8. After a few checks I found out that the
> trust controller role was missing on the new system. So I ran
> ipa-adtrust-install. However, the command "id myuser@ad.domain" did
> not return any results. ipactl status revealed that smbd and winbind
> were not running. ipactl restart did not help.
>
> Any ideas on how to get the trust controller role working again on the
> new machine?


Is this RHEL or CentOS? CentOS 8.1 still suffers from 
https://bugs.centos.org/view.php?id=16929


If this is RHEL, then if you'd collect sosreport, opening a case with
Red Hat Support would be a good idea.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Prevent admin user lock

2020-04-29 Thread Petar Kozić via FreeIPA-users
Hi Alexander, thank you for your reply, can you point some details how can
I do that?

On Wed, Apr 29, 2020, 15:48 Alexander Bokovoy  wrote:

> On ke, 29 huhti 2020, Petar Kozić via FreeIPA-users wrote:
> >Hi folks,
> >
> >My FreeIPA server works on a public IP and needs to be public. Because of
> >that I have a problem: the admin user is often locked because of too many
> >incorrect logins.
> >Can I filter admin user login to some IP and how?
>
> You can create a password policy specifically to admin user that would
> make the user non-lockable.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Client part of server install failing - KRB5CCNAME not defined in HTTP request environment

2020-04-29 Thread Simon Williams via FreeIPA-users
I am having an issue attempting to install IPA Server.  The server
component install processes correctly, but when it comes to set up the
client components it fails:

2020-04-28T22:41:42Z DEBUG failed to find session_cookie in persistent
storage for principal 'host/ipa.mydomain@mydomain.com'
2020-04-28T22:41:42Z INFO trying https://ipa.mydomain.com/ipa/json
2020-04-28T22:41:42Z DEBUG Created connection context.rpcclient_1954644240
2020-04-28T22:41:42Z INFO [try 1]: Forwarding 'schema' to json server
'https://ipa.mydomain.com/ipa/json'
2020-04-28T22:41:42Z DEBUG New HTTP connection (ipa.mydomain.com)
2020-04-28T22:41:53Z DEBUG HTTP connection destroyed (ipa.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 732, in
single_request
response.msg)
ProtocolError: 
2020-04-28T22:41:53Z DEBUG Destroyed connection context.rpcclient_1954644240
2020-04-28T22:41:53Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
319, in run
return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
360, in run
return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
386, in execute
for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
431, in __runner
exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
460, in _handle_execute_exception
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
450, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
418, in <lambda>
step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
655, in _configure
next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
431, in __runner
exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
460, in _handle_execute_exception
self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
518, in _handle_exception
self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
450, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
450, in _handle_exception
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in __runner
step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
418, in <lambda>
step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
65, in _install
for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line
3671, in main
install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line
2392, in install
_install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line
2734, in _install
api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 739, in
finalize
self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in
__do_if_not_done
getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 619, in
load_plugins
for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 949, in
packages
ipaclient.remote_plugins.get_package(self),
  File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
line 134, in get_package
plugins = schema.get_package(server_info, client)
  File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line
553, in get_package
schema = Schema(client)
  

[Freeipa-users] Re: Samba integration - access without Kerberos

2020-04-29 Thread lejeczek via FreeIPA-users


On 16/01/2020 13:56, Alexander Bokovoy wrote:
> On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote:
>> hi everybody.
>>
>> I see this subject might have been poked around many
>> times, a couple
>> times at least for sure. But, I thought I'll poke again
>> and hopefully
>> get some latest comments & thoughts on - how to make
>> IPA's Samba allow
>> password authentication to Win clients from outside of
>> IPA/AD domains?
>>
>> Would there, by now, possibly be a semi-official (by IPA
>> team) way of
>> getting there, since the subject first came up a longer
>> while ago?
>
> This particular use case (non-enrolled Windows machines)
> is not
> supported and not planned.
>
> There is no way right now and with FreeIPA 4.8 we are
> closing down
> ability to generate RC4 hashes for user passwords which means
> non-Kerberos authentication will not work.
>
> There will be some work in future around replacing NTLM
> method at least
> between open source projects. Both MIT Kerberos and
> Heimdal have now
> support for NegoEx extension which allows to tunnel
> non-Kerberos
> authentication method between a client and a server, in
> case you have
> other authentication source. There are no plugins that
> utilize it yet
> but Microsoft uses NegoEx to bind your Windows account to
> your cloud
> account (live.com or some OIDC source) with PKU2U security
> package.
>
> In short, there might be means to explore these options
> but they aren't
> there yet.
>
>
some time later... :)
It seems that smbclient from a separate/disconnected IPA
domain, from a master server of such domain, can connect
with no kerberos, password auth works.

$ smbclient -L //knives.priv.dom -Upriv.dom\\me
Enter PRIV.DOM\me's password:

    Sharename   Type  Comment
...
...

PRIV.DOM is  ipa --version
VERSION: 4.6.6, API_VERSION: 2.231

That must make one wonder - if Linux Samba tools can do pass
auth to IPA's Samba then Windows too must somehow be persuaded
to do the same?
Could it be a question of some policies/registries tuning &
tweaking in such a way that this would work?

many thanks, L.


[Freeipa-users] Re: Samba integration - access without Kerberos

2020-04-29 Thread Alexander Bokovoy via FreeIPA-users

On ke, 29 huhti 2020, lejeczek via FreeIPA-users wrote:
> On 29/04/2020 18:20, Alexander Bokovoy wrote:
>> On ke, 29 huhti 2020, lejeczek via FreeIPA-users wrote:
>>> On 16/01/2020 13:56, Alexander Bokovoy wrote:
>>>> On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote:
>>>>> hi everybody.
>>>>>
>>>>> I see this subject might have been poked around many times, a couple
>>>>> times at least for sure. But, I thought I'll poke again and hopefully
>>>>> get some latest comments & thoughts on - how to make IPA's Samba allow
>>>>> password authentication to Win clients from outside of IPA/AD domains?
>>>>>
>>>>> Would there, by now, possibly be a semi-official (by IPA team) way of
>>>>> getting there, since the subject first came up a longer while ago?
>>>>
>>>> This particular use case (non-enrolled Windows machines) is not
>>>> supported and not planned.
>>>>
>>>> There is no way right now and with FreeIPA 4.8 we are closing down
>>>> ability to generate RC4 hashes for user passwords which means
>>>> non-Kerberos authentication will not work.
>>>>
>>>> There will be some work in future around replacing NTLM method at least
>>>> between open source projects. Both MIT Kerberos and Heimdal have now
>>>> support for NegoEx extension which allows to tunnel non-Kerberos
>>>> authentication method between a client and a server, in case you have
>>>> other authentication source. There are no plugins that utilize it yet
>>>> but Microsoft uses NegoEx to bind your Windows account to your cloud
>>>> account (live.com or some OIDC source) with PKU2U security package.
>>>>
>>>> In short, there might be means to explore these options but they aren't
>>>> there yet.
>>>
>>> some time later... :)
>>> It seems that smbclient from a separate/disconnected IPA domain, from a
>>> master server of such domain, can connect with no kerberos, password
>>> auth works.
>>>
>>> $ smbclient -L //knives.priv.dom -Upriv.dom\\me
>>> Enter PRIV.DOM\me's password:
>>>
>>>     Sharename   Type  Comment
>>> ...
>>> ...
>>>
>>> PRIV.DOM is  ipa --version
>>> VERSION: 4.6.6, API_VERSION: 2.231
>>>
>>> That must make one wonder - if Linux Samba tools can do pass auth to
>>> IPA's Samba then Windows too must somehow be persuaded to do the same?
>>
>> No, it would not, at least in Windows UI. Windows _clients_ expect
>> certain set of capabilities provided by the domain controller which
>> FreeIPA is not providing yet.
>>
>>> Could it be a question of some policies/registries tuning & tweaking in
>>> such a way that this would work?
>>
>> It is not about policies and tweaks, sorry.
>
> And this:
> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> is that obsolete and should be ignored?
> That would not fix IPA's Samba to serve Win10 (non-AD mode) clients?

Correct. Even if sometimes people claim it is working, it is definitely
not something we would be willing to support. As I said, with FreeIPA
4.8 the whole NTLM story is gone for users already, so only Kerberos
authentication is going to be present until we create a new secure
mechanism.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-29 Thread Petr Menšík via FreeIPA-users
Hi Tiemen,

it might help you to use dig and delv to debug DNS related issues. SERVFAIL is 
quite often some issue in DNSSEC validation. To ensure validation is 
responsible, try just:

dig +cd download.wisselkoersenvoorjeadministratie.nl

If it succeeds, validation is responsible. Quite a good tool to discover what is 
wrong in that is delv. Use +vtrace to get details. If your server provides 
recursive service, try targeting it with @127.0.0.1.

delv +cd +vtrace @127.0.0.1 download.wisselkoersenvoorjeadministratie.nl

If it tells you fully validated, it is ok. Try removing +cd. When it still 
validates, bind should get the same results. Only cached records may produce 
different results.

Try flushing cache under that domain:

rndc flushtree wisselkoersenvoorjeadministratie.nl

In case the owner of that domain fixed the signature, it might help. If this did 
not help and you are quite sure this is an unintended error, a temporary validation 
exception could be set. Before you do it, you should be confident no one tried 
to push a wrong answer into your cache. Usually, it should be an error on the 
domain's servers that its operator has not yet fixed.

rndc nta wisselkoersenvoorjeadministratie.nl

Note NTA is time limited for a reason. The correct fix is fixing it on authoritative 
servers and flushing just the cached tree. Check man rndc for details.

named-pkcs11 trace logs would get you similar messages to delv. But I find delv 
easier to use if possible.

Validation of www.regenboog-lelystad.nl. failed for me a few minutes ago, but 
seems to be fixed now.

Regards,
Petr
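A small POSIX sh helper, added here as an example and not part of Petr's or Tiemen's mail, that applies the first step of the procedure above mechanically: it compares the RCODE of a plain query with that of a +cd (checking disabled) query against the same resolver and, for a successful answer, checks the ad flag. The dig output is parsed from constructed sample header lines so the block runs offline; the diagnose_name function that runs the real dig pair is an assumption about how one would wire it up.

```shell
#!/bin/sh
# Added example: classify a SERVFAIL the way the procedure in the mail does.
# A resolver that fails a plain query but answers with +cd is rejecting the
# DNSSEC chain; a resolver that fails both is not failing on validation
# (Tiemen's case: even without validation no A record comes back).

# dig_rcode OUTPUT: pull the RCODE out of dig's ";; ->>HEADER<<-" line.
dig_rcode() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_flag OUTPUT FLAG: succeed if FLAG (e.g. "ad") is set in ";; flags:".
dig_has_flag() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' \
        | tr ' ' '\n' | grep -qx "$2"
}

# classify_servfail PLAIN_OUTPUT CD_OUTPUT prints one of:
#   validation-failure  plain fails, +cd succeeds: the resolver rejects the
#                       DNSSEC chain; inspect with delv +vtrace, flush the
#                       tree, and set an NTA only once you are confident the
#                       data in the cache is what the zone owner intended
#   upstream-failure    both fail: validation is not the cause; the
#                       authoritative side or connectivity is broken
#   ok-validated        plain query succeeds with the ad flag set
#   ok-unvalidated      plain query succeeds without ad (unsigned zone or
#                       resolver not validating)
classify_servfail() {
    plain_rcode=$(dig_rcode "$1")
    cd_rcode=$(dig_rcode "$2")
    case "$plain_rcode:$cd_rcode" in
        SERVFAIL:NOERROR) echo validation-failure ;;
        SERVFAIL:*)       echo upstream-failure ;;
        NOERROR:*)
            if dig_has_flag "$1" ad; then echo ok-validated
            else echo ok-unvalidated; fi ;;
        *)                echo "unexpected:$plain_rcode:$cd_rcode" ;;
    esac
}

# diagnose_name NAME [RESOLVER]: run the real dig pair against a resolver
# (default 127.0.0.1, as in the mail). Assumed wiring; needs network and is
# deliberately not called below.
diagnose_name() {
    name=$1
    resolver=${2:-127.0.0.1}
    classify_servfail "$(dig @"$resolver" "$name")" \
                      "$(dig +cd @"$resolver" "$name")"
}

# Constructed sample dig output (header lines only) for the demonstration.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify_servfail "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK"     # validation-failure
classify_servfail "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL"  # upstream-failure
classify_servfail "$SAMPLE_AD_OK" "$SAMPLE_AD_OK"        # ok-validated
```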


[Freeipa-users] Apparently transient error cl5DBData2Entry - Invalid data version

2020-04-29 Thread Roderick Johnstone via FreeIPA-users

Hi

We have 3 IPA servers which we are in the process of updating from RHEL 
7.7 to RHEL 7.8.


Servers X, Z are at: ipa-server-4.6.6-11.el7.x86_64 (RHEL 7.8)
Server W is at: ipa-server-4.6.5-11.el7_7.3.x86_64 (RHEL 7.7)

Server X was updated some time ago, and server Z was updated last Thursday.

I was doing some checks of the log files before our planned update of 
server W to RHEL 7.8 tomorrow and found the following in 
/var/log/dirsrv/slapd-REALM/errors:


[26/Apr/2020:22:00:21.704887592 +0100] - INFO - dblayer_copy_directory - 
Backing up file 119 
(/var/lib/dirsrv/slapd-REALM/bak/REALM/ipaca/vlv#cacompleterenewalpkitomcatindex.db)


[26/Apr/2020:22:00:23.627421118 +0100] - ERR - NSMMReplicationPlugin - 
changelog program - cl5DBData2Entry - Invalid data version


[26/Apr/2020:22:00:24.760704543 +0100] - INFO - dblayer_copyfile - 
Copying 
/var/lib/dirsrv/slapd-REALM/db/ipaca/vlv#cacompleterenewalpkitomcatindex.db 
to 
/var/lib/dirsrv/slapd-REALM/bak/REALM/ipaca/vlv#cacompleterenewalpkitomcatindex.db


[26/Apr/2020:22:00:24.776815976 +0100] - ERR - NSMMReplicationPlugin - 
changelog program - cl5DBData2Entry - Invalid data version


The errors were generated during our cronjob that runs this each night:
/sbin/ipa-backup --data --online

The errors don't seem to have been present the last two nights.

Would I be right to assume that this is just some transient 
inconsistency caused by doing the online backup or should I be more 
worried even though the error hasn't occurred since?


Thanks for any insights on this.

Roderick Johnstone



[Freeipa-users] failed to verify krb5 credentials: Server not found in Kerberos database

2020-04-29 Thread Faraz Younus via FreeIPA-users
Hi Team,

I'm getting the error in the subject when enrolling to a new FreeIPA server. How can it be fixed?


[Freeipa-users] Migrate CA from 7 to 8

2020-04-29 Thread Ronald Wimmer via FreeIPA-users
According to 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating#install-replica_migrate-7-to-8 
I should do an "ipa-csreplica-manage list" on the new server after having 
run "ipa-replica-install". The verbose output in the Red Hat document has 
a different output of "ipa-csreplica-manage" than mine. The document 
says "Incremental update succeeded" whereas mine reports "No replication 
sessions started since server startup".


Is this a problem or should replication not have already taken place at 
this migration step?


Cheers,
Ronald


[Freeipa-users] Re: Migrate CA from 7 to 8

2020-04-29 Thread Ronald Wimmer via FreeIPA-users

On 29.04.20 14:45, Ronald Wimmer via FreeIPA-users wrote:
> According to 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating#install-replica_migrate-7-to-8 
> I should do an "ipa-csreplica-manage list" on the new server after having 
> run "ipa-replica-install". The verbose output in the Red Hat document has 
> a different output of "ipa-csreplica-manage" than mine. The document 
> says "Incremental update succeeded" whereas mine reports "No replication 
> sessions started since server startup".
>
> Is this a problem or should replication not have already taken place at 
> this migration step?


OK. I should have waited for a couple of minutes. Now it says 
"Incremental update succeeded" as expected.


Cheers,
Ronald


[Freeipa-users] DNS - trusted-keys via IPA's tools - ?

2020-04-29 Thread lejeczek via FreeIPA-users
hi everybody

I want to ask if we have a way of adding trusted-keys?
Official/recommended vs. by fiddling/non-recommended?

many thanks, L.


[Freeipa-users] Prevent admin user lock

2020-04-29 Thread Petar Kozić via FreeIPA-users
Hi folks,

My FreeIPA server runs on a public IP and needs to be public. Because of
that I have a problem: the admin user is often locked because of too many
incorrect logins.
Can I restrict admin user login to some IP, and how?

Thank you.


[Freeipa-users] Cannot delete old server after migration

2020-04-29 Thread Ronald Wimmer via FreeIPA-users
I followed the guide at 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating 
to migrate my server (including CA renewal master).


When I try to uninstall the old server according to 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/uninstalling-an-ipa-server_installing-identity-management 
I get the following error message:


ipa server-del idm1.linux.mydomain.at

Removing ipa1.linux.mydomain.at from replication topology, please wait...
ipa: ERROR: Server removal aborted:

Removal of 'ipa1.linux.mydomain.at' leads to disconnected topology in 
suffix 'ca':
Topology does not allow server idm1.linux.mydomain.at to replicate with 
servers:

ipa5.linux.mydomain.at
ipa2.linux.mydomain.at
ipa6.linux.mydomain.at
Topology does not allow server ipa2.linux.mydomain.at to replicate with 
servers:

ipa5.linux.mydomain.at
idm1.linux.mydomain.at
Topology does not allow server ipa5.linux.mydomain.at to replicate with 
servers:

ipa2.linux.mydomain.at
idm1.linux.mydomain.at
ipa6.linux.mydomain.at
Topology does not allow server ipa6.linux.mydomain.at to replicate with 
servers:

ipa5.linux.mydomain.at
idm1.linux.mydomain.at.

How do I get rid of the remaining replication agreements?

Cheers,
Ronald


[Freeipa-users] Administration delegation for multiple hosts services

2020-04-29 Thread Julien Rische via FreeIPA-users
Hello everyone,

To properly support load-balanced services, we need FreeIPA-managed service
hosts to be able to retrieve the following elements, without the intervention
of any user (only starting with the host keytab):

- Keytab containing keys for:
    - Service canonical principal
        - When accessed via service DNS alias (Kerberos rDNS lookup disabled)
    - Service principal alias for host
        - When accessed via service DNS alias (Kerberos rDNS lookup enabled)
        - When accessed via host canonical FQDN
- X.509 certificate for:
    - Service alias FQDN
    - Host actual FQDN

In order to obtain each element of this list, we need to:

- Allow the host to retrieve the service key
    - Creation/reset of the key should be forbidden
- Allow the host to request a certificate for both its own FQDN and the service
  DNS alias (which matches the service canonical principal)
    - Preferably only these 2 subject names should be allowed
- Create a service principal alias matching the host's FQDN

We are managing hundreds of services spread across tens of thousands of hosts.
Each service is managed by a different user group, hence we can't afford to
grant all these users the "Service Administrators" privilege.

Ideally, each service would be configured just once (with just maybe a few
exceptional updates). On the contrary, hostgroup(s) containing the service
hosts would be continuously updated. This way, FreeIPA administrator would give
their blessing at service creation, and then let service administrators manage
hosts membership.

We think the following configuration could be applied for each service:

- A hostgroup containing all the service hosts, allowed to:
    - Retrieve the service key
    - Request a certificate with a subject alternative name by:
        - Being assigned to the "managedBy" service attribute
        - Or being granted the permission to write the "userCertificate"
          service attribute
- A service administrators group, allowed to:
    - Write the "member" attribute of the hostgroup
    - Create/reset the service key

The keytab creation/retrieval part is quite straightforward to deal with. But
this is not necessarily the case for certificates and service principal aliases:

We observed the "managedBy" setting has 2 downsides:

- It grants the host the permission to request a certificate with subject
  alternative names, but it also grants the permission to create/reset the key,
  which we don't want.
- It consists of a list of hosts that must be continuously maintained, since it
  cannot refer to the hostgroup directly.

Therefore a permission granting the hostgroup the right to update the
service's "userCertificate" attribute sounds more flexible. But both options
have the downside of allowing any host from the hostgroup to request any other
as the subject alternative name.

Regarding the service principal aliases, we haven't found any way to
dynamically update the list as the service hostgroup changes. We could grant
the service hostgroup the permission to update the "krbPrincipalName" service
attribute, but it sounds like an excessive permission. Alternatively, we could
implement a background service continuously updating the principal alias list
of services according to their associated hostgroups.

So I would summarise my questions this way:

- Are the assumptions used in this message true?
- Is granting write permissions on "userCertificate" service attribute the best
  alternative to "managedBy" for our use case?
- What is the best way to keep a service principal alias list up-to-date with a
  hostgroup?

Since it is my first message on this mailing list, I would like to pay tribute
to the development team of FreeIPA and its community. Even if there is still
work to do, FreeIPA is a quite impressive piece of work given the complexity of
the environment it is trying to integrate into, and the variety of use cases it
has to support.

Kind regards,

---
Julien Rische
Systems engineer
CERN


[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-29 Thread Tiemen Ruiten via FreeIPA-users
Hello Petr,

Thank you for the pointers. Even without DNSSEC validation, the query
doesn't return the A-record. Delv also returns SERVFAIL. What I do see at
DNSViz is "NSEC3 proving non-existence of
download.wisselkoersenvoorjeadministratie". That doesn't look normal; if I
compare it with mijn.ing.nl (hostname of a major bank in NL) there is no
such output. I'll try to contact the domain administrators and get them to
fix it.

I tried to set the NTA, but it also didn't make a difference. Is there any
other way I could semi-permanently (until the domain administrators fix it)
work around this error?

On Wed, Apr 29, 2020 at 11:52 AM Petr Menšík via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Tiemen,
>
> it might help you to use dig and delv to debug DNS related issues.
> SERVFAIL is quite often some issue in DNSSEC validation. To ensure
> validation is responsible, try just:
>
> dig +cd download.wisselkoersenvoorjeadministratie.nl
>
> If it succeeds, validation is responsible. Quite a good tool to discover
> what is wrong in that is delv. Use +vtrace to get details. If your server
> provides recursive service, try targeting it with @127.0.0.1.
>
> delv +cd +vtrace @127.0.0.1
> download.wisselkoersenvoorjeadministratie.nl
>
> If it tells you fully validated, it is ok. Try removing +cd. When it still
> validates, bind should get the same results. Only cached records may
> produce different results.
>
> Try flushing cache under that domain:
>
> rndc flushtree wisselkoersenvoorjeadministratie.nl
>
> In case the owner of that domain fixed the signature, it might help. If this
> did not help and you are quite sure this is an unintended error, a temporary
> validation exception could be set. Before you do it, you should be
> confident no one tried to push a wrong answer into your cache. Usually, it
> should be an error on the domain's servers that its operator has not yet fixed.
>
> rndc nta wisselkoersenvoorjeadministratie.nl
>
> Note NTA is time limited for a reason. The correct fix is fixing it on
> authoritative servers and flushing just the cached tree. Check man rndc for
> details.
>
> named-pkcs11 trace logs would get you similar messages to delv. But I find
> delv easier to use if possible.
>
> Validation of www.regenboog-lelystad.nl. failed for me a few minutes ago,
> but seems to be fixed now.
>
> Regards,
> Petr


-- 
Tiemen Ruiten
Infrastructure Engineer