[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote:
> Hi Rob,
> 
> On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
>> Harald Dunkel via FreeIPA-users wrote:
>>> See attachment.
>>>
>>> Please note the "invalid certificate". Do you remember the thread
>>> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
>>> after root certificate change via ipa-cacert-manage" and the
>>> output of "ipa-certupdate -v" I had posted?
>>>
>>
>> The ipa-certupdate error was a red herring. IPA was just looking for all
>> possible CA certs it could know about.
>>
> OK.
> 
>> It does look like the trust is wrong on your CA cert in the tomcat NSS
>> database.
>>
>> # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
>> [ snip ]
>> caSigningCert cert-pki-ca                                   CTu,Cu,Cu
>>
>> If yours isn't that
> 
> Sorry, but I don't understand. My what isn't what?

If your entry doesn't look like that, which it does.

>> you can try modifying it with:
>>
>> # certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "caSigningCert
>> cert-pki-ca" -t CTu,Cu,Cu
>>
> Here is what I see on the broken ipa server:
> 
> 
> [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> 
> Certificate Nickname                                        Trust Attributes
>                                                             SSL,S/MIME,JAR/XPI
> 
> Server-Cert cert-pki-ca                                     u,u,u
> subsystemCert cert-pki-ca                                   u,u,u
> caSigningCert cert-pki-ca                                   CTu,Cu,Cu
> auditSigningCert cert-pki-ca                                u,u,Pu
> ocspSigningCert cert-pki-ca                                 u,u,u
> CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
> CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE         ,,
> 
> 
> The CN=example Root CA,... certificate is unwanted. It did not expire,
> but it uses an invalid format for its expiration date. I ran ipa-cacert-manage
> to replace it with the CN=root-CA,... certificate a few months ago.
> 
> 
> The certificate database on another ipa server (not broken yet, as it
> seems) looks different:
> 
> 
> [root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> 
> Certificate Nickname                                        Trust Attributes
>                                                             SSL,S/MIME,JAR/XPI
> 
> caSigningCert cert-pki-ca                                   CTu,Cu,Cu
> subsystemCert cert-pki-ca                                   u,u,u
> CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
> caSigningCert cert-pki-ca                                   CTu,Cu,Cu
> CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE         C,,
> ocspSigningCert cert-pki-ca                                 u,u,u
> auditSigningCert cert-pki-ca                                u,u,Pu
> Server-Cert cert-pki-ca                                     u,u,u
> 
> 
> I would highly appreciate any advice how to cleanup this mess.
> 
> How come the unwanted "example Root CA" is still in the databases at
> all? Due to the broken format I have to get rid of it asap.

What is broken about the cert? I can only assume you installed your IPA
server by having an external CA sign it. It would appear that this
external CA, in your case CN=root-ca, isn't trusted hence the server
won't start.

To fix this you could run:

# certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n
"CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE" -t C,,

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Maintenance mode

2017-12-06 Thread Lachlan Musicman via FreeIPA-users
Stupid question, but to stop anyone from logging in anywhere - for instance
during a maintenance period - is there an easy maintenance mode in IPA?

Or is the best method to disable all HBAC rules?

cheers
L.
--
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "

*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857


[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Aaron Hicks via FreeIPA-users
Hi Rob,

We figured out there were a relatively small number of id clashes between uids 
and gids between users and groups and have resolved most of them. We're now 
working on making gidNumber = uidNumber with a python script calling user-mod 
via the FreeIPA API. It's looking good in our test environment.

I think, with hindsight, gidNumber != uidNumber is a Bad Idea™ and maybe we 
should discourage directory administrators from doing it.

Regards,

Aaron

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, 7 December 2017 9:54 AM
To: Aaron Hicks ; 'FreeIPA users list' 

Subject: Re: [Freeipa-users] User's personal group not resolving

Aaron Hicks wrote:
>> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
>> Is that what you mean by creating the groups?
> 
> No, it's the gid of the user, so exists only as a private user group.

If you migrated from another LDAP server then there is no user-private group. 
You just have a gidNumber value set in their user entry which is why no group 
appears via nss. You need to create a unique group for each user with a 
matching gid.

rob

> 
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Thursday, 7 December 2017 3:59 AM
> To: FreeIPA users list 
> Cc: Aaron Hicks 
> Subject: Re: [Freeipa-users] User's personal group not resolving
> 
> Aaron Hicks via FreeIPA-users wrote:
>> Hello the list,
>>
>>  
>>
>> We imported all our users with uidnumbers from our old LDAP, but 
>> their gidNumber was from 4 groups. This caused us issues with users 
>> wanting to grant access to personal spaces to one user, but instead 
>> granting access to all the members of the group.
>>
>>  
>>
>> To resolve this, when they were imported into FreeIPA we assigned 
>> them all new gidNumbers, as reusing their uidNumbers caused large 
>> number of gidNumber clashes as many groups were assigned from the 
>> same integer range. So now we have a log of users with uidNumber 5XXX 
>> and gidNumber 5000XXX.
>>
>>  
>>
>> When they log in they see an error like this:
>>
>>  
>>
>> /usr/bin/id: cannot find name for group ID 100019
>>
>>  
>>
>> It’s pretty much because their gidNumber != uidNumber
>>
>>  
>>
>> So getting all the name and group details:
>>
>> [username@ipaserver01:~] $ id username
>>
>> uid=5807(username) gid=100019
>> groups=100019,66400035(group1),6647(group2),66400012(group3),6640
>> 0
>> 044(group4),175321(group5),2075295(group6),66400046(group7)
>>
>> [username@ipaserver01:~] 2 $ id -g username
>>
>> 100019
>>
>> [username@ipaserver01:~] $ getent group 5807
>>
>> username:*:5807:
>>
>> [username@ipaserver01:~] $ getent group 100019
>>
>> [username@ipaserver01:~] $
>>
>>  
>>
>> Now, the last part, we can’t change their uidNumber. We have a 
>> massive filesystem (many terabytes) backed by a tape library (many 
>> petabytes) so we need their uidNumber to match that file archived to 
>> tape in 1987 and migrated through our tape system upgrades :P
>>
>>  
>>
>> So the question is; can we make it resolve those gidNumbers?
>>
>>  
>>
>> …I could make 2,500 groups for 2,500 users…
> 
> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
> Is that what you mean by creating the groups?
> 
> rob
> 

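A dry-run planner for the gidNumber = uidNumber change Aaron describes, as an added example that is not the poster's script: it takes user and group records in the shape `ipa user-find` / `ipa group-find` return, emits the `ipa group-add --gid` / `ipa user-mod --gidnumber` commands only where the uidNumber is free, and separates out the id clashes mentioned above so that no user silently ends up with an existing team group as primary group. The records are constructed and the script prints commands rather than calling the FreeIPA API.

```python
import shlex

# Constructed records in the shape `ipa user-find` / `ipa group-find` return
# (uid, uidNumber, gidNumber and cn, gidNumber). Not data from the poster.
USERS = [
    {"uid": "alice", "uidNumber": 5807, "gidNumber": 100019},   # nothing owns gid 5807
    {"uid": "bob",   "uidNumber": 5811, "gidNumber": 5000011},  # a team group owns 5811
    {"uid": "carol", "uidNumber": 5812, "gidNumber": 5812},     # already consistent
    {"uid": "dave",  "uidNumber": 5813, "gidNumber": 5000013},  # group 'dave' has another gid
    {"uid": "erin",  "uidNumber": 5814, "gidNumber": 5000014},  # private group exists, user not updated
]
GROUPS = [
    {"cn": "carol",       "gidNumber": 5812},
    {"cn": "legacy-team", "gidNumber": 5811},
    {"cn": "dave",        "gidNumber": 5000099},
    {"cn": "erin",        "gidNumber": 5814},
    {"cn": "group1",      "gidNumber": 66400035},
]


def plan_gid_fix(users, groups):
    """Dry run of the gidNumber = uidNumber change; returns (commands, consistent, clashes).

    commands   - `ipa` CLI lines, in order, that give a user a private group with
                 gidNumber == uidNumber (group-add only when no group owns that gid yet).
    consistent - users that already have gidNumber == uidNumber.
    clashes    - (uid, reason) pairs that need a human decision first: the uidNumber
                 is already another group's gid (setting it would make that group the
                 user's primary group, the over-sharing problem from the thread), or a
                 group with the user's name exists under a different gid.
    """
    gid_owner = {g["gidNumber"]: g["cn"] for g in groups}
    name_gid = {g["cn"]: g["gidNumber"] for g in groups}
    commands, consistent, clashes = [], [], []
    for u in users:
        uid, uidn, gidn = u["uid"], u["uidNumber"], u["gidNumber"]
        if uidn == gidn:
            consistent.append(uid)
            continue
        owner = gid_owner.get(uidn)
        if owner is not None and owner != uid:
            clashes.append((uid, "gid %d already belongs to group %s" % (uidn, owner)))
            continue
        if owner is None and uid in name_gid:
            clashes.append((uid, "group %s exists with gid %d" % (uid, name_gid[uid])))
            continue
        if owner is None:
            commands.append("ipa group-add %s --gid=%d" % (shlex.quote(uid), uidn))
        commands.append("ipa user-mod %s --gidnumber=%d" % (shlex.quote(uid), uidn))
    return commands, consistent, clashes


if __name__ == "__main__":
    cmds, ok, bad = plan_gid_fix(USERS, GROUPS)
    print("# %d users already consistent: %s" % (len(ok), ", ".join(ok)))
    for uid, why in bad:
        print("# SKIP %s: %s" % (uid, why))
    print("\n".join(cmds))
```

Review the clash list by hand before running the printed commands; the planner only refuses to guess, it does not resolve the clashes.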


[Freeipa-users] Re: Guide to enabling CA?

2017-12-06 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 06 Dec 2017, Bret Wortman via FreeIPA-users wrote:

Is there an online guide to turning on a CA?

We had one, which signed all our SSL Certs and such. It worked quite 
nicely. Then we rolled an upgrade around our IPA servers to get them 
from Fedora to Centos, and in the process, we failed to migrate the 
CA, so we ended up with 3 servers without a CA.


Fast-forward to today, and we lost one, which was our intended CA. So 
now I have two servers (a and z) which are working just fine but we 
can't create new SSL certs signed by our IPA CA.


How can I go about promoting one of these to CA? I know I followed 
online directions the last time, but that was years ago and I've lost 
the link. Thanks!


It's a private development network, so relying on external CAs isn't 
an option.

If you are OK with re-issuing all certificates with a completely new CA
that will be installed, you can start with 'ipa-ca-install'.

You need to make sure your old CA master which you lost is disconnected
from the topology first because ipa-ca-install would otherwise attempt
to promote the replica it runs on to CA by obtaining CA certificates
from existing CA (which you don't have anymore).

If ipa-ca-install succeeds, then you'd need to re-issue certificates
for existing IPA services on this host using the 'getcert' utility. See
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IO6BSB6K76E5XRM4IQEFJRTIPK6KKXFX/
for details on how to perform that. The example in that email does not
concern the new-CA case, but re-issuing certificate requests should be done
similarly.

Most likely you'd have to experiment, so it's best to clone a VM and
isolate it from the rest of the topology before doing actual changes.

--
/ Alexander Bokovoy


[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Aaron Hicks via FreeIPA-users
> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
> Is that what you mean by creating the groups?

No, it's the gid of the user, so exists only as a private user group.

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, 7 December 2017 3:59 AM
To: FreeIPA users list 
Cc: Aaron Hicks 
Subject: Re: [Freeipa-users] User's personal group not resolving

Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
> 
>  
> 
> We imported all our users with uidnumbers from our old LDAP, but their 
> gidNumber was from 4 groups. This caused us issues with users wanting 
> to grant access to personal spaces to one user, but instead granting 
> access to all the members of the group.
> 
>  
> 
> To resolve this, when they were imported into FreeIPA we assigned them 
> all new gidNumbers, as reusing their uidNumbers caused large number of 
> gidNumber clashes as many groups were assigned from the same integer 
> range. So now we have a log of users with uidNumber 5XXX and gidNumber 
> 5000XXX.
> 
>  
> 
> When they log in they see an error like this:
> 
>  
> 
> /usr/bin/id: cannot find name for group ID 100019
> 
>  
> 
> It’s pretty much because their gidNumber != uidNumber
> 
>  
> 
> So getting all the name and group details:
> 
> [username@ipaserver01:~] $ id username
> 
> uid=5807(username) gid=100019
> groups=100019,66400035(group1),6647(group2),66400012(group3),66400
> 044(group4),175321(group5),2075295(group6),66400046(group7)
> 
> [username@ipaserver01:~] 2 $ id -g username
> 
> 100019
> 
> [username@ipaserver01:~] $ getent group 5807
> 
> username:*:5807:
> 
> [username@ipaserver01:~] $ getent group 100019
> 
> [username@ipaserver01:~] $
> 
>  
> 
> Now, the last part, we can’t change their uidNumber. We have a massive 
> filesystem (many terabytes) backed by a tape library (many petabytes) 
> so we need their uidNumber to match that file archived to tape in 1987 
> and migrated through our tape system upgrades :P
> 
>  
> 
> So the question is; can we make it resolve those gidNumbers?
> 
>  
> 
> …I could make 2,500 groups for 2,500 users…

Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. Is 
that what you mean by creating the groups?

rob


[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Lee Wiscovitch via FreeIPA-users
We use openvpn's "auth-user-pass-verify" option to call a perl script 
that queries PAM.


I can't provide all of it since it has sensitive/corporate information 
but essentially OpenVPN will provide the password used during client 
negotiation as an environment variable, and the perl script sends that 
to PAM to be validated. Then based off the results the script will 
either end with a 0 (Good/Pass) or 1 (Bad/Fail). OpenVPN will 
automatically terminate the connection if the script ends with anything 
other than 0.


We ended up going this route cause we also wanted to verify a TOTP token 
as well as the user/pass, and the perl script allows for that (We obtain 
the TOTP token by configuring the client ovpn to request 
"static-challenge" which is also provided to the script via environment 
variable).



On 12/06/2017 03:29 PM, Andrew Meyer via FreeIPA-users wrote:

I already had the line in there for the plugin.

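The via-env verify script Lee describes, as an added example (Python instead of the Perl script from the post, and not code from the list): it reads the `username` and `password` variables OpenVPN sets for `auth-user-pass-verify ... via-env`, splits a `static-challenge` credential (`SCRV1:<base64 password>:<base64 response>`) into password and token, and exits 0 to accept or 1 to reject. The `pam_verify` adapter is an assumption: it needs python-pam, a PAM service named openvpn like the one shown by Mike, and relies on FreeIPA accepting password and OTP concatenated in one field.

```python
import base64
import os
import sys


def split_static_challenge(password):
    """Return (password, otp) from the password field OpenVPN hands over.

    With `static-challenge` the client packs both factors into that field as
    SCRV1:<base64 password>:<base64 response>. A plain password is returned
    unchanged with otp=None. Anything that claims to be SCRV1 but does not
    decode, or decodes to an empty password, raises ValueError so the caller
    can fail closed.
    """
    if not password.startswith("SCRV1:"):
        return password, None
    parts = password.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 credential")
    try:
        pw = base64.b64decode(parts[1], validate=True).decode("utf-8")
        otp = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("undecodable SCRV1 credential") from exc
    if not pw:
        raise ValueError("empty password inside SCRV1 credential")
    return pw, otp


def decide(env, verify):
    """Compute the exit status OpenVPN acts on: 0 accepts, anything else rejects.

    `env` is the process environment (in via-env mode OpenVPN sets `username`
    and `password`); `verify(user, password, otp)` is the back-end check and
    must return True only for a valid login. Every parsing problem maps to 1.
    """
    user = env.get("username", "")
    secret = env.get("password", "")
    if not user or not secret:
        return 1
    try:
        pw, otp = split_static_challenge(secret)
    except ValueError:
        return 1
    return 0 if verify(user, pw, otp) else 1


def pam_verify(user, password, otp):
    """Back-end check through PAM (assumed adapter, not from the thread).

    Assumes python-pam is installed and /etc/pam.d/openvpn exists; the OTP is
    appended to the password because FreeIPA's OTP login takes both factors
    concatenated in the single password field.
    """
    import pam  # python-pam
    token = password if otp is None else password + otp
    return pam.pam().authenticate(user, token, service="openvpn")


if __name__ == "__main__":
    # Invoked by OpenVPN as: auth-user-pass-verify /path/to/this.py via-env
    sys.exit(decide(os.environ, pam_verify))
```

via-env mode exposes the password to the script's environment, so OpenVPN requires `script-security 3` for it; the file-based mode (`via-file`) avoids that at the cost of a different reader.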


[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
I already had the line in there for the plugin.



[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
I think I did see that while searching, but did not click on it.  I will now!
Thank you!




[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Michael Plemmons via FreeIPA-users
Have you taken a look at this?

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam

That is a plugin we have on our OpenVPN server which is backed by FreeIPA.

In our OpenVPN server conf file we have a line that looks like this.

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn


(root)>ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 27 Dec 30  2016 /etc/pam.d/openvpn -> /etc/pam.d/password-auth-ac


The PAM module called 'openvpn' looks like this.  As you can see openvpn is
a symlink.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


That may help.

*Mike Plemmons | Senior DevOps Engineer | CrossChx*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
> I am trying to configure my openvpn setup to authenticate against
> FreeIPA.  I have OpenVPN configured and is accepting connections.  The
> package for ldap_auth is installed and configured.  However I have tried to
> setup anonymous ldap lookups and authenticated ldap lookups and neither
> seem to be working.  Every time I change the config to test openvpn works
> just fine.  However when I try to connect to the VPN it tells me that the
> LDAP bind failed w/ invalid credentials.  I have been combing through
> google and found that a few people used pam in the past and still do
> today.  Is this proper procedure for setting this up?
>
> Is there a similar pam module that I could copy/link?
>
> Thank you,
> Andrew


[Freeipa-users] openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
Hello,
I am trying to configure my openvpn setup to authenticate against FreeIPA.  I 
have OpenVPN configured and is accepting connections.  The package for 
ldap_auth is installed and configured.  However I have tried to setup anonymous 
ldap lookups and authenticated ldap lookups and neither seem to be working.  
Every time I change the config to test openvpn works just fine.  However when I 
try to connect to the VPN it tells me that the LDAP bind failed w/ invalid 
credentials.  I have been combing through google and found that a few people 
used pam in the past and still do today.  Is this proper procedure for setting 
this up?

Is there a similar pam module that I could copy/link?

Thank you,
Andrew


[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi Rob,

On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
> Harald Dunkel via FreeIPA-users wrote:
>> See attachment.
>>
>> Please note the "invalid certificate". Do you remember the thread
>> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
>> after root certificate change via ipa-cacert-manage" and the
>> output of "ipa-certupdate -v" I had posted?
>>
>
> The ipa-certupdate error was a red herring. IPA was just looking for all
> possible CA certs it could know about.
>
OK.

> It does look like the trust is wrong on your CA cert in the tomcat NSS
> database.
>
> # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> [ snip ]
> caSigningCert cert-pki-ca                                   CTu,Cu,Cu
>
> If yours isn't that

Sorry, but I don't understand. My what isn't what?

> you can try modifying it with:
>
> # certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "caSigningCert
> cert-pki-ca" -t CTu,Cu,Cu
>
Here is what I see on the broken ipa server:


[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                     u,u,u
subsystemCert cert-pki-ca                                   u,u,u
caSigningCert cert-pki-ca                                   CTu,Cu,Cu
auditSigningCert cert-pki-ca                                u,u,Pu
ocspSigningCert cert-pki-ca                                 u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE         ,,


The CN=example Root CA,... certificate is unwanted. It did not expire,
but it uses an invalid format for its expiration date. I ran ipa-cacert-manage
to replace it with the CN=root-CA,... certificate a few months ago.


The certificate database on another ipa server (not broken yet, as it
seems) looks different:


[root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                   CTu,Cu,Cu
subsystemCert cert-pki-ca                                   u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca                                   CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE         C,,
ocspSigningCert cert-pki-ca                                 u,u,u
auditSigningCert cert-pki-ca                                u,u,Pu
Server-Cert cert-pki-ca                                     u,u,u


I would highly appreciate any advice how to cleanup this mess.

How come the unwanted "example Root CA" is still in the databases at
all? Due to the broken format I have to get rid of it asap.


Regards
Harri





[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote:
> See attachment.
> 
> Please note the "invalid certificate". Do you remember the thread
> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
> after root certificate change via ipa-cacert-manage" and the
> output of "ipa-certupdate -v" I had posted?
>

The ipa-certupdate error was a red herring. IPA was just looking for all
possible CA certs it could know about.

It does look like the trust is wrong on your CA cert in the tomcat NSS
database.

# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
[ snip ]
caSigningCert cert-pki-ca                                   CTu,Cu,Cu

If yours isn't that you can try modifying it with:

# certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "caSigningCert
cert-pki-ca" -t CTu,Cu,Cu

rob
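The trust-flag check Rob describes here, and again in the reply at the top of this page where Harald's full listing shows the external root with empty flags, as an added example that is not code from the thread: it parses `certutil -L` output, reports entries that look like CA certificates but carry neither C nor T in the SSL column, and prints the `certutil -M ... -t C,,` line for each. The listing is constructed after the one posted; which nicknames count as CAs (`caSigningCert ...` and `CN=...` subject DNs) is a heuristic taken from that listing.

```python
import re
import shlex

# Constructed listing in the shape of `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias`,
# modelled on the one posted in this thread (not a capture from a real server).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE ,,
"""

# A certificate line ends in three comma-separated flag groups (SSL, S/MIME,
# object signing); any of them may be empty, which is how ",," shows up.
# The nickname itself may contain commas and spaces (a subject DN), so the
# flag triple is anchored at the end of the line and the nickname is lazy.
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Turn certutil -L output into [(nickname, (ssl, smime, objsign))]."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:  # header lines carry no flag triple, so they never match
            ssl, smime, objsign = m.group("trust").split(",")
            entries.append((m.group("nick"), (ssl, smime, objsign)))
    return entries


def find_untrusted_cas(entries):
    """CA entries whose SSL column carries neither C (trusted CA) nor T.

    Which entries are CAs is a heuristic from the listing on this page:
    Dogtag's own signing cert is nicknamed 'caSigningCert cert-pki-ca' and an
    externally signed chain is stored under its subject DN ('CN=...').
    """
    found = []
    for nick, (ssl, _smime, _objsign) in entries:
        looks_like_ca = nick.startswith("CN=") or nick.startswith("caSigningCert")
        if looks_like_ca and not set(ssl) & set("CT"):
            found.append((nick, ssl))
    return found


def fix_command(dbdir, nick, trust="C,,"):
    """The certutil -M line from the thread, quoted so the DN survives the shell."""
    return "certutil -M -d %s -n %s -t %s" % (shlex.quote(dbdir), shlex.quote(nick), trust)


if __name__ == "__main__":
    db = "/var/lib/pki/pki-tomcat/ca/alias"
    for nick, ssl in find_untrusted_cas(parse_listing(SAMPLE_LISTING)):
        print("untrusted CA entry %r (SSL flags %r); suggested fix:" % (nick, ssl))
        print("  " + fix_command(db, nick))
```

Feed it real output with `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias | python3 this.py` after swapping the sample for `sys.stdin.read()`; the Dogtag signing cert should keep `CTu,Cu,Cu`, which the default `C,,` is not meant for.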


[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users

See attachment.

Please note the "invalid certificate". Do you remember the thread
on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
after root certificate change via ipa-cacert-manage" and the
output of "ipa-certupdate -v" I had posted?


Regards
Harri


debug.txt.gz
Description: application/gzip


[Freeipa-users] Guide to enabling CA?

2017-12-06 Thread Bret Wortman via FreeIPA-users

Is there an online guide to turning on a CA?

We had one, which signed all our SSL Certs and such. It worked quite 
nicely. Then we rolled an upgrade around our IPA servers to get them 
from Fedora to CentOS, and in the process, we failed to migrate the CA, 
so we ended up with 3 servers without a CA.


Fast-forward to today, and we lost one, which was our intended CA. So 
now I have two servers (a and z) which are working just fine but we 
can't create new SSL certs signed by our IPA CA.


How can I go about promoting one of these to CA? I know I followed 
online directions the last time, but that was years ago and I've lost 
the link. Thanks!


It's a private development network, so relying on external CAs isn't an 
option.


--

*Bret Wortman*
President, Damascus Products LLC
855-644-2783  | 303-523-8037  | 
b...@damascusproducts.com  | 
http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030






[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
> 
> Platform: CentOS 7.4, ipa 4.5.0-21
> 
> The ipa service cannot be started anymore. Error message:
> 
> # systemctl status ipa
> * ipa.service - Identity, Policy, Audit
>Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor
> preset: disabled)
>Active: failed (Result: exit-code) since Wed 2017-12-06 14:45:53 CET;
> 12min ago
>   Process: 307 ExecStart=/usr/sbin/ipactl start (code=exited,
> status=1/FAILURE)
>  Main PID: 307 (code=exited, status=1/FAILURE)
> 
> Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting Directory Service
> Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting krb5kdc Service
> Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting kadmin Service
> Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting httpd Service
> Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting ipa-custodia Service
> Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting pki-tomcatd Service
> Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: ipa.service: main process
> exited, code=exited, status=1/FAILURE
> Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: Failed to start Identity,
> Policy, Audit.
> Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: Unit ipa.service entered
> failed state.
> Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: ipa.service failed.
> 
> 
> Apparently pki-tomcatd is to blame. See the attached logfiles.

Need the (compressed) debug log.

You can get the rest of the IPA service started by passing
--ignore-service-failures to ipactl.

rob


[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Rob Crittenden via FreeIPA-users
Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
> 
>  
> 
> We imported all our users with uidnumbers from our old LDAP, but their
> gidNumber was from 4 groups. This caused us issues with users wanting to
> grant access to personal spaces to one user, but instead granting access
> to all the members of the group.
> 
>  
> 
> To resolve this, when they were imported into FreeIPA we assigned them
> all new gidNumbers, as reusing their uidNumbers caused a large number of
> gidNumber clashes as many groups were assigned from the same integer
> range. So now we have a lot of users with uidNumber 5XXX and gidNumber
> 5000XXX.
> 
>  
> 
> When they log in they see an error like this:
> 
>  
> 
> /usr/bin/id: cannot find name for group ID 100019
> 
>  
> 
> It’s pretty much because their gidNumber != uidNumber
> 
>  
> 
> So getting all the name and group details:
> 
> [username@ipaserver01:~] $ id username
> 
> uid=5807(username) gid=100019
> groups=100019,66400035(group1),6647(group2),66400012(group3),66400044(group4),175321(group5),2075295(group6),66400046(group7)
> 
> [username@ipaserver01:~] 2 $ id -g username
> 
> 100019
> 
> [username@ipaserver01:~] $ getent group 5807
> 
> username:*:5807:
> 
> [username@ipaserver01:~] $ getent group 100019
> 
> [username@ipaserver01:~] $
> 
>  
> 
> Now, the last part, we can’t change their uidNumber. We have a massive
> filesystem (many terabytes) backed by a tape library (many petabytes) so
> we need their uidNumber to match that file archived to tape in 1987 and
> migrated through our tape system upgrades :P
> 
>  
> 
> So the question is; can we make it resolve those gidNumbers?
> 
>  
> 
> …I could make 2,500 groups for 2,500 users…

Does a group with gidNumber 100019 exist in IPA? It sounds like it
doesn't. Is that what you mean by creating the groups?

rob


[Freeipa-users] worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users

Hi folks,

Platform: CentOS 7.4, ipa 4.5.0-21

The ipa service cannot be started anymore. Error message:

# systemctl status ipa
* ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: 
disabled)
   Active: failed (Result: exit-code) since Wed 2017-12-06 14:45:53 CET; 12min 
ago
  Process: 307 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
 Main PID: 307 (code=exited, status=1/FAILURE)

Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting Directory Service
Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting krb5kdc Service
Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting kadmin Service
Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting httpd Service
Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting ipa-custodia Service
Dec 06 14:45:52 ipa1.aixigo.de ipactl[307]: Starting pki-tomcatd Service
Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: ipa.service: main process exited, 
code=exited, status=1/FAILURE
Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: Failed to start Identity, Policy, 
Audit.
Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: Unit ipa.service entered failed 
state.
Dec 06 14:45:53 ipa1.aixigo.de systemd[1]: ipa.service failed.


Apparently pki-tomcatd is to blame. See the attached logfiles.


Every helpful comment is highly appreciated.
Harri

Dec 06, 2017 3:06:02 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://ipa1.aixigo.de:9080/ca/ocsp' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Dec 06, 2017 3:06:03 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to 

[Freeipa-users] Change default ldap scheme

2017-12-06 Thread Andrew Radygin via FreeIPA-users
Hello everybody,

I want to know whether it is possible to change the default ldap scheme where users
and groups are stored.
For instance, I have:

cn=USER, cn=groups, cn=accounts, dc=domain,dc=net 
cn=GROUP-OF-USERS, cn=groups, cn=accounts, dc=domain,dc=net

It seems to be too straightforward. Can I change it to 
cn=USER, cn=groups, cn=accounts, dc=domain,dc=net
cn=GROUP-OF-USERS, cn=org-groups, cn=accounts, dc=domain,dc=net

?

Or to do any other corrections of ldap scheme for placing different objects.

Thanks!