[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Umarzuki Mochlis via FreeIPA-users
2018-02-14 4:55 GMT+08:00 Rob Crittenden :
> Umarzuki Mochlis wrote:
>> 2018-02-13 22:59 GMT+08:00 Rob Crittenden :
>>> Umarzuki Mochlis via FreeIPA-users wrote:
>>>> it stuck with "status: SUBMITTING" when I issue command "ipa-getcert
>>>> list" after I resubmit cert renew "get-cert resubmit -i ID"
>>>
>>> Which request is stuck? Can you provide the output of ipa-getcert list
>>> -i ID?
>>>
>>> rob
>>
>> these requests are still 'submitting' since the service started. I resubmitted
>> them one or two years ago.
>
> The certs are certainly very expired at this point. Do these exist in
> reality anymore?
>
> # certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM
> # certutil -L -d /etc/httpd/alias
> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>
> rob
>

yes

[root@ipa ~]# certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

Server-Cert  u,u,u
DOMAIN.COM IPA CACT,,C
[root@ipa ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

Signing-Cert u,u,u
DOMAIN.COM IPA CACT,C,C
ipaCert  u,u,u
Server-Cert  u,u,u
[root@ipa ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: user/admin

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote:
> There’s a convention of creating admin instances for users, usually named 
> user/admin. IPA doesn’t seem to allow such instances. Is there a way to make 
> them work? 
> 
> As far as I can tell the instance can only be a hostname. That doesn’t seem 
> like a sensible restriction.

To be used for what purpose?

rob


[Freeipa-users] Re: user/admin

2018-02-13 Thread Charles Hedrick via FreeIPA-users
I can actually create a principal foo/admin by creating a user foo-admin and 
changing the principal. But kinit can’t use it, so it’s not terribly useful.

> On Feb 13, 2018, at 4:52 PM, Charles Hedrick  wrote:
> 
> There’s a convention of creating admin instances for users, usually named 
> user/admin. IPA doesn’t seem to allow such instances. Is there a way to make 
> them work? 
> 
> As far as I can tell the instance can only be a hostname. That doesn’t seem 
> like a sensible restriction.
> 



[Freeipa-users] user/admin

2018-02-13 Thread Charles Hedrick via FreeIPA-users
There’s a convention of creating admin instances for users, usually named 
user/admin. IPA doesn’t seem to allow such instances. Is there a way to make 
them work? 

As far as I can tell the instance can only be a hostname. That doesn’t seem 
like a sensible restriction.



[Freeipa-users] Re: IPA-Server Deletion issues

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Jamal Mahmoud via FreeIPA-users wrote:
> Hi Rob,
> 
> I've isolated the output on lithium when I ran
> ipa-replica-manage del oxygen.eggvfx.ie 
> --force --cleanup
> It's quite heavy still but here it is

This is helpful. It shows that oxygen is being looked for in the IPA
masters location, cn=masters and is returning err=32, not found.

What I don't know is why or where this query is coming from.

There are several queries that look like they might originate in the
389-ds topology plugin but I couldn't find where and I'm not familiar
with it in general. Queries like:

SRCH base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel
ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"

I'm not entirely sure when you invoke ipa-replica-manage if it is
calling the topology plugin under the hood or not. It almost certainly
is when you use the UI.

I'm cc'ing someone who knows this better.

rob

> 
> [13/Feb/2018:09:14:45.823204160 +] conn=192207 fd=155 slot=155 SSL
> connection from 192.168.94.4 to 192.168.94.4
> [13/Feb/2018:09:14:46.027998523 +] conn=192207 TLS1.2 256-bit AES-GCM
> [13/Feb/2018:09:14:46.031226897 +] conn=45 op=31409 SRCH
> base="dc=eggvfx,dc=ie" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/eggvfx...@eggvfx.ie
> )(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/eggvfx...@eggvfx.ie
> )))" attrs="krbPrincipalName
> krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [13/Feb/2018:09:14:46.031713683 +] conn=45 op=31409 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.032193288 +] conn=45 op=31410 SRCH
> base="dc=eggvfx,dc=ie" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/lithium.eggvfx...@eggvfx.ie
> )(krbPrincipalName:caseIgnoreIA5Match:=ldap/lithium.eggvfx...@eggvfx.ie
> )))" attrs="krbPrincipalName
> krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [13/Feb/2018:09:14:46.032529772 +] conn=45 op=31410 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.032696842 +] conn=45 op=31411 SRCH
> base="cn=EGGVFX.IE ,cn=kerberos,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [13/Feb/2018:09:14:46.032904807 +] conn=45 op=31411 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.033085928 +] conn=45 op=31412 SRCH
> base="dc=eggvfx,dc=ie" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ad...@eggvfx.ie
> ))" attrs="krbPrincipalName krbCanonicalName
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [13/Feb/2018:09:14:46.033377257 +] conn=45 op=31412 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.033555617 +] conn=45 op=31413 SRCH
> base="cn=EGGVFX.IE ,cn=kerberos,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [13/Feb/2018:09:14:46.033714662 +] conn=45 op=31413 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.034731567 +] conn=192207 op=0 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [13/Feb/2018:09:14:46.776688499 +] conn=192207 op=0 RESULT err=14
> tag=97 nentries=0 etime=1, 

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Umarzuki Mochlis wrote:
> 2018-02-13 22:59 GMT+08:00 Rob Crittenden :
>> Umarzuki Mochlis via FreeIPA-users wrote:
>>> it stuck with "status: SUBMITTING" when I issue command "ipa-getcert
>>> list" after I resubmit cert renew "get-cert resubmit -i ID"
>>
>> Which request is stuck? Can you provide the output of ipa-getcert list
>> -i ID?
>>
>> rob
> 
> these requests are still 'submitting' since the service started. I resubmitted
> them one or two years ago.

The certs are certainly very expired at this point. Do these exist in
reality anymore?

# certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM
# certutil -L -d /etc/httpd/alias
# grep NSSNickname /etc/httpd/conf.d/nss.conf

rob

> 
> [root@ipa ~]# ipa-getcert list | more
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120232':
> status: SUBMITTING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nic
> kname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname
> ='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=ipa.domain.com,O=DOMAIN.COM
> expires: 2016-12-16 16:18:27 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM
> track: yes
> auto-renew: yes
> Request ID '20130112120734':
> status: SUBMITTING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Serve
> r-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer
> t',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=ipa.domain.com,O=DOMAIN.COM
> expires: 2016-12-16 16:18:27 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
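As an added example (not from this thread, and not certmonger or FreeIPA code): a small audit that parses `ipa-getcert list` output of the kind quoted above and flags requests whose status is not MONITORING, that certmonger reports as stuck, or whose certificate has already expired. The sample output below is constructed in that layout (the DOMAIN.COM values are placeholders, and the second request ID is made up); the field names are the ones the list output shows.

```python
"""Flag certmonger requests that need attention, from `ipa-getcert list` output.

Added example, not from the thread. The parser follows the "key: value" field
layout that `ipa-getcert list` prints; the sample below is constructed.
"""
from datetime import datetime, timezone

HEALTHY_STATUS = "MONITORING"  # certmonger's steady state for a valid, tracked cert
TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # format of the "expires:" field

# Constructed sample: one request stuck in SUBMITTING with a long-expired cert
# (modelled on the thread), one healthy request with a made-up ID.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130112120232':
\tstatus: SUBMITTING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=DOMAIN.COM
\tsubject: CN=ipa.domain.com,O=DOMAIN.COM
\texpires: 2016-12-16 16:18:27 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM
\ttrack: yes
\tauto-renew: yes
Request ID '20180101000000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=DOMAIN.COM
\tsubject: CN=ipa.domain.com,O=DOMAIN.COM
\texpires: 2020-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_utc(text):
    """Parse a certmonger-style 'YYYY-MM-DD HH:MM:SS UTC' timestamp."""
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one {field: value} dict per request."""
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID "):
            # "Request ID '20130112120232':" -> "20130112120232"
            current = {"id": line[len("Request ID "):].strip("':")}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as timestamps contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def audit_requests(requests, now):
    """Return {request id: [problems]} for every request that is not healthy."""
    findings = {}
    for req in requests:
        problems = []
        if req.get("status") != HEALTHY_STATUS:
            problems.append("status %s" % req.get("status"))
        if req.get("stuck") == "yes":
            problems.append("stuck")
        expires = req.get("expires")
        if expires and parse_utc(expires) <= now:
            problems.append("expired %s" % expires)
        if problems:
            findings[req["id"]] = problems
    return findings


def audit_text(text, as_of):
    """Convenience wrapper: audit raw list output as of a given UTC timestamp string."""
    return audit_requests(parse_getcert_list(text), parse_utc(as_of))


if __name__ == "__main__":
    # On a real host, replace SAMPLE_OUTPUT with the captured output of `ipa-getcert list`.
    today = datetime.now(timezone.utc).strftime(TIME_FORMAT)
    for request_id, problems in audit_text(SAMPLE_OUTPUT, today).items():
        print(request_id, ", ".join(problems))
```

Run against the sample as of the thread's date, only the first request is reported (wrong status and expired); a request with "stuck: yes" would be reported even while its certificate is still valid.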


[Freeipa-users] Re: IPA users and local groups question

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Jeff Goddard via FreeIPA-users wrote:
> First off thanks to everyone who makes FreeIPA. It's an awesome product
> that we love. 
> 
> We're working at breaking our application up into micro services and
> using docker containers and deployment automation. As part of this I
> have a deploy user in IPA and a rundeck server that performs tasks as
> this user. However, we need this user to be part of the local docker
> hosts "docker" group. Is this something I have to do manually per host?
> Is it possible to create a docker IPA group that will substitute for the
> local docker group and do it all in IPA? Our IPA version is 4.4. The
> servers are Centos 7.2 and the clients are ubuntu 16.04 LTS. 
> 
> Thanks for the insight, references and help,

SSSD can do group merging,
https://sgallagh.wordpress.com/2016/01/28/remote-group-merging-for-fedora/

I don't know if your distributions have the right packages to do so.

rob


[Freeipa-users] Re: IPA users and local groups question

2018-02-13 Thread Jakub Hrozek via FreeIPA-users


> On 13 Feb 2018, at 21:04, Jeff Goddard via FreeIPA-users 
>  wrote:
> 
> First off thanks to everyone who makes FreeIPA. It's an awesome product that 
> we love. 
> 
> We're working at breaking our application up into micro services and using 
> docker containers and deployment automation. As part of this I have a deploy 
> user in IPA and a rundeck server that performs tasks as this user. However, 
> we need this user to be part of the local docker hosts "docker" group. Is 
> this something I have to do manually per host? Is it possible to create a 
> docker IPA group that will substitute for the local docker group and do it 
> all in IPA? Our IPA version is 4.4. The servers are Centos 7.2 and the 
> clients are ubuntu 16.04 LTS. 
> 
> Thanks for the insight, references and help,
> 

I’m afraid the answer is ‘possible in general, but not with the versions you 
are running’, see https://sourceware.org/glibc/wiki/Proposals/GroupMerging and 
https://sgallagh.wordpress.com/2016/01/28/remote-group-merging-for-fedora/


[Freeipa-users] IPA users and local groups question

2018-02-13 Thread Jeff Goddard via FreeIPA-users
First off thanks to everyone who makes FreeIPA. It's an awesome product that
we love.

We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2
and the clients are ubuntu 16.04 LTS.

Thanks for the insight, references and help,

Jeff


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Natxo Asenjo via FreeIPA-users
On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo 
wrote:

>
> the canonical way to do this is using ldap paging, with ldapsearch  you
> could try using the -E pr= parameter, where  could be 1000 for
> instance. That way you know you are always under the limit imposed by the
> server.
>
>
if you use -E pr=1000/noprompt, it will not prompt to continue, nicer for
scripts obviously.

--
Groeten,
natxo


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Natxo Asenjo via FreeIPA-users
On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I've run up against a limit I can't seem to adjust.
>
> When listing a particular DNS zone which has well over 5000 hosts in it,
> we keep getting "Search result has been truncated: Configured
> administrative server limit exceeded."
>
> I've tried fixing this in a number of ways. We've shut down the services,
> edited dse.ldif to raise nsslapd-searchlimit to 9 and restarted, but:
>

the canonical way to do this is using ldap paging, with ldapsearch  you
could try using the -E pr= parameter, where  could be 1000 for
instance. That way you know you are always under the limit imposed by the
server.

If you set pr= to higher than 5000 then it should give all the results
in one go.


--
Groeten,
natxo
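As an added example (not part of this thread, and not FreeIPA, 389-ds or OpenLDAP code), here is what the -E pr= option does on the wire: a minimal encoder/decoder for the RFC 2696 simple paged results control value (a BER SEQUENCE of the page size and the server cookie), plus the client loop that sends the server's cookie back until the server returns an empty one. It is driven against a constructed in-memory directory that truncates an unpaged search at its size limit but serves a paged search page by page. The entry names, the cookie format and the 2000-entry limit are all constructed; how a real 389-ds applies its limits to paged searches is a matter of its own configuration and is not modelled here.

```python
"""RFC 2696 simple paged results: control value encoding and the client loop.

Added example, not from the thread. The directory below is a constructed
stand-in for a server that enforces a size limit; it is not 389-ds.
"""


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """BER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_control(size, cookie):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf, pos, expected_tag):
    """Read one tag/length/value triple; return (value, position after it)."""
    if buf[pos] != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (expected_tag, pos))
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def decode_paged_control(data):
    """Inverse of encode_paged_control; rejects trailing garbage."""
    inner, end = _read_tlv(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after control value")
    size_bytes, pos = _read_tlv(inner, 0, 0x02)
    cookie, pos = _read_tlv(inner, pos, 0x04)
    if pos != len(inner):
        raise ValueError("trailing bytes inside control value")
    return int.from_bytes(size_bytes, "big", signed=True), bytes(cookie)


class TinyDirectory:
    """Constructed stand-in for a server with a size limit (not 389-ds)."""

    def __init__(self, entries, sizelimit):
        self.entries = list(entries)
        self.sizelimit = sizelimit

    def search(self, paged_control=None):
        """Return (entries, response control or None, result code)."""
        if paged_control is None:
            # Unpaged search: truncated at the limit, like the error in the thread.
            if len(self.entries) > self.sizelimit:
                return self.entries[:self.sizelimit], None, "sizeLimitExceeded"
            return list(self.entries), None, "success"
        page_size, cookie = decode_paged_control(paged_control)
        if page_size <= 0:
            raise ValueError("page size must be positive")
        # Constructed cookie: the offset of the next entry, as 4 big-endian bytes.
        offset = int.from_bytes(cookie, "big") if cookie else 0
        page = self.entries[offset:offset + min(page_size, self.sizelimit)]
        next_offset = offset + len(page)
        next_cookie = next_offset.to_bytes(4, "big") if next_offset < len(self.entries) else b""
        # Response control: size 0 (no estimate), plus the cookie to send back.
        return page, encode_paged_control(0, next_cookie), "success"


def paged_search(server, page_size):
    """Client loop: resend the last cookie until the server returns an empty one."""
    results, cookie, pages = [], b"", 0
    while True:
        page, response_control, rc = server.search(encode_paged_control(page_size, cookie))
        if rc != "success":
            raise RuntimeError("search failed: %s" % rc)
        results.extend(page)
        pages += 1
        _, cookie = decode_paged_control(response_control)
        if not cookie:
            return results, pages


if __name__ == "__main__":
    # Constructed zone: 5200 host entries behind a 2000-entry limit.
    directory = TinyDirectory(["host%04d" % i for i in range(5200)], sizelimit=2000)
    truncated, _, rc = directory.search()
    print("unpaged: %d entries, result %s" % (len(truncated), rc))
    entries, pages = paged_search(directory, 1000)
    print("paged pr=1000: %d entries in %d pages" % (len(entries), pages))
```

The unpaged search stops at the limit with sizeLimitExceeded, while the paged loop retrieves every entry. Because the constructed server caps each page at its own limit, asking for a page larger than the limit does not fail; it just takes more round trips.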


[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Simo Sorce via FreeIPA-users
On Tue, 2018-02-13 at 19:23 +0100, Ray via FreeIPA-users wrote:
> Hi Simo,
> 
> > > Hi Simo,
> > > 
> > > > > Hi there,
> > > > > 
> > > > > I'm trying to make Apache to access a kerberized document root on
> > > > > CentOS
> > > > > 7 using gssproxy. So far without success. On the web server machine
> > > > > (=NFS client) I configured a gss-proxy config file:
> > > > > 
> > > > > # cat /etc/gssproxy/99-nfs-client.conf
> > > > > [service/nfs-client]
> > > > >mechs = krb5
> > > > >cred_store = keytab:/etc/krb5.keytab
> > > > >cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > > > >cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> > > > >cred_usage = initiate
> > > > >allow_any_uid = yes
> > > > >trusted = yes
> > > > >euid = 0
> > > > > 
> > > > > In addition to this I set up a credentials cache
> > > > > /var/lib/gssproxy/clients/krb5cc_
> > > > 
> > > > What did you put in this file?
> > > 
> > > Probably I made a mistake here: I got the keytab from the IPA server 
> > > and
> > > named it /var/lib/gssproxy/clients/krb5cc_ instead of
> > > /var/lib/gssproxy/clients/.keytab. I fixed that now (by
> > > mv'ing it) and ran
> > > 
> > >systemctl stop gssproxy to not have gssproxy as a 
> > > daemon
> > >gssproxy -d -i -C /etc/gssproxy/ &  to have gssproxy dump any debug
> > > msgs to my terminal
> > 
> > Note that running gssproxy from a root shell makes it run in unconfined
> > mode, so later on the files it creates may have SELinux contexts that
> > are wrong and gssproxy may fail in various ways.
> 
> Ok, right now I switched SELinux off (setenforce 0) until I have 
> something working...
> 
> > > # klist -ke .keytab
> > > Keytab name: FILE:.keytab
> > > KVNO Principal
> > > 
> > > --
> > > 1 nfs/ (aes256-cts-hmac-sha1-96)
> > > 1 nfs/ (aes128-cts-hmac-sha1-96)
> > > 1 host/ (aes256-cts-hmac-sha1-96)
> > > 1 host/ (aes128-cts-hmac-sha1-96)
> > 
> > This is not the keytab you want most probably.
> > You want a keytab with credentials that the server can map to a
> > UID/GID, usually that is done for user principals. However the server
> > can be configured to map a specific service principal name to a local
> > use as well, it's on the server side at this point.
> 
> I removed the above keytab and made a new one with user credentials:
> 
> # klist -ke .keytab
> Keytab name: FILE:.keytab
> KVNO Principal
>  
> --
> 2 @REALM (aes256-cts-hmac-sha1-96)
> 2 @REALM (aes128-cts-hmac-sha1-96)
> 
> This seems insufficient though, 'coz when I mount the NFS docroot 
> temporarily to /mnt and then "ls -l /" as httpd-user, I get to see this 
> line:
> 
> d??   ? ??   ?? mnt
> 
> Which other principals should I add to the keytab? I tried adding the 
> nfs service principal to the keytab, but that doesn't change this 
> behavior... Does the order in which I add principals to the keytab 
> matter in this context?

The first one is picked, and you have all you need there.

> klist for httpd-user looks not good either, concerning the validity 
> timestamps (1970...1970), or is that normal?:
> 
> $ klist
> Ticket cache: KEYRING:persistent::
> Default principal: @REALM
> 
> Valid starting   Expires  Service principal
> 01/01/1970 01:00:00  01/01/1970 01:00:00  
> Encrypted/Credentials/v1@X-GSSPROXY:

It is an artifact of how Gssproxy stores credentials for you (in
encrypted form), it is normal, not a problem.

> > The (null) represents the default socket, not a bug.
> > 
> > Unfortunately the default log level does not show the result of the
> > calls, but it is normal to see 2 init context calls, so it seems to be
> > working right on the gssproxy side.
> 
> I think there's something not right with gssproxy: when I call it with 
> --debug-level=3 it still says "level: 0":
> 
> # gssproxy --debug --debug-level=3 -i -C /etc/gssproxy/ &
> [1] 17831
> root@nfsclient:/var/lib/gssproxy/clients# [2018/02/13 09:56:20]: Debug 
> Enabled (level: 0)
> 
> Nevertheless the output becomes extremely verbose (plenty of hex). In 
> the man-page --debug-level is not mentioned at all (ok, still better 
> this way than having something promised in the manpage that does not 
> exist in the binary...).

Do you have any logs on the server side?
As far as I can tell the client side (GSSAPI wise at least) is working
correctly.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Ray via FreeIPA-users

Hi Simo,


Hi Simo,

> > Hi there,
> >
> > I'm trying to make Apache to access a kerberized document root on
> > CentOS
> > 7 using gssproxy. So far without success. On the web server machine
> > (=NFS client) I configured a gss-proxy config file:
> >
> > # cat /etc/gssproxy/99-nfs-client.conf
> > [service/nfs-client]
> >mechs = krb5
> >cred_store = keytab:/etc/krb5.keytab
> >cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> >cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> >cred_usage = initiate
> >allow_any_uid = yes
> >trusted = yes
> >euid = 0
> >
> > In addition to this I set up a credentials cache
> > /var/lib/gssproxy/clients/krb5cc_
>
> What did you put in this file?

Probably I made a mistake here: I got the keytab from the IPA server 
and

named it /var/lib/gssproxy/clients/krb5cc_ instead of
/var/lib/gssproxy/clients/.keytab. I fixed that now (by
mv'ing it) and ran

   systemctl stop gssproxy to not have gssproxy as a 
daemon

   gssproxy -d -i -C /etc/gssproxy/ &  to have gssproxy dump any debug
msgs to my terminal


Note that running gssproxy from a root shell makes it run in unconfined
mode, so later on the files it creates may have SELinux contexts that
are wrong and gssproxy may fail in various ways.


Ok, right now I switched SELinux off (setenforce 0) until I have 
something working...



# klist -ke .keytab
Keytab name: FILE:.keytab
KVNO Principal

--
1 nfs/ (aes256-cts-hmac-sha1-96)
1 nfs/ (aes128-cts-hmac-sha1-96)
1 host/ (aes256-cts-hmac-sha1-96)
1 host/ (aes128-cts-hmac-sha1-96)


This is not the keytab you want most probably.
You want a keytab with credentials that the server can map to a
UID/GID, usually that is done for user principals. However the server
can be configured to map a specific service principal name to a local
use as well, it's on the server side at this point.


I removed the above keytab and made a new one with user credentials:

# klist -ke .keytab
Keytab name: FILE:.keytab
KVNO Principal
 
--

   2 @REALM (aes256-cts-hmac-sha1-96)
   2 @REALM (aes128-cts-hmac-sha1-96)

This seems insufficient though, 'coz when I mount the NFS docroot 
temporarily to /mnt and then "ls -l /" as httpd-user, I get to see this 
line:


d??   ? ??   ?? mnt

Which other principals should I add to the keytab? I tried adding the 
nfs service principal to the keytab, but that doesn't change this 
behavior... Does the order in which I add principals to the keytab 
matter in this context?


klist for httpd-user looks not good either, concerning the validity 
timestamps (1970...1970), or is that normal?:


$ klist
Ticket cache: KEYRING:persistent::
Default principal: @REALM

Valid starting   Expires  Service principal
01/01/1970 01:00:00  01/01/1970 01:00:00  
Encrypted/Credentials/v1@X-GSSPROXY:



The (null) represents the default socket, not a bug.

Unfortunately the default log level does not show the result of the
calls, but it is normal to see 2 init context calls, so it seems to be
working right on the gssproxy side.


I think there's something not right with gssproxy: when I call it with 
--debug-level=3 it still says "level: 0":


# gssproxy --debug --debug-level=3 -i -C /etc/gssproxy/ &
[1] 17831
root@nfsclient:/var/lib/gssproxy/clients# [2018/02/13 09:56:20]: Debug 
Enabled (level: 0)


Nevertheless the output becomes extremely verbose (plenty of hex). In 
the man-page --debug-level is not mentioned at all (ok, still better 
this way than having something promised in the manpage that does not 
exist in the binary...).


Best,
Ray


[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users

Looking at it now.


On 02/13/2018 01:09 PM, Rob Crittenden wrote:

Bret Wortman via FreeIPA-users wrote:

I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts in it,
we keep getting "Search result has been truncated: Configured
administrative server limit exceeded."

I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 9 and
restarted, but:

#ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep
nsslapd-sizelimit
snsslapd-sizelimit: 2000

What do I need to do to be able to list all my DNS entries for this
zone? This 5000 limit is enforced through the CLI as well, as "ipa
dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000
entries. I know it's taxing and intensive, but I need to be able to
query the WHOLE set of records we have without this restriction.

How can I get around this?

Have you looked at
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

rob



[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> I've run up against a limit I can't seem to adjust.
> 
> When listing a particular DNS zone which has well over 5000 hosts in it,
> we keep getting "Search result has been truncated: Configured
> administrative server limit exceeded."
> 
> I've tried fixing this in a number of ways. We've shut down the
> services, edited dse.ldif to raise nsslapd-searchlimit to 9 and
> restarted, but:
> 
> #ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep
> nsslapd-sizelimit
> snsslapd-sizelimit: 2000
> 
> What do I need to do to be able to list all my DNS entries for this
> zone? This 5000 limit is enforced through the CLI as well, as "ipa
> dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000
> entries. I know it's taxing and intensive, but I need to be able to
> query the WHOLE set of records we have without this restriction.
> 
> How can I get around this?

Have you looked at
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

rob


[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Simo Sorce via FreeIPA-users
Comment inline.

On Tue, 2018-02-13 at 16:58 +0100, Ray via FreeIPA-users wrote:
> Hi Simo,
> 
> > > Hi there,
> > > 
> > > I'm trying to make Apache to access a kerberized document root on 
> > > CentOS
> > > 7 using gssproxy. So far without success. On the web server machine
> > > (=NFS client) I configured a gss-proxy config file:
> > > 
> > > # cat /etc/gssproxy/99-nfs-client.conf
> > > [service/nfs-client]
> > >mechs = krb5
> > >cred_store = keytab:/etc/krb5.keytab
> > >cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > >cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> > >cred_usage = initiate
> > >allow_any_uid = yes
> > >trusted = yes
> > >euid = 0
> > > 
> > > In addition to this I set up a credentials cache
> > > /var/lib/gssproxy/clients/krb5cc_
> > 
> > What did you put in this file?
> 
> Probably I made a mistake here: I got the keytab from the IPA server and 
> named it /var/lib/gssproxy/clients/krb5cc_ instead of 
> /var/lib/gssproxy/clients/.keytab. I fixed that now (by 
> mv'ing it) and ran
> 
>systemctl stop gssproxy to not have gssproxy as a daemon
>gssproxy -d -i -C /etc/gssproxy/ &  to have gssproxy dump any debug 
> msgs to my terminal

Note that running gssproxy from a root shell makes it run in unconfined
mode, so later on the files it creates may have SELinux contexts that
are wrong and gssproxy may fail in various ways.

> After temporarily mounting the docroot to /mnt using
> 
>mount -vv -t nfs4 nfsserver:/path/to/export /mnt
> 
> I saw some debug messages flying by:
> 
> mount.nfs4: timeout set for Tue Feb 13 08:20:21 2018
> mount.nfs4: trying text-based options 
> 'vers=4.1,addr=,clientaddr='
> [2018/02/13 08:18:21]: Client connected (fd = 9)[2018/02/13 08:18:21]:  
> (pid = 623) (uid = 0) (gid = 0)[2018/02/13 08:18:21]:  (context = 
> system_u:system_r:gssd_t:s0)[2018/02/13 08:18:21]:
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
> for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
> for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
> for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
> for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> [2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
> 
> And when I then su to the apache user and try to access the directory, I 
> see some more debug messages:
> 
> # su -s /bin/bash 
> bash-4.2$ cd /mnt
> [2018/02/13 08:19:33]: Client connected (fd = 9)[2018/02/13 08:19:33]:  
> (pid = 623) (uid = ) (gid = )[2018/02/13 
> 08:19:33]:  (context = system_u:system_r:gssd_t:s0)[2018/02/13 
> 08:19:33]:
> [2018/02/13 08:19:33]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
> for service "nfs-client", euid: ,socket: (null)
> [2018/02/13 08:19:33]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid:  uid>,socket: (null)
> [2018/02/13 08:19:34]: gp_rpc_execute: executing 8 
> (GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid:  uid>,socket: (null)
> bash: cd: /mnt: Permission denied
> 
> Unfortunately still no success, as the last line indicates, however I 
> get to see a new /var/lib/gssproxy/clients/krb5cc_ file that 
> was created by gssproxy, I presume:
> 
> -rw---. 1 root root 1819 Feb 13 08:19 krb5cc_
> 
> The keytab file /var/lib/gssproxy/clients/.keytab looks like 
> this:
> 
> # klist -ke .keytab
> Keytab name: FILE:.keytab
> KVNO Principal
>  
> --
> 1 nfs/ (aes256-cts-hmac-sha1-96)
> 1 nfs/ (aes128-cts-hmac-sha1-96)
> 1 host/ (aes256-cts-hmac-sha1-96)
> 1 host/ (aes128-cts-hmac-sha1-96)

This is not the keytab you want most probably.

[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Ray via FreeIPA-users

Hi Simo,


Hi there,

I'm trying to make Apache to access a kerberized document root on 
CentOS

7 using gssproxy. So far without success. On the web server machine
(=NFS client) I configured a gss-proxy config file:

# cat /etc/gssproxy/99-nfs-client.conf
[service/nfs-client]
   mechs = krb5
   cred_store = keytab:/etc/krb5.keytab
   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
   cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
   cred_usage = initiate
   allow_any_uid = yes
   trusted = yes
   euid = 0

In addition to this I set up a credentials cache
/var/lib/gssproxy/clients/krb5cc_


What did you put in this file?


Probably I made a mistake here: I got the keytab from the IPA server and 
named it /var/lib/gssproxy/clients/krb5cc_ instead of 
/var/lib/gssproxy/clients/.keytab. I fixed that now (by 
mv'ing it) and ran


  systemctl stop gssproxy to not have gssproxy as a daemon
  gssproxy -d -i -C /etc/gssproxy/ &  to have gssproxy dump any debug 
msgs to my terminal


After temporarily mounting the docroot to /mnt using

  mount -vv -t nfs4 nfsserver:/path/to/export /mnt

I saw some debug messages flying by:

mount.nfs4: timeout set for Tue Feb 13 08:20:21 2018
mount.nfs4: trying text-based options 
'vers=4.1,addr=,clientaddr='
[2018/02/13 08:18:21]: Client connected (fd = 9)[2018/02/13 08:18:21]:  
(pid = 623) (uid = 0) (gid = 0)[2018/02/13 08:18:21]:  (context = 
system_u:system_r:gssd_t:s0)[2018/02/13 08:18:21]:
[2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)
[2018/02/13 08:18:21]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: 0,socket: (null)


And when I then su to the apache user and try to access the directory, I 
see some more debug messages:


# su -s /bin/bash 
bash-4.2$ cd /mnt
[2018/02/13 08:19:33]: Client connected (fd = 9)[2018/02/13 08:19:33]:  
(pid = 623) (uid = ) (gid = )[2018/02/13 
08:19:33]:  (context = system_u:system_r:gssd_t:s0)[2018/02/13 
08:19:33]:
[2018/02/13 08:19:33]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) 
for service "nfs-client", euid: ,socket: (null)
[2018/02/13 08:19:33]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: uid>,socket: (null)
[2018/02/13 08:19:34]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: uid>,socket: (null)

bash: cd: /mnt: Permission denied

Unfortunately still no success, as the last line indicates, however I 
get to see a new /var/lib/gssproxy/clients/krb5cc_ file that 
was created by gssproxy, I presume:


-rw---. 1 root root 1819 Feb 13 08:19 krb5cc_

The keytab file /var/lib/gssproxy/clients/.keytab looks like 
this:


# klist -ke .keytab
Keytab name: FILE:.keytab
KVNO Principal
 
--

   1 nfs/ (aes256-cts-hmac-sha1-96)
   1 nfs/ (aes128-cts-hmac-sha1-96)
   1 host/ (aes256-cts-hmac-sha1-96)
   1 host/ (aes128-cts-hmac-sha1-96)



The configuration is correct, although you could tailor it specifically
to the apache process (setting a strict euid, not using allow_any_uid
nor trusted).


Ok, that would make sense. Will do that once I can access the docroot as 
apache user.


Do the debug messages shown above indicate what might be wrong? The 
"socket: (null)" bit perhaps?


The last two log lines looked rather promising to me:
[2018/02/13 08:19:33]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) for service "nfs-client", euid: uid>,socket: (null)
[2018/02/13 08:19:34]: gp_rpc_execute: executing 8 
(GSSX_INIT_SEC_CONTEXT) 

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Umarzuki Mochlis via FreeIPA-users
2018-02-13 22:59 GMT+08:00 Rob Crittenden :
> Umarzuki Mochlis via FreeIPA-users wrote:
>> it is stuck with "status: SUBMITTING" when I issue command "ipa-getcert
>> list" after I resubmit cert renew "get-cert resubmit -i ID"
>
> Which request is stuck? Can you provide the output of ipa-getcert list
> -i ID?
>
> rob

These requests have been 'submitting' since the service started. I resubmitted
them one or two years ago.

[root@ipa ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 7.
Request ID '20130112120232':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa.domain.com,O=DOMAIN.COM
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM
track: yes
auto-renew: yes
Request ID '20130112120734':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa.domain.com,O=DOMAIN.COM
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
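The listing above shows two requests that expired in 2016 and were still "SUBMITTING" two years later. As an added example (not certmonger's or FreeIPA's own code, and not part of this thread), here is a small parser for the `ipa-getcert list` text format that reports such requests, with the post's two requests embedded as a constructed sample:

```python
"""Flag certmonger requests that are expired or not in the MONITORING state.

Added example, not certmonger's or FreeIPA's own code. It parses the text
that `ipa-getcert list` prints (the format shown in the post above) so the
two requests with a 2016 expiry and a SUBMITTING status are reported by a
cron job or monitoring check instead of being noticed two years later.
"""
from datetime import datetime, timezone

# Constructed sample: the two requests from the post, trimmed to the fields
# used here and with the mail-client line wrapping undone.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130112120232':
status: SUBMITTING
stuck: no
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa.domain.com,O=DOMAIN.COM
expires: 2016-12-16 16:18:27 UTC
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM
track: yes
auto-renew: yes
Request ID '20130112120734':
status: SUBMITTING
stuck: no
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=ipa.domain.com,O=DOMAIN.COM
expires: 2016-12-16 16:18:27 UTC
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
"""

STEADY_STATE = "MONITORING"   # the only state a healthy tracked cert sits in


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one {field: value} dict per request."""
    requests = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Request ID"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_storage(spec):
    """Parse certmonger's "type=NSSDB,location='...',nickname='...'" spec."""
    fields = {}
    for item in spec.split(","):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip().strip("'")
    return fields


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problems(text, now=None, warn_days=28):
    """Return {request_id: [reasons]} for every request that needs attention.

    `now` may be a datetime or a string in certmonger's expiry format;
    it defaults to the current time."""
    if isinstance(now, str):
        now = parse_expiry(now)
    elif now is None:
        now = datetime.now(timezone.utc)
    problems = {}
    for req in parse_getcert_list(text):
        reasons = []
        status = req.get("status", "?")
        if status != STEADY_STATE:
            reasons.append(f"status is {status}, not {STEADY_STATE}")
        if req.get("stuck") == "yes":
            reasons.append("certmonger reports the request as stuck")
        if "expires" in req:
            left = parse_expiry(req["expires"]) - now
            where = parse_storage(req.get("certificate", "")).get("nickname", "?")
            if left.total_seconds() < 0:
                reasons.append(f"{where} expired on {req['expires']}")
            elif left.days < warn_days:
                reasons.append(f"{where} expires in {left.days} days")
        if reasons:
            problems[req["id"]] = reasons
    return problems


if __name__ == "__main__":
    for req_id, reasons in find_problems(SAMPLE_OUTPUT, "2018-02-13 00:00:00 UTC").items():
        print(req_id)
        for reason in reasons:
            print("  -", reason)
```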
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: ipa-server-install --dirsrv-config-file example

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Alex M via FreeIPA-users wrote:
> Martin, 
> 
> After some tests, I found that the value for the 
> nsslapd-sasl-max-buffer-size is reset to default (2097152) during 
> installation. Is it correct? 
> 
> ipa-server-install -d  --dirsrv-config-file=update.ldif
> 
> update.ldif
> 
> dn: cn=config
> changetype: modify
> replace: nsslapd-maxsasliosize
> nsslapd-maxsasliosize: 10485760
> -
> replace: nsslapd-sasl-max-buffer-size
> nsslapd-sasl-max-buffer-size: 10485760
> 
> or 
> 
> dn: cn=config
> changetype: modify
> replace: nsslapd-maxsasliosize
> nsslapd-maxsasliosize: 10485760
> dn: cn=config
> changetype: modify
> replace: nsslapd-sasl-max-buffer-size
> nsslapd-sasl-max-buffer-size: 10485760
> 
> I've tried both.
> 
> Log files:
> 
> From ipaserver-install.log (Centos 7.4)
> ~
> 2018-02-12T16:52:38Z DEBUG nsslapd-sasl-max-buffer-size:
> 2018-02-12T16:52:38Z DEBUG10485760
> ~
> 2018-02-12T16:52:38Z DEBUG only: set nsslapd-sasl-max-buffer-size to 
> '2097152', current value [u'10485760']
> 2018-02-12T16:52:38Z DEBUG only: updated value [u'2097152']
> 2018-02-12T16:52:38Z DEBUG -
> 2018-02-12T16:52:38Z DEBUG Final value after applying updates
> ~
> 2018-02-12T16:52:38Z DEBUG nsslapd-sasl-max-buffer-size:
> 2018-02-12T16:52:38Z DEBUG2097152
> ~
> 2018-02-12T16:52:38Z DEBUG [(2, u'nsslapd-sasl-max-buffer-size', 
> [u'2097152'])]
> 2018-02-12T16:52:38Z DEBUG Updated 1
> 2018-02-12T16:52:38Z DEBUG Done
> 2018-02-12T16:52:38Z DEBUG Updating existing entry: cn=config
> ~
> 2018-02-12T16:52:38Z DEBUG nsslapd-sasl-max-buffer-size:
> 2018-02-12T16:52:38Z DEBUG2097152
> 
> The same for the Fedora 27 ipaserver-install.log:
> ~
> 2018-02-13T10:45:57Z DEBUG nsslapd-sasl-max-buffer-size:
> 2018-02-13T10:45:57Z DEBUG10485760
> ~
> 2018-02-13T10:45:57Z DEBUG(targetattr != aci)(version 3.0; aci "cert 
> manager read access"; allow (read, search, compare) userdn = 
> "ldap:///uid=pkidbuser,ou=people,o=ipaca;;)
> 2018-02-13T10:45:57Z DEBUG only: set nsslapd-sasl-max-buffer-size to 
> '2097152', current value ['10485760']
> 2018-02-13T10:45:57Z DEBUG only: updated value ['2097152']
> ~
> 2018-02-13T10:45:58Z DEBUG nsslapd-sasl-max-buffer-size:
> 2018-02-13T10:45:58Z DEBUG2097152
> ~
> 2018-02-13T10:45:58Z DEBUG(targetattr != aci)(version 3.0; aci "cert 
> manager read access"; allow (read, search, compare) userdn = 
> "ldap:///uid=pkidbuser,ou=people,o=ipaca;;)
> 2018-02-13T10:45:58Z DEBUG [(2, 'nsslapd-sasl-max-buffer-size', ['2097152'])]
> 2018-02-13T10:45:58Z DEBUG Updated 1
> 2018-02-13T10:45:58Z DEBUG Done
> 2018-02-13T10:45:58Z DEBUG Updating existing entry: cn=config
> ~
> 2018-02-13T10:45:58Z DEBUG nsslapd-sasl-max-buffer-size:
> 2018-02-13T10:45:58Z DEBUG2097152

This shows that an LDAP update file in IPA is making the change but I
can't seem to find that in the source tree.

Can you provide more context to the logging? Look for "Parsing update
file ''" in the lines before this.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Umarzuki Mochlis via FreeIPA-users wrote:
> it is stuck with "status: SUBMITTING" when I issue command "ipa-getcert
> list" after I resubmit cert renew "get-cert resubmit -i ID"

Which request is stuck? Can you provide the output of ipa-getcert list
-i ID?

rob

> 
> 2018-02-13 10:05 GMT+08:00 Fraser Tweedale :
>> On Tue, Feb 13, 2018 at 08:53:10AM +0800, Umarzuki Mochlis via FreeIPA-users wrote:
>>> Hi,
>>>
>>> Is it possible to apply wildcard SSL on v3.1 to be able to migrate to
>>> recent free-ipa?
>>> The reason being that I need to backdate the date to the year before the
>>> self-signed certificate expired.
>>> I have not been able to renew the certificate so far.
>>>
>> Hi Umarzuki,
>>
>> Could you please give more info, specifically about which certs are
>> expired and what errors you are encountering while attempting to
>> renew them?  Some hints about how to modify Dogtag certificate
>> profiles to issue wildcard certificates can be found here[1].  But
>> your description of the problem does not contain enough information
>> to make me confident that a wildcard cert will help.
>>
>> [1] 
>> https://frasertweedale.github.io/blog-redhat/posts/2017-06-26-freeipa-wildcard-san.html
>>
>> Cheers,
>> Fraser
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Simo Sorce via FreeIPA-users
On Tue, 2018-02-13 at 15:35 +0100, Ray via FreeIPA-users wrote:
> Hi there,
> 
> I'm trying to make Apache access a kerberized document root on CentOS 
> 7 using gssproxy. So far without success. On the web server machine 
> (=NFS client) I configured a gss-proxy config file:
> 
> # cat /etc/gssproxy/99-nfs-client.conf
> [service/nfs-client]
>mechs = krb5
>cred_store = keytab:/etc/krb5.keytab
>cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
>cred_usage = initiate
>allow_any_uid = yes
>trusted = yes
>euid = 0
> 
> In addition to this I set up a credentials cache 
> /var/lib/gssproxy/clients/krb5cc_

What did you put in this file?

> The Apache user is managed using FreeIPA and is a member of the exported 
> directory's group that shall be used as document root, hence it should 
> have access permissions to the directory and kinit for "apache" shows no 
> ticket.

Did you get a keytab for the apache user and place it in
/var/lib/gssproxy/clients/.keytab?

> However, when I "su -s /bin/bash apache" and try to access the 
> NFS-mounted directory, I get permission denied (even with SELinux 
> temporarily disabled).
> 
> Right now, I do not see how I can proceed and there's not much meat on 
> the Google-bone for this specific topic. Can someone here point me into 
> the right direction?
> 
>* Is the config outlined the correct way to achieve what I want to do?

The configuration is correct, although you could tailor it specifically
to the apache process (setting a strict euid, not using allow_any_uid
nor trusted).

>* Is there a way to debug the issue I'm currently facing?

You can raise the debug level of gssproxy to 3 and see what fails.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
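Simo's question (is there a keytab for the apache user in /var/lib/gssproxy/clients/<uid>.keytab?) and his later remark that a listing full of nfs/ and host/ entries "is not the keytab you want" come down to one check on the `klist -ke` output. As an added example, not gssproxy's or the thread's code, the following parses that output and reports whether the per-uid client keytab can actually initiate as the user; the host name, realm and uid 48 in the samples are constructed placeholders.

```python
"""Check what a gssproxy per-user client keytab actually contains.

Added example, not gssproxy's or the thread's code. It parses the text that
`klist -ke` prints and answers the question asked above: does the keytab at
/var/lib/gssproxy/clients/<uid>.keytab hold the apache user's own principal,
or, as in the listing posted in this thread, only nfs/ and host/ service
keys? Host name, realm and the uid 48 in the samples are constructed.
"""
import re

# Constructed sample mirroring the listing posted in the thread.
SERVICE_KEYTAB_LISTING = """\
Keytab name: FILE:48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/www.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 nfs/www.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 host/www.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 host/www.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# Constructed sample of a keytab issued for the apache user itself.
USER_KEYTAB_LISTING = """\
Keytab name: FILE:48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 apache@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 apache@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_client_keytab(listing, user, realm):
    """Decide whether the keytab lets gssproxy initiate as user@REALM.

    gssproxy reads client_keytab:<uid>.keytab to obtain a ticket *for that
    user*, so the user's own principal must be in it; service principals
    (anything containing '/') mean a host or service keytab was copied into
    place instead. Returns (ok, reasons)."""
    wanted = f"{user}@{realm.upper()}"
    principals = {p for _, p, _ in parse_klist(listing)}
    reasons = []
    if not principals:
        reasons.append("no keytab entries found in the listing")
    elif wanted not in principals:
        reasons.append(f"missing {wanted}: gssproxy cannot obtain a ticket as this user")
    for p in sorted(p for p in principals if "/" in p):
        reasons.append(f"{p} is a service principal, not a user credential")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, listing in (("posted", SERVICE_KEYTAB_LISTING), ("user", USER_KEYTAB_LISTING)):
        ok, reasons = check_client_keytab(listing, "apache", "EXAMPLE.TEST")
        print(label, "keytab:", "OK" if ok else "; ".join(reasons))
```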
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
I have other software in that role.
Here it is - https://www.ispsystem.com/software/dnsmanager
It's a frontend for managing zones, with pdns+mysql as the backend.
So when I configure new hosts, these servers act as the authoritative DNS.
No special configuration for the FreeIPA server, only ipa-server-install with

'setup_dns': False

And I specified --domain and --realm when running ipa-client-install.

2018-02-13 17:29 GMT+03:00 Andrew Meyer :

> What is your authoritative DNS?  MS AD?  Are you manually populating the
> records?  My boss wants to eliminate DNS from this equation because he
> thinks we will have to maintain another set of DNS servers.  If FreeIPA is
> only authoritative for its own zone and managing servers within the zone,
> then we should have no issues.  We will need to put forwarders in to talk
> to Route53.  But I don't see that as an issue.
>
>
> On Tuesday, February 13, 2018 8:25 AM, Andrew Radygin wrote:
>
>
> I'm running FreeIPA 4.5 server with several hundred hosts and dozens of
> users. And it's perfectly fine, especially if you already have another
> instrument for managing DNS.
> I haven't experienced any problems from such setup so far.
>
> 2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
>
> Fish the entries?  Can you elaborate on that a bit more?
>
> Since FreeIPA auto-builds txt records and what not for client
> machines...How did you do that?
>
> Or did you not utilize that?
>
>
> On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users wrote:
>
>
> You can, but you need to add the DNS entries that FreeIPA adds to its
> domain to your DNS server.
>
> What I did was install FreeIPA in a test environment and fish the entries
> from there.
>
> On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users wrote:
>
> I know I have sent in multiple emails, but we are trying to deploy FreeIPA
> correctly.  However I am getting asked to find out some other details.
>
> Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still
> be able to use the SSH, sudo, selinux, LDAP & krb5.
>
> We are moving to AWS and management is afraid that we will have to
> maintain multiple sets of DNS.  And that if FreeIPA is the focal point for
> all servers and, God forbid, it crashes, there goes our whole environment.
> They would like to put the zone in R53 and have that handle ALL the
> records.  If we do go through with not installing DNS w/ FreeIPA will we be
> shooting ourselves in the foot?
>
> I know that FreeIPA relies heavily on DNS and I have seen multiple
> conversations regarding not to do this, but is this somewhere in the best
> practices?
>
> I found this thread from 2015 but I don't think it applies anymore:
> Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>
>
> The problem is that we have 30 domains that we want to use in R53 and he
> wants to bypass FreeIPA for doing DNS other than for auth and sudo and
> ldap.  Could we put entries in the /etc/hosts file to point to the FreeIPA
> servers?  I feel like this might work and might be more problematic down
> the line.
>
> Regards,
> Andrew
>
>
>
>
>
> --
>___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/
>
>
>
>
>
>
>
>
> --
> Best regards, Andrew.
>
>
>


-- 
Best regards, Andrew.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
Thank you, that will help.  I don't want to have to go down that road but it's 
looking more and more like I will have to.

On Tuesday, February 13, 2018 8:34 AM, Alexander Bokovoy via FreeIPA-users wrote:

On Tue, 13 Feb 2018, Andrew Meyer via FreeIPA-users wrote:
>Fish the entries?  Can you elaborate on that a bit more?
>Since FreeIPA auto-builds txt records and what not for client
>machines...How did you do that?  Or did you not utilize that?
When you install an IPA master without the integrated DNS server, the IPA
installer will generate a sample DNS zone for its own domain and put it into
a temporary file in /tmp. The name of the file is displayed in the console
output; it looks like /tmp/ipa.system.records.*.db

You can re-generate the same file with the following sequence:

- as root on the IPA master run
  ipa -e in_server=True console

  this will open a special IPA console where you can use the Python API
  directly. Note that this operation does not require a Kerberos ticket
  and does not communicate with the IPA framework; instead, it talks
  directly to IPA LDAP over a local interface as cn=Directory Manager, so
  be careful what you do there.

- within the console, enter the following (>>> indicates where to enter):
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()

- exit console with ctrl-D

You'd get something like this in your terminal:

[root@master ~]# ipa -e in_server=True console 
(Custom IPA interactive Python console)
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()
Please add records in this file to your DNS system: 
/tmp/ipa.system.records.c3fq4oa1.db
>>> (pressed ctrl-D here)
now exiting InteractiveConsole...

[root@master ~]# cat /tmp/ipa.system.records.c3fq4oa1.db
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 master.example.com.
ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS


>
> On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users wrote:
>
>
> You can, but you need to add the DNS entries that FreeIPA adds to its domain 
> to your DNS server.
>
>What I did was install FreeIPA in a test environment and fish the entries from 
>there.
>
>On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users wrote:
>
>I know I have sent in multiple emails, but we are trying to deploy FreeIPA 
>correctly.  However I am getting asked to find out some other details.  
>Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be 
>able to use the SSH, sudo, selinux, LDAP & krb5.  
>We are moving to AWS and management is afraid that we will have to maintain 
>multiple sets of DNS.  And that if FreeIPA is the focal point for all servers 
>and, God forbid, it crashes, there goes our whole environment.  They would like 
>to put the zone in R53 and have that handle ALL the records.  If we do go 
>through with not installing DNS w/ FreeIPA will we be shooting ourselves in 
>the foot?  
>I know that FreeIPA relies heavily on DNS and I have seen multiple 
>conversations regarding not to do this, but is this somewhere in the best 
>practices?
>I found this thread from 2015 but I don't think it applies anymore:
>Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>
>
>
>
>The problem is that we have 30 domains that we want to use in R53 and he wants 
>to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could 
>we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel 
>like this might work and might be more problematic down the line.
>Regards,Andrew

[Freeipa-users] Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Ray via FreeIPA-users

Hi there,

I'm trying to make Apache access a kerberized document root on CentOS 
7 using gssproxy. So far without success. On the web server machine 
(=NFS client) I configured a gss-proxy config file:


# cat /etc/gssproxy/99-nfs-client.conf
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

In addition to this I set up a credentials cache 
/var/lib/gssproxy/clients/krb5cc_


The Apache user is managed using FreeIPA and is a member of the exported 
directory's group that shall be used as document root, hence it should 
have access permissions to the directory and kinit for "apache" shows no 
ticket.


However, when I "su -s /bin/bash apache" and try to access the 
NFS-mounted directory, I get permission denied (even with SELinux 
temporarily disabled).


Right now, I do not see how I can proceed and there's not much meat on 
the Google-bone for this specific topic. Can someone here point me into 
the right direction?


  * Is the config outlined the correct way to achieve what I want to do?
  * Is there a way to debug the issue I'm currently facing?

Best,
Ray
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 13 Feb 2018, Andrew Meyer via FreeIPA-users wrote:

Fish the entries?  Can you elaborate on that a bit more?
Since FreeIPA auto-builds txt records and what not for client
machines...How did you do that?  Or did you not utilize that?

When you install an IPA master without the integrated DNS server, the IPA
installer will generate a sample DNS zone for its own domain and put it into
a temporary file in /tmp. The name of the file is displayed in the console
output; it looks like /tmp/ipa.system.records.*.db

You can re-generate the same file with the following sequence:

- as root on the IPA master run
 ipa -e in_server=True console

 this will open a special IPA console where you can use the Python API
 directly. Note that this operation does not require a Kerberos ticket
 and does not communicate with the IPA framework; instead, it talks
 directly to IPA LDAP over a local interface as cn=Directory Manager, so
 be careful what you do there.

- within the console, enter the following (>>> indicates where to enter):

>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()


- exit console with ctrl-D

You'd get something like this in your terminal:

[root@master ~]# ipa -e in_server=True console 
(Custom IPA interactive Python console)
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()
Please add records in this file to your DNS system: 
/tmp/ipa.system.records.c3fq4oa1.db
>>> (pressed ctrl-D here)
now exiting InteractiveConsole...

[root@master ~]# cat /tmp/ipa.system.records.c3fq4oa1.db
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 master.example.com.
ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS




On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users wrote:


You can, but you need to add the DNS entries that FreeIPA adds to its domain to 
your DNS server.

What I did was install FreeIPA in a test environment and fish the entries from 
there.

On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users wrote:

I know I have sent in multiple emails, but we are trying to deploy FreeIPA 
correctly.  However I am getting asked to find out some other details.  
Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be able 
to use the SSH, sudo, selinux, LDAP & krb5.  
We are moving to AWS and management is afraid that we will have to maintain 
multiple sets of DNS.  And that if FreeIPA is the focal point for all servers 
and, God forbid, it crashes, there goes our whole environment.  They would like 
to put the zone in R53 and have that handle ALL the records.  If we do go 
through with not installing DNS w/ FreeIPA will we be shooting ourselves in the 
foot?  
I know that FreeIPA relies heavily on DNS and I have seen multiple 
conversations regarding not to do this, but is this somewhere in the best 
practices?
I found this thread from 2015 but I don't think it applies anymore:
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS




The problem is that we have 30 domains that we want to use in R53 and he wants 
to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could 
we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel 
like this might work and might be more problematic down the line.
Regards,Andrew
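When the zone lives in Route53 or another external DNS, the records in the generated file have to be carried over by hand and then kept in sync. As an added example, not part of the thread or of FreeIPA, the script below regenerates that record set for any domain, realm and master name and diffs a zone export in the same one-record-per-line format against it; the sample zone, host names and address are constructed, and the record set simply mirrors the file shown above (including the _msdcs entries).

```python
"""Diff an external DNS zone against the records FreeIPA needs.

Added example, not part of the thread or of FreeIPA. expected_records()
regenerates the record set of the /tmp/ipa.system.records.*.db file shown
above for any domain, realm and master, and missing_records() checks zone
data in that same one-record-per-line format against it. Sample is constructed.
"""

# (owner-name prefix, port) of every SRV record in the generated file above.
SRV_SERVICES = [
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs", 88),
    ("_kerberos._tcp.dc._msdcs", 88),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs", 88),
    ("_kerberos._udp.dc._msdcs", 88),
    ("_kerberos._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
    ("_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs", 389),
    ("_ldap._tcp.dc._msdcs", 389),
    ("_ldap._tcp", 389),
    ("_ntp._udp", 123),
]


def expected_records(domain, realm, master):
    """Return {(owner, rrtype): rdata} mirroring the generated file.

    SRV rdata is (port, target); priority and weight are not compared. The
    ipa-ca A record maps to None: any address the CA answers on is fine."""
    domain = domain.rstrip(".").lower()
    master = master.rstrip(".").lower()
    records = {}
    for prefix, port in SRV_SERVICES:
        records[(f"{prefix}.{domain}".lower(), "SRV")] = (port, master)
    records[(f"_kerberos.{domain}", "TXT")] = realm.upper()
    records[(f"ipa-ca.{domain}", "A")] = None
    return records


def parse_zone_lines(text):
    """Parse 'owner TTL IN TYPE rdata...' lines into {(owner, rrtype): [rdata]}."""
    parsed = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(";") or "IN" not in parts:
            continue                      # blank line, comment or not a record
        i = parts.index("IN")
        owner = parts[0].rstrip(".").lower()
        rrtype = parts[i + 1].upper()
        rdata = parts[i + 2:]
        if rrtype == "SRV" and len(rdata) >= 4:   # priority weight port target
            value = (int(rdata[2]), rdata[3].rstrip(".").lower())
        elif rrtype == "TXT":
            value = " ".join(rdata).strip('"')
        else:
            value = " ".join(rdata)
        parsed.setdefault((owner, rrtype), []).append(value)
    return parsed


def missing_records(zone_text, domain, realm, master):
    """Return sorted 'owner TYPE' strings that are absent or point elsewhere."""
    have = parse_zone_lines(zone_text)
    missing = []
    for key, want in expected_records(domain, realm, master).items():
        values = have.get(key, [])
        if not values or (want is not None and want not in values):
            missing.append(f"{key[0]} {key[1]}")
    return sorted(missing)


# Constructed sample: the generated file above with two deliberate defects,
# no _ntp._udp record and _ldap._tcp pointing at a decommissioned host.
SAMPLE_ZONE = """\
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 old-master.example.com.
ipa-ca.example.com. 86400 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for item in missing_records(SAMPLE_ZONE, "example.com", "EXAMPLE.COM", "master.example.com"):
        print("missing or wrong:", item)
```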

[Freeipa-users] Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users

I've run up against a limit I can't seem to adjust.

When listing a particular DNS zone which has well over 5000 hosts in it, 
we keep getting "Search result has been truncated: Configured 
administrative server limit exceeded."


I've tried fixing this in a number of ways. We've shut down the 
services, edited dse.ldif to raise nsslapd-searchlimit to 9 and 
restarted, but:


#ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep 
nsslapd-sizelimit

snsslapd-sizelimit: 2000

What do I need to do to be able to list all my DNS entries for this 
zone? This 5000 limit is enforced through the CLI as well, as "ipa 
dnsrecord-find damascusgrp.com --sizelimit=9" will only return 5000 
entries. I know it's taxing and intensive, but I need to be able to 
query the WHOLE set of records we have without this restriction.


How can I get around this?


--
*Bret Wortman*
President, Damascus Products LLC
855-644-2783 | 303-523-8037 | b...@damascusproducts.com | http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030




___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
What is your authoritative DNS?  MS AD?  Are you manually populating the 
records?  My boss wants to eliminate DNS from this equation because he thinks 
we will have to maintain another set of DNS servers.  If FreeIPA is only 
authoritative for its own zone and managing servers within the zone, then we 
should have no issues.  We will need to put forwarders in to talk to Route53.  
But I don't see that as an issue.

On Tuesday, February 13, 2018 8:25 AM, Andrew Radygin wrote:
 

I'm running FreeIPA 4.5 server with several hundred hosts and dozens of users. 
And it's perfectly fine, especially if you already have another instrument for 
managing DNS.
I haven't experienced any problems from such setup so far.

2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users:

Fish the entries?  Can you elaborate on that a bit more?
Since FreeIPA auto-builds txt records and what not for client machines...How 
did you do that?
Or did you not utilize that? 

On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users wrote:
 

 You can, but you need to add the DNS entries that FreeIPA adds to its domain 
to your DNS server.

What I did was install FreeIPA in a test environment and fish the entries from 
there.

On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users wrote:

I know I have sent in multiple emails, but we are trying to deploy FreeIPA 
correctly.  However I am getting asked to find out some other details.  
Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be 
able to use the SSH, sudo, selinux, LDAP & krb5.  
We are moving to AWS and management is afraid that we will have to maintain 
multiple sets of DNS.  And that if FreeIPA is the focal point for all servers 
and, God forbid, it crashes, there goes our whole environment.  They would like 
to put the zone in R53 and have that handle ALL the records.  If we do go 
through with not installing DNS w/ FreeIPA will we be shooting ourselves in the 
foot?  
I know that FreeIPA relies heavily on DNS and I have seen multiple 
conversations regarding not to do this, but is this somewhere in the best 
practices?
I found this thread from 2015 but I don't think it applies anymore:Re: 
[Freeipa-users] Can freeIPA work without Kerberos and DNS

  
The problem is that we have 30 domains that we want to use in R53 and he wants 
to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could 
we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel 
like this might work and might be more problematic down the line.
Regards,
Andrew





-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/







-- 
Best regards, Andrew.



[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
Sorry, I missed some words. I meant such a setup of FreeIPA without DNS completely.

2018-02-13 17:25 GMT+03:00 Andrew Radygin :

> I'm running FreeIPA 4.5 server with several hundred hosts and dozens of
> users. And it's perfectly fine, especially if you already have another
> instrument for dns managing.
> I haven't experienced any problems from such setup so far.
>
> 2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> Fish the entries?  Can you elaborate on that a bit more?
>>
>> Since FreeIPA auto-builds txt records and what not for client
>> machines...How did you do that?
>>
>> Or did you not utilize that?
>>
>>
>> On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>
>> You can, but you need to add the DNS entries that FreeIPA adds to its
>> domain to your DNS server.
>>
>> What I did was install FreeIPA in a test environment and fish the entries
>> from there.
>>
>> On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>> I know I have sent in multiple emails, but we are trying to deploy
>> FreeIPA correctly.  However I am getting asked to find out some other
>> details.
>>
>> Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and
>> still be able to use the SSH, sudo, selinux, LDAP & krb5.
>>
>> We are moving to AWS and management is afraid that we will have to
>> maintain multiple sets of DNS.  And that if FreeIPA is the focal point for
>> all servers and god for bid it crashes, there goes our whole environment.
>> They would like to put the zone in R53 and have that handle ALL the
>> records.  If we do go through with not installing DNS w/ FreeIPA will we be
>> shooting ourselves in the foot?
>>
>> I know that FreeIPA relies heavily on DNS and I have seen multiple
>> conversations regarding not to do this, but is this somewhere in the best
>> practices?
>>
>> I found this thread from 2015 but I don't think it applies anymore:
>> Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>>
>> The problem is that we have 30 domains that we want to use in R53 and he
>> wants to bypass FreeIPA for doing DNS other than for auth and sudo and
>> ldap.  Could we put entries in the /etc/hosts file to point to the FreeIPA
>> servers?  I feel like this might work and might be more problematic down
>> the line.
>>
>> Regards,
>> Andrew
>>
>>
>> --
>>___
>>  {~._.~}
>>   ( Y )
>>  ()~*~()  mail: alex at corcoles dot net
>>  (_)-(_)  http://alex.corcoles.net/
>>
>
>
> --
> Best regards, Andrew.
>



-- 
Best regards, Andrew.


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
I'm running a FreeIPA 4.5 server with several hundred hosts and dozens of
users, and it's perfectly fine, especially if you already have another
instrument for DNS management.
I haven't experienced any problems with such a setup so far.

2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> Fish the entries?  Can you elaborate on that a bit more?
>
> Since FreeIPA auto-builds txt records and what not for client
> machines...How did you do that?
>
> Or did you not utilize that?
>
>
> On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>
> You can, but you need to add the DNS entries that FreeIPA adds to its
> domain to your DNS server.
>
> What I did was install FreeIPA in a test environment and fish the entries
> from there.
>
> On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> I know I have sent in multiple emails, but we are trying to deploy FreeIPA
> correctly.  However I am getting asked to find out some other details.
>
> Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still
> be able to use the SSH, sudo, selinux, LDAP & krb5.
>
> We are moving to AWS and management is afraid that we will have to
> maintain multiple sets of DNS.  And that if FreeIPA is the focal point for
> all servers and god for bid it crashes, there goes our whole environment.
> They would like to put the zone in R53 and have that handle ALL the
> records.  If we do go through with not installing DNS w/ FreeIPA will we be
> shooting ourselves in the foot?
>
> I know that FreeIPA relies heavily on DNS and I have seen multiple
> conversations regarding not to do this, but is this somewhere in the best
> practices?
>
> I found this thread from 2015 but I don't think it applies anymore:
> Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>
> The problem is that we have 30 domains that we want to use in R53 and he
> wants to bypass FreeIPA for doing DNS other than for auth and sudo and
> ldap.  Could we put entries in the /etc/hosts file to point to the FreeIPA
> servers?  I feel like this might work and might be more problematic down
> the line.
>
> Regards,
> Andrew
>
>
> --
>___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/
>


-- 
Best regards, Andrew.


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
Fish the entries?  Can you elaborate on that a bit more?
Since FreeIPA auto-builds TXT records and what not for client machines... How
did you do that?
Or did you not utilize that?

On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users wrote:

You can, but you need to add the DNS entries that FreeIPA adds to its domain
to your DNS server.

What I did was install FreeIPA in a test environment and fish the entries from 
there.

On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users wrote:

I know I have sent in multiple emails, but we are trying to deploy FreeIPA
correctly.  However I am getting asked to find out some other details.
Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be
able to use the SSH, sudo, SELinux, LDAP & krb5.
We are moving to AWS and management is afraid that we will have to maintain
multiple sets of DNS.  And that if FreeIPA is the focal point for all servers
and God forbid it crashes, there goes our whole environment.  They would like
to put the zone in R53 and have that handle ALL the records.  If we do go
through with not installing DNS w/ FreeIPA will we be shooting ourselves in the
foot?
I know that FreeIPA relies heavily on DNS and I have seen multiple
conversations regarding not to do this, but is this somewhere in the best
practices?
I found this thread from 2015 but I don't think it applies anymore:
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

  
The problem is that we have 30 domains that we want to use in R53 and he wants 
to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could 
we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel 
like this might work and might be more problematic down the line.
Regards,
Andrew





-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/




[Freeipa-users] Re: ipa-server-install --dirsrv-config-file example

2018-02-13 Thread Alex M via FreeIPA-users
Martin, 

After some tests, I found that the value for nsslapd-sasl-max-buffer-size
is reset to the default (2097152) during installation. Is this correct?

ipa-server-install -d  --dirsrv-config-file=update.ldif

update.ldif

dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: 10485760
-
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 10485760

or 

dn: cn=config
changetype: modify
replace: nsslapd-maxsasliosize
nsslapd-maxsasliosize: 10485760

dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 10485760

I've tried both.

Log files:

From ipaserver-install.log (CentOS 7.4)
~
2018-02-12T16:52:38Z DEBUG nsslapd-sasl-max-buffer-size:
2018-02-12T16:52:38Z DEBUG  10485760
~
2018-02-12T16:52:38Z DEBUG only: set nsslapd-sasl-max-buffer-size to '2097152', 
current value [u'10485760']
2018-02-12T16:52:38Z DEBUG only: updated value [u'2097152']
2018-02-12T16:52:38Z DEBUG -
2018-02-12T16:52:38Z DEBUG Final value after applying updates
~
2018-02-12T16:52:38Z DEBUG nsslapd-sasl-max-buffer-size:
2018-02-12T16:52:38Z DEBUG  2097152
~
2018-02-12T16:52:38Z DEBUG [(2, u'nsslapd-sasl-max-buffer-size', [u'2097152'])]
2018-02-12T16:52:38Z DEBUG Updated 1
2018-02-12T16:52:38Z DEBUG Done
2018-02-12T16:52:38Z DEBUG Updating existing entry: cn=config
~
2018-02-12T16:52:38Z DEBUG nsslapd-sasl-max-buffer-size:
2018-02-12T16:52:38Z DEBUG  2097152

The same for the Fedora 27 ipaserver-install.log:
~
2018-02-13T10:45:57Z DEBUG nsslapd-sasl-max-buffer-size:
2018-02-13T10:45:57Z DEBUG  10485760
~
2018-02-13T10:45:57Z DEBUG  (targetattr != aci)(version 3.0; aci "cert 
manager read access"; allow (read, search, compare) userdn = 
"ldap:///uid=pkidbuser,ou=people,o=ipaca;;)
2018-02-13T10:45:57Z DEBUG only: set nsslapd-sasl-max-buffer-size to '2097152', 
current value ['10485760']
2018-02-13T10:45:57Z DEBUG only: updated value ['2097152']
~
2018-02-13T10:45:58Z DEBUG nsslapd-sasl-max-buffer-size:
2018-02-13T10:45:58Z DEBUG  2097152
~
2018-02-13T10:45:58Z DEBUG  (targetattr != aci)(version 3.0; aci "cert 
manager read access"; allow (read, search, compare) userdn = 
"ldap:///uid=pkidbuser,ou=people,o=ipaca;;)
2018-02-13T10:45:58Z DEBUG [(2, 'nsslapd-sasl-max-buffer-size', ['2097152'])]
2018-02-13T10:45:58Z DEBUG Updated 1
2018-02-13T10:45:58Z DEBUG Done
2018-02-13T10:45:58Z DEBUG Updating existing entry: cn=config
~
2018-02-13T10:45:58Z DEBUG nsslapd-sasl-max-buffer-size:
2018-02-13T10:45:58Z DEBUG  2097152


[Freeipa-users] Migration AD trust and group

2018-02-13 Thread Henrik Stigendal via FreeIPA-users
Hi,

I am looking into migrating an existing deployment of LDAP with hundreds of
users and hundreds of groups into an IPA solution with a trust against AD. All
users currently exist with the same names in AD, but the groups do not; one
solution would be adding all those groups to AD with gidNumber set, so as to only
administer the users and groups in AD. External groups seem to be the
solution, but that would require external groups created in the IPA. I would
like to avoid that and have tested with groups only in AD with gidNumber set,
and it seems to work: I can at least see the group, and SUDO rules work with
the group.

So my question is, can you use groups in AD without referencing them in IPA? And
please throw in any other suggestions for trying to have all data in Active
Directory without having to change anything in the IPA when adding users or
groups (or hosts/netgroups for that matter).

Thanks
Henrik


Sent from my iPad


[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Alex Corcoles via FreeIPA-users
You can, but you need to add the DNS entries that FreeIPA adds to its
domain to your DNS server.

What I did was install FreeIPA in a test environment and fish the entries
from there.

On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I know I have sent in multiple emails, but we are trying to deploy FreeIPA
> correctly.  However I am getting asked to find out some other details.
>
> Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still
> be able to use the SSH, sudo, selinux, LDAP & krb5.
>
> We are moving to AWS and management is afraid that we will have to
> maintain multiple sets of DNS.  And that if FreeIPA is the focal point for
> all servers and god for bid it crashes, there goes our whole environment.
> They would like to put the zone in R53 and have that handle ALL the
> records.  If we do go through with not installing DNS w/ FreeIPA will we be
> shooting ourselves in the foot?
>
> I know that FreeIPA relies heavily on DNS and I have seen multiple
> conversations regarding not to do this, but is this somewhere in the best
> practices?
>
> I found this thread from 2015 but I don't think it applies anymore:
> Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>
> The problem is that we have 30 domains that we want to use in R53 and he
> wants to bypass FreeIPA for doing DNS other than for auth and sudo and
> ldap.  Could we put entries in the /etc/hosts file to point to the FreeIPA
> servers?  I feel like this might work and might be more problematic down
> the line.
>
> Regards,
> Andrew
>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
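An added example for the "fish the entries" step Alex describes above (not FreeIPA project code and not from any poster in this thread): it derives the SRV/TXT/A records an external zone such as Route 53 must carry for a FreeIPA domain and diffs them against what a resolver actually serves. The domain, realm and server addresses are constructed; the record set mirrors the core records ipa-server-install lists in the records file it leaves in /tmp when run without integrated DNS.

```python
"""Added example (not FreeIPA project code): records that IPA clients and
replicas discover through DNS, for loading into an external zone, plus a
check of what the live resolver returns. All names and IPs are constructed."""
from collections import namedtuple

Record = namedtuple("Record", "name rtype value")

# Services FreeIPA clients and replicas locate through SRV records, with port.
SRV_SERVICES = (
    ("_kerberos._udp", 88), ("_kerberos._tcp", 88),
    ("_kerberos-master._udp", 88), ("_kerberos-master._tcp", 88),
    ("_kpasswd._udp", 464), ("_kpasswd._tcp", 464),
    ("_ldap._tcp", 389),
)


def ipa_system_records(domain, realm, servers, ca_servers):
    """Records an external zone must carry for a FreeIPA domain.

    servers:    mapping of IPA server FQDN -> IPv4 address
    ca_servers: subset of those FQDNs that run the CA (answer as ipa-ca)
    Equal priority/weight (0 100) lets clients spread load across masters.
    """
    recs = [Record(f"_kerberos.{domain}.", "TXT", f'"{realm}"')]
    for prefix, port in SRV_SERVICES:
        for fqdn in sorted(servers):
            recs.append(Record(f"{prefix}.{domain}.", "SRV",
                               f"0 100 {port} {fqdn}."))
    # ipa-ca.<domain> must resolve to every CA master: the CRL distribution
    # point and OCSP URLs in IPA-issued certificates point at it, so a missing
    # A record surfaces as certificate validation failures, not as DNS errors.
    for fqdn in sorted(ca_servers):
        recs.append(Record(f"ipa-ca.{domain}.", "A", servers[fqdn]))
    return recs


def zone_lines(records):
    """Render records in BIND zone-file syntax, one line per record."""
    return [f"{r.name} IN {r.rtype} {r.value}" for r in records]


def missing_records(required, served):
    """Return the required records absent from `served`, a set of
    (name, rtype, value) tuples gathered from the live resolver (for
    example the answer sections of dig SRV/TXT/A queries)."""
    have = {(n.lower(), t.upper(), v) for n, t, v in served}
    return [r for r in required
            if (r.name.lower(), r.rtype, r.value) not in have]


# Constructed deployment used for the demonstration below.
DOMAIN, REALM = "example.test", "EXAMPLE.TEST"
SERVERS = {"ipa1.example.test": "10.0.0.11", "ipa2.example.test": "10.0.0.12"}
CA_SERVERS = {"ipa1.example.test"}

if __name__ == "__main__":
    print("\n".join(zone_lines(
        ipa_system_records(DOMAIN, REALM, SERVERS, CA_SERVERS))))
```

Releases that have the command can print the same list for a live server with `ipa dns-update-system-records --dry-run`; the check above is what you would run after the records have been loaded into the external zone, and again whenever a replica is added or retired.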


[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Umarzuki Mochlis via FreeIPA-users
It is stuck with "status: SUBMITTING" when I issue the command "ipa-getcert
list" after I resubmit the cert renewal with "getcert resubmit -i ID".

2018-02-13 10:05 GMT+08:00 Fraser Tweedale :
> On Tue, Feb 13, 2018 at 08:53:10AM +0800, Umarzuki Mochlis via FreeIPA-users 
> wrote:
>> Hi,
>>
>> Is it possible to apply wildcard SSL on v3.1 to be able to migrate to
>> recent free-ipa?
>> Reason being that, I need to backdate date to year before self-signed 
>> expired.
>> I have not been able to renew certificate so far.
>>
> Hi Umarzuki,
>
> Could you please give more info, specifically about which certs are
> expired and what errors you are encountering while attempting to
> renew them?  Some hints about how to modify Dogtag certificate
> profiles to issue wildcard certificates can be found here[1].  But
> your description of the problem does not contain enough information
> to make me confident that a wildcard cert will help.
>
> [1] 
> https://frasertweedale.github.io/blog-redhat/posts/2017-06-26-freeipa-wildcard-san.html
>
> Cheers,
> Fraser