[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-08 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
> 
> trying to get smart card authentication using a yubikey.
> 
> I follow the
> 
> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
> 
> I managed to import a key and certificate (generated by openssl):
> 
> $ yubico-piv-tool -a status -v
> trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> Action 'status' does not need authentication.
> Now processing for action 'status'.
> CHUID:          No data available
> CCC:            No data available
> Slot 9a:
>         Algorithm:      RSA2048
>         Subject DN:     O=UNIX.ASENJO.NL, CN=user50
>         Issuer DN:      O=UNIX.ASENJO.NL, CN=Certificate Authority
>         Fingerprint:    dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
>         Not Before:     Nov  8 22:40:02 2018 GMT
>         Not After:      Nov  8 22:40:02 2020 GMT
> PIN tries left: 3
> 
> And this user50 has this certificate in ipa.
> 
> My trouble starts when running this step on the client:
> 
> # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so -force
> ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error."
> 
> I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
> 
> So, basically, I'm stuck now :(, because without this piece opensc cannot
> work apparently.
> 
> This is a fedora 29 host, by the way.
> 
> Any clues?

Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
p11-kit-proxy is added by default to the NSS databases and the PKCS#11
modules only register with p11-kit.

HTH

bye,
Sumit

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
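A small checker for the situation Sumit describes, added here as an example (it is not code from the thread, NSS or p11-kit): it parses `modutil -list` output to see whether the NSS database is wired to p11-kit-proxy and, if so, looks for a p11-kit `*.module` file naming opensc-pkcs11.so instead of expecting a direct `modutil -add`. The `modutil` output embedded below is a constructed sample; the module-file directories and the `module:` key are p11-kit's own conventions.

```python
"""Tell whether an NSS DB reaches PKCS#11 modules directly (modutil -add) or via
p11-kit-proxy, in which case OpenSC is registered with p11-kit (*.module file)."""
import glob
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of `modutil -dbdir /etc/pki/nssdb -list` on a host whose
# NSS database already carries p11-kit-proxy (the setup Sumit describes).
SAMPLE_MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-version=3.39
       slots: 1 slot attached
      status: loaded

        slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
         uri: pkcs11:token=NSS%20Certificate%20DB;model=NSS%203

  2. p11-kit-proxy
  library name: p11-kit-proxy.so
       slots: 1 slot attached
      status: loaded
-----------------------------------------------------------
"""

# Directories p11-kit reads *.module files from (local admin, then packaged).
P11_KIT_MODULE_DIRS = ("/etc/pkcs11/modules", "/usr/share/p11-kit/modules")

MODULE_HEADER = re.compile(r"^\s*(\d+)\.\s+(.*?)\s*$")  # "  2. p11-kit-proxy"
FIELD = re.compile(r"^\s*([a-z ]+):\s*(.*?)\s*$")       # "  library name: x.so"


def parse_modutil_list(text: str) -> List[Dict[str, str]]:
    """One dict per module: its name plus module-level fields (library name,
    uri, slots, status). Slot/token sub-entries are deliberately skipped."""
    modules: List[Dict[str, str]] = []
    in_slot = False
    for line in text.splitlines():
        header = MODULE_HEADER.match(line)
        if header:
            modules.append({"name": header.group(2)})
            in_slot = False
            continue
        field = FIELD.match(line)
        if not field or not modules:
            continue
        key, value = field.group(1).strip(), field.group(2)
        if key == "slot":
            in_slot = True  # fields up to the next module belong to a slot
        if not in_slot:
            modules[-1][key] = value
    return modules


def uses_p11_kit_proxy(modules: List[Dict[str, str]]) -> bool:
    """True when NSS is wired to p11-kit-proxy rather than to each library."""
    return any(m["name"] == "p11-kit-proxy" or "p11-kit-proxy" in m.get("library name", "")
               for m in modules)


def parse_p11_kit_module(text: str) -> Dict[str, str]:
    """Parse a p11-kit module file ('key: value' lines, '#' comments); the
    'module:' key names the PKCS#11 library p11-kit loads behind the proxy."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def load_module_files(dirs=P11_KIT_MODULE_DIRS) -> Dict[str, str]:
    """Read every *.module file p11-kit would consider, keyed by path."""
    files: Dict[str, str] = {}
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.module"))):
            with open(path, encoding="utf-8") as fh:
                files[path] = fh.read()
    return files


def diagnose(modutil_output: str, module_files: Dict[str, str],
             library: str = "opensc-pkcs11") -> Tuple[str, bool]:
    """Return (registration_path, library_registered).
    'p11-kit': NSS goes through p11-kit-proxy, so the library has to be named
    by a *.module file and `modutil -add` is the wrong layer.
    'modutil': no proxy, so the library must sit in the NSS DB itself."""
    modules = parse_modutil_list(modutil_output)
    if uses_p11_kit_proxy(modules):
        registered = any(library in parse_p11_kit_module(t).get("module", "")
                         for t in module_files.values())
        return "p11-kit", registered
    registered = any(library in m.get("library name", "") for m in modules)
    return "modutil", registered
```

On a real host, feed `diagnose()` the stdout of `modutil -dbdir /etc/pki/nssdb -list` together with `load_module_files()`.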


[Freeipa-users] smartcard yubikey opensc-pkcs11.so error

2018-11-08 Thread Natxo Asenjo via FreeIPA-users
hi,

trying to get smart card authentication using a yubikey.

I follow the

$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00

I managed to import a key and certificate (generated by openssl):

$ yubico-piv-tool -a status -v
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.
Now processing for action 'status'.
CHUID:          No data available
CCC:            No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     O=UNIX.ASENJO.NL, CN=user50
        Issuer DN:      O=UNIX.ASENJO.NL, CN=Certificate Authority
        Fingerprint:    dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
        Not Before:     Nov  8 22:40:02 2018 GMT
        Not After:      Nov  8 22:40:02 2020 GMT
PIN tries left: 3

And this user50 has this certificate in ipa.

My trouble starts when running this step on the client:

# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so -force
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error."

I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
/usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.

So, basically, I'm stuck now :(, because without this piece opensc cannot
work apparently.

This is a fedora 29 host, by the way.

Any clues?

-- 
regards,
Natxo
--
Groeten,
natxo


[Freeipa-users] Re: yubikey csr not working

2018-11-08 Thread Natxo Asenjo via FreeIPA-users
On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale  wrote:

>
> Naxto, could you please provide Dogtag debug log from
> /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in
> the journal at the time of this error, please give detail of that
> too (`journalctl -u pki-tomcatd@pki-tomcat`).
>
>
aha, I see an error now in the debug log:

[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: createRequests: begins
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: Start parsePKCS10():
-BEGIN CERTIFICATE REQUEST-
-END CERTIFICATE REQUEST-

[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: parsePKCS10: signature verification enabled
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: parsePKCS10 setting thread token
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: Unable to parse PKCS #10 request: java.security.SignatureException: PKCS10: PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature
java.security.SignatureException: PKCS10: PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature

the journalctl output:
Nov 08 22:37:13 kdc1.unix.asenjo.nl server[10677]: PKCS10: PKCS10: Request Subject: CN=user50: sig.verify() failed
Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Creating session 23596D3C3AFFCDE19F5B386C288E8290
Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)]
Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Destroying session 5E49B1956B6902F7DFD52236F5A1A783



> Thanks,
> Fraser


-- 
--
Groeten,
natxo


[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-08 Thread Zarko D via FreeIPA-users
Hi Fraser, I am making some progress. Let's please continue.

[1]
I was able to follow your info and find a common date in the past for all certs to be
valid.
Note, in case this is important, I have four IPA servers and I do this on the CA
renewal master.

[2]
Then the system clock was set to a past time (about 2 weeks before the expiry time),
stop ntp, restart krb5kdc, dirsrv, httpd, CA. Then I verify that the CA is running,
with the command:
 
SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt 
https://`hostname`:8443/ca/agent/ca/profileReview

* Initializing NSS with certpath: sql:/etc/httpd/alias/
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=ca-ldap04,O=REALM.COM
*   start date: Aug 01 17:18:06 2018 GMT
*   expire date: Jul 21 17:18:06 2020 GMT
*   common name: ca-ldap04
*   issuer: CN=Certificate Authority,O=US.ORACLE.COM
> GET /ca/agent/ca/profileReview HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ca-ldap04:8443
> Accept: */*
>
* NSS: client certificate not found (nickname not specified)
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Wed, 01 Aug 2018 18:28:04 GMT
<
{ [data not shown]
100 176410 176410 0   230k  0 --:--:-- --:--:-- --:--:--  232k
* Connection #0 to host ca-ldap04.realm.com left intact

[3]
Restart certmonger, and ONLY ONE cert is renewed, it's "Server-Cert cert-pki-ca".

status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-21 17:18:06 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC

[4]
From "journalctl -fu certmonger --full" basically there is "Insufficient
access: Invalid credentials"

Aug 01 11:04:45 ca-ldap04.realm.com certmonger[7447]: 2018-08-01 11:04:45 [7447] Will revisit CA6('dogtag-ipa-ca-renew-agent').default_profile now.
Aug 01 11:04:45 ca-ldap04.realm.com certmonger[7447]: 2018-08-01 11:04:45 [7447] CA6('dogtag-ipa-ca-renew-agent').default_profile moved to state 'DISABLED'
Aug 01 11:04:45 ca-ldap04.realm.com certmonger[7447]: 2018-08-01 11:04:45 [7447] Waiting for instructions for CA6('dogtag-ipa-ca-renew-agent').default_profile.
Aug 01 11:04:45 ca-ldap04.realm.com dogtag-ipa-ca-renew-agent-submit[7526]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
    if ca.is_renewal_master():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
    self.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
    self.do_sasl_gssapi_bind(timeout=timeout)

[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-08 Thread Peter Fern via FreeIPA-users

On 9/11/18 3:07 pm, John Petrini via FreeIPA-users wrote:
> The mname override now lives in ldap and is configured using the
> dnsserver-mod command. fake_mname is no longer included in named.conf.
> I think that feature was added to address this issue:
> https://pagure.io/bind-dyndb-ldap/issue/162
>
> We use TSIG for dynamic updates without any issues, not sure if
> something has changed there but it works for us.

Good to know - things may indeed have changed, last time I messed with
this was on v4.3.x.



[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-08 Thread John Petrini via FreeIPA-users
The mname override now lives in ldap and is configured using the
dnsserver-mod command. fake_mname is no longer included in named.conf.
I think that feature was added to address this issue:
https://pagure.io/bind-dyndb-ldap/issue/162

We use TSIG for dynamic updates without any issues, not sure if
something has changed there but it works for us.


[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-08 Thread Peter Fern via FreeIPA-users

It can be done, but there are some caveats you should be aware of:

- You'll need to disable the fake_mname that bind gets configured with 
for your SOA to show up correctly
- Any time you add/change a replica, you'll need to check your NS/SOA 
records and probably correct them again, as they get reset.
- TSIG updates for dynamic DNS don't work, as the nameserver in the SOA 
record doesn't match the required service principal.  You can kind of 
work around this by creating a new service for 
DNS/yournameserver.here.com to match your SOA record, delegating that to 
the appropriate hosts, and adding the kerberos key for that service to 
the bind keytab.  Even after doing this though, I've found it to be 
unreliable, and somewhat difficult to debug.


I filed an issue or two about related problems some years ago, but they 
weren't given much in the way of attention, because public DNS is deemed 
an unsupported configuration, so you probably shouldn't expect much in 
the way of help if things go poorly.


On 9/11/18 1:37 pm, Jonathan Vaughn via FreeIPA-users wrote:
> If I set up FreeIPA on 10.x.x.x internal IP, and have it manage
> company.net, it seems to want to set the NS record to its FQDN that
> only will be reachable internally. The internal IP is SNAT mapped to
> an external IP (vs using DMZ), so DNS requests can reach the server
> via the external IP.
>
> Other than assigning a public IP to FreeIPA server instead (and
> placing that IP in DMZ vs how our firewall/router is currently set up
> with SNAT), is there a way to serve public zones managed by FreeIPA
> functionally?
>
> Is it safe to just edit the NS/A records such that they're using
> externally resolvable addresses? Or will that break something?







[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-08 Thread Peter Fern via FreeIPA-users

On 9/11/18 2:14 pm, John Petrini via FreeIPA-users wrote:
> Yes. When you create a new zone it creates NS records for each IPA
> server by default but you can change them to whatever you want.
>
> If you do this you'll probably want to remove the SOA mname override
> from each of your IPA DNS servers otherwise changing the authoritative
> name server on the zone will have no effect on the mname in the zone's
> SOA. It's been a while since I've done it but if I remember correctly
> you just have to set it to an empty string to remove it.
>
> Get a list of the IPA DNS servers:
> ipa dnsserver-find
>
> Remove the mname override from each one
> ipa dnsserver-mod  --soa-mname-override



I don't know if this method provided here works, but the method I used 
was to comment out the `fake_mname` arg for the ipa dynamic-db in the 
bind configuration (named.conf).



[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-08 Thread John Petrini via FreeIPA-users
Yes. When you create a new zone it creates NS records for each IPA
server by default but you can change them to whatever you want.

If you do this you'll probably want to remove the SOA mname override
from each of your IPA DNS servers otherwise changing the authoritative
name server on the zone will have no effect on the mname in the zone's
SOA. It's been a while since I've done it but if I remember correctly
you just have to set it to an empty string to remove it.

Get a list of the IPA DNS servers:
ipa dnsserver-find

Remove the mname override from each one
ipa dnsserver-mod  --soa-mname-override


[Freeipa-users] Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

2018-11-08 Thread Jonathan Vaughn via FreeIPA-users
If I set up FreeIPA on 10.x.x.x internal IP, and have it manage company.net,
it seems to want to set the NS record to its FQDN that only will be
reachable internally. The internal IP is SNAT mapped to an external IP (vs
using DMZ), so DNS requests can reach the server via the external IP.

Other than assigning a public IP to FreeIPA server instead (and placing
that IP in DMZ vs how our firewall/router is currently set up with SNAT),
is there a way to serve public zones managed by FreeIPA functionally ?

Is it safe to just edit the NS/A records such that they're using externally
resolvable addresses? Or will that break something?


[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles  wrote:
> 
> > This is not timestamped, but I guess it is the thing. Weird, I don't
> > remember my provisioning does anything JRE-related, but I will do some
> > digging myself.
> >
> 
> Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
> been updated. A reboot solved the issue.
> 
> I'm not sure if it's worth filing a bug about this, but I don't mind doing
> so.
> 
> Sorry for wasting everyone's time :(
> 
> Álex
>
No worries Alex; glad the server is working again.

Cheers,
Fraser



[Freeipa-users] Re: yubikey csr not working

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users 
wrote:
> Natxo Asenjo via FreeIPA-users wrote:
> > hi,
> > 
> > I am testing smartcard authentication with a yubikey neo like described
> > in
> > https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
> > 
> > I successfully generated a key using the yubico-piv-tool, and with that
> > a csr.
> > 
> > yubico-piv-tool -a verify-pin -a request-certificate -s 9e -S "/CN=user50/"
> > Enter PIN:
> > Successfully verified PIN.
> > 
> > -BEGIN CERTIFICATE REQUEST-
> > -END CERTIFICATE REQUEST-
> > Successfully generated a certificate request.
> > 
> > With this csr I try generating a certificate but it fails:
> > 
> > $ ipa cert-request user50.csr --principal user50 --raw
> > ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Invalid Request
> > 
> > In the pki logs I only see this error.
> > 192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/authorities/edb13864-3c75-4c7d-b5b8-dd4322789437/cert HTTP/1.1" 200 920
> > 192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
> > 192.168.5.10 - - [08/Nov/2018:22:37:13 +0100] "POST /ca/rest/certrequests?issuer-id=edb13864-3c75-4c7d-b5b8-dd4322789437 HTTP/1.1" 500 123
> > 
> > Any ideas as to what is going wrong?
> 
> You need to specify a profile for it since it is a user certificate.
> 
> When I played with this over the summer I started with
> https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-subcas.html
> 
Nevertheless, the Dogtag CA should not be returning status 500.

Naxto, could you please provide Dogtag debug log from
/var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in
the journal at the time of this error, please give detail of that
too (`journalctl -u pki-tomcatd@pki-tomcat`).

Thanks,
Fraser


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 11:39:41AM +, Peter Oliver wrote:
> On Thu, 8 Nov 2018, 01:41 Fraser Tweedale  
> >
> > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
> >
> > If not, update the entry to match the certificate.
> >
> 
> Thanks.  Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate
> for "CN=CA Subsystem", not "CN=IPA RA" as was found in
> /var/lib/ipa/ra-agent.pem.  However, changing it didn't change the errors I
> received when trying to use vault, and additionally caused pki-tomcatd to
> be unable to restart ("Error netscape.ldap.LDAPException: Authentication
> failed (49)").  It seems like it's more than this one thing that's out of
> place.
> 
I'm sorry Peter, I told you the wrong user entry.  I should have
said uid=ipara, not uid=pkidbuser.  I'm sorry for the mistake.
Please restore the uid=pkidbuser entry to its previous state, and
perform the steps I mentioned against the uid=ipara entry instead.
(Note that the ipara entry doesn't have or need the 'seeAlso'
attribute).

(I got confused because both of these entries need to be in sync
with a certificate.  The pkidbuser entry is used by Dogtag to
authenticate to the LDAP database).

Thanks,
Fraser



[Freeipa-users] Re: yubikey csr not working

2018-11-08 Thread Rob Crittenden via FreeIPA-users
Natxo Asenjo via FreeIPA-users wrote:
> hi,
> 
> I am testing smartcard authentication with a yubikey neo like described
> in
> https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
> 
> I successfully generated a key using the yubico-piv-tool, and with that
> a csr.
> 
> yubico-piv-tool -a verify-pin -a request-certificate -s 9e -S "/CN=user50/"
> Enter PIN:
> Successfully verified PIN.
> 
> -BEGIN CERTIFICATE REQUEST-
> -END CERTIFICATE REQUEST-
> Successfully generated a certificate request.
> 
> With this csr I try generating a certificate but it fails:
> 
> $ ipa cert-request user50.csr --principal user50 --raw
> ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Invalid Request
> 
> In the pki logs I only see this error.
> 192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/authorities/edb13864-3c75-4c7d-b5b8-dd4322789437/cert HTTP/1.1" 200 920
> 192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
> 192.168.5.10 - - [08/Nov/2018:22:37:13 +0100] "POST /ca/rest/certrequests?issuer-id=edb13864-3c75-4c7d-b5b8-dd4322789437 HTTP/1.1" 500 123
> 
> Any ideas as to what is going wrong?

You need to specify a profile for it since it is a user certificate.

When I played with this over the summer I started with
https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-subcas.html

rob


[Freeipa-users] yubikey csr not working

2018-11-08 Thread Natxo Asenjo via FreeIPA-users
hi,

I am testing smartcard authentication with a yubikey neo like described in
https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html

I successfully generated a key using the yubico-piv-tool, and with that a
csr.

yubico-piv-tool -a verify-pin -a request-certificate -s 9e -S "/CN=user50/"
Enter PIN:
Successfully verified PIN.

-BEGIN CERTIFICATE REQUEST-
-END CERTIFICATE REQUEST-
Successfully generated a certificate request.

With this csr I try generating a certificate but it fails:

$ ipa cert-request user50.csr --principal user50 --raw
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Invalid Request

In the pki logs I only see this error.
192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/authorities/edb13864-3c75-4c7d-b5b8-dd4322789437/cert HTTP/1.1" 200 920
192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
192.168.5.10 - - [08/Nov/2018:22:37:13 +0100] "POST /ca/rest/certrequests?issuer-id=edb13864-3c75-4c7d-b5b8-dd4322789437 HTTP/1.1" 500 123

Any ideas as to what is going wrong?

Thanks!

--
Groeten,
natxo


[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Alex Corcoles via FreeIPA-users
On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles  wrote:

> This is not timestamped, but I guess it is the thing. Weird, I don't
> remember my provisioning does anything JRE-related, but I will do some
> digging myself.
>

Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
been updated. A reboot solved the issue.

I'm not sure if it's worth filing a bug about this, but I don't mind doing
so.

Sorry for wasting everyone's time :(

Álex
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Getting access denied when using kerberos when mounting nfs share

2018-11-08 Thread Kevin Vasko via FreeIPA-users
I actually ended up figuring this out. For whatever reason NFS_SECURE=“yes” 
was not in the configuration file (/etc/sysconfig/nfs). Once I added that to 
the configuration on the NFS server and the client (not sure if it’s needed 
there or not), it started working after resetting all the services. 

Thanks for the reply.

-Kevin

> On Nov 8, 2018, at 12:46 PM, Robbie Harwood  wrote:
> 
> Kevin Vasko via FreeIPA-users 
> writes:
> 
>> I followed these instructions to enable kerberos within my realm/domain. 
>> 
>> My FreeIPA, NFS server and my NFS client is CentOS 7.4
>> 
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html
>> 
>> I’m completely stuck in that when I mount the NFS share I get
>> 
>> sudo mount -o sec=krb5p share.example.com:/data/shared /mnt/shared
>> 
>> “mount.nfs: access denied by server while mounting 
>> share.example.com:/data/shared”
>> 
>> My /etc/exports file
>> /data/shared 172.16.0.0/24(sec=krb5p, rw, ...)
>> 
>> On my nfs server /var/log/messages all i see is
>> 
>> rpc.mountd[1674]: authenticated mount request from 172.16.0.23:819 for 
>> /data/shared (/data/shared)
>> 
>> If i remove the “sec=krb5p” from the mount and the exports file it mounts 
>> just fine.
> 
>> What messages do you see from rpc.gssd on the client (assuming you're
> using gssproxy)?  Also, anything in gssproxy logs on the server or
> client?
> 
> Thanks,
> --Robbie
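The thread turns on two things: the export must demand a Kerberos security flavor (sec=krb5p here), and the Kerberos side of nfs-utils must be switched on in /etc/sysconfig/nfs. The checker below is an added example, not code from the thread or from nfs-utils: it parses /etc/exports-style text and flags every clause that would let a client in with AUTH_SYS (no sec= at all, which defaults to sys, or sys listed among the flavors), notes clauses that authenticate without encrypting, and pulls the Kerberos switch out of /etc/sysconfig/nfs-style text. SECURE_NFS is the name used in the Fedora FreeIPA guide the thread links to; NFS_SECURE is the spelling in Kevin's message; both are reported so you can see which one a host actually carries. The sample exports and sysconfig text are constructed for the demonstration.

```python
"""Audit NFS exports for Kerberos-only access.

Added example for the thread above (not code from the thread or from nfs-utils).
An export clause without an explicit sec= option defaults to sec=sys, i.e.
AUTH_SYS, where the client merely asserts a UID/GID; listing sys anywhere in
the sec= list has the same effect for any client that asks for it.
"""
import re

# Flavors that authenticate the client principal (krb5p also encrypts).
KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}
# client(options) or a bare client with default options, as in exports(5).
_CLAUSE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")
# SECURE_NFS="yes" (Fedora guide) / NFS_SECURE="yes" (spelling in the thread).
_SWITCH = re.compile(r'^(SECURE_NFS|NFS_SECURE)\s*=\s*"?([A-Za-z]+)"?$')


def parse_exports(text):
    """Yield (path, client, options) per export clause; options without '='
    map to True. Comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in _CLAUSE.finditer(rest):
            client = m.group(3) or m.group(1)
            opts = {}
            for opt in (m.group(2) or "").split(","):
                opt = opt.strip()
                if opt:
                    key, eq, val = opt.partition("=")
                    opts[key] = val if eq else True
            yield path, client, opts


def audit_exports(text):
    """Return (severity, message) findings; an empty list means every clause
    requires krb5p."""
    findings = []
    for path, client, opts in parse_exports(text):
        sec = opts.get("sec")
        where = f"{path} {client}"
        if sec in (None, True):
            findings.append(("high", f"{where}: no sec= option, so sec=sys (AUTH_SYS) applies"))
            continue
        flavors = [f.strip() for f in sec.split(":")]
        weak = [f for f in flavors if f not in KRB5_FLAVORS]
        if weak:
            findings.append(("high", f"{where}: sec={sec} allows non-Kerberos flavor(s) {','.join(weak)}"))
        elif "krb5p" not in flavors:
            findings.append(("info", f"{where}: sec={sec} authenticates but does not encrypt; prefer krb5p"))
    return findings


def kerberos_switches(sysconfig_text):
    """Return {name: value} for SECURE_NFS / NFS_SECURE lines (comments ignored)."""
    found = {}
    for raw in sysconfig_text.splitlines():
        m = _SWITCH.match(raw.split("#", 1)[0].strip())
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found


# Constructed samples, not real files from the thread's hosts.
SAMPLE_EXPORTS = """\
/data/shared   172.16.0.0/24(sec=krb5p,rw,sync)
/data/public   172.16.0.0/24(rw,sync)            # no sec= at all
/data/legacy   172.16.0.0/24(sec=sys:krb5p,rw) *(ro)
/data/logs     172.16.0.0/24(sec=krb5,rw)
"""
SAMPLE_SYSCONFIG = """\
RPCMOUNTDOPTS=""
# SECURE_NFS="yes"
SECURE_NFS="yes"
"""

if __name__ == "__main__":
    for severity, message in audit_exports(SAMPLE_EXPORTS):
        print(f"[{severity}] {message}")
    print("kerberos switches:", kerberos_switches(SAMPLE_SYSCONFIG))
```

Run it against the real files with `audit_exports(open("/etc/exports").read())`; the "high" findings are the clauses that silently undo the sec=krb5p requirement for some client.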


[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-08 Thread Alexander Bokovoy via FreeIPA-users

On to, 08 marras 2018, Alfredo De Luca via FreeIPA-users wrote:

Hi alexander. Thanks for your info.
Here are 2 logs. One is the pam.log and the other one is the domain.log at
the time when we got the error below.

Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied
for user nifi_sftp: 4 (System error)

The user to search is nifi_sftp.

Thanks heaps and let me know if you need more info

Do you have SELinux enabled? Disabled?

From the looks of sssd_.log you have trouble with setting
SELinux for the user:

(Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] (0x0020): 
selinux_child_parse_response failed: [22][Invalid argument]

This means that most likely you have SELinux disabled completely yet
SSSD attempts to set up SELinux context and considers its failure a hard
fail.

Setting

selinux_provider = none

in [domain/novalocal] section should help if you are not using SELinux.


Cheers



On Wed, Nov 7, 2018 at 3:49 PM Alexander Bokovoy 
wrote:


On ke, 07 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
>Hi all. I wonder who and how this is been resolved?
>I have centos 7 where an sftp server is running. Authentication is with
>freeIPA 4.5.4.
>all the users connect to the sftp server normally but when there are
>multiple connections  randomly I got this error
>
>Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for
>user nifi_sftp: 4 (System error)
>
>Not sure why. The same user doesn't have any issue connecting manually but
>when different connections from 3 nodes (running a open source sftp client
>called NIFI from apache.org) I got that error.
>I have to say that I tried to reproduce with a script running multiple
>connections at the same time and I get the same errors. If I use
>controlmaster mechanism on ssh client I dont' get the error at all.
>
>Any idea?
Use sssd debugging to demonstrate why pam_sss is denying access.
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

You'd need logs from the sssd_.log and sssd_pam.log related to
the time when there is an attempt to connect with NIFI. Use
debug_level=9 in domain and pam sections to show all logs and provide
them somewhere we can look up.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland




--
*Alfredo*



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Alex Corcoles via FreeIPA-users
Hi Fraser and the new guys!

I think this may be it:

https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3#file-_var_log_pki_pki-tomcat_localhost-2018-11-07-log

snip:

SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with
path [/ca] threw exception [Could not initialize class
sun.security.ssl.SSLContextImpl$TLSContext] with root cause
java.lang.NoClassDefFoundError: Could not initialize class
sun.security.ssl.SSLContextImpl$TLSContext
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at java.security.Provider$Service.getImplClass(Provider.java:1634)
at java.security.Provider$Service.newInstance(Provider.java:1592)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at
org.apache.http.conn.ssl.SSLSocketFactory.getSocketFactory(SSLSocketFactory.java:171)
at
org.apache.http.impl.conn.SchemeRegistryFactory.createDefault(SchemeRegistryFactory.java:49)
at
org.apache.http.impl.client.AbstractHttpClient.createClientConnectionManager(AbstractHttpClient.java:306)
at
org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
at com.netscape.certsrv.client.PKIConnection.(PKIConnection.java:114)
at
com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:273)
at
com.netscape.cms.authentication.TokenAuthentication.sendAuthRequest(TokenAuthentication.java:216)
at
com.netscape.cms.authentication.TokenAuthentication.authenticate(TokenAuthentication.java:147)
at
com.netscape.cms.servlet.common.CMSGateway.checkAuthManager(CMSGateway.java:196)
at
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1792)
at
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1700)
at
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1690)
at
com.netscape.cms.servlet.csadmin.UpdateNumberRange.process(UpdateNumberRange.java:88)

This is not timestamped, but I guess it is the thing. Weird, I don't
remember my provisioning does anything JRE-related, but I will do some
digging myself.

One more question: is this a replica created from a replica?
> I fixed an issue quite recently that can occur under such a
> scenario, the symptoms of which are similar to yours.
>

Nope, I think this is my original freeipa-server. I might have done
something unlawful here, but I don't think so.

BTW:

On Thu, Nov 8, 2018 at 5:51 AM Fraser Tweedale  wrote:

> (Which is fair enough; we didn't ask for this extra stuff until
> now.)
>

I'm sorry- I could have actually poked at those logs myself (I am- or was-
a Java web dev). Looking at my previous post, my "did the song and dance
again" might have been impolite (if it does any good- this was more out of
frustration because my provisioning setup is unnecessarily slow). FreeIPA
is an awesome piece of software I get for free, I get support for free on
this mailing list from the authors, so I don't think I'm entitled to much
more. I suppose I'm also doing some free testing for RedHat, but I think
I'm the one getting the most benefit out of this, so thank you guys and
apologies.

Cheers,

Álex
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-08 Thread Eric Fredrickson via FreeIPA-users
Hello everyone,

I'm having an issue with OTP when logging into a vpn server that is a client of 
FreeIPA.  I can login with no issues when OTP is disabled.

FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4

HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service.
 Enabled: TRUE
 Users: 
 Hosts: vpnhost.localdomain.local
 Services: openvpn

User account:
[root@ipa ~]# ipa user-show 
  User login: 
  First name: 
  Last name: 
  Home directory: /home/
  Login shell: /bin/bash
  Principal name: 
  Principal alias: 
  Email address: 
  UID: 190963
  GID: 190963
  User authentication types: otp
  Certificate: 
  Account disabled: False
  Password: True
  Member of groups: vpn_users
  Member of HBAC rule: openvpn_access
  Indirect Member of HBAC rule: user_ipa_access
  Kerberos keys available: True

OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=200
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn


Any help would be greatly appreciated.  Any other information that you may 
need, please feel free to ask.  I've read multiple threads; some have gotten it 
to work without posting answers, some have not and have stated openvpn does not 
support multiple prompts.

Eric


[Freeipa-users] Re: Getting access denied when using kerberos when mounting nfs share

2018-11-08 Thread Robbie Harwood via FreeIPA-users
Kevin Vasko via FreeIPA-users 
writes:

> I followed these instructions to enable kerberos within my realm/domain. 
>
> My FreeIPA, NFS server and my NFS client is CentOS 7.4
>
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html
>
> I’m completely stuck in that when I mount the NFS share I get
>
> sudo mount -o sec=krb5p share.example.com:/data/shared /mnt/shared
>
> “mount.nfs: access denied by server while mounting 
> share.example.com:/data/shared”
>
> My /etc/exports file
> /data/shared 172.16.0.0/24(sec=krb5p, rw, ...)
>
> On my nfs server /var/log/messages all i see is
>
> rpc.mountd[1674]: authenticated mount request from 172.16.0.23:819 for 
> /data/shared (/data/shared)
>
> If i remove the “sec=krb5p” from the mount and the exports file it mounts 
> just fine.

What messages do you see from rpc.gssd on the client (assuming you're
using gssproxy)?  Also, anything in gssproxy logs on the server or
client?

Thanks,
--Robbie




[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-08 Thread Peter Oliver via FreeIPA-users
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale 
> Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> Do the 'userCertificate', 'description' and 'seeAlso' attributes
> match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
>
> If not, update the entry to match the certificate.
>

Thanks.  Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate
for "CN=CA Subsystem", not "CN=IPA RA" as was found in
/var/lib/ipa/ra-agent.pem.  However, changing it didn't change the errors I
received when trying to use vault, and additionally caused pki-tomcatd to
be unable to restart ("Error netscape.ldap.LDAPException: Authentication
failed (49)").  It seems like it's more than this one thing that's out of
place.

-- 
Peter Oliver



[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 06:03:27AM -, Zarko D via FreeIPA-users wrote:
> Thank you Fraser for the support. 
> 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no 
> problem here. 
> But I am afraid I can't find common date for remaining four certs. As per 
> below data:
> 
> [1] There is common date for auditSigningCert, subsystemCert and Server-Cert
> [2] There is common date for Server-Cert and ocspSigningCert
> [3] ocspSigningCert CANNOT have common date with auditSigningCert and 
> subsystemCert
> 
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'
> Not Before: Wed Aug 24 20:49:38 2016
> Not After : Tue Aug 14 20:49:38 2018
> 
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> Not Before: Wed Aug 24 20:49:35 2016
> Not After : Sun Aug 24 20:49:35 2036
> 
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
> Not Before: Wed Aug 24 20:49:36 2016
> Not After : Tue Aug 14 20:49:36 2018
> 
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
> Not Before: Sat Nov 12 16:21:33 2016
> Not After : Fri Nov 02 15:21:33 2018
> 
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
> Not Before: Mon Oct 22 20:15:53 2018
> Not After : Sun Oct 11 20:15:53 2020
> 
> # certutil -L -d /etc/dirsrv/slapd-REALM-COM -n 'REALM.COM IPA CA'
> Not Before: Wed Aug 24 20:49:35 2016
> Not After : Sun Aug 24 20:49:35 2036
> 
> 
> What would you suggest now ? 
>
I'm not 100% sure on the procedure but it will be something like:

1. Find an older version of the ocspSigningCert under
'ou=certificateRepository,ou=ca,o=ipaca', that is valid at the same
time as all the other certs.  Copy the certificate data to a file.

2. Back up the ocspSigningCert from the /etc/pki/pki-tomcat/alias
NSSDB, via pk12util.

3. Delete the ocspSigningCert from the /etc/pki/pki-tomcat/alias
NSSDB, i.e.:

  certutil -d /etc/pki/pki-tomcat/alias  \
-f /etc/pki/pki-tomcat/alias/pwdfile.txt \
-D -n "ocspSigningCert cert-pki-ca"

4. IIRC, (3) should only delete the "most recent" version of the
OCSP cert, and expose the earlier version.  But if this is not the
case, then import the certificate you saved at (1) via `certutil
-A`.

Once you have coerced the NSSDB to have a set of certificates
that are all valid at some point in time, set the system clock to
that time, restart Dogtag, and initiate renewals.

Cheers,
Fraser
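Zarko worked out by hand that the five pki-tomcat certificates have no common validity window and that the freshly renewed ocspSigningCert is the one that breaks it, which is exactly the input Fraser's procedure needs. The script below is an added example, not code from the thread or from Dogtag: it parses the Not Before / Not After lines of `certutil -L -d /etc/pki/pki-tomcat/alias -n <nick>` output, computes the window in which every certificate is valid, names the single certificate whose removal restores such a window, and proposes a clock time inside it. The SAMPLE dumps are the dates quoted in the thread, reassembled by hand into the two lines the script reads; the one-day margin in suggest_clock_time is my choice, not something the thread prescribes.

```python
"""Find the time at which every certificate in a Dogtag NSSDB is valid, and
which certificate blocks that window when there is none.

Added example, not code from the thread or from Dogtag/FreeIPA. Input is the
validity section of `certutil -L -d <nssdb> -n <nick>` output per nickname.
"""
import re
from datetime import datetime, timedelta

_NOT_BEFORE = re.compile(r"Not Before\s*:\s*(.+)")
_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")


def parse_certutil_time(text):
    """certutil prints e.g. 'Wed Aug 24 20:49:38 2016'; some builds append a
    zone name, which is dropped and the timestamp taken as-is."""
    fields = text.strip().split()[:5]
    return datetime.strptime(" ".join(fields), "%a %b %d %H:%M:%S %Y")


def parse_validity(certutil_output):
    """Return (not_before, not_after) from one certificate's certutil -L dump."""
    nb = _NOT_BEFORE.search(certutil_output)
    na = _NOT_AFTER.search(certutil_output)
    if not (nb and na):
        raise ValueError("no validity lines found in certutil output")
    return parse_certutil_time(nb.group(1)), parse_certutil_time(na.group(1))


def common_window(validities):
    """validities: {nickname: (not_before, not_after)}. Return (start, end)
    during which every certificate is valid, or None if no such time exists."""
    start = max(nb for nb, _ in validities.values())
    end = min(na for _, na in validities.values())
    return (start, end) if start <= end else None


def blocking_certs(validities):
    """Nicknames whose removal alone yields a common window. Empty if a window
    already exists or if dropping one certificate is not enough."""
    if common_window(validities) is not None:
        return []
    out = []
    for nick in validities:
        rest = {k: v for k, v in validities.items() if k != nick}
        if rest and common_window(rest) is not None:
            out.append(nick)
    return out


def suggest_clock_time(validities, margin=timedelta(days=1)):
    """A time inside the common window, as late as possible so the clock
    rollback is as short as it can be, minus a margin (my choice) for skew and
    the restart itself. None when there is no window."""
    window = common_window(validities)
    if window is None:
        return None
    start, end = window
    return max(start, end - margin)


# Validity dates as quoted in the thread, reassembled into certutil's format
# (constructed dumps containing only the two lines this script reads).
SAMPLE = {
    "auditSigningCert cert-pki-ca": "Not Before: Wed Aug 24 20:49:38 2016\nNot After : Tue Aug 14 20:49:38 2018\n",
    "caSigningCert cert-pki-ca": "Not Before: Wed Aug 24 20:49:35 2016\nNot After : Sun Aug 24 20:49:35 2036\n",
    "subsystemCert cert-pki-ca": "Not Before: Wed Aug 24 20:49:36 2016\nNot After : Tue Aug 14 20:49:36 2018\n",
    "Server-Cert cert-pki-ca": "Not Before: Sat Nov 12 16:21:33 2016\nNot After : Fri Nov 02 15:21:33 2018\n",
    "ocspSigningCert cert-pki-ca": "Not Before: Mon Oct 22 20:15:53 2018\nNot After : Sun Oct 11 20:15:53 2020\n",
}
VALIDITY = {nick: parse_validity(dump) for nick, dump in SAMPLE.items()}

if __name__ == "__main__":
    window = common_window(VALIDITY)
    if window is None:
        blockers = blocking_certs(VALIDITY)
        print("no common validity window; certificate(s) to drop first:", blockers)
        rest = {k: v for k, v in VALIDITY.items() if k not in blockers}
        print("window without them:", common_window(rest))
        print("suggested clock time:", suggest_clock_time(rest))
    else:
        print("common window:", window, "suggested clock time:", suggest_clock_time(VALIDITY))
```

Rolling the clock back affects more than Dogtag (Kerberos tickets, replication change sequence numbers, log ordering), so do it on an isolated host, keep the window as short as the script suggests, and move the clock forward again as soon as the renewals have been issued.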


[Freeipa-users] Re: SSH Key auth with expired Kerberos password

2018-11-08 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 07, 2018 at 09:53:03PM +, Nathan Harper via FreeIPA-users wrote:
> Hi all,
> 
> We have noticed some behaviour that we are trying to work out if it is
> expected or not (or if this is an SSSD thing).   We have a pair of FreeIPA
> replicas running on CentOS 7 (v4.5.x), with various CentOS 7 clients.
>  Most clients aren't actually enrolled in FreeIPA, but are configured with:
> 
> id_provider = ldap
> auth_provider = krb5
> 
> Authentication works as expected, plus password changes etc.   However, if
> a user has added a public key to authorized_keys, the status of the
> password is not considered and at no point is a user prompted to change
> their password.   More importantly, if a user is disabled in FreeIPA, they
> are still permitted to login using their SSH key.

If you are using the generic LDAP id_provider you might need to configure
access control for your needs. For this please see the ldap_access_order
option in the sssd-ldap man page.

> 
> I have checked the behaviour on a client that is enrolled, and it is better
> (disabling a user does prevent access), but it still does not give any
> indication about failed passwords.

IPA supports multiple authentication methods and although one might be
expired others might still work. E.g. you can use Smartcard
authentication with IPA and I guess you would be surprised if password
authentication would fail because your certificate on the Smartcard is
expired.


HTH

bye,
Sumit

> 
> Under most circumstances this wouldn't be too much of an issue, but we make
> use of one application for remote access that does not know what to do with
> an expired password, and instead just presents 'authentication failed'.
> 
> Any suggestions?

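Sumit's pointer is the ldap_access_order option of the generic LDAP provider. The root of Nathan's observation is that sshd never runs a PAM auth phase for publickey logins, only the account and session phases, so whatever SSSD's auth_provider knows about the password is never consulted; and with id_provider = ldap and no access_provider, SSSD's default access provider is "permit", which lets a locked account through. The fragment below is an added example, not configuration from the thread or from FreeIPA's documentation: it shows a minimal sssd.conf for a non-enrolled client that makes the account phase deny users disabled in IPA, so key-based SSH no longer bypasses the lock. The domain, server and suffix names are placeholders. It does not turn an expired password into a key-login failure; as Sumit says, one credential expiring does not invalidate another, so that policy has to be enforced elsewhere (for instance by removing or rotating keys when passwords expire).

```ini
[sssd]
domains = example
services = nss, pam, ssh

[domain/example]
id_provider = ldap
auth_provider = krb5
# Without an access provider the default is "permit": sshd runs no PAM auth
# phase for publickey, and the account phase then lets a locked user in.
access_provider = ldap
# "expire" makes the account phase consult the directory's lock/expiry state;
# the "ipa" policy evaluates the nsAccountLock attribute that
# `ipa user-disable` sets, so disabled users are denied for every login method.
ldap_access_order = expire
ldap_account_expire_policy = ipa
# Placeholders: replace with your own IPA servers and suffix.
ldap_uri = ldaps://ipa.example.test
ldap_search_base = dc=example,dc=test
krb5_realm = EXAMPLE.TEST
krb5_server = ipa.example.test
```

After restarting sssd, verify with a disabled test user: a password login should fail in the auth phase and a key login should now fail in the account phase (pam_sss(sshd:account) in the client's auth log); a user whose password has merely expired still gets in with a key, which is the behaviour Sumit describes rather than a misconfiguration.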