[Freeipa-users] Re: Retrieve private key from CA chain

2019-10-21 Thread Sam Klein via FreeIPA-users
Hi Rob,

> Need more context on what you're trying to do.

I hope to use a key to identify each endpoint for a Cisco Identity Services 
Engine.

To do so, I need a private key.

My hope was that IdM could automate this for me with a CA chain.

Does this context help?

Sam
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: ns-slapd hangs several times a day

2019-10-21 Thread Jared Ledvina via FreeIPA-users
//Keeping the freeipa-users list included

Hi Sylvain, 

Ah shucks. For the debug info packages, you might be able to leverage the 
packages available on https://dl.fedoraproject.org/pub/epel/ but, someone else 
on this list might know more. 

The only other idea that comes to mind is what was discussed on 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QPVGTNEARBEIV64ETMSDKTSYMTPEHW2T/

Specifically, in your 'cn=config' see if nsslapd-enable-nunc-stans is set to 
on; if it is, try using the ldapmodify in the above comment to disable it. For 
context, that defaults to off as a result of 
https://bugzilla.redhat.com/show_bug.cgi?id=1614501 


Hope this helps,
Jared

On Mon, Oct 21, 2019, at 5:31 AM, Sylvain Coutant wrote:
> Jared,
> 
> Thanks for your message. To be honest, I would have expected this to be a 
> network issue at first. All the symptoms are there. But tcpdump tells me that 
> things are ok ...
> 
> For the debuginfo, I already had a look but was unable to find the right 
> packages:
> 
> yum search --enablerepo=epel-debuginfo 389-ds
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
>  * base: centos.mirrors.proxad.net
>  * epel: mirrors.coreix.net
>  * epel-debuginfo: mirrors.coreix.net
>  * extras: centos.mirrors.proxad.net
>  * updates: centos.mirrors.proxad.net
> 
> ===== N/S matched: 389-ds =====
> 389-dsgw-debuginfo.x86_64 : Debug information for package 389-dsgw
> 389-ds.noarch : 389 Directory, Administration, and Console Suite
> 389-ds-base.x86_64 : 389 Directory Server (base)
> 389-ds-base-devel.x86_64 : Development libraries for 389 Directory Server
> 389-ds-base-libs.x86_64 : Core libraries for 389 Directory Server
> 389-ds-base-snmp.x86_64 : SNMP Agent for 389 Directory Server
> 389-ds-console.noarch : 389 Directory Server Management Console
> 389-ds-console-doc.noarch : Web docs for 389 Directory Server Management 
> Console
> 389-dsgw.x86_64 : 389 Directory Server Gateway (dsgw)
> 
> There's no 389-ds-base-debuginfo available. I'm probably missing something ...
> 
> As always, the cluster hung during the nightly backup. The node running 
> the backup was dead. After restarting it, I tried to disable retroCL trimming 
> as per https://bugzilla.redhat.com/show_bug.cgi?id=1751295, but still had a 
> hang during resync. I enabled a few more logs in ds, but so far they don't 
> look very helpful, except that it stops logging anything (including 
> housekeeping stuff) when stale.
> 
> 
> /Sylvain.
> 
> 
> 
> 
> On Mon, 21 Oct 2019 at 06:00, Jared Ledvina wrote:
>> 
>> Hi Sylvain,
>> 
>> I believe we had a similar issue in our configuration. I can dig in more 
>> tomorrow but, we had deadlocks with the retroCL plugin. 
>> 
>> If you follow the steps outlined on this page, 
>> https://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_hangs to 
>> get a stack trace, I can try to see if you're hitting the same thing. 
>> 
>> See https://bugzilla.redhat.com/show_bug.cgi?id=1751295 for some more 
>> details on the issue. 
>> 
>> Hope that helps,
>> Jared
>> 
>> On Sun, Oct 20, 2019, at 3:55 PM, Sylvain Coutant via FreeIPA-users wrote:
>>> Hello gurus,
>>> 
>>> We have been running a 3-node FreeIPA cluster for some time without major 
>>> trouble. One server may go stale from time to time, without real trouble 
>>> restarting it.
>>> 
>>> A few days ago, we had to migrate the VMs between two clouds (disk image 
>>> copied from one to the other). They have been renumbered from old to new 
>>> IPv4 address space. Not that easy, but we finally got it done with all DNS 
>>> entries in sync. Yet, since the migration, ns-slapd process hangs randomly 
>>> way more often than before (went from once every few months to several 
>>> times a day) and is especially hard to restart on any node.
>>> 
>>> While starting up, the netstat output is like:
>>> 
>>> Active Internet connections (w/o servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>> tcp6 184527 0 10.217.151.3:389 10.217.151.2:52314 ESTABLISHED 29948/ns-slapd
>>> 
>>> Netstat and tcpdump show it processes the recvq very slowly (sometimes 
>>> 79 bytes per 1-2 seconds). At some point it just stops processing it and 
>>> hangs (only kill -9 works to take it down). When stale, strace shows the 
>>> process loops only on:
>>> 
>>> getpeername(8, 0x7ffe62c49fd0, 0x7ffe62c49f94) = -1 ENOTCONN (Transport endpoint is not connected)
>>> poll([{fd=50, events=POLLIN}, 
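A small check-and-remediate helper for the nunc-stans setting Jared mentions, added here as an example (not code from the list or from 389-ds): it reads the LDIF that an ldapsearch of cn=config returns and, when the attribute is on, produces the ldapmodify LDIF that turns it off. The ldapsearch invocation in the docstring and the sample output are assumptions.

```python
"""Check whether nunc-stans is enabled in 389-ds cn=config and emit the LDIF
that switches it off. Added example; the search it consumes is assumed to be
something like (bind details depend on your deployment):

    ldapsearch -LLL -D 'cn=Directory Manager' -W -b cn=config -s base \
        nsslapd-enable-nunc-stans
"""
import base64

ATTR = "nsslapd-enable-nunc-stans"


def parse_ldif_attr(ldif_text: str, attr: str):
    """Return the value of `attr` from a single-entry LDIF, or None.
    Handles folded continuation lines (leading space) and base64 values
    ('attr:: xxx'), both of which ldapsearch may emit."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    key = attr.lower()
    for line in lines:
        if line.lower().startswith(key + "::"):
            return base64.b64decode(line.split("::", 1)[1].strip()).decode()
        if line.lower().startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return None


def nunc_stans_enabled(ldif_text: str) -> bool:
    value = parse_ldif_attr(ldif_text, ATTR)
    return value is not None and value.lower() == "on"


def disable_ldif() -> str:
    """LDIF for `ldapmodify` that sets the attribute back to its default, off."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        f"replace: {ATTR}",
        f"{ATTR}: off",
        "",
    ])


# Constructed sample of the ldapsearch output above (not from a real server).
SAMPLE = "dn: cn=config\nnsslapd-enable-nunc-stans: on\n"

if __name__ == "__main__":
    if nunc_stans_enabled(SAMPLE):
        print(disable_ldif())          # feed this to: ldapmodify -D ... -W
    else:
        print("nunc-stans already off")
```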

[Freeipa-users] Re: Retrieve private key from CA chain

2019-10-21 Thread Rob Crittenden via FreeIPA-users
Sam Klein via FreeIPA-users wrote:
> Using certutil, I'm able to extract my localhost CA using this command.
> 
> certutil -L -d dbm:/etc/ipa/nssdb -a -n 'Local IPA host'
> 
> However, I need a signing key to create a private key. Is there a method to 
> extract a private key that signed my localhost CA from the endpoint, or does 
> this key exist on my server?

Need more context on what you're trying to do. You shouldn't need direct
access to the CA private key.

rob


[Freeipa-users] Retrieve private key from CA chain

2019-10-21 Thread Sam Klein via FreeIPA-users
Using certutil, I'm able to extract my localhost CA using this command.

certutil -L -d dbm:/etc/ipa/nssdb -a -n 'Local IPA host'

However, I need a signing key to create a private key. Is there a method to 
extract a private key that signed my localhost CA from the endpoint, or does 
this key exist on my server?

Thank you.


[Freeipa-users] is it possible to enable constrained delegation for only some users?

2019-10-21 Thread Charles Hedrick via FreeIPA-users
We have kerberos everywhere, and use it for access to NFS home directories.

So what do we do about cron jobs? We have a solution, but it involves custom 
code that impersonates the KDC. I’d like to do something more standard.

Constrained delegation seems like a possibility. But I’d need to be able to say 
“allow cron to get credentials for NFS for a specific group of users.” Since 
all of our systems run cron, I don’t want to allow any system to be able to get 
an NFS credential for any user. That would let root on any system see anyone’s 
files. So the user has to authorize it. Presumably if the user runs his own 
desktop, he’s willing to allow it to get credentials for himself. But I 
wouldn’t trust his machine to be able to get mine.

The constrained delegation mechanism seems to handle this, except that I don’t 
see a way to constrain it to specific users. Am I missing something?



[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-21 Thread Vinícius Ferrão via FreeIPA-users
Guys, thank you all.

I’ve opened an issue on the SSSD page:
https://pagure.io/SSSD/sssd/issue/4106

Feel free to add anything related.

Thanks.

On 18 Oct 2019, at 03:24, Vinícius Ferrão via FreeIPA-users wrote:

On 18 Oct 2019, at 03:20, Sumit Bose wrote:

On Fri, Oct 18, 2019 at 05:57:40AM +, Vinícius Ferrão wrote:

On 17 Oct 2019, at 03:52, Sumit Bose wrote:

On Thu, Oct 17, 2019 at 04:32:05AM +, Vinícius Ferrão wrote:

On 16 Oct 2019, at 16:01, Rob Crittenden wrote:

Vinícius Ferrão wrote:

On 15 Oct 2019, at 17:49, Rob Crittenden wrote:

Vinícius Ferrão wrote:
Hi Rob

On 15 Oct 2019, at 10:22, Rob Crittenden wrote:

Vinícius Ferrão via FreeIPA-users wrote:
Hello,

I’m trying to implement SSH Hostbased Authentication between IPA
joined machines but I’m with difficulties regarding:

* The /etc/ssh/ssh_known_hosts file.

In a FreeIPA environment the known_hosts are stored on IPA, and I’m
aware of the ProxyCommand /usr/bin/sss_ssh_knownhostsproxy; but how
can I create this file with the entries from FreeIPA?

Why do you want to? That is the point of the proxy, so dynamic files
don't need to be maintained.

Because it appears to be a requirement. Unfortunately SSH does not look
at /var/lib/sss/pubconf/known_hosts:

debug1: userauth_hostbased: cuser admin chost hpclab01.cluster.iq.ufrj.br. pkalg ecdsa-sha2-nistp256 slen 100 [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x561842345040
debug2: hostbased_key_allowed: chost hpclab01.cluster.iq.ufrj.br. resolvedname hpclab01.cluster.iq.ufrj.br ipaddr 172.26.0.1
debug2: stripping trailing dot from chost hpclab01.cluster.iq.ufrj.br.
debug2: auth_rhosts2: clientuser admin hostname hpclab01.cluster.iq.ufrj.br ipaddr 172.26.0.1
debug1: temporarily_use_uid: 168300/168300 (e=0/0)
debug1: restore_uid: 0/0
debug1: fd 8 clearing O_NONBLOCK
debug2: hostbased_key_allowed: access allowed by auth_rhosts2
debug1: temporarily_use_uid: 168300/168300 (e=0/0)
debug1: restore_uid: 0/0
debug1: check_key_in_hostfiles: key for host hpclab01.cluster.iq.ufrj.br not found
debug1: temporarily_use_uid: 168300/168300 (e=0/0)
debug1: restore_uid: 

[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-21 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian wrote:
> Hi Rob
> Thank you for helping
> I disabled the default HBAC rule and added a new rule that user "elham" could
> login and ssh on hosts "ipa-client and ipa-server".
> Now it can ssh to ipa-server but it still has a problem with ipa-client.
> So rules couldn't solve my problem.

I don't know what to tell you without more details.

rob

> 
> On Tue, 15 Oct 2019, 16:44 Rob Crittenden wrote:
> 
> Please keep freeipa-users in the responses.
> 
> Elhamsadat Azarian wrote:
> > Hi Rob
> > I did it and i got this answer:
> >
> > Access granted : false
> >
> > What can i do now?
> 
> IPA ships with a default HBAC rule, allow_all, which allows all users to
> authenticate on all hosts. I can only assume you've deleted or disabled
> that, and that's fine.
> 
> But if you do then you need to create the set of rules to grant access
> to hosts for the appropriate users.
> 
> To provide specific assistance you'd need to share a bit of internal
> details, current HBAC rules, etc. It is understandable if you can't
> do that.
> 
> But basically you need to evaluate your HBAC rules to find out why this
> user can't log into hosts. The user may be missing from a group, for
> example.
> 
> rob
> >
> > On Mon, 14 Oct 2019, 18:07 Rob Crittenden wrote:
> >
> >     Elhamsadat Azarian wrote:
> >     > I tried to add HBAC rules to my user but it said: some operation
> >     > failed. Users cannot be added when user category = all
> >
> >     Adding list back.
> >
> >     Try something like:
> >
> >     ipa hbactest --user elham --service ssh --host 
> >
> >     There is an equivalent way to do it in the UI.
> >
> >     rob
> >
> >     >
> >     > On Wed, 9 Oct 2019, 17:19 Rob Crittenden wrote:
> >     >
> >     >     Kevin Vasko via FreeIPA-users wrote:
> >     >     > Have you made sure your “elham” user has the correct permissions
> >     >     > to access the machines? Take a look in the UI at the
> >     >     > groups/permissions that user elham has. Take a look at your HBAC
> >     >     > rules as well. That would be my first recommendation to check if it
> >     >     > was me.
> >     >
> >     >     Right, and the troubleshooting page suggests that (and
> >     >     increasing debug logging).
> >     >
> >     >     Please provide the output of the things you have already
> >     >     looked at.
> >     >
> >     >     rob
> >     >
> >     >     >
> >     >     > -Kevin
> >     >     >
> >     >     >> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users wrote:
> >     >     >>
> >     >     >> ### Request for enhancement
> >     >     >> As a Linux admin I want to log in to my IPA client with a user
> >     >     >> that is defined in the ipa-server UI.
> >     >     >>
> >     >     >> ### Issue
> >     >     >> I installed ipa-server and an ipa-client on CentOS 7.6.
> >     >     >> I defined internal DNS on ipa-server and I defined A and PTR
> >     >     >> records for the client on ipa-server.
> >     >     >> Now I can see my client in the IPA UI and I defined a user with
> >     >     >> name "elham" and I expect that it can log in to ipa-client.
> >     >     >> When I log in as root on ipa-client and do sudo elham, it
> >     >     >> works, and kinit elham works too, but
> >     >     >> when I ssh into ipa-client with this user, it shows
> >     >     >> "Access denied".
> >     >     >> I have errors with this context:
> >     >     >> pam_reply : authentication failure to the client
> >     >     >> pam_sss: authentication failure
> >     >     >>
> >     >     >> I'm tired of this issue. Please help me if you know the
> >     >     >> solution.
> >     >     >>
> >     >     >> Steps to Reproduce
> >     >     >> 1. define new user "elham" in ipa UI
> >     >     >> 2. SSH to ipa-client with elham
> >     >     >> 3. access 
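To see what the HBAC side of this thread looks like without a server, here is an offline model of rule evaluation, added as an example and not IPA's own code: with allow_all disabled and a rule like the one described (user elham, both hosts, the ssh service), evaluation grants the login on both hosts, which is the same answer `ipa hbactest` would give and why the remaining denial has to be chased in the PAM/SSSD logs rather than in the rules. Host names, the "sshd" service name and the group names are assumptions.

```python
"""Offline model of IPA HBAC evaluation, close to what `ipa hbactest` reports.
Added example, not IPA's code. Rules below are constructed to mirror the
thread: allow_all disabled, one custom rule for user elham on two hosts."""
from dataclasses import dataclass, field


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    # A category of "all" matches everything; otherwise explicit members apply.
    user_category: str = ""
    host_category: str = ""
    service_category: str = ""
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)


def add_user(rule: HBACRule, user: str) -> None:
    """Same constraint IPA enforces (the error quoted in the thread)."""
    if rule.user_category == "all":
        raise ValueError("Users cannot be added when user category = all")
    rule.users.add(user)


def _matches(category, members, candidate, candidate_groups, member_groups):
    if category == "all":
        return True
    return candidate in members or bool(set(candidate_groups) & member_groups)


def hbac_allowed(rules, user, host, service, user_groups=(), host_groups=()):
    """Access is granted if ANY enabled rule matches user, host and service.
    Returns (granted, names of the matching rules)."""
    matched = [
        r.name for r in rules
        if r.enabled
        and _matches(r.user_category, r.users, user, user_groups, r.user_groups)
        and _matches(r.host_category, r.hosts, host, host_groups, r.host_groups)
        and _matches(r.service_category, r.services, service, (), set())
    ]
    return bool(matched), matched


# Constructed rule set: the default allow_all switched off, plus the custom rule.
ALLOW_ALL = HBACRule("allow_all", enabled=False, user_category="all",
                     host_category="all", service_category="all")
ELHAM_SSH = HBACRule("elham_ssh", users={"elham"},
                     hosts={"ipa-server.example.test", "ipa-client.example.test"},
                     services={"sshd"})
RULES = [ALLOW_ALL, ELHAM_SSH]

if __name__ == "__main__":
    # HBAC alone grants this login, so a real denial comes from PAM/SSSD.
    print(hbac_allowed(RULES, "elham", "ipa-client.example.test", "sshd"))
```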

[Freeipa-users] Freeipa homedir overrides

2019-10-21 Thread Matthias Salzmann via FreeIPA-users
Hello all,
I'm a newbie to FreeIPA.

I have a (one-sided) cross-forest trust with an Active Directory domain.
AD users are able to log in with ssh on the Linux server. That works fine.

With sssd i am able to override the homedir. (override_homedir = /home/%u)

Unfortunately it is not possible to override the homedir with an additional 
variable. Example:  /home/%g/%u   ( %g = $group ) 

The default group of each user should be included in homedir like 
/home/merchandising/paul

In the FreeIPA server I am able to override a user's homedir with ID views, but only 
for a single user.

Does anyone know how I can override the homedir for a specific group?

Many Thanks

Matthias
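Since override_homedir offers no group token, one route the post already mentions is per-user ID view overrides; the script below, added as an example that is not part of the post or of FreeIPA, generates those overrides in bulk from a primary-group listing so the single-user limitation becomes a loop. The view name, AD domain and user/group names are constructed assumptions.

```python
"""Bulk per-user home directory overrides through an IPA ID view.
Added example: builds one `ipa idoverrideuser-add VIEW USER --homedir=...`
command per trusted-domain user, deriving /home/<primary group>/<user>.
Inputs here are constructed; in practice they come from your AD listing."""
import re
import shlex

# Only accept names usable as a single path component (no '/', no leading '.').
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def homedir_for(user: str, group: str, root: str = "/home") -> str:
    """/home/<group>/<user>, rejecting anything that could escape the tree."""
    for name in (user, group):
        if not SAFE_NAME.match(name):
            raise ValueError(f"unsafe path component: {name!r}")
    return f"{root}/{group}/{user}"


def override_commands(view: str, domain: str, primary_group: dict) -> list:
    """primary_group maps short AD user name -> primary group name.
    Trusted-domain users are addressed as user@domain in IPA."""
    cmds = []
    for user, group in sorted(primary_group.items()):
        cmds.append(" ".join([
            "ipa", "idoverrideuser-add", shlex.quote(view),
            shlex.quote(f"{user}@{domain}"),
            "--homedir=" + shlex.quote(homedir_for(user, group)),
        ]))
    return cmds


# Constructed sample listing (assumption, not real accounts).
USERS = {"paul": "merchandising", "anna": "finance"}

if __name__ == "__main__":
    for cmd in override_commands("adusers", "ad.example.test", USERS):
        print(cmd)
    # The view only takes effect on hosts it is applied to:
    #   ipa idview-apply adusers --hosts=<client host>
```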