[Freeipa-users] Re: Split domain for IPA and internal machines

2020-02-24 Thread Florence Blanc-Renaud via FreeIPA-users

On 2/25/20 12:10 AM, Nicholas DeMarco via FreeIPA-users wrote:
> I've configured FreeIPA servers in identity.demarcohome.com, and my
> internal machines are in int.demarcohome.com.
>
> I added discovery SRV records to the int.demarcohome.com:
> _kerberos TXT "IDENTITY.demarcohome.COM"
> _kerberos-master._tcp SRV 0 100 88 ipa1.identity.demarcohome.com.
> _kerberos-master._udp SRV 0 100 88 ipa1.identity.demarcohome.com.
> _kerberos._tcp SRV 0 100 88 ipa1.identity.demarcohome.com.
> _kerberos._udp SRV 0 100 88 ipa1.identity.demarcohome.com.
> _kpasswd._udp SRV 0 100 464 ipa1.identity.demarcohome.com.
> _ldap._tcp SRV 0 100 389 ipa1.identity.demarcohome.com.
>
> When configuring a client, a few things didn't go well:
> 2020-02-24T22:51:21Z DEBUG args=['/usr/bin/getent', 'passwd',
> 'ndema...@int.demarcohome.com']

Hi,
from the above line I assume that ipa-client-install is run with the 
principal "ndemarco" instead of the usual admin user. This should work 
but it looks like the principal is resolved as 
ndema...@int.demarcohome.com instead of ndema...@identity.demarcohome.com.

Could you try with the full principal name:
ipa-client-install [...] --principal ndema...@identity.demarcohome.com ?

flo


> 2020-02-24T22:51:21Z DEBUG Process finished, return code=2
>
> Also some unexpected [Try 1] blocks in the error log like:
> DEBUG Try RPC connection
> INFO [try 1]: Forwarding 'ping' to json server
> 'https://ipa1.identity.demarcohome.com/ipa/session/json'
> DEBUG New HTTP connection (ipa1.identity.demarcohome.com)
>
> My DNS is probably not set up properly yet, but I'm properly worn out
> for the day on this.


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org




[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-24 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 25, 2020 at 04:16:53AM -, Michael Solodovnikov via FreeIPA-users wrote:
> Hi.
> 
> > Can you run the same commands as
> > 
> > KRB5_TRACE=/dev/stdout kinit solodovnikov@win.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> > KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> > 
> > and send the output?
> 
> KRB5_TRACE - https://paste.centos.org/view/848348bc
>  
> > Here the all upper-case version is requested and not found. Please note
> > the Kerberos according to the RFCs is case-sensitive and the IPA KDC
> > treats principal names case-sensitive in contrast to AD DCs.
> 
> Yes, I pay attention to it.
>  
> > The cross-realm TGT is needed for the Kerberos ticket validation. You
> > can disable this for testing by setting 'krb5_validate = False' in the
> > [domain/...] section of sssd.conf. But since validation is a useful
> > security feature, especially in an environment with trust, I'd recommend
> > to still find the real cause of the issue and not use 'krb5_validate =
> > False' permanently.
> 
> Added the 'krb5_validate = False' option; not working.
>
> On the server I disabled these options:
>
> [domain/nix.gtf.kz/win.gtf.kz]
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
> And enabled:
> 
> krb5_validate = False
> 
> [domain/nix.gtf.kz]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc1.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = dc1.nix.gtf.kz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_validate = False
> debug_level=9
> 
> [sssd]
> services = sudo, nss, ifp, pam, ssh
> domains = nix.gtf.kz
> debug_level=9
> ...
> 
> Clean and restart.
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
> # systemctl restart ipa
> 
> [root@dc1 ~]# su - test
> Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
> [test@dc1 ~]$ su - solodovnikov@win.gtf.kz
> Password:
> su: Authentication failure
> 
> In krb5kdc.log - https://paste.centos.org/view/b921a40b
>  
> > This looks like the client cannot properly detect that enterprise
> > principal should be used. To understand why it would be good to see the
> > full SSSD domain log of the client. As a workaround you can add
> > 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> > sssd.conf on the IPA client. Given the issue from above you might have
> > to add 'krb5_validate = False' as well.
>  
> On the client I added krb5_use_enterprise_principal = True and krb5_validate = False:
> 
> [domain/nix.gtf.kz]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = sqlg.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = _srv_, dc1.nix.gtf.kz
> ldap_tls_cacert = /etc/ipa/ca.crt
> 
> krb5_use_enterprise_principal = True
> krb5_validate = False
> 
> use_fully_qualified_names = True
> re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
> 
> debug_level=9
> [sssd]
> services = nss, sudo, pam, ssh
> 
> domains = nix.gtf.kz
> 
> debug_level=9
> ...
> 
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
> 
> [root@sqlg ~]# su - test
> Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
> [test@sqlg ~]$ su - solodovnikov@win.gtf.kz
> Password:
> su: Authentication failure
> 
> In sssd log - https://paste.centos.org/view/359115b9
> In messages - https://paste.centos.org/view/f459ec56
> In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Hi,

can you paste krb5_child.log from the server and client attempt as well?

bye,
Sumit

> 
> Michael.


[Freeipa-users] Using sssd/freeipa and samba: User j...@mds.xyz can mount Samba share in Win 10. Same share fails to mount on a Mac using same user.

2020-02-24 Thread TomK via FreeIPA-users

Hey All,

This might be a bit of an unusual question but perhaps someone here has 
seen this scenario.


As per the subject says, user j...@mds.xyz can mount Samba share in Win 
10.  Same share fails to mount on a Mac using same user.


It appears Macs insist on interpreting the UPN j...@mds.xyz as 
user@domain instead of just considering the entire string 
"j...@mds.xyz" as a user.


Tried both the Mac UI and command line using such things as:

mount_smbfs -d 5 "//MDS.XYZ;joe:@192.168.0.125/NFS-joe" /samba/


but the attempt fails to mount instead giving:

[2020/02/25 00:38:25.979467,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/02/25 00:38:25.979543,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'joe' in passdb.
[2020/02/25 00:38:25.979614,  2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2020/02/25 00:38:25.979779,  2] ../auth/auth_log.c:476(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MDS.XYZ]\[joe] at [Tue, 25 Feb 2020 00:38:25.979710 EST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MACBOOKPRO-0138] remote host [ipv4:192.168.0.206:52695] mapped to [MDS.XYZ]\[joe]. local host [ipv4:192.168.0.125:445]
[2020/02/25 00:38:25.980276,  2] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
  JSON Authentication: {"timestamp": "2020-02-25T00:38:25.980017-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.0.125:445", "remoteAddress": "ipv4:192.168.0.206:52695", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MDS.XYZ", "clientAccount": "joe", "workstation": "MACBOOKPRO-0138", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "joe", "mappedDomain": "MDS.XYZ", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 9826}}
[2020/02/25 00:38:25.980420,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)


SSSD is configured on the NFS03 servers from which Samba is running. 
Authentication works fine on all hosts with SSSD.  SSSD in turn is 
connected to FreeIPA.


Wondering if anyone has seen this scenario and remembers what the 
possible solution may have been to get said mounts working on a Mac?


--
Thx,
TK.
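The Samba excerpt above ends with a "JSON Authentication:" audit record, which is the easiest thing to feed into detection tooling. What follows is an added example, not part of TomK's post or of the Samba project: it parses those records out of a Samba log and summarises failed logons, plus a heuristic for the failure mode TomK describes (a client that split user@realm into DOMAIN\user). The two log records are constructed after the excerpt; the second one, a successful NTLMv2 logon from a hypothetical Windows host, is invented for contrast, and the `upn_split_suspects` rule is an assumption built on the post's observation, not a Samba rule.

```python
"""Parse Samba's JSON authentication audit records and summarise failures.
Added example; the log text below is constructed after the excerpt in the post."""
import json
from collections import Counter

# Constructed sample: the NT_STATUS_NO_SUCH_USER record from the post, plus an
# invented successful logon from a hypothetical Windows workstation.
SAMPLE_LOG = """\
[2020/02/25 00:38:25.980276,  2] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
  JSON Authentication: {"timestamp": "2020-02-25T00:38:25.980017-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.0.125:445", "remoteAddress": "ipv4:192.168.0.206:52695", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MDS.XYZ", "clientAccount": "joe", "workstation": "MACBOOKPRO-0138", "mappedAccount": "joe", "mappedDomain": "MDS.XYZ", "passwordType": "NTLMv2", "duration": 9826}}
[2020/02/25 00:39:02.114502,  2] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
  JSON Authentication: {"timestamp": "2020-02-25T00:39:02.114400-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.0.125:445", "remoteAddress": "ipv4:192.168.0.50:49822", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MDS", "clientAccount": "joe", "workstation": "WIN10-DESK", "mappedAccount": "joe", "mappedDomain": "MDS", "passwordType": "NTLMv2", "duration": 4120}}
"""

MARKER = "JSON Authentication: "


def _host(addr):
    """'ipv4:192.168.0.206:52695' -> '192.168.0.206' (also works for 'ipv6:...:port')."""
    return addr.split(":", 1)[1].rsplit(":", 1)[0]


def parse_auth_events(text):
    """Return one flat dict per Authentication record; all other log lines are ignored."""
    events = []
    for line in text.splitlines():
        pos = line.find(MARKER)
        if pos < 0:
            continue
        record = json.loads(line[pos + len(MARKER):])
        if record.get("type") != "Authentication":
            continue
        auth = record["Authentication"]
        events.append({
            "timestamp": record["timestamp"],
            "status": auth["status"],
            "client_domain": auth.get("clientDomain") or "",
            "client_account": auth.get("clientAccount") or "",
            "workstation": auth.get("workstation") or "",
            "remote_host": _host(auth["remoteAddress"]),
            "password_type": auth.get("passwordType") or "",
        })
    return events


def failures_by_account(events):
    """Count every non-NT_STATUS_OK event per (client domain, account, status)."""
    counts = Counter()
    for e in events:
        if e["status"] != "NT_STATUS_OK":
            counts[(e["client_domain"], e["client_account"], e["status"])] += 1
    return counts


def upn_split_suspects(events):
    """Heuristic (an assumption, not a Samba rule) for the failure mode in the post:
    NT_STATUS_NO_SUCH_USER where the client sent a dotted, realm-looking domain,
    i.e. it split user@realm into DOMAIN\\user before doing NTLMv2."""
    return [e for e in events
            if e["status"] == "NT_STATUS_NO_SUCH_USER" and "." in e["client_domain"]]


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for key, n in failures_by_account(evs).items():
        print(n, "failure(s) for", key)
    for e in upn_split_suspects(evs):
        print("possible UPN split:", e["workstation"], e["remote_host"],
              f'{e["client_domain"]}\\{e["client_account"]}')
```

Point `parse_auth_events` at the contents of log.smbd (or the per-client log) with the auth audit class at level 2 or higher, then group on `remote_host` or `workstation` to see which clients are generating the mapped-domain mismatches.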


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-24 Thread Michael Solodovnikov via FreeIPA-users
Hi.

> Can you run the same commands as
> 
> KRB5_TRACE=/dev/stdout kinit solodovnikov@win.gtf.kz
> KRB5_TRACE=/dev/stdout klist
> KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> KRB5_TRACE=/dev/stdout klist
> 
> and send the output?

KRB5_TRACE - https://paste.centos.org/view/848348bc
 
> Here the all upper-case version is requested and not found. Please note
> the Kerberos according to the RFCs is case-sensitive and the IPA KDC
> treats principal names case-sensitive in contrast to AD DCs.

Yes, I pay attention to it.
 
> The cross-realm TGT is needed for the Kerberos ticket validation. You
> can disable this for testing by setting 'krb5_validate = False' in the
> [domain/...] section of sssd.conf. But since validation is a useful
> security feature, especially in an environment with trust, I'd recommend
> to still find the real cause of the issue and not use 'krb5_validate =
> False' permanently.

Added the 'krb5_validate = False' option; not working.

On the server I disabled these options:

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

And enabled:

krb5_validate = False

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_validate = False
debug_level=9

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = nix.gtf.kz
debug_level=9
...

Clean and restart.
# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
# systemctl restart ipa

[root@dc1 ~]# su - test
Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
[test@dc1 ~]$ su - solodovnikov@win.gtf.kz
Password:
su: Authentication failure

In krb5kdc.log - https://paste.centos.org/view/b921a40b
 
> This looks like the client cannot properly detect that enterprise
> principal should be used. To understand why it would be good to see the
> full SSSD domain log of the client. As a workaround you can add
> 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> sssd.conf on the IPA client. Given the issue from above you might have
> to add 'krb5_validate = False' as well.
 
On the client I added krb5_use_enterprise_principal = True and krb5_validate = False:

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt

krb5_use_enterprise_principal = True
krb5_validate = False

use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))

debug_level=9
[sssd]
services = nss, sudo, pam, ssh

domains = nix.gtf.kz

debug_level=9
...

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@sqlg ~]# su - test
Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
[test@sqlg ~]$ su - solodovnikov@win.gtf.kz
Password:
su: Authentication failure

In sssd log - https://paste.centos.org/view/359115b9
In messages - https://paste.centos.org/view/f459ec56
In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Michael.


[Freeipa-users] Split domain for IPA and internal machines

2020-02-24 Thread Nicholas DeMarco via FreeIPA-users
I've configured FreeIPA servers in identity.demarcohome.com, and my
internal machines are in int.demarcohome.com.

I added discovery SRV records to the int.demarcohome.com:
_kerberos TXT "IDENTITY.demarcohome.COM"
_kerberos-master._tcp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kerberos-master._udp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kerberos._tcp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kerberos._udp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kpasswd._udp SRV 0 100 464 ipa1.identity.demarcohome.com.
_ldap._tcp SRV 0 100 389 ipa1.identity.demarcohome.com.

When configuring a client, a few things didn't go well:
2020-02-24T22:51:21Z DEBUG args=['/usr/bin/getent', 'passwd', 'ndema...@int.demarcohome.com']
2020-02-24T22:51:21Z DEBUG Process finished, return code=2

Also some unexpected [Try 1] blocks in the error log like:
DEBUG Try RPC connection
INFO [try 1]: Forwarding 'ping' to json server 'https://ipa1.identity.demarcohome.com/ipa/session/json'
DEBUG New HTTP connection (ipa1.identity.demarcohome.com)

My DNS is probably not set up properly yet, but I'm properly worn out for
the day on this.
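Before reading ipa-client-install logs it is worth checking the discovery records themselves. The script below is an added example, not part of Nicholas's post or of FreeIPA: it parses the posted records as a zone-file fragment for int.demarcohome.com, requires the SRV owner names an IPA server's own zone publishes (an assumption for the example; compare with the output of `ipa dnsrecord-find identity.demarcohome.com` on the server), treats the realm as the upper-cased IPA server domain (the usual IPA layout, also an assumption here), and reports two things about the records as posted: the `_kerberos` TXT value is mixed-case, which matters because Kerberos compares realm names case-sensitively, and there is no `_kpasswd._tcp` record.

```python
"""Offline sanity check of the Kerberos/LDAP discovery records a client domain
publishes for IPA servers that live in a different DNS domain. Added example."""
import re

# The records from the post, as a constructed zone-file fragment for the
# client domain int.demarcohome.com (relative owner names).
CLIENT_ZONE = """
_kerberos TXT "IDENTITY.demarcohome.COM"
_kerberos-master._tcp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kerberos-master._udp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kerberos._tcp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kerberos._udp SRV 0 100 88 ipa1.identity.demarcohome.com.
_kpasswd._udp SRV 0 100 464 ipa1.identity.demarcohome.com.
_ldap._tcp SRV 0 100 389 ipa1.identity.demarcohome.com.
"""

# Owner names and ports to require. Assumption for this example: it mirrors
# what the IPA server's own zone publishes; confirm with
#   ipa dnsrecord-find identity.demarcohome.com
EXPECTED_SRV = {
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

SRV_RE = re.compile(r"^(\S+)\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
TXT_RE = re.compile(r'^(\S+)\s+TXT\s+"([^"]*)"$')


def parse_zone(text):
    """Return (realm_from_txt, {owner: [(port, target), ...]})."""
    realm, srv = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = TXT_RE.match(line)
        if m and m.group(1) == "_kerberos":
            realm = m.group(2)
            continue
        m = SRV_RE.match(line)
        if m:
            owner, _prio, _weight, port, target = m.groups()
            srv.setdefault(owner, []).append((int(port), target))
            continue
        raise ValueError(f"unrecognised record: {line}")
    return realm, srv


def check_discovery(zone_text, ipa_domain):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    realm, srv = parse_zone(zone_text)
    if realm is None:
        findings.append("no _kerberos TXT record: clients cannot map this domain to a realm")
    else:
        # Kerberos realm names are case-sensitive and IPA realms are upper-case.
        if realm != realm.upper():
            findings.append(f"_kerberos TXT {realm!r} is not upper-case; "
                            "Kerberos compares realm names case-sensitively")
        # Assumption: the realm is the upper-cased IPA server domain (usual IPA layout).
        if realm.upper() != ipa_domain.upper():
            findings.append(f"_kerberos TXT {realm!r} does not match the realm of {ipa_domain}")
    for owner, want_port in EXPECTED_SRV.items():
        if owner not in srv:
            findings.append(f"missing {owner} SRV record (port {want_port})")
            continue
        for port, target in srv[owner]:
            if port != want_port:
                findings.append(f"{owner} advertises port {port}, expected {want_port}")
            if not target.endswith("."):
                findings.append(f"{owner} target {target} lacks the trailing dot; "
                                "it would be expanded relative to the client zone")
            elif not target[:-1].lower().endswith("." + ipa_domain.lower()):
                findings.append(f"{owner} target {target} is not under {ipa_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_discovery(CLIENT_ZONE, "identity.demarcohome.com"):
        print("-", finding)
```

To run it against live DNS rather than a pasted fragment, dump the client zone with `dig +noall +answer _kerberos.int.demarcohome.com TXT` and the `_*._tcp`/`_*._udp` SRV names, strip the owner names back to their relative form, and pass the result to `check_discovery`.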


[Freeipa-users] Re: dhcp dynamic update

2020-02-24 Thread Kevin Vasko via FreeIPA-users
I’m interested in hearing others responses as well on this. 

Is there anything in particular I would need to do to make sure I can get 
things back into a “working” state? 

-Kevin

> On Feb 24, 2020, at 12:10 PM, Andrew Meyer via FreeIPA-users wrote:
> 
> Hello,
> I was trying to search the mailing list before emailing about this but has 
> anyone set this up 
> https://archyslife.blogspot.com/2019/01/freeipa-integrating-your-dhcpd-dynamic.html
>  OR https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update in 
> their environment?  
> 
> In the past I ran into issues when making changes to /etc/named.conf so 
> before I go doing this I wanted to make sure others had tried this out.


[Freeipa-users] dhcp dynamic update

2020-02-24 Thread Andrew Meyer via FreeIPA-users
Hello,
I was trying to search the mailing list before emailing about this but has 
anyone set this up 
https://archyslife.blogspot.com/2019/01/freeipa-integrating-your-dhcpd-dynamic.html
 OR https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update in 
their environment?  

In the past I ran into issues when making changes to /etc/named.conf so before 
I go doing this I wanted to make sure others had tried this out.


[Freeipa-users] Re: problem with the ipa_pwd_extop plugin when using sssd-ldap with FreeIPA / replace of the passwordExpirationTime attribute with the value “19700101000000Z”

2020-02-24 Thread Christopher Paul via FreeIPA-users

On 2/23/20 10:23 PM, Sumit Bose via FreeIPA-users wrote:
> Hi,
>
> can you send your sssd.conf?
>
> bye,
> Sumit


Sure thing. Attached.

Thanks,

CP

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = lab2.rexconsulting.net
user = sssd
debug_level = 9
 
[domain/lab2.rexconsulting.net]
debug_level = 9
cache_credentials = True
entry_cache_timeout = 90
refresh_expired_interval = 60
enumerate = false
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = IPA
ldap_purge_cache_timeout = 60
ldap_sudo_full_refresh_interval = 21600
ldap_sudo_smart_refresh_interval = 90
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_uri = ldap://ipa2.lab2.rexconsulting.net
ldap_backup_uri = ldap://ipa1.lab2.rexconsulting.net
ldap_chpass_uri = ldap://ipa2.lab2.rexconsulting.net
ldap_chpass_backup_uri = ldap://ipa1.lab2.rexconsulting.net
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok = 
ldap_search_base = dc=lab2,dc=rexconsulting,dc=net
ldap_user_search_base = cn=users,cn=accounts,dc=lab2,dc=rexconsulting,dc=net
ldap_group_search_base = cn=groups,cn=compat,dc=lab2,dc=rexconsulting,dc=net
ldap_sudo_search_base = ou=sudoers,dc=lab2,dc=rexconsulting,dc=net
ldap_user_ssh_public_key = ipaSshPubKey
#ldap_access_order = pwd_expire_policy_renew
ldap_access_order = pwd_expire_policy_renew, filter
#ldap_access_filter = (objectclass=ipasshuser)
ldap_access_filter = (&(userClass=super)(objectclass=ipasshuser)(memberOf=cn=staff,cn=groups,cn=accounts,dc=lab2,dc=rexconsulting,dc=net))
 
[sudo]
 
[ssh]
 
[pam]
pam_id_timeout = 5
offline_credentials_expiration = 1
offline_failed_login_attempts = 2
pam_verbosity = 2
 
[nss]
filter_groups = root
filter_users = root
entry_cache_nowait_percentage = 50
entry_negative_timeout = 15
local_negative_timeout = 60
memcache_timeout = 300
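Two of the sssd.conf files on this page carry settings that deserve a second look once the immediate problem is solved: Michael's sets `krb5_validate = False`, which Sumit describes as a useful security feature to re-enable once the real cause is found, and Christopher's binds as cn=Directory Manager with a cleartext `ldap_default_authtok`, which is the directory superuser and far more privilege than identity lookups need. The lint pass below is an added example, not part of either post or of SSSD: it parses an sssd.conf and flags those and a few related options. The sample config is constructed from options seen in the two threads; the bind password in it is a placeholder, and the `uid=sssd-ro,cn=sysaccounts,cn=etc,...` account used in the test is a hypothetical name.

```python
"""Lint an sssd.conf for options that weaken authentication or violate least
privilege. Added example; the sample config is constructed from settings seen in
the threads above and is not either poster's file."""
import configparser

SAMPLE_SSSD_CONF = """
[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz, lab2.rexconsulting.net

[domain/nix.gtf.kz]
id_provider = ipa
auth_provider = ipa
ipa_domain = nix.gtf.kz
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_use_enterprise_principal = True
krb5_validate = False

[domain/lab2.rexconsulting.net]
id_provider = ldap
auth_provider = ldap
ldap_schema = IPA
ldap_uri = ldap://ipa2.lab2.rexconsulting.net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok = example-only-password
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; allow duplicate keys (last one wins) and no interpolation."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def lint_sssd_conf(text):
    """Return a list of (section, option, message) findings for every [domain/...] section."""
    findings = []
    cp = parse_sssd_conf(text)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Explicitly disabled TGT validation (the IPA provider defaults it to on).
        if "krb5_validate" in opts and not _truthy(opts["krb5_validate"]):
            findings.append((section, "krb5_validate",
                "TGT validation against the host keytab is off, so a rogue KDC can "
                "satisfy the password check; keep this False only while debugging"))
        # Cleartext LDAP for lookups exposes the default bind credentials too.
        if opts.get("auth_provider", opts.get("id_provider", "")) == "ldap":
            uri = opts.get("ldap_uri", "").strip()
            if uri.startswith("ldap://") and not _truthy(opts.get("ldap_id_use_start_tls", "false")):
                findings.append((section, "ldap_uri",
                    "plain ldap:// without StartTLS: lookups and the default bind "
                    "credentials cross the network in cleartext"))
        if opts.get("ldap_tls_reqcert", "demand").strip().lower() in ("never", "allow"):
            findings.append((section, "ldap_tls_reqcert",
                "server certificate is not verified, which allows an LDAP man-in-the-middle"))
        # Least privilege: the superuser bypasses every ACI in 389-ds.
        if opts.get("ldap_default_bind_dn", "").strip().lower() == "cn=directory manager":
            findings.append((section, "ldap_default_bind_dn",
                "binds as the directory superuser, which bypasses every ACI; use a "
                "dedicated read-only system account instead"))
        if opts.get("ldap_default_authtok", "").strip():
            findings.append((section, "ldap_default_authtok",
                "a cleartext bind password lives in sssd.conf; the file must stay "
                "root-only (mode 0600) and the bind account least-privileged"))
    return findings


if __name__ == "__main__":
    for section, option, message in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{section}] {option}: {message}")
```

Run it on a real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`. For the bind-DN finding, FreeIPA keeps dedicated bind accounts for this purpose under cn=sysaccounts,cn=etc,<suffix>; a read-only entry there, with only the lookup rights SSSD needs, replaces cn=Directory Manager without changing anything else in the domain section.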


[Freeipa-users] Re: Trust with Azure AD possible in the near future?

2020-02-24 Thread Kimmo Rantala via FreeIPA-users
I haven't yet since the Azure stuff is not exactly free of charge.
That said, this is a thing we are interested in at work. It might take some
time for us to get a test environment that has that directory service up.

If someone else has this already set up, I presume that initial results can
be posted in this thread.

On Mon, 24 Feb 2020 at 10:33, Alexander Bokovoy wrote:

> On Wed, 19 Feb 2020, Kimmo Rantala via FreeIPA-users wrote:
> >Hi,
> >
> >I discovered this:
> >
> https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-forest-trust
> >
> >Does this, in theory, mean that in the near future, a trust with Azure
> >AD Domain Services would be possible without much effort from the
> >developers?
> >
> >I thought I would bring this to your attention in the off chance that
> >this has eluded you and after all the article is quite recent.
>
> Thank you, Kimmo. Looks promising.
> Did you try to get it all working?
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>


[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-24 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 24 Feb 2020, dmitriys via FreeIPA-users wrote:
> Hi!
> After your advice I did this:
> # kinit admin
> # ipa ping
> IPA server version 4.6.90.pre1+git20180411. API version 2.229
> # ipa-cacert-manage -p 'Q*password' -n COMODO -t C,, install /home/addtrustexternalcaroot2.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> # ipa-certupdate
> ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
> ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140600762419792
> ipapython.admintool: INFO: The ipa-certupdate command was successful
>
> # ipa-server-certinstall -w -d /home/ldap_soft2bet_com.key /home/ldap_comodo.pem
>
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
> ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
> ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
> ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

I think your primary issue is that on Ubuntu and Debian systems there is
no backend to handle system-wide certificate store in FreeIPA. This is
tracked by https://pagure.io/freeipa/issue/8106 and there is a pull
request https://github.com/freeipa/freeipa/pull/4102 that attempts to
add such support but Debian's way of adding certificates to a cert store
is not able to work with what IPA tools supply to it. Please see the
ticket and the PR to gain more knowledge about it.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-24 Thread dmitriys via FreeIPA-users
Hi!
After your advice I did this:
# kinit admin
# ipa ping
IPA server version 4.6.90.pre1+git20180411. API version 2.229
# ipa-cacert-manage -p 'Q*password' -n COMODO -t C,, install /home/addtrustexternalcaroot2.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

# ipa-certupdate
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140600762419792
ipapython.admintool: INFO: The ipa-certupdate command was successful

# ipa-server-certinstall -w -d /home/ldap_soft2bet_com.key /home/ldap_comodo.pem

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.





[Freeipa-users] Re: Trust with Azure AD possible in the near future?

2020-02-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 19 Feb 2020, Kimmo Rantala via FreeIPA-users wrote:
> Hi,
>
> I discovered this:
> https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-forest-trust
>
> Does this, in theory, mean that in the near future, a trust with Azure
> AD Domain Services would be possible without much effort from the
> developers?
>
> I thought I would bring this to your attention in the off chance that
> this has eluded you and after all the article is quite recent.


Thank you, Kimmo. Looks promising.
Did you try to get it all working?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland