[Freeipa-users] Re: How to make ipa root certificate available system wide

2020-03-02 Thread Nick DeMarco via FreeIPA-users
This article explains how Firefox and the OS certificate database are related. 
Starting with Firefox 64, an enterprise policy controls the relationship 
between Firefox trusted roots and OS trusted roots.

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Debian client browsers don't trust root cert after ipa-client-install

2020-03-02 Thread Nicholas DeMarco via FreeIPA-users
Just after pressing send on this message, I found where Firefox can be
configured to trust enterprise root certificates. See this article:

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox


Once configured, Firefox should trust the OS certificate store. But I
haven't gotten it to work. Yet.


On Mon, Mar 2, 2020 at 11:22 PM Nicholas DeMarco 
wrote:

> Hello, Thanks to this group's help, I'm learning my way through IPA's
> certificate system.
>
> I read Fraser's well written post on creating sub-CAs, and successfully
> got everything to work. I then ran into the same problem Kevin Vasko hit in
> this thread:
>
>
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/45CQE3CGG5QFZ5YMRGYJDICB7WWFWAVQ/
>
>
> It seems Debian-based Chrome and Firefox don't implicitly trust the OS
> root certificate store.
>
> For each Firefox profile (about:profiles), the NSS db is in
> ~/.mozilla/firefox/. The certs in this directory can be listed
>
> certutil -d sql:/home/nick/.mozilla/firefox/4sar5x5s.default-release/ -L
>
> On Ubuntu 18.04, after installing and configuring IPA client (#
> ipa-client-install --mkhomedir), the IPA certificate is listed in the store.
>
> Still, Firefox doesn't trust the IPA server or its trusted hosts. Why???
>
> It's been established that Linux Firefox and Linux Chrome don't trust the
> OS trusted certificate stores. It seems, with all that comes with
> assumptions, that Firefox doesn't trust its own profile store, either.
>
> Nick
>


[Freeipa-users] Debian client browsers don't trust root cert after ipa-client-install

2020-03-02 Thread Nicholas DeMarco via FreeIPA-users
Hello, Thanks to this group's help, I'm learning my way through IPA's
certificate system.

I read Fraser's well written post on creating sub-CAs, and successfully got
everything to work. I then ran into the same problem Kevin Vasko hit in
this thread:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/45CQE3CGG5QFZ5YMRGYJDICB7WWFWAVQ/


It seems Debian-based Chrome and Firefox don't implicitly trust the OS root
certificate store.

For each Firefox profile (about:profiles), the NSS db is in
~/.mozilla/firefox/. The certs in this directory can be listed

certutil -d sql:/home/nick/.mozilla/firefox/4sar5x5s.default-release/ -L

On Ubuntu 18.04, after installing and configuring IPA client (#
ipa-client-install --mkhomedir), the IPA certificate is listed in the store.

Still, Firefox doesn't trust the IPA server or its trusted hosts. Why???

It's been established that Linux Firefox and Linux Chrome don't trust the
OS trusted certificate stores. It seems, with all that comes with
assumptions, that Firefox doesn't trust its own profile store, either.

Nick
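The two Firefox messages above (the profile NSS database that lists the IPA CA but does not trust it, and the Firefox 64+ enterprise policy that governs OS trusted roots) come down to the same two questions: is the CA present with a trust flag that actually makes it a trusted CA, and if not, which policy imports it. The script below is an added example; it is not code posted in the thread and not part of FreeIPA or Mozilla. It parses `certutil -L` output to report a CA's NSS trust flags (a CA is only trusted to issue server certificates when the SSL column carries `C`; being listed with `,,` is not enough), and prints a policies.json that sets `Certificates.ImportEnterpriseRoots` and `Certificates.Install`. The sample certutil output, the nicknames `Example Corp IPA CA` and `Example Corp Legacy CA`, `/etc/ipa/ca.crt` as the client's CA file, and `/etc/firefox/policies/policies.json` as the policy location are assumptions of this example, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check how a CA is trusted in an NSS
# profile database and emit the Firefox enterprise policy that imports
# enterprise/OS roots. Paths, nicknames and sample output are constructed.

# Constructed sample of `certutil -d sql:<profile> -L` output. Nicknames are
# invented; the layout (nickname, padding, SSL,S/MIME,JAR/XPI flags) is real.
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp IPA CA                                          ,,
Example Corp Legacy CA                                       CT,C,C
'

# nss_trust_flags NICKNAME OUTPUT
# Prints the trust-attribute field for NICKNAME, nothing if it is absent.
nss_trust_flags() {
    nick=$1
    out=$2
    printf '%s\n' "$out" | awk -v nick="$nick" '
        /^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]+$/, "")                 # drop trailing padding, if any
            flags = $NF                        # flags are the last token
            name = substr($0, 1, length($0) - length(flags))
            sub(/[ \t]+$/, "", name)           # trim column padding
            if (name == nick) { print flags; exit }
        }'
}

# ca_trusted_for_ssl NICKNAME OUTPUT
# Succeeds only when the SSL flag group (before the first comma) contains
# "C": the CA is trusted to issue server certificates. A lowercase "c"
# (valid CA) or empty flags (",,") means "listed but not trusted", which is
# the state described in the thread.
ca_trusted_for_ssl() {
    flags=$(nss_trust_flags "$1" "$2")
    [ -n "$flags" ] || return 1
    ssl=${flags%%,*}
    case $ssl in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_profile_ca PROFILE_DIR NICKNAME
# Same check against a live Firefox profile; needs certutil (libnss3-tools).
# Returns 2 if certutil is missing or the database cannot be opened.
check_profile_ca() {
    out=$(certutil -d "sql:$1" -L 2>/dev/null) || return 2
    ca_trusted_for_ssl "$2" "$out"
}

# firefox_policy_json CA_FILE
# Prints a policies.json for Firefox 64+ that imports enterprise/OS roots and
# additionally installs CA_FILE explicitly. Assumed install location on
# Debian/Ubuntu: /etc/firefox/policies/policies.json (root-owned, mode 0644).
firefox_policy_json() {
    cat <<EOF
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["$1"]
    }
  }
}
EOF
}

# Example run against the constructed sample (no certutil needed):
#   ca_trusted_for_ssl 'Example Corp IPA CA' "$SAMPLE_CERTUTIL_OUTPUT"    -> fails (flags ",,")
#   ca_trusted_for_ssl 'Example Corp Legacy CA' "$SAMPLE_CERTUTIL_OUTPUT" -> succeeds (CT,C,C)
#   firefox_policy_json /etc/ipa/ca.crt   # /etc/ipa/ca.crt is assumed, not from the thread
```

The `Install` entry pins the CA file explicitly so the result does not depend on where Firefox looks for enterprise roots on a given Linux build; `ImportEnterpriseRoots` alone is the setting the linked Mozilla article describes. Because the policy file is a system-wide trust decision, it belongs with the rest of the host's root-owned configuration and should be reviewed like any other change to the CA set.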


[Freeipa-users] Re: sshd.config overwritten during FIRST ipa-client-installation

2020-03-02 Thread Rob Crittenden via FreeIPA-users
pgb205 wrote:
> 1.correct
> 2. only port is configured to something else. the rest of sshd_conf is
> default
> 3. correct. only append --no-sshd option to prevent reconfiguration of
> sshd_conf file
> 4. correct. after install port 22 is again in effect
> 5. no. after uninstall there are no changes. And trying to re-install
> again as in 3. doesn't change the file.

I can't reproduce this.

Can you provide an ipaclient-install.log where sshd_config is modified?

rob

> 
> On Thursday, February 27, 2020, 10:12:29 AM EST, Rob Crittenden
>  wrote:
> 
> 
> pgb205 via FreeIPA-users wrote:
>> 1.  ipa client 4.6.5-11.el7
>> 2. one of the lines in sshd.conf is reverted to the default option.
>> specifically port number. Almost seems like the file is restored from
>> the backup
>> version. But then we are using --no-sshd option.
> 
> I think we'll need to see /var/log/ipaclient-install.log.
> 
> So to be clear, you:
> 
> * start with no client installed
> * sshd is configured for port other than 22 (and other things)
> * run ipa-client-install --no-sshd
> * sshd now is configured with Port 22
> * ipa-client-install --uninstall restores the pre-install sshd.conf so
> things are back to "normal"
> 
> Does that match what you're seeing?
> 
> I'll note that IPA does not purposely change the port at all, whether
> sshd is configured or not.
> 
> rob
> 
> 
>>
>> On Wednesday, February 26, 2020, 05:47:34 PM EST, Rob Crittenden
>>  wrote:
>>
>>
>> pgb205 via FreeIPA-users wrote:
>>> 1. Happens on RHEL/Centos only (other distros are not affected)
>>> 2. Happens only during the first attempted install of ipa-client
>>> package. If we try to reinstall the sshd.conf is not modified.
>>> 3. We tried with --no-sshd flag to prevent sshd configuration
>>> as suggested in the following ticket
>>> [Freeipa-devel] [PATCH] 85 Add --no-ssh option to ipa-client-install to
>>>
>>
> 
>>
>>>
>>>
>>> We no longer get any messages in /var/log/ipaclientinstall.log about
>>> sshd.conf being backed up,  BUT 
>>> the file still gets changed.
>>
>> What version of IPA?
>>
>> How is it changed?
>>
>> rob


[Freeipa-users] Re: sshd.config overwritten during FIRST ipa-client-installation

2020-03-02 Thread pgb205 via FreeIPA-users
1. correct
2. only port is configured to something else. the rest of sshd_conf is
default
3. correct. only append --no-sshd option to prevent reconfiguration of
sshd_conf file
4. correct. after install port 22 is again in effect
5. no. after uninstall there are no changes. And trying to re-install again
as in 3. doesn't change the file.

On Thursday, February 27, 2020, 10:12:29 AM EST, Rob Crittenden
 wrote:

pgb205 via FreeIPA-users wrote:
> 1.  ipa client 4.6.5-11.el7
> 2. one of the lines in sshd.conf is reverted to the default option.
> specifically port number. Almost seems like the file is restored from
> the backup
> version. But then we are using --no-sshd option.

I think we'll need to see /var/log/ipaclient-install.log.

So to be clear, you:

* start with no client installed
* sshd is configured for port other than 22 (and other things)
* run ipa-client-install --no-sshd
* sshd now is configured with Port 22
* ipa-client-install --uninstall restores the pre-install sshd.conf so
things are back to "normal"

Does that match what you're seeing?

I'll note that IPA does not purposely change the port at all, whether
sshd is configured or not.

rob

> 
> On Wednesday, February 26, 2020, 05:47:34 PM EST, Rob Crittenden
>  wrote:
> 
> 
> pgb205 via FreeIPA-users wrote:
>> 1. Happens on RHEL/Centos only (other distros are not affected)
>> 2. Happens only during the first attempted install of ipa-client
>> package. If we try to reinstall the sshd.conf is not modified.
>> 3. We tried with --no-sshd flag to prevent sshd configuration
>> as suggested in the following ticket
>> [Freeipa-devel] [PATCH] 85 Add --no-ssh option to ipa-client-install to
>>
> 
> 
>>
>>
>> We no longer get any messages in /var/log/ipaclientinstall.log about
>> sshd.conf being backed up,  BUT 
>> the file still gets changed.
> 
> What version of IPA?
> 
> How is it changed?
> 
> rob


[Freeipa-users] Re: Domain controllers switch to LDAPS

2020-03-02 Thread Ronald Wimmer via FreeIPA-users

On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:

[...]
Some people are panicking and want to switch everything to LDAPS. For
those there is additional enhancement in works. For everyone else there
is no need to do anything.
[...]
According to the information I have our AD guys are switching everything 
to LDAPS only...
