[Freeipa-users] Re: permanent service account keys for kerberos NFS share

2020-10-08 Thread Ronald Wimmer via FreeIPA-users

On 08.10.20 19:05, Rob Verduijn via FreeIPA-users wrote:

duh it moved again
https://github.com/gssapi/gssproxy/tree/main/docs

the example is your answer
https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md


I didn't even know this is possible. Thanks a lot!

Cheers,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: How to disable NTP on an ipa-server

2020-10-08 Thread Christopher Lamb via FreeIPA-users
Hi Rob
 
I have fired up Apache Directory Studio, and have navigated the LDAP tree to the cn=NTP entry.
 
Should I be deleting the entire cn=NTP entry, with all attributes; or just the ipaConfigString "startOrder 45"?
 
thanks
 
Chris
- Original message -
From: Rob Crittenden via FreeIPA-users
To: FreeIPA users list
Cc: Christopher Lamb, Rob Crittenden
Subject: [EXTERNAL] [Freeipa-users] Re: How to disable NTP on an ipa-server
Date: Thu, Oct 8, 2020 9:05 PM

Christopher Lamb via FreeIPA-users wrote:
> Hi All
> 
> Last night we successfully upgraded our ipa server to OEL 7.9, and
> ipa-server-4.6.8-5.el7.
> 
> However the ipa.service will not start, because it fails at the NTP Service.
> 
> All other ipa components start if we use the --ignore-service-failures
> option.
> 
> # ipactl start --ignore-service-failures
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting httpd Service
> Starting ntpd Service
> Failed to start ntpd Service
> Forced start, ignoring ntpd Service, continuing normal operation
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
> 
> I am ok with ntpd not starting, we have long since moved to chrony, and
> have ntpd disabled and masked.
> 
> The question is, how do I configure our ipa-server to not use ntpd?
> 
> I am aware that there are options for ntpd on installation, but am
> unsure how to do this for an existing server.
> 
> https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support

Masking the service won't help because it is managed by ipactl. It
determines the list of services by looking in
cn=masters,cn=ipa,cn=etc,$SUFFIX

An entry looks like:

dn: cn=NTP,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: NTP
ipaConfigString: startOrder 45
ipaConfigString: enabledService

ipactl only looks at the startOrder of ipaConfigString. You'll need to
delete this entry entirely.

rob
 


[Freeipa-users] Re: Adding subjectAltName when the certificate is signed

2020-10-08 Thread Radoslaw Kujawa via FreeIPA-users

Hi.

On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote:

Radosław Kujawa via FreeIPA-users wrote:

Hi list.

Is it possible to add email subjectAltName to a certificate when it is
being signed by the IPA?



How would the profile know what e-mail to add?



These certificates are treated by IPA as "user certificates". The CN is 
set to the IPA user's login.


By some magic, IPA knows that such a certificate should be added to the LDAP 
object representing the particular user.


I hoped it would be possible to instruct it to fetch the email 
attribute from the LDAP object when signing the cert (based on the CN) and 
put it into the subjectAltName.


Best regards,
Radoslaw


[Freeipa-users] Re: Adding subjectAltName when the certificate is signed

2020-10-08 Thread Rob Crittenden via FreeIPA-users
Radosław Kujawa via FreeIPA-users wrote:
> Hi list.
> 
> Is it possible to add email subjectAltName to a certificate when it is
> being signed by the IPA?
> 
> My use case is that I have CSRs generated by the users. The tool used to
> generate the CSR does not allow me to include an email
> subjectAltName. The problem is that the private key is held on an external
> device, so I am not easily able to manipulate the CSR using openssl.
> 
> I already have a specific certificate profile added to IPA, used for
> this process. But I am not sure if it is possible to enforce adding SAN
> with user's email address when signing the certificate. I'd be grateful
> for any hints.
> 

How would the profile know what e-mail to add?

rob


[Freeipa-users] Re: How to disable NTP on an ipa-server

2020-10-08 Thread Rob Crittenden via FreeIPA-users
Christopher Lamb via FreeIPA-users wrote:
> Hi All
>  
> Last night we successfully upgraded our ipa server to OEL 7.9, and
> ipa-server-4.6.8-5.el7.
>  
> However the ipa.service will not start, because it fails at the NTP Service.
>  
> All other ipa components start if we use the --ignore-service-failures
> option.
>  
> # ipactl start --ignore-service-failures
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting httpd Service
> Starting ntpd Service
> Failed to start ntpd Service
> Forced start, ignoring ntpd Service, continuing normal operation
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
>  
> I am ok with ntpd not starting, we have long since moved to chrony, and
> have ntpd disabled and masked.
>  
> The question is, how do I configure our ipa-server to not use ntpd?
>  
> I am aware that there are options for ntpd on installation, but am
> unsure how to do this for an existing server.
>  
> https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support

Masking the service won't help because it is managed by ipactl. It
determines the list of services by looking in
cn=masters,cn=ipa,cn=etc,$SUFFIX

An entry looks like:

dn: cn=NTP,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: NTP
ipaConfigString: startOrder 45
ipaConfigString: enabledService

ipactl only looks at the startOrder of ipaConfigString. You'll need to
delete this entry entirely.

rob


[Freeipa-users] Re: Stop/Disable Apache on IdM servers

2020-10-08 Thread Rob Crittenden via FreeIPA-users
Angus Clarke via FreeIPA-users wrote:
> Hello
> 
> We have a single mesh of FreeIPA servers in several different locations,
> we capture logs (apache ErrorLog directive) to a log server in each of
> those locations. When auditors ask us questions we have to trawl log
> servers from all locations as our IdM administrators might have used any
> of the IdM servers to make changes.
> 
> To limit that access to one site, I am considering stopping and
> disabling apache on all IdM servers at other sites and just wanted to
> check there are no unintended consequences in that action.
> 
> I'm not looking for enforcement, merely a means of persuading the team
> to use the web interface or command line tools at one site.

It's completely untested so if something went wrong you'd be pretty far
out on the ledge.

You're purposely creating a single-point-of-failure. You'd need to work
out some system to transition the web server to another server.

The chosen server would need to run a CA, otherwise it will try to find
one and fail at connecting since the CA connect is proxied through Apache.

Establishing a new CA would likewise almost certainly be problematic.

The ipa-ca CNAME is used so clients can use OCSP. You'd have to manually
limit this value to only the available web server. Same with CRL.

Running other administrative commands on those hosts would fail
miserably (ipa-certupdate, ipa-cacert-manage for sure).

I'm not certain if ipa-server-upgrade which is also run at package
installation needs local API access. IPA servers make certain
assumptions about what basic services are available.

So this could well be the kind of thing that seems to work, you relax
and forget about it, then all heck breaks loose.

Either way, masking/stopping the service wouldn't really work since it
is managed via ipactl. You'd have to mark the service as disabled in
IPA, and I'm not sure you can do that to an IPA service so you'd
probably have to do it manually using ldapmodify.

rob
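Rob makes the same point in both of his replies above: ipactl builds its service list from the entries under cn=masters,cn=ipa,cn=etc,$SUFFIX, so neither masking ntpd nor stopping httpd changes what it tries to start; only those LDAP entries do. The shell snippet below is an added example, not code from this thread or from FreeIPA. It unfolds the LDIF that ldapsearch returns (the posted NTP entry has a folded dn) and prints each service's startOrder and enabled flag, so you can see exactly which entry drives a start attempt before deleting anything. It runs here over a constructed copy of Rob's NTP entry plus a made-up DNS entry; SUFFIX, IPA_HOST and the live command lines in the comments are assumptions about your deployment.

```shell
#!/bin/sh
# Added example (not code from the list or from FreeIPA): list the per-server
# service entries that ipactl reads from cn=masters,cn=ipa,cn=etc,$SUFFIX.
# SUFFIX and IPA_HOST are placeholders; the LDIF below is constructed.

SUFFIX="dc=example,dc=test"
IPA_HOST="ipa.example.test"

# unfold_ldif: LDIF wraps long values onto continuation lines that start with
# one space (the "dc=tes" / " t" split in the posted entry). Join them back.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }'
}

# parse_services: one line per entry -> "<cn> <startOrder> <enabled|disabled>"
parse_services() {
    awk '
        function flush() {
            if (cn != "") printf "%s %s %s\n", cn, order, (enabled ? "enabled" : "disabled")
            cn = ""; order = "-"; enabled = 0
        }
        /^dn: /                            { flush() }
        /^cn: /                            { cn = substr($0, 5) }
        /^ipaConfigString: startOrder /    { order = $3 }
        /^ipaConfigString: enabledService/ { enabled = 1 }
        END                                { flush() }
    '
}

# Constructed sample: the NTP entry from the thread (folded dn kept as posted)
# plus a made-up DNS entry with an invented startOrder.
SAMPLE_LDIF=$(cat <<EOF
dn: cn=NTP,cn=$IPA_HOST,cn=masters,cn=ipa,cn=etc,dc=example,dc=tes
 t
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: NTP
ipaConfigString: startOrder 45
ipaConfigString: enabledService

dn: cn=DNS,cn=$IPA_HOST,cn=masters,cn=ipa,cn=etc,$SUFFIX
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: DNS
ipaConfigString: startOrder 30
ipaConfigString: enabledService
EOF
)

services_from_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | unfold_ldif | parse_services
}

# Live equivalent on an IPA server (needs an admin Kerberos ticket):
#   ldapsearch -Y GSSAPI -LLL -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" \
#       "(objectClass=ipaConfigObject)" cn ipaConfigString | unfold_ldif | parse_services
# Removing the NTP entry for one server, as Rob recommends; dump it first so
# it can be re-added if needed:
#   ldapsearch -Y GSSAPI -LLL -b "cn=NTP,cn=$IPA_HOST,cn=masters,cn=ipa,cn=etc,$SUFFIX" > ntp-entry.ldif
#   ldapdelete -Y GSSAPI "cn=NTP,cn=$IPA_HOST,cn=masters,cn=ipa,cn=etc,$SUFFIX"

services_from_sample
```

On the sample this prints `NTP 45 enabled` and `DNS 30 enabled`. Running the live pipeline on each server before and after the change gives a quick record of what ipactl will attempt to start there, which is also what an auditor would want to see for the httpd question.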


[Freeipa-users] Re: slapd-IPA-MYDOMAIN-COM missing configuration.

2020-10-08 Thread Rob Crittenden via FreeIPA-users
François Cami via FreeIPA-users wrote:
> On Thu, Oct 8, 2020 at 7:00 PM Albert Szostkiewicz via FreeIPA-users
>  wrote:
>>
>> Unfortunately I am unable to pinpoint what happened.
>> No replica, some backups, but not sure how far to look for yet.
>>
>> dirsrv@HOME-MYDOMAIN-COM
>> works and it's active
>>
>> but only
>> dirsrv@IPA-MYDOMAIN-COM
>> does not
>>
>> I am a little bit confused, as my domain is 'home.mydomain.com'; therefore I 
>> wasn't sure if 'ipa-mydomain-com' should even be there in the first place.
> 
> I don't think it should.
> 
> You might want to dig a little deeper and understand how this was created.
> 
> It might be safe to move the IPA-MYDOMAIN-COM entries away (I would
> not delete anything at this point) and see if you can start FreeIPA.
> 
> And.. I would do regular backups, and have a replica with the same
> roles as your first server if at all possible.

It's almost certainly a leftover from some previous installation.

I kept these directories around in case a user paid for a 3rd party
certificate. I didn't want an uninstallation to cost $$$.

rob


[Freeipa-users] Re: permanent service account keys for kerberos NFS share

2020-10-08 Thread Rob Verduijn via FreeIPA-users
duh it moved again
https://github.com/gssapi/gssproxy/tree/main/docs

the example is your answer
https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md

Rob

On Thu 8 Oct 2020 at 19:03, Rob Verduijn wrote:

> Hi,
> Check this, it is already installed on your rhel/centos server, and works
> great with ipa.
> ( in fact the lead dev is also a dev on ipa )
> https://pagure.io/gssproxy
>
> Rob
>
> On Thu 8 Oct 2020 at 18:20, Kevin Vasko via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello,
>>
>> We have an application that does some data processing on our NFS server.
>> Users typically just ssh into a box, which then has a Kerberos key generated
>> for them, which allows them to access the NFS share and run the script.
>>
>> We are wanting to set this up in a more automated fashion, such as
>> running the script in the background as a service. However, after a few
>> days the Kerberos keys become invalid, killing access to the NFS share and
>> the data.
>>
>> Is there a way to generate some account/keys that will have permanent
>> access for service level stuff like this?
>>
>> -Kevin


[Freeipa-users] Re: permanent service account keys for kerberos NFS share

2020-10-08 Thread Rob Verduijn via FreeIPA-users
Hi,
Check this, it is already installed on your rhel/centos server, and works
great with ipa.
( in fact the lead dev is also a dev on ipa )
https://pagure.io/gssproxy

Rob

On Thu 8 Oct 2020 at 18:20, Kevin Vasko via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> We have an application that does some data processing on our NFS server.
> Users typically just ssh into a box, which then has a Kerberos key generated
> for them, which allows them to access the NFS share and run the script.
>
> We are wanting to set this up in a more automated fashion, such as running
> the script in the background as a service. However, after a few days the
> Kerberos keys become invalid, killing access to the NFS share and the data.
>
> Is there a way to generate some account/keys that will have permanent
> access for service level stuff like this?
>
> -Kevin


[Freeipa-users] Re: slapd-IPA-MYDOMAIN-COM missing configuration.

2020-10-08 Thread Albert Szostkiewicz via FreeIPA-users
Unfortunately I am unable to pinpoint what happened.
No replica, some backups, but not sure how far to look for yet.

dirsrv@HOME-MYDOMAIN-COM
works and it's active

but only 
dirsrv@IPA-MYDOMAIN-COM
does not

I am a little bit confused, as my domain is 'home.mydomain.com'; therefore I wasn't 
sure if 'ipa-mydomain-com' should even be there in the first place.

Cheers!


[Freeipa-users] Re: slapd-IPA-MYDOMAIN-COM missing configuration.

2020-10-08 Thread François Cami via FreeIPA-users
On Thu, Oct 8, 2020 at 6:27 PM Albert Szostkiewicz via FreeIPA-users
 wrote:
>
> Hi!
>
> My dirsrv@IPA-MYDOMAIN-COM.service on the IPA server fails to start due to 
> missing configuration. How can I re-create one?
>
> journalctl:
> ds_systemd_ask_password_acl[10117]: grep: 
> /etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif: No such file or directory
> ns-slapd[10122]: INFO - dse_check_file - The config 
> /etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif can not be accessed. Attempting 
> restore ... (reason: 0)
> ns-slapd[10122]: INFO - dse_check_file - The backup 
> /etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif.bak can not be accessed. Check it 
> exists and permissions.
> ns-slapd[10122]: ERR - slapd_bootstrap_config - No valid configurations can 
> be accessed! You must restore /etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif 
> from ba>
> ns-slapd[10122]: EMERG - main - The configuration files in directory 
> /etc/dirsrv/slapd-IPA-MYDOMAIN-COM could not be read or were not found.  
> Please refer to>
> systemd[1]: dirsrv@IPA-MYDOMAIN-COM.service: Main process exited, 
> code=exited, status=1/FAILURE
> systemd[1]: dirsrv@IPA-MYDOMAIN-COM.service: Failed with result 'exit-code'.
> systemd[1]: Failed to start 389 Directory Server IPA-MYDOMAIN-COM..
> -- Subject: Unit dirsrv@IPA-MYDOMAIN-COM.service has failed
>
> $ ls /etc/dirsrv/
> drwxr-xr-x 2 root   root 82 Nov 13  2019 config
> -rw--- 1 dirsrv dirsrv  570 Sep 18  2019 ds.keytab
> drwxr-xr-x 2 root   root 25 Nov 13  2019 schema
> drwxr-x--- 4 dirsrv dirsrv 4096 Oct  7 21:26 slapd-HOME-MYDOMAIN-COM
> drwxr-x--- 2 dirsrv dirsrv   37 Sep 18  2019 slapd-HOME-MYDOMAIN-COM.removed
> drwxr-x--- 2 dirsrv dirsrv   37 Feb 18  2019 slapd-IPA-MYDOMAIN-COM.removed

It looks like your Directory Server instances have been removed.
https://directory.fedoraproject.org/docs/389ds/legacy/install-guide.html
Do you know what happened on this machine?
Do you have a replica?
Do you have backups?


François

> There is one ".removed" - not sure why, and if I can maybe re-use it?
> Cheers!


[Freeipa-users] Re: slapd-IPA-MYDOMAIN-COM missing configuration.

2020-10-08 Thread Albert Szostkiewicz via FreeIPA-users
Want to note that my domain is 'home.mydomain.com' not 'ipa.mydomain.com'


[Freeipa-users] slapd-IPA-MYDOMAIN-COM missing configuration.

2020-10-08 Thread Albert Szostkiewicz via FreeIPA-users
Hi!

My dirsrv@IPA-MYDOMAIN-COM.service on the IPA server fails to start due to missing 
configuration. How can I re-create one?

journalctl:
ds_systemd_ask_password_acl[10117]: grep: 
/etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif: No such file or directory
ns-slapd[10122]: INFO - dse_check_file - The config 
/etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif can not be accessed. Attempting 
restore ... (reason: 0)
ns-slapd[10122]: INFO - dse_check_file - The backup 
/etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif.bak can not be accessed. Check it 
exists and permissions.
ns-slapd[10122]: ERR - slapd_bootstrap_config - No valid configurations can be 
accessed! You must restore /etc/dirsrv/slapd-IPA-MYDOMAIN-COM/dse.ldif from ba>
ns-slapd[10122]: EMERG - main - The configuration files in directory 
/etc/dirsrv/slapd-IPA-MYDOMAIN-COM could not be read or were not found.  Please 
refer to>
systemd[1]: dirsrv@IPA-MYDOMAIN-COM.service: Main process exited, code=exited, 
status=1/FAILURE
systemd[1]: dirsrv@IPA-MYDOMAIN-COM.service: Failed with result 'exit-code'.
systemd[1]: Failed to start 389 Directory Server IPA-MYDOMAIN-COM..
-- Subject: Unit dirsrv@IPA-MYDOMAIN-COM.service has failed

$ ls /etc/dirsrv/
drwxr-xr-x 2 root   root 82 Nov 13  2019 config
-rw--- 1 dirsrv dirsrv  570 Sep 18  2019 ds.keytab
drwxr-xr-x 2 root   root 25 Nov 13  2019 schema
drwxr-x--- 4 dirsrv dirsrv 4096 Oct  7 21:26 slapd-HOME-MYDOMAIN-COM
drwxr-x--- 2 dirsrv dirsrv   37 Sep 18  2019 slapd-HOME-MYDOMAIN-COM.removed
drwxr-x--- 2 dirsrv dirsrv   37 Feb 18  2019 slapd-IPA-MYDOMAIN-COM.removed

There is one ".removed" - not sure why, and if I can maybe re-use it?
Cheers!


[Freeipa-users] permanent service account keys for kerberos NFS share

2020-10-08 Thread Kevin Vasko via FreeIPA-users
Hello,

We have an application that does some data processing on our NFS server. Users 
typically just ssh into a box, which then has a Kerberos key generated for them, 
which allows them to access the NFS share and run the script.

We are wanting to set this up in a more automated fashion, such as running the 
script in the background as a service. However, after a few days the Kerberos 
keys become invalid, killing access to the NFS share and the data.

Is there a way to generate some account/keys that will have permanent access 
for service level stuff like this? 

-Kevin


[Freeipa-users] Adding subjectAltName when the certificate is signed

2020-10-08 Thread Radosław Kujawa via FreeIPA-users

Hi list.

Is it possible to add email subjectAltName to a certificate when it is 
being signed by the IPA?


My use case is that I have CSRs generated by the users. The tool used to 
generate the CSR does not allow me to include an email 
subjectAltName. The problem is that the private key is held on an external 
device, so I am not easily able to manipulate the CSR using openssl.


I already have a specific certificate profile added to IPA, used for 
this process. But I am not sure if it is possible to enforce adding SAN 
with user's email address when signing the certificate. I'd be grateful 
for any hints.



Best regards,

Radoslaw



[Freeipa-users] How to disable NTP on an ipa-server

2020-10-08 Thread Christopher Lamb via FreeIPA-users
Hi All
 
Last night we successfully upgraded our ipa server to OEL 7.9, and ipa-server-4.6.8-5.el7.
 
However the ipa.service will not start, because it fails at the NTP Service.
 
All other ipa components start if we use the --ignore-service-failures option.
 
# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting httpd Service
Starting ntpd Service
Failed to start ntpd Service
Forced start, ignoring ntpd Service, continuing normal operation
Starting pki-tomcatd Service
Starting ipa-otpd Service
 
I am ok with ntpd not starting, we have long since moved to chrony, and have ntpd disabled and masked.
 
The question is, how do I configure our ipa-server to not use ntpd?
 
I am aware that there are options for ntpd on installation, but am unsure how to do this for an existing server.
 
https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support
 
Cheers
 
Chris


[Freeipa-users] Stop/Disable Apache on IdM servers

2020-10-08 Thread Angus Clarke via FreeIPA-users
Hello

We have a single mesh of FreeIPA servers in several different locations, we 
capture logs (apache ErrorLog directive) to a log server in each of those 
locations. When auditors ask us questions we have to trawl log servers from all 
locations as our IdM administrators might have used any of the IdM servers to 
make changes.

To limit that access to one site, I am considering stopping and disabling 
apache on all IdM servers at other sites and just wanted to check there are no 
unintended consequences in that action.

I'm not looking for enforcement, merely a means of persuading the team to use 
the web interface or command line tools at one site.

Thanks!
Angus


[Freeipa-users] Re: pki-tomcat won't start; LDAP auth failure

2020-10-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 10/8/20 12:53 PM, Arjen Heidinga via FreeIPA-users wrote:

Hello all!

For some time now my pki-tomcat daemon can't connect to the LDAP, giving me 
an error (below). The root CA had expired in the meantime; I fixed it 
with some hack-n-slash work. I am not sure what credentials (none, client 
cert?) are used to connect.

Does anyone have pointers? Hope I have not snipped too much log.


Hi,

pki authenticates to the LDAP server using the certificate 
"subsystemCert cert-pki-ca" stored in /etc/pki/pki-tomcat/alias.


If the cert is expired, or if it cannot be mapped to an LDAP entry, then 
the authentication fails. Please have a look at this blog post [1] for 
more debugging tips. The blog focuses on a case where authentication 
fails with return code 49 (invalid credentials) and in your case the 
error is 48 (inappropriate authentication), but the troubleshooting steps 
would be similar.


HTH,
flo

[1] 
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/



Thanks,

Arjen Heidinga

freeipa-server-common-4.8.9-2.fc32.noarch

2020-10-08 12:46:35 [main] FINEST: Getting internaldb.doCloning=true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: doCloning: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: mininum: 3
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: maximum: 15
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: host: starkey.platypusnet.org
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: port: 636
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: secure: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: authentication: 2
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: makeConnection(true)
2020-10-08 12:46:35 [main] FINEST: Getting internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINEST: Property tcp.keepAlive not found
2020-10-08 12:46:35 [main] FINEST: Getting tcp.keepAlive=true
2020-10-08 12:46:35 [main] FINE: TCP Keep-Alive: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnection: Connecting to starkey.platypusnet.org:636 with client cert auth
2020-10-08 12:46:35 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificatSelectionCB: Entering!
2020-10-08 12:46:35 [main] FINE: Candidate cert: Server-Cert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: caSigningCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: returning: null
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: begins
2020-10-08 12:46:35 [main] FINE: Handshake completed:
2020-10-08 12:46:35 [main] FINE: - client: 192.168.124.201
2020-10-08 12:46:35 [main] FINE: - server: 192.168.124.201
2020-10-08 12:46:35 [main] FINE: - subject: SYSTEM
2020-10-08 12:46:35 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
2020-10-08 12:46:35 [main] FINE: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: clientIP=192.168.124.201 serverIP=192.168.124.201 serverPort=31746
2020-10-08 12:46:35 [main] FINE: SSL handshake happened
2020-10-08 12:46:35 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
     at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
     at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
     at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
     at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
     at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
     at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
     at netscape.ldap.LDAPConnection.connect(Unknown Source)
     at netscape.ldap.LDAPConnection.connect(Unknown Source)
     at netscape.ldap.LDAPConnection.connect(Unknown Source)
     at com.netscape.cmscore.ldapconn.LdapBoundConnection.(LdapBoundConnection.java:105)
     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:285)
     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:261)

[Freeipa-users] pki-tomcat won't start; LDAP auth failure

2020-10-08 Thread Arjen Heidinga via FreeIPA-users

Hello all!

Since some time my pki-tomcat daemon can't connect to the LDAP, giving me 
an error (below). The root-CA was expired in the meantime, I fixed it 
with some hack-n-slash work. I am not sure what credentials (none, client 
cert?) are used to connect.


Does anyone have pointers? Hope I have not snipped too much log.

Thanks,

Arjen Heidinga

freeipa-server-common-4.8.9-2.fc32.noarch

2020-10-08 12:46:35 [main] FINEST: Getting internaldb.doCloning=true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: doCloning: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: mininum: 3
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: maximum: 15
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: host: starkey.platypusnet.org
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: port: 636
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: secure: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: authentication: 2
2020-10-08 12:46:35 [main] FINE: LdapBoundConnFactory: makeConnection(true)
2020-10-08 12:46:35 [main] FINEST: Getting internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINEST: Property tcp.keepAlive not found
2020-10-08 12:46:35 [main] FINEST: Getting tcp.keepAlive=true
2020-10-08 12:46:35 [main] FINE: TCP Keep-Alive: true
2020-10-08 12:46:35 [main] FINE: LdapBoundConnection: Connecting to starkey.platypusnet.org:636 with client cert auth
2020-10-08 12:46:35 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificatSelectionCB: Entering!
2020-10-08 12:46:35 [main] FINE: Candidate cert: Server-Cert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: caSigningCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: returning: null
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: begins
2020-10-08 12:46:35 [main] FINE: Handshake completed:
2020-10-08 12:46:35 [main] FINE: - client: 192.168.124.201
2020-10-08 12:46:35 [main] FINE: - server: 192.168.124.201
2020-10-08 12:46:35 [main] FINE: - subject: SYSTEM
2020-10-08 12:46:35 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
2020-10-08 12:46:35 [main] FINE: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
2020-10-08 12:46:35 [main] FINE: PKIClientSocketListener.handshakeCompleted: clientIP=192.168.124.201 serverIP=192.168.124.201 serverPort=31746
2020-10-08 12:46:35 [main] FINE: SSL handshake happened
2020-10-08 12:46:35 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
    at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
    at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
    at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
    at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
    at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
    at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:105)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:285)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:261)

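The log posted above shows pki-tomcat asking for the client cert nickname subsystemCert cert-pki-ca, the NSS selection callback being offered only Server-Cert cert-pki-ca and caSigningCert cert-pki-ca and returning null, and the bind then failing with LDAP result 48, which RFC 4511 names inappropriateAuthentication. The following is an added diagnostic check, not code from the thread or from Dogtag/FreeIPA: it reads those debug lines and reports whether the requested client certificate was actually among the candidates; the log excerpt inside it is constructed from the lines posted above.

```python
import re

# Constructed sample: the diagnostic lines from the pki-tomcat debug log
# posted above, reduced to the message kinds this check needs.
SAMPLE_LOG = """\
2020-10-08 12:46:35 [main] FINE: LdapBoundConnection: Connecting to starkey.platypusnet.org:636 with client cert auth
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: Server-Cert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: Candidate cert: caSigningCert cert-pki-ca
2020-10-08 12:46:35 [main] FINE: SSLClientCertificateSelectionCB: returning: null
2020-10-08 12:46:35 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
"""

DESIRED_RE = re.compile(r"Setting desired cert nickname to: (.+?)\s*$")
CANDIDATE_RE = re.compile(r"Candidate cert: (.+?)\s*$")
RETURNED_RE = re.compile(r"SSLClientCertificateSelectionCB: returning: (\S+)")
RESULT_RE = re.compile(r"LDAPException: .*\((\d+)\)\s*$")

# Bind-related LDAP result codes, names as given in RFC 4511 section 4.1.9.
LDAP_RESULT_NAMES = {48: "inappropriateAuthentication", 49: "invalidCredentials",
                     50: "insufficientAccessRights"}


def analyze_client_cert_bind(log_text):
    """Correlate the NSS cert-selection lines with the LDAP bind outcome."""
    desired, candidates, returned, code = None, [], None, None
    for line in log_text.splitlines():
        if m := DESIRED_RE.search(line):
            desired = m.group(1)
        elif m := CANDIDATE_RE.search(line):
            candidates.append(m.group(1))
        elif m := RETURNED_RE.search(line):
            returned = m.group(1)
        elif m := RESULT_RE.search(line):
            code = int(m.group(1))
    # The callback can only hand back a cert NSS offered it, so a desired
    # nickname missing from the candidates means no client cert was sent.
    return {
        "desired": desired,
        "candidates": candidates,
        "cert_available": desired is not None and desired in candidates,
        "callback_returned_null": returned == "null",
        "result_code": code,
        "result_name": LDAP_RESULT_NAMES.get(code, "unknown"),
    }


if __name__ == "__main__":
    print(analyze_client_cert_bind(SAMPLE_LOG))
```

Feed it the text of the actual pki-tomcat debug log instead of SAMPLE_LOG; when cert_available is False while callback_returned_null is True, the nickname the server was configured with is not what the NSS database offered.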