Hi,
I am considering FreeIPA for a multi-site project, to provide both PKI and LDAP
services.
So ideally, I would like to have one separate FreeIPA server on each site + one
central FreeIPA server.
And this is what I have in mind:
1. The central FreeIPA server will be my master for
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with
openssl. So I've signed the FreeIPA's request with my self-signed "root ca"
certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem
Sorry, I've figured it out myself...
The problem was not with the Root CA certificate, the reported error is
misleading here.
Actually, the problem was with the certificate generated for the FreeIPA
itself.
It had CA:FALSE, because I forgot to select the right extension profile when
signing
Hi,
If I have my IPA replicas with DNS, I see that DNS is completely replicated
between them.
But what if I need to have different DNS resolution for the same name in
different locations? How can I achieve that with IPA DNS?
Below is the detailed example, if needed.
Suppose I have two sites
Hi,
Sorry, I am probably missing something very basic in the way the vault
should work for services...
So my task is simple: let's say I want to store a secret for a script. That is,
the script must be able to retrieve it in an unattended way.
The script is running on a Linux server
Any ideas...?
Thanks.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines:
OK, so replying to myself - in case someone has the same goal...
Here is the way that I came up with eventually. I really hope this is how it
was designed to be =)
The main culprit is that the IPA service principal must be the _owner_ of the
vault. This point is somehow missing in all the
Hi,
I am experiencing a strange issue with DNS resolution between my replicas,
could you please help me to figure it out?
My topology is:
rhel-ipa.ims.example.com => rhel-ipa-replica.ams.ims.example.com =>
rhel-ipa-newreplica.ams.ims.example.com
All three are IPA servers with DNS.
And I've
Hi,
I have the same issue right now...
I had two working replicas, and I tried to add the third one. But due
to some issues with ansible playbook, the installation of that third
replica failed in the middle (I believe ansible lost SSH connection
somewhere in the middle). That obviously left the
Sorry, this was actually my response to another thread, but due to some issue,
it was posted like a separate thread... I think it was caused by GMAIL that
popped up when I tried to reply. @moderators, if possible, please delete this...
On Mon, Mar 18, 2019 at 4:53 PM Rob Crittenden wrote:
>
>
> ipa-replica-manage del --cleanup --force will clean these
> entries up, and others.
>
> rob
Rob,
I tried this. It didn't work. The command itself failed with the same
error message:
PKINIT enabled server': all masters must have IPA
>
> Exactly as the others report, I can no longer login to the WebUI. It says
> "invalid
> 'PKINIT enabled server': all masters must have IPA master role enabled" and
> then throws an exception:
>
UPDATE: To resolve it, you can delete the following subtree entirely:
DN:
Hi,
I saw another solution for your problem - you can define a user as
"passSyncManager".
Then that particular user will be able to set passwords for other
users without having them immediately expired.
This is especially handy when you have periodic synchronization with
some external account
Responding to myself - for future reference.
I found in /var/named/data/named.run that my parent zone
(ims.example.com) failed to load.
Turns out I had to implement a proper delegation: in the zone
"ims.example.com" I had to add A entries for "rhel-ipa-replica.ams"
and "rhel-ipa-newreplica.ams".
Hi,
My Web Server is enrolled in the FreeIPA domain, but the clients are external.
So login is done via a custom login form - part of the Web Application.
In this setup, I know how to authenticate the clients to the Web Application
using FreeIPA as a backend - I can use
Hi,
With ipa-server 4.6.4-10.el7_6.2 on RHEL7, I see the following issue
My host name is a bit long, of a form: idm01.site01.poc.my.network.com
I am installing a fresh new IPA server on this host, with DNS server.
Running ipa-server-install without arguments.
During installation I can
>
>
> Right, IPA isn't going to recursively fill in the missing zones for you.
>
> Is there a particular reason you want to install this way?
>
> rob
>
Actually yes. It is a multi-site private cloud deployment. All sites are
identical. The naming convention is
IPA has replicas on each site
Hi,
Could you please help me configure the ipa tool inside the docker container,
which is not enrolled?
I have a parent Linux VM that is enrolled in FreeIPA. On top of it I run a
docker container, and I mount the entire /etc/ipa and /etc/krb5.conf (both in
read-only mode).
My goal is just to be
>
> Regarding your docker issue; IPA expects more than just a file and a config
> directory, you
> can check the source code for ipaclient, the cli and the modules it imports,
> you’ll see a
> large amount of checks it’s using to find out if the install is OK and
> working.
> If you just want
TBH another problem is that REST API for vaults is not as easy as I thought...
The call "vault_retrieve_internal" is not so simple; I see that it requires
generating a session_key, and the secret will be returned encrypted with it...
I'd appreciate if someone could point me to a working
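The session-key exchange this post runs into, as an added example that is not code from the thread or from FreeIPA. It models the flow the post describes (the client generates a session key, the server returns the secret encrypted under it) with one transport key pair standing in for the KRA transport certificate. The primitives chosen here (RSA PKCS#1 v1.5 to wrap a random AES-128 key, AES-CBC with PKCS#7 padding for the secret, a per-response nonce used as the IV) are my reading of what the ipaclient vault plugin does and should be checked against its source before being relied on; the `cryptography` library is assumed to be installed.

```python
import os

from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa, padding as asym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def generate_transport_keypair():
    """Stand-in for the KRA transport certificate's key pair.

    Assumption for this example: a real client would take the public half
    from the transport certificate the IPA server publishes, not generate it.
    """
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def client_new_session(transport_public_key):
    """Client side: pick a fresh AES-128 session key and wrap it for the KRA.

    Returns (session_key, wrapped_session_key). Only the wrapped form goes on
    the wire; whoever holds the transport private key can unwrap it, which is
    why the client must trust where it got the transport certificate from.
    """
    session_key = os.urandom(16)
    wrapped = transport_public_key.encrypt(session_key, asym_padding.PKCS1v15())
    return session_key, wrapped


def server_retrieve(transport_private_key, wrapped_session_key, secret):
    """Server side, what vault_retrieve_internal does with the wrapped key:
    unwrap the session key and hand back the secret encrypted under it."""
    session_key = transport_private_key.decrypt(
        wrapped_session_key, asym_padding.PKCS1v15()
    )
    nonce = os.urandom(16)  # CBC IV, returned to the client next to the data
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(secret) + padder.finalize()
    enc = Cipher(algorithms.AES(session_key), modes.CBC(nonce)).encryptor()
    return {"vault_data": enc.update(padded) + enc.finalize(), "nonce": nonce}


def client_unwrap_secret(session_key, response):
    """Client side: decrypt the returned data with the session key it kept."""
    dec = Cipher(algorithms.AES(session_key), modes.CBC(response["nonce"])).decryptor()
    padded = dec.update(response["vault_data"]) + dec.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def round_trip(secret):
    """Run one full exchange and return what the client recovers."""
    kra_key = generate_transport_keypair()
    session_key, wrapped = client_new_session(kra_key.public_key())
    response = server_retrieve(kra_key, wrapped, secret)
    return client_unwrap_secret(session_key, response)


if __name__ == "__main__":
    # Constructed sample secret; nothing here talks to a real IPA server.
    print(round_trip(b"constructed sample secret"))
```

The session key only protects the secret between the KRA and the caller; it is not authentication. The caller still has to authenticate the JSON-RPC call itself (Kerberos, or a session obtained through it), which is the separate problem the later containerized-application post asks about.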
> Dmitry Perets via FreeIPA-users wrote:
>
> The directory /var/lib/ipa-client/sysrestore has to exist and must
> contain at least one file
>
> rob
This is when I am embarrassed that I didn't find time to look into the code
myself =)
Thank you very much, i
Hi,
I observe a weird problem, trying to figure out how it could happen...
On one of my IPA installations, IPA doesn't recognize stage users, UNLESS they
include objectClass posixaccount.
For example, below output shows a staged user that I've manually added with
"ldapmodify", but as you can
>
> If 'ipa stageuser-find' doesn't find it, you can enable server-side
> debugging and retry, then you should see debug output in error_log.
>
> Create /etc/ipa/server.conf
>
> [global]
> debug = True
>
> and restart httpd, then retry.
Weirdly enough:
[Wed Jun 12 11:03:38.648863 2019]
> Somehow the filter is not replaced...??? still (objectclass=posixaccount):
> [Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG:
> stageuser_find:
> pre_callback new
> filter=(objectclass=\\70\\6f\\73\\69\\78\\61\\63\\63\\6f\\75\\6e\\74)
>
Sorry, looks like this debug output
>
> Basically, I'm looking at seeing if Python interactive console will show
> you the same garbage in the filter text or not. If yes, then it looks
> like there is a bit of uncleaned unicode/str code checks in 4.6.
>
Yes, same output is also in the console... and both on working and on
> On ke, 12 kesä 2019, Dmitry Perets via FreeIPA-users wrote:
> Can you share
> what queries correspond to these requests in dirsrv access
> log?
Yes, mystery continues...
WORKING:
[12/Jun/2019:12:31:25.546759725 +0200] conn=18810 op=2 SRCH base="cn=staged
users,cn=accounts,c
> Hi Dmitry
> can you open a ticket for this issue? I reproduced on RHEL 7.6 and it
> happens because of the following code:
> container_filter = "(objectclass=posixaccount)"
> # provisioning system can create non posixaccount stage user
> # but then they have to
For reference: https://bugzilla.redhat.com/show_bug.cgi?id=1721550
> Dmitry Perets via FreeIPA-users wrote:
>
> You might want to look for replication conflicts. Maybe one entry is
> hung up.
>
> rob
Hi Rob, you mean on the WORKING IPA?
Because indeed, now it looks more weird that one is WORKING rather than that
the other is NOT WORKI
Hi,
I have a use-case when an application needs to access the secret stored in IPA
Vault. The problem is that the application is containerized...
So what would be the best practice to authenticate to the Vault?
The logic says we should use REST API, but how to authenticate to the IPA,
Hi,
I know of one usage - all the IPA ansible modules (ipa_*) query for 'ipa-ca'
record to find the IPA server.
But for other cases - looks like IPA clients mostly rely on entries like
'_kerberos.*' and '_ldap.*'...
What other functionality uses 'ipa-ca' record?
Thanks.
---
Regards,
Dmitry
>
> Certificates are issued from IPA CA with the OCSP responder URI
> http://ipa-ca.$DOMAIN/ca/ocsp and CRL distribution point
> http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin (these are set in the
> certificate extensions).
>
> flo
Thanks! Does it have to be an IPA server with CA? What if it
Hi,
In several scenarios when CA must be accessed, I face issues with the algorithm
to select IPA server running CA.
Wanted to check if there is an easy solution in place that I am missing...
For example, if I run "ipa vault-retrieve" on IPA server that doesn't run
CA/KRA, it will forward the
OK, I was probably a bit inaccurate about the algorithm with LDAP lookup.
I had an impression that IPA always picks the first value, but it looks like it
does have some randomization, but somehow the first entries are chosen more
often. I had to run "ipa vault-retrieve" 5-8 times until it
Hi,
I've created a new IPA replica.
ipa-replica-install has completed successfully.
ipa-ca-install has completed successfully as well.
However, ipa-kra-install fails.
In the terminal, it fails right here:
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/11]: creating ACIs
Hi,
I'd like to ask for your advice on the following topology...
On a given site, IPA server has two legs (two NICs), let's call them "inside
NIC" and "outside NIC".
The inside NIC subnet is local to the site. The outside NIC subnet is
interconnecting sites.
All the local clients talk to
The progress so far...
>
> 1. We create two A records for the same IPA hostname, let's say
> "ipa.site1.example.com". But then not sure if it will work fine...
> Technically,
> two IPs for the same name means load-balancing, right? So will I have
> intermittent
> connectivity issues, because
Hi Alexander,
Thanks again for your help on this...
Just one question regarding your fix here:
https://github.com/abbra/freeipa/pull/9/files
When you say "host aliases", what exactly do you mean? DNS CNAME records?
Because then, I am afraid, this would not solve my problem. I can't create
Hi Francois,
> You do not need to add SRV records, this is difficult to manage in the long
> run.
>
> ipa-client-install(1) covers this scenario with the --domain=DOMAIN parameter.
>
> See also https://bugzilla.redhat.com/show_bug.cgi?id=1385515#c14 for a
> detailed explanation.
>
Well, that
Hi Alexander,
Yes, indeed, I got the feeling that it is not supported =)
Problem is that it caught me by surprise in the middle of a huge project, as I
wouldn't expect that - out of all things - this would not have a solution.
First hit was when I learned that "DNS views" were not supported,
>
> You know that you are basically
> opening your environment for CSRF and
> phishing attack?
Yes, absolutely! That was just to ensure that it was the last visible problem
(still in lab environment).
Now returned the check, added the host_aliases, as you showed above - and it
works.
Again,
Hi Alexander,
I am going to submit an RFE via Red Hat support case, to support multihomed IPA
server setup. I list two proposals in the RFE:
(1) Support Split DNS (views) which, I believe, is already supported by the
underlying BIND. This would allow us to define one view for IPA servers and
Hi Alexander,
Posting here, as it might be useful to others.
I've got a suggestion via Red Hat support ticket that looks promising...
So, earlier I tried to configure all IPA servers to resolve to internal IP and
then add external IP to their /etc/hosts when creating replica. And that failed
Hi,
After a bit more searching - my issue looks exactly like this one:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/AJNEM5CZ6KXNXIMD4TJY3LSRESRIJBFE/
I also have the same error in /var/log/pki/pki-tomcat/kra/system:
0.ajp-bio-127.0.0.1-8009-exec-1 -
Hi Peter,
Did you manage to resolve this issue back then?
Because I face exactly the same one, appreciate if you can give me some hints.
Thanks!
---
Regards,
Dmitry Perets
Hi,
Try using these, to delete replication agreements:
ipa topologysegment-find
ipa topologysegment-del
Then you can repeat "ipa-replica-manage del".
---
Regards,
Dmitry Perets
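The three-step cleanup from the reply above, scripted as an added example (my code, not from the thread or from FreeIPA): parse the text output of `ipa topologysegment-find`, pick the segments whose left or right node is the server being removed, and emit the `topologysegment-del` calls followed by the `ipa-replica-manage del` retry. The sample output, host names and segment names are constructed for the example; the field labels ("Segment name", "Left node", "Right node") match what the find command prints.

```python
import re
import subprocess

# Constructed sample of `ipa topologysegment-find domain` output; the host
# names and segment names are made up for this example.
SAMPLE_FIND_OUTPUT = """\
-------------------
2 segments matched
-------------------
  Segment name: ipa1.example.com-to-ipa2.example.com
  Left node: ipa1.example.com
  Right node: ipa2.example.com
  Connectivity: both

  Segment name: ipa2.example.com-to-ipa3.example.com
  Left node: ipa2.example.com
  Right node: ipa3.example.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
"""

_FIELD = re.compile(r"^\s*(Segment name|Left node|Right node):\s*(.+?)\s*$")


def parse_segments(text):
    """Turn topologysegment-find text output into a list of
    {"name", "left", "right"} dicts, one per segment."""
    segments, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Segment name":
            current = {"name": value}
            segments.append(current)
        elif key == "Left node":
            current["left"] = value
        else:
            current["right"] = value
    return segments


def segments_touching(segments, host):
    """Names of the segments that have `host` on either end."""
    return [s["name"] for s in segments if host in (s.get("left"), s.get("right"))]


def cleanup_commands(find_output, host, suffix="domain"):
    """Commands to run, in order, to detach `host`: drop every segment that
    references it, then retry the replica removal."""
    cmds = [["ipa", "topologysegment-del", suffix, name]
            for name in segments_touching(parse_segments(find_output), host)]
    cmds.append(["ipa-replica-manage", "del", host, "--cleanup", "--force"])
    return cmds


def live_cleanup_commands(host, suffix="domain"):
    """Same, but read the segments from the real server (needs a valid
    Kerberos ticket). Not called by the example itself."""
    out = subprocess.run(["ipa", "topologysegment-find", suffix],
                         check=True, capture_output=True, text=True).stdout
    return cleanup_commands(out, host, suffix)


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_FIND_OUTPUT, "ipa2.example.com"):
        print(" ".join(cmd))
```

Review the printed commands before running them: the script only builds them, it does not execute them. IPA keeps a second topology suffix, `ca`, for servers that run the CA, so run the find/del pass for both `domain` and `ca` before retrying the removal.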
Hi,
Pretty much any vault-related calls in one of my environments result in the
internal error, although the call seems to (partially) succeed.
For example:
# ipa vault-add test --type standard
ipa: ERROR: an internal error has occurred
But the vault is created:
# ipa vault-find
Hi,
Posting back here, in case someone gets this issue in the future...
The problem turned out to be that IPA put wrong CA cert subject in the LDAP
entry under "uid=ipakra,ou=people,o=kra,o=ipaca".
It looked like this:
dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=Certificate
Hi,
Really weird issue...
We build a docker container to run some ansible playbooks within it.
We notice that if the container has the "ipa-client" package installed, there is a
HUGE performance degradation when executing the same playbook.
E.g. 20 seconds without ipa-client vs 2 minutes with
Hi,
Is it possible to retrieve an existing user keytab, without resetting the key?
I see there is "ipa-getkeytab -r", but it doesn't seem to work for me, at least
not for user principals:
$ kinit admin
$ ipa-getkeytab -p auto -r -k new.auto.keytab
Failed to load translations
Failed to parse
Oh ok, so I just need to create IPA host and let admin fetch its keytab on
all real hosts running the service. Fair enough, thanks!
Btw in the meantime I discovered that it is possible to retrieve user's
keytab with "ipa-getkeytab -r" if you authenticate as "cn=Directory
Manager". Apparently, it
Hi,
Can you please remind me from which IPA version you support service
principals not bound to hosts? I think that would be then a better solution
for my case, as I am really using this user for non-interactive workloads.
And in the meantime, what is the nicest solution for some service that