[Freeipa-users] Additional Check for checkipaconsistency - KRA
Hello, right now checkipaconsistency reports an error when not all IPA servers have AD trust enabled. My first two IPA servers running CentOS 7 do have KRA enabled, but installing KRA on a new CentOS 8 replica failed. Would it be useful to check that in checkipaconsistency? If yes, here's my first shot at it. diff --git a/checkipaconsistency/freeipaserver.py b/checkipaconsistency/freeipaserver.py index bdefe70..a58419b 100644 --- a/checkipaconsistency/freeipaserver.py +++ b/checkipaconsistency/freeipaserver.py @@ -49,6 +49,7 @@ class FreeIPAServer(object): self.ghosts = None self.bind = None self.msdcs = None +self.kra = None self.replicas = None self.healthy_agreements = False @@ -94,6 +95,7 @@ class FreeIPAServer(object): self.conflicts = self._count_ldap_conflicts() self.ghosts = self._ghost_replicas() self.bind = self._anon_bind() +self.kra = self._kra() self.msdcs = self._ms_adtrust() self.replicas, self.healthy_agreements = self._replication_agreements() @@ -385,6 +387,25 @@ class FreeIPAServer(object): self._log.debug(r) return r +def _kra(self): +self._log.debug('Checking KRA...%s' % self._fqdn) + r = False +results = self._search( +'cn=KRA,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % ( self._fqdn , self._base_dn), +'(ipaConfigString=*)', +['ipaConfigString'] +) +self._log.debug(results) +if type(results) == list and len(results) > 0: +#dn, attrs = results[0] + +#e = attrs['ipaConfigString'][1].decode('utf-8') +#r = e['enabledService'].decode('utf-8') +r = True +else: +r = False +return r + def _ms_adtrust(self): self._log.debug('Checking for MS ADTrust DNS records...') record = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.%s' % self._domain diff --git a/checkipaconsistency/main.py b/checkipaconsistency/main.py index 858b89a..242418e 100755 --- a/checkipaconsistency/main.py +++ b/checkipaconsistency/main.py 
@@ -134,6 +134,7 @@ class Main(object): ('ghosts', 'Ghost Replicas'), ('bind', 'Anonymous BIND'), ('msdcs', 'Microsoft ADTrust'), +('kra', 'KRA Status'), ('replicas', 'Replication Status') ]) @@ -156,7 +157,7 @@ class Main(object): parser.add_argument('-n', nargs='?', dest='nagios_check', help='Nagios plugin mode', default='not_set', choices=['', 'all', 'users', 'susers', 'pusers', 'hosts', 'services', 'ugroups', 'hgroups', 'ngroups', 'hbac', 'sudo', 'zones', 'certs', 'conflicts', 'ghosts', 'bind', - 'msdcs', 'replicas']) + 'msdcs', 'kra', 'replicas']) parser.add_argument('-w', '--warning', type=int, dest='warning', default=1, help='number of failed checks before warning (default: %(default)s)') parser.add_argument('-c', '--critical', type=int, dest='critical', Jochen -- This space is intentionally left blank. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
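Review bot: in the second freeipaserver.py hunk the new `self.kra = self._kra()` call is inserted before `self.msdcs = self._ms_adtrust()`, while the first hunk adds `self.kra = None` after `self.msdcs = None` and the main.py hunk lists `('kra', 'KRA Status')` after `('msdcs', 'Microsoft ADTrust')`; keep attribute initialisation, check call and report order consistent (kra after msdcs in all three places) so the order of checks matches the order of the output.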
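Review bot: `_kra` in the third freeipaserver.py hunk leaves commented-out code (`#dn, attrs = results[0]`, `#e = attrs['ipaConfigString'][1].decode('utf-8')`, `#r = e['enabledService'].decode('utf-8')`) and a redundant `r = False` in the else branch (r is already initialised to False); drop both before merging. More importantly, the filter `(ipaConfigString=*)` matches any KRA entry under cn=masters regardless of its value, so the check reports True for a server whose KRA entry exists but whose ipaConfigString does not contain enabledService, which is what the commented-out lines were apparently meant to test. Either look for the literal 'enabledService' value in the returned ipaConfigString list, or narrow the filter to `(ipaConfigString=enabledService)`; also prefer `isinstance(results, list)` over `type(results) == list` and drop the stray spaces in `( self._fqdn , self._base_dn)`.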
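Review bot: the second main.py hunk adds `'kra'` to the `-n` choices list, which is enough for argparse, but the patch shows no update to the user-facing description of the available check names; if the accepted names such as 'msdcs' are listed in help text or a README, add 'kra' there too so the new Nagios check is discoverable.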
[Freeipa-users] Re: 2FA using ssh keys + Free OTP
Daniel PC via FreeIPA-users writes:

> Currently, I have 2FA implemented with password + FreeOTP as authentication
> methods.
>
> I wonder if possible to implement ssh pub+priv keys instead of a password as
> the first authentication factor.
>
> Has anyone implemented such thing?

That's possible, but not with FreeIPA. On my Jump-Host I have the following in /etc/ssh/sshd_config:

,----
| Match Group otpusers
|   AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
`----

So I can login with Kerberos (and maybe with authentication indicators). The second authentication stream uses pubkey and whatever is defined in PAM. There I have:

,----
| # If the user is in group otpusers, we use the next rule, otherwise we skip
| # the call to pam_yubico.
| auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
| auth sufficient pam_yubico.so id= key= urllist=https://yubico.example.org/ttype/yubikey authfile=/etc/yubikeys/authorized_yubikeys
`----

I use privacyidea to manage my 2FA tokens (here I use Yubikeys). You could also use freeotp or something else - the problem is to connect token and user in the PAM stack.

Jochen
--
This space is intentionally left blank.
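As an added illustration of how sshd combines the two entries in the Match block above (example code written for this page, not from the original mail or from OpenSSH): sshd_config(5) treats space-separated entries of AuthenticationMethods as alternatives, and comma-separated methods within one entry as a chain that must all succeed, in order. The evaluator below models that rule, so you can see that a public key alone never satisfies the second chain and that the PAM step (where pam_yubico runs) is still required. The function names and the `completed` list are assumptions made for this illustration.

```python
"""Model the AuthenticationMethods semantics documented in sshd_config(5).

Added example, not code from the original mail or from OpenSSH.
Space-separated entries are alternatives; comma-separated methods inside one
entry form a chain that must all succeed, in the given order.
"""
from typing import List, Optional

# The directive from the mail above.
DIRECTIVE = "gssapi-with-mic publickey,keyboard-interactive:pam"


def parse_authentication_methods(directive: str) -> List[List[str]]:
    """Split 'a b,c' into [['a'], ['b', 'c']]: one inner list per alternative
    chain, each inner list holding the methods that must all succeed."""
    chains = []
    for entry in directive.split():
        methods = [m.strip() for m in entry.split(",") if m.strip()]
        if methods:
            chains.append(methods)
    return chains


def remaining(directive: str, completed: List[str]) -> List[Optional[List[str]]]:
    """For each chain, return the methods still required after the client has
    completed `completed` (in that order). An empty list means the chain is
    satisfied; None means the chain cannot be satisfied any more because the
    completed methods do not match its required order."""
    result = []
    for chain in parse_authentication_methods(directive):
        if chain[:len(completed)] == completed:
            result.append(chain[len(completed):])
        else:
            result.append(None)
    return result


def satisfied(directive: str, completed: List[str]) -> bool:
    """True when at least one alternative chain is fully satisfied."""
    return any(rest == [] for rest in remaining(directive, completed))


if __name__ == "__main__":
    for attempt in (["gssapi-with-mic"],
                    ["publickey"],
                    ["publickey", "keyboard-interactive:pam"]):
        print(attempt, "->", "login" if satisfied(DIRECTIVE, attempt)
              else f"still required: {remaining(DIRECTIVE, attempt)}")
```

Run stand-alone it prints, for each attempt, whether sshd would let the session through or which methods each chain still needs; the key observation is that after `publickey` the first chain is unreachable and the second still waits for `keyboard-interactive:pam`.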
[Freeipa-users] Re: freeipa failing to start after update
Andrew Meyer via FreeIPA-users writes:

> [andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
...
> Starting smb Service
> Failed to start smb Service
> Forced start, ignoring smb Service, continuing normal operation
> Starting winbind Service
> Failed to start winbind Service
> Forced start, ignoring winbind Service, continuing normal operation
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful

That seems to be a bug - see: https://bugs.centos.org/view.php?id=16929

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: adding external 2FA
Andrew Meyer via FreeIPA-users writes:

> I am trying to research how to add other 2FA providers to FreeIPA.
> Has anyone added Duo or something else to FreeIPA/IPA in the most
> recent versions?

I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS and have some users authenticate against RADIUS.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Multi Enrollment possible ?
Karim Bourenane via FreeIPA-users writes:

> I want to deploy some IPA-client with 2 interfaces, each host interface
> managed by each IPA server. I think the IPA servers should be replicas.
> Can you confirm me, that it's possible to enroll 2 times the ipa-client in
> each servers ?

I manage servers with multiple interfaces and use principal aliases for that. So one host has aliases like imap.example.org and smtp.jochen.org. Can you elaborate what your application looks like?

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Autofs maps for students directories divided by first letter of username
Rob Crittenden via FreeIPA-users writes:

[...]

> I don't think that first entry is a glob. I believe that * just means
> any. & is shorthand for the matching key so
>
> * -fstype=nfs4,soft,intr,rsize=8192,wsize=8192,tcp
> fileserver.chem.byu.edu:/export/home/students/&
>
> Just substitutes whatever the matching key (*) to &.
>
> I assume this is in some auto.home-like map.
>
> I don't claim to know a lot about autofs but you might try creating an
> auto.home-a, auto.home-b, etc.
>
> auto.master contains:
>
> /export/home/students/a auto.home-a
> /export/home/students/b auto.home-b
>
> This of course assumes that the homedir in the user entry is
> /export/home/students//

I also have no idea if that will work, but running "automount -vvvf" in a terminal very likely produces enough traces to see how the map is handled. I think that could help in investigating what might work.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: how to deal with an existing user before client installation
Albert Szostkiewicz via FreeIPA-users writes:

> So I do have an user on my laptop with same username as IPA user. I've
> noticed that after installing client, this existing user is still
> being authenticated by its original password and is with its original
> UID.
> What is the best procedure in such cases?

I've renamed the local user to "l" and kept it as a fallback/emergency user. My user in IPA is just "" and I normally log in with the IPA user. The users have different UIDs and both users have sudo rights, so I can fix whatever is broken when something isn't working. It's somewhat inconvenient to rename the local user, but I'm quite happy to have a fallback. After moving to IPA I've started adding that user when installing a new system as the first user.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] FreeIPA-Client now in Debian Buster
Hello, today freeipa-client migrated from sid to buster - thanks a lot for this!

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: IPA managed autofs mount timeout
William Muriithi via FreeIPA-users writes:

> I am using autofs to mount home directories. The autofs maps are on IPA
> server. A while back, I adjusted the mount idle timeout from the default 5
> minutes to 2 hours.
>
> I now want to undo the change, essentially bring down the timeout to 5
> minutes. I can't however remember how I had increased it and google just
> bring up how to adjust locally from /etc/sysconfig/autofs. I recall
> vaguely I had done the change from IPA. Anyone who would have this info
> without too much googling?

You can change the timeout globally in /etc/autofs.conf. Otherwise you can add the --timeout option to the map entries, see auto.master(5) for details. So my guess is that you added the timeout to the automountkey. Let's see your automount map/key, something like:

ipa automountkey-show default auto.home --all

Is there a timeout?

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: is anyone running Debian as freeipa-client
Johan Vermeulen via FreeIPA-users writes:

> Now it would come in handy if I could field some Debian clients for some
> purposes.
> But on the current stable release there is no freeipa client.
> I have installed some freeipa-clients from unstable, but it's not ideal.
>
> I'm wondering, is anyone doing this at the moment.
> Is there some repo for this?
> Can this be compiled from source?

I've installed the client packages from snapshot.debian.org with a version near the freeze for the next release. That's working fine for me, but you won't get security fixes that way. On the other hand, other packages seem more relevant for security patches, like sssd, kerberos, or certmonger - and these are part of Debian. So, I'm quite happy with the packages from snapshots.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: HBAC Rules for OpenVPN Server
Sina Owolabi via FreeIPA-users writes:

> Yes I use PAM with openvpn to authenticate user clients
> "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
> I'm also running a HBAC controlled IPA environment but the rule for vpnusers
> is a --servicecat=all:
>
> Rule name: allowvpnusers
> Service category: all
> Enabled: TRUE
> User Groups: vpnusers
> Hosts: vpn.internaldom.com

You use the login configuration for PAM. Either use that service or change the parameter to openvpn-plugin-auth-pam.so to openvpn.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: HBAC Rules for OpenVPN Server
Rob Crittenden via FreeIPA-users writes:

> Sina Owolabi via FreeIPA-users wrote:
>> Hi List
>>
>> I’ve been struggling with this for a while and I would really appreciate
>> some advice.
>> I have an openvpn server using freeIPA to authenticate users logging
>> into the office VPN.
>> Currently all users have access to all services on the OpenVPN server.
>> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
>> them to have access to anything else?
> ...
> What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> configured for auth.

To elaborate that somewhat more: It depends how you authenticate your users. The most simple way is to enable PAM authentication in your server config:

,----
| plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
`----

Then you create a file /etc/pam.d/openvpn and can use sssd there. Your HBAC rule needs to allow the openvpn service for the users. You could also authenticate against LDAP or RADIUS and juggle with groups, but PAM is really easier.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Can't ssh using GSSAPI delegation from one freeipa client to another consistently
Ranbir via FreeIPA-users writes:

> When GSSAPI delegation doesn't work, I see this error:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server host/ip...@theinside.rnr not found in Kerberos database

You used "ssh ipa01", right? And the host has been enrolled with ipa01.theinside.rnr?

> What am I messing up?

I have in my ~/.ssh/config:

CanonicalizeHostname always
CanonicalDomains example.org

Hope that helps.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: admin account getting locked
hedrick--- via FreeIPA-users writes:

> We have a number of systems on the internet. They are constantly
> attacked through ssh. A lot of attacks try to guess passwords for a
> user called “admin.”

If you don't need the user admin on the outside facing boxes, you could try that in /etc/sss/sssd.conf:

,----
| ...
| [nss]
| homedir_substring = /home
| filter_users = root, admin
| ...
`----

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: keycloak
Rob Crittenden via FreeIPA-users writes:

> I don't know where Keycloak upstream is.

Look at http://www.keycloak.org

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: some basic questions about FreeIPA
Udo Rader via FreeIPA-users writes:

> Our current setup looks like this:
...
> #4 DHCP is handled by multiple, distributed ISC DHCP servers,
> configured to pull their configuration from OpenLDAP (network
> definitions, routers, NTP servers, MAC addresses etc.)
...
> Regarding DHCP, all I found were some older documents describing
> intentions to implement it [1], but I'm uncertain if that ever
> happened.

I'm using dnsmasq for DHCP. My workflow is something like this:

- A host gets added to FreeIPA, its IP address is stored in LDAP for IPA's DNS.
- I manually add the MAC address to the server record: ipa host-mod --macaddress=
- A script pulls the hosts from IPA and generates a config fragment for dnsmasq. If there were changes, dnsmasq is reloaded.

Jochen

#!/bin/bash
tmp=/etc/dnsmasq.d/dynamic-hosts.conf.tmp
KRBPRINC='host/.example@example.org'
# Obtain a ticket for the host principal from the keytab, so "ipa" can talk to the server.
kinit -k $KRBPRINC
# NOTE: the here-document that was fed to cat here, and the lines that set $out
# and create ${tmp}.empty, are not present in the archived copy of this message.
cat > $tmp <> ${tmp}.$$
# Emit one dhcp-host line per (host, interface) pair found in IPA.
LC_ALL=C.UTF-8 ipa host-find --all --raw | awk '
/fqdn:/ { ipstr=""; split($2,host,".") }
# for multi-home hosts, description contains the interface-name.
/iface:/ {
  "getent ahostsv4 " host[1] "-" $2 | getline ipstr;
  split(ipstr, ip, " ");
  if ( ip[1] != "" )
    printf "dhcp-host=" $3 ",id:*," ip[1] "," host[1] "-" $2 ",24h\n"
  else
    printf "ERROR: no ip for host »%s« and interface »%s«.\n", host[1], $2 > "/dev/stderr"
}' >> ${tmp}.$$
sort < ${tmp}.$$ > $tmp
rm -f ${tmp}.$$
kdestroy -A
# Only touch the live config (and restart dnsmasq) when the generated fragment changed
# and is not empty.
if cmp -s $out $tmp; then
  rm -f $tmp ${tmp}.empty
else
  if cmp -s ${tmp} ${tmp}.empty; then
    rm -f ${tmp} ${tmp}.empty
  else
    mv $tmp $out
    rm -f ${tmp}.empty
    systemctl restart dnsmasq.service
  fi
fi

--
This space is intentionally left blank.
[Freeipa-users] Re: Overall users experience with Free-IPA
Hi,

Duncan Colhoun via FreeIPA-users writes:

> Can I get some feedback on the overall experience setting up and
> running Free-IPA. I am looking at implementing Free-IPA to
> enhance/replace an OpenLDAP environment.

I'm running a small FreeIPA (2 servers) installation in a family network. Install is easy, administration is also easy. I'm really happy with SSO and CA for internal SSL servers. Be prepared to read the Red Hat manuals and when problems show up, don't hesitate to ask here. I found most fixes in the archive, but reading this list helped too. The developers are really helpful and friendly.

> So please share any horror/success stories.

I'm not comfortable resolving replication conflicts, but they really are exceptional events.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Zone transfers between external DNS slave and Internal IPA master
Jochen Hein via FreeIPA-users writes:

> Randy Morgan via FreeIPA-users
> writes:
>
> [BIND as slave on IPA DNS masters]
>
>> Has anyone set this up before and if so, do you have a sample config
>> that I could look at to gain a better understanding of what is needed
>> here?
>
> I'm running a pair of IPA servers with a single DNS slave. There's one
> catch: you must select one IPA master where you get your zone from.
> Each IPA master has its own SOA record in the zone - otherwise you
> would get errors due to lower SOA...

You'll miss another thing as well: your clients using the BIND slave can't update their DNS records dynamically. You could probably run bind-dyndb-ldap on your slave and replicate with LDAP or access IPA's LDAP. But then it seems easier to just run a replica...

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: admin's credentials revoked?
Bret Wortman via FreeIPA-users writes:

> # kinit admin
> kint: Client's credentials have been revoked while getting initial
> credentials
>
> Then while looking at /var/log/httpd/error_log:
>
> [date] [:error] [pid] [remote 192.168.1.50:96] Database Error: Server
> is unwilling to perform: Too many failed logins.
>
> What the? How can my admin account be getting locked?

Do you have an IPA client exposed to the internet? Drive-by test logins often try admin and would lock you out. You should filter the users with sssd. Add this to your /etc/sss/sssd.conf and restart sssd:

[nss]
filter_users = root, admin

Jochen
--
This space is intentionally left blank.
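The two mails above (the one about the "admin" password-guessing and this one) both recommend the same sssd.conf change. As an added example (written for this page, not from the original mails or from SSSD) here is a small audit-and-fix helper: it reads an sssd.conf, reports which of the names you want hidden are missing from `filter_users` in the `[nss]` section, and returns a corrected copy that keeps whatever was already listed. The sample configuration is constructed, and the function names are assumptions. Note the limit of this mitigation: `filter_users` only stops that client's NSS/PAM lookups from resolving the name, so the IPA admin account still exists and can still be locked by attempts that reach the KDC or the web UI directly.

```python
"""Audit and correct filter_users in the [nss] section of sssd.conf.

Added example, not code from the original mails or from SSSD. Assumes a
standard INI-style sssd.conf, which configparser reads fine.
"""
import configparser
import io
from typing import List

# Constructed sample: an internet-facing client that filters nothing explicitly.
# When filter_users is absent, SSSD's documented default is "root".
WEAK_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.org

[nss]
homedir_substring = /home

[domain/example.org]
id_provider = ipa
"""

# Names that must never be resolved through SSSD on an exposed host.
REQUIRED = ("root", "admin")


def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def filtered_users(text: str) -> List[str]:
    """Return the names listed in [nss] filter_users, in file order
    (falling back to SSSD's default of just 'root')."""
    raw = _parse(text).get("nss", "filter_users", fallback="root")
    return [u.strip() for u in raw.split(",") if u.strip()]


def missing_filters(text: str, required=REQUIRED) -> List[str]:
    """Names from `required` that the configuration does not yet filter."""
    have = set(filtered_users(text))
    return [u for u in required if u not in have]


def harden(text: str, required=REQUIRED) -> str:
    """Return the configuration with every name in `required` present in
    [nss] filter_users; existing entries and other sections are kept."""
    cp = _parse(text)
    if not cp.has_section("nss"):
        cp.add_section("nss")
    users = filtered_users(text) + missing_filters(text, required)
    cp.set("nss", "filter_users", ", ".join(users))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print("missing:", missing_filters(WEAK_CONF))
    print(harden(WEAK_CONF))
```

Point it at a real file with `harden(open("sssd.conf").read())` and diff the result before installing it; SSSD must be restarted afterwards, as the mail says.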
[Freeipa-users] Re: Zone transfers between external DNS slave and Internal IPA master
Randy Morgan via FreeIPA-users writes:

[BIND as slave on IPA DNS masters]

> Has anyone set this up before and if so, do you have a sample config
> that I could look at to gain a better understanding of what is needed
> here?

I'm running a pair of IPA servers with a single DNS slave. There's one catch: you must select one IPA master where you get your zone from. Each IPA master has its own SOA record in the zone - otherwise you would get errors due to lower SOA...

On the IPA side you must allow transfer for each needed zone:

ipa dnszone-mod --allow-transfer=

The secondary is just a regular slave:

,----
| masters ipa { 192.168.x.y; };
|
| zone "example.org." IN {
|   type slave;
|   file "slave/example.org";
|   masters { ipa; };
| };
`----

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: OTP for specific services only
Winfried de Heiden via FreeIPA-users writes:

> OTP using IPA 4.5 on CentOS seems to work well. However: I can force a user
> to use OTP and/or a host. Authentication indicators won't work that way...
> Selecting a user, ALL authentication needs OTP. Since sudo in this case will
> ask for OTP also, this turns out
> quite inconvenient. Is it possible to select only certain services for OTP?
> for example:
>
> login using SSH --> OTP
> login ftp --> OTP
> console --> password only
> sudo --> password only

Not easily with FreeIPA, but I do something similar with Privacyidea and Yubikeys. In FreeIPA I authenticate my user with RADIUS (freeradius and Privacyidea). In Privacyidea my user has a Yubikey token assigned, so I log on with password+OTP when logging in. When I do sudo I have a special PAM config: Users with a yubikey authenticate only with OTP instead of "NOPASSWD" - that way I don't need to type my password, but still have some authentication going on.

You can't do that with tokens defined in FreeIPA, but looking at PAM options might help you to get something working. Do you use hardware tokens or a smartphone app/soft token?

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: How to replace a failed CA?
Bret Wortman via FreeIPA-users writes:

> If this is the correct search, then no. It's gone.

Now, if you don't have the private keys any longer (see Rob's mail), we should consider your CA really gone. I'd look at ipa-ca-install and something like https://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion. You'll need to refresh the CA certs and certificates on all clients after recreating a new CA. Use a new CA subject with --subject...

Getting dogtag going probably won't be easy, but we'll see. I had problems after cert renewal, but got dogtag up with password authentication temporarily and could fix certs/ldap.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: How to replace a failed CA?
Bret Wortman via FreeIPA-users writes:

> I may be going about this in the hardest way possible, so let me stop
> and roll everything back to my root need:
>
> I have two IPA servers which manage our infrastructure. We used to
> have three, but a catastrophic failure on one led to its total
> loss. And it was our CA.
>
> So now we have no CA -- is there a way to promote an existing system
> to take over? I realize it may well mean distributing a new root CA
> cert to everyone, but that seems less painful now than trying to set
> up a brand new cluster of servers and try to port our data over to
> them...

I'd start looking for the ca data in LDAP. If you still have it, you might be lucky - if not there's no way to recreate the data (beside from a backup of the failed server - which I guess doesn't exist any longer). Do you have a tree o=ipaca in your LDAP?

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Bret Wortman via FreeIPA-users writes:

> Sequence of events in trying to stand up a new IPA server to replace
> (wholesale) our old ones.
> ...
> 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders ...
> And now I'm back where I was. IPA is running and contains our user,
> host, and DNS data (plus others) from the original hosts but I can't
> connect to it using firefox. Any other possible solutions to this
> problem?
>
> We're using the same realm & network name, and we have to do that.

I'd try with another CA subject, see https://blog.delouw.ch/2015/11/29/setting-up-ipa-with-a-specific-ca-cert-subject/ for details.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: freeipa with sudo and 2FA (OTP)
John Ratliff via FreeIPA-users writes:

> Okay, so the problem wasn't that it wasn't working; it's that I didn't
> understand the prompts. Debian only prompts for password, but wants
> password + OTP on the same field. CentOS prompts for First Factor /
> Second Factor.
>
> Is there any way I can make it so that on Debian clients it asks for
> the factors separately as well?

Can you please look at /etc/pam.d? Debian uses pam_unix to get the password+OTP, CentOS/Fedora use pam_sss for non-local users. I've added the following to /usr/share/pam-configs and use that instead of pam_unix and pam_sss.

[Attachment: unix+sss (binary data, not preserved in the archive)]

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Documented monitoring best practices
Alex Corcoles via FreeIPA-users writes:

> Is there any official literature about how to monitor FreeIPA?

I'm using https://github.com/peterpakos/checkipaconsistency to monitor my replicas.

> Is there any plan to provide an official way to monitor FreeIPA? My
> foremost concern would be to ensure that all clients are correctly enrolled
> and sudo/ssh work, so I am not locked out of my systems. Ensuring that
> replication works seems good and popular. Of course I can check that all
> services are running and ports respond.
>
> What are the most common ways for FreeIPA to break?

Right now we had some problems with certificates not/halfway renewing, so some tool to check LDAP against the different cert-stores might be helpful.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: how to avoid ntpd?
Lukas Slebodnik via FreeIPA-users writes:

> On (15/01/18 10:53), Rob Crittenden via FreeIPA-users wrote:
>>As I read it he has the reverse problem. He installed with NTP support
>>and now wants to remove it.
>>
>>You need to remove NTP as a managed IPA service by removing the entry:
>>
>>cn=NTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
>>
>>ipactl will no longer try to start the service.

I'm also considering removing the ntp service from my IPA servers...

>>Note that without good time then you may run into serious issues with
>>Kerberos and replication.
>
> I do not have any time related problems with chronyd + fedora *default*
> configuration.

I also think that now all major Linux distributions configure some kind of NTP client service per default (at least Debian, Ubuntu, CentOS run here and enable some timesync by default - systemd-timesyncd too looks very promising). Even if the clients don't use the same NTP servers (each distribution has its own pool) the time should be good enough. At least that's what I see on my systems - time is not a problem.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Expired certificate problem
Giulio Casella via FreeIPA-users writes:

> On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
>> Giulio Casella via FreeIPA-users
>> writes:
>>
>>> Done, ipactl status report everything running,
>>
>> That's not correct, see below.
>>
>>> but certificates don't renew.
>>> Looking at certmonger (in debug mode) I can see:
>>>
>>> "Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
>>> request, will retry: 4035 (RPC failed at server. Request failed with
>>> status 500: Non-2xx response from CA REST API: 500. ).
>>
>> internal error from apache
>>
>>> Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
>>> request, will retry: -504 (libcurl failed to execute the HTTP POST
>>> transaction, explaining: Failed connect to
>>> idc02.linux.unicloudidattica.local:443; Connection refused).
>>
>> no apache running
>
> I don't think so. HTTP 500 doesn't mean apache is not running, but an
> internal server error.
> Indeed I can reach the administration web ui. Login fails due to time
> skew, but apache is fully responsive.

Have a look again: Host idc01 delivers 500 - internal error. Host idc02 has no apache running ("connection refused").

> Apache return 500 when something behind the scene fails (maybe the
> pki-tomcat part, following a post to api).

Yes, try fixing idc01 - most probably dogtag/pki-tomcat there.

Jochen
--
This space is intentionally left blank.
[Freeipa-users] Re: Expired certificate problem
Giulio Casella via FreeIPA-users writes:

> Done, ipactl status report everything running,

That's not correct, see below.

> but certificates don't renew.
> Looking at certmonger (in debug mode) I can see:
>
> "Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
> request, will retry: 4035 (RPC failed at server. Request failed with
> status 500: Non-2xx response from CA REST API: 500. ).

internal error from apache

> Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining: Failed connect to
> idc02.linux.unicloudidattica.local:443; Connection refused).

no apache running

> Do I have to try to remove/re-add monitoring from certmonger for service
> certificates?

No - try to find out the errors above. Leave certmonger alone until you have fixed apache/dogtag.

Jochen
[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04
Cody Rathgeber writes:

> Thanks, I'm sure it was a versioning issue as the server is 4.5, and I see
> the default Ubuntu 14.04 packages I was using were 3.3. Using the repo
> Jochen mentioned I can install 4.0 on Ubuntu 14.04 but I will get the below
> errors in the log during install, is this still due to 4.0 being too far
> behind the server's 4.5 and I'll need to build from source?

Possible. I don't know where the problems begin - I started with IPA server 4.1/4.2 some time ago and enrolled my 14.04 laptop with the 4.0.4 client (I had a system with 12.04 enrolled too). I'm not going to install/enroll another old laptop - only 16.04 and newer...

Jochen
[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04
Cody Rathgeber via FreeIPA-users writes:

> I'm trying to deploy freeipa to an environment running a mix of ubuntu
> 16.04 and 14.04 servers.
> on 16.04 the servers join and can pull down users no problem, on 14.04 when
> joining it'll throw a
>
> "Unable to find 'admin' user with 'getent passwd ad...@redacted.net'!:"

What packages do you use on 14.04? I'm using the packages from ppa:freeipa/4.0. What's your IPA server release?

There were also reports about sssd problems:
https://www.redhat.com/archives/freeipa-users/2017-January/msg00190.html

Jochen
[Freeipa-users] Re: Using pam_krb5 to change password at ssh prompt gives shell
Aaron Hicks via FreeIPA-users writes:

> As a workaround for another issue we have with using two-factor
> authentication, we're using pam_krb5 to change expired passwords, so in
> /etc/pam.d/password-auth-ac we have changed the password section to be:
> ...
>
> This puts the user through a password reset process without the second
> factor interfering, but at the end they get a shell. This is without the
> second factor.
>
> Is there a parameter for this so that the connection is disconnected instead, or
> the connection attempt is restarted?

I'd try pam_deny. This should work for the password section.

Jochen
[Freeipa-users] Re: Switching which FreeIPA server is the main CA
Kristian Petersen via FreeIPA-users writes:

> The dirsrv log just shows a bunch of the following:
> [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
> could not bind id [cn=Replication Manager cloneAgreement1-ipa
> 2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism
> [SIMPLE]: error 32 (No such object)
>
> That makes sense though since pki-tomcat won't start. Rob was asking what
> was in the logs located at /var/log/pki/pki-tomcat/ca/debug, but that path
> doesn't exist on any of my IPA servers. He said that would normally be the
> first place to look. Hence, I am looking for other solutions.

Brute force: reproduce the error and run "find /var/log -mmin -1 -type f -ls". This finds the files changed in the last minute - one of these might help.

Jochen
[Freeipa-users] Re: Switching which FreeIPA server is the main CA
Kristian Petersen via FreeIPA-users writes:

> When I recently updated one of my IPA servers (it reports
> 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up
> because pki-tomcatd kept failing. I was able to get it running for now by
> ignoring the failure of that one service, but I haven't been able to
> determine the cause. The logs are pretty quiet on this one. They show the
> failure itself, but not information that helps me fix the problem.

Can you show the relevant logs? Is there something in the dirsrv logs at that time? CA logs aren't easy to read, but they should give at least a hint where to look further.

Jochen
[Freeipa-users] Re: Manual IPA client install
Mark Haney via FreeIPA-users writes:

> since these two servers are CentOS 6.9. I'm almost certain I've got
> everything setup correctly, but I'm still unable to login as an IPA
> user either with SSH or with su - . I get ' does
> not exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney'
> successfully:

This looks like some problem with sssd. Do you see your user with "id https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

> Rob Crittenden had me check the keytab KVNO and it matches with the
> KVNO of the IPA server. The one issue I can definitely say I have is
> this:
>
> kinit -kt /etc/krb5.keytab
> kinit: Generic preauthentication failure while getting initial credentials

Can you show a trace with "KRB5_TRACE=/dev/stderr kinit -kt /etc/krb5.keytab"? What do you see in the KDC log?

Jochen
[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5
Alexander Bokovoy writes:

> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>> /var/run/ipa/ccaches/armor_7424 -X
>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>> non-zero exit status 1
>>
>>Do you have krb5-pkinit installed? I think there is a dependency
>>missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
>>it's needed for WebUI login.
> Looking into RHEL/CentOS spec file, I see:

Hm, then the dependency was missing for the client packages for Debian/Ubuntu. Thanks for checking.

Jochen
[Freeipa-users] Re: Web UI login fails after upgrading to 4.5
Marius Bjørnstad via FreeIPA-users writes:

> After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login
> failed due to an unknown reason" on the web UI, no matter if I use the
> admin user or my personal user.

...

> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
> /var/run/ipa/ccaches/armor_7424 -X
> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
> non-zero exit status 1

Do you have krb5-pkinit installed? I think there is a dependency missing. And I ran "ipa-pkinit-manage enable", but I don't remember if it's needed for WebUI login.

Jochen
[Freeipa-users] Re: IPA Server down after system update
Gady Notrica via FreeIPA-users writes:

> But still having the same issue:

No, you don't. Earlier it timed out waiting for dirsrv, but now it's dogtag (ports 8080, 8443):

> 2017-09-15T15:58:46Z DEBUG stderr=
> 2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

Have a look at the dogtag logs and possibly
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

For me another replica refreshed the certificate while ipaupgrade was running. Another possibility was failure to refresh the cert due to selinux. (Can't find the ticket now).

Jochen
[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients
Torsten Harenberg via FreeIPA-users writes:

> Suddenly, our Linux Mint clients refrain from logging in users and
> throw a system error. I increased the log level and the relevant lines
> seem to be:
>
> (Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]]
> [hbac_eval_user_element] (0x0040): Parse error on [
> cn=System: Manage Host
> Principals+nsuniqueid=53120f31-41e811e7-b96dfa31-96759478,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]:
> Malformed cache entry

This looks like an entry created by a replication conflict. Do you use replicas? Then I'd check for replication conflicts:
http://directory.fedoraproject.org/docs/389ds/design/managing-repl-conflict-entries.html

Jochen
[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup
Ludwig Krispenz via FreeIPA-users writes:

> This is issue: https://pagure.io/389-ds-base/issue/49334

Thanks for the info. I like the documentation and analysis in the tickets (not only this one) - well done!

Jochen
[Freeipa-users] [CentOS 7.5] error message during LDAP backup
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have the following new messages during backup:

Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR - dblayer_backup - Error in copying directory (/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): err=-1

The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the following files:

[root@freeipa1 cldb]# ls -la
insgesamt 6592
drwxr-xr-x. 2 dirsrv dirsrv    4096 28. Aug 16:12 .
drwxrwx---. 6 dirsrv dirsrv      47  1. Dez  2016 ..
-rw-------. 1 dirsrv dirsrv 5668864 30. Aug 08:54 105a1694-b80711e6-a735c4e0-b4c95686_583b44c10004.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 105a1694-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv 1064960 30. Aug 08:52 6464fab3-b80711e6-a735c4e0-b4c95686_5840787c000d.db
-rw-r--r--. 1 dirsrv dirsrv       0 28. Aug 16:12 6464fab3-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv      30  1. Dez  2016 DBVERSION

The directory /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup does not exist, all I have is:

[root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
insgesamt 0
drwxrwx---. 2 dirsrv dirsrv  6 30. Aug 01:34 .
drwxrwx---. 6 dirsrv dirsrv 47  1. Dez  2016 ..

I'll create /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup manually and will see if that helps. I think it should be created during upgrade or backup if it is missing. What do you think?

Jochen
[Freeipa-users] Re: FIPA OTP 2FA
saidireddy ranabothu via FreeIPA-users writes:

> I have enabled password+OTP authentication for a user and am able to sync
> tokens and SSH.
>
> While I ssh to the server using FIPA credentials it's asking for authentication in
> two steps as First Factor and Second Factor.
>
> But I just want to give it in a single line password. Can anyone suggest
> how to do it as a single line password?

Try just pressing Enter when asked for the second factor.

Jochen
[Freeipa-users] Re: ipa-getcert and java certstore/keytool
Jochen Hein via FreeIPA-users writes:

> Rob Crittenden via FreeIPA-users writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon renewal run a post script to import the updated cert
>> into the java keystore.
>
> This is my current script to get a cert from IPA, which is tracked by
> certmonger. I've yet to test refreshing a certificate, but the steps
> manually did work (I expect some SELINUX woes...):

Exactly as I thought, I got an AVC denied:

> # Get a certificate and key from IPA
> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
> #   -k /etc/pki/tls/private/saml.example.org.key \
> #   -N CN=saml.example.org \
> #   -D saml.example.org \
> #   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
> ##  -C ""

type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

I stored my refresh script in /root and might have some luck with chcon. But is there a location, for example in /etc, that would give my script the needed rights? No examples I've looked at in the IdM manual used -C, and there was no discussion about selinux labels. certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:

# ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/ipa/certmonger/restart_httpd

Once I label my script with bin_t I get more denials, so that is probably not the right thing to do:

type=AVC msg=audit(1501563217.770:154): avc: denied { write } for pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1501619025.994:1172): avc: denied { write } for pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619132.710:1173): avc: denied { write } for pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619192.323:1174): avc: denied { create } for pid=18555 comm="certmonger" name="saml.jochen.org.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1501619605.451:1182): avc: denied { write } for pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1501699449.127:2460): avc: denied { write } for pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc: denied { write } for pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc: denied { write } for pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc: denied { read } for pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Is there some documentation where the admin should store his scripts and how to label them that I missed? I found certmonger_selinux, but that's too abstract for me.

The (probably too big) hammer made it work for me:

# chcon -v --type=certmonger_unconfined_exec_t /root/refresh_keycloak_certificate

Jochen
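To see which labels are actually in conflict in a list of denials like the one above, the AVC records can be grouped mechanically by source domain, target type and object class before deciding on a label. The following is an added example, not code from this thread, from certmonger or from FreeIPA: a small Python parser for audit `type=AVC` records, run over constructed copies of four of the denials quoted above plus one non-AVC record. All function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: copies of four AVC records quoted in the post above,
# plus one non-AVC audit record to show that other record types are skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1502049392.796:1375): avc: denied { write } for pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1502049392.799:1376): avc: denied { write } for pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1502049392.802:1377): avc: denied { read } for pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=USER_ACCT msg=audit(1502049400.000:1378): pid=4001 uid=0 msg=\'op=PAM:accounting acct="root" res=success\'',
]

# Shape: type=AVC msg=audit(<epoch>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; a value is either "quoted" or a bare token without spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    return rec


def se_type(context):
    """Extract the type field from a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def summarize_denials(lines):
    """Group denials by (source type, target type, object class).

    Each group records the permissions denied, the commands involved and a count,
    so that one mislabelled location shows up as one row however often it was hit.
    """
    groups = defaultdict(lambda: {"perms": set(), "comm": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
        group = groups[key]
        group["perms"].update(rec["perms"])
        group["comm"].add(rec.get("comm", "?"))
        group["count"] += 1
    return dict(groups)


def target_types_for(lines, source_type):
    """Sorted list of target types a given source domain was denied access to."""
    return sorted({tgt for (src, tgt, _cls) in summarize_denials(lines) if src == source_type})


def report(lines):
    """Render the summary as one text line per group, sorted for stable output."""
    out = []
    for (src, tgt, cls), g in sorted(summarize_denials(lines).items()):
        out.append("%s -> %s (%s): %s via %s, %d record(s)" % (
            src, tgt, cls, " ".join(sorted(g["perms"])), ",".join(sorted(g["comm"])), g["count"]))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT_LINES):
        print(line)
```

Run over the sample, every group has certmonger_t as the source and admin_home_t, usr_t or sysfs_t as the target, which is exactly the question the post asks: the script under /root and the working files under /opt carry labels the certmonger_t domain is not allowed to execute or write, while the sysfs read by keytool is a different kind of denial that no relocation of the script will change. Grouping this way before reaching for chcon shows which file locations need a label certmonger is permitted to use.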
[Freeipa-users] Re: ipa-getcert and java certstore/keytool
Rob Crittenden via FreeIPA-users writes:

> certmonger doesn't support storing certificates in a java keystore.
>
> certmonger has the concept of pre and post renewal scripts so you can,
> for example stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store a copy of some certificates in LDAP).
>
> So theoretically certmonger could for example, track PEM files in the
> filesystem and upon renewal run a post script to import the updated cert
> into the java keystore.

This is my current script to get a cert from IPA, which is tracked by certmonger. I've yet to test refreshing a certificate, but the steps manually did work (I expect some SELINUX woes...):

# Get a certificate and key from IPA
#ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
#   -k /etc/pki/tls/private/saml.example.org.key \
#   -N CN=saml.example.org \
#   -D saml.example.org \
#   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
##  -C ""

cd /opt/jboss/keycloak/standalone/configuration

# We need to have the password we use on the keystore also as the key password.
# IPA keys do not have a password - let's add one to a temp file.
openssl rsa -des3 -in /etc/pki/tls/private/saml.example.org.key -out saml.example.org.key \
    -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password

# Combine the key, the cert, and the CA cert into a pkcs12 file, which we'll
# import with keytool later. We need two password files with the same content,
# otherwise we'll get "Error reading password from BIO".
openssl pkcs12 -export \
    -passin file:/opt/jboss/keycloak/standalone/configuration/keystore.password \
    -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password2 \
    -in /etc/pki/tls/certs/saml.example.org.crt -inkey saml.example.org.key \
    -CAfile /etc/ipa/ca.crt -out temp.p12 -chain
#-in /etc/pki/tls/certs/saml.example.org.crt -inkey /etc/pki/tls/private/saml.example.org.key \

# Now we can import our "pkcs12 keystore" into the keytool keystore we'll use
# for wildfly/keycloak
keytool -importkeystore -trustcacerts \
    -srckeystore temp.p12 -srcstoretype PKCS12 \
    -srcstorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -destkeypass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -deststorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -destkeystore /opt/jboss/keycloak/standalone/configuration/keycloak.jks

# We might now restart keycloak to activate the new certificate
#systemctl restart keycloak.service

Puh, there were some hurdles, some google-fu needed, and lots of trial-and-error. I'm not sure how we can help other users of keytool, but I'm confident I'll get automatic refresh implemented.

Jochen
[Freeipa-users] Re: Valid Sender ? - Re: Re: ipa-getcert and java certstore/keytool
Rob Crittenden writes:

> certmonger doesn't support storing certificates in a java keystore.

That's what I found out :-)

> The tricky bit might be in dealing with the CSR. certmonger needs the
> private key in order to do the renewal.
>
> I guess one thing you could do is a straight ipa-getcert -f
> /path/to/cert.pem -k /path/to/key.pem ... -C
> /path/to/your/post/script

Something like that might work, and I hoped that someone might have done and documented it before...

> Then take the resulting PEM files, create a PKCS#12 file out of them,
> and import that into your java keystore.

That's what I'll try - let's see how that works out.

Jochen
[Freeipa-users] ipa-getcert and java certstore/keytool
Hi,

I'm playing around with keycloak and wanted to use an SSL certificate from IPA. I've looked around but didn't see any howto about using java keytool with ipa-getcert. Does someone have experience with it?

I was not successful adding a key/cert created by certmonger into keytool, and also not successful signing a csr from keytool with IPA.

If no one has hints, I'll try again and provide commands/logs...

Jochen
[Freeipa-users] Re: autofs.service on NFS clients and servers
Prasun Gera via FreeIPA-users writes:

> The only thing I would be interested in knowing is if there is a
> performance penalty to mounting NFS locally. Ideally, it should be smart
> enough to know that, but I'm not sure if it is.

On my NFS server /home is a local ext4 mount and exported. The clients automount it as /zentral. autofs.zentral contains:

* -fstype=nfs4,rw,sec=krb5p,soft,rsize=8192,wsize=8192 nfs.example.org:/home/&

When I access /zentral/jochen I get the following mount:

/dev/mapper/home_lv on /zentral/jochen type ext4 (rw,noatime,errors=remount-ro,data=ordered)

That seems to be a bind mount.

Jochen
[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth
Hello Dagan,

> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.

I use ocserv on my VPN server and openconnect - normally with GSSAPI, but I'll try with password/OTP.

> The Yubikeys in the existing configuration are in a static file, which
> does reference a cloud api key but I am not sure if this is required?

No, it is not required.

> I am hoping to be able to register each Yubikey against a user in
> FreeIPA and not have to use any external components to verify them.

How do you use the two slots on the yubikey? I do use slot 1 with a self programmed yubico mode, but you can also enroll a yubikey directly into FreeIPA. I was happy to overwrite slot 1, but you might want to use slot 2.

> But I am looking for some guidance on how that configuration might work.

I guess it's almost too easy...

- enable OTP in freeipa:
  ipa config-mod --user-auth-type='password' --user-auth-type='otp'
- enroll the yubikey:
  ipa otptoken-add-yubikey --slot=<1 or 2>
  beware that the slot will be overwritten and the secret programmed there will be lost.
- enable OTP for the user:
  ipa user-mod --user-auth-type='password' --user-auth-type='otp'

On your RADIUS server just use PAM-sss against FreeIPA. My ocserv talks pam directly and asks for "First Factor" and "Second Factor". If RADIUS only asks for "Password", just enter .

That's it.

Jochen
[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth
Hello,

Dagan McGregor via FreeIPA-users writes:

> I have been asked to configure FreeIPA 4.4 servers to handle VPN

What kind of VPN do you use? What client do you use?

> authentication using a FreeRADIUS server, with 2FA being generated by
> a Yubikey given to each user.

Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud servers, or something else?

> The existing radius server configuration uses PAM sssd and yubico
> modules with a static file for the Yubikeys, and works with the token
> appended to the password. The sssd functions as a user lookup to
> FreeIPA.

> Is there a recommended method, like using the radius ldap module, to
> query username, password, and Yubikey values?

I do have my Yubikey enrolled in Privacyidea. In FreeIPA I authenticate my user with RADIUS, which in turn asks Privacyidea. Privacyidea uses LDAP from FreeIPA as my userstore (and can authenticate against it with the password only). pam_sss turns to FreeIPA for authentication and asks me for "First Factor" (aka password) and "Second Factor" (aka OTP).

> Does anyone have a working implementation of something similar?

Whether that works for your VPN needs to be checked. If you get only one prompt, try password+OTP.

Jochen