Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Petr Spacek

On 10.10.2014 10:32, Jan Pazdziora wrote:

On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:

On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

Thanks for the additional data. It starts to make sense now, but I'm 
wondering if that could possibly be a weakness
in the IdM model?


Well, define a weakness :-)

The whole IPA server is built around an LDAP database, so LDAP is a single point of
failure *for one particular* IPA server.

IPA offers a solution called replicas. You can have multiple IPA servers
with a (two-way) replicated LDAP database, so an outage on N-1 servers will not
affect your clients as long as the clients are able to fail over to the last
functional server.


The question is, what should happen when no LDAP server can be
used?

Should the forwarding suddenly kick in for all zones which will
cause completely different data to be served? Or should the DNS
server refuse to serve anything at that point (even the forwarding)
because it has no way to know what should be forwarded and what
not (I assume bind does not keep around a list of zones that were
LDAP-backed the last time LDAP worked).

There probably should be at least an option (if not default) for bind
to serve nothing if LDAP is not accessible.


In the past, named refused to start when LDAP was not available. Later it was 
flagged as a bug and the current behavior was implemented:

https://bugzilla.redhat.com/show_bug.cgi?id=662930

Feel free to open an RFE.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Jan Pazdziora
On Mon, Oct 13, 2014 at 01:02:38PM +0200, Petr Spacek wrote:
 
 There probably should be at least an option (if not default) for bind
 to serve nothing if LDAP is not accessible.
 
 In the past, named refused to start when LDAP was not available. Later it
 was flagged as a bug and the current behavior was implemented:
 https://bugzilla.redhat.com/show_bug.cgi?id=662930
 
 Feel free to open an RFE.

Done: https://fedorahosted.org/bind-dyndb-ldap/ticket/140

Thank you,

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
hi,

yet another certificate authority question.

We have a centos 6.5 ipa environment with two domain controllers
(kdc01, kdc02). The first one is the first replica and maintains the
crl (or so it should).

Recently our monitoring warned us that the web host certificate for
kdc01 was about to expire. And it auto-renewed this weekend, which was
great.

But if I go to the CRL URL (http://kdc01.domain.tld/ipa.crl ) all the
files I see are very old (the MasterCRL.bin file is dated 28 June
2013), and on the kdc02 it is newer (July 2 2013).

Am I looking at the wrong URLs? How can I check that the CRL is OK?

Thanks in advance for your tips.
--
Groeten,
natxo



Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Andreas Ladanyi
The old system from which I migrated the user/group accounts uses 
Kerberos' own DB, without LDAP, for the principals.


I could dump the master key:

kdb5_util dump filename K/M@REALM

Now I have a lot of numbers in the dump file. Which number belongs to 
which LDAP attribute in the (test) FreeIPA 389 LDAP system (Simon called 
it a throwaway system :-) )?


I don't know the data structure of Kerberos' own DB.

cheers,
Andy



Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Carlos Raúl Laguna
2014-10-09 18:12 GMT-04:00 Dmitri Pal d...@redhat.com:

  On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote:

 Hello everyone, for some time now I have been pretty much stalking the
 Samba project site, looking forward to forest trust, and it seems that they
 introduced new functions to support trust domains
 https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt I guess
 in future it will be possible.


 Yes, in future.


  Anyway, I am about to do a FreeIPA-Windows deployment and I was
 wondering if it will be possible in the future to migrate from Windows to Samba?


 Yes. This is the intent. At least to be able to replace AD with Samba DC
 in some cases. I am not sure how smooth the migration part will be.

  And also, which version of FreeIPA is most ready for deployment ?


 Now?
 In which distro?

 In RHEL please use what is in 7.0.
 If you use Fedora then at least 4.0. You might want to wait a couple of weeks
 and use 4.1 when it gets released.

  Thanks for your time and effort. Regards

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 Thanks for your reply. Will there be any way to use 4.1 in RHEL 7? Regards

[Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle

Happy Monday everyone...

Wondering if anyone else is seeing this error since this weekend? Trying 
to add in a new IPA replica, which of course requires the software 
installed -- this is in CentOS 7 using the COPR repo, and:


-- Finished Dependency Resolution
Error: Package: pki-base-10.2.0-3.el7.centos.noarch (ipa)
   Requires: jackson-jaxrs-json-provider

and yet, I have never had that issue until this weekend. :-(

Any help?
Janelle



Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
After further investigation it looks like the PKI base was 
altered/updated, because even on a running server a yum update produces the 
same error:


# yum check-update
Loaded plugins: fastestmirror, product-id, subscription-manager, versionlock
Loading mirror speeds from cached hostfile
 * base: linux.mirrors.es.net
 * extras: mirrors.usinternet.com
 * updates: centos.host-engine.com

pki-base.noarch      10.2.0-3.el7.centos   freeipa
pki-ca.noarch        10.2.0-3.el7.centos   freeipa
pki-server.noarch    10.2.0-3.el7.centos   freeipa
pki-tools.x86_64     10.2.0-3.el7.centos   freeipa
slapi-nis.x86_64     0.54-1.el7.centos     freeipa

and if you select yes:

--- Package pki-base.noarch 0:10.2.0-3.el7.centos will be an update
-- Processing Dependency: jackson-jaxrs-json-provider for package: 
pki-base-10.2.0-3.el7.centos.noarch

-- Finished Dependency Resolution
Error: Package: pki-base-10.2.0-3.el7.centos.noarch (freeipa)
   Requires: jackson-jaxrs-json-provider
 You could try using --skip-broken to work around the problem



On 10/13/14 9:18 AM, Janelle wrote:

Happy Monday everyone...

Wondering if anyone else is seeing this error since this weekend? 
Trying to add in a new IPA replica, which of course requires the 
software installed -- this is in CentOS 7 using COPR repo and :


-- Finished Dependency Resolution
Error: Package: pki-base-10.2.0-3.el7.centos.noarch (ipa)
   Requires: jackson-jaxrs-json-provider

and yet,  I have never had that issue until this weekend. :-(

Any help?
Janelle



Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
 But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
 files I see are very old (the MasterCRL.bin file is dated 28 june
 2013), and on the kdc02 it is newer (July 2 2013).

on 28 June 2013 I patched the kdc01:

Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686

and the kdc02  a few days later:

Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686

So that explains the dates, but why did it stop the publication of CRLs?

--
Groeten,
natxo



Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Rob Crittenden
Natxo Asenjo wrote:
 On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
 But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
 files I see are very old (the MasterCRL.bin file is dated 28 june
 2013), and on the kdc02 it is newer (July 2 2013).
 
 on 28 June 2013 I patched the kdc01:
 
 Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
 
 and the kdc02  a few days later:
 
 Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
 
 So that explains the dates, but why did it stop the publication of CRLs?
 

I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
what happened.

I'm guessing that both were deemed to not be the CRL generator so
generation was stopped on both.

See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
one of the masters to do the CRL generation.

rob



[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Орхан Касумов
Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
getent passwd/group returns no data from the IPA server, although ldapsearch 
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and 
didn't get errors anywhere; all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
FreeBSD client (on FreeBSD 10.0).
The IPA server is configured as written in the IPA Quick Start Guide; it has no 
integrated DNS server.
Both VMs have identical /etc/hosts file:

::1                    localhost
127.0.0.1         localhost
192.168.1.10   ipa1.mydomain.com ipa1
192.168.1.30   bsd1.mydomain.com bsd1

It seems like some instructions in the /etc/nsswitch.conf file, like group: files sss 
and passwd: files sss, have no effect.
Has anybody tried this setup? What could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Natxo Asenjo wrote:
 On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
 But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
 files I see are very old (the MasterCRL.bin file is dated 28 june
 2013), and on the kdc02 it is newer (July 2 2013).

 on 28 June 2013 I patched the kdc01:

 Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686

 and the kdc02  a few days later:

 Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686

 So that explains the dates, but why did it stop the publication of CRLs?


 I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
 what happened.

 I'm guessing that both were deemed to not be the CRL generator so
 generation was stopped on both.

 See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
 one of the masters to do the CRL generation.

I was just looking at that article and wondering if that would not be
the culprit.

I will post an update later.

Thanks!

--
Groeten,
natxo



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Jakub Hrozek
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
  Good day to everybody.
 There's a post on how to make a FreeBSD client work with a FreeIPA server:
 https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
 For some reason the instructions in that post don't lead to a working 
 solution.
 getent passwd/group returns no data from the IPA server, although ldapsearch 
 works fine.
 I followed the instructions exactly (+ configured ldap.conf & started sssd) 
 and didn't get errors anywhere; all steps completed successfully.
 My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
 FreeBSD client (on FreeBSD 10.0).
 The IPA server is configured as written in the IPA Quick Start Guide; it has no 
 integrated DNS server.
 Both VMs have identical /etc/hosts file:
 
 ::1                    localhost
 127.0.0.1         localhost
 192.168.1.10   ipa1.mydomain.com ipa1
 192.168.1.30   bsd1.mydomain.com bsd1
 
 It seems like some instructions in the /etc/nsswitch.conf file, like group: files 
 sss and passwd: files sss, have no effect.
 Has anybody tried this setup? What could be wrong with it?
 I can provide outputs of any commands if necessary.
 If I shouldn't have asked this question here, please advise me where to ask.
 Any hint on what to do will be highly appreciated!

Hi,

I think the SSSD logs would be the best start.

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


[Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Hello All,

I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris
clients hooked up to it. SSH and Sudo works on all clients.

I would like to replace the self-signed cert that is used on Port 389 and
636.

Is there a way to do this without re-installing the server and clients?

Thanks.

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Rob Crittenden
quest monger wrote:
 Hello All,
 
 I installed FreeIPA server on a CentOS host. I have 20+ Linux and
 Solaris clients hooked up to it. SSH and Sudo works on all clients.
 
 I would like to replace the self-signed cert that is used on Port 389
 and 636.
 
 Is there a way to do this without re-installing the server and clients?

Why do you want to do this?

rob



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I was told by my admin team that self-signed certs pose a security risk.


On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo works on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
   Is there a way to do this without re-installing the server and clients?

 Why do you want to do this?

 rob



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Lukas Slebodnik
On (13/10/14 20:33), Jakub Hrozek wrote:
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
  Good day to everybody.
 There's a post on how to make a FreeBSD client work with a FreeIPA server:
 https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
 For some reason the instructions in that post don't lead to a working 
 solution.
 getent passwd/group returns no data from the IPA server, although ldapsearch 
 works fine.
 I followed the instructions exactly (+ configured ldap.conf & started sssd) 
 and didn't get errors anywhere; all steps completed successfully.
 My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
 FreeBSD client (on FreeBSD 10.0).
 The IPA server is configured as written in the IPA Quick Start Guide; it has no 
 integrated DNS server.
 Both VMs have identical /etc/hosts file:
 
 ::1                    localhost
 127.0.0.1         localhost
 192.168.1.10   ipa1.mydomain.com ipa1
 192.168.1.30   bsd1.mydomain.com bsd1
 
 It seems like some instructions in the /etc/nsswitch.conf file, like group: files 
 sss and passwd: files sss, have no effect.
 Has anybody tried this setup? What could be wrong with it?
 I can provide outputs of any commands if necessary.
 If I shouldn't have asked this question here, please advise me where to ask.
 Any hint on what to do will be highly appreciated!

Hi,

I think the SSSD logs would be the best start.

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS


Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I found some documentation for getting a certificate signed by an external CA
(2.3.3.2. Using Different CA Configurations) -
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

But it looks like those instructions apply to a first-time fresh install, not
to upgrading an existing install.



On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
wrote:

 I was told by my admin team that self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo works on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the server and clients.

 Why do you want to do this?

 rob




Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
 On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Natxo Asenjo wrote:
 On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com 
 wrote:
 But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
 files I see are very old (the MasterCRL.bin file is dated 28 june
 2013), and on the kdc02 it is newer (July 2 2013).

 on 28 June 2013 I patched the kdc01:

 Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686

 and the kdc02  a few days later:

 Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686

 So that explains the dates, but why did it stop the publication of CRLs?


 I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
 what happened.

 I'm guessing that both were deemed to not be the CRL generator so
 generation was stopped on both.

 See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
 one of the masters to do the CRL generation.

 I was just looking at that article and wondering if that would not be
 the culprit.

 I will post and update later.


OK, so on the CRL generator (kdc01) I added this to CS.cfg:

ca.listenToCloneModifications=true

and rebooted,

and on the kdc02 (the second replica, not holding the CRL generator) I
removed the comment on the rewrite rule, restarted apache2, and now
when getting /ipa/crl/MasterCRL.bin clients get redirected to
https://kdc01.domain.tld/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL

And this CRL is up to date:

$ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout -lastupdate
lastUpdate=Oct 13 19:00:00 2014 GMT

$ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout -nextupdate
nextUpdate=Oct 13 23:00:00 2014 GMT

But if I get it from the CRL generator using /ipa/crl/MasterCRL.bin I
still get the old CRL dated June 28th last year.

Should I modify ipa-pki-proxy.conf on the CRL generator host as well,
to point to /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL?


--
Groeten,
natxo
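A monitoring-style freshness check for the CRL this thread is chasing, as an added example that is not code from the thread or from FreeIPA: it reads only the thisUpdate/nextUpdate fields of a DER CertificateList (RFC 5280 section 5.1) with the standard library, so it needs no extra packages, and flags a CRL whose nextUpdate has passed (kdc01's June 2013 file would have been caught a year earlier). The two sample CRLs are constructed inline with a placeholder signature; a real check should also verify the signature against the IPA CA certificate (for example with `openssl crl -CAfile`).

```python
import sys
from datetime import datetime, timezone


def _tlv(tag, body):
    """Minimal DER encoder (tag, definite length, body); used only to build the samples."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Minimal DER decoder: returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000   # RFC 5280 two-digit year rule
        text = "%04d%s" % (year, text[2:])
    elif tag != 0x18:
        raise ValueError("expected a Time element, got tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is the file DER rather than PEM?")
    tag, tbs, _ = _read_tlv(cert_list, 0)         # tbsCertList
    if tag != 0x30:
        raise ValueError("tbsCertList is not a SEQUENCE")
    tag, _, pos = _read_tlv(tbs, 0)                # version INTEGER (optional) or signature
    if tag == 0x02:
        _, _, pos = _read_tlv(tbs, pos)            # version was present: skip signature too
    _, _, pos = _read_tlv(tbs, pos)                # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)            # thisUpdate
    this_update = _parse_time(tag, val)
    next_update = None                             # nextUpdate is OPTIONAL in the ASN.1
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, val)
    return this_update, next_update


def check_crl(der, now):
    """Return (thisUpdate, nextUpdate, stale); no nextUpdate or a past one counts as stale."""
    this_update, next_update = crl_validity(der)
    stale = next_update is None or next_update < now
    return this_update, next_update, stale


def _sample_crl(this_update, next_update):
    """Constructed sample CRL: empty revocation list, placeholder (unverifiable) signature."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"Certificate Authority"))
    issuer = _tlv(0x30, _tlv(0x31, cn))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sha256_rsa + issuer
               + _tlv(0x17, this_update.encode()) + _tlv(0x17, next_update.encode()))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + b"\xaa" * 16))


# Constructed samples mirroring the thread: a CRL last issued on 28 June 2013 (what
# kdc01 still served) and a current one valid 13 Oct 2014 19:00-23:00 GMT (from the CA).
STALE_CRL = _sample_crl("130628190000Z", "130628230000Z")
FRESH_CRL = _sample_crl("141013190000Z", "141013230000Z")
NOW = datetime(2014, 10, 13, 20, 0, tzinfo=timezone.utc)   # fixed reference time

if __name__ == "__main__":
    if len(sys.argv) > 1:                          # e.g. a downloaded MasterCRL.bin
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        now = datetime.now(timezone.utc)
    else:
        data, now = STALE_CRL, NOW
    this_update, next_update, stale = check_crl(data, now)
    print("thisUpdate=%s nextUpdate=%s %s" % (this_update, next_update,
                                              "STALE" if stale else "current"))
```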



Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Simo Sorce
On Mon, 13 Oct 2014 17:30:58 +0200
Andreas Ladanyi andreas.lada...@kit.edu wrote:

 The old system from which I migrated the user/group accounts uses
 Kerberos' own DB, without LDAP, for the principals.
 
 I could dump the master key:
 
 kdb5_util dump filename K/M@REALM
 
 Now I have a lot of numbers in the dump file. Which number belongs to 
 which LDAP attribute in the (test) FreeIPA 389 LDAP system (Simon
 called it a throwaway system :-) )?
 
 I don't know the data structure of Kerberos' own DB.

And you shouldn't really care, you should use the kdb5 utils to load
back the dumped DB, provided you first create all users and hosts and
services via the freeipa tools.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Dmitri Pal

On 10/12/2014 08:07 PM, James wrote:

On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:

Hi again,

I was wondering if there were any suggestions for performance of IPA and
settings to sysctl and maybe limits.conf? I tried the website, but did not
see anything.  Have about 3000 servers that will be talking to 3-4
masters/replicas. Are there any formulas to follow?

thanks


If you get an answer to this, or if you know of any other performance
tuning params, let me know and I'll build it in to puppet-ipa.

Thanks,
James


I do not think it is easily automatable.
Please see http://www.freeipa.org/page/Deployment_Recommendations and the 
part about replicas.
If 3000 are in one datacenter then 3 is good enough, or 4 if you are very 
LDAP heavy (some applications are, like Jira for example).

If you have 2 data centers I would go for 2+2.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Dmitri Pal

On 10/13/2014 11:40 AM, Carlos Raúl Laguna wrote:



2014-10-09 18:12 GMT-04:00 Dmitri Pal d...@redhat.com 
mailto:d...@redhat.com:


On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote:

Hello everyone, for some time now I have been pretty much
stalking the Samba project site, looking forward to forest trust,
and it seems that they introduced new functions to support trust
domains
https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt I
guess in future it will be possible.



Yes, in future.



Anyway, I am about to do a FreeIPA-Windows deployment and I was
wondering if it will be possible in the future to migrate from Windows
to Samba?


Yes. This is the intent. At least to be able to replace AD with
Samba DC in some cases. I am not sure how smooth the migration
part will be.


And also, which version of FreeIPA is most ready for deployment ?


Now?
In which distro?

In RHEL please use what is in 7.0.
If you use Fedora then at least 4.0. You might want to wait a couple of
weeks and use 4.1 when it gets released.


Thanks for your time and effort. Regards


-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Thanks for your reply. Will there be any way to use 4.1 in RHEL 7? Regards



We plan to bring 4.1 into RHEL7.x.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
one on port 636 (LDAPS). These certs don't have a trust chain, hence I
called them self-signed.
We have a contract with a third-party CA that issues TLS certs for us. I
was asked to find a way to replace those 2 self-signed certs with certs
from this third-party CA.
I was wondering if there was a way I could do that.

I found this -
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I am currently running 3.0.0.



On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

  On 10/13/2014 03:39 PM, quest monger wrote:

 I found some documentation for getting certificate signed by external CA
 (2.3.3.2. Using Different CA Configurations) -
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

  But looks like those instructions apply to a first time fresh install,
 not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
 wrote:

 I was told by my admin team that Self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

  quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo works on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the server and clients.

  Why do you want to do this?

 rob






 Do I get it right that you installed IPA using a self-signed certificate and
 now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less install or
 a self-signed CA?
 The tools to change the chaining are only being released in 4.1, so you
 might have to move to the latest when we release 4.1 for CentOS.


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread William Graboyes
Hi there,

My understanding is the only way to install a third party cert is to 
start from scratch.  The part that is unclear to me is if there is a 
method of exporting the data prior to, and importing the data after the 
fresh instance of freeipa has been installed.  I assume that one would 
also have to re-install all clients utilizing freeipa.

Thanks,
Bill

On Mon Oct 13 15:45:05 2014, quest monger wrote:
 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
 one on port 636 (LDAPS). These certs don't have a trust chain, hence I
 called them self-signed.
 We have a contract with a third-party CA that issues TLS certs for us. I
 was asked to find a way to replace those 2 self-signed certs with certs
 from this third-party CA.
 I was wondering if there was a way I could do that.

 I found this -
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 I am currently running 3.0.0.



 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

  On 10/13/2014 03:39 PM, quest monger wrote:

 I found some documentation for getting certificate signed by external CA
 (2.3.3.2. Using Different CA Configurations) -
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

  But looks like those instructions apply to a first time fresh install,
 not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
 wrote:

 I was told by my admin team that Self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

  quest monger wrote:
 Hello All,

 I installed FreeIPA server on a CentOS host. I have 20+ Linux and
 Solaris clients hooked up to it. SSH and Sudo works on all clients.

 I would like to replace the self-signed cert that is used on Port 389
 and 636.

 Is there a way to do this without re-installing the server and clients.

  Why do you want to do this?

 rob

 Do I get it right that you installed IPA using a self-signed certificate and
 now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less install or
 a self-signed CA?
 The tools to change the chaining are only being released in 4.1, so you
 might have to move to the latest when we release 4.1 for CentOS.


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread James
On 13 October 2014 18:18, Dmitri Pal d...@redhat.com wrote:
 On 10/12/2014 08:07 PM, James wrote:

 On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:

 Hi again,

 I was wondering if there were any suggestions for performance of IPA and
 settings to sysctl and maybe limits.conf? I tried the website, but did
 not
 see anything.  Have about 3000 servers that will be talking to 3-4
 masters/replicas. Are there any formulas to follow?

 thanks


 If you get an answer to this, or if you know of any other performance
 tuning params, let me know and I'll build it in to puppet-ipa.

 Thanks,
 James

 I do not think it is easy automatable.
You underestimate me ;)

 Please see http://www.freeipa.org/page/Deployment_Recommendations and the part
 about replicas.
 If 3000 in one datacenter then 3 is good enough, or 4 if you are very LDAP
 heavy (some applications are, like Jira for example).
 If you have 2 data centers I would go for 2+2.

OP (and I) were also curious whether there are any machine-specific
optimizations to add, e.g. sysctl, /proc tuning, etc.

Anything out there?



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Dmitri Pal

On 10/13/2014 06:45 PM, quest monger wrote:

I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) 
and one on port 636 (LDAPS). These certs don't have a trust chain, 
hence I called them self-signed.
We have a contract with a third party CA that issues TLS certs for us. 
I was asked to find a way to replace those 2 self-signed certs with 
certs from this third party CA.

I was wondering if there was a way I could do that.

I found this - 
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP


I am currently running 3.0.0.




AFAIU the biggest issue will be with the clients.
I suspect that they might be quite confused if you just drop in the 
certs from the 3rd party.

If you noticed, the page has the following line:
"The certificate in mysite.crt must be signed by the CA used when 
installing FreeIPA." I think it should say "by external CA" to be clear.
It is not the case in your situation. If it were the situation, the CA 
would have been already in the trust chain on the clients and the procedure 
would have worked, but I do not think it would work now.
You would need to use the cert chaining tool that was built in 4.1 
when 4.1 gets released on CentOS.






On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com 
mailto:d...@redhat.com wrote:


On 10/13/2014 03:39 PM, quest monger wrote:

I found some documentation for getting a certificate signed by an
external CA (2.3.3.2. Using Different CA Configurations) -

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


But it looks like those instructions apply to a first time fresh
install, not for upgrading an existing install.



On Mon, Oct 13, 2014 at 3:24 PM, quest monger
quest.mon...@gmail.com mailto:quest.mon...@gmail.com wrote:

I was told by my admin team that self-signed certs pose a
security risk.







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Dmitri Pal

On 10/13/2014 06:58 PM, James wrote:

OP (and myself) were also curious on if there were any machine
specific optimizations to add? Eg: sysctl, /proc tuning, etc...

Anything out there?

Not to the best of my knowledge.
I mean DS has a lot of knobs, but they need tuning only in the case of huge 
databases.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Makes sense.
I will still try out that cert add command in my test environment, just to
see if it works.
Looks like for now, the 4.1 upgrade is my best option.





Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Janelle

Hi again,

A lot of this information has been very useful.  I did have a question I 
could not answer. I noticed in the Deployment Recommendations docs, it 
says not to have any more than 4 replication agreements. Perhaps I am 
missing something, but I don't see how to get a replica to be a master 
to be able to create another replica?  Am I missing something obvious 
here?


Thank you,
~Janelle





Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Fraser Tweedale
On Mon, Oct 13, 2014 at 09:52:40AM -0700, Janelle wrote:
 After further investigation - it looks like the PKI base was altered/updated
 because even on a running server a yum update produces the same error:
 
 # yum check-update
 Loaded plugins: fastestmirror, product-id, subscription-manager, versionlock
 Loading mirror speeds from cached hostfile
  * base: linux.mirrors.es.net
  * extras: mirrors.usinternet.com
  * updates: centos.host-engine.com
 
 pki-base.noarch      10.2.0-3.el7.centos    freeipa
 pki-ca.noarch        10.2.0-3.el7.centos    freeipa
 pki-server.noarch    10.2.0-3.el7.centos    freeipa
 pki-tools.x86_64     10.2.0-3.el7.centos    freeipa
 slapi-nis.x86_64     0.54-1.el7.centos      freeipa
 
 and: if you select yes:
 
 ---> Package pki-base.noarch 0:10.2.0-3.el7.centos will be an update
 --> Processing Dependency: jackson-jaxrs-json-provider for package:
 pki-base-10.2.0-3.el7.centos.noarch
 --> Finished Dependency Resolution
 Error: Package: pki-base-10.2.0-3.el7.centos.noarch (freeipa)
            Requires: jackson-jaxrs-json-provider
  You could try using --skip-broken to work around the problem
 
Hi Janelle,

Looks like the COPR moved from Dogtag 10.1 to 10.2 on 8 Oct, and
10.2 declares a dependency on Jackson which is not in EPEL.  The
dependency causing the problem (jackson-jaxrs-json-provider) was
introduced at commit 32d71bb.  I'm not sure on the right approach to
fixing this but I've copied pki-devel who will be able to help.

Fraser

 
 
 On 10/13/14 9:18 AM, Janelle wrote:
 Happy Monday everyone...
 
 Wondering if anyone else is seeing this error since this weekend? Trying
 to add in a new IPA replica, which of course requires the software
 installed -- this is in CentOS 7 using COPR repo and :
 
 --> Finished Dependency Resolution
 Error: Package: pki-base-10.2.0-3.el7.centos.noarch (ipa)
            Requires: jackson-jaxrs-json-provider
 
 and yet,  I have never had that issue until this weekend. :-(
 
 Any help?
 Janelle
 



Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle

Actually, I did find a fix and forgot to post.

I was able to mirror the COPR repo, and after reviewing it, found that 
simply removing the pki-base...fc21 directory, and regenning the repo 
data with createrepo, fixed the problem. It drops the version of PKI 
back to the 10.1 branch and that resolved the dependencies.


Hope this helps,
Janelle



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Orkhan Gasimov

Thanks to both of you for the interest.
Here's the info you asked for:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of 
the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log 
file located at /var/log/sssd/sssd.log is only populated with data when 
I make some errors in sssd.conf & the sssd process fails to start. But 
that's the case only if I deliberately introduce some errors; with the 
current configuration sssd starts successfully.


2. My original sssd.conf (without debugs) is as follows (exact copy of 
what was shown in the post at FreeBSD forums):


-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
-

Interestingly enough the [nss] section is empty, just as shown in the 
post at FreeBSD forums.


3. The users created at the IPA server can't locally log in to the 
server, but it's possible to ssh to the server as an IPA user from the 
FreeBSD host. However, there are some interesting behaviors (again, this 
is what happens when just following the IPA Quick Start Guide for the 
server side & the post from FreeBSD forums for the client side):

 - home directories are not automatically created on the IPA server;
 - id command output shows the correct uid, but the group of any IPA user 
doesn't show as ipausers - instead, the group name is the same as the 
username, + something like 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.


4. Here is the list of snapshots taken from my FreeBSD VM when I 
installed necessary ports, maybe these snapshots will provide some 
additional info on sssd behavior:


clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:  
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
Getent passwd/group return no data from the IPA server, although ldapsearch 
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and 
didn't get errors anywhere, all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
FreeBSD client (on FreeBSD 10.0).
The IPA server is configured as written in the IPA Quick Start Guide, it has no 
integrated DNS server.
Both VMs have an identical /etc/hosts file:

::1            localhost
127.0.0.1      localhost
192.168.1.10   ipa1.mydomain.com ipa1
192.168.1.30   bsd1.mydomain.com bsd1

It seems like some entries in the /etc/nsswitch.conf file, like "group: files sss" and 
"passwd: files sss", have no effect.
Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start.

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS
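Added example, not code from the thread or from SSSD: a small checker for the sssd.conf posted above that applies the replies' advice (debug_level in [domain/...] and [nss]) and one extra sanity check, every domain named in [sssd] having its [domain/...] section, plus a warning for values carrying an inline '#'. It assumes that sssd.conf does not strip a mid-line '#' as a comment (an assumption to verify against sssd.conf(5), not a claim from the thread), and the config text is a constructed copy of the one in the message with blank lines between sections dropped.

```python
import configparser
import io

# Constructed copy of the sssd.conf posted in this message (not read from disk).
SAMPLE_SSSD_CONF = """\
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups
[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[sudo]
"""

def parse_sssd_conf(text):
    # Default inline_comment_prefixes=None keeps a mid-line '#' in the value.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_sssd_conf(cfg):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    domains = _split_list(cfg.get("sssd", "domains", fallback=""))
    for dom in domains:
        if not cfg.has_section("domain/" + dom):
            findings.append("domain %r has no [domain/%s] section" % (dom, dom))
    # Advice from the replies: debug_level in [domain/...] and in [nss].
    for sect in ["domain/" + dom for dom in domains] + ["nss"]:
        if cfg.has_section(sect) and not cfg.has_option(sect, "debug_level"):
            findings.append("no debug_level in [%s]" % sect)
    # Assumption: a mid-line '#' stays part of the value (so ipa_server here
    # would not compare equal to '_srv_'); flag such values for a manual look.
    for sect in cfg.sections():
        for key, val in cfg.items(sect):
            if "#" in val:
                findings.append("inline '#' in [%s] %s = %r" % (sect, key, val))
    return findings

def with_debug_level(text, level=7):
    """Add debug_level to every [domain/...] section and to [nss] where missing."""
    cfg = parse_sssd_conf(text)
    for sect in cfg.sections():
        if sect == "nss" or sect.startswith("domain/"):
            if not cfg.has_option(sect, "debug_level"):
                cfg.set(sect, "debug_level", str(level))
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()
```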


