Re: [Freeipa-users] PKI signing certificate question

2016-07-27 Thread Anthony Clark
I personally haven't done this, but from https://www.freeipa.org/page/PKI

"when --external-ca option is used, ipa-server-install produces a
certificate request for its CA certificate so that it can be
properly chained in existing PKI infrastructure."

and from
https://www.redhat.com/archives/freeipa-users/2014-January/msg00057.html

"First run ipa-server-install with --external-ca, which will create a CSR
for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the
external CA to get the IPA CA certificate. Finally, run ipa-server-install
with --external_cert_file pointing to the IPA CA certificate and
--external_ca_file pointing to CA certificate of the external CA."

From that previous paragraph, it looks like the --external-ca option
doesn't actually install anything; it just creates the correct CSR for the
domain you intend to create.

If you can create a temporary CentOS virtual machine you could run the
"ipa-server-install --external-ca" command and see what happens :)

Hope this helps,

Anthony Clark

On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <william.murii...@gmail.com> wrote:

> Hello
>
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
>
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com.  I can't specifically set the FreeIPA on
> example.com because we have active directory on corp.example.com
>
> Is there a way for using FreeIPA with such a setup?  I am hoping that
> if I can setup FreeIPA using example.com, I can be able to generate
> certificates for both Windows and Linux plus other like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
>
> What's the best way to approach this?  If not possible, would setting
> FreeIPA as a sub domain for active directory help?
>
> Regards,
>
> William
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
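The two-step --external-ca flow quoted above (CSR out, signed CA certificate back in) has one check worth doing before the second ipa-server-install run: the certificate the external CA returns must chain to the external CA's own certificate and must itself be a CA certificate. The script below is an added example, not from this thread or from the FreeIPA project. It rehearses the exchange offline with openssl: a constructed "Example Corp Root CA" stands in for the external CA, a constructed request stands in for /root/ipa.csr, and check_ipa_ca_cert accepts a certificate only if it verifies against the external CA file and carries basicConstraints CA:TRUE. The second, "wrong" certificate shows the common failure mode, where the external CA signs the request as an ordinary server certificate and the result is useless as an IPA CA certificate.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): rehearse the --external-ca
# exchange offline with openssl and check the signed certificate before it is
# handed back to ipa-server-install. All names, subjects and files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A stand-in for the external (corporate) CA: constructed, self-signed root.
cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
prompt = no
[dn]
O = Example Corp
CN = Example Corp Root CA
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/root.cnf" \
  -keyout "$WORK/external-ca.key" -out "$WORK/external-ca.crt" 2>/dev/null

# 2. A stand-in for /root/ipa.csr, the request the first
#    "ipa-server-install --external-ca" run writes (subject constructed here).
cat > "$WORK/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = ENG.EXAMPLE.COM
CN = Certificate Authority
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
  -keyout "$WORK/ipa-ca.key" -out "$WORK/ipa.csr" 2>/dev/null

# 3a. The external CA signs it as a subordinate CA: CA:TRUE plus keyCertSign.
cat > "$WORK/subca-ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF
openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/external-ca.crt" \
  -CAkey "$WORK/external-ca.key" -CAcreateserial -days 1825 \
  -extfile "$WORK/subca-ext.cnf" -out "$WORK/ipa-ca.crt" 2>/dev/null

# 3b. The failure mode: the same CSR signed without any CA extensions, as if
#     the external CA had processed it like a server certificate request.
openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/external-ca.crt" \
  -CAkey "$WORK/external-ca.key" -CAcreateserial -days 1825 \
  -out "$WORK/ipa-ca-wrong.crt" 2>/dev/null

# check_ipa_ca_cert CERT CAFILE: exit 0 only if CERT verifies against CAFILE
# and is marked as a CA (basicConstraints CA:TRUE); otherwise exit 1.
check_ipa_ca_cert() {
  cert=$1
  cafile=$2
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  return 0
}

for c in ipa-ca.crt ipa-ca-wrong.crt; do
  if check_ipa_ca_cert "$WORK/$c" "$WORK/external-ca.crt"; then
    echo "$c: acceptable as the IPA CA certificate"
  else
    echo "$c: rejected (does not chain to the external CA, or is not CA:TRUE)"
  fi
done
```

On a real deployment the same two openssl commands are run against the file the external CA returned and its CA certificate, the files that would then be passed as the certificate and CA arguments of the second ipa-server-install run.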

[Freeipa-users] PKI signing certificate question

2016-07-27 Thread William Muriithi
Hello

I want to use an external certificate when setting up a new FreeIPA
next week and plan to send the CSR tomorrow.

I would like to source a certificate for example.com and use it on
FreeIPA on eng.example.com.  I can't specifically set the FreeIPA on
example.com because we have active directory on corp.example.com

Is there a way for using FreeIPA with such a setup?  I am hoping that
if I can setup FreeIPA using example.com, I can be able to generate
certificates for both Windows and Linux plus other like
vpn.example.com that don't sit well on either AD or FreeIPA domain.

What's the best way to approach this?  If not possible, would setting
FreeIPA as a sub domain for active directory help?

Regards,

William



[Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-27 Thread Rakesh Rajasekharan
Hi,

I am running ipa server 4.2 and set it up without using "--setup-dns=no".

On few clients the installation fails with the below error message.


I verified that the ipa master dns is resolvable. Not sure what could be
wrong here.


Joining realm failed: libcurl failed to execute the HTTP POST transaction,
explaining:  Could not resolve host: ipa-master-in.xyz.com; Unknown error

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
Installation failed. Force set so not rolling back changes.


I tried removing /etc/ipa/ca.crt and deleting any older certificates:
"certutil -D -n 'IPA CA' -d /etc/pki/nssdb"

However, no luck yet.

Any suggestions on how I can debug this?

Thanks
Rakesh

[Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with

2016-07-27 Thread Kimery, Roger
Hello,


We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)


Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com


Below is output from ipa trustdomain-find

Realm name: ROOTTEST1.COM
  Domain name: deluxetest1.com
  Domain NetBIOS name: DELUXETEST1
  Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
  Domain enabled: True

  Domain name: roottest1.com
  Domain NetBIOS name: ROOTTEST1
  Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
  Domain enabled: True

Number of entries returned 2


Users from roottest1.com domain work fine but users from deluxetest1.com domain
cannot authenticate. As root you can su to users from both domains and run id
with the expected output. Below is output from running id for a user in each
domain:

id t4431...@roottest1.com
uid=908601177(t4431...@roottest1.com) gid=908601177(t4431...@roottest1.com) groups=908601177(t4431...@roottest1.com),908601174(hbac-on-root-glo...@roottest1.com),908601175(lsar-on-root-glo...@roottest1.com),908600513(domain us...@roottest1.com),111487(hbac-on-root-global),111486(lsar-on-root-global)

id t443...@deluxetest1.com
uid=959201836(t443...@deluxetest1.com) gid=959201836(t443...@deluxetest1.com) groups=959201836(t443...@deluxetest1.com),908601174(hbac-on-root-glo...@roottest1.com),908601175(lsar-on-root-glo...@roottest1.com),959202271(hbac-on-glo...@deluxetest1.com),959202270(lsar-on-glo...@deluxetest1.com),959200512(domain adm...@deluxetest1.com),959200513(domain us...@deluxetest1.com),111487(hbac-on-root-global),111486(lsar-on-root-global),1114800010(lsar-on-global),111489(hbac-on-global)

I have tried to make the groups in AD universal groups and have the groups from 
deluxetest1 as members to the related groups in roottest1 with no change in the 
results. These groups can be seen in the output above.

Is there a way to get users from deluxetest1.com domain to function with the 
same results as users from roottest1.com?

Please let me know what other information you need.

Thanks!



Roger Kimery

Tech. Solutions Integration Engineer

Deluxe Rewards

44747 Helm Ct Plymouth, Mi. 48170

877-706-4321 ext 314912


Re: [Freeipa-users] AD cross-realm

2016-07-27 Thread Martin Babinsky

On 07/27/2016 11:35 AM, Abu Haris wrote:

sir/madame,

I am in great trouble in choosing FreeIPA for identity management. I
want to know more about AD cross-realm trust and how it works.

--
A.H



Hi Abu,

there is quite an extensive upstream documentation of IPA-AD trust 
workings and setup. You can start by looking at 
http://www.freeipa.org/page/Trusts


--
Martin^3 Babinsky



[Freeipa-users] AD cross-realm

2016-07-27 Thread Abu Haris
sir/madame,

I am in great trouble in choosing FreeIPA for identity management. I want
to know more about AD cross-realm trust and how it works.

-- 
A.H

Re: [Freeipa-users] Problems with web console in IPA

2016-07-27 Thread Alexander Bokovoy

On Wed, 27 Jul 2016, Baird, Josh wrote:

Hi,

We are running the most recent IPA packages in RHEL7 and are facing a
few issues when accessing the web console:

First, since we utilize a Kerberos trust with AD, we had to create
'internal' IPA users that we use to login to the web console.  I
believe it is expected that AD users cannot login to the web console,
but this may be coming in a future version?

Correct. Not supported right now.



Secondly, when we browse to the web console from a Windows system that
is joined to our AD domain, we first see a 'basic auth' popup that asks
us for our user credentials.  No username or password is accepted here.
If we hit 'Escape' the normal IPA forms-based authentication appears.
We are able to login via this form.  What is causing the 'basic auth'
popup?

In short -- bugs in your browser, specifically in Chrome. Chrome is
pretty bad in its handling of the Negotiate authentication response: it
assumes too much and doesn't use the proper negotiation flow.

mod_auth_gssapi has some way to handle it other than completely
disabling Negotiate header but it is still not a fully solved problem.
https://github.com/modauthgssapi/mod_auth_gssapi/pull/65 has more
details.


Lastly, we are not able to login *unless* we use Chrome's 'incognito
mode.'  If we browse to the web console in a normal browser, we first
have to escape out of the 'basic-auth' window, but after we input our
username/password into the form, another 'basic-auth' window pops up.
If we escape out of this, the forms based login now displays 'Your
session has expired.  Please re-login.'  Because of this, we *have* to
use Chrome's incognito function.

That's a Chrome bug when Negotiate fails but is still offered by the server.

--
/ Alexander Bokovoy



Re: [Freeipa-users] AD Sync and groups

2016-07-27 Thread Alexander Bokovoy

On Wed, 27 Jul 2016, malo wrote:

Hi,

Thank you for your reply, it really is much clearer to me now.

I think I get why SSSD offline authentication would help to solve "AD 
unreachable" issue.


If I understood well, the SSSD on the IPA master would cache 
credentials, allowing the user to log in (as in the kinit meaning) 
even if the AD is unreachable ?

On each IPA client, including the IPA master. You always log in to a
specific host, and SSSD always tries to reach the server that gives the
authentication response (AD DCs, in the case of AD users). If it cannot
reach that server, offline authentication is considered.

At last, I did not quite understand how the KDC proxy would help to 
prevent network related issues.


To me it is just a way to allow users with restrictive firewall rules
to authenticate and request tickets, if I understood well (from this
doc https://www.freeipa.org/page/V4/KDC_Proxy)

Right.

--
/ Alexander Bokovoy

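The two mechanisms Alexander confirms above, SSSD offline authentication and the KDC proxy, each come down to one client-side setting, and both are easy to audit. The script below is an added example, not from this thread, SSSD or FreeIPA: it reads constructed sssd.conf and krb5.conf samples and reports, per SSSD domain, whether cached (offline) authentication is on, and per Kerberos realm, whether the KDC is reached through a KDC proxy. Assumptions: cache_credentials in the [domain/...] section is SSSD's switch for cached authentication and defaults to False; a kdc (and kpasswd_server) entry of the form https://host/KdcProxy in the [realms] section of krb5.conf sends the client's Kerberos traffic to the KDC proxy over HTTPS, the layout the FreeIPA KDC_Proxy page describes; all host, realm and domain names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA): report, per SSSD domain,
# whether cached (offline) authentication is enabled, and per Kerberos realm,
# whether the KDC is reached through a KDC proxy (an https:// kdc entry).
# The config samples below are constructed; the real files are
# /etc/sssd/sssd.conf and /etc/krb5.conf.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak setting: cache_credentials left at its default (False), so a DC outage
# blocks logins for AD users on this host.
cat > "$WORK/sssd-weak.conf" <<'EOF'
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.ipa.example.com
cache_credentials = False
EOF

# Corrected setting: credentials are cached, so a user who has logged in
# before can still authenticate while AD (or IPA) is unreachable.
cat > "$WORK/sssd-fixed.conf" <<'EOF'
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.ipa.example.com
cache_credentials = True
EOF

# krb5.conf: the IPA realm goes through the KDC proxy on the IPA server over
# HTTPS (443 only); the AD realm still needs direct port 88 access to a DC.
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = IPA.EXAMPLE.COM

[realms]
 IPA.EXAMPLE.COM = {
  kdc = https://ipa1.ipa.example.com/KdcProxy
  kpasswd_server = https://ipa1.ipa.example.com/KdcProxy
 }
 AD.EXAMPLE.COM = {
  kdc = dc1.ad.example.com
 }
EOF

# sssd_offline_auth FILE: prints "domain NAME offline_auth=True|False" for each
# [domain/NAME] section; a missing cache_credentials key counts as False.
sssd_offline_auth() {
  awk '
    function emit() { if (dom != "") print "domain " dom " offline_auth=" val }
    /^\[domain\// { emit(); dom = substr($0, 9, length($0) - 9); val = "False"; next }
    /^\[/         { emit(); dom = ""; next }
    dom != "" && /^[ \t]*cache_credentials[ \t]*=/ {
      split($0, kv, "="); v = kv[2]; gsub(/[ \t]/, "", v)
      val = (tolower(v) == "true") ? "True" : "False"
    }
    END { emit() }
  ' "$1"
}

# krb5_kdc_proxy FILE: prints "realm NAME kdc_proxy=yes|no" for each realm in
# [realms]; yes when at least one kdc entry is an https:// URL.
krb5_kdc_proxy() {
  awk '
    /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
    in_realms && /=[ \t]*\{/ { realm = $1; proxy = "no"; next }
    in_realms && /^[ \t]*kdc[ \t]*=[ \t]*https:\/\// { proxy = "yes" }
    in_realms && /^[ \t]*\}/ { print "realm " realm " kdc_proxy=" proxy }
  ' "$1"
}

sssd_offline_auth "$WORK/sssd-weak.conf"
sssd_offline_auth "$WORK/sssd-fixed.conf"
krb5_kdc_proxy "$WORK/krb5.conf"
```

Pointed at the real files, the two functions give a quick per-host answer to the two questions in this thread: will AD users still get in when their DC is unreachable, and does this client need port 88 open to anything but the IPA server.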


Re: [Freeipa-users] AD Sync and groups

2016-07-27 Thread malo

Hi,

Thank you for your reply, it really is much clearer to me now.

I think I get why SSSD offline authentication would help to solve "AD 
unreachable" issue.


If I understood well, the SSSD on the IPA master would cache 
credentials, allowing the user to log in (as in the kinit meaning) even 
if the AD is unreachable ?


At last, I did not quite understand how the KDC proxy would help to 
prevent network related issues.


To me it is just a way to allow users with restrictive firewall rules to
authenticate and request tickets, if I understood well (from this doc
https://www.freeipa.org/page/V4/KDC_Proxy)


Thanks again for your help,

Nathan

On 07/26/2016 10:30 AM, Alexander Bokovoy wrote:

On Tue, 26 Jul 2016, malo wrote:

Hello,

I am currently setting up an architecture involving FreeIPA to 
provide SSO for SSH to the servers.
I have several servers (~1500) in a few datacenters all over the 
world (North America, South America, Europe, Asia).
The idea here was to have 4 masters/replicas per datacenter, with one 
master/replica involved in a winsync replication process with our AD. 
Thus, we would not suffer network outages, slow downs or timeouts 
because each FreeIPA server would have a closer database of users 
instead of querying a long distance AD.


I've managed to setup successfully the winsync replication (after 
having trouble with replication rights).  I then turned on group 
replication :


ldapmodify -x -D "cn=directory manager" -w PASS

dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: true


I re-initialized the replication but I have no groups.
I did a little digging and came on this : 
https://bugzilla.redhat.com/show_bug.cgi?id=1002414

Very unfortunate for me but a few things bother me.

It says "reenable" in the RFE and I also found this documentation : 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html


There is a difference between 389-ds winsync and FreeIPA winsync. The
latter is a simplified version that doesn't see development anymore and
is not supporting group sync because groups on IPA side are sufficiently
different from AD groups while generic 389-ds winsync plugin is not
tuned to IPA DIT.

It clearly specifies how to sync groups, which I enabled, but
nothing happens for me.

So, my questions would be :
- Is winsync group sync still enabled ?
- If not, why and when has it been disabled ?
- Is there any way I could reenable it, by digging into the code ?

Group sync seems a really MUST HAVE as a feature for the winsync, 
since flat hierarchy is not really useful, imho.

IPA uses flat hierarchy and has no support for non-flat DIT.

I can't consider an AD Trust architecture; it would be too dangerous
since the network connectivity of the AD is not safe enough. I could
not risk blocking SSH access on my servers because of network lag.


Has anyone been in a similar situation ? Have you implemented AD
trust or winsync replication at such a large scale ?

I cannot tell about actual deployments but there are plenty of deployments
with trust to AD in multiple data centers.

If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
authentication via IPA servers to AD DCs and also can do offline
authentication in SSSD.




[Freeipa-users] Problems with web console in IPA

2016-07-27 Thread Baird, Josh
Hi,

We are running the most recent IPA packages in RHEL7 and are facing a few 
issues when accessing the web console:

First, since we utilize a Kerberos trust with AD, we had to create 'internal' 
IPA users that we use to login to the web console.  I believe it is expected 
that AD users cannot login to the web console, but this may be coming in a 
future version?

Secondly, when we browse to the web console from a Windows system that is 
joined to our AD domain, we first see a 'basic auth' popup that asks us for our 
user credentials.  No username or password is accepted here.  If we hit 
'Escape' the normal IPA forms-based authentication appears.  We are able to 
login via this form.  What is causing the 'basic auth' popup?

Lastly, we are not able to login *unless* we use Chrome's 'incognito mode.'  If 
we browse to the web console in a normal browser, we first have to escape out 
of the 'basic-auth' window, but after we input our username/password into the 
form, another 'basic-auth' window pops up.  If we escape out of this, the forms 
based login now displays 'Your session has expired.  Please re-login.'  Because 
of this, we *have* to use Chrome's incognito function.

Can anyone offer some suggestions or advice for these problems?

Thanks,

Josh

