Renewal of External Third Party SSL Cert
by Alka Murali
Hello,
I am using the embedded CA for FreeIPA as well as an external CA certificate signed by
DigiCert. However, the certificate will be expiring next month.
After renewal, do I need to install the certificate again using the same
steps mentioned within the link
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Similarly, how will I be able to update the new certificate on my IPA
clients too? Do I need to follow the steps below on all IPA clients?
-----
certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
cp ipa.crt /etc/ipa/ca.crt
-------
Can you please briefly outline the exact procedure to follow for the third-party
SSL cert renewal?
Thanks and Regards,
Alka Murali
6 years, 5 months
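An added check, not from the original post or the FreeIPA project, of the kind a practitioner runs before and after swapping a third-party server certificate: it reports how many days a certificate has left and whether it verifies against a given CA bundle. The client-side steps quoted in the post import a CA, not the server certificate, so they only need repeating if the issuing chain changed; running the chain check against the bundle a client already holds answers that directly. The default bundle path /etc/ipa/ca.crt is taken from the post, the hostname ipa.example.test in the constructed self-signed test certificate is made up, and the script needs openssl and GNU date.

```sh
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Reports a server certificate's remaining lifetime and whether it chains to a
# CA bundle (default /etc/ipa/ca.crt, the file named in the post).
# Requires openssl and GNU date.

# days_left CERT.pem -> whole days until notAfter (negative once expired)
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -u -d "$end" +%s)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# chains_to CERT.pem CA_BUNDLE.pem -> exit 0 if CERT verifies against the bundle
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# served_cert HOST PORT OUT.pem -> save the leaf certificate a live server
# presents (network access; not exercised by the offline demonstration)
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# make_test_cert DIR DAYS -> constructed self-signed certificate for offline use
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=ipa.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    echo "$1/cert.pem"
}

# report CERT.pem [CA_BUNDLE.pem] [WARN_DAYS] -> one-line verdict; exit status 0
# only when the cert has more than WARN_DAYS left and chains to the bundle
report() {
    cert=$1; bundle=${2:-/etc/ipa/ca.crt}; warn=${3:-30}
    left=$(days_left "$cert")
    if chains_to "$cert" "$bundle"; then chain=ok; else chain=BROKEN; fi
    echo "$cert: $left days left, chain to $bundle: $chain"
    [ "$left" -gt "$warn" ] && [ "$chain" = ok ]
}

# Offline demonstration on the constructed certificate (it is its own anchor)
tmp=$(mktemp -d)
cert=$(make_test_cert "$tmp" 30)
report "$cert" "$cert" 14
rm -rf "$tmp"
```

On a client, `report /path/to/new.crt /etc/ipa/ca.crt` tells you whether the bundle there already covers the renewed certificate; on the server, `served_cert ipa.example.test 443 live.pem` followed by `report live.pem` confirms what is actually being served after the install.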
Question about /etc/pki/java/cacerts and password change
by Markovich
Hello FreeIpa community!
I'm a bit confused about the JKS "/etc/pki/java/cacerts".
Am I right that the default password for this JKS is "changeit"?
Can I change this password? If yes, should it be the same on all hosts connected to FreeIPA?
Will it be a problem later for FreeIPA? Should I somehow tell FreeIPA this password?
Also, what is the best practice to tell Java to trust the FreeIPA CA?
Regards,
Andrey
6 years, 5 months
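An added example for the last question, not from the original post or the FreeIPA project: give each Java application its own truststore containing the IPA CA instead of editing /etc/pki/java/cacerts. On RHEL/CentOS 7 that file is generated by update-ca-trust, which ipa-client-install runs after placing the IPA CA in the system anchors, so edits to it, a changed password included, are overwritten on the next run. The default cacerts password is indeed "changeit"; on a JKS it only keys an integrity check, and the CA certificates inside are public anyway, so the useful control is keeping the file unwritable by the application user rather than picking a secret password. Paths, the alias ipa-ca and the passwords are assumptions; the self-test builds a throwaway CA certificate with openssl and needs keytool from a JDK.

```sh
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Builds a per-application JKS truststore holding the IPA CA and prints the
# JVM properties that make Java use it. Paths, alias and passwords are
# assumptions; requires keytool (JDK) and, for the self-test, openssl.

# build_truststore STORE PASSWORD ALIAS CA.pem -> create STORE fresh with the
# CA under ALIAS; exit 0 only if the entry can be listed back afterwards
build_truststore() {
    store=$1; pass=$2; alias=$3; ca=$4
    rm -f "$store"
    keytool -importcert -noprompt -trustcacerts -storetype JKS \
        -keystore "$store" -storepass "$pass" -alias "$alias" -file "$ca" \
        >/dev/null 2>&1 || return 1
    chmod 0644 "$store"   # world-readable is fine: the contents are public CA certs
    keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1
}

# rotate_password STORE OLD NEW -> change the store's integrity password
rotate_password() {
    keytool -storepasswd -keystore "$1" -storepass "$2" -new "$3" >/dev/null 2>&1
}

# jvm_args STORE PASSWORD -> system properties for the java command line
jvm_args() {
    echo "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Real deployment (assumed path and alias), run once per application host:
#   build_truststore /etc/pki/java/app-truststore.jks changeit ipa-ca /etc/ipa/ca.crt
#   java $(jvm_args /etc/pki/java/app-truststore.jks changeit) -jar app.jar

# Offline demonstration on a constructed CA certificate (skipped if the
# tools are absent)
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=constructed test CA" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.pem" >/dev/null 2>&1
    build_truststore "$tmp/app-truststore.jks" changeit ipa-ca "$tmp/ca.pem" \
        && rotate_password "$tmp/app-truststore.jks" changeit app-store-pw \
        && echo "java $(jvm_args "$tmp/app-truststore.jks" app-store-pw) -jar app.jar"
    rm -rf "$tmp"
fi
```

Because the truststore is private to the application, the password never has to be shared with FreeIPA or kept identical across hosts; the IPA CA certificate itself is the same everywhere, and /etc/ipa/ca.crt is refreshed by the client tooling, so rebuilding the store from that file is the whole update procedure. Passing the password on the command line, as above, exposes it in the process list; for a non-secret integrity password that is acceptable, for anything else use keytool's prompt.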
Deployment considerations - domain name
by Aljaž Srebrnič
Hello list,
I'm managing the network for my hackerspace, and we're moving to FreeIPA (from plain LDAP) to manage internal and external services.
We have some services hosted on public, external machines (wiki, etc.) that members would authenticate to via Ipsilon OAuth2, which are under the main domain (e.g. wiki.example.org), and some internally hosted services that are under a subdomain (e.g. netbox.hq.example.org).
My plan is to have an IPA replica on the "outside" with Ipsilon for external auth, and a couple of local replicas (one of which is the CA master). The outside replica would be connected via VPN to the internal network, to avoid opening lots of ports to the outside world.
I'm having some difficulties choosing the proper Kerberos domain, and in general putting together the "external" world (example.org domain) and the "internal" one (hq.example.com domain), because the DNS server for the main domain is under CloudFlare.
Would getting a new domain just for FreeIPA be advisable?
Thanks,
Aljaž
--
Aljaž Srebrnič a.k.a g5pw
My public key: https://g5pw.me/key
Key fingerprint = 2109 8131 60CA 01AF 75EC 01BF E140 E1EE A54E E677
6 years, 5 months
Directory service stop and won't stay up when restarted
by Alexandre Pitre
Hi,
I had two FreeIPA replica servers up and running in our German DC for
nearly 2 months, and this morning, out of the blue, they stopped working.
Looking at ipactl status, both servers report that their directory
service is stopped. Restarting IPA only works for anywhere from 2 minutes to an
hour.
Looking at /var/log/dirsrv/slapd-DOMAIN-COM/errors, there are no errors
that show up before it crashes.
However, looking at /var/log/messages, this lovely segfault shows up:
XXXXXX kernel: ns-slapd[17507]: segfault at 8 ip 00007fb99e56149f sp 00007fb96bee83c0 error 4 in libslapd.so.0.1.0[7fb99e483000+128000]
Out of desperation to get production back up and running quickly, I reinstalled
one replica... it worked for an hour and then came back with the same issue.
We have 6 other FreeIPA replicas running across 3 different sites with zero
issues.
We're running CentOS 7.4 with the latest packages, ipa-server-4.5.0-21 &
389-ds-base-1.3.6.1-21.
Any clues why?
Thanks
--
Alexandre Pitre
alexandre.pitre(a)gmail.com
6 years, 5 months
adduser using keytab does not work, using kinit credential it does
by Matt .
I try to add a user using a principal for which a keytab has been received; the user and its group are the owner, chmod is 600 as it should be. The user can create a valid credential using this keytab.
When I call the user_add command, I get the following error.
Array
(
[error] => Array
(
[code] => 2100
[data] => Array
(
[info] => Could not read UPG Definition originfilter. Check your permissions.
)
[message] => Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
[name] => ACIError
)
[id] =>
[principal] => testuser/ipa-01.mydomain.tld(a)MY.DOMAIN
[result] =>
[version] => 4.4.4
)
Everything goes well when I do a 'kinit testuser' to create a credential and then call the user_add function again.
Where could this go wrong?
6 years, 5 months
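An added diagnostic, not from the original post or the FreeIPA project. The ACIError in the post is raised by user_add when it tries to read the managed-entries definition for user private groups and the entry is not returned; for an authenticated principal that means the bind identity lacks read access to it, which is why the same call works after kinit as the user. The functions below run a command with only the keytab principal's ticket, in a throwaway credential cache so the caller's own ticket is untouched, and check over LDAP whether that identity can read the entry, so the keytab case and the kinit case can be compared with one query. Keytab, principal, server and suffix are arguments; the commands used are the standard MIT Kerberos and OpenLDAP client tools.

```sh
#!/bin/sh
# Added diagnostic, not from the original post or the FreeIPA project.
# Compares what a keytab principal can read in the directory with what the
# current ticket can read, using a private credential cache for the keytab
# side. Keytab, principal, server and suffix are all arguments.

# upg_definition_dn SUFFIX -> the entry user_add reads to learn whether user
# private groups are enabled
upg_definition_dn() {
    echo "cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$1"
}

# as_principal KEYTAB PRINCIPAL CMD... -> run CMD with only that principal's
# ticket in a throwaway cache; returns 2 if no ticket could be obtained
as_principal() {
    kt=$1; princ=$2; shift 2
    cc=$(mktemp)
    (
        export KRB5CCNAME="FILE:$cc"
        kinit -kt "$kt" "$princ" >/dev/null 2>&1 || exit 2
        "$@"
    )
    rc=$?
    rm -f "$cc"
    return $rc
}

# can_read_upg_def SERVER SUFFIX -> exit 0 if the current ticket can read the
# originfilter attribute of the UPG definition, which is what user_add needs
can_read_upg_def() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" \
        -b "$(upg_definition_dn "$2")" -s base originfilter 2>/dev/null \
        | grep -q '^originfilter:'
}

# compare_access KEYTAB PRINCIPAL SERVER SUFFIX -> one verdict per identity
compare_access() {
    kt=$1; princ=$2; server=$3; suffix=$4
    if as_principal "$kt" "$princ" can_read_upg_def "$server" "$suffix"; then
        echo "$princ: can read UPG Definition"
    else
        echo "$princ: cannot read UPG Definition (matches the ACIError)"
    fi
    if can_read_upg_def "$server" "$suffix"; then
        echo "current ticket: can read UPG Definition"
    else
        echo "current ticket: cannot read UPG Definition"
    fi
}

# Example invocation with assumed names, after 'kinit testuser' as the user:
#   compare_access /etc/testuser.keytab testuser/ipa-01.mydomain.tld@MY.DOMAIN \
#       ipa-01.mydomain.tld dc=my,dc=domain
```

If the keytab identity cannot read the entry while the user can, the gap is an access-control one, not a keytab one; the remaining step is to find which permission grants read on that entry to the user and give the service principal the same privilege or role, then re-run the comparison.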
Get userstatus back from ldap login
by Matt .
Hi guys,
I thought that by default (for security reasons) it was not possible
to get back from a login whether the user account exists when you log in, but
that it was possible to make some setting to have this available.
Is someone able to tell me how to do this so my LDAP clients get back
the right status?
Thanks,
Matt
6 years, 5 months
Re: Expired passwords and generating an OTP token
by Aaron Hicks
Hello the list,
It's here:
https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395
SSSD is not doing its job properly when a user has an expired password and
an OTP token, and they should reset their password at the ssh prompt.
When a user has an expired password, it should ignore the OTP token during
the password reset process, and then disconnect.
The condition where an expired or compromised temporary password is obtained
by an unauthorised entity means that as long as the unauthorised entity does
not have the OTP token secret, the worst they can do is reset your password.
This condition is escaped when someone, either the user, a helpdesk agent,
or an admin, resets the password to something the unauthorised entity
doesn't know.
The case of the unauthorised entity having both the password and OTP token
is already recognised as a compromised state, so the code doesn't need to
protect us from that.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 5:44 PM
To: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org>
Cc: 'Sumit Bose' <sbose(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP token
Progress,
We made PAM use kinit username when a user had an expired password, and this
allowed users to reset passwords at the ssh prompt.
However passwd remains broken on all the hosts, regardless of their auth
indicator.
Aaron
_____
From: Aaron Hicks <aaron.hicks(a)nesi.org.nz <mailto:aaron.hicks@nesi.org.nz> >
Sent: Thursday, November 23, 2017 4:25:12 PM
To: 'FreeIPA users list'
Cc: 'Sumit Bose'
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token
Hello the list,
The next bit of information is that the passwd command itself is broken when
a user has an OTP token set.
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
These were with the user's valid, not-expired password, and with
passwordOTPCODE.
The Current Password: prompt fails.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 3:44 PM
To: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org> >
Cc: 'Sumit Bose' <sbose(a)redhat.com <mailto:sbose@redhat.com> >
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token
Hello the list,
We've kept at this today and this is what we think we are seeing:
* Preauth is detecting that a user has an expired password and a token, so it discards the token and just asks for the password
* The password check succeeds and hands over to the password change process (maybe using /etc/pam.d/passwd and /etc/pam.d/system-auth)
* BUT the Current Password: check fails because it doesn't preauth to check if the password is expired
* AND because the password is expired, passwordOTPCODE is not valid either
Similarly, accounts with expired passwords can't authenticate against the
API because their password is expired. Which would at least allow our
customer management system to disable or delete their OTP token so they can
reset their passwords.
In addition to this, users are not able to reset passwords at the ssh login
on hosts where 2FA is not enabled either! So this seems to be narrowing down
on the bits of PAM and SSSD used to authenticate the password change
process.
An interesting note is, kinit does not require OTPCODE.
Finally, no, users do not have access to the FreeIPA web interface or a host
without 2FA. The 2FA-secured host is to be their lander node into our
network.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 10:33 AM
To: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org> >
Cc: 'Sumit Bose' <sbose(a)redhat.com <mailto:sbose@redhat.com> >
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token
Hello the List,
A couple of new things about this problem: when a user has an expired password
and a valid OTP token, the password reset process is broken on all machines
at the ssh prompt, even the ones that do not require 2FA.
Feedback so far from Sumit indicates this is incorrect behaviour.
As an attempt to get around this, I've tried adding a permission to the
helpdesk role that would allow them to manage OTP tokens. I'll submit
another thread on that.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Thursday, 23 November 2017 6:31 AM
To: Sumit Bose <sbose(a)redhat.com <mailto:sbose@redhat.com> >
Cc: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org> >; 'Sumit Bose'
<sbose(a)redhat.com <mailto:sbose@redhat.com> >
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP token
Hi Sumit,
I sent those to you directly as I wasn't comfortable posting them to the
list.
Regards,
Aaron
_____
From: Sumit Bose <sbose(a)redhat.com <mailto:sbose@redhat.com> >
Sent: Wednesday, November 22, 2017 10:19:34 PM
To: Aaron Hicks
Cc: 'FreeIPA users list'; 'Sumit Bose'
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP token
On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote:
> Hi Sumit,
>
> Here is /etc/pam.d/password-auth. I missed that it was an include, and that
> you wanted it too; again, it's as installed by CentOS 7.4 and
> ipa-client-install
>
OK, the PAM configuration looks good. Can you send me the PAM-related
messages from /var/log/secure or the journal which cover the failed
attempt? And additionally the SSSD logs with debug_level=9 from the same
time. Most important would be sssd_pam.log, sssd_domain.name.log and
krb5_child.log.
bye,
Sumit
6 years, 5 months
restrict parallel ssh logins on different freeipa systems
by Michael Frank
Hi,
we run FreeIPA based on Red Hat 7.3.
Is it possible to determine if a certain user (an IdM user who can become root via sudo) is logged in on multiple IdM machines,
and to restrict that user so that only *one* login on a single server at the same time is allowed?
Any hints how to do this, or is there something "built-in"?
br,
michael
6 years, 5 months
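An added example, not from the original post or the FreeIPA project: IdM and SSSD have no cross-host session limit, so the practical shape is per-host enforcement plus a central report that catches the case asked about. The script collects who output from each server and lists users with live sessions on more than one host; the host names, the ssh-based collection and the sample who lines are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Reports users with live sessions on more than one IdM-enrolled host. Host
# names, the ssh-based collection and the sample `who` lines are constructed.

# gather HOST... -> lines "host user tty date time", one per session, by
# running `who` over ssh (needs key-based access; not used by the demo below)
gather() {
    for h in "$@"; do
        ssh -o BatchMode=yes "$h" who | awk -v h="$h" '{ print h, $1, $2, $3, $4 }'
    done
}

# multi_host_users < "host user ..." lines -> "user host1,host2" for every
# user seen on more than one distinct host (several ttys on one host count once)
multi_host_users() {
    awk '
        {
            key = $2 SUBSEP $1            # user + host, so repeat sessions collapse
            if (!(key in seen)) {
                seen[key] = 1
                hosts[$2] = (hosts[$2] == "") ? $1 : hosts[$2] "," $1
            }
        }
        END {
            for (u in hosts)
                if (index(hosts[u], ",") > 0) print u, hosts[u]
        }
    ' | sort
}

# Constructed sample: alice twice on idm01, bob on idm01 and idm02, carol once
SAMPLE='idm01 alice pts/0 2017-11-23 09:01
idm01 alice pts/1 2017-11-23 09:05
idm01 bob pts/2 2017-11-23 09:10
idm02 bob pts/0 2017-11-23 09:12
idm03 carol pts/0 2017-11-23 09:20'

# demo -> the report for the constructed sample (bob is the only offender)
demo() {
    printf '%s\n' "$SAMPLE" | multi_host_users
}

demo
```

In production the input comes from `gather idm01 idm02 idm03 | multi_host_users`, run from a cron job or a monitoring check. For the per-host half, pam_limits can cap a user's concurrent logins on one machine with a maxlogins entry in /etc/security/limits.conf, but each host only counts its own sessions, which is exactly why the cross-host report is needed for the question as asked.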
WebGui Cert back to selfsigned
by Matt .
Hi Guys,
Is there a proven way to set the WebGUI cert back to a self-signed one?
I have installed an expired 3rd-party certificate and want to move
back to a self-signed cert and later on to a Let's Encrypt one.
Setting the time back to before the expiration of the certificate on the
server would be a start, and also disabling all nameservers in
/etc/resolv.conf so the time is not updated on an IPA start/restart.
But what then? Is there no "reset command/way" available?
Thanks!
Matt
6 years, 5 months
Promote ipa-client-install to a replica successful but system become unstable
by barrykfl@gmail.com
Dear all:
Two server replicas, but the latter one became unstable.
I successfully promoted a client to a replica master,
but after a reboot the response is slow, certmonger fails to start,
and remote SSH login is very slow, delayed by half a minute.
The boot log shows certmonger failing to start and the login service failing:
I can only confirm that if I remove all IPA client components it is fine again and the login
service is fine.
Any idea why? I used 3.0 before, so it used gpg to install the replica
server,
but now it uses ipa-client-install first and then promotes with ipa-replica-install
later.
[FAILED] Failed to start Zabbix Agent.
See 'systemctl status zabbix_agentd.service' for details.
[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.
[  OK  ] Stopped Login Service.
Starting Login Service...
[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.
[  OK  ] Stopped Login Service.
Starting Login Service...
[  OK  ] Started /etc/rc.d/rc.local Compatibility.
Starting Terminate Plymouth Boot Screen...
Starting Wait for Plymouth Boot Screen to Quit...
6 years, 5 months