Is it possible to define the default ClientAliveInterval in FreeIPA
by Milos Cuculovic
Hi all,
I’m using FreeIPA to manage the Ubuntu server users mostly for SSH login purposes.
Is it possible to define a default ClientAliveInterval in FreeIPA, the same parameter that is available in /etc/ssh/sshd_config file?
The goal is to have a default interval limit for all FreeIPA user sessions on the server. The configuration is basic, using Kerberos and SSSD.
Looking forward to hearing from you.
Milos
4 years, 11 months
Password reset
by Yuri Krysko
Hello All,
I am familiar with the approach laid out in https://www.freeipa.org/page/Self-Service_Password_Reset and how we should use 3rd-party password reset tools. I'd like to clarify why the Change Password link is present in the user's profile, and why admin users can try to reset their password from Active Users -> <user> -> Actions -> Reset Password. Also, there's a way to grant, as I understand it, write access to various password-related attributes via RBAC -> Self Service Permissions, which should enable users to update these attributes. Could someone please clarify if I should be able to change my own password using the UI considering the above?
Thanks,
Yuri
4 years, 11 months
Get username and password via bind preop plugin in FreeIPA
by Elena Fedorov
Hello,
I have FreeIPA version 4.6.4, api_version 2.229
The system supports sasl bind version 3, mech GSSAPI.
I need to support logon from the front end for users who are not part of
the FreeIPA directory server.
For such users I will need to bind as a predefined existing Free IPA
account.
The problem is that I cannot capture the username (entered in the front end) in
the pre-op bind plugin.
FreeIPA does not even call the pre-op plugin if it cannot find the username
entered in the front end in the Directory Server.
What can I do to grab a username from the front end?
Thanks,
4 years, 11 months
Re: Cert expired for pki-tomcat and process would not start
by Rob Crittenden
Sayfiddin, Farhad wrote:
> Here is the output of getcert list
I think if you stop IPA, go back in time to when this server cert is
valid (it is the TLS cert for the CA server) and manually start dirsrv,
dogtag and krb5 then run certmonger resubmit -i 20170214143200
You want to be sure ntpd (or chronyc) isn't running to force time back
to now.
rob
>
> [root@sl1mmgplidm0002 ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20170214143155':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=CA Audit,O=IPA.GEN.ZONE
> expires: 2020-12-01 18:52:55 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170214143156':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE
> expires: 2020-12-01 18:52:54 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170214143157':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=CA Subsystem,O=IPA.GEN.ZONE
> expires: 2020-12-01 18:53:15 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170214143158':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=Certificate Authority,O=IPA.GEN.ZONE
> expires: 2037-01-18 20:02:36 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170214143159':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=IPA RA,O=IPA.GEN.ZONE
> expires: 2020-12-01 18:52:44 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20170214143200':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> expires: 2019-01-08 20:16:52 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170214143201':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> expires: 2020-12-23 03:40:21 UTC
> principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE
> track: yes
> auto-renew: yes
> Request ID '20170214143202':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> expires: 2020-12-23 03:40:31 UTC
> principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> Already tried this solution with no luck:
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__rcritten.wordpress.c...
>
> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Server-Cert u,u,u
> ipaCert u,u,u
> IPA.GEN.ZONE IPA CA CT,C,C
>
> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,'
> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C'
>
> Curl command still fails
>
> [root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0)
> * Trying 172.20.0.36...
> * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/httpd/alias/
> * CAfile: /etc/ipa/ca.crt
> CApath: none
> * Server certificate:
> * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> * start date: Jan 18 20:16:52 2017 GMT
> * expire date: Jan 08 20:16:52 2019 GMT
> * common name: sl1mmgplidm0002.ipa.gen.zone
> * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
> * Peer's Certificate has expired.
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> * Closing connection 0
> curl: (60) Peer's Certificate has expired.
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
4 years, 11 months
HA Client Question
by Christian Reiss
Hey folks,
I just recently began planning the deployment of FreeIPA and have
successfully made several test setups. Next step would be to integrate
this in our new datacenter; so we are starting there from scratch.
I understand HA on the server side. What boggles my head is HA on the
*client* side.
For example: Our pfSenses use an LDAP lookup against a single FQDN, and
the cert must be valid (against any provided CA). Exporting the CA from
FreeIPA and importing it in pfSense is a piece of cake.
But what do I point the clients towards? Let's say I have 4 FreeIPA servers:
- ipa01.auth.dc-01.company.com
- ipa02.auth.dc-01.company.com
- ipa03.auth.dc-01.company.com
- ipa04.auth.dc-01.company.com
Realm company.com, Kerberos COMPANY.COM. If I point the pfsense (I'll
stick to that as an example) against ipa01.auth.dc-01.company.com and
this server is offline, then no HA is given. DNS Delegation might yield
*any* of the four servers, including the one offline, so a 25% fault
chance in there.
Second question, same area: If I want my users to have one single url
for the FreeIPA webservice, like auth.company.com that follows the above
solution then the self-signed and generated certs do not have this as
altname.
So summed up:
- How can I make (ldap) clients access the current online server(s)?
- How can I provide access to the web interface on the currently online
server(s)?
(Or is this simply by the magic of dns zone delegation and pure faith
that always an online server will be hit?)
Thanks for any advice!
-Christian.
--
Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon
support(a)alpha-labs.net \ / Campaign
X against HTML
WEB alpha-labs.net / \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 11 months
Introducing ipa-healthcheck
by Rob Crittenden
I'd like to introduce a new tool for an IPA administrator's tool kit that we're
working on, currently in a beta state and shipping in Fedora 29+.
ipa-healthcheck is a proactive tool for identifying current, potential and
future issues within an IPA installation.
It executes a series of checks in the areas of certificates, AD trust,
replication and the filesystem (and a few others). These checks can
return a success, warning or error. Any check executed will return a
value, the idea being if something with the check blows up and causes it
to not execute you'd otherwise not know and would have a false sense of
security.
A systemd timer is configured which will execute this on a nightly
basis, dumping the output in JSON format in /var/log/ipa/healthcheck/.
It can also be executed from the command-line as root and requires an
admin Kerberos ticket. From the command-line it is probably most useful
to use the --failures-only option in order to suppress the SUCCESS
messages: no news is good news in this case.
It currently only works with IPA 4.7.2+. Will we backport to 4.6? I
don't know yet.
I'd appreciate any feedback on whether it:
- is helpful
- works
- doesn't report false positives
- is usable: a lot of the output is what I think would be useful but we
won't know until applied in the real world
- does what you need. We can add more checks so if you have ideas please
let us know
Note that there are a few things we run that just produce output that
needs to be analyzed separately. DNA range checking is an example. It is
perfectly fine to not have a DNA range assigned on all masters but you'd
want to know if you had none defined on all masters.
thanks
rob
4 years, 11 months
Re: Cert expired for pki-tomcat and process would not start
by Rob Crittenden
Sayfiddin, Farhad via FreeIPA-users wrote:
> We have two replica servers sl1mmgplidm0001/2.
>
> sl1mmgplidm0001 is functioning as CRL master and has no issues.
>
> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
> IPA CA renewal master: sl1mmgplidm0001
> [root@sl1mmgplidm0001 ~]#
>
> [root@sl1mmgplidm0001 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0001 ~]#
>
> sl1mmgplidm0002 is having an issue where pki-tomcat process would not
> start due to expired cert. It has CA_UNREACHABLE error
>
> [root@sl1mmgplidm0002 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: STOPPED
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0002 ~]#
>
> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
> Request ID '20170214143200':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with given CA certificates.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IPA
> subject: CN=sl1mmgplidm0002,O=IPA
> expires: 2019-01-08 20:16:52 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> [root@sl1mmgplidm0002 ~]#
>
> Tried running renew_ca_cert command and "getcert resubmit -i" with no luck.
Don't run ipa-cacert-manage renew. It renews only the root CA cert which
won't help.
We need to see the full output of getcert list to see what status all
the certs are in.
You might also try this:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...
rob
4 years, 11 months
Duplicate certificate tracking request
by Remco Kranenburg
Hi all,
We noticed that we have a duplicate tracking request for a certificate.
Is this normal, or can we remove one of them? We suspect that this
happened because we migrated our systems to another provider and we
made a mistake with FreeIPA.
The tracking requests as reported by getcert:
Request ID '20170801134610':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/ssl/private/ipa_host.key'
certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.example.com,O=EXAMPLE.COM
expires: 2021-01-07 15:03:30 UTC
dns: ipa.example.com
principal name: host/ipa.example.com(a)EXAMPLE.COM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190107150328':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/ssl/private/ipa_host.key'
certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.example.com,O=EXAMPLE.COM
expires: 2021-01-07 15:03:30 UTC
dns: ipa.example.com
principal name: host/ipa.example.com(a)EXAMPLE.COM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
--
Remco Kranenburg
4 years, 11 months
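Both the expired pki-tomcat Server-Cert thread (status CA_UNREACHABLE, expired 2019-01-08) and Remco's duplicate tracking request come down to reading `getcert list` output carefully. The following triage script is an added example, not code from the list posts or from the certmonger or FreeIPA projects: it parses that output and reports requests whose status is not MONITORING, certificates that are expired or close to expiry, and several requests tracking the same certificate slot. The embedded sample output is constructed (example.com names, abridged fields), and `as_of` takes a getcert-style timestamp so a check can be replayed against old output.

```python
"""Triage `getcert list` output: flag requests whose status is not MONITORING,
expired or soon-expiring certificates, and duplicate tracking requests that
point at the same certificate slot.  SAMPLE_GETCERT_LIST is constructed for
this example (example.com names, abridged fields), not captured output."""
import re
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20170214143200':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://ipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2019-01-08 20:16:52 UTC
Request ID '20170801134610':
        status: MONITORING
        key pair storage: type=FILE,location='/etc/ssl/private/ipa_host.key'
        certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
        CA: IPA
        expires: 2021-01-07 15:03:30 UTC
Request ID '20190107150328':
        status: MONITORING
        key pair storage: type=FILE,location='/etc/ssl/private/ipa_host.key'
        certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
        CA: IPA
        expires: 2021-01-07 15:03:30 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# key=value pairs inside a storage line; values may be quoted (and contain commas/spaces)
STORAGE_FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")


def parse_getcert_list(text):
    """Split getcert output into one dict per request, keyed by the printed field names."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # split on the first colon only: ca-error values contain URLs with colons
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def storage_key(request):
    """Identify the certificate slot a request tracks: (type, location, nickname)."""
    fields = {k: v.strip("'") for k, v in STORAGE_FIELD_RE.findall(request.get("certificate", ""))}
    return (fields.get("type"), fields.get("location"), fields.get("nickname"))


def parse_timestamp(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def find_duplicates(requests):
    """Groups of request IDs that track the same certificate slot (Remco's case)."""
    by_slot = defaultdict(list)
    for request in requests:
        by_slot[storage_key(request)].append(request["id"])
    return [ids for ids in by_slot.values() if len(ids) > 1]


def find_unhealthy(requests, as_of=None, warn_days=30):
    """(request id, reason) pairs for anything that is not quietly MONITORING a
    valid certificate, evaluated as of a getcert-style timestamp (default: now)."""
    now = parse_timestamp(as_of) if as_of else datetime.now(timezone.utc)
    problems = []
    for request in requests:
        rid, status = request["id"], request.get("status")
        if status != "MONITORING":
            detail = request.get("ca-error", "")
            problems.append((rid, f"status {status}" + (f": {detail}" if detail else "")))
        if request.get("stuck") == "yes":
            problems.append((rid, "request is stuck"))
        if "expires" in request:
            expires = parse_timestamp(request["expires"])
            if expires <= now:
                problems.append((rid, f"certificate expired {request['expires']}"))
            elif (expires - now).days < warn_days:
                problems.append((rid, f"certificate expires within {warn_days} days"))
    return problems


if __name__ == "__main__":
    tracked = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for rid, reason in find_unhealthy(tracked, as_of="2019-06-13 16:00:00 UTC"):
        print(f"{rid}: {reason}")
    for ids in find_duplicates(tracked):
        print("duplicate tracking requests for one slot: " + ", ".join(ids))
```

On a live server, feed it `getcert list` output instead of the sample; the duplicate report tells you which request IDs share a slot, but which one to stop tracking is still a judgement call.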
Announcing SSSD 2.2.0
by Jakub Hrozek
SSSD 2.2.0
===========
The SSSD team is proud to announce the release of version 2.2.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New features
^^^^^^^^^^^^
* The Kerberos provider (and composite authentication providers based on it,
like AD or IPA) can now include more KDC addresses or host
names when writing data for the Kerberos locator plugin (see
``sssd_krb5_locator_plugin(8)``). This means that Kerberos client
applications, such as ``kinit`` would be able to switch between multiple
KDC servers discovered by SSSD. Please see description of the option
``krb5_kdcinfo_lookahead`` in the ``sssd-krb5(5)`` manual page for more
information or refer to `the design page
<https://docs.pagure.org/SSSD.sssd/design_pages/kdcinfo_multiple_servers.html>`_
(#3973, #3974, #3975)
* The 2FA prompting can now be configured. The administrator can set custom
prompts for first or second factor or select a single prompt for both
factors. This can be configured per-service. Please see the section called
"Prompting configuration" in the ``sssd.conf(5)`` manual page for more
details or refer to `the design page
<https://docs.pagure.org/SSSD.sssd/design_pages/prompting_configuration.html>`_
(#3264).
* The LDAP authentication provider now allows using a different method of
changing LDAP passwords: a modify operation in addition to the default
extended operation. This is meant to support old LDAP servers that do not
implement the extended operation. The password change using the modification
operation can be selected with ``ldap_pwmodify_mode = "ldap_modify"``. More
information can also be found in `the design page
<https://docs.pagure.org/SSSD.sssd/design_pages/prompting_configuration.html>`_
(#1314)
* The ``auto_private_groups`` configuration option now takes a new value
``hybrid``. This mode autogenerates private groups for user entries where
the UID and GID values have the same value and at the same time the GID
value does not correspond to a real group entry in LDAP (#3822)
* A new option ``ad_gpo_ignore_unreadable`` was added. This option,
which defaults to false, can be used to ignore group policy containers in AD
with unreadable or missing attributes. This is for the case when server
contains GPOs that have very strict permissions on their attributes
in AD but are unrelated to access control (#3867)
* The ``cached_auth_timeout`` parameter is now inherited by trusted domains
(#3960). The pre-authentication request is now cached as well when this
option is in effect (#3960)
* The ``ldap_sasl_mech`` option now accepts another mechanism ``GSS-SPNEGO``
in addition to ``GSSAPI``. Using SPNEGO might be preferable with newer
Active Directory servers especially with hardened configurations. SSSD might
switch to using SPNEGO by default in a future release (#4006)
* The ``sssctl`` tool has two new commands ``cert-show`` and ``cert-map``
which can help in troubleshooting Smart-Card and in general user certificate
related issues
Notable bug fixes
^^^^^^^^^^^^^^^^^
* A potential race condition between SSSD receiving a notification to try
switching to online mode and the network being actually reachable is
now handled better. SSSD now tries to go online three times with an
increasing delay between online checks up to 4s (#3467).
* A potential deadlock in user resolution when the IPA provider fetches
the keytab used to authenticate to a trusted AD domain was fixed (#3992)
* When checking whether objects that cannot be looked up exist locally and thus
should be added to a negative cache with a longer negative TTL (see
``local_negative_timeout`` in ``sssd.conf(5)``), the blocking NSS API
is no longer used. The blocking calls might have caused a timeout,
especially during SSSD startup (#3963)
* Some cache attributes used by the Kerberos ticket renewal code are
now indexed, which speeds up the cache searches which might have otherwise
caused SSSD to appear blocked and killed by the internal watchdog (#3968)
* Cached objects from an Active Directory domain trusted by an IPA domain
that no longer exist on the server are now properly removed from the
cache (#3984)
* The ``sudoRunAsUser/Group`` now work correctly with an IPA configuration
that also uses the ``domain_resolution_order``, either set locally or
centrally (#3957)
* Certificates that are completely missing the Key Usage (KU) certificate
extension are now handled gracefully (rhbz#1660899)
* The sudo smart refresh (see man ``sssd-sudo``) now correctly uses the
highest USN number, which results in more efficient queries (#3997)
* The ``pam_sss`` module now returns PAM_USER_UNKNOWN if the PAM socket
is missing completely. This could have been the case if SSSD is running
with the files domain only and a user resolved by a completely different
PAM module logs in (#3988)
* Netgroups lookups now honor the midpoint refresh interval set by
``cache_refresh_percent`` (#3947)
* The list of users or groups from the ``filter_users/filter_groups`` lists
which will be negatively cached, avoiding lookups of those entries, is
now correctly evaluated for domains that are discovered after sssd
had started (#3983). These lists can also now include UPNs (#3978)
* The IPA access provider no longer fails if the configuration file
completely disables dereference by setting ``ldap_deref_threshold=0``
(#3979)
* The ``sss_cache`` tool does not print loud warnings in case the sssd
cache cannot be written to; typically this was occurring when ``/var``
was mounted read-only during an ``rpm-ostree`` update.
* The command line tools such as ``sssctl`` can now operate on the implicit
files domain (#3769)
* The files and proxy provider no longer crash on receiving a request
to go online, which they don't implement (#4014)
* A potential crash in the online check callback was fixed (#3990)
* The winbind ID-mapping plugin now works with recent Samba releases again
(#4005)
Packaging Changes
-----------------
None
Documentation Changes
---------------------
* A new option ``ad_gpo_ignore_unreadable`` was added
* A new option ``krb5_kdcinfo_lookahead`` was added
* A new option ``ldap_pwmodify_mode`` was added
* The option ``ldap_sasl_mech`` now accepts a new value ``GSS-SPNEGO``
* The option ``auto_private_groups`` now accepts a new value ``hybrid``
* Multi-factor prompting can now be configured in a separate section called
``[prompting]``
Tickets Fixed
-------------
* `4016 <https://pagure.io/SSSD/sssd/issue/4016>`_ - sssd fails to build with Python 3.8
* `4015 <https://pagure.io/SSSD/sssd/issue/4015>`_ - The server error message is not returned if password change fails
* `4014 <https://pagure.io/SSSD/sssd/issue/4014>`_ - The files provider does not handle resetOffline properly
* `4006 <https://pagure.io/SSSD/sssd/issue/4006>`_ - sssd does not properly check GSS-SPNEGO
* `3997 <https://pagure.io/SSSD/sssd/issue/3997>`_ - sudo: always use server highest usn for smart refresh
* `3992 <https://pagure.io/SSSD/sssd/issue/3992>`_ - ipa-getkeytab can call NSS operation which might deadlock the subdomains request
* `3991 <https://pagure.io/SSSD/sssd/issue/3991>`_ - providers/data_provider_be: code review required
* `3990 <https://pagure.io/SSSD/sssd/issue/3990>`_ - providers/data_provider_be: potential dereferencing of 'bad' ptr
* `3989 <https://pagure.io/SSSD/sssd/issue/3989>`_ - Consider merge of two "negcache" tests.
* `3988 <https://pagure.io/SSSD/sssd/issue/3988>`_ - pam_sss failing for external users not configured via sssd
* `3984 <https://pagure.io/SSSD/sssd/issue/3984>`_ - IPA: Deleted user from trusted domain is not removed properly from the cache on IPA clients
* `3983 <https://pagure.io/SSSD/sssd/issue/3983>`_ - filter_users option is not applied to sub-domains if SSSD starts offline
* `3980 <https://pagure.io/SSSD/sssd/issue/3980>`_ - sudorule matching when no host or hostcat set
* `3979 <https://pagure.io/SSSD/sssd/issue/3979>`_ - The HBAC code requires dereference to be enabled and fails otherwise
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option
* `3976 <https://pagure.io/SSSD/sssd/issue/3976>`_ - crash in dp_failover_active_server
* `3975 <https://pagure.io/SSSD/sssd/issue/3975>`_ - Lookahead resolving of host names to provide names for the kdcinfo plugin
* `3974 <https://pagure.io/SSSD/sssd/issue/3974>`_ - Write a list of host names up to a configurable limit to the kdcinfo files
* `3973 <https://pagure.io/SSSD/sssd/issue/3973>`_ - The kdcinfo plugin should be able to resolve host names
* `3972 <https://pagure.io/SSSD/sssd/issue/3972>`_ - Circular dependency between subdomains update and NSS responder invoking getDomains
* `3968 <https://pagure.io/SSSD/sssd/issue/3968>`_ - krb5_child_init: check_ccache_files() might be *too* slow with large cache
* `3965 <https://pagure.io/SSSD/sssd/issue/3965>`_ - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider
* `3964 <https://pagure.io/SSSD/sssd/issue/3964>`_ - Responders: `is_user_local_by_name()` should avoid calling nss API entirely
* `3963 <https://pagure.io/SSSD/sssd/issue/3963>`_ - Responders: processing of `filter_users`/`filter_groups` should avoid calling blocking NSS API
* `3960 <https://pagure.io/SSSD/sssd/issue/3960>`_ - cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA
* `3957 <https://pagure.io/SSSD/sssd/issue/3957>`_ - sudo: runAsUser/Group does not work with domain_resolution_order
* `3946 <https://pagure.io/SSSD/sssd/issue/3946>`_ - SSSD netgroups do not honor entry_cache_nowait_percentage
* `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is not working with enumerate=true when trying to fetch all groups
* `3907 <https://pagure.io/SSSD/sssd/issue/3907>`_ - responders chain requests that were issued before reconnection to sssd_be
* `3899 <https://pagure.io/SSSD/sssd/issue/3899>`_ - change the default service search base in SSSD-IPA
* `3867 <https://pagure.io/SSSD/sssd/issue/3867>`_ - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD.
* `3861 <https://pagure.io/SSSD/sssd/issue/3861>`_ - Python multihost tests are not part of upstream tarball
* `3838 <https://pagure.io/SSSD/sssd/issue/3838>`_ - KCM: If the default ccache cannot be found, fall back to the first one
* `3822 <https://pagure.io/SSSD/sssd/issue/3822>`_ - Enable generating user private groups only for users with no primary GID
* `3769 <https://pagure.io/SSSD/sssd/issue/3769>`_ - sssd tools don't handle the implicit domain
* `3636 <https://pagure.io/SSSD/sssd/issue/3636>`_ - nested group missing after updates on provider
* `3614 <https://pagure.io/SSSD/sssd/issue/3614>`_ - FIPS mode breaks using pysss.so (sss_obfuscate)
* `3467 <https://pagure.io/SSSD/sssd/issue/3467>`_ - online detection in case sssd starts before network does appears to be broken
* `3401 <https://pagure.io/SSSD/sssd/issue/3401>`_ - sssd does not failover to another IPA server if just the KDC service fails
* `3264 <https://pagure.io/SSSD/sssd/issue/3264>`_ - [RFE] Make 2FA prompting configurable
* `1314 <https://pagure.io/SSSD/sssd/issue/1314>`_ - RFE Request for allowing password changes using SSSD in DS which dont follow OID's from RFC 3062

Detailed changelog
------------------
* Alexey Tikhonov (24):

  * negcache: avoid "is_*_local" calls in some cases
  * providers/ldap: sdap_extend_map_with_list() fixed
  * providers/ldap: const params should be const
  * providers/proxy: small optimization
  * providers/proxy: fixed wrong check
  * providers/proxy: fixed usage of wrong mem ctx
  * providers/proxy: got rid of excessive mem copies
  * providers/proxy: fixed erroneous free of orig_grp
  * providers/proxy: const params should be const
  * Util: added facility to load nss lib syms
  * responder/negcache: avoid calling nsswitch NSS API
  * negcache_files: got rid of large array on stack
  * TESTS: moved cwrap/test_negcache to cmocka tests
  * TESTS: fixed regression in cmocka/test_negcache_2.c
  * ci/sssd.supp: getpwuid() leak suppression
  * data_provider_be: fixed dereferencing of 'bad' ptr
  * TESTS: two `negcache` tests were merged
  * data_provider_be: got rid of went_offline usage
  * providers/ipa: Fixed obvious copy-paste error
  * providers/ipa: Changed default service search base
  * TESTS: ability to run unit tests under valgrind
  * Monitor & utils: got rid of pid filename duplication
  * Monitor: fixed bug with services launch
  * ldap/sdap_idmap.c: removed unnecessary include

* Branen Salmon (1):

  * knownhostsproxy: friendly error msg for NXDOMAIN

* Colin Walters (1):

  * sss_cache: Do nothing if SYSTEMD_OFFLINE=1

* Jakub Hrozek (21):

  * Updating the version to track the next release
  * TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate
  * UTIL: Add a is_domain_mpg shorthand
  * UTIL: Convert bool mpg to an enum mpg_mode
  * CONFDB: Read auto_private_groups as string, not bool
  * CONFDB/SYSDB: Add the hybrid MPG mode
  * CACHE_REQ: Add cache_req_data_get_type()
  * NSS: Add the hybrid-MPG mode
  * TESTS: Add integration tests for auto_private_groups=hybrid
  * SYSDB: Inherit cached_auth_timeout from the main domain
  * AD: Allow configuring auto_private_groups per subdomain or with subdomain_inherit
  * SDAP: Add sdap_has_deref_support_ex()
  * IPA: Use dereference for host groups even if the configuration disables dereference
  * KCM: Fall back to using the first ccache if the default does not exist
  * krb5: Do not use unindexed objectCategory in a search filter
  * SYSDB: Index the ccacheFile attribute
  * krb5: Silence an error message if no cache entries have ccache stored but renewal is enabled
  * PAM: Also cache SSS_PAM_PREAUTH
  * LDAP: Return the error message from the extended operation password change also on failure
  * Update the translations for the 2.2.0 release
  * Updating the version for the 2.2.0 release

* Michal Židek (2):

  * GPO: Add option ad_gpo_ignore_unreadable
  * tests: Add multihost tests to upstream tarball

* Mikhail Novosyolov (1):

  * Fix pidpath in systemd unit

* Niranjan M.R (7):

  * TESTS: Add @Title to test case docstrings for basic sanity tests
  * TESTS: Add @Title to test case docstrings for config tests
  * TESTS: Add @Title to test case docstrings for KCM tests.
  * TESTS: Add @Title to test case docstrings for sssctl config tests.
  * TESTS: Add @Title to test case docstrings for sudo tests
  * TESTS: Add @Title to test case docstrings for files tests.
  * TESTS: Add @Title to test case docstrings for ifp tests

* Pavel Březina (18):

  * netgroups: honor cache_refresh_percent
  * sdap: add sdap_modify_passwd_send
  * sdap: add ldap_pwmodify_mode option
  * sdap: split password change to separate request
  * sdap: use ldap_pwmodify_mode to change password
  * be: remember last good server's name instead of fo_server structure
  * sudo ipa: do not store rules without sudoHost attribute
  * ipa: store sudo runas attribute with internal fqname
  * sudo: format runas attributes to correct output name
  * memberof: keep memberOf attribute for nested member
  * sudo: always use server highest known usn for smart refresh
  * man: update sudo smart refresh documentation to reflect new USN behavior
  * ci: do not fail everything when one distro fails
  * ci: archive test-suite.log
  * ci: add Fedora 30
  * ci: remove code duplication in Jenkinsfile
  * ci: run moderate set of tests
  * ci: do not install dependencies

* Samuel Cabrero (1):

  * SUDO: Allow defaults sudoRole without sudoUser attribute

* Sumit Bose (29):

  * NEGCACHE: initialize UPN negative cache as well
  * NEGCACHE: fix typo in debug message
  * NEGCACHE: repopulate negative cache after get_domains
  * ldap: add users_get_handle_no_user()
  * ldap: make groups_get_handle_no_group() public
  * ipa s2n: fix typo
  * ipa s2n: do not add UPG member
  * ipa s2n: try to remove objects not found on the server
  * pam_sss: PAM_USER_UNKNOWN if socket is missing
  * pam: introduce prompt_config struct
  * authtok: add dedicated type for 2fa with single string
  * pam_sss: use configured prompting
  * PAM: add initial prompting configuration
  * intg: add test for password prompt configuration
  * ipa: ipa_getkeytab don't call libnss_sss
  * winbind idmap plugin: update struct idmap_domain to latest version
  * sdap: update last_usn on reconnect
  * SDAP: allow GSS-SPNEGO for LDAP SASL bind as well
  * sdap: inherit SDAP_SASL_MECH if not set explicitly
  * DP: add NULL check to be_ptask_{enable|disable}
  * certmap: allow missing KU in OpenSSL version
  * test: add certificate without KU to certmap tests
  * certmap: add sss_certmap_display_cert_content()
  * sssctl: add cert-show
  * files: add missing newline to debug message
  * sssctl: add cert-map
  * tests: fix enctypes in test_copy_keytab
  * CI: use python3-pep8 on Fedora 31 and later
  * BUILD: fix libpython handling in Python3.8

* Tom Briden (1):

  * build: only do automagic linking against systemd if required

* Tomas Halman (6):

  * krb5_locator: Allow hostname in kdcinfo files
  * krb5: Write multiple dnsnames into kdc info file
  * Providers: Delay online check on startup
  * krb5: Lookahead resolving of host names
  * sss_cache: Do nothing if /var is read-only
  * confdb: sssd tools don't handle the implicit domain

* Tomislav Dukaric (1):

  * self.OPTCRE.match(line) fails if there's a whitespace before option name, which is valid for SSSD. This will ignore any whitespace before the option

* Yuri Chornoivan (1):

  * Fix various minor typos

* realsobek (1):

  * fix man page reference