SSH key authentication fails on some nodes (Server refused our key)
by Jeff Vincent
Most of our FreeIPA client nodes are Ubuntu 14, 16 and some 18. We have a fair number where I am unable to use SSH authentication because the server refuses the key.
The same user/key works fine on other nodes.
I have checked the files to the best of my knowledge and compared them to a node that works, and I can't find any differences.
/etc/nsswitch.conf
/etc/sssd/sssd.conf
I don't understand the nuances of FreeIPA to know where else to look. Can anyone suggest what else I can look at to troubleshoot what is going on? Every user experiences this on different nodes.
Thanks!
centos 7.6 or 8.0?
by Charles Hedrick
We have a limited time period when I would prefer to do major changes. I had expected to update our CentOS 7.6 to 8 during January. Unfortunately it appears that there have been no updates to 8, pending 8.1, and 8.1 is waiting for a surprising amount of time. I have a test 8.0 installation, and it works, but obviously it isn't under any load. Would you feel safer with 7.6 or 8.0?
Re: DNS discovery / locations
by Alexander Bokovoy
On to, 09 tammi 2020, Angus Clarke via FreeIPA-users wrote:
>Hello
>
>Not sure if this is more a generic DNS question or not ...
>
>We run FreeIPA 4.6.4 on a RHEL7.6 clone, we do not use FreeIPA DNS and
>we currently do not use DNS discovery. I have read this:
>https://www.freeipa.org/page/Howto/IPA_locations<https://www.freeipa.org/page/Howto/IPA_locations#Advanced_configuration>
>and am comfortable configuring split view DNS records.
>
>
>As we deploy more sites, I am looking to move to using DNS discovery,
>however we use site specific DNS domains (rightly or wrongly with a
>private TLD ... cross that bridge when we come to it ...) such as:
>
>site1.blah
>site2.blah
>
>which is different from the given example of example.com being used
>across all sites.
>
>
>Our Realm Domain is blah - I have put the location based DNS records
>immediately under .blah.
>
>In testing, I see ipa clients initially query DNS for SRV records under
>site1.blah - when that fails the clients then perform a second DNS
>query for SRV records under .blah - which works and my test outcome is
>good - the setup works!
>
>Is it safe for me to assume that this process will remain the same for
>future IDM client versions? My concern is that if future versions
>neglect the second-attempt DNS discovery lookup (under .blah) then my
>setup will break.
There are no plans to change this behavior. At worst, you can add SRV
records to siteX.blah directly.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
DNS discovery / locations
by Angus Clarke
Hello
Not sure if this is more a generic DNS question or not ...
We run FreeIPA 4.6.4 on a RHEL7.6 clone, we do not use FreeIPA DNS and we currently do not use DNS discovery. I have read this: https://www.freeipa.org/page/Howto/IPA_locations<https://www.freeipa.org/page/Howto/IPA_locations#Advanced_configuration> and am comfortable configuring split view DNS records.
As we deploy more sites, I am looking to move to using DNS discovery, however we use site specific DNS domains (rightly or wrongly with a private TLD ... cross that bridge when we come to it ...) such as:
site1.blah
site2.blah
which is different from the given example of example.com being used across all sites.
Our Realm Domain is blah - I have put the location based DNS records immediately under .blah.
In testing, I see ipa clients initially query DNS for SRV records under site1.blah - when that fails the clients then perform a second DNS query for SRV records under .blah - which works and my test outcome is good - the setup works!
Is it safe for me to assume that this process will remain the same for future IDM client versions? My concern is that if future versions neglect the second-attempt DNS discovery lookup (under .blah) then my setup will break.
Thanks for any pointers
Angus
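The fallback Angus observes (query SRV records under site1.blah, then under the realm domain blah) as a small simulation. This is an added example, not FreeIPA client code: DNS is replaced by a constructed in-memory table so it runs offline, and the walk from the host's domain up to the realm domain is an assumption modelled on the behaviour described in the thread.

```python
"""Simulate the client-side SRV discovery walk described in this thread.

Added example, not FreeIPA's own code. DNS is replaced by a constructed
in-memory table so it runs offline; the walk from the host's domain
(site1.blah) up to the realm domain (blah) mirrors the behaviour Angus
observed and is an assumption about the client, not a quote of its source.
"""

# Constructed SRV data. site1.blah has no records of its own, so a client
# there must fall back to the realm domain; site2.blah has records placed
# directly under it, the option Alexander mentions.
# Record tuple: (priority, weight, port, target)
FAKE_SRV = {
    "_ldap._tcp.blah": [
        (10, 100, 389, "ipa2.site2.blah"),
        (0, 100, 389, "ipa1.site1.blah"),
    ],
    "_ldap._tcp.site2.blah": [(0, 100, 389, "ipa2.site2.blah")],
}


def lookup_srv(name, table=FAKE_SRV):
    """Return SRV records for name, lowest priority first (empty if none)."""
    return sorted(table.get(name, []))


def discover_ldap_servers(host_domain, realm_domain, table=FAKE_SRV):
    """Try _ldap._tcp.<domain> at each level from host_domain up to
    realm_domain. Returns (domain_that_answered, [targets]) or (None, [])."""
    realm = realm_domain.rstrip(".").lower()
    labels = host_domain.rstrip(".").lower().split(".")
    start = ".".join(labels)
    # A host domain outside the realm domain has nothing to fall back to.
    if start != realm and not start.endswith("." + realm):
        return None, []
    while True:
        candidate = ".".join(labels)
        records = lookup_srv("_ldap._tcp." + candidate, table)
        if records:
            return candidate, [target for _, _, _, target in records]
        if candidate == realm:
            return None, []
        labels = labels[1:]  # strip the leftmost label and retry one level up
```

Placing records directly under siteX.blah, as Alexander suggests, short-circuits the walk at the first query, so the setup no longer depends on the second lookup at all.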
Replica install Error ?
by Günther J. Niederwimmer
Hello,
this is a newly installed CentOS 7.7 server,
but it is not possible to configure it as an IPA replica.
I get this error:
ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec:
GeneralName(componentType=NamedTypes(NamedType('rfc822Name',
IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=1)))),
NamedType('dNSName', IA5String(tagSet=TagSet((), Tag(tagClass=128,
tagFormat=0, tagId=2)))), NamedType('directoryName',
Name(componentType=NamedTypes(NamedType('', RDNSequence())), tagSet=TagSet((),
Tag(tagClass=128, tagFormat=0, tagId=4)))),
NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((),
Tag(tagClass=128, tagFormat=0, tagId=6)))), NamedType('iPAddress',
OctetString(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=7)))),
NamedType('registeredID', ObjectIdentifier('<no value>'))))
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I ran ipa-client-install before this, and that works, but afterwards I have
this problem with the replica install.
firewall Ports are open.
--
mit freundlichen Grüßen / best regards
Günther J. Niederwimmer
Re: krbpasswordexpiration field gone from "ipa user-show" ?
by Igor Stets
We use ipa-server-4.6.4-10.el7.centos.6.x86_64
and update expiration check script:
# userpw_expiry_datetime=$(/usr/bin/ipa user-show ${user} --all | grep krbpasswordexpiration | awk '{print $2}' | cut -c 1-14)
userpw_expiry_datetime=$(/usr/bin/ipa user-show ${user} --all | grep -i "password expiration:" | awk '{print $4}' | cut -c 1-14)
This works for me.
Regards. Igor S.
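The same field extraction done without pinning an awk column, as an added example that is not Igor's script: it accepts both the raw attribute line (krbpasswordexpiration:) that the old grep matched and the labelled line (User password expiration:) that the updated grep relies on, and turns the 14-digit GeneralizedTime prefix into a date. The sample outputs are constructed.

```python
"""Parse the password-expiration line from `ipa user-show <user> --all`.

Added example, not Igor's script. Rather than pinning a field position
with awk, it matches either spelling of the line: the raw attribute
(krbpasswordexpiration: ...) and the labelled form (User password
expiration: ...) that the updated grep in the thread relies on.
"""
import re
from datetime import datetime, timezone

# Constructed sample output in both forms; the dates are made up.
SAMPLE_LABELLED = """\
  User login: jdoe
  First name: Jane
  User password expiration: 20200301120000Z
  Account disabled: False
"""
SAMPLE_RAW = """\
  User login: jdoe
  krbpasswordexpiration: 20200301120000Z
"""

# LDAP GeneralizedTime as printed by ipa: YYYYMMDDHHMMSSZ (UTC)
_EXPIRY_RE = re.compile(
    r"^\s*(?:krb|user\s+)?password\s*expiration:\s*(\d{14})Z?", re.I | re.M
)


def parse_generalized_time(value):
    """Turn the 14-digit prefix of an LDAP GeneralizedTime into an aware UTC datetime."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_expiry(output):
    """Return the expiration as a UTC datetime, or None if no line matches."""
    m = _EXPIRY_RE.search(output)
    return parse_generalized_time(m.group(1)) if m else None


def days_until_expiry(output, now):
    """Whole days from `now` (an aware datetime) until expiration, or None
    if the line is absent. Negative means the password has already expired."""
    expiry = parse_expiry(output)
    return None if expiry is None else (expiry - now).days
```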
How to allow users to manage their own certs
by Michael Plemmons
We have a need where we want to allow a user to submit their own CSR to
generate their own SSL certificate and to be able to download their own
certificate.
I get the following error:
Insufficient access: Principal 'testplem@MGMT.EXAMPLE.COM' is not permitted
to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.
Here are the permissions I have setup.
* Create a new Privilege called SelfService
* Add the following permissions to the SelfService Privilege
* Request Certificate (FreeIPA builtin permission)
* Retrieve Certificates from the CA (FreeIPA builtin permission)
* UserSelfSerivceCertificate (custom permission)
* ReadCAProfile (custom permission)
* ReadIPACA (custom permission)
* Create Role called SelfService
* Attach the SelfService Privilege to this Role
* I then attach that Role to a test user.
I am sure I am missing other permissions but I am not sure which. If there
is already documentation that explains how to do this I am happy to
reference that. If not, what else am I missing?
============
dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermRight: write
ipaPermRight: add
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: UserSelfSerivceCertificate
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: usercertificate
============
dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermBindRuleType: permission
ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadCAProfile
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacertprofilestoreissued
ipaPermIncludedAttr: objectclass
============
dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadIPACA
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacaid
ipaPermIncludedAttr: ipacaissuerdn
ipaPermIncludedAttr: ipacasubjectdn
ipaPermIncludedAttr: objectclass
Thank you for any insight you are able to provide.
--
Mike Plemmons
Senior Infrastructure Engineer
614-427-2411
99 E. Main Street
Columbus, OH 43215
oliveai.com
IPA server rebooted after freeze, now services can't authenticate with ldap
by Kristian Petersen
My primary IPA server has failed. I was running a python script against
IPA doing some user management when everything went unresponsive. I
couldn't even get in at a console to check what was going on. I ended up
rebooting it. After doing so, dirsrv wouldn't start because dse.ldif was
missing. I have copied this file over from a replica IPA server, so dirsrv
starts now. However, it seems that other services are unable to connect to
LDAP properly. DNS isn't resolving when querying the primary even though
ipactl shows named is running. smb and winbind won't start and it appears
to be a problem with connecting to LDAP. Is there a way to check the
integrity of my LDAP database? Or should I try to copy the LDAP database
from my working replica to the primary?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry