ACME under Centos Stream 8 - Bad cert profile
by Antoine Gatineau
Hello,
So I'm trying out the new acme feature in freeipa version 4.9.0-1.module_el8.4.0+639+a88aab78 from CentOS Stream 8.
My setup is a rebuild from replica (fresh install on centos stream as a replica of a centos 8 non-stream existing replica).
I enabled acme using "sudo ipa-acme-manage enable"
From an ipa-client, I can successfully perform a certbot register. But certbot certonly --standalone etc. fails with the error:
2021-03-21 09:54:07,083:DEBUG:acme.client:Received response:
HTTP 500
Date: Sun, 21 Mar 2021 08:54:05 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g mod_auth_gssapi/1.6.1 mod_wsgi/4.6.4 Python/3.6
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 6750
Connection: close
HTTP Status 500 – Internal Server Error
Type: Exception Report
Message: com.netscape.certsrv.base.BadRequestException: Unable to get enrollment template for acmeIPAServerCert: Profile not found
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception:
org.jboss.resteasy.spi.UnhandledException: com.netscape.certsrv.base.BadRequestException: Unable to get enrollment template for acmeIPAServerCert: Profile not found
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
Root Cause:
com.netscape.certsrv.base.BadRequestException: Unable to get enrollment template for acmeIPAServerCert: Profile not found
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
com.netscape.certsrv.client.PKIClient.handleErrorResponse(PKIClient.java:135)
com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:143)
com.netscape.certsrv.ca.CACertClient.getEnrollmentTemplate(CACertClient.java:167)
org.dogtagpki.acme.issuer.PKIIssuer.issueCertificate(PKIIssuer.java:148)
org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:91)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
Note: The full stack trace of the root cause is available in the server logs.
Apache Tomcat/9.0.30
2021-03-21 09:54:07,084:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 369, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 301, in obtain_certificate_from_csr
orderr = self.acme.finalize_order(orderr, deadline)
File "/usr/lib/python3/dist-packages/acme/client.py", line 927, in finalize_order
return self.client.finalize_order(orderr, deadline)
File "/usr/lib/python3/dist-packages/acme/client.py", line 754, in finalize_order
self._post(orderr.body.finalize, wrapped_csr)
File "/usr/lib/python3/dist-packages/acme/client.py", line 96, in _post
return self.net.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1204, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1218, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1079, in _check_response
raise errors.ClientError(response)
acme.errors.ClientError: <Response [500]>
2021-03-21 09:54:07,084:ERROR:certbot.log:An unexpected error occurred:
From what I gathered, pki-server should use the profile defined in FreeIPA, right?
$ sudo ls -l /usr/share/ipa/profiles/acmeIPAServerCert.cfg
-rw-r--r--. 1 root root 6707 Dec 23 15:38 /usr/share/ipa/profiles/acmeIPAServerCert.cfg
What's the best way to fix the configuration?
Is it best to open a bug for this? I know CentOS Stream is not yet up to date, so maybe it's already fixed.
Thanks
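Added example, not from the post above and not FreeIPA's own code: a small diagnostic in Python for this symptom. The stack trace places the failure inside Dogtag (CACertClient.getEnrollmentTemplate), i.e. the CA has no profile called acmeIPAServerCert even though the template file is on disk. The script checks the IPA side with `ipa certprofile-find` and the CA side with `ipa certprofile-show --out`, which fetches the profile configuration from the CA and therefore fails exactly when Dogtag lacks it; with `--fix` it imports the shipped template when neither side has the profile. Assumptions: an admin Kerberos ticket on the IPA server, and that importing the shipped template is the right repair (ipa-server-install and ipa-server-upgrade are what normally register this profile, so a profile missing after a replica rebuild is still worth reporting, as the poster suggests). The `--desc` text, the status names and the sample `certprofile-find` output are constructed for the example.

```python
import re
import subprocess
import sys

PROFILE = "acmeIPAServerCert"                                    # profile ipa-acme-manage relies on
PROFILE_FILE = "/usr/share/ipa/profiles/acmeIPAServerCert.cfg"  # shipped template, as listed in the post

# Constructed sample of `ipa certprofile-find` output (not captured from the poster's server).
SAMPLE_FIND_OUTPUT = """\
------------------
2 profiles matched
------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

  Profile ID: IECUserRoles
  Profile description: User profile that includes IECUserRoles extension from request
  Store issued certificates: TRUE
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_certprofile_find(output):
    """Profile IDs from `ipa certprofile-find` output. The default output uses
    'Profile ID: <name>' lines; with --raw the same field is printed as 'cn: <name>'."""
    ids = set()
    for line in output.splitlines():
        m = re.match(r"\s*(?:Profile ID|cn):\s*(\S+)\s*$", line)
        if m:
            ids.add(m.group(1))
    return ids


def classify(in_ldap, in_ca):
    """Combine the LDAP-side and CA-side checks into one status string (names are ours)."""
    if in_ldap and in_ca:
        return "ok"
    if in_ldap:
        return "ldap-only"   # IPA knows the profile, Dogtag does not: the symptom in the post
    if in_ca:
        return "ca-only"     # Dogtag has it but IPA has no certprofile entry for it
    return "missing"


def ipa(*args):
    """Run an ipa CLI command; returns (exit status, stdout). Needs a valid admin ticket."""
    res = subprocess.run(["ipa", *args], capture_output=True, text=True)
    return res.returncode, res.stdout


def diagnose(name=PROFILE):
    rc, out = ipa("certprofile-find", "--sizelimit=0")
    if rc != 0:
        raise RuntimeError("ipa certprofile-find failed; kinit as admin first")
    in_ldap = name in parse_certprofile_find(out)
    # --out pulls the profile configuration from the CA itself, so this fails
    # precisely when Dogtag has no such profile, whatever the LDAP entry says.
    rc, _ = ipa("certprofile-show", name, "--out=/dev/null")
    return classify(in_ldap, rc == 0)


def repair(name=PROFILE, path=PROFILE_FILE):
    """Import the shipped template only when neither IPA nor the CA has the profile."""
    status = diagnose(name)
    if status == "missing":
        rc, _ = ipa("certprofile-import", name, f"--file={path}", "--store=TRUE",
                    "--desc=ACME profile for IPA-managed service certificates")
        return "imported" if rc == 0 else "import-failed"
    return status


if __name__ == "__main__":
    print(repair() if "--fix" in sys.argv else diagnose())
```

Run it without arguments first; an "ldap-only" result matches the exception in the post and is the case to raise with the FreeIPA maintainers, since re-importing will be refused while the LDAP entry still exists.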
Require OTP for ipa commands
by David Harvey
Hello again list,
Is it possible to differentiate between a Kerberos ticket that was granted
with OTP and one that was not (for the purpose of requiring it for `ipa
some-privileged command`)?
Aim: protect servers with OTP but not always require it for workstations,
while still requiring OTP for the privileges that ipa commands
afford powerful users from their workstation.
Other potential avenues (full admission: less research performed) I'd be
interested in would be periodic requirements for OTP, but not for, say,
screen unlock events.
Thanks as always,
David
FreeIPA Plugins not found
by Carlos Queen
Hello everyone,
I want to change my email format. I searched around and found an instruction that uses a piece of Python code in /usr/lib/python2.7/site-packages/ipalib/plugins/; the problem is that my IPA server version is 4.6.8 (API 2.237) and it does not have the plugins directory.
My question is: is it not possible to add plugins in this version? Is there any other way to customize anything in FreeIPA?
I hope you guys help me, thanks in advance.
IPA/AD cross-realm without a trust
by Julien Rische
Hello everyone,
We are currently trying to establish a simple cross-realm between an IPA and an
AD domain (not a trust). This is due to the specific setup we have: we already
have an external source of users and groups information exporting to both
domains, hence we don't really have a need for the features the trust provides.
Clients can just lookup any user/group information from their own domain's
identity manager.
The only thing we would need is for AD users to be able to access IPA-managed
services. But since clients usually only have one available credential cache at
a time, we need at least a one-way Kerberos-level cross-realm.
Apparently, we are not the first ones facing the issue described
hereafter[1][2], but I couldn't find any trace of a successful outcome.
This is our setup:
- IPA
- Version: 4.8.7
- Realm: IPA.EXAMPLE.COM
- DNS domain: ipa.example.com
- Server: server01.ipa.example.com
- AD
- Functional level: Windows Server 2008 R2
- Realm: AD.EXAMPLE.COM
- DNS domain: ad.example.com
- Domain controller: dc01.ad.example.com
The configuration of the cross-realm was done this way (same password on both
domains):
On dc01.ad.example.com AD domain controller:
===
ksetup /addkdc IPA.EXAMPLE.COM server01.ipa.example.com
netdom trust IPA.EXAMPLE.COM /domain:ad.example.com /add /realm /passwordt:XXXXX
ksetup /SetEncTypeAttr IPA.EXAMPLE.COM AES256-CTS-HMAC-SHA1-96
===
On server01.ipa.example.com IPA server (the "ipa-setup-override-restrictions" argument seems to be mandatory[3]):
===
kadmin.local -x ipa-setup-override-restrictions
kadmin.local: add_principal -requires_preauth -e 'aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96' -pw XXXXX krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
===
The cross-realm TGT is visible in LDAP:
===
$ ldapsearch -LLL -o ldif-wrap=no -QY GSSAPI -H ldaps://server01.ipa.example.com krbCanonicalName=krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
dn: krbPrincipalName=krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
krbPrincipalName: krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
krbCanonicalName: krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
krbLastPwdChange: 20210318113328Z
krbTicketFlags: 128
krbExtraData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==
krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com
===
We configured an AD test client:
===
[libdefaults]
default_realm = AD.EXAMPLE.COM
ticket_lifetime = 25h
renew_lifetime = 120h
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
.ad.example.com = AD.EXAMPLE.COM
[realms]
IPA.EXAMPLE.COM = {
admin_server = server01.ipa.example.com
kpasswd_server = server01.ipa.example.com
kdc = server01.ipa.example.com
}
AD.EXAMPLE.COM = {
kpasswd_server = dc01.ad.example.com
admin_server = dc01.ad.example.com
kdc = dc01.ad.example.com
}
[capaths]
AD.EXAMPLE.COM = {
IPA.EXAMPLE.COM = .
}
IPA.EXAMPLE.COM = {
AD.EXAMPLE.COM = .
}
===
We authenticate as an AD user and request an IPA service ticket:
===
$ kinit me@AD.EXAMPLE.COM
$ KRB5_TRACE=/dev/stderr kvno HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM
: Getting credentials me@AD.EXAMPLE.COM -> HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM using ccache FILE:/tmp/krb5cc_0_8LQSGjNfp4
: Retrieving me@AD.EXAMPLE.COM -> HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM from FILE:/tmp/krb5cc_0_8LQSGjNfp4 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0_8LQSGjNfp4)
: Retrieving me@AD.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM from FILE:/tmp/krb5cc_0_8LQSGjNfp4 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0_8LQSGjNfp4)
: Retrieving me@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM from FILE:/tmp/krb5cc_0_8LQSGjNfp4 with result: 0/Success
: Starting with TGT for client realm: me@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
: Retrieving me@AD.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM from FILE:/tmp/krb5cc_0_8LQSGjNfp4 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0_8LQSGjNfp4)
: Requesting TGT krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
: Generated subkey for TGS request: aes256-cts/053B
: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
: Encoding request body and padata into FAST request
: Sending request (1747 bytes) to AD.EXAMPLE.COM
: Resolving hostname dc01.ad.example.com
: Initiating TCP connection to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Initiating TCP connection to stream XXX.XXX.XX.XXX:88
: Sending TCP request to stream XXX.XXX.XX.XXX:88
: Received answer (1660 bytes) from stream XXX.XXX.XX.XXX:88
: Terminating TCP connection to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Terminating TCP connection to stream XXX.XXX.XX.XXX:88
: Response was not from master KDC
: Decoding FAST response
: FAST reply key: aes256-cts/B731
: TGS reply is for me@AD.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM with session key aes256-cts/A6B0
: TGS request result: 0/Success
: Storing me@AD.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM in FILE:/tmp/krb5cc_0_8LQSGjNfp4
: Received TGT for service realm: krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
: Requesting tickets for HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM, referrals on
: Generated subkey for TGS request: aes256-cts/6AFE
: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
: Encoding request body and padata into FAST request
: Sending request (1754 bytes) to IPA.EXAMPLE.COM
: Resolving hostname server01.ipa.example.com
: Initiating TCP connection to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Sending TCP request to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Received answer (479 bytes) from stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Terminating TCP connection to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Response was not from master KDC
: Decoding FAST response
: TGS request result: -1765328324/KDC returned error string: HANDLE_AUTHDATA
: Requesting tickets for HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM, referrals off
: Generated subkey for TGS request: aes256-cts/EB57
: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
: Encoding request body and padata into FAST request
: Sending request (1754 bytes) to IPA.EXAMPLE.COM
: Resolving hostname server01.ipa.example.com
: Initiating TCP connection to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Sending TCP request to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Received answer (479 bytes) from stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Terminating TCP connection to stream XXXX:XXXX:XXX:XX::XXX:XXX:88
: Response was not from master KDC
: Decoding FAST response
: TGS request result: -1765328324/KDC returned error string: HANDLE_AUTHDATA
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM
$ klist -def
Ticket cache: FILE:/tmp/krb5cc_0_8LQSGjNfp4
Default principal: me@AD.EXAMPLE.COM
Valid starting Expires Service principal
03/18/2021 15:38:40 03/19/2021 01:38:40 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
renew until 03/23/2021 15:38:32, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 , AD types:
03/18/2021 15:38:49 03/19/2021 01:38:40 krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 , AD types:
===
This is what the error looks like on the IPA KDC side:
===
TGS_REQ : handle_authdata (22)
TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) XXXX:XXXX:XXX:XX::XXX:XXX: HANDLE_AUTHDATA: authtime 1616078320, etypes {rep=UNSUPPORTED:(0)} me@AD.EXAMPLE.COM for HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM, Invalid argument
closing down fd 12
TGS_REQ : handle_authdata (22)
TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) XXXX:XXXX:XXX:XX::XXX:XXX: HANDLE_AUTHDATA: authtime 1616078320, etypes {rep=UNSUPPORTED:(0)} me@AD.EXAMPLE.COM for HTTP/server01.ipa.example.com@IPA.EXAMPLE.COM, Invalid argument
closing down fd 12
===
Do you think a vanilla cross-realm between IPA and AD is possible? If yes, does
someone have an idea why the handle_authdata function[4] is failing? Are we
missing something in the configuration?
Kind regards,
Julien Rische
CERN
[1] http://kerberos.996246.n3.nabble.com/HANDLE-AUTHDATA-error-when-trying-to...
[2] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1035494
[4] https://github.com/krb5/krb5/blob/krb5-1.18.2-final/src/kdc/kdc_authdata....
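Added example, not part of the post above: a Python parser for krb5.conf syntax plus a check of the client-side prerequisites for the one-way path AD.EXAMPLE.COM -> IPA.EXAMPLE.COM (a [domain_realm] mapping for the service host, a reachable KDC for the target realm, and a direct "." entry under [capaths]). The sample configuration is a constructed copy of the client krb5.conf shown above. The check only sees what a client can see; the HANDLE_AUTHDATA error in the trace is raised by the IPA KDC after the cross-realm TGT was already obtained, so a clean result here rules out the client configuration and points at the KDC side (the cross-realm krbtgt principals and the IPA KDB driver's handling of the incoming ticket's authorization data). Function and status names are the example's own.

```python
import re

# Constructed sample, modelled on the AD-side client configuration in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
.ad.example.com = AD.EXAMPLE.COM
[realms]
IPA.EXAMPLE.COM = {
  kdc = server01.ipa.example.com
  admin_server = server01.ipa.example.com
}
AD.EXAMPLE.COM = {
  kdc = dc01.ad.example.com
}
[capaths]
AD.EXAMPLE.COM = {
  IPA.EXAMPLE.COM = .
}
IPA.EXAMPLE.COM = {
  AD.EXAMPLE.COM = .
}
"""


def parse_krb5_conf(text):
    """Parse krb5.conf syntax into {section: {key: value | {subkey: ...}}}.
    'key = {' opens a nested dict closed by '}'; '#' and ';' start comments."""
    sections = {}
    stack = []                       # dicts currently open, innermost last
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"entry before any [section]: {raw!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return sections


def realm_for_host(conf, host):
    """Apply [domain_realm]: exact host entry first, then the longest '.suffix' match."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    for suffix in sorted(mapping, key=len, reverse=True):
        if suffix.startswith(".") and host.endswith(suffix):
            return mapping[suffix]
    return None


def check_cross_realm(conf, client_realm, service_host):
    """Findings for the one-way path client_realm -> realm of service_host; [] = consistent."""
    target = realm_for_host(conf, service_host)
    if target is None:
        return [f"[domain_realm] does not map {service_host} to a realm; "
                f"the client would have to guess it from DNS"]
    findings = []
    dns_kdc = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    if "kdc" not in conf.get("realms", {}).get(target, {}) and dns_kdc not in ("true", "yes", "on", "1"):
        findings.append(f"no kdc for {target} under [realms] and dns_lookup_kdc is off")
    path = conf.get("capaths", {}).get(client_realm, {}).get(target)
    if path is None:
        findings.append(f"no [capaths] entry {client_realm} -> {target}; libkrb5 falls back to the "
                        f"hierarchical path through the common parent realm")
    elif path != ".":
        findings.append(f"{client_realm} -> {target} goes via {path}; every hop needs its own "
                        f"cross-realm krbtgt registered on both KDCs")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(check_cross_realm(conf, "AD.EXAMPLE.COM", "server01.ipa.example.com") or "client config consistent")
```

For the configuration in the post the check returns no findings, which is consistent with the trace: the client obtained krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM without trouble and only the IPA KDC rejected the next step.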
FreeIPA Enterprise or Paid Support
by Rohan Talkar
HI,
I am new to FreeIPA and planning to implement it in my organization.
I am not sure whether FreeIPA has Enterprise or paid support.
Please let me know if anyone has an idea about this.
Regards,
Ron
Multi-Master addition to existing cluster
by Mark Potter
I have a working FreeIPA cluster and need to start deploying for other
geolocations. I deployed with freeipa-ansible. While I can find docs on
multi-master setups I am struggling to find the initial setup bits.
Would it be best to deploy a new cluster without any knowledge of the
existing cluster and setup replication post-install or is it possible to
just add the hosts as `ipaserver` and `ipareplicas` to the inventory and
rerun the playbook?
I am looking for the best way to set this up without risk to the current
environment. I apologize if I've missed something relatively simple in the
docs.
--
*Mark Potter*
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
markp(a)dug.com
www.dug.com
reduce "normal user" permission
by Scott Serr
Two parts to this question:
Is there a way to disable a normal user's ability to modify their
attributes like their name?
And along those lines, is there a convenient way to reduce what a normal
user sees of other users (via web and cli)?
I'm using version 4.8.
Thank you!
Another 2FA question Debian and Ubuntu
by David Harvey
Hi list,
I've been attempting to get optional 2FA working for my Debian derivatives
so I can run per-host OTP nicely for the more sensitive boxes.
So far:
A user with only "password and otp" allowed can log in as expected
with the password and OTP concatenated.
A user with both "password" and "password and otp" allowed cannot use the
concatenated practice. Working as expected, I think, so far from my
readings...
I've then been trying to follow the advice on this thread :
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
So that the pre-auth check can be made (the most relevant bit is the
example PAM script I've been shamelessly trying to force into action).
Applying their advice gets me as far as throwing up the correct prompt
for 2FA users vs password-only users, but on trying to auth either with or
without the OTP supplied I can't get in. I see the following errors in the
auth log:
Mar 15 17:36:38 focal-test login[5183]: PAM (login) no control flag supplied
Mar 15 17:36:38 focal-test login[5183]: PAM (login) no module name supplied
Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
Mar 15 17:36:38 focal-test login[5183]: PAM unable to dlopen(sha512): /lib/security/sha512: cannot open shared object file: No such file or directory
Mar 15 17:36:38 focal-test login[5183]: PAM adding faulty module: sha512
Mar 15 17:36:38 focal-test login[5183]: PAM (other) no control flag supplied
Mar 15 17:36:38 focal-test login[5183]: PAM (other) no module name supplied
Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
Mar 15 17:36:47 focal-test login[5183]: pam_sss(login:auth): authentication success; logname=david uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=david
Mar 15 17:36:49 focal-test login[5183]: FAILED LOGIN (1) on '/dev/pts/0' FOR 'david', Permission denied
I've been trying across a spread of Ubuntu and Debian versions to try and
ensure I've entertained sufficiently new sssd and libkrb5 versions but am
pretty stumped. Most confusing are the sha512 errors, when it's also included
in the default unix pam config.
Feel free to tell me to f@£$ off to the sssd lists!
David
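Added example, not from the thread and not part of sssd or Linux-PAM: the messages in the log above are what libpam emits while parsing a pam.d statement that has no control flag or module name, or whose bracketed control contains a token that is not of the form ret=action ("expecting return value"), and "unable to dlopen(sha512)" means a bare sha512 token was read as a module name, which is exactly what a long `[success=... default=ignore] pam_unix.so ... sha512` line looks like once a mail client or editor has wrapped it. This Python linter applies libpam's statement grammar (type, control, module, args; bracket controls as ret=action pairs; `-type` and `@include` forms) to a pam.d file and flags those cases. The sample lines are constructed to show a wrapped statement, not the poster's real files.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}
# Return-value names accepted inside [ ... ] controls: the PAM_* status codes, lower-cased.
RETURN_VALUES = {
    "success", "open_err", "symbol_err", "service_err", "system_err", "buf_err",
    "perm_denied", "auth_err", "cred_insufficient", "authinfo_unavail", "user_unknown",
    "maxtries", "new_authtok_reqd", "acct_expired", "session_err", "cred_unavail",
    "cred_expired", "cred_err", "no_module_data", "conv_err", "authtok_err",
    "authtok_recover_err", "authtok_lock_busy", "authtok_disable_aging", "try_again",
    "ignore", "abort", "authtok_expired", "module_unknown", "bad_item", "conv_again",
    "incomplete", "default",
}

# Constructed samples (not the poster's files). The second shows a bracketed
# statement after it was wrapped onto three lines.
GOOD_COMMON_AUTH = [
    "# /etc/pam.d/common-auth",
    "auth    [success=2 default=ignore]      pam_unix.so nullok_secure",
    "auth    [success=1 default=ignore]      pam_sss.so use_first_pass",
    "auth    requisite                       pam_deny.so",
    "auth    required                        pam_permit.so",
    "@include common-auth-extra",
]
WRAPPED_COMMON_AUTH = [
    "auth    [success=done new_authtok_reqd=done default=ignore] pam_sss.so forward_pass",
    "auth    [success=1 default=ignore",
    "pam_unix.so nullok_secure try_first_pass]",
    "sha512",
]


def lint_pam_lines(lines):
    """Return [(line_no, message)] for statements libpam would reject or misread."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):   # Debian-style file include
            continue
        if line.startswith("-"):                      # '-type': skip quietly if the module is absent
            line = line[1:]
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)(?:\s+(\S+)(.*))?$", line)
        if not m:
            findings.append((n, "fewer than two fields: not '<type> <control> <module> [args]'"))
            continue
        ptype, control, module, _args = m.groups()
        if ptype not in PAM_TYPES:
            findings.append((n, f"unknown type {ptype!r}; line probably continues a wrapped statement"))
        if control.startswith("["):
            if not control.endswith("]"):
                findings.append((n, "bracket control never closed on this line"))
            for tok in control.strip("[]").split():
                ret, sep, act = tok.partition("=")
                if not sep:
                    findings.append((n, f"{tok!r} inside [...] is not ret=action (libpam: 'expecting return value')"))
                    continue
                if ret not in RETURN_VALUES:
                    findings.append((n, f"unknown return value {ret!r} in control"))
                if act not in ACTIONS and not act.isdigit():
                    findings.append((n, f"unknown action {act!r} in control"))
        elif control not in SIMPLE_CONTROLS:
            findings.append((n, f"unknown control {control!r}"))
        if module is None:
            findings.append((n, "no module name supplied"))
        elif control not in ("include", "substack") and not module.endswith(".so"):
            findings.append((n, f"{module!r} is not a module (.so); libpam would try to dlopen it"))
    return findings


if __name__ == "__main__":
    for n, msg in lint_pam_lines(WRAPPED_COMMON_AUTH):
        print(f"line {n}: {msg}")
```

Point it at the file the example script was pasted into (on Debian usually /etc/pam.d/common-auth or the service file that includes it); a statement reported as "bracket control never closed" followed by lines with an unknown type is the wrapped-line case.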
SRV entries remain after removing replica
by Kees Bakker
Hi,
After removing one of the replicas the SRV records in DNS remained. I'm talking
about _kpasswd._udp _kerberos._udp _kerberos._tcp _kerberos-master._udp etc
Two questions.
1. Is this a known problem?
2. Is there a (simple?) command to remove these SRV entries?
I can remove them manually, so it's not a big deal.
--
Kees
integrated Samba to respond under different FQDN - how?
by lejeczek
Hi guys.
I'd like to ask whether Samba should be able to respond
under/via a FQDN different from IPA's default.
I use word "should" deliberately as I have Samba do that, with:
- ipa-server-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
- samba-4.13.4-1.el8.x86_64
Eg. IPA is: "priv.my.dom.private" and its DNS manages
"us.private" and Samba is completely fine serving Win10
non-enrolled clients under "us.private".
I did not do any "extra" tweaking, certainly I do not
recall, only usual DNS bits.
Now I'm hoping to have the same with:
- ipa-server-4.9.0-1.module_el8.4.0+639+a88aab78.x86_64
- samba-4.13.4-1.el8.x86_64
but having, I believe virtually the same setup, Samba is not
happy.
Before I paste any logs, etc., I guess the question for an
expert, if one happens to read this, is: should it work in 4.9
as well, or was that functionality "taken away" in 4.9?
many thanks, L