IPA CA allow CSR SAN names in external domains
by Steve Dainard
Hello
I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be
able to add SAN's for a different dns domain than exists in the IPA realm.
The dns for 'otherdomain.com' is handled by active directory which my IPA
server has a cross-forest trust with.
ie:
host: client1.ipadomain.com
certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com,
servicename.otherdomain.com
When I try to submit this CSR with 'ipa-getcert request' the IPA server
denies with: "The service principal for subject alt name
servicename.otherdomain.com in certificate request does not exist"
It seems that the default CAACL enforces a profile named
'caIPAserviceCert', but I'm having some trouble determining what can be
modified (or cloned and changed in a new profile) that would allow the CA
to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the
SAN.
This is the only section in the profile that contains SAN:
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject
Alternative Name
Thanks,
Steve
2 years, 2 months
freeipa with sudo and 2FA (OTP)
by John Ratliff
I'm trying to setup freeipa with OTP. I created a TOTP under my user in
freeipa and updated my user to use 2FA (password + OTP).
When I try to do sudo, it only asks for my password and it fails every
time (presumably because it isn't getting the OTP first).
I didn't see anything useful in the sss_sudo logs, even after adding
debug_level = 6 in the config.
What can I do to further troubleshoot this?
Thanks.
2 years, 3 months
IPA broken after dnf update on CentOS 8
by Vinícius Ferrão
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago
Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details:
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more >
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'.
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is:
2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service> failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Thank you all.
2 years, 4 months
Problems after replacing SSL certificates
by Andreas Bulling
Dear all,
I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university.
I've followed the procedure described here (no errors):
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain:
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Also, ipa-certupdate on the respective clients shows
ipa-certupdate
trying https://X/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://X/ipa/json'
cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
The ipa-certupdate command failed.
Also, I can't login to the web UI anymore. I tried
ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab
on the freeipa server (followed by ipactl restart) but this didn't help.
Any idea/suggestions for how to get everything working again?
Thanks a lot!
2 years, 7 months
User in AD not found by IPA
by Marc Boorshtein
We added a new account to AD that has a domain trust with FreeIPA. This
one user is having an issue where IPA can't find him. The user is in the
same OU as other users that work fine. The user is unlocked
(userAccountControl is 512) and the userprincipalname is set. When I try
to add the user to an id view or an external group IPA gives me the error
"trusted domain object not found" . Not really sure where to look next to
figure out what's wrong. We see the user when we make LDAP calls to AD.
Thanks
Marc
2 years, 7 months
freeIPA Status Debian/Ubuntu
by Nico Maas
Hello there,
with the decline of CentOS I need to migrate away from CentOS 8 to something different.
I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"?
Best regards,
Nico
2 years, 8 months
Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here is it below, it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
2 years, 9 months
Changing directory manager password
by Ian Pilcher
Maybe it's just me, but I still find the documentation on this subject
confusing. (This is probably because the docs seem to be telling me
that I don't need to do anything beyond the actual password change, and
I don't trust answers that seem too easy.)
I running a single-node IPA 4.6.8 on RHEL 7. The actual password change
with ldapmodify[1] is simple enough. Am I reading the FreeIPA
documentation[2] correctly, that I don't need to perform any other
steps?
Thanks!
[1]
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpas...
[2] https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
--
========================================================================
Ian Pilcher Sr. Principal Product Manager
+1 469 892-8704 Red Hat Cloud Platforms
========================================================================
2 years, 9 months
Network I/O error when trying to resolve AD users
by Ronald Wimmer
Today I set up an IPA test web application in our IPA test environment.
I figured out that my AD user was resolved but the user of my colleague
was not. (getent passwd userA/userB)
I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
started SSSD again. After that I could not resolve any AD user. The sssd
logs showed an Network I/O error:
==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: Operations error(1), Failed to
handle the request.
.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation failed, server logs might contain more
details.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done]
(0x0040): s2n exop request failed.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]]
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
[1432158230]: Network I/O Error.
==> /var/log/sssd/sssd_nss.log <==
(2021-06-30 11:46:14): [nss] [cache_req_common_process_dp_reply]
(0x0040): CR #197: Data Provider Error: 3, 1432158230, Network I/O Error
(2021-06-30 11:46:14): [nss] [cache_req_common_process_dp_reply]
(0x0400): CR #197: Due to an error we will return cached data
(2021-06-30 11:46:14): [nss] [cache_req_search_cache] (0x0400): CR #197:
Looking up [aduser271(a)ORG.MYDOMAIN.AT] in cache
(2021-06-30 11:46:14): [nss] [cache_req_search_cache] (0x0400): CR #197:
Object [aduser271(a)ORG.MYDOMAIN.AT] was not found in cache
(2021-06-30 11:46:14): [nss] [cache_req_process_result] (0x0400): CR
#197: Finished: Not found
(2021-06-30 11:46:14): [nss] [client_recv] (0x0200): Client disconnected!
What the hell is going on here? Any hints would be highly appreciated!
Cheers,
Ronald
2 years, 10 months
Compatibility Plugin .update file for Active Directory
by Joseph Fry
My goal is to use the compatibility plugin to display IPA hosts in a format that an Active Directory centric tool can consume. Essentially my solution creates two containers under cn=compat called cn=adComputers and cn=adComputerGroups. An entry is added to adComputers for every ipaHost, and attributes populated that match active directory ldap attributes for a 'computer' object. We do the same for each IPA hostgroup.
I have come pretty close to getting this working, but now I need to get the groups populated with the group members, but not the IPA hosts... instead I need the members to be the corresponding cn=adComputers entries that were created.
So I need to manipulate the members attribute. For example the member attribute of one of the hostgroups in ipa is:
fqdn=test.lab.local,cn=computers,cn=accounts,dc=lab,dc=local
I need to change it to:
cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local
Below is my .update file. I want to add a line at the end like:
add:schema-compat-entry-attribute: member=%{member}
But want to rewrite the %{member} value as described above. I know I can do some logic here, as evidenced by https://pagure.io/freeipa/blob/master/f/install/updates/80-schema_compat.... where they use %ifeq and %%%deref_f. But I cannot find any documentation explaining what options are available. Essentially I am hoping there is some sort of regex manipulation capability here?
My .update file so far:
dn: cn=adComputers, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputers
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputers
add:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
add:schema-compat-entry-rdn: cn=%first("%{fqdn}")
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=computer
add:schema-compat-entry-attribute: cn=%{fqdn}
add:schema-compat-entry-attribute: sAMAccountType=805306369
add:schema-compat-entry-attribute: dNSHostName=%{fqdn}
add:schema-compat-entry-attribute: operatingSystem=%{nsHardwarePlatform}
add:schema-compat-entry-attribute: operatingSystemVersion=%{nsOsVersion}
add:schema-compat-entry-attribute: name=%{serverHostName}
add:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
add:schema-compat-entry-attribute: location=%{nsHostLocation}
dn: cn=adComputerGroups, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputerGroups
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputerGroups
add:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-check-access: yes
add:schema-compat-entry-attribute: objectclass=group
add:schema-compat-entry-attribute: cn=%{cn}
add:schema-compat-entry-attribute: groupType=-2147483646
add:schema-compat-entry-attribute: sAMAccountType=268435456
add:schema-compat-entry-attribute: name=%{cn}
add:schema-compat-entry-attribute: sAMAccountName=$$%{cn}
2 years, 10 months