subuids and subgids client side configuration
by Rob Verduijn
Hello,
Is there any additional configuration required to use the subordinate ids on a Fedora client after assigning a subuid/subgid range to an account in the FreeIPA server?
Now, after trying to create a new rootless container image as an ordinary user, it complains that there are potentially not enough uids or gids available in the user namespace, and to check /etc/subuid and /etc/subgid.
Rob
2 years
expired Server-cert
by Serge Krawczenko
Greetings, all
I've been observing multiple issues for some time, unable to enroll new clients etc.
Finally found out that the possible root cause is the expired Server-Cert cert-pki-ca certificate, and therefore the pki-tomcat service won't start.
Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/:
Request ID '20171204131518':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=....
subject: CN=....
expires: 2022-04-25 17:06:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
Other certs in /etc/pki/pki-tomcat/alias/ seem to be OK, except this one.
I'd like to understand how to perform the forced update for this one; I assume it should be renewed automatically, though.
I tried to invoke the post-save command manually, but no luck.
Appreciate any ideas.
2 years
How to add NOPASSWD for ALL commands (no prompt for password)
by Damola Azeez
I'm trying to create a user to use for my automation. I don't want to have the users created manually on each host, as that's time-consuming. Is there a way I can use IPA to handle this requirement, such that the user I create has sudo rights and runs sudo commands without being asked for a password?
2 years
c9s - package conflicts with updates
by lejeczek
Hi
Just to let you @devel guys know, in case this might affect & break IPA as in the (recent) past.
...
Problem 1: package pki-java-11.2.0-0.2.beta1.el9.noarch
requires pki-base = 11.2.0-0.2.beta1.el9, but none of the
providers can be installed
- package idm-pki-base-11.2.0-0.4.beta3.el9.noarch
obsoletes pki-base < 11.2.0-0.4.beta3.el9 provided by
pki-base-11.2.0-0.2.beta1.el9.noarch
- cannot install the best update candidate for package
pki-java-11.2.0-0.2.beta1.el9.noarch
- cannot install the best update candidate for package
pki-base-11.2.0-0.2.beta1.el9.noarch
Problem 2: problem with installed package
pki-java-11.2.0-0.2.beta1.el9.noarch
- package pki-java-11.2.0-0.2.beta1.el9.noarch requires
pki-base = 11.2.0-0.2.beta1.el9, but none of the providers
can be installed
- package pki-base-11.2.0-0.2.beta1.el9.noarch requires
python3-pki = 11.2.0-0.2.beta1.el9, but none of the
providers can be installed
- package python3-idm-pki-11.2.0-0.4.beta3.el9.noarch
obsoletes python3-pki < 11.2.0-0.4.beta3.el9 provided by
python3-pki-11.2.0-0.2.beta1.el9.noarch
- cannot install the best update candidate for package
python3-pki-11.2.0-0.2.beta1.el9.noarch
...
thanks, L
2 years
CA not configured on second replica but it is configured
by Pavlo Pocheptsov
Hi list.
The ipa2 node was promoted to CA with ipa-ca-install, and it shows all is good on its side:
[root@ipa2 ~]# ipa-replica-manage list
ipa3: master
ipa2: master
[root@ipa2 ~]# ipa-csreplica-manage list
ipa3: master
ipa2: *master*
[root@ipa2 ~]# ipa config-show |grep CA
Certificate Subject base: O=removed
IPA CA servers: *ipa2, ipa3*
IPA CA renewal master: ipa3
[root@ipa2 ~]# ipa server-role-find | grep -A1 -B1 CA
Server name: ipa2
Role name: CA server
Role status: *enabled*
--
Server name: ipa3
Role name: CA server
Role status: *enabled*
[root@ipa2 ~]# ipa-replica-manage list-ruv
Replica Update Vectors:
ipa2:389: 11
ipa3:389: 9
Certificate Server Replica Update Vectors:
ipa2:389: 12
ipa3:389: 10
But the ipa3 node doesn't see ipa2 as a CA master:
[root@ipa3 ~]# ipa-replica-manage list
ipa3: master
ipa2: master
[root@ipa3 ~]# ipa-csreplica-manage list
ipa3: master
ipa2: *CA not configured*
[root@ipa3 ~]# ipa config-show |grep CA
Certificate Subject base: O=removed
IPA CA servers: *ipa3* <----- no ipa2 here
IPA CA renewal master: ipa3
[root@ipa3 ~]# ipa server-role-find | grep -B1 -A1 CA
Server name: ipa2
Role name: CA server
Role status: *absent*
--
Server name: ipa3
Role name: CA server
Role status: enabled
[root@ipa3 ~]# ipa-replica-manage list-ruv
Replica Update Vectors:
ipa3:389: 9
ipa2:389: 11
Certificate Server Replica Update Vectors:
ipa3:389: 10
ipa2:389: 12
CentOS 7.9
FreeIPA, version: 4.6.8
What is the real situation here? Is there CA replication between the replicas or not?
Is it possible to fix this and make the ipa2 CA role visible on ipa3?
Any extra information I can provide to fully understand the issue?
Pavel
2 years
Re: hostgroup automember rules
by Florence Blanc-Renaud
Hi,
On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello
>
> FreeIPA 4.6.8
>
> We are very happy with hostgroup automember rules based on the servername
> attribute; however, one of our internal customers uses a generic servername
> template for all of their servers regardless of its function.
>
> So I'm wondering what other attributes I might use for hostgroup
> automember - perhaps some of the attributes can be configured by
> ipa-client-install (the host's "description" field perhaps), although I
> don't see such a mention in the man page ... Presumably they could use a
> different enrollment user ("enrolledby") for each of their hostgroup
> functions (not ideal).
>
> There are various attribute fields in the WebUI but I don't find much
> documentation for them. What is the "|" field - perhaps I can exploit this
> somehow?
>
The automember group functionality is described in this chapter: Automating group membership using IdM CLI <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...>.
You can define a new hostgroup with an automember rule based on any
attribute defined in the schema. Just be aware that the conditions are
defined using Perl-compatible regular expressions (PCRE) format.
The 'l' attribute is an alias for 'locality' or 'localityname' and can
contain any string. For any attribute you can find its description in the
LDAP schema.
The host entries have multiple object classes. For instance, if you run
ipa host-show server.ipa.test --all --raw
you can see all its objectclasses:
objectClass: top
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: krbticketpolicyaux
objectClass: ipasshhost
objectClass: ipaSshGroupOfPubKeys
Each object class defines the mandatory/optional attributes that the entry can contain. For instance, in order to find the attributes for the *nshost* objectclass:
ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base objectclasses | grep -i nshost
objectclasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )
The *nshost* objectclass allows the presence of *serverhostname*, *description*, *l*, etc.
Now to find what *description* can contain:
ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base attributetypes | grep -i description
attributetypes: ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 4519' )
The SYNTAX part defines the type of data (the RFC 4517
<https://datatracker.ietf.org/doc/html/rfc4517#section-3.3.6> defines
1.3.6.1.4.1.1466.115.121.1.15 as a DirectoryString).
With this knowledge, you can pick an attribute where you want to store
information that can be used to group the hosts together, and create the
matching rule using this attribute.
If you are curious about LDAP schema in general, you can read the RFC 4519
<https://www.ietf.org/rfc/rfc4519.txt>.
HTH,
flo
> Any advice gladly received.
>
> Thanks a lot
> Angus
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
2 years
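As an added example (my code, not part of the reply above or of the FreeIPA project), the following Python parses the two schema definitions quoted in the reply into their NAME, MUST/MAY attribute lists and SYNTAX, checks that a chosen automember key is actually allowed by a host's objectclasses, and evaluates an automember rule's inclusive/exclusive regex conditions against a constructed host entry. The rule semantics (any exclusive match excludes, otherwise any inclusive match includes) are a simplified assumption modelled on the 389-ds Auto Membership plugin, and Python's re module stands in for the PCRE engine.

```python
import re
# Constructed sample input: the two schema definitions quoted in the reply, in the
# one-definition-per-line form that `ldapsearch -o ldif-wrap=no` prints.
NSHOST_OC = ("objectclasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' "
             "SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ "
             "nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )")
DESCRIPTION_AT = ("attributetypes: ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch "
                  "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
                  "X-ORIGIN 'RFC 4519' )")
# RFC 4517 section 3.3.6 names this syntax OID "Directory String".
SYNTAX_NAMES = {"1.3.6.1.4.1.1466.115.121.1.15": "Directory String"}


def _attr_list(text):
    """Turn 'cn' or '( a $ b $ c )' from a MUST/MAY clause into a list of names."""
    text = text.strip()
    if text.startswith("("):
        return [t.strip() for t in text[1:text.index(")")].split("$") if t.strip()]
    return [text]


def parse_objectclass(line):
    """Return the NAME, MUST and MAY attribute lists of an 'objectclasses:' line."""
    name = re.search(r"NAME\s+'([^']+)'", line).group(1)
    must = re.search(r"\bMUST\s+(\([^)]*\)|\S+)", line)
    may = re.search(r"\bMAY\s+(\([^)]*\)|\S+)", line)
    return {"name": name,
            "must": _attr_list(must.group(1)) if must else [],
            "may": _attr_list(may.group(1)) if may else []}


def parse_attributetype(line):
    """Return the NAME and SYNTAX (OID plus its RFC 4517 name) of an 'attributetypes:' line."""
    name = re.search(r"NAME\s+'([^']+)'", line).group(1)
    oid = re.search(r"SYNTAX\s+([\d.]+)", line).group(1)
    return {"name": name, "syntax": oid, "syntax_name": SYNTAX_NAMES.get(oid, "unknown")}


def attribute_allowed(objectclasses, attr):
    """True if any parsed objectclass lists attr (case-insensitive) in MUST or MAY."""
    return any(attr.lower() in [a.lower() for a in oc["must"] + oc["may"]]
               for oc in objectclasses)


def automember_matches(host, key, inclusive, exclusive=()):
    """Simplified automember evaluation (an assumption modelled on 389-ds): any exclusive
    regex match excludes the host, otherwise any inclusive match includes it. Python's re
    stands in for the PCRE engine 389-ds uses, so keep patterns to the shared syntax."""
    values = host.get(key, [])
    if any(re.search(p, v) for p in exclusive for v in values):
        return False
    return any(re.search(p, v) for p in inclusive for v in values)
```

Feed it the real output of the two ldapsearch commands above to see which attributes your host objectclasses permit before creating a rule with ipa automember-add-condition.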
hostgroup automember rules
by Angus Clarke
Hello
FreeIPA 4.6.8
We are very happy with hostgroup automember rules based on the servername attribute; however, one of our internal customers uses a generic servername template for all of their servers regardless of its function.
So I'm wondering what other attributes I might use for hostgroup automember - perhaps some of the attributes can be configured by ipa-client-install (the host's "description" field perhaps), although I don't see such a mention in the man page ... Presumably they could use a different enrollment user ("enrolledby") for each of their hostgroup functions (not ideal).
There are various attribute fields in the WebUI but I don't find much documentation for them. What is the "|" field - perhaps I can exploit this somehow?
Any advice gladly received.
Thanks a lot
Angus
2 years
FreeIPA and DHCP @home
by Ronald Wimmer
I am aware of the fact that there is no actual need for neatly integrating DHCP into FreeIPA, at least in enterprise environments.
As my home network has grown over the years, I am thinking about using FreeIPA at home as well. Wouldn't it be sufficient to let a DHCP server make dynamic updates to the DNS zone managed by FreeIPA's bind server to make it work? I know a real integration would require much more. But would it be sufficient for a home setup?
Cheers,
Ronald
2 years
Unable to Login using LDAP User
by Damola Azeez
I've installed FreeIPA on all hosts I manage and everything has been fine until today, when I had to reboot all the hosts. Every other host worked except one. Checking the log file of the server, I saw the error below:
"[sssd[ldap_child[44316]]]: Client 'host/xxx@XXX' not found in Kerberos database"
I've tried uninstalling the IPA client and reinstalling it, but I still have the same issue.
Host: Oracle Linux 6.9
IPA server: IPA, version: 4.9.6
2 years
RHEL 8.6 and sub ids
by Omar Aloraini
From what I read, with the release of RHEL 8.6, I can use Podman with sub ids managed by FreeIPA.
I managed to generate sub uids and gids for all users. But I'm unable to launch containers in rootless mode due to insufficient uids and/or gids.
Perhaps there is something missing with PAM or SSSD?
Thanks,
2 years