FreeIPA -Airtight- No access to Internet - How to update/upgrade package installation.
by Marcelo Carvalho
I have a FreeIPA host that has to be out of reach of Internet.
I can update the host OS and packages by syncing RHEL repo to my LocalRepo. No issues there for every package installed, but I am not able to update FreeIPA.
From https://www.freeipa.org/page/Upgrade we have instruction on upgrades:
FreeIPA 3.3.0 or newer
# yum update freeipa-server
I have not tried because the purpose is to bring "freeipa-server" package to the LocalRepo for host access. I cannot find the repository for "freeipa-server."
Please advise on how to identify FreeIPA repo for RHEL-9, or how to proceed with offline FreeIPA upgrade.
Many thanks.
Marcelo Carvalho
IT Senior System Administrator
Astranis Space Technologies Corp.
mcarvalho(a)astranis.com
https://www.astranis.com/
P.S. Will "# yum update freeipa-server" work? I do not see it as output of the repository when the development host is available to them.
The host is running on AWS and using a Linux RHEL-9 from AWS.
3 months, 3 weeks
Cannot login to FreeIPA as 'admin' user...
by Tom Spettigue
Hey all -
I'm having an odd bug when I try to login to the web interface as the FreeIPA 'admin' user. I get the following error message:
Login failed due to an unknown reason.
Not sure where that's coming from, but per this post (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...) I went ahead and checked the validity period of the `/var/kerberos/krb5kdc/kdc.crt` with the `openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt` command. Sure as shoot, that certificate expired on the 22nd of January at about 7:00 AM GMT - and I'm stuck unable to login and manage my domain. :(
Now according to the end of that thread, the problem just up and fixed itself but I'm up against a wall here in that I... definitely need to be able to get in pretty soon, as I have a new host I need to provision. Is there any way to manually jumpstart this process?
3 months, 3 weeks
Permission / privilege to unlock accounts
by Russell Long
I'm trying to create a set of limited users who have the ability to unlock
all other user accounts and change their passwords. I've got the password
portion figured out, however when a user with the limited permissions tries
to run the `unlock` operation they get the following message:
Insufficient access: Insufficient 'write' privilege to
the 'krbLoginFailedCount' attribute of entry...
I have attempted to create a permission granting this access, but it does
not appear to work.
I'll attach an image of the existing permission, not sure how the list will
handle the image.
--Russ
3 months, 4 weeks
Is there even one freeipa dev that knows everything about upgrading across major OS releases?
by Harry G Coin
Hi! This is meant for the good future of freeipa, a package I've
appreciated for some years, so across the user cultures and languages
please understand it as supportive and not a complaint!
For all freeipa's 'master-master' replica technology, there remain
'some instances more primary than others' even if the topology diagrams
claim equivalence. Lose 'that one that's even more primary' and (absent
high-learning-curve, on-site capability, and intervention that calls for
high-bar mastery of seldom used subsystems) -- you're on a track to
breakage. Why? Because it's when, not if, that 'primary' system will
need a major OS point release (8 to 9 in the present situation). In
that case, there is as yet no 'just works' upgrade path. With 'not the
super special 'even more master than other' master replicas, it's easy
and 'it just works'... but 'for that one...' freeipa is not ready for
'prime time'.
For example, should site admins 'just know' whether there is a current
kasp.db maintained in more than one place? How many know about
ipa-crlgen-manage, or whether /etc/pki/pki-tomcat/ca/CS.cfg should or
shouldn't have ca.certStatusUpdateInterval=0, or have the command ipa
config-mod --ca-renewal-master-server at the top of their mind? SID
range assignments?
Fundamentally, the fair question is: Which freeipa subsystems that I
don't happen to have studied in dev-level detail have similar 'deep
gotchas that are obvious to the one who specializes in that, but opaque
to everyone else'? Not even the freeipa devs who write the docs collect
all the steps in one place. While there are 'characterizations of
worries' those come without steps, the advice doesn't say what steps
will work, just what won't. ('don't leapp upgrade').
The way forward I think is fairly doable. First is to have each 'dev
that's an expert in their thing' (dns, kra, etc. etc.) make sure all
'master' level replicas have, updated, whatever 'special files' might be
necessary, even if they aren't 'the extra special primary replica', and
may never get used.
Second is an 'orchestration' command, to be run on a master-replica that
is 'the latest os', that will, 'all in one', do all the magic to become
'the extra special primary master' and take those options off 'the old
primary', even if it means installing trust/dns/etc subsystems extant on
the 'old master' but missing from the 'soon to be new primary master'.
An orchestration command that manages everything from moving which fqdn
is authoritative in SOA records, to magic tiny entries in CA.cfg files.
When that command is done, the 'old primary' becomes 'just another
master replica that happens to be using an older os'. Then the 'old
primary' can be discarded and replaced with the latest os and a fresh
install as a master replica. At that point, it's optional whether to
move the 'special primary' status 'back' to the 'now new OS master system'.
The admin pain involved at present 'for that one system that's the extra
special primary' at os major release upgrade time -- it sets too high an
education bar, obviously higher than even one freeipa-dev has, as the
docs prove -- and as such needs a team approach to address, before OS 9
to 10 please!
Thanks for all you've done so far!
Harry Coin
3 months, 4 weeks
cannot login on FreeIPA web GUI: Your session has expired. Please log in again.
by Harald Dunkel
Hi folks,
after the upgrade from ipa-server.x86_64 4.9.12-9 to version 4.9.12-11
my FreeIPA servers' web interfaces became inaccessible. At login time there
is a message
Your session has expired. Please log in again.
I found some other threads about similar problems in this ML. However, the
suggested fix to create SIDs
[root@ipa0 log]# /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name EXAMPLE --add-sids
Configuring SID generation
[1/8]: creating samba domain object
Samba domain object already exists
[2/8]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[3/8]: adding RID bases
RID bases already set, nothing to do
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/8]: adding fallback group
Fallback group already set, nothing to do
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
The ipa-enable-sid command was successful
[root@ipa0 log]# echo $?
0
did not help. I still cannot log in on the web interface. (Looking at the
output it didn't have to do anything, anyway. AFAIR this SID thingy was
already done during migration from CentOS 7 to 8.)
[root@ipa0 ~]# ipa idrange-find --raw
----------------
3 ranges matched
----------------
cn: EXAMPLE.DE_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
ipabaserid: 379400000
ipasecondarybaserid: 379600000
iparangetype: ipa-local
cn: EXAMPLE.DE_posix
ipabaseid: 1000
ipaidrangesize: 99000
ipabaserid: 1000
ipasecondarybaserid: 100000
iparangetype: ipa-local
cn: EXAMPLE.DE_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
----------------------------
Number of entries returned 3
----------------------------
/var/log/messages shows
Jan 23 13:50:28 ipa0 [6654]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Jan 23 13:50:28 ipa0 [6653]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Jan 23 13:50:31 ipa0 [6654]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Jan 23 13:50:31 ipa0 [6653]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
/var/log/krb5kdc.log
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706012763, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.de(a)EXAMPLE.DE for ldap/ipa0.example.de(a)EXAMPLE.DE, KDC policy rejects request
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706012763, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.de(a)EXAMPLE.DE for ldap/ipa0.example.de(a)EXAMPLE.DE, KDC policy rejects request
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 23 13:50:28 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:30 ipa0.example.de krb5kdc[6611](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)EXAMPLE.DE for krbtgt/EXAMPLE.DE(a)EXAMPLE.DE, Additional pre-authentication required
Jan 23 13:50:30 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: ISSUE: authtime 1706014231, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS(a)EXAMPLE.DE for krbtgt/EXAMPLE.DE(a)EXAMPLE.DE
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6611](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: NEEDED_PREAUTH: hdunkel(a)EXAMPLE.DE for krbtgt/EXAMPLE.DE(a)EXAMPLE.DE, Additional pre-authentication required
Jan 23 13:50:31 ipa0.example.de krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6592](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: ISSUE: authtime 1706014231, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, hdunkel(a)EXAMPLE.DE for krbtgt/EXAMPLE.DE(a)EXAMPLE.DE
Jan 23 13:50:31 ipa0.example.de krb5kdc[6592](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: ISSUE: authtime 1706014231, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, hdunkel(a)EXAMPLE.DE for HTTP/ipa0.example.de(a)EXAMPLE.DE
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.de(a)EXAMPLE.DE for ldap/ipa0.example.de(a)EXAMPLE.DE, KDC policy rejects request
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 23 13:50:31 ipa0.example.de krb5kdc[6587](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.19.96.2: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.de(a)EXAMPLE.DE for ldap/ipa0.example.de(a)EXAMPLE.DE, KDC policy rejects request
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 23 13:50:31 ipa0.example.de krb5kdc[6588](info): closing down fd 4
Every helpful hint is highly appreciated.
Harri
3 months, 4 weeks
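The krb5kdc.log excerpt above is the kind of thing a defender wants to triage quickly: which requests the KDC issued, which it refused, and whether the refusals are the web server's constrained-delegation hops (HTTP/... for ldap/...) that a browser login depends on. The script below is an added example, not code from Harald's post or from the FreeIPA project. It parses MIT krb5kdc request records and reports rejected S4U2 delegation requests. The sample lines are constructed to mirror the post's format (hostnames, IPs and principals are placeholders; real logs use `@` where the list archive renders `(a)`), and the rule that any non-ISSUE TGS_REQ status beginning with `S4U2` counts as a delegation rejection is an assumption of this example.

```python
"""Triage helper for MIT krb5kdc.log request records (added example).

Parses AS_REQ/TGS_REQ lines, counts statuses, and lists S4U2 (constrained
delegation) requests the KDC refused.  The S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC
rejections for HTTP/... -> ldap/... are the hops the web UI needs, so when all
of them are refused, browser logins cannot succeed."""
import re
import sys
from collections import Counter

# One request record, e.g.
#   Jan 23 13:50:31 kdc krb5kdc[6587](info): TGS_REQ (6 etypes {...}) 192.0.2.10: \
#     S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes {rep=UNSUPPORTED:(0)} \
#     HTTP/kdc@REALM for ldap/kdc@REALM, KDC policy rejects request
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z0-9_]+): (?P<detail>.*)$"
)
# Inside the detail: "<client principal> for <service principal>[, <reason>]"
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,]+?)(?:, (?P<reason>.+))?$")

# Constructed sample modelled on the post's excerpt (placeholder host, realm, IP).
SAMPLE = """\
Jan 23 13:50:30 ipa0.example.test krb5kdc[6611](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.0.2.10: NEEDED_PREAUTH: jdoe@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 23 13:50:30 ipa0.example.test krb5kdc[6611](info): closing down fd 4
Jan 23 13:50:31 ipa0.example.test krb5kdc[6592](info): AS_REQ (6 etypes {...}) 192.0.2.10: ISSUE: authtime 1706014231, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, jdoe@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 23 13:50:31 ipa0.example.test krb5kdc[6588](info): TGS_REQ (6 etypes {...}) 192.0.2.10: ISSUE: authtime 1706014231, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, jdoe@EXAMPLE.TEST for HTTP/ipa0.example.test@EXAMPLE.TEST
Jan 23 13:50:31 ipa0.example.test krb5kdc[6587](info): TGS_REQ (6 etypes {...}) 192.0.2.10: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.test@EXAMPLE.TEST for ldap/ipa0.example.test@EXAMPLE.TEST, KDC policy rejects request
Jan 23 13:50:31 ipa0.example.test krb5kdc[6587](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jan 23 13:50:31 ipa0.example.test krb5kdc[6588](info): TGS_REQ (6 etypes {...}) 192.0.2.10: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1706014231, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa0.example.test@EXAMPLE.TEST for ldap/ipa0.example.test@EXAMPLE.TEST, KDC policy rejects request
"""


def parse_record(line):
    """Return a dict for an AS_REQ/TGS_REQ record, or None for continuation
    lines ("... CONSTRAINED-DELEGATION ...") and "closing down fd" lines."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS_RE.search(rec["detail"])
    rec.update(p.groupdict() if p else {"client": None, "service": None, "reason": None})
    return rec


def status_counts(lines):
    """Count KDC status tokens (ISSUE, NEEDED_PREAUTH, S4U2PROXY_..., ...)."""
    return Counter(r["status"] for r in map(parse_record, lines) if r)


def rejected_delegations(lines):
    """(timestamp, status, client, service, reason) for refused S4U2 requests.
    Assumption of this example: a TGS_REQ whose status is not ISSUE and starts
    with S4U2 is a constrained-delegation rejection."""
    return [
        (r["ts"], r["status"], r["client"], r["service"], r["reason"])
        for r in filter(None, map(parse_record, lines))
        if r["req"] == "TGS_REQ" and r["status"] != "ISSUE" and r["status"].startswith("S4U2")
    ]


def report(lines):
    """Summary a responder can read at a glance."""
    rejects = rejected_delegations(lines)
    webui = [r for r in rejects if r[2].startswith("HTTP/") and r[3].startswith("ldap/")]
    return {
        "statuses": dict(status_counts(lines)),
        "delegation_rejects": len(rejects),
        "webui_ldap_rejects": len(webui),
        "reasons": sorted({r[4] for r in rejects if r[4]}),
    }


if __name__ == "__main__":
    # Usage: python kdc_triage.py < /var/log/krb5kdc.log   (or no stdin: use SAMPLE)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, val in report(text.splitlines()).items():
        print(f"{key}: {val}")
```

Run it against the real log with `python kdc_triage.py < /var/log/krb5kdc.log`; a non-zero `webui_ldap_rejects` alongside zero successful `HTTP/... for ldap/...` issues is the signature from the post, and the `reasons` list tells you whether the KDC is refusing on policy (as here) or on something else.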
Re: FreeIPA or RHEL IdM with Amazon Cognito
by Alexander Bokovoy
On Wed, 24 Jan 2024, Carlos Lopez via FreeIPA-users wrote:
>Hi all,
>
>I need to integrate authentication and role access for a few users
>between Amazon Cognito and FreeIPA/IdM. The idea is that the user logs
>in with Cognito but the access validation, password changes, roles,
>etc. are hosted in FreeIPA. The resources where users login are outside
>of Amazon (for example our internal password management app). Is this
>possible? Could it be an option to use SAML?
IPA can delegate authentication (actually, authorization as in OAuth2
Device Authorization Grant Flow) to an external IdP provider. Amazon
Cognito does not have support for OAuth2 Device Authorization Grant flow
but one can create a separate flow integrated with Cognito:
https://aws.amazon.com/blogs/security/implement-oauth-2-0-device-grant-fl...
See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
for RHEL IdM documentation.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4 months
FreeIPA or RHEL IdM with Amazon Cognito
by Carlos Lopez
Hi all,
I need to integrate authentication and role access for a few users between Amazon Cognito and FreeIPA/IdM. The idea is that the user logs in with Cognito but the access validation, password changes, roles, etc. are hosted in FreeIPA. The resources where users login are outside of Amazon (for example our internal password management app). Is this possible? Could it be an option to use SAML?
Thanks.
Best regards,
C. L. Martinez
4 months
Different ID ranges cannot login to samba
by Rui Gomes
Hello Everyone,
We are experiencing a strange error, where we have 2 ID ranges. The default
one always worked well with samba; we have added a second ID range that works
perfectly for everything, but no user in that range can log in to samba.
All the users in the default ID range can authenticate with samba, but no
user in the lower ID range 5000-10000 manages to authenticate, and there are
no obvious errors in the logs.
Does this ring any bells? We have tried to force the samba ID range; it made
no difference.
Regards
RG
4 months
Can't login to IPA
by Bogdan Stoica
After upgrading ipa to the latest version, login to webui is no longer
working
I'm using Rocky Linux 8.9 and these are the IPA installed packages:
[root@ipa02 dnssec]# rpm -qa | grep ipa
ipa-server-4.9.12-11.module+el8.9.0+1652+4ee71f6a.x86_64
ipa-server-common-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
libipa_hbac-2.9.1-4.el8_9.x86_64
ipa-client-common-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
ipa-client-4.9.12-11.module+el8.9.0+1652+4ee71f6a.x86_64
python3-libipa_hbac-2.9.1-4.el8_9.x86_64
sssd-ipa-2.9.1-4.el8_9.x86_64
ipa-common-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
python3-ipaclient-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
ipa-server-dns-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
rocky-logos-ipa-86.3-1.el8.noarch
ipa-healthcheck-0.12-3.module+el8.9.0+1434+912e18bd.noarch
python3-ipalib-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
ipa-healthcheck-core-0.12-3.module+el8.9.0+1434+912e18bd.noarch
python3-ipaserver-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
ipa-selinux-4.9.12-11.module+el8.9.0+1652+4ee71f6a.noarch
When trying to run this command (as some users suggested): ipa config-mod
--enable-sid --add-sids
I'm getting this:
ipa: ERROR: cannot connect to 'https://ipa02.shtar.prod1/ipa/session/json':
Exceeded number of tries to forward a request.
4 months