KDC Self Signed Certificate Creation
by Mark Selby
My company has 6 FreeIPA servers across 3 different locations. Five of the six servers are OK, but one we could not log in to. The error messages pointed to the expired certificate located at `/var/kerberos/krb5kdc/kdc.crt`.
My question is how do I "properly" renew or recreate this certificate. I have been able to renew it with the command listed below, but the renewed cert does not have the same characteristics as the other certs. The existing ones all seem to be self-signed with the specified profile, while my new one does not have these features. It seems to be working OK, but it would be great to understand how to generate this cert correctly. Any help is greatly appreciated.
The servers that work all display the following when using `getcert list -f /var/kerberos/krb5kdc/kdc.crt`:
Request ID '20191003181545':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
expires: 2022-08-09 22:06:33 UTC
principal name: krbtgt/ACME.ORG(a)ACME.ORG
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Using the local-getcert start-tracking command below gets me an updated cert, but it is not self-signed and does not have the specified profile.
local-getcert start-tracking \
-k /var/kerberos/krb5kdc/kdc.key \
-f /var/kerberos/krb5kdc/kdc.crt \
-T KDCs_PKINIT_Certs \
-C /usr/libexec/ipa/certmonger/renew_kdc_cert
Request ID '20220117193849':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: local
issuer: CN=Certificate Authority,O=ACME.ORG
subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
expires: 2024-01-18 17:32:20 UTC
principal name: krbtgt/ACME.ORG(a)ACME.ORG
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
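One way to compare the tracking requests across the six servers, added here as an example and not part of the original post: parse the `getcert list` output, report the fields in which a renewed request differs from a known-good one (CA, profile, EKU and whether issuer equals subject), and compute days to expiry. The sample is constructed from the two records above, trimmed to the fields compared.

```python
"""Audit getcert records: diff a renewed KDC request against a known-good one."""
import re
from datetime import datetime, timezone

# Constructed sample: the two records from the post, trimmed to the fields
# compared here (real output indents each field with a tab; either form works).
SAMPLE = """\
Request ID '20191003181545':
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=ipa01.sub1.acme.org,O=ACME.ORG
    subject: CN=ipa01.sub1.acme.org,O=ACME.ORG
    expires: 2022-08-09 22:06:33 UTC
    certificate template/profile: KDCs_PKINIT_Certs
Request ID '20220117193849':
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: local
    issuer: CN=Certificate Authority,O=ACME.ORG
    subject: CN=vipa06.sub3.acme.org,O=ACME.ORG
    expires: 2024-01-18 17:32:20 UTC
    eku: id-kp-serverAuth,id-pkinit-KPKdc
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    records, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def compare_to_reference(reference, candidate,
                         fields=("CA", "certificate template/profile", "eku")):
    """Fields in which `candidate` differs from the known-good `reference`,
    plus a note if only one of the two is self-signed (issuer == subject)."""
    diffs = [f"{f}: {reference.get(f)!r} vs {candidate.get(f)!r}"
             for f in fields if reference.get(f) != candidate.get(f)]
    ref_self = reference.get("issuer") == reference.get("subject")
    cand_self = candidate.get("issuer") == candidate.get("subject")
    if ref_self != cand_self:
        diffs.append(f"self-signed: {ref_self} vs {cand_self}")
    return diffs

def days_until_expiry(record, now):
    """Days from `now` (timezone-aware UTC) until the record's 'expires' time."""
    exp = datetime.strptime(record["expires"], "%Y-%m-%d %H:%M:%S %Z")
    return (exp.replace(tzinfo=timezone.utc) - now).days
```

Feed it the concatenated output of `getcert list -f /var/kerberos/krb5kdc/kdc.crt` from each server, using one of the five working servers as the reference record.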
How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
by cdknight
When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
Login failed due to an unknown reason
by Dan West
I am running into a strange issue with a few user accounts where logging into the web interface gives them the error message "Login failed due to an unknown reason". It also prevents them from SSH'ing into IPA-bound systems using passwords. Pubkeys work fine (as long as they are manually added to the local accounts) and any services I have bound to it (Gitlab, Mattermost, Owncloud, etc.) seem to work fine. I 'think' this is Kerberos related, since the only services that use it are SSH and probably the IPA web interface. Here is the apache error log for it:
[Thu Jan 13 09:15:38.688228 2022] [wsgi:error] [pid 579266:tid 139812542121728] [remote xx.xxx.xx.xxx:52162] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844948): TGT has been revoked
I 'think' the message "TGT has been revoked" is due to the 401 error, since the user is not showing as being authorized to log in. However, this user is enabled and I have tried a number of things to try to fix it:
1. Disable/Re-enable account
2. Reset passwords
3. Kinit username (seems to get a ticket, but logins still do not work)
4. Run the account migration task (using the web gui)
5. Restart the IPA server and services
6. Re-initialize the IPA server from another master
Also, I can confirm that the passwords are correct since a failed password error message shows up differently and other services are using it correctly. Going down the Kerberos path, here is the krb5kdc log file:
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): closing down fd 12
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: ISSUE: authtime 1642094138, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): closing down fd 12
Jan 13 09:15:38 ipa.example.com krb5kdc[579225](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: NEEDED_PREAUTH: testuser(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
Jan 13 09:15:38 ipa.example.com krb5kdc[579225](info): closing down fd 12
Jan 13 09:15:38 ipa.example.com krb5kdc[579225](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: ISSUE: authtime 1642094138, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, testuser(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
Jan 13 09:15:38 ipa.example.com krb5kdc[579225](info): closing down fd 12
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ : handle_authdata (-1765328364)
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: HANDLE_AUTHDATA: authtime 1642094138, etypes {rep=UNSUPPORTED:(0)} testuser(a)EXAMPLE.COM for HTTP/ipa.example.com(a)EXAMPLE.COM, TGT has been revoked
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): closing down fd 12
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ : handle_authdata (-1765328364)
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25), DEPRECATED:arcfour-hmac(23)}) yy.yy.yy.yy: HANDLE_AUTHDATA: authtime 1642094138, etypes {rep=UNSUPPORTED:(0)} testuser(a)EXAMPLE.COM for HTTP/ipa.example.com(a)EXAMPLE.COM, TGT has been revoked
I only see two errors that might be related:
"PAC record claims domain SID different to local domain SID or any trusted domain SID"
"DEPRECATED:arcfour-hmac(23)"
However, those might just be red herrings or something else that is unrelated.
So far, there are only a small number of accounts that have this problem, but more seem to be popping up on a daily basis. The only fix I have found is the nuclear option, where I completely remove the account and then add it back in with the same UID/GID, group memberships and policies. After that it seems to work fine. However, I would rather not do this to all accounts, since that would be a logistical nightmare.
Are there any suggestions for either troubleshooting or fixing this problem with a lighter approach? Is it possible to reset or regenerate the users' Kerberos authentication?
Thanks,
Dan West
Systems Administrator
Galois Inc.
http://galois.com
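A small detector, added here and not part of Dan's post, that pairs each "TGT has been revoked" TGS_REQ line with the PAC domain-SID mismatch error logged just before it by the same KDC worker, so the affected principals and the two SIDs can be listed straight from krb5kdc.log. The sample lines are trimmed from the log above (etype lists shortened, `@` restored where the archive printed `(a)`, plus one healthy request); the regular expressions are assumptions about the log layout shown.

```python
"""Pair 'TGT has been revoked' TGS_REQ lines with the PAC SID mismatch logged
just before them by the same KDC worker (added example, not from the post)."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the log in the post: etype lists shortened,
# '@' restored where the archive printed '(a)', plus one healthy request.
SAMPLE_LOG = """\
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](Error): PAC issue: PAC record claims domain SID different to local domain SID or any trusted domain SID: local [S-1-5-21-997841278-3584560916-1456654135], PAC [S-1-5-21-2108153867-2082035330-3701898995]
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ : handle_authdata (-1765328364)
Jan 13 09:15:38 ipa.example.com krb5kdc[579226](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18)}) yy.yy.yy.yy: HANDLE_AUTHDATA: authtime 1642094138, etypes {rep=UNSUPPORTED:(0)} testuser@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM, TGT has been revoked
Jan 13 09:16:02 ipa.example.com krb5kdc[579225](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18)}) yy.yy.yy.yy: ISSUE: authtime 1642094150, etypes {rep=aes256-cts-hmac-sha1-96(18)} alice@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
"""

# Line layout of the syslog-style krb5kdc.log shown in the post (assumption).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ krb5kdc\[(?P<pid>\d+)\]"
                     r"\((?P<level>\w+)\): (?P<msg>.*)$")
PAC_RE = re.compile(r"PAC issue: .*local \[(?P<local>S-[\d-]+)\], PAC \[(?P<pac>S-[\d-]+)\]")
REVOKED_RE = re.compile(r"TGS_REQ .*?(?P<client>\S+@\S+) for (?P<service>\S+@[^,]+), "
                        r"TGT has been revoked")

def correlate(log_text):
    """Return {client principal: [events]}; each event carries the service
    requested and the local/PAC SIDs from the preceding mismatch error."""
    last_pac = {}                 # KDC worker pid -> (local_sid, pac_sid)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        p = PAC_RE.search(msg)
        if p:
            last_pac[pid] = (p["local"], p["pac"])
            continue
        r = REVOKED_RE.search(msg)
        if r:
            # Each PAC error is consumed by the revoked line that follows it.
            local, pac = last_pac.pop(pid, (None, None))
            hits[r["client"]].append({"time": m["ts"], "service": r["service"],
                                      "local_sid": local, "pac_sid": pac})
    return dict(hits)

if __name__ == "__main__":
    for client, events in correlate(SAMPLE_LOG).items():
        for ev in events:
            print(f"{ev['time']} {client} -> {ev['service']}: "
                  f"PAC SID {ev['pac_sid']} != local {ev['local_sid']}")
```

Run it over the full log (for example `correlate(open("/var/log/krb5kdc.log").read())`) to see whether every failing account shares the same foreign PAC SID, which narrows the problem to a per-account attribute rather than the KDC as a whole.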
certmonger error on ubuntu
by Robson Francisco de Souza
Hello!
I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below.
After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw
Still, I couldn't find a solution to this problem.
If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to:
1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade.
2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04.
Any help would be appreciated!
Thanks!
Robson
======> Command: systemctl status certmonger
Nov 17 20:53:08 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 20:53:08 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: dogtag-ipa-renew-agent returned 3
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:10:13 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: dogtag-ipa-renew-agent returned 3
Nov 17 21:25:21 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:21 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: dogtag-ipa-renew-agent returned 3
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:31 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
--
Robson Francisco de Souza, PhD
Protein Structure and Evolution Laboratory (LEEP/PSEL)
Microbiology Department
Biomedical Sciences Institute
University of Sao Paulo
Av. Prof. Lineu Prestes, 1374 - Biomédicas II - Sala 250
Phone: 55-11-3091-0891
Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil
Greenfield FreeIPA deployment - is it OK to put FreeIPA at the domain apex, or a "best practice" to put it in a subdomain?
by Braden McGrath
Hello FreeIPA-users. The Subject line is the core of my question here; I'll provide a bit more detail below.
I work for what is (effectively) a startup, non-profit internet provider. I have an extensive Windows background, and "know enough to be dangerous" with Linux & BSD (have been tinkering with GNU/Linux on and off since Slackware 3.0 or 3.1). I'm very familiar with Windows Active Directory, but the org does not have any AD infrastructure right now (and being nonprofit, are trying to avoid spending money for MS, especially when all of the other VMs will be Linux or BSD anyway).
Given the nonprofit nature, I discovered FreeIPA when looking for a free centralized directory system. The goal is to consolidate all credentials for *other* Linux VMs (customer-facing DNS, CRM web server, SNMP/network graphing servers, etc) as well as provide a back-end for RADIUS for management of network equipment (switches, routers, P2P wireless, etc). Simplifying DNS management and replication is also appealing, I'd rather administrate one system than two or three.
In case it changes your opinion of the plan at all - all of the network equipment and VMs will be on *private* (10.x) IPv4 space and behind one or more firewalls, at least initially. We do want to add public IPv6, but do not have that yet. We only have a small allocation (/26) of public v4 from our upstream that will be NATed through a firewall and not directly on any devices. The traffic to FreeIPA is going to be internal-only, I do not plan on exposing FreeIPA's DNS "to the world" at all. Even customer-facing internal DNS will likely be through separate caching forwarders pointing back to FreeIPA.
I have a completely unused, publicly registered domain (let's just call it "example.net" for this thread) available to dedicate to this system. We also own "example.org" and are using that for our public web presence, and I intend to keep that entirely standalone.
Given that I have no current "interoperability" concerns, is there anything "wrong" with putting FreeIPA directly at the root of example.net? Or would it be more wise, from an interop, security, or manageability standpoint (i.e. a "best practice"), to root FreeIPA at something like auth.example.net or ipa.example.net and then have a separate set of nameservers handling the base domain? If I put FreeIPA's root (and Kerberos realm) in a subdomain, is it possible to *also* have it manage the parent domain's DNS entries?
I've read through the Quick Start Guide and Deployment Recommendations (https://www.freeipa.org/page/Deployment_Recommendations), which is part of how I've come to the decisions I've made thus far. I couldn't really find guidance one way or the other on whether FreeIPA "should" be in a subdomain or not, hence this posting. I would appreciate any insight the community can provide!
FreeIPA web session timeout
by Yuri Krysko
Hello,
Could you please advise how to configure FreeIPA web UI user session timeout?
Thanks,
Yuri
Auto cleanup old enrolled hosts
by Russ Long
We're adding FreeIPA to an immutable, often rotated environment (AWS ECS Hosts). These hosts are spun up and down at least daily. Is there a way to check FreeIPA to see when a host has last communicated with the FreeIPA Cluster? I'd like to use this information to auto-delete hosts that have not reported in from the FreeIPA host list.
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele
I tried various approaches to get renewable tickets:
1) modifying the KDC
2) modifying krb5.conf
3) using kadmin.local on every replica to modify the principal, which is not working, as designed (?), in IPA
What should I do to get a ticket with the correct R flag from IPA?
I don't think this is SSSD related (the service needing the renewable ticket this way is Apache Storm).
Thanks a lot!