ipa radius proxy
by Giuseppe Calo
Hi all, I installed a simple freeradius (no particular module enabled), I configured a radius client, one simple user (password only) and added a RADIUS proxy in FreeIPA, but my RADIUS server does not get requests from the remote client. But the test utility "radtest" from this server works fine.
What am I doing wrong?
Can somebody explain the ipa radius proxy utility in more detail?
Thanks
1 year, 4 months
Update documentation of "Windows authentication against FreeIPA"
by Alejo Diaz
Currently, if I follow the steps I can't get Windows 10 or 11 (both 22H2) working with FreeIPA v4.10.1.
Please update/add these steps:
1. The algorithm "arcfour-hmac" isn't necessary in these versions (I don't know about other versions). Just skip the "-e" option or specify it with "-e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96".
2. Enforce the use of TCP for Kerberos in Windows by running the following commands after step 5 of the "Configure Windows (ksetup)" section. This step helps when you log in via VPN or when the packet size is > 1500 (MTU limited!).
```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1 /f
ksetup /setrealmflags [REALM_NAME] tcpsupported
```
3. Ensure `permitted_enctypes` is set in the `/etc/krb5.conf` configuration on FreeIPA servers (and replicas). Next, delete `/etc/krb5.conf.d/crypto-policies` (I didn't test whether updating this file from a tool works). This ensures that every ticket sent from the FreeIPA KDC always uses the `permitted_enctypes` algorithms.
```
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```
After the change, run the following commands on FreeIPA servers and replicas:
```
systemctl stop sssd.service
sss_cache -E
systemctl restart krb5kdc.service
systemctl start sssd.service
```
4. Step 8 of the "Configure Windows (ksetup)" section isn't necessary. Windows creates the user automatically.
5. If you don't want to type <user>@<domain> for every uncached user, run the following command to hard-code the domain in the logon screen (add after step 5 of the "Configure Windows (ksetup)" section?):
```
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DefaultLogonDomain" /t REG_SZ /d "[REALM_NAME]" /f
```
6. Step 1 of the "Configure Windows (ksetup)" section changes from "/setdomain" to "/setrealm". Actually, both work but I don't know if this command will change in the future.
1 year, 4 months
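As an added example (not code from the post above or from the FreeIPA project): a small Python audit for step 3 that parses the `[libdefaults]` section of a krb5.conf, reports whether `permitted_enctypes` is exactly the two AES types the post recommends, and flags the `/etc/krb5.conf.d/crypto-policies` drop-in if it still exists and is pulled in by `includedir`. The sample config is constructed; the file paths are the ones the post names.

```python
# Added example, not code from the mailing-list post or from FreeIPA: audit a
# krb5.conf for the AES-only permitted_enctypes setting recommended in step 3.
import re

# Enctypes the post puts in [libdefaults]; arcfour-hmac is what it drops.
RECOMMENDED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}


def parse_libdefaults(text):
    """Return the 'key = value' relations of the [libdefaults] section."""
    # krb5.conf is INI-like: '[section]' headers, 'key = value', '#'/';' comments.
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit_krb5_conf(text, crypto_policies_present):
    """Return findings; an empty list means the file matches the post."""
    findings = []
    permitted = set(parse_libdefaults(text).get("permitted_enctypes", "").split())
    if not permitted:
        findings.append("permitted_enctypes is not set in [libdefaults]")
    else:
        extra, missing = permitted - RECOMMENDED, RECOMMENDED - permitted
        if extra:
            findings.append("unexpected enctypes permitted: %s" % sorted(extra))
        if missing:
            findings.append("recommended enctypes missing: %s" % sorted(missing))
    # Step 3 deletes /etc/krb5.conf.d/crypto-policies; flag it if it still
    # exists and krb5.conf pulls the directory in with includedir.
    if crypto_policies_present and re.search(r"^includedir\s+/etc/krb5\.conf\.d", text, re.M):
        findings.append("crypto-policies drop-in still present and included")
    return findings


# Constructed sample with the arcfour-hmac enctype the post says to drop.
SAMPLE = """includedir /etc/krb5.conf.d/
[libdefaults]
  permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
"""

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE, crypto_policies_present=True):
        print(finding)
```

On a real server, pass the contents of `/etc/krb5.conf` and whether `/etc/krb5.conf.d/crypto-policies` still exists.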
additional info: nsslapd-maxdescriptors: invalid value "65536", maximum file descriptors must range from 1 to 8192 (the current process limit). Server will use a setting of 8192.
by roy liang
My FreeIPA is 4.3.
May I ask: this parameter cannot be increased, so where does this limit come from? Can it reach 262140 as the system allows, or is there another configuration limit in the service?
```
apt list | grep 389-ds
389-ds/xenial,xenial 1.3.4.9-1 all
....
ldapmodify -x -H "ldaps://xx.com:636" -D "cn=directory manager" -w xxx
dn: cn=config
changetype: modify
replace: nsslapd-maxdescriptors
nsslapd-maxdescriptors: 65536
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: nsslapd-maxdescriptors: invalid value "65536", maximum file descriptors must range from 1 to 8192 (the current process limit). Server will use a setting of 8192.
```
-----
```
ulimit -aH
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 512646
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 262140
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 512646
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
ulimit -Hn
262140
```
1 year, 4 months