DNS zone origin record search
by John Morris
This works to find a single DNS record:
$ ipa dnsrecord-find example.com --name=ipa-ca --pkey-only
Record name: ipa-ca
----------------------------
Number of entries returned 1
----------------------------
But this fails to find the origin record:
$ ipa dnsrecord-find example.com --name=@ --pkey-only
----------------------------
Number of entries returned 0
----------------------------
It appears that the origin record is treated inconsistently only in
`dnsrecord-find`; the other dnsrecord commands work fine in the form
`dnsrecord-* example.com @`.
How does one find ONLY a zone's origin record?
Thanks-
John
6 years, 3 months
ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?
by Chris Dagdigian
Hi folks,
Fixing a topology and replication issue caused my IDM infrastructure to
forget about roughly 30 enrolled client hosts.
Thought this would be trivial to fix via an Ansible playbook that runs
the IPA client install command again with the "--force-join" argument.
Manpage and docs suggest this should work. Any tips or help appreciated!
Software:
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
Error when I try to re-enroll the client:
[root@deawilldpp06 centos]#
[root@deawilldpp06 centos]# ipa-client-install --force-join --mkhomedir --unattended --password=XXXX --principal YYYY --server deawilidmp001.ZZZZ.org --domain WWWWW.org
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using
'ipa-client-install --uninstall'.
[root@deawilldpp06 centos]#
[root@deawilldpp06 centos]#
6 years, 3 months
Ansible and ipa-client-install
by Florence Blanc-Renaud
Hi,
the team is starting investigations regarding the deployment of IPA
using Ansible, and we would like to get community feedback. Ansible
already provides a few community-maintained Identity Modules [1]
allowing one to manage users, groups, hosts, HBAC rules, roles, sudo rules,
but in a first phase, we are focusing on IPA client installation.
The command line ipa-client-install is configuring various components
(hostname, NTP client, IPA client, SSSD, PAM and NSS, Kerberos client +
host keytab, DNS, ssh, OpenLDAP client, NIS, automount, firefox prefs...)
Because of this modularity, a possible strategy would be to provide an
Ansible role for ipaclient, decomposing the installation into reusable
Ansible parts (kerberos client role, OpenLDAP client etc).
In order to avoid maintaining 2 different installation mechanisms, we
could rewrite ipa-client-install so that it internally calls Ansible to
perform the configuration. Note that this would include a new dependency
on Ansible, and we need to make sure that this is acceptable, keeping in
mind that we are not targeting only RHEL and Fedora but also other Linux
distributions.
Another strategy would be to have Ansible call the current
ipa-client-install command, but the limitation is that this CLI is not
idempotent. It exits on error when the host is already configured as an
IPA client.
A few community-provided IPA roles (client or server) are already using
this approach. They can be found in Galaxy [2].
Whatever strategy is picked, we need to
- keep aligned the Ansible module/role/playbook version and IPA version.
- identify the most important options from ipa-client-install in order
to start with what is really needed from the community
- identify the most frequent use cases regarding
* authentication: install with username and password, with one-time
password, with an existing keytab
* DNS configuration: using DNS autodiscovery based on the host domain
name, specifying a domain or a server
...
We are waiting for your feedback on all these topics: would you be
likely to use Ansible to deploy an IPA client, which requirements,
concerns, ideas do you have in this area?
Thank you for your involvement in this project: as users of FreeIPA,
your voice really matters, and you can take this opportunity to
influence the direction we are going to take.
Flo
[1] https://docs.ansible.com/ansible/list_of_identity_modules.html
[2] https://galaxy.ansible.com/list#/roles?page=1&page_size=10&autocomplete=ipa
6 years, 3 months
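The "IPA client is already configured on this system" failure in Chris's post and the non-idempotent behaviour Florence describes are the same thing seen from two sides. Below is an added example, not FreeIPA or Ansible project code, of the converge logic an idempotent wrapper or module needs around ipa-client-install: check the host's state first, do nothing when it is already enrolled, and only when a forced re-join is requested run the `--uninstall` that the error message suggests before enrolling again. It assumes, for the example only, that /etc/ipa/default.conf is a sufficient enrollment marker (the real installer checks more than that), and it exercises the flow against a stand-in for the installer so it runs offline; the hostnames and arguments are made up.

```python
"""Idempotent enrollment wrapper around ipa-client-install (added example)."""
import os
import subprocess
import tempfile

# Assumed enrollment marker for this example; the installer's own check is broader.
MARKER = os.path.join("etc", "ipa", "default.conf")


def client_is_enrolled(root="/"):
    """True when the host already carries the IPA client configuration."""
    return os.path.isfile(os.path.join(root, MARKER))


def ensure_enrolled(install_args, root="/", force_join=False, run=subprocess.run):
    """Converge the host to the enrolled state and report what happened.

    Returns 'unchanged' when nothing was done and 'changed' after an enrollment.
    ipa-client-install exits with an error on an already-configured host, so a
    forced re-join first runs the uninstall it suggests, then enrolls again with
    --force-join so the server accepts the existing host entry. `run` is
    injectable so the flow can be exercised without the real tool."""
    base = ["ipa-client-install", "--unattended"]
    if client_is_enrolled(root):
        if not force_join:
            return "unchanged"
        run(base + ["--uninstall"], check=True)
    extra = ["--force-join"] if force_join else []
    run(base + extra + list(install_args), check=True)
    return "changed"


class FakeInstaller:
    """Stand-in for ipa-client-install: records calls, only touches the marker."""

    def __init__(self, root):
        self.root = root
        self.calls = []

    def __call__(self, cmd, check=True):
        self.calls.append(cmd)
        marker = os.path.join(self.root, MARKER)
        if "--uninstall" in cmd:
            os.remove(marker)
        else:
            os.makedirs(os.path.dirname(marker), exist_ok=True)
            open(marker, "w").close()
        return subprocess.CompletedProcess(cmd, 0)


def demo():
    """Converge three times against a temporary root: fresh, repeat, forced."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        fake = FakeInstaller(root)
        # Made-up arguments; credentials deliberately left out of the command line.
        args = ["--domain", "example.com", "--server", "ipa1.example.com",
                "--mkhomedir"]
        results.append(ensure_enrolled(args, root=root, run=fake))
        results.append(ensure_enrolled(args, root=root, run=fake))
        results.append(ensure_enrolled(args, root=root, force_join=True, run=fake))
        return results, fake.calls


if __name__ == "__main__":
    outcomes, calls = demo()
    for outcome, cmd in zip(outcomes, calls):
        print(outcome, " ".join(cmd))
```

Credentials are kept out of the argument list on purpose: a value passed as `--password=...` is visible to every local user in the process table, so for unattended runs a one-time password or an existing keytab (both on Florence's list of use cases) is the better fit.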
Replication failing on some records
by Nick Campion
Hi all,
We have a 3 master setup that is failing to replicate changes from a
particular node to the other IPA instances. The replication status says
it's all fine, however the record hasn't been changed on the other
servers. We've seen this on user password changes, adding hosts and
services. The only thing we've found that seems to fix this temporarily
is to re-initialize from the master with the changed record. A
force-sync doesn't pick up the changed record.
Not sure what logs would be helpful to diagnose what is happening in
this setup.
# ipa-replica-manage -v list `hostname`
freeipa03.mgmt.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2017-06-07 14:43:53+00:00
freeipa02.mgmt.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2017-06-07 14:43:53+00:00
# ldapsearch -W -x -D "cn=directory manager" -b "cn=users,cn=accounts,dc=ipa,dc=example,dc=com" "nsds5ReplConflict=*" * nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=ipa,dc=example,dc=com> with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Any help in what else can be checked or what logs would be helpful would
be appreciated.
Thanks
Nick
6 years, 3 months
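Nick's `ipa-replica-manage -v list` output is the first thing to read when replication status "looks fine" but entries differ. As an added example, not FreeIPA code, here is a parser for that layout together with a check that separates a genuine failure from the confusingly worded but successful "Error (0) ... Incremental update succeeded" line; the sample text is constructed, and the second agreement is given a made-up non-zero code so the check has something to flag. A clean status only says the last incremental update completed; it does not prove the entry converged, which is why comparing the entry itself on each master remains the decisive check.

```python
"""Parse `ipa-replica-manage -v list` output and flag agreements whose last
update reported a non-zero error code (added example, not FreeIPA code)."""
import re

# Constructed sample in the layout the thread shows. The real tool indents the
# attribute lines; the parser tolerates both indented and flattened text.
SAMPLE = """\
freeipa03.mgmt.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2017-06-07 14:43:53+00:00
freeipa02.mgmt.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (1) constructed failure for this example
  last update ended: 2017-06-07 14:43:53+00:00
"""

HOST_RE = re.compile(r"^(\S+): replica\s*$")
ERR_RE = re.compile(r"Error \((-?\d+)\)")


def parse_replica_list(text):
    """Return {hostname: {attribute: value}} for each agreement listed."""
    agreements = {}
    current = None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            current = m.group(1)
            agreements[current] = {}
            continue
        if current is None:
            continue
        # Split on the first colon only: the status value itself contains colons.
        key, sep, value = raw.strip().partition(":")
        if sep:
            agreements[current][key.strip()] = value.strip()
    return agreements


def error_code(status):
    """Extract the numeric code from 'Error (N) ...'; None when absent."""
    m = ERR_RE.search(status or "")
    return int(m.group(1)) if m else None


def never_initialized(attrs):
    """An epoch 'last init ended' means no total re-init ever ran from here."""
    return attrs.get("last init ended", "").startswith("1970-01-01")


def find_problems(agreements):
    """Return (host, reason) pairs that need an operator's attention."""
    problems = []
    for host, attrs in agreements.items():
        status = attrs.get("last update status")
        code = error_code(status)
        if code is None:
            problems.append((host, "no parseable update status"))
        elif code != 0:
            problems.append((host, f"update error {code}: {status}"))
    return problems


if __name__ == "__main__":
    parsed = parse_replica_list(SAMPLE)
    for host, attrs in parsed.items():
        note = " (never re-initialized from this master)" if never_initialized(attrs) else ""
        print(f"{host}: code {error_code(attrs.get('last update status'))}{note}")
    for host, reason in find_problems(parsed):
        print(f"PROBLEM {host}: {reason}")
```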
FreeIPA 4.4 with Yubikey and Radius for VPN auth
by Dagan McGregor
Hello,
I have been asked to configure FreeIPA 4.4 servers to handle VPN authentication using a FreeRADIUS server, with 2FA being generated by a Yubikey given to each user.
The existing radius server configuration uses PAM sssd and yubico modules with a static file for the Yubikeys, and works with the token appended to the password. The sssd functions as a user lookup to FreeIPA.
I am hoping to be able to migrate the configuration to use only FreeRADIUS and FreeIPA with dynamic lookups, but I am not sure where to start.
Is there a recommended method, like using the radius ldap module, to query username, password, and Yubikey values?
Does anyone have a working implementation of something similar?
Cheers,
Dagan
6 years, 3 months
FreeIPA Replica Install issue on CentOS 7.3 and ipa 4.4.0
by Eric Renfro
I've been trying to rebuild my FreeIPA server that I run on CentOS 7.3.
Previously, I was running FreeIPA 4.2.x and upgraded over time to 4.4.0
now, but somewhere along the lines, it totally broke and failed. For me
it's not a big deal because it serves very little in a home cluster
lab, but I wanted to take this time to update my chef cookbooks to
accommodate the new way to auto-configure FreeIPA.
The Server installation portion was pretty much the same as before.
It's the replica that's mostly changed.
Using the install method with ipa-replica-install, I'm using these
arguments:
ipa-replica-install --unattended \
--no-ntp --mkhomedir --skip-conncheck \
--ip-address 172.17.0.102 \
--principal admin \
--admin-password "redacted" \
--server ipa1.home.ld \
--domain home.ld \
--realm HOME.LD
And it's failing with the following results:
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/44]: creating directory server user
[2/44]: creating directory server instance
[3/44]: updating configuration in dse.ldif
[4/44]: restarting directory server
[5/44]: adding default schema
[6/44]: enabling memberof plugin
[7/44]: enabling winsync plugin
[8/44]: configuring replication version plugin
[9/44]: enabling IPA enrollment plugin
[10/44]: enabling ldapi
[11/44]: configuring uniqueness plugin
[12/44]: configuring uuid plugin
[13/44]: configuring modrdn plugin
[14/44]: configuring DNS plugin
[15/44]: enabling entryUSN plugin
[16/44]: configuring lockout plugin
[17/44]: configuring topology plugin
[18/44]: creating indices
[19/44]: enabling referential integrity plugin
[20/44]: configuring certmap.conf
[21/44]: configure autobind for root
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: creating DS keytab
[27/44]: retrieving DS Certificate
[28/44]: restarting directory server
[29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ipa1.home.ld] reports: Update failed! Status: [49 - LDAP error: Invalid credentials]
[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
STDERR: Client hostname: ipa2.home.ld
Realm: HOME.LD
DNS Domain: home.ld
IPA Server: ipa1.home.ld
BaseDN: dc=home,dc=ld
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HOME.LD
Issuer: CN=Certificate Authority,O=HOME.LD
Valid From: Sun Jun 11 14:31:12 2017 UTC
Valid Until: Thu Jun 11 14:31:12 2037 UTC
Enrolled in IPA realm HOME.LD
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HOME.LD
trying https://ipa1.home.ld/ipa/json
Forwarding 'schema' to json server 'https://ipa1.home.ld/ipa/json'
trying https://ipa1.home.ld/ipa/session/json
Forwarding 'ping' to json server 'https://ipa1.home.ld/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa1.home.ld/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipa1.home.ld/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring home.ld as NIS domain.
Client configuration complete.
ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Attached are the full logs from ipareplica-install.log.
Any help on this would be greatly appreciated. I tried all weekend long
to get this to work, all to the same basic failure.
Eric
6 years, 3 months
Scheduled disable/delete user account
by Per Qvindesland
Hi All
Is it possible to schedule when a user account is disabled/deleted? The reason I am asking is that we would like to be able to set an account to be disabled or deleted when the user leaves the company. At the moment it can take time until a sysadmin disables or deletes the account, which is not optimal.
Regards
Per
6 years, 3 months
Re: documentation or example of using S42U for NFS
by Jens Timmerman
Hi Greg,
On 02/03/2017 03:29, Greg wrote:
> I've been at this as well for a while now, and managed to make it work
> for my NFS needs (automounting user homes with password-less logons).
>
>
>
> $ ipa servicedelegationrule-show ipa-nfs-delegation
> Delegation name: ipa-nfs-delegation
> Allowed Target: ipa-nfs-delegation-targets
> Member principals: host/nfsclient.dom.com@DOM.COM
>
> $ ipa servicedelegationtarget-show ipa-nfs-delegation-targets
> Delegation name: ipa-nfs-delegation-targets
> Member principals: nfs/nfsserver.dom.com@DOM.COM
>
> Only niggle here is IPA CLI didn't let me add "host/..." principal to
> the rule, or perhaps there's a default LDAP ACI of some sort and it
> requires a privilege/permission to be granted. The "ipa
> servicedelegationrule-add-member ..." command simply says "no such
> entry" for "host/..." type principals. Maybe IPA folks can comment.
>
An official reply from IPA devs might indeed be useful here.
> I force added it to the delegation rule via LDAP instead using this ldif:
>
> dn: cn=ipa-nfs-delegation,cn=s4u2proxy,cn=etc,dc=dom,dc=com
> changetype: modify
> add: memberPrincipal
> memberPrincipal: host/nfsclient.dom.com@DOM.COM
>
I didn't want to resort to this trickery; it turns out there's no reason at
all to use host/. You can create an nfs-client service and use that.
(I guess this is the recommended way?)
$ ipa service-add nfs-client/node2801.example.com@EXAMPLE.COM --ok-to-auth-as-delegate=True
$ ipa servicedelegationrule-add-member nfs-delegation
--principals=nfs-client/node2801.example.com
$ ipa servicedelegationrule-show nfs-delegation
Delegation name: nfs-delegation
Allowed Target: nfs-delegation-targets
Member principals: nfs-client/node2801.example.com@EXAMPLE.COM
> The "nfs/..." principal can be added using CLI
> "ipa servicedelegationtarget-add-member ..." just fine.
>
> 3. Allow the "nfsclient" host to impersonate users:
>
> $ ipa host-mod nfsclient.dom.com --ok-to-auth-as-delegate=true
not needed, we did this for the service
>
> 4. On the "nfsclient" machine, add "impersonate = true" line in the
> "[service/nfs-client]" section of /etc/gssproxy/gssproxy.conf.
change
cred_store = keytab:/etc/krb5.keytab
to
cred_store = keytab:/etc/nfs-client.keytab
where you get nfs-client.keytab by running
ipa-getkeytab -p nfs-client/node2801.example.com -k /etc/nfs-client.keytab
>
> 5. Restart nfs/gssproxy/rpc services on client and server (it's
> probably just gssproxy on the client that needs a kick, but just to be
> sure). I was also religiously doing "sss_cache -E" for good measure,
> unmounting anything that got mounted, and clearing
> /var/lib/gssproxy/clients of all caches, to start as cleanly before
> each attempt at user logon. Obv make sure the user does not have an
> existing/valid ticket in their own cache ("kdestroy -A" as the user),
> otherwise it'll just mount successfully without delegation.
>
> I think that's it, I've messed about with the config for a long time
> and in many places, so there's a small chance there's something else
> that I did and don't remember. Gssproxy config on "nfsserver" is
> vanilla, as are my sssd.confs and krb5.confs on both machines, can't
> think of much else that I might've changed for now.
worked for me, thx!
>
> So my IPA automount config now mounts users' home dirs on the
> "nfsclient", without any tickets or keytabs from users.
>
> There's also a "krb5_principal" option available in gssproxy.conf - I
> tried to set that to "nfs/nfsclient@DOM.COM" in "[service/nfs-client]" section on the
> "nfsclient" machine, to try and force gssproxy to use that principal
> instead of "host/...", but it didn't seem to work, gssproxy defaults
> to "host/...". Possibly mis-understanding what this option is for, and
> possibly "host/..." is the safer/standard option? I'm assuming it's
> default for a reason, or maybe just operational convenience (not
> having to pollute /etc/krb5.keytabs with more principals than necessary).
>
according to
https://lists.fedorahosted.org/archives/list/gss-proxy@lists.fedorahosted...
`Well ... embarrassingly ... you might be right if we used
krb5_principal anywhere. I am looking at master code and this looks like
a forgotten option ... oops. `
> Hope this helps.
>
> --
> Thanks,
>
> Greg Kubok.
>
Regards,
Jens Timmerman
6 years, 3 months
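With the rule and target from this thread in place, the practical question for an administrator is which principals may now obtain tickets on users' behalf, and to which services. As an added example, not FreeIPA's code, the script below parses the `servicedelegationrule-show` / `servicedelegationtarget-show` layout quoted above, lists every delegator-to-target path the pair allows, checks that the target output really belongs to the rule, and flags rule members that are not service principals, since a rule is meant to hold service or host principals such as the nfs-client/... one Jens added. The sample output is constructed; the extra alice@EXAMPLE.COM member exists only to exercise the check.

```python
"""Audit an S4U2Proxy rule/target pair from `ipa servicedelegationrule-show`
and `ipa servicedelegationtarget-show` output (added example, not FreeIPA code)."""

# Constructed output in the layout shown in the thread. The IPA CLI prints
# multi-valued attributes comma-separated on one line.
RULE_SHOW = """\
Delegation name: nfs-delegation
Allowed Target: nfs-delegation-targets
Member principals: nfs-client/node2801.example.com@EXAMPLE.COM, alice@EXAMPLE.COM
"""
TARGET_SHOW = """\
Delegation name: nfs-delegation-targets
Member principals: nfs/nfsserver.example.com@EXAMPLE.COM
"""


def parse_show(text):
    """Turn 'Key: value, value' lines into {key: [values]}."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def is_service_principal(principal):
    """Kerberos service principals carry a 'service/host' primary component."""
    primary = principal.split("@", 1)[0]
    return "/" in primary


def impersonation_paths(rule_text, target_text):
    """Return (delegator, target) pairs the rule permits; raise on a mismatch."""
    rule = parse_show(rule_text)
    target = parse_show(target_text)
    target_names = target.get("Delegation name", [])
    if not target_names or target_names[0] not in rule.get("Allowed Target", []):
        raise ValueError("target output does not belong to this rule")
    return [(d, t)
            for d in rule.get("Member principals", [])
            for t in target.get("Member principals", [])]


def audit(rule_text, target_text):
    """Findings for rule members that are not service principals.

    Every member of the rule may present an evidence ticket and obtain a
    service ticket to each target in a user's name, so a non-service entry
    is almost certainly a mistake and should be reviewed."""
    findings = set()
    for delegator, _ in impersonation_paths(rule_text, target_text):
        if not is_service_principal(delegator):
            findings.add(f"{delegator} is not a service principal")
    return sorted(findings)


if __name__ == "__main__":
    for delegator, target in impersonation_paths(RULE_SHOW, TARGET_SHOW):
        print(f"{delegator} may impersonate users to {target}")
    for finding in audit(RULE_SHOW, TARGET_SHOW):
        print("REVIEW:", finding)
```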
String index out of range: -36
by jochem@kuijpersadvies.nl
Hello all,
This is my first post here, so be gentle.
I'm running FreeIPA 4.4.0-14 (ipa-server-4.4.0-14.el7.centos.7.x86_64) on CentOS 7.3.1611 and for a while now I can't get any certificates to my hosts.
The client has ipa-client-4.4.0-14.el7.centos.7.x86_64 installed and is also running CentOS 7.3.1611 (actually, this happens on all new clients, same OS, same version).
I'm running 'ipa-getcert request -f /etc/pki/tls/certs/servername.crt -k /etc/pki/tls/private/servername.key' on the client. This runs without any errors. When I look at the output of 'ipa-getcert list' I get:
Request ID '20170610005114':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.crossyn.local/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (String index out of range: -36)).
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/servername.key'
certificate: type=FILE,location='/etc/pki/tls/certs/servername.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
On the FreeIPA server i noticed in /var/log/httpd/error_log:
[Sat Jun 10 02:51:15.230313 2017] [:error] [pid 7199] ipa: ERROR: ra.request_certificate(): FAILURE (String index out of range: -36)
[Sat Jun 10 02:51:15.230621 2017] [:error] [pid 7199] ipa: INFO: [xmlserver] host/<hostname removed>: cert_request(<removed certificate for security reasons>', principal=u'host/<hostname removed>', add=True, version=u'2.51'): CertificateOperationError
Any thoughts on how to fix this, or how to debug it further? This is a single FreeIPA server with no replicas. When this is fixed I'm going to add a replica, but I don't think I can do that without fixing this.
Best regards,
Jochem Kuijpers
6 years, 3 months