deploying freeipa
by Andrew Meyer
I know I have sent in multiple emails, but we are trying to deploy FreeIPA correctly. However I am getting asked to find out some other details.
Can FreeIPA survive w/o DNS? We would like to implement FreeIPA and still be able to use the SSH, sudo, selinux, LDAP & krb5.
We are moving to AWS and management is afraid that we will have to maintain multiple sets of DNS. And that if FreeIPA is the focal point for all servers and god for bid it crashes, there goes our whole environment. They would like to put the zone in R53 and have that handle ALL the records. If we do go through with not installing DNS w/ FreeIPA will we be shooting ourselves in the foot?
I know that FreeIPA relies heavily on DNS and I have seen multiple conversations regarding not to do this, but is this somewhere in the best practices?
I found this thread from 2015 but I don't think it applies anymore:Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
|
| |
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
| |
|
The problem is that we have 30 domains that we want to use in R53 and he wants to bypass FreeIPA for doing DNS other than for auth and sudo and ldap. Could we put entries in the /etc/hosts file to point to the FreeIPA servers? I feel like this might work and might be more problematic down the line.
Regards,Andrew
3 years, 1 month
Migration AD trust and group
by Henrik Stigendal
Hi,
I am looking into migrating an existing deployment of LDAP with hundreds of users and hundreds of groups into a IPA solution with trust against AD. All users currently exists with the same names in AD but groups does not, one solution would be adding all those groups to AD with gidNumber set to only administer the users and groups in AD. External groups seems to be the solution, but that would require external groups created in the IPA, I would like to avoid that and have tested with groups only in AD with gidNumber set and it seems to work, I can at least see the group and SUDO rules works with the group.
So my question is, can you use groups in AD without referencing them in IPA and any please throw in any other suggestions for trying to have all data in active directory without having to change anything in the IPA when adding users or groups (or host/netgroups for that matter)
Thanks
Henrik
Sent from my iPad
3 years, 1 month
DNS forward zones
by Andrew Meyer
Is it possible to have DNS forward zones only exist on servers in a specific location?
3 years, 1 month
resolvers
by Andrew Meyer
If I don't have global resolver FreeIPA will fallback to using what is in /etc/resolv.conf, correct?
3 years, 1 month
Missing MasterCRL.bin after upgrade from 3.0 to 4 on CentOS 7.4
by Jim Richard
We have a nice simple setup, a single master running 3.0.0-51.el6.centos and as far as I can tell we're in very good shape, all certs checkout ok, being monitored, nothing expired.
Great! Let's finally do the upgrade to CentoOS 7/IPA 4.X
Carefully follow all the instructions here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...>
Everything goes great, I note that CS.cfg on CentOS lives under /etc/pki-ca not /var/lib, ok no problem, great, great and then:
I get to this part of the document:
6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on the new master CA server.
The file is generated based on the time interval defined in the /etc/pki/pki- tomcat/ca/CS.cfg file using the ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240 minutes (4 hours).
If the file exists, the new master CA server is configured correctly, and you can safely dismiss the previous CA master system.
And after messing with CS.cfg update interval settings, rebooting etc, I still get no MasterCRL.bin on the new host.
Any clues as to what I might be doing wrong?
Really hard to say without more info I'm sure.
Can you tell me what to check on the original master before I get started with all the upgrade steps?
I have rolled back my virtual machine snapshot so I'm back to "everything good" state, I think :)
On the original master, before upgrade I have:
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 5 21:00 MasterCRL-20180205-210000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 01:00 MasterCRL-20180206-010000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 05:00 MasterCRL-20180206-050000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 09:00 MasterCRL-20180206-090000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 13:00 MasterCRL-20180206-130000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 17:00 MasterCRL-20180206-170000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 21:00 MasterCRL-20180206-210000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 01:00 MasterCRL-20180207-010000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 07:36 MasterCRL-20180207-073614.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 09:00 MasterCRL-20180207-090000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 13:00 MasterCRL-20180207-130000.der
-rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 17:00 MasterCRL-20180207-170000.der
lrwxrwxrwx 1 pkiuser pkiuser 57 Feb 7 17:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der
drwxrwxr-x 2 root pkiuser 36864 Feb 7 17:00 .
That looks all correct right? Indicated the master is doing what it should re CRL's etc.
I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root pkiuser 775" not "pkiuser pkiuser", but me thinks that's ok.
What log should I look at to see some indication that a transfer or like, "get the CRL list to the new node" is failing?
Thanks !!
<http://www.placeiq.com/> <http://www.placeiq.com/> <http://www.placeiq.com/> Jim Richard <https://twitter.com/placeiq> <https://twitter.com/placeiq> <https://twitter.com/placeiq> <https://www.facebook.com/PlaceIQ> <https://www.facebook.com/PlaceIQ> <https://www.linkedin.com/company/placeiq> <https://www.linkedin.com/company/placeiq>
SYSTEM ADMINISTRATOR III
(646) 338-8905
<http://www.placeiq.com/2015/05/26/placeiq-named-winner-of-prestigious-201...> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-...> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-...> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-...> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-...> <http://placeiq.com/2016/03/08/measuring-addressable-tv-campaigns-is-now-p...> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initi...> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initi...> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initi...> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initi...> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initi...> <http://pages.placeiq.com/Location-Data-Accuracy-Whitepaper-Download.html?...> <http://placeiq.com/2016/08/03/placeiq-bolsters-location-intelligence-plat...> <http://placeiq.com/2016/10/26/the-making-of-a-location-data-industry-mile...> <http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreakin...> <http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreakin...> <https://www.placeiq.com/2017/05/placeiqs-landmark-powers-location-based-i...>
3 years, 1 month
Freeipa Replica with second nfs server
by Jens Laufer
Hey,
as we just bought an new server, i moved everything to him, and it seems to
work pretty fine. But now i want to use the spare server as an backup and
their the problems started:
1. How i set up a duplicated nfs server for autofs'ing the home directory?
1. a. How is the best practices to keep them synced? Maybe even with an
backup function for files that got deleted on one of them?
1. b How i redirect autofs to mount the right nfs when one is failing?
As i was researching that and trying out several settings, i mentioned that
i wasnt able to get the autofs central managment by freeipa running. I had
to write the configs to every client. But i am not quite sure if it wasnt
better for the replica settings but also for everyday use to get an
centralized configuration of autofs running. so my second question would be:
2. How to run an autofs setting in freeipa and how to apply them to an
client?
Pls apoligze my english, it is my third language, and thank u all for every
help u have to offer
Greetings j.
3 years, 1 month
New replica (4.5) issues
by john.bowman@zayo.com
After some trial and error I was finally able to get a new replica + CA (RHEL7.4 and ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa server 3.0 - 4.x) and the ipa-replica-install command completed successfully but now when I run the ipa-manage-replica -v list <host> command I see this:
# ipa-replica-manage -v list ipa5.domain.tld
Directory Manager password:
ipa1.domain.tld: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
last update ended: 1970-01-01 00:00:00+00:00
I ran the ipa-replica-manage re-initialize and it runs successfully and the above permission denied error goes away but the host can not be connected to any other replicas, it no longer sees itself as a replica or csreplica. I assume this is due to the re-init. I'm leery of trying to force it to try and join and potentially cause more issues. I would appreciate any helpful suggestions.
3 years, 1 month
FreeIPA UI not working - Only shows certificate management
by tezarin@yahoo.com
Hi all,
I have installed FreeIPA server on CentOS 6.9 but the GUI is not coming up completely. It only shows the following certificate system messages. Not sure why and here are the files in the /etc/httpd/alias:
lrwxrwxrwx 1 root root 24 Jan 30 14:19 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r----- 1 root apache 16384 Jan 30 14:19 secmod.db.orig
-rw-r----- 1 root apache 24576 Jan 30 14:19 key3.db.orig
-rw-r----- 1 root apache 65536 Jan 30 14:19 cert8.db.orig
-rw------- 1 root root 5274 Jan 30 14:19 install.log
-rw------- 1 root root 32 Feb 1 19:32 ipasession.key
-rw------- 1 root apache 41 Feb 7 16:47 pwdfile.txt.ipasave
-rw-r----- 1 root apache 16384 Feb 7 16:47 secmod.db.ipasave
-rw-r----- 1 root apache 16384 Feb 7 17:09 key3.db.ipasave
-rw-r----- 1 root apache 65536 Feb 7 17:09 cert8.db.ipasave
-rw------- 1 root apache 41 Feb 7 17:49 pwdfile.txt
-rw-r----- 1 root apache 16384 Feb 7 17:49 secmod.db
-rw-r----- 1 root apache 16384 Feb 8 12:00 key3.db
-rw-r----- 1 root apache 65536 Feb 8 12:00 cert8.db
And here are the certs in my /root directory:
-rw-------. 1 root root 1006 Nov 16 2015 anaconda-ks.cfg
-rw-r--r-- 1 pkiuser pkiuser 10328 Feb 7 17:48 cacert.p12
-rw------- 1 root root 2604 Feb 7 17:48 ca-agent.p12
And here is what the GUI shows:
Certificate System
Certificate System
-
The Certificate System is an enterprise-class open source Certificate Authority (CA). It is a full-featured system, and has been hardened by real-world deployments. It supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.
Enter
Any info would be much appreciated.
Thank you
3 years, 1 month
timed out waiting on keys?
by Kat
This is a new one I have not seen before.
Have 4 servers, trying to add a 5th.
Master A and B (in one location) can talk to C and D (in another location)
Trying to add E, which is a new location with the master to replicate
from being D.
When I run client install, no issues at all. Then I try to install E as
a replica with DNS and CA setup and it gets almost all the way and ends
up failing with (from the logs):
2018-02-04T20:00:56Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Timed out trying to obtain keys.
2018-02-04T20:00:56Z ERROR Timed out trying to obtain keys.
It actually dies at:
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
What is confusing, the log also shows that it times out waiting for keys
to appear on "A", which it cannot get to because of location/firewall
settings. What I don't understand, since I am building the replica off
"D", why is it trying to communicate with A?
Any ideas on how to resolve this?
-K
3 years, 1 month
