Re: CA Master Confusion
by Rob Crittenden
Auerbach, Steven via FreeIPA-users wrote:
> After several weeks I am moving back to this project.
>
> I am reading the "Howto/Promote CA to Renewal and CRL Master" documentation.
>
> Background: When I added the Linux 7 / Ipa v4 system (ipa3) I used an export from the original ipa v3 (ipa1) as the input to an ipa-create-replica command.
>
> When I execute the command for ipa version < 4.0 to verify certificate master on all three servers (ipa1 and ipa2 are v3.3, and ipa3 is v4.0)
> $ getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
> the response I get
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> is the same on all three servers.
>
> Several Questions:
> Is this as expected or does it indicate a problem?
It depends. On the IPA v4 server what does ipa config-show |grep -i
renewal say?
> Since ipa3 is NOT the first master, what is the process to make an ipa v4 server the first master?
I assume by first master you mean the CA renewal master and CRL
generator. On the v4 server run: ipa config-mod
--ca-renewal-master-server=<v4 master fqdn>
> Is this done before unconfiguring master status on the ipa v3 servers or after?
Order doesn't matter as long as you aren't in the middle of a renewal.
> Do I unconfigure master renewal on ipa1 and unconfigure clone renewal on ipa2?
Not sure what you mean. It used to be that the tracking was different
between the renewal master and the others. I don't believe that is the
case in v3.3+.
> What to do about the same information on ipa3 (the ipa v4 server) at this point?
v4 uses the renewal master config setting to know which is the master.
I'd focus more on migrating the other two masters to v4 first. While
different versions can interoperate together it is not ideal to run this
way in the long term.
rob
>
> I have no lab in which to try this update, so I am making these changes across a production datacenter and I am EXCEEDINGLY wary of breaking everything.
>
> Advice appreciated.
>
>
> Steven Auerbach
> ASSISTANT DIRECTOR OF INFORMATION SYSTEMS
> INFORMATION TECHNOLOGY & SECURITY
> State University System of Florida
> Board of Governors
> 325 W. Gaines Street, Suite 1625
> Tallahassee, Florida 32399
> (850) 245-9592
> www.flbog.edu
>
>
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: Tuesday, August 27, 2019 9:20 AM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
> Subject: Re: [Freeipa-users] CA Master Confusion
>
> On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
>> As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
>> On the v4.6.4 replica (ipa<3>):
>> $ sudo ipa config-show |grep 'CA renewal master'
>> [sudo] password for <user>:
>> $
>> $
>>
>> On the v3.0.0 (ipa<1>):
>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
>> [sudo] password for <user>:
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
>> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
>> # requesting: dn
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>
> Hi,
> the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA
> 4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I am not surprised that the search does not return anything.
> When the 3.0 server was installed, the attribute did not exist yet. When the 4.x replica was installed, the attribute was not added since the new replica wasn't CA master.
>
> As the attribute is not set at all, the ipa config-show command (internally using the same ldapsearch you did) is unable to find a CA master.
>
> If you want to move the CA master role to ipa3, just follow the steps in [1], making sure to apply the steps for the corresponding IPA version.
>
> Also please note that we do not recommend using versions 3.x and 4.x together over a long period of time. This is completely OK when you want to migrate but once you have ensured all the services are properly working, the 3.x master should be decommissioned. Please see [2].
> HTH,
> flo
>
> [1] https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.fre...
> [2]
> https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess....
>
>>
>>
>> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:
>>
>> $ sudo ipa server-role-find --role 'CA server'
>> [sudo] password for <user>:
>> ----------------------
>> 3 server roles matched
>> ----------------------
>> Server name: ipa<2>.mydomain.local
>> Role name: CA server
>> Role status: absent
>>
>> Server name: ipa<1>.mydomain.local
>> Role name: CA server
>> Role status: enabled
>>
>> Server name: ipa<3>.mydomain.local
>> Role name: CA server
>> Role status: absent
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>> And on the v3.0.0 (ipa<1>) I get:
>>
>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
>> # filter: (&(cn=CA)(ipaConfigString=caServer))
>> # requesting: dn
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>>
>> The way forward is not clear.
>> -Steven Auerbach
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
4 years, 1 month
Re: CA Master Confusion
by Florence Blanc-Renaud
On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
> As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
> On the v4.6.4 replica (ipa<3>):
> $ sudo ipa config-show |grep 'CA renewal master'
> [sudo] password for <user>:
> $
> $
>
> On the v3.0.0 (ipa<1>):
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> [sudo] password for <user>:
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
Hi,
the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA
4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I
am not surprised that the search does not return anything.
When the 3.0 server was installed, the attribute did not exist yet. When
the 4.x replica was installed, the attribute was not added since the new
replica wasn't CA master.
As the attribute is not set at all, the ipa config-show command
(internally using the same ldapsearch you did) is unable to find a CA
master.
If you want to move the CA master role to ipa3, just follow the steps in
[1], making sure to apply the steps for the corresponding IPA version.
Also please note that we do not recommend using versions 3.x and 4.x
together over a long period of time. This is completely OK when you want
to migrate but once you have ensured all the services are properly
working, the 3.x master should be decommissioned. Please see [2].
HTH,
flo
[1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
>
> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:
>
> $ sudo ipa server-role-find --role 'CA server'
> [sudo] password for <user>:
> ----------------------
> 3 server roles matched
> ----------------------
> Server name: ipa<2>.mydomain.local
> Role name: CA server
> Role status: absent
>
> Server name: ipa<1>.mydomain.local
> Role name: CA server
> Role status: enabled
>
> Server name: ipa<3>.mydomain.local
> Role name: CA server
> Role status: absent
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> And on the v3.0.0 (ipa<1>) I get:
>
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caServer))
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>
> The way forward is not clear.
> -Steven Auerbach
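Both replies in this thread (Rob's "what does ipa config-show say?" and Florence's explanation that config-show runs the same caRenewalMaster ldapsearch) come down to one consistency check: is a CA renewal master recorded at all, and is it a server whose CA role is actually enabled? The POSIX shell script below, added here as an illustration and not code from the thread or from the FreeIPA project, performs that check on captured output of "ipa config-show" and "ipa server-role-find --role 'CA server'". It assumes the 4.x label "IPA CA renewal master" in config-show output and the "Server name / Role name / Role status" layout shown in the thread; the three sample outputs are constructed to mirror the situation described (ipa1 the only enabled CA, no renewal master set).

```shell
#!/bin/sh
# Check that the recorded CA renewal master is one of the enabled CA servers.
# Added example; sample outputs below are constructed, not from a real realm.

# Constructed `ipa config-show` output: the renewal master attribute is unset
# (what the thread's v3-installed realm looks like from a v4 server).
SAMPLE_CONFIG_UNSET='Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers'

# Constructed output with the attribute pointing at an enabled CA server.
SAMPLE_CONFIG_OK='Maximum username length: 32
IPA CA renewal master: ipa1.mydomain.local'

# Constructed output pointing at a server whose CA role is absent.
SAMPLE_CONFIG_MISMATCH='Maximum username length: 32
IPA CA renewal master: ipa3.mydomain.local'

# Constructed `ipa server-role-find --role 'CA server'` output.
SAMPLE_ROLES='----------------------
3 server roles matched
----------------------
  Server name: ipa2.mydomain.local
  Role name: CA server
  Role status: absent

  Server name: ipa1.mydomain.local
  Role name: CA server
  Role status: enabled

  Server name: ipa3.mydomain.local
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 3
----------------------------'

# renewal_master CONFIG_TEXT: print the recorded renewal master, or nothing
# if the attribute is not set (the 4.x label is assumed here).
renewal_master() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p'
}

# enabled_ca_servers ROLES_TEXT: print one hostname per line for every
# entry whose "Role status" is enabled.
enabled_ca_servers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Server name:/ {
            sub(/^[[:space:]]*Server name:[[:space:]]*/, "")
            name = $0
        }
        /^[[:space:]]*Role status:[[:space:]]*enabled/ { print name }'
}

# check_renewal_master CONFIG_TEXT ROLES_TEXT: print UNSET, OK or MISMATCH.
# UNSET    - no renewal master recorded (nothing will renew the CA certs)
# OK       - the recorded master has the CA role enabled
# MISMATCH - the recorded master is not an enabled CA server
check_renewal_master() {
    master=$(renewal_master "$1")
    if [ -z "$master" ]; then
        echo "UNSET"
        return 0
    fi
    for s in $(enabled_ca_servers "$2"); do
        if [ "$s" = "$master" ]; then
            echo "OK"
            return 0
        fi
    done
    echo "MISMATCH"
}

# Stand-alone demonstration over the constructed samples.
printf 'unset sample:    %s\n' "$(check_renewal_master "$SAMPLE_CONFIG_UNSET" "$SAMPLE_ROLES")"
printf 'ok sample:       %s\n' "$(check_renewal_master "$SAMPLE_CONFIG_OK" "$SAMPLE_ROLES")"
printf 'mismatch sample: %s\n' "$(check_renewal_master "$SAMPLE_CONFIG_MISMATCH" "$SAMPLE_ROLES")"
```

On a live server the two inputs are simply "$(ipa config-show)" and "$(ipa server-role-find --role 'CA server')". UNSET is the state Florence describes (attribute never created by the 3.x install); MISMATCH is what you would see after running "ipa config-mod --ca-renewal-master-server" against a host that is not yet a CA, which is worth catching before the first renewal window rather than during it.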
4 years, 1 month
Online migration from internal CA to no-CA setup
by Marco V.
Hi,
We've installed a replicated 7Server IPA setup with an internal CA.
Now, due to corporate policies we need to migrate to a no-CA setup (because we need to use corporate-signed certificates
and a sub-CA is also not allowed.) So we need to migrate from 7Server internal-CA replicated IPA to 8Server no-CA replicated IPA.
ipa-replica-install does not support --ca-cert-file, so we cannot install the new replica with the corporate certificates straight away.
What would be the correct procedure?
I've come up with the following steps:
1. install the new 8Server replicas without CA, (They will get the self-signed certificates from existing 7Server master (first master))
2. first add corporate root CA to both 7Server and 8Server nodes systems ca-bundle.trust.crt
3. manually replace HTTP and LDAP certificates with corporate-signed certificates
4. remove 7Server replica and first master, so we end up with the no-CA 8Server nodes only
I'm wondering whether replication will still be functional when performing step 3, but I can perform additional testing on that.
We are running production with our setup, so we need an 'online' migration strategy.
Would this be the best approach or do I need another solution? ;-)
4 years, 1 month
Migration FreeIPA to another server
by Petar Kozić
Hi,
I have a FreeIPA server running in Docker. I am using FreeIPA for ssh
authentication on servers. I have about 25 servers added there and about 15
users.
I want to migrate that to a VPS.
I checked all the documentation about migration but I didn't find a
reasonable process.
Can someone write me what the easiest way to do that is?
Thanks.
--
Petar Kozić
4 years, 1 month
ipa vault: internal error, "Invalid Credential"
by Dmitry Perets
Hi,
Pretty much any vault-related calls in one of my environments result in the internal error, although the call seems to (partially) succeed.
For example:
# ipa vault-add test --type standard
ipa: ERROR: an internal error has occurred
But the vault is created:
# ipa vault-find
---------------
1 vault matched
---------------
Vault name: test
Type: standard
Vault user: admin
----------------------------
Number of entries returned 1
----------------------------
I'll get the same error if I try "ipa vault-del", "vault-archive" or "vault-retrieve".
At the same time, the following is written in /var/log/messages:
Sep 19 23:54:39 t-idm-ber800-1 server: Invalid Credential.
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cmscore.authentication.CertUserDBAuthentication.authenticate(CertUserDBAuthentication.java:174)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:112)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:85)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:114)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:47)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:89)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:59)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:578)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
Sep 19 23:54:39 t-idm-ber800-1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Sep 19 23:54:39 t-idm-ber800-1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Sep 19 23:54:39 t-idm-ber800-1 server: at java.lang.Thread.run(Thread.java:748)
Any idea what could go wrong here....?
Thanks.
Info: ipa-server 4.6.4 on RHEL 7.6, and I am running these commands from the IPA server itself, on which CA and KRA are installed (in fact, it's the only active CA/KRA master in that environment).
---
Regards,
Dmitry Perets
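The /var/log/messages excerpt in this post is one Tomcat exception (the "Invalid Credential." raised in CertUserDBAuthentication, i.e. the PKI realm rejecting the client certificate) spread over twenty syslog lines, and every vault call adds another copy. Before counting how often it happens or correlating it with vault commands, it helps to fold each exception back into a single record. The shell/awk function below is an added example, not code from the post or from Dogtag/FreeIPA; it reads syslog-format lines on stdin and emits one line per exception with its timestamp, message, frame count and top frame. The sample lines are constructed, modelled on the post's excerpt with a placeholder host name.

```shell
#!/bin/sh
# Fold multi-line Dogtag ("server:") exceptions from syslog into one summary
# line each. Added example; the sample below is constructed.

# Constructed sample: two "Invalid Credential." exceptions with an unrelated
# sshd line in between. Host name is a placeholder.
SAMPLE_MESSAGES='Sep 19 23:54:39 idm-host-1 server: Invalid Credential.
Sep 19 23:54:39 idm-host-1 server: at com.netscape.cmscore.authentication.CertUserDBAuthentication.authenticate(CertUserDBAuthentication.java:174)
Sep 19 23:54:39 idm-host-1 server: at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:112)
Sep 19 23:54:39 idm-host-1 server: at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:85)
Sep 19 23:54:40 idm-host-1 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
Sep 19 23:55:01 idm-host-1 server: Invalid Credential.
Sep 19 23:55:01 idm-host-1 server: at com.netscape.cmscore.authentication.CertUserDBAuthentication.authenticate(CertUserDBAuthentication.java:174)'

# summarize_pki_traces: stdin = syslog lines, stdout = one line per exception:
#   <Mon DD HH:MM:SS> msg="<message>" frames=<n> top=<first stack frame>
summarize_pki_traces() {
    awk '
        # Emit the pending exception record, if any.
        function flush() {
            if (msg != "")
                printf "%s msg=\"%s\" frames=%d top=%s\n", ts, msg, frames, top
            msg = ""
        }
        # Continuation frame of the pending exception.
        /server: at / {
            frames++
            if (top == "") { sub(/.*server: at /, ""); top = $0 }
            next
        }
        # Any other line ends the pending exception.
        { flush() }
        # A non-frame "server:" line starts a new exception record.
        / server: / {
            split($0, f, / server: /)
            msg = f[2]
            ts = $1 " " $2 " " $3
            frames = 0
            top = ""
        }
        END { flush() }
    '
}

# count_invalid_credential: number of folded exceptions whose message is
# "Invalid Credential." in the sample above.
count_invalid_credential() {
    printf '%s\n' "$SAMPLE_MESSAGES" | summarize_pki_traces | grep -c 'msg="Invalid Credential."'
}

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_MESSAGES" | summarize_pki_traces
printf 'Invalid Credential exceptions: %s\n' "$(count_invalid_credential)"
```

On a real host, "journalctl -u pki-tomcatd@pki-tomcat" or the raw /var/log/messages can be piped into summarize_pki_traces; the top frame tells you which authenticator failed (here certificate-based authentication to the PKI realm), and the count per time window lets you confirm that each failed vault call produces exactly one such exception.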
4 years, 1 month
Granting rwx permission to directory or file of host to a user by FREEIPA
by Syed Muhammad Hassan
I am new to FreeIPA and struggling very hard to achieve a task. Below is my desired task.
I have two hosts, watch1.office.com and watch2.office.com, and a user john in FreeIPA. I want user john to be able to only read, write and execute in the /etc/sysconfig directory of watch1.office.com and edit /etc/ssh/sshd_config. How can I achieve this task? I want user john to be able to edit a specific file or execute in a directory for which permission is granted. But I do not know how to make or grant such permission in FreeIPA. Any help would be much appreciated.
4 years, 1 month
Re: Enabling more FreeIPA CA servers
by Fraser Tweedale
Hi Stuart,
Adding the freeipa-users@ mailing list for visibility.
I'd have to work through your scenario to work out why it fails.
But it may be some time before I get around to that.
I think your idea to first try creating a CA replica on F28 before
moving forward to F30 is a sensible thing to try.
One question though: are you on Domain Level 0 or 1?
(`ipa domainlevel-get`).
Cheers,
Fraser
On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
> Dear Fraser,
>
> I've read through lots of posts but I am uncertain about the best way
> forward and wonder if I could seek your guidance? I just don't want to break
> things.
>
> Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need
> updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30
> server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION:
> 2.233.
>
> The reason for adding a new server before updating the others is the web
> interface warning:
>
> Warning: Only One CA Server Detected
> It is strongly recommended to keep the CA services installed on more than
> one server
>
> which I fully understand is not good, but it doesn't offer to just fix it!
>
> I suspect server #4 may be too new, failing with both
>
> ipa-replica-install --setup-ca
>
> and
>
> ipa-ca-install
>
> in a very similar way, e.g.
>
> 2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
> 2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
> method()
> File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
> self.admin_dn, master_conn
> ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
> 2019-09-26T16:18:15Z DEBUG [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
>
> which I think others have also run into.
>
> Next thought was to confirm what we had:
>
> [root@freeipa01 ~]# ipa server-find
> ---------------------
> 4 IPA servers matched
> ---------------------
> Server name: freeipa01.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa02.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa03.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa04.services.nsa.stats.ox.ac.uk F30
> ----------------------------
> Number of entries returned 4
> ----------------------------
> [root@freeipa01 ~]# ipa server-role-find --role "CA server"
> ----------------------
> 4 server roles matched
> ----------------------
> Server name: freeipa01.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: enabled
>
> Server name: freeipa02.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
>
> Server name: freeipa03.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
>
> Server name: freeipa04.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
> ----------------------------
> Number of entries returned 4
> ----------------------------
>
>
> and then find out how to change the "Role status:" to enabled, starting on
> freeipa02 but I am not sure how to achieve this, e.g.
>
>
> [root@freeipa02 ~]# ipa-ca-install
> CA is already installed on this host.
>
> true but doesn't really help. Sorry if this is very easy to do with a
> command I have totally missed.
>
> Currently I know if freeipa01 fails, client logins also fail, and I assume
> this is because it is the only CA server enabled.
>
> Work plan:
>
> 1. Enable more CA servers
>
> 2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too
> far at once, probably updating servers #2, then #3 and finally #1.
>
> 3. Add more servers for resiliency
>
>
> Any idea how to get more CA servers enabled or any other suggestions?
>
> Many thanks
>
> Best wishes
>
> Stuart
4 years, 1 month
IPA domain realms
by Ronald Wimmer
I have an IPA installation with an AD trust from ipa.mydomain.at to
ad.mydomain.at.
What is the Realm domains feature for?
Is it possible to define an IPA subdomain (e.g. test.ipa.mydomain.at) as
an additional realm domain? Will Kerberos and AD trust (configured for
ipa.mydomain.at) work for this domain?
Cheers,
Ronald
4 years, 1 month