New FreeIPA User - Bad Login Throttle or Progressive Delay or Brute Force Countermeasures
by Brad Chesney
...Does FreeIPA have anything built in to add increasing sadness to a would be intruder in the event of successive failed authentication attempts?
What is it called so I can search for the documentation on the topic?
Thanks. This is my first foray into making all the servers use one central system for authentication and access controls via roles and permissions.
4 years, 3 months
ipa-healthcheck: a replica says "RA agent description does not match", "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)"
by Alex Corcoles
Hi,
I'm monitoring using ipa-healthcheck and I just started getting:
$ sudo ipa-healthcheck --severity CRITICAL --severity ERROR --failures-only
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
[
{
"source": "ipahealthcheck.ipa.certs",
"kw": {
"msg": "RA agent description does not match 2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET in LDAP and 2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET expected",
"got": "2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET",
"expected": "2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET"
},
"uuid": "0bfa6af6-5dd9-4505-89dc-a733060042a4",
"duration": "0.037322",
"when": "20191221123847Z",
"check": "IPARAAgent",
"result": "ERROR"
},
{
"source": "ipahealthcheck.ipa.certs",
"kw": {
"msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)",
"key": "20181108202133"
},
"uuid": "bd04fd67-7b3e-4d2f-a87e-ff15563808e0",
"duration": "0.491949",
"when": "20191221123848Z",
"check": "IPACertRevocation",
"result": "ERROR"
},
... the second one is repeated a bunch of times. If I go into the replica
web UI to check cert 7, I get very much the same error:
An error has occurred (IPA Error 4301: CertificateOperationError)
Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
However, if I go to the first IPA server I created, I can view the cert
normally. How should I proceed?
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
4 years, 3 months
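An added example (my code, not anything from the post or from ipa-healthcheck itself): a small stdlib-only Python triage script that reads the JSON ipa-healthcheck prints, skips the stray "ra.get_certificate()" warning lines that precede it in the output above, and pulls the two serial numbers out of the IPARAAgent message so it is obvious which certificate LDAP references and which one the replica holds. Reading the message text, the "got" value is what LDAP holds and "expected" is what the check derived from the replica's own RA certificate. The sample input is the post's own output reassembled into valid JSON; the description layout "version;serial;issuer DN;subject DN" is inferred from those values, and the summary field names are mine.

```python
import json

# Constructed sample: the output quoted in the post, with the wrapped strings
# rejoined so the JSON part is valid. The warning lines in front are kept
# because the real tool prints them before the JSON on this failure.
SAMPLE_OUTPUT = """ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
[
 {"source": "ipahealthcheck.ipa.certs",
  "kw": {"msg": "RA agent description does not match 2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET in LDAP and 2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET expected",
         "got": "2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET",
         "expected": "2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET"},
  "uuid": "0bfa6af6-5dd9-4505-89dc-a733060042a4", "duration": "0.037322",
  "when": "20191221123847Z", "check": "IPARAAgent", "result": "ERROR"},
 {"source": "ipahealthcheck.ipa.certs",
  "kw": {"msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)",
         "key": "20181108202133"},
  "uuid": "bd04fd67-7b3e-4d2f-a87e-ff15563808e0", "duration": "0.491949",
  "when": "20191221123848Z", "check": "IPACertRevocation", "result": "ERROR"}
]"""


def load_results(text):
    """Parse the JSON array, ignoring any non-JSON lines printed before it."""
    return json.loads(text[text.index("["):])


def parse_ra_description(desc):
    """Split an RA agent 'description' value into its four fields.

    Assumed layout (inferred from the values above): version;serial;issuer;subject.
    DNs contain commas but no semicolons, so a 3-way limited split is safe.
    """
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected RA description: %r" % desc)
    version, serial, issuer, subject = parts
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def triage(text):
    """Summarise the certs checks: LDAP serial vs. local RA serial, plus the
    keys of every certificate whose revocation lookup the CA refused."""
    summary = {"ra_mismatch": None, "revocation_failures": []}
    for result in load_results(text):
        if result.get("result") not in ("ERROR", "CRITICAL"):
            continue
        check, kw = result.get("check"), result.get("kw", {})
        if check == "IPARAAgent" and "got" in kw and "expected" in kw:
            in_ldap = parse_ra_description(kw["got"])       # value stored in LDAP
            local = parse_ra_description(kw["expected"])    # derived from the replica's RA cert
            summary["ra_mismatch"] = {
                "ldap_serial": in_ldap["serial"],
                "local_serial": local["serial"],
                # Same issuer and subject: two generations of the same RA
                # certificate, not two unrelated certificates.
                "same_identity": (in_ldap["issuer"], in_ldap["subject"])
                                 == (local["issuer"], local["subject"]),
            }
        elif check == "IPACertRevocation" and "Invalid Credential" in kw.get("msg", ""):
            summary["revocation_failures"].append(kw.get("key"))
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_OUTPUT), indent=2))
```

ipa-healthcheck prints JSON by default, so its output can be piped straight into this. On the sample it reports LDAP serial 44 against local serial 7 for the same issuer and subject, which is the comparison to start from before touching anything on the replica.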
Easiest path to provide access to shares to Windows and Mac systems
by Kevin Vasko
So I feel we have a decent process for users on Linux (Ubuntu/CentOS)
to access NFS shares; however, there is rumbling of people wanting to
use their Mac and Windows boxes to access the data shares.
The tricky part of this is we won't be able to enroll the Windows or
Mac systems into FreeIPA.
So is there a "simple" way to allow users on Mac and Windows that
can't be enrolled into the FreeIPA domain to access Kerberized NFS
shares? I think this is going to be difficult in general on Windows
and might have to swap to SMB?
For example, is there a way to download SMB+Kerberos clients, grab
the keys from IPA and allow users to manually authenticate with kinit
and be able to access the NFS or an SMB share?
4 years, 3 months
Sequence rollover
by Sarah PETER
Dear all,
for a few days we have been getting the following message about 1-2 times a day in the error logs of several of our replicas:
INFO - csngen_new_csn - Sequence rollover; local offset updated.
Is this something we should be worried about?
We ran the readNsState.py script from https://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-... and for one of the replicas it shows a big offset for the ipaca domain:
nsState is DwAAAAAAAABM4/ldAAAAAAoAAAAAAAAAngUAAAAAAABF0gAAAAAAAA==
Little Endian
For replica cn=replica,cn=dc\3Duni\2Cdc\3Dlu,cn=mapping tree,cn=config
fmtstr=[H6x3QH6x]
size=40
len of nsstate is 40
CSN generator state:
Replica ID : 15
Sampled Time : 1576657740
Gen as csn : 5df9e34c5382900150000
Time as str : Wed Dec 18 09:29:00 2019
Local Offset : 10
Remote Offset : 1438
Seq. num : 53829
System time : Wed Dec 18 09:30:07 2019
Diff in sec. : 67
Day:sec diff : 0:67
nsState is RwQAAAAAAAD+DtVdAAAAAAsAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==
Little Endian
For replica cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
fmtstr=[H6x3QH6x]
size=40
len of nsstate is 40
CSN generator state:
Replica ID : 1095
Sampled Time : 1574244094
Gen as csn : 5dd50efe000510950000
Time as str : Wed Nov 20 11:01:34 2019
Local Offset : 11
Remote Offset : 14
Seq. num : 5
System time : Wed Dec 18 09:30:07 2019
Diff in sec. : 2413713
Day:sec diff : 27:80913
However, there has not been a message about time/clock skew or any other error messages for that matter. We are running CentOS 7.7 with ipa-server 4.6.5-11.
Best regards,
Sarah
----
Sarah Peter
LCSB Bioinformatics Core & UL HPC Team
UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | Biotech II
6, avenue du Swing
L-4371 Belvaux
T +352 46 66 44 5360
sarah.peter(a)uni.lu | http://lcsb.uni.lu
4 years, 3 months
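An added example (mine, not from the post or from the 389-ds readNsState.py script): decoding the two nsState values above with Python's struct module, using exactly the layout the script printed (fmtstr=[H6x3QH6x], little endian), so the fields can be checked on any replica without the script, and reporting how close the 16-bit sequence counter is to the value at which the "Sequence rollover" line is logged. The "System time" line is converted to a Unix timestamp assuming the poster's clock is UTC+1; that conversion and the output field names are my assumptions.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed input: the two nsState values quoted in the post. SYSTEM_TIME is
# the script's "System time" line (Wed Dec 18 09:30:07 2019) as a Unix
# timestamp, assuming the poster's clock is UTC+1 (an assumption).
NSSTATE = {
    "dc=uni,dc=lu": "DwAAAAAAAABM4/ldAAAAAAoAAAAAAAAAngUAAAAAAABF0gAAAAAAAA==",
    "o=ipaca":      "RwQAAAAAAAD+DtVdAAAAAAsAAAAAAAAADgAAAAAAAAAFAAAAAAAAAA==",
}
SYSTEM_TIME = 1576657807

# Layout readNsState.py printed as fmtstr=[H6x3QH6x], little endian:
#   replica id       uint16, then 6 bytes of padding
#   sampled time     uint64 (seconds since the epoch)
#   local offset     uint64
#   remote offset    uint64
#   sequence number  uint16, then 6 bytes of padding   -> 40 bytes in total
NSSTATE_FMT = "<H6x3QH6x"
SEQ_MAX = 0xFFFF  # the sequence number is a 16-bit field; the rollover message is about it wrapping


def decode_nsstate(b64, now=None):
    """Decode one nsState attribute value; optionally compare it with 'now'."""
    raw = base64.b64decode(b64)
    expected = struct.calcsize(NSSTATE_FMT)
    if len(raw) != expected:
        raise ValueError("nsState is %d bytes, expected %d" % (len(raw), expected))
    rid, sampled, local_off, remote_off, seq = struct.unpack(NSSTATE_FMT, raw)
    state = {
        "replica_id": rid,
        "sampled_time": sampled,
        "sampled_utc": datetime.fromtimestamp(sampled, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "local_offset": local_off,
        "remote_offset": remote_off,
        "seq_num": seq,
        "seq_headroom": SEQ_MAX - seq,  # distance to the 16-bit limit
    }
    if now is not None:
        diff = now - sampled  # same figures as the script's "Diff in sec." / "Day:sec diff"
        state["diff_sec"] = diff
        state["diff_day_sec"] = "%d:%d" % divmod(diff, 86400)
    return state


if __name__ == "__main__":
    for suffix, value in NSSTATE.items():
        print(suffix)
        for key, val in decode_nsstate(value, now=SYSTEM_TIME).items():
            print("  %-14s %s" % (key, val))
```

Running it reproduces the script's numbers for both replicas (replica ID 15 / 1095, offsets 10+1438 and 11+14, sequence numbers 53829 and 5, diffs 67 s and 27 days 80913 s), which confirms the values in the post were read correctly. The sampled time is printed in UTC here, one hour behind the script's local "Time as str".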
COPR repositories changes
by Alexander Bokovoy
Hi,
thanks to the recent changes done by Dinesh (master[1] and ipa-4-8[2]),
it is now possible to have a continuous rebuild of the FreeIPA master and
ipa-4-8 branches using COPR repositories.
We now have @freeipa/freeipa-master-nightly[3] to continuously track git
master branch. Every time there is a commit made upstream in the master
branch and synchronized to FreeIPA GitHub mirror, COPR will do a rebuild
of the git master for Fedora 31 and Rawhide on x86_64, i686, aarch64,
and ppc64le.
We also have @freeipa/freeipa-4.8-nightly[4] to continuously track git
ipa-4-8 branch. Every time there is a commit made upstream in the master
branch and synchronized to FreeIPA GitHub mirror, COPR will do a rebuild
of the git master for Fedora 31 and Rawhide on x86_64, i686, aarch64,
and ppc64le.
Each repository page has an explanation of how to use the COPRs. There will
probably be some delay before actual packages appear in the
repositories, as we haven't had any merges upstream yet since I
set up the tracking process.
I also cleaned up @freeipa/freeipa-master[5] repository which is used for
hosting temporary dependencies that might still be lacking in stable
Fedora versions, not to provide FreeIPA rebuilds.
[1] https://github.com/freeipa/freeipa/pull/4034
[2] https://github.com/freeipa/freeipa/pull/4038
[3] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master-nightly
[4] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4.8-nightly
[5] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4 years, 3 months
Re: IPA with multiple legs: hostname resolution
by vallerul@mskcc.org
Hello Dmitry/Alexander,
I have faced a similar challenge where I need multiple hostnames for the IDM master to work. Can you please confirm whether the design below would work.
IDM master hostname:
hpc-auth01.example.private
Primary Domain: example.private
Master hostname has 2 reachable DNS names, which are not routable to each other:
hpc-auth01.example.org
hpc-auth01.example.private
I have 2 clients. One on private network, one on campus network:
hpc-test01.example.private, which I should be able to register with hpc-auth01.example.private
hpc-test01.example.org, which I should be able to register with hpc-auth01.example.org
Also I would like the slaves to replicate the same way as the clients, with the respective master DNS address.
So..
hpc-slave01.example.private will register/replicate and communicate on hpc-auth01.example.private
hpc-slave02.example.org will register/replicate and communicate on hpc-auth01.example.org
May I know if the above is possible? It does not need to be set up during install; I am fine with configuring it after the installation too.
Thank you,
Lohit
4 years, 3 months
Using Vaults with AD User // Groups
by Rami Elias (TECH V)
Freeipa Problem
we have a FreeIPA --> AD setup (one-way trust)
our problem is we can't get external AD users // groups to work
what we did:
we added the trust:
Trust Settings
Realm name
domain.at
Domain NetBIOS name
DOMAIN
Domain Security Identifier
S-1-5-21-2435101603-3558199190-xxxxxxx
Trust direction
Trusting forest
Trust type
Active Directory domain
we have trusted domains:
domain.at
Enabled
DOMAIN
S-1-5-21-2435101603-3558199190-xxxxxxx
the global trust config looks like:
Domain
lx.domain.at
Security Identifier
S-1-5-21-3255425601-626398459-xxxxxx
NetBIOS name
LX
Domain GUID
671b2faa-5129-4a5c-a410-xxxxxxx
Fallback primary group
Default SMB Group
IPA AD trust agents
ipa-ihs-prod-c81.lx.domain.at
ipa-ihs-prod-c82.lx.domain.at
ipa-ihs-test-c81.lx.domain.at
ipa-ihs-test-c82.lx.domain.at
ipa-web-prod-c81.lx.domain.at
ipa-web-prod-c82.lx.domain.at
ipa-web-test-c81.lx.domain.at
ipa-web-test-c82.lx.domain.at
IPA AD trust controllers
ipa-ihs-prod-c81.lx.domain.at
ipa-ihs-prod-c82.lx.domain.at
ipa-ihs-test-c81.lx.domain.at
ipa-ihs-test-c82.lx.domain.at
ipa-web-prod-c81.lx.domain.at
ipa-web-prod-c82.lx.domain.at
ipa-web-test-c81.lx.domain.at
ipa-web-test-c82.lx.domain.at
we have those id ranges:
LX.DOMAIN.AT_id_range
224200000
200000
local domain range
DOMAIN.AT_id_range
800000000
200000
Active Directory domain range
we executed following commands for external group like described in https://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_fo...
ipa group-add --desc='u0-erdberg' u0-erdberg-verwaltung_ext --external
ipa group-add --desc='u0-erdberg' u0-erdberg-verwaltung
u0-erdberg-verwaltung
224200005
u0-erdberg
ipa group-add-member u0-erdberg-verwaltung_ext --external 'DOMAIN\u0-erdberg-verwaltung'
ipa group-add-member u0-erdberg-verwaltung --groups u0-erdberg-verwaltung_ext
now I log in to a FreeIPA-managed host or an IPA server with
ssh -l ad_user(a)domain.at server.lx.domain.at
and when I check my groups I get:
224200005(u0-erdberg-verwaltung) which is the FreeIPA group
800089798(u0-erdberg-verwaltung(a)domain.at) which is the AD group
now I added roles to the IPA group and the IPA ext group:
User Group: u0-erdberg-verwaltung
Role name
helpdesk
Enrollment Administrator
vault_admin
Smart Proxy Host Manager
IT Specialist
Security Architect
IT Security Specialist
User Administrator
User Group: u0-erdberg-verwaltung_ext
Role name
IT Security Specialist
vault_admin
Smart Proxy Host Manager
User Administrator
Security Architect
IT Specialist
helpdesk
Enrollment Administrator
now the failure happens:
ipa vault-add test --type=standard
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at' .
},
"id": 0,
"principal": "ad_user(a)DOMAIN.AT",
"result": null,
"version": "4.7.1"
}
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.
[ad_user@domain.at(a)ipa-ihs-test-c81 ~]$ ipa -vv vault-add test --type=standard
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
ipa: INFO: Response: {
"error": null,
"id": 0,
"principal": "ad_user(a)DOMAIN.AT",
"result": {
"messages": [
{
"code": 13001,
"data": {
"server_version": "2.230"
},
"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.230",
"name": "VersionMissing",
"type": "warning"
}
],
"summary": "IPA server version 4.7.1. API version 2.230"
},
"version": "4.7.1"
}
ipa: INFO: Request: {
"id": 0,
"method": "vault_add_internal/1",
"params": [
[
"test"
],
{
"ipavaulttype": "standard",
"version": "2.230"
}
]
}
ipa: INFO: Response: {
"error": {
"code": 2100,
"data": {
"info": "Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'."
},
"message": "Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.",
"name": "ACIError"
},
"id": 0,
"principal": "ad_user(a)DOMAIN.AT",
"result": null,
"version": "4.7.1"
}
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.
--
ÖAMTC I BAUMGASSE 129 I 1030 WIEN
Elias Rami | Devops Engineer
M +43 664 613 1346
elias.rami(a)oeamtc.at | www.oeamtc.at | ÖAMTC ZVR 7300335108
4 years, 3 months
Make a CRL + OCSP stapling check
by iam pollux
Hello,
We have a root CA and a subordinate CA with FreeIPA.
The root CA issues a certificate for the subordinate CA, and the subordinate CA provides certificates to the client workstations.
Since multi-stapling is not available, is it possible to verify certificates with (simple) stapling for the subordinate CA and CRLs for the root CA?
And if it's possible, how can we do it?
Thank you very much!!
4 years, 3 months
Re: Setup AD Trust without DNS resolution from AD
by White, David
Thank you for both of your responses.
> No. The reason for that is that AD domain controllers have to resolve IPA DC addresses as well and they use DNS for that too.
I feel fairly certain that our AD environment is not currently able to resolve our production IPA servers.
AD is not setup to do DNS resolution in our corporate environment, for one, and for another, I know that the IPA realm hasn't been added to our corporate DNS servers (as a slave zone, a forwarding zone, or otherwise).
To clarify on our setup, IPA of course has its own realm.
IPA is running its own DNS services.
We have BIND running elsewhere that does DNS forwarding to the IPA realm.
> Just to add to that, you can't put SRV records in /etc/hosts, it merely offers a means to resolve names to IPs and vice versa AFAIK.
We have a stand-alone DNS server in our lab environment.
Is it not possible to add the Active Directory SRV records in there?
From: Angus Clarke <post(a)angusclarke.com>
Date: Thursday, December 19, 2019 at 7:22 AM
Cc: "White, David" <whitedm(a)epb.net>, Alexander Bokovoy <abokovoy(a)redhat.com>
Subject: [Freeipa-users] Re: Setup AD Trust without DNS resolution from AD
Just to add to that, you can't put SRV records in /etc/hosts, it merely offers a means to resolve names to IPs and vice versa AFAIK.
Regards
Angus
From: Alexander Bokovoy via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, 18 December 2019, 19:47
To: FreeIPA users list
Cc: White, David; Alexander Bokovoy
Subject: [Freeipa-users] Re: Setup AD Trust without DNS resolution from AD
On Wed, 18 Dec 2019, White, David via FreeIPA-users wrote:
>I am trying to spin up a new 2-node cluster in my lab environment.
>
>I have FreeIPA installed, and can login to the web UI.
>At this point, I’m trying to establish a trust with AD:
>
>ipa trust-add --type=ad example.net --admin administrator
>
>Based on the errors I was getting with that command’s stdout and
>subsequent research, it occurred to me that I don’t have DNS resolution
>to our corporate internal DNS from my lab environment.
>
>As this is a lab environment, I really don’t care about best practices
>(although I do eventually want to get corporate DNS resolution into my
>lab, that’s likely not happening until January given the holidays… and
>I need to make progress on this project if at all possible).
>
>Is it possible to set the required AD records into `/etc/hosts` on each
>of the (2) nodes?
No. The reason for that is that AD domain controllers have to resolve
IPA DC addresses as well and they use DNS for that too. So it is not
just on IPA side. Additionally, after they resolved SRV records via DNS,
they perform actual site-local search using connectionless LDAP (CLDAP,
389/UDP) directly at the DCs and then resolve those DCs via DNS, so
there is need to have a fully working DNS setup.
>
>And/or since I already have IdM installed with DNS services, is it
>possible for me to go into the web UI, and create a new DNS zone in
>there for the upstream AD environment?
>
>Here are the records I’ve entered into my /etc/hosts file on the master
>FreeIPA server that I’m trying to use to establish the trust (As you
>can see, we have 4 AD servers, so I have set the “A” record in
>/etc/hosts four different times):
>Idm-node-1.fiberlab.example.net
>Idm-node-2.fiberlab.example.net
>example.net
>example.net
>example.net
>example.net
>_kerberos._tcp.example.net
>_kerberos._tcp.example.net
>_kerberos._tcp.example.net
>_kerberos._tcp.example.net
>_kerberos._udp.example.net
>_kerberos._udp.example.net
>_kerberos._udp.example.net
>_kerberos._udp.example.net
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4 years, 3 months
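An added example (my code, not from the thread, FreeIPA or Samba) for the question of what a stand-alone lab DNS server would have to carry: a stdlib-only Python check that parses a BIND-style zone for the AD domain and reports which DC-locator SRV records are missing and which SRV targets have no A record, which is exactly the half of name resolution that /etc/hosts cannot stand in for. The zone text is constructed (example.net as in the thread, RFC 5737 addresses, two of the four DCs, one deliberately broken SRV target and one deliberately missing record). The list of required SRV names is my assumption based on the standard AD locator record names; the thread itself lists only the _kerberos ones.

```python
# Constructed sample zone for the AD domain in the thread. Addresses are
# RFC 5737 documentation addresses; the real IPs were not in the post.
ZONE = """\
$ORIGIN example.net.
$TTL 300
@                        IN SOA  dc1 hostmaster 1 3600 600 86400 300
@                        IN NS   dc1
dc1                      IN A    192.0.2.11
dc2                      IN A    192.0.2.12
_ldap._tcp               IN SRV  0 100 389 dc1
_ldap._tcp               IN SRV  0 100 389 dc2
_ldap._tcp.dc._msdcs     IN SRV  0 100 389 dc1
_kerberos._tcp           IN SRV  0 100 88  dc1
_kerberos._tcp           IN SRV  0 100 88  dc3
_kerberos._udp           IN SRV  0 100 88  dc1
"""

# Assumed minimum set of DC-locator records a trust partner looks up under
# the AD domain (standard AD names; an assumption, not from the thread).
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")


def _fqdn(name, origin):
    """Expand a zone-file owner or target name relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return ("%s.%s" % (name, origin)).lower()


def parse_zone(text):
    """Return {"A": {fqdn: [ip, ...]}, "SRV": {fqdn: [target, ...]}}.

    Handles $ORIGIN, optional TTL and class columns, and ';' comments; other
    record types are ignored because the check only needs A and SRV.
    """
    origin, records = "", {"A": {}, "SRV": {}}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):          # $TTL and friends
            continue
        fields = line.split()
        owner, idx = fields[0], 1
        if idx < len(fields) and fields[idx].isdigit():                      # optional TTL
            idx += 1
        if idx < len(fields) and fields[idx].upper() in ("IN", "CH", "HS"):  # optional class
            idx += 1
        rtype, rdata = fields[idx].upper(), fields[idx + 1:]
        name = _fqdn(owner, origin)
        if rtype == "A":
            records["A"].setdefault(name, []).append(rdata[0])
        elif rtype == "SRV":              # rdata: priority weight port target
            records["SRV"].setdefault(name, []).append(_fqdn(rdata[3], origin))
    return records


def check_trust_dns(records, domain):
    """List missing locator SRV records and SRV targets with no A record."""
    domain = domain.lower()
    missing, unresolvable = [], []
    for prefix in REQUIRED_SRV:
        name = "%s.%s" % (prefix, domain)
        targets = records["SRV"].get(name)
        if not targets:
            missing.append(name)
            continue
        for target in targets:
            if target not in records["A"] and target not in unresolvable:
                unresolvable.append(target)
    return {"missing_srv": missing, "unresolvable_targets": unresolvable}


if __name__ == "__main__":
    print(check_trust_dns(parse_zone(ZONE), "example.net"))
```

On the sample it flags the missing _kerberos._tcp.dc._msdcs record and the dc3 target that has no address. Everything in the "A" half of the table is what /etc/hosts can supply; nothing in the "SRV" half is, which is the first reason given in the reply above. The second reason is the mirror image: the domain controllers perform the same kind of lookups under the IPA domain, so a lab DNS server that only the IPA nodes query covers at most the IPA side.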