IPA users and local groups question
by Jeff Goddard
First off thanks to everyone who makes FreeIPA. It's an awesome product that
we love.
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts' "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2
and the clients are ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Jeff
4 years, 10 months
zabbix for monitoring FreeIPA server?
by Tony Brian Albers
Hi guys,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of
anything that can do it easier I'd be happy to know about it.
/tony
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
4 years, 11 months
ipa-getkeytab: PrincipalName not found
by Harald Dunkel
Hi folks,
maybe I missed something, but shouldn't admin have sufficient
privileges to run
# ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
# reboot
:
:
# kinit admin
# ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
?
ipa-getkeytab failed with
Failed to parse result: PrincipalName not found.
I would have expected it to create the principal on the fly.
"admin" was created at freeipa install time on the first server,
AFAIR. It is a member of the "admins" and "trust admins" groups.
I am concerned that I corrupted something. Every helpful comment
is highly appreciated.
Harri
4 years, 12 months
different security policy for login(password+otp) and screenlock (password only) for workstation
by Jelle de Jong
Hello everybody,
I am looking for a way to have a different authentication policy for a
freeipa-client logout and screenlock on linux workstations.
When a user logs in I want to use my password+otp (this is working)!
When a user locks its screen I want to be able to unlock it with only the
password.
When a user logs out and back in then it needs to use the password+otp
again.
I am aware of the security implications for this.
How can I configure this policy?
Kind regards,
Jelle de Jong
5 years
Re: freeIPA Host certs
by Rob Crittenden
You've been asked multiple times to keep the list on all replies. This
is so others can benefit or perhaps chime in with additional suggestions.
Azim Siddiqui wrote:
> Hi Rob,
>
> I tried running getcert command, but it's not listing anything. (Do I
> need to run this command on the IPA server or on the other Jenkins, Git servers?)
I'd try on all of them. Who knows what the previous admin did. It is no
big loss if you can't find one.
> And also I wasn't able to find the private key.
You need to look in the configuration for those individual services.
They have to refer to some key and cert in order for TLS to work at all.
> Can I generate a new private key ? If yes then, can you please tell me
> the commands to run?
You don't need to maintain the current private key even if you find it.
If you don't find certmonger tracking then assuming the machine(s) are
IPA clients you can use ipa-getcert to request and track the
certificate. This should do renewal as well.
I wrote up a generic how to get a cert for a web server a few months
ago,
https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-...
rob
>
> Thanks & Regards,
> Azeem
>
> On Fri, 22 Mar 2019 at 16:02, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Azim Siddiqui via FreeIPA-users wrote:
> > Hi Rob,
> >
> > Thank you for your email.
> >
> > So here's the thing, we have a total of five servers in our environment.
> > FreeIPA is installed on one of the servers. And the other servers have
> > Tomcat, Jenkins, Git and Haproxy running on the servers. So when I am
> > trying to access URLs for this application, for example Git or Jenkins,
> > it is showing Site is not secured. So basically the certificate has
> > expired. And also I can see the certificates are from IPA.
> >
> > So now I am looking for a way to renew or create new certs for my
> > current expired certs, which are from IPA, so that my URLs will be
> > secured. It's been more than a month, but I am not finding a correct
> > process for this.
> >
> > P.S.: The currently expired certs were created by a System admin, who
> > is not working for us now.
>
> Ok so /etc/pki/nssdb is not what you want.
>
> Look to see how those services are configured to find where their
> certificate(s) are on the filesystem.
>
> Run getcert list as root to see if the certs were originally requested
> using certmonger (I'm guessing not since you say they are expired).
>
> Once you find the cert files you might also find the original CSR. If
> not you can pretty easily generate a new one using the private key you
> find. Submit that to IPA using ipa cert_request and that should resolve
> things for you.
>
> rob
>
> >
> > Thanks & Regards,
> > Azeem
> >
> > On Fri, 22 Mar 2019 at 08:50, Rob Crittenden <rcritten@redhat.com> wrote:
> >
> > Azim Siddiqui via FreeIPA-users wrote:
> > > Hi Florence,
> > >
> > > I want to extract the private key and certificate to a PEM file.
> > > I am talking about the nssdb which is located in /etc/pki path.
> > >
> > > Content of nssdb:
> > > certutil -L -d /etc/pki/nssdb/
> > >
> > > Certificate Nickname                          Trust Attributes
> > >                                               SSL,S/MIME,JAR/XPI
> > >
> > > IPA.CLEAR-MARKETS.COM IPA CA                  CT,C,C
> > >
> > > Is this the correct directory to extract the private key and
> > > certificate? Will it work if I extract the private key from nssdb and
> > > renew the certificate?
> >
> > The threading for this is a bit off so I can't follow the reasoning for
> > this.
> >
> > There is no private key in that directory, only the CA public
> > certificate. If you need that in PEM it is likely already on the machine
> > in /etc/ipa/ca.crt.
> >
> > What is your ultimate goal here?
> >
> > rob
> >
> > >
> > > Thanks & Regards,
> > > Azeem
> > >
> > > On Thu, 21 Mar 2019 at 05:00, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > >
> > > On 3/19/19 7:07 PM, Azim Siddiqui wrote:
> > > > Hi,
> > > >
> > > > I was wondering is there any way I can extract the private key and
> > > > certificate from nssdb directory? Because the one key I have is not
> > > > matching the certificate.
> > > >
> > > Hi
> > > I am insisting, but please keep freeipa-users in copy.
> > >
> > > What do you mean by "extract"? Do you want to remove the key from the
> > > nssdb? or transform it into another format?
> > > To remove a private key from a nssdb, use the certutil command with -F
> > > option. You can find the full format in the man page certutil(1).
> > >
> > > If you want to create a PKCS12 file containing the private key and
> > > certificate:
> > > pk12util -o keys.p12 -n $alias -d $NSSDB
> > >
> > > If you want a PEM file containing the private key:
> > > pk12util -o keys.p12 -n $alias -d $NSSDB
> > > openssl pkcs12 -in keys.p12 -out cert.key -nodes
> > >
> > > If you want a PEM file containing the cert:
> > > certutil -L -d $NSSDB -n $alias -a -o cert.pem
> > >
> > > But first of all, which NSSDB directory are you working with? A NSSDB
> > > can contain multiple keys and certificates, and also certificates
> > > without matching private keys. Can you show the content of your NSSDB?
> > > certutil -L -d $NSSDB
> > > certutil -K -d $NSSDB
> > >
> > > flo
> > > > Thanks,
> > > > Azeem
> > > >
> > > > On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > > >
> > > > On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> > > > > Hi Florence,
> > > > >
> > > > > Thanks for the info. I will check for the ipa cert-find command and
> > > > > will send you the output. Actually, when I am trying to do $ kinit
> > > > > admin it is asking for a password. And I am not sure about the
> > > > > password, as I said it was set by the previous system admin.
> > > > >
> > > > Hi
> > > > (re-adding freeipa-users in cc)
> > > >
> > > > if you do kinit -kt /etc/krb5.keytab you should also have enough
> > > > permissions to perform ipa cert-find.
> > > >
> > > > > And also I can see there is nssdb directory on the server. Do you
> > > > > by any chance know, what is that for?
> > > > There are many nssdb directories on a FreeIPA system. For instance
> > > > /etc/ipa/nssdb is the NSS database used by the ipa * commands. It
> > > > contains the certificates of the trusted certificate authorities. You
> > > > can find more information re. NSS databases in the man page for
> > > > certutil(1).
> > > >
> > > > >
> > > > > If I have the private key on the server, how can I renew the
> > > > > certificate signed by IPA. can you please provide me the steps.
> > > > If you have the private key in $NSSDB database you just need to follow
> > > > the steps provided in my first email
> > > > (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/).
> > > >
> > > > flo
> > > > >
> > > > > thanks & Regards,
> > > > > Azeem
> > > > >
> > > > > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > > > >
> > > > > On 3/18/19 7:50 PM, Azim Siddiqui wrote:
> > > > > > Hi Florence,
> > > > > >
> > > > > > Thanks for your reply.
> > > > > > I am referring to the applications. For example, we have
> > > > > > Apache, haproxy, jenkins, git which use certs signed by IPA. And
> > > > > > now when I am browsing these applications' urls, it is showing
> > > > > > this site is not secured.
> > > > > > And originally, this cert was created by a system admin, who is
> > > > > > not working with us now. So it's getting hard for me to figure
> > > > > > out how can I create or renew the certs.
> > > > > >
> > > > > > And I don't see any files ssl.conf or nss.conf in the server.
> > > > > > The output for getcert list command shows this:
> > > > > > getcert list
> > > > > > Number of certificates and requests being tracked: 0.
> > > > > >
> > > > > > I just want to create a crt and key file signed by IPA. So that I
> > > > > > can use it for the browsers.
> > > > > Hi,
> > > > >
> > > > > please keep the users mailing list in cc, so that everyone can get
> > > > > involved/see the resolution.
> > > > >
> > > > > It is difficult to provide advice with so little information. Can you
> > > > > start by checking which certificates were already issued by FreeIPA,
> > > > > and we'll see if they are expired?
> > > > >
> > > > > $ kinit admin
> > > > > $ ipa cert-find
> > > > >
> > > > > With the full output and based on the subject you'll be able to
> > > > > identify the host or service certs that you are using for your
> > > > > applications. For each of these certs, run
> > > > > $ kinit admin
> > > > > $ ipa cert-show <serial number>
> > > > > and the output will show if the cert is expired (check the Not After
> > > > > field).
> > > > >
> > > > > For an expired cert, you will be able to renew the cert if you still
> > > > > have the private key. The private key location can be found by
> > > > > checking the configuration of your applications.
> > > > > For instance apache on rhel or fedora stores its config in
> > > > > /etc/httpd/conf/httpd.conf, which by default loads the modules in
> > > > > conf.modules.d/*.conf and the config files in conf.d/*.conf.
> > > > >
> > > > > flo
> > > > > >
> > > > > > Thanks,
> > > > > > Azeem
> > > > > >
> > > > > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > > > > >
> > > > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
> > > > > > > Hi Florence,
> > > > > > >
> > > > > > > Hope you are doing good. I tried the way you said. But still, it
> > > > > > > is showing certificate is expired.
> > > > > > >
> > > > > > > Let me be more clear about it.
> > > > > > >
> > > > > > > We have apache running with an expired certificate which is
> > > > > > > signed by FreeIPA. Now I want to renew or create a new
> > > > > > > certificate. So can you please tell me how can I renew or create
> > > > > > > a new certificate signed by Freeipa.
> > > > > > > As whenever I am going to the Apache URL from the browser, it is
> > > > > > > showing site is not secured.
> > > > > > >
> > > > > > > Thanks & Regards,
> > > > > > > Azeem
> > > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > (re-adding freeipa-users in CC).
> > > > > > Can you first confirm that you are referring to a cert for the
> > > > > > apache server *not running on one of the FreeIPA masters*?
> > > > > >
> > > > > > Then please explain how you originally obtained the certificate.
> > > > > > Also include the following information:
> > > > > > - relevant apache configuration (if using mod_ssl, then
> > > > > > /etc/httpd/conf.d/ssl.conf or if using mod_nss,
> > > > > > /etc/httpd/conf.d/nss.conf).
> > > > > > - output of getcert list on the host running apache
> > > > > >
> > > > > > flo
> > > > > >
> > > > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > > > > > >
> > > > > > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > Hope you are doing good. I have a question regarding freeIPA
> > > > > > > > host certificates.
> > > > > > > > We are using FreeIPA as our LDAP. We have some certificates for
> > > > > > > > hosts ex: http/uat.com.
> > > > > > > > And we are deploying the certs in Haproxy in PEM format.
> > > > > > > > But the certificates for this host have expired.
> > > > > > > > Can you please let me know in detail how to renew my expired
> > > > > > > > certificates for the hosts. Please provide me the commands and
> > > > > > > > steps.
> > > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > from your description I understand that you are referring to
> > > > > > > certificates delivered by IPA CA for one of the IPA-enrolled
> > > > > > > hosts, but not the master's Server-Cert used for IPA Web GUI.
> > > > > > >
> > > > > > > In this case, how did you obtain the certificate? If you used a
> > > > > > > method similar to what is described in this wiki [1], the
> > > > > > > certificate should be monitored by certmonger and automatically
> > > > > > > renewed.
> > > > > > >
> > > > > > > If you followed instead this wiki [2], the certificate is not
> > > > > > > tracked by certmonger and needs to be manually renewed. You need
> > > > > > > to do the following, assuming that the cert is in a NSS database
> > > > > > > $NSSDB on the IPA client:
> > > > > > > - find the key nickname
> > > > > > > # certutil -K -d $NSSDB
> > > > > > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > > > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > > > < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
> > > > > > > (note the key nickname for the next command)
> > > > > > >
> > > > > > > - create a new certificate request that will re-use the existing
> > > > > > > key (replace DOMAIN.COM with your IPA domain, in uppercase):
> > > > > > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
> > > > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > > >
> > > > > > > - request a certificate using the new certificate request
> > > > > > > # kinit admin
> > > > > > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
> > > > > > > (the output will display a Serial Number that needs to be noted
> > > > > > > for the next command)
> > > > > > >
> > > > > > > - remove the previous cert from the NSS database:
> > > > > > > # certutil -D -d $NSSDB -n Server-Cert
> > > > > > >
> > > > > > > - export the certificate to a file, then import the certificate
> > > > > > > in the NSS database:
> > > > > > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
> > > > > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
> > > > > > >
> > > > > > > HTH,
> > > > > > > flo
> > > > > > >
> > > > > > > [1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
> > > > > > > [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
> > > > > > >
> > > > > > > > FreeIPA, version: 4.2.0
> > > > > > > >
> > > > > > > > Thanks & Regards,
> > > > > > > > Azeem
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>>
> > > > > > >
> > > >
> <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>
> > > > > >
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>>>
> > > > > > > > Fedora Code of Conduct:
> > > > > > https://getfedora.org/code-of-conduct.html
> > > > > > > > List Guidelines:
> > > > > > >
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > > List Archives:
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > >
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >
>
5 years
Re: System Account for Client Enrollment
by Abdul Wahab
Dear Alexander
Trust you are well. You are very helpful.
I am trying to configure LibreNMS with FreeIPA but am having the issues below.
When I do ldapsearch, I get the error below.
Please help me with this; what do I need to do? Thanks
Sent from Mail for Windows 10
5 years
FreeIPA AD Trust with Samba4 ... is it possible?
by D Anderson
Hello all,
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations
>The internal DNS does not support:
>zone transfers
https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_...
>Conditional forwarders are not implemented yet
I THINK I actually got DNS working, but had to use a solution like the one here
https://www.redhat.com/archives/freeipa-users/2012-October/msg00194.html
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as a subdomain of IPA (which I'm currently doing), or IPA as a subdomain of AD?
On both the samba4 and freeipa machines I can currently dig SRV records for both domains, but when I attempt ipa add-trust, I see in the httpd error logs
>[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts
>[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly (I have all firewall/iptables off and selinux off).
I can give more concrete examples, but before I get lost in the weeds I wanted to know the broad consensus: is it even possible, or are there known bad issues with Samba AD?
Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says
>In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which confuses me ... how do I get an AD trust if I'm setting up samba without AD abilities??
Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
It recommends
a. If you have an AD (Microsoft), use it
b. If you don't have a Microsoft AD, set up Samba4
>but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc)
Thanks
5 years
python-freeipa library
by Ilja Livenson
Hi,
this is a small advertisement about a library that we wrote for automating management of identities in FreeIPA - https://github.com/opennode/python-freeipa / https://python-freeipa.readthedocs.io/. It's been out for quite a while and we use it in production as well. MIT licensed and with only a single dependency - requests. Unfortunately we couldn't find something like this when we needed it, so perhaps the library will save some hours for somebody else. PRs are welcome!
Current feature list is:
- Login to FreeIPA server using username and password.
- Search for users.
- Display information about a user.
- Add, modify and delete a user.
- Get lockout status of a user account.
- Enable and disable a user account.
- Search for groups.
- Display information about a named group.
- Add, modify and delete a group.
- Add members to a group.
- Remove members from a group.
- Change user password.
- Add, modify and delete automount locations, maps and keys.
cheers,
Ilya
5 years
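The feature list above maps onto FreeIPA's own JSON-RPC interface, which is what a library like this wraps. As an added example (my code, not python-freeipa's), here is a minimal session client: a form login against /ipa/session/login_password, then calls to /ipa/session/json carrying the Referer header FreeIPA requires as its CSRF check, plus a parser for the response envelope so server-side errors (not found, permission denied, lockout) surface as exceptions instead of being ignored. The host name, credentials and the API version string are placeholders to set for your deployment; the two sample responses are constructed so the parsing can be exercised offline.

```python
"""Minimal FreeIPA JSON-RPC session client (added example, not python-freeipa code).
Endpoint paths, headers and the response envelope follow FreeIPA's JSON-RPC
interface; the sample responses at the bottom are constructed for offline use."""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request


class IPAError(Exception):
    """Raised when a JSON-RPC reply carries a non-null 'error' object or login fails."""

    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code = code
        self.name = name


def build_rpc_request(method, args=(), options=None, version="2.229", req_id=0):
    """FreeIPA expects params as [positional_args, options]; 'version' pins the API
    version so the server can refuse a client it is not compatible with."""
    opts = dict(options or {})
    opts.setdefault("version", version)  # placeholder: use your server's API version
    return {"method": method, "params": [list(args), opts], "id": req_id}


def parse_rpc_response(body):
    """Return the 'result' member of a FreeIPA JSON-RPC reply, or raise IPAError."""
    data = json.loads(body)
    error = data.get("error")
    if error:
        raise IPAError(error.get("code"), error.get("name"), error.get("message"))
    return data["result"]


def usernames_from_find(result):
    """Flatten a user_find result into the list of uids it matched."""
    return [entry["uid"][0] for entry in result["result"]]


class IPASession:
    """Password login followed by JSON-RPC calls on the resulting session cookie.
    TLS verification stays at urllib's default (enabled)."""

    def __init__(self, host):
        self.base = f"https://{host}/ipa"  # host is a placeholder for your IPA server
        self._opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def _post(self, path, body, content_type, accept):
        # FreeIPA rejects requests whose Referer is not under /ipa (CSRF protection).
        req = urllib.request.Request(
            self.base + path, data=body, method="POST",
            headers={"Referer": self.base, "Content-Type": content_type, "Accept": accept})
        with self._opener.open(req, timeout=30) as resp:
            return resp.read().decode("utf-8")

    def login(self, user, password):
        """Form login; the server sets the ipa_session cookie kept in the jar.
        A refused login is HTTP 401 with an X-IPA-Rejection-Reason header."""
        form = urllib.parse.urlencode({"user": user, "password": password}).encode()
        try:
            self._post("/session/login_password", form,
                       "application/x-www-form-urlencoded", "text/plain")
        except urllib.error.HTTPError as exc:
            reason = exc.headers.get("X-IPA-Rejection-Reason", "unknown")
            raise IPAError(exc.code, "LoginFailed", reason) from exc

    def call(self, method, *args, **options):
        """Run one IPA command, e.g. session.call("user_find", "alice", sizelimit=10)."""
        body = json.dumps(build_rpc_request(method, args, options)).encode()
        return parse_rpc_response(
            self._post("/session/json", body, "application/json", "application/json"))


# Constructed sample replies in FreeIPA's envelope shape (not captured from a server).
SAMPLE_OK_RESPONSE = json.dumps({
    "result": {"result": [{"uid": ["alice"], "memberof_group": ["ipausers"]}],
               "count": 1, "truncated": False, "summary": "1 user matched"},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.TEST", "version": "4.6.4"})
SAMPLE_ERROR_RESPONSE = json.dumps({
    "result": None,
    "error": {"code": 4001, "message": "bob: user not found", "name": "NotFound"},
    "id": 0, "principal": "admin@EXAMPLE.TEST", "version": "4.6.4"})

if __name__ == "__main__":
    print(usernames_from_find(parse_rpc_response(SAMPLE_OK_RESPONSE)))
```

Against a real server the flow is `s = IPASession("ipa.example.test"); s.login("admin", pw); s.call("user_find", "alice")`; a wrong password, expired password or locked account comes back as an IPAError whose message is the server's rejection reason, which is the signal an automation job should log rather than retry blindly.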
Ubuntu 18, recovering borked installation
by Andreas Ericsson
VERSION: 4.6.90.pre1+git20180411, API_VERSION: 2.229
I'm having issues upgrading and/or setting up replication for my
freeipa-server running on ubuntu 18.04. The same problem exists on three
separate installations, making me quite sure it's not a random user error
causing it. All the installations are single-node, with DNS-services and a
CA installed, although the CA isn't (yet) used to generate any certificates
for use outside the FreeIPA servers' own mesh of services.
The problem I consistently get essentially boils down to this:
IPA Error 4016: RemoteRetrieveError
Failed to authenticate to CA REST API
No matter if I try to upgrade, create a replica or just click my way to
"Authentication -> Certificate Authorities -> ipa" (strangely enough, just
clicking "Certificate Authorities" also throws up an error, but after
clicking "ok" the list populates and the only entry, "ipa" is clickable but
never gets me anywhere). I'm confident that fixing this problem would at
least get me along to the next step of the road.
Insofar as I understand it, there was a bug (is, in the version I'm
running) causing renewal of client certificates for the CMS to somehow
fail. That's consistent with what I see when running the following (output
last, for those interested):
getcert list | grep -B1 -A11 CA_REJECTED
The number of certificates listed varies from server to server, with the
oldest installation sporting four rejected certificates.
I've been attempting to work around the issue for several days, using every
trick of every link I've found when searching for others with similar
problems, the most promising of which seemed to be to allow the CMS to
connect to ldap using username and password instead of a client
certificate. That didn't work. Neither did "ipa-backup" followed by
"ipa-restore" on a fresh container installed with identical IP and system
configuration as the original one, so I'm currently at a loss.
Does anyone have any idea how I can get things working again? Pointers to
related issues would also be very helpful, or shortcuts to where I can at
least get the system upgraded to a version that has some sort of proper
documentation.
Unsurprisingly, doing a fresh install and then immediately upgrading to
4.7.1 from the ubuntu freeipa staging ppa works flawlessly, while my
systems fail.
Request ID '20190321175220':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190321175221':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190321175222':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
--
Request ID '20190321175225':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
5 years
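The `getcert list | grep` command in this post finds requests only once they are already CA_REJECTED. As an added example (my code, not certmonger's or FreeIPA's), the parser below reads the full `getcert list` output and reports every tracking request that is not in MONITORING, is stuck, or whose expiry is unknown or within a warning window, so the same check can run from cron or a monitoring agent before renewal fails. The sample output is constructed in certmonger's format (the first record mirrors the auditSigningCert entry quoted in the post; the other two, with their dates and file paths, are invented), and SAMPLE_NOW is a constructed clock value.

```python
"""Flag certmonger tracking requests that need attention (added example, not
certmonger's or FreeIPA's code). Reads the text of `getcert list`, which is
what this script expects on stdin or from a file."""
import re
from datetime import datetime

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
LOCATION_RE = re.compile(r"location='([^']*)'")
HEALTHY_STATUS = "MONITORING"  # certmonger's state for a tracked, valid certificate


def parse_getcert_list(text):
    """One dict per request, keyed by the field names certmonger prints
    ('status', 'stuck', 'expires', ...). grep's '--' separators and blank
    lines are skipped; the indentation certmonger uses is irrelevant."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--":
            continue
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def identity_of(request):
    """Human-readable name: the NSS nickname, else the key file location."""
    storage = request.get("key pair storage", "")
    match = NICKNAME_RE.search(storage) or LOCATION_RE.search(storage)
    return match.group(1) if match else "?"


def problems_for(request, now, warn_days=30):
    """Reasons this request needs attention; empty list means healthy."""
    reasons = []
    status = request.get("status", "")
    if status != HEALTHY_STATUS:
        reasons.append(f"status {status or 'missing'}")
    if request.get("stuck") == "yes":
        reasons.append("stuck")
    expires = request.get("expires", "unknown")
    if expires == "unknown":
        reasons.append("expiry unknown")
    else:
        try:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
        except ValueError:
            reasons.append(f"unparseable expiry {expires!r}")
        else:
            days_left = (when - now).days
            if days_left <= warn_days:
                reasons.append(f"expires in {days_left} days")
    return reasons


def find_problem_requests(text, now, warn_days=30):
    """(request_id, identity, reasons) for every request with at least one reason."""
    found = []
    for req in parse_getcert_list(text):
        reasons = problems_for(req, now, warn_days)
        if reasons:
            found.append((req["request_id"], identity_of(req), reasons))
    return found


# Constructed sample in certmonger's output format (not a real capture).
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20190321175220':
    status: CA_REJECTED
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    expires: unknown
    track: yes
    auto-renew: yes
--
Request ID '20190321175230':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
    expires: 2039-03-21 17:52:20 UTC
    track: yes
    auto-renew: yes
Request ID '20190321175240':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2019-04-01 00:00:00 UTC
    track: yes
    auto-renew: yes
"""
SAMPLE_NOW = datetime(2019, 3, 22)  # constructed clock value for the offline run

if __name__ == "__main__":
    for request_id, name, reasons in find_problem_requests(SAMPLE_GETCERT_OUTPUT, SAMPLE_NOW):
        print(f"{request_id} {name}: {', '.join(reasons)}")
```

In production feed it `getcert list` output and `datetime.utcnow()`; an alert on any non-empty result catches a renewal agent that can no longer authenticate to the CA weeks before the certificates themselves expire and take Dogtag down.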
resetting a password via the API
by Anthony Jarvis-Clark
Hello Everyone,
I'm testing out a FreeIPA password reset app and was wondering about its
use of an API call to reset the user's password.
The code in question is at
https://github.com/larrabee/freeipa-password-reset/blob/master/PasswordRe...
and it's at lines 61/62:
api.Command.user_mod(uid=unicode(uid), userpassword=unicode(password))
api.Command.user_mod(uid=unicode(uid), setattr=unicode("krbPasswordExpiration={0}".format(date)))
When using the API, do you need to manually set the password expiration
date?
The reason I ask is because while testing, that code raises an exception
with the error message "Insufficient access: Insufficient 'write' privilege
to the 'krbPasswordExpiration' attribute of entry
'uid=test,cn=users,cn=accounts,dc=dev,dc=example,dc=net'."
I checked the permission "System: Change User Password" and it doesn't
include krbPasswordExpiration as a writable attribute.
I know that if you use ldapmodify to manually set the user's password, you
do need to also modify the krbPasswordExpiration attribute, but I wasn't
sure when modifying via the IPA API.
I hope this makes sense. Thank you to everyone who answers questions on
this list; you really have a positive impact on the open source community!
Many Thanks,
Anthony
5 years
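The two calls quoted in this post are separate LDAP writes covered by separate permissions: setting userpassword is what "System: Change User Password" grants, while an admin-set password is expired immediately by IPA, which is why the app then writes krbPasswordExpiration, an attribute that permission does not cover. As an added example (my code, not the reset app's), the flow below keeps the two steps distinct and reports a refused second step instead of hiding it. RecordingCommands is a constructed stand-in for ipalib's api.Command so the logic runs offline; reset_with_ipalib shows the assumed real wiring with ipalib (credentials come from the caller's Kerberos ticket cache), and SAMPLE_EXPIRY is a constructed date.

```python
"""Two-step FreeIPA password reset with the privilege split made explicit
(added example, not the code of the password reset app under discussion)."""
from datetime import datetime


def format_krb_expiration(when):
    """krbPasswordExpiration is LDAP generalized time in UTC, e.g. 20190601000000Z."""
    return when.strftime("%Y%m%d%H%M%SZ")


def reset_password(commands, uid, new_password, expires_at=None,
                   access_error=PermissionError):
    """Step 1 sets the password (needs 'System: Change User Password').
    Step 2 pushes krbPasswordExpiration into the future so the user is not forced
    to change the password again at first login; it needs a write privilege on
    that attribute, so a refusal is returned in the outcome rather than swallowed.
    `access_error` is the exception type the backend raises on an ACI refusal
    (ipalib.errors.ACIError in real use; PermissionError for the offline stand-in)."""
    commands.user_mod(uid=uid, userpassword=new_password)
    outcome = {"password_set": True, "expiration_set": False, "error": None}
    if expires_at is None:
        return outcome
    stamp = f"krbPasswordExpiration={format_krb_expiration(expires_at)}"
    try:
        commands.user_mod(uid=uid, setattr=stamp)
        outcome["expiration_set"] = True
    except access_error as exc:
        outcome["error"] = str(exc)
    return outcome


def reset_with_ipalib(uid, new_password, expires_at=None):
    """Assumed real wiring with ipalib on an enrolled client: the caller must hold
    a Kerberos ticket (kinit) for a principal with the permissions described above."""
    from ipalib import api, errors  # imported lazily: only present on an IPA client
    if not api.isdone("finalize"):
        api.bootstrap(context="cli")
        api.finalize()
    api.Backend.rpcclient.connect()
    try:
        return reset_password(api.Command, uid, new_password, expires_at,
                              access_error=errors.ACIError)
    finally:
        api.Backend.rpcclient.disconnect()


class RecordingCommands:
    """Constructed stand-in for api.Command: records every call and refuses the
    krbPasswordExpiration write unless told the caller holds that privilege."""

    def __init__(self, can_write_expiration):
        self.can_write_expiration = can_write_expiration
        self.calls = []

    def user_mod(self, uid, **options):
        self.calls.append((uid, options))
        if "setattr" in options and not self.can_write_expiration:
            raise PermissionError(
                "Insufficient access: Insufficient 'write' privilege to the "
                "'krbPasswordExpiration' attribute of entry "
                f"'uid={uid},cn=users,cn=accounts,dc=example,dc=test'")
        return {"result": {"uid": [uid]}}


SAMPLE_EXPIRY = datetime(2019, 6, 1)  # constructed date for the offline run

if __name__ == "__main__":
    print(reset_password(RecordingCommands(False), "test", "Sup3rSecret!", SAMPLE_EXPIRY))
```

The outcome dict makes the two states distinguishable to the caller: a password that was changed but left expired is a different situation from a failed reset, and an app that treats the ACI error as fatal may leave the user with a password they cannot keep. The fix on the IPA side is to grant the reset app's account a permission covering write access to krbPasswordExpiration, rather than widening "System: Change User Password".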