First off, thanks to everyone who makes FreeIPA. It's an awesome product that
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts' "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are CentOS 7.2
and the clients are Ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of
anything that can do it easier I'd be happy to know about it.
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it
I've seen some guides about joining an OS X system to FreeIPA, but I don't
think I want that (we are not currently joining work OS X systems to a
domain, but I suppose we will soon, and I guess joining two domains would
be hairy), but I'm wondering if it's not crazy to kinit, get my Kerberos
tickets and get SSO for https/ssh?
While having a ticket seems to not be enough to get SSH/Firefox to work,
I'm wondering if it's viable to get it to work or if it's a waste of time
because it cannot work or has serious limitations. It's mostly for learning
( Y )
()~*~() mail: alex at corcoles dot net
Two FreeIPA IdM Servers (1 Trust-Controller, 1 Trust-Agent)
We ran into an issue where our Trust-Controller was offline and Kerberos authentication began failing for AD users. We do not allow interactive password auth. via sshd_config on IPA clients, only Pubkey or GSSAPI. From the clients we could resolve AD users without issue, but AD user Kerberos authentication was failing with an error regarding the KDC not being reachable.
Once we got the Trust-Controller back online, all was well and working again. Clearly our Trust-Controller was handling the KDC role in this use-case.
Example of klist output after Trust-Controller was back online. Hostnames/Users changed to protect the innocent of course.
Client: aduser @ AD-DOMAIN.COM
Server: host/ipaclient.freeipadomain.com @ FREEIPADOMAIN.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 4/29/2019 6:35:26 (local)
End Time: 4/29/2019 16:06:39 (local)
Renew Time: 5/6/2019 6:06:39 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: freeipa-trust-controller.freeipadomain.com
My question is this: since we are only doing Kerberos auth for AD users, is it necessary to add the Trust-Agent to some/all MSDCS SRV records within FreeIPA DNS for this to work, in the event the Trust-Controller is offline? It's been a while since I needed to dig into FreeIPA, so perhaps I am missing something.
We're seeing some strange gid assignment behavior. When I run ipa group-add
on one ipa client I get gids in the expected range for my domain (8000-10000).
But when it is run on one of our IPA servers we get numbers like 108500 or 58500.
ipa idrange-find reports what I would expect everywhere:
# ipa idrange-find
3 ranges matched
Range name: AD.NWRA.COM_id_range
First Posix ID of the range: 20000
Number of IDs in the range: 20000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-XXXX
Range type: Active Directory domain range
Range name: legacy
First Posix ID of the range: 1000
Number of IDs in the range: 100
First RID of the corresponding RID range: 10000
First RID of the secondary RID range: 100010000
Range type: local domain range
Range name: NWRA.COM_id_range
First Posix ID of the range: 8000
Number of IDs in the range: 2000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Number of entries returned 3
No idea what else to look at.
Manager of NWRA Technical Systems
NWRA, Boulder/CoRA Office
3380 Mitchell Lane, Boulder, CO 80301
Tel: 720-772-5637 / FAX: 303-415-9702
orion(a)nwra.com / https://www.nwra.com/
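As an added illustration (not part of the thread), the following Python parses the `ipa idrange-find` output quoted above and reports which configured range, if any, a POSIX ID falls in. The range text is the one quoted in the post; the GIDs checked are the poster's observed values 108500 and 58500 plus one in-range value, and an ID that lands in no range is exactly the thing worth investigating, since clients only map IDs that belong to a known range.

```python
"""Classify POSIX IDs against the ranges reported by `ipa idrange-find`.

Added example, not code from the thread or from FreeIPA itself. The DNA
allocation logic is not modelled; this only checks membership in the
ranges the command reports.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the `ipa idrange-find` output quoted in the thread.
IDRANGE_OUTPUT = """\
3 ranges matched
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-XXXX
  Range type: Active Directory domain range

  Range name: legacy
  First Posix ID of the range: 1000
  Number of IDs in the range: 100
  First RID of the corresponding RID range: 10000
  First RID of the secondary RID range: 100010000
  Range type: local domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
Number of entries returned 3
"""


@dataclass
class IdRange:
    name: str
    first: int
    size: int
    kind: str

    @property
    def last(self) -> int:
        return self.first + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.first <= posix_id <= self.last


def _to_range(block: Dict[str, str]) -> IdRange:
    return IdRange(
        name=block["Range name"],
        first=int(block["First Posix ID of the range"]),
        size=int(block["Number of IDs in the range"]),
        kind=block["Range type"],
    )


def parse_idranges(text: str) -> List[IdRange]:
    """Turn the key/value blocks of `ipa idrange-find` into IdRange objects."""
    ranges: List[IdRange] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m is None:
            # Blank line or the "ranges matched" / "entries returned"
            # trailer: flush the block collected so far.
            if current:
                ranges.append(_to_range(current))
                current = {}
            continue
        current[m.group(1).strip()] = m.group(2).strip()
    if current:
        ranges.append(_to_range(current))
    return ranges


def locate(posix_id: int, ranges: List[IdRange]) -> Optional[str]:
    """Name of the range containing posix_id, or None if it is in no range."""
    for r in ranges:
        if r.contains(posix_id):
            return r.name
    return None


def audit(ids: List[int], ranges: List[IdRange]) -> Dict[int, Optional[str]]:
    """Map each ID to its range name (None marks an unallocated ID)."""
    return {i: locate(i, ranges) for i in ids}


if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_OUTPUT)
    for r in ranges:
        print(f"{r.name}: {r.first}-{r.last} ({r.kind})")
    for gid, where in audit([8500, 108500, 58500], ranges).items():
        print(f"gid {gid}: {where or 'NOT IN ANY CONFIGURED RANGE'}")
```

Running it prints the three ranges and flags 108500 and 58500 as belonging to no range, which is the symptom to chase on the server where those GIDs were handed out.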
Our dedicated NFS server was removed from the IPA GUI. The service doesn't
work since this time ONLY for new users.
How to restore service for all users without losing the data and the hand?
Can you please help me to correct this state?
Thank you for your reply.
My goal is to authenticate different users from each client network
interface. If the first IPA server goes down (or network unreachable), then
the admin user can access the second network interface to make
The goal also is that between IPA1 and IPA2, the servers don't have any
If I understand correctly, it is not possible to do it more easily, because I must change or
merge the krb5.keytab + sssd.conf, right?
Also I have another question:
What is the website to begin the full deployment of FreeIPA?
Because I'm a little lost with blog/freeipa.org/fedora/redhat, and some
commands are deprecated ...
I'm on the latest version of IPA: v4.6.4
Best regards
Mr Karim Bourenane
Apologies for the earlier premature post :)
This list helped me solve a number of issues getting a proof-of-concept ipa-ad cross-forest trust working. I believe there is one final issue, hopefully one of the experts here can have a look at the logs and let me know if anything sticks out.
I am able to SSH into the ipa master using my AD creds, but have not yet been able to ssh into a given ipa client using AD creds.
Here's some details:
1. domain.acme.com is the AD domain, ipa.domain.acme.com is the ipa domain. All ipa clients belong to ipa.domain.acme.com, and they reside in a DNS zone controlled by the ipa server.
2. It's using the posix id range scheme.
3. All configs are fairly stock, and everything set up quite happily using srvs for autodiscovery. There are sites configured, which appear to be working.
4. The ipa clients make no effort to contact the ad servers for KDC or PAC. I have a feeling it doesn't get that far.
5. IPA users can ssh into the ipa clients just fine, ad users cannot.
Thank you for your time,
This list helped solve a number of issues related to logging into clients under a cross-forest AD trust. I believe there is one final issue, I'm hoping one of the experts can have a look at the logs and configs.
I can ssh into the IPA servers themselves using AD credentials just fine, however ipa clients do not permit sh
Apr 29 18:14:28 va-prod-agent02 sshd: error: PAM: User not known to the underlying authentication module for illegal user bryantdj(a)splat.bt.com from va-admin.splat.bt.com
The FreeIPA team would like to announce the first release candidate of
FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora releases will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-8/ COPR repository].
A full release notes version can be read at https://www.freeipa.org/page/Releases/4.7.90.pre1
This mail only contains highlights and generic links due to the large size
of the pre-release changes: there are more than 220 bug-fixes.
== Highlights in 4.7.90.pre1 ==
* 4580: FreeIPA's LDAP server requires SASL security strength factor of >= 56
FreeIPA LDAP server default configuration is improved to require SASL
security strength factor higher than 56 bit.
* 4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now utilizes the Python-based installer of the 389-ds directory server
* 4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts a url parameter to provide
the user with a back link after successful password reset, to support
resets initiated by external web applications. Additional parameter
delay automatically redirects back after the specified number of seconds
* 5608: Tech preview: add Dogtag configuration extensions
The FreeIPA team started a rewrite of the Certificate Authority configuration
to make it possible to pass additional options when configuring Dogtag.
This is required to allow use of hardware security modules (HSM) within
FreeIPA CA but also to allow tuning CA defaults. HSM configuration is
not yet fully available due to a number of open issues in Dogtag itself.
* 5803: Add utility to promote CA replica to CRL master
A new utility was added to promote a CA replica to be the CRL master.
The design page provides more details and usage examples.
* 6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing a trust to Active
Directory from the Windows side using the Trust wizard. This allows
establishing a one-way trust authenticated by a shared trust secret.
Additionally, it allows establishing a trust with Samba AD DC 4.7 or
later, initiated from the Samba AD DC side.
* 6790: Allow creating IPA CA with 3084-bit key.
CA key size default is raised to 3072 instead of 2048 because it's the
recommended size by NIST. An extensibility feature added with ticket
5608 allows increasing the CA key size further, but a 4096-bit key is
considerably slower. The change only affects new deployments. There is
no way to upgrade existing CA infrastructure other than issuing a new CA
key and re-issuing new certificates to all existing users of the old
root CA. In addition, lightweight sub-CAs are currently hard-coded to
2048 bit key size. All relevant public root CAs in the CA/B forum use
2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
* 7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces its own umask settings where required to
allow deployment at hardened sites which follow some of STIG
* 7200 ipa-pkinit-manage reports a switch from local pkinit to full
pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable is reporting success even
though the PKINIT cert is not re-issued. The command triggers the
request of a new certificate (signed by IPA CA when state=enable,
selfsigned when disabled), but as the cert file is still present,
certmonger does not create a new request and the existing certificate is
The fix consists of deleting the cert and key file before calling
certmonger to request a new cert.
* 7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to
see a fully qualified name of the server. This change helps to reduce
confusion when managing complex multi-datacenter topologies.
* 7365: make kdcproxy errors in httpd error log less annoying in case AD
KDCs are not reachable
Log level for technical messages of a KDC proxy was reduced to keep logs clean.
* 7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true:
** One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
** All of the DNS entries in the resolution chain are managed by this IPA instance.
** The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
* 7568: FreeIPA no longer supports Python 2
Removed Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
* 7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailability
window. This fix restarts the services as soon as all the required files
are gathered, and compresses after services are restarted.
* 7619, 7640, 7641: UI migration, password reset and configuration pages
Static pages in FreeIPA web UI now allow translated content
* 7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux.
* 7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to
upgrade to FreeIPA 4.8.0 via replication, an existing deployment must
first be brought up to Domain Level 1.
* 7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks the user for an NTP source server or pool address in
interactive mode if there is no server nor pool specified and
autodiscovery has not found any NTP source in DNS records.
* 7892: Tech preview: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to
clients or other masters. Hidden replicas have all services running and
available, but none of the services has any DNS SRV records or enabled
LDAP server roles. This makes hidden replicas invisible for service
The design document provides more details on use cases and management of
* PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient
no longer depend on the binary extensions netifaces and python-ldap by
=== Bug fixes ===
There are more than 220 bug-fixes details of which can be seen in
the list of resolved tickets at https://www.freeipa.org/page/Releases/4.7.90.pre1
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list
or #freeipa channel on Freenode.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
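The three conditions listed under ticket 7451 (IP addresses in subjectAltName) form a small validation algorithm. The Python below, added here as an illustration and not FreeIPA's own implementation, runs those checks against a constructed in-memory DNS table: a SAN DNS name must resolve to the IP (following CNAMEs), every name in the resolution chain must lie in a zone the IPA instance manages, and the IP must have a reverse record in a managed zone. "Correct" reverse entry is interpreted here as a PTR pointing at a name in the chain, and the function accepts the IP if any listed DNS name satisfies all three rules; both are assumptions of this example. The zone names, records and `MANAGED_ZONES` set are constructed sample data.

```python
"""Validate an IP SAN under the rules announced for FreeIPA ticket 7451.

Added example; not FreeIPA code. DNS is modelled with dictionaries so the
logic runs offline. A real implementation would query the IPA-managed
zones instead of these constructed tables.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed forward records: name -> ("CNAME", target) or ("A", ip).
FORWARD: Dict[str, Tuple[str, str]] = {
    "www.example.test.": ("CNAME", "web1.example.test."),
    "web1.example.test.": ("A", "192.0.2.10"),
    "alias.other.test.": ("CNAME", "web1.example.test."),  # zone not managed here
    "host2.example.test.": ("A", "192.0.2.20"),            # has no PTR record
}
# Constructed reverse records: ip -> canonical name.
REVERSE: Dict[str, str] = {"192.0.2.10": "web1.example.test."}
# Zones the hypothetical IPA instance manages (constructed sample data).
MANAGED_ZONES: Set[str] = {"example.test.", "2.0.192.in-addr.arpa."}


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def zone_of(name: str, zones: Set[str] = MANAGED_ZONES) -> Optional[str]:
    """Longest managed zone that contains `name`, or None."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def reverse_name(ip: str) -> str:
    """IPv4 address -> its in-addr.arpa name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def resolve_chain(name: str, forward: Dict[str, Tuple[str, str]] = FORWARD,
                  max_depth: int = 8) -> Tuple[Optional[str], List[str]]:
    """Follow CNAMEs from `name`; return (ip or None, names visited)."""
    name = _fqdn(name)
    chain = [name]
    for _ in range(max_depth):
        rec = forward.get(name)
        if rec is None:
            return None, chain
        rtype, value = rec
        if rtype == "A":
            return value, chain
        name = _fqdn(value)  # CNAME: keep following
        chain.append(name)
    return None, chain  # loop or chain too deep: treat as unresolved


def ip_san_allowed(ip: str, dns_names: List[str]) -> Tuple[bool, str]:
    """Apply the three 7451 conditions; accept if any SAN name passes all."""
    reasons: List[str] = []
    for name in dns_names:
        resolved, chain = resolve_chain(name)
        if resolved != ip:
            reasons.append(f"{name} does not resolve to {ip}")
            continue
        # Rule 2: every name in the resolution chain is in a managed zone.
        unmanaged = [n for n in chain if zone_of(n) is None]
        if unmanaged:
            reasons.append(f"unmanaged names in chain: {unmanaged}")
            continue
        # Rule 3: reverse record exists, is in a managed zone, and is
        # consistent with the forward chain (assumption of this example).
        ptr = REVERSE.get(ip)
        if ptr is None:
            reasons.append(f"no reverse record for {ip}")
            continue
        if zone_of(reverse_name(ip)) is None:
            reasons.append(f"reverse zone for {ip} not managed")
            continue
        if _fqdn(ptr) not in chain:
            reasons.append(f"PTR {ptr} does not match chain {chain}")
            continue
        return True, f"{ip} verified via {' -> '.join(chain)}"
    return False, "; ".join(reasons) or "no DNS names in SAN"


if __name__ == "__main__":
    for ip, names in [("192.0.2.10", ["www.example.test"]),
                      ("192.0.2.10", ["alias.other.test"]),
                      ("192.0.2.20", ["host2.example.test"]),
                      ("203.0.113.5", ["www.example.test"])]:
        ok, why = ip_san_allowed(ip, names)
        print("ALLOW " if ok else "REJECT", ip, names, "-", why)
```

The CNAME through a zone the instance does not manage is rejected even though it ends at a managed A record, and an IP with no reverse entry is rejected even though its forward name is fine; those are the two cases the announcement's wording is guarding against.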