Smartcard host login w/ Third-Party CA and PKINIT
by Khurrum Maqb
We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would like to properly configure smartcard authentication. The smartcards that we're using have been signed by an External CA controlled by a different entity. So to get that working, I've added the required CA certs using
ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install <CA>.pem
and then ran ipa-certupdate on all replicas, and restarted httpd. I associated the card authentication cert from the user's smartcard to the Identity using the GUI. I am able to search using the cert, and it retrieves the user correctly.
I also used ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh to create the script, ran it on a client host with the correct CA files. On the client side I had to edit sssd.conf and add a
[pam]
p11_child_timeout = 15
and it worked and the user was able to log in to the desktop. However, it was taking 40 seconds for the login which sounded like something was timing out. I checked the krb log and found
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].
And it reported that the backend was offline
So I added
[domain/dom.ain.com]
krb5_auth_timeout = 15
at which point I noticed I didn't have PKINIT running on the servers. So I ran ipa-pkinit-manage enable on all the replicas with a CA, and soon
ipa pkinit-status showed PKINIT status: enabled, and the backend stopped showing as offline.
However, that does not solve the issue, and if I have krb5_auth_timeout = 15 in sssd, the login stops working and instead I get a pre-auth issue: Additional pre-authentication required / Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result: -1765328243/Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204431: Sending unauthenticated request
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC
But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it logs the user in with the smart card + pin but klist shows NO kerberos tickets.
So my question is, do I have to add the external CA certificates to the KDC separately? They aren't really for our REALM so I don't know how that would help.
Running
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username
prompts the user for the PIN, but after the PIN is entered, it immediately asks for the password. So it looks like the part that is failing is the KRB authentication.
Any suggestions would be very appreciated. Ideally I'd like for the smartcard auth to let the users in in a timely manner (ie ~5-15 seconds) and also give the users a kerberos ticket.
Thanks!
4 years, 3 months
deploying Freeipa with script
by Boudjoudad Abdelkader
Hello,
I'm trying to automate freeipa-client installation on Ubuntu with a custom
script using MAAS as follows:
HOSTNAME=$(hostname)
IP=$(hostname -i | awk '{print $1}')
echo "$HOSTNAME.example.com" > /etc/hostname
FQDN="$HOSTNAME.example.com"
echo "FQDN is: $FQDN"
sed -i "1 i\
$IP $FQDN $HOSTNAME" /etc/hosts
apt-get -y update
apt-get install -y nfs-kernel-server nfs-common
DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
    --domain example.com --no-ntp --unattended --principal admin --password \
    'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
service sssd restart
After the deployment I can do kinit domain_user and ipa user-show without
any problem, but when I try to mount an NFS share from /etc/fstab with the
following options I get an error:
The mount in /etc/fstab: nfs4
rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
0 0
The error:
mount -av
/ : ignored
none : ignored
mount.nfs4: timeout set for Wed May 29 20:04:29 2019
mount.nfs4: trying text-based options
'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
I tried to install freeipa-client manually and the nfs mount works:
ipa-client-install
What am I missing?
Thanks,
4 years, 4 months
Windows Integration - Using SSH Without Passwords
by lejeczek
hi guys,
reading the official guide one may assume - I do - that "Using SSH Without
Passwords" should work out of the box (CentOS 7.6) - is such an assumption valid?
For me this does not work - ssh still asks for passwords.
If this is due to some failure/problem, then where to look and how to
troubleshoot?
many thanks, L.
4 years, 4 months
IPA-Backup fails
by Dirk Streubel
Hello,
I have a little problem with a full backup of my IPA server.
The command ipa-backup -d doesn't work; the output is this:
ipapython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful
ipaserver.install.ipa_backup: INFO: Backing up ipaca in LINUXTEST-INTRANET-FRITZ-DE to LDIF
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/db2ldif', '-Z', 'LINUXTEST-INTRANET-FRITZ-DE', '-r', '-n', 'ipaca', '-a', '/var/lib/dirsrv/slapd-LINUXTEST-INTRANET-FRITZ-DE/ldif/LINUXTEST-INTRANET-FRITZ-DE-ipaca.ldif']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=Usage: db2ldif [-Z serverID] {-n backend_instance}* | {-s includesuffix}* [{-x excludesuffix}*] [-a outputfile]
[-E] [-r] [-u] [-U] [-m] [-1] [-q] [-V] [-v] [-h]
Note: either "-n backend" or "-s includesuffix" is required.
Options:
-Z serverID - Server instance identifier
-n backend - Backend database name. Example: userRoot
-s inclduesuffix - Suffix to include
-x - Suffix to exclude
-a outputfile - Name of the exported LDIF file
-r - Include replication data
-E - Decrypt attributes
-u - Do not export the nsUniqueId attribute
-U - Do not wrap long lines
-m - Do not base64 encode values
-1 - Do not include version text
-q - Quiet mode - suppresses output
-V - Verbose output
-v - Display version
-h - Display usage
You must supply a valid server instance identifier. Use -Z to specify instance name
Available instances: <none>
ipapython.ipautil: DEBUG: stderr=
ipaserver.install.ipa_backup: CRITICAL: db2ldif failed:
ipapython.admintool: DEBUG: File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_backup.py", line 329, in run
self.db2ldif(instance, 'ipaca', online=options.online)
File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_backup.py", line 461, in db2ldif
shutil.move(ldiffile, os.path.join(self.dir, ldifname))
File "/usr/lib64/python3.7/shutil.py", line 577, in move
copy_function(src, real_dst)
File "/usr/lib64/python3.7/shutil.py", line 263, in copy2
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib64/python3.7/shutil.py", line 120, in copyfile
with open(src, 'rb') as fsrc:
ipapython.admintool: DEBUG: The ipa-backup command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/dirsrv/slapd-LINUXTEST-INTRANET-FRITZ-DE/ldif/LINUXTEST-INTRANET-FRITZ-DE-ipaca.ldif'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/var/lib/dirsrv/slapd-LINUXTEST-INTRANET-FRITZ-DE/ldif/LINUXTEST-INTRANET-FRITZ-DE-ipaca.ldif'
ipapython.admintool: ERROR: The ipa-backup command failed. See /var/log/ipabackup.log for more information
[root@ipaserver1 ipa-data-2019-05-31-10-23-30]# man ipa-backup
I have tested the command on two different machines; the result and the error log are the same. ipa-backup --data --online works fine.
Did I miss a subcommand for a full backup, or where is my mistake?
My OS is Fedora Rawhide with the latest IPA version.
Dirk
4 years, 4 months
What is transient error?
by Andrey Bondarenko
https://pagure.io/389-ds-base/pull-request/50072
says: "Transient errors are temporary conditions that usually resolve
themselves."
What actually are those errors? We have some amount of them spreading
sometimes. What causes them, and what do they actually affect or may affect in
the future?
Can I ignore them in my automated checks at all?
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
4 years, 4 months
ipa server upgrade fails - dirsrv complains about Unknown attribute syntax OID
by Darac Marjal
Hello good people,
Due to being unfamiliar with Fedora, my home FreeIPA server has been
languishing on Fedora version 25 for ages. I recently twigged that it
hadn't been updated in ages and upgraded it to Fedora version 30. That
seemed to go OK, but now, when I try to run ipactl start, I get the
following:
# ipactl start
IPA version error: data needs to be upgraded (expected version
'4.7.90.pre1-4.fc30', current version '4.4.4-1.fc25')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'dirsrv@GHIBLI-DARAC-ORG-UK.service'] returned non-zero exit
status 1: 'Job for dirsrv@GHIBLI-DARAC-ORG-UK.service failed because the
control process exited with error code.\nSee "systemctl status
dirsrv@GHIBLI-DARAC-ORG-UK.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
See the upgrade log for more details and/or run
/usr/sbin/ipa-server-upgrade again
Aborting ipactl
Looking into the logs for dirsrv@<REALM>, I see the following:
May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]:
[29/May/2019:20:30:52.917492045 +0100] - ERR - dse_read_one_file - The
entry cn=schema in file /usr/share/dirsrv/schema/00core.ldif (lineno: 1)
is invalid, error code >
May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]:
[29/May/2019:20:30:52.989705116 +0100] - ERR - setup_internal_backends -
Please edit the file to correct the reported problems and then restart
the server.
May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]:
dirsrv@GHIBLI-DARAC-ORG-UK.service: Main process exited, code=exited,
status=1/FAILURE
May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]:
dirsrv@GHIBLI-DARAC-ORG-UK.service: Failed with result 'exit-code'.
May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]: Failed to start
389 Directory Server GHIBLI-DARAC-ORG-UK..
Now, in an attempt to fix this, I spun up a new VM, installed
freeipa-server and then copied /usr/share/dirsrv/schema/*.ldif over, but
that doesn't seem to have had any effect.
Can anyone assist in pointing me in a direction to fixing this?
Many thanks!
4 years, 4 months
ECC keypair generation failed with `ipa-server-install` on HSM
by チョーチュアン
Hello,
Recently I've been experimenting with an HSM and FreeIPA. I got stuck at the CA
generation, but that's a separate issue. I somehow achieved a successful key
generation on the HSM with the default key_algorithm/size settings: RSA 3072/2048
keys showed up on the HSM even after a failed CA installation, but that was not the
case with ECC keys.
The error was:
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned
non-zero exit status 1:
pkihelper : ERROR Server unreachable due to SSL error:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
sslv3 alert handshake failure (_ssl.c:1056)
configuration : ERROR Server failed to restart
pkispawn : ERROR Exception: server failed to restart
File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547,
in main
scriptlet.spawn(deployer)
File
"/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 670, in spawn
raise Exception("server failed to restart")
')
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
and configuration was:
```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
pki_random_serial_numbers_enable=True
```
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822@gmail.com
4 years, 4 months
SOA generation algorithm
by Andrey Bondarenko
Hello,
Is the SOA generation algorithm for zones documented anywhere or anyone by
chance knows what it is?
We have a cluster of 8 nodes and the SOA is different on some IPAs in some zones
(with a huge amount of changes). But if I make a change I actually see it on a
different IPA.
Also, restarting IPA increases the SOA by 1.
We wanted to rely on the SOA for our DNS consistency check, but it seems like it's
not a working idea, or is it?
--
With best regards,
Andrey Bondarenko
mail: me@andreybondarenko.com
https://andreybondarenko.com
skype: andrey.bondarenko
phone, Telegram, WhatsApp, etc: +420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
4 years, 4 months
Re: zabbix for monitoring FreeIPA server?
by Alex Corcoles
The output of ipactl looks very similar to systemctl status. Is it doing
much more than that? I'm already monitoring systemd failed units so I
wonder if it's running checking ipactl.
On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Hi Tony,
>
>
> I'm monitoring using the following userparameter (basically run "ipactl
> status" and grep out lines which are known good so only errors are
> returned):
>
>
> UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v "(INFO\: The ipactl command was successful$|: RUNNING$)"
>
>
> ipactl needs root access so I have a file in /etc/sudoers.d/zabbix with
> these lines to allow the zabbix user to sudo the ipactl status command only
> without a password:
>
>
> ## Allow zabbix to query ipa status
> Defaults:zabbix !requiretty
> zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status
>
> The final challenge I had was selinux which I had to create a custom rule
> for (but most people seem to just disable selinux).
>
>
> Then just create a trigger to alert if the returned value contains any
> characters. eg this matches on any char apart from whitespace:
>
> {Custom Template IPA Server:ipa.status.regexp([^\s],1200)}=1
>
>
> If anyone else has a better way to do this I'd be interested to hear it.
>
>
> Regards,
>
> Neal.
>
>
>
>
>
> ------------------------------
> *From:* Tony Brian Albers via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>
> *Sent:* 24 August 2018 10:50
> *To:* freeipa-users@lists.fedorahosted.org
> *Cc:* Tony Brian Albers
> *Subject:* [Freeipa-users] zabbix for monitoring FreeIPA server?
>
> Hi guys,
>
> Anyone got this working?
>
> And if so, how did you do it?
>
> I know I can monitor the components separately, but if you know of
> anything that can do it easier I'd be happy to know about it.
>
> /tony
> --
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
4 years, 4 months
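The Zabbix UserParameter from Neal's reply above, wrapped as a shell function so the filter can be exercised offline. This is an added example, not code from the thread or from FreeIPA; the two ipactl status transcripts are constructed samples, not captured from a real server, and the real check would feed `sudo /usr/sbin/ipactl status 2>&1` into the same filter.

```shell
#!/bin/sh
# Constructed sample of "ipactl status" with one service down (not real output).
SAMPLE_DEGRADED='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample of a fully healthy status report.
SAMPLE_HEALTHY='Directory Service: RUNNING
krb5kdc Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Same expression as the UserParameter: drop the lines that are known good, so
# whatever remains on stdout is an error or an unexpected state. grep exits 1
# when everything was filtered, which is the healthy case for this check.
ipa_status_filter() {
    grep -E -v '(INFO: The ipactl command was successful$|: RUNNING$)'
}

# Apply the filter to a status text; returns 0 when nothing suspicious remains
# (the Zabbix trigger fires on any non-whitespace character in the item value).
ipa_status_check() {
    out=$(printf '%s\n' "$1" | ipa_status_filter || true)
    [ -z "$out" ]
}

# Stand-alone demo: report which lines would trip the Zabbix trigger.
for sample in "$SAMPLE_HEALTHY" "$SAMPLE_DEGRADED"; do
    if ipa_status_check "$sample"; then
        echo "ipa.status: OK"
    else
        echo "ipa.status: ALERT, offending lines:"
        printf '%s\n' "$sample" | ipa_status_filter
    fi
done
```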