May 2019 - FreeIPA-users - Fedora mailing-lists

Simple help with User Groups
by SOLER SANGUESA Miguel 17 May '19

17 May '19

Hello, I don't think it is a good idea to create a IPA posix group with the same GID. I think the best option is adding the IPA user to the local group as you tried to do. The only problem is that you used the short username, and you need to use username@domain. Something like this: # groupmems -g admins -a ricky(a)ipa.domain.com Thanks & Regards.

2 1

Simple help with User Groups
by Jim Rice 17 May '19

17 May '19

I have a host (lucee) and a user (ricky). I want to allow ricky to modify files on lucee owned by a group (admins). How is this accomplished using the freeIPA server? I tried adding the host, and the user, then created a user group and added the user to it. The user group was added to the host. The user is able to login to the host, but is not able to modify group owned files, and the group admins does not show up in his id ... [lucee]$ id uid=158600004(ricky) gid=158600004(ricky) groups=158600004(ricky),158600005(devops) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 There is an entry in the local /etc/group file: admins:x:2000:ricky Is this the wrong approach? When the User Group is being added, there is a Group Type selection. What is the difference between Non-POSIX, External, and POSIX? Would I need to set the GID to 2000 in freeIPA, or something else? (Actually, is you select External, the GID becomes grayed out.) I can't seem to find any documentation on how to set this up. admins:x:2000:luceeuser,rick

2 1

AD integration for ssh with kerberos
by lejeczek 13 May '19

13 May '19

hi everyone, I'm having IPA with one-way trust to AD and it all seems to be working okey. What I would like to see is, a ssh which work off kerberos for AD's users logins, and also same for cifs clients to Samba. I'm reading up on OK_AS_DELEGATE but still it's not clear to me whether separate services needs to be created(then configured) for that (as I do not see anything regarding ssh nor cifs after plain trust setup). I'm trying(hoping it's possible) to do it without web/gui. Would you know of a doc/howto showing a process of getting sshd/samba to use kerberos for AD members? many thanks, L.

1 0

Add a new ObjectClass / Attributes / Help
by Karim Bourenane 13 May '19

13 May '19

Hello I would like to authenticate applications with users via IPA. I can't find a Redhat tutorial (unless I'm wrong ??). Can you give me a link with a tutorial please ? My freeipa version is 4.5.4 Mr Karim Bourenane

3 4

Application-specific password or OTP disable for specific external applications
by Furkan İnciroğlu 11 May '19

11 May '19

We use FreeIPA for all our services. OTP is very useful on web but when we try to login on mobile we cannot get OTP password from Google Authenticator or FreeOTP mobile app. For example; if you want to login your mail on mobile you cannot enter your OTP password on the login screen. How can I disable OTP just for mail service. Anybody have any idea?

2 2

Doing SSO on a non-IPA joined OS X system
by Alex Corcoles 10 May '19

10 May '19

So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it worked! I've seen some guides about joining an OS X system to FreeIPA, but I don't think I want that (we are not currently joining work OS X systems to a domain, but I suppose we will soon- and I guess joining two domains would be hairy), but I'm wondering if it's not crazy to kinit, get my Kerberos tickets and get SSO for https/ssh? While having a ticket seems to not be enough to get SSH/Firefox to work, I'm wondering if it's viable to get it to work or if it's a waste of time because it cannot work or has serious limitations. It's mostly for learning purposes... Cheers, Álex -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

2 3

Custom attributes error
by Boris Cheperis 10 May '19

10 May '19

Hi, I have a set of custom attributes that were successfully used with FreeIPA version 4.2. Now I’m trying to make them work in the latest version but keep getting an error: ipalib.backend: DEBUG: Created connection context.ldap2_139877799582288 ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DATAROBOT-COM.socket <ldapi://%2fvar%2frun%2fslapd-DATAROBOT-COM.socket> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f37d5fc15a8> ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file employee-a.ldif ipapython.admintool: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run ldapi=True) or modified File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema _dn, new_schema = ldap.schema.subentry.urlfetch(url) File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch ldif_file = urllib.urlopen(uri) File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen return opener.open(url) File "/usr/lib64/python2.7/urllib.py", line 208, in open return getattr(self, name)(url) File "/usr/lib64/python2.7/urllib.py", line 461, in open_file return self.open_ftp(url) File "/usr/lib64/python2.7/urllib.py", line 520, in open_ftp host = socket.gethostbyname(host) ipapython.admintool: DEBUG: The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known ipapython.admintool: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: IOError: [Errno socket error] [Errno -2] Name or service not known ipapython.admintool: ERROR: The ipa-ldap-updater command failed. So far I tried version 4.6.4 and 4.7.2. Here are the ldif files that are used for adding attributes and objectless information. employee-attrs.ldif: dn: cn=schema changetype: modify add: attributeTypes attributeTypes: ( 2.25.128424792425578037463837247958458780603.1 NAME 'github' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.25.128424792425578037463837247958458780603.2 NAME 'squad' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) employee-objectclass.ldif dn: cn=schema changetype: modify add: objectclasses objectclasses: ( 2.25.128424792425578037463837247958458780603.100 NAME 'Employee' SUP person STRUCTURAL MAY ( github $ squad ) X-ORIGIN 'Extending FreeIPA')

2 2

systemd thinks it or something wants ipa service
by lejeczek 10 May '19

10 May '19

hi guys I have no ipa configured, not even a client set up and yet I see something constantly wants IPA: May 09 16:06:19 swir.private. systemd[1]: ipa.service: main process exited, code=exited, status=6/NOTCONFIGURED May 09 16:06:19 swir.private. systemd[1]: Failed to start Identity, Policy, Audit. May 09 16:06:19 swir.private. systemd[1]: Unit ipa.service entered failed state. May 09 16:06:19 swir.private. systemd[1]: ipa.service failed. ^[May 09 16:06:49 swir.private. systemd[1]: Starting Identity, Policy, Audit... May 09 16:06:49 swir.private. ipactl[42053]: IPA is not configured (see man pages of ipa-server-install for help) May 09 16:06:49 swir.private. systemd[1]: ipa.service: main process exited, code=exited, status=6/NOTCONFIGURED May 09 16:06:49 swir.private. systemd[1]: Failed to start Identity, Policy, Audit. May 09 16:06:49 swir.private. systemd[1]: Unit ipa.service entered failed state. May 09 16:06:49 swir.private. systemd[1]: ipa.service failed. May 09 16:07:20 swir.private. systemd[1]: Starting Identity, Policy, Audit... May 09 16:07:20 swir.private. ipactl[42275]: IPA is not configured (see man pages of ipa-server-install for help) May 09 16:07:20 swir.private. systemd[1]: ipa.service: main process exited, code=exited, status=6/NOTCONFIGURED May 09 16:07:20 swir.private. systemd[1]: Failed to start Identity, Policy, Audit. May 09 16:07:20 swir.private. systemd[1]: Unit ipa.service entered failed state. May 09 16:07:20 swir.private. systemd[1]: ipa.service failed. May 09 16:07:51 swir.private. systemd[1]: Starting Identity, Policy, Audit... May 09 16:07:51 swir.private. ipactl[42503]: IPA is not configured (see man pages of ipa-server-install for help) May 09 16:07:51 swir.private. systemd[1]: ipa.service: main process exited, code=exited, status=6/NOTCONFIGURED May 09 16:07:51 swir.private. systemd[1]: Failed to start Identity, Policy, Audit. May 09 16:07:51 swir.private. systemd[1]: Unit ipa.service entered failed state. May 09 16:07:51 swir.private. systemd[1]: ipa.service failed. Is that normal and if not then what can be the problem? many thanks, L.

2 2

host does not match the primary host name - installing replica
by lejeczek 09 May '19

09 May '19

hi guys, this must be something trivial and I must have gone blind, can you spot what I missed? $ ipa-replica-install --setup-dns --no-forwarders --ip-address=10.5.8.65 WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: ERROR The host name rider.xxx does not match the primary host name rider-ring8.xxx. Please check /etc/hosts or DNS name resolution $ host -r 10.5.8.97 97.8.5.10.in-addr.arpa domain name pointer rider.xxx. 97.8.5.10.in-addr.arpa domain name pointer rider-ring8.xxx. $ host -r 10.5.8.49 49.8.5.10.in-addr.arpa domain name pointer whale.xxx. 49.8.5.10.in-addr.arpa domain name pointer whale-ring8.xxx. $ host rider-ring8.. rider-ring8. has address 10.5.8.97 $ host rider.. rider. has address 10.5.8.97 Primary hostname of the box replica-install complains of is rider.xxx. Why IPA thinks it is rider-ring8.xxx ? What can be wrong? many thanks, L.

2 4

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)
by H. Frenzel 09 May '19

09 May '19

Hi, trying to delete a host failed with "Unable to communicate with CMS (500)" # ipa host-del foo.bar.local ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500) Checking the pki logs shows "Subsystem unavailable" # /var/log/pki/pki-tomcat/localhost.YYYY-MM-DD.log SEVERE: Exception Processing /ca/rest/certs/search javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Trying to troubleshoot it with help of https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomca… shows an authentication error on LDAP (/var/log/pki/pki-tomcat/ca/debug), but debug it further failed in the part "Check the subsystemCert cert-pki-ca" The 1st command works: # certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' Certificate: Data: Version: 3 (0x2) Serial Number: 00:9f:ff:01:6c ... # grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt But then the private key can't been read: # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca' certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. It looks as it's there: # certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa f7eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX79c Server-Cert cert-pki-ca < 1> rsa 7e4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX164 NSS Certificate DB:caSigningCert cert-pki-ca < 2> rsa f40XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX978 Server-Cert cert-pki-ca < 3> rsa 097XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXcca NSS Certificate DB:subsystemCert cert-pki-ca < 4> rsa 28cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8f9 (orphan) < 5> rsa 602XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX400 NSS Certificate DB:ocspSigningCert cert-pki-ca < 6> rsa b28XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX9fe NSS Certificate DB:auditSigningCert cert-pki-ca < 7> rsa 91cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXb13 (orphan) What could be wrong here? Thanks in advance & b/r H.

2 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2019