ipa ca renewal master and ipa replica
by Rob Verduijn
Hello,
I was doing some rtfm for migration of an ipa ca-renewal master to a
different system.
I figured that the docs on migrating from rhel7 to rhel8 would be a nice
help for me to migrate from one centos7 to another centos 7 system.
Something in the docs gave me pause.
In the doc in chapter 17.4 instruction 4
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
It states that on replicas at the bottom of the file
/etc/httpd/conf.d/ipa-pki-proxy.conf
you should uncomment the rewrite rule and ensure it points to the 'ca
renewal master'
However on the centos 7 freeipa replica it points to the replica.
Is the configuration on the CentOS 7 FreeIPA replica incorrect?
Or is the instruction from Red Hat in need of updates?
If it's the first, then the installation packages of freeipa on centos need
some attention, because I didn't configure that line as such.
Cheers
Rob
4 years, 8 months
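The question above hinges on what the MasterCRL RewriteRule at the bottom of /etc/httpd/conf.d/ipa-pki-proxy.conf actually points at. The following is an added example, not FreeIPA project code or anything from the poster: it parses that part of the proxy config, reports whether the rule is active and which host it redirects CRL requests to, and compares the result against the host the operator expects (the CA renewal master named in the Red Hat instruction). The config text, host names and result labels below are constructed for the example; on a real replica you would pass the file contents to the same functions.

```python
"""Report where the MasterCRL RewriteRule in ipa-pki-proxy.conf points.

Added example (not FreeIPA code). Assumes the rule has the documented shape
    RewriteRule ^/ipa/crl/MasterCRL.bin https://<host>/ca/ee/ca/getCRL?... [L,R=301,NC]
and may be commented out with a leading '#'.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the tail of the proxy config on a replica where the
# rule is active but points at the replica itself rather than the renewal master.
SAMPLE_CONF = """\
# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin https://replica1.example.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
"""

# Optional leading comment marker, then the directive, pattern and target URL.
REWRITE_RE = re.compile(r'^\s*(#\s*)?RewriteRule\s+(\S+)\s+(\S+)', re.IGNORECASE)


def find_crl_rewrite(conf_text):
    """Return (active, target_host) for the MasterCRL rule, or None if absent."""
    for line in conf_text.splitlines():
        m = REWRITE_RE.match(line)
        if not m:
            continue
        comment, pattern, target = m.groups()
        if 'MasterCRL' not in pattern:
            continue  # some other rewrite rule, not the CRL redirect
        host = urlsplit(target).hostname
        return (comment is None, host)
    return None


def check_replica(conf_text, expected_host, this_host):
    """Classify the CRL redirect on a replica against the expected target host.

    Returns one of: 'missing', 'commented-out', 'ok', 'points-to-self',
    or 'points-elsewhere:<host>'.
    """
    found = find_crl_rewrite(conf_text)
    if found is None:
        return 'missing'
    active, host = found
    if not active:
        return 'commented-out'
    if host == expected_host:
        return 'ok'
    if host == this_host:
        return 'points-to-self'
    return 'points-elsewhere:' + host


def check_replica_file(path, expected_host, this_host):
    """Same check, reading the live config file (e.g. /etc/httpd/conf.d/ipa-pki-proxy.conf)."""
    with open(path, encoding='utf-8') as fh:
        return check_replica(fh.read(), expected_host, this_host)


if __name__ == '__main__':
    # Constructed host names; substitute your renewal master and local FQDN.
    print(check_replica(SAMPLE_CONF, 'master.example.test', 'replica1.example.test'))
```

A result of 'points-to-self' on a replica is exactly the situation the post describes; 'commented-out' is the shipped default, which is why the instruction tells you to uncomment the rule and set the host.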
ipa-replica-install ERROR
by Boudjoudad Abdelkader
Hi,
I'm trying to install an IPA server replica from but I have the issue
below. I did:
- Remove the IP of ipa server master from /etc/hosts
- Check if there is a problem with ipa-client-install (working fine)
- dig IP-ipa-server (resolved)
None of these steps works!
I did some research and it looks like this is a bug; is there a
workaround?
ERROR:
WARNING: conflicting time&date synchronization service 'chronyd' will be
disabled in favor of ntpd
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR The host name freeipa-replica.example.com does
not match the primary host name
freeipa-replica.example.com.x.yy.zzz.in-addr.arpa. Please check /etc/hosts
or DNS name resolution
ipapython.admintool: ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Thanks,
4 years, 8 months
ipa-server-install: "does not match the primary host name" - unable to work around
by Florian Dahm
Hallo!
I have been trying to install FreeIPA server and keep hitting this error message:
"ipapython.admintool: ERROR The host name [hostname of the local machine] does not match the primary host name [hostname of ANOTHER machine]. Please check /etc/hosts or DNS name resolution"
I am at my wits' end. The machine has two NICs, one public (which shall serve the FreeIPA UI) and one private (which shall serve the actual domain services). /etc/hosts has entries for the public name for both IPv4 and v6. No amount of fiddling with parameters to ipa-server-install lets me get past this issue. Most frustratingly, the second hostname in the message is from a wholly different machine, the only connection between the two is a private VLAN on the second NIC of the local machine. I have no clue where it gets that hostname from in the first place.
/var/log/ipaserver-install.log gives me:
" [...]
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 455, in install_check
raise ScriptError(e)
2019-07-27T09:13:33Z DEBUG The ipa-server-install command failed, exception: ScriptError: The host name epicurus.cds-infra does not match the primary host name lucan.cds-infra.de. Please check /etc/hosts or DNS name resolution
[...]"
I tried under both Fedora 30 and CentOS 7.6, with no difference. Has anyone encountered a similar issue, and hopefully solved it?
Thank you!
Regards,
Florian
4 years, 8 months
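Both of the two posts above (the replica install and Florian's two-NIC server install) fail on the same installer check: the host name is resolved forward, the first resulting address is resolved in reverse, and the name that comes back must equal the host name; in Python that is what socket.gethostbyaddr(name)[0] returns. The example below is added here and is not FreeIPA code or anything the posters ran. It reproduces that logic against a constructed resolver table so it runs offline, and adds a per-address breakdown that shows which address (and therefore which NIC or which /etc/hosts or PTR record) supplies the unexpected "primary host name". The host names and addresses are constructed; only the error-message wording is taken from the posts.

```python
"""Reproduce the 'does not match the primary host name' check offline.

Added example (not FreeIPA code). The installer's check is equivalent to
socket.gethostbyaddr(host_name)[0] == host_name; the functions below do the
same against an injected resolver table so the failure modes can be studied
without touching real DNS.
"""
import socket

# Constructed table standing in for /etc/hosts plus DNS on a two-NIC host.
# The private address is listed first and its reverse record belongs to a
# different machine, which is the pattern described in the second post.
BROKEN_FORWARD = {"ipa.example.test": ["10.0.0.10", "192.0.2.10"]}
BROKEN_REVERSE = {"10.0.0.10": "other.example.test",
                  "192.0.2.10": "ipa.example.test"}

# Same forward data, but the private address now has a matching reverse record.
FIXED_REVERSE = {"10.0.0.10": "ipa.example.test",
                 "192.0.2.10": "ipa.example.test"}

# Constructed example of a PTR whose target lacked a trailing dot, so the zone
# origin was appended (this produces names ending in in-addr.arpa, as in the
# first post).
ARPA_REVERSE = {"10.0.0.10": "ipa.example.test.0.0.10.in-addr.arpa",
                "192.0.2.10": "ipa.example.test"}


def primary_host_name(host_name, forward, reverse):
    """Mimic socket.gethostbyaddr(host_name)[0]: forward-resolve, then
    reverse-resolve the first address and return the name found."""
    addrs = forward.get(host_name)
    if not addrs:
        raise LookupError(f"{host_name} does not resolve")
    first = addrs[0]
    name = reverse.get(first)
    if name is None:
        raise LookupError(f"no reverse record for {first}")
    return name


def verify_fqdn(host_name, forward, reverse):
    """Return None when the names agree, else the installer-style message."""
    primary = primary_host_name(host_name, forward, reverse)
    if primary != host_name:
        return (f"The host name {host_name} does not match the primary host "
                f"name {primary}. Please check /etc/hosts or DNS name resolution")
    return None


def explain(host_name, forward, reverse):
    """List (address, reverse name) for every address the host name resolves
    to, so the offending NIC or record can be identified."""
    return [(addr, reverse.get(addr)) for addr in forward.get(host_name, [])]


def live_primary_host_name(host_name):
    """The same check against the real resolver of the machine this runs on."""
    return socket.gethostbyaddr(host_name)[0]


if __name__ == "__main__":
    print(verify_fqdn("ipa.example.test", BROKEN_FORWARD, BROKEN_REVERSE))
    for addr, name in explain("ipa.example.test", BROKEN_FORWARD, BROKEN_REVERSE):
        print(f"  {addr:>12} -> {name}")
    print(verify_fqdn("ipa.example.test", BROKEN_FORWARD, FIXED_REVERSE))
```

Because only the first address is reverse-resolved, reordering the /etc/hosts entries or fixing the single reverse record for that address is enough to clear the message; the explain() output shows which one that is. On a live host, socket.gethostbyaddr(socket.getfqdn()) reproduces the installer's view of the machine.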
FW: [EXTERNAL] Re: caUserCert
by Patterson, David
The profile: it literally was the caUserCert.cfg profile with a few minor changes: Removed rsa 1024 key length and removed MD5 encryption algorithms.
Command sequence:
Add the modified profile: ipa certprofile-import caUserCert --file caUserCert_mod.cfg --store TRUE --desc "User certificate used for authentication"
Create a dpatte.conf file that has the exact same entries as in your instructions.
Requested a key and CSR file:
openssl req -new -key key.pem -out dpatte.csr -config dpatte.conf
ipa cert-request dpatte.csr --principal dpatte --profile-id caUserCert
Result: "Subject Name Not Found"
The debug log shows a trace of a java error. Just a guess on my part, but I suspect that the caUserCert profile requires three inputs one of which is subjectNameinputImpl. I suspect what I'm providing isn't what is required hence the first line of the java trace in debug file: "at com.netscape.cms.profile.input.SubjectNameInput.populate(SubjectNameInput.java:269)"
I've followed your blog post using caIPAserviceCert.cfg making modifications to some defaults/constraints (like above) and it works. Now my ssh keys don't work to permit access to systems. Can I have both a cert and ssh keys? When I have a cert, ssh logs say your sshkey has been rejected by the server. When I remove the cert, sshkey is accepted.
Thanks for the insight and help!
David Patterson
-----Original Message-----
From: Fraser Tweedale <ftweedal(a)redhat.com>
Sent: Sunday, July 07, 2019 11:55 PM
To: Patterson, David <dpatte(a)sandia.gov>
Subject: [EXTERNAL] Re: caUserCert
On Wed, Jul 03, 2019 at 08:42:41PM +0000, Patterson, David wrote:
> Hello,
>
> I followed your blog post from 8-6-2015 about User Certificates and
> Custom Profiles with FreeIPA 4.2 to attempt to create user
> certificates. I'm trying to use the caUserCert template, instead of
> the caIPAserviceCert template.
>
> I've tried variations on different CN=, even modified my ldap entry to
> change my CN to dpatte, but always this error. ipa:
> ERROR: Request failed with status 500: Non-2xx response from CA REST
> API: 500. Subject Name Not Found
>
> I've done a bunch of googling to see what this error means, but
> never found an answer. Can you shed some light?
>
> Thanks!
>
> David Patterson
> Sandia National Laboratories
>
Hi David,
Sorry for belated reply; I was on vacation last week.
The "outer" part of the error comes from the FreeIPA server when a backend HTTP request to the Dogtag CA fails. The "inner" part ("Subject Name Not Found") is used by several Dogtag profile components, and usually indicates that something went wrong constructing the certificate Subject DN.
Can you please provide more detail: what is the profile configuration, what is the exact sequence of commands leading to the failure? The debug log from /var/log/pki/pki-tomcat/ca/ may also shed some light.
Do you want to Cc the public mailing list freeipa-users(a)lists.fedorahosted.org? Then others besides me could assist (and benefit from the solution). Up to you of course.
Cheers,
Fraser
4 years, 9 months
mapping freeipa to local users and group
by Andrew Meyer
I want to map my freeipa users to local users on a particular server. I have read a few sites that say to do sss_override. However I am running into a problem:
[andrew.meyer@server01 ~]$ sudo sss_override user-add andrew.meyer -n ameyer
Other than LOCAL view already exists in domain freeipa.local.
But I remember seeing this somewhere as well:
group: files [SUCCESS=merge] sss
Will doing the merge satisfy what I want?
Thanks,
Andrew
4 years, 9 months
`users` command shows `user user@domain` when logging in with a smartcard
by Khurrum Maqb
If a user logs in to a CentOS 7.6 system with ipa 4.6.4-10 using a smartcard (gdm-greeter), the output of the `users` command is
user user@dom.ain
If a user logs in to the same system with a username and password, the output of the `users` command is
user user
Where could user@dom.ain be showing up from? It doesn't show up anywhere else as far as I can tell. It's been a non-issue, but our Cisco AnyConnect VPN configs mandate that only one user be logged in when connecting to VPN. When a user logs in with a username and password, the VPN connects. But when a user logs in with a smartcard + PIN, AnyConnect complains that multiple users are logged in and disconnects.
I believe AnyConnect is looking at the output of `users` and is seeing `user user@dom.ain` and treating that as two different users.
Why does logging on with a smartcard on this system result in a user called user@dom.ain, and how can I change it so that either all of them are just called user, or all of them are just called user@dom.ain?
Thank you so much!
4 years, 9 months
trust AD - kerberos - how it works?
by lejeczek
hi guys
I've been having my IPA deployment trusting AD for a while now and it's
been behaving pretty well I must say, except for one thing - kerberos,
in some places at least.
What I've needed really, or mainly that trust for, was ssh with gssapi
and that is what I'd like to ask about - interaction between IPA and AD
when it comes to kerberos - my AD win-clients sometimes would have
tickets and be able to ssh with gssapi, some other time it would not
work and ssh would ask for passwords.
I cannot really spot any pattern there and I hope some expert could
decipher this for me and help to understand what and why that happens.
many thanks, L.
4 years, 9 months
Intermittent AD attribute fetch
by Jo Domsic
Hi freeipa-users!
My IPA users occasionally report these issues:
1. Unable to login (failed pub key) via ssh on linux server
2. Missing shell (defaulted to sh, instead of bash or zsh) after ssh login on linux server
3. Missing home directory after ssh login on linux server
All of the users are present in ActiveDirectory (domain=ad.lan), and attributes are set (sshPublicKey and loginShell).
AD and FreeIPA are trusting each other. Linux servers are joined to domain (domain=ipa.lan).
I can confirm (1) fails when I run: /usr/bin/sss_ssh_authorizedkeys user@ad.lan. It returns empty. Repeated runs return the same result - nothing.
And both (2) and (3) happen without noticeable correlation to any other event.
I can confirm it by running getent passwd user@ad.lan. It displays some fields (either home folder or shell) as empty.
Issue (1) can be fixed with restarting sssd service and sss_cache -E.
Issue (2) mostly fixes itself after X amount of time (sometimes a minute, sometimes an hour).
Issue (3) can be fixed same as (1), but sometimes also when repeating ssh connection (logout/login).
And as you might think: it's tiresome. :)
Does it make sense to you? Which logs would be most useful to get to the bottom of this?
Note:
AD servers 2016
Freeipa version v4.6.4 (both servers and clients) on Centos 7.
4 years, 9 months
External CA
by Christian Reiss
Hey folks,
Would it be possible to get FreeIPA to sign an arbitrary, non-IPA-managed
CA? Background: Before FreeIPA we enrolled our own CA for
internal services and imported the CA into the browsers, which worked
like a charm. Now with FreeIPA we would have to import two CAs into the
browsers and would like to have the external CA as an intermediate.
It's okay to roll out a new CA & certificates.
I also tried to add a 2nd CA via the web-Gui, which worked. But I could
not figure out how to get that private key.
So in short: The way doesn't matter. In the end I would like to have an
intermediate CA, signed by the FreeIPA main CA, with a 10+ year validity
that I can use externally.
Any approach to that?
Thanks,
Chris.
--
Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon
support(a)alpha-labs.net \ / Campaign
X against HTML
WEB alpha-labs.net / \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
4 years, 9 months