HBAC and external groups (AD trust)
by Giulio Casella
Hi,
I have an IPA setup, in trust with Active Directory.
I noticed a strange behaviour in HBAC.
In detail:
I have a group ("extgroup"), defined as external, containing an Active Directory user ("user@ad.dom.ain").
I defined an HBAC rule ("allow_AD_ssh") to permit ssh to a host to users belonging to "extgroup", but the HBAC test (performed with "user@ad.dom.ain") fails. I'm sure the cause is the "Who" section of the HBAC rule (if I leave "Anyone" it works). So the HBAC rule is defined as:
WHO: User group "extgroup"
ACCESSING: host I want to give access to
SERVICE: sshd
I was pretty sure it was an incompatibility of HBAC rules with external users.
But if I define a standard (POSIX) group (let's say "intgroup"), make "extgroup" a member of "intgroup" and use "intgroup" in the definition of the (section "Who" of the) HBAC rule, it works like a charm.
Why is direct use of the external group not working? Is it a bug? Or is there a reason I cannot see?
TIA
Cheers,
Giulio
1 year, 8 months
My FreeIPA Server as Domain for Windows
by rodentskie@gmail.com
Good day,
I have successfully deployed my own FreeIPA server in my local network. Now I want to configure it as a local domain for our LAN.
All the computers in our LAN have Windows installed as the OS. Is it possible? How do I configure it?
Now, my FreeIPA server DNS domain is "example.com". When I try to change the domain of the Windows computer I get an error.
Please help.
FREEIPA - TLS - CN > 64 characters
by Krzysztof O
Hello,
I'd like to ask if there is any workaround for issuing certificates that will have a Common Name longer than 64 characters?
This is for FreeIPA versions older than 4.8.0 (which is designated for RHEL 8), since we will have to stay with the current version of RHEL 7.
Regards,
Krzysztof
Centralized Authentication and Authorisation System for Gmail and OpenVPN
by kaushalshriyan@gmail.com
Hi,
Is there a way to configure a centralized Authentication and Authorization system for Gmail and OpenVPN users? For example, if any new employee joins, I grant Gmail and OpenVPN service access. I look forward to hearing from you.
Thanks in Advance.
Best Regards,
Kaushal
ipa-server-install (How to disable checking online DNS) ?
by rodentskie@gmail.com
Hello, I'm currently configuring FreeIPA. When I run the command "ipa-server-install", I get these errors:
Checking DNS domain biotechfarms.net., please wait ...
ipapython.admintool: ERROR DNS zone biotechfarms.net. already exists in DNS and is handled by server(s): kiki.ns.cloudflare.com., dane.ns.cloudflare.com.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
My boss also has this domain "biotechfarms.net" in Cloudflare.
Please help.
Managing a certificate for a non-joined host from a joined host.
by Thomas Letherby
Hello all,
I'm trying to issue some certificates via certmonger and I'm missing a permission somewhere.
The situation is thus:
I have a small Docker swarm of containers which access storage volumes on an IPA-joined storage server (xstorage1 - Ubuntu 18.04) via NFS, stored on a ZFS array.
Some of these containers, in this case a WiFi controller, can ingest certificates dropped into their volumes.
I want to use the storage server to request and drop the certificate files for the controller (in this case called omada) directly into the Docker volume for the container, so the storage server will manage renewals and the container just sees the cert files as normal.
On xstorage1 I used the following process to create the host and service and request the certificate:
kinit admin
ipa host-add omada.i.xrs444.net
ipa service-add HTTP/omada.i.xrs444.net
ipa service-add-host --hosts xstorage1.i.xrs444.net HTTP/omada.i.xrs444.net
ipa-getcert request -f /nasstore/containers/omada-data/cert.crt \
  -k /nasstore/containers/omada-data/tls.key -r \
  -K HTTP/omada.i.xrs444.net@I.XRS444.NET \
  -N 'CN=omada.i.xrs444.net,O=I.XRS444.NET' \
  -D omada.i.xrs444.net \
  -C "/usr/local/bin/catcerts.sh /nasstore/containers/omada-data/cert.crt /etc/ipa/ca.crt /nasstore/containers/omada-data/tls.crt"
(The -C is calling a script to concatenate the cert chain into one file)
This appears to process without error, but when I run ipa-getcert list I see the following error:
Request ID '20201019194610':
status: CA_REJECTED
ca-error: Server at https://xipa1.i.xrs444.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/omada.i.xrs444.net@I.XRS444.NET,cn=services,cn=accounts,dc=i,dc=xrs444,dc=net'.).
In the GUI of xipa1 (IPA server) I can see the host and service, with xstorage1 listed in the 'managed by' tab for both.
I tried from another host with the same results.
What have I missed? I'm sure I've done this before a while back, but I can't recall how I did it. Looking through guides online I can't see a step I've skipped.
Thomas
Ticket expired
by Albert Szostkiewicz
Every time I restart my workstation, I get errors with authentication:
$ ipa
ipa: ERROR: Ticket expired
$ kinit myuser
Password for myuser@HOME.MYDOMAIN.COM: ******
$ ipa cert-show 1
Issuing CA: ipa
Certificate: #######
Subject: CN=Certificate Authority,O=HOME.MYDOMAIN.COM
Issuer: CN=Certificate Authority,O=HOME.MYDOMAIN.COM
Not Before: Thu Sep 19 01:27:28 2019 UTC
Not After: Mon Sep 19 01:27:28 2039 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: False
$ ipa pwpolicy-show global_policy
Group: global_policy
Max lifetime (days): 20000
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 21
Failure reset interval: 60
Lockout duration: 600
$ ipa
Usage: ipa [global-options] COMMAND [command-options]
Manage an IPA domain
Options:
...
Then I have to restart the services that failed (like autofs) in order to mount NFSv4 properly. The problem is, I have to do it every time I restart the machine.
Is there any additional step I should take on my workstation?
Thanks!
Migrating from LDAP to FreeIPA
by Per Qvindesland
Hi
I am currently in the process of migrating from an LDAP server to IPA installed on a CentOS 8 instance.
I have been following these instructions on importing users from the LDAP server https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... but it's asking for the Directory Manager password. I took over the position very recently and there is a password which is supposed to be for that account, but it's not accepted.
Is it possible with ipa migrate-ds to specify another user? I'd say no, since the docs don't mention anything, but I thought I'd ask. Or is it possible to use an LDIF file to import the users?
Regards
Per
Adding a KRA
by Ronald Wimmer
At the moment we only have the KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present?
Cheers,
Ronald