Ticket expired
by Albert Szostkiewicz
Every time I restart on my workstation, I am getting errors with authentication
$ ipa
ipa: ERROR: Ticket expired
$ kinit myuser
Password for myuser(a)HOME.MYDOMAIN.COM: ******
$ ipa cert-show 1
Issuing CA: ipa
Certificate: #######
Subject: CN=Certificate Authority,O=HOME.MYDOMAIN.COM
Issuer: CN=Certificate Authority,O=HOME.MYDOMAIN.COM
Not Before: Thu Sep 19 01:27:28 2019 UTC
Not After: Mon Sep 19 01:27:28 2039 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: False
$ ipa pwpolicy-show global_policy
Group: global_policy
Max lifetime (days): 20000
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 21
Failure reset interval: 60
Lockout duration: 600
$ ipa
Usage: ipa [global-options] COMMAND [command-options]
Manage an IPA domain
Options:
...
Then, I have to restart services that failed (like autofs) in order to mount NFSv4 properly. Problem is - I have to do it every time I restart machine.
Is there any additional step I should take on my workstation ?
Thanks!
9 months, 2 weeks
Migrating from LDAP to FreeIPA
by Per Qvindesland
Hi
I am currently in the process of migrating from a LDAP server to IPA installed on a Centos 8 instance.
I been following these instructions on importing users from the LDAP server https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... but it's asking for the Directory Manager password, I took over position very recently and there is a password which is supposed to be for that account but it's not accepted.
Is it possible with the ipa migrate-ds to specify another user, i'd say no since the docs doesn't mention anything but I thought that I ask, or is it possible to use a ldif file to import the users?
Regards
Per
9 months, 2 weeks
Adding a KRA
by Ronald Wimmer
At the moment we only have KRA on one of our eight IPA servers. Is it
sufficient to issue the ipa-kra-install command on a replica where the
CA role is already present?
Cheers,
Ronald
9 months, 2 weeks
Adding Host through FreeIPA web UI
by anilkumar panditi
I am trying to add a host through FreeIPA UI , and followed the below procedure.
Click on Hosts Tab> Add> enter details like Hostname, IP , and checked force And ADD.
My host is added but , under Enrollment section i see Kerberos Key not Present.
How could i add this Kerberos Key. so i could login into this added host using LDAP user? Please help.
9 months, 2 weeks
Adding subjectAltName when the certificate is signed
by Radosław Kujawa
Hi list.
Is it possible to add email subjectAltName to a certificate when it is
being signed by the IPA?
My use case is that I have CSRs generated by the users. The tool used to
generate the CSR does not allow to add me to include an email
subjectAltName. The problem is that private key is held on the external
device, so I am not easily able to manipulate the CSR using openssl.
I already have a specific certificate profile added to IPA, used for
this process. But I am not sure if it is possible to enforce adding SAN
with user's email address when signing the certificate. I'd be grateful
for any hints.
Best regards,
Radoslaw
9 months, 3 weeks
FreeIPA, OSX, DockerDesktop
by james liu
PREP
====
git clone https://github.com/freeipa/freeipa-container.git
cd freeipa-container
mkdir /tmp/ipa-data
docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /tmp/ip-data :/data:Z freeipa-server --sysctl net.ipv6.conf.all.disable_ipv6=1
RESULT
======
tar: etc/sysconfig/selinux: Cannot utime: No such file or directory
tar: Exiting with failure status due to previous errors
QUESTION
=========
I'm running DockerDesktop 2.0.4, OSX 10.13.6.
Is there a set of commands that will work?
Thanks
9 months, 3 weeks
How to use the forms based login interface to give IPA admin access to selected federated users?
by Chris Dagdigian
Hi folks,
I've got a three-node replicating FreeIPA cluster running in AWS with a
one-way trust to an Active Directory domain.
Things work well with respect to user overrides and RBAC rules affecting
client machines but I can't for the life of me figure out the order of
operations for allowing a couple of external AD users to have admin
access to the FreeIPA webUI itself.
There are 3 AD users I'd like to give WebUI admin access to.
So far I've tried the standard stuff I've used for non-IPA clients:
1) make group "corp_admins_external" populated with external
"username(a)domain.com" identities
2) Make group "corp_admins_posix" populated with the
corp_admins_external group
3) Added corp_admins_posix group to the admin group
Best I've been able to do so far is give myself login access to just the
user self-service page and even then that failed until
oddjob-mkhomedir() was running and enabled under authconfig
Is there a guide or a documentation set specific to granting admin
access to the webUI for forms-based login users?
Thanks!
Chris
9 months, 3 weeks
Announcing SSSD 2.4.0
by Pavel Březina
# SSSD 2.4.0
The SSSD team is proud to announce the release of version 2.4.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/sssd-2_4_0
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_4_0
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
- `libnss` support was dropped, SSSD now supports only `openssl`
cryptography
### New features
- Session recording can now exclude specific users or groups when
`scope` is set to `all` (see `exclude_users` and `exclude_groups` options)
- Active Directory provider now sends CLDAP pings over UDP protocol to
Domain Controllers in parallel to determine site and forest to speed up
server discovery
### Packaging changes
- python2 bindings are disable by default, use `--with-python2-bindings`
to build it
### Documentation Changes
- Default value of `client_idle_timeout` changed from 60 to 300 seconds
for KCM, this allows more time for user interaction (e.g. during `kinit`)
- Added `exclude_users` and `exclude_groups` option to
`session_recording` section, this allows to exclude user or groups from
session recording when `scope` is set to `all`
- Added `ldap_library_debug_level` option to enable debug messages from
`libldap`
- Added `dyndns_auth_ptr` to set authentication mechanism for PTR DNS
records update
- Added `ad_allow_remote_domain_local_groups` to be compatible with
other solutions
9 months, 3 weeks
Re: Stop/Disable Apache on IdM servers
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> We have a single mesh of FreeIPA servers in several different locations,
> we capture logs (apache ErrorLog directive) to a log server in each of
> those locations. When auditors ask us questions we have to trawl log
> servers from all locations as our IdM administrators might have used any
> of the IdM servers to make changes.
>
> To limit that access to one site, I am considering stopping and
> disabling apache on all IdM servers at other sites and just wanted to
> check there are no unintended consequences in that action.
>
> I'm not looking for enforcement, merely a means of persuading the team
> to use the web interface or command line tools at one site.
It's completely untested so if something went wrong you'd be pretty far
out on the ledge.
You're purposely creating a single-point-of-failure. You'd need to work
out some system to transition the web server to another server.
The chosen server would need to run a CA, otherwise it will try to find
one and fail at connecting since the CA connect is proxied through Apache.
Establishing a new CA would likewise almost certainly be problematic.
The ipa-ca CNAME is used so clients can use OCSP. You'd have to manually
limit this value to only the available web server. Same with CRL.
Running other administrative commands on those hosts would fail
miserably (ipa-certupdate, ipa-cacert-manage for sure).
I'm not certain if ipa-server-upgrade which is also run at package
installation needs local API access. IPA servers make certain
assumptions about what basic services are available.
So this could well be the kind of thing that seems to work, you relax
and forget about it, then all heck breaks loose.
Either way, masking/stopping the service wouldn't really work since it
is managed via ipactl. You'd have to mark the service as disabled in
IPA, and I'm not sure you can do that to an IPA service so you'd
probably have to do it manually using ldapmodify.
rob
9 months, 3 weeks
