freeipa DNS issues with resolving
by Damjan Kumin
Hello friends,
I have FreeIPA version 4.8.10 on FC 33. Installation went through, and when I try NSLOOKUP with the selected server 127.0.0.53, I can resolve the freeipa host (the actual hostname of the server) and the internet, for instance google.com. Then in NSLOOKUP I set the server to 10.0.0.2 (this is the private IP of the freeipa) and check if it can resolve the freeipa server - and it can. But then I try google.com after that and it fails - it fails on basically anything outside of what it hosts. I tried installation with forwarders, but that failed every time I entered our country's DNS, and even when using 1.1.1.1.
So in short - freeipa can resolve anything if using 127.0.0.53 but nothing if using 10.0.0.2 - that means that no host on the internal network can resolve anything if using freeipa as the DNS server.
Please help as I cannot use anything on the net as no global address is resolving right now. THX in advance!
3 years, 5 months
putty gssapi trust
by Natxo Asenjo
hi,
We have a working cross realm trust between AD (2016, domain.local) -> Idm
(rhel 7.9, idm.domain.local).
So we can log in using our AD credentials to the rhel servers, and get
kerberos tickets and the rbac rules are enforced coupled to AD groups
mapped to Idm external groups.
If I run klist.exe on a cmd prompt, I see several DOMAIN.LOCAL tickets on
the Windows client.
One thing I cannot seem to get working is to use putty with gssapi
delegation (user name(a)domain.local and selecting the gssapi credentials
delegation) on a windows client joined to AD. So using name/password it
works, but single sign on does not.
The only thing I can think of is a firewall, but I cannot find any
documentation about firewall requirements between a windows client and a
an idm host. The only port open that I know of is 22/tcp for sshd, so the
windows host can get to putty. This is a pretty locked down setup, I have
no access to the firewall logs or administrator rights on the windows
client to run a packet capture.
Do you need kerberos access from the windows clients to the Idm servers for
the trust?
--
regards,
Natxo
3 years, 5 months
Issue with 'unable to perform'
by Daniel Oakes
Apologies – I have searched google unfruitfully for a solution, but I have failed ☹
I have an issue with a FreeRadius / FreeIPA setup and I’m struggling to find how to debug / tune or fix the issue. It’s a pretty simple one, but google fu fail.
Basically, FreeRadius is returning every now and again the following:
Tue Nov 10 21:32:38 2020 : Error: rlm_ldap (ldap): Bind was not permitted: Server was unwilling to perform
And the corresponding entry is in the dirsrv log:
[10/Nov/2020:21:32:38.780133776 +0000] conn=777962 fd=205 slot=205 connection from ::1 to ::1
[10/Nov/2020:21:32:38.780524927 +0000] conn=777962 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=freeipa,dc=z,dc=net" method=128 version=3
[10/Nov/2020:21:32:38.781269853 +0000] conn=777962 op=0 RESULT err=53 tag=97 nentries=0 etime=0.000982345
[10/Nov/2020:21:32:38.781549696 +0000] conn=777962 op=1 UNBIND
[10/Nov/2020:21:32:38.781573368 +0000] conn=777962 op=1 fd=205 closed - U1
It eventually resolves, but for a period of time every now and again (it’s completely random as to the timing) FreeIPA will just stop talking to the Radius.
Network issues are not the problem, the Radius and LDAP are on the same server.
I’d love to know how to debug and fix this obviously – but a quick fix would also be nice 😊 FreeIPA is pretty much stock, we just upgrade it every once in a while.
Many thanks for any help.
Cheers,
Daniel
3 years, 5 months
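The dirsrv access-log excerpt quoted in the post pairs a BIND with its RESULT on the same conn/op. This added example (not part of the post) walks such log text, pairs BIND and RESULT entries, and reports binds that came back with err=53 (LDAP unwillingToPerform), so the intermittent failures can be counted over a whole log rather than spotted by eye. The sample log embeds the post's own five lines plus three constructed lines for a later successful bind (conn=777963) as contrast.

```python
import re
from collections import Counter

# Constructed sample: the post's five lines (conn=777962, err=53) plus a
# constructed successful bind on conn=777963 (err=0) for contrast.
SAMPLE_LOG = """\
[10/Nov/2020:21:32:38.780133776 +0000] conn=777962 fd=205 slot=205 connection from ::1 to ::1
[10/Nov/2020:21:32:38.780524927 +0000] conn=777962 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=freeipa,dc=z,dc=net" method=128 version=3
[10/Nov/2020:21:32:38.781269853 +0000] conn=777962 op=0 RESULT err=53 tag=97 nentries=0 etime=0.000982345
[10/Nov/2020:21:32:38.781549696 +0000] conn=777962 op=1 UNBIND
[10/Nov/2020:21:32:38.781573368 +0000] conn=777962 op=1 fd=205 closed - U1
[10/Nov/2020:21:32:40.100000000 +0000] conn=777963 fd=206 slot=206 connection from ::1 to ::1
[10/Nov/2020:21:32:40.100500000 +0000] conn=777963 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=freeipa,dc=z,dc=net" method=128 version=3
[10/Nov/2020:21:32:40.101000000 +0000] conn=777963 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000500000
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def bind_results(log_text):
    """Yield (timestamp, conn, dn, err) for every BIND whose RESULT was logged.
    A BIND and its RESULT share conn and op, so they are paired on that key."""
    pending = {}  # (conn, op) -> (timestamp, bind dn) awaiting a RESULT line
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m['conn'], m['rest']
        b = BIND_RE.search(rest)
        if b:
            pending[(conn, b['op'])] = (m['ts'], b['dn'])
            continue
        r = RESULT_RE.search(rest)
        if r and (conn, r['op']) in pending:
            ts, dn = pending.pop((conn, r['op']))
            out.append((ts, conn, dn, int(r['err'])))
    return out


def unwilling_binds(log_text, err_code=53):
    """Only the binds that failed with the given LDAP result code (53 = unwillingToPerform)."""
    return [rec for rec in bind_results(log_text) if rec[3] == err_code]


def error_summary(log_text):
    """Counter of LDAP result codes seen on BIND operations, e.g. Counter({53: 1, 0: 1})."""
    return Counter(rec[3] for rec in bind_results(log_text))


if __name__ == "__main__":
    for ts, conn, dn, err in unwilling_binds(SAMPLE_LOG):
        print(f"{ts} conn={conn} dn={dn} err={err}")
    print(dict(error_summary(SAMPLE_LOG)))
```

Run it against a real /var/log/dirsrv/slapd-*/access file by reading the file into bind_results; clusters of err=53 with the same timestamps as the rlm_ldap errors confirm which side is refusing.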
Another Expired Certs Issue
by Sean McLennan
I swear I have been reading and trying everything I can find on here and elsewhere today and I'm still having problems fixing my certs.
As appears to be a common problem, certmonger didn't auto-renew any of them.
IPA v4.6.9 running on Ubuntu 18.04; only the one server
IPA RA is fine
ldap and krbtgt are "CA UNREACHABLE": Server at https://ipa01.simplyws.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
Everything else is NEED_CSR_GEN_PIN including HTTP
Possibly ipa-cert-fix or pki-server cert-fix would take care of it, but they aren't in this version and I'm reluctant to upgrade the distro without proper preparation.
Everything starts without any problems. With the date set, everything is functioning like normal as far as I can tell.
I have rolled back the date successfully making sure to respect the 'notbefore' on ra-agent.pem
I've tried both manually: getcert resubmit -i xxx and restarting certmonger to no avail...
cn=ipa,cn=cas,cn=ca,$BASEDN and ou=authorities,ou=ca,o=ipaca appear to be fine.
Everything in /var/log/pki/pki-tomcat/ca/debug is FINE
There are some errors about missing .jar files in /var/log/pki/pki-tomcat/pki/debug
/var/log/ipa and /var/log/dirsrv don't seem to have anything of note.
Any thoughts would be greatly appreciated!
3 years, 5 months
centos8 freeipa installation fails
by Rob Verduijn
Hello,
I'm trying to install freeipa on centos8.
However, it fails with an error related to java.
(see error below)
I found this bugzilla that describes the problem :
https://bugzilla.redhat.com/show_bug.cgi?id=1892216
The downgrade suggestion in that bugzilla does not work for centos8 since
those packages are no longer available in the repos.
Does anybody have a workaround for centos ?
Rob
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpi69b51qe'] returned non-zero exit status 1:
'Notice: Trust flag u is set automatically if the private key is present.\n
ERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n    raise Exception(\'Server unreachable due to SSL error: %s\' % reason) from exc\n\n')
3 years, 5 months
Kerberos behaviour when OTP is used
by Radoslaw Kujawa
Hi list.
I have 2FA enabled for many users in my organization, however some of
these users work on their own private devices and manually run kinit to
obtain the TGT.
I was wondering why kinit asks:
"Enter OTP Token Value: "
This message is slightly confusing. In fact, the user is supposed to
enter password+OTP here.
I've attempted reading RFC 6560. If I understand correctly, OTP is not
really supposed to be used as a 2nd factor with Kerberos?
Another minor trouble with BYOD setups is that the OTP user has to
manually obtain an anonymous ticket for FAST before being able to run kinit.
Interestingly, FAST is not required for Smart Card PKINIT to work.
None of this is really a big problem, it's just troublesome to explain
in one sentence "how does Kerberos authentication work in our organization".
Of course with Linux clients joined to the IPA domain, all of these
details are abstracted by sssd and therefore a non-issue from the user's
perspective.
Best regards,
Radoslaw
3 years, 5 months
question about the scope of FreeIPA LDAPS service - can it authenticate AD trust users or just local IPA users?
by Chris Dagdigian
Dumb question ...
For use cases (temporary/ephemeral/auto-scaling servers) where we can't
do a full ipa-client-install on a managed node is it possible to use the
LDAP service on FreeIPA to check a username and password for an AD-trust
user?
I've been fooling around with making AWS Parallelcluster nodes LDAP
clients of a FreeIPA environment and it actually works really well with
users and groups that are local to FreeIPA; it's quite a nice solution
actually and solves a consistency problem for some users and groups we
need to persist as HPC grids are launched and destroyed.
Was wondering idly if the LDAP service extended to being able to
authenticate a user that exists within an AD-trust. It does not seem to
work out of the box but I was wondering if a change of the LDAP bind DN
or other settings would allow this to work?
Wanted to ask if this was even possible before I spent more time working
on my ldap configs!
Regards
Chris
3 years, 5 months