IPA Kerberos Trust problem with Windows Update kb4586830
by Jerry Träskelin
Hello,
first let me introduce our setup:
- FreeIPA 4.6.5 (I know it's a bit old already) masters CentOS 7
- FreeIPA 4.6.6 client CentOS 7
- Windows Server 2016 DCs
- Netapp Filer NFS server
There's a two-way trust between the AD and IPA domains which works nicely. User accounts exist in the AD domain and can be used on IPA members as well. The Netapp has a computer account in AD. IPA clients mount NFSv4 shares using krb5p encryption.
The problem:
After installing the latest Windows updates on the DCs (kb4586830) the Kerberos authentication to the file server started failing. We were able to identify it as a Kerberos problem by trying to mount without Kerberos, which worked but of course nothing was accessible. After trying a bunch of different things and reading a lot of logs, we finally uninstalled the update on the DCs and everything worked again. There's not a whole lot of error messages to go on even though log/debug levels were set to the highest. The mounting client will simply say "mount.nfs: access denied by server while mounting". On the DC I was able to find a Failure Code 0x3C for the Kerberos ticket request. 0x3C is a generic error, according to https://docs.microsoft.com/en-us/windows/security/threat-protection/audit.... None of the possible causes listed by Microsoft apply to our situation.
Since uninstalling the update on the DCs made the problem go away, I guess it's safe to assume that Microsoft changed something. The update notes don't really mention anything useful, but after some googling I found https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17049 which seems like something that could have caused this. Are there any settings in IPA that could be changed to comply with the changes made by Microsoft?
Thanks!
2 months, 2 weeks
CA configuration fails with SEVERE: Unable to start CMS engine: Property internaldb.ldapconn.port missing value
by iulian roman
Hello,
I am trying to move ahead with the installation of FreeIPA server on Ubuntu, but it always gets stuck in the CA configuration phase. The last error seems to be related to a port value missing (as stated in the subject):
2020-12-14 11:17:29 [localhost-startStop-1] SEVERE: Unable to start CMS engine: Property internaldb.ldapconn.port missing value
Property internaldb.ldapconn.port missing value
at com.netscape.cmscore.base.PropConfigStore.getInteger(PropConfigStore.java:459)
at com.netscape.cmscore.ldapconn.LdapConnInfo.init(LdapConnInfo.java:55)
at com.netscape.cmscore.ldapconn.LdapConnInfo.<init>(LdapConnInfo.java:45)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:123)
at com.netscape.cmscore.cert.CrossCertPairSubsystem.init(CrossCertPairSubsystem.java:127)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1082)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:941)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:934)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:545)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:149)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1144)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1091)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:983)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4956)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5270)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:624)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1834)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
In /etc/pki/pki-tomcat/ca/CS.cfg , both internaldb.ldapconn.host and internaldb.ldapconn.port variables are empty:
Any idea in which phase those values are set, or is there any method to specify them manually during installation?
2 months, 2 weeks
ipaCertSubject uniqueness check
by Khurrum Maqb
I'm currently running ipaServer 4.6.8 on Centos7. I have an IPA CA, and an external CA for user smartcard authentication provided by a third party. I have used ipa-cacert-manage to add the external CA chain to IPA, and it worked fine.
The external CA re-keyed one of the certs in the chain, and kept the subject name the same. So the key, serial and expiration are different, but the placement in the chain and the ipaCertSubject are the same. Both the old cert and the new one are valid, and some cards have the old chain still valid, and some have the new chain valid.
So if I go and try to use ipa-cacert-manage to add the NEW cert, I get "Failed to install the certificate: subject public key info mismatch" which I assume is due to the ipaCertSubject being the same (docs: https://www.freeipa.org/page/V4/CA_certificate_renewal )
Is this expected behavior? Is there a workaround? Or will I have to use ldapdelete and certutil -D to delete the old key, and then install the new key? In this process, the users with the OLD key will lose the ability to log in with their smart cards until new certs are issued to them. Thanks!
2 months, 3 weeks
users/groups migration IPA to IPA => NT_STATUS_INVALID_SID
by lejeczek
Hi guys,
I must be missing something I hope. This should just work, right?
$ ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --with-compat ldap://10.0.0.6
Prior to the above, on the target IPA I ran:
$ ipa-adtrust-install
Source IPA is: VERSION: 4.6.8, API_VERSION: 2.237
Target is: VERSION: 4.8.7, API_VERSION: 2.239
$ smbclient -L //love.ccn.mine.domain -Ume
lp_load_ex: changing to config backend registry
Unknown parameter encountered: "includes"
Enter CCN\me's password:
session setup failed: NT_STATUS_INVALID_SID
Any suggestions as to what is (not, but should be) happening are greatly appreciated.
many thanks, L.
2 months, 3 weeks
Paging and size limit ignored on the compat tree
by Adam Bishop
Setup:
* UI size limit set to 50
* nsslapd-sizelimit default of 2000
* 100 user objects in tree
If I run a paged query with -E pr=10/prompt against the main tree, the results are paged as expected.
If I run a paged query with -E pr=10/prompt against the compat tree, both the client pr setting and the IPA size limit are ignored and the whole tree is returned.
Is this expected behaviour, or is something amiss?
Adam
2 months, 3 weeks
macOS-X bound to freeIPA - mkhomedir
by Grant Janssen
I’ve been running a number of macs bound to FreeIPA for years now. The biggest nuisance is that I haven’t found a way to make a home directory when one doesn’t exist.
Without a home directory, a user logs in, the beachball spins forever and the user never gets a desktop because there is no user home directory.
"createhomedir -c -a" functions (on most systems), but I’d rather not run this in cron.
Has anyone found the PAM secret to have this function like mkhomedir on a CentOS host?
CentOS 7
grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
grant@outhouse:~[20201213-6:51][#1004]$
I wish there were an authconfig on os-x
- grant
2 months, 3 weeks
Stateless Machines and Force Join
by Mark Potter
We boot everything stateless in our environment and are using FreeIPA for authentication. I started discussing this a while ago but ended up with other things taking priority. The number of machines we have makes managing keys an untenable solution, so we are using
ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join
called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be moving away from --fixed-primary but aren't there yet). While this works it, potentially, exposes a password. I am looking for a better way to handle machines that need to re-join at every boot. We have access to ansible as well as a decent, in-house, templating system for configuration. Please forgive my starting this discussion anew and not resurrecting a zombie and thanks in advance for your help!
--
*Mark Potter*
Senior Linux Administrator
2 months, 3 weeks
odd problem updating to Centos 8.3
by Charles Hedrick
I just upgraded copies of our 3 servers from Centos 8.2 to 8.3. I always try it on copies before doing it on the real thing.
The upgrades all went fine, but on one of the servers, the services weren’t running, and ipactl status complained
Failed to get list of services to probe status!
Configured hostname z does not match any master server in LDAP:
x
y
z
Adding prints to the python code, I found the issue was that the services, e.g.
dn: cn=KPASSWD,cn=z,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
had
ipaConfigString: configuredService
when they should have had
ipaConfigString: enabledService
It was easy to fix. Things now look OK.
Since I’ve fixed it, I don’t need any help, but I thought it was worth reporting. There were some oddities in getting the copies working. Initially I had bad IP addresses various places. That broke synchronization, and I had to reinitialize server z by copying from x. But that was before the upgrade. Before doing any upgrades I made sure everything worked, and the replicas were all syncing.
The fix did sync to the other servers.
The error message wasn’t entirely helpful.
2 months, 3 weeks
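A quick offline check for the configuredService/enabledService mismatch described in this post, as an added example that is not from the post or from FreeIPA itself: it parses an ldapsearch LDIF dump of the cn=masters subtree and lists the service entries that are configured but not enabled. The suffix dc=example,dc=com and the sample entries are constructed.

```python
import re

# Constructed sample LDIF, modelled on the entries quoted in the post (suffix changed);
# a real dump would come from: ldapsearch -LLL -b cn=masters,cn=ipa,cn=etc,<suffix> ipaConfigString
SAMPLE_LDIF = """\
dn: cn=KPASSWD,cn=z,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: configuredService

dn: cn=KDC,cn=z,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: configuredService
ipaConfigString: enabledService

dn: cn=CA,cn=x,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for a plain LDIF dump.
    Folded lines (leading space) are unfolded; base64 (::) values are not decoded."""
    entries, dn, attrs = [], None, {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():  # a blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(key, []).append(value.strip())
    if dn is not None:  # last entry may lack a trailing blank line
        entries.append((dn, attrs))
    return entries

def services_not_enabled(ldif_text):
    """DNs of master service entries flagged configuredService but not enabledService,
    the state that made `ipactl status` reject the host in the report above."""
    bad = []
    for dn, attrs in parse_ldif(ldif_text):
        flags = set(attrs.get("ipaConfigString", []))
        if "configuredService" in flags and "enabledService" not in flags:
            bad.append(dn)
    return bad

if __name__ == "__main__":
    print(services_not_enabled(SAMPLE_LDIF))
```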
FreeIPA server packages for Ubuntu
by iulian roman
Hello !
Does anyone know which version of Ubuntu supports the FreeIPA server? I have tried 18.04, which always fails due to pki-tomcatd issues, and Ubuntu 20 does not seem to have the packages in the repository.
Any suggestion/help is appreciated.
Thanks
2 months, 3 weeks