Allocation of a new value for DNA range failed
by Ronald Wimmer
After upgrading to OL 8.1 and replacing all 8 of my IPA servers, I ran into this particular problem.
Is it right that I need to have an ID range that all DNA ranges have to fit in, and that the DNA range of each IPA server has to be distinct from the ranges of the other IPA servers?
I will start by checking each IPA server with
ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
(according to what Rob wrote on his blog some years ago:
https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
Cheers,
Ronald
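As an added example (not from the post above and not FreeIPA's own tooling), the following Python script reads the DNA entry that the ldapsearch above prints on each server, plus the ipa-local range entry from cn=ranges,cn=etc, and checks exactly the two conditions the post asks about: every server's range must lie inside the local ID range, and no two servers' ranges may overlap. It also flags a server that holds no range at all. The attribute names (dnaNextValue, dnaMaxValue, ipaBaseID, ipaIDRangeSize) are the real ones; the server names and numbers are constructed sample data.

```python
"""Check the DNA ranges of several FreeIPA servers against the local ID range.

Added example, not code from the original post. It parses the LDIF that
ldapsearch prints for the DNA plugin entry
(cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config)
on each server and the ipa-local range entry under cn=ranges,cn=etc, then
reports servers without a range, ranges outside the local ID range and
overlapping ranges. Server names and numbers are constructed sample data.
"""
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed sample: the DNA entry as seen on four servers. The long dn line
# is folded the way ldapsearch folds LDIF (continuation lines start with one
# space), so the parser has to unfold it.
DNA_OUTPUT: Dict[str, str] = {
    "ipa1.example.test": (
        "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=c\n"
        " onfig\n"
        "dnaNextValue: 1101\n"
        "dnaMaxValue: 1100\n"
    ),
    "ipa2.example.test": "dnaNextValue: 1101\ndnaMaxValue: 100999\n",
    "ipa3.example.test": "dnaNextValue: 101000\ndnaMaxValue: 200999\n",
    "ipa4.example.test": "dnaNextValue: 150000\ndnaMaxValue: 201500\n",
}

# Constructed sample of the local ID range entry ('ipa idrange-find' shows the
# same numbers as "First Posix ID of the range" / "Number of IDs in the range").
IDRANGE_OUTPUT = (
    "dn: cn=EXAMPLE.TEST_id_range,cn=ranges,cn=etc,dc=example,dc=test\n"
    "ipaBaseID: 1000\n"
    "ipaIDRangeSize: 200000\n"
    "ipaRangeType: ipa-local\n"
)


def unfold_ldif(text: str) -> Dict[str, List[str]]:
    """Join LDIF continuation lines and return attribute -> values (lower-cased names)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def dna_range(ldif: str) -> Optional[Range]:
    """(dnaNextValue, dnaMaxValue) for one server, or None when it holds no range.

    A server without a range shows dnaNextValue above dnaMaxValue (e.g. 1101/1100),
    which is how the "no DNA range" condition looks in the plugin entry.
    """
    attrs = unfold_ldif(ldif)
    nxt, mx = int(attrs["dnanextvalue"][0]), int(attrs["dnamaxvalue"][0])
    return None if nxt > mx else (nxt, mx)


def id_range(ldif: str) -> Range:
    """Inclusive (first, last) ID of the ipa-local range entry."""
    attrs = unfold_ldif(ldif)
    base, size = int(attrs["ipabaseid"][0]), int(attrs["ipaidrangesize"][0])
    return base, base + size - 1


def check_dna(servers: Dict[str, Optional[Range]], local: Range) -> List[str]:
    """Return human-readable problems: missing range, range outside local, overlaps."""
    lo, hi = local
    problems: List[str] = []
    for name, rng in sorted(servers.items()):
        if rng is None:
            problems.append(f"{name}: no DNA range, new uid/gid allocation will fail here")
        elif rng[0] < lo or rng[1] > hi:
            problems.append(f"{name}: range {rng[0]}-{rng[1]} not inside local ID range {lo}-{hi}")
    held = [(n, r) for n, r in sorted(servers.items()) if r is not None]
    for (n1, r1), (n2, r2) in combinations(held, 2):
        if max(r1[0], r2[0]) <= min(r1[1], r2[1]):   # closed intervals intersect
            problems.append(f"{n1} and {n2}: ranges {r1[0]}-{r1[1]} and {r2[0]}-{r2[1]} overlap")
    return problems


def run_check() -> List[str]:
    """Run the check over the constructed sample data."""
    servers = {name: dna_range(ldif) for name, ldif in DNA_OUTPUT.items()}
    return check_dna(servers, id_range(IDRANGE_OUTPUT))


if __name__ == "__main__":
    for problem in run_check() or ["all DNA ranges are inside the local ID range and disjoint"]:
        print(problem)
```

To use it against real servers, replace the constructed strings with the output of the ldapsearch above run against each server, and of a search for the ipa-local entry under cn=ranges,cn=etc,$SUFFIX. With the sample data it reports one server without a range, one range sticking out past the local ID range, and one pair of overlapping ranges.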
SmartCard-HSM authentication using pinpad card reader for improved security
by Peter Steen
Hello Folks!
We are working on getting smart card authentication working using pinpad card readers for improved security.
To do this we use:
The FreeIPA server is running on Fedora 32 with the latest updates. FreeIPA is also configured to be the Certificate Authority.
The FreeIPA clients are Fedora 32 based with the latest updates, with a connected USB card reader, a Gemalto C700 with pinpad. We use several individual SmartCard-HSM 4K cards per user with FreeIPA-signed certificates on them. The FreeIPA clients run OpenSC and are configured to use smart card certificate based authentication, set up per SmartCard-HSM best practice. Furthermore, the clients use SSSD and not pam_pkcs11.
All works great using the smart card for authentication, as long as the pinpad is not enabled in OpenSC.
If it is enabled, we are prompted for the PIN not only on the pinpad reader but also by GDM, which asks you to enter the PIN on the keyboard.
The expected result is to be logged in directly after entering the correct PIN on the pinpad reader, without being prompted by GDM to enter the PIN on the keyboard as well.
With the pinpad enabled, login gets a bit odd:
1. The Fedora 32 workstation GDM menu shows a few users that can log in.
2. The smart card is inserted in the reader.
3. GDM blanks the screen and the smart card reader prompts for the PIN.
4. The PIN is entered on the smart card reader, followed by pressing the OK button on the reader; the reader display shows "PIN OK".
5. GDM now prompts for the PIN on the keyboard. This is unexpected; instead you should be logged in to the window manager, here GNOME or Xfce.
6. Any number can be entered, it does not matter, followed by hitting Enter.
7. The smart card reader prompts for the PIN once again.
8. The PIN is entered on the smart card pinpad reader, followed by pressing the pinpad OK button.
9. You are now logged in, and all is normal. If the smart card is pulled out of the reader, the screen locks, as expected.
What could this be? Has anyone seen this before, or does anyone know how to set it up?
Question regarding the GUI
by Frederic Ayrault
Hello,
I would like to change the password expiration date from the user profile
instead of using an LDAP script.
Is it possible to change a field to an editable one?
Thank you
Best Regards,
Frederic
Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
fred(a)lix.polytechnique.fr
encryption type "Triple DES cbc mode with HMAC/sha1" ipa-getkeytab not granted by ipa 4.6.4 server
by Rob van Halteren
Hello,
I am trying to enable the des3-cbc-sha1 encryption type for an NFS service on a Linux CentOS 7 NFS server that is enrolled with an IPA 4.6.4 server.
I have allow_weak_crypto = true in my keytab.conf on the NFS server.
To check the permitted encryption types I run on the NFS server:
$ ipa-getkeytab --permitted-enctypes
Supported encryption types:
AES-256 CTS mode with 96-bit SHA-1 HMAC
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 192-bit SHA-384 HMAC
AES-128 CTS mode with 128-bit SHA-256 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
Camellia-128 CTS mode with CMAC
Camellia-256 CTS mode with CMAC
DES cbc mode with CRC-32
DES cbc mode with RSA-MD5
DES cbc mode with RSA-MD4
When I run:
$ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN -e des3-cbc-sha1 -k /etc/krb5.keytab
I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
However, when checking I see that only "aes" encryption types were obtained:
$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
Not sure what I am doing wrong here.
I would like to experiment with a weak encryption type to see if it is possible to mount a Kerberized NFS share on an Apple computer
running OS X 10.13.
If I read the documentation correctly, Apple supports: "OS X NFS RPCSEC_GSS supports: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1".
NFS version 3.
Thanks for any help.
Rob.
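As an added example (not from the post above and not part of FreeIPA or MIT Kerberos), here is a small Python check that parses the text printed by klist -ke and compares, for one principal, the enctypes present in its newest key version with the enctypes that were requested. It is the kind of check worth scripting when a keytab is retrieved repeatedly with different -e options: older KVNOs stay in the file, so only the highest KVNO tells you what the last retrieval actually produced. The sample output is constructed to mirror the post, with one extra made-up principal added so the detection of a non-AES key is exercised; host, realm and principal names are fictitious.

```python
"""Compare the enctypes present in a keytab with the ones that were requested.

Added example, not code from the original post. It parses 'klist -ke' output
(constructed sample below) and reports, for a principal, which requested
enctypes are absent from its newest key version and which present ones are
neither AES nor Camellia. Names are made up.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of 'klist -ke' output. The two KVNO 4 lines mirror the
# post; KVNO 3 is a leftover from an earlier retrieval, and nfs/legacy is an
# extra principal that does carry a des3 key, to show how that is reported.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   3 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   2 nfs/legacy.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   2 nfs/legacy.mydomain@MYDOMAIN (des3-cbc-sha1)
"""

# One keytab entry line: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# Everything outside these families (des, des3, rc4) is treated as legacy here.
STRONG_PREFIXES = ("aes", "camellia")


def parse_klist(text: str) -> Dict[str, Dict[int, Set[str]]]:
    """principal -> kvno -> set of enctype names; header lines are skipped."""
    keys: Dict[str, Dict[int, Set[str]]] = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return keys


def current_enctypes(keys: Dict[str, Dict[int, Set[str]]], principal: str) -> Set[str]:
    """Enctypes of the highest KVNO, i.e. the keys written by the last retrieval."""
    versions = keys.get(principal, {})
    return versions[max(versions)] if versions else set()


def missing_enctypes(keys, principal: str, requested: Iterable[str]) -> List[str]:
    """Requested enctypes that the newest key version does not contain."""
    return sorted(set(requested) - current_enctypes(keys, principal))


def legacy_enctypes(keys, principal: str) -> List[str]:
    """Enctypes in the newest key version that are not AES or Camellia."""
    return sorted(e for e in current_enctypes(keys, principal)
                  if not e.startswith(STRONG_PREFIXES))


def report(text: str, principal: str, requested: Iterable[str]) -> Dict[str, List[str]]:
    """Summary for one principal: present, missing (vs. requested) and legacy enctypes."""
    keys = parse_klist(text)
    return {
        "present": sorted(current_enctypes(keys, principal)),
        "missing": missing_enctypes(keys, principal, requested),
        "legacy": legacy_enctypes(keys, principal),
    }


if __name__ == "__main__":
    for princ in ("nfs/myhost.mydomain@MYDOMAIN", "nfs/legacy.mydomain@MYDOMAIN"):
        print(princ, report(KLIST_OUTPUT, princ, ["des3-cbc-sha1"]))
```

Feeding it the real output (for example klist -ke piped into a file) for nfs/myhost with des3-cbc-sha1 as the requested type gives exactly the post's situation: both AES types present, des3-cbc-sha1 missing. The legacy list is the one to watch in the other direction, once the experiment is over and the weak key is supposed to be gone again.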
Services - Differences between FreeIPA and MS AD
by Ronald Wimmer
I am trying to get a deeper understanding how services are organized.
When browsing the LDAP directory in FreeIPA I can see that services are
organized in a separate subtree (DN:
cn=services,cn=accounts,dc=linux,dc=mydomain,dc=at) and that each
service's connection to the computer object can be found in the managedBy
attribute. So far, so good.
In the Windows world I see services specified directly in SPN attributes
of a computer object. That makes sense and looks very similar to the IPA
world.
What I do not completely understand is why SPNs can also be specified
as an attribute of an AD (service account) user. Why? What is the purpose
of that? (Almost every tutorial on the web uses the mapuser parameter of
the ktpass command, but none states why this is needed.) I can imagine
that it makes sense for Linux servers when there is no computer object
in the AD. But what are other reasons/use cases?
I do know that this question is slightly off-topic. Nevertheless, I am
sure somebody here has a good answer to it, which I would highly
appreciate hearing.
Cheers,
Ronald
cluster deployment / ansible-freeipa
by Mark Potter
Greetings!
I am attempting to deploy a cluster using ansible-freeipa:
CentOS 8.2
Ansible 2.10.2
The ipaserver role successfully deploys the server, but I have a question
about DNS specifically: what is the format of "ipaserver_reverse_zones"? I
haven't seen an example. We have a LOT of reverse zones and would like to
get them all set up out of the gate using vars.
The server is mostly alright and I think I have it figured out, but replicas
fail to deploy.
They specifically fail at "Install - Replica preparation connection check";
if I set it to ignore the connection check they simply fail later for the
same reason. I have managed to suss out that the replicas aren't added to
DNS on the primary server; however, I cannot seem to get them added during
deployment. They show up in Hosts on the primary but not in DNS. I could
add them manually, but I will be handing this over for multiple regions to
use to deploy FreeIPA, so everything needs to work from the ansible-freeipa
collection and playbooks.
Vars here : https://pastebin.com/hZr0npHH
Playbook:
---
- name: Install FreeIPA Primary
  hosts: ipaserver
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      state: present

- name: Install FreeIPA replicas
  hosts: ipareplicas
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      state: present
--
*Mark Potter*
Senior Linux Administrator
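As an added example (not from the post above and not part of ansible-freeipa), the Python below generates reverse zone names from a list of network prefixes, which is the tedious part when there are many of them. It emits the names in the form a reverse zone has in DNS (8.20.10.in-addr.arpa., 8.b.d.0.1.0.0.2.ip6.arpa.) and splits prefixes that do not sit on a label boundary, so a /22 becomes four /24 zones. It assumes, because the post's question about the variable's format is not answered on this page, that ipaserver_reverse_zones is a list of such zone names; the printed YAML and the sample networks are constructed, not taken from the role's documentation.

```python
"""Derive reverse DNS zone names (in-addr.arpa / ip6.arpa) from CIDR prefixes.

Added example, not code from the original post or from ansible-freeipa. An IPv4
reverse zone covers a whole /8, /16 or /24 (one octet per label) and an IPv6
zone a multiple of 4 bits (one nibble per label), so a prefix that does not end
on such a boundary is split into the smallest set of aligned zones that covers
it. The sample prefixes are constructed; that 'ipaserver_reverse_zones' takes a
list of zone names is an assumption, not something this page documents.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _zone_name(net: Network, labels: int) -> str:
    """Reverse zone name for an aligned network, keeping the first `labels` labels."""
    if net.version == 4:
        octets = str(net.network_address).split(".")
        return ".".join(reversed(octets[:labels])) + ".in-addr.arpa."
    nibbles = net.network_address.exploded.replace(":", "")   # 32 hex digits
    return ".".join(reversed(nibbles[:labels])) + ".ip6.arpa."


def reverse_zones(prefix: str) -> List[str]:
    """All reverse zones needed to cover one CIDR prefix.

    Raises ValueError for host bits set (strict parsing) and for a /0.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    bits = 8 if net.version == 4 else 4                 # bits per reverse label
    zone_prefix = -(-net.prefixlen // bits) * bits       # round up to a label boundary
    if zone_prefix == 0:
        raise ValueError("a /0 prefix has no reverse zone")
    # subnets(new_prefix=...) yields the network itself when already aligned.
    return [_zone_name(sub, zone_prefix // bits)
            for sub in net.subnets(new_prefix=zone_prefix)]


def all_reverse_zones(prefixes: Iterable[str]) -> List[str]:
    """Zones for several prefixes, in input order, without duplicates."""
    zones: List[str] = []
    for prefix in prefixes:
        for zone in reverse_zones(prefix):
            if zone not in zones:
                zones.append(zone)
    return zones


if __name__ == "__main__":
    SAMPLE = ["10.20.0.0/16", "192.168.8.0/22", "2001:db8::/48"]   # constructed
    print("ipaserver_reverse_zones:")                               # assumed var name
    for zone in all_reverse_zones(SAMPLE):
        print(f"  - {zone}")
```

One thing the splitting does not do is detect a /16 zone listed alongside /24 zones that lie inside it; the names are distinct, so both would be created, and whether that is wanted (--allow-zone-overlap territory) is a decision for the person writing the vars, not for the script.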
Setting up an IPA server with DNS when the domain is managed by an existing DNS server that is not yet managing the reverse zones I want to configure
by Rob van Halteren
Hello,
I have seen more threads like this, but not exactly on this topic.
I am setting up an IPA server in an existing internal domain on a class B network range. I already have a DNS server running for this domain, but it holds only a class C network range.
I tried to set up the IPA server with the "ipa-server-install --setup-dns --no-forwarders --auto-reverse --allow-zone-overlap" options, but this does not work and results in the inability to create PTR records for any network range in my domain. Also, it then needs the existing DNS server as a forwarder to be able to resolve global addresses.
I intend to install the IPA server as the qualified DNS server for my domain, next to the existing DNS server, and once it is set up, decommission the existing
DNS server.
Any help would be appreciated
Thanks. Rob.