February 2020 - FreeIPA-users - Fedora Mailing-Lists

Additional Check for checkipaconsistency - KRA

by Jochen Hein

Hallo, right now checkipaconsistency reports an error when not all IPA servers havew AD trust enabled. My first two IPA servers running CentOS 7 do have KRA enabled, but installing KRA on a new CentOS 8 replica failed. Would it be useful to check that in checkipaconsistency? If yes, here's my first shot at it. diff --git a/checkipaconsistency/freeipaserver.py b/checkipaconsistency/freeipaserver.py index bdefe70..a58419b 100644 --- a/checkipaconsistency/freeipaserver.py +++ b/checkipaconsistency/freeipaserver.py @@ -49,6 +49,7 @@ class FreeIPAServer(object): self.ghosts = None self.bind = None self.msdcs = None + self.kra = None self.replicas = None self.healthy_agreements = False @@ -94,6 +95,7 @@ class FreeIPAServer(object): self.conflicts = self._count_ldap_conflicts() self.ghosts = self._ghost_replicas() self.bind = self._anon_bind() + self.kra = self._kra() self.msdcs = self._ms_adtrust() self.replicas, self.healthy_agreements = self._replication_agreements() @@ -385,6 +387,25 @@ class FreeIPAServer(object): self._log.debug(r) return r + def _kra(self): + self._log.debug('Checking KRA...%s' % self._fqdn) + r = False + results = self._search( + 'cn=KRA,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % ( self._fqdn , self._base_dn), + '(ipaConfigString=*)', + ['ipaConfigString'] + ) + self._log.debug(results) + if type(results) == list and len(results) > 0: + #dn, attrs = results[0] + + #e = attrs['ipaConfigString'][1].decode('utf-8') + #r = e['enabledService'].decode('utf-8') + r = True + else: + r = False + return r + def _ms_adtrust(self): self._log.debug('Checking for MS ADTrust DNS records...') record = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.%s' % self._domain diff --git a/checkipaconsistency/main.py b/checkipaconsistency/main.py index 858b89a..242418e 100755 --- a/checkipaconsistency/main.py +++ b/checkipaconsistency/main.py @@ -134,6 +134,7 @@ class Main(object): ('ghosts', 'Ghost Replicas'), ('bind', 'Anonymous BIND'), ('msdcs', 'Microsoft ADTrust'), + ('kra', 'KRA Status'), ('replicas', 'Replication Status') ]) @@ -156,7 +157,7 @@ class Main(object): parser.add_argument('-n', nargs='?', dest='nagios_check', help='Nagios plugin mode', default='not_set', choices=['', 'all', 'users', 'susers', 'pusers', 'hosts', 'services', 'ugroups', 'hgroups', 'ngroups', 'hbac', 'sudo', 'zones', 'certs', 'conflicts', 'ghosts', 'bind', - 'msdcs', 'replicas']) + 'msdcs', 'kra', 'replicas']) parser.add_argument('-w', '--warning', type=int, dest='warning', default=1, help='number of failed checks before warning (default: %(default)s)') parser.add_argument('-c', '--critical', type=int, dest='critical', Jochen -- This space is intentionally left blank.

9 months, 2 weeks

1
0
0 / 0

How to restrict FreeIPA's from registering external IPs on DNS?

by Vinícius Ferrão

Hello, My FreeIPA server have two IP addresses. It registers itself with the internal and the external addresses. There’s a way to only register the IPs from the internal interfaces? Example: ipa-ca A 172.26.255.254 A 146.164.29.90 nodacabeca A 146.164.29.90 A 172.26.255.254 I only want the entries from the network 172.26.0.0/16. Thanks, V.

9 months, 2 weeks

2
2
0 / 0

Kerberos troubles

by Nicholas DeMarco

I'm having trouble with kerberos. On ipa: $ kinit <username> [1625] 1581094928.1017: Response was from master KDC [1625] 1581094928.1018: Processing preauth types: 19 -and- $ kinit admin [1626] 1581094962.274365: Received error from KDC: -1765328360/Preauthentication failed [1626] 1581094962.274368: Preauthenticating using KDC method data and from the logs: Feb 07 12:13:19 ipa1.practichem.com krb5kdc[1224](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.10.1.80: NEEDED_PREAUTH: admin(a)practichem.com for krbtgt/ practichem.com(a)practichem.com, Additional pre-authentication required

9 months, 3 weeks

2
2
0 / 0

Make a certificate for external realm

by iam pollux

Hello, I have: - a CA with Freeipa - a sub CA with Freeipa too - a server with certmonger installed on and connected to the sub CA - an external client without freeipa neither Certmonger. CA, sub CA and server are on the same realm: domaine.fr The external client is on a different realm: newdomaine.fr My goal is to generate a certificate for the external client. So, with the web ui in the sub ca, i've added the DNS zone newdomaine.fr and the host external.domaine.fr . From the server when i run the command below: ipa-getcert request -v -f /etc/pki/tls/certs/externe.crt -k /etc/pki/tls/private/externe.key -N CN=externe.domaine.fr -D externe.newdomaine.fr -K host/externe.newdomaine.fr(a)SUB.DOMAINE.FR -I externe i get the result is: Request ID 'externe': status: CA_REJECTED ca-error: Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.). I don't understand because the host is added. Could you explain to me how to fix that please? Thank you very much!

9 months, 3 weeks

2
1
0 / 0

Confusion on LDAP changes for NIS automounts

by Russell Jones

I have followed this documentation for enabling an automount to show up for a NIS client that is bound to FreeIPA, and it worked as expected and the NIS client can see the automount: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... I then went back and dumped the entire ldap tree out of curiosity to see my changes I just added, and they are not there. If I search for the keys "nis-base" or "nis-domain" for example, it's no where to be found. Where did this change actually go? I feel like I'm going crazy! :) Thanks for the help in furthering my understanding!

9 months, 3 weeks

3
5
0 / 0

NIS client bound to FreeIPA, passwd file is asterisks instead of hash

by Russell Jones

I have a client bound to FreeIPA using NIS, however when doing a "ypcat passwd" the password fields are an asterisk (*) instead of a password hash. The NIS integration docs are a bit sparse - am I missing something to allow NIS clients to authenticate against FreeIPA as an actual NIS client? Is that supported?

9 months, 3 weeks

2
2
0 / 0

MediaWiki and FreeIPA ?

by White, Daniel E. (GSFC-770.0)[NICS]

I have been trying various LDAP extensions without success. Most Google-able information is years old. Anyone use this : https://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

9 months, 3 weeks

2
2
0 / 0

suggestion for password policy

by Charles Hedrick

The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to allow you to specify a database of forbidden passwords. We’ve done this using a plugin, but I’d rather not have to write C code to implement policy.

9 months, 3 weeks

2
8
0 / 0

Command to export sub-ca certificate

by Jakob Ackermann

The client is joined to the IPA domain and gets a certificate from the sub-ca `puppet` with `ipa-getcert request -x puppet`. In order to have the puppet agent to be able to talk to puppet server I need the puppet sub-ca certificate. How can I distribute the sub-ca certificate to the client? Running `ipa-certupdate` did not work. Thanks

9 months, 3 weeks

4
4
0 / 0

VMware vCenter Single Sign-On

by White, Daniel E. (GSFC-770.0)[NICS]

Reference Links: 12/19/2006 https://bugzilla.redhat.com/show_bug.cgi?id=220222 Bug 220222 - [RFE] support for RFC 4530 entryUUID attribute [NEEDINFO] Product: Red Hat Enterprise Linux 8 Reported: 2006-12-19 19:40 UTC by Victoriano Giralt Modified: 2020-01-17 05:47 UTC (History) 01/04/2012 https://pagure.io/389-ds-base/issue/137 #137 No support for RFC 4530 entryUUID attribute Last Modified 10/18/2017 04/04/2019 https://christopherdamerau.com/freeipa-as-vcsa-identity-source/ 01/30/2019 https://www.reddit.com/r/redhat/comments/al3no8/does_identity_management_... 04/04/2016 https://www.howtovmlinux.com/articles/vmware/vcenter/integrate-freeipa-id... 06/20/2017 https://kb.vmware.com/s/article/2064977 VMware Knowledge Base: OpenLDAP schemas supported in VMware vCenter Single Sign-On (2064977) 11/22/2018 https://www.freeipa.org/page/V4/Data_transformation I have spent the last two days trying to get vSphere 6.7 SSO to talk to Red Hat Identity Manager (FreeIPA v4.6.5) Group permissions from LDAP do not work in vSphere. Period. It tells me, " "Unable to login because you do not have permission on any vCenter server systems connected to this client" I can associate an LDAP user to a vSphere role at the global level, but that won’t scale very far. QUESTION: Does anyone know of an OpenLDAP setup that satisfies the VMware KB description ? I do not believe that such a critter exists unless it is a home-grown, custom cobbled together monstrosity that would be a nightmare to maintain. This was my point to VMware support. They support Active Directory. They should support FreeIPA because their "OpenLDAP" setup probably does not exist. I am looking for any recent information anyone may have about getting this to work. I am also looking for more detail to support my claim to VMware that they need to support FreeIPA. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

9 months, 3 weeks

3
4
0 / 0