March 2020 - FreeIPA-users - Fedora Mailing-Lists

by Ronald Wimmer

Hi, will Microsofts decision to let domain controllers talk LDAPS only in the near future affect IPA sowehow? Cheers, Ronald

4 years

3
9
0 / 0

LDAP Server stop to response after a period of time

by Lays Dragon

I deployed a two replica FreeIPA Servers,it woks well until this month,it start at the service report the LDAP is Timeout,I try to restart the server,even reinstall two IPA server and maintain the data via replica from another server. And it still happen after several days. The 389ds server just simply stop to response to any connection ,the wierd thing is the connection is established but no response after the connection. LDAP server seems to blocked on something,even replica is dead because the ldap is blocked.simply restart not slove the problem,the ldap server will blocked really soon caused other service like IPA Web service or kinit dead too. I guess the blocked is caused via replica function somehow,since I figure out I have to close the ldap port on blocked server firewall to make it isolate,and restart the server,waiting for about 10 min after the server is start,reopen the ldap port on firewall to let replica recover,and everything will be fine...And I notice there some connection stuck at CLOSE_WAIT of ns-slapd may be related. Need some help . I not so familiar with of freeipa,and trying to deal this problem over the week but nothing works. FreeIPA server version:4.8.4 Server System: Fedora 31 (Cloud Edition) server1 access log ``` krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxTicke..." [08/Mar/2020:10:01:23.390837315 +0800] conn=4 op=6091 RESULT err=0 tag=101 nentries=1 etime=0.000276689 [08/Mar/2020:10:01:23.390906790 +0800] conn=4 op=6092 SRCH base="cn=ENMD.NET,cn=kerberos,dc=enmd,dc=net" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" [08/Mar/2020:10:01:23.391302403 +0800] conn=4 op=6092 RESULT err=0 tag=101 nentries=1 etime=0.000432879 [08/Mar/2020:10:01:23.392418974 +0800] conn=3351 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [08/Mar/2020:10:01:25.953517485 +0800] conn=3352 fd=161 slot=161 connection from <masked>.152 to <masked>.165 [08/Mar/2020:10:01:27.007620375 +0800] conn=3353 fd=162 slot=162 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:01:27.151656148 +0800] conn=3354 fd=163 slot=163 connection from <masked>.150 to <masked>.165 [08/Mar/2020:10:01:27.559750675 +0800] conn=3355 fd=164 slot=164 connection from <masked>.153 to <masked>.165 [08/Mar/2020:10:01:39.015400434 +0800] conn=3356 fd=165 slot=165 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:01:51.582586229 +0800] conn=3357 fd=166 slot=166 connection from <masked>.153 to <masked>.165 [08/Mar/2020:10:01:52.513047687 +0800] conn=3358 fd=167 slot=167 connection from <masked>.150 to <masked>.165 [08/Mar/2020:10:01:53.573811317 +0800] conn=3359 fd=168 slot=168 connection from <masked>.152 to <masked>.165 [08/Mar/2020:10:02:44.012371005 +0800] conn=3360 fd=169 slot=169 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:02:44.419580574 +0800] conn=3361 fd=170 slot=170 connection from <masked>.151 to <masked>.165 [08/Mar/2020:10:02:45.548493596 +0800] conn=3362 fd=171 slot=171 connection from <masked>.153 to <masked>.165 [08/Mar/2020:10:02:50.018712852 +0800] conn=3363 fd=172 slot=172 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:02:51.081867407 +0800] conn=3364 fd=173 slot=173 connection from <masked>.152 to <masked>.165 [08/Mar/2020:10:03:04.062925765 +0800] conn=3365 fd=174 slot=174 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:03:06.223438080 +0800] conn=3366 fd=175 slot=175 connection from <masked>.150 to <masked>.165 [08/Mar/2020:10:03:10.063982993 +0800] conn=3367 fd=176 slot=176 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:03:52.027006125 +0800] conn=3368 fd=177 slot=177 connection from <masked>.153 to <masked>.165 [08/Mar/2020:10:03:57.005297121 +0800] conn=3369 fd=178 slot=178 connection from <masked>.152 to <masked>.165 [08/Mar/2020:10:04:01.001767909 +0800] conn=3370 fd=179 slot=179 connection from <masked>.150 to <masked>.165 [08/Mar/2020:10:04:08.003082421 +0800] conn=3371 fd=180 slot=180 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:04:12.014090964 +0800] conn=3372 fd=181 slot=181 connection from <masked>.151 to <masked>.165 [08/Mar/2020:10:04:18.140192092 +0800] conn=3373 fd=182 slot=182 connection from <masked>.166 to <masked>.165 [08/Mar/2020:10:04:20.007046774 +0800] conn=3374 fd=183 slot=183 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:04:24.040348027 +0800] conn=3375 fd=184 slot=184 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:04:30.139898749 +0800] conn=3376 fd=185 slot=185 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:05:22.043556910 +0800] conn=3377 fd=186 slot=186 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:05:34.140357676 +0800] conn=3378 fd=187 slot=187 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:05:36.006033007 +0800] conn=3379 fd=188 slot=188 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:06:07.002808000 +0800] conn=3380 fd=189 slot=189 connection from <masked>.150 to <masked>.165 [08/Mar/2020:10:06:12.043478717 +0800] conn=3381 fd=190 slot=190 connection from <masked>.152 to <masked>.165 [08/Mar/2020:10:06:15.007914045 +0800] conn=3382 fd=191 slot=191 connection from <masked>.153 to <masked>.165 [08/Mar/2020:10:06:17.005632290 +0800] conn=3383 fd=192 slot=192 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:06:19.016341572 +0800] conn=3384 fd=193 slot=193 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:06:23.007594584 +0800] conn=3385 fd=194 slot=194 connection from <masked>.154 to <masked>.165 [08/Mar/2020:10:06:27.026262632 +0800] conn=3386 fd=195 slot=195 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:06:30.031700186 +0800] conn=3387 fd=196 slot=196 SSL connection from <masked>.159 to <masked>.180 [08/Mar/2020:10:06:37.009611536 +0800] conn=3388 fd=197 slot=197 connection from <masked>.151 to <masked>.165 [08/Mar/2020:10:06:37.033108567 +0800] conn=3389 fd=198 slot=198 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:07:23.002813545 +0800] conn=3390 fd=199 slot=199 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:07:31.011795943 +0800] conn=3391 fd=200 slot=200 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:07:36.011894960 +0800] conn=3392 fd=201 slot=201 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:07:41.021108836 +0800] conn=3393 fd=202 slot=202 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:07:42.014874690 +0800] conn=3394 fd=203 slot=203 connection from <masked>.160 to <masked>.165 [08/Mar/2020:10:09:16.005883198 +0800] conn=3395 fd=204 slot=204 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:09:24.009940147 +0800] conn=3396 fd=205 slot=205 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:09:34.015154400 +0800] conn=3397 fd=206 slot=206 connection from <masked>.165 to <masked>.165 [08/Mar/2020:10:10:24.040398249 +0800] conn=3398 fd=207 slot=207 connection from <masked>.153 to <masked>.165 [08/Mar/2020:10:10:27.003675219 +0800] conn=3399 fd=208 slot=208 connection from <masked>.152 to <masked>.165 [08/Mar/2020:10:10:28.005336766 +0800] conn=3400 fd=209 slot=209 connection from <masked>.150 to <masked>.165 ``` server1 error log ``` [08/Mar/2020:09:30:52.966764268 +0800] - ERR - NSMMReplicationPlugin - repl5_inc_waitfor_async_results - Timed out waiting for responses: 0 3074 [08/Mar/2020:09:32:53.684831136 +0800] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out) [08/Mar/2020:09:34:53.625806166 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:36:56.570809366 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:38:56.509924342 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:40:59.458123866 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:42:59.402931124 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:45:02.343312876 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:47:02.282487714 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:49:05.220734403 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:51:05.160565112 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:53:08.105641621 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:55:08.040503542 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:57:11.997307120 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:09:59:12.965695447 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:10:01:15.903578926 +0800] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipa2.enmd.net" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. [08/Mar/2020:11:26:42.560167019 +0800] - INFO - slapd_extract_cert - CA CERT NAME: ENMD.NET IPA CA [08/Mar/2020:11:26:42.567890161 +0800] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. [08/Mar/2020:11:26:42.647668764 +0800] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert [08/Mar/2020:11:26:42.722748631 +0800] - INFO - Security Initialization - SSL info: Enabling default cipher set. [08/Mar/2020:11:26:42.726554182 +0800] - INFO - Security Initialization - SSL info: Configured NSS Ciphers [08/Mar/2020:11:26:42.730304776 +0800] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [08/Mar/2020:11:26:42.733614343 +0800] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled [08/Mar/2020:11:26:42.740389595 +0800] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled [08/Mar/2020:11:26:42.743830864 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [08/Mar/2020:11:26:42.748868878 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [08/Mar/2020:11:26:42.762016895 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled [08/Mar/2020:11:26:42.766962209 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [08/Mar/2020:11:26:42.779721887 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [08/Mar/2020:11:26:42.787619421 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [08/Mar/2020:11:26:42.795024632 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [08/Mar/2020:11:26:42.799027752 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [08/Mar/2020:11:26:42.802532993 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [08/Mar/2020:11:26:42.806279559 +0800] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled ```

4 years

5
14
0 / 0

Re: Running FreeIPA using IPv4

by Jessie James Bowman

I attempted to search through the discussions for an existing thread, but it seems I didn't search thoroughly enough. I appreciate the time taken to answer.

4 years

1
0
0 / 0

Running FreeIPA using IPv4

by Jessie James Bowman

Hello all, So I'm currently trying to install and test FreeIPA on one of my sandboxes. We are not allowed to use IPv6 per STIGs. Is it possible to run the application on IPv4? I've researched and have been unable to find an answer. Our team could really use some of the features the application provides, but we have to navigate the IPv6 STIG to do it. Thanks in advance!

4 years

2
1
0 / 0

2 factor authentication in Freeipa

by dmitriys

Hi! I use Freeipa VERSION: 4.8.0, API_VERSION: 2.233 I want use Freeipa as user store for other web services (like jira, jenkins,gitlab etc). For security reasons we need 2 factor authentication. I read about OTP in Freeipa but allmost post about host authentication ? How i can setup OTP for user login ?

4 years

2
2
1 / 0

Re: Expired Certificates, rolling back time didn't help

by Bhavin Vaidya

Hello, [root@srv01 lib]# certutil -L -d /etc/pki/pki-tomcat/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu subsystemCert cert-pki-ca u,u,u Certificate Authority - EXAMPLE.COM CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu [root@ds01 lib]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Certificate Authority - EXAMPLE.COM' | grep -i after Not After : Thu Aug 03 19:28:18 2034 Is "Certificate Authority - EXAMPLE.COM" valid entry here? this Not After date is of our older CA certificate, which we was replaced couple years ago. can this entry be deleted? the "caSigningCert cert-pki-ca" is the current CA with valid dates. thank you for your help. Rgwards, Bhavin ________________________________ From: Bhavin Vaidya via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: Monday, March 23, 2020 1:28 PM To: Florence Blanc-Renaud <flo(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Bhavin Vaidya <bvaidya(a)hotmail.com> Subject: [Freeipa-users] Re: Expired Certificates, rolling back time didn't help Hello, We carried out following steps, but certificates will still not renew. stop ntpd fall back to 2018-05-11 (Mar 11th, 2018) ipactl stop started all but ntpd service manually systemctl restart certomonger Waited for more than an hour, but certificates still didn't get update. Now our other IPA server's some certiicated also expired. I'm seeing 2 IPA certificates in following output, as earlier we had issue with loosing master CA server and we retain older certificate it seems. Can this be an issue? [root@srv01 log]# /usr/bin/certutil -d /etc/httpd/alias/ -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u EXAMPLE.COM IPA CA-0 CT,C,C EXAMPLE.COM IPA CA CT,C,C [root@srv01 log]# [root@srv01 ~]# certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert CTu,Cu,Cu EXAMPLE.COM IPA CA CT,C,C [root@srv01 ~]# thank you for your support. regards, Bhavin ________________________________ From: Florence Blanc-Renaud <flo(a)redhat.com> Sent: Tuesday, March 17, 2020 4:26 AM To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Bhavin Vaidya <bvaidya(a)hotmail.com> Subject: Re: [Freeipa-users] Re: Expired Certificates, rolling back time didn't help On 3/17/20 11:44 AM, Bhavin Vaidya via FreeIPA-users wrote: > Hello Flo, > > thank you for your response. > > [root@srv01 ~]# ipa config-show | grep renewal > IPA CA renewal master: srv01.arteris.com > > We followed following step, but Certificates will not renew. > > Stopped NTP and went back to 2018-05-11 > systemctl restart certmonger.service > > no luck, so we did > > Stopped NTP and went back to 2018-05-11 > systemctl restart certmonger.service > stopped FreeIPA - ipactl stop > Started services manually as per this RedHat doc > <https://access.redhat.com/solutions/3146271>. > getcert list ---- shows either SUBMITTING, CA_UNREACHABLE or > NEED_TO_SUBMIT > Hi, you need to wait a while for certmonger to renew all the certs. As the new output shows, some progress was made: the LDAP certificate was renewed. You can try: getcert resubmit -i 20180315021503 then wait for the RA cert to move to MONITORING and do the same for each cert that needs to be renewed (resubmit, wait for the cert to move to MONITORING, etc...). flo > [root@srv01 ~]# getcert list > > Number of certificates and requests being tracked: 8. > > Request ID '20180228053337': > > status: MONITORING > > stuck: no > > key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > > CA: SelfSign > > issuer: CN=srv01.example.com,O=EXAMPLE.COM > > subject: CN=srv01.example.com,O=EXAMPLE.COM > > expires: 2021-01-11 21:56:57 UTC > > principal name: krbtgt/EXAMPLE.COM(a)EXAMPLE.COM > <mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM> > > certificate template/profile: KDCs_PKINIT_Certs > > pre-save command: > > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > > track: yes > > auto-renew: yes > > Request ID '20180315021457': > > status: SUBMITTING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=CA Audit,O=EXAMPLE.COM > > expires: 2020-02-25 04:27:49 UTC > > key usage: digitalSignature,nonRepudiation > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20180315021500': > > status: SUBMITTING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS > Certificate DB',pin set > > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS > Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=OCSP Subsystem,O=EXAMPLE.COM > > expires: 2020-02-25 04:28:38 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20180315021501': > > status: SUBMITTING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=CA Subsystem,O=EXAMPLE.COM > > expires: 2020-02-25 04:31:47 UTC > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20180315021502': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent-reuse > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=Certificate Authority,O=EXAMPLE.COM > > expires: 2038-03-07 03:47:46 UTC > > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "caSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20180315021503': > > status: CA_UNREACHABLE > > ca-error: Error 28 connecting to > https://srv01.example.com:8443/ca/agent/ca/profileReview: Timeout was > reached. > > stuck: no > > key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' > > certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=IPA RA,O=EXAMPLE.COM > > expires: 2018-06-15 23:15:23 UTC > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20180315021505': > > status: MONITORING > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=srv01.example.com,O=EXAMPLE.COM > > expires: 2020-05-12 01:41:53 UTC > > principal name: ldap/srv01.example.com(a)EXAMPLE.COM > <mailto:ldap/srv01.example.com@EXAMPLE.COM> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM > > track: yes > > auto-renew: yes > > Request ID '20180315021510': > > status: NEED_TO_SUBMIT > > ca-error: Server at https://srv01.example.com/ipa/xmlfailed request, > will retry: -504 (libcurl failed to execute the HTTP POST transaction, > explaining:Peer's Certificate has expired.). > > stuck: no > > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=srv01.example.com,O=EXAMPLE.COM > > expires: 2020-03-07 08:49:51 UTC > > principal name: HTTP/srv01.example.com(a)EXAMPLE.COM > <mailto:HTTP/srv01.example.com@EXAMPLE.COM> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > > > Thank you and with regards, > Bhavin > > > > ------------------------------------------------------------------------ > *From:* Florence Blanc-Renaud <flo(a)redhat.com> > *Sent:* Tuesday, March 17, 2020 1:17 AM > *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > *Cc:* Bhavin Vaidya <bvaidya(a)hotmail.com> > *Subject:* Re: [Freeipa-users] Expired Certificates, rolling back time > didn't help > On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote: >> Hello, >> >> We had similar issue 2 yrs back, and resurface as it didn't auto-renew. >> Went back in time to 2016-06-11 as well as 2020-02-20, restarted >> "certmonger", didn't update. >> > Hi, > > you need to check first which server is your renewal master: > > $ kinit admin > > $ ipa config-show | grep renewal > > > The output should display the name of the renewal master. This host is > the first server that needs to be fixed. > > > In the getcert list output that you provided, we can see that: > > - the PKI certificates shared between the servers expired on 2020-02-25 > (auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, > subsystemCert cert-ki-ca) > > - the CA cert is still valid > > - the RA cert expired on 2018-06-15 > > - the HTTP and LDAP server certs expired on 2020-03-07 > > > You need to carefully pick the date you go back in time: at that given > date, all the certs must be valid (not expired yet but *already valid*). > From your output, the date needs to be before 2018-06-15 but after > 2018-03-08 (=the validFrom date for the PKI certs). > > > HTH, > > flo > >> FreeIPA Master:*CentOS 7.4.1708, FreeIPA Version: **4.5.0, >> API_VERSION: 2.228* >> >> whileipactl start, it will not start pki-tomcat with >> message,pki-tomcatd Service: STOPPED. >> >> Referring toRob's blog >> <https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...> >> >> [root@srv01 ~]# curl --cacert /etc/ipa/ca.crt >> -v[https://%60hostname%60:8443/ca/ww/ca/getCertChain]https://`hostname`:8443/ca/ww/ca/getCertChain >> >> * About to connect() to srv01.example.com port 8443 (#0) >> >> *Trying 192.168.10.146... >> >> * Connected to srv01.example.com (192.168.10.146) port 8443 (#0) >> >> * Initializing NSS with certpath: sql:/etc/pki/nssdb >> >> *CAfile: /etc/ipa/ca.crt >> >> CApath: none >> >> * Server certificate: >> >> *subject: CN=srv01.example.com,O=EXAMPLE.COM >> >> *start date: Dec 26 21:02:44 2016 GMT >> >> *expire date: Dec 16 21:02:44 2018 GMT >> >> *common name: srv01.example.com >> >> *issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER) >> >> * Peer's certificate issuer has been marked as not trusted by the user. >> >> * Closing connection 0 >> >> curl: (60) Peer's certificate issuer has been marked as not trusted by >> the user. >> >> More details here:http://curl.haxx.se/docs/sslcerts.html >> >> curl performs SSL certificate verification by default, using a "bundle" >> >> of Certificate Authority (CA) public keys (CA certs). If the >> defaultbundle file isn't adequate, you can specify an alternate >> fileusing the --cacert option. >> >> If this HTTPS server uses a certificate signed by a CA represented >> inthe bundle, the certificate verification probably failed due to >> aproblem with the certificate (it might be expired, or the name >> mightnot match the domain name in the URL). >> >> If you'd like to turn off curl's verification of the certificate, >> usethe -k (or --insecure) option. >> >> >> While, CA cert check asper >> <https://www.freeipa.org/page/V4/CA_certificate_renewal>, >> >> [root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n >> 'caSigningCert cert-pki-ca' >> >> Number of certificates and requests being tracked: 8. >> >> Request ID '20180315021502': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS >> Certificate DB',pin set >> >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS >> Certificate DB' >> >> CA: dogtag-ipa-ca-renew-agent >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=Certificate Authority,O=EXAMPLE.COM >> >> expires: 2038-03-07 03:47:46 UTC >> >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "caSigningCert cert-pki-ca" >> >> track: yes >> >> auto-renew: yes >> >> We also have few others certificates, which are not renewed. >> >> >> [root@srv01 ~]# getcert list >> >> Number of certificates and requests being tracked: 8. >> >> Request ID '20180228053337': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' >> >> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' >> >> CA: SelfSign >> >> issuer: CN=srv01.example.com,O=EXAMPLE.COM >> >> subject: CN=srv01.example.com,O=EXAMPLE.COM >> >> expires: 2021-01-11 21:56:57 UTC >> >> principal name:krbtgt/EXAMPLE.COM@EXAMPLE.COM >> <mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM> >> >> certificate template/profile: KDCs_PKINIT_Certs >> >> pre-save command: >> >> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021457': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin set >> >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> >> CA: dogtag-ipa-ca-renew-agent >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=CA Audit,O=EXAMPLE.COM >> >> expires: 2020-02-25 04:27:49 UTC >> >> key usage: digitalSignature,nonRepudiation >> >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "auditSigningCert cert-pki-ca" >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021500': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin set >> >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> >> CA: dogtag-ipa-ca-renew-agent >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=OCSP Subsystem,O=EXAMPLE.COM >> >> expires: 2020-02-25 04:28:38 UTC >> >> eku: id-kp-OCSPSigning >> >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "ocspSigningCert cert-pki-ca" >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021501': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS >> Certificate DB',pin set >> >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS >> Certificate DB' >> >> CA: dogtag-ipa-ca-renew-agent >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=CA Subsystem,O=EXAMPLE.COM >> >> expires: 2020-02-25 04:31:47 UTC >> >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> >> eku: id-kp-serverAuth,id-kp-clientAuth >> >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "subsystemCert cert-pki-ca" >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021502': >> >> status: MONITORING >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS >> Certificate DB',pin set >> >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS >> Certificate DB' >> >> CA: dogtag-ipa-ca-renew-agent >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=Certificate Authority,O=EXAMPLE.COM >> >> expires: 2038-03-07 03:47:46 UTC >> >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "caSigningCert cert-pki-ca" >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021503': >> >> status: CA_UNREACHABLE >> >> ca-error: Error 60 connecting >> tohttps://srv01.example.com:8443/ca/agent/ca/profileReview: Peer >> certificate cannot be authenticated with given CA certificates. >> >> stuck: no >> >> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' >> >> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' >> >> CA: dogtag-ipa-ca-renew-agent >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=IPA RA,O=EXAMPLE.COM >> >> expires: 2018-06-15 23:15:23 UTC >> >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> >> eku: id-kp-serverAuth,id-kp-clientAuth >> >> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >> >> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021505': >> >> status: CA_UNREACHABLE >> >> ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request, >> will retry: 4016 (RPC failed at server.Failed to authenticate to CA >> REST API). >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwd >> >> file.txt' >> >> certificate: >> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS >> Certificate DB' >> >> CA: IPA >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=srv01.example.com,O=EXAMPLE.COM >> >> expires: 2020-03-07 08:49:36 UTC >> >> principal name:ldap/srv01.example.com@EXAMPLE.COM >> <mailto:ldap/srv01.example.com@EXAMPLE.COM> >> >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> >> eku: id-kp-serverAuth,id-kp-clientAuth >> >> pre-save command: >> >> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM >> >> track: yes >> >> auto-renew: yes >> >> Request ID '20180315021510': >> >> status: CA_UNREACHABLE >> >> ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request, >> will retry: 4016 (RPC failed at server.Failed to authenticate to CA >> REST API). >> >> stuck: no >> >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> >> certificate: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> >> CA: IPA >> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM >> >> subject: CN=srv01.example.com,O=EXAMPLE.COM >> >> expires: 2020-03-07 08:49:51 UTC >> >> principal name:HTTP/srv01.example.com@EXAMPLE.COM >> <mailto:HTTP/srv01.example.com@EXAMPLE.COM> >> >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> >> eku: id-kp-serverAuth,id-kp-clientAuth >> >> pre-save command: >> >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> >> track: yes >> >> auto-renew: yes >> >> >> thank you for your help. >> Bhavin >> >> >> >> _______________________________________________ >> FreeIPA-users mailing list --freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >> To unsubscribe send an email tofreeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists... > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

4 years

1
0
0 / 0

New IPA server

by Andrew Meyer

I am building out a new IPA server environment and I am getting the following error: [user@freeipa001 ~]$ sudo ipa-server-install --setup-dns --setup-kra --setup-adtrust --auto-reverse --ssh-trust-dns --auto-forwarders --allow-zone-overlap IPv6 stack has to be enabled in the kernel and some interface has to have ::1 address assigned. Typically this is 'lo' interface. If you do not wish to use IPv6 globally, disable it on the specific interfaces in sysctl.conf except 'lo' interface. The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information [user@freeipa001 ~]$ [root@freeipa001 ~]# sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=0 sysctl: cannot stat /proc/sys/net/ipv6/conf/lo/disable_ipv6: No such file or directory [root@freeipa001 ~]# I am using the latest CentOS 8

4 years

2
5
0 / 0

centos 6.9 with freeipa client 3.0 version Non-interactive

by Faraz Younus

Hi Team, I'm getting below error when running this command. would you help in that ? *IPA Server:* - name: Adding host to IPA server command: ipa host-add ipacentos.example.com --password=abc123 --force *Client: * name: Installing FreeIPA client command: /usr/sbin/ipa-client-install --domain example.com --mkhomedir --password abc123 " --server ipa9.example.com --unattended e, "cmd": ["/usr/sbin/ipa-client-install", "--domain", "fixedandmobile.com", "--mkhomedir", "--password", "abc123", "--server", "ipa9.example.com", "--unattended"], "delta": "0:01:03.451321", "end": "2020-03-29 05:57:22.013451", "msg": "non-zero return code", "rc": 1, "start": "2020-03-29 05:56:18.562130", "stderr": "Hostname: ipacentos.example.com\nRealm: EXAMPLE.COM\nDNS Domain: example.com\nIPA Server: ipa9.example.com\nBaseDN: dc=example,dc=com\nSynchronizing time with KDC...\nUnable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.\nOTP case, CA cert preexisted, use it\nJoining realm failed: Incorrect password.\n\nInstallation failed. Rolling back changes.\nIPA client is not configured on this system.", "stderr_lines": ["Hostname: ipacentos.example.com", "Realm:EXAMPLE.COM", "DNS Domain: example.com", "IPA Server: ipa9.example.com", "BaseDN: dc=example,dc=com", "Synchronizing time with KDC...", "Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.", "OTP case, CA cert preexisted, use it", "Joining realm failed: Incorrect password.", "", "Installation failed. Rolling back changes.", "IPA client is not configured on this system."], "stdout": "\u001b[?1034h", "stdout_lines": ["\u001b[?1034h"]}

4 years

3
6
0 / 0

FreeIPA 4.8.6 released

by Alexander Bokovoy

The FreeIPA team would like to announce FreeIPA 4.8.6 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon. == Highlights in 4.8.6 * 5662: ID Views: do not allow custom Views for the masters Custom ID views cannot be applied to IPA masters. A check was added to both IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and unintended side-effects. * 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases. * 8233: 4.8.5 master Installation error On Debian and ALT Linux setup of AJP connector did restart Apache instance before it was configured. The restart wasn't actually needed and thus was removed. * 8236: Enforce a check to prevent adding objects from IPA as external members of external groups Command 'ipa group-add-member' allowed to specify any user or group for '--external' option. A stricter check is added to verify that a group or user to be added as an external member does not come from IPA domain. * 8239: Actualize Bootstrap version Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1. * 8241: Build fails on Fedora 30 SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions. === Enhancements === Known Issues * 8240: KRA install fails if all KRA members are Hidden Replicas If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete. === Bug fixes FreeIPA 4.8.6 is a stabilization release for the features delivered as a part of 4.8 version series. There are more than 10 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. == Resolved tickets * https://pagure.io/freeipa/issue/5662[#5662] ID Views: do not allow custom Views for the masters * https://pagure.io/freeipa/issue/6891[#6891] Move FreeIPA SELinux policy from system policy to project policy * https://pagure.io/freeipa/issue/7181[#7181] ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled * https://pagure.io/freeipa/issue/7895[#7895] ipa trust fetch-domains, server parameter ignored * https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new Fedora translation platform * https://pagure.io/freeipa/issue/8193[#8193] Re-order 50-externalmembers.update to be after 80-schema_compat.update * https://pagure.io/freeipa/issue/8228[#8228] Nightly failure in backup/restore while calling 'id admin' * https://pagure.io/freeipa/issue/8233[#8233] 4.8.5 master Installation error * https://pagure.io/freeipa/issue/8236[#8236] Enforce a check to prevent adding objects from IPA as external members of external groups * https://pagure.io/freeipa/issue/8239[#8239] Actualize Bootstrap version * https://pagure.io/freeipa/issue/8240[#8240] KRA install fails if all KRA members are Hidden Replicas * https://pagure.io/freeipa/issue/8241[#8241] Build fails on Fedora 30 == Detailed changelog since 4.8.5 === Alexander Bokovoy (35) * Become FreeIPA 4.8.6 https://pagure.io/freeipa/c/75d04b5e0e5709d98440209f803175242a52d119[commit] * ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager https://pagure.io/freeipa/c/bcbf64b1bf287d2b0b23bc7ac0cca9e8b789ba4a[commit] https://pagure.io/freeipa/issue/7181[#7181] * ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN https://pagure.io/freeipa/c/5bae736bc81eaa1167ec64a69a32506dad2ca286[commit] https://pagure.io/freeipa/issue/7181[#7181] * ipatests: test sysaccount password change with a password policy applied https://pagure.io/freeipa/c/313542e8a125c4904750826ef9eabdead7d874bd[commit] https://pagure.io/freeipa/issue/7181[#7181] * ipatests: allow changing sysaccount passwords as cn=Directory Manager https://pagure.io/freeipa/c/f4dc10b8caac44f5c2a8edbb4c647e6dcf71c3bd[commit] https://pagure.io/freeipa/issue/7181[#7181] * Fix indentation levels https://pagure.io/freeipa/c/c62b9e7f6ab0dec54540dc6cd389fe58f8858275[commit] * ipatests: always skip additional input for group-add-member --external https://pagure.io/freeipa/c/74f36e7c2f7f6d17b56e06b5f05205edb8a286d7[commit] https://pagure.io/freeipa/issue/8236[#8236] * po: update Chinese (China) translation https://pagure.io/freeipa/c/c6adee04068ce946f8c9b8ad5db19721db13c602[commit] * po: update Ukrainian translation https://pagure.io/freeipa/c/855a36b6c093fd21af7cf87524acc5d297692de3[commit] * po: update Tajik translation timestamp https://pagure.io/freeipa/c/3d411cf29f29e1d391ed8f6eb159b88d450a332b[commit] * po: update Slovak translation timestamp https://pagure.io/freeipa/c/3c15e47a7c2212aab0ecdc320093bee2afa0bfdc[commit] * po: update Russian translation https://pagure.io/freeipa/c/db433fbe4e521d08dee2cdc2e65344d8203e03a4[commit] * po: update Portuguese (Brazil) translation timestamp https://pagure.io/freeipa/c/eab195ff3884b482279279326b3a84ced4723b7e[commit] * po: update Portuguese translation timestamp https://pagure.io/freeipa/c/31a9da8efa793d492352f646fc804b902beec088[commit] * po: update Polish translation https://pagure.io/freeipa/c/4e3867fcc49a8d2ff1085e630abd77666a06d838[commit] * po: update Punjabi translation timestamp https://pagure.io/freeipa/c/e4dfb7409bd25dc5bc2cc1e99562f912a98509f8[commit] * po: update Dutch translation timestamp https://pagure.io/freeipa/c/e7945284906998da0a798a1ff15a42dd3fdb96d9[commit] * po: update Marathi translation timestamp https://pagure.io/freeipa/c/28a963eed0f27c214543b02fc34e15182e6fcc04[commit] * po: update Kannada translation timestamp https://pagure.io/freeipa/c/89b048d1408834dde38321ac4f402083ebd30247[commit] * po: update Japanese translation timestamp https://pagure.io/freeipa/c/89dbf88abb108cad7f44f92b4e94e66f21746cd3[commit] * po: update Indonesian translation timestamp https://pagure.io/freeipa/c/124a563eb64d7f9a2190a13e9d68a7b608be2d22[commit] * po: update Hungarian translation timestamp https://pagure.io/freeipa/c/595d5062b9e770a946156f69df2fe522d4745d9e[commit] * po: update Hindi translation timestamp https://pagure.io/freeipa/c/c4dd8b226ae97011bcc0546209f8473fbcd75ab8[commit] * po: update French translation https://pagure.io/freeipa/c/a2ca393d35a1f34b2dbbd54c9c1d24b9f20960f0[commit] * po: update Basque translation timestamp https://pagure.io/freeipa/c/92fb5c5268b8b1b02b7a1d12b9a6417c893a18f1[commit] * po: update Spanish translation https://pagure.io/freeipa/c/7af52df7a8e54afe36649c5436fcfce759111751[commit] * po: update English (United Kingdom) translation timestamp https://pagure.io/freeipa/c/37a1e927a1f123b8b9fdbaf815003cb04726f72c[commit] * po: update German translation https://pagure.io/freeipa/c/0d053d8b1df33f5602ae0e154743f1d1dce2c72d[commit] * po: update Czech translation timestamp https://pagure.io/freeipa/c/c8ba436c0dad467bf12dec4d4f141916d0b3fbbd[commit] * po: update Catalan translation timestamp https://pagure.io/freeipa/c/29e3ade05c8bea23c07ed1a1b5612af01f924d2d[commit] * po: update Bengali translation timestamp https://pagure.io/freeipa/c/16d9556c6f3d19f73256d6698a7659f78961a378[commit] * po: update ipa.pot template https://pagure.io/freeipa/c/e23ba779d3aefd871e348b91e7b0fa003d97c96e[commit] * Update translation infrastructure https://pagure.io/freeipa/c/831f4dd320a93d01df6b06058c3ab618a98c9fd8[commit] https://pagure.io/freeipa/issue/8159[#8159] * Keep ipa.pot translation file in git for weblate https://pagure.io/freeipa/c/9ff7b4a411d13ca148d2f53603dbcc812d92380a[commit] https://pagure.io/freeipa/issue/8159[#8159] * Prevent adding IPA objects as external members of external groups https://pagure.io/freeipa/c/127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19[commit] https://pagure.io/freeipa/issue/8236[#8236] === Christian Heimes (5) * po: fix LINGUAS to use whitespace separation https://pagure.io/freeipa/c/616ad399c99292542638e9e8f0995873e5c4f311[commit] https://pagure.io/freeipa/issue/8159[#8159] * SELinux: apache_manage_pid_files for F30 https://pagure.io/freeipa/c/f08ced1b25e14f91526c82610a8219ae8ed898a3[commit] https://pagure.io/freeipa/issue/8241[#8241] * Add pytest OpenSSH transport with password https://pagure.io/freeipa/c/42aa86fadd7a7f2209e05291be9c76a8497998dd[commit] * Move freeipa-selinux dependency to freeipa-common https://pagure.io/freeipa/c/7d525ab4308060435808a311de55a76fb26a28c6[commit] https://pagure.io/freeipa/issue/6891[#6891] * Integrate ipa_custodia policy https://pagure.io/freeipa/c/04cc0450125e3c9e989c3e769a25ba2f1f336060[commit] https://pagure.io/freeipa/issue/6891[#6891] === François Cami (1) * ipatests: test_replica_promotion.py: test KRA on Hidden Replica https://pagure.io/freeipa/c/a692212e3bee36fbccba73ed21f7825381eeade4[commit] https://pagure.io/freeipa/issue/8240[#8240] === Florence Blanc-Renaud (3) * ipatests: wait for SSSD to become online in backup/restore tests https://pagure.io/freeipa/c/ebb3c22ddb998997eb05e7bd4da2157e88b6c8f3[commit] https://pagure.io/freeipa/issue/8228[#8228] * xmlrpc tests: add a test for idview-apply on a master https://pagure.io/freeipa/c/c37a84628601d369f83546085b7e29be8fe11a59[commit] https://pagure.io/freeipa/issue/5662[#5662] * idviews: prevent applying to a master https://pagure.io/freeipa/c/7905891341197cb90faf635cf93ce63ae7a7a38b[commit] https://pagure.io/freeipa/issue/5662[#5662] === Mohammad Rizwan Yusuf (3) * ipatests: Skip test using paramiko when FIPS is enabled https://pagure.io/freeipa/c/45507c1e86b634507fdc21dbb88ea9edd43e4166[commit] * Test if schema-compat-entry-attribute is set https://pagure.io/freeipa/c/3f3fa403a944035cf5531939fe3a2e338da99612[commit] https://pagure.io/freeipa/issue/8193[#8193] * Test if schema-compat-entry-attribute is set https://pagure.io/freeipa/c/210619a98f0d8a042a181bab5891bdd595aa5351[commit] https://pagure.io/freeipa/issue/8193[#8193] === Rob Crittenden (4) * Test that pwpolicy only applied on Kerberos entries https://pagure.io/freeipa/c/b34063e700ac4c65b117705bafb0255c26bca060[commit] * Add ability to change a user password as the Directory Manager https://pagure.io/freeipa/c/840671b1cdc508ea86f8412e6423f00b8c3bf809[commit] * Don't save password history on non-Kerberos accounts https://pagure.io/freeipa/c/8b7bb96b327207284c8c0a45cf2979843482cf48[commit] * Test that ipa-healthcheck human output translates error strings https://pagure.io/freeipa/c/7974ac9f8c7969df85f689d94f5b30c18e661daa[commit] === Stanislav Levin (1) * pki-proxy: Don't rely on running apache until it's configured https://pagure.io/freeipa/c/24c6ea3c9f2df757b3d714044c16083716e377ca[commit] https://pagure.io/freeipa/issue/8233[#8233] === Sergey Orlov (2) * ipatests: provide AD admin password when trying to establish trust https://pagure.io/freeipa/c/814b47e85c87bc3c80c91ebd0aa9085ac06b521e[commit] https://pagure.io/freeipa/issue/7895[#7895] * ipatests: remove test_ordering https://pagure.io/freeipa/c/0e9b020db201ff5797f0dabff05c3fc16a9bf79a[commit] === Serhii Tsymbaliuk (1) * Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 https://pagure.io/freeipa/c/f1855dd51e1544a77f1b4a3d4c90f173c29fbed4[commit] https://pagure.io/freeipa/issue/8239[#8239] === sumenon (1) * ipatests: Added testcase to check logrotate is added for healthcheck tool https://pagure.io/freeipa/c/7d4687926e9866c378db8075dd7b55b3c40e71a9[commit] === Vit Mojzis (1) * selinux: disable ipa_custodia when installing custom policy https://pagure.io/freeipa/c/f99cfa1443dfa33422eb4a7613d3dd9e921ccacd[commit] https://pagure.io/freeipa/issue/6891[#6891] -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

4 years

1
1
0 / 0

Allow AD users to manage FreeIPA

by White, David

I'm reviewing the documentation at https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow members of certain AD groups to login to FreeIPA from the web GUI. Does this documentation only apply to the FreeIPA CLI, or does it also affect access to manage through the web GUI? Let's say we have an AD group named "engineers", and I want those engineers to have admin access over FreeIPA. If the above documentation only affects the CLI, that feels a little bit redundant, because we can of course easily create Sudo / Su rules to allow members of "engineers" to have control over the FreeIPA nodes using HBAC rules and such. (This is already done and working -- members of `engineers` already have CLI admin access over FreeIPA -- I now want them to have GUI admin access). I'm also a little bit confused why the documentation says to add a domain user to the AD "administrators" group (as an ID Override). That feels like a security risk, because I don't want the user to be considered an Active Directory administrator -- I only want the person (well, any members of the `engineers` group) to have admin access over FreeIPA. It sounds like this would have to be done on a user-by-user basis (and is not something we could apply to an entire AD group that already exists)? I ran: `id administrator(a)ad.domain.com` and verified that I do have stdout. But then I ran: `ipa group-show administrator(a)ad.domain.com` and stdout included: ipa: ERROR: administrator(a)ad.domain.com: group not found Is there any way to accomplish what I want? ----- David White Engineer II, Fiber Systems Engineering

4 years

3
8
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users March 2020