HTTP service on a host with multiple CNAMEs and Kerberos authentication
by Peter Tselios
I have a few hosts with multiple CNAMEs serving different websites.
I need to have authentication from Kerberos and LDAP authz. This works just fine when I have one service per host.
But when I add multiple services on the host, it's not working.
What I have is this:
I create a service in IdM:
HTTP/server.example.com
I add the CNAMEs as aliases on the keytab.
So, my principal alias has 3-4 entries:
1. HTTP/server.example.com
2. HTTP/cname1.example.com
3. HTTP/cname2.example.com
4. HTTP/cname3.example.com
Then I download the keytab on the server and I have the following Apache configuration:
<VirtualHost *:443>
    ServerName cnameX.example.com
    ServerAlias cnameX.example.com
    <Location />
        AuthType Kerberos
        AuthName "Login via IdM"
        KrbMethodNegotiate on
        KrbServiceName HTTP/cnameX.example.com
        Krb5Keytab /etc/httpd/http_hostname.keytab
        KrbSaveCredentials on
        AuthLDAPUrl "ldaps://ipamaster.example.com ipa.example.com/dc=example,dc=com?krbPrincipalName"
        AuthLDAPBindDN "uid=appusers,cn=sysaccounts,cn=etc,dc=example,dc=com"
        AuthLDAPBindPassword "secret"
        require ldap-group cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com
    </Location>
</VirtualHost>
But when I try to log in I get this error:
failed to verify krb5 credentials: Decrypt integrity check failed
So, how do I enable kerberos authentication for each virtual host? What do I do wrong here?
3 years, 11 months
Questions about IDM Smartcard Login
by David Woods
I'm trying to set up smart card login to an AD user account using an ID Override on RHEL 7.8. I have been looking through Red Hat's documentation and it's a bit confusing. I was wondering what the proper way is to export a certificate from my CAC PIV card? I have just been exporting the certificate in PEM format from the ESC tool and importing it into the IDM web GUI. But SSSD isn't able to associate the smart card with the AD user. When I run the ipa certmap-match command, it matches the AD account that I configured with the ID Override. I was also wondering if I still need pam_pkcs11 and pam_krb5 installed? When I uninstall pam_pkcs11, GDM doesn't prompt me for my smart card PIN. I was looking at the "config-client-for-smart-card-auth" script and it removes the pam_pkcs11 RPM, which is why I am asking.
3 years, 11 months
Plugin problem after upgrade
by Frederic AYRAULT
Hello,
I upgraded my CentOS servers from 7.7.1908 to 7.8.2003 and ipa from 4.6.5 to 4.6.6.
In the directory /usr/share/ipa/ui/js/plugins/bureau, I am using the enclosed file bureau.js to show the room number field in the GUI. But after the upgrade, the field is there, but empty.
I deleted one of my servers, downgraded the ipa packages and reinstalled ipa, and the plugin is working; I can see the value in the field.
Do you have any idea?
Thank you
Regards,
Frederic
Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
fred(a)lix.polytechnique.fr
3 years, 11 months
Cannot find KDC for realm (dns on another machine)
by Tony Brian Albers
Hi guys,
So, I'm trying to make this work:
FreeIPA server has hostname: ipa001.pri.some.network
FreeIPA client has hostname: cli001.pri.some.network
The KRB Realm entered during the FreeIPA server setup is: SOME.NETWORK
Now, when I try to add the client, it looks happy and is able to look up the server using DNS, but then it stops with:
---
The ipa-client-install command failed, exception: KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "SOME.NETWORK"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
---
---
I've added the output from the ipa-server-install to the relevant DNS zone:
---
; FreeIPA records START
_kerberos-master._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos-master._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._tcp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos._udp.some.network. 86400 IN SRV 0 100 88 ipa001.pri.some.network.
_kerberos.some.network. 86400 IN TXT "SOME.NETWORK"
_kpasswd._tcp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_kpasswd._udp.some.network. 86400 IN SRV 0 100 464 ipa001.pri.some.network.
_ldap._tcp.some.network. 86400 IN SRV 0 100 389 ipa001.pri.some.network.
ipa-ca.some.network. 86400 IN A 192.168.15.83
; FreeIPA records END
---
And if I make a query to the dns server, it answers as expected:
---
[root@indy001 named]# dig @localhost -t TXT _kerberos.some.network
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @localhost -t TXT _kerberos.some.network
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8a9f13188f45d098c0a6127a5ebb846645308639d451a496 (good)
;; QUESTION SECTION:
;_kerberos.some.network. IN TXT
;; ANSWER SECTION:
_kerberos.some.network. 5 IN TXT "SOME.NETWORK"
;; AUTHORITY SECTION:
rpz. 10800 IN NS indy02.pri.some.network.
rpz. 10800 IN NS indy001.pri.some.network.
;; ADDITIONAL SECTION:
indy001.pri.some.network. 10800 IN A 192.168.15.52
indy002.pri.some.network. 10800 IN A 192.168.15.53
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 13 07:23:50 CEST 2020
;; MSG SIZE rcvd: 181
[root@indy001 named]#
---
So, any idea what's going on? I think it might be looking for the KDC for PRI.SOME.NETWORK, but I'm not sure and I can't figure out where to look for that info.
I've attached the ipaclient-install.log the interesting part is:
---
2020-05-12T13:32:04Z DEBUG Starting external process
2020-05-12T13:32:04Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpaweq3vf2', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpaweq3vf2/pwdfile.txt']
2020-05-12T13:32:05Z DEBUG Process finished, return code=0
2020-05-12T13:32:05Z DEBUG stdout=
2020-05-12T13:32:05Z DEBUG stderr=
2020-05-12T13:32:05Z DEBUG failed to find session_cookie in persistent storage for principal 'host/cli001.pri.some.network(a)SOME.NETWORK'
2020-05-12T13:32:05Z DEBUG trying https://ipa001.pri.some.network/ipa/json
2020-05-12T13:32:05Z DEBUG Created connection context.rpcclient_140399463755392
2020-05-12T13:32:05Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://ipa001.pri.some.network/ipa/json'
2020-05-12T13:32:05Z DEBUG New HTTP connection (ipa001.pri.some.network)
2020-05-12T13:32:05Z DEBUG HTTP connection destroyed (ipa001.pri.some.network)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
---
Any ideas much appreciated.
/tony
--
Tony Albers - Systems Architect - IT Development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark
Tel: +45 2566 2383 - CVR/SE: 2898 8842 - EAN: 5798000792142
3 years, 11 months
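A krb5 client that already knows its realm (as here, where the installer was given SOME.NETWORK) locates a KDC through SRV lookups for `_kerberos._udp.some.network` and `_kerberos._tcp.some.network`, plus the `_kerberos-master` variants; the `_kerberos` TXT record that the dig above checks is only consulted to map a host name to a realm. So the lookup to verify is `dig SRV _kerberos._udp.some.network`, run from the client against the resolver the client actually uses. One detail in the dig output is worth noticing: the AUTHORITY section names the `rpz.` zone and the answer TTL is 5 rather than the 86400 in the zone file, which means the answer came from a response-policy zone on that server rather than from the real zone, so a client pointing at a different resolver may well see something else. The block below is an added example, not from the post or from FreeIPA: it builds the exact SRV query a client sends, parses the wire-format answer (including name compression), and includes a constructed server-side answer so that the round trip runs offline; `query_kdc_srv` performs the same exchange against a real resolver. The realm and host names come from the post; the resolver address and the constructed answers are assumptions.

```python
import socket
import struct

SRV = 33  # RR type
NXDOMAIN = 3


def kdc_srv_names(realm):
    """Names MIT krb5 queries (dns_lookup_kdc = true) to find a KDC for REALM."""
    d = realm.lower().rstrip(".")
    return [f"_kerberos._udp.{d}", f"_kerberos._tcp.{d}",
            f"_kerberos-master._udp.{d}", f"_kerberos-master._tcp.{d}"]


def encode_name(name):
    """DNS wire name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    # header: id, flags (RD set), qdcount=1, ancount/nscount/arcount=0; then one question
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def decode_name(msg, pos):
    """Decode a possibly compressed name; return (name, position after the name field)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack_from(">H", msg, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if end is not None else pos)


def parse_srv_response(msg):
    """Return (rcode, [SRV records]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    pos = 12
    for _ in range(qd):                                   # skip the echoed question
        _, pos = decode_name(msg, pos)
        pos += 4
    records = []
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack_from(">HHH", msg, pos)
            target, _ = decode_name(msg, pos + 6)
            records.append({"name": name, "ttl": ttl, "priority": prio,
                            "weight": weight, "port": port, "target": target})
        pos += rdlen
    return flags & 0xF, records


def build_srv_response(query, answers, rcode=0):
    """Constructed server side: echo the question and append one SRV RR per answer
    (answers are (ttl, priority, weight, port, target) tuples)."""
    txid = struct.unpack_from(">H", query, 0)[0]
    msg = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0) + query[12:]
    for ttl, prio, weight, port, target in answers:
        rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack(">HHIH", SRV, 1, ttl, len(rdata)) + rdata  # name -> question
    return msg


def query_kdc_srv(resolver_ip, realm, timeout=2.0):
    """Live check (not exercised offline): send the client's SRV queries to a resolver."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name in kdc_srv_names(realm):
            s.sendto(build_query(name, SRV), (resolver_ip, 53))
            found[name] = parse_srv_response(s.recv(4096))
    return found


# Constructed exchange: the query a client in the post's setup sends, and the answer the
# zone file above should produce. A resolver that does not carry the zone answers NXDOMAIN.
SAMPLE_QUERY = build_query("_kerberos._udp.some.network", SRV)
SAMPLE_GOOD_RESPONSE = build_srv_response(SAMPLE_QUERY, [(86400, 0, 100, 88, "ipa001.pri.some.network")])
SAMPLE_NXDOMAIN_RESPONSE = build_srv_response(SAMPLE_QUERY, [], rcode=NXDOMAIN)

if __name__ == "__main__":
    for resp in (SAMPLE_GOOD_RESPONSE, SAMPLE_NXDOMAIN_RESPONSE):
        rcode, recs = parse_srv_response(resp)
        print("rcode", rcode, "->", [(r["target"], r["port"]) for r in recs] or "no KDC found")
```

Running `query_kdc_srv("192.168.15.52", "SOME.NETWORK")` from cli001 (the address is the first NS from the dig output, used here as an assumption) shows exactly what libkrb5 sees; an `rcode` of 3 or an empty record list for all four names reproduces the "Cannot find KDC" failure independently of the installer.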
enable 2FA authentication only in particular host
by Dhinakaran M
As per the scenario below, I am trying to enable 2FA but with no luck. Please let me know if anyone has faced this kind of issue and how it was resolved.
I'm trying to enable 2FA authentication on only 2 hosts out of 5 hosts.
Test case 1) I have enabled 2FA in the global configuration of FreeIPA, but it is working on all 5 hosts.
Test case 2) Disabled 2FA in the global configuration of FreeIPA and enabled the OTP indicator on only 2 hosts, but the OTP mechanism doesn't work.
https://www.freeipa.org/page/V4/Authentication_Indicators
3 years, 11 months
Ansible and ipa-getkeytab issues
by Peter Tselios
Hello,
I have a few services that I want to configure for kerberos authentication.
I use ansible for this.
So, I register the host in IPA, get the OTP, install the ipa-client, create the service and then I need to go to the CLI to download the keytab.
I have this in my playbooks:
=====================
- name: Download the Keytab
  block:
    - name: Login to IPA Master
      command: echo '{{ ipa_password }}' | kinit admin
      no_log: true
    - name: Download the keytab
      command: >
        ipa-getkeytab -s {{ ipa_master }} -p HTTP/{{ inventory_hostname }} -k /etc/httpd/http_{{ inventory_hostname }}.keytab
=====================
This is failing with the error:
==============================
fatal: [server.example.com]: FAILED! => changed=true
  cmd:
  - ipa-getkeytab
  - -s
  - ipamaster.example.com
  - -p
  - HTTP/server.example.com
  - -k
  - /etc/httpd/http_server.example.com.keytab
  delta: '0:00:00.005696'
  end: '2020-05-11 12:43:59.935641'
  msg: non-zero return code
  rc: 6
  start: '2020-05-11 12:43:59.929945'
  stderr: Kerberos User Principal not found. Do you have a valid Credential Cache?
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>
==============================
However, if I log in to the server, issue a ticket (kinit admin), log out and then re-run the playbook, it succeeds!!!
Any idea how to fix this? Obviously I cannot login to each host and then run the playbooks, this is not automation.
3 years, 11 months
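The `command` module executes its argument list directly, without a shell, so in the first task the `|` is handed to `echo` as a literal argument: nothing is piped, `kinit` never runs, and the task still reports success (its output, which would have contained the password, is hidden by `no_log`). That is why the second task finds no credential cache unless someone has run `kinit` on the host by hand. The snippet below is an added example, not from the post or from Ansible: it shows the argv Ansible derives from that line (the module splits it with `shlex.split`, as done here) and the equivalent of the fix, which is to run `kinit` under `shell:` and pass the password through the module's `stdin` argument rather than through `echo`, so that it never appears in the process list. `kinit_with_stdin` is illustrative and assumes a `kinit` binary on the host; the password value is constructed.

```python
import shlex
import subprocess

# Constructed: the post's first task with the templated password filled in.
PLAYBOOK_LINE = "echo 'secret' | kinit admin"


def argv_as_run_by_command_module(line):
    """Ansible's `command` module splits the line with shlex.split and execs the result:
    no shell is involved, so `|`, `>` and `&&` become ordinary arguments."""
    return shlex.split(line)


def pipeline_is_literal(argv):
    """True when a pipe meant for a shell will instead be passed to argv[0] as data."""
    return "|" in argv


def kinit_with_stdin(principal, password, kinit="kinit"):
    """Equivalent of `shell: kinit {{ principal }}` with `args: {stdin: "{{ ipa_password }}"}`:
    the secret travels over stdin, never through argv where `ps` could read it."""
    proc = subprocess.run([kinit, principal], input=password + "\n",
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()


if __name__ == "__main__":
    argv = argv_as_run_by_command_module(PLAYBOOK_LINE)
    print("command module execs:", argv)
    if pipeline_is_literal(argv):
        print("'|' is a literal argument to", argv[0], "so kinit never runs")
```

A better fix removes the admin password from the playbook altogether: a FreeIPA host can fetch keytabs for the services it manages with its own credentials (`kinit -k -t /etc/krb5.keytab host/<fqdn>` followed by `ipa-getkeytab`), which also means a compromised playbook host does not hold a domain administrator's secret. Keep in mind as well that each `ipa-getkeytab` run without `-r` issues a new key, so re-running this task invalidates the keytab Apache is already using.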
Re: where to place the freeipa server in a segmented network
by Alex Corcoles
Hi,
On Fri, May 8, 2020 at 3:18 PM Angus Clarke via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> We run our IPA infrastructure globally with VPN connected sites, no issue there. I don't have experience of road warrior VPN clients though. I'm not sure how IPA behaves when hosts connect with possibly different FQDNs for example.
>
I have my laptop joined to a FreeIPA domain and it often moves to different networks where it has different FQDNs.
It shows up as hostname.ipadomain in FreeIPA (which doesn't match its name on the networks) and I've never had any issue; I suspect client hostnames are not really important.
I do run a publicly accessible FreeIPA instance. It's personal, not commercial, so I'm willing to assume the risks. There are hardening sections in the official docs, although at no point is there explicit information about whether it's safe or not to expose FreeIPA to the Internet. In discussions here I think it's widely considered that you shouldn't do that, though. I'd love that to be a feature, but I understand in most places it's not an issue.
Cheers,
Álex
3 years, 11 months
where to place the freeipa server in a segmented network
by Rob van Halteren
Hello,
I have a network consisting of a LAN, WLAN, DMZ and a PRODUCTION network, separated by a firewall that performs the routing and connections to the outside world.
I want to introduce Identity management using a FreeIPA server for my network. Most client machines will be on the LAN network, but not all.
Most servers reside on the PRODUCTION network
I am trying to figure out where to place the FreeIPA server in this network.
I want to be able to authenticate all servers and client machines, and also be able to authenticate client machines that are connected via a VPN connection that is hosted on the firewall.
Sorry for having to ask this. I have been looking around on the net and this list but found little help on this topic.
Any advice would be welcome.
Kind regards,
Rob.
3 years, 11 months
Issue with memberOf plugin.
by Mary Georgiou
Hello,
In our set-up, we have a DB with all the users and groups, which we use as ground truth for provisioning the aforementioned objects in FreeIPA (2 master servers + replicas).
We are continuously synchronizing entries (~60000 users and 60000 groups, where groups might have 0 to 20000 members) from the DB to FreeIPA. In each sync cycle, we figure out the differences and add, delete, or change existing entries.
The first sync (through which we had to import all 120000 objects) clogged the server totally, and after tweaking the 389DS we ended up disabling the memberOf plugin where it finally worked (we followed the FreeIPA documentation[1]).
One piece of advice there is to do the sync and then run the fixup task on the server where the provisioning happened.
The fixup still clogs the server after some point and stops.
The errors we get in the log are the following:
```
[06/May/2020:18:16:59.862308719 +0200] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(|(objectclass=inetuser)(objectclass=inetadmin)(objectclass=nsmemberof))") ...
[06/May/2020:20:07:49.545606214 +0200] - ERR - libdb - BDB2055 Lock table is out of available lock entries
[06/May/2020:20:07:49.547921580 +0200] - ERR - idl_new_delete_key - idl_new.c BAD 22, err=12 Cannot allocate memory
[06/May/2020:20:07:49.548930035 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1130, err=12 Cannot allocate memory
[06/May/2020:20:07:49.549779631 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1140, err=12 Cannot allocate memory
[06/May/2020:20:07:49.550612745 +0200] - ERR - index_addordel_values_ext_sv - database index operation failed BAD 1230, err=12 Cannot allocate memory
[06/May/2020:20:07:49.551444741 +0200] - ERR - index_add_mods - database index operation failed BAD 1041, err=12 Cannot allocate memory
[06/May/2020:20:07:49.552457769 +0200] - ERR - index_add_mods - database index operation failed BAD 1040, err=12 Cannot allocate memory
[06/May/2020:20:07:49.553305019 +0200] - ERR - ldbm_back_modify - index_add_mods failed, err=12 Cannot allocate memory
```
We increased the number of DB locks and set the `nsslapd-cache-autosize` to 50% (server has currently 13G of memory).
The only thing we saw was that one thread was using 100% of one of the CPUs.
Any advice on how to deal with this? We would really need to have memberOf attribute.
Thank you in advance!
Best Regards
Mary Georgiou
[1] https://www.freeipa.org/page/V4/Performance_Improvements
3 years, 11 months
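`BDB2055 Lock table is out of available lock entries`, followed by a cascade of `err=12 Cannot allocate memory` from the index code, is the Berkeley DB lock table (`nsslapd-db-locks`) filling up, not the machine running out of RAM: the modify in flight fails, and with it the fixup task. Two things help in practice: raise `nsslapd-db-locks` further (a single modify of a group with thousands of members touches a lock per index entry it updates, so the requirement grows with group size and the number of indexed attributes), and run the fixup in smaller scopes through the task's `basedn` and `filter` attributes rather than in one pass over every inetuser, inetadmin and nsmemberof entry. The block below is an added example, not from the post or from 389-ds: a parser for the 389-ds error-log format that reports how long the task ran before the lock table filled and counts the resulting index failures, run over the log lines from the post, plus a helper that writes the LDIF for a scoped fixup task. The base DN and task name used in the LDIF are assumptions.

```python
import re
from datetime import datetime

# 389-ds error log line: [06/May/2020:18:16:59.862308719 +0200] - ERR - component - message
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<component>\S+) - (?P<msg>.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\.\d+", "", m["ts"]), TS_FMT)  # drop the nanoseconds
    return {"ts": ts, "level": m["level"], "component": m["component"], "msg": m["msg"]}


def analyze_fixup_run(lines):
    """Correlate the memberOf task start with the BDB lock exhaustion that stopped it."""
    report = {"task_started": None, "lock_exhausted_at": None, "ran_for": None,
              "enomem_errors": 0, "first_failing_op": None}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["component"] == "memberof-plugin" and "Memberof task starts" in ev["msg"]:
            report["task_started"] = ev["ts"]
        elif "BDB2055" in ev["msg"]:                      # lock table full
            report["lock_exhausted_at"] = ev["ts"]
            if report["task_started"] is not None:
                report["ran_for"] = ev["ts"] - report["task_started"]
        elif "err=12" in ev["msg"]:                       # ENOMEM reported by the index layer
            report["enomem_errors"] += 1
            if report["first_failing_op"] is None:
                report["first_failing_op"] = ev["component"]
    return report


def fixup_task_ldif(basedn, filt, name="memberof fixup users"):
    """LDIF for one scoped memberOf fixup task; add it with ldapmodify as Directory Manager.
    Run one for users and one for groups so each pass needs fewer locks."""
    return "\n".join([
        f"dn: cn={name},cn=memberof task,cn=tasks,cn=config",
        "objectClass: top",
        "objectClass: extensibleObject",
        f"cn: {name}",
        f"basedn: {basedn}",
        f"filter: {filt}",
        "",
    ])


# Log lines as posted above.
SAMPLE_LOG = """
[06/May/2020:18:16:59.862308719 +0200] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(|(objectclass=inetuser)(objectclass=inetadmin)(objectclass=nsmemberof))") ...
[06/May/2020:20:07:49.545606214 +0200] - ERR - libdb - BDB2055 Lock table is out of available lock entries
[06/May/2020:20:07:49.547921580 +0200] - ERR - idl_new_delete_key - idl_new.c BAD 22, err=12 Cannot allocate memory
[06/May/2020:20:07:49.548930035 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1130, err=12 Cannot allocate memory
[06/May/2020:20:07:49.549779631 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1140, err=12 Cannot allocate memory
[06/May/2020:20:07:49.550612745 +0200] - ERR - index_addordel_values_ext_sv - database index operation failed BAD 1230, err=12 Cannot allocate memory
[06/May/2020:20:07:49.551444741 +0200] - ERR - index_add_mods - database index operation failed BAD 1041, err=12 Cannot allocate memory
[06/May/2020:20:07:49.552457769 +0200] - ERR - index_add_mods - database index operation failed BAD 1040, err=12 Cannot allocate memory
[06/May/2020:20:07:49.553305019 +0200] - ERR - ldbm_back_modify - index_add_mods failed, err=12 Cannot allocate memory
""".strip().splitlines()

if __name__ == "__main__":
    r = analyze_fixup_run(SAMPLE_LOG)
    print(f"task ran {r['ran_for']} before the lock table filled; "
          f"{r['enomem_errors']} index operations failed, first in {r['first_failing_op']}")
    print(fixup_task_ldif("cn=users,cn=accounts,dc=example,dc=com", "(objectclass=inetuser)"))
```

Watching `nsslapd-db-current-locks` against `nsslapd-db-locks` under `cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config` while the scoped task runs shows how close each pass comes to the ceiling, which is a more reliable guide for the next increase than the error log alone.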