January 2021 - FreeIPA-users - Fedora Mailing-Lists

by Rik Theys

Hi, I'm setting up a test environment with FreeIPA. I have it set up with one-way trusts to 2 AD domains and logging in works ok. The AD trusts are not set up with the "posix" type, so the IPA servers should not be looking up posix attributes from AD. I'm now trying to configure the home directory for AD users on ipa clients. From what I've found online so far, it should be possible to configure this parameter with the "subdomain_homedir" sssd.conf parameter. Is it sufficient to configure this parameter on the IPA server(s), or do I have to configure it on all IPA clients? For now, I've configured it on my 3 IPA servers and restarted sssd. I've also cleared the sssd caches with 'sss_cache -E', but looking up the home directory still returns the old format. Even on the IPA servers themselves (where I've performed the sssd.conf changes). Is there anything else I need to configure/restart? I currently have it configured in the [domain/my-ipa-domain-name] section of sssd.conf on the IPA servers. I have a similar question regarding the login shell for AD users. I've updated the default shell from /bin/sh to /bin/bash using: ipa config-mod --defaultshell=/bin/bash But this does not seem to change the shell for my AD user? If I run 'getent passwd aduser1@addomain' on an IPA client, it shows nothing for the shell!? I know I can configure ID views with overrides for specific users, but is there a way to specify defaults for the homedir and loginshell in an ID view? Regards, Rik

1 month

2
2
0 / 0

Exipred SSL for https and Ldap

by Ahmed ElShafaie

Greeting All, I had a problem renewing the SSL for httpd and ldap. I had a new certificate from http://ssl.com/ . So I need clear instructions to add this new certificate to LDAP service and httpd Thank you in Advance Ahmed

1 month

4
13
0 / 0

No such file or directory: '/etc/authselect/user-nsswitch.conf'

by Jacquelin Charbonnel

For information, on a new virgin host under CentOS Stream release 8 : # ipa-server-install ends with : [Errno 2] No such file or directory: '/etc/authselect/user-nsswitch.conf' The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information Configuration of client side components failed! The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information To solve the problem : # touch /etc/authselect/user-nsswitch.conf # ipa-server-install --uninstall # ipa-server-install -- Jacquelin Charbonnel - (+33)2 4173 5397 CNRS Mathrice/LAREMA - Campus universitaire d'Angers

1 month

3
2
0 / 0

Can an IPA user be member of a local group

by Ronald Wimmer

I would like an IPA user to be member of the local 'docker' group. Is this possible? Cheers, Ronald

1 month

3
16
0 / 0

Scaling and Misc

by Mark Potter

The docs say 2k to 3k hosts per FreeIPA machine. We currently have 1 server and 3 replicas for ~9k hosts. The issue is that the hosts in question are stateless so have to have ipa-client-install run every boot. We've got that part handled but something came up that's got me concerne. I was adding DNS records using ansible-freeipa. With needing DNS for all of our sites along with BMC and such we have about ~38k valid DNS entries. I was running two playbooks to add entries in parallel because we need everything to resolve on example.com and example1.com. This is an artifact that can't be avoided so we end up ~76k entries across two zones. Example.com was adding with reverse and example1.com was adding without reverse. Based on the time it took for each entry to be added this should have taken ~31 hours. At some point the three replicas stopped responding to any requests. For instance ipa1.example.com (primary) would validate while adding a host but example2.com (replica) would hang and never timeout. Eventually both playbooks failed at ~33k DNS entries as ssh wasn't responding on the primary. I wasn't monitoring at that point so I didn't get to see it happen. There is nothing from OOM in the logs so it doesn't look like ssshd got killed from memory usage, when I was monitoring load never got over2. The VMs have 16GiB memory, 6 cores, and a 10Gib connection. They are running CentOS 7 with FreeIPA 4.6.5. Logs on ipa1 show: Jan 27 11:39:14 ipa1 ns-slapd: [27/Jan/2021:11:39:14.363156372 -0600] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn= meToipa2.example.com" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. For both the left and right replicas (ipa2 and ipa3). The replicas show: Jan 27 16:38:02 ipa2 named-pkcs11[2516]: LDAP query timed out. Try to adjust "timeout" parameter Jan 27 16:38:02 ipa2 named-pkcs11[2516]: zone example.com/IN: serial (1611787052) write back to LDAP failed Jan 27 16:38:12 ipa2 named-pkcs11[2516]: LDAP query timed out. Try to adjust "timeout" parameter Jan 27 16:38:12 ipa2 named-pkcs11[2516]: zone 16.172.in-addr.arpa/IN: serial (1611787062) write back to LDAP failed Which eventually became: Jan 27 16:57:32 ipa2 named-pkcs11[2516]: zone example.com/IN: serial (1611788192) write back to LDAP failed Jan 27 16:58:22 ipa2 named-pkcs11[2516]: timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock? This was happening in the krb5kdc.log on the replicas around the same time: Jan 27 15:20:41 ipa2.example.com krb5kdc[26712](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.201.1.5: LOOKING_UP_CLIENT: markp(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Server error In dirsrv/slapd-EXAMPLE-COM/error in the same timeframe: [27/Jan/2021:15:58:04.885131721 -0600] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ipa2.example.com-to-ipa3.example.com" (ipa3:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () While not frequently these appeared again until I rebooted the replicas this morning. I could restart with 'ipactl restart`, it would just hang. I let it sit for ten minutes at one point. `ipactl status` consistently showed everything running. My topology looks like this (both ca and domain are the same) ------------------ 5 segments matched ------------------ Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: both Segment name: ipa1.example.com-to-ipa3.example.com Left node: ipa1.example.com Right node: ipa3.example.com Connectivity: both Segment name: ipa1.example.com-to-ipa4.example.com Left node: ipa1.example.com Right node: ipa4.example.com Connectivity: both Segment name: ipa3.example.com-to-ipa2.example.com Left node: ipa3.example.com Right node: ipa2.example.com Connectivity: both Segment name: ipa4.example.com-to-ipa3.example.com Left node: ipa4.example.com Right node: ipa3.example.com Connectivity: both ---------------------------- Number of entries returned 5 ---------------------------- Since the play takes slightly more than 2 seconds to run when creating with reverse and slightly under 2 seconds when creating without reverse I don't see why this should ever overload anything but I will freely admit I am not all that familiar with the way DNS is handled. If FreeIPA is sending the entire zone file for every update and it all has to be written to the DB then I can see why that would be an issue. I could kill the replication agreements, load the rest of the entries, then re-add the agreements so the zone only needs to be transferred once. But it's still a bit concerning due to the scenario I described above. If we have a power outage and need to boot ~9k machines, all of which will run: ipa-client-install -U -q -p <service account for adding hosts> \ -w <some really secure password> \ --domain=example.com \ --server=ipa1.example.com \ --server=ipa2.example.com \ --server=ipa3.example.com \ --server=ipa4.example.com \ --force-join \ --enable-dns-updates \ --ssh-trust-dns \ --automount-location=<appropriate map> Are we going to see everything fail in a spectacular manner and is there anything I can do to mitigate the failure with adding DNS entries as I still need to complete the addition and have ~5k per zone left for two zones.

1 month

2
2
0 / 0

IPA compat mode

by Jacquelin Charbonnel

Hi folks, Overall, what is the goal of the IPA compat mode, and what are the consequences of enabling/disabling it ? And specifically, what's the differences between : # ipa migrate-ds --with-compat ... and # ipa-compat-manage disable # ipa migrate-ds ... Thanks on advance -- Jacquelin Charbonnel - (+33)2 4173 5397 CNRS Mathrice/LAREMA - Campus universitaire d'Angers

1 month

3
2
0 / 0

CRL Not Updating

by TC Johnson

The CRL being served by the CRL Master has not added a newly revoked certificate for 4 months. The CRL is updated and published as expected every four hours, just with no change to the list of revocations. Currently the CRL lists 34 certificates where as a query with ipa cert-find returns 40. The missing certificates are not expired. I do not see any errors in /var/log/pki/pki-tomcat/ca/debug* I've been through the steps at https://www.freeipa.org/page/Troubleshooting/PKI and checked the CRL settings per https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.

1 month, 1 week

3
6
1 / 0

Questions about DNS client names in a FreeIPA / Active Directory trust

by White, Daniel E. (GSFC-770.0)[NICS]

OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS I am using 4 labels to parallel the environment for which this is intended. The DNS domain for the environment is foo.bar.urp and there is currently no FOO.BAR.URP AD-DC, but we eventually expect one from "Upstream" and hope to make AD.FOO.BAR.URP a Kerberos sub-realm/domain of it AD.FOO.BAR.URP and ad.foo.bar.urp were created. IDM.FOO.BAR.URP and idm.foo.bar.urp will be created shortly and connected by a cross-forest trust. These, of course, will be sub-domains to AD.FOO.BAR.URP/ad.foo.bar.urp The confuzzlepation is about client domain names. Do Linux clients need to use the idm.foo.bar.urp DNS domain or can they just use foo.bar.urp ? Same question for non-Linux clients -- ad.foo.bar.urp DNS domain or can they just use foo.bar.urp ? And does the lack of the "parent" Kerberos realm/domain FOO.BAR.URP complicate the matter ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NASCOM Linux Engineer NASA Goddard Space Flight Center Science Applications International Corporation (SAIC) Office: (301) 286-6919 Mobile: (240) 513-5290

1 month, 1 week

2
3
0 / 0

Removing old/stale KRA requests in FreeIPA 4.6.6

by Attila Salyi

Hi folks, We have been a big time IPA vault users and managed to accumulate a few hundred thousands KRA requests in our IPA LDAP. This had been going on before ephemeral KRA requests were enabled in our installations and now we have these requests sitting in LDAP. Is there any (preferably: a safe) way to remove these KRA requests? Even the newest ones are 6+ months old. Thank you for your help, Attila

1 month, 1 week

1
0
0 / 0

SSO with only freeIPA

by Am Titan

Hi Folks, I wants to implement SSO I have freeIPA installed and working. Can I use cockpit for SSO, or do I have to use keykloack for SSO? Thanks on advance,

1 month, 1 week

2
2
0 / 0

2021

2020

2019

2018

2017

FreeIPA-users January 2021