January 2021 - FreeIPA-users - Fedora Mailing-Lists

by Alexander Bokovoy

The FreeIPA team would like to announce FreeIPA 4.9.1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon. == Highlights in 4.9.1 * 3226: [RFE] ipa sudorule-add-user should accept more types of characters IPA now supports users and groups from trusted Active Directory domains in SUDO rules to specify runAsUser/runAsGroup properties without an intermediate non-POSIX group membership + IPA now supports adding users and groups from trusted Active Directory domains in SUDO rules without an intermediate non-POSIX group membership * 7599: Leading / trailing white spaces in password are disallowed Allow leading and trailing whitespaces in passwords set through IPA commands. They were already allowed via Kerberos and LDAP. * 7676: ipa-client-install changes system wide ssh configuration Skip ProxyCommand wrapper in SSH configuration in case user is configured with /sbin/nologin to allow automated tools to operate as expected * 8528: Use separate logs for AD Trust and DNS installer ipa-adtrust-install and ipa-dns-install commands now log their activity into separate log files. * 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg ipa-cert-fix tool now handles situations when a CSR is missing from Dogtag's CA/KRA CS.cfg configuration files. Configuration file is updated with a CSR tracked by Certmonger. * 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9 IPA will not deploy ACME service if Dogtag PKI version is known to not provide a complete service. A complete ACME support requires Dogtag 10.10.0 or later. * 8635: Memory availability detection does not work with cgroupsv2 environment Containerized environments on Linux with cgroup v2 are now recognized and supported. * 8644: ipa-certupdate drops profile from the caSigningCert tracking ipa-certupdate tool now honors CA profile specified in the certificate request it tries to update * 8646: permission-mod attrs, includedattrs and excludedattrs issues Managed permissions commands now properly rollback changes if a generated ACI has incorrect syntax * 8655: Allow to establish trust to Active Directory in FIPS mode When IPA is deployed in FIPS mode, it is now possible to establish trust to Active Directory forest. * 8659: ipa-kdb: provide correct logon time in MS-PAC from authentication time Trust to Active Directory support was improved to be more compatible with AD DC queries: lookup groups via LSA RPCs, allow user principal name lookups, more complete PAC record generation. === Enhancements === Known Issues === Bug fixes FreeIPA 4.9.1 is a stabilization release for the features delivered as a part of 4.9 version series. There are more than 30 bug-fixes since FreeIPA 4.9.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. == Resolved tickets #3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters #7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration #8501 Unify how FreeIPA gets FQDN of current host #8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add #8519 Fedora container platform is incomplete #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system #8528 Use separate logs for AD Trust and DNS installer #8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates #8589 (rhbz#1812871) Intermittent IdM Client Registration Failures #8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find #8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred: #8614 Remove ca.crt from the system-wide store on uninstall #8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg #8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password #8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9 #8635 Memory availability detection does not work with cgroupsv2 environment #8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking #8646 permission-mod attrs, includedattrs and excludedattrs issues #8650 Updated dnspython-2.1.0 causes a test failure #8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection #8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode #8656 Use client keytab for 389ds #8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c #8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time #8660 ipasam: implement PASSDB getgrnam call #8661 ipasam: allow search of users by user principal name (UPN) #8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner #8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True #8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser #8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption #8674 test_ipahealthcheck divides KiB by 1000 #8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret #8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails == Detailed changelog since 4.9.1 === Armando Neto (1) * ipatests: Update PR-CI definitions for ipa-4-9 https://pagure.io/freeipa/c/ccdecaa984ef6ebcc63d754e896b2229bcba3b88[commit] === Alexander Bokovoy (30) * Become FreeIPA 4.9.1 https://pagure.io/freeipa/c/aa58fad8eb98b0e8e248eb76b107b5e1faac4aeb[commit] * Force-update translation po/uk.po https://pagure.io/freeipa/c/a97967ff3b56ba3c3894a5aadffbef68961b3581[commit] * Force-update translation po/ipa.pot https://pagure.io/freeipa/c/cb583ac18e33698f9bd950490482a722cc993a06[commit] * Force-update translation po/hu.po https://pagure.io/freeipa/c/a1c43ac3c91ae045f402610c88141d7f3d387011[commit] * Force-update translation po/de.po https://pagure.io/freeipa/c/6f6dd6240c91b8a4a6c9e6f1090db33ec37c7857[commit] * Update contributors list https://pagure.io/freeipa/c/2ac8028e1f8dca4b8bc37bd4995043da647dbfb8[commit] * baseldap: allow rejecting unknown objects instead of adding to an external attr https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647[commit] https://pagure.io/freeipa/issue/3226[#3226] * ipatests: when talking to AD DCs, use FQDN credentials https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8[commit] https://pagure.io/freeipa/issue/8678[#8678] * test_trust: add tests for using AD users and groups in SUDO rules https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e[commit] https://pagure.io/freeipa/issue/3226[#3226] * ipatests: fix test_sudorule_plugin's wrong argument use https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98[commit] https://pagure.io/freeipa/issue/3226[#3226] * sudorule runAs: allow to add users and groups from trusted domains directly https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae[commit] https://pagure.io/freeipa/issue/3226[#3226] * sudorule-add-user: allow to reference users and groups from trusted domains directly https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884[commit] https://pagure.io/freeipa/issue/3226[#3226] * idviews: add extended validator for users from trusted domains https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2[commit] https://pagure.io/freeipa/issue/3226[#3226] * baseldap: when adding external objects, differentiate between them and failures https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3[commit] https://pagure.io/freeipa/issue/3226[#3226] * baseldap: refactor validator support in add_external_pre_callback https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb[commit] https://pagure.io/freeipa/issue/3226[#3226] * Add design document for using AD users/groups in SUDO rules https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c[commit] https://pagure.io/freeipa/issue/3226[#3226] * use a constant instead of /var/lib/sss/keytabs https://pagure.io/freeipa/c/9f63afb4408e308c2ee972a72875525afefa5d54[commit] * trust-fetch-domains: use custom krb5.conf overlay for all trust operations https://pagure.io/freeipa/c/c842d4b5c2404d263d56aa0c4ba33fe32b2ca61e[commit] https://pagure.io/freeipa/issue/8655[#8655], https://pagure.io/freeipa/issue/8664[#8664] * ipaserver/dcerpc: store forest topology as a blob in ipasam https://pagure.io/freeipa/c/3d706b6f57309ec394df617cecb9a73d021fc2f7[commit] https://pagure.io/freeipa/issue/8576[#8576] * ipasam: derive parent domain for subdomains automatically https://pagure.io/freeipa/c/f103172954c259443f0c5b4ac89474e66cf3a1d6[commit] https://pagure.io/freeipa/issue/8576[#8576] * ipasam: free trusted domain context on failure https://pagure.io/freeipa/c/e8f927db7da00d1671f871d3b2e89429aec3beb9[commit] https://pagure.io/freeipa/issue/8576[#8576] * ipasam: allow search of users by user principal name (UPN) https://pagure.io/freeipa/c/2e8eb0f5fe82be58be88fa0d9b07ee7af69d8829[commit] https://pagure.io/freeipa/issue/8661[#8661] * ipasam: implement PASSDB getgrnam call https://pagure.io/freeipa/c/962052a0567b6878843272b1882d0a0b3b2debd1[commit] https://pagure.io/freeipa/issue/8660[#8660] * ipa-kdb: provide correct logon time in MS-PAC from authentication time https://pagure.io/freeipa/c/f8bf37422b7c49a4a39b4704b18158b37ee9ef80[commit] https://pagure.io/freeipa/issue/8659[#8659] * ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available https://pagure.io/freeipa/c/3fa07a108030265dc89921a37216a1184e1e7516[commit] https://pagure.io/freeipa/issue/8655[#8655] * ipaserver/dcerpc.py: use Kerberos authentication for discovery https://pagure.io/freeipa/c/8ab9bf68a4d12c8763c1669d0c14b7771a3289da[commit] https://pagure.io/freeipa/issue/8655[#8655] * ipaserver/dcerpc: use Samba-provided trust helper to establish trust https://pagure.io/freeipa/c/753246f4e82af5697ee51bdc7f667959e1824be1[commit] https://pagure.io/freeipa/issue/8655[#8655] * ipatests: fix race condition in finalizer of encrypted backup test https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d[commit] * ipaplatform: add constant for systemd-run binary https://pagure.io/freeipa/c/8c7d1fbad15c5a906ffa261329dd49be048549ed[commit] * Get back to git snapshots https://pagure.io/freeipa/c/0fd4a8936f5b41e83ffdbe00f88309e5a2e94f9f[commit] === Antonio Torres (2) * Check that IPA cert is added to trust store after server install https://pagure.io/freeipa/c/2715fbd4a73115949264298858ed0835fe982164[commit] https://pagure.io/freeipa/issue/8614[#8614] * Test that IPA certs are removed on server uninstall https://pagure.io/freeipa/c/2a86a93e560e1d9ade2f78b0cf82d93b8833eb39[commit] https://pagure.io/freeipa/issue/8614[#8614] === Antonio Torres Moríñigo (2) * ipatests: test that trailing/leading whitespaces in passwords are allowed https://pagure.io/freeipa/c/3f3762ef92a809059f196e5553f1c31e9f1180e7[commit] * Allow leading/trailing whitespaces in passwords https://pagure.io/freeipa/c/89eba7d38db2f510554b3365f9d099190ce80c51[commit] https://pagure.io/freeipa/issue/7599[#7599] === Christian Heimes (1) * Add ccache sweeper files to gitignore https://pagure.io/freeipa/c/56b84973b9f02e74f2518bd58694b673f88f8d5e[commit] https://pagure.io/freeipa/issue/8589[#8589] === François Cami (1) * ipatests: test_ipahealthcheck: fix units https://pagure.io/freeipa/c/34add4a2e091dc7bc6031f8fc6cc80904b1bea20[commit] https://pagure.io/freeipa/issue/8674[#8674] === Florence Blanc-Renaud (12) * ipatests: fix discrepancies in nightly defs https://pagure.io/freeipa/c/bb78693405aab603203e60a174b04cd3264e1855[commit] * ipatests: fix expected output for ipahealthcheck.ipa.files https://pagure.io/freeipa/c/dc2a52abe256d2de09eafe8a07898b0cbea3404b[commit] https://pagure.io/freeipa/issue/8662[#8662] * ipatests: fix healthcheck test for ipahealthcheck.ds.encryption https://pagure.io/freeipa/c/2a207918521b474a39c1689837db146800624af8[commit] https://pagure.io/freeipa/issue/8670[#8670] * ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser https://pagure.io/freeipa/c/bd3bad88ee4d4535416ad5fc5f97b55a939534ef[commit] https://pagure.io/freeipa/issue/8668[#8668] * ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6[commit] https://pagure.io/freeipa/issue/8596[#8596], https://pagure.io/freeipa/issue/8653[#8653] * selinux: modify policy to allow one-way trust https://pagure.io/freeipa/c/952b6bdcceda9f460e17075404084f1f3ddb5eaa[commit] https://pagure.io/freeipa/issue/8508[#8508] * ipatests: add test_ipa_cert_fix to the nightly definitions https://pagure.io/freeipa/c/7f2be8a45a1d4baff0074cf4d8c446e3d08db795[commit] https://pagure.io/freeipa/issue/8618[#8618] * ipa-cert-fix: do not fail when CSR is missing from CS.cfg https://pagure.io/freeipa/c/eb711f781322657b0b3d77332f2462ecfb27db95[commit] https://pagure.io/freeipa/issue/8618[#8618] * ipatests: add a test for ipa-cert-fix https://pagure.io/freeipa/c/f36e518b5704b02b81a4b80a1b84c429594cf5ce[commit] https://pagure.io/freeipa/issue/8618[#8618] * ipatests: clear initgroups cache in clear_sssd_cache https://pagure.io/freeipa/c/286d0680a6d4ae53b79596e545f9291791e36aa5[commit] * ipatests: remove test_acme from gating https://pagure.io/freeipa/c/dd1b596b5711aefd87fd6ec340c3713ee5932425[commit] https://pagure.io/freeipa/issue/8602[#8602] * ipatests: fix expected error message in test_commands https://pagure.io/freeipa/c/8bc341868f9154a625b7aae2604a7aa7b6cd0696[commit] https://pagure.io/freeipa/issue/8631[#8631] === JoeDrane (1) * Update ipa_sam.c https://pagure.io/freeipa/c/b53592492879f87465774eb9a4d6c02a8ba26a5e[commit] === Rob Crittenden (16) * ipatests: test the cgroup v2 memory restrictions https://pagure.io/freeipa/c/85d944cea13725511973fa00c9db6a1ebeb90efa[commit] https://pagure.io/freeipa/issue/8635[#8635] * Add support for cgroup v2 to the installer memory checker https://pagure.io/freeipa/c/1dd4501a9fe1e83964b1f008b91d20b4afe5051a[commit] https://pagure.io/freeipa/issue/8635[#8635] * ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get https://pagure.io/freeipa/c/7b380969241b7f28b2aa275ff1a71fdf78912580[commit] https://pagure.io/freeipa/issue/8658[#8658] * ipa-rmkeytab: convert numeric return values to #defines https://pagure.io/freeipa/c/06ffc7aae7f37bbd03dbd145e30c13f2234ed071[commit] https://pagure.io/freeipa/issue/8658[#8658] * ipa_pwd: Remove unnecessary conditional https://pagure.io/freeipa/c/f6cfbffc8f2e45d0e8e6057e6ead6d35e99bf48a[commit] * ipa_kdb: Fix memory leak https://pagure.io/freeipa/c/df0c2d7e0ca8c3620093a47c9592de4f37e86608[commit] * ipa-kdb: Fix logic to prevent NULL pointer dereference https://pagure.io/freeipa/c/93f8840ed8f484c7880534b86aaad3d1f8fb0d2e[commit] * ipa-kdb: Change mspac base RID logic from OR to AND https://pagure.io/freeipa/c/f0de557063b6db143fd0d2ff47b08610edb39706[commit] * Add missing break statement to password quality switch https://pagure.io/freeipa/c/ec4511ec12dfeff2cc2f3a23171089bd32c5add0[commit] * Revert "Remove test for minimum ACME support and rely on package deps" https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66[commit] https://pagure.io/freeipa/issue/8634[#8634] * ipatests: See if nologin supports -c before asserting message https://pagure.io/freeipa/c/ca9f8d1c9feda6fd58220f1424970dcca5b730e0[commit] https://pagure.io/freeipa/issue/7676[#7676] * ipatests: test that modifying a permission attrs handles failure https://pagure.io/freeipa/c/bdc383a1a906f97c06b2bfa281a4b290fb4b04b3[commit] https://pagure.io/freeipa/issue/8646[#8646] * Remove virtual attributes before rolling back a permission https://pagure.io/freeipa/c/9ae744254dd845f9a459601cb8a1468aeaad028a[commit] https://pagure.io/freeipa/issue/8646[#8646] * Remove invalid test case for DNS SRV priority https://pagure.io/freeipa/c/071b71290601d4a5f6a65adf2b55c34d3865172d[commit] https://pagure.io/freeipa/issue/8650[#8650] * ipatests: test that no errors are reported after ipa-certupdate https://pagure.io/freeipa/c/ad1764a1fff885e1c386b0a9f50517b2e0725e03[commit] https://pagure.io/freeipa/issue/8644[#8644] * Don't change the CA profile when modifying request in ipa_certupdate https://pagure.io/freeipa/c/10ba43ad35acecdd1c4b7981db31a90cce1b9fab[commit] https://pagure.io/freeipa/issue/8644[#8644] === Robbie Harwood (1) * Set client keytab location for 389ds https://pagure.io/freeipa/c/df411f00a3d1db2fcb0d122a54b9e13a57e35f3f[commit] https://pagure.io/freeipa/issue/8656[#8656] === Stanislav Levin (2) * ipatests: Don't assume sshd flush its logs immediately https://pagure.io/freeipa/c/cbe7d2258d6c900b2e02b2373e720275d9917316[commit] https://pagure.io/freeipa/issue/8682[#8682] * ipatests: Raise log level of 389-ds replication https://pagure.io/freeipa/c/41a9cc637b4ea8794fc17f9fc06c6cf8d3a31caa[commit] === Sergey Orlov (2) * ipatests: use fully qualified name for AD admin when establishing trust https://pagure.io/freeipa/c/dc16c2484c1006bc249848383d86ef828abd921a[commit] * ipatests: do not set dns_lookup to true https://pagure.io/freeipa/c/8d7697af269e68e051ce969ae9cc835f5ba6a3b7[commit] === Sudhir Menon (2) * ipatests: Test for IPATrustControllerPrincipalCheck https://pagure.io/freeipa/c/2035ba9925ae738d2dbdd1274168cb99a2364db0[commit] * ipatests: ipahealthcheck remove test skipped in pytest run https://pagure.io/freeipa/c/27cc011ac286db20a4cd9dbdd65d4a8fd1cb7e3a[commit] -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

1 year, 5 months

4
6
0 / 0

SelfService change password.

by Kiselev Mikhail

I met with the problem that the user cannot update his own password ipa user-show new User login: new First name: new Last name: new Home directory: /home/new Login shell: /bin/bash Principal name: new(a)OPENTECH.LOCAL Principal alias: new(a)OPENTECH.LOCAL Email address: new(a)e2e4online.ru UID: 346726108 GID: 100 Account disabled: False Password: True Member of groups: ipausers, users Indirect Member of group: jira_users, grafana_users, asterisk_users, perspectiva_rdp, bamboo_users, nexus_users, bitbucket_users, moodle_users, harbor_users, inkass_rdp, desktop, confluence_users, jenkins_users, maven_users, ivideon_users, chat_users, mail_users, nextcloud_users Indirect Member of HBAC rule: login_users Kerberos keys available: True ipa user-status new ----------------------- Account disabled: False ----------------------- Server: ipareplica1.opentech.local Failed logins: 0 Last successful authentication: N/A Last failed authentication: N/A Time now: 2021-01-12T06:58:47Z Server: ipareplica2.opentech.local Failed logins: 0 Last successful authentication: N/A Last failed authentication: N/A Time now: 2021-01-12T06:58:47Z Server: ipa.opentech.local Failed logins: 0 Last successful authentication: N/A Last failed authentication: N/A Time now: 2021-01-12T06:58:47Z ---------------------------- Number of entries returned 3 ---------------------------- ipa -vv passwd ipa: INFO: trying https://ipa.opentech.local/ipa/session/json ipa: INFO: Request: { "id": 0, "method": "ping", "params": [ [], {} ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "messages": [ { "code": 13001, "data": { "server_version": "2.231" }, "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.231", "name": "VersionMissing", "type": "warning" } ], "summary": "IPA server version 4.6.6. API version 2.231" }, "version": "4.6.6" } ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "command_defaults/1", "params": [ [ "passwd/1" ], { "kw": null, "params": [ "principal" ], "version": "2.231" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "result": { "principal": "new(a)OPENTECH.LOCAL" } }, "version": "4.6.6" } ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "command_defaults/1", "params": [ [ "passwd/1" ], { "kw": { "principal": "new(a)OPENTECH.LOCAL" }, "params": [ "current_password" ], "version": "2.231" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "result": {} }, "version": "4.6.6" } Current Password: New Password: Enter New Password again to verify: ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "command_defaults/1", "params": [ [ "passwd/1" ], { "kw": null, "params": [ "principal" ], "version": "2.231" } ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": { "result": { "principal": "new(a)OPENTECH.LOCAL" } }, "version": "4.6.6" } ipa: INFO: [try 1]: Forwarding 'passwd/1' to json server 'https://ipa.opentech.local/ipa/session/json' ipa: INFO: Request: { "id": 0, "method": "passwd/1", "params": [ [], { "current_password": "test", "password": "123", "version": "2.231" } ] } ipa: INFO: Response: { "error": { "code": 2100, "data": { "info": "Insufficient access rights" }, "message": "Insufficient access: Insufficient access rights", "name": "ACIError" }, "id": 0, "principal": "new(a)OPENTECH.LOCAL", "result": null, "version": "4.6.6" } ipa: ERROR: Insufficient access: Insufficient access rights

1 year, 5 months

3
3
0 / 0

subdomain_homedir parameter

by Rik Theys

Hi, I'm setting up a test environment with FreeIPA. I have it set up with one-way trusts to 2 AD domains and logging in works ok. The AD trusts are not set up with the "posix" type, so the IPA servers should not be looking up posix attributes from AD. I'm now trying to configure the home directory for AD users on ipa clients. From what I've found online so far, it should be possible to configure this parameter with the "subdomain_homedir" sssd.conf parameter. Is it sufficient to configure this parameter on the IPA server(s), or do I have to configure it on all IPA clients? For now, I've configured it on my 3 IPA servers and restarted sssd. I've also cleared the sssd caches with 'sss_cache -E', but looking up the home directory still returns the old format. Even on the IPA servers themselves (where I've performed the sssd.conf changes). Is there anything else I need to configure/restart? I currently have it configured in the [domain/my-ipa-domain-name] section of sssd.conf on the IPA servers. I have a similar question regarding the login shell for AD users. I've updated the default shell from /bin/sh to /bin/bash using: ipa config-mod --defaultshell=/bin/bash But this does not seem to change the shell for my AD user? If I run 'getent passwd aduser1@addomain' on an IPA client, it shows nothing for the shell!? I know I can configure ID views with overrides for specific users, but is there a way to specify defaults for the homedir and loginshell in an ID view? Regards, Rik

1 year, 5 months

2
2
0 / 0

Exipred SSL for https and Ldap

by Ahmed ElShafaie

Greeting All, I had a problem renewing the SSL for httpd and ldap. I had a new certificate from http://ssl.com/ . So I need clear instructions to add this new certificate to LDAP service and httpd Thank you in Advance Ahmed

1 year, 5 months

4
13
0 / 0

No such file or directory: '/etc/authselect/user-nsswitch.conf'

by Jacquelin Charbonnel

For information, on a new virgin host under CentOS Stream release 8 : # ipa-server-install ends with : [Errno 2] No such file or directory: '/etc/authselect/user-nsswitch.conf' The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information Configuration of client side components failed! The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information To solve the problem : # touch /etc/authselect/user-nsswitch.conf # ipa-server-install --uninstall # ipa-server-install -- Jacquelin Charbonnel - (+33)2 4173 5397 CNRS Mathrice/LAREMA - Campus universitaire d'Angers

1 year, 5 months

3
2
0 / 0

Can an IPA user be member of a local group

by Ronald Wimmer

I would like an IPA user to be member of the local 'docker' group. Is this possible? Cheers, Ronald

1 year, 5 months

3
16
0 / 0

Scaling and Misc

by Mark Potter

The docs say 2k to 3k hosts per FreeIPA machine. We currently have 1 server and 3 replicas for ~9k hosts. The issue is that the hosts in question are stateless so have to have ipa-client-install run every boot. We've got that part handled but something came up that's got me concerne. I was adding DNS records using ansible-freeipa. With needing DNS for all of our sites along with BMC and such we have about ~38k valid DNS entries. I was running two playbooks to add entries in parallel because we need everything to resolve on example.com and example1.com. This is an artifact that can't be avoided so we end up ~76k entries across two zones. Example.com was adding with reverse and example1.com was adding without reverse. Based on the time it took for each entry to be added this should have taken ~31 hours. At some point the three replicas stopped responding to any requests. For instance ipa1.example.com (primary) would validate while adding a host but example2.com (replica) would hang and never timeout. Eventually both playbooks failed at ~33k DNS entries as ssh wasn't responding on the primary. I wasn't monitoring at that point so I didn't get to see it happen. There is nothing from OOM in the logs so it doesn't look like ssshd got killed from memory usage, when I was monitoring load never got over2. The VMs have 16GiB memory, 6 cores, and a 10Gib connection. They are running CentOS 7 with FreeIPA 4.6.5. Logs on ipa1 show: Jan 27 11:39:14 ipa1 ns-slapd: [27/Jan/2021:11:39:14.363156372 -0600] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn= meToipa2.example.com" (ipa2:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later. For both the left and right replicas (ipa2 and ipa3). The replicas show: Jan 27 16:38:02 ipa2 named-pkcs11[2516]: LDAP query timed out. Try to adjust "timeout" parameter Jan 27 16:38:02 ipa2 named-pkcs11[2516]: zone example.com/IN: serial (1611787052) write back to LDAP failed Jan 27 16:38:12 ipa2 named-pkcs11[2516]: LDAP query timed out. Try to adjust "timeout" parameter Jan 27 16:38:12 ipa2 named-pkcs11[2516]: zone 16.172.in-addr.arpa/IN: serial (1611787062) write back to LDAP failed Which eventually became: Jan 27 16:57:32 ipa2 named-pkcs11[2516]: zone example.com/IN: serial (1611788192) write back to LDAP failed Jan 27 16:58:22 ipa2 named-pkcs11[2516]: timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock? This was happening in the krb5kdc.log on the replicas around the same time: Jan 27 15:20:41 ipa2.example.com krb5kdc[26712](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.201.1.5: LOOKING_UP_CLIENT: markp(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Server error In dirsrv/slapd-EXAMPLE-COM/error in the same timeframe: [27/Jan/2021:15:58:04.885131721 -0600] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ipa2.example.com-to-ipa3.example.com" (ipa3:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () While not frequently these appeared again until I rebooted the replicas this morning. I could restart with 'ipactl restart`, it would just hang. I let it sit for ten minutes at one point. `ipactl status` consistently showed everything running. My topology looks like this (both ca and domain are the same) ------------------ 5 segments matched ------------------ Segment name: ipa1.example.com-to-ipa2.example.com Left node: ipa1.example.com Right node: ipa2.example.com Connectivity: both Segment name: ipa1.example.com-to-ipa3.example.com Left node: ipa1.example.com Right node: ipa3.example.com Connectivity: both Segment name: ipa1.example.com-to-ipa4.example.com Left node: ipa1.example.com Right node: ipa4.example.com Connectivity: both Segment name: ipa3.example.com-to-ipa2.example.com Left node: ipa3.example.com Right node: ipa2.example.com Connectivity: both Segment name: ipa4.example.com-to-ipa3.example.com Left node: ipa4.example.com Right node: ipa3.example.com Connectivity: both ---------------------------- Number of entries returned 5 ---------------------------- Since the play takes slightly more than 2 seconds to run when creating with reverse and slightly under 2 seconds when creating without reverse I don't see why this should ever overload anything but I will freely admit I am not all that familiar with the way DNS is handled. If FreeIPA is sending the entire zone file for every update and it all has to be written to the DB then I can see why that would be an issue. I could kill the replication agreements, load the rest of the entries, then re-add the agreements so the zone only needs to be transferred once. But it's still a bit concerning due to the scenario I described above. If we have a power outage and need to boot ~9k machines, all of which will run: ipa-client-install -U -q -p <service account for adding hosts> \ -w <some really secure password> \ --domain=example.com \ --server=ipa1.example.com \ --server=ipa2.example.com \ --server=ipa3.example.com \ --server=ipa4.example.com \ --force-join \ --enable-dns-updates \ --ssh-trust-dns \ --automount-location=<appropriate map> Are we going to see everything fail in a spectacular manner and is there anything I can do to mitigate the failure with adding DNS entries as I still need to complete the addition and have ~5k per zone left for two zones.

1 year, 5 months

2
2
0 / 0

IPA compat mode

by Jacquelin Charbonnel

Hi folks, Overall, what is the goal of the IPA compat mode, and what are the consequences of enabling/disabling it ? And specifically, what's the differences between : # ipa migrate-ds --with-compat ... and # ipa-compat-manage disable # ipa migrate-ds ... Thanks on advance -- Jacquelin Charbonnel - (+33)2 4173 5397 CNRS Mathrice/LAREMA - Campus universitaire d'Angers

1 year, 5 months

3
2
0 / 0

CRL Not Updating

by TC Johnson

The CRL being served by the CRL Master has not added a newly revoked certificate for 4 months. The CRL is updated and published as expected every four hours, just with no change to the list of revocations. Currently the CRL lists 34 certificates where as a query with ipa cert-find returns 40. The missing certificates are not expired. I do not see any errors in /var/log/pki/pki-tomcat/ca/debug* I've been through the steps at https://www.freeipa.org/page/Troubleshooting/PKI and checked the CRL settings per https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.

1 year, 5 months

3
6
1 / 0

Questions about DNS client names in a FreeIPA / Active Directory trust

by White, Daniel E. (GSFC-770.0)[NICS]

OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS I am using 4 labels to parallel the environment for which this is intended. The DNS domain for the environment is foo.bar.urp and there is currently no FOO.BAR.URP AD-DC, but we eventually expect one from "Upstream" and hope to make AD.FOO.BAR.URP a Kerberos sub-realm/domain of it AD.FOO.BAR.URP and ad.foo.bar.urp were created. IDM.FOO.BAR.URP and idm.foo.bar.urp will be created shortly and connected by a cross-forest trust. These, of course, will be sub-domains to AD.FOO.BAR.URP/ad.foo.bar.urp The confuzzlepation is about client domain names. Do Linux clients need to use the idm.foo.bar.urp DNS domain or can they just use foo.bar.urp ? Same question for non-Linux clients -- ad.foo.bar.urp DNS domain or can they just use foo.bar.urp ? And does the lack of the "parent" Kerberos realm/domain FOO.BAR.URP complicate the matter ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NASCOM Linux Engineer NASA Goddard Space Flight Center Science Applications International Corporation (SAIC) Office: (301) 286-6919 Mobile: (240) 513-5290

1 year, 5 months

2
3
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2021