login to host issue
by Patterson, David
Hello,
IPA version 4.6.8.
Got a host that doesn't allow user logins, but was joined at some point to the domain.
Everything that I can think of to check appears to be working
Log into client system with local credentials
Logs show invalid user attempts
Client Keytab looks valid.....do these ever expire?
Ktutil
read_kt /etc/krb5.keytab
list
Shows the host/hostname.domain
Quit
Cannot 'id admin' or 'id' any other user
Can obtain Kerberos keys for admin
Can run ipa user-show for any user
System appears valid in idmweb gui
What did I miss?
Get a new keytab for the client with ipa-getkeytab?
Is there some server/client certs I should be checking?
Thanks!
David Patterson
3 years, 3 months
A Couple Admin Quality of Life Tools
by Noah Bliss
Hey all,
Just wanted to share a couple of tools I whipped up to flesh out some of the more time consuming or lean feature areas of FreeIPA. Hopefully they help you! Pull Reuquests and Issues are welcome.
https://github.com/noahbliss/freeipa-sam
FreeIPA-SAM is a simple menu-driven bash script for lifecycle management of system (service) accounts in LDAP. As a refresher, these seem to be the accounts you use as connectors to various services, but not for typical human user login. As there doesn't seem to be a convenient way to manage these in the WebUI and consistency is key when doing manual account management, I've found this to be a huge time-saver.
https://github.com/noahbliss/freeipa-pen
FreeIPA-PEN is a bash script designed to be installed on an IPA server and invoked by cron. It uses a system account to check LDAP and notify users via email if their password is going to expire soon. For accounts that do not have an email address or have already expired, it can generate a weekly/monthly report for you as an admin.
Best regards,
Noah
3 years, 3 months
ipa-client-install Behind TLS Proxy
by Robert Gabriel
Hi,
Is it possible to enrol a host using `ipa-client-install` behind a TLS proxy?
I need to enrol hosts that can only reach `my.proxy.host:443` due to networking constraints.
I see there is MS-KKDCP for kinit, kpasswd etc.
We don't have much need for Kerberos ATM and are mainly using user, group lookups along with SSH pubkeys and Sudo rules.
I'm assuming that at the very least we are using 389/636 for the above lookups? Then you would at least have to proxy your LDAPS?
I have not done a `tcpdump` yet to ascertain what ports are in use.
Thank you.
3 years, 3 months
Trusting an AD synchronized towards Azure AD
by Monkey Bizness
Hi all,
I have seen that FreeIPA can't integrate with Azure AD directly. Which
is not that surprising from what I understand of it's internals.
In the case of a trust with a local AD that is itself synchronized with
azure, would it work?
My instinct tells me it should but anything could happen behind the
seen.
Unfortunately, the guys handling azure/ad won't provide a test system
to check it out to I'm asking here.
Follow up question, any plans to support OpenID connect or SAML for
user auth?
My Best
Monkey
3 years, 3 months
ipa-replica-install fails when the forwarder address is a link-local IP address
by Ganesh Kumar
Hi,
I am setting up a 2 node FreeIPA system. One primary and the other is a replica. I want the replica to use the cloud DNS nameserver as a forwarder. In Google cloud, 169.254.169.254 is the nameserver. But when this is used as a forwarder I get the following error,
ipa-replica-install: error: option --forwarder: invalid IP address 169.254.169.254: cannot use link-local IP address 169.254.169.254
Google Cloud does not provide a global DNS name resolver.
Anyone knows why ipa is unhappy about link-local IP address? The closest explanation I could find is here https://pagure.io/freeipa/issue/6296#comment-327224, but I am unable to understand the context of it.
Thanks,
Ganesh
3 years, 3 months
Re: ipa healthcheck issue
by Patterson, David
Hello,
How or what does it use to compare with?
I see a cert in the nssdb with the correct nickname.
certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
host/idm2.x.y u,u,u
I also see the other side of the same coin....
getcert list -c IPA | grep -A15 20191122115414
Request ID '20191122115414':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=X.Y
subject: CN=idm2.x.y,O=X.Y
expires: 2021-11-22 11:54:15 UTC
principal name: host/idm2.x.y(a)X.Y
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Not sure that I want to delete either.
Thanks!
David Patterson
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Monday, January 11, 2021 11:07 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Patterson, David <dpatte(a)sandia.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] ipa healthcheck issue
Patterson, David via FreeIPA-users wrote:
> Hello,
>
> Â
>
> Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported
> for RHEL 7.
>
> Â
>
> Ipa healthcheck output
>
> [
>
> Â {
>
> Â Â Â "source": "ipahealthcheck.ipa.certs",
>
> Â Â Â "kw": {
>
> Â Â Â Â Â "msg": "Unable to retrieve cert 'host/idm2.X.Y' from
> '/etc/pki/nssdb': Failed to get host/idm2.X.Y",
>
> Â Â Â Â Â "nickname": "host/idm2.X.Y",
>
> Â Â Â Â Â "dbdir": "/etc/pki/nssdb",
>
> Â Â Â Â Â "key": "20191122115414",
>
> Â Â Â Â Â "error": "Failed to get host/idm2.X.Y"
>
> Â Â Â },
>
> Â Â Â "uuid": "64d9b118-e588-4dbb-99e1-6ef11e495ed5",
>
> Â Â Â "duration": "0.382404",
>
> Â Â Â "when": "20210107005140Z",
>
> Â Â Â "check": "IPACertfileExpirationCheck",
>
> Â Â Â "result": "ERROR"
>
> Â },
>
> Â {
>
> Â Â Â "source": "ipahealthcheck.ipa.certs",
>
> Â Â Â "kw": {
>
> Â Â Â Â Â "msg": "Unknown certmonger id 20191122115414",
>
> Â Â Â Â Â "key": "20191122115414"
>
> Â Â Â },
>
> Â Â Â "uuid": "1b4bba70-08e0-43dc-8984-657cc47fd339",
>
> Â Â Â "duration": "1.109733",
>
> Â Â Â "when": "20210107005142Z",
>
> Â Â Â "check": "IPACertTracking",
>
> Â Â Â "result": "WARNING"
>
> Â }
>
> ]
>
> Â
>
> How do I correct these issues?
They are two sides of the same coin. You have an unknown certificate request being tracked by certmonger.
In this case the nickname host/idm2.X.Y in /etc/pki/nssdb.
Looks like there isn't a nickname with this value in that NSS database which explains the first error.
I suspect that someone did some manual tracking changes and got this one wrong. It isn't something that IPA would have configured.
Is it safe to delete this tracking request? Probably. But I'd double and triple check before doing so. Its unclear what the original purpose of creating it was.
rob
3 years, 3 months
is it possible to create a bind account with the 'ipa user-add' ?
by Rob Verduijn
Hello,
I am looking into integrating a 3rd party application with ipa.
Last time I checked it was only possible to do this with a bind account
that you would create with an ldiff
ldapmodify -x -D 'cn=Directory Manager' -W <<EOF
dn: uid=mybindaccount,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: qwerty123
passwordExpirationTime: 20380101000000Z
nsIdleTimeout: 0
EOF
Is still the recommended way to go ?
Or is there an option to do this with the 'ipa user-add' command ?
Rob
3 years, 3 months
problem with AD user login
by Suchismita Panda
Hi,
We have a pair of FreeIPA servers (1 master and 1 replica)
Freeipa server version 4.6.8
Recently when we are trying to enroll any new freeipa client to the server,
the installation goes successful, but AD user login does not work. Even the
client fails to retrieve AD user information using id command. This works
fine on the FreeIPA server.
Freeipa local user login is working fine on the client.
There are other FreeIPA clients, where the AD user login is working fine.
We generally use Ansible to join FreeIPA. So the installation process is
also the same for all servers. Not sure why, recently it does not work. Any
advice would be really helpful.
Freeipa client version 4.8.6
In the logs mostly I am seeing below error -
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Thanks
Suchi
3 years, 3 months
Samba on IdM member failure
by Alan Latteri
Hello.
I have setup a test FreeIPA server and client, CentOS 8.3, very minimal, exactly as the documentation. I can successfully mount a Samba shared from ipaclient on MacOS, the first access. But any subsequent share mounting fails until winbind is restarted. Please see this screen capture which explicitly shows the issue.
https://youtu.be/8Qd8u67WLkU
These errors appear in /var/log/messages:
Dec 23 13:31:15 ipaclient01 winbindd[1258]: [2020/12/23 13:31:15.265397, 0] ../../source3/winbindd/winbindd_util.c:175(add_trusted_domain)
Dec 23 13:31:15 ipaclient01 winbindd[1258]: add_trusted_domain: SID [S-1-5-21-1037681751-2390144637-354493272] already used by domain [IPA], expected [ipa.instinctual.studio]
Dec 23 13:31:15 ipaclient01 winbindd[1258]: [2020/12/23 13:31:15.265462, 0] ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
Dec 23 13:31:15 ipaclient01 winbindd[1258]: winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
Dec 23 13:31:17 ipaclient01 winbindd[1258]: [2020/12/23 13:31:17.263925, 0] ../../source3/winbindd/winbindd_util.c:175(add_trusted_domain)
Dec 23 13:31:17 ipaclient01 winbindd[1258]: add_trusted_domain: SID [S-1-5-21-1037681751-2390144637-354493272] already used by domain [IPA], expected [ipa.instinctual.studio]
Dec 23 13:31:17 ipaclient01 winbindd[1258]: [2020/12/23 13:31:17.263985, 0] ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
Dec 23 13:31:17 ipaclient01 winbindd[1258]: winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
Below are the exact server and client install steps:
####################
FreeIPA Server Setup
####################
[root@freeipa01 ~]# more /etc/redhat-release
CentOS Linux release 8.3.2011
[root@freeipa01 ~]# uname -a
Linux freeipa01.ipa.instinctual.studio 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipa01 ~]# systemctl disable --now firewalld
[root@freeipa01 ~]# dnf module install -y idm:DL1/{server,client,dns,adtrust}
[root@freeipa01 ~]# ipa-server-install --setup-dns --auto-reverse
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.7
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [freeipa01.ipa.instinctual.studio]:
Warning: skipping DNS resolution of host freeipa01.ipa.instinctual.studio
The domain name has been determined based on the host name.
Please confirm the domain name [ipa.instinctual.studio]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [IPA.INSTINCTUAL.STUDIO]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain ipa.instinctual.studio., please wait ...
DNS check for domain ipa.instinctual.studio. failed: All nameservers failed to answer the query ipa.instinctual.studio. IN SOA: Server 8.8.8.8 UDP port 53 answered SERVFAIL; Server 9.9.9.9 UDP port 53 answered SERVFAIL.
Invalid IP address fe80::5005:3a7d:8c39:957c for freeipa01.ipa.instinctual.studio: cannot use link-local IP address fe80::5005:3a7d:8c39:957c
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 8.8.8.8, 9.9.9.9
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Checking DNS domain 200.0.10.in-addr.arpa., please wait ...
Reverse zone 200.0.10.in-addr.arpa. will be created
Using reverse zone(s) 200.0.10.in-addr.arpa.
Do you want to configure chrony with NTP server or pool address? [no]:
The IPA Master Server will be configured with:
Hostname: freeipa01.ipa.instinctual.studio
IP address(es): 10.0.200.2
Domain name: ipa.instinctual.studio
Realm name: IPA.INSTINCTUAL.STUDIO
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=IPA.INSTINCTUAL.STUDIO
Subject base: O=IPA.INSTINCTUAL.STUDIO
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8, 9.9.9.9
Forward policy: only
Reverse zone(s): 200.0.10.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Adding [10.0.200.2 freeipa01.ipa.instinctual.studio] to your /etc/hosts file
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
[2/44]: configure autobind for root
[3/44]: stopping directory server
[4/44]: updating configuration in dse.ldif
[5/44]: starting directory server
[6/44]: adding default schema
[7/44]: enabling memberof plugin
[8/44]: enabling winsync plugin
[9/44]: configure password logging
[10/44]: configuring replication version plugin
[11/44]: enabling IPA enrollment plugin
[12/44]: configuring uniqueness plugin
[13/44]: configuring uuid plugin
[14/44]: configuring modrdn plugin
[15/44]: configuring DNS plugin
[16/44]: enabling entryUSN plugin
[17/44]: configuring lockout plugin
[18/44]: configuring topology plugin
[19/44]: creating indices
[20/44]: enabling referential integrity plugin
[21/44]: configuring certmap.conf
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache and keytab
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: adding sasl mappings to the directory
[27/44]: adding default layout
[28/44]: adding delegation layout
[29/44]: creating container for managed entries
[30/44]: configuring user private groups
[31/44]: configuring netgroups from hostgroups
[32/44]: creating default Sudo bind user
[33/44]: creating default Auto Member layout
[34/44]: adding range check plugin
[35/44]: creating default HBAC rule allow_all
[36/44]: adding entries for topology management
[37/44]: initializing group membership
[38/44]: adding master entry
[39/44]: initializing domain level
[40/44]: configuring Posix uid/gid generation
[41/44]: adding replication acis
[42/44]: activating sidgen plugin
[43/44]: activating extdom plugin
[44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: configuring certificate server instance
[2/30]: Add ipa-pki-wait-running
[3/30]: secure AJP connector
[4/30]: reindex attributes
[5/30]: exporting Dogtag certificate store pin
[6/30]: stopping certificate server instance to update CS.cfg
[7/30]: backing up CS.cfg
[8/30]: disabling nonces
[9/30]: set up CRL publishing
[10/30]: enable PKIX certificate path discovery and validation
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[14/30]: setting audit signing renewal to 2 years
[15/30]: restarting certificate server
[16/30]: publishing the CA certificate
[17/30]: adding RA agent as a trusted user
[18/30]: authorizing RA to modify profiles
[19/30]: authorizing RA to manage lightweight CAs
[20/30]: Ensure lightweight CAs container exists
[21/30]: configure certificate renewals
[22/30]: Configure HTTP to proxy connections
[23/30]: restarting certificate server
[24/30]: updating IPA configuration
[25/30]: enabling CA instance
[26/30]: migrating certificate profiles to LDAP
[27/30]: importing IPA certificate profiles
[28/30]: adding default CA ACL
[29/30]: adding 'ipa' CA entry
[30/30]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
This program will set up IPA client.
Version 4.8.7
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: freeipa01.ipa.instinctual.studio
Realm: IPA.INSTINCTUAL.STUDIO
DNS Domain: ipa.instinctual.studio
IPA Server: freeipa01.ipa.instinctual.studio
BaseDN: dc=ipa,dc=instinctual,dc=studio
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.instinctual.studio as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@freeipa01 ~]# yum install ipa-server-trust-ad samba-client
[root@freeipa01 ~]# ipa-adtrust-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
admin password:
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.
Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [IPA]:
WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.
Do you want to run the ipa-sidgen task? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/25]: validate server hostname
[2/25]: stopping smbd
[3/25]: creating samba domain object
[4/25]: retrieve local idmap range
[5/25]: creating samba config registry
[6/25]: writing samba config file
[7/25]: adding cifs Kerberos principal
[8/25]: adding cifs and host Kerberos principals to the adtrust agents group
[9/25]: check for cifs services defined on other replicas
[10/25]: adding cifs principal to S4U2Proxy targets
[11/25]: adding admin(group) SIDs
[12/25]: adding RID bases
[13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[14/25]: activating CLDAP plugin
[15/25]: activating sidgen task
[16/25]: map BUILTIN\Guests to nobody group
[17/25]: configuring smbd to start on boot
[18/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
[19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/25]: adding fallback group
[21/25]: adding Default Trust View
[22/25]: setting SELinux booleans
[23/25]: starting CIFS services
[24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
[25/25]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
[root@freeipa01 ~]# reboot
[root@freeipa01 ~]# smbclient -L freeipa01.ipa.instinctual.studio -k
lp_load_ex: changing to config backend registry
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.12.3)
SMB1 disabled -- no workgroup available
[root@freeipa01 ~]# testparm
Load smb config files from /etc/samba/smb.conf
lp_load_ex: changing to config backend registry
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
create krb5 conf = No
dedicated keytab file = /etc/samba/samba.keytab
disable spoolss = Yes
domain logons = Yes
domain master = Yes
kerberos method = dedicated keytab
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = no
ldap suffix = dc=ipa,dc=instinctual,dc=studio
ldap user suffix = cn=users,cn=accounts
log file = /var/log/samba/log.%m
max log size = 100000
max smbd processes = 1000
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-INSTINCTUAL-STUDIO.socket
realm = IPA.INSTINCTUAL.STUDIO
registry shares = Yes
security = USER
workgroup = IPA
idmap config ipa : range = 275600000 - 275800000
idmap config ipa : backend = sss
idmap config * : range = 0 - 0
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
[root@freeipa01 ~]# more /etc/samba/smb.conf
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry
########################################
IPA Client with Samba Share Setup
########################################
[root@ipaclient01 ~]# more /etc/redhat-release
CentOS Linux release 8.3.2011
[root@ipaclient01 ~]# uname -a
Linux ipaclient01.ipa.instinctual.studio 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@ipaclient01 log]# systemctl disable --now firewalld
[root@ipaclient01 ~]# yum -y install ipa-client ipa-client-samba
[root@ipaclient01 ~]# ipa-client-install
This program will set up IPA client.
Version 4.8.7
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 10.0.200.2
Enter a NTP source pool address, or press Enter to skip:
Client hostname: ipaclient01.ipa.instinctual.studio
Realm: IPA.INSTINCTUAL.STUDIO
DNS Domain: ipa.instinctual.studio
IPA Server: freeipa01.ipa.instinctual.studio
BaseDN: dc=ipa,dc=instinctual,dc=studio
NTP server: 10.0.200.2
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin(a)IPA.INSTINCTUAL.STUDIO:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.INSTINCTUAL.STUDIO
Issuer: CN=Certificate Authority,O=IPA.INSTINCTUAL.STUDIO
Valid From: 2020-12-23 18:47:32
Valid Until: 2040-12-23 18:47:32
Enrolled in IPA realm IPA.INSTINCTUAL.STUDIO
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.INSTINCTUAL.STUDIO
Systemwide CA database updated.
Hostname (ipaclient01.ipa.instinctual.studio) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.instinctual.studio as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@ipaclient01 ~]# reboot
[root@ipaclient01 ~]# ipa-client-samba
Searching for IPA server...
IPA server: DNS discovery
Chosen IPA master: freeipa01.ipa.instinctual.studio
SMB principal to be created: cifs/ipaclient01.ipa.instinctual.studio(a)IPA.INSTINCTUAL.STUDIO
NetBIOS name to be used: IPACLIENT01
Discovered domains to use:
Domain name: ipa.instinctual.studio
NetBIOS name: IPA
SID: S-1-5-21-1037681751-2390144637-354493272
ID range: 275600000 - 275799999
Continue to configure the system with these values? [no]: yes
Samba domain member is configured. Please check configuration at /etc/samba/smb.conf and start smb and winbind services
[root@ipaclient01 ~]# systemctl enable --now smb winbind
Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.
[root@ipaclient01 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max smbd processes = 1000
realm = IPA.INSTINCTUAL.STUDIO
server role = member server
workgroup = IPA
idmap config ipa : backend = sss
idmap config ipa : range = 275600000 - 275799999
idmap config * : range = 0 - 0
idmap config * : backend = tdb
[share]
path = /share
read only = No
[root@ipaclient01 ~]# cat /etc/samba/smb.conf
[global]
# Limit number of forked processes to avoid SMBLoris attack
max smbd processes = 1000
# Use dedicated Samba keytab. The key there must be synchronized
# with Samba tdb databases or nothing will work
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
# Set up logging per machine and Samba process
log file = /var/log/samba/log.%m
log level = 1
# We force 'member server' role to allow winbind automatically
# discover what is supported by the domain controller side
server role = member server
realm = IPA.INSTINCTUAL.STUDIO
netbios name = IPACLIENT01
workgroup = IPA
# Local writable range for IDs not coming from IPA or trusted domains
idmap config * : range = 0 - 0
idmap config * : backend = tdb
idmap config IPA : range = 275600000 - 275799999
idmap config IPA : backend = sss
# Default homes share
#[homes]
# read only = no
[share]
path = /share
read only = no
[root@ipaclient01 ~]# kinit admin
Password for admin(a)IPA.INSTINCTUAL.STUDIO:
[root@ipaclient01 ~]# smbclient -L ipaclient01.ipa.instinctual.studio -k
Sharename Type Comment
--------- ---- -------
share Disk
IPC$ IPC IPC Service (Samba 4.12.3)
SMB1 disabled -- no workgroup available
3 years, 3 months
Re: web-interface from Master-Server not available, DNSSEC-Service down
by Kay Jeschonneck
Yes, this is it. Thanks, the UI work now.
But i have an other problem with the dnssec-service.
I get this message:
Jan 10 10:56:27 hn-dlp /usr/libexec/ipa/ipa-ods-exporter[10276]: new replica keys in LDAP: {'0xbb…', '0x8c…'}
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: Traceback (most recent call last):
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: File "/usr/libexec/ipa/ipa-ods-exporter", line 701, in <module>
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: ldap2master_replica_keys_sync(ldapkeydb, localhsm)
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: File "/usr/libexec/ipa/ipa-ods-exporter", line 304, in ldap2master_replica_keys_sync
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 183, in import_public_key
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: h = self.p11.import_public_key(**params)
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: File "/usr/lib/python3.6/site-packages/ipaserver/p11helper.py", line 1451, in import_public_key
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: raise DuplicationError("Public key with same ID already exists")
Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: ipaserver.p11helper.DuplicationError: Public key with same ID already exists
Best regards
Kay Jeschonneck
3 years, 3 months