Re: FreeIPA integration with Azure AD
by Alexander Bokovoy
On Thu, 11 Mar 2021, Jonathan Aquilina wrote:
>Hi Alexander,
>
>Thanks for your feedback. What would be the best way forward to help
>test and work towards having Azure AD connectivity with FreeIPA?
As I said, there is nothing implemented yet. Once we have something,
I'll issue a test call on this list. Don't expect anything in the upcoming
months, though; this is a huge undertaking.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Re: FreeIPA integration with Azure AD
by Alexander Bokovoy
On Thu, 11 Mar 2021, Jonathan Aquilina via FreeIPA-users wrote:
>Hi Ronald,
>
>What kind of work would need to be done to get it to talk to an Azure AD tenant?
A lot. This is not implemented and not supported yet.
>
>Regards,
>Jonathan
>________________________________
>From: Ronald Wimmer via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
>Sent: 11 March 2021 08:22
>To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
>Cc: Ronald Wimmer <ronaldw(a)ronzo.at>
>Subject: [Freeipa-users] Re: FreeIPA integration with Azure AD
>
>On 11.03.21 06:53, Jonathan Aquilina via FreeIPA-users wrote:
>> Hi Guys,
>>
>> Is it possible to integrate FreeIPA with Azure AD?
>
>Afaik no. The only thing AD and Azure AD have in common is the name.
>There is no Kerberos for example...
>
>Cheers,
>Ronald
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
POSIX attributes and Trusts in FreeIPA
by Lachlan Musicman
Can I please get clarification on a FreeIPA instance (as IdM in RHEL8.3) and AD's POSIX attributes?
From what I can see, the POSIX attributes are ignored?
Specifically, when I run
$ id user@ad.domain.com
$ id -u user@ad.domain.com
$ id -g user@ad.domain.com
The POSIX attribute values are not being returned. I am getting a correct list of AD groups etc, which is great. But no POSIX attributes. Do I need to explicitly request those attributes?
I note that there is an article from 2017 (1), "Configuring an Active Directory Domain with POSIX Attributes", which declares itself deprecated in favour of (2), "Chapter 8. Using ID Views in Active Directory Environments", which is RHEL7. From what I can see, both of these are about direct attachment to AD rather than for use in an IPA instance (although they reference IdM).
It looks like AD-side POSIX attributes are only available to direct integration, and even then only when specifically installed with realm (direct integration) and --automatic-id-mapping=no (3).
(1) https://access.redhat.com/articles/3023821
(2) https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
(3) https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Cheers
L.
Re: FreeIPA integration with Azure AD
by Ronald Wimmer
On 11.03.21 06:53, Jonathan Aquilina via FreeIPA-users wrote:
> Hi Guys,
>
> Is it possible to integrate FreeIPA with Azure AD?
Afaik no. The only thing AD and Azure AD have in common is the name.
There is no Kerberos for example...
Cheers,
Ronald
Old users cannot login to new freeIPA client machine
by Sam Bell
I have a small FreeIPA setup and user login works OK on the client systems. Recently, I wanted to add a new machine as a client.
I loaded Fedora 33 on the machine and installed freeipa-client. Installation seems to be OK and I can see all users with find-user
on the client system. However, when existing users try to log in to the new client machine via ssh, it shows the error "permission denied".
These users can log in to the old client machines and the server (to check) without any problems. To debug the problem, I created new user accounts
and they seem to log in to all client machines (old + new) without any trouble. DNS for the machines is set through the hosts file.
I don't have deep knowledge about this stuff, but after reading some online threads here are a few things I tried:
1. Updated the server (Fedora) to the latest packages.
2. Made sure the new client machine is chrony/ntp synchronized with the server.
3. Tried enabling pre-authentication for an old user on the server.
4. kinit admin; ipa user-find --all lists all FreeIPA users on the new client machine.
5. Set debug_level of sssd to 9.
Checking krb5_child.log shows:
For old users with failed authentication:
[sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
[sss_krb5_prompter] (0x4000): Prompt [0][Password for user5@FREEIPA.LAB].
[krb5_child[2789]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
[sss_child_krb5_trace_cb] (0x4000): [2789] 1615347264.001283: Preauth module spake (151) (real) returned: -1765328254/Cannot read password
For newly created users, these logs are a bit more detailed and, in general, show successful authentication.
I am not sure which part to focus on to debug this problem.
Any help/suggestions are appreciated.
Thank you.
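As an added example (not from the post or from SSSD itself), a small triage helper that separates the failure-class lines from the trace noise in an excerpt like the one above and pulls out the preauth module results, so the reader can see that the failing step is the password prompt inside the spake preauth exchange. The sample log is constructed from the quoted lines; triage() and the regexes are my own names.

```python
import re

# Constructed sample modelled on the krb5_child.log lines quoted in the post
# (the archive's "(a)" in the principal name is written as "@" here).
SAMPLE_LOG = """\
[sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
[sss_krb5_prompter] (0x4000): Prompt [0][Password for user5@FREEIPA.LAB].
[krb5_child[2789]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
[sss_child_krb5_trace_cb] (0x4000): [2789] 1615347264.001283: Preauth module spake (151) (real) returned: -1765328254/Cannot read password
"""

# SSSD debug levels are a bitmask; 0x0010 (fatal), 0x0020 (critical),
# 0x0040 (serious) and 0x0080 (minor) are the failure classes, everything
# higher is configuration or trace output (see debug_level in sssd.conf(5)).
FAILURE_MASK = 0x00F0

LINE_RE = re.compile(
    r"^(?:\[krb5_child\[(?P<pid>\d+)\]\] )?"      # optional child-process prefix
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
PREAUTH_RE = re.compile(
    r"Preauth module (?P<module>\w+) \((?P<num>\d+)\) \((?P<kind>real|info)\) "
    r"returned: (?P<code>-?\d+)/(?P<text>.*)$")


def triage(log_text):
    """Split a krb5_child.log excerpt into (failures, preauth_results).

    failures: (function, message) for failure-class lines only.
    preauth_results: (module, krb5 error code, error text) for every
    'Preauth module ... returned' trace line, so the failing preauth
    mechanism and its reason are visible without reading the trace noise.
    """
    failures, preauth = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if int(m["level"], 16) & FAILURE_MASK:
            failures.append((m["func"], m["msg"]))
        p = PREAUTH_RE.search(m["msg"])
        if p:
            preauth.append((p["module"], int(p["code"]), p["text"]))
    return failures, preauth
```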
How to set IPA RA key length
by Yevhen Syvachenko
Hi,
Please help me to install FreeIPA that uses an 8192-bit key length for the IPA RA and the hosts' certificates.
With all the rumours about quantum computers, and being a certified paranoid, I need to configure a backbone FreeIPA instance with a CA key length equal to 15360. Other keys should be no less than 8192 bits.
The following approach does the trick for most certificates except the IPA RA and the hosts' certificates, which are still 2048.
# ipa-server-install --pki-config-override $PWD/pki_override.cfg
Where pki_override.cfg is created using:
# cat > pki_override.cfg <<EOF
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_admin_key_type=rsa
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=15360
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_signing_algorithm=SHA512withRSA
pki_sslserver_key_size=8192
pki_sslserver_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=15360
pki_subsystem_key_type=rsa
[CA]
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=15360
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=15360
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=15360
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA
[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
EOF
I would very much appreciate it if we avoided debates about the necessary key length.
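As an added check (not from the post, FreeIPA or Dogtag), a script that reads an override file of this shape and reports every key size, key type or signing algorithm that falls below the policy the post asks for, so a weak entry is caught before ipa-server-install is run. The sample file is constructed and deliberately contains one 2048-bit and one SHA256 entry; check_pki_override() is my own name. It only judges keys present in the file, so certificates the override does not govern (the post notes the IPA RA and host certificates stay at 2048) cannot be caught here.

```python
import configparser

# Constructed sample in the shape of the post's pki_override.cfg, trimmed,
# with a 2048-bit SSL server key and a SHA256 OCSP entry added on purpose.
SAMPLE_CFG = """\
[DEFAULT]
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
[CA]
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=15360
pki_ca_signing_key_type=rsa
[OCSP]
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=15360
pki_ocsp_signing_key_type=rsa
"""


def check_pki_override(text, min_size=8192, ca_min_size=15360,
                       required_alg="SHA512withRSA"):
    """Return (section, key, problem) tuples for every setting below policy.
    The CA signing key gets its own (higher) floor; every other *_key_size
    must reach min_size, key types must be rsa, algorithms must match."""
    # Rename the implicit default section so [DEFAULT] is parsed as a
    # section of its own instead of being merged into every other section.
    cfg = configparser.ConfigParser(default_section="__unused__",
                                    interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if key.endswith("_key_size"):
                floor = ca_min_size if key == "pki_ca_signing_key_size" else min_size
                if not value.isdigit():
                    findings.append((section, key, f"not an integer: {value!r}"))
                elif int(value) < floor:
                    findings.append((section, key, f"{value} < {floor}"))
            elif key.endswith("_key_type") and value.lower() != "rsa":
                findings.append((section, key, f"unexpected key type {value!r}"))
            elif key.endswith("_algorithm") and value != required_alg:
                findings.append((section, key, f"{value} != {required_alg}"))
    return findings
```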
FreeIPA Active Directory trust configuration issues
by iulian roman
Hello,
I am trying to configure a trust between a FreeIPA domain and Active Directory. They are in different domains (ipa domain: ipadev.test.local, ad domain: iam.intern) and use external DNS. I have configured/verified all prerequisites, but when I run the ipa trust-add command, I get the following error:
ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example
I have enabled debugging for Samba, but I cannot make much sense of the debug information in error.log:
s4_tevent: Added timed event "composite_trigger": 0x7f9324240e30
s4_tevent: Ending timer event 0x7f932424ed50 "composite_trigger"
s4_tevent: Running timer event 0x7f9324240e30 "composite_trigger"
s4_tevent: Ending timer event 0x7f9324240e30 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f9324240cc0
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Destroying timer event 0x7f9324240cc0 "connect_multi_timer"
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 300
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f932424ed50
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f9324240cc0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f9324240cc0
s4_tevent: Destroying timer event 0x7f932424ed50 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f932425c370
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f932425c370
s4_tevent: Added timed event "tevent_req_timedout": 0x7f9324016970
Starting GENSEC mechanism spnego
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f9324403310
s4_tevent: Destroying timer event 0x7f9324016970 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7f932401f730 "dcerpc_connect_timeout_handler"
[Tue Mar 09 09:51:12.685725 2021] [wsgi:error] [pid 29053:tid 140270172727040] [remote 10.30.214.119:36488] ipa: INFO: [jsonserver_session] cifs/ipadev01.test.local(a)IPADEV.TEST.LOCAL: trust_add/1(u'IAM.INTERN', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', realm_server=u'10.30.201.46', version=u'2.232'): RemoteRetrieveError
Any idea what I should look into?
uninstall - Deleting this server will leave your installation without a CRL generation master
by lejeczek
Hi guys.
I'm trying to remove a master from my domain and I get:
-> $ ipa-server-install --uninstall --unattended
Deleting this server will leave your installation without a
CRL generation master.
ipapython.admintool: ERROR Aborting uninstall operation.
ipapython.admintool: ERROR The ipa-server-install command
failed. See /var/log/ipaserver-uninstall.log for more
information
There are two full-KRA masters in the domain so that is a bit
puzzling to me.
Would anybody care to share some ideas as to why that one
master is unhappy?
many thanks, L.
Re: ipausers unable to sudo
by Anestis Karampatziakis
Hi Albert,
Did you by any chance find a solution to this issue?
We are having the same issue over here.
Thanks,
Anestis