freeIPA Status Debian/Ubuntu
by Nico Maas
Hello there,
with the decline of CentOS I need to migrate away from CentOS 8 to something different.
I just wanted to ask what the current status of the Debian or Ubuntu versions of freeIPA is, and whether there is any possibility to migrate a freeIPA installation ("backup and restore")?
Best regards,
Nico
2 years, 3 months
Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subject above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here it is below; it has the "Basic Constraints" set with CA:TRUE... What else is required so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
2 years, 3 months
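The thread does not say which property FreeIPA's check found missing. As an added example (not from the thread or from FreeIPA), here is an openssl-based script that builds a root CA carrying the CA-marking extensions an RFC 5280 path validator relies on (critical basicConstraints CA:TRUE plus keyUsage with keyCertSign), builds a deliberately broken variant, and checks a PEM for both properties; the CA names and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a root CA whose CA-marking
# extensions are present and critical, then check a PEM for them.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed OpenSSL config. v3_ca is what a root CA should carry;
# v3_bad is a deliberately broken variant (keyUsage without keyCertSign).
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Root CA
O = EXAMPLE
C = DE
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_bad ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature
EOF
mkcert() {  # mkcert <extensions-section> <out.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions "$1" \
    -keyout "$WORK/$1.key" -out "$2" 2>/dev/null
}
mkcert v3_ca  "$WORK/good.pem"
mkcert v3_bad "$WORK/bad.pem"
# check_ca_cert <pem>: prints OK when basicConstraints says CA:TRUE and
# keyUsage, if present, includes keyCertSign (RFC 5280 4.2.1.3 / 4.2.1.9);
# otherwise prints what is missing and returns 1.
check_ca_cert() {
  text=$(openssl x509 -noout -text -in "$1")
  printf '%s\n' "$text" | grep -q 'CA:TRUE' \
    || { echo "MISSING basicConstraints CA:TRUE"; return 1; }
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$text" | grep -q 'Certificate Sign' \
      || { echo "keyUsage present but lacks keyCertSign"; return 1; }
  fi
  echo OK
}
check_ca_cert "$WORK/good.pem"
check_ca_cert "$WORK/bad.pem" || true
```

Run it against the actual root CA PEM with `check_ca_cert /path/to/rootcacert.pem` to see which of the two properties, if either, is absent.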
Changing directory manager password
by Ian Pilcher
Maybe it's just me, but I still find the documentation on this subject
confusing. (This is probably because the docs seem to be telling me
that I don't need to do anything beyond the actual password change, and
I don't trust answers that seem too easy.)
I am running a single-node IPA 4.6.8 on RHEL 7. The actual password change
with ldapmodify[1] is simple enough. Am I reading the FreeIPA
documentation[2] correctly, that I don't need to perform any other
steps?
Thanks!
[1] https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpas...
[2] https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
--
========================================================================
Ian Pilcher Sr. Principal Product Manager
+1 469 892-8704 Red Hat Cloud Platforms
========================================================================
2 years, 4 months
Network I/O error when trying to resolve AD users
by Ronald Wimmer
Today I set up an IPA test web application in our IPA test environment.
I figured out that my AD user was resolved but the user of my colleague
was not. (getent passwd userA/userB)
I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
started SSSD again. After that I could not resolve any AD user. The sssd
logs showed a Network I/O error:
==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs might contain more details.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158230]: Network I/O Error.
==> /var/log/sssd/sssd_nss.log <==
(2021-06-30 11:46:14): [nss] [cache_req_common_process_dp_reply] (0x0040): CR #197: Data Provider Error: 3, 1432158230, Network I/O Error
(2021-06-30 11:46:14): [nss] [cache_req_common_process_dp_reply] (0x0400): CR #197: Due to an error we will return cached data
(2021-06-30 11:46:14): [nss] [cache_req_search_cache] (0x0400): CR #197: Looking up [aduser271(a)ORG.MYDOMAIN.AT] in cache
(2021-06-30 11:46:14): [nss] [cache_req_search_cache] (0x0400): CR #197: Object [aduser271(a)ORG.MYDOMAIN.AT] was not found in cache
(2021-06-30 11:46:14): [nss] [cache_req_process_result] (0x0400): CR #197: Finished: Not found
(2021-06-30 11:46:14): [nss] [client_recv] (0x0200): Client disconnected!
What the hell is going on here? Any hints would be highly appreciated!
Cheers,
Ronald
2 years, 4 months
Compatibility Plugin .update file for Active Directory
by Joseph Fry
My goal is to use the compatibility plugin to display IPA hosts in a format that an Active Directory centric tool can consume. Essentially my solution creates two containers under cn=compat called cn=adComputers and cn=adComputerGroups. An entry is added to adComputers for every ipaHost, and attributes populated that match active directory ldap attributes for a 'computer' object. We do the same for each IPA hostgroup.
I have come pretty close to getting this working, but now I need to get the groups populated with the group members, but not the IPA hosts... instead I need the members to be the corresponding cn=adComputers entries that were created.
So I need to manipulate the members attribute. For example the member attribute of one of the hostgroups in ipa is:
fqdn=test.lab.local,cn=computers,cn=accounts,dc=lab,dc=local
I need to change it to:
cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local
Below is my .update file. I want to add a line at the end like:
add:schema-compat-entry-attribute: member=%{member}
But I want to rewrite the %{member} value as described above. I know I can do some logic here, as evidenced by https://pagure.io/freeipa/blob/master/f/install/updates/80-schema_compat.... where they use %ifeq and %%%deref_f. But I cannot find any documentation explaining what options are available. Essentially I am hoping there is some sort of regex manipulation capability here?
My .update file so far:
dn: cn=adComputers, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputers
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputers
add:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
add:schema-compat-entry-rdn: cn=%first("%{fqdn}")
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=computer
add:schema-compat-entry-attribute: cn=%{fqdn}
add:schema-compat-entry-attribute: sAMAccountType=805306369
add:schema-compat-entry-attribute: dNSHostName=%{fqdn}
add:schema-compat-entry-attribute: operatingSystem=%{nsHardwarePlatform}
add:schema-compat-entry-attribute: operatingSystemVersion=%{nsOsVersion}
add:schema-compat-entry-attribute: name=%{serverHostName}
add:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
add:schema-compat-entry-attribute: location=%{nsHostLocation}
dn: cn=adComputerGroups, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputerGroups
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputerGroups
add:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=group
add:schema-compat-entry-attribute: cn=%{cn}
add:schema-compat-entry-attribute: groupType=-2147483646
add:schema-compat-entry-attribute: sAMAccountType=268435456
add:schema-compat-entry-attribute: name=%{cn}
add:schema-compat-entry-attribute: sAMAccountName=$$%{cn}
2 years, 4 months
FreeIPA server packages upgrade best practice
by Suchismita Panda
Hi,
I would like to know the best practice for patching FreeIPA-Server
packages. We generally have daily patching enabled in our servers. Will it
be a good idea to do automatic patching of FreeIPA-Server packages?
If we want to restrict the FreeIPA-Server packages from automatic
upgrade and rather keep it for manual upgrade, what are the packages we
should hold back with a version restriction? And how frequently should we
do the manual upgrade? If the FreeIPA-client packages are upgraded
regularly by daily patching (yum-cron or unattended upgrade) will there be
any problem with authentication, if the FreeIPA-Servers are behind version
upgrade?
We have two FreeIPA environments, one with CentOS7 and another with
CentOS8. And we have FreeIPA clients mostly with Ubuntu (18 and 20) and
CentOS (7 and 8).
Any help and guidance is appreciated.
Thanks
Suchi
2 years, 4 months
healthcheck complains about a removed replica
by Kees Bakker
Hi,
After installing a new replica and running
/usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
I'm getting this error
keyctl_search: Required key not available
Enter password for Internal Key Storage Token:
Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc473262a90>: Failed to establish a new connection: [Errno 113] No route to host',))
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
    "when": "20210528150818Z",
    "duration": "30.348789",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
    }
  }
]
First, it is asking for a password, and I have no clue for what. I've
tried the admin password and the Directory Manager password. It
makes no difference.
Second, it tries to connect to a replica that was removed several months
ago. Both ipa-replica-manage list and ipa-csreplica-manage show the
correct list of masters that we currently have.
Where does ipa-healthcheck get the information from to query the removed
replica?
BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The first two give
this healthcheck error, the CentOS 7 master does not.
--
Kees
2 years, 4 months
IPA client + AD Trust + ID Override inconsistent lookup results
by iulian roman
Hello everybody,
I am trying to make the above combination work in my environment, and have already spent several weeks and opened a few threads about different sorts of issues. So far, I can say that it works only with workarounds, restarts, clearing caches, etc., which is not a setup I can move into production with.
I will try to provide the latest update of the setup and the issues I am currently facing:
RedHat Idm with AD trust configured (non-posix)
Default Trust View configured which overrides the UID and GID of the AD users
The UID and GID do exist in Active Directory (the user and group have the same name), although the group is in a different OU - I do not know if this is an issue or not
On the client, some of the users are resolved, some not. If I manually run getent group <username> before running the id command, it does resolve the group and user. Without running getent group command, sometimes it resolves, sometimes not.
I checked the logs on the client and server and the errors I noticed when running id <username> are:
on the client:
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null)
on the server:
[nss] [nss_protocol_fill_initgr] (0x0080): Unable to find primary gid [2]: No such file or directory
It seems to be related to the magical primary GID, which seems to be the source of all my issues, but I have no idea how to fix it (the GID exists in AD and it is defined in the Default Trust View). I am even considering changing settings in AD, but I do not know what I should change.
I also tried to define all the AD groups (for which I do a group override in the Default Trust View) in IPA as POSIX groups with that specific GID. In that situation, for some users the lookup failed the first time, but after the negative cache expired or sssd was restarted, the lookup for the user and group worked properly (the situation was quite similar to the one in the thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... ).
For AD users which do not have attributes overwritten everything works properly.
2 years, 5 months
FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
2 years, 5 months
How does FreeIPA resolve AD group names
by iulian roman
Hello everybody,
Can anyone explain which attribute is used to lookup/resolve group names in AD? As far as I can see on my IPA clients, it seems to use sAMAccountName. Is that correct?
2 years, 5 months