ipa-healthcheck: IPACertDNSSAN error
by Brodie, Kent
I just upgraded a 2-node master/master ipa setup, basically rebuilt it from CentOS 7 servers to Rocky 8.
(the standard process... remove a replica... rebuild it, install freeipa, get back into replica mode, etc).
Everything in the above process seems to have gone very well. Since I am now on a RHEL8-like host, I ran ipa-healthcheck.
Of the two nodes, I am only seeing one error, and only on one node (error message below).
A Red Hat access article claims this can be fixed by adding entries for the host in the local hosts file (no go, no difference).
DNS records properly exist for the freeipa node as well as the ipa-ca variant. (ipa-ca points to the IP addresses of both servers, been this way for a long time)
Can anyone explain the seriousness of the following error, and perhaps also give me an idea what might fix it?
I of course would prefer my ipa-healthchecks to complete without any issues. (Thanks all!)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
    "when": "20221007165940Z",
    "duration": "0.422118",
    "kw": {
      "key": "20221006190547",
      "hostname": "ipa-ca.rgd.mcw.edu",
      "san": [
        "voq.rgd.mcw.edu"
      ],
      "ca": "IPA",
      "profile": "caIPAserviceCert",
      "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
    }
  }
]
Thank you all for any insight/assistance. -Kent B
1 year, 6 months
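The check that produced the error above compares the dNSName SAN entries of the server certificate against the names it expects; the report shows it expecting the ipa-ca alias as well as the host's own name. As an added example (not code from the original post or from ipa-healthcheck), the following re-creates that comparison offline on constructed data and also pulls the failing entries out of the JSON report format quoted above. Hostnames under example.test, the request id placeholder and the sample report are constructed; the list of expected names (host FQDN plus ipa-ca.<domain>) is inferred from what the check reports.

```python
"""Offline re-creation of the IPACertDNSSAN comparison.

Added example, not from the original post or from ipa-healthcheck itself.
It shows (a) which DNS names an IPA server certificate is expected to carry
(its own FQDN plus the ipa-ca.<domain> alias shared by the CA replicas),
(b) how a dNSName SAN entry is matched against a hostname, and (c) how to
pull the failing checks out of `ipa-healthcheck --output-type json` output.
All hostnames and the report below are constructed sample data.
"""
import json


def san_matches(san, hostname):
    """dNSName comparison: case-insensitive exact match, or a single leading
    wildcard label that stands in for exactly one label (RFC 6125 style)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # "*.example.test" -> ".example.test"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]      # what the wildcard would have to cover
        return label != "" and "." not in label
    return False


def expected_names(host_fqdn, domain):
    """Names the server's certificate must cover (inferred from the check's report)."""
    return [host_fqdn, "ipa-ca." + domain]


def missing_names(expected, sans):
    """Expected names that no SAN entry covers; an empty list means the cert is fine."""
    return [name for name in expected if not any(san_matches(s, name) for s in sans)]


def failed_checks(report_json):
    """Return (source, check, result, message) for every non-SUCCESS entry.

    ipa-healthcheck emits 'msg' as a template over the 'kw' dict, so the
    placeholders such as {hostname} are filled in here."""
    failures = []
    for entry in json.loads(report_json):
        if entry.get("result") == "SUCCESS":
            continue
        kw = entry.get("kw", {})
        try:
            message = kw.get("msg", "").format(**kw)
        except (KeyError, IndexError):
            message = kw.get("msg", "")
        failures.append((entry["source"], entry["check"], entry["result"], message))
    return failures


# Constructed report in the shape of the output quoted in the post.
SAMPLE_REPORT = json.dumps([
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertDNSSAN",
        "result": "ERROR",
        "uuid": "00000000-0000-0000-0000-000000000000",
        "when": "20221007165940Z",
        "duration": "0.4",
        "kw": {
            "key": "PLACEHOLDER_REQUEST_ID",
            "hostname": "ipa-ca.example.test",
            "san": ["ipa1.example.test"],
            "ca": "IPA",
            "profile": "caIPAserviceCert",
            "msg": "Certificate request id {key} with profile {profile} for CA {ca} "
                   "does not have a DNS SAN {san} matching name {hostname}",
        },
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertRevocation",
        "result": "SUCCESS",
        "kw": {},
    },
])


if __name__ == "__main__":
    for source, check, result, message in failed_checks(SAMPLE_REPORT):
        print(f"{result} {source}.{check}: {message}")
    # The same comparison the check performs, on the constructed certificate data.
    sans = ["ipa1.example.test"]
    print("missing SANs:", missing_names(expected_names("ipa1.example.test", "example.test"), sans))
```

Run against real data, `failed_checks` would take the output of `ipa-healthcheck --output-type json`, and `missing_names` would take the dNSName list read from the HTTP or LDAP server certificate; a non-empty result from `missing_names` is exactly the condition the check flags.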
Temporary permissions
by Ronald Wimmer
We would like to have the possibility to give certain AD users temporary HBAC and sudo permissions.
My first idea looks something like that:
import time
import uuid

# Assumed: the calls below follow the python_freeipa ClientMeta naming
# (positional arguments plain, options prefixed with o_); the original
# snippet does not show how `client` is created or logged in.
from python_freeipa import ClientMeta

client = ClientMeta("ipa.mydomain.at")
client.login("admin", "password")

grantTime = 3600
groupName = "0_temp_permissions_" + str(uuid.uuid4())
hbacName = groupName
sudoRuleName = groupName
externalGroupName = groupName + "_external"

# External (non-POSIX) group holding the AD user, nested into an IPA group
client.group_add(externalGroupName, o_description="TestDesc",
                 o_external=True)
client.group_add_member(externalGroupName,
                        o_ipaexternalmember="some_ad_user@ad.mydomain.at")
client.group_add(groupName, o_description="TestDesc", o_external=False)
client.group_add_member(groupName, o_group=externalGroupName)

# HBAC rule: the group may use sshd and sudo on the target host
client.hbacrule_add(hbacName)
client.hbacrule_add_user(hbacName, o_group=groupName)
client.hbacrule_add_host(hbacName, o_host="someipahost.mydomain.at")
client.hbacrule_add_service(hbacName, o_hbacsvc="sshd")
client.hbacrule_add_service(hbacName, o_hbacsvc="sudo")
client.hbacrule_add_service(hbacName, o_hbacsvc="sudo-i")
#client.hbacrule_add_host(hbacName, o_hostgroup="somegroupname")

# sudo rule: all commands, no password, for the same group and host
client.sudorule_add(sudoRuleName, o_cmdcategory="all")
client.sudorule_add_host(sudoRuleName, o_host="someipahost.mydomain.at")
client.sudorule_add_user(sudoRuleName, o_group=groupName)
client.sudorule_add_option(sudoRuleName, o_ipasudoopt='!authenticate')
#client.sudorule_add_host(sudoRuleName, o_hostgroup="somehostgroupname")

try:
    time.sleep(grantTime)
finally:
    # Revoke even if the script is interrupted while waiting
    client.sudorule_del(sudoRuleName)
    client.hbacrule_del(hbacName)
    client.group_del(groupName)
    client.group_del(externalGroupName)
Today I thought maybe there are other IPA users out there who would need
such a solution.
What are the IPA devs thinking about such an extension?
Cheers,
Ronald
1 year, 6 months
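A sleep in the granting process only revokes the grant while that process is alive; if the host reboots or the script is killed, the HBAC and sudo rules stay in place. As an added example (not from the post above and not part of python_freeipa), the following records the expiry in the rule's description and lets a separate run, such as a cron job, remove whatever is overdue. The entry dicts are constructed in the shape python_freeipa's `*_find()` calls return (`cn` and `description` as single-item lists); that shape, and the `client` methods used in `reap`, are assumptions.

```python
"""Durable expiry for temporary HBAC/sudo grants.

Added example, not from the original post or from python_freeipa. The
expiry lives in the rule's description so that any later run can remove
overdue grants, independent of the process that created them. The entry
dicts below are constructed in the shape python_freeipa's *_find() calls
return ('cn' and 'description' as single-item lists); this is an assumption.
"""
from datetime import datetime, timedelta, timezone

PREFIX = "0_temp_permissions_"       # naming scheme from the original snippet
TAG = "expires="
FMT = "%Y-%m-%dT%H:%M:%SZ"


def expiry_description(reason, granted_at, grant_seconds):
    """Description text carrying the expiry as a UTC timestamp."""
    expires = granted_at + timedelta(seconds=grant_seconds)
    return f"{reason} {TAG}{expires.strftime(FMT)}"


def parse_expiry(description):
    """Expiry embedded in a description, or None if absent or malformed."""
    for token in description.split():
        if token.startswith(TAG):
            try:
                return datetime.strptime(token[len(TAG):], FMT).replace(tzinfo=timezone.utc)
            except ValueError:
                return None
    return None


def expired_grants(entries, now):
    """cn of every temporary rule that is overdue.

    Rules outside the temporary naming scheme are never touched; a temporary
    rule without a parseable expiry is treated as overdue (fail closed)."""
    overdue = []
    for entry in entries:
        cn = entry["cn"][0]
        if not cn.startswith(PREFIX):
            continue
        description = entry.get("description", [""])[0]
        expires = parse_expiry(description)
        if expires is None or expires <= now:
            overdue.append(cn)
    return overdue


def reap(client, now):
    """Remove overdue grants in the same order as the original snippet.

    `client` is assumed to expose python_freeipa-style calls; the sudo rule,
    HBAC rule and group all share the rule's cn, the external group adds
    the '_external' suffix."""
    removed = []
    for cn in expired_grants(client.hbacrule_find()["result"], now):
        client.sudorule_del(cn)
        client.hbacrule_del(cn)
        client.group_del(cn)
        client.group_del(cn + "_external")
        removed.append(cn)
    return removed


# Constructed sample: two temporary grants (one overdue, one still valid),
# one temporary rule without an expiry tag, and one permanent rule.
SAMPLE_NOW = datetime(2022, 10, 7, 17, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"cn": [PREFIX + "aaaa"], "description": [expiry_description("TestDesc", SAMPLE_NOW, -3600)]},
    {"cn": [PREFIX + "bbbb"], "description": [expiry_description("TestDesc", SAMPLE_NOW, 3600)]},
    {"cn": [PREFIX + "cccc"], "description": ["TestDesc"]},
    {"cn": ["allow_all"], "description": ["Allow all users to access any host from any host"]},
]

if __name__ == "__main__":
    print("overdue:", expired_grants(SAMPLE_ENTRIES, SAMPLE_NOW))
```

The granting script would then pass `expiry_description("TestDesc", now, grantTime)` as `o_description` when creating the rules and exit immediately; revocation is the reaper's job, and the fail-closed rule means a temporary rule whose tag was edited or lost is removed rather than kept.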
[SSSD] Announcing SSSD 2.8.0
by Pavel Březina
# SSSD 2.8.0
The SSSD team is announcing the release of version 2.8.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.8.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.8.0.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* The new D-Bus function ListByAttr() allows the caller to look for
users that have an attribute with a certain value. For performance
reasons, it is recommended that the attribute is indexed both on the
remote server and on the local cache. The sssctl tool now provides the
cache-index command to help you manage indexes on the local cache.
### New features
* Introduced the D-Bus function
org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit),
listing up to `limit` users matching the filter attr=value.
* sssctl is now able to create, list and delete indexes on the local
caches. Indexes are useful for the new D-Bus ListByAttr() function.
* sssctl is now able to read and set each component's debug level
independently.
### Important fixes
* `domains` option in `[sssd]` section can now be completely omitted if
domains are enabled via `domains/enabled` option
### Configuration changes
* New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD
processes. Enabled by default.
* New option 'ldap_enumeration_refresh_offset' to set the maximum period
deviation between enumeration updates. Defaults to 30 seconds.
* New option 'subdomain_refresh_interval_offset' to set the maximum
period deviation when refreshing the subdomain list.
* New option 'dyndns_refresh_interval_offset' to set the maximum period
deviation when updating the client's DNS entry. Defaults to 0.
* New option 'refresh_expired_interval_offset' to set the maximum period
deviation when refreshing expired entries in background.
* New option 'ldap_purge_cache_offset' to set the maximum time deviation
between cache cleanups. Defaults to 0.
* Option 'ad_machine_account_password_renewal_opts' now accepts an
optional third part as the maximum deviation in the provided period
(first part) and initial delay (second part). If the period and initial
delay are provided but not the offset, the offset is assumed to be 0. If
no part is provided, the default is 86400:750:300.
* override_homedir now recognizes the %h template which is replaced by
the original home directory retrieved from the identity provider, but in
lower case.
1 year, 6 months
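As an added example (not part of the release notes or the SSSD project), this sssd.conf fragment puts the configuration changes listed above together: a domain enabled through its own section rather than the `domains` list, the three-part renewal option, the new `*_offset` jitter options, and the `%h` template. Domain, server and path values are placeholders; the section placement of `core_dumpable` under `[sssd]` and `enabled` under the domain section is assumed from the option descriptions.

```ini
# Added example, not from the release notes: an sssd.conf fragment using the
# 2.8.0 options described above. Domain and server names are placeholders.
[sssd]
services = nss, pam, ifp
# 'domains' is omitted; the domain below is enabled via its own 'enabled' option.
# Hardening choice: keep SSSD process memory (which holds credentials) out of
# core dumps. The default is true.
core_dumpable = false

[domain/example.test]
enabled = true
id_provider = ad
ad_domain = example.test
# period:initial_delay:max_offset in seconds; the third part is new in 2.8.0
# and lets each client renew at a slightly different moment.
ad_machine_account_password_renewal_opts = 86400:750:300
# Spread periodic background work across clients by up to N seconds.
ldap_purge_cache_offset = 300
dyndns_refresh_interval_offset = 120
subdomain_refresh_interval_offset = 60
refresh_expired_interval_offset = 60
# %h: the home directory from the identity provider, lower-cased.
override_homedir = %h
```

The offset options matter on large fleets: with no jitter, every client that was provisioned at the same time refreshes on the same schedule, so a single LDAP or DNS server sees the whole fleet arrive at once.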
User stuck in preserved
by Ryan Slominski
Hi FreeIPA users,
I've got a username in the preserved list that is bugged. If you try to search for the record on the web UI it throws an error, but still shows a record in the result table. On the UI the error is in a dialog box that reads: "Operations Error" with "Some operations failed.". In the /var/log/dirsrv/slapd-REDACTED/errors file the error is:
[05/Oct/2022:13:20:01.492580320 -0400] - WARN - deref-plugin - deref_do_deref_attr - conn=3223751 op=105 - failed to retrieve the entry [uid=redacted=users,cn=accounts,dc=acc,dc=redacted,dc=org], although the entry exists
Tried to manually restore and manually delete with no luck:
ipa user-undel redacted
ipa: ERROR: redacted: user not found
ipa user-del redacted
ipa: ERROR: redacted: user not found
kadmin.local: delprinc redacted
Are you sure you want to delete the principal "redacted@REDACTED"? (yes/no): yes
delete_principal: Kerberos database constraints violated while deleting principal "redacted@REDACTED"
ldapsearch -Y GSSAPI -LL -b "uid=redacted,cn=deleted users,cn=accounts,cn=provisioning,dc=acc,dc=redacted,dc=org"
SASL/GSSAPI authentication started
SASL username: redacted@REDACTED
SASL SSF: 256
SASL data security layer installed.
version: 1
No such object (32)
Matched DN: cn=deleted users,cn=accounts,cn=provisioning,dc=acc,dc=redacted,dc=org
# Note the above LDAP query finds other preserved users fine
The username is NOT bugged on the other replicas. However, "ipa-replica-manage list" suggests sync is working fine.
Similar, but I think different: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
I'm using the Red Hat Identity Manager version 4.6.8-5.el7_9.9 flavor of FreeIPA.
Ideas?
Thanks,
Ryan
1 year, 6 months
ID view on AD user
by Ronald Wimmer
I am experimenting with overriding the default shell (bash) to /bin/zsh
for some users. It works but I am losing the ability to log in with the
short version of the username (without the domain part). Why? Can I
correct this for these users?
Cheers,
Ronald
1 year, 6 months
Free IPA Install Fails Over Logos Dependencies
by Steve Reed
Hi everyone,
I'm using a Centos 7 machine. rpm -q returns that it is centos-release-7-9.2009.1.el7.centos.x86_64.
I am getting an error during the install of FreeIPA.
After entering yum install ipa-server with the current Centos repo, it fails and reports at the end:
Error: Package: ipa-server-4.6.8-5.el7_9.11.x86_64
Requires: system-logos >= 70.7.0
Installed: centos-logos-70.0.6-3.el7.centos.noarch
system-logos = 70.0.6-3.el7.centos
Available: redhat-logos-70.7.0-1.el7.noarch
system-logos = 70.7.0-1.el7
It says to try using --skip-broken to work around the problem.
That doesn't work either.
I'm suspecting that it is the repo, but I'm not sure how to verify that is the problem. Any thoughts or ideas?
1 year, 6 months
NFS Mount idmap on ubuntu
by Kevin Vasko
I think something recently changed on Ubuntu 20.04 where I’m now having to put
Domain = my.domain.com
In /etc/idmapd.conf or run ipa-client-automount to have that do it for me.
No matter, my issue is I effectively have to reboot after making the change.
I can restart sssd and all the rpc* services I can find, and no matter what I restart, when I “ls -l /mnt/nfs_share” everything is still owned by nobody:nogroup.
I have unmounted and restarted all the services I can find and same issue.
If I reboot the whole server and
Domain = my.domain.com
is in the conf file, it works.
No matter what services I restart in the client nothing makes it work until I reboot. I’ve tested it by removing it, get the nobody:nogroup and then putting it in the config, restart all the services and nothing fixes it.
Reboot the machine and magically it’s back working.
What services am I missing that I need to restart to force this thing to pick up users and groups on the NFS share?
sssd
rpc-gssd
rpcbind
-Kevin
1 year, 6 months
Unable to disable anonymous bind
by Djerk Geurts
I'm trying to disable anonymous bind, in fact until today I thought I had. But alas nsslapd-allow-anonymous-access is on and I'm unable to turn it off.
```
user@ipa:~$ ldapsearch -x -H LDAP://ipa.domain.com:389 -D 'cn=Directory Manager' -W "(objectClass=*)" -b cn=config -s base nsslapd-allow-anonymous-access
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectClass=*)
# requesting: nsslapd-allow-anonymous-access
#
# config
dn: cn=config
nsslapd-allow-anonymous-access: on
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
```
I don't get any errors, but I don't see the value changed configuration either:
```
user@ipa:~$ ldapmodify -x -D 'cn=Directory Manager' -W -H LDAP://ipa.domain.com:389
Enter LDAP Password:
dc: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
user@ipa:~$
```
1 year, 6 months
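Disabling anonymous bind is a common hardening step, and a modify record that is not well-formed LDIF changes nothing on the server. As an added example (not from the post above), the following checks an LDIF change record before it is fed to ldapmodify: the record must start with a `dn:` line, carry `changetype: modify`, and consist of add/replace/delete blocks; for `nsslapd-allow-anonymous-access` the value is also checked against the three values 389-ds accepts (`on`, `off`, `rootdse`). The two records at the bottom are constructed: one correct change that sets the attribute to `rootdse`, and one whose first line is misspelled.

```python
"""Validate an LDIF change record before handing it to ldapmodify.

Added example, not from the original post. Parses the subset of LDIF used
for attribute modifications (RFC 2849: a dn line, 'changetype: modify', then
add/replace/delete blocks separated by '-') and reports the first problem.
The two sample records are constructed.
"""

ANON_ACCESS_VALUES = ("on", "off", "rootdse")   # values accepted by 389-ds


def parse_modify_record(text):
    """Return (dn, [(op, attr, [values]), ...]) or raise ValueError."""
    lines = [l.rstrip("\r") for l in text.strip("\n").splitlines()]
    lines = [l for l in lines if not l.startswith("#")]
    # RFC 2849 line folding: a continuation line begins with one space.
    unfolded = []
    for l in lines:
        if l.startswith(" ") and unfolded:
            unfolded[-1] += l[1:]
        else:
            unfolded.append(l)
    if not unfolded or not unfolded[0].lower().startswith("dn:"):
        first = unfolded[0] if unfolded else ""
        raise ValueError("record must start with a 'dn:' line, got %r" % first)
    dn = unfolded[0].split(":", 1)[1].strip()
    if len(unfolded) < 2 or unfolded[1].lower().replace(" ", "") != "changetype:modify":
        raise ValueError("second line must be 'changetype: modify'")
    changes = []
    i = 2
    while i < len(unfolded):
        op, _, attr = unfolded[i].partition(":")
        op, attr = op.strip().lower(), attr.strip()
        if op not in ("add", "replace", "delete") or not attr:
            raise ValueError("expected 'add|replace|delete: <attr>', got %r" % unfolded[i])
        i += 1
        values = []
        while i < len(unfolded) and unfolded[i] != "-":
            name, sep, value = unfolded[i].partition(":")
            if not sep or name.strip().lower() != attr.lower():
                raise ValueError("line %r does not belong to attribute %r" % (unfolded[i], attr))
            values.append(value.strip())
            i += 1
        if op != "delete" and not values:
            raise ValueError("%s of %s has no values" % (op, attr))
        changes.append((op, attr, values))
        i += 1                      # skip the '-' separator (absent after the last block)
    if not changes:
        raise ValueError("record contains no modifications")
    return dn, changes


def check_anonymous_access_change(text):
    """Parse the record and verify it is a valid cn=config change for
    nsslapd-allow-anonymous-access with an accepted value."""
    dn, changes = parse_modify_record(text)
    if dn.lower() != "cn=config":
        raise ValueError("nsslapd-allow-anonymous-access lives on cn=config, not %r" % dn)
    for op, attr, values in changes:
        if attr.lower() == "nsslapd-allow-anonymous-access":
            for v in values:
                if v.lower() not in ANON_ACCESS_VALUES:
                    raise ValueError("unsupported value %r; expected one of %s" % (v, ANON_ACCESS_VALUES))
    return dn, changes


def validate(text):
    """None if the record is acceptable, otherwise the first problem found."""
    try:
        check_anonymous_access_change(text)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed records: a correct change, and one with the dn line misspelled.
GOOD_RECORD = """dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
"""

BAD_RECORD = """dc: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
"""

if __name__ == "__main__":
    for name, record in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, "->", validate(record) or "ok")
```

`rootdse` is the middle ground between `on` and `off`: anonymous clients may still read the root DSE (which some clients need to discover supported mechanisms) but nothing below it. After applying the change, the same ldapsearch shown above, run without `-D`, is the quickest confirmation.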
Can use LDAPS with ldapsearch but not ldapmodify
by Djerk Geurts
This is locally on the FreeIPA server, so I would expect the certificate to be trusted. Why would one work and not the other?!
```
user@ipa:~$ ldapsearch -x -H LDAPS://ipa.domain.com:636 -D 'cn=Directory Manager' -W "(objectClass=*)" -b cn=config -s base nsslapd-allow-anonymous-access
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
[...]
# numResponses: 2
# numEntries: 1
user@ipa:~$ ldapmodify -x -D 'cn=Directory Manager' -W -H LDAPS://ipa.domain.com:636
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```
1 year, 6 months