expired Server-cert
by Serge Krawczenko
Greetings, all
I've been observing multiple issues for some time, unable to enroll new
clients etc.
Finally found out that the possible root cause is the expired Server-Cert
cert-pki-ca and therefore pki-tomcat service won't start
Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/
Request ID '20171204131518':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=....
subject: CN=....
expires: 2022-04-25 17:06:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
Other certs in /etc/pki/pki-tomcat/alias/ seem to be ok but this one.
I'd like to understand how to perform the forced update for this one; I
assume it must be renewed automatically though.
I tried to invoke post-save command manually but no luck.
Appreciate any ideas
1 year, 11 months
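As an added example (not part of Serge's post or of the certmonger/FreeIPA code base), here is the kind of check a defender would run over `getcert list` output to catch exactly this situation before pki-tomcat stops starting: parse the tracked requests, pull the nickname and expiry of each, and report anything already expired or inside a warning window. The sample text below is constructed in the layout of `getcert list -d /etc/pki/pki-tomcat/alias/`; it reuses the Server-Cert request shown above and adds a second, made-up request (ID `example-audit-signing`) so that the ordering and the warning threshold are visible.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of "getcert list -d /etc/pki/pki-tomcat/alias/":
# the expired Server-Cert request from the post plus a second, still-valid request
# whose ID and nickname are made up for this example.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20171204131518':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-04-25 17:06:51 UTC
\tpre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
Request ID 'example-audit-signing':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2024-04-25 17:06:51 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_utc(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamp format getcert prints."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Split getcert list output into one dict per tracked request.

    Each request starts with a "Request ID '...':" line and is followed by
    indented 'key: value' lines; the nickname is taken from the certificate line.
    """
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith(("\t", " ")) and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    for req in requests:
        nick = NICK_RE.search(req.get("certificate", ""))
        req["nickname"] = nick.group(1) if nick else None
        req["expires_at"] = parse_utc(req["expires"]) if "expires" in req else None
    return requests


def find_expiring(requests, now, warn_days=30):
    """Return (nickname, days_left, status, stuck) for every certificate that is
    already expired or expires within warn_days, soonest first."""
    found = []
    for req in requests:
        if req["expires_at"] is None:
            continue
        days_left = (req["expires_at"] - now).days
        if days_left < warn_days:
            found.append((req["nickname"], days_left, req.get("status"), req.get("stuck")))
    return sorted(found, key=lambda r: r[1])


if __name__ == "__main__":
    # On a real server: parse the output of "getcert list -d <nssdb>" instead of SAMPLE.
    for nick, days, status, stuck in find_expiring(parse_getcert(SAMPLE), datetime.now(timezone.utc)):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{nick}: {state} (certmonger status {status}, stuck={stuck})")
```

The `status` and `stuck` fields are worth reporting alongside the expiry: a request that is still `MONITORING` and not stuck well past its expiry date, as in the post, tells you certmonger never attempted the renewal rather than attempted it and failed.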
How to add NOPASSWD for ALL commands (no prompt for password)
by Damola Azeez
I'm trying to create a user to use for my automation. I don't want to have the users created manually on each host as that's time-consuming. Is there a way I can use IPA to handle this requirement such that the user I create is sudo and runs sudo commands without asking for a password?
1 year, 11 months
c9s - package conflicts with updates
by lejeczek
Hi
just to let you @devel guys know in case this might affect &
break IPA as in the (recent) past.
...
Problem 1: package pki-java-11.2.0-0.2.beta1.el9.noarch
requires pki-base = 11.2.0-0.2.beta1.el9, but none of the
providers can be installed
- package idm-pki-base-11.2.0-0.4.beta3.el9.noarch
obsoletes pki-base < 11.2.0-0.4.beta3.el9 provided by
pki-base-11.2.0-0.2.beta1.el9.noarch
- cannot install the best update candidate for package
pki-java-11.2.0-0.2.beta1.el9.noarch
- cannot install the best update candidate for package
pki-base-11.2.0-0.2.beta1.el9.noarch
Problem 2: problem with installed package
pki-java-11.2.0-0.2.beta1.el9.noarch
- package pki-java-11.2.0-0.2.beta1.el9.noarch requires
pki-base = 11.2.0-0.2.beta1.el9, but none of the providers
can be installed
- package pki-base-11.2.0-0.2.beta1.el9.noarch requires
python3-pki = 11.2.0-0.2.beta1.el9, but none of the
providers can be installed
- package python3-idm-pki-11.2.0-0.4.beta3.el9.noarch
obsoletes python3-pki < 11.2.0-0.4.beta3.el9 provided by
python3-pki-11.2.0-0.2.beta1.el9.noarch
- cannot install the best update candidate for package
python3-pki-11.2.0-0.2.beta1.el9.noarch
...
thanks, L
1 year, 11 months
CA not configured on second replica but it is configured
by Pavlo Pocheptsov
Hi list.
ipa2 node was promoted to CA with ipa-ca-install
and it shows all is good on its side:
[root@ipa2 ~]# ipa-replica-manage list
ipa3: master
ipa2: master
[root@ipa2 ~]# ipa-csreplica-manage list
ipa3: master
ipa2: *master*
[root@ipa2 ~]# ipa config-show |grep CA
Certificate Subject base: O=removed
IPA CA servers: *ipa2, ipa3*
IPA CA renewal master: ipa3
[root@ipa2 ~]# ipa server-role-find | grep -A1 -B1 CA
Server name: ipa2
Role name: CA server
Role status: *enabled*
--
Server name: ipa3
Role name: CA server
Role status: *enabled*
[root@ipa2 ~]# ipa-replica-manage list-ruv
Replica Update Vectors:
ipa2:389: 11
ipa3:389: 9
Certificate Server Replica Update Vectors:
ipa2:389: 12
ipa3:389: 10
But ipa3 node doesn't see ipa2 as ca master:
[root@ipa3 ~]# ipa-replica-manage list
ipa3: master
ipa2: master
[root@ipa3 ~]# ipa-csreplica-manage list
ipa3: master
ipa2: *CA not configured*
[root@ipa3 ~]# ipa config-show |grep CA
Certificate Subject base: O=removed
IPA CA servers: *ipa3* <----- no ipa2 here
IPA CA renewal master: ipa3
[root@ipa3 ~]# ipa server-role-find | grep -B1 -A1 CA
Server name: ipa2
Role name: CA server
Role status: *absent*
--
Server name: ipa3
Role name: CA server
Role status: enabled
[root@ipa3 ~]# ipa-replica-manage list-ruv
Replica Update Vectors:
ipa3:389: 9
ipa2:389: 11
Certificate Server Replica Update Vectors:
ipa3:389: 10
ipa2:389: 12
CentOS 7.9
FreeIPA, version: 4.6.8
What is the real situation here? Is there CA replication between replicas or not?
Is it possible to fix this and make ipa2 CA role visible on ipa3?
Any extra information I can provide to fully understand the issue?
Pavel
1 year, 11 months
Re: hostgroup automember rules
by Florence Blanc-Renaud
Hi,
On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello
>
> FreeIPA 4.6.8
>
> We are very happy with hostgroup automember rules based on servername
> attribute however one of our internal customers uses a generic servername
> template for all of their servers regardless of its function.
>
> So I'm wondering what other attributes I might use for hostgroup
> automember - perhaps some of the attributes can be configured by the
> ipa-client-install (the host's "description" field perhaps) although I
> don't see such mention in the man page ... Presumably they could use a
> different enrollment user ("enrolledby") for each of their hostgroup
> functions (not ideal.)
>
> There are various attribute fields in the WebUI but I don't find much
> documentation for them. What is the "|" field - perhaps I can exploit this
> somehow?
>
The automember group functionality is described in this chapter: Automating
group membership using IdM CLI
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...>.
You can define a new hostgroup with an automember rule based on any
attribute defined in the schema. Just be aware that the conditions are
defined using Perl-compatible regular expressions (PCRE) format.
The 'l' attribute is an alias for 'locality' or 'localityname' and can
contain any string. For any attribute you can find its description in the
LDAP schema.
The host entries have multiple object classes. For instance if you run
ipa host-show server.ipa.test --all --raw
you can see all its objectclasses:
objectClass: top
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: krbticketpolicyaux
objectClass: ipasshhost
objectClass: ipaSshGroupOfPubKeys
Each object class defines the mandatory/optional attributes that the entry
can contain. For instance in order to find the attributes for the *nshost*
objectclass:
ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base objectclasses | grep -i nshost
objectclasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )
The *nshost* objectclass allows the presence of *serverhostname*,
*description*, *l* etc...
Now to find what *description* can contain:
ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base attributetypes | grep -i description
attributetypes: ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 4519' )
The SYNTAX part defines the type of data (the RFC 4517
<https://datatracker.ietf.org/doc/html/rfc4517#section-3.3.6> defines
1.3.6.1.4.1.1466.115.121.1.15 as a DirectoryString).
With this knowledge, you can pick an attribute where you want to store
information that can be used to group the hosts together, and create the
matching rule using this attribute.
If you are curious about LDAP schema in general, you can read the RFC 4519
<https://www.ietf.org/rfc/rfc4519.txt>.
HTH,
flo
> Any advice gladly received.
>
> Thanks a lot
> Angus
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
1 year, 11 months
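A worked example, added here and not part of Florence's reply or of FreeIPA's own code, that puts the three steps of her answer together: parse the `nsHost` objectclass definition returned by the ldapsearch query into its MUST and MAY attribute lists, check that a proposed automember condition only references attributes the schema actually allows on a host entry, and model how inclusive and exclusive regex conditions pick hosts for a hostgroup. The host entries, the `frankfurt-hosts` rule and the evaluation order (exclusive conditions veto, any inclusive match admits, a rule with no inclusive conditions admits everything that survives the exclusive ones) are constructed assumptions for this example, not output from a FreeIPA server; the regexes are evaluated with Python's `re`, which is close enough to PCRE for the anchors and literals used here.

```python
import re

# Constructed sample schema line, in the form the ldapsearch query in the thread
# returns it (the nsHost objectclass that FreeIPA host entries carry).
NSHOST_DEF = (
    "( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top "
    "STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation "
    "$ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )"
)

# Constructed host entries with a few attributes from the nsHost MAY list plus
# 'enrolledby' from the thread. Values are lists because LDAP attributes are multi-valued.
HOSTS = {
    "web1.ipa.test": {"l": ["fra-dc1"], "description": ["frontend"], "enrolledby": ["admin"]},
    "web2.ipa.test": {"l": ["fra-dc2"], "description": ["frontend decommissioned"], "enrolledby": ["admin"]},
    "db1.ipa.test": {"l": ["ams-dc1"], "description": ["database"], "enrolledby": ["dbteam"]},
    "srv3.ipa.test": {"description": ["misc"], "enrolledby": ["dbteam"]},
}


def parse_objectclass(definition):
    """Pull NAME, MUST and MAY out of an RFC 4512 objectclass definition string."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attr_list(keyword):
        # Either a single attribute ("MUST cn") or a $-separated list in parentheses.
        m = re.search(keyword + r"\s+(?:\(\s*([^)]*)\)|(\S+))", definition)
        if not m:
            return []
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return [a.strip() for a in body.split("$") if a.strip()]

    return {"name": name, "must": attr_list("MUST"), "may": attr_list("MAY")}


def unknown_attributes(rule, allowed_attrs):
    """List the attributes a rule's conditions use that the given schema does not allow.

    Attribute names are compared case-insensitively, as LDAP does.
    """
    allowed = {a.lower() for a in allowed_attrs}
    return sorted({attr for attr, _ in rule["inclusive"] + rule["exclusive"]
                   if attr.lower() not in allowed})


def host_matches(rule, attrs):
    """Assumed model of automember evaluation (not FreeIPA's implementation):
    an exclusive hit vetoes membership, an inclusive hit grants it, and a rule
    without inclusive conditions admits every entry the exclusive ones let through.
    Each regex is an unanchored search over every value of its attribute."""
    def hit(conditions):
        return any(re.search(pattern, value)
                   for attr, pattern in conditions
                   for value in attrs.get(attr, []))

    if hit(rule["exclusive"]):
        return False
    if not rule["inclusive"]:
        return True
    return hit(rule["inclusive"])


def evaluate_rule(rule, hosts):
    """Return the sorted FQDNs the rule would place in its hostgroup."""
    return sorted(fqdn for fqdn, attrs in hosts.items() if host_matches(rule, attrs))


# Constructed rule keyed on the locality attribute 'l', with an exclusive condition
# on 'description' so that retired machines never end up in the group.
FRANKFURT_RULE = {
    "hostgroup": "frankfurt-hosts",
    "inclusive": [("l", r"^fra-")],
    "exclusive": [("description", r"decommissioned")],
}

if __name__ == "__main__":
    schema = parse_objectclass(NSHOST_DEF)
    print(schema["name"], "MUST", schema["must"], "MAY", schema["may"])
    print("unknown attributes:", unknown_attributes(FRANKFURT_RULE, schema["must"] + schema["may"]))
    print(FRANKFURT_RULE["hostgroup"], "->", evaluate_rule(FRANKFURT_RULE, HOSTS))
```

The schema check is the part worth keeping around: a condition on an attribute no objectclass of the entry permits can never match, and checking it against `MUST`/`MAY` before creating the rule avoids a silently empty hostgroup. In practice the allowed set is the union over every objectclass the `ipa host-show --all --raw` output lists, not just `nsHost`, so `enrolledby` (from `ipahost`) is only reported as unknown here because the example parses one objectclass.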
hostgroup automember rules
by Angus Clarke
Hello
FreeIPA 4.6.8
We are very happy with hostgroup automember rules based on servername attribute however one of our internal customers uses a generic servername template for all of their servers regardless of its function.
So I'm wondering what other attributes I might use for hostgroup automember - perhaps some of the attributes can be configured by the ipa-client-install (the host's "description" field perhaps) although I don't see such mention in the man page ... Presumably they could use a different enrollment user ("enrolledby") for each of their hostgroup functions (not ideal.)
There are various attribute fields in the WebUI but I don't find much documentation for them. What is the "|" field - perhaps I can exploit this somehow?
Any advice gladly received.
Thanks a lot
Angus
1 year, 11 months
FreeIPA and DHCP @home
by Ronald Wimmer
I am aware of the fact that there is no actual need for neatly
integrating DHCP into FreeIPA. At least in enterprise environments.
As my home network has grown over the years I am thinking about using
FreeIPA at home as well. Wouldn't it be sufficient to let a DHCP server
make dynamic updates to the DNS zone managed by FreeIPA's bind server to
make it work? I know a real integration would require much more. But
would it be sufficient for a home setup?
Cheers,
Ronald
1 year, 11 months
Unable to Login using LDAP User
by Damola Azeez
I've installed FreeIPA on all hosts I manage and everything has been fine until today, when I had to reboot all the hosts. Every other host worked except one. Checking the log file of the server, I saw the error below:
"[sssd[ldap_child[44316]]]: Client 'host/xxx@XXX' not found in Kerberos database"
I've tried uninstalling the IPA client and reinstalling it but I still have the same issue.
Host: Oracle Linux 6.9
IPA server: IPA, version: 4.9.6
1 year, 11 months
RHEL 8.6 and sub ids
by Omar Aloraini
From what I read, with the release of RHEL 8.6, I can use Podman with sub
ids managed by FreeIPA.
I managed to generate sub uids and gids for all users. But, I'm unable to
launch containers in rootless mode due to insufficient uids and/or gids.
Perhaps there is something missing with PAM or SSSD?
Thanks,
1 year, 11 months
Allowing a user to manage a service's certificates
by Sam Morris
I'm looking into using <https://github.com/guilhem/freeipa-issuer> to
request certificates from FreeIPA on behalf of a (FreeIPA) service.
The project authenticates to the FreeIPA API with a specified username
and password:
<https://github.com/guilhem/freeipa-issuer/blob/174d145616a672b09d3fdb56b2...>
I presume this means that it's only possible for it to authenticate to
the FreeIPA API as a user, as opposed to a host or service.
That being the case, I am trying to lock things down as much as
possible, so that the user is only able to request certificates for a
single service.
I've had a read through Fraser's excellent blog post
<https://frasertweedale.github.io/blog-redhat/posts/2015-09-02-freeipa-cer...>
which points me towards creating a CA ACL, which I've done.
The CA ACL links together the user, the service and for good measure I
specified the CA and the profile too. But it's not sufficient to allow a
certificate request to work, as when the issuer tries to ask for the
certificate:
Fail to request certificate: ACIError (2100): Insufficient access:
not allowed to perform operations: request certificate
Returning to the blog post, I gather I additionally need to grant the
following two permissions to the user:
* 'Request Certificate'
* 'System: Modify Services'
What I'd like to understand is the scope of these permissions.
Does 'Request certificate' merely unlock the ability to make requests
that are themselves constrained by CA ACLs? That being the case, this
permission alone doesn't let the user request certificates for any other
hosts or services, right?
As for 'System: Modify Services': I guess granting this permission will
allow the user to add certificates to *any* service? In which case, I
suppose I need to create a new privilege that allows the usercertificate
of a particular entry only to be modified. Are there any examples of
this?
Many thanks as always.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 year, 11 months