June 2022 - FreeIPA-users - Fedora mailing-lists

SSSD prompting/2fa
by Sigbjorn Lie 16 Jul '22

16 Jul '22

Hi list, When I have a 2FA enabled user account, I receive the two password prompt for sudo at a host, even on hosts where 2FA is not required. This breaks Ansible for me, when using "become" with Ansible. I am testing the [prompting/2fa] options in sssd to remediate this. I have the following configuration: --- [prompting/2fa/sudo] first_prompt = 'Please enter your password and optional OTP token value: ' single_prompt = True --- This provides me with a single prompt, with the configured text when I run sudo on this host. However the 2FA OTP code is no longer optional. If I do not enter both my password and an OTP code, the authentication fails. So still this does not fix Ansible for me. From var/log/secure: --- Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): authentication failure; logname=myusername uid=12345678 euid=0 tty=/dev/pts/1 ruser= myusername rhost= user= myusername Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth): received for user myusername: 7 (Authentication failure) Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ; USER=root ; COMMAND=list --- The only change performed is to add the above prompting configuration to sssd.conf. If I remove the prompting configuration from sssd.conf, I can now authentiate using only my password, even though with two prompts. In either way, I am unable to run Ansible anymore. Any suggestions on how to fix this? Regards, Siggi

6 11

SSSD Problem after update
by Ronald Wimmer 05 Jul '22

05 Jul '22

Today I updated all packages on one of our IPA servers. Unfortunately, SSSD stopped working: [sssd] [main] (0x0010): SSSD couldn't load the configuration database. [sssd] [ldb] (0x0020): Unable to open tdb '/var/lib/sss/db/config.ldb': Permission denied [sssd] [ldb] (0x0020): Failed to connect to '/var/lib/sss/db/config.ldb' with backend 'tdb': Unable to open tdb '/var/lib/sss/db/config.ldb': Permission denied [sssd] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb] [sssd] [confdb_setup] (0x0010): The confdb initialization failed [5]: Input/output error [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [5]: Input/output error I noticed that owner and group of config.ldb are changed to sssd when I try to restart the sssd.service. On all remaining IPA servers this particular file belongs to root. I will revert to the snapshot I made before updating packages in order to make that IPA server work again properly. Cheers, Ronald

2 6

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
by roy liang 01 Jul '22

01 Jul '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

3 4

FreeIPA 4.10.0
by Antonio Torres 01 Jul '22

01 Jul '22

The FreeIPA team would like to announce FreeIPA 4.10.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon. == Highlights in 4.10.0 * 2016: [RFE] Support random serial numbers in IPA certificates RSN can be enabled in new server installations. * 7404: Incorrect certs are being updated with "ipa-certupdate" ipa-cacert-manage command now supports the "prune" subcommand, that allows to remove the expired CA certificates. === Bug fixes FreeIPA 4.10.0 is a stabilization release for the features delivered as a part of 4.10 version series. There are 7 bug-fixes since FreeIPA 4.9.10 release. Details of the bug-fixes can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…) or #freeipa channel on libera.chat. == Resolved tickets * https://pagure.io/freeipa/issue/2016[#2016] [RFE] Support random serial numbers in IPA certificates * https://pagure.io/freeipa/issue/2278[#2278] IPA needs better sudo option validation or better documentation * https://pagure.io/freeipa/issue/7404[#7404] Incorrect certs are being updated with "ipa-certupdate" * https://pagure.io/freeipa/issue/8544[#8544] After reboot: Replication bind with GSSAPI auth failed * https://pagure.io/freeipa/issue/8684[#8684] [WebUI] test_hostgroup::test_names_and_button - timeout reached * https://pagure.io/freeipa/issue/9035[#9035] Nightly failure (rawhide) in test_installation_client.py::TestInstallClient * https://pagure.io/freeipa/issue/9105[#9105] Review usage of quiet flag in ipa-join == Detailed changelog since 4.9.10 === Rob Crittenden (9) * Fix test_secure_ajp_connector.py failing with Python 3.6.8 https://pagure.io/freeipa/c/9a97f9b40[commit] * Add tests for Random Serial Number v3 support https://pagure.io/freeipa/c/d241d7405[commit] https://pagure.io/freeipa/issue/2016[#2016] * Add support for Random Serial Numbers v3 https://pagure.io/freeipa/c/beaa0562d[commit] https://pagure.io/freeipa/issue/2016[#2016] * Add a new parameter type, SerialNumber, as a subclass of Str https://pagure.io/freeipa/c/83be923ac[commit] https://pagure.io/freeipa/issue/2016[#2016] * doc/designs: add Random Serial Numbers v3 support https://pagure.io/freeipa/c/d3481449e[commit] https://pagure.io/freeipa/issue/2016[#2016] * Design for IPA-to-IPA migration https://pagure.io/freeipa/c/d4859db4e[commit] * Re-work the quiet option in ipa-join to not suppress errors https://pagure.io/freeipa/c/61650c577[commit] https://pagure.io/freeipa/issue/9105[#9105] * Improve sudooption docs, make the option multi-value https://pagure.io/freeipa/c/47fbe05f7[commit] https://pagure.io/freeipa/issue/2278[#2278] * Design doc to allow LDAP bind using the RADIUS auth type https://pagure.io/freeipa/c/16ab690bf[commit] === Matthew Davis (1) * Add missing parameter to Suse modify_nsswitch_pam_stack https://pagure.io/freeipa/c/6d6b135ff[commit] === Anuja More (3) * ipatests: Fix install_master for test_idp.py https://pagure.io/freeipa/c/ef091c99f[commit] * Add end to end integration tests for external IdP https://pagure.io/freeipa/c/bd57ff356[commit] * ipatests: update prci definitions for test_idp.py https://pagure.io/freeipa/c/a80a98194[commit] === Timo Aaltonen (2) * ipaplatform/debian: Drop the path for ldap.so https://pagure.io/freeipa/c/808ac46ba[commit] * ipaplatform/debian: Use multiarch path for libsofthsm2.so https://pagure.io/freeipa/c/92d718dbf[commit] === Michal Polovka (5) * ipatests: Healthcheck use subject base from IPA not REALM https://pagure.io/freeipa/c/d3c11f762[commit] * ipatests: Increase expect timeout for interactive mode https://pagure.io/freeipa/c/40b3c11bd[commit] * ipatests: Healthcheck should ignore pki errors when CA is not configured https://pagure.io/freeipa/c/b2bbf8165[commit] * test_webui: test_hostgroup: Wait for modal dialog to appear https://pagure.io/freeipa/c/d0269f236[commit] https://pagure.io/freeipa/issue/8684[#8684] * WebUI: Test if links are opened in new tab correctly https://pagure.io/freeipa/c/89c846a1f[commit] === Florence Blanc-Renaud (9) * xmlrpc tests: updated expected output for preserved user https://pagure.io/freeipa/c/3732349bc[commit] * Preserve user: fix the confusing summary https://pagure.io/freeipa/c/cbc18ff8c[commit] * ipatests: update packages in rawhide test test_installation_client.py https://pagure.io/freeipa/c/4c61b9266[commit] https://pagure.io/freeipa/issue/9035[#9035] * ipatests: revert wrong commit on gating definition https://pagure.io/freeipa/c/4b665ccf2[commit] * Design: Integrate SID configuration into base IPA installers https://pagure.io/freeipa/c/bacddb828[commit] * Doc: add a design template https://pagure.io/freeipa/c/5edf144a7[commit] * ipatests: add test_acme.py in nightly previous https://pagure.io/freeipa/c/96a297f3b[commit] * ipatests: fix incomplete nightly def in nightly_previous https://pagure.io/freeipa/c/296f27dce[commit] * ipatests: fix discrepancies in nightly defs https://pagure.io/freeipa/c/9b2c05aff[commit] === Armando Neto (8) * ipatests: update prci template https://pagure.io/freeipa/c/b3085b830[commit] * ipatests: update definitions for custom COPR nightlies https://pagure.io/freeipa/c/1101b22b5[commit] * ipatests: bump PR-CI rawhide template https://pagure.io/freeipa/c/c780504d4[commit] * ipatests: bump rawhide template for PR-CI https://pagure.io/freeipa/c/d6d413628[commit] * ipatests: Bump PR-CI rawhide template https://pagure.io/freeipa/c/c14d52f43[commit] * ipatests: Bump PR-CI Rawhide template https://pagure.io/freeipa/c/c572697d9[commit] * ipatests: Update gating to Fedora 33 https://pagure.io/freeipa/c/a6b487130[commit] * ipatests: update PR-CI templates to Fedora 33 https://pagure.io/freeipa/c/3e8e83654[commit] === Alexander Bokovoy (3) * Fix use of comparison functions to avoid GCC bug 95189 https://pagure.io/freeipa/c/9043b8d53[commit] * doc/designs: fix formatting in LDAPI autobind design https://pagure.io/freeipa/c/3d809c706[commit] * Contributors: add new contributors to the list https://pagure.io/freeipa/c/bef78d16e[commit] === Mohammad Rizwan (1) * ipatest: Test ipa-cert-fix fails when startup directive is missing from CS.cfg https://pagure.io/freeipa/c/16057898a[commit] === Christian Heimes (2) * Add design for LDAPI autobind https://pagure.io/freeipa/c/5b8f37f88[commit] https://pagure.io/freeipa/issue/8544[#8544] * LDAP autobind authenticateAsDN for BIND named https://pagure.io/freeipa/c/16e1cbdc5[commit] https://pagure.io/freeipa/issue/8544[#8544] === François Cami (1) * ipatests: fix nightly_latest_testing_selinux template https://pagure.io/freeipa/c/87304c78a[commit] === Antonio Torres (2) * ipatests: add test for ipa-cacert-manage prune https://pagure.io/freeipa/c/8a2e6ec32[commit] https://pagure.io/freeipa/issue/7404[#7404] * ipa-cacert-manage: add prune option https://pagure.io/freeipa/c/5d8cb1dd1[commit] https://pagure.io/freeipa/issue/7404[#7404] === Peter Keresztes Schmidt (3) * configure: Do not set -Wno-strict-aliasing -Wno-sign-compare https://pagure.io/freeipa/c/f9357cb98[commit] * build: Unify compiler warning flags used https://pagure.io/freeipa/c/a355646c3[commit] * configure: Fix source tree detection to enable more warnings https://pagure.io/freeipa/c/54b42f72f[commit]

3 3

No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.
by roy liang 30 Jun '22

30 Jun '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

2 1

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
by roy liang 30 Jun '22

30 Jun '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
by roy liang 30 Jun '22

30 Jun '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
by roy liang 30 Jun '22

30 Jun '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 0

No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
by roy liang 30 Jun '22

30 Jun '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 0

No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.
by roy liang 30 Jun '22

30 Jun '22

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-… I'm going to try this scheme instead of CA Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you 1：Generate ca-key ca-cert #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 2： Generate certificate signing request: #openssl req -new -key ca-key -out csr.csr 3:Generate pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem 4:install freeipa root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert Installing CA certificate, please wait CA certificate successfully installed 5:install http.pem root@migration-ipa-65:~/test_ca# ipa-server-certinstall \ > --dirman-pass xxx \ > --http /root/test_ca/http.pem --pin xxx No server certificates found in /root/test_ca/http.pem The ipa-server-certinstall command failed.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2022