FreeIPA-users March 2023

freeipa-users@lists.fedorahosted.org

31 participants
56 discussions

Host based two factor requirements
by David Harvey 20 Mar '23

20 Mar '23

Hi there, When I try and re-enable TOTP for a host auth indicator I receive "invalid 'krbprincipalauthind': authentication indicators not allowed in service "host"" Running FreeIPA 4.9.10 on Rocky. I'm having some issues working out the current methods of OTP enforcement for SSH interactive as a login method. I've had a look through https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy… but am still stuck. I previously had a host configured (on its own details page) as requiring password and otp as auth indicators. This was a little buggy in that the GUI didn't display it after setting it, but did require an OTP on logging in with SSH and was reflected byt the krbPrincipalAuthInd attr being set. [image: image.png] I cleared this for the host for $reasons - resulting in the attrs being removed, and now if I try and re-enable I get: [image: image.png] Following that clue and those from other posts, I've been looking at the services auth indicators as where to set instead, but as ssh or login don't have services I can't work out how I am supposed to achieve this now? Thanks in advance, David

3 4

Creating and modifying users from an external system
by Ronald Wimmer 20 Mar '23

20 Mar '23

We have several scenarios where we cannot establish an AD Trust. In these cases we are forced to create/modify/delete IPA users triggered from an IAM system. Is the IPA API the one and only way to go or would it also work if we used IPA's LDAP directly? Cheers, Ronald

2 1

access IPA client via ssh does not work
by cdth＠gmx.net 20 Mar '23

20 Mar '23

I have a fresh IPA server setup with a trust to an Active Directory. Alls IPA services are working fine, IPA users can connect to IPA client hosts without problems. I now have added an AD user via creating an ID override in the default trust view and added an ssh key for the user. I made the user a member of an IPA group which has access to the IPA client host (verified via IPA user which is a member of this group). I did this by --idoverrideusers= as --external= seems to be gone. The AD user can't connect, not even that the ssh key is not working also the password does not work. Running the HBAC test in the web UI gives an ACCESS DENIED for the AD user and an ACCESS GRANTED for the IPA user. I also can see that a sssctl user-checks gives me a pam_acct_mgmt: Permission denied while for the IPA user it brings up pam_acct_mgmt: Success The command id aduser(a)example.com lists the AD groups but I can't see the IPA group there. Any hints will be greatly appreciated, thank you. Best regards, Thomas

2 2

FreeIPA-Kubernetes Setup
by Ronald Wimmer 20 Mar '23

20 Mar '23

Hi, are there any plans (or maybe ongoing work already) to let FreeIPA run in a K8s environment? Cheers, Ronald

6 8

backup & restore - 4.9.11 -> 4.10.1
by lejeczek 17 Mar '23

17 Mar '23

Hi guys. I'm trying to migrate IPA from Centos 8 over to Centos 9 but I fail. If the path I try is supported & should work then, first, 'restore' failed with: ... Restoring umask to 18 CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: 'IPA version error: data needs to be upgraded (expected version \'4.10.1-6.el9\', current version \'4.9.8-7.module_el8.6.0+1103+a004f6a8\')\nAutomatically running upgrade, for details see /var/log/ipaupgrade.log\nBe patient, this may take a few minutes.\nAutomatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.\nError caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.\nUpdate complete\nUpgrading the configuration of the IPA services\n[Verifying that root certificate is published]\n[Migrate CRL publish directory]\nPublish directory already set to new location\nForcing update of template /usr/share/ipa/ipa-pki-proxy.conf.template\nUpgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 17\n[Ensuring ephemeralRequest is enabled in KRA]\nephemeralRequest is already enabled\n[Verifying that KDC configuration is using ipa-kdb backend]\n[Fix DS schema file syntax]\n[Removing RA cert from DS NSS database]\n[Enable sidgen and extdom plugins by default]\n[Updating HTTPD service IPA configuration]\n[Updating HTTPD service IPA WSGI configuration]\nNothing to do for configure_httpd_wsgi_conf\n[Migrating from mod_nss to mod_ssl]\nAlready migrated to mod_ssl\n[Moving HTTPD service keytab to gssproxy]\n[Removing self-signed CA]\n[Removing Dogtag 9 CA]\n[Set OpenSSL engine for BIND]\n[Checking for deprecated KDC configuration files]\n[Checking for deprecated backups of Samba configuration files]\ndnssec-validation yes\n[Add missing CA DNS records]\nunable to resolve host name c8kubermaster1.private.lot. to IP address, ipa-ca DNS record will be incomplete\nIPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.\nUnexpected error - see /var/log/ipaupgrade.log for details:\nCalledProcessError: CalledProcessError(Command [\'/bin/systemctl\', \'start\', \'named.service\'] returned non-zero exit status 1: \'Job for named.service failed because the control process exited with error code.\\nSee "systemctl status named.service" and "journalctl -xeu named.service" for details.\\n\')\nThe ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information\n\nSee the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again\nAborting ipactl\n') so I try: -> $ ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/9]: saving configuration [2/9]: disabling listeners [3/9]: enabling DS global lock [4/9]: disabling Schema Compat [5/9]: starting directory server [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv(a)PRIVATE-LOT.service'] returned non-zero exit status 1: 'Job for dirsrv(a)PRIVATE-LOT.service failed because a fatal signal was delivered causing the control process to dump core.\nSee "systemctl status dirsrv(a)PRIVATE-LOT.service" and "journalctl -xeu dirsrv(a)PRIVATE-LOT.service" for details.\n') [cleanup]: stopping directory server [cleanup]: restoring configuration IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv(a)PRIVATE-LOT.service'] returned non-zero exit status 1: 'Job for dirsrv(a)PRIVATE-LOT.service failed because a fatal signal was delivered causing the control process to dump core.\nSee "systemctl status dirsrv(a)PRIVATE-LOT.service" and "journalctl -xeu dirsrv(a)PRIVATE-LOT.service" for details.\n') The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information -> $ journalctl -lf -u dirsrv(a)PRIVATE-LOT.service Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.748676397 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=private,dc=lot--no CoS Templates found, which should be added before the CoS Definition. Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.764528091 +0000] - ERR - libdb - BDB2506 file userRoot/replication_changelog.db has LSN 12/7510992, past end of log at 12/2536210 Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapTrd[14967]: [17/Mar/2023:16:19:03.768119982 +0000] - ERR - libdb - BDB2507 Commonly caused by moving a database from one database environment Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.771501904 +0000] - ERR - libdb - BDB2508 to another without clearing the database LSNs, or by removing all of Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.774956063 +0000] - ERR - libdb - BDB2509 the log files from a database environment Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: ns-slapd: ldap/servers/plugins/replication/cl5_api.c:1268: cldb_SetReplicaDB: Assertion `cldb' failed. Mar 17 16:19:03 c8kubermaster2.private.lot systemd-coredump[14993]: [🡕] Process 14967 (ns-slapd) of user 389 dumped core. Mar 17 16:19:03 c8kubermaster2.private.lot systemd[1]: dirsrv(a)PRIVATE-LOT.service: Main process exited, code=dumped, status=6/ABRT Mar 17 16:19:03 c8kubermaster2.private.lot systemd[1]: dirsrv(a)PRIVATE-LOT.service: Failed with result 'core-dump'. Mar 17 16:19:03 c8kubermaster2.private.lot systemd[1]: Failed to start 389 Directory Server PRIVATE-LOT.. If such simple process should work then please share your thoughts on what is failing here which can be fixed. Alternatively, trying the most obvious method - adding new master to existing domain - fails if the new member/master I want to make CA, without CA new master installs/adds. fails: ... [3/30]: creating ACIs for admin [4/30]: creating installation admin user Unable to log in as uid=admin-c9kmaster1.private.lot,ou=people,o=ipaca on ldap://c8kubermaster2.private.lot:389 [hint] tune with replication_wait_timeout [error] NotFound: uid=admin-c9kmaster1.private.lot,ou=people,o=ipaca did not replicate to ldap://c8kubermaster2.private.lot:389 and from log file: ... 2023-03-17T17:32:51Z ERROR Unable to log in as uid=admin-c9kmaster1.private.lot,ou=people,o=ipaca on ldap://c8kubermaster2.private.lot:389 2023-03-17T17:32:51Z INFO [hint] tune with replication_wait_timeout 2023-03-17T17:32:51Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation run_step(full_msg, method) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step method() File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 789, in setup_admin raise errors.NotFound( ipalib.errors.NotFound: uid=admin-c9kmaster1.private.lot,ou=people,o=ipaca did not replicate to ldap://c8kubermaster2.private.lot:389 2023-03-17T17:32:51Z DEBUG [error] NotFound: uid=admin-c9kmaster1.private.lot,ou=people,o=ipaca did not replicate to ldap://c8kubermaster2.private.lot:389 2023-03-17T17:32:51Z DEBUG Removing /root/.dogtag/pki-tomcat/ca 2023-03-17T17:32:51Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute ...

3 2

Win replication
by Алексей Иванов 17 Mar '23

17 Mar '23

Greetings, I'm using ipa-replica-manage connect --winsync to create users from windows to IPA. But it copies all the users from OU. Can I add an LDAP filter somewhere so that I will replicate only a subset of users? Regards, Alex Ivanov.

2 1

Kerberized NFS and IPA
by Ronald Wimmer 16 Mar '23

16 Mar '23

We enrolled a RHEL9 server (ipa client) in order to replace an old one (Centos 7.9). Unfortunately, windows users could not access their kerberized NFS home share. Today I rechecked the server and saw that the "trusted for delegation" flag was not set. (it was set on the old Centos server) I enabled it and now it seems to work. Was this probably just a coincidence or can it be explained somehow? The documentation says: > OK_AS_DELEGATE > Use this flag to specify Kerberos tickets trusted for delegation. > Active directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos ticket to > determine whether the user credentials can be forwarded or delegated to the specific server. AD > forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE set. > With this flag, system security services daemon (SSSD) can add the AD user TGT to the default > Kerberos credentials cache on the IdM client machine. Is it needed that the TGT ticket can be forwarded to the server in order to let the server fetch the NFS-Ticket needed? Cheers, Ronald

2 9

Problem with added host to freeipa with AD Trust setup
by cdth＠gmx.net 15 Mar '23

15 Mar '23

Hi! I am experiencing strange behaviour with a host which is added to an IPA instance. The IPA instance is working as it should and I can't see any problems there. There is a Trust established to an AD domain. The AD domain is in the form of example.com whereas the IPA domain is ipa.example.com domain. However the domain names of the hosts are host-ipa.example.com and client-ipa.example.com (and not host-ipa.ipa.example.com) As already said this works fine for the IPA server itself but for the client I am experiencing weird behaviour. I can add the client to the IPA domain by joining via ipaclient-install script and log on is working during the first minutes, but after some time a login via ssh public key is not possible anymore. When I look into the log files I can see that a connection to the directory server fails with the error message "Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EXAMPLE.COM(a)IPA.EXAMPLE.COM not found in Kerberos database)]" which seems to be the root cause for my problem as it should be krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM to my knowledge. I already tried a hint from this thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos… which tells to check the domain_realm mapping in /etc/krb5.conf (due to includes the [domain_realm] resides in /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com and indeed the mapping looks wrong to me: [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [capaths] EXAMPLE.COM = { IPA.EXAMPLE.COM = EXAMPLE.COM } IPA.EXAMPLE.COM = { EXAMPLE.COM = EXAMPLE.COM } I believe this should look like: [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [capaths] EXAMPLE.COM = { IPA.EXAMPLE.COM = IPA.EXAMPLE.COM } IPA.EXAMPLE.COM = { EXAMPLE.COM = EXAMPLE.COM } But changing the file does not help as after restarting sssd the file is overwritten again with the former version. Any hints are greatly appreciated! (the domain names are redacted to protect the innocent ;-) ) Best regards, Thomas

2 2

Cannot authenticate using Kerberos after upgrade to 4.10.1
by Gianluca Amato 15 Mar '23

15 Mar '23

Hi all, I have a FreeIPA installation with three servers on CentOS Stream 9. Recently, I upgraded one server from FreeIPA 4.10.0 to 4.10.1. After the upgrade, kinit <user> fails in the new server for all users, with the only exception of the admin user. The following happens: 1) In the command shell, I type "kinit studente" (or any other user but admin) 2) I enter the correct password 3) The result is "kinit: Generic error (see e-text) while getting initial credentials" Kerberos authentication still works correctly on the servers which are still on 4.10.0. LDAP authentication works correctly everywhere. If I check the /var/log/krb5kdc.log, I notice the following: Mar 14 13:35:13 ipa1.labeconomia.unich.it krb5kdc2868: AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.1.68.199: HANDLE_AUTHDATA: studente(a)LABECONOMIA.UNICH.IT for krbtgt/LABECONOMIA.UNICH.IT(a)LABECONOMIA.UNICH.IT, No such file or directory So the problem seems this "No such file or directory" during the HANDLE_AUTHDATA phase, but I have no idea what file it is looking for. This error only appears if I type the correct password. In case of wrong password, I get a standard "Preauthentication failed" error. Note also that "admin" is the only user with a SID (attribute "ipaNTSecurityIdentifier" in LDAP), which is required for generating Kerberos tickets with PACs. Is it possible the new FreeIPA insists in generating PACs? In case, is it possible to disable this behavior ? Thanks for any help, --gianluca

2 4

Help with importing Asterisk LDAP Schema into FreeIPA Server.
by r0 nam1 14 Mar '23

14 Mar '23

Hi, I'm currently attempting to run my asterisk instance and testing instance in realtime mode with the database being my FreeIPA instance. To do this I've looked at every thread and determined that the OpenLDAP structure Asterisk Provides and the 389 structure FreeIPA uses are different. I am not sure how different, so I have no clue how to translate it. I also have two ways of importing it, (I think), either with ldapadd, or by moving the ldif file to a certain directory and restarting the service, issue with that second approach is that I'm not sure what will happen if the ldif file isn't valid. I'll post what the asterisk source provides: https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver The ldif and schema file are both on that page, I'm not looking for somebody to translate if it's to much work, but I simply want to know how to. Seems like a valuable skill to have.

2 1

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users March 2023