ipa migrate-ds
by Tony Super
Hello,
I am trying to migrate from an IPA server that has FIPS disabled to an IPA server that has FIPS enabled. Both the old and the new IPA will have DNS, CA, etc.
I ran:
ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-objectclass=mepOriginEntry --with-compat ldap://oldipa.server.com
However, when I log in to a client machine connected to the new IPA server, my file ownership becomes htony : nobody.
What steps have I missed within the migration process?
I've tried exporting the cn=groups tree from the old IPA server into an LDIF and importing it into the new IPA server, but it did not solve the problem.
For everything else (DNS, sudoers, automount, etc.), can I simply export from the old server and import into the new server?
I also have 100+ client machines; is there an easy way to unjoin the machines from old-ipa-server and then join them to new-ipa-server? (My infrastructure is Ansible-enabled.)
Thanks in advance!
Best,
Tony
11 months, 3 weeks
IPACertNSSTrust Error
by Jeremy Tourville
I ran a health check on my server today and received an error similar to the example from https://github.com/freeipa/freeipa-healthcheck/blob/master/README.md
My system is running FreeIPA 4.9.10
{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertNSSTrust",
  "result": "ERROR",
  "kw": {
    "key": "caSigningCert cert-pki-ca some-random-string-of-numbers",
    "expected": "CTu,Cu,Cu",
    "got": "u,u,u",
    "nickname": "caSigningCert cert-pki-ca some-random-string-of-numbers",
    "dbdir": "/etc/pki/pki-tomcat/alias",
    "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}"
  }
}
How do I troubleshoot/fix? I presume the message is due to the extra "stuff" in the key.
11 months, 4 weeks
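The check above compares the NSS trust flags of each CA-related certificate in the CA's NSS database with what IPA expects. The three comma-separated fields are SSL, S/MIME and object signing; "u,u,u" says only that the private key is present, while "CTu,Cu,Cu" additionally marks the certificate as a trusted CA for each purpose. The following is an added example, not code from the healthcheck project or from the post: it reads the JSON that ipa-healthcheck emits, lists which letters are missing per field, and builds the certutil(1) invocation that rewrites the trust of that nickname. The sample report is constructed to match the shape of the quoted error; the serial in the nickname is made up.

```python
"""Added example: read ipa-healthcheck JSON output, explain an IPACertNSSTrust
ERROR field by field and build the certutil(1) command that restores the
expected NSS trust flags. The sample report below is constructed."""
import json

# An NSS trust string has three comma-separated fields, in this order.
FIELDS = ("SSL", "S/MIME", "object signing")


def parse_trust(flags):
    """'CTu,Cu,Cu' -> {'SSL': {'C','T','u'}, 'S/MIME': {'C','u'}, 'object signing': {'C','u'}}"""
    parts = flags.split(",")
    if len(parts) != 3:
        raise ValueError(f"malformed NSS trust string: {flags!r}")
    return {field: set(part) for field, part in zip(FIELDS, parts)}


def missing_trust(expected, got):
    """Per field, the trust letters present in 'expected' but absent from 'got'."""
    exp, have = parse_trust(expected), parse_trust(got)
    return {f: "".join(sorted(exp[f] - have[f])) for f in FIELDS if exp[f] - have[f]}


def certutil_fix(nickname, dbdir, expected):
    """argv for `certutil -M`, which rewrites the trust of one nickname in an NSS DB.
    The nickname is passed exactly as healthcheck reported it (suffix included),
    because certutil selects the certificate by nickname."""
    return ["certutil", "-M", "-d", dbdir, "-n", nickname, "-t", expected]


def nss_trust_findings(report_json):
    """Return [(nickname, dbdir, missing_flags, fix_argv)] for every IPACertNSSTrust ERROR."""
    findings = []
    for entry in json.loads(report_json):
        if entry.get("check") != "IPACertNSSTrust" or entry.get("result") != "ERROR":
            continue
        kw = entry["kw"]
        findings.append((
            kw["nickname"],
            kw["dbdir"],
            missing_trust(kw["expected"], kw["got"]),
            certutil_fix(kw["nickname"], kw["dbdir"], kw["expected"]),
        ))
    return findings


# Constructed sample shaped like `ipa-healthcheck --output-type json`:
# one failing and one passing IPACertNSSTrust result.
SAMPLE_REPORT = json.dumps([
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertNSSTrust",
        "result": "ERROR",
        "kw": {
            "key": "caSigningCert cert-pki-ca 1234567890",
            "expected": "CTu,Cu,Cu",
            "got": "u,u,u",
            "nickname": "caSigningCert cert-pki-ca 1234567890",
            "dbdir": "/etc/pki/pki-tomcat/alias",
            "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}",
        },
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertNSSTrust",
        "result": "SUCCESS",
        "kw": {"key": "Server-Cert cert-pki-ca", "expected": "u,u,u", "got": "u,u,u",
               "nickname": "Server-Cert cert-pki-ca", "dbdir": "/etc/pki/pki-tomcat/alias"},
    },
])

if __name__ == "__main__":
    for nick, dbdir, missing, argv in nss_trust_findings(SAMPLE_REPORT):
        print(f"{nick} in {dbdir}: missing {missing}")
        print("  fix:", " ".join(f'"{a}"' if " " in a else a for a in argv))
```

On a real server the input comes from `ipa-healthcheck --source ipahealthcheck.ipa.certs --output-type json`, the `certutil -M` command has to be run as root against the reported dbdir, and `certutil -L -d /etc/pki/pki-tomcat/alias` afterwards should list the nickname with the expected flags before the check is re-run. The output only tells you that the trust flags are wrong, not how they were lost, so it is worth running the same check on every CA replica.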
AWS Loadbalancer 2 FreeIPA servers
by Finn Fysj
I'm aware that there is an almost identical thread (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
However, in my case I'm only using FreeIPA as an LDAP server with GUI. I'm not using it as DNS nor as CA.
So, the only thing I should do is to generate certificates for the master, the replica and the load balancer, right? (To avoid the issues described in the linked thread.)
Where the certificates contain:
master: master fqdn and loadbalancer fqdn
replica: replica fqdn and loadbalancer fqdn
loadbalancer: master fqdn and replica fqdn.
Thank you for any clarification(s).
11 months, 4 weeks
BrowserMatch MSIE
by Finn Fysj
I see that /etc/httpd/conf.d/ssl.conf for my IPA instances includes the following lines:
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Would it be good security practice to remove this? E.g. "We do not accept MSIE 2-5 clients".
11 months, 4 weeks
Disable anonymous access to ldap
by Mojtaba Ghahari
Is it possible to disable anonymous read access to ldap?
When I try to delete the permission related to this, I get an error that this is a managed permission and cannot be deleted.
Command:
ipa permission-del "System: Read Global Configuration"
Result:
ipa: ERROR: Insufficient access: cannot delete managed permissions
Is there any functionality that may be broken by this?
11 months, 4 weeks
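In 389-ds the server-wide switch for this is the `nsslapd-allow-anonymous-access` attribute on `cn=config` (values `on`, `off` and `rootdse`), which is separate from IPA's managed permissions; `cn=config` is per server and not replicated, so it has to be set on every replica. Whatever is changed, the thing to verify afterwards is what an unauthenticated client on the network actually gets. The following is an added example, not FreeIPA code and not from the post: a standard-library-only probe that sends an anonymous LDAPv3 simple bind (RFC 4511) and reports the result code. The canned responses at the bottom are constructed for offline checking; the host name in the main block is a placeholder.

```python
"""Added example: probe whether a directory accepts anonymous simple binds by
hand-encoding an LDAPv3 BindRequest (RFC 4511, BER per X.690). Standard
library only; the canned responses at the bottom are constructed test data."""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48   # resultCode 389-ds uses to refuse anonymous binds


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def bind_request(message_id, dn=b"", password=b""):
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple password } }.
    Empty dn and password make it an anonymous bind. message_id must be < 128
    so the one-byte INTEGER encoding below is valid."""
    version = _tlv(0x02, b"\x03")                 # INTEGER 3
    name = _tlv(0x04, dn)                         # LDAPDN is an OCTET STRING
    auth = _tlv(0x80, password)                   # AuthenticationChoice [0] simple
    bind = _tlv(0x60, version + name + auth)      # [APPLICATION 0] BindRequest
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """(messageID, resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)             # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(resp, pos)       # matchedDN
    _, diag, _ = _read_tlv(resp, pos)             # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def anonymous_bind_allowed(host, port=636, use_tls=True, timeout=5.0):
    """Connect, send one anonymous bind, return (allowed, resultCode, diagnostic)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(bind_request(1))
        data = sock.recv(4096)
    finally:
        sock.close()
    _, code, diag = parse_bind_response(data)
    return code == LDAP_SUCCESS, code, diag


def _bind_response(message_id, code, diag=b""):
    """Encode a BindResponse as a server would; used only to build the constructed samples."""
    resp = _tlv(0x61, _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + resp)


# Constructed samples: what a server answers when anonymous binds are allowed,
# and the refusal 389-ds sends when nsslapd-allow-anonymous-access is off.
RESPONSE_ALLOWED = _bind_response(1, LDAP_SUCCESS)
RESPONSE_REFUSED = _bind_response(1, LDAP_INAPPROPRIATE_AUTH, b"Anonymous access is not allowed.")

if __name__ == "__main__":
    for sample in (RESPONSE_ALLOWED, RESPONSE_REFUSED):
        print(parse_bind_response(sample))
    # Against a live server (placeholder host name):
    # print(anonymous_bind_allowed("ipa.example.test"))
```

One caveat when reading the result: with `rootdse` the bind itself still succeeds and only searches below the root DSE are refused, so after choosing that setting the bind probe has to be followed by an anonymous search of a real container (for example `ldapsearch -x -b cn=accounts,<base>`) to confirm that nothing comes back.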
Admin account gets constantly locked
by Yavor Marinov
Hello all,
We have a really strange problem with our installation of FreeIPA 4.10. We are using the latest Alma 9.1 as the OS, but the default admin user account is getting constantly locked. After kinit-ing with a different admin user and unlocking the account, it becomes available again.
Another side effect of this is that the WebUI starts reporting that the service is unavailable, with a popup. Once user admin is unlocked and the ipa services are restarted, everything becomes available again.
Can you give me some heads-up on what I should check? (Password policy expiration is set to 90 days.)
12 months
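An account that keeps getting locked is being locked by something that keeps failing to authenticate as it, and the two logs on an IPA server that record the source address of such attempts are the KDC log (`/var/log/krb5kdc.log`, `AS_REQ` lines with `PREAUTH_FAILED` or `LOCKED_OUT`) and the 389-ds access log (`/var/log/dirsrv/slapd-<INSTANCE>/access`, a `BIND` followed by `RESULT err=49`). The following is an added example, not part of the post or of FreeIPA: it tallies failed admin authentications by source IP from both logs, joining 389-ds `conn=` identifiers to the connection line that carries the peer address. All log lines are constructed in the formats those daemons use; host names and addresses are made up.

```python
"""Added example: find where failed admin authentications come from, using the
MIT KDC log and the 389-ds access log. All sample lines below are constructed."""
import re
from collections import Counter

# krb5kdc.log: "... krb5kdc[pid](info): AS_REQ (n etypes {...}) <ip>: <STATUS>: <client> for <server>, <text>"
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ .*?\) (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<status>PREAUTH_FAILED|LOCKED_OUT): (?P<client>\S+) for "
)
# 389-ds access log: the connection line carries the peer address; BIND and
# RESULT lines only carry conn=/op= identifiers, so the three have to be joined.
DS_CONN_RE = re.compile(r" conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<ip>\S+) to ")
DS_BIND_RE = re.compile(r' conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
DS_RESULT_RE = re.compile(r" conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97 ")


def kdc_failures(lines, principal):
    """Counter: source IP -> failed AS_REQs (PREAUTH_FAILED or LOCKED_OUT) for principal."""
    hits = Counter()
    for line in lines:
        m = KDC_RE.search(line)
        if m and m["client"] == principal:
            hits[m["ip"]] += 1
    return hits


def ds_bind_failures(lines, bind_dn):
    """Counter: source IP -> simple binds as bind_dn that ended with err=49 (invalid credentials)."""
    conn_ip, pending, hits = {}, set(), Counter()
    for line in lines:
        if m := DS_CONN_RE.search(line):
            conn_ip[m["conn"]] = m["ip"]
        elif m := DS_BIND_RE.search(line):
            if m["dn"].lower() == bind_dn.lower():
                pending.add((m["conn"], m["op"]))
        elif m := DS_RESULT_RE.search(line):
            key = (m["conn"], m["op"])
            if key in pending:
                pending.discard(key)
                if m["err"] == "49":
                    hits[conn_ip.get(m["conn"], "unknown")] += 1
    return hits


def failed_auth_sources(kdc_lines, ds_lines, principal, bind_dn):
    """Merged tally across both logs; the top entry is the first place to look."""
    return kdc_failures(kdc_lines, principal) + ds_bind_failures(ds_lines, bind_dn)


# Constructed sample lines (two bad passwords and one lockout for admin from
# two addresses, plus an unrelated failure for another user).
SAMPLE_KDC = """\
Apr 24 09:15:02 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.42: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Apr 24 09:15:02 ipa.example.test krb5kdc[1234](info): closing down fd 11
Apr 24 09:15:09 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.42: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Apr 24 09:15:20 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.7: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client's credentials have been revoked
Apr 24 09:15:31 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.9: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
""".splitlines()

SAMPLE_DS = """\
[24/Apr/2023:09:15:03.100000000 +0000] conn=12 fd=64 slot=64 SSL connection from 10.0.0.42 to 10.0.0.5
[24/Apr/2023:09:15:03.200000000 +0000] conn=12 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[24/Apr/2023:09:15:03.300000000 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000100000 optime=0.001000000 etime=0.001100000
[24/Apr/2023:09:15:04.100000000 +0000] conn=13 fd=65 slot=65 SSL connection from 10.0.0.8 to 10.0.0.5
[24/Apr/2023:09:15:04.200000000 +0000] conn=13 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[24/Apr/2023:09:15:04.300000000 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.001000000 etime=0.001100000 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[24/Apr/2023:09:15:05.100000000 +0000] conn=14 fd=66 slot=66 SSL connection from 10.0.0.9 to 10.0.0.5
[24/Apr/2023:09:15:05.200000000 +0000] conn=14 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[24/Apr/2023:09:15:05.300000000 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000100000 optime=0.001000000 etime=0.001100000
""".splitlines()

if __name__ == "__main__":
    tally = failed_auth_sources(SAMPLE_KDC, SAMPLE_DS, "admin@EXAMPLE.TEST",
                                "uid=admin,cn=users,cn=accounts,dc=example,dc=test")
    for ip, n in tally.most_common():
        print(f"{ip:15} {n} failed admin authentications")
```

Lockout counters in IPA are kept per server, so `ipa user-status admin` (which reports failed logins per replica) tells you which server's logs to feed in first; a source that shows up in both logs is typically a script or service with a stale admin credential rather than a person.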
Help please Container install (proxmox)
by Günther J. Niederwimmer
Hello list,
I would like to install a container with FreeIPA from the GitHub site and then build it into Proxmox, but since I'm a newbie to this environment I need help.
Can someone show me the right way to do something like that with FreeIPA? All my attempts have failed so far.
Maybe there are pros for this environment on this list; even better would be a template for Proxmox. I'm also a newbie at Proxmox, so I'm in my infancy everywhere.
Thanks for an answer,
--
mit freundlichen Grüßen / best regards
Günther J. Niederwimmer
12 months
ACIs for replication status monitoring
by Sam Morris
I've created a system account for replication status monitoring:
uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com
... and I've added it to the
"cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com" permission.
While this allows the account to fetch info from underneath 'cn=mapping
tree,cn=config', it appears that ds-replcheck(1) insists on fetching the
nsds50ruv attribute from the replicated suffix, which is not granted by
the "Read Replication Agreements" permission.
Here's the directory server's access log when running 'ds-replcheck status -b o=ipaca':
[24/Apr/2023:11:35:34.468602164 +0000] conn=789 op=1 BIND dn="uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com" method=128 version=3
[24/Apr/2023:11:35:34.470810908 +0000] conn=789 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.020082546 optime=0.002246180 etime=0.022324130 dn="uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com"
[24/Apr/2023:11:35:34.475518328 +0000] conn=789 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[24/Apr/2023:11:35:34.475918861 +0000] conn=789 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000211040 optime=0.000406466 etime=0.000612026
[24/Apr/2023:11:35:34.477210042 +0000] conn=789 op=3 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" attrs=ALL
[24/Apr/2023:11:35:34.487675914 +0000] conn=789 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000248974 optime=0.010471906 etime=0.010715383
[24/Apr/2023:11:35:34.502207252 +0000] conn=789 op=4 SRCH base="o=ipaca" scope=2 filter="(&(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nstombstone))" attrs="nsds50ruv"
[24/Apr/2023:11:35:34.502647379 +0000] conn=789 op=4 RESULT err=0 tag=101 nentries=0 wtime=0.000333635 optime=0.000446668 etime=0.000773723
[24/Apr/2023:11:35:34.504273914 +0000] conn=789 op=5 UNBIND
If I perform these queries manually using my repl-mon user then I see
that the problem is the third search returns nothing.
However, this attribute can be read from the second search! Although
it's not included in the results when 'ALL' attributes are requested,
explicitly adding it to the search query works fine:
$ ldapsearch -LLL -o ldif-wrap=no -H ldaps://ipa0.ipa.example.com -x -D uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com -w ... -s sub -b cn=config '(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))' '*' nsds50ruv
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaId: 14
nsDS5ReplicaName: 11111111-22222222-33333333-44444444
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaType: 3
nsState:: DgAAAAAAAAA0jUZkAAAAAAAAAAAAAAAAwwAAAAAAAAAAAAAAAAAAAA==
nsds5ReplicaBackoffMax: 300
nsds5ReplicaLegacyConsumer: off
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsds5ReplicaChangeCount: 5254
nsds50ruv: {replicageneration} 5cb8bedf000000060000
nsds50ruv: {replica 14 ldap://ipa1.ipa.example.com:389} 610ad7470001000e0000 64468df50000000e0000
nsds50ruv: {replica 12 ldap://ipa0.ipa.example.com:389} 6082f5e10001000c0000 644695700000000c0000
nsds50ruv: {replica 18 ldap://ipa2.ipa.example.com:389} 628d6a07000100120000 64469383000000120000
Is there a particular reason that ds-replcheck(1) doesn't read the
nsds50ruv attribute from 'cn=o\3Dipaca,cn=mapping tree,cn=config'
returned by the 2nd search above (I expect if I knew more about how
replication is implemented the reason would be obvious...)
I wonder what's the right way I should be doing this?
* RFE against 389 Directory Server to make ds-replcheck ask for
nsds50ruv in the second search it performs above instead of making a
separate search for it in the replicated suffix's entry?
* RFE against FreeIPA to make 'Read Replication Agreements' include
whatever ACI makes
the second search above work?
I can't even figure out the correct aci at the moment. I've added the
following to 'cn=mapping tree,cn=config' (based on
<https://www.spinics.net/linux/fedora/389-users/msg20036.html>)
aci: (targetattr = "*")(version 3.0;acl "for ds-replcheck"; allow (read,compare,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0;acl "for ds-replcheck"; allow (read,compare,search) userdn = "ldap:///uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com";)
but my user still can't see the nsds50ruv attribute when searching
with:
$ ldapsearch -H ldaps://ipa0.ipa.example.com -x -D uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com -w ... -s sub -b o=ipaca '(&(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nstombstone))' nsds50ruv
Maybe because of the funky way that the search base is 'o=ipaca' but
the entry returned in the result (when it works, i.e. when I run it
as 'cn=directory manager') is 'cn=replica,cn=o\3Dipaca,cn=mapping
tree,cn=config'?
* Write my own ACIs from scratch avoiding using IPA's 'Read Replication
Agreements' permission? If I can get the above to work then I could
do this as well.
* A better idea? :)
Regards,
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
12 months
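The values that the second search above returns are the RUV: one `{replicageneration}` value and, per replica id, a min and a max CSN. A CSN is 20 hex digits: 8 of Unix time, 4 of sequence number, 4 of replica id and 4 of subsequence. Comparing each replica id's max CSN across the RUVs of two servers is the core of what a replication status check does to decide whether they are in sync. The following is an added example, not 389-ds or FreeIPA code and not the poster's: it decodes CSNs, parses `nsds50ruv` values and reports per-replica lag between two RUVs, so a monitoring account can work from the explicit-attribute search that already succeeds. The "local" RUV uses the values quoted above; the "remote" RUV is constructed.

```python
"""Added example: decode 389-ds CSNs, parse nsds50ruv values and compare two
RUVs the way a replication status check does. The "remote" RUV is constructed."""
import re
from datetime import datetime, timezone

RUV_GEN_RE = re.compile(r"^\{replicageneration\} (?P<gen>[0-9a-fA-F]{20})$")
RUV_REPLICA_RE = re.compile(
    r"^\{replica (?P<rid>\d+) (?P<url>[^\s}]+)\}"
    r"(?: (?P<mincsn>[0-9a-fA-F]{20}))?(?: (?P<maxcsn>[0-9a-fA-F]{20}))?$"
)


def parse_csn(csn):
    """'64468df50000000e0000' -> (unix_time, seq, replica_id, subseq)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"bad CSN: {csn!r}")
    return int(csn[0:8], 16), int(csn[8:12], 16), int(csn[12:16], 16), int(csn[16:20], 16)


def csn_time(csn):
    """ISO 8601 UTC timestamp of the CSN's time field."""
    return datetime.fromtimestamp(parse_csn(csn)[0], tz=timezone.utc).isoformat()


def parse_ruv(values):
    """nsds50ruv values -> (generation, {rid: {"url", "min", "max"}}); min/max are decoded CSNs or None."""
    generation, replicas = None, {}
    for value in values:
        if m := RUV_GEN_RE.match(value):
            generation = m["gen"]
        elif m := RUV_REPLICA_RE.match(value):
            rid = int(m["rid"])
            csns = [parse_csn(c) for c in (m["mincsn"], m["maxcsn"]) if c]
            if csns and csns[-1][2] != rid:
                raise ValueError(f"max CSN of replica {rid} carries replica id {csns[-1][2]}")
            replicas[rid] = {"url": m["url"],
                             "min": csns[0] if csns else None,
                             "max": csns[-1] if csns else None}
        else:
            raise ValueError(f"unrecognised RUV value: {value!r}")
    return generation, replicas


def ruv_lag(local, remote):
    """Seconds by which remote's knowledge of each replica id trails local's.
    0 means in sync, negative means remote is ahead, None means remote has never seen that id."""
    lag = {}
    for rid, entry in local.items():
        if entry["max"] is None:
            continue
        other = remote.get(rid)
        lag[rid] = None if other is None or other["max"] is None else entry["max"][0] - other["max"][0]
    return lag


def lag_report(local_values, remote_values):
    """One readable line per replica id, from the nsds50ruv values of two servers."""
    gen_l, local = parse_ruv(local_values)
    gen_r, remote = parse_ruv(remote_values)
    lines = []
    if gen_l != gen_r:
        lines.append(f"WARNING: replica generation differs ({gen_l} vs {gen_r}): not the same topology")
    for rid, secs in sorted(ruv_lag(local, remote).items()):
        url = local[rid]["url"]
        if secs is None:
            lines.append(f"rid {rid} ({url}): unknown to remote")
        elif secs == 0:
            lines.append(f"rid {rid} ({url}): in sync")
        elif secs > 0:
            lines.append(f"rid {rid} ({url}): remote behind by {secs} s")
        else:
            lines.append(f"rid {rid} ({url}): remote ahead by {-secs} s")
    return lines


# Local RUV: the values quoted in the post. Remote RUV: constructed so that
# rid 14 is in sync, rid 12 lags by 208 s and rid 18 is unknown to the remote.
LOCAL_RUV = [
    "{replicageneration} 5cb8bedf000000060000",
    "{replica 14 ldap://ipa1.ipa.example.com:389} 610ad7470001000e0000 64468df50000000e0000",
    "{replica 12 ldap://ipa0.ipa.example.com:389} 6082f5e10001000c0000 644695700000000c0000",
    "{replica 18 ldap://ipa2.ipa.example.com:389} 628d6a07000100120000 64469383000000120000",
]
REMOTE_RUV = [
    "{replicageneration} 5cb8bedf000000060000",
    "{replica 14 ldap://ipa1.ipa.example.com:389} 610ad7470001000e0000 64468df50000000e0000",
    "{replica 12 ldap://ipa0.ipa.example.com:389} 6082f5e10001000c0000 644694a00000000c0000",
]

if __name__ == "__main__":
    print("\n".join(lag_report(LOCAL_RUV, REMOTE_RUV)))
```

The input for each server is the ldapsearch from the post that explicitly requests `nsds50ruv` from the replica entry under `cn=config`, run with the monitoring account against each replica in turn. The time field is when the newest change was generated on that replica, so a lag of a few seconds on a busy suffix is normal; a lag that grows between runs, or a replica id that stays unknown, is what a monitor should alert on.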
WEB UI access issues with AD account
by iulian roman
Hello,
I have a FreeIPA setup with ad trust configured. Everything works, except the login to the WEB UI with an Active Directory account. The only possibility to login to the WEB UI is via the admin account.
In /var/log/krb5kdc.log I have the following entries after I try to connect to the WEB UI:
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Additional pre-authentication required
Apr 21 13:10:50 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: REFERRAL: ad_user\@example.corp@IPA.EXAMPLE.CORP for krbtgt/IPA.EXAMPLE.CORP@IPA.EXAMPLE.CORP, Realm not local to KDC
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ad_user@EXAMPLE.CORP for HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.110.10.16: ISSUE: authtime 1682075451, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, HTTP/server1.ipa.example.corp@IPA.EXAMPLE.CORP for ldap/server1.ipa.example.corp@IPA.EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): ... CONSTRAINED-DELEGATION s4u-client=ad_user@EXAMPLE.CORP
Apr 21 13:10:51 server1.ipa.example.corp krb5kdc[79563](info): closing down fd 11
In /var/log/httpd/error_log:
[Fri Apr 21 13:10:51.486185 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: http://server1.ipa.example.corp:80 "GET /ipa/session/cookie HTTP/1.1" 301 264
[Fri Apr 21 13:10:51.489030 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: Starting new HTTPS connection (1): server1.ipa.example.corp:443
[Fri Apr 21 13:10:51.502719 2023] [wsgi:error] [pid 83736:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: https://server1.ipa.example.corp:443 "GET /ipa/session/cookie HTTP/1.1" 200 0
[Fri Apr 21 13:10:51.520267 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.520383 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Fri Apr 21 13:10:51.543781 2023] [wsgi:error] [pid 83735:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Fri Apr 21 13:10:51.549458 2023] [:warn] [pid 84016:tid 139829933188864] [client 10.30.93.93:55487] failed to set perms (3140) on file (/run/ipa/ccaches/ad_user@EXAMPLE.CORP-EejFLz)!, referer: https://server1.ipa.example.corp/ipa/ui/
[Fri Apr 21 13:10:51.550056 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri Apr 21 13:10:51.550114 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: DEBUG: WSGI KerberosLogin.__call__:
[Fri Apr 21 13:10:51.557831 2023] [wsgi:error] [pid 83738:tid 139830049466112] [remote 10.30.93.93:55487] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (108962060): Credential cache is empty
From the WEB UI I tried to connect with the ad_user account both with and without appending the AD domain (EXAMPLE.CORP).
The error message I get in the UI is: Your session has expired. Please log in again.
Does anyone have any suggestion or idea how this can be fixed?
12 months
Multiple http services on one host
by Anonymous
I want to authenticate to Cockpit with Kerberos. Some of the servers, however, have other services running on the HTTP service in FreeIPA; FreeIPA itself is an example. What is the proper way to have Kerberos authentication on Cockpit running on FreeIPA master and replica servers? I know that I can create a service called cockpit/master.domain.com, but from what I've been told, or at least as I've understood it, for Kerberos to function the service needs to be HTTP/master.domain.com.
1 year