FreeIPA on Fedora and dnf system-upgrade
by Ian Pilcher
I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.
How does this work on Fedora? Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
9 months, 3 weeks
Limiting access to GUI
by Entrepreneur AJ
Hey all,
I have a wan facing install due to many of my team operating with mobile phone hotspots whilst visiting customers.
An Issue I'm having is I want to restrict the GUI to only our admin team's IP address but editing the Apache Config with;
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
SetHandler None
AllowOverride None
Satisfy Any
Require all granted
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
Order allow,deny
Allow from <ADMIN IP RANGE>
</Directory>
Is still allowing anyone with a browser to reach the IPA gui.
We have Keycloak in place for staff and users to update their passwords.
Any pointers? I would personally prefer to firewall it off but that effects other IPA features.
10 months
PKINIT questions
by alexey safonov
Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was
upgraded many times). It is CA-less setup (Inititally we had CA, but
than it was removed). So now 4 of my servers are saying that PKINIT
is enabled and one server is saying "disabled".
I tried to re-install replica, but it says CA-less mode can't issue a
certificate, so I tried with kdc-cert-file, but than it says cert is
not valid (where it's definitly works for web and ldap).
Anything I can do here and enable pkinit on that replica?
Alex
10 months
Where is root CA private key stored?
by Ian Pilcher
(Hopefully Thunderbird will only send one copy of this. Sorry about the
previous duplicate.)
I run a single FreeIPA server (on CentOS 7) in my home network, and I'm
thinking of migrating it to Fedora. AFAICT, doing this as an actual
upgrade will require multiple cycles of creating a newer FreeIPA server,
adding it as a replica, removing the older server, lather, rinse,
repeat.
I'm only using FreeIPA for its DNS, certificate authority, and LDAP
authentication capabilities, and my home network isn't that large, so
I'm considering simply installing a new server and re-creating the
various users, hosts, services, and DNS zones/entries. (I don't have
any systems that are truly managed with FreeIPA.)
Thus, it would be nice if the new FreeIPA server could use the same
root CA certificate as the existing one. I believe that I can do this
by passing the --external-cert-file option to ipa-server-install, but
I need both the certificate and the private key of the root CA to do so.
Thus, I'm wondering how I can extract the root CA private key from my
existing CentOS 7 (FreeIPA 4.6.8) server.
Thanks!
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
10 months
Replication woes in three discrete environments - 4.6.8-5
by Eric Fox
Hello FreeIPA-Users mailing list,
Appreciate the hard work put into building FreeIPA. I have a bit of a dilemma. On three separate isolated identical network environments, I have a cluster of FreeIPA servers running on CentOS 7 (FreeIPA Server 4.6.8-5). Replication is broken on all three environments - errors in the Dirsrv log indicate communication timeouts, and inability for the replicas to authenticate their Kerberos tickets. All machines have a 15 minute kerberos timeout set in krb5.conf due to security requirements. The environments have consistent NTP time off of the network equipment with drift between sites measured less than 5 seconds.
Trying to manually force-sync does not work - the replication just times out. Eventually user entry changes replicate across the 3 isolated domains, but only on the servers that are on the same layer 2 network. To rule out network security blocking the replication traffic I disabled switch ACLs and VM firewalls temporarily - no change on the broken replicas. On one of the three networks, I rebuilt the malfunctioning replicas from scratch - same hardening baseline. The new instances of IPA were not able to replicate to the original primary server, but they do pull in all of the domain information on first setup. I then tried making a totally new IPA server on the same baseline with a new host name not seen in the domain before - this works perfectly. One of my colleagues who maintains a separate IPA cluster stated that he was unable to reuse replica host names when he rebuilt replica systems on Rocky 8 and RHEL8.
Short questions:
- Can an IPA Server have its krb5.conf Kerberos session timeout set as low as 15 minutes? Or do I need to keep this higher?
- If I can't get force-sync to work, and I can't use re-initialize either, is the only route to rebuild the replica?
- Can host names of IPA servers be reused on rebuild? If so, what needs to be cleaned out of the domain? I did make sure the old instance of a replica was wiped from DNS, CA, and Replication agreements after the ipa-replica-manage del.
- Are there known settings in the DISA STIG for RHEL7 or the CIS Level2 hardening benchmark that break IPA functionality post-install?
- What would be the best replication topology for an environment of 3 IPA servers in 2 locations, and 2 IPA servers in a third location? Network latency between locations is sub-10ms and very consistent.
If you need log entries I can provide general error messages but not the whole log.
Thank you very much for any pointers/advice.
10 months, 1 week
FreeIPA on Fedora and dnf system-upgrade
by Ian Pilcher
I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.
How does this work on Fedora? Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
10 months, 1 week
FreeIPA on Fedora and dnf system-upgrade
by Ian Pilcher
I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.
How does this work on Fedora? Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
10 months, 1 week
AD certificate authentication against FreeIPA - is that possible?
by Francis Augusto Medeiros-Logeay
Hi,
We have an application that requires Active Directory. In order to
provide SSO, the application gets a user certificate from AD and, as I
understand, uses it towards a RHEL machine as a smart card. I installed
AD's ca certificates on the RHEL client and it works when sssd.conf is
all configured towards AD.
I've joined the client to AD, as I said, but I do want my `id_provider`
in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA.
But when I do this, the authentication doesn't work.
Is there a way to either force pam/sssd to check the certificates
against AD while still getting groups and names from ldap, or to get
FreeIPA to approve the certificates?
I know this might be a very corner case, but if we make it works, this
would be beautiful.
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
10 months, 1 week
sudo and hostnames
by Ronald Wimmer
Is a correct hostname (FQDN) required for sudo rules to work properly?
I do have a host where the hostname is set to its shortname. My user is
allowed to perform sudo on this host (as it is a member of the admin
group which is allowed to do everything on every host) but another user
(who is not member of the admin group) cannot perform sudo on this
particular host. (according to IPA this user should be able to use sudo)
My suspicion is that this might have to do with the hostname incorrectly
set to its shortname and not to its FQDN.
Is this plausible?
Cheers,
Ronald
10 months, 1 week
certmonger certificate renewal stuck in SUBMITTING loop
by Jernej Jakob
Hi, I have a client whose host certificate expired on 2023-06-07.
Today I logged into the FreeIPA webui and went to the certificates page
which was very slow to load. I had this problem before when there was
one host (a different one) stuck in a certificate request loop, so I
immediately suspected the same thing happened again. Sure enough, there
are >3000 certificates for this host listed in IPA.
Running 'getcert list' on the host shows:
Number of certificates and requests being tracked: 1.
Request ID '20190703221417':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=redacted.example.com,O=EXAMPLE.com
expires: 2023-06-07 00:14:30 CEST
dns: redacted.example.com
principal name: host/redacted.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I stopped certmonger to stop the loop. Then checked if the problem was
the same as on that other host some time ago, but it was not.
I saw one error in syslog (this turned out to not be the issue):
"Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Could not resolve host: ipa1.example.com)."
That is a server that has been shut down. It was the first server I
installed IPA onto, which had a replica ipa2. That was on CentOS 7.
This year I migrated to Rocky 8 by adding two new clients, ipa3 and
ipa4, following the official procedure by promoting each client to a
replica, set ipa3 as CA renewal master, and so on. Then after that was
done I removed the old servers from replication, shut down IPA services,
unenrolled them and updated all SRV records in DNS. I forgot about
A/AAAA ipa-ca, which was left pointing at two addresses, that of ipa1
and ipa3.
It's weird becase it can obviously contact and obtain a certificate
from ipa3, whose logs contain these successful issuances. It could
contact it on 2023-06-07, when the ipa-ca record was still pointing to
both the ipa1 and ipa3 servers.
On 2023-06-09 I dist-upgraded both ipa3/4 servers, at which time I also
found the incorrect ipa-ca A/AAAA records (coincidentally as I was
configuring a smart card CA certificate), so I corrected it. But the
failing certmonger client still kept failing which makes me believe
it was not the fault of the incorrect ipa-ca records.
I searched around on the "redacted.example.com" for ipa1. It's not in
/var/lib/certmonger/requests/20190703221417 (the failing request)
but it is in /etc/ipa/default.conf:
server = ipa1.example.com
xmlrpc_uri = https://ipa1.example.com/ipa/xml
I changed these values to ipa3 now, started certmonger and resubmitted
the request. Unfortunately no change. That libcurl error for ipa1 is
gone now:
Jun 16 15:28:01 redacted certmonger[2091940]: 2023-06-16 15:28:01 [2091940] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
Jun 16 15:28:01 redacted certmonger[2091940]: 2023-06-16 15:28:01 [2091940] Unable to initialize NSS.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_REQ_SUBJECT" to "CN=redacted.example.com,O=EXAMPLE.COM" for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_REQ_PRINCIPAL" to "host/redacted.example.com(a)EXAMPLE.COM" for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_CSR" to "-----BEGIN NEW CERTIFICATE REQUEST-----
Jun 16 15:28:01 redacted certmonger[2091941]: ...redacted..." for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_SPKAC" to ...redacted...
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_SPKI" to ...redacted...
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_LOCAL_CA_DIR" to "/var/lib/certmonger/local" for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_KEY_TYPE" to "RSA" for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_CA_NICKNAME" to "IPA" for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Setting "CERTMONGER_CERTIFICATE" to "-----BEGIN CERTIFICATE-----
Jun 16 15:28:01 redacted certmonger[2091941]: ...redacted..." for child.
Jun 16 15:28:01 redacted certmonger[2091941]: 2023-06-16 15:28:01 [2091941] Redirecting stdin and stderr to /dev/null, leaving stdout open for child "/usr/lib/certmonger/ipa-submit".
At this point it just keeps repeating the same over and over again.
I would appreciate any help. Thanks.
10 months, 1 week