User Agreement Description Field
by Riccardo Rotondo
Hi,
I defined an Agreement in the web UI and I can see it loaded in noggin.
I was wondering if the description supports HTML, Markdown or any other syntax, in order to put a clickable URL in the description.
I made some tests, but with no luck.
Thank you in advance.
Riccardo
3 weeks, 2 days
Not possible to delete ID views from Default Trust View if user is no longer present in AD
by LHEUREUX Bernard
Hello,
I’m trying to delete some anchors in the Default Trust View on a FreeIPA with a trust to an AD, and I always get the message “…@... user not found”.
Effectively those users are no longer part of the organization and have been removed from the AD, but how could I clean them up in the Default Trust View?
Thanks for your help.
---
Bernard Lheureux
Win S.A.
1/ In accordance with our ISO 27001 certification, this message and any attachments are the exclusive property of Win. The information contained in this e-mail may be confidential and therefore protected from any disclosure. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer, without copying or disclosing it.
2/ Acceptance of any commercial offer (whatever its medium) implies adherence to the descriptions (in particular the technical ones) inherent to the solutions offered, as well as to Win's general terms and conditions of sale, available at https://www.win.be/cgv
DISCLAIMER: https://www.win.be/fr-win/disclaimer.htm
3 weeks, 2 days
Question regarding “Samba on an IdM domain member”
by Thomas Handler
Hello,
At the beginning of March I received support from Alexander on running Samba on an IdM domain member. Back then my problem was what Alexander pinpoints in his text https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/ under "Mixed realm deployments”, where the Linux machine running Samba was in the wrong DNS zone.
After having fixed this, things are running fine.
Now what was already obvious back then, and is well noted in the Red Hat docs https://access.redhat.com/documentation/en-en/red_hat_enterprise_lin..., has come up: “AD users logged into a Windows machine can not access Samba shares hosted on an IdM domain member”.
So the customer has now stumbled over exactly this, and I just wanted to confirm that my understanding of this section in the docs is correct and that there’s no way to ensure that an AD user on a Windows machine can access the shares on the Samba machine joined to IdM.
Thank you.
Best regards,
Thomas
3 weeks, 2 days
pki-tomcat won't start + expired certificates
by Basile Pinsard
Hi FreeIPA experts.
I have been using FreeIPA for the past 5 years, running in a docker container, no replicas.
Currently on VERSION: 4.9.6, API_VERSION: 2.245
I have the following issue, not sure what caused this: the pki-tomcat service is not starting, and it is no longer possible to log in through the web UI.
Auth through LDAP (some websites) and through SSSD on Linux servers is still working; Kerberos tickets are generated when logging in with a password or when running kinit, so critical operations are still possible.
The messages in `systemctl status pki-tomcatd(a)pki-tomcat.service` are:
```
Apr 12 13:50:33 ipa.domain.com ipa-pki-wait-running[17869]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ipa.domain.com:8080/ca/admin/ca/getStatus
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd(a)pki-tomcat.service: start-post operation timed out. Terminating.
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd(a)pki-tomcat.service: Control process exited, code=killed, status=15/TERM
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd(a)pki-tomcat.service: Failed with result 'timeout'.
Apr 12 13:50:34 ipa.domain.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
```
journalctl gives other errors (filtered to what seems relevant):
```
Apr 12 13:49:05 ipa.domain.com server[17868]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/commons-collections.jar], exists: [false], canRead: [false]
Apr 12 13:49:07 ipa.domain.com java[17868]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Apr 12 13:49:18 ipa.domain.com server[17868]: SEVERE: Context [/acme] startup failed due to previous errors
```
`/var/log/pki/pki-tomcat/pki/debug.2024-04-12.log` contains the following errors:
```
2024-04-12 15:01:12 [main] SEVERE: Exception initializing random number generator using provider [Mozilla-JSS]
java.security.NoSuchProviderException: no such provider: Mozilla-JSS
at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:83)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
....
```
`/var/log/pki/pki-tomcat/ca/debug.2024-04-12.log` contains the following type of errors:
```
2024-04-12 00:17:37 [main] SEVERE: Unable to start CA engine: Property instanceRoot missing value
Property instanceRoot missing value
at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:297)
at com.netscape.cmscore.apps.EngineConfig.getInstanceDir(EngineConfig.java:55)
at com.netscape.cmscore.apps.CMSEngine.loadConfig(CMSEngine.java:233)
at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1025)
....
2024-04-12 17:49:21 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Property instanceRoot missing value
at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1672)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
```
`getcert list` reports all entries except the caCACert as expired.
I tried pretty much everything I could find on the internet (though most of the threads I found were never resolved).
Tried ipa-cert-fix.
Tried ipa-restore of a backup in a new container; the same problem occurs.
My guess is that an upgrade years back broke the certificate auto-renewal and it went undetected, and now that everything is expired it's failing.
If you have any ideas of what to check/try I would be very grateful, as I am losing my sanity here.
Also, I am a bit scared of breaking what is currently working (LDAP+SSSD) and critical to our operations, so if anything can be tested on a copy of the data in a container, that would be great.
Thanks!
3 weeks, 2 days
sudo HBAC rule refuses to work for AD users (one-way trust).
by slek kus
Hi, I posted a similar issue a while ago. Then sudo rules magically started working after enabling and disabling the "allow_all" rule.
This time, I cannot get any sudo command working, while an HBAC test is OK. I can even see in the log of the client that "allow_all" permits the sudo -i.
The issue is on all clients. There is no problem with ssh/login for the AD users.
```
[admin@idm1 ~]$ ipa hbactest --user user1(a)INFRA.REDACTED.SERVICES --host host01.redacted.services --service sudo-i
--------------------
Access granted: True
--------------------
Matched rules: allow_all
Matched rules: infra-mgmt_clients_hg
< ... >
```
```
user1@INFRA.REDACTED.SERVICES@host01:~$ sudo -i
[sudo] password for user1(a)INFRA.REDACTED.SERVICES:
user1(a)INFRA.REDACTED.SERVICES is not allowed to run sudo on host01.
```
Enabling debugging:
sssd_domain.log: https://pastebin.com/mFGUEnse
sssd_sudo.log: https://pastebin.com/3d3ETTNh
Also enabled debug in /etc/sudo.conf.
In this debug data there is no mention or trace of sss or the user.
Configuration files seem OK: sssd.conf, krb5.conf, nsswitch.conf.
3 weeks, 3 days
Re: Password expired is not requested with Ubuntu clients
by Sumit Bose
On Fri, Apr 19, 2024 at 08:56:36AM +0000, Carlos Lopez via FreeIPA-users wrote:
> Good morning,
>
> I have configured some Ubuntu clients to authenticate via Kerberos against my RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.
>
> The problem comes when a user's password has expired. In the IdM server logs it is clear that the user must change the password:
>
> 2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired
> 2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
> 2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required
> 2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
> 2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG
>
> But when accessing the Ubuntu client via ssh, it never prompts to change the password and you can log in.
Hi,
can you share your PAM configuration for the sshd service? I'm asking because the change of expired passwords is handled in the 'account' section, and I guess with your configuration (local users with authentication by SSSD) pam_sss.so is not called for local users during 'account'.
bye,
Sumit
>
> My sssd's config in Ubuntu client is:
>
> [sssd]
> config_file_version = 2
> services = pam
> domains = mydom.org
>
> [pam]
> pam_pwd_expiration_warning = 2
>
> [domain/mydom.org]
> id_provider = proxy
> proxy_lib_name = files
> auth_provider = krb5
> chpass_provider = krb5
> krb5_server = rhelidmsrv01.mydom.org
> krb5_kpasswd = rhelidmsrv01.mydom.org
> krb5_realm = mydom.org
> krb5_ccname_template = KEYRING:persistent:%U
> krb5_validate = true
> cache_credentials = true
>
> What could be the problem?
>
> Best regards,
> C. L. Martinez
3 weeks, 6 days
Expiring password Notification email template - images
by Tania Hagan
Hi FreeIPA Users,
Does anyone know if it's possible to include inline images in the email template for the Expiring Password Notification? I've experimented with including base64 encoding, but the message just shows a white box with a black outline. I think this is a limitation of our email client, and I tried swapping to a CID embedded image, but have no way of pointing the template to the image file.
Many Thanks,
Tania
3 weeks, 6 days
IPA Replica can't authenticate users
by John Doe
I'm playing around with IPA trying to figure out how to set it up to be redundant. The problem is that the IPA Replica isn't able to authenticate AD users if the IPA Master is down.
My setup:
One Windows Server set up with Active Directory Domain Services, Active Directory Certificate Services and a DNS server hosting the ad.labnet.org domain and the Root CA.
Two Linux servers set up in the labnet.org domain. Both use the Windows Server DNS server.
The first one is set up as an IPA Master server hosting the domain ipa.labnet.org and acts as a subordinate CA server. It was set up with the following commands:
```
sudo ipa-server-install --external-ca --external-ca-type=ms-cs
sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
```
The second one is set up as an IPA Replica, also hosting the domain ipa.labnet.org. It has been set up with the following commands:
```
sudo ipa-client-install --mkhomedir
sudo ipa-replica-install
sudo ipa-ca-install
kinit admin
sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
```
All needed DNS records have been created in the DNS server on the Windows server. At least I hope so.
IPA Healthcheck on both IPA servers doesn't complain about anything missing:
```
sudo ipa-healthcheck --output-type human
```
One IPA Client, also set up in the labnet.org domain and using the Windows server DNS, was set up with the following command:
```
sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
```
Testing authentication on the IPA Client as a user in ad.labnet.org works out like this:
Both IPA Servers up: works OK
Only IPA Master up: works OK
Only IPA Replica up: doesn't work.
After this, a check with IPA Healthcheck on the IPA Replica now comes back with this:
```
WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID {} for ad.labnet.org returned nothing
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
IPA: lab003.labnet.org
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
IPA: lab003.labnet.org
```
Can anyone suggest what I have done wrong or missed? As far as I can tell there are no commands that let me write to the Global Catalog?
Thanks!
3 weeks, 6 days
Password expired is not requested with Ubuntu clients
by Carlos Lopez
Good morning,
I have configured some Ubuntu clients to authenticate via Kerberos against my RHEL9 IdM server. Everything works correctly: clients are authenticated, etc.
The problem comes when a user's password has expired. In the IdM server logs it is clear that the user must change the password:
```
2024-04-19T08:38:20.946335+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired
2024-04-19T08:38:20.946413+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.946712+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required
2024-04-19T08:38:20.946747+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13
2024-04-19T08:38:20.950691+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 172.19.11.14: ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG
```
But when accessing the Ubuntu client via ssh, it never prompts to change the password and you can log in.
My sssd config in the Ubuntu client is:
```
[sssd]
config_file_version = 2
services = pam
domains = mydom.org

[pam]
pam_pwd_expiration_warning = 2

[domain/mydom.org]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
chpass_provider = krb5
krb5_server = rhelidmsrv01.mydom.org
krb5_kpasswd = rhelidmsrv01.mydom.org
krb5_realm = mydom.org
krb5_ccname_template = KEYRING:persistent:%U
krb5_validate = true
cache_credentials = true
```
What could be the problem?
Best regards,
C. L. Martinez
3 weeks, 6 days
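As an added example (not code from the thread or from FreeIPA), a small Python parser for the krb5kdc AS_REQ lines quoted in the post above. The sample lines are constructed to match the post's format (same placeholder host, principal and IP; shorter etype list; the archive's "(a)" mangling of "@" kept and undone before matching). Per principal it records whether the KDC reported the password as expired and then issued the kadmin/changepw ticket, which is the KDC's part of the change flow, and it also lists the deprecated enctypes a client still offers.

```python
import re
from collections import defaultdict

# Shape of the krb5kdc AS_REQ lines quoted in the post; the list archive
# rewrites "@" as "(a)", which parse_as_req undoes before matching.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]: AS_REQ "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")
DEPRECATED_RE = re.compile(r"DEPRECATED:([\w-]+)\(\d+\)")

def parse_as_req(line):
    """Parse one AS_REQ line into a dict; any other KDC line gives None."""
    m = AS_REQ_RE.match(line.replace("(a)", "@").strip())
    if m is None:
        return None
    rec = m.groupdict()
    # "client for server" follows the status, or the authtime/etypes of an ISSUE line
    p = PRINC_RE.search(rec.pop("rest"))
    rec["client"], rec["server"] = (p["client"], p["server"]) if p else ("", "")
    rec["deprecated_etypes"] = DEPRECATED_RE.findall(rec["etypes"])
    return rec

def password_change_flow(lines):
    """Per client principal: did the KDC report the password as expired, and did it
    then issue the kadmin/changepw ticket the client fetches to change it? Both True
    means the KDC finished its part, so a missing prompt is a client-side (PAM) issue."""
    flow = defaultdict(lambda: {"expired": False, "changepw_issued": False, "ips": set()})
    for rec in filter(None, map(parse_as_req, lines)):
        entry = flow[rec["client"]]
        entry["ips"].add(rec["ip"])
        if rec["status"] == "REQUIRED PWCHANGE":
            entry["expired"] = True
        elif rec["status"] == "ISSUE" and rec["server"].startswith("kadmin/changepw@"):
            entry["changepw_issued"] = True
    return dict(flow)

def offered_deprecated_etypes(lines):
    """Deprecated enctypes clients still offer in AS_REQs, keyed by client IP."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_as_req, lines)):
        seen[rec["ip"]].update(rec["deprecated_etypes"])
    return {ip: sorted(v) for ip, v in seen.items() if v}

# Constructed sample in the post's format (shorter etype list, "(a)" mangling kept).
ETYPES = "4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}"
PREFIX = f"2024-04-19T08:38:20+00:00 rhelidmsrv01 krb5kdc[21392]: AS_REQ ({ETYPES}) 172.19.11.14: "
SAMPLE_LOG = [
    PREFIX + "REQUIRED PWCHANGE: user1(a)MYDOM.ORG for krbtgt/MYDOM.ORG(a)MYDOM.ORG, Password has expired",
    "2024-04-19T08:38:20+00:00 rhelidmsrv01 krb5kdc[21392]: closing down fd 13",
    PREFIX + "NEEDED_PREAUTH: user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG, Additional pre-authentication required",
    PREFIX + "ISSUE: authtime 1713515900, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user1(a)MYDOM.ORG for kadmin/changepw(a)MYDOM.ORG",
]
```

Run over the post's log, `password_change_flow` reports both flags True for user1, which matches the reply's diagnosis that the KDC did its part and the prompt is lost in the client's PAM 'account' stage.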
windows client auth not working
by Anton Menshutin
Hello, list.
I have installed FreeIPA server 4.10.2-8 under RockyLinux and would like to set up Windows clients to join the FreeIPA domain.
I followed the guide https://www.freeipa.org/page/Windows_authentication_against_FreeIPA.
When I enter the user credentials for the first time, Windows asks to change the password; after the password is changed it does not log in.
After that, every attempt results in the "wrong user or password" message.
Looking at the Kerberos log it seems that the password is correct, but Windows does not let the user in for some reason. In the audit log it says that the login was refused with some error that does not explain anything.
Time is in sync, as well as the timezone.
There are a lot of posts saying that this should work, but I don't have any clues where to look. Any ideas what might be wrong?
1 month