As part of my debugging efforts (see "Expired certificates" thread), I modified the settings for the dogtag-ipa-renew-agent and dogtag-ipa-ca-renew-agent CAs. Unfortunately, I forgot to make a note of the original settings.
Are these correct for IPA 4.4 (on CentOS 7)?
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-ca-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
On 06/21/2017 07:41 AM, Ian Pilcher via FreeIPA-users wrote:
Hi,
your CA helpers are properly configured, except for the last one, which should look like the following:
CA 'dogtag-ipa-ca-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
HTH, Flo
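A small check to go with the answer above (added example, not code from the thread or from certmonger): it parses the text that `getcert list-cas` prints and compares each CA's helper-location with the IPA 4.4 layout Flo describes, flagging any CA whose helper chain differs. The sample output is constructed from the thread, with the last CA still carrying the extra ipa-server-guard.

```python
"""Parse `getcert list-cas` output and verify the helper-location of each
certmonger CA against the expected IPA 4.4 layout. SAMPLE is constructed
from the output quoted in the thread; the last CA is still misconfigured."""
import re

SAMPLE = """\
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'dogtag-ipa-ca-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
"""

# Expected helper chain per CA on IPA 4.4, taken from Flo's reply: only the
# CA-side renew agent runs without ipa-server-guard in front of it.
GUARD = "/usr/libexec/certmonger/ipa-server-guard"
EXPECTED = {
    "IPA": [GUARD, "/usr/libexec/certmonger/ipa-submit"],
    "dogtag-ipa-renew-agent": [GUARD, "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"],
    "dogtag-ipa-ca-renew-agent": ["/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"],
}

def parse_list_cas(text):
    """Return {ca_name: {field: value}} from `getcert list-cas` text."""
    cas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^CA '(.+)':\s*$", line)
        if m:                                  # start of a new CA stanza
            current = cas.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")   # split on first ':'
            current[key.strip()] = value.strip()
    return cas

def check_helpers(text, expected=EXPECTED):
    """Return (ca, actual_helpers, expected_helpers) for every mismatch."""
    cas = parse_list_cas(text)
    problems = []
    for name, wanted in expected.items():
        actual = cas.get(name, {}).get("helper-location", "").split()
        if actual != wanted:
            problems.append((name, actual, wanted))
    return problems

if __name__ == "__main__":
    for name, actual, wanted in check_helpers(SAMPLE):
        print(f"{name}: has {actual}, expected {wanted}")
```

Run it against real output with `getcert list-cas | python3 check_cas.py`-style piping by replacing SAMPLE with `sys.stdin.read()`; a CA that is missing entirely is reported as a mismatch too.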
On 06/21/2017 01:39 AM, Florence Blanc-Renaud wrote:
In other words, dogtag-ipa-ca-renew-agent shouldn't use ipa-server-guard, right?
Thanks for the help (and for the incredibly useful troubleshooting blog post)!
On 06/21/2017 04:13 PM, Ian Pilcher via FreeIPA-users wrote:
Yes, that's right. Flo.
Hi guys,
We have a setup where the FreeIPA server also hosts the user's homedirs. These are shared via NFSv4 and are automounted when a user logs in.
[root@adm-001 ~]# cat /etc/exports
/data/home 172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)

[root@adm-001 ~]# ipa automountkey-show
Location: default
Map: auto.home
Key: *
  Key: *
  Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
While normal ssh logins work (you ssh to the client and put in your password), passwordless ssh does not work. It's obvious that passwordless logins do not activate the kerberos ticket function, but that results in the users being unable to read their own files in their homedirs.
For now we ask users to not do passwordless login, but could we make the latter work?
TIA,
/tony
If you are using gss-api and using putty to log in. Did you do the thing mentioned in 5.3.4.5 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm... also see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
Rob
2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi Rob,
Not sure what the redhat docs describe, we're not using AD with this system.
It seems somehow that GSSAPI does not forward the kerberos ticket obtained on the client machine correctly; when I connect to the machine I want to work on, it just says that the ticket has expired.
I'm still trying a few things, I'll post to the list when I've got something new.
/tony
On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
Do you have something like this in ~/.ssh/config?

Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
On 26.06.2017 at 07:58, Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
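The two options David asks about only help when the Host block that carries them is the first one to match the destination, because ssh keeps the first value it obtains for each option. The following is an added example (not from the thread or from OpenSSH) that reads a client-side ssh config with the same first-match rule, so you can check which hosts will actually receive delegated credentials; the config text and the example.com host names are constructed placeholders.

```python
"""Resolve GSSAPIAuthentication / GSSAPIDelegateCredentials for a host from
ssh_config text, using ssh's first-obtained-value-wins semantics. The
SAMPLE_CONFIG below is constructed for this example."""
import fnmatch

SAMPLE_CONFIG = """\
# delegate only to the hosts that mount the kerberized home directories
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.
    Options that appear before any Host line apply to every host."""
    current = (["*"], {})
    blocks = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1][key] = value
    return blocks

def effective_option(blocks, host, option, default="no"):
    """First matching block that sets the option wins, as in ssh(1).
    A block is skipped if any of its negated (!) patterns matches."""
    option = option.lower()
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
            continue
        if any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!")):
            if option in opts:
                return opts[option]
    return default            # OpenSSH defaults both GSSAPI options to "no"

def will_delegate(text, host):
    """True only if both GSSAPI options resolve to 'yes' for this host."""
    blocks = parse_ssh_config(text)
    return all(effective_option(blocks, host, o) == "yes"
               for o in ("GSSAPIAuthentication", "GSSAPIDelegateCredentials"))

if __name__ == "__main__":
    for h in ("nfs1.example.com", "other.org"):
        print(h, "delegates" if will_delegate(SAMPLE_CONFIG, h) else "does not delegate")
```

Delegation hands the user's TGT to the remote host, so keep the delegating Host pattern as narrow as the set of hosts that genuinely need to reach the NFS server on the user's behalf.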
For the relevant hosts, yes exactly like that.
/tony
On 06/26/2017 11:22 AM, David Kreitschmann via FreeIPA-users wrote:
Hi,
The redhat docs talk about the allow_delegation setting for ad-clients. Setting this boolean on the server principal would allow the server to forward your gssapi credentials to the nfs server on your behalf, thus authenticating you to the nfs4 server and allowing you to mount the kerberized export. However, you said you did not use ad-ldap, so I guess this does not apply to you.
Rob
2017-06-26 7:58 GMT+02:00 Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
If you are using gss-api and using putty to log in. Did you do the thing mentioned in 5.3.4.5 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-managing.html#kerberos-flags-services-hosts
also see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-for-entries.html#kerberos-flags-services-hosts