On Fri, Jul 21, 2017 at 05:12:20PM +0200, Jacquelin Charbonnel wrote:
> Hi everybody,
> At now, I enroll diskless Fedora26 workstations (with stateless Linux) into
> my IPA domain.
> Inside the readonly root image, /etc/sysconfig/selinux points :
> and /etc/sssd/sssd.conf points :
> selinux_provider = none
> So, authentication of a domain account seems well working, but nevertheless
> at each time, journalctl says :
> juil. 21 16:11:32 pc-f26.math systemd-coredump:
> Process 22017 (selinux_child) of user 0 dumped core.
> Stack trace of thread 22017:
> #0 0x00007f60bac8dd24 semanage_seuser_key_free (libsemanage.so.1)
> #1 0x00005639b0b5326d set_seuser (selinux_child)
> #2 0x00005639b0b52a3f main (selinux_child)
> #3 0x00007f60ba8b94da __libc_start_main (libc.so.6)
> #4 0x00005639b0b52dba _start (selinux_child)
Can you file a bug against sssd and add the core there? This shouldn't
(Also, adding logs would be nice to find out why is selinux child being
called despite selinux_provider=none)
> Hope this helps...
> Le 14/10/2016 à 10:02, Jakub Hrozek a écrit :
> > On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote:
> > > On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> > > > Thank you for this information. Yes, /tmp is writable.
> > > >
> > > > My problem is : access are sometimes definitively refused for random user
> > > > who wants to log in diskless workstations.
> > > > But if this banned user tries to connect to the single machine which mounts
> > > > the fs in rw mode, it's work, and this solve immediately its problem on all
> > > > the other stateless machines !? Strange...
> > >
> > > Maybe it is the selinux_provider, iirc at least in older version it used
> > > to write some data somewhere below /etc/selinux/. You can easily test
> > > this by setting 'selinux_provider = none' in the domain section in
> > > ssd.conf.
> > Aah, that's probably it. We no longer write to the directory directly,
> > but we call libsemanage functions that do.
> Jacquelin Charbonnel - (+33)2 4173 5397
> CNRS Mathrice/LAREMA - Campus universitaire d'Angers
Hi all --
I have a couple of offices I am trying to hook up with FreeIPA. We have
point-t-point VPN running between the two. For some reason, whenI try to
add the VPN server as a client to the IPA server on the other side, I am
Failed to update DNS records.
Missing A/AAAA record(s) for host server.example.com: 192.168.2.90.
Incorrect reverse record(s):
during the client install. Obviously, the client, which is the OpenVPN
server, has multiple IPs, but I specify
I would think this would work, but not sure why it is not. Any ideas
where to look?
At now, I enroll diskless Fedora26 workstations (with stateless Linux) into my
Inside the readonly root image, /etc/sysconfig/selinux points :
and /etc/sssd/sssd.conf points :
selinux_provider = none
So, authentication of a domain account seems well working, but nevertheless at
each time, journalctl says :
juil. 21 16:11:32 pc-f26.math systemd-coredump:
Process 22017 (selinux_child) of user 0 dumped core.
Stack trace of thread 22017:
#0 0x00007f60bac8dd24 semanage_seuser_key_free (libsemanage.so.1)
#1 0x00005639b0b5326d set_seuser (selinux_child)
#2 0x00005639b0b52a3f main (selinux_child)
#3 0x00007f60ba8b94da __libc_start_main (libc.so.6)
#4 0x00005639b0b52dba _start (selinux_child)
Hope this helps...
Le 14/10/2016 à 10:02, Jakub Hrozek a écrit :
> On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote:
>> On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
>>> Thank you for this information. Yes, /tmp is writable.
>>> My problem is : access are sometimes definitively refused for random user
>>> who wants to log in diskless workstations.
>>> But if this banned user tries to connect to the single machine which mounts
>>> the fs in rw mode, it's work, and this solve immediately its problem on all
>>> the other stateless machines !? Strange...
>> Maybe it is the selinux_provider, iirc at least in older version it used
>> to write some data somewhere below /etc/selinux/. You can easily test
>> this by setting 'selinux_provider = none' in the domain section in
> Aah, that's probably it. We no longer write to the directory directly,
> but we call libsemanage functions that do.
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers
I need to create a new certificate for my Asus router. The router is not
part of freeipa domain so I need to manually update the certificate when it
getcert request -k /etc/pki/router_private -f /etc/pki/router_cert -D
router.my.lan -N "cn=router.my.lan" -K http/router.my.lan -c IPA
then getcert list shows this:
Request ID '20170722085458':
ca-error: Server at https://ipa.my.lan/ipa/xml denied our request, giving
up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write'
privilege to the 'userCertificate' attribute of entry
key pair storage: type=FILE,location='/etc/pki/router_private'
I then removed the existing HTTP/router.my.lan principal but then I get:
ca-error: Server at https://ipa.win.lan/ipa/xml denied our request, giving
up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add'
privilege to add the entry 'krbprincipalname=http/router.my.lan(a)MY.LAN
Any hints on how I create the certificate?
We've setup a two-way trust with AD and it seems to have worked, but it
doesn't look like it is working correctly.
The kerberos commands (kinit and kvno) work fine, but things like 'id
aduser(a)addomain.example.com' and 'getent passwd aduser(a)addomain.example.com'
# ipa trust-add --type ad addomain.example.com --admin adadmin --password
Active Directory domain administrator's password:
Added Active Directory trust for realm "addomain.example.com"
Realm name: addomain.example.com
Domain NetBIOS name: ADDOMAIN
Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
# kinit aduser(a)addomain.example.com
Password for aduser(a)addomain.example.com:
Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
Default principal: aduser(a)ADDOMAIN.EXAMPLE.COM
Valid starting Expires Service principal
07/20/2017 12:16:41 07/20/2017 22:16:41 krbtgt/
renew until 07/21/2017 12:16:38
# id aduser(a)addomain.example.com
id: ‘aduser(a)addomain.example.xn--com-to0a: no such user
Is this the best way to test the trust?
We are running FreeIPA 4.4 and Windows Server 2012 R2
When setting up the trust we needed to modify /etc/hosts as described in
The FreeIPA team would like to announce FreeIPA 4.5.3 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 25 and 26 will be available in the official COPR repository
== Highlights in 4.5.3 ==
=== Known Issues ===
* When ipa-server-upgrade is executed during dnf system-upgrade, network
should come online and the ipa-server-upgrade should finish
successfully. If ipa-server-upgrade fails during system-upgrade, please
run it manually once network is online.
=== Bug fixes ===
FreeIPA 4.5.3 is a stabilization release for the features delivered as a
part of 4.5.
There are more than 10 bug-fixes details of which can be seen in the
list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on page:
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7039 FreeIPA upgrade script requires network to be up, but network is
not up during upgrade when using dnf system-upgrade
* 7037 Replica installation grants HTTP principal access in WebUI
* 7036 Advice plugins for smart card configuration produce scripts that
configure the feature incompletely
* 7029 Fix inconsistent reporting of server roles/attributes in
* 7026 ipaserver installation fails in FIPS mode: OpenSSL internal
error, assertion failed: Digest MD4 forbidden in FIPS mode!
* 7021 ipa-server-install failure on checking matching interfaces -
invalid format of netmas
* 7007 Use CommonNameToSANDefault in default profile (new installs only)
* 6877 ipasam needs changes for Samba 4.7
* 6838 [ipa-replica-install] - 406 Client Error: Failed to validate
message: Incorrect number of results (0) searching forpublic key for host
* 4317 Allow --ip-address even when not present in local interface
== Detailed changelog since 4.5.2 ==
=== Alexander Bokovoy (2) ===
* ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
* ipa-sam: use own private structure, not ldapsam_privates
=== Fraser Tweedale (1) ===
* Add CommonNameToSANDefault to default cert profile
=== Martin Babinsky (15) ===
* replica install: drop-in IPA specific config to tmpfiles.d
* Do not remove the old masters when setting the attribute fails
* *config-show: Do not show empty roles/attributes
* smart-card-advises: ensure that krb5-pkinit is installed on client
* smart card advise: use password when changing trust flags on HTTP cert
* smart card advises: use a wrapper around Bash `for` loops
* Use the compound statement formatting API for configuring PKINIT
* Fix indentation of statements in Smart card advises
* delegate formatting of compound Bash statements to dedicated classes
* advise: add an infrastructure for formatting Bash compound statements
* delegate the indentation handling in advises to dedicated class
* add a class that tracks the indentation in the generated advises
* Allow to pass in multiple CA cert paths to the smart card advises
* smart-card advises: add steps to store smart card signing CA cert
* smart-card advises: configure systemwide NSS DB also on master
=== Martin Basti (8) ===
* python-netifaces: update to reflect upstream changes
* Remove network and broadcast address warnings
* replica install: add missing check for non-local IP address
* Remove ip_netmask from option parser
* CheckedIPAddress: remove match_local param
* refactor CheckedIPAddress class
* ipa-dns-install: remove check for local ip address
* Fix local IP address validation
=== Sumit Bose (2) ===
* ipa_pwd_extop: do not generate NT hashes in FIPS mode
* ipa-sam: replace encode_nt_key() with E_md4hash()
=== Simo Sorce (2) ===
* Always check peer has keys before connecting
* Make sure we check ccaches in all rpcserver paths
=== Stanislav Laznicka (1) ===
* Ensure network is online prior to an upgrade
=== Tibor Dudlák (1) ===
* topology.py: Removes error message from dictionary.
=== Tomas Krizek (3) ===
* Become IPA 4.5.3
* Update translations
* 4.5 set back to git snapshot
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
I have installed FreeIPA and try to learn about the concepts.
I’ve been looking around, reading documents that I found and searched but did not find any useful hints how to configure FreeIPA to solve my problem I describe below.
Any hints will be greatly appreciated!
I’m looking for a solution of the following:
Given an organizationm let’s call it IT-Company. This organization has a couple of administrators which are repsonsible for maintaining users and hosts of the organization on FreeIPA. But IT-Company also has customers for whom it hosts some machines and some user accounts.
Each of these customers should be able to manage their own users but they should not see users and hosts outside their scope.
I found messages explaining the restrictions that inhibit users managing/changing anything outside their scope but I did not find anything showing how to filter the users/hosts shown to them.
Can this be done with FreeIPA and if so how?
Thank you for any hints,
Rob Brown wrote:
> yeah, I did find the users in AD under:
> CN=Deleted Objects,DC=foo,DC=domain,DC=com
> and, the users actually have the attribute:
> isDeleted = TRUE
> so, looks like they were actually deleted (from AD perspective).
> It seems like the delete sync is two-way (surprising, since create
> isn't), and this is probably expected, and that IPA simply exposes the
> deleted users via the GUI in "Preserved Users", whereas AD doesn't.
> Still, this kinda took me by surprise, lesson learned. Seems I can
> recover deleted accounts, but going to be a PITA.
> Looking thru the docs, I don't see any options to disable deletes. It
> would be nice to have an option similar to how ipaWinSyncAcctDisable
> works, but for deletes, so we could set it to one-way.
> I am wondering if setting the oneWaySync parameter on the
> synchronization agreement to 'fromWindows' would do the trick. Not sure
> I really want that, though, will have to think it thru.
The delete sync isn't two-way since the user wasn't deleted on the IPA
side, just moved.
The IPA team isn't devoting much, if any time, these days on winsync,
instead focusing on AD trust. Given the complexity of trying to find an
equivalent state in AD of kinda-deleted and implementing, test, etc I
doubt this is something that will be addressed.
Probably worth documenting as an undesirable side-effect though.
> On Thu, Jul 20, 2017 at 11:55 AM, Rob Crittenden <rcritten(a)redhat.com
> <mailto:email@example.com>> wrote:
> Rob Brown via FreeIPA-users wrote:
> > Our company recently implemented freeipa to replace a cent5 kerberos
> > infrastructure. We set it up with a Winsync agreement with an AD
> > and is working pretty well.
> > Our user disposition workflow in AD is this: user account is disabled,
> > and moved to a "terminated users" OU in AD. The account disable
> sync was
> > working fine to IPA, but yesterday I decided to "clean up" the Active
> > Users list in IPA, by deleting (with --preserve) all the disabled
> > accounts (there were many). This looked fine from the IPA side: the
> > accounts got moved into the Preserved users area (in the gui).
> > However, much to my dismay I later discovered that all of the termed
> > accounts in AD are gone. WHAT!!!???
> > This is bad (for historical/compliance), and came as a shock to me,
> > because the docs say: "While modifications are bi-directional (going
> > both from Active Directory to IdM and from IdM to Active Directory),
> > creating or adding accounts are only uni-directional, from Active
> > Directory to Identity Management". So WHY ON EARTH would a delete be
> > bi-directional? I'm suspecting (hoping) that the accounts weren't
> > actually deleted, that they are just hidden somewhere in AD that I
> > see. PLEASE, if anyone can point me in the right direction here as to
> > what happened I would appreciate it.
> As someone mentioned in IRC marking a user as preserved moves them from
> the user container to cn=deleted
> So perhaps AD honored the rename.
Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 generates a broken SSSD configuration.
Adding the services manually to sssd.conf fixes this:
services = nss, sudo, pam, ssh
For some reason, ipa-client-install thinks we have socket-activated SSSD services, but we don’t. From the SSSD package, we only get:
There seems to be a mismatch between what gets configured in sssd.conf and what is actually on the system.
I should probably report it as a bug against the Debian package, but I wonder where the assumption for SSSD.conf is made. It is definitely generated by ipa-client-install, but maybe it’s because it sees the socket-activated SSSD components as a requirement?
Our company recently implemented freeipa to replace a cent5 kerberos
infrastructure. We set it up with a Winsync agreement with an AD domain,
and is working pretty well.
Our user disposition workflow in AD is this: user account is disabled, and
moved to a "terminated users" OU in AD. The account disable sync was
working fine to IPA, but yesterday I decided to "clean up" the Active Users
list in IPA, by deleting (with --preserve) all the disabled accounts (there
were many). This looked fine from the IPA side: the accounts got moved into
the Preserved users area (in the gui).
However, much to my dismay I later discovered that all of the termed
accounts in AD are gone. WHAT!!!???
This is bad (for historical/compliance), and came as a shock to me, because
the docs say: "While modifications are bi-directional (going both from
Active Directory to IdM and from IdM to Active Directory), creating or
adding accounts are only uni-directional, from Active Directory to Identity
Management". So WHY ON EARTH would a delete be bi-directional? I'm
suspecting (hoping) that the accounts weren't actually deleted, that they
are just hidden somewhere in AD that I can't see. PLEASE, if anyone can
point me in the right direction here as to what happened I would appreciate