Smartcard not working on Ubuntu 16.04
by Steve Weeks
We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client
version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client
4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
The smartcard is readable using pkcs11-tools and pkcs15-tools on both
systems.
On both systems sssd.conf contains:
[pam]
pam_cert_auth = True
I've turned the sssd logging up to 9 on both systems and it looks like
p11_child is never called on the Ubuntu system. On the Ubuntu system
p11_child.log is empty and there is no sign of it being started in the
sssd_pam.log.
Any suggestions on what I should look at next?
Thanks,
Steve
6 years, 6 months
external user in sudo rule
by Behnam Loghmani
Hi
I have an ipa server version 4.5 with one ipa replica and one ipa client,
all on CentOS 7.
I need to manage everything about sudoers on the ipa server, so I decided to use
externaluser in sudo rules, such as below:
# ipa sudorule-show behnam
Rule name: behnam
Enabled: TRUE
Host category: all
Command category: all
RunAs User category: all
RunAs Group category: all
External User: behnam
Sudo Option: !authenticate
but when I check sudo on the client system, it returns that behnam may not run
sudo.
[behnam@***** ~]$ sudo -l
[sudo] password for behnam:
Sorry, user behnam may not run sudo on *****
6 years, 6 months
"Clock skew too great" when mounting NFS with krb
by Troels Hansen
Hi
We have set up IPA with AD trust on RHEL and this works fine.
Running IPA 4.5
However, sometimes we are unable to mount home (with autofs).
I have found that the KDC claims "Clock skew too great"; however, I cannot see any problems.
kinit works fine and I have a kerberos TGT:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: USER@REALM
Valid starting       Expires              Service principal
09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
	renew until 09/07/2017 09:39:54
To test. Manually mounting fails:
mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user /mnt/
mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user
krb5kdc.log in IPA shows:
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
However, the time between ipa, client and nfs server is within 1 second (and same timezone).
I'm unsure on how to debug further as everything seems fine so any help would be appreciated.
6 years, 6 months
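The KDC lines quoted above carry everything needed to correlate a failing NFS mount with the TGS request behind it: the client address, the client principal (here the host principal, which is what rpc.gssd uses for a machine-credential mount), the requested service and the KDC's status string. The following is an added example, not code from the post or from MIT Kerberos, that parses those lines and tallies failures; the log text is a constructed sample in the quoted format (the ISSUE line is made up to show a successful request), and the 300 s default clock skew is MIT's, used here as an assumed threshold.

```python
import re
from collections import Counter

# Added example, not code from the post or from MIT Kerberos. Parses TGS_REQ
# lines from krb5kdc.log so repeated failures can be grouped by client address,
# client principal, requested service and the KDC's status string.
# Constructed sample in the format quoted in the thread; the ISSUE line is made up.
SAMPLE_KDC_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:44:10 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.196: ISSUE: authtime 1504683600, etypes {rep=18 tkt=18 ses=18}, host/other.domain@REALM for nfs/profil01.domain@REALM
"""

TGS_RE = re.compile(r"""
    ^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<kdc>\S+)\s+
    krb5kdc\[(?P<pid>\d+)\]\(info\):\s+
    TGS_REQ\s+\((?P<n_etypes>\d+)\s+etypes\s+\{(?P<etypes>[^}]*)\}\)\s+
    (?P<client_ip>\S+):\s+
    (?P<stage>ISSUE|PROCESS_TGS):\s+authtime\s+(?P<authtime>\d+),\s+
    (?:etypes\s+\{[^}]*\},\s+)?        # negotiated etypes appear only on ISSUE lines
    (?P<client>\S+)\s+for\s+(?P<service>[^,\s]+)
    (?:,\s+(?P<status>.+?))?\s*$
""", re.VERBOSE)


def parse_tgs_line(line):
    """Return a dict for a TGS_REQ log line, or None for any other line."""
    m = TGS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]   # etypes offered by the client
    rec["authtime"] = int(rec["authtime"])                    # 0 on the failed requests above
    rec["ok"] = rec["stage"] == "ISSUE"
    return rec


def summarize_tgs_failures(log_text):
    """Count failed TGS requests, keyed by (client_ip, client, service, status)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tgs_line(line)
        if rec and not rec["ok"]:
            counts[(rec["client_ip"], rec["client"], rec["service"], rec["status"])] += 1
    return counts


def within_skew(client_epoch, kdc_epoch, max_skew=300):
    """True if two clocks differ by at most max_skew seconds (300 s is MIT's default clockskew)."""
    return abs(int(client_epoch) - int(kdc_epoch)) <= max_skew


if __name__ == "__main__":
    for (ip, client, service, status), n in summarize_tgs_failures(SAMPLE_KDC_LOG).items():
        print(f"{n}x {status}: {client} -> {service} from {ip}")
```

Feeding the real krb5kdc.log through summarize_tgs_failures shows whether the skew errors are confined to one client principal and one service, which is the pattern the quoted lines show (two requests from 10.101.11.195 by host/oas08d.domain for nfs/profil01.domain), and within_skew is the check to run against timestamps taken on the client, the NFS server and the KDC at the moment of the failure rather than at a quiet moment later.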
dirsrv locks up when importing zone files with ldapadd
by Andy Stubbs
Hi
We'd like to test FreeIPA in our environment, but I'm having a little bit
of trouble importing DNS zone files.
Running on a fresh install of CentOS 7.4.1708 with
FreeIPA 4.5.0-21.el7.centos.1.2
I install a vanilla IPA server from scratch with (something along these
lines):
ipa-server-install --mkhomedir --setup-dns --setup-adtrust
--netbios-name=REALM --enable-compat --no-forwarders --realm=REALM.BLAHBLAH
--domain=realm.blahblah --hostname=ds1.realm.blahblah
--ip-address=10.<something> --reverse-zone=10.in-addr.arpa.
--allow-zone-overlap --no-host-dns
I have prepared an LDIF file for importing our reverse zone (around about
140k entries, thanks to lots of $GENERATE$ in our existing zone files).
I then import the LDIF into 389ds with:
ldapadd -c -d -1 -Y GSSAPI < reverse.ldif
This starts off generally well, but always ends up hanging, with slapd
locking up too.
To cut a long story short, every few minutes there are some entries in the
dirsrv access log which appear to be associated with processes related to
the CA role and the AD trust role, and it's when these accesses happen that
the whole thing locks up so that nothing works at all. Then dirsrv needs to
be killed (-KILL) and restarted.
No load, no massive CPU utilisation, the thing looks to be locked up in
some kind of futex deadlock. The tunables I've found don't appear to offer
any help for this.
I have tried this a number of times now slicing and dicing a number of
different ways: using sudo, using root, using the Directory Manager, using
the admin GSSAPI credentials, 1000k entries at a time with pauses, yadda
yadda. Generally this all fails eventually.
On the other hand, it appears to work OK if I use the ipa dnsrecord-add
command, but on a geological timescale.
So, is this expected behaviour? I haven't seen anybody else on the list
asking about this kind of thing - so am I doing something wrong maybe? Are
there tunables I can - er - tune, at least for a bulk import phase? Or is
it maybe a bug? Certainly it makes me nervous to think there might be a
race condition in an insert operation which can result in deadlock for the
whole directory.
Thanks in advance for consideration
Cheers
Andy
--
<https://www.treatwell.com/>
Andrew Stubbs, PhD
Head of Technical Operations
+44 203 770 4582
treatwell.co.uk
6 years, 6 months
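A bulk LDIF import of $GENERATE-derived PTR records is easier to retry in batches, and to keep free of directory-breaking names, when the LDIF is produced by a script rather than by hand. The following is an added example and not FreeIPA's or the poster's code: it expands the plain `$` form of BIND's $GENERATE directive into idnsRecord entries under the zone entry in cn=dns, in the layout bind-dyndb-ldap uses, and splits the result into chunks of a chosen size. The suffix dc=realm,dc=blahblah and the zone 1.168.192.in-addr.arpa. are placeholders; the `${offset,width,base}` modifier form is deliberately rejected.

```python
import base64
import re

# Added example, not code from the post or from FreeIPA. Expands BIND $GENERATE
# directives into LDIF entries for PTR records in the layout bind-dyndb-ldap uses:
#   idnsName=<owner>,idnsName=<zone>,cn=dns,<suffix>   objectClass idnsRecord, pTRRecord
# BASE_DN and ZONE are assumed placeholder values.
BASE_DN = "dc=realm,dc=blahblah"
ZONE = "1.168.192.in-addr.arpa."

# $GENERATE range lhs [ttl] [class] type rhs ; only plain '$' substitution is handled
GENERATE_RE = re.compile(
    r"^\$GENERATE\s+(?P<start>\d+)-(?P<stop>\d+)(?:/(?P<step>\d+))?\s+"
    r"(?P<lhs>\S+)\s+(?:\S+\s+)*?(?P<type>PTR)\s+(?P<rhs>\S+)\s*$"
)
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def expand_generate(directive):
    """Yield (owner, target) pairs for one $GENERATE PTR line."""
    m = GENERATE_RE.match(directive)
    if not m:
        raise ValueError(f"not a supported $GENERATE PTR line: {directive!r}")
    if "${" in m["lhs"] or "${" in m["rhs"]:
        raise ValueError("${offset,width,base} modifiers are not supported here")
    step = int(m["step"] or 1)
    for i in range(int(m["start"]), int(m["stop"]) + 1, step):
        yield m["lhs"].replace("$", str(i)), m["rhs"].replace("$", str(i))


def dn_escape(value):
    """Escape an RDN value per RFC 4514 so a crafted owner name cannot add RDNs."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """One attribute line; values RFC 2849 treats as unsafe are base64-encoded."""
    unsafe = (not value or value[0] in " :<" or value[-1] == " "
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def ptr_entry(owner, target, zone=ZONE, base_dn=BASE_DN):
    """LDIF text for one PTR record entry below the zone entry."""
    lines = [
        f"dn: idnsName={dn_escape(owner)},idnsName={dn_escape(zone)},cn=dns,{base_dn}",
        "objectClass: top",
        "objectClass: idnsRecord",
        ldif_attr("idnsName", owner),
        ldif_attr("pTRRecord", target),
    ]
    return "\n".join(lines) + "\n"


def reverse_zone_ldif(directives, chunk_size=1000, **kw):
    """Return LDIF documents of at most chunk_size entries each, for batched ldapadd runs."""
    chunks, current = [], []
    for directive in directives:
        for owner, target in expand_generate(directive):
            current.append(ptr_entry(owner, target, **kw))
            if len(current) == chunk_size:
                chunks.append("\n".join(current))
                current = []
    if current:
        chunks.append("\n".join(current))
    return chunks


if __name__ == "__main__":
    for n, chunk in enumerate(reverse_zone_ldif(["$GENERATE 1-254 $ PTR host-$.realm.blahblah."], 100)):
        with open(f"reverse-{n:03d}.ldif", "w") as fh:
            fh.write(chunk)
```

Each chunk file can then be fed to a separate `ldapadd -c` run with a pause between them, which is the batching the post describes doing by hand; the escaping in dn_escape and ldif_attr is what keeps an unusual label in a zone file from turning into an extra RDN or a malformed LDIF record.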
Duplicate Certificate on master.
by Bhavin Vaidya
Hello,
On our master FreeIPA I see multiple (duplicate) entries for certificates with different NSS databases.
Some are from /var/lib/pki/pki-tomcat/alias instead of /etc/pki/pki-tomcat/alias. As I inherited the setup and was new to FreeIPA, I now don't know which are right.
A set of entries is highlighted below.
As per the IDs, /var/lib/pki/pki-tomcat was the original and the others came up after we had some issue with certificates after the upgrade to FreeIPA 4.4.
1. How can I find out which are right? Per the FreeIPA doc, it should be /etc/pki/pki-tomcat/alias.
2. How can I remove the duplicated, unwanted certificate? Will the following work?
ipa-getcert stop-tracking -i "Request ID"
Thank you,
Bhavin
Number of certificates and requests being tracked: 11.
Request ID '20150203054229':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2018-06-15 23:16:43 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150203054325':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:15:10 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150203054400':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:16:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022825':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2018-06-15 23:16:43 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022826':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:15:10 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022827':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:16:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022828':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-06-01 12:55:08 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022829':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170726022830':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ds01.example.com,O=EXAMPLE.COM
expires: 2018-12-16 21:02:44 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022831':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ds01.example.com,O=EXAMPLE.COM
expires: 2019-01-07 21:02:49 UTC
principal name: ldap/ds01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20170726022832':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ds01.example.com,O=EXAMPLE.COM
expires: 2019-01-07 21:04:38 UTC
principal name: HTTP/ds01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
6 years, 6 months
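With eleven tracking requests it is easy to misread which entries are genuinely the same certificate tracked twice and which merely share a nickname: the httpd and dirsrv 'Server-Cert' entries above are two different certificates, while the three pki-tomcat signing certificates really are tracked from both /var/lib/pki/pki-tomcat/alias and /etc/pki/pki-tomcat/alias with identical subject and expiry. The following is an added example, not the poster's or certmonger's code: it parses `getcert list` output, groups requests by nickname, subject and expiry, and lists the request IDs whose database is not the expected one. The sample text is a constructed, trimmed excerpt in the shape of the output quoted above, and the expected location is a parameter rather than a claim about this server.

```python
import re
from datetime import datetime, timezone

# Added example; not code from the post or from certmonger/FreeIPA. Parses the text
# format of `getcert list` and finds the same certificate (same nickname, subject and
# expiry) tracked from more than one NSS database.
# Constructed, trimmed sample in the shape of the output quoted in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 5.
Request ID '20150203054229':
  status: MONITORING
  key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  CA: dogtag-ipa-renew-agent
  subject: CN=CA Audit,O=EXAMPLE.COM
  expires: 2018-06-15 23:16:43 UTC
Request ID '20170726022825':
  status: MONITORING
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  CA: dogtag-ipa-ca-renew-agent
  subject: CN=CA Audit,O=EXAMPLE.COM
  expires: 2018-06-15 23:16:43 UTC
Request ID '20170726022828':
  status: MONITORING
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  CA: dogtag-ipa-ca-renew-agent
  subject: CN=Certificate Authority,O=EXAMPLE.COM
  expires: 2037-06-01 12:55:08 UTC
Request ID '20170726022831':
  status: MONITORING
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
  CA: IPA
  subject: CN=ds01.example.com,O=EXAMPLE.COM
  expires: 2019-01-07 21:02:49 UTC
Request ID '20170726022832':
  status: MONITORING
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  CA: IPA
  subject: CN=ds01.example.com,O=EXAMPLE.COM
  expires: 2019-01-07 21:04:38 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
KV_RE = re.compile(r"(\w+)='([^']*)'")   # quoted fields inside the storage line


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracking request."""
    records, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw.strip())
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in raw:
            continue
        key, _, value = raw.strip().partition(":")   # split on the first colon only
        current[key] = value.strip()
    for rec in records:
        storage = dict(KV_RE.findall(rec.get("key pair storage", "")))
        rec["location"] = storage.get("location")
        rec["nickname"] = storage.get("nickname")
        rec["expires_at"] = (datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S UTC")
                             .replace(tzinfo=timezone.utc)) if "expires" in rec else None
    return records


def duplicate_tracking(records):
    """Requests that track the same certificate (same nickname, subject, expiry)
    from different NSS databases. Nickname alone is not enough: the httpd and
    dirsrv 'Server-Cert' entries are distinct certificates."""
    groups = {}
    for rec in records:
        key = (rec["nickname"], rec.get("subject"), rec.get("expires"))
        groups.setdefault(key, []).append(rec)
    return {k: v for k, v in groups.items() if len({r["location"] for r in v}) > 1}


def stray_requests(records, expected_location):
    """IDs of duplicated requests whose database is not the expected one, but only
    where a request in the expected database exists for the same certificate."""
    stray = []
    for recs in duplicate_tracking(records).values():
        if any(r["location"] == expected_location for r in recs):
            stray += [r["request_id"] for r in recs if r["location"] != expected_location]
    return sorted(stray)


if __name__ == "__main__":
    recs = parse_getcert_list(SAMPLE_GETCERT)
    for (nick, subject, exp), group in duplicate_tracking(recs).items():
        print(f"{nick!r} ({subject}, expires {exp}) tracked from:")
        for r in group:
            print(f"  {r['request_id']}  {r['location']}  CA={r.get('CA')}")
    for rid in stray_requests(recs, "/etc/pki/pki-tomcat/alias"):
        print(f"review: getcert stop-tracking -i {rid}")
```

The script only reports; `getcert stop-tracking -i <ID>` removes certmonger's tracking entry and does not touch the certificate or key in the NSS database, so confirm which database the running pki-tomcatd instance actually loads before stopping tracking on the other one, and keep in mind that the two sets above also differ in the CA helper (dogtag-ipa-renew-agent versus dogtag-ipa-ca-renew-agent) and in the helper path (/usr/lib64/ipa versus /usr/libexec/ipa), which is what an upgrade that re-registered the tracking would leave behind.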
Apache Group Based Authorization for AD users
by Ronald Wimmer
Hi,
I was reading
https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed
to implement that for AD users. The problem is that Kerberos
authenticates myuser0815@mywindows.domain.at but there is no
corresponding entry on the AD domain controller. The available user
attributes in the LDAP directory look like 'myuser0815' (samaccountname)
or 'myuser0815@someupnsuffix.domain.at' (userprincipalname).
GssapiLocalName or KrbLocalUserMapping would only map to locally
existing users, right? I tried them both and still saw
'myuser0815@mywindows.domain.at' leading to:
[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160]
mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap
authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160]
mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap
authorise: User DN not found, User not found
Any ideas what I could try next?
Regards,
Ronald
6 years, 6 months
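The lookup that fails in the log above is the one that must turn the Kerberos principal mod_auth_gssapi delivers (name@KRB.REALM) into something the directory can match: sAMAccountName, or userPrincipalName with one of the UPN suffixes the forest actually uses, which need not equal the Kerberos realm. The following is an added example, neither the Apache modules' code nor anything from the freeipa.org page, showing that mapping as an RFC 4515 filter with the principal's user-controlled parts escaped so that a crafted principal cannot widen the search. The realm-to-suffix table is an assumed example mapping.

```python
import re

# Added example, not code from the post, Apache or FreeIPA. Maps a Kerberos
# principal (name@REALM) to an AD LDAP filter over sAMAccountName and
# userPrincipalName, escaping user-supplied parts per RFC 4515.
# Assumed example table: Kerberos realm -> UPN suffixes used in that forest.
REALM_TO_UPN_SUFFIXES = {
    "MYWINDOWS.DOMAIN.AT": ["mywindows.domain.at", "someupnsuffix.domain.at"],
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# name component may contain '\@'; split on the last unescaped '@'
_PRINCIPAL_RE = re.compile(r"^(?P<name>(?:\\.|[^\\@])+)@(?P<realm>[^@]+)$")


def ldap_filter_escape(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def split_principal(principal):
    """Return (name, realm) for a single-component principal such as user@REALM."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a user principal: {principal!r}")
    return m["name"], m["realm"]


def ad_user_filter(principal, realm_map=REALM_TO_UPN_SUFFIXES):
    """Filter matching the AD account behind an authenticated Kerberos principal.

    Realms absent from realm_map are rejected rather than searched, so a ticket
    from an unexpected realm cannot be resolved to an account by name alone."""
    name, realm = split_principal(principal)
    suffixes = realm_map.get(realm.upper())
    if suffixes is None:
        raise ValueError(f"realm {realm!r} is not a mapped AD realm")
    name_esc = ldap_filter_escape(name)
    clauses = [f"(sAMAccountName={name_esc})"]
    clauses += [f"(userPrincipalName={name_esc}@{ldap_filter_escape(s)})" for s in suffixes]
    return f"(&(objectClass=user)(|{''.join(clauses)}))"


if __name__ == "__main__":
    print(ad_user_filter("myuser0815@MYWINDOWS.DOMAIN.AT"))
    print(ad_user_filter("x*)(objectClass=*@MYWINDOWS.DOMAIN.AT"))   # escaped, not injected
```

The same filter can be expressed statically in a mod_authnz_ldap AuthLDAPURL only when the realm and the UPN suffix coincide; when they differ, as in the post, the lookup has to be built from the principal's name part plus the known suffixes, which is what ad_user_filter does.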
AD trust setup woes
by Jason Beck
I have been trying to reliably get an AD trust setup for a few weeks and no
matter what I try, when I go to add AD users to an external group in
FreeIPA, I get:
"trusted domain object not found"
Googling around tends to always yield the same suggestions:
1) Check time sync
2) Check DNS
3) Check firewall
I have done all of this ad nauseam in several different environments with
several different versions of FreeIPA and Windows servers. I have gotten a
setup to work maybe 2% of the time out of hundreds of attempts.
I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo). I
am trying to establish trust with a mixed Windows 2012 & 2008 forest. I
have tried both one and two way trusts. Everything seems to work fine up
until I try to add AD users to FreeIPA.
I have verified all of the requisite DNS records exist and return the
proper information on both sides, there are no firewalls between any of the
hosts, and the AD servers and FreeIPA servers are synchronized by the same
NTP servers.
What could I possibly be missing?
6 years, 6 months
Dynamic DNS for DHCP clients using FreeIPA
by David Yaffe
Hi,
I'm trying to get ISC dhcp clients to register dynamically against FreeIPA's DNS server. I had this working before; now, after a system crash and reinstall, all I get are timeout errors when a device is assigned an IP. The DHCP server configuration has not changed, and I generated a new DDNS update key.
I am using Fedora 26 with FreeIPA 4.6 from the copr repository.
I have looked through the logs, and I can see in the named.run logs:
13-Sep-2017 21:32:52.612 client @0x7f88d877d6f0 192.168.1.107#61470: UDP request
13-Sep-2017 21:32:52.612 client @0x7f88d877d6f0 192.168.1.107#61470: using view '_default'
13-Sep-2017 21:32:52.612 client @0x7f88d877d6f0 192.168.1.107#61470: request is not signed
13-Sep-2017 21:32:52.612 client @0x7f88d877d6f0 192.168.1.107#61470: recursion available
13-Sep-2017 21:32:52.612 client @0x7f88d877d6f0 192.168.1.107#61470: query
and in the dhcpd logs:
Sep 13 21:32:47 gizmo.evilduckie.com dhcpd[5823]: DHCPREQUEST for 192.168.1.107 from 18:65:90:01:24:eb (Replicant) via enp5s0
Sep 13 21:32:47 gizmo.evilduckie.com dhcpd[5823]: DHCPACK on 192.168.1.107 to 18:65:90:01:24:eb (Replicant) via enp5s0
Sep 13 21:32:59 gizmo.evilduckie.com dhcpd[5823]: Unable to add forward map from Replicant.evilduckie.com to 192.168.1.107: timed out
Everything else seems to be working correctly with DNS.
How do I fix this?
6 years, 6 months
Re: Restriction for SSH Key per host
by Jakub Hrozek
On Tue, Sep 26, 2017 at 09:54:40AM +0000, Alessandro Perucchi via FreeIPA-users wrote:
> Hello,
>
> We are using Freeipa to our satisfaction.
>
> We are trying to create a bastion/jumphost/... and in order to do it, we want to protect the bastion so that nobody can access it directly (except of course some admin people).
> And at the same time, we want that the users access some hosts through the bastion via ssh proxy.
>
> Manually it works as expected. Let say that I have a user `testuser`, this user has a ssh key like this one `ssh-ed25519 AAAAC3N testuser@example.com`.
>
> So on the bastion, I will create the following entry in the authorized_keys for the testuser:
>
> no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser@example.com
>
> And in the other hosts, I will use the ssh key:
>
> ssh-ed25519 AAAAC3N testuser@example.com
>
> How can I give some SSH key restrictions per host? From what I've seen in freeipa, you can either give the restriction in the ssh key for the user, as the first entry or the second, and it will apply to every server without any possibility of customization.
>
> An extension to that would be, If I am connecting from our internal network (192.168.0.0/24), then you could connect to the bastion directly, but if you are outside the internal network, then you cannot... and in that case, the ssh entries in authorized_keys would be something like that:
>
> from="192.168.0.0/24" ssh-ed25519 AAAAC3N testuser@example.com
> from="!192.168.0.0/24",no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser@example.com
>
> Is there a way to do that in freeipa? Because I would like to avoid as much as possible to handle the ssh keys “manually” outside from freeipa...
>
> Thank you very much in advance for your help.
>
> Regards,
> Alessandro
Did you consider creating an ID override for this host and only use the
key in this override?
6 years, 6 months