I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
>The internal DNS does not support:
>Conditional forwarders are not implemented yet
I THINK I actually got DNS working, but had to use a solution like here
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as a subdomain of IPA (which I'm currently doing), or IPA as a subdomain of AD?
On both the samba4 and freeipa machines I can currently dig SRV records for both domains, but when I attempt ipa add-trust, I see in the httpd error logs
>[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts
>[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly (I have all firewall/iptables off and selinux off).
I can give more concrete examples, but before I get lost in the weeds I wanted to know the broad consensus: is it even possible, or are there known bad issues with Samba AD?
Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba, it says
>In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which confuses me ... how do I get an AD trust if I'm setting up Samba without AD abilities??
Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
a. If you have an AD (Microsoft), use it
b. If you don't have a Microsoft AD, set up Samba4
>but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc)
I have a master server that had a replica installed. The replica has been
uninstalled. When I try to run "ipa-replica-manage del --force
replica.server" it fails with:
invalid 'PKINIT enabled server': all masters must have IPA master role
How can I delete this replica?
We have IPA set up in an AD trust to support our Linux fleet. I'm running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as 'nobody' or an incorrect numerical ID when listed with 'ls'. RHEL7 clients seem to be working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: key: 0x2c254c26 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: key: 0xf113fd2 type: uid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: key: 0x2125a5d2 type: gid value: rns@localdomain@ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn't map into 'ipa.localdomain' and therefore (presumably) return the error code '-22'?
(My identity resolves OK from the shell, using 'id rns@localdomain', and I can log in and use local filesystems without issue.)
The idmapd.conf looks like this:
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
Nobody-User = nobody
Nobody-Group = nogroup
Method = nsswitch
Any pointers appreciated!
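The post above quotes nss_getpwnam log lines from two clients that receive the same owner string ('rns@localdomain@ipa.localdomain') with the same idmapd Domain, yet only one of them produces a local name. The following is an added example, not code from the poster or from libnfsidmap: it models the nsswitch-method suffix stripping (drop the trailing '@<Domain>' and look the remainder up as a user) and parses the two quoted log lines to show which host mapped and which did not. The strip_domain function's split_at_last=False mode is an assumption used only to illustrate how a split on the first '@' rather than the last one would yield exactly the '(null)' result seen on the Ubuntu client; it is not a verified description of the Ubuntu 16.04 libnfsidmap source.

```python
import re

# Matches the "nss_getpwnam: name ... resulting localname ..." line that
# nfsidmap writes with Verbosity = 4 in idmapd.conf.
NSS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) nfsidmap: nss_getpwnam: "
    r"name '(?P<name>[^']*)' domain '(?P<domain>[^']*)': "
    r"resulting localname '(?P<local>[^']*)'$"
)

# Constructed sample: the two nss_getpwnam lines from the post, one per client.
SAMPLE_LOG = """\
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain@ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
"""


def strip_domain(name, domain, split_at_last=True):
    """Model of nsswitch-method name stripping.

    Returns the local account name if the part of NAME after the '@' separator
    equals DOMAIN (case-insensitive, like the idmapper's strcasecmp), else None.
    split_at_last=True splits on the LAST '@', so an AD-trust principal such as
    'rns@localdomain@ipa.localdomain' keeps its own realm and becomes
    'rns@localdomain'.  split_at_last=False is a hypothetical first-'@' split
    (assumption for illustration only) that would compare 'localdomain@ipa.localdomain'
    against DOMAIN and fail, which is the '(null)' outcome the Ubuntu log shows.
    """
    sep = name.rfind("@") if split_at_last else name.find("@")
    if sep < 0:
        return None
    if name[sep + 1:].lower() != domain.lower():
        return None
    return name[:sep]


def parse_nss_lines(text):
    """Extract host, owner string, idmap domain and local name from nfsidmap log lines."""
    rows = []
    for line in text.splitlines():
        m = NSS_RE.match(line.strip())
        if not m:
            continue  # key/uid bookkeeping lines are not needed here
        local = m.group("local")
        rows.append({
            "host": m.group("host"),
            "name": m.group("name"),
            "domain": m.group("domain"),
            "localname": None if local == "(null)" else local,
        })
    return rows


def diagnose(text):
    """Annotate each parsed line with whether the name mapped and what a
    last-'@' split would have produced, so mismatches between hosts stand out."""
    out = []
    for r in parse_nss_lines(text):
        expected = strip_domain(r["name"], r["domain"])
        r["mapped"] = r["localname"] is not None
        r["expected_localname"] = expected
        # True when the host failed even though a last-'@' split gives a name
        # and a first-'@' split gives none: the failure pattern in the post.
        r["consistent_with_first_at_split"] = (
            not r["mapped"]
            and expected is not None
            and strip_domain(r["name"], r["domain"], split_at_last=False) is None
        )
        out.append(r)
    return out


if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG):
        status = "mapped" if row["mapped"] else "NOT mapped"
        print(f"{row['host']}: {row['name']} -> {row['localname']} ({status}); "
              f"last-'@' split would give {row['expected_localname']}")
```

Running it against the sample prints one line per client; the RHEL7 client's result equals the last-'@' expectation, while the Ubuntu client's '(null)' is flagged as consistent with a first-'@' split. Feeding it a real journal extract (with Verbosity = 4) gives the same per-host comparison for any trusted-domain owner string.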
, but there is some stuff that is not clear to me.
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS there
is no straightforward way to install and integrate it with a FreeIPA
What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?
I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but nothing
3) How should you deliver apps?
Suppose you are a web app developer and you want to deliver a web
application which can easily integrate with FreeIPA. What's the most
comfortable option you can give? (assuming, for instance, that you want
the SSO magic sauce). Is there any difference between apps that will
run on the FreeIPA's domain owner's systems or third party apps?
()~*~() mail: alex at corcoles dot net
first of all, we have great success running Freeipa and Freeipa-clients on
Thanks for making this possible! I think this is a really important piece
of software for Linux.
Now it would come in handy if I could field some Debian clients for some
But on the current stable release there is no freeipa client.
I have installed some freeipa-clients from unstable, but it's not ideal.
I'm wondering, is anyone doing this at the moment?
Is there some repo for this?
Can this be compiled from source?
Thanks for any help.
My company's PIV/AD credential is user@example.com. We set up our IPA
credential as user@linux.example.com
example.com and linux.example.com are completely separate domains/realms,
no trust or interaction whatsoever.
I took the user and CA certs on the PIV card and put them into ipa. I was
able to authenticate to ipa webui with my PIV card.
My question is: does ipa do an online certificate status protocol check for the
user@example.com cert? Any way to verify that?
I wonder, and hope you guys could tell me if it's possible in IPA, when
there is a one-way trust established between AD & IPA, to allow only
certain accounts to log in & access IPA's resources?
An ideal scenario I'm looking for is where all users from AD are
initially disallowed from logging in & accessing the IPA domain, and then the admin can
allow such users on a per-user or per-group basis.
Is something like that "built-in" IPA's feature?
many thanks, L.
If I have a pair of IPA servers and need to reinstall the one currently
holding the CA master, is it actually necessary to promote the other one,
or can I just follow the procedure to rebuild the current master via
replication and then verify its CA configuration after the fact?
 Specifically, everything mentioned in
in the past couple of weeks I've pushed multiple changes to the
repository, fixing and enabling Fedora 28 and Fedora 29 Dockerfiles,
adding Travis CI configuration where we currently test IPA master and
replica setups in images of Fedoras from 23 to rawhide and on CentOS 7:
Testing on Travis' Ubuntus allowed me to reproduce and fix some issues
that people have observed on non-RHEL/CentOS/Fedora docker hosts. One
of the results is that docker run's --privileged or --cap-add
SYS_ADMIN options should not be needed anymore, making things more
confined and more secure. In fact, it's quite likely that running the
FreeIPA server containers as privileged will result in
... so just don't do it.
Another focus of the effort was to make it possible to run the
containers as read-only (docker run --read-only), making all the
changes that are done during the initial ipa-server-install or during
runtime properly confined to the /data volume, or pointed to
discardable /tmp. While things pass in my local read-only tests, in
Travis CI the initial ipa-server-install phase runs fine but starting
the read-only container afterwards seems to hang:
Any help with investigating why this is happening would be
Senior Principal Software Engineer, Security Engineering, Red Hat