First off thanks to everyone who makes FreeIPA. Its an awesome product that
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2
and the clients are ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of
anything that can do it easier I'd be happy to know about it.
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
maybe I missed something, but shouldn't admin have sufficient
privileges to run
# ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
# kinit admin
# ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
ipa-getkeytab failed with
Failed to parse result: PrincipalName not found.
I would have expected it to create the principal on the fly.
"admin" was created at freeipa install time on the first server,
AFAIR. It is member of the "admins" and "trust admins" groups.
I am concerned that I corrupted something. Every helpful comment
is highly appreciated.
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS , as the Samba4 internal DNS server has several know limitations.
>The internal DNS does not support:
>Conditional forwarders are not implemented yet
I THINK I got DNS actually working , but had to use solution like here
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as subdomain of IPA (which I'm currently doing) , or IPA as subdomain of AD ?
On both samba4 and freeipa machine I can currently dig SRV records for both domains , but when I attempt ipa add-trust, I see in httpd error logs
>[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts
>[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly ( I have all firewall/iptables off and selinux off).
I can give more concrete/examples , but before get lost in the weeds wanted to know on broad consensus is it even possible or known bad issues with Samba AD ?
Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says
>In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which I'm confused ... how to get I get AD trust, if I'm setting up samba without AD abilities??
Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
a. If you have an AD ( Microsoft ) , use it
b. If you don't have a Microsoft AD , setup Samba4
>but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc)
I have a master server that had a replica installed. The replica has been
uninstalled. When I try to run "ipa-replica-manage del --force
replica.server" it fails with:
invalid 'PKINIT enabled server': all masters must have IPA master role
How can I delete this replica?
We have IPA setup in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: key: 0x2c254c26 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: key: 0xf113fd2 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: key: 0x2125a5d2 type: gid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
Nobody-User = nobody
Nobody-Group = nogroup
Method = nsswitch
Any pointers appreciated!
, but there is some stuff that is not clear to me.
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS there
is no straightforward way to install and integrate it with a FreeIPA
What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?
I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but nothing
3) How should you deliver apps?
Suppose you are a web app developer and you want to deliver a web
application which can easily integrate with FreeIPA. What's the most
comfortable option you can give? (assuming, for instance, that you want
the SSO magic sauce). Is there any difference between apps that will
run on the FreeIPA's domain owner's systems or third party apps?
( Y )
()~*~() mail: alex at corcoles dot net
first of all, we have great success running Freeipa and Freeipa-clients on
Thanks for making this possible! I think this is a really important peace
of software for Linux.
Now it would come in handy if I could field some Debian clients for some
But on the current stable release there is no freeipa client.
I have installed some freeipa-clients from unstable, but it's not ideal.
I'm wondering, is anyone doing this at the moment.
Is there some repo for this?
Can this be compiled from source?
Thanks for any help.
we have an IPA 4.6.4 environment with an AD Trust configured and everything's working perfectly.
My question is: Is it possible to configure, that extra AD user attributes are transfered? I would need the AD user attribute "mail" with the users email address.
This question came up, after I tried to connect GitLab to IPA and authentication with an AD users fails, because IPA doesn't have the "mail" attribute of the user, so logging is denied. (Authentication on Linux systems is working).
Thanks in advance!
Die Information in dieser E-Mail ist vertraulich und ausschließlich für
den/die benannten Adressaten bestimmt. Ein Zugriff auf diese E-Mail
durch andere Personen als den/die benannten Adressaten ist nicht
gestattet. Sollten Sie nicht der benannte Adressat sein, löschen Sie bitte
Upgraded from CentOS 7.5 to 7.6 which includes IPA upgrade.from 4.5.4-10 to 4.6.4-10 upgrade was done via yum upgrade
Upgrade went fine. I see no alarming errors in the logs. It stopped and started all the servers did the ipa upgrade. All was fine once completed.
Reboot and now pki-tomcatd CA will not start. Tomcat starts, gets all the way to were it should start the CA and doesn't. No errors, Debug doesn't show any blatant errors. It does have "Repository: Server not completely started. Returning .." which is the closest thing I see to an error.
All the certs are in monitoring state. None are expired. Domain is not quite a year old. PKI is communicating to LDAP without issues. Validated that. Also checked for and replication errors. There are none.
This is happening on all 4 systems. In the exact same way. DNS is up, we can authenticate, kerbrose is working. Can search LDAP via SSL and non-SSL Rebooted into the older kernel just to make sure. Reverted back to an old CS.cfg also, no different. I'm at a complete loss. Most other posts and pages about this all deal with expired certs. And the one that wasn't (from Redhat) was about replication conflicts. Nothing is panning out.
Fully patched CentOS Linux release 7.6.1810 (Core)