is anyone running Debian as freeipa-client
by Johan Vermeulen
Hello All,
first of all, we have great success running Freeipa and Freeipa-clients on
Centos.
Thanks for making this possible! I think this is a really important piece
of software for Linux.
Now it would come in handy if I could field some Debian clients for some
purposes.
But on the current stable release there is no freeipa client.
I have installed some freeipa-clients from unstable, but it's not ideal.
I'm wondering, is anyone doing this at the moment?
Is there some repo for this?
Can this be compiled from source?
Thanks for any help.
Greetings, J.
5 years, 1 month
AD Trust: Add "mail" user attribute to AD -> IPA transfer
by Lenhardt, Matthias
Hi,
we have an IPA 4.6.4 environment with an AD Trust configured and everything's working perfectly.
My question is: Is it possible to configure that extra AD user attributes are transferred? I would need the AD user attribute "mail" with the user's email address.
This question came up after I tried to connect GitLab to IPA and authentication with an AD user fails, because IPA doesn't have the "mail" attribute of the user, so logging in is denied. (Authentication on Linux systems is working.)
Thanks in advance!
Regards
Matthias Lenhardt
System Administrator
BITMARCK
*****************************************************************
The information in this e-mail is confidential and intended exclusively for
the named addressee(s). Access to this e-mail by persons other than the
named addressee(s) is not permitted. If you are not the named addressee,
please delete this e-mail.
5 years, 1 month
CentOS 7 ipa upgrade causes pki-tomcatd not to start CA
by Jason Wood
Upgraded from CentOS 7.5 to 7.6, which includes the IPA upgrade from 4.5.4-10 to 4.6.4-10. The upgrade was done via yum upgrade.
Upgrade went fine. I see no alarming errors in the logs. It stopped and started all the servers and did the ipa upgrade. All was fine once completed.
Reboot and now pki-tomcatd CA will not start. Tomcat starts, gets all the way to where it should start the CA and doesn't. No errors, Debug doesn't show any blatant errors. It does have "Repository: Server not completely started. Returning .." which is the closest thing I see to an error.
All the certs are in monitoring state. None are expired. Domain is not quite a year old. PKI is communicating to LDAP without issues. Validated that. Also checked for any replication errors. There are none.
This is happening on all 4 systems, in the exact same way. DNS is up, we can authenticate, kerberos is working. Can search LDAP via SSL and non-SSL. Rebooted into the older kernel just to make sure. Reverted back to an old CS.cfg also, no different. I'm at a complete loss. Most other posts and pages about this all deal with expired certs. And the one that wasn't (from Redhat) was about replication conflicts. Nothing is panning out.
Fully patched CentOS Linux release 7.6.1810 (Core)
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-client-common-4.6.4-10.el7.centos.noarch
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-server-dns-4.6.4-10.el7.centos.noarch
libipa_hbac-1.16.2-13.el7.x86_64
python2-ipaclient-4.6.4-10.el7.centos.noarch
python2-ipalib-4.6.4-10.el7.centos.noarch
python2-ipaserver-4.6.4-10.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.16.2-13.el7.x86_64
sssd-ipa-1.16.2-13.el7.x86_64
krb5-pkinit-1.15.1-34.el7.x86_64
pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
5 years, 1 month
external ocsp ?
by veer Schlansky
My company's PIV/AD credential is user(a)example.com. We set up our IPA
credential as user(a)linux.example.com.
example.com and linux.example.com are completely separated domains/realms,
no trust or interaction whatsoever.
I took the user and CA certs on the PIV card and put them into ipa. I was
able to authenticate to ipa webui with my PIV card.
My question is does ipa do online certificate status protocol check for the
user(a)example.com cert? Any way to verify that?
Thanks.
5 years, 1 month
de/selecting AD's users
by lejeczek
hi guys
I wonder, and hope you guys could tell, if it's possible in IPA, when
there is a one-way trust established between AD & IPA, to allow only
certain accounts to login & access IPA's resources?
An ideal scenario I'm looking for is where all users from AD are
initially disallowed to login & access the IPA domain, and then the admin can
allow such users on a per-user or per-group basis.
Is something like that a "built-in" IPA feature?
many thanks, L.
5 years, 1 month
Web UI login/certificate issues, IPA 4.5.4
by dbischof@hrz.uni-kassel.de
Hi,
my IPA system consists of 2 masters with their own self-signed CAs, one of
them being the certificate renewal master (ipa1). The system has been
running for years and has been migrated from an IPA 3 system.
For a while now, the Web UI logins on ipa1 don't work anymore ("Login failed
due to an unknown reason.").
Web UI logins on the other server (ipa2) work and everything else is
working fine, too, ipactl status reports all services running.
On login attempt:
--- httpd log
[...]
[:error] [pid 15551] [remote 141.51.X.X:0] mod_wsgi (pid=15551): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[...]
[:error] [pid 15551] [remote 141.51.X.X:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15551 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
---
--- krb5kdc.log
[...]
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Additional pre-authentication required
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.X.Y: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS(a)EXAMPLE.COM for krbtgt/EXAMPLE.COM(a)EXAMPLE.COM, Failed to verify own certificate (depth 0): certificate has expired
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11
---
--- ipa-checkcerts.py
IPA version 4.5.4-10.el7.centos.3
Check CA status
Check tracking
Check NSS trust
Check dates
Checking certificates in CS.cfg
Comparing certificates to requests in LDAP
Checking RA certificate
Checking authorities
Checking host keytab
Validating certificates
Checking renewal master
End-to-end cert API test
Checking permissions and ownership
Failures:
Unable to find request for serial 268304391
Unable to find request for serial 268304394
Unable to find request for serial 268304393
Unable to find request for serial 268304392
Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57
---
--- ipa pkinit-status --all
-----------------
2 servers matched
-----------------
Server name: ipa2.example.com
PKINIT status: enabled
Server name: ipa1.example.com
PKINIT status: enabled
----------------------------
Number of entries returned 2
----------------------------
To my understanding, proper certificate exchange between my two servers
ceased working at some point. How do I track this down and fix it?
Mit freundlichen Gruessen/With best regards,
--Daniel.
5 years, 2 months
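The krb5kdc.log excerpt above shows the shape of a PKINIT failure: an anonymous AS_REQ (the armor ccache that the Web UI's kinit -n requests) answered with KDC_RETURN_PADATA and a certificate reason. The following parser, added here as an illustration and not code from the post or from FreeIPA, turns such lines into structured events and isolates the certificate-related PKINIT failures so they can be spotted in a log pull rather than read by eye. The sample log lines are constructed to mirror the post's format (anonymised addresses, a made-up successful ISSUE line for contrast); the field names and regexes are my own assumptions about the krb5kdc log layout as shown in the excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the krb5kdc.log lines in the post above.
# Addresses and the successful "alice" request are made up for contrast.
SAMPLE_KDC_LOG = """\
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.10: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec 20 16:06:54 ipa1.example.com krb5kdc[15517](info): closing down fd 11
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.10: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Failed to verify own certificate (depth 0): certificate has expired
Dec 20 16:06:54 ipa1.example.com krb5kdc[15518](info): closing down fd 11
Dec 20 16:07:10 ipa1.example.com krb5kdc[15518](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 141.51.0.11: ISSUE: authtime 1545322030, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# One AS_REQ record: timestamp, host, pid, client address, status word, free-text detail.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"AS_REQ \([^)]*\) (?P<client>[\d.:a-fA-F]+): (?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# "<client principal> for <service principal>[, <reason>]" inside the detail field.
PRINC_RE = re.compile(
    r"(?P<principal>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)(?:, (?P<reason>.*))?$"
)

ANONYMOUS_PREFIX = "WELLKNOWN/ANONYMOUS@"


@dataclass
class AsReq:
    timestamp: str
    client: str
    status: str
    principal: Optional[str]
    service: Optional[str]
    reason: Optional[str]

    @property
    def is_anonymous_pkinit(self) -> bool:
        """Anonymous PKINIT is what `kinit -n` (the IPA armor ccache) performs."""
        return self.principal is not None and self.principal.startswith(ANONYMOUS_PREFIX)

    @property
    def is_certificate_failure(self) -> bool:
        """KDC_RETURN_PADATA with a certificate reason means the KDC's own PKINIT cert chain failed."""
        return (
            self.status == "KDC_RETURN_PADATA"
            and self.reason is not None
            and "certificate" in self.reason.lower()
        )


def parse_kdc_log(text: str) -> List[AsReq]:
    """Extract AS_REQ events from krb5kdc.log text; non-AS_REQ lines are ignored."""
    events: List[AsReq] = []
    for line in text.splitlines():
        m = AS_REQ_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("detail"))
        events.append(AsReq(
            timestamp=m.group("ts"),
            client=m.group("client"),
            status=m.group("status"),
            principal=p.group("principal") if p else None,
            service=p.group("service") if p else None,
            reason=p.group("reason") if p else None,
        ))
    return events


def pkinit_certificate_failures(events: List[AsReq]) -> List[AsReq]:
    """Events where anonymous PKINIT was refused because of a certificate problem."""
    return [e for e in events if e.is_anonymous_pkinit and e.is_certificate_failure]


def summarize(text: str) -> dict:
    """Counts a practitioner would want from a log pull: total AS_REQs, issued, PKINIT cert failures."""
    events = parse_kdc_log(text)
    failures = pkinit_certificate_failures(events)
    return {
        "as_req": len(events),
        "issued": sum(1 for e in events if e.status == "ISSUE"),
        "pkinit_cert_failures": len(failures),
        "reasons": sorted({e.reason for e in failures if e.reason}),
    }


if __name__ == "__main__":
    for event in pkinit_certificate_failures(parse_kdc_log(SAMPLE_KDC_LOG)):
        print(f"{event.timestamp} {event.client} PKINIT refused: {event.reason}")
    print(summarize(SAMPLE_KDC_LOG))
```

The "Failed to verify own certificate" reason is the KDC reporting on its own PKINIT certificate (the kdc.crt referenced in the httpd log), not on the client's; a run of these alongside working password logins points at the KDC's certificate or its tracking in certmonger, which is what ipa-checkcerts.py's "Unable to find request" lines also suggest.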
Re: Testing requested - certificate checking tool
by SOLER SANGUESA Miguel
Hello,
I have run the tool on an environment where I've installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal?
Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
Thanks & Regards.
5 years, 2 months
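The traceback above ends in `expected = expected_trust[nickname]`: the check iterates over every nickname in the NSS database and looks each one up in a table of IPA-managed certificates, so a third-party root such as "ICC-root" that IPA never issued raises KeyError instead of a finding. The snippet below, added here as an illustration and not code from ipa-checkcerts.py or FreeIPA, shows the shape of that check with the lookup hardened: unknown nicknames are reported as warnings, and mismatched or missing IPA certificates remain failures. The certutil-style listing, the nicknames and the expected trust flags are constructed for the example; the real tool's tables differ.

```python
import re
from typing import Dict, List, Tuple

# Constructed listing in the layout of `certutil -L -d <nssdb>`: nickname, then SSL,S/MIME,JAR/XPI trust flags.
# "ICC-root" stands in for a third-party CA installed for a custom HTTPS certificate.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
Server-Cert                                                  u,u,u
ICC-root                                                     C,,
"""

# Constructed table of what the checker expects for IPA-managed certificates.
EXPECTED_TRUST: Dict[str, str] = {
    "IPA.TESTAD.LOCAL IPA CA": "CT,C,C",
    "Server-Cert": "u,u,u",
}

# A nickname followed by three comma-separated groups of NSS trust letters (possibly empty).
TRUST_LINE_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags; header lines without a flags triple are skipped."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = TRUST_LINE_RE.match(line.rstrip())
        if m:
            result[m.group("nick").strip()] = m.group("trust")
    return result


def check_trust(listing: str, expected: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (failures, warnings).

    Failures: an IPA-managed certificate carries the wrong trust, or is absent from the database.
    Warnings: a certificate the checker does not manage (e.g. a third-party root) is present;
    the original script's `expected[nickname]` raises KeyError here instead of reporting it.
    """
    actual = parse_certutil_listing(listing)
    failures: List[str] = []
    warnings: List[str] = []
    for nickname, trust in actual.items():
        if nickname not in expected:
            warnings.append(f"{nickname}: not an IPA-managed certificate (trust {trust}), skipped")
            continue
        if trust != expected[nickname]:
            failures.append(f"{nickname}: trust is {trust}, expected {expected[nickname]}")
    for nickname in expected:
        if nickname not in actual:
            failures.append(f"{nickname}: missing from NSS database")
    return failures, warnings


if __name__ == "__main__":
    fails, warns = check_trust(SAMPLE_LISTING, EXPECTED_TRUST)
    for msg in fails:
        print("FAIL:", msg)
    for msg in warns:
        print("WARN:", msg)
```

Treating an unrecognised nickname as a warning rather than an error keeps the check useful on deployments with third-party HTTPS or LDAP certificates, while still catching the case the check exists for: an IPA certificate whose trust flags were altered or that disappeared from the database. Note that the RHEL 6 join error in the post is a separate problem (the client does not trust the CA that signed the HTTPS certificate), not something this check would report.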
PAM OTP login requirements
by Brian Topping
Hi all, I hope this is the best place to ask this, please let me know if not.
I am setting up a PAM client (libreswan, using the `pluto` service). When I log in with a non-OTP account, everything works fine, but not with an OTP account. I have tested the OTP account by logging into the node with SSH and the OTP user and it works fine, so I know that both the token and the client configuration are correct. I’ve tried a few different PAM stacks to see if I could get around this, including the sshd stack, to no avail. In all cases, the FreeIPA server logs state `Additional pre-authentication required` and then `Preauthentication failed`.
Preauthentication makes sense, I just don’t understand why sshd works fine with both password factors concatenated in the first factor and libreswan (and xl2tpd when I was testing it) both fail with preauth issues. What am I missing? Are there good docs on this somewhere? [1] was the best I could come up with and it seems to be out-of-date (pam_sss takes different parameters for some of the same functions in the final form).
Cheers! Brian
[1] https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html
5 years, 2 months