How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?
by cdknight
When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
5 years, 3 months
client ldap issue
by Jaroslav Shejbal
Hi everyone,
I am pretty new to FreeIPA and I like it a lot, but I have one problem which I cannot solve. I am using ipa-server (freeipa-server) on Ubuntu 18.10 and ipa-clients on Debian 9, so I am not using the ipa-client package, only nscd & sssd and configuration. All clients are successfully enrolled and provided with a keytab file. Some clients work fine and it looks like this (in /var/log/auth.log):
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: NEEDED_PREAUTH: host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for ldap/ipa.domain.com@DOMAIN.COM
and some are not provided with the ldap line:
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: NEEDED_PREAUTH: host/some-not-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18}, host/some-not-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
(lines with "closing down fd 12" were omitted; also hostnames, IPs and domains were replaced)
I've checked DNS settings, time difference and various logs but with no success. I've also tried removing the SSSD cache (rm -f /var/lib/sss/db/*) and reinstalling the client packages.
Do you have any idea where and what should I look for regarding this issue?
5 years, 3 months
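The post compares the two hosts by eye: the working one gets a TGT (AS_REQ ... ISSUE) and then a service ticket for ldap/ (TGS_REQ ... ISSUE), the broken one stops after the TGT. The script below is an added example, not code from FreeIPA or from the poster, that does that comparison over a whole krb5kdc log: it parses the ISSUE lines, lists host principals that obtained a TGT but never requested an ldap/ ticket, and (going a little beyond the post) also flags tickets issued with a non-AES enctype, since the etypes {rep= tkt= ses=} field is right there in the same line. The log lines are constructed from the format quoted above with placeholder names; only the line shape is taken from the real krb5kdc format.

```python
"""Scan krb5kdc log lines for enrolled hosts that got a TGT but no ldap/ ticket.

Added example; not FreeIPA or poster code. SAMPLE_LOG is constructed in the
krb5kdc format quoted in the thread, with placeholder hosts and addresses.
"""
import re

# Constructed sample: a good host, a host that never asks for ldap/, and a host
# whose ldap/ ticket was issued with RC4-HMAC (etype 23).
SAMPLE_LOG = """\
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/good.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/good.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/good.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.11: NEEDED_PREAUTH: host/bad.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18}, host/bad.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 26 18:12:51 ipa krb5kdc[1345]: closing down fd 12
Nov 26 18:13:07 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.12: ISSUE: authtime 1543255987, etypes {rep=18 tkt=18 ses=18}, host/weak.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 26 18:13:07 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.12: ISSUE: authtime 1543255987, etypes {rep=23 tkt=23 ses=23}, host/weak.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
"""

# Only lines where the KDC actually issued a ticket carry "ISSUE:" plus the
# "<client> for <service>" tail; NEEDED_PREAUTH lines are deliberately ignored.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

# AES (RFC 3962, RFC 8009) and Camellia (RFC 6803) enctype numbers.
# 16 is 3DES and 23 is RC4-HMAC; neither should appear on a modern realm.
STRONG_ETYPES = {17, 18, 19, 20, 25, 26}


def parse_issues(log_text):
    """Yield one dict per issued ticket: req, addr, rep/tkt/ses etypes, client, service."""
    for line in log_text.splitlines():
        # List archives munge '@' into '(a)'; undo that so pasted logs parse too.
        m = ISSUE_RE.search(line.replace("(a)", "@"))
        if m:
            d = m.groupdict()
            for key in ("rep", "tkt", "ses"):
                d[key] = int(d[key])
            yield d


def hosts_without_ldap_ticket(log_text, ldap_prefix="ldap/"):
    """Host principals that received a TGT but never a ticket for ldap/..."""
    got_tgt, got_ldap = set(), set()
    for t in parse_issues(log_text):
        if t["req"] == "AS_REQ" and t["client"].startswith("host/"):
            got_tgt.add(t["client"])
        elif t["req"] == "TGS_REQ" and t["service"].startswith(ldap_prefix):
            got_ldap.add(t["client"])
    return sorted(got_tgt - got_ldap)


def weak_enctype_tickets(log_text):
    """(client, service, ticket etype) for every issued ticket not using a strong enctype."""
    return [(t["client"], t["service"], t["tkt"])
            for t in parse_issues(log_text) if t["tkt"] not in STRONG_ETYPES]


if __name__ == "__main__":
    for host in hosts_without_ldap_ticket(SAMPLE_LOG):
        print("TGT issued but no ldap/ ticket requested:", host)
    for client, service, etype in weak_enctype_tickets(SAMPLE_LOG):
        print("weak enctype %d: %s -> %s" % (etype, client, service))
```

A host that shows up in the first list authenticated to the KDC fine, so the keytab and time are good; what is missing is the next step, SSSD (or nscd) on that client never asking for a ticket to the LDAP service, which points at the client-side configuration rather than at the KDC. Run it against the real log with `hosts_without_ldap_ticket(open("/var/log/krb5kdc.log").read())`.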
NoClassDefFoundError: javax/annotation/Priority
by Milos Cuculovic
Trying to run pki cert-show 1 and getting back plenty of warnings about:
WARN: RESTEASY002145: NoClassDefFoundError: Unable to load builtin provider org.jboss.resteasy.plugins.providers.InputStreamProvider from jar:file:/usr/share/java/resteasy-jaxrs.jar!/META-INF/services/javax.ws.rs.ext.Providers
java.lang.NoClassDefFoundError: javax/annotation/Priority
And at the end:
NoClassDefFoundError: javax/annotation/Priority
Does anyone have experience with this?
When I try to view the certificate on the FreeIPA web console, I’m getting this:
IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)
Thank you in advance.
Milos
5 years, 3 months
Problem with Freeipa-client on Ubuntu 16.04 - create_ipa_nssdb
by Milos Cuculovic
I have an issue trying to install freeipa-client on Ubuntu 16.04 (it worked on other 16.04 servers but this one is somehow failing).
The problem is with the postinst script that fails on this line:
python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
While trying to run from the CLI: python2 -c 'from ipapython.certdb import create_ipa_nssdb', I'm getting:
ImportError: cannot import name create_ipa_nssdb
I have checked the Python file in question, /usr/local/lib/python2.7/dist-packages/ipapython/certdb.py: there is no definition of create_ipa_nssdb.
Any idea? I already tried to purge and reinstall the freeipa-client, but no luck.
Milos
5 years, 3 months
Announcing FreeIPA v4.7.2
by Alexander Bokovoy
The FreeIPA team would like to announce the FreeIPA 4.7.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 29 and Fedora 28 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR
repository] and also published to Fedora 28 and Fedora 29 updates.
== Highlights in 4.7.2 ==
Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.7.2 is a stabilization release for the features delivered as a
part of 4.7 release series.
There are more than 10 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7779 Update PR-CI definitions to use Fedora 29
* 7776 authselect 1.0.2 fails on unknown feature
* 7772 pylint 2.2.0 violations
* 7769 Installer does not detect that kadmin port 749/UDP is blocked
* 7767 make fasttest errors because of missing python3-lib389
* 7758 pylint-2.1.1 errors on Fedora 29
* 7754 Replace archaic term messagebus with dbus
* 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py
* 7741 Smart card advise script uses hard-coded Python interpreter
* 7729 Bad output on failed client installation rollback
* 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors
* 7723 NTP options fails on ipa replica
* 7671 Remove --no-sssd and --noac options
* 7658 [RFE] sysadm_r should be included in default SELinux user map order
* 7651 ipa-replica-install --setup-kra broken on DL1
* 7408 ipa-replica-install command should display proper message on the console.
* 5378 Incorrect error message at wrong password from private key file
== Detailed changelog since 4.7.1 ==
=== Alexander Bokovoy (6) ===
* Become IPA 4.7.2
* ipa-kdb: reduce LDAP operations timeout to 30 seconds
* ipa-4-7: merge translations from zanata
* ipaserver.install.adtrust: fix CID 323644
* net groupmap: force using empty config when mapping Guests
* adtrust: define Guests mapping after creating cifs/ principal
=== Adam Williamson (1) ===
* Fix authselect invocations to work with 1.0.2
=== Christian Heimes (35) ===
* Update temp commit template to F29
* Increase debugging for blocked port 749 and 464
* Address misc pylint issues in CLI scripts
* pylint: also verify scripts
* pylint: Fix duplicate-string-formatting-argument
* pylint 2.2: Fix unnecessary pass statement
* PR-CI: Restart rpcbind when it blocks kadmin port
* Fix pytest deprecation warning
* certdb: validate server cert signature
* Require pylint 2.1.1-2
* Silence comparison-with-itself in tests
* Fix raising-format-tuple
* Fix various dict related pylint warnings
* Fix Module 'pytest' has no 'config' member
* Fix useless-import-alias
* Fix comparison-with-callable
* Address consider-using-in
* Ignore consider-using-enumerate for now
* Address inconsistent-return-statements
* Address pylint violations in lite-server
* Ignore W504 code style like in travis config
* Fix test_cli_fsencoding on Python 3.7, take 2
* Replace messagebus with modern name dbus
* Copy-paste error in permssions plugin, CID 323649
* Allow ipaapi user to access SSSD's info pipe
* Fix test_cli_fsencoding on Python 3.7
* ipapwd_pre_mod: NULL ptr deref
* ipadb_mspac_get_trusted_domains: NULL ptr deref
* has_krbprincipalkey: avoid double free
* Require Dogtag 10.6.7-3
* Use tasks.install_master() in external_ca tests
* Keep Dogtag's client db in external CA step 1
* Replace hard-coded interpreter with sys.executable
* Don't abuse strncpy() length limitation
* Fix ipadb_multires resource handling
=== François Cami (3) ===
* Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
* Add a shared-vault-retrieve test
* Add sysadm_r to default SELinux user map order
=== Florence Blanc-Renaud (19) ===
* ipatests: add upgrade test for double-encoded cacert
* ipa upgrade: handle double-encoded certificates
* ipatests: add xmlrpc test for user|host-find --certificate
* ipaldap.py: fix method creating a ldap filter for IPACertificate
* ipatests: fix test_replica_uninstall_deletes_ruvs
* ipatests: add test for ipa-replica-install options
* ipa-replica-install: password and admin-password options mutually exclusive
* freeipa.spec.in: add BuildRequires for python3-lib389
* ipatests: add integration test for "Read radius servers" perm
* radiusproxy: add permission for reading radius proxy servers
* tests: add xmlrpc test for ipa user-add --radius-username
* ipa user-add: add optional objectclass for radius-username
* ipatest: add functional test for ipa-backup
* ipa-backup: restart services before compressing the backup
* ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
* ipatests: fix path in expected error message
* Bump requires 389-ds-base
* ipa tests: CA less
* certdb: provide meaningful err msg for wrong PIN
=== Francisco Trivino (2) ===
* PR-CI: Move to Fedora 29 template, version 0.2.0
* prci_definitions: update vagrant memory topology requirements
=== Fraser Tweedale (6) ===
* certdb: validate certificate signatures
* Print correct subject on CA cert verification failure
* certdb: ensure non-empty Subject Key Identifier
* ipaldap: avoid invalid modlist when attribute encoding differs
* rpc: always read response
* Restore KRA clone installation integration test
=== Varun Mylaraiah (1) ===
* Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
=== Petr Vobornik (1) ===
* ipa-advise: update url of cacerdir_rehash tool
=== Rob Crittenden (10) ===
* Add support for multiple certificates/formats to ipa-cacert-manage
* Add tests for ipa-cacert-manage install
* Enable replica install info logging to match ipa-server-install
* Demote log message in custodia _wait_keys to debug
* Pass a list of values into add_master_dns_records
* Collect the client and server uninstall logs in tests
* Fix misleading errors during client install rollback
* Remove the authselect profile warning if sssd was not configured.
* Handle NTP configuration in a replica server installation
* Enable LDAP debug output in client to display TLS errors in join
=== Stanislav Levin (1) ===
* Move ipa's systemd tmpfiles from /var/run to /run
=== Sergey Orlov (2) ===
* ipatests: add test for ipa-restore in multi-master configuration
* ipatests: add test for ipa-advise for enabling sudo for admins group
=== sudharsanomprakash (1) ===
* Don't use deprecated Apache Access options.
=== Thomas Woerner (5) ===
* Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
* Fix ressource leak in client/config.c get_config_entry
* Update annobin to fix continuous-integration/travis-ci/pr issues
* Find orphan automember rules
* ipaclient: Remove --no-sssd and --no-ac options
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5 years, 3 months
Replica won't start
by Bret Wortman
After a reboot, my IPA replica won't start. I've tracked it down to an
error in the named startup. From /var/log/messages (all messages from
named-pkcs11):
bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier
4.8.5 20150623 (Red Hat 4.8.5-16)
LDAP error: Invalid credentials: bind to LDAP server failed
couldn't establish connection in LDAP connection pool: permission denied
dynamic database 'ipa' configuration failed:
loading configuration: permission denied
exiting (due to fatal error)
So I tried manually:
# kinit -kt /etc/named.keytab DNS/ipa3.spx.net@MY.NET
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/asipa3.spx.net@MY.NET
Valid starting Expires Service principal
12/06/2018 12:26:17  12/07/2018 12:26:17  krbtgt/MY.NET@MY.NET
I've restarted now using ipactl start --ignore-service-failure but where
should I be looking next to get this fixed?
--
Bret Wortman
Founder, Damascus Products, LLC
5 years, 3 months
new replica has no dnarange
by Grant Janssen
When I added another replica, all appeared to go smoothly. But the new server did not receive a DNA range.
I reviewed the man page and this indicated:
"New IPA masters do not automatically get a DNA range assignment. A range assignment is
done only when a user or POSIX group is added on that master."
No problemo. I added a user on the new replica; this new user appears on all the servers when queried - but still my DNA range shows "No range set":
grant@ef-idm03:~[20181206-8:25][#118]$ ipa-replica-manage list
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm03.production.efilm.com: master
ef-idm02.production.efilm.com: master
ef-idm01.production.efilm.com: master
grant@ef-idm03:~[20181206-8:28][#119]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ********
FreeIPA servers: ef-idm01 ef-idm02 STATE
=================================================
Active Users 126 126 OK
Stage Users 7 7 OK
Preserved Users 0 0 OK
User Groups 22 22 OK
Hosts 158 158 OK
Host Groups 16 16 OK
HBAC Rules 5 5 OK
SUDO Rules 14 14 OK
DNS Zones ERROR ERROR OK
LDAP Conflicts NO NO OK
Ghost Replicas NO NO OK
Anonymous BIND YES YES OK
Replication Status ef-idm02 0 ef-idm01 0
ef-idm03 0
=================================================
grant@ef-idm03:~[20181206-8:36][#120]$ ipa-replica-manage dnarange-show
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
ef-idm01.production.efilm.com: 457200144-457300499
ef-idm02.production.efilm.com: 457300502-457399999
ef-idm03.production.efilm.com: No range set
grant@ef-idm03:~[20181206-8:36][#121]$
should I manually add a range?
Also, I had anticipated another column appearing in the consistency check.
And the web interface comes up blank - the page never loads.
thanx
- grant
5 years, 3 months
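The dnarange-show output above is the thing to work from before touching anything: two masters hold ranges, the third has none, and the question is whether to carve a range out by hand. The script below is an added example, not FreeIPA code and not the poster's, that parses that output, checks the assigned ranges for overlap (two masters sharing a range is how duplicate UIDs get minted), checks that every range sits inside the IPA ID range from `ipa idrange-show`, and proposes a split of the largest range so the new master can be given the upper half with `ipa-replica-manage dnarange-set <master> <start>-<end>`. The hostnames are placeholders; the numbers are the ones quoted in the post. Nothing here talks to IPA, it only prints the commands to run.

```python
"""Check `ipa-replica-manage dnarange-show` output and propose a range for a
master that reports "No range set".

Added example; not FreeIPA or poster code. SAMPLE_OUTPUT is constructed in the
format quoted in the thread (hostnames are placeholders, numbers as posted).
"""
import re

SAMPLE_OUTPUT = """\
ipa: ERROR: Cannot open log file u'/var/log/ipa/cli.log': [Errno 13] Permission denied: u'/var/log/ipa/cli.log'
idm01.example.test: 457200144-457300499
idm02.example.test: 457300502-457399999
idm03.example.test: No range set
"""

LINE_RE = re.compile(r"^(?P<host>[^:\s]+): (?:(?P<start>\d+)-(?P<end>\d+)|No range set)$")


def parse_dnarange_show(text):
    """Return {host: (start, end)} for assigned masters and {host: None} for unassigned ones."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ipa: ERROR"):  # skip the cli.log permission noise
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised dnarange-show line: %r" % line)
        host = m.group("host")
        if m.group("start") is None:
            ranges[host] = None
        else:
            start, end = int(m.group("start")), int(m.group("end"))
            if start > end:
                raise ValueError("inverted range for %s: %d-%d" % (host, start, end))
            ranges[host] = (start, end)
    return ranges


def masters_without_range(ranges):
    return sorted(h for h, r in ranges.items() if r is None)


def overlapping_ranges(ranges):
    """Pairs of masters whose ranges overlap; both could then allocate the same UID/GID."""
    assigned = sorted((r, h) for h, r in ranges.items() if r is not None)
    return [(h1, h2) for (r1, h1), (r2, h2) in zip(assigned, assigned[1:]) if r2[0] <= r1[1]]


def outside_idrange(ranges, id_base, id_size):
    """Masters whose DNA range is not contained in the local IPA ID range (ipa idrange-show)."""
    lo, hi = id_base, id_base + id_size - 1
    return sorted(h for h, r in ranges.items() if r is not None and (r[0] < lo or r[1] > hi))


def propose_split(ranges, new_master):
    """Split the largest assigned range in half: donor keeps the lower half, the
    new master gets the upper half. dnarange-show reports the range from the
    donor's next value upward, so the donor's pending allocations stay valid.
    Returns (donor_host, donor_new_range, new_master_range)."""
    if ranges.get(new_master) is not None:
        raise ValueError("%s already has a range" % new_master)
    donor, (start, end) = max(((h, r) for h, r in ranges.items() if r is not None),
                              key=lambda hr: hr[1][1] - hr[1][0])
    if end - start < 1:
        raise ValueError("no assigned range is large enough to split")
    mid = start + (end - start) // 2
    return donor, (start, mid), (mid + 1, end)


def dnarange_set_commands(ranges, new_master):
    """The two ipa-replica-manage commands that apply propose_split()."""
    donor, donor_range, new_range = propose_split(ranges, new_master)
    return ["ipa-replica-manage dnarange-set %s %d-%d" % ((donor,) + donor_range),
            "ipa-replica-manage dnarange-set %s %d-%d" % ((new_master,) + new_range)]


if __name__ == "__main__":
    ranges = parse_dnarange_show(SAMPLE_OUTPUT)
    print("overlaps:", overlapping_ranges(ranges))
    # 457200000/200000 is an assumed ID range for the sample; take yours from `ipa idrange-show`.
    print("outside ID range:", outside_idrange(ranges, 457200000, 200000))
    for host in masters_without_range(ranges):
        print("\n".join(dnarange_set_commands(ranges, host)))
```

Run the first two checks first; only if there are no overlaps and every range is inside the ID range does the proposed dnarange-set pair make sense. Shrink the donor before assigning the new range, so there is never a moment where two masters claim the same numbers.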
IPA server replication over IPv6 only network
by William Muriithi
Evening,
I would like to setup an IPA server replica outside of the current IPA
master network. Problem is, I don't have enough IPv4 addresses. Only one, and it's in
use by the edge router. However, I do have an IPv6 enabled network now.
The two systems can therefore reach each other, but only on IPv6
The current master was deployed before IPv6 deployment. I just assigned
the OS stack global unicast addresses and it works fine. Is there anything
I need to do on the IPA application on the master to be IPv6 aware?
Second, and this is where I am kind of worried, can replication happen on
IPv6 connection alone despite the OS having both IPv4 and IPv6 addresses?
Regards,
William
5 years, 3 months
FreeIPA API logout
by Yuri Krysko
Hey Folks,
I'm trying to use API calls to manage entities on our FreeIPA servers per https://access.redhat.com/articles/2728021#end-point-json. The question that I have is: how does one log out (terminate) the API session?
Thanks,
Yuri
5 years, 3 months
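The linked article covers login (POST to /ipa/session/login_password, which sets the ipa_session cookie) and calling methods through /ipa/session/json; the piece the question is after is that ending the session is itself an API method, `session_logout`, called the same way as any other. The class below is an added example, not the poster's code and not a FreeIPA client library: a standard-library-only session wrapper that logs in, calls a method, and logs out, and that carries the Referer header FreeIPA requires on every /ipa/session request as CSRF protection. The server `ipa.example.test` and the `admin` account are placeholders; /etc/ipa/ca.crt is the CA file an enrolled client has, pass your own if different. The `version` option is left out of the calls here, so expect a VersionMissing warning in the reply messages until you set it to your server's API version.

```python
"""FreeIPA JSON-RPC session: login_password -> json calls -> session_logout.

Added example; not the poster's code and not a FreeIPA library. Server name
and credentials below are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

BASE_URL = "https://ipa.example.test/ipa"  # placeholder server


def referer_headers(base_url, accept):
    """Headers every /ipa/session request needs: FreeIPA rejects calls whose
    Referer is not the /ipa URL, so even the logout call must carry it."""
    return {"Referer": base_url, "Accept": accept}


def jsonrpc_payload(method, args=(), options=None, request_id=0):
    """FreeIPA JSON-RPC body: params is [positional-args-list, options-dict]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": request_id}


def check_result(reply):
    """Return reply['result'], or raise with the server-side error code and message."""
    err = reply.get("error")
    if err:
        raise RuntimeError("IPA error %s: %s" % (err.get("code"), err.get("message")))
    return reply.get("result")


class IpaSession:
    def __init__(self, base_url=BASE_URL, cafile="/etc/ipa/ca.crt"):
        self.base_url = base_url
        self.jar = CookieJar()  # holds the ipa_session cookie after login
        ctx = ssl.create_default_context(cafile=cafile)  # verify the IPA CA; never disable this
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar),
            urllib.request.HTTPSHandler(context=ctx))

    def login(self, user, password):
        """Form-encoded password login; a 401 carries the reason in X-IPA-Rejection-Reason."""
        body = urllib.parse.urlencode({"user": user, "password": password}).encode()
        headers = dict(referer_headers(self.base_url, "text/plain"),
                       **{"Content-Type": "application/x-www-form-urlencoded"})
        req = urllib.request.Request(self.base_url + "/session/login_password", data=body, headers=headers)
        try:
            self.opener.open(req).read()
        except urllib.error.HTTPError as e:
            raise RuntimeError("login failed: %s" % e.headers.get("X-IPA-Rejection-Reason", e.code))

    def call(self, method, args=(), options=None):
        """POST one JSON-RPC request using the session cookie and return its result."""
        payload = json.dumps(jsonrpc_payload(method, args, options)).encode()
        headers = dict(referer_headers(self.base_url, "application/json"),
                       **{"Content-Type": "application/json"})
        req = urllib.request.Request(self.base_url + "/session/json", data=payload, headers=headers)
        with self.opener.open(req) as resp:
            return check_result(json.loads(resp.read().decode()))

    def logout(self):
        """Invalidate the session on the server, then drop the dead cookie locally."""
        result = self.call("session_logout")
        self.jar.clear()
        return result


if __name__ == "__main__":
    s = IpaSession()
    s.login("admin", "changeme")  # placeholder credentials
    try:
        print("users found:", s.call("user_find", options={"sizelimit": 5})["count"])
    finally:
        s.logout()  # always terminate the session, even if the call above failed
```

Putting the logout in a `finally` matters for scripts that run unattended: a session that is never closed stays valid on the server until it expires, and the cookie that represents it is a bearer credential for whatever account logged in.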