AD group name replaced by SID
by Ronald Wimmer
Hi,
for demonstration purposes I added two users to an external group that
already contained an AD group. The AD group had a human-readable name.
The users as well.
When I removed these two users the AD group name changed from the human-readable
name to the group SID. Why did that happen? Is there a way to
make the human-readable name reappear without re-adding the AD group?
Regards,
Ronald
4 years, 2 months
Automount Question
by Ben Archuleta
Hello,
I have a network with a file server that houses the home directories. The server has 6 NFS exports that contain the home directories: home0, home1, home2, home3, home4, home5. These exports have about 289 home directories between all of them.
In the current NIS environment I have an auto_master that has the following:
# Master map for automounter
#
/net -hosts -nosuid,nobrowse
/xfn -xfn
/homes auto.homes
I have an auto_homes that has entries like the following with 192.168.10.30 being the file server:
barchu02 192.168.10.30:/export/home2/barchu02
I have one entry per user on the system.
How would I configure FreeIPA auto mounts to behave the same way?
Regards,
Ben Archuleta
4 years, 2 months
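The NIS map above can be replayed into FreeIPA's automount objects with the ipa CLI. The script below, an added example that is not part of the original post, parses auto.homes lines in the poster's format and emits the ipa commands; it assumes the commands automountlocation-add, automountmap-add-indirect and automountkey-add, an automount location named "default", and the sample entries jdoe and asmith are made up.

```python
#!/usr/bin/env python3
"""Turn a NIS-style auto.homes map into FreeIPA automount CLI commands.
Added example, not from the original post; assumes the ipa CLI commands
automountlocation-add, automountmap-add-indirect and automountkey-add,
and an automount location named "default"."""
import shlex

# Constructed sample in the poster's auto.homes format (one
# "key server:/path" line per user); jdoe and asmith are made up.
SAMPLE_AUTO_HOMES = """\
# home directories served by the NFS file server
barchu02 192.168.10.30:/export/home2/barchu02
jdoe     -nosuid 192.168.10.30:/export/home0/jdoe
asmith 192.168.10.30:/export/home5/asmith
"""


def parse_nis_map(text):
    """Yield (key, info) pairs; info keeps any leading mount options."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, info = line.partition(" ")
        info = " ".join(info.split())  # collapse the column padding
        if not info:
            raise ValueError("malformed map entry: %r" % line)
        yield key, info


def ipa_commands(map_text, location="default", mount="/homes",
                 map_name="auto.homes"):
    """Return the ipa CLI lines that reproduce the NIS map in FreeIPA."""
    cmds = [
        "ipa automountlocation-add %s" % location,
        # indirect map: creates auto.homes and its /homes key in auto.master
        "ipa automountmap-add-indirect %s %s --mount=%s"
        % (location, map_name, mount),
    ]
    for key, info in parse_nis_map(map_text):
        # shlex.quote protects entries that carry options (spaces)
        cmds.append("ipa automountkey-add %s %s %s --info=%s"
                    % (location, map_name, key, shlex.quote(info)))
    return cmds


if __name__ == "__main__":
    print("\n".join(ipa_commands(SAMPLE_AUTO_HOMES)))
```

Clients then pick the maps up with ipa-client-automount --location=default.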
DNS records erroring when entering main zone
by Andrew Meyer
A while back when I created my FreeIPA servers I added locations to them. I then added 1 more server and removed it for testing purposes. However now when I go into my main zone I am seeing the following errors:
Some operations failed.
- _kerberos-master._tcp.AWS-us-east-1._locations: DNS resource record not found
- _kerberos-master._tcp.BEL1._locations: DNS resource record not found
- _kerberos-master._tcp.STL2._locations: DNS resource record not found
- _kerberos-master._udp.AWS-us-east-1._locations: DNS resource record not found
- _kerberos-master._udp.STL2._locations: DNS resource record not found
- _kerberos._tcp.AWS-us-east-1._locations: DNS resource record not found
- _kerberos._tcp.BEL1._locations: DNS resource record not found
- _kerberos._tcp.STL2._locations: DNS resource record not found
I did some digging on this error and came across an old article from the mailing list: Re: [Freeipa-users] "DNS resource record not found" error when searching
Which led me to the RHEL documentation on how to remove it. However I'm confused on which command I need to run in order to resolve the issue.
4 years, 2 months
Authenticating an external app via LDAP
by Maciej Drobniuch
Hey All,
I want to authenticate an external app against IPA via LDAP.
So I've created a user for the bind:
dn: uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: somepass123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
The external app runs the LDAP check successfully and can see the users
that belong to the group that's allowed to login.
Problem:
I cannot log in with the default "admin" account but I cannot log in with
any other account that's in the dn into the app.
Response is: "Invalid credentials"
base: 'cn=users,cn=accounts,dc=example,dc=com'
user_filter:
'(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=example,dc=com)'
Any ideas?
Thank You!
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense, LLC
4 years, 2 months
PKI Tomcat Server conflict with PWM
by barrykfl@gmail.com
Hi all:
I used to run FreeIPA on CentOS 6 and installed PWM together with the CA service; there
was no problem.
But now we have changed to CentOS 7, and it seems PKI Tomcat Server by default launches
on ports 8443 and 8080. Now I installed PWM (password manager), but
the PKI Tomcat 8080 port conflicts with PWM's 8080 port. I can change the port number,
but 8443 still seems to fail to display if I change it to 8444 etc.
Any idea? Can I stop PKI Tomcat's 8080 / 8443?
barry
4 years, 2 months
DNS forwarder policies
by Andrew Meyer
Is there a way to specify a policy for 1 zone to be on 1 server or on a set of servers in 1 location?
4 years, 2 months
IPA 4.5 on Centos7 - SSLV3_ALERT_HANDSHAKE_FAILURE
by Bob Clough
I'm having some issues talking to our new FreeIPA servers via TLS from Python 3.5 on Debian Stretch. Previously we had a FreeIPA 4.2 server on Fedora 23 which was not showing this error, but I suspect that's because it had SSLv3 turned on. I'm also having a similar error with etherpad's ldap support which is nodejs, so it isn't limited to just python.
Trying to open the ldap on port 636, or starttls on port 389 gives the following error:
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)
I've written the following minimal test case that shows the error:
#!/usr/bin/env python3
import socket, ssl

# Plain TCP socket, then wrap it for TLS. PROTOCOL_TLS negotiates the highest
# version both sides support; ciphers='ALL' enables every OpenSSL suite except
# the eNULL ones. (ssl.wrap_socket matches the Python 3.5 used here; newer
# releases deprecate it in favour of SSLContext.wrap_socket.)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
wrappedSocket = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLS, ciphers='ALL')
# LDAPS port; the handshake failure quoted above is raised here.
wrappedSocket.connect(("ipa1.hz.codethink.co.uk", 636))
wrappedSocket.close()
Connecting with openssl s_client -connect ipa1.hz.codethink.co.uk:636 connects successfully.
Any ideas how I can work around this? I *think* the error is a cipher set incompatibility between the two systems, but I've turned on all available non-null ciphers at both ends and am out of ideas beyond that.
4 years, 2 months
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
by Bret Wortman
Sequence of events in trying to stand up a new IPA server to replace
(wholesale) our old ones.
1. Built new box, which joined the existing IPA infrastructure as a client.
2. # ipa-client-install -U --uninstall
3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders
4. Inserted data using custom scripts which had pulled out and parsed
data from existing servers to set up users, hosts, dns entries, etc.
5. Tried to connect to server via firefox and was denied due to
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
6. Googled a lot.
7. Tried removing existing CA cert from firefox. No joy. It refused to
be removed.
8. Tried setting up a new profile in firefox. It got the old cert as well.
9. Tried removing the cert using certutil -D. Now httpd won't start.
10. Backed up the server using the ipa-backup script.
11. Deleted /etc/httpd/alias and restored the data from ipa-backup using
ipa-restore.
12. Httpd won't start. *Sigh*.
13. Ran ipa-server-install -U --uninstall
14. # ipa-server-install as above
15. # ipa-restore --data /path/to/backup
And now I'm back where I was. IPA is running and contains our user,
host, and DNS data (plus others) from the original hosts but I can't
connect to it using firefox. Any other possible solutions to this problem?
We're using the same realm & network name, and we have to do that.
--
*Bret Wortman*
President, Damascus Products LLC
855-644-2783 | 303-523-8037 | bret@damascusproducts.com |
http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030
4 years, 2 months
errors when adding a new server
by Andrew Meyer
So I rebuilt a server tonight and gave it a new hostname but I'm getting the following error when trying to add the new one.
Skip ipa.domain.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ipa.domain.local
Skip ipa.domain.local: cannot verify if this is an IPA server
Failed to verify that ipa.domain.local is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
There is nothing in the logs in /var/log. However when I run systemctl I see that the IPA service exited. But I can tell why.
The last thing I did was reboot the IPA server. This is a single IPA server domain setup running on CentOS 7.4 latest version of FreeIPA.
4 years, 2 months
Problems with updated ubuntu
by Jeff Goddard
I'm trying to deploy 2 new VMs which will be docker hosts. Our base
template is ubuntu 16.04 last patched on 1.2.18. The process is to spin up
a new VM from the template and then patch it, assign IP, and add to the
FreeIPA domain - all steps which occurred without error. However, I'm not able
to ssh into these new servers and also unable to log on as my user from the
console. Here are the errors from auth.log:
Feb 20 15:16:14 docker-prod-03 sshd[1056]: Server listening on 0.0.0.0 port 22.
Feb 20 15:16:14 docker-prod-03 sshd[1056]: Server listening on :: port 22.
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): check pass; user unknown
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jgoddard
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:account): could not identify user (from getpwnam(jgoddard))
Feb 20 15:16:27 docker-prod-03 login[1155]: Authentication failure
I spooled out a new VM from the template and did not update it, performed
the same tasks (hostname, ip assignment, IPA join), and do not have the
problems. Can I get some assistance in 1) isolating which sets of packages
caused the issue, and 2) reporting a bug if necessary?
Thanks,
Jeff
4 years, 2 months
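The auth.log excerpt above shows pam_sss accepting the password while pam_unix's account phase cannot resolve the same user through getpwnam, which separates the authentication path (SSSD) from the NSS lookup path. The following detector, an added example that is not part of the original post, finds that pattern across a log; the log text is the poster's lines re-joined, and the syslog/PAM regexes are assumptions about the line format.

```python
#!/usr/bin/env python3
"""Flag logins that pam_sss accepted but pam_unix's account phase could not
resolve via getpwnam. Added example, not from the original post; the log
is the poster's auth.log re-joined and the regexes are format assumptions."""
import re
from collections import defaultdict

AUTH_LOG = """\
Feb 20 15:16:14 docker-prod-03 sshd[1056]: Server listening on :: port 22.
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): check pass; user unknown
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jgoddard
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:account): could not identify user (from getpwnam(jgoddard))
Feb 20 15:16:27 docker-prod-03 login[1155]: Authentication failure
"""

# "<timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSS_OK_RE = re.compile(r"pam_sss\(\w+:auth\): authentication success;.* user=(\S+)")
NSS_FAIL_RE = re.compile(r"pam_unix\(\w+:account\): could not identify user "
                         r"\(from getpwnam\((\S+)\)\)")


def find_nss_gaps(log_text):
    """Return [(host, prog, pid, user)] for sessions where SSSD accepted
    the password but the account phase could not look the user up."""
    sss_ok = defaultdict(set)    # session -> users pam_sss authenticated
    nss_fail = defaultdict(set)  # session -> users getpwnam did not find
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        session = (m.group("host"), m.group("prog"), m.group("pid"))
        ok = SSS_OK_RE.search(m.group("msg"))
        if ok:
            sss_ok[session].add(ok.group(1))
        bad = NSS_FAIL_RE.search(m.group("msg"))
        if bad:
            nss_fail[session].add(bad.group(1))
    return [session + (user,) for session in sorted(nss_fail)
            for user in sorted(sss_ok[session] & nss_fail[session])]


if __name__ == "__main__":
    for host, prog, pid, user in find_nss_gaps(AUTH_LOG):
        # The password was verified by SSSD, so the failure is on the NSS
        # side (e.g. "sss" missing from the passwd line of nsswitch.conf).
        print("%s %s[%s]: %s authenticated by pam_sss but unknown to "
              "getpwnam; check NSS/sss configuration" % (host, prog, pid, user))
```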