ipa-server-install --dirsrv-config-file example
by Matveev Alexey
Hi list!
I'm sorry for a dumb question, but I can't find documentation on the LDIF file syntax that can be used for an unattended installation, like ipa-server-install --dirsrv-config-file params.ldif. Can someone point me to this doc or share an example of this file?
Thanks,
Alex M.
6 years, 2 months
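An illustration of what such a file can look like, added here and not taken from the post above or from the FreeIPA documentation. As I understand the option, --dirsrv-config-file takes an ordinary LDIF "changetype: modify" file that the installer applies to the cn=config entry (dse.ldif) of the new 389 Directory Server instance while it is being set up, so the attribute names are plain 389-ds configuration attributes. The two settings below (the audit log and the audit-fail log, both off by default) are my own choice of example; check the man page of the ipa-server-install version you actually have before relying on this.

```ldif
# Example for: ipa-server-install --dirsrv-config-file params.ldif
# Assumed format: LDIF modify operations applied to cn=config of the new instance.
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: nsslapd-auditfaillog-logging-enabled
nsslapd-auditfaillog-logging-enabled: on
```

Keep the file to settings that do not interfere with the installer's own binds (for example, do not raise nsslapd-minssf or restrict anonymous access here); those are safer to tighten after the install has finished.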
IPA 4.5 with radius server
by barrykfl@gmail.com
Hi :
Does anyone have experience using FreeIPA 4.0 or above as a RADIUS server? E.g. we want Wi-Fi
to use RADIUS, with everyone using their LDAP password.
How to implement it? Is a special plugin needed? It seems it needs a new
attribute that can generate a hashed password and sync it with LDAP?
Thx and Regards
Barry
6 years, 2 months
FreeIPA in EC2
by Andrew Meyer
We are trying to deploy FreeIPA in our environment; this will be a mix of local servers and servers to manage auth in EC2. We have a VPN tunnel set up and are able to communicate across it. In an Amazon Linux 2 instance I was able to get FreeIPA installed as a client and am now trying to promote it to a replica. However, I am getting the following error:
[ec2-user@freeipa-host ~]$ sudo ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
Password for admin@domain.NET:
ipa : ERROR Reverse DNS resolution of address 10.10.52.158 (infra-freeipa1-aws.gatewayblend.net) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Doing some digging on Google I found this
https://yyhh.org/blog/2017/12/freeipa-aws-ec2.
In this instance DNS was NOT setup on the FreeIPA machine in AWS and fqdn were setup in /etc/hosts and /etc/hostname.
1) Is this the preferred method?
2) Could I still install DNS on the server in AWS to ONLY manage an internal zone?
6 years, 2 months
Group membership and AD trust problem
by Борис Сухинин
I'm having trouble with group membership and a one-way FreeIPA to AD trust. It seems IPA does not update the LDAP compat tree entry for a group when there are external users present. Also, "getent group" sometimes shows an outdated members list.
IPA master: ipa.idmlab.local, FreeIPA 4.5.0 on CentOS 7.4.1708
AD DC: ad.adlab.local, Windows Server 2012 R2 (W2K8 domain and forest functional level)
On the IPA side there are a POSIX group named "posix-group", an external group named "external-group" and users named "ipauserX". On the AD side there are users with names starting with "aduser". "external-group" is a member of "posix-group". Both groups are initially empty.
[root@ipa ~]# ipa group-show posix-group
Group name: posix-group
GID: 177000030
Member groups: external-group
[root@ipa ~]# ipa group-show external-group
Group name: external-group
Member of groups: posix-group
I add "ipauser1" to "posix-group" and everything works as expected.
[root@ipa ~]# ipa group-add-member posix-group --users=ipauser1
Group name: posix-group
GID: 177000030
Member users: ipauser1
Member groups: external-group
-------------------------
Number of members added 1
-------------------------
[root@ipa ~]# ipa group-show posix-group
Group name: posix-group
GID: 177000030
Member users: ipauser1
Member groups: external-group
[root@ipa ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=groups,cn=compat,dc=idmlab,dc=local' '(cn=posix-group)' '*'
SASL/GSSAPI authentication started
SASL username: admin@IDMLAB.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: cn=posix-group,cn=groups,cn=compat,dc=idmlab,dc=local
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 177000030
memberUid: ipauser1
ipaAnchorUUID:: OklQQTppZG1sYWIubG9jYWw6ODJiOGE5ZjQtMDkyNC0xMWU4LThhNmItMDAwYz
I5MmYxZmFl
cn: posix-group
[root@ipa ~]# getent group posix-group
posix-group:*:177000030:ipauser1
Then I add "aduser1@adlab.local" to "external-group" and strange things happen. Notice that "aduser1@adlab.local" is not in the compat tree members list.
[root@ipa ~]# ipa group-add-member external-group --external=aduser1@adlab.local
[member user]:
[member group]:
Group name: external-group
External member: S-1-5-21-669726201-3117635978-240273332-1604
Member of groups: posix-group
-------------------------
Number of members added 1
-------------------------
[root@ipa ~]# ipa group-show external-group
Group name: external-group
External member: aduser1@adlab.local
Member of groups: posix-group
[root@ipa ~]# ipa group-show posix-group
Group name: posix-group
GID: 177000030
Member users: ipauser1
Member groups: external-group
[root@ipa ~]# getent group posix-group
posix-group:*:177000030:ipauser1,aduser1@adlab.local
[root@ipa ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=groups,cn=compat,dc=idmlab,dc=local' '(cn=posix-group)' '*'
SASL/GSSAPI authentication started
SASL username: admin@IDMLAB.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: cn=posix-group,cn=groups,cn=compat,dc=idmlab,dc=local
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 177000030
ipaAnchorUUID:: OklQQTppZG1sYWIubG9jYWw6ODJiOGE5ZjQtMDkyNC0xMWU4LThhNmItMDAwYz
I5MmYxZmFl
cn: posix-group
memberUid: ipauser1
Now if I add another user to "posix-group", the compat tree gets updated, but it is still one step behind.
[root@ipa ~]# ipa group-add-member posix-group --users=ipauser2
Group name: posix-group
GID: 177000030
Member users: ipauser1, ipauser2
Member groups: external-group
-------------------------
Number of members added 1
-------------------------
[root@ipa ~]# ipa group-show posix-group
Group name: posix-group
GID: 177000030
Member users: ipauser1, ipauser2
Member groups: external-group
[root@ipa ~]# getent group posix-group
posix-group:*:177000030:ipauser1,ipauser2,aduser1@adlab.local
[root@ipa ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=groups,cn=compat,dc=idmlab,dc=local' '(cn=posix-group)' '*'
SASL/GSSAPI authentication started
SASL username: admin@IDMLAB.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: cn=posix-group,cn=groups,cn=compat,dc=idmlab,dc=local
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 177000030
ipaAnchorUUID:: OklQQTppZG1sYWIubG9jYWw6ODJiOGE5ZjQtMDkyNC0xMWU4LThhNmItMDAwYz
I5MmYxZmFl
cn: posix-group
memberUid: ipauser1
memberUid: aduser1@adlab.local
Finally I remove "external-group" from "posix-group". This time the compat tree gets updated, but getent still reports users from the AD domain.
[root@ipa ~]# ipa group-remove-member posix-group --groups=external-group
Group name: posix-group
GID: 177000030
Member users: ipauser1, ipauser2
---------------------------
Number of members removed 1
---------------------------
[root@ipa ~]# getent group posix-group
posix-group:*:177000030:ipauser1,ipauser2,aduser1@adlab.local
[root@ipa ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=groups,cn=compat,dc=idmlab,dc=local' '(cn=posix-group)' '*'
SASL/GSSAPI authentication started
SASL username: admin@IDMLAB.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: cn=posix-group,cn=groups,cn=compat,dc=idmlab,dc=local
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 177000030
memberUid: ipauser1
memberUid: ipauser2
ipaAnchorUUID:: OklQQTppZG1sYWIubG9jYWw6ODJiOGE5ZjQtMDkyNC0xMWU4LThhNmItMDAwYz
I5MmYxZmFl
cn: posix-group
And after I run id against the AD user, the getent output gets updated.
[root@ipa ~]# getent group posix-group
posix-group:*:177000030:ipauser1,ipauser2,aduser1@adlab.local
[root@ipa ~]# id aduser1@adlab.local
uid=1679001604(aduser1@adlab.local) gid=1679001604(aduser1@adlab.local) groups=1679001604(aduser1@adlab.local),1679000513(domain users@adlab.local)
[root@ipa ~]# getent group posix-group
posix-group:*:177000030:ipauser1,ipauser2
I've noticed some caching / data provider issues in sssd_nss.log:
(Sun Feb 4 02:41:15 2018) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
(Sun Feb 4 02:41:15 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #36: Data Provider Error: 1, 11, Offline
(Sun Feb 4 02:41:15 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0400): CR #36: Due to an error we will return cached data
(Sun Feb 4 02:41:15 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #36: Looking up [ID:177000030@idmlab.local] in cache
Would be grateful for help in resolving this issue!
6 years, 2 months
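The sssd_nss.log lines quoted in the post above say what happened to that getent call: the data provider reported "Offline" and SSSD explicitly fell back to cached data for cache request #36, which is the group with GID 177000030. The following is an added example, not code from the post or from SSSD, that runs that reading over a log mechanically: it parses SSSD's "(timestamp) [sssd[nss]] [function] (level): message" layout, re-joins lines that were wrapped in a paste, and reports every cache request that got a non-zero data provider error and was then answered from the cache. The sample log is constructed in the shape of the excerpt above; it is not a real log.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the sssd_nss.log excerpt quoted above; written
# for this example, not a real log. The second line is a wrapped continuation.
SAMPLE_LOG = """\
(Sun Feb  4 02:41:15 2018) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error
message: Offline
(Sun Feb  4 02:41:15 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #36: Data Provider Error: 1, 11, Offline
(Sun Feb  4 02:41:15 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0400): CR #36: Due to an error we will return cached data
(Sun Feb  4 02:41:15 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #36: Looking up [ID:177000030@idmlab.local] in cache
(Sun Feb  4 02:41:20 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #37: Looking up [NAME:ipauser2@idmlab.local] in cache
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<comp>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
CR_RE = re.compile(r"^CR #(?P<cr>\d+): (?P<rest>.*)$")
DP_ERR_RE = re.compile(r"Data Provider Error: (?P<code>\d+), (?P<errno>\d+), (?P<text>.+)$")
LOOKUP_RE = re.compile(r"Looking up \[(?P<key>[^\]]+)\] in cache")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split log text into records. A line that does not start a record is
    treated as a wrapped continuation of the previous message (as happens
    when a log is pasted into mail)."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += " " + raw.strip()
    return records


def find_stale_cache_answers(text: str) -> List[Dict[str, object]]:
    """One finding per cache request (CR #n) whose data provider call failed
    and which SSSD then answered from its local cache. Such answers may be
    stale, which is exactly how an outdated 'getent group' result looks."""
    requests: Dict[int, Dict[str, object]] = {}
    for rec in parse_records(text):
        m = CR_RE.match(rec["msg"])
        if not m:
            continue
        cr = int(m.group("cr"))
        rest = m.group("rest")
        req = requests.setdefault(
            cr, {"cr": cr, "ts": rec["ts"], "dp_error": None, "served_from_cache": False, "key": None}
        )
        e = DP_ERR_RE.search(rest)
        if e and int(e.group("code")) != 0:
            req["dp_error"] = f"{e.group('code')}/{e.group('errno')} {e.group('text')}"
        if "we will return cached data" in rest:
            req["served_from_cache"] = True
        k = LOOKUP_RE.search(rest)
        if k:
            req["key"] = k.group("key")
    return [r for r in requests.values() if r["dp_error"] and r["served_from_cache"]]


if __name__ == "__main__":
    for f in find_stale_cache_answers(SAMPLE_LOG):
        print(f"{f['ts']}: CR #{f['cr']} {f['key']} answered from cache after DP error {f['dp_error']}")
```

A hit here means the name-service answer did not come from the server at that moment, so comparing it with the LDAP compat tree is comparing two different points in time; "sssctl domain-status" for the domain and "sss_cache -E" to invalidate the cache are the usual next steps before drawing conclusions about the compat plugin itself.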
FreeIPA and AD trust
by Nathan Harper
Hi,
Clearly my Google skills are lacking, as I've not been able to find
anything definitive (mainly just old versions of IPA).
We have a well used FreeIPA domain, but I have a few appliances and
applications that require Active Directory. I can find information about
configuring AD to trust freeIPA, but not the other way around. Can we
configure our IPA at example.com to be trusted by an AD subdomain at
ad.example.com? And if so, can anyone point me in the right direction?
--
*Nathan Harper* // IT Systems Lead
*e: *nathan.harper(a)cfms.org.uk *t*: 0117 906 1104 *m*: 0787 551 0891
*w: *www.cfms.org.uk
CFMS Services Ltd // Bristol & Bath Science Park // Dirac Crescent // Emersons
Green // Bristol // BS16 7FR
CFMS Services Ltd is registered in England and Wales No 05742022 - a
subsidiary of CFMS Ltd
CFMS Services Ltd registered office // 43 Queens Square // Bristol // BS1
4QPH
6 years, 2 months
something happened - unable to join new clients
by skrawczenko@gmail.com
Hundreds of clients have been joined earlier, never with such an issue.
What could have happened? Please advise.
Client debug - nothing suspicious until:
2018-02-02T10:07:47Z DEBUG args=/usr/sbin/ipa-join -s <arguments>
2018-02-02T10:07:50Z DEBUG Process finished, return code=17
2018-02-02T10:07:50Z DEBUG stdout=
2018-02-02T10:07:50Z DEBUG stderr=No permission to join this host to the IPA domain.
Server debug, not sure if related to the above error:
[Fri Feb 02 02:07:48.515408 2018] [auth_gssapi:error] [pid 28668] [client <ip>:52140] NO AUTH DATA Client did not send any authentication headers, referer: https://ipa.host/ipa/xml
SELinux is disabled on the client side.
Server version 4.5.0
I'm using -p admin to join clients. Therefore permissions are full.
Any ideas please.
6 years, 2 months
Nextcloud with Freeipa and AD
by Николай Савельев
I have FreeIPA with an AD trust. All works fine.
I want Nextcloud with all users, AD and IPA.
I set up Nextcloud according to this article:
https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
But I want to restrict users to only one group.
When I open the User Filter tab I get the message:
The group box was disabled, because the LDAP / AD server does not support memberOf.
I looked at the LDAP tree:
cn=users,cn=accounts,dc=domain,dc=lan - the users there have a memberOf attribute, but there are no AD users.
cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but the users there don't have a memberOf attribute.
What's wrong?
---
Regards, Nikolay.
6 years, 2 months
Issue with SCEP enrollment to sub-CA
by Trevor Vaughan
Hi All,
I have a setup where I have a root CA and a sub CA and the sub CA is set up
with a KRA and SCEP enabled.
I've fired up certmonger and added the SCEP CA.
When I attempt to request a certificate, the enrollment completes
successfully per the Dogtag side of the equation but the response from the
server cannot be decrypted by the client and I get the following error in
the certmonger debug log:
2018-01-29 23:56:43 [5396] Child output:
"Error: failed to verify signature on server response.
"
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
The following commands were used for server addition and certificate
registration.
getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
Looking at the certmonger code, it looks like it is completely skipping all
of the case statements and simply dropping down to the 'goto:'
https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
I've tried recompiling certmonger with some debug statements but I haven't
managed to suss out what's going on. If someone could tell me how to print
the actual response from the server, it would be appreciated.
It certainly feels like the SCEP support has taken a back seat to the CMC
features but the CMC features just aren't ready to replace SCEP at this
time and, of course, can't support a lot of hardware requirements.
Any help is appreciated.
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
6 years, 2 months
Versions
by Sean Hogan
Hello,
I used to be able to find a chart online that showed RHEL version to IPA
version but can no longer find it. Do you have a link to such info?
Need it for road-mapping of IPAs.
Sean Hogan
6 years, 2 months
ipa-server-install fails in [27/31] migrating certificate profiles to LDAP
by Felipe_G0NZÁLEZ_SANTIAG0
I'm new to FreeIPA.
I'm using:
ipa --version
VERSION: 4.4.3, API_VERSION: 2.215
I've been trying to install FreeIPA on Ubuntu 16.04 and Ubuntu 17.04, but I get an error:
#ipa-server-install
........................
[26/31]: restarting certificate server
[27/31]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://ubuntu.ipa.cu:8443/ca/rest/account/login': Could not connect to ubuntu.ipa.cu using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
ipa.ipapython.install.cli.install_tool(Server): ERROR cannot connect to 'https://ubuntu.ipa.cu:8443/ca/rest/account/login': Could not connect to ubuntu.ipa.cu using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The output of the "tail -f /var/log/ipaserver-install.log" command is:
File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line 1290, in __enter__
method='GET'
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 156, in https_request
method=method, headers=headers)
File "/usr/lib/python2.7/dist-packages/ipapython/dogtag.py", line 207, in _httplib_request
raise NetworkError(uri=uri, error=str(e))
2018-02-05T14:49:51Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://ubuntu.ipa.cu:8443/ca/rest/account/login': Could not connect to ubuntu.ipa.cu using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
2018-02-05T14:49:51Z ERROR cannot connect to 'https://ubuntu.ipa.cu:8443/ca/rest/account/login': Could not connect to ubuntu.ipa.cu using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
2018-02-05T14:49:51Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
What's wrong?
Please answer me via this email; I'm not a member of the freeipa-users list.
The @universidad_uci is Fidel: 15 years connected to the future... connected to the Revolution
2002-2017
6 years, 2 months
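Two of the threads above fail on the server's own name: the EC2 replica install stops because the reverse lookup of 10.10.52.158 does not return the replica's FQDN (and the post notes that this check queries IPA DNS directly and ignores /etc/hosts), and the Ubuntu install stops because the installer "could not connect to ubuntu.ipa.cu using any address". In both cases the first thing to establish is what the FQDN resolves to and whether the reverse records agree. The check below is an added example, not from either post and not the installer's code: it performs the comparison the installer describes (forward name to addresses, each address back to names, and whether any address is usable at all, since a name that resolves only to 127.0.1.1 from a Debian/Ubuntu-style /etc/hosts line is unreachable by remote clients). The hostnames, addresses and PTR names in the test data are constructed; the script name check_host.py is an assumption.

```python
import ipaddress
import socket
from typing import Dict, List, Sequence, Tuple


def check_host(fqdn: str, addresses: Sequence[str], ptr_names: Dict[str, Sequence[str]]) -> List[str]:
    """Return a list of problems for fqdn, given the addresses its name resolves
    to and, for each address, the names its PTR record(s) point back to.
    An empty list means forward and reverse resolution agree and the host has
    at least one non-loopback address."""
    problems: List[str] = []
    fqdn = fqdn.rstrip(".").lower()
    if not addresses:
        return [f"{fqdn}: no A/AAAA record"]
    ips = [ipaddress.ip_address(a) for a in addresses]
    routable = [ip for ip in ips if not (ip.is_loopback or ip.is_link_local)]
    if not routable:
        # Typical of a Debian/Ubuntu "127.0.1.1 host.example" /etc/hosts entry with no
        # DNS record: anything bound to the real interface is unreachable under this name.
        problems.append(f"{fqdn}: resolves only to loopback/link-local ({', '.join(addresses)})")
    for ip in routable:
        names = [n.rstrip(".").lower() for n in ptr_names.get(str(ip), [])]
        if not names:
            problems.append(f"{ip}: no PTR record")
        elif fqdn not in names:
            problems.append(f"{ip}: PTR names {names} do not include {fqdn}")
    return problems


def resolve_via_nss(fqdn: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Gather the same inputs from the local resolver. Caveat: this goes through
    NSS, so /etc/hosts is consulted first, whereas the installer's check asks
    IPA DNS directly; if the two disagree, query the DNS server (dig -x) as well."""
    addrs = sorted({info[4][0].split("%", 1)[0] for info in socket.getaddrinfo(fqdn, None)})
    ptr: Dict[str, List[str]] = {}
    for a in addrs:
        try:
            host, aliases, _ = socket.gethostbyaddr(a)
            ptr[a] = [host, *aliases]
        except (socket.herror, socket.gaierror):
            ptr[a] = []
    return addrs, ptr


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    addrs, ptr = resolve_via_nss(name)
    for line in check_host(name, addrs, ptr) or [f"{name}: OK ({', '.join(addrs)})"]:
        print(line)
```

Run it as "python3 check_host.py ipa1.example.test" on the machine you are about to install on; a result other than OK is worth fixing before ipa-server-install or ipa-replica-install, because both the CA connection and client enrolment use that name, not the address.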