Integrations with non-linux environments
by Jeffrey Parker
Hello, we have a mixed environment with Windows, Linux, and Mac OSX systems. I was trying to test out FreeIPA for basic authentication in this environment, but so far nothing has worked. Currently for testing I have FreeIPA 4.6.90.pre1 installed. I tried the walkthrough for Mac OSX and kerberos worked, but I could not get the OS login to do anything but local users. Windows desktop system would not even see the kerberos realm so could not do anything, and Windows domain controller when I try to add trust on FreeIPA I get an error that says "ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted login is invalid. This is either duet to a bad username or authentication information." (both may be "None")". In every case I was just following what is shown on the web site for the how to's on this. The Mac system is running high sierra with latest patches. The windows desktop is Windows 10 with latest patches and the windows server is Windows Server 2016, I used domain functional level 2016, 2008, and 2012, all did the same thing.
5 years, 10 months
LDAP encryption errors
by Per Qvindesland
Hi All
We’re getting the following entries in the error logs
[10/May/2018:15:37:18.628665013 +0100] - ERR - ipapwd_encrypt_encode_key - [file encoding.c, line 143]: no krbPrincipalName present in this entry
[10/May/2018:15:37:18.630473873 +0100] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed
Is this related to the failed binds? Is there any way of turning on debug logging?
The connection string is $ds = ldap_connect($hostport, $port); then we are setting some connection options:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
Then binding using admin credential: $result = ldap_bind($ds, $rdn, $pass);
We can connect to freeipa but we are suspecting that we might be using the wrong encryption {SHA} in plain text then results in err 19 which results in operations error.
Regards
Per
5 years, 10 months
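The two ERR lines quoted in the post above follow the fixed layout of the 389 Directory Server errors log: a bracketed timestamp, a severity, the emitting component, an optional "[file X, line N]" location and the message. The following added example (not code from FreeIPA or 389-ds) parses that layout and groups ERR entries that occur within a short window of each other, which is how a chained failure such as ipapwd_encrypt_encode_key followed by ipapwd_gen_hashes shows up. The first two sample lines are the ones from the post; the INFO line and the malformed line are constructed to exercise the optional location and the reject path.

```python
"""Parse 389-ds errors-log lines and correlate bursts of ERR entries.

Added example; not FreeIPA or 389-ds code. The log layout is the one
visible in the post; the INFO and malformed sample lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# [dd/Mon/yyyy:HH:MM:SS.nnnnnnnnn +ZZZZ] - SEVERITY - component - [file X, line N]: message
# The "[file ..., line ...]" location is optional: not every component emits it.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<severity>[A-Z]+) - (?P<component>[^-]+?) - "
    r"(?:\[file (?P<file>[^,]+), line (?P<line>\d+)\]: )?(?P<message>.*)$"
)

SAMPLE_LINES = [
    # The two lines from the post:
    "[10/May/2018:15:37:18.628665013 +0100] - ERR - ipapwd_encrypt_encode_key - "
    "[file encoding.c, line 143]: no krbPrincipalName present in this entry",
    "[10/May/2018:15:37:18.630473873 +0100] - ERR - ipapwd_gen_hashes - "
    "[file encoding.c, line 234]: key encryption/encoding failed",
    # Constructed: an informational line without a file/line location.
    "[10/May/2018:15:37:20.000000000 +0100] - INFO - slapd_daemon - slapd started.",
    # Constructed: something that is not an errors-log line at all.
    "not a log line",
]


def parse_timestamp(ts: str) -> datetime:
    """Convert '10/May/2018:15:37:18.628665013 +0100' into an aware datetime.

    389-ds writes nine fractional digits; strptime's %f accepts at most six,
    so the nanosecond field is truncated to microseconds.
    """
    m = re.match(r"^(\S+?):(\d\d:\d\d:\d\d)\.(\d+) ([+-]\d{4})$", ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    date, clock, frac, tz = m.groups()
    micro = frac[:6].ljust(6, "0")
    return datetime.strptime(f"{date} {clock}.{micro} {tz}", "%d/%b/%Y %H:%M:%S.%f %z")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured entry for one errors-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": parse_timestamp(d["ts"]),
        "severity": d["severity"],
        "component": d["component"],
        "file": d["file"],
        "line": int(d["line"]) if d["line"] else None,
        "message": d["message"],
    }


def parse_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse all lines, silently dropping those that are not errors-log entries."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def error_counts(entries: List[Dict[str, object]], severity: str = "ERR") -> Counter:
    """Count entries of the given severity per emitting component."""
    return Counter(e["component"] for e in entries if e["severity"] == severity)


def correlated_errors(entries: List[Dict[str, object]],
                      window: timedelta = timedelta(seconds=1)) -> List[List[Dict[str, object]]]:
    """Group ERR entries whose timestamps lie within `window` of the group's first entry.

    A single failing operation in 389-ds typically produces a chain of plugin
    errors a few milliseconds apart, so each group approximates one root cause.
    """
    groups: List[List[Dict[str, object]]] = []
    current: List[Dict[str, object]] = []
    for e in entries:
        if e["severity"] != "ERR":
            continue
        if current and e["time"] - current[0]["time"] > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return groups


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LINES)
    print("errors per component:", dict(error_counts(parsed)))
    for group in correlated_errors(parsed):
        print(f"{len(group)} correlated error(s) starting at {group[0]['time'].isoformat()}:")
        for e in group:
            print(f"  {e['component']}: {e['message']}")
```

Run it against a real /var/log/dirsrv/slapd-INSTANCE/errors by feeding the file's lines to parse_log; the correlation window is deliberately short so that unrelated errors minutes apart are not merged.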
Update Zanata ipa.pot
by Levin Stanislav
Dear Dev Team,
I've checked PR 1926 (Update 4.7 translations) - Russian part.
According to Zanata
(https://fedora.zanata.org/iteration/view/freeipa/master/languages/ru?dswi...
progress is ~99%.
But actually there are missing translations.
The reason: the ipa.pot file is slightly outdated:
"Project-Id-Version: freeipa 4.5.90.dev201709011157+git5dcb0e6fc\n"
"POT-Creation-Date: 2017-09-01 13:58+0200\n"
According to release page https://www.freeipa.org/page/Release
>
> Push source documents to Zanata server
>
> !!! This should be done periodically *weeks* and *months* before
> release to give time to translators
>
Please somebody push an updated ipa.pot to Zanata or tell me who can do
it (I'll contact them).
Thank you in advance.
5 years, 10 months
Announcing FreeIPA v4.6.90.pre2 release
by Rob Crittenden
The FreeIPA team would like to announce FreeIPA 4.6.90.pre2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 28 and rawhide will be available in the Fedora repositories.
== Highlights in 4.6.90.pre2 ==
The major new features of this release are:
* Switch from using mod_nss for the Apache TLS engine to using mod_ssl.
Upgrading will move the certificates and keys from /etc/httpd/alias to
/var/lib/ipa/certs/.
* Switch time client and server from ntp to chrony.
* Switch from using authconfig to authselect to configure the PAM stack.
* Kerberos clients can now use SPAKE to strengthen their handshake with
a FreeIPA KDC based on elliptic curve cryptography. See IETF draft
draft-ietf-kitten-krb-spake-preauth-05 and relevant portions of
krb5.conf(5) and kdc.conf(5) for details. SPAKE is enabled for new IPA
servers and clients by default.
* Thanks to our translation volunteers, FreeIPA 4.6.90.pre2 sees a major
update for Chinese, French, Russian, and Ukrainian languages.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a
part of 4.7.0.
There are more than 70 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7530 external CA replica installation fails with CA_UNREACHABLE
* 7529 AVC denials and errors for IPA server installed on Fedora28
* 7524 ipa-client-install fails because of missing file
/usr/share/ipa/freeipa.template
* 7523 external CA installation: step two reports self-signed configuration
* 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has
occurred"
* 7519 Adding SSH keys for AD users as I created overrides
* 7518 Improve Custodia client and key distribution handling
* 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf
despite the migration to ssl.conf
* 7514 Allow to create Kerberos services without a corresponding host object
* 7513 Allow Kerberos services to be members of IPA groups
* 7512 Missing dependency for freeipa-client: python3-augeas
* 7510 validate_selinuxuser does not allow a period in selinux user
identifier
* 7508 Trust tests for Posix support are failing with Assertion Error
None on Windows Server 2016
* 7507 ui_tests: extend test_user suite
* 7505 WebUI tests: Extend netgroup tests
* 7503 multiple occurrences of profileId in certprofile causes incorrect
behaviour
* 7499 Integration tests dns_location in regards of check NTP records
failing
* 7498 [F28] CA replica fails with could not find certificate named
"caSigningCert cert-pki-ca"
* 7496 csrgen fails if subject base contains lower-case attribute names
* 7490 installutils.set_directive doesn't handle debian ssl.conf properly
* 7489 Test test_caless_TestCertInstall is failing in nightly
* 7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases
* 7486 Allow hosts to delete their own services
* 7485 Extending webui user group test
* 7484 Load ipaclient.csrgen on demand to speed up CLI
* 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
* 7474 ipa-server-install --uninstall on replica fails with
"NoOptionError: No option 'ldap_uri' in section: 'global'"
* 7473 ERROR: No valid Negotiate header in server response
* 7470 TestBasicADTrust.test_ipauser_authentication is failing with
error "Confidentiality required"
* 7469 ipa-replica-prepare fail with "stat: path should be string,
bytes, os.PathLike or integer, not NoneType"
* 7468 test_host.py::test_host::test_crud is failing in nightly tests
* 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
* 7463 test_webui: add user life-cycles tests
* 7461 Hardening of topology plugin to prevent erronous deletion of a
replica agreement
* 7459 [RFE] replica-install: warn when only one CA exists in topology
* 7458 ui_tests: extend test_hostgroup.py suite
* 7456 ipa otptoken-add should use LDAP Whoami call
* 7454 Upgrade from F27 to F28 produces an error while updating
ipa.conf.template
* 7450 "This entry already exists" error when upgrading on IPA 4.5
* 7442 Replication agreement status incorrectly checked
* 7441 ui_tests: extend test_service.py suite
* 7436 ipa: Please log something after restarting the KDC
* 7427 User Administrator doesn't have enough privileges to edit
homeDirectory attribute
* 7426 DogtagInstance.backup_config creates backup with wrong owner
* 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn
-s CA
* 7424 Improve Realm Domains doc text
* 7421 Store HTTPD private keys encrypted
* 7415 CA installer need to check availability of port 8080
* 7410 ipa-replica-install --add-agents option doesn't install
trust-agent on replica
* 7377 Investigate and define plan of authconfig replacement in FreeIPA
* 7376 clear sssd cache when uninstalling client
* 7366 RFE: ipa client should setup openldap for GSSAPI
* 7330 ipa-server-install --uninstall does not return error code on error
* 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
* 7095 [tracker] please rotate & compress
/var/lib/pki/pki-tomcat/logs/ca/debug
* 7041 [ipa-replica-install] - KDC has no support for encryption type -
reoccurence in multireplica scenario
* 7024 freeipa depends on ntp
* 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still
deletes group
* 6843 ipa-backup does not create log file at /var/log/
* 5776 webui: some data disappear from user details page after the save
action is performed
* 5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests
* 4853 Utilize system-wide crypto-policies
== Detailed changelog since 4.6.90.pre1 ==
=== Alexander Bokovoy (13) ===
* group: allow services as members of groups
* service: allow creating services without a host to manage them
* group-del: add a warning to logs when password policy could not be removed
* idoverrideuser-add: allow adding ssh key in web ui
* ACL: Allow hosts to remove services they manage
* install: validate AD trust-related options in installers
* replication: support error messages from 389-ds 1.3.5 or later
* upgrade: treat duplicate entry when updating as not an error
* Allow anonymous access to parentID attribute
* upgrade: Run configuration upgrade under empty ccache collection
* use LDAP Whoami command when creating an OTP token
* Update template directory with new variables when upgrading
ipa.conf.template
* Processing of server roles should ignore errors.EmptyResult
=== Alexey Slaykovsky (1) ===
* Make tox tests to generate results in JUnit XML
=== amitkuma (5) ===
* RFE: ipa client should setup openldap for GSSAPI
* Correcting detect typo in server.m4
* Correction of management spelling.
* clear sssd cache when uninstalling client
* clear sssd cache when uninstalling client
=== Anuja More (2) ===
* Adding test-cases for ipa-cacert-manage
* Adding test-cases for ipa-cacert-manage
=== Christian Heimes (32) ===
* Revert "Validate the Directory Manager password"
* Create missing /etc/httpd/alias for ipasession.key
* Only run subset of external CA tests
* Require Dogtag 10.6.1
* Require nss with fix for nickname bug
* ipa-client package needs sssd-tool
* Make ipatests' create_external_ca a script
* Load certificate files as binary data
* Remove contrib/nssciphersuite
* Compatibility with pytest 3.4
* Use shutil to copy file
* Use single Custodia instance in installers
* Add augeas dependency to client package
* Create users in server-common pre hook
* Require 389-ds-base >= 1.4.0.8-1
* CA replica PKCS12 workaround for SQL NSSDB
* Add nsds5ReplicaReleaseTimeout to replica config
* Fix Python dependencies
* Remove os.chdir() from test_ipap11helper
* certdb: Move chdir into subprocess call
* Provide ldap_uri in Custodia uninstaller
* Defer import of ipaclient.csrgen
* Require more recent glibc on F27
* Load librpm on demand for IPAVersion
* Fix installer CA port check for port 8080
* Temporarily disable authconfig backup and restore
* Cleanup and remove more files on uninstall
* Fix compatibility with latest pytest
* More cleanup after uninstall
* Require Dogtag PKI >= 10.6
* Keep owner when backing up CA.cfg
* Pylint 1.8.3 fixes
=== Felipe Barreto (10) ===
* Fixing tests on TestReplicaManageDel
* Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
* Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
* Adding GSSPROXY_CONF to be backed up on ipa-backup
* Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
* Fix TestSubCAkeyReplication providing the right path to pki log
* temp commit: adding test to PR CI run
* Adding right parameters to install IPA in
TestInstallMasterReservedIPasForwarder
* Changing Django's CoC to reflect FreeIPA CoC
* Adding Django's Code of Conduct
=== Florence Blanc-Renaud (8) ===
* authselect migration: use stable interface to query current config
* authselect test: skip test if authselect is not available
* ipa-advise: adapt config-client-for-smart-card-auth to authselect
* Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
* New tests for authselect migration
* Migration from authconfig to authselect
* ipa-advise config-server-for-smart-card-auth: use mod-ssl
* ipa-replica-install: make sure that certmonger picks the right master
=== Fraser Tweedale (12) ===
* install: fix reported external CA configuration
* csrgen: fix when attribute shortname is lower case
* csrgen: drive-by docstring
* csrgen: support initialising OpenSSL adaptor with key object
* py3: fix csrgen error handling
* certprofile: add tests for config profileId scenarios
* certprofile: reject config with multiple profileIds
* Fix upgrade (update_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout
=== Ganna Kaihorodova (5) ===
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder
=== Takeshi MIZUTA (1) ===
* Fix some typos in man page
=== Michal Reznik (18) ===
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function
=== Varun Mylaraiah (3) ===
* WebUI tests: Extend netgroup tests with more scenarios
* Fixed improper clean-up in test_host::test_kerberos_flags added
closing the notification in kerberos flags
* WebUI tests: Extend user group tests with more scenarios
=== Pavel Picka (1) ===
* WebUI Hostgroups tests cases added
=== Petr Vobornik (4) ===
* webui: refresh complex pages after modification
* Fix order of commands in test for removing topology segments
* webui tests: fix test_host:test_crud failure
* realm domains: improve doc text
=== Rob Crittenden (16) ===
* Fix certificate retrieval in ipa-replica-prepare for DL0
* Disable message about log in ipa-backup if IPA is not configured
* Use a regex in installutils.get_directive instead of line splitting
* Handle whitespace, add separator to regex in set_directive_lines
* Validate the Directory Manager password before starting restore
* Log service start/stop/restart message
* Update project metadata in ipasetup.py.in
* Allow dot as a valid character in an selinux identity name
* Remove xfail from CALes test test_http_intermediate_ca
* Some PKCS#12 errors are reported with full path names
* ipa-server-certinstall failing, unknown option realm
* Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
* Break out of teardown in test_replica_promotion.py if no config
* Remove the Continuous installer class, it is unused
* Return a value if exceptions are raised in server uninstall
* VERSION.m4: Set back to git snapshot
=== Robbie Harwood (2) ===
* Move krb5 snippet into freeipa-client-common
* Enable SPAKE support using krb5.conf.d snippet
=== Stanislav Laznicka (11) ===
* Allow user administrator to change user homedir
* mod_ssl: add SSLVerifyDepth for external CA installs
* Add absolute_import to test_authselect
* Fix typo in ipa-getkeytab --help
* Add absolute_import future imports
* replica-install: pass --ip-address to client install
* ipa_backup: Backup the password to HTTPD priv key
* Fix upgrading of FreeIPA HTTPD
* Remove py35 env from tox testing
* Encrypt httpd key stored on disk
* Dogtag configs: rename deprecated options
=== Thierry Bordaz (1) ===
* Hardening of topology plugin to prevent erronous deletion of a replica
agreement
=== Tibor Dudlák (14) ===
* Use temporary pid file for chronyd -q task
* Fix format string passed to pytest-multihost
* Configure chrony with pool when server not set
* Add enabling chrony daemon when not configured
* Remove unnecessary option --force-chrony
* Remove NTP server role while upgrading
* Removes NTP server role from servroles and description
* Update man pages for FreeIPA client, replica and server install
* Adding method to ipa-server-upgrade to cleanup ntpd
* Add --ntp-pool option to installers
* FreeIPA server is time synchronization client only
* Replace ntpd with chronyd in installation
* Add dependency and paths for chrony
* Removes ntp from dependencies and behave as there is always -N option
5 years, 10 months
Changing configuration to use external certificate instead of self signed
by Bart
Hi all,
I have an instance of FreeIPA with PKI server and self signed certificate. It runs on one of the two instances of FreeIPA server.
Is it possible to get rid of it and use an external certificate instead? If so, what steps does it take? Or would it require reinstalling everything from scratch?
If both approaches are possible (reinstallation and replacing self-signed certificate with external one), which is more complex to apply?
Thank you for your help.
Bart
5 years, 10 months
Web UI access for the AD domain users
by Bart
I have an instance of FreeIPA with AD trust established. I know that it is possible to enable access for the web UI for AD users by creating an ID override as it is explained here: https://www.freeipa.org/page/V4/AD_Users_Login. My question is: would it be possible to enable the same by creating an ID override for an AD group instead of doing it on a per-user basis? This approach would be much simpler than iterating members of a group. However, when I tried to test this approach it didn't work for me; the AD user could not log in.
5 years, 10 months
some basic questions about FreeIPA
by Udo Rader
Hi,
I'm currently evaluating a couple of options to migrate our dated
OpenLDAP installation to a more up-to-date, maintainable and user
friendly solution.
One of the possibilities I found is of course FreeIPA and I hope this
is the right place to ask a couple of basic questions, in order to get a
better understanding of whether FreeIPA can meet our requirements.
Our current setup looks like this:
OpenLDAP used as storage for user, DHCP and DNS information:
#1 users are either regular Unix (Linux, FreeBSD) shell users
#2 or they are users accessing our mail services (dovecot/postfix)
#3 (a low number of) certificates are currently handled by TinyCA
#4 DHCP is handled by multiple, distributed ISC DHCP servers,
configured to pull their configuration from OpenLDAP (network
definitions, routers, NTP servers, MAC addresses etc.)
#5 DNS is handled by multiple, distributed PowerDNS instances, which
again retrieve their DNS data from OpenLDAP
As far as I can understand, FreeIPA can easily handle #1, #2 and #3.
But what about DHCP and DNS? I understand that FreeIPA's backbone is
the 389 DS. I guess migrating our DHCP DIT into 389 is doable, but what
about administration of those entries? Can this be done by FreeIPA?
Regarding DHCP, all I found were some older documents describing
intentions to implement it [1], but I'm uncertain if that ever
happened.
Regarding DNS, I am aware that FreeIPA comes with bind, but if
possible, I'd really like to stay with PowerDNS. Is that possible? And
if not, how tightly integrated is bind into FreeIPA? One mandatory
requirement is that we need to have multiple, geographically
distributed nameservers that hold various amounts of DNS data
(currently determined by LDAP filters). I of course understand that
bind is perfectly capable of doing this, but depending on the level of
integration between FreeIPA and bind, I'm not exactly sure how "easy"
this can be done.
Thanks in advance
Udo
[1] https://pagure.io/freeipa/issue/939
--
Udo Rader, GF/CEO
BestSolution.at EDV Systemhaus GmbH
Eduard-Bodem-Gasse 5-7, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
5 years, 10 months
obtaining initial ticket via keytab
by Josh
Greetings,
I am trying to follow steps at https://kb.iu.edu/d/aumh to create
freeipa admin keytab to use in some scripts but getting an error
kinit: Preauthentication failed while getting initial credentials
Does anyone know what I am missing here?
Thanks,
Josh.
PS. attempt to include detailed report caused message to end up in
moderator approval queue.
5 years, 10 months
adding users to other user groups
by Andrew Meyer
Hello, I am trying to add a new user to another group. This group was set up for another user. When I create the user it seems to do the same thing as when I create them on a local system. I get a user and a group for the user as well. However, when I go to add another user to that newly created group I can't find it. If I go to create the group with the same name FIPA says it's already created.
Any reason it's doing this? Am I doing something wrong?
I am running CentOS 7.4, FreeIPA 4.5.x.
Thank you,
Andrew
5 years, 10 months