Re: Migration FreeIPA to another server
by SOLER SANGUESA Miguel
Hello,
AFAIK you should create a replica on the VPS (with all the IPA services that the current server has) and once it is ready, you should decommission the current server.
Thanks & Regards.
4 years, 6 months
Re: CA Master Confusion
by Rob Crittenden
Auerbach, Steven via FreeIPA-users wrote:
> I am planning to retire the v3.3 ipa servers since they are Linux 6 and replacing them outright.
>
> I am trying to make the v4 ipa the master and I have another server in the wings to make a replica under that server once I know it is the master. All my concerns focus on the elevation of the ipa v4 server to master of all so I can ipa-manage-del the original v3 servers next and then deploy a final ipa v4 as replica.
>
> My understanding of what I am reading in the documentation is the limiting factor.
All masters are equals. The only differences are:
- optional services: CA, KRA, DNS, etc
- one is the CA renewal master
- one is the CRL generator (usually same as CA renewal master)
- a master doesn't have a DNA range unless it has created a user or group
That's it.
If your certs are not due to expire any time soon you'll save a lot of
time and effort by moving to v4 and running the config-mod command I
pointed out, then you'll have your CA renewal master. Follow the "How to
promote" instructions to set the CRL generator on the same server. Add a
user or group on at least one of the new masters. You're done.
We recommend at least 2 masters have the CA on them for redundancy.
rob
>
> -Steve
>
> -----Original Message-----
> From: Rob Crittenden <rcritten(a)redhat.com>
> Sent: Thursday, October 3, 2019 1:25 PM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Florence Blanc-Renaud <flo(a)redhat.com>
> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
> Subject: Re: [Freeipa-users] Re: CA Master Confusion
>
> Auerbach, Steven via FreeIPA-users wrote:
>> After several weeks I am moving back to this project.
>>
>> I am reading the "Howto/Promote CA to Renewal and CRL Master" documentation.
>>
>> Background: When I added the Linux 7 / Ipa v4 system (ipa3) I used an export from the original ipa v3 (ipa1) as the input to an ipa-create-replica command.
>>
>> When I execute the command for ipa version < 4.0 to verify certificate
>> master on all three servers (ipa1 and ipa2 are v3.3, and ipa3 is v4.0)
>> $ getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
>> the response I get
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> is the same on all three servers.
>>
>> Several Questions:
>> Is this as expected or does it indicate a problem?
>
> It depends. On the IPA v4 server what does ipa config-show |grep -i renewal say?
>
>> Since ipa3 is NOT the first master, what is the process to make an ipa v4 server the first master?
>
> I assume by first master you mean the CA renewal master and CRL generator. On the v4 server run: ipa config-mod
> --ca-renewal-master-server=<v4 master fqdn>
>
>> Is this done before unconfiguring master status on the ipa v3 servers or after?
>
> Order doesn't matter as long as you aren't in the middle of a renewal.
>
>> Do I unconfigure master renewal on ipa1 and unconfigure clone renewal on ipa2?
>
> Not sure what you mean. It used to be that the tracking was different between the renewal master and the others. I don't believe that is the case in v3.3+.
>
>> What to do about the same information on ipa3 (the ipa v4 server) at this point?
>
> v4 uses the renewal master config setting to know which is the master.
>
> I'd focus more on migrating the other two masters to v4 first. While different versions can interoperate together it is not ideal to run this way in the long term.
>
> rob
>
>>
>> I have no lab in which to try this update, so I am making these changes across a production datacenter and I am EXCEEDINGLY wary of breaking everything.
>>
>> Advice appreciated.
>>
>>
>> Steven Auerbach
>> ASSISTANT DIRECTOR OF INFORMATION SYSTEMS
>> INFORMATION TECHNOLOGY & SECURITY
>> State University System of Florida
>> Board of Governors
>> 325 W. Gaines Street, Suite 1625
>> Tallahassee, Florida 32399
>> (850) 245-9592
>> www.flbog.edu
>>
>>
>>
>> -----Original Message-----
>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>> Sent: Tuesday, August 27, 2019 9:20 AM
>> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
>> Subject: Re: [Freeipa-users] CA Master Confusion
>>
>> On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
>>> As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
>>> On the v4.6.4 replica (ipa<3>):
>>> $ sudo ipa config-show |grep 'CA renewal master'
>>> [sudo] password for <user>:
>>> $
>>> $
>>>
>>> On the v3.0.0 (ipa<1>):
>>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
>>> [sudo] password for <user>:
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
>>> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
>>> # requesting: dn
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>
>> Hi,
>> the ipaConfigString=caRenewalMaster attribute was introduced in
>> freeIPA
>> 4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I am not surprised that the search does not return anything.
>> When the 3.0 server was installed, the attribute did not exist yet. When the 4.x replica was installed, the attribute was not added since the new replica wasn't CA master.
>>
>> As the attribute is not set at all, the ipa config-show command (internally using the same ldapsearch you did) is unable to find a CA master.
>>
>> If you want to move the CA master role to ipa3, just follow the steps in [1], making sure to apply the steps for the corresponding IPA version.
>>
>> Also please note that we do not recommend using versions 3.x and 4.x together over a long period of time. This is completely OK when you want to migrate but once you have ensured all the services are properly working, the 3.x master should be decommissioned. Please see [2].
>> HTH,
>> flo
>>
>> [1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>> [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7
>>
>>>
>>>
>>> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:
>>>
>>> $ sudo ipa server-role-find --role 'CA server'
>>> [sudo] password for <user>:
>>> ----------------------
>>> 3 server roles matched
>>> ----------------------
>>> Server name: ipa<2>.mydomain.local
>>> Role name: CA server
>>> Role status: absent
>>>
>>> Server name: ipa<1>.mydomain.local
>>> Role name: CA server
>>> Role status: enabled
>>>
>>> Server name: ipa<3>.mydomain.local
>>> Role name: CA server
>>> Role status: absent
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>>
>>> And on the v3.0.0 (ipa<1>) I get:
>>>
>>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
>>> # filter: (&(cn=CA)(ipaConfigString=caServer))
>>> # requesting: dn
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>>>
>>> The way forward is not clear.
>>> -Steven Auerbach
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>
4 years, 6 months
Re: CA Master Confusion
by Rob Crittenden
Auerbach, Steven via FreeIPA-users wrote:
> After several weeks I am moving back to this project.
>
> I am reading the "Howto/Promote CA to Renewal and CRL Master" documentation.
>
> Background: When I added the Linux 7 / Ipa v4 system (ipa3) I used an export from the original ipa v3 (ipa1) as the input to an ipa-create-replica command.
>
> When I execute the command for ipa version < 4.0 to verify certificate master on all three servers (ipa1 and ipa2 are v3.3, and ipa3 is v4.0)
> $ getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
> the response I get
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> is the same on all three servers.
>
> Several Questions:
> Is this as expected or does it indicate a problem?
It depends. On the IPA v4 server what does ipa config-show |grep -i
renewal say?
> Since ipa3 is NOT the first master, what is the process to make an ipa v4 server the first master?
I assume by first master you mean the CA renewal master and CRL
generator. On the v4 server run: ipa config-mod
--ca-renewal-master-server=<v4 master fqdn>
> Is this done before unconfiguring master status on the ipa v3 servers or after?
Order doesn't matter as long as you aren't in the middle of a renewal.
> Do I unconfigure master renewal on ipa1 and unconfigure clone renewal on ipa2?
Not sure what you mean. It used to be that the tracking was different
between the renewal master and the others. I don't believe that is the
case in v3.3+.
> What to do about the same information on ipa3 (the ipa v4 server) at this point?
v4 uses the renewal master config setting to know which is the master.
I'd focus more on migrating the other two masters to v4 first. While
different versions can interoperate together it is not ideal to run this
way in the long term.
rob
>
> I have no lab in which to try this update, so I am making these changes across a production datacenter and I am EXCEEDINGLY wary of breaking everything.
>
> Advice appreciated.
>
>
> Steven Auerbach
> ASSISTANT DIRECTOR OF INFORMATION SYSTEMS
> INFORMATION TECHNOLOGY & SECURITY
> State University System of Florida
> Board of Governors
> 325 W. Gaines Street, Suite 1625
> Tallahassee, Florida 32399
> (850) 245-9592
> www.flbog.edu
>
>
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: Tuesday, August 27, 2019 9:20 AM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu>
> Subject: Re: [Freeipa-users] CA Master Confusion
>
> On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
>> As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
>> On the v4.6.4 replica (ipa<3>):
>> $ sudo ipa config-show |grep 'CA renewal master'
>> [sudo] password for <user>:
>> $
>> $
>>
>> On the v3.0.0 (ipa<1>):
>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
>> [sudo] password for <user>:
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
>> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
>> # requesting: dn
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>
> Hi,
> the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA
> 4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I am not surprised that the search does not return anything.
> When the 3.0 server was installed, the attribute did not exist yet. When the 4.x replica was installed, the attribute was not added since the new replica wasn't CA master.
>
> As the attribute is not set at all, the ipa config-show command (internally using the same ldapsearch you did) is unable to find a CA master.
>
> If you want to move the CA master role to ipa3, just follow the steps in [1], making sure to apply the steps for the corresponding IPA version.
>
> Also please note that we do not recommend using versions 3.x and 4.x together over a long period of time. This is completely OK when you want to migrate but once you have ensured all the services are properly working, the 3.x master should be decommissioned. Please see [2].
> HTH,
> flo
>
> [1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7
>
>>
>>
>> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:
>>
>> $ sudo ipa server-role-find --role 'CA server'
>> [sudo] password for <user>:
>> ----------------------
>> 3 server roles matched
>> ----------------------
>> Server name: ipa<2>.mydomain.local
>> Role name: CA server
>> Role status: absent
>>
>> Server name: ipa<1>.mydomain.local
>> Role name: CA server
>> Role status: enabled
>>
>> Server name: ipa<3>.mydomain.local
>> Role name: CA server
>> Role status: absent
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>> And on the v3.0.0 (ipa<1>) I get:
>>
>> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
>> # filter: (&(cn=CA)(ipaConfigString=caServer))
>> # requesting: dn
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>>
>> The way forward is not clear.
>> -Steven Auerbach
4 years, 6 months
Re: CA Master Confusion
by Florence Blanc-Renaud
On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
> As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
> On the v4.6.4 replica (ipa<3>):
> $ sudo ipa config-show |grep 'CA renewal master'
> [sudo] password for <user>:
> $
> $
>
> On the v3.0.0 (ipa<1>):
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> [sudo] password for <user>:
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
Hi,
the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA
4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I
am not surprised that the search does not return anything.
When the 3.0 server was installed, the attribute did not exist yet. When
the 4.x replica was installed, the attribute was not added since the new
replica wasn't CA master.
As the attribute is not set at all, the ipa config-show command
(internally using the same ldapsearch you did) is unable to find a CA
master.
If you want to move the CA master role to ipa3, just follow the steps in
[1], making sure to apply the steps for the corresponding IPA version.
Also please note that we do not recommend using versions 3.x and 4.x
together over a long period of time. This is completely OK when you want
to migrate but once you have ensured all the services are properly
working, the 3.x master should be decommissioned. Please see [2].
HTH,
flo
[1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7
>
>
> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me:
>
> $ sudo ipa server-role-find --role 'CA server'
> [sudo] password for <user>:
> ----------------------
> 3 server roles matched
> ----------------------
> Server name: ipa<2>.mydomain.local
> Role name: CA server
> Role status: absent
>
> Server name: ipa<1>.mydomain.local
> Role name: CA server
> Role status: enabled
>
> Server name: ipa<3>.mydomain.local
> Role name: CA server
> Role status: absent
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> And on the v3.0.0 (ipa<1>) I get:
>
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caServer))
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>
> The way forward is not clear.
> -Steven Auerbach
4 years, 6 months
Online migration from internal CA to no-CA setup
by Marco V.
Hi,
We've installed a replicated 7Server IPA setup with an internal CA.
Now, due to corporate policies, we need to migrate to a no-CA setup (because we need to use corporate-signed certificates,
and a sub-CA is also not allowed). So we need to migrate from 7Server internal-CA replicated IPA to 8Server no-CA replicated IPA.
ipa-replica-install does not support --ca-cert-file, so we cannot install the new replica with the corporate certificates straight away.
What would be the correct procedure?
I've come up with the following steps:
1. install the new 8Server replicas without CA, (They will get the self-signed certificates from existing 7Server master (first master))
2. first add corporate root CA to both 7Server and 8Server nodes systems ca-bundle.trust.crt
3. manually replace HTTP and LDAP certificates with corporate-signed certificates
4. remove 7Server replica and first master, so we end up with the no-CA 8Server nodes only
I'm wondering whether replication will still be functional when performing step 3, but I can perform additional testing on that.
We are running production with our setup, so we need a 'online' migration strategy.
Would this be the best approach or do I need another solution? ;-)
4 years, 6 months
Migration FreeIPA to another server
by Petar Kozić
Hi,
I have a FreeIPA server running in Docker. I am using FreeIPA for SSH
authentication on servers. I have about 25 servers added there and about 15
users.
I want to migrate that to a VPS.
I checked all the documentation about migration but I didn't find a
reasonable process.
Can someone tell me what the easiest way to do that is?
Thanks.
*—*
*Petar Kozić*
4 years, 6 months
ipa vault: internal error, "Invalid Credential"
by Dmitry Perets
Hi,
Pretty much any vault-related calls in one of my environments result in the internal error, although the call seems to (partially) succeed.
For example:
# ipa vault-add test --type standard
ipa: ERROR: an internal error has occurred
But the vault is created:
# ipa vault-find
---------------
1 vault matched
---------------
Vault name: test
Type: standard
Vault user: admin
----------------------------
Number of entries returned 1
----------------------------
I'll get the same error if I try "ipa vault-del", "vault-archive" or "vault-retrieve".
At the same time, the following is written in /var/log/messages:
Sep 19 23:54:39 t-idm-ber800-1 server: Invalid Credential.
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cmscore.authentication.CertUserDBAuthentication.authenticate(CertUserDBAuthentication.java:174)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:112)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:85)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:114)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:47)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:89)
Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:59)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:578)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
Sep 19 23:54:39 t-idm-ber800-1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Sep 19 23:54:39 t-idm-ber800-1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Sep 19 23:54:39 t-idm-ber800-1 server: at java.lang.Thread.run(Thread.java:748)
Any idea what could be going wrong here?
Thanks.
Info: ipa-server 4.6.4 on RHEL 7.6, and I am running these commands from the IPA server itself, on which CA and KRA are installed (in fact, it's the only active CA/KRA master in that environment).
---
Regards,
Dmitry Perets
4 years, 6 months
Granting rwx permission to directory or file of host to a user by FREEIPA
by Syed Muhammad Hassan
I am new to freeipa and struggling very hard to achieve a task. Below is my desired task.
I have two hosts, watch1.office.com and watch2.office.com, and a user john in FreeIPA. I want user john to be able to read, write and execute only in the /etc/sysconfig directory of watch1.office.com and to edit /etc/ssh/sshd_config. How can I achieve this? I want user john to be able to edit a specific file, or execute in a directory, for which permission has been granted. But I do not know how to create or grant such a permission in FreeIPA. Any help would be much appreciated.
4 years, 6 months
Re: Enabling more FreeIPA CA servers
by Fraser Tweedale
Hi Stuart,
Adding the freeipa-users@ mailing list for visibility.
I'd have to work through your scenario to work out why it fails.
But it may be some time before I get around to that.
I think your idea to first try creating a CA replica on F28 before
moving forward to F30 is a sensible thing to try.
One question though: are you on Domain Level 0 or 1?
(`ipa domainlevel-get`).
Cheers,
Fraser
On Thu, Sep 26, 2019 at 07:35:58PM +0100, Stuart McRobert wrote:
> Dear Fraser,
>
> I've read through lots of posts but I am uncertain about the best way
> forward and wonder if I could seek your guidance? I just don't want to break
> things.
>
> Currently we have three freeipa servers (1-3) on Fedora 26 (clearly need
> updating) with ipa VERSION: 4.4.4, API_VERSION: 2.215 and one new Fedora 30
> server (#4) which I just started to add with VERSION: 4.8.1, API_VERSION:
> 2.233.
>
> The reason for adding a new server before updating the others is the web
> interface warning:
>
> Warning: Only One CA Server Detected
> It is strongly recommended to keep the CA services installed on more than
> one server
>
> which I fully understand is not good, but it doesn't offer to just fix it!
>
> I suspect server #4 may be too new, failing with both
>
> ipa-replica-install --setup-ca
>
> and
>
> ipa-ca-install
>
> in a very similar way, e.g.
>
> 2019-09-26T16:18:15Z ERROR Unable to log in as uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca on ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
> 2019-09-26T16:18:15Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
> method()
> File "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 503, in setup_admin
> self.admin_dn, master_conn
> ipalib.errors.NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
> 2019-09-26T16:18:15Z DEBUG [error] NotFound: uid=admin-freeipa04.services.nsa.stats.ox.ac.uk,ou=people,o=ipaca did not replicate to ldap://freeipa01.services.nsa.stats.ox.ac.uk:389
>
>
> which I think others have also run into.
>
> Next thought was to confirm what we had:
>
> [root@freeipa01 ~]# ipa server-find
> ---------------------
> 4 IPA servers matched
> ---------------------
> Server name: freeipa01.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa02.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa03.services.nsa.stats.ox.ac.uk F26
>
> Server name: freeipa04.services.nsa.stats.ox.ac.uk F30
> ----------------------------
> Number of entries returned 4
> ----------------------------
> [root@freeipa01 ~]# ipa server-role-find --role "CA server"
> ----------------------
> 4 server roles matched
> ----------------------
> Server name: freeipa01.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: enabled
>
> Server name: freeipa02.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
>
> Server name: freeipa03.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
>
> Server name: freeipa04.services.nsa.stats.ox.ac.uk
> Role name: CA server
> Role status: absent
> ----------------------------
> Number of entries returned 4
> ----------------------------
>
>
> and then find out how to change the "Role status:" to enabled, starting on
> freeipa02 but I am not sure how to achieve this, e.g.
>
>
> [root@freeipa02 ~]# ipa-ca-install
> CA is already installed on this host.
>
> true but doesn't really help. Sorry if this is very easy to do with a
> command I have totally missed.
>
> Currently I know if freeipa01 fails, client logins also fail, and I assume
> this is because it is the only CA server enabled.
>
> Work plan:
>
> 1. Enable more CA servers
>
> 2. Update Fedora 26 to 30, perhaps via 28 first if advised not to jump too
> far at once, probably updating servers #2, then #3 and finally #1.
>
> 3. Add more servers for resiliency
>
>
> Any idea how to get more CA servers enabled or any other suggestions?
>
> Many thanks
>
> Best wishes
>
> Stuart
4 years, 6 months
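The checks Rob describes in the "CA Master Confusion" thread (is a CA renewal master set, do at least two masters carry the CA) and the role listing Stuart pastes above, turned into a repeatable pre-migration report. This is an added shell example, not code from the FreeIPA project or from any post in these threads. It parses the text output of `ipa config-show` and `ipa server-role-find --role 'CA server'`; the sample output embedded in it is constructed to mirror the three-master situation in the thread, and the output labels it matches on ("IPA CA renewal master:", "Server name:", "Role status:") are assumptions about the CLI's formatting.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA project or from any of the list posts.
# It turns the checks discussed in the "CA Master Confusion" and "Enabling more
# FreeIPA CA servers" threads into a repeatable pre-migration report:
#   - is a CA renewal master configured (ipaConfigString=caRenewalMaster)?
#   - how many servers have the CA role enabled, and is the renewal master one of them?
# The parsers read the plain-text output of the ipa CLI from stdin, so they run
# offline on the constructed samples below and can be fed from the live commands
# on a real master. Assumed output labels: "IPA CA renewal master:" from
# `ipa config-show`, "Server name:" / "Role status:" from
# `ipa server-role-find --role 'CA server'`.

# Print the FQDN of the CA renewal master; prints nothing when the attribute is
# unset (the situation in the thread: a topology installed with 3.x never had it).
renewal_master_from_config() {
    awk -F': ' '/CA renewal master:/ { print $2 }'
}

# Print one FQDN per line for every server whose "CA server" role is enabled.
enabled_ca_servers() {
    awk -F': ' '
        /^ *Server name:/ { server = $2 }
        /^ *Role status:/ { if ($2 == "enabled") print server }
    '
}

# Judge the topology. $1 = renewal master FQDN (may be empty), $2 = newline
# separated CA-enabled servers. Prints one WARN line per finding, returns 0 if sound.
assess_ca_topology() {
    renewal_master=$1
    ca_servers=$2
    status=0
    count=$(printf '%s\n' "$ca_servers" | grep -c . || true)
    if [ -z "$renewal_master" ]; then
        echo "WARN: no CA renewal master is set; on a 4.x master run" \
             "ipa config-mod --ca-renewal-master-server=<fqdn of a CA server>"
        status=1
    elif ! printf '%s\n' "$ca_servers" | grep -qxF -- "$renewal_master"; then
        echo "WARN: renewal master $renewal_master does not have the CA role enabled"
        status=1
    fi
    if [ "$count" -lt 2 ]; then
        echo "WARN: only $count server(s) run the CA; at least 2 are recommended for redundancy"
        status=1
    fi
    return $status
}

# Constructed sample output modelled on the thread (not real captures): three
# masters, only ipa1 with the CA role, and no renewal master line at all.
SAMPLE_CONFIG_SHOW='Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers'
SAMPLE_ROLE_FIND='----------------------
3 server roles matched
----------------------
  Server name: ipa2.example.test
  Role name: CA server
  Role status: absent

  Server name: ipa1.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa3.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 3
----------------------------'

# Run the report over the constructed samples (default) or the live CLI ("live").
run_checks() {
    if [ "${1:-sample}" = "live" ]; then
        master=$(ipa config-show | renewal_master_from_config)
        servers=$(ipa server-role-find --role 'CA server' | enabled_ca_servers)
    else
        master=$(printf '%s\n' "$SAMPLE_CONFIG_SHOW" | renewal_master_from_config)
        servers=$(printf '%s\n' "$SAMPLE_ROLE_FIND" | enabled_ca_servers)
    fi
    assess_ca_topology "$master" "$servers"
}

run_checks "${1:-sample}" || echo "CA topology needs attention before the old masters are decommissioned"
```

Run it with no arguments to see the two warnings the constructed sample produces (no renewal master, a single CA server); run it with `live` on a 4.x master holding a valid admin ticket to report on the real topology. A non-zero return from `assess_ca_topology` is the signal to fix the renewal master with `ipa config-mod` and add a CA replica before any `ipa-replica-manage del` of the old masters.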
IPA domain realms
by Ronald Wimmer
I have an IPA installation with an AD trust from ipa.mydomain.at to
ad.mydomain.at.
What is the Realm domains feature for?
Is it possible to define an IPA subdomain (e.g. test.ipa.mydomain.at) as
an additional realm domain? Will Kerberos and AD trust (configured for
ipa.mydomain.at) work for this domain?
Cheers,
Ronald
4 years, 6 months