Categories vs Groups
by Russell Jones
Hi all,
I am in the beginning stages of researching moving from NIS to FreeIPA. I
am running through the workshop on the FreeIPA github, and am having
difficulty understanding the difference between categories and groups.
For example, I have one HBAC rule that came pre-defined on my FreeIPA
server for "allow_systemd-user" that says it applies for user category and
host category of "all". But then the workshop has me add an HBAC rule to
allow a user to access a specific host by adding user and host groups, not
categories.
I'm sure there is a simple difference between the two, but I am not having
much luck finding these concepts explained anywhere in the documentation.
Can you point me towards where I can find this?
Thank you!
4 years, 6 months
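The distinction the post asks about is easiest to see in the matching logic. The model below is an added example, not FreeIPA's own code: it shows how an HBAC rule is evaluated, where a category of "all" in a dimension (users, hosts, services) replaces the member list for that dimension, and a rule built from groups instead matches only members of those groups. It also mirrors IPA's refusal to combine a category of "all" with members in the same dimension. The rule names, group names and hosts are constructed; group memberships are assumed to be passed in already flattened (nested groups resolved).

```python
"""Model of FreeIPA HBAC rule matching (added example, not FreeIPA's own code).

A rule has three dimensions: users, hosts and services. In each dimension the
rule either names a category of "all" (matches everything; IPA refuses to
combine it with a member list) or carries members: direct users/hosts/services
plus groups of them. Rules are allow-only: access is permitted when at least
one enabled rule matches in all three dimensions, and denied otherwise.
Group memberships are passed in already flattened. Names below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    usercategory: Optional[str] = None      # "all" or None
    hostcategory: Optional[str] = None
    servicecategory: Optional[str] = None
    memberuser_user: Set[str] = field(default_factory=set)
    memberuser_group: Set[str] = field(default_factory=set)
    memberhost_host: Set[str] = field(default_factory=set)
    memberhost_hostgroup: Set[str] = field(default_factory=set)
    memberservice_hbacsvc: Set[str] = field(default_factory=set)
    memberservice_hbacsvcgroup: Set[str] = field(default_factory=set)


def validate_rule(rule: HBACRule) -> None:
    """Mirror IPA's constraint: a category of 'all' may not coexist with members."""
    for cat, members, what in (
        (rule.usercategory, rule.memberuser_user | rule.memberuser_group, "user"),
        (rule.hostcategory, rule.memberhost_host | rule.memberhost_hostgroup, "host"),
        (rule.servicecategory, rule.memberservice_hbacsvc | rule.memberservice_hbacsvcgroup, "service"),
    ):
        if cat == "all" and members:
            raise ValueError(f"{rule.name}: {what} category 'all' cannot be combined with {what} members")
        if cat not in (None, "all"):
            raise ValueError(f"{rule.name}: unsupported {what} category {cat!r}")


def _dimension_matches(category, direct, groups, name, name_groups) -> bool:
    # category "all" short-circuits; otherwise direct membership or a shared group
    if category == "all":
        return True
    return name in direct or bool(groups & name_groups)


def rule_matches(rule, user, user_groups, host, host_groups, service, service_groups) -> bool:
    if not rule.enabled:
        return False
    return (
        _dimension_matches(rule.usercategory, rule.memberuser_user, rule.memberuser_group, user, user_groups)
        and _dimension_matches(rule.hostcategory, rule.memberhost_host, rule.memberhost_hostgroup, host, host_groups)
        and _dimension_matches(rule.servicecategory, rule.memberservice_hbacsvc,
                               rule.memberservice_hbacsvcgroup, service, service_groups)
    )


def hbac_access(rules, user, user_groups, host, host_groups, service, service_groups) -> List[str]:
    """Names of the rules that grant this access; an empty list means denied."""
    return [r.name for r in rules
            if rule_matches(r, user, user_groups, host, host_groups, service, service_groups)]


# Constructed rule set: the first rule is shaped like the predefined one (categories),
# the second like the workshop rule (groups).
RULES = [
    HBACRule("allow_systemd-user", usercategory="all", hostcategory="all",
             memberservice_hbacsvc={"systemd-user"}),
    HBACRule("ops_to_webservers", memberuser_group={"ops"},
             memberhost_hostgroup={"webservers"}, servicecategory="all"),
]
for _r in RULES:
    validate_rule(_r)

if __name__ == "__main__":
    print(hbac_access(RULES, "alice", {"ops"}, "web1.example.test", {"webservers"}, "sshd", set()))
    print(hbac_access(RULES, "alice", {"ops"}, "db1.example.test", {"databases"}, "sshd", set()))
    print(hbac_access(RULES, "bob", set(), "db1.example.test", set(), "systemd-user", set()))
```

In this model the category is a wildcard for a whole dimension and the groups are the finite alternative; a real deployment keeps the wildcard rules few (the default allow_all rule is usually disabled once group-based rules exist) so that an unintended login is denied rather than matched by the wildcard.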
How to change the timeout of 60 seconds on the login with AD users
by SOLER SANGUESA Miguel
Hello,
After a primary DNS server problem, I have realized that the IDM client has a timeout of 60 s for the login.
As the primary DNS was not working, the server used the secondary DNS and it took 4 s to resolve any name; as I use AD users, during the authentication phase all AD servers (9 servers) must be resolved, so authentication becomes very slow and the 60 s timeout is triggered. I have modified resolv.conf to make the transition to the second DNS server faster (resolving any name takes 2 s), and then authentication completes in 48 s, so it works.
But what I want to know is how to modify that 60 s timeout. I have checked the logs with debug_level = 9 and I don't see the "timeout" log.
I have also changed (on client side):
krb5_auth_timeout = 190
pam_id_timeout = 190
but it still has the timeout at 60 s
the client is:
RHEL 6.10 (but I think it happens the same on RHEL 7)
sssd-client-1.13.3-60.el6_10.2.x86_64
ipa-client-3.0.0-51.el6.x86_64
sssd.conf:
[domain/IPAdomain]
krb5_auth_timeout = 190
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPAdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = CLIENT.domain.org
chpass_provider = ipa
ipa_server = _srv_, IPASERVER1, IPASERVER2
dns_discovery_domain = IPAdomain
[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = IPAdomain
default_domain_suffix = AD.domain
[nss]
filter_groups = root
filter_users = root,iccsecure,tomcat,oracle
reconnection_retries = 3
[pam]
reconnection_retries = 3
pam_id_timeout = 190
[sudo]
[ssh]
On the Server side:
RHEL 7.6
sssd-1.16.2-13.el7_6.8.x86_64
ipa-server-4.6.4-10.el7_6.3.x86_64
sssd.conf:
[domain/IPAdomain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPAdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = IPASERVER1
chpass_provider = ipa
ipa_server = IPASERVER1
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomain_homedir = %o
[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = IPAdomain
[domain/IPAdomain/ADdomain]
ldap_search_base = ou=XXX,dc=XXXX,dc=XXXXX,dc=XXX
[nss]
filter_groups = root
filter_users = root, iccsecure, tomcat, oracle
reconnection_retries = 3
memcache_timeout = 600
homedir_substring = /home
[pam]
reconnection_retries = 3
[ssh]
[sudo]
I have attached the logs, timeout is triggered at 12:21:50
Thanks & Regards.
4 years, 6 months
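When a login times out, the question is which step stalled; sssd logs carry one-second timestamps, so the stall shows up as a gap between consecutive messages. The script below is an added example (not an sssd tool) that parses sssd 1.x log lines, reports gaps above a threshold and the message just before each gap, and totals the request duration. The log lines in SAMPLE_LOG are constructed for the example, not the poster's attached logs; the function names in them are real sssd symbols but the messages are made up.

```python
"""Find the stalled step in an sssd debug log by looking for time gaps
(added example, not sssd's own tooling).

sssd 1.x writes one line per message as
  (Thu Oct  3 12:20:50 2019) [sssd[pam]] [function] (0x0100): message
Timestamps have one-second resolution, so this finds coarse stalls such as
a 60 s provider timeout, not millisecond jitter. Lines that do not match
the pattern are ignored. SAMPLE_LOG is constructed for this example.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<component>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
(Thu Oct  3 12:20:50 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Oct  3 12:20:50 2019) [sssd[pam]] [pam_print_data] (0x0100): user: jdoe@ad.domain
(Thu Oct  3 12:20:50 2019) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Oct  3 12:20:52 2019) [sssd[be[IPAdomain]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_kerberos._tcp.ad.domain'
this line is not an sssd message and is skipped
(Thu Oct  3 12:21:50 2019) [sssd[pam]] [pam_dp_send_req_done] (0x0020): PAM handler failed: request timed out
(Thu Oct  3 12:21:50 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
"""


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # collapse the padded day ("Oct  3") before handing it to strptime
    ts = re.sub(r"\s+", " ", rec["ts"].strip())
    rec["time"] = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
    return rec


def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_gaps(text: str, threshold_seconds: float) -> List[Dict]:
    """Consecutive messages separated by at least threshold_seconds."""
    recs = parse_log(text)
    gaps = []
    for prev, cur in zip(recs, recs[1:]):
        delta = (cur["time"] - prev["time"]).total_seconds()
        if delta >= threshold_seconds:
            gaps.append({"seconds": delta, "before": prev, "after": cur})
    return gaps


def request_duration(text: str) -> float:
    """Wall-clock span from the first to the last parsable message."""
    recs = parse_log(text)
    return (recs[-1]["time"] - recs[0]["time"]).total_seconds() if recs else 0.0


if __name__ == "__main__":
    for g in find_gaps(SAMPLE_LOG, 30):
        print(f"{g['seconds']:.0f}s stall after [{g['before']['component']}] "
              f"{g['before']['func']}: {g['before']['msg']}")
        print(f"   next message: {g['after']['func']}: {g['after']['msg']}")
    print(f"total: {request_duration(SAMPLE_LOG):.0f}s")
```

Run it over the domain log and the pam log side by side (they are separate files under /var/log/sssd/): the last message before the largest gap names the operation that was waiting, which is what decides whether the tunable to look at is a resolver, Kerberos or PAM responder timeout.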
Ipa user can't login via ssh
by Elhamsadat Azarian
### Request for enhancement
As a Linux admin I want to log in to my ipa-client with a user that is defined in the ipa-server UI.
### Issue
I installed ipa-server and an ipa-client on CentOS 7.6.
I defined internal DNS on ipa-server and I defined A and PTR records for the client on ipa-server.
Now I can see my client in the IPA UI and I defined a user with name "elham" and I expect that it can log in to the ipa-client.
When I log in as root on the ipa-client and do sudo elham, it works, and kinit elham works too, but
when I ssh into the ipa-client with this user, it shows "Access denied".
I have errors with this context:
pam_reply : authentication failure to the client
pam_sss: authentication falure
I'm tired of this issue. Please help me if you know the solution.
#### Steps to Reproduce
1. define new user "elham" in ipa UI
2. SSH to ipa-client with elham
3. access denied
#### Actual behavior
(what happens)
#### Expected behavior
login into ipa-client successfully
#### Version/Release/Distribution
ipa-server 4.6.5-11.el7
ipa-client 4.6.4-10.el7.centos.3
Log files and config files are added below:
krb5.conf
------------
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LSHS.DC
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
LSHS.DC = {
kdc = ipa-irvlt01.example.dc:88
admin_server = ipa-irvlt01.example.dc:749
default_domain = example.dc
}
[domain_realm]
.example.com = LSHS.DC
example.com = LSHS.DC
############################################
sssd.conf
-------------
[domain/example.dc]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.dc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipacli-irvlt01.example.dc
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-irvlt01.example.dc
dyndns_iface = ens160
dns_discovery_domain = example.dc
debug_level = 10
[sssd]
########### AFTER IPA ###################
#services = nss, sudo, pam, ssh
services = nss, pam
config_file_version = 2
#########################################
domains = example.dc
debug_level = 10
[nss]
homedir_substring = /home
[pam]
debug_level = 10
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
##########################################
4 years, 6 months
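Two things in the posted krb5.conf are worth checking mechanically rather than by eye: allow_weak_crypto = true (which re-enables deprecated weak enctypes) and a [domain_realm] section whose entries do not cover the domain of the KDC named in [realms]. The linter below is an added example, not an IPA or MIT Kerberos tool; it parses the stanza-and-brace format and reports both. SAMPLE is the krb5.conf posted above, embedded inline; the finding codes ("weak-crypto", "unmapped-host") are this example's own naming.

```python
"""A small linter for krb5.conf (added example, not an IPA or MIT tool).

It parses the stanza/brace format, then reports two things a defender checks
when a client cannot authenticate: allow_weak_crypto = true in [libdefaults],
which re-enables deprecated weak enctypes, and kdc/admin_server hosts in
[realms] whose domain has no entry in [domain_realm], so that the realm for
those hosts is not decided by this file. SAMPLE is the posted krb5.conf.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LSHS.DC
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
LSHS.DC = {
kdc = ipa-irvlt01.example.dc:88
admin_server = ipa-irvlt01.example.dc:749
default_domain = example.dc
}
[domain_realm]
.example.com = LSHS.DC
example.com = LSHS.DC
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
OPEN_RE = re.compile(r"^(?P<key>\S+)\s*=\s*\{$")
KV_RE = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>.*)$")


def parse_krb5_conf(text: str) -> Dict:
    """Return {section: {key: [values] or {nested}}}; include lines go under '_includes'."""
    conf: Dict = {"_includes": []}
    stack: List[Dict] = []          # innermost dict is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("include ", "includedir ")):
            conf["_includes"].append(line)
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m["name"], {})]
            continue
        if not stack:
            raise ValueError(f"relation outside any section: {line!r}")
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:                       # e.g. "LSHS.DC = {" inside [realms]
            sub: Dict = {}
            stack[-1][m["key"]] = sub
            stack.append(sub)
            continue
        m = KV_RE.match(line)
        if m:                       # keys may repeat (several kdc lines), so keep lists
            stack[-1].setdefault(m["key"], []).append(m["value"].strip())
            continue
        raise ValueError(f"cannot parse line: {line!r}")
    return conf


def _domain_covered(host: str, mappings: Dict) -> bool:
    # a leading-dot key covers the whole domain; a bare key matches only that exact name
    h = host.lower()
    return any(h == k.lower() or (k.startswith(".") and h.endswith(k.lower())) for k in mappings)


def lint_krb5_conf(text: str) -> List[Tuple[str, str]]:
    conf = parse_krb5_conf(text)
    findings: List[Tuple[str, str]] = []
    weak = conf.get("libdefaults", {}).get("allow_weak_crypto", [])
    if any(v.lower() in ("true", "yes", "on", "1") for v in weak):
        findings.append(("weak-crypto", "allow_weak_crypto is enabled in [libdefaults]"))
    mappings = conf.get("domain_realm", {})
    seen = set()
    for realm, body in conf.get("realms", {}).items():
        if not isinstance(body, dict):
            continue
        for key in ("kdc", "admin_server", "kpasswd_server", "master_kdc"):
            for value in body.get(key, []):
                host = re.sub(r":\d+$", "", value)      # drop an explicit port
                if host not in seen:
                    seen.add(host)
                    if not _domain_covered(host, mappings):
                        findings.append(("unmapped-host", f"{host} (realm {realm}) has no [domain_realm] entry"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_krb5_conf(SAMPLE):
        print(f"{code}: {detail}")
```

Neither finding is by itself the cause of a PAM "authentication failure"; the point of running such a check first is to remove configuration drift from the list of suspects before reading sssd and sshd logs, and the weak-crypto flag is worth turning off regardless.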
Fwd: mod_rewrite proxying for CA
by Natxo Asenjo
hi,
We need to deploy an Idm environment in a firewalled network with different
layers (untrusted/semi-trusted/trusted).
In the untrusted network there will be no Idm servers. In the trusted, we
will have replicas with the base services (ldap/kerberos/dns). Hosts in
the untrusted zone will talk to these replicas.
In the trusted zone we will have replicas with the CA functionality as
well, and obviously the idm servers will communicate between the
semi-trusted and trusted zone.
According to:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
"If you set up a replica without a CA, it will forward all requests for
certificate operations to the CA server in your topology."
The question is: will certmonger on hosts in the untrusted zone be able to
request and renew certificates and have the requests proxied to the trusted
zone servers with the CA service? I know mod_rewrite can do this using the
[P] flag (https://httpd.apache.org/docs/2.4/rewrite/proxy.html), but is
this something we can use for our goal?
Thanks!
--
Groeten,
natxo
4 years, 6 months
FreeIPA with multiple domains not mappings ids correctly on NFS
by Kevin Vasko
Hello,
I’ve got a FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have an NFS server at nfs-server.ny.example.com and users mounting it on their clients from ny.example.com and ca.example.com. Users in ny.example.com see file owner:group just fine, but for users in ca.example.com everything on the NFS server shows nobody:nogroup or nobody:4294967294.
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name 'user@ny.example.com' does not map into domain 'ca.example.com'
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin
4 years, 6 months
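The nfsidmap message in the post is the visible half of a two-sided protocol: the server encodes each owner as user@DOMAIN using its own idmap Domain, and the client only maps that string back to a uid when DOMAIN equals its own Domain; on failure the kernel substitutes uid -2, which prints as 4294967294. The Domain in /etc/idmapd.conf is just a shared label (it defaults to the host's DNS domain but can be any string) and has to agree between the server and every client. The model below is an added example of that documented behaviour, not nfs-utils code; PASSWD is a constructed user table standing in for the IPA-backed NSS lookups.

```python
"""Model of NFSv4 owner-name mapping as done by idmapd's nsswitch method
(added example; a model of the documented behaviour, not the nfs-utils code).

NFSv4 carries owners on the wire as user@DOMAIN. The sender builds the string
from its local idmap Domain; the receiver maps it back to a uid only if
DOMAIN equals its own Domain and the user exists locally. Otherwise the
kernel falls back to uid -2, shown as 4294967294. PASSWD is constructed.
"""
from typing import Dict, List, Tuple

NOBODY_ID = 2**32 - 2   # (uint32)-2 == 4294967294, the kernel's fallback when mapping fails

PASSWD: Dict[str, int] = {"jdoe": 1001, "asmith": 1002}
UID_TO_NAME = {uid: name for name, uid in PASSWD.items()}


def encode_owner(uid: int, local_domain: str) -> str:
    """Server side: local uid -> on-the-wire owner string."""
    return f"{UID_TO_NAME[uid]}@{local_domain}"


def map_owner(owner: str, local_domain: str) -> int:
    """Client side: owner string -> uid; NOBODY_ID when it 'does not map into domain'."""
    name, sep, domain = owner.rpartition("@")
    if not sep or domain.lower() != local_domain.lower():
        return NOBODY_ID            # the case behind the nfsidmap log line
    return PASSWD.get(name, NOBODY_ID)


def client_sees(uid_on_server: int, server_domain: str, client_domain: str) -> int:
    """What a client with client_domain shows for a file owned by uid_on_server."""
    return map_owner(encode_owner(uid_on_server, server_domain), client_domain)


def compare_layouts(uid: int) -> List[Tuple[str, int]]:
    """Per-site Domains versus one shared Domain across all sites."""
    return [
        ("ny client, per-site domains", client_sees(uid, "ny.example.com", "ny.example.com")),
        ("ca client, per-site domains", client_sees(uid, "ny.example.com", "ca.example.com")),
        ("ny client, shared domain",    client_sees(uid, "example.com", "example.com")),
        ("ca client, shared domain",    client_sees(uid, "example.com", "example.com")),
    ]


if __name__ == "__main__":
    for label, uid in compare_layouts(1001):
        print(f"{label:30s} -> {uid}")
```

The shared label is independent of the DNS subdomains, so each site can keep its own DNS domain for FreeIPA while all idmapd.conf files carry the same Domain value. With AUTH_SYS mounts, current kernels can exchange numeric ids instead (the nfs4_disable_idmapping behaviour), which bypasses this mapping; with Kerberos security, the usual choice with IPA, the string mapping above is what applies.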
Re: Enabling more FreeIPA CA servers
by Stuart McRobert
Dear Rob,
> Well, all IPA masters are equals more or less. It would be sort of a
> stigma to mark one as a replica forever, for the only reason that it
> wasn't installed first. This would be particularly confusing if the
> first master was removed.
A good point thanks, in which case may I suggest for clarity simply
revising my suggested name from
ipa-ca-install-replica
to
ipa-ca-install-additional-master
helping to indicate exactly what this will do, i.e. any other CA servers
will be safe and not at risk from this.
> It looks for the existence of /etc/pki/pki-tomcat/ca/CS.cfg.
Which is indeed present on our second server.
> My guess is someone tried to install a CA at some point in the past and
> it failed and they just left it. The installer is not idempotent and
> there is no CA-specific uninstall so the only way around it is to fully
> uninstall the master and try again.
Having had a look around, I found the initial install from Sep 2016
(probably the F24 release, as I have the upgrade to F26 in there), and indeed I
did miss out the --setup-ca option at the very start.
Meanwhile returning to CA on this our second server it does indeed appear
to be partially installed, URL to server:8080/ca/admin/ca/getStatus
reports
This XML file does not appear to have any style information
associated with it. The document tree is shown below.
<XMLResponse>
<State>1</State>
<Type>CA</Type>
<Status>running</Status>
<Version>10.3.5-12.fc26</Version>
</XMLResponse>
The install log file is also there, starting with:
2018-09-28T06:40:20Z DEBUG /usr/sbin/ipa-ca-install was invoked with
options: {'external_cert_files': None, 'skip_schema_check': False,
'external_ca_type': None, 'unattended': False, 'no_host_dns': False,
'ca_signing_algorithm': None, 'debug': False, 'external_ca': False,
'skip_conncheck': False},None
With highlights including
Connection from master to replica is OK.
Still goes well
Loading deployment configuration from /tmp/tmpIR6kRz.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
2018-09-28T06:42:47Z DEBUG stderr=
2018-09-28T06:42:47Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2018-09-28T06:42:49Z DEBUG Waiting until the CA is running
which seems to be the problem:
2018-09-28T06:42:54Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2018-09-28T06:42:54Z DEBUG Waiting for CA to start...
2018-09-28T06:42:55Z DEBUG request POST URL left out
2018-09-28T06:42:55Z DEBUG request body ''
2018-09-28T06:42:55Z DEBUG response status 500
and ending after five minutes of trying this with:
2018-09-28T06:47:48Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2018-09-28T06:47:48Z DEBUG Waiting for CA to start...
2018-09-28T06:47:49Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 194, in start_instance
self.start('pki-tomcat')
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 346, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 218, in start
self.wait_until_running()
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 212, in wait_until_running
raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s
2018-09-28T06:47:49Z CRITICAL Failed to restart the Dogtag instance.See the installation log for details.
2018-09-28T06:47:49Z DEBUG duration: 302 seconds
2018-09-28T06:47:49Z DEBUG [16/26]: importing CA chain to RA certificate database
2018-09-28T06:47:49Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-09-28T06:47:49Z DEBUG Starting external process
2018-09-28T06:47:49Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L
2018-09-28T06:47:49Z DEBUG Process finished, return code=0
2018-09-28T06:47:49Z DEBUG stdout=
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
.................. IPA CA CT,C,C
ipaCert u,u,u
Server-Cert u,u,u
2018-09-28T06:47:49Z DEBUG stderr=
2018-09-28T06:47:49Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 836, in __import_ca_chain
chain = self.__get_ca_chain()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 829, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
2018-09-28T06:47:49Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
2018-09-28T06:47:49Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 808, in run_script
return_value = main_function()
File "/usr/sbin/ipa-ca-install", line 300, in main
promote(safe_options, options, filename)
File "/usr/sbin/ipa-ca-install", line 272, in promote
install_replica(safe_options, options, filename)
File "/usr/sbin/ipa-ca-install", line 197, in install_replica
ca_cert_bundle=ca_data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1393, in configure_replica
self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 836, in __import_ca_chain
chain = self.__get_ca_chain()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 829, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
2018-09-28T06:47:49Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
A couple of questions:
+ Is there any way now to recover from this set back on our second server
without risking the single CA server and get it fully operational?
+ The third server, also F26, does not appear to have ever had CA
installed
ls -la /etc/pki/pki-tomcat/
ls: cannot access '/etc/pki/pki-tomcat/': No such file or directory
But as the second server failed to install, would it be safe to try here
on the third, again without risking the single CA server?
+ Or is there a better way forward to getting more CA servers operational
before going on to attempt an upgrade, say to F28 then to F30 across all
the servers?
Thanks
Best wishes
Stuart
4 years, 6 months
Re: Enabling more FreeIPA CA servers
by Stuart McRobert
Dear Rob,
Earlier you commented:
> You can run ipa-ca-install at any time to add a CA to an existing
> master.
Indeed, however if I may suggest it might be useful to also have an alias
ipa-ca-install-replica
to clearly indicate it is safe to use this command and it will *not* end
up replacing your current (possibly only) active CA. Experienced admins
may know this couldn't happen, but others may not. I read and searched for
examples first, but one tends to be rather cautious especially once you
realise you only have a single CA installed.
Alas in my case I see
> [root@freeipa02 ~]# ipa-ca-install
> CA is already installed on this host.
yet
ipa server-role-find --role "CA server"
indicates for this server it has status absent, which ties up with other
warnings about there only being one.
> Server name: freeipa02...
> Role name: CA server
> Role status: absent
I've not worked out why yet. Wondered if it might be installed but not
enabled, and if so, would it have up to date information. Puzzled.
Dear Satish,
> All i would say please run multiple CA servers in your ldap
> infrastructure, otherwise you will be in very big trouble like i was
> in...
Thanks and sorry to hear about the trouble you experienced, clearly I
would like to avoid this happening here too.
When I installed the FreeIPA servers a few years ago I honestly didn't
realise the CA hadn't been replicated along with everything else. Then in
a newer version I happened to notice the warning via the web interface,
only one CA server, although it might be useful to also include how to fix
such an omission with the warning.
As soon as I (and more experienced experts reading) can work out how to
get CA replication operational in this case, I will sleep easier. I have
already noticed the significant impact to services when freeipa01, our
complete server, is even briefly down, which really wasn't my intention.
Thanks to all.
Best wishes
Stuart
4 years, 6 months
Re: Remove stale server entry from LDAP
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hi all
>
> After decommissioning 2 IPA servers some time back (reduced from 8 to 6)
> I recently noticed that one of the decommissioned servers still appears
> when issuing commands like "ipa server-find." It only appears on 2 of
> the existing servers, not the other 4.
>
> "ipa server-del" and "ipa-replica-manage del" both report "server not
> found" for the decomm'ed server entry, when issued on any of the 6 IPA
> servers.
>
> So I suspect I have some stale LDAP entry left behind from the
> decommission process (I forget exactly what process I followed, it was
> over a year ago) and was thinking about deleting that entry from LDAP.
>
> Not having much familiarity with LDAP, I found a post here from the
> venerable Rob which tells me how to find such entries (with a bit of
> fumbling with grep!) and indeed I see the entry on the 2 IPA servers but
> not the other 4.
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00089.html
>
>
> [root@ipa6 ~]# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=dom
> "krbprincipalkey=*" dn 2>/dev/null | grep ipa7.example.dom
> # ipa7.example.dom + 9554ab01-42e811e8-a6dce53f-3a18cb6e, computers, acc
> dn: fqdn=ipa7.example.dom+nsuniqueid=9554ab01-42e811e8-a6dce53f-3a18cb6
This is a replication conflict entry. You can use ldapdelete or
ldapmodify to remove it.
rob
4 years, 6 months
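Rob's identification rests on the shape of the DN: 389-ds renames the losing side of a naming conflict by appending +nsuniqueid=<id> to its RDN, and tags the entry with the nsds5ReplConflict attribute. The script below is an added example, not an IPA tool, that turns an ldapsearch listing into a delete-only LDIF containing just such entries, so that the live entry with the plain RDN can never end up in the delete list by accident. It handles LDIF line folding, base64 dn:: values and comment lines. SAMPLE_LDIF is constructed with a made-up nsuniqueid; it is not the poster's output.

```python
"""Turn an ldapsearch listing into a delete-only LDIF for 389-ds replication
conflict entries (added example, not an IPA tool).

389-ds renames the losing side of a naming conflict by adding
'+nsuniqueid=<id>' to its RDN and tags it with nsds5ReplConflict. This reads
LDIF (folded lines, base64 'dn::' values, comments), keeps only entries with
that RDN form or that attribute, and emits 'changetype: delete' records for
them. SAMPLE_LDIF is constructed; the nsuniqueid in it is made up.
"""
import base64
import re
from typing import Dict, List

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=example,dc=dom> with scope subtree
# filter: krbprincipalkey=*
# requesting: dn nsds5ReplConflict
#

# ipa6.example.dom, computers, accounts, example.dom
dn: fqdn=ipa6.example.dom,cn=computers,cn=accounts,dc=example,dc=dom

# ipa7.example.dom + deadbeef-11111111-22222222-33333333, computers, accounts, example.dom
dn: fqdn=ipa7.example.dom+nsuniqueid=deadbeef-11111111-22222222-33333333,cn=compu
 ters,cn=accounts,dc=example,dc=dom
nsds5ReplConflict: namingConflict fqdn=ipa7.example.dom,cn=computers,cn=accounts,dc=example,dc=dom

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z0-9;.-]+)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one {attr: [values]} dict per record that has a dn."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        logical: List[str] = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and logical:
                logical[-1] += line[1:]        # unfold a continuation line
            else:
                logical.append(line)
        attrs: Dict[str, List[str]] = {}
        for item in logical:
            m = ATTR_RE.match(item)
            if not m:
                continue
            value = base64.b64decode(m[3]).decode("utf-8") if m[2] == "::" else m[3]
            attrs.setdefault(m[1].lower(), []).append(value)
        if "dn" in attrs:
            entries.append(attrs)
    return entries


def is_conflict_entry(entry: Dict[str, List[str]]) -> bool:
    """Conflict if the first RDN is multi-valued with nsuniqueid, or the marker attribute is present."""
    first_rdn = entry["dn"][0].split(",", 1)[0]
    rdn_marks_conflict = "+" in first_rdn and "nsuniqueid=" in first_rdn.lower()
    return rdn_marks_conflict or "nsds5replconflict" in entry


def conflict_delete_ldif(text: str) -> str:
    """LDIF with a delete record for every conflict entry and nothing else."""
    records = [f"dn: {e['dn'][0]}\nchangetype: delete\n"
               for e in parse_ldif(text) if is_conflict_entry(e)]
    return "\n".join(records)


if __name__ == "__main__":
    print(conflict_delete_ldif(SAMPLE_LDIF), end="")
```

Review the generated LDIF, then feed it to ldapmodify -Y GSSAPI -f on a server that still lists the entry; asking ldapsearch for nsds5ReplConflict alongside dn (as the constructed listing does) lets the attribute check confirm the RDN pattern. DNs containing non-ASCII characters would need base64 encoding on output, which this example does not do.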
Remove stale server entry from LDAP
by Angus Clarke
Hi all
After decommissioning 2 IPA servers some time back (reduced from 8 to 6) I recently noticed that one of the decommissioned servers still appears when issuing commands like "ipa server-find." It only appears on 2 of the existing servers, not the other 4.
"ipa server-del" and "ipa-replica-manage del" both report "server not found" for the decomm'ed server entry, when issued on any of the 6 IPA servers.
So I suspect I have some stale LDAP entry left behind from the decommission process (I forget exactly what process I followed, it was over a year ago) and was thinking about deleting that entry from LDAP.
Not having much familiarity with LDAP, I found a post here from the venerable Rob which tells me how to find such entries (with a bit of fumbling with grep!) and indeed I see the entry on the 2 IPA servers but not the other 4.
https://www.redhat.com/archives/freeipa-users/2015-December/msg00089.html
[root@ipa6 ~]# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=dom "krbprincipalkey=*" dn 2>/dev/null | grep ipa7.example.dom
# ipa7.example.dom + 9554ab01-42e811e8-a6dce53f-3a18cb6e, computers, acc
dn: fqdn=ipa7.example.dom+nsuniqueid=9554ab01-42e811e8-a6dce53f-3a18cb6
Assuming this is the right thing to do, I could do with some advice on how to delete this entry from the 2 LDAP servers.
Thanks in advance
Angus
4 years, 6 months