freeipa client on Ubuntu SSH fails
by Will Kay
Hi all,
Issue:
We have FreeIPA servers set up and tests are good with CentOS 7.6 clients. We are trying to test Ubuntu 16.04 and 18.04 clients. After running ipa-client-install, we can't SSH login to the Ubuntus with IPA user accounts. If we log in as root, `ipa user-show xxx` looks fine on the Ubuntus. Where should we start looking from here?
Background:
One FreeIPA 4.6.4 master and two replicas set up on CentOS 7.6.1810. All seems to work fine. The `ipa user-show xxx` test works across the replicas. I also have two CentOS clients installed. SSH login and sudo command group tests are good. We are very happy with the test results so far. We just need to move on to client tests with Ubuntu 16.04, 18.04 and RH7.
thanks
Wil
5 years
FreeIPA causing issues with SMB shares
by Kristian Petersen
We have been using IPA with a number of Ubuntu workstations, but have had
to remove freeipa-client from them because something that happens when
enrolling them prevents them from mounting SMB shares from our fileserver.
Is there a simple explanation as to why this happens? The shares work fine
before enrollment and after removing freeipa-client.
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
5 years
IPA install with custom CA fails at SSL: CERTIFICATE_VERIFY_FAILED
by Jonny McCullagh
I can install freeipa with ipa-server-install and no parameters fine. However I want to be able to use IPA as a sub-CA. I have created root and intermediate CAs using openssl and attempt to install ipa server with:
/usr/sbin/ipa-server-install --external-cert-file=/root/thisserver.domain.dev.cert.pem \
--external-cert-file=/root/intermediate.cert.pem \
--external-cert-file=/root/root-ca.cert.pem \
--external-ca -n domain.dev -r DOMAIN.DEV \
--hostname="thisserver.domain.dev" \
--subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \
--ds-password=topsecret --admin-password=opensesame
It stops at step 24 with the following message:
[20/28]: Configure HTTP to proxy connections
[21/28]: restarting certificate server
[22/28]: updating IPA configuration
[23/28]: enabling CA instance
[24/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
If I visit the address on port 8443 I do get an error, which I believe is due to an empty certificate. My browser shows:
Certificate path length constraint is invalid. Error code: SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID
So I have a few questions if anyone can guide me:
1. Can I resume the install to complete the last 4 installation steps?
2. How can I get the install to use a self-signed cert for the http/ldap service OR can I supply a signed cert for that purpose?
Thanks in advance.
IPA version: 4.6.4-10.el7.centos.2.x86_64
OS: CentOS 7.6
5 years
Re: FreeIPA-users Digest, Vol 23, Issue 8
by Julian Gethmann
Hello Anthony,
I don't know if there is an official tool for that, but since I once
wrote a similar script, you might be happy with that. It requires that
your Python 3 installation has got the IPA libraries installed and you
have got a valid Kerberos ticket. I have tested it only on Fedora so far.
I hope it's useful for you and you can modify it to your needs.
Regards,
Julian
On 09/03/2019 05.03, freeipa-users-request(a)lists.fedorahosted.org wrote:
> Date: Fri, 8 Mar 2019 11:50:55 -0500
> From: Anthony Jarvis-Clark<anthonyclarka2(a)gmail.com>
> Subject: [Freeipa-users] list all users and their password expiration
> date?
> To: FreeIPA users list<freeipa-users(a)lists.fedorahosted.org>
> Message-ID:
> <CAJGYKdMpG5ovFfLoa8w0VqSnd1A__awvzbqe3kfTF1w+My86mQ(a)mail.gmail.com>
>
> Hello Everyone,
>
> Is there a command line method to get a list of users and their password
> expiration date?
>
> Thanks!
>
> -Anthony
>
5 years
Web app integration
by Alex Corcoles
Hi,
I've read https://www.freeipa.org/page/Web_App_Authentication , but there is some stuff that is not clear to me.
1) SAML
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS there
is no straightforward way to install and integrate it with a FreeIPA
domain, correct?
2) SSO
What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?
I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but nothing
really clear.
3) How should you deliver apps?
Suppose you are a web app developer and you want to deliver a web
application which can easily integrate with FreeIPA. What's the most
comfortable option you can give? (assuming, for instance, that you want
the SSO magic sauce). Is there any difference between apps that will
run on the FreeIPA's domain owner's systems or third party apps?
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
5 years
sss_ssh_authorizedkeys returns nothing on client
by Charles Ulrich
Hello, good people of FreeIPA-users,
Short version:
I've run into an issue where SSH public key authentication doesn't work on the FreeIPA client. When I run `sss_ssh_authorizedkeys <fully-qualified_user>` on the client, there is a brief hang (10-15 seconds, maybe?) and then it returns nothing. The same command run on the FreeIPA server does, however, correctly return the user's public key.
Long version:
The server is FreeIPA 4.6.4 on CentOS 7 (all packages up to date) with a one-way trust to active directory. The client is the ipa-server package version 4.7.0 on Ubuntu 18.04. I added a user to the "Default Trust View" override and pasted in the public key.
The AD trust and client configuration seem to be working for the most part since I can log into the client with my AD username and password. It's just SSH public key authentication that doesn't work. As mentioned above, the `sss_ssh_authorizedkeys` command runs successfully on the server but not on the client.
From the client logs, it looks like the client is having trouble communicating with the server somehow. I don't see anything that looks like errors in the server logs. A sanitized version of the client logs at debug_level 4 are here: https://paste.fedoraproject.org/paste/y3nyxeb13wZMzaQNemhCNQ The sssd.conf from the client is here: https://paste.fedoraproject.org/paste/SK3qx0EcF19ggtrmssYZnw I can provide more detailed logs to individuals.
I double-checked the firewalls on both the client and server and it looks to me like all the necessary ports are open on both sides.
I have done a bunch of Googling and reading of documentation but nothing so far has led me in the right direction. This is something that *was* working just fine on a test deployment a few weeks ago. As far as I can tell, everything is set up the same. Is there any other information I can provide?
Thanks,
Charles
5 years
FreeIPA and laptop question
by Albert Szostkiewicz
Hi!
If OS login for a domain user is verified by FreeIPA (which sets the UID etc.), what happens if I use ipa-client on a laptop and am outside my network? If I can't connect to IPA for login verification, is there any kind of fallback? Or should I make any specific settings for such a situation? (assuming that I don't have access to the network at all)
Cheers!
5 years
OTP + SSHKey/Certificate Authentication
by Callum Smith
Dear FreeIPA Gurus,
I was wondering if it's possible to configure `sshd` such that for OTP-based authentication the first factor could be passed as an SSH key or certificate.
So specifically: The user's password would not be required for auth, only the key and OTP token. Is there a magic combination of AuthenticationMethods for `sshd_config` that would allow this to work?
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
5 years