Lookups for trust users fail if member of a group that has a user with the same name: returned more than one object.
by Henrik Johansson
Hi,
I have a trust setup against an AD domain for existing user accounts, I have then created groups in FreeIPA and added AD users to external groups which are members of the POSIX groups. All good so far, now I noticed that it was not possible to look up some users on the clients while it works fine on the server. A little digging showed that:
(Sat Apr 13 22:48:52 2019) [sssd[nss]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(|(nameAlias=examplegroup@ipa.net)(name=examplegroup@ipa.net)))] returned more than one object.
(Sat Apr 13 22:48:52 2019) [sssd[nss]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Sat Apr 13 22:48:52 2019) [sssd[nss]] [cache_req_search_cache] (0x0020): CR #66: Unable to lookup [examplegroup@ipa.net] in cache [22]: Invalid argument
(Sat Apr 13 22:48:52 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
This happens when there are both a group and a user with the same name in FreeIPA, and we can see on the filter that it looks for both. So if AD user X is part of group mariadb by a proxy group and there is also a mariadb user, lookups for AD user X fail on the SSSD clients.
It does work on the FreeIPA server all the time but fails on clients; if I look up the conflicting group before the user on the client it also works.
Version is 4.6.2.
Regards
Henrik
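An added example, not part of Henrik's post or of SSSD, that replays the same filter on constructed cache entries (the names are made up): it shows why a user and a group sharing a name turn a single-object lookup into an error, and gives a quick check for such collisions before pointing clients at a trust.

```python
"""Reproduce the ambiguous SSSD cache lookup from the post on constructed data.

Added example, not SSSD code. The entries below are made up; the matching rule
mirrors the filter in the quoted log line:
(&(|(objectCategory=user)(objectCategory=group))(|(nameAlias=N)(name=N)))
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    """Minimal stand-in for one object in the SSSD sysdb cache (constructed)."""
    category: str                 # "user" or "group"
    name: str                     # fully qualified name, e.g. mariadb@ipa.net
    name_alias: set = field(default_factory=set)


def cache_filter(entries, name):
    """The filter SSSD applied: user OR group, matched on name OR nameAlias."""
    wanted = name.lower()
    return [
        e for e in entries
        if e.category in ("user", "group")
        and (e.name.lower() == wanted or wanted in {a.lower() for a in e.name_alias})
    ]


def lookup(entries, name):
    """Single-object lookup; more than one hit is the EINVAL the nss responder logged."""
    hits = cache_filter(entries, name)
    if len(hits) > 1:
        raise ValueError(
            f"lookup of [{name}] returned {len(hits)} objects: "
            + ", ".join(f"{h.category}:{h.name}" for h in hits)
        )
    return hits[0] if hits else None


def name_collisions(entries):
    """Names present as both a user and a group: the condition behind the failure."""
    categories = {}
    for e in entries:
        for n in {e.name, *e.name_alias}:
            categories.setdefault(n.lower(), set()).add(e.category)
    return sorted(n for n, cats in categories.items() if {"user", "group"} <= cats)


# Constructed cache: POSIX group "mariadb", a local user also called "mariadb",
# the external proxy group, and the AD user resolved through it.
CACHE = [
    Entry("group", "mariadb@ipa.net", {"mariadb"}),
    Entry("user", "mariadb@ipa.net", {"mariadb"}),
    Entry("group", "mariadb_external@ipa.net"),
    Entry("user", "x@ad.example", {"X@ad.example"}),
]

if __name__ == "__main__":
    print("user/group name collisions:", name_collisions(CACHE))
    try:
        lookup(CACHE, "mariadb@ipa.net")
    except ValueError as exc:
        print("error:", exc)
    print("unique lookup:", lookup(CACHE, "x@ad.example"))
```

In this model only the shared name is ambiguous; the AD user's own lookup succeeds, so the failure surfaces when membership resolution has to look up the group. Running name_collisions() over a dump of users and groups before enabling the trust is the cheap way to catch this ahead of time.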
Cert renew error: service with name already exists.
by John Aquino
Hi all,
I was referred to this place by Florence. I'm hoping to get some help in the right direction with this issue I've been having.
I have a FreeIPA system that I inherited from a previous coworker with no install notes so I'm trying to figure out heads/tails out of this thing.
From what I can tell it's a 4-node deployment with all of them as CA servers and 1 of them was the CA master.
The issue is the LDAP and HTTP certs expired but from my knowledge they were supposed to auto-renew.
I've tried auto-renewing the certs by rolling back time and restarting certmonger but it keeps returning this error:
---
status: CA_UNREACHABLE
ca-error: Server at https://$hostname/ipa/xml failed request, will retry: 4002 (RPC failed at server. service with name "HTTP/$hostname@DOMAIN.COM" already exists).
...
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
---
Similar with the LDAP cert:
ca-error: Server at https://$hostname/ipa/xml failed request, will retry: 4002 (RPC failed at server. service with name "HTTP/$hostname@DOMAIN.COM" already exists).
...
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
I've also seen it appear on the other nodes before the certs expired, so I'm guessing certmonger was trying to renew it but something snuck into LDAP?
---
Some diagnostics:
[root@a01-n ~]# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
[root@a01-n ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170315010441':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2021-01-25 01:52:48 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170315010442':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2021-01-25 01:53:28 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170315010443':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2021-01-25 01:53:48 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170315010444':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2039-03-15 01:45:42 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170315010445':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2021-01-25 01:53:18 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170315010446':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=a01-n.fqdn,O=DOMAIN.COM
expires: 2021-01-25 01:52:44 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190203000836':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=a01-n.fqdn,O=DOMAIN.COM
expires: 2019-03-16 01:05:25 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20190329001401':
status: CA_UNREACHABLE
ca-error: Server at https://a01-n.fqdn/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM
subject: CN=a01-n.fqdn,O=DOMAIN.COM
expires: 2019-03-16 01:05:03 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
track: yes
auto-renew: yes
---------
[root@a01-n ~]# ipa config-show
...
IPA masters: a01-e.fqdn, a01-n.fqdn, a02-e.fqdn, a02-n.fqdn
IPA CA servers: a01-e.fqdn, a01-n.fqdn, a02-e.fqdn, a02-n.fqdn
IPA NTP servers: a01-e.fqdn, a01-n.fqdn, a02-e.fqdn, a02-n.fqdn
IPA CA renewal master: a01-n.fqdn
----------
Any help would be greatly appreciated.
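An added example, not from John's post or from certmonger, that parses `getcert list` output (a trimmed copy of the listing above, used as constructed input) and reports which requests are expired, not in MONITORING, stuck or carrying a ca-error, plus the latest timestamp at which every tracked certificate was still valid, which is the bound you need when rolling the clock back to retry a renewal.

```python
"""Triage `getcert list` output: which tracked certificates are expired, not
monitoring, stuck or reporting a CA error, and how far back the clock would
have to go for them all to be valid again.

Added example, not part of the post or of certmonger. SAMPLE is a trimmed copy
of the output quoted above, used as constructed input. Real output indents the
fields under each Request ID with a tab; the parser tolerates either.
"""
from datetime import datetime, timedelta, timezone
import re

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20170315010444':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=DOMAIN.COM
\texpires: 2039-03-15 01:45:42 UTC
Request ID '20190203000836':
\tstatus: SUBMITTING
\tstuck: no
\tCA: IPA
\tsubject: CN=a01-n.fqdn,O=DOMAIN.COM
\texpires: 2019-03-16 01:05:25 UTC
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
Request ID '20190329001401':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://a01-n.fqdn/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
\tstuck: no
\tCA: IPA
\tsubject: CN=a01-n.fqdn,O=DOMAIN.COM
\texpires: 2019-03-16 01:05:03 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
"""

REQUEST_LINE = re.compile(r"^Request ID '([^']+)':")
TS_FORMAT = "%Y-%m-%d %H:%M:%S UTC"


def parse_ts(text):
    """certmonger prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for raw in text.splitlines():
        m = REQUEST_LINE.match(raw)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        line = raw.strip()
        if current is None or ":" not in line:
            continue                      # header line, or not a field
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def triage(requests, now):
    """Map request id -> list of problems (an empty list means healthy)."""
    now = parse_ts(now) if isinstance(now, str) else now
    findings = {}
    for rid, f in requests.items():
        problems = []
        if "expires" in f and parse_ts(f["expires"]) <= now:
            problems.append("expired " + f["expires"])
        if f.get("status") != "MONITORING":
            problems.append("status=" + f.get("status", "?"))
        if f.get("stuck", "no") != "no":
            problems.append("stuck")
        if "ca-error" in f:
            problems.append("ca-error: " + f["ca-error"])
        findings[rid] = problems
    return findings


def clock_rollback_target(requests, margin=timedelta(days=1)):
    """Latest time at which every tracked cert was still valid, minus a margin.

    Heuristic for the 'roll the clock back and renew' recovery: getcert does not
    show notBefore, so this only bounds the upper end of the usable window.
    """
    expiries = [parse_ts(f["expires"]) for f in requests.values() if "expires" in f]
    return min(expiries) - margin if expiries else None


if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    for rid, problems in triage(reqs, "2019-04-01 00:00:00 UTC").items():
        print(rid, reqs[rid].get("subject"), "OK" if not problems else "; ".join(problems))
    print("roll clock back to no later than:", clock_rollback_target(reqs))
```

In the sample the two service certificates expired on 2019-03-16 while the CA-side certificates run until 2021, so a clock set shortly before 2019-03-16 is what a retry needs. The 4002 "service with name ... already exists" error in the post is a different failure; this triage only surfaces it through the ca-error text, it does not diagnose it.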
Lost Dogtag admin certificate
by Petr Benas
Hello,
I'm trying to solve the following issue in our FreeIPA 4.6.4 deployment and ran out of ideas, so I'm asking for advice. The main issue is the auditSigningCert having a printablestring subject:
# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-ca' -a | openssl x509 -noout -nameopt multiline,show_type -subject -issuer
subject=
organizationName = PRINTABLESTRING:DOMAIN.COM
commonName = PRINTABLESTRING:CA Audit
issuer=
organizationName = UTF8STRING:DOMAIN.COM
commonName = UTF8STRING:Certificate Authority
It gets resubmitted with a printablestring subject again, so I was hoping to fix it according to https://pagure.io/dogtagpki/issue/2865 by setting
policyset.caLogSigningSet.1.default.params.useSysEncoding=true
In order to modify the caSignedLogCert profile, Dogtag's admin certificate is required. Our domain is a couple of years old and we don't have the original master anymore, nor do we have any backups from it that would contain /root/ca-agent.p12.
So I was attempting to restore the admin cert by the method described in /etc/pki/pki-tomcat/ca/CS.cfg, but after setting
ca.Policy.enable=true
cmsgateway.enableAdminEnroll=true
and restarting Dogtag, it fails to start with the following in /var/log/pki/pki-tomcat/ca/debug
[08/Apr/2019:13:55:32][localhost-startStop-1]: CertificateAuthority init: initRequestQueue
[08/Apr/2019:13:55:32][localhost-startStop-1]: selected policy processor = classic
[08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init begins
[08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is ENABLED
java.lang.ClassNotFoundException: com.netscape.cms.policy.constraints.ManualAuthentication
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1892)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1735)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1220)
at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200)
at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81)
at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
No policy implementation exists for: null
at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1247)
at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200)
at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81)
at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
So I wanted to ask two questions. How to reset or obtain the lost /root/ca-agent.p12 certificate? If it's not possible in a way safe enough for a replicated production environment, are there any alternative ways to modify the caSignedLogCert profile without Dogtag's admin cert, or even to resubmit the auditSigningCert with utf8string encoding without modifying the profile?
Thanks
Petr
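An added example, not from Petr's post or from Dogtag, that does in a few lines what the certutil/openssl pipeline above does: it decodes a DER-encoded Name and reports the ASN.1 string type of each attribute. The two Names are hand-encoded here (constructed to match the subject and issuer in the post) so the block needs no library; decode_name() accepts the raw subject or issuer bytes of any real certificate.

```python
"""Show which ASN.1 string type each attribute of an X.509 Name uses, and
compare two Names attribute by attribute.

Added example, not Dogtag or FreeIPA code. Two Names are encoded by hand in
DER so the block runs without any library: the audit cert's subject as
PrintableString (tag 0x13) and the issuer as UTF8String (tag 0x0C), which is
the mismatch the openssl output above displays.
"""
PRINTABLE, UTF8 = 0x13, 0x0C
TAG_NAMES = {0x13: "PRINTABLESTRING", 0x0C: "UTF8STRING", 0x16: "IA5STRING",
             0x14: "T61STRING", 0x1E: "BMPSTRING"}
# OID contents (without the 0x06 tag) for the attributes used here.
OID_CONTENT = {"O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
ATTR_BY_OID = {v: k for k, v in OID_CONTENT.items()}


def _tlv(tag, body):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, position_after) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def encode_name(rdns, string_tag):
    """Encode [(attr, value), ...] as an X.501 Name, one AVA per RDN, with the given string tag."""
    body = b""
    for attr, value in rdns:
        ava = _tlv(0x30, _tlv(0x06, OID_CONTENT[attr]) + _tlv(string_tag, value.encode("utf-8")))
        body += _tlv(0x31, ava)          # RelativeDistinguishedName ::= SET OF AVA
    return _tlv(0x30, body)              # Name ::= SEQUENCE OF RDN


def decode_name(der):
    """Return [(attr, string_type, value), ...] for every AVA in a DER Name."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)
        rpos = 0
        while rpos < len(rdn):
            _, ava, rpos = _read_tlv(rdn, rpos)
            _, oid, after_oid = _read_tlv(ava, 0)
            vtag, value, _ = _read_tlv(ava, after_oid)
            result.append((ATTR_BY_OID.get(oid, oid.hex()),
                           TAG_NAMES.get(vtag, hex(vtag)),
                           value.decode("utf-8")))
    return result


def encoding_mismatch(name_a, name_b):
    """Attributes present in both Names whose string type differs.

    Implementations that compare DNs byte for byte see such Names as different
    even though they print identically.
    """
    a = {attr: stype for attr, stype, _ in decode_name(name_a)}
    b = {attr: stype for attr, stype, _ in decode_name(name_b)}
    return sorted((attr, a[attr], b[attr]) for attr in a if attr in b and a[attr] != b[attr])


# Constructed to mirror the openssl output in the post.
SUBJECT = encode_name([("O", "DOMAIN.COM"), ("CN", "CA Audit")], PRINTABLE)
ISSUER = encode_name([("O", "DOMAIN.COM"), ("CN", "Certificate Authority")], UTF8)

if __name__ == "__main__":
    for label, der in (("subject", SUBJECT), ("issuer", ISSUER)):
        print(label)
        for attr, stype, value in decode_name(der):
            print(f"    {attr} = {stype}:{value}")
    print("mismatched:", encoding_mismatch(SUBJECT, ISSUER))
```

The mismatch list is the thing to re-check after a profile change and resubmission: a renewed subject that comes back as PrintableString again will still appear there.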
CA Cert and CA Private key, or signing key.
by Ralph Crongeyer
Hello List,
I'm testing SSL decryption on a firewall. The self-signed CA cert and private signing key that I started testing with are generated on the firewall itself, which works. So I am now trying to figure out how to generate a Sub CA with its own private signing key to be imported to the firewall. I'm not having any luck figuring out how to create a CA with its own key.
Is this possible? If so can someone help me with this task?
Thanks,
Ralph
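An added example for the sub CA question, not from Ralph's post or from FreeIPA: it drives openssl from Python to create a root CA, a subordinate CA with its own key, and a PKCS#12 bundle of the sub CA plus chain for the firewall. The organisation and CA names, lifetimes and the export password are assumptions; the substance is the v3_subca section, which marks the sub CA as a CA but with pathlen:0 and only keyCertSign/cRLSign, so a key that lives on an interception device cannot issue further CAs.

```python
"""Build a root CA, a subordinate CA with its own private key, and a PKCS#12
bundle of the sub CA suitable for import into a TLS-inspecting device.

Added example, not from the post or from FreeIPA. It drives the openssl command
line through subprocess and works in a temporary directory; the organisation
and CA names and the export password are made up. run() returns None when no
openssl binary is available.
"""
import os
import shutil
import subprocess
import tempfile

# One config file for every step. The sub CA gets pathlen:0 so the key on the
# firewall can only issue end-entity certificates, never another CA.
OPENSSL_CNF = """\
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
"""

ROOT_SUBJ = "/O=Example Lab/CN=Example Lab Root CA"            # assumed names
SUB_SUBJ = "/O=Example Lab/CN=Example Lab TLS Inspection CA"


def openssl_available():
    return shutil.which("openssl") is not None


def _openssl(workdir, *args):
    """Run one openssl command inside workdir; raise on a non-zero exit."""
    done = subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True)
    return done.stdout


def build_sub_ca(workdir, root_subj=ROOT_SUBJ, sub_subj=SUB_SUBJ, p12_password="change-me"):
    """Create root + sub CA under workdir; return paths and the two pre-import checks."""
    cnf = os.path.join(workdir, "ca.cnf")
    with open(cnf, "w") as fh:
        fh.write(OPENSSL_CNF)

    # 1. Root CA: self-signed; its key should go offline once the sub CA is signed.
    _openssl(workdir, "genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", "root.key")
    _openssl(workdir, "req", "-x509", "-new", "-key", "root.key", "-subj", root_subj, "-days", "3650",
             "-sha256", "-config", cnf, "-extensions", "v3_root", "-out", "root.crt")

    # 2. Sub CA: its own key, a CSR, and a certificate signed by the root with v3_subca.
    _openssl(workdir, "genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", "sub.key")
    _openssl(workdir, "req", "-new", "-key", "sub.key", "-subj", sub_subj, "-config", cnf, "-out", "sub.csr")
    _openssl(workdir, "x509", "-req", "-in", "sub.csr", "-CA", "root.crt", "-CAkey", "root.key",
             "-CAcreateserial", "-days", "730", "-sha256", "-extfile", cnf, "-extensions", "v3_subca",
             "-out", "sub.crt")

    # 3. Checks before import: the chain verifies and the constraints really landed in the cert.
    verified = _openssl(workdir, "verify", "-CAfile", "root.crt", "sub.crt").strip().endswith(": OK")
    text = _openssl(workdir, "x509", "-in", "sub.crt", "-noout", "-text")
    constrained = "pathlen:0" in text and "Certificate Sign" in text

    # 4. Bundle: sub CA key + cert, with the root as the chain, for the device.
    _openssl(workdir, "pkcs12", "-export", "-inkey", "sub.key", "-in", "sub.crt", "-certfile", "root.crt",
             "-name", "tls-inspection-subca", "-passout", "pass:" + p12_password, "-out", "subca.p12")
    return {"root_crt": os.path.join(workdir, "root.crt"),
            "p12": os.path.join(workdir, "subca.p12"),
            "verified": verified, "constrained": constrained}


def run(p12_password="change-me"):
    """Build everything in a scratch directory; None if openssl is missing."""
    if not openssl_available():
        return None
    with tempfile.TemporaryDirectory() as tmp:
        result = build_sub_ca(tmp, p12_password=p12_password)
        result["p12_size"] = os.path.getsize(result["p12"])
        return result


if __name__ == "__main__":
    print(run() or "openssl not found")
```

Import subca.p12 on the device and distribute root.crt (only the root, never the sub CA key) to the clients whose traffic is inspected. Keep the root key offline after signing; the sub CA key on the firewall is the one that can mint a certificate for any name, so that is the asset to protect. OpenSSL 3 writes the PKCS#12 with PBES2 algorithms; add -legacy to the pkcs12 command if an older device cannot read the file.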
after losing and rebuilding replica, message in syslog
by Anthony Jarvis-Clark
Hello Everyone,
Over the weekend we lost a replica during an upgrade and had to rebuild it.
The OS (CentOS 7.6) was reinstalled from scratch, the host then added to
the IPA domain, and then turned into a replica.
Sequence of events:
1) ns01 upgraded from FreeIPA 4.4.0-14 to 4.6.4-10
2) ns02 corrupted during upgrade process
3) on ns01, "ipa-replica-manage del ns02" ran.
4) ns02 rebuilt from scratch with latest CentOS 7.6 packages.
5) ns02 added to IPA domain
6) ns02 added as replica
The process went well, no errors during the "ipa-replica-install --setup-ca
--setup-kra --setup-dns --forwarder=x.x.x.x" process.
However, on ns01, I'm getting the following message in /var/log/messages:
Apr 8 13:54:36 ns01 ns-slapd: [08/Apr/2019:13:54:36.294135188 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ns02.dev.example.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
...
Apr 8 13:59:36 ns01 ns-slapd: [08/Apr/2019:13:59:36.547881587 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ns02.dev.example.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
If I run a search in ns01's LDAP I get this result:
[root@ns01 ~]# ldapsearch -xLLL -h ns01.dev.example.net -D "cn=directory manager" -W -b "ou=csusers,cn=config"
Enter LDAP Password:
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers
dn: cn=Replication Manager masterAgreement1-ns02.dev.example.net-pki-tomcat,ou=csusers,cn=config
cn: Replication Manager masterAgreement1-ns02.dev.example.net-pki-tomcat
objectClass: top
objectClass: person
sn: manager
userPassword:: redacted!!!
So there's a "masterAgreement1" but no "cloneAgreement1".
Is that something hanging around from the previous replica agreement? If
so, how do I fix whatever is running that query every 5 minutes?
Or is it indicative of something else that is wrong? I ran the tool from
https://github.com/peterpakos/checkipaconsistency and it reports everything
is fine (except that ns01 has a dangling AD trust that was supposed to be
removed, but that's for another post I guess).
How do I identify the process that is running that query that causes the
error message in /var/log/messages?
Many, many thanks,
Anthony Clark
AD Trust and ipa cli/Web UI
by John Desantis
Hello all,
I'm wondering if anyone could help shed light on why IPA CLI commands
fail for a trusted AD user, and why Web UI logins for the same user
fail with the message "Your session has expired. Please re-login.",
despite creating a view for the user via `ipa idoverrideuser-add
'Default Trust View' ad_user@ad_domain.com`. The symptoms appear
almost identical to the post [0], except that the cli and Web UI were
never working previously.
I am able to login via SSH (on a host with an HBAC configured), and
able to `kinit` and obtain the appropriate tickets across the realms.
I've configured the system accordingly, per the URL:
https://www.freeipa.org/page/Active_Directory_trust_setup.
I am running FreeIPA version 4.6.4 with a successful AD Trust (one
way) using the range type "ipa-ad-trust-posix", both nodes completely
re-provisioned (fresh installation purposes). SELinux is disabled,
and the configuration IPA-wise is untouched, with the exception of
enabling debugging and editing krb5.conf per the URL:
https://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fk...
I've attached Apache logs referencing the Web UI and from the console.
From what I have found online, it should be possible to allow an AD
user to login to Web UI and ipa CLI commands should function, too.
All IPA services are running and have been restarted, just in case
something was "stuck". The interesting entries within the logs:
(Failed to unseal session data!, GSSapiImpersonate not On) seem to be
red herrings.
Thanks for any assistance!
John DeSantis
[0] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
different security policy for login(password+otp) and screenlock (password only) for workstation
by Jelle de Jong
Hello everybody,
I am looking for a way to have a different authentication policy for
freeipa-client logout and screenlock on linux workstations.
When a user logs in I want to use my password+otp (this is working)!
When a user locks the screen I want to be able to unlock it with only the
password.
When a user logs out and back in then it needs to use the password+otp
again.
I am aware of the security implications for this.
How can I configure this policy?
Kind regards,
Jelle de Jong
SSH problems in cross-forest trust
by D
Hello,
We're currently evaluating FreeIPA for handling the linux side of idm, with AD as the upstream provider.
At this time, it seems everything is working well, but SSH into both ipa clients and servers as AD users does not. Sumit has provided a few suggestions in the past which have been addressed.
The setup is stock with the following config:
- M$ AD 2016, FreeIPA 4.6.4, sssd 1.16.2-13, all el7.6
- Verified Two-way trust between IPA and AD
- AD domain is splat.acme.com, IPA domain is ipa.splat.acme.com
- All ipa-clients are on the splat.acme.com domain, and all users are username@splat.acme.com
- Only ipa-servers are on the ipa.splat.acme.com domain.
- In our setup, UID == GID, not sure if that matters.
- In SSSD, under ipa.splat.acme.com ldap_search_timeout and krb5_auth_timeout have been increased.
Further info:
- IPA can resolve AD group/user memberships and attributes. The AD users belong in a group which is an external member of an IPA group.
- All relevant AD users and groups have unix attrs which fall within the idrange used by the trust
- ldbsearch of cache and ldapsearch both show proper results when resolving a user.
- SSSD sites work, no indication that any data providers are offline in the logs.
- kinit $user, and kvno -S $cross_domain_stuff works. ID command works.
- The attached logs come from an attempt to ssh into the IPA server as an AD user, attempts to ssh into IPA clients show similar behavior.
Thanks for your time everyone,
D
Re: [EXTERNAL]Re: Re: Creating CA replica fails
by Alex Santizo
Hi,
This issue was resolved. We had implemented a more restrictive set of ssl cipher suites on the httpd server of the IPA masters that I was trying to initialize from and that was preventing the ipa-replica-install --setup-ca (not sure what the exact component would be) from completing a handshake/CA config on the replica.
These were observed on the master's httpd error log:
[Mon Apr 08 12:36:51.051315 2019] [:error] [pid 40464] SSL Library Error: -12286 No common encryption algorithm(s) with client
[Mon Apr 08 12:36:51.068917 2019] [:error] [pid 39291] SSL Library Error: -12286 No common encryption algorithm(s) with client
For reference, this is what my IPA master's nss.conf looked like; the commented-out entries are the ones that the ipa-replica-install --setup-ca did not like.
#NSSCipherSuite +ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_rsa_aes_256_gcm_sha_384,+dhe_rsa_aes_128_gcm_sha_256,+dhe_dss_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_rsa_aes_256_sha_384,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha,+dhe_rsa_aes_128_sha_256,+dhe_rsa_aes_128_sha,+dhe_dss_aes_128_sha_256,+dhe_rsa_aes_256_sha_256,+dhe_dss_aes_256_sha_256,+dhe_rsa_aes_256_sha
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,-ecdh_ecdsa_3des_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,-ecdhe_ecdsa_3des_sha,-ecdh_rsa_null_sha,-ecdh_rsa_128_sha,-ecdh_rsa_3des_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,-ecdhe_rsa_3des_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
#NSSProtocol TLSv1.2
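An added example, not from Alex's post or from mod_nss, that parses the two NSSCipherSuite lines above, flags duplicated and malformed tokens, and intersects the enabled set with a constructed client offer. The post does not record what the installer's client actually offered, so CLIENT_OFFER is invented to illustrate the empty-intersection case mod_nss logs as -12286; the structural checks, by contrast, run on the real strings. It also flags the NSSProtocol change: the working configuration above re-enables TLSv1.0 and TLSv1.1, which is a separate weakening worth revisiting once the cipher list is fixed.

```python
"""Sanity-check mod_nss NSSCipherSuite and NSSProtocol values and test them
against a client's cipher offer.

Added example, not from the post or from FreeIPA/mod_nss. The two cipher
strings are the ones quoted above (the commented-out one that broke
ipa-replica-install --setup-ca, and the one that worked). CLIENT_OFFER is
constructed. An empty intersection is what mod_nss logs as
SSL Library Error: -12286 No common encryption algorithm(s) with client.
"""
from collections import Counter

REJECTED = "+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_rsa_aes_256_gcm_sha_384,+dhe_rsa_aes_128_gcm_sha_256,+dhe_dss_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_rsa_aes_256_sha_384,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha,+dhe_rsa_aes_128_sha_256,+dhe_rsa_aes_128_sha,+dhe_dss_aes_128_sha_256,+dhe_rsa_aes_256_sha_256,+dhe_dss_aes_256_sha_256,+dhe_rsa_aes_256_sha"

ACCEPTED = "+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,-ecdh_ecdsa_3des_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,-ecdhe_ecdsa_3des_sha,-ecdh_rsa_null_sha,-ecdh_rsa_128_sha,-ecdh_rsa_3des_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,-ecdhe_rsa_3des_sha"

# Constructed client offer, in the client's preference order (not what the installer sent).
CLIENT_OFFER = ["ecdhe_rsa_aes_128_gcm_sha_256", "rsa_aes_128_sha", "rsa_aes_256_sha"]

# mod_nss names are <key exchange>[_<auth>]_<cipher>_<mac>; these are the prefixes it uses.
KEY_EXCHANGE = ("ecdhe_ecdsa", "ecdhe_rsa", "ecdh_ecdsa", "ecdh_rsa",
                "dhe_rsa", "dhe_dss", "rsa", "fips", "fortezza")
AUTH = ("ecdsa", "rsa", "dss")


def suspicious(name):
    """Why a cipher token looks malformed, or None if its structure is plausible."""
    kx = next((k for k in KEY_EXCHANGE if name == k or name.startswith(k + "_")), None)
    if kx is None:
        return "unknown key-exchange prefix"
    rest = name[len(kx):].lstrip("_")
    if rest.split("_")[0] in AUTH:
        return "two authentication algorithms in one name"
    return None


def parse_cipher_suite(value):
    """Split an NSSCipherSuite value into (enabled, disabled, problems)."""
    enabled, disabled, problems = [], [], []
    for token in (t.strip() for t in value.split(",") if t.strip()):
        if token[0] not in "+-":
            problems.append(f"{token}: missing +/- prefix")
            continue
        (enabled if token[0] == "+" else disabled).append(token[1:])
    for name, count in Counter(enabled + disabled).items():
        if count > 1:
            problems.append(f"{name}: listed {count} times")
    for name in dict.fromkeys(enabled + disabled):
        why = suspicious(name)
        if why:
            problems.append(f"{name}: {why}")
    return enabled, disabled, problems


def negotiate(enabled, client_offer):
    """Suites both sides accept, in client order; empty means no overlap (-12286)."""
    server = set(enabled)
    return [c for c in client_offer if c in server]


def weak_protocols(nss_protocol):
    """Protocol versions in an NSSProtocol value that should no longer be offered."""
    return [p.strip() for p in nss_protocol.split(",") if p.strip() in ("SSLv3", "TLSv1.0", "TLSv1.1")]


if __name__ == "__main__":
    for label, value in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        enabled, disabled, problems = parse_cipher_suite(value)
        print(f"{label}: {len(enabled)} enabled, {len(disabled)} disabled")
        for p in problems:
            print("   problem:", p)
        print("   common with client:", negotiate(enabled, CLIENT_OFFER) or "NONE (-12286)")
    print("weak protocols still enabled:", weak_protocols("TLSv1.0,TLSv1.1,TLSv1.2"))
```

On the real strings the checker finds that the rejected list names one suite three times and contains a token with two authentication algorithms, and that the working list disables a token with a misspelled prefix; none of those is necessarily what broke the handshake, but they are the kind of thing to clean up before narrowing a cipher list that an installer's client has to negotiate with.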