SOA generation algorythm
by Andrey Bondarenko
Hello,
Is the SOA generation algorithm for zones documented anywhere or anyone by
chance knows what it is?
We have cluster of 8 nodes and SOA is different on some IPAs in some zones
(with huge amount of changes). But if I make a change I actually see it on
different IPA.
Also, restarting IPA increases SOA by 1.
We wanted to relay on SOA on our DNS consistency check but seems like it's
not a working idea, or is it?
--
With best regards,
Andrey Bondarenkomail:me@andreybondarenko.comhttps://andreybondarenko.com
skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
4 years, 10 months
Re: zabbix for monitoring FreeIPA server?
by Alex Corcoles
The output of ipactl looks very similar to systemctl status. Is it doing
much more than that? I'm already monitoring systemd failed units so I
wonder if it's running checking ipactl.
On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hi Tony,
>
>
> I'm monitoring using the following userparameter (basically run "ipactl
> status" and grep out lines which are known good so only errors are
> returned):
>
>
> UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v
> "(INFO\: The ipactl command was successful$|: RUNNING$)"
>
>
> ipactl needs root access so I have a file in /etc/sudoers.d/zabbix with
> these lines to allow the zabbix user to sudo the ipactl status command only
> without a password:
>
>
> ## Allow zabix to query ipa status
> Defaults:zabbix !requiretty
> zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status
>
> The final challenge I had was selinux which I had to create a custom rule
> for (but most people seem to just disable selinux).
>
>
> Then just create a trigger to alert if the returned value contains any
> characters. eg this matches on any char apart from whitespace:
>
> {Custom Template IPA Server:ipa.status.regexp([^\s],1200)}=1
>
>
> If anyone else has a better way to do this I'd be interested to hear it.
>
>
> Regards,
>
> Neal.
>
>
>
>
>
> ------------------------------
> *From:* Tony Brian Albers via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>
> *Sent:* 24 August 2018 10:50
> *To:* freeipa-users(a)lists.fedorahosted.org
> *Cc:* Tony Brian Albers
> *Subject:* [Freeipa-users] zabbix for monitoring FreeIPA server?
>
> Hi guys,
>
> Anyone got this working?
>
> And if so, how did you do it?
>
> I know I can monitor the components separately, but if you know of
> anything that can do it easier I'd be happy to know about it.
>
> /tony
> --
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
4 years, 10 months
Active Directory Integration advise
by Prashant Bapat
Hi All,
I’m to setup FreeIPA in my organization to be the central directory for users/group/SSH keys and maybe sudo rules. All the users and groups are already present in Windows Active Directory.
So far I’ve tried setting up AD Trust but this does not get the users in AD to login to web UI of FreeIPA. I have looked at Passync as well but as per the docs only users will be synced that too only on a password change and groups won’t be.
To give you more details below is my use case.
1. The users and groups are in AD.
2. A user in AD should be able to login to FreeIPA web UI using AD password and manage their SSH keys.
3. Groups on AD should reflect in FreeIPA.
Appreciate if anyone can point me in the right direction.
Regards.
--Prashant
4 years, 10 months
upgrade freeipa from version 4.1.4 to 4.6.4
by Fritjof Konkas
I have a old version of freeipa server version 4.1.4 running on fedora 22.
Is it possible to migrate the data from ditto to version 4.6.4 on another server running centos 7?
/Fritjof
4 years, 10 months
sudo rule does not work for domain user
by Rob Verduijn
Hello,
I'm trying to figure out why an ad-domain user cannot use sudo.
When I test with
ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i
It says access granted: True
however if I issue the command 'sudo -l -U ansible' on the ipa01 host it
says:User ansible(a)windows.example.com is not allowed to run sudo on ipa01
It works for an ipa user using the same sudo rule.
id ansible works as well on the ipa01 host
uid=1958801104(ansible(a)windows.example.com) gid=1958801104(
ansible(a)windows.example.com)
groups=1958801104(ansible(a)windows.example.com),1958800512(domain
admins(a)windows.example.com),1958800513(domain users(a)windows.example.com)
the user ansible can login to the ipa01 host but cannot issue sudo -i.
What am I missing ?
Rob Verduijn
4 years, 11 months
zabbix for monitoring FreeIPA server?
by Tony Brian Albers
Hi guys,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of
anything that can do it easier I'd be happy to know about it.
/tony
--
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
4 years, 11 months
Statues of the HSM support?
by チョーチュアン
Hi all,
I just bought a Nitrokey HSM and trying to set it up with the Freeipa; I'm
not sure it's quite supported yet.
`ipa-server-install` aborted everytime during CA configuration, reported
error was "pkihelper : ERROR Server unreachable due to SSL error:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure
(_ssl.c:1056)"
I wonder if the FreeIPA has some modifications that actually breaks HSM
support?
Environment:
OS: Fedora-30-Cloud-base
freeipa-4.7.90.pre1-4.fc30
opensc-0.19.0-6.fc30
Here's what I've done:
```sudo ipa-server-install -U \
--allow-zone-overlap \
--auto-forwarders \
--no-reverse \
-r DOMAN.TLD \
-a `pass ipa/admin` \
-p `pass ipa/dm` \
--setup-dns \
--ca-subject='CN=CA Subject Name' \
--pki-config-override=/etc/ipa/override.ini```
and in the `/etc/ipa/override.ini`:
```[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219```
don't mind the password, it's the default and testing only.
I have modified the polkit[0] also:
```polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "pkiuser") {
return polkit.Result.YES;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader").startsWith("Nitrokey Nitrokey
HSM") &&
subject.user == "pkiuser") {
return polkit.Result.YES;
}
});```
`sudo -u pkiuser` gives the right card info.
I have disabled p11-kit-proxy by hand:
``` #cat /etc/crypto-policies/local.d/nss-p11-kit.config
#name=p11-kit-proxy
#library=p11-kit-proxy.so
```
and added nitrohsm for it (maybe not necessary):
```/etc/crypto-policies/local.d/hsm.config
name=nitrohsm
library=opensc-pkcs11.so```
after that, I can successfully add the SmartCard-HSM to
`/etc/pki/pki-tomcat/alias` without a problem.
the original error snippet:
```Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpciwcfccp'] returned
non-zero exit status 1: 'pkihelper : ERROR Server unreachable due to
SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:1056)\nconfiguration : ERROR Server failed to
restart\npkispawn : ERROR Exception: server failed to restart\n
File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547,
in main\n scriptlet.spawn(deployer)\n File
"/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 670, in spawn\n raise Exception("server failed to restart")\n\n')
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.```
[0]: https://gist.github.com/tiran/af7c21882e1732227455a13c3b8ff380
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
4 years, 11 months
Certmonger spawns many processes, causing huge load due to swapping
by Jonathan Vaughn
I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long
as I didn't run the Dogtag server on it performance seemed acceptable for
the purpose. These are only being used as local DNS/LDAP/Krb5 replicas,
everything also runs on both physical x86_64 and VM x86_64 servers as well
in more than one location.
However now that I'm trying to set up Pis for actual use (previously had
set up a test environment to validate using them) I'm running into major
performance issues once certmonger starts. Using a systemd timer to delay
start until everything else starts at least lets everything else FreeIPA
related start up and work, but once certmonger starts it still hammers the
system using tons of memory and causing lots of swapping.
Is there any reason for it to spawn so many processes all at once, versus
doing them in a more serial fashion? And did something change in
FreeIPA/certmonger behavior in the last year that would cause such a
performance regression in memory limited scenarios? Previously I just had
zram swap and it was fine, now I have to replace that with actual swap on
storage.
Also, there's currently no certs needing renewal or anything on this
system, so why does it even spawn so many processes ?
root 1699 1 0 03:55 ? 00:00:00 /usr/sbin/certmonger -S -p
/var/run/certmonger.pid -n
root 1720 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1721 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1722 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1723 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1724 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1725 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1726 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1727 1699 0 03:55 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
root 1742 1699 0 03:55 ? 00:00:00
/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
root 1759 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1761 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1762 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1763 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1764 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1765 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1767 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1768 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
root 1769 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1770 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1771 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1772 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1773 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1774 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1775 1699 0 03:56 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
root 1776 1699 0 03:57 ? 00:00:00 /usr/bin/python3 -E
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
Eventually these complete and things settle down but it takes a very long
time, and without delaying certmonger until after the rest of FreeIPA it
can cause various IPA services to take so long that they die and fail to
start.
4 years, 11 months
secure freeipa exposed to internet
by Stepan Vardanyan
Hello,
I've proposed to migrate from OpenLDAP to FreeIPA solution in my organization because the former did not met our requirements as we moving to Single Sign On. We migrated to FreeIPA but set it up with internal DNS name. This was dumb decision as we have a lot of external hosts in AWS and other datacenters which we want to join to our FreeIPA for authentication with one credential and utilize policies (HBAC, sudoers) easily and centrally.
We found that there is two solutions:
- setup tunnels between AWS and datacenters for making our DNS zone and FreeIPA servers available;
- redeploy whole FreeIPA with external DNS name and expose FreeIPA servers to Internet.
We end up with second option because first one is very complex, but second option make us think about security.
What came to mind is:
- disable anonymous bind;
- prohibit unencrypted traffic and improve communications security by using options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1.
So, there is several questions:
1) Is there anything else from security perspective that we should care, configure properly (Kerberos DC for example)?
2) We want to share with users only one Web service from specific replica so users will not cause replication conflicts by modifying entries in other replicas. Is it ok if we close web ports (80, 443) only to localhost on other replicas and leave all other ports on all replicas opened to internet (389,636,88,464)?
3) How secure and strong is default SASL/GSSAPI replication mechanism? I've noticed that traffic is encrypted but can be decrypted by using servers kerberos keytab
4) Overall, even with all previous concerns taken into account cared is it proper to open FreeIPA to internet? This is kinda rhetorical question as we see that this is only choice for us but just want to hear some advices, expert vision.
P.S. We don't utilize FreeIPA internal DNS service. DNS is configured on external hosts
Thanks in advance.
4 years, 11 months
