Vault: Cannot authenticate agent with certificate
by Peter Oliver
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug is see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
--
Peter Oliver
1 month
Can login with non-existing user
by Ronald Wimmer
I have managed to login to an IPA client with a non-existing user.
My AD user is z123456(a)addomain.mydomain.at and I have created a similar
user called i123456(a)ipadomain.mydomain.at. What happened now is that I
could log in with the i-User and what I get to see after logging in is this:
[i123456@addomain.mydomain.at(a)as12314 ~]$ id
uid=1246600007(i123456(a)addomain.mydomain.at)
gid=1246600007(i123456(a)addomain.mydomain.at)
groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group(a)ipadomain.mydomain.at)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[i123456@addomain.mydomain.at(a)as12314 ~]$ whoami
i123456(a)addomain.mydomain.at
The user i123456(a)addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
What is wrong here? Are things just displayed wrong or could it be more?
Which files do you need in order to analyze this issue?
Cheers,
Ronald
1 month, 2 weeks
FreeIPA v4.5.0 install lost topology suffixes
by Gavin Williams
Afternoon all
I’ve got a slightly strange one with one of our FreeIPA clusters, whereby the topology suffixes appear to have disappeared.
From what I can see, this is causing replication issues between the hosts, which is causing us issues with bootstrapping new clients against FreeIPA.
I’m not aware of any config changes that have happened on the FreeIPA hosts that could have caused this issue, so am a bit stumped atm.
Is someone able to advise next steps on how to investigate the cause and correct the configuration?
Regards
Gavin
2 months
Automounting homeshares partially stopped working
by Ronald Wimmer
Some days ago a strange problem struck us. When colleagues access a
server using an ipa-automounted share from a Windows client they can
logon to such a server using a Kerberos ticket but they cannot access
their NFS-automounted home-share anymore. When they log on with
username/password they can.
When I try the same from my linux client I do not encounter any problems
(using the same users as in the above scenario).
Where should I start digging in order to find out what is going wrong?
Cheers,
Ronald
2 months
Create kerberos keytab
by Boyd Ako
So, I tried doing the test section in the V4 doc below. However, I get an error.
https://www.freeipa.org/page/V4/Keytab_Retrieval
=====================
[root@ipa home]# ipa-getkeytab -r -s ipa.neverland.ddns.me -p NFS/abyss.neverland.ddns.me -k abyss-nfs.keytab
Failed to parse result: Insufficient access rights
Failed to get keytab
2 months
Removing first freeipa master
by Jo Domsic
Hi to the good people of FreeIPA!
I'm in the process of removing old servers from my datacentar, and I was wondering if I can delete/remove (first created) freeipa server?
I have 4 masters:
[root@server] ipa-replica-manage list
freeipa03.lan: master
freeipa04.lan: master
freeipa01.lan: master <--- I want to delete this one
freeipa02.lan: master
What will happen to servers that have:
[root@server2] cat /etc/ipa/default.conf
#File modified by ipa-client-install
[global]
basedn = dc=lan
realm = LAN
domain = lan
server = freeipa01.lan
host = server2.lan
xmlrpc_uri = https://freeipa01.lan/ipa/xml
enable_ra = True
2 months, 2 weeks
IPA with multiple legs: hostname resolution
by Dmitry Perets
Hi,
I'd like to ask for your advise for the following topology...
On a given site, IPA server has two legs (two NICs), let's call them "inside NIC" and "outside NIC".
The inside NIC subnet is local to the site. The outside NIC subnet is interconnecting sites.
All the local clients talk to IPA via the inside NIC. But to setup a replica on another site, we must reach IPA via outside NIC (the inside subnet is not routable beyond the local site boundaries).
So the question arises: how to configure proper DNS resolution for the hostname of the IPA server itself?
DNS is handled by IPA itself, fully in our control.
So we have two options:
1. We create two A records for the same IPA hostname, let's say "ipa.site1.example.com". But then not sure if it will work fine... Technically, two IPs for the same name means load-balancing, right? So will I have intermittent connectivity issues, because it will return inside and outside IP interchangebly?
2. We create a new DNS name, e.g. "ipa-outside-site1.example.com", for the outside IP, and manually add it to the @ entry of "example.com", so that wannabe-replica on the remote site can use that FQDN as its master IPA. Will this work fine..? Will it not cause issues to the local clients on site1, who must keep using IPA with inside IP? Will it not cause issues on IPA server itself for some reason?
Please share your experience on this!
Thanks.
2 months, 2 weeks
CA subsystem certificates failing to renew.
by Guillermo Fuentes
Hi list,
I'm having an issue where the CA subsystem certificates are failing to renew.
*** Environment:
4 FreeIPA replica servers with CA.
Currently CentOS 7 up-to-date.
Initially setup as FreeIPA 3 on CentOS 6 upgraded to CentOS 7 and kept
up-to-date with the latest stable release available:
ipa-server-4.6.4-10.el7.centos.3.x86_64
389-ds-base-1.3.8.4-23.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
pki-server-10.5.9-13.el7_6.noarch
This past June third-party wildcard certificate was installed for both
the HTTPS and LDAP servers using the ipa-server-certinstall command.
Trying to be proactive as the following CA subsystem certificates will
expire on August 12, 2019:
subject: CN=CA Audit,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
*** Issue:
Getting the following error when listing the certificate info for each
of them in the CA Renewal and CRL Master:
status: MONITORING
ca-error: Server at
"https://ipa1.example.com:8443/ca/agent/ca/profileProcess" replied: 1:
Server Internal Error
stuck: no
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2019-08-12 ...
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Getting the following error in the other CA replicas for the same
certificates (I'm assuming fixing it in the Master should take care of
the replicas):
ca-error: Invalid cookie: u''
Looking at the logs in the Master, the renewal seems to fail with an
LDAP error code 68 (Entry Already Exists) when adding serial 268304406
(when resubmitting it). Doesn't that serial suppose to exist as it's
being renewed?
These are some relevant logs after resubmitting:
- certmonger journal shows:
...
Jul 22 20:30:19 ipa1.example.com dogtag-ipa-renew-agent-submit[10116]:
GET https://ipa1.example.com:8443/ca/agent/ca/profileProcess?requestId=998004...
Jul 22 20:30:19 ipa1.example.com
dogtag-ipa-ca-renew-agent-submit[10097]: dogtag-ipa-renew-agent
returned 2
Jul 22 20:30:19 ipa1.example.com certmonger[1288]: 2019-07-22 20:30:19
[1288] Server at
"https://ipa1.example.com:8443/ca/agent/ca/profileProcess" replied: 1:
Server Internal Error
- /var/log/pki/pki-tomcat/ca/debug
...
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Repository: checkRange
mLastSerialNo=268304406
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Repository:
getNextSerialNumber: returning retSerial 268304406
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: CAService:
issueX509Cert: setting issuerDN using exact CA signing cert subjectDN
encoding
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: About to ca.sign cert.
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: sign cert get algorithm
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: sign cert encoding cert
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: sign cert encoding algorithm
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: CA cert signing: signing cert
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Getting algorithm
context for SHA256withRSA RSASignatureWithSHA256Digest
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Signing Certificate
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: storeX509Cert 268304406
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: In storeX509Cert
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: In
LdapBoundConnFactory::getConn()
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: masterConn is connected: true
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: getConn: conn is connected true
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: getConn: mNumConns now 5
[22/Jul/2019:20:30:19][http-bio-8443-exec-16]: returnConn: mNumConns now 6
LDAP operation failure - cn=268304406,ou=certificateRepository, ou=ca,
o=ipaca: error result
at com.netscape.cmscore.dbs.DBSSession.add(DBSSession.java:125)
at com.netscape.cmscore.dbs.CertificateRepository.addCertificateRecord(CertificateRepository.java:737)
at com.netscape.ca.CAService.storeX509Cert(CAService.java:893)
at com.netscape.ca.CAService.storeX509Cert(CAService.java:579)
at com.netscape.ca.CAService.issueX509Cert(CAService.java:564)
at com.netscape.cms.profile.common.CAEnrollProfile.execute(CAEnrollProfile.java:203)
at com.netscape.cms.servlet.cert.RequestProcessor.approveRequest(RequestProcessor.java:371)
at com.netscape.cms.servlet.cert.RequestProcessor.processRequest(RequestProcessor.java:173)
...
- /var/log/dirsrv/slapd-EXAMPLE-COM/access
...
[22/Jul/2019:20:30:18.703610909 +0000] conn=15 op=44 SRCH
base="cn=Certificate Manager Agents,ou=groups,o=ipaca" scope=0
filter="(uniqueMember=uid=ipara,ou=people,o=ipaca)" attrs="cn"
[22/Jul/2019:20:30:18.703958648 +0000] conn=15 op=44 RESULT err=0
tag=101 nentries=1 etime=0.0002262912
[22/Jul/2019:20:30:18.706322783 +0000] conn=14 op=2439 SRCH
base="cn=9980043,ou=ca,ou=requests,o=ipaca" scope=0
filter="(objectClass=*)" attrs=ALL
[22/Jul/2019:20:30:18.706916435 +0000] conn=14 op=2439 RESULT err=0
tag=101 nentries=1 etime=0.0020648732
[22/Jul/2019:20:30:18.758736256 +0000] conn=14 op=2440 SRCH
base="cn=9980043,ou=ca,ou=requests,o=ipaca" scope=0
filter="(objectClass=*)" attrs=ALL
[22/Jul/2019:20:30:18.759537249 +0000] conn=14 op=2440 RESULT err=0
tag=101 nentries=1 etime=0.0051791092
[22/Jul/2019:20:30:18.984013755 +0000] conn=15 op=45 SRCH
base="ou=People,o=ipaca" scope=2
filter="(description=2;268304403;CN=Certificate
Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM)" attrs=ALL
[22/Jul/2019:20:30:18.984630800 +0000] conn=15 op=45 RESULT err=0
tag=101 nentries=1 etime=0.1719630345
[22/Jul/2019:20:30:18.988077577 +0000] conn=15 op=46 SRCH
base="ou=Groups,o=ipaca" scope=2
filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL
[22/Jul/2019:20:30:18.990404518 +0000] conn=15 op=46 RESULT err=0
tag=101 nentries=14 etime=0.0005432147
[22/Jul/2019:20:30:18.994230483 +0000] conn=15 op=47 SRCH
base="uid=ipara,ou=People,o=ipaca" scope=0 filter="(objectClass=*)"
attrs=ALL
[22/Jul/2019:20:30:18.994648102 +0000] conn=15 op=47 RESULT err=0
tag=101 nentries=1 etime=0.0004001393
[22/Jul/2019:20:30:18.996091715 +0000] conn=15 op=48 SRCH
base="cn=Certificate Manager Agents,ou=groups,o=ipaca" scope=0
filter="(uniqueMember=uid=ipara,ou=people,o=ipaca)" attrs="cn"
[22/Jul/2019:20:30:18.996470330 +0000] conn=15 op=48 RESULT err=0
tag=101 nentries=1 etime=0.0001510753
[22/Jul/2019:20:30:19.023676890 +0000] conn=14 op=2441 ADD
dn="cn=268304406,ou=certificateRepository,ou=ca,o=ipaca"
[22/Jul/2019:20:30:19.024455023 +0000] conn=14 op=2441 RESULT err=68
tag=105 nentries=0 etime=0.1736683576
[22/Jul/2019:20:30:19.037339256 +0000] conn=28692 op=5 UNBIND
[22/Jul/2019:20:30:19.037387249 +0000] conn=28692 op=5 fd=162 closed - U1
...
Can someone shed some light on what the problem could be and what to
try to fix it?
Any help is really appreciated.
Guillermo
2 months, 2 weeks
[Announce] FreeIPA 4.7.3 released
by Alexander Bokovoy
Hello!
The FreeIPA team would like to announce FreeIPA 4.7.3 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 29 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR repository].
== Highlights in 4.7.3 ==
* 6077: [RFE] Support One-Way Trust authenticated by trust secret
With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust
to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC).
Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned
scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret
from both Active Directory and from IdM.
--------
* 7193: [RFE] Warn or adjust umask if it is too restrictive to break installation
If the umask has been used during the installation of an Identity Management (IdM) it was "too restrictive"
This RFE checks for too-restrictive mask at install time and error out when this happens
to avoid not working deployments of the FreeIPA server.
--------
* 7206: [RFE] Provide an option to include FQDN in IDM topology graph
IdM WebUI is now able to display the fully qualified domain name (FQDN) of the nodes in its Topology Graph.
As a result, the topology graph is able to distinguish nodes with the same short hostname but within different domains.
--------
* 7716: [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
In verbose mode, the command ipa-replica-manage list <server> displays additional details such as
the status and timestamp of the last initialization or the last update. When no initialization occurred
on the server, the command doesn't display any more the labels
'last init status: None' and 'last init ended: 1970-01-01 00:00:00+00:00' which were confusing.
--------
* 7747: [RFE] Support interactive prompt for NTP options for FreeIPA
With patches related to this RFE an Identity Management (IdM) is no longer unable to set time servers/pool
when run without NTP related options passed only by command line options.
This prompt for NTP server and pool options applies to interactive installations run without --unattended/-U
option aiming to improve user experience for users not familiar with command line options.
--------
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.7.3 is a stabilization release for the features delivered as a
part of 4.7.0.
There are more than 130 bug-fixes details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 2018 Change hostname length limit to 64
* 4270 CA-less installation should not continue if dirsrv/httpd certificate is revoked
* 4271 CA-less test suite always generate failures
* 4607 ipa-getkeytab fails if -k points to empty file or a symlink to nonexistent file
* 4812 Switch nsslapd-unhashed-pw-switch to nolog
* 5062 [WebUI] Unlock option is enabled for all user.
* 5803 Add utility to promote CA replica to CRL master
* 5880 Second call to ldapmodify in ipatests.test_integration.tasks.enable_replication_debugging fails
* 6077 [RFE] Support One-Way Trust authenticated by trust secret
* 6468 Make ipaclient pip install-able
* 6594 ipa idoverrideuser-find view --anchor fails to return output
* 6627 WebUI: Enable pagination
* 6951 Update samba config file and use sss idmap module
* 6979 Suggest user to install libyubikey package instead of traceback
* 7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
* 7193 [RFE] Warn or adjust umask if it is too restrictive to break installation
* 7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
* 7206 [RFE] Provide an option to include FQDN in IDM topology graph
* 7288 set_directive can overwrite wrong directives
* 7305 PKINIT status not displayed in the web UI (IPA Server > Configuration)
* 7329 update_ra_cert_store does not remove private key from NSSDB
* 7347 ipa-server-install breaks if subject base RDN has an escaped comma
* 7369 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
* 7451 Allow issuing certificates with IP addresses in subjectAltName
* 7492 client install still creates /etc/ipa/nssdb
* 7548 Need integration test for --external-ca-type=ms-cs
* 7578 IPA server upgrade should remove stale kdcinfo_* generated by SSSD
* 7597 IPA: IDM drops all custom attributes when moving account from preserved to stage
* 7598 ipa-client-install: autodiscovery must refuse single label domains
* 7603 In IPA WebUI, a warning appears in the background(warning message behind the dialog box).
* 7647 Error message should be more useful while ipa-backup fails for insufficient space
* 7651 ipa-replica-install --setup-kra broken on DL1
* 7654 ipa-kra-install fails on DL1
* 7667 When setting up mod_ssl, define range o f the TLS protocols within the system-wide crypto policy
* 7708 Create a warning that SSSD needs restart after idrange-mod
* 7716 [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
* 7719 Automation added for NTP Replacement test scenarios
* 7723 NTP options fails on ipa replica
* 7744 ipa-replica-install picks wrong replica for CA initial replication
* 7745 nss.conf needs to be zero length, not removed.
* 7746 IPA help command fails in an environment without the `less` binary
* 7747 [RFE] Support interactive prompt for NTP options for FreeIPA
* 7750 ipaldap: invalid modlist when attribute encoding can vary
* 7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration
* 7756 Split Web UI test suite in nightly PR CI configuration
* 7761 External CA renewal accepts issuer key < 2048-bit
* 7762 External CA renewal accepts IPA CA cert with empty Subject Key Identifier
* 7775 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'"
* 7778 test_full_backup_and_restore_with_replica fails with "Unknown host replica1.ipa.test"
* 7780 Make ipa-client-automount --uninstall more robust
* 7781 Don't start/enable nfs-idmap nor nfs-secure
* 7783 use non-symlink (aliases) NFS unit names
* 7786 Index accessruletype, hostcategory, ipaenabledflag, ipserviceport, and ipserviceprotocol by default
* 7787 Missing indexes for automountmapname and automountkey
* 7790 ipa host-del --updatedns FQDN yeilds unindexed searches
* 7792 Missing index on ipaconfigstring
* 7793 ipa service-del service fails with internal error
* 7795 ipa-pkinit-manage enable fails on replica if it doesn't host the CA
* 7796 ipa-replica-install fails migrating CentOS 6 to 7
* 7797 SSSD's getservby*() causes performance issues
* 7803 Missing index on idnsName
* 7805 [NFS] test kerberized NFS
* 7807 Detect container installation to avoid Kernel keyring
* 7809 All Web UI tests fail with UnexpectedAlertPresentException
* 7810 [F28] Require NSS with fix for p11-kit issue.
* 7811 Fix compile issue with new 389-ds
* 7828 ipa trust-add fails with ipa: ERROR: an internal error has occurred
* 7829 ipa-server-upgrade when run displays 'No such file name in the index' on the console
* 7831 add systemd-user HBAC service to default set of HBAC services
* 7835 Cert revokation for services and hosts is inefficient
* 7836 print appropriate message when uninstalling non-existent IPA client
* 7837 Replace os.getenv('HOME') with os.path.expanduser
* 7838 configure_openldap_conf() does not handle multi-value URI
* 7841 Remove tests for client installation with --no-sssd and --noac options
* 7843 [WebUI] Use generated certificates and CSR for testing
* 7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations
* 7855 Automember XML-RPC test failure
* 7857 Create tests for ipa-winsync-migrate
* 7858 Define C feature macros
* 7860 389-ds-base will no longer use /etc/sysconfig
* 7862 "ccache" may not exist if GSSError occurs in ipa-client-automount causing an exception to be thrown
* 7864 [WebUI] Review and increase timeouts for UI tests in Nightly PR configuration
* 7865 test_topology_TestTopologyOptions:test_add_remove_segment nightly failure in fed28 and fed29
* 7866 FreeIPA server deployment fails due to 'Permission denied' error under /tmp during pki-tomcatd deployment
* 7868 ipa-client-automount exception backing up /etc/sysconfig/nfs
* 7873 remove all occurrences of osinfo.version_id from ipatests/
* 7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations
* 7876 Fail replica install
* 7877 External CA installation: sanity check pathLenConstraints
* 7881 [WebUI] Automember UI tests are broken
* 7883 Cannot install ipa-server on rhel7.7
* 7884 Coverity: New defect found in ipa-4.6.5
* 7885 RFE: wrapper for Dogtag cert-fix command
* 7886 ipa-replica-manage force-sync --from keeps prompting "No status yet"
* 7889 test_integration/test_trust.py need improvement
* 7892 Implement hidden / unadvertised IPA replicas
* 7893 ipasam needs changes for Samba 4.10
* 7895 ipa trust fetch-domains, server parameter ignored
* 7896 ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode text
* 7897 ipa-kra-install failing with invalid 'role_servrole': must be Unicode text error
* 7900 dns and search not fixed for dns enabled deployments
* 7901 IPA Web UI is slow to display user details page.
* 7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
* 7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains
* 7905 ipa-dnskeysync-replica should handle LDAP down gracefully
* 7906 ipa-kra-install fails due to fs.protected_regular=1
* 7907 ipa-replica-install due to permission error, leaves ipa server in unstable condition
* 7916 ipaplatform.debian.services does not implement wait for CA service
* 7918 ipa-client-automount needs option to specify domain
* 7921 Missing deps for `make pylint`
* 7922 Command ipa conole is broken
* 7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
* 7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
* 7928 cn=cacert could show expired certificate
* 7929 ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
* 7930 Interactive promt for NTP options after install check.
* 7932 FreeIPA queries rely on missing attribute altsecurityidentities
* 7933 FreeIPA must index certmap attributes.
* 7934 ipa-server-common expected file permissions in package don't match runtime permissions
* 7937 `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments
* 7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
* 7943 [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format
* 7952 ipa-backup file logging does not work
* 7956 Ipatests don't honor TMPDIR, TEMP or TMP environment variables
* 7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
* 7962 Different pycodestyle results: Travis vs Azure
* 7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
* 7964 GSSAPI failure causing LWCA key replication failure on f30
* 7969 test failure in test_caless.py::TestServerInstall
* 7970 test failure in test_backup_and_restore.py::TestBackupAndRestore
* 7972 automember rebuild sometimes appears to return before the rebuild is complete
* 7981 Pytest4.x warnings
* 7982 Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
* 7983 Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount"
* 7984 make sure 'make fastlint' processes Python .in files
* 7986 Increase debugging level of certmonger
* 7988 test_nfs.py: errors when running ipa-client-automount
* 7992 ipa upgrade fails with trust entry already exists
* 8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure
* 8024 [WebUI] test_webui/test_trust.py failed because of request timeout
== Detailed changelog since 4.7.2 ==
=== Armando Neto (4) ===
* travis: Use Fedora 29 to test ipa-4-7 branch
* Update Travis config to run on Fedora 28
* Bump template version
* Add missing nightly test definitions from master
=== Alexander Bokovoy (29) ===
* translations: update Ukrainian translation from Zanata
* certmaprule: add negative test for altSecurityIdentities
* certmap rules: altSecurityIdentities should only be used for trusted domains
* Create indexes for altSecurityIdentities and ipaCertmapData attributes
* Add altSecurityIdentities attribute from MS-WSPP schema definition
* trust-fetch-domains: make sure we use right KDC when --server is specified
* adtrust upgrade: fix wrong primary principal name, part 2
* adtrust upgrade: fix wrong primary principal name
* upgrade: adtrust - catch empty result when retrieving list of trusts
* Enforce SMBLoris attack protection in default Samba configuration
* Set idmap config for Samba to follow IPA ranges and use SSSD
* Update list of contributors and sort it alphabetically
* Update translations in ipa-4-7
* Update mailmap
* Bypass D-BUS interface definition deficiences for trust-fetch-domains
* Remove DsInstance.request_service_keytab as it is not needed anymore
* oddjob: allow to pass options to trust-fetch-domains
* ipasam: use SID formatting calls to libsss_idmap
* upgrade: add trust upgrade to actual upgrade code
* upgrade: upgrade existing trust agreements to new layout
* trusts: add support for one-way shared secret trust
* trust: allow trust agents to read POSIX identities of trust
* Add design page for one-way trust to AD with shared secret
* domainlevel-get: fix various issues when running as non-admin
* make sure IPA_CONFDIR is used to check that client is configured
* ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
* ipa-sidgen: make internal fetch_attr helper really internal
* Update ipa-4-7 translations from Zanata
* Revert to development after a release
=== Anuja More (1) ===
* ipatests: POSIX attributes are no longer overwritten or missing
=== Ian Pilcher (1) ===
* Allow issuing certificates with IP addresses in subjectAltName
=== Adam Williamson (1) ===
* Correct default fontawesome path (broken by da2cf1c5)
=== Christian Heimes (96) ===
* Fix CustodiaClient ccache handling
* Use only TLS 1.2 by default
* Replace PYTHONSHEBANG with valid shebang
* Increase default debug level of certmonger
* Forbid imports of ipaserver and install packages
* Don't import ipaserver in conf.py
* Replace imports from ipaserver
* Delay import of SSSDConfig
* Consider configured servers as valid
* Correct path to systemd-detect-virt
* Add helper to look for missing binaries
* Guard dbus.start() with dbus.is_running()
* chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
* Check for SELinux AVCs after installation
* Refactor tasks to include is_selinux_enabled()
* Globally disable softhsm2 in p11-kit-proxy
* Deprecate ipa-client-install --request-cert
* Fix pylint error with absolute_import
* Debian: Use RedHatCAService for pki-tomcatd
* Debian: auto-generate config files for oddjobd
* Debian: Fix replicatio of light weight sub CAs
* Add ODS manager abstraction to ipaplatform
* Debian: Use different paths for KDC cert and key
* Debian: Add fixes for OpenDNSSEC 2.0
* Debian: Add paths for open-sans and font-awesome
* Debian doesn't have authselect
* Debian: use -m lesscpy instead of hard-coded name
* Reduce startup_timeout to 120sec as documented
* Add ExecStartPost hook to wait for Dogtag PKI
* Use Network Manager to configure resolv.conf
* Improve error handling in DNSSEC helpers
* Gating: remove vault and kdcproxy tests
* automount: rmtree temp directory
* Adapt cert-find performance workaround for users
* Make netifaces optional
* Skip orphan automember rule test
* Verify external CA's basic constraint pathlen
* Move DS's Kerberos env vars to unit file
* Add tasks.systemd_daemon_reload()
* Add option to remove lines from a file
* Add test case for configure_openldap_conf
* Don't fail if config-show does not return servers
* Add design draft
* Test replica installation from hidden replica
* Synchronize hidden state from IPA master role
* Don't allow to hide last server for a role
* More test fixes
* Improve config-show to show hidden servers
* Consider hidden servers as role provider
* Implement server-state --state=enabled/hidden
* Simplify and improve tests
* Add hidden replica feature
* Consolidate container_masters queries
* Use api.env.container_masters
* Unify and simplify LDAP service discovery
* replica install: acknowledge ca_host override
* Fix assign instead of compare
* GIT: ignore ipa-crlgen-manage
* Disable dependency on dogtag-pki PyPI package
* Test --external-ca-type=ms-cs
* Remove ZERO_STRUCT() call
* Update build requirements on twine
* Compile IPA modules with C11 extensions
* Require 389-ds 1.4.0.21
* Mark two failing automember tests as xfail
* ipa-getkeytab: resolve symlink
* Optimize cert remove case
* Add workaround for slow host/service del
* Use expanduser instead of HOME env var
* Don't configure KEYRING ccache in containers
* Fix systemd-user HBAC rule
* Create systemd-user HBAC service and rule
* Require krb5 with fix for CVE-2018-20217
* Don't use Python dependency generator yet
* Use debug logger in ntpd_cleanup()
* Make conftest compatible with pytest 4.x
* Add index on idnsName
* Require 3.41.0-3 on Fedora 28
* Create reindex task for ipaca DB
* Add more LDAP indices
* LDAPUpdate: Batch index tasks
* Always collect test logs
* Handle service_del with bad service name
* Add index and container for RFC 2307 IP services
* Python 2 compatibility
* Add install/remove package helpers to advise
* Test smart card advise scripts
* Log stderr in run_command
* Smart card auth advise: Allow Apache user
* Allow HTTPd user to access SSSD IFP
* Remove dead code
* Disable nss-p11-kit crypto policy for tests
* Run idviews integration tests in nightly
* Add integration tests for idviews
* Resolve user/group names in idoverride*-find
* Require Dogtag PKI 10.6.8-3
=== Diogo Nunes (1) ===
* Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.
=== François Cami (24) ===
* test_nfs.py: change pr-ci configuration to run on master_2repl_1client
* ipatests: add proper timeouts to nfs.py
* ipa-client-automount: fix '--idmap-domain DNS' logic
* nfs.py: fix user creation
* Hidden replica documentation: fix typo
* ipa-backup: better error message if ENOSPC
* ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
* ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
* ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
* ipaplatform: add more services
* ipatests: add nfs tests
* ipaserver/install/cainstance.py: unlink before creating new file in /tmp
* ipaserver/install/krainstance.py: chown after write
* ipatests: Exercise hidden replica feature
* ipa-{server,replica}-install: add too-restritive mask detection
* ipatests: add too-restritive mask tests
* ipa-client-automount: fix PEP8 issues
* ipatests: remove all occurrences of osinfo.version_id
* pylintrc: ignore R1720 no-else-raise errors
* ipa-client-automount: handle NFS configuration file changes
* ipa-server-install: fix ca setup when fs.protected_regular=1
* ipatests: add a test for ipa-client-automount
* ipa-client-automount: use nfs-utils unit
* Fix NFS unit names
=== Florence Blanc-Renaud (41) ===
* xmlrpc test: add test for preserved > stage user
* user-stage: transfer all attributes from preserved to stage user
* test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules
* upgrade: remove ipaCert and key from /etc/httpd/alias
* ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py
* XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD --ttl
* dnsrecord-mod: allow to modify ttl without passing the record
* ipatests: add a test for stageuser-find with non-posix account
* stageuser-find: fix search with non-posix user
* ipatests: fix test_backup_and_restore.py::TestBackupAndRestore
* ipatests: fix test_caless.py
* ipatests: add integration test for ipa-replica-manage list
* NSSDatabase: fix get_trust_chain
* ipatests: CA renewal must refresh cn=CAcert
* CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
* ipatests: add integration test checking the files mode
* Fix expected file permissions for ghost files
* ipactl restart: fix wrong logic when checking service list
* ipa-client-install: autodiscovery must refuse single-label domains
* ipa-setup-kra: fix python2 parameter
* ipa-server-upgrade: fix add_systemd_user_hbac
* ipa-replica-manage: fix force-sync
* Coverity: fix issue in ipa_extdom_extop.c
* XML RPC test: fix test_automember_plugin
* ipa server: prevent uninstallation if the server is CRL master
* Test: add new tests for ipa-crlgen-manage
* CRL generation master: new utility to enable|disable
* pkinit setup: fix regression on master install
* test: add non-reg test checking pkinit after server install
* tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment
* ipatests: mark known failures as xfail
* ipatests: add test for replica in forward zone
* replica installation: add master record only if in managed zone
* ipatests: fix CA less expectations
* ipatests: add integration test for pkinit enable on replica
* pkinit enable: use local dogtag only if host has CA
* replication: check remote ds version before editing attributes
* ipatests: fix test_full_backup_and_restore
* PKINIT: fix ipa-pkinit-manage enable|disable
* ipatest: add test for ipa-pkinit-manage enable|disable
* ipatests: fix TestUpgrade::test_double_encoded_cacert
=== Fraser Tweedale (25) ===
* CustodiaClient: fix IPASecStore config on ipa-4-7
* CustodiaClient: use ldapi when ldap_uri not specified
* Handle missing LWCA certificate or chain
* dn: sort AVAs when converting from x509.Name
* .gitignore: add ipa-cert-fix program
* ipa-cert-fix: fix spurious renewal master change
* ipa-cert-fix: handle 'pki-server cert-fix' failure
* require Dogtag 10.7.0-1
* ipa-cert-fix: use customary exit statuses
* ipa-cert-fix: add man page
* Add ipa-cert-fix tool
* constants: add ca_renewal container
* cainstance: add function to determine ca_renewal nickname
* Extract ca_renewal cert update subroutine
* add test for external CA key size sanity check
* dn: handle multi-valued RDNs in Name conversion
* Fix installation when CA subject DN has escapes
* cert-request: handle missing zone
* cert-request: more specific errors in IP address validation
* Add tests for cert-request IP address SAN support
* cert-request: report all unmatched SAN IP addresses
* cert-request: generalise _san_dnsname_ips for arbitrary cname depth
* cert-request: collect only qualified DNS names for IPAddress validation
* cert-request: restrict IPAddress SAN to host/service principals
* certupdate: add commentary about certmonger behaviour
=== German Parente (1) ===
* ipa-replica-manage: remove "last init status" if it's None.
=== Kaleemullah Siddiqui (2) ===
* Tests for autounmembership feature
* Order of master and replica corrected in logger.info
=== Varun Mylaraiah (3) ===
* nightly_rawhide.yaml Added test_integration/test_ntp_options.py
* nightly_master.yaml Added test_integration/test_ntp_options.py
* ipatests: add tests for NTP options usage on server, replica, and client
=== Mohammad Rizwan Yusuf (4) ===
* Test if ipactl restart restarts the pki-tomcatd
* Check if issuer DN is updated after external-ca > self-signed
* Test error when yubikey hardware not present
* Test KRA installtion after ca agent cert renewal
=== Oleg Kozlov (4) ===
* Remove stale kdc requests info files when upgrading IPA server
* Replace nss.conf with zero-length file instead of removing
* Fix python2 compatibility
* Check pager's executable before subprocess.Popen
=== Pavel Picka (1) ===
* PRCI failures fix
=== Rob Crittenden (13) ===
* For Fedora and RHEL use system-wide crypto policy for mod_ssl
* Log the raised message when DNS check_zone_overlap fails
* admintool: don't display log file on errors unless logging is setup
* tests: Wait for automember rebuild --no-wait tasks to finish
* Fix expected return code in tests when server is uninstalled
* Return 0 on uninstall when on_master for case of not installed
* Drop list of return values to be ignored in AdminTool
* When reading SSH pub key don't assume last character is newline
* Add knob to limit hostname length
* Send only the path and not the full URI to httplib.request
* Remove tests which install KRA on replica w/o KRA on master
* tests: Don't provide explicit hostname to ldapmodify
* Update mod_nss cipher list so there is overlap with a 4.x master
=== Robbie Harwood (1) ===
* Fix unnecessary usrmerge assumptions
=== Sumit Bose (2) ===
* ipa_sam: remove dependency to talloc_strackframe.h
* ipa-extdom-exop: add instance counter and limit
=== Stanislav Levin (8) ===
* Fix Pytest4.x warning about `message`
* Fix Pytest4.1+ warnings about pytest.config
* Fix `build_requestinfo` in LibreSSL environments
* Fix `build_requestinfo` in OpenSSL1.1.0+ environments
* Make `pycodestyle` results identical
* Respect TMPDIR, TEMP or TMP environment variables during testing
* Fix `inconsistent-return-statements` in ipa-dnskeysync-replica
* Add missing deps for `make pylint`
=== Sergey Orlov (21) ===
* ipatests: new test for trust with partially unreachable AD topology
* ipatests: mark test_domain_resolution_order as expectedly failing
* ipatests: add test for sudo with runAsUser and domain resolution order.
* ipatests: new tests for establishing one-way AD trust with shared secret
* ipatests: make encoding to base64 compatible with python2
* ipatests: new tests for ipa-winsync-migrate utility
* ipa console: catch proper exception when history file can not be open
* ipatests: refactor test_trust.py
* ipatests: adapt test_trust.py for changes in multihost fixture
* ipatests: allow AD hosts to be placed in separate domain config objects
* ipatests: relax requirements for time server quality
* ipatests: fix expectations of `ipa trust-find` output for trust with root domain
* ipatests: in test_trust.py fix parent class
* ipatests: disable bind dns validation when preparing to establish AD trust
* ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
* Revert "Tests: Remove DNS configuration from trust tests"
* ipatests: fix host name for ssh connection from controller to master
* ipatests: add test for correct modlist when value encoding differs
* Remove obsolete tests from test_caless.py
* ipatests: fix ldap server url
* Remove unused tests
=== Serhii Tsymbaliuk (14) ===
* WebUI tests: Fix request timeout for test_trust
* WebUI: Add PKINIT status field to 'Configuration' page
* WebUI tests: Fix timeout issues for reset password tests
* WebUI: Fix automount maps pagination
* WebUI: Disable 'Unlock' action for users with no password
* WebUI: Fix 'user not found' traceback on user ID override details page
* Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
* WebUI test: Fix automember tests according to new behavior
* Web UI: Increase timeouts for UI tests in Nightly PR configuration
* Split Web UI test suite in nightly PR CI configuration (IPA 4.7)
* Fix test_arbitrary_certificates for Web UI
* Web UI tests: Get rid of *_cert_path and *_csr_path config variables
* Fix "Configured size limit exceeded" warning on Web UI
* WebUI: Temporary fix for UnexpectedAlertPresentException
=== Thierry Bordaz (1) ===
* Switch nsslapd-unhashed-pw-switch to nolog
=== Tibor Dudlák (4) ===
* ipatests: Add Unattended option to external ca task
* Moving prompt for NTP options to install_check
* Support interactive prompt for ntp options
* Fix test_ntp_options to use tasks' methods
=== Oleg Kozlov (1) ===
* Show a notification that sssd needs restarting after idrange-mod
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2 months, 2 weeks
