FreeIPA and Windows AD users
by Andrew Meyer
I have successfully gotten FreeIPA to communicate with MS Windows Server 2012r2 using Active Directory. I am able to log in to my jump hosts via SSH. However, when I log in using a Windows user I get the following:
fedora1 :) > ssh james.kirk@meyerad(a)jump01.asm.meyer.local
Password:
Last login: Thu Jul 25 08:53:18 2019 from 10.150.254.2
-sh-4.2$ logout
Connection to jump01.asm.meyer.local closed.
fedora1 :) >
I am not getting a proper bash prompt. I tried running 'sudo authconfig --enablemkhomedir --update'. Is there something I need to run to make this work?
I tried running 'sudo authconfig --enablemkhomedir --updateall' but that did not fix the problem.
Regards, Andrew
4 years, 9 months
OPEN TOOLS
by NAZAN CENGIZ
Hi,
We have the OpenStack servers communicating with the FreeIPA server successfully.
We set up an image with ipa-client installed, then use a YAML file.
deneme.yaml;
runcmd:
- hostnamectl set-hostname $(hostname).5ghvl.local
- ipa-client-install --principal admin --password 'xxxxx' --domain 5ghvl.local --server example.5ghvl.local --unattended
#server create;
openstack server create --flavor m1.tiny --config-drive true --availability-zone zonecp2 --image ipa_deneme_imaje --nic net-id=net1man --wait ipa_deneme --user-data /home/stack/deneme.yaml
But we don't want a user to see the deneme.yaml config, because the config file has the FreeIPA server password. We want to use open tools for the communication between the OpenStack server and the FreeIPA server.
Could you please help me? Which open tools do you use?
Best Regards,
Nazan.
This e-mail and any attached files are confidential and may be legally privileged. If you are not the addressee, any disclosure, reproduction, copying, distribution, or other dissemination or use of this communication is strictly prohibited. If you have received this transmission in error please notify the sender immediately and then delete this mail.
4 years, 9 months
setting up a new CA replica in LXC failed
by Harald Dunkel
Hi folks,
installing a new CA replica in an LXC container failed with
[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca /var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
admin(a)EXAMPLE.DE password:
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
:
:
Installation failed:
com.netscape.certsrv.base.PKIException: Error in populating database: java.io.IOException: Failed to setup the replication for cloning.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit status 1
2019-07-17T10:57:43Z CRITICAL See the installation logs and the following files/directories for more information:
2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat
2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 660, in __spawn_instance
pki_pin)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
[root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or directory
sysctl returns the same error on the host.
This crypto.fips_enabled appears to be something optional, so I wonder if
I could tell ipa-replica-install in advance?
The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2.
The client is CentOS 7, ipa 4.6.4-10
Every helpful comment is highly appreciated
Harri
4 years, 9 months
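The installer dies on `sysctl crypto.fips_enabled -bn` because the key has no `/proc/sys` entry on that kernel, and procps treats a missing key as an error (exit 255 in the thread), which Dogtag then treats as fatal. The script below is an added example, not code from the post, FreeIPA or Dogtag: it reads the file directly, treats an absent key as "FIPS disabled" (a kernel with no FIPS switch cannot be in FIPS mode), and reports whether a sysctl-based probe would fail, so the check can be run before `ipa-replica-install --setup-ca`. The path and the exit status come from the thread; everything else is assumed.

```python
#!/usr/bin/env python3
"""Pre-flight check for the kernel FIPS switch that pkispawn queries.

Added example; not code from the post, FreeIPA or Dogtag.  A missing
/proc/sys/crypto/fips_enabled is not an error condition: it means the
kernel was built without CONFIG_CRYPTO_FIPS (or the container inherits
such a kernel) and therefore cannot be in FIPS mode.
"""
import os
import sys

FIPS_PROC = "/proc/sys/crypto/fips_enabled"   # the key sysctl looks up


def parse_fips_value(text):
    """The file holds a single '0' or '1' followed by a newline."""
    return text.strip() == "1"


def fips_enabled(path=FIPS_PROC):
    """True only when the kernel reports FIPS mode; False when the key
    is absent."""
    try:
        with open(path) as fh:
            return parse_fips_value(fh.read())
    except FileNotFoundError:
        return False


def sysctl_probe_would_fail(path=FIPS_PROC):
    """Reproduce the condition the installer trips over: procps sysctl
    exits non-zero (255 in the thread) when the key has no /proc/sys
    entry, regardless of what FIPS state that implies."""
    return not os.path.exists(path)


def report(path=FIPS_PROC):
    """Verdict for a pre-install checklist."""
    if sysctl_probe_would_fail(path):
        return ("%s is missing: FIPS cannot be enabled here, but a sysctl "
                "based installer check will fail; pick a host/kernel that "
                "exposes the key before running ipa-replica-install "
                "--setup-ca" % path)
    return "FIPS mode: %s" % ("enabled" if fips_enabled(path) else "disabled")


if __name__ == "__main__":
    print(report())
    sys.exit(1 if sysctl_probe_would_fail() else 0)
```

Run it inside the container before starting the replica install; a non-zero exit means pkispawn will fail the same way the log above shows, whatever the FIPS state of the host.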
How can I add an additional certificate for a different domain name?
by Raul Gomez
Hello list,
I'm facing a new issue here. My FreeIPA setup has several domains, one for each different environments it provides authentication to, and listening on a different network interface on the same servers for each environment (something like 192.168.0.0/24 for production, 192.168.2.0/24 for staging, and there is no route between these networks), but of course there is just one realm.
My issue here is, when I try to enroll new clients to FreeIPA, the installation is rejecting the server because it doesn't match the domain in the certificate of the server. You can see the error message below:
* About to connect() to ipa-server-03.pro.mydomain.local port 443 (#0)
* Trying 192.168.0.1...
* Connected to ipa-server-03.pro.mydomain.local (192.168.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* Server certificate:
* subject: CN=ipa-server-03.ipa.mydomain.local,O=IPA.MYDOMAIN.LOCAL
* start date: Jun 14 22:11:30 2019 GMT
* expire date: Jun 14 22:11:30 2021 GMT
* common name: ipa-server-03.ipa.mydomain.local
* issuer: CN=Certificate Authority,O=IPA.MYDOMAIN.LOCAL
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining: Unable to communicate securely with peer: requested domain name does not match the server's certificate.
This is the command I'm using to enroll the clients:
ipa-client-install -v --enable-dns-updates --mkhomedir --domain=pro.mydomain.local --hostname=client-1.pro.mydomain.local
Why am I forcing the --domain parameter? In order to enroll the clients with the appropriate DNS zone for their respective domain.
So, I've tried to add a new certificate in the httpd configuration, but I see there are no certificates in plain text (PEM) format in the Apache configuration; instead it is using NSS for providing certificates (/etc/httpd/conf.d/nss.conf):
NSSEngine on
NSSCipherSuite ... list of cipher suite
NSSProtocol TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
And after all my explanation here, my question is: how can I add a new NSS certificate for my IPA servers with the CN in the appropriate domain? In the example above it would be CN=ipa-server-03.pro.mydomain.local. And probably I need to associate each certificate with the corresponding IP address too.
I've already done it via web, but it seems it doesn't work, or I'm probably missing something here. Could anyone point me in the right direction here?
Thank you very much in advance for your time and help, regards...
4 years, 9 months
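The failure is purely a name check: the client asked for ipa-server-03.pro.mydomain.local, the certificate names only ipa-server-03.ipa.mydomain.local, so NSS returns SSL_ERROR_BAD_CERT_DOMAIN. The address the name resolves to plays no part, so no per-interface certificate is needed; one certificate that lists every hostname as a DNS subjectAltName is enough. The script below is an added example (not code from the post, FreeIPA or NSS) implementing the RFC 6125 rule a TLS client applies: dNSName SAN entries are authoritative, the CN is consulted only when no dNSName exists, and a wildcard is accepted only as the entire left-most label. Use missing_names() to test a planned name set against all the hostnames your clients use. The two hostnames are from the post; the staging one is a placeholder. On IPA 4.6 the route I would try (my assumption, not something the thread confirms) is to give the HTTP service a principal alias per name with `ipa service-add-principal`, since the IPA CA only signs SAN names the requester holds a principal for, and then re-issue through certmonger with `ipa-getcert resubmit -d /etc/httpd/alias -n Server-Cert -D <name>` repeated for each name.

```python
#!/usr/bin/env python3
"""Hostname-to-certificate name matching, the check that fails above.

Added example; not code from the post, FreeIPA or NSS.  Implements the
RFC 6125 matching rule so a planned set of certificate names can be
checked against every hostname clients will connect to.
"""


def _name_matches(pattern, hostname):
    """Case-insensitive label-by-label match; '*' only as the entire
    left-most label, matching exactly one label, and never directly under
    a one-label suffix such as '*.local' (a conservative choice)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False
    return p == h


def cert_covers(hostname, san_dns_names=(), common_name=None):
    """True if a certificate carrying these names is valid for hostname.
    Once any dNSName SAN is present the CN is ignored entirely."""
    if san_dns_names:
        return any(_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and _name_matches(common_name, hostname)


def missing_names(required_hostnames, san_dns_names=(), common_name=None):
    """Hostnames the clients use that this name set does not cover."""
    return [h for h in required_hostnames
            if not cert_covers(h, san_dns_names, common_name)]


if __name__ == "__main__":
    current_cn = "ipa-server-03.ipa.mydomain.local"      # from the post
    needed = ["ipa-server-03.ipa.mydomain.local",        # from the post
              "ipa-server-03.pro.mydomain.local",        # from the post
              "ipa-server-03.stg.mydomain.local"]        # placeholder
    print("uncovered by the CN-only cert:", missing_names(needed, (), current_cn))
    print("uncovered after re-issue with SANs:", missing_names(needed, needed))
```

The first print lists the two non-ipa names, the second is empty: a single certificate whose SANs carry all three names satisfies every environment, while a second certificate per interface would still fail, because httpd serves one nickname (Server-Cert) regardless of which address the request arrived on.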
Migrating from openldap/gosa to FreeIPA
by Ondrej Kolin
Hello,
We are considering migrating to FreeIPA from OpenLDAP with the GOsa
frontend. There are some issues I would like to ask about, and I would
like to get some feedback on some of my thoughts.
1) All users are not posixAccounts
All users are not posix accounts. These accounts fail on import. I
would like to migrate passwords too. Should I:
a) Add posixAccount entries in old system and migrate afterwards
b) Create some ldif files and import them
c) Some converting python script
d) something else
2) Email addresses aliases
We have some email aliases for some users, who wanted that and
therefore we would like to keep this feature. I've seen the possible
solution for this to add a custom object and then a custom attribute.
We are using SOGo webmail and Postfix. Does anybody on this list have
experience with something like this?
Regards,
Ondrej
4 years, 9 months
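For question 1, option (c) is the one that keeps the old directory untouched and the password hashes intact. The script below is an added example, not code from the post, FreeIPA or GOsa: it rewrites an LDIF export so that every entry with a uid gains objectClass posixAccount and the four attributes that class requires (uidNumber, gidNumber, homeDirectory, loginShell), while leaving userPassword (base64, `::`) byte-for-byte as exported so `ipa migrate-ds` can carry the hashes across. Entries that already have uidNumber keep it and new UIDs are allocated above the highest one seen. Only plain LDIF content records are handled (no changetype records); the sample LDIF is constructed, and the UID/GID base and shell are assumptions to adjust.

```python
#!/usr/bin/env python3
"""Add posixAccount to exported OpenLDAP user entries before ipa migrate-ds.

Added example; not code from the post, FreeIPA or GOsa.  Base64 values
('::') are kept undecoded so password hashes survive unchanged.
"""
import sys

# Constructed sample: one plain inetOrgPerson, one already-posix user, one OU.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: top
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.org
userPassword:: e1NTSEF9dGVzdA==

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob
sn: B
uidNumber: 10042
gidNumber: 10000
homeDirectory: /home/bob
loginShell: /bin/sh

dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people
"""


def parse_ldif(text):
    """Entries as lists of (attr, sep, value) in file order; sep is ':' for
    plain values and '::' for base64 ones, which are left undecoded."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:          # continuation line
            folded[-1] += raw[1:]
        elif not raw.startswith(("#", "version:")):
            folded.append(raw)
    entries, current = [], []
    for line in folded + [""]:                      # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            current.append((attr, "::", rest[1:].strip()))
        else:
            current.append((attr, ":", rest.strip()))
    return entries


def get(entry, attr):
    """Plain (non-base64) values of attr, case-insensitive on the name."""
    return [v for a, s, v in entry if a.lower() == attr.lower() and s == ":"]


def add_posix(entry, next_uid, gid, home_base, shell):
    """Return (entry, next_uid); untouched if not a user or already posix."""
    uid = get(entry, "uid")
    if not uid or "posixaccount" in [v.lower() for v in get(entry, "objectClass")]:
        return entry, next_uid
    new = list(entry) + [("objectClass", ":", "posixAccount")]
    if not get(entry, "uidNumber"):
        new.append(("uidNumber", ":", str(next_uid)))
        next_uid += 1
    if not get(entry, "gidNumber"):
        new.append(("gidNumber", ":", str(gid)))
    if not get(entry, "homeDirectory"):
        new.append(("homeDirectory", ":", "%s/%s" % (home_base, uid[0])))
    if not get(entry, "loginShell"):
        new.append(("loginShell", ":", shell))
    return new, next_uid


def convert(text, uid_base=10000, gid=10000, home_base="/home", shell="/bin/bash"):
    """Allocate new UIDs above both uid_base and any UID already in the export."""
    entries = parse_ldif(text)
    taken = [int(v) for e in entries for v in get(e, "uidNumber") if v.isdigit()]
    next_uid = max([uid_base - 1] + taken) + 1
    out = []
    for e in entries:
        e, next_uid = add_posix(e, next_uid, gid, home_base, shell)
        out.append(e)
    return out


def dump_ldif(entries):
    return "\n".join("\n".join("%s%s %s" % t for t in e) + "\n" for e in entries)


if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    sys.stdout.write(dump_ldif(convert(src)))
```

Pipe the `slapcat`/`ldapsearch -LLL` export through it, load the result into a scratch directory (or import it straight into FreeIPA's LDAP with `ldapadd` only if you know what you are doing), and point `ipa migrate-ds` at that. Pick the UID base so it lies outside the range FreeIPA will hand out to its own users, otherwise the first `ipa user-add` will collide with a migrated account.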
Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)
by Ben Schofield
Hi folks,
We've got an unusual issue that has started to occur recently when trying to view the Users tab in FreeIPA. Trying to load the page (and display all users) results in a popup with title "HTTP Error 404" and the text "Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)". This error appears after "Working" has been displaying for 60 seconds, so it appears to be a timeout despite the 404 indication.
If we _search_ for a user, any users matching the search term are returned correctly in the UI. Only when no search is applied do we see the error. Hosts and groups also display correctly, though any sub page where all users are listed experiences the same issue (such as parts of Automember). We're able to list all users correctly with "ipa user-find --all".
There are no relevant browser errors (there's what appears to be an unrelated 404 error about a minified JS file). There doesn't seem to be anything useful in /var/log/messages or /var/log/ipa*, though /var/log/httpd/error_log contains the following after a failed lookup:
[Wed Jul 17 15:24:18.475814 2019] [:error] [pid 5383] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jul 17 15:24:18.475891 2019] [:error] [pid 5383] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jul 17 15:24:18.484387 2019] [:error] [pid 5383] ipa: DEBUG: Created connection context.ldap2_139831284142928
[Wed Jul 17 15:24:18.484471 2019] [:error] [pid 5383] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Jul 17 15:24:18.484520 2019] [:error] [pid 5383] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Jul 17 15:24:18.484830 2019] [:error] [pid 5383] ipa: DEBUG: raw: user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True)
[Wed Jul 17 15:24:18.485157 2019] [:error] [pid 5383] ipa: DEBUG: user_find(None, sizelimit=0, whoami=False, all=False, raw=False, version=u'2.230', no_members=True, pkey_only=True)
[Wed Jul 17 15:24:18.493684 2019] [:error] [pid 5383] ipa: INFO: [jsonserver_session] admin(a)DOMAIN.NZ: user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS
[Wed Jul 17 15:24:18.494662 2019] [:error] [pid 5383] ipa: DEBUG: Destroyed connection context.ldap2_139831284142928
The server was built 3 weeks ago to the day and has 11 users. I was thinking that 3 weeks is a rather convenient duration and could be something token related with a 21 day expiry, though this may also be a coincidence. However, the server admin assures me that nothing was changed between today and yesterday, so I thought it was worth mentioning.
Any help would be greatly appreciated. Thank you.
4 years, 9 months
Random [Preauthentication failed] error in krb5
by Raul Gomez
Hello list,
I'm facing an issue here that prevents authenticating a user within a client machine.
When an sssd daemon has been running for a few days, suddenly krb5 fails to authenticate a user with the following error from krb5_child.log:
[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221
And these messages from sssd_pam.log:
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][server-pro.mydomain.local]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials.
In order to get authentication back working, I need to restart sssd daemon, sometimes several times!
This is happening in every client machine in my network, I've been trying to figure out for days what could be happening here, but it has been impossible for me to find the cause.
I have to clarify that this fails only when trying to run a command with sudo, because I'm using SSH keys to log into my client machines. Also, I'm using a DNS domain different from the REALM name, and my three FreeIPA servers have multiple network interfaces (a total of 4 NICs, 3 of them added after the IPA installation and initial configuration).
In the following links you can find logs with debug_level = 10 of a session (ssh login / a failed sudo / logout) where this error was reproduced:
- krb5_child.log: https://pastebin.com/BNtVsJuB
- sssd_pam.log: https://pastebin.com/8ZF50Y92
I'm using FreeIPA from CentOS 7.6 (server and clients), all software updated two weeks ago:
- krb5 1.15.1-37.el7_6
- ipa 4.6.4-10.el7_6.3
- sssd 1.16.2-13.el7_6.8
Could anybody help me figure out how to solve this?
Thank you very much in advance, regards...
4 years, 9 months
2FA alternatives
by Andrew Meyer
I think I have emailed about this recently before but is there a way other than using RADIUS to use a 3rd party 2FA provider (Duo, Authy or RSA) with the current version of FreeIPA? I know that you could easily add it using 4.0 and 4.1 ( I could be wrong on the version).
If not is that support coming?
Thanks, Andrew
4 years, 9 months
Ad integration
by Andrew Meyer
Hello, I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong.
I am setting it up to talk to MS Windows Server 2012r2. Following directions on https://www.freeipa.org/page/Active_Directory_trust_setup
I have not edited the /etc/krb5.conf ( I figured that needed to happen on the client machines.)
I am actually at this step:https://www.freeipa.org/page/Active_Directory_trust_setup#Create_ext...
I am getting the following error:
[andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external --external 'MEYER-AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad.meyer.local admins external map
  External member: S-1-5-21-2117027177-2554619188-4034396183-512, S-1-5-21-2117027177-2554619188-4034396183-1106
  Member users: andrew.meyer
  Member groups: ad_admins
  Member of groups: ad_admins, ipausers
  Indirect Member groups: ad_admins_external
  Failed members:
    member user:
    member group: MEYER-AD\Domain Admins: invalid 'trusted domain object': no trusted domain matched the specified flat name
-------------------------
Number of members added 0
-------------------------
[andrew.meyer@freeipa01 ~]$
What am I doing wrong?
4 years, 9 months
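"no trusted domain matched the specified flat name" means the text before the backslash is not the NetBIOS name of any trusted domain the IPA server has recorded. That name is whatever the AD forest reports during `ipa trust-add` and need not resemble the DNS name; `ipa trust-find` and `ipa trustdomain-find <realm>` print it as "Domain NetBIOS name", and child domains only appear after `ipa trust-fetch-domains`. The script below is an added example, not code from the post or from FreeIPA: it parses that output and tells you whether a given `DOMAIN\name` or `name@dns.domain` spec (the two forms `--external` accepts) will resolve. The sample output is constructed in the layout IPA prints; the realm ad.meyer.local appears in the post, the NetBIOS value MEYERAD is a placeholder, not the real one.

```python
#!/usr/bin/env python3
"""Check an --external member spec against the trusts IPA actually knows.

Added example; not code from the post or from FreeIPA.  Mirrors the
server-side lookup that produced "no trusted domain matched the
specified flat name".
"""
import sys

# Constructed sample of `ipa trust-find` output; MEYERAD is a placeholder.
SAMPLE_TRUST_FIND = """\
------------------
1 trust matched
------------------
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_trust_output(text):
    """[{'domain': ..., 'netbios': ...}, ...] from the human-readable output
    of `ipa trust-find` or `ipa trustdomain-find`.  A record starts at
    'Realm name' (trust-find) or 'Domain name' (trustdomain-find)."""
    trusts, current = [], None
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if not sep:
            continue                      # separators, counts, blank lines
        key, val = key.strip(), val.strip()
        if key in ("Realm name", "Domain name"):
            current = {"domain": val.lower(), "netbios": None}
            trusts.append(current)
        elif key == "Domain NetBIOS name" and current is not None:
            current["netbios"] = val.upper()
    return trusts


def check_external_member(member, trusts):
    """(ok, explanation) for 'FLAT\\name' or 'name@dns.domain'."""
    if "\\" in member:
        flat, _ = member.split("\\", 1)
        known = sorted(t["netbios"] for t in trusts if t["netbios"])
        if flat.upper() in known:
            return True, "flat name %s matches a trusted domain" % flat
        return False, ("flat name %r matches no trusted domain; known "
                       "NetBIOS names: %s" % (flat, ", ".join(known) or "none"))
    if "@" in member:
        _, dom = member.rsplit("@", 1)
        known = sorted(t["domain"] for t in trusts)
        if dom.lower() in known:
            return True, "domain %s matches a trusted domain" % dom
        return False, ("domain %r matches no trusted domain; known "
                       "domains: %s" % (dom, ", ".join(known) or "none"))
    return False, "use FLATNAME\\name or name@dns.domain"


if __name__ == "__main__":
    # Real use:  ipa trust-find | python3 check_external.py 'MEYER-AD\Domain Admins'
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRUST_FIND
    for spec in sys.argv[1:] or ["MEYER-AD\\Domain Admins"]:
        ok, why = check_external_member(spec, parse_trust_output(text))
        print("%s: %s" % ("OK " if ok else "BAD", why))
```

Against the sample, `MEYER-AD\Domain Admins` is rejected and `MEYERAD\Domain Admins` or `Domain Admins@ad.meyer.local` passes; with real `ipa trust-find` output on stdin the "known NetBIOS names" list is the set of prefixes the server will accept.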
OPENSTACK INSTANCE AUTO REGISTER ON IPA SERVER DOMAIN
by NAZAN CENGIZ
Hi,
We have a RedHat Openstack (Queens) lab and IPA Server.
We install the IPA client on an OpenStack instance; the instance is then added to DNS on the IPA server, as below.
openstack server create --image image1 --flavor onap_worker_flavor --key-name onapkeypair --network onapnet1 --security-group onapsg --wait siem --user-data /home/stack/custominit.yaml --user-data /opt/images/openstack-sh
#on siem instance
sudo hostnamectl set-hostname siem.5ghvl.local
sudo yum install ipa-client
sudo ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.5ghvl.local --domain 5ghvl.local --realm 5GHVL.LOCAL
#on openstack director
openstack server stop siem.5ghvl.local
openstack server image create --name siem_image siem.5ghvl.local
openstack image set siem_image --public
openstack server create --image siem_image --flavor onap_worker_flavor --key-name onapkeypair --network onapnet1 --security-group onapsg --wait new_siem --user-data /home/stack/custominit.yaml --user-data /opt/images/openstack-sh
Then the siem machine is turned into an image (siem_image).
Then siem_image is turned into a virtual machine. The new instance has the IPA client, but it is not added to the domain.
Our goal: auto-register the virtual machine on the IPA server. But only one host is on the IPA server (siem.5ghvl.local).
new_siem.5ghvl.local is not on the IPA server.
Could you please help me?
Best Regards.
This e-mail and any attached files are confidential and may be legally privileged. If you are not the addressee, any disclosure, reproduction, copying, distribution, or other dissemination or use of this communication is strictly prohibited. If you have received this transmission in error please notify the sender immediately and then delete this mail.
4 years, 9 months
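The two OpenStack threads on this page (OPEN TOOLS, and the auto-register question directly above) are the same problem from two sides. Baking `--principal admin --password` into user-data exposes the admin password to anyone who can read the YAML or the instance metadata; snapshotting an already-enrolled VM instead bakes that VM's /etc/krb5.keytab and sssd identity into the image, so every clone boots as siem and the server never hears about new_siem. The script below is an added example, not code from FreeIPA, cloud-init or OpenStack: the operator pre-creates each host with `ipa host-add --random`, which returns a one-time password bound to that host, and renders user-data that enrolls with only that OTP. The OTP is consumed by the first `ipa-client-install`, so a leaked user-data file is worthless once the instance is enrolled. Run `ipa-client-install --uninstall` on a VM before turning it into an image. Domain and server names are the ones in the threads; the host-add output sample is constructed in the format IPA prints.

```python
#!/usr/bin/env python3
"""One-time-password enrollment for OpenStack instances.

Added example; not code from FreeIPA, cloud-init or OpenStack.
Each host is pre-created on the IPA server with a random OTP and
enrolls with that OTP at first boot, so no admin credential is ever
placed in user-data or in an image.
"""
import re
import shlex
import subprocess

DOMAIN = "5ghvl.local"            # from the threads
IPA_SERVER = "ipa.5ghvl.local"    # from the threads

# Constructed sample of what `ipa host-add vm01.5ghvl.local --random` prints.
SAMPLE_HOST_ADD_OUTPUT = """\
---------------------------
Added host "vm01.5ghvl.local"
---------------------------
  Host name: vm01.5ghvl.local
  Random password: 7fQ2m9x1YlGfA
  Password: True
  Keytab: False
  Managed by: vm01.5ghvl.local
"""

RANDOM_PASSWORD_RE = re.compile(r"^\s*Random password:\s*(\S+)\s*$", re.MULTILINE)


def host_add_cmd(fqdn):
    """argv that pre-creates the host entry with a server-generated OTP.
    --force skips the forward-DNS check so the entry can exist before the
    instance has an address."""
    return ["ipa", "host-add", fqdn, "--random", "--force"]


def parse_otp(host_add_output):
    """Pull the OTP out of `ipa host-add --random` output."""
    m = RANDOM_PASSWORD_RE.search(host_add_output)
    if not m:
        raise ValueError("no 'Random password:' line in host-add output")
    return m.group(1)


def client_install_cmd(fqdn, otp, server=IPA_SERVER, domain=DOMAIN):
    """Enrollment command run on the instance: no admin credential; the
    OTP is valid only for this hostname and only until first use."""
    return ["ipa-client-install", "--unattended", "--mkhomedir",
            "--hostname", fqdn, "--domain", domain, "--server", server,
            "--password", otp]


def render_user_data(fqdn, otp, server=IPA_SERVER, domain=DOMAIN):
    """#cloud-config that sets the FQDN first (ipa-client-install insists
    on one) and then enrolls."""
    cmd = " ".join(shlex.quote(a) for a in client_install_cmd(fqdn, otp, server, domain))
    return "\n".join([
        "#cloud-config",
        "fqdn: %s" % fqdn,
        "runcmd:",
        "  - hostnamectl set-hostname %s" % fqdn,
        "  - %s" % cmd,
        "",
    ])


def contains_admin_credential(user_data):
    """Pipeline guard: refuse user-data that enrolls with a principal's
    password instead of a host OTP."""
    return "--principal" in user_data


def provision(fqdn, run=None):
    """Pre-create the host and return the user-data for it.  `run` takes an
    argv list and returns its stdout; it is injectable so the flow can be
    exercised without an IPA server (the default shells out to ipa)."""
    if run is None:
        def run(argv):
            return subprocess.run(argv, check=True, capture_output=True,
                                  text=True).stdout
    user_data = render_user_data(fqdn, parse_otp(run(host_add_cmd(fqdn))))
    if contains_admin_credential(user_data):
        raise RuntimeError("refusing to emit user-data with an admin credential")
    return user_data


if __name__ == "__main__":
    import sys
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "vm01.5ghvl.local"
    # Dry run against the sample; drop run= to talk to a real IPA server.
    print(provision(fqdn, run=lambda argv: SAMPLE_HOST_ADD_OUTPUT))
```

Write the returned text to a file and pass it as `--user-data` to `openstack server create`, one file per instance. Run the `ipa host-add` side under a dedicated account holding only the Host Enrollment privilege, not admin, so the credential that does sit on the director is limited to creating host entries.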