October 2020 - FreeIPA-users - Fedora Mailing-Lists

Something changed regarding enrollment permissions?

by Ronald Wimmer

Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment" role. The error we get is: Joining realm failed: Failed to parse result: Insufficient access rights Retrying with pre-4.0 keytab retrieval method... Failed to parse result: Insufficient access rights Failed to get keytab! Failed to get keytab child exited with 9 When I try to add the same host with my admin user it works without any problems. Cheers, Ronald

1 month, 2 weeks

2
2
0 / 0

Unable to install ipa client centos 7.5.1804 (Core)

by William Graboyes

Hello List, I have been searching around for the day and have found an answer for the error I am getting when I am trying to install the client on a brand new install: Version: ipa-client-4.5.4-10.el7.centos.3.x86_64 ipa-client-common-4.5.4-10.el7.centos.3.noarch The error is below (run as root, not via sudo): ipa-client-install Traceback (most recent call last): File "/sbin/ipa-client-install", line 22, in <module> from ipaclient.install import ipa_client_install File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py", line 5, in <module> from ipaclient.install import client File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 34, in <module> from ipalib import api, errors, x509 File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in <module> from pyasn1_modules import rfc2315, rfc2459 File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py", line 67, in <module> class DigestedData(univ.Sequence): File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py", line 72, in DigestedData namedtype.NamedType('digest', Digest) File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 115, in __init__ self.__ambiguousTypes = 'terminal' not in kwargs and self.__computeAmbiguousTypes() or {} File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 232, in __computeAmbiguousTypes ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes, **dict(terminal=True)) File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 114, in __init__ self.__tagToPosMap = self.__computeTagToPosMap() File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 205, in __computeTagToPosMap for _tagSet in tagMap.presentTypes: AttributeError: 'property' object has no attribute 'presentTypes' Any help would be greatly appreciated. Thanks, Bill G.

1 month, 3 weeks

3
2
0 / 0

FreeIPA certificate doesn't validate in iOS

by Jochen Kellner

Hello, I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4 Today the certificate of my IMAP server (running on Debian Buster) was automatically refreshed: ,---- | Request ID '20181003215953': | status: MONITORING | stuck: no | key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key' | certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt' | CA: IPA | issuer: CN=Certificate Authority,O=JOCHEN.ORG | subject: CN=imap.jochen.org,O=JOCHEN.ORG | expires: 2022-09-07 09:30:16 CEST | dns: imap.jochen.org | principal name: imap/jupiter.jochen.org(a)JOCHEN.ORG | key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment | eku: id-kp-serverAuth,id-kp-clientAuth | pre-save command: | post-save command: /root/refresh_cyrus_certificate.sh | track: yes | auto-renew: yes `---- On an iPhone one of my users gets a message that the certificate is not valid. Reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html When I look at the certificate with openssl I see: ,---- | X509v3 extensions: | X509v3 Authority Key Identifier: | keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17 | | Authority Information Access: | OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp | | X509v3 Key Usage: critical | Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment | X509v3 Extended Key Usage: | TLS Web Server Authentication, TLS Web Client Authentication `---- My current guess is that the "Key Usage: critical" is the reason for the iOS error. I've looked for the certprofiles and found these files: ,---- | [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls | 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg | 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json | 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg | 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg | 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg `---- These files contain: ,---- | policyset.serverCertSet.6.constraint.params.keyUsageCritical=true | policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true | policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true | policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true | policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true | policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false `---- So I think this is where the critical comes from and the keyUsage defaults come from. What I could use help with is the following: 1. I didn't find reports about the problem in pagure or the mailing list. Am I really alone with this? 2. My FreeIPA has been installed years ago on Fedora, moved to CentOS and this year back to Fedora by creating replicas. Has there been a problem with upgrading the certprofiles? 3. How can I remove the options from the certificate request so that certmonger gets a valid certificate? Do I miss something else? -- This space is intentionally left blank.

1 month, 3 weeks

4
16
0 / 0

Stateless Machines and Force Join

by Mark Potter

We boot everything stateless in our environment and are using FreeIPA for authentication. I started discussing this a while ago but ended up with other things taking priority. The number of machines we have make managing keys an untenable solution so we are using ipa-client-install -U -q -p <join user> -w <password --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be moving away from --fixed-primary but aren't there yet). While this works it, potentially, exposes a password. I am looking for a better way to handle machines that need to re-join at every boot. We have access to ansible as well a decent, in house, templating system for configuration. Please forgive my starting this discussion anew and not resurrecting a zombie and thanks in advance for your help! -- *Mark Potter* Senior Linux Administrator

3 months, 4 weeks

3
5
0 / 0

Allocation of a new value for DNA range failed

by Ronald Wimmer

After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran into this particular problem. Is it right that I need to have an ID range where all DNA ranges have to fit in? And that the DNA range of each IPA server has to be distinct from the ranges of the other IPA servers? I will start by checking each IPA server with ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' (according to what Rob wrote on his blog some years ago https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ ) Cheers, Ronald

4 months, 1 week

2
7
0 / 0

SmartCard-HSM authentication using pinpad card reader for improved security

by Peter Steen

Hello Folks! We are working on getting smart card authentication working using pinpad card readers for improved security. To do this we use: FreeIPA Server is running on Fedora32 with latest updates. FreeIPA is also configured to be Certificate Authority. FreeIPA Clients are Fedora 32 based with latest updates with connected usb card reader Gemalto C700 with pinpad, we use several user individual SmartCard HSM 4K with FreeIPA signed certificates on them. FreeIPA Clients run OpenSC and are configured to use smartcard certificate based authentication, setup per Smartare HSM best practice. Further clients are using SSSD and not PAM_PKCS#11. All working great using smartcard for authentication, as long not enabling the pinpad in opensc. If doing so we are prompted for the PIN not only in the pinpad reader but also GDM prompts you to enter PIN on keyboard. Expected result is to be logged in directly after entering correct PIN code on pinpad reader, not being prompted by GDM to enter PIN on keyboard as well. If enabling pinpad, login gets a bit odd: 1. Fedora 32 workstation GDM menu prompts a few users that can login 2. Smartcard is inserted in reader 3. GDM blanks out the screen and smartcard reader prompts to enter PIN. 4. Entering pin on smartcard reader followed by pressing ok button on smartcard reader at getting result Pin OK in reader display. 5. GDM now prompts for entering PIN on keyboard, this is unexpected, instead of being logged in to the window manager, here Gnome or xfce. 6. Any number can be entered, it does not matter, followed by hitting enter. 7. Once again smartcard reader now prompts for PIN. 8. Entering PIN on the smartcard pinpad reader followed by pressing pinpad ok button. 9. You are now logged in, and all is normal. If ripping out the smartcard from reader the screen locks, as expected. What could this be, anyone who have seen this before or know how to set it up ?

4 months, 1 week

2
6
0 / 0

setup ipa server with DNS when domain is managed by existing DNS server but not yet managing the reverse zones I want to configure

by Rob van Halteren

Hello, I have seen more threats like this but not exactly this topic. I am setting up an IPA server in a existing internal domain on a B-class network range . I have already a DNS server running for this domain, but it holds only a C-class network range. I tried to setup the IPA server with the "ipa-server-install --setup-dns --no-forwarders --auto-reverse --allow-zone-overlap" options but this does not work and results in the disability to create PTR records for any network range in my domain. + it than needs the existing DNS server as forwarder to be able to resolve global addresses. I intent to install the IPA server as qualified DNS server for my domain , next to the existing DNS server and when setup, decommission the existing DNS server. Any help would be appreciated Thanks. Rob.

4 months, 1 week

1
1
0 / 0

Replication Error

by Ronald Wimmer

By coincidence I found something in /var/log/messages that does not look too good: Oct 2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. The error seems to persist. What has do be done? Do i have to uninstall ipa replica and do an ipa-replica-install agein? Cheers, Ronald

4 months, 2 weeks

2
6
0 / 0

Getting status of CA_UNCONFIGURED trying to create certificates for services

by Scott Reed

Hi all, So, I have been working on creating certificates for services on a solid installation of FreeIPA on a machine we have. I did everything that this blog stated to do... https://blog.christophersmart.com/2014/08/24/creating-certs-and-keys-for-... But now when I enter the command, sudo ipa-getcert list. The status is CA_UNCONFIGURED, ca-error is "Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.", stuck is yes. I checked the krb5.keytab it's set to -rw------- and root:root. I'm not sure what else I can do to address the problem. Any help would be appreciated. Thanks!

4 months, 3 weeks

2
5
0 / 0

Another Expired Certs Issue

by Sean McLennan

I swear I have been reading and trying everything I can find on here and elsewhere today and I'm still having problems fixing my certs. As appears to be a common problem, certmonger didn't auto-renew any of them. IPA v4.6.9 running on Ubuntu 18.04; only the one server IPA RA is fine ldap and krbtgt are "CA UNREACHABLE": Server at https://ipa01.simplyws.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred). Everything else is NEED_CSR_GEN_PIN including HTTP Possibly ipa-cert-fix or pki-server cert-fix would take care of it, but they aren't in this version and I'm reluctant to upgrade the distro without proper preparation. Everything starts without any problems. With the date set, everything is functioning like normal as far as I can tell. I have rolled back the date successfully making sure to respect the 'notbefore' on ra-agent.pem I've tried both manually: getcert resubmit -i xxx and restarting certmonger to no avail... cn=ipa,cn=cas,cn=ca,$BASEDN and ou=authorities,ou=ca,o=ipaca appear to be fine. Everything in /var/log/pki/pki-tomcat/ca/debug is FINE There are some errors about missing .jar files in /var/log/pki/pki-tomcat/pki/debug /var/log/ipa and /var/log/dirsrv don't seem to have anything of note. Any thoughts would be greatly appreciated!

4 months, 4 weeks

4
33
0 / 0

2021

2020

2019

2018

2017

FreeIPA-users October 2020