Stateless Machines and Force Join
by Mark Potter
We boot everything stateless in our environment and are using FreeIPA for
authentication. I started discussing this a while ago but ended up with
other things taking priority. The number of machines we have makes managing
keys an untenable solution, so we are using
ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join
called from rc.local during boot to rejoin machines to the FreeIPA
environment (we will be moving away from --fixed-primary but aren't there
yet). While this works it, potentially, exposes a password. I am looking
for a better way to handle machines that need to re-join at every boot.
We have access to ansible as well as a decent, in-house templating system for
configuration. Please forgive my starting this discussion anew and not
resurrecting a zombie and thanks in advance for your help!
--
*Mark Potter*
Senior Linux Administrator
1 month, 1 week
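An added example, not from the thread: a small audit that scans a boot script such as the rc.local above for ipa-client-install calls that pass the join password inline via -w/--password (the exposure the post describes), and reports them with the secret redacted. The rc.local content is constructed from the command quoted in the post; `/usr/sbin/ipa-client-install` and the sample values are assumptions.

```python
import re
import shlex

# ipa-client-install options that take the join password as a command-line value.
SECRET_OPTS = ("-w", "--password")

def redact_argv(argv):
    """Return (argv with the secret replaced, offending option spellings)."""
    out, hits, i = [], [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in SECRET_OPTS and i + 1 < len(argv):  # "-w secret" / "--password secret"
            out += [tok, "<REDACTED>"]
            hits.append(tok)
            i += 2
        elif tok.startswith("--password="):           # "--password=secret"
            out.append("--password=<REDACTED>")
            hits.append("--password=")
            i += 1
        else:
            out.append(tok)
            i += 1
    return out, hits

def find_inline_passwords(script):
    """One finding per ipa-client-install call whose join password sits on the command line."""
    findings = []
    # Join backslash continuations so a wrapped command is parsed as one line.
    for cmd in re.sub(r"\\\n[ \t]*", " ", script).splitlines():
        try:
            argv = shlex.split(cmd, comments=True)
        except ValueError:  # unbalanced quotes: not a parsable command line
            continue
        if not any(a.endswith("ipa-client-install") for a in argv):
            continue
        redacted, hits = redact_argv(argv)
        if hits:
            findings.append({"options": hits, "command": " ".join(redacted)})
    return findings

# Constructed rc.local fragment modelled on the command quoted in the post above.
SAMPLE_RC_LOCAL = """#!/bin/sh
# rejoin the realm on every boot
/usr/sbin/ipa-client-install -U -q -p joinuser -w 'S3cret!' --domain=domain.com \\
    --server=ipaserver.domain.com --fixed-primary --force-join
exit 0
"""
```

A password found this way is also visible in the process list for as long as the installer runs, so the same check applies to anything that spawns the command, not only to rc.local.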
Allocation of a new value for DNA range failed
by Ronald Wimmer
After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
into this particular problem.
Is it right that I need to have an ID range into which all DNA ranges have to
fit? And that the DNA range of each IPA server has to be distinct
from the ranges of the other IPA servers?
I will start by checking each IPA server with
ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
(according to what Rob wrote on his blog some years ago:
https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
Cheers,
Ronald
1 month, 2 weeks
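An added example, not from the thread: a check that takes the dnaNextValue/dnaMaxValue attributes from the ldapsearch output above, one per server, and verifies the two properties asked about, that every server's DNA range lies inside the ID range and that no two servers' ranges overlap. A server whose dnaNextValue is greater than its dnaMaxValue (the 1101/1100 pair Rob's post describes for a replica that has never been given a range) is treated as holding no range. The LDIF snippets, server names and ID range values are constructed.

```python
import re
from itertools import combinations

DNA_RE = re.compile(r"^(dnaNextValue|dnaMaxValue):\s*(\d+)\s*$")

def parse_dna_ldif(ldif):
    """Return (dnaNextValue, dnaMaxValue) from one server's ldapsearch output."""
    vals = {}
    for line in ldif.splitlines():
        m = DNA_RE.match(line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    if {"dnaNextValue", "dnaMaxValue"} - set(vals):
        raise ValueError("DNA config entry is missing dnaNextValue/dnaMaxValue")
    return vals["dnaNextValue"], vals["dnaMaxValue"]

def check_dna_ranges(ranges, id_first, id_size):
    """ranges: {server: (next, max)}. Returns problem strings; an empty list means consistent.
    A server with next > max holds no range (it allocates nothing) and is skipped."""
    id_last = id_first + id_size - 1
    active = {s: r for s, r in ranges.items() if r[0] <= r[1]}
    problems = []
    for srv, (nxt, mx) in active.items():
        if nxt < id_first or mx > id_last:
            problems.append(f"{srv}: DNA range {nxt}-{mx} is outside ID range {id_first}-{id_last}")
    for (a, (a0, a1)), (b, (b0, b1)) in combinations(active.items(), 2):
        if a0 <= b1 and b0 <= a1:  # closed intervals intersect
            problems.append(f"{a} ({a0}-{a1}) overlaps {b} ({b0}-{b1})")
    return problems

# Constructed ldapsearch output per server; only the attributes the check needs are shown.
DNA_ENTRY = "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
SAMPLE_LDIF = {
    "ipa1": DNA_ENTRY + "dnaNextValue: 1310000500\ndnaMaxValue: 1310099999\n",
    "ipa2": DNA_ENTRY + "dnaNextValue: 1310100000\ndnaMaxValue: 1310199999\n",
    "ipa3": DNA_ENTRY + "dnaNextValue: 1101\ndnaMaxValue: 1100\n",  # no range assigned yet
    "ipa4": DNA_ENTRY + "dnaNextValue: 1310150000\ndnaMaxValue: 1310250000\n",  # misconfigured
}
SAMPLE_ID_RANGE = (1310000000, 200000)  # constructed: first POSIX ID and size of the ID range

def audit(ldif_by_server=SAMPLE_LDIF, id_range=SAMPLE_ID_RANGE):
    """Parse every server's entry and return the list of inconsistencies found."""
    ranges = {srv: parse_dna_ldif(ldif) for srv, ldif in ldif_by_server.items()}
    return check_dna_ranges(ranges, *id_range)
```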
SmartCard-HSM authentication using pinpad card reader for improved security
by Peter Steen
Hello Folks!
We are working on getting smart card authentication working using pinpad card readers for improved security.
To do this we use:
FreeIPA Server is running on Fedora32 with latest updates. FreeIPA is also configured to be Certificate Authority.
FreeIPA Clients are Fedora 32 based with latest updates, with a connected USB card reader Gemalto C700 with pinpad; we use several user-individual SmartCard-HSM 4K with FreeIPA-signed certificates on them. FreeIPA Clients run OpenSC and are configured to use smartcard certificate-based authentication, set up per SmartCard-HSM best practice. Furthermore, clients are using SSSD and not PAM_PKCS#11.
All works great using the smartcard for authentication, as long as the pinpad is not enabled in OpenSC.
If it is enabled, we are prompted for the PIN not only on the pinpad reader, but GDM also prompts you to enter the PIN on the keyboard.
The expected result is to be logged in directly after entering the correct PIN code on the pinpad reader, not being prompted by GDM to enter the PIN on the keyboard as well.
If enabling pinpad, login gets a bit odd:
1. Fedora 32 workstation GDM menu prompts a few users that can login
2. Smartcard is inserted in reader
3. GDM blanks out the screen and smartcard reader prompts to enter PIN.
4. Entering the PIN on the smartcard reader followed by pressing the OK button on the smartcard reader gives the result "PIN OK" in the reader display.
5. GDM now prompts for entering the PIN on the keyboard; this is unexpected, instead of being logged in to the window manager, here Gnome or xfce.
6. Any number can be entered, it does not matter, followed by hitting enter.
7. Once again smartcard reader now prompts for PIN.
8. Entering PIN on the smartcard pinpad reader followed by pressing pinpad ok button.
9. You are now logged in, and all is normal. If ripping out the smartcard from reader the screen locks, as expected.
What could this be? Has anyone seen this before, or does anyone know how to set it up?
1 month, 2 weeks
setup ipa server with DNS when domain is managed by existing DNS server but not yet managing the reverse zones I want to configure
by Rob van Halteren
Hello,
I have seen more threads like this but not exactly on this topic.
I am setting up an IPA server in an existing internal domain on a B-class network range. I already have a DNS server running for this domain, but it holds only a C-class network range.
I tried to set up the IPA server with the "ipa-server-install --setup-dns --no-forwarders --auto-reverse --allow-zone-overlap" options, but this does not work and results in the inability to create PTR records for any network range in my domain. Plus, it then needs the existing DNS server as forwarder to be able to resolve global addresses.
I intend to install the IPA server as a qualified DNS server for my domain, next to the existing DNS server, and when it is set up, decommission the existing
DNS server.
Any help would be appreciated
Thanks. Rob.
1 month, 3 weeks
Replication Error
by Ronald Wimmer
By coincidence I found something in /var/log/messages that does not look
too good:
Oct 2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]:
[02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin -
send_updates -
agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389):
Data required to update replica has been purged from the changelog. If
the error persists the replica must be reinitialized.
The error seems to persist. What has to be done? Do I have to uninstall the
ipa replica and do an ipa-replica-install again?
Cheers,
Ronald
1 month, 4 weeks
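An added example, not from the thread: detection logic that parses ns-slapd replication-plugin lines of the format quoted above out of /var/log/messages, keeps the ERR-level ones, marks the changelog-purge message as a re-initialisation case, and reports replicas for which that error repeats (the "persists" condition the message itself refers to). The first sample line is the one quoted in the post; the other two lines are constructed, and the repeat count threshold is an assumption.

```python
import re
from collections import Counter

# Matches the ns-slapd NSMMReplicationPlugin line format quoted in the post above.
REPL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ns-slapd\[\d+\]: "
    r"\[[^\]]+\] - (?P<level>\w+) - NSMMReplicationPlugin - (?P<func>\w+) - "
    r'agmt="(?P<agmt>[^"]+)" \((?P<replica>[^)]+)\): (?P<msg>.*)$'
)
# Message fragments that mean the consumer can only recover by re-initialisation.
REINIT_MARKERS = ("purged from the changelog",)

def parse_repl_errors(text):
    """Return one record per ERR-level replication-plugin line, flagging reinit cases."""
    records = []
    for line in text.splitlines():
        m = REPL_RE.match(line)
        if m and m.group("level") == "ERR":
            rec = m.groupdict()
            rec["needs_reinit"] = any(k in rec["msg"] for k in REINIT_MARKERS)
            records.append(rec)
    return records

def reinit_candidates(records, min_hits=2):
    """Replicas whose changelog-purge error repeats at least min_hits times."""
    hits = Counter(r["replica"] for r in records if r["needs_reinit"])
    return {replica: n for replica, n in hits.items() if n >= min_hits}

# Constructed /var/log/messages excerpt: line 1 is the one quoted in the post, line 2 is a
# constructed non-error line, line 3 is the same error repeating five minutes later.
SAMPLE_LOG = """\
Oct 2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
Oct 2 09:41:35 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:41:35.000000000 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pipa02.linux.oebb.at-to-pipa03.linux.mydomain.at" (pipa03:389): Replication bind with GSSAPI auth resumed
Oct 2 09:46:30 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:46:30.101010101 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
"""
```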
Another Expired Certs Issue
by Sean McLennan
I swear I have been reading and trying everything I can find on here and elsewhere today and I'm still having problems fixing my certs.
As appears to be a common problem, certmonger didn't auto-renew any of them.
IPA v4.6.9 running on Ubuntu 18.04; only the one server
IPA RA is fine
ldap and krbtgt are "CA UNREACHABLE": Server at https://ipa01.simplyws.com/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
Everything else is NEED_CSR_GEN_PIN including HTTP
Possibly ipa-cert-fix or pki-server cert-fix would take care of it, but they aren't in this version and I'm reluctant to upgrade the distro without proper preparation.
Everything starts without any problems. With the date set, everything is functioning like normal as far as I can tell.
I have rolled back the date successfully, making sure to respect the 'notbefore' on ra-agent.pem.
I've tried both manually: getcert resubmit -i xxx and restarting certmonger to no avail...
cn=ipa,cn=cas,cn=ca,$BASEDN and ou=authorities,ou=ca,o=ipaca appear to be fine.
Everything in /var/log/pki/pki-tomcat/ca/debug is FINE
There are some errors about missing .jar files in /var/log/pki/pki-tomcat/pki/debug
/var/log/ipa and /var/log/dirsrv don't seem to have anything of note.
Any thoughts would be greatly appreciated!
2 months, 1 week
How far can I take the use of short unqualified names/groups with an AD integrated FreeIPA setup?
by Chris Dagdigian
Hi folks,
I've got a simple FreeIPA topology with a 1-way trust to a nice
uncomplicated Active Directory environment. Unlike my other projects
there is no complex AD forest or topology to navigate; just a single
integrated domain.
Because of this we have short usernames working for login just fine;
works great. Instead of "chris@domain.com" I can login as "chris".
However I was asked if it was possible to also use short aka "not fully
qualified" names when looking at local 'id', user and group info.
Basically the question was if it was possible to use short names for
everything including id views, getent output and group output.
This is where my knowledge hits a wall -- I think this level of username
and group handling is fed into NSS via IPA? If so is there a way to
alter FreeIPA to use unqualified names -- presumably via altering or
creating a new Trust View and applying it to the hosts? Not really sure
if this is sensible or even advisable but I've been asked to research.
Here is an example:
## Short login works fine! My AD username is "dagdigian@example.com" ...
$ ssh dagdigian@172.17.0.57
Last login: Thu Oct 22 22:37:32 2020 from 10.10.210.63
## But users are asking about the OS view of usernames and groups:
## Is there a way to use non fully qualified names in these sorts of
## views, possibly via new Trust Views on the IPA server side?
## Is this even reasonable to consider doing?
[dagdigian@example.com@ansible-testhost-01 ~]$ id
uid=1087803012(dagdigian@example.com) gid=1087803012(dagdigian@example.com) groups=1087803012(dagdigian@example.com),692600000(admins@ipa.example.com),692600010(example_admins_posix@exaple.com),1087800513(domain users@example.com),1087803220(consultants@example.com)
[dagdigian@example.com@ansible-testhost-01 ~]$
Thanks!
Regards
Chris
2 months, 3 weeks
hide domain of AD users on Solaris clients?
by Amos
Our IPA servers are in a one-way AD trust. Since all of our users are in
AD, I take advantage of the SSSD settings on the clients to hide the
@AD_REALM from their login names, and use AD_REALM as the default_realm.
This works nicely.
Solaris clients, however, do not have the convenience of SSSD. I
understand that the fully-qualified login names are required for systems
using the compat feature so that the IPA servers know to lookup those users
in AD. Still, I was wondering if there is any way of doing something
similar on Solaris to hide the domain part if it is the default. I had
hoped that maybe an idview would do it, but it seems unlikely.
Amos
2 months, 3 weeks
Is it possible to use the FreeIPA LDAP interface to authenticate AD users?
by Chris Dagdigian
My use case on AWS involves ephemeral or auto-scaling servers that do
not live long enough to justify a formal IPA enroll/un-enroll process.
We have a great AD-integrated IPA system running at the moment and I've
been able to configure a light test client that trusts the IPA CA
certificate and will become an LDAPS client of the FreeIPA server.
This works great for local IPA users but I'm trying to think this
through and I'm not sure if I can use LDAP to authenticate an AD user?
Is this even possible?
This is my working sssd.conf for a test client that just uses LDAP --
works great for resolving users and groups that are local IPA users but
so far I can't resolve any of the AD resident users:
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ipa001.ipa.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/
default_shell = /bin/bash
override_shell = /bin/bash
Is there any method using ldap_search_base or an override of the Default
Trust View that would allow me to deploy a client that only talks LDAP
to FreeIPA but is able to resolve and authenticate AD users? I'm
wondering if this is even possible or if I'm looking at a lost cause.
Thanks!
Chris
2 months, 3 weeks