October 2020 - FreeIPA-users - Fedora Mailing-Lists

Centralized Authentication and Authorisation System for Gmail and OpenVPN

by kaushalshriyan＠gmail.com

Hi, Is there a way to configure centralized Authentication and Authorization system for Gmail and OpenVPN users? For example, if any new employee joins I grant Gmail and OpenVPN service access. I look forward to hearing from you. Thanks in Advance. Best Regards, Kaushal

3 hours, 25 minutes

1
0
0 / 0

ipa-server-install (How to disable checking online DNS) ?

by rodentskie＠gmail.com

Hello, I'm currently configuring freeipa. When I run the command "ipa-server-install", I got these errors: Checking DNS domain biotechfarms.net., please wait ... ipapython.admintool: ERROR DNS zone biotechfarms.net. already exists in DNS and is handled by server(s): kiki.ns.cloudflare.com., dane.ns.cloudflare.com. ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information My boss has this domain "biotechfarms.net" also in cloudflare. Please help.

14 hours, 14 minutes

2
2
1 / 0

FREEIPA - TLS - CN > 64 characters

by Krzysztof O

Hello, I'd like to ask of is there any workaround for issuing certificates that will have Common Name longer that 64 characters? For FREEIPA version less than 4.8.0 which is designated for RHEL 8, when we will have to stay with current version of RHEL 7. Regards, Krzysztof

19 hours, 20 minutes

5
6
0 / 0

Managing a certificate for a non-joined host from a joined host.

by Thomas Letherby

Hello all, I'm trying to issue some certificates via certmonger and I'm missing a permission somewhere. The situation is thus: I have a small docker swarm of containers which access storage volumes on a IPA-joined storage server (xstorage1 - Ubuntu 18.04) via NFS, stored on a ZFS array. Some of these containers, in this case a WiFi controller can ingest certificates dropped into their volumes. I want to use the storage server to request and drop the certificate files for the controller (in this case called omada) directly into the docker volume for the container, so the storage server will manage renewals and the container just sees the cert files as normal. On xstorage1 I used the following process to create the host, service and request the certificate: kinit admin ipa host-add omada.i.xrs444.net ipa service-add HTTP://omada.i.xrs444.net ipa service-add-host --hosts xstorage1.i.xrs444.net HTTP://omada.i.xrs444.net ipa-getcert request -f /nasstore/containers/omada-data/cert.crt -k /nasstore/containers/omada-data/tls.key -r -K HTTP/ omada.i.xrs444.net(a)I.XRS444.NET -N 'CN=omada.i.xrs444.net,O=I.XRS444.NET' -D omada.i.xrs444.net -C "/usr/local/bin/catcerts.sh /nasstore/containers/omada-data/cert.crt /etc/ipa/ca.crt //nasstore/containers/omada-data/tls.crt" (The -C is calling a script to concatenate the cert change into one file) This appears to process without error, but when I run ipa-getcert list I see the following error: Request ID '20201019194610': status: CA_REJECTED ca-error: Server at https://xipa1.i.xrs444.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/ omada.i.xrs444.net(a)I.XRS444.NET ,cn=services,cn=accounts,dc=i,dc=xrs444,dc=net'.). In the GUI of xipa1 (IPA Server) I can see the host and service, with xstorage1 listed in the 'managed by' tab for both. I tried from another host with the same results. What have I missed? I'm sure I've done this before a while back, but I can't recall how I did it. Looking through guides online I can't see a step I've skipped. Thomas

21 hours, 15 minutes

2
2
0 / 0

Is it possible to alter the default two-year expiration of derived certificates

by Bo Lind

I'm generating certificates for a bunch of not-enrolled, not-certmonger-feasible services (our printer, for example) and I'd like a little longer life cycle than the standard two years. I can't for the life of me figure out where I can set that. Thanks in advance.

22 hours, 2 minutes

2
1
0 / 0

Ticket expired

by Albert Szostkiewicz

Every time I restart on my workstation, I am getting errors with authentication $ ipa ipa: ERROR: Ticket expired $ kinit myuser Password for myuser(a)HOME.MYDOMAIN.COM: ****** $ ipa cert-show 1 Issuing CA: ipa Certificate: ####### Subject: CN=Certificate Authority,O=HOME.MYDOMAIN.COM Issuer: CN=Certificate Authority,O=HOME.MYDOMAIN.COM Not Before: Thu Sep 19 01:27:28 2019 UTC Not After: Mon Sep 19 01:27:28 2039 UTC Serial number: 1 Serial number (hex): 0x1 Revoked: False $ ipa pwpolicy-show global_policy Group: global_policy Max lifetime (days): 20000 Min lifetime (hours): 1 History size: 0 Character classes: 0 Min length: 8 Max failures: 21 Failure reset interval: 60 Lockout duration: 600 $ ipa Usage: ipa [global-options] COMMAND [command-options] Manage an IPA domain Options: ... Then, I have to restart services that failed (like autofs) in order to mount NFSv4 properly. Problem is - I have to do it every time I restart machine. Is there any additional step I should take on my workstation ? Thanks!

1 day, 6 hours

2
3
0 / 0

Migrating from LDAP to FreeIPA

by Per Qvindesland

Hi I am currently in the process of migrating from a LDAP server to IPA installed on a Centos 8 instance. I been following these instructions on importing users from the LDAP server https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... but it's asking for the Directory Manager password, I took over position very recently and there is a password which is supposed to be for that account but it's not accepted. Is it possible with the ipa migrate-ds to specify another user, i'd say no since the docs doesn't mention anything but I thought that I ask, or is it possible to use a ldif file to import the users? Regards Per

1 day, 10 hours

2
1
0 / 0

Replication Error

by Ronald Wimmer

By coincidence I found something in /var/log/messages that does not look too good: Oct 2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. The error seems to persist. What has do be done? Do i have to uninstall ipa replica and do an ipa-replica-install agein? Cheers, Ronald

1 day, 13 hours

2
5
0 / 0

Adding a KRA

by Ronald Wimmer

At the moment we only have KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present? Cheers, Ronald

1 day, 13 hours

2
3
0 / 0

Something changed regarding enrollment permissions?

by Ronald Wimmer

Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment" role. The error we get is: Joining realm failed: Failed to parse result: Insufficient access rights Retrying with pre-4.0 keytab retrieval method... Failed to parse result: Insufficient access rights Failed to get keytab! Failed to get keytab child exited with 9 When I try to add the same host with my admin user it works without any problems. Cheers, Ronald

1 day, 13 hours

1
0
0 / 0

2020

2019

2018

2017

FreeIPA-users October 2020