Is there a process that will renew TGT
by Kees Bakker
Hi,
On my Ubuntu 20.04 system, if I log in I get a TGT. So far so good.
Usually I log in to a system and never log out for weeks.
I seem to remember that I didn't have to manually get a new TGT all
the time. Now it expires after 24h and I have to redo a kinit.
My question: is there (or should there be) a mechanism that renews the
TGT if you stay logged in?
--
Kees
3 years, 3 months
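An added example of the check the poster is asking about, written for this page rather than taken from the thread or from FreeIPA: parse the output of klist, decide whether the TGT can still be refreshed with kinit -R, and only then run it. The klist timestamp layout (MIT format, 2- or 4-digit year) and the sample cache contents are assumptions, not output from the poster's machine.

```python
"""Decide whether a Kerberos TGT can be refreshed with `kinit -R`.

Added example (not from the original thread). It parses `klist` output in the
MIT layout (an assumption) and applies the renewal rules: kinit -R only works
while the TGT is still valid and before its 'renew until' time; an expired or
non-renewable TGT needs a fresh kinit with a password or keytab.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `klist` output; not captured from a real system.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kees@EXAMPLE.COM

Valid starting       Expires              Service principal
12/14/2020 09:00:00  12/15/2020 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 12/21/2020 09:00:00
12/14/2020 09:00:05  12/15/2020 09:00:00  host/ws.example.com@EXAMPLE.COM
"""

_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TGT_LINE = re.compile(rf"^({_TS})\s+({_TS})\s+krbtgt/\S+", re.M)
_RENEW_LINE = re.compile(rf"renew until ({_TS})")


def _parse_ts(text):
    """klist prints either a 4-digit or a 2-digit year depending on build/locale."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_tgt(klist_output):
    """Return (principal, expires, renew_until-or-None) for the krbtgt entry."""
    m = re.search(r"^Default principal: (\S+)$", klist_output, re.M)
    if not m:
        raise ValueError("no default principal in klist output")
    t = _TGT_LINE.search(klist_output)
    if not t:
        raise ValueError("no TGT in the credential cache")
    expires = _parse_ts(t.group(2))
    # The 'renew until' line belongs to the TGT only if it directly follows it.
    following = klist_output[t.end():].split("\n", 2)
    renew_until = None
    if len(following) > 1:
        r = _RENEW_LINE.search(following[1])
        if r:
            renew_until = _parse_ts(r.group(1))
    return m.group(1), expires, renew_until


def plan_renewal(klist_output, now, margin=timedelta(hours=1)):
    """Return 'ok', 'renew' (kinit -R will succeed) or 'kinit' (need fresh creds)."""
    _, expires, renew_until = parse_tgt(klist_output)
    if now >= expires:
        return "kinit"  # expired: the KDC refuses to renew, password/keytab needed
    if expires - now > margin:
        return "ok"  # plenty of lifetime left, nothing to do yet
    if renew_until is not None and now < renew_until and expires < renew_until:
        return "renew"  # still inside the renewable window
    return "kinit"  # non-renewable, or renewable lifetime about to run out


def refresh(now=None):
    """Run klist and, when the plan says so, kinit -R. Returns the action taken."""
    now = now or datetime.now()
    out = subprocess.run(["klist"], capture_output=True, text=True, check=True).stdout
    action = plan_renewal(out, now)
    if action == "renew":
        subprocess.run(["kinit", "-R"], check=True)
    return action


if __name__ == "__main__":
    print(refresh())
```

kinit -R only succeeds while the current TGT is unexpired and before its "renew until" time, so a helper like this has to run from cron or a timer before the 24 h lifetime ends; once the ticket has lapsed, a fresh kinit with a password or keytab is the only option. For a session that stays logged in for weeks, the usual answer is to let sssd do this instead: sssd-krb5(5) documents krb5_renew_interval (how often to check) and krb5_renewable_lifetime (request renewable tickets), and the IPA KDC's default policy (ipa krbtpolicy-show) allows renewal for up to a week.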
Replica DNS records could not be added on master: Insufficient access
by lejeczek
Hi guys.
A replica install process which seemingly completes successfully spits out this:
...
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access:
Insufficient 'add' privilege to add the entry
'idnsname=sucker,idnsname=ccnr.ceb.private.cam.ac.uk.,cn=dns,dc=ccnr,dc=ceb,dc=private,dc=cam,dc=ac,dc=uk'.
Configuring Kerberos KDC (krb5kdc)
...
Should the above warrant some investigation?
many thanks, L.
3 years, 3 months
Installation fails in adding CA certificate entry - certutil does not support --simple-self-signed
by iulian roman
After some plumbing and manual operations I managed to have the CA running during installation of the FreeIPA server. Currently the install fails in:
Configuring directory server (dirsrv)
[2/3]: adding CA certificate entry
args=['/usr/bin/certutil', '-d', 'dbm:/etc/dirsrv/slapd-IPA-LOCAL/', '-O', '--simple-self-signed', '-n', 'IPA.LOCAL IPA CA', '-f', '/etc/dirsrv/slapd-IPA-LOCAL/pwdfile.txt']
The installation seems to fail due to the fact that certutil does not support --simple-self-signed parameter.
Does anybody know if there is a version of libnss3-tools for Ubuntu 18.04 whose certutil supports the option invoked, or if the option can be disabled/removed during install?
3 years, 3 months
IPA Kerberos Trust problem with Windows Update kb4586830
by Jerry Träskelin
Hello,
first let me introduce our setup:
- FreeIPA 4.6.5 (I know it's a bit old already) masters CentOS 7
- FreeIPA 4.6.6 client CentOS 7
- Windows Server 2016 DCs
- Netapp Filer NFS server
There's a two-way trust between the AD and IPA domains which works nicely. User accounts exist in the AD domain and can be used on IPA members as well. The Netapp has a computer account in AD. IPA clients mount NFSv4 shares using krb5p encryption.
The problem:
After installing the latest Windows updates on the DCs (kb4586830) the Kerberos authentication to the file server started failing. We were able to identify it as a Kerberos problem by trying to mount without Kerberos, which worked but of course nothing was accessible. After trying a bunch of different things and reading a lot of logs, we finally uninstalled the update on the DCs and everything worked again. There's not a whole lot of error messages to go on even though log/debug levels were set to the highest. The mounting client will simply say "mount.nfs: access denied by server while mounting". On the DC I was able to find a Failure Code 0x3C for the Kerberos ticket request. 0x3C is a generic error, according to https://docs.microsoft.com/en-us/windows/security/threat-protection/audit.... None of the possible causes listed by Microsoft apply to our situation.
Since uninstalling the update on the DCs made the problem go away, I guess it's safe to assume that Microsoft changed something. The update notes don't really mention anything useful, but after some googling I found https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17049 which seems like something that could have caused this. Are there some settings in the IPA that could be changed to comply with the changes made by Microsoft?
Thanks!
3 years, 3 months
CA configuration fails with SEVERE: Unable to start CMS engine: Property internaldb.ldapconn.port missing value
by iulian roman
Hello,
I am trying to move ahead with the installation of FreeIPA server on Ubuntu, but it always gets stuck in the CA configuration phase. The last error seems to be related to a missing port value (as stated in the subject):
2020-12-14 11:17:29 [localhost-startStop-1] SEVERE: Unable to start CMS engine: Property internaldb.ldapconn.port missing value
Property internaldb.ldapconn.port missing value
at com.netscape.cmscore.base.PropConfigStore.getInteger(PropConfigStore.java:459)
at com.netscape.cmscore.ldapconn.LdapConnInfo.init(LdapConnInfo.java:55)
at com.netscape.cmscore.ldapconn.LdapConnInfo.<init>(LdapConnInfo.java:45)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:123)
at com.netscape.cmscore.cert.CrossCertPairSubsystem.init(CrossCertPairSubsystem.java:127)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1082)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:941)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:934)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:545)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:149)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1144)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1091)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:983)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4956)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5270)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:624)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1834)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
In /etc/pki/pki-tomcat/ca/CS.cfg , both internaldb.ldapconn.host and internaldb.ldapconn.port variables are empty:
Any idea in which phase those values are set or is there any method to specify them manually during installation ?
3 years, 3 months
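An added example, written for this page and not part of the thread or of FreeIPA/Dogtag, of the check a practitioner would run on CS.cfg before restarting the CA: parse the flat key=value file and report the internaldb.ldapconn.* properties that are absent, empty or inconsistent. The CS.cfg excerpt below is constructed to reproduce the reported state (both properties present but empty), which is exactly what makes PropConfigStore.getInteger() throw "missing value" in the trace above. The LDAP port numbers used in the consistency heuristic (389 cleartext, 636 LDAPS) are the conventional ones and are an assumption about the deployment.

```python
"""Validate the internaldb.ldapconn.* properties of a Dogtag CS.cfg.

Added example (not from the original thread). CS.cfg is a flat `key=value`
file; the CA cannot start when a property it reads as an integer is present
but empty, which is the 'Property internaldb.ldapconn.port missing value'
failure reported above.
"""

# Constructed CS.cfg fragment reproducing the reported state; not copied from
# the poster's server.
SAMPLE_CS_CFG = """\
# example CS.cfg fragment (constructed)
internaldb.ldapconn.host=
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.authtype=SslClientAuth
internaldb.basedn=o=ipaca
"""


def _host_problem(value):
    return None if value else "empty"


def _port_problem(value):
    if not value:
        return "empty (PropConfigStore.getInteger() raises 'missing value')"
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        return f"not a valid TCP port: {value!r}"
    return None


def _bool_problem(value):
    return None if value in ("true", "false") else f"not a boolean: {value!r}"


# property -> validator returning None when fine, otherwise a short message
REQUIRED = {
    "internaldb.ldapconn.host": _host_problem,
    "internaldb.ldapconn.port": _port_problem,
    "internaldb.ldapconn.secureConn": _bool_problem,
}


def parse_cs_cfg(text):
    """Parse `key=value` lines; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a property line
        cfg[key.strip()] = value.strip()
    return cfg


def check_internaldb(cfg):
    """Return a list of problems; an empty list means the LDAP connection
    settings are at least complete and self-consistent."""
    problems = []
    for key, validate in REQUIRED.items():
        if key not in cfg:
            problems.append(f"{key}: missing")
            continue
        msg = validate(cfg[key])
        if msg:
            problems.append(f"{key}: {msg}")
    # Heuristic (assumption about conventional ports): a TLS connection is
    # expected on 636, a cleartext one is not.
    port = cfg.get("internaldb.ldapconn.port", "")
    secure = cfg.get("internaldb.ldapconn.secureConn") == "true"
    if port.isdigit() and ((secure and port != "636") or (not secure and port == "636")):
        problems.append(
            f"internaldb.ldapconn.port={port} is unusual for "
            f"internaldb.ldapconn.secureConn={str(secure).lower()}"
        )
    return problems


if __name__ == "__main__":
    for problem in check_internaldb(parse_cs_cfg(SAMPLE_CS_CFG)):
        print(problem)
```

Run against the constructed fragment it reports both the empty host and the empty port; against a populated file it stays silent. On an install driven by pkispawn these two values come from the deployment parameters pki_ds_hostname and pki_ds_ldap_port (or the LDAPS port when a secure connection is requested), so an empty pair in CS.cfg points at the pkispawn configuration step rather than at the CA itself.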
ipaCertSubject uniqueness check
by Khurrum Maqb
I'm currently running ipaServer 4.6.8 on Centos7. I have an IPA CA, and an external CA for user smartcard authentication provided by a third party. I have used ipa-cacert-manage to add the external CA chain to IPA, and it worked fine.
The external CA re-keyed one of the certs in the chain, and kept the subject name the same. So the key, serial and expiration are different, but the placement in the chain and the ipaCertSubject are the same. Both the old cert and the new one are valid, and some cards have the old chain still valid, and some have the new chain valid.
So if I go and try to use ipa-cacert-manage to add the NEW cert, I get "Failed to install the certificate: subject public key info mismatch" which I assume is due to the ipaCertSubject being the same (docs: https://www.freeipa.org/page/V4/CA_certificate_renewal )
Is this expected behavior? Is there a workaround? Or will I have to use ldapdelete and certutil -D to delete the old key, and then install the new key. In this process, the users with the OLD key will lose the ability to log in with their smart cards until new certs are issued to them. Thanks!
3 years, 3 months
users/groups migration IPA to IPA => NT_STATUS_INVALID_SID
by lejeczek
Hi guys,
I must be missing something I hope. This should just work,
right?
$ ipa migrate-ds --bind-dn="cn=Directory Manager" \
    --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts \
    --group-objectclass=posixgroup --with-compat ldap://10.0.0.6
Prior to above, on the target IPA I run:
$ ipa-adtrust-install
Source IPA is: VERSION: 4.6.8, API_VERSION: 2.237
Target is: VERSION: 4.8.7, API_VERSION: 2.239
$ smbclient -L //love.ccn.mine.domain -Ume
lp_load_ex: changing to config backend registry
Unknown parameter encountered: "includes"
Enter CCN\me's password:
session setup failed: NT_STATUS_INVALID_SID
Any suggestions as to what is (or rather is not, but should be) happening are
greatly appreciated.
many thanks, L.
3 years, 3 months
Paging and size limit ignored on the compat tree
by Adam Bishop
Setup:
* UI size limit set to 50
* nsslapd-sizelimit default of 2000
* 100 user objects in tree
If I run a paged query with -E pr=10/prompt against the main tree, the results are paged as expected.
If I run a paged query with -E pr=10/prompt against the compat tree, both the client pr setting and the IPA size limit are ignored and the whole tree is returned.
Is this expected behaviour, or is something amiss?
Adam
3 years, 3 months