Some users unable to log in to host
by Kristian Petersen
Hey all,
I have a user that is trying to log into a host that is configured to have
access restricted via an HBAC rule. This user is a member of one of the
groups defined in the HBAC rule that should be granted access. When this
user tries to SSH into this host, they get 3 consecutive password prompts
like "Password:" and then one like "username@domain's password:" and then
they get a response of "Permission denied, please try again." I am not
seeing any entries in the messages log or secure log for this user from
these login attempts. Anyone have any thoughts about why this is
happening?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
4 years, 1 month
Expired Certificates, rolling back time didn't help
by Bhavin Vaidya
Hello,
We had a similar issue 2 years back, and it resurfaced as it didn't auto-renew.
Went back in time to 2016-06-11 as well as 2020-02-20 and restarted "certmonger"; it didn't update.
FreeIPA Master: CentOS 7.4.1708, FreeIPA Version: 4.5.0, API_VERSION: 2.228
When running ipactl start, it will not start pki-tomcat; the message is: pki-tomcatd Service: STOPPED.
Referring to Rob's blog: <https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...>
[root@srv01 ~]# curl --cacert /etc/ipa/ca.crt -v https://`hostname`:8443/ca/ww/ca/getCertChain
* About to connect() to srv01.example.com port 8443 (#0)
* Trying 192.168.10.146...
* Connected to srv01.example.com (192.168.10.146) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* Server certificate:
* subject: CN=srv01.example.com,O=EXAMPLE.COM
* start date: Dec 26 21:02:44 2016 GMT
* expire date: Dec 16 21:02:44 2018 GMT
* common name: srv01.example.com
* issuer: CN=Certificate Authority,O=EXAMPLE.COM
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Meanwhile, the CA cert check as per <https://www.freeipa.org/page/V4/CA_certificate_renewal>:
[root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20180315021502':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
We also have a few other certificates which are not renewed.
[root@srv01 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20180228053337':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=srv01.example.com,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2021-01-11 21:56:57 UTC
principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180315021457':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-02-25 04:27:49 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021500':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:28:38 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021501':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-02-25 04:31:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021502':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-03-07 03:47:46 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180315021503':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://srv01.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180315021505':
status: CA_UNREACHABLE
ca-error: Server at https://srv01.example.com/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:36 UTC
principal name: ldap/srv01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180315021510':
status: CA_UNREACHABLE
ca-error: Server at https://srv01.example.com/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=srv01.example.com,O=EXAMPLE.COM
expires: 2020-03-07 08:49:51 UTC
principal name: HTTP/srv01.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Thank you for your help.
Bhavin
4 years, 1 month
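The getcert output in the post above is the raw material for a quick triage. The following Python script is an added example, not code from the post or from FreeIPA itself: it parses a `getcert list` dump into one record per tracked request, classifies each certificate (expired, renewal failing, expiring soon, ok) and reports the earliest expiry across the whole set. The sample text and the reference time of 2020-03-01 are constructed from a subset of the post's entries (same nicknames, statuses and expiry dates; other fields omitted).

```python
"""Triage a `getcert list` dump: parse each tracked request, report which
certificates are expired or whose renewal is failing, and find the earliest
expiry. Added example, not code from the post or from FreeIPA; the sample
below is constructed from a subset of the post's entries."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: abbreviated `getcert list` output modelled on the post.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20180315021457':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-02-25 04:27:49 UTC
Request ID '20180315021502':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2038-03-07 03:47:46 UTC
Request ID '20180315021503':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://srv01.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-15 23:15:23 UTC
Request ID '20180315021510':
        status: CA_UNREACHABLE
        ca-error: Server at https://srv01.example.com/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=srv01.example.com,O=EXAMPLE.COM
        expires: 2020-03-07 08:49:51 UTC
"""

# Constructed reference time: the thread dates from March 2020.
REFERENCE_TIME = datetime(2020, 3, 1, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by getcert's field names.
    Leading whitespace is stripped, so tab-indented output and flattened
    copies pasted into mail parse the same way."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group("key")] = m.group("value")
    return entries


def parse_expiry(value):
    """getcert prints the expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(entries, now=REFERENCE_TIME, warn_days=30):
    """Classify each request, most severe condition first:
    'expired' (notAfter already passed), 'renewal-failing' (not MONITORING
    or stuck), 'expiring' (within warn_days), 'ok'.
    Returns {request_id: (level, subject, ca-error)}."""
    result = {}
    for e in entries:
        expires = parse_expiry(e["expires"]) if "expires" in e else None
        if expires is not None and expires <= now:
            level = "expired"
        elif e.get("status") != "MONITORING" or e.get("stuck") == "yes":
            level = "renewal-failing"
        elif expires is not None and expires <= now + timedelta(days=warn_days):
            level = "expiring"
        else:
            level = "ok"
        result[e["request_id"]] = (level, e.get("subject", ""), e.get("ca-error", ""))
    return result


def earliest_expiry(entries):
    """Earliest notAfter across all tracked certificates: the last moment the
    whole set was valid, which any clock-rollback recovery has to precede."""
    return min(parse_expiry(e["expires"]) for e in entries if "expires" in e)


if __name__ == "__main__":
    # Pipe a live dump in (`getcert list | python3 getcert_triage.py`),
    # otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    parsed = parse_getcert_list(text)
    for rid, (level, subject, err) in triage(parsed).items():
        print(f"{rid} {level:16} {subject}" + (f"  [{err}]" if err else ""))
    print("earliest expiry:", earliest_expiry(parsed))
```

On this dump the IPA RA certificate (expired 2018-06-15) is the earliest expiry and the only entry that is both expired and unable to reach the CA. certmonger's IPA helpers authenticate to the CA with that RA certificate, so the "Failed to authenticate to CA REST API" errors on the other entries are what one would expect once it has lapsed, and a clock-rollback recovery has to go back before that date, not only before the 2020 expiries.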
sudo commands doesn't work
by Elham Sadat Azarian
Hi
I defined a sudo rule with these features, based on the https://github.com/freeipa/freeipa-workshop/blob/master/8-sudorule.rst instructions:
rule name: sysadmin-sudo
Enabled: TRUE
Host category: all
command category: all
RunAs User Category: all
RunAs Group category: all
Then I defined a user "sysadmin" and added the "sysadmin-sudo" rule to this user.
When I connect with this user and run a command with sudo (e.g. sudo systemctl stop rsyslog),
it shows:
sudo: PAM account management error: Permission denied
What's wrong?!
4 years, 1 month
Encryption LVM for Freeipa
by dmitriys
Hi!
I want to create an encrypted LVM and install FreeIPA. In what directory does FreeIPA save all sensitive data?
4 years, 1 month
FreeIPA with certificates from external CA and KDC
by Peter Tselios
Hello,
I have a small project to install a FreeIPA cluster on CentOS 7.7.
We have our own CA and they provided me already with a private key and a certificate file for the servers.
My problem is that I cannot get ipa-server to install.
The command I use is:
==================================
ipa-server-install --realm "EXAMPLE.COM" -p 'mypassword' -a 'mypassword' \
--hostname="freeipam.example.com" -n example.com --ip-address="10.1.8.24" \
--dirsrv-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
--dirsrv-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
--dirsrv-pin='' \
--http-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
--http-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
--http-pin='' \
--pkinit-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
--pkinit-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
--pkinit-pin='' \
--ca-cert-file=/etc/pki/ca-trust/source/anchors/Subordinate-CA.pem \
--ca-cert-file=/etc/pki/ca-trust/source/anchors/External-CA.pem \
--mkhomedir -N --no-host-dns --unattended
==================================
The problem is that I get this error:
-----------
The KDC certificate in /etc/pki/tls/certs/freeipam.example.com.crt, /etc/pki/tls/private/freeipam.example.com.pem is not valid: invalid for a KDC
-----------
Then I read this: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html and it was clear that I cannot use my certificates for the KDC in FreeIPA.
So, now the question is a bit different.
When I tried the above command without the pkinit certs lines, I got this error:
-----------
ipa-server-install: error: --dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file or --no-pkinit are required if any key file options are used.
-----------
This is in contrast with this document:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
where it's clear that I **CAN** specify just the LDAP and HTTP certificates!!!!
How can I use my certificates for HTTP and LDAP but ask IPA to use its self-signed certificates for KDC?
4 years, 1 month
automount failed FreeIPA, Version: 4.6.5
by Markus Roth
I configured an automount location in my freeipa:
#>automount -m
autofs dump map information
===========================
global options: none configured
Mount point: /-
source(s):
100000000|lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
failed to read map
Mount point: /Share
source(s):
instance type(s): sss
map: auto.public
public | -fstype=nfs4,rw.sec=krb5,soft,rsize=8192,rsize=8192 nfs.example.com:/
The /etc/exports on my nfs server looks as follows:
/export/data *(rw,fsid=0,sec=krb5:krb5i:krb5p)
When I mount the nfs share with the root user on the client:
kinit <user>
mount -vvv -t nfs4 -o sec=krb5 idefix.example.com:/ /Share
The root user can access the files mounted on the /Share directory.
But the <user> itself gets the message:
"access denied"
Automounting the share on the directory failed. Nothing is mounted.
Any hints to solve this will be appreciated!
4 years, 1 month
Kerberos and 2FA
by Leonid Kanter
Hello,
I'm trying to combine 2FA and kerberos, as described on
https://bugzilla.redhat.com/show_bug.cgi?id=1510734 and on
https://www.freeipa.org/page/V4/Kerberos_PKINIT#How_to_Use
Our main FreeIPA server, for historical reasons, is running without
certificate authority, on Letsencrypt certificates for httpd and slapd.
For test purposes, I installed new instance of FreeIPA (stock CentOS7)
with the same configuration, added CA with ipa-ca-install command,
enabled pkinit and created a user with 2FA enabled. ipa config-show says
this master is capable of PKINIT.
Now "kinit -n" works for me. But if I try "kinit -T $ARMOR_CCACHE
principal@REALM", it asks me for the OTP code, then returns "kinit:
Preauthentication failed while getting initial credentials". In
krb5kdc.log I see "Additional pre-authentication required" first, and
"preauth (otp) verify failure: Generic preauthentication failure" next.
But the same OTP authenticator works perfectly for ssh, sudo and FreeIPA
web console.
Could you please help with that?
4 years, 1 month
DNSSec renewal issue
by Arjen Heidinga
Hello all!
I looked at my logs and noticed a stack trace. I have looked thoroughly, but
I have no clue what is going on. It repeats every minute.
It appears there is no problem with my zone.
Any clues?
Regards,
Arjen
Mar 13 21:54:14 starkey python3[313742]: detected unhandled Python
exception in '/usr/libexec/ipa/ipa-dnskeysyncd'
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: Traceback (most recent
call last):
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module>
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: while
ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/lib64/python3.7/site-packages/ldap/syncrepl.py", line 464, in
syncrepl_poll
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: self.syncrepl_refreshdone()
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/lib/python3.7/site-packages/ipaserver/dnssec/keysyncer.py", line
128, in syncrepl_refreshdone
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]:
self.bindmgr.sync(self.dnssec_zones)
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/lib/python3.7/site-packages/ipaserver/dnssec/bindmgr.py", line
226, in sync
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: self.sync_zone(zone)
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/lib/python3.7/site-packages/ipaserver/dnssec/bindmgr.py", line
199, in sync_zone
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: self.install_key(zone,
uuid, attrs, tempdir)
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/lib/python3.7/site-packages/ipaserver/dnssec/bindmgr.py", line
139, in install_key
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: result =
ipautil.run(cmd, capture_output=True)
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: File
"/usr/lib/python3.7/site-packages/ipapython/ipautil.py", line 598, in run
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]: p.returncode,
arg_string, output_log, error_log
Mar 13 21:54:14 starkey ipa-dnskeysyncd[313742]:
ipapython.ipautil.CalledProcessError: CalledProcessError(Command
['/usr/sbin/dnssec-keyfromlabel-pkcs11', '-K',
'/var/named/dyndb-ldap/ipa/master/platypusnet.org/tmp2wyxe0ud', '-a',
b'RSASHA256', '-l',
b'pkcs11:object=2c69643f18014fdc31aa96268da2227d;pin-source=/var/lib/ipa/dnssec/softhsm_pin',
'-P', b'20190928191041', '-A', b'20190929101046', '-I',
b'20191228115443', '-D', b'20200117124816', 'platypusnet.org.'] returned
non-zero exit status 1: 'dnssec-keyfromlabel: fatal: failed to get key
platypusnet.org/RSASHA256: not found\n')
4 years, 1 month