Plugin problem after upgrade
by Frederic AYRAULT
Hello,
I upgraded my Centos servers from 7.7.1908 to 7.8.2003 and ipa upgrades
from 4.6.5 to 4.6.6
In the directory /usr/share/ipa/ui/js/plugins/bureau , I am using the
enclosed file bureau.js
to show the room number field in the gui. But after the upgrade, the
field is there, but empty.
I deleted one of my servers, downgraded the ipa packages and reinstalled ipa,
and the plugin is working,
I can see the value in the field.
Do you have any idea?
Thank you
Regards,
Frederic
Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
fred(a)lix.polytechnique.fr
pam_subuid for automatic /etc/subuid and /etc/subgid entry creation
by Sam Morris
If you've tried to use container engines such as podman, and other tools that rely on newuidmap/newgidmap for the configuration of user namespaces on systems where users are defined in FreeIPA, you've probably had to create entries in /etc/subuid and /etc/subgid manually.
I created a PAM module that automatically creates /etc/subuid and /etc/subgid entries when a user logs in. It can be found at <https://github.com/yrro/pam_subuid>. It's pretty rudimentary, but it does work on my machines; I hope other users of FreeIPA may find it useful, and maybe even send bug reports and pull requests. :)
I hope this isn't considered spamming--I created it in order to use it as a stopgap measure until shadow/sssd/FreeIPA are able to manage subordinate user/group IDs themselves.
--
Sam Morris <https://robots.org.uk/>
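The bookkeeping a login-time module of this kind has to do, as an added example (not code from pam_subuid or FreeIPA): parse the existing /etc/subuid or /etc/subgid contents, hand the user the lowest range that overlaps nobody else's, and leave the file alone when the user already has one. File I/O is kept out of the core functions so they run on the constructed sample below; the default range size and lower bound are assumptions matching useradd(8)'s usual defaults.

```python
"""Allocate /etc/subuid-style subordinate ID ranges for a user (added example)."""
from typing import List, NamedTuple, Optional


class SubIdEntry(NamedTuple):
    name: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """First ID after the range (exclusive)."""
        return self.start + self.count


DEFAULT_COUNT = 65536        # assumption: same per-user size useradd(8) hands out
DEFAULT_MIN_START = 100000   # assumption: stay clear of ordinary UID/GID space
MAX_ID = 2 ** 32 - 2         # kernel ID space; never allocate past it

# Constructed sample file contents, not taken from any real host.
SAMPLE_SUBUID = "alice:100000:65536\nbob:165536:65536\n"


def parse_subid(text: str) -> List[SubIdEntry]:
    """Parse the contents of /etc/subuid or /etc/subgid.

    One entry per line, <name>:<start>:<count>. Blank lines are skipped.
    Malformed lines raise rather than being ignored: a corrupt ID map is a
    condition an administrator must see, not something to paper over.
    """
    entries: List[SubIdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = parts
        entry = SubIdEntry(name, int(start), int(count))
        if entry.count <= 0 or entry.start < 0:
            raise ValueError(f"line {lineno}: invalid range {raw!r}")
        entries.append(entry)
    return entries


def find_entry(entries: List[SubIdEntry], name: str) -> Optional[SubIdEntry]:
    """Return the existing entry for `name`, if any."""
    for entry in entries:
        if entry.name == name:
            return entry
    return None


def allocate_range(entries: List[SubIdEntry], name: str,
                   count: int = DEFAULT_COUNT,
                   min_start: int = DEFAULT_MIN_START) -> SubIdEntry:
    """Return `name`'s entry, creating the lowest non-overlapping range if absent."""
    existing = find_entry(entries, name)
    if existing is not None:
        return existing
    candidate = min_start
    # Walk existing ranges in address order; whenever one overlaps the
    # candidate window, move the candidate just past it.
    for entry in sorted(entries, key=lambda e: e.start):
        if entry.start < candidate + count and candidate < entry.end:
            candidate = entry.end
    if candidate + count > MAX_ID:
        raise RuntimeError(f"no free subordinate ID range of size {count} for {name}")
    return SubIdEntry(name, candidate, count)


def ensure_range(text: str, name: str, count: int = DEFAULT_COUNT,
                 min_start: int = DEFAULT_MIN_START) -> str:
    """Return the file text with a range for `name`; unchanged if one exists."""
    entries = parse_subid(text)
    if find_entry(entries, name) is not None:
        return text
    new = allocate_range(entries, name, count, min_start)
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{new.name}:{new.start}:{new.count}\n"


if __name__ == "__main__":
    print(ensure_range(SAMPLE_SUBUID, "carol"), end="")
```

When this logic runs for real it executes as root inside the PAM session stack, so the write itself matters as much as the arithmetic: take the shadow-suite lock (lckpwdf) or an equivalent file lock, write to a temporary file and rename it into place, and re-read the file under the lock before deciding, so two concurrent first logins cannot both be handed the same range.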
What service does an 'enrollment administrator' role user use
by Rob Verduijn
Hello,
I've encountered a minor annoyance when using the 'enrollment
administrator' role
I created a user for ipa-client enrolment and made the user a member of the
'enrollment administrator' role.
I've tested it and it was capable of enrolling clients.
After this I disabled the allow_all policy.
Cleared the sssd cache on the ipa server and tried again.
Now the user gets a 'No permission to join this host to the IPA domain.'
It works for ipa admin accounts.
I guess I need to allow a service for the 'enrollment administrator' role.
But I don't know which one.
What service do I need to allow for the 'enrollment administrator' role to
function properly?
Rob Verduijn
Re: Administration delegation for multiple hosts services
by Julien Rische
Hello Alexander,
Thank you for answering this quickly.
-----Original message-----
>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>Sent: Wednesday 29th April 2020 15:48
>To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>Cc: Julien Rische <julien.rische(a)cern.ch>
>Subject: Re: [Freeipa-users] Administration delegation for multiple hosts services
>
>On ke, 29 huhti 2020, Julien Rische via FreeIPA-users wrote:
>>Hello everyone,
>>
>>To properly support load-balanced services, we need FreeIPA-managed service
>>hosts to be able to retrieve the following elements, without the intervention
>>of any user (only starting with the host keytab):
>>
>>- Keytab containing keys for:
>> - Service canonical principal
>> - When accessed via service DNS alias (Kerberos rDNS lookup disabled)
>> - Service principal alias for host
>> - When accessed via service DNS alias (Kerberos rDNS lookup enabled)
>> - When accessed via host canonical FQDN
>>- X.509 certificate for:
>> - Service alias FQDN
>> - Host actual FQDN
>>
>>In order to obtain each element of this list, we need to:
>>
>>- Allow the host to retrieve the service key
>> - Creation/reset of the key should be forbidden
>>- Allow the host to request a certificate for both its own FQDN and the service
>> DNS alias (which matches the service canonical principal)
>> - Preferably only these 2 subject names should be allowed
>>- Create a service principal alias matching the host's FQDN
>>
>>We are managing hundreds of services spread across tens of thousands of hosts.
>>Each service is managed by a different user group, hence we can't afford to
>>grant all these users the "Service Administrators" privilege.
>>
>>Ideally, each service would be configured just once (with just maybe a few
>>exceptional updates). On the contrary, hostgroup(s) containing the service
>>hosts would be continuously updated. This way, FreeIPA administrator would give
>>their blessing at service creation, and then let service administrators manage
>>hosts membership.
>>
>>We think the following configuration could be applied for each service:
>>
>>- A hostgroup containing all the service hosts, allowed to:
>> - Retrieve the service key
>> - Request certificate with alternative subject name by:
>> - Being assigned to the "managedBy" service attribute
>> - Or being granted the permission to write the "userCertificate"
>> service attribute
>>- A service administrators group, allowed to:
>> - Write the "member" attribute of the hostgroup
>> - Create/reset the service key
>>
>>The keytab creation/retrieval part is quite straightforward to deal with. But
>>this is not necessarily the case for certificates and service principal aliases:
>>
>>We observed the "managedBy" setting has 2 downsides:
>>
>>- It grants the host the permission to request a certificate with subject
>> alternative names, but it also grants the permission to create/reset the key,
>> which we don't want.
>>- It consists of a list of hosts that must be continuously maintained, since it
>> cannot refer to the hostgroup directly.
>>
>>Therefore it seems that a permission granting the hostgroup to update the
>>service's "userCertificate" attribute sounds more flexible. But both options
>>have the downside of granting any host from the hostgroup to request any other
>>as the alternative subject name.
>>
>>Regarding the service principal aliases, we haven't found any way to
>>dynamically update the list as the service hostgroup changes. We could either
>>grant the service hostgroup the permission to update the "krbPrincipalName"
>>service attribute, but it sounds like an excessive permission. We could also
>>implement a background service continuously updating principal alias list of
>>services according to their associated hostgroups.
>>
>>So I would summarise my questions this way:
>>
>>- Are the assumptions used in this message true?
>Yes. Quite good summary, thanks for that.
>
>>- Is granting write permissions on "userCertificate" service attribute the best
>> alternative to "managedBy" for our use case?
>
>With FreeIPA 4.8.4+ we have support for member managers which define who
>can write to the member attribute of the group. See
>https://freeipa.readthedocs.io/en/latest/designs/membermanager.html for
>more details. Since this applies to any group, you can have a service
>administrators group to manage a hostgroup membership and to define a
>group that has write permissions to userCertificate through the normal
>role/permissions mechanism.
>
The "member manager" feature looks convenient indeed to avoid configuring an
extra role and permission for the service administrators group. That's
especially one thing less to clean up in case the hostgroup is deleted.
I would have 2 extra questions about the "managedBy" attribute:
- What is the exact list of the permissions it is granting (in addition to
write permission on "userCertificate" service attribute and service key
creation)?
- Would it make sense to extend its scope to hostgroups?
>
>>- What is the best way to keep a service principal alias list up-to-date with a
>> hostgroup?
>To add a KrbPrincipalName alias to a specific service principal on a hostgroup
>change, it would probably be easier to extend the automember feature (see
>details in 'ipa help automember'). Right now it is hard-coded to use two
>types: hostgroup and group even though automember plugin in 389-ds
>allows to define an attribute that would be used for grouping feature
>and define what entry's attribute to use to populate the value.
>
>The problem is that it only takes a value as it is from the entry, there
>is no way to transform it to some other value. If you'd look into
>install/updates/40-automember.update file, you'll see that hostgroup
>population is taking a 'dn' value of an entry and asks to add that as a
>'member' of a hostgroup:
>
>dn: cn=Hostgroup,cn=automember,cn=etc,$SUFFIX
>default: objectclass: autoMemberDefinition
>default: cn: Hostgroup
>default: autoMemberScope: cn=computers,cn=accounts,$SUFFIX
>default: autoMemberFilter: objectclass=ipaHost
>default: autoMemberGroupingAttr: member:dn
>
>So I would imagine that one could do something like that for
>krbPrincipalName:some-attribute. And that 'some-attribute' needs to be
>populated in the (host) entry itself to be used by the automember
>plugin. This is not implemented right now in the 389-ds automember
>plugin.
>
>To dive deeper into a rabbit hole, we can generate krbPrincipalName in
>the service entries with the help of CoS plugin. This is a bit more
>weird plugin and you need to read a lot of details about it in RHDS
>documentation, but you can see how I did desktop profile rules pull into
>a host entry with https://github.com/abbra/freeipa-desktop-profile.
>Specifically, https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/updat...
>defines CoS configuration that pulls ipaDeskData attribute into the host
>entry.
>
So relying on the automember plugin we could import the principal alias from an
attribute of the member host. Here also, I guess the main advantage is there
would be no need to cleanup the service principal alias list whenever a host is
removed from the hostgroup.
It's a shame we cannot generate the service principal alias itself, but I
suppose it would require some sort of string composition plugin:
===
dn: krbCanonicalName=HTTP/web.example.com,cn=services,cn=accounts,dc=example,dc=com
service: HTTP
...
dn: fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberof: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
...
dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
member: fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com
...
dn: cn=web-krb-aliases,...
format: "%/%(a)EXAMPLE.COM"
replace: %
nparam: 2
param1dn: krbCanonicalName=HTTP/web.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
param1attr: service
param2dn: cn=computers,cn=accounts,dc=example,dc=com
param2attr: fqdn
param2filter: (memberof=cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com)
targetdn: krbCanonicalName=HTTP/web.example.com,cn=services,cn=accounts,dc=example,dc=com
targetattr: krbPrincipalName
===
I had a look at RHDS documentation about CoS[1], it looks like a kind of
template engine. I am not sure I understand whether it can be used to concatenate
multiple values. Is that the case?
>>
>>Since it is my first message on this mailing list, I would like to pay tribute
>>to the development team of FreeIPA and its community. Even if there is still
>>work to do, FreeIPA is a quite impressive piece of work given the complexity of
>>the environment it is trying to integrate into, and the variety of use cases it
>>has to support.
>>
>>Kind regards,
>>
>>---
>>Julien Rische
>>Systems engineer
>>CERN
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland
Best regards,
---
Julien Rische
Systems engineer
CERN
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
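The "background service" alternative discussed in this thread, as an added example in plain Python (not FreeIPA, 389-ds automember or CoS code): given a service's canonical principal and the hosts currently in its hostgroup, compute the krbPrincipalName aliases the service should carry using the "%/%@REALM" composition sketched above, and diff that against the aliases it has now. LDAP I/O is left out; the inputs are constructed strings shaped like the LDIF in the message. Two assumptions of this example: the canonical principal is never touched, and every other krbPrincipalName on the service is treated as managed by the hostgroup, so the alias of a host that left the hostgroup is reported for removal.

```python
"""Reconcile a service's krbPrincipalName aliases with hostgroup members (added example)."""
from typing import Iterable, List, Set, Tuple

# Constructed sample data modelled on the LDIF sketch in the thread.
CANONICAL = "HTTP/web.example.com@EXAMPLE.COM"
SERVICE_LDIF = """\
dn: krbCanonicalName=HTTP/web.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
krbCanonicalName: HTTP/web.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/web.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/web01.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/old.example.com@EXAMPLE.COM
"""
MEMBERS = [
    "fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com",
    "fqdn=web02.example.com,cn=computers,cn=accounts,dc=example,dc=com",
]


def rdn_value(dn: str, attr: str) -> str:
    """Return the value of the leading RDN of `dn`, checking its attribute name."""
    first = dn.split(",", 1)[0]
    key, _, value = first.partition("=")
    if key.strip().lower() != attr.lower() or not value.strip():
        raise ValueError(f"expected {attr}=... RDN, got {dn!r}")
    return value.strip()


def split_principal(principal: str) -> Tuple[str, str, str]:
    """'HTTP/web.example.com@EXAMPLE.COM' -> ('HTTP', 'web.example.com', 'EXAMPLE.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    service, sep, host = name.partition("/")
    if not sep or not host:
        raise ValueError(f"principal has no host component: {principal!r}")
    return service, host, realm


def compose_alias(service: str, fqdn: str, realm: str) -> str:
    """The '%/%@REALM' string composition proposed in the thread."""
    return f"{service}/{fqdn}@{realm}"


def aliases_from_ldif(ldif: str) -> List[str]:
    """Collect krbPrincipalName values from one LDIF entry (no folding/base64 handling)."""
    prefix = "krbPrincipalName: "
    return [line[len(prefix):].strip() for line in ldif.splitlines() if line.startswith(prefix)]


def desired_aliases(canonical: str, member_dns: Iterable[str]) -> Set[str]:
    """Aliases implied by hostgroup membership: one per member host FQDN."""
    service, _, realm = split_principal(canonical)
    return {compose_alias(service, rdn_value(dn, "fqdn"), realm) for dn in member_dns}


def reconcile(canonical: str, current_aliases: Iterable[str],
              member_dns: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) for the service's krbPrincipalName values.

    The canonical principal is excluded from both sets, so it is never
    removed and never re-added when the canonical host is itself a member.
    Assumption of this example: all other aliases are hostgroup-managed.
    """
    wanted = desired_aliases(canonical, member_dns)
    wanted.discard(canonical)
    current = set(current_aliases) - {canonical}
    return wanted - current, current - wanted


if __name__ == "__main__":
    to_add, to_remove = reconcile(CANONICAL, aliases_from_ldif(SERVICE_LDIF), MEMBERS)
    for alias in sorted(to_add):
        print(f"add    {alias}")
    for alias in sorted(to_remove):
        print(f"remove {alias}")
```

A reconciler like this applies its diff with `ipa service-add-principal` / `ipa service-remove-principal` (or direct LDAP writes) from one dedicated service account. That concentrates the write permission on krbPrincipalName, which the thread rightly calls excessive for every host, in a single audited account instead of granting it to the whole hostgroup.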
IPA and external DNS
by Ronald Wimmer
Hi,
In the company I am working for DNS is managed by a separate department.
Delegating the linux.mydomain.at zone is not an option. Entering DNS
entries (for IPA servers) is done by clicking around in a web interface.
Entries have to be entered manually one by one.
An alternative would be to use nsupdate for the linux.mydomain.at zone
(and subzones). Does IPA provide a way of using nsupdate in combination
with all the required DNS entries upon an IPA server/replica installation?
Cheers,
Ronald
Samba and winbind not starting
by Ronald Wimmer
I've managed to successfully migrate my ipa server #1 (including CA
renewal master) to RHEL8. After a few checks I found out that the trust
controller role was missing on the new system. So I ran
ipa-adtrust-install. However, the command "id myuser(a)ad.domain" did not
return any results. ipactl status revealed that smbd and winbind were
not running. ipactl restart did not help.
Any ideas on how to get the trust controller role working again on the
new machine?
Cheers,
Ronald
Samba integration - access without Kerberos
by lejeczek
hi everybody.
I see this subject might have been poked around many times, a couple of
times at least for sure. But I thought I'd poke again and hopefully
get some of the latest comments & thoughts on: how to make IPA's Samba allow
password authentication to Windows clients from outside of IPA/AD domains?
Would there, by now, possibly be a semi-official (by the IPA team) way of
getting there, since the subject first came up a long while ago?
many thanks, L.
Prevent admin user lock
by Petar Kozić
Hi folks,
My FreeIPA server runs on a public IP and needs to be public. Because of
that I have a problem: the admin user is often locked because of too many
incorrect logins.
Can I restrict admin user logins to some IP, and how?
Thank you.
Client part of server install failing - KRB5CCNAME not defined in HTTP request environment
by Simon Williams
I am having an issue attempting to install IPA Server. The server
component install processes correctly, but when it comes to set up the
client components it fails:
2020-04-28T22:41:42Z DEBUG failed to find session_cookie in persistent
storage for principal 'host/ipa.mydomain.com(a)MYDOMAIN.COM'
2020-04-28T22:41:42Z INFO trying https://ipa.mydomain.com/ipa/json
2020-04-28T22:41:42Z DEBUG Created connection context.rpcclient_1954644240
2020-04-28T22:41:42Z INFO [try 1]: Forwarding 'schema' to json server
'https://ipa.mydomain.com/ipa/json'
2020-04-28T22:41:42Z DEBUG New HTTP connection (ipa.mydomain.com)
2020-04-28T22:41:53Z DEBUG HTTP connection destroyed (ipa.mydomain.com)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 732, in
single_request
response.msg)
ProtocolError: <ProtocolError for ipa.mydomain.com/ipa/json: 500 Internal
Server Error>
2020-04-28T22:41:53Z DEBUG Destroyed connection context.rpcclient_1954644240
2020-04-28T22:41:53Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
360, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
386, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
655, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line
3671, in main
install(self)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line
2392, in install
_install(options)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line
2734, in _install
api.finalize()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 739, in
finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in
__do_if_not_done
getattr(self, name)()
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 619, in
load_plugins
for package in self.packages:
File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 949, in
packages
ipaclient.remote_plugins.get_package(self),
File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
line 134, in get_package
plugins = schema.get_package(server_info, client)
File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line
553, in get_package
schema = Schema(client)
File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line
401, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
File
"/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line
426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1190, in
forward
raise NetworkError(uri=server, error=e.errmsg)
2020-04-28T22:41:53Z DEBUG The ipa-client-install command failed,
exception: NetworkError: cannot connect to 'https://ipa.mydomain.com/ipa/json':
Internal Server Error
The relevant services appear to be running
certmonger.service loaded active running Certificate monitoring
and
dirsrv(a)MYDOMAIN-COM.service loaded active running 389 Directory S
gssproxy.service loaded active running GSSAPI Proxy Daemon
httpd.service loaded active running The Apache HTTP Server
ipa-custodia.service loaded active running IPA Custodia Service
ipa-dnskeysyncd.service loaded active running IPA key daemon
ipa.service loaded active exited Identity, Policy, Audit
kadmin.service loaded active running Kerberos 5
Password-changin
krb5kdc.service loaded active running Kerberos 5 KDC
named-pkcs11.service loaded active running Berkeley Internet Name
Doma
ntpd.service loaded active running Network Time Service
oddjobd.service loaded active running privileged operations
for u
pki-tomcatd(a)pki-tomcat.service loaded active running PKI Tomcat Server
pki-t
I can use kinit to obtain a ticket for admin, but any ipa command that I
attempt to run gives an error along the following lines
ipa: DEBUG: failed to find session_cookie in persistent storage for
principal 'admin(a)MYDOMAIN.COM'
ipa: INFO: trying https://ipa.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_1964217648
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa.mydomain
.com/ipa/json'
ipa: DEBUG: New HTTP connection (ipa.mydomain.com)
ipa: DEBUG: HTTP connection destroyed (ipa.mydomain.com)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 732, in
single_request
response.msg)
ProtocolError: <ProtocolError for ipa.mydomain.com/ipa/json: 500 Internal
Server Error>
ipa: DEBUG: Destroyed connection context.rpcclient_1964217648
ipa: ERROR: cannot connect to 'https://ipa.mydomain.com/ipa/json': Internal
Server Error
In the httpd error log, I see the same error for every ipa command issued
[Wed Apr 29 14:51:19.119357 2020] [:error] [pid 8505] ipa: ERROR: 500
Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not
defined in HTTP request environment
[Wed Apr 29 14:51:19.120223 2020] [:error] [pid 8505] [remote
192.168.0.2:16498] mod_wsgi (pid=8505): Exception occurred processing WSGI
script '/usr/share/ipa/wsgi.py'.
[Wed Apr 29 14:51:19.120335 2020] [:error] [pid 8505] [remote
192.168.0.2:16498] RuntimeError: response has not been started
The same error is present at the time the install failed.
The Kerberos ticket is valid as ldapsearch works using it
[root@ipa1 ~]# ldapsearch -h ipa.mydomain.com -b ou=people,o=ipaca -Y
GSSAPI -s sub "(uid=admin)" dn uid
SASL/GSSAPI authentication started
SASL username: admin(a)MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=people,o=ipaca> with scope subtree
# filter: (uid=admin)
# requesting: dn uid
#
# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
uid: admin
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
but doesn't without it
[root@ipa1 ~]# ldapsearch -h ipa.mydomain.com -b ou=people,o=ipaca -s sub
"(uid=admin)" dn uid
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
Does anyone have any ideas? I'm tearing my hair out here!