CSR in PRINTABLESTRING enc when docs says UTF8STRING is default
by Fredrik Arneving
Hi,
I've tried to setup my freeIPA server on a freshly installed CentOS8 as a sub_CA of my existing PKI with private root-CA. My signing-CA has a match policy for (C)ountry and (O)rganizationName.
When trying to sign the CSR generated from freeIPA with command below it fails on a string encryption mismatch.
The string encryption on my organizationName, as well as my server DN is in PRINTABLESTRING encoding but my openssl generated signing cert needs it to be UTF8STRING.
I was under the impression UTF8STRING is default for freeIPA CSR's. What do I miss and how can I force it to be UTF8STRING?
CSR was generated with command:
ipa-server-install -r MYREALM.AS.UPPERCASE.DNSDOMAIN \
--external-ca \
--ca-subject CN=ipa-server-fqdn,C=SE,O=MyOrganizationName \
--ca-base C=SE,O=MyOrganizationName
Installation is successful and I'm supposed to sign the CSR and finalize ipa-install with second step. However, the signing fails because MyOranizationName != MyOrganizationName due to different encodings.
When looking at the CSR with "openssl req -noout -text -in ipa.csr" everything looks OK but when using "openssl asn1parse -in ipa.csr" it shows the mismatch of the organizationName PRINTABLESTRING compared to my successfully signed CSR's UTF8STRING.
Any ideas?
kernel version: 4.18.0-147.5.1.el8_1.x86_64
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
openssl: openssl-1.1.1c-2.el8.x86_64
Regards,
/Fredrik
1 year, 3 months
Re: EL7 Upgrades
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> Our environment has grown and as additional IPA servers have been added,
> different versions have been deployed. I am looking to bring IPA servers
> up to the latest version for EL7 and wanted some guidance or reassurance.
>
> Here are my versions, they are all VMWare VMs:
>
> idm001 ipa-server-4.5.4-10.0.1.el7.x86_64 Red Hat Enterprise Linux
> Server release 7.4 (Maipo) * UPGRADED *
> idm002 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux
> Server release 7.4 (Maipo) * CA MASTER *
> idm003 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux
> Server release 7.4 (Maipo)
> idm004 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux
> Server release 7.4 (Maipo)
> idm005 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux
> Server release 7.7 (Maipo)
> idm006 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux
> Server release 7.7 (Maipo)
> idm007 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux
> Server release 7.7 (Maipo)
> idm008 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux
> Server release 7.7 (Maipo)
> idm009 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux
> Server release 7.6 (Maipo)
> idm010 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux
> Server release 7.6 (Maipo)
>
> I have upgraded idm001 without issue, the path was:
>
> 1) take VMWare snapshot
> 2) ipactl stop
> 3) yum update (channel with latest EL versions)
> 4) reboot
> 5) after a day or so, remove VMWare snapshot
>
> and it now shows:
>
> idm001 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64Red Hat Enterprise Linux
> Server release 7.7 (Maipo)
>
> Post upgrade checks on idm001:
>
> I see network connections to port 88 and 389
> I can obtain a kerberos ticket through kinit
> I can login through the web interface and issue ipa commands.
> I don't see anything particularly alarming in log files.
>
> I understand the distributed LDAP schema was already up-to-date due to
> the roll out of idm005-006 on EL7.7/ipa-server-4.6.5-11.0.1.el7_7.4.
>
> I'm particularly concerned about upgrading idm002, my CA server -
> perhaps I should upgrade through each EL iteration? Are VMWare snapshots
> a suitable roll back mechanism for IPA (and IPA CA master) server upgrades?
Yes and yes, especially given your already mixed versions.
Given you have other CAs in your network there is nothing too special
about idm002 other than it has the additional role as CA renewal master.
> I was reading Rob's reply to Christian Reiss regarding his upgrade path
> to EL8 (bookmarked for future reference,) I don't have the
> ipa-crlgen-manage command on my CA server (presumably due to older
> version) to check if it is the CRL generator - I assume it is though,
> although in any case I'm unsure of the relevance with this EL7 series of
> ipa-server.
There are instructions at
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
which can tell you which one is doing it. If you aren't using CRLs at
all then this is probably not super important but you want to avoid
having 2 or more masters generating one since there is a race condition
where separate CA's could generate different, but otherwise valid, CRLs.
> All my IPA servers have CA capability except for idm001 - I presume I
> deployed it incorrectly in the first place. I would like to add CA
> facility to it, perhaps this is for a different thread though ...
ipa-ca-install should do it but yeah, I'd probably focus on getting the
other masters up to 7.7 or 7.8 before trying to add on the CA. You don't
necessarily need a CA on every master. You want to avoid single point of
failure but you don't need it everywhere.
rob
1 year, 3 months
Sudo command not working
by Faraz Younus
Hi Team,
I'm getting error when executing sudo su on client server what can be the
issue sudo command is there
[faraz.younus@england-web-dev ~]$ sudo su
[sudo] password for faraz.younus:
faraz.younus is not allowed to run sudo on england-web-dev. This incident
will be reported.
1 year, 3 months
replica install fails
by Alexandru David
Hi all
I have two centos 8 servers. One is installed and configured as master and AD trust controller. The second one, I'm trying to configure it as a replica, but what ever I do, the replica server fails to start.
Environment :
OS - CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with :
#ipa-replica-install -v --principal admin -p XXXXX --domain ipamaster01.example.com --server ipamaster01.example.com --setup-ca --setup-adtrust
The client install goes well, but the server stops at :
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]
On the ipareplica-install.log, last entries are:
2020-04-14T08:29:13Z DEBUG Created connection context.ldap2_139862275887680
2020-04-14T08:29:13Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-04-14T08:29:13Z DEBUG retrieving schema for SchemaCache url=ldap://ipamaster01.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f34367c7080>
2020-04-14T08:29:13Z DEBUG Successfully updated nsDS5ReplicaId.
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Added replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG No update to cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config necessary
2020-04-14T08:29:13Z DEBUG Waiting for replication (ldapi://%2Fvar%2Frun%2Fslapd-IPAMASTER01-EXAMPLE-COM.socket) cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree
,cn=config (objectclass=*)
2020-04-14T08:29:13Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicat
ionagreement', b'top'], 'cn': [b'meToipamaster01.example.com'], 'nsDS5ReplicaHost': [b'ipamaster01.example.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=ipamaste
r01,dc=example,dc=com'], 'description': [b'me to ipamaster01.example.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth kr
bloginfailedcount'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp']
, 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'197
00101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'
], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2020-04-14T08:29:13Z", "message": "Error (0) N
o replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2020-04-14T08:29:29Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
cacert=self.ca_file
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 1860, in setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
I can query both ldap servers on the master and replica with :
ldapsearch -h ldap://ipamaster01.example.com -p 389 -Y GSSAPI -b "" -s base -W
ldapsearch -h ldap://ipareplica01.example.com -p 389 -Y GSSAPI -b "" -s base -W
in this point, I'm really run out of options. Could someone tell me what I'm doing wrong?
Cheers
Alex
1 year, 3 months
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
by Bernard Lheureux
Hi all,
After a fresh install of FreeIPA 4.6.5-11.el7.centos.x86_64, fully updated from update repo on a CentOS7 x64 server, it appears that it is totally impossible to establish a trust with an AD running on local AD servers, we did it a few times ago with exactly the same distribution and had really no problem, we tried to completely reinstall the machine and the IPA wit always the same results,
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
Could someone point me to the direction to look for, because we are going nuts on this ?
We found some tips in the /var/log/httpd/errors, but nothing seems to provide sufficient infos...
[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin(a)DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
The IPA server and the AD servers are in the same VLan with no firewall between them
samba version on the IPA server is the latest available: 4.9.1-6.el7.noarch
Thanks for your help...
1 year, 3 months
Bizarre behavior (SSO+MFA) asking for credentials on some servers, but with extra "specialness"
by Michael S. Moody
Good evening,
First, thank you, again, for FreeIPA. I know I say it every time I send a
message to the list, but it's magic.
We're running into an interesting situation where some of our hosts are
requesting a first/second factor, even once authenticated.
Essentially, we SSH into a bastion host using MFA (PW+TOTP at the moment).
Once we're in, we're able to pretty reliably SSH to other hosts without
issue. However, we've got a few hosts that prompt for "First Factor/Second
Factor". We're able to authenticate against those hosts if we provide
credentials, but if we logout and log back in, we have to do it again.
Interestingly, there's a host we can SSH to (bastion01 to dev-server02)
which we can then SSH to another (dev-server02 to dev-server01) and not be
prompted for credentials, but if we attempt to authenticate against it
directly from the bastion host, we get prompted (bastion01 to dev-server01).
Similarly, we can hop onto other servers, no issues. I can SSH from a host
to another and then try to SSH again back (a circle) and get prompted
(bastion01 too dev-server02 to dev-server01 to bastion01) and it might
work, or it might not, depending on the host in question. It's the most
bizarre behavior I've ever seen with FreeIPA.
Any guidance that you can provide is appreciated.
Thanks in advance,
Michael S. Moody
1 year, 3 months
Maybe use FreeIPA to manage user certificates for Apache/Nginx access?
by Henery Hawk
I've tinkered with FreeIPA a while ago when I was investigating various ways to control WiFi access but have not been very active lately with it.
I have a new topic that popped up where I need to create user certificates for access to a specific web site hosted behind an Nginx Reverse Proxy.
I have manually created a (forgive my incorrect terms) ca cert and pointed nginx to it and then I created user certs for each user that needs to be granted access. This was done manually using openssh in the pilot phase.
Would FreeIPA be able to do this at scale? I see some chatter about FreeIPA 4.x introducing user certs, but that chatter hasn't specifically covered how to get the master ca cert linked to nginx/apache.
The noob question might be useful for someone doing similar research. I am not mission critical in this investigation, just trying to minimize my manual management of user certs.
Thanks,
Henery Hawk
1 year, 3 months
Centos 6 FreeIPA Client install Error
by Faraz Younus
Hi Team,
I'm trying to add client with hostname abc.example.com on freeip server(
ipa1.idm.example.com) but on centos 7 it works fine.
All ports are allowed and accessible from client side
Can you please share what the exactly problem is and how it can be fixed ?
TASK [Enroll host to FreeIPA]
**************************************************************************************************************************
failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com) =>
{"ansible_loop_var": "item", "changed": false, "cmd":
["ipa-client-install", "-U", "-w", "8ekh0Y", "--mkhomedir", "--hostname", "
sherwin-centos6-test.example.com", "--ntp-server", "169.254.169.123",
"--domain", "idm.example.com", "--realm", "IDM.EXAMPLE.COM", "--server", "
ipa1.idm.example.com"], "delta": "0:00:00.202857", "end": "2020-04-16
10:29:37.411081", "failed_when_result": true, "item": "ipa1.idm.example.com",
"msg": "non-zero return code", "rc": 1, "start": "2020-04-16
10:29:37.208224", "stderr": "LDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the
user.\nLDAP Error: Connect error: TLS error -8172:Peer's certificate issuer
has been marked as not trusted by the user.\nFailed to verify that
ipa1.idm.example.com is an IPA Server.\nThis may mean that the remote
server is not up or is not reachable due to network or firewall
settings.\nPlease make sure the following ports are opened in the firewall
settings:\n TCP: 80, 88, 389\n UDP: 88 (at least one of TCP/UDP
ports 88 has to be open)\nAlso note that following ports are necessary for
ipa-client working properly after enrollment:\n TCP: 464\n UDP:
464, 123 (if NTP enabled)\nInstallation failed. Rolling back changes.\nIPA
client is not configured on this system.", "stderr_lines": ["LDAP Error:
Connect error: TLS error -8172:Peer's certificate issuer has been marked as
not trusted by the user.", "LDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the
user.", "Failed to verify that ipa1.idm.example.com is an IPA Server.",
"This may mean that the remote server is not up or is not reachable due to
network or firewall settings.", "Please make sure the following ports are
opened in the firewall settings:", " TCP: 80, 88, 389", " UDP: 88
(at least one of TCP/UDP ports 88 has to be open)", "Also note that
following ports are necessary for ipa-client working properly after
enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP enabled)",
"Installation failed. Rolling back changes.", "IPA client is not configured
on this system."], "stdout": "\u001b[?1034h", "stdout_lines":
["\u001b[?1034h"]}
1 year, 3 months
