Trying to configure Kerberos-level trust between AD and IPA ('HANDLE_AUTHDATA' error)
by Robert Sturrock
Hi All.
We have an IPA installation in a ‘winsync’ agreement with our AD. We do not (at this stage) want to move this to a full trust, but it would be useful for our users if there were a trust between the two systems at the *Kerberos* level. That way, user desktop TGTs from AD could be used to access Linux servers enrolled in the IPA domain seamlessly, without needing to maintain two separate identities. (We have previously used such a configuration successfully between IPA and a legacy MIT kerberos service).
I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.
Here is what I’m seeing:
(AD domain = ‘STAFF.LOCALREALM'; IPA domain = ‘PALLAS.LOCALREALM')
# Get AD TGT:
Password for rns@STAFF.LOCALREALM: XXXXXXXXX
$ klist
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM
Valid starting Expires Service principal
11/06/20 13:34:19 11/06/20 23:34:19 krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
renew until 12/06/20 13:34:18
# Use AD TGT to get an IPA TGT:
$ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0
$ klist
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM
Valid starting Expires Service principal
11/06/20 13:34:24 11/06/20 23:34:19 krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
renew until 12/06/20 13:34:18
11/06/20 13:34:19 11/06/20 23:34:19 krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
renew until 12/06/20 13:34:18
# Try to fetch an IPA service ticket:
$ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM
Can anyone provide some idea as to what’s going on here and how I resolve this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.
Thanks!
Robert.
3 years, 10 months
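An added illustration, not part of Robert's post: a small Python parser for klist output that classifies cached tickets and follows cross-realm TGTs outward from the home realm, so an administrator can see which hop of a two-realm request has already succeeded. The sample klist text is constructed from the output quoted above. HANDLE_AUTHDATA is the status string the MIT KDC reports when its authorization-data handling fails while issuing a ticket, and the parser confirms that this is the stage reached here: a cross-realm TGT for PALLAS.LOCALREALM is already in the cache, so the AD side of the trust has done its part and the failure is inside the IPA KDC's TGS exchange.

```python
import re

# Constructed sample in the shape of the second klist output quoted in the post
# (archive "(a)" restored to "@"); only the two TGTs are present, no service ticket.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18
11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18
"""

# A ticket row: two timestamps (klist prints them in the locale's date order) and the service principal.
TICKET_RE = re.compile(
    r"^(?P<start>\d[\d/]+ \d\d:\d\d:\d\d)\s+(?P<expires>\d[\d/]+ \d\d:\d\d:\d\d)\s+(?P<sprinc>\S+)$"
)


def split_principal(principal):
    """'krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM' -> ('krbtgt/PALLAS.LOCALREALM', 'STAFF.LOCALREALM')."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def classify(service_principal):
    """('tgt', realm) for a realm's own TGT, ('cross-realm', (issuer, target)) for an
    inter-realm TGT issued by `issuer` for use at `target`, else ('service', realm)."""
    name, issuer = split_principal(service_principal)
    if name.startswith("krbtgt/"):
        target = name[len("krbtgt/"):]
        return ("tgt", issuer) if target == issuer else ("cross-realm", (issuer, target))
    return "service", issuer


def parse_klist(text):
    """Return (default principal, list of ticket dicts); 'renew until' lines attach to the row above."""
    default, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            kind, info = classify(m["sprinc"])
            tickets.append({"start": m["start"], "expires": m["expires"],
                            "service": m["sprinc"], "kind": kind, "info": info})
        elif line.strip().startswith("renew until") and tickets:
            tickets[-1]["renew_until"] = line.strip()[len("renew until"):].strip()
    return default, tickets


def trust_path(default_principal, tickets):
    """Follow cross-realm TGTs outward from the home realm; returns the realms reached, in order."""
    _, home = split_principal(default_principal)
    path = [home]
    while True:
        hop = next((t for t in tickets if t["kind"] == "cross-realm"
                    and t["info"][0] == path[-1] and t["info"][1] not in path), None)
        if hop is None:
            return path
        path.append(hop["info"][1])


def tgt_for_realm(tickets, realm):
    """The cached ticket presentable to REALM's KDC: its own TGT or a cross-realm TGT into it."""
    for t in tickets:
        if (t["kind"] == "tgt" and t["info"] == realm) or (t["kind"] == "cross-realm" and t["info"][1] == realm):
            return t
    return None


def diagnose(text, wanted_service):
    """Say how far a request for WANTED_SERVICE has got, judging from what is in the cache."""
    _, tickets = parse_klist(text)
    _, realm = split_principal(wanted_service)
    if any(t["service"] == wanted_service for t in tickets):
        return "service ticket already cached"
    tgt = tgt_for_realm(tickets, realm)
    if tgt is None:
        return f"no TGT usable for realm {realm}: the cross-realm hop was never obtained"
    return f"TGT for {realm} present ({tgt['service']}): the failure is in the TGS exchange with the {realm} KDC"


if __name__ == "__main__":
    default, tickets = parse_klist(SAMPLE_KLIST)
    print("trust path:", " -> ".join(trust_path(default, tickets)))
    print(diagnose(SAMPLE_KLIST, "host/palladium1.localdomain@PALLAS.LOCALREALM"))
```

Feed it `klist` output from the client in question; the same classification is useful on the defensive side, since a cross-realm TGT into a realm the user should have no business in is visible in the cache in exactly this form.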
FreeIPA 4.8.7 released
by Alexander Bokovoy
The FreeIPA team would like to announce FreeIPA 4.8.7 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.8.7
* 3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a
machine-readable (JSON) format, or send email notifications to these
users. EPN provides command-line options to display the list of
affected users. This provides data introspection and helps
understand how many emails would be sent for a given day, or a given
date range. The command-line options can also be used by a
monitoring system to alert whenever a number of emails over the SMTP
quota would be sent. EPN is meant to be launched once a day from an
IPA client (preferred) or replica from a systemd timer. EPN does not
keep state: the list of affected users is built at runtime but never
kept.
* 3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) parameters can be edited in Web UI
* 6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod
group-name --rename new-name'. Protected hostgroups ('ipaservers')
cannot be renamed.
* 7577: [RFE] DNS package check should be called earlier in installation
routine
The ``--setup-dns`` knob and interactive installer now both check
for the presence of freeipa-server-dns early and abort the installer
with an error before starting actual deployment.
* 7695: ipa service-del should display principal name instead of Invalid
'principal'.
When deleting services, report exact name of a system required
principal that couldn't be deleted.
* 8106: ca-certificate file not being parsed correctly on Ubuntu with
p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms update-ca-certificates does not support
multiple certificates in a single file. IPA installers now write
individual files per each certificate for Debian-based platforms.
* 8217: RFE: ipa-backup should compare locally and globally installed
server roles
ipa-backup now checks whether the local replica's roles match those
used in the cluster and exits with a warning if this is not the case,
as backups taken on this host would not be sufficient for a proper
restore. FreeIPA administrators are advised to double check whether
the host on which backups are run has all the necessary (used) roles.
* 8222: Upgrade dojo.js
Version of dojo.js framework used by FreeIPA Web UI was upgraded to
1.16.2.
* 8268: Prevent use of too long passwords
Kerberos tools limit the password entered in the kpasswd or kadmin tools to
1024 characters but do not allow distinguishing between passwords
cut off at 1024 characters and passwords with 1024 characters. Thus,
a limit of 1000 characters is now applied everywhere in FreeIPA.
* 8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit
system accounts with krbPrincipalAux object class. This allows
system accounts to have a keytab that does not expire. The "Default
System Accounts Password Policy" has a minimum password length in
case the password is directly modified with LDAP.
* 8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to
3.4.1.
* 8289: ipa servicedelegationtarget-add-member does not allow to add
hosts as targets
Service delegation rules and targets now allow specifying hosts as a
rule or a target's member principal.
* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal
alias
Memory handling in various FreeIPA KDC functions was improved,
preventing potential crashes when looking up machine account aliases
for Windows machines.
* 8301: The value of the first character in target* keywords is expected
to be a double quote
389-ds 1.4 enforces syntax for target* keywords (targetattr,
targetfilter, etc) to have quoted attributes. Otherwise the aci that
contains unquoted parameters is ignored. Default FreeIPA access
controls were fixed to follow 389-ds syntax. Any third-party ACIs
need to be updated manually.
* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises
warnings
389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP
binds. FreeIPA now disables this feature because changing password
hash in FreeIPA is not allowed by the internal plugins that
synchronize password hashes between LDAP and Kerberos.
* 8322: [RFE] Changing default hostgroup is too easy
In Web UI a confirmation dialog was added to automember
configuration to prevent unintended modification of a default host
group.
* 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and
before 3.5.0, passing HTML from untrusted sources - even after
sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(), .append(), and others) may execute untrusted code. FreeIPA
does not allow passing arbitrary code into the affected jQuery path, but
we applied the jQuery fix anyway.
* 8335: [WebUI] manage IPA resources as a user from a trusted Active
Directory domain
When users from trusted Active Directory domains have permissions to
manage IPA resources, they can do so through a Web UI management
console.
* 8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This
makes it possible for 3rd-party plugins to supply a full set of managed
permissions.
* 8357: Allow managing IPA resources as a user from a trusted Active
Directory forest
A 3rd-party plugin to provide management of IPA resources as users
from trusted Active Directory domains was merged into FreeIPA core.
ID user overrides can now be added to IPA management groups and
roles and thus allow AD users to manage IPA.
* 8362: IPA: Ldap authentication failure due to Kerberos principal
expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password
expiration time in UTC time zone. Previously, a local server time
zone was applied even though UTC was implied in the settings.
=== Enhancements
=== Known Issues
=== Bug fixes
FreeIPA 4.8.7 is a stabilization release for the features delivered as a
part of 4.8 version series.
There are more than 70 bug-fixes details of which can be seen in the
list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets
* https://pagure.io/freeipa/issue/3687[#3687](https://bugzilla.redhat.com/s... [RFE] IPA user account expiry warning.
* https://pagure.io/freeipa/issue/3827[#3827] [RFE] Expose TTL in web UI
* https://pagure.io/freeipa/issue/6474[#6474] Remove ipaplatform dependency from ipa modules
* https://pagure.io/freeipa/issue/6783[#6783] (https://bugzilla.redhat.com/show_bug.cgi?id=1430365[rhbz#1430365]) [RFE] Host-group names command rename
* https://pagure.io/freeipa/issue/6857[#6857] ipa_pwd.c: Use OpenSSL instead of NSS for hashing
* https://pagure.io/freeipa/issue/6884[#6884] (https://bugzilla.redhat.com/show_bug.cgi?id=1441262[rhbz#1441262]) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
* https://pagure.io/freeipa/issue/7255[#7255] baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
* https://pagure.io/freeipa/issue/7577[#7577] (https://bugzilla.redhat.com/show_bug.cgi?id=1579296[rhbz#1579296]) [RFE] DNS package check should be called earlier in installation routine
* https://pagure.io/freeipa/issue/7695[#7695] (https://bugzilla.redhat.com/show_bug.cgi?id=1623763[rhbz#1623763]) ipa service-del should display principal name instead of Invalid 'principal'.
* https://pagure.io/freeipa/issue/8017[#8017] (https://bugzilla.redhat.com/show_bug.cgi?id=1817927[rhbz#1817927]) host-add --password logs cleartext userpassword to Apache error log
* https://pagure.io/freeipa/issue/8064[#8064] Request for IPA CI to enable DS audit/auditfail logging
* https://pagure.io/freeipa/issue/8066[#8066] (https://bugzilla.redhat.com/show_bug.cgi?id=1750242[rhbz#1750242]) Don't use -t option to klist in adtrust code when timestamp is not needed
* https://pagure.io/freeipa/issue/8082[#8082] (https://bugzilla.redhat.com/show_bug.cgi?id=1756432[rhbz#1756432]) Default client configuration breaks ssh in FIPS mode.
* https://pagure.io/freeipa/issue/8101[#8101] Wrong pytest requirement in specfile
* https://pagure.io/freeipa/issue/8106[#8106] ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
* https://pagure.io/freeipa/issue/8120[#8120] (https://bugzilla.redhat.com/show_bug.cgi?id=1769791[rhbz#1769791]) Invisible part of notification area in Web UI intercepts clicks of some page elements
* https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new Fedora translation platform
* https://pagure.io/freeipa/issue/8163[#8163] (https://bugzilla.redhat.com/show_bug.cgi?id=1782572[rhbz#1782572]) "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
* https://pagure.io/freeipa/issue/8164[#8164] (https://bugzilla.redhat.com/show_bug.cgi?id=1788907[rhbz#1788907]) Renewed certs are not picked up by IPA CAs
* https://pagure.io/freeipa/issue/8186[#8186] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
* https://pagure.io/freeipa/issue/8217[#8217] (https://bugzilla.redhat.com/show_bug.cgi?id=1810154[rhbz#1810154]) RFE: ipa-backup should compare locally and globally installed server roles
* https://pagure.io/freeipa/issue/8222[#8222] Upgrade dojo.js
* https://pagure.io/freeipa/issue/8247[#8247] test_fips PR-CI templates have a too-short timeout
* https://pagure.io/freeipa/issue/8251[#8251] [Azure] Catch coredumps
* https://pagure.io/freeipa/issue/8254[#8254] [Azure] 'Tox' task fails against Python3.8
* https://pagure.io/freeipa/issue/8261[#8261] [ipatests] Integration tests fail on non-firewalld distros
* https://pagure.io/freeipa/issue/8262[#8262] test_ipahealthcheck needs a higher timeout than 3600
* https://pagure.io/freeipa/issue/8264[#8264] Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
* https://pagure.io/freeipa/issue/8265[#8265] [ipatests] `/var/log/ipaupgrade.log` is not collected
* https://pagure.io/freeipa/issue/8266[#8266] test_webui_server requires a higher timeout than 3600
* https://pagure.io/freeipa/issue/8268[#8268] Prevent use of too long passwords
* https://pagure.io/freeipa/issue/8272[#8272] Use /run instead of /var/run
* https://pagure.io/freeipa/issue/8273[#8273] (https://bugzilla.redhat.com/show_bug.cgi?id=1834385[rhbz#1834385]) Man page syntax issue detected by rpminspect
* https://pagure.io/freeipa/issue/8276[#8276] Add default password policy for sysaccounts
* https://pagure.io/freeipa/issue/8283[#8283] Failures and AVCs with OpenDNSSEC 2.1
* https://pagure.io/freeipa/issue/8284[#8284] Upgrade jQuery version to actual one
* https://pagure.io/freeipa/issue/8287[#8287] named not starting after #8079, ipa-ext.conf breaks bind
* https://pagure.io/freeipa/issue/8289[#8289] ipa servicedelegationtarget-add-member does not allow to add hosts as targets
* https://pagure.io/freeipa/issue/8290[#8290] API inconsistencies
* https://pagure.io/freeipa/issue/8291[#8291] krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
* https://pagure.io/freeipa/issue/8297[#8297] Fix new pylint 2.5.0 warnings and errors
* https://pagure.io/freeipa/issue/8298[#8298] [WebUI] Cover membership management with UI tests
* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with python3-rjsmin
* https://pagure.io/freeipa/issue/8301[#8301] The value of the first character in target* keywords is expected to be a double quote
* https://pagure.io/freeipa/issue/8306[#8306] Adopt Black code style
* https://pagure.io/freeipa/issue/8307[#8307] make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
* https://pagure.io/freeipa/issue/8308[#8308] (https://bugzilla.redhat.com/show_bug.cgi?id=1829787[rhbz#1829787]) ipa service-del deletes the required principal when specified in lower/upper case
* https://pagure.io/freeipa/issue/8309[#8309] Convert ipaplatform from namespace package to regular package
* https://pagure.io/freeipa/issue/8311[#8311] (https://bugzilla.redhat.com/show_bug.cgi?id=1825829[rhbz#1825829]) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
* https://pagure.io/freeipa/issue/8312[#8312] Fix api.env.in_tree detection logic
* https://pagure.io/freeipa/issue/8313[#8313] Values of api.env.mode are inconsistent
* https://pagure.io/freeipa/issue/8315[#8315] (https://bugzilla.redhat.com/show_bug.cgi?id=1833266[rhbz#1833266]) [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
* https://pagure.io/freeipa/issue/8316[#8316] [Azure] Whitelist clock_adjtime syscall
* https://pagure.io/freeipa/issue/8317[#8317] XML-RCP and CLI tests depend on internal --force option
* https://pagure.io/freeipa/issue/8319[#8319] Support server referrals for enterprise principals
* https://pagure.io/freeipa/issue/8322[#8322] [RFE] Changing default hostgroup is too easy
* https://pagure.io/freeipa/issue/8323[#8323] [Build failure] Race: make po fails on parallel build
* https://pagure.io/freeipa/issue/8325[#8325] [WebUI] Fix htmlPrefilter issue in jQuery
* https://pagure.io/freeipa/issue/8328[#8328] krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
* https://pagure.io/freeipa/issue/8330[#8330] [Azure] Build job fails on `tests` container preparation
* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA resources as a user from a trusted Active Directory domain
* https://pagure.io/freeipa/issue/8338[#8338] [WebUI] Host detail with no assigned ID view makes invalid RPC call
* https://pagure.io/freeipa/issue/8339[#8339] [WebUI] User details tab headers don't show member count when on settings tab
* https://pagure.io/freeipa/issue/8348[#8348] Allow managed permissions with ldap:///self bind rule
* https://pagure.io/freeipa/issue/8349[#8349] bind-9.16 and dnssec-enable
* https://pagure.io/freeipa/issue/8350[#8350] bind-9.16 and DLV
* https://pagure.io/freeipa/issue/8352[#8352] RPC API crashes when a user is disabled while a session exists
* https://pagure.io/freeipa/issue/8357[#8357] Allow managing IPA resources as a user from a trusted Active Directory forest
* https://pagure.io/freeipa/issue/8358[#8358] TTL of DNS record can be set to negative value
* https://pagure.io/freeipa/issue/8359[#8359] [WebUI] dnsrecord_mod results in JS error
* https://pagure.io/freeipa/issue/8362[#8362] (https://bugzilla.redhat.com/show_bug.cgi?id=1826659[rhbz#1826659]) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
* https://pagure.io/freeipa/issue/8363[#8363] DNS config upgrade code fails
== Detailed changelog since 4.8.6
Detailed changelog can be found at https://www.freeipa.org/page/Releases/4.8.7
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 10 months
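The 8301 item in the release notes above says that 389-ds 1.4 silently ignores an ACI whose target* keyword value is not double-quoted, and that third-party ACIs have to be corrected by hand. As an added example, not FreeIPA's or 389-ds's code, the Python below scans an LDIF export for `aci` values and reports every target keyword whose value is not a quoted string; SAMPLE_LDIF is constructed and the keyword list is the set of 389-ds ACI target keywords (target, targetattr, targetfilter, targetattrfilters, targetscope, targetcontrol, extop).

```python
import re

# Constructed LDIF sample: one ACI in the quoted form 389-ds 1.4 requires and one in the
# unquoted form that 389-ds 1.4 ignores. Continuation lines start with a single space.
SAMPLE_LDIF = """\
dn: cn=accounts,dc=example,dc=test
aci: (targetattr = "cn || sn")(version 3.0; acl "read names"; allow (read)
  userdn = "ldap:///all";)
aci: (targetattr = cn)(targetfilter = (objectclass=person))(version 3.0;
  acl "legacy"; allow (read) userdn = "ldap:///all";)
"""

# "(keyword = " or "(keyword != " at the start of a target clause; longest keywords first.
TARGET_RE = re.compile(
    r"\(\s*(?P<kw>targetattrfilters|targetattr|targetfilter|targetscope|targetcontrol|target|extop)"
    r"\s*(?P<op>!?=)\s*",
    re.IGNORECASE,
)


def check_aci(aci):
    """Return a list of problems for target* keywords whose value is not a double-quoted string."""
    problems = []
    for m in TARGET_RE.finditer(aci):
        kw, pos = m["kw"].lower(), m.end()
        if pos >= len(aci) or aci[pos] != '"':
            problems.append(f"{kw}: value must start with a double quote (got {aci[pos:pos + 12]!r})")
            continue
        end = aci.find('"', pos + 1)
        if end == -1:
            problems.append(f"{kw}: unterminated quoted value")
            continue
        if not aci[end + 1:].lstrip().startswith(")"):
            problems.append(f"{kw}: text after the closing quote")
    return problems


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) back onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def scan_ldif(text):
    """Map each DN to the problems found in its aci values; DNs whose ACIs are all valid are omitted."""
    report, dn = {}, None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("aci: ") and dn is not None:
            problems = check_aci(line[5:])
            if problems:
                report.setdefault(dn, []).extend(problems)
    return report


if __name__ == "__main__":
    for dn, problems in scan_ldif(SAMPLE_LDIF).items():
        for problem in problems:
            print(f"{dn}: {problem}")
```

Run it over an `ldapsearch -LLL -b <suffix> '(aci=*)' aci` export taken before the 389-ds upgrade; an ACI that the checker flags is one that the upgraded server will stop enforcing, which for a deny rule means access silently widens.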
pam_unix(sshd:auth): authentication failure
by lune voo
Hello !
I send you this mail because I have a problem with an SSH connection with
an IPA user (not a local user) on the client hosts.
Here are the versions I used:
- ipa-server : ipa-server-4.6.6-11.el7.x86_64
- ipa-client : ipa-client-4.4.0-12.el7.x86_64
My nodes are on RHEL7.
When I try to connect from myhost with myuser on the remote host
myremotehost, I have the following error:
###
# ssh myuser@myremotehost
myuser@myremotehost's password:
Permission denied, please try again.
myuser@myremotehost's password:
###
In the /var/log/secure log, I can see the following lines which appear when
I try my SSH connection.
###
Jun 9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250 on myremotehostip port 22
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 126: Deprecated option RSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 129: Deprecated option RhostsRSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun 9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=myuser
Jun 9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from myip port 62250 ssh2
###
The kinit with this password is OK.
A "su - myuser" is OK with this password.
I don't understand why the ssh connection is not working.
/etc/host.allow is configured to allow me to connect with sshd from myip
and myhost to this host.
In /etc/ssh/sshd_config, the AllowGroup line is good. myuser belongs to the
right group in AllowGroup.
Here is the command used to join the realm on myremotehost :
###
ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary --server=IPASERVER1 --server=IPASERVER2 --principal=admin --password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh --no-sshd
###
Does the problem come from --no-ssh or --no-sshd ? How can I solve this
problem without launching this command again ?
Best regards.
Lune
3 years, 10 months
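An added example, not part of Lune's post: Python that groups sshd lines from /var/log/secure by process id (one pid per connection attempt) and records which PAM modules made a decision before sshd logged the outcome. pam_unix rejects any user whose password hash is not in the local shadow file, so the pam_unix line by itself is expected for an IPA user; the thing to look for is whether a pam_sss line follows it. SAMPLE_SECURE is constructed in the shape of the excerpt above, with a second, made-up connection (pid 9801) in which pam_sss accepted the password for contrast; the IP addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: pid 9778 mirrors the post (rejected key, pam_unix failure, no pam_sss
# line, password rejected); pid 9801 is a made-up successful login through pam_sss.
SAMPLE_SECURE = """\
Jun  9 19:27:15 myremotehost sshd[9778]: Connection from 192.0.2.10 port 62250 on 192.0.2.20 port 22
Jun  9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from 192.0.2.10 port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun  9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=myuser
Jun  9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from 192.0.2.10 port 62250 ssh2
Jun  9 19:30:01 myremotehost sshd[9801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=myuser
Jun  9 19:30:02 myremotehost sshd[9801]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=myuser
Jun  9 19:30:02 myremotehost sshd[9801]: Accepted password for myuser from 192.0.2.10 port 62300 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\): authentication (?P<result>\w+);.*?\brhost=(?P<rhost>\S*) user=(?P<user>\S+)")
OUTCOME_RE = re.compile(r"^(?P<verdict>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def sessions_by_pid(text):
    """Collect the messages of each sshd process; a pid is one connection attempt."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[int(m["pid"])].append(m["msg"])
    return by_pid


def summarize(messages):
    """Reduce one connection's messages to who tried, which PAM modules decided, and the outcome."""
    s = {"user": None, "ip": None, "pam": [], "methods": {}}
    for msg in messages:
        pm = PAM_RE.match(msg)
        if pm:
            s["pam"].append((pm["module"], pm["result"]))
            s["user"] = s["user"] or pm["user"]
            continue
        om = OUTCOME_RE.match(msg)
        if om:
            s["user"], s["ip"] = om["user"], om["ip"]
            s["methods"][om["method"]] = om["verdict"]
    modules = {module for module, _ in s["pam"]}
    if s["methods"].get("password") == "Failed" and "pam_sss" not in modules:
        s["finding"] = ("password rejected with no pam_sss decision logged: "
                        "check that pam_sss is in the sshd PAM stack and that sshd has UsePAM yes")
    elif s["methods"].get("password") == "Failed":
        s["finding"] = "password rejected by pam_sss too: check the account on the IPA server and the sssd logs"
    else:
        s["finding"] = "ok"
    return s


def report(text):
    """pid -> summary for every sshd connection in the log text."""
    return {pid: summarize(msgs) for pid, msgs in sessions_by_pid(text).items()}


if __name__ == "__main__":
    for pid, s in report(SAMPLE_SECURE).items():
        print(f"sshd[{pid}] user={s['user']} from={s['ip']} pam={s['pam']} -> {s['finding']}")
```

The same grouping is what a detection rule over /var/log/secure needs anyway: repeated `Failed password` outcomes from one source IP across many pids, rather than one pam_unix line, is the signal to alert on.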
Question about Single Label Domains Support
by tom smith
I am running RHEL 7.9 beta with ipa-server-4.6.8-2.el7.x86_64. I tried to install ipa server and I received the error message "ipapython.admintool: ERROR Invalid domain name: single label domains are not supported". I am trying to use the domain name idm.my.windows.domain.local. (The "my.windows.domain" part I made up for this post.) If I'm understanding the error message correctly I can't use the ".local" domain at the end of the domain name. The reason is because ".local" is not a real top level domain. Is this correct? Is there any workaround for this?
3 years, 10 months
ipa-healthcheck with fresh replica
by Jochen Kellner
Hi,
I've been running IPA on CentOS 7 for some time on two servers with
integrated CA. With the release of CentOS 8.1 I tried upgrading with a
second replica - but scrapped that due to the problem with the wrong
samba libraries linked. Since no fix is in sight I thought about
migrating to Fedora 32 instead - which I've started yesterday.
Topology:
freeipa1 + freeipa2: CentOS Linux release 7.8.2003 (Core) (upgrade from
older CentOS 7 releases)
DNS, CA, KRA, AD trust
freeipa1 is CA renewal master
freeipa3: current Fedora 32 with the same services, ipa-replica-install
has chosen freeipa2 to replicate from. I've manually added an additional
replica agreement between freeipa1 and freeipa3.
WebUI works, ipactl status is RUNNING, I get kerberos tickets, so I
guess we are most likely ok. Replication is also fine.
Before I start decommissioning freeipa2 I checked ipa-healthcheck:
$ ipa-healthcheck --output-type human --failures-only
ERROR: pki.server.healthcheck.meta.csconfig.DogtagCertsConfigCheck.kra_transport: Certificate 'transportCert cert-pki-kra' does not match the value of kra.transport.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
ERROR: pki.server.healthcheck.meta.csconfig.DogtagCertsConfigCheck.kra_storage: Certificate 'storageCert cert-pki-kra' does not match the value of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
ERROR: pki.server.healthcheck.meta.csconfig.DogtagCertsConfigCheck.kra_audit_signing: Certificate 'auditSigningCert cert-pki-kra' does not match the value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConfigCheck.transportCert cert-pki-kra: Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
WARNING: ipahealthcheck.ipa.dna.IPADNARangeCheck: No DNA range defined. If no masters define a range then users and groups cannot be created.
The warning is ok and I know how to deal with that. But for the errors
my expectation was that I shouldn't get any certificate errors on a new
replica. I've checked the certs/log (here for transportCert only):
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=-----BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIED/0AUjANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApK
...
LjQX6mD/oR3hZnmE920+ABhk8QcJaRoi
-----END CERTIFICATE-----
And:
kra.transport.cert=
MIIDdDCCAlygAwIBAgIED/wABTANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApK
T0NIRU4uT1JHMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcx
^first diff
[other changes...]
Some lines identical
[more differences].
So, ipa-healthcheck seems to be right. What's the best way to fix it? And
why is a fresh replica not clean?
Thanks for your help,
Jochen
--
This space is intentionally left blank.
3 years, 10 months
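An added example, not from Jochen's post and not part of ipa-healthcheck: Python that takes the certutil PEM output and the CS.cfg value, decodes both to DER, and reads the X.509 serial number with a minimal DER walker, so the mismatch can be reported as "two different certificates" rather than as a byte diff. The inputs are the first base64 line of each value quoted above; a serial sits within the first twenty bytes of a certificate, so those truncated prefixes are enough for this comparison (fingerprints or dates would need the complete values).

```python
import base64
import re

# The first base64 line of each value quoted in the post: certutil -a output from the NSS
# database, and the kra.transport.cert line from CS.cfg. Both are truncated after 48 bytes.
NSS_PEM_PREFIX = """\
-----BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIED/0AUjANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApK
"""
CSCFG_PREFIX = "kra.transport.cert=MIIDdDCCAlygAwIBAgIED/wABTANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApK"

KEY_VALUE_RE = re.compile(r"^[a-z][\w.]*=")   # a CS.cfg "key=" prefix (base64 never starts lowercase)


def to_der(text):
    """Accept certutil -a output (PEM) or a CS.cfg 'key=base64' line; return the DER bytes."""
    text = text.strip()
    m = KEY_VALUE_RE.match(text)
    if m:
        text = text[m.end():]
    b64 = re.sub(r"-----[A-Z ]+-----|\s+", "", text)
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it).
    A truncated buffer simply yields a short value, which is fine for reading leading fields."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der):
    """Walk Certificate -> TBSCertificate -> [0] version (optional) -> serialNumber; return it as an int."""
    _, cert, _ = der_tlv(der, 0)
    _, tbs, _ = der_tlv(cert, 0)
    tag, value, pos = der_tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version present (v2/v3 certificates)
        tag, value, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big")


def compare(nss_text, cfg_text):
    """Report whether the NSS DB certificate and the CS.cfg value are the same certificate."""
    a, b = to_der(nss_text), to_der(cfg_text)
    first_diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    if first_diff is None and len(a) != len(b):
        first_diff = min(len(a), len(b))
    return {
        "match": first_diff is None,
        "nss_serial": f"0x{cert_serial(a):x}",
        "cfg_serial": f"0x{cert_serial(b):x}",
        "first_diff_offset": first_diff,
    }


if __name__ == "__main__":
    print(compare(NSS_PEM_PREFIX, CSCFG_PREFIX))
```

On the quoted data the serials are 0x0ffd0052 in the NSS database and 0x0ffc0005 in CS.cfg, and the first differing byte is at offset 16, inside the serial: the KRA configuration references a different certificate (most likely an earlier issuance of the same transport key) than the one stored in the NSS database, which is exactly what the healthcheck reports.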
Trust controllers vs. trust agents
by Ronald Wimmer
After an IPA upgrade all of my 8 IPA servers are trust controllers.
Before the upgrade only half of them were trust controllers. The other
half were trust agents.
In my opinion not all of them have to be trust controllers. Is it safe
to remove the controller role on 4 of the 8 servers? If yes, how would I
do that without breaking anything?
Cheers,
Ronald
3 years, 10 months
Java SIGABRT on PKI spawn process installation step
by David Sastre
Hello,
Although I'm aware that there's no official support for RPi4B on Fedora as of today,
I've been playing with the mostly functional Fedora Server Minimal and ansible-freeipa.
The installation process is failing for me at the PKI spawn step due to Java hitting a SIGSEGV
on JNI code, then generating a core dump.
I have opened a BZ[1] with more details and a couple of attachments.
So in addition to this being mostly a FYI, I'd like to hear from other
users' experience, in case I'm not the first having this problem.
Thanks!
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1844875
3 years, 10 months
FreeIPA: replacing expired SSL (like "AddTrust External CA Root")
by John Burns
Greetings. Like many, I had to track down and remove certs that expired on May 30. I inherited a freeIPA cluster of 3 machines, and have been working on the first. But I am having problems obtaining and applying replacement certs. Here is the scenario:
* In March 2019, a senior engineer applied a chain of certs. He was transitioning from self-signed certs to valid external certs. This included a CAroot and two intermediates. His final concerns were "AddTrustExternalCARoot" and "USERTrustRSAAddTrustCA", and an item from inCommon.
* On May 30, the CAroot and one intermediate ("USERTrust") expired. He seemed to have approached a vendor directly for those, but that vendor would not confirm because I am not on their contact list. I had to seek replacements from a school department. (They do not provide support for end-uses like freeIPA.)
* This week, I have been trying to find and remove the SSL certs from the first of the freeIPA systems. I believe I removed them all (using certutil and ldapdelete)
* I have been trying to install certs provided by that department. During the time the expired certs were lingering in some places, I was able to run ipa-certupdate after a "ipa-cacert-manage install" attempt. However, now, after my removal of expired items, I get error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)"
* The three items provided by the other department don't seem to work. I had taken the steps below.
- Since I'm using freeIPA, and prior instructions denoted .crt, I convert each with:
openssl x509 -inform PEM -in <certname>.cer -out <certname>.crt
- I had tried to use each option separately: 1) "Certificate only, PEM encoded", 2) "Root/Intermediate(s) only, PEM encoded", and 3) "Intermediate(s)/Root only, PEM encoded" Results were:
ipa-cacert-manage install succeeded against #2
ipa-cacert-manage install failed against #3 "Peer's Certificate issuer is not recognized."
ipa-server-certinstall failed against #1, "The full certificate chain is not present in <freeipa_server>.crt, <freeipa_server>.crt.key"
- I then tried to substitute another option later in email, "Certificate (w/ chain), PEM encoded." Result was:
ipa-server-certinstall failed, "No matching certificate found for private key from <freeipa_server>.crt.key"
Is it possible the certs provided were incomplete, and that I need to track down something somewhere? Or did I misinterpret the use of what was provided? Is there a missing piece to consider? I appreciate any leads.
3 years, 10 months
AddTrust CA expiration
by Peter Lewis
On May 30, 2020, the AddTrust CA expired as a CA. I'll get to the IPA issue after a bit of background in case everyone is not familiar. The external certs we're using are from InCommon and were cross signed by AddTrust and when we originally got the certs, the trust A path was below:
AddTrust Ext CA -> UserTrust CA (intermediate) -> InCommon CA (Intermediate) -> server_cert
The B path which should have worked was:
UserTrust CA (Root) -> InCommon CA (Intermediate) -> server_cert
How OpenSSL is supposed to work is after path A expires, it's supposed to use path B. Unfortunately for OpenSSL and OpenLDAP in CENTOS/RHEL 7 and older there is a bug and that does not happen and will not attempt path B. See bugzilla for more information: https://bugzilla.redhat.com/show_bug.cgi?id=1840767
The only way I could get them to walk to path B was to remove the AddTrust CA from all openssl certificate stores. Also, blacklisting doesn't work either as it just made the certs as self-signed.
Fortunately there is a path C that we can deploy and force that trust path:
Comodo AAA Certificate (Root) -> UserTrust CA (Intermediate) -> InCommon CA (Intermediate) -> server_cert
This is also the cert bundle now provided by InCommon.
The main issue here is when openssl "builds" the extracted certificates, it adds in the CA's from both /etc/ipa/ca.crt and from katello-ca.crt. We've been able to update the katello and push out that as an RPM, we're having issues with the ca distributed by IDM.
====== actual issue with IPA ===============
Post May 30, we could no longer log into IPA. We'd attempted to follow the process for "updating" the certificate. That didn't work. We did an install as we did end up adding a new signed server certificate. That didn't update the Root or the Intermediate CAs. So I went in with a hammer and manually removed the offending AddTrust cert chain A from the following NSSDB files:
/etc/httpd/alias
/etc/pki/pki-tomcat/alias
/etc/dirsrv/slapd-LIDS-VIRGINIA-EDU
/etc/ipa/nssdb
I also manually cleaned up the /etc/ipa/ca.crt and /etc/pki/ca-trust/source/ipa.p11-kit cert stores.
With the above, I was able to get IPA to restart and we could then log into the console and do all we needed to do. The issue now is that the command "ipa-certupdate" still pulls the old AddTrust cert path and I'm pretty sure it's because it's stored in 389ds.
ldapsearch -x -b dc=dom,dc=example,dc=com "(objectClass=ipaCertificate)" | grep Subject
ipaCertSubject: CN=Certificate Authority,O=DOM.EXAMPLE.COM
ipaCertSubject: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,
ipaCertSubject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Netwo
ipaCertSubject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,
How do I update LDAP without things blowing up (oh we're 3 node clustered as well)?
Or better yet, was there a better way to replace certs?
Our main com.example.com CA is just fine. All the articles/info I could find was replacing that and not the external CA's.
CENTOS/RHEL8 does not have this problem btw. It's fixed in openssl 1.1.1.
3 years, 10 months
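A constructed model, added here and not OpenSSL code or part of Peter's post, of the chain selection behaviour Peter describes (and that John's "full certificate chain is not present" errors above also run into). Certificates are dicts with a subject, issuer and expiry; the builder walks from the server certificate towards a trust anchor, preferring the issuers the server supplied over the trust store, which is the order the post relies on. `first_chain_only` verifies only the first complete chain, the behaviour attributed to RHEL 7's OpenSSL; `try_alternatives` keeps going until a chain verifies, as OpenSSL 1.1.1 does. The names are those used in the post; the dates are illustrative apart from AddTrust's actual 30 May 2020 expiry.

```python
from datetime import date


def cert(subject, issuer, not_after, root=False):
    """A minimal certificate record; root=True marks a self-signed trust anchor."""
    return {"subject": subject, "issuer": issuer, "not_after": not_after, "root": root}


# Constructed model of the chains in the post (leaf first), as sent with the old InCommon bundle.
SERVER_CHAIN = [
    cert("server_cert", "InCommon RSA Server CA", date(2021, 6, 1)),
    cert("InCommon RSA Server CA", "USERTrust RSA CA", date(2024, 10, 5)),
    cert("USERTrust RSA CA", "AddTrust External CA Root", date(2020, 5, 30)),   # cross-signed: path A
]
TRUST_STORE = [
    cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30), root=True),
    cert("USERTrust RSA CA", "USERTrust RSA CA", date(2038, 1, 18), root=True),            # path B anchor
    cert("AAA Certificate Services", "AAA Certificate Services", date(2028, 12, 31), root=True),  # path C anchor
]
NEW_CROSS_CERT = cert("USERTrust RSA CA", "AAA Certificate Services", date(2028, 12, 31))  # current bundle: path C
TODAY = date(2020, 6, 10)


def build_chains(current, untrusted, store, path=()):
    """Depth-first: yield every chain from `current` to a trust anchor. Issuers supplied by the
    server are tried before store entries, so a cross-signed intermediate wins over a root."""
    path = path + (current,)
    if current["root"]:
        yield path
        return
    options = [c for c in untrusted if c["subject"] == current["issuer"] and c not in path]
    options += [c for c in store if c["subject"] == current["issuer"]]
    for candidate in options:
        yield from build_chains(candidate, untrusted, store, path)


def names(chain):
    return [c["subject"] + (" [root]" if c["root"] else "") for c in chain]


def verify(chain, today):
    """Every certificate in the chain must still be valid on `today`."""
    return all(c["not_after"] >= today for c in chain)


def first_chain_only(untrusted, store, today):
    """Models the RHEL7 OpenSSL behaviour described in the post: the first complete chain is the only one verified."""
    for chain in build_chains(untrusted[0], untrusted, store):
        return names(chain) if verify(chain, today) else None
    return None


def try_alternatives(untrusted, store, today):
    """Models OpenSSL 1.1.1: move on to the next complete chain when the current one fails to verify."""
    for chain in build_chains(untrusted[0], untrusted, store):
        if verify(chain, today):
            return names(chain)
    return None


def without(store, subject):
    """The trust store with every entry for `subject` removed (what the post did by hand)."""
    return [c for c in store if c["subject"] != subject]


if __name__ == "__main__":
    print("1.0.2, AddTrust in store:  ", first_chain_only(SERVER_CHAIN, TRUST_STORE, TODAY))
    print("1.1.1, AddTrust in store:  ", try_alternatives(SERVER_CHAIN, TRUST_STORE, TODAY))
    print("1.0.2, AddTrust removed:   ", first_chain_only(SERVER_CHAIN, without(TRUST_STORE, "AddTrust External CA Root"), TODAY))
    print("1.0.2, new bundle (path C):", first_chain_only(SERVER_CHAIN[:2] + [NEW_CROSS_CERT], TRUST_STORE, TODAY))
```

The four runs reproduce the post: with the expired AddTrust root present, the first-chain builder fails while the alternatives builder settles on path B; removing AddTrust from the store makes path A incomplete, so even the first-chain builder backs up to the USERTrust root; and shipping the AAA-signed cross certificate makes path C the first chain found, which is why the new InCommon bundle works on either OpenSSL.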