Kerberos realm trusting ipa realm
by Gerald Vogt
Hi!
I am trying to get a kerberos realm to trust the ipa realm. I'm running ipa-server-4.6.6-11.el7 on a CentOS 7. It uses realm IPA.EXAMPLE.COM.
I have another KDC on another CentOS 7 which has another realm KRB.EXAMPLE.COM with a legacy service connected.
Now I would like all users of my IPA realm to use that legacy service. Thus I need the KRB realm to trust the IPA realm. I don't need the IPA realm to trust the KRB realm.
For the KRB KDC I have no problem adding the necessary krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM principal with a password.
However, everything I find about adding it to the IPA Kerberos involves kadmin.local which seems not to be supported anymore:
kadmin.local: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory while initializing kadmin.local interface
How do I add this principal correctly to my IPA kerberos? Is it possible?
Thx.
3 years, 8 months
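Added example (not code from the post or from FreeIPA): once krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM exists in both KDCs with the same key, the check from a client is to kinit as an IPA user, kvno a service in the legacy realm, and confirm that klist now shows that cross-realm TGT next to the service ticket. The functions below parse MIT klist output and report exactly that, including the case where only the opposite-direction TGT (krbtgt/IPA.EXAMPLE.COM@KRB.EXAMPLE.COM) is present. The sample klist output is constructed; the service name legacy/app.krb.example.com is an assumption.

```python
"""Client-side check of the IPA -> KRB cross-realm path.

Added example; not code from the original post or from FreeIPA.
"""
import re
import subprocess

IPA_REALM = "IPA.EXAMPLE.COM"      # users live here (from the post)
LEGACY_REALM = "KRB.EXAMPLE.COM"   # legacy service lives here (from the post)

# Constructed sample: what a healthy cache looks like after
#   kinit alice@IPA.EXAMPLE.COM
#   kvno legacy/app.krb.example.com@KRB.EXAMPLE.COM   (service name assumed)
SAMPLE_KLIST = """\
Ticket cache: KCM:1000
Default principal: alice@IPA.EXAMPLE.COM

Valid starting       Expires              Service principal
06/21/2020 10:00:00  06/21/2020 20:00:00  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
\trenew until 06/28/2020 10:00:00
06/21/2020 10:00:05  06/21/2020 20:00:00  krbtgt/KRB.EXAMPLE.COM@IPA.EXAMPLE.COM
06/21/2020 10:00:05  06/21/2020 20:00:00  legacy/app.krb.example.com@KRB.EXAMPLE.COM
"""

# A ticket line: two "date time" columns followed by a principal carrying a realm.
_TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+@\S+)\s*$")


def parse_principal(principal):
    """'name/instance@REALM' -> (name, instance or None, REALM)."""
    name, at, realm = principal.rpartition("@")
    if not at or not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    primary, _, instance = name.partition("/")
    return primary, (instance or None), realm


def parse_klist(text):
    """Return (default principal, [service principals]) from klist output."""
    default, services = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            services.append(m.group(3))
    return default, services


def check_cross_realm(text, client_realm=IPA_REALM, service_realm=LEGACY_REALM):
    """Summarise whether the cache proves the one-way trust works."""
    default, services = parse_klist(text)
    report = {"client_realm_ok": False, "cross_realm_tgt": False,
              "reverse_tgt": False, "service_tickets": []}
    if default:
        report["client_realm_ok"] = parse_principal(default)[2] == client_realm
    for svc in services:
        primary, instance, realm = parse_principal(svc)
        if primary == "krbtgt":
            # Issued by the client's own KDC for the foreign realm: the trust we want.
            if instance == service_realm and realm == client_realm:
                report["cross_realm_tgt"] = True
            # Issued by the foreign KDC for the client realm: the opposite direction,
            # which the post explicitly does not need.
            elif instance == client_realm and realm == service_realm:
                report["reverse_tgt"] = True
        elif realm == service_realm:
            report["service_tickets"].append(svc)
    return report


if __name__ == "__main__":
    # On a real client run kinit and kvno first, then inspect the cache.
    out = subprocess.run(["klist"], capture_output=True, text=True, check=True).stdout
    print(check_cross_realm(out))
```

If cross_realm_tgt is true but the legacy host still rejects the IPA user, the trust itself is fine and the remaining problem is the host's mapping of foreign principals to local accounts (auth_to_local in krb5.conf or a .k5login), which is a separate setting from the krbtgt principal.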
Providing service level access without granting sudo access
by Saurabh Garg
Hi All,
We have a requirement where we need to give a user access to stop and start a service like tomcat8 without giving sudo access on that machine.
I tried adding the tomcat8 service (running on an Ubuntu host) on the IdM server using the "ipa service-add" command. Later, when I tried creating an HBAC policy to give a user access to that service, it doesn't show up. Is there any other way of providing service-level access to a user on Red Hat IdM?
Please advise.
Thanks,
Saurabh Garg
3 years, 8 months
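Added example (not code from the post or from the FreeIPA project): HBAC rules decide whether a user may log in to a host through a PAM service; they have no notion of "may run this command", which is why a service created with ipa service-add never appears as an HBAC target. The IPA-native way to let one user start and stop one unit without handing out general root is a sudo rule whose allowed commands are exactly the systemctl invocations for that unit. The block below creates those objects through the public ipalib API (api.Command.<name>(...)); the user tomcatop, the host app1.example.com and the path /bin/systemctl are placeholders (check the path with `command -v systemctl` on the Ubuntu host).

```python
"""Scoped service control via a FreeIPA sudo rule.

Added example; not code from the original post or from FreeIPA.
"""
try:
    from ipalib import api, errors          # present on IPA clients and servers
except ImportError:                          # keeps the module importable elsewhere
    api, errors = None, None

SERVICE = "tomcat8"
# One exact command line per allowed action: no wildcards, no shell.
COMMANDS = [
    "/bin/systemctl start %s" % SERVICE,
    "/bin/systemctl stop %s" % SERVICE,
    "/bin/systemctl restart %s" % SERVICE,
]


def _is_duplicate(exc):
    """True when IPA reports the object already exists (re-runs are harmless)."""
    return errors is not None and isinstance(exc, errors.DuplicateEntry)


def build_service_control_rule(ipa_api, user, host, rule_name="tomcat8_control"):
    """Create the sudocmd and sudorule objects for `user` on `host` and return
    the list of (command_name, args, options) issued, in order."""
    issued = []

    def call(name, *args, **options):
        issued.append((name, args, options))
        return ipa_api.Command[name](*args, **options)

    # 1. A sudocmd object per allowed invocation.
    for cmd in COMMANDS:
        try:
            call("sudocmd_add", cmd)
        except Exception as exc:
            if not _is_duplicate(exc):
                raise
    # 2. The rule, bound to exactly one user and one host.
    try:
        call("sudorule_add", rule_name, description="start/stop %s only" % SERVICE)
    except Exception as exc:
        if not _is_duplicate(exc):
            raise
    call("sudorule_add_user", rule_name, user=[user])
    call("sudorule_add_host", rule_name, host=[host])
    # 3. The allowed commands and the identity to run them as, stated explicitly.
    call("sudorule_add_allow_command", rule_name, sudocmd=COMMANDS)
    call("sudorule_add_runasuser", rule_name, user=["root"])
    return issued


def expected_sudoers_line(user, host):
    """The rule expressed in sudoers syntax, for review and change records."""
    return "%s %s = (root) %s" % (user, host, ", ".join(COMMANDS))


if __name__ == "__main__":
    api.bootstrap_with_global_options(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    for name, args, options in build_service_control_rule(api, "tomcatop", "app1.example.com"):
        print(name, args, options)
    print(expected_sudoers_line("tomcatop", "app1.example.com"))
```

The rule only reaches the Ubuntu host if SSSD's sudo integration is on there (sudo_provider = ipa in sssd.conf and sss in the sudoers line of nsswitch.conf); `sudo -l` as the user shows what arrived. The user is still typing sudo, but the only commands root will run on their behalf are the three listed.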
idm user access write issue
by Kannappan M
Hi All,
I have granted a bunch of users access to a list of servers. On 3 out of 4 servers all the users are able to touch files once they log in; on one server alone I am able to switch to the user but not able to touch any files, getting the message "permission denied".
Regards
Kanna
3 years, 8 months
Re: Last FreeIPA master is failing
by Ricardo Mendes
Hi all,
Came around to post the definitive fix for my problem; don't know if it will help anyone since it was all a mess.
As mentioned previously:
> There's the expected "slapd-DOMAIN-IO" but I also have a "try_ca_renew-slapd-DOMAIN-IO" dir dated from 8 of June that resembles a copy of "slapd-DOMAIN-IO" so I was wondering if between one and other maybe copying some files would work?
So I did this; then the error that I got in pki-tomcat/ca/debug was the old message of peer certificate expired.
So, since I had already reverted to self-signed certificates, I issued the ipa-cert-fix command, which failed.
[root@main ~]# ipa-cert-fix
Failed to get Server-Cert
The ipa-cert-fix command failed.
Then I tried the 'ipa-cacert-manage renew' command which completed successfully.
[root@main ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
And then all ipa services were able to start correctly (finally able to leave out both the --skip-version-check and --ignore-service-failure):
[root@main ~]# ipactl restart
IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
3 years, 8 months
write permission to all users in idm server
by Kannappan M
Hi All, I have a problem with write permission for all the users on a particular server alone.
server list
10.1.2.3
10.1.2.4
10.1.2.5
10.1.2.6
users list
sam
kim
alias
moore
In the above users and servers list, all the users are able to access 10.1.2.3, 10.1.2.4 and 10.1.2.5, but none of the users are able to touch any files or folders on 10.1.2.6.
After login to 10.1.2.6, when I run id sam, id kim, id alias or id moore, all the ids are reflected, but none of the users are able to touch the files or folders.
Please guide me to fix the issue.
Regards
Kanna
3 years, 8 months
RADIUS proxy in FreeIPA
by Max Muller
Hi all!
I keep trying to tune my FreeIPA server with FreeRADIUS.
I deployed FreeRADIUS to control authentication on a VPN server and I want to use FreeIPA as a RADIUS proxy (I want to control from FreeIPA which users can use the VPN).
FreeRADIUS and FreeIPA run on one server. I added a RADIUS proxy in FreeIPA, but my RADIUS server does not get requests from the remote client. The test utility "radtest" from this server works fine, though.
What am I doing wrong?
Thanks for reply.
[root@ipa ~]# ipa radiusproxy-find
-----------------------------
1 RADIUS proxy server matched
-----------------------------
RADIUS proxy server name: radius
Server: localhost.localdomain
----------------------------
Number of entries returned 1
----------------------------
3 years, 8 months
Is it normal for ID overrides not to show on an IPA replica with their names?
by Vinícius Ferrão
Hello,
I have two FreeIPA servers with AD trust enabled. Usually I do everything on the IPA #1 server, but I just observed that SIDs aren’t resolved on the replica, is it normal?
I’m attaching a picture of the issue to illustrate it.
If this is not right, can someone help with debugging steps?
I observed that I can’t do getent passwd ferrao on the replica either. Only on master:
[root@ipa1 ~]# getent passwd ferrao
ferrao@ad.example.com:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
[root@ipa2 ~]# getent passwd ferrao
Thanks,
3 years, 8 months
Adding new replica with CA fails.
by Guillermo Fuentes
Hi all,
I'm having an issue creating a new replica with CA.
The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range.
This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
######
...
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
java.lang.NumberFormatException: For input string: "e0000001"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.math.BigInteger.<init>(BigInteger.java:470)
at java.math.BigInteger.<init>(BigInteger.java:606)
at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
...
######
This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
######
...
2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
... repeats every second
2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
    raise RuntimeError("server failed to restart")
######
And here is the failure in /var/log/ipareplica-ca-install.log:
######
...
---------------
Import complete
---------------
Imported certificates into /etc/pki/pki-tomcat/alias:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Third-party RSA CA C,,
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Third-party Root CA C,,
ocspSigningCert cert-pki-ca u,u,u
Installation failed: server failed to restart
2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
...
######
Has anyone run into this?
Is this a known bug/issue?
Current environment of all replicas:
- CentOS 7.8
- FreeIPA 4.6.6
Any help/guidance on fixing this would be really appreciated.
Thanks so much,
Guillermo
3 years, 9 months
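Added example (not code from the post, FreeIPA or Dogtag): the stack trace shows DBSubsystem.getNextRange handing a stored range string to java.math.BigInteger(String), which parses in base 10 through Integer.parseInt, so "e0000001" throws. A digit-only value such as 80000001 does not throw, but it means something else if it was written in hex (0x80000001 is 2147483649), and the same log reports a last serial number of 2415656960, well above any base-10 reading of an 8-digit range. The checker below reads an LDIF dump of the o=ipaca range entries and classifies each value the way the Java side would; the sample dump is constructed to mirror the log, using Dogtag's attribute names nextRange, beginRange and endRange.

```python
"""Range values in the Dogtag (pki-tomcat) CA database, read as the failing
clone install reads them.

Added example; not code from the original post, FreeIPA or Dogtag.
"""
import re

# Constructed sample mirroring the entries named in the debug log.
SAMPLE_LDIF = """\
dn: ou=requests,ou=ca,o=ipaca
nextRange: 90000001

dn: cn=80000001,ou=requests,ou=ranges,o=ipaca
beginRange: 80000001
endRange: 90000000

dn: ou=certificateRepository,ou=ca,o=ipaca
nextRange: e0000001
"""

RANGE_ATTRS = ("nextRange", "beginRange", "endRange")
DEC_RE = re.compile(r"^[0-9]+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_ldif(text):
    """Yield (dn, attribute, value) from a flat LDIF dump (no line folding)."""
    dn = None
    for line in text.splitlines():
        if not line.strip():
            dn = None
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        val = val.strip()
        if key == "dn":
            dn = val
        elif dn is not None:
            yield dn, key, val


def classify_range_value(value):
    """Parse `value` as BigInteger(String) does (base 10) and also as hex,
    and report which readings exist."""
    out = {"value": value, "decimal": None, "hex": None}
    if DEC_RE.match(value):
        out["decimal"] = int(value, 10)
        out["hex"] = int(value, 16)
        out["status"] = "parses in base 10; magnitude differs if it was stored as hex"
    elif HEX_RE.match(value):
        out["hex"] = int(value, 16)
        out["status"] = "NumberFormatException in base 10; only valid as hex"
    else:
        out["status"] = "not numeric in either base"
    return out


def check_ranges(ldif_text):
    """Classify every range attribute found in the dump."""
    findings = []
    for dn, attr, val in parse_ldif(ldif_text):
        if attr in RANGE_ATTRS:
            entry = classify_range_value(val)
            entry.update(dn=dn, attr=attr)
            findings.append(entry)
    return findings


def failing_values(ldif_text):
    """(dn, attr, value) triples that would make CA startup throw."""
    return [(f["dn"], f["attr"], f["value"])
            for f in check_ranges(ldif_text) if f["decimal"] is None]


if __name__ == "__main__":
    for f in check_ranges(SAMPLE_LDIF):
        print(f["dn"], f["attr"], f["value"], "->", f["status"])
    print("would throw:", failing_values(SAMPLE_LDIF))
```

To run it against a real instance, export the entries with an ldapsearch as Directory Manager under the o=ipaca suffix (filter on nextRange, beginRange and endRange) and feed the output to check_ranges. The checker only tells you which values the existing masters and the new clone will disagree about; whether to rewrite the values or to align the pki packages on both sides is a decision to take with the pki logs in hand.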
User based access control to services?
by Dominik Vogt
In our setup, a service is running on some server machine, say, "sample/servername.domain", and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no other machine of the kerberos realm.
2. Deny access to sample/servername.domain from any host except from the workstation.
3. Allow user foo to access the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.
I don't quite understand how that fits into chapter 10, 19 or 31 of the "Linux Domain Identity, Authentication, and Policy Guide" for RHEL 7. Chapter 10 deals with access to freeipa internal objects, and chapter 31 describes host based access control. But how is access control done for someuser@clientmachine -> service@servermachine?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
3 years, 9 months
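Added example (not code from the post, the krb5 sample programs or FreeIPA): item 1 of the list is what HBAC does, a rule granting foo and bar the login services on the workstation host only, evaluated by SSSD when they log in through PAM (with the default allow_all rule disabled). Items 2 to 5 are not reachable from HBAC, because the sample server speaks GSSAPI directly and never asks PAM; Kerberos authenticates the client principal and, tickets being addressless by default, says nothing about where the request came from. So the service keeps its own deny-by-default table of who may use which service principal from where, as below. The realm EXAMPLE.COM, the workstation address 192.0.2.10 and the table format are this example's assumptions; the principal and user names are the post's.

```python
"""Service-side authorization for a custom GSSAPI service.

Added example; not code from the original post, the krb5 sample programs
or FreeIPA.
"""
from ipaddress import ip_address, ip_network

REALM = "EXAMPLE.COM"   # assumed realm name

POLICY = {
    # item 3: foo may use it; item 4: bar is simply not listed
    "sample/servername.domain@EXAMPLE.COM": {
        "users": {"foo"},
        "from": [ip_network("192.0.2.10/32")],   # item 2: only the workstation (assumed address)
    },
    # item 5: any service principal not listed here is denied for everyone
}


def authorize(service_principal, client_principal, peer_ip, policy=POLICY):
    """Return (allowed, reason). Call it once the GSSAPI context is complete,
    with the authenticated client name and the socket's peer address."""
    rule = policy.get(service_principal)
    if rule is None:
        return False, "no policy for %s" % service_principal
    name, at, realm = client_principal.rpartition("@")
    if not at or not name or not realm:
        return False, "malformed principal %r" % client_principal
    if realm != REALM:
        return False, "foreign realm %s" % realm
    user, slash, _instance = name.partition("/")
    if slash:
        # foo/admin is not the same identity as foo; refuse rather than guess.
        return False, "instance principals (%s) are not users" % name
    if user not in rule["users"]:
        return False, "user %s not allowed on this service" % user
    try:
        addr = ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address %r" % peer_ip
    if not any(addr in net for net in rule["from"]):
        return False, "peer %s is not an allowed origin" % peer_ip
    return True, "ok"


def decisions(cases, policy=POLICY):
    """Evaluate a batch of (service, client, peer) triples, for review."""
    return [(c, authorize(*c, policy=policy)) for c in cases]


if __name__ == "__main__":
    svc = "sample/servername.domain@EXAMPLE.COM"
    for case, (ok, why) in decisions([
            (svc, "foo@EXAMPLE.COM", "192.0.2.10"),
            (svc, "bar@EXAMPLE.COM", "192.0.2.10"),
            (svc, "foo@EXAMPLE.COM", "192.0.2.99"),
            ("other/servername.domain@EXAMPLE.COM", "foo@EXAMPLE.COM", "192.0.2.10"),
    ]):
        print("ALLOW" if ok else "DENY ", case, why)
```

With python-gssapi the client name is str(ctx.initiator_name) once the acceptor context reports complete, and the peer comes from the socket's getpeername(); in the C sample server it is the exported client name from gss_accept_sec_context. The address check is only as strong as the network path between workstation and server, and it assumes the workstation has a fixed address; if it does not, item 2 needs something other than a peer-address rule.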