Re: Integration of freeipa into an azure AD based infrastructure
by Alexander Bokovoy
On la, 29 elo 2020, Jonathan Aquilina wrote:
>Hi Alexander,
>
>That is correct it is a hosted solution from microsoft.
>
>What I do find interesting is you can have a VM in azure running AD
>that connects to Azure AD. Is it possible from freeipa to connect to a
>cloud based VM that is running AD?
If you have a self-hosted and managed Active Directory forest, you can
connect to it, pretty much like in the non-cloud case.
The only limiting factor right now is Azure AD, not IPA or 'normal' AD.
;)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 7 months
Re: Integration of freeipa into an azure AD based infrastructure
by John Keates
You can, but only if you use hybrid Azure AD and have an AD DC to connect to. But then the problem becomes ‘who created the forest’. If you join in to an AAD ‘forest’ you still can’t create a trust.
So far I’ve only had implementations where the AD domains and forests were ‘classic’ and only connected to AD later on.
Regards,
John
> On 29 Aug 2020, at 10:16, Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi Alexander,
>
> That is correct it is a hosted solution from microsoft.
>
> What I do find interesting is you can have a VM in azure running AD that connects to Azure AD. Is it possible from freeipa to connect to a cloud based VM that is running AD?
>
> Regards,
> Jonathan
>
>
> -----Original Message-----
> From: Alexander Bokovoy <abokovoy(a)redhat.com>
> Sent: 28 August 2020 14:30
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Jonathan Aquilina <jaquilina(a)eagleeyet.net>
> Subject: Re: [Freeipa-users] Integration of freeipa into an azure AD based infrastructure
>
> On pe, 28 elo 2020, Jonathan Aquilina via FreeIPA-users wrote:
>> Afternoon all,
>> I am just wondering does FreeIPA have the ability to integrate with azure
>> AD based infrastructure or is a proper active directory domain required?
>
> The latter is the case. My understanding is that internally Azure AD is a hosted solution that does not allow consumers (AD instance admins) to have enough privileges to control their own AD forest to establish a trust to a separate forest.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
3 years, 7 months
Re: Integration of freeipa into an azure AD based infrastructure
by Alexander Bokovoy
On pe, 28 elo 2020, Jonathan Aquilina via FreeIPA-users wrote:
> Afternoon all,
> I am just wondering does FreeIPA have the ability to integrate with azure
> AD based infrastructure or is a proper active directory domain required?
The latter is the case. My understanding is that internally Azure AD is
a hosted solution that does not allow consumers (AD instance admins) to
have enough privileges to control their own AD forest to establish
a trust to a separate forest.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 7 months
Listing trusted domain users
by Giulio Casella
Hi,
I have a FreeIPA setup, in trust with an AD domain.
Is there a way to list trusted users (e.g. belonging to AD domain) using
FreeIPA (for instance with api)?
I only managed to list local users (currently only the "admin" user in
my setup).
I have no access to the AD domain, so I can only perform operations in IPA.
Any ideas?
TIA,
Giulio Casella
3 years, 7 months
Register_pre_callback for user_disable
by Ruslan Skira
Hello guys, could you please clarify and help me? I need to add a pre_callback to the user_disable function. But this object does not have such methods, whereas user_delete has.
How should I add my extra logic to this method?
3 years, 7 months
Third Party Chain Rekeyed but not replaced
by Khurrum Maqb
I'm using an IPA CA but also a third-party Trusted Root Cert and Chain to allow users with Smartcards issued by the third-party CA for authentication. I'm running 4.6.6-11.
The external CA rekeyed a cert that is part of their chain which means that newly issued cards are using the new cert chain, and the old smartcards are using the old cert chain. The old cert chain is valid and so is the new cert chain.
Now I thought I would be able to deal with this by using ipa-cacert-manage install <NEW Certs from the chain>
However, when I do that I get an error:
Failed to install the certificate: subject public key info mismatch
or
Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
depending on the position in the chain. Now the one that gives "Failed to install the certificate: subject public key info mismatch" is the rekey which has the same Subject. This article (https://access.redhat.com/solutions/3237961) shows how I can remove the old one and add the new one, but I need both of them in there.
Is there a solution in this situation where I can import both chains, even though the subjects are the same but the expiration and ids are unique, and have it loaded in IPA properly so it can also be replicated? Thanks!
3 years, 7 months
Re: Not sure if FreeIPA issue or something else - false account is expired message
by Rob Crittenden
Scott Z. via FreeIPA-users wrote:
> It's happened 5 or 6 times over the past year that users attempting to
> log in to various Linux servers (using our IdM servers for
> authentication) are unable to do so. When we look in the
> /var/log/secure file on the client servers, we see messages that look
> like this:
> pam_unix(sshd:auth): authentication failure; logname= <balhblah>...
> pam_sss(sshd:auth): authentication success; logname= <blahblah>...
> pam_sss(sshd:account): User info message: Permission denied.
> pam_sss(sshd:account): system info: [The user account is expired on the AD server]
> pam_sss(sshd:account): Access denied for user <username>: 13 (User account has expired)
> pam_unix(sshd:auth): authentication failure; logname= <balhblah>...
> pam_sss(sshd:auth): authentication success; logname= <blahblah>...
> Failed password for <username> from <ip address> port 64452 ssh2
> fatal: Access denied for user <username> by PAM account configuration [preauth]
>
> The user's account is both good and valid, and his password is correct.
> The 'fix' for when we see this is to stop the sssd service, clear the
> local cache ("rm -rf /var/lib/sss/db/*"), and then restart the sssd
> service. Once we do that, the user is able to log back in no problem.
>
> As far as I can tell this is a problem with the client server itself,
> NOT FreeIPA because I don't think the client is actually sending the
> login request back to the IdM server, but is there any way I can check
> on logs on the FreeIPA server to see if it's getting the authorization
> request to begin with? I've only ever seen this on our Linux servers
> that authorize through FreeIPA, not any other ones.
> Mahalo!
What version of IPA and sssd?
Is the user in fact an AD user?
rob
3 years, 7 months
Not sure if FreeIPA issue or something else - false account is expired message
by Scott Z.
It's happened 5 or 6 times over the past year that users attempting to log in to various Linux servers (using our IdM servers for authentication) are unable to do so. When we look in the /var/log/secure file on the client servers, we see messages that look like this:
pam_unix(sshd:auth): authentication failure; logname= <balhblah>...
pam_sss(sshd:auth): authentication success; logname= <blahblah>...
pam_sss(sshd:account): User info message: Permission denied.
pam_sss(sshd:account): system info: [The user account is expired on the AD server]
pam_sss(sshd:account): Access denied for user <username>: 13 (User account has expired)
pam_unix(sshd:auth): authentication failure; logname= <balhblah>...
pam_sss(sshd:auth): authentication success; logname= <blahblah>...
Failed password for <username> from <ip address> port 64452 ssh2
fatal: Access denied for user <username> by PAM account configuration [preauth]
The user's account is both good and valid, and his password is correct. The 'fix' for when we see this is to stop the sssd service, clear the local cache ("rm -rf /var/lib/sss/db/*"), and then restart the sssd service. Once we do that, the user is able to log back in no problem.
As far as I can tell this is a problem with the client server itself, NOT FreeIPA because I don't think the client is actually sending the login request back to the IdM server, but is there any way I can check on logs on the FreeIPA server to see if it's getting the authorization request to begin with? I've only ever seen this on our Linux servers that authorize through FreeIPA, not any other ones.
Mahalo!
Scott
3 years, 7 months
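The contradiction Scott describes above (pam_sss accepts the password, then the account phase denies with PAM code 13 "User account has expired") can be picked out of /var/log/secure on the client before anyone decides whether the server or a stale SSSD cache is to blame. The following is an added example, not code from the post or from the FreeIPA/SSSD projects; the log lines, hostnames, addresses and user names are constructed for it, and the sshd PID is used to tie the auth and account lines of one session together.

```python
import re

# Constructed /var/log/secure excerpt in the shape reported on the list.
# Names, hosts and addresses are made up; only the message formats are real.
SAMPLE_SECURE_LOG = """\
Aug 28 10:15:01 web01 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Aug 28 10:15:01 web01 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Aug 28 10:15:01 web01 sshd[2211]: pam_sss(sshd:account): User info message: Permission denied.
Aug 28 10:15:01 web01 sshd[2211]: pam_sss(sshd:account): system info: [The user account is expired on the AD server]
Aug 28 10:15:01 web01 sshd[2211]: pam_sss(sshd:account): Access denied for user alice: 13 (User account has expired)
Aug 28 10:15:01 web01 sshd[2211]: Failed password for alice from 192.0.2.10 port 64452 ssh2
Aug 28 10:15:01 web01 sshd[2211]: fatal: Access denied for user alice by PAM account configuration [preauth]
Aug 28 10:20:44 web01 sshd[2390]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=bob
Aug 28 10:20:44 web01 sshd[2390]: Accepted password for bob from 192.0.2.11 port 50122 ssh2
"""

# pam_sss auth phase succeeded for a user in a given sshd session (PID).
AUTH_OK = re.compile(
    r"sshd\[(\d+)\]: pam_sss\(sshd:auth\): authentication success;.*?rhost=(\S*) user=(\S+)")
# pam_sss account phase then rejected that user with PAM_ACCT_EXPIRED (13).
EXPIRED = re.compile(
    r"sshd\[(\d+)\]: pam_sss\(sshd:account\): Access denied for user (\S+): 13 \(User account has expired\)")


def find_suspect_expiries(log_text):
    """Return one record per sshd session in which pam_sss accepted the
    password but afterwards reported the same account as expired.  A correct
    password plus an 'expired' verdict is the pattern worth checking against
    the IdM/AD side (and against the client's SSSD cache) before trusting it."""
    authed = {}    # sshd PID -> (user, rhost) for sessions that passed auth
    suspects = []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authed[m.group(1)] = (m.group(3), m.group(2))
            continue
        m = EXPIRED.search(line)
        if m and m.group(1) in authed and authed[m.group(1)][0] == m.group(2):
            user, rhost = authed[m.group(1)]
            suspects.append({"pid": m.group(1), "user": user, "rhost": rhost})
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_expiries(SAMPLE_SECURE_LOG):
        print("auth OK but account 'expired': user=%(user)s rhost=%(rhost)s sshd pid=%(pid)s" % hit)
```

Run against the real file (`find_suspect_expiries(open("/var/log/secure").read())`) each hit gives a user and session to compare with the account's actual state on the IdM server rather than the client's cached answer.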
FreeIPA + Freeradius
by Alessandro Minonzio
Hi,
I'm new to FreeIPA (v. 4.6.5) and I am asking for help with a first configuration with FreeRadius on CentOS 7.
I need documentation or suggestions about this implementation.
Could someone help me?
Thanks
Alessandro
3 years, 7 months