Web UI behind Reverse proxy
by Angus Clarke
Hello
We want to give FreeIPA Web UI access to a corporate team; our security guys insist we hide this behind a reverse proxy. We're putting 2 of our 10 FreeIPA servers behind the RP address.
In our initial testing we get the kerberos error "Unable to verify your Kerberos credentials" in the browser.
I saw this
https://www.redhat.com/archives/freeipa-users/2015-April/msg00597.html
which led me to this
https://ssimo.org/blog/id_019.html
The last paragraph mentions "... until the FreeIPA project provides a way to officially access the Web UI using aliases." - is this a thing now?
Otherwise I presume to follow the step mentioned in the very last sentence and to investigate redirection.
Thanks for any pointers.
Regards
Angus
3 years, 7 months
ipa-replica-install failing
by Mitchell Smith
Hi list,
I wanted to repost this issue with a more appropriate subject line, in
case anyone has come across this issue before and has a work around.
To provide some context, I have two FreeIPA instances running FreeIPA
4.3.1 on Ubuntu 16.04 LTS.
I want to migrate to FreeIPA 4.5.4 running on CentOS 7.
I have a way to migrate by dumping all the users out with ldapsearch
and adding them to the new instance with ldapadd but it is a bit messy
and will result in all users having to reset their password, as it
won't let me add in already encrypted passwords.
My initial thought was to add the new instance as a replica and then
eventually retire the old one.
I ran into some problems with the ‘ipa-replica-install’ command though.
I was able to join as a client no problem, but when I went to run
‘ipa-replica-install’ it failed while configuring the directory server
component.
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: modification
of attribute nsds5replicareleasetimeout is not allowed in replica
entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I thought this might have something to do with differences between
4.3.1 and 4.5.4 but I wasn’t entirely sure.
If there is a work around for this issue, it would be a significantly
easier transition to the new FreeIPA instance.
Cheers,
Mitch
3 years, 7 months
Re: Add User attributes into the schemas & UI
by Karim Bourenane
Hello Team
I have already added attributes in the User ObjectClass. But unable to see
it in the FreeIPA UI.
Can you help me, to know what I must do, to add section attributes/ into
FreeIPA UI ?
Best regards,
Mr Karim Bourenane
+33686464439
+32 493 86 63 54
3 years, 7 months
IPA healthcheck for older versions
by Rob Crittenden
Over the summer we announced the freeipa-healthcheck project which is
designed to look at an IdM cluster and look for common problems so you
can have some level of assurance that the system is running as it should.
It was built against the IPA 4.8.x branch and originally released only
for Fedora 29+. It is also included in the newly released RHEL 8.1.0.
My curious nature led me to see if it would also work in the IPA
4.6.x branch. It was a bit of a challenge backing down to Python 2 but I
was able to get something working. I tested primarily on Fedora 27 but
it should also work in RHEL/CentOS 7 (I smoke tested 7.8).
I made an EPEL 7 build in COPR,
https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
Enable the repo and do: yum install freeipa-healthcheck
Then run: ipa-healthcheck --failures-only
Ideally there will be no output but an empty list []. Otherwise the
output is JSON and hopefully has enough information to point you in the
right direction. Feel free to ask if you need help.
False positives are always a possibility and many of the checks run
independently so it's possible to get multiple issues from a single root
problem. It's hard to predict all possible installations so some
fine-tuning may be required.
I'd recommend running it every now and then at least, like prior to
updating IPA packages, creating a new master, etc., if not daily. It
will, for example, warn of impending cert expiration.
The more feedback I get on it the better and more useful I can make it.
This is my own personal backport and is not officially supported by
anyone but me. It's preferred to report issues on this mailing list.
I'll see them and others may be able to chime in as well.
rob
3 years, 7 months
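The post describes running ipa-healthcheck --failures-only and reading its JSON output, and warns that several independent checks can fire for a single root problem. The script below is an added example, not part of the freeipa-healthcheck project or of Rob's post: it reads that JSON (from stdin, or a constructed sample when run without input), counts findings by result level, groups them by the object they concern so one root cause shows up once, and returns an exit code suitable for a cron job. The field names it relies on (source, check, result, kw.key, kw.msg), the check names in the sample and the severity order are assumptions; verify them against the output of your installed version.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape freeipa-healthcheck emits: a JSON list of
# result objects. The field names (source, check, result, kw.key, kw.msg) and
# the check names are ASSUMED for this example; compare with real output.
SAMPLE_OUTPUT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "WARNING",
     "kw": {"key": "example-request-1", "msg": "example-request-1 expires soon"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "ERROR",
     "kw": {"key": "example-request-2", "msg": "example-request-2 is expired"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertfileExpirationCheck",
     "result": "ERROR",
     "kw": {"key": "example-request-2", "msg": "certificate file for example-request-2 is expired"}},
])

# Assumed severity order, most severe first.
SEVERITY = ["CRITICAL", "ERROR", "WARNING", "SUCCESS"]


def load_results(text):
    """Parse healthcheck output. No output at all is treated like the empty list []."""
    text = text.strip()
    if not text:
        return []
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of check results")
    return data


def count_by_result(results):
    """How many findings at each result level (ERROR, WARNING, ...)."""
    return Counter(r.get("result", "UNKNOWN") for r in results)


def group_by_key(results):
    """Group findings by the object they concern (kw.key), so a single root cause
    that trips several independent checks is listed once with all its checks."""
    groups = defaultdict(list)
    for r in results:
        kw = r.get("kw", {})
        key = kw.get("key") or "(no key)"
        groups[key].append((r.get("source"), r.get("check"), r.get("result"), kw.get("msg")))
    return dict(groups)


def exit_code(results):
    """0 = clean, 1 = warnings only, 2 = at least one ERROR/CRITICAL."""
    counts = count_by_result(results)
    if counts.get("CRITICAL", 0) or counts.get("ERROR", 0):
        return 2
    if counts.get("WARNING", 0):
        return 1
    return 0


def report(results):
    """Human-readable summary; returned as a string so it can be mailed or logged."""
    lines = ["findings by level: " + ", ".join(
        f"{lvl}={count_by_result(results)[lvl]}" for lvl in SEVERITY if count_by_result(results)[lvl])]
    for key, items in group_by_key(results).items():
        lines.append(f"{key}:")
        for source, check, result, msg in items:
            lines.append(f"  [{result}] {source}.{check}: {msg}")
    return "\n".join(lines) if results else "no findings"


if __name__ == "__main__":
    # Typical use: ipa-healthcheck --failures-only | python3 summarize.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    found = load_results(raw)
    print(report(found))
    sys.exit(exit_code(found))
```

Grouping by kw.key is the part that addresses the "multiple issues from a single root problem" caveat: in the constructed sample, example-request-2 is reported by two different checks but appears once in the report.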
FreeIPA + Freeradius
by Alessandro Minonzio
Hi,
I'm new to FreeIPA (v. 4.6.5) and I am asking for help with a first configuration with FreeRadius on CentOS 7.
I need documentation or suggestion about this implementation.
Could someone help me?
Thanks
Alessandro
3 years, 7 months
PermitEmptyPasswords and pam_setcred
by Ben Aveling
This is weird.
If /etc/sshd_config contains:
PermitEmptyPasswords yes
Then ssh to the host fails, sort of.
As soon as the ssh command executes, "authentication failure" appears in /var/log/secure
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
But ssh doesn't get disconnected straight away.
First you get prompted for a password.
If you enter the correct password, then you get disconnected.
e.g.
$ ssh test6f@localhost
Password:
Write failed: Broken pipe
Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:44:51 centos25 sshd[4508]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:44:51 centos25 sshd[4505]: Accepted keyboard-interactive/pam for test6f from ::1 port 47542 ssh2
Aug 14 17:44:51 centos25 sshd[4505]: fatal: PAM: pam_setcred(): Failure setting user credentials
If you enter a wrong password three times (or no password at all), then the prompt changes, and if you now enter a password, it succeeds.
$ ssh test6f@localhost
Password:
Password:
Password:
test6f@localhost's password:
Last failed login: Fri Aug 14 17:32:00 AEST 2020 from localhost on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Fri Aug 14 17:31:11 2020 from localhost
Aug 14 17:47:47 centos25 sshd[4516]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:47 centos25 sshd[4516]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:48 centos25 sshd[4519]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:48 centos25 sshd[4519]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:48 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4521]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:49 centos25 sshd[4521]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4523]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:49 centos25 sshd[4523]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4516]: Failed keyboard-interactive/pam for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:52 centos25 sshd[4516]: Accepted password for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: pam_unix(sshd:session): session opened for user test6f by (uid=0)
This behaviour doesn't happen if ipa-client is not installed, or if it is uninstalled.
This behaviour seems to be the same for an IPA user or for a local user.
This behaviour doesn't happen if PermitEmptyPasswords is no, which is the default, and a sensible default, and I don't know why anyone set it to something different, but they did, and this was the resulting behaviour, and I tell you, it took a bit of tracking down to work out what was happening.
Without knowing more about why this happens, or what it would take to change it, I'm not sure that this is a bug, or if it is a bug, if it is a bug that is worth fixing. But I just thought I'd report it and let you decide if you want to do anything with it.
Regards, Ben
3 years, 7 months
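The two log excerpts in Ben's post show two distinct signatures: an "Accepted keyboard-interactive/pam" line immediately followed by "fatal: PAM: pam_setcred(): Failure setting user credentials" from the same sshd PID, and a "Failed keyboard-interactive/pam" line followed by "Accepted password" for the same PID once the prompt has changed. The script below is an added example, not from the post: it parses /var/log/secure-style lines (a constructed sample built from the post's own lines is embedded) and reports both patterns per sshd PID, which is how you would spot hosts where this misconfiguration is in effect before users start reporting "Broken pipe". Matching is done on the sshd PID because, as the excerpt shows, the pam_sss "authentication success" line is logged by a helper child with a different PID.

```python
import re
import sys

# Constructed sample: /var/log/secure lines reproduced from the post above.
# PID 4505 is the "Accepted, then pam_setcred() fatal" case; PID 4516 is the
# "three keyboard-interactive failures, then plain password accepted" case.
SAMPLE_LOG = """\
Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:44:51 centos25 sshd[4508]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:44:51 centos25 sshd[4505]: Accepted keyboard-interactive/pam for test6f from ::1 port 47542 ssh2
Aug 14 17:44:51 centos25 sshd[4505]: fatal: PAM: pam_setcred(): Failure setting user credentials
Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4516]: Failed keyboard-interactive/pam for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:52 centos25 sshd[4516]: Accepted password for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: pam_unix(sshd:session): session opened for user test6f by (uid=0)
"""

# syslog-style prefix: "Mon DD HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
SETCRED_FATAL = "fatal: PAM: pam_setcred(): Failure setting user credentials"


def parse_sshd_lines(text):
    """Yield one dict (ts, host, pid, msg) per sshd line; lines from other daemons are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_setcred_failures(text):
    """Sessions sshd accepted and then tore down because pam_setcred() failed.

    Returns one dict per sshd PID whose 'Accepted ...' line is followed by the
    pam_setcred() fatal from the same PID.
    """
    accepted = {}   # pid -> details from the Accepted line
    findings = []
    for rec in parse_sshd_lines(text):
        am = ACCEPTED_RE.match(rec["msg"])
        if am:
            accepted[rec["pid"]] = {**am.groupdict(), "host": rec["host"]}
        elif rec["msg"] == SETCRED_FATAL and rec["pid"] in accepted:
            d = accepted.pop(rec["pid"])
            findings.append({"pid": rec["pid"], "ts": rec["ts"], "host": d["host"],
                             "user": d["user"], "method": d["method"], "src": d["src"]})
    return findings


def find_fallback_logins(text):
    """PIDs where keyboard-interactive/pam failed and a later plain 'password' login succeeded."""
    failed_kbd = set()
    findings = []
    for rec in parse_sshd_lines(text):
        fm = FAILED_RE.match(rec["msg"])
        if fm and fm.group("method") == "keyboard-interactive/pam":
            failed_kbd.add(rec["pid"])
            continue
        am = ACCEPTED_RE.match(rec["msg"])
        if am and am.group("method") == "password" and rec["pid"] in failed_kbd:
            findings.append({"pid": rec["pid"], "ts": rec["ts"], "host": rec["host"],
                             "user": am.group("user"), "src": am.group("src")})
    return findings


if __name__ == "__main__":
    # Typical use: sudo python3 check_setcred.py < /var/log/secure
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in find_setcred_failures(text):
        print("accepted login torn down by pam_setcred():", f)
    for f in find_fallback_logins(text):
        print("password login after keyboard-interactive failures:", f)
```

Either finding on a host is a strong hint that PermitEmptyPasswords (or some other PAM/sshd setting) differs from the default there, so the check is worth running across a fleet rather than only on the machine where a user complained.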
Add User attributes into the schemas & UI
by Karim Bourenane
Hello Team
I want to know how easily I can add new attributes/objectclass into my
FreeIPA platform, version 4.6.4.
I see that I must create a new schema in ldif format beginning by
cn=config....
Thank you for your help
Best regards,
Mr Karim Bourenane
+33686464439
+32 493 86 63 54
3 years, 7 months
getcert status: CA_REJECTED
by Winfried de Heiden
Hi all,
For some reason, I messed up with several certificates in FreeIPA,
version: 4.8. One particular KRA cert seems problematic:
Request ID '20200820113800':
        status: CA_REJECTED
        ca-error: Server at "<some server>:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='cert-nickname=transportCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='cert-nickname=transportCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
        track: yes
        auto-renew: yes
How to fix?
Winfried
3 years, 7 months
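Winfried's getcert output is the kind of thing worth checking on every IPA server before a renewal window, not only after something breaks. The script below is an added example and not part of certmonger or FreeIPA: it parses `getcert list` output in its one-field-per-line layout (a constructed sample built from the request in the post is embedded), extracts the NSS nickname from the storage fields, and lists every tracked request that is not quietly in MONITORING or that certmonger marks as stuck, with the ca-error as the reason. The assumption that MONITORING is the only healthy long-term state, and the field names the parser keys on, come from the layout shown above rather than from any certmonger documentation.

```python
import re
import sys

# Constructed sample: the request from the post above, laid out one field per
# line as `getcert list` prints it (getcert indents with a tab; the parser
# accepts tabs or spaces).
SAMPLE_GETCERT = """\
Request ID '20200820113800':
        status: CA_REJECTED
        ca-error: Server at "<some server>:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='cert-nickname=transportCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='cert-nickname=transportCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
# Assumption: a tracked certificate that is healthy sits in MONITORING.
HEALTHY_STATES = {"MONITORING"}


def parse_getcert_list(text):
    """Parse `getcert list` output into a list of dicts, one per request.

    Each indented 'key: value' line becomes an entry; the split is on the first
    colon only, so values such as the ca-error URL keep their own colons.
    """
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is not None and line[:1] in (" ", "\t"):
            key, sep, value = line.strip().partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return records


def nss_nickname(storage_field):
    """Pull nickname='...' out of a 'key pair storage' or 'certificate' field."""
    m = re.search(r"nickname='([^']*)'", storage_field or "")
    return m.group(1) if m else None


def requests_needing_attention(records):
    """(request_id, status, nickname, reason) for every request not healthy or marked stuck."""
    out = []
    for r in records:
        status = r.get("status", "")
        stuck = r.get("stuck", "no") == "yes"
        if status in HEALTHY_STATES and not stuck:
            continue
        reason = r.get("ca-error") or ("stuck" if stuck else f"status {status}")
        out.append((r["request_id"], status, nss_nickname(r.get("key pair storage")), reason))
    return out


if __name__ == "__main__":
    # Typical use: getcert list | python3 check_getcert.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT
    for request_id, status, nickname, reason in requests_needing_attention(parse_getcert_list(text)):
        print(f"{request_id} [{status}] {nickname}: {reason}")
```

On the sample this reports the single KRA transport certificate request with its CA_REJECTED status and the "Missing credential: sessionID" reply from the CA, which is the detail to start from when working out why the renewal agent was refused.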