FreeIPA certificate doesn't validate in iOS
by Jochen Kellner
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:
,----
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
| certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
| CA: IPA
| issuer: CN=Certificate Authority,O=JOCHEN.ORG
| subject: CN=imap.jochen.org,O=JOCHEN.ORG
| expires: 2022-09-07 09:30:16 CEST
| dns: imap.jochen.org
| principal name: imap/jupiter.jochen.org(a)JOCHEN.ORG
| key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
| eku: id-kp-serverAuth,id-kp-clientAuth
| pre-save command:
| post-save command: /root/refresh_cyrus_certificate.sh
| track: yes
| auto-renew: yes
`----
On an iPhone one of my users gets a message that the certificate is not valid.
The reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html
When I look at the certificate with openssl I see:
,----
| X509v3 extensions:
| X509v3 Authority Key Identifier:
| keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
|
| Authority Information Access:
| OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
|
| X509v3 Key Usage: critical
| Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
| X509v3 Extended Key Usage:
| TLS Web Server Authentication, TLS Web Client Authentication
`----
My current guess is that the "Key Usage: critical" is the reason for the iOS error.
I've looked for the certprofiles and found these files:
,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
| 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
| 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
| 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
| 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
| 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----
These files contain:
,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----
So I think this is where the critical flag and the keyUsage defaults come from.
What I could use help with is the following:
1. I didn't find reports about the problem in pagure or the mailing
list. Am I really alone with this?
2. My FreeIPA has been installed years ago on Fedora, moved to CentOS
and this year back to Fedora by creating replicas. Has there been a
problem with upgrading the certprofiles?
3. How can I remove the options from the certificate request so that
certmonger gets a valid certificate?
Am I missing something else?
--
This space is intentionally left blank.
3 years, 1 month
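As an added example, not code from the thread or from FreeIPA: the Go program below checks a server certificate against the TLS requirements Apple published for iOS 13 (RSA key of at least 2048 bits, SHA-2 signature, a DNS name in the Subject Alternative Name, an Extended Key Usage containing id-kp-serverAuth, validity of at most 825 days) and separately reports whether the Key Usage extension carries the critical flag. Rather than reading the real imap.jochen.org certificate, it builds a constructed self-signed certificate with the same extensions as the openssl output above; the function names and the checker itself are this example's own, not Apple's or Dogtag's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Longest validity Apple accepts for TLS server certificates since iOS 13 (HT210176).
const maxValidityDays = 825

// OID of the X.509 Key Usage extension (id-ce-keyUsage).
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// Finding is the outcome of one check.
type Finding struct {
	Check string
	OK    bool
	Note  string
}

// checkAppleTLSRequirements applies the HT210176 rules: RSA key >= 2048 bits,
// SHA-2 signature, DNS name in SAN, EKU with id-kp-serverAuth, validity <= 825 days.
func checkAppleTLSRequirements(cert *x509.Certificate) []Finding {
	bits := 0
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		bits = pub.N.BitLen()
	}
	out := []Finding{{"rsa-key-size", bits >= 2048, fmt.Sprintf("%d bits", bits)}}
	sha2 := false
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS,
		x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		sha2 = true
	}
	out = append(out, Finding{"sha2-signature", sha2, cert.SignatureAlgorithm.String()})
	out = append(out, Finding{"dns-san", len(cert.DNSNames) > 0, fmt.Sprint(cert.DNSNames)})
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	out = append(out, Finding{"eku-serverauth", serverAuth, fmt.Sprintf("%d EKU(s)", len(cert.ExtKeyUsage))})
	days := cert.NotAfter.Sub(cert.NotBefore).Hours() / 24
	out = append(out, Finding{"validity", days <= maxValidityDays, fmt.Sprintf("%.0f days", days)})
	return out
}

// keyUsageCritical reports whether the Key Usage extension is present and
// whether it is flagged critical, the detail the thread suspects.
func keyUsageCritical(cert *x509.Certificate) (present, critical bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			return true, ext.Critical
		}
	}
	return false, false
}

// buildTestCert creates a constructed self-signed RSA-2048 certificate mirroring the
// extensions shown in the thread: Key Usage digitalSignature, nonRepudiation, keyEncipherment,
// dataEncipherment (Go flags Key Usage critical, as Dogtag did here) and EKU serverAuth + clientAuth.
func buildTestCert(validityDays int, withServerAuth bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if withServerAuth { // false omits id-kp-serverAuth to exercise that check
		eku = append(eku, x509.ExtKeyUsageServerAuth)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(20181003215953), // constructed; reuses the certmonger request ID
		Subject:            pkix.Name{CommonName: "imap.jochen.org", Organization: []string{"JOCHEN.ORG"}},
		DNSNames:           []string{"imap.jochen.org"},
		NotBefore:          now,
		NotAfter:           now.AddDate(0, 0, validityDays),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtKeyUsage:        eku,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a real certificate instead, PEM-decode /etc/ssl/certs/imap.jochen.org.crt and pass the DER bytes to x509.ParseCertificate in place of buildTestCert.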
LDAP configuration synchronization failed: socket is not connected - from named-pkcs11
by lejeczek
Hi guys.
I'm trying to set up a first master, during which I get:
...
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service
(ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Named service failed to start (CalledProcessError(Command
['/bin/systemctl', 'restart', 'named-pkcs11.service']
returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because a timeout was
exceeded.\nSee "systemctl status named-pkcs11.service" and
"journalctl -xe" for details.\n'))
...
and that is the only error from the setup which seemingly
continues and completes successfully:
...
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: c8kubermaster1.private.openshift.c8
Realm: PRIVATE.OPENSHIFT.C8
DNS Domain: private.openshift.c8
IPA Server: c8kubermaster1.private.openshift.c8
BaseDN: dc=private,dc=openshift,dc=c8
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring private.openshift.c8 as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
DNS query for c8kubermaster1.private.openshift.c8. 1 failed:
The DNS operation timed out after 30.000322580337524 seconds
unable to resolve host name
c8kubermaster1.private.openshift.c8. to IP address, ipa-ca
DNS record will be incomplete
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the
command: 'kinit admin'
This ticket will allow you to use the IPA tools
(e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in
/root/cacert.p12
These files are required to create replicas. The password
for these
files is the Directory Manager password
The ipa-server-install command was successful
Yet on the very first reboot ipa.service fails to start, but
before that reboot if I
-> $ systemctl restart named-pkcs11.service
it takes rather long, 10 or so seconds, and the journal shows
...
LDAP configuration synchronization failed: socket is not
connected
...
but socket is there: /var/run/slapd-PRIVATE-OPENSHIFT-C8.socket
More from named's journal:
...
esolver priming query complete
LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
ldap_syncrepl will reconnect in 60 seconds
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
successfully reconnected to LDAP server
LDAP configuration for instance 'ipa' synchronized
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
LDAP data for instance 'ipa' are being synchronized, please
ignore message 'all zones loaded'
Is it named-pkcs11 looking for the wrong bits, or something not
good with dirsrv, or maybe something else... would
anybody know?
many thanks, L.
3 years, 1 month
Concurrent ssh to the same host fails after a few successfully opened sessions with an Additional pre-authentication krb error.
by mir mal
Hi,
As in the title, a very odd behaviour: if I keep opening new ssh sessions using the same IPA user, after a few successful ones I get an ssh authentication failed error, and in the krb5 logs on the freeipa server I can see the following errors:
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: c000000(a)STUXNET.LAB for krbtgt/STUXNET.LAB(a)STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
At the same time, I can use the same user and connect to other hosts or use kinit or the freeipa web portal. It looks like after N successful attempts I'm hitting some kind of time or max concurrent connections limit, but I can't find any related settings. It's a standard Fedora-based freeipa 4.8.10 and the hosts to connect to are ubuntu. If I wait a few minutes I'm allowed to open another connection, but then again if I try to open a few I hit the error. I've been checking KRB5_TRACE for kinit and sshd DEBUG3 level logs, but I can't find why it would happen; the only error is the one above with pre-auth.
Thanks
3 years, 1 month
FreeIPA/Red Hat IDM and AD communication
by Jones, Bob (rwj5d)
Hello all,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it’s not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify for clients to use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
3 years, 1 month
Another 4.8.7 failed upgrade
by John Obaterspok
Hi,
I'm stuck since about a week ago, when I updated to the latest ipa-server. It
seems to be the same problem as Ian had ("FreeIPA centos8 update
Failed to authenticate to CA REST API"). He seems to have resolved this using
a replica, which I don't have.
Any ideas on how I get this to work?
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
centos-linux-release-8.3-1.2011.el8.noarch
...
IPA version error: data needs to be upgraded (expected version
'4.8.7-13.module_el8.3.0+606+1e8766d7', current version
'4.8.7-12.module_el8.3.0+511+8a502f20')
....
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
...
2021-01-22T08:47:46Z DEBUG request GET
https://ipa2.win.lan:8443/ca/rest/account/login
2021-01-22T08:47:46Z DEBUG request body ''
2021-01-22T08:47:47Z DEBUG response status 500
2021-01-22T08:47:47Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: en
Content-Length: 2234
Date: Fri, 22 Jan 2021 08:47:47 GMT
Connection: close
2021-01-22T08:47:47Z DEBUG response body (decoded): b'<!doctype
html><html lang="en"><head><title>HTTP Status 500 \xe2\x80\x93
Internal Server Error</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line"
/><p><b>Type</b> Exception Report</p><p><b>Message</b> CA subsystem
unavailable. Check CA debug log.</p><p><b>Description</b> The server
encountered an unexpected condition that prevented it from fulfilling
the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
CA subsystem unavailable. Check CA debug
log.\n\tcom.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b>
The full stack trace of the root cause is available in the server
logs.</p><hr class="line" /><h3>Apache
Tomcat/9.0.30</h3></body></html>'
2021-01-22T08:47:47Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-01-22T08:47:47Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179,
in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1805, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1670, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 414, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 1954, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 1960, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py",
line 1315, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate
to CA REST API'))
2021-01-22T08:47:47Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
-- john
3 years, 1 month
FreeIPA 4.9.1 released
by Alexander Bokovoy
The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.9.1
* 3226: [RFE] ipa sudorule-add-user should accept more types of
characters
IPA now supports users and groups from trusted Active Directory
domains in SUDO rules to specify runAsUser/runAsGroup properties
without an intermediate non-POSIX group membership
+
IPA now supports adding users and groups from trusted Active
Directory domains in SUDO rules without an intermediate non-POSIX
group membership
* 7599: Leading / trailing white spaces in password are disallowed
Allow leading and trailing whitespaces in passwords set through IPA
commands. They were already allowed via Kerberos and LDAP.
* 7676: ipa-client-install changes system wide ssh configuration
Skip ProxyCommand wrapper in SSH configuration in case user is
configured with /sbin/nologin to allow automated tools to operate as
expected
* 8528: Use separate logs for AD Trust and DNS installer
ipa-adtrust-install and ipa-dns-install commands now log their
activity into separate log files.
* 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing
from CS.cfg
ipa-cert-fix tool now handles situations when a CSR is missing from
Dogtag's CA/KRA CS.cfg configuration files. Configuration file is
updated with a CSR tracked by Certmonger.
* 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9
IPA will not deploy ACME service if Dogtag PKI version is known to
not provide a complete service. A complete ACME support requires
Dogtag 10.10.0 or later.
* 8635: Memory availability detection does not work with cgroupsv2
environment
Containerized environments on Linux with cgroup v2 are now
recognized and supported.
* 8644: ipa-certupdate drops profile from the caSigningCert tracking
ipa-certupdate tool now honors CA profile specified in the
certificate request it tries to update
* 8646: permission-mod attrs, includedattrs and excludedattrs issues
Managed permissions commands now properly rollback changes if a
generated ACI has incorrect syntax
* 8655: Allow to establish trust to Active Directory in FIPS mode
When IPA is deployed in FIPS mode, it is now possible to establish
trust to Active Directory forest.
* 8659: ipa-kdb: provide correct logon time in MS-PAC from
authentication time
Trust to Active Directory support was improved to be more compatible
with AD DC queries: lookup groups via LSA RPCs, allow user principal
name lookups, more complete PAC record generation.
=== Enhancements
=== Known Issues
=== Bug fixes
FreeIPA 4.9.1 is a stabilization release for the features delivered as a
part of 4.9 version series.
There are more than 30 bug-fixes since FreeIPA 4.9.1 release. Details of
the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets
#3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
#7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8635 Memory availability detection does not work with cgroupsv2 environment
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
#8660 ipasam: implement PASSDB getgrnam call
#8661 ipasam: allow search of users by user principal name (UPN)
#8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
#8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
#8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8674 test_ipahealthcheck divides KiB by 1000
#8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
#8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails
== Detailed changelog since 4.9.1
=== Armando Neto (1)
* ipatests: Update PR-CI definitions for ipa-4-9
https://pagure.io/freeipa/c/ccdecaa984ef6ebcc63d754e896b2229bcba3b88[commit]
=== Alexander Bokovoy (30)
* Become FreeIPA 4.9.1
https://pagure.io/freeipa/c/aa58fad8eb98b0e8e248eb76b107b5e1faac4aeb[commit]
* Force-update translation po/uk.po
https://pagure.io/freeipa/c/a97967ff3b56ba3c3894a5aadffbef68961b3581[commit]
* Force-update translation po/ipa.pot
https://pagure.io/freeipa/c/cb583ac18e33698f9bd950490482a722cc993a06[commit]
* Force-update translation po/hu.po
https://pagure.io/freeipa/c/a1c43ac3c91ae045f402610c88141d7f3d387011[commit]
* Force-update translation po/de.po
https://pagure.io/freeipa/c/6f6dd6240c91b8a4a6c9e6f1090db33ec37c7857[commit]
* Update contributors list
https://pagure.io/freeipa/c/2ac8028e1f8dca4b8bc37bd4995043da647dbfb8[commit]
* baseldap: allow rejecting unknown objects instead of adding to an
external attr
https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* ipatests: when talking to AD DCs, use FQDN credentials
https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8[commit]
https://pagure.io/freeipa/issue/8678[#8678]
* test_trust: add tests for using AD users and groups in SUDO rules
https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* ipatests: fix test_sudorule_plugin's wrong argument use
https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* sudorule runAs: allow to add users and groups from trusted domains
directly
https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* sudorule-add-user: allow to reference users and groups from trusted
domains directly
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* idviews: add extended validator for users from trusted domains
https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* baseldap: when adding external objects, differentiate between them and
failures
https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* baseldap: refactor validator support in add_external_pre_callback
https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* Add design document for using AD users/groups in SUDO rules
https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* use a constant instead of /var/lib/sss/keytabs
https://pagure.io/freeipa/c/9f63afb4408e308c2ee972a72875525afefa5d54[commit]
* trust-fetch-domains: use custom krb5.conf overlay for all trust
operations
https://pagure.io/freeipa/c/c842d4b5c2404d263d56aa0c4ba33fe32b2ca61e[commit]
https://pagure.io/freeipa/issue/8655[#8655],
https://pagure.io/freeipa/issue/8664[#8664]
* ipaserver/dcerpc: store forest topology as a blob in ipasam
https://pagure.io/freeipa/c/3d706b6f57309ec394df617cecb9a73d021fc2f7[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: derive parent domain for subdomains automatically
https://pagure.io/freeipa/c/f103172954c259443f0c5b4ac89474e66cf3a1d6[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: free trusted domain context on failure
https://pagure.io/freeipa/c/e8f927db7da00d1671f871d3b2e89429aec3beb9[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: allow search of users by user principal name (UPN)
https://pagure.io/freeipa/c/2e8eb0f5fe82be58be88fa0d9b07ee7af69d8829[commit]
https://pagure.io/freeipa/issue/8661[#8661]
* ipasam: implement PASSDB getgrnam call
https://pagure.io/freeipa/c/962052a0567b6878843272b1882d0a0b3b2debd1[commit]
https://pagure.io/freeipa/issue/8660[#8660]
* ipa-kdb: provide correct logon time in MS-PAC from authentication time
https://pagure.io/freeipa/c/f8bf37422b7c49a4a39b4704b18158b37ee9ef80[commit]
https://pagure.io/freeipa/issue/8659[#8659]
* ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available
https://pagure.io/freeipa/c/3fa07a108030265dc89921a37216a1184e1e7516[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipaserver/dcerpc.py: use Kerberos authentication for discovery
https://pagure.io/freeipa/c/8ab9bf68a4d12c8763c1669d0c14b7771a3289da[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipaserver/dcerpc: use Samba-provided trust helper to establish trust
https://pagure.io/freeipa/c/753246f4e82af5697ee51bdc7f667959e1824be1[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipatests: fix race condition in finalizer of encrypted backup test
https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d[commit]
* ipaplatform: add constant for systemd-run binary
https://pagure.io/freeipa/c/8c7d1fbad15c5a906ffa261329dd49be048549ed[commit]
* Get back to git snapshots
https://pagure.io/freeipa/c/0fd4a8936f5b41e83ffdbe00f88309e5a2e94f9f[commit]
=== Antonio Torres (2)
* Check that IPA cert is added to trust store after server install
https://pagure.io/freeipa/c/2715fbd4a73115949264298858ed0835fe982164[commit]
https://pagure.io/freeipa/issue/8614[#8614]
* Test that IPA certs are removed on server uninstall
https://pagure.io/freeipa/c/2a86a93e560e1d9ade2f78b0cf82d93b8833eb39[commit]
https://pagure.io/freeipa/issue/8614[#8614]
=== Antonio Torres Moríñigo (2)
* ipatests: test that trailing/leading whitespaces in passwords are
allowed
https://pagure.io/freeipa/c/3f3762ef92a809059f196e5553f1c31e9f1180e7[commit]
* Allow leading/trailing whitespaces in passwords
https://pagure.io/freeipa/c/89eba7d38db2f510554b3365f9d099190ce80c51[commit]
https://pagure.io/freeipa/issue/7599[#7599]
=== Christian Heimes (1)
* Add ccache sweeper files to gitignore
https://pagure.io/freeipa/c/56b84973b9f02e74f2518bd58694b673f88f8d5e[commit]
https://pagure.io/freeipa/issue/8589[#8589]
=== François Cami (1)
* ipatests: test_ipahealthcheck: fix units
https://pagure.io/freeipa/c/34add4a2e091dc7bc6031f8fc6cc80904b1bea20[commit]
https://pagure.io/freeipa/issue/8674[#8674]
=== Florence Blanc-Renaud (12)
* ipatests: fix discrepancies in nightly defs
https://pagure.io/freeipa/c/bb78693405aab603203e60a174b04cd3264e1855[commit]
* ipatests: fix expected output for ipahealthcheck.ipa.files
https://pagure.io/freeipa/c/dc2a52abe256d2de09eafe8a07898b0cbea3404b[commit]
https://pagure.io/freeipa/issue/8662[#8662]
* ipatests: fix healthcheck test for ipahealthcheck.ds.encryption
https://pagure.io/freeipa/c/2a207918521b474a39c1689837db146800624af8[commit]
https://pagure.io/freeipa/issue/8670[#8670]
* ipatests: fix expected errmsg in
TestTrust::test_ipa_commands_run_as_aduser
https://pagure.io/freeipa/c/bd3bad88ee4d4535416ad5fc5f97b55a939534ef[commit]
https://pagure.io/freeipa/issue/8668[#8668]
* ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6[commit]
https://pagure.io/freeipa/issue/8596[#8596],
https://pagure.io/freeipa/issue/8653[#8653]
* selinux: modify policy to allow one-way trust
https://pagure.io/freeipa/c/952b6bdcceda9f460e17075404084f1f3ddb5eaa[commit]
https://pagure.io/freeipa/issue/8508[#8508]
* ipatests: add test_ipa_cert_fix to the nightly definitions
https://pagure.io/freeipa/c/7f2be8a45a1d4baff0074cf4d8c446e3d08db795[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipa-cert-fix: do not fail when CSR is missing from CS.cfg
https://pagure.io/freeipa/c/eb711f781322657b0b3d77332f2462ecfb27db95[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipatests: add a test for ipa-cert-fix
https://pagure.io/freeipa/c/f36e518b5704b02b81a4b80a1b84c429594cf5ce[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipatests: clear initgroups cache in clear_sssd_cache
https://pagure.io/freeipa/c/286d0680a6d4ae53b79596e545f9291791e36aa5[commit]
* ipatests: remove test_acme from gating
https://pagure.io/freeipa/c/dd1b596b5711aefd87fd6ec340c3713ee5932425[commit]
https://pagure.io/freeipa/issue/8602[#8602]
* ipatests: fix expected error message in test_commands
https://pagure.io/freeipa/c/8bc341868f9154a625b7aae2604a7aa7b6cd0696[commit]
https://pagure.io/freeipa/issue/8631[#8631]
=== JoeDrane (1)
* Update ipa_sam.c
https://pagure.io/freeipa/c/b53592492879f87465774eb9a4d6c02a8ba26a5e[commit]
=== Rob Crittenden (16)
* ipatests: test the cgroup v2 memory restrictions
https://pagure.io/freeipa/c/85d944cea13725511973fa00c9db6a1ebeb90efa[commit]
https://pagure.io/freeipa/issue/8635[#8635]
* Add support for cgroup v2 to the installer memory checker
https://pagure.io/freeipa/c/1dd4501a9fe1e83964b1f008b91d20b4afe5051a[commit]
https://pagure.io/freeipa/issue/8635[#8635]
* ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get
https://pagure.io/freeipa/c/7b380969241b7f28b2aa275ff1a71fdf78912580[commit]
https://pagure.io/freeipa/issue/8658[#8658]
* ipa-rmkeytab: convert numeric return values to #defines
https://pagure.io/freeipa/c/06ffc7aae7f37bbd03dbd145e30c13f2234ed071[commit]
https://pagure.io/freeipa/issue/8658[#8658]
* ipa_pwd: Remove unnecessary conditional
https://pagure.io/freeipa/c/f6cfbffc8f2e45d0e8e6057e6ead6d35e99bf48a[commit]
* ipa_kdb: Fix memory leak
https://pagure.io/freeipa/c/df0c2d7e0ca8c3620093a47c9592de4f37e86608[commit]
* ipa-kdb: Fix logic to prevent NULL pointer dereference
https://pagure.io/freeipa/c/93f8840ed8f484c7880534b86aaad3d1f8fb0d2e[commit]
* ipa-kdb: Change mspac base RID logic from OR to AND
https://pagure.io/freeipa/c/f0de557063b6db143fd0d2ff47b08610edb39706[commit]
* Add missing break statement to password quality switch
https://pagure.io/freeipa/c/ec4511ec12dfeff2cc2f3a23171089bd32c5add0[commit]
* Revert "Remove test for minimum ACME support and rely on package deps"
https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66[commit]
https://pagure.io/freeipa/issue/8634[#8634]
* ipatests: See if nologin supports -c before asserting message
https://pagure.io/freeipa/c/ca9f8d1c9feda6fd58220f1424970dcca5b730e0[commit]
https://pagure.io/freeipa/issue/7676[#7676]
* ipatests: test that modifying a permission attrs handles failure
https://pagure.io/freeipa/c/bdc383a1a906f97c06b2bfa281a4b290fb4b04b3[commit]
https://pagure.io/freeipa/issue/8646[#8646]
* Remove virtual attributes before rolling back a permission
https://pagure.io/freeipa/c/9ae744254dd845f9a459601cb8a1468aeaad028a[commit]
https://pagure.io/freeipa/issue/8646[#8646]
* Remove invalid test case for DNS SRV priority
https://pagure.io/freeipa/c/071b71290601d4a5f6a65adf2b55c34d3865172d[commit]
https://pagure.io/freeipa/issue/8650[#8650]
* ipatests: test that no errors are reported after ipa-certupdate
https://pagure.io/freeipa/c/ad1764a1fff885e1c386b0a9f50517b2e0725e03[commit]
https://pagure.io/freeipa/issue/8644[#8644]
* Don't change the CA profile when modifying request in ipa_certupdate
https://pagure.io/freeipa/c/10ba43ad35acecdd1c4b7981db31a90cce1b9fab[commit]
https://pagure.io/freeipa/issue/8644[#8644]
=== Robbie Harwood (1)
* Set client keytab location for 389ds
https://pagure.io/freeipa/c/df411f00a3d1db2fcb0d122a54b9e13a57e35f3f[commit]
https://pagure.io/freeipa/issue/8656[#8656]
=== Stanislav Levin (2)
* ipatests: Don't assume sshd flushes its logs immediately
https://pagure.io/freeipa/c/cbe7d2258d6c900b2e02b2373e720275d9917316[commit]
https://pagure.io/freeipa/issue/8682[#8682]
* ipatests: Raise log level of 389-ds replication
https://pagure.io/freeipa/c/41a9cc637b4ea8794fc17f9fc06c6cf8d3a31caa[commit]
=== Sergey Orlov (2)
* ipatests: use fully qualified name for AD admin when establishing trust
https://pagure.io/freeipa/c/dc16c2484c1006bc249848383d86ef828abd921a[commit]
* ipatests: do not set dns_lookup to true
https://pagure.io/freeipa/c/8d7697af269e68e051ce969ae9cc835f5ba6a3b7[commit]
=== Sudhir Menon (2)
* ipatests: Test for IPATrustControllerPrincipalCheck
https://pagure.io/freeipa/c/2035ba9925ae738d2dbdd1274168cb99a2364db0[commit]
* ipatests: ipahealthcheck remove test skipped in pytest run
https://pagure.io/freeipa/c/27cc011ac286db20a4cd9dbdd65d4a8fd1cb7e3a[commit]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
SelfService change password.
by Kiselev Mikhail
I ran into the problem that the user cannot update his own password:
ipa user-show new
  User login: new
  First name: new
  Last name: new
  Home directory: /home/new
  Login shell: /bin/bash
  Principal name: new@OPENTECH.LOCAL
  Principal alias: new@OPENTECH.LOCAL
  Email address: new@e2e4online.ru
  UID: 346726108
  GID: 100
  Account disabled: False
  Password: True
  Member of groups: ipausers, users
  Indirect Member of group: jira_users, grafana_users, asterisk_users, perspectiva_rdp, bamboo_users, nexus_users, bitbucket_users, moodle_users, harbor_users, inkass_rdp, desktop, confluence_users, jenkins_users, maven_users, ivideon_users, chat_users, mail_users, nextcloud_users
  Indirect Member of HBAC rule: login_users
  Kerberos keys available: True

ipa user-status new
-----------------------
Account disabled: False
-----------------------
  Server: ipareplica1.opentech.local
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Time now: 2021-01-12T06:58:47Z

  Server: ipareplica2.opentech.local
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Time now: 2021-01-12T06:58:47Z

  Server: ipa.opentech.local
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Time now: 2021-01-12T06:58:47Z
----------------------------
Number of entries returned 3
----------------------------
ipa -vv passwd
ipa: INFO: trying https://ipa.opentech.local/ipa/session/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "new@OPENTECH.LOCAL",
    "result": {
        "messages": [
            {
                "code": 13001,
                "data": {
                    "server_version": "2.231"
                },
                "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.231",
                "name": "VersionMissing",
                "type": "warning"
            }
        ],
        "summary": "IPA server version 4.6.6. API version 2.231"
    },
    "version": "4.6.6"
}
ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "command_defaults/1",
    "params": [
        [
            "passwd/1"
        ],
        {
            "kw": null,
            "params": [
                "principal"
            ],
            "version": "2.231"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "new@OPENTECH.LOCAL",
    "result": {
        "result": {
            "principal": "new@OPENTECH.LOCAL"
        }
    },
    "version": "4.6.6"
}
ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "command_defaults/1",
    "params": [
        [
            "passwd/1"
        ],
        {
            "kw": {
                "principal": "new@OPENTECH.LOCAL"
            },
            "params": [
                "current_password"
            ],
            "version": "2.231"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "new@OPENTECH.LOCAL",
    "result": {
        "result": {}
    },
    "version": "4.6.6"
}
Current Password:
New Password:
Enter New Password again to verify:
ipa: INFO: [try 1]: Forwarding 'command_defaults/1' to json server 'https://ipa.opentech.local/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "command_defaults/1",
    "params": [
        [
            "passwd/1"
        ],
        {
            "kw": null,
            "params": [
                "principal"
            ],
            "version": "2.231"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "new@OPENTECH.LOCAL",
    "result": {
        "result": {
            "principal": "new@OPENTECH.LOCAL"
        }
    },
    "version": "4.6.6"
}
ipa: INFO: [try 1]: Forwarding 'passwd/1' to json server 'https://ipa.opentech.local/ipa/session/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "passwd/1",
    "params": [
        [],
        {
            "current_password": "test",
            "password": "123",
            "version": "2.231"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 2100,
        "data": {
            "info": "Insufficient access rights"
        },
        "message": "Insufficient access: Insufficient access rights",
        "name": "ACIError"
    },
    "id": 0,
    "principal": "new@OPENTECH.LOCAL",
    "result": null,
    "version": "4.6.6"
}
ipa: ERROR: Insufficient access: Insufficient access rights
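The ACIError in the passwd/1 response above means the bound user's DN matched no 389-ds ACI that allows write on the password attributes of its own entry. The following Python is an added example, not code from the post above or from FreeIPA: it parses ACIs of the shape FreeIPA installs (targetattr, acl name, allow/deny with a rights list, a single userdn bind rule) and evaluates whether a given bound DN may exercise a right on an attribute of a given entry, with deny taking precedence. The sample ACIs, their names, the attribute lists and the DNs are constructed for the example; compound bind rules (and/or, groupdn, ip, authmethod) are not handled.

```python
"""Evaluate 389-ds ACIs for a self-service write, the permission that
'ipa passwd' on one's own account depends on."""
import re

# Constructed sample ACIs. They follow the shape of the ACIs FreeIPA installs
# under cn=accounts, but names, attribute lists and DNs are assumptions made
# for this example, not values copied from a server.
SAMPLE_ACIS = [
    '(targetattr = "userpassword || krbprincipalkey || passwordhistory")'
    '(version 3.0; acl "selfservice:Self can write own password"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr = "ipasshpubkey")(version 3.0; '
    'acl "selfservice:Users can manage their own SSH public keys"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr != "userpassword || krbprincipalkey")(version 3.0; '
    'acl "Anonymous read"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "userpassword")(version 3.0; '
    'acl "Frozen accounts cannot change password"; deny (write) '
    'userdn = "ldap:///uid=frozen,cn=users,cn=accounts,dc=example,dc=test";)',
]

ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)'   # target attrs
    r'.*?acl\s*"(?P<name>[^"]*)"\s*;\s*'                          # acl name
    r'(?P<kind>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*'         # rights list
    r'userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)\s*$',             # bind rule
    re.S | re.I,
)


def parse_aci(aci):
    """Split one ACI string into its target, name, kind, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: %s" % aci)
    return {
        "name": m.group("name"),
        "negated": m.group("op") == "!=",
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "kind": m.group("kind").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "userdn": m.group("userdn").lower(),
    }


def targets_attr(aci, attr):
    """True when the targetattr clause covers `attr` ('!=' inverts the list)."""
    hit = attr.lower() in aci["attrs"] or "*" in aci["attrs"]
    return not hit if aci["negated"] else hit


def bind_matches(aci, bound_dn, entry_dn):
    """Evaluate the userdn bind rule for a bind DN (None = anonymous)."""
    u = aci["userdn"]
    if u == "ldap:///anyone":
        return True
    if u == "ldap:///all":
        return bound_dn is not None
    if u == "ldap:///self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    return bound_dn is not None and u == "ldap:///" + bound_dn.lower()


def decide(acis, bound_dn, entry_dn, attr, right="write"):
    """Return (allowed, [names of applicable ACIs]).

    Mirrors the 389-ds rule that any applicable deny wins and that with no
    applicable allow the default answer is denied.
    """
    applicable = [a for a in map(parse_aci, acis)
                  if targets_attr(a, attr)
                  and (right in a["rights"] or "all" in a["rights"])
                  and bind_matches(a, bound_dn, entry_dn)]
    names = [a["name"] for a in applicable]
    if any(a["kind"] == "deny" for a in applicable):
        return False, names
    return any(a["kind"] == "allow" for a in applicable), names


if __name__ == "__main__":
    me = "uid=new,cn=users,cn=accounts,dc=example,dc=test"
    print(decide(SAMPLE_ACIS, me, me, "userPassword"))
    print(decide(SAMPLE_ACIS, None, me, "userPassword"))
```

On a live server the strings to feed in are the `aci` attribute values of the entries above the user, for example read with an authenticated `ldapsearch -Y GSSAPI -b 'cn=accounts,dc=opentech,dc=local' -s base aci` (suffix assumed from the realm shown above); if no allow ACI with a self bind rule covers the password attributes, that is the missing permission behind error 2100. Note also that `ipa -vv` prints the request parameters verbatim, so a trace like the one above carries the current and new password in clear text and should be scrubbed before it is shared.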
subdomain_homedir parameter
by Rik Theys
Hi,
I'm setting up a test environment with FreeIPA. I have it set up with one-way trusts to 2 AD domains and logging in works ok.
The AD trusts are not set up with the "posix" type, so the IPA servers should not be looking up posix attributes from AD.
I'm now trying to configure the home directory for AD users on ipa clients. From what I've found online so far, it should be possible to configure this parameter with the "subdomain_homedir" sssd.conf parameter.
Is it sufficient to configure this parameter on the IPA server(s), or do I have to configure it on all IPA clients?
For now, I've configured it on my 3 IPA servers and restarted sssd. I've also cleared the sssd caches with 'sss_cache -E', but looking up the home directory still returns the old format. Even on the IPA servers themselves (where I've performed the sssd.conf changes).
Is there anything else I need to configure/restart?
I currently have it configured in the [domain/my-ipa-domain-name] section of sssd.conf on the IPA servers.
I have a similar question regarding the login shell for AD users. I've updated the default shell from /bin/sh to /bin/bash using:
ipa config-mod --defaultshell=/bin/bash
But this does not seem to change the shell for my AD user? If I run 'getent passwd aduser1@addomain' on an IPA client, it shows nothing for the shell!?
I know I can configure ID views with overrides for specific users, but is there a way to specify defaults for the homedir and loginshell in an ID view?
Regards,
Rik
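The subdomain_homedir, override_homedir and fallback_homedir options all take a template built from the %-specifiers documented in sssd.conf(5) (%u, %U, %d, %f, %l, %P, %o, %h, %H, %%), and subdomain_homedir defaults to /home/%d/%u. The following Python is an added example, not code from the post above or from SSSD: it expands such a template for an AD user so the resulting path can be previewed before the template is put into sssd.conf and caches are cleared. The user attributes are constructed; treating %o and %h as empty for a user whose identity provider supplied no home directory (the non-POSIX trust case) is an assumption made for the example.

```python
"""Preview sssd home-directory templates (subdomain_homedir,
override_homedir, fallback_homedir) by expanding the %-specifiers that
sssd.conf(5) documents for them."""

# Constructed AD user for the example; nothing here comes from a real trust.
SAMPLE_USER = {
    "name": "aduser1",
    "uid": 1834001104,
    "domain": "addomain.example",
    "upn": "aduser1@ADDOMAIN.EXAMPLE",
    "orig_homedir": None,   # non-POSIX trust: AD supplies no homeDirectory
}


def expand_homedir(template, user, homedir_substring="/home"):
    """Expand one template for `user`.

    Specifiers follow sssd.conf(5): %u login, %U uid, %d domain,
    %f user@domain, %l first letter of the login, %P UPN, %o original
    home directory, %h the same lowercased, %H homedir_substring, %% '%'.
    %o/%h expand to "" when the provider supplied no home directory
    (assumption made for this example). An unknown specifier raises
    ValueError so a typo is caught before it reaches sssd.conf.
    """
    orig = user.get("orig_homedir") or ""
    fq = "%s@%s" % (user["name"], user["domain"])
    subst = {
        "u": user["name"],
        "U": str(user["uid"]),
        "d": user["domain"],
        "f": fq,
        "l": user["name"][:1],
        "P": user.get("upn") or fq,
        "o": orig,
        "h": orig.lower(),
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        spec = template[i + 1:i + 2]
        if spec not in subst:
            raise ValueError("unknown specifier %%%s in %r" % (spec, template))
        out.append(subst[spec])
        i += 2
    return "".join(out)


def preview(templates, user):
    """Map each candidate template to the path it yields for `user`."""
    return {t: expand_homedir(t, user) for t in templates}


if __name__ == "__main__":
    candidates = ["/home/%d/%u", "/home/%f", "%H/%l/%u", "%o"]
    for t, path in preview(candidates, SAMPLE_USER).items():
        print("%-14s -> %r" % (t, path))
```

The expansion only decides the path string; which option applies to a trusted-domain user and on which host (the server answering the lookup or the client) is governed by sssd.conf(5), and a template that ends up empty, as %o does for a non-POSIX trust user here, is worth catching in such a preview before sssd falls back to another option.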
Expired SSL for HTTPS and LDAP
by Ahmed ElShafaie
Greetings all,
I had a problem renewing the SSL certificate for httpd and LDAP. I got a new certificate from http://ssl.com/, so I need clear instructions for adding this new certificate to the LDAP service and httpd.
Thank you in advance
Ahmed
No such file or directory: '/etc/authselect/user-nsswitch.conf'
by Jacquelin Charbonnel
For information: on a fresh host running CentOS Stream release 8,
# ipa-server-install
ends with:
  [Errno 2] No such file or directory: '/etc/authselect/user-nsswitch.conf'
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
  Configuration of client side components failed!
  The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
To solve the problem:
# touch /etc/authselect/user-nsswitch.conf
# ipa-server-install --uninstall
# ipa-server-install
--
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers