chronyd support in freeipa server?
by Kent Brodie
I have found online docs proposing chronyd support for freeipa (target 4.7).
I am running 4.8. Does support for using chronyd instead of ntpd exist yet? I have not found anything concrete yet to confirm this.
If this exists, is there a documented procedure to change?
And if the support does not exist yet, does anyone have insight as to when that might happen?
Thank you all in advance.
3 years, 2 months
ansible-freeipa in RHEL8.1
by Dominik Vogt
For the moment we're stuck with RHEL8.1. The ansible-freeipa
package there (0.1.6-4) does not seem to include the "ipaconf" and
"iparole" modules (maybe others). Are they missing, in a
different package or do we need to upgrade to a newer RHEL
version?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
3 years, 2 months
RHEL IdM update in CentOS 8 Stream
by Alexander Bokovoy
Hi,
[I sent this to centos-devel@ mailing list already, now sending to
freeipa-users@ for wider distribution]
Thanks to Carl and Brian, yesterday's compose of CentOS 8 Stream now
includes RHEL IdM bits slated for RHEL 8.4. Several components were
rebased to their upstream versions and are worth noting for those who
want to test them in advance of RHEL 8.4.
Note that these are not final RHEL IdM updates for RHEL 8.4. While the RHEL
builds have already passed through a comprehensive QA cycle, there are still
a few improvements that will come during the next month or so. Bugs found by
CentOS 8 Stream users would in general be seen in the same way as those
found by RHEL QE teams during RHEL minor release development, so it
is your opportunity to help. Improvements in the form of upstream
patches are welcome too.
There are many small and large fixes and improvements in FreeIPA 4.9.0.
For more detailed information I'd point to FreeIPA 4.9.0 release notes:
https://www.freeipa.org/page/Releases/4.9.0#Highlights_in_4.9.0
Among those changes, we are looking for feedback on the following
features of RHEL IdM in CentOS 8 Stream:
== ACME CA integration
With FreeIPA 4.9 and Dogtag 10.10 it is now possible to deploy ACME
support in the FreeIPA CA and issue certificates using the ACME protocol. For
more details please look at https://www.freeipa.org/page/V4/ACME for a
general design overview and Fraser's blog posts about the feature:
https://frasertweedale.github.io/blog-redhat/tags/acme.html
CentOS 8 Stream includes the mod_md Apache module as one of the ACME clients.
Fedora and EPEL also have certbot, so there are multiple clients to
use. Interoperability testing with other clients would also be great to
see reported.
== Active Directory integration improvements
There are enhancements to the services for user (S4U) feature of the Kerberos
protocol extensions in Active Directory. In particular, it is now
possible to run MS SQL Server on a server enrolled into a RHEL IdM domain
and allow access to it for users of trusted Active Directory forests,
along with IPA users. MS SQL performs certain operations that required
functionality not supported by RHEL IdM. This was fixed in RHEL 8.3.
More improvements are available in CentOS 8 Stream, including
performance improvements when creating Kerberos tickets for Active
Directory users with large AD group membership.
== Non-FQDN host support
FreeIPA requires uniform hostname support -- either all systems are defined
with fully-qualified hostnames or they all use non-FQDN names. In
practice, there are checks in the installers to always force FQDN host
names. There are many applications that insist on seeing hostnames as
non-fully qualified. FreeIPA 4.9.0 adds the ability to enroll non-FQDN
hosts into an otherwise FQDN-based IPA deployment.
In addition, this allows enrolling clients with hostnames whose total FQDN
length is longer than 64 characters on Linux.
== FIPS support
RHEL IdM in CentOS 8 Stream can now be deployed and operated
in FIPS mode. One notable omission is support for trusted Active
Directory domains. We are working on FIPS support for trust to AD
upstream and have already made good progress. Hopefully, this work will be
completed in the upcoming weeks and will also land in CentOS 8 Stream.
== DNS support improvements
PTR records are now supported in any zone type to facilitate DNS-SD
[RFC6763] operations, for example publishing printers.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 2 months
Advanced RBAC Rules
by Yehuda Katz
Is it possible to create an RBAC rule that includes a userattr filter?
For example, we added a cn=mailinglists and each mailing list has an `owner` attribute. We created a rule to allow anonymous reads in this subtree through RBAC.
I know we can create an ACI that would allow the owner to modify the list members:
(targetattr = "mgrpRFC822MailMember")(target = "ldap:///cn=*,cn=aliases,dc=example,dc=com")(version 3.0;acl "Owner Change Aliases";allow (add,delete,write) userattr = "owner#USERDN";)
Is there any way to create this ACI (or something that would do the same thing) through the RBAC system?
3 years, 2 months
Login failed due to an unknown reason.
by anilkumar panditi
Hi,
I am running FreeIPA as a Docker container and all of a sudden I am getting
an error message while trying to log in to the FreeIPA server via the web UI.
Login failed due to an unknown reason.
Tried checking for a solution, such as: chmod a+x /var/lib/krb5kdc
But I don't see krb5kdc under /var/lib
Please help.
3 years, 2 months
Let's encrypt SSL changed Intermediate
by Petar Kozić
Hi,
I had Let's Encrypt SSL on my FreeIPA server. When I set up FreeIPA for the first time, I set up Let's Encrypt in the following way:
I installed the DST CA root and the Let's Encrypt intermediate with the following commands:
ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
ipa-certupdate -v
Then I issued a Let's Encrypt SSL cert for the domain with certbot and made a PKCS#12 chain with the command:
openssl pkcs12 -export -in my_domain.cer -inkey my.key.key -out my_ipa.p12 -certfile fullchain.cer
and installed it with the command:
ipa-server-certinstall -w ipa.soholab.org.p12
In the last almost two years I didn't have any problems: Let's Encrypt was renewed and FreeIPA worked. But after the last renewal SSL failed.
In the FreeIPA GUI, when I try to access the Authentication tab, I get the error:
cannot connect to 'https://my_domain:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
I checked the SSL cert in the browser and I can see Let's Encrypt changed the intermediate from Let's Encrypt Authority X3 to R3.
I found a doc on letsencrypt.org where they talk about the intermediate changes:
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
I tried to install the new intermediate (R3) in the same way as I did earlier with the old intermediate:
ipa-cacert-manage -n R3 -t C,, install new_intermediate.cer
but without luck.
Maybe someone of you had the same problem, or has some idea how to solve this?
Thank you in advance.
3 years, 2 months
FreeIPA centos8 update Failed to authenticate to CA REST API
by Ian Willis
Hi All,
I've been using FreeIPA configured as an HA pair on CentOS for about 12
months and I've been really impressed, however this morning it has
started pumping mud. Any suggestions appreciated.
I did a dnf update of the server which appears to have broken the
FreeIPA server and I see the following errors from the ipa start:
ipactl start
IPA version error: data needs to be upgraded (expected version '4.8.7-13.module_el8.3.0+606+1e8766d7', current version '4.8.7-12.module_el8.3.0+511+8a502f20')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
...
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
Some information
The broken system.
CentOS Linux release 8.3.2011
ipa-server-4.8.7-13 (the updated server)
The still operational system
CentOS Linux release 8.3.2011
ipa-server-4.8.7-12
The certificate information based upon the following commands appears to be good.
getcert list -f /var/lib/ipa/ra-agent.pem | grep expires
expires: 2021-12-17 14:43:54 AEDT
ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
From the /var/log/ipaupgrade.log
2021-01-12T09:51:07Z DEBUG request GET https://groats.ipa.bogus.com.au:8443/ca/rest/account/login
2021-01-12T09:51:07Z DEBUG request body ''
2021-01-12T09:51:07Z DEBUG response status 500
2021-01-12T09:51:07Z DEBUG response headers Content-Type: text/html;charset=utf-8
From the ca debug logs /var/log/pki/pki-tomcat/ca/debug.2021-01-12.log
I'm not sure if the following are relevant
2021-01-12 20:50:49 [main] FINEST: Getting log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
2021-01-12 20:50:49 [main] FINEST: Getting log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
2021-01-12 20:50:49 [main] FINE: Event filters:
2021-01-12 20:50:49 [main] FINE: - CMC_SIGNED_REQUEST_SIG_VERIFY: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - CMC_USER_SIGNED_REQUEST_SIG_VERIFY: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - DELTA_CRL_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - FULL_CRL_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - OCSP_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - RANDOM_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - SELFTESTS_EXECUTION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINEST: Property log.instance.SignedAudit.trace not found
However where it dies is
2021-01-12 20:50:50 [main] FINEST: Property internaldb.doCloning not found
2021-01-12 20:50:50 [main] FINEST: Getting internaldb.doCloning=true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: doCloning: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: mininum: 3
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: maximum: 15
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: host: oats.ipa.amnesium.com.au
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: port: 636
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: secure: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: authentication: 2
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: makeConnection(true)
2021-01-12 20:50:50 [main] FINEST: Getting internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2021-01-12 20:50:50 [main] FINEST: Property tcp.keepAlive not found
2021-01-12 20:50:50 [main] FINEST: Getting tcp.keepAlive=true
2021-01-12 20:50:50 [main] FINE: TCP Keep-Alive: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnection: Connecting to oats.ipa.amnesium.com.au:636 with client cert auth
2021-01-12 20:50:50 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2021-01-12 20:50:50 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] SEVERE: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
.....
3 years, 3 months
mkhomedir recommendation?
by Dominik Vogt
ipa-client-install has the --mkhomedir option based on
pam_mkhomedir. RHEL8 seems to prefer oddjob-mkhomedir instead.
What's the recommended method for RHEL8.x please?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
3 years, 3 months
Password authentication fails for AD users on some systems
by Ronald Wimmer
On some systems I cannot log in using the password-based method. I see a
pam_sss authentication failure (Permission denied). Using a valid
Kerberos ticket for login works. (The same user works password-based on
other systems.)
What could possibly be the problem?
Cheers,
Ronald
3 years, 3 months