Announcing SSSD 2.4.1
by Pavel Březina
# SSSD 2.4.1
The SSSD team is proud to announce the release of version 2.4.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.4.1
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_4_1
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald output,
to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
### New features
* New PAM module `pam_sss_gss` for authentication using GSSAPI
* `case_sensitive=Preserving` can now be set for trusted domains with AD
provider
* `case_sensitive=Preserving` can now be set for trusted domains with the
IPA provider. However, the option needs to be set to `Preserving` on
both the client and the server for it to take effect.
* The `case_sensitive` option can now be inherited by subdomains
* `case_sensitive` can now be set separately for each subdomain in the
`[domain/parent/subdomain]` section
* `krb5_use_subdomain_realm=True` can now be used when sub-domain user
principal names have upnSuffixes which are not known in the parent
domain. SSSD will try to send the Kerberos request directly to a KDC of
the sub-domain.
### Important fixes
* krb5_child uses proper umask for DIR type ccaches
* Memory leak in the simple access provider
* KCM performance has improved dramatically for cases where a large number
of credentials is stored in the ccache.
### Packaging changes
* Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page
### Configuration changes
* New default value of `debug_level` is 0x0070
* Added `pam_gssapi_check_upn` to enforce authentication only with a
principal that can be associated with the target user.
* Added `pam_gssapi_services` to list PAM services that can authenticate
using GSSAPI
3 years, 1 month
Samba server in freeIPA domain
by Rik Theys
Hi,
We are currently evaluating FreeIPA (again) for our environment. Our IPA has one-way trusts with two AD domains from two different forests.
Most things seem to be working ok so far.
I'm now looking into setting up a samba server on an IPA-joined machine following the instructions in the documentation.
This works okay for kerberos authentication (as documented), but not (yet) for username/password authentication.
Is this something that is being worked on? Is it on the roadmap for a specific version? Is it technically impossible?
It seems that we are in a situation where none of the direct/indirect options seem to work for us :-(.
- direct integration with sssd does not support one-way AD trusts from different forests
- direct integration with winbind also does not seem to support one-way AD trusts from different forests as it seems to try to use the machine credentials to connect to the domain controllers of the trusted domain but this fails as there is no trust in the other direction. I hoped this would work with idmap_rid but that does not seem to be the case?
- indirect integration with ipa is what gets us as close to what we want to achieve as possible, except for this samba issue. Unfortunately this is somewhat of a blocker for us.
I don't think our setup is that special, so I'm wondering how other (freeIPA) users are handling this type of setup.
Regards,
Rik
3 years, 1 month
Modify user password by accepting hash as input
by Alfred Victor
Hi all,
We have a need to set the password hash value directly, is this possible?
It does not appear that ipa user-mod will support this, and using the API
or other methods looks like it will be fraught with access control
complications.
Andy
3 years, 1 month
Trust external IPA?
by Ian Pilcher
At work, I manage a small lab that is used by my team (< 10 people).
All lab users are currently managed in the lab FreeIPA, but we all use
it extensively, so creating separate credentials for the lab isn't
overly burdensome.
We're now expanding the lab, and the number of users who may need access
to it at some point is set to grow dramatically. Additionally, many of
these people are likely to be "one shot" users; they will need access to
some lab resources for a week or so and then not use it again for
months. For these users, I would *really* like to avoid the usual
user creation/password reset dance.
Fortunately(?) all of these users already have credentials in our
corporate IPA infrastructure. Is it possible to define users in the
local IdM server that will use the corporate server for authentication?
--
========================================================================
In Soviet Russia, Google searches you!
========================================================================
3 years, 1 month
migrating NIS passwords to FreeIPA in Fedora 33 with {CRYPT} and RH sample nis-users.sh script
by Robert Kudyba
Running FreeIPA 4.8.10-6, 5.10.10-200.fc33.x86_64
I'm using the nis-users.sh script from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
First note that the part (inside 'Now create this entry') that has
--gecos='$gecos' actually inserts $gecos into the FreeIPA record. Also a
simple fix to insert a first and last name would be:
first=$(echo "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
and adding in the "Now create this entry section":
--first=$first --last=$last
I'm trying to migrate the passwords from NIS so that they are merged in the
/etc/passwd file. (this is a test server). I followed Rob C's previous tips
from here
<https://freeipa-users.redhat.narkive.com/vTJsopZ5/problem-migrating-passw...>
and here
<https://www.redhat.com/archives/freeipa-users/2013-April/msg00058.html>.
Not sure it matters but in /etc/libuser.conf, crypt_style = sha512
In the script I added:
password1=$(echo "$line" | cut -f2 -d:)
and in the Now create this entry section:
--setattr "userpassword='{CRYPT}$password1'"
Here's what gets logged when debug is turned on:
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365]
[remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] admin@OURDOMAIN.EDU:
user_add/1('john', givenname='John', sn='Smith',
homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh',
uidnumber=5319, gidnumber=150,
setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",),
version='2.239'): SUCCESS
So does that appear that {CRYPT} is not being interpreted? I also added
some debug:
echo "Password hash value is $password1"
And what prints is the original hash, sans {CRYPT}.
So to test this outside of the script I added a test user:
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT}the-actual-hash-of-the-password' testuser
Then I ran the following and the password worked:
ldapsearch -x -D 'uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu' -W
# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testuser@OURDOMAIN.EDU
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testuser@ourdomain.edu
krbCanonicalName: testuser@OURDOMAIN.EDU
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z
# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0
# search result
search: 2
result: 0 Success
Is it still possible to do this in the current versions?
Thanks,
Rob
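The gecos split and the {CRYPT} attribute from the post above, as an added dry-run helper that is neither Rob's script nor the Red Hat nis-users.sh it builds on: it parses constructed NIS passwd lines and by default only echoes the ipa user-add call (using the --uid and --gidnumber options for the numeric ids) it would make. It also passes the userpassword value without inner single quotes, because in --setattr "userpassword='{CRYPT}$password1'" the single quotes survive the shell and become part of the stored attribute, as the setattr value in the user_add log line above shows.

```shell
#!/bin/sh
# Added example; not the nis-users.sh script or the wrapper from the thread.
# Reads NIS passwd map lines (login:hash:uid:gid:gecos:home:shell) and
# prints the ipa user-add invocation for each. IPA_CMD defaults to "echo",
# so this is a dry run; set IPA_CMD=ipa to really create the entries.

IPA_CMD=${IPA_CMD:-echo}

# First name from a gecos field; handles both "Last, First" and "First Last".
gecos_first() {
    case $1 in
        *,*) rest=${1#*,}; rest=${rest# }; printf '%s\n' "${rest%% *}" ;;
        *)   printf '%s\n' "${1%% *}" ;;
    esac
}

# Last name: the part before the comma, or the last word otherwise.
gecos_last() {
    case $1 in
        *,*) before=${1%%,*}; printf '%s\n' "${before##* }" ;;
        *)   printf '%s\n' "${1##* }" ;;
    esac
}

# Build the user-add call for one NIS line. Returns 1 and prints nothing
# when the line carries no usable crypt hash (shadowed "x", locked "!..." or "*").
nis_line_to_ipa_cmd() {
    IFS=: read -r login hash uid gid gecos home shell <<EOF
$1
EOF
    [ -n "$login" ] && [ -n "$uid" ] || return 1
    case $hash in
        ''|x|'*'|'!'*) return 1 ;;
    esac
    first=$(gecos_first "$gecos")
    last=$(gecos_last "$gecos")
    # --gecos gets the expanded value (a single-quoted '$gecos' would store
    # the literal text), and userpassword is one argument with no inner quotes,
    # so the attribute stored is exactly {CRYPT}<hash>.
    "$IPA_CMD" user-add \
        --first="$first" --last="$last" --gecos="$gecos" \
        --homedir="$home" --shell="$shell" \
        --uid="$uid" --gidnumber="$gid" \
        --setattr "userpassword={CRYPT}$hash" \
        "$login"
}

# Constructed sample NIS map; the hashes are placeholders, not real ones.
SAMPLE_NIS='john:$6$saltsalt$fakehashvalue:5319:150:Smith, John:/home/smith:/bin/tcsh
svc:x:600:600:Service Account:/var/lib/svc:/sbin/nologin
jane:$6$othersalt$anotherfakehash:5320:150:Jane Doe:/home/jane:/bin/bash'

if [ "${1:-}" = "--run-sample" ]; then
    printf '%s\n' "$SAMPLE_NIS" | while IFS= read -r line; do
        nis_line_to_ipa_cmd "$line" || echo "skipped (no hash): ${line%%:*}" >&2
    done
fi
```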
3 years, 1 month
Another 4.8.7 failed upgrade
by John Obaterspok
Hi,
I've been stuck for about a week since I updated to the latest ipa-server. It
seems to be the same problem Ian had ("FreeIPA centos8 update
Failed to authenticate to CA REST API"). He seems to have resolved it using
a replica, which I don't have.
Any ideas on how I get this to work?
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
centos-linux-release-8.3-1.2011.el8.noarch
...
IPA version error: data needs to be upgraded (expected version
'4.8.7-13.module_el8.3.0+606+1e8766d7', current version
'4.8.7-12.module_el8.3.0+511+8a502f20')
....
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
...
2021-01-22T08:47:46Z DEBUG request GET
https://ipa2.win.lan:8443/ca/rest/account/login
2021-01-22T08:47:46Z DEBUG request body ''
2021-01-22T08:47:47Z DEBUG response status 500
2021-01-22T08:47:47Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: en
Content-Length: 2234
Date: Fri, 22 Jan 2021 08:47:47 GMT
Connection: close
2021-01-22T08:47:47Z DEBUG response body (decoded), an Apache Tomcat/9.0.30 HTML error page reduced to its text:
HTTP Status 500 – Internal Server Error
Type: Exception Report
Message: CA subsystem unavailable. Check CA debug log.
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception:
javax.ws.rs.ServiceUnavailableException: CA subsystem unavailable. Check CA debug log.
	com.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)
	com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)
	com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)
Note: The full stack trace of the root cause is available in the server logs.
2021-01-22T08:47:47Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-01-22T08:47:47Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1805, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1670, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 414, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1954, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1960, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2021-01-22T08:47:47Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
-- john
3 years, 1 month
FreeIPA sudo command
by Mustapha Aissat
Hi all,
I have a question regarding sudo commands and rules in FreeIPA: is it
possible to allow a user to only install packages and not remove them?
For example, the sudo command would look like: /usr/bin/dnf install *****
I tried to configure the sudo command as "/usr/bin/dnf install" and it didn't
work.
If I set the command to "/usr/bin/dnf" it works. But the user is also
allowed to remove packages!
Any suggestions please?
Best regards,
3 years, 1 month
FreeIPA 4.9.1 released
by Alexander Bokovoy
The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.9.1
* 3226: [RFE] ipa sudorule-add-user should accept more types of
characters
IPA now supports users and groups from trusted Active Directory
domains in SUDO rules to specify runAsUser/runAsGroup properties
without an intermediate non-POSIX group membership
+
IPA now supports adding users and groups from trusted Active
Directory domains in SUDO rules without an intermediate non-POSIX
group membership
* 7599: Leading / trailing white spaces in password are disallowed
Allow leading and trailing whitespaces in passwords set through IPA
commands. They were already allowed via Kerberos and LDAP.
* 7676: ipa-client-install changes system wide ssh configuration
Skip the ProxyCommand wrapper in the SSH configuration when the user is
configured with /sbin/nologin, to allow automated tools to operate as
expected.
* 8528: Use separate logs for AD Trust and DNS installer
ipa-adtrust-install and ipa-dns-install commands now log their
activity into separate log files.
* 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing
from CS.cfg
ipa-cert-fix tool now handles situations when a CSR is missing from
Dogtag's CA/KRA CS.cfg configuration files. Configuration file is
updated with a CSR tracked by Certmonger.
* 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9
IPA will not deploy the ACME service if the Dogtag PKI version is known to
not provide a complete service. Complete ACME support requires
Dogtag 10.10.0 or later.
* 8635: Memory availability detection does not work with cgroupsv2
environment
Containerized environments on Linux with cgroup v2 are now
recognized and supported.
* 8644: ipa-certupdate drops profile from the caSigningCert tracking
The ipa-certupdate tool now honors the CA profile specified in the
certificate request it tries to update.
* 8646: permission-mod attrs, includedattrs and excludedattrs issues
Managed permission commands now properly roll back changes if a
generated ACI has incorrect syntax.
* 8655: Allow to establish trust to Active Directory in FIPS mode
When IPA is deployed in FIPS mode, it is now possible to establish
trust to Active Directory forest.
* 8659: ipa-kdb: provide correct logon time in MS-PAC from
authentication time
Trust to Active Directory support was improved to be more compatible
with AD DC queries: lookup groups via LSA RPCs, allow user principal
name lookups, more complete PAC record generation.
=== Enhancements
=== Known Issues
=== Bug fixes
FreeIPA 4.9.1 is a stabilization release for the features delivered as a
part of 4.9 version series.
There are more than 30 bug-fixes since FreeIPA 4.9.1 release. Details of
the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets
#3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
#7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8635 Memory availability detection does not work with cgroupsv2 environment
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
#8660 ipasam: implement PASSDB getgrnam call
#8661 ipasam: allow search of users by user principal name (UPN)
#8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
#8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
#8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8674 test_ipahealthcheck divides KiB by 1000
#8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
#8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails
== Detailed changelog since 4.9.1
=== Armando Neto (1)
* ipatests: Update PR-CI definitions for ipa-4-9
https://pagure.io/freeipa/c/ccdecaa984ef6ebcc63d754e896b2229bcba3b88[commit]
=== Alexander Bokovoy (30)
* Become FreeIPA 4.9.1
https://pagure.io/freeipa/c/aa58fad8eb98b0e8e248eb76b107b5e1faac4aeb[commit]
* Force-update translation po/uk.po
https://pagure.io/freeipa/c/a97967ff3b56ba3c3894a5aadffbef68961b3581[commit]
* Force-update translation po/ipa.pot
https://pagure.io/freeipa/c/cb583ac18e33698f9bd950490482a722cc993a06[commit]
* Force-update translation po/hu.po
https://pagure.io/freeipa/c/a1c43ac3c91ae045f402610c88141d7f3d387011[commit]
* Force-update translation po/de.po
https://pagure.io/freeipa/c/6f6dd6240c91b8a4a6c9e6f1090db33ec37c7857[commit]
* Update contributors list
https://pagure.io/freeipa/c/2ac8028e1f8dca4b8bc37bd4995043da647dbfb8[commit]
* baseldap: allow rejecting unknown objects instead of adding to an
external attr
https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* ipatests: when talking to AD DCs, use FQDN credentials
https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8[commit]
https://pagure.io/freeipa/issue/8678[#8678]
* test_trust: add tests for using AD users and groups in SUDO rules
https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* ipatests: fix test_sudorule_plugin's wrong argument use
https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* sudorule runAs: allow to add users and groups from trusted domains
directly
https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* sudorule-add-user: allow to reference users and groups from trusted
domains directly
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* idviews: add extended validator for users from trusted domains
https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* baseldap: when adding external objects, differentiate between them and
failures
https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* baseldap: refactor validator support in add_external_pre_callback
https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* Add design document for using AD users/groups in SUDO rules
https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* use a constant instead of /var/lib/sss/keytabs
https://pagure.io/freeipa/c/9f63afb4408e308c2ee972a72875525afefa5d54[commit]
* trust-fetch-domains: use custom krb5.conf overlay for all trust
operations
https://pagure.io/freeipa/c/c842d4b5c2404d263d56aa0c4ba33fe32b2ca61e[commit]
https://pagure.io/freeipa/issue/8655[#8655],
https://pagure.io/freeipa/issue/8664[#8664]
* ipaserver/dcerpc: store forest topology as a blob in ipasam
https://pagure.io/freeipa/c/3d706b6f57309ec394df617cecb9a73d021fc2f7[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: derive parent domain for subdomains automatically
https://pagure.io/freeipa/c/f103172954c259443f0c5b4ac89474e66cf3a1d6[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: free trusted domain context on failure
https://pagure.io/freeipa/c/e8f927db7da00d1671f871d3b2e89429aec3beb9[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: allow search of users by user principal name (UPN)
https://pagure.io/freeipa/c/2e8eb0f5fe82be58be88fa0d9b07ee7af69d8829[commit]
https://pagure.io/freeipa/issue/8661[#8661]
* ipasam: implement PASSDB getgrnam call
https://pagure.io/freeipa/c/962052a0567b6878843272b1882d0a0b3b2debd1[commit]
https://pagure.io/freeipa/issue/8660[#8660]
* ipa-kdb: provide correct logon time in MS-PAC from authentication time
https://pagure.io/freeipa/c/f8bf37422b7c49a4a39b4704b18158b37ee9ef80[commit]
https://pagure.io/freeipa/issue/8659[#8659]
* ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available
https://pagure.io/freeipa/c/3fa07a108030265dc89921a37216a1184e1e7516[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipaserver/dcerpc.py: use Kerberos authentication for discovery
https://pagure.io/freeipa/c/8ab9bf68a4d12c8763c1669d0c14b7771a3289da[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipaserver/dcerpc: use Samba-provided trust helper to establish trust
https://pagure.io/freeipa/c/753246f4e82af5697ee51bdc7f667959e1824be1[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipatests: fix race condition in finalizer of encrypted backup test
https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d[commit]
* ipaplatform: add constant for systemd-run binary
https://pagure.io/freeipa/c/8c7d1fbad15c5a906ffa261329dd49be048549ed[commit]
* Get back to git snapshots
https://pagure.io/freeipa/c/0fd4a8936f5b41e83ffdbe00f88309e5a2e94f9f[commit]
=== Antonio Torres (2)
* Check that IPA cert is added to trust store after server install
https://pagure.io/freeipa/c/2715fbd4a73115949264298858ed0835fe982164[commit]
https://pagure.io/freeipa/issue/8614[#8614]
* Test that IPA certs are removed on server uninstall
https://pagure.io/freeipa/c/2a86a93e560e1d9ade2f78b0cf82d93b8833eb39[commit]
https://pagure.io/freeipa/issue/8614[#8614]
=== Antonio Torres Moríñigo (2)
* ipatests: test that trailing/leading whitespaces in passwords are
allowed
https://pagure.io/freeipa/c/3f3762ef92a809059f196e5553f1c31e9f1180e7[commit]
* Allow leading/trailing whitespaces in passwords
https://pagure.io/freeipa/c/89eba7d38db2f510554b3365f9d099190ce80c51[commit]
https://pagure.io/freeipa/issue/7599[#7599]
=== Christian Heimes (1)
* Add ccache sweeper files to gitignore
https://pagure.io/freeipa/c/56b84973b9f02e74f2518bd58694b673f88f8d5e[commit]
https://pagure.io/freeipa/issue/8589[#8589]
=== François Cami (1)
* ipatests: test_ipahealthcheck: fix units
https://pagure.io/freeipa/c/34add4a2e091dc7bc6031f8fc6cc80904b1bea20[commit]
https://pagure.io/freeipa/issue/8674[#8674]
=== Florence Blanc-Renaud (12)
* ipatests: fix discrepancies in nightly defs
https://pagure.io/freeipa/c/bb78693405aab603203e60a174b04cd3264e1855[commit]
* ipatests: fix expected output for ipahealthcheck.ipa.files
https://pagure.io/freeipa/c/dc2a52abe256d2de09eafe8a07898b0cbea3404b[commit]
https://pagure.io/freeipa/issue/8662[#8662]
* ipatests: fix healthcheck test for ipahealthcheck.ds.encryption
https://pagure.io/freeipa/c/2a207918521b474a39c1689837db146800624af8[commit]
https://pagure.io/freeipa/issue/8670[#8670]
* ipatests: fix expected errmsg in
TestTrust::test_ipa_commands_run_as_aduser
https://pagure.io/freeipa/c/bd3bad88ee4d4535416ad5fc5f97b55a939534ef[commit]
https://pagure.io/freeipa/issue/8668[#8668]
* ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6[commit]
https://pagure.io/freeipa/issue/8596[#8596],
https://pagure.io/freeipa/issue/8653[#8653]
* selinux: modify policy to allow one-way trust
https://pagure.io/freeipa/c/952b6bdcceda9f460e17075404084f1f3ddb5eaa[commit]
https://pagure.io/freeipa/issue/8508[#8508]
* ipatests: add test_ipa_cert_fix to the nightly definitions
https://pagure.io/freeipa/c/7f2be8a45a1d4baff0074cf4d8c446e3d08db795[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipa-cert-fix: do not fail when CSR is missing from CS.cfg
https://pagure.io/freeipa/c/eb711f781322657b0b3d77332f2462ecfb27db95[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipatests: add a test for ipa-cert-fix
https://pagure.io/freeipa/c/f36e518b5704b02b81a4b80a1b84c429594cf5ce[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipatests: clear initgroups cache in clear_sssd_cache
https://pagure.io/freeipa/c/286d0680a6d4ae53b79596e545f9291791e36aa5[commit]
* ipatests: remove test_acme from gating
https://pagure.io/freeipa/c/dd1b596b5711aefd87fd6ec340c3713ee5932425[commit]
https://pagure.io/freeipa/issue/8602[#8602]
* ipatests: fix expected error message in test_commands
https://pagure.io/freeipa/c/8bc341868f9154a625b7aae2604a7aa7b6cd0696[commit]
https://pagure.io/freeipa/issue/8631[#8631]
=== JoeDrane (1)
* Update ipa_sam.c
https://pagure.io/freeipa/c/b53592492879f87465774eb9a4d6c02a8ba26a5e[commit]
=== Rob Crittenden (16)
* ipatests: test the cgroup v2 memory restrictions
https://pagure.io/freeipa/c/85d944cea13725511973fa00c9db6a1ebeb90efa[commit]
https://pagure.io/freeipa/issue/8635[#8635]
* Add support for cgroup v2 to the installer memory checker
https://pagure.io/freeipa/c/1dd4501a9fe1e83964b1f008b91d20b4afe5051a[commit]
https://pagure.io/freeipa/issue/8635[#8635]
* ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get
https://pagure.io/freeipa/c/7b380969241b7f28b2aa275ff1a71fdf78912580[commit]
https://pagure.io/freeipa/issue/8658[#8658]
* ipa-rmkeytab: convert numeric return values to #defines
https://pagure.io/freeipa/c/06ffc7aae7f37bbd03dbd145e30c13f2234ed071[commit]
https://pagure.io/freeipa/issue/8658[#8658]
* ipa_pwd: Remove unnecessary conditional
https://pagure.io/freeipa/c/f6cfbffc8f2e45d0e8e6057e6ead6d35e99bf48a[commit]
* ipa_kdb: Fix memory leak
https://pagure.io/freeipa/c/df0c2d7e0ca8c3620093a47c9592de4f37e86608[commit]
* ipa-kdb: Fix logic to prevent NULL pointer dereference
https://pagure.io/freeipa/c/93f8840ed8f484c7880534b86aaad3d1f8fb0d2e[commit]
* ipa-kdb: Change mspac base RID logic from OR to AND
https://pagure.io/freeipa/c/f0de557063b6db143fd0d2ff47b08610edb39706[commit]
* Add missing break statement to password quality switch
https://pagure.io/freeipa/c/ec4511ec12dfeff2cc2f3a23171089bd32c5add0[commit]
* Revert "Remove test for minimum ACME support and rely on package deps"
https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66[commit]
https://pagure.io/freeipa/issue/8634[#8634]
* ipatests: See if nologin supports -c before asserting message
https://pagure.io/freeipa/c/ca9f8d1c9feda6fd58220f1424970dcca5b730e0[commit]
https://pagure.io/freeipa/issue/7676[#7676]
* ipatests: test that modifying a permission attrs handles failure
https://pagure.io/freeipa/c/bdc383a1a906f97c06b2bfa281a4b290fb4b04b3[commit]
https://pagure.io/freeipa/issue/8646[#8646]
* Remove virtual attributes before rolling back a permission
https://pagure.io/freeipa/c/9ae744254dd845f9a459601cb8a1468aeaad028a[commit]
https://pagure.io/freeipa/issue/8646[#8646]
* Remove invalid test case for DNS SRV priority
https://pagure.io/freeipa/c/071b71290601d4a5f6a65adf2b55c34d3865172d[commit]
https://pagure.io/freeipa/issue/8650[#8650]
* ipatests: test that no errors are reported after ipa-certupdate
https://pagure.io/freeipa/c/ad1764a1fff885e1c386b0a9f50517b2e0725e03[commit]
https://pagure.io/freeipa/issue/8644[#8644]
* Don't change the CA profile when modifying request in ipa_certupdate
https://pagure.io/freeipa/c/10ba43ad35acecdd1c4b7981db31a90cce1b9fab[commit]
https://pagure.io/freeipa/issue/8644[#8644]
=== Robbie Harwood (1)
* Set client keytab location for 389ds
https://pagure.io/freeipa/c/df411f00a3d1db2fcb0d122a54b9e13a57e35f3f[commit]
https://pagure.io/freeipa/issue/8656[#8656]
=== Stanislav Levin (2)
* ipatests: Don't assume sshd flush its logs immediately
https://pagure.io/freeipa/c/cbe7d2258d6c900b2e02b2373e720275d9917316[commit]
https://pagure.io/freeipa/issue/8682[#8682]
* ipatests: Raise log level of 389-ds replication
https://pagure.io/freeipa/c/41a9cc637b4ea8794fc17f9fc06c6cf8d3a31caa[commit]
=== Sergey Orlov (2)
* ipatests: use fully qualified name for AD admin when establishing trust
https://pagure.io/freeipa/c/dc16c2484c1006bc249848383d86ef828abd921a[commit]
* ipatests: do not set dns_lookup to true
https://pagure.io/freeipa/c/8d7697af269e68e051ce969ae9cc835f5ba6a3b7[commit]
=== Sudhir Menon (2)
* ipatests: Test for IPATrustControllerPrincipalCheck
https://pagure.io/freeipa/c/2035ba9925ae738d2dbdd1274168cb99a2364db0[commit]
* ipatests: ipahealthcheck remove test skipped in pytest run
https://pagure.io/freeipa/c/27cc011ac286db20a4cd9dbdd65d4a8fd1cb7e3a[commit]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
High memory and swap usage by sssd_be process
by Miguel Hinojosa
We have been having an issue on both IdM servers since the 28th; there is no evidence of it before this date. Authentication performance is affected: it has become slow.
We are trying to figure out where the issue is.
We found these messages when the server was starting to consume high memory:
Jan 28 20:16:45 icidmpdc1 sssd: Child [10800] ('ipa.unicc.org':'%BE_ipa.unicc.org') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
Jan 28 20:16:45 icidmpdc1 be[ipa.unicc.org]: Starting up
We added more memory to one of them and it is still using more than 95% of memory, and it is still using between 20% and 60% of swap.
And, obviously, there are majflt/s:
01:13:02 PM pgpgin/s pgpgout/s fault/s majflt/s pgfree/s pgscank/s pgscand/s pgsteal/s %vmeff
01:14:01 PM 25.46 710.90 8456.75 0.49 7525.51 630.59 0.00 627.25 99.47
01:15:01 PM 207.28 813.30 7768.93 0.68 7458.57 773.50 0.00 581.38 75.16
01:16:01 PM 1110.16 1076.56 7726.09 2.68 7628.36 1041.29 24.97 840.16 78.79
01:17:01 PM 803.00 750.42 7827.29 1.93 7410.60 1144.91 0.00 765.54 66.86
01:18:01 PM 16282.35 6026.31 37911.53 55.44 17653.13 13243.27 52.22 5828.67 43.84
01:19:01 PM 5636.41 5428.07 17209.47 210.48 8604.65 5133.68 11.86 2333.18 45.34
01:20:02 PM 3108.13 4065.21 10127.76 229.49 6610.96 3183.18 8.94 1441.82 45.17
01:21:01 PM 15298.65 4763.03 13467.79 226.12 39224.22 6995.40 27.79 4130.50 58.81
01:22:01 PM 605.23 4454.37 28790.32 12.51 13404.36 0.00 0.00 0.00 0.00
Average: 1212.61 1222.89 18638.83 24.66 8143.57 730.57 2.68 445.85 60.80
In our monitoring, every 5 min memory usage goes up to more than 95%, and afterwards it goes down to less than 20%.
We made a test with node2 stopped and the issue persists. I.e., when both nodes are active (also replication) the issue is accentuated.
AD user unable to ssh to Linux host
by Mustapha Aissat
Hi all,
I'm facing some problems connecting an AD user to a Linux host via ssh.
I already configured the trust between the IPA server and AD.
I created an external group "*grp_dba*" pointing to the AD group.
I created a posix group "*admindba*" that contains the external group.
I created an HBAC rule "*allow_dba*" to allow the group to access the host.
I ran an HBAC test and it tells me that access is granted to the user.
On the client host, id, getent and even su work, but I still can't
ssh!
Can you please guide me?
Thank you in advance.
Here are some commands that I used, and logs:
----------
*On IPA server:*
[root@idm01 ~]# *ipa group-show admindba*
Group name: admindba
GID: 336200005
Member groups: grp_dba
Member of HBAC rule: allow_dba
[root@idm01 ~]# *ipa hbactest --user=admin_dba01@dz.corp --host=zabbix.linux.dz.corp --service=sshd*
--------------------
Access granted: True
--------------------
Matched rules: allow_dba
*On client host:*
[root@zabbix ~]# *id admin_dba01@dz.corp*
uid=1790001108(admin_dba01@dz.corp) gid=1790001108(admin_dba01@dz.corp) groups=1790001108(admin_dba01@dz.corp),1790000513(domain users@dz.corp),336200005(admindba),1790001107(grp_dba@dz.corp)
[root@zabbix ~]# *geten admin_dba01@dz.corp*
getenforce getent
[root@zabbix ~]# *getent passwd admin_dba01@dz.corp*
admin_dba01@dz.corp:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
[root@zabbix ~]# *getent group admin_dba01@dz.corp*
admin_dba01@dz.corp:*:1790001108:
[root@zabbix ~]# *su - admin_dba01@dz.corp*
Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1
*[admin_dba01@dz.corp@zabbix ~]$ logout*
[root@zabbix ~]#
[root@zabbix ~]# *journalctl -e*
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for admin_dba01@dz.corp from 192.168.122.1 port 43908 ssh2 [preauth]
Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user admin_dba01@dz.corp 192.168.122.1 port 43908 [preauth]
-------
Best regards,
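Triage logic for the journal excerpt above, as an added example that is not part of the thread: it pairs each pam_sss denial with the krb5_child errors logged just before it, so the "Ticket not yet valid" lines are reported next to the sshd denial they precede instead of being read in isolation. The sample journal lines are constructed from the post (with the archive's "(a)" restored to "@"); the extra libkrb5 time-validity strings and the 5-second pairing window are my assumptions.

```python
import re

# Constructed sample: the journal lines quoted in the post above, with the
# archive's "(a)" restored to "@".
SAMPLE_JOURNAL = """\
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} (?P<hms>\d{2}:\d{2}:\d{2})) \S+ (?P<rest>.*)$")
KRB_RE = re.compile(r"krb5_child\[\d+\]\]\]\[\d+\]: (?P<msg>.+)$")
PAM_RE = re.compile(r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

# libkrb5 error strings that concern ticket time validity rather than a wrong
# password or an HBAC denial (general Kerberos behaviour, assumed here; the
# thread itself does not confirm a diagnosis).
TIME_VALIDITY_ERRORS = ("Ticket not yet valid", "Ticket expired", "Clock skew too great")

def triage(journal, window=5):
    """Pair every pam_sss denial with the krb5_child errors logged at most
    `window` seconds earlier. Returns one dict per denial."""
    krb_errors = []   # (seconds of day, message) emitted by krb5_child
    findings = []
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m.group("hms").split(":"))
        t = h * 3600 + mi * 60 + s
        k = KRB_RE.search(m.group("rest"))
        if k:
            krb_errors.append((t, k.group("msg").strip()))
            continue
        p = PAM_RE.search(m.group("rest"))
        if p:
            related = sorted({msg for tk, msg in krb_errors if 0 <= t - tk <= window})
            findings.append({
                "time": m.group("ts"),
                "user": p.group("user"),
                "pam_code": int(p.group("code")),   # 6 is PAM_PERM_DENIED
                "krb5_errors": related,
                "ticket_time_problem": any(e in TIME_VALIDITY_ERRORS for e in related),
            })
    return findings
```

Note that `su -` run as root is let through by pam_rootok without a password, so it never exercises the pam_sss auth path that sshd does; a successful su from root therefore says nothing about Kerberos authentication.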