February 2022 - FreeIPA-users - Fedora mailing-lists

Certificat REVOKED_EXPIRED / How to suppress ?
by Karim Bourenane 23 Feb '22

23 Feb '22

Hello Team How to delete expired certificats from IPA PKI and Dogtag definitively. We haven't found any help to do that. Can you help ? Bien à vous Mr Karim Bourenane +33686464439 +32 493 86 63 54

2 2

Not possible to find KDC with Autodiscovery
by David Galarreta 23 Feb '22

23 Feb '22

Hello! we get the next error when we try to create a kerberos ticket: kinit: Cannot find KDC for realm "TEST.INTERN" while getting initial credentials /etc/krb5.conf: [libdefaults] default_realm = TEST.INTERN dns_lookup_realm = true dns_lookup_kdc = true rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] TEST.INTERN = { pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .domain.net = TEST.INTERN domain.net = TEST.INTERN client1.domain.net = TEST.INTERN The DNS Record from FreeIPA for Autodiscover are working. if I add kdc = ipaserver.domain.net > I get the kerberos Ticket. But we want to use autodiscovery for failover. So we do not want to add the sever address on every client. Do you have some Idea? Thanks

3 3

Local roles CA, DNS, DNSKeySync do not match globally used roles ADTRUST, CA, DNS, DNSKeySync.
by Sigbjorn Lie 23 Feb '22

23 Feb '22

Hi list, After our upgrade from EL7 to EL8, the ipa-backup script is stating a warning: "Warning: Local roles CA, DNS, DNSKeySync do not match globally used roles ADTRUST, CA, DNS, DNSKeySync. A backup done on this host would not be complete enough to restore a fully functional, identical cluster. Proceeding as role check was explicitly disabled." We are performing backup on an IPA server configured as a Hidden Master. Because this is a hidden master it has not been configured to be an ADTRUST Controller, only an ADTRUST Agent. We are currently using the "--disable-role-check" option to force the backup. Is this warning accurate, or is this a bug? If it is accurate, what data is specific to an ADTRUST Controller that would be missing from the backup? Thanks. Regards, Siggi

2 2

Re: FreeIPA, kinit with OTP
by Michael Schwartzkopff 22 Feb '22

22 Feb '22

On 22.02.22 00:08, Angus Clarke wrote: > I was meant to have attached the script sorry! > > Attached now. > > Hope it helps > Angus > ________________________________ > From: Michael Schwartzkopff<ms(a)sys4.de> > Sent: 21 February 2022 23:39 > To: Angus Clarke<angus(a)charworth.com> > Subject: Re: [Freeipa-users] Re: FreeIPA, kinit with OTP > > On 21.02.22 21:34, Angus Clarke wrote: > > Hi Michael > > I wrote this a long time back and we use it extensively. It mentions: > > # requires krb5-pkinit (not installed on ipa client by default) > > Otherwise something else is amiss I suppose. > > Regards > Angus > > > > after installation of the packet I can do a kinit -n and get the ANONYMOUS ticket. > > > But when I do a kinit with my user name I get: > > $ kinit username > kinit: Pre-authentication failed: Invalid argument while getting initial credentials > > > > > Mit freundlichen Grüßen, > > -- > > [*] sys4 AG > > https://sys4.de<https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsys4.de%…>, +49 (89) 30 90 46 64 > Schleißheimer Straße 26/MG,80333 München > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief > Aufsichtsratsvorsitzender: Florian Kirstein > following the steps of the script I get one step further. but still $ kinit -T KCM:1286400012 username Enter OTP Token Value: kinit: Preauthentication failed while getting initial credentials Are the any log files to check the auth process? Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein

3 3

FreeIPA, kinit with OTP
by Michael Schwartzkopff 21 Feb '22

21 Feb '22

Hi, I want to use OTP for krb tickets. Plain login works as expected. When I start kinit user I get the response: $ kinit user kinit: Generic preauthentication failure while getting initial credentials I read some docs and tried: $ kinit -n Password for WELLKNOWN/ANONYMOUS(a)SYS4.DE: Where do I set this ANONYMOUS password? On my FreeIPA server pkinit is enabled. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein

3 6

Rejoining to domain but getting error - You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
by sharmaji a 21 Feb '22

21 Feb '22

Hi FreeIPA team, I'm verifying FreeIPA backup/restore process. In our lab environment, FreeIPA 4.5.0 was running fine with single instance. I took the backup. Shutdown the VM. Created Fresh CentOS 7 VM and install IPA server 4.6.8 and did restore "data only" backup. FQDN and IP address is same as old VM. After little troubleshooting all services are working fine. I can see all users & host - All good. ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful Now from existing client side, I did ipa-client-install --uninstall. but when i do ipa-client-install --domain example.com --realm EXAMPLE.COM; but getting below error: Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. I tried on fresh client but still domain joining is failing with same error. Any suggestion? Also someone can share good document for backup/restore process where backup is restored on completely new & Fresh system... it will be highly appreciated. Regards, Anand

2 3

MemberManager
by Sigbjorn Lie-Soland 20 Feb '22

20 Feb '22

Hi list, We recenlty upgraded our IPA environment from EL7.9 to EL8.5. And now we are testing out the new Member Manager feature. Adding a usergroup (example: "role-groupmanager") as a MemberManager for another group (example: "role-usergroup-A") yields an error message when the user member of the "role-groupmanager” group (example: “thorleif”) attempts to add/remove users from the group "role-usergroup-A”: "Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry" If I add the user “thorleif” directly as a MemberManager of the group "role-usergroup-A”, allows him to successfully add and remove users from the group "role-usergroup-A”. I presume this is a bug? Is there a known BZ for this or do you need me to open one? Regards, Siggi

4 5

zone types - allow both - check for state
by lejeczek 20 Feb '22

20 Feb '22

@devel Hi guys. Not knowing nitty-gritty of the internals if it, I'd dare to suggest, as future enhancement perhaps, this: allow both types of zone, creation of the second type would fail if first is 'enabled' and the same would go for '-mod' - allow(and facilitate switch) enable only if other is disabled(certainly allow both to be 'disabled') that would certainly be handy bit from an admin point of view. many thanks, L.

3 5

Use of OTP in special cases?
by Michael Schwartzkopff 20 Feb '22

20 Feb '22

Hi, I am testing OTP usage of FreeIPA. really cool stuff. Thanks for you work. I have a user with "authentication type: OTP". So every time he wants to log in he is asked for username and token. Works. Sometimes it should be sufficient to provide only password, not OTP (i.e. inside company with company laptop). OTP should only be asked in special cases like VPN access. Is this possible? Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein

3 5

pcks11-bind with DDNS updates from ISC DHCP returns SERVFAIL frequently
by Brian J. Murrell 20 Feb '22

20 Feb '22

Is anyone here running FreeIPA on EL8 (a.k.a. RedHat IdM) with DDNS updates enabled from dhcpd, and running that server as their network's recursive resolver? Successfully? On EL7, this just didn't work for me due to https://bugzilla.redhat.com/show_bug.cgi?id=1409321 and it seems even worse on EL8. The TL;DR: is that if you have DDNS updates coming named-pkcs11 from ISC dhcpd, many (i.e. recursive resolver) queries to named-pkcs11 will frequently, temporarily and intermittently return SERVFAIL. If you stop the DDNS updates from ISC DHCP the recursive resolving behaviour of the server stabilizes and it stops returning SERVFAILs. So, this is just a query to see if anyone is actually running this configuration successfully. If you think you might be successful with this configuration, how many recursive resolvers do you have in your network? If you have more than just the (single) FreeIPA server, it might be that named-pkcs11 on that machine is frequently returning SERVFAIL and that you are just not noticing because your alternate recursive resolvers are masking it. So if you are running in such a configuration with alternate recursive resolvers, it might be interesting to use tcpdump or some such on your FreeIPA server to see if your named-pkcs11 is indeed returning SERVFAIL for many of your queries. Cheers, b.

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2022