Disabled Domain fills IPA client sssd logs
by Ronald Wimmer
We do face the problem that we disabled a domain we do not need and that
this particular domain fills up sssd logs on the client side. Especially
sssd_nss.log. How could we possibly avoid this behavior?
Cheers,
Ronald
2 days, 1 hour
FreeIPA-Kubernetes Setup
by Ronald Wimmer
Hi,
are there any plans (or maybe ongoing work already) to let FreeIPA run
in a K8s environment?
Cheers,
Ronald
3 days, 4 hours
Different results with search in replicas
by danila kuzovlev
Hi, I'm trying to create centralized authorization for my services with a FreeIPA cluster in different locations. For some reasons I use a base search in the cn=compat tree for mapping users, but on different replicas the result of the same ldapsearch query is different:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
But if I make a search with "Subtree" scope against the first one, I can see entries in the answer:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
I have 4 ipa-servers with versions 4.9.6 and 4.9.10.
I can see this result with only one replica, with version 4.9.6. I tried deleting the topology segment and reinstalling ipa-replica, but it doesn't work.
Thanks.
2 weeks, 3 days
Configuration of server on DO droplet in Docker container and clients behind router's NAT
by Georgiy Odisharia
Hi there,
I know that it is not secure, but I have exposed a FreeIPA instance to the internet for uniform logging between all my machines. They reside in my home network behind an OpenWRT-based router (behind NAT). The router's public IP address is obtained via the ISP's DHCP.
I want to properly set up FreeIPA server in Docker container running on the DigitalOcean droplet, set up DNS entries in DigitalOcean panel, and properly set up client for allowing LDAP authentication (sssd.conf, krb5.conf and so on).
I don't know where to start or how to debug this, so if anybody could help me in general it would be highly appreciated.
3 weeks
Re: FreeIPA Replica Install Issue
by Rob Crittenden
Jerome Talbert via FreeIPA-users wrote:
> Hello,
>
> We had an issue with one of replicas and decided to remove it from the
> topology and run the ipa-server-install --uninstall command on the
> replica. I also went through and removed all the SRV records related to
> the replica.
>
> The idea was to reinstall the same server as replica again using the
> command:
>
> ipa-replica-install --setup-dns --setup-ca --principal=admin
> --password='############' --no-forwarders
>
> When I try to run the command, I get the following error message:
>
> ipapython.admintool: ERROR Cannot install replica of a server of
> higher version ((u'00000004', u'00000006', u'00000008', '*final')) than
> the local version ((u'00000004', u'00000006', u'00000006', '*final'))
>
> ipapython.admintool: ERROR The ipa-replica-install command failed.
> See /var/log/ipareplica-install.log for more information
>
> Any ideas what might be going on here? Do I have something left-over on
> the replica that needs to be cleaned up manually first?
As the message says, you are trying to create a new server using a lower
version than the remote server. A higher local version is allowed for
upgrades but not the other way around. (4.6.8 remote, 4.6.6 local).
Updating the IPA packages on your replica should fix it.
rob
3 weeks
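To make the two tuples in the error message concrete, here is a small added example (not IPA's own code) that rebuilds the zero-padded version tuples shown in the error and applies the rule Rob describes: the local version must be equal to or higher than the remote server's version. The tuple layout is taken from the error text (the `u''` prefixes are just Python 2 string repr); the parser that produces it is an assumption for illustration and models plain numeric releases only.

```python
"""Added example (not IPA's code): reproduce the replica version check
behind "Cannot install replica of a server of higher version" using the
zero-padded version tuples that appear in the error message."""


def version_tuple(version):
    """Turn '4.6.8' into ('00000004', '00000006', '00000008', '*final').

    Zero-padding each component to 8 digits makes plain tuple comparison
    behave numerically ('00000010' > '00000006', whereas '10' < '6' as bare
    strings); the trailing '*final' marks a release build. Only numeric
    releases are modelled here (assumed simplification).
    """
    pieces = version.strip().split(".")
    if not pieces or not all(p.isdigit() for p in pieces):
        raise ValueError("only numeric releases like '4.6.8' are modelled here")
    return tuple(p.zfill(8) for p in pieces) + ("*final",)


def can_install_replica(local_version, remote_version):
    """Rule from the thread: the new replica (local) may be the same or a
    higher version than the remote server, never lower."""
    return version_tuple(local_version) >= version_tuple(remote_version)


def explain(local_version, remote_version):
    """Return an admin-facing verdict: either ok, or the failure plus the fix."""
    local, remote = version_tuple(local_version), version_tuple(remote_version)
    if local >= remote:
        return "ok: local %s >= remote %s" % (local_version, remote_version)
    return ("Cannot install replica of a server of higher version (%r) than "
            "the local version (%r); update the IPA packages on the replica "
            "to at least %s" % (remote, local, remote_version))


if __name__ == "__main__":
    # Versions from the thread: remote server 4.6.8, local replica 4.6.6.
    print(explain("4.6.6", "4.6.8"))
    # After updating the local packages the check passes.
    print(explain("4.6.8", "4.6.8"))
```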
use FreeIPA/certmonger to manage and generate TLS certificates for vHosts
by Carlos Mogas da Silva
Hi list!
I'm trying to figure out a way to get certmonger to manage vhost certificates using FreeIPA. I'm able to use it to
generate and renew certificates for the host itself (`host1.example.com`), but what if I have several websites managed
on this same host (`webapp1.example.com` and `webapp2.example.com` are hosted on `host1.example.com`)? Is this possible
at all?
Thanks,
Carlos Mogas da Silva
3 weeks, 1 day
Accessing the compat subtree requires a specific search base
by Gianluca Amato
Hi,
I have a FreeIPA 4.10 installation with a Squid proxy server using the ext_kerberos_ldap_group_acl helper for authorizations. At some point the helper stopped working correctly. The problem is that ext_kerberos_ldap_group_acl uses the memberuid attribute, which is only available in the "cn=groups,cn=compat,dc=labeconomia,dc=unich,dc=it" subtree. Unfortunately, it seems that traversing the compat subtree is only possible when specifying a search base.
For example, the command
ldapsearch -H <host> "(uid=studente)"
returns the user "uid=studente,cn=users,cn=accounts,dc=labeconomia,dc=unich,dc=it"
If I want to get the corresponding user in the compat subtree, I need to specify a search base as in
ldapsearch -H <host> -b "cn=compat,dc=labeconomia,dc=unich,dc=it" "(uid=studente)"
which correctly returns "uid=studente,cn=users,cn=compat,dc=labeconomia,dc=unich,dc=it"
Now I wonder: is this the correct behavior? And if this is correct, why did ext_kerberos_ldap_group_acl use to work in the past?
Thanks for any help.
3 weeks, 2 days
Exception: Invalid instance: pki-tomcat
by Mark Clarke
Hi All,
After a recent system update freeipa pki-tomcat will not start. I have traced the error to where freeipa attempts to upgrade pki-tomcat in the service unit. "ExecStartPre=/usr/sbin/pki-server upgrade %i". I have no idea why it thinks the instance id is wrong. Anyone else with this problem and know how to fix it?
VERSION: 4.9.10, API_VERSION: 2.251
Feb 24 06:42:16 auth-server.abc.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: ERROR: Invalid instance: pki-tomcat
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: Traceback (most recent call last):
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 41, in <module>
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: cli.execute(sys.argv)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 145, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: super(PKIServerCLI, self).execute(args)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 217, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: module.execute(module_args)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/cli/upgrade.py", line 135, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: raise Exception('Invalid instance: %s' % instance_name)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: Exception: Invalid instance: pki-tomcat
3 weeks, 2 days
Re: any disadvantages to using gssproxy?
by Alexander Bokovoy
On Mon, 20 Feb 2023, Charles Hedrick via FreeIPA-users wrote:
>We have a site where some users want to be able to run cron jobs with
>credentials so they can access files via NFS. We are currently using a
>local mechanism to generate those credentials. I'm considering using
>gssproxy instead. I've verified that it will work.
>
>Is there any disadvantage to installing gssproxy on all systems, and
>setting use_gss_proxy in /etc/nfs.conf? We're on Ubuntu 20.04 and
>22.04.
>
>The only issue I can see is that attempts to access files will cause
>something (the server?) to check for delegation entries in LDAP. If
>this only happens when credentials aren't already present, the extra
>overhead should be minimal. But we have lots of calls to rpc.gss,
>particularly since we expire contexts in 30 min, to deal with the
>problem that removing users from a group doesn't remove their access to
>files protected by the group until their NFS session credentials are
>refreshed.
GSSProxy does not look at LDAP at all, it is not written to do so. What
it does is that it allows applications to request operations on behalf
of users (allow_constrained_delegation=true or
allow_constrained_delegation=true in a configuration file) and *that*
requires KDC to perform conditional delegation checks. The check is done
by KDC, not by GSSProxy, at the time when a client (GSSProxy in this
case) would request a protocol transition or constraint delegation, e.g.
to obtain a ticket to a service.
When there is a ticket already, no additional operations would be done.
If you expire tickets in 30 minutes, then at least once in those 30
minutes if you'd get a service performing acquisition of a Kerberos
ticket on behalf of the user, then KDC would get a request.
An additional consideration would be to see if you have any applications
that use Heimdal Kerberos instead of MIT Kerberos. GSSProxy is only
supported for MIT Kerberos-linked applications using GSSAPI. Heimdal has
no interposer mechanism pluggable interface, hence no way to interpose
it this way. That specifically affects Debian and Ubuntu as their Samba
builds are done against Heimdal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 weeks, 3 days
FreeIPA Replica Install Issue
by Jerome Talbert
Hello,
We had an issue with one of the replicas and decided to remove it from the topology and run the ipa-server-install --uninstall command on the replica. I also went through and removed all the SRV records related to the replica.
The idea was to reinstall the same server as replica again using the command:
ipa-replica-install --setup-dns --setup-ca --principal=admin --password='############' --no-forwarders
When I try to run the command, I get the following error message:
ipapython.admintool: ERROR Cannot install replica of a server of higher version ((u'00000004', u'00000006', u'00000008', '*final')) than the local version ((u'00000004', u'00000006', u'00000006', '*final'))
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Any ideas what might be going on here? Do I have something left-over on the replica that needs to be cleaned up manually first?
Thanks,
Jerome Talbert
3 weeks, 5 days