use FreeIPA/certmonger to manage and generate TLS certificates for vHosts
by Carlos Mogas da Silva
Hi list!
I'm trying to figure out a way to get certmonger to manage vhost certificates using FreeIPA. I'm able to use it to
generate and renew certificates for the host itself (`host1.example.com`), but what if I have several websites managed
on this same host (`webapp1.example.com` and `webapp2.example.com` are hosted on `host1.example.com`)? Is this possible
at all?
Thanks,
Carlos Mogas da Silva
1 year
Accessing the compat subtree requires a specific search base
by Gianluca Amato
Hi,
I have a FreeIPA 4.10 installation with a Squid proxy server using the ext_kerberos_ldap_group_acl helper for authorizations. At some point the helper stopped working correctly. The problem is that ext_kerberos_ldap_group_acl uses the memberuid attribute, which is only available in the "cn=groups,cn=compat,dc=labeconomia,dc=unich,dc=it" subtree. Unfortunately, it seems that traversing the compat subtree is only possible when specifying a search base.
For example, the command
ldapsearch -H <host> "(uid=studente)"
returns the user "uid=studente,cn=users,cn=accounts,dc=labeconomia,dc=unich,dc=it"
If I want to get the corresponding user in the compat subtree, I need to specify a search base as in
ldapsearch -H <host> -b "cn=compat,dc=labeconomia,dc=unich,dc=it" "(uid=studente)"
which correctly returns "uid=studente,cn=users,cn=compat,dc=labeconomia,dc=unich,dc=it"
Now I wonder: is this the correct behavior? And if this is correct, why did ext_kerberos_ldap_group_acl use to work in the past?
Thanks for any help.
1 year, 1 month
Exception: Invalid instance: pki-tomcat
by Mark Clarke
Hi All,
After a recent system update, FreeIPA's pki-tomcat will not start. I have traced the error to where FreeIPA attempts to upgrade pki-tomcat in the service unit: "ExecStartPre=/usr/sbin/pki-server upgrade %i". I have no idea why it thinks the instance id is wrong. Has anyone else had this problem and knows how to fix it?
VERSION: 4.9.10, API_VERSION: 2.251
Feb 24 06:42:16 auth-server.abc.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: ERROR: Invalid instance: pki-tomcat
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: Traceback (most recent call last):
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 41, in <module>
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: cli.execute(sys.argv)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 145, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: super(PKIServerCLI, self).execute(args)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 217, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: module.execute(module_args)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/cli/upgrade.py", line 135, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: raise Exception('Invalid instance: %s' % instance_name)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: Exception: Invalid instance: pki-tomcat
1 year, 1 month
Re: any disadvantages to using gssproxy?
by Alexander Bokovoy
On Mon, 20 Feb 2023, Charles Hedrick via FreeIPA-users wrote:
>We have a site where some users want to be able to run cron jobs with
>credentials so they can access files via NFS. We are currently using a
>local mechanism to generate those credentials. I'm considering using
>gssproxy instead. I've verified that it will work.
>
>Is there any disadvantage to installing gssproxy on all systems, and
>setting use_gss_proxy in /etc/nfs.conf? We're on Ubuntu 20.04 and
>22.04.
>
>The only issue I can see is that attempts to access files will cause
>something (the server?) to check for delegation entries in LDAP. If
>this only happens when credentials aren't already present, the extra
>overhead should be minimal. But we have lots of calls to rpc.gss,
>particularly since we expire contexts in 30 min, to deal with the
>problem that removing users from a group doesn't remove their access to
>files protected by the group until their NFS session credentials are
>refreshed.
GSSProxy does not look at LDAP at all; it is not written to do so. What
it does is allow applications to request operations on behalf
of users (allow_constrained_delegation=true or
allow_constrained_delegation=true in a configuration file), and *that*
requires the KDC to perform conditional delegation checks. The check is done
by the KDC, not by GSSProxy, at the time when a client (GSSProxy in this
case) would request a protocol transition or constrained delegation, e.g.
to obtain a ticket to a service.
When there is a ticket already, no additional operations would be done.
If you expire tickets every 30 minutes, then at least once in those 30
minutes, if a service performs acquisition of a Kerberos
ticket on behalf of the user, the KDC would get a request.
An additional consideration would be to see if you have any applications
that use Heimdal Kerberos instead of MIT Kerberos. GSSProxy is only
supported for MIT Kerberos-linked applications using GSSAPI. Heimdal has
no pluggable interposer mechanism interface, hence no way to interpose
it this way. That specifically affects Debian and Ubuntu, as their Samba
builds are done against Heimdal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1 year, 1 month
FreeIPA Replica Install Issue
by Jerome Talbert
Hello,
We had an issue with one of our replicas and decided to remove it from the topology and run the ipa-server-install --uninstall command on the replica. I also went through and removed all the SRV records related to the replica.
The idea was to reinstall the same server as replica again using the command:
ipa-replica-install --setup-dns --setup-ca --principal=admin --password='############' --no-forwarders
When I try to run the command, I get the following error message:
ipapython.admintool: ERROR Cannot install replica of a server of higher version ((u'00000004', u'00000006', u'00000008', '*final')) than the local version ((u'00000004', u'00000006', u'00000006', '*final'))
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Any ideas what might be going on here? Do I have something left-over on the replica that needs to be cleaned up manually first?
Thanks,
Jerome Talbert
1 year, 1 month
Unable to find 'admin' user with 'getent passwd admin@domain.com'!
by Damola Azeez
Hello,
I tried enrolling an Ubuntu 20.04 Server to IPA. At the end of the installation, I get the message below:
Unable to find 'admin' user with 'getent passwd admin@domain.com'!
Unable to reliably detect configuration. Check NSS setup manually.
While attempting to troubleshoot, I tried running "getent passwd admin", but nothing was returned.
The sssd service is running:
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-02-21 17:17:40 UTC; 26min ago
Main PID: 1108213 (sssd)
Tasks: 7 (limit: 9439)
Memory: 41.9M
CGroup: /system.slice/sssd.service
├─1108213 /usr/sbin/sssd -i --logger=files
├─1108235 /usr/libexec/sssd/sssd_be --domain domain.com --uid 0 --gid 0 --logger=files
├─1108241 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─1108242 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
├─1108243 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
├─1108244 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
└─1108245 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Feb 21 17:17:40 softpayv4prodapp.domain.com sssd_pac[1108245]: Starting up
Feb 21 17:17:40 softpayv4prodapp.domain.com systemd[1]: Started System Security Services Daemon.
Feb 21 17:17:40 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 1
Feb 21 17:17:40 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 1
Feb 21 17:17:40 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 1
Feb 21 17:17:40 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 2
Feb 21 17:32:50 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 1
Feb 21 17:32:50 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 1
Feb 21 17:32:50 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 1
Feb 21 17:32:50 softpayv4prodapp.domain.com sssd_be[1108235]: GSSAPI client step 2
Any help on where the issue may be?
1 year, 1 month
One-Way Trust between two IPA Realms: Tips for debugging/further research?
by Jostein Fossheim
I know this is not officially supported. But I would still like to make it work.
We have a main IPA realm EXAMPLE.COM, and we have the subdomain LAB.EXAMPLE.COM as another IPA realm. We want a one-way trust relationship from the LAB realm to our main realm.
I have tested this with two barebone MIT Kerberos KDCs, and I have been able to establish both one-way and two-way trust between LAB.EXAMPLE.COM and a barebone MIT realm. But for some reason I am not able to do this between our main realm and the lab realm.
The krbtgt/ principal that establishes the trust is created in both realms with the following command:
kadmin.local -e 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' -q 'addprinc -requires_preauth krbtgt/LAB.EXAMPLE.COM@EXAMPLE.COM' -x ipa-setup-override-restrictions
When I try to log into a service in the lab realm with a valid ticket in the trusted domain via SSH (which works nicely with IPA and the barebone MIT setup), I just keep getting a "HANDLE_AUTHDATA" error, which I only find briefly mentioned in a few posts online:
debug1: Unspecified GSS failure. Minor code may provide more information
KDC returned error string: HANDLE_AUTHDATA
On the lab KDC, /var/log/krb5kdc.log shows:
Feb 20 21:47:42 test-ipa.lab.example.com krb5kdc[1540](info): closing down fd 11
Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ : handle_authdata (22)
Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) fdd0:192:168:250:ad3:e32b:ef6b:486f: HANDLE_AUTHDATA: authtime 1676921750, etypes {rep=UNSUPPORTED:(0)} username@EXAMPLE.COM for host/test-ipa.lab.example.com@LAB.EXAMPLE.COM, Invalid argument
Any thoughts or tips would be greatly appreciated.
1 year, 1 month
any disadvantages to using gssproxy?
by Charles Hedrick
We have a site where some users want to be able to run cron jobs with credentials so they can access files via NFS. We are currently using a local mechanism to generate those credentials. I'm considering using gssproxy instead. I've verified that it will work.
Is there any disadvantage to installing gssproxy on all systems, and setting use_gss_proxy in /etc/nfs.conf? We're on Ubuntu 20.04 and 22.04.
The only issue I can see is that attempts to access files will cause something (the server?) to check for delegation entries in LDAP. If this only happens when credentials aren't already present, the extra overhead should be minimal. But we have lots of calls to rpc.gss, particularly since we expire contexts in 30 min, to deal with the problem that removing users from a group doesn't remove their access to files protected by the group until their NFS session credentials are refreshed.
1 year, 1 month
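As an added illustration for this thread and Alexander's reply above (not configuration posted by either of them), this is the shape of an NFS-client setup in which gssproxy serves credentials to cron jobs from per-user client keytabs and no delegation option is enabled, so gssproxy never has to ask the KDC for a protocol transition or constrained delegation; the only KDC traffic is ordinary TGT and service-ticket acquisition when a cached ticket is missing or expired. The file names, the /var/lib/gssproxy/clients paths and the %U (numeric UID) substitution follow gssproxy's stock NFS client configuration as I recall it; check them against the copy shipped by your distribution.

```ini
# /etc/nfs.conf (fragment): hand rpc.gssd's GSSAPI work to gssproxy
[gssd]
use-gss-proxy = 1

# /etc/gssproxy/99-nfs-client.conf (fragment)
[service/nfs-client]
mechs = krb5
# host keytab, used when the kernel asks for machine credentials
cred_store = keytab:/etc/krb5.keytab
# per-UID ccache that gssproxy fills and refreshes on its own
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
# per-UID client keytab: this is what lets a cron job with no
# interactive login obtain a TGT for its user (file must be 0600, root-owned)
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
# Deliberately NOT set: allow_constrained_delegation (S4U). Leaving it
# out keeps the KDC out of the picture except for normal ticket requests.
```

Rotating the per-user keytabs (for example with ipa-getkeytab) is what revokes access for a removed user; the 30-minute context expiry discussed in the thread bounds how long a stale group membership is honoured.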
Certmonger and SAN fields
by Alex Ivanov
Greetings,
I'm trying to use certmonger to automate certificate signing with FreeIPA. It is working fine, but it adds additional values to the SAN of issued certificates:
Other Name:
Principal Name=HTTP/<principal>@<Kerberos realm>
Other Name:
1.3.6.1.5.2.2=<principal>
If I choose to generate certificates using openssl and manually sign them, I have no such issue.
I've found an old post about that: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Does this issue still persist, or have I missed something?
1 year, 1 month
Ensure that IPA user can be resolved upon SystemD-Unit start
by Ronald Wimmer
I have a systemd service unit that uses an IPA user. However, upon
reboot it seems that that particular IPA user is not available upon
start of that particular systemd service.
Using "After=sssd.service" is not sufficient.
What would you recommend in this case?
(I am looking for a reliable systemd solution and do not want to rely on
a script checking for a particular user with getent, for example.)
Cheers,
Ronald
1 year, 1 month