February 2023 - FreeIPA-users - Fedora mailing-lists

One-Way Trust between two IPA Realms: Tips for debugging/further research?
by Jostein Fossheim 22 Feb '23

22 Feb '23

I know this is not officially supported. But I would still like to make it work. We have a main IPA-Realm EXAMPLE.COM, and we have subdomain LAB.EXAMPLE.COM as another IPA-Eealm. We wan't a one-way trust-relationship from the LAB-realm to our main realm. I have testet this with two MIT-kerberos barebone KDCs, and I have been able to establish both one and two way trust between LAB.EXAMPLE.COM and a barebone MIT-realm. But for some reason I am not able to this between our main realm, and the lab realm. The krbtgt/-principial that establishes the trust is created in both realms with the following command: kadmin.local -e 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' -q 'addprinc -requires_preauth krbtgt/LAB.EXAMPLE.COM(a)EXAMPLE.COM' -x ipa-setup-override-restrictions When I try to log into a service in the lab realm with a valid ticket in the trusted domain via SSH (which work nicely with IPA and the barebone MIT setup), i just keep getting a "HANDLE_AUTHDATA"-error, which I just find briefly mentioned in a few posts online: debug1: Unspecified GSS failure. Minor code may provide more information KDC returned error string: HANDLE_AUTHDATA On the lab-KDC: /var/log/krb5kdc.log Feb 20 21:47:42 test-ipa.lab.example.com krb5kdc[1540](info): closing down fd 11 Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ : handle_authdata (22) Feb 20 21:47:46 test-ipa.lab.example.com krb5kdc[1540](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) fdd0:192:168:250:ad3:e32b:ef6b:486f: HANDLE_AUTHDATA: authtime 1676921750, etypes {rep=UNSUPPORTED:(0)} username(a)EXAMPLE.COM for host/test-ipa.lab.example.com(a)LAB.EXAMPLE.COM, Invalid argument Any thoughts or tips would be greatly appreciated.

2 8

any disadvantages to using gssproxy?
by Charles Hedrick 20 Feb '23

20 Feb '23

We have a site where some users want to be able to run cron jobs with credentials so they can access files via NFS. We are currently using a local mechanism to generate those credentials. I'm considering using gssproxy instead. I've verified that it will work. Is there any disadvantage to installing gssproxy on all systems, and setting use_gss_proxy in /etc/nfs.conf? We're on Ubuntu 20.04 and 22.04. The only issue I can see is that attempts to access files will cause something (the server?) to check for delegation entries in LDAP. If this only happens when credentials aren't already present, the extra overhead should be minimal. But we have lots of calls to rpc.gss, particularly since we expire contexts in 30 min, to deal with the problem that removing users from a group doesn't remove their access to files protected by the group until their NFS session credentials are refreshed.

1 0

Certmonger and SAN fields
by Alex Ivanov 19 Feb '23

19 Feb '23

Greetings, I'm trying to use certmonger to automate certificate signing with FreeIPA. It is working fine but it adds additional values to SAN for issued certificates Other Name: Principal Name=HTTP/<principal>@<Kerberos realm> Other Name: 1.3.6.1.5.2.2=<principal> If I choose to generate certificates using openssl and manually sign them I have no such issue I've found old post about that https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… Does this issue still persists or I've missed something?

4 5

Ensure that IPA user can be resolved upon SystemD-Unit start
by Ronald Wimmer 17 Feb '23

17 Feb '23

I do have a sytemd service unit that uses an IPA used. However, upon reboot it seems that that particular IPA user is not available upon start of that particular systemd service. Using "After=sssd.service" is not sufficient. What would you recommend in this case? (I am looking for a reliable systemd solution and do not want to rely on a script checking for a particular user with getent for example) Cheers, Ronald

2 3

Plugin help
by Francis Augusto Medeiros-Logeay 15 Feb '23

15 Feb '23

Hi, I am writing a little plugin for FreeIPA, and I'm starting to get the hang of it - I got to insert menus, display a list of entries with the possibility to add, change and delete entries. So far, so good. I have two questions: - How do I use the 'association' type? I want to display entries based on the entry I clicked, the same way I show members of a group when I click on a group. I saw this option when checking the source code for group ui, but I don't know exactly how to display entries queried based on the selected entry; - Is there a drop down menu possibility that shows all entries, as to select them as basis for a nested search of other entries? Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

1 0

how to identify indirect mount maps
by Rob Verduijn 14 Feb '23

14 Feb '23

Hello, When somebody has created a direct mount map without adding any keys. How can you see that it is an indirect mount map ? Also how can you see what the mount point is of the indirect mount map ? I can't seem to find an option to check for this ? Cheers Rob

2 2

Authority Key Identifier Extension in SSL certificate
by omar gonzales 13 Feb '23

13 Feb '23

FreeIPA Users, I'm unable to generate a SSL certificate with the dirName and serial number fields in X509v3 Authority Key Identifier Extension. I only get the keyid I tried to use a customized certificate profile which was successfully imported. Here is part of the certificate profile that I used to get at least the serial number in the X509v3 Authority Key Identifier Extension policyset.serverCertSet.9.constraint.class_id=noConstraintImpl policyset.serverCertSet.9.constraint.name=No Constraint policyset.serverCertSet.9.default.class_id=authorityKeyIdentifierExtDefaultImpl policyset.serverCertSet.9.default.name=Authority Key Identifier Extension Default policyset.serverCertSet.9.default.params.authorityCertSerialNumber=100 Please see attached capture for the desired output (SSL cert) Please let me know what I should do. Thanks Omar

1 0

LDAP question
by Francis Augusto Medeiros-Logeay 13 Feb '23

13 Feb '23

Hi, I am wondering: 1 - Does the 389 server support aliases? I can't make it work and saw on a few old forum posts that it doesn't. 2 - I am working on a new attribute type and wonder how can I add a constraint so that its value on an entry must be unique across the directory. Any tips? Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

2 2

log permission issues with "ipa-replica-manage re-initialize" in almalinux 8
by Grant Janssen 13 Feb '23

13 Feb '23

users were reporting password change issues. ipa_check_consistency and cipa showed synchronization issues. grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com<http://ef-idm01.production.efilm.com> ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log' Update in progress, 6 seconds elapsed Update succeeded grant@ef-idm04:~[20230211-7:02][#212]$ I am in the middle of a migration from 7 —> 8 (3 of 5 servers are still CentOS 7) The almalinux 8 systems showed an issue with log permissions when I executed the sync. The CentOS 7 systems did not output any error. ipa_check_consistency and cipa show these are all “in sync” now. what can I do to resolve these log issues, so next time I won’t see these again? thanx - grant

2 1

Show attributes of objectclass
by Francis Augusto Medeiros-Logeay 11 Feb '23

11 Feb '23

Hi, A very basic question, but can't find a proper answer: How do I show all attributes of an objectclass? I tried a few commands that are supposed to work on openldap, but can't have the same results in FreeIPA. Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2023