FreeIPA-users March 2023

freeipa-users@lists.fedorahosted.org

31 participants
56 discussions

Visibility/access of Freeipa users to windows on trusted AD
by Francis Augusto Medeiros-Logeay 09 Aug '23

09 Aug '23

Hi, I have searched this everywhere, but can't find it. I want to grant access to a FreeIPA user to a Windows machine. When I try to grant the user access on windows, adding it like FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both domains, but every place where I see the trusted domain on Windows (for example when configuring a GPO) I can't search for FreeIPA users. Is this how it is supposed to be, or how can I see my FreeIPA users on Windows the same way I see AD users on my freeipa linux clients? Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

2 4

Cannot get rid of a replica/agreement
by lejeczek 21 Jul '23

21 Jul '23

Hi guys. Two masters from which third got disconnected in a "dirty" manner. -> $ ipa-replica-manage del midway.ccn.priv.dom Server removal aborted: Replication topology in suffix 'domain' is disconnected: Topology does not allow server love.ccn.priv.dom to replicate with servers: midway.ccn.priv.dom Topology does not allow server midway.ccn.priv.dom to replicate with servers: love.ccn.priv.dom punch.ccn.priv.dom Topology does not allow server punch.ccn.priv.dom to replicate with servers: midway.ccn.priv.dom. -> $ ipa topologysegment-find domain ----------------- 1 segment matched ----------------- Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom Left node: punch.ccn.priv.dom Right node: love.ccn.priv.dom Connectivity: both ---------------------------- Number of entries returned 1 -> $ ipa-replica-manage del midway.ccn.priv.dom --force ipa: WARNING: /usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes) Updating DNS system records Not allowed on non-leaf entry I've tried to 'reinitialize' but without success. Anybody care to share suggestions & thoughts? many thanks, L.

4 6

Limiting access to GUI
by Entrepreneur AJ 10 Jul '23

10 Jul '23

Hey all, I have a wan facing install due to many of my team operating with mobile phone hotspots whilst visiting customers. An Issue I'm having is I want to restrict the GUI to only our admin team's IP address but editing the Apache Config with; # webUI is now completely static, and served out of that directory Alias /ipa/ui "/usr/share/ipa/ui" <Directory "/usr/share/ipa/ui"> SetHandler None AllowOverride None Satisfy Any Require all granted ExpiresActive On ExpiresDefault "access plus 1 year" <FilesMatch "(index.html|loader.js|login.html|reset_password.html)"> ExpiresDefault "access plus 0 seconds" </FilesMatch> Order allow,deny Allow from <ADMIN IP RANGE> </Directory> Is still allowing anyone with a browser to reach the IPA gui. We have Keycloak in place for staff and users to update their passwords. Any pointers? I would personally prefer to firewall it off but that effects other IPA features.

2 5

Do keytabs expire?
by Ronald Wimmer 07 Jun '23

07 Jun '23

Hi, today I found out that some entries in a keytab file seemed to have expired: Request ticket server HTTP/mwc.linux.mydomain.at(a)LINUX.MYDOMAIN.AT kvno 4 not found in keytab; keytab is likely out of date Fetching the keytab again with ipa-getkeytab fixed the problem. But why is this happening? Do keytab entries expire? I have not set any custom password or ticket policies. Regards, Ronald

4 13

Disabled Domain fills IPA client sssd logs
by Ronald Wimmer 22 May '23

22 May '23

We do face the problem that we disabled a domain we do not need and that this particular domain fills up sssd logs on the client side. Especially sssd_nss.log. How could we possibly avoid this behavior? Cheers, Ronald

2 5

Littered /run/ipa/ccaches directory probably causing outage of ipa API
by terrible person 17 Apr '23

17 Apr '23

Hi everyone! We've been experiencing some issues with our FreeIPA setup for the past few months. First of all: Our package versions are: ipa-client-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch ipa-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch ipa-client-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 ipa-server-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 ipa-client-epn-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 ipa-server-common-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch ipa-server-dns-4.9.8-7.module_el8.6.0+1103+a004f6a8.noarch We are running a peculiar containerized environment based on the CentOS 8 image. Specifically, we've been having trouble accessing the FreeIPA API and performing web UI logins, which we suspect is due to the /run/ipa/ccaches directory becoming littered with too many files. For example, on one of the troubled servers, we ran the command: [root@ipa-server /]# ls -l /run/ipa/ccaches/ | wc -l 174314 We've already tried deleting files in the directory, but the problem persists. The errors we're seeing are something like this: ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (69206018): gss_display_status call returned failure (major 327680, minor 100007). Decoding code: 69206018 Or this: ipa: ERROR: No valid Negotiate header in server response I tried looking up the code of mod_auth_gssapi to find the probable cause, but to no effect. I need help with this. First of all, shouldn't the STs in GssapiDelegCcacheDir be deleted by the module? For now the only solution is the container restart which is equivalent to the "ipactl restart" I guess. I'm interested in learning more about how mod_auth_gssapi is handling ST deletion and what might be causing it to fail in general. If anyone has any insights or suggestions, we would greatly appreciate it.

5 7

ipacerts expired
by Omar Pagan 05 Apr '23

05 Apr '23

All my certs in IPA are expired and no matter what I do I can't get `getcert` to renew them. I have changed the date back to before they expired but when I try to restart IPA is trying to do an upgrade and fails. I'm able to start kdc, directory services, http, pki-tomcat and certmonger, but when I try to resubmit a cert for renewal it complains about not connecting to dbus. Please help, I need to get this IPA service up and running and I can't figure out what's wrong.

3 20

DNS Problems
by Anonymous 31 Mar '23

31 Mar '23

So for the last week I'm having trouble with my DNS. It is not working as expected and is giving me all sort of headaches. I have 4 ipa servers and 4 clients. This is test env for evaluation purposes and I wan't to move to production later on. My problem however is DNS. I'm on rhel9.1 and my freeipa version is 4.10.0 [lessfoobar@mserver001p ~]$ ipa dns-update-system-records IPA DNS records: _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com. _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com. _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com. _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com. _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com. _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com. _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com. _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com. _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com. _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com. _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com. _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com. _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com. _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com. _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com. _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com. _kerberos.test.domain.com. 3600 IN TXT "TEST.DOMAIN.COM" _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:mserver001p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver002p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:mserver001p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver001p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver002p.test.domain.com." _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver003p.test.domain.com." _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 mserver001p.test.domain.com. _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver001p.test.domain.com. _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver002p.test.domain.com. _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver003p.test.domain.com. _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 mserver001p.test.domain.com. _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver001p.test.domain.com. _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver002p.test.domain.com. _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver003p.test.domain.com. _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:mserver001p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver002p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:mserver001p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver001p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver002p.test.domain.com." _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver003p.test.domain.com." _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 mserver001p.test.domain.com. _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver001p.test.domain.com. _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver002p.test.domain.com. _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver003p.test.domain.com. ipa-ca.test.domain.com. 3600 IN A 192.168.0.21 [lessfoobar@mserver001p ~]$ sudo ipa dnsconfig-show [sudo] password for lessfoobar: --------------------------------- Global DNS configuration is empty --------------------------------- IPA DNS servers: mserver001p.test.domain.com, rserver001p.test.domain.com, rserver002p.test.domain.com, rserver003p.test.domain.com [lessfoobar@mserver001p ~]$ sudo ipa dns-server-show ipa: ERROR: unknown command 'dns-server-show' [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show Server name: mserver001p.test.domain.com Server name: mserver001p.test.domain.com SOA mname override: mserver001p.test.domain.com. Forward policy: none [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver001p.test.domain.com Server name: rserver001p.test.domain.com SOA mname override: rserver001p.test.domain.com. Forwarders: 192.168.0.21 Forward policy: first [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver003p.test.domain.com Server name: rserver003p.test.domain.com SOA mname override: rserver003p.test.domain.com. Forwarders: 192.168.0.21 Forward policy: first [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver002p.test.domain.com Server name: rserver002p.test.domain.com SOA mname override: rserver002p.test.domain.com. Forwarders: 192.168.0.21 Forward policy: first [lessfoobar@mserver001p ~]$ sudo ipa dnsrecord-show int.domain.com Record name: rserver001p Record name: rserver001p A record: 192.168.0.22 SSHFP record: REDACTED [lessfoobar@mserver001p ~]$ host 192.168.0.22 Host 22.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN) [lessfoobar@mserver001p ~]$ host rserver001p.test.domain.com Host rserver001p.test.domain.com not found: 2(SERVFAIL) I'd be more than appreciative if someone lets me know what I'm doing wrong. PS something else that I've noticed is that selinux is complaining because of ns-slapd SELinux access control errors SELinux is preventing /usr/bin/pk12util from getattr access on the sock_file /run/pcscd/pcscd.comm. 96 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /var/crash. 8 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/fuse/connections. 22 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/config. 22 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /boot/efi. 22 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/pstore. 22 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/firmware/efi/efivars. 22 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/bpf. 22 SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/tracing. 22 SELinux is preventing /usr/bin/qemu-ga from read access on the directory /var/crash. 18

2 6

cn=compat and missing First Name and Email fields
by Djerk Geurts 30 Mar '23

30 Mar '23

Hi List, Using FreeIPA to provide authentication to vSphere which has been working great, but noticed that using the Compat scheme doesn’t yield the First Name and Email fields in vSphere. If I change the base DN for users and groups to the standard scheme cn=accounts then users can’t log in. To date I’ve ignored this, but today figured it would be good to work out if there’s something I can do to modify the compat scheme so that OpenLDAP clients like vSphere that need to use the compat scheme can pull these fields. Thanks, Djerk Geurts

2 2

Creating a binddn for Satelllite/Foreman
by Jeremy Tourville 27 Mar '23

27 Mar '23

When following the documented directions I am getting an error: ValueError: Invalid placeholder in string: line 1, col 30 https://www.freeipa.org/page/Creating_a_binddn_for_Foreman My update file is: dn: uid=satellitebdn,cn=sysaccounts,cn=etc,$SUFFIX add:objectclass:account add:objectclass:simplesecurityobject add:uid:satellitebdn add:userPassword:myPassword add:passwordExpirationTime:20380119031407Z add:nsIdleTimeout:0 Anyone see something wrong with my update file?

2 4

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users March 2023