IPA installation and SSHD configuration - What is being configured?
by J N
When I have a look at either ipa-client-install or the Ansible role 'ipaserver', I come across the options for OpenSSH:
ipaclient_no_ssh
ipaclient_no_sshd <--- What I'm interested in.
I want to install an IPA server and my question is:
What exactly is being configured, and should I use this option?
11 months, 3 weeks
[SSSD] Announcing SSSD 2.9.0
by Pavel Březina
# SSSD 2.9.0
The SSSD team is announcing the release of version 2.9.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.9.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.9.0.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* The `sss_simpleifp` library is deprecated and may be removed in future
releases. Those who want to keep using it for a while should
configure its build explicitly using the `--with-libsifp` `./configure` option.
* The "Files provider" (i.e. `id_provider = files`) is deprecated and may
be removed in future releases. Those who want to keep using
it for a while should configure its build explicitly using the
`--with-files-provider` `./configure` option, or consider using the "Proxy
provider" with `proxy_lib_name = files` instead.
* The previously deprecated `--enable-files-domain` configure option, which
was used to manage the default value of the `enable_files_domain` config
option, is now removed.
* The long-unused '--enable-all-experimental-features' configure option
was removed.
* SSSD will no longer warn about changed defaults when using
`ldap_schema = rfc2307` and the default autofs mapping. This warning was
introduced in 1.14 to loudly warn about different default values.
### New features
* New passkey functionality, which will allow the use of FIDO2-compliant
devices to authenticate a centrally managed user locally. Moreover, in
the case of a FreeIPA user, it can also issue a Kerberos ticket
automatically with the upcoming FreeIPA version 4.11.
* Added support for ldapi:// URLs to allow connections to local LDAP servers.
* NSS IDMAP has two new methods: `getsidbyusername` and `getsidbygroupname`.
Note: support for passkey is in its initial phase and the authentication
policy will be adjusted in future versions.
#### Packaging changes for passkey
* Include passkey subpackage and dependency for libfido2.
#### Configuration changes for passkey
* New options to enable and tune passkey behavior: `pam_passkey_auth`,
`ldap_user_passkey`, `passkey_verification`, `passkey_child_timeout`,
`interactive`, `interactive_prompt`, `touch` and `touch_prompt`.
* `--with-passkey` is a new configuration option to enable building
passkey authentication.
### Important fixes
* A regression where running sss_cache with no SSSD domain enabled
would produce a syslog critical message was fixed.
### Configuration changes
* The default value of the `cache_first` option was changed to `true` in case
SSSD is built without the `files provider`.
* The ipa_access_order parameter was introduced. It behaves much like
ldap_access_order but affects IPA domains (id_provider = ipa) and
accepts a limited set of values. Please see sssd-ipa(5) for more information.
12 months
ACME client certificate request from FreeIPA with DNS-01 challenge
by Djerk Geurts
I'm aware that ACME support is still relatively new. I'm looking at how the challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages the DNS itself, and HTTP-01 is often not an option, for example when using ACME on vSphere.
If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated DNS and CA then can't any machine that can reach the FreeIPA server request an internal certificate anonymously? Surely I'm missing something here?
12 months
broken trust chain resolving using 8.8.8.8 as forwarder
by Rob van Halteren
Hi,
I have trouble resolving some addresses with my FreeIPA server. In the log there are lots of "broken trust chain" lines, like:
validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May 3 14:36:11 myserver named-pkcs11[30906]: validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May 3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/A/IN': 8.8.8.8#53
May 3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/TYPE65/IN': 8.8.8.8#53
I set up a global forwarder to 8.8.8.8 and the forward-only setting in the web GUI.
I tried to change the DNSSEC settings in /etc/named.conf: dnssec-enable no; dnssec-validation no;
That did not help.
I run FreeIPA 4.6.8, release 5.el7.centos.12, on CentOS 7.9.
When I change forwarding to "forward disabled" in the web GUI, I get lots of "network unreachable resolving" in the logs.
I then can resolve most addresses, but not all.
To me it looks like DNS is not resolving as expected, but I have no clue where to look for a solution.
Any help appreciated.
Thanks,
Rob.
12 months
Running 'sudo su' creates kerberos ticket for user on old IPA (4.6) not on new 4.10
by Finn Fysj
I'm trying to set up a new IPA server, and when I run 'sudo su' I get prompted for a password, which is fine.
However, when I successfully type my password on a RHEL7 instance running FreeIPA version 4.6, I get a Kerberos ticket as the logged-in user in "root mode", but when I do the same on the newer IPA instance I do not get any Kerberos ticket when in root.
How do I get a Kerberos ticket when I run 'sudo su'?
12 months
What's the proper way of creating HBAC/SUDO rules in a Primary/replica setup
by J N
Hi,
I'm new to Ansible and the FreeIPA project, and I'm currently trying to set up HBAC and SUDO rules on my primary server and the replicas.
Is the practice to only apply rules to the primary server and let it replicate to the replicas? The reason I'm asking is that when I try to create HBAC/SUDO rules on the primary and the replicas, I get an error in Ansible saying:
changed: [192.168.204.10]
fatal: [192.168.204.11]: FAILED! => {"changed": false, "msg": "sudorule_add: test_rule: sudo rule with name \"test_rule\" already exists"}
However, if I rerun the play, it works idempotently:
ok: [192.168.204.10]
ok: [192.168.204.11]
Question:
What's the practice when running replicas: should only the "main" master be updated?
12 months
Auto create DNS PTR record
by Jeremy Tourville
Is it possible to create the record automatically when registering a new client to IPA? If so, how? Maybe I have missed something when reading the manuals.
12 months
Allow service '--servicecat=all' not visible in GUI
by Finn Fysj
Hi,
I'm trying to set up new FreeIPA servers based on an old setup. I've only migrated users/groups to the new setup.
I wasn't able to SSH into the new IPA server, and after investigating it seemed that some HBAC rules for the SSHD service weren't enabled. I've intentionally not migrated the previous HBAC rules.
On the old system, HBAC rules had been created using the '--servicecat=all' option, meaning I couldn't get any information about them from the HBAC rules when looking in the GUI.
Why isn't this visible?
12 months
SubCA for firewall appliance (CertProcessor: no profile policy set found)
by Djerk Geurts
I'm trying to follow and adapt https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi... for issuing a Subordinate CA for a firewall appliance, for user VPN certs and testing SSL interception.
When I try to issue the certificate I get the following error:
ipa-admin@jmp0:~$ ipa cert-request ~/cert_FreeIPA_SubCA.csr --principal host/subca-fw01.domain.local --profile SubCA --certificate-out subca-fw01.pem
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Policy Set Not Found
But the cert profile exists, and I'm not sure what a `Policy Set` is...
ipa-admin@ipa1:~$ ipa certprofile-show SubCA
Profile ID: SubCA
Profile description: Subordinate CA
Store issued certificates: True
ipa-admin@ipa1:~$ ipa caacl-show SubCA
ACL name: SubCA
Description: Subordinate CA
Enabled: True
Service category: all
CAs: ipa
Profiles: SubCA
Users: ipa-admin
Hosts: fw01.domain.local, jmp0.domain.local, subca-fw01.domain.local
# /var/log/pki/pki-tomcat/ca/debug.2023-05-01.log
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: CertProcessor: no profile policy set found
2023-05-01 17:03:56 [ajp-nio-127.0.0.1-8009-exec-9] SEVERE: Unable to create enrollment request: Policy Set Not Found
# /var/log/httpd/error_log
[Tue May 02 01:20:24.946972 2023] [wsgi:error] [pid 406021:tid 406343] [remote 192.168.10.12:42596] ipa: INFO: [jsonserver_kerb] ipa-admin(a)IPA.LOCAL: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\*********************=\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='SubCA', principal='host/subca-fw01.domain.local', version='2.245'): HTTPRequestError
Please ignore the different timestamps, they're various attempts all with the same log messages.
12 months