June 2023 - FreeIPA-users - Fedora mailing-lists

2FA only for certain hosts/host groups
by Ronald Wimmer 04 Sep '23

04 Sep '23

Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups? List here says yes... https://blog.delouw.ch/2016/10/16/freeipa-selective-2fa-authentication-indi… I'm gonna give it a try. Cheers, Ronald

2 4

Custom ssl cert for freeipa docker
by Leo O 25 Aug '23

25 Aug '23

Hello Guys, I'm would like to use custom ssl certificates for http and ldap, I saw the following: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time? Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use that certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.

3 10

Visibility/access of Freeipa users to windows on trusted AD
by Francis Augusto Medeiros-Logeay 09 Aug '23

09 Aug '23

Hi, I have searched this everywhere, but can't find it. I want to grant access to a FreeIPA user to a Windows machine. When I try to grant the user access on windows, adding it like FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both domains, but every place where I see the trusted domain on Windows (for example when configuring a GPO) I can't search for FreeIPA users. Is this how it is supposed to be, or how can I see my FreeIPA users on Windows the same way I see AD users on my freeipa linux clients? Best, Francis -- Francis Augusto Medeiros-Logeay Oslo, Norway

2 4

local root can login but freeipa users can't
by barry y 28 Jul '23

28 Jul '23

This happen randomly, local root can login through SSH to the affected system but for freeipa user, login was successful but there's no prompt. When successfully logged in, it only display a message saying "Last login: xxx" and then no prompt. There's no sssd errors though, restarting the service doesn't help either. While the issue happen to one system, other systems freeipa users can login no problem. Only way to get out of this is to restart the entire system.

3 8

Cannot get rid of a replica/agreement
by lejeczek 21 Jul '23

21 Jul '23

Hi guys. Two masters from which third got disconnected in a "dirty" manner. -> $ ipa-replica-manage del midway.ccn.priv.dom Server removal aborted: Replication topology in suffix 'domain' is disconnected: Topology does not allow server love.ccn.priv.dom to replicate with servers: midway.ccn.priv.dom Topology does not allow server midway.ccn.priv.dom to replicate with servers: love.ccn.priv.dom punch.ccn.priv.dom Topology does not allow server punch.ccn.priv.dom to replicate with servers: midway.ccn.priv.dom. -> $ ipa topologysegment-find domain ----------------- 1 segment matched ----------------- Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom Left node: punch.ccn.priv.dom Right node: love.ccn.priv.dom Connectivity: both ---------------------------- Number of entries returned 1 -> $ ipa-replica-manage del midway.ccn.priv.dom --force ipa: WARNING: /usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes) Updating DNS system records Not allowed on non-leaf entry I've tried to 'reinitialize' but without success. Anybody care to share suggestions & thoughts? many thanks, L.

4 6

FreeIPA on Fedora and dnf system-upgrade
by Ian Pilcher 16 Jul '23

16 Jul '23

I am currently running FreeIPA on CentOS 7, and I am considering moving it to Fedora. On RHEL and derivatives, in-place upgrades are not supported. It is necessary to provision a new server, running the new OS version, add it as a FreeIPA replica, and then decommission the old system. How does this work on Fedora? Will I be able to use dnf system-upgrade, or will I find myself having to use the process described above? -- ======================================================================== Google Where SkyNet meets Idiocracy ========================================================================

3 2

Limiting access to GUI
by Entrepreneur AJ 10 Jul '23

10 Jul '23

Hey all, I have a wan facing install due to many of my team operating with mobile phone hotspots whilst visiting customers. An Issue I'm having is I want to restrict the GUI to only our admin team's IP address but editing the Apache Config with; # webUI is now completely static, and served out of that directory Alias /ipa/ui "/usr/share/ipa/ui" <Directory "/usr/share/ipa/ui"> SetHandler None AllowOverride None Satisfy Any Require all granted ExpiresActive On ExpiresDefault "access plus 1 year" <FilesMatch "(index.html|loader.js|login.html|reset_password.html)"> ExpiresDefault "access plus 0 seconds" </FilesMatch> Order allow,deny Allow from <ADMIN IP RANGE> </Directory> Is still allowing anyone with a browser to reach the IPA gui. We have Keycloak in place for staff and users to update their passwords. Any pointers? I would personally prefer to firewall it off but that effects other IPA features.

2 5

PKINIT questions
by alexey safonov 06 Jul '23

06 Jul '23

Hi, I've a FreeIPA setup 4.10.1 (that's a long-living setup that was upgraded many times). It is CA-less setup (Inititally we had CA, but than it was removed). So now 4 of my servers are saying that PKINIT is enabled and one server is saying "disabled". I tried to re-install replica, but it says CA-less mode can't issue a certificate, so I tried with kdc-cert-file, but than it says cert is not valid (where it's definitly works for web and ldap). Anything I can do here and enable pkinit on that replica? Alex

3 5

Where is root CA private key stored?
by Ian Pilcher 05 Jul '23

05 Jul '23

(Hopefully Thunderbird will only send one copy of this. Sorry about the previous duplicate.) I run a single FreeIPA server (on CentOS 7) in my home network, and I'm thinking of migrating it to Fedora. AFAICT, doing this as an actual upgrade will require multiple cycles of creating a newer FreeIPA server, adding it as a replica, removing the older server, lather, rinse, repeat. I'm only using FreeIPA for its DNS, certificate authority, and LDAP authentication capabilities, and my home network isn't that large, so I'm considering simply installing a new server and re-creating the various users, hosts, services, and DNS zones/entries. (I don't have any systems that are truly managed with FreeIPA.) Thus, it would be nice if the new FreeIPA server could use the same root CA certificate as the existing one. I believe that I can do this by passing the --external-cert-file option to ipa-server-install, but I need both the certificate and the private key of the root CA to do so. Thus, I'm wondering how I can extract the root CA private key from my existing CentOS 7 (FreeIPA 4.6.8) server. Thanks! -- ======================================================================== Google Where SkyNet meets Idiocracy ========================================================================

2 4

Replication woes in three discrete environments - 4.6.8-5
by Eric Fox 30 Jun '23

30 Jun '23

Hello FreeIPA-Users mailing list, Appreciate the hard work put into building FreeIPA. I have a bit of a dilemma. On three separate isolated identical network environments, I have a cluster of FreeIPA servers running on CentOS 7 (FreeIPA Server 4.6.8-5). Replication is broken on all three environments - errors in the Dirsrv log indicate communication timeouts, and inability for the replicas to authenticate their Kerberos tickets. All machines have a 15 minute kerberos timeout set in krb5.conf due to security requirements. The environments have consistent NTP time off of the network equipment with drift between sites measured less than 5 seconds. Trying to manually force-sync does not work - the replication just times out. Eventually user entry changes replicate across the 3 isolated domains, but only on the servers that are on the same layer 2 network. To rule out network security blocking the replication traffic I disabled switch ACLs and VM firewalls temporarily - no change on the broken replicas. On one of the three networks, I rebuilt the malfunctioning replicas from scratch - same hardening baseline. The new instances of IPA were not able to replicate to the original primary server, but they do pull in all of the domain information on first setup. I then tried making a totally new IPA server on the same baseline with a new host name not seen in the domain before - this works perfectly. One of my colleagues who maintains a separate IPA cluster stated that he was unable to reuse replica host names when he rebuilt replica systems on Rocky 8 and RHEL8. Short questions: - Can an IPA Server have its krb5.conf Kerberos session timeout set as low as 15 minutes? Or do I need to keep this higher? - If I can't get force-sync to work, and I can't use re-initialize either, is the only route to rebuild the replica? - Can host names of IPA servers be reused on rebuild? If so, what needs to be cleaned out of the domain? I did make sure the old instance of a replica was wiped from DNS, CA, and Replication agreements after the ipa-replica-manage del. - Are there known settings in the DISA STIG for RHEL7 or the CIS Level2 hardening benchmark that break IPA functionality post-install? - What would be the best replication topology for an environment of 3 IPA servers in 2 locations, and 2 IPA servers in a third location? Network latency between locations is sub-10ms and very consistent. If you need log entries I can provide general error messages but not the whole log. Thank you very much for any pointers/advice.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2023