Migrating from RHEL 7 to RHEL 9 (changing UID/GID_MAX and losing admins group)
by Finn Fysj
Hi,
When I try to migrate from my RHEL 7 instance to RHEL 9, most of the stuff seems to work fine.
I needed to set up the new IPA servers by modifying UID/GID_MAX, since in the early versions of the installation there wasn't a "check" for these attributes. I needed to do this because the existing IPA server uses UID/GIDs starting from 6000.
Running:
ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ipa.example.com
However, I see that all the users that used to belong to "admins" have now disappeared. Is there a way to avoid this? Or is there any attribute I should think of while migrating?
PS: I'm aware that the suggested method of migrating is RHEL 7 > RHEL 8 > RHEL 9; however, it seems to work fine without.
10 months, 2 weeks
Migrating a Large OpenLDAP directory
by Chris Cowan
One other issue I've encountered is that in our existing OpenLDAP directory, with the private group for the user, the uid != gid. This would be easy to fix, but we have our legacy gid space interspersed with the other supplemental groups we created. Presently, we're talking about 9K users and 130K groups. Both the uid and gid spaces were originally started at 100,000.
I started noticing that NSS stuff wasn't working correctly for users where uid != gid, even though the user object shows the correct uid and gid.
Reading Bugzilla and other posts on this list, it appears that I am not alone. The workaround suggested, which I tried:
- Detach the private group from the user
- Delete the private group
- Recreate with a group-add
Just wondering if there's new advice on this particular scenario: migration of an existing LDAP directory where the private gid is not in sync with the user's uid.
Going forward, it seems the best thing to do would be to pick distinct ranges for users and associated groups, vs. the supplemental ones.
10 months, 2 weeks
Valid characters in group names
by Chris Cowan
Would it be possible to loosen the restrictions on group names to allow a forward slash?
We are migrating a large OpenLDAP directory, and they adopted a pseudo-hierarchical group naming standard using "/". Alphanumerics and [-_.] were allowed between forward slashes. This was inherited from an older system based upon DCE (yeah, I know, old stuff ;)
For Plan B, I'm experimenting with different approaches, like using '.' instead of a slash. But I'm wondering if this would be a simple tweak.
10 months, 2 weeks
Without GSSAPIStrictAcceptorCheck=no, sshd shows a "wrong hostname"?
by Alex Corcoles
Hi,
I have a Debian (Proxmox) system joined to FreeIPA. I'm trying to log in via SSH using Kerberos, but it doesn't work. If I start a debug SSH server, I get the following output:
No key table entry found matching host/h1.h1.int.example.net@, but hostname -f on the same host reports h1.example.net.
/etc/resolv.conf has h1.int.pdp7.net as the domain/search parameter. I think sshd is getting the hostname messed up somehow.
Things work if GSSAPIStrictAcceptorCheck=no, but is there something I can fix?
Cheers,
Álex
10 months, 2 weeks
FreeIPA and AIX - sudoers_base
by Ronald Wimmer
We managed to integrate AIX IPA clients successfully some time ago. sudo was also working fine. A few weeks ago sudo stopped working.
The /etc/ldap.conf on our AIX clients contains the following line:
sudoers_base cn=users,cn=compat,ou=sudoers,dc=linux,dc=mydomain,dc=at
If we try to look that up with an LDAP browser we do not even find an OU named "sudoers". Did the LDAP structure change in the recent past? What should the sudoers_base line contain?
Cheers,
Ronald
10 months, 3 weeks
firewall - masters VS clients
by lejeczek
Hi guys.
Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas?
Many thanks, L.
10 months, 3 weeks
Windows10 desktop login fails with the FreeIPA users
by Ray R
Hello, I encountered an issue with Windows 10 integration with the FreeIPA server where at desktop login it says "user name or password is incorrect". An RDP session is successful, but login to the desktop fails with "user name or password is incorrect". The Windows client has successfully joined the FreeIPA server. The IPA server is also the DNS server. The same user can log in to a Linux IPA client successfully.
The krb5 log shows (the last line):
Jun 12 14:01:29 ipa-server.dc1.abc.com krb5kdc[11611](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 10.2.1.23: ISSUE: authtime 1686603689, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, test@DC1.ABC.COM for host/desktop-client.dc1.abc.com@DC1.ABC.COM
I followed the steps from https://www.freeipa.org/page/Windows_authentication_against_FreeIPA and https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/... but desktop login failed. Any suggestion is appreciated.
10 months, 3 weeks
Re: Authentication failures on a RHEL 9.2 IPA server
by GoNiS
I tried the trick of running:
ipa config-mod --add-sids --enable-sid
on my 2 IPA servers (one on 8 and one on 9) and it did not cure the authentication problem for my clients hitting the newest server.
The disable_pac=true trick did the work, but it is unsafe.
I wonder if I need to issue the ipa idrange... command as proposed by Charles some messages above.
Cheers,
Isidro
10 months, 3 weeks
freeipa and disa stig
by risto hartikainen
Hello,
I am interested in knowing if there is any documentation available (and kept up to date) about hardening an operating system with DISA STIG and installing a FreeIPA server on it.
Since I don't have deeper knowledge about FreeIPA components, I have managed to create pretty interesting effects after installing FreeIPA on hardened RHEL 7 & 8. With scap-workbench it's too easy to select aggressive security settings, and debugging is a painful task; it's difficult to determine if possible problems are related to the hardening or to IPA itself. Almost every time it's from the hardening, but finding out exactly which setting gives a headache.
I guess it might be easier to point out components that clearly are not compatible with the FreeIPA server, but I have not found such a document. Any tips about this?
Thank you in advance,
risto
10 months, 3 weeks