Auto cleanup old enrolled hosts
by Russ Long
We're adding FreeIPA to an immutable, often rotated environment (AWS ECS Hosts). These hosts are spun up and down at least daily. Is there a way to check FreeIPA to see when a host has last communicated with the FreeIPA Cluster? I'd like to use this information to auto-delete hosts that have not reported in from the FreeIPA host list.
1 week, 2 days
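The question above asks for a "last seen" signal per host. As an added example (not code from the post or from FreeIPA itself), the script below classifies host entries by the Kerberos attribute `krbLastSuccessfulAuth`, which the KDC keeps on the principal entry when last-success recording is enabled; the assumption here is that this attribute is only maintained after `KDC:Disable Last Success` has been removed from the IPA configuration, so hosts without it are reported as unknown rather than deleted. The host entries, the reference time and the protected-host set are constructed sample data, and the script renders `ipa host-del` commands for review instead of executing them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries, shaped like host objects returned by an LDAP
# search over cn=computers,cn=accounts,$SUFFIX. krbLastSuccessfulAuth is an
# LDAP GeneralizedTime (YYYYMMDDHHMMSSZ).
# Assumption: the KDC only writes this attribute when "KDC:Disable Last
# Success" has been removed from ipaConfigString; a host that has never
# authenticated (or was enrolled while recording was off) has no value.
SAMPLE_HOSTS = [
    {"fqdn": "ecs-a1.example.com", "krbLastSuccessfulAuth": "20230820103000Z"},
    {"fqdn": "ecs-b7.example.com", "krbLastSuccessfulAuth": "20230701120000Z"},
    {"fqdn": "ipa5.example.com", "krbLastSuccessfulAuth": "20230823095000Z"},
    {"fqdn": "never-seen.example.com"},
]

# Reference time for the sample run (constructed; a real job uses datetime.now(timezone.utc)).
SAMPLE_NOW = datetime(2023, 8, 23, 12, 0, tzinfo=timezone.utc)

# Hosts that must never be auto-removed whatever their timestamp says
# (IPA servers, bastions, anything whose keytab is used from elsewhere).
PROTECTED_HOSTS = frozenset({"ipa5.example.com"})


def parse_generalized_time(value):
    """Parse the Zulu form of LDAP GeneralizedTime into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_hosts(hosts, now, max_age_days, protected=PROTECTED_HOSTS):
    """Split host entries into stale / fresh / unknown / protected buckets.

    'unknown' means no krbLastSuccessfulAuth at all: a just-enrolled host
    looks identical to a dead one, so those are left for a human to decide.
    """
    cutoff = now - timedelta(days=max_age_days)
    result = {"stale": [], "fresh": [], "unknown": [], "protected": []}
    for host in hosts:
        fqdn = host["fqdn"]
        if fqdn in protected:
            result["protected"].append(fqdn)
            continue
        raw = host.get("krbLastSuccessfulAuth")
        if not raw:
            result["unknown"].append(fqdn)
            continue
        last_seen = parse_generalized_time(raw)
        result["stale" if last_seen < cutoff else "fresh"].append(fqdn)
    for bucket in result.values():
        bucket.sort()
    return result


def deletion_commands(stale_fqdns):
    """Render the `ipa host-del` invocations instead of running them, so the
    list can be reviewed and logged before automation applies it."""
    return [f"ipa host-del {fqdn}" for fqdn in stale_fqdns]


if __name__ == "__main__":
    buckets = classify_hosts(SAMPLE_HOSTS, SAMPLE_NOW, max_age_days=7)
    for name, fqdns in buckets.items():
        print(f"{name:>9}: {', '.join(fqdns) or '-'}")
    for cmd in deletion_commands(buckets["stale"]):
        print(cmd)
```

Deleting the host entry also removes its Kerberos principal, so a keytab left behind on a decommissioned instance stops working; that is the reason to clean up, and also the reason to keep a protected list and to treat hosts with no timestamp as a manual case.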
certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
by Sam Morris
Hi folks, I've got a machine where certmonger is unable to renew a certificate request:
# getcert list -i 20220519165212
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
status: MONITORING
ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-06-21 07:49:49 UTC
expires: 2023-09-19 07:49:49 UTC
dns: xoanon.ipa.example.com
principal name: host/xoanon.ipa.example.com@IPA.EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I'm manually attempting to renew the certificate with:
[root@xoanon ~]# getcert resubmit -w -v -i 20220519165212
Resubmitting "20220519165212" to "IPA".
State GENERATING_CSR, stuck: no.
State SUBMITTING, stuck: no.
State MONITORING, stuck: no.
On the server side, I'm unable to find any errors being logged anywhere. Even after I set 'debug = true' in /etc/ipa/default.conf & restarted httpd.service, the only log messages are:
==> /var/log/httpd/error_log <==
[Wed Aug 23 10:59:50.765980 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Aug 23 10:59:50.766232 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Aug 23 10:59:50.766352 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
==> /var/log/httpd/access_log <==
192.168.88.3 - host/xoanon.ipa.example.com@IPA.EXAMPLE.COM [23/Aug/2023:10:59:50 +0000] "POST /ipa/json HTTP/1.1" 200 526
... which show that the API call was successful. On the other hand, according to 'ipa cert-find --subject=xoanon.ipa.example.com', no certificates have been issued.
It looks like the API isn't calling out to PKI/Dogtag, since nothing is logged to /var/log/pki/pki-tomcat/localhost_access_log.*.txt or /var/log/pki/pki-tomcat/ca/debug.*.log.
I also looked for AVC denials and didn't see anything in /var/log/audit.
So, back to the client. certmonger logs the following:
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_SUBJECT" to "CN=xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_HOSTNAME" to "xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_PRINCIPAL" to "host/xoanon.ipa.example.com@IPA.EXAMPLE.COM" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
MIIEpzCCAw8CAQAwIzEhMB8GA1UEAxMYeG9hbm9uLmlwYS5yb2JvdHMub3JnLnVr
[...]
4d6BlUMScGAgCAxfxEb1eXymTxVm/Do/liHaOqnHGVIr+1OjZNftrUODFQ==
-----END CERTIFICATE REQUEST-----
" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKAC" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKI" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_LOCAL_CA_DIR" to "/var/lib/certmonger/local" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_KEY_TYPE" to "RSA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CA_NICKNAME" to "IPA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CERTIFICATE" to "-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIET/8AJDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFJ
[...]
dF6L+2tIIpjYylCxKQISWaexKkv1jVQaIPB1foIKyLGaf9YtyaIwyoM9G80UaQ==
-----END CERTIFICATE-----
" for child.
2023-08-23 11:15:50 [836073] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [836073] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
Submitting request to "https://ipa5.ipa.example.com/ipa/json".
JSON-RPC error: 2100: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-08-23 11:15:50 [834693] Certificate submission still ongoing.
2023-08-23 11:15:50 [834693] Certificate submission attempt complete.
2023-08-23 11:15:50 [834693] Child status = 2.
2023-08-23 11:15:50 [834693] Child output:
"Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
"
2023-08-23 11:15:50 [834693] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
2023-08-23 11:15:50 [834693] Certificate not (yet?) issued.
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
I found that I could add 'OPTS=-d9' to /etc/sysconfig/certmonger & restart certmonger.service, which does cause it to log more, but it doesn't give any further insight into the messages exchanged with the server.
Does anyone know where I can look next?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
1 week, 5 days
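A renewal that fails like the one above sits at "status: MONITORING" with a ca-error until the certificate lapses, so it is worth catching from the client side. As an added example (not code from the post or from certmonger), the parser below reads `getcert list` output and reports requests with a ca-error, stuck requests, requests not set to auto-renew, and certificates expiring within a warning window. The sample input is the request block quoted above as the archive rendered it, plus a second, constructed healthy request; the reference time is constructed as well.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the request block quoted in the post above (without
# getcert's leading tabs, as the archive rendered it), followed by a second,
# entirely made-up request so the healthy case is covered too.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
status: MONITORING
ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'
CA: IPA
subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-06-21 07:49:49 UTC
expires: 2023-09-19 07:49:49 UTC
track: yes
auto-renew: yes
Request ID 'constructed-healthy':
status: MONITORING
stuck: no
CA: IPA
subject: CN=other.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-01-01 00:00:00 UTC
expires: 2024-01-01 00:00:00 UTC
track: yes
auto-renew: yes
"""

# Reference time for the sample run (constructed; a real check uses datetime.now(timezone.utc)).
SAMPLE_NOW = datetime(2023, 8, 23, 11, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^\s*Request ID '([^']+)':\s*$")


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of {field: value} dicts, one per request."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        # Field lines are "name: value"; values (ca-error text, URLs) contain
        # colons, so split on the first one only. Lines before the first
        # request (the "Number of certificates..." header) are ignored.
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_getcert_time(value):
    """getcert prints timestamps like '2023-09-19 07:49:49 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def assess_requests(requests, now, warn_days=30):
    """Return (request id, kind, detail) findings worth alerting on."""
    findings = []
    for req in requests:
        rid = req["id"]
        if req.get("ca-error"):
            findings.append((rid, "ca-error", req["ca-error"]))
        if req.get("stuck") == "yes":
            findings.append((rid, "stuck", "request cannot proceed without intervention"))
        if req.get("auto-renew") != "yes":
            findings.append((rid, "no-auto-renew", "request is not set to auto-renew"))
        if "expires" in req:
            remaining = parse_getcert_time(req["expires"]) - now
            if remaining <= timedelta(0):
                findings.append((rid, "expired", f"expired {abs(remaining).days} days ago"))
            elif remaining <= timedelta(days=warn_days):
                findings.append((rid, "expiring", f"expires in {remaining.days} days"))
    return findings


if __name__ == "__main__":
    for rid, kind, detail in assess_requests(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), SAMPLE_NOW):
        print(f"{rid}: {kind}: {detail}")
```

Run against live output with `getcert list | python3 this_script.py`-style plumbing replaced by `sys.stdin.read()`; the point of keeping the parser separate from the assessment is that the same findings can feed a monitoring check rather than only a one-off look.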
New plugin almost ready - postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have almost finished a plugin for FreeIPA, so that admins can have similar functionality found on Postfix Admin.
https://github.com/oculos/freeipa-postfixadmin/blob/main/README.md
There is already a good plugin that does a bit of that, but the goal is a bit different. My main goal is not to mix up postfix configuration with groups and hosts, but have separate entities for domain, aliases and virtual domains, in addition to mailboxes.
It was written mostly to allow me to migrate my mailboxes from MySQL to FreeIPA, and I don’t have a huge postfix configuration - I only have multiple domains, mailboxes, aliases and virtual domains, so that’s the functionality I wanted with this plugin.
There are a few things missing before this can go in production («production» here means to actually migrate my mailboxes to FreeIPA), adding a mailbox to ipa users on the gui being the most important one.
I would appreciate any comments and feedback regarding this plugin. It wasn’t easy to understand the logic of how to write one, but I got the hang of it (for simple stuff).
Best,
Francis
4 weeks
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
1 month
Installing FreeIPA server + replica using Ansible Role FreeIPA
by Finn Fysj
The installation of the IPA server and replica does not produce the desired result.
Even though mkhomedir is set to true, the feature is not enabled in authselect. Also, the replica server does not replicate SUDO and HBAC rules from the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
  vars:
    ipaserver: "{{ ansible_hostname }}.example"
    ipaserver_hostname: "{{ ansible_hostname }}.example"
    ipaadmin_password: "test123"
    ipadm_password: "test321"
    ipaserver_domain: "example.com"
    ipaserver_realm: "EXAMPLE.COM"
    ipaserver_no_host_dns: true
    ipaserver_mem_check: true
    ipaserver_install_packages: true
    ipaserver_setup_dns: false
    ipaserver_no_pkinit: true
    ipaserver_no_hbac_allow: true
    ipaserver_no_ui_redirect: false
    ipaclient_no_ntp: true
    ipaclient_mkhomedir: true
    ipaclient_no_sudo: false
1 month, 2 weeks
Free IPA DNS Issues
by Pradeep KNS
Hello Team,
While setting up FreeIPA in my Linux infrastructure, I noticed a strange warning. I would like to clarify it before rolling into production.
*DNS zone alpha-grep.com. already exists in DNS and is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the domain is properly delegated to this IPA server.*
I have posted the detailed installation log at this link. Please advise whether it will be a security flaw in the future, before I install it in production.
https://bpa.st/AMITK
2 months
FreeIPA PKI Certs wont renew "Adjustment limit exceeded"
by T A
On FreeIPA version 4.6.8-5 I realized that pki-tomcatd wouldn't start
ipactl status
pki-tomcatd Service: STOPPED
Ran 'getcert list' and found the 'pki-tomcat' cert was expired
Rolled back the system clock to before the cert expired, now starts up
ipactl status
pki-tomcatd Service: STARTED
Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows "status: CA_UNREACHABLE"
'ipa-cert fix' didn't work either
Checked logs again 'journalctl -t certmonger' and found 'ns-slapd' was giving out this error when it tried to renew 'csngen_adjust_local_time - Adjustment limit exceeded: value - 435060 limit - 86400'
Any way to change the adjustment limit or force this cert to renew anyway?
2 months, 2 weeks
kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele
I tried various approaches to get renewable tickets:
modifying the KDC
modifying krb5.conf
using kadmin.local on every replica to modify the principal; which is not working - as designed (?) - in IPA
What should I do to get a ticket with the correct R flag from IPA?
I don't think this is SSSD related (the service needing the renewable
ticket this way is Apache Storm)
Thanks a lot!
2 months, 3 weeks
AIX - IPA group membership
by Ronald Wimmer
I can use IPA users on an AIX client, as well as groups. But somehow group membership does not seem to be configured correctly...
# id y179768
uid=1246660005(y179768) gid=1246660005(y179768)
# lsgroup -R LDAP ipa-aix-g
ipa-aix-g id=1246690508 users= registry=LDAP
Anyone has a hint what could be misconfigured?
3 months