- FreeIPA-users - Fedora mailing-lists

Question about file system operations capabilities in an ipaserver plugin
by Данила Скачедубов 13 May '25

13 May '25

1 0

Multi location DNS configuration
by Gareth Blades 13 May '25

13 May '25

We have a multi location internal setup with our own internal DNS setup. These DNS servers are setup with zone transfers from a central location and various customer entries with dns views configured so we have to keep these dns servers as the primary ones used by all servers but we can add extra records or forwarders etc... if required. Initially I thought I would setup the DNS records manually for each location so that a simple 'ipa-client-install' command would use the dns domain and configure everything. This is my dns config :- rsnfreeipa01a IN A 192.168.233.66 rsnfreeipa01b IN A 192.168.233.67 _kerberos-master._tcp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net. _kerberos-master._tcp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net. _kerberos-master._udp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net. _kerberos-master._udp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net. _kerberos._tcp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net. _kerberos._tcp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net. _kerberos._udp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net. _kerberos._udp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net. _kerberos IN TXT "XYZ.NET" _kerberos IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01a.redstation.xyz.net." _kerberos IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01b.redstation.xyz.net." _kerberos IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01a.redstation.xyz.net." _kerberos IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01b.redstation.xyz.net." _kpasswd._tcp IN SRV 0 100 464 rsnfreeipa01a.redstation.xyz.net. _kpasswd._tcp IN SRV 0 100 464 rsnfreeipa01b.redstation.xyz.net. _kpasswd._udp IN SRV 0 100 464 rsnfreeipa01a.redstation.xyz.net. _kpasswd._udp IN SRV 0 100 464 rsnfreeipa01b.redstation.xyz.net. _kpasswd IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01a.redstation.xyz.net." _kpasswd IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01b.redstation.xyz.net." _kpasswd IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01a.redstation.xyz.net." _kpasswd IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01b.redstation.xyz.net." _ldap._tcp IN SRV 0 100 389 rsnfreeipa01a.redstation.xyz.net. _ldap._tcp IN SRV 0 100 389 rsnfreeipa01b.redstation.xyz.net. ipa-ca IN A 192.168.233.66 ipa-ca IN A 192.168.233.67 I have two main issues with this approach :- 1 The ipa-client-install seems to work but I get this error at the end :- Enrolled in IPA realm XYZ.NET Created /etc/ipa/default.conf Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm XYZ.NET Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "XYZ.NET" The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information Running tcpdump during this process I see entries like "SRV? _kerberos._udp.XYZ.NET" What is wrong here? If the lookup is always using the realm name at this point I can't see how it can possibly use the defined location without the use of dns views to return different results depending on what the client is and I don't see any requirement for doing this or any configuration for the IP ranges in use in each location for the internal freeipa dns servers to be able to do this. 2 After the ipa-client-install has run I see the following lines in the sssd.conf file and these appear correct and I see mention of _srv_ so it looks like it will use srv records and fail over if one of the server dies so no issues there. ipa_server = _srv_, rsnfreeipa01b.redstation.xyz.net ipa_domain = redstation.xyz.net /etc/ipa/default.conf contains these config lines though [global] basedn = dc=xyz,dc=net realm = XYZ.NET domain = redstation.xyz.net server = rsnfreeipa01b.redstation.xyz.net host = ssotesting.redstation.xyz.net xmlrpc_uri = https://rsnfreeipa01b.redstation.xyz.net/ipa/xml enable_ra = True The server and xmlrpc_uri lines are hard coded to use a specific freeipa server. If this server dies won't this fail? Shouldn't the client installer have specified both servers if this configuration file supports that? Krb5.conf contains this configuration. This generally looks ok but perhaps dns_lookups_realm is the cause of the earlier error and perhaps I am missing a install-ipa-client parameter. The issue being that the xyz.net domain is common and in use across all of our locations and having to add SRV _kerberos._udp.XYZ.NET records which are different in each location would prove very difficult. includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = XYZ.NET dns_lookup_realm = true dns_lookup_kdc = true rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] XYZ.NET = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .redstation.xyz.net = XYZ.NET redstation.xyz.net = XYZ.NET ssotesting.redstation.xyz.net = XYZ.NET Am I going down the wrong path and there is a better way to do this? I thought of using ipa.xyz.com together with the info at https://www.freeipa.org/page/Howto/IPA_locations but the problem with that is if I use a dedicated domain for ipa then the ipa-client-install auto discovery won't work and I will need to apecify the domain name. It would also not solve the issue of requiring unique per location records for SRV _kerberos._udp.ipa.XYZ.NET or the apparent non redundant config in /etc/ipa/default.conf Thanks Gareth Gareth Blades System Administrator w: eseye.com LinkedIn | Twitter | YouTube | Blog This email is from Eseye , Guildford, Surrey, United Kingdom. Registered in England and Wales - number 06397669. VAT: GB921298326. ISO 27001: 2013 Certified. Eseye accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided unless that information is subsequently confirmed in writing. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. If you are not the intended recipient, please notify the sender and delete this email and any attachments. Eseye, Infinity IoT Platform, AnyNet, AnyNet Secure and Eseye Logos are registered trademarks. © 2025 Eseye Limited. All rights reserved.

1 0

ad login after reinstallation
by Remo Schmid 12 May '25

12 May '25

i have a construct with two freeipa servers and a samba ad that trusts each other. now i have rebuilt a freeipa, since then i have problems with the authentication. logging in via ssh on server works (via ssh key), but doing sudo on the server with the ad user does not work. according to logfiles the password of the ad user is checked correctly and there i also see different logs if the password is correct or wrong. Kerberos says the password is checked successfully. however, it does not work afterwards. in the krbt5_child.log I see the following error. ==> [krb5_child[33538]] [get_and_save_tgt] (0x0020): [RID#45] 2395: [-1765328353][Decrypt integrity check failed] the trust position looks good from samba ad as well as from the ipa side. are there any who have had similar problems after reinstalling? any ideas what else I should check?

3 2

Cant install with external-ca
by Entrepreneur AJ 12 May '25

12 May '25

I have created an internal CA with openssl for my company with a sub ca for signing certain services such as FreeIPA root CA's problem I am having is I have signed the csr and uploaded it back to the freeipa server but when I try to run the second part of the install it errors out. The following is the command used to run the second part of the install: ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/root/internal-ca.cert.pem this is the output: The log file for this installation can be found in /var/log/ipaserver-install.log Directory Manager password: ============================================================================== This program will set up the IPA Server. Version 4.12.2 This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure SID generation * Configure the KDC to enable PKINIT IPA CA certificate with subject 'CN=Certificate Authority,O=EAJ Global,OU=UK Internal Certificate Authority,C=GB' was not found in /root/ipa.crt,/root/internal-ca.cert.pem. The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information I used openssl to verify the certificate subject matches: root@ipa1:~# openssl x509 -in /root/ipa.crt -noout -subject subject=C=GB, O=EAJ Global, OU=UK Internal Certificate Authority, CN=Certificate Authority Only difference i see is the order of the subject line. But the subject itself is still valid. I am running Fedora 42 with the latest version in the repos installed. Any help would be appreciated.

3 6

"Working" while gettig host / user details
by alexey safonov 12 May '25

12 May '25

Hi. have come to the weird issue, working solution, last week added users, no problems, now I click on host or user (to see details) I onle see rotating "working" sign and that's all. Seems like ipa-show works, can get ssh key from user with sss_sss_known_keys, etc. please let me know what I can do here? that is prod system on Rocky 9.5 Alex

2 4

Re: freeIPA fails update 4.12.2-5.el9 t 4.12.2-9.el9
by Vicente Quintans 12 May '25

12 May '25

We found this issue today, upgrading from Fedora 40 to Fedora 41. In dogtagpki the /ca/rest/account/login endpoint (actually all /ca/rest endpoints) was moved to /ca/v1 in this commit: https://github.com/dogtagpki/pki/commit/850e6b9e5128264a471e57b70ab8d970cf9… We were able to complete the upgrade succesfully modifying the file /usr/lib/python3.13/site-packages/ipaserver/plugins/dogtag.py changing al "/rest" to "/v1". With this modification ipa-server-upgrade completed successfully. It seems there is some kind of version mismatch. Greetings, Vicente Quintáns.

6 24

Activating schema compat plugin remotely
by Adam Bishop 10 May '25

10 May '25

Is there any way that the schema compat plugin can be enabled remotely via LDAP or the HTTP API? I'm running FreeIPA under Gitlab CI as a service container, and due to limitations arbitrary commands can't be run on the container unless they're exposed in the Dockerfile. I'd like to avoid modifying the container with changes just needed for CI, as that then means that we're not testing the same code as we do in production. Calling ipa-compat-manage fails ("IPA is not configured on this system.") even though it accepts parameters and credentials to target a remote server. I can't enrol a client as ipa-client-install doesn't work without systemd/dbus. Adam

2 3

FreeIPA failed after upgrading to fedora 42
by Ian Kumlien 09 May '25

09 May '25

Hi, I have two freeipa servers that failed after the upgrade. On one, i managed to fix it with ipa-cert-fix since they had expired again, but i'm now left with: ipa-backup Preparing backup on freeipa1.... Error: Local roles CA, DNS, DNSKeySync do not match globally used roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not be complete enough to restore a fully functional, identical cluster. The ipa-backup command failed. See /var/log/ipabackup.log for more information And on the other pki-tomcat doesn't start without ca_signing.csr which it never had according to backups... Any clues?

3 10

Impossible to install a KRA replicate with FreeIPA version 4.12.2-1 (RHEL9)
by LHEUREUX Bernard 05 May '25

05 May '25

Hello all, I desperately try to migrate my infrastructure containing 3 FreeIPA Servers 4.9.13-16 running under RHEL8 without any problems, for this I completely uninstall server3, I remove it from the FreeIPA infrastructure, and then install a fresh new RHEL9 FreeIPA Machine with version 4.12.2-1, the "ipa-replica-install --setup-ca --setup-dns --auto-forwarders --auto-reverse" works perfectly well, then I try the ipa-replica-install, but constantly get an error... The /var/log/ipaserver-kra-install.log gives: "Error" : "Unable to add KRA connector for https://server3.domain.local:8443: KRA connector already exists" I found a similar problem in that page, https://forums.rockylinux.org/t/freeipa-kra-install-fails-on-rocky-9-replic… I tried, but that didn't solve the issue... Could you help me finding a solution ? [https://www.win.be/images/fr/logowin.jpg] Bernard LHEUREUX Linux & System Engineer Mob. +32 475 530 311 <tel:+32475530311> win.be <https://www.win.be/> [facebook]<http://www.youtube.com/channel/UC-rXMcRf_tMl5K4EBHKWpGg> [linkedin] <https://www.linkedin.com/company/win-s-a-/> [twitter] <https://twitter.com/win_ICTpartner> ________________________________ 1/Conform?ment ? notre certification ISO 27001, ce message et toute pi?ce jointe sont la propri?t? exclusive de Win. L'information contenue dans cet e- mail peut s'av?rer confidentielle et d?s lors prot?g?e de toute divulgation. Si vous avez re?u cette communication par erreur, veuillez nous en informer imm?diatement en r?pondant ? ce message et en le supprimant de votre ordinateur, sans le copier ni le divulguer. 2/L'acceptation de toute offre commerciale (quel qu'en soit le support) emporte l'adh?sion aux descriptifs (notamment techniques) inh?rents aux solutions offertes, ainsi qu'aux conditions commerciales g?n?rales de Win, consultables via https://www.win.be/cgv DISCLAIMER : https://www.win.be/fr-win/disclaimer.htm

3 4

Using OIDC device code auth for SSH access
by Anders Wittendorff 30 Apr '25

30 Apr '25

I'm currently stuck in an implementation of device code auth for SSH access using External Identity on FreeIPA 4.12. My issue is that when connecting with SSH I get the correct message: Authenticate at https://... with code and press Enter. But after authentication at external IDP and pressing Enter the login just loops, and when looking at logs on the FreeIPA server I can see the Access-Challenge but seems to shutdown the process: Apr 23 13:31:27 ipa-test.int.domain.net ipa-otpd[147396]: username(a)INT.DOMAIN.NET: response sent: Access-Challenge Apr 23 13:31:27 ipa-test.int.domain.net ipa-otpd[147396]: oauth2.c:089: Child finished with status [0]. Apr 23 13:31:27 ipa-test.int.domain.net ipa-otpd[147396]: Socket closed, shutting down... Any inputs?

2 9

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users