[Freeipa-users] Re: How to restrict FreeIPA's from registering external IPs on DNS?

2020-02-09 Thread Natxo Asenjo via FreeIPA-users
hi Vinícius,


On Fri, Feb 7, 2020 at 9:29 PM Vinícius Ferrão via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> My FreeIPA server have two IP addresses. It registers itself with the
> internal and the external addresses. There’s a way to only register the IPs
> from the internal interfaces?
>

Usually those IP addresses are tied to specific network interfaces (eth0,
ens192, tun0, whatever). You can tell sssd to use only those interfaces to
register its dyndns (details in man sssd-ipa, look for the dyndns_iface
directive):

dyndns_iface (string)
   Optional. Applicable only when dyndns_update is true. Choose the
   interface or a list of interfaces whose IP addresses should be used
   for dynamic DNS updates. Special value “*” implies that IPs from
   all interfaces should be used.

   NOTE: While it is still possible to use the old ipa_dyndns_iface
   option, users should migrate to using dyndns_iface in their config
   file.

   Default: Use the IP addresses of the interface which is used for
   IPA LDAP connection

   Example: dyndns_iface = em1, vnet1, vnet2

Regards,
Natxo
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
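
A way to check, before a dual-homed server registers itself, which addresses a given sssd.conf would publish. This is an added example, not code from the thread or from SSSD: it reads a constructed sssd.conf fragment with the standard configparser module, applies the dyndns_iface rules quoted from sssd-ipa(5) above (unset means the interface carrying the IPA LDAP connection, "*" means every interface, otherwise the listed interfaces), and flags any address outside a locally defined set of internal networks. The interface table, both configuration fragments, the INTERNAL_NETS policy and the assumption that eth1 carries the LDAP connection are all constructed for the example.

```python
import configparser
import ipaddress

# Networks this example treats as "internal" (RFC 1918, loopback, link-local,
# IPv6 ULA). This is the example's own policy, not anything SSSD knows about.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]

# Constructed interface table standing in for `ip addr` on a dual-homed IPA server.
# Assumption for the example: eth1 is the interface the IPA LDAP connection uses.
INTERFACES = {
    "eth0": ["203.0.113.10"],               # public-facing address (constructed)
    "eth1": ["10.20.30.40", "fd00:1::40"],  # internal addresses (constructed)
    "lo":   ["127.0.0.1", "::1"],
}
LDAP_IFACE = "eth1"

# Constructed sssd.conf fragments (the real file is /etc/sssd/sssd.conf).
# WEAK_CONF publishes every interface; FIXED_CONF names only the internal one.
WEAK_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
dyndns_update = True
dyndns_iface = *
"""

FIXED_CONF = WEAK_CONF.replace("dyndns_iface = *", "dyndns_iface = eth1")


def is_internal(address):
    """True when the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def update_interfaces(domain, interfaces, ldap_iface):
    """Interfaces whose addresses the sssd-ipa dyndns update would carry.

    Mirrors the dyndns_iface rules from sssd-ipa(5): unset means the interface
    used for the IPA LDAP connection, "*" means all interfaces, otherwise the
    comma-separated list given. dyndns_update defaults to true in sssd-ipa(5).
    """
    if not domain.getboolean("dyndns_update", fallback=True):
        return []  # no dynamic update at all
    raw = domain.get("dyndns_iface")
    if raw is None:
        return [ldap_iface]
    if raw.strip() == "*":
        return list(interfaces)
    return [name.strip() for name in raw.split(",") if name.strip()]


def published_addresses(conf_text, interfaces=INTERFACES, ldap_iface=LDAP_IFACE):
    """Map each [domain/...] section to the addresses its update would publish."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    published = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        addrs = []
        for iface in update_interfaces(cfg[section], interfaces, ldap_iface):
            addrs.extend(interfaces.get(iface, []))
        published[section] = addrs
    return published


def leaked_addresses(conf_text, interfaces=INTERFACES, ldap_iface=LDAP_IFACE):
    """Addresses outside INTERNAL_NETS that the configuration would register in IPA DNS."""
    return {dom: [a for a in addrs if not is_internal(a)]
            for dom, addrs in published_addresses(conf_text, interfaces, ldap_iface).items()}


if __name__ == "__main__":
    for label, conf in (("dyndns_iface = *", WEAK_CONF), ("dyndns_iface = eth1", FIXED_CONF)):
        print(label, "->", published_addresses(conf), "leaks:", leaked_addresses(conf))
```

Run against the real file and the output of `ip addr` on the server, the same check tells you whether the records IPA will publish contain anything you do not want visible in the internal zone; the `*` variant leaks the constructed public address, the `eth1` variant publishes only the internal ones.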


[Freeipa-users] sss_ssh_authorizedkeys slow on IPA-server

2020-02-09 Thread Winfried de Heiden via FreeIPA-users
Hi all,

For some reason, for a particular user, sss_ssh_authorizedkeys is extremely
slow on the IPA-server:

time /usr/bin/sss_ssh_authorizedkeys ~
real 0m9.520s
user 0m0.022s
sys 0m0.018s

It will return all the public keys, but it is slow, causing SSH-login delays
using ssh keys.

On another CentOS Stream (8.1) IPA-client, using the same IPA-server:

time /usr/bin/sss_ssh_authorizedkeys ~
real 0m0.020s
user 0m0.005s
sys 0m0.003s

Some difference...
Adding "certificate_verification = no_ocsp" to sssd.conf on the IPA-server will
bring back performance, but sounds like a poor workaround.

Any idea what is happening here?

Some more details:
CentOS Linux release 8.1.1911 (Core) (stream)
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
sssd-common-2.2.0-19.el8.x86_64

Winfried



[Freeipa-users] Re: sss_ssh_authorizedkeys slow on IPA-server

2020-02-09 Thread Christophe TREFOIS via FreeIPA-users
Have you checked the authentication source order in nsswitch.conf? Maybe it
hits some timeout or so there.

From: Winfried de Heiden via FreeIPA-users 

Sent: Sunday, 9 February 2020 13:55
To: freeipa-users@lists.fedorahosted.org
Cc: Winfried de Heiden 
Subject: [Freeipa-users] sss_ssh_authorizedkeys slow on IPA-server

Hi all,

For some reason, for a particular user, sss_ssh_authorizedkeys is extremely 
slow on the IPA-server:

time /usr/bin/sss_ssh_authorizedkeys 
~
real 0m9.520s
user 0m0.022s
sys 0m0.018s

It will return all the public keys, but it is slow, causing SSH-login delays 
using ssh keys.

On another CentOS Stream (8.1) IPA-client, using the same IPA-server:

time /usr/bin/sss_ssh_authorizedkeys 
~
real 0m0.020s
user 0m0.005s
sys 0m0.003s

Some difference...
Adding "certificate_verification = no_ocsp" to sssd.conf on the IPA-server will 
bring back performance, but sound like a poor workaround.

Any idea what is happening here?

Some more details:
CentOS Linux release 8.1.1911 (Core) (stream)
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
sssd-common-2.2.0-19.el8.x86_64

Winfried



[Freeipa-users] Re: sss_ssh_authorizedkeys slow on IPA-server

2020-02-09 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 09 Feb 2020, Winfried de Heiden via FreeIPA-users wrote:

> Hi all,
> For some reason, for a particular user, sss_ssh_authorizedkeys is extremely
> slow on the IPA-server:
> time /usr/bin/sss_ssh_authorizedkeys ~
> real 0m9.520s
> user 0m0.022s
> sys 0m0.018s
> It will return all the public keys, but it is slow, causing SSH-login delays
> using ssh keys.
> On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> time /usr/bin/sss_ssh_authorizedkeys ~
> real 0m0.020s
> user 0m0.005s
> sys 0m0.003s
> Some difference... Adding "certificate_verification = no_ocsp" to sssd.conf on
> the IPA-server will bring back performance, but sounds like a poor workaround.
> Any idea what is happening here?


SSSD picks up certificates associated with the user entry for use as SSH
keys as well. I guess verification of those certificates via OCSP takes
time and that's why switching off the verification helps.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] ipa-ca-install fails on directory manager password

2020-02-09 Thread Nicholas DeMarco via FreeIPA-users
After successfully promoting an IPA server to a replica, ipa-ca-install
fails with "Directory Manager password is invalid"

This noob would appreciate a command and example to verify I have the
correct directory manager password. I've looked through this page:
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html


but haven't been successful in getting dsconf or ldapmodify to work.

server: ipa1.identity.demarcohome.com.
instance: slapd-IDENTITY-DEMARCOHOME-COM

# dsconf -D "cn=Directory Manager" slapd-IDENTITY-DEMARCOHOME-COM directory_manager password_change

Error: Could not find configuration for instance: slapd-IDENTITY-DEMARCOHOME-COM


[Freeipa-users] Re: sss_ssh_authorizedkeys slow on IPA-server

2020-02-09 Thread Sumit Bose via FreeIPA-users
On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users
wrote:
> On Sun, 09 Feb 2020, Winfried de Heiden via FreeIPA-users wrote:
> > Hi all,
> > For some reason, for a particular user, sss_ssh_authorizedkeys is extremely
> > slow on the IPA-server:
> > time /usr/bin/sss_ssh_authorizedkeys ~
> > real 0m9.520s
> > user 0m0.022s
> > sys 0m0.018s
> > It will return all the public keys, but it is slow, causing SSH-login
> > delays using ssh keys.
> > On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> > time /usr/bin/sss_ssh_authorizedkeys ~
> > real 0m0.020s
> > user 0m0.005s
> > sys 0m0.003s
> > Some difference... Adding "certificate_verification = no_ocsp" to sssd.conf
> > on the IPA-server will bring back performance, but sounds like a poor
> > workaround.
> > Any idea what is happening here?
> 
> SSSD picks up certificates associated with the user entry for use as SSH
> keys as well. I guess verification of those certificates via OCSP takes
> time and that's why switching off the verification helps.

Hi,

if you are not interested in this feature at all you can disable it
completely in recent versions of SSSD by setting
'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
Please check if 'man sssd.conf' shows this option for your version of
SSSD.

HTH

bye,
Sumit

> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
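
As an added example (not code from the thread or from SSSD), a small audit of the two settings this thread turns on: certificate_verification in the [sssd] section, which the original poster relaxed with no_ocsp, and ssh_use_certificate_keys in the [ssh] section, which Sumit points at. The option names and their defaults (certificate-derived keys enabled, full verification with OCSP) are as documented in sssd.conf(5); the three configuration fragments are constructed so the workaround, the alternative and the untouched default can be compared side by side.

```python
import configparser

# Constructed sssd.conf fragments (not from the thread); the real file is
# /etc/sssd/sssd.conf. WORKAROUND_CONF is the change from the original post,
# ALTERNATIVE_CONF the option Sumit mentions, DEFAULT_CONF neither.
WORKAROUND_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.test
certificate_verification = no_ocsp

[domain/example.test]
id_provider = ipa
"""

ALTERNATIVE_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa

[ssh]
ssh_use_certificate_keys = False
"""

DEFAULT_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
"""


def load_sssd_conf(conf_text):
    """Parse sssd.conf text; it is INI-style, so configparser handles it."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return cfg


def ssh_certificate_keys_enabled(cfg):
    """ssh_use_certificate_keys lives in [ssh]; sssd.conf(5) defaults it to true."""
    if not cfg.has_section("ssh"):
        return True
    return cfg["ssh"].getboolean("ssh_use_certificate_keys", fallback=True)


def verification_options(cfg):
    """certificate_verification in [sssd] is a comma-separated list of options."""
    raw = cfg["sssd"].get("certificate_verification", "") if cfg.has_section("sssd") else ""
    return {opt.strip() for opt in raw.split(",") if opt.strip()}


def audit_ssh_certificate_path(conf_text):
    """Classify how sss_ssh_authorizedkeys will treat certificate-derived keys.

    Returns (severity, explanation). Only the SSH key-derivation path is judged;
    certificate_verification also governs smart-card PAM logins, which this
    example does not look at.
    """
    cfg = load_sssd_conf(conf_text)
    opts = verification_options(cfg)
    if not ssh_certificate_keys_enabled(cfg):
        return ("info", "certificate keys are not derived for SSH, so no OCSP lookup on login")
    if "no_verification" in opts:
        return ("high", "certificate keys are used for SSH with verification switched off")
    if "no_ocsp" in opts:
        return ("medium", "certificate keys are used for SSH without revocation (OCSP) checks")
    return ("info", "certificate keys are used for SSH with OCSP; a slow responder adds login latency")


if __name__ == "__main__":
    for label, conf in (("workaround", WORKAROUND_CONF), ("alternative", ALTERNATIVE_CONF),
                        ("default", DEFAULT_CONF)):
        print(f"{label:12} {audit_ssh_certificate_path(conf)}")
```

The point the severities encode: no_ocsp keeps certificate-derived keys usable for login while dropping the revocation check, so a revoked certificate still opens SSH; turning the feature off altogether, where nobody relies on it, removes both the latency and that gap.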


[Freeipa-users] Re: ipa-ca-install fails on directory manager password

2020-02-09 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 09 Feb 2020, Nicholas DeMarco via FreeIPA-users wrote:

> After successfully promoting an IPA server to a replica, ipa-ca-install
> fails with "Directory Manager password is invalid"
>
> This noob would appreciate a command and example to verify I have the
> correct directory manager password. I've looked through this page:
> https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>
> but haven't been successful in getting dsconf or ldapmodify to work.
>
> server: ipa1.identity.demarcohome.com.
> instance: slapd-IDENTITY-DEMARCOHOME-COM
>
> # dsconf -D "cn=Directory Manager" slapd-IDENTITY-DEMARCOHOME-COM directory_manager password_change
>
> Error: Could not find configuration for instance: slapd-IDENTITY-DEMARCOHOME-COM


dsconf expects the instance name, not the whole 'slapd-...' part. Your
instance name would be IDENTITY-DEMARCOHOME-COM.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
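
On the "command and example to verify I have the correct directory manager password" part of the question: the usual tool is ldapwhoami from openldap-clients, e.g. `ldapwhoami -x -D "cn=Directory Manager" -W -H ldapi://%2Fvar%2Frun%2Fslapd-IDENTITY-DEMARCOHOME-COM.socket`, which succeeds only if the simple bind is accepted. The block below is an added example, not part of the thread or of 389-ds: it performs that same simple bind by hand so the exchange is visible, encoding an LDAPv3 BindRequest in BER, sending it over the instance's local ldapi socket, and reading the resultCode out of the BindResponse. It also strips the `slapd-` prefix the way dsconf expects. The socket path /var/run/slapd-<INSTANCE>.socket is an assumption about the 389-ds default layout, and the response bytes in the test are constructed.

```python
import socket

# LDAP resultCode values from RFC 4511 that a bind is likely to return.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}


def instance_name(name):
    """dsconf wants the bare instance name; drop a leading 'slapd-' if given."""
    return name[len("slapd-"):] if name.startswith("slapd-") else name


def ldapi_socket_path(instance):
    """Assumed 389-ds ldapi socket location; confirm with `ls /var/run/slapd-*.socket`."""
    return f"/var/run/slapd-{instance_name(instance)}.socket"


def ber_len(n):
    """BER length: short form below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(message_id, bind_dn, password):
    """LDAPv3 simple BindRequest (RFC 4511 section 4.2) wrapped in an LDAPMessage.

    message_id must stay below 128 so a single INTEGER byte encodes it.
    """
    bind = tlv(0x60,                         # [APPLICATION 0] BindRequest
               tlv(0x02, b"\x03")            # version 3
               + tlv(0x04, bind_dn.encode())  # name (LDAPDN)
               + tlv(0x80, password.encode()))  # AuthenticationChoice: simple [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from a BindResponse LDAPMessage."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag {op_tag:#x}")
    _, code, pos = read_tlv(op, 0)           # ENUMERATED resultCode
    _, _matched, pos = read_tlv(op, pos)     # matchedDN
    _, diag, _ = read_tlv(op, pos)           # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def check_directory_manager_password(instance, password, bind_dn="cn=Directory Manager"):
    """Simple bind over the local ldapi socket. Returns (accepted, explanation).

    ldapi is a unix socket, so the password never crosses the network; this is
    the same check `ldapwhoami -H ldapi://...` performs, not plaintext LDAP over TCP.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        sock.connect(ldapi_socket_path(instance))
        sock.sendall(bind_request(1, bind_dn, password))
        data = sock.recv(4096)
    _, code, diag = parse_bind_response(data)
    return code == 0, diag or LDAP_RESULT.get(code, f"resultCode {code}")


if __name__ == "__main__":
    import getpass
    inst = instance_name("slapd-IDENTITY-DEMARCOHOME-COM")   # name from the thread
    print(check_directory_manager_password(inst, getpass.getpass("Directory Manager password: ")))
```

A resultCode of 49 (invalidCredentials) from this bind confirms that the password ipa-ca-install was given is the problem; 0 means the password is right and the failure lies elsewhere. Reading the socket needs the same file permissions the dirsrv service uses, so run it as root on the server itself.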