[Freeipa-users] Re: ipaCertSubject uniqueness check

2020-12-13 Thread Fraser Tweedale via FreeIPA-users
On Sat, Dec 12, 2020 at 05:49:53PM -, Khurrum Maqb via FreeIPA-users wrote:
> I got it resolved - IPA does not seem to support importing a
> rechained external CA. It doesn't seem to have anything to do with
> ipaCertSubject being unique but it's something else where there
> are two different chains for the same external CA.
> 
> I was able to ldapdelete the old problematic certs from
> ldap > etc > ipa > certificates. And then I was able to successfully
> run the ipa-advise script for adding the CA certs. This time
> ipa-cacert-manage worked without throwing the public key info
> mismatch error.
> 
> And then I ran ipa-certupdate on all Ipa servers, and clients that
> required smartcard auth. And it seemed to work fine for the new
> certs. Unfortunately, this likely means that the cards with the
> old chain will stop working but they are in the small minority and
> we'll likely have to get them new cards signed by the external CA
> with the new chain. 
> 
> I would like to suggest that the ability to rechain and have two
> different chains for the same external CA be added to FreeIPA.
> It's likely a rare situation but it happens. 

Thanks for the report Khurrum.  Glad you were able to sort it out.

Rob, Flo: this is old validation code (commit de695e688e, 2014) and
probably an oversight.  We should investigate whether anything
breaks when superior certs in the IPA CA chain get rekeyed.  If
nothing breaks, we should remove the SubjectPublicKeyInfo check.

Cheers,
Fraser
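To see what the SubjectPublicKeyInfo check discussed above reacts to, here is an added example (not FreeIPA's own code) that groups certificates by subject and reports whether a same-subject pair is a rechain (same key, new issuer) or a rekey (different key). It uses the `cryptography` library; the CA names and certificates are constructed inline for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def make_ca(subject, issuer, issuer_key=None, key=None):
    # Constructed sample data: a CA cert, self-signed unless issuer_key is given,
    # reusing `key` when passed (a rechain keeps the key, a rekey does not).
    key = key or ec.generate_private_key(ec.SECP256R1())
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def spki_der(cert):
    # DER SubjectPublicKeyInfo: the value the IPA chain check compares.
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def classify_by_subject(certs):
    """Map each subject DN to 'single', 'rechain' (one key) or 'rekey' (different keys)."""
    groups = defaultdict(list)
    for cert in certs:
        groups[cert.subject.rfc4514_string()].append(cert)
    report = {}
    for subject, group in groups.items():
        if len(group) == 1:
            report[subject] = "single"
        elif len({spki_der(c) for c in group}) == 1:
            report[subject] = "rechain"
        else:
            report[subject] = "rekey"
    return report

# Constructed sample: "External CA" re-issued under a new root with its old key
# (a rechain), versus re-issued with a fresh key (a rekey).
old_root_key, old_root = make_ca("Old Root", "Old Root")
new_root_key, new_root = make_ca("New Root", "New Root")
ext_key, ext_old = make_ca("External CA", "Old Root", old_root_key)
_, ext_rechained = make_ca("External CA", "New Root", new_root_key, key=ext_key)
_, ext_rekeyed = make_ca("External CA", "New Root", new_root_key)
RECHAIN_REPORT = classify_by_subject([old_root, new_root, ext_old, ext_rechained])
REKEY_REPORT = classify_by_subject([old_root, new_root, ext_old, ext_rekeyed])
```

Running it on a real bundle (load the PEMs with `x509.load_pem_x509_certificate` and pass them to `classify_by_subject`) shows which subject the mismatch error refers to before touching LDAP.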
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] macOS-X bound to freeIPA - mkhomedir

2020-12-13 Thread Grant Janssen via FreeIPA-users
I’ve been running a number of Macs bound to FreeIPA for years now.  The biggest 
nuisance is that I haven’t found a way to make a home directory when one doesn’t 
exist.
Without a home directory, a user logs in, the beachball spins forever and the 
user never gets a desktop because there is no user home directory.

"createhomedir -c -a" functions (on most systems), but I’d rather not run this 
in cron.

Has anyone found the PAM secret to have this function like mkhomedir on a 
CentOS host?

CentOS 7
grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
grant@outhouse:~[20201213-6:51][#1004]$

I wish there were an authconfig on OS X

- grant