[Freeipa-users] issue with group's objectclass attributes

2022-03-31 Thread Kathy Zhu via FreeIPA-users
Hi List,

Here is what happened in a timely order.


The group "it" was created a long time ago without the "groupOfUniqueNames"
objectclass.


I did the following to add the "groupOfUniqueNames" objectclass:

[root@ipa0 ~]# ipa group-show it --all | grep object
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
[root@ipa0 ~]#
[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
---
Modified group "it"
---
  Group name: it
  Description: IT Team
  GID: 1889600264
  Member users: john, rosy, ben, dan, rob,
  Member of groups: observium
  Member of Sudo rule: itsysadmins
  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
[root@ipa0 ~]#
[root@ipa0 ~]# ipa group-show it --all | grep object
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
[root@ipa0 ~]#


After this, I could not create a group (via either the GUI or the CLI); both
failed with the same error message:

[root@ipa0 ~]# ipa group-add testgroup
ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
[root@ipa0 ~]#


In the log:


[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

When checked via GUI - IPA Servers / Configuration, the group attribute
ipaNTGroupAttrs is there.

Any idea what went wrong and how to fix it?

Many thanks.

Kathy.
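An added check that is not part of Kathy's post and not FreeIPA or 389-ds tooling: the 389-ds log line above names the exact schema rule that failed (object class ipaNTGroupAttrs requires the attribute ipaNTSecurityIdentifier). The Python script below parses an LDIF export of the groups container and reports every entry whose object classes require an attribute the entry lacks, so existing groups that would fail the same check can be found before further changes are made. The sample LDIF, its SID value and its GIDs are constructed placeholders; the MUST table is an assumption that lists only the rule quoted in the log plus the RFC 2307 posixGroup rule, not the live server schema.

```python
"""Audit LDIF group entries for attributes that their object classes require.

Added example for this thread; not FreeIPA or 389-ds code. Feed it the
output of, for example:
  ldapsearch -LLL -b cn=groups,cn=accounts,dc=example,dc=com '(objectClass=ipaNTGroupAttrs)'
"""
import base64
import sys

# MUST attributes per object class, all lower-cased. Assumption: only the rule
# quoted in the 389-ds error (ipaNTGroupAttrs -> ipaNTSecurityIdentifier) and
# the RFC 2307 posixGroup rule are listed; extend it from your own schema.
REQUIRED_BY_CLASS = {
    "ipantgroupattrs": {"ipantsecurityidentifier"},
    "posixgroup": {"cn", "gidnumber"},
}

# Constructed sample export: the SID and GIDs are placeholders, not values from
# the poster's server.
SAMPLE_LDIF = """\
# constructed sample export
dn: cn=it,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
objectClass: groupOfUniqueNames
cn: it
description: IT Team, infrastructure
  and operations
gidNumber: 1889600264
ipaNTSecurityIdentifier: S-1-5-21-0-0-0-1001

dn: cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: testgroup
gidNumber: 1889600300
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute(lower-cased): [values]} dicts.

    Handles folded lines (leading space), '#' comments and '::' base64 values.
    Change records (changetype:) are not needed here and are not supported.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF folding: drop one leading space
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                         # not an attribute line; ignore it
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def find_missing_required(entries):
    """Return (dn, objectclass, missing_attribute) for every violated MUST rule."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        present = set(entry) - {"dn"}
        for oc in entry.get("objectclass", []):
            for attr in sorted(REQUIRED_BY_CLASS.get(oc.lower(), ())):
                if attr not in present:
                    findings.append((dn, oc.lower(), attr))
    return findings


if __name__ == "__main__":
    # With no piped input, run against the constructed sample.
    source = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for dn, oc, attr in find_missing_required(parse_ldif(source)):
        print(f'{dn}: missing "{attr}" required by object class "{oc}"')
```

On the constructed sample the script flags only cn=testgroup, which carries ipantgroupattrs without a SID, and passes cn=it. Against a real export it reads the same rule the server enforces at add time, so a group it flags is one that would be rejected if re-validated.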
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: certs: SAN without othername / NT Principal name

2022-03-31 Thread Fraser Tweedale via FreeIPA-users
On Thu, Mar 31, 2022 at 09:14:39PM +0300, Alexander Bokovoy via FreeIPA-users 
wrote:
> On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:
> > Hi FreeIPA users,
> > 
> > I'm having great fun with a web app that hates the othername/ NT Principal
> > name included with certificates generated with ipa-getcert.
> > 
> > I've tried several variations but can't omit this part of the subject
> > alternative name. Is there any way to do so?
> 
> You may add a separate certificate profile that omits the principal and
> allow issuing with this profile. The check for the Kerberos principal is
> a part of the issuance process before the certificate request is passed
> to the CA for actual signing. Once signed, content of the certificate is
> not validated anymore.
> 
> See Fraser's blog like this one:
> https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
> for some examples.
> 
Hi David,

+Rob

Actually, a custom profile won't help.  The cert-request command
validates the SAN extension, but cannot alter it (e.g. to remove the
UPN value).  So, you need to submit a CSR that does not have the UPN
otherName value.

Unfortunately, that is not possible via Certmonger.  The logic goes
like this:

- `ipa getcert-request` requires the `--principal` option to specify
  the subject principal

- The certmonger-ipa-submit(8) submission helper sets this argument
  using the value of the CERTMONGER_REQ_PRINCIPAL environment
  variable (src/ipa.c ~L768)

- The certmonger code that invokes the submission helper sets that
  environment variable from the request's `template_principal` field,
  if set (src/submit-e.c ~L863)

- If the `template_principal` field is set (as it must be for the
  IPA CA per above premises), the CSR will also include the
  KRB5PrincipalName and UPN otherName values in the SAN extension.

The only workaround I see is to not use Certmonger in this case.

The proper solution is to fix whatever program is complaining about
the certificate.  Are you able to say what program it is?  Can you
file a support/change request?

It would be possible to enhance Certmonger to know the principal to
tell it to `ipa cert-request` *without* also setting the
KRB5PrincipalName and UPN otherNames.  But it's a non-trivial change
to handle a possibly non-conforming verifier implementation.  I
would not count on it happening.

Thanks,
Fraser
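An added example, not Fraser's code nor Certmonger's: since `ipa cert-request` validates the SAN extension but cannot strip the UPN otherName from it, what a practitioner submitting a CSR outside Certmonger wants to verify first is which otherName values the CSR actually carries. The Python below uses the third-party `cryptography` package (an assumption about the environment) to build a CSR with and without a UPN otherName and to list the principal-type otherNames found in a CSR's SAN. The host name and principal are constructed; the OIDs are the standard Microsoft UPN (1.3.6.1.4.1.311.20.2.3) and KRB5PrincipalName (1.3.6.1.5.2.2) identifiers.

```python
"""Inspect a CSR's SAN extension for UPN / KRB5PrincipalName otherNames.

Added example for this thread; uses the third-party 'cryptography' package.
Usage: python3 san_check.py request.csr   (prints the principal otherNames found)
"""
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")    # Microsoft UPN otherName
KRB5_PRINCIPAL_OID = x509.ObjectIdentifier("1.3.6.1.5.2.2")  # KRB5PrincipalName otherName
PRINCIPAL_OTHERNAMES = {UPN_OID: "UPN", KRB5_PRINCIPAL_OID: "KRB5PrincipalName"}


def der_utf8string(text):
    """DER-encode a short UTF8String (tag 0x0C, short-form length < 128 bytes)."""
    data = text.encode("utf-8")
    if len(data) >= 128:
        raise ValueError("example supports short-form lengths only")
    return b"\x0c" + bytes([len(data)]) + data


def build_csr_pem(hostname, principal=None):
    """Build a CSR for hostname; add a UPN otherName to the SAN if principal is given.

    Constructed input for the example; a real CSR would be made with the host's key.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    names = [x509.DNSName(hostname)]
    if principal is not None:
        names.append(x509.OtherName(UPN_OID, der_utf8string(principal)))
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName(names), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def principal_othernames(csr_pem):
    """Return [(label, value)] for each UPN / KRB5PrincipalName otherName in the SAN.

    UPN values are DER UTF8Strings and are decoded; anything else (including the
    KRB5PrincipalName SEQUENCE) is reported as hex so nothing is silently dropped.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []                                      # no SAN at all
    found = []
    for other in san.get_values_for_type(x509.OtherName):
        label = PRINCIPAL_OTHERNAMES.get(other.type_id)
        if label is None:
            continue                                   # some other otherName type
        raw = other.value                              # DER of the inner value
        if len(raw) >= 2 and raw[0] == 0x0C and raw[1] == len(raw) - 2:
            found.append((label, raw[2:].decode("utf-8", "replace")))
        else:
            found.append((label, raw.hex()))
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            pem = fh.read()
    else:  # no file given: demonstrate on a constructed CSR
        pem = build_csr_pem("host.example.com", "HTTP/host.example.com@EXAMPLE.COM")
    for label, value in principal_othernames(pem):
        print(f"{label}: {value}")
```

An empty result from `principal_othernames` on the CSR you intend to submit is the condition Fraser describes: no UPN or KRB5PrincipalName otherName for the CA to copy into the issued certificate. The function reports both principal types rather than just UPN because Certmonger adds both at once.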


[Freeipa-users] Re: certs: SAN without othername / NT Principal name

2022-03-31 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 31 Mar 2022, David Harvey via FreeIPA-users wrote:

Hi FreeIPA users,

I'm having great fun with a web app that hates the othername/ NT Principal
name included with certificates generated with ipa-getcert.

I've tried several variations but can't omit this part of the subject
alternative name. Is there any way to do so?


You may add a separate certificate profile that omits the principal and
allow issuing with this profile. The check for the Kerberos principal is
a part of the issuance process before the certificate request is passed
to the CA for actual signing. Once signed, content of the certificate is
not validated anymore.

See Fraser's blog like this one:
https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html
for some examples.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] certs: SAN without othername / NT Principal name

2022-03-31 Thread David Harvey via FreeIPA-users
Hi FreeIPA users,

I'm having great fun with a web app that hates the othername/ NT Principal
name included with certificates generated with ipa-getcert.

I've tried several variations but can't omit this part of the subject
alternative name. Is there any way to do so?

Thanks in advance,

David


[Freeipa-users] Re: geo replication - ? - concept of

2022-03-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

IPA doesn't support read-only replica (see ticket
https://pagure.io/freeipa/issue/5569), but has a notion of hidden replica (
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-replica_installing-identity-management#installing-an-idm-hidden-replica_install-replica
).

More details here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/planning-the-replica-topology_planning-identity-management#the-hidden-replica-mode_planning-the-replica-topology

flo

On Thu, Mar 31, 2022 at 3:28 PM lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi guys.
>
> This must have been asked/covered somewhere I think, as it
> must be trivial concept/question many must have wondered -
> can IPA, in supported manner with built-in way or not, do
> 'geo-replication' in some sense?
> What I wonder specifically is - call it a secondary, backup
> or a mirror site(of whole domain) which would _only_
> receive(possibly synchronously) and be read-only but!...
> that direction, the flow of main/primary -> secondary/backup
> could be flipped, reversed(in relatively non-time consuming way)
> Anybody done or contemplated such or similar thing and care
> to share some thoughts?
>
> many thanks, L.


[Freeipa-users] geo replication - ? - concept of

2022-03-31 Thread lejeczek via FreeIPA-users

Hi guys.

This must have been asked/covered somewhere I think, as it 
must be trivial concept/question many must have wondered - 
can IPA, in supported manner with built-in way or not, do 
'geo-replication' in some sense?
What I wonder specifically is - call it a secondary, backup 
or a mirror site(of whole domain) which would _only_ 
receive(possibly synchronously) and be read-only but!... 
that direction, the flow of main/primary -> secondary/backup 
could be flipped, reversed(in relatively non-time consuming way)
Anybody done or contemplated such or similar thing and care 
to share some thoughts?


many thanks, L.


[Freeipa-users] Re: ipa-ca DNS record - ?

2022-03-31 Thread lejeczek via FreeIPA-users



On 31/03/2022 13:40, Florence Blanc-Renaud wrote:
> Hi,
>
> The command *ipa dns-update-system-records* can be used to add the missing
> records. If you'd rather add them manually, the command can be run with the
> *--dry-run* option and will display the expected records but will not
> perform any update.
>
> flo
>
> On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden via FreeIPA-users  wrote:
>
> > lejeczek via FreeIPA-users wrote:
> > > Hi guys.
> > >
> > > What is 'ipa-ca' for and what should it point to?
> > > Also, should IPA change that record ever?
> > >
> > > Reason I ask - from the docs as I understand - it should point to all CA
> > > servers in the domain, but it is not happening.
> >
> > It is a generic name for the CAs initially for the OCSP and CRL
> > endpoints. If a fixed hostname was stored there then if/when that server
> > disappears, no more resolving OCSP.
> >
> > It is also used for ACME as a generic name that can be used across your
> > infra.
> >
> > I suppose it's possible that you may have some old enough servers that
> > predate the ipa-ca name. I have a faint memory that servers marked as
> > HIDDEN also don't have this entry.
> >
> > It's fine to manually add the missing record in this case. IIRC there is
> > no task to seek out all CAs and add them.
> >
> > rob

nice - 'ipa dns-update-system-records' - very useful.

I wonder if the fact that my 'ipa-ca' was "incomplete" might 
have something to do with ipa-client-install's

...
Successfully retrieved CA cert
...
Joining realm failed: JSON-RPC call failed: Peer certificate 
cannot be authenticated with given CA certificates

...

My setup is a bit, well, awkward so it might be that but still 
- someone please decipher that error if you will.


many thanks, L.


[Freeipa-users] Re: ipa-ca DNS record - ?

2022-03-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

The command *ipa dns-update-system-records* can be used to add the missing
records. If you'd rather add them manually, the command can be run with the
*--dry-run* option and will display the expected records but will not
perform any update.

flo

On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> lejeczek via FreeIPA-users wrote:
> > Hi guys.
> >
> > What is 'ipa-ca' for and what should it point to?
> > Also, should IPA change that record ever?
> >
> > Reason I ask - from the docs as I understand - it should point to all CA
> > servers in the domain, but it is not happening.
>
> It is a generic name for the CAs initially for the OCSP and CRL
> endpoints. If a fixed hostname was stored there then if/when that server
> disappears, no more resolving OCSP.
>
> It is also used for ACME as a generic name that can be used across your
> infra.
>
> I suppose it's possible that you may have some old enough servers that
> predate the ipa-ca name. I have a faint memory that servers marked as
> HIDDEN also don't have this entry.
>
> It's fine to manually add the missing record in this case. IIRC there is
> no task to seek out all CAs and add them.
>
> rob


[Freeipa-users] Re: ipa-ca DNS record - ?

2022-03-31 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> Hi guys.
> 
> What is 'ipa-ca' for and what should it point to?
> Also, should IPA change that record ever?
> 
> Reason I ask - from the docs as I understand - it should point to all CA
> servers in the domain, but it is not happening.

It is a generic name for the CAs initially for the OCSP and CRL
endpoints. If a fixed hostname was stored there then if/when that server
disappears, no more resolving OCSP.

It is also used for ACME as a generic name that can be used across your
infra.

I suppose it's possible that you may have some old enough servers that
predate the ipa-ca name. I have a faint memory that servers marked as
HIDDEN also don't have this entry.

It's fine to manually add the missing record in this case. IIRC there is
no task to seek out all CAs and add them.

rob


[Freeipa-users] ipa-ca DNS record - ?

2022-03-31 Thread lejeczek via FreeIPA-users

Hi guys.

What is 'ipa-ca' for and what should it point to?
Also, should IPA change that record ever?

Reason I ask - from the docs as I understand - it should 
point to all CA servers in the domain, but it is not happening.


many thanks, L.


[Freeipa-users] Re: upgrade to FreeIPA 4.7+ from 4.6

2022-03-31 Thread Ivars Strazdins via FreeIPA-users
Thank you Florence,
this link was exactly what I was looking for, but somehow I missed it.
With kind regards,
Ivars 

> On 30 Mar 2022, at 23:05, Florence Blanc-Renaud  wrote:
> 
> Hi,
> 
> the official Red Hat Enterprise Linux documentation recommends installing a 
> RHEL8 replica (in place upgrade is not supported), ensure everything works 
> properly and then decommission the RHEL7 server: 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating
>  
> 
> 
> You should make sure to follow the documented steps (adapting with your Linux 
> distribution instead of RHEL) as the new servers must provide exactly the 
> same services as the one you intend to replace (CA, KRA, DNS)
> 
> HTH,
> flo
> 
> On Wed, Mar 30, 2022 at 10:44 AM Ivars Strazdins via FreeIPA-users 
>  > wrote:
> Hello,
> I am planning FreeIPA servers’ upgrade from Centos 7 with FreeIPA 4.6.8 to 
> Alma Linux 8.5.
> Can I just take out replicas one by one and install fresh Alma Linux, then 
> add back with latest FreeIPA on that replica?
> Or do I have to take some special precautions?
> 
> If FreeIPA version compatibility is not a concern, perhaps it is even 
> possible to do in-place upgrade with ELevate 
>  (Leapp utility) ?
> 
> Thank you in advance,
> Ivars Strazdins
