[Freeipa-users] Install client fails in Ubuntu 22.04

2022-05-26 Thread Gustavo Berman via FreeIPA-users
Hello there!

Ubuntu 18.04 (and previous ones) work just fine.
In Ubuntu 22.04 I'm trying to execute ipa-client-install but it fails with:

root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8

WARNING: conflicting time synchronization service 'ntp' will be
disabled in favor of chronyd

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was
provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo@FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer:  CN=Certificate Authority,O=FISICA.CABIB
Valid From:  2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57

Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
root@fisica75:~#

There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and the cert is just fine.

Any ideas?
Thanks!


-- 
Gustavo Berman
2022-05-26T12:18:49Z DEBUG Logging to /var/log/ipaclient-install.log
2022-05-26T12:18:49Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2022-05-26T12:18:49Z DEBUG IPA version 4.9.8
2022-05-26T12:18:49Z DEBUG IPA platform debian
2022-05-26T12:18:49Z DEBUG IPA os-release Ubuntu 22.04 (Jammy Jellyfish)
2022-05-26T12:18:49Z DEBUG Starting external process
2022-05-26T12:18:49Z DEBUG args=['/usr/sbin/selinuxenabled']
2022-05-26T12:18:49Z DEBUG Process execution failed
2022-05-26T12:18:49Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:18:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2022-05-26T12:18:49Z DEBUG Starting external process
2022-05-26T12:18:49Z DEBUG args=['sudo', '-V']
2022-05-26T12:18:49Z DEBUG Process finished, return code=0
2022-05-26T12:18:49Z DEBUG stdout=Sudo versión 1.9.9
Opciones de configuración: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --with-selinux --with-linux-audit --enable-tmpfiles.d=yes --without-lecture --with-tty-tickets --enable-admin-flag
versión del complemento de políticas de sudoers 1.9.9
versión de gramática del archivo Sudoers 48

Ruta de sudoers: /etc/sudoers
Métodos de autenticicación: 'pam'
Facilidad de syslog, cuando se usa syslog para el registro: authpriv
Prioridad de syslog a usarse cuando el usuario se autentifica con éxito: notice
Prioridad de syslog a usarse cuando el usuario no se autentifica 
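
One way to see what the client's TLS stack is actually comparing when it reports "Hostname mismatch" (an added example, not code from the thread or from FreeIPA): fetch the leaf certificate the web service presents and check the name the client used against the SAN dNSName entries, consulting the CN only when the certificate has no dNSName at all. The sample certificates and names below are constructed; the `fetch_peer_cert` helper and the conservative wildcard rule are assumptions of this example, not a description of the poster's server.

```python
"""Show what a TLS verifier compares when it reports 'Hostname mismatch'.

Added example for this thread; it is not the poster's code nor part of
FreeIPA. The check is a plain re-implementation of the RFC 6125
reference-identity rules so the decision can be reproduced offline:
  - dNSName entries of the subjectAltName extension are authoritative;
  - the subject commonName is consulted only when the certificate has no
    dNSName entry at all (the fallback some stacks still allow);
  - a wildcard is accepted only as a single '*' standing for exactly one
    whole leftmost label, never at the top two levels (conservative
    assumption; some libraries are more permissive).
The sample certificates below are constructed for the demonstration.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns.
# CN and SAN values are invented; they are not the server from the thread.
SAMPLE_CERTS: Dict[str, dict] = {
    "san_matches": {
        "subject": ((("commonName", "ipa.example.test"),),),
        "subjectAltName": (("DNS", "ipa.example.test"),),
    },
    "cn_only": {
        "subject": ((("commonName", "ipa.example.test"),),),
    },
    "san_present_but_stale": {
        "subject": ((("commonName", "ipa.example.test"),),),
        "subjectAltName": (("DNS", "ipa-old.example.test"),),
    },
}


def san_dns_names(cert: dict) -> List[str]:
    """dNSName values from the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert: dict) -> List[str]:
    """commonName values from the subject, in RDN order."""
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS identity match with a conservative wildcard rule."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] == "*":
        # '*' must stand for exactly one whole label and leave at least two
        # fixed labels to its right (so '*.test' never matches 'example.test').
        return len(p) >= 3 and len(h) == len(p) and h[0] != "" and p[1:] == h[1:]
    return p == h


def explain_hostname_check(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (matches, reason) the way a verifier would decide it."""
    sans = san_dns_names(cert)
    if sans:
        if any(dns_name_matches(name, hostname) for name in sans):
            return True, f"{hostname!r} matched a SAN dNSName in {sans}"
        return False, (f"no SAN dNSName in {sans} matches {hostname!r}; the commonName "
                       f"{common_names(cert)} is ignored once any dNSName is present")
    cns = common_names(cert)
    if any(dns_name_matches(name, hostname) for name in cns):
        return True, f"no SAN present; {hostname!r} matched the commonName {cns} (fallback)"
    return False, f"no SAN present and commonName {cns} does not match {hostname!r}"


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Fetch the decoded leaf certificate from a live server for inspection.

    Hostname checking is disabled here on purpose so the certificate can be
    retrieved even when the name check would fail; chain verification against
    'cafile' (on an IPA client usually /etc/ipa/ca.crt) is still enforced.
    Not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        ok, why = explain_hostname_check(cert, "ipa.example.test")
        print(f"{label:24s} {'OK      ' if ok else 'MISMATCH'} {why}")
```

Against a real server, `explain_hostname_check(fetch_peer_cert("ipaserver.fisica.cabib", cafile="/etc/ipa/ca.crt"), "ipaserver.fisica.cabib")` shows whether the name the installer used appears in the SAN list at all; a certificate that carries the name only in its CN, or in a SAN list that has since gone stale, produces exactly the mismatch wording seen above even though the CA chain verifies.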

[Freeipa-users] Re: Extending FreeIPA (Schema, CI, UI)

2022-05-26 Thread Leo O via FreeIPA-users
I wouldn't say "wrong approach in development" rather "wrong approach in 
FreeIPA development". There are a lot of products which you can extend pretty 
easily, e.g. by just mounting volumes with your files into the container. 
Especially for a kind of small extension like this, an LDAP schema and a few UI 
elements, making you go through such a hassle, building an RPM package and your 
own Docker image, is horrible, to be honest. Whoever is responsible here, I hope 
they read this too and take it into consideration on any FreeIPA upgrades, 
making it more friendly for extensions, and also give the docs a higher priority 
(P.S. I had to google how to install the FreeIPA packages on a fresh Rocky 
Linux VM, as I couldn't find it in the official FreeIPA docs; that's 
ridiculous).
I don't know, give us something like an environment variable where we can add a 
plugin path; then we simply mount a volume with the extensions in whatever 
format/structure it needs and point to it using the env var. Idk, anything 
which is less cumbersome than the current approach.

Nevertheless, back to the technical part. By the way, thanks for your time, 
Alexander, I appreciate it. 
I prepared a repo: https://github.com/leonidas-o/freeipa-postfixbook-plugin
When I execute the command "rpmbuild -ba freeipa-userstatus-plugin.spec" I get 
a 
"error: Failed build dependencies:
python2-ipaserver >= 4.4.0 is needed by 
freeipa-postfixbook-plugin-0.9.0-1.el8.noarch"

So how do you set up your dev env? I've never built an RPM package, so this is 
pretty new to me. I mean, currently python3-ipaserver with all its 
dependencies is installed; I can't simply install python2-ipaserver with all its 
dependencies, as there are for sure dependency conflicts. Do you build 
several packages with one spec file, or have multiple spec files, e.g. one for 
python3, one for python2, and therefore also multiple dev env VMs where you can 
build that?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: hostgroup automember rules

2022-05-26 Thread Angus Clarke via FreeIPA-users
Super, that worked a treat, thanks. However, I see that the host can run the 
automember rebuild on any other host, which might not be desirable.

I'll have a look at Alexander's previous suggestion too with regards to 
creating a host entry with particular attributes set prior to running the 
ipa-client-install command.

Thanks again
Angus

From: Rob Crittenden 
Sent: 25 May 2022 20:24
To: FreeIPA users list ; Alexander 
Bokovoy 
Cc: Angus Clarke 
Subject: Re: [Freeipa-users] Re: hostgroup automember rules

This is controlled by the permission 'Add Automember Rebuild Membership
Task'. There is a related privilege, 'Automember Task Administrator'.

To limit what you're allowing to the minimum I'd create a new role like
'Hosts can rebuild automember' and add your host(s) to it.

rob

Angus Clarke via FreeIPA-users wrote:
> Hi Alexander
>
>> There are two ways of setting these fields:
>>
>>   - prior to enrollment, by pre-creating a host and setting the
>> attributes at that time.
>>
>>   - after the enrollment, right from the host using host keytab
>
> I started looking at the latter as it seems a simpler route; the host
> principal seems to lack the right to rebuild automembership for itself -
> is this something I can change?
>
> [root@blah ~]# kinit -k
> [root@blah ~]# ipa automember-rebuild --hosts=`hostname`
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the
> entry 'cn=automember rebuild membership,cn=tasks,cn=config'.
>
> Thanks a lot
> Angus
>
>
>
> 
> *From:* Alexander Bokovoy 
> *Sent:* 20 May 2022 13:39
> *To:* FreeIPA users list 
> *Cc:* Angus Clarke 
> *Subject:* Re: [Freeipa-users] hostgroup automember rules
>
> Hi Angus,
>
> On Fri, 20 May 2022, Angus Clarke via FreeIPA-users wrote:
>>Hello
>>
>>FreeIPA 4.6.8
>>
>>We are very happy with hostgroup automember rules based on servername
>>attribute however one of our internal customers uses a generic
>>servername template for all of their servers regardless of their
>>function.
>>
>>So I'm wondering what other attributes I might use for hostgroup
>>automember - perhaps some of the attributes can be configured by the
>>ipa-client-install (the host's "description" field perhaps) although I
>>don't see such mention in the man page ... Presumably they could use a
>>different enrollment user ("enrolledby") for each of their hostgroup
>>functions (not ideal).
>>
>>There are various attribute fields in the WebUI but I don't find much
>>documentation for them. What is the "|" field - perhaps I can exploit
>>this somehow?
>
> A few years ago a customer of mine asked a similar question. Here is what
> I answered:
>
> --
> You can use the nsHardwarePlatform attribute (part of the nsHost objectclass).
> It is exposed as '--platform' in the IPA CLI for 'ipa host-*' commands.
>
> Originally it was supposed to be filled by the IPA client join process
> with the 'uname -m' value. The ipa-join tool still sends it to the server but
> the value is ignored completely by the join process. As a result, the
> nsHardwarePlatform attribute is never set on the host object.
>
> I don't see any code in IPA itself that would rely on the content of the
> nsHardwarePlatform attribute. We have web UI tests upstream that modify
> the field to test that you can modify it, but that's all.
>
> Alternatively, one can use the userClass attribute (--class in the IPA CLI for
> host-* commands). This one is also not utilized and is left specifically
> for customers to define its semantics.
>
> Another alternative is the nsHostLocation attribute (--location in the IPA CLI
> for host-* commands). Again, the semantics are totally left for customers to
> define.
>
> --
>
> There are two ways of setting these fields:
>
>   - prior to enrollment, by pre-creating a host and setting the
> attributes at that time.
>
>   - after the enrollment, right from the host using host keytab
>
> The former can be done by a designated user/service account and can be
> tuned with custom permissions to allow such modification. The latter
> relies on the fact that the host principal has some write rights
> already:
>
> # kinit -k
>
> # ipa host-show `hostname` --rights --all
>dn: fqdn=dc.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
>Host name: dc.ipa.test
>Principal name: host/dc.ipa.t...@ipa.test
>Principal alias: host/dc.ipa.t...@ipa.test
>SSH public key: [skip]
>SSH public key fingerprint: [skip]
>Requires pre-authentication: True
>Trusted for delegation: False
>Trusted to authenticate as user: False
>Password: False
>Member of host-groups: ipaservers
>Keytab: True
>Managed by: dc.ipa.test
>Managing: dc.ipa.test
>attributelevelrights: {'aci': '', 'cn': 'rscwo', 'description':
> 'rscwo', 'enrolledby': 'rsc', 'fqdn': 'rsc',
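
Alexander's second route depends on two things the thread shows only partially: which attributes the host keytab can actually write (the `--rights` output above is cut off), and how automember conditions keyed on those attributes would then sort the host. The following added example (not the thread's or FreeIPA's code) parses a constructed `ipa host-show --rights --all` excerpt for the write-capable attributes and evaluates constructed automember-style inclusive/exclusive regex rules against the host's Class, Location and Platform fields. The sample output, its rights values and the rules are assumptions, as is treating a host with no matching inclusive condition as belonging to no group.

```python
"""Which host attributes can the host keytab set, and where would automember put it?

Added example, not code from the thread or from FreeIPA. Two offline steps
over constructed sample data:
  1. parse the 'attributelevelrights' dict that 'ipa host-show --rights --all'
     prints and list the attributes the bound principal may write ('w');
  2. evaluate automember-style conditions (inclusive and exclusive regexes
     keyed by attribute, exclusive taking precedence, as in 389-ds) against
     the host's attributes to show the hostgroups it would land in.
Assumptions: the host-show text, its rights values and the rules below are
constructed for the demonstration; a host without any matching inclusive
condition lands nowhere.
"""
import ast
import re
from typing import Dict, List, Tuple

# Constructed excerpt of 'ipa host-show web01.ipa.test --rights --all'.
SAMPLE_HOST_SHOW = """\
  Host name: web01.ipa.test
  Principal name: host/web01.ipa.test@IPA.TEST
  Platform: x86_64
  Class: web-frontend
  Location: dc1
  attributelevelrights: {'aci': '', 'cn': 'rscwo', 'description':
                         'rscwo', 'enrolledby': 'rsc', 'fqdn': 'rsc',
                         'nshardwareplatform': 'rscwo', 'nshostlocation': 'rscwo',
                         'userclass': 'rscwo', 'managedby': 'rsc'}
"""

# CLI label -> LDAP attribute, for the fields the thread discusses.
LABEL_TO_ATTR = {
    "Host name": "fqdn",
    "Platform": "nshardwareplatform",
    "Class": "userclass",
    "Location": "nshostlocation",
}

# Constructed automember rules: (attribute key, regex) pairs per hostgroup.
AUTOMEMBER_RULES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "webservers": {"inclusive": [("userclass", r"^web-")],
                   "exclusive": [("nshostlocation", r"^lab")]},
    "dc1-hosts":  {"inclusive": [("nshostlocation", r"^dc1$")], "exclusive": []},
    "lab-hosts":  {"inclusive": [("nshostlocation", r"^lab")], "exclusive": []},
}


def parse_attribute_rights(text: str) -> Dict[str, str]:
    """Extract the attributelevelrights dict, joining wrapped continuation lines."""
    lines = text.splitlines()
    marker = "attributelevelrights:"
    for i, line in enumerate(lines):
        if not line.strip().startswith(marker):
            continue
        buf = line.split(marker, 1)[1]
        j = i
        # The CLI wraps the dict; keep appending until the braces balance.
        while buf.count("{") > buf.count("}") and j + 1 < len(lines):
            j += 1
            buf += " " + lines[j].strip()
        return ast.literal_eval(buf.strip())
    raise ValueError("no attributelevelrights line in host-show output")


def writable_attributes(rights: Dict[str, str]) -> List[str]:
    """Attributes whose effective rights include write ('w')."""
    return sorted(attr for attr, r in rights.items() if "w" in r)


def parse_host_attributes(text: str) -> Dict[str, str]:
    """Map the labelled host-show fields back to their LDAP attribute names."""
    host: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label in LABEL_TO_ATTR:
            host[LABEL_TO_ATTR[label]] = value.strip()
    return host


def matching_hostgroups(host: Dict[str, str], rules=AUTOMEMBER_RULES) -> List[str]:
    """Hostgroups whose conditions the host satisfies; exclusive regexes win."""
    def hits(conds: List[Tuple[str, str]]) -> bool:
        # Only attributes actually present on the host are evaluated.
        return any(attr in host and re.search(rx, host[attr]) for attr, rx in conds)
    return [group for group, rule in rules.items()
            if not hits(rule["exclusive"]) and hits(rule["inclusive"])]


if __name__ == "__main__":
    rights = parse_attribute_rights(SAMPLE_HOST_SHOW)
    host = parse_host_attributes(SAMPLE_HOST_SHOW)
    print("host can write:", writable_attributes(rights))
    print("automember would add it to:", matching_hostgroups(host))
```

Run against real output (`ipa host-show $(hostname) --rights --all` after `kinit -k`), the first function tells you whether `userclass`, `nshostlocation` or `nshardwareplatform` carry a `w` for the host principal before you build hostgroup rules on them; the second lets you dry-run a proposed set of conditions against several hosts' attributes before creating them on the server, where the exclusive-wins ordering is what keeps a lab host out of a production group even when its class matches.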