[Freeipa-users] Re: Use of certificates to have https secure connection

2021-04-24 Thread John Keates via FreeIPA-users
Hi Guille, 

"Pass --pin=" means: pass along the argument --pin and set it to an empty 
value (because --pin= does exactly that: it says "pin equals nothing").
In your case this might look like:

ipa-server-certinstall -w -d --pin= mysite.key mysite.crt

Or, if the command allows it, you could position it elsewhere, i.e. at the 
beginning:

ipa-server-certinstall --pin= -w -d mysite.key mysite.crt

If you want to know for sure what the command supports, you can generally use 
the help commands to find out, or use the manual, accessible via the man 
command:

man ipa-server-certinstall

If you have multiple files you can generally combine them. Wildcard 
certificates are the same as normal certificates, so they don't come with 
'extra files' just because they are wildcards.
It is possible that you have three files:

1. The private key
2. The actual certificate
3. An intermediate certificate chain

If that is the case you can often simply combine the certificate and the 
intermediate certificate(s) into a single file. This is not specific for 
FreeIPA and resources on PKI and intermediate certificates are readily 
available online. There are cases where the intermediate certificates are not 
required if they are available in major operating systems by default already.

John

> On 24 Apr 2021, at 14:21, G Col via FreeIPA-users wrote:
> 
> Hello rob,
> 
> Thank you for your help. The command I try to run is ipa-server-certinstall 
> -w -d mysite.key mysite.crt
> 
> but as it is a wildcard certificate, it has also associated a third file .crt
> 
> So when I run that command, it asks for a passphrase, but certs and key don't 
> have any passphrase associated. What could I do?
> What does this line mean: "Pass --pin=''."
> 
> 
> Thx u ;)
> guille
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
In that case, let's save you some additional time: FIPS mode is not beneficial, 
unless you are contractually required to shoot yourself in the foot and get a 
FIPS audit done.

Aside from that (somewhat obvious) fact, it would be useful for the list if you 
stated why you want this, and if you know what it even means.
Or, in a more organised way, with numbered questions:

1. Do you know what FIPS mode is?

2. Are you aware of the fact that FIPS mode has no upsides, except for 
contractual obligations?

Then, in addition to the above:

FIPS mode doesn't mean a lot in itself, it has nothing to do with your servers, 
clients, network cables or the color of the walls of the datacenter (to further 
the point of FIPS-irrelevance).
If you are asking: "If I toggle this switch, will anything break", the answer 
is no, your servers and clients will still talk to each other, and running 
something in "FIPS mode" on one system has no effect on any other system. That 
means that you can do the following and nothing will change:

- You can run neither clients nor servers in FIPS mode
- You can run a client in FIPS mode but servers in normal complete mode
- You can run a client in normal complete mode but servers in FIPS mode
- You can run both clients and servers in FIPS mode

At the end of the day this technically does nothing for you, unless you also 
get a FIPS audit. If you are not sure if you should or shouldn't do this, 
either don't do it at all, or ask your FIPS auditor.
If you do not have a FIPS audit, and no contractual obligation to comply with 
FIPS, then FIPS has nothing to do with you, and you have nothing to do with 
FIPS.

And just in case FIPS 'sounds cool' and you think it is 'extra secure mode': it 
is neither. Your FreeIPA or RHEL IdM will not be 'better' in FIPS mode.

John


> On 19 Apr 2021, at 21:08, Steve Reed via FreeIPA-users wrote:
> 
> Hi Stephen,
> 
> True.  I understand that, but I think we are getting off track to my original 
> question.  Can you run a FIPS FreeIPA server and still have the clients work 
> with it?  It's not necessarily required to have the clients FIPS compliant, 
> but the server must since it has to do the encryption for data that it stores.
> 
> And I appreciate that everyone is trying to save me some time, but it has 
> been decided that we will use FIPS unless it proves not beneficial.


[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
What Rob (and Alexander) are saying is: your auditor will do an audit and tell 
you if you are FIPS compliant. While using software in FIPS-compliant mode 
might reduce the amount of work you'll need to do to be compliant, it's not 
some sort of labeling procedure where you need to show some specs that tell the 
auditor the things you use are FIPS-compliant. It's the auditor that gives you 
compliance, not the software.

John


> On 19 Apr 2021, at 17:32, Steve Reed via FreeIPA-users wrote:
> 
> Hi Rob,
> 
> So, are you saying that CENTOS is not FIPS compliant?  Because there is a 
> long list of web sites that state that CENTOS and RHEL are FIPS 140-2 
> compliant.
> 
> https://www.google.com/search?q=is+centos+7+fips+compliant=1C1DKCZ_enUS768US768=Is+Centos+7+FIPS+com=chrome.0.0j69i57j0i390l2.6417j0j15=chrome=UTF-8=active


[Freeipa-users] Re: Auto cleanup old enrolled hosts

2021-02-16 Thread John Keates via FreeIPA-users
We have a similar situation where we end up with ~50k dead hosts after only a 
week; we ended up creating a lambda that pulls all the hosts out of IPA LDAP and 
then tries to find each of them in an AWS account using the EC2 API. If a host 
is not found to be either running or shut down but still stored, and it's at 
least 24h old, it gets deleted using the normal IPA host-del API command.

This works for us because we enforce instance IDs being part of the hostname, 
and the DNS suffix being related to an account. Alternatively you could search 
based on IP. Running it every couple of hours using a CloudWatch job keeps the 
host entries clean.

John

> On 16 Feb 2021, at 15:51, Russ Long via FreeIPA-users wrote:
> 
> We're adding FreeIPA to an immutable, often rotated environment (AWS ECS 
> Hosts).  These hosts are spun up and down at least daily.  Is there a way to 
> check FreeIPA to see when a host has last communicated with the FreeIPA 
> Cluster? I'd like to use this information to auto-delete hosts that have not 
> reported in from the FreeIPA host list. 
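An added example (not the lambda from the post) of the decision logic John describes, in Python: the instance ID is taken from the hostname, the DNS suffix picks the AWS account, and an entry is reaped only if EC2 knows no running or stopped instance for it in that account and the entry is at least 24h old. The account map, hostnames, enrollment timestamps and EC2 answers are constructed, and the EC2 lookup and the deletion are injected callables so the logic runs offline.

```python
"""Stale-host reaper for FreeIPA entries belonging to rotated AWS instances.

Added example, not the poster's code. Decision rule (from the list post):
instance ID embedded in the hostname, DNS suffix mapped to an AWS account,
delete only when EC2 reports no running/stopped instance AND the entry is
at least 24h old. EC2 lookup and `ipa host-del` are injected callables;
all sample data below is constructed.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# EC2 instance IDs: "i-" followed by 17 (current) or 8 (legacy) hex chars.
INSTANCE_RE = re.compile(r"\b(i-[0-9a-f]{17}|i-[0-9a-f]{8})\b")
MIN_AGE = timedelta(hours=24)   # never reap entries younger than this

# Constructed: which DNS suffix belongs to which AWS account ID.
SUFFIX_TO_ACCOUNT = {
    "prod.example.internal": "111111111111",
    "dev.example.internal": "222222222222",
}


def parse_host(fqdn):
    """Map an enrolled FQDN to (account_id, instance_id).

    Returns None when the name does not follow the enforced convention;
    such entries are never touched automatically.
    """
    short, _, suffix = fqdn.lower().partition(".")
    account = SUFFIX_TO_ACCOUNT.get(suffix)
    match = INSTANCE_RE.search(short)
    if account is None or match is None:
        return None
    return account, match.group(1)


def select_stale_hosts(hosts, instance_state, now):
    """Return the FQDNs that should be removed from IPA.

    hosts:           iterable of (fqdn, enrolled_at) with tz-aware datetimes
    instance_state:  callable(account_id, instance_id) -> "running",
                     "stopped", or None when EC2 has no such instance in
                     that account (stand-in for a DescribeInstances call)
    """
    stale = []
    for fqdn, enrolled_at in hosts:
        parsed = parse_host(fqdn)
        if parsed is None:
            continue                  # not an instance host: keep
        if now - enrolled_at < MIN_AGE:
            continue                  # may still be booting/enrolling
        account, instance_id = parsed
        # Lookup is scoped to the account implied by the suffix; the same
        # ID existing in another account does not count as "found".
        if instance_state(account, instance_id) in ("running", "stopped"):
            continue
        stale.append(fqdn)
    return stale


def run_cleanup(hosts, instance_state, delete_host, now):
    """Delete every stale entry via delete_host(fqdn); return what was deleted."""
    deleted = []
    for fqdn in select_stale_hosts(hosts, instance_state, now):
        delete_host(fqdn)
        deleted.append(fqdn)
    return deleted


def ipa_host_del(fqdn):
    """Real deletion through the IPA CLI (needs a valid admin ticket)."""
    subprocess.run(["ipa", "host-del", fqdn], check=True)


# ---- constructed sample data ---------------------------------------------
NOW = datetime(2021, 2, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    ("i-0abc1234deadbeef0.prod.example.internal", NOW - timedelta(days=3)),    # gone -> reap
    ("i-0abc1234deadbeef1.prod.example.internal", NOW - timedelta(days=3)),    # running -> keep
    ("i-0abc1234deadbeef2.dev.example.internal", NOW - timedelta(hours=2)),    # too young -> keep
    ("bastion.prod.example.internal", NOW - timedelta(days=30)),               # no ID -> keep
    ("i-0abc1234deadbeef3.dev.example.internal", NOW - timedelta(hours=25)),   # stopped -> keep
    ("i-0abc1234deadbeef4.dev.example.internal", NOW - timedelta(days=3)),     # wrong acct -> reap
]
# What EC2 would report, keyed by (account_id, instance_id).
SAMPLE_EC2 = {
    ("111111111111", "i-0abc1234deadbeef1"): "running",
    ("222222222222", "i-0abc1234deadbeef3"): "stopped",
    ("111111111111", "i-0abc1234deadbeef4"): "running",  # exists only in prod
}


def sample_instance_state(account, instance_id):
    return SAMPLE_EC2.get((account, instance_id))


if __name__ == "__main__":
    # Dry run on the constructed data; pass ipa_host_del instead for real use.
    deleted = run_cleanup(SAMPLE_HOSTS, sample_instance_state,
                          lambda f: print("would delete", f), NOW)
    print(len(deleted), "stale entries")
```

To make it live, point instance_state at a per-account DescribeInstances lookup and pass ipa_host_del as delete_host.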


[Freeipa-users] Re: How to migrate Sernet Samba 4.12.6-13 to FreeIPA on CentOS 7.8.2003

2020-09-20 Thread John Keates via FreeIPA-users
FreeIPA doesn’t do NT domain server or AD server things and does not support 
Windows clients. Are you sure you are on the right track?

As far as the relation between FreeIPA and Microsoft Active Directory goes: 
FreeIPA can ’trust’ an external AD domain so you can authenticate AD users via 
IPA so your AD accounts work on FreeIPA clients as well. That’s about it.

Regards,
John

> On 20 Sep 2020, at 05:32, ganci--- via FreeIPA-users wrote:
> 
> For many years now I have been using Centos6/7 with Samba to manage a small 
> AD. I have chosen to use the Sernet Centos6/7 packages and as of today have a 
> working AD. However for cost reasons and because FreeIPA is the RHEL 
> supported way to accomplish the same, I would like to migrate from the Sernet 
> Samba packages. Presently I am running CentOS Linux release 7.8.2003 with the 
> Samba 4.12.6-13 packages. Is there any documentation as to how to migrate the 
> Samba configuration to FreeIPA with a minimum of pain?  I have been running 
> Samba for many years now both as an NT domain server and now AD. But would 
> greatly appreciate some help migrating my Samba configuration and getting 
> started with FreeIPA. Suggestions and pointers are greatly appreciated. Thank 
> you for your help.


[Freeipa-users] Re: Integration of freeipa into an azure AD based infrastructure

2020-08-29 Thread John Keates via FreeIPA-users
You can, but only if you use hybrid Azure AD and have an AD DC to connect to. 
But then the problem becomes ‘who created the forest’. If you join an AAD 
‘forest’ you still can’t create a trust.
So far I’ve only had implementations where the AD domains and forests were 
‘classic’ and only connected to AD later on.

Regards,

John


> On 29 Aug 2020, at 10:16, Jonathan Aquilina via FreeIPA-users wrote:
> 
> Hi Alexander,
> 
> That is correct it is a hosted solution from microsoft.
> 
> What I do find interesting is you can have a VM in azure running AD that 
> connects to Azure AD. Is it possible from freeipa to connect to a cloud based 
> VM that is running AD?
> 
> Regards,
> Jonathan
> 
> 
> -----Original Message-----
> From: Alexander Bokovoy
> Sent: 28 August 2020 14:30
> To: FreeIPA users list
> Cc: Jonathan Aquilina
> Subject: Re: [Freeipa-users] Integration of freeipa into an azure AD based 
> infrastructure
> 
> On pe, 28 elo 2020, Jonathan Aquilina via FreeIPA-users wrote:
>> Afternoon all,
>>
>> I am just wondering does free ipa have the ability to integrate with azure
>> AD based infrastructure or is a proper active directory domain required?
>>
> 
> The latter is the case. My understanding is that internally Azure AD is a 
> hosted solution that does not allow consumers (AD instance admins) to have 
> enough privileges to control their own AD forest to establish a trust to a 
> separate forest.
> 
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering Red Hat Limited, Finland


[Freeipa-users] Re: Terminating replication agreement

2019-09-26 Thread John Keates via FreeIPA-users
What do you mean by ‘rebuilt’? Also: is that image a CA master and how does it 
fail when you run it with the clock turned back and network 
unplugged/firewalled?

John

> On 27 Sep 2019, at 00:10, Randy Morgan via FreeIPA-users wrote:
> 
> Tried everything you just suggested, and it doesn't work.  Yes this is a 
> recovery option, our environment has become damaged somehow, uncertain of all 
> that happened.  This image gives us a path forward, but I need these 
> replication agreements to go away and the image to become a stand alone 
> master.  Once that happens I believe I can get the certs to update, but right 
> now everything seems to be attempting to talk to IPA2 which is still running 
> but the server was rebuilt after this image was made, so we can't talk with 
> the server.
> 
> Randy
> 
> On 9/26/2019 4:05 PM, John Keates via FreeIPA-users wrote:
>> You could turn the clock back, remove the agreements, renew the certs to a 
>> future date, shutdown, reset the clock and renew again to get up and 
>> running. Make sure you’re doing it while the system is offline to prevent 
>> NTP.
>> Also: make sure you don’t run into this again by making regular recovery 
>> points (backups, snapshots, periodic master updates). I’m assuming this is a 
>> recovery action from total loss of everything? If not: don’t bother with 
>> that image, install a fresh master instead.
>> 
>> 
>> John
>> 
>>> On 26 Sep 2019, at 23:59, Randy Morgan via FreeIPA-users wrote:
>>> 
>>> I have a two year image of one of my IPA servers that I am trying to bring 
>>> live.  Unfortunately all of the certs except the CA are expired.  I have 
>>> attempted to follow the instructions for updating the certs, but it has 
>>> failed to update them.  After careful and extensive digging, I have found 
>>> that the issue is two replication agreements from other IPA servers that 
>>> have since been rebuilt. Because of the expired certs I can't log in to the 
>>> web UI, so I can't terminate the agreements that way, and the IPA commands 
>>> fail.  Is there a way to terminate these agreements manually by removing 
>>> the references to the two servers?
>>> 
>>> Randy Morgan
>>> 
>>> -- 
>>> Randy Morgan
>>> CSR
>>> Department of Chemistry/BioChemistry
>>> Brigham Young University
> 
> -- 
> Randy Morgan
> CSR
> Department of Chemistry/BioChemistry
> Brigham Young University


[Freeipa-users] Re: Terminating replication agreement

2019-09-26 Thread John Keates via FreeIPA-users
You could turn the clock back, remove the agreements, renew the certs to a 
future date, shutdown, reset the clock and renew again to get up and running. 
Make sure you’re doing it while the system is offline to prevent NTP.
Also: make sure you don’t run into this again by making regular recovery 
points (backups, snapshots, periodic master updates). I’m assuming this is a 
recovery action from total loss of everything? If not: don’t bother with that 
image, install a fresh master instead.


John

> On 26 Sep 2019, at 23:59, Randy Morgan via FreeIPA-users wrote:
> 
> I have a two year image of one of my IPA servers that I am trying to bring 
> live.  Unfortunately all of the certs except the CA are expired.  I have 
> attempted to follow the instructions for updating the certs, but it has 
> failed to update them.  After careful and extensive digging, I have found 
> that the issue is two replication agreements from other IPA servers that have 
> since been rebuilt. Because of the expired certs I can't log in to the web UI, 
> so I can't terminate the agreements that way, and the IPA commands fail.  Is 
> there a way to terminate these agreements manually by removing the references 
> to the two servers?
> 
> Randy Morgan
> 
> -- 
> Randy Morgan
> CSR
> Department of Chemistry/BioChemistry
> Brigham Young University


[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
So the name is MEYERAD but you typed MEYER-AD.  Remove the dash from your 
earlier command and it should work.

John

> On 22 Jul 2019, at 17:48, Andrew Meyer via FreeIPA-users wrote:
> 
> Getting this:
> 
> [andrew.meyer@freeipa01 ~]$ sudo ipa trust-find 
> ---
> 1 trust matched
> ---
>   Realm name: ad.meyer.local
>   Domain NetBIOS name: MEYERAD
>   Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
>   Trust type: Active Directory domain
> 
> Number of entries returned 1
> 
> [andrew.meyer@freeipa01 ~]$ 
> 
> 
> 
> On Monday, July 22, 2019, 10:26:29 AM CDT, Alexander Bokovoy wrote:
> 
> 
> On ma, 22 heinä 2019, Andrew Meyer via FreeIPA-users wrote:
> > Hello,
> > I am working on setting up FreeIPA with AD integration and seem to be
> > running into an issue.  It's possible that I am also doing something wrong.
> > I am setting it up to talk to MS Windows Server 2012r2.  Following
> > directions on https://www.freeipa.org/page/Active_Directory_trust_setup
> >
> > I have not edited the /etc/krb5.conf ( I figured that needed to happen on
> > the client machines.)
> Please use official documentation instead. The page above was written
> quite a few years ago by test engineers to help themselves to get
> through various test scenarios. You are better to use
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index
> 
> > I am actually at this step:
> > https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users
> >
> > I am getting the following error:
> > [andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external
> > --external 'MEYER-AD\Domain Admins'
> > [member user]:
> > [member group]:
> >   Group name: ad_admins_external
> >   Description: ad.meyer.local admins external map
> >   External member: S-1-5-21-2117027177-2554619188-4034396183-512,
> > S-1-5-21-2117027177-2554619188-4034396183-1106
> >   Member users: andrew.meyer
> >   Member groups: ad_admins
> >   Member of groups: ad_admins, ipausers
> >   Indirect Member groups: ad_admins_external
> >   Failed members:
> > member user:
> > member group: MEYER-AD\Domain Admins: invalid 'trusted domain object':
> > no trusted domain matched the specified flat name
> 
> This particular error message tells that there is no trust to AD with
> 'MEYER-AD' as its NetBIOS name.
> 
> It might be that the trust wasn't established successfully, thus it is
> not possible to use it to resolve users.
> 
> Start with 'ipa trust-find' output.
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> 


[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
What does the AD Trust list in IPA show for the AD domain you should be using? 
The same one? Or a different notation?

John

> On 22 Jul 2019, at 17:13, Andrew Meyer via FreeIPA-users wrote:
> 
> Hello,
> I am working on setting up FreeIPA with AD integration and seem to be running 
> into an issue.  It's possible that I am also doing something wrong.
> 
> I am setting it up to talk to MS Windows Server 2012r2.  Following directions 
> on https://www.freeipa.org/page/Active_Directory_trust_setup 
> 
> I have not edited the /etc/krb5.conf ( I figured that needed to happen on the 
> client machines.) 
> 
> I am actually at this step:
> https://www.freeipa.org/page/Active_Directory_trust_setup#Create_external_and_POSIX_groups_for_trusted_domain_users
> 
> I am getting the following error:
> 
> [andrew.meyer@freeipa01 ~]$ sudo ipa group-add-member ad_admins_external 
> --external 'MEYER-AD\Domain Admins'
> [member user]: 
> [member group]: 
>   Group name: ad_admins_external
>   Description: ad.meyer.local admins external map
>   External member: S-1-5-21-2117027177-2554619188-4034396183-512, 
> S-1-5-21-2117027177-2554619188-4034396183-1106
>   Member users: andrew.meyer
>   Member groups: ad_admins
>   Member of groups: ad_admins, ipausers
>   Indirect Member groups: ad_admins_external
>   Failed members: 
> member user: 
> member group: MEYER-AD\Domain Admins: invalid 'trusted domain object': no 
> trusted domain matched the specified flat name
> -
> Number of members added 0
> -
> [andrew.meyer@freeipa01 ~]$ 
> 
> What am I doing wrong?


[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread John Keates via FreeIPA-users
An alternative would be writing your own IPA plugin.

John

> On 9 Jul 2019, at 23:23, Andrew Meyer via FreeIPA-users wrote:
> 
> I was hoping to not use a radius server in between.
> 
> Sent from Yahoo Mail on Android 
> 
> On Tue, Jul 9, 2019 at 3:59 PM, Jochen Hein wrote:
> Andrew Meyer via FreeIPA-users writes:
> 
> > I am trying to research how to add other 2FA providers to FreeIPA. 
> > Has anyone added Duo or something else to FreeIPA/IPA in the most
> > recent versions?
> 
> 
> I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS
> and have some users authenticate against RADIUS.
> 
> Jochen
> 
> -- 
> This space is intentionally left blank.
> 


[Freeipa-users] Re: Upgrade path in CentOS 7

2019-07-03 Thread John Keates via FreeIPA-users
To be safe, I’d just add a new server with the latest of everything, join it to 
the domain and decommission the old one. Not a direct answer to your question, 
I know, but as soon as you are unsure of the upgrade path, putting in those 30 
minutes to do the install-and-replace routine solves it faster than a 
back-and-forth ;-)

In the 3.x and early 4.x versions I’d still upgrade on every release one by 
one, but now, if I miss a few updates, I just don’t bother anymore.

John

> On 3 Jul 2019, at 23:36, Christophe TREFOIS via FreeIPA-users wrote:
> 
> Hi,
>  
> Is it required to upgrade via every minor release of CentOS, say 7.2,7.3,7.4 
> etc to have a successful IPA upgrade, or can one also go from 7.2 to 7.6 
> directly?
>  
> Any advice will be appreciated,
> Thanks,
>  
> Chris
>  
>  


[Freeipa-users] Re: Install freeipa-client

2019-06-29 Thread John Keates via FreeIPA-users
That is part of the packaging, not part of freeipa-client. Usually, on apt/deb 
systems you can tell apt or dpkg you are running unattended by setting an 
environment variable like DEBIAN_FRONTEND=noninteractive.

After installing the package, you can set up the client unattended using 
ipa-client-install -U; see the manpage for which parameters you need.

John

> On 29 Jun 2019, at 15:27, Vivek Aggarwal via FreeIPA-users wrote:
> 
> Team,
> 
> I'm installing the "freeipa-client" agent on an Ubuntu machine, but while 
> installing, a UI screen pops up which requires me to provide Realm details. 
> Kindly suggest whether there is a way to install freeipa-client in an 
> unattended mode.
> 
> I ran this command >> apt-get install freeipa-client -y
> 
> regards
> Vicky 


[Freeipa-users] Re: cannot access webui

2019-06-20 Thread John Keates via FreeIPA-users
Start at the beginning:

- Is the install running? (ipactl status)
- Is apache listening (ss -l or netstat -l or systemctl status 
apache2/httpd/apache/whateverthenameis)
- Is the firewall letting you in?
- What does /var/log/apache2 or /var/log/httpd or whatever it’s configured to 
log to say?

John

> On 20 Jun 2019, at 23:30, Peter Zoltan Keresztes (zozo) via FreeIPA-users 
>  wrote:
> 
> Hello,
> 
> I have just installed the new freeipa on ubuntu18.04 and I am trying to log in 
> as admin in the web UI but I am not able to do so. I was looking for any 
> kind of logs but I don’t seem to find a way to debug the problem.
> Any suggestion where to start looking?
> 
> Regards
> Peter


[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
Ah, that was good to know, you’re converting a plain LDAP + Kerberos setup to 
IPA with integrated LDAP, integrated Kerberos and integrated DNS.
What’s important to know is that you cannot really cleanly convert that as the 
Kerberos tabs will have to be updated. With such a change, updating the 
kerberos config files is an easy next step.

Regarding DNS, NAT, KDCProxy: that’s mostly for if you wanted to do kerberos over 
the internet. Normally, you wouldn’t give an IPA server a public IP, so you’d 
NAT anyway. Natting an additional IP is a small pain to add ;-)
KDCProxy is meant as a kerberos-over-the-web solution where you can use 
kerberos in a somewhat safer way. Regarding the KDC realm: most people don’t 
really care what their ticket principals look like ;-)

If you have existing DNS, and you must re-use it for some reason, that is a 
more problematic scenario. In those cases it’s easier to just use a CNAME or 
additional A record on your existing DNS and point them to the new DNS.
Say your current setup is:

ldap.company.com for LDAP
kerberos.company.com for Kerberos

You could set up IPA with:

auth.company.com for everything (LDAP, web, KDC, KDC Proxy)

And then add a CNAME for ldap.company.com to auth.company.com for LDAP and a 
CNAME for kerberos.company.com to auth.company.com for Kerberos.
That way, the client-side config wouldn’t have to change domain names. The 
Kerberos realm would have to change so that’s a configuration you have to 
update anyway, no getting past that.
Configuring hosts for IPA uses the ipa-client-install script anyway, and that 
script would configure everything automatically anyway, so you don’t actually 
have to mess with the domains anyway. 
The domains and manual naming of things is only relevant if you have to 
manually configure everything.

John


> On 17 Jun 2019, at 14:59, Christian Reiss via FreeIPA-users 
>  wrote:
> 
> Hey John,
> 
> Awesome response :)
> But I am not setting any dns records by hand. I did it *prior* to
> FreeIPA. We are using naked Kerberos and ldap as-is. So thats where the
> DNS RR are coming from.
> 
> Does "Dont run IPA on a domain thats in use" mean "entire domain" or
> "Subdomain is OK"?
> 
> kdcproxy.. nat.. does not really sound awesome to be honest.
> Would a setup on auth.company.com (realm, domain, etc) have and
> disadvantages? I could simply add dns srv records from company.com to
> auth.company.com?
> 
> And it's okay I guess if the host keytabs look like
> 
>   host/server.company@auth.company.com
> 
> I am slowly getting there :)
> 
> -Chris.
> 
> On 17/06/2019 14:06, John Keates via FreeIPA-users wrote:
>> In that case, you’re doing it wrong ;-)
>> 
>> Don’t manually make DNS records, it’s not needed unless you disable the
>> built in DNS server in IPA. Also, don’t try to run IPA on a domain
>> that’s in use for something else. Keeping it simple and ’standard’ will
>> help you a ton here.
>> For example, if you set up your server like this, all should work
>> out-of-the-box:
>> 
>> ipa-server-install --domain=auth.company.com --realm=AUTH.COMPANY.COM --setup-dns
>> 
>> (Note: I’d use ds.company.com because auth suggests it’s just an
>> authentication server, but IPA is a lot more than that; then again ds for
>> directory service isn’t a complete picture either, you’d probably end up
>> with ipa.company.com if you wanted to do it ‘right’)
>> 
>> For public use, I’d suggest using kdcproxy which is designed for public
>> exposure. It’s supported in IPA.
>> 
>> If you wanted to use separate domain names for TCP/IP communication,
>> that is not connected to what you set in IPA. So if you have IPA setup,
>> you can always make an extra DNS record called kerberos.company.com,
>> point it to an IP, and then internally NAT that IP to any IPA server(s)
>> you want.
>> 
>> John
>> 
>>> On 17 Jun 2019, at 13:58, Christian Reiss via FreeIPA-users wrote:
>>> 
>>> Hey John,
>>> 
>>> thanks again for a detailed information. I do understand this, but maybe
>>> I am overthinking it. The current setup (non IPA) is:
>>> 
>>> company.com Domain name,
>>> Using kerberos on kerberos.c

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
In that case, you’re doing it wrong ;-)

Don’t manually make DNS records, it’s not needed unless you disable the built 
in DNS server in IPA. Also, don’t try to run IPA on a domain that’s in use for 
something else. Keeping it simple and ’standard’ will help you a ton here.
For example, if you set up your server like this, all should work 
out-of-the-box:

ipa-server-install --domain=auth.company.com --realm=AUTH.COMPANY.COM --setup-dns

(Note: I’d use ds.company.com because auth suggests it’s just an authentication 
server, but IPA is a lot more than that; then again ds for directory service 
isn’t a complete picture either, you’d probably end up with ipa.company.com if 
you wanted to do it ‘right’)

For public use, I’d suggest using kdcproxy which is designed for public 
exposure. It’s supported in IPA.

If you wanted to use separate domain names for TCP/IP communication, that is 
not connected to what you set in IPA. So if you have IPA setup, you can always 
make an extra DNS record called kerberos.company.com, point it to an IP, and 
then internally NAT that IP to any IPA server(s) you want.

John

> On 17 Jun 2019, at 13:58, Christian Reiss via FreeIPA-users 
>  wrote:
> 
> Hey John,
> 
> thanks again for the detailed information. I do understand this, but maybe
> I am overthinking it. The current setup (non IPA) is:
> 
> company.com Domain name,
> Using kerberos on kerberos.company.com.
> SRV & TXT Records all point to kerberos.company.com.
> 
> All user principals are u...@company.com, all kerberized
> services/keytabs have a principal of host/vm4.company@company.com
> 
> What we are aiming for is: A User requests a TGT via
> 
> kinit j...@company.com (ignoring default realms for a bit) and it would
> receive a TGT from either IPA server issues to
> 
>  j...@company.com
> 
> Servers are in the form
> 
>  host/server.company@company.com
> 
> Also, things that use ldap want dc=company,dc=com.
> We will not be using any Windows / AD things. Only UNIX/Linux.
> The Services are used in house as well as from around the world (public).
> 
> Thanks so much.
> -Christian.
> 
> 
> On 17/06/2019 13:44, John Keates via FreeIPA-users wrote:
>> What you are trying to do is possible but not recommended. If you make a
>> distinction between what you want your users to ’see’ and what your
>> domain technically should be you can probably resolve it.
>> For IPA, it’s important that the domain for the built in DNS server is
>> not used. That means: do not use a domain that is in use. Not for your
>> IPA domain and not for the kerberos realm.
>> 
>> So, say you have company.com and that is in use and you want to set up
>> IPA. Since it’s in use, you’ll have to start one level down on a
>> subdomain.
>> That means (per your choice AFAIK) that you have to set it all to
>> auth.company.com, both the IPA domain and the kerberos realm. The main
>> zone, company.com, doesn’t actually come into play here.
>> 
>> Afterwards, if you want to, you could make NS delegations to your IPA
>> server(s) from your main zone.
>> 
>> If you can’t make this work out, or if DNS is managed by multiple
>> teams/people, it might be much easier to simply register a second domain
>> just for IPA, remove all of its public zones and just use it inside IPA.
>> So if you have company.com you could use something like company.net if
>> that’s available. Could be confusing for users, so maybe companyauth.com
>> or company-internal.com.
>> 
>> The “domain” part in the server setup doesn’t mean anything regarding
>> what your users would type to access your web stuff, that can be proxied
>> and renamed as much as you like to anything else.
>> 
>> Something else: what is your goal? Is this IPA setup for internal use,
>> public use, end-users, admin-users, workstations, servers, web applications?
>> 
>> John
>> 
>>> On 17 Jun 2019, at 11:49, Christian Reiss via FreeIPA-users wrote:
>>> 
>>> Hey John,
>>> 
>>> Thanks for a speedy reply! Sure helped a lot understanding, tho a pity
>>> that some clients simply require a "a/cname" and do not look up any srv,
>>> like pfsense. And your reverse proxy idea is neat.
>>> 
>>> 
>>> Just one issue

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
What you are trying to do is possible but not recommended. If you make a 
distinction between what you want your users to ’see’ and what your domain 
technically should be you can probably resolve it.
For IPA, it’s important that the domain for the built in DNS server is not 
used. That means: do not use a domain that is in use. Not for your IPA domain 
and not for the kerberos realm.

So, say you have company.com and that is in use and you want to set up IPA. 
Since it’s in use, you’ll have to start one level down on a subdomain.
That means (per your choice AFAIK) that you have to set it all to 
auth.company.com, both the IPA domain and the kerberos realm. The main zone, 
company.com, doesn’t actually come into play here.

Afterwards, if you want to, you could make NS delegations to your IPA server(s) 
from your main zone.

If you can’t make this work out, or if DNS is managed by multiple teams/people, 
it might be much easier to simply register a second domain just for IPA, remove 
all of its public zones and just use it inside IPA.
So if you have company.com you could use something like company.net if that’s 
available. Could be confusing for users, so maybe companyauth.com or 
company-internal.com.

The “domain” part in the server setup doesn’t mean anything regarding what your 
users would type to access your web stuff, that can be proxied and renamed as 
much as you like to anything else.

Something else: what is your goal? Is this IPA setup for internal use, public 
use, end-users, admin-users, workstations, servers, web applications?

John

> On 17 Jun 2019, at 11:49, Christian Reiss via FreeIPA-users 
>  wrote:
> 
> Hey John,
> 
> Thanks for a speedy reply! Sure helped a lot understanding, tho a pity
> that some clients simply require a "a/cname" and do not look up any srv,
> like pfsense. And your reverse proxy idea is neat.
> 
> 
> Just one issue, either technical or lack of understanding:
> 
> So I went ahead for the domain company.com (example, using real IPs out
> there):
> 
> auth.company.com IN NS 10.0.0.1
> 
> and created
> 
> srv1.auth.company.com (10.0.0.1)
> srv2.auth.company.com (10.0.0.2)
> 
> During setup of srv1 I set:
> 
> The IPA Master Server will be configured with:
> Hostname:   srv1.auth.company.com
> IP address(es): 10.0.0.1
> Domain name:auth.company.com
> Realm name: COMPANY.COOM
> 
> BIND DNS server will be configured to serve IPA domain with:
> Forwarders:   10.0.0.1
> Forward policy:   first
> Reverse zone(s):  0.0.10.in-addr.arpa.
> 
> WARNING: Realm name does not match the domain name.
> You will not be able to establish trusts with Active Directory unless
> the realm name of the IPA server matches its domain name.
> 
> So:
> Server: srv1.auth.company.com
> Domain: auth.company.com
> K5: COMPANY.COM
> 
> Replica adoption failed because auth.company.com is not company.com.
> 
> 
> 2nd try, this time:
> 
> Server: srv1.auth.company.com
> Domain: company.com
> K5: COMPANY.COM
> 
> Primary failed: ERRORDNS zone COMPANY.COM. already exists in DNS and
> is handled by server(s): ns1.ns-serve.net., ns2.ns-serve.net.
> 
> What would be the right approach here?
> 
> Thanks again!
> -Chris.
> 
> 
> On 17/06/2019 10:10, John Keates via FreeIPA-users wrote:
>> A HA-aware client would use SRV records to locate the server(s) and then 
>> connect every returned instance until a working server is found. And by 
>> using locations you can scope the servers you get back.
>> 
>> Regarding the single URL: while there are many options, we decided to simply 
>> register all servers in a load balancer and when you access the URL provided 
>> by the loadbalancer you simply get redirected to any working server.
>> Some people prefer no URL redirects and try to solve it using stick tables 
>> and the likes, but to us that seems like a dirty solution so we ditched it 
>> after a PoC phase. It works but we don’t want it ;-)
>> 
>> If you have a special use case, a separate web app that talks to IPA can be 
>> better, that is what we did for non-tech accounts; a simple self-service app 
>> that allows you to change your own password and manage MFA.
>> For everything else (i.e. SSO, SAML etc.) we often use something else that 
>> talks to IPA, like Keycloak, because the IPA WebUI itself is really not 
>> going to give a user any useful functionality; it’s more of an operator and 
>> admin thing.
>> 
>> John
>> 
>>> On 17 Jun 2019, at 10:02, Christian Reiss

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
A HA-aware client would use SRV records to locate the server(s) and then 
connect every returned instance until a working server is found. And by using 
locations you can scope the servers you get back.

Regarding the single URL: while there are many options, we decided to simply 
register all servers in a load balancer and when you access the URL provided by 
the loadbalancer you simply get redirected to any working server.
Some people prefer no URL redirects and try to solve it using stick tables and 
the likes, but to us that seems like a dirty solution so we ditched it after a 
PoC phase. It works but we don’t want it ;-)

If you have a special use case, a separate web app that talks to IPA can be 
better, that is what we did for non-tech accounts; a simple self-service app 
that allows you to change your own password and manage MFA.
For everything else (i.e. SSO, SAML etc.) we often use something else that 
talks to IPA, like Keycloak, because the IPA WebUI itself is really not going 
to give a user any useful functionality; it’s more of an operator and admin 
thing.

John

> On 17 Jun 2019, at 10:02, Christian Reiss via FreeIPA-users 
>  wrote:
> 
> Hey folks,
> 
> I just recently began planning the deployment of FreeIPA and have
> successfully made several test setups.  Next step would be to integrate
> this in our new datacenter; so we are starting there from scratch.
> 
> I understand HA on the server side. What boggles my head is HA on the
> *client* side.
> 
> For example: Our pfsenses use a LDAP lookup against a single FQDN, and
> the cert must be valid (against any provided CA). Exporting the CA from
> freeIPA and importing that in pfsense is a cake.
> 
> But what do I point the clients towards? Let's say I have 4 FreeIPA servers:
> 
> - ipa01.auth.dc-01.company.com
> - ipa02.auth.dc-01.company.com
> - ipa03.auth.dc-01.company.com
> - ipa04.auth.dc-01.company.com
> 
> Realm company.com, Kerberos COMPANY.COM. If I point the pfsense (I'll
> stick to that as an example) against ipa01.auth.dc-01.company.com and
> this server is offline, then no HA is given. DNS Delegation might yield
> *any* of the four servers, including the one offline, so a 25% fault
> chance in there.
> 
> Second question, same area: If I want my users to have one single url
> for the FreeIPA webservice, like auth.company.com that follows the above
> solution then the self-signed and generated certs do not have this as
> altname.
> 
> 
> So summed up:
> 
> - How can I make (ldap) clients access the current online server(s)?
> - How can I provide access to the web interface to the current online
> server(s)?
> 
> 
> (Or is this simply by the magic of dns zone delegation and pure faith
> that always an online server will be hit?)
> 
> Thanks for any advice!
> -Christian.
> 
> -- 
> Christian Reiss - em...@christian-reiss.de   ASCII Ribbon Campaign
>                   supp...@alpha-labs.net     against HTML in eMails
> WEB alpha-labs.net
> 
> GPG Retrieval https://gpg.christian-reiss.de
> GPG ID ABCD43C5, 0x44E29126ABCD43C5
> GPG fingerprint = 9549 F537 2596 86BA 733C  A4ED 44E2 9126 ABCD 43C5
> 
> "It's better to reign in hell than to serve in heaven.",
>  John Milton, Paradise lost.
> 

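The SRV-based discovery and fail-through John describes, as an added example that is not from the thread: it orders a constructed `_ldap._tcp` answer per RFC 2782 and connects to each target in turn, so one offline server (the 25% case in the question) is skipped rather than fatal. Server names are the ones from the question; the liveness check is injected so the script runs offline, and a real client would obtain the records with a DNS library such as dnspython.

```python
import random
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN of the server, as in the SRV target field


# Constructed answer for _ldap._tcp.auth.company.com using the names from the
# thread: ipa01/ipa02 are preferred (priority 0), ipa03/ipa04 are backups.
CONSTRUCTED_SRV: List[SrvRecord] = [
    SrvRecord(0, 50, 389, "ipa01.auth.dc-01.company.com."),
    SrvRecord(0, 50, 389, "ipa02.auth.dc-01.company.com."),
    SrvRecord(10, 50, 389, "ipa03.auth.dc-01.company.com."),
    SrvRecord(10, 50, 389, "ipa04.auth.dc-01.company.com."),
]


def order_srv(records: Iterable[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order records per RFC 2782: lowest priority first, weighted random within a priority."""
    groups: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)
    ordered: List[SrvRecord] = []
    for prio in sorted(groups):
        remaining = list(groups[prio])
        while remaining:
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)  # RFC 2782: random in 0..sum inclusive
            running, chosen = 0, remaining[-1]
            for rec in remaining:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            remaining.remove(chosen)
    return ordered


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real liveness probe (can we open a TCP connection?); not used by the offline demo."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_working_server(
    records: Iterable[SrvRecord],
    connect: Callable[[str, int], bool],
    rng: Optional[random.Random] = None,
) -> Optional[str]:
    """Walk the SRV answer in order and return the first host that accepts a connection.

    The client connects to the SRV *target* name, so TLS hostname verification
    against each server's own certificate still succeeds; an alias such as
    auth.company.com is not in those certificates, as the question notes.
    """
    for rec in order_srv(records, rng or random.Random()):
        host = rec.target.rstrip(".")
        if connect(host, rec.port):
            return host
    return None


def demo_failover(down: Iterable[str], seed: int = 1) -> Optional[str]:
    """Simulate the question's scenario: some servers are offline; which one do we reach?"""
    offline = set(down)
    return find_working_server(
        CONSTRUCTED_SRV, lambda host, port: host not in offline, random.Random(seed)
    )


if __name__ == "__main__":
    print("all up      ->", demo_failover([]))
    print("ipa01 down  ->", demo_failover(["ipa01.auth.dc-01.company.com"]))
    print("prio 0 down ->", demo_failover(["ipa01.auth.dc-01.company.com",
                                          "ipa02.auth.dc-01.company.com"]))
```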

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread John Keates via FreeIPA-users
Sounds great! Where do we find this tool? In an upcoming release or as a 
stand-alone package?

John

> On 14 Jun 2019, at 16:29, Rob Crittenden via FreeIPA-users 
>  wrote:
> 
> I'd like to introduce a new tool for an IPA administrator's tool kit we're
> working on, currently in a beta state and shipping in Fedora 29+.
> 
> ipa-healthcheck is a proactive tool for identifying current, potential and
> future issues within an IPA installation.
> 
> It executes a series of checks in the areas of certificates, AD trust,
> replication and the filesystem (and a few others). These checks can
> return a success, warning or error. Any check executed will return a
> value, the idea being if something with the check blows up and causes it
> to not execute you'd otherwise not know and would have a false sense of
> security.
> 
> A systemd timer is configured which will execute this on a nightly
> basis, dumping the output in JSON format in /var/log/ipa/healthcheck/.
> 
> It can also be executed from the command-line as root and requires an
> admin Kerberos ticket. From the command-line it is probably most useful
> to use the --failures-only option in order to suppress the SUCCESS
> messages: no news is good news in this case.
> 
> It currently only works with IPA 4.7.2+. Will we backport to 4.6? I
> don't know yet.
> 
> I'd appreciate any feedback on whether it:
> 
> - is helpful
> - works
> - doesn't report false positives
> - is usable: a lot of the output is what I think would be useful but we
> won't know until applied in the real world
> - does what you need. We can add more checks so if you have ideas please
> let us know
> 
> Note that there are a few things we run that just produce output that
> needs to be analyzed separately. DNA range checking is an example. It is
> perfectly fine to not have a DNA range assigned on all masters but you'd
> want to know if you had none defined on all masters.
> 
> thanks
> 
> rob

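An added example, not part of the thread or of ipa-healthcheck itself: comparing two nightly JSON reports from /var/log/ipa/healthcheck/ and listing only the checks whose result got worse, which is the "no news is good news" view across runs rather than within one. The report layout assumed here (a JSON list of objects with source, check, result and kw, the latter optionally carrying key and msg) is how I understand the tool's output and is treated as an assumption; the two sample reports are constructed.

```python
import json
from typing import Dict, List, Tuple

SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}
CheckKey = Tuple[str, str, str]  # (source, check, kw.key)

# Constructed previous run: everything green.
PREVIOUS_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "SUCCESS", "kw": {"key": "20190101000000"}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "SUCCESS", "kw": {}},
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
     "result": "SUCCESS", "kw": {"range_start": 1000, "range_max": 1999}},
])

# Constructed current run: a certificate nears expiry, replication broke, and
# the DNA range output is unchanged (so it must not be reported).
CURRENT_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "WARNING", "kw": {"key": "20190101000000",
                                 "msg": "Request id 20190101000000 expires in 12 days"}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "ERROR", "kw": {"msg": "Replication agreement to ipa02 failed"}},
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
     "result": "SUCCESS", "kw": {"range_start": 1000, "range_max": 1999}},
])


def index_report(report_json: str) -> Dict[CheckKey, dict]:
    """Key each result by (source, check, kw.key) so the same check is matched across runs."""
    indexed: Dict[CheckKey, dict] = {}
    for entry in json.loads(report_json):
        key = (entry["source"], entry["check"], str(entry.get("kw", {}).get("key", "")))
        indexed[key] = entry
    return indexed


def regressions(previous_json: str, current_json: str) -> List[dict]:
    """Return current entries whose severity rose since the previous run, worst first.

    A check absent from the previous run counts as previously SUCCESS, so a
    brand-new failing check is reported too. An unrecognised result string is
    treated as CRITICAL rather than silently dropped.
    """
    previous = index_report(previous_json)
    current = index_report(current_json)
    worse: List[dict] = []
    for key, entry in current.items():
        now = SEVERITY.get(entry["result"], 3)
        before = SEVERITY.get(previous[key]["result"], 3) if key in previous else 0
        if now > before:
            worse.append(entry)
    worse.sort(key=lambda e: (-SEVERITY.get(e["result"], 3), e["source"], e["check"]))
    return worse


def format_lines(entries: List[dict]) -> List[str]:
    """One operator-readable line per regression, in the spirit of --failures-only."""
    return [
        f"{e['result']:<8} {e['source']}.{e['check']}: {e.get('kw', {}).get('msg', '')}".rstrip(": ")
        for e in entries
    ]


if __name__ == "__main__":
    for line in format_lines(regressions(PREVIOUS_REPORT, CURRENT_REPORT)):
        print(line)
```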

[Freeipa-users] Re: [HAProxy / Keepalive] After installation

2019-06-11 Thread John Keates via FreeIPA-users
IPA is already highly available: from the service side using DNS and multiple 
records for all services, and on the web side every server has a working web 
interface.
If you want to redirect users to any working interface, a generic load balancer 
without keepalive works: redirect them to the IP and the IPA server will take 
care of redirecting to HTTPS and the domain name.
No need to do anything yourself.

John

> On 11 Jun 2019, at 14:54, Karim Bourenane via FreeIPA-users 
>  wrote:
> 
> Thanks François, for your reply.
> 
> The goal is to have the IPA service always available if server 1 goes 
> down, and also for load sharing.
> 
> I thought about round-robin DNS, but the load sharing is not controlled for 
> effective sharing and there is no liveness test.
> 
> Best regards
> 
> Mr Karim Bourenane
> +33686464439
> +32493866354
> 
> 
> On Tue, 11 Jun 2019 at 14:03, François Cami wrote:
> Hi Karim,
> 
> On Tue, Jun 11, 2019 at 1:56 PM Karim Bourenane via FreeIPA-users wrote:
> >
> > Hello team
> >
> > Hope you are well.
> >
> > After an existing installation, we decided to implement HAProxy + 
> > Keepalive on all our IPA servers.
> >
> > The haproxy / keepalive work well but now IPA doesn't run well, because 
> > it wants to listen on all interfaces in the servers.
> >
> > How can I modify the IPA (+ all modules KRB5/DNS...) server conf to bind 
> > only to 1 local interface and not to the VIP interface?
> 
> Binding to the local interface is in no way expected and will result
> in some components not working.
> 
> I am not aware of any scenario where adding HAProxy+Keepalived in
> front of FreeIPA would provide a tangible benefit. Could you please
> explain the reasoning behind such a decision?
> 
> Regards,
> François
> 
> > Kind regards


[Freeipa-users] Re: ILO Card IPA authentication

2019-06-06 Thread John Keates via FreeIPA-users
ESX has nothing to do with the iLO. The iLO settings can for example be set 
from the iLO web interface, use LDAP authentication and point it to IPA.

John

> On 6 Jun 2019, at 10:57, Karim Bourenane via FreeIPA-users 
>  wrote:
> 
> Hello All
> 
> I want to authenticate users to our HP iLO 4 card via FreeIPA.
> The ESXi server is not enrolled in IPA, only the DNS was defined.
> Also I can't extract any keytab for easy user authentication.
> 
> Can you help me with this?
> 
> 
> Regards
> 
> Karim Bourenane
>  


[Freeipa-users] Re: Minimal ipa configuration (inside docker)

2019-06-05 Thread John Keates via FreeIPA-users
Keep in mind that when you use RHEL, features that aren’t available (due to 
supported versions restrictions) should probably not be hacked/bypassed because 
that would probably void your support just as well.
If you want something unsupported you might as well use something else (Fedora, 
CentOS), but at that point you can also install newer versions and then you 
don’t need to hack around anymore.

Regarding your docker issue; IPA expects more than just a file and a config 
directory, you can check the source code for ipaclient, the cli and the modules 
it imports, you’ll see a large amount of checks it’s using to find out if the 
install is OK and working.
If you just want to use a few specific things, you are probably better off 
using the REST API and writing a normal localised client yourself. For 
authentication you can then use username+password or a kerberos keytab. 
I would not recommend using a docker container that impersonates the host it’s 
running on, but then I’d also not recommend enrolling every docker instance 
that ever gets started. I think a similar question was asked on this list a few 
weeks ago, have you checked the recent archives?

John

> On 5 Jun 2019, at 09:46, Dmitry Perets via FreeIPA-users 
>  wrote:
> 
> Hi,
> 
> Could you please help me configure the ipa tool inside a docker container 
> which is not enrolled? 
> 
> I have a parent Linux VM that is enrolled in FreeIPA. On top of it I run a 
> docker container, and I mount the entire /etc/ipa and /etc/krb5.conf (both in 
> read-only mode).
> My goal is just to be able to use ipa tools, like "ipa vault-*". No need for 
> remote user login and other FreeIPA functionality. 
> 
> I thought that having /etc/ipa/default.conf and /etc/ipa/ca.crt would be 
> enough for ipa tool to work.
> But currently, within the container, ipa says it is not configured:
> 
> # ipa
> IPA client is not configured on this system
> 
> What exactly is it looking for...? 
> Thanks!
> 
> P.S. ipa-client version is 4.6.4. I see that there are plans for zero-config 
> ipa tool, but in later versions... unfortunately, 4.6.4 is what is currently 
> packaged into RHEL7.6 that we are using...
> 
> ---
> Regards,
> Dmitry Perets

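The "write a normal client against the API" route John suggests, as an added example that is neither from the thread nor FreeIPA project code: a small client for FreeIPA's JSON-RPC session API (what the message calls the REST API) using username+password login, with no local ipa client configuration. The server name ipa01.example.test, the account and the API version string are assumptions, the server side is a constructed fake so the example runs offline, and https_transport is what you would plug in for real use; a keytab-based login would use the Kerberos session endpoint instead and is not shown.

```python
import json
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Any, Callable, Dict, Tuple

# transport(url, headers, body) -> (http_status, response_body); injectable for offline tests
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]
SERVER = "ipa01.example.test"  # assumed server name, not from the thread


def https_transport(ca_file: str) -> Transport:
    """Real transport: HTTPS verified against the IPA CA (the /etc/ipa/ca.crt the poster mounts)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(CookieJar()),  # keeps the ipa_session cookie
    )

    def send(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read()

    return send


class IpaSession:
    """Password login plus JSON-RPC calls against /ipa/session, no local ipa config needed."""

    def __init__(self, server: str, transport: Transport, api_version: str = "2.230"):
        self.base = f"https://{server}/ipa"
        self.send = transport
        self.api_version = api_version  # assumed; use the version your server reports
        self._id = 0

    def login_password(self, user: str, password: str) -> None:
        """Form-POST credentials; the server answers 200 and sets the session cookie."""
        body = urllib.parse.urlencode({"user": user, "password": password}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "text/plain", "Referer": self.base}
        status, _ = self.send(f"{self.base}/session/login_password", headers, body)
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")

    def call(self, method: str, *args: Any, **options: Any) -> Any:
        """One IPA command, e.g. call('vault_find') or call('user_show', 'alice', all=True)."""
        self._id += 1
        payload = {"method": method,
                   "params": [list(args), {"version": self.api_version, **options}],
                   "id": self._id}
        headers = {"Content-Type": "application/json", "Accept": "application/json",
                   "Referer": self.base}  # IPA rejects requests without a matching Referer
        status, raw = self.send(f"{self.base}/session/json", headers, json.dumps(payload).encode())
        if status != 200:
            raise RuntimeError(f"HTTP {status} from session/json (expired session?)")
        reply = json.loads(raw)
        if reply.get("error"):
            raise RuntimeError(f"IPA error {reply['error']['code']}: {reply['error']['message']}")
        return reply["result"]["result"]


def fake_ipa_server() -> Transport:
    """Constructed stand-in for the server so the example runs offline; replies mimic IPA's envelope."""
    state = {"logged_in": False}

    def send(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        if headers.get("Referer") != f"https://{SERVER}/ipa":
            return 400, b"missing Referer"
        if url.endswith("/session/login_password"):
            creds = dict(urllib.parse.parse_qsl(body.decode()))
            state["logged_in"] = creds == {"user": "svc-vault", "password": "constructed-secret"}
            return (200, b"") if state["logged_in"] else (401, b"")
        if url.endswith("/session/json") and state["logged_in"]:
            req = json.loads(body)
            if req["method"] == "vault_find":
                reply = {"result": {"result": [{"cn": ["app-db-password"]}], "count": 1},
                         "error": None, "id": req["id"]}
            else:  # constructed error reply in IPA's envelope shape (code value is made up)
                reply = {"result": None, "id": req["id"],
                         "error": {"code": 905, "message": f"unknown command '{req['method']}'"}}
            return 200, json.dumps(reply).encode()
        return 401, b""

    return send


def demo() -> list:
    """Log in and list vaults (the 'ipa vault-*' use case from the question) via the fake server."""
    session = IpaSession(SERVER, fake_ipa_server())
    session.login_password("svc-vault", "constructed-secret")
    return session.call("vault_find")


if __name__ == "__main__":
    print(demo())
```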

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread John Keates via FreeIPA-users

On *nix I’d test with klist etc to get information on what tickets I have and 
what those tickets are good for.
Perhaps you can do the same on Windows, figure out what tickets you actually 
have and what you can do with them.

John

> On 1 Jun 2019, at 13:04, lejeczek via FreeIPA-users 
>  wrote:
> 
> On 31/05/2019 15:42, Juan Pablo wrote:
>> Hi, first of all: GSSAPI is not imported on openssh for windows
>> unfortunately. So you need to mandatory use putty to have GSSAPI
>> kerberos passwordless from windows to linux domain.
>> 
>> second, from which system on the windows side are you trying to login?
>> can you see if it works from the Active Directory server itself,
>> please? IIRC, you will have to allow the host/pc to delegate kerberos
>> credentials (on windows side). AD domain servers have kerberos ticket
>> delegation enabled by default, regular pc/hosts dont. maybe this is
>> the case...
>> 
>> regards,
>> JP
> 
> I was hoping but was not sure, that nomorefood's stuff ended up in
> Windows version in the latest, thus I stressed, update of 1903, but,
> it's not there.
> 
> Putty I got from ssh.com (I'm not sure if this is the best place or best
> putty to get?) but this putty, on/off the AD server.. yes, works with
> gssapi and I see password-less authentication.
> 
> I thought I delegated Win10 client box to "Trust this computer for
> delegation of any service) in AD Users & Computers but... still password
> prompt. Any ideas, suggestions?
> 
> many thanks, L.
> 
>> 
>> On Mon, 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users wrote:
>> 
>>> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>>>> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>>>>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>>>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>>>>> lejeczek via FreeIPA-users wrote:
>>>>>>>> hi guys,
>>>>>>>> 
>>>>>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>>>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>>>>>>> 
>>>>>>>> For me this does not work - ssh still asks for passwords.
>>>>>>>> 
>>>>>>>> If this is due to some failure/problem, then where to look and how to
>>>>>>>> troubleshoot?
>>>>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>>>>> 
>>>>>>> rob
>>>>>> I made an assumption - which I see now was invalid - that some experts
>>>>>> may know mentioned guide by heart and if I quoted something then the
>>>>>> rest will be obvious - wrong, sorry.
>>>>>> 
>>>>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>>>>>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>>>>> 
>>>>>> My hope was to have AD's clients be able to ssh(and maybe get to other
>>>>>> things like Samba) without password and with Kerberos.
>>>>>> 
>>>>>> I see IPA's users can do that between IPA's servers
>>>>>> 
>>>>>> ...
>>>>>> 
>>>>>> debug1: PAM: initializing for "tester1"
>>>>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>>>>> debug1: PAM: setting PAM_TTY to "ssh"
>>>>>> debug1: userauth-request for user tester1 service ssh-connection method
>>>>>> gssapi-with-mic [preauth]
>>>>>> debug1: attempt 1 failures 0 [preauth]
>>>>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>>> [preauth]
>>>>>> debug1: Got no client credentials
>>>>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>>>>>> /home/tester1/.k5login
>>>>>> Authorized to tester1, krb5 principal tester1@private
>>>>>> (ssh_gssapi_krb5_cmdok)
>>>>>> debug1: do_pam_account: called
>>>>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>>> ...
>>>>>> 
>>>>>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>>>>>> user then I do not see above in the logs and such ssh(Win10 own feature)
>>>>>> is asked for password.
>>>>>> 
>>>>>> To sum up: AD's users off/from Win AD win-stations to IPA's
>>>>>> members/clients with Kerberos if possible. (trust is already established
>>>>>> and running)
>>>>> Hi,
>>>>> 
>>>>> having a trust is the first requirement. Second is a ssh client on the
>>>>> Windows side which can do GSSAPI authentication (recent version of putty
>>>>> can) and has GSSAPI authentication enabled (iirc this is not the default
>>>>> for putty, so you have to switch it on manually). Next is that you have
>>>>> to use the fully-qualified DNS name of the IPA client you want to login
>>>>> to. If all this is set and authentication still falls back to ask for a
>>>>> password please check with the klist command on the Windows client in
>>>>> command.exe or the Powershell if you already got a service ticket for
>>>>> the IPA client. If this is missing please check if there is a
>>>>> cross-realm ticket, it has a 

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
Very odd, those steps look correct to me. And if auto-discovery for the domain, 
realm, hostname and IPA server work, then it’s not the ipa-client-install 
script I think.
What versions are you running? Important bits:

- freeipa packages
- kerberos packages
- sssd packages

also, what do /etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/krb5.conf 
look like? Do you have a valid keytab in /etc/krb5.keytab?
Other things to compare:

/var/log/ipa-client-install.log 

check if the enrollment is different between the command you run automatically 
vs. running it manually when it works

John

> On 29 May 2019, at 23:04, Boudjoudad Abdelkader wrote:
> 
> I was using curtin but now I'm using cloud-init post-installation, after the 
> installation freeipa-client is installed and sssd.conf configured as well as 
> krb5.conf and krb5.keytab but the nfs mount doesn't work !
> 
> The command to deploy the script is:
>  maas $PROFILE  machine deploy $SYSTEM_ID user_data=$(base64 -w 0 
> /opt/myscript.sh)
> The script is executed after the installation i can see that but it seems to 
> have a problem with ipa-client-installation !
> 
> On Wed, May 29, 2019 at 4:59 PM John Keates wrote:
> In what phase do you run the script? It should be one of the last scripts in 
> the final phase for the install to work reliably. If it’s in preconfig or 
> config phase it breaks 9 out of 10 times.
> 
> John
> 
>> On 29 May 2019, at 22:53, Boudjoudad Abdelkader wrote:
>> 
>> I'm using cloud-init with this script:
>> locale-gen en_CA.utf8
>> locale-gen en_US.utf8
>> 
>> HOSTNAME=$(hostname)
>> IP=$(hostname -i | awk '{print $1}')
>> echo "$HOSTNAME.example.com" > /etc/hostname
>> FQDN="$HOSTNAME.example.com"
>> echo "FQDN is: $FQDN"
>> sed -i "1 i\
>> $IP $FQDN $HOSTNAME" /etc/hosts
>> apt-get -y update
>> apt-get install -y nfs-kernel-server nfs-common
>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>   --domain example.com --no-ntp --unattended --principal admin \
>>   --password 'Deep201' --realm EXAMPLE.COM --enable-dns-updates --force --force-join
>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>> 
>> I will test with only --enable-dns-updates, principal and password
>> The network is configured well because i can reach the nfs server.
>> 
>> 
>> On Wed, May 29, 2019 at 4:44 PM John Keates wrote:
>> What I meant was that you are already practically disabling it; you specify 
>> the hostname, domain, server, realm on your command line but those should be 
>> discoverable.
>> Here is an enrollment jinja2 template I use:
>> 
>> ipa-client-install -U --enable-dns-updates 
>> --principal={{freeipa.client.enroll.username}} 
>> --password={{freeipa.client.enroll.password}}
>> 
>> It’s all that’s needed as long as your network has the correct setup. You’d 
>> replace the principal and password with your own of course.
>> It would probably look like:
>> 
>> ipa-client-install -U --enable-dns-updates --principal=admin 
>> --password=Deep201qa
>> 
>> John
>> 
>>> On 29 May 2019, at 22:39, Boudjoudad Abdelkader wrote:
>>> 
>>> Hi John,
>>> Thank you for the quick reply,
>>> 
>>> To disable autodiscovery the option is?
>>> --autodiscovery=no
>>> 
>>> On Wed, May 29, 2019 at 4:18 PM John Keates wrote:
>>> I don’t know what you are missing, but I do know that in theory your 
>>> enrolment should work with just -U for unattended and the principal and 
>>> password.
>>> Unless you have a special environment that requires auto discovery to be 
>>> disabled, I’d recommend using it.
>>> 
>>> I’m enrolling clients in three ways that all work this way, one using a 
>>> Cloud-Init module, one using a SaltStack formula and one using a Lambda 
>>> function that uses SSH to connect to a machine and run the enrolment 
>>> remotely.
>>> 
>>> The text from your mount command seems to suggest a timeout issue, perhaps 
>>> the network isn’t up or DNS is broken? I’m also seeing you using an IP, 
>>> it’s usually a sign of an incomplete or improper network setup (but 
>>> technically it should be fine)
>>> 
>>> John
>>> 
>>>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users wrote:
>>>> 
>>>> Hello,
>>>> I'm trying to automate freeipa-client installation on Ubuntu with custom 
>>>> script using MAAS as follows:
>>>> HOSTNAME=$(hostname)
>>>> IP=$(hostname -i | awk '{print $1}')
>>>> echo "$HOSTNAME.example.com" > /etc/hostname
>>>> FQDN="$HOSTNAME.example.com"
>>>> echo "FQDN is: $FQDN"
>>>> sed -i "1 i\
>>>> $IP $FQDN $HOSTNAME" /etc/hosts
>>>> apt-get 

[Freeipa-users] Re: ipa server upgrade fails - dirsrv complains about Unknown attribute syntax OID

2019-05-29 Thread John Keates via FreeIPA-users
Yes. While in general upgrades should be possible, given the big jump you made 
combined with a distro that isn’t as robust as, say, CentOS or RHEL, I’d suggest 
always simply rolling a replacement server to replace the old ones one by one.
Also always run at least 2 servers with all the roles so you don’t end up in a 
situation where you cannot recover from a broken system. Keep in mind that 
enrolments and server replication only work as long as you have at least 1 
functional server.

John

> On 29 May 2019, at 22:25, Darac Marjal via FreeIPA-users wrote:
> 
> Ah, is FreeIPA generally okay with servers being at different versions,
> then? Could I upgrade by creating a new server, enrolling it as a
> replica of then old server and then shut down the old server. Can I do
> that as a general behaviour?
> 
> On 29/05/2019 21:21, John Keates via FreeIPA-users wrote:
>> I’d suggest creating a new server, enrolling it as a replica (well, it’s 
>> multi-master so technically it’s just another FreeIPA server) instead of 
>> upgrading.
>> If you have other servers that still work, do that and nuke this one. If 
>> this is the last/only server you have, I’d restore it from backups (you have 
>> those, right?).
>> 
>> If you neither have additional servers that work, nor backups, prepare for a 
>> nightmare. If you know ahead of time that rebuilding your IPA infrastructure 
>> might be a slight hassle yet only take an hour or so to re-enroll all hosts 
>> and reset your users, do that as it’ll be faster in many cases.
>> 
>> John
>> 
>>> On 29 May 2019, at 21:35, Darac Marjal via FreeIPA-users wrote:
>>> 
>>> Hello good people,
>>> 
>>> Due to being unfamiliar with Fedora, my home FreeIPA server has been
>>> languishing on Fedora version 25 for ages. I recently twigged that it
>>> hadn't been updated in ages to upgraded to Fedora version 30. That
>>> seemed to go OK, but now, when I try to run ipactl start, I get the
>>> following:
>>> 
>>> # ipactl start
>>> IPA version error: data needs to be upgraded (expected version
>>> '4.7.90.pre1-4.fc30', current version '4.4.4-1.fc25')
>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>> Be patient, this may take a few minutes.
>>> Automatic upgrade failed: IPA server upgrade failed: Inspect
>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>>> 'start', 'dirsrv@GHIBLI-DARAC-ORG-UK.service'] returned non-zero exit
>>> status 1: 'Job for dirsrv@GHIBLI-DARAC-ORG-UK.service failed because the
>>> control process exited with error code.\nSee "systemctl status
>>> dirsrv@GHIBLI-DARAC-ORG-UK.service" and "journalctl -xe" for details.\n')
>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>> more information
>>> 
>>> See the upgrade log for more details and/or run
>>> /usr/sbin/ipa-server-upgrade again
>>> Aborting ipactl
>>> 
>>> Looking into the logs for dirsrv@, I see the following:
>>> 
>>> May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]:
>>> [29/May/2019:20:30:52.917492045 +0100] - ERR - dse_read_one_file - The
>>> entry cn=schema in file /usr/share/dirsrv/schema/00core.ldif (lineno: 1)
>>> is invalid, error code >
>>> May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]:
>>> [29/May/2019:20:30:52.989705116 +0100] - ERR - setup_internal_backends -
>>> Please edit the file to correct the reported problems and then restart
>>> the server.
>>> May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]:
>>> dirsrv@GHIBLI-DARAC-ORG-UK.service: Main process exited, code=exited,
>>> status=1/FAILURE
>>> May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]:
>>> dirsrv@GHIBLI-DARAC-ORG-UK.service: Failed with result 'exit-code'.
>>> May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]: Failed to start
>>> 389 Directory Server GHIBLI-DARAC-ORG-UK..
>>> 
>>> Now, in an attempt to fix this, I spun up a new VM, installed
>>> freeipa-server and then copied /usr/share/dirsrv/schema/*.ldif over, but
>>> that doesn't seem do have had any effect.
>>> 
>>> Can anyone assist in pointing me in a direction to fixing this?
>>> 
>>> 
>>> Many thanks!
>>> 

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
In what phase do you run the script? It should be one of the last scripts in 
the final phase for the install to work reliably. If it’s in preconfig or 
config phase it breaks 9 out of 10 times.

John

> On 29 May 2019, at 22:53, Boudjoudad Abdelkader wrote:
> 
> I'm using cloud-init with this script:
> locale-gen en_CA.utf8
> locale-gen en_US.utf8
> 
> HOSTNAME=$(hostname)
> IP=$(hostname -i | awk '{print $1}')
> echo "$HOSTNAME.example.com" > /etc/hostname
> FQDN="$HOSTNAME.example.com"
> echo "FQDN is: $FQDN"
> sed -i "1 i\
> $IP $FQDN $HOSTNAME" /etc/hosts
> apt-get -y update
> apt-get install -y nfs-kernel-server nfs-common
> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>   --domain example.com --no-ntp --unattended --principal admin \
>   --password 'Deep201' --realm EXAMPLE.COM --enable-dns-updates --force --force-join
> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
> 
> I will test with only --enable-dns-updates, principal and password
> The network is configured well because i can reach the nfs server.
> 
> 
> On Wed, May 29, 2019 at 4:44 PM John Keates wrote:
> What I meant was that you are already practically disabling it; you specify 
> the hostname, domain, server, realm on your command line but those should be 
> discoverable.
> Here is an enrollment jinja2 template I use:
> 
> ipa-client-install -U --enable-dns-updates 
> --principal={{freeipa.client.enroll.username}} 
> --password={{freeipa.client.enroll.password}}
> 
> It’s all that’s needed as long as your network has the correct setup. You’d 
> replace the principal and password with your own of course.
> It would probably look like:
> 
> ipa-client-install -U --enable-dns-updates --principal=admin 
> --password=Deep201qa
> 
> John
> 
>> On 29 May 2019, at 22:39, Boudjoudad Abdelkader wrote:
>> 
>> Hi John,
>> Thank you for the quick reply,
>> 
>> To disable autodiscovery the option is?
>> --autodiscovery=no
>> 
>> On Wed, May 29, 2019 at 4:18 PM John Keates wrote:
>> I don’t know what you are missing, but I do know that in theory your 
>> enrolment should work with just -U for unattended and the principal and 
>> password.
>> Unless you have a special environment that requires auto discovery to be 
>> disabled, I’d recommend using it.
>> 
>> I’m enrolling clients in three ways that all work this way, one using a 
>> Cloud-Init module, one using a SaltStack formula and one using a Lambda 
>> function that uses SSH to connect to a machine and run the enrolment 
>> remotely.
>> 
>> The text from your mount command seems to suggest a timeout issue, perhaps 
>> the network isn’t up or DNS is broken? I’m also seeing you using an IP, it’s 
>> usually a sign of an incomplete or improper network setup (but technically 
>> it should be fine)
>> 
>> John
>> 
>>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users wrote:
>>> 
>>> Hello,
>>> I'm trying to automate freeipa-client installation on Ubuntu with custom 
>>> script using MAAS as follows:
>>> HOSTNAME=$(hostname)
>>> IP=$(hostname -i | awk '{print $1}')
>>> echo "$HOSTNAME.example.com" > /etc/hostname
>>> FQDN="$HOSTNAME.example.com"
>>> echo "FQDN is: $FQDN"
>>> sed -i "1 i\
>>> $IP $FQDN $HOSTNAME" /etc/hosts
>>> apt-get -y update
>>> apt-get install -y nfs-kernel-server nfs-common
>>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>>   --domain example.com --no-ntp --unattended --principal admin \
>>>   --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
>>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>>> service sssd restart
>>> 
>>> After the deployment I can do kinit domain_user and ipa user-show without 
>>> any problem, but when I tried to mount an NFS in /etc/fstab with the 
>>> following options I get an error:
>>> The  mount in /etc/fstab:  nfs4 
>>> rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
>>>  0 0
>>> The error:
>>> mount -av
>>> /: ignored
>>> none : ignored
>>> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
>>> mount.nfs4: trying text-based options 
>>> 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
>>> 
>>> I tried to install  freeipa-client manually and the nfs mount works:
>>> ipa-client-install
>>> 
>>> 

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
What I meant was that you are already practically disabling it; you specify the 
hostname, domain, server, realm on your command line but those should be 
discoverable.
Here is an enrollment jinja2 template I use:

ipa-client-install -U --enable-dns-updates 
--principal={{freeipa.client.enroll.username}} 
--password={{freeipa.client.enroll.password}}

It’s all that’s needed as long as your network has the correct setup. You’d 
replace the principal and password with your own of course.
It would probably look like:

ipa-client-install -U --enable-dns-updates --principal=admin --password=Deep201qa

John

> On 29 May 2019, at 22:39, Boudjoudad Abdelkader wrote:
> 
> Hi John,
> Thank you for the quick reply,
> 
> To disable autodiscovery the option is?
> --autodiscovery=no
> 
> On Wed, May 29, 2019 at 4:18 PM John Keates wrote:
> I don’t know what you are missing, but I do know that in theory your 
> enrolment should work with just -U for unattended and the principal and 
> password.
> Unless you have a special environment that requires auto discovery to be 
> disabled, I’d recommend using it.
> 
> I’m enrolling clients in three ways that all work this way, one using a 
> Cloud-Init module, one using a SaltStack formula and one using a Lambda 
> function that uses SSH to connect to a machine and run the enrolment remotely.
> 
> The text from your mount command seems to suggest a timeout issue, perhaps 
> the network isn’t up or DNS is broken? I’m also seeing you using an IP, it’s 
> usually a sign of an incomplete or improper network setup (but technically it 
> should be fine)
> 
> John
> 
>> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users wrote:
>> 
>> Hello,
>> I'm trying to automate freeipa-client installation on Ubuntu with custom 
>> script using MAAS as follows:
>> HOSTNAME=$(hostname)
>> IP=$(hostname -i | awk '{print $1}')
>> echo "$HOSTNAME.example.com" > /etc/hostname
>> FQDN="$HOSTNAME.example.com"
>> echo "FQDN is: $FQDN"
>> sed -i "1 i\
>> $IP $FQDN $HOSTNAME" /etc/hosts
>> apt-get -y update
>> apt-get install -y nfs-kernel-server nfs-common
>> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
>> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>>   --domain example.com --no-ntp --unattended --principal admin \
>>   --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
>> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
>> service sssd restart
>> 
>> After the deployment I can do kinit domain_user and ipa user-show without 
>> any problem, but when I tried to mount an NFS in /etc/fstab with the 
>> following options I get an error:
>> The  mount in /etc/fstab:  nfs4 
>> rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
>>  0 0
>> The error:
>> mount -av
>> /: ignored
>> none : ignored
>> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
>> mount.nfs4: trying text-based options 
>> 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
>> 
>> I tried to install  freeipa-client manually and the nfs mount works:
>> ipa-client-install
>> 
>> What i'm missing?
>> 
>> Thanks,



[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
I don’t know what you are missing, but I do know that in theory your enrolment 
should work with just -U for unattended and the principal and password.
Unless you have a special environment that requires auto discovery to be 
disabled, I’d recommend using it.

I’m enrolling clients in three ways that all work this way, one using a 
Cloud-Init module, one using a SaltStack formula and one using a Lambda 
function that uses SSH to connect to a machine and run the enrolment remotely.

The text from your mount command seems to suggest a timeout issue, perhaps the 
network isn’t up or DNS is broken? I’m also seeing you using an IP, it’s 
usually a sign of an incomplete or improper network setup (but technically it 
should be fine)

John

> On 29 May 2019, at 22:10, Boudjoudad Abdelkader via FreeIPA-users wrote:
> 
> Hello,
> I'm trying to automate freeipa-client installation on Ubuntu with custom 
> script using MAAS as follows:
> HOSTNAME=$(hostname)
> IP=$(hostname -i | awk '{print $1}')
> echo "$HOSTNAME.example.com" > /etc/hostname
> FQDN="$HOSTNAME.example.com"
> echo "FQDN is: $FQDN"
> sed -i "1 i\
> $IP $FQDN $HOSTNAME" /etc/hosts
> apt-get -y update
> apt-get install -y nfs-kernel-server nfs-common
> DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
> ipa-client-install --hostname=$(hostname -f) --server=freeipa.example.com \
>   --domain example.com --no-ntp --unattended --principal admin \
>   --password 'Deep201qa' --realm EXAMPLE.COM --enable-dns-updates
> sed -i '/ticket_lifetime/a renew_lifetime = 28d' /etc/krb5.conf
> service sssd restart
> 
> After the deployment I can do kinit domain_user and ipa user-show without 
> any problem, but when I tried to mount an NFS in /etc/fstab with the following 
> options I get an error:
> The  mount in /etc/fstab:  nfs4 
> rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none
>  0 0
> The error:
> mount -av
> /: ignored
> none : ignored
> mount.nfs4: timeout set for Wed May 29 20:04:29 2019
> mount.nfs4: trying text-based options 
> 'vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,timeo=600,retrans=2,sec=krb5,local_lock=none,addr=172.16.2.11,clientaddr=IP_ADDR0ESS
> 
> I tried to install  freeipa-client manually and the nfs mount works:
> ipa-client-install
> 
> What i'm missing?
> 
> Thanks,



[Freeipa-users] Re: zabbix for monitoring FreeIPA server?

2019-05-27 Thread John Keates via FreeIPA-users
It’s not really doing anything more, except doing the status on all of the 
units with one command. If units were to be added/removed, the command would 
stay the same.
But I wouldn’t call this monitoring, it’s more like a health check, you get a 
binary (good/bad). Monitoring would expect metrics IMO, and even health checks 
you’d want to do on the WebUI, REST server, LDAP, KDC to see if they are 
responding in an expected way. 

The service can be up (according to systemd or ipactl) but still produce 
garbage.

John

> On 27 May 2019, at 10:25, Alex Corcoles via FreeIPA-users wrote:
> 
> The output of ipactl looks very similar to systemctl status. Is it doing much 
> more than that? I'm already monitoring systemd failed units so I wonder if 
> it's running checking ipactl.
> 
> On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users wrote:
> Hi Tony,
> 
> I'm monitoring using the following userparameter (basically run "ipactl 
> status" and grep out lines which are known good so only errors are returned):
> 
> UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v 
> "(INFO\: The ipactl command was successful$|: RUNNING$)"
> 
> ipactl needs root access so I have a file in /etc/sudoers.d/zabbix with these 
> lines to allow the zabbix user to sudo the ipactl status command only without 
> a password:
> 
> ## Allow zabix to query ipa status
> Defaults:zabbix !requiretty
> zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status
> 
> The final challenge I had was selinux which I had to create a custom rule for 
> (but most people seem to just disable selinux).
> 
> 
> Then just create a trigger to alert if the returned value contains any 
> characters. eg this matches on any char apart from whitespace:
> {Custom Template IPA Server:ipa.status.regexp([^\s],1200)}=1
> 
> If anyone else has a better way to do this I'd be interested to hear it.
> 
> Regards,
> Neal.
> 
> 
> 
> 
> From: Tony Brian Albers via FreeIPA-users
> Sent: 24 August 2018 10:50
> To: freeipa-users@lists.fedorahosted.org
> Cc: Tony Brian Albers
> Subject: [Freeipa-users] zabbix for monitoring FreeIPA server?
> 
> Hi guys,
> 
> Anyone got this working? 
> 
> And if so, how did you do it? 
> 
> I know I can monitor the components separately, but if you know of
> anything that can do it easier I'd be happy to know about it.
> 
> /tony
> -- 
> -- 
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
> 
> 
> -- 
>___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/ 
> 

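The filtering behind Neal's UserParameter, as an added example that is not code from the thread: a POSIX shell check that reads `ipactl status` output, reports every line that is not known-good, and also treats empty output (a broken sudoers rule or PATH) as a failure instead of as healthy, which the bare `grep -v` pipeline would not. The function names are mine and the sample outputs are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the thread. Same grep -v logic as the Zabbix
# UserParameter quoted above, wrapped in functions so it runs offline.
# In production the input would be: sudo /usr/sbin/ipactl status 2>&1

# Constructed sample outputs. The "<unit> Service: <STATE>" lines and the
# trailing INFO line follow the ipactl status format; the STOPPED unit and
# the ERROR text are made up for this example.
SAMPLE_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

SAMPLE_BAD='Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed: what the agent sees when ipactl itself fails to run.
SAMPLE_ERR='ipa: ERROR: constructed example error text'

# ipa_status_problems: stdin = ipactl status output. Prints every line that
# is not a known-good line. grep -v exits 1 when nothing is left, which is
# the healthy case, so that exit status is swallowed here.
ipa_status_problems() {
    grep -E -v '(INFO: The ipactl command was successful$|: RUNNING$)' || true
}

# ipa_failed_units: stdin = ipactl status output. Prints only the unit names
# of services that are not RUNNING, for a shorter alert text.
ipa_failed_units() {
    ipa_status_problems | sed -n 's/ Service: .*//p'
}

# ipa_status_check: stdin = ipactl status output. Returns 0 when healthy,
# 1 (printing the offending lines) otherwise. Empty input is a failure:
# the grep -v filter alone reports an empty ipactl output, for example
# from a sudoers rule that does not match, as "no problems".
ipa_status_check() {
    input=$(cat)
    if [ -z "$input" ]; then
        echo "no output from ipactl (sudo rule or PATH problem?)"
        return 1
    fi
    problems=$(printf '%s\n' "$input" | ipa_status_problems)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Stand-alone demo over the constructed samples (healthy, one unit down,
# ipactl error, and no output at all).
for s in "$SAMPLE_OK" "$SAMPLE_BAD" "$SAMPLE_ERR" ""; do
    if printf '%s\n' "$s" | ipa_status_check; then
        echo "-> healthy"
    else
        echo "-> alert"
    fi
done
```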

[Freeipa-users] Re: upgrade freeipa from version 4.1.4 to 4.6.4

2019-05-26 Thread John Keates via FreeIPA-users
Yes, that is possible.
The best and most-supported way is installing a second server (or VM) and 
running your desired version on that. Then join it to the domain, install all 
services (ca, domain, trust controller, kra etc.).
Then you can uninstall the ‘old’ server (after testing of course!). Make sure 
you know you have a copy of the root CA key, admin user creds, directory 
manager creds etc.

To be sure everything is working, you can also simply shutdown the old server, 
and then try to enroll a second ‘new’ server, if that one successfully joins, 
start the old server back up and do a normal uninstall so it deletes all 
replications and references so you don’t end up with a ghost server.

John

> On 26 May 2019, at 17:14, Fritjof Konkas via FreeIPA-users wrote:
> 
> I have an old version of freeipa server version 4.1.4 running on fedora 22.
> Is it possible to migrate the data from ditto to version 4.6.4 on another 
> server running centos 7?
> 
> /Fritjof


[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-26 Thread John Keates via FreeIPA-users
For this to work, yes you need to setup AD Trust, and for HBAC to access the 
Linux systems, you need ID View user overrides.
Once you have verified basic password or ssh key login (set key in user 
override!) works, GSSAPI should be an easy next step.
Keep in mind that if you were to kinit on a linux node to an AD domain, you 
need to be able to talk kerberos to the AD systems; if they are firewalled off, 
it doesn’t work.

John

> On 26 May 2019, at 14:42, lejeczek via FreeIPA-users wrote:
> 
> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>> lejeczek via FreeIPA-users wrote:
>>>>> hi guys,
>>>>> 
>>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>>>> 
>>>>> For me this does not work - ssh still asks for passwords.
>>>>> 
>>>>> If this is due to some failure/problem, then where to look and how to
>>>>> troubleshoot?
>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>> 
>>>> rob
>>> I made an assumption - which I see now was invalid - that some experts
>>> may know mentioned guide by heart and if I quoted something then the
>>> rest will be obvious - wrong, sorry.
>>> 
>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>> 
>>> My hope was to have AD's clients be able to ssh (and maybe get to other
>>> things like Samba) without password and with Kerberos.
>>> 
>>> I see IPA's users can do that between IPA's servers
>>> 
>>> ...
>>> 
>>> debug1: PAM: initializing for "tester1"
>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>> debug1: PAM: setting PAM_TTY to "ssh"
>>> debug1: userauth-request for user tester1 service ssh-connection method
>>> gssapi-with-mic [preauth]
>>> debug1: attempt 1 failures 0 [preauth]
>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>> [preauth]
>>> debug1: Got no client credentials
>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>>> /home/tester1/.k5login
>>> Authorized to tester1, krb5 principal tester1@private
>>> (ssh_gssapi_krb5_cmdok)
>>> debug1: do_pam_account: called
>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>> ...
>>> 
>>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>>> user then I do not see above in the logs and such ssh (Win10 own feature)
>>> is asked for password.
>>> 
>>> To sum up: AD's users off/from Win AD win-stations to IPA's
>>> members/clients with Kerberos if possible. (trust is already established
>>> and running)
>> Hi,
>> 
>> having a trust is the first requirement. Second is an ssh client on the
>> Windows side which can do GSSAPI authentication (recent version of putty
>> can) and has GSSAPI authentication enabled (iirc this is not the default
>> for putty, so you have to switch it on manually). Next is that you have
>> to use the fully-qualified DNS name of the IPA client you want to login
>> to. If all this is set and authentication still falls back to ask for a
>> password please check with the klist command on the Windows client in
>> command.exe or the Powershell if you already got a service ticket for
>> the IPA client. If this is missing please check if there is a
>> cross-realm ticket, it has a principal starting with 'krbtgt/' followed
>> by the IPA realm, an '@' sign and the AD realm. If this is missing as
>> well the issue is on the AD side and the client either does not try
>> GSSAPI at all or it does not get a cross-realm ticket from the local DC.
>> 
>> HTH
>> 
>> bye,
>> Sumit
> 
> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> (a member of win2016 AD domain).
> 
> klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
> there I see a mention of IPA domain.
> 
> That is after a one-way trust was established from IPA's side,
> successfully. DNS seems to work, users seem to work.
> 
> My setup IPA is subdomain of AD.
> 
> Win10Pro is 1903 with openssh-client installed as/from optional feature.
> I think it does support gssapi.
> 
> After a trust is established - do we need to create groups & mappings
> for AD users for ssh/samba to work? Guide docs I saw I understand then
> these are only required when one needs HBAC, correct?
> 
> How to start troubleshooting?
> 
> many thanks, L.
> 
>>> many thanks, L.
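Sumit's klist checks above, as an added example that is not code from the FreeIPA project or from anyone in the thread: it parses a Windows-style klist ticket list and reports which of his three cases applies (service ticket for the IPA host present, only the cross-realm krbtgt present, or neither). The realm and host names are assumed placeholders and the klist samples are constructed.

```python
import re

# Assumed placeholder names for this example (not from the thread).
AD_REALM = "AD.EXAMPLE.COM"           # realm of the Windows client
IPA_REALM = "IPA.EXAMPLE.COM"         # trusted IPA realm
IPA_HOST = "client1.ipa.example.com"  # FQDN of the IPA client being ssh'd into

# Windows klist prints "Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM";
# MIT klist prints the same principal without the spaces. Accept both.
_SERVER_RE = re.compile(r"^\s*Server:\s*(\S+?)\s*@\s*(\S+)\s*$", re.MULTILINE)


def parse_ticket_servers(klist_output):
    """Return [(service_principal, realm), ...] for every cached ticket."""
    return [(m.group(1), m.group(2)) for m in _SERVER_RE.finditer(klist_output)]


def diagnose(klist_output, ipa_host=IPA_HOST, ipa_realm=IPA_REALM, ad_realm=AD_REALM):
    """Map the ticket cache onto the three cases in Sumit's reply."""
    servers = [(p.lower(), r.upper()) for p, r in parse_ticket_servers(klist_output)]
    # The service ticket must be for host/<FQDN>; a short name will not match.
    have_service = ("host/" + ipa_host.lower(), ipa_realm.upper()) in servers
    have_cross_realm = ("krbtgt/" + ipa_realm.lower(), ad_realm.upper()) in servers
    if have_service:
        # Kerberos across the trust works end to end; if ssh still asks for a
        # password, look at the ssh client's GSSAPI setting or at sshd on the host.
        return "service-ticket"
    if have_cross_realm:
        # The AD DC issued the cross-realm referral, but the IPA KDC never issued
        # a host ticket: check the name used (must be the FQDN) and the IPA side.
        return "cross-realm-only"
    # No krbtgt/IPA.REALM@AD.REALM at all: the client is not trying GSSAPI or the
    # local DC does not hand out a cross-realm ticket (AD side / trust problem).
    return "no-cross-realm"


# Constructed samples shaped like Windows 'klist' output (not real captures).
_HEADER = "Current LogonId is 0:0x3e7\n\nCached Tickets: (N)\n\n"
_AD_TICKETS = (
    "#0>     Client: tester1 @ AD.EXAMPLE.COM\n"
    "        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM\n"
    "        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96\n\n"
    "#1>     Client: tester1 @ AD.EXAMPLE.COM\n"
    "        Server: ldap/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM\n"
    "        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96\n\n"
)
_CROSS_REALM_TICKET = (
    "#2>     Client: tester1 @ AD.EXAMPLE.COM\n"
    "        Server: krbtgt/IPA.EXAMPLE.COM @ AD.EXAMPLE.COM\n\n"
)
_SERVICE_TICKET = (
    "#3>     Client: tester1 @ AD.EXAMPLE.COM\n"
    "        Server: host/client1.ipa.example.com @ IPA.EXAMPLE.COM\n\n"
)
KLIST_AD_ONLY = _HEADER + _AD_TICKETS          # only krbtgt and LDAP for the AD realm
KLIST_CROSS_REALM = KLIST_AD_ONLY + _CROSS_REALM_TICKET
KLIST_SERVICE = KLIST_CROSS_REALM + _SERVICE_TICKET

if __name__ == "__main__":
    for name, cache in (("ad-only", KLIST_AD_ONLY),
                        ("cross-realm", KLIST_CROSS_REALM),
                        ("service", KLIST_SERVICE)):
        print(f"{name}: {diagnose(cache)}")
```

Paste the real klist output into `diagnose()` in place of the constructed samples; the "ad-only" sample mirrors the two-ticket cache lejeczek describes.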

[Freeipa-users] Re: sudo rule does not work for domain user

2019-05-24 Thread John Keates via FreeIPA-users
Turn up the dial on debug logging on SSSD to find out more.

John

> On 24 May 2019, at 13:00, Rob Verduijn via FreeIPA-users 
>  wrote:
> 
> Hello,
> 
> I'm trying to figure out why an ad-domain user cannot use sudo.
> 
> When I test with 
> 
> ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i
> 
> It says access granted: True
> 
> however if I issue the command 'sudo -l -U ansible' on the ipa01 host it 
> says: User ansi...@windows.example.com is not allowed to run sudo on ipa01
> 
> It works for an ipa user using the same sudo rule.
> id ansible works as well on the ipa01 host:
> uid=1958801104(ansi...@windows.example.com) gid=1958801104(ansi...@windows.example.com) groups=1958801104(ansi...@windows.example.com),1958800512(domain adm...@windows.example.com),1958800513(domain us...@windows.example.com)
> 
> the user ansible can login to the ipa01 host but cannot issue sudo -i.
> 
> What am I missing?
> 
> Rob Verduijn


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
You don’t need to set up a DNS server or Route 53 Zone, you can use the 
route53resolver. It allows a conditional forwarder for any domain you wish and 
you can point it straight at an IPA DNS server.
It’s built into AWS: 
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-started.html 
+ https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html 
(Announcement: 
https://aws.amazon.com/blogs/aws/new-amazon-route-53-resolver-for-hybrid-clouds/ 
) and works great with IPA and even MS AD.

John

> On 23 May 2019, at 18:53, Stepan Vardanyan via FreeIPA-users 
>  wrote:
> 
> After a lot of replies I see that using VPN tunnels to reach servers is the 
> best option.
> 
> But, there is a DNS issue also. 
> I see two options with private zone (both are unwanted for us):
> - set up DNS forwarding to our private DNS server in each AWS account (using 
> bind9 for example);
> - create in Route53 zone with exact same domain name and populate it with 
> actual SRV records (this one is pretty ugly).
> So, what about using public DNS domain in FreeIPA (say ipa.example.com)?


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s mostly for general redundancy and speed. Speed is both for load 
balancing and querying local servers first.
Say you don’t talk to IPA often and your cross-continental latency isn’t an 
issue, then running 1 server in Iceland would fit.

For us, the redundancy part is relatively important because our sites and DCs 
have to be able to run independently. We don’t want an issue in one DC or AWS 
account to affect another.
This way, we could have 9 out of 10 systems fail and still have a fast and 
reliable system. So far we had some cross connects fail, some undersea fibers 
broken and a few key expiration issues cause inter-DC connectivity issues, but 
it never caused any service interruption. Total cost of running multiple 
instances is negligible as long as you have a reasonable amount of automation 
in place, or as we could say: cattle, not pets.

John

> On 23 May 2019, at 09:11, Angus Clarke via FreeIPA-users 
>  wrote:
> 
> Hello
> 
> Best practises say to deploy 2 - 3 IPA servers per site (Deployment 
> Recommendations) however I've never really understood why. We run 2 IPA 
> servers in each of our primary DCs and then connect our smaller remote sites 
> to those IPA servers over IPSEC VPNs. For example, IPA clients in a small 
> site in Italy connect to an IPA server in London and an IPA server in Paris 
> (I haven't yet looked at service discovery.)
> 
> Regards
> Angus
> 
> 
>> On 22 May 2019 at 22:46 Alex Corcoles via FreeIPA-users 
>>  wrote:
>> 
>> 
>> Well, in that scenario site-to-site VPNs should not be too terrible (AWS 
>> provides one, for instance).
>> 
>> I think that certainly having a default install which is "safe" to 
>> expose to the Internet would be a very nice feature. However, I realize 
>> that has its cost and maybe its drawbacks, so of course I'm not sure if 
>> it's the best use of development time for the project.
>> 
>> I can say that it would be one of the top items in my features wishlist 
>> for FreeIPA*, but then again I'm neither a typical, nor paying, nor 
>> particularly smart customer, so I'm just talking here and I don't think 
>> I should be listened to much. I think VPNs also have a cost, so not having 
>> to set them up and maintain them is a huge plus in my book.
>> 
>> Cheers,
>> 
>> Álex
>> 
>> * the other two would be very low effort monitoring (e.g. a built-in 
>> health check URL or command line tool included in the default install) 
>> and low effort full backup/restore + recovery.
>> 
>> On 5/22/19 6:42 PM, Stepan Vardanyan via FreeIPA-users wrote:
>>> See this image to have basic understanding of our infrastructure - 
>>> https://imgur.com/a/R5c8BWW


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s not too bad.

We have a similar setup somewhere, about 39 AWS accounts, some with multiple 
VPCs, three physical locations, one with two separate DCs (the others have one).
For AWS we simply add PCXes where possible with sg source rules, makes it 
pretty secure. For other accounts we run OpenVPN or IPSec site-to-site.
The physical DCs have DirectConnect fiber attachments straight to AWS 
(expensive!) but also fallback IPSec tunnels (relatively cheap).

It’s all automated as well; we build IPA AMIs to auto-deploy IPA everywhere, 
and where we can’t deploy we run OpenVPN AMIs and when we can’t even do that we 
run IPSec.
Those deployments are done using Terraform and Ansible; this means that adding 
a new connection or account or client simply means adding two lines to a YAML 
file and deploying the change.

Doing all of this manually is also possible, but at that point you might ask 
yourself if looking for a better job/employer is less painful ;-)

John

> On 22 May 2019, at 18:42, Stepan Vardanyan via FreeIPA-users 
>  wrote:
> 
> See this image to have basic understanding of our infrastructure - 
> https://imgur.com/a/R5c8BWW


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-22 Thread John Keates via FreeIPA-users
I’d think that if you can remote-enrol hosts as IPA clients, it would be real 
easy to also enrol them as VPN clients first. Heck, even Wireguard would be 
good enough, even without a full audit.
You’d just add a single route to the route table for that VPN to the IPA server 
and you’re good to go.

> On 22 May 2019, at 18:05, Stepan Vardanyan via FreeIPA-users 
>  wrote:
> 
> But Directory Server is just plain LDAP, without policies (hbac, sudo), isn't 
> it?
> Policies are the reason why we moved from OpenLDAP.


[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-20 Thread John Keates via FreeIPA-users
I would never run FreeIPA over the public internet, bad idea. It’s not as bad 
as running AD over the internet, but it’s getting pretty close.

Run servers in all zones/regions and have those servers talk to each other 
(tunnels).
Stuff inside a zone will do a discovery and find the servers that work, which 
would be the local servers as the rest isn’t reachable.

Regarding DNS: would not do external servers, just use the internal DNS and add 
conditional forwarders or subzone delegation. (either way, IPA-to-Zone or 
Zone-to-IPA, as long as it can resolve)
Problem with ’special’ setups like what you’re describing is that it’s harder 
to support, upgrade, troubleshoot etc. It also usually means the infrastructure 
isn’t designed correctly.

John

> On 20 May 2019, at 20:11, Stepan Vardanyan via FreeIPA-users 
>  wrote:
> 
> Hello,
> 
> I've proposed to migrate from OpenLDAP to FreeIPA solution in my organization 
> because the former did not meet our requirements as we are moving to Single Sign 
> On. We migrated to FreeIPA but set it up with an internal DNS name. This was a 
> dumb decision as we have a lot of external hosts in AWS and other datacenters 
> which we want to join to our FreeIPA for authentication with one credential 
> and utilize policies (HBAC, sudoers) easily and centrally.
> 
> We found that there are two solutions: 
> - set up tunnels between AWS and datacenters for making our DNS zone and 
> FreeIPA servers available;
> - redeploy whole FreeIPA with an external DNS name and expose FreeIPA servers to 
> the Internet.
> We ended up with the second option because the first one is very complex, but the 
> second option makes us think about security.
> What came to mind is:
> - disable anonymous bind;
> - prohibit unencrypted traffic and improve communications security by using 
> options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, 
> sslVersionMin=TLS1.1.
> 
> So, there are several questions:
> 1) Is there anything else from a security perspective that we should care about, 
> configure properly (Kerberos DC for example)?
> 2) We want to share with users only one Web service from a specific replica so 
> users will not cause replication conflicts by modifying entries in other 
> replicas. Is it ok if we close web ports (80, 443) only to localhost on other 
> replicas and leave all other ports on all replicas opened to the internet 
> (389,636,88,464)?
> 3) How secure and strong is the default SASL/GSSAPI replication mechanism? I've 
> noticed that traffic is encrypted but can be decrypted by using the servers' 
> kerberos keytab.
> 4) Overall, even with all previous concerns taken into account, is it 
> proper to open FreeIPA to the internet? This is kind of a rhetorical question as we 
> see that this is the only choice for us but we just want to hear some advice, 
> expert vision.
> 
> P.S. We don't utilize FreeIPA internal DNS service. DNS is configured on 
> external hosts
> 
> Thanks in advance.
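Stepan's hardening list above (anonymous bind, nsslapd-minssf, nsslapd-require-secure-binds, sslVersionMin), turned into a check over an LDIF export of cn=config, as an added example that is not FreeIPA's code or anyone's from the thread. The LDIF is constructed, and the TLS1.2 floor is my own threshold rather than the thread's: TLS 1.1 is deprecated by RFC 8996, so the proposed TLS1.1 value is flagged.

```python
# Ordered so that a minimum protocol version can be compared by index.
TLS_ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


def parse_ldif(text):
    """Minimal LDIF parser: {dn_lower: {attr_lower: [values]}}.
    Handles folded lines (leading space) and comments; base64 (::) values
    are not decoded because none of the audited attributes use them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value.lower()
        else:
            current.setdefault(attr, []).append(value)
    return entries


def first(entries, dn, attr, default=None):
    """First value of attr on dn, or default when the entry/attribute is absent."""
    vals = entries.get(dn.lower(), {}).get(attr.lower())
    return vals[0] if vals else default


def audit(ldif_text, min_ssf=128, min_tls="TLS1.2"):
    """Return a list of findings; an empty list means every check passed.
    Defaults used when an attribute is absent are the 389-ds defaults
    (anonymous access on, no SSF floor, secure binds not required)."""
    e = parse_ldif(ldif_text)
    findings = []
    # "off" and "rootdse" both stop anonymous searches of the directory.
    anon = first(e, "cn=config", "nsslapd-allow-anonymous-access", "on")
    if anon.lower() == "on":
        findings.append("anonymous bind allowed (nsslapd-allow-anonymous-access=on)")
    ssf = int(first(e, "cn=config", "nsslapd-minssf", "0"))
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf={ssf} below {min_ssf}")
    if first(e, "cn=config", "nsslapd-require-secure-binds", "off").lower() != "on":
        findings.append("nsslapd-require-secure-binds is not on")
    tls = first(e, "cn=encryption,cn=config", "sslVersionMin", "TLS1.0")
    if tls not in TLS_ORDER or TLS_ORDER.index(tls) < TLS_ORDER.index(min_tls):
        findings.append(f"sslVersionMin={tls} below {min_tls}")
    return findings


# Constructed LDIF carrying exactly the values proposed in the thread.
PROPOSED = """dn: cn=config
cn: config
nsslapd-allow-anonymous-access: off
nsslapd-minssf: 128
nsslapd-require-secure-binds: on

dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.1
"""
# Same export with the TLS floor raised.
HARDENED = PROPOSED.replace("sslVersionMin: TLS1.1", "sslVersionMin: TLS1.2")

if __name__ == "__main__":
    for label, ldif in (("proposed", PROPOSED), ("hardened", HARDENED)):
        print(label, audit(ldif) or "OK")
```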


[Freeipa-users] Re: FreeIPA and AD

2019-03-07 Thread John Keates via FreeIPA-users
The documentation on this is pretty good. Basically, you can ’trust’ AD from 
FreeIPA, which means the users from AD can be used in IPA. Groups too. 
Passwords must be set and reset in AD, but everything you need for Linux (SSH 
keys, host rules etc) can be done in IPA.

https://www.freeipa.org/page/Active_Directory_trust_setup

> On 7 Mar 2019, at 18:34, Kristian Petersen via FreeIPA-users 
>  wrote:
> 
> Hello,
> 
> Where I work we are a small shop.  We are currently using just FreeIPA for 
> authentication and DNS and other Linux management stuff that it does for us.  
> We have enough Windows workstations now that it would be really nice to be 
> able to manage those like we can our Linux stuff.  From what I have read thus 
> far, it seems that if you use FreeIPA with AD, AD is the primary user store 
> and FreeIPA kind of takes a back seat.  I am looking for some help in better 
> understanding the implications of using FreeIPA along with AD.  Is there 
> someone who could help me unravel this a bit or point me at some good 
> resources?
> 
> -- 
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Your specific issue might not be because of the .local TLD, but .local is a 
special ‘reserved’ name for multicast DNS. You can use any other (including 
fake) TLD that is not registered.
There are some other TLDs that are ’special’, like the one used for reverse-IP 
records in APIPA. Best to avoid such things as not all network software takes 
care of those special names the way they should.

Some hosts might treat .local special and ignore DNS servers or DNS query 
responses that are not from mDNS. Some hosts might first query DNS and then 
mDNS, some might do it the other way around. Some systems disable mDNS or 
.local mDNS if a static .local zone is detected which breaks Bonjour and 
ZeroConf in most configurations.

In my experience, mixing mDNS and DNS by introducing a .local is just going to 
create more problems.

I would suggest registering a DNS name but not using it externally, just 
internally. For example, you could take something like my-internal-domain.net 
but simply not host anything externally and 
remove all records, maybe even disable name servers. There probably are better 
conventions for this, but using a ‘real’ (but dead to the outside) domain has served 
me well.

Multiple subdomains shouldn’t be a problem, but there probably are limits to 
the depth of subzones. For my setups, I usually don’t go deeper than 2 levels, 
i.e. sub1.sub0.ipa.net.
I do tend to make dedicated subzones with NS delegations when I go deeper than 
1 level, but in theory, if you only have 1 sublevel, you can leave it as-is and 
IPA will register your hosts with a dot in the name in the record effectively 
creating a virtual subzone. There is nothing bad about that, but depending on 
the management functionality you are trying to create your needs may call for 
a different setup.

One of the important parts of domain naming isn’t as much about IPA’s idea on 
domains, but very much depends on how kerberos likes names.
So if you can’t provide a strong enough guideline in the IPA community or 
documentation, try the ones for Kerberos (which IPA uses): 
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html 
The same 
can be (partially) said about Microsoft’s AD naming suggestions, as their system 
also depends on correct naming, uses Kerberos and uses SRV records to find the 
correct servers for services: 
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

One of the quotes from the above sources:

> In the past, lots of people chose to use a dummy, unofficial TLD 
> (top-level-domain) for their internal network, like domain.lan, domain.local 
> or domain.internal (and also domain.internalhost)
> 
> But this can get you in serious trouble. Because these names are not 
> supported by internet standards, the most important RFC on this is: RFC 2606 
> (http://tools.ietf.org/html/rfc2606) This RFC standard is very explicit on 
> choosing domain names for private testing and documentation
> 


Other sources condense the suggestions into:

> Option 1: Use a valid TLD (Top Level Domain, also known as routable domain) 
> registered to your company. Some examples of this are company.ca or 
> company.com;
> Option 2: Use a subdomain of a valid TLD that is registered to your company
> Option 3: Use non-TLD name (or non-routable domain). (But not an RFC reserved 
> name!)

John

> On 3 Mar 2019, at 19:08, Vivek Aggarwal via FreeIPA-users 
>  wrote:
> 
> Thanks John,
> 
> It would be nice if you can elaborate a bit more & share your advice on:-
> 
> i) What's wrong in the current hostname convention as still I don't have a clear 
> understanding what is that which is causing a problem in the current setup? 
> .. any links/thoughts which can explain this will be of great help. 
> 
> ii) Is ".local" a problem or can I use any other TLD like ".int"?
> 
> iii) Thirdly what is the recommendation for naming Hostname FQDN, should it 
> not have multiple sub domains?
> 
> Please bear with my questions in case these look a bit naive. Thanks a lot for 
> sparing time in answering my concerns.

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
In that case I don’t know how to help (but someone else might). As per 
https://tools.ietf.org/html/rfc6762 .local isn’t supposed to be used the way 
you are using it at this time, and it will conflict with pretty much any 
standard system. I don’t know how to patch/override that without breaking a 
whole lot of other systems.


> On 3 Mar 2019, at 17:43, Vivek Aggarwal via FreeIPA-users 
>  wrote:
> 
> Yes, it's inheritance & it was done on purpose to generate TLS certificates as 
> per hostnames.
> 
> Hence kindly suggest how to configure IPA to accommodate this mDNS’s TLD. 


[Freeipa-users] Re: IPAM that integrates well with FreeIPA

2019-03-03 Thread John Keates via FreeIPA-users
I used to look for the same thing, but it didn’t make sense in the end: IPA 
isn’t authoritative on what IP addresses are used, and why. That is what 
infrastructure configuration management is for, i.e. your DHCP servers and 
tooling used for static configuration (like Salt and Ansible).

John

> On 3 Mar 2019, at 16:53, TomK via FreeIPA-users 
>  wrote:
> 
> Hey Guys,
> 
> I'm looking for an IPAM (IP Address Management) tool that will integrate with 
> FreeIPA to provide:
> 
> 1) IP Management
> 2) Provides DHCP
> 3) *Integrates well with FreeIPA*
> 
> Many of the tools I saw provide conflicting capabilities.  Would be great if 
> the IPAM tool checked FreeIPA to see if the IP is already used.
> 
> Has anyone come across such a tool and tried it with FreeIPA?
> 
> -- 
> Cheers,
> Tom K.
> -
> 
> Living on earth is expensive, but it includes a free trip around the sun.


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Did you select mDNS’s TLD .local on purpose? Or was this an inheritance?


> On 3 Mar 2019, at 14:49, Vivek Aggarwal via FreeIPA-users 
>  wrote:
> 
> Our current implementation has multiple dots (.) in the hostname, 
> details mentioned below & we're using the below settings while configuring the 
> IPA/Redhat IDM server with integrated DNS.
> 
> Hostname : testing-infra-01-dal1.testing.stg.avtar.local
> realm_name: avtar.local
> domain_name: avtar.local
> 
> Once the setup completes, we're getting the below error. We're suspecting it's 
> related to multiple dots in the hostname. 
> Considering the fact we cannot rename these hostnames, please suggest how to 
> resolve it. Is there a possibility to resolve it or do we have to 
> install/configure BIND DNS separately? 
> 
> Does this error really prevent us from registering other machines within our 
> environment having a similar multi-dot pattern in hostnames?
> 
> ipapython.dnsutil: DEBUG    The DNS query name does not exist: 
> testing-infra-01-dal1.testing.stg.avtar.local.
> ipaserver.dns_data_management: ERROR    unable to resolve host name 
> testing-infra-01-dal1.testing.stg.avtar.local. to IP address, ipa-ca DNS 
> record will be incomplete
> 


[Freeipa-users] Re: Issues with AD user ssh

2019-02-11 Thread John Keates via FreeIPA-users
I think the issue is outlined in the PAC error you got.

> On 11 Feb 2019, at 16:51, D via FreeIPA-users 
>  wrote:
> 
> sss_send_pac failed, group membership for user with principal [<username>@AD.DOMAIN.COM] might not be correct.

It seems to indicate that the PAC in the ticket doesn’t match with the 
User+Group membership combo that was expected.

John


[Freeipa-users] Re: SSO

2019-01-19 Thread John Keates via FreeIPA-users
I’m using Keycloak and it works fine with FreeIPA. Ipsilon was not mature 
enough for our use case (which is fine, not everything fits everywhere) but it 
is much simpler in comparison to Keycloak.
As big as it looks, it’s not that much of a beast to deploy and configure; you 
basically have the same style as IPA: use what you need, leave the rest alone 
(as long as it is secure by default).
Most people find the terminology hard to grasp, but once you got that figured 
out it’s pretty simple. This terminology in the authentication, authorization 
and auditing space is universal across most products and systems, so getting to 
know what’s what is very useful.

John

> On 19 Jan 2019, at 07:23, Brian Topping via FreeIPA-users 
>  wrote:
> 
>> On Jan 18, 2019, at 9:18 PM, Николай Савельев via FreeIPA-users 
>>  wrote:
>> 
>> I'm planning to use SSO with FreeIPA and am choosing a provider between 
>> ipsilon-project and Keycloak.
>> I tried Ipsilon about a year ago; there were some bugs. And I see that the project 
>> has almost died. Just 2 commits during the year.
> 
> 
> This same project has been on my to-do list. I’d love to collaborate, I do 
> need to start on this soon.
> 
> What I’d like to do is integrate it as part of an overall deployment within 
> Kubernetes. The goal eventually would be to manage the entire installation as 
> a Helm install. There are other options using CRDs and so-called “operators”, 
> but just getting a reliable install of everything with Helm would be a great 
> first start.
> 
> If it were interesting (for anyone, really), I have a set of scripts that I 
> have been using in preproduction for running FreeIPA. These are loosely 
> based on the work Jan Pazdziora did for straight Docker, but none of it 
> would have been possible without his tireless work on the Docker image. I 
> also have a VPN that seems to be running, but there’s a lot of 
> parameterization necessary for that and I think it would be a lot more 
> appropriate to set up that VPN with operators.
> 
> 


[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-16 Thread John Keates via FreeIPA-users
There is no enumeration support, but if you want to figure out if your 
connection works, try getent on a group or user (or using id on a group or 
user). If those don’t work the AD Trust might not be working correctly.
I start the trusts on the IPA side and use Domain Admin creds (and not a secret 
or token), that always works for me.

If the trust works but something else is wrong, you can check if the trusts are 
listed and domains can be fetched from the trust. If you don’t even have those, 
the trust doesn’t work at all. If you do have those, it’s a different problem.

Does the trust show on the DC in the trust settings?

Regards,
John

> On 16 Jan 2019, at 19:19, lejeczek via FreeIPA-users 
>  wrote:
> 
> hi guys
> 
> After a longer break from Windowze, I had a Win2012 trust okay in the past, now 
> I'm fiddling with Win2016 and have this question:
> 
> After a trust (one-way, coming from AD) is established okay, should AD's users be 
> immediately available to/in IPA?
> 
> Usual things such as id, ipa user-show do find those users. I cannot remember 
> how it was with my Win2012.
> 
> many thanks, L.


[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-11-30 Thread John Keates via FreeIPA-users
We are using FreeIPA Debian clients, been using snapshots or sid packages for 
that since it is very nicely constrained wrt dependencies.
Using our IoC/configuration management/orchestration tooling we simply push a 
number of packages to the clients and install them and their in-repo 
dependencies.

From an older log (few years old?) we seem to mostly push:


freeipa-client_4.4.4-3_amd64.deb
freeipa-common_4.4.4-3_all.deb
libipa-hbac0_1.15.2-1_amd64.deb
libsss-idmap0_1.15.2-1_amd64.deb
python-ipaclient_4.4.4-3_all.deb
python-ipalib_4.4.4-3_all.deb
python-libipa-hbac_1.15.2-1_amd64.deb
python-sss_1.15.2-1_amd64.deb
sssd-ad-common_1.15.2-1_amd64.deb
sssd-ad_1.15.2-1_amd64.deb
sssd-common_1.15.2-1_amd64.deb
sssd-ipa_1.15.2-1_amd64.deb
sssd-krb5-common_1.15.2-1_amd64.deb
sssd-krb5_1.15.2-1_amd64.deb
sssd-ldap_1.15.2-1_amd64.deb
sssd-proxy_1.15.2-1_amd64.deb
sssd_1.15.2-1_amd64.deb

and then auto upgrade from then on.

We have the luxury of running most systems immutable (changes in RAM) or 
re-spin the VMs (and thus deregister/re-enroll) them constantly via CI/CD,
so that mitigates a small amount of security issues with this method as there 
is no persistence on the machines.

We enroll automatically and remove hosts via the API that are no longer in our 
VM inventory.

A newer/more secure setup should be feasible using recent packages etc. but I 
haven’t had this as my main track in Ops projects for a few months.
As far as I know, we have had zero incidents and it’s been running stable for 
years, including upgrades and replacing masters with newer versions.

John

> On 30 Nov 2018, at 17:28, Johan Vermeulen via FreeIPA-users 
>  wrote:
> 
> Hello All,
> 
> first of all, we have great success running FreeIPA and FreeIPA clients on 
> CentOS.
> Thanks for making this possible! I think this is a really important piece of 
> software for Linux.
> 
> Now it would come in handy if I could field some Debian clients for some 
> purposes.
> But on the current stable release there is no freeipa client.
> I have installed some freeipa-clients from unstable, but it's not ideal.
> 
> I'm wondering, is anyone doing this at the moment?
> Is there some repo for this?
> Can this be compiled from source?
> 
> Thanks for any help.
> 
> Greetings, J.


[Freeipa-users] Re: Replica install on RPI3

2018-11-03 Thread John Keates via FreeIPA-users
My suggestion would be: don’t run it on a Pi, it’s not fast enough. But you 
came to that conclusion already, so I guess the next issue would be: where does 
it fail?
I’m assuming the rpm install works out but ipa-server-install doesn’t? Or does 
that work but does the starting of all the components time out?

If it’s just the installation that’s failing, you can get around that by 
running the install in an emulated ARM machine first, and then copying the 
filesystem over to the Pi.

John

> On 3 Nov 2018, at 15:53, Winfried de Heiden via FreeIPA-users 
>  wrote:
> 
> Hi all,
> 
> Just because we can and a Raspberry Pi 3 is cheap, I'm trying to install a 
> FreeIPA replica on Fedora 29 ARM. It looks like the Raspberry is a bit too 
> slow for the default installation settings:
> 
> 018-11-03T12:27:12Z DEBUG stderr=WARNING: Password was garbage collected 
> before it was cleared.
> password file contains no data
> pkispawn: ERROR... server did not start after 60s
> pkispawn: ERROR... server failed to restart
> 
> 2018-11-03T12:27:12Z CRITICAL Failed to configure CA instance: 
> CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', 
> '/tmp/tmpv2y32e9l'] returned non-zero exit status 1: 'WARNING: Password was 
> garbage collected before it was cleared.\npassword file contains no 
> data\npkispawn: ERROR... server did not start after 
> 60s\npkispawn: ERROR... server failed to restart\n')
> 2018-11-03T12:27:12Z CRITICAL See the installation logs and the following 
> files/directories for more information:
> 2018-11-03T12:27:12Z CRITICAL   /var/log/pki/pki-tomcat
> 2018-11-03T12:27:12Z DEBUG Traceback (most recent call last):
>   File 
> "/usr/lib/python3.7/site-packages/ipaserver/install/dogtaginstance.py", line 
> 164, in spawn_instance
> ipautil.run(args, nolog=nolog_list)
>   File "/usr/lib/python3.7/site-packages/ipapython/ipautil.py", line 573, in 
> run
> p.returncode, arg_string, output_log, error_log
> ipapython.ipautil.CalledProcessError: CalledProcessError(Command 
> ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv2y32e9l'] returned 
> non-zero exit status 1: 'WARNING: Password was garbage collected before it 
> was cleared.\npassword file contains no data\npkispawn: ERROR
> ... server did not start after 60s\npkispawn: ERROR... 
> server failed to restart\n')
> 
> I did change the "startup_timeout" in 
> /usr/lib/python3.7/site-packages/ipalib/constants.py and 
> /etc/ipa/default.conf but it doesn't seem to be enough.
> 
> Any suggestion?
> 
> Winfried


[Freeipa-users] Re: No httpd service listening on TCP4

2018-11-02 Thread John Keates via FreeIPA-users
That is normal, they are actually listening on both IPv4 and IPv6. The netstat 
output shows it as :::80 :::*. Listening on both protocol versions makes it 
show up as IPv6. You do not get two separate entries.
You could try to start netcat in listen mode on port 80 and you’ll find that it 
errors out because the port is in use.

Regarding the post-setup network access in general: you’ll need to fix your 
firewall to allow access; by default it is blocked. See firewall-cmd for more 
info (IIRC).

John

> On 3 Nov 2018, at 02:34, 74cmonty via FreeIPA-users 
>  wrote:
> 
> Hi,
> I just completed installation with Fedora 29 in KVM.
> The installation finished w/o errors.
> Setup complete
> 
> Next steps:
>1. You must make sure these network ports are open:
>TCP Ports:
>  * 80, 443: HTTP/HTTPS
>  * 389, 636: LDAP/LDAPS
>  * 88, 464: kerberos
>  * 53: bind
>UDP Ports:
>  * 88, 464: kerberos
>  * 53: bind
>  * 123: ntp
> 
> Checking the open ports I cannot identify any TCP4 port 80,443.
> [root@ipa ~]# netstat -tulpen | egrep "80|443"
> tcp6   0  0 127.0.0.1:8005  :::*    LISTEN  17  56422  3678/java
> tcp6   0  0 127.0.0.1:8009  :::*    LISTEN  17  53206  3678/java
> tcp6   0  0 :::80           :::*    LISTEN  0   60216  4570/httpd
> tcp6   0  0 :::8080         :::*    LISTEN  17  53200  3678/java
> tcp6   0  0 :::443          :::*    LISTEN  0   60224  4570/httpd
> tcp6   0  0 :::8443         :::*    LISTEN  17  53204  3678/java
> 
> Ports 80,443 are listening on TCP6 only.
> 
> How does this happen?
> 
> THX
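An added example (not from the thread) that reproduces John's explanation with sockets on the loopback interface: a listener bound to `::` with IPV6_V6ONLY off accepts an IPv4 client and blocks a separate IPv4 bind on the same port (the netcat test he suggests), while an IPV6_V6ONLY=1 listener really is IPv6-only. Ports are chosen by the kernel at run time; the function returns None on a host without IPv6 support.

```python
import errno
import socket


def dual_stack_probe():
    """Demonstrate why an httpd shown by netstat as ':::80' also serves IPv4.

    Binds an AF_INET6 listener with IPV6_V6ONLY=0 (the Linux default while
    /proc/sys/net/ipv6/bindv6only is 0), connects to it from an IPv4-only
    client, then tries a second IPv4-only bind on the same port, which is
    what a netcat listener would attempt and which fails with EADDRINUSE.
    Finally contrasts this with an IPV6_V6ONLY=1 listener that refuses the
    IPv4 client. Returns None when the host has no usable IPv6 stack.
    """
    result = {}
    srv = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))  # port 0: let the kernel pick a free port
        srv.listen(1)
    except OSError:
        if srv is not None:
            srv.close()
        return None
    port = srv.getsockname()[1]

    # An IPv4-only client reaches the "IPv6" listener; the server sees it as
    # an IPv4-mapped IPv6 address, ::ffff:127.0.0.1.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.connect(("127.0.0.1", port))
        conn, peer = srv.accept()
        conn.close()
    result["ipv4_client_accepted"] = True
    result["peer_as_seen_by_server"] = peer[0]

    # A separate IPv4 bind on the same port is refused: one listener already
    # owns the port for both protocol versions, which is why netstat shows
    # a single tcp6 row rather than a tcp and a tcp6 row.
    v4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        v4.bind(("0.0.0.0", port))
        result["ipv4_bind_blocked"] = False
    except OSError as exc:
        result["ipv4_bind_blocked"] = exc.errno == errno.EADDRINUSE
    finally:
        v4.close()
        srv.close()

    # Contrast: with IPV6_V6ONLY=1 the listener is IPv6-only and the IPv4
    # client is refused, because nothing IPv4 is bound to that port.
    only6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    only6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    only6.bind(("::", 0))
    only6.listen(1)
    port6 = only6.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        try:
            cli.connect(("127.0.0.1", port6))
            result["v6only_rejects_ipv4"] = False
        except OSError:
            result["v6only_rejects_ipv4"] = True
    only6.close()
    return result


if __name__ == "__main__":
    print(dual_stack_probe())
```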


[Freeipa-users] Re: Create Certificate for Load Balancer & end2end HTTPS traffic

2018-10-25 Thread John Keates via FreeIPA-users
I think you can do this if you upload your certificate and key to ACM in AWS, 
and then use the ACM ARN for your uploaded certificate as the certificate for 
the ALB.
You do need to generate the CSR separately indeed.

John

> On 25 Oct 2018, at 19:10, Peter Tselios via FreeIPA-users 
>  wrote:
> 
> Hello,
> I want to create an AWS Load Balancer that will use HTTPS end to end. 
> I want to use my FreeIPA to generate the certificates for the instances and 
> for the ALB. 
> My questions: 
> 1. Is it possible to issue a certificate from FreeIPA for the AWS ALB, since 
> the latter will not be a FreeIPA client?
> If so, how? 
> 
> 2. If I cannot issue a certificate from the FreeIPA, what alternatives do I 
> have? 
> Generate a CSR from any linux box and just sign it?


[Freeipa-users] Re: conflicting hostname requirement from SAP

2018-10-10 Thread John Keates via FreeIPA-users
I’d say: don’t run FreeIPA server on the same install as the SAP server.

John

> On 10 Oct 2018, at 23:16, Dan Haskell via FreeIPA-users 
>  wrote:
> 
> 
> 
> Per the FreeIPA quickstart guide:
> 
> The rule about /etc/hosts is that the fully-qualified name must come first. 
> It should look like:
> 
> 10.0.0.1   ipa.example.com ipa
> 
> Our servers run SAP, which requires the reverse. An SAP server's canonical 
> name must be its short name. :(
> 
> Is there any way to get freeipa to work with short names? I know it says 
> "must be fully qualified" several times in the docs... Suggestions? 
> Workarounds? Kludges?
> 
> Dan
> 


[Freeipa-users] Re: Cannot import certificate signed by MS-CA - subject mismatch

2018-09-12 Thread John Keates via FreeIPA-users
Only UTF-8 is allowed. Re-sign with UTF-8.

John

> On 12 Sep 2018, at 16:37, Peter Tselios via FreeIPA-users 
>  wrote:
> 
> No one
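An added example (not from the thread) that makes the encoding point checkable: it walks the DER of two X.501 subject Names and reports attributes whose text is identical but whose ASN.1 string type differs, which is what a CSR's UTF8String coming back from another CA as PrintableString looks like. The subject values are constructed; the encoder and decoder are minimal and handle only the DER constructs a Name uses.

```python
# ASN.1 universal tags (DER) that matter for an X.501 Name.
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
UTF8STRING, PRINTABLESTRING, BMPSTRING, UNIVERSALSTRING = 0x0C, 0x13, 0x1E, 0x1C
STRING_TYPES = {UTF8STRING: "UTF8String", PRINTABLESTRING: "PrintableString",
                0x14: "T61String", 0x16: "IA5String", BMPSTRING: "BMPString",
                UNIVERSALSTRING: "UniversalString"}
CHARSETS = {BMPSTRING: "utf-16-be", UNIVERSALSTRING: "utf-32-be"}  # others: UTF-8/ASCII


def _tlv(tag, content):
    """Encode one DER tag-length-value (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """All TLVs directly inside a constructed value, as (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))


def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def build_name(attrs, string_tag):
    """DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) with every value
    encoded as one string type; attrs is [(dotted_oid, text), ...]."""
    charset = CHARSETS.get(string_tag, "utf-8")
    rdns = b"".join(
        _tlv(SET, _tlv(SEQUENCE, _encode_oid(oid) + _tlv(string_tag, text.encode(charset))))
        for oid, text in attrs)
    return _tlv(SEQUENCE, rdns)


def name_attributes(der_name):
    """[(dotted_oid, string_type, text), ...] for every attribute in a DER Name."""
    tag, rdns, _ = _read_tlv(der_name, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Name")
    out = []
    for _set_tag, rdn in _children(rdns):
        for _seq_tag, atv in _children(rdn):
            (_, oid_bytes), (vtag, value) = _children(atv)[:2]
            text = value.decode(CHARSETS.get(vtag, "utf-8"), errors="replace")
            out.append((_decode_oid(oid_bytes), STRING_TYPES.get(vtag, f"tag 0x{vtag:02x}"), text))
    return out


def compare_subjects(requested_der, issued_der):
    """Diff the subject in the CSR against the subject the CA issued.
    'reencoded' lists attributes whose text is unchanged but whose ASN.1
    string type differs; that alone makes the two DER encodings unequal
    even though both names print identically."""
    asked, got = name_attributes(requested_der), name_attributes(issued_der)
    report = {"byte_equal": requested_der == issued_der, "reencoded": [], "changed": []}
    for (oid_a, kind_a, text_a), (oid_b, kind_b, text_b) in zip(asked, got):
        if oid_a != oid_b or text_a != text_b:
            report["changed"].append((oid_a, text_a, oid_b, text_b))
        elif kind_a != kind_b:
            report["reencoded"].append((oid_a, kind_a, kind_b))
    if len(asked) != len(got):
        report["changed"].append(("attribute count", len(asked), None, len(got)))
    return report


# Constructed sample: the subject a FreeIPA CSR carries as UTF8String, and the
# same text as an external CA might return it, re-encoded as PrintableString.
SUBJECT = [("2.5.4.10", "EXAMPLE.TEST"), ("2.5.4.3", "ipa.example.test")]
CSR_SUBJECT = build_name(SUBJECT, UTF8STRING)
ISSUED_SUBJECT = build_name(SUBJECT, PRINTABLESTRING)

if __name__ == "__main__":
    print(compare_subjects(CSR_SUBJECT, ISSUED_SUBJECT))
```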


[Freeipa-users] Re: Global Catalog Support on FreeIPA 4.7 ?

2018-08-26 Thread John Keates via FreeIPA-users
There is no Global Catalog or support for this. IPA does not host the services 
for the AD->IPA trust yet.

John

> On 26 Aug 2018, at 12:11, Zafer Syed via FreeIPA-users 
>  wrote:
> 
> Good Day,
> 
> I've configured a Two-way Forest trust between  AD (windows-2016) and FreeIPA 
> 4.7(Centos 7).
> 
> I'm able to log into the Linux Box, using the Windows AD username.
> 
> However, when I browse on the Windows AD to add the FreeIPA user to a group 
> for logging in locally, I get a message "Object not found".
> 
> Do we have Global Catalog service supported on FreeIPA 4.7? Or is there any 
> workaround for getting this to work?
> 
> Please advise.


[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-07-20 Thread John Keates via FreeIPA-users
Hi,

Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 generates 
a broken SSSD configuration.
Adding the services manually to sssd.conf fixes this:

services = nss, sudo, pam, ssh

For some reason, ipa-client-install thinks we have socket-activated SSSD 
services, but we don’t. From the SSSD package, we only get:

- sssd.service
- sssd-secrets.socket
- sssd-secrets.service

There seems to be a mismatch between what gets configured in sssd.conf and what 
is actually on the system.
I should probably report it as a bug against the Debian package, but I wonder 
where the assumption for sssd.conf is made. It is definitely generated by 
ipa-client-install, but maybe it’s because it sees the socket-activated SSSD 
components as a requirement?

Kind Regards,
John
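An added example, not from the thread or from the FreeIPA code base, of the check the post implies: read the sssd.conf that ipa-client-install wrote and list under [sssd] every responder that is neither already listed nor socket-activated on this system. The configuration text is constructed; the systemd unit directories and the injectable `exists` callback are assumptions made so the check can run against a hypothetical unit layout.

```python
import configparser
import io
import os

# Constructed sssd.conf in the shape the thread describes: the [sssd]
# section has no 'services' line, so with a non-socket-activated SSSD
# none of the responders (nss, pam, sudo, ssh) is ever started.
BROKEN_SSSD_CONF = """\
[domain/example.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.example.test
chpass_provider = ipa
ipa_server = _srv_, ipa.example.test
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
domains = example.test

[nss]
homedir_substring = /home

[pam]

[sudo]

[ssh]
"""

# The responders the fix in the thread lists explicitly.
WANTED_SERVICES = ["nss", "sudo", "pam", "ssh"]

# Where systemd unit files live on Debian and Fedora/RHEL (assumed layout).
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")


def socket_activated(service, exists=os.path.exists, unit_dirs=UNIT_DIRS):
    """True if an sssd-<service>.socket unit is installed for this responder.

    Only then may the responder be left out of 'services'; otherwise sssd
    has to start it itself, and it must be listed.
    """
    return any(exists(os.path.join(d, f"sssd-{service}.socket")) for d in unit_dirs)


def fix_sssd_services(conf_text, wanted=WANTED_SERVICES, exists=os.path.exists):
    """Return (new_conf_text, added_services).

    Appends to [sssd] services= every wanted responder that is neither listed
    already nor socket-activated according to 'exists'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    listed = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]
    missing = [s for s in wanted if s not in listed and not socket_activated(s, exists)]
    if missing:
        cp.set("sssd", "services", ", ".join(listed + missing))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), missing


if __name__ == "__main__":
    # Pretend no sssd-*.socket units exist, as on the Debian stretch client
    # in the thread; all four responders get added.
    text, added = fix_sssd_services(BROKEN_SSSD_CONF, exists=lambda path: False)
    print("added:", added)
    print(text)
```

The real file must stay root-only (mode 0600), so write the returned text back in place rather than to a new file.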


[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread John Keates via FreeIPA-users
What you want is not possible because DNS resolves to one IP, not to a NAT’ed 
IP.
Doing this differently is very hacky and totally unsupported. One host, one IP, 
one DNS record. NAT doesn’t belong in this type of networking.

If you really wanted to shoot yourself in the foot, you can use Unbound and a 
Python plugin to do record-rewriting on the fly. The IPA DNS server would 
return 10.3.2.33 for example and that would be rewritten to 172.16.2.33 if you 
desire that.
Queries would have to go to the unbound server and it forwards them to the IPA 
server. Responses are then rewritten on the fly if they contain the foreign IP 
range. This is bad in so many ways…


> On 21 Jun 2017, at 14:26, Kat via FreeIPA-users 
>  wrote:
> 
> Nothing? No suggestions?
> 
> Is it not possible to support DNS through a NAT?
> 
> -K
> 
> 
> On 6/20/17 1:32 PM, Kat wrote:
>> Here is an odd problem (I think).
>> 
>> I am using IPA in one environment, and want to set up a replica in another 
>> environment through natted connections. I can setup the client to the NAT 
>> server, but here is the tricky part - IPA is also DNS. So if I try to bring 
>> the DNS setup over with --
>> 
>> ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
>> 
>> It fails, because when it tries to lookup the master on the other side of 
>> the NAT FW, of course it resolves incorrectly. The first failure is 
>> conn-check, so even if I --skip-conncheck, it still fails since DNS will not 
>> resolve.
>> 
>> Suggestions?
>> 
>> -K
>> 


[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
Looks to me like Apache isn’t using the correct certificate, or the correct 
certificate was never installed. But I don’t know enough about FreeIPA’s 
certificate replacement process to know which one it is.
Aside from digging deeper, checking where Apache is looking for 
certificates, and maybe manually refreshing it to see if the certificate gets 
replaced correctly this time, I’m afraid someone else is going to have to jump 
in here.

John

> On 7 Jun 2017, at 15:03, Roberto Cornacchia via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> OK, I did so and httpd restarts.
> 
> $ openssl s_client -connect 127.0.0.1:443 -showcerts
> CONNECTED(0003)
> depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> verify error:num=10:certificate has expired
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/O=HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com
>    i:/O=HQ.SPINQUE.COM/CN=Certificate Authority
> ...
> 
> Fair enough, but why does this say it expires in 2019? Are they two different 
> certificates? 
> 
> $ getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20160501114633':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
>   subject: CN=IPA RA,O=HQ.SPINQUE.COM
>   expires: 2019-01-26 19:41:51 UTC
>   key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
> 
> What's the right way to solve this?
> 
> 
> On Wed, 7 Jun 2017 at 14:52 John Keates via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> I would suggest doing what the last line says: 
> 
> Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the 
> problem can be resolved.
> 
> Then, you can check the certificates and maybe refresh it if it is actually 
> expired.
> 
> John
> 
> 
>> On 7 Jun 2017, at 14:39, Roberto Cornacchia via FreeIPA-users 
>> <freeipa-users@lists.fedorahosted.org> wrote:
>> 
> 
>> Things are getting worse.
>> 
>> First, the version I reported before was incorrect (taken from a client). 
>> Here's the server one.
>> 
>> $ ipa --version
>> VERSION: 4.2.4, API_VERSION: 2.156
>> 
>> I did a dnf update (Fedora 23). The IPA upgrade failed.
>> I tried running it again, manually, after a reboot:
>> 
>> $ ipa-server-upgrade 
>> session memcached servers not running
>> Upgrading IPA:
>>   [1/8]: saving configuration
>>   [2/8]: disabling listeners
>>   [3/8]: enabling DS global lock
>>   [4/8]: starting directory server
>>   [5/8]: updating schema
>>   [6/8]: upgrading server
>> Add failure attribute "cn" not allowed
>>   [7/8]: stopping directory server
>>   [8/8]: restoring configuration
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>>
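As an added example (not from the thread), a small parser for `getcert list` output that makes the "are they two different certificates?" question checkable: it lists every tracked request with its NSS nickname and flags the ones already expired at a given time, so the RA agent cert that `-n ipaCert` shows and the Server-Cert that Apache serves can be told apart. The sample output is constructed in the quoted format, with example realm and host names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the `getcert list` output quoted in the
# thread (realm and host names replaced). Both requests are tracked in the same
# NSS database, /etc/httpd/alias: 'ipaCert' is the IPA RA agent certificate,
# 'Server-Cert' is the one mod_nss actually presents to browsers.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160501114633':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2019-01-26 19:41:51 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\ttrack: yes
\tauto-renew: yes
Request ID '20160501114702':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-03-16 18:45:29 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"  # the format certmonger prints for 'expires'


def parse_utc(text):
    """'2017-06-07 14:00:00 UTC' -> timezone-aware datetime."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # the 'Number of certificates ...' header, or noise
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    for rec in records:
        nick = NICKNAME_RE.search(rec.get("certificate", ""))
        rec["nickname"] = nick.group(1) if nick else None
        rec["expires_at"] = parse_utc(rec["expires"]) if "expires" in rec else None
    return records


def expired_nicknames(records, now):
    """Nicknames whose certificate had already expired at the aware datetime 'now'."""
    return [r["nickname"] for r in records
            if r["expires_at"] is not None and r["expires_at"] <= now]


def find_by_nickname(records, nickname):
    """The tracked request for one NSS nickname, or None."""
    return next((r for r in records if r["nickname"] == nickname), None)


def explain(text, now_text):
    """Which tracked certs are expired at 'now_text', and the expiry of the
    two certificates the thread confuses: the RA agent cert and Server-Cert."""
    records = parse_getcert_list(text)
    server = find_by_nickname(records, "Server-Cert")
    ra = find_by_nickname(records, "ipaCert")
    return {
        "expired": expired_nicknames(records, parse_utc(now_text)),
        "server_cert_expires": server["expires"] if server else None,
        "ra_cert_expires": ra["expires"] if ra else None,
    }


if __name__ == "__main__":
    print(explain(SAMPLE_GETCERT_LIST, "2017-06-07 14:00:00 UTC"))
```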

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
I would suggest doing what the last line says: 

Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the 
problem can be resolved.

Then, you can check the certificates and maybe refresh it if it is actually 
expired.

John

> On 7 Jun 2017, at 14:39, Roberto Cornacchia via FreeIPA-users 
>  wrote:
> 
> Things are getting worse.
> 
> First, the version I reported before was incorrect (taken from a client). 
> Here's the server one.
> 
> $ ipa --version
> VERSION: 4.2.4, API_VERSION: 2.156
> 
> I did a dnf update (Fedora 23). The IPA upgrade failed.
> I tried running it again, manually, after a reboot:
> 
> $ ipa-server-upgrade 
> session memcached servers not running
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>   [6/8]: upgrading server
> Add failure attribute "cn" not allowed
>   [7/8]: stopping directory server
>   [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
> ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'start' 'httpd.service'' 
> returned non-zero exit status 1
> 
> The ipaupgrade log only says that starting httpd failed.
> 
> HTTPD log says:
> 
> [Wed Jun 07 14:32:26.822478 2017] [core:notice] [pid 3182] SELinux policy 
> enabled; httpd running as context system_u:system_r:httpd_t:s0
> [Wed Jun 07 14:32:26.823122 2017] [suexec:notice] [pid 3182] AH01232: suEXEC 
> mechanism enabled (wrapper: /usr/sbin/suexec)
> [Wed Jun 07 14:32:26.823467 2017] [:warn] [pid 3182] NSSSessionCacheTimeout 
> is deprecated. Ignoring.
> [Wed Jun 07 14:32:26.913923 2017] [:error] [pid 3182] SSL Library Error: 
> -8181 Certificate has expired
> [Wed Jun 07 14:32:26.913942 2017] [:error] [pid 3182] Unable to verify 
> certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the 
> server can start until the problem can be resolved.
> 
> Any suggestion?
> 
> On Wed, 7 Jun 2017 at 13:17 Roberto Cornacchia  > wrote:
> Not being able to login to the admin console, I checked the httpd log and 
> found the following errors:
> 
> [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify 
> certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the 
> server can start until the problem can be resolved.
> [Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: 
> -8181 Certificate has expired
> [Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify 
> certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the 
> server can start until the problem can be resolved.
> [Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record 
> of generation 47 of exiting child 10203
> 
> I also get an error during enrollment of a new client (which seems to 
> retrieve a valid certificate anyway):
> 
> Password for ad...@hq.spinque.com : 
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=HQ.SPINQUE.COM 
> 
> Issuer:  CN=Certificate Authority,O=HQ.SPINQUE.COM 
> 
> Valid From:  Mon Mar 16 18:44:35 2015 UTC
> Valid Until: Fri Mar 16 18:44:35 2035 UTC
> 
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, 
> explaining:  TCP connection reset by peer
> 
> Services are up:
> 
> $ ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> 
> Certificate monitoring seems ok:
> 
> $ getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20160501114633':
>   status: MONITORING
>   stuck: no
>   key pair storage: 
> 
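An added example, not part of the thread, for pulling these failures out of the httpd error log with sh and awk: it pairs each "Unable to verify certificate" line with the NSS error code logged by the same worker pid, so the nickname that actually failed is named. Note that the getcert request quoted above tracks ipaCert, while the log complains about Server-Cert, which is a different certificate in the same NSS database.

```shell
#!/bin/sh
# Added example, not from the thread: flag NSS certificate-verification
# failures in an httpd (mod_nss) error log and pair each failing nickname
# with the NSS error code logged by the same worker pid.

# write_sample_log FILE: a constructed excerpt modelled on the lines quoted
# in the thread (same pids and messages).
write_sample_log() {
    cat > "$1" <<'EOF'
[Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203
EOF
}

# nss_cert_failures LOGFILE
# Prints "<pid> <nickname> <nss error>" for every "Unable to verify" line.
# In the quoted log the "SSL Library Error: <code> <text>" line precedes the
# "Unable to verify certificate" line from the same pid, so the code is kept
# per pid; a line whose pid logged no code is reported as "unknown".
nss_cert_failures() {
    awk -v q="'" '
        function pid_of(line,    s) {
            s = line; sub(/.*\[pid /, "", s); sub(/].*/, "", s); return s
        }
        /SSL Library Error: / {
            s = $0; sub(/.*SSL Library Error: /, "", s)
            err[pid_of($0)] = s
            next
        }
        /Unable to verify certificate/ {
            split($0, parts, q)          # parts[2] is the quoted NSS nickname
            p = pid_of($0)
            print p, parts[2], ((p in err) ? err[p] : "unknown")
        }
    ' "$1"
}

# expired_nicknames LOGFILE: unique nicknames that failed with NSS -8181
# (SEC_ERROR_EXPIRED_CERTIFICATE), the case seen in the thread.
expired_nicknames() {
    nss_cert_failures "$1" | awk '$3 == "-8181" { print $2 }' | sort -u
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_log "$tmp" && nss_cert_failures "$tmp"
    rm -f "$tmp"
fi
```

Run it against the real log with `nss_cert_failures /var/log/httpd/error_log`; an expired nickname calls for renewing that certificate, not for setting NSSEnforceValidCerts off, which only hides the failure.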

[Freeipa-users] Re: named-pkcs11 systemd service

2017-05-26 Thread John Keates via FreeIPA-users
Hi,

At the risk of smelling like a thread hijack: I’m experiencing the same issue 
on one server (Fedora 25), but on all others it’s fine. I don’t think this is a 
‘normal’ issue that should be ‘fixed’ by restarting named-pkcs11 all the time.
I tend to check for known issues (and solutions) on this issue from time to 
time, but there doesn’t seem to be a standard issue with a standard solution 
for this case (yet?).

I suppose the FreeIPA team would like a ticket, some logs, maybe some core 
dumps or gdb outputs, but I’d create my own message thread or ticket and not 
bother you here ;-)

Regards,
John

> On 26 May 2017, at 19:11, Sigbjorn Lie via FreeIPA-users wrote:
> 
> Hi,
> 
> I have experienced named stopping unexpectedly from time to time. After 
> moving to RHEL 7 I made use of a handy feature in systemd, 
> “Restart=always”, to make sure named is kept alive. 
> 
> This has kept named alive for me, and I was wondering if this perhaps would 
> be a useful addition to the default "named-pkcs11.service” shipped in RHEL? 
> 
> The change I have made is to copy the file 
> /usr/lib/systemd/system/named-pkcs11.service to 
> /etc/systemd/system/named-pkcs11.service, and to add the following to the 
> [service] section:
> ---
> Restart=always
> RestartSec=3
> ---
> 
> The underlying issue of why named is crashing would of course also need to 
> be investigated separately.
> 
> What do you think?
> 
> 
> Regards,
> Siggi
> 
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
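An added example, not from Sigbjorn or John, of applying the same Restart= policy as a systemd drop-in instead of a full copy of the unit, with a start-rate limit so a crash loop surfaces as a failed unit rather than being hidden. The drop-in file name and the [Service] placement of StartLimitInterval= (which is where the RHEL 7 systemd reads it) are assumptions; systemd 230 and later expect StartLimitIntervalSec= in [Unit] instead.

```shell
#!/bin/sh
# Added example, not from the thread: install the Restart= policy as a
# systemd drop-in instead of a full copy of the unit, so a later package
# update to /usr/lib/systemd/system/named-pkcs11.service still takes effect.

# write_restart_dropin UNIT [ROOT]
# Writes ROOT/etc/systemd/system/UNIT.d/restart.conf (ROOT defaults to the
# real filesystem) and prints its path. The start-rate limit is the caveat
# to Restart=always: more than 5 starts within 60 s leaves the unit failed,
# so a crash loop is visible instead of being papered over. On RHEL 7's
# systemd these two keys live in [Service]; systemd 230 and later expect
# StartLimitIntervalSec=/StartLimitBurst= in [Unit] instead.
write_restart_dropin() {
    unit=$1
    root=${2:-}
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/restart.conf" <<'EOF'
[Service]
Restart=always
RestartSec=3
StartLimitInterval=60
StartLimitBurst=5
EOF
    printf '%s\n' "$dir/restart.conf"
}

# dropin_value FILE KEY: read one KEY=VALUE setting back out of a drop-in.
dropin_value() {
    sed -n "s/^$2=//p" "$1"
}

# Apply for real (needs root): write the drop-in, reload, and confirm.
if [ "${1:-}" = "--install" ]; then
    write_restart_dropin named-pkcs11.service >/dev/null
    systemctl daemon-reload
    systemctl show -p Restart -p RestartUSec named-pkcs11.service
fi
```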


[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread John Keates via FreeIPA-users
Hi,

Instead of using the Let’s Encrypt thing on the IPA server itself, I often just 
use it on a reverse proxy. This way the end-users see the verified CA and 
FreeIPA can keep doing its business.
I tried to use ACME on the IPA server in the past, but it wasn’t very well 
integrated and caused problems. Since only web-facing elements benefit from 
external CA signed certificates (for users that access it but don’t have the CA 
on their machine), it doesn’t actually need to be integrated with the rest of 
IPA.

John

> On 25 May 2017, at 13:39, Günther J. Niederwimmer via FreeIPA-users wrote:
> 
> Hello,
> 
> after the mistake with the StartCom CA (Class 3), I am now looking for a new 
> certificate.
> 
> Is it possible and functional to install a Let's Encrypt CA on an IPA server?
> 
> I have found a script on GitHub to install a Let's Encrypt CA for FreeIPA 
> (Fedora), but can anyone tell me whether this works with CentOS 7(.3)?
> 
> Thanks for an answer,
> 
> -- 
> with kind regards / best regards
> 
>  Günther J. Niederwimmer