[Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work
Hi,

Server: FreeIPA 3.3.5, Fedora 20
Client: Ubuntu 14.04

  ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P

only results in:

  klist -k /tmp/principal.keytab -e
  Keytab name: FILE:/tmp/principal.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     5 principal@REALM (des3-cbc-sha1)

/var/kerberos/krb5kdc/kdc.conf:

  [kdcdefaults]
   kdc_ports = 88
   kdc_tcp_ports = 88
   restrict_anonymous_to_tgt = true

  [realms]
   REALM = {
    master_key_type = aes256-cts
    max_life = 7d
    max_renewable_life = 14d
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    default_principal_flags = +preauth
  ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
    pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
    supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4 des3-hmac-sha1:normal
   }

I added the des3-hmac-sha1:normal entry to the supported_enctypes parameter. There are also attribute entries krbDefaultEncSaltTypes and krbSupportedEncSaltTypes with the value des3-hmac-sha1:normal in 389 LDAP.

cheers,
Andreas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work
On Mon, 01 Dec 2014 11:53:11 +0100
Andreas Ladanyi andreas.lada...@kit.edu wrote:

> Hi,
>
> Server: FreeIPA 3.3.5, Fedora 20
> Client: Ubuntu 14.04
>
> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P
>
> only results in:
>
> klist -k /tmp/principal.keytab -e
> Keytab name: FILE:/tmp/principal.keytab
> KVNO Principal

The 2 enctypes are equivalent and can be interchanged afaik.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
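Simo's point that the two names denote one enctype can be checked mechanically. The script below is an added example for this page (not code from the thread, from FreeIPA or from MIT krb5): it carries the MIT enctype alias table, parses `klist -ke` output (the sample embedded in it is constructed to match the keytab in the thread, with one AES key added), reports which requested enctypes a keytab contains once aliases are folded, flags weak key types, and shows that the `des3-hmac-sha1:normal` entry appended to `supported_enctypes` in the kdc.conf above is a duplicate of the `des3-cbc-sha1:normal` entry already there. Function and constant names are the editor's own.

```python
"""Alias-aware audit of Kerberos enctypes in a keytab and in kdc.conf.

Editor's example, not FreeIPA or MIT krb5 code. It parses the text output
of `klist -ke` (constructed sample below) and a kdc.conf supported_enctypes
value (the one from the thread).
"""
import re

# MIT krb5 enctype names and the aliases krb5_string_to_enctype() accepts.
# kdc.conf supported_enctypes, ipa-getkeytab -e and klist all go through this
# table, so des3-hmac-sha1 and des3-cbc-sha1 name the same key type.
# First name of each tuple is the canonical spelling klist -e prints.
# Transcribed from the MIT kdc.conf "Encryption types" table; the aes*-sha2
# and camellia rows only exist in newer krb5 releases than the 2014 ones here.
ENCTYPE_ALIASES = {
    "des-cbc-crc": ("des-cbc-crc",),
    "des-cbc-md4": ("des-cbc-md4",),
    "des-cbc-md5": ("des-cbc-md5",),
    "des-hmac-sha1": ("des-hmac-sha1",),
    "des3-cbc-sha1": ("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"),
    "arcfour-hmac": ("arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"),
    "arcfour-hmac-exp": ("arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    "aes128-cts-hmac-sha1-96": ("aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"),
    "aes256-cts-hmac-sha1-96": ("aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"),
    "aes128-cts-hmac-sha256-128": ("aes128-cts-hmac-sha256-128", "aes128-sha2"),
    "aes256-cts-hmac-sha384-192": ("aes256-cts-hmac-sha384-192", "aes256-sha2"),
    "camellia128-cts-cmac": ("camellia128-cts-cmac", "camellia128-cts"),
    "camellia256-cts-cmac": ("camellia256-cts-cmac", "camellia256-cts"),
}
CANONICAL = {alias: canon for canon, names in ENCTYPE_ALIASES.items() for alias in names}

# Single DES is broken (removed in krb5 1.18); 3DES and RC4 are deprecated
# since krb5 1.17. A keytab whose only key is one of these is a finding.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
        "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}


def canonical(name):
    """Map any accepted spelling of an enctype to the name klist -e prints."""
    key = name.strip().lower()
    if key.startswith("deprecated:"):   # newer klist -e prefixes weak types this way
        key = key[len("deprecated:"):]
    if key not in CANONICAL:
        raise ValueError("unknown enctype: %r" % name)
    return CANONICAL[key]


def same_enctype(a, b):
    """True when two spellings name the same enctype (des3-hmac-sha1 == des3-cbc-sha1)."""
    return canonical(a) == canonical(b)


KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Parse `klist -ke` output into (kvno, principal, canonical enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), canonical(m.group(3))))
    return entries


def audit_keytab(klist_output, required):
    """Report which required enctypes the keytab has (alias-aware) and which keys are weak."""
    present = []
    for _kvno, _principal, etype in parse_klist(klist_output):
        if etype not in present:
            present.append(etype)
    wanted = [canonical(e) for e in required]
    return {"present": present,
            "missing": [e for e in wanted if e not in present],
            "weak": [e for e in present if e in WEAK]}


def normalize_supported_enctypes(value):
    """Canonicalize a kdc.conf supported_enctypes value.

    Returns (unique, duplicates) lists of (enctype, salt) pairs; a duplicate is
    an entry that differs from an earlier one only by alias spelling.
    """
    unique, duplicates = [], []
    for item in value.split():
        etype, _, salt = item.partition(":")
        pair = (canonical(etype), salt or "normal")
        (duplicates if pair in unique else unique).append(pair)
    return unique, duplicates


# Constructed sample: the klist output from the thread plus one AES key.
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/principal.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 principal@REALM (des3-cbc-sha1)
   5 principal@REALM (aes256-cts-hmac-sha1-96)
"""

# The supported_enctypes value from the kdc.conf posted in the thread.
SAMPLE_SUPPORTED = ("aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal "
                    "des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4 "
                    "des3-hmac-sha1:normal")

if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KLIST, ["des3-hmac-sha1", "aes128-cts"]))
    print(normalize_supported_enctypes(SAMPLE_SUPPORTED))
```

The practical consequence for the thread: `ipa-getkeytab -e des3-hmac-sha1` did work, the keytab simply lists the key under its canonical name, and the extra `des3-hmac-sha1:normal` entry in `supported_enctypes` changes nothing. What the audit does flag is that the only key type requested is a deprecated one; a keytab should carry the AES types as well.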
[Freeipa-users] freeipa-freeipa trust relationship
Hi,

I know that it is possible to connect a FreeIPA/IdM to an Active Directory forest. But is there a way to have a relationship between 2 FreeIPA domains, and if yes, is there any documentation?

Thanks in advance.

Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135
Fax: 514-276-5465
7275 Saint Urbain
Bureau 200
Montréal, QC, H2R 2Y5
Re: [Freeipa-users] freeipa-freeipa trust relationship
On Mon, 01 Dec 2014, Nicolas Zin wrote:
> Hi,
>
> I know that it is possible to connect a FreeIPA/idm to an Active Directory forest. But is there a way to have a relationship between 2 freeipa domains, and if yes, is there any documentation.

Not implemented yet.

--
/ Alexander Bokovoy
Re: [Freeipa-users] freeipa-freeipa trust relationship
----- Original Message -----
From: Alexander Bokovoy aboko...@redhat.com
To: Nicolas Zin nicolas@savoirfairelinux.com
Cc: freeipa-users@redhat.com
Sent: Monday, 1 December 2014 19:28:20
Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship

> On Mon, 01 Dec 2014, Nicolas Zin wrote:
>> Hi,
>>
>> I know that it is possible to connect a FreeIPA/idm to an Active Directory forest. But is there a way to have a relationship between 2 freeipa domains, and if yes, is there any documentation.
>
> Not implemented yet.

So even manually it is not possible? Like following
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html ?

So far, I tried to:

  kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM
  add_principal krbtgt/b.example@a.example.com

  kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM
  add_principal krbtgt/a.example@b.example.com

edit /etc/krb5.conf to add elements in the sections [realms], [domain_realm] and [capaths], and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and /var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM).

Yes, this is ugly.

I managed to kinit us...@b.example.com from A.EXAMPLE.COM and, with this credential, to ssh to the other host. But I don't manage to do it transparently (i.e. ssh B.EXAMPLE.COM -l us...@a.example.com with the right password, or better: without a password).

I guess this is not implemented in sssd and this is the problem I face?

Regards,

Nicolas
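The manual setup above stands or falls on the [capaths] entries in /etc/krb5.conf: without one, a client in A.EXAMPLE.COM that wants a service in B.EXAMPLE.COM follows the hierarchical default and asks A's KDC for krbtgt/EXAMPLE.COM@A.EXAMPLE.COM, a principal that exists in neither realm. The script below is an added example for this page (not code from the thread, from FreeIPA, SSSD or MIT krb5). It parses [capaths] out of a krb5.conf text constructed for the two realms named above, resolves the transit path a client would use, falls back to the hierarchical default the way MIT krb5 does when no entry exists, and flags one-sided entries. The KDC host names, the third realm C.EXAMPLE.NET and all function names are the editor's inventions.

```python
"""Resolve the Kerberos cross-realm transit path from a krb5.conf [capaths].

Editor's example, not FreeIPA, SSSD or MIT krb5 code. The krb5.conf text is
constructed for the two realms in the thread; the fallback mirrors the
hierarchical default MIT krb5 applies when [capaths] has no entry.
"""
import re


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate, ...]}} from krb5.conf text.

    A value of "." is a direct trust (empty list); repeated tags for the same
    server realm list the intermediate realms in order. Other sections are skipped.
    """
    capaths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section, client = m.group(1).lower(), None
            continue
        if section != "capaths":
            continue
        if line == "}":
            client = None
            continue
        tag, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            client = tag.upper()
            capaths.setdefault(client, {})
        elif client is not None:
            hops = capaths[client].setdefault(tag.upper(), [])
            if value != ".":
                hops.append(value.upper())
    return capaths


def hierarchical_path(client, server):
    """Default path when [capaths] is silent: climb from the client realm to the
    longest shared domain suffix, then descend to the server realm. The shared
    suffix realm itself is a hop unless it is the client or the server."""
    c, s = client.upper().split("."), server.upper().split(".")
    shared = 0
    while shared < min(len(c), len(s)) and c[-1 - shared] == s[-1 - shared]:
        shared += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - shared)]
    common = [".".join(c[len(c) - shared:])] if 0 < shared < len(c) and shared < len(s) else []
    down = [".".join(s[j:]) for j in range(len(s) - shared - 1, 0, -1)]
    return up + common + down


def transit_path(capaths, client, server):
    """Intermediate realms a client in `client` crosses to reach a service in `server`."""
    client, server = client.upper(), server.upper()
    if client == server:
        return []
    explicit = capaths.get(client, {}).get(server)
    return explicit if explicit is not None else hierarchical_path(client, server)


def missing_reverse(capaths):
    """(client, server) pairs with an explicit path one way but none back.

    SSO in both directions (ssh from A to B and from B to A) needs both entries
    on every KDC and client; a one-sided [capaths] is the usual reason one
    direction silently falls back to the hierarchical path and fails.
    """
    return [(client, server)
            for client, servers in capaths.items()
            for server in servers
            if client not in capaths.get(server, {})]


# Constructed krb5.conf fragment for the two realms in the thread. KDC host
# names and C.EXAMPLE.NET are made up; the reverse entry B -> A is left out
# on purpose so that missing_reverse() has something to report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = A.EXAMPLE.COM

[realms]
    A.EXAMPLE.COM = {
        kdc = ipa.a.example.com:88
    }
    B.EXAMPLE.COM = {
        kdc = ipa.b.example.com:88
    }

[domain_realm]
    .a.example.com = A.EXAMPLE.COM
    .b.example.com = B.EXAMPLE.COM

[capaths]
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .               # direct: krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
    }
    C.EXAMPLE.NET = {
        B.EXAMPLE.COM = A.EXAMPLE.COM   # two hops, via A
    }
"""

if __name__ == "__main__":
    caps = parse_capaths(SAMPLE_KRB5_CONF)
    for c, s in (("A.EXAMPLE.COM", "B.EXAMPLE.COM"), ("B.EXAMPLE.COM", "A.EXAMPLE.COM")):
        print(c, "->", s, "via", transit_path(caps, c, s) or "direct")
    print("missing reverse entries:", missing_reverse(caps))
```

Two caveats the script cannot check for you: the cross-realm principal for each direction (krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM for A users reaching B, krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM for the other way) must exist in both KDC databases with the same key, kvno and enctype, or the receiving KDC cannot decrypt the cross-realm TGT; and the KDCs read [capaths] too, for the transited-realm check, so the same entries belong on the servers, not only on the clients.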
Re: [Freeipa-users] freeipa-freeipa trust relationship
On Mon, 01 Dec 2014, Nicolas Zin wrote:
> ----- Original Message -----
> From: Alexander Bokovoy aboko...@redhat.com
> To: Nicolas Zin nicolas@savoirfairelinux.com
> Cc: freeipa-users@redhat.com
> Sent: Monday, 1 December 2014 19:28:20
> Subject: Re: [Freeipa-users] freeipa-freeipa trust relationship
>
>> On Mon, 01 Dec 2014, Nicolas Zin wrote:
>>> Hi,
>>>
>>> I know that it is possible to connect a FreeIPA/idm to an Active Directory forest. But is there a way to have a relationship between 2 freeipa domains, and if yes, is there any documentation.
>>
>> Not implemented yet.
>
> So even manually it is not possible? Like following
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html ?

That one is only covering a 'generic' Kerberos realm trust, not specifically applied to FreeIPA.

> So far, I tried to:
>
>   kadmin.local -x ipa-setup-override-restrictions -r A.EXAMPLE.COM
>   add_principal krbtgt/b.example@a.example.com
>
>   kadmin.local -x ipa-setup-override-restrictions -r B.EXAMPLE.COM
>   add_principal krbtgt/a.example@b.example.com
>
> edit /etc/krb5.conf to add elements in the sections [realms], [domain_realm] and [capaths], and add a file into /var/lib/sss/pubconf/kdcinfo.B.EXAMPLE.COM (and /var/lib/sss/pubconf/kdcinfo.A.EXAMPLE.COM).
>
> Yes, this is ugly.
>
> I managed to kinit us...@b.example.com from A.EXAMPLE.COM and, with this credential, to ssh to the other host. But I don't manage to do it transparently (i.e. ssh B.EXAMPLE.COM -l us...@a.example.com with the right password, or better: without a password).
>
> I guess this is not implemented in sssd and this is the problem I face?

Yes, SSSD doesn't know that A.EXAMPLE.COM is a 'subdomain' of B.EXAMPLE.COM (this is how we manage all trusts), thus doesn't know how to resolve users/groups from that realm and how to assign them POSIX attributes locally.

Our approach is to get the FreeIPA/AD trust case finished first and then reuse as much as possible for the FreeIPA/FreeIPA trust case. We anyway would have to implement most of the same functionality -- ID range handling, POSIX attributes management, caching of group membership (MS-PAC or UNIX-PAD extensions in Kerberos tickets), discovery of forest topology and so on.

--
/ Alexander Bokovoy
[Freeipa-users] CA Replication Installation Failing
Hi All,

I have RHEL6 with IPA servers running the standard ipa server 3.0.0-42. PKI components are also the standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a replica, but not a CA replica. I am now trying to add CA replication to serverb but it is failing midway through and I cannot figure out why. Annoyingly, I used the same method/command to set up a CA replica on test servers and it completed without issue.

Here is what I get (for the sake of brevity, I am excluding the lines for the connection check, which were all OK):

=====
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:

Get credentials to log in to remote master
ad...@mydomain.com password:

Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd -preop_pin exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://servera.mydomain.com:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
=====

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the point of failure:

=====
# Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
     the Free Software Foundation; version 2 of the License.

     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
     GNU General Public License for more details.

     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software Foundation,
     Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

     Copyright (C) 2007 Red Hat, Inc.
     All rights reserved.
     END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <res/>
  <updateStatus>failure</updateStatus>
  <password/>
  <errorString>The pkcs12 file is not correct.</errorString>
  <size>19</size>
  <title>Import Keys and Certificates</title>
  <panels>
    <Vector>
      <Panel>
        <Id>welcome</Id>
        <Name>Welcome</Name>
      </Panel>
      <Panel>
        <Id>module</Id>
        <Name>Key Store</Name>
      </Panel>
      <Panel>
        <Id>confighsmlogin</Id>
        <Name>ConfigHSMLogin</Name>
      </Panel>
      <Panel>
        <Id>securitydomain</Id>
        <Name>Security Domain</Name>
      </Panel>
      <Panel>
        <Id>securitydomain</Id>
        <Name>Display Certificate Chain</Name>