Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-02-07 Thread John Obaterspok
2016-02-06 23:29 GMT+01:00 Rob Crittenden :

> John Obaterspok wrote:
>
>> Hi,
>>
>> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>>
>> I recently started to get the nss error "SSL peer has no certificate for the
>> requested DNS name." when I'm accessing my https://gitserver.my.lan
>>
>> Previously this worked fine if I had set "git config --global
>> http.sslVerify false" according to
>> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>
>> Now I tried to solve this by adding a SubjectAltName to the
>> HTTP/ipa.my.lan certificate like this:
>>
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=MY.LAN
>> subject: CN=ipa.my.lan,O=MY.LAN
>> expires: 2018-02-06 19:24:52 UTC
>> dns: gitserver.my.lan,ipa.my.lan
>> principal name: http/ipa.my@my.lan
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> But I still get the below error:
>>
>> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> * SSL peer has no certificate for the requested DNS name
>>
>
> What version of mod_nss? It recently added support for SNI. You can try
> turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> imagine you were already relying on it.
>
>
Hi,

Turning it off didn't help.

I'm on F23 with the latest updates, so I have mod_nss-1.0.12-1.
I noticed it worked if I set "ServerName gitserver.my.lan" in
gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.

I then tried to put ipa.conf in  but then I got an error
about SSL_ERROR_RX_RECORD_TOO_LONG.

gitserver.conf has this:


DocumentRoot /opt/wwwgit
SetEnv GIT_PROJECT_ROOT /opt/wwwgit
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

ServerName gitserver.my.lan

  
  Options Indexes
  AllowOverride None
  Require all granted
 

 
  Options Indexes
  AllowOverride None
  Require all granted
 


  #SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbAuthRealm WIN.LAN
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbMethodNegotiate on
  # Set to on to query for pwd if negotiation failed due to no ticket available
  # (kept on its own line: httpd does not accept trailing comments after a directive)
  KrbMethodK5Passwd off
  KrbSaveCredentials on
  KrbVerifyKDC on
  KrbServiceName HTTP/ipa.my@my.lan

  AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
  AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
  AuthLDAPBindPassword "secret123abc"
  Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
 




Any more ideas about what I'm doing wrong?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
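
The alert in the thread above (SSL_ERROR_UNRECOGNIZED_NAME_ALERT) is the server telling the client that the name it sent in the TLS SNI extension matched no virtual host it could serve, and the client-side "no certificate for the requested DNS name" check is the hostname-against-SAN comparison. The following script is an added example, not code from the post or from FreeIPA/mod_nss: it implements that SAN matching rule, parses the `dns:` line of the `getcert list` output shown above, and offers a live probe that connects with a chosen SNI name and reports which SAN names the server actually presented. The path `/etc/ipa/ca.crt`, the function names and the sample hostnames are assumptions for the example.

```python
"""Check which certificate a TLS server presents for a given SNI name.

Added example for the mailing-list thread; not FreeIPA or mod_nss code.
Assumptions (not from the original post): the IPA CA certificate is at
/etc/ipa/ca.crt, and the hostnames below are constructed from the post.
"""
import socket
import ssl


def hostname_matches_san(hostname, dns_names):
    """Return True if `hostname` is covered by one of the dNSName SAN entries.

    Applies the usual RFC 6125 rules a TLS client uses: the comparison is
    case-insensitive, a trailing dot is ignored, and a wildcard is honoured
    only as the whole left-most label ("*.my.lan" matches "git.my.lan" but
    neither "a.b.my.lan" nor "my.lan").
    """
    host = hostname.rstrip(".").lower()
    for name in dns_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # e.g. ".my.lan"
            head, sep, rest = host.partition(".")
            if sep and head and "." + rest == suffix:
                return True
    return False


def san_from_getcert_dns_line(line):
    """Parse the 'dns: a,b' line of `getcert list` output into a list."""
    key, _, value = line.partition(":")
    if key.strip() != "dns":
        raise ValueError("not a dns: line")
    return [n.strip() for n in value.split(",") if n.strip()]


def probe_sni(host, servername, port=443, cafile="/etc/ipa/ca.crt"):
    """Connect to `host`, send `servername` as SNI, and return the SAN DNS
    names of the certificate the server chose for that name.

    Hostname checking is disabled on purpose so a mismatch can be observed;
    the chain is still verified against the IPA CA (assumed path), which is
    what makes getpeercert() return parsed fields. Needs network access.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def diagnose(servername, dns_names):
    """One-line verdict for an SNI name against the served SAN list."""
    if hostname_matches_san(servername, dns_names):
        return f"{servername}: OK, covered by SAN {dns_names}"
    return f"{servername}: MISMATCH, server certificate SAN is {dns_names}"


if __name__ == "__main__":
    # Constructed input: the dns: line from the getcert output in the post.
    san = san_from_getcert_dns_line("dns: gitserver.my.lan,ipa.my.lan")
    for name in ("gitserver.my.lan", "ipa.my.lan", "other.my.lan"):
        print(diagnose(name, san))
    # Live check against the IPA host (uncomment when the host is reachable):
    # print(probe_sni("ipa.my.lan", "gitserver.my.lan"))
```

Running `probe_sni` once per ServerName (ipa.my.lan and gitserver.my.lan) shows whether the virtual host selected for each SNI name is actually serving the certificate with both names in its SAN; if the two names return different SAN lists, the problem is virtual-host selection in httpd rather than the certificate itself.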

Re: [Freeipa-users] IPA-AD Login

2016-02-07 Thread Jakub Hrozek
On Fri, Feb 05, 2016 at 06:21:56PM -0600, Alan P wrote:
> Thanks jhrozek, I have already seen it and applied to my IPA server, but it 
> didn't have any significant impact, at least for AD users. In krb5kdc log, 
> when I try to login with an IPA user in Windows, I can see the next:
> 
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 
> etypes {18 17 23 24 -135 3}) 172.19.21.37: NEEDED_PREAUTH: 
> ipa.u...@ipa.ad.example.com for krbtgt/ipa.ad.example@ipa.ad.example.com, 
> Additional pre-authentication required
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 
> etypes {18 17 23 24 -135 3}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
> {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
> krbtgt/ipa.ad.example@ipa.ad.example.com
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
> etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
> {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
> krbtgt/ad.example@ipa.ad.example.com
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
> etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
> {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
> cifs/master.ipa.ad.example@ipa.ad.example.com
> Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
> etypes {18 17 23 24 -135}) 172.19.21.37: LOOKING_UP_SERVER: authtime 0,  
> ipa.u...@ipa.ad.example.com for 
> ProtectedStorage/master.ipa.ad.example@ipa.ad.example.com, Server not 
> found in Kerberos database
> Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> 
> 
> In Windows, I can't find something related.
> 
> Any other suggestion?

Which part of the login is slow? Acquiring a ticket with kinit or
establishing the user groups etc.? Usually it's the latter, so looking at
the sssd logs and checking what takes so long is the best way forward in
most cases. You can also confirm whether the group resolution takes a long
time with:
sss_cache -E; id $aduser@addomain



Re: [Freeipa-users] IPA-AD Login

2016-02-07 Thread Baird, Josh
It sounds like you are trying to log in to Windows AD clients using IPA 
credentials?

If so, I do not believe this functionality is currently supported.

Thanks,

Josh

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Sunday, February 07, 2016 8:13 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA-AD Login
> 
> On Fri, Feb 05, 2016 at 06:21:56PM -0600, Alan P wrote:
> > Thanks jhrozek, I have already seen it and applied to my IPA server, but it
> didn't have any significant impact, at least for AD users. In krb5kdc log, 
> when
> I try to login with an IPA user in Windows, I can see the next:
> >
> > Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ
> > (6 etypes {18 17 23 24 -135 3}) 172.19.21.37: NEEDED_PREAUTH:
> > ipa.u...@ipa.ad.example.com for
> > krbtgt/ipa.ad.example@ipa.ad.example.com, Additional
> > pre-authentication required Feb 05 17:52:12 master.ipa.ad.example.com
> > krb5kdc[14081](info): closing down fd 12 Feb 05 17:52:12
> > master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 etypes {18
> > 17 23 24 -135 3}) 172.19.21.37: ISSUE: authtime 1454716332, etypes
> > {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for
> > krbtgt/ipa.ad.example@ipa.ad.example.com
> > Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info):
> > closing down fd 12 Feb 05 17:52:12 master.ipa.ad.example.com
> > krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135})
> > 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18
> > ses=18}, ipa.u...@ipa.ad.example.com for
> > krbtgt/ad.example@ipa.ad.example.com
> > Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info):
> > closing down fd 12 Feb 05 17:58:45 master.ipa.ad.example.com
> > krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135})
> > 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18
> > ses=18}, ipa.u...@ipa.ad.example.com for
> > cifs/master.ipa.ad.example@ipa.ad.example.com
> > Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info):
> > closing down fd 12 Feb 05 17:58:47 master.ipa.ad.example.com
> > krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135})
> > 172.19.21.37: LOOKING_UP_SERVER: authtime 0,
> > ipa.u...@ipa.ad.example.com for
> > ProtectedStorage/master.ipa.ad.example@ipa.ad.example.com,
> Server
> > not found in Kerberos database Feb 05 17:58:47
> > master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
> >
> >
> > In Windows, I can't find something related.
> >
> > Any other suggestion?
> 
> Which part of the login is slow? Acquiring a ticket with kinit or establishing
> the user groups etc.? Usually it's the latter, so looking at the sssd logs and
> checking what takes so long is the best way forward in most cases. You can
> also confirm whether the group resolution takes a long time with:
> sss_cache -E; id $aduser@addomain
> 



[Freeipa-users] devconf.cz talks about FreeIPA

2016-02-07 Thread Alexander Bokovoy

Hi!

Every year FreeIPA/SSSD/... developers gather together in Brno, Czech
Republic at the beginning of February to participate in DevConf.cz, a
local conference which originally started as Red Hat's event and grew
quickly into one of the biggest free software events in Eastern Europe.

This year devconf.cz was also joined by the JBoss conference and had up to 7
talks in parallel at the same time. Overall, there were 1200+ visitors
on Friday and about 2/3 of that Saturday/Sunday.

We had several talks related to FreeIPA and a practical workshop
dedicated to deployment of FreeIPA and use of its features. Most of the
sessions were streamed live and are now available on youtube.

Below are some talks; I'm trying to give links to the time when the actual
talk started, as streaming often started by schedule:

FreeIPA workshop by Torsten Scherf and German Parente
Part1: https://youtu.be/cxRK1MExMsc?t=4m57s
Part2: https://www.youtube.com/watch?v=RBzL1_3nKH4

Atomic, with and without Atomic, by Jan Pazdziora:
https://youtu.be/SBQpYUXLR9I?t=2m20s

Enterprise desktop at home with FreeIPA and GNOME, by yours truly:
https://youtu.be/L_4oiNr_mVY?t=3m5s 


Integrating IdM with Red Hat Openstack: Improving security in the Cloud,
by Ade Lee and Rob Crittenden:
https://youtu.be/utQts81V8mA?t=9m21s

Ipsilon: how to deploy federation, by Patrick Uiterwijk:
https://youtu.be/_S5uT3RoZgY?t=2m12s

New cryptography for binding data to third parties, by Nathaniel
McCallum:
https://www.youtube.com/watch?v=Ixo8iOpQsNQ?t=0m34s

I may have well missed other talks that mentioned or used FreeIPA under
the hood, so if you were at the conference or found something about the
FreeIPA in other talks recorded by https://www.youtube.com/RedHatCzech,
feel free to add to the list!

Happy watching!

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA-AD Login

2016-02-07 Thread Alexander Bokovoy

On Thu, 04 Feb 2016, Alan P wrote:

Hi,

I just configured a trust between an IPA and an Active Directory to
authenticate IPA users in Windows machines joined in AD domain. The
login is successful, but only after several minutes (nearly 25
minutes) in the first attempt; in the next attempts, the required time
goes from 5 to 10 min. So, what can I do to reduce the time to
something more acceptable? (For reference, when an AD user
authenticates it only takes 10 seconds or less).

Alan, this is not yet supported for multiple reasons. We just have
worked on this with Michael Brown at DevConf.cz over this weekend and
while we have had certain progress, it requires heavily patching several
key components, including the CyrusSASL library, 389-ds and FreeIPA. Worse
than that, we need to write Global Catalog service support in FreeIPA to
allow Windows machines to actually assign proper rights to IPA users.

This is a plan for FreeIPA 4.4-4.5 releases.

--
/ Alexander Bokovoy



Re: [Freeipa-users] devconf.cz talks about FreeIPA

2016-02-07 Thread Alexander Bokovoy

On Sun, 07 Feb 2016, Alexander Bokovoy wrote:

Hi!

Every year FreeIPA/SSSD/... developers gather together in Brno, Czech
Republic at the beginning of February to participate in DevConf.cz, a
local conference which originally started as Red Hat's event and grew
quickly into one of the biggest free software events in Eastern Europe.

This year devconf.cz was also joined by the JBoss conference and had up to 7
talks in parallel at the same time. Overall, there were 1200+ visitors
on Friday and about 2/3 of that Saturday/Sunday.

We had several talks related to FreeIPA and a practical workshop
dedicated to deployment of FreeIPA and use of its features. Most of the
sessions were streamed live and are now available on youtube.

Below are some talks; I'm trying to give links to the time when the actual
talk started, as streaming often started by schedule:

FreeIPA workshop by Torsten Scherf and German Parente
Part1: https://youtu.be/cxRK1MExMsc?t=4m57s
Part2: https://www.youtube.com/watch?v=RBzL1_3nKH4

Atomic, with and without Atomic, by Jan Pazdziora:
https://youtu.be/SBQpYUXLR9I?t=2m20s

Enterprise desktop at home with FreeIPA and GNOME, by yours truly:
https://youtu.be/L_4oiNr_mVY?t=3m5s

Integrating IdM with Red Hat Openstack: Improving security in the Cloud,
by Ade Lee and Rob Crittenden:
https://youtu.be/utQts81V8mA?t=9m21s

Ipsilon: how to deploy federation, by Patrick Uiterwijk:
https://youtu.be/_S5uT3RoZgY?t=2m12s

New cryptography for binding data to third parties, by Nathaniel
McCallum:
https://www.youtube.com/watch?v=Ixo8iOpQsNQ?t=0m34s

Forgot to mention -- if you don't see the talk when accessing it with
a link above, press the "switch camera" button in the bottom right corner --
YouTube has put the talks as 'separate camera streams' under the same
streaming view, so some of the links may be misleading. I haven't found
a way to get a direct link to a specific camera view.

--
/ Alexander Bokovoy



Re: [Freeipa-users] devconf.cz talks about FreeIPA

2016-02-07 Thread Alexander Bokovoy

On Sun, 07 Feb 2016, Alexander Bokovoy wrote:

Hi!

Every year FreeIPA/SSSD/... developers gather together in Brno, Czech
Republic at the beginning of February to participate in DevConf.cz, a
local conference which originally started as Red Hat's event and grew
quickly into one of the biggest free software events in Eastern Europe.

This year devconf.cz was also joined by the JBoss conference and had up to 7
talks in parallel at the same time. Overall, there were 1200+ visitors
on Friday and about 2/3 of that Saturday/Sunday.

We had several talks related to FreeIPA and a practical workshop
dedicated to deployment of FreeIPA and use of its features. Most of the
sessions were streamed live and are now available on youtube.

Below are some talks; I'm trying to give links to the time when the actual
talk started, as streaming often started by schedule:

FreeIPA workshop by Torsten Scherf and German Parente
Part1: https://youtu.be/cxRK1MExMsc?t=4m57s
Part2: https://www.youtube.com/watch?v=RBzL1_3nKH4

Atomic, with and without Atomic, by Jan Pazdziora:
https://youtu.be/SBQpYUXLR9I?t=2m20s

Enterprise desktop at home with FreeIPA and GNOME, by yours truly:
https://youtu.be/L_4oiNr_mVY?t=3m5s

Integrating IdM with Red Hat Openstack: Improving security in the Cloud,
by Ade Lee and Rob Crittenden:
https://youtu.be/utQts81V8mA?t=9m21s

Ipsilon: how to deploy federation, by Patrick Uiterwijk:
https://youtu.be/_S5uT3RoZgY?t=2m12s

New cryptography for binding data to third parties, by Nathaniel
McCallum:
https://www.youtube.com/watch?v=Ixo8iOpQsNQ?t=0m34s

... the last one is actually https://www.youtube.com/watch?v=p_M0YEE-esA#t=34



I may have well missed other talks that mentioned or used FreeIPA under
the hood, so if you were at the conference or found something about the
FreeIPA in other talks recorded by https://www.youtube.com/RedHatCzech,
feel free to add to the list!

Happy watching!

--
/ Alexander Bokovoy



--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA-AD Login

2016-02-07 Thread Jakub Hrozek
On Sun, Feb 07, 2016 at 02:21:28PM +, Baird, Josh wrote:
> It sounds like you are trying to log in to Windows AD clients using IPA 
> credentials?
> 
> If so, I do not believe this functionality is currently supported.

You're right, for some reason I completely missed that.

Thanks for noticing!



Re: [Freeipa-users] IPA-AD Login

2016-02-07 Thread Coy Hile

> On Feb 7, 2016, at 2:05 PM, Alexander Bokovoy  wrote:
> 
> On Thu, 04 Feb 2016, Alan P wrote:
>> Hi,
>> 
>> I just configured a trust between an IPA and an Active Directory to
>> authenticate IPA users in Windows machines joined in AD domain. The
>> login is successful, but only after several minutes (nearly 25
>> minutes) in the first attempt; in the next attempts, the required time
>> goes from 5 to 10 min. So, what can I do to reduce the time to
>> something more acceptable? (For reference, when an AD user
>> authenticates it only takes 10 seconds or less).
> Alan, this is not yet supported for multiple reasons. We just have
> worked on this with Michael Brown at DevConf.cz over this weekend and
> while we have had certain progress, it requires heavily patching several
> key components, including the CyrusSASL library, 389-ds and FreeIPA. Worse
> than that, we need to write Global Catalog service support in FreeIPA to
> allow Windows machines to actually assign proper rights to IPA users.
> 

Wouldn’t a somewhat easier solution for dealing with Windows be to create a 
one-way trust so that the AD domain trusts the IPA realm?  Then use 
AltSecurityID in Windows land to map a “shadow” user to each real principal?  
In that way AD gets relegated to a second-class citizen used only for the 
subset of (likely comparatively unimportant) tasks where one is forced to use 
Windows?

--
Coy Hile
coy.h...@coyhile.com



Re: [Freeipa-users] Using external certificate in IPA 4.1

2016-02-07 Thread Jan Cholasta

Hi,

On 4.2.2016 17:45, Martin Kosek wrote:

On 02/03/2016 06:02 PM, Ossi Ahosalmi wrote:

I'm trying to use our organization's wildcard certificate in IPA. The certificate is
signed by a trusted CA.

Running:
ipa-server-certinstall -w -d 

with the following combinations:

- separate .key, .crt and ca chain, all in PEM format
- .crt and ca bundled into one file, .key as a separate file
- everything bundled together into one .p12 pkcs12 file

I always end up with this error:

"The full certificate chain is not present in ."

My CA file contains the whole chain and works in all other programs, just not
in IPA.




CCing Jan, but I think you are hitting
https://fedorahosted.org/freeipa/ticket/5603


Actually I think it's #4786, but if that was fixed, you would hit #5603 
as well.


Honza

--
Jan Cholasta
