[Freeipa-users] Weird problem with DNS updates from dhcp clients
Hi all, I have installed freeipa server in a centos macning with about 70 client machines running linux mint. Since I am in a mixed enviroment my DHCP server is running in windows 2008 r2. The setup and joining the ipa domain went off without a hitch. However I now find that when the IP addresses of my client change they do not update the ipa dns server. And the weird thing is if i log in to the client machine and manually put the network on and off using the NetworkManager applet it updates the ipa dns server with the new ip. That is the only way the update happens. I would appreciate any help in this .. I have been struggling to up my network for a while and its driving me insane with regards, *---Sameer ---* -- This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Saint Mary's College, Shillong, Meghalaya, India-793003, smcs.ac.in -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] U2F and ipa for ssh
On Thu, Apr 20, 2017 at 08:04:34AM -0400, Marc Boorshtein wrote: > Has anyone looked into using U2F with freeipa? My guess is you would need > a customized ssh client to interact with the device but in theory you could > just transform the users U2F public key into an ssh key. > > Marc Boorshtein > CTO, Tremolo Security, Inc. Hi Marc, We have had preliminary discussion about U2F. As you suggest, U2F requires client support. U2F does not provide a general signing operation (it only signs a specific kind of message[1]) so some server support is probably required as well. [1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success That said, a lot of U2F devices have additional / alternative modes with PKCS #11 interfaces, e.g. PIV, allowing them to be used as generic crypto tokens. Thanks, Fraser -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote: > I can confirm that I see this behaviour too. My ipa server install is a > pretty stock install with no 3rd party certificates. > > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams < > simon.willi...@thehelpfulcat.com> wrote: > > > Yesterday, Chrome on both my Ubuntu and Windows machines updated to > > version 58.0.3029.81. It appears that this version of Chrome will not > > trust certificates based on Common Name. Looking at the Chrome > > documentation and borne out by one of the messages, from Chrome 58, > > the subjectAltName is required to identify the DNS name of the host that > > the certificate is issued for. I would be grateful if someone could point > > me in the direction of how to recreate my SSL certificates so that > > the subjectAltName is populated. > > > > Thanks in advance > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > Which version of IPA are you using? The first thing you should do, which I think should be sufficient in most cases, is to tell certmonger to submit a new cert request for each affected certificate, instructing to include the relevant DNSName in the subjectAltName extension in the CSR. To list certmonger tracking requests and look for the HTTPS certificate. For example: $ getcert list Number of certificate and requests being tracked: 11 ... Request ID '20170418012901': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317 subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317 expires: 2019-03-22 03:20:19 UTC dns: f25-2.ipa.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes ... Using the Request ID of the HTTPS certificate, resubmit the request but use the ``-D `` option to specify a DNSName to include in the SAN extension: $ getcert resubmit -i -D ``-D `` can be specified multiple times, if necessary. This should request a new certificate that will have the server DNS name in the SAN extension. HTH, Fraser -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
I can confirm that I see this behaviour too. My ipa server install is a pretty stock install with no 3rd party certificates. On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams < simon.willi...@thehelpfulcat.com> wrote: > Yesterday, Chrome on both my Ubuntu and Windows machines updated to > version 58.0.3029.81. It appears that this version of Chrome will not > trust certificates based on Common Name. Looking at the Chrome > documentation and borne out by one of the messages, from Chrome 58, > the subjectAltName is required to identify the DNS name of the host that > the certificate is issued for. I would be grateful if someone could point > me in the direction of how to recreate my SSL certificates so that > the subjectAltName is populated. > > Thanks in advance > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
Yesterday, Chrome on both my Ubuntu and Windows machines updated to version 58.0.3029.81. It appears that this version of Chrome will not trust certificates based on Common Name. Looking at the Chrome documentation and borne out by one of the messages, from Chrome 58, the subjectAltName is required to identify the DNS name of the host that the certificate is issued for. I would be grateful if someone could point me in the direction of how to recreate my SSL certificates so that the subjectAltName is populated. Thanks in advance -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Andrew Krause wrote: > Sorry for the self bump but no one has any insight on this? > > >> On Apr 17, 2017, at 11:31 AM, Andrew Krause >>wrote: >> >> Many hosts in our web ui show a null status for “enrolled”. When you do a >> search that includes any of these host objects the web UI posts errors, and >> if you click on one of the problem hosts the same error stops anything from >> loading on the host page. >> >> I’ve been trying to solve this problem on my own for quite some time and >> have not been successful. It’s impossible to remove the host through the >> web UI and using CLI commands seem to remove the entry from IPA (host is not >> found with ipa host-find), but it is still visible in the UI. One thing >> that may be common with all of these hosts is that they were enrolled with >> our IPA system back while we were running version 3.0 and likely have had >> issues for quite some time. Multiple updates have happened since then, and >> all of our hosts added within the last year are working fine. I suspect >> there’s an issue with a path somewhere for a certificate database, but I’m >> unable to pinpoint what is going wrong. It should not be possible to have different views in the UI and the CLI since they make the same backend calls. What you'd want to do, hopefully on a semi-quiet system, is to do a host-find on the CLI and then list all hosts in the UI and compare the logs in /var/log/httpd/error_log and look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is a buffered log so be patient). They should be doing more or less the exact same set of queries. Very doubtful that this has anything to do with certs. Anything on the client would be completely separate from what is on the server. One thing you may be seeing though is that in 3.0 clients a host certificate was obtained for it. This was dropped with 4.0, but it wouldn't affect any visibility on the server. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Sorry for the self bump but no one has any insight on this? > On Apr 17, 2017, at 11:31 AM, Andrew Krause >wrote: > > Many hosts in our web ui show a null status for “enrolled”. When you do a > search that includes any of these host objects the web UI posts errors, and > if you click on one of the problem hosts the same error stops anything from > loading on the host page. > > I’ve been trying to solve this problem on my own for quite some time and have > not been successful. It’s impossible to remove the host through the web UI > and using CLI commands seem to remove the entry from IPA (host is not found > with ipa host-find), but it is still visible in the UI. One thing that may > be common with all of these hosts is that they were enrolled with our IPA > system back while we were running version 3.0 and likely have had issues for > quite some time. Multiple updates have happened since then, and all of our > hosts added within the last year are working fine. I suspect there’s an > issue with a path somewhere for a certificate database, but I’m unable to > pinpoint what is going wrong. > > > I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so > I can try things without worry... > > 1. Realized we had many certificates that were expired and not renewing with > “getcert list” on primary IPA server > 2. Tried every document I could find on renewing the certificates but was > never completely successful (on version 4.1 which is our current in > production) > 3. Upgraded to 4.4 and was actually able to renew all certificates listed on > the main IPA server showing current below > 4. After having success with #3 I was able to start the CA service without > error and everything on the server seems to be working as expected > 5. Have attempted many variations of removing a problem host and adding it > back, but the errors in the web UI persist. > > Output from "getcert list": > > Number of certificates and requests being tracked: 8. > Request ID '20160901214852': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOMAIN.COM > subject: CN=CA Audit,O=DOMAIN.COM > expires: 2018-08-22 22:13:44 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160901214853': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOMAIN.COM > subject: CN=OCSP Subsystem,O=DOMAIN.COM > expires: 2018-08-22 21:49:26 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160901214854': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOMAIN.COM > subject: CN=CA Subsystem,O=DOMAIN.COM > expires: 2018-08-22 21:49:18 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160901214855': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate
Re: [Freeipa-users] cannot add posix group or user
On 04/20/2017 03:05 PM, Cox, Jason wrote: -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Wednesday, April 19, 2017 4:27 PM To: Cox, Jason (U.S. Person); freeipa- us...@redhat.com Subject: Re: [Freeipa-users] cannot add posix group or user Cox, Jason wrote: Hi all, I had to reinstall my IPA setup, so I’m using 4.4 and am learning the newer domain levels and topology features. I’ve installed 3 servers. I promoted one of the replicas to master and demoted the original master to replica according to the documentation. According to what documentation? Note that they are all masters, some may just run different services and only one has a few duties (like CRL generation). Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master And here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca Yes, I was referring to CRL master And yes, I failed to continue reading https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/ to find what I needed to know concerning the id ranges. Sorry about that. I ran into an issue with the original master no longer replicating, so I performed an ipa-server-install –uninstall and removed the host/server from IPA. This is the where the problem started. I re-setup the replica using ipa-client-install and then ipa-replica-install, and had no errors reported in the output. I then went into Web UI and setup replication agreements using the topology graph page between the new replica and the previous replica (the master/new replica agreements being setup by the replica install script). I then attempted to add a posix group account and got an operational error message. This caused ldap to crash on the server I was interfacing with. If you are getting a core it would be very enlightening to get a stack trace from that (you'll need to install the debuginfo package to get any really useful data out of it). I haven't had to get a core file from a systemd service before, so I did it the wrong way, but this is what I managed to get: >From journalctl: *** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x7fbcd82f5fb0 *** Apr 19 17:13:56 server1 ns-slapd[1892]: === Backtrace: = Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libc.so.6(+0x7c503)[0x7fbd4522c503] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11] Apr 19 17:13:56 server1 ns-slapd[1892]: /usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0] Apr 19 17:13:56 server1 ns-slapd[1892]: /usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d] >From an eventual core and gdb (and not from the same crash as the journalctl output): (gdb) bt #0 __GI___libc_free (mem=0x41) at malloc.c:2929 #1 0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at memory.c:180 #2 0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at free.c:94 #3 0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at ldap/servers/slapd/modify.c:390 #4 0x7f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627 #5 connection_threadmain () at ldap/servers/slapd/connection.c:1759 #6 0x7f87f62299bb in _pt_root () from /lib64/libnspr4.so #7 0x7f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at pthread_create.c:308 #8 0x7f87f58f873d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 Hi, This is looking like the heap corruption and this backstack is unfortunately not enough to identify if it is a known/fixed one or not. This part of code (do_modify) was not recently changed regarding heap corruption and I would rather expect this thread to be the victim than responsible of it. What 389-ds version are you running ? We fixed recently a bug that could be the root cause (of course not 100% sure). Did you update 389-ds to the most recent one ? Do you manage to reproduce this crash ? For heap corruption, you may use valgrind but it could be too impacting for production performance. regards thierry (gdb) bt full #0 __GI___libc_free (mem=0x41) at malloc.c:2929 ar_ptr = p = hook = 0x0 #1 0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at memory.c:180 i = #2 0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at free.c:94 i = #3 0x7f87f804a6a0 in do_modify
Re: [Freeipa-users] cannot add posix group or user
Cox, Jason wrote: > >> Thank you. > Setting the id ranges manually fixed my problem. Great, glad you're up and running again. I forwarded the stack trace to the 389-ds developers, thanks for that. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] cannot add posix group or user
> -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Wednesday, April 19, 2017 4:27 PM > To: Cox, Jason (U.S. Person); freeipa- > us...@redhat.com > Subject: Re: [Freeipa-users] cannot add posix group or user > > Cox, Jason wrote: > > Hi all, > > > > > > > > I had to reinstall my IPA setup, so I’m using 4.4 and am learning the > > newer domain levels and topology features. > > > > I’ve installed 3 servers. > > > > I promoted one of the replicas to master and demoted the original > > master to replica according to the documentation. > > According to what documentation? > > Note that they are all masters, some may just run different services and only > one has a few duties (like CRL generation). > Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master And here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca Yes, I was referring to CRL master And yes, I failed to continue reading https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/ to find what I needed to know concerning the id ranges. Sorry about that. > > I ran into an issue with the original master no longer replicating, so > > I performed an ipa-server-install –uninstall and removed the > > host/server from IPA. > > This is the where the problem started. > > > > > I re-setup the replica using ipa-client-install and then > > ipa-replica-install, and had no errors reported in the output. > > > > I then went into Web UI and setup replication agreements using the > > topology graph page between the new replica and the previous replica > > (the master/new replica agreements being setup by the replica install > > script). > > > > > > > > I then attempted to add a posix group account and got an operational > > error message. This caused ldap to crash on the server I was > > interfacing with. > > If you are getting a core it would be very enlightening to get a stack trace > from that (you'll need to install the debuginfo package to get any really > useful data out of it). > I haven't had to get a core file from a systemd service before, so I did it the wrong way, but this is what I managed to get: >From journalctl: *** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x7fbcd82f5fb0 *** Apr 19 17:13:56 server1 ns-slapd[1892]: === Backtrace: = Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libc.so.6(+0x7c503)[0x7fbd4522c503] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11] Apr 19 17:13:56 server1 ns-slapd[1892]: /usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0] Apr 19 17:13:56 server1 ns-slapd[1892]: /usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5] Apr 19 17:13:56 server1 ns-slapd[1892]: /lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d] >From an eventual core and gdb (and not from the same crash as the journalctl >output): (gdb) bt #0 __GI___libc_free (mem=0x41) at malloc.c:2929 #1 0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at memory.c:180 #2 0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at free.c:94 #3 0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at ldap/servers/slapd/modify.c:390 #4 0x7f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627 #5 connection_threadmain () at ldap/servers/slapd/connection.c:1759 #6 0x7f87f62299bb in _pt_root () from /lib64/libnspr4.so #7 0x7f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at pthread_create.c:308 #8 0x7f87f58f873d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 (gdb) bt full #0 __GI___libc_free (mem=0x41) at malloc.c:2929 ar_ptr = p = hook = 0x0 #1 0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at memory.c:180 i = #2 0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at free.c:94 i = #3 0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at ldap/servers/slapd/modify.c:390 operation = 0x7f87f931bf80 smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, free_mods = 0} ber = tag = len = 18446744073709551615 normalized_mods = 0x7f876c001fb0 mod = 0x0 mods = 0x7f876c00c200 last = 0x7f876c000e23 "" type = 0x0 old_pw = 0x0 rawdn = 0x7f876c000920 "cn=svcaccount,cn=groups,cn=accounts,dc=MYDOMAIN" minssf_exclude_rootdse =
[Freeipa-users] U2F and ipa for ssh
Has anyone looked into using U2F with freeipa? My guess is you would need a customized ssh client to interact with the device but in theory you could just transform the users U2F public key into an ssh key. Marc Boorshtein CTO, Tremolo Security, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] oddjob_mkhomedir troubles
On 2017-04-19 13:06, Ronald Wimmer wrote: [...] as the default directory (by setting override_homedir in sssd.conf) oddjob_mkhomedir creates the user directory but I still get a permission denied when logging in for the first time. (cd /home/user works) The only thing I see in the logs is: Apr 20 13:10:02 testclient systemd: Starting Session 1260 of user myu...@mydomain.at. Apr 20 13:10:02 testclient oddjob-mkhomedir[15879]: error setting permissions on /home/mydomain.at/myuser: Operation not permitted Apr 20 13:10:02 testclient dbus[770]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Apr 20 13:10:02 testclient dbus[770]: [system] Successfully activated service 'org.freedesktop.problems' Apr 20 13:10:02 testclient dbus-daemon: dbus[770]: [system] Successfully activated service 'org.freedesktop.problems' This is where PAM put the module: /etc/pam.d/fingerprint-auth:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/fingerprint-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/password-auth:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/password-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/smartcard-auth:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/smartcard-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/system-auth:session optional pam_oddjob_mkhomedir.so umask=0077 /etc/pam.d/system-auth-ac:session optional pam_oddjob_mkhomedir.so umask=0077 Maybe it is not placed in the right line in /etc/pam.d/system-auth: session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so Is there a PAM expert around who can tell? Regards, Ronald -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
On 19.04.2017 17:14, David Goudet wrote: On 04/19/2017 12:31 PM, Martin Bašti wrote: On 17.04.2017 19:42, David Goudet wrote: Hi, Nobody has response about my questions? The main question is: Is it possible to configure SSSD to update DNS (option dyndns_update) with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)? Thank you for your help. Best regards, On 03/27/2017 09:40 PM, Jakub Hrozek wrote: On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote: Hi, Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA. Everything is fine on machines which have only one IP adress on network interface. I have problem with machines which have more that one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address. To reproduce the problem: Host have -IP1- and i add -IP2- ip addr add -IP2-/26 dev em1 ip addr list: em1:mtu 1496 qdisc mq state UP qlen 1000 link/ether inet -IP1-/26 brd scope global em1 inet -IP2-/26 scope global secondary em1 valid_lft forever preferred_lft forever DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2- In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it means? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)? dyndns_update (boolean) Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option. Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine? IIRC we added this to support multiple interfaces (user can choose which one to use) and to update both IPv6 () and IPv4 (A) records. IPA/SSSD cannot reliably determine which IP address to use, it is all or none from interface. With the previous behavior users want to use different/more addresses than the one which has been detected from LDAP connection and it was not possible previously. Do you have set dyndns_iface in sssd.conf? Martin Looks like this was a deliberate change: https://pagure.io/SSSD/sssd/issue/2558 but to be honest, I forgot why exactly we did this. Martin, do you know? Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)? Only if the IP addresses are of different families (v4/v6), then it's possible to restrict one of the families. I asked question here https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html Hi, Thank you for your response. In sssd.conf parameter dyndns_iface is not defined, we are in case: Default: Use the IP addresses of the interface which is used for IPA LDAP connection This point (dyndns_iface) is ok, every IPs of this interface and only this interface is updated on IPA host DNS entry. I use only IPv4, so it is not possible to filter on only one IP ("primary") it is "none" or "all" on one interface. In my case i see two solutions: - Split IP "primary" on one interface (bond0 for exemple) and other virtual IPs on one other interface (bond0.1 or bond1 for exemple) - Disable dyndns_update functionality on this machine You confirm, i have no other solutions? Well, then you have only choices you wrote. Sorry. -- Martin Bašti Software Engineer Red Hat Czech -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project