Re: [Freeipa-users] PKI signing certificate question
I personally haven't done this, but from https://www.freeipa.org/page/PKI:

  "when --external-ca option is used, ipa-server-install produces a certificate request for its CA certificate so that it can be properly chained in existing PKI infrastructure."

and from https://www.redhat.com/archives/freeipa-users/2014-January/msg00057.html:

  "First run ipa-server-install with --external-ca, which will create a CSR for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the external CA to get the IPA CA certificate. Finally, run ipa-server-install with --external_cert_file pointing to the IPA CA certificate and --external_ca_file pointing to CA certificate of the external CA."

From that previous paragraph, it looks like the --external-ca option doesn't actually install anything, just creates the correct CSR for the domain you intend to create.

If you can create a temporary CentOS virtual machine you could run the "ipa-server-install --external-ca" command and see what happens :)

Hope this helps,

Anthony Clark

On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <william.murii...@gmail.com> wrote:
> Hello
>
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
>
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com. I can't specifically set the FreeIPA on
> example.com because we have active directory on corp.example.com
>
> Is there a way for using FreeIPA with such a setup? I am hoping that
> if I can setup FreeIPA using example.com, I can be able to generate
> certificates for both Windows and Linux plus other like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
>
> What's the best way to approach this? If not possible, would setting
> FreeIPA as a sub domain for active directory help?
>
> Regards,
>
> William

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
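A check worth running between the two ipa-server-install passes described above, as an added example that is not from this thread or from the FreeIPA project: it confirms that the certificate the external CA returned actually chains to the CA file you will hand to --external_ca_file, and that it was issued as a CA certificate rather than an ordinary server certificate. File names are assumptions.

```sh
#!/bin/sh
# Added example: sanity-check the externally signed IPA CA certificate
# before passing it to ipa-server-install --external_cert_file / --external_ca_file.
# Arguments: <ipa-ca-cert.pem> <external-ca-chain.pem>  (file names are assumed).
# Returns 0 when both checks pass, 1 if the chain does not verify,
# 2 if the signed certificate is not a CA certificate.
verify_ipa_ca_chain() {
    ipa_ca=$1
    ext_ca=$2

    # 1. The signed certificate must chain to the external CA. The file given
    #    to --external_ca_file may hold the whole chain, root included.
    if ! openssl verify -CAfile "$ext_ca" "$ipa_ca" >/dev/null 2>&1; then
        echo "FAIL: $ipa_ca does not verify against $ext_ca" >&2
        return 1
    fi

    # 2. The external CA must have signed it as a CA certificate
    #    (basicConstraints CA:TRUE); an end-entity certificate cannot
    #    act as the IPA CA and the install will refuse it.
    if ! openssl x509 -in "$ipa_ca" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $ipa_ca was not issued as a CA certificate" >&2
        return 2
    fi

    echo "OK: $ipa_ca chains to $ext_ca and is a CA certificate"
    return 0
}

# Stand-alone usage (assumed paths):
#   sh verify_ipa_ca_chain.sh /root/ipa-ca.pem /root/external-ca.pem
if [ "$#" -eq 2 ]; then
    verify_ipa_ca_chain "$1" "$2"
fi
```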
Re: [Freeipa-users] vaults and service accounts
I wondered about that, but the docs specifically say public key, and the command line option to "ipa vault-add" is "--public-key".

From "ipa vault-add --help":

  --public-key=BYTES        Vault public key
  --public-key-file=STR     File containing the vault public key

So I hope you can understand my confusion ;)

Can anyone else speak to whether the newer versions of the vault code are any different?

Thank you, Martin!

On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti wrote:
>
> On 24.07.2016 16:33, Anthony Clark wrote:
> > Hello All,
> >
> > I have a crazy notion of storing a host's SSH private keys in an ipa vault,
> > so that a rebuilt host can use the same keys.
> >
> > I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos
> > base repository, so I'm constrained to version 1.0 vaults. I'm using this
> > page:
> > http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
> >
> > I'm trying these following steps but running into trouble:
> >
> > ipa service-add ssh/test01.dev.redacted.net
> >
> > certutil -N -d testcertdb
> >
> > certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
> >
> > ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted@dev.redacted.net
> >
> > ipa vault-add testsshd02 --service ssh/test01.dev.redacted@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem
> >
> > the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey':
> > Invalid or unsupported vault public key: Could not unserialize key data."
> >
> > Is there a preferred way to create a public key for asymmetric encryption
> > for a service vault?
> >
> > Thanks,
> >
> > Anthony Clark
>
> Hello,
> I suspect you should use just private key, not certificate
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
[Freeipa-users] vaults and service accounts
Hello All,

I have a crazy notion of storing a host's SSH private keys in an ipa vault, so that a rebuilt host can use the same keys.

I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos base repository, so I'm constrained to version 1.0 vaults. I'm using this page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance

I'm trying these following steps but running into trouble:

ipa service-add ssh/test01.dev.redacted.net

certutil -N -d testcertdb

certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'

ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted@dev.redacted.net

ipa vault-add testsshd02 --service ssh/test01.dev.redacted@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem

the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data."

Is there a preferred way to create a public key for asymmetric encryption for a service vault?

Thanks,

Anthony Clark
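What the "Could not unserialize key data" error in this thread and the reply above it come down to: --public-key-file expects a PEM public key (a SubjectPublicKeyInfo block starting with "BEGIN PUBLIC KEY"), not the X.509 certificate that ipa-getcert wrote. This added example, not code from the list or the FreeIPA project, extracts that public key from the issued certificate (or makes a dedicated keypair, as Martin suggested) and checks that the result is something the vault will accept; file names are assumptions.

```sh
#!/bin/sh
# Added example (not FreeIPA project code): prepare a public key for
# "ipa vault-add --type asymmetric --public-key-file".

# Returns 0 if the file holds a PEM public key that OpenSSL can parse,
# 1 otherwise (a certificate or a private key both fail here).
is_vault_public_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN PUBLIC KEY-----$' || return 1
    openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1
}

# Option A: reuse the certificate that ipa-getcert issued. The public key
# inside it is what the vault encrypts to; the matching private key
# (testsshd01-key.pem in the thread) is what vault-retrieve needs.
pubkey_from_cert() {   # <cert.pem> <out-pubkey.pem>
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Option B: a dedicated keypair for the vault, independent of any
# certificate. Keep the private key out of reach: whoever holds it can
# decrypt everything archived in that vault.
new_vault_keypair() {  # <priv.pem> <pub.pem>
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null)
    openssl pkey -in "$1" -pubout -out "$2"
}

# Stand-alone usage (assumed names), then hand the result to the vault:
#   sh vault-pubkey.sh testsshd01-cert.pem testsshd01-pub.pem
#   ipa vault-add testsshd02 --service ssh/<host>@<REALM> \
#       --type asymmetric --public-key-file testsshd01-pub.pem
if [ "$#" -eq 2 ]; then
    pubkey_from_cert "$1" "$2" && is_vault_public_key "$2" \
        && echo "OK: $2 is a vault public key"
fi
```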
Re: [Freeipa-users] steps to debug SOA serial being out of sync?
Thanks for the answer, I just wanted to confirm:

Various "DNS health checks" complain about SOA serials not being the same. Are those safe to ignore?

I have 2 FreeIPA servers for basic redundancy. Should I not be pointing my hosts at both FreeIPA hosts for DNS?

Thanks,

Anthony

On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek wrote:
> On 8.7.2016 19:13, Anthony Clark wrote:
> > Hello All,
> >
> > I have two FreeIPA servers set up as follows:
> >
> > ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
> > --ssh-trust-dns --forwarder=1.2.3.4
> >
> > ns02: ipa-replica-install
> > /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
> > --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
> >
> > Now, after being in use for a few months, my SOA serial numbers are
> > different as reported by the two servers:
> >
> > ns01 reports 1467996578
> > ns02 reports 1467996455
> >
> > [root@ns02 ~]# ipa dnszone-show dev.redacted.net
> > ...
> > SOA serial: 1467996455
> > ...
> >
> > Same result on ns01, 1467996455
> >
> > ipa-replica-conncheck is fine.
> >
> > After an "ipactl restart" on ns02 (thinking that I needed to refresh the
> > ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
> > that of ns01:
> >
> > ns01: 1467996578
> > ns02: 1467997519
> >
> > Another "ipactl restart" on ns02 results in:
> >
> > ns01: 1467996578
> > ns02: 1467997595
> >
> > running "ipactl restart" on ns01 results in:
> >
> > ns01: 1467997873
> > ns02: 1467997595
> >
> > ns02 doesn't seem to be getting its serial number from ns01 at all.
> >
> > Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on
> > the replica?
> >
> > Does anyone have any suggestions on how to debug this further?
>
> Hello,
>
> this is in fact expected. IPA has multi-master DNS so serials are not
> synced.
>
> This is documented in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers
>
> I hope it helps.
>
> --
> Petr^2 Spacek
[Freeipa-users] steps to debug SOA serial being out of sync?
Hello All,

I have two FreeIPA servers set up as follows:

ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns --ssh-trust-dns --forwarder=1.2.3.4

ns02: ipa-replica-install /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir --ssh-trust-dns --setup-dns --forwarder=1.2.3.4

Now, after being in use for a few months, my SOA serial numbers are different as reported by the two servers:

ns01 reports 1467996578
ns02 reports 1467996455

[root@ns02 ~]# ipa dnszone-show dev.redacted.net
...
SOA serial: 1467996455
...

Same result on ns01, 1467996455

ipa-replica-conncheck is fine.

After an "ipactl restart" on ns02 (thinking that I needed to refresh the ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond* that of ns01:

ns01: 1467996578
ns02: 1467997519

Another "ipactl restart" on ns02 results in:

ns01: 1467996578
ns02: 1467997595

running "ipactl restart" on ns01 results in:

ns01: 1467997873
ns02: 1467997595

ns02 doesn't seem to be getting its serial number from ns01 at all.

Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on the replica?

Does anyone have any suggestions on how to debug this further?

Thanks,

Anthony Clark
Re: [Freeipa-users] What causes the web ui to display a second login dialog ?
Chrome in Windows is trying to be helpful and present your Windows-based Kerberos credentials to FreeIPA.

To "fix" this, you either disable Kerberos in Chrome (not sure how to do that) or change your FreeIPA httpd config a bit:

# /etc/httpd/conf.d/ipa.conf line 64 or thereabouts, the section:
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiUseS4U2Proxy on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html

Hope this helps, if there's a better way, someone please let me know :)

-Anthony

On Thu, Jun 23, 2016 at 2:11 PM, Prasun Gera wrote:
> Image attached. I don't use Windows much, but I noticed this on a windows
> machine with Chrome. Before the actual login page is displayed, this login
> dialog is displayed. Further, the credentials don't work in this dialog.
>
> Env: RHEL 7.2, idm 4.x
Re: [Freeipa-users] sessions failing when using different hostname
I think I introduced a red herring by accident, I'm deeply embarrassed to say.

Our new FreeIPA instance lives in ns01.dev.example.net. The alternative hostname is password.example.net. I think that the different domain there was causing some of the problems. I removed mention of the different domain by accident as part of a search and replace to remove the company name.

However, by following Jan's directions I've been able to get this to work using an Apache proxy that rewrites the cookie and referer hostnames.

On Wed, Jun 8, 2016 at 3:29 AM, Martin Kosek wrote:
> On 06/01/2016 07:48 PM, Anthony Clark wrote:
> > Hello All,
> >
> > I've been asked to allow access to our FreeIPA web UI from a more user friendly
> > url than I'm currently using. So I've set up a CNAME password.example.com
> > for ns01.example.com
> >
> > At the moment, if I go to the real hostname of the FreeIPA server
> > (ns01.example.com), everything works.
> >
> > If I go to the new "friendly" url (password.example.com) then upon login I get
> > a "your session has expired please re-login" message.
> >
> > Setting debug to true in /etc/ipa/server.conf shows me that the server keeps
> > using new session IDs. (Host and user names changed to protect the innocent)
> >
> > - /var/log/httpd/error_log -
> > [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> > [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> > [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> > [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> > [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> > [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example@example.com keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example@example.com using keytab /etc/httpd/conf/ipa.keytab
> > [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> > [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal acl...@example.com using password
> > [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> > [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'acl...@example.com' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> > [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> > [Wed Jun
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to do this:

  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiUseS4U2Proxy on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa

Apologies for the post spam.

On Tue, Jun 7, 2016 at 9:50 AM, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
>   # Protect /ipa and everything below it in webspace with Apache Kerberos auth
>   # AuthType GSSAPI
>   # AuthName "Kerberos Login"
>   # GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>   # GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>   # GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>   # GssapiUseS4U2Proxy on
>   # Require valid-user
>   # ErrorDocument 401 /ipa/errors/unauthorized.html
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>
> Once that change was made, the following proxy worked:
>
>   Listen 9443
>
>   ErrorLog /etc/httpd/logs/password-error_log
>   TransferLog /etc/httpd/logs/password-access_log
>   LogLevel debug
>
>   NSSEngine on
>
>   NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
>   NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>   NSSNickname Server-Cert
>
>   NSSCertificateDatabase /etc/httpd/alias
>
>   NSSProxyEngine on
>   NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
>   ProxyPass / https://ns01.dev.example.net/
>   ProxyPassReverse / https://ns01.dev.example.net/
>   ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
>   RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/
>
> I hope this helps someone down the line.
>
> -Anthony Clark
>
> On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner wrote:
>> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
>> Best,
>> Karl
>>
>> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
>> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>> >>
>> >> Hope this helps. I will likely do another writeup about this setup.
>> >
>> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>> >
>> > --
>> > Jan Pazdziora
>> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
One thing I noticed was that once I had set up the proxy as per the document from Jan, I was getting access denied to /ipa until I disabled the Kerberos authentication stuff:

  # Protect /ipa and everything below it in webspace with Apache Kerberos auth
  # AuthType GSSAPI
  # AuthName "Kerberos Login"
  # GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  # GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  # GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  # GssapiUseS4U2Proxy on
  # Require valid-user
  # ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa

Once that change was made, the following proxy worked:

  Listen 9443

  ErrorLog /etc/httpd/logs/password-error_log
  TransferLog /etc/httpd/logs/password-access_log
  LogLevel debug

  NSSEngine on

  NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

  NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

  NSSNickname Server-Cert

  NSSCertificateDatabase /etc/httpd/alias

  NSSProxyEngine on
  NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

  ProxyPass / https://ns01.dev.example.net/
  ProxyPassReverse / https://ns01.dev.example.net/
  ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
  RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/

I hope this helps someone down the line.

-Anthony Clark

On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner wrote:
> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
> Best,
> Karl
>
> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
> >>
> >> Hope this helps. I will likely do another writeup about this setup.
> >
> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> >
> > --
> > Jan Pazdziora
> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] sessions failing when using different hostname
run/ipa_memcached/krbcc_31492"
[Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/example@example.com, authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
[Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
[Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
[Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
[Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
[Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
[Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
[Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
- /var/log/httpd/error_log -

I'm somewhat at a loss to debug this further. I was wondering if the session storage is somehow bound to the original host name. Is there a way to check and/or configure this?

Alternatively is there a guide out there for enabling additional host names for the web UI in FreeIPA?

Thanks,

Anthony Clark
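The log above shows a fresh session id on every request because the browser never sends the session cookie back, and the proxy configuration in the "apache reverse https proxy" thread fixes that with ProxyPassReverseCookieDomain. This added example, not code from the list or from FreeIPA, is a check that the rewrite actually happened: it pulls the ipa_session Set-Cookie line out of a captured response and verifies that its Domain attribute names the hostname users type (password.example.net). The sample headers are constructed.

```sh
#!/bin/sh
# Added example (not FreeIPA project code): verify that the session cookie
# reaching the browser is scoped to the public hostname, not the backend.

# check_cookie_domain '<Set-Cookie value>' <public-hostname>
# Returns 0 when the Domain attribute equals the public hostname, or is
# absent (the browser then scopes the cookie to the host it talked to);
# returns 1 when it still names another host, e.g. the real FreeIPA server,
# in which case the browser drops it and every request starts a new session.
check_cookie_domain() {
    header=$1
    public_host=$2
    # Split attributes on ';', pick the Domain= one (case-insensitive),
    # strip surrounding whitespace and a leading dot.
    domain=$(printf '%s' "$header" \
        | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*[Dd][Oo][Mm][Aa][Ii][Nn]=[[:space:]]*\.\{0,1\}//p' \
        | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -z "$domain" ] || [ "$domain" = "$public_host" ]; then
        return 0
    fi
    echo "cookie Domain=$domain will not be sent back to $public_host" >&2
    return 1
}

# session_cookie_from_headers: reads a raw response header dump on stdin
# (e.g. what "curl -D -" prints) and emits the ipa_session Set-Cookie value.
session_cookie_from_headers() {
    sed -n 's/^[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*\(ipa_session=.*\)$/\1/p' \
        | head -n 1 | tr -d '\r'
}

# Stand-alone usage: save the response headers of a login made through the
# proxy (curl -D headers.txt ...) and run
#   sh check_cookie.sh headers.txt password.example.net
if [ "$#" -eq 2 ]; then
    cookie=$(session_cookie_from_headers < "$1")
    [ -n "$cookie" ] || { echo "no ipa_session cookie in $1" >&2; exit 1; }
    check_cookie_domain "$cookie" "$2" && echo "OK: session cookie is scoped to $2"
fi
```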
[Freeipa-users] Best practice for requesting a certificate in Kickstart?
Hello All,

TL;DR: what's the best way to grab an SSL cert and key during kickstart?

(this is all using CentOS 7.2 latest)

I'm using Foreman to manage my kickstart and Puppet services, and its built-in FreeIPA client enrollment works just fine. However I'd like to also request a certificate and key for a Puppet client to use to authenticate to the Foreman-controlled Puppet server.

If I manually set up a puppet client then it works just fine. I use something like this:

# ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem
# cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem

(then setting the correct paths and settings in /etc/puppet/puppet.conf)

I tried to make that work inside the Kickstart process, but as those commands are running inside a kickstart chroot the certmonger service won't start.

Is there a better method to grab an SSL cert and key for the host during kickstart? Or should I just wait until firstboot and perform the steps at that point?

Many Thanks and FreeIPA is really amazing!

Anthony Clark
[Freeipa-users] change CA subject or "friendly name"?
Hello All,

I'm in the process of deploying FreeIPA 4 in a development environment. One of my testers has imported the ca.pem file into Windows, and indicates that it displays as:

Issued to: Certificate Authority
Issued by: Certificate Authority
Friendly Name:

This will unfortunately cause confusion among certain end users, so I was wondering if there's a way to change those attributes? Ideally without reinstalling everything, but thankfully we're still early in the process so it's OK if I do blow everything away.

Do I need to generate a new CA outside of FreeIPA and then use ipa-cacert-manage to "renew" the base CA?

Thanks,

Anthony Clark