[Freeipa-users] Confused: LDAP authentication of AD users

2017-05-16 Thread Dan Dietterich
With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I 
am trying to use FreeIPA LDAP for user authentication.
Is that supposed to work?



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Timing behavior on access to AD groups

2017-05-12 Thread Dan Dietterich
I have noticed this behavior when setting up an external AD group:

1. create trust
2. create external group
3. add Group@Domain to external group - FAILS: "trusted domain object not found"
4. retry: add Group@Domain to external group - SUCCESS

Two questions:

1. Is this expected behavior?
2. Is there something I can do - short of sleep-retry - to make this reliably succeed?

Thank you!

Dan


Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

2017-04-24 Thread Dan Dietterich
I still think there is something wrong here.

You say that the DNSSEC reply is "just warning", but when I get that warning, a 
subsequent trust-add fails every time. When I don't get the warning, the 
trust-add works.
Therefore, the warning cannot just be ignored. Why is that?

I have tried the following:

- Signing the target Active Directory zone – it does not make a difference.
- FreeIPA /etc/named.conf – "validation no" makes the warning go away ONLY when I use the CLI on a root login.
- Running the ipa CLI from a salt state or a subprocess of my Java webapp ALWAYS gets the warning regardless.

If there really should be a warning, then why don't I see it from the CLI?

And can you help me understand what would be significantly different between an 
interactive login and a "su -l root" in salt?

Thank you for any insight,
Dan

From: Dan Dietterich <d...@cazena.com>
Date: Wednesday, April 19, 2017 at 9:24 AM
To: Martin Bašti <mba...@redhat.com>, "freeipa-users@redhat.com" 
<freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

From: Martin Bašti <mba...@redhat.com>
Date: Wednesday, April 19, 2017 at 9:23 AM
To: Dan Dietterich <d...@cazena.com>, "freeipa-users@redhat.com" 
<freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled


IPA servers always check if DNSSEC is working on forwarders, but it is just a 
warning. If you have disabled DNSSEC in named.conf then it is okay.

I'm not sure why sometimes you see this warning and sometimes don't, maybe 
inconsistent replies from forwarder.

Domain ".internal" should always fail because it is an unregistered TLD.

Martin

On 19.04.2017 15:11, Dan Dietterich wrote:
My configuration is a single ipa server and both the code path and the bash 
prompt path are running on the node that is also running the ipa server. I 
thought that since FreeIPA was installed with --no-dnssec-validation that I 
should never see this warning. And I confirmed that both dnssec-enabled and 
dnssec-validation are set to 'no' in the /etc/named.conf.
So I'm confused that you say the DNSSEC should always fail.

Thanks for your help!

From: Martin Bašti <mba...@redhat.com>
Date: Wednesday, April 19, 2017 at 3:59 AM
To: Dan Dietterich <d...@cazena.com>, "freeipa-users@redhat.com" 
<freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled




On 13.04.2017 22:50, Dan Dietterich wrote:
I am seeing inconsistent results configuring a DNS forward zone.

At a bash prompt, as root, after kinit admin, I do:
ipa dnsforwardzone-add domain.internal --forwarder=ww.xx.yy.zz --forward-policy=only

That works fine and does not warn about DNSSEC.

In a Java webapp running as root under a Jetty, I run a shell sub-process and 
issue the kinit and the same ipa statement.
_Sometimes_, I get
ipa: WARNING: DNSSEC validation failed: record 'domain.internal. SOA' failed 
DNSSEC validation on server ww.xx.yy.zz.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA 
servers.

I modified the /etc/named.conf file to say:
dnssec-enable no;
dnssec-validation no;

and systemctl restart ipa

Any clue why the results are different?

ipa --version: VERSION: 4.4.0, API_VERSION: 2.213
Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 
x86_64 x86_64 GNU/Linux

Thanks for any insight!

Regards,
Dan





Hello,

Checks are done on the IPA server side; how many servers do you have? Is it possible 
that the CLI connects to different servers?

However in this case, DNSSEC check should always fail and report error, so it 
is weird why it passed.

Martin



--

Martin Bašti

Software Engineer

Red Hat Czech



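Martin's reply turns on whether DNSSEC validation is really disabled in the server's named.conf. The check below is an added example, not code from the thread or from FreeIPA: it strips BIND's three comment styles, isolates the top-level options block, and reports the dnssec-enable / dnssec-validation values found there. The sample configuration is constructed.

```python
# Added example (not from the mailing-list thread): audit a BIND named.conf
# for the two options discussed in the thread.  Only values inside the
# top-level options {} block count; values in view {} blocks are ignored.
import re

# Constructed sample: a FreeIPA-style named.conf with validation switched off.
SAMPLE_NAMED_CONF = """\
options {
    listen-on port 53 { any; };
    /* disabled after ipa-server-install --no-dnssec-validation */
    dnssec-enable no;
      dnssec-validation no;   // trailing comment
    # dnssec-validation yes;
};
logging { channel default_debug { file "data/named.run"; }; };
"""

def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments; named.conf accepts all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)

def options_block(text: str) -> str:
    """Return the body of the top-level options { ... } block, tracking nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")

def dnssec_settings(conf: str) -> dict:
    """Map each dnssec-enable / dnssec-validation option in options {} to its value."""
    body = options_block(strip_comments(conf))
    return dict(re.findall(r"\b(dnssec-(?:enable|validation))\s+(\S+?)\s*;", body))

def validation_disabled(conf: str) -> bool:
    """True only when dnssec-validation is explicitly 'no'; an absent option is not 'no'."""
    return dnssec_settings(conf).get("dnssec-validation", "").lower() == "no"

if __name__ == "__main__":
    print(dnssec_settings(SAMPLE_NAMED_CONF), validation_disabled(SAMPLE_NAMED_CONF))
```

Run it against the real /etc/named.conf of each IPA server; if the options block lacks an explicit `dnssec-validation no;`, the server is still validating, whatever the installer flag was.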

Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

2017-04-19 Thread Dan Dietterich
My configuration is a single ipa server and both the code path and the bash 
prompt path are running on the node that is also running the ipa server. I 
thought that since FreeIPA was installed with --no-dnssec-validation that I 
should never see this warning. And I confirmed that both dnssec-enabled and 
dnssec-validation are set to 'no' in the /etc/named.conf.
So I'm confused that you say the DNSSEC should always fail.

Thanks for your help!

From: Martin Bašti <mba...@redhat.com>
Date: Wednesday, April 19, 2017 at 3:59 AM
To: Dan Dietterich <d...@cazena.com>, "freeipa-users@redhat.com" 
<freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled




On 13.04.2017 22:50, Dan Dietterich wrote:
I am seeing inconsistent results configuring a DNS forward zone.

At a bash prompt, as root, after kinit admin, I do:
ipa dnsforwardzone-add domain.internal --forwarder=ww.xx.yy.zz --forward-policy=only

That works fine and does not warn about DNSSEC.

In a Java webapp running as root under a Jetty, I run a shell sub-process and 
issue the kinit and the same ipa statement.
_Sometimes_, I get
ipa: WARNING: DNSSEC validation failed: record 'domain.internal. SOA' failed 
DNSSEC validation on server ww.xx.yy.zz.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA 
servers.

I modified the /etc/named.conf file to say:
dnssec-enable no;
dnssec-validation no;

and systemctl restart ipa

Any clue why the results are different?

ipa --version: VERSION: 4.4.0, API_VERSION: 2.213
Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 
x86_64 x86_64 GNU/Linux

Thanks for any insight!

Regards,
Dan




Hello,

Checks are done on the IPA server side; how many servers do you have? Is it possible 
that the CLI connects to different servers?

However in this case, DNSSEC check should always fail and report error, so it 
is weird why it passed.

Martin


--

Martin Bašti

Software Engineer

Red Hat Czech

[Freeipa-users] DNSSEC warning when DNSSEC should be disabled

2017-04-13 Thread Dan Dietterich
I am seeing inconsistent results configuring a DNS forward zone.

At a bash prompt, as root, after kinit admin, I do:
ipa dnsforwardzone-add domain.internal --forwarder=ww.xx.yy.zz --forward-policy=only

That works fine and does not warn about DNSSEC.

In a Java webapp running as root under a Jetty, I run a shell sub-process and 
issue the kinit and the same ipa statement.
_Sometimes_, I get
ipa: WARNING: DNSSEC validation failed: record 'domain.internal. SOA' failed 
DNSSEC validation on server ww.xx.yy.zz.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA 
servers.

I modified the /etc/named.conf file to say:
dnssec-enable no;
dnssec-validation no;

and systemctl restart ipa

Any clue why the results are different?

ipa --version: VERSION: 4.4.0, API_VERSION: 2.213
Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 
x86_64 x86_64 GNU/Linux

Thanks for any insight!

Regards,
Dan


[Freeipa-users] Possible to fully proxy AD <-> FreeIPA?

2017-03-22 Thread Dan Dietterich
I am trying to understand if it is possible to NAT between a network running 
Active Directory (AD) and a network running FreeIPA and have one-way trust from 
FreeIPA to the AD.

My hypothesis is that it is not possible, for two reasons. First, I understand 
that Kerberos uses several techniques (IP addresses in the protocol, reverse 
DNS lookups) to make sure there is no "man in the middle." The proxy is a man 
in the middle. Second, I understand that FreeIPA retrieves the layout of domain 
controllers (DC) from the initial AD DC it builds the trust with. The addresses 
returned are valid in the AD network and are not translated into the FreeIPA 
network. FreeIPA will not be able to route to those IP addresses.

I have read about proxying Kerberos protocol over https 
(https://web.mit.edu/kerberos/krb5-devel/doc/admin/https.html)
I have read about proxying LDAP 
(https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD)
I do not know all of the protocols used to operate AD <-> FreeIPA trust, so I'm 
not sure there is even software available to do such a thing.

Thanks for any insight!

Dan


