[Freeipa-users] Re: Use of certificates to have https secure connection

2021-04-24 Thread John Keates via FreeIPA-users
Hi Guille, The meaning of "Pass --pin-" means: pass along the argument --pin and set it to an empty value (because --pin= does exactly that, it says "pin equals to nothing"). In your case this might look like: ipa-server-certinstall -w -d --pin= mysite.key mysite.crt Or, if the command allows

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
In that case, let's save you some additional time: FIPS mode is not beneficial, unless you are contractually required to shoot yourself in the foot and get a FIPS audit done. Aside from that (somewhat obvious) fact, it would be useful for the list if you stated why you want this, and if you kno

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
What Rob (and Alexander) are saying is: your auditor will do an audit and tell you if you are FIPS compliant. While using software in FIPS-compliant mode might reduce the amount of work you'll need to do to be compliant, it's not some sort of labeling procedure where you need show some specs tha

[Freeipa-users] Re: Auto cleanup old enrolled hosts

2021-02-16 Thread John Keates via FreeIPA-users
We have a similar situation where we end up with ~50k dead hosts after only a week; ended up creating a lambda dat pulls all the hosts out of IPA LDAP and then tries to find them each AWS account using the EC2 API. If a host is not found to be either running or shut-down but still stored and it'

[Freeipa-users] Re: How to migrate Sernet Samba 4.12.6-13 to FreeIPA on CentOS 7.8.2003

2020-09-20 Thread John Keates via FreeIPA-users
FreeIPA doesn’t do NT domain server of AD server things and does not support Windows clients. Are you sure you are on the right track? As far as the relation between FreeIPA and Microsoft Active Directory goes: FreeIPA can ’trust’ an external AD domain so you can authenticate AD users via IPA s

[Freeipa-users] Re: Integration of freeipa into an azure AD based infrastructure

2020-08-29 Thread John Keates via FreeIPA-users
You can, but only if you use hybrid Azure AD and have an AD DC to connect to. But then he problem becomes ‘who created the forest’. If you join in to an AAD ‘forest’ you still can’t create a trust. So far I’ve only had implementations where the AD domains and forests were ‘classic’ and only conn

[Freeipa-users] Re: Terminating replication agreement

2019-09-26 Thread John Keates via FreeIPA-users
t happens I believe I can get the certs to update, but right > now everything seems to be attempting to talk to IPA2 which is still running > but the server was rebuilt after this image was made, so we can't talk with > the server. > > Randy > > On 9/26/2019 4:05 PM, Joh

[Freeipa-users] Re: Terminating replication agreement

2019-09-26 Thread John Keates via FreeIPA-users
You could turn the clock back, remove the agreements, renew the certs to a future date, shutdown, reset the clock and renew again to get up and running. Make sure you’re doing it while the system is offline to prevent NTP. Also: make sure you don’t run in to this again by making regular recovery

[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
So the name is MEYERAD but you typed MEYER-AD. Remove the dash from your earlier command and it should work. John > On 22 Jul 2019, at 17:48, Andrew Meyer via FreeIPA-users > wrote: > > Getting this: > > [andrew.meyer@freeipa01 ~]$ sudo ipa trust-find > --- > 1 trust matched >

[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
What does the AD Trust list in IPA show for the AD domain you should be using? The same one? Or a different notation? John > On 22 Jul 2019, at 17:13, Andrew Meyer via FreeIPA-users > wrote: > > Hello, > I am working on setting up FreeIPA with AD integration and seem to be running > into an

[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread John Keates via FreeIPA-users
An alternative would be writing your own IPA plugin. John > On 9 Jul 2019, at 23:23, Andrew Meyer via FreeIPA-users > wrote: > > I was hoping to not use a radius server in between. > > Sent from Yahoo Mail on Android >

[Freeipa-users] Re: Upgrade path in CentOS 7

2019-07-03 Thread John Keates via FreeIPA-users
To be safe, I’d just add a new server with the latest of everything, join it to the domain and decommission the old one. Not a direct answer to your question, I know, but as soon as you are unsure of the upgrade path, putting in those 30 minutes to do the install-and-replace routine solves it fa

[Freeipa-users] Re: Install freeipa-client

2019-06-29 Thread John Keates via FreeIPA-users
That is part of the packaging, not part of freeipa-client. Usually, on apt/deb systems you can tell apt or dpkg you are running unattended by setting an environment variable like DEBIAN_FRONTEND=noninteractive . After installing the package, you can setup the client unattended using ipa-client-

[Freeipa-users] Re: cannot access webui

2019-06-20 Thread John Keates via FreeIPA-users
Start at the beginning: - Is the install running? (ipactl status) - Is apache listening (ss -l or netstar -l or systemctl status apache2/httpd/apache/whatverthenameis) - Is the firewall letting you in? - What does /var/log/apache2 or /var/log/httpd or whatever it’s configured to log to say? Joh

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
srv records from company.com to > auth.company.com? > > And it's okay I guess if the host keytabs look like > > host/server.company@auth.company.com > > I am slowly getting there :) > > -Chris. > > On 17/06/2019 14:06, John Keates via FreeIPA-users wrote: >&g

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
want dc=company,dc=com. > We will not be using any Windows / AD things. Only UNIX/Linux. > The Services are used in house as well as from around the world (public). > > Thanks so much. > -Christian. > > > On 17/06/2019 13:44, John Keates via FreeIPA-users wrote: >>

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
company.com > K5: COMPANY.COM > > Primary failed: ERRORDNS zone COMPANY.COM. already exists in DNS and > is handled by server(s): ns1.ns-serve.net., ns2.ns-serve.net. > > What would be the right approach here? > > Thanks again! > -Chris. > > > On 17/06

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
A HA-aware client would use SRV records to locate the server(s) and then connect every returned instance until a working server is found. And by using locations you can scope the servers you get back. Regarding the single URL: while there are many options, we decided to simply register all serv

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread John Keates via FreeIPA-users
Sounds great! Where do we find this tool? In an upcoming release or as a stand-alone package? John > On 14 Jun 2019, at 16:29, Rob Crittenden via FreeIPA-users > wrote: > > I'd like to introduce a new tool for an IPA adminstrators tool kit we're > working on, currently in a beta state and shi

[Freeipa-users] Re: [HAProxy / Keepalive] After installation

2019-06-11 Thread John Keates via FreeIPA-users
IPA als already highly available, from the service side using DNS and multiple records for all services, on the web side: every server has a working web interface. If you want to redirect users to any working interface, a generic load balancer without keepalive works, redirect them to the IP and

[Freeipa-users] Re: ILO Card IPA authentication

2019-06-06 Thread John Keates via FreeIPA-users
ESX has nothing to do with the iLO. The iLO settings can for example be set from the iLO web interface, use LDAP authentication and point it to IPA. John > On 6 Jun 2019, at 10:57, Karim Bourenane via FreeIPA-users > wrote: > > Hello All > > I want to authenticate Users into our ILO 4 card H

[Freeipa-users] Re: Minimal ipa configuration (inside docker)

2019-06-05 Thread John Keates via FreeIPA-users
Keep in mind that when you use RHEL, features that aren’t available (due to supported versions restrictions) should probably not be hacked/bypassed because that would probably void your support just as well. If you want something unsupported you might as well use something else (Fedora, CentOS),

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread John Keates via FreeIPA-users
On *nix I’d test with klist etc to get information on what tickets I have and what those tickets are good for. Perhaps you can do the same on Windows, figure out what tickets you actually have and what you can do with them. John > On 1 Jun 2019, at 13:04, lejeczek via FreeIPA-users > wrote:

[Freeipa-users] Re: deploying Freeipa ith script

2019-05-29 Thread John Keates via FreeIPA-users
Very odd, those steps look correct to me. And if auto-discovery for the domain, realm, hostname and IPA server work, then it’s not the ipa-client-install script I think. What versions are you running? Important bits: - freeipa packages - kerberos packages - sssd packages also, what does /etc/ns

[Freeipa-users] Re: ipa server upgrade fails - dirsrv complains about Unknown attribute syntax OID

2019-05-29 Thread John Keates via FreeIPA-users
nerally okay with servers being at different versions, > then? Could I upgrade by creating a new server, enrolling it as a > replica of then old server and then shut down the old server. Can I do > that as a general behaviour? > > On 29/05/2019 21:21, John Keates via FreeIPA-users wro

[Freeipa-users] Re: deploying Freeipa ith script

2019-05-29 Thread John Keates via FreeIPA-users
In what phase do you run the script? It should be one of the last scripts in the final phase for the install to work reliably. If it’s in preconfig or config phase it breaks 9 out of 10 times. John > On 29 May 2019, at 22:53, Boudjoudad Abdelkader wrote: > > I'm using cloud-init with this scr

[Freeipa-users] Re: deploying Freeipa ith script

2019-05-29 Thread John Keates via FreeIPA-users
What I meant was that you are already practically disabling it; you specify the hostname, domain, server, realm on your command line but those should be discoverable. Here is an enrollment jinja2 template I use: ipa-client-install -U --enable-dns-updates --principal={{freeipa.client.enroll.user

[Freeipa-users] Re: ipa server upgrade fails - dirsrv complains about Unknown attribute syntax OID

2019-05-29 Thread John Keates via FreeIPA-users
I’d suggest creating a new server, enrolling it as a replica (well, it’s multi-master so technically it’s just another FreeIPA server) instead of upgrading. If you have other servers that still work, do that and nuke this one. If this is the last/only server you have, I’d restore it from backups

[Freeipa-users] Re: deploying Freeipa ith script

2019-05-29 Thread John Keates via FreeIPA-users
I don’t know what you are missing, but I do know that in theory your enrolment should work with just -U for unattended and the principal and password. Unless you have a special environment that requires auto discovery to be disabled, I’d recommend using it. I’m enrolling clients in three ways th

[Freeipa-users] Re: zabbix for monitoring FreeIPA server?

2019-05-27 Thread John Keates via FreeIPA-users
It’s not really doing anything more, except doing the status on all of the units with one command. If units were to be added/removed, the command would stay the same. But I wouldn’t call this monitoring, it’s more like a health check, you get a binary (good/bad). Monitoring would expect metrics

[Freeipa-users] Re: upgrade freeipa from version 4.1.4 to 4.6.4

2019-05-26 Thread John Keates via FreeIPA-users
Yes, that is possible. The best and most-supported way is installing a second server (or VM) and running your desired version on that. Then join it to the domain, install all services (ca, domain, trust controller, kra etc.). Then you can uninstall the ‘old’ server (after testing of course!). Mak

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-26 Thread John Keates via FreeIPA-users
For this to work, yes you need to setup AD Trust, and for HBAC to access the Linux systems, you need ID View user overrides. Once you have verified basic password or ssh key login (set key in user override!) works, GSSAPI should be an easy next step. Keep in mind that if you were to kinit on a li

[Freeipa-users] Re: sudo rule does not work for domain user

2019-05-24 Thread John Keates via FreeIPA-users
Turn up the dial on debug logging on SSSD to find out more. John > On 24 May 2019, at 13:00, Rob Verduijn via FreeIPA-users > wrote: > > Hello, > > I'm trying to figure out why an ad-domain user cannot use sudo. > > When I test with > > ipa hbactest --user=ansible --host ipa01.linux.exampl

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
You don’t need to setup a DNS server or Route 53 Zone, you can use the route53resolver. It allows a conditional forwarder for any domain you wish and you can point it straight at an IPA DNS server. It’s built in to AWS: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-s

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s mostly for general redundancy and speed. Speed is both for load balancing and querying local servers first. Say you don’t talk to IPA often and your cross-continental latency isn’t an issue, then running 1 server in Iceland would fit. For us, the redundancy part is relatively important be

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s not too bad. We have a similar setup somewhere, about 39 AWS accounts, some with multiple VPCs, three physical locations, one with two separate DCs (the others have one). For AWS we simply add PCXes where possible with sg source rules, makes it pretty secure. For other accounts we run Ope

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-22 Thread John Keates via FreeIPA-users
I’d think that if you can remote-enrol hosts as IPA clients, it would be real easy to also enrol them as VPN clients first. Heck, even Wireguard would be good enough, even without a full audit. You’d just add a single route to the route table for that VPN to the IPA server and you’re good to go.

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-20 Thread John Keates via FreeIPA-users
I would never run FreeIPA over the public internet, bad idea. It’s not as bad as running AD over the internet, but it’s getting pretty close. Run servers in all zones/regions and have those servers talk to each other (tunnels). Stuff inside a zone will do a discovery and find the servers that wo

[Freeipa-users] Re: FreeIPA and AD

2019-03-07 Thread John Keates via FreeIPA-users
The documentation on this is pretty good. Basically, you can ’trust’ AD from FreeIPA, which means the users from AD can be used in IPA. Groups too. Passwords must be set and reset in AD, but everything you need for Linux (SSH keys, host rules etc) can be done in IPA. https://www.freeipa.org/pag

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Your specific issue might not be because the .local TLD, but .local is a special ‘reserved’ name for multicast DNS. You can use any other (including fake) TLD that is not registered. There are some other TLDs that are ’special’, like the one used for reverse-IP records in APIPA. Best to avoid su

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
In that case I don’t know how to help (but someone else might). As per https://tools.ietf.org/html/rfc6762 .local isn’t supposed to be used the way you are using it at this time, and it will conflict with pretty much any standard system. I don’t know how to patch/override that without breaking a

[Freeipa-users] Re: IPAM that integrates well with FreeIPA

2019-03-03 Thread John Keates via FreeIPA-users
I used to look for the same thing, but it didn’t make sense in the end: IPA isn’t authoritative on what IP adressen are used, and why. That is where infrastructure configuration management is for, i.e. your DHCP servers and tooling used to static configuration (like Salt and Ansible). John > O

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Did you select mDNS’s TLD .local on purpose? Or was this an inheritance. > On 3 Mar 2019, at 14:49, Vivek Aggarwal via FreeIPA-users > wrote: > > Our current implementation has multiple dots(.) names in the hostname > ,details mentioned below & we're using below setting while configuring the

[Freeipa-users] Re: Issues with AD user ssh

2019-02-11 Thread John Keates via FreeIPA-users
I think the issue is outlined in the PAC error you got. > On 11 Feb 2019, at 16:51, D via FreeIPA-users > wrote: > > sss_send_pac failed, group membership for user with principal [ username>@AD.DOMAIN.COM] might not be correct. It seems to indicate that the PAC in the ticket doesn’t match with

[Freeipa-users] Re: SSO

2019-01-19 Thread John Keates via FreeIPA-users
I’m using Keycloak and it works fine with FreeIPA. Ipsilon was not mature enough for our use case (which is fine, not everything fits everywhere) but it is much simpler in comparison to Keycloak. As big as it looks, it’s not that much of a beast to deploy and configure; you basically have the sa

[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-16 Thread John Keates via FreeIPA-users
There is no enumeration support, but if you want to figure out if your connection works, try getent on a group or user (or using id on a group or user). If those don’t work the AD Trust might not be working correctly. I start the trusts on the IPA side and use Domain Admin creds (and not a secret

[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-11-30 Thread John Keates via FreeIPA-users
We are using FreeIPA Debian clients, been using snapshots or sid packages for that since it is very nicely constrained wrt dependencies. Using our IoC/configuration management/orchestration tooling we simply push a number of packages to the clients and install them and their in-repo dependencies

[Freeipa-users] Re: Replica install on RPI3

2018-11-03 Thread John Keates via FreeIPA-users
Ah, so the install went fine but the CA startup is the only remaining issue? John > On 3 Nov 2018, at 16:39, Winfried de Heiden via FreeIPA-users > wrote: > > Hi all, > > Yes, the Pi is too slow but funny enough it can work perfectly. The DogTag CA > server just takes a painfull time to star

[Freeipa-users] Re: Replica install on RPI3

2018-11-03 Thread John Keates via FreeIPA-users
My suggestion would be: don’t run it on a Pi, it’s not fast enough. But you came to that conclusion already, so I guess the next issue would be: where does it fail? I’m assuming the rpm install works out but ipa-server-install doesn’t? Or does that work but does the starting of all the component

[Freeipa-users] Re: No httpd service listening on TCP4

2018-11-02 Thread John Keates via FreeIPA-users
That is normal, they are actually listening on both IPv4 and IPv6. The netstat output shows it as :::80 :::*. Listening on both protocol versions makes it show up as IPv6. You do not get two separate entries. You could try to start netcat in listen mode on port 80 and you’ll find that it errors

[Freeipa-users] Re: Create Certificate for Load Balancer & end2end HTTPS traffic

2018-10-25 Thread John Keates via FreeIPA-users
I think you can do this if you upload your certificate and key to ACM in AWS, and then use the ACM ARN for your uploaded certificate as the certificate for the ALB. You do need to generate the CSR separately indeed. John > On 25 Oct 2018, at 19:10, Peter Tselios via FreeIPA-users > wrote: >

[Freeipa-users] Re: conflicting hostname requirement from SAP

2018-10-10 Thread John Keates via FreeIPA-users
I’d say: don’t run FreeIPA server on the same install as the SAP server. John > On 10 Oct 2018, at 23:16, Dan Haskell via FreeIPA-users > wrote: > > > > Per the FreeIPA quickstart guide: > > The rule about /etc/hosts is that the fully-qualified name must come first. > It should look like:

[Freeipa-users] Re: Cannot import certificate signed by MS-CA - subject mismatch

2018-09-12 Thread John Keates via FreeIPA-users
Only UTF-8 is allowed. Re-sign with UTF-8. John > On 12 Sep 2018, at 16:37, Peter Tselios via FreeIPA-users > wrote: > > No one > ___ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-u

[Freeipa-users] Re: Global Catalog Support on FreeIPA 4.7 ?

2018-08-26 Thread John Keates via FreeIPA-users
There is no Global Catalog or support for this. IPA does not host the services for the AD->IPA trust yet. John > On 26 Aug 2018, at 12:11, Zafer Syed via FreeIPA-users > wrote: > > Good Day, > > I've configured a Two-way Forest trust between AD (windows-2016) and FreeIPA > 4.7(Centos 7). >

[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-07-20 Thread John Keates via FreeIPA-users
Hi, Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 generates a broken SSSD configuration. Adding the services manually to sssd.conf fixes this: services = nss, sudo, pam, ssh For some reason, ipa-client-install thinks we have socket-activated SSSD services, but we don’t.

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread John Keates via FreeIPA-users
What you want is not possible because DNS resolves to one IP, not to a NAT’ed IP. Doing this differently is very hacky and totally unsupported. One host, one IP, one DNS record. NAT doesn’t belong in this type of networking. If you really wanted to shoot yourself in the foot, you can use Unbound

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
<http://hq.spinque.com/> > expires: 2019-01-26 19:41:51 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre >

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
I would suggest doing what the last line says: Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. Then, you can check the certificates and maybe refresh it if it is actually expired. John > On 7 Jun 2017, at 14:39, Roberto Cornacchia via Fre

[Freeipa-users] Re: named-pkcs11 systemd service

2017-05-26 Thread John Keates via FreeIPA-users
Hi, At the risk of smelling like a thread hijack; I’m experiencing the same issue on one server (Fedora 25), but on all others it’s fine. I don’t think this is a ‘normal’ issue that should be ‘fixed’ by restarting named-pkcs11 all the time. I tend to check for known issues (and solutions) on thi

[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread John Keates via FreeIPA-users
Hi, Instead of using the Let’s Encrypt thing on the IPA server itself, I often just use it on a reverse proxy. This way the end-users see the verified CA and FreeIPA can keep doing it’s business. I tried to use ACME on the IPA server in the past, but it wasn’t very well integrated and caused pr