
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answers
4457 views
"Sealing" secrets with FreeIPA?
Recently we've been researching how to set up TPM on our Linux hosts: when they boot, the grub parameters and kernel are checksummed, and if the checksum is as expected the TPM module unseals a key used for decrypting the root filesystem and the machine boots. If there's any tampering, the key isn't unsealed and the computer doesn't boot. Nice and secure.

In a similar vein, I'd like to store secrets (e.g. the keys for TLS certificates, maybe even the TLS certificates themselves) on our FreeIPA server, and only deliver them to the host if the host is authenticated. The intent is to supply the certificates to Nginx (or some other web server) without storing them on disk (ramdisk is ok), as described on the nginx website (Google 'Secure Distribution of SSL Private Keys with NGINX'). I also found an article (Google 'Encrypt and decrypt a file using SSH keys') on how to use an ssh public key to encrypt a file and it made me wonder if the same thing could be done here, leveraging the security of Kerberos and FreeIPA.

In short, is there a way to do this with existing ipa commands, authenticating the operations by using the host's /etc/krb5.keytab file so it can be done in an unattended way? Thanks!

----

EDIT: To be more concrete, I want to retrieve a string that contains a LetsEncrypt-signed wildcard TLS Certificate and its encrypted key (which I can then load into an Nginx server) without having a human decrypt it.

* Step one: have the host authenticate automatically to the LDAP server (this is optional if the string is encrypted). It already does, but I'm not sure how to utilize that for my application.
* Step two: get the string that's stored in LDAP (perhaps in jpegPhoto or audio, or if stored in a host object then some other attribute).
* Step three: decrypt the string (one way is by using an ssh keypair in an unexpected way: https://www.bjornjohansen.com/encrypt-file-using-ssh-key . Perhaps Kerberos can be (ab)used in a similar way?)
* Step four: put the string into the right place; the nginx blog post suggested a file on a tempfs filesystem, although I'd prefer a Kernel keychain.
* Step five: start Nginx that's been configured as described in https://www.nginx.com/blog/secure-distribution-ssl-private-keys-nginx/

Since FreeIPA already works with certificates (see ipa help cert) I hoped it wouldn't be too much of a stretch to work with arbitrary certificates (versus FreeIPA-generated ones).

Edit^2: It turns out that FreeIPA has a feature for handling secrets like this, called Vaults. No need to stuff data into unrelated LDAP properties, no need to hack together some encryption, and it can link secrets to service principals, users, or groups! It's all in the help text (ipa help vault), but since it's near the end of the alphabet I'd never read that far. They're rivalling AWS for "most features crammed into a single CLI" bragging rights. :-)
PFudd (193 rep)
Jun 5, 2023, 01:16 AM • Last activity: Sep 30, 2024, 09:02 PM
0 votes
2 answers
956 views
Help removing a failed replica from a FreeIPA setup
I have two FreeIPA servers in my system; ns-1 and ns-2. To my limited knowledge, ns-1 is our main ipa server and ns-2 was set up as a replica. But I may be incorrect in that regard. In my attempts to upgrade the OS on ns-2, the upgrade failed somewhere in the middle and now the machine is toast. ns-1 is still operating fine as I was holding off on upgrading that machine until ns-2 was complete. I blew away ns-2 and rebuilt a new VM in its place and now want to set it up as the new ns-2 replacement.

The problem though is that ns-1 still has a record of the original ns-2 and is preventing the ipa-replica-install command from succeeding on my new ns-2. In ns-1's Web UI, it still lists ns-2 as an ipa server and displays ns-2 in the topology graph.

From the ns-1 machine I've issued the following commands:

```
# ipa-replica-manage list
ns-2..: master
ns-1..: master
# ipa-replica-manage del --force --cleanup ns-2..
Updating DNS system records
Not allowed on non-leaf entry
# ldap_delete -x -h 127.0.0.1 -D 'cn=directory manager' -w 'cn=ns-2..,cn=masters,cn=ipa,cn=etc,dc=.'
ldap_delete: Operation not allowed on non-leaf (66)
    additional info: Entry has replication conflicts as children
# ipa-replica-manage dnsrange-show
ns-2..: Connection failed: cannot connect to 'ldaps://ns-2..:636': Transport endpoint is not connected
```

On my new ns-2 machine I've run the ipa-client-install command successfully. And then I ran the "ipa-replica-install --setup-dns --setup-ca --no-forwarders -P " It fails because the ns-1 machine appears to believe that there's already an ns-2 machine defined.

I've found the following thread, which appears to describe the same problem, but no resolution is included: https://www.spinics.net/linux/fedora/fedora-users/msg498296.html

I've tried following this documentation, but it does not explain how to resolve replicas that have "children": https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/ipa-replica-manage#repl-conflicts
dutsnekcirf (179 rep)
Dec 14, 2022, 04:49 PM • Last activity: Jun 3, 2024, 08:28 AM
0 votes
1 answers
1128 views
freeipa client installation in ubuntu
I am installing the FreeIPA client in an Ubuntu VM, but I am getting the following error:

```
failed to obtain host tgt: major (458752): no credentials were supplied, or the credentials were unavailable or inaccessible, minor (2529639107): no credentials cache found
```

Command to install:

```
ipa-client-install \
  -U \
  --domain="example.prv" \
  --force \
  --force-join \
  --hostname="bastion.example.prv" \
  --mkhomedir \
  --nisdomain="example.prv" \
  --realm="EXAMPLE.PRV" \
  --password=PASSWORD \
  --principal=host-enrollment-global-user \
  --server="internal-hosting-freeipa-01.example.prv"
```

Traffic to the FreeIPA server **internal-hosting-freeipa-01.example.prv** is open on ports 88, 80, 389 and 464. I have found other posts with a similar error, but couldn't understand the workaround for this issue.

**/var/log/ipaclient-install.log**
2023-09-27T18:54:15Z DEBUG Logging to /var/log/ipaclient-install.log
2023-09-27T18:54:15Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': True, 'principal': 'host-enrollment-global-user', 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': True, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': True, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': 'example.prv', 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'example.prv', 'servers': ['internal-hosting-freeipa-01.example.prv'], 'realm_name': 'example.PRV', 'host_name': 'faye-bastion-test.example.prv', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2023-09-27T18:54:15Z DEBUG IPA version 4.9.8
2023-09-27T18:54:15Z DEBUG IPA platform debian
2023-09-27T18:54:15Z DEBUG IPA os-release Ubuntu 22.04.2 LTS (Jammy Jellyfish)
2023-09-27T18:54:15Z DEBUG Starting external process
2023-09-27T18:54:15Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-09-27T18:54:15Z DEBUG Process execution failed
2023-09-27T18:54:15Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Starting external process
2023-09-27T18:54:15Z DEBUG args=['sudo', '-V']
2023-09-27T18:54:15Z DEBUG Process finished, return code=0
2023-09-27T18:54:15Z DEBUG stdout=Sudo version 1.9.9
Configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --with-selinux --with-linux-audit --enable-tmpfiles.d=yes --without-lecture --with-tty-tickets --enable-admin-flag
Sudoers policy plugin version 1.9.9
Sudoers file grammar version 48

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if user authentication fails
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15.0 minutes
Password prompt timeout: 0.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/lib/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        *=()*
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        BASHOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XDG_CURRENT_DESKTOP
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DPKG_COLORS
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Always run commands in a pseudo-tty
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo
Enable SELinux RBAC support
Path to the file that is created the first time sudo is run: ~/.sudo_as_admin_successful
The largest size core dump file that may be created (in bytes): 0,0

Local IP address and netmask pairs:
        10.9.128.149/255.255.240.0
        fe80::bf:a8ff:fe56:bb1f/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.9.9
Sudoers audit plugin version 1.9.9

2023-09-27T18:54:15Z DEBUG stderr=
2023-09-27T18:54:15Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'.
2023-09-27T18:54:15Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2023-09-27T18:54:15Z DEBUG [IPA Discovery]
2023-09-27T18:54:15Z DEBUG Starting IPA discovery with domain=example.prv, servers=['internal-hosting-freeipa-01.example.prv'], hostname=faye-bastion-test.example.prv
2023-09-27T18:54:15Z DEBUG Server and domain forced
2023-09-27T18:54:15Z DEBUG [Kerberos realm search]
2023-09-27T18:54:15Z DEBUG Kerberos realm forced
2023-09-27T18:54:15Z DEBUG [LDAP server check]
2023-09-27T18:54:15Z DEBUG Verifying that internal-hosting-freeipa-01.example.prv (realm example.PRV) is an IPA server
2023-09-27T18:54:15Z DEBUG Init LDAP connection to: ldap://internal-hosting-freeipa-01.example.prv:389
2023-09-27T18:54:15Z DEBUG Search LDAP server for IPA base DN
2023-09-27T18:54:15Z DEBUG Check if naming context 'dc=example,dc=prv' is for IPA
2023-09-27T18:54:15Z DEBUG Naming context 'dc=example,dc=prv' is a valid IPA context
2023-09-27T18:54:15Z DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=prv (sub)
2023-09-27T18:54:15Z DEBUG Found: cn=example.PRV,cn=kerberos,dc=example,dc=prv
2023-09-27T18:54:15Z DEBUG Discovery result: Success; server=internal-hosting-freeipa-01.example.prv, domain=example.prv, kdc=internal-hosting-freeipa-01.example.prv, basedn=dc=example,dc=prv
2023-09-27T18:54:15Z DEBUG Validated servers: internal-hosting-freeipa-01.example.prv
2023-09-27T18:54:15Z DEBUG will use discovered domain: example.prv
2023-09-27T18:54:15Z DEBUG Using servers from command line, disabling DNS discovery
2023-09-27T18:54:15Z DEBUG will use provided server: internal-hosting-freeipa-01.example.prv
2023-09-27T18:54:15Z DEBUG will use discovered realm: example.PRV
2023-09-27T18:54:15Z DEBUG will use discovered basedn: dc=example,dc=prv
2023-09-27T18:54:15Z INFO Client hostname: faye-bastion-test.example.prv
2023-09-27T18:54:15Z DEBUG Hostname source: Provided as option
2023-09-27T18:54:15Z INFO Realm: example.PRV
2023-09-27T18:54:15Z DEBUG Realm source: Discovered from LDAP DNS records in internal-hosting-freeipa-01.example.prv
2023-09-27T18:54:15Z INFO DNS Domain: example.prv
2023-09-27T18:54:15Z DEBUG DNS Domain source: Forced
2023-09-27T18:54:15Z INFO IPA Server: internal-hosting-freeipa-01.example.prv
2023-09-27T18:54:15Z DEBUG IPA Server source: Provided as option
2023-09-27T18:54:15Z INFO BaseDN: dc=example,dc=prv
2023-09-27T18:54:15Z DEBUG BaseDN source: From IPA server ldap://internal-hosting-freeipa-01.example.prv:389
2023-09-27T18:54:15Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Starting external process
2023-09-27T18:54:15Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', 'example.PRV']
2023-09-27T18:54:15Z DEBUG Process finished, return code=7
2023-09-27T18:54:15Z DEBUG stdout=
2023-09-27T18:54:15Z DEBUG stderr=Failed to set cursor 'No such file or directory'

2023-09-27T18:54:15Z DEBUG Backing up system configuration file '/etc/hostname'
2023-09-27T18:54:15Z DEBUG   -> Not backing up - already have a copy of '/etc/hostname'
2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Starting external process
2023-09-27T18:54:15Z DEBUG args=['/usr/bin/hostnamectl', 'set-hostname', 'faye-bastion-test.example.prv']
2023-09-27T18:54:15Z DEBUG Process finished, return code=0
2023-09-27T18:54:15Z DEBUG stdout=
2023-09-27T18:54:15Z DEBUG stderr=
2023-09-27T18:54:15Z DEBUG Starting external process
2023-09-27T18:54:15Z DEBUG args=['/usr/sbin/service', 'ntp', 'status', '']
2023-09-27T18:54:15Z DEBUG Process finished, return code=4
2023-09-27T18:54:15Z DEBUG stdout=
2023-09-27T18:54:15Z DEBUG stderr=Unit ntp.service could not be found.

2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-09-27T18:54:15Z DEBUG Search DNS for SRV record of _ntp._udp.example.prv
2023-09-27T18:54:16Z DEBUG DNS record not found: NXDOMAIN
2023-09-27T18:54:16Z INFO Synchronizing time
2023-09-27T18:54:16Z WARNING No SRV records of NTP servers found and no NTP server or pool address was provided.
2023-09-27T18:54:16Z DEBUG Starting external process
2023-09-27T18:54:16Z DEBUG args=['/bin/systemctl', 'enable', 'chrony.service']
2023-09-27T18:54:17Z DEBUG Process finished, return code=0
2023-09-27T18:54:17Z DEBUG stdout=
2023-09-27T18:54:17Z DEBUG stderr=Synchronizing state of chrony.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable chrony

2023-09-27T18:54:17Z DEBUG Starting external process
2023-09-27T18:54:17Z DEBUG args=['/bin/systemctl', 'restart', 'chrony.service']
2023-09-27T18:54:17Z DEBUG Process finished, return code=0
2023-09-27T18:54:17Z DEBUG stdout=
2023-09-27T18:54:17Z DEBUG stderr=
2023-09-27T18:54:17Z DEBUG Starting external process
2023-09-27T18:54:17Z DEBUG args=['/bin/systemctl', 'is-active', 'chrony.service']
2023-09-27T18:54:17Z DEBUG Process finished, return code=0
2023-09-27T18:54:17Z DEBUG stdout=active

2023-09-27T18:54:17Z DEBUG stderr=
2023-09-27T18:54:17Z DEBUG Restart of chrony.service complete
2023-09-27T18:54:17Z INFO Attempting to sync time with chronyc.
2023-09-27T18:54:17Z DEBUG Starting external process
2023-09-27T18:54:17Z DEBUG args=['/usr/bin/chronyc', '-d', 'waitsync', '4', '0', '0', '3']
2023-09-27T18:54:26Z DEBUG Process finished, return code=0
2023-09-27T18:54:26Z DEBUG stdout=try: 1, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 2, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 3, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 4, refid: A9FEA97B, correction: 0.000011853, skew: 0.220

2023-09-27T18:54:26Z DEBUG stderr=
2023-09-27T18:54:26Z INFO Time synchronization was successful.
2023-09-27T18:54:26Z DEBUG Starting external process
2023-09-27T18:54:26Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-09-27T18:54:26Z DEBUG Process execution failed
2023-09-27T18:54:26Z DEBUG Starting external process
2023-09-27T18:54:26Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0']
2023-09-27T18:54:26Z DEBUG Process finished, return code=0
2023-09-27T18:54:26Z DEBUG stdout=457935527

2023-09-27T18:54:26Z DEBUG stderr=
2023-09-27T18:54:26Z DEBUG Enabling persistent keyring CCACHE
2023-09-27T18:54:26Z DEBUG Writing Kerberos configuration to /tmp/tmpcgm__7ra:
2023-09-27T18:54:26Z DEBUG #File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = example.PRV
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  example.PRV = {
    kdc = internal-hosting-freeipa-01.example.prv:88
    master_kdc = internal-hosting-freeipa-01.example.prv:88
    admin_server = internal-hosting-freeipa-01.example.prv:749
    kpasswd_server = internal-hosting-freeipa-01.example.prv:464
    default_domain = example.prv
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .example.prv = example.PRV
  example.prv = example.PRV
  faye-bastion-test.example.prv = example.PRV



2023-09-27T18:54:26Z DEBUG Writing configuration file /tmp/tmpcgm__7ra
2023-09-27T18:54:26Z DEBUG #File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = example.PRV
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  example.PRV = {
    kdc = internal-hosting-freeipa-01.example.prv:88
    master_kdc = internal-hosting-freeipa-01.example.prv:88
    admin_server = internal-hosting-freeipa-01.example.prv:749
    kpasswd_server = internal-hosting-freeipa-01.example.prv:464
    default_domain = example.prv
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .example.prv = example.PRV
  example.prv = example.PRV
  faye-bastion-test.example.prv = example.PRV



2023-09-27T18:54:26Z DEBUG Initializing principal host-enrollment-global-user@example.PRV using password
2023-09-27T18:54:26Z DEBUG Starting external process
2023-09-27T18:54:26Z DEBUG args=['/usr/bin/kinit', 'host-enrollment-global-user@example.PRV', '-c', '/tmp/krbcc8r0g0xlc/ccache']
2023-09-27T18:54:26Z DEBUG Process finished, return code=0
2023-09-27T18:54:26Z DEBUG stdout=Password for host-enrollment-global-user@example.PRV:

2023-09-27T18:54:26Z DEBUG stderr=
2023-09-27T18:54:26Z DEBUG trying to retrieve CA cert via LDAP from internal-hosting-freeipa-01.example.prv
2023-09-27T18:54:26Z DEBUG retrieving schema for SchemaCache url=ldap://internal-hosting-freeipa-01.example.prv:389 conn=
2023-09-27T18:54:26Z DEBUG Existing CA cert and Retrieved CA cert are identical
2023-09-27T18:54:26Z DEBUG Starting external process
2023-09-27T18:54:26Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'internal-hosting-freeipa-01.example.prv', '-b', 'dc=example,dc=prv', '-h', 'faye-bastion-test.example.prv', '-k', '/etc/krb5.keytab', '-f']
2023-09-27T18:56:36Z DEBUG Process finished, return code=17
2023-09-27T18:56:36Z DEBUG stdout=
2023-09-27T18:56:36Z DEBUG stderr=
2023-09-27T18:56:36Z ERROR Joining realm failed:
2023-09-27T18:56:36Z INFO Use ipa-getkeytab to obtain a host principal for this server.
2023-09-27T18:56:36Z DEBUG Starting external process
2023-09-27T18:56:36Z DEBUG args=['/usr/bin/kdestroy']
2023-09-27T18:56:36Z DEBUG Process finished, return code=0
2023-09-27T18:56:36Z DEBUG stdout=
2023-09-27T18:56:36Z DEBUG stderr=
2023-09-27T18:56:36Z DEBUG Initializing principal host/faye-bastion-test.example.prv@example.PRV using keytab /etc/krb5.keytab
2023-09-27T18:56:36Z DEBUG using ccache /etc/ipa/.dns_ccache
2023-09-27T18:56:36Z INFO Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
2023-09-27T18:56:36Z ERROR Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639107): No credentials cache found
2023-09-27T18:56:36Z WARNING Installation failed. Force set so not rolling back changes.
2023-09-27T18:56:36Z DEBUG   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in 
    step = lambda: next(self.__gen)
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3/dist-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 3949, in main
    install(self)
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 2649, in install
    _install(options)
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 2877, in _install
    raise ScriptError(rval=CLIENT_INSTALL_ERROR)

2023-09-27T18:56:36Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2023-09-27T18:56:36Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
**SOLUTION**: Ports 80, 443 and 749 also needed to be opened towards the FreeIPA server.
Muhammad Naeem Akhtar (51 rep)
Sep 28, 2023, 11:35 AM • Last activity: Oct 13, 2023, 05:50 PM
1 votes
0 answers
503 views
automount is flooding /var/log/messages with the line "automount[21736]: do_mount_indirect: indirect trigger not valid or already mounted"
I am facing an issue with automount on a bunch of Linux CentOS hosts. I see the following line in /var/log/messages thousands of times:

```
automount[21736]: do_mount_indirect: indirect trigger not valid or already mounted
```

I enabled debugging on autofs and the log line is now more verbose:

```
Jul 18 14:43:49 hostname automount: handle_packet: type = 3
Jul 18 14:43:49 hostname automount: handle_packet_missing_indirect: token 12758048, name , request pid 74868
Jul 18 14:43:49 hostname automount: do_mount_indirect: indirect trigger not valid or already mounted /home/nfs/
Jul 18 14:43:49 hostname automount: dev_ioctl_send_ready: token = 12758048
```

These log files are filling up my /var/log partition. I tried to google/chatgpt my problem but no success yet. The only correlation I see at the moment is that I only see these error logs on hosts where containerd is also installed/running.

Content of /etc/auto.master:

```
[root@hostname ~]# cat /etc/auto.master | grep -v '^#'
/misc /etc/auto.misc
/net -hosts
+dir:/etc/auto.master.d
+auto.master
```

The folder /etc/auto.master.d/ is empty.

Content of /etc/auto.misc:

```
[root@hostname ~]# cat /etc/auto.misc | grep -v '^#'
cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom
```

Does anybody know how to fix that issue or give me a hint? We are automounting home folders with FreeIPA. It works fine on hundreds of hosts, except for a bunch of hosts. I compared the config files on working and non-working hosts. No difference so far.
Mister Lamp (111 rep)
Jul 18, 2023, 09:35 AM • Last activity: Jul 18, 2023, 12:46 PM
0 votes
1 answers
2416 views
Completely locked out of the admin account with FreeIPA
I have a FreeIPA server set up with a single replica. The admin account has been locked. Here's the log from a kinit admin:
[root@idm-00 ~]# kinit admin
kinit: Client's credentials have been revoked while getting initial credentials

Jun 26 13:04:08 idm-00. krb5kdc(info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) : LOCKED_OUT: admin@ for krbtgt/@, Client's credentials have been revoked
I don't have another admin user on the system, but I do have root access to the server itself. Is it possible to recover from this?
Franz Kafka (338 rep)
Jun 26, 2023, 08:06 PM • Last activity: Jul 4, 2023, 08:21 PM
0 votes
1 answers
2436 views
FreeIPA automount home directory prevents local user home directory creation
I have set up FreeIPA as IDM software for my network and successfully configured a Kerberos-aware NFS server and Kerberos-aware NFS clients. When a user logs into a machine, their user directory on the NFS server is automatically mounted via autofs from nfs:/srv/nfs/home/userdir to /home/userdir on the local machine. I am facing the problem that when I need to create a local user on one machine, like the git user, I cannot as the **root** user create a new home directory for the git user under /home/git, because it says:
useradd: cannot create directory /home/git
My auto.home map configuration is the following:
* nfs:/srv/nfs/home/&
and when I log in as any user, only the user's home directory is mounted under /home. And my auto.master map has the following entry:
/home auto.home
The output from mount is the following:
auto.home on /home type autofs (rw,relatime,fd=6,pgrp=651,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=15731)
nfs:/srv/nfs/home/userdir on /home/userdir type nfs4 (rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=10.110.29.100,local_lock=none,addr=10.110.29.107)
I omitted unnecessary information about other file systems and devices. getfacl for the home directory returns:
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
Now, my question is: is this setup preventing my local root account from creating a local home directory on my machine?
Grigorios (313 rep)
Apr 24, 2023, 12:17 PM • Last activity: Apr 24, 2023, 05:07 PM
1 votes
0 answers
502 views
Setup mail server in Docker with FreeIPA and Roundcube
I am trying to set up my own mail server with authentication against LDAP (FreeIPA). All of them must run within Docker containers. I don't know what I'm doing wrong. Maybe it's my LDAP configuration.
version: '3.9'

services:
  freeipa:
    image: freeipa/freeipa-server:centos-9-stream-4.10.0
    container_name: ipa
    restart: unless-stopped
    tty: true
    stdin_open: true
    hostname: ipa
    domainname: ipa.example.local
    #read_only: true
    networks:
      priv_network:
        ipv4_address: 172.16.1.10
    extra_hosts:
      - "ipa.example.local:172.16.1.10"
    environment:
      - IPA_SERVER_HOSTNAME=ipa.example.local
      - IPA_SERVER_IP=172.16.1.10
      - TZ=Europe/Berlin
    command:
      - --realm=example.local
      - --domain=example.local
      - --ds-password=secret123
      - --admin-password=secret123
      - --no-host-dns
      - --setup-dns
      - --auto-forwarders
      - --allow-zone-overlap
      - --no-dnssec-validation
      - --unattended
      - --skip-mem-check
      - --auto-forwarders
      - --auto-reverse
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    volumes:
      - ./vol/freeipa/data:/data
      - ./vol/freeipa/logs:/var/logs
      - ./vol/freeipa/config:/root/pw-portal/config
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /var/cache
      - /tmp
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    ports:
      - 443:443
      - 389:389

  roundcubemail:
    image: roundcube/roundcubemail:latest
    container_name: roundcubemail
    volumes:
      - ./vol/roundcube/www:/var/www/html
      - ./vol/roundcube/db/sqlite:/var/roundcube/db
    ports:
      - 9002:80
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://172.16.1.11
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://172.16.1.11
    networks:
      priv_network:

  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail
    domainname: mail.example.local
    restart: unless-stopped
    volumes:
      - ./vol/mailserver/data/:/var/mail/
      - ./vol/mailserver/state/:/var/mail-state/
      - ./vol/mailserver/logs/:/var/log/mail/
      - ./vol/mailserver/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro

    environment:
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ACCOUNT_PROVISIONER=LDAP
      - LDAP_SERVER_HOST=ldap://ipa
      - LDAP_BIND_DN=uid=admin,cn=users,cn=accounts,dc=example,dc=local
      - LDAP_BIND_PW=secret123
      - LDAP_SEARCH_BASE=cn=users,cn=accounts,dc=example,dc=local
      - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
      - LDAP_QUERY_FILTER_USER=(mail=%U@%s)
      - LDAP_QUERY_FILTER_ALIAS=(|) # doesn't match anything
      - LDAP_QUERY_FILTER_GROUP=(|) # doesn't match anything
      - LDAP_QUERY_FILTER_SENDERS=(mail=%s)      
      - SPOOF_PROTECTION=1
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_FILTER=(&(mail=%U@example.local)(objectClass=inetOrgPerson))
      - ONE_DIR=1
      - PERMIT_DOCKER=host
      - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(mail=%u))
      - DOVECOT_PASS_ATTRS==password=%{ldap:userPassword},=user=%{ldap:uid}
      - DOVECOT_USER_ATTRS==home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
    cap_add:
      - NET_ADMIN
    networks:
      priv_network:
        ipv4_address: 172.16.1.11

networks:
  priv_network:
    name: ext_priv_network
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.16.1.0/24
          gateway: 172.16.1.1
I created a user and logged into IPA for the first time to set the password. If I try to log in to my Roundcube then I just get a login failure. The mail server printed the following messages.
Dec 25 08:59:52 mail dovecot: auth: ldap(test.user,172.16.1.2,): unknown user (SHA1 of given password: f2b14f)
Dec 25 08:59:54 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=172.16.1.2, lip=172.16.1.11, session=
Dec 25 09:00:39 mail postfix/pickup: 517F864B0E: uid=101 from=
Dec 25 09:00:39 mail postfix/cleanup: 517F864B0E: message-id=
Dec 25 09:00:39 mail postfix/cleanup: warning: dict_ldap_lookup: Search error 2: Protocol error 
Dec 25 09:00:39 mail postfix/cleanup: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "postmaster@mail.example.local"
Dec 25 09:00:39 mail postfix/cleanup: warning: 517F864B0E: virtual_alias_maps map lookup problem for postmaster@mail.example.local -- message not accepted, try again later
Dec 25 09:00:39 mail postfix/pickup: 5228D64B0E: uid=0 from=
Dec 25 09:00:39 mail postfix/cleanup: 5228D64B0E: message-id=
Dec 25 09:00:39 mail postfix/cleanup: warning: dict_ldap_lookup: Search error 2: Protocol error 
Dec 25 09:00:39 mail postfix/cleanup: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "postmaster@mail.example.local"
What's the correct LDAP Syntax for Dovecot DOVECOT_USER_FILTER, DOVECOT_PASS_ATTRS and DOVECOT_USER_ATTRS?
Jayser (111 rep)
Dec 25, 2022, 10:22 AM
0 votes
2 answers
2928 views
Joining hosts to freeIPA without changing hostname
I've been asked to join Linux hosts in my company to `freeIPA`. But the problem is that I'm not allowed to change hostnames. So I should leave the hosts' NetBIOS names intact. I am wondering if there is any idea to implement such a thing (like an alias name for the hostname or something)?
marrowsh (1 rep)
May 22, 2022, 11:03 AM • Last activity: Jul 24, 2022, 07:08 PM
0 votes
2 answers
1047 views
autofs mount local directory when nfs unavailable
I want to have my home directory be an NFS mount when it's available, or a local directory when it's not. Think of a laptop that I might want to take somewhere off of my normal network. What I have today is an automount map that mounts an NFS share on my home. I've been poking around Stack Exchange and it suggests coda: https://unix.stackexchange.com/questions/17216/keep-local-copy-of-nfs-mount-on-computer However, it's a really old project and I'm not seeing it in the apt repository, leading me to believe this is probably not going to work well. What I've tried to do is automount NFS home directories into /nethome like this:
/etc/auto.nethome:
* -fstype=nfs4,rw,sec=sys,soft,rsize=8192,wsize=8192,no_root_squash h2gt2g.deepthot.aa:/volume1/homes/&

mkdir -p /nethome/me

/etc/fstab:
/home/me /nethome/me none defaults,bind 0,0
Sadly this doesn't work at all. Either it ends up with the bind or nothing working at all. I'm thinking I can't do something this simple minded. Has anyone else succeeded at doing something like this? It seems like this would be something people would do. As a side note, I've had nfs automounted home directories on all my machines/vms for 20 or so years. I've been wanting to do something similar to what I just described almost as long, but have never had any luck with it.
denebeim (3 rep)
Apr 16, 2021, 12:09 AM • Last activity: Apr 17, 2021, 05:38 PM
0 votes
0 answers
857 views
display grid of data in bash
I would like to get an opinion on how best to do this in bash, thank you. For x number of servers, each has its own list of replication agreements and their status. It's easy to run a few commands and get this data, e.g. get servers, output:
dc1-server1 dc1-server2 dc2-server1 dc2-server2 dc3...
for dc1-server1, get agreements, output:
dc2-server1
dc3-server1
dc4-server1
for dc1-server1, get agreement status codes, output:
0
0
18
So the output would be several columns based on the 'get servers' list, with each 'replica: status' under each server, for that server. This may get munged, but something like:
dc1-server1      dc1-server2      dc2-server1
dc2-server1: 0   dc2-server2: 0   dc1-server1: 0  ...
dc3-server1: 0   dc3-server2: 18  dc3-server1: 13 ...
dc4-server1: 18  dc4-server2: 0   dc4-server1: 0  ...
something vaguely like this (though this doesn't work):
#!/bin/bash

. ~/.ldap-config
DOMAIN=$(domainname)
ROWSTOT=0

for SERVER in $MASTER $REPLICAS ; do
   ${SERVER}REPLICAS=$(ipa-replica-manage -p $(cat ~/.dsp) list -v $SERVER.$DOMAIN | grep ': replica' | sed 's/: replica//')
   ROWS=$(echo "${SERVER}REPLICAS" | wc -l)
   [ "$ROWS" -gt "$ROWSTOT" ] && ROWSTOT=$ROWS
   ${SERVER}STATUS=$(ipa-replica-manage -p $(cat ~/.dsp) list -v $SERVER.$DOMAIN | grep 'status: Error (' | sed -e 's/.*status: Error (//' -e 's/).*//')
done

for (( C=1; C<=$ROWSTOT; C++ )) ; do
   for SERVER in $MASTER $REPLICAS ; do
      #echo -n "${SERVER}REPLICAS[$C]: ${SERVER}STATUS[$C]"
      printf "%-28s" "${SERVER}REPLICAS[$C]: ${SERVER}STATUS[$C]"
   done
   echo
done
Example output from ipa-replica-manage:
# ipa-replica-manage -p $(cat ~/.dsp) list -v $(hostname)
dc1-server2.domain: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2021-04-08 12:13:05+00:00
dc4-server2.domain: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2021-04-08 12:13:05+00:00
dc3-server1.domain: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2021-04-08 12:13:05+00:00
dc2-server1.domain: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2021-04-08 12:13:05+00:00
.ldap-config has local env/cluster settings (there are several clusters with different server names/quantities), but the only lines used here are, e.g.:
MASTER=dc1-server1
REPLICAS="dc1-server2 dc2-server1 dc2-server2 dc3...  "
Dave S. (1 rep)
Apr 7, 2021, 03:01 PM • Last activity: Apr 8, 2021, 12:28 PM
0 votes
1 answers
1597 views
FreeIpa MFA for AD users
I've set up a FreeIPA POC (CentOS 7, FreeIPA 4.7, two FreeIPA servers as multimaster with some clients). Added OTPs for several users and made it work with RADIUS for VPN access authentication purposes. Next, I've added an AD trust and I am able to log in as an AD user. All groovy. Now I'd like to enforce MFA for AD users by adding OTP tokens for them. Is it possible at all? Since an AD user authenticates against AD, shouldn't it be AD who provides MFA? FreeIPA behaves strangely when it comes to AD users (mapped via external group and POSIX group): AD user 'ipatest' is visible with the 'id' command (and has its own UID, GID and so on) but cannot be found via the 'ipa user-find' command, even with a specific UID provided:
admin@ipa-poc-1 ~ $ id ipatest@lab.trusteddomain.com
uid=748801177(ipatest@lab.trusteddomain.com) gid=748801177(ipatest@lab.trusteddomain.com) groups=748801177(ipatest@lab.trusteddomain.com),748800513(domain users@lab.trusteddomain.com),748801180(linuxusers@lab.trusteddomain.com),793600008(ad_users)
admin@ipa-poc-1 ~ $ ipa user-find ipatest
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
admin@ipa-poc-1 ~ $ ipa user-find ipatest@lab.trusteddomain.com
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
admin@ipa-poc-1 ~ $ ipa user-find ipatest@TRUSTEDOMAIN-LAB
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
admin@ipa-poc-1 ~ $ ipa user-find uid=748801177
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
I reckon it is due to the one-way trust with the AD domain but I'm not sure here. Since the 'ipa otptoken-add' command requires an 'owner' parameter (type string, and it doesn't work with a UID) I cannot add an OTP token for this user.
Another approach I've tried (since the ipa otptoken-add command by default uses the current user as owner) was to log on as the AD user and create an OTP token 'for myself', but it didn't work either:
ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ kinit ipatest@lab.trusteddomain.com
Password for ipatest@lab.trusteddomain.com:
ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ ipa otptoken-add --type='TOTP'
ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa-poc-1.lab/ipa/json, https://ipa-poc-2.lab/ipa/json
So, to make it short:
1. Is it possible to add an OTP token to an external AD user?
2. How to do it?
rgrds noob
just_a_noob (101 rep)
Feb 19, 2021, 12:33 PM • Last activity: Feb 19, 2021, 03:27 PM
0 votes
1 answers
481 views
bash script to reference value of $GECOS from /etc/passwd with awk or sed to extract first and last name
Red Hat has a sample script to migrate users from NIS to FreeIPA. nis-user.sh looks like this:
#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
    IFS=' '
    username=$(echo $line | cut -f1 -d:)
    # Not collecting encrypted password because we need cleartext password
    # to create kerberos key
    uid=$(echo $line | cut -f3 -d:)
    gid=$(echo $line | cut -f4 -d:)
    gecos=$(echo $line | cut -f5 -d:)
    homedir=$(echo $line | cut -f6 -d:)
    shell=$(echo $line | cut -f7 -d:)

    # Now create this entry
    echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
        --password --gidnumber=$gid --uid=$uid --gecos='$gecos' --homedir=$homedir \
        --shell=$shell
    ipa user-show $username
done
This just sets the first name to NIS and the last name to USER. Our /etc/passwd file has users that look like the following:
juser:x:4841:200:Jane Q. User:/home/juser:/bin/tcsh
kuser:x:5761:200:User, K.:/home/kuser:/bin/bash
So that of course complicates things. I got a suggestion that the following could extract the first and last names, and if they were reversed and comma separated (like kuser) it would catch most of the names.
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}'
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}'
How can I use $first and $last? To test I tried to pipe the results of the $gecos variable to awk:
first=$(echo $line | cut -f5 -d: | awk '{print $1}':)
awk: cmd. line:1: {print $1}:
awk: cmd. line:1:           ^ syntax error
Same error if I try adding just the following line (after the gecos= line):
first=$(echo $gecos | awk '{print $1}':)
EDIT: ahhh, the colon placement did me in. This works:
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
So now on to the next part...
And then I want to take this suggestion, to import the passwords that use the CRYPT hash as demonstrated:
userpassword='{CRYPT}$6$blahblah$moregibberish' testuser
I followed Rob C's previous tips from here and here. Not sure it matters, but in /etc/libuser.conf, crypt_style = sha512. In the script I added:
password1=$(echo $line | cut -f2 -d:)
and in the **Now create this entry** section:
--setattr "userpassword='{CRYPT}$password1'"
Here's what gets logged when debug is turned on:
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] admin@OURDOMAIN.EDU: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS
So does that appear that {CRYPT} is not being interpreted? I also added some debug:
echo "Password hash value is $password1"
And what prints is the original hash, sans {CRYPT}.
So to test this outside of the script I added a test user:
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT} the-actual-hash-of-the-password' testuser
Then I ran the following and the password worked:
ldapsearch -x -D 'uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu' -W
# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testuser@OURDOMAIN.EDU
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testuser@ourdomain.edu
krbCanonicalName: testuser@OURDOMAIN.EDU
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z

# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0

# search result
search: 2
result: 0 Success
Is it still possible to do this in the current versions?
RobbieTheK (133 rep)
Feb 2, 2021, 08:01 PM • Last activity: Feb 16, 2021, 02:45 PM
0 votes
1 answers
1447 views
AD user cannot log in to IPA client after building AD-FreeIPA trust
I built a trust relationship between FreeIPA and AD, and added some AD users to the FreeIPA server; all those users can successfully log in on the IPA server side. But they cannot log in to an IPA client. Here is the command I used to add workstations to FreeIPA:
ipa-client-install -U -f --enable-dns-updates --domain example.com --ntp-server=phoenix.example.com --server=phoenix.example.com -p EXAMPLE.COM -p admin -w '$EXAMPLE' --hostname=$HOSTNAME --automount-location=default --no-dns-sshfp --preserve-sssd
And after checking /var/log/messages and /var/log/secure I got these warnings. /var/log/secure:
Jan 24 15:19:00 greentag sshd: Received disconnect from 192.168.5.222: 11: disconnected by user
Jan 24 15:19:00 greentag sshd: pam_unix(sshd:session): session closed for user root
Jan 24 15:19:12 greentag sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:12 greentag sshd: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:12 greentag sshd: error: PAM: Authentication failure for isaac@adexample.com from 192.168.5.222
Jan 24 15:19:16 greentag sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:16 greentag sshd: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:16 greentag sshd: error: PAM: Authentication failure for isaac@adexample.com from 192.168.5.222
Jan 24 15:19:16 greentag sshd: Postponed keyboard-interactive for isaac@adexample.com from 192.168.5.222 port 45318 ssh2 [preauth]
Jan 24 15:19:19 greentag sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:19 greentag sshd: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:19 greentag sshd: error: PAM: Authentication failure for isaac@adexample.com from 192.168.5.222
Jan 24 15:19:26 greentag sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:26 greentag sshd: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:26 greentag sshd: Failed password for isaac@adexample.com from 192.168.5.222 port 45318 ssh2
Jan 24 15:19:30 greentag sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.222 user=isaac@adexample.com
Jan 24 15:19:30 greentag sshd: pam_sss(sshd:auth): received for user isaac@adexample.com: 6 (Permission denied)
Jan 24 15:19:30 greentag sshd: Failed password for isaac@adexample.com from 192.168.5.222 port 45318 ssh2
/var/log/messages:
Jan 24 15:19:12 greentag [sssd[krb5_child]]: Cannot find KDC for realm "adexample.COM"
Jan 24 15:19:12 greentag [sssd[krb5_child]]: Cannot find KDC for realm "adexample.COM"
Jan 24 15:19:12 greentag [sssd[krb5_child]]: Cannot find KDC for realm "adexample.COM"
Jan 24 15:19:12 greentag [sssd[krb5_child]]: Cannot find KDC for realm "adexample.COM"
But when I type id isaac@adexample.com it will show me this user information.
Isaac (101 rep)
Jan 24, 2019, 07:50 AM • Last activity: Sep 26, 2020, 04:23 PM
4 votes
1 answers
7430 views
What is the difference between freeipa and openldap
What is the difference between OpenLDAP and FreeIPA? Aren't they the same? What is the main work of each, and how are they interconnected, or are they separate things?
Vinit Bhardwaj (49 rep)
May 22, 2020, 05:09 PM • Last activity: May 22, 2020, 06:27 PM
0 votes
0 answers
109 views
Restricting ssh access for shared software accounts
We have passwordless login on all hosts through Kerberos. We have user accounts and shared accounts, all (host and sudo access) managed through LDAP (FreeIPA by Red Hat). Now if we give a human user shell access to a shared software account on one particular host (this is done through an IPA sudorule only), which we have to do sometimes, the human user can ssh as that software account to some other host where the software account has access, but where the human user was not granted access. To illustrate: * human_user can sudo as software_account because it has access:
-> human_user@host1.com: sudo -u software_account -i
-> software_account@host1.com: ssh host2.com
-> software_account@host2.com:
* human_user was given access to software_account only on host1, but now it has access to host2 also, since software_account has access to host2
Prateek Saigal (1 rep)
Jan 30, 2020, 10:38 AM • Last activity: Jan 30, 2020, 11:31 AM
1 votes
1 answers
852 views
Enable OCSP stapling with Freeipa - Apache
I have 3 machines with CentOS 7. I have FreeIPA server installed on the first machine. This serves as a certificate authority in my network; it's my CA. I have another machine with FreeIPA client installed. This one can provide web services for a third machine. It has a certificate generated by the CA. The third machine doesn't have FreeIPA installed and makes https requests to the second machine. I would like to use OCSP stapling. So I have added the following lines in /etc/httpd/conf.d/ssl.conf of my 2nd machine:
SSLUseStapling on
SSLStaplingCache shmcb:/run/httpd/sslcache(512000)
and restarted httpd. When I make an https request from the third machine with curl it reports **OCSP no response send**. So I think my CA (the FreeIPA server on my first machine) is not well configured. I tried to make changes in _nss.conf_ on the CA and I looked in /etc/pki/pki-tomcat/ca/CS.cfg but I don't succeed in enabling OCSP stapling. I haven't any idea. I add that I have checked, on my IPA server, that _ca.ocsp=true_ in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg. Can you help me please? I will be very grateful. Thank you so much. EDIT: The certificate of the https server has an Authority Info Access extension with the OCSP responder's URL, and the URL is correct. The firewall is disabled.
openssl ocsp -issuer ca.cert -cert server.cert -text -url http://ipa-ca.mydomain.com/ca/ocsp
gives an OCSP response, but the command
openssl s_client -connect myserver.mydomain.com:443 -tls1 -tlsextdebug -status
gives **ocsp response: no response sent**. I understand the OCSP responder is ok but the stapling doesn't work...
Beretta (13 rep)
Oct 29, 2019, 05:05 PM • Last activity: Nov 4, 2019, 12:04 PM
1 votes
1 answers
1726 views
How can I manage docker group in freeipa?
First I tried managing dockerroot in freeipa, since that is the only one I saw with sudo getent group | grep dock. I saw somewhere that said I can create a group in freeipa with the same GID and it will sync with the local group. That is not an option for me. I have the group dockerroot on several machines with _different_ GIDs. So I turned to sss_override. I tried sudo sss_override group-add dockerroot -g but I get:
Unable to find group dockerroot@[unknown].
I can't find in the documentation if I am missing something. I tried using dockerroot@localhost but I get:
Unable to parse name dockerroot@localhost.
I started deploying docker to machines and want a couple users to be able to run docker without sudo. I don't want to create rules on every target machine. Any time I spin up a new machine with docker, special users should automatically get the group membership through freeipa rules. Doing yum remove docker && yum install docker doesn't seem to affect the group either. Could I just delete it and recreate it? I don't know what I'm breaking here so I'm hesitant to do more. ---------- Now I've tried following docker's docs which say to do this:
sudo groupadd docker
sudo usermod -aG docker $USER
docker run hello-world
I want this on my domain so instead I create the group in freeipa, and add my user to it. I gave it time to sync, logged out and in, and checked the group:
sudo getent group docker
docker:*::
But I still get permission denied.
spanishgum (195 rep)
Sep 24, 2019, 08:15 PM • Last activity: Sep 24, 2019, 11:39 PM
0 votes
1 answers
7864 views
How can I confirm another user's sudo permissions using my sudo permissions?
I currently manage an IdM (FreeIPA) cluster and have full sudo rights, i.e. I can become root via `sudo -Es`. I'd like to verify a sudo rule that I've added to FreeIPA on a specific server to confirm that the rule is being picked up properly by the host via SSSD. How can I do this? **NOTE:** the sudo rule is as follows:
$ ipa sudorule-show prod-abc-dashboard-dba
  Rule name: prod-abc-dashboard-dba
  Enabled: TRUE
  Command category: all
  User Groups: eng-data-svc
slm (378965 rep)
Aug 27, 2019, 02:52 AM • Last activity: Sep 20, 2019, 01:51 AM
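One way to run the check the question asks for, as an added example that is not part of the post or of FreeIPA's own tooling: `sudo -l -U <user>` lists the privileges sudo resolves for another user (it needs root, which the poster has via `sudo -Es`), and on an IPA client those privileges come from SSSD's sudoers provider. The function below wraps that call and parses its output to decide whether the user ends up with an unrestricted rule, which is what a rule with `Command category: all` should render as. The user names, the host name `db01` and the sample output are constructed for this example.

```sh
#!/bin/sh
# Added example: confirm that a FreeIPA sudo rule reached a host via SSSD.
# Run as root (or via sudo) on the host being checked:
#   sudo_rules_for_user alice
# User/host names and the sample output below are constructed, not taken
# from the question.

# Print the sudo privileges that sudo (via SSSD's sudoers provider) resolves
# for another user. -l lists privileges, -U selects the user; needs root.
sudo_rules_for_user() {
    sudo -l -U "$1" 2>&1
}

# Return 0 if the listed privileges contain a rule allowing every command,
# i.e. a line like "(ALL) ALL", "(ALL : ALL) ALL" or "(ALL) NOPASSWD: ALL".
grants_all_commands() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*\(ALL( : ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
}

# Constructed sample of what "sudo -l -U alice" prints when the rule is
# picked up; used so the parsing can be exercised offline.
SAMPLE_MATCH='Matching Defaults entries for alice on db01:
    !visiblepw, env_reset

User alice may run the following commands on db01:
    (ALL) ALL'

# Constructed sample for a user the rule does not cover.
SAMPLE_NOMATCH='User bob is not allowed to run sudo on db01.'

# Stand-alone usage: exercise the parser against the constructed samples.
if grants_all_commands "$SAMPLE_MATCH"; then
    echo "sample: rule present (ALL commands)"
fi
if ! grants_all_commands "$SAMPLE_NOMATCH"; then
    echo "sample: no rule"
fi
```

Since the rule is keyed on the `eng-data-svc` group, run the check against a member of that group rather than against your own account. If nothing is listed, confirm that `/etc/nsswitch.conf` has `sudoers: sss` and that SSSD's cached copy of the rules is current (`sss_cache -R` drops the cached sudo rules) before concluding that the rule itself is wrong.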
1 votes
0 answers
50 views
Domain Authentication Error
I have installed and configured the ipa-server, and on my machine I'm running Fedora Workstation 30. After installing the ipa-client on my machine and configuring it properly, I cannot authenticate myself with the credentials that I have on the domain server. As you can see in the attached images, when enrolling the machine in the domain it gave an error like: 'failed to update dns records missing a reverse record(s) for address(es) could not update dns sshfp records' (please consult the attachments for a better understanding). I've removed the machine and re-enrolled it in the domain and the problem persists; I tried other machines that gave the same error, but after upgrading three times I was able to authenticate. But on this machine in question the authentication problem persists, and only with the password, because the user name is recognized immediately. Solutions already applied: 1. constant updating of the system; 2. reinstallation and reconfiguration of the machine; 3. rebooting the computer countless times. I hope someone here can help me, first to better understand this type of error and its causes, and also to solve it urgently, as I have to deliver some work soon.
ma1996 (11 rep)
Jul 17, 2019, 03:37 PM
1 votes
0 answers
165 views
FreeIPA Kerberized NFSv4 Group Membership Issue
We have a FreeIPA domain running with several NFS clients auto-mounting a Kerberized NFSv4 server (krb5p). We're running the latest RHEL 7.6 on all nodes and everything is working great with one exception: it takes 24 hours after removing a user from an IPA group for them to lose access to a share.
**Procedure:**
1. User logs into an NFS client and browses a group-restricted share.
2. FreeIPA admin removes that user from the group which grants access to the aforementioned share.
3. User logs out of the client, back in, and browses the share again without issue (despite the group no longer appearing with the `id`/`groups` command).
4. Reboot the client or wait 24 hours and the user loses access as expected.

Is there a way to ensure group changes in IPA are immediately honored by the NFS clients?

I have also tried clearing the SSSD cache (`systemctl stop sssd && sss_cache -E && rm -rf /var/lib/sss/db/* && systemctl start sssd`) and destroying/re-grabbing the user's Kerberos ticket, to no avail. The group changes are still not obeyed; I need to either reboot the box or wait a day.
Thanks!
HeroKillerKeef (11 rep)
Jun 20, 2019, 01:17 PM