FreeIPA LDAP authentication
by Duarte Petiz
Hey everyone!
I have been using FreeIPA for the last 2 months.
Now I asked for an internal pentest and the pentesters found this:
Without authentication they can obtain information about our FreeIPA (which uses LDAP as a backend, as you know).
ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
Is there any way to protect it? How can I achieve that?
--
*Kind Regards*
*Duarte Petiz*
*DevOps Team Lead* | jscrambler.com
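What the pentesters exercised is the plain anonymous simple bind that `ldapsearch -x` performs when no `-D`/`-w` is given, followed by a subtree search. The block below is an added example, not code from the thread or from FreeIPA: it encodes that BindRequest byte for byte, parses the BindResponse and SearchResultEntry/SearchResultDone messages a server sends back, and reduces them to a verdict a defender can act on. It also emits the LDIF that sets the 389-ds `nsslapd-allow-anonymous-access` attribute on `cn=config`, which is the knob that governs anonymous reads on the directory behind FreeIPA. The server responses are constructed inline so the check runs offline; the user DNs in them are made up.

```python
"""Anonymous-access check for a 389-ds / FreeIPA directory (added example).

Encodes the anonymous BindRequest that `ldapsearch -x` sends, parses the
server's BindResponse and search result messages, and turns them into a
verdict plus the LDIF that sets nsslapd-allow-anonymous-access.
"""

# LDAP result codes (RFC 4511, section 4.1.9)
SUCCESS = 0
INAPPROPRIATE_AUTHENTICATION = 48

# Protocol-op tags ([APPLICATION n], constructed)
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61
SEARCH_RESULT_ENTRY, SEARCH_RESULT_DONE = 0x64, 0x65


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def ldap_message(message_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }"""
    return tlv(0x30, tlv(0x02, bytes([message_id])) + op)


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """BindRequest { version 3, name "", authentication simple "" }"""
    op = tlv(BIND_REQUEST, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return ldap_message(message_id, op)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at `pos`; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def split_messages(stream: bytes):
    """Split a byte stream into (protocol-op tag, op payload) per LDAPMessage."""
    pos, ops = 0, []
    while pos < len(stream):
        _, envelope, pos = read_tlv(stream, pos)
        _, _, inner = read_tlv(envelope)           # messageID, not needed here
        op_tag, op, _ = read_tlv(envelope, inner)
        ops.append((op_tag, op))
    return ops


def result_code(op: bytes) -> int:
    """resultCode is the first element of BindResponse / SearchResultDone."""
    _, rc, _ = read_tlv(op)
    return int.from_bytes(rc, "big")


def anonymous_exposure(bind_stream: bytes, search_stream: bytes) -> str:
    """Verdict from what an unauthenticated client actually received."""
    (bind_tag, bind_op), = split_messages(bind_stream)
    assert bind_tag == BIND_RESPONSE
    bind_rc = result_code(bind_op)
    if bind_rc == INAPPROPRIATE_AUTHENTICATION:
        return "anonymous bind refused"
    if bind_rc != SUCCESS:
        return f"anonymous bind failed (resultCode {bind_rc})"
    ops = split_messages(search_stream)
    entries = sum(1 for tag, _ in ops if tag == SEARCH_RESULT_ENTRY)
    done = [result_code(op) for tag, op in ops if tag == SEARCH_RESULT_DONE]
    if entries:
        return f"exposed: anonymous search returned {entries} entries"
    rc = done[0] if done else "none"
    return f"anonymous bind accepted, no entries returned (search resultCode {rc})"


def hardening_ldif(mode: str = "rootdse") -> str:
    """LDIF for ldapmodify against cn=config. 'rootdse' keeps the root DSE
    readable (FreeIPA client discovery relies on it) and denies other anonymous
    reads; 'off' refuses the anonymous bind outright."""
    if mode not in ("on", "off", "rootdse"):
        raise ValueError(mode)
    return ("dn: cn=config\nchangetype: modify\n"
            f"replace: nsslapd-allow-anonymous-access\n"
            f"nsslapd-allow-anonymous-access: {mode}\n")


# --- constructed server responses so the check runs offline -------------------
def ldap_result(tag: int, rc: int, diag: bytes = b"", message_id: int = 1) -> bytes:
    """LDAPResult { resultCode ENUMERATED, matchedDN "", diagnosticMessage }"""
    body = tlv(0x0A, bytes([rc])) + tlv(0x04, b"") + tlv(0x04, diag)
    return ldap_message(message_id, tlv(tag, body))


def search_entry(dn: bytes, message_id: int = 2) -> bytes:
    return ldap_message(message_id, tlv(SEARCH_RESULT_ENTRY, tlv(0x04, dn) + tlv(0x30, b"")))


OPEN_DIRECTORY = (ldap_result(BIND_RESPONSE, SUCCESS),
                  search_entry(b"uid=alice,cn=users,cn=accounts,dc=example,dc=com")
                  + search_entry(b"uid=bob,cn=users,cn=accounts,dc=example,dc=com")
                  + ldap_result(SEARCH_RESULT_DONE, SUCCESS, message_id=2))
HARDENED_DIRECTORY = (ldap_result(BIND_RESPONSE, INAPPROPRIATE_AUTHENTICATION,
                                  b"Anonymous access is not allowed"), b"")

if __name__ == "__main__":
    print(anonymous_exposure(*OPEN_DIRECTORY))
    print(anonymous_exposure(*HARDENED_DIRECTORY))
    print(hardening_ldif())
```

The ldapsearch line in the post is the live equivalent of the two constructed exchanges; re-running it after applying the LDIF is the check that the change took effect. `rootdse` is the safer first step, because `ipa-client-install` discovery reads the root DSE anonymously, while enrolled clients bind with credentials and are unaffected. Whatever mode is chosen, the ACIs on the tree still decide what an anonymous bind may read when the setting is `on`, so an empty result with resultCode 0 means the ACIs held, not that the directory is closed.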
How to set the "no_auth_data_required" Kerberos option on a principal?
by Julien Fremont
Hi everyone,
I'm currently setting up a FreeIPA based central repository for our small business (few users, but a number of VMs and attached services) with 3 IPA servers. As we are a Linux-centric company, FreeIPA seems to be a good fit for our use.
Everything seems to work as expected, except regarding our Synology NAS and its NFSv4 shares. If I don't set the automount to use Kerberos (no '-sec=krb5' parameter), the NFS share works without a hitch. But if I do, it seems that said NAS doesn't manage Kerberos well. Every time I try to connect a client to an NFS share, DSM more or less hangs with a svcgssd process pegged at 100% CPU. The web UI locks up, most of the command line stops working properly, etc.
This appears to be a relatively well-known issue with svcgssd as noted here for example:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1466654
https://linux-nfs.vger.kernel.narkive.com/rpgli1dr/question-re-no-auth-da...
The fix seems relatively simple, as I just need to set the "no_auth_data_required" setting on the affected Kerberos principal on the FreeIPA side. The problem is, how do I do this?
For a standalone KDC server, it looks like this command should do the trick:
→ kadmin -p "admin(a)INTERNAL.DOMAIN.ORG" modify_principal +no_auth_data_required "nfs/nas.domain.tld(a)INTERNAL.DOMAIN.ORG"
But from what I understand, using kadmin directly with FreeIPA is not an option. But how to set "no_auth_data_required" option with FreeIPA is not clear to me. Can anyone direct me to a solution?
For reference:
→ The NAS is a Synology RS2421RP+ running DSM 7.2-64570 Update 3 (the latest). Its kernel is 4.4.302+
→ We are running FreeIPA 4.10.1
→ The 3 FreeIPA servers run on Rocky Linux 9.2
→ The current test client is a Rocky Linux 8.7 VM, but we have a variety of Linux flavors in our environment.
→ We do not have an Active Directory server and do not plan to add one.
→ This FreeIPA deployment is still at an early stage of deployment.
→ I have no previous experience with FreeIPA, LDAP or Kerberos, nor with AD.
Regards,
Julien Fremont
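The kadmin command quoted above toggles one bit in the principal's KDB attribute mask. The block below is an added example, not code from the thread or from the FreeIPA project, and rests on two assumptions that should be checked against the installed versions before anything is applied: that FreeIPA stores a principal's KDB flags as a bitmask in the entry's `krbTicketFlags` attribute, and that the bit values listed match the `KRB5_KDB_*` constants in krb5's `include/kdb.h`. The point it makes is the one that bites in practice: `--setattr` replaces the whole attribute, so the current value has to be read first and OR-ed with the new bit, or flags already set on the principal are silently dropped.

```python
"""Build a krbTicketFlags value that adds no_auth_data_required (added example).

Assumptions (verify locally): FreeIPA keeps the KDB flags of a principal as a
bitmask in krbTicketFlags, and the values below are the KRB5_KDB_* constants
from krb5's include/kdb.h.
"""

# KRB5_KDB_* bit values as found in krb5's kdb.h (assumption: verify locally)
KDB_FLAGS = {
    "disallow_postdated":     0x00000001,
    "disallow_forwardable":   0x00000002,
    "disallow_tgt_based":     0x00000004,
    "disallow_renewable":     0x00000008,
    "disallow_proxiable":     0x00000010,
    "disallow_dup_skey":      0x00000020,
    "disallow_all_tix":       0x00000040,
    "requires_preauth":       0x00000080,
    "requires_hwauth":        0x00000100,
    "requires_pwchange":      0x00000200,
    "disallow_svr":           0x00001000,
    "pwchange_service":       0x00002000,
    "ok_as_delegate":         0x00100000,
    "ok_to_auth_as_delegate": 0x00200000,
    "no_auth_data_required":  0x00400000,
}


def add_flags(current: int, *names: str) -> int:
    """OR the named flags into the existing mask (what kadmin's +flag does)."""
    for name in names:
        current |= KDB_FLAGS[name]
    return current


def remove_flags(current: int, *names: str) -> int:
    """Clear the named flags (what kadmin's -flag does)."""
    for name in names:
        current &= ~KDB_FLAGS[name]
    return current


def decode_flags(value: int) -> list[str]:
    """Human-readable view of a krbTicketFlags value, lowest bit first."""
    return [name for name, bit in KDB_FLAGS.items() if value & bit]


def setattr_command(principal: str, current: int, *names: str) -> str:
    """ipa command that writes the merged mask. `current` is the value that
    `ipa service-show --all --raw` prints as krbticketflags (0 if absent)."""
    return (f"ipa service-mod '{principal}' "
            f"--setattr krbTicketFlags={add_flags(current, *names)}")


if __name__ == "__main__":
    # Constructed sample: a principal that already has ok_as_delegate set
    current = KDB_FLAGS["ok_as_delegate"]
    merged = add_flags(current, "no_auth_data_required")
    print(decode_flags(merged))   # ['ok_as_delegate', 'no_auth_data_required']
    print(setattr_command("nfs/nas.domain.tld@INTERNAL.DOMAIN.ORG", current,
                          "no_auth_data_required"))
```

After the modification, `ipa service-show --all --raw` on the principal should show the merged value, and `decode_flags` on that number confirms nothing else was lost. Because the KDC reads the flag at ticket-issue time, the NFS client needs a fresh service ticket (a new `kinit`, or `kdestroy` first) before the change is visible in the PAC-less tickets the NAS then receives.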
Recovering from certificate expiration issues
by Cristian Le
I have tried my luck around with all the helpers: `pki-server cert-fix`, `ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me for multiple reasons.
- `ipa-cacert-manage` Cannot update the CA with `--external-cert-file` because the root ca is not detected to be in the trust list
- `ipa-cert-fix` was run without overlapping validity time, and the certificates were re-created, so now it is not recoverable, neither back in time, nor in current time
- `pki-tomcat` is failing
It is quite a mess and I would like to ask for some guidance on how one could recover manually from such dependency issues:
- Is it possible to do a `ipa-server-install` and keep the user data?
- If I sign all of the service's certificates manually, what are all of the manual steps needed to get the services back up so that the helpers can be run?
- I've tried to install the CA certificate in the nssdb database, LDAP, and /etc/ipa/ca.crt. Are there other locations?
- I've recreated an httpd certificate signed by the root, but I can't figure out how to do the same with the ones located in the nssdb database, i.e. how to recreate a CSR with the same data as one of the certificates there
- What is the order of services that should be updated? My understanding is CA -> `certutil`'s CA -> httpd + slapd + pki-tomcat (not sure where the last one is or how to edit it) -> `ipa-certupdate`
automount keys on multiple domains
by Nathanaël Blanchet
Hello,
I have a trusted AD domain levant.abes.fr
I'm trying to get my auto.home map working with automount keys.
Everything is ok with the wildcard on the trusted domain
* vm701-dev.couchant.abes.fr:/export/home/levant.abes.fr/&
In addition to this, is there a way to do the same with the IPA domain
knowing that the '*' key already exists?
Second question: the same user may exist on both domains. How should I
format the key to determine which domain I want the mapping for? (I
already tried with user@domain as the key but it doesn't work.)
Thank you in advance (I hope I am clear enough).
--
Nathanaël Blanchet
Administrateur Systèmes et Réseaux
Service Informatique et REseau (SIRE)
Département des systèmes d'information
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tél. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet(a)abes.fr
How do I get FreeIPA running in Docker Swarm?
by Jay Smith
I have the following setup.
MK_INTERNAL_SUB_DOMAIN=example.test
MK_FREEIPA_SERVER_REALM=EXAMPLE.TEST
MK_FREEIPA_SERVER_DS_PASSWORD=password
MK_FREEIPA_SERVER_ADMIN_PASSWORD=password
MK_FREEIPA_SERVER_DNS_REVERSE_ZONE=0.18.172.in-addr.arpa
MK_FREEIPA_SERVER_IP=172.18.0.10
MK_FREEIPA_SERVER_DOMAIN_NAME=ipa.example.test
docker service create \
--hostname ${MK_FREEIPA_SERVER_DOMAIN_NAME} \
--name ipa \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \
-e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \
-e "DEBUG_NO_EXIT=1" \
-e "DEBUG_TRACE=1" \
--ip "${MK_FREEIPA_SERVER_IP}" \
--add-host "${MK_FREEIPA_SERVER_DOMAIN_NAME}:${MK_FREEIPA_SERVER_IP}" \
-p "443:443" \
--privileged=true \
freeipa/freeipa-server:fedora-38-4.10.2 \
--skip-mem-check \
--domain=${MK_INTERNAL_SUB_DOMAIN} \
--realm=${MK_FREEIPA_SERVER_REALM} \
--ds-password=${MK_FREEIPA_SERVER_DS_PASSWORD} \
--ip-address=${MK_FREEIPA_SERVER_IP} \
--admin-password=${MK_FREEIPA_SERVER_ADMIN_PASSWORD} \
--no-host-dns \
--unattended \
--setup-dns \
--allow-zone-overlap \
--auto-reverse \
--reverse-zone=${MK_FREEIPA_SERVER_DNS_REVERSE_ZONE} \
--auto-forwarders \
--no-ntp
The first problem is I can't run the container in privileged mode and --ip and --add-host options are missing.
Is it even possible to run FreeIPA in Docker Swarm?
Another Cert Expiration Problem
by Russ Long
I have a single-server IPA environment in my homelab. I noticed today that I was unable to delete a host from IPA, and found that pki-tomcatd was down and unable to start.
I found that several certificates had expired for some reason. I tried `ipa-cert-fix`, but that failed as pki-tomcat will not start.
I attempted to set the server date/time to a date 24 hours before the certificates expired, and was able to get tomcat to start, however the `ipa-cert-fix` now fails with this error:
CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1: "INFO: Loading instance type: pki-tomcatd\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Loading subsystem registry: /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']\nINFO: Renewing the following additional certs: ['16']\nINFO: Stopping the instance to proceed with system cert renewal\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n")
I reviewed the blog at https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom... (Thanks Flo!) but was still unable to get anything working. The Certificate password test fails with these errors:
[root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
[root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
Any ideas what I can try?
Re: Plans for integrating DHCP
by Charles Hedrick
We did most of this, and have been using it for a few years. However it depends upon the ISC DHCP server, which is now EOL. The replacement, KEA, does not support LDAP, and there are no plans for it to.
I think the reason is that they didn't want to put dynamic addresses in LDAP, because LDAP is thought of as read-mostly. The way LDAP is used in IPA, of course, means there are lots of changes going on. For most sites, I suspect putting leases in LDAP would be OK. But ISC isn't going to help, I don't think.
________________________________
From: Ellsworth, Nathan Andrew via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, September 25, 2023 2:09 PM
To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Cc: Ellsworth, Nathan Andrew <Nathan.Ellsworth(a)UTDallas.edu>
Subject: [Freeipa-users] Re: Plans for integrating DHCP
There is an interesting design document already for DHCP with FreeIPA.
https://www.freeipa.org/page/DHCP_Integration_Design