Recent Posts

IPA-IPA trust progress report

FreeIPA and SSSD teams are working to enable IPA deployments to trust each other. This report outlines the progress we have so far.

Trust across enterprise domains

FreeIPA implements an enterprise domain management: systems enrolled into domain managed centrally and access resources available through the domain controllers. These resources include information about users and groups, machines, Kerberos services and different rules that can bind them. FreeIPA supports a trust to Active Directory forest by posing as a separate Active Directory forest with a single Active Directory domain (a forest root).

The approach helps to integrate with a majority of...

CentOS Connect 2024 report

February 1st-4th I participated in two events in Brussels: CentOS Connect and FOSDEM. FOSDEM is getting closer to its quarter a century anniversary next year. With 67 mini-conferences and another 30 events around it, it is considered one of the largest conferences in Europe, any topic included. This report is about CentOS Connect.

CentOS Connect

CentOS Connect was a two-day event preceding FOSDEM. Organized by the CentOS project, it brought together contributors from multiple projects around CentOS Stream upstreams (such as Fedora Project) and downstreams (from Red Hat Enterprise Linux, AlmaLinux, Rocky Linux, and others), long-time users and...

Multi-homed FreeIPA server investigation

Once in a while people come and ask for FreeIPA servers to work in multi-homed environments. A multi-homed environment in this context is a deployment where the same server is accessible through multiple network interfaces which connect together networks which are not routable to each other. This is typical for administrative and operational networks but there are other types of environments which employ disconnected networks for their operations. FreeIPA server right now has a single host name that resolves to the same IP address in all networks and if one cannot reach the server through that IP address, access to...

Flock to Fedora 2023 report

On August 2nd-4th, 2023, Fedora Project ran its annual contributors conference, Flock to Fedora, in Cork, Ireland. After a previous successful Flock in 2019 in Budapest, Fedora contributors did not meet in person due to rough pandemia years and had created Nest with Fedora online event instead. Nest ran for three years but online meetings aren’t a full replacement for face to face collaboration. Cork’s Flock was supposed to combine both online and offline events together.

I have been attending and presenting at various Flock and Nest events over past seven years. I was looking forward to see and...

FreeIPA authentication improvements and Fedora Infrastructure part 2

This article continues the discussion about FreeIPA authentication improvements and how they could benefit Fedora Infrastructure.

FreeIPA 4.9.10 has added support for relaying authentication to OAuth2 identity providers (IdPs). Users would get their access to FreeIPA resources mediated by an external OAuth2 identity provider which supports OAuth2 device authorization grant flow (RFC 8628). This is not too dissimilar from how smart TVs connect to Youtube and other media services on your behalf. A user would be able to grant access to a scoped information to a FreeIPA OAuth2 client registered with such IdP. In order to authorize the...

FreeIPA authentication improvements and Fedora Infrastructure part 1

The Fedora project exists because of its contributors. Their contributions shape the landscape of Linux distributions in a direct way but they also have made a significant influence on the Open Source projects themselves. Fedora contributors are not only people who participate in package maintenance, there are upstream developers, documentation writers, quality assurance engineers across multiple industries, students, volunteers and many many others. As with many other areas, this participation is bi-directional and practices established in the Fedora project may apply elsewhere too.

One area dear to me is authentication. The FreeIPA project serves as an umbrella to provide a...

Lost in (Kerberos) service translation?

A year ago Brian J. Atkisson from Red Hat IT filed a bug against FreeIPA asking to remove a default [domain_realm] mapping section from the krb5.conf configuration file generated during installation of a FreeIPA client. The bug is still open and I’d like to use this opportunity to discuss some less known aspects of a Kerberos service principal resolution.

When an application uses Kerberos to authenticate to a remote service, it needs to talk to a Kerberos key distribution center (KDC) to obtain a service ticket to that remote service. There are multiple ways how an application could construct...

FOSDEM 2018 IAM devroom

FOSDEM is one of largest free software conferences in Europe. It is run by volunteers for volunteers and since 2001 gathers together more than 8000 people every year. Sure, during first years there were less visitors (I had been lucky to actually present at the first FOSDEM and also ran a workshop there) but the atmosphere didn’t change and it is still has the same classical hacker gathering feeling.

In 2018 FOSDEM will run on the weekend of February 3rd and 4th. Since the event has grown up significantly, there are multiple development rooms in addition to the main...

Flock 2017 day one

I’m attending Flock 2017, which is an annual conference for Fedora Project. This year it happens on a Cape Cod peninsula of the Massachusetts state in the U.S. The conference started on August 29th at a local resort and conference center in Hyannis, a town with a history, most commonly known for JFK legacy.

This year Flock is more action oriented. Many tolks are in fact collaborations where people discuss and hack together rather than being lectured. However, there is plenty of talks that allow others to digest what’s happening within fast moving projects in Fedora project universe.

While containers...

How to debug FreeIPA privilege separation issues

FreeIPA 4.5 has a lot of internal changes. A server side of the FreeIPA framework now runs in a privilege separation mode. This improves security of FreeIPA management operations but complicates debugging of the server. During FreeIPA 4.5 development phase Simo Sorce and I spent a lot of time debugging regressions and decided to document how we log events and how to debug server side operations. As result, this article details on what privilege separation means in FreeIPA management framework context and how to debug it.

FreeIPA JSON-RPC API article

FreeIPA Web UI provides a browser for discovering application programming interface (API) since version FreeIPA 4.2. However, the API itself is not yet officially supported and there is no documentation on how to access it. Some time ago I wrote a blog post detailing on how to access the API from an external client, like curl utility. The blog post was quite popular and allowed to create bindings to FreeIPA API in Perl and other languages. However, the blog post assumed you know what you are doing. In order to help those starting from scratch, I wrote a larger...

Samba and identity tales

Samba is built to bridge Windows and POSIX worlds. Apart from the file system semantics, there are many other differences. The story I’m about to tell concerns users and groups. They have different meaning and representation in both worlds, so translation is required, similar to a real life. In real life translators often have to take into account cultural differences and sometimes lack of certain concepts in the language they are translating to.

Protocol communications which Samba implements, end up bringing in objects which have a certain meaning in one world that doesn’t really have a one to one counterpart...

Creating permissions in FreeIPA

FreeIPA has quite flexible system to define access rights for any resources in the LDAP store. The system consists of three different parts:

  • a permission object
  • a privilege object, and
  • a role object.

Permission object specifies the target of the access grant: what attributes of which objects in LDAP would be subject of the checks.

A privilege allows to combine several permissions together in a logical task. A role defines who can have access to privileges.

An example below is a somewhat complex use of the permission system to allow groups of administrators to manage specific hosts. We...

Single sign-on into virtual machines on Linux

This weekend I looked into making possible a single sign-on into Fedora 24 guests running on libvirt/KVM. Suppose you have a libvirt-based server where a number VMs is deployed with VMs presenting graphical workstations. This is not far from what ovirt.org does (RHEV product). You want to have both your virtualization infrastructure and OS environments in VMs to be enrolled into FreeIPA and thus accessible with single sign-on from an external client.

There are several layers of single sign-on here. Once you signed into your external client, supposedly you have valid Kerberos credentials that can be used to obtain service...

Talking to FreeIPA API with sessions and JSON-RPC

Occasionally I see questions on how to drive FreeIPA programmatically. One can use ipa <command> from enrolled IPA clients or go directly to Python API (as /usr/sbin/ipa utility is just a tiny shim over the Python API). However, if you want to drive operations from other frameworks or from non-IPA clients, there is another way and it is actually very simple.

FreeIPA web UI is one example of such use. It is a JavaScript-based application which is downloaded by the browser when visiting IPA web site. The application bootstraps itself and issues JSON-RPC requests to...

SambaXP 2015 travel report

I’ve attended annual SambaXP conference on May 19th-21st. I’ve presented about FreeIPA ID Views and this year we also had quite a few Red Hat’s talks in the program so that organizers even made a 'Red Hat track' on the last day, with all speakers in that track coming with a Shadowman.

SambaXP is a conference run by SerNet GmbH in Goettingen, Lower Saxony, Germany. SerNet is one of core contributors to Samba project, organized by, among others, Volker Lendecke who is founder of Samba project along with Andrew Tridgell and Jeremy Allison.

...

Playing with FreeIPA ipa-ldap-updater

FreeIPA has a number of well-hidden utilities used to simplify administrative tasks when setting up or upgrading the master servers. Out of these utilities ipa-ldap-updater is one that is helpful for some common tasks which otherwise would require use of ldapadd/ldapmodify.

One strength of ipa-ldap-updater is in the template language it provides to abstract out deployment details. Each FreeIPA server has several constants like LDAP tree suffix, FreeIPA realm, and few more. These constants can be referred in a generic form without explicitly spelling their value. This approach makes ipa-ldap-updater a valuable tool for expressing...

FreeIPA and Fedora 21

I have a terrible secret to confess: despite all the effort we made in FreeIPA to integrate with Fedora releases, Fedora 21 is the first release where FreeIPA is installable from the distribution media. You can finally fetch an ISO image and install FreeIPA from it without first updating from the Fedora updates.

It is amazing that a simple “meet the deadline” goal is hard to actually meet but that is our reality. In Fedora 21 we’ve got FreeIPA as part of a release criteria for the Fedora Server. Starting from an alpha release, a failure to enroll FreeIPA...

Setting up S4U2Proxy with FreeIPA

When using Kerberos to authenticate users, applications often need to talk to another services on behalf of a user. For example, a user connects to a web mail application which, in turn, talks to a mail store. It is often a good idea to limit what an application service could do while pretending to others to be a user. A web mail application accessed by an admin should not be able to create new users or delete them at its own will. A mail store, when presented with user credentials, should also not allowed to create or delete...