When I tried to create Principal ("prabhat/admin") in Kerberos (Kadmind Server) using the addprinc command.
kadmin -q "addprinc prabhat/admin"
I got the following error
Authenticating as principal prabhat/admin with password.
Kadmin: client not found in kerberos database while initializing kadmin interface
In order to create principals in Kadmin server, first you will have to create a principal using kadmin.local command,
kadmin.local -q "addprinc user1/admin"
kadmin.local -q "list_principals"
will give a list of principals, that will help you to get authenticated.
Now, you can use user1/admin as an authorized principal to create further principals, without using kadmin.local
kadmin -p user1/admin -q "addprinc user2/admin"
Related
I'm following the AWS supply chain workshop. I created an EC2 instance and set up a VPC just like the workshop said. Now I'm connected to the EC2 instance using SSH and I've already downloaded the required packages, setup Docker, downloaded fabric-ca-client. My problem is configuring the fabric-ca client.
When I run the command fabric-ca-client enroll with the required params/flags, it retuns the following error: Error: Failed to create default configuration file: Failed to parse URL 'https://$USER:=9_phK63?#$CA_ENDPOINT': parse https://user:password#ca_endpoint: invalid port ":=9_phK63?" after host
Here's the complete command I'm trying to run: fabric-ca-client enroll -u https://$USER\:$PASSWORD#$CA_ENDPOINT --tls.certfiles ~/managedblockchain-tls-chain.pem -M admin-msp -H $HOME
I'm wondering if the ? in the password is causing the problem. If so, where can I change it?
Workshop link for reference: https://catalog.us-east-1.prod.workshops.aws/workshops/ce1e960e-a811-475f-a221-2afcf57e386a/en-US/02-set-up-a-fabric-client/05-configure-client/06-create-fabric-admin
my name is Forrest and I am a Blockchain Specialist Solutions Architect at AWS. I'd be happy to help you with this.
When using passwords with special characters, these need to be URL-encoded. For example, $ equates to %24. As OP mentioned in comments below, there is a Javascript method encodeURIComponent() that can serve this function. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
Please make sure your environment variables are all still correctly set as well:
echo $USER
echo $PASSWORD
echo $CA_ENDPOINT
Your CA endpoint should resolve to something like:
ca.m-XXXXXXXXXXXXX.n-XXXXXXXXXXXXXX.managedblockchain.<AWS_REGION>.amazonaws.com:30002
Currently I'm able to kinit to a service using 2 vms (windows-server and linux). But I generate the keytab on the windows server, which is the domain controller.
I want to create the keytab from linux.
Currently I'm doing the following
in AD windows server [DOMAIN MYNETWORK.NET]
Create a service = aservice
Create a security group = ServiceAcc.
Make aservice member of ServiceAcc
Create a User = auser which is a Domain Controller of an OU
setspn -S HTTP/aservice.mynetwork.net auser
keytab: ktpass -Out service-a.keytab -Princ HTTP/aservice.mynetwork.net#MYNETWORK.NET -mapUser auser -Crypto All -Ptype KRB5_NT_PRINCIPAL -Pass *
In linux with krb5.conf configurated and dns pointing to the AD:
kinit: kinit -kt aservice.keytab HTTP/aservice.mynetwork.net#MYNETWORK.NET
So this works correctly. If I don't do the keytab with the user I can't kinit, etc.
Now, the issue I'm having is how to do all this directly from Linux and I'm not sure how to perfor this. All the documentation I can find is to do the following:
ktutil
ktutil: addent -password -p auser -k 1 -e aes256-cts
Password for auser#MYNETWORK.NET:
ktutil: wkt auser.keytab
But:
I can't kinit after that.
This only adds a user, not the service. I could do the same with the service but then I'm not adding the user.
I saw a way to possible do this with kadmin, but I was having issues with that too as I get identification issues every time I try to use it.
Note: I've tried to keep things as simple as possible in this question as that is as far as my knowledge goes. Any form of help is appreciated
I'm new to FreeIPA and I struggle to request a SSL certificate and key file from FreeIPA as Certificate Authority.
I verify I get a krbtgt using klist using the credentials of Certificate Admin.
$ klist
Valid starting Expires Service principal
01/05/2022 5:35:35 01/06/2022 5:35:35 krbtgt/MYDOM#MYDOM
renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
-f /tmp/test.cert.pem \
-g 4096
-K HTTP/service.mydom \
-T caIPAserviceCert \
-D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
Only thing being created is the private key:
$ ls /tmp
test.key
Why isn't the certificate being created ? Insufficient privileges.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom#MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Though I am able to run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicatae freeipa-request-certificate-with-cname
Any ideas?
Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for web host.
Only the target machine can create a certificate (IPA uses the host
kerberos ticket) by default, so to be able to create the certificate
on your IPA server you need to allow it to manage the web service for
the www host.
[root#ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/
In my use case I am using single ec2 instance [not a cluster]. I want to create a database and an user with all privileges programmatically? Is there a config file which I can edit and copy to the right location after influxdb is installed.
Could someone help me with this?
There isn't any config option that you can use to do that with InfluxDB itself. After starting up an instance you can use the InfluxDB HTTP to create the users. The curl command to do so would be the following:
curl "http://localhost:8086/query" --data-urlencode "q=CREATE USER myuser WITH PASSWORD 'mypass' WITH ALL PRIVILEGES"
Just run this command for each of the users you'd like to create. After that, you'll need to enabled the auth value of the [http] section of the config.
you can use ansible to setup influxb with your own recipe.
here's the ansible module documentation that you can use
http://docs.ansible.com/ansible/influxdb_database_module.html
or, any config/deploy manager that you prefer. i'd do this anyday instead of some ssh script or who knows what.
https://forge.puppet.com/tags/influxdb
chef.
https://github.com/bdangit/chef-influxdb
and also, you can use any of the above config managers to provision/manipulate your ec2 instance(s).
Use the admin token and this command (InfluxDB 2.3 CLI)
.\influx.exe user create -n yourusername -p yourpassword -o "your org name" --token admintokengoeshere
I'm attempting to test a single node dev cluster for openshift which I've created. I cannot run any basic commands on the cluster, because I haven't set up properly privliged accounts.
In particular I need to:
run pods which make containers which query service endpoints
query the apiserver through an insecure endpoint
run commands like kubectl get pods
Is there a default account somewhere I can use which can do all of these things? I'd prefer not to manually set up a bunch of complicated user accounts for a low-level development task such as this.
Below are a few, somewhat silly attempts I've made to do this, just as examples
First, I created an "admin" account like this:
sudo -u vagrant $oc login https://localhost:8443 -u=admin -p=admin --config=/data/src/github.com/openshift/origin/openshift.local.config/master/openshift-registry.kubeconfig
Then, I went ahead and hacked around in a few attempts to login as an admin:
[vagrant#localhost ~]$ sudo chmod 777 /openshift.local.config/master/admin.kubeconfig
[vagrant#localhost ~]$ oc login
Server [https://localhost:8443]:
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
Authentication required for https://localhost:8443 (openshift)
Username: admin
Password: admin
Login successful.
Using project "project1".
[vagrant#localhost ~]$ oc get nodes --config=/openshift.local.config/master/admin.kubeconfig
This leads to the following error:
Error from server: User "admin" cannot list all nodes in the cluster
I also get this error leaving the config out:
[vagrant#localhost ~]$ oc get nodes
Error from server: User "admin" cannot list all nodes in the cluster
Is there any easy way to list nodes and do basic kube operations in a standalone development cluster for openshift?
You don't login when you are using administrative credentials. You simply set KUBECONFIG=admin.kubeconfig. Login is taking you through a different flow - there is no magic "admin" user.