Broken WebUI
by Kristian Petersen
When I try to reset a password for a user and pull up the page for that
specific user, it shows them as being disabled even if they aren't. This
causes the Reset Password option to be grayed out, among other things. I
verified the users weren't actually disabled by running ipa user-show
<username> on a few of them. If you do a user search in the WebUI or show
all of the users in the system, the status shows correctly on that page of
the Web UI. This problem appears to happen across the replicas as well.
After playing around with the Web UI for a bit, I found that a refresh of
the user's page gives back access to the Reset Password option, but just
for that view. If you go to another user, the problem resurfaces. I have
confirmed this happens in both Chrome and Firefox running on both Windows
and Linux. The httpd logs show nothing, and the /var/log/ipa logs aren't
helpful either.
IPA got some updates recently (which also appear to have broken
pki-tomcatd), but I'm not sure if the two problems are related.
--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
6 years, 5 months
unexpected upgrade to 4.5
by Charles Hedrick
I just installed a new replica on CentOS 7.3. Our existing servers are also on CentOS 7.3, and use IPA 4.4, which comes with CentOS 7.3. I was somewhat surprised to find that my new replica was IPA 4.5 with a newer version of sssd as well. It appears that the replica install process did the CentOS 7.4 upgrades for ipa and sssd, though the rest of the system is still CentOS 7.3. The resulting system works, with only minor differences in behavior in sssd. But it was unexpected.
We’ll do a full CentOS 7.4 upgrade at the next major break, but had been holding off doing that during a semester.
It’s moderately important to me not to get unexpected versions of software. I didn’t even notice the difference until the replica was in production. In a sense that’s good, because it means 4.5 works fine. But we could also have discovered it the hard way …
6 years, 5 months
Manual client configuration
by Mark Haney
I'm pretty sure y'all are tired of my stupid questions, but I've got
that new Geek smell with regards to IPA, and definitely with manual
configuration. This should be easy to answer. I've got all the
necessaries manually set up and I'm at the step to get the certificate
from the IPA server. TFM states this is the correct syntax to do so:
[root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert
-K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'
The problem I'm having is with the HOST/ and CN options, the reason
being that the host I'm enrolling doesn't have the same domain name as
the IPA server I'm using. The client is 'rad.astacalaska.net' and the
IPA server domain (and realm) is neonova.net. In IPA the client
principal alias is host/rad.astacalaska.net@NEONOVA.NET. I tried this:
ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K
HOST/rad.astacalaska.net -N 'CN=rad.astacalaska.net,O=NEONOVA.NET'
But after this completes (without an error I might add) and I try to su
into my IPA account on the server I get 'unknown user'. I'm almost
certain I've got things configured correctly except for this last bit.
This box is on a /very slow/ link and the getcert was almost
instantaneous, which makes me wonder if the command is wrong. I can
post logs if need be, but getting them is time consuming so this might
be a long troubleshooting process. So, is the command above correct?
Or should it be changed?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney@neonova.net
www.neonova.net
6 years, 5 months
ERROR: CIFS server communication error: Memory allocation error (both may be "None") upon establishing trust
by Bart J
Hi all,
I have been trying to set up a one-way trust for quite a while. I thought I had everything sorted out, but when I tried to move from the test environment to production, I received the error below upon trying to set up the trust with ipa trust-add:
ipa trust-add --type=ad my.domain.com --admin adminaccount --password
ipa: ERROR: CIFS server communication error: code "-1073741801", message "Memory allocation error" (both may be "None")
Googling returned some results that suggested upgrading samba and freeipa versions. I did so and now I am using:
freeipa - 4.5.3-1.fc26
samba - 2:4.6.7-0.fc26
This however didn't change the result.
What can be important here is that my.domain.com is a child domain of domain.com in terms of AD (it is a separate domain controller).
Can you please advise how to fix it?
6 years, 5 months
FREEIPA TACPLUS
by saidireddy ranabothu
Hi,
Please can anyone help me to integrate TACPLUS with FREEIPA for
authentication and authorisation.
6 years, 5 months
several IPA CA certificate entries
by Bhavin Vaidya
Hello,
I'm having various problems on our FreeIPA setup, like not being able to establish a new replica server or add a client anymore. Initially we had a certificate issue, then we upgraded the Master FreeIPA server (CentOS 7.0.146) to FreeIPA v4.4.0 a few months back.
On the master server it shows 4 entries for the IPA CA certificate. Is this normal?
[root@ds01 ~]# certutil -d /etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
thank you,
regards,
Bhavin
6 years, 5 months
IPA curl timeout on slow link
by Mark Haney
I appreciate all the ideas on how to fix the SSL cert issue on updating
to 4.5.0, I'll work on that next week I hope.
This one should be much quicker (hopefully). My boss has insisted that
I get ipa-clients working on a half-dozen or so servers located in
Alaska. (Believe me, I argued strenuously over this, but was told 'no
unicorns'.) I've got all but two working, though login times range from
1-5 minutes depending on the weather. These last two are on incredibly
unstable links, I've spent three weeks updating just the core packages
to get the ipa-client to /install/. We're talking average 20-30% packet
loss and an average download speed for updates of ~500B/s to 10kB/s.
They are satellite links, all of them, by the way.
That said, I finished getting one ready and this morning tried to join
the domain. It took about ten minutes and bombed with:
Joining realm failed: libcurl failed to execute the HTTP POST
transaction. timed out before SSL handshake
So, is there a way to up the timeout for this? I can up the timeout for
curl on the command line, but I don't think that would help with this
issue. Any ideas?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney@neonova.net
www.neonova.net
6 years, 5 months
Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)
by Kees Bakker
Hey,
This week I tried to install Samba (which failed because of Ubuntu, but that's
another story).
One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
on my IPA master server.
But now it keeps switching my default principal to cifs/myhost@MYREALM (and
in this case I'm root).
Next I do kdestroy -A, and a new kinit admin.
root@rotte:~# kdestroy -A
root@rotte:~# klist
klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
root@rotte:~# kinit admin
Password for admin@GHS.NL:
root@rotte:~# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
Default principal: admin@GHS.NL

Valid starting       Expires              Service principal
12-10-17 11:39:10    13-10-17 11:39:05    krbtgt/GHS.NL@GHS.NL
Great, this is what I expected. But ... within 5 minutes
root@rotte:~# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
Default principal: cifs/rotte.ghs.nl@GHS.NL

Valid starting       Expires              Service principal
12-10-17 11:42:10    13-10-17 11:42:10    ldap/rotte.ghs.nl@GHS.NL
12-10-17 11:42:10    13-10-17 11:42:10    krbtgt/GHS.NL@GHS.NL
Argh, who/what is doing this?
--
Kees Bakker
6 years, 5 months
Upgrading with GoDaddy SSL cert for https only
by Mark Haney
I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on
C7 (along with updating C7 to 7.4) and it bombed spectacularly. It
seems the upgrade process doesn't like the GoDaddy SSL cert we supplied
for HTTPS only. Is there documentation explaining the process with an
HTTPS only SSL cert for IPA? The last time we tried to set this up it
was two weeks worth of headaches before we managed to get it working
(and I didn't do it, so it wasn't documented), I mention that because I
got a concussion from slamming my head against my desk trying to get it
working.
I don't want to replace the CA cert in IPA, just use the GD cert for
HTTPS so Chrome, et al, won't bark about it.
I've googled this, but there's so much conflicting info, I'm not sure
what's really good or bad. Seems there are fifteen ways to setup SSL
certs, but none are clear (to me) on what's the correct method for just
HTTPS.
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney@neonova.net
www.neonova.net
6 years, 5 months