Mapping IPA group to Linux system group
by Supratik Goswami
Hello All,
Is there a way to map IPA group to a local Linux system group?
For example, I have a Linux group wheel and I want the IPA group ipawheel to
be mapped such that when I add a user to the ipawheel group, the user becomes
a member of the wheel group on the local system (the IPA client).
--
Warm Regards
Supratik
replica-install fails
by Nick Campion
Trying to promote a client to a replica and it's failing with:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
The replica-install log:
2017-10-04T07:22:06Z DEBUG Restarting the KDC
2017-10-04T07:22:06Z DEBUG Starting external process
2017-10-04T07:22:06Z DEBUG args=/bin/systemctl restart krb5kdc.service
2017-10-04T07:22:06Z DEBUG Process finished, return code=0
2017-10-04T07:22:06Z DEBUG stdout=
2017-10-04T07:22:06Z DEBUG stderr=
2017-10-04T07:22:06Z DEBUG Starting external process
2017-10-04T07:22:06Z DEBUG args=/bin/systemctl is-active krb5kdc.service
2017-10-04T07:22:06Z DEBUG Process finished, return code=0
2017-10-04T07:22:06Z DEBUG stdout=active
2017-10-04T07:22:06Z DEBUG stderr=
2017-10-04T07:22:06Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1477, in install
    custodia.import_dm_password(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 124, in import_dm_password
    cli.fetch_key('dm/DMHash')
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 101, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2017-10-04T07:22:06Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
2017-10-04T07:22:06Z ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
2017-10-04T07:22:06Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Not really sure where to look for what is causing the error from here.
Any help appreciated.
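The log above arrives as one run-together blob, which makes it hard to see which step actually raised. The script below is an added example (not part of the post or of FreeIPA) that cuts such text back into timestamped records, pulls the traceback frames out, and reports the deepest frame inside IPA's own packages together with the first ERROR record. It assumes the record format shown in the post (ISO-8601 timestamp, level, message) and that IPA code lives under ipapython/ or ipaserver/; the sample input is a constructed, shortened copy of the quoted log.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the run-together
# /var/log/ipareplica-install.log text quoted in the post above
# (the real log carries many more traceback frames).
FUSED_LOG = (
    "2017-10-04T07:22:06Z DEBUG Restarting the KDC"
    "2017-10-04T07:22:06Z DEBUG Starting external process"
    "2017-10-04T07:22:06Z DEBUG args=/bin/systemctl restart krb5kdc.service"
    "2017-10-04T07:22:06Z DEBUG Process finished, return code=0"
    "2017-10-04T07:22:06Z DEBUG File "
    '"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in '
    "execute return_value = self.run() File "
    '"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", '
    "line 1477, in install custodia.import_dm_password(config.master_host_name) File "
    '"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", '
    "line 124, in import_dm_password cli.fetch_key('dm/DMHash') File "
    '"/usr/lib/python2.7/site-packages/requests/models.py", line 834, in '
    "raise_for_status raise HTTPError(http_error_msg, response=self)"
    "2017-10-04T07:22:06Z ERROR 406 Client Error: Failed to validate message: "
    "No recipient matched the provided key"
    "2017-10-04T07:22:06Z ERROR The ipa-replica-install command failed. "
    "See /var/log/ipareplica-install.log for more information"
)

# A new record begins wherever an ISO-8601 timestamp followed by a level appears.
RECORD_START = re.compile(
    r"(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (?:DEBUG|INFO|WARNING|ERROR) )")
RECORD = re.compile(r"^(\S+) (DEBUG|INFO|WARNING|ERROR) (.*)$", re.S)
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')

Record = Dict[str, str]
Frame = Tuple[str, int, str]


def split_records(text: str) -> List[Record]:
    """Cut run-together log text back into {ts, level, msg} records."""
    records = []
    for chunk in RECORD_START.split(text):
        m = RECORD.match(chunk.strip())
        if m:
            records.append({"ts": m.group(1), "level": m.group(2), "msg": m.group(3)})
    return records


def traceback_frames(records: List[Record]) -> List[Frame]:
    """Every 'File "...", line N, in func' frame, outermost first."""
    return [(path, int(line), func)
            for rec in records
            for path, line, func in FRAME.findall(rec["msg"])]


def innermost_ipa_frame(frames: List[Frame]) -> Optional[Frame]:
    """Deepest frame inside IPA's own packages (assumption: ipapython/ipaserver
    paths), skipping third-party libraries such as requests."""
    own = [f for f in frames if "/ipapython/" in f[0] or "/ipaserver/" in f[0]]
    return own[-1] if own else None


def first_error(records: List[Record]) -> Optional[str]:
    """Message of the first ERROR-level record, if any."""
    for rec in records:
        if rec["level"] == "ERROR":
            return rec["msg"]
    return None


if __name__ == "__main__":
    recs = split_records(FUSED_LOG)
    print("first error:", first_error(recs))
    print("failing IPA frame:", innermost_ipa_frame(traceback_frames(recs)))
```

On the quoted log this points at custodiainstance.py, import_dm_password, i.e. the replica fetching the Directory Manager hash from the master through Custodia, which is where the 406 "No recipient matched the provided key" came back; that is the exchange to examine first rather than the directory-server upgrade steps that printed before it.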
IPA 4.4/4.5 replication and id-range issues
by dbischof@hrz.uni-kassel.de
Dear list,
I ran into a replication and id-range issue recently and need a hint. I
upgraded from FreeIPA 3.0 to 4.x a couple of months ago, everything ran
fine. Configuration is
o201: 4.5 master server
poolsrv: 4.5 replica server
Then I noticed that new accounts got UIDs starting after around 1100
(instead of after 150600000 as it used to be) and data changes (new
passwords, etc.) weren't propagated from replica to master (it works the
other way round, though). I'm unsure if these two problems are related to
each other.
Logs on the replica server showed:
---
Oct 1 12:51:25 poolsrv ns-slapd: [01/Oct/2017:12:51:25.971742707 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToo201.example.org" (o201:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
Oct 1 12:51:28 poolsrv ns-slapd: [01/Oct/2017:12:51:28.997226017 +0200] - ERR - agmt="cn=meToo201.example.org" (o201:389) - clcache_load_buffer - Can't locate CSN 59ce5686000200070000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 1 12:51:29 poolsrv ns-slapd: [01/Oct/2017:12:51:29.029970733 +0200] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=meToo201.example.org" (o201:389): CSN 59ce5686000200070000 not found, we aren't as up to date, or we purged
Oct 1 12:51:29 poolsrv ns-slapd: [01/Oct/2017:12:51:29.050568545 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=meToo201.example.org" (o201:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
---
I did a
---
ipa-replica-manage re-initialize --from o201.example.org
---
on the replica server and the errors in the logs went away - the problems
(both) didn't, unfortunately.
The logs now show
---
Oct 1 18:45:44 poolsrv ns-slapd: [01/Oct/2017:18:45:44.794912092 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1103] into an unused SID.
Oct 1 18:45:44 poolsrv ns-slapd: [01/Oct/2017:18:45:44.851503923 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
Oct 1 18:46:53 o201 ns-slapd: [01/Oct/2017:18:46:53.360717035 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1106] into an unused SID.
Oct 1 18:46:53 o201 ns-slapd: [01/Oct/2017:18:46:53.361100457 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
---
Further information:
---
root@o201:~# ipa idrange-find
---------------
1 range matched
---------------
Range name: EXAMPLE.ORG_id_range
First Posix ID of the range: 150600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
root@o201:~# ipa-replica-manage dnarange-show
o201.example.org: 1108-5000
poolsrv.example.org: 1105-5000
---
The latter looks broken. The above output is identical on both the
master and the replica server. "ipactl status" shows all services running
on both servers.
Best regards,
--Daniel.
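The two command outputs in the post can be checked against each other mechanically. The script below is an added example, not part of the post or of FreeIPA: it parses the `ipa idrange-find` and `ipa-replica-manage dnarange-show` output formats as quoted above and flags two conditions visible in that output, DNA ranges that lie outside every local domain ID range (1108-5000 against 150600000-150799999) and DNA ranges of two servers that overlap (both servers end at 5000, so they can hand out the same UID). My understanding of the sidgen messages is that a POSIX ID outside the local range has no RID to map to, which fits "Cannot convert Posix ID [1103] into an unused SID"; the sample inputs are constructed copies of the quoted output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two command outputs quoted in the post above.
IDRANGE_FIND = """\
---------------
1 range matched
---------------
  Range name: EXAMPLE.ORG_id_range
  First Posix ID of the range: 150600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

DNARANGE_SHOW = """\
o201.example.org: 1108-5000
poolsrv.example.org: 1105-5000
"""

IdRange = Tuple[str, int, int, str]   # name, first ID, last ID, range type
DnaRange = Tuple[str, int, int]       # server, first ID, last ID
DNA_LINE = re.compile(r"^(\S+):\s*(\d+)-(\d+)$")


def parse_idranges(text: str) -> List[IdRange]:
    """Parse `ipa idrange-find` output into (name, first, last, type) tuples."""
    ranges: List[Dict[str, object]] = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Range name":
            ranges.append({"name": value})
        elif key == "First Posix ID of the range":
            ranges[-1]["first"] = int(value)
        elif key == "Number of IDs in the range":
            ranges[-1]["size"] = int(value)
        elif key == "Range type":
            ranges[-1]["type"] = value
    return [(str(r["name"]), int(r["first"]),
             int(r["first"]) + int(r["size"]) - 1, str(r["type"]))
            for r in ranges]


def parse_dnaranges(text: str) -> List[DnaRange]:
    """Parse `ipa-replica-manage dnarange-show` output."""
    out = []
    for raw in text.splitlines():
        m = DNA_LINE.match(raw.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def dna_outside_local_ranges(idranges: List[IdRange],
                             dnaranges: List[DnaRange]) -> List[str]:
    """Servers whose DNA range is not fully inside some local domain ID range."""
    local = [(f, l) for _, f, l, t in idranges if t == "local domain range"]
    return [srv for srv, lo, hi in dnaranges
            if not any(f <= lo and hi <= l for f, l in local)]


def overlapping_dna_ranges(dnaranges: List[DnaRange]) -> List[Tuple[str, str]]:
    """Pairs of servers whose DNA ranges intersect (they could allocate the same ID)."""
    pairs = []
    for i, (a, alo, ahi) in enumerate(dnaranges):
        for b, blo, bhi in dnaranges[i + 1:]:
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    idr = parse_idranges(IDRANGE_FIND)
    dna = parse_dnaranges(DNARANGE_SHOW)
    print("DNA ranges outside local ID ranges:", dna_outside_local_ranges(idr, dna))
    print("overlapping DNA ranges:", overlapping_dna_ranges(dna))
```

Both checks fire on the quoted data; a healthy deployment returns an empty list from each, with every server's DNA range sitting inside the local domain range and disjoint from the other servers' ranges.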
Freeipa problem after ipa-restore
by xattab@syneforge.com
Hi! When I restore from a backup I get this error in the log:
dse_read_one_file - The entry cn=schema in file
/etc/dirsrv/slapd-SF/schema/65ipacertstore.ldif (lineno: 1) is invalid,
error code 21 (Invalid syntax) - object class ipaCertificate: Unknown
required attribute type "ipaPublicKey"
dse - Please edit the file to correct the reported problems and then
restart the server.
I have IPA VERSION: 4.1.4
Thx
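The directory server is refusing to start because an object class in one schema file requires an attribute type that no schema file defines. The checker below is an added example, not part of the post or of FreeIPA: it unfolds LDIF continuation lines, collects every attribute name declared by attributeTypes lines across a set of schema files, and reports every MUST or MAY attribute of an objectClasses definition that is missing, in the same wording as the server's message. The sample files are constructed; the OID arc 1.3.6.1.4.1.99999 is a placeholder, and only the object class name ipaCertificate and the attribute name ipaPublicKey come from the post.

```python
import re
from typing import Dict, List

# Constructed sample schema files (OID 1.3.6.1.4.1.99999.* is a placeholder,
# not IPA's real OID arc). The ipaCertificate object class requires
# ipaPublicKey, which no attributeTypes line defines, reproducing the
# "Unknown required attribute type" condition from the post above.
SAMPLE_SCHEMA_FILES: Dict[str, str] = {
    "00core.ldif": """\
dn: cn=schema
attributeTypes: ( 2.5.4.0 NAME 'objectClass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.13 NAME 'description' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
""",
    "65ipacertstore.ldif": """\
dn: cn=schema
objectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'ipaCertificate' SUP top STRUCTURAL
  MUST ( cn $ ipaPublicKey ) MAY ( description ) )
""",
}

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")
LIST_RE = {kw: re.compile(r"\b%s\s+(?:\(([^)]*)\)|'?([\w;-]+)'?)" % kw)
           for kw in ("MUST", "MAY")}


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def names_of(defn: str) -> List[str]:
    """All NAME values of a schema definition ('x' or ( 'x' 'y' ))."""
    m = NAME_RE.search(defn)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))


def attr_list(defn: str, kw: str) -> List[str]:
    """Attribute names listed under MUST or MAY, single or $-separated."""
    m = LIST_RE[kw].search(defn)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip().strip("'") for a in body.split("$") if a.strip()]


def check_schema(files: Dict[str, str]) -> List[str]:
    """Report MUST/MAY attributes of object classes that no attributeTypes line defines."""
    known = set()
    uses = []
    for fname, text in files.items():
        for line in unfold(text):
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key == "attributetypes":
                known.update(n.lower() for n in names_of(value))
            elif key == "objectclasses":
                cls = (names_of(value) or ["?"])[0]
                for kw in ("MUST", "MAY"):
                    for attr in attr_list(value, kw):
                        uses.append((fname, cls, kw, attr))
    return ['%s: object class %s: Unknown %s attribute type "%s"'
            % (fname, cls, "required" if kw == "MUST" else "optional", attr)
            for fname, cls, kw, attr in uses if attr.lower() not in known]


if __name__ == "__main__":
    for problem in check_schema(SAMPLE_SCHEMA_FILES):
        print(problem)
```

Run against a real instance by reading every *.ldif under the schema directory named in the error into the dict; an empty result means every required and optional attribute of every object class is defined somewhere in the set, which is the condition the server enforces at startup. Because the check covers the whole directory rather than one file, it also shows when the fix is a missing or outdated neighbouring schema file rather than the file named in the message.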
could not get zone keys for secure dynamic update
by r3pek
Hi list!
I'm trying to understand why my DNS zone refuses to get updated/signed.
After an "rndc reload" I get this in the named-pkcs11 logs:
<....>
failed to parse RR entry: resource record DN
'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com'
<....>
update_record (syncrepl) failed, resource record DN
'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com'
change type 0x1. Records can be outdated, run `rndc reload`: syntax
error
<....>
zone example.com/IN (signed): could not get zone keys for secure dynamic
update
zone example/IN (signed): receive_secure_serial: unchanged
<....>
Naturally, I checked the DNSSEC troubleshooting guide [1]:
- Zone is set to have in-line signing
- It appears on the zone list command to ods-ksmutil
- The KSK and ZSK keys are both active and have not expired
- The [...]/localhsm.py script result looks ok according to the expected
results.
The question now is: how can I fix this?
Also, if the only fix is to disable and re-enable DNSSEC, does that have
any implications?
Thanks in advance!
Carlos Mogas da Silva
[1]
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
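The named-pkcs11 messages say the record under mail._domainkey could not be parsed ("syntax error") before the zone keys complaint appears, and a DKIM TXT record is the usual content of that name. The validator below is an added example, not part of the post, of bind-dyndb-ldap or of FreeIPA: it tokenizes TXT RDATA by master-file rules (double-quoted strings with backslash escapes, bare words, an unquoted ';' starting a comment) and reports the conditions that commonly make such a record unparseable or silently truncated: an unbalanced quote, a single character-string over the 255-byte limit, or an unquoted semicolon inside a DKIM value. That these are the cause here is my assumption; the inputs are constructed.

```python
from typing import List, Tuple

MAX_CHARSTRING = 255  # RFC 1035 <character-string> length limit


def tokenize_txt_rdata(rdata: str) -> Tuple[List[str], bool]:
    """Split TXT RDATA into character-strings using master-file rules.
    Returns (strings, truncated_by_comment); raises ValueError on an
    unbalanced double quote."""
    strings: List[str] = []
    buf: List[str] = []
    in_quote = False
    truncated = False
    i = 0
    while i < len(rdata):
        c = rdata[i]
        if in_quote:
            if c == "\\" and i + 1 < len(rdata):   # backslash escape
                buf.append(rdata[i + 1])
                i += 2
                continue
            if c == '"':
                strings.append("".join(buf))
                buf = []
                in_quote = False
            else:
                buf.append(c)
        elif c == '"':
            if buf:
                strings.append("".join(buf))
                buf = []
            in_quote = True
        elif c == ";":                              # unquoted ';' starts a comment
            truncated = True
            break
        elif c.isspace():
            if buf:
                strings.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if in_quote:
        raise ValueError("unbalanced double quote in TXT RDATA")
    if buf:
        strings.append("".join(buf))
    return strings, truncated


def txt_rdata_problems(rdata: str) -> List[str]:
    """Reasons the RDATA would fail to load or lose data; empty when it is fine."""
    try:
        strings, truncated = tokenize_txt_rdata(rdata)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if truncated:
        problems.append("unquoted ';' starts a comment; the rest of the record is dropped")
    if not strings:
        problems.append("no character-string in TXT RDATA")
    for idx, s in enumerate(strings):
        n = len(s.encode("utf-8"))
        if n > MAX_CHARSTRING:
            problems.append("character-string %d is %d bytes (max %d)" % (idx, n, MAX_CHARSTRING))
    return problems


def chunk_txt(value: str, size: int = MAX_CHARSTRING) -> str:
    """Re-encode a long ASCII value (e.g. a DKIM public key) as consecutive
    quoted strings of at most `size` bytes; resolvers concatenate them."""
    data = value.encode("utf-8")
    parts = [data[i:i + size].decode("utf-8") for i in range(0, len(data), size)]
    return " ".join('"%s"' % p.replace("\\", "\\\\").replace('"', '\\"') for p in parts)


if __name__ == "__main__":
    # Constructed inputs: a sound record, a key too long for one string, and
    # an unquoted value whose ';' would truncate it.
    for sample in ('"v=DKIM1; k=rsa; p=abc"', '"v=DKIM1; k=rsa; p=' + "A" * 300 + '"',
                   'v=DKIM1; k=rsa; p=abc'):
        print(sample[:40], "->", txt_rdata_problems(sample) or "ok")
```

Feeding each tXTRecord value of the affected name through txt_rdata_problems before it is stored is the cheapest check; chunk_txt shows the form a long key has to take so that no single string exceeds 255 bytes.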
OTP Failure For LDAP Bind 4.5
by Callum Guy
Hi All,
We are experiencing a strange fault since updating to CentOS 7.4 / FreeIPA
4.5.
All users on the system require password+OTP authentication. This works
normally for all logins however when authenticating over an interim LDAP
bind (used between our Cisco ASA and FreeIPA) the authentication will
accept password ONLY.
This presents a significant security issue for our platform but I am
struggling to isolate the cause. Has anyone seen a similar issue? I can't
get my head around how different authentication methods are requiring
different password formats.
Confused, please let me know if you have any ideas!
Callum
--
Callum Guy
Head of Information Security
X-on
--
0333 332 0000 | www.x-on.co.uk | https://www.linkedin.com/company/x-on | https://www.facebook.com/XonTel | https://twitter.com/xonuk
X-on is a trading name of Storacall Technology Ltd a limited company
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the
addressee(s) only. If you are not the intended recipient, please notify
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not
use, disclose, disseminate, distribute, copy, print or reply to this email. Views
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its
associated companies. Although X-on routinely screens for viruses,
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of
viruses in this email or any attachments.
"Clock skew too great" when mounting NFS with krb
by Troels Hansen
Hi
We have set up IPA with AD trust on RHEL and this works fine.
Running IPA 4.5
However, sometimes we are unable to mount home (with autofs).
I have found that the KDC claims "Clock skew too great"; however, I cannot see any problems.
kinit works fine and I have a kerberos TGT:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: USER@REALM

Valid starting       Expires              Service principal
09/06/2017 09:40:00  09/06/2017 19:40:00  krbtgt/REALM@REALM
        renew until 09/07/2017 09:39:54
To test, manually mounting fails:
mount.nfs4 -v -s -o rw,nodev,nosuid,hard,sec=krb5p profil01.domain:/var/nfs/profil/user/mnt/
mount.nfs4: timeout set for Wed Sep 6 09:42:29 2017
mount.nfs4: trying text-based options 'hard,sec=krb5p,sloppy,addr=10.101.173.91,clientaddr=10.101.11.195'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting profil01.domain:/var/nfs/profil/user
krb5kdc.log in IPA shows:
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
However, the time between ipa, client and nfs server is within 1 second (and same timezone).
I'm unsure on how to debug further as everything seems fine so any help would be appreciated.
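One detail in the quoted krb5kdc.log is easy to miss: the rejected TGS request is made by host/oas08d.domain@REALM, the client machine's own principal, not by USER@REALM whose TGT klist shows, so a working kinit for the user does not exercise the credentials that failed. The parser below is an added example, not part of the post or of FreeIPA: it breaks TGS_REQ lines of the format quoted above into fields (timestamp, KDC, offered enctypes, client IP, requesting principal, requested service, error text) and tallies failures per requester and service, so a log of any length reduces to the few principal/service pairs actually being refused. The sample input is a constructed copy of the four quoted lines.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four krb5kdc.log lines quoted in the post above.
KDC_LOG = """\
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): TGS_REQ (4 etypes {18 17 16 23}) 10.101.11.195: PROCESS_TGS: authtime 0, host/oas08d.domain@REALM for nfs/profil01.domain@REALM, Clock skew too great
Sep 06 09:43:56 ipa01.domain krb5kdc[1833](info): closing down fd 11
"""

# Field layout of the TGS_REQ lines as they appear in the quoted log.
TGS_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<stage>\w+): authtime (?P<authtime>\d+), +(?P<client>[^\s,]+) for (?P<service>[^\s,]+)"
    r"(?:, (?P<error>.+))?$")

Key = Tuple[str, str, str, str]  # client IP, requesting principal, service, error


def parse_tgs_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one TGS_REQ log line into its fields; None for any other line."""
    m = TGS_LINE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["etypes"] = [int(e) for e in m.group("etypes").split()]
    rec["authtime"] = int(m.group("authtime"))
    return rec


def failures_by_principal(log: str) -> Dict[Key, int]:
    """Count refused TGS requests keyed by (client IP, requester, service, error)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_tgs_line(line)
        if rec and rec.get("error"):
            counts[(str(rec["ip"]), str(rec["client"]), str(rec["service"]), str(rec["error"]))] += 1
    return dict(counts)


def clock_skew_clients(log: str) -> List[str]:
    """Distinct requesting principals the KDC rejected with 'Clock skew too great'."""
    seen: List[str] = []
    for line in log.splitlines():
        rec = parse_tgs_line(line)
        if rec and rec.get("error") == "Clock skew too great" and rec["client"] not in seen:
            seen.append(str(rec["client"]))
    return seen


if __name__ == "__main__":
    for key, n in failures_by_principal(KDC_LOG).items():
        print(n, "x", key)
    print("principals hit by clock skew:", clock_skew_clients(KDC_LOG))
```

On the quoted lines this yields a single key, (10.101.11.195, host/oas08d.domain@REALM, nfs/profil01.domain@REALM, Clock skew too great) seen twice, the second time with a shorter enctype list; the principal to check on the client (its keytab and the ticket cache the NFS mount helper uses, not the user's) is therefore the host principal.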