December 2017 - FreeIPA-users - Fedora Mailing-Lists

by Jonathan Kelley

ipa-server-4.5.0-21.el7.centos.2.2.x86_64 ipa-server-common-4.5.0-21.el7.centos.2.2.noarch I was getting this error in errors.log: Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. This has been known to fix the issue: [root@auth2 /]# ipa-replica-manage re-initialize --from auth1.mydomain.com --verbose ipa: ERROR: DNS query for auth1.mydomain.com. A failed: Text input is malformed. Traceback (most recent call last): File "/sbin/ipa-replica-manage", line 1615, in <module> main(options, args) File "/sbin/ipa-replica-manage", line 1530, in main if (not test_connection(realm, host, options.nolookup) or File "/sbin/ipa-replica-manage", line 142, in test_connection enforce_host_existence(host) File "/sbin/ipa-replica-manage", line 840, in enforce_host_existence verify_host_resolvable(host) File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 91, in verify_host_resolvable raise errors.DNSResolverError(exception=ex) DNSResolverError: Text input is malformed. Unexpected error: Text input is malformed. I assumed I had a DNS issue, but can't seem to find one unless PTR records are broken. [root@auth2 /]# nslookup auth1.mydomain.com Server: 127.0.0.1 Address: 127.0.0.1#53 Name: auth1.mydomain.com Address: 192.168.0.33 [root@auth2 /]# dig auth1.mydomain.com @127.0.0.1 ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> auth1.mydomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 433 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;auth1.mydomain.com. IN A ;; ANSWER SECTION: auth1.mydomain.com. 1200 IN A 192.168.0.33 Do I just need to build a new replica and forget this one? -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

6 years, 4 months

1
0
0 / 0

Fwd: Replication Issue on slave servers

by tarak sinha

Hello All, I hope everyone is doing good, Since 1 month getting replication issue on my slave servers. updated logs from Master and Slave server for more info. if you have any suggestion or idea to fix this issue that will be really appreciated Auth Master server :- LOG info. /var/log/dirsrv/slapd-EXPERTCITY-COM/errors ng to perform. Will retry later. [07/Dec/2017:10:29:00 -0800] NSMMReplicationPlugin - agmt="cn=meToauth2.ava. expertcity.com" (auth2:389): Warning: unable to send endReplication extended operation (Server is unwilling to perform) [07/Dec/2017:10:29:02 -0800] agmt="cn=meToauth2.las.expertcity.com" (auth2:389) - Can't locate CSN 52f08ae6000200540000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - changelog program - agmt="cn=meToauth2.las.expertcity.com" (auth2:389): CSN 52f08ae6000200540000 not found, we aren't as up to date, or we purged [07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - agmt="cn=meToauth2.las. expertcity.com" (auth2:389): Data required to update replica has been purged. The replica must be reinitialized. [07/Dec/2017:10:29:02 -0800] agmt="cn=meToauth4.las2a.expertcity.com" (auth4:389) - Can't locate CSN 57b180b6000000540000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - changelog program - agmt="cn=meToauth4.las2a.expertcity.com" (auth4:389): CSN 57b180b6000000540000 not found, we aren't as up to date, or we purged [07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - agmt="cn= meToauth4.las2a.expertcity.com" (auth4:389): Data required to update replica has been purged. The replica must be reinitialized. [ Auth Slave Server :- Log info /var/log/dirsrv/slapd-EXPERTCITY-COM/errors [07/Dec/2017:10:28:30 -0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server) [07/Dec/2017:10:33:30 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [07/Dec/2017:10:33:30 -0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server) [07/Dec/2017:10:38:30 -0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [07/Dec/2017:10:38:30 -0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server) ############### [root(a)auth1.ffi log]# telnet authmgr1.ops.expertcity.com 636 Trying 10.22.6.249... Connected to authmgr1.ops.expertcity.com. Escape character is '^]'. ^]q telnet> q Connection closed. [root(a)auth1.ffi log]# telnet authmgr1.ops.expertcity.com 389 Trying 10.22.6.249... Connected to authmgr1.ops.expertcity.com. Escape character is '^]'. ^]q telnet> q Connection closed. I have also tried to re-initialize but din't resolve the issue -- *Thanks,* *Tarak Nath Sinha* -- *Thanks,* *Tarak Nath Sinha* *Mobile: **+91 8197522750*

6 years, 4 months

1
0
0 / 0

Change default ldap scheme

by Andrew Radygin

Hello everybody, I want to know, is there possibility to change default ldap scheme, where user and groups are storing. For instance, I have: cn=USER, cn=groups, cn=accounts, dc=domain,dc=net cn=GROUP-OF-USERS, cn=groups, cn=accounts, dc=domain,dc=net It seems to be too straightforward. Can I change it to cn=USER, cn=groups, cn=accounts, dc=domain,dc=net cn=GROUP-OF-USERS, cn=org-groups, cn=accounts, dc=domain,dc=net ? Or to do any other corrections of ldap scheme for placing different objects. Thanks!

6 years, 4 months

3
4
0 / 0

User's personal group not resolving

by Aaron Hicks

Hello the list, We imported all our users with uidnumbers from our old LDAP, but their gidNumber was from 4 groups. This caused us issues with users wanting to grant access to personal spaces to one user, but instead granting access to all the members of the group. To resolve this, when they were imported into FreeIPA we assigned them all new gidNumbers, as reusing their uidNumbers caused large number of gidNumber clashes as many groups were assigned from the same integer range. So now we have a log of users with uidNumber 5XXX and gidNumber 5000XXX. When they log in they see an error like this: /usr/bin/id: cannot find name for group ID 100019 It's pretty much because their gidNumber != uidNumber So getting all the name and group details: [username@ipaserver01:~] $ id username uid=5807(username) gid=100019 groups=100019,66400035(group1),66400007(group2),66400012(group3),66400044(gr oup4),175321(group5),2075295(group6),66400046(group7) [username@ipaserver01:~] 2 $ id -g username 100019 [username@ipaserver01:~] $ getent group 5807 username:*:5807: [username@ipaserver01:~] $ getent group 100019 [username@ipaserver01:~] $ Now, the last part, we can't change their uidNumber. We have a massive filesystem (many terabytes) backed by a tape library (many petabytes) so we need their uidNumber to match that file archived to tape in 1987 and migrated through our tape system upgrades :P So the question is; can we make it resolve those gidNumbers? .I could make 2,500 groups for 2,500 users. Regards, Aaron

6 years, 4 months

2
4
0 / 0

Guide to enabling CA?

by Bret Wortman

Is there an online guide to turning on a CA? We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we failed to migrate the CA, so we ended up with 3 servers without a CA. Fast-forward to today, and we lost one, which was our intended CA. So now I have two servers (a and z) which are working just fine but we can't create new SSL certs signed by our IPA CA. How can I go about promoting one of these to CA? I know I followed online directions the last time, but that was years ago and I've lost the link. Thanks! It's a private development network, so relying on external CAs isn't an option. -- photo *Bret Wortman* President, Damascus Products LLC 855-644-2783 <tel:855-644-2783> | 303-523-8037 <tel:303-523-8037> | bret(a)damascusproducts.com <mailto:bret@damascusproducts.com> | http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030 <http://facebook.com/wrapbuddiesco> <http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies> <https://facebook.com/wrapbuddiesco><https://instagram.com/wrapbuddies>

6 years, 4 months

2
1
0 / 0

openvpn authenticating to freeipa

by Andrew Meyer

Hello, I am trying to configure my openvpn setup to authenticate against FreeIPA. I have OpenVPN configured and is accepting connections. The package for ldap_auth is installed and configured. However I have tried to setup anonymous ldap lookups and authenticated ldap lookups and neither seem to be working. Every time I change the config to test openvpn works just fine. However when I try to connect to the VPN it tells me that the LDAP bind failed w/ invalid credentials. I have been combing through google and found that a few people used pam in the past and still do today. Is this proper procedure for setting this up? Is there a similar pam module that I could copy/link? Thank you, Andrew

6 years, 4 months

3
4
0 / 0

adding new client server and dns failing

by Andrew Meyer

When I add a new server to FreeIPA, and it fails to add DNS, is there a way to go back and rerun a script to add all the records needed?

6 years, 4 months

1
1
0 / 0

Re: Unable to create GSSAPI-encrypted LDAP connection

by Aaron Hicks

Hello the list, It looks like sssd's horrible logging messages were to blame. It looks like when the keytab was initially deployed the system time between the IPA server and the host were not quite in sync and the keytab was invalidated. I redeployed the host's keytab (which because SLES lacks the ipa-client tools, had to be done on the IPA server and delivered via SCP) and the problem was resolved. Regards, Aaron From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz] Sent: Monday, 4 December 2017 2:51 PM To: 'Aaron Hicks via FreeIPA-users' <freeipa-users(a)lists.fedorahosted.org> Subject: Unable to create GSSAPI-encrypted LDAP connection Hello the list, I've seen this issue on the list several times, but I've not yet seen a solution posted., We're having this issue on one of our SLES 12 SP2 hosts (we have other SLES hosts are fine), were seeing this error when users try and login, they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent. In this hosts /var/log/sssd/ldap_child.log <27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. <27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed <27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. <27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed On the FreeIPA server from /var/log/krb5kdc.log 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG <mailto:krbtgt/EXAMPLE.ORG@EXAMPLE.ORG> , Additional pre-authentication required Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11 Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG <mailto:krbtgt/EXAMPLE.ORG@EXAMPLE.ORG> , Preauthentication failed Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11 Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG <mailto:krbtgt/EXAMPLE.ORG@EXAMPLE.ORG> , Additional pre-authentication required Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11 Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG <mailto:krbtgt/EXAMPLE.ORG@EXAMPLE.ORG> , Preauthentication failed On the host in question klist gives the following (note that kinit works, even if ssh login does not): sles01:~ # klist -kte Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> (aes256-cts-hmac-sha1-96) 1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> (aes128-cts-hmac-sha1-96) sles01:~ # kinit admin Password for admin(a)EXAMPLE.ORG <mailto:admin@EXAMPLE.ORG> : kinit: Preauthentication failed while getting initial credentials sles01:~ # kinit admin Password for admin(a)EXAMPLE.ORG <mailto:admin@EXAMPLE.ORG> : sles01:~ # kvno host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> host/sles01.example.org(a)EXAMPLE.ORG <mailto:host/sles01.example.org@EXAMPLE.ORG> : kvno = 3 Also, I've compared NTP and there's only ~2.5ms offset between the two hosts. Increasing the logging level of sssd to debug_level=9 which does not generate more logs.

6 years, 4 months

1
0
0 / 0

Authentication for ipa cli scripting (wsgi, kerberos)

by skrawczenko＠gmail.com

Hello all, i suppose the issue is quite typical but still unable to find any solution. All i need is to run some ipa cli commands from scripts with preliminary kinit I manage to authenticate as kinit -F -k -t <keytab> <principal> That allows me to use ldap for example, i can do ldapsearch -Y GSSAPI etc However, when trying to run cli commands, i'm getting the following sh-4.2# ipa user-find aaa ipa: ERROR: cannot connect to 'any of the configured servers': https://<idm0>/ipa/json, https://<idm1>/ipa/json This is caused by wsgi module, as it said in httpd error log [Mon Dec 04 06:45:45.027199 2017] [:error] [pid 1745] ipa: ERROR: 500 Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment [Mon Dec 04 06:45:45.027769 2017] [:error] [pid 1745] [remote ...:60] mod_wsgi (pid=1745): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. At the same time when i do kinit <same principal> with manual password input, everything works as intended. IPA has been upgraded to latest 4.5.0, wsgi module after yum update is Name : mod_wsgi Arch : x86_64 Version : 3.4 Release : 12.el7_0 Size : 197 k I never configured anything manually, so barely broke anything. Please any ideas

6 years, 4 months

2
2
0 / 0

Unable to create GSSAPI-encrypted LDAP connection

by Aaron Hicks

Hello the list, I've seen this issue on the list several times, but I've not yet seen a solution posted., We're having this issue on one of our SLES 12 SP2 hosts (we have other SLES hosts are fine), were seeing this error when users try and login, they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent. In this hosts /var/log/sssd/ldap_child.log <27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. <27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed <27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. <27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed On the FreeIPA server from /var/log/krb5kdc.log 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG, Additional pre-authentication required Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11 Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG, Preauthentication failed Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11 Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG, Additional pre-authentication required Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11 Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG, Preauthentication failed On the host in question klist gives the following (note that kinit works, even if ssh login does not): sles01:~ # klist -kte Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG (aes256-cts-hmac-sha1-96) 1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG (aes128-cts-hmac-sha1-96) sles01:~ # kinit admin Password for admin(a)EXAMPLE.ORG: kinit: Preauthentication failed while getting initial credentials sles01:~ # kinit admin Password for admin(a)EXAMPLE.ORG: sles01:~ # kvno host/sles01.example.org(a)EXAMPLE.ORG host/sles01.example.org(a)EXAMPLE.ORG: kvno = 3 Also, I've compared NTP and there's only ~2.5ms offset between the two hosts. Increasing the logging level of sssd to debug_level=9 which does not generate more logs.

6 years, 4 months

3
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users December 2017