Reinitializing replica fails?
by Jonathan Kelley
ipa-server-4.5.0-21.el7.centos.2.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.2.2.noarch
I was getting this error in errors.log:
Data required to update replica has been purged
from the changelog. If the error persists the replica
must be reinitialized.
This has been known to fix the issue:
[root@auth2 /]# ipa-replica-manage re-initialize --from auth1.mydomain.com --verbose
ipa: ERROR: DNS query for auth1.mydomain.com. A failed: Text input is malformed.
Traceback (most recent call last):
File "/sbin/ipa-replica-manage", line 1615, in <module>
main(options, args)
File "/sbin/ipa-replica-manage", line 1530, in main
if (not test_connection(realm, host, options.nolookup) or
File "/sbin/ipa-replica-manage", line 142, in test_connection
enforce_host_existence(host)
File "/sbin/ipa-replica-manage", line 840, in enforce_host_existence
verify_host_resolvable(host)
File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 91, in
verify_host_resolvable
raise errors.DNSResolverError(exception=ex)
DNSResolverError: Text input is malformed.
Unexpected error: Text input is malformed.
I assumed I had a DNS issue, but can't seem to find one unless PTR records
are broken.
[root@auth2 /]# nslookup auth1.mydomain.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: auth1.mydomain.com
Address: 192.168.0.33
[root@auth2 /]# dig auth1.mydomain.com @127.0.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> auth1.mydomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 433
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;auth1.mydomain.com. IN A
;; ANSWER SECTION:
auth1.mydomain.com. 1200 IN A 192.168.0.33
Do I just need to build a new replica and forget this one?
6 years, 4 months
Fwd: Replication Issue on slave servers
by tarak sinha
Hello All,
I hope everyone is doing well. For the past month I have been getting a replication issue on
my slave servers. I have included updated logs from the master and slave servers for more info.
If you have any suggestion or idea to fix this issue, that will be really
appreciated.
Auth Master server :- LOG info.
/var/log/dirsrv/slapd-EXPERTCITY-COM/errors
ng to perform. Will retry later.
[07/Dec/2017:10:29:00 -0800] NSMMReplicationPlugin - agmt="cn=meToauth2.ava.
expertcity.com" (auth2:389): Warning: unable to send endReplication
extended operation (Server is unwilling to perform)
[07/Dec/2017:10:29:02 -0800] agmt="cn=meToauth2.las.expertcity.com"
(auth2:389) - Can't locate CSN 52f08ae6000200540000 in the changelog (DB
rc=-30988). If replication stops, the consumer may need to be reinitialized.
[07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - changelog program -
agmt="cn=meToauth2.las.expertcity.com" (auth2:389): CSN
52f08ae6000200540000 not found, we aren't as up to date, or we purged
[07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - agmt="cn=meToauth2.las.
expertcity.com" (auth2:389): Data required to update replica has been
purged. The replica must be reinitialized.
[07/Dec/2017:10:29:02 -0800] agmt="cn=meToauth4.las2a.expertcity.com"
(auth4:389) - Can't locate CSN 57b180b6000000540000 in the changelog (DB
rc=-30988). If replication stops, the consumer may need to be reinitialized.
[07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - changelog program -
agmt="cn=meToauth4.las2a.expertcity.com" (auth4:389): CSN
57b180b6000000540000 not found, we aren't as up to date, or we purged
[07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - agmt="cn=
meToauth4.las2a.expertcity.com" (auth4:389): Data required to update
replica has been purged. The replica must be reinitialized.
Auth Slave Server :- Log info
/var/log/dirsrv/slapd-EXPERTCITY-COM/errors
[07/Dec/2017:10:28:30 -0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP
server)
[07/Dec/2017:10:33:30 -0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1
(Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
connected)
[07/Dec/2017:10:33:30 -0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP
server)
[07/Dec/2017:10:38:30 -0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1
(Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
connected)
[07/Dec/2017:10:38:30 -0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP
server)
###############
[root(a)auth1.ffi log]# telnet authmgr1.ops.expertcity.com 636
Trying 10.22.6.249...
Connected to authmgr1.ops.expertcity.com.
Escape character is '^]'.
^]q
telnet> q
Connection closed.
[root(a)auth1.ffi log]# telnet authmgr1.ops.expertcity.com 389
Trying 10.22.6.249...
Connected to authmgr1.ops.expertcity.com.
Escape character is '^]'.
^]q
telnet> q
Connection closed.
I have also tried to re-initialize, but it didn't resolve the issue.
--
*Thanks,*
*Tarak Nath Sinha*
6 years, 4 months
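The master-side log above names two agreements whose consumer CSN is no longer in the changelog. As an added illustration that is not part of the original post, the Python below decodes a 389-ds CSN (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of sub-sequence number) and pulls the agreements flagged for reinitialization out of constructed copies of those log lines; the two CSNs decode to 2014 and 2016 timestamps, which is how far behind the changelog's retention those consumers sit.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the master's errors-log lines quoted in the post,
# with each wrapped line joined back onto one line.
SAMPLE_ERRORS_LOG = """\
[07/Dec/2017:10:29:02 -0800] agmt="cn=meToauth2.las.expertcity.com" (auth2:389) - Can't locate CSN 52f08ae6000200540000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - agmt="cn=meToauth2.las.expertcity.com" (auth2:389): Data required to update replica has been purged. The replica must be reinitialized.
[07/Dec/2017:10:29:02 -0800] agmt="cn=meToauth4.las2a.expertcity.com" (auth4:389) - Can't locate CSN 57b180b6000000540000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[07/Dec/2017:10:29:02 -0800] NSMMReplicationPlugin - agmt="cn=meToauth4.las2a.expertcity.com" (auth4:389): Data required to update replica has been purged. The replica must be reinitialized.
"""

CSN_RE = re.compile(r'agmt="cn=(?P<agmt>[^"]+)".*?Can\'t locate CSN (?P<csn>[0-9a-f]{20})')
PURGED_RE = re.compile(r'agmt="cn=(?P<agmt>[^"]+)".*?Data required to update replica has been purged')


def decode_csn(csn):
    """Split a 389-ds CSN into its four fixed-width hex fields."""
    if len(csn) != 20:
        raise ValueError("a CSN is 20 hex digits")
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def agreements_needing_reinit(log_text):
    """Return {agreement name: decoded CSN or None} for every agreement the
    log says must be reinitialized. The CSN, when present, is the last change
    the consumer acknowledged; its timestamp shows how stale the consumer is."""
    found = {}
    for line in log_text.splitlines():
        m = CSN_RE.search(line)
        if m:
            found[m.group("agmt")] = decode_csn(m.group("csn"))
            continue
        m = PURGED_RE.search(line)
        if m:
            found.setdefault(m.group("agmt"), None)
    return found


if __name__ == "__main__":
    for agmt, csn in agreements_needing_reinit(SAMPLE_ERRORS_LOG).items():
        print(agmt, "last consumer CSN:", csn)
```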
Change default ldap scheme
by Andrew Radygin
Hello everybody,
I want to know whether there is a possibility to change the default LDAP scheme in which users and groups are stored.
For instance, I have:
cn=USER, cn=groups, cn=accounts, dc=domain,dc=net
cn=GROUP-OF-USERS, cn=groups, cn=accounts, dc=domain,dc=net
It seems to be too straightforward. Can I change it to
cn=USER, cn=groups, cn=accounts, dc=domain,dc=net
cn=GROUP-OF-USERS, cn=org-groups, cn=accounts, dc=domain,dc=net
?
Or to make any other corrections to the LDAP scheme for placing different objects.
Thanks!
6 years, 4 months
User's personal group not resolving
by Aaron Hicks
Hello the list,
We imported all our users with uidnumbers from our old LDAP, but their
gidNumber was from 4 groups. This caused us issues with users wanting to
grant access to personal spaces to one user, but instead granting access to
all the members of the group.
To resolve this, when they were imported into FreeIPA we assigned them all
new gidNumbers, as reusing their uidNumbers caused a large number of gidNumber
clashes, because many groups were assigned from the same integer range. So now we
have a lot of users with uidNumber 5XXX and gidNumber 5000XXX.
When they log in they see an error like this:
/usr/bin/id: cannot find name for group ID 100019
It's pretty much because their gidNumber != uidNumber
So getting all the name and group details:
[username@ipaserver01:~] $ id username
uid=5807(username) gid=100019
groups=100019,66400035(group1),66400007(group2),66400012(group3),66400044(group4),175321(group5),2075295(group6),66400046(group7)
[username@ipaserver01:~] 2 $ id -g username
100019
[username@ipaserver01:~] $ getent group 5807
username:*:5807:
[username@ipaserver01:~] $ getent group 100019
[username@ipaserver01:~] $
Now, the last part, we can't change their uidNumber. We have a massive
filesystem (many terabytes) backed by a tape library (many petabytes) so we
need their uidNumber to match that file archived to tape in 1987 and
migrated through our tape system upgrades :P
So the question is: can we make it resolve those gidNumbers?
I could make 2,500 groups for 2,500 users.
Regards,
Aaron
6 years, 4 months
Guide to enabling CA?
by Bret Wortman
Is there an online guide to turning on a CA?
We had one, which signed all our SSL Certs and such. It worked quite
nicely. Then we rolled an upgrade around our IPA servers to get them
from Fedora to CentOS, and in the process, we failed to migrate the CA,
so we ended up with 3 servers without a CA.
Fast-forward to today, and we lost one, which was our intended CA. So
now I have two servers (a and z) which are working just fine but we
can't create new SSL certs signed by our IPA CA.
How can I go about promoting one of these to CA? I know I followed
online directions the last time, but that was years ago and I've lost
the link. Thanks!
It's a private development network, so relying on external CAs isn't an
option.
--
*Bret Wortman*
President, Damascus Products LLC
855-644-2783 | 303-523-8037 | bret(a)damascusproducts.com | http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030
6 years, 4 months
openvpn authenticating to freeipa
by Andrew Meyer
Hello,
I am trying to configure my OpenVPN setup to authenticate against FreeIPA. I have OpenVPN configured and it is accepting connections. The package for ldap_auth is installed and configured. However, I have tried to set up anonymous LDAP lookups and authenticated LDAP lookups, and neither seems to be working. Every time I change the config to test, OpenVPN works just fine. However, when I try to connect to the VPN it tells me that the LDAP bind failed with invalid credentials. I have been combing through Google and found that a few people used PAM in the past and still do today. Is this the proper procedure for setting this up?
Is there a similar pam module that I could copy/link?
Thank you,
Andrew
6 years, 4 months
Re: Unable to create GSSAPI-encrypted LDAP connection
by Aaron Hicks
Hello the list,
It looks like sssd's horrible logging messages were to blame. It looks like
when the keytab was initially deployed the system time between the IPA
server and the host were not quite in sync and the keytab was invalidated. I
redeployed the host's keytab (which because SLES lacks the ipa-client tools,
had to be done on the IPA server and delivered via SCP) and the problem was
resolved.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Monday, 4 December 2017 2:51 PM
To: 'Aaron Hicks via FreeIPA-users' <freeipa-users(a)lists.fedorahosted.org>
Subject: Unable to create GSSAPI-encrypted LDAP connection
Hello the list,
I've seen this issue on the list several times, but I've not yet seen a
solution posted. We're having this issue on one of our SLES 12 SP2 hosts
(our other SLES hosts are fine); we're seeing this error when users try to
log in: they just keep getting the Password: prompt and are unable to log
in with FreeIPA accounts. Local accounts are fine. Hostnames have been
changed to protect the innocent.
In this host's /var/log/sssd/ldap_child.log:
<27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - -
Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - -
Preauthentication failed
On the FreeIPA server from /var/log/krb5kdc.log
17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Preauthentication failed
On the host in question klist gives the following (note that kinit works,
even if ssh login does not):
sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG
(aes256-cts-hmac-sha1-96)
1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG
(aes128-cts-hmac-sha1-96)
sles01:~ # kinit admin
Password for admin(a)EXAMPLE.ORG:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for admin(a)EXAMPLE.ORG:
sles01:~ # kvno host/sles01.example.org(a)EXAMPLE.ORG
host/sles01.example.org(a)EXAMPLE.ORG: kvno = 3
Also, I've compared NTP and there's only ~2.5ms offset between the two
hosts.
Increasing the logging level of sssd to debug_level=9 does not generate more logs.
6 years, 4 months
Authentication for ipa cli scripting (wsgi, kerberos)
by skrawczenko@gmail.com
Hello all, I suppose the issue is quite typical, but I am still unable to find any solution.
All I need is to run some ipa cli commands from scripts after a preliminary kinit.
I manage to authenticate as
kinit -F -k -t <keytab> <principal>
That allows me to use LDAP, for example; I can do ldapsearch -Y GSSAPI etc.
However, when trying to run cli commands, I'm getting the following:
sh-4.2# ipa user-find aaa
ipa: ERROR: cannot connect to 'any of the configured servers': https://<idm0>/ipa/json, https://<idm1>/ipa/json
This is caused by the wsgi module, as it says in the httpd error log:
[Mon Dec 04 06:45:45.027199 2017] [:error] [pid 1745] ipa: ERROR: 500 Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment
[Mon Dec 04 06:45:45.027769 2017] [:error] [pid 1745] [remote ...:60] mod_wsgi (pid=1745): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
At the same time, when I do kinit <same principal> with manual password input, everything works as intended.
IPA has been upgraded to the latest 4.5.0; the wsgi module after yum update is
Name : mod_wsgi
Arch : x86_64
Version : 3.4
Release : 12.el7_0
Size : 197 k
I never configured anything manually, so I could barely have broken anything.
Please, any ideas?
6 years, 4 months
Unable to create GSSAPI-encrypted LDAP connection
by Aaron Hicks
Hello the list,
I've seen this issue on the list several times, but I've not yet seen a
solution posted. We're having this issue on one of our SLES 12 SP2 hosts
(our other SLES hosts are fine); we're seeing this error when users try to
log in: they just keep getting the Password: prompt and are unable to log
in with FreeIPA accounts. Local accounts are fine. Hostnames have been
changed to protect the innocent.
In this host's /var/log/sssd/ldap_child.log:
<27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - -
Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - -
Preauthentication failed
On the FreeIPA server from /var/log/krb5kdc.log
17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example.org(a)EXAMPLE.ORG for krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG,
Preauthentication failed
On the host in question klist gives the following (note that kinit works,
even if ssh login does not):
sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG
(aes256-cts-hmac-sha1-96)
1 12/01/17 04:30:40 host/sles01.example.org(a)EXAMPLE.ORG
(aes128-cts-hmac-sha1-96)
sles01:~ # kinit admin
Password for admin(a)EXAMPLE.ORG:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for admin(a)EXAMPLE.ORG:
sles01:~ # kvno host/sles01.example.org(a)EXAMPLE.ORG
host/sles01.example.org(a)EXAMPLE.ORG: kvno = 3
Also, I've compared NTP and there's only ~2.5ms offset between the two
hosts.
Increasing the logging level of sssd to debug_level=9 does not generate more logs.
6 years, 4 months
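Both this post and the "Re:" follow-up earlier on the page show the keytab holding KVNO 1 for host/sles01.example.org while kvno reports a service ticket issued under kvno = 3; a keytab whose key version no longer matches the KDC's cannot pass encrypted-timestamp preauthentication, which is exactly the "preauth (encrypted_timestamp) verify failure" the KDC log records, and redeploying the keytab, as the follow-up describes, clears it. The Python below is an added example, not part of either post, that parses constructed klist -kte and kvno output in the format quoted and reports principals whose keytab lacks the KDC's current key version.

```python
import re

# Constructed samples modelled on the klist -kte and kvno output in the post
# (the archive's "(a)" obfuscation written back as "@").
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ----------------- --------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
"""
SAMPLE_KVNO = "host/sles01.example.org@EXAMPLE.ORG: kvno = 3\n"

# klist -kte rows: KVNO, date, time, principal, then the enctype in parentheses.
KEYTAB_ENTRY_RE = re.compile(
    r'^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)')
# kvno output: "principal: kvno = N"
KVNO_RE = re.compile(r'^(?P<princ>\S+): kvno = (?P<kvno>\d+)')


def parse_klist(text):
    """Map principal -> set of KVNOs present in the keytab (over all enctypes)."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group("princ"), set()).add(int(m.group("kvno")))
    return entries


def parse_kvno(text):
    """Map principal -> key version the KDC used when it issued the ticket."""
    out = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line)
        if m:
            out[m.group("princ")] = int(m.group("kvno"))
    return out


def stale_keytab_principals(klist_text, kvno_text):
    """Return [(principal, sorted keytab KVNOs, KDC kvno)] for each principal
    whose keytab holds no key of the version the KDC currently uses. Such a
    host can neither decrypt tickets for that principal nor complete
    keytab-based preauthentication, so its keytab needs redeploying."""
    keytab = parse_klist(klist_text)
    kdc = parse_kvno(kvno_text)
    stale = []
    for princ, kdc_kvno in kdc.items():
        have = keytab.get(princ, set())
        if kdc_kvno not in have:
            stale.append((princ, sorted(have), kdc_kvno))
    return stale


if __name__ == "__main__":
    for princ, have, want in stale_keytab_principals(SAMPLE_KLIST, SAMPLE_KVNO):
        print(f"{princ}: keytab has KVNO {have}, KDC is at kvno {want}; redeploy keytab")
```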