SSHFP Records on external DNS
by Günther J. Niederwimmer
Hello,
I mean I have a problem ;-).
I would like to include the SSHFP records on an external DNS server, but I can't find
the correct entries created by ipa-client-install.
Is there a way to find the SSHFP records to include on the external DNS
server?
Thanks for the Help!
CentOS 7.4
FreeIPA 4.5
--
with kind regards / best regards,
Günther J. Niederwimmer
6 years, 4 months
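`ssh-keygen -r <hostname>` prints SSHFP records from the host keys under /etc/ssh; the Python below is an added example (mine, not from this thread or from FreeIPA) that recomputes the same records from any OpenSSH public key line and diffs them against what an external zone already publishes, so a record can be checked before it is added. The hostname and the ed25519 key in it are constructed for the demonstration.

```python
"""Derive SSHFP records from OpenSSH public keys, the way `ssh-keygen -r` does.

RFC 4255 defines the RDATA as <algorithm> <fingerprint type> <fingerprint>,
where the fingerprint is the hash of the raw (base64-decoded) key blob.
Algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA (RFC 6594), 4 Ed25519 (RFC 7479).
Fingerprint types: 1 SHA-1, 2 SHA-256 (RFC 6594).
"""
import base64
import hashlib
import struct

SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def decode_pubkey_line(pubkey_line):
    """Split '<keytype> <base64> [comment]' into (keytype, raw blob), checking the wire type."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with an SSH string naming the key type; it must agree with field 1.
    (tlen,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + tlen].decode("ascii", errors="replace")
    if wire_type != keytype:
        raise ValueError(f"declared type {keytype!r} but blob says {wire_type!r}")
    return keytype, blob


def fingerprint(blob, fptype):
    """Hex fingerprint of a raw key blob for a fingerprint type name ('sha1' or 'sha256')."""
    return hashlib.new(fptype, blob).hexdigest()


def sshfp_records(hostname, pubkey_line, fptypes=("sha1", "sha256")):
    """Zone-file SSHFP lines for one public key, one line per fingerprint type."""
    keytype, blob = decode_pubkey_line(pubkey_line)
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype!r}")
    alg = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname}. IN SSHFP {alg} {SSHFP_FPTYPE[fpt]} {fingerprint(blob, fpt)}"
        for fpt in fptypes
    ]


def compare_with_published(host_records, published_records):
    """Return (missing, stale): records the host's keys need but DNS lacks,
    and DNS records that no current key backs (case-insensitive on the hex)."""
    def rdata(rec):
        return tuple(rec.upper().split()[-3:])  # (alg, fptype, HEX)
    have = {rdata(r) for r in host_records}
    pub = {rdata(r) for r in published_records}
    return sorted(have - pub), sorted(pub - have)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_key():
    """A CONSTRUCTED ed25519 public key line for the demo, not a real host key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    for rec in sshfp_records("ipaclient.example.test", constructed_ed25519_key()):
        print(rec)
```

Clients only act on SSHFP when `VerifyHostKeyDNS` is enabled and the resolver returns a DNSSEC-validated answer; without validation OpenSSH still prompts for the host key, so signing the external zone is part of making these records useful.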
freeipa sudoers help
by Andrew Meyer
In preparation for a migration I am trying to set up sudoers within freeipa. I have about a dozen people that will need to sudo to another user and run commands. However I want to add all the commands for that user into my rule.
Would this be best practice to add ALL the commands into 1 rule? Or should I do a sudocmdgroup?
ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands
Would I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?
6 years, 4 months
Accessing KRB5 NFS from local system accounts
by Gordon Messmer
I'm troubleshooting a problem: A local system account (daemon) needs to
access a file on an NFS4 filesystem with sec=krb5. My understanding is
that only processes which have a Kerberos ticket are able to access
files on such a filesystem, and that seems to be the case on the system
I'm troubleshooting.
Suppose I need a keytab to identify the "daemon" user. I don't think I
want to create a new user in FreeIPA, since it would have a uid/gid that
conflict with the locally defined account. However, I think I do need a
keytab for "daemon@DOMAIN". The ipa command doesn't seem to provide a
means of creating such a principal.
Should I work directly in kadmin to create the principal and export the
keytab? Am I even on the right track?
6 years, 4 months
Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
by Fuji San
Hello,
I have trouble enrolling an ipa client.
I just installed Fedora 27 and all the packages are up-to-date.
I succeeded in enrolling 2 previous F27 clients, but this one is giving me a hard time.
Any help would be welcome.
Fuji
------
$ ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns --no-nisdomain --server=ipaserver.mydomain --domain=mydomain
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.mydomain
Realm: MYDOMAIN
DNS Domain: mydomain
IPA Server: ipaserver.mydomain
BaseDN: dc=mydomain
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@MYDOMAIN:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN
Issuer: CN=Certificate Authority,O=MYDOMAIN
Valid From: 2015-09-11 08:02:12
Valid Until: 2035-09-11 08:02:12
Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1.
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
-----
------
2017-11-30T10:11:50Z DEBUG Logging to /var/log/ipaclient-install.log
2017-11-30T10:11:50Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'no_ac': False, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': True, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': True, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'no_sssd': False, 'automount_location': None, 'domain_name': 'mydomain', 'servers': ['ipaserver.mydomain'], 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2017-11-30T10:11:50Z DEBUG IPA version 4.6.1-3.fc27
2017-11-30T10:11:50Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/usr/sbin/selinuxenabled
2017-11-30T10:11:50Z DEBUG Process finished, return code=1
2017-11-30T10:11:50Z DEBUG stdout=
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2017-11-30T10:11:50Z DEBUG Process finished, return code=0
2017-11-30T10:11:50Z DEBUG stdout=enabled
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG [IPA Discovery]
2017-11-30T10:11:50Z DEBUG Starting IPA discovery with domain=mydomain, servers=['ipaserver.mydomain'], hostname=ipaclient.mydomain
2017-11-30T10:11:50Z DEBUG Server and domain forced
2017-11-30T10:11:50Z DEBUG [Kerberos realm search]
2017-11-30T10:11:50Z DEBUG Search DNS for TXT record of _kerberos.mydomain
2017-11-30T10:11:50Z DEBUG DNS record found: "MYDOMAIN"
2017-11-30T10:11:50Z DEBUG [LDAP server check]
2017-11-30T10:11:50Z DEBUG Verifying that ipaserver.mydomain (realm MYDOMAIN) is an IPA server
2017-11-30T10:11:50Z DEBUG Init LDAP connection to: ldap://ipaserver.mydomain:389
2017-11-30T10:11:50Z DEBUG Search LDAP server for IPA base DN
2017-11-30T10:11:50Z DEBUG Check if naming context 'dc=mydomain' is for IPA
2017-11-30T10:11:50Z DEBUG Naming context 'dc=mydomain' is a valid IPA context
2017-11-30T10:11:50Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain (sub)
2017-11-30T10:11:50Z DEBUG Found: cn=MYDOMAIN,cn=kerberos,dc=mydomain
2017-11-30T10:11:50Z DEBUG Discovery result: Success; server=ipaserver.mydomain, domain=mydomain, kdc=ipaserver.mydomain, basedn=dc=mydomain
2017-11-30T10:11:50Z DEBUG Validated servers: ipaserver.mydomain
2017-11-30T10:11:50Z DEBUG will use discovered domain: mydomain
2017-11-30T10:11:50Z DEBUG Using servers from command line, disabling DNS discovery
2017-11-30T10:11:50Z DEBUG will use provided server: ipaserver.mydomain
2017-11-30T10:11:50Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2017-11-30T10:11:50Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all mydomaintions and will not fail over to other servers in case of failure.
2017-11-30T10:11:53Z DEBUG will use discovered realm: MYDOMAIN
2017-11-30T10:11:53Z DEBUG will use discovered basedn: dc=mydomain
2017-11-30T10:11:53Z INFO Client hostname: ipaclient.mydomain
2017-11-30T10:11:53Z DEBUG Hostname source: Machine's FQDN
2017-11-30T10:11:53Z INFO Realm: MYDOMAIN
2017-11-30T10:11:53Z DEBUG Realm source: Discovered from LDAP DNS records in ipaserver.mydomain
2017-11-30T10:11:53Z INFO DNS Domain: mydomain
2017-11-30T10:11:53Z DEBUG DNS Domain source: Forced
2017-11-30T10:11:53Z INFO IPA Server: ipaserver.mydomain
2017-11-30T10:11:53Z DEBUG IPA Server source: Provided as option
2017-11-30T10:11:53Z INFO BaseDN: dc=mydomain
2017-11-30T10:11:53Z DEBUG BaseDN source: From IPA server ldap://ipaserver.mydomain:389
2017-11-30T10:11:55Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:11:55Z DEBUG Starting external process
2017-11-30T10:11:55Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r MYDOMAIN
2017-11-30T10:11:55Z DEBUG Process finished, return code=3
2017-11-30T10:11:55Z DEBUG stdout=
2017-11-30T10:11:55Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2017-11-30T10:11:55Z INFO Skipping synchronizing time with NTP server.
2017-11-30T10:11:58Z DEBUG will use principal provided as option: admin
2017-11-30T10:11:58Z DEBUG Starting external process
2017-11-30T10:11:58Z DEBUG args=keyctl get_persistent @s 0
2017-11-30T10:11:58Z DEBUG Process finished, return code=0
2017-11-30T10:11:58Z DEBUG stdout=227339787
2017-11-30T10:11:58Z DEBUG stderr=
2017-11-30T10:11:58Z DEBUG Enabling persistent keyring CCACHE
2017-11-30T10:11:58Z DEBUG Writing Kerberos configuration to /tmp/tmp5wx608ci:
2017-11-30T10:11:58Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN = {
kdc = ipaserver.mydomain:88
master_kdc = ipaserver.mydomain:88
admin_server = ipaserver.mydomain:749
kpasswd_server = ipaserver.mydomain:464
default_domain = mydomain
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
ipaclient.mydomain = MYDOMAIN
2017-11-30T10:12:03Z DEBUG Initializing principal admin@MYDOMAIN using password
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=/usr/bin/kinit admin@MYDOMAIN -c /tmp/krbcct8vze36h/ccache
2017-11-30T10:12:03Z DEBUG Process finished, return code=0
2017-11-30T10:12:03Z DEBUG stdout=Password for admin@MYDOMAIN:
2017-11-30T10:12:03Z DEBUG stderr=
2017-11-30T10:12:03Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.mydomain
2017-11-30T10:12:03Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.mydomain:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f20e73c5b70>
2017-11-30T10:12:03Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN
Issuer: CN=Certificate Authority,O=MYDOMAIN
Valid From: 2015-09-11 08:02:12
Valid Until: 2035-09-11 08:02:12
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=/usr/sbin/ipa-join -s ipaserver.mydomain -b dc=mydomain -h ipaclient.mydomain
2017-11-30T10:12:03Z DEBUG Process finished, return code=17
2017-11-30T10:12:03Z DEBUG stdout=
2017-11-30T10:12:03Z DEBUG stderr=HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Installation failed. Rolling back changes.
2017-11-30T10:12:03Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:12:03Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=ipa-client-automount --uninstall --debug
2017-11-30T10:12:04Z DEBUG Process finished, return code=1
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=IPA client is not configured on this system
2017-11-30T10:12:04Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1.
2017-11-30T10:12:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:12:04Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n IPA Machine Certificate - ipaclient.mydomain -a -f /etc/pki/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - ipaclient.mydomain
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl start certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl is-active certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=active
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl stop certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl disable certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z INFO Disabling client Kerberos and LDAP configurations
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/sbin/authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir --update
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Error while moving /etc/sssd/sssd.conf to /etc/sssd/sssd.conf.deleted
2017-11-30T10:12:05Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl stop sssd.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable sssd.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=Removed /etc/systemd/system/multi-user.target.wants/sssd.service.
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable fedora-domainname.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
384 unit files listed.
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
384 unit files listed.
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z INFO Client uninstall complete.
2017-11-30T10:12:05Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 336, in run
cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run
self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute
for _nothing in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install
for _nothing in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3624, in main
install(self)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2346, in install
_install(options)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2568, in _install
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2017-11-30T10:12:05Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2017-11-30T10:12:05Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
(END)
---------
6 years, 4 months
Re: Recovering from a defect master-crl
by Bjarne Blichfeldt
We are in some trouble here...
ipa-server-4.4.0-14.el7_3.7.x86_64 on rhel7.3
4 x IDM setup.
The directory server on the master CRL server decided to have a fit; every attempt to start it results in a SEGV and core dump. I have the DNS started but that is all that is running on the server at the moment.
Not even "ipactl -f start" works. It just aborts with:
ipactl -f start
Skipping version check
Starting Directory Service
Failed to start Directory Service: Command '/bin/systemctl start dirsrv@DOMAINE.service' returned non-zero exit status 1
An ongoing ticket at Red Hat does not bring any solution, so I am going to restore the server from a backup. Fortunately, it is a VMware server.
Now while waiting for permissions from the customer to do the swap, I would love to promote another IdM as master-crl, but I am a little confused as to how best to do this.
In https://access.redhat.com/solutions/2253241 the procedure is:
on defect server: shutdown pki, reconfigure, start pki - shutdown httpd, reconfigure httpd, start httpd
on new server: shutdown pki, reconfigure, start pki - shutdown httpd, reconfigure httpd, start httpd
The note also says:
NOTE: The procedure described above requires the first CA master to be reachable by the replica. If this system is no longer available, there is currently no way to setup a CA clone on any replica. The reason for this is, that the replica connects to the master to ask for some CA specific details. A workaround exists by recovering the first master from a backup and make it available to the replica system for installation time of the new CA. To avoid replication conflicts the replication agreements between the master and the replica should be deleted.
In https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
the procedure boils down to:
ipa-csreplica-manage set-renewal-master
with the comment: "The command also automatically reconfigures the previous CA from renewal master to clone."
From the above, I take it there is no way to promote another server to master-crl as long as the dirserver on the original master-crl is down?
Now, when I boot up the restored server, then what?
The restored server is ready in an isolated environment and I have verified that the dirserver and everything starts up as it should.
The server will be 6 days old.
My thought is, I just boot it and run:
ipa-replica-manage re-initialize --from=working-idm
But for peace of mind I would still like to move the master-crl function to a different server. Could this be done before "ipa-replica-manage re-initialize"?
That would give me the freedom to completely scratch the server if something goes wrong.
And for the future: I find this failure to be quite problematic.
We have an extremely redundant setup: if an IdM dies, I just remove it from the set, rebuild and rejoin. Tried it a couple of times, works great, nobody notices.
But the master-crl seems to be a real pain. Is there any way to rearrange things into a more robust setup? Maybe copy some directory contents from the master-crl to the other servers and then simply reconfigure
one of the other servers in case of failure? Sort of a cold standby feature.
Any advice is appreciated.
Regards
Bjarne Blichfeldt.
6 years, 4 months
GSSAPI-encrypted LDAP connection
by James Harrison
Hello, On one of our FreeIPA servers we are seeing the following messages from journal -f
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: host/ipa-01.int.domain.com@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Additional pre-authentication required
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Preauthentication failed
[root@pul-lv-ipa-01 ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@pul-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
Many thanks for any help,
Regards, James Harrison
6 years, 4 months
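The journal excerpt above is the kind of thing worth triaging mechanically rather than by eye: a host/ principal that keeps failing pre-authentication from its own address is a different problem from a user mistyping a password, and commonly points at the keytab's key no longer matching what the KDC holds rather than at the network. The following shell helper is added here as an example; it is not code from the original post or from the FreeIPA project. The sample lines are constructed in the format shown in the thread, with "@" restored where the list archive prints "(a)", and the extra "alice" line is made up to show how ordinary user failures are kept apart from keytab failures.

```shell
#!/bin/sh
# Triage helper for krb5kdc / sssd journal lines (example code, not from the
# original post). Sample lines are constructed in the format shown in the thread.

SAMPLE_LOG=$(cat <<'EOF'
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: host/ipa-01.int.domain.com@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Additional pre-authentication required
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:52:03 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.90: PREAUTH_FAILED: alice@INT.domain.COM for krbtgt/INT.domain.COM@INT.domain.COM, Preauthentication failed
EOF
)

preauth_failures() {
    # stdin: journal lines. stdout: "<count> <principal> <client ip>" for every
    # principal/address pair that hit PREAUTH_FAILED (NEEDED_PREAUTH is normal
    # KDC chatter and is ignored).
    awk '
        /PREAUTH_FAILED:/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "PREAUTH_FAILED:") {
                    ip = $(i - 1); sub(/:$/, "", ip)
                    n[$(i + 1) " " ip]++
                }
            }
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort
}

keytab_failures() {
    # stdin: journal lines. stdout: how many times sssd could not get a ticket
    # from /etc/krb5.keytab ("|| true" keeps a zero count from being an error).
    grep -c 'Failed to initialize credentials using keytab' || true
}

repeated_keytab_principals() {
    # $1 = threshold. Prints service principals (the ones with a "/", e.g. host/)
    # whose PREAUTH_FAILED count from a single client reaches the threshold.
    # Password typos by users never match this, only keytab-backed principals do.
    preauth_failures | awk -v min="$1" '$1 >= min && index($2, "/") > 0 { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | preauth_failures
printf 'keytab failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | keytab_failures)"
printf 'keytab principals to check: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | repeated_keytab_principals 2)"
```

On a live server the same functions can be fed with `journalctl -u krb5kdc -u sssd --since today | preauth_failures`; whatever `repeated_keytab_principals` prints is the keytab whose key version should be compared against the KDC before anything else is touched.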
FreeIPA setup third party ssl from Comodo
by randrewg@gmail.com
Hello!
Guys, I had set up FreeIPA 4.5 on CentOS 7 with a self-signed SSL cert.
Now I want to install my main wildcard cert (from Comodo CA) for the domain where the IPA server is located, just for the web service, so web browsers won't complain to users about SSL.
As expected - when I'm trying to do:
# ipa-server-certinstall -w comodo.crt comodo.key
I'm getting:
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.
I've found on https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/9...
all CA certs for Comodo and set them up via
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
As pointed out on https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But nonetheless, when I try ipa-server-certinstall after that, I get the above error anyway.
I'm starting to go crazy with it and don't know what I should do to solve this :(
Help me please!
Thank you.
6 years, 4 months
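Before re-running ipa-server-certinstall it pays to check offline that the server certificate really chains to the CA certificates that were installed; "issuer is not recognized" is what a missing link in that chain looks like. The script below is added as an example and is not from this thread or from the FreeIPA project. It builds a throwaway root, intermediate and server certificate with openssl (all names constructed) and shows `openssl verify` failing when only the root is trusted and succeeding once the intermediate is supplied, which is the same state ipa-cacert-manage has to be brought to, one CA at a time, before the install can succeed.

```shell
#!/bin/sh
# Offline chain check with openssl (example code, not from the thread or the
# FreeIPA project). Every certificate name below is constructed.

make_demo_pki() {
    # Builds root -> intermediate -> server in a temp dir and prints the dir.
    dir=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"

    # Self-signed root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -extfile "$dir/ca.ext" \
        -days 1 -out "$dir/root.pem" >/dev/null 2>&1

    # Intermediate signed by the root; this is the link that is usually missing.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -days 1 -out "$dir/int.pem" >/dev/null 2>&1

    # Server certificate signed by the intermediate (stands in for comodo.crt).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=ipa.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -days 1 -out "$dir/server.pem" >/dev/null 2>&1

    # Every CA in the chain, i.e. what has to be handed to ipa-cacert-manage.
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/installed-cas.pem"
    echo "$dir"
}

chain_status() {
    # $1 = trusted CA file, $2 = server cert, $3 = optional untrusted intermediates.
    # Prints "complete" when openssl can build the chain, "incomplete" otherwise.
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo complete || echo incomplete
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo complete || echo incomplete
    fi
}

cert_issuer() {
    # The issuer name tells you which CA certificate you still need to install.
    openssl x509 -in "$1" -noout -issuer
}

# Stand-alone run.
pki=$(make_demo_pki)
printf 'issuer of server cert: %s\n' "$(cert_issuer "$pki/server.pem")"
printf 'root only:             %s\n' "$(chain_status "$pki/root.pem" "$pki/server.pem")"
printf 'root + intermediate:   %s\n' "$(chain_status "$pki/installed-cas.pem" "$pki/server.pem")"
rm -rf "$pki"
```

With the real files the check is `openssl verify -CAfile <bundle of the CA certs you installed> comodo.crt`; if that reports an issuer it cannot find, `cert_issuer comodo.crt` names the certificate that still has to go through ipa-cacert-manage install and ipa-certupdate before ipa-server-certinstall is tried again.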
Replication failed after ipa-server-upgrade
by skrawczenko@gmail.com
My cluster has been successfully working for over a year with version 4.2
I have replica of two ipa nodes and winsync
Tried to upgrade (ipa-server-upgrade) and the replica seems to be ruined after it.
I can't even check its status
[root@idm0 ~]# ipa-replica-manage list --verbose
Traceback (most recent call last):
File "/usr/sbin/ipa-replica-manage", line 1615, in <module>
main(options, args)
File "/usr/sbin/ipa-replica-manage", line 1548, in main
options.nolookup)
File "/usr/sbin/ipa-replica-manage", line 197, in list_replicas
config_string = ent.single_value['ipaConfigString']
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 564, in __getitem__
value = self._entry[name]
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 442, in __getitem__
return self._get_nice(name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 409, in _get_nice
name = self._get_attr_name(name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 405, in _get_attr_name
name = self._names[name]
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 583, in __getitem__
return super(CIDict, self).__getitem__(key.lower())
KeyError: u'ipaconfigstring'
Unexpected error: u'ipaconfigstring'
Please, any advice on how to restore replication and winsync after the upgrade; this is quite critical.
6 years, 4 months
Update of compat tree after change of AD user attributes
by Lenhardt, Matthias
Hi,
Any recommendations on how to best update the compat tree after changes of AD user attributes?
We use IPA 4.5 with AD trust. After modification of an AD user attribute, e.g. loginShell, the compat tree doesn't get updated automatically, and so the Unix/Linux user can't enjoy his new shell.
According to Red Hat's knowledge base article https://access.redhat.com/solutions/1503713 the only way is to restart dirsrv ...
Maybe there's a better way to achieve this.
Thanks in advance!
Kind regards
Matthias Lenhardt
System Administrator
BITMARCK Beratung GmbH
Registered office: Putzbrunner Straße 93, 81739 München
Managing Director: Christian Niklaus
Register court: Amtsgericht München HRB 130163
*****************************************************************
The information in this e-mail is confidential and intended exclusively for
the named addressee(s). Access to this e-mail by persons other than the
named addressee(s) is not permitted. If you are not the named addressee,
please delete this e-mail.
6 years, 4 months