I've got a test instance of FreeIPA 4.4.4 running on F25 that was
installed with --external-ca, and the resulting CSR signed with a validity
period of 30 days to test behavior around expirations.
Upon booting that instance today, certmonger decided to preemptively renew
every IPA cert -- which is a good thing -- but did so without waiting for
renewal of the IPA CA cert first, which is less good. Now that instance
has a pile of certs that expire in two weeks, since they were signed with
and thus tied to the expiration of the old IPA CA cert.
While I'm guessing certmonger will figure this out and do the right thing
within a couple weeks -- and with the expectation that this would only
happen once per IPA CA renewal with a "real" deployment -- is this the
Logs are a bit of a mess between this and a potentially-resolved SELinux
issue with certmonger, but I'll wedge them all into a proper bug report if
I have noticed that we had a broken replication agreement between a replica in Amazon and one on another physical node. I attempted to re-initialize but received: Update failed! Status: [2 Replication error acquiring replica: excessive clock skew]
I had triple-verified that the time on both is correct and at most within seconds of each other.
In the dirsrv logs I get:
Excessive clock skew from supplier RUV
Unable to acquire replica: error: excessive clock skew
After doing a bit of searching I found this beauty: https://www.redhat.com/archives/freeipa-users/2014-February/msg000...
The article mentions that the time skew might occur due to the server being virtualized, and I'm wondering if this is applicable to Amazon.
The steps mentioned in the article look intrusive (and intimidating). I'm curious what other avenues are available to me to fix this? If I blow away the replica and set up a new one from scratch, would that fix the problem?
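The "excessive clock skew" error is raised against the timestamps baked into the supplier's CSNs, not against the wall clock you checked with date. The following is an added diagnostic, not part of the thread: it decodes the nsds50ruv values of a replica entry (the same data ipa-replica-manage list-ruv summarises) and reports how far each supplier's newest CSN sits ahead of local time. The RUV values, the host names and the one-day limit are constructed assumptions for illustration.

```python
import re
import time

# CSN layout used by 389-ds: 8 hex chars of seconds since the epoch, then a
# 4-hex sequence number, a 4-hex replica id and a 4-hex subsequence number.
CSN_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$", re.I)
RUV_RE = re.compile(r"^\{replica (\d+) (\S+)\} ([0-9a-f]{20})(?: ([0-9a-f]{20}))?$", re.I)

# Assumed limit: a supplier CSN more than this far ahead of local time is
# flagged as excessive (one day here; check what your 389-ds version uses).
MAX_SKEW_SECONDS = 24 * 60 * 60

# Constructed nsds50ruv values for illustration (not taken from the thread).
# Replica 5 carries a max CSN stamped roughly 194 days in the future.
SAMPLE_RUV = [
    "{replicageneration} 58f0e3d6000000040000",
    "{replica 4 ldap://srv1.example.com:389} 58f0e3d6000000040000 58ffff00000000040000",
    "{replica 5 ldap://srv2.example.com:389} 58f0e3d6000000050000 5a000000000000050000",
]

def decode_csn(csn):
    """Split a CSN into its fields; the timestamp is what skew checks use."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    ts, seq, rid, subseq = (int(x, 16) for x in m.groups())
    return {"time": ts, "seq": seq, "rid": rid, "subseq": subseq}

def parse_ruv(values):
    """Yield (replica id, url, max CSN) for each replica element of the RUV."""
    for value in values:
        m = RUV_RE.match(value.strip())
        if not m:          # skip {replicageneration} and anything unexpected
            continue
        rid, url, mincsn, maxcsn = m.groups()
        yield int(rid), url, maxcsn or mincsn

def skew_report(values, now=None, max_skew=MAX_SKEW_SECONDS):
    """Report how far each supplier's newest CSN is ahead of the local clock."""
    now = int(time.time()) if now is None else now
    report = []
    for rid, url, maxcsn in parse_ruv(values):
        ahead = decode_csn(maxcsn)["time"] - now
        report.append({"rid": rid, "url": url, "ahead_seconds": ahead,
                       "excessive": ahead > max_skew})
    return report

if __name__ == "__main__":
    for row in skew_report(SAMPLE_RUV):
        print(row)
```

A CSN far in the future explains why the error persists after both clocks have been corrected: the generator remembers the old offset, so the skew is in the replication metadata rather than in the current system time.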
Well, technically, I don't think IPA needs DNS entries simply for synchronization, so you could technically give it the same domain suffix. However, if you plan on using it for the purpose of clients to connect, it will need to be on its own domain.
The reason it is highly suggested for different domains to have different suffixes within DNS is because clients will 'dig' that domain for Kerberos and LDAP type records when looking for domain servers. Something like the below, for example:
# dig -t SRV _kerberos._tcp.EXAMPLE.COM.
If this returns both AD /and/ IPA servers, your clients will have a bad time.
Sent via carrier pigeons
-------- Original message --------
From: Striker Leggette via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: 6/14/17 8:12 PM (GMT-05:00)
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Striker Leggette <striker(a)terranforge.com>
Subject: [Freeipa-users] Re: FreeIPA - Active Directory integration and domain names
-------- Original message --------
From: bogusmaster--- via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: 6/14/17 6:06 AM (GMT-05:00)
Subject: [Freeipa-users] FreeIPA - Active Directory integration and domain names
I have a question regarding establishing one-way trust between FreeIPA
and Active Directory. In the documentation it is stated that to use a
cross-forest trust it is required for FreeIPA to have a different domain
than that of Active Directory. Does it also apply to the synchronization
reading some docs about the sync of my two servers:
# ipa-replica-manage list
# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
Certificate Server Replica Update Vectors:
No CS-RUVs found.
My doubt is: to solve this, do I only need to run the command:
ipa-replica-manage force-sync --from srv2.domain
Thanks for your attention :-)
Ataliba Teixeira via Inbox by Gmail
Once I initiate the kinit admin command, the error below pops up:
bash-4.3# kinit admin
Password for admin(a)LANKACLEAR.LK:
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
com.ibm.security.krb5.KrbException, status code: 0
message: java.net.ConnectException: Connection refused
If you have any clue, let me know.
I have setup a pair of FreeIPA 4.5.2 servers. One via
ipa-server-install, the other via ipa-replica-install. I have tried them
both as trust controllers and I have tried them in a controller/agent setup.
My problem is that no AD users can login to the self service UI on the
secondary IPA server. Is this by design, or is it merely a bug? I can
provide more details/logs/configs on request.
I have been trying to install FreeIPA with integrated DNS. I found installing FreeIPA easy without DNS, but anything to do with the DNS portion of it exceedingly complicated. I have an internal DNS server that I have been using to store all the host names of my internal PCs, and for anything external it forwards to another DNS server. As far as I can tell, the FreeIPA integrated DNS would replace this and would store all the records needed for FreeIPA; also, as far as I can tell, it would automatically create the A records and AAAA records for the client PCs added to the domain and keep them updated.
I originally tried making the integrated DNS handle the root zone (I think that is what it's called), where it could create records for any subdomains. I read online that this wasn't a good idea, and it also seemed extremely hard to do; trying this would end up in a zone overlap error. I think I need to make my registrar point to the integrated DNS for this to work.
I read some guides, and it seems that people suggest giving the integrated DNS server power over its own subdomain zone. I did this by creating an NS record in my registrar's DNS management page, but when running the command suggested in the Red Hat guide to check that it works, it returns nothing. This is the command I am running: "dig @RegistrarsNameServerIPAddress +norecurse +short ipa.example.com. NS", but running a normal dig will show the record.
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa.example.com. IN A
;; AUTHORITY SECTION:
ipa.example.com. 1799 IN NS ipa.example.com.
;; ADDITIONAL SECTION:
ipa.example.com. 1799 IN A MyIPAddress
When trying to install using this subdomain, I get this error right at the end. I have a feeling it is trying to add records to the integrated DNS server but it's not working properly.
“Updating DNS system records
ipa : ERROR DNS query for ipa.example.com. 1 failed: All nameservers failed to answer the query ipa.example.com. IN A: Server 127.0.0.1 UDP port 53 anwered SERVFAIL”
I think my main problem with this is that I actually don't know how DNS delegates subdomain nameservers; it always asks for a FQDN when putting in a nameserver, but shouldn't this really be an IP address? If someone could give me an example NS record, or show how they have set it up, that would be great. I am extremely lost; even some reading materials would be helpful, as all guides online just assume you already have set up the NS record and don't give you too much information. Also, I have replaced all references to my domain with example.com (not actually trying to use example.com).
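An NS record always carries a host name, never an address; when that host lives inside the zone being delegated, the parent zone also has to publish its address as a glue A/AAAA record, which is what the ADDITIONAL section in the dig output above is showing. The following added checker (not from the thread or from the FreeIPA project) parses dig-style answer lines and reports what a delegation of ipa.example.com is missing; the sample output and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed dig-style output for the delegation of ipa.example.com from its
# parent (not the poster's real output): the NS record names a host inside
# the child zone, and the glue A record in ADDITIONAL makes it resolvable.
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
ipa.example.com.    1799  IN  NS  ipa.example.com.
;; ADDITIONAL SECTION:
ipa.example.com.    1799  IN  A   192.0.2.10
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_rrs(text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            if rtype == "NS":
                rdata = rdata.lower()
            rrs.append((owner.lower(), rtype, rdata))
    return rrs

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def check_delegation(text, child_zone):
    """List what is missing for child_zone to be delegated correctly."""
    child_zone = child_zone.lower()
    rrs = parse_rrs(text)
    ns_targets = [rd for own, rt, rd in rrs if own == child_zone and rt == "NS"]
    problems = []
    if not ns_targets:
        problems.append("no NS records for %s" % child_zone)
    for target in ns_targets:
        # NS rdata is always a host name; when that host sits inside the
        # delegated zone the parent must also publish its address as glue.
        if in_bailiwick(target, child_zone):
            glue = [r for r in rrs if r[0] == target and r[1] in ("A", "AAAA")]
            if not glue:
                problems.append("NS %s is inside %s but has no glue A/AAAA"
                                % (target, child_zone))
    return problems

if __name__ == "__main__":
    print(check_delegation(SAMPLE_DIG, "ipa.example.com.") or "delegation looks sane")
```

Feed it the output of a +norecurse query against the parent's nameserver; an empty answer there means the parent is not publishing the delegation at all, which no amount of glue will fix.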
On our clients when attempting to run ipa-certupdate we are seeing the
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x46dc5a8>
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line
87, in run
lwcas = api.Command.ca_find()['result']
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 336, in
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command
failed, exception: AttributeError: ca_find
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: ca_find
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command
We have recently migrated to using an external CA and that went smoothly
other than this. We had not tried prior to that to run this command. So
far this is happening on all of the nodes we have tried. It does seem our
server version (4.2.0) and client version (4.4.0) are out of sync. Would
that be the cause, or is there something else I should be looking at?
I have a set of servers that CANNOT become enrolled IDM clients due to a
vendor refusing to support this type of config.
This server fleet is directly bound to an AD system via the standard
non-IPA "realm join ..." type commands
Since I can't bring these servers "into the fold" so to speak at the
very least I would love to offset at least one potential future problem
by seeing if I can help them configure sssd.conf on their local machines
to use the same AD SID-to-UID algorithm (complete with custom ID Range
values that we have enabled on the IPA master) so that they at least get
the same UID and GID values for their AD users as the same user would
get if they logged into the much larger fleet of IDM-managed servers.
Hope I'm asking the question properly -- in a nutshell I'm wondering how
to trick a standalone sssd.conf file so that it uses the same SID-to-UID
algorithm that an IDM master would use. This would at least let me get
consistent UID/GID values across my fleet of enrolled vs. non-enrolled
IDM clients ! Tips or advice appreciated even if the response is "heck
no; you can't do that .. "
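For comparison purposes, the arithmetic an IPA trust ID range applies is small enough to reproduce: a POSIX id is ipaBaseID plus the offset of the account RID from ipaBaseRID, as long as that offset fits inside ipaIDRangeSize. The code below is an added illustration, not from the thread or from IPA or SSSD; the range names, base ids and domain SIDs are constructed. It does not generate sssd.conf settings (a standalone AD provider's ldap_idmap mapping is a different algorithm); it only computes what the enrolled fleet would assign so a non-enrolled box's ids can be checked against it.

```python
import re

# Constructed ranges shaped like IPA's ipa-ad-trust idranges (ipaBaseID,
# ipaIDRangeSize, ipaBaseRID, ipaNTTrustedDomainSID); SIDs and numbers are
# made up for illustration.
TRUST_RANGES = [
    {"name": "AD.EXAMPLE.COM_id_range", "base_id": 1900000000,
     "range_size": 200000, "base_rid": 0,
     "domain_sid": "S-1-5-21-1111111111-2222222222-3333333333"},
    {"name": "CHILD.AD.EXAMPLE.COM_id_range", "base_id": 1900200000,
     "range_size": 200000, "base_rid": 0,
     "domain_sid": "S-1-5-21-4444444444-5555555555-6666666666"},
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return m.group(1), int(m.group(2))

def sid_to_id(sid, ranges=TRUST_RANGES):
    """id = ipaBaseID + (RID - ipaBaseRID), if that offset fits a range."""
    domain_sid, rid = split_sid(sid)
    seen = False
    for r in ranges:
        if r["domain_sid"] != domain_sid:
            continue
        seen = True            # a domain may own several ranges; try each
        offset = rid - r["base_rid"]
        if 0 <= offset < r["range_size"]:
            return r["base_id"] + offset
    if not seen:
        raise ValueError("no idrange for domain %s" % domain_sid)
    raise ValueError("RID %d of %s falls outside every idrange" % (rid, domain_sid))

def id_to_sid(posix_id, ranges=TRUST_RANGES):
    """Reverse mapping, handy for checking what a standalone box assigned."""
    for r in ranges:
        offset = posix_id - r["base_id"]
        if 0 <= offset < r["range_size"]:
            return "%s-%d" % (r["domain_sid"], r["base_rid"] + offset)
    raise ValueError("%d is not inside any trust idrange" % posix_id)

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    print(sid, "->", sid_to_id(sid), "->", id_to_sid(sid_to_id(sid)))
```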