Re: Freeipa Certificates issues
by Florence Blanc-Renaud
On 08/29/2017 06:43 PM, Julien Honore wrote:
> Hi Florence,
>
> Thank you for the reply.
>
> When I execute the command sudo kinit -kt /etc/krb5.keytab
> the result is :
> kinit: Clients credentials have been revoked while getting initial credentials
>
> When I try the command ipa-getkeytab, I don't have the same option.
>
Hi,
(putting mailing list back in the recipients list)
you are right, the --retrieve option was added only in IPA 4.x.
If you run ipa-getkeytab without the -r option, it will request a new
host keytab (all other keytabs previously obtained will be invalidated).
So this should unblock certmonger, but if you were using the host keytab
in other places you will need to overwrite them with the new keytab.
Flo
> Thank you.
>
> Julien Honore.
>
> ----- Original Message -----
> From: "Florence Blanc-Renaud" <flo(a)redhat.com>
> To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
> Cc: "Julien Honore" <jhonore(a)bmad.tech>
> Sent: Tuesday, 29 August, 2017 12:14:10
> Subject: Re: [Freeipa-users] Freeipa Certificates issues
>
> On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:
>>
>> Hi,
>>
>> I have an issue with my freeipa server.
>>
>> The certificates expired and I can't resubmit.
>>
>> I put the date before the expiration of the certs.
>>
>> The result of ipa-getcert list :
>>
>>
>> Number of certificates and requests being tracked: 8.
>> Request ID '20150805183502':
>> status: MONITORING
>> ca-error: Error setting up ccache for "host" service on client using
>> default keytab: Clients credentials have been revoked.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=VIT.LAN
>> subject: CN=auth0.vit.lan,O=VIT.LAN
>> expires: 2017-08-05 18:35:02 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20150805183539':
>> status: MONITORING
>> ca-error: Error setting up ccache for "host" service on client using
>> default keytab: Clients credentials have been revoked.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=VIT.LAN
>> subject: CN=auth0.vit.lan,O=VIT.LAN
>> expires: 2017-08-05 18:35:39 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20150805183647':
>> status: MONITORING
>> ca-error: Error setting up ccache for "host" service on client using
>> default keytab: Clients credentials have been revoked.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=VIT.LAN
>> subject: CN=auth0.vit.lan,O=VIT.LAN
>> expires: 2017-08-05 18:36:47 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> If someone can help me with this issue, it would be very helpful.
>>
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> ADTRUST Service: RUNNING
>> EXTID Service: RUNNING
>>
>> FreeIpa V3.
>>
>> Thank you
>>
>> Julien Honore
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>
> Hi,
>
> I have very little experience with IPA v3, but let's try anyway... If
> things didn't change too much, certmonger's IPA helper is using
> /etc/krb5.keytab to connect to the IPA server. Can you check if this keytab
> is still valid using
> $ sudo kinit -kt /etc/krb5.keytab
>
> If the operation fails, this is probably the root cause of your issue.
> The utility ipa-getkeytab will allow you to get the host keytab (with
> the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).
>
> HTH,
> Flo
>
6 years, 7 months
using external passwords
by Charles Hedrick
We have a department that would like to use IPA, but would like users to use their University passwords.
I conjecture that we can do that by generating users with random passwords, but setting the default authentication as RADIUS, and using a RADIUS server that authenticates with the University using LDAP.
Does this sound workable?
6 years, 7 months
sudo policy doesn't work since host is installed with CNAME
by Z D
Hi there,
we're using ipa-server-4.4.0 (without its own DNS) and are facing a situation with an A/CNAME host.
Basically a host is installed with the CNAME as the OS name, and IPA is aware only of the A record, since the host is joined to the IPA domain with its A record. The A record is a member of the proper host group and there is a relevant sudo policy, but that doesn't work since the CNAME is not added to the IPA domain.
Is there any better resolution for this, other than adding the CNAME to the IPA domain and to the relevant hostgroup?
This command, as expected, reports an error:
# ipa host-show <CNAME>
ipa: ERROR: <CNAME>: host not found
and the command
# ipa host-show <A_record>
gives the expected output:
Host name: <FQDN>
Principal name: host/<FQDN>@<DOMAIN>
etc
thanks, Zarko
6 years, 7 months
kerberos nfs client problem
by San Zhang
I set up a kerberos-aware nfs server and some clients. I mounted with "-o sec=krb5" successfully the first time. For some reason, I changed the krb5.keytab by copying a backup keytab and rerunning the ipa-getkeytab command, and then rebooted the nfs server. Now the client that mounted successfully before is unable to mount any more unless rebooted, but other new clients are able to mount. How do I fix those clients without rebooting?
6 years, 7 months
nfs server with multiple IP addresses
by San Zhang
I have an IPA server (ipa.example.com) with DNS service and a kerberos-aware nfs server (nfs.example.com). The nfs server has two IP addresses: 192.168.2.10 and 192.168.3.10. The two networks 192.168.2.0/24 and 192.168.3.0/24 are not connected to each other directly. I hope the DNS server resolves nfs.example.com to 192.168.2.10 in 192.168.2.0/24 and to 192.168.3.10 in 192.168.3.0/24. How do I set up the DNS server?
6 years, 7 months
[CentOS 7.5] error message during LDAP backup
by Jochen Hein
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb could be invalid.
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.260896691 +0200] - ERR - dblayer_backup - Error in copying directory (/var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb -> /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup): err=-1
The path /var/lib/dirsrv/slapd-EXAMPLE-ORG/cldb is valid and contains the
following files:
[root@freeipa1 cldb]# ls -la
insgesamt 6592
drwxr-xr-x. 2 dirsrv dirsrv 4096 28. Aug 16:12 .
drwxrwx---. 6 dirsrv dirsrv 47 1. Dez 2016 ..
-rw-------. 1 dirsrv dirsrv 5668864 30. Aug 08:54 105a1694-b80711e6-a735c4e0-b4c95686_583b44c1000000040000.db
-rw-r--r--. 1 dirsrv dirsrv 0 28. Aug 16:12 105a1694-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv 1064960 30. Aug 08:52 6464fab3-b80711e6-a735c4e0-b4c95686_5840787c0000000d0000.db
-rw-r--r--. 1 dirsrv dirsrv 0 28. Aug 16:12 6464fab3-b80711e6-a735c4e0-b4c95686.sema
-rw-------. 1 dirsrv dirsrv 30 1. Dez 2016 DBVERSION
The directory
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
does not exist, all I have is:
[root@freeipa1 cldb]# ls -la /var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/
insgesamt 0
drwxrwx---. 2 dirsrv dirsrv 6 30. Aug 01:34 .
drwxrwx---. 6 dirsrv dirsrv 47 1. Dez 2016 ..
I'll create
/var/lib/dirsrv/slapd-EXAMPLE-ORG/bak/EXAMPLE-ORG/.repl_changelog_backup
manually and will see if that helps. I think it should be created during
upgrade or backup if it is missing. What do you think?
Jochen
--
This space is intentionally left blank.
6 years, 7 months
"Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
by greg@greg-gilbert.com
I'm really at a loss on this one.
I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get
this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SERVICES.example
Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
Valid From: Wed Apr 05 21:11:13 2017 UTC
Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The
old images still work even now, so I don't think it's a DNS issue. I
tried running update-ca-certificates, but that did nothing. I tried
restarting the FreeIPA server, nothing changed.
If I try --forceing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here; does anyone have advice on how to
fix this? Thanks!
6 years, 7 months
Why "w" does not list AD users
by Supratik Goswami
I have configured trust between AD and IPA and the Linux machines are members of
the IPA domain.
When I log into any of the Linux machines and type "w" it does not list the
AD user with which I just logged in.
Is this an expected behaviour or am I missing something?
--
Warm Regards
Supratik
6 years, 7 months
User ID overrides staying persistent in cache for AD users
by Eddleman, David
So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells.
Verify the ID override on the master:
[root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
--------------------------
1 User ID override matched
--------------------------
Anchor to override: user@domain
GECOS: TEST ID VIEW
Login shell: /bin/ksh
----------------------------
Number of entries returned 1
----------------------------
Good, looks as expected. I also tested the GECOS override just in case such a thing was needed in the future.
[root@rhel7template ~]# getent passwd user@domain
user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
Looks good. It's doing what it's supposed to be doing.
So now we remove the GECOS and shell settings in the webUI and verify via CLI that they're gone:
[root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
--------------------------
1 User ID override matched
--------------------------
Anchor to override: user@domain
----------------------------
Number of entries returned 1
----------------------------
Still good so far. No overrides defined.
Clear the cache to verify that the data is fresh.
[root@rhel7template ~]# sss_cache -E
[root@rhel7template ~]# getent passwd user@domain
user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
That's not right...
The default and fallback don't call for ksh either:
[root@rhel7template ~]# cat /etc/sssd/sssd.conf | grep shell
allowed_shells = /bin/bash,/bin/sh,/bin/ksh
shell_fallback = /sbin/nologin
default_shell = /bin/bash
So let's try purging the cache files...
[root@rhel7template ~]# cd /var/lib/sss/db/
[root@rhel7template db]# ls
<cache file listing>
[root@rhel7template db]# rm -f *
[root@rhel7template db]# ls
[root@rhel7template db]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
[root@rhel7template db]# getent passwd user@domain
user@domain:*:689709720:689709720:Username:/home/domain/user:/bin/bash
Now it's showing what it's supposed to.
This shouldn't be happening. If we have to purge sss cache files each time we make an ID Override change, this won't work. Is this expected behavior, or is this a bug?
David Eddleman
6 years, 7 months
Freeipa Certificates issues
by Julien Honore
Hi,
I have an issue with my freeipa server.
The certificates expired and I can't resubmit.
I put the date before the expiration of the certs.
The result of ipa-getcert list :
Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183539':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:39 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183647':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:36:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
If someone can help me with this issue, it would be very helpful.
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING
FreeIpa V3.
Thank you
Julien Honore
6 years, 7 months
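Added here as a worked example, not code from the thread, from FreeIPA or from certmonger: a small Python triage script for `ipa-getcert list` output of the shape Julien posted in both messages above. It parses each tracked request, flags the ones that are expired, about to expire or whose renewal is failing, and for the "Error setting up ccache ... credentials have been revoked" case points at the keytab check Florence suggested (`kinit -kt /etc/krb5.keytab`). It assumes only the text layout visible in the posted output (a "Request ID '...':" line followed by indented "field: value" lines). The sample input is constructed: one request copied from the thread plus two invented ones, and the fixed "now" of 2017-08-29 matches the thread's date.

```python
"""Triage helper for certmonger's `ipa-getcert list` output (added example;
not part of the thread, FreeIPA or certmonger). Assumes the field layout
quoted in the thread; the sample below is constructed from it."""
import re
from datetime import datetime, timezone

# Constructed sample: the first request is copied from the thread, the other two are invented.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=auth0.vit.lan,O=VIT.LAN
    expires: 2017-08-05 18:35:02 UTC
    track: yes
    auto-renew: yes
Request ID 'constructed-expiring-soon':
    status: MONITORING
    subject: CN=constructed.example.test,O=EXAMPLE.TEST
    expires: 2017-09-10 00:00:00 UTC
Request ID 'constructed-healthy':
    status: MONITORING
    subject: CN=constructed2.example.test,O=EXAMPLE.TEST
    expires: 2030-01-01 00:00:00 UTC
"""

# Date of the thread; used as the reference "now" so the run is reproducible.
NOW_IN_THREAD = datetime(2017, 8, 29, tzinfo=timezone.utc)
REQUEST_RE = re.compile(r"Request ID '([^']+)':")
# certmonger prefixes Kerberos set-up failures this way (see the quoted ca-error).
KEYTAB_ERROR_PREFIX = "Error setting up ccache"


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names certmonger prints."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # summary line before the first request
        # Split on the first colon only: values such as the NSS DB location contain more.
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """'2017-08-05 18:35:02 UTC' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def likely_cause(ca_error):
    """Map the ca-error text to the check suggested in the thread, or None."""
    if ca_error and ca_error.startswith(KEYTAB_ERROR_PREFIX):
        return ("certmonger could not obtain a ticket with the default keytab; "
                "verify it with 'kinit -kt /etc/krb5.keytab' before resubmitting")
    return None


def assess(requests, now, warn_days=30):
    """Return (request_id, subject, problems) per request; problems is ['ok'] when clean."""
    findings = []
    for req in requests:
        problems = []
        if req.get("ca-error"):
            problems.append("renewal-failing")
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("expires"):
            expires_at = parse_expiry(req["expires"])
            if expires_at <= now:
                problems.append("expired")
            elif (expires_at - now).days < warn_days:
                problems.append("expiring")
        findings.append((req["request_id"], req.get("subject", "?"), problems or ["ok"]))
    return findings


def report(text, now=None):
    """One line per request, with the likely cause appended where renewal is failing."""
    now = now or datetime.now(timezone.utc)
    requests = parse_getcert_list(text)
    lines = []
    for req, (rid, subject, problems) in zip(requests, assess(requests, now)):
        line = f"{rid} {subject}: {', '.join(problems)}"
        cause = likely_cause(req.get("ca-error"))
        lines.append(f"{line} ({cause})" if cause else line)
    return lines


if __name__ == "__main__":
    # The keytab error is flagged regardless of the clock, which is why setting the
    # date back before expiry (as tried in the thread) does not unblock renewal.
    print("\n".join(report(SAMPLE, now=NOW_IN_THREAD)))
```

Run it against real output with `ipa-getcert list | python3 triage.py` after swapping `SAMPLE` for `sys.stdin.read()`; the "renewal-failing" flag is the one to act on first, since an expired certificate will not renew while certmonger cannot authenticate.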