Recall: web UI - login failed after updates on server
by Stefan Uygur
Stefan Uygur would like to recall the message, "web UI - login failed after updates on server".
6 years, 8 months
Replication health check
by Anthony Clark
Hello All,
I was wondering if anyone has written a health check script for FreeIPA?
How do you all check replication (and IPA server health)?
I did some digging and know that I can run this command to check
replication:
ldapsearch -D "cn=directory manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi
But the output didn't show an error:
ns01:
nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711528b000000600000 599444dd000000600000
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711529d000000610000 58deae97000500610000
ns02:
nscpentrywsi: nsDS5ReplicaId: 97
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711529d000000610000 58deae97000500610000
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711528b000000600000 595a8aff000100600000
But running this showed a difference:
[root@ns02 ~]# ipa user-find example
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@ns01 ~]# ipa user-find example
--------------
1 user matched
--------------
User login: example
... extra lines removed ...
----------------------------
Number of entries returned 1
----------------------------
(running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net"
and then "ipa-csreplica-manage -v re-initialize --from ns01.dev.example.net"
did fix the error, but I wasn't certain "why" it worked)
Which log files on my two hosts should I be looking at to find out if
there's an error in IPA?
Normally I'd run a script and then, depending on the exit code, I'd use
"zabbix_sender" to push a status code to my monitoring system. Does anyone
else do something like that?
Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail account
and searched for a bunch of terms, but I could have missed something.
Thanks for any help on this, I'm very puzzled both on the health monitoring
and the replication issue.
-Anthony
6 years, 8 months
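An added example, not a script from Anthony's post: it takes the output of the ldapsearch above from each server, unfolds the LDIF, parses the nsds50ruv values and reports per replica ID how many seconds each server is behind the newest max CSN anybody has seen. On the RUVs quoted above it reports ns02 as 3783134 s (about 44 days) behind on replica 96, which matches the user entry that was visible on ns01 but not ns02. Two things to keep in mind: the post's query is scoped to o=ipaca, which is the CA's own database with its own replication topology, so the domain suffix (presumably dc=dev,dc=example,dc=net) needs the same check separately; and ipa-replica-manage list -v <server> shows the last update status of each agreement, which is the other signal worth pushing into monitoring. The threshold, the password-file convention (ldapsearch -y) and the sample text are assumptions of this example.

```python
"""Compare the replication update vectors (RUVs) of several 389-ds replicas and
report, per replica ID, how many seconds each server is behind.

Input is the output of the post's ldapsearch, run against each server with the
same suffix.  CSN layout (389-ds): 8 hex chars of Unix time, 4 of sequence
number, 4 of replica ID, 4 of sub-sequence.
"""
import re
import subprocess
import sys

MAX_LAG = 3600  # assumed threshold: seconds a server may trail before exit status 1

RUV_RE = re.compile(
    r"\{replica (?P<rid>\d+) (?P<url>ldap://[^}]+)\}"
    r"(?:\s+(?P<min>[0-9a-f]{20}))?(?:\s+(?P<max>[0-9a-f]{20}))?"
)

# Constructed from the two ldapsearch outputs quoted in the post, written the way
# ldapsearch prints them: long values are folded and continued with a leading space.
SAMPLE = {
    "ns01": (
        "nscpentrywsi: nsDS5ReplicaId: 96\n"
        "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711\n"
        " 528b000000600000 599444dd000000600000\n"
        "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711\n"
        " 529d000000610000 58deae97000500610000\n"
    ),
    "ns02": (
        "nscpentrywsi: nsDS5ReplicaId: 97\n"
        "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711\n"
        " 529d000000610000 58deae97000500610000\n"
        "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711\n"
        " 528b000000600000 595a8aff000100600000\n"
    ),
}


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space marks a wrapped line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_csn(csn):
    """Split a 20-hex-digit CSN into its fields; 'time' is Unix seconds."""
    return {"time": int(csn[0:8], 16), "seq": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16), "subseq": int(csn[16:20], 16)}


def parse_ruv(ldif_text):
    """Map replica ID -> {url, min_csn, max_csn} from the nsds50ruv values.
    The {replicageneration} value and replicas without a max CSN are skipped."""
    ruv = {}
    for line in unfold_ldif(ldif_text):
        if "nsds50ruv:" not in line:
            continue
        m = RUV_RE.search(line)
        if m and m.group("max"):
            ruv[int(m.group("rid"))] = {"url": m.group("url"),
                                        "min_csn": m.group("min"), "max_csn": m.group("max")}
    return ruv


def replication_lag(views):
    """views: {server: parse_ruv(...)}.  For every replica ID the newest max CSN
    any server reports is taken as the truth and each server's deficit in
    seconds is returned; None means the server has never heard of that replica."""
    rids = set().union(*(v.keys() for v in views.values()))
    lag = {}
    for rid in sorted(rids):
        seen = {name: parse_csn(v[rid]["max_csn"])["time"]
                for name, v in views.items() if rid in v}
        newest = max(seen.values())
        lag[rid] = {name: (newest - seen[name]) if name in seen else None for name in views}
    return lag


def fetch_ruv(server, suffix, pwfile, bind_dn="cn=directory manager"):
    """Run the post's query against one server over StartTLS; pwfile holds the
    bind password (ldapsearch -y) so it never appears on the command line."""
    cmd = ["ldapsearch", "-LLL", "-ZZ", "-H", f"ldap://{server}", "-D", bind_dn, "-y", pwfile,
           "-b", suffix,
           "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))",
           "nscpentrywsi"]
    return parse_ruv(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def main(argv):
    if len(argv) < 4:
        print(f"usage: {argv[0]} SUFFIX PWFILE SERVER SERVER...", file=sys.stderr)
        return 2
    suffix, pwfile, servers = argv[1], argv[2], argv[3:]
    views = {s: fetch_ruv(s, suffix, pwfile) for s in servers}
    worst = 0
    for rid, deficits in replication_lag(views).items():
        for server, secs in deficits.items():
            state = "has never seen this replica" if secs is None else f"{secs}s behind"
            print(f"replica {rid}: {server} {state}")
            worst = max(worst, MAX_LAG + 1 if secs is None else secs)
    return 1 if worst > MAX_LAG else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is what a cron job would hand to zabbix_sender -o, as the post describes; run it once for the domain suffix and once for o=ipaca. A deficit only says that updates originating on that replica have not arrived; it does not say why, so the next stop is the agreement status from ipa-replica-manage list -v and the replication messages in /var/log/dirsrv/slapd-*/errors on the lagging server.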
Fedora 26 upgrade, mkhomedir stops working
by Steve Weeks
We are running FreeIPA 4.4
I just upgraded a system from fedora 25 to fedora 26 using dnf.
The first problem is that the mkhomedir option is lost. I've reinstated it
with:
authconfig --enablemkhomedir --update
The second problem is that AD users still can't log in. This is a server
system with a tty style login. The response from login is "Login
incorrect". When I look in the logs, I see "Permission denied". hbactest
says that the users should have access.
This all worked before the upgrade. Any clues where to look next?
Thanks,
Steve
6 years, 8 months
Ubuntu 16 Desktop trouble with AD credentials
by Steve Weeks
I'm having trouble logging in via the gui console to an Ubuntu 16 Desktop
host that is affiliated with a FreeIPA server, which in turn is affiliated
with an Active Directory server.
When I try to log in with debugging turned up on the SSSD I see an
underlying error in the krb5_child log file: Cannot find KDC for realm
"EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM
Following an example from the freeipa-users mailing list, I am just working
with kinit and kvno to identify the underlying problem. I get the same
error, which I suppose is good. But I don't know how to resolve it from
here. The transcript is below. On the first try at kvno, I get the same
error. On the second try, it works. Any idea why? I suspect the failure on
the first try is the real problem with authentication from the console.
Any hints what to try next?
Thanks
----- /etc/krb5.conf -----
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
----- Transcript -----
$ kdestroy -A
$ kinit aduser@AD.EXAMPLE.COM
Password for aduser@AD.EXAMPLE.COM:
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: aduser@AD.EXAMPLE.COM
Valid starting       Expires              Service principal
08/14/2017 09:59:22  08/14/2017 19:59:22  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
	renew until 08/15/2017 09:59:17
$ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com@EXAMPLE.COM
[1994] 1502719211.714019: Getting credentials aduser@AD.EXAMPLE.COM ->
host/myhost.example.com@EXAMPLE.COM using ccache
KEYRING:persistent:1000:1000
[1994] 1502719211.714237: Retrieving aduser@AD.EXAMPLE.COM ->
host/myhost.example.com@EXAMPLE.COM from KEYRING:persistent:1000:1000
with result: -1765328243/Matching credential not found
[1994] 1502719211.714318: Retrieving aduser@AD.EXAMPLE.COM ->
krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with
result: -1765328243/Matching credential not found
[1994] 1502719211.714376: Retrieving aduser@AD.EXAMPLE.COM ->
krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM from KEYRING:persistent:1000:1000
with result: 0/Success
[1994] 1502719211.714395: Starting with TGT for client realm:
aduser@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714439: Retrieving aduser@AD.EXAMPLE.COM ->
krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with
result: -1765328243/Matching credential not found
[1994] 1502719211.714456: Requesting TGT
krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM using TGT
krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714486: Generated subkey for TGS request: aes256-cts/020C
[1994] 1502719211.714525: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1994] 1502719211.714605: Encoding request body and padata into FAST request
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.719053: Sending initial UDP request to dgram 192.168.1.2:88
[1994] 1502719211.742171: Received answer (309 bytes) from dgram 192.168.1.2:88
[1994] 1502719211.743066: Response was not from master KDC
[1994] 1502719211.743082: Decoding FAST response
[1994] 1502719211.743109: Request or response is too big for UDP;
retrying with TCP
[1994] 1502719211.743113: Sending request (1686 bytes) to
AD.EXAMPLE.COM (tcp only)
[1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.744908: Initiating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.764062: Sending TCP request to stream 192.168.1.2:88
[1994] 1502719211.805666: Received answer (1643 bytes) from stream
192.168.1.2:88
[1994] 1502719211.805678: Terminating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.806709: Response was not from master KDC
[1994] 1502719211.806735: Decoding FAST response
[1994] 1502719211.806789: FAST reply key: aes256-cts/820C
[1994] 1502719211.806808: TGS reply is for aduser@AD.EXAMPLE.COM ->
krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM with session key aes256-cts/B56C
[1994] 1502719211.806822: TGS request result: 0/Success
[1994] 1502719211.806826: Storing aduser@AD.EXAMPLE.COM ->
krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM in KEYRING:persistent:1000:1000
[1994] 1502719211.806912: Received TGT for service realm:
krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.806915: Requesting tickets for
host/myhost.example.com@EXAMPLE.COM, referrals on
[1994] 1502719211.806924: Generated subkey for TGS request: aes256-cts/D365
[1994] 1502719211.806940: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1994] 1502719211.806968: Encoding request body and padata into FAST request
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting
credentials for host/myhost.example.com@EXAMPLE.COM
$ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.601419: Getting credentials aduser@AD.EXAMPLE.COM ->
host/myhost.example.com@EXAMPLE.COM using ccache
KEYRING:persistent:1000:1000
[1995] 1502719219.601516: Retrieving aduser@AD.EXAMPLE.COM ->
host/myhost.example.com@EXAMPLE.COM from KEYRING:persistent:1000:1000
with result: -1765328243/Matching credential not found
[1995] 1502719219.601556: Retrieving aduser@AD.EXAMPLE.COM ->
krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with
result: 0/Success
[1995] 1502719219.601559: Found cached TGT for service realm:
aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1995] 1502719219.601561: Requesting tickets for
host/myhost.example.com@EXAMPLE.COM, referrals on
[1995] 1502719219.601573: Generated subkey for TGS request: aes256-cts/5EC1
[1995] 1502719219.601592: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1995] 1502719219.601639: Encoding request body and padata into FAST request
[1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
[1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
[1995] 1502719219.604856: Sending initial UDP request to dgram 192.168.1.1:88
[1995] 1502719219.621855: Received answer (1680 bytes) from dgram 192.168.1.1:88
[1995] 1502719219.622767: Response was not from master KDC
[1995] 1502719219.622783: Decoding FAST response
[1995] 1502719219.622834: FAST reply key: aes256-cts/14A3
[1995] 1502719219.622852: TGS reply is for aduser@AD.EXAMPLE.COM ->
host/myhost.example.com@EXAMPLE.COM with session key aes256-cts/B41C
[1995] 1502719219.622866: TGS request result: 0/Success
[1995] 1502719219.622868: Received creds for desired service
host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.622871: Storing aduser@AD.EXAMPLE.COM ->
host/myhost.example.com@EXAMPLE.COM in
KEYRING:persistent:1000:1000
host/myhost.example.com@EXAMPLE.COM: kvno = 7
6 years, 8 months
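An added example, not from Steve's post. The two traces differ in one place: the first run's request to EXAMPLE.COM is sent "(tcp only)", because the AD reply just before it was too large for UDP, and ends in "Cannot find KDC for realm EXAMPLE.COM"; the second run has the cross-realm TGT cached, sends over UDP to 192.168.1.1:88 and succeeds. With dns_lookup_kdc = true, libkrb5 finds KDCs through the _kerberos._udp and _kerberos._tcp SRV records of the realm (or through the KDC list sssd publishes in /var/lib/sss/pubconf/kdcinfo.<REALM> for its locator plugin), so the check below resolves both SRV names, reads the kdcinfo file and tries a TCP connection to port 88 on every candidate. It shells out to dig, which is assumed to be installed; the parsing is pure Python so it can be tested on captured dig output.

```python
"""Check how the KDCs of a Kerberos realm are discovered, over UDP and TCP.

SRV lookups go through `dig +short` (assumed installed); the kdcinfo file is
the one sssd writes for its krb5 locator plugin; the TCP probe is a plain
connect() to port 88, since that is what a "(tcp only)" request needs.
"""
import shutil
import socket
import subprocess
import sys

PUBCONF = "/var/lib/sss/pubconf"  # sssd's public config dir (krb5.include.d lives here too)


def parse_srv(dig_short_output):
    """Turn `dig +short SRV` lines ("prio weight port target.") into a list of
    (host, port) ordered by priority, then by descending weight."""
    rows = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        prio, weight, port, target = parts
        rows.append((int(prio), -int(weight), target.rstrip("."), int(port)))
    rows.sort()
    return [(host, port) for _, _, host, port in rows]


def srv_lookup(realm, proto):
    """Resolve _kerberos._udp.<realm> or _kerberos._tcp.<realm>."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found (bind-utils / dnsutils)")
    name = f"_kerberos._{proto}.{realm.lower()}"
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    return parse_srv(out)


def kdcinfo_hosts(realm, pubconf=PUBCONF):
    """KDCs sssd currently advertises to libkrb5 for this realm, one host[:port]
    per line; an empty list means sssd has not written the file."""
    try:
        with open(f"{pubconf}/kdcinfo.{realm}", encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return []


def split_hostport(entry, default_port=88):
    """'kdc:88' -> ('kdc', 88); bare names get the default port
    (unbracketed IPv6 literals are not handled)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port


def tcp_reachable(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_realm(realm):
    """Return a list of findings; empty means every lookup and probe succeeded."""
    findings, candidates = [], set()
    for proto in ("udp", "tcp"):
        kdcs = srv_lookup(realm, proto)
        print(f"_kerberos._{proto}.{realm.lower()}: {kdcs or 'no SRV records'}")
        if not kdcs:
            findings.append(f"no _kerberos._{proto} SRV record for {realm}")
        candidates.update(kdcs)
    kdcinfo = kdcinfo_hosts(realm)
    print(f"kdcinfo.{realm}: {kdcinfo or 'absent'}")
    candidates.update(split_hostport(e) for e in kdcinfo)
    for host, port in sorted(candidates):
        if not tcp_reachable(host, port):
            findings.append(f"{host}:{port}/tcp not reachable")
    return findings


if __name__ == "__main__":
    realm = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE.COM"
    problems = check_realm(realm)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it as check_kdc.py EXAMPLE.COM on the Ubuntu host. A realm whose _udp record resolves while _tcp does not, or whose KDC drops port 88/tcp, reproduces exactly the split seen in the traces: small exchanges work and the first one that has to fall back to TCP does not.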
Kerberos key having multiple sever entries
by Bhavin Vaidya
Hello,
We have Kerberos authentication failing on our replica server as well as client. We are also not able to add any more client or replica server.
Master FreeIPA server ds01:/etc/krb5.keytab, we get multiple entries.
[root@ds01 log]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
We had someone else trying to help us and now we have this issue.
1. How can we remove newer entries?
2. can we reset the krb5.keytab and if yes what will be the implication on replicas and client?
Thank you,
Bhavin
6 years, 8 months
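An added example, not from Bhavin's post. One caveat first: klist -kt prints one line per stored key, and a principal normally has one key per encryption type, so the four lines with kvno 2 from 2015 are most likely one key in four types rather than four copies; klist -kte shows the type. What does stand out in the listing is that /etc/krb5.keytab on ds01 contains host/ds02.domain.com, which is ds02's own host principal and does not belong in ds01's keytab, and that ds01's kvno 2 key appears a second time with an August 2017 timestamp. The script below parses the -e form and separates the three cases: principals that are not this host's, true duplicates (same principal, kvno and type stored twice) and the kvno history per principal. The sample listing is constructed from the post's entries with assumed encryption types.

```python
"""Audit a host keytab from `klist -kte` output.

klist -kt prints one line per (principal, kvno, encryption type) but only
shows the type with -e, so several lines sharing a kvno and timestamp are
normally the key types of one key.  This parses the -e form and reports
principals that are not this host's own, true duplicates (same
principal/kvno/type stored twice) and the kvno history per principal.
"""
import re
import socket
import subprocess
import sys
from collections import Counter, defaultdict

# e.g. "   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)"
KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<principal>\S+?)"
    r"(?:\s+\((?P<etype>[^)]+)\))?\s*$"
)

# Constructed sample modelled on the listing in the post; the key types are
# assumed, since the post's klist -kt was run without -e.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM (des3-cbc-sha1)
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM (arcfour-hmac)
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """One dict per keytab slot; 'etype' is None when klist ran without -e."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append({"kvno": int(m.group("kvno")), "timestamp": m.group("ts"),
                            "principal": m.group("principal"), "etype": m.group("etype")})
    return entries


def audit_keytab(entries, local_fqdn):
    """Findings for /etc/krb5.keytab on `local_fqdn`, which should hold only
    host/<local_fqdn>@REALM (service keys live in their own keytabs)."""
    own = f"host/{local_fqdn}@"
    foreign = sorted({e["principal"] for e in entries if not e["principal"].startswith(own)})
    slots = Counter((e["principal"], e["kvno"], e["etype"]) for e in entries)
    duplicates = sorted(slot for slot, n in slots.items() if n > 1)
    kvnos = defaultdict(set)
    for e in entries:
        kvnos[e["principal"]].add(e["kvno"])
    return {"foreign": foreign, "duplicates": duplicates,
            "kvnos": {p: sorted(v) for p, v in kvnos.items()}}


def main(argv):
    keytab = argv[1] if len(argv) > 1 else "/etc/krb5.keytab"
    out = subprocess.run(["klist", "-kte", keytab], capture_output=True, text=True, check=True).stdout
    report = audit_keytab(parse_klist(out), socket.getfqdn())
    for p in report["foreign"]:
        print(f"FOREIGN    {p}  (not this host's principal)")
    for principal, kvno, etype in report["duplicates"]:
        print(f"DUPLICATE  {principal} kvno {kvno} {etype}")
    for principal, versions in report["kvnos"].items():
        print(f"KVNOS      {principal}: {versions}")
    return 1 if report["foreign"] or report["duplicates"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Individual slots can be removed with ktutil (rkt /etc/krb5.keytab, list -e, delent N, wkt /tmp/krb5.keytab.new) and the new file swapped in after checking it with klist -kte. Regenerating ds01's host key instead (ipa-getkeytab without -r) creates a new kvno and invalidates tickets issued against the old one, but only for host/ds01: every replica and client holds its own host principal in its own keytab, so their keytabs are unaffected.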
Unable to login with AD users
by Eddleman, David
Hello,
I have created a FreeIPA solution using Red Hat’s IDM product.
FreeIPA version: 4.5.0
OS version: RHEL 7.4
I have successfully installed the server portion and can authenticate to it using local IDM users, such as the ‘admin’ user. I have created a one-way trust between the IPA realm and an AD realm successfully, as `ipa trust-show` demonstrates, returning the SID of the domain. I have also created the local POSIX and external groups and mapped them. `ipa group-show <extgroupname>` returns the external member SID just fine.
However, I cannot authenticate in the server over SSH using one of those AD users. I’ve checked the HBAC rules and they are fine. One thing I noticed when monitoring the securelog when testing is that the IDM users make a call to pam_sss, as expected, but the AD users do not. I have tried multiple ways of passing the user and all are rejected -- user@netbios, user@domainfqdn, netbios\user, and domainfqdn\user.
The user in question is in a single group in AD, and it has been tested with the group being both Domain Local and Universal with the same results. There is only one member of the group, the user that I am attempting login with.
Have I missed something?
David Eddleman
6 years, 8 months
Failed Upgrade?
by Ian Harding
I had an unexpected restart of an IPA server that had apparently had
updates run but had not been restarted. ipactl says pki-tomcatd would
not start.
Strangely, the actual service appears to be running:
[root@seattlenfs slapd-BPT-ROCKS]# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-07-28 11:03:34 PDT; 36min ago
  Process: 14289 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 14406 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomc
at.service
           └─14406 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/...
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: Jul 28, 2017
11:39:50 AM org.apache.catalina.core.ContainerBase backgroundProcess
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: WARNING: Exception
processing realm com.netscape.cms.tomcat.ProxyRealm@67cf2df background
process
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
Jul 28 11:39:50 seattlenfs.bpt.rocks server[14406]: at
java.lang.Thread.run(Thread.java:748)
However, the /var/log/ipaupgrade.log is full of trouble. It ends with:
2017-07-28T17:01:19Z DEBUG The CA status is: check interrupted due to
error: Retrieving CA status failed with status 500
2017-07-28T17:01:19Z DEBUG Waiting for CA to start...
2017-07-28T17:01:20Z DEBUG request POST
http://seattlenfs.bpt.rocks:8080/ca/admin/ca/getStatus
2017-07-28T17:01:20Z DEBUG request body ''
2017-07-28T17:01:20Z DEBUG response status 500
2017-07-28T17:01:20Z DEBUG response headers {'content-length': '2208',
'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
'close', 'date': 'Fri, 28 Jul 2017 17:01:20 GMT', 'content-type':
'text/html;charset=utf-8'}
2017-07-28T17:01:20Z DEBUG response body '<html><head><title>Apache
Tomcat/7.0.69 - Error report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR
size="1" noshade="noshade"><p><b>type</b> Exception
report</p><p><b>message</b> <u>Subsystem
unavailable</u></p><p><b>description</b> <u>The server encountered an
internal error that prevented it from fulfilling this
request.</u></p><p><b>exception</b>
<pre>javax.ws.rs.ServiceUnavailableException: Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:745)\n</pre></p><p><b>note</b>
<u>The full stack trace of the root cause is available in the Apache
Tomcat/7.0.69 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.69</h3></body></html>'
2017-07-28T17:01:20Z DEBUG The CA status is: check interrupted due to
error: Retrieving CA status failed with status 500
2017-07-28T17:01:20Z DEBUG Waiting for CA to start...
2017-07-28T17:01:21Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-07-28T17:01:21Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 48, in run
raise admintool.ScriptError(str(e))
2017-07-28T17:01:21Z DEBUG The ipa-server-upgrade command failed,
exception: ScriptError: CA did not start in 300.0s
2017-07-28T17:01:21Z ERROR CA did not start in 300.0s
2017-07-28T17:01:21Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
Should I just blindly run ipa-server-upgrade again?
Googling had me look at certificate expirations, they seem to be good.
[root@seattlenfs slapd-BPT-ROCKS]# getcert list | grep expires
expires: 2019-05-29 05:54:06 UTC
expires: 2019-05-29 05:53:57 UTC
expires: 2019-05-29 05:53:16 UTC
expires: 2035-07-16 12:51:42 UTC
expires: 2019-05-29 05:53:37 UTC
expires: 2018-08-15 05:20:24 UTC
expires: 2018-08-26 05:01:42 UTC
expires: 2018-08-26 05:01:43 UTC
[root@seattlenfs slapd-BPT-ROCKS]# yum list | grep ipa-
ipa-admintools.noarch               4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-client.x86_64                   4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-client-common.noarch            4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-common.noarch                   4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-python-compat.noarch            4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-server.x86_64                   4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-server-common.noarch            4.4.0-14.el7.centos.7        @test-centos7-updates
ipa-server-dns.noarch               4.4.0-14.el7.centos.7        @test-centos7-updates
[root@seattlenfs slapd-BPT-ROCKS]# yum list | grep pki-
pki-base.noarch                     10.3.3-19.el7_3              @updates
pki-base-java.noarch                10.3.3-19.el7_3              @updates
pki-ca.noarch                       10.3.3-19.el7_3              @updates
pki-kra.noarch                      10.3.3-19.el7_3              @updates
pki-server.noarch                   10.3.3-19.el7_3              @updates
pki-tools.x86_64                    10.3.3-19.el7_3              @updates
[root@seattlenfs slapd-BPT-ROCKS]# yum list | grep tomcat
tomcat.noarch                       7.0.69-12.el7_3              @updates
tomcat-el-2.2-api.noarch            7.0.69-12.el7_3              @updates
tomcat-jsp-2.2-api.noarch           7.0.69-12.el7_3              @updates
tomcat-lib.noarch                   7.0.69-12.el7_3              @updates
tomcat-servlet-3.0-api.noarch       7.0.69-12.el7_3              @updates
tomcatjss.noarch                    7.1.2-3.el7                  @base
[root@seattlenfs slapd-BPT-ROCKS]# yum list | grep java
java-1.7.0-openjdk.x86_64           1:1.7.0.141-2.6.10.1.el7_3   @test-centos7-updates
java-1.7.0-openjdk-devel.x86_64     1:1.7.0.141-2.6.10.1.el7_3   @test-centos7-updates
java-1.7.0-openjdk-headless.x86_64  1:1.7.0.141-2.6.10.1.el7_3   @test-centos7-updates
java-1.8.0-openjdk.x86_64           1:1.8.0.141-1.b16.el7_3      @updates
java-1.8.0-openjdk-headless.x86_64  1:1.8.0.141-1.b16.el7_3      @updates
javamail.noarch                     1.4.6-8.el7                  @base
javapackages-tools.noarch           3.4.1-11.el7                 @base
javassist.noarch                    3.16.1-10.el7                @base
nuxwdog-client-java.x86_64          1.0.3-5.el7                  @base
pki-base-java.noarch                10.3.3-19.el7_3              @updates
python-javapackages.noarch          3.4.1-11.el7                 @base
tzdata-java.noarch                  2017a-1.el7                  @test-centos7-updates
Any other useful information I can provide?
--
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
6 years, 8 months
Can’t SSH with AD user to freeipa joined Centos client
by Alexandre Pitre
I’ve been struggling to get SSH to work with an AD user for over 3 weeks
now. I've scraped the bowels of the internet for answers, still no dice.
The issue is pretty simple in itself, I can’t SSH to a freeipa joined
Centos client 7.3 with an AD user. However, kinit with any AD users as well
as su works just fine. I’m running two 4.4.0 IPA servers.
I made sure the entire setup is resolving DNS properly, NTP(external to
freeipa) is in sync. I’m using FQDN for hostnames.
Here’s the output from journalctl -f:
Jul 27 04:37:10 centos.ipa.ad.com sshd[2633]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: (to admin@ad.com) root on pts/1
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session opened for user admin@ad.com by root(uid=0)
Jul 27 04:37:42 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session closed for user admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received for user admin@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication failure for admin@ad.com from localhost
Jul 27 04:38:38 centos.ipa.ad.com sshd[2674]: Connection closed by ::1 [preauth]
Config files:
/etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IP.AD.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IP.AD.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
/etc/sssd/sssd.conf
[domain/ipa.ad.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ad.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = centos.ipa.ad.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipaserver02.ipa.ad.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.ad.com
[nss]
homedir_substring = /home
[pam]
debug_level= 9
[sudo]
[autofs]
[ssh]
debug_level=9
[pac]
[ifp]
/etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody
I uploaded krb5_child.log and ldap_child.log to
https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD
I managed to get AD user SSH login to work on both my freeipa servers. I had
to modify the following files. See changes in bold.
/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.AD.COM
* dns_lookup_realm = true*
* dns_lookup_kdc = true*
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPA.AD.COM = {
kdc = ipaserver01.ipa.ad.com:88
master_kdc = ipaserver01.ipa.ad.com:88
admin_server = ipaserver01.ipa.ad.com:749
default_domain = ipa.ad.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
* auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/*
* auth_to_local = DEFAULT*
}
[domain_realm]
.ipa.ad.com = IPA.AD.COM
ipa.ad.com = IPA.AD.COM
ipaserver02.ipa.ad.com = IPA.AD.COM
[dbmodules]
IPA.AD.COM = {
db_library = ipadb.so
}
/etc/resolv.conf
search ipa.ad.com ad.com
nameserver 127.0.0.1
*nameserver 192.168.1.2 #Seconday IPA Server*
In /etc/named.conf, I disabled dnssec-validation(dnssec-validation no;)
Not sure those settings were at all necessary.
Adding the following lines under [realms] in krb5.conf on my centos
client machine did not make a difference.
auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/
auth_to_local = DEFAULT
IPv6 has been disabled in /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
If anyone has an idea what may be the issue or where to look, please reply.
Thanks
Alex
6 years, 8 months
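An added example covering both AD-over-SSH posts above (David's, where the AD users never reach pam_sss, and Alex's, where pam_sss is reached and answers 6); it is not code from either post. sshd resolves the login name through NSS (getpwnam) before it starts the PAM conversation: a name NSS cannot resolve is logged as "Invalid user" and cannot log in whatever PAM would have said, so "does the name resolve at all" is the first split, and getent passwd user@ad.domain is the quickest way to see it. A name that resolves but is rejected shows up as the pam_sss "received for user ...: N (...)" line, where N is the PAM return code (6 is PAM_PERM_DENIED), and the reason is usually in /var/log/sssd/krb5_child.log at that timestamp. Separately, and worth a second look: the client krb5.conf posted above names the realm IP.AD.COM while the servers' files say IPA.AD.COM. The journal sample is taken from the post; the tool invocations are guarded with shutil.which so the script runs where they are absent.

```python
"""Walk the layers an AD user's SSH login goes through on a FreeIPA client.

sshd resolves the login name through NSS (getpwnam) before it talks to PAM; a
name that does not resolve is logged as "Invalid user" and cannot succeed, no
matter what pam_sss would say.  A name that resolves but still fails shows up
as a pam_sss "received for user ...: N (...)" line, where N is the PAM return
code.  The journal sample is taken from the post above.
"""
import pwd
import re
import shutil
import subprocess
import sys

# Linux-PAM return codes pam_sss commonly reports (values from <security/_pam_types.h>)
PAM_CODES = {0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<stage>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Journal lines quoted in the second post (Alex's CentOS client).
SAMPLE_JOURNAL = """\
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received for user admin@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication failure for admin@ad.com from localhost
"""


def resolve_user(name):
    """Layer 1, NSS: the passwd entry sshd would get for `name`, or None."""
    try:
        p = pwd.getpwnam(name)
    except KeyError:
        return None
    return {"uid": p.pw_uid, "gid": p.pw_gid, "home": p.pw_dir, "shell": p.pw_shell}


def login_name_forms(user, ad_domain, netbios=None):
    """The spellings the first post tried; sssd's own form for a trusted AD
    user is user@ad.domain, the others only work if sssd is configured for them."""
    forms = [f"{user}@{ad_domain}", f"{ad_domain}\\{user}"]
    if netbios:
        forms += [f"{user}@{netbios}", f"{netbios}\\{user}"]
    return forms


def pam_sss_results(journal_text):
    """Layer 2, PAM: every pam_sss result line, decoded."""
    results = []
    for line in journal_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if m:
            code = int(m.group("code"))
            results.append({"user": m.group("user"), "service": m.group("service"),
                            "stage": m.group("stage"), "code": code,
                            "name": PAM_CODES.get(code, "unknown"), "text": m.group("text")})
    return results


def run(cmd):
    """Run a tool if it is installed; None when it is not."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


def diagnose(login, journal_text=""):
    findings = []
    entry = resolve_user(login)
    if entry is None:
        findings.append(f"NSS cannot resolve '{login}'; pam_sss is never asked about a "
                        f"name sshd could not look up (check getent passwd, the sssd "
                        f"domain log, the trust and its ID range)")
        return findings
    findings.append(f"NSS resolves {login} -> uid {entry['uid']}, home {entry['home']}, "
                    f"shell {entry['shell']}")
    keys = run(["sss_ssh_authorizedkeys", login])
    if keys is not None and keys.returncode != 0:
        findings.append("sss_ssh_authorizedkeys failed (matters for key auth only)")
    for r in pam_sss_results(journal_text):
        if r["user"] == login and r["code"] != 0:
            findings.append(f"pam_sss {r['service']}:{r['stage']} returned {r['code']} "
                            f"{r['name']} ({r['text']}); check /var/log/sssd/krb5_child.log "
                            f"for that timestamp")
    return findings


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "admin@ad.com"
    journal = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for line in diagnose(user, journal):
        print(line)
```

Usage: journalctl -u sshd | python3 ssh_ad_check.py admin@ad.com. Once the name resolves and pam_sss is the one saying no, ipa hbactest --user=admin@ad.com --host=centos.ipa.ad.com --service=sshd on a server confirms whether HBAC is the reason; if it allows the login, the krb5_child log on the client is where the Kerberos side of the failure is written.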
Correcting errors in the CA master certificate
by Scott Stevson
Hi all,
We run IPA 3.0.0 and have a cert on the CA master expiring in about 10 days. The problem is that we mistakenly provisioned the last cert using an old hostname, which means that automatically renewing the cert fails, and the IPA cert checks we run fail with...
ca-error: Server at "http://correct.hostname:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error.
I also get a java NPE error when curling that endpoint.
Is it possible to zero out the existing cert and resubmit it with the correct hostname? This is a production environment supporting several thousand hosts which means I want to test whatever solution I come up with. We have a few staging environments but they're all configured correctly, so I'm wondering if we can intentionally put one into a similar bad state and revert it.
Happy to provide clarifying information if I'm not making sense here.
thx,
6 years, 8 months
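An added example serving both Ian's failed-upgrade post and Scott's expiring-cert post; it is not code from either. It reads the two sources those posts look at: getcert list, where a tracked certificate that certmonger cannot renew shows a ca-error line (the one Scott quotes) and a status other than MONITORING, and the CA status endpoint that ipa-server-upgrade polls at /ca/admin/ca/getStatus, which in Ian's log answered 500 with a Tomcat HTML page instead of the XMLResponse document a running CA returns. Parsing is offline and testable on the constructed sample; the live calls (getcert, an HTTP POST to port 8080 like the one in the upgrade log) only run from main.

```python
"""Spot failing certificate renewals and a CA that is not answering, from the
two sources the posts above look at: `getcert list` and the CA status endpoint.
"""
import re
import socket
import subprocess
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")

# Constructed sample: one healthy tracking request and one in the state the
# second post describes (renewal failing with a ca-error, expiry close).
SAMPLE_GETCERT = "\n".join([
    "Number of certificates and requests being tracked: 2.",
    "Request ID '20170529055406':",
    "\tstatus: MONITORING",
    "\tstuck: no",
    "\tCA: IPA",
    "\tsubject: CN=seattlenfs.bpt.rocks,O=BPT.ROCKS",
    "\texpires: 2019-05-29 05:54:06 UTC",
    "\ttrack: yes",
    "\tauto-renew: yes",
    "Request ID '20170815000000':",
    "\tstatus: CA_UNREACHABLE",
    "\tca-error: Server at \"http://correct.hostname:9180/ca/ee/ca/profileSubmit\" replied: 1: Server Internal Error.",
    "\tstuck: yes",
    "\tCA: dogtag-ipa-renew-agent",
    "\tsubject: CN=old.hostname,O=EXAMPLE",
    "\texpires: 2017-08-25 05:00:00 UTC",
    "\ttrack: yes",
    "\tauto-renew: yes",
])


def parse_getcert(text):
    """One dict per 'Request ID' block, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as '2019-05-29 05:54:06 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def cert_findings(requests, now, warn_days=30):
    """Flag a ca-error, a status other than MONITORING, or expiry within warn_days."""
    findings = []
    for r in requests:
        label = f"{r['id']} ({r.get('subject', '?')})"
        if r.get("ca-error"):
            findings.append(f"{label}: renewal failing: {r['ca-error']}")
        if r.get("status") not in (None, "MONITORING"):
            findings.append(f"{label}: status {r['status']}")
        if "expires" in r:
            left = parse_expiry(r["expires"]) - now
            if left < timedelta(days=warn_days):
                findings.append(f"{label}: expires in {left.days} days ({r['expires']})")
    return findings


def parse_ca_status(body):
    """<Status> from the CA's <XMLResponse>; None for anything else, such as the
    Tomcat HTML error page the first post's upgrade log received."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("Status")
    return node.text.strip() if node is not None and node.text else None


def ca_status(host, port=8080, timeout=10):
    """The same request ipa-server-upgrade makes: POST with an empty body to
    /ca/admin/ca/getStatus on the CA's plain-HTTP port.  Any HTTP error or
    connection failure -> None."""
    req = urllib.request.Request(f"http://{host}:{port}/ca/admin/ca/getStatus",
                                 data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_ca_status(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None


def main():
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    findings = cert_findings(parse_getcert(out), datetime.now(timezone.utc))
    status = ca_status(socket.getfqdn())
    if status != "running":
        findings.append(f"CA status endpoint reports {status!r}, expected 'running'")
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

For a certificate the CA refuses to renew, getcert list -i <request id> shows the full request, including the subject and the CA it is submitted to, which is where a wrong hostname would be visible; the first post's case is different, since the CA subsystem itself is not coming up, and the Tomcat logs under /var/log/pki/pki-tomcat/ are the place the "Subsystem unavailable" page points at.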
reverse DNS problems
by Karl Forner
Hello,
I'm struggling to setup a new replica.
I am now wondering if the DNS configuration is good, especially the reverse
DNS.
When I run ipa-replica, from the host, using the name server from the
freeIPA master, I get:
ipa : DEBUG Check forward/reverse DNS resolution
ipa : DEBUG Search DNS server ipa.quartzbio.com (['10.9.70.6',
'10.9.70.6', '10.9.70.6']) for ipa.quartzbio.com
ipa : DEBUG Check reverse address 10.9.70.6 (ipa.quartzbio.com)
ipa : DEBUG Check failed: NXDOMAIN The DNS query name does not
exist: 6.70.9.10.in-addr.arpa.
ipa : ERROR Reverse DNS resolution of address 10.9.70.6 (
ipa.quartzbio.com) failed. Clients may not function properly. Please check
your DNS setup. (Note that this check queries IPA DNS directly and ignores
/etc/hosts.)
The master freeIPA servers is ipa.quartzbio.com at 10.9.70.6
Looking at the DNS config using the web UI, in the DNS Zone
70.9.10.in-addr.arpa., there is one entry (name="", type=NS, data=
ipa.quartzbio.com), but no record with name=6.
If I type "host 10.9.70.6" from any IPA-enrolled computer, I get
%host 10.9.70.6
Host 6.70.9.10.in-addr.arpa. not found: 3(NXDOMAIN)
I tried adding a new entry: (name="6", type=PTR, data=ipa.quartzbio.com),
but now I get:
%host 10.9.70.6
6.70.9.10.in-addr.arpa domain name pointer
ipa.quartzbio.com.70.9.10.in-addr.arpa.
and ipa-replica-install now fails with:
DEBUG The ipa-replica-install command failed, exception:
HostLookupError: The host name ipa.quartzbio.com does not match the primary
host name ipa.quartzbio.com.70.9.10.in-addr.arpa. Please check /etc/hosts
or DNS name resolution
ERROR The host name ipa.quartzbio.com does not match the primary host
name ipa.quartzbio.com.70.9.10.in-addr.arpa. Please check /etc/hosts or DNS
name resolution
So: how do I fix my reverse DNS configuration? What should it look like?
Thanks.
Karl
6 years, 8 months
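An added example, not Karl's. The second result in the post is the standard DNS relative-name rule at work: a record value without a trailing dot is relative to the zone it is stored in, so a PTR with data ipa.quartzbio.com inside 70.9.10.in-addr.arpa. points at ipa.quartzbio.com.70.9.10.in-addr.arpa., which is exactly the name in the HostLookupError. The functions below make that rule explicit, derive the record name and zone for an address, and do a live forward/reverse round trip through the system resolver (which, unlike the ipa-replica-install check, does honour /etc/hosts). The sample values are the ones from the post.

```python
"""How a PTR value is interpreted inside a reverse zone, plus a live
forward/reverse round-trip check for an address.

Plain DNS rule: a record value without a trailing dot is relative to the zone
it is entered in, so "ipa.quartzbio.com" stored in 70.9.10.in-addr.arpa.
becomes ipa.quartzbio.com.70.9.10.in-addr.arpa., the exact name in the error.
"""
import ipaddress
import socket
import sys


def reverse_name(ip):
    """'10.9.70.6' -> '6.70.9.10.in-addr.arpa.' (IPv6 gives the ip6.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def absolute(name):
    """Make a DNS name fully qualified by appending the root dot if missing."""
    return name if name.endswith(".") else name + "."


def split_reverse(ip, zone):
    """Record name and zone for an address inside a reverse zone:
    ('10.9.70.6', '70.9.10.in-addr.arpa.') -> ('6', '70.9.10.in-addr.arpa.')"""
    full, zone = reverse_name(ip), absolute(zone)
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} is not inside zone {zone}")
    return full[: -len(zone) - 1], zone


def ptr_target(data, zone):
    """The FQDN a PTR value will actually point at once stored in `zone`."""
    return data if data.endswith(".") else f"{data}.{absolute(zone)}"


def check_ptr_data(data, zone, expected_fqdn):
    """True if the value yields the intended hostname; False when a missing
    trailing dot gets it silently qualified with the zone name."""
    return ptr_target(data, zone) == absolute(expected_fqdn)


def resolver_roundtrip(ip):
    """Live check through the system resolver: reverse-resolve the address,
    forward-resolve the name it returns and confirm the address is among the
    results.  Returns (ptr_name_or_None, consistent)."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None, False
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return name, False
    return name, ip in addrs


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.9.70.6"
    name, zone = split_reverse(ip, "70.9.10.in-addr.arpa.")
    print(f"record {name} in zone {zone}")
    print("value as typed   ->", ptr_target("ipa.quartzbio.com", zone))
    print("value with dot   ->", ptr_target("ipa.quartzbio.com.", zone))
    print("resolver round trip:", resolver_roundtrip(ip))
```

The record that makes the check pass is the one the post tried, with the trailing dot on the data: ipa dnsrecord-add 70.9.10.in-addr.arpa. 6 --ptr-rec=ipa.quartzbio.com. (the web UI needs the dot too). Afterwards host 10.9.70.6 should print ipa.quartzbio.com and the replica install's forward/reverse check, which asks IPA DNS directly, should agree with the resolver round trip above.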