Failed to read service file. Hostname does not match any master server in LDAP
by pgb205
Hello everyone.
Periodically and seemingly at random our replicas crash with the above error. Dirsrv shows as stopped and restarting doesn't help. Someone suggested earlier that this is due to problems with the topology plugin, but I don't think that's the cause as we are still on domainlevel=0.
I'm not sure if it's a problem with 389ds or with some other part of FreeIPA. The only other clue I can think of is that we often see inconsistencies between replicas, i.e. a user that is supposed to be present everywhere goes missing on just one of the many replicas.
I'm quite at a loss on how to troubleshoot this further. I hope that someone can assist.
ipactl start
Starting Directory Service
Failed to read data from service file: Failed to get list of services to probe status!
Configured hostname 'server.pop.domain.local' does not match any master server in LDAP:
No master found because of error: no such entry
Shutting down
cat errors
[26/Dec/2017:21:15:56.234793153 +0000] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[26/Dec/2017:21:15:56.236060353 +0000] SSL alert: Security Initialization: Enabling default cipher set.
[26/Dec/2017:21:15:56.236362922 +0000] SSL alert: Configured NSS Ciphers
[26/Dec/2017:21:15:56.236652729 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[26/Dec/2017:21:15:56.236921632 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[26/Dec/2017:21:15:56.237114079 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[26/Dec/2017:21:15:56.237317678 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[26/Dec/2017:21:15:56.237526365 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[26/Dec/2017:21:15:56.237746660 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[26/Dec/2017:21:15:56.237908539 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[26/Dec/2017:21:15:56.238087338 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[26/Dec/2017:21:15:56.238306056 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[26/Dec/2017:21:15:56.238517868 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[26/Dec/2017:21:15:56.238724920 +0000] SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[26/Dec/2017:21:15:56.238889982 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[26/Dec/2017:21:15:56.239048124 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[26/Dec/2017:21:15:56.239233534 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[26/Dec/2017:21:15:56.239402097 +0000] SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[26/Dec/2017:21:15:56.239767245 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[26/Dec/2017:21:15:56.239997083 +0000] SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[26/Dec/2017:21:15:56.240177269 +0000] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[26/Dec/2017:21:15:56.240376177 +0000] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[26/Dec/2017:21:15:56.240585031 +0000] SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[26/Dec/2017:21:15:56.240745192 +0000] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[26/Dec/2017:21:15:56.240897126 +0000] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[26/Dec/2017:21:15:56.241075071 +0000] SSL alert: TLS_AES_128_GCM_SHA256: enabled
[26/Dec/2017:21:15:56.241245788 +0000] SSL alert: TLS_CHACHA20_POLY1305_SHA256: enabled
[26/Dec/2017:21:15:56.241456256 +0000] SSL alert: TLS_AES_256_GCM_SHA384: enabled
[26/Dec/2017:21:15:56.241617090 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[26/Dec/2017:21:15:56.241766851 +0000] SSL alert: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[26/Dec/2017:21:15:56.241947040 +0000] SSL alert: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[26/Dec/2017:21:15:56.249524586 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[26/Dec/2017:21:15:56.249909319 +0000] 389-Directory/1.3.5.10 B2017.102.203 starting up
[26/Dec/2017:21:15:56.261829771 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[26/Dec/2017:21:15:56.269563770 +0000] WARNING: changelog: entry cache size 2097152 B is less than db size 149151744 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[26/Dec/2017:21:15:56.300878069 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[26/Dec/2017:21:15:56.399266161 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[26/Dec/2017:21:15:56.406444789 +0000] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=domain,dc=local)
[26/Dec/2017:21:15:56.406758873 +0000] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
[26/Dec/2017:21:15:56.423696836 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[26/Dec/2017:21:15:56.434117007 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
[26/Dec/2017:21:15:56.434370916 +0000] Listening on All Interfaces port 636 for LDAPS requests
[26/Dec/2017:21:15:56.434602326 +0000] Listening on /var/run/slapd-domain-local.socket for LDAPI requests
[26/Dec/2017:21:15:56.517403933 +0000] slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[26/Dec/2017:21:15:56.517944438 +0000] slapd shutting down - waiting for 28 threads to terminate
[26/Dec/2017:21:15:56.518216669 +0000] slapd shutting down - closing down local subsystems and plugins
[26/Dec/2017:21:16:01.429082375 +0000] Waiting for 4 database threads to stop
[26/Dec/2017:21:16:02.283796028 +0000] All database threads now stopped
[26/Dec/2017:21:16:02.302693986 +0000] slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
[26/Dec/2017:21:16:02.439672563 +0000] slapd stopped.
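The ipactl message above comes from looking the configured hostname up among the entries under cn=masters,cn=ipa,cn=etc,<suffix>. The following is an added example, not code from the post or from FreeIPA: it reads ldapsearch -LLL style LDIF of that subtree (the LDIF here is constructed sample data using the suffix seen in the post's log) and reports whether a hostname is registered exactly, only after case and trailing-dot normalization, or not at all. The DN layout is FreeIPA's; the function and variable names are this example's own.

```python
"""Check whether a host's configured FQDN is one of the IPA masters listed
in LDAP, working from `ldapsearch -LLL` output of the cn=masters subtree.

Added example; not code from the post or from FreeIPA. The DN layout
cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> is FreeIPA's; the LDIF below is
constructed sample data, and the suffix dc=domain,dc=local is the one that
appears in the post's log lines.
"""
import re

# Constructed sample: what
#   ldapsearch -LLL -b cn=masters,cn=ipa,cn=etc,dc=domain,dc=local cn
# might print for a two-master topology. server.pop.domain.local is absent.
SAMPLE_LDIF = """\
dn: cn=masters,cn=ipa,cn=etc,dc=domain,dc=local
cn: masters

dn: cn=ipa1.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local
cn: ipa1.pop.domain.local

dn: cn=IPA2.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local
cn: IPA2.pop.domain.local
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr: [values]} dicts.
    Handles blank-line-separated entries and RFC 2849 line continuations
    (a line starting with one space continues the previous line)."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize(host):
    """Hostname comparison form: lower-case, trailing dot removed."""
    return host.strip().lower().rstrip(".")


# RDN of an entry directly under cn=masters (case-insensitive, as LDAP DNs are).
MASTER_DN = re.compile(r"^cn=([^,]+),cn=masters,cn=ipa,cn=etc,", re.IGNORECASE)


def masters_from_ldif(text):
    """Set of master FQDNs, taken from the RDN of each entry under cn=masters."""
    masters = set()
    for entry in parse_ldif(text):
        for dn in entry.get("dn", []):
            m = MASTER_DN.match(dn)
            if m:
                masters.add(m.group(1))
    return masters


def check_hostname(configured, masters):
    """Return (exact_match, normalized_match, message).
    A hit only after normalization points at a case or trailing-dot
    difference between the host's configured name and its master entry,
    rather than at a missing entry."""
    if configured in masters:
        return True, True, "configured hostname is a registered master"
    near = {m for m in masters if normalize(m) == normalize(configured)}
    if near:
        return False, True, "matches only after normalization: %s" % sorted(near)
    return False, False, "no master entry for %r; registered: %s" % (configured, sorted(masters))


if __name__ == "__main__":
    masters = masters_from_ldif(SAMPLE_LDIF)
    for host in ("ipa1.pop.domain.local", "ipa2.pop.domain.local", "server.pop.domain.local"):
        print(host, "->", check_hostname(host, masters))
```

On a real server the LDIF would come from an ldapsearch over the LDAPI socket shown in the post's log; the comparison logic is the same.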
migrate/transfer DNS(whole) a zone
by lejeczek
Hi everyone,
Is there a standardized way to migrate DNS, or just zones, between IPAs using standard tools?
Or any other manual-labour way?
many thanks, L.
client fails - requested domain name does not match the server's certificate
by lejeczek
Hi everyone,
I'm trying to install a client with given values, but it fails quickly:
$ ipa-client-install --server=lxc-ipa1-rider.priv.xx.xx.priv.xx.xx.x. --domain=priv.xx.xx.priv.xx.xx.x. --no-ntp
Autodiscovery of servers for failover cannot work with this
configuration.
If you proceed with the installation, services will be
configured to always access the discovered server for all
operations and will not fail over to other servers in case
of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: lxc-ipawhale1.priv.xx.xx.priv.xx.xx.x
Realm: PRIVATE.xx.xx.PRIVATE.xx.xx.x
DNS Domain: priv.xx.xx.priv.xx.xx.x
IPA Server: lxc-ipa1-rider.priv.xx.xx.priv.xx.xx.x.
BaseDN: dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x:
Successfully retrieved CA cert
Subject: CN=Certificate
Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
Issuer: CN=Certificate
Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
Valid From: 2018-01-04 17:13:36
Valid Until: 2038-01-04 17:13:36
Joining realm failed: libcurl failed to execute the HTTP
POST transaction, explaining: Unable to communicate
securely with peer: requested domain name does not match the
server's certificate.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command
'ipa-client-automount --uninstall --debug' returned non-zero
exit status 1
The server's end seems fine, but I cannot be 100% sure (not an expert).
Would you have some suggestions?
many thanks, L.
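The "requested domain name does not match the server's certificate" failure is the TLS hostname check performed by libcurl/NSS. As an added example (not from the post, FreeIPA or NSS), the matcher below applies the RFC 6125 rules such a check follows: the requested name is compared label by label, case-insensitively, against the certificate's dNSName SANs (the CN only when no SAN is present), with a wildcard accepted only as the whole left-most label. The certificate names are constructed; the requested name is the --server value exactly as it appears in the post, trailing dot included, and the example shows that the trailing dot alone is enough to make an otherwise identical name fail the comparison. Whether that is the cause in this particular case the thread does not say; it is simply the first thing this comparison flags.

```python
"""TLS server-name matching of the kind libcurl/NSS perform when
ipa-client-install connects to the IPA server's HTTPS endpoint.

Added example, not from the post or from FreeIPA/NSS. It follows RFC 6125:
compare the requested name against each dNSName SAN (or the CN when there is
no SAN), case-insensitively, with a wildcard allowed only as the entire
left-most label. SERVER_SANS is a constructed certificate name; REQUESTED is
the --server value shown in the post, which ends with a trailing dot.
"""


def _label_matches(pattern_label, host_label):
    # Only a whole-label "*" is accepted; partial wildcards ("f*o") are refused.
    return pattern_label == "*" or pattern_label == host_label


def name_matches(cert_name, requested):
    """True if one certificate name (SAN dNSName or CN) covers `requested`.
    Labels are compared after lower-casing; a trailing dot on either side
    yields a different label sequence and therefore does not match."""
    p = cert_name.lower().split(".")
    h = requested.lower().split(".")
    if len(p) != len(h):
        return False
    if "*" in p[0] and len(p) < 3:
        return False  # no wildcard directly under a public suffix ("*.test")
    if any("*" in lbl for lbl in p[1:]):
        return False  # wildcard permitted in the left-most label only
    return all(_label_matches(a, b) for a, b in zip(p, h))


def cert_covers(requested, sans, cn=None):
    """Verifier precedence: when the certificate carries dNSName SANs the CN
    is ignored; the CN is consulted only when there are no SANs."""
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(c, requested) for c in candidates)


def strip_trailing_dot(hostname):
    """Turn an absolute DNS name ("host.example.") into the form that
    appears in certificates ("host.example")."""
    return hostname[:-1] if hostname.endswith(".") else hostname


# Constructed SAN for the server named in the post.
SERVER_SANS = ["lxc-ipa1-rider.priv.xx.xx.priv.xx.xx.x"]
# The --server argument exactly as passed in the post (note the trailing dot).
REQUESTED = "lxc-ipa1-rider.priv.xx.xx.priv.xx.xx.x."

if __name__ == "__main__":
    print("as given    :", cert_covers(REQUESTED, SERVER_SANS))
    print("dot stripped:", cert_covers(strip_trailing_dot(REQUESTED), SERVER_SANS))
```

The same function also answers the usual questions about wildcard certificates: `*.example.test` covers `a.example.test` but not `a.b.example.test`, and a wildcard anywhere other than the first label is rejected.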
debian 8 freeipa-client
by Andrew Radygin
Hello!
I have a FreeIPA server 4.5 on CentOS 7,
and want to enroll a host on Debian 8 into the domain.
I've found freeipa-client 4.4 in the sid repo; installing it was almost
successful...
apt-get cannot complete configuring certmonger, and I got the following
error:
======
# journalctl -u certmonger
-- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21 15:39:01 MSK. --
Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring and PKI enrollment...
Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 [18411] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.4" is not allowed to own the service "org.fedora
Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE
Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered failed state.
========
Does anyone know how to deal with it?
Thanks!
--
Best regards, Andrew.
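The certmonger failure above is a D-Bus policy decision: the system bus refused to let the connection own the well-known name org.fedorahosted.certmonger. As an added example (not from the post, from certmonger or from dbus-daemon), the code below evaluates a bus policy the way dbus-daemon(1) describes (default-context rules, then group, then user, then mandatory-context rules; among the rules that match, the last one wins) to answer whether a given user may own a name. The policy XML is constructed in the usual shape of a service's /etc/dbus-1/system.d/*.conf; what the Debian package actually installs, if anything, has to be checked on the host itself.

```python
"""Evaluate a D-Bus system-bus policy to see whether a user may own a
well-known bus name, i.e. the check behind
"Connection ... is not allowed to own the service ...".

Added example, not from the post, from certmonger or from dbus-daemon. The
policy XML is constructed; it has the shape a service's
/etc/dbus-1/system.d/<service>.conf normally takes (a default deny of name
ownership plus a per-user allow). Rule ordering follows dbus-daemon(1):
default-context policies first, then group, then user, then mandatory
context; within that order the last matching rule decides.
"""
import xml.etree.ElementTree as ET

# Constructed policy: with the <policy user="root"> block present, root may
# own the name; without it the default deny decides.
POLICY_WITH_ALLOW = """\
<busconfig>
  <policy context="default">
    <deny own="*"/>
  </policy>
  <policy user="root">
    <allow own="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>
"""

# Same policy with the per-user allow removed, as a hypothetical broken install.
POLICY_MISSING_ALLOW = POLICY_WITH_ALLOW.replace(
    '  <policy user="root">\n    <allow own="org.fedorahosted.certmonger"/>\n  </policy>\n', "")


def _rule_matches(rule, name):
    """Does this <allow>/<deny> element speak about owning `name`?"""
    own = rule.get("own")
    prefix = rule.get("own_prefix")
    if own is not None:
        return own == "*" or own == name
    if prefix is not None:
        return name == prefix or name.startswith(prefix + ".")
    return False  # rule is about send/receive, not ownership


def may_own(policy_xml, name, user, groups=()):
    """True if `user` (member of `groups`) may own bus name `name`."""
    root = ET.fromstring(policy_xml)
    ordered = []
    for ctx in ("default", "group", "user", "mandatory"):
        for pol in root.findall("policy"):
            if ctx in ("default", "mandatory") and pol.get("context") == ctx:
                ordered.append(pol)
            elif ctx == "group" and pol.get("group") in groups:
                ordered.append(pol)
            elif ctx == "user" and pol.get("user") == user:
                ordered.append(pol)
    # Start from deny, as the system bus's own system.conf does with <deny own="*"/>.
    verdict = False
    for pol in ordered:
        for rule in pol:
            if rule.tag in ("allow", "deny") and _rule_matches(rule, name):
                verdict = rule.tag == "allow"
    return verdict


if __name__ == "__main__":
    name = "org.fedorahosted.certmonger"
    print("intact policy, root  :", may_own(POLICY_WITH_ALLOW, name, "root"))
    print("intact policy, nobody:", may_own(POLICY_WITH_ALLOW, name, "nobody"))
    print("allow missing, root  :", may_own(POLICY_MISSING_ALLOW, name, "root"))
```

The evaluation ignores send/receive rules on purpose; only name ownership matters for the error in the post.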
Re: AD Trust
by Николай Савельев
I have an IPA domain with an AD trust. id ad_users@ad_domain works. su ad_users@ad_domain works.
kinit ad_users@ad_domain doesn't work on Ubuntu but works on CentOS 7.
What?
/etc/krb5.conf is the same.
The IPA servers work on CentOS 7. The IPA client works on Ubuntu 14.04 or 16.04.
I also can't get access from AD member Windows machines to SAMBA shares on IPA member Linux machines.
What can I do?
Oh, I forgot to mention the error!
For kinit of an AD user I get:
kinit: KDC reply did not match expectations while getting initial credentials
My krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = FS.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
dns_canonicalize_hostname = false
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FS.LAN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.fs.lan = FS.LAN
fs.lan = FS.LAN
--
Best regards, Николай.
AD Trust
by Николай Савельев
I have an IPA domain with an AD trust. id ad_users@ad_domain works. su ad_users@ad_domain works.
kinit ad_users@ad_domain doesn't work on Ubuntu but works on CentOS 7.
What?
/etc/krb5.conf is the same.
The IPA servers work on CentOS 7. The IPA client works on Ubuntu 14.04 or 16.04.
I also can't get access from AD member Windows machines to SAMBA shares on IPA member Linux machines.
What can I do?
--
Best regards, Николай.
Correct ownership for /etc/httpd/alias/ipasession.key
by Ian Pilcher
Can someone check the correct ownership and permissions of
/etc/httpd/alias/ipasession.key? I have a feeling I may have messed
mine up as I was copying the directory around.
I currently have:
-rw-------. 1 root root 32 Sep 27 10:07 ipasession.key
Thanks!
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
Renew expired certs with certmonger
by Qing Chang
Greetings,
we have some certs that expired on Dec 27, ipaCert among them, and IPA (VERSION:
4.4.0, API_VERSION: 2.213) stopped working.
I have spent many hours trying to renew the certs, to no avail.
I have followed a collection of tips from this list:
rolled back the clock to before the expiry (Dec 23),
enabled debug logs for the certmonger renewal log (getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv'),
added debug=true to /etc/ipa/default.conf,
ipactl start starts everything successfully,
systemctl start pki-tomcatd@pki-tomcat,
systemctl restart certmonger.
Before resubmitting, "getcert list" has this; note ca-error: Invalid cookie: '':
-----
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170201190112':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Audit,O=CAMHRES.CA
expires: 2017-12-27 14:36:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190113':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=OCSP Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190114':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190115':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=Certificate Authority,O=CAMHRES.CA
expires: 2036-01-07 14:36:42 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190116':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=IPA RA,O=CAMHRES.CA
expires: 2017-12-27 14:37:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170201190117':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-11-19 19:38:26 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190118':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CAMHRES-CA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:29 UTC
principal name: ldap/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv CAMHRES-CA
track: yes
auto-renew: yes
Request ID '20170201190119':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:38 UTC
principal name: HTTP/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-----
After resubmitting:
ipa-getcert resubmit -i 20170201190112
ipa-getcert resubmit -i 20170201190113
ipa-getcert resubmit -i 20170201190114
ipa-getcert resubmit -i 20170201190116
getcert list shows this, note status: CA_WORKING:
-----
Number of certificates and requests being tracked: 8.
Request ID '20170201190112':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Audit,O=CAMHRES.CA
expires: 2017-12-27 14:36:44 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190113':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=OCSP Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190114':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=CA Subsystem,O=CAMHRES.CA
expires: 2017-12-27 14:36:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190115':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=Certificate Authority,O=CAMHRES.CA
expires: 2036-01-07 14:36:42 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190116':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=IPA RA,O=CAMHRES.CA
expires: 2017-12-27 14:37:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170201190117':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-11-19 19:38:26 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170201190118':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CAMHRES-CA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-CAMHRES-CA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:29 UTC
principal name: ldap/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv CAMHRES-CA
track: yes
auto-renew: yes
Request ID '20170201190119':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CAMHRES.CA
subject: CN=rprshipav01.camhres.ca,O=CAMHRES.CA
expires: 2019-12-11 19:38:38 UTC
principal name: HTTP/rprshipav01.camhres.ca(a)CAMHRES.CA
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-----
Nothing happens from now on, and /var/log/ipa/renew.log does not log any new
messages after these:
-----
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab /etc/krb5.keytab
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-1aYw7c/ccache
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Attempt 1/1: success
2017-12-23T05:55:52Z 5538 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:55:52Z 5538 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection context.ldap2_80840016
2017-12-23T05:55:52Z 5538 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x41b2170>
2017-12-23T05:55:52Z 5538 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection context.ldap2_80840016
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab /etc/krb5.keytab
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-VDJjQv/ccache
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Attempt 1/1: success
2017-12-23T05:56:02Z 5543 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:56:03Z 5543 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection context.ldap2_77880784
2017-12-23T05:56:03Z 5543 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4a46e60>
2017-12-23T05:56:03Z 5543 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection context.ldap2_77880784
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab /etc/krb5.keytab
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-BQMLXO/ccache
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Attempt 1/1: success
2017-12-23T05:56:12Z 5548 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:56:12Z 5548 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection context.ldap2_82537872
2017-12-23T05:56:12Z 5548 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eba710>
2017-12-23T05:56:13Z 5548 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection context.ldap2_82537872
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Initializing principal host/rprshipav01.camhres.ca(a)CAMHRES.CA using keytab /etc/krb5.keytab
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG using ccache /var/run/certmonger/tmp-zvyYAy/ccache
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Attempt 1/1: success
2017-12-23T05:56:22Z 5549 MainThread ipa DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-12-23T05:56:22Z 5549 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Created connection context.ldap2_104689040
2017-12-23T05:56:22Z 5549 MainThread ipa.ipapython.ipaldap.SchemaCache DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-CAMHRES-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x63dbea8>
2017-12-23T05:56:23Z 5549 MainThread ipa.ipaserver.plugins.ldap2.ldap2 DEBUG Destroyed connection context.ldap2_104689040
-----
/var/log/pki/pki-tomcat/ca/selftests.log does not log any errors:
-----
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [23/Dec/2017:00:02:48 EST] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [23/Dec/2017:00:47:25 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [23/Dec/2017:00:47:26 EST] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [23/Dec/2017:00:48:20 EST] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
-----
Can someone shed some light on this? I may have missed some logs but can
provide them if required.
Many thanks,
Qing
6 years, 3 months
sssd[nss] failure - cannot login to freeipa console
by Peter Larsen
I'm not sure exactly how to diagnose the actual cause of the issue.
Every login, even as "admin" on the ipa/ui returns a "your session has
expired. Please re-login". I can use kinit and login just fine - it
seems authentication with the host key may be at fault.
Version: 4.5.0-22.el7_4 (RHEL7.4)
When I look at /var/log/sssd/sssd_nss.log I see several lines that look
like the cause of the issue:
(Mon Jan 1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The
Data Provider returned an error
[org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jan 1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv]
(0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from
Data Provider
I'm also seeing a lot of these in krb5kdc.log but from what I gather
from searching I can ignore those:
Jan 01 14:30:17 host.demo.net krb5kdc[9094](info): AS_REQ (8 etypes {18
17 16 23 25 26 20 19}) 10.10.10.70: NEEDED_PREAUTH:
host/host.demo.net@DEMO.NET for krbtgt/DEMO.NET@DEMO.NET, Additional
pre-authentication required
In /var/log/httpd/errors:
[Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client
71.63.27.120:55198] failed to set perms (3140) on file
(/var/run/ipa/ccaches/admin@DEMO.NET)!, referer:
https://host.demo.net/ipa/ui/
[Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401
Unauthorized: Insufficient access: Invalid credentials
I'm trying to figure out how to diagnose the actual cause here. The file
above (failed to set perms):
-rw-------. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 admin@DEMO.NET
Now, if apache tries to do something to these files then "duh" of course
it's going to be denied. This used to work - so I'm not sure what's
going on here? Again, trying to figure out a good process to diagnose to
find the root cause.
--
Regards Peter Larsen
6 years, 3 months
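An added example for triaging the two logs quoted in the post above; it is not from Peter's post, from sssd or from FreeIPA. It parses the sssd debug-log format and the Apache 2.4 error_log format, then pairs each "401 Unauthorized" in the httpd log with a Data Provider offline event that precedes it within a short window. The sample lines are constructed from the ones in the post; the 14:31:40 and 14:40:02 entries are invented to show the non-matching case. A pairing only shows that the UI failure and the backend outage coincide in time, which is where to look next; it does not prove that one caused the other.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the lines quoted in the post above.
# The 14:40:02 and 14:31:40 entries are invented to show a non-matching case.
SSSD_NSS_LOG = """\
(Mon Jan  1 14:25:11 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Mon Jan  1 14:25:11 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #0: Data Provider Error: 3, 5, Failed to get reply from Data Provider
(Mon Jan  1 14:40:02 2018) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #7: Data Provider Error: 3, 5, Failed to get reply from Data Provider
"""

HTTPD_ERROR_LOG = """\
[Mon Jan 01 14:25:11.692739 2018] [:warn] [pid 798] [client 71.63.27.120:55198] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@DEMO.NET)!, referer: https://host.demo.net/ipa/ui/
[Mon Jan 01 14:25:11.779316 2018] [:error] [pid 31609] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Mon Jan 01 14:31:40.100000 2018] [:error] [pid 31609] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
"""

# sssd debug log line: "(timestamp) [sssd[component]] [function] (0xLEVEL): message"
SSSD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Apache 2.4 error_log line: "[timestamp] [module:severity] [pid N] [client ip:port] message"
HTTPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<severity>[^\]]+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# Messages that show the NSS responder could not get an answer from its backend.
DP_OFFLINE_MARKERS = (
    "org.freedesktop.sssd.Error.DataProvider.Offline",
    "Failed to get reply from Data Provider",
)


def parse_sssd(text):
    """Parse sssd debug log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if not m:
            continue
        # sssd pads the day of month with a space ("Jan  1"); collapse it before parsing.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        records.append({"ts": ts, "component": m["comp"], "function": m["func"],
                        "level": int(m["level"], 16), "msg": m["msg"]})
    return records


def parse_httpd(text):
    """Parse Apache 2.4 error_log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = HTTPD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        records.append({"ts": ts, "module": m["module"], "severity": m["severity"],
                        "pid": int(m["pid"]), "client": m["client"], "msg": m["msg"]})
    return records


def dp_offline_events(sssd_records):
    """Keep only the sssd records that report the Data Provider as offline/unreachable."""
    return [r for r in sssd_records if any(k in r["msg"] for k in DP_OFFLINE_MARKERS)]


def correlate(sssd_text, httpd_text, window=timedelta(seconds=5)):
    """Pair each '401 Unauthorized' in the httpd log with the latest sssd offline
    event that precedes it by no more than `window`. Returns (httpd_record,
    sssd_record) tuples; 401s with no nearby offline event are left out."""
    offline = dp_offline_events(parse_sssd(sssd_text))
    hits = []
    for h in parse_httpd(httpd_text):
        if "401 Unauthorized" not in h["msg"]:
            continue
        candidates = [e for e in offline if timedelta(0) <= h["ts"] - e["ts"] <= window]
        if candidates:
            hits.append((h, max(candidates, key=lambda e: e["ts"])))
    return hits


if __name__ == "__main__":
    for h, e in correlate(SSSD_NSS_LOG, HTTPD_ERROR_LOG):
        print(f"{h['ts']} pid {h['pid']}: {h['msg']}")
        print(f"    preceded by sssd[{e['component']}] {e['function']}: {e['msg']}")
```

To run it against real files, pass the contents of /var/log/sssd/sssd_nss.log and /var/log/httpd/error_log to `correlate()`; the sssd responder must be logging at a debug level that includes the 0x0010/0x0040 messages, and the two logs must come from the same host so the clocks agree.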
How to disable browser-based Kerberos?
by Anthony Clark
In the previous versions of FreeIPA, this worked to disable the
browser-side Kerberos login prompt:
# version 27 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
<If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</If>
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
I've been asked to disable the password dialog popup because it is
confusing to end users.
Before, in ipa.conf this worked to disable the dialog popup:
# version 22 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
<If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</If>
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
But inserting the "If useragent = chrome/ie" now just gives me a
"forbidden" popup.
Does anyone know of a way to disable the browser's Kerberos password popup?
Thanks,
Anthony Clark
6 years, 3 months
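An added example, not part of Anthony's post or of FreeIPA, for checking what a given client actually receives from the server under this configuration. `gssapi_challenge_expected` mirrors the `<If>` condition in the ipa.conf fragment above; `negotiate_offered` parses WWW-Authenticate challenges so that Negotiate is detected even when it is combined with other schemes or split across repeated headers; `probe` requests a URL with a chosen User-Agent and reports the status code and whether Negotiate was offered. The URL is taken from the command line (the host name in the usage comment is the one from the post and is only an illustration). Two things the condition itself does not say: the User-Agent is set by the client and is trivially forged (`curl -A`), so gating the challenge on it is a usability measure, not an access-control boundary; and "Mozilla" appears in the User-Agent of Chrome, Firefox, Safari and Edge alike, so the regex excludes essentially every browser, not only the three it names.

```python
import re
import sys
import urllib.error
import urllib.request

# The <If> condition from the ipa.conf fragment above: the GSSAPI block is applied
# only when the User-Agent does NOT match this pattern.
BROWSER_UA_RE = re.compile(r"(Chrome|Mozilla|MSIE)")


def gssapi_challenge_expected(user_agent):
    """Mirror the Apache condition: True when the GSSAPI block would apply to this client."""
    return BROWSER_UA_RE.search(user_agent) is None


def _split_challenges(value):
    """Split a WWW-Authenticate value on commas that sit outside double quotes,
    so 'Basic realm="a, b", charset="UTF-8"' is not broken inside the realm."""
    return re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value)


def negotiate_offered(header_items):
    """True if any WWW-Authenticate challenge uses the Negotiate scheme.

    header_items is an iterable of (name, value) pairs, as returned by
    http.client.HTTPMessage.items(); repeated headers are all inspected."""
    for name, value in header_items:
        if name.lower() != "www-authenticate":
            continue
        for challenge in _split_challenges(value):
            words = challenge.strip().split(None, 1)
            # The scheme is the first bare token of each challenge; parameter
            # continuations such as charset="UTF-8" never equal "negotiate".
            if words and words[0].lower() == "negotiate":
                return True
    return False


def probe(url, user_agent, timeout=10):
    """Request url with the given User-Agent and return (status, negotiate_offered).
    A 401 is the expected answer where the GSSAPI block applies, so HTTPError
    is treated as a normal response, not a failure."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), negotiate_offered(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, negotiate_offered(err.headers.items())


if __name__ == "__main__":
    # Usage (host name from the post, illustrative only):
    #   python3 probe_negotiate.py https://host.demo.net/ipa/ui/
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} URL")
    for ua in ("Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0",
               "curl/7.29.0"):
        status, offered = probe(sys.argv[1], ua)
        print(f"{ua!r}: expected GSSAPI={gssapi_challenge_expected(ua)} "
              f"status={status} negotiate_offered={offered}")
```

urllib validates the server certificate against the system trust store, so run the probe from a host that trusts the IPA CA (an enrolled client does). Comparing `expected GSSAPI` with `negotiate_offered` for a browser-style and a non-browser User-Agent is the quickest way to see whether the `<If>` block is actually in effect after a config change, without involving a browser's own Kerberos settings.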