New replica (4.5) issues
by john.bowman@zayo.com
After some trial and error I was finally able to get a new replica + CA (RHEL 7.4 and ipa-server 4.5) added to our existing mixed environment (RHEL 6 and ipa-server 3.0 - 4.x), and the ipa-replica-install command completed successfully, but now when I run the ipa-replica-manage -v list <host> command I see this:
# ipa-replica-manage -v list ipa5.domain.tld
Directory Manager password:
ipa1.domain.tld: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
last update ended: 1970-01-01 00:00:00+00:00
I ran the ipa-replica-manage re-initialize and it runs successfully and the above permission denied error goes away, but the host cannot be connected to any other replicas; it no longer sees itself as a replica or csreplica. I assume this is due to the re-init. I'm leery of trying to force it to try and join and potentially cause more issues. I would appreciate any helpful suggestions.
6 years, 2 months
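As an added example (not part of the post above and not FreeIPA's own tooling), here is a small parser for the `ipa-replica-manage -v list` output shown above that flags agreements whose last update failed or never completed. The sample output is constructed to mirror the post and the peer names are placeholders. Two things the output makes easy to misread: 389-ds prefixes every status with "Error (N)" even when N is 0 and the update succeeded, so the numeric code is what to look at; and a "last init ended" of 1970-01-01 only means this agreement never ran a total re-initialization, which is usual for a peer that was initialized through a different agreement, so the check below does not treat it as a fault.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of `ipa-replica-manage -v list <host>` output,
# modelled on the post above: one agreement whose updates fail (code 3) and have
# never completed (epoch timestamps), and one healthy agreement. Peer names are
# placeholders, not captured from a real deployment.
SAMPLE_OUTPUT = """\
ipa1.domain.tld: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
  last update ended: 1970-01-01 00:00:00+00:00
ipa2.domain.tld: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-01-30 19:00:01+00:00
"""

EPOCH = "1970-01-01 00:00:00+00:00"  # 389-ds prints "never" as the Unix epoch
PEER_RE = re.compile(r"^(\S+): (replica|winsync)$")
# Every status is printed as "Error (N) text"; N == 0 is a successful update.
STATUS_RE = re.compile(r"^Error \((\d+)\)\s*(.*)$")


@dataclass
class Agreement:
    peer: str
    init_status: str = "None"
    init_ended: str = ""
    update_status: str = "None"
    update_ended: str = ""


def parse_replica_list(text: str) -> List[Agreement]:
    """Parse the per-peer blocks of `ipa-replica-manage -v list` output."""
    agreements: List[Agreement] = []
    current: Optional[Agreement] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PEER_RE.match(line)
        if m:
            current = Agreement(peer=m.group(1))
            agreements.append(current)
            continue
        if current is None or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "last init status":
            current.init_status = value
        elif key == "last init ended":
            current.init_ended = value
        elif key == "last update status":
            current.update_status = value
        elif key == "last update ended":
            current.update_ended = value
    return agreements


def status_code(status: str) -> Optional[int]:
    """Numeric code embedded in a status string; None when no status was recorded."""
    m = STATUS_RE.match(status)
    return int(m.group(1)) if m else None


def audit_agreements(agreements: List[Agreement]) -> Dict[str, List[str]]:
    """Per peer, the reasons this agreement cannot be trusted to be replicating."""
    findings: Dict[str, List[str]] = {}
    for a in agreements:
        reasons: List[str] = []
        m = STATUS_RE.match(a.update_status)
        if m is None:
            reasons.append("no update status recorded")
        elif int(m.group(1)) != 0:
            reasons.append(f"last update failed with code {m.group(1)}: {m.group(2)}")
        if a.update_ended == EPOCH:
            reasons.append("no incremental update has ever completed")
        if reasons:
            findings[a.peer] = reasons
    return findings


if __name__ == "__main__":
    for peer, reasons in audit_agreements(parse_replica_list(SAMPLE_OUTPUT)).items():
        for reason in reasons:
            print(f"{peer}: {reason}")
```

Feed it the real output with `ipa-replica-manage -v list $(hostname) | python3 audit.py` after replacing the sample, or run it as-is against the constructed sample; the same format is printed by `ipa-csreplica-manage -v list` for the CA suffix.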
Issue with SCEP enrollment to sub-CA
by Trevor Vaughan
Hi All,
I have a setup where I have a root CA and a sub CA and the sub CA is set up
with a KRA and SCEP enabled.
I've fired up certmonger and added the SCEP CA.
When I attempt to request a certificate, the enrollment completes
successfully per the Dogtag side of the equation but the response from the
server cannot be decrypted by the client and I get the following error in
the certmonger debug log:
2018-01-29 23:56:43 [5396] Child output:
"Error: failed to verify signature on server response.
"
2018-01-29 23:56:43 [5396] Error: failed to verify signature on server
response.
The following commands were used for server addition and certificate
registration.
getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
Looking at the certmonger code, it looks like it is completely skipping all
of the case statements and simply dropping down to the 'goto:'
https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
I've tried recompiling certmonger with some debug statements but I haven't
managed to suss out what's going on. If someone could tell me how to print
the actual response from the server, it would be appreciated.
It certainly feels like the SCEP support has taken a back seat to the CMC
features but the CMC features just aren't ready to replace SCEP at this
time and, of course, can't support a lot of hardware requirements.
Any help is appreciated.
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
6 years, 2 months
Certificates not renewed till 2 hours before expiring
by Christof Schulze
Hi,
some certificates on our FreeIPA cluster (3 servers) have not been renewed yet, 2 hours before expiring. Can this be a problem?
Some of the certificates, the ones expiring, show "ca-error: Invalid cookie: ''" in the "getcert list" output, which makes me nervous.
We also have the problem that certmonger cannot reach the CA (CA_UNREACHABLE) after restarting a FreeIPA server. But when we restart certmonger.service after everything is up again, everything looks good.
Maybe you can give me some advice on what to check and which other logs you would need.
Thanks
Christof Schulze
--
Christof Schulze
Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany
Tel: 0911/65078-65069
Email: christof.schulze(a)ww.uni-erlangen.de
6 years, 2 months
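As an added example (not part of the post above, and not certmonger's or FreeIPA's own code), the check below parses `getcert list` output and reports every tracking request that is not in MONITORING state, carries a ca-error, has already expired, or expires within a chosen window. This is the kind of check to run from cron on each IPA server so a renewal that is silently failing is noticed well before the certificate lapses. The sample output is constructed with abbreviated fields; the nicknames, paths and dates are placeholders, and the 7-day window is an assumption for the example, not a certmonger default.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `getcert list` output (fields abbreviated);
# nicknames, paths and dates are placeholders, not taken from a real server.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20170201120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa1.example.com,O=EXAMPLE.COM
\texpires: 2018-03-15 12:00:00 UTC
Request ID '20170201120001':
\tstatus: CA_UNREACHABLE
\tca-error: Invalid cookie: ''
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa1.example.com,O=EXAMPLE.COM
\texpires: 2018-02-01 14:00:00 UTC
Request ID '20170201120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2018-01-30 09:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
# Window to alarm on. An assumption for this example, not a certmonger default.
WARN_WINDOW = timedelta(days=7)
# Fixed "now" so the sample evaluates deterministically; use datetime.now(timezone.utc) in production.
SAMPLE_NOW = datetime(2018, 1, 31, 12, 0, tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ": " not in line:
            continue
        key, value = line.split(": ", 1)  # "ca-error: Invalid cookie: ''" keeps its inner colon
        current[key] = value
    return requests


def audit_getcert(text: str, now: datetime,
                  warn_window: timedelta = WARN_WINDOW) -> List[Tuple[str, str, str]]:
    """Return (request_id, subject, reason) for every request that needs attention."""
    problems: List[Tuple[str, str, str]] = []
    for req in parse_getcert_list(text):
        rid, subject = req["request_id"], req.get("subject", "?")
        status = req.get("status", "?")
        if status != "MONITORING":
            problems.append((rid, subject, f"status is {status}"))
        if "ca-error" in req:
            problems.append((rid, subject, f"ca-error: {req['ca-error']}"))
        if "expires" in req:
            expires = datetime.strptime(req["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            remaining = expires - now
            if remaining <= timedelta(0):
                problems.append((rid, subject, "certificate has expired"))
            elif remaining <= warn_window:
                hours = remaining.total_seconds() / 3600
                problems.append((rid, subject, f"expires in {hours:.1f} hours and is still not renewed"))
    return problems


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample at the fixed sample time."""
    return audit_getcert(SAMPLE_GETCERT, SAMPLE_NOW)


if __name__ == "__main__":
    for rid, subject, reason in audit_sample():
        print(f"{rid} {subject}: {reason}")
```

Against a live server replace the sample with the output of `getcert list` and `SAMPLE_NOW` with `datetime.now(timezone.utc)`; a non-empty result is what to alert on. Note that a request in CA_UNREACHABLE state is retried by certmonger, but a stale ca-error on a certificate that is hours from expiry is exactly the situation the post describes and deserves a manual `getcert resubmit -i <request id>` after the cause is found.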
Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed
by TomK
Hey All,
I'm wondering if anyone came across this error below. We have two RHEL
7.4 servers with SSSD 1.15.2: http-srv01 and http-srv02
Both connect to the same AD DC host below: addc-srv03.addom.com.
Verified krb5.conf and sssd.conf both are identical. We can login on
the http-srv01 and can list all groups for an AD account.
On http-srv02 we cannot login and any group listing from the CLI results
only in the user's local groups. No AD groups.
Logs give us the output below. Short of adding in the entire log which
I might not be able to do till the end of the week, what could we look
at to resolve this?
There's very little available online on this error. The RH solution
doesn't make sense since the first host connects and authenticates users
just fine so it's definitely GC enabled.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
samba-libs-4.6.2-12.el7_4.x86_64
samba-client-libs-4.6.2-12.el7_4.x86_64
sssd-1.15.2-50.el7_4.6.x86_64
openldap-2.4.44-5.el7.x86_64
sssd-ldap-1.15.2-50.el7_4.6.x86_64
sssd-common-pac-1.15.2-50.el7_4.6.x86_64
samba-winbind-clients-4.6.2-12.el7_4.x86_64
samba-common-4.6.2-12.el7_4.noarch
sssd-client-1.15.2-50.el7_4.6.x86_64
sssd-proxy-1.15.2-50.el7_4.6.x86_64
samba-winbind-modules-4.6.2-12.el7_4.x86_64
python-sssdconfig-1.15.2-50.el7_4.6.noarch
sssd-ipa-1.15.2-50.el7_4.6.x86_64
samba-common-libs-4.6.2-12.el7_4.x86_64
sssd-krb5-common-1.15.2-50.el7_4.6.x86_64
samba-winbind-4.6.2-12.el7_4.x86_64
sssd-krb5-1.15.2-50.el7_4.6.x86_64
sssd-ad-1.15.2-50.el7_4.6.x86_64
sssd-common-1.15.2-50.el7_4.6.x86_64
samba-common-tools-4.6.2-12.el7_4.x86_64
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_dispatch] (0x4000): dbus conn: 0x55b2e22e8700
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=unix-admin-group@addom]
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sss_domain_get_state] (0x1000): Domain ADDOM is Active
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sss_domain_get_state] (0x1000): Domain ADDOM is Active
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_server_status] (0x1000): Status of server 'addc-srv03.addom.com' is 'working'
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000): Port status of port 0 for server 'addc-srv03.addom.com' is 'not working'
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_done] (0x0400): Failed to connect to server, but ignore mark offline is enabled.
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 [Input/output error]
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [_dp_req_recv] (0x0400): DP Request [Account #4]: Receiving request data.
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #4]: Finished. Success.
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_req_reply_std] (0x1000): DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::ADDOM:name=unix-admin-group@addom] from reply
6 years, 2 months
How to recover from "split brain"
by Rob Brown
I have 4 IPA servers, all masters, that were previously configured in a
"full mesh" replication.
2 in "prod", 2 in "preprod".
While trying to fix a replication issue, I accidentally did a:
ipa-replica-manage del
on one of the prod servers for BOTH preprod servers.
Now, the prod servers don't "see" either of the preprod servers, so I
effectively created a "split-brain" between the 2 environments. Preprod
still "knows about" the prod ipa servers, but I can't figure out how to
re-establish the replication agreements.
I was about to just blow away the preprod servers and rebuild them (which I
did before on one of them) but noticed one of them has the "KRA" role, and
it is the only one in the domain that has it.
I don't know what that does, or what the effects would be if it went away.
I'm guessing bad.
I have tried "ipa topologysegment-reinitialize domain" on the segments that
preprod still has, but those segments did not show up in prod.
ipa topologysuffix-verify domain says "in order" everywhere.
At this point I am completely lost on how to proceed.
What details can I provide for any help anyone is willing to provide?
6 years, 2 months
Host certificates association across IPA servers
by David Harvey
Dear ipa-users,
I've recently observed a pattern where adding a host certificate to a host
only shows the association in the GUI for the server which issues the cert.
I'm running FreeIPA 4.4.4.
I request a certificate from the host(s) in question with something like:
ipa-getcert request -f /path -k /path -r
All IPA servers show the cert as being issued and valid on the certificates
page.
Visiting https://myserver/ipa/ui/#/e/host/details/hostname.fqdn shows a
host certificate from the machine that issued the cert.
Visiting the same host page from other IPA servers does not show the host
cert associated.
Users and hosts continue to synchronise, as do other cert details!
I can manually associate the host to the cert on other servers using the "add"
button in the Host certificate section of the host page, but this feels
wrong.
Any ideas on how to troubleshoot this? It feels like the CAs don't quite
get which one is in charge, and could be a result of me tearing down the
original ubuntu based ones to replace with fedora, or a mistake I have made
whilst doing so.
Any advice appreciated,
David
6 years, 2 months
Announcing freeIPA 4.6.3
by Rob Crittenden
The FreeIPA team would like to announce FreeIPA 4.6.3 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 27 will be available in the official COPR repository [1].
== Highlights in 4.6.3 ==
=== Bug fixes ===
FreeIPA 4.6.3 is a stabilization release for the features delivered as a
part of 4.6.0.
There are more than 31 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on the Upgrade [2] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7253 Custodia keys are not removed on uninstall
* 7381 Drop PyOpenSSL requirement
* 7373 "An internal error has occurred" show up when trying to add a
user to the Member User table in Vault.
* 7350 ObjectclassViolation seen while adding idview with
domain-resolution-order option.
* 7341 nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF (
--dirsrv-config-file )
* 7338 FreeIPA server install/upgrade does not process schema.d/ files
correctly
* 7333 Need to document kinit_lifetime in /etc/ipa/default.conf
* 7318 Cannot uninstall ipaserver after fresh install - {'desc': "Can't
contact LDAP server", 'errno': 111, 'info': 'Connection refused'}
* 7315 Packaging: use pylint 1.7.5 and remove disable for import stat
* 7312 Turn installutils.set_directive() into a context manager
* 7288 set_directive can overwrite wrong directives
* 7280 CA less IPA install with external certificates fails on RHEL 7 in
FIPS mode
* 7276 ipatest: automation for pagure ticket 7174
* 7265 test_vault: increase WAIT_AFTER_ARCHIVE
* 7264 IPA trust-add internal error (expected security.dom_sid got None)
* 7250 Spelling error in ipa-replica-conncheck man page
* 7247 ipa-backup does not backup Custodia keys and files
* 7237 ipa-getkeytab man page should have more details about
consequences of krb5 key renewal
* 7231 ipa-restore broken with python2
* 7227 389-ds-base crashed as part of ipa-server-intall in ipa-uuid
* 7223 show REPLICA_FILE as optional when ipa-ca-install is executed
with --help
* 7221 Replica installation at domain-level 0 fails against upgraded
ipa-server
* 7220 Third KRA installation in topology fails
* 7202 IPA User Details not being displayed in WebUI
* 7182 ca_less testcase fixes
* 7174 ipa-replica-install might fail because of an already existing
entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFI
* 7169 domain resolution order field in Identity->ID Views->Settings tab
missing in WebUI
* 7168 IPA failing to authenticate via password+OTP on RHEL7.4 with fips
enabled
* 7161 ipaplatform module import error in 4.5 branch on f26 causing
server installation failure
* 7145 ca_certfile is not honored on API requests
* 7111 Incorrect attribute level rights (ipaallowedtoperform) of service
object
* 7016 ipa_server_certinstall - restart krb5kdc service after kdc cert
is installed
* 6968 Consider moving upgrades from rpm install post
* 6703 Enable ephemeral KRA requests
* 6666 Unable to re-add broken AD trust - Unexpected Information received
* 6611 Second phase of --external-ca ipa-server-install setup fails when
dirsrv is not running
* 6371 host-find slowness caused by missing host attributes in index
* 6091 [CI test]: improve DNS locations test
* 5801 ipa-server-install: error: option --forwarder: invalid IP address
127.0.0.11: cannot use loopback IP address when using Docker embedded
DNS server
== Detailed changelog since 4.6.2 ==
=== Alexander Bokovoy (13) ===
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
* dsinstance: Restore context after changing dse.ldif
=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks
=== Alexander Koksharov (2) ===
* ensuring 389-ds plugins are enabled after install
* kra-install: better warning message
=== amitkuma (2) ===
* Custom ca-subject logging
* Documenting kinit_lifetime in /etc/ipa/default.conf
=== Aleksei Slaikovskii (9) ===
* test_backup_and_restore.py AssertionError fix
* ipalib/frontend.py output_for_cli loops optimization
* View plugin/command help in pager
* ipa-restore: Set umask to 0022 while restoring
* Prevent installation with single label domains
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install
=== Christian Heimes (58) ===
* Remove unused PyOpenSSL from spec file
* Give ODS socket a bit of time
* Require dbus-python on F27
* Fix pylint error in ipapython/dn.py
* Lower python-ldap requirement for F27
* ipa-run-tests: make --ignore absolute, too
* Sort external schema files
* LGTM: unnecessary else in for loop
* LGTM: Use explicit string concatenation
* LGTM: raise handle_not_found()
* LGTM: Fix multiple use before assignment
* LGTM: Remove redundant assignment
* LGTM: Fix exception in permission_del
* LGTM: Membership test with a non-container
* LGTM: Name unused variable in loop
* LGTM: Use of exit() or quit()
* LGTM: Silence unmatchable dollar
* Make fastlint even faster
* ipa-run-tests: replace chdir with plugin
* Include ipa_krb5.h without util prefix
* Custodia uninstall: Don't fail when LDAP is down
* Require python-ldap 3.0.0b2
* Use pylint 1.7.5 with fix for bad python3 import
* Vault: Add argument checks to encrypt/decrypt
* Fix pylint warnings inconsistent-return-statements
* Travis: Add workaround for missing IPv6 support
* Replace nose with unittest and pytest
* Add safe DirectiveSetter context manager
* More log in verbs
* Address more 'to login'
* Fix grammar error: Log out
* Fix grammar in login screen
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* NSSDB: use preferred convert command
* Skip test_rpcclient_context in client tests
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* Require UTF-8 fs encoding
* libotp: add libraries after objects
* Run tox tests for PyPI packages on Travis
* Support sqlite NSSDB
* Py3: Fix vault tests
* Test script for ipa-custodia
* ipa-custodia: use Dogtag's alias/pwdfile.txt
* Use namespace-aware meta importer for ipaplatform
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi
=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly
=== Felipe Barreto (12) ===
* Fixing vault-add-member to be compatible with py3
* Fixing test_backup_and_restore assert to do not rely on the order
* Fixing test_testconfig with proper asserts
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
* Checks if Dir Server is installed and running before IPA installation
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica
=== François Cami (1) ===
* 10-config.update: remove nsslapd-sasl-max-buffer-size override as
https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389
Directory Server.
=== Florence Blanc-Renaud (16) ===
* test_integration: backup custodia conf and keys
* Idviews: fix objectclass violation on idview-add
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-replica-install when key not protected by PIN
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
* Fix ipa-server-upgrade with server cert tracking
* Python3: Fix winsync replication agreement
* Fix ipa config-mod --ca-renewal-master
=== Fraser Tweedale (32) ===
* Don't use admin cert during KRA installation
* Add uniqueness constraint on CA ACL name
* Add tests for installutils.set_directive
* installutils: refactor set_directive
* pep8: reduce line lengths in CAInstance.__enable_crl_publish
* Prevent set_directive from clobbering other keys
* install: report CA Subject DN and subject base to be used
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Re-enable some KRA installation tests
* Use correct version of Python in RPM scripts
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* Add missing space in ipa-replica-conncheck error
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
* ipa-pki-retrieve-key: ensure we do not crash
* issue_server_cert: avoid application of str to bytes
=== John Morris (1) ===
* Increase dbus client timeouts during CA install
=== Martin Basti (1) ===
* py3: set samba dependencies
=== Michal Reznik (23) ===
* test_caless: add SAN extension to other certs
* prci: run full external_ca test suite
* tests: move CA related modules to pytest_plugins
* test_external_ca: selfsigned->ext_ca->selfsigned
* test_tasks: add sign_ca_and_transport() function
* paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
* test_caless: test PKINIT install and anchor update
* test_renewal_master: add ipa csreplica-manage test
* test_cert_plugin: check if SAN is added with default profile
* test_help: test "help" command without cache
* test_x509: test very long OID
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* test_forced_client: decode get_file_contents() result
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography
=== Mohammad Rizwan Yusuf (1) ===
* ipatest: replica install with existing entry on master
=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection
=== Petr Vobornik (1) ===
* browser config: cleanup after removal of Firefox extension
=== Pavel Vomacka (16) ===
* WebUI: make keytab tables on service and host pages writable
* Include npm related files into Makefile and .gitignore
* Update jsl.conf in tests subfolder
* Edit TravisCI conf files to run WebUI unit tests
* Update README about WebUI unit tests
* Update tests
* Create symlink to qunit.js
* Update jsl to not warn about module in Gruntfile
* Add Gruntfile and package.json to ui directory
* Update QUnit CSS file to 2.4.1
* Update qunit.js to version 2.4.1
* Extend ui_driver to support geckodriver log_path
* WebUI: make Domain Resolution Order writable
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing
=== Rob Crittenden (13) ===
* Log contents of files created or modified by IPAChangeConf
* Don't manually generate default.conf in server, use IPAChangeConf
* Enable ephemeral KRA requests
* Make the path to CS.cfg a class variable
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
* Add exec to /var/lib/ipa/sysrestore for install status inquiries
* Use TLS for the cert-find operation
=== Robbie Harwood (1) ===
* ipa-kdb: support KDB DAL version 7.0
=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Stanislav Laznicka (53) ===
* replica_prepare: Remove the correct NSS DB files
* Add a helpful comment to ca.py:install_check()
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* travis: pep8 changes to pycodestyle
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions
* rpc: don't decode cookie_string if it's None
* Don't write p11-kit EKU extension object if no EKU
* pylint: fix missing module
* travis: run the same tests in python2/3
* certmap testing: fix wrong cert construction
* ldap2: don't use decode() on str instance
* client: fix retrieving certs from HTTP
* uninstall: remove deprecation warning
* ldif: handle attribute names as strings
* pkinit: don't fail when no pkinit servers found
* pkinit: fix sorting dictionaries
* travis: remove "fast" from "makecache fast"
* Change Travis CI container to FreeIPA-owned
* Change the requirements for pylint in wheel
* rpcserver: don't call xmlserver.Command
* secrets: disable relative-imports for custodia
* pylint: disable __hash__ for some classes
* install.util: disable no-value-for-parameter
* pylint: make unsupported-assignment-operation check local
* sudocmd: fix unsupported assignment
* pylint: Iterate through dictionaries
* parameters: convert Decimal.precision to int
* dcerpc: disable unbalanced-tuple-unpacking
* dcerpc: refactor assess_dcerpc_exception
* pylint: fix no-member in schema plugin
* csrgen: fix incorrect codec for pyasn BitString
* pylint: fix not-context-manager false positives
* travis: temporary workaround for Travis CI
* Travis: archive logs of py3 jobs
=== Thierry Bordaz (1) ===
* 389-ds-base crashed as part of ipa-server-intall in ipa-uuid
=== Tomas Krizek (17) ===
* prci: bump ci-master-f27 template to 1.0.2
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* spec: bump python-pyasn1 to 0.3.2-2
* prci: use f26 template for master
* VERSION: set 4.6 git snapshot
* Contributors.txt: update
=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to
api_env var.
[1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/
[2] https://www.freeipa.org/page/Upgrade
6 years, 2 months
certmonger .service fail to start
by barrykfl@gmail.com
Auto reboot failed. I just tried to start certmonger.service manually and it still fails:
sudo systemctl -f start certmonger.service
Jan 30 11:03:01 dbus[537]: [system] Activating systemd to h
Jan 30 11:03:01 dbus-daemon[537]: dbus[537]: [system] Activ
Jan 30 11:03:13 systemd-logind[2922]: Failed to enable subs
Jan 30 11:03:13 systemd-logind[2922]: Failed to fully start
Jan 30 11:03:13 dbus[537]: [system] Failed to activate serv
Jan 30 11:03:13 systemd[1]: systemd-logind.service: main pr
Jan 30 11:03:13 dbus-daemon[537]: dbus[537]: [system] Faile
Jan 30 11:03:13 systemd[1]: Failed to start Login Service.
/usr/lib/polkit-1/polkitd
10:59:23.458: Loading rules from directory /etc/polkit-1/rules.d
10:59:23.458: Loading rules from directory /usr/share/polkit-1/rules.d
10:59:23.461: Finished loading, compiling and executing 7 rules
Entering main event loop
Connected to the system bus
10:59:23.463: Acquired the name org.freedesktop.PolicyKit1 on the system bus
11:00:28.891: Registered Authentication Agent for unix-process:2388:46107 (system bus name :1.55 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
11:01:58.994: Unregistered Authentication Agent for unix-process:2388:46107 (system bus name :1.55, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Any idea? It's already not a cluster, just a single server; every systemctl command fails and login is slow.
6 years, 2 months
Home directory not being created in log in
by Kristian Petersen
I am trying to set up a workstation running RHEL 7 with the Gnome graphical
environment. I have enrolled this machine as a client in IPA using the
--mkhomedir flag; however, the home directory is not being created when I
log in. Because the home directory doesn't get created at login, GDM kicks
me back out to the login screen after authenticating properly. I also ran
authconfig --mkhomedir update. Thoughts?
--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
6 years, 2 months
Howto renew certificates with external CA?
by Harald Husemann
Hello IPA-experts,
we are running FreeIPA version 4.4.0 with an external CA (our own one);
everything was working fine until the CA certificate expired, which
happened on January 13th.
Since I was on vacation and the basic functions were still available,
no one created a new certificate, so it's now my task.
As explained in
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal, I've reset
the time to January 10th, created a new certificate which is valid from
2017 to 2023, and installed it with ipa-cacert-manage.
Afterwards, I did an ipa-certupdate; the server certificates were
updated and the cert8.db in /etc/httpd/alias contains the new valid CA.
But the expiration date of the certificate itself is still January
13th, so the certificate is still expired:
root@mat-ipa-master-1:~$ /usr/bin/certutil -d /etc/httpd/alias -L -n "MATERNA-COM.DE IPA CA"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 36 (0x24)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "E=oc-ca(a)materna.de,CN=Materna OC CA,OU=OC RZ,O=Materna GmbH,L=Dortmund,ST=NRW,C=DE"
Validity:
Not Before: Mon Jan 23 14:45:00 2017
Not After : Mon Jan 23 14:45:00 2023
Subject: "CN=Certificate Authority,O=MATERNA-COM.DE"
(...)
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
Object Signing Flags:
Valid CA
Trusted CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 23 (0x17)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "E=oc-ca(a)materna.de,CN=Materna OC CA,OU=OC RZ,O=Materna GmbH,L=Dortmund,ST=NRW,C=DE"
Validity:
Not Before: Fri Jan 13 14:45:00 2017
Not After : Sat Jan 13 14:45:00 2018
Subject: "CN=Certificate Authority,O=MATERNA-COM.DE"
(...)
root@mat-ipa-master-1:~$
I have only checked this one, but I'd suppose the others are also not
updated. AFAIK certmonger is responsible for the renewal, so I've restarted
it and hoped it would grab my certificate and renew it, but it seems
there is a problem; journalctl -u certmonger gives
Jan 24 11:22:43 mat-ipa-master-1.materna-com.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Jan 24 11:22:44 mat-ipa-master-1.materna-com.de systemd[1]: Started Certificate monitoring and PKI enrollment.
Jan 24 11:22:48 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:48 [1026] Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MATERNA-COM.DE'.
Jan 24 11:22:48 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:48 [1026] Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MATERNA-COM.DE'.
Jan 24 11:22:58 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:58 [1026] Error 7 connecting to https://mat-ipa-master-1.materna-com.de:8443/ca/agent/ca/profileReview: Couldn't connect to server.
Jan 24 11:23:00 mat-ipa-master-1.materna-com.de dogtag-ipa-ca-renew-agent-submit[2282]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 490, in main
    ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1314, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'MA
Jan 24 11:23:00 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:23:00 [1026] Internal error
Any help is greatly appreciated since I'm stuck here... If it helps, I
have a clean backup of the IPA master which was written yesterday
evening, so, I can use this one to "start over" if I've already mixed up
things.
Thanks and kind regards from Germany,
Harald
6 years, 2 months
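As an added example (not from the post above and not part of NSS or FreeIPA), the script below parses the `certutil -L -n <nickname>` output format shown in the post, where two certificates sit under one nickname after a renewal, and reports which of them is valid at a given time. That is the first thing to establish in a situation like this one: whether a currently valid certificate exists under the nickname at all, or whether only the expired one is being picked up. The sample input is constructed with placeholder names and the same two validity periods as in the post; certutil prints no time zone, so the times are treated as UTC, which is an assumption.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample modelled on the `certutil -L -n <nickname>` output in the
# post above: two certificates stored under one nickname, one still valid and
# one expired. Names, serials and dates are placeholders.
SAMPLE_CERTUTIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 36 (0x24)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=External Root CA,O=Example Corp,C=DE"
        Validity:
            Not Before: Mon Jan 23 14:45:00 2017
            Not After : Mon Jan 23 14:45:00 2023
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=External Root CA,O=Example Corp,C=DE"
        Validity:
            Not Before: Fri Jan 13 14:45:00 2017
            Not After : Sat Jan 13 14:45:00 2018
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
"""

# certutil prints validity times without a zone; they are treated as UTC here (assumption).
TIME_FMT = "%a %b %d %H:%M:%S %Y"
FIELD_RE = re.compile(r"^(Serial Number|Issuer|Subject|Not Before|Not After)\s*:\s*(.*)$")
# Fixed evaluation time matching the post's journal timestamps; use datetime.now(timezone.utc) live.
SAMPLE_NOW = datetime(2018, 1, 24, 11, 22, tzinfo=timezone.utc)


def parse_certutil_list(text: str) -> List[Dict[str, object]]:
    """Return one dict per 'Certificate:' block with serial, names and parsed validity."""
    certs: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Certificate:":
            current = {}
            certs.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in ("Not Before", "Not After"):
            normalized = re.sub(r"\s+", " ", value)  # certutil pads single-digit days
            current[key] = datetime.strptime(normalized, TIME_FMT).replace(tzinfo=timezone.utc)
        elif key == "Serial Number":
            current[key] = int(value.split()[0])  # "36 (0x24)" -> 36
        else:
            current[key] = value
    return certs


def validity_report(certs: List[Dict[str, object]], now: datetime) -> Dict[int, str]:
    """Map each serial under the nickname to 'valid', 'expired' or 'not yet valid' at `now`."""
    report: Dict[int, str] = {}
    for c in certs:
        if now < c["Not Before"]:
            state = "not yet valid"
        elif now > c["Not After"]:
            state = "expired"
        else:
            state = "valid"
        report[c["Serial Number"]] = state
    return report


def has_valid_cert(certs: List[Dict[str, object]], now: datetime) -> bool:
    """True if at least one certificate under the nickname is valid at `now`."""
    return any(state == "valid" for state in validity_report(certs, now).values())


if __name__ == "__main__":
    parsed = parse_certutil_list(SAMPLE_CERTUTIL)
    for serial, state in validity_report(parsed, SAMPLE_NOW).items():
        print(f"serial {serial}: {state}")
    print("valid certificate present:", has_valid_cert(parsed, SAMPLE_NOW))
```

Run it against a live database with `certutil -d /etc/httpd/alias -L -n "<nickname>"` piped in place of the sample. A report that shows the new certificate as valid while the service still presents the expired one points at the consumer (which copy NSS selects for the nickname, or another database such as the Dogtag alias directory) rather than at the renewal itself; a report with no valid entry means the renewal never landed in this database.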