Problems with KeyRetrieverClass when setting up replica with CA
by Aljaž Srebrnič
Hello!
Yesterday I tried migrating a physical machine (ipa1) that was a FreeIPA CA CRL master into my VM cluster. I followed the guide at [1] to migrate the CRL master to another replica (ipa2) and uninstalled the replica ipa1. Then I set up a VM with the same hostname and IP address as the physical machine, and installed Fedora 27.
When I tried setting up the replica with CA, the install stopped at:
[4/25]: configuring certificate server instance
And in my /var/log/pki/pki-tomcat/ca/debug I see a bunch of log entries like this, with increasing time stamps:
Unable to read key retriever class from CS.cfg: Property features.authority.keyRetrieverClass missing value
Retrying in 14778 seconds
I checked the /etc/pki/pki-tomcat/ca/CS.cfg file and I don’t actually have that entry at all, I only have:
features.authority.description=Lightweight CAs
features.authority.enabled=true
features.authority.version=1.0
However, if I manually add them by copying the value from the good replica, nothing changes and the installer is still blocked on that line (maybe the CS.cfg file isn’t re-read on each retry).
Moreover, it looks like that file (CS.cfg) is generated by the installer script…
How can I solve this?
Thanks,
Aljaž
[1]: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#P...
--
Aljaž Srebrnič a.k.a g5pw
My public key: https://g5pw.me/key
Key fingerprint = 2109 8131 60CA 01AF 75EC 01BF E140 E1EE A54E E677
6 years, 2 months
How to re-initialize replication
by William Muriithi
Hello,
I shot myself in the foot the other day by keeping one of the IPA
servers down too long during redundancy testing. Now it can't sync
with the peer. Luckily, it's not the cert server, so I am suspecting I
can get it working by reinitializing it. However, that isn't working,
and I am getting the error below.
[root@hydrogen ~]# ipa-replica-manage re-initialize --from
lithium.eng.example.com
[ldaps://lithium.eng.example.com:636] reports: Update failed! Status:
[2 Replication error acquiring replica: excessive clock skew]
Now, before I make further changes, I am wondering if someone has faced
this problem before and what the next step would be. According to Google,
this seems to be my only solution, but it looks a bit scary.
http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-t...
Would there be any other better option from your experience?
[15/Jan/2018:07:27:58.296415297 -0500] - INFO - slapd_daemon -
Listening on All Interfaces port 636 for LDAPS requests
[15/Jan/2018:07:27:58.296988661 -0500] - INFO - slapd_daemon -
Listening on /var/run/slapd-ENG-EXAMPLE-COM.socket for LDAPI requests
[15/Jan/2018:07:28:02.794968170 -0500] - ERR - csngen_adjust_time -
Adjustment limit exceeded; value - 7568166, limit - 86400
[15/Jan/2018:07:28:02.796095907 -0500] - ERR - NSMMReplicationPlugin -
repl5_inc_run - agmt="cn=meTolithium.eng.example.com" (lithium:389):
Fatal error - too much time skew between replicas!
[15/Jan/2018:07:28:02.799804827 -0500] - ERR - NSMMReplicationPlugin -
repl5_inc_run - agmt="cn=meTolithium.eng.example.com" (lithium:389):
Incremental update failed and requires administrator action
[15/Jan/2018:07:28:03.400808361 -0500] - ERR - schema-compat-plugin -
warning: no entries set up under cn=computers,
cn=compat,dc=eng,dc=example,dc=com
[15/Jan/2018:07:28:03.401704265 -0500] - ERR - schema-compat-plugin -
Finished plugin initialization.
[15/Jan/2018:07:28:25.023819558 -0500] - ERR - csngen_adjust_time -
Adjustment limit exceeded; value - 7568268, limit - 86400
[15/Jan/2018:07:28:25.025929954 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=28 op=5
repl="dc=eng,dc=example,dc=com": Excessive clock skew from supplier
RUV
[15/Jan/2018:07:28:25.026528807 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=28 op=5
replica="dc=eng,dc=example,dc=com": Unable to acquire replica: error:
excessive clock skew
[15/Jan/2018:07:28:25.107953782 -0500] - ERR - csngen_adjust_time -
Adjustment limit exceeded; value - 7568269, limit - 86400
[15/Jan/2018:07:28:25.137884951 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=29 op=5
repl="dc=eng,dc=example,dc=com": Excessive clock skew from supplier
RUV
[15/Jan/2018:07:28:25.138620189 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=29 op=5
replica="dc=eng,dc=example,dc=com": Unable to acquire replica: error:
excessive clock skew
[15/Jan/2018:07:28:25.204301158 -0500] - ERR - csngen_adjust_time -
Adjustment limit exceeded; value - 7568270, limit - 86400
[15/Jan/2018:07:28:25.205578413 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=30 op=5
repl="dc=eng,dc=example,dc=com": Excessive clock skew from supplier
RUV
[15/Jan/2018:07:28:25.206115922 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=30 op=5
replica="dc=eng,dc=example,dc=com": Unable to acquire replica: error:
excessive clock skew
Regards,
William
6 years, 2 months
setting sudo rule for root
by Kat
Trying to set up a sudo rule for a small group of users to have "sudo su
-" on all hosts, and then use !authenticate, but I can't seem to make it
work. Any docs on doing this?
thanks
K
6 years, 2 months
Centos7.4: users not seeing password expired notifications
by Johan Vermeulen
Hello All,
We run some 200 CentOS 7/MATE laptops; since last year they authenticate
against FreeIPA.
Lightdm/MATE are installed using the EPEL repo.
On CentOS 7.3/Lightdm 1.10.6-4.el7 things were all right: when a password
expired, users would get the password expired field, the "new password" field
and warnings if they made a mistake.
Since upgrading to CentOS 7.4/Lightdm 1.25.0-1.el7 things go terribly wrong.
Users very often get no warning if a password expired, just an
authentication failure.
Or they get no message at all.
If at that point you go to a tty and log in, you do get the warnings on
the command line.
The log files (/var/log/secure) also give clear password expired messages;
only the user sees nothing.
This is a big problem because users cannot log in and cannot work without
intervention.
Many thanks for any help.
Greetings, J.
6 years, 2 months
help: Enrolled a FreeIPA client but unable to login to it via SSH
by Aravindh Sampathkumar
Hello list.
I'm a new user of FreeIPA trying to use it to manage SSH user
authentication in a cluster of CentOS machines.
I built a server dedicated to run FreeIPA server and have successfully
set it up. I'm able to get the web UI from it, and everything seems as
expected based on the docs.
I tried to enroll a CentOS 7 client to the new FreeIPA server so that I
can login to this client via SSH using the user accounts I created on
the FreeIPA server. This is where I hit a roadblock. The freeipa-client
install went as per the docs, but I'm unable to login via SSH.
Note:
My FreeIPA server is in a different domain than the client, and the
server and client are served by different DNS servers.
FreeIPA server: freeipa1.nghpc.dk
served by a DNS server ns1.nghpc.dk
resolves to an internal ip address 10.x.x.x
reverse lookup is also successful.
FreeIPA client: c10b01.ctrl.ghpc.dk
served by a DNS server dns.ghpc.dk
resolves to an internal ip address 10.x.x.x
reverse lookup is successful.
Added an additional DNS A record to the freeipa server and the client
can successfully resolve freeipa1.nghpc.dk
Trying to login to the newly enrolled client:
localmachine > ssh admin@c10b01
Password:
Password:
Password:
It keeps repeating the password prompts in spite of supplying the
correct password. No meaningful errors thrown either.
On the client, here is what the krb5.conf looks like:
cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NGHPC.DK
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NGHPC.DK = {
kdc = freeipa1.nghpc.dk:88
master_kdc = freeipa1.nghpc.dk:88
admin_server = freeipa1.nghpc.dk:749
kpasswd_server = freeipa1.nghpc.dk:464
default_domain = nghpc.dk
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.nghpc.dk = NGHPC.DK
nghpc.dk = NGHPC.DK
c10b01.ctrl.ghpc.dk = NGHPC.DK
.ctrl.ghpc.dk = NGHPC.DK
ctrl.ghpc.dk = NGHPC.DK
I do not see any errors in any of the logs at /var/log/ and
/var/log/sssd/.
However, if I'm logged in as root on the client box, I can see that the
users I created on FreeIPA exist and are accessible.
[root@c10b01 ~]# id nasampath
uid=29756(nasampath) gid=1517 groups=1517
[root@c10b01 ~]# id admin
uid=1768600000(admin) gid=1768600000(admins) groups=1768600000(admins)
I can su into them fine, but not log in as them over SSH.
I'm lost trying to troubleshoot this. Appreciate any help figuring out
where to look to understand what is going on.
Thanks,
--
Aravindh Sampathkumar
aravindh(a)fastmail.com
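A way to check which realm the posted [domain_realm] section maps a host name to, following MIT krb5's lookup order (exact host entry first, then parent domains with a leading dot, then default_realm once no entry matches and dns_lookup_realm is false). This is an added example, not FreeIPA or krb5 code; KRB5_CONF is the posted file trimmed to the sections the parser reads, and any host name not in the post is made up.

```python
"""Resolve a host name to a Kerberos realm the way MIT krb5 walks the
[domain_realm] section: exact host entry, then each parent domain with
a leading dot, then default_realm when nothing matched and
dns_lookup_realm is false (as in the posted config).

Added example, not FreeIPA or MIT krb5 code."""
import re
from typing import Dict, Optional, Tuple

# The posted /etc/krb5.conf, trimmed to the sections this parser reads.
KRB5_CONF = """\
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
[libdefaults]
 default_realm = NGHPC.DK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 dns_canonicalize_hostname = false
[realms]
 NGHPC.DK = {
  kdc = freeipa1.nghpc.dk:88
  admin_server = freeipa1.nghpc.dk:749
 }
[domain_realm]
 .nghpc.dk = NGHPC.DK
 nghpc.dk = NGHPC.DK
 c10b01.ctrl.ghpc.dk = NGHPC.DK
 .ctrl.ghpc.dk = NGHPC.DK
 ctrl.ghpc.dk = NGHPC.DK
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Collect flat 'key = value' pairs per section.  Nested '{ }' blocks
    (the per-realm block in [realms]) are skipped; that is enough for the
    [libdefaults] and [domain_realm] keys this check needs."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("{", "}"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # includedir and similar directives
        key, _, value = line.partition("=")
        if value.strip() == "{":  # opening of a nested block such as NGHPC.DK = {
            continue
        current[key.strip().lower()] = value.strip()
    return sections


def realm_for_host(domain_realm: Dict[str, str], host: str,
                   default_realm: Optional[str]) -> Tuple[Optional[str], str]:
    """Return (realm, rule) where rule names the entry that decided it."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host], f"exact entry '{host}'"
    labels = host.split(".")
    # With dns_canonicalize_hostname = false a short name is used as given,
    # so "c10b01" has no parent domain to try and ends at default_realm.
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent], f"parent-domain entry '{parent}'"
    if default_realm:
        return default_realm, "no domain_realm entry; default_realm"
    return None, "no domain_realm entry and no default_realm"


def host_principal(realm: str, host: str) -> str:
    """Service principal a Kerberized sshd on 'host' needs in its keytab."""
    return f"host/{host.lower()}@{realm}"


def resolve(conf_text: str, host: str) -> Tuple[Optional[str], str]:
    sections = parse_sections(conf_text)
    default_realm = sections.get("libdefaults", {}).get("default_realm")
    return realm_for_host(sections.get("domain_realm", {}), host, default_realm)


if __name__ == "__main__":
    for h in ("c10b01.ctrl.ghpc.dk", "c10b02.ctrl.ghpc.dk", "freeipa1.nghpc.dk", "c10b01"):
        realm, rule = resolve(KRB5_CONF, h)
        print(f"{h:22} -> {realm} ({rule}); keytab needs {host_principal(realm, h)}")
```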
6 years, 2 months
ERR - attrlist_replace - attr_replace
by Harald Dunkel
Hi folks,
/var/log/messages includes tons of error messages like
Jan 15 07:34:56 ipa1 ns-slapd: [15/Jan/2018:07:34:56.684472891 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:58 ipa1 ns-slapd: [15/Jan/2018:07:34:58.421020416 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:58 ipa1 ns-slapd: [15/Jan/2018:07:34:58.431938703 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:58 ipa1 ns-slapd: [15/Jan/2018:07:34:58.444161918 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.005555395 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.010930343 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.014371119 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.078732745 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.085465505 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.088906212 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.259716279 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa4.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.270409631 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa4.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.273799363 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa4.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
I already found https://access.redhat.com/solutions/2741521, cleaned up
the "dangling RUVs" and rebooted the servers.
What is ns-slapd trying to tell me?
Every helpful comment is highly appreciated.
Harri
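The clock-skew errors in the re-initialize thread above and the attr_replace failures in this post share the ns-slapd errors-log format, so one parser covers both and shows what each line is reporting (skew in days against the printed limit, and which referral host each replace failed for). Added example, not 389-ds or FreeIPA code; SAMPLE_LINES are constructed from the two posts, with mail-wrapped lines joined back together, and the optional syslog prefix assumes the "ns-slapd:" tag shown in /var/log/messages above.

```python
"""Classify ns-slapd (389-ds) error-log lines from the two posts above:
'csngen_adjust_time - Adjustment limit exceeded' (replication refused
because the replicas' clocks differ by more than the limit, 86400 s in
the posted lines) and 'attrlist_replace - attr_replace (nsslapd-referral,
...) failed'.

Added example, not 389-ds or FreeIPA code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The errors log writes "[ts] - LEVEL - component - message".  When the same
# text lands in /var/log/messages it carries a syslog prefix such as
# "Jan 15 07:34:56 ipa1 ns-slapd: ", so that prefix is optional here.
LINE_RE = re.compile(
    r"^(?:\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ns-slapd: )?"
    r"\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<component>\S+) - (?P<msg>.*)$"
)
SKEW_RE = re.compile(r"Adjustment limit exceeded; value - (?P<value>\d+), limit - (?P<limit>\d+)")
REFERRAL_RE = re.compile(r"attr_replace \((?P<attr>[^,]+), ldap://(?P<host>[^:/]+)[^)]*\) failed")


@dataclass
class Finding:
    timestamp: str
    kind: str        # clock_skew | referral_replace_failed | other_error
    detail: str
    value: int = 0   # skew in seconds for clock_skew, else 0


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for ERR lines, None for non-matching or non-ERR lines."""
    m = LINE_RE.match(line.strip())
    if not m or m["level"] != "ERR":
        return None
    ts, comp, msg = m["ts"], m["component"], m["msg"]
    if comp == "csngen_adjust_time":
        s = SKEW_RE.search(msg)
        if s:
            value, limit = int(s["value"]), int(s["limit"])
            return Finding(ts, "clock_skew",
                           f"skew {value}s (~{value / 86400:.1f} days) exceeds limit {limit}s",
                           value)
    if comp == "attrlist_replace":
        r = REFERRAL_RE.search(msg)
        if r:
            return Finding(ts, "referral_replace_failed", f"{r['attr']} -> {r['host']}")
    return Finding(ts, "other_error", f"{comp}: {msg}")


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Worst skew seen, referral failures per target host, and a count of
    ERR lines that neither pattern explains (worth reading by hand)."""
    skews: List[int] = []
    referrals: Counter = Counter()
    other = 0
    for f in filter(None, map(parse_line, lines)):
        if f.kind == "clock_skew":
            skews.append(f.value)
        elif f.kind == "referral_replace_failed":
            referrals[f.detail.split(" -> ")[1]] += 1
        else:
            other += 1
    worst = max(skews, default=0)
    return {
        "max_skew_seconds": worst,
        "max_skew_days": round(worst / 86400, 1),
        "referral_failures": dict(referrals),
        "other_errors": other,
    }


# Constructed from the two posts (hosts and timestamps as posted there).
SAMPLE_LINES = [
    "[15/Jan/2018:07:27:58.296415297 -0500] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests",
    "[15/Jan/2018:07:28:02.794968170 -0500] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 7568166, limit - 86400",
    '[15/Jan/2018:07:28:02.796095907 -0500] - ERR - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTolithium.eng.example.com" (lithium:389): Fatal error - too much time skew between replicas!',
    "[15/Jan/2018:07:28:25.023819558 -0500] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 7568268, limit - 86400",
    "Jan 15 07:34:56 ipa1 ns-slapd: [15/Jan/2018:07:34:56.684472891 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.",
    "Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.005555395 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.",
    "Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.010930343 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.",
]

if __name__ == "__main__":
    for f in filter(None, map(parse_line, SAMPLE_LINES)):
        print(f.timestamp, f.kind, f.detail)
    print(summarize(SAMPLE_LINES))
```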
6 years, 2 months
Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)
by Alex Corcoles
Hi,
I have reproduced the problem on the LXC container. The full debug log is
at:
https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
The bit failing is:
[root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw
--mkhomedir
...
ipa : DEBUG [11/22]: configuring Gssproxy
[11/22]: configuring Gssproxy
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/selinuxenabled
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl restart gssproxy.service
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=A dependency job for gssproxy.service failed.
See 'journalctl -xe' for details.
ipa : DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line
242, in configure_gssproxy
services.knownservices.gssproxy.restart()
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 322, in restart
capture_output, wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 310, in _restart_base
skip_output=not capture_output)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512,
in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/bin/systemctl restart gssproxy.service'
returned non-zero exit status 1
ipa : DEBUG [error] CalledProcessError: Command
'/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
[error] CalledProcessError: Command '/bin/systemctl restart
gssproxy.service' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
333, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
368, in run
self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
392, in execute
for _nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
63, in _install
for _nothing in self._installer(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py",
line 617, in main
replica_install(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 386, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1440, in install
ca_file=cafile)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 166, in install_http
subject_base=config.subject_base, master_fqdn=config.master_host_name)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line
190, in create_instance
self.start_creation()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line
242, in configure_gssproxy
services.knownservices.gssproxy.restart()
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 322, in restart
capture_output, wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
line 310, in _restart_base
skip_output=not capture_output)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512,
in run
raise CalledProcessError(p.returncode, arg_string, str(output))
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
DEBUG The ipa-replica-install command failed, exception:
CalledProcessError: Command '/bin/systemctl restart gssproxy.service'
returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR Command '/bin/systemctl restart gssproxy.service' returned
non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Cheers,
Álex
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> do you have a traceback in log? I'm curious where exactly this happened,
> what is your FreeIPA version?
>
> [1]
> I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in
> LXC :-) So it should work
>
> 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>:
>
>> Hi Marti,
>>
>> On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> it looks that replica is trying to add records to your forward zone.
>>> What is the hostname of the replica?
>>>
>>
>> Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
>>
>> I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide
>> automatic network configuration to VMs. It's a non-routable network, so I'm
>> not sure what the right setup would be.
>>
>> 1. what is not working on lxc?
>>>
>>
>> It was something about GSSAPI or something like that, I'll try to
>> reproduce and start a new thread about that- but I guess it's more of an
>> LXC problem (ideally I would like to run my replica on LXC so it consumes
>> less RAM, but I can live with a full VM).
>>
>> Cheers,
>>
>> Álex
>>
>> 2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org>:
>>
>>> Hi,
>>>
>>> I'm labbing a FreeIPA environment for personal use, and I'm getting that
>>> while bringing up a replica.
>>>
>>> I set up my first freeipa-server instance on a cheap VPS on a public IP,
>>> intending to make it publicly accessible so I can always authenticate my
>>> laptop even on wild public networks.
>>>
>>> I'm adding the replica as a VM(1) on a Proxmox VE, on a private network
>>> with VPN connectivity to the first public freeipa-server, but I'm getting:
>>>
>>> 2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed,
>>> exception: ValidationError: invalid 'dnszoneidnsname': only master zones
>>> can contain records
>>>
>>> I'm trying to create the replica with CA and DNS, and I had set up DNS
>>> forwarding to the internal DNS on the Proxmox system with:
>>>
>>> $ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
>>> $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24
>>> --forwarder=10.42.42.1 --forward-policy=only
>>>
>>> on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 -
>>> h2.int.pdp7.net is the network it manages), and I guess that's messing
>>> with the replica, but I'm not sure how to troubleshoot this.
>>>
>>> Thoughts? Ideas?
>>>
>>> Thanks,
>>>
>>> Álex
>>>
>>> (1) I can't seem to create a freeipa-replica on an LXC container. Is
>>> this something that can be discussed here or should I take it to LXC?
>>
>>
>> --
>> S pozdravom Martin Bašti.
>>
>
>
> --
> S pozdravom Martin Bašti.
>
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
6 years, 2 months
Help please - Need to install Freeipa client on Fedora 14 talking to FreeIPA server 4.5.0
by Aravindh Sampathkumar
Hello list,
I'm trying to move from NIS to FreeIPA for authentication in a cluster. I already set up a FreeIPA server running version 4.5.0 on CentOS 7 and
it works well. I've got a few CentOS 7 and Fedora 23 clients talking
to it, all good.
We have a few legacy nodes that run *fedora 14* and *fedora 20* and I'm not
allowed to replace the nodes just yet. I would like for them to be able
to talk to the same FreeIPA server as well. I tried to install the FreeIPA
client, but with no success. Appreciate any help/tips with getting the
latest freeipa-client installed and running on Fedora 14.
I tried to install the "ipa-client" available in the Fedora 11 updates
repository:
[root@c04b13 ~]# yum install ipa-client
...
---> Package ipa-client.x86_64 0:1.2.2-6.fc14 set to be installed
--> Finished Dependency Resolution
Dependencies Resolved
...
Processing delta metadata
Package(s) data still to download: 48 k
ipa-client-1.2.2-6.fc14.x86_64.rpm
| 48...
Running Transaction
Installing : ipa-client-1.2.2-6.fc14.x86_64
Installed:
ipa-client.x86_64 0:1.2.2-6.fc14
Complete!
[root@c04b13 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): freeipa1.nghpc.dk
DNS discovery failed to find the IPA Server
Please provide your IPA server name (ex: ipa.example.com): freeipa1.nghpc.dk
Failed to verify that freeipa1.nghpc.dk is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
The same ipa-client-install works just fine on a Fedora 23 box on the
same network.
My question: Is there a way to get the latest FreeIPA client package
installed on this old Fedora 14 box?
I tried to download the rpm file from
(http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everythi...)
and install it using
yum --nogpgcheck localinstall freeipa-client-4.6.1-4.fc28.x86_64.rpm
But it only throws dependency errors, as in the attached console log.
Any ideas about how I can get the freeipa-client package on f14?
Thanks,
--
Aravindh Sampathkumar
aravindh(a)fastmail.com
6 years, 2 months
FreeIPA NFS Automount with Kerberos troubleshooting help needed
by jcccb
> jcccb via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes:
>
>
> Well this is the source of the problem, isn't it? I don't think NFS
> brought up GSSAPI support.
>
> Thanks,
> --Robbie
Then it's an AppArmor-related problem, I guess.
I thought I fixed this error with systemctl restart rpc-gssd.
And why is the auto.home working correctly?
6 years, 2 months
FreeIPA NFS Automount with Kerberos troubleshooting help needed
by jcccb
"getent passwd" gave me the same results on all machines.
Some logs from the NFS server:
journalctl:
Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 2
Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 2
Jan 12 14:52:38 nfs_server systemd[1]: Stopping RPC security service for NFS client and server...
Jan 12 14:52:38 nfs_server systemd[1]: Starting Preprocess NFS configuration...
Jan 12 14:52:38 nfs_server systemd[1]: Started Preprocess NFS configuration.
Jan 12 14:52:38 nfs_server systemd[1]: Starting RPC security service for NFS client and server...
Jan 12 14:52:38 nfs_server systemd[1]: Started RPC security service for NFS client and server.
Jan 12 14:54:29 nfs_server systemd[1]: Starting RPC bind service...
Jan 12 14:54:29 nfs_server systemd[1]: Started RPC bind service.
Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 2
Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 1
Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 2
Jan 12 15:25:12 nfs_server systemd[1]: Reached target Host and Network Name Lookups.
Jan 12 15:25:12 nfs_server systemd[1]: Starting Host and Network Name Lookups.
Jan 12 15:25:12 nfs_server systemd[1]: Starting Kernel Module supporting RPCSEC_GSS...
Jan 12 15:25:12 nfs_server systemd[1]: Starting Preprocess NFS configuration...
Jan 12 15:25:12 nfs_server systemd[1]: auth-rpcgss-module.service: main process exited, code=exited, status=1/FAILURE
Jan 12 15:25:12 nfs_server systemd[1]: Failed to start Kernel Module supporting RPCSEC_GSS.
Jan 12 15:25:12 nfs_server systemd[1]: Unit auth-rpcgss-module.service entered failed state.
Jan 12 15:25:12 nfs_server systemd[1]: auth-rpcgss-module.service failed.
Jan 12 15:25:12 nfs_server systemd[1]: Started Preprocess NFS configuration.
Jan 12 15:25:12 nfs_server systemd[1]: Starting NFSv4 ID-name mapping service...
Jan 12 15:25:12 nfs_server systemd[1]: Starting NFS Mount Daemon...
Jan 12 15:25:12 nfs_server systemd[1]: Starting NFS status monitor for NFSv2/3 locking....
Jan 12 15:25:12 nfs_server rpc.statd[505]: Version 1.3.0 starting
Jan 12 15:25:12 nfs_server rpc.statd[505]: Flags: TI-RPC
Jan 12 15:25:12 nfs_server systemd[1]: Started NFSv4 ID-name mapping service.
Jan 12 15:25:12 nfs_server rpc.mountd[507]: Version 1.3.0 starting
Jan 12 15:25:12 nfs_server systemd[1]: Started NFS Mount Daemon.
Jan 12 15:25:12 nfs_server systemd[1]: Started NFS status monitor for NFSv2/3 locking..
Jan 12 15:25:12 nfs_server systemd[1]: Starting NFS server and services...
Jan 12 15:25:12 nfs_server systemd[1]: Started NFS server and services.
Jan 12 15:25:12 nfs_server systemd[1]: Starting Notify NFS peers of a restart...
Jan 12 15:25:12 nfs_server sm-notify[513]: Version 1.3.0 starting
Jan 12 15:25:12 nfs_server sm-notify[513]: Already notifying clients; Exiting!
Jan 12 15:25:12 nfs_server systemd[1]: Started Notify NFS peers of a restart.
Jan 12 15:26:11 nfs_server systemd[1]: Stopping RPC security service for NFS client and server...
Jan 12 15:26:11 nfs_server systemd[1]: Starting Preprocess NFS configuration...
Jan 12 15:26:11 nfs_server systemd[1]: Started Preprocess NFS configuration.
Jan 12 15:26:11 nfs_server systemd[1]: Starting RPC security service for NFS client and server...
Jan 12 15:26:11 nfs_server systemd[1]: Started RPC security service for NFS client and server.
I have to do a systemctl restart rpc-gssd on the nfs_server after a reboot, otherwise it's not even working with my home automount folders, as mentioned in my first post.
After the restart I can access the "public" and my personal "home" folder mounted from nfs_server:/home/& on the client at /home/ipa/username.
So everything's fine with the auto.home map as far as I can tell.
It would be nice to fix this little annoyance anyway, so I don't need to restart this service manually after every reboot.
On the ubuntu_client:
Jan 12 14:47:11 ubuntu_client apparmor[89]: /etc/init.d/apparmor: 256: /etc/init.d/apparmor: cannot open /sys/kernel/security/apparmor/.ns_stacked: Permission denied
Jan 12 14:47:11 ubuntu_client apparmor[89]: * Not starting AppArmor in container
Jan 12 14:47:11 ubuntu_client apparmor[89]: ...done.
Jan 12 14:47:11 ubuntu_client systemd[1]: Started AppArmor initialization.
Jan 12 14:47:11 ubuntu_client systemd[1]: networking.service: Failed to reset devices.list: Operation not permitted
...skipping...
Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: sigchld: exp 140530876737280 finished, switching from 5 to 7
Jan 12 16:45:43 ubuntu_client automount[615]: st_shutdown: state 5 path /-
Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: got thid 140530981533440 path /home/ipa stat 0
Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: sigchld: exp 140530981533440 finished, switching from 5 to 7
Jan 12 16:45:43 ubuntu_client automount[615]: st_shutdown: state 5 path /home/ipa
Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: got thid 140530865141504 path /storage stat 0
Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: sigchld: exp 140530865141504 finished, switching from 5 to 7
Jan 12 16:45:43 ubuntu_client automount[615]: st_shutdown: state 5 path /storage
Jan 12 16:45:43 ubuntu_client automount[615]: automount_path_to_fifo: fifo name /var/run/autofs.fifo--
Jan 12 16:45:43 ubuntu_client automount[615]: shut down path /-
Jan 12 16:45:44 ubuntu_client automount[615]: umount_multi: path /home/ipa incl 0
Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /home/ipa/public
Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /home/ipa/username
Jan 12 16:45:44 ubuntu_client automount[615]: umounted indirect mount /home/ipa
Jan 12 16:45:44 ubuntu_client automount[615]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-home-ipa
Jan 12 16:45:44 ubuntu_client automount[615]: shut down path /home/ipa
Jan 12 16:45:44 ubuntu_client automount[615]: umount_multi: path /storage incl 0
Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/software
Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/media
Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/downloads
Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/data
Jan 12 16:45:44 ubuntu_client automount[615]: umounted indirect mount /storage
Jan 12 16:45:44 ubuntu_client automount[615]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-storage
Jan 12 16:45:44 ubuntu_client automount[615]: shut down path /storage
Jan 12 16:45:44 ubuntu_client automount[615]: autofs stopped
Jan 12 16:45:44 ubuntu_client systemd[1]: Stopped Automounts filesystems on demand.
Jan 12 16:45:44 ubuntu_client systemd[1]: autofs.service: Failed to reset devices.list: Operation not permitted
Jan 12 16:45:44 ubuntu_client systemd[1]: Starting Automounts filesystems on demand...
Jan 12 16:45:44 ubuntu_client automount[825]: Starting automounter version 5.1.2, master map /etc/auto.master
Jan 12 16:45:44 ubuntu_client automount[825]: using kernel protocol version 5.02
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_master: reading master file /etc/auto.master
Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null)
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_master: reading master dir /etc/auto.master.d
Jan 12 16:45:44 ubuntu_client automount[825]: lookup(dir): dir map /etc/auto.master.d missing or not readable
Jan 12 16:45:44 ubuntu_client automount[825]: lookup(file): failed to read included master map dir:/etc/auto.master.d
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_read_master: lookup(file): read entry +auto.master
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_master: reading master sss auto.master
Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null)
Jan 12 16:45:44 ubuntu_client automount[825]: master_do_mount: mounting /-
Jan 12 16:45:44 ubuntu_client automount[825]: automount_path_to_fifo: fifo name /var/run/autofs.fifo--
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_map: reading map sss auto.direct
Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null)
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
Jan 12 16:45:44 ubuntu_client automount[825]: st_ready: st_ready(): state = 0 path /-
Jan 12 16:45:44 ubuntu_client automount[825]: master_do_mount: mounting /storage
Jan 12 16:45:44 ubuntu_client automount[825]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-storage
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_map: reading map sss auto.storage
Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null)
Jan 12 16:45:44 ubuntu_client automount[825]: mounted indirect on /storage with timeout 300, freq 75 seconds
Jan 12 16:45:44 ubuntu_client automount[825]: st_ready: st_ready(): state = 0 path /storage
Jan 12 16:45:44 ubuntu_client automount[825]: ghosting enabled
Jan 12 16:45:44 ubuntu_client automount[825]: master_do_mount: mounting /home/ipa
Jan 12 16:45:44 ubuntu_client automount[825]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-home-ipa
Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_map: reading map sss auto.home
Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null)
Jan 12 16:45:44 ubuntu_client automount[825]: mounted indirect on /home/ipa with timeout 300, freq 75 seconds
Jan 12 16:45:44 ubuntu_client automount[825]: st_ready: st_ready(): state = 0 path /home/ipa
Jan 12 16:45:44 ubuntu_client automount[825]: ghosting enabled
Jan 12 16:45:44 ubuntu_client systemd[1]: Started Automounts filesystems on demand.
After a systemctl restart autofs the sssd_autofs.log looks like:
I think I also have the automount set up like you suggested, @Tony Brian Albers?
root@ubuntu_client:~# automount -m
lookup_nss_read_master: reading master file /etc/auto.master
do_init: parse(sun): init gathered global options: (null)
lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
lookup_nss_read_master: reading master dir /etc/auto.master.d
lookup(dir): dir map /etc/auto.master.d missing or not readable
lookup(file): failed to read included master map dir:/etc/auto.master.d
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master sss auto.master
do_init: parse(sun): init gathered global options: (null)
autofs dump map information
===========================
global options: none configured
Mount point: /-
source(s):
lookup_nss_read_map: reading map sss auto.direct
do_init: parse(sun): init gathered global options: (null)
lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
instance type(s): sss
map: auto.direct
no keys found in map
Mount point: /storage
source(s):
lookup_nss_read_map: reading map sss auto.storage
do_init: parse(sun): init gathered global options: (null)
instance type(s): sss
map: auto.storage
software | -fstype=nfs4,rw,no_root_squash,sec=krb5,soft,rsize=8192,wsize=8192 nfs_server.ipa.mydomain.example:/storage/software
data | -fstype=nfs4,rw,no_root_squash,sec=krb5,soft,rsize=8192,wsize=8192 nfs_server.ipa.mydomain.example:/storage/data
downloads | nfs_server.ipa.mydomain.example:/storage/downloads
media | nfs_server.ipa.mydomain.example:/storage/media
Mount point: /home/ipa
source(s):
lookup_nss_read_map: reading map sss auto.home
do_init: parse(sun): init gathered global options: (null)
instance type(s): sss
map: auto.home
* | nfs_server.ipa.mydomain.example:/home/&
public | nfs_server.ipa.mydomain.example:/home/public
I played a bit with the storage mount options; which options would be recommended?
The whole Kerberos setup is working fine with no errors at the IPA server.
No SELinux is active on the ubuntu client or on the nfs server FreeIPA client, since both are Proxmox LXC containers and AppArmor is watching them instead. A problem here?
But why do some mounts then work like they should and some not?
The freeipa-server is a Fedora 27 with SELinux active, but I can't see any errors in the logs while restarting the autofs service so far.
6 years, 2 months
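As an added example (not code from the thread), a small Python checker for the automount -m map dump format shown in the post above: it parses each "key | [-options] location" line and reports entries that lack sec=krb5, or that carry options which belong in the server's /etc/exports rather than in a client map. The sample dump is constructed, modelled on the auto.storage and auto.home maps in the post, and the host name nfs_server.example is a placeholder.

```python
"""Audit an `automount -m` map dump for inconsistent NFS security options."""
import re

# Constructed sample, modelled on the auto.storage / auto.home dumps above.
SAMPLE_DUMP = """\
Mount point: /storage
source(s):
instance type(s): sss
map: auto.storage
software | -fstype=nfs4,rw,no_root_squash,sec=krb5,soft nfs_server.example:/storage/software
data | -fstype=nfs4,rw,sec=krb5 nfs_server.example:/storage/data
downloads | nfs_server.example:/storage/downloads
media | nfs_server.example:/storage/media
Mount point: /home/ipa
map: auto.home
* | -fstype=nfs4,sec=krb5 nfs_server.example:/home/&
"""

# Settings from exports(5); they configure the server side and have no
# effect when written into a client-side automount map entry.
EXPORT_ONLY = {"no_root_squash", "root_squash", "all_squash",
               "subtree_check", "no_subtree_check"}

# key | -opt1,opt2 host:/path   (the "-options" part is optional)
ENTRY_RE = re.compile(r"^(?P<key>\S+) \| (?:-(?P<opts>\S+) )?(?P<loc>\S+:\S+)$")


def parse_map_dump(text):
    """Return [(key, set_of_options, location)] for every map entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "Mount point:", "map:" and similar header lines
        opts = set(m.group("opts").split(",")) if m.group("opts") else set()
        entries.append((m.group("key"), opts, m.group("loc")))
    return entries


def audit_entries(entries, required_sec="krb5"):
    """Map each key to a list of findings; an empty list means the entry is fine."""
    findings = {}
    for key, opts, _loc in entries:
        problems = []
        if f"sec={required_sec}" not in opts:
            # Without sec= the client falls back to AUTH_SYS (sec=sys).
            problems.append(f"missing sec={required_sec}")
        for opt in sorted(opts & EXPORT_ONLY):
            problems.append(f"export-side option {opt} in client map")
        findings[key] = problems
    return findings


if __name__ == "__main__":
    for key, problems in audit_entries(parse_map_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {', '.join(problems) or 'ok'}")
```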