IPA managed autofs mount timeout
by William Muriithi
Evening,
I have done this before but for the life of me, I can't seem to find a way
to undo my previous change.
I am using autofs to mount home directories. The autofs maps are on IPA
server. A while back, I adjusted the mount idle timeout from the default 5
minutes to 2 hours.
I now want to undo the change, essentially bringing the timeout back down to 5
minutes. I can't, however, remember how I had increased it, and Google just
brings up how to adjust it locally from /etc/sysconfig/autofs. I vaguely recall
that I had made the change from IPA. Does anyone have this info
without too much googling?
Regards,
William
5 years, 3 months
Encrypted message
by Arjen Heidinga
All,
I am here again bothering you with my seemingly borked installation. The
upgrade from 7.0 to 7.2 on Fedora 28-29 finished (finally), when I
spotted a stacktrace in my journal.
Digging into it, this appears to be the cause. All I find on the
internet are ancient (solved) bugs...
It appears that it has something to do with DNSSEC. Perhaps this is a
clue; I do not remember setting this up.
Kind Regards,
Arjen
[root@starkey ~]# /usr/libexec/ipa/ipa-dnskeysync-replica
ipalib.plugable: DEBUG importing all plugin modules in
ipaserver.plugins...
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.automember
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.automount
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid
plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.certprofile
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.delegation
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin
module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.migration
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.permission
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.privilege
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG ipaserver.plugins.rabase is not a valid plugin
module
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.selfservice
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.serverrole
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.serverroles
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.stageuser
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG ipaserver.plugins.sudo is not a valid plugin
module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG ipaserver.plugins.virtual is not a valid
plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG importing plugin module
ipaserver.plugins.xmlserver
ipa-dnskeysync-replica: DEBUG Kerberos principal: ipa-dnskeysyncd/starkey.platypusnet.org
ipalib.install.kinit: DEBUG Initializing principal ipa-dnskeysyncd/starkey.platypusnet.org using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipalib.install.kinit: DEBUG using ccache /tmp/ipa-dnskeysync-replica.ccache
ipalib.install.kinit: DEBUG Attempt 1/5: success
ipa-dnskeysync-replica: DEBUG Got TGT
ipa-dnskeysync-replica: DEBUG Connecting to LDAP
ipa-dnskeysync-replica: DEBUG Connected
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 179, in <module>
    open(paths.DNSSEC_SOFTHSM_PIN).read())
  File "/usr/lib/python3.7/site-packages/ipaserver/dnssec/localhsm.py", line 104, in __init__
    self.p11 = _ipap11helper.P11_Helper(label, pin, library)
  File "/usr/lib/python3.7/site-packages/ipaserver/p11helper.py", line 866, in __init__
    raise Error("No slot for label {} found".format(self.token_label))
ipaserver.p11helper.Error: No slot for label ipaDNSSEC found
Exception ignored in: <function LocalHSM.__del__ at 0x7fd0d6b77158>
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/dnssec/localhsm.py", line 107, in __del__
    self.p11.finalize()
AttributeError: 'LocalHSM' object has no attribute 'p11'
5 years, 3 months
Trouble with pki-tomcat
by Arjen Heidinga
Dear all,
I fear that somehow my FreeIPA server is broken. Perhaps it is time to create
a new one; however, that would be very time-consuming.
Yesterday everything broke after FreeIPA was upgraded. It is worth
mentioning that I had certificate issues recently: my root CA and
httpd cert expired.
When I start the pki-tomcat daemon, I am presented with the stacktrace
below. Note that the pcscd lines are there every time I try to start it.
I'd appreciate it if someone has a clue.
Kind Regards,
Arjen Heidinga
Dec 14 15:31:44 starkey.platypusnet.org systemd[1]: Starting PKI Tomcat
Server pki-tomcat...
-- Subject: Unit pki-tomcatd@pki-tomcat.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit pki-tomcatd@pki-tomcat.service has begun starting up.
Dec 14 15:31:45 starkey.platypusnet.org pki-server[22909]:
----------------------------
Dec 14 15:31:45 starkey.platypusnet.org pki-server[22909]: pki-tomcat
instance migrated
Dec 14 15:31:45 starkey.platypusnet.org pki-server[22909]:
----------------------------
Dec 14 15:31:46 starkey.platypusnet.org pkidaemon[22936]:
-----------------------
Dec 14 15:31:46 starkey.platypusnet.org pkidaemon[22936]: Banner is not
installed
Dec 14 15:31:46 starkey.platypusnet.org pkidaemon[22936]:
-----------------------
Dec 14 15:31:46 starkey.platypusnet.org pkidaemon[22936]:
----------------------
Dec 14 15:31:46 starkey.platypusnet.org pkidaemon[22936]: Enabled all
subsystems
Dec 14 15:31:46 starkey.platypusnet.org pkidaemon[22936]:
----------------------
Dec 14 15:31:46 starkey.platypusnet.org systemd[1]: Started PKI Tomcat
Server pki-tomcat.
-- Subject: Unit pki-tomcatd@pki-tomcat.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit pki-tomcatd@pki-tomcat.service has finished starting up.
--
-- The start-up result is done.
Dec 14 15:31:46 starkey.platypusnet.org audit[1]: SERVICE_START pid=1
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=pki-tomcatd@pki-tomcat comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 14 15:31:46 starkey.platypusnet.org server[23062]: Java virtual
machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Dec 14 15:31:46 starkey.platypusnet.org server[23062]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Dec 14 15:31:46 starkey.platypusnet.org server[23062]: main class used:
org.apache.catalina.startup.Bootstrap
Dec 14 15:31:46 starkey.platypusnet.org server[23062]: flags used:
-DRESTEASY_LIB=/usr/share/java/resteasy
-Djava.library.path=/usr/lib64/nuxwdog-jni
Dec 14 15:31:46 starkey.platypusnet.org server[23062]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.security.manager
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Dec 14 15:31:46 starkey.platypusnet.org server[23062]: arguments used: start
Dec 14 15:31:48 starkey.platypusnet.org pcscd[18754]: 99999999
auth.c:137:IsClientAuthorized() Process 23062 (user: 985) is NOT
authorized for action: access_pcsc
Dec 14 15:31:48 starkey.platypusnet.org pcscd[18754]: 00000420
winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 14 15:31:48 starkey.platypusnet.org pcscd[18754]: 00029452
auth.c:137:IsClientAuthorized() Process 23062 (user: 985) is NOT
authorized for action: access_pcsc
Dec 14 15:31:48 starkey.platypusnet.org pcscd[18754]: 00000250
winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: SEVERE: Unable to
create CMS engine: com.netscape.cmscore.apps.CMSEngine
Dec 14 15:31:54 starkey.platypusnet.org server[23062]:
java.lang.InstantiationException: com.netscape.cmscore.apps.CMSEngine
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.lang.Class.newInstance(Class.java:427)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:138)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
javax.servlet.GenericServlet.init(GenericServlet.java:158)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.lang.reflect.Method.invoke(Method.java:498)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.security.AccessController.doPrivileged(Native Method)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1132)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1091)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:983)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4978)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5290)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.security.AccessController.doPrivileged(Native Method)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:629)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.util.concurrent.FutureTask.run(FutureTask.java:266)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.lang.Thread.run(Thread.java:748)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: Caused by:
java.lang.NoSuchMethodException:
com.netscape.cmscore.apps.CMSEngine.<init>()
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.lang.Class.getConstructor0(Class.java:3082)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: at
java.lang.Class.newInstance(Class.java:412)
Dec 14 15:31:54 starkey.platypusnet.org server[23062]: ... 33 more
Dec 14 15:31:59 starkey.platypusnet.org kernel: FINAL_REJECT: IN=ens6
OUT= MAC=33:33:00:00:00:01:10:be:f5:b2:f9:00:86:dd
SRC=2a00:0f60:0000:0001:0000:0000:0001:0059
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=377 TC=0 HOPLIMIT=255
FLOWLBL=0 PROTO=UDP SPT=62976 DPT=62976 LEN=337
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: WARNING:
Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@13f78b53]
background process
Dec 14 15:32:04 starkey.platypusnet.org server[23062]:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1152)
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5648)
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1390)
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1394)
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1362)
Dec 14 15:32:04 starkey.platypusnet.org server[23062]: at
java.lang.Thread.run(Thread.java:748)
Dec 14 15:32:09 starkey.platypusnet.org
[sssd[ldap_child[23172]]][23172]: Failed to initialize credentials using
keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm
'PLATYPUSNET.ORG'. Unable to create GSSAPI-encrypted LDAP connection.
Dec 14 15:32:09 starkey.platypusnet.org
[sssd[ldap_child[23173]]][23173]: Failed to initialize credentials using
keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm
'PLATYPUSNET.ORG'. Unable to create GSSAPI-encrypted LDAP connection.
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: WARNING:
Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@13f78b53]
background process
Dec 14 15:32:14 starkey.platypusnet.org server[23062]:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1152)
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5648)
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1390)
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1394)
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1362)
Dec 14 15:32:14 starkey.platypusnet.org server[23062]: at
java.lang.Thread.run(Thread.java:748)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: WARNING:
Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@13f78b53]
background process
Dec 14 15:32:24 starkey.platypusnet.org server[23062]:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1152)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5648)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1390)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1394)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1362)
Dec 14 15:32:24 starkey.platypusnet.org server[23062]: at
java.lang.Thread.run(Thread.java:748)
5 years, 3 months
Moving IPA master to a new server fails to start krb5kdc
by Kees Bakker
Hello,
I want to move my IPA master to new hardware, but IPA does not
want to start on that new hardware.
/var/log/krb5kdc.log shows:
krb5kdc: Server error - while fetching master key K/M for realm GHS.NL
And then of course the rest of FreeIPA is not working either.
I've basically copied the whole disk using rsync, and tweaked
some things like ifcfg and fstab.
The rsync command needs --numeric-ids, but other than that nothing
else is needed, I think.
rsync -ai -x --delete --numeric-ids oldmaster:/oldroot/ /croot/
Also force a relabeling for SELINUX
touch /croot/.autorelabel
It boots alright, but IPA isn't started properly.
Can someone shed some light on this? Does krb5kdc depend on its hardware?
Is there documentation how to move an IPA master to other hardware?
--
Kees
5 years, 3 months
Single Sign On (SSO) SSH via IP Address
by Theese, David C
Hello FreeIPA Community,
I am using FreeIPA version 4.4.0 on CentOS Linux 7.3.1611.
Via FreeIPA's use of Kerberos, I have no problem SSHing among hosts in a passwordless manner (Single Sign On (SSO)) as long as I use their hostnames. Example relevant output from the SSH client verbose mode is:
my-user@host-1.example.com$ ssh -v host-2.example.com
...
debug1: Authentication succeeded (gssapi-with-mic).
...
my-user@host-2.example.com$
However, if I try to SSH to the same host using its (fixed) IP address rather than its hostname, SSO does not succeed as an authentication method, and the client falls back to keyboard-interactive, prompting me for a password, as can be seen here:
my-user@host-1.example.com$ ssh -v 10.10.10.5
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/10.10.10.5@EXAMPLE.COM not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
We have in-house code that performs remote command execution via SSH. We've made sure our code always uses hostnames to avoid this problem. (Being prompted for a password kills the automation we're trying to achieve.)
We also use some external code (over which we have no control and are not permitted to modify), and that code also performs remote command execution via SSH. Unfortunately, however, it does so using an *IP address*, rather than a hostname, as a destination.
For this reason, we need FreeIPA's SSO SSH capability to work when SSHing to a host via that host's IP address.
Is this possible and, if so, how would it be accomplished?
Thanks,
Dave
5 years, 3 months
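A client-side workaround for the situation Dave describes, added here as an example and not part of his post: an ssh_config fragment (assumed to live in /etc/ssh/ssh_config on host-1, so it applies to the external tool as well; the names and the 10.10.10.5 address are those from the post) that rewrites the IP target to its hostname before the client requests a service ticket, so the principal asked for is host/host-2.example.com@EXAMPLE.COM rather than the non-existent host/10.10.10.5@EXAMPLE.COM. The commented-out alternative, GSSAPITrustDns, exists only in the GSSAPI-key-exchange-patched OpenSSH builds shipped by RHEL/CentOS and Debian and derives the principal from an unauthenticated reverse DNS lookup, so it is shown as the weaker option.

```text
# /etc/ssh/ssh_config on host-1 (assumed location); /etc/ssh/ssh_config is read
# by every SSH client on the host, including the external tool that connects
# by IP address and cannot be modified.

# Weaker alternative (patched RHEL/CentOS/Debian OpenSSH only): let the client
# derive the service principal from the PTR record of 10.10.10.5. This trusts
# whatever the resolver returns for the reverse lookup.
#   Host 10.10.10.5
#       GSSAPITrustDns yes

# Preferred: pin the IP to the hostname whose host/ principal exists in IPA.
# "originalhost" matches the target exactly as typed on the command line,
# so only this one address is rewritten. (Match requires OpenSSH 6.5 or later.)
Match originalhost 10.10.10.5
    HostName host-2.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

On OpenSSH 6.8 or later, `ssh -G 10.10.10.5 | grep -i '^hostname'` prints the effective HostName and confirms the rewrite without opening a connection; on older clients, `ssh -v 10.10.10.5` should now show the gssapi-with-mic step succeeding as in the hostname case above.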
Limits exceeded for this query
by lune voo
Hello everyone.
I am sending you this mail because I have a problem with an ipa
group-remove-member command which ends up with the following error message:
"Limits exceeded for this query".
I'm using IPA 3.0.0.
The group from which I want to remove a user also contains other groups
(281).
I was wondering how I could solve this problem?
I tried to play with the configuration as described here:
https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/searche...
I tried to increase both limits, but it did not solve the problem.
I guess that, as I'm not doing a search but a group remove member, these parameters
are maybe not used?
Thanks for your help o/
Best regards.
Lune.
5 years, 3 months
new replica does not post properly in ipa_check_consistency
by Grant Janssen
New replica looks to be fully joined. I can add users, and I have verified by log examination
that the new replica is actually the server adding the user.
I cannot detect any issues, BUT the 3rd replica does not appear as a column when I execute the
ipa_check_consistency script.
grant@ef-idm03:~[20181219-11:35][#103]$ ipa-replica-manage list
ef-idm03.production.efilm.com: master
ef-idm02.production.efilm.com: master
ef-idm01.production.efilm.com: master
grant@ef-idm03:~[20181219-11:35][#104]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ********
FreeIPA servers: ef-idm01 ef-idm02 STATE
=================================================
Active Users 129 129 OK
Stage Users 7 7 OK
Preserved Users 0 0 OK
User Groups 22 22 OK
Hosts 158 158 OK
Host Groups 16 16 OK
HBAC Rules 5 5 OK
SUDO Rules 14 14 OK
DNS Zones ERROR ERROR OK
LDAP Conflicts NO NO OK
Ghost Replicas NO NO OK
Anonymous BIND YES YES OK
Replication Status ef-idm02 0 ef-idm01 0
ef-idm03 0
=================================================
grant@ef-idm03:~[20181219-11:35][#105]$ ipa user_find | grep entries
Number of entries returned 129
grant@ef-idm03:~[20181219-11:35][#106]$ ipa group_find | grep entries
Number of entries returned 22
grant@ef-idm03:~[20181219-11:35][#107]$ ipa host_find | grep entries
Number of entries returned 155
grant@ef-idm03:~[20181219-11:36][#108]$ ipa hostgroup_find | grep entries
Number of entries returned 16
grant@ef-idm03:~[20181219-11:36][#109]$ ipa hbacrule-find | grep entries
Number of entries returned 5
grant@ef-idm03:~[20181219-11:37][#110]$ ipa sudorule-find | grep entries
Number of entries returned 14
grant@ef-idm03:~[20181219-11:37][#111]$
What does this indicate?
thanx
- grant
5 years, 3 months
freeIPA Host certs
by Azim Siddiqui
Hello,
Hope you are doing well. I have a question regarding FreeIPA host
certificates.
We are using FreeIPA as our LDAP. We have some certificates for hosts, e.g.
http/uat.com,
and we are deploying the certs in HAProxy in PEM format.
But the certificates for this host have expired.
Can you please let me know in detail how to renew my expired certificates
for the hosts? Please provide me the commands and steps.
FreeIPA, version: 4.2.0
Thanks & Regards,
Azeem
5 years, 3 months