Problems with updated ubuntu
by Jeff Goddard
I'm trying to deploy 2 new VMs which will be docker hosts. Our base
template is ubuntu 16.04 last patched on 1.2.18. The process is to spin up
a new VM from the template and then patch it, assign an IP, and add it to the
FreeIPA domain - all steps which occurred without error. However, I'm not able
to ssh into these new servers and also unable to log on as my user from the
console. Here are the errors from auth.log:
Feb 20 15:16:14 docker-prod-03 sshd[1056]: Server listening on 0.0.0.0 port 22.
Feb 20 15:16:14 docker-prod-03 sshd[1056]: Server listening on :: port 22.
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): check pass; user unknown
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jgoddard
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:account): could not identify user (from getpwnam(jgoddard))
Feb 20 15:16:27 docker-prod-03 login[1155]: Authentication failure
I spooled out a new VM from the template and did not update it, performed
the same tasks (hostname, ip assignment, IPA join), and do not have the
problems. Can I get some assistance in 1) isolating which sets of packages
caused the issue, and 2) reporting a bug if necessary?
Thanks,
Jeff
6 years, 2 months
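An added example, not part of the original post, that scans auth.log for exactly the pattern quoted above: pam_sss accepts the password in the auth stage, then pam_unix's account stage fails because getpwnam(), the NSS lookup, does not return the user. The awk correlates the two messages by process ID; the report helper then asks getent(1) whether the user resolves on the host right now. The sample log is constructed from the post's lines plus one made-up successful sshd login for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): correlate PAM auth/account stages
# per login PID in auth.log and report users that passed pam_sss authentication
# but could not be resolved by getpwnam() in the account stage.

# Constructed sample: the post's lines plus a made-up successful sshd login.
SAMPLE_LOG='Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): check pass; user unknown
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jgoddard
Feb 20 15:16:27 docker-prod-03 login[1155]: pam_unix(login:account): could not identify user (from getpwnam(jgoddard))
Feb 20 15:16:27 docker-prod-03 login[1155]: Authentication failure
Feb 20 15:20:01 docker-prod-03 sshd[1201]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Feb 20 15:20:01 docker-prod-03 sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)'

# Read auth.log lines on stdin; print "pid user" for every process where
# pam_sss reported auth success but pam_unix's account stage could not find
# the same user through NSS (getpwnam).
find_nss_gaps() {
    awk '
        match($0, /\[[0-9]+\]/) {
            pid = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /pam_sss\([a-z-]+:auth\): authentication success/ {
            if (match($0, /user=[^ ]+/))
                ok[pid] = substr($0, RSTART + 5, RLENGTH - 5)
        }
        /pam_unix\([a-z-]+:account\): could not identify user \(from getpwnam\(/ {
            if (match($0, /getpwnam\([^)]+\)/))
                u = substr($0, RSTART + 9, RLENGTH - 10)
            if ((pid in ok) && ok[pid] == u) print pid, u
        }
    '
}

# Report for a log file given as $1, and show whether NSS resolves the user
# now, so the log evidence can be compared with the host's current state.
report_nss_gaps() {
    find_nss_gaps < "$1" | while read -r pid user; do
        if getent passwd "$user" >/dev/null 2>&1; then
            state="resolvable now"
        else
            state="still not resolvable via NSS"
        fi
        printf 'pid %s: %s authenticated via pam_sss but getpwnam() failed (%s)\n' \
            "$pid" "$user" "$state"
    done
}

# Stand-alone demo on the constructed sample: prints "1155 jgoddard".
printf '%s\n' "$SAMPLE_LOG" | find_nss_gaps
```

On a real host run `report_nss_gaps /var/log/auth.log`; a user that still fails `getent passwd` while pam_sss accepted the password points at the NSS side (sssd and its nsswitch configuration) rather than at the credentials.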
slapd shutting down while updating big number of users with ldapmodify
by Alex M
Hello all!
I'm trying to update users of my ldap (with more than 100k users), adding to them new objectclass and new attribute with value. After updating about 31K users (31124 from the script's log), the script fails without any errors. Last modification date of the script's log file is 20/Feb/2018:15:37:19.
ipa user-find | grep "Number of entries returned"
Returns correct value (>100k) without any errors
FreeIPA, version: 4.5.4
My script:
kinit admin
Then
updateUsers() {
    # Base DN taken from the ipaConfig entry, e.g. dc=example,dc=com
    baseDn="$(ipa config-show --raw --all | grep -e '^[[:space:]]*dn:' | sed -e 's#^[[:space:]]*dn: cn=ipaConfig,cn=etc,##g')"
    # One "dn: ..." line per user entry; blank lines separate entries
    ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,${baseDn}" -s one -LLL dn | while read -r line ; do
        if [ -n "$line" ] ; then
            # Two separate modify operations (and two GSSAPI binds) per user
            echo -e "${line}\nchangetype: modify\nadd: objectclass\nobjectclass: mailRecipient\n\n" | ldapmodify -Y GSSAPI
            echo -e "${line}\nchangetype: modify\nadd: mailQuota\nmailQuota: 200\n\n" | ldapmodify -Y GSSAPI
        fi
    done
}
From /var/log/dirsrv/slapd-MYDOMAIN/errors
[20/Feb/2018:15:37:24.869634835 +0300] slapd shutting down - signaling operation threads - op stack size 10 max work q size 6 max work q stack size 6
[20/Feb/2018:15:37:24.877085174 +0300] slapd shutting down - waiting for 24 threads to terminate
[20/Feb/2018:15:37:24.880513622 +0300] slapd shutting down - closing down internal subsystems and plugins
[20/Feb/2018:15:37:32.388250081 +0300] Waiting for 4 database threads to stop
[20/Feb/2018:15:37:33.075482198 +0300] All database threads now stopped
[20/Feb/2018:15:37:34.102540783 +0300] slapd shutting down - freed 6 work q stack objects - freed 10 op stack objects
[20/Feb/2018:15:37:34.694797131 +0300] slapd stopped.
I've tried twice. On the first attempt it successfully updated about 32k users.
Any suggestions what is going on and how to prevent this?
6 years, 2 months
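An added example, not the poster's script, showing the same bulk change done as one LDIF stream: each user gets a single modify record that adds the objectclass and the attribute together, all records go through one ldapmodify process (one GSSAPI bind instead of two per user), and `-c` keeps one rejected entry from aborting the batch. It assumes the post's layout (users under cn=users,cn=accounts,<base DN>) and a valid ticket from `kinit admin`; the folded LDIF sample in the test is constructed. Like the original, it passes the `dn:` line through verbatim, so base64 `dn::` values also work.

```shell
#!/bin/sh
# Added example (not the poster's script): bulk-add an objectclass and an
# attribute to every user with one ldapmodify run. Assumes a FreeIPA tree
# with users under cn=users,cn=accounts,<base DN> and a valid Kerberos ticket.

# ldapsearch folds long lines at 78 characters with a leading space; join
# them back so every entry's dn is a single line. Blank lines are dropped.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# One modify record per entry: both changes in a single LDAP operation,
# separated by the "-" line LDIF uses between changes. $1 is the "dn: ..." line.
build_modify_ldif() {
    printf '%s\nchangetype: modify\nadd: objectclass\nobjectclass: mailRecipient\n-\nadd: mailQuota\nmailQuota: 200\n\n' "$1"
}

# Turn an ldapsearch "dn" listing on stdin into a stream of modify records.
users_to_ldif() {
    unfold_ldif | while read -r line; do
        case "$line" in
            dn:*) build_modify_ldif "$line" ;;
        esac
    done
}

# Driver: stream every user DN through one ldapmodify process. -c continues
# past per-entry errors (e.g. objectclass already present) instead of stopping
# the batch; errors are kept in a file for review afterwards.
update_users() {
    baseDn="$(ipa config-show --raw --all | sed -n 's/^[[:space:]]*dn: cn=ipaConfig,cn=etc,//p')"
    ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,${baseDn}" -s one -LLL dn \
        | users_to_ldif \
        | ldapmodify -Y GSSAPI -c 2>ldapmodify-errors.log
}

# Dry run on a constructed DN: shows the exact record that would be sent.
build_modify_ldif 'dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test'
```

Run `users_to_ldif` on a saved ldapsearch listing first to review the generated LDIF, then call `update_users`; with a single client connection the directory log will show one bind followed by a steady stream of MOD operations, which makes it easier to see what the server was doing just before a shutdown like the one quoted above.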
user/admin
by Charles Hedrick
There’s a convention of creating admin instances for users, usually named user/admin. IPA doesn’t seem to allow such instances. Is there a way to make them work?
As far as I can tell the instance can only be a hostname. That doesn’t seem like a sensible restriction.
6 years, 2 months
FreeIPA integrated DNS or Bind
by Ben Archuleta
Hello Everybody,
I am currently rolling out a FreeIPA based solution to replace a NIS behind a NAT that's deteriorating. As I look at the implementation of FreeIPA I was wondering, is it better to use the DNS server that's part of FreeIPA or to use Bind. The new NAT doesn't yet have a set design so I can implement DNS in whatever form is necessary.
Topology:
NAT: x.my.wonderful.domain
IPA: ipa0.my.wonderful.domain
IPA: ipa1.my.wonderful.domain
Then 250 workstations live behind the NAT.
Regards,
Ben
6 years, 2 months
FreeIpa install failed on CA did not start in 300.0s
by Markovich
Hi FreeIPA users,
Please help find what's going wrong while reinstalling freeipa...
2018-02-16T16:41:30Z DEBUG response body '<html>\n<head>\n<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>\n<title>Error 405 HTTP method POST is not supported by this URL</title$
2018-02-16T16:41:30Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 405
2018-02-16T16:41:30Z DEBUG Waiting for CA to start...
2018-02-16T16:41:31Z DEBUG request POST http://<hostname>:8080/ca/admin/ca/getStatus
2018-02-16T16:41:31Z DEBUG request body ''
2018-02-16T16:41:31Z DEBUG response status 405
2018-02-16T16:41:31Z DEBUG response headers Date: Fri, 16 Feb 2018 16:41:31 GMT
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 408
Server: Jetty(9.3.z-SNAPSHOT)
CA did not start in 300.0s
CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
ERROR Unable to retrieve CA chain: Retrieving CA cert chain failed: list index out of range
Also in log:
2018-02-16T16:35:12Z DEBUG stderr=
2018-02-16T16:35:12Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-16T16:35:12Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-16T16:35:12Z DEBUG Starting external process
2018-02-16T16:35:12Z DEBUG args=/bin/systemctl disable krb5kdc.service
2018-02-16T16:35:12Z DEBUG Process finished, return code=0
2018-02-16T16:35:12Z DEBUG stdout=
2018-02-16T16:35:12Z DEBUG stderr=
2018-02-16T16:35:12Z DEBUG duration: 0 seconds
2018-02-16T16:35:12Z DEBUG Done configuring Kerberos KDC (krb5kdc).
2018-02-16T16:35:12Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-16T16:35:12Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-16T16:35:12Z DEBUG Configuring kadmin
2018-02-16T16:35:12Z DEBUG [1/2]: starting kadmin
2018-02-16T16:35:12Z DEBUG Starting external process
2018-02-16T16:35:12Z DEBUG args=/bin/systemctl is-active kadmin.service
2018-02-16T16:35:12Z DEBUG Process finished, return code=3
2018-02-16T16:35:12Z DEBUG stdout=failed
In /var/log/pki/pki-tomcat/ca/debug
[16/Feb/2018:16:35:22][localhost-startStop-1]: LdapBoundConnFactory: init
Property internaldb.ldapconn.port missing value
...
[16/Feb/2018:16:36:20][http-bio-8443-exec-3]: CertificateAuthority:initSigUnit: ca.signing.cert not found
Property ca.signing.cacertnickname missing value
...
[16/Feb/2018:16:36:20][http-bio-8443-exec-3]: CA signing unit inited
[16/Feb/2018:16:36:20][http-bio-8443-exec-3]: cachainNum= 0
Could not get or build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
...
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: CertificateAuthority:initSigUnit: ca cert found
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: Got token Internal Key Storage Token by name
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: converted to x509CertImpl
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: Got private key from cert
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: Got public key from cert
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: got signing algorithm RSASignatureWithSHA256Digest
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: CA signing unit inited
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: cachainNum= 0
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: in init - got CA chain from JSS.
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: ca.ocsp_signing Signing Unit nickname ocspSigningCert cert-pki-ca
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: Got token Internal Key Storage Token by name
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: Unable to find certificate ocspSigningCert cert-pki-ca
[16/Feb/2018:16:36:23][http-bio-8443-exec-3]: SigningUnit: Certificate object not found
Regards,
Andrey
6 years, 2 months
odd DNS setting question?
by Kat
Good morning
What, if anything, would cause a TTL to be different in a DNS config for
IPA?
;; ADDITIONAL SECTION:
c.example.com. 1200 IN A 10.1.2.2
c1.example.com 1200 IN A 10.1.2.3
p.example.com. 86400 IN A 10.1.2.4
p1.example.com. 86400 IN A 10.1.3.5
And yet, if I update system records, they all show the same 86400 when
they were updated?
Question - if you are using the "location" function, would this possibly
be related, that values are updated dynamically based on the host I am
running "dig" from is in a different location?
The other question is - how to keep IPA DNS from trying to forward a
lookup.
Trying to add a replica, and Host "A" is already set as a client and
working fine. It can only talk to IPA server "C". "C" is also set in
resolv.conf as nameserver. When you try to add the replica however, it
tries to resolve by way of using "c1" as the DNS resolver, which I don't
understand why?
ipa : DEBUG Check forward/reverse DNS resolution
ipa : DEBUG Search DNS server c1.example.com (['10.1.2.3', '10.1.2.3', '10.1.2.3']) for c.example.com
ipa : ERROR Could not resolve hostname c.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
DIG works fine for resolution:
# dig +short c.example.com
10.1.2.2
So I am baffled. Is there something in DNS settings of IPA that would
cause a server to forward to another server? (forwarding is disabled)
-K
6 years, 2 months
Fixing limit on DNS searches
by Bret Wortman
I've run up against a limit I can't seem to adjust.
When listing a particular DNS zone which has well over 5000 hosts in it,
we keep getting "Search result has been truncated: Configured
administrative server limit exceeded."
I've tried fixing this in a number of ways. We've shut down the
services, edited dse.ldif to raise nsslapd-searchlimit to 99999 and
restarted, but:
# ldapsearch -D 'cn=directory manager' -W -b cn=config cn=config | grep nsslapd-sizelimit
snsslapd-sizelimit: 2000
What do I need to do to be able to list all my DNS entries for this
zone? This 5000 limit is enforced through the CLI as well, as "ipa
dnsrecord-find damascusgrp.com --sizelimit=99999" will only return 5000
entries. I know it's taxing and intensive, but I need to be able to
query the WHOLE set of records we have without this restriction.
How can I get around this?
--
*Bret Wortman*
President, Damascus Products LLC
855-644-2783 <tel:855-644-2783> | 303-523-8037 <tel:303-523-8037> |
bret(a)damascusproducts.com <mailto:bret@damascusproducts.com> |
http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030
6 years, 2 months
mkhomedir option doesn't work
by Felipe_G0NZÁLEZ_SANTIAG0
I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I installed freeipa-client, and run
# ipa-client-install --mkhomedir
However, when I try to log in on the FreeIPA client machine it fails.
I supposed it was because the home directories have not been created.
So, I configured PAM modules manually by editing /etc/pam.d/common-session and adding this line:
session required pam_mkhomedir.so
and then the login process works perfectly!
Any idea why the --mkhomedir option is not working properly here?
Thanks in advance!
The @universidad_uci is Fidel: 15 years connected to the future... connected to the Revolution
2002-2017
6 years, 2 months
restrict pubkeys to specific destination hosts?
by Rob Brown
Hi,
We recently moved from an "old school" setup where we would push different
pubkeys for the same user out to specific hosts in different environments
using configuration management. Likewise, the matching private keys would
only exist in their requisite environment.
This presents a new problem with FreeIPA (which serves both environments),
in that pubkeys are now attached to the user, and if we put both the "prod"
and "preprod" pubkeys in the user object, either key will work for that
user on any server.
I know the "right answer" probably lies in HBAC rules, but trying to look
for a simple solution that would restrict which key can be used on which
server. I read about the "fromhost" option, but that is the opposite of
what I am looking for. I would like to be able to say "this key can only be
used to authenticate user foo to xyz host".
Can someone help steer me in the right direction? I'm not seeing it.
6 years, 2 months
dns migration
by Andrew Meyer
While getting my company set up to use FreeIPA and migrate from the old BIND DNS, I have set up a forward zone on our nameservers to point example.net to my FreeIPA servers.
When I try to do a query from the main DNS resolvers I get the following:
client 10.1.0.66#61548: view internal: query: infra-test-ipa.example.net IN A +E (10.1.6.8)
validating @0x7f686c62c150: infra-test-ipa.example.net A: no valid signature found
validating @0x7f68640de9a0: example.net SOA: no valid signature found
validating @0x7f68640dd990: infra-test-ipa.example.net NSEC: no valid signature found
error (no valid RRSIG) resolving 'infra-test-ipa.example.net/DS/IN': 10.1.6.141#53
validating @0x7f686c69c920: example.net SOA: no valid signature found
validating @0x7f686c69a280: infra-test-ipa.example.net NSEC: no valid signature found
error (no valid RRSIG) resolving 'infra-test-ipa.example.net/DS/IN': 10.1.6.140#53
error (no valid DS) resolving 'infra-test-ipa.example.net/A/IN': 10.1.6.141#53
validating @0x7f68640c7630: infra-test-ipa.example.net A: no valid signature found
validating @0x7f68640c7630: infra-test-ipa.example.net A: bad cache hit (infra-test-ipa.example.net/DS)
I looked up the error and saw that DNSSEC might be the culprit. However I checked the resolvers and they say that DNSSEC is not turned on at all:
//dnssec-enable no;
//dnssec-validation no;
//dnssec-lookaside auto;
So just for s&g I installed the DNSSEC portion on my FreeIPA master.
Still getting the same results when doing a dig.
Is there something else I should be doing or should have done? Can I uninstall the DNSSEC from FreeIPA?
Cheers,
Andrew
6 years, 2 months
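An added example, not part of the post above, for checking what a BIND resolver's named.conf actually sets. BIND treats `//`, `#` and `/* ... */` as comments, so a line such as `//dnssec-validation no;` is not a setting at all and the server's built-in default stays in force, which is consistent with the `validating @0x...` lines in the quoted resolver log. The helper strips comments and prints the effective value of a named option, or `unset` when no live statement exists. The options fragment below is constructed; the three commented lines mirror the post.

```shell
#!/bin/sh
# Added example (not from the post): report which named.conf options are in
# effect. "//", "#" and "/* */" are all comment syntax in named.conf, so a
# commented-out "dnssec-validation no;" leaves the compiled-in default active.

# Constructed "options" fragment: the post's three commented lines plus one
# live statement, to show the difference.
SAMPLE_CONF='options {
    directory "/var/named";
    //dnssec-enable no;
    //dnssec-validation no;
    //dnssec-lookaside auto;
    # recursion yes;
    /* dnssec-validation auto; */
    dnssec-validation auto;
};'

# Remove /* */ blocks that fit on one line, then // and # line comments.
# Multi-line /* */ blocks are not handled by this simple version.
strip_named_comments() {
    sed -e 's#/\*.*\*/##g' -e 's#//.*$##' -e 's/#.*$//'
}

# Print the effective value of option $1 from named.conf text on stdin,
# or "unset" if no active statement names it (built-in default applies).
effective_option() {
    opt="$1"
    strip_named_comments | awk -v o="$opt" '
        $1 == o { v = $2; sub(/;.*$/, "", v) }
        END { print (v == "" ? "unset" : v) }
    '
}

# Stand-alone demo on the constructed fragment: prints "auto", then "unset".
printf '%s\n' "$SAMPLE_CONF" | effective_option dnssec-validation
printf '%s\n' "$SAMPLE_CONF" | effective_option dnssec-enable
```

Run it against the resolver's real file with `effective_option dnssec-validation < /etc/named.conf`; if the configuration is split across `include` files, feed each one, since the helper only reads what it is given. An `unset` result means the answer depends on the BIND version's default, not on the three commented lines.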