timed out waiting on keys?
by Kat
This is a new one I have not seen before.
Have 4 servers, trying to add a 5th.
Master A and B (in one location) can talk to C and D (in another location)
Trying to add E, which is a new location, with D as the master to replicate
from.
When I run client install, no issues at all. Then I try to install E as
a replica with DNS and CA setup and it gets almost all the way and ends
up failing with (from the logs):
2018-02-04T20:00:56Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Timed out trying to obtain keys.
2018-02-04T20:00:56Z ERROR Timed out trying to obtain keys.
It actually dies at:
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
What is confusing is that the log also shows it timing out waiting for keys
to appear on "A", which it cannot reach because of location/firewall
settings. What I don't understand is, since I am building the replica off
"D", why is it trying to communicate with A?
Any ideas on how to resolve this?
-K
4 years, 3 months
Confused by the default group permissions
by Oliver Northam
Hello!
I'd love to use FreeIPA for all of our auth needs (wifi, samba, backups
etc) but I'm a little lost on the configuration of the default groups.
I have my admin user in the 'admins' group and my test user in the
'ipausers' group, but I can't see any permissions or roles or policies that
define permissions in those groups. Logged in as the admin user, I can
change all settings but as my test user, I cannot change anything.
I also see 'editors' but can't see exactly what permissions this group has.
Am I missing something, or is there somewhere I can change these permissions?
Thanks,
Oli
4 years, 3 months
Spotfire and FreeIPA
by Kat
Hi
Wondering if anyone has tried to integrate Spotfire server using FreeIPA
and Kerberos.
Thanks
K
4 years, 3 months
2FA and kinit
by John Ratliff
I'm having problems with kinit and a 2FA enabled account.
When I run kinit by itself, it says 'kinit: Generic preauthentication
failure while getting initial credentials'.
I saw on the wiki where that problem is solved by doing one of two
things. You can login with the admin account (or some other non-2FA
account). When I do that, it asks for the OTP, but then I get a similar
error message:
$ klist
Ticket cache: FILE:/tmp/krb5cc_760400007
Default principal: admin@IDM.XXX.NET
Valid starting       Expires              Service principal
02/06/2018 15:58:04  02/07/2018 15:57:52  krbtgt/IDM.XXX.NET@IDM.XXX.NET
$ kinit -T FILE:/tmp/krb5cc_760400007 jratliff
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
The same thing happens when I try to do the anonymous authentication.
I put the output of KRB5_TRACE here https://pastebin.com/jpPDVUXi
This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a Debian
9 IdM client machine.
Thanks for any assistance.
4 years, 3 months
FreeIPA replica in AWS
by Andrew Meyer
I just got FreeIPA added as a client and then I tried to promote it as a replica. I got the following error:
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_REJECTED)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[ec2-user@freeipa-replica-aws ~]$
4 years, 3 months
some confusion reading this doc about radius
by barrykfl@gmail.com
Hi all,
I am reading this:
http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_t...
It needs a service account created under
radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au
But which LDIF file should I point to? Or just ignore that and use another
parameter:
ldapmodify -f <path/to/ldif> or ldapmodify -x -D ..??
Thanks
dn: krbprincipalname=radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: <The service account password>

ldapmodify -f <path/to/ldif> -D 'cn=Directory Manager' -W -H ldap://host.ipa.example.net.au -Z

ldapwhoami -Z -D 'krbprincipalname=radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au' -W
4 years, 3 months
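One way to generate and check that LDIF programmatically, added here as an example and not taken from the post or the linked blog: it folds the long dn the way RFC 2849 requires (a newline plus one leading space, not a backslash) and base64-encodes a password that LDIF cannot carry as plain text. The principal, base DN and passwords used are constructed placeholders.

```python
# Added example (not from the post or the linked blog): build and check the
# modify-LDIF for a FreeIPA service account. Names used are constructed.
import base64

SAFE_CHAR = set(range(0x01, 0x80)) - {0x0A, 0x0D}   # RFC 2849 SAFE-CHAR: no NUL/LF/CR/8-bit
SAFE_INIT = SAFE_CHAR - {0x20, 0x3A, 0x3C}          # SAFE-INIT-CHAR: no leading SPACE ':' '<'

def ldif_value(attr, value):
    """Plain 'attr: v' when v is a SAFE-STRING, else base64 after '::'."""
    raw = value.encode("utf-8")
    if raw and raw[0] in SAFE_INIT and all(b in SAFE_CHAR for b in raw) and not raw.endswith(b" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"

def fold(line, width=76):
    # LDIF continues a long line on the next line with one leading SPACE (not '\')
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def build_ldif(principal, base_dn, password):
    dn = f"krbprincipalname={principal},cn=services,cn=accounts,{base_dn}"
    recs = [ldif_value("dn", dn), "changetype: modify",
            "add: objectClass", "objectClass: simpleSecurityObject", "-",
            "add: userPassword", ldif_value("userPassword", password), "-"]
    return "\n".join(f for r in recs for f in fold(r)) + "\n"

def parse_attr(line):
    attr, _, val = line.partition(":")
    if val.startswith(":"):                          # '::' marks a base64 value
        return attr, base64.b64decode(val[1:].strip()).decode("utf-8")
    return attr, val.strip()

def parse_modify_ldif(text):
    """Unfold, then return (dn, [(op, attribute, values), ...]) for one modify record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                     # continuation line: drop the SPACE
        elif raw:
            lines.append(raw)
    dn = parse_attr(lines[0])[1]
    mods, current = [], None
    for line in lines[1:] + ["-"]:                   # sentinel closes the last mod
        attr, val = parse_attr(line)
        if line == "-" or attr in ("add", "delete", "replace"):
            if current:
                mods.append(current)
            current = None if line == "-" else (attr, val, [])
        elif current is not None:
            current[2].append(val)
    return dn, mods
```

Write build_ldif's output to a file and pass it to ldapmodify -f as in the post; the ldapwhoami bind afterwards confirms the password was stored.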
pkinit
by Sergei Gerasenko
Hello,
I recently upgraded to version 4.5 of FreeIPA. I only upgraded the server, not the clients. Do my clients now have to use pkinit? Or is it optional? How can I check what is being used? I’m concerned that if the environment now is so certificate centric, I will someday be locked out because some certificate has expired.
Thanks,
Sergei
4 years, 3 months
freeipa and saml
by Николай Савельев
Hi.
I have freeipa with AD trust.
I want to setup Nextcloud with ipa and ad users.
LDAP in cn=compat,dc=dom,dc=lan doesn't have a memberOf attribute.
I set up ipsilon (https://ipsilon-project.org/) for SSO and SAML authentication.
Authentication with login and password works.
But I have a local domain for ipsilon and nextcloud and kerberos DOM.LAN, and an internet domain domain.ru.
So, when I go to nextcloud with my kerberos ticket, I get a 500 internal error.
Maybe anybody knows how to correct this mistake?
--
Best regards, Nikolai.
4 years, 3 months
ipa-server-install --dirsrv-config-file example
by Matveev Alexey
Hi list!
I'm sorry for a dumb question, but I can't find documentation on the LDIF file syntax that can be used for unattended installation like ipa-server-install --dirsrv-config-file params.ldif. Can someone point me to this doc or share an example of this file?
Thanks,
Alex M.
4 years, 3 months