FreeIPA UI not working - Only shows certificate management
by tezarin@yahoo.com
Hi all,
I have installed FreeIPA server on CentOS 6.9 but the GUI is not coming up completely. It only shows the following Certificate System messages. Not sure why; here are the files in /etc/httpd/alias:
lrwxrwxrwx 1 root root 24 Jan 30 14:19 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r----- 1 root apache 16384 Jan 30 14:19 secmod.db.orig
-rw-r----- 1 root apache 24576 Jan 30 14:19 key3.db.orig
-rw-r----- 1 root apache 65536 Jan 30 14:19 cert8.db.orig
-rw------- 1 root root 5274 Jan 30 14:19 install.log
-rw------- 1 root root 32 Feb 1 19:32 ipasession.key
-rw------- 1 root apache 41 Feb 7 16:47 pwdfile.txt.ipasave
-rw-r----- 1 root apache 16384 Feb 7 16:47 secmod.db.ipasave
-rw-r----- 1 root apache 16384 Feb 7 17:09 key3.db.ipasave
-rw-r----- 1 root apache 65536 Feb 7 17:09 cert8.db.ipasave
-rw------- 1 root apache 41 Feb 7 17:49 pwdfile.txt
-rw-r----- 1 root apache 16384 Feb 7 17:49 secmod.db
-rw-r----- 1 root apache 16384 Feb 8 12:00 key3.db
-rw-r----- 1 root apache 65536 Feb 8 12:00 cert8.db
And here are the certs in my /root directory:
-rw-------. 1 root root 1006 Nov 16 2015 anaconda-ks.cfg
-rw-r--r-- 1 pkiuser pkiuser 10328 Feb 7 17:48 cacert.p12
-rw------- 1 root root 2604 Feb 7 17:48 ca-agent.p12
And here is what the GUI shows:
Certificate System
Certificate System
-
The Certificate System is an enterprise-class open source Certificate Authority (CA). It is a full-featured system, and has been hardened by real-world deployments. It supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.
Enter
Any info would be much appreciated.
Thank you
6 years, 2 months
timed out waiting on keys?
by Kat
This is a new one I have not seen before.
Have 4 servers, trying to add a 5th.
Master A and B (in one location) can talk to C and D (in another location)
Trying to add E, which is a new location, with the master to replicate from being D.
When I run client install, no issues at all. Then I try to install E as
a replica with DNS and CA setup and it gets almost all the way and ends
up failing with (from the logs):
2018-02-04T20:00:56Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Timed out trying to obtain keys.
2018-02-04T20:00:56Z ERROR Timed out trying to obtain keys.
It actually dies at:
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
What is confusing is that the log also shows that it times out waiting for keys
to appear on "A", which it cannot get to because of location/firewall
settings. What I don't understand is: since I am building the replica off
"D", why is it trying to communicate with A?
Any ideas on how to resolve this?
-K
6 years, 2 months
Confused by the default group permissions
by Oliver Northam
Hello!
I'd love to use FreeIPA for all of our auth needs (wifi, samba, backups
etc) but I'm a little lost on the configuration of the default groups.
I have my admin user in the 'admins' group and my test user in the
'ipausers' group, but I can't see any permissions or roles or policies that
define permissions in those groups. Logged in as the admin user, I can
change all settings but as my test user, I cannot change anything.
I also see 'editors' but can't see exactly what permissions this group has.
Am I missing something or somewhere where I can change these permissions?
Thanks,
Oli
6 years, 2 months
Spotfire and FreeIPA
by Kat
Hi
Wondering if anyone has tried to integrate Spotfire server using FreeIPA
and Kerberos.
Thanks
K
6 years, 2 months
2FA and kinit
by John Ratliff
I'm having problems with kinit and a 2FA enabled account.
When I run kinit by itself, it says 'kinit: Generic preauthentication
failure while getting initial credentials'.
I saw on the wiki where that problem is solved by doing one of two
things. You can login with the admin account (or some other non-2FA
account). When I do that, it asks for the OTP, but then I get a similar
error message:
$ klist
Ticket cache: FILE:/tmp/krb5cc_760400007
Default principal: admin(a)IDM.XXX.NET
Valid starting Expires Service principal
02/06/2018 15:58:04 02/07/2018 15:57:52 krbtgt/IDM.XXX.NET(a)IDM.XXX.NET
$ kinit -T FILE:/tmp/krb5cc_760400007 jratliff
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
The same thing happens when I try to do the anonymous authentication.
I put the output of KRB5_TRACE here https://pastebin.com/jpPDVUXi
This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a Debian
9 IdM client machine.
Thanks for any assistance.
6 years, 2 months
FreeIPA replica in AWS
by Andrew Meyer
I just got FreeIPA added as a client and then I tried to promote it as a replica. I got the following error:
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_REJECTED)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[ec2-user@freeipa-replica-aws ~]$
6 years, 2 months
Some confusion reading this doc about RADIUS
by barrykfl@gmail.com
Hi all,
I'm reading this:
http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_t...
It needs to create a service account under
radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au
But which LDIF file should I point to? Or just ignore it and use another
parameter:
ldapmodify -f <path/to/ldif> or ldapmodify -x -D ...??
Thanks
dn: krbprincipalname=radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: <The service account password>

ldapmodify -f <path/to/ldif> -D 'cn=Directory Manager' -W -H ldap://host.ipa.example.net.au -Z

ldapwhoami -Z -D 'krbprincipalname=radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU,cn=services,cn=accounts,dc=ipa,dc=example,dc=net,dc=au' -W
6 years, 2 months
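As an added example (not part of this thread, the linked blog post, or FreeIPA itself), the Python below writes the quoted modification out as the file that ldapmodify -f expects, applying the LDIF line-folding and base64 rules from RFC 2849 so that a DN longer than 76 characters or a password with a leading space or non-ASCII characters survives intact, and then parses the file back as a check before it is applied. The principal, base DN and password are constructed sample values; the blog's e-mail-wrapped DN used a backslash, which is not LDIF continuation syntax.

```python
# Added example: build, fold and re-parse the service-account LDIF from the
# thread (sample values are constructed; nothing here is FreeIPA project code).
import base64
import os
import tempfile

LDIF_WIDTH = 76  # RFC 2849 recommends wrapping physical lines at 76 characters


def _needs_base64(value: str) -> bool:
    """A value must be written base64 (attr:: ...) when it is not a SAFE-STRING:
    leading space, ':' or '<', trailing space, any non-ASCII char, or CR/LF/NUL."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\r\n\0" for ch in value)


def _attr_line(attr: str, value: str) -> str:
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def _fold(line: str, width: int = LDIF_WIDTH) -> list:
    """Split one logical line into physical lines. Each continuation line starts
    with exactly one space; a backslash (as in the wrapped e-mail) would simply
    become part of the DN and the modify would target a non-existent entry."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out


def build_service_account_ldif(principal: str, base_dn: str, password: str) -> str:
    """LDIF that adds simpleSecurityObject and userPassword to an existing IPA
    service entry so a RADIUS server can simple-bind as it (the thread's change)."""
    dn = f"krbprincipalname={principal},cn=services,cn=accounts,{base_dn}"
    logical = [
        _attr_line("dn", dn),
        "changetype: modify",
        "add: objectClass",
        "objectClass: simpleSecurityObject",
        "-",
        "add: userPassword",
        _attr_line("userPassword", password),
    ]
    physical = []
    for entry in logical:
        physical.extend(_fold(entry))
    return "\n".join(physical) + "\n"


def parse_ldif(text: str) -> list:
    """Unfold continuation lines, decode '::' base64 values and return the
    (attribute, value) pairs of a single record in order; the bare '-'
    separator between changes is kept as ('-', '')."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation: drop exactly one leading space
        elif raw:
            logical.append(raw)
    pairs = []
    for line in logical:
        if line == "-":
            pairs.append(("-", ""))
            continue
        idx = line.find(":")
        if idx < 0:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr = line[:idx]
        if line[idx + 1: idx + 2] == ":":
            value = base64.b64decode(line[idx + 2:].strip()).decode("utf-8")
        else:
            value = line[idx + 1:].strip()
        pairs.append((attr, value))
    return pairs


def write_ldif(text: str, path: str) -> str:
    """Write the LDIF to disk; this path is what ldapmodify -f takes."""
    with open(path, "w", encoding="ascii") as fh:  # base64 keeps the file ASCII
        fh.write(text)
    return path


if __name__ == "__main__":
    ldif = build_service_account_ldif(
        "radius/host.ipa.example.net.au@IPA.EXAMPLE.NET.AU",  # constructed
        "dc=ipa,dc=example,dc=net,dc=au",                      # constructed
        " made-up password with a leading space",               # constructed
    )
    print(ldif)
    path = write_ldif(ldif, os.path.join(tempfile.gettempdir(), "radius-service.ldif"))
    print("ldapmodify -f", path, "-D 'cn=Directory Manager' -W -H ldap://host.ipa.example.net.au -Z")
```

Run it once to see the folded DN and the generated ldapmodify line; the re-parse is the check that the entry being modified is really the radius principal under cn=services and not a DN with stray backslashes or line breaks in it.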
pkinit
by Sergei Gerasenko
Hello,
I recently upgraded to version 4.5 of FreeIPA. I only upgraded the server, not the clients. Do my clients now have to use pkinit? Or is it optional? How can I check what is being used? I’m concerned that if the environment now is so certificate centric, I will someday be locked out because some certificate has expired.
Thanks,
Sergei
6 years, 2 months
freeipa and saml
by Николай Савельев
Hi.
I have FreeIPA with an AD trust.
I want to set up Nextcloud with IPA and AD users.
LDAP in cn=compat,dc=dom,dc=lan doesn't have the memberOf attribute.
I set up ipsilon (https://ipsilon-project.org/) for SSO and SAML authentication.
Authentication with login and password works.
But I have a local domain for ipsilon, nextcloud and Kerberos (DOM.LAN) and an internet domain (domain.ru).
So, when I go to nextcloud with my Kerberos ticket, I get a 500 internal error.
Maybe somebody knows how to correct this mistake?
--
Best regards, Nikolay.
6 years, 2 months