pki-tomcatd and ipa-otpd Service stopping!!
by Günther J. Niederwimmer
Hello,
can anyone help me to find out the correct way to renew the certificates?
After a problem I found out my certificates are not renewed on my two ipa
servers.
My ipa server version is 4.5.0-22-22
CentOS 7.4
All I found on the list or goo.... is not working for me :-(.
Does anyone have a link to the correct way to renew the certificates?
Thanks for an answer,
--
with kind regards / best regards,
Günther J. Niederwimmer
6 years
Re: FreeIPA and Automount
by Rob Crittenden
Randy Morgan wrote:
>
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
>
> On 03/29/2018 08:34, Rob Crittenden wrote:
>> Randy Morgan wrote:
>>> Randy Morgan
>>> CSR
>>> Department of Chemistry and Biochemistry
>>> Brigham Young University
>>> 801-422-4100
>>>
>>> On 03/28/2018 13:19, Rob Crittenden wrote:
>>>> Randy Morgan via FreeIPA-users wrote:
>>>>> We have been working to get automounting working on RHEL 7.4
>>>>> without any
>>>>> success. I am including how the server has been built, ipa-client
>>>>> installed and configured, etc. I will also include the relevant parts
>>>>> of the logs.
>>>>>
>>>>> 1. Install RHEL 7.4 or other required version
>>>>> 2. subscription-manager register
>>>>> 3. Type username and password
>>>>> 4. subscription-manager repos --enable=rhel-7-server-rpms
>>>>> 5. subscription-manager repos --enable=rhel-7-server-extras-rpms
>>>>> 6. subscription-manager repos --enable=rhel-7-server-optional-rpms
>>>>> 7. yum install -y
>>>>> http://dl.fedoraproject.org/pub/epel/x86_64/Packages/e/epel-release-7-11....
>>>>> (or whatever the latest is)
>>>>> 8. yum update && yum install -y samba samba-client samba-common cifs-utils
>>>>> 9. yum install -y ipa-client
>>>>> 10. yum update -y
>>>>> 11. install ipa-client: ipa-client-install --enable-dns-updates
>>>>> --force-join --ssh-trust-dns --hostname <host>.chem.byu.edu --mkhomedir
>>>>> 12. ipa-client-automount --location=default
>>>>> 13. authconfig --enablemkhomedir --updateall
>>>>> 14. ipa-getkeytab -s ipa1.chem.byu.edu -p nfs/<host>.chem.byu.edu -k /etc/krb5.keytab
>>>>> 15. ipa-getkeytab -s ipa1.chem.byu.edu -p cifs/<host>.chem.byu.edu -k /etc/krb5.keytab
>>>>>
>>>>> After getting everything setup, when logging in with an IPA user
>>>>> account
>>>>> it acts like it is logging in but then immediately returns to the
>>>>> login
>>>>> page. Looking in the logs shows the following:
>>>>>
>>>>> Mar 27 12:33:41 jdmlab1 journal: g_task_return_error: assertion 'error
>>>>> != NULL' failed
>>>>> Mar 27 12:33:41 jdmlab1 journal: failed to set screen _ICC_PROFILE:
>>>>> Failed to open file
>>>>> '/var/lib/gdm/.local/share/icc/edid-dcf60fecec69cef7bcda72bf1bbc37f5.icc':
>>>>> Permission denied
>>>>> Mar 27 12:33:41 jdmlab1 journal: failed to set screen _ICC_PROFILE:
>>>>> Failed to open file
>>>>> '/var/lib/gdm/.local/share/icc/edid-dcf60fecec69cef7bcda72bf1bbc37f5.icc':
>>>>> Permission denied
>>>>> Mar 27 12:34:00 jdmlab1 systemd-logind: New session 3 of user randym.
>>>>> Mar 27 12:34:00 jdmlab1 systemd: Started Session 3 of user randym.
>>>>> Mar 27 12:34:00 jdmlab1 systemd: Starting Session 3 of user randym.
>>>>> Mar 27 12:34:00 jdmlab1 oddjob-mkhomedir[4291]: error creating
>>>>> /home/csr/randym: No such file or directory
>>>>> Mar 27 12:34:04 jdmlab1 gnome-session: gnome-session-binary[4053]:
>>>>> WARNING: Lost name on bus: org.gnome.SessionManager
>>>>> Mar 27 12:34:04 jdmlab1 gnome-session-binary[4053]: WARNING: Lost name
>>>>> on bus: org.gnome.SessionManager
>>>>> Mar 27 12:34:04 jdmlab1 journal: Error releasing name
>>>>> org.gnome.SettingsDaemon: The connection is closed
>>>>> Mar 27 12:34:04 jdmlab1 journal: Invalid id 5 passed to
>>>>> g_bus_unown_name()
>>>>> Mar 27 12:34:04 jdmlab1 journal: failed to connect to device: Failed to
>>>>> connect to missing device
>>>>> /org/freedesktop/ColorManager/devices/xrandr_Dell_Inc__DELL_1800FP_7R47737N01PX_gdm_42
>>>>> Mar 27 12:34:05 jdmlab1 gnome-session: gnome-session-binary[4338]:
>>>>> WARNING: IceLockAuthFile failed: No such file or directory
>>>>> Mar 27 12:34:05 jdmlab1 gnome-session-binary[4338]: WARNING:
>>>>> IceLockAuthFile failed: No such file or directory
>>>>>
>>>>> The home directories are found on the fileserver, and are both NFS and
>>>>> SMB mountable. We have successfully gotten this to work on RHEL 6.9,
>>>>> and I believe on RHEL 7.2, but not on RHEL 7.4. Searching through the
>>>>> relevant config files shows no differences in their configurations
>>>>> between any of the different versions including 7.4.
>>>> Does automount work for existing directories?
>>> Automount does not work for existing directories, if they are not
>>> local. It appears that it is trying to create a local directory in
>>> /home/csr, for my user, which is a mirror of what is on the fileserver.
>>> It doesn't actually copy the files, but makes the base directory. As we
>>> have been digging into this we have discovered that this appears to be a
>>> permissions issue. This is shown in the logs:
>> You passed the --mkhomedir option to ipa-client-install which explains
>> why it is trying to create directories (and that uses oddjob to do it).
>>
>> I'd suggest trying to simplify the problem and test the mounts directly
>> as another user (say root), like cd /home/csr/randym). That should force
>> automount to mount the dir.
>>
>> rob
> We did pass the --mkhomedir because we want the users to have access to
> their homedir when they login. Mounting the homedir requires the
> creation of a local folder, just like any other nfs mount. I tried just
> cd /home/csr/randym and it does not mount the dir, it does not even see
> it, even if I do a kinit before hand. That is true of both root and
> randym. I was not aware of the change from pam_mkhomedir to the oddjobd
> until I started trying to figure out why this was not working.
So what you expect is that mkhomedir will create the mount point and
then NFS will mount the home directory on that? AFAIK this will not
work. You need to have the structure in place in advance (though I don't
believe the leaf directory in the case of users).
The same question came up last month,
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
rob
>>
>>> Mar 28 14:34:42 jdmlab1 journal: D-Bus service launched with name:
>>> net.reactivated.Fprint
>>> Mar 28 14:34:42 jdmlab1 journal: entering main loop
>>> Mar 28 14:34:42 jdmlab1 kernel: FS-Cache: Loaded
>>> Mar 28 14:34:42 jdmlab1 kernel: FS-Cache: Netfs 'nfs' registered for
>>> caching
>>> Mar 28 14:34:42 jdmlab1 kernel: Key type dns_resolver registered
>>> Mar 28 14:34:42 jdmlab1 kernel: NFS: Registering the id_resolver key
>>> type
>>> Mar 28 14:34:42 jdmlab1 kernel: Key type id_resolver registered
>>> Mar 28 14:34:42 jdmlab1 kernel: Key type id_legacy registered
>>> Mar 28 14:34:51 jdmlab1 dbus[2193]: [system] Activating service
>>> name='org.fedoraproject.Setroubleshootd' (using servicehelper)
>>> Mar 28 14:34:51 jdmlab1 systemd-logind: Failed to mount per-user tmpfs
>>> directory /run/user/8142: Permission denied
>>> Mar 28 14:34:51 jdmlab1 gnome-keyring-daemon[20103]: couldn't create
>>> socket directory: No such file or directory
>>> Mar 28 14:34:51 jdmlab1 gnome-keyring-daemon[20103]: couldn't bind to
>>> control socket: /home/csr/randym/.cache/keyring-6tuN4S/control: No such
>>> file or directory
>>> Mar 28 14:34:52 jdmlab1 colord: device removed: xrandr-Dell Inc.-DELL
>>> 1800FP-7R47737N01PX
>>> Mar 28 14:34:52 jdmlab1 colord: Profile removed:
>>> icc-523909406475d8b7f92f093531d0b19f
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession: mkdir: cannot create
>>> directory ‘/home/csr/randym’: Permission denied
>>> Mar 28 14:34:52 jdmlab1 dbus[2193]: [system] Successfully activated
>>> service 'org.fedoraproject.Setroubleshootd'
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession: touch: cannot touch
>>> ‘/home/csr/randym/.cache/imsettings/log’: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>> Mar 28 14:34:52 jdmlab1 /etc/gdm/Xsession:
>>> /usr/libexec/imsettings-functions: line 37:
>>> /home/csr/randym/.cache/imsettings/log: No such file or directory
>>>
>>> We have disabled selinux just to see if we can get around this issue and
>>> it has not worked, we have also disabled firewalld. Right now this is a
>>> test server so I am not concerned about these, but in a live environment
>>> I would prefer selinux to be running.
>>>
>>> Using the commands listed in the beginning of this post, this works on
>>> RHEL 6.9. The automount connects the home directory that is on the
>>> fileserver and creates it as if it were a local directory that has r/w
>>> permissions, but all data is actually stored on the fileserver, not the
>>> local machine. I have rebuilt my test server back to RHEL 7.0 and we
>>> are still encountering the same problem.
>>>> Are you saying that in RHEL 7.2 and 6.9 you use oddjobd to
>>>> automatically
>>>> create new user directories on NFS mounts?
>>> Not sure we are using oddjobd, not familiar with it.
>>>
>>> Randy
>>>> rob
>
6 years
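An added shell check, not from this thread or from FreeIPA, for the precondition Rob states above: the directory structure above the user's home has to exist before login, with autofs supplying only the leaf on demand. It parses an auto.master-style map to find the mount point covering a home path and verifies that this mount point exists on disk. SAMPLE_MASTER is a constructed map; the live helper diagnose_user assumes getent and /etc/auto.master are available on the client, and ROOT is only there so the check can be run against a scratch directory.

```shell
#!/bin/bash
# Added example, not from the thread: check that the path above a user's home
# is an autofs mount point that already exists, so only the leaf is missing.
# SAMPLE_MASTER is a constructed auto.master-style map (mount point, map name).
SAMPLE_MASTER='# mount-point   map
/home/csr       auto.home
/misc           auto.misc'

# Print the auto.master mount point that covers PATH (first match wins).
# Returns 1 and prints nothing when no indirect map covers the path.
master_mount_point_for() {
  local path="$1" master="$2" mp map
  while read -r mp map; do
    case "$mp" in ''|'#'*) continue ;; esac        # blank line or comment
    case "$path" in "$mp"/*) printf '%s\n' "$mp"; return 0 ;; esac
  done <<EOF
$master
EOF
  return 1
}

# Succeed when HOME sits directly under an autofs mount point that exists on
# disk under ROOT. ROOT is "" on a live system and a scratch dir in a test.
home_mountpoint_ready() {
  local root="$1" home="$2" master="$3" mp
  mp=$(master_mount_point_for "$home" "$master") || return 1
  [ -d "$root$mp" ]
}

# Live check for one user on an IPA client: the home directory comes from the
# passwd database (SSSD) and the map from /etc/auto.master (assumed paths).
# Usage: diagnose_user randym
diagnose_user() {
  local user="$1" home master
  home=$(getent passwd "$user" | cut -d: -f6)
  [ -n "$home" ] || { echo "no passwd entry for $user" >&2; return 1; }
  master=$(cat /etc/auto.master 2>/dev/null) || { echo "no /etc/auto.master" >&2; return 1; }
  if home_mountpoint_ready "" "$home" "$master"; then
    echo "$home: parent is an existing autofs mount point; only the leaf is missing"
  else
    echo "$home: no existing autofs mount point above it; create that structure first"
    return 1
  fi
}
```

If diagnose_user reports that no existing mount point sits above the home directory, oddjob-mkhomedir has nothing to create the leaf on, which matches the "No such file or directory" line from oddjob-mkhomedir in Randy's log.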
FreeIPA and Automount
by Randy Morgan
We have been working to get automounting working on RHEL 7.4 without any
success. I am including how the server has been built, ipa-client
installed and configured, etc. I will also include the relevant parts
of the logs.
1. Install RHEL 7.4 or other required version
2. subscription-manager register
3. Type username and password
4. subscription-manager repos --enable=rhel-7-server-rpms
5. subscription-manager repos --enable=rhel-7-server-extras-rpms
6. subscription-manager repos --enable=rhel-7-server-optional-rpms
7. yum install -y
http://dl.fedoraproject.org/pub/epel/x86_64/Packages/e/epel-release-7-11....
(or whatever the latest is)
8. yum update && yum install -y samba samba-client samba-common cifs-utils
9. yum install -y ipa-client
10. yum update -y
11. install ipa-client: ipa-client-install --enable-dns-updates
--force-join --ssh-trust-dns --hostname <host>.chem.byu.edu --mkhomedir
12. ipa-client-automount --location=default
13. authconfig --enablemkhomedir --updateall
14. ipa-getkeytab -s ipa1.chem.byu.edu -p nfs/<host>.chem.byu.edu -k /etc/krb5.keytab
15. ipa-getkeytab -s ipa1.chem.byu.edu -p cifs/<host>.chem.byu.edu -k /etc/krb5.keytab
After getting everything setup, when logging in with an IPA user account
it acts like it is logging in but then immediately returns to the login
page. Looking in the logs shows the following:
Mar 27 12:33:41 jdmlab1 journal: g_task_return_error: assertion 'error
!= NULL' failed
Mar 27 12:33:41 jdmlab1 journal: failed to set screen _ICC_PROFILE:
Failed to open file
'/var/lib/gdm/.local/share/icc/edid-dcf60fecec69cef7bcda72bf1bbc37f5.icc':
Permission denied
Mar 27 12:33:41 jdmlab1 journal: failed to set screen _ICC_PROFILE:
Failed to open file
'/var/lib/gdm/.local/share/icc/edid-dcf60fecec69cef7bcda72bf1bbc37f5.icc':
Permission denied
Mar 27 12:34:00 jdmlab1 systemd-logind: New session 3 of user randym.
Mar 27 12:34:00 jdmlab1 systemd: Started Session 3 of user randym.
Mar 27 12:34:00 jdmlab1 systemd: Starting Session 3 of user randym.
Mar 27 12:34:00 jdmlab1 oddjob-mkhomedir[4291]: error creating
/home/csr/randym: No such file or directory
Mar 27 12:34:04 jdmlab1 gnome-session: gnome-session-binary[4053]:
WARNING: Lost name on bus: org.gnome.SessionManager
Mar 27 12:34:04 jdmlab1 gnome-session-binary[4053]: WARNING: Lost name
on bus: org.gnome.SessionManager
Mar 27 12:34:04 jdmlab1 journal: Error releasing name
org.gnome.SettingsDaemon: The connection is closed
Mar 27 12:34:04 jdmlab1 journal: Invalid id 5 passed to g_bus_unown_name()
Mar 27 12:34:04 jdmlab1 journal: failed to connect to device: Failed to
connect to missing device
/org/freedesktop/ColorManager/devices/xrandr_Dell_Inc__DELL_1800FP_7R47737N01PX_gdm_42
Mar 27 12:34:05 jdmlab1 gnome-session: gnome-session-binary[4338]:
WARNING: IceLockAuthFile failed: No such file or directory
Mar 27 12:34:05 jdmlab1 gnome-session-binary[4338]: WARNING:
IceLockAuthFile failed: No such file or directory
The home directories are found on the fileserver, and are both NFS and
SMB mountable. We have successfully gotten this to work on RHEL 6.9,
and I believe on RHEL 7.2, but not on RHEL 7.4. Searching through the
relevant config files shows no differences in their configurations
between any of the different versions including 7.4.
Randy
--
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100
6 years
named-pkcs11.service disabled?
by Brian J. Murrell
I see on my EL7 machine with IDM (freeipa) installed that
named-pkcs11.service is actually set to disabled in systemd, but it is
started at some point, presumably, directly by the ipa.service unit's
/usr/sbin/ipactl.
This causes problems with other systemd unit dependencies, in
particular with nss-lookup.target.
Ultimately we don't want the nss-lookup.target being reached before
(all of) the lookup services have actually started including DNS which
is started with named-pkcs11.service.
However in order for that to happen named-pkcs11.service needs to be in
the same transaction as nss-lookup.target which it normally gets by
being wanted (Wants) by multi-user.target which usually happens as a
result of enabling a unit. When enabled (systemctl enable ...) a
symlink gets created from /usr/lib/systemd/system/named-pkcs11.service
to /etc/systemd/system/multi-user.target.wants/ providing that Wants
relationship that is needed and currently missing.
I have managed to work-around this by adding:
[Unit]
Wants=named-pkcs11.service
to /etc/systemd/system/nss-lookup.target.d/override.conf but according
to the systemd folks, this is not really the correct relationship
and the Wants really belongs to multi-user.target.
Ultimately, I wonder if it's really necessary to have
named-pkcs11.service disabled and started by ipactl rather than being a more
natural systemd unit, enabled in systemd, and started on boot by
systemd.
Surely the complex set of mechanisms that systemd provides to express
relationships and ordering is sufficient to have systemd start up
named-pkcs11.service itself, isn't it?
As an aside, I also have:
After=named-pkcs11.service
in the [Unit] section of my
/etc/systemd/system/nss-lookup.target.d/override.conf but I'm not positive that that is still
necessary as it was just put there on my debugging path to getting to
where I am now. I have yet to try removing it and seeing if I get the
same correct ordering of nss-lookup.target only starting after
named-pkcs11.service.
Cheers,
b.
6 years
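An added shell helper, not from this thread or from the FreeIPA project, that encodes the two ways Brian describes for the Wants relationship to exist: the symlink in <target>.wants/ that `systemctl enable` creates, or a Wants= line in a drop-in such as his override.conf. write_wants_dropin writes the drop-in he quotes, with both Wants= and After=, for whichever target you choose (nss-lookup.target for his workaround, multi-user.target per the systemd maintainers' advice he relays); unit_wanted_by checks either form. The ROOT parameter is an assumption so the functions can be exercised against a scratch directory; on the live host pass "" and run systemctl daemon-reload afterwards.

```shell
#!/bin/bash
# Added example, not from the thread: write and verify the Wants/After
# relationship for named-pkcs11.service. ROOT="" means the real filesystem.

# Write a drop-in that makes TARGET want UNIT and order after it. With
# TARGET=nss-lookup.target this is the workaround from the post; with
# TARGET=multi-user.target it is where the systemd folks say Wants belongs.
write_wants_dropin() {
  local root="$1" target="$2" unit="$3"
  local dir="$root/etc/systemd/system/$target.d"
  mkdir -p "$dir"
  printf '[Unit]\nWants=%s\nAfter=%s\n' "$unit" "$unit" > "$dir/override.conf"
}

# Succeed if UNIT is wanted by TARGET, either through the .wants/ symlink that
# `systemctl enable` creates or through a Wants= line in any drop-in.
unit_wanted_by() {
  local root="$1" target="$2" unit="$3" f key val w
  local link="$root/etc/systemd/system/$target.wants/$unit"
  if [ -L "$link" ] || [ -e "$link" ]; then
    return 0
  fi
  for f in "$root/etc/systemd/system/$target.d"/*.conf; do
    [ -f "$f" ] || continue                 # glob matched nothing
    while IFS='=' read -r key val; do
      [ "$key" = "Wants" ] || continue
      for w in $val; do                     # Wants= may list several units
        [ "$w" = "$unit" ] && return 0
      done
    done < "$f"
  done
  return 1
}

# Live view on the real host (assumes systemctl is present): enablement state
# of the unit and the Wants/After properties systemd actually resolved.
live_report() {
  systemctl is-enabled named-pkcs11.service || true
  systemctl show -p Wants,After nss-lookup.target
  systemctl show -p Wants multi-user.target
}
```

After writing the drop-in on the real host, `systemctl daemon-reload` followed by live_report shows whether named-pkcs11.service now appears in the target's resolved Wants= and After= lists, which is the relationship Brian says is missing when the unit is left disabled and started by ipactl.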
Add attributes
by Per Qvindesland
Hi List
We are currently busy implementing freeipa with a saml idP but we noticed that we are missing the following attributes: edupersontargetedid, edupersonaffiliation, displayname, and mail.
How can we add these attributes into the freeipa server?
Regards
Per
6 years
Best practices for autocreating user home directories when using automount
by Ronald Wimmer
I am using IPA and the automount feature for user home directories.
Where I did not find a suitable solution yet is what to do when a user
logs in for the first time. Due to the fact that /home gets mounted on
demand none of the pam modules (like pam_oddjob_mkhomedir) seem to work.
Is there a solution for this scenario?
Regards,
Ronald
6 years
remote update vectors
by Andrew Meyer
While doing some troubleshooting on replication I found that I have an old server in my replica list-ruvs. How would I go about removing that?
6 years
certmonger taking a long time to start up
by Brian J. Murrell
I've been experiencing certmonger taking (too) long to start up and
systemd ends up giving up on it:
Mar 25 08:47:41 server.interlinx.bc.ca systemd[1]: Starting Certificate monitoring and PKI enrollment...
Mar 25 08:49:24 server.interlinx.bc.ca systemd[1]: Unit certmonger.service entered failed state.
Mar 25 08:49:24 server.interlinx.bc.ca systemd[1]: certmonger.service failed.
The whole startup with debug logging can be seen at:
http://brian.interlinx.bc.ca/certmonger-start-failed
If anyone has any ideas why it's taking so long, I'd be much obliged.
Cheers,
b.
6 years
Deploying FreeIPA server on openSUSE ?
by claude vanderm
Hi,
I have seen that freeIPA is no longer available on openSUSE (since 2015).
The project I am working on has to be based on openSUSE distro and I wish I could use FreeIPA as Identity management.
Does anyone have feedback on freeIPA server deployment on openSUSE (from freeIPA sources for example)?
Would there be any known issues using openSUSE to run a freeIPA server?
Kind Regards,
Claude
6 years
FreeIPA Ansible scripts
by Lachlan Musicman
Has anyone on the list used the FreeIPA Ansible scripts?
https://github.com/freeipa/ansible-freeipa
It looks relatively up to date and functional.
Cheers
L.
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "
*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857
6 years