Re: certmonger upgrade failure
by Rob Crittenden
Harald Dunkel wrote:
> Hi Robert,
>
> On 6/26/18 4:45 PM, Rob Crittenden via FreeIPA-users wrote:
>> Harald Dunkel wrote:
>>>
>>> I see several files with a key_pin or Key_pin_file inside. I would prefer
>>> to send you these files in an encrypted EMail. What would you suggest? Do
>>> you have PGP?
>>
>> Except for the pin the rest of the content is generally safe. My key is
>> available in the MIT keyserver if you want to send it out of band.
>>
I don't see anything obviously wrong. I'd try launching certmonger from
a shell to see what you get:
# certmonger -d 9
rob
5 years, 8 months
SSH Unspecified GSS failure, No key table entry found matching host
by Kees Bakker
Hey,
After installing a PC with Ubuntu 18.04 I'm seeing this problem with
SSH logins. The gssapi-with-mic authentication method does not
work anymore. Strangely enough a system that I upgraded (16.04->18.04)
was working fine.
The debug of sshd shows (fivel being the unqualified hostname):
debug1: Unspecified GSS failure. Minor code may provide more information
No key table entry found matching host/fivel@
After debugging and looking at differences between the installed and upgraded system
I found that the new Ubuntu 18.04 installation has a slightly different krb5 configuration.
These are:
---------8X---------8X---------8X---------8X---------
[libdefaults]
...
dns_canonicalize_hostname = false
...
[domain_realm]
...
fqdn = <kerberos realm>
---------8X---------8X---------8X---------8X---------
Now the workaround for the login problem is to comment out dns_canonicalize_hostname.
Can anyone comment on this? Why was this changed? Why doesn't it work out of the box?
--
Kees
5 years, 9 months
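A simplified model of the failure described above, added here as an illustration and not taken from the post: it shows how the acceptor name sshd hands to GSSAPI is derived with and without hostname canonicalization and why an unqualified name with an empty realm finds no keytab entry. The DNS mapping, realm and keytab contents are constructed.

```python
# Added example (not from the mailing-list post): a simplified model of how an
# SSH server's GSSAPI acceptor name is derived and matched against the keytab,
# reproducing the "No key table entry found matching host/fivel@" symptom.
# Host names, realm and keytab contents below are constructed for illustration.

# Constructed "DNS": short name -> fully qualified name (what canonicalization does).
DNS = {"fivel": "fivel.example.com"}

# Constructed keytab: the principals sshd actually holds a key for.
KEYTAB = ["host/fivel.example.com@EXAMPLE.COM"]


def acceptor_principal(hostname, dns_canonicalize_hostname, dns=DNS):
    """Build the acceptor name sshd asks the GSSAPI library to match.

    With dns_canonicalize_hostname = false (the Ubuntu 18.04 default in the
    post) a short hostname is used as-is; MIT krb5 documents that short names
    are then not canonicalized to fully qualified ones. The realm is left
    empty, which is why the log shows 'host/fivel@'.
    """
    if dns_canonicalize_hostname:
        hostname = dns.get(hostname, hostname)
    return "host/%s@" % hostname.lower()


def keytab_has(principal, keytab=KEYTAB):
    """Return True if some keytab entry matches; an empty realm matches any realm."""
    name, _, realm = principal.partition("@")
    for entry in keytab:
        kt_name, _, kt_realm = entry.partition("@")
        if kt_name == name and (realm == "" or realm == kt_realm):
            return True
    return False


def gssapi_accept(hostname, dns_canonicalize_hostname):
    """Return (principal looked up, whether the keytab satisfied it)."""
    princ = acceptor_principal(hostname, dns_canonicalize_hostname)
    return princ, keytab_has(princ)


if __name__ == "__main__":
    # Canonicalization off and a short hostname: reproduces the post's error.
    print(gssapi_accept("fivel", False))
    # Workaround from the post (setting commented out, so canonicalization on).
    print(gssapi_accept("fivel", True))
    # A host that already reports its fully qualified name matches either way.
    print(gssapi_accept("fivel.example.com", False))
```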
certmonger in container
by Natxo Asenjo
hi,
at work we are deploying an elasticsearch cluster using docker swarm.
Joining the containers to the domain is no problem, but requesting host
certificates is proving more of a challenge.
The ipa-getcert request command executes successfully, but it takes a long
time (> 1 hour) to get the certificate.
ipa-getcert list shows that it's generating a key, after a while a csr, but
it does not retrieve the signed certificate from the caserver.
This is obviously not desirable for us.
One alternative we are considering is generating the certificates in the
docker host (already joined) as dns aliases and offering those certificate
pairs to the containers running inside it. That way we would not even have
to join the containers to the domain.
How are you solving this problem (if you have it, of course)?
Thanks in advance for your comments.
--
regards,
natxo
5 years, 9 months
Server install fails on Ubuntu due to missing crypto.fips_enabled
by Kees Bakker
Hey,
Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
It fails setting up the certificate server (pki-tomcatd).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The failing command is: sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.
BTW. I'm installing in a LXC container, the host is Ubuntu 16.04.
That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
have /proc/sys/crypto.
The problem seems to be in pki/server/deployment/pkihelper.py
When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto
it raises an exception.
Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be
used in pkihelper.py ?
--
Kees
5 years, 9 months
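Added example, not code from the post, from pki or from ipaplatform: the brittle pattern the post describes (shelling out to sysctl and aborting when the key does not exist) next to a check that reads the proc flag directly and treats a missing /proc/sys/crypto as "not in FIPS mode", which is what a kernel without that sysctl tree means. The `path` parameter exists only so the check can be exercised against a constructed file.

```python
# Added example (not from the post, pki or ipaplatform): two ways to answer
# "is the kernel in FIPS mode?" and why only the second survives a system
# without /proc/sys/crypto.
import subprocess

FIPS_ENABLED_PATH = "/proc/sys/crypto/fips_enabled"


def fips_enabled_via_sysctl():
    """Fragile: raises CalledProcessError when the sysctl key does not exist.

    The post reports 'sysctl crypto.fips_enabled -bn' exiting with status 255
    on a system without /proc/sys/crypto, which aborts pkispawn entirely.
    """
    out = subprocess.check_output(["sysctl", "crypto.fips_enabled", "-bn"])
    return out.strip() == b"1"


def fips_enabled_via_proc(path=FIPS_ENABLED_PATH):
    """Robust: read the flag from /proc; a missing file means FIPS is off.

    `path` is a parameter only so the function can be tested against a
    constructed file; real callers use the default.
    """
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except (IOError, OSError):
        # No /proc/sys/crypto (e.g. some containers, or a kernel built without
        # FIPS support): the kernel cannot be in FIPS mode, so report disabled
        # instead of raising and taking the whole installer down with us.
        return False


def fips_enabled(path=FIPS_ENABLED_PATH):
    """Preferred check: consult /proc directly, never shell out to sysctl."""
    return fips_enabled_via_proc(path)
```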
ipa user-mod --rename failed
by Harald Dunkel
Hi folks,
something got corrupted in my ldap database (again). After running
% ipa user-mod --rename=bobk bobs
I get
% getent passwd bobs
% getent passwd bobk
%
The UID became unusable. (Highly painful, because this user is cut off
from EMails.) This is what I see:
% ipa user-find bobs
--------------
1 user matched
--------------
User login: bobk
First name: Bob
Last name: S
Home directory: /home/bobs
Login shell: /bin/bash
Principal alias: bobk(a)EXAMPLE.DE
Email address: bobs(a)example.de
UID: 1032
GID: 100
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
% ipa user-find bobk
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
% ipa user-find --login bobk
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
% ipa user-find --login bobs
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
Neither login name is found. Using ldap some data is still
available:
% ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=de '(uid=bobs)'
dn: uid=bobk,cn=users,cn=accounts,dc=example,dc=de
gecos: Bob S
displayName: Bob S
krbPrincipalName: bobk(a)EXAMPLE.DE
mepManagedEntry: cn=bobk,cn=groups,cn=accounts,dc=example,dc=de
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=de
memberOf: cn=projects,cn=groups,cn=accounts,dc=example,dc=de
memberOf: cn=develop,cn=groups,cn=accounts,dc=example,dc=de
uid: bobk
krbLastSuccessfulAuth: 20180607201703Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20180606135524Z
ipaUniqueID: 35292e46-ad70-11e5-8123-0016cc46e69a
givenName: Bob
mail: bobs(a)example.de
homeDirectory: /home/bobs
sn: S
gidNumber: 100
initials: JS
uidNumber: 1032
loginShell: /bin/bash
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: Bob S
krbLastPwdChange: 20160104091328Z
krbPasswordExpiration: 20400825091328Z
krbExtraData:: AAK4N4pWanNjaHVsdGVAQUlYSUdPLkRFAA==
krbLastAdminUnlock: 20160314150305Z
% ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=de '(uid=bobk)'
%
Using jxplorer I see the entry for "bobk" (on 2 replicas), but if I try to
look inside I get an error popup "unable to perform read operation". On the
other 4 replicas I see "bobs" (no problem here).
WTH? How can I clean up this mess?
Every helpful comment is highly appreciated
Harri
5 years, 9 months
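Added example, not from the post: parse the LDIF that ldapsearch -LLL returns and flag any entry that does not actually satisfy the equality filter it was returned for. In the post, '(uid=bobs)' returns the entry whose uid is 'bobk' while '(uid=bobk)' returns nothing, a pattern that suggests the server's uid index and the entry disagree rather than that the entry itself is broken. The sample LDIF is a constructed, abbreviated version of the post's output.

```python
# Added example (not from the post): detect entries returned for an equality
# filter that do not contain the filtered value, i.e. index/entry disagreement.
import base64


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry.

    Handles what ldapsearch -LLL emits: folded continuation lines (leading
    space), 'attr:: base64' values and blank-line entry separators."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    return entries


def filter_mismatches(entries, attr, value):
    """DNs of entries returned for (attr=value) whose attr values lack `value`.

    Any hit means the index claimed a match the entry itself does not make."""
    bad = []
    for e in entries:
        vals = [v.lower() for v in e.get(attr, [])]
        if value.lower() not in vals:
            bad.append(e.get("dn", ["<no dn>"])[0])
    return bad


# Constructed, abbreviated '(uid=bobs)' result modelled on the post.
SAMPLE = """dn: uid=bobk,cn=users,cn=accounts,dc=example,dc=de
uid: bobk
krbPrincipalName: bobk@EXAMPLE.DE
mail: bobs@example.de
"""

if __name__ == "__main__":
    print(filter_mismatches(parse_ldif(SAMPLE), "uid", "bobs"))
```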
Promoting CA replica to master
by Carlos Fernández Manteiga
Hi,
We've created a new replica from our FreeIPA infrastructure, with CA
capabilities. Now we want it to be the CA renewal master, as it's written
here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking
us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W -b
'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int'
'(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Neither of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" in
/etc/pki/pki-tomcat/ca/CS.cfg
Is there any more updated doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you
5 years, 9 months
freeIPA backup
by Alfredo De Luca
Hi all.
What's the best procedure/practice to periodically perform a backup on a
single freeipa server with CA?
Cheers
--
*Alfredo*
5 years, 9 months
Backup DNS Zones
by John Petrini
Hi List,
I'm looking for a recommendation on how to backup a DNS zone prior to
making changes. I'm already backing up the IPA master nightly, but I'd like
to be able to restore a single zone in the event someone accidentally
deletes something, so we could quickly restore the zone without having to
restore the entire server.
Thanks!
5 years, 9 months