SSH Unspecified GSS failure, No key table entry found matching host
by Kees Bakker
Hey,
After installing a PC with Ubuntu 18.04 I'm seeing this problem with
SSH logins. The gssapi-with-mic authentication method does not
work anymore. Strangely enough a system that I upgraded (16.04->18.04)
was working fine.
The debug of sshd shows (fivel being the unqualified hostname):
debug1: Unspecified GSS failure. Minor code may provide more information
No key table entry found matching host/fivel@
After debugging and looking at differences between the installed and upgraded system
I found that the new Ubuntu 18.04 installation has a slightly different krb5 configuration.
These are:
---------8X---------8X---------8X---------8X---------
[libdefaults]
...
dns_canonicalize_hostname = false
...
[domain_realm]
...
fqdn = <kerberos realm>
---------8X---------8X---------8X---------8X---------
Now the workaround for the login problem is to comment out dns_canonicalize_hostname.
Can anyone comment on this? Why was this changed? Why doesn't it work out of the box?
--
Kees
2 years, 9 months
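The failure above comes down to which principal name sshd ends up looking for in its keytab. The small model below is an added example, not code from the post, from Ubuntu or from MIT Kerberos: it parses the two krb5.conf variants (the fresh-install one with `dns_canonicalize_hostname = false`, and the workaround with that line commented out), derives the acceptor principal `host/<name>@` sshd would import for the unqualified host name, and checks it against a constructed keytab that holds only the FQDN principal. The hostnames, realm, keytab contents and the fake DNS resolver are all constructed; the `[domain_realm]` change from the post is not modelled, only the canonicalization switch.

```python
"""How dns_canonicalize_hostname changes the principal sshd looks for.

Added example; not code from the post or from MIT Kerberos. The krb5.conf
fragments, hostnames, realm, keytab contents and the fake DNS resolver are
constructed so the model runs offline.
"""
import re

# Constructed: what `klist -k /etc/krb5.keytab` lists on the host "fivel".
KEYTAB_PRINCIPALS = {"host/fivel.example.com@EXAMPLE.COM"}

# Constructed stand-in for forward DNS resolution (short name -> FQDN).
FAKE_DNS = {"fivel": "fivel.example.com"}

# The two krb5.conf variants from the post, reduced to the relevant keys.
KRB5_CONF_FRESH_INSTALL = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_canonicalize_hostname = false
[domain_realm]
    fivel.example.com = EXAMPLE.COM
"""

KRB5_CONF_WORKAROUND = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # dns_canonicalize_hostname = false
[domain_realm]
    fivel.example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Flat parser for the [section] / key = value layout of krb5.conf.
    Brace-delimited sub-blocks (as under [realms]) are skipped; they are not
    needed for this check."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if current is None or depth > 0 or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def acceptor_principal(hostname, canonicalize, resolve):
    """Principal sshd imports for its GSSAPI acceptor credential, host/<name>@.
    With canonicalization on, libkrb5 resolves the name to its FQDN first;
    with it off, the name is taken as given (the unqualified "fivel").
    The realm is left empty: the acceptor matches any realm in the keytab."""
    name = resolve(hostname) if canonicalize else hostname
    return f"host/{name}@"


def matching_keytab_entries(principal, keytab):
    """Keytab entries whose service/host part equals the acceptor name."""
    wanted = principal.split("@", 1)[0]
    return sorted(p for p in keytab if p.split("@", 1)[0] == wanted)


def check_sshd_gssapi(conf_text, hostname, keytab=KEYTAB_PRINCIPALS,
                      resolve=lambda h: FAKE_DNS.get(h, h)):
    """Return the principal sshd would look up and whether the keytab has it."""
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    # libkrb5 defaults to true; only an explicit "false" turns canonicalization off.
    canonicalize = libdefaults.get("dns_canonicalize_hostname", "true").lower() != "false"
    principal = acceptor_principal(hostname, canonicalize, resolve)
    matches = matching_keytab_entries(principal, keytab)
    return {"principal": principal, "matches": matches, "ok": bool(matches)}


if __name__ == "__main__":
    for label, conf in (("fresh 18.04 install", KRB5_CONF_FRESH_INSTALL),
                        ("workaround", KRB5_CONF_WORKAROUND)):
        result = check_sshd_gssapi(conf, "fivel")
        state = "ok" if result["ok"] else (
            "No key table entry found matching " + result["principal"])
        print(f"{label:20s} -> {state}")
```

With canonicalization off the lookup is for `host/fivel@`, which no keytab entry satisfies, reproducing the sshd debug line; with it on, the short name is resolved to `fivel.example.com` and the FQDN principal matches. The same check can be run against real data by replacing `KEYTAB_PRINCIPALS` with the output of `klist -k` and `FAKE_DNS.get` with `socket.getfqdn`.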
certmonger in container
by Natxo Asenjo
hi,
at work we are deploying an elasticsearch cluster using docker swarm.
Joining the containers to the domain is no problem, but requesting host
certificates is proving more of a challenge.
The ipa-getcert request command executes successfully, but it takes a long
time (> 1 hour) to get the certificate.
ipa-getcert list shows that it's generating a key, after a while a csr, but
it does not retrieve the signed certificate from the caserver.
This is obviously not desirable for us.
One alternative we are considering is generating the certificates in the
docker host (already joined) as dns aliases and offering those certificate
pairs to the containers running inside it. That way we would not even have
to join the containers to the domain.
How are you solving this problem (if you have it, of course)?
Thanks in advance for your comments.
--
regards,
natxo
2 years, 9 months
Server install fails on Ubuntu due to missing crypto.fips_enabled
by Kees Bakker
Hey,
Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
It fails setting up the certificate server (pki-tomcatd).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The failing command is: sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.
BTW. I'm installing in a LXC container, the host is Ubuntu 16.04.
That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
have /proc/sys/crypto.
The problem seems to be in pki/server/deployment/pkihelper.py
When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto,
it raises an exception.
Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be
used in pkihelper.py ?
--
Kees
2 years, 9 months
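The failure mode in this post is a probe that treats "the sysctl does not exist" as a fatal error. The snippet below is an added example, not code from FreeIPA's ipaplatform or from Dogtag's pkihelper.py: it contrasts a strict probe that shells out to the same `sysctl crypto.fips_enabled -bn` command and raises on any non-zero exit, with a tolerant one that reads `/proc/sys/crypto/fips_enabled` directly and maps an absent file (a container or kernel without `/proc/sys/crypto`, as in the post) to "FIPS not enabled". The `path` parameter and the helper names are this example's own.

```python
"""Tolerant FIPS-mode probe.

Added example, not code from FreeIPA (ipaplatform) or Dogtag (pkihelper.py).
It reads /proc/sys/crypto/fips_enabled directly and treats a missing file as
"FIPS not enabled", instead of shelling out to `sysctl crypto.fips_enabled -bn`
and failing when the sysctl key does not exist (the failure the post shows).
"""
import subprocess

FIPS_PROC_PATH = "/proc/sys/crypto/fips_enabled"


def fips_state_from_text(text):
    """Interpret the sysctl value: "1" means FIPS mode, anything else means off."""
    return text.strip() == "1"


def is_fips_enabled(path=FIPS_PROC_PATH):
    """True only when the kernel reports fips_enabled=1.

    A kernel or container without /proc/sys/crypto (the post's LXC case) is
    simply not in FIPS mode, so FileNotFoundError maps to False, not an error."""
    try:
        with open(path, encoding="ascii") as handle:
            return fips_state_from_text(handle.read())
    except FileNotFoundError:
        return False


def is_fips_enabled_strict():
    """The brittle variant: delegates to sysctl with check=True, so a missing
    key (exit status 255 in the post) raises CalledProcessError and, in
    pkispawn, aborts the whole CA configuration."""
    completed = subprocess.run(["sysctl", "crypto.fips_enabled", "-bn"],
                               capture_output=True, text=True, check=True)
    return fips_state_from_text(completed.stdout)


if __name__ == "__main__":
    print("fips_enabled (tolerant):", is_fips_enabled())
    try:
        print("fips_enabled (strict):  ", is_fips_enabled_strict())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        # FileNotFoundError: no sysctl binary; CalledProcessError: key missing.
        print("strict probe failed:", exc)
```

Run on a host without `/proc/sys/crypto`, the tolerant probe returns `False` while the strict one raises, which is exactly the difference between a CA install that proceeds and one that dies at step 1/28.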
ipa user-mod --rename failed
by Harald Dunkel
Hi folks,
something got corrupted in my ldap database (again). After running
% ipa user-mod --rename=bobk bobs
I get
% getent passwd bobs
% getent passwd bobk
%
The UID became unusable. (Highly painful, because this user is cut off
from EMails.) This is what I see:
% ipa user-find bobs
--------------
1 user matched
--------------
User login: bobk
First name: Bob
Last name: S
Home directory: /home/bobs
Login shell: /bin/bash
Principal alias: bobk@EXAMPLE.DE
Email address: bobs@example.de
UID: 1032
GID: 100
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
% ipa user-find bobk
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
% ipa user-find --login bobk
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
% ipa user-find --login bobs
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
Neither login name is found. Using ldap some data is still
available:
% ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=de '(uid=bobs)'
dn: uid=bobk,cn=users,cn=accounts,dc=example,dc=de
gecos: Bob S
displayName: Bob S
krbPrincipalName: bobk@EXAMPLE.DE
mepManagedEntry: cn=bobk,cn=groups,cn=accounts,dc=example,dc=de
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=de
memberOf: cn=projects,cn=groups,cn=accounts,dc=example,dc=de
memberOf: cn=develop,cn=groups,cn=accounts,dc=example,dc=de
uid: bobk
krbLastSuccessfulAuth: 20180607201703Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20180606135524Z
ipaUniqueID: 35292e46-ad70-11e5-8123-0016cc46e69a
givenName: Bob
mail: bobs@example.de
homeDirectory: /home/bobs
sn: S
gidNumber: 100
initials: JS
uidNumber: 1032
loginShell: /bin/bash
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: Bob S
krbLastPwdChange: 20160104091328Z
krbPasswordExpiration: 20400825091328Z
krbExtraData:: AAK4N4pWanNjaHVsdGVAQUlYSUdPLkRFAA==
krbLastAdminUnlock: 20160314150305Z
% ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=de '(uid=bobk)'
%
Using jxplorer I see the entry for "bobk" (on 2 replicas), but if I try to
look inside I get an error popup "unable to perform read operation". On the
other 4 replicas I see "bobs" (no problem here).
WTH? How can I clean up this mess?
Every helpful comment is highly appreciated
Harri
2 years, 9 months
Promoting CA replica to master
by Carlos Fernández Manteiga
Hi,
We've created a new replica from our FreeIPA infrastructure, with CA
capabilities. Now we want it to be the CA renewal master, as it's written
here:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
However, the first step, knowing which is the present master, is blocking
us. ldapsearch does not return the info we need:
ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Neither one of the servers has "ca.crl.MasterCRL.enableCRLUpdates=true" on
/etc/pki/pki-tomcat/ca/CS.cfg
Is there any more updated doc about this?
All FreeIPA servers are:
CentOS Linux release 7.5.1804 (Core)
VERSION: 4.5.4, API_VERSION: 2.228
Thank you
2 years, 9 months
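The post checks two places for the current master and finds neither answer: the `cn=masters` search returns no entry with `ipaConfigString: caRenewalMaster`, and no server's CS.cfg has `ca.crl.MasterCRL.enableCRLUpdates=true`. The script below is an added example, not FreeIPA code: it parses plain `ldapsearch` output (comment lines, folded continuation lines, the `search:`/`result:` trailer) and a CS.cfg key=value file, and reports whether exactly one renewal master and one CRL master are configured. The server names, suffix and the "healthy" search result are constructed; the empty search result mirrors the one in the post.

```python
"""Locate the CA renewal master and the CRL master from the two sources
the post queries: the cn=masters LDAP container and each server's CS.cfg.

Added example, not code from FreeIPA. Server names and the healthy LDIF
are constructed; EMPTY_SEARCH reproduces the shape of the post's output.
"""

# Constructed: what the post's search returned (no entries, trailer only).
EMPTY_SEARCH = """\
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=example,dc=test> with scope subtree
# filter: (ipaConfigString=caRenewalMaster)
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

# Constructed: the same search on a topology where ipa1 is renewal master.
HEALTHY_SEARCH = """\
# extended LDIF
#
# filter: (ipaConfigString=caRenewalMaster)
#

# CA, ipa1.example.test, masters, ipa, etc, example.test
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,
 dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: CA
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed: the relevant line of /etc/pki/pki-tomcat/ca/CS.cfg per server.
CS_CFG = {
    "ipa1.example.test": "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipa2.example.test": "ca.crl.MasterCRL.enableCRLUpdates=false\n",
}


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attribute: [values]} dicts.
    Handles '#' comment lines, folded continuation lines (leading space) and
    the search:/result: trailer printed without -LLL."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith(("search:", "result:")):
            continue
        attr, _, value = line.partition(":")
        current = current if current is not None else {}
        # "::" marks a base64 value; it is kept as text here since we only
        # compare plain attributes such as dn and ipaConfigString.
        current.setdefault(attr, []).append(value.lstrip(": "))
    if current:
        entries.append(current)
    return entries


def renewal_masters(ldif_text):
    """DNs of entries carrying ipaConfigString: caRenewalMaster."""
    return [entry["dn"][0] for entry in parse_ldif(ldif_text)
            if "caRenewalMaster" in entry.get("ipaConfigString", [])]


def crl_masters(cs_cfg_by_server):
    """Servers whose CS.cfg sets ca.crl.MasterCRL.enableCRLUpdates=true."""
    found = []
    for server, cfg in cs_cfg_by_server.items():
        settings = dict(line.split("=", 1) for line in cfg.splitlines()
                        if "=" in line and not line.startswith("#"))
        if settings.get("ca.crl.MasterCRL.enableCRLUpdates", "").strip().lower() == "true":
            found.append(server)
    return sorted(found)


def diagnose(ldif_text, cs_cfg_by_server):
    """Exactly one renewal master and one CRL master is healthy; zero (the
    post's situation) or several means the topology needs repair."""
    ren, crl = renewal_masters(ldif_text), crl_masters(cs_cfg_by_server)
    issues = []
    if len(ren) != 1:
        issues.append(f"{len(ren)} entries carry caRenewalMaster (expected 1)")
    if len(crl) != 1:
        issues.append(f"{len(crl)} servers generate the CRL (expected 1)")
    return {"renewal_master": ren, "crl_master": crl, "issues": issues}


if __name__ == "__main__":
    print("post's search:", diagnose(EMPTY_SEARCH, CS_CFG))
    print("healthy topology:", diagnose(HEALTHY_SEARCH, CS_CFG))
```

Feeding it the captured search output plus each server's CS.cfg turns the "nothing found" result into an explicit finding (no renewal master, no CRL master), which is the state to record before promoting the new replica.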
freeIPA backup
by Alfredo De Luca
Hi all.
What's the best procedure/practice to periodically perform a backup on a
single freeipa server with CA?
Cheers
--
*Alfredo*
2 years, 9 months
Backup DNS Zones
by John Petrini
Hi List,
I'm looking for a recommendation on how to backup a DNS zone prior to
making changes. I'm already backing up the IPA master nightly, but I'd like
to be able to restore a single zone, so that in the event someone accidentally
deletes something we could quickly restore the zone without having to
restore the entire server.
Thanks!
2 years, 9 months
CIFS insufficient access error when "enterprise admin" AD account is used to establish 1-way trust
by Chris Dagdigian
Dealing with outsourced IT organization that manages an AD domain we are
trying to build an additional trust with so we can upgrade and replace
our fleet of IDM servers.
We got a webex work session going with a domain admin to build the trust
but we keep seeing this on the CLI and WebUI:
ipa: ERROR: Insufficient access: CIFS server XXXXXX.COMPANY.COM denied
your credentials
Running in debug or verbose mode does not reveal more error details and
I can't find much in the logs on the IPA server
The AD admin we were working with claims he used an account that is part
of the Enterprise Admin group and thus should be allowed to do "all the
things" -- they are asking for any docs or details we have on what
permissions the IPA server needs when trust building
Looking for info/tips on the following, thanks!
1) Any log locations or places where I can find more info about why the
ad-trust setup failed?
2) Any docs or listing of specific AD permissions needed by the AD admin
account used to establish the trust
AD is not my strong point - apologies if this is a dumb query!
Regards,
Chris
2 years, 9 months
More on ldap_idmap_range
by Craig H Silva (Cenitex)
As it happens my paranoia seems to be on message.
We have just deployed 4 new sles 12 systems, with the following config:
id_provider = ad
auth_provider = ad
subdomains_provider = none
access_provider = ad
enumerate = false
cache_credentials = true
These systems were deployed without ldap_idmap_default_domain_sid or ldap_idmap_default_domain.
And the range they have started using is different to the range that exists on other deployed systems.
It appears that sssd has returned a different range from that which exists on our other systems.
I would appreciate advice on how to configure a range that will be uniform from the start.
Thanks for your help in advance.
Craig Silva
_________
Craig Silva | Specialist Engineer - Unix Services - Servers, Storage and IDAM
Cenitex | Level 15, 80 Collins Street, Melbourne 3000
ph: 03-8688-1297 mob: 0429 365 609 | www.cenitex.vic.gov.au<http://www.cenitex.vic.gov.au/>
This office is located on the land of the Traditional Owners of the Kulin Nation.
2 years, 9 months
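The different range on the new hosts is the expected outcome of leaving the ID mapping unpinned: with `id_provider = ad` and no `ldap_idmap_default_domain_sid`, SSSD selects the domain's ID slice from a hash of the domain SID, whereas a pinned SID places the domain in slice 0 of the range. The script below is an added example, not SSSD code: it audits an sssd.conf domain section (the post's settings as deployed, and the same section with the SID pinned), reports the slice-0 range computed from the documented defaults of `ldap_idmap_range_min`, `ldap_idmap_range_max` and `ldap_idmap_range_size` in sssd-ldap(5), and maps a RID to the UID it gets in slice 0. The domain name and SIDs are constructed; SSSD's hash-based slice choice for unpinned domains is deliberately not modelled.

```python
"""Pinning the SSSD ID-mapping range so every new host computes the same IDs.

Added example, not from SSSD or the post. Only the pinned (slice 0) case is
modelled: UID = ldap_idmap_range_min + RID. The sssd.conf fragments, domain
name and SIDs are constructed.
"""
import configparser

# Documented SSSD defaults (sssd-ldap(5)) for the ID-mapping range.
DEFAULTS = {"ldap_idmap_range_min": 200000,
            "ldap_idmap_range_max": 2000200000,
            "ldap_idmap_range_size": 200000}

# The post's domain section as deployed: no SID pinned.
SSSD_CONF_UNPINNED = """
[domain/example.test]
id_provider = ad
auth_provider = ad
subdomains_provider = none
access_provider = ad
enumerate = false
cache_credentials = true
"""

# Same section with the domain pinned to slice 0 (constructed SID).
SSSD_CONF_PINNED = SSSD_CONF_UNPINNED + """
ldap_idmap_default_domain = example.test
ldap_idmap_default_domain_sid = S-1-5-21-1111111111-2222222222-3333333333
"""


def load_domain(conf_text, domain):
    """Return the [domain/<name>] section of an sssd.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser[f"domain/{domain}"]


def idmap_settings(section):
    """Effective range parameters: explicit keys override the defaults."""
    return {key: int(section.get(key, default)) for key, default in DEFAULTS.items()}


def audit(conf_text, domain):
    """Report whether the range is deterministic and what slice 0 covers."""
    section = load_domain(conf_text, domain)
    opts = idmap_settings(section)
    pinned_sid = section.get("ldap_idmap_default_domain_sid")
    low = opts["ldap_idmap_range_min"]
    high = low + opts["ldap_idmap_range_size"] - 1
    warning = None
    if not pinned_sid:
        warning = ("ldap_idmap_default_domain_sid unset: slice chosen by hashing "
                   "the domain SID; set it (and ldap_idmap_default_domain) to "
                   "place the domain in slice 0 on every host")
    return {"pinned": pinned_sid is not None, "slice0_range": (low, high),
            "warning": warning}


def rid_to_uid(object_sid, conf_text, domain):
    """UID for an object SID of the pinned default domain (slice 0 only).
    Returns None for other domains (slice derived by hash in SSSD, not
    modelled) and for RIDs beyond the slice (SSSD then allocates a
    secondary slice, also not modelled)."""
    section = load_domain(conf_text, domain)
    opts = idmap_settings(section)
    domain_sid = section.get("ldap_idmap_default_domain_sid")
    if not domain_sid or not object_sid.startswith(domain_sid + "-"):
        return None
    rid = int(object_sid.rsplit("-", 1)[1])
    if rid >= opts["ldap_idmap_range_size"]:
        return None
    return opts["ldap_idmap_range_min"] + rid


if __name__ == "__main__":
    for label, conf in (("as deployed", SSSD_CONF_UNPINNED), ("pinned", SSSD_CONF_PINNED)):
        print(label, "->", audit(conf, "example.test"))
    print("RID 1103 ->", rid_to_uid(
        "S-1-5-21-1111111111-2222222222-3333333333-1103", SSSD_CONF_PINNED, "example.test"))
```

Pinning only fixes the range for hosts built after the change; systems that already cached hash-derived IDs keep them until their SSSD cache is cleared, so the pinned values should be chosen to match the range the existing systems already use.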