June 2018 - FreeIPA-users - Fedora Mailing-Lists

performance tuning IPA 4.5 and SSD for large AD integration

by Chris Dagdigian

At long last I've got a brand new IPA cluster running in our AWS footprint with a modern v4.5.4 install and a proper AD Trust in place to a complex domain forest In my older cluster I made use of a lot of the info here that Alexander and Jakob had written up: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg... Just wanted to check and see if the advice in that post still holds true for ipa-server-4.5.4-10 etc. -- is there anything I should avoid or anything new (links, blog posts, URLs) that I should read up on to tune v4.5.4? Thanks! Chris

4 years

2
1
0 / 0

Creating a user keytab

by Bret Wortman

What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script: kinit -k admin -t /root/keytab I've tried various approaches using ktutil and kadmin but haven't had any success just yet. -- photo *Bret Wortman* Founder, Damascus Products, LLC 855-644-2783 <tel:855-644-2783> | bret(a)wrapbuddies.co <mailto:bret@wrapbuddies.co> http://wrapbuddies.co/ 10332 Main St Suite 319 Fairfax, VA 22030 <http://facebook.com/wrapbuddiesco> <http://www.linkedin.com/in/bretwortman> <http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies>

4 years

5
15
0 / 0

SSH Unspecified GSS failure, No key table entry found matching host

by Kees Bakker

Hey, After installing a PC with Ubuntu 18.04 I'm seeing this problem with SSH logins. The gssapi-with-mic authentication method does not work anymore. Strangely enough a system that I upgraded (16.04->18.04) was working fine. The debug of sshd shows (fivel being the unqualified hostname): debug1: Unspecified GSS failure. Minor code may provide more information No key table entry found matching host/fivel@ After debugging and looking at differences between the installed and upgraded system I found that the new Ubuntu 18.04 installation has a slightly different krb5 configuration. These are: ---------8X---------8X---------8X---------8X--------- [libdefaults] ... dns_canonicalize_hostname = false ... [domain_realm] ... fqdn = <kerberos realm> ---------8X---------8X---------8X---------8X--------- Now the workaround for the login problem is to comment out dns_canonicalize_hostname. Can anyone comment on this? Why was this changed? Why doesn't it work out of the box? -- Kees

4 years

2
2
0 / 0

certmonger in container

by Natxo Asenjo

hi, at work we are deploying a elasticsearch cluster using docker swarm. Joining the containers to the domain is no problem, but requesting host certificates is proving more of a challenge. The ipa-getcert request command executes succesfully, but it takes a long time (> 1 hour) to get the certificate. ipa-getcert list shows that it's generating a key, after a while a csr, but it does not retrieve the signed certificate from the caserver. This is obviously not desirable for us. One alternative we are considering is generating the certificates in the docker host (already joined) as dns aliases and offering those certificate pairs to the containers running inside it. That way we would not even have to join the containers to the domain. How are you solving this problem (if you have it, of course)? Thanks in advance for your comments. -- regards, natxo

4 years

1
0
0 / 0

Server install fails on Ubuntu due to missing crypto.fips_enabled

by Kees Bakker

Hey, Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. It fails setting up the certificate server (pki-tomcatd). Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERROR CA configuration failed. ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The failing command is: sysctl crypto.fips_enabled -bn On my system there is no /proc/sys/crypto. BTW. I'm installing in a LXC container, the host is Ubuntu 16.04. That should not matter, because none of my Ubuntu systems (16.04 and 18.04) have /proc/sys/crypto. The problem seems to be in pki/server/deployment/pkihelper.py When the sysctl commands fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto it raises an exception. Notice that there is a ipaplatform with is_fips_enabled. Shouldn't that be used in pkihelper.py ? -- Kees

4 years

5
9
0 / 0

ipa user-mod --rename failed

by Harald Dunkel

Hi folks, something got corrupted in my ldap database (again). After running % ipa user-mod --rename=bobk bobs I get % getent passwd bobs % getent passwd bobk % The UID became unusable. (Highly painful, because this user is cut off from EMails.) This is what I see: % ipa user-find bobs -------------- 1 user matched -------------- User login: bobk First name: Bob Last name: S Home directory: /home/bobs Login shell: /bin/bash Principal alias: bobk(a)EXAMPLE.DE Email address: bobs(a)example.de UID: 1032 GID: 100 Account disabled: False ---------------------------- Number of entries returned 1 ---------------------------- % ipa user-find bobk --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- % ipa user-find --login bobk --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- % ipa user-find --login bobs --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- Neither login name is found. Using ldap some data is still available: % ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=de '(uid=bobs)' dn: uid=bobk,cn=users,cn=accounts,dc=example,dc=de gecos: Bob S displayName: Bob S krbPrincipalName: bobk(a)EXAMPLE.DE mepManagedEntry: cn=bobk,cn=groups,cn=accounts,dc=example,dc=de memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=de memberOf: cn=projects,cn=groups,cn=accounts,dc=example,dc=de memberOf: cn=develop,cn=groups,cn=accounts,dc=example,dc=de uid: bobk krbLastSuccessfulAuth: 20180607201703Z krbLoginFailedCount: 0 krbLastFailedAuth: 20180606135524Z ipaUniqueID: 35292e46-ad70-11e5-8123-0016cc46e69a givenName: Bob mail: bobs(a)example.de homeDirectory: /home/bobs sn: S gidNumber: 100 initials: JS uidNumber: 1032 loginShell: /bin/bash objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry cn: Bob S krbLastPwdChange: 20160104091328Z krbPasswordExpiration: 20400825091328Z krbExtraData:: AAK4N4pWanNjaHVsdGVAQUlYSUdPLkRFAA== krbLastAdminUnlock: 20160314150305Z % ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=de '(uid=bobk)' % Using jxplorer I see the entry for "bobk" (on 2 replicas), but if I try to look inside I get an error popup "unable to perform read operation". On the other 4 replicas I see "bobs" (no problem here). WTH? How can I cleanup this mess? Every helpful comment is highly appreciated Harri

4 years

4
14
0 / 0

Promoting CA replica to master

by Carlos Fernández Manteiga

Hi, We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master However, the first step, knowing which is the present master, is blocking us. ldapsearch does not return the info we need: ldapsearch -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int' '(ipaConfigString=caRenewalMaster)' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=masters,cn=ipa,cn=etc,dc=bitban,dc=int> with scope subtree # filter: (ipaConfigString=caRenewalMaster) # requesting: dn # # search result search: 2 result: 0 Success # numResponses: 1 Neither one of the servers have "ca.crl.MasterCRL.enableCRLUpdates=true" on /etc/pki/pki-tomcat/ca/CS.cfg Is there any more updated doc about this? All FreeIPA servers are: CentOS Linux release 7.5.1804 (Core) VERSION: 4.5.4, API_VERSION: 2.228 Thank you

4 years

2
6
0 / 0

freeIPA backup

by Alfredo De Luca

Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA? Cheers -- *Alfredo*

4 years

6
15
0 / 0

Backup DNS Zones

by John Petrini

Hi LIst, I'm looking for a recommendation on how to backup a DNS zone prior to making changes. I'm already backing up the IPA master nightly but I'd like to be able to restore a single zone in the event someone accidentally deletes something we could quickly restore the zone without having to restore the entire server. Thanks!

4 years

3
4
0 / 0

CIFS insufficient access error when "enterprise admin" AD account is used to establish 1-way trust

by Chris Dagdigian

Dealing with outsourced IT organization that manages an AD domain we are tying to build an additional trust with so we can upgrade and replace our fleet of IDM servers. We got a webex work session going with a domain admin to build the trust but we keep seeing this on the CLI and WebUI: ipa: ERROR: Insufficient access: CIFS server XXXXXX.COMPANY.COM denied your credentials Running in debug or verbose mode does not reveal more error details and I can't find much in the logs on the IPA server The AD admin we were working with claims he used an account that is part of the Enterprise Admin group and thus should be allowed to do "all the things" -- they are asking for any docs or details we have on what permissions the IPA server needs when trust building Looking for info/tips on the following, thanks! 1) Any log locations or places where I can find more info about why the ad-trust setup failed? 2) Any docs or listing of specific AD permissions needed by the AD admin account used to establish the trust AD is not my strong point - apologies if this is a dumb query! Regards, Chris

4 years

2
1
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2018