June 2018 - FreeIPA-users - Fedora Mailing-Lists

by Andrew Meyer

Not sure if this is the right place for support w/ ipsilon. But I got it installed and I'm able to browse the to website and login now. However when I go to the login stack there are some button to the right of the login plugins, and they say ↑ ↓ that's it. What does that mean? Also I've enabled saml2, form, ipa, gssapi and secure as security providers yet I only see saml2. Is this normal? Has anyone configured this with any atlassian products? Regards,Andrew

4 years, 1 month

2
1
0 / 0

pam,mkhomedir and umask with freeIPA

by Alfredo De Luca

Hi all. We have pam entry (below) and we wanna change the umask when a new homedir for an existing user is created. we modified the umaks but doesnt work. We have sssd integrated with freeIPA to manage all user etc. Any clue? session optional pam_oddjob_mkhomedir.so umask=0770 Cheers

4 years, 1 month

2
2
0 / 0

FreeIPA upgrade fails in CentOS 7.4 to CentOS 7.5 upgrade

by Lachlan Musicman

From ipaupgrade.log, the CA isn't coming up? 2018-06-06T01:05:40Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2018-06-06T01:05:40Z DEBUG waiting for port: 8080 2018-06-06T01:05:40Z DEBUG Failed to connect to port 8080 tcp on ::1 2018-06-06T01:05:40Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1 2018-06-06T01:05:41Z DEBUG SUCCESS: port: 8080 2018-06-06T01:05:41Z DEBUG waiting for port: 8443 2018-06-06T01:05:41Z DEBUG Failed to connect to port 8443 tcp on ::1 2018-06-06T01:05:41Z DEBUG Failed to connect to port 8443 tcp on 127.0.0.1 2018-06-06T01:05:42Z DEBUG SUCCESS: port: 8443 2018-06-06T01:05:42Z DEBUG Waiting until the CA is running 2018-06-06T01:05:42Z DEBUG request POST http://vmpr-linuxidm.unix.company.com:8080/ca/admin/ca/getStatus 2018-06-06T01:05:42Z DEBUG request body '' 2018-06-06T01:05:46Z DEBUG response status 500 2018-06-06T01:05:46Z DEBUG response headers Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 2208 Date: Wed, 06 Jun 2018 01:05:46 GMT Connection: close 2018-06-06T01:05:46Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>' 2018-06-06T01:05:46Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500 2018-06-06T01:05:46Z DEBUG Waiting for CA to start... 2018-06-06T01:05:47Z DEBUG request POST http://vmpr-linuxidm.unix.company.com:8080/ca/admin/ca/getStatus 2018-06-06T01:05:47Z DEBUG request body '' 2018-06-06T01:05:47Z DEBUG response status 500 2018-06-06T01:05:47Z DEBUG response headers Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 2208 Date: Wed, 06 Jun 2018 01:05:47 GMT Connection: close I found some old bugs that don't seem to apply, like this one https://bugzilla.redhat.com/show_bug.cgi?id=1318616 and some that do https://pagure.io/freeipa/issue/6766 Doesn't actually fix the problem that my users can't login :/ Gah, I thought this had been fixed - it was in my upgrade of the dev server L. ------ "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. " *Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857

4 years, 1 month

1
1
0 / 0

Re: Problems setting up replica on Raspberry Pi 3B (ARM)

by Rob Crittenden

Jonathan Vaughn wrote: > Here's the output from ipa-replica-install : > > # ipa-replica-install > WARNING: conflicting time&date synchronization service 'chronyd' will > be disabled in favor of ntpd > > Password for admin(a)COMPANY.INTERNAL: > Run connection check to master > Connection check OK > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv). Estimated time: 30 seconds > [1/41]: creating directory server instance > [2/41]: enabling ldapi > [3/41]: configure autobind for root > [4/41]: stopping directory server > [5/41]: updating configuration in dse.ldif > [6/41]: starting directory server > [7/41]: adding default schema > [8/41]: enabling memberof plugin > [9/41]: enabling winsync plugin > [10/41]: configuring replication version plugin > [11/41]: enabling IPA enrollment plugin > [12/41]: configuring uniqueness plugin > [13/41]: configuring uuid plugin > [14/41]: configuring modrdn plugin > [15/41]: configuring DNS plugin > [16/41]: enabling entryUSN plugin > [17/41]: configuring lockout plugin > [18/41]: configuring topology plugin > [19/41]: creating indices > [20/41]: enabling referential integrity plugin > [21/41]: configuring certmap.conf > [22/41]: configure new location for managed entries > [23/41]: configure dirsrv ccache > [24/41]: enabling SASL mapping fallback > [25/41]: restarting directory server > [26/41]: creating DS keytab > [27/41]: ignore time skew for initial replication > [28/41]: setting up initial replication > Starting replication, please wait until this has completed. > Update in progress, 11 seconds elapsed > Update succeeded > > [29/41]: prevent time skew after initial replication > [30/41]: adding sasl mappings to the directory > [31/41]: updating schema > [32/41]: setting Auto Member configuration > [33/41]: enabling S4U2Proxy delegation > [error] NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipapython.admintool: ERROR cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > ipapython.admintool: ERROR The ipa-replica-install command failed. > See /var/log/ipareplica-install.log for more information > > And here's the /var/log/ipareplica-install.log from just before it fails > to the failure: > > 2018-05-02T00:22:44Z DEBUG [32/41]: setting Auto Member configuration > 2018-05-02T00:22:44Z DEBUG Starting external process > 2018-05-02T00:22:44Z DEBUG args=/usr/bin/ldapmodify -v -f > /tmp/tmpt7bxf4x1 -H ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket > -Y EXTERNAL > 2018-05-02T00:22:45Z DEBUG Process finished, return code=0 > 2018-05-02T00:22:45Z DEBUG stdout=add nsslapd-pluginConfigArea: > cn=automember,cn=etc,dc=company,dc=internal > modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config" > modify complete > > > 2018-05-02T00:22:45Z DEBUG stderr=ldap_initialize( > ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket/??base ) > SASL/EXTERNAL authentication started > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > SASL SSF: 0 > > 2018-05-02T00:22:45Z DEBUG duration: 0 seconds > 2018-05-02T00:22:45Z DEBUG [33/41]: enabling S4U2Proxy delegation > 2018-05-02T00:22:45Z DEBUG Traceback (most recent call last): > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 979, in error_handler > yield > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1572, in update_entry > self.conn.modify_s(str(entry.dn), modlist) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 600, > in modify_s > return self.modify_ext_s(dn,modlist,None,None) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 573, > in modify_ext_s > resp_type, resp_data, resp_msgid, resp_ctrls = > self.result3(msgid,all=1,timeout=self.timeout) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 714, > in result3 > resp_ctrl_classes=resp_ctrl_classes > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 721, > in result4 > ldap_result = > self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 294, > in _ldap_call > result = func(*args,**kwargs) > ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"} > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 506, in start_creation > run_step(full_msg, method) > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 496, in run_step > method() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 977, in __setup_s4u2proxy > __add_principal('ipa-http-delegation', 'HTTP', self) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 973, in __add_principal > api.Backend.ldap2.update_entry(entry) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1572, in update_entry > self.conn.modify_s(str(entry.dn), modlist) > File "/usr/lib/python3.6/contextlib.py", line 99, in __exit__ > self.gen.throw(type, value, traceback) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1028, in error_handler > error=info) > ipalib.errors.NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > > 2018-05-02T00:22:45Z DEBUG [error] NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > 2018-05-02T00:22:45Z DEBUG Destroyed connection context.ldap2_2991558640 > 2018-05-02T00:22:45Z DEBUG Backing up system configuration file > '/etc/ipa/default.conf' > 2018-05-02T00:22:45Z DEBUG Saving Index File to > '/var/lib/ipa/sysrestore/sysrestore.index' > 2018-05-02T00:22:45Z DEBUG File > "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in > execute > return_value = self.run() > File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", > line 319, in run > cfgr.run() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 364, in run > self.execute() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 388, in execute > for _nothing in self._executor(): > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 430, in __runner > exc_handler(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 459, in _handle_execute_exception > self._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 449, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 420, in __runner > step() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 417, in <lambda> > step = lambda: next(self.__gen) > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 81, in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 59, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 654, in _configure > next(executor) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 430, in __runner > exc_handler(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 459, in _handle_execute_exception > self._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 517, in _handle_exception > self.__parent._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 449, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 514, in _handle_exception > super(ComponentBase, self)._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 449, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 420, in __runner > step() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 417, in <lambda> > step = lambda: next(self.__gen) > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 81, in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 59, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", > line 66, in _install > for unused in self._installer(self.parent): > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", > line 622, in main > replica_install(self) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", > line 388, in decorated > func(installer) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", > line 1407, in install > pkcs12_info=dirsrv_pkcs12_info) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", > line 110, in install_replica_ds > setup_pkinit=not options.no_pkinit, > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 419, in create_replica > self.start_creation(runtime=30) > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 506, in start_creation > run_step(full_msg, method) > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 496, in run_step > method() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 977, in __setup_s4u2proxy > __add_principal('ipa-http-delegation', 'HTTP', self) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 973, in __add_principal > api.Backend.ldap2.update_entry(entry) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1572, in update_entry > self.conn.modify_s(str(entry.dn), modlist) > File "/usr/lib/python3.6/contextlib.py", line 99, in __exit__ > self.gen.throw(type, value, traceback) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1028, in error_handler > error=info) > > 2018-05-02T00:22:45Z DEBUG The ipa-replica-install command failed, > exception: NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > 2018-05-02T00:22:45Z ERROR cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > 2018-05-02T00:22:45Z ERROR The ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > > Maybe it just is trying to soon and it hasn't fully started yet? Because > now I see that the previous step ALSO shows the URL encoded socket path, > and it worked fine - but it looks like the previous step used > ldapmodify, but the failing step was accessing LDAP from Python? Perhaps > it works fine one way and not the other ? I won't rule it out but I doubt it. Is ns-slapd still running at this point? This could happen, for example, if ns-slapd crashed after enabling the automember plugin. The DS error log might have something to say as well. rob > > On Wed, May 2, 2018 at 3:29 PM, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>> wrote: > > Jonathan Vaughn via FreeIPA-users wrote: > > Yes, I know, not recommended etc, low performance. I'm not going > to run the CA on it. I just want to have a backup LDAP/Kerberos > server. > > Right now I'm just trying to test things out. I've got a master > and a replica (so you could say two masters I suppose) running > in Virtualbox VMs, and I'm trying to set up a 3rd replica on a > Pi. All are Fedors 27. I had to downgrade httpd due to > https://pagure.io/freeipa/issue/7493 > <https://pagure.io/freeipa/issue/7493> to even set up the first > VM replica, but this issue is separate. > > Currently, the problem is it can't connect to it's own LDAP > instance due to some kind of error ... ipa-replica-install > worked fine on the x86_64 VM but on the armv71 Pi 3B when it > tries to connect to LDAPI instead of > using 'ldapi:///var/run//slapd-COMPANY-INTERNAL.socket' it > uses 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket'. > > So it seems there is yet another ARM (or non-x86_64) bug ... > similar to the problem with httpd and passing the KRB5CCNAME > properly https://pagure.io/freeipa/issue/7337 > <https://pagure.io/freeipa/issue/7337> > > Any ideas on where to look to patch in a fix to this so it uses > the correct filename? The socket file is there ... and (at the > time it tries) LDAP is running. > > > What makes you think the ldapi URI is the problem? > > Can you share the logs? > > rob > >

4 years, 1 month

4
36
0 / 0

Logon by ssh but not console?

by Bret Wortman

Any ideas why I might be prevented from logging in on a system through GDM and the console, but if I log in as root and: # ssh bretw@localhost I'm able to log in without issues? And it'll tell me about failed logins for every time I try through GDM or the console. This is on a brand new IPA server I'm setting up using data from our older ones but it's not set up as a replica. -- photo *Bret Wortman* President, Damascus Products LLC 855-644-2783 <tel:855-644-2783> | 303-523-8037 <tel:303-523-8037> | bret(a)damascusproducts.com <mailto:bret@damascusproducts.com> | http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030 <http://facebook.com/wrapbuddiesco> <http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies> <https://facebook.com/wrapbuddiesco><https://instagram.com/wrapbuddies>

4 years, 1 month

4
8
0 / 0

Can't log in through greeter or console after switch to new IPA servers

by Bret Wortman

I've just transitioned my baseline from one set of servers to another, and I'm noticing that some systems will allow me to log in directly from the greeter on workstations while others don't (including my own workstation!). These methods all work on my workstation: * ssh @localhost with password prompt * ssh @remote_host with password prompt * ssh @remote_host with PSK * su - user as root (no password prompt) What could be preventing me from logging in through the greeter (GDM)? Where should I be looking? I've got a workstation that does allow me to log in so comparing to it will be easy, but going file-by-file would take forever. Thanks! -- photo *Bret Wortman* Founder, Damascus Products LLC 855-644-2783 <tel:855-644-2783> | bret(a)damascusproducts.com <mailto:bret@damascusproducts.com> http://damascusproducts.com/ 10332 Main St Suite 319 Fairfax, VA 22030 <http://facebook.com/wrapbuddiesco> <http://www.linkedin.com/in/bretwortman> <http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies>

4 years, 1 month

1
0
0 / 0

ipa commands suddenly failing on all idM servers when logged in with AD account

by David McDaniel

Began receiving the following error, when attempting to run any ipa commands from all idM servers as AD users, that are members via ext_group of Admin. The stack has been running for well over a year now with AD trust in place and first time seeing this issue. IPA Version 4.5.0 RHEL 7.4 # ipa hbactest ipa: ERROR: cannot connect to 'any of the configured servers': <https://server fqdn//ipa/json>, <https://server fqdn//ipa/json>, <https://server fqdn//ipa/json>, <https://server fqdn//ipa/json> WebUI , replication, both AD and IPA user authentication, AD trust; all appear to be functioning as expected. The only updates that have been applied to the IdM servers since last known working were the below listed security updates. Packages Altered: Updated 389-ds-base-1.3.6.1-28.el7_4.x86_64 @rhui-REGION-rhel-server-releases Update 1.3.7.5-21.el7_5.x86_64 @rhui-REGION-rhel-server-releases Updated 389-ds-base-libs-1.3.6.1-28.el7_4.x86_64 @rhui-REGION-rhel-server-releases Update 1.3.7.5-21.el7_5.x86_64 @rhui-REGION-rhel-server-releases Updated dhclient-12:4.2.5-58.el7_4.3.x86_64 @rhui-REGION-rhel-server-releases Update 12:4.2.5-68.el7_5.1.x86_64 @rhui-REGION-rhel-server-releases Updated dhcp-common-12:4.2.5-58.el7_4.3.x86_64 @rhui-REGION-rhel-server-releases Update 12:4.2.5-68.el7_5.1.x86_64 @rhui-REGION-rhel-server-releases Updated dhcp-libs-12:4.2.5-58.el7_4.3.x86_64 @rhui-REGION-rhel-server-releases Update 12:4.2.5-68.el7_5.1.x86_64 @rhui-REGION-rhel-server-releases Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING smb Service: RUNNING winbind Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful The following log entries are created in the httpd error_log when AD user attempts to run ipa cli commands. [Fri Jun 01 20:17:14.442248 2018] [auth_gssapi:error] [pid 5717] [client 10.150.0.226:52676] Failed to unseal session data!, referer: https://server fqdn/ipa/xml [Fri Jun 01 20:17:14.442271 2018] [auth_gssapi:error] [pid 5717] [client 10.150.0.226:52676] NO AUTH DATA Client did not send any authentication headers, referer: https://server fqdn/ipa/xml [Fri Jun 01 20:17:14.468538 2018] [:error] [pid 1668] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials [Fri Jun 01 20:17:14.498108 2018] [:error] [pid 1669] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials Any help is appreciated.

4 years, 1 month

1
1
0 / 0

FreeIPA wiki troubleshooting page re-org

by Fraser Tweedale

Hi all, The troubleshooting page was getting huge and unwieldy. I have broken the various sections out into separate pages. Now the main troubleshooting page is just some high-level info/advice and a list of links to other topics. https://www.freeipa.org/page/Troubleshooting I haven't made any substantial changes to the content itself (yet). As always, contributions (including simply telling us if something is incorrect or missing) are welcome. Thanks, Fraser

4 years, 1 month

1
0
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2018