replica unable to communicate
by Andrew Meyer
I need some help with this. I am working with FreeIPA running on CentOS 7.4, version 4.5.0-22. I have 2 servers in my AWS VPC and 2 servers at my local office.
For some reason I am not seeing replication happen (over ldaps?) from 1 server in my local office to the two servers up there.
AWS servers:
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[centos@freeipa03 ~]$

[root@freeipa04 log]# ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[root@freeipa04 log]# ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[root@freeipa04 log]#

Local office: server 1

[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:41+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:32+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:30:53+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:30:53+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$

[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:08:00+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:07:54+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa03 ~]$ sudo vim /etc/resolv.conf
[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:40:35+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:40:35+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa03 ~]$
The topologysegment shows we have 2-way connectivity all the way around:

[root@freeipa04 log]# ipa topologysegment-find --all
Suffix name: domain
------------------
6 segments matched
------------------
  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa03.stl1.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: freeipa01.stl1.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net
  Left node: freeipa03.stl1.gatewayblend.net
  Right node: freeipa03.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa03.stl1.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top
----------------------------
Number of entries returned 6
----------------------------
[root@freeipa04 log]#
When I add a user everything gets sync'ed. When I add a DNS entry it gets sync'ed all the way around.
Is the error I'm getting a false positive? It seems like it is.
This is the error I'm getting in /var/log/messages. However I think this pertains to DNSSEC and can be ignored, correct?
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:35:25 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 21 13:36:25 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 21 13:36:25 freeipa01 systemd: Started IPA key daemon.
Mar 21 13:36:25 freeipa01 systemd: Starting IPA key daemon...
Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 21 13:36:29 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:36:33 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 21 13:37:33 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 21 13:37:33 freeipa01 systemd: Started IPA key daemon.
Mar 21 13:37:33 freeipa01 systemd: Starting IPA key daemon...
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:37:40 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service failed.
[gatewayblend@freeipa01 ~]$
I'm not sure what the issue is.
Any help is appreciated.
Thank you,
Andrew Meyer
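A small parser for the `ipa-replica-manage list -v` output quoted in the post above, added here as an example and not part of the original thread. In 389-ds the status text "Error (0) Replica acquired successfully" is the success code, while "Error (-1) ... Can't contact LDAP server" with an epoch "last update ended" is a real failure to reach the peer; the parser separates the two so an operator can read the agreement table at a glance. Host names in the embedded sample are constructed placeholders.

```python
"""Summarise per-agreement status from `ipa-replica-manage list -v <host>`."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the same shape as the thread's output (placeholder hosts).
SAMPLE = """\
replica-a.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
replica-b.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""

EPOCH = "1970-01-01 00:00:00+00:00"  # 389-ds prints this when an update never ran
STATUS_RE = re.compile(r"Error \((-?\d+)\)\s*(.*)")


@dataclass
class Agreement:
    peer: str
    code: int
    message: str
    last_update_ended: str

    @property
    def healthy(self) -> bool:
        # Code 0 is success even though the line is labelled "Error".
        return self.code == 0

    @property
    def never_updated(self) -> bool:
        return self.last_update_ended == EPOCH


def _finish(fields: Dict[str, str]) -> Agreement:
    status = fields.get("last update status", "")
    m = STATUS_RE.match(status)
    code = int(m.group(1)) if m else -1
    message = m.group(2) if m else status
    return Agreement(fields["peer"], code, message,
                     fields.get("last update ended", EPOCH))


def parse_replica_list(text: str) -> List[Agreement]:
    """Split the output into one Agreement per 'host: replica' block."""
    agreements: List[Agreement] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(": replica"):
            if current:
                agreements.append(_finish(current))
            current = {"peer": line[: -len(": replica")]}
        elif ":" in line and current:
            # Split on the first colon only: values such as the status text
            # and the timestamps contain further colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    if current:
        agreements.append(_finish(current))
    return agreements


def unhealthy_peers(text: str) -> List[str]:
    """Peers whose last incremental update did not succeed."""
    return [a.peer for a in parse_replica_list(text) if not a.healthy]


if __name__ == "__main__":
    for a in parse_replica_list(SAMPLE):
        state = "OK" if a.healthy else "FAILING"
        print(f"{a.peer:30} {state:8} last update ended {a.last_update_ended}")
        if not a.healthy:
            print(f"{'':30} {a.message}")
```

Run it against the output of each server in turn; an agreement that is failing in only one direction between two sites points at the network path (firewall, DNS, routing) from that server to its peer rather than at the topology segments.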
IPA server upgrade fails with KDC error
by Johannes Brandstetter
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:". I find in the kdc log that it complains about "Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
Some more info:
$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XXX
krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG duration: 0 seconds
2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
server.upgrade()
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade
data_upgrade.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance
runtime=90)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start
api.Backend.ldap2.connect()
File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection
client_controls=clientctrls)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access:
2017-10-16T13:04:14Z ERROR Insufficient access:
2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log
Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64
Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64
Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes
using freeipa with an AWS elastic load balancer
by ridha.zorgui@infor.com
I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA clients will be contacting the replica and the master server through the load balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem is that when retrieving LDAP data and during the authentication, the SSL handshake fails, as the certificate sent back from the master or replica has a hostname different than the one used in sssd (the ELB CNAME), so the connection is terminated. There is a workaround, which is to use reqcert=allow, but this brings a security issue with a MITM attack. Another solution I found is to use a SAN. I was able to add the ELB DNS as a SAN in the FreeIPA servers' certificate. I made sure it is there by downloading the certificate and checking that the ELB SAN exists, but when testing it the same problem remains. Please help.
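The check that fails in the post above is the TLS client's hostname match: the name sssd connected to (the ELB CNAME) must appear as a dNSName in the server certificate's subjectAltName. The function below is an added illustration of that rule, not sssd's or OpenLDAP's code, and it also models why `ldap_tls_reqcert = allow` hides the mismatch: with `allow`, the client skips the hostname check entirely and would accept any certificate presented in the path. Host names are placeholders.

```python
"""Model the TLS hostname check a FreeIPA client performs against a server cert."""
from typing import Iterable, List


def _label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard is honoured ("*.example.test"); a partial
    # one such as "f*.example.test" is treated as a literal label.
    return pattern == "*" or pattern == label


def hostname_matches(san_dnsnames: Iterable[str], hostname: str) -> bool:
    """RFC 6125-style match of hostname against the certificate's dNSName SANs.

    Simplified: case-insensitive, wildcard only in the leftmost label, and a
    wildcard never matches more than one label or a single-label name.
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dnsnames:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue  # "*.example.test" does not cover "a.b.example.test"
        if any("*" in p for p in pat[1:]):
            continue  # wildcard outside the leftmost label is invalid
        if pat[0] == "*" and len(pat) < 3:
            continue  # refuse "*.test"-style wildcards
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False


def client_outcome(san_dnsnames: List[str], hostname: str,
                   reqcert: str = "demand") -> str:
    """What a client configured with ldap_tls_reqcert=<reqcert> does.

    'demand' (the default) rejects the session on a mismatch; 'allow' still
    connects, which is exactly the MITM exposure the post worries about.
    """
    if hostname_matches(san_dnsnames, hostname):
        return "ok"
    if reqcert == "allow":
        return "connected despite hostname mismatch"
    return "handshake rejected: hostname mismatch"


if __name__ == "__main__":
    # Constructed scenario: server cert names only the real host, client
    # connects to the load balancer's CNAME.
    server_sans = ["ipa-master.internal.example.test"]
    elb_name = "ipa-lb.elb.example-cloud.test"
    print(client_outcome(server_sans, elb_name))              # rejected
    print(client_outcome(server_sans, elb_name, "allow"))     # connects anyway
    print(client_outcome(server_sans + [elb_name], elb_name))  # ok once SAN added
```

A certificate that carries the ELB name in its SAN passes this check; if the handshake still fails after the SAN was added, the certificate actually served on the port reached through the balancer is the thing to inspect, since each server behind the balancer must present its own updated certificate.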
Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token
by H. Frenzel
Hi,
I tried to install a CA on the 2nd master from a replica file which was
created on the 1st master (with self-signed CA), which fails with:
ipa : DEBUG stderr=TokenException: Failed to import
EncryptedPrivateKeyInfo to token: (-8152) The key does not support the
requested operation.
What could be wrong here? - Please find the detailed debug log of
ipa-ca-install as attachment.
Thx & b/r
H.
Announcing freeIPA 4.7.0
by Rob Crittenden
The FreeIPA team would like to announce FreeIPA 4.7.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
== Highlights in 4.7.0 ==
=== Enhancements ===
==== mod_ssl ====
IPA has switched to mod_ssl as the crypto engine for Apache. This change
will be made automatically when upgrading.
==== NSS sqlite database ====
Fedora 28 changed the default database format type from dbm to sqlite.
Theoretically there should be no end-user difference but you will see
different file names for your NSS databases: cert9.db, key4.db and
pkcs11.txt.
==== authselect ====
Fedora 28 switched to a new PAM configuration tool, authselect.
https://fedoraproject.org/wiki/Changes/Authselect
==== Time server change to chronyd ====
The ntpd service was deprecated in F28. It was replaced by chronyd. The
client also uses chrony as its time client.
https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support
==== Python 3 ====
FreeIPA now fully supports Python 3 and can be installed without any
python 2 dependencies.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.7.0 includes all of the bug fixes and enhancements from 4.6.1
- 4.6.4.
There are more than 170 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7615 ipa_tests: ipa-replica-prepare stuck on user input
* 7550 [WebUI] extend host test suite
* 7547 ui_tests: checkbox click fix
* 7546 ui_tests: improve "field_validation" method
* 7544 ui_tests: extend test_selinuxusermap.py suite
* 7542 CLI and Web UI allow to add more then one radius server into
radius proxy
* 7540 Extend WebUI test_krbpolicy suite with the following test cases:
* 7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing
* 7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the
complete chain
* 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has
occurred"
* 7519 Adding SSH keys for AD users as I created overrides
* 7510 validate_selinuxuser does not allow a period in selinux user
identifier
* 7505 WebUI tests: Extend netgroup tests
* 7503 multiple occurrences of profileId in certprofile causes incorrect
behaviour
* 7485 Extending webui user group test
* 7474 ipa-server-install --uninstall on replica fails with
"NoOptionError: No option 'ldap_uri' in section: 'global'"
* 7473 ERROR: No valid Negotiate header in server response
* 7468 test_host.py::test_host::test_crud is failing in nightly tests
* 7463 test_webui: add user life-cycles tests
* 7447 test_create_host_with_ip is not fully covering possible return errors
* 7436 ipa: Please log something after restarting the KDC
* 7433 CRL url on replicas gets incorrectly redirected
* 7432 make fasttest fails on fresh clone. fedora26
* 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn
-s CA
* 7424 Improve Realm Domains doc text
* 7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
* 7400 Add excludearch for i686 because 389-ds is no longer doing 32-bit
builds
* 7397 ipa host-add --ip-address... returns Internal error when
forward-policy=none is defined
* 7394 file conflicts between python2-mod_wsgi and freeipa-server
* 7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry
enabling TLS in 389-ds
* 7390 cert-request: issuance of malformed certificate causes IPA
Internal Error
* 7389 F-27 upgrade to 4.6.3-1 fails with KRA update
* 7383 user-add: user creation proceeds when password is wrong
* 7381 Drop PyOpenSSL requirement
* 7380 Possible regression for limited OTP characters in host-add
* 7378 ipa-ods-exporter fails with socket activation did not return socket
* 7374 IPA 'Generate OTP' option in web gui does not show OTP code when
no reverse zone is managed
* 7373 "An internal error has occurred" show up when trying to add a
user to the Member User table in Vault.
* 7371 uninstalling replica leaves orphained data in ldap
* 7359 [RFE] extend topology plugin to clean up a removed replica ldap/
principal
* 7357 IntegrationTests do not fail even if the uninstall process fails
* 7342 admins group is not including all permissions of Role "User
Administrator"
* 7338 FreeIPA server install/upgrade does not process schema.d/ files
correctly
* 7335 Integration tests are not collecting all logs
* 7330 ipa-server-install --uninstall does not return error code on error
* 7318 Cannot uninstall ipaserver after fresh install - {'desc': "Can't
contact LDAP server", 'errno': 111, 'info': 'Connection refused'}
* 7315 Packaging: use pylint 1.7.5 and remove disable for import stat
* 7313 trust integration tests need to override test_establish_trust
method when using different trust-add options
* 7308 Help for ipa trust-add --range-type
* 7299 RPM post-install scripts fail because they are run with python2
* 7294 python3 incompatibility in vault_archive
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level
for replica tests
* 7253 Custodia keys are not removed on uninstall
* 7240 ipa-dnskeysyncd broken (and ipactl doesn't tell)
* 7226 Remove remaining references to Firefox configuration extension
* 7220 Third KRA installation in topology fails
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA
web UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7162 [ipatests] disable replication debugging for 389-ds logs in
integration tests
* 7157 [tracker] pyasn1 fails to parse kerberos principal name
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start
tracking certs
* 7150 Ipa-server-install update dse.ldif with wrong SELinux context
* 7148 py3: ipa cert-request --principal --database fails with
BytesWarning: str() on a bytes instance
* 7143 "unknown command 'undefined'" error when changing user's password
via the web UI
* 7136 ipa-restore command doesn't exit with failure if wrong directory
manager's password is provided
* 7135 Server deployment still sets up Firefox extension, this is no
longer necessary and broken on F27+
* 7134 ipa param-find: command displays internal error
* 7132 [4.6] PyPI packages are broken
* 7131 Finish Python3 support
* 7129 ipa-server/replica-install fails with: "exception: BytesWarning:
Comparison between bytes and string" when using '--dirsrv-config-file'
parameter
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite
fails due to missing dns records
* 7119 kdc_proxy: kinit admin fails with "Cannot contact any KDC for
realm 'IPA.TEST' while getting initial credentials"
* 7115 ipa-pki-retrieve-key: failure results in crash report
* 7033 vault: TypeError: ... is not JSON serializable
* 7027 Use TLS for cert-find
* 7012 Users can delete their last active OTP token
* 6994 RFE: Remove 389-ds tuning step
* 6968 Consider moving upgrades from rpm install post
* 6874 pylint 1.7.1 fails
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6851 Don't use ctypes.util.find_library in ipaclient
* 6844 ipa-restore fails when umask is set to 0027
* 6721 While performing ipa-server-upgrade, sssd goes offline and stalls
the upgrade process
* 6703 Enable ephemeral KRA requests
* 6609 A CA administrator fails to add CA for Insufficient 'add' privilege
* 5922 ipa vault-archive overwrites an existing value without warning
* 5887 IDNA domains does not work under py3
* 5813 ipa-kra-install disrupts bind-dyndb-ldap
* 5776 webui: some data disappear from user details page after the save
action is performed
* 5638 Port client code to Python 3
* 5442 [tracker] SELinux 'execmem' denials
* 7624 [WebUI] wrong link to browser configuration guide on Login page
* 7609 [py37] Import from collections.abc
* 7604 ipa-client-install --mkhomedir doesn't enable oddjobd
* 7591 [freeipa] Drop requirements for 'initscripts' from specfile
* 7590 lightweight subca: ca-show fails on replica
* 7589 cacert renew fails on replica
* 7585 Update to python3-lesscpy 0.13
* 7581 Translated text is formed incorrectly (API Browser)
* 7562 Regression: authselect 0.4-3 breaks FreeIPA sudo rules
* 7560 Do not depend on gnupg (1.x), use gnupg2
* 7559 UI LoginScreen widget cannot be translated
* 7536 [F28] SubCA failing, keys are orphan
* 7533 ipa-advise: remove plugin config-fedora-authconfig
* 7530 external CA replica installation fails with CA_UNREACHABLE
* 7529 AVC denials and errors for IPA server installed on Fedora28
* 7524 ipa-client-install fails because of missing file
/usr/share/ipa/freeipa.template
* 7523 external CA installation: step two reports self-signed configuration
* 7516 [F28] ipa-ca-install fails on replica
* 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf
despite the migration to ssl.conf
* 7514 Allow to create Kerberos services without a corresponding host object
* 7513 Allow Kerberos services to be members of IPA groups
* 7500 FreeIPA can remove svrcore-devel requirement
* 7498 [F28] CA replica fails with could not find certificate named
"caSigningCert cert-pki-ca"
* 7491 Unknown user 'ipaapi' when updating packages
* 7490 installutils.set_directive doesn't handle debian ssl.conf properly
* 7489 Test test_caless_TestCertInstall is failing in nightly
* 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
* 7471 [F28] replica pkispawn fails
* 7469 ipa-replica-prepare fail with "stat: path should be string,
bytes, os.PathLike or integer, not NoneType"
* 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
* 7465 [F28] oddjobd not started, replica install fails with dbus error
in conn check
* 7464 CI is failing with pkispawn timeout
* 7461 Hardening of topology plugin to prevent erronous deletion of a
replica agreement
* 7426 DogtagInstance.backup_config creates backup with wrong owner
* 7421 Store HTTPD private keys encrypted
* 7418 [RFE] Improve ipa-client-install behaviour when non-standard
ldap.conf is used
* 7415 CA installer need to check availability of port 8080
* 7410 ipa-replica-install --add-agents option doesn't install
trust-agent on replica
* 7396 ipa-client-automount --uninstall should return errcode
CLIENT_NOT_CONFIGURED
* 7377 Investigate and define plan of authconfig replacement in FreeIPA
* 7354 Fedora 28: Support NSSDB SQL format
* 7322 cert_find --subject is not finding by cert subject
* 7311 Update ui_driver to allow set path for geckodriver.log
* 7310 Integration tests don't collect logs from other replicas
* 7309 Integration tests: CA-less -> CA-ful promotion; post-promotion checks
* 7304 double ca acl provoke console error.
* 7302 test_external_ca: add selfsigned > external_ca > selfsigned test case
* 7301 Drop dependency on Python nose
* 7300 test_x509: test very long OID
* 7295 Build freeIPA with Python3 in @freeipa/freeipa-master-nightly
* 7278 Run WebUI unit test in TravisCI
* 7274 ipa-replica-install fails with PIN error [ CA-less environment ]
* 7263 Typo in login screen
* 7258 typo in accounts menu
* 7257 DNSSEC isn't supported in Python3
* 7251 f.flush() or os.fsync() don't sync
* 7246 Report CA Subject DN and subject base before installing.
* 7239 Using --auto-reverse and --allow-zone-overlap does not skip zone
overlap check
* 7225 CLI: view command / plugin help in pager
* 7224 Logging: ipa-replica-conncheck is missing a /n
* 7207 ipa-server-install should prevent installations with single label
domains
* 7201 ipa-replica-manage re-initialize TypeError: 'NoneType' object
does not support item assignment
* 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
* 7095 [tracker] please rotate & compress
/var/lib/pki/pki-tomcat/logs/ca/debug
* 7049 Prepare for NSS switch default database to sqlite in F-27
* 7024 freeipa depends on ntp
* 6931 custodia user isn't created when FreeIPA RPMs are installed
* 6890 Quickstart guide: mention how to open firewall ports
* 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still
deletes group
* 6843 ipa-backup does not create log file at /var/log/
* 6837 make ipa.conf and named.conf portable
* 6760 Improve console message for "ipa-server-install --uninstall" command
* 6604 Make pylint and jsl optional (and other issues)
* 6589 client should require /etc/krb5.conf.d/
* 6450 pylint: cyclic dep check sometimes makes build fail
* 4853 Utilize system-wide crypto-policies
* 4140 Configure the NSS shared database model in IPA servers
* 3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
* 2536 Create DOAP description for the IPA project
== Detailed changelog since 4.6.4 ==
=== Armando Neto (9) ===
* Disable Pylint 2.0 violations
* Fix Pylint 2.0 violations
* Fix pylint 2.0 conditional-related violations
* Fix pylint 2.0 return-related violations
* Replace file.flush() calls with flush_sync() helper
* ipa-server-install: fix zonemgr argument validator
* ipa-client-install: Update how comments are added by ipachangeconf
* ui_tests: fix test_config::test_size_limits
* Prevent the creation of users and groups with numeric characters only
=== Alexander Bokovoy (28) ===
* ipaserver/dcerpc.py: handle indirect topology conflicts
* pylint3: workaround false positives reported for W1662
* group: allow services as members of groups
* service: allow creating services without a host to manage them
* group-del: add a warning to logs when password policy could not be removed
* idoverrideuser-add: allow adding ssh key in web ui
* ACL: Allow hosts to remove services they manage
* install: validate AD trust-related options in installers
* replication: support error messages from 389-ds 1.3.5 or later
* upgrade: treat duplicate entry when updating as not an error
* Allow anonymous access to parentID attribute
* upgrade: Run configuration upgrade under empty ccache collection
* use LDAP Whoami command when creating an OTP token
* Update template directory with new variables when upgrading
ipa.conf.template
* Processing of server roles should ignore errors.EmptyResult
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py: fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
* dsinstance: Restore context after changing dse.ldif
=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks
=== Alexander Koksharov (4) ===
* Fix replica_promotion-domlevel0 test failures
* preventing ldap principal to be deleted
* ensuring 389-ds plugins are enabled after install
* kra-install: better warning message
=== amitkuma (13) ===
* Match Common Name attribute in Subject
* ipa vault-archive overwrites an existing value without warning
* ipa-advise: remove plugin config-fedora-authconfig
* RFE: ipa client should setup openldap for GSSAPI
* Correcting detect typo in server.m4
* Correction of management spelling.
* clear sssd cache when uninstalling client
* clear sssd cache when uninstalling client
* Error message while adding idrange with untrusted domain
* Removing extra spaces present in man ipa-server-install
* ipa-advise for smartcards updated
* Custom ca-subject logging
* Documenting kinit_lifetime in /etc/ipa/default.conf
=== Anuja More (5) ===
* Test for ipa-client-install should not use hardcoded admin principal
* Test that host can remove their own services
* Test for ipa-replica-install fails with PIN error for CA-less env.
* Adding test-cases for ipa-cacert-manage
* Adding test-cases for ipa-cacert-manage
=== Aleksei Slaikovskii (17) ===
* Revert "Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
* Uninstall fix for named-pkcs11
* Radius proxy multiservers fix
* test_backup_and_restore.py Fix logging
* Enable and start oddjobd after ipa-restore if it's not running.
* Fixing translation problems
* test_backup_and_restore.py AssertionError fix
* ipalib/frontend.py output_for_cli loops optimization
* View plugin/command help in pager
* ipa-restore: Set umask to 0022 while restoring
* Prevent installation with single label domains
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install
* Make tox tests to generate results in JUnit XML
* Make WebUI unit tests to generate results as JUnit
=== Brian J. Murrell (1) ===
* Move ETag disabling to /ipa virtual server
=== Christian Heimes (191) ===
* Remove needless use of %defattr
* Add more RHEL customizations to spec file
* Update builddep command in BUILD.txt
* Use python2_sitelib in spec file
* Fedora 29: No longer build python2-ipaserver
* Add pylint ignore to magic config.Env attributes
* Teach pylint how our api works
* Fix ipa console filename
* Create helper function to upload to temp file
* Add tab completion and history to ipa console
* Handle races in replica config
* pylint 2.0: node.path is a list
* Fix XPASS in test_installation
* Mark all expected failures as strict
* Fix DNSSEC install regression
* Wait for client certificates
* Auto-retry failed certmonger requests
* Tune DS replication settings
* Fix race condition in get_locations_records()
* Fix CA topology warning
* Delay enabling services until end of installer
* Only create DNS SRV records for ready server
* Query for server role IPA master
* Cleanup shebang and executable bit
* Import ABCs from collections.abc
* Require JSS 4.4.5 with replication fixes
* Extend Sub CA replication test
* pylint: Class node has been renamed to ClassDef
* Python 3.7: re module has no re._pattern_type
* Catch ACIError instead of invalid credentials
* Fix permission of public files in upgrader
* Make /etc/httpd/alias world readable & executable
* Always make ipa.p11-kit world-readable
* Ensure that public cert and CA bundle are readable
* Use 4 WSGI workers on 64bit systems
* Fix replication races in Dogtag admin code
* Use common replication wait timeout of 5min
* Improve and fix timeout bug in wait_for_entry()
* Remove restarted_named and xfail
* Tests: Set default TTL for DNS zones to 1 sec
* Always set ca_host when installing replica
* Start to deprecate Python 2 and 3.5
* Sort and shuffle SRV record by priority and weight
* Increase WSGI process count to 5 on 64bit
* Fedora 29 renamed fedora-domainname.service
* Use python3-lesscpy 0.13.0
* Split external_ca PR-CI into two jobs
* Always build Python 3 packages
* Make Python 2 build dependency optional
* Use one Custodia peer to retrieve all secrets
* Move client templates to separate directory
* Print version string in installer
* Backport gzip.decompress for Python 2
* Require JSS 4.4.4 with fix for sub CA replication
* Refuse PORT, HOST in /etc/openldap/ldap.conf
* Apply sane LDAP settings to C code
* Use sane default settings for ldap connections
* Add test case for allow-create-keytab
* Use GnuPG 2 for backup/restore
* Use GnuPG 2 for symmetric encryption
* Require python-ldap >= 3.1.0
* Reproducer for issue 5923 (bytes in error response)
* Run PR-CI with Fedora 28
* Revert "Validate the Directory Manager password"
* Create missing /etc/httpd/alias for ipasession.key
* Only run subset of external CA tests
* Require Dogtag 10.6.1
* Require nss with fix for nickname bug
* ipa-client package needs sssd-tool
* Make ipatests' create_external_ca a script
* Load certificate files as binary data
* Remove contrib/nssciphersuite
* Compatibility with pytest 3.4
* Use shutil to copy file
* Use single Custodia instance in installers
* Add augeas dependency to client package
* Create users in server-common pre hook
* Require 389-ds-base >= 1.4.0.8-1
* CA replica PKCS12 workaround for SQL NSSDB
* Add nsds5ReplicaReleaseTimeout to replica config
* Fix Python dependencies
* Remove os.chdir() from test_ipap11helper
* certdb: Move chdir into subprocess call
* Provide ldap_uri in Custodia uninstaller
* Defer import of ipaclient.csrgen
* Require more recent glibc on F27
* Load librpm on demand for IPAVersion
* Fix installer CA port check for port 8080
* Temporarily disable authconfig backup and restore
* Cleanup and remove more files on uninstall
* Fix compatibility with latest pytest
* More cleanup after uninstall
* Require Dogtag PKI >= 10.6
* Keep owner when backing up CA.cfg
* Pylint 1.8.3 fixes
* Relax message check in test_create_host_with_ip
* Make fasttest pass without ~/.ipa/default.conf
* Instrument installer to profile steps
* autoconf prefers Python 3 over 2
* Simplify Python package installation
* Move DNS related files to server-dns package
* Silence GCC warning in ipa_extdom
* Silence GCC warning in ipa-kdb
* Remove unused modutils wrappers from NSS/CertDB
* Update /etc/ipa/nssdb in client scripts
* NSS: Force restore of SELinux context
* NSSDB: Let certutil decide its default db type
* Prepare migration of mod_nss NSSDB to sql format
* certmonger: Use explicit storage format
* Remove deprecated -p option from ipa-dns-install
* Add mocked test for named crypto policy update
* Upgrade named.conf to include crypto policy
* Use system-wide crypto-policies on Fedora
* Add better CalledProcessError and run() logging
* freeipa-server no longer supports i686 arch on F28
* ipa-custodia-checker now uses python3 shebang
* Unified ldap_initialize() function
* Fix multiple uninstallation of server
* Fix i18n test for Chinese translation
* Run API and ACI under Python 2 and 3
* Generate same API.txt under Python 2 and 3
* Replace wsgi package conflict with config file
* Restart named-pkcs11 after KRA installation
* Update existing 389-DS cn=RSA,cn=encryption config
* Replace hard-coded paths with path constants
* Bump python-ldap version to fix syncrepl bug
* Bump SELinux policy for DNSSEC
* ipa-server-upgrade now checks custodia server keys
* DNSSEC code cleanup
* DNSSEC: Reformat lines to address PEP8 violations
* Decode ODS commands
* Run DNSSEC under Python 3
* More DNSSEC house keeping
* Remove unused PyOpenSSL from spec file
* Give ODS socket a bit of time
* Require dbus-python on F27
* Fix pylint error in ipapython/dn.py
* Lower python-ldap requirement for F27
* ipa-run-tests: make --ignore absolute, too
* Sort external schema files
* LGTM: unnecessary else in for loop
* LGTM: Use explicit string concatenation
* LGTM: raise handle_not_found()
* LGTM: Fix multiple use before assignment
* LGTM: Remove redundant assignment
* LGTM: Fix exception in permission_del
* LGTM: Membership test with a non-container
* LGTM: Name unused variable in loop
* LGTM: Use of exit() or quit()
* LGTM: Silence unmatchable dollar
* Make fastlint even faster
* ipa-run-tests: replace chdir with plugin
* Include ipa_krb5.h without util prefix
* Custodia uninstall: Don't fail when LDAP is down
* Require python-ldap 3.0.0b2
* Use pylint 1.7.5 with fix for bad python3 import
* Vault: Add argument checks to encrypt/decrypt
* Fix pylint warnings inconsistent-return-statements
* Travis: Add workaround for missing IPv6 support
* Replace nose with unittest and pytest
* Add safe DirectiveSetter context manager
* More log in verbs
* Address more 'to login'
* Fix grammar error: Log out
* Fix grammar in login screen
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* NSSDB: use preferred convert command
* Skip test_rpcclient_context in client tests
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* Require UTF-8 fs encoding
* libotp: add libraries after objects
* Run tox tests for PyPI packages on Travis
* Support sqlite NSSDB
* Py3: Fix vault tests
* Test script for ipa-custodia
* ipa-custodia: use Dogtag's alias/pwdfile.txt
* Use namespace-aware meta importer for ipaplatform
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi
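The commit "Sort and shuffle SRV record by priority and weight" in the list above refers to the client-side selection order that RFC 2782 prescribes for SRV records: lowest priority first, and within one priority a weighted random shuffle. The block below is an added example of that procedure written for this page; it is not FreeIPA's own code. The SRVRecord tuple, the sample records and the helper names (order_srv_records, ordered_with_seed, priorities_nondecreasing) are constructed for illustration only.

```python
import random
from collections import namedtuple
from itertools import groupby

# Constructed record shape and sample data (not FreeIPA's data structures).
SRVRecord = namedtuple("SRVRecord", "priority weight port target")

SAMPLE_RECORDS = [
    SRVRecord(10, 50, 389, "ipa1.example.test."),
    SRVRecord(0, 100, 389, "ipa2.example.test."),
    SRVRecord(10, 0, 389, "ipa3.example.test."),
    SRVRecord(0, 20, 389, "ipa4.example.test."),
]


def order_srv_records(records, rng=None):
    """Return records in RFC 2782 selection order.

    Records are grouped by ascending priority. Inside a priority group a
    weighted random draw picks the next record: a record's chance of being
    chosen is proportional to its weight, and zero-weight records are only
    selected when the draw is 0 (or when every remaining record has weight 0).
    Passing an explicit random.Random makes the result reproducible.
    """
    rng = rng or random.Random()
    ordered = []
    by_priority = sorted(records, key=lambda r: r.priority)
    for _, group in groupby(by_priority, key=lambda r: r.priority):
        # RFC 2782: list zero-weight records first within a priority so that
        # a draw of 0 lands on them before any weighted record.
        bucket = sorted(group, key=lambda r: r.weight != 0)
        while bucket:
            total = sum(r.weight for r in bucket)
            draw = rng.randint(0, total)
            running = 0
            for idx, rec in enumerate(bucket):
                running += rec.weight
                if running >= draw:
                    ordered.append(bucket.pop(idx))
                    break
    return ordered


def ordered_with_seed(seed):
    """Order SAMPLE_RECORDS with a fixed seed (reproducible for checks)."""
    return order_srv_records(SAMPLE_RECORDS, random.Random(seed))


def priorities_nondecreasing(records):
    """True if no record is listed before one with a lower priority."""
    priorities = [r.priority for r in records]
    return priorities == sorted(priorities)


if __name__ == "__main__":
    for rec in ordered_with_seed(7):
        print(rec.priority, rec.weight, rec.target)
```

The priority ordering is deterministic; only the order within a priority group varies from run to run, which is the property that spreads client load across equal-priority servers while still preferring the lower-priority tier.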
=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly
=== Felipe Barreto (38) ===
* Adding xfail to failing tests
* Fixing tests on TestReplicaManageDel
* Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
* Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
* Adding GSSPROXY_CONF to be backed up on ipa-backup
* Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
* Fix TestSubCAkeyReplication providing the right path to pki log
* temp commit: adding test to PR CI run
* Adding right parameters to install IPA in
TestInstallMasterReservedIPasForwarder
* Changing Django's CoC to reflect FreeIPA CoC
* Adding Django's Code of Conduct
* prci: Bump ci-master-f27 template to 1.0.3
* Adding more tests to PR CI
* Fixing cleanup process in test_caless
* WebUI Tests: changing the ActionsChains.move_to_element to a new approach
* WebUI Tests: fixing test_user.py::test_test_noprivate_posix
* WebUI Tests: Changing how the initial load process is done
* WebUI Tests: fixing test_range test case
* WebUI Tests: changing how the login screen is detected
* WebUI Tests: refactoring login method to be more readable
* WebUI Tests: fixing test_navigation
* WebUI Tests: fixing test_group
* WebUI Tests: fixing test_hbac
* Check if replication agreement exist before enable/disable it
* Make IntegrationTest fail if an error happened during uninstall
* IntegrationTests now collects logs from all test methods
* Fixing vault-add-member to be compatible with py3
* Fixing test_backup_and_restore assert to do not rely on the order
* Fixing test_testconfig with proper asserts
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
* Checks if Dir Server is installed and running before IPA installation
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica
=== François Cami (1) ===
* 10-config.update: remove nsslapd-sasl-max-buffer-size override as
https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389
Directory Server.
=== Florence Blanc-Renaud (38) ===
* ipa client uninstall: clean the state store when restoring hostname
* Add test for ticket 7604: ipa-client-install --mkhomedir doesn't
enable oddjobd
* ipa-client-install: enable and start oddjobd if mkhomedir
* fix dependency for *-domainname.service file
* Installer: configure authselect with-sudo
* Test for 7526
* ipa-server-install: publish complete cert chain in
/usr/share/ipa/html/ca.crt
* authselect migration: use stable interface to query current config
* authselect test: skip test if authselect is not available
* ipa-advise: adapt config-client-for-smart-card-auth to authselect
* Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
* New tests for authselect migration
* Migration from authconfig to authselect
* ipa-advise config-server-for-smart-card-auth: use mod-ssl
* ipa-replica-install: make sure that certmonger picks the right master
* ipa-restore: remove /etc/httpd/conf.d/nss.conf
* ipa-server-install: handle error when calling kdb5_util create
* ipa host-add: do not raise exception when reverse record not added
* ACI: grant access to admins group instead of admin user
* 389-ds OTP lasttoken plugin: Add unit test
* User must not be able to delete his last active otp token
* ipa host-add --ip-address: properly handle NoNameservers
* test_integration: backup custodia conf and keys
* Idviews: fix objectclass violation on idview-add
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-replica-install when key not protected by PIN
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
* Fix ipa-server-upgrade with server cert tracking
* Python3: Fix winsync replication agreement
* Fix ipa config-mod --ca-renewal-master
=== Fraser Tweedale (52) ===
* Add missing space in error string
* Handle compressed responses from Dogtag
* install: fix reported external CA configuration
* csrgen: fix when attribute shortname is lower case
* csrgen: drive-by docstring
* csrgen: support initialising OpenSSL adaptor with key object
* py3: fix csrgen error handling
* certprofile: add tests for config profileId scenarios
* certprofile: reject config with multiple profileIds
* Fix upgrade (update_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout
* upgrade: remove fix_trust_flags procedure
* ldap2: fix implementation of can_add
* ipaldap: allow GetEffectiveRights on individual operations
* Update IPA CA issuer DN upon renewal
* cert-request: avoid internal error when cert malformed
* Improve warning message for malformed certificates
* Don't use admin cert during KRA installation
* Add uniqueness constraint on CA ACL name
* Add tests for installutils.set_directive
* installutils: refactor set_directive
* pep8: reduce line lengths in CAInstance.__enable_crl_publish
* Prevent set_directive from clobbering other keys
* install: report CA Subject DN and subject base to be used
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Re-enable some KRA installation tests
* Use correct version of Python in RPM scripts
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* Add missing space in ipa-replica-conncheck error
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
* ipa-pki-retrieve-key: ensure we do not crash
* issue_server_cert: avoid application of str to bytes
=== Ganna Kaihorodova (7) ===
* check nsds5ReplicaReleaseTimeout option was set
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder
* Override trust methods for integration tests
=== John Morris (1) ===
* Increase dbus client timeouts during CA install
=== Justin Stephenson (1) ===
* Skip zone overlap check with auto-reverse
=== Kaleemullah Siddiqui (1) ===
* Test coverage for multiservers for radius proxy
=== Martin Basti (3) ===
* py3: bindmgr: fix iteration over bytes
* py3: ipa-dnskeysyncd: fix bytes issues
* py3: set samba dependencies
=== Takeshi MIZUTA (1) ===
* Fix some typos in man page
=== Michal Reznik (54) ===
* Mark DL0 TestReplicaManageDel tests as xfail
* ipa_tests: ipa-replica-prepare stuck on user input
* ui_tests: stabilization fixes
* ui_tests: extend test_config.py suite
* ui_tests: fixes for issues with sending key and focus on element
* ui_tests: add click_undo_button() func
* ui_tests: extend test_selinuxusermap.py suite
* ui_tests: improve "field_validation" method
* ui_tests: checkbox click fix
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function
* test_caless: adjust try/except to capture also IOError
* ipa_tests: test signing request with subca on replica
* tests: ca-less to ca-full - remove certupdate
* ipa_tests: test subca key replication
* test_caless: add SAN extension to other certs
* prci: run full external_ca test suite
* tests: move CA related modules to pytest_plugins
* test_external_ca: selfsigned->ext_ca->selfsigned
* test_tasks: add sign_ca_and_transport() function
* paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
* test_caless: test PKINIT install and anchor update
* test_renewal_master: add ipa csreplica-manage test
* test_cert_plugin: check if SAN is added with default profile
* test_help: test "help" command without cache
* test_x509: test very long OID
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* test_forced_client: decode get_file_contents() result
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography
=== Varun Mylaraiah (5) ===
* ui_tests: extend test_pwpolicy.py suite
* Extend WebUI test_krbpolicy suite with the following test cases:
test_verifying_button (verify button's action in various scenarios)
test_negative_value (verify invalid values) test_verifying_measurement_unit
* WebUI tests: Extend netgroup tests with more scenarios
* Fixed improper clean-up in test_host::test_kerberos_flags; added
closing the notification in kerberos flags
* WebUI tests: Extend user group tests with more scenarios
=== Mohammad Rizwan Yusuf (9) ===
* Check if issuer DN is updated after self-signed > external-ca
* Extended UI test for Certificates
* Extended UI test for selfservice permission.
* Test to check second replica installation after master restore
* Before the fix, when ipa-backup was called for the first time, the
LDAP database exported to
/var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif
is called for this and it runs under root, hence files were owned by root.
* Updated the TestExternalCA with the functions introduced for the steps
of external CA installation.
* When the dirsrv service, which gets started during the first
ipa-server-install --external-ca phase, is not running when the second
phase is run with --external-cert-file options, the ipa-server-install
command fails.
* IANA reserved IP address can not be used as a forwarder. This test
checks if ipa server installation throws an error when 0.0.0.0 is
specified as forwarder IP address.
* ipatest: replica install with existing entry on master
=== Nikhil Dehadrai (1) ===
* Test for improved Custodia key distribution
=== Armando Neto (1) ===
* ipaserver config plugin: Increase search records minimum limit
=== Nathaniel McCallum (3) ===
* Revert "Don't allow OTP or RADIUS in FIPS mode"
* Increase the default token key size
* Fix OTP validation in FIPS mode
=== Petr Čech (3) ===
* webui:tests: Add tests for realmd domains
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection
=== Pavel Picka (2) ===
* Adding WebUI Host test cases
* WebUI Hostgroups tests cases added
=== Petr Vobornik (17) ===
* Update Dojo and Dojo builder to 1.13.0
* WebUI build: use NodeJS instead of Rhino
* WebUI build: replace uglifyjs with system package
* Fix test_server_del::TestLastServices
* server-del do not return early if CA renewal master cannot be changed
* webui: refresh complex pages after modification
* Fix order of commands in test for removing topology segments
* webui tests: fix test_host:test_crud failure
* realm domains: improve doc text
* webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
* Revert "temp commit to run the affected tests"
* temp commit to run the affected tests
* webui:tests: close big notifications in realm domains tests
* webui:tests: realm domain add with DNS check
* webui:tests: move DNS test data to separate file
* fastcheck: do not test context in pycodestyle
* browser config: cleanup after removal of Firefox extension
=== Pavel Vomacka (16) ===
* WebUI: make keytab tables on service and host pages writable
* Include npm related files into Makefile and .gitignore
* Update jsl.conf in tests subfolder
* Edit TravisCI conf files to run WebUI unit tests
* Update README about WebUI unit tests
* Update tests
* Create symlink to qunit.js
* Update jsl to not warn about module in Gruntfile
* Add Gruntfile and package.json to ui directory
* Update QUnit CSS file to 2.4.1
* Update qunit.js to version 2.4.1
* Extend ui_driver to support geckodriver log_path
* WebUI: make Domain Resolution Order writable
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing
=== Rob Crittenden (62) ===
* replicainstall: DS SSL replica install pick right certmonger host
* Extend CALessBase::installer_server to accept extra_args
* Handle subtypes in ACIs
* server install: drop some print statements, change log level
* Drop attr defaultServerList if removing the last server
* Improve console logging for ipa-server-install
* Replace some test case adjectives
* Suppress missing cn=schema compat on installation
* Use replace instead of add to set new default ipaSELinuxUserMapOrder
* Disable Schema Compat plugin during server upgrade
* Add tests for ipa-restore with DM password validation check
* Validate the Directory Manager password before starting restore
* Rename test class for testing simple commands, add test
* Don't try to set Kerberos extradata when there is no principal
* Client install should handle automount unconfigured on uninstall
* Return unique error when automount is already or not configured
* VERSION.m4: Set back to git snapshot
* Become IPA 4.6.90.pre2
* Update 4.7 translations
* Fix certificate retrieval in ipa-replica-prepare for DL0
* Disable message about log in ipa-backup if IPA is not configured
* Use a regex in installutils.get_directive instead of line splitting
* Handle whitespace, add separator to regex in set_directive_lines
* Validate the Directory Manager password before starting restore
* Log service start/stop/restart message
* Update project metadata in ipasetup.py.in
* Allow dot as a valid character in an selinux identity name
* Remove xfail from CALess test test_http_intermediate_ca
* Some PKCS#12 errors are reported with full path names
* ipa-server-certinstall failing, unknown option realm
* Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
* Break out of teardown in test_replica_promotion.py if no config
* Remove the Continuous installer class, it is unused
* Return a value if exceptions are raised in server uninstall
* VERSION.m4: Set back to git snapshot
* Become IPA 4.6.90.pre1
* Update Contributors.txt
* Redirect CRL requests to the http port, not the https port
* Don't try to backup CS.cfg during upgrade if CA is not configured
* Don't return None on mismatched interactive passwords
* Update smart_card_auth advise script for mod_ssl
* Add value in set_directive after a commented-out version
* Don't backup nss.conf on upgrade with the switch to mod_ssl
* Enable upgrades from a mod_nss-installed master to mod_ssl
* Convert ipa-pki-proxy.conf to use mod_ssl directives
* Remove main function from the certmonger library
* Use mod_ssl instead of mod_nss for Apache TLS for new installs
* Fix detection of KRA installation so upgrades can succeed
* Move Requires: pythonX-sssdconfig into conditional
* Log contents of files created or modified by IPAChangeConf
* Don't manually generate default.conf in server, use IPAChangeConf
* Enable ephemeral KRA requests
* Make the path to CS.cfg a class variable
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
* Add exec to /var/lib/ipa/sysrestore for install status inquiries
* Use TLS for the cert-find operation
=== Robbie Harwood (5) ===
* Fix elements not being removed in otpd_queue_pop_msgid()
* Move krb5 snippet into freeipa-client-common
* Enable SPAKE support using krb5.conf.d snippet
* Log errors from NSS during FIPS OTP key import
* ipa-kdb: support KDB DAL version 7.0
=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Sumit Bose (2) ===
* ipa-kdb: update trust information in all workers
* ipa-kdb: use magic value to check if ipadb is used
=== John L (1) ===
* Remove special characters in host_add random OTP generation
=== Stanislav Laznicka (84) ===
* Move config directives handling code
* Travis: ignore 'line break after binary operator'
* Allow user administrator to change user homedir
* mod_ssl: add SSLVerifyDepth for external CA installs
* Add absolute_import to test_authselect
* Fix typo in ipa-getkeytab --help
* Add absolute_import future imports
* replica-install: pass --ip-address to client install
* ipa_backup: Backup the password to HTTPD priv key
* Fix upgrading of FreeIPA HTTPD
* Remove py35 env from tox testing
* Encrypt httpd key stored on disk
* Dogtag configs: rename deprecated options
* Backup HTTPD's mod_ssl config and cert-key pair
* vault: fix vault-retrieve to a file
* Backup ssl.conf when migrating from mod_nss
* Move HTTPD cert/key pair to /var/lib/ipa/certs
* httpinstance fixup: remove commented-out lines
* httpinstance: fix publishing of CA cert
* httpinstance: verify priv key belongs to certificate
* httpinstance: backup mod_nss conf instead of just removing it
* service: rename import_ca_certs_* to export_*
* fixup: add ipa-rewrite.conf to ssl.conf on upgrade
* Make ipa-server-certinstall store HTTPD cert in a file
* certupdate: don't update HTTPD NSS db
* x509: Fix docstring of write_certificate()
* x509: Remove unused argument of load_certificate_from_file()
* httpinstance: handle supplied PKCS#12 files in installation
* mod_ssl migration: fix upload_cacrt.py plugin
* Fix FileStore.backup_file() not to backup same file
* Have all the scripts run in python 3 by default
* replica_prepare: Remove the correct NSS DB files
* Add a helpful comment to ca.py:install_check()
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* travis: pep8 changes to pycodestyle
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions
* rpc: don't decode cookie_string if it's None
* Don't write p11-kit EKU extension object if no EKU
* pylint: fix missing module
* travis: run the same tests in python2/3
* certmap testing: fix wrong cert construction
* ldap2: don't use decode() on str instance
* client: fix retrieving certs from HTTP
* uninstall: remove deprecation warning
* ldif: handle attribute names as strings
* pkinit: don't fail when no pkinit servers found
* pkinit: fix sorting dictionaries
* travis: remove "fast" from "makecache fast"
* Change Travis CI container to FreeIPA-owned
* Change the requirements for pylint in wheel
* rpcserver: don't call xmlserver.Command
* secrets: disable relative-imports for custodia
* pylint: disable __hash__ for some classes
* install.util: disable no-value-for-parameter
* pylint: make unsupported-assignment-operation check local
* sudocmd: fix unsupported assignment
* pylint: Iterate through dictionaries
* parameters: convert Decimal.precision to int
* dcerpc: disable unbalanced-tuple-unpacking
* dcerpc: refactor assess_dcerpc_exception
* pylint: fix no-member in schema plugin
* csrgen: fix incorrect codec for pyasn BitString
* pylint: fix not-context-manager false positives
* travis: temporary workaround for Travis CI
* Travis: archive logs of py3 jobs
=== Stanislav Levin (11) ===
* Fix link to browser configuration guide on Login page
* Fix some untranslatable commands in Web UI API Browser
* Apply validate_doc() to NO_CLI commands
* Fix formatted translations of error messages in topology plugin
* Fix formatted translations of error messages in serverroles plugin
* Fix formatted translations in trust plugin
* Fix translation of idrange_* commands description
* Fix formatted translations in domainlevel plugin
* Use intended format() method of translation object
* Add support for format method to translation objects
* Fix translation of commands description in API Browser
=== Sudhir Menon (2) ===
* Adding modified DOAP file
* DOAP Description for IPA Project
=== Thierry Bordaz (2) ===
* Hardening of topology plugin to prevent erroneous deletion of a replica agreement
* 389-ds-base crashed as part of ipa-server-install in ipa-uuid
=== Tibor Dudlák (15) ===
* Use temporary pid file for chronyd -q task
* Fix format string passed to pytest-multihost
* Configure chrony with pool when server not set
* Add enabling chrony daemon when not configured
* Remove unnecessary option --force-chrony
* Remove NTP server role while upgrading
* Removes NTP server role from servroles and description
* Update man pages for FreeIPA client, replica and server install
* Adding method to ipa-server-upgrade to cleanup ntpd
* Add --ntp-pool option to installers
* FreeIPA server is time synchronization client only
* Replace ntpd with chronyd in installation
* Add dependency and paths for chrony
* Removes ntp from dependencies and behave as there is always -N option
* Do not check deleted files with `make fastlint`
=== Timo Aaltonen (9) ===
* Fix HTTPD SSL configuration for Debian.
* ldapupdate: Add support for Debian multiarch
* named.conf: Disable duplicate zone on debian, and modify data dir
* Add mkhomedir support for Debian
* paths: Fix some path definitions for Debian.
* constants: Fix HTTPD_GROUP for Debian
* Create kadm5.acl if it doesn't exist
* ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
* Move config templates from install/conf to install/share
=== Tomas Krizek (20) ===
* test_dnssec: re-add named-pkcs11 workarounds
* py3 dnssec: convert hexlify to str
* py3: bindmgr: fix bytes issues
* prci: bump ci-master-f27 template to 1.0.2
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* spec: bump python-pyasn1 to 0.3.2-2
* prci: use f26 template for master
* VERSION: set 4.6 git snapshot
* Contributors.txt: update
=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to api_env var.
Certificates renewing with the wrong Subject
by Roderick Johnstone
Hi
Our freeipa certificates need to be renewed due to passing their expiry
dates.
While some certificates have renewed ok, the ipaCert and
auditSigningCert are renewing but the new certificates have the wrong
Subject.
Environment is:
serverA (CRL, first, master) RHEL 7.3, ipa 4.4
serverB (replica) RHEL 7.3, ipa 4.4
serverC (replica) RHEL 7.4, ipa 4.5
Once there are renewed certificates with the wrong Subject present,
there are various problems with renewing the remaining certificates,
which I think might be related to the bad Subject:
1) When just ipaCert has the wrong subject no further renewals happen
2) When auditSigningCert has the wrong subject the ipa pki-tomcatd
service will not start and no further renewals happen.
I've been round the following loop many times on ServerA, our first master:
1) Restore good certificates from backup
2) Put the clock back to a time when certificates are all valid
3) Resubmit certificates for renewal
Each time the ipaCert renews it has the same wrong Subject. The wrong
Subject includes the host name of one of our ipa client systems.
Each time the auditSigningCert renews it has the same wrong Subject but
a different subject to the ipaCert. The wrong Subject in this case
includes the host name of a system which has never been an ipa client,
but might have been added and removed with ipa host-add and ipa host-del
for testing something, a while ago.
As far as I can see, the "cert_subject" is set correctly in the file
/var/lib/certmonger/<request id> until the point at which the
certificate is actually renewed.
I'd be very grateful for some pointers as to which configuration options
and logs to check through to resolve this problem on our production system.
If it's of any relevance, we did change which server is the first master
some time ago.
Thanks
Roderick Johnstone
Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start
by Jokinen Eemeli
Hello all!
I have a very similar problem to this one:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
ipa-server-upgrade fails as below
--
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
--
And the log tells me that CA returns status 500
--
DEBUG Waiting for CA to start...
DEBUG request POST http://<<ipa1.fqdn>>:8080/ca/admin/ca/getStatus
DEBUG request body ''
DEBUG response status 500
DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Fri, 15 Jun 2018 10:05:29 GMT
Connection: close
DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
DEBUG Waiting for CA to start...
ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
raise admintool.ScriptError(str(e))
The ipa-server-upgrade command failed, exception: ScriptError: CA did not start in 300.0s
ERROR CA did not start in 300.0s
--
With command "ipactl start --ignore-service-failures" I can start all the services but pki-tomcatd.
--
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
--
Suggested resolution to above problem doesn't help me since the LDAP and NSS DB seem to have same certificates (some difference in wrapping but the string is same if I take out the line breaks) and even the serial number matches.
--
certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
MIIDjD...
...Prh2G
-----END CERTIFICATE-----
certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial
Serial Number: 4 (0x4)
ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
Enter LDAP Password:
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIIDjD...
...Prh2
G
description: 2;4;CN=Certificate Authority,O=<<REALM>>;CN=CA Subsystem,
O=<<REALM>>
seeAlso: CN=CA Subsystem,O=<<REALM>>
--
And here's where my actual knowledge of things ends. I've been trying to figure out all kinds of logs (tomcat, Kerberos, directory server, ...) but haven't found a solid reason for it. I'm starting to believe this is a certificate issue, because although "getcert list" tells me that the certificate status is "Monitoring" on all certificates, the expiry date is already in the past (current date 20.6.2018, certificate expiry 21.03.2018) on 4 certificates and it won't update even if I resubmit it or delete the certificate and manually redo it (it got the same date as the "old ones"). The "main certs" ("caSigningCert cert-pki-ca", "Server-Cert cert-pki-ca" and two directory server certs) are valid for years (until 2020+).
--
Request ID '20160331084234':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=<<REALM>>
subject: CN=OCSP Subsystem,O=<<REALM>>
expires: 2018-03-21 09:42:04 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20160331085008':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<<REALM>>
subject: CN=<<ipasrv1.fqdn>>,O=<<REALM>>
expires: 2020-03-04 09:58:23 UTC
principal name: HTTP/<<ipasrv1.fqdn>>@<<REALM>>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
--
Has anyone else bumped into the same kind of issues? Any ideas where I should continue looking? I'm starting to run out of ideas...
Eemeli Jokinen
/etc/httpd/alias not getting renewed cert
by Thomas Letherby
Hello all,
I had an issue a short while ago with a replica which turned out to be an
expired certificate which I renewed and all seemed good.
Seemed...
It now appears that although the certificate renewed as seen by getcert
-list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
services won't start unless I set the date to before the certificate
expired, and even then sometimes the httpd error_log shows:
Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
to nss.conf so the server can start until the problem can be resolved.
and the service fails to start.
I've tried resubmitting the certificate, and it doesn't seem to throw an
error, but it doesn't update /alias either.
Trying to access the server via the web page shows the old certificate
still in use.
I see the same certificate error with the replica server, which was freshly
rebuilt and added last week.
I've doubtless dug further into the hole trying to troubleshoot this, so I
probably need to start from the beginning again, and a pointer in the right
direction would be a great help!
A getcert list shows all the certificates expiry dates well into the future.
How can I get the certs back in sync? I've found a few guides and most seem
to be for earlier versions, and I'm not sure if they're still current.
I can post whatever logs you think will help, I'm afraid I'm not familiar
enough with them all to tell which are the most relevant. Is there a guide
for the logs?
Thanks for any help you can give,
Thomas
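Two checks recur in the posts above: Eemeli compares the `subsystemCert` in the pki-tomcat NSS database with the `userCertificate` of `uid=pkidbuser` in LDAP (where only the line wrapping differs), and both Eemeli and Thomas ask whether a request that `getcert list` reports as MONITORING is in fact still valid. The script below is an added example, not code from either poster or from the FreeIPA project. It parses `getcert list` output and flags tracked certificates whose expiry is already in the past, unfolds an LDIF `userCertificate::` value and a `certutil -a` PEM export to the same DER bytes, compares their SHA-256 fingerprints, and reads the serial number out of the DER so it can be checked against `certutil`'s `Serial Number:` line. All sample data is constructed: the realm `EXAMPLE.TEST`, the host `ipasrv1.example.test`, and a stand-in DER blob that has the X.509 Certificate/tbsCertificate/version/serialNumber framing but filler after it; the DER reader handles long-form lengths, so it also works on a real certificate exported from the NSS DB.

```python
import base64
import hashlib
import re
import textwrap
from datetime import datetime

# Constructed sample in the layout `getcert list` prints (hypothetical realm and host).
GETCERT_SAMPLE = """\
Request ID '20160331084234':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2018-03-21 09:42:04 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20160331085008':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipasrv1.example.test,O=EXAMPLE.TEST
\texpires: 2020-03-04 09:58:23 UTC
\ttrack: yes
\tauto-renew: yes
"""
NOW_IN_POST = datetime(2018, 6, 20)  # "current date 20.6.2018" from the post, naive UTC


def parse_getcert(text):
    """Turn `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests


def expired_but_monitoring(requests, now_utc):
    """IDs whose certificate has expired although certmonger still reports MONITORING."""
    stale = []
    for req in requests:
        expires = datetime.strptime(req["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        if req.get("status") == "MONITORING" and expires < now_utc:
            stale.append(req["id"])
    return stale


def _der(tag, content):
    """Minimal DER TLV encoder (short-form length only), used to build the sample."""
    return bytes([tag, len(content)]) + content


# Constructed stand-in for a certificate: the SEQUENCE/tbsCertificate/version/serialNumber
# framing is real X.509, the rest is filler. Serial 4 mirrors "Serial Number: 4 (0x4)".
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))                      # [0] EXPLICIT version v3
    + _der(0x02, b"\x04")                                # serialNumber INTEGER 4
    + _der(0x04, b"filler, not a real certificate body")))

_B64 = base64.b64encode(SAMPLE_DER).decode()
# Same bytes as `certutil -L ... -a` would print (PEM, 64-column lines) ...
PEM_SAMPLE = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(_B64, 64))
              + "\n-----END CERTIFICATE-----\n")
# ... and as ldapsearch prints them: base64 attribute folded with leading-space continuations.
_ATTR_LINE = "userCertificate:: " + _B64
LDIF_SAMPLE = ("dn: uid=pkidbuser,ou=people,o=ipaca\n" + _ATTR_LINE[:76]
               + "".join("\n " + _ATTR_LINE[i:i + 75] for i in range(76, len(_ATTR_LINE), 75))
               + "\ndescription: 2;4;CN=Certificate Authority,O=EXAMPLE.TEST;CN=CA Subsystem,O=EXAMPLE.TEST\n")


def pem_to_der(pem):
    """Strip PEM armour and line breaks, decode to DER."""
    body = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def ldif_attr_to_der(ldif, attr="userCertificate"):
    """Unfold LDIF continuation lines (leading space) and decode the base64 (::) value."""
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith(attr + ":: "):
            return base64.b64decode(line[len(attr) + 3:])
    raise ValueError(f"{attr} not present")


def _tlv(buf, pos):
    """Read one DER TLV at pos; long-form lengths are handled so real certs parse too."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def serial_number(der):
    """Serial from Certificate -> tbsCertificate -> [optional version] -> serialNumber."""
    tag, tbs, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, inner, _ = _tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, nxt = _tlv(inner, 0)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        tag, body, nxt = _tlv(inner, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(body, "big")


def same_certificate(der_a, der_b):
    """Byte-for-byte identity via SHA-256, which the wrapping differences obscure."""
    return hashlib.sha256(der_a).hexdigest() == hashlib.sha256(der_b).hexdigest()


def demo():
    """Run both checks on the constructed samples."""
    nss, ldap = pem_to_der(PEM_SAMPLE), ldif_attr_to_der(LDIF_SAMPLE)
    return {
        "stale_requests": expired_but_monitoring(parse_getcert(GETCERT_SAMPLE), NOW_IN_POST),
        "nss_equals_ldap": same_certificate(nss, ldap),
        "serial": serial_number(nss),
    }


if __name__ == "__main__":
    print(demo())
```

On a live server the same functions take the real output: feed `getcert list` into `parse_getcert` with `datetime.utcnow()` as the reference time, `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a` into `pem_to_der`, and the `ldapsearch` result for `uid=pkidbuser,ou=people,o=ipaca` into `ldif_attr_to_der`. A fingerprint mismatch means LDAP and the NSS DB hold different certificates; a match with a stale expiry, as in Eemeli's case, points at renewal itself rather than at the LDAP copy.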