FreeIPA replica
by Alfredo De Luca
Hi all.
I am trying to add a replica on a FreeIPA server at domain level 1 (version 4.5.4 on
CentOS 7) but I get the following error:
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Cannot promote this client to a replica. Local domain 'digit.test' does
not match IPA domain 'mytestdomain.it'.
Now I know that on an IPA server at domain level 1 you cannot add a replica from the
server, so that's why I tried:
1. ipa-client-install (gone well)
2. ipa-replica-install (with errors)
Any idea?
--
*Alfredo*
5 years, 1 month
Issue with creating CA replica/how to do so
by Jared Biel
Hello,
I'm trying to add a CA replica to an already established "regular" replica
and am unable to do so. Can anyone point me to instructions for how to do
this? It seems like maybe some files need to be manually copied over from
the existing replica but none of the instructions that I've found mention
this. The existing CA is running 4.5.4 and the new replica is 4.7.0 (I'm
trying to migrate to 4.7.0 entirely.)
Regarding the output below, /var/log/pki/pki-tomcat does not exist and
there are only 2 uninteresting files in /var/log/pki.
Thanks.
# ipa-ca-install
Directory Manager (existing master) password:
ipaclient.install.ipa_certupdate: ERROR Failed to add lightweight CA
tracking requests
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaclient/install/ipa_certupdate.py", line 117, in run_with_args
    cainstance.add_lightweight_ca_tracking_requests(lwcas)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1914, in add_lightweight_ca_tracking_requests
    pin=certmonger.get_pin('internal'),
  File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 672, in get_pin
    with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/password.conf'
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/26]: creating certificate server db
[2/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/26]: creating ACIs for admin
[4/26]: creating installation admin user
[5/26]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance:
CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f',
'/tmp/tmp0n1ii3z2'] returned non-zero exit status 1: '')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
5 years, 1 month
ERR - attrlist_replace - attr_replace (nsslapd-referral,
by James Harrison
Hello,
We have a machine with the following set up:
CentOS Linux release 7.4.1708 (Core)
ipa-server-4.5.0-21.el7.centos.2.2.x86_64
CA-less setup
We're getting a lot of errors on one of our FreeIPA servers. Hope you can help.
Many thanks
James Harrison
[31/Jul/2018:12:19:05.542401358 +0100] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jul/2018:12:19:05.611267011 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.613868420 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.634974836 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[31/Jul/2018:12:19:05.646685174 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/pul-system-01.DOMAINNAME@DOMAINNAME] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jul/2018:12:19:05.657290290 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jul/2018:12:19:05.660478907 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[31/Jul/2018:12:19:05.664268080 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-INT-DOMAIN-COM.socket for LDAPI requests
[31/Jul/2018:12:19:05.712942138 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 (Unknown authentication method) (SASL(-4): no mechanism available: No worthy mechs found)
[31/Jul/2018:12:19:08.916600270 +0100] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389): Replication bind with GSSAPI auth resumed
[31/Jul/2018:12:19:11.139026788 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=int,dc=DOMAIN,dc=com
[31/Jul/2018:12:19:11.143128988 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
[31/Jul/2018:12:19:26.258468102 +0100] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
[31/Jul/2018:12:19:26.261488755 +0100] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
[31/Jul/2018:12:19:41.405312942 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.407352984 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.409312145 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.484329977 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.489032389 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.490775486 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.882743610 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.887246145 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.889667896 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
5 years, 1 month
Problem with replication topology after replica removal
by Przemysław Orzechowski
Hi
I removed a replica, but after the removal I got 3 undeleted replication
agreements.
I can't delete them with ipa topologysegment-del; the error returned is:
ipa: ERROR: Server is unwilling to perform: Removal of Segment
disconnects topology.Deletion not allowed.
ipa host-find
Return no results as expected.
Is there any way to fix this ?
Regards
Przemysław Orzechowski
5 years, 1 month
Replacing selfsigned cert with external signed CA
by Jan Gardian
Hello,
Could you please recommend a procedure to replace the self-signed IPA
certificate with an externally signed CA?
I found this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
but it is for renewal and I am not sure if it can be used for replacement.
In manual pages for ipa-cacert-manage there is option install but in
statements it has: "Important: this does not replace IPA CA but adds the
provided certificate as a known CA. This is useful for instance when
using ipa-server-certinstall to replace HTTP/LDAP certificates with
third-party certificates signed by this additional CA."
Thank you
--
With kind regards
*Ján Gardian*
Administrator
CYAN RD
5 years, 1 month
Re: Forcing ssh key login
by William Muriithi
Hi Alfredo,
>
> Anyone on this question?
> cheers
>
> /Alfredo
>
> On Thu, 26 Jul 2018, 18:35 Alfredo De Luca, <alfredo.deluca(a)gmail.com>
> wrote:
>
>> Hi all.
>> I wonder how to force ssh keys only all the users with freeIPA. We have
>> 4.5.4 version.
>> Is it the only way changing the sshd_config from PasswordAuthentication
>> from yes to *NO*?
>>
It's the same stuff you need to do for a non-IPA system.
You will also need to:
- Have them generate a public/private SSH key pair
- (Have them add it to their IPA user profile) or add their public
key to the authorized_keys file.
If you do this, the IPA server doesn't do any authentication at all. So
if you are using something like Kerberos-based NFS, they will have
issues mounting their home directories.
Regards,
William
5 years, 1 month
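The sshd_config change discussed in this thread is easy to get subtly wrong: sshd takes the first occurrence of a keyword and silently ignores later duplicates, a commented-out line leaves the compiled-in default (password authentication on) in force, and PAM keyboard-interactive logins stay open unless ChallengeResponseAuthentication is also disabled. The following is an added example, not code from the thread or from FreeIPA: a small POSIX shell audit that resolves the effective value of the relevant keywords the way sshd does, run against two constructed configs (a weak one and a hardened one that delegates key lookup to sssd). Only the global section is evaluated; Match blocks are deliberately out of scope.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for settings
# that still allow password-based logins. Keyword names are OpenSSH 7.x (CentOS 7).
# Limitation (deliberate): only the global section is read; "Match" blocks can
# re-enable passwords for some clients and are not evaluated here.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD: the first uncommented occurrence
# wins (sshd ignores later duplicates), and a keyword that never appears takes
# its compiled-in DEFAULT. Keyword comparison is case-insensitive, like sshd's.
effective_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        { gsub(/=/, " ") }                      # accept "Keyword=value" as well as "Keyword value"
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# sshd_keys_only FILE
# Returns 0 if only public-key authentication is left enabled, 1 otherwise,
# printing one line per offending setting. Defaults are OpenSSH's: password and
# challenge-response (PAM keyboard-interactive) logins are ON unless disabled.
sshd_keys_only() {
    f=$1; rc=0
    pw=$(effective_value "$f" PasswordAuthentication yes)
    cr=$(effective_value "$f" ChallengeResponseAuthentication yes)
    pk=$(effective_value "$f" PubkeyAuthentication yes)
    ep=$(effective_value "$f" PermitEmptyPasswords no)
    [ "$pw" = no ]  || { echo "PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$cr" = no ]  || { echo "ChallengeResponseAuthentication is '$cr' (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
    [ "$ep" = no ]  || { echo "PermitEmptyPasswords is '$ep' (want no)"; rc=1; }
    return $rc
}

# Constructed sample configs (not copied from any real host).
# Weak: the commented-out line is not a setting, and the late
# "PasswordAuthentication no" is ignored because an earlier "yes" came first.
write_weak_config() {
    cat > "$1" <<'EOF'
#PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
PasswordAuthentication no
EOF
}
# Hardened: keys only; keys stored in IPA user entries are served to sshd by sssd.
write_hardened_config() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
GSSAPIAuthentication yes
EOF
}

demo() {
    for name in weak hardened; do
        tmp=$(mktemp)
        "write_${name}_config" "$tmp"
        if sshd_keys_only "$tmp"; then echo "$name: key-only login enforced"
        else echo "$name: password login still possible"; fi
        rm -f "$tmp"
    done
}

# Run as:  sh sshd_audit.sh demo      (or call: sshd_keys_only /etc/ssh/sshd_config)
if [ "${1:-}" = demo ]; then demo; fi
```

On a live host, `sshd -T` prints the fully resolved configuration (including Match blocks for a given connection spec with `-C`) and is the authoritative check; the parser above is for reviewing a config file offline, for instance in a repository before it is deployed.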
How can local root execute admin IPA commands?
by Ryan Slominski
Kerberos has kadmin.local, and I'm looking for a similar way to execute admin commands as the local root user. It looks like I could create a keytab and use kinit on it, but ipa-getkeytab doesn't seem to work for the admin principal. So I could create a new service account instead, but I can't seem to find a role that grabs everything like the special admin group does. Any tips?
5 years, 2 months
Re: going level up, domain-wise - how?
by William Muriithi
Hi lejeczek,
> >> gee.. I'm really hopping in the dark here. Is such a
> >> scenario a topic covered somewhere in IPA docs(I failed
> >> to find)?
> > So, you want to move from FROM.HERE realm to UP.FROM.HERE
> > realm?
> > Or you still want to use FROM.HERE realm and just deploy
> > new machines in
> > up.from.here DNS domain?
> >
> > For the former you have to stand up a completely new
> > deployment.
> > For the latter you can just enroll machines from
> > up.from.here to
> > FROM.HERE.
> >
> >
> many thanks,
> Would "completely new deployment" also be the case (now I'm
> thinking I phrased that wrongly before, I was going down a
> level instead of up) if change(realm) was:
> DOWN.FROM.HERE => FROM.HERE
> ?
Yes, you would also need a new deployment to change the realm from
DOWN.FROM.HERE to FROM.HERE.
It's actually documented, and the choice of realm has to be made when
starting the IPA server deployment. I am certain I read somewhere that changing
the IPA realm isn't supported. Actually, I just did a quick Google search and it's
explicitly stated here:
https://www.freeipa.org/page/Deployment_Recommendations
Regards,
William
5 years, 2 months
Apache unable to use ipa keytab
by William Muriithi
Evening,
I am attempting to get Apache authenticating with IPA but I'm not sure why it's
rejecting the keytab. I have even recreated the keytab a number of times
but this isn't making any difference. To make sure the problem isn't
anywhere else, I briefly used an htpasswd file and it worked fine, so I'm
confident it has to do with the Apache-IPA integration. Does anybody notice
anything wrong with the setup below?
[Tue Jul 24 17:13:55.754808 2018] [auth_gssapi:debug] [pid 27797] mod_auth_gssapi.c(857): [client 192.168.20.221:46106] URI: /git/, no main, no prev
[Tue Jul 24 17:13:55.809525 2018] [auth_gssapi:error] [pid 27797] [client 192.168.20.221:46106] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/etc/httpd/conf.d/httpd.keytab is nonexistent or empty)]
[Tue Jul 24 17:13:55.811160 2018] [ssl:debug] [pid 27797] ssl_engine_io.c(993): [client 192.168.20.221:46106] AH02001: Connection closed to child 3 with standard shutdown (server gitolite4.eng.example.com:443)
Full log here:
https://pastebin.com/v3KKVs6W
However, the keytab looks fine.
Keytab name: FILE:/etc/httpd/conf.d/httpd.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (des3-cbc-sha1)
   1 07/23/2018 16:19:22 http/gitolite4.eng.example.com@ENG.EXAMPLE.COM (arcfour-hmac)
[root@gitolite4 ~]#
Also, I have confirmed this isn't SELinux related:
[root@gitolite4 ~]# getenforce
Permissive
This is the version of apache module that I am using.
[root@gitolite4 ~]# rpm -qa | grep gssapi
mod_auth_gssapi-1.5.1-5.el7.x86_64
python-gssapi-1.2.0-3.el7.x86_64
cyrus-sasl-gssapi-2.1.26-23.el7.x86_64
[root@gitolite4 ~]#
This is the configuration that I am using:
<Location /git>
    LimitXMLRequestBody 0
    LimitRequestBody 0
    AuthType GSSAPI
    AuthName "Linux Account"
    GssapiConnectionBound On
    GssapiBasicAuth On
    GssapiNegotiateOnce On
    GssapiLocalName on
    AuthzSendForbiddenOnFailure On
    GssapiCredStore keytab:/etc/httpd/conf.d/httpd.keytab
    GssapiSignalPersistentAuth On
    GssapiSSLonly On
    Require expr %{REMOTE_USER} =~ /@eng.example.com$/
</Location>
Regards,
William
5 years, 2 months
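Two facts are worth checking mechanically before blaming mod_auth_gssapi: FreeIPA registers web services as HTTP/<fqdn>@<REALM>, and Kerberos principal names are case-sensitive, so an entry that differs only in the case of the service type is not the same principal. The following is an added example, not code from William's post or from FreeIPA or mod_auth_gssapi: a shell check that parses `klist -kt`/`klist -kte` output and reports whether the exact expected principal is present, distinguishing "absent" from "present with different letter case". The hostname and realm from the post are reused; the klist sample is constructed (timestamps and enctypes are made up).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the principal names in an
# HTTP service keytab before pointing mod_auth_gssapi (GssapiCredStore keytab:...) at it.
# Assumes MIT krb5 "klist -kt" / "klist -kte" output, as shipped on CentOS 7.

# principals_in_klist: read klist output on stdin, print each distinct principal once.
# Entry lines start with a numeric KVNO; the principal is the first field containing "@".
principals_in_klist() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break } }' | sort -u
}

# expected_http_principal FQDN REALM
# FreeIPA registers web services as HTTP/<fqdn>@<REALM>; Kerberos principal names
# are case-sensitive, so the service type must be upper-case "HTTP".
expected_http_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# keytab_has_principal PRINCIPAL: exact, case-sensitive match against klist output on stdin.
keytab_has_principal() {
    principals_in_klist | grep -qxF -- "$1"
}

# check_http_keytab KLIST_FILE FQDN REALM
# Returns 0 only when the exact expected principal is present. A same-name entry
# in different letter case is reported separately, because a quick look at klist
# output tends to miss it.
check_http_keytab() {
    want=$(expected_http_principal "$2" "$3")
    if keytab_has_principal "$want" < "$1"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    if principals_in_klist < "$1" | tr 'A-Z' 'a-z' | grep -qxF -- "$lc"; then
        echo "WARN: only a different-case variant of $want is in the keytab; principal names are case-sensitive"
    else
        echo "FAIL: $want is not in the keytab"
    fi
    return 1
}

# sample_klist_output PRINCIPAL: constructed "klist -kte" output for offline runs
# (format modelled on MIT krb5; timestamps and enctypes are made up).
sample_klist_output() {
    cat <<EOF
Keytab name: FILE:/etc/httpd/conf.d/httpd.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 16:19:22 $1 (aes256-cts-hmac-sha1-96)
   1 07/23/2018 16:19:22 $1 (aes128-cts-hmac-sha1-96)
EOF
}

# Run as:  sh keytab_check.sh demo
# Real use: klist -kte /etc/httpd/conf.d/httpd.keytab > /tmp/kt.txt &&
#           check_http_keytab /tmp/kt.txt "$(hostname -f)" EXAMPLE.REALM
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    sample_klist_output 'http/gitolite4.eng.example.com@ENG.EXAMPLE.COM' > "$tmp"
    check_http_keytab "$tmp" gitolite4.eng.example.com ENG.EXAMPLE.COM || true
    sample_klist_output 'HTTP/gitolite4.eng.example.com@ENG.EXAMPLE.COM' > "$tmp"
    check_http_keytab "$tmp" gitolite4.eng.example.com ENG.EXAMPLE.COM
    rm -f "$tmp"
fi
```

Note that MIT krb5 emits "Keytab FILE:... is nonexistent or empty" whenever it cannot iterate over the keytab, which includes the file existing but not being openable by the calling process. So, in addition to the principal names, confirm that the file is readable as the httpd worker user (for example `sudo -u apache test -r /etc/httpd/conf.d/httpd.keytab`) and that the ownership and mode are what you expect.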