after promoting a clone as new renewal master, pki-tomcatd crashes with "Could not connect to LDAP", "Authentication failed (48)"
by Karl Forner
In the final step of upgrading my FreeIPA servers to Fedora 26/FreeIPA 4.4.4, I demoted the current renewal master and promoted a CA (sif) as the new renewal master, following the instructions from <https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#R...>.
Since then, pki-tomcatd will not start; here's an excerpt of /var/log/pki/pki-tomcat/ca/debug:
```
[17/Jul/2018:15:34:57][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[17/Jul/2018:15:34:57][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[17/Jul/2018:15:34:57][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[17/Jul/2018:15:34:57][localhost-startStop-1]: LdapBoundConnFactory: init
[17/Jul/2018:15:34:57][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[17/Jul/2018:15:34:57][localhost-startStop-1]: LdapAuthInfo: init()
[17/Jul/2018:15:34:57][localhost-startStop-1]: LdapAuthInfo: init begins
[17/Jul/2018:15:34:57][localhost-startStop-1]: LdapAuthInfo: init ends
[17/Jul/2018:15:34:57][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[17/Jul/2018:15:34:57][localhost-startStop-1]: makeConnection: errorIfDown true
[17/Jul/2018:15:34:57][localhost-startStop-1]: TCP Keep-Alive: true
[17/Jul/2018:15:34:57][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[17/Jul/2018:15:34:57][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[17/Jul/2018:15:34:57][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[17/Jul/2018:15:34:57][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[17/Jul/2018:15:34:57][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host sif.quartzbio.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
```
I found this very useful blog: <https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...> and checked all the steps.
From what I checked:
- my certificates are valid
- there were two userCertificate values for pkidbuser, one expired; I removed it using Apache Directory Studio
- the pkidbuser certificate matches the one from /etc/pki/pki-tomcat/alias
One possibly relevant piece of info: the previous renewal master/CA was the main DNS server; it is no longer running, since I was about to recreate it when I discovered that pki-tomcatd was not running when I tried to execute ipa-prepare-replicate.
I would be grateful if you could help me or guide me in debugging this.
Thanks,
Karl.
Additional info:
```
ipa config-show
-----------------------
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=QUARTZBIO.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC
IPA masters: amora.example.com, sif.example.com
IPA CA servers: amora.example.com, sif.example.com
IPA NTP servers: amora.example.com, sif.example.com
IPA CA renewal master: sif.example.com
```
```
grep internaldb.ldap /etc/pki/pki-tomcat/ca/CS.cfg
------------------------------
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.cloneReplicationPort=389
internaldb.ldapconn.host=sif.example.com
internaldb.ldapconn.masterReplicationPort=389
internaldb.ldapconn.port=636
internaldb.ldapconn.replicationSecurity=TLS
internaldb.ldapconn.secureConn=true
```
```
sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
------------------------------------
Data:
Version: 3 (0x2)
Serial Number: 86 (0x56)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=QUARTZBIO.COM"
Validity:
Not Before: Wed May 31 15:49:31 2017
Not After : Tue May 21 15:49:31 2019
Subject: "CN=CA Subsystem,O=QUARTZBIO.COM"
...
```
```
sudo grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
-----------------------------------------------------------
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 4c9dcd686df2a289ef1bcd21d2dfb195a0d7bc9c subsystemCert cert-pki-ca
```
```
sudo cat /etc/dirsrv/slapd-IPADOMAIN-COM/certmap.conf
----------------------
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=QUARTZBIO.COM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
```
```
ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca description
-----------------------------
dn: uid=pkidbuser,ou=people,o=ipaca
description: 2;86;CN=Certificate Authority,O=QUARTZBIO.COM;CN=CA Subsystem,O=Q
 UARTZBIO.COM
```
```
sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep Serial
------------------------
Serial Number: 86 (0x56)
```
```
getcert list | grep "expires\|status\|subject" | perl -pe 's/quartzbio/example/ig'
status: MONITORING
subject: CN=sif.example.com,O=example.COM
expires: 2020-07-13 13:44:48 CEST
status: MONITORING
subject: CN=CA Audit,O=example.COM
expires: 2019-05-21 17:50:42 CEST
status: MONITORING
subject: CN=OCSP Subsystem,O=example.COM
expires: 2019-05-21 17:50:01 CEST
status: MONITORING
subject: CN=CA Subsystem,O=example.COM
expires: 2019-05-21 17:49:31 CEST
status: MONITORING
subject: CN=Certificate Authority,O=example.COM
expires: 2035-07-09 11:41:54 CEST
status: MONITORING
subject: CN=sif.example.com,O=example.COM
expires: 2020-07-02 16:57:18 CEST
status: MONITORING
subject: CN=sif.example.com,O=example.COM
expires: 2020-07-13 13:44:52 CEST
status: MONITORING
subject: CN=IPA RA,O=example.COM
expires: 2019-05-21 17:50:10 CEST
```
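The post above shows the pieces that 389-DS certmap uses to authenticate the CA subsystem certificate: `ipaca:CmapLdapAttr seeAlso` locates the `pkidbuser` entry by its `description` value of the form `2;<serial>;<issuer>;<subject>`, and `ipaca:verifycert on` then requires the presented certificate to match the entry. The following is an added example, not code from the poster or from FreeIPA, that performs the consistency check between that `description` attribute (as LDIF, including the folded continuation line) and the `certutil -L` output; the inputs are constructed to mirror the values in the post.

```python
import re

# Constructed LDIF fragment; LDIF folds long values with a leading space.
LDIF = """dn: uid=pkidbuser,ou=people,o=ipaca
description: 2;86;CN=Certificate Authority,O=QUARTZBIO.COM;CN=CA Subsystem,O=Q
 UARTZBIO.COM
"""

# Constructed excerpt of `certutil -L -d /etc/pki/pki-tomcat/alias -n '...'`.
CERTUTIL = """Data:
Version: 3 (0x2)
Serial Number: 86 (0x56)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=QUARTZBIO.COM"
Validity:
Not Before: Wed May 31 15:49:31 2017
Not After : Tue May 21 15:49:31 2019
Subject: "CN=CA Subsystem,O=QUARTZBIO.COM"
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_description(ldif_text):
    """Return (serial, issuer, subject) from 'description: 2;serial;issuer;subject'."""
    for line in unfold_ldif(ldif_text):
        if line.startswith("description:"):
            value = line.split(":", 1)[1].strip()
            _version, serial, issuer, subject = value.split(";", 3)
            return int(serial), issuer, subject
    raise ValueError("no description attribute in entry")


def parse_certutil(certutil_text):
    """Return (serial, issuer, subject) from the human-readable certutil -L dump."""
    serial = re.search(r"Serial Number:\s*(\d+)", certutil_text)
    issuer = re.search(r'Issuer:\s*"([^"]+)"', certutil_text)
    subject = re.search(r'Subject:\s*"([^"]+)"', certutil_text)
    if not (serial and issuer and subject):
        raise ValueError("certutil output is missing serial, issuer or subject")
    return int(serial.group(1)), issuer.group(1), subject.group(1)


def certmap_mismatches(ldif_text, certutil_text):
    """Names of the fields on which the LDAP entry and the NSS cert disagree.

    An empty list means the description matches the certificate, so the
    certmap lookup itself is not what fails; an error 48 would then point
    elsewhere (for example the userCertificate value or the TLS chain).
    """
    entry = parse_description(ldif_text)
    cert = parse_certutil(certutil_text)
    return [n for n, a, b in zip(("serial", "issuer", "subject"), entry, cert) if a != b]
```

Feed it the real `ldapsearch` and `certutil` output captured from the server to get the same comparison on live data.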
Kerberos Utilities Integration
by Ryan Slominski
Hi IPA Users,
What is the status of the IPA integration with Kerberos utilities such as kadmin (kadmin.local) and kdb5_util? Can they be used, or are they not supported? If not supported, maybe they should report an error or warning.
It seems setting a user's password expiration with kadmin works in the short term, but is later overwritten, perhaps by multi-master replication? I was testing password expiration and I set a value using kadmin modprinc yesterday and noticed today that the value has reverted back to what it was earlier. As an aside, using ipa user-mod --setattr=krbPasswordExpiration=20180715011529Z is clumsy, and the admin user doesn't even have the privilege to execute it successfully. LDAP modify with directory manager has the privilege, but LDIF is even more clumsy. With kadmin.local modprinc I can use -pwexpire 1day.
Also, importing an existing database of principals with password hashes would make migration from a standalone KDC much less painful. Any chance that feature is added at some point? Looks like one challenge might be what appears to be the 389 directory server storing user passwords in two separate fields (userPassword and krbPrincipalKey), which are presumably hashed differently.
Ryan
How to change nsslapd-cachememsize
by Kees Bakker
Hi,
This is about the infamous log message:
```
WARNING: changelog: entry cache size 2097152B is less than db size 19701760B; We recommend to increase the entry cache size nsslapd-cachememsize.
```
I've searched the Internet, including this mailing list, but I haven't found a sensible FreeIPA solution yet. There was a hint to look at [1], that suggested that I should use ldapmodify. Well OK, but before I do that I want to first see, using ldapsearch, that I can query the current value. I tried this (with proper kinit of course):
```
ldapsearch -Y GSSAPI -b cn=config
```
That didn't show anything useful, nothing with nsslapd-cachememsize. That makes me wonder whether the suggested ldapmodify command is correct for me.
My question is basically: what is the recommended FreeIPA way to modify nsslapd-cachememsize?
And will the modification automatically replicate from the master to the replica?
BTW, my FreeIPA servers (one master and one replica) are running Ubuntu 16.04.
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
--
Kees
AD group membership information not enumerated in the cn=compat tree?
by Robert Sturrock
Hello.
We are using FreeIPA primarily to connect our Linux fleet efficiently to our organisational AD and it’s working well in that capacity.
However, we are investigating a number of different enterprise NAS solutions to provide (kerberized) NFSv4 file services to this fleet. We were hoping to integrate these NAS appliances with IPA by way of the compat tree, since they don’t offer native IPA providers.
This works to a point, but I’ve noticed that the compat tree does not seem to enumerate *group membership* for the AD trust users.
For example, when I look up one of my groups with an ldapsearch against one of the IPA masters I see:
```
dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: ipaexternalgroup
objectClass: top
cn: lcm-managedlinux@localdomain
gidNumber: 1388937688
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
```
I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.
Is this expected behaviour, or is there some additional configuration needed to obtain this functionality?
Some searching online brought up these references ('Enable compat tree to provide information about AD users and groups on trust agents'):
- https://bugzilla.redhat.com/show_bug.cgi?id=1585020
- https://pagure.io/freeipa/issue/7600
These read very similarly to the behaviour we’re seeing.
Regards,
Robert.
AD Integration
by paul mitchell
We currently have a single AD (2016) domain, company.co.uk. The DNS zone file is managed by Active Directory, so all machines (Windows and Linux) are listed in the zone file. Windows users authenticate against AD and Linux users authenticate against a separate NIS server. We are considering replacing NIS with a FreeIPA server.
The most important consideration is to maintain the *ix users' GID and UID data that is currently stored on the NIS server. If this data could be stored in AD, then we probably would not be considering FreeIPA. A typical *ix user workflow is for the user to ssh from their local machine to one of 20 development servers. The user GID and UID must be the same regardless of which machine they access. We don't currently have any username/password synchronisation between AD and NIS, so this is not a requirement. It's clear that to enable a trust between FreeIPA and AD, we would need to create a separate IPA domain.
I assume all 20 development servers would need to be added to the IPA domain?
Issues with ipa-replica-install
by Peter Tselios
Hello,
I had set up a FreeIPA master and a replica on 2 CentOS 7.5 boxes.
Currently the master has all services (DNS, CA, KRA) and it's prepared for a one-way trust with AD.
Unfortunately, I have a lot of issues with the replica!
The replica setup was:
```
ipa-replica-install --setup-ca --setup-dns --setup-kra --no-forwarder
```
Although the installation was successful, when I tried to create a trust with our AD, the AD administrator told me that the replica did not respond to DNS, and indeed, the DNS was down. Actually, the named-pkcs11 service was not even enabled on the replica. So, ipactl restart told me to run ipa-server-upgrade, which I did.
The upgrade failed in the KRA section because it could not connect to the MASTER server on port 8443.
I didn't have time to investigate further, so I just removed the replica and re-installed it (with another issue, that will be posted in another thread later), this time without the KRA.
My question:
If I run ipa-kra-install, will it REPLICATE the master, or will it create a new KRA server?
Unfortunately, I cannot take a backup and test it, and I cannot install a second replica (don't ask, please).
Can I automatically add a new host in a location?
by Peter Tselios
Hello,
I want to use Foreman and/or AWS to provision hosts that will be registered to my FreeIPA.
I have created all the locations that I will use and I have one FreeIPA replica in each location. From the documentation it seems that I need to use ipa-client-install and then use ipa host-mod to modify the host's location, meaning that I need to modify the permissions that the Foreman script created for my user.
Is there any other way to automatically add a host in a location?
Re: Freeipa-client-install - enrolls client/host then crashes
by Rob Crittenden
Miller, Jim via FreeIPA-users wrote:
> Hello everyone,
>
> I’m trying to add a CentOS 7 64bit host to our FreeIPA domain.
>
> Client FreeIPA is 4.5.4-10
> Server FreeIPA is 4.4.0
>
> Client FreeIPA rpms:
> ipa-common-4.5.4-10.el7.centos.3.noarch
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipalib-4.5.4-10.el7.centos.3.noarch
> ipa-client-4.5.4-10.el7.centos.3.x86_64
> ipa-client-common-4.5.4-10.el7.centos.3.noarch
> libipa_hbac-1.16.0-19.el7_5.5.x86_64
> python-iniparse-0.4-9.el7.noarch
> sssd-ipa-1.16.0-19.el7_5.5.x86_64
> python2-ipaclient-4.5.4-10.el7.centos.3.noarch
> python-libipa_hbac-1.16.0-19.el7_5.5.x86_64
>
> The basic steps to reproduce are:
> 1. Populate /etc/krb5.conf for IPA.GENERIC.ZONE realm
> 2. kinit admin # for IPA.GENERIC.ZONE
> 3. ipa-client-install --mkhomedir --no-ntp --ssh-trust-dns
> --enable-dns-updates
What is the use-case for doing it this way?
What does the KDC log show? /var/log/krb5kdc.log
rob
>
> Here’s where the errors start:
>
> Enrolled in IPA realm IPA.GENERIC.ZONE
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.GENERIC.ZONE
> trying https://sl1mmgplidm0001.ipa.generic.zone/ipa/json
> Major (851968): Unspecified GSS failure. Minor code may provide more
> information, Minor (2529638972): KDC returned error string: PROCESS_TGS
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
>
> [root@sl1aosplsecweb2 ~]# less /var/log/ipaclient-install.log
> File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
> line 3628, in main
> install(self)
> File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
> line 2348, in install
> _install(options)
> File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
> line 2694, in _install
> api.finalize()
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714,
> in finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421,
> in __do_if_not_done
> getattr(self, name)()
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592,
> in load_plugins
> for package in self.packages:
> File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948,
> in packages
> ipaclient.remote_plugins.get_package(self),
> File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py",
> line 126, in get_package
> plugins = schema.get_package(server_info, client)
> File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
> line 537, in get_package
> schema = Schema(client)
> File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
> line 385, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
> File
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py",
> line 397, in _fetch
> client.connect(verbose=False)
> File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in
> connect
> conn = self.create_connection(*args, **kw)
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1034, in
> create_connection
> command([], {})
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
> return self.__request(name, args)
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in
> __request
> verbose=self.__verbose >= 3,
> File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
> return self.single_request(host, handler, request_body, verbose)
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in
> single_request
> self.get_auth_info()
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in
> get_auth_info
> self._handle_exception(e, service=service)
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 588, in
> _handle_exception
> raise errors.KerberosError(message=unicode(e))
>
> 2018-07-11T21:39:19Z DEBUG The ipa-client-install command failed,
> exception: KerberosError: Major (851968): Unspecified GSS failure.
> Minor code may provide more information, Minor (2529638972): KDC
> returned error string: PROCESS_TGS
> 2018-07-11T21:39:19Z ERROR Major (851968): Unspecified GSS failure.
> Minor code may provide more information, Minor (2529638972): KDC
> returned error string: PROCESS_TGS
> 2018-07-11T21:39:19Z ERROR The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
>
> If it would help I can attach the entire ipaclient-install.log file
>
> Thank you for your help
>
> --Jim
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
Maximum number of sessions reached?
by Greg Gilbert
Hi all,
I'm getting a maximum number of sessions message from FreeIPA:
```
Failed to create session: Maximum number of sessions (8192) reached,
refusing further sessions.
```
I think it's causing this error when any server tries to enroll itself:
```
Cannot connect to the server due to generic error: error marshalling
data for XML-RPC transport: message: need a <type 'unicode'>; got
'No valid Negotiate header in server response' (a <type 'str'>)
Installation failed. Rolling back changes.
Unenrolling client from IPA server
```
Any ideas? Do I need to just restart FreeIPA every so often to reset sessions or something?
Thanks,
Greg