July 2018 - FreeIPA-users - Fedora mailing-lists

after promoting a clone as new renewal master, pki-tomcatd crashes with "Could not connect to LDAP", "Authentication failed (48)"
by Karl Forner 18 Jul '18

18 Jul '18

In the final step of upgrading my freeIPA servers to fedora26/freeIPA 4.4.4, I removed the current demoted the current renewal master, and promoted a CA (sif) as new renewal master, following instructions from < https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Rec… >. Since then, pki-tomcatd will not start, here's an excerpt of /var/log/pki/pki-tomcat/ca/debug : ``` [17/Jul/2018:15:34:57][localhost-startStop-1]: CMSEngine: ready to init id=dbs [17/Jul/2018:15:34:57][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true [17/Jul/2018:15:34:57][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem) [17/Jul/2018:15:34:57][localhost-startStop-1]: LdapBoundConnFactory: init [17/Jul/2018:15:34:57][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [17/Jul/2018:15:34:57][localhost-startStop-1]: LdapAuthInfo: init() [17/Jul/2018:15:34:57][localhost-startStop-1]: LdapAuthInfo: init begins [17/Jul/2018:15:34:57][localhost-startStop-1]: LdapAuthInfo: init ends [17/Jul/2018:15:34:57][localhost-startStop-1]: init: before makeConnection errorIfDown is true [17/Jul/2018:15:34:57][localhost-startStop-1]: makeConnection: errorIfDown true [17/Jul/2018:15:34:57][localhost-startStop-1]: TCP Keep-Alive: true [17/Jul/2018:15:34:57][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [17/Jul/2018:15:34:57][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [17/Jul/2018:15:34:57][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering! [17/Jul/2018:15:34:57][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null [17/Jul/2018:15:34:57][localhost-startStop-1]: SSL handshake happened Could not connect to LDAP server host sif.quartzbio.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) ``` I found this very useful blog: < https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomca… > and checked all the steps. From what I checked: - my certificates are valid - there was two userCertificate for pkidbuser, one expired. I removed it using Apache Directory Studio - the pkidbuser certificate match the one from /etc/pki/pki-tomcat/alias One possibly relevant info: the previous renewal master/CA was the main DNS, it is no longer running since I was about to recreate it when I discovered that the pki-tomcatd was not running when I tried to execute ipa-prepare-replicate. I would be grateful if you could help me or guide me debugging this. Thanks, Karl. Additional info: ipa config-show ----------------------- Maximum username length: 32 Home directory base: /home Default shell: /bin/bash Default users group: ipausers Default e-mail domain: example.com Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=QUARTZBIO.COM Password Expiration Notification (days): 4 Password plugin features: AllowNThash SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: nfs:NONE, MS-PAC IPA masters: amora.example.com, sif.example.com IPA CA servers: amora.example.com, sif.example.com IPA NTP servers: amora.example.com, sif.example.com IPA CA renewal master: sif.example.com grep internaldb.ldap /etc/pki/pki-tomcat/ca/CS.cfg ------------------------------ internaldb.ldapauth.authtype=SslClientAuth internaldb.ldapauth.bindDN=cn=Directory Manager internaldb.ldapauth.bindPWPrompt=internaldb internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca internaldb.ldapconn.cloneReplicationPort=389 internaldb.ldapconn.host=sif.example.com internaldb.ldapconn.masterReplicationPort=389 internaldb.ldapconn.port=636 internaldb.ldapconn.replicationSecurity=TLS internaldb.ldapconn.secureConn=true sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' ------------------------------------ Data: Version: 3 (0x2) Serial Number: 86 (0x56) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=QUARTZBIO.COM" Validity: Not Before: Wed May 31 15:49:31 2017 Not After : Tue May 21 15:49:31 2019 Subject: "CN=CA Subsystem,O=QUARTZBIO.COM" ... sudo grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' ----------------------------------------------------------- certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa 4c9dcd686df2a289ef1bcd21d2dfb195a0d7bc9c subsystemCert cert-pki-ca sudo cat /etc/dirsrv/slapd-IPADOMAIN-COM/certmap.conf ---------------------- default:DNComps default:FilterComps uid certmap ipaca CN=Certificate Authority,O=QUARTZBIO.COM ipaca:CmapLdapAttr seeAlso ipaca:verifycert on ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca description ----------------------------- dn: uid=pkidbuser,ou=people,o=ipaca description: 2;86;CN=Certificate Authority,O=QUARTZBIO.COM;CN=CA Subsystem,O=Q UARTZBIO.COM sudo certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep Serial ------------------------ Serial Number: 86 (0x56) getcert list | grep "expires\|status\|subject" | perl -pe 's/quartzbio/example/ig' status: MONITORING subject: CN=sif.example.com,O=example.COM expires: 2020-07-13 13:44:48 CEST status: MONITORING subject: CN=CA Audit,O=example.COM expires: 2019-05-21 17:50:42 CEST status: MONITORING subject: CN=OCSP Subsystem,O=example.COM expires: 2019-05-21 17:50:01 CEST status: MONITORING subject: CN=CA Subsystem,O=example.COM expires: 2019-05-21 17:49:31 CEST status: MONITORING subject: CN=Certificate Authority,O=example.COM expires: 2035-07-09 11:41:54 CEST status: MONITORING subject: CN=sif.example.com,O=example.COM expires: 2020-07-02 16:57:18 CEST status: MONITORING subject: CN=sif.example.com,O=example.COM expires: 2020-07-13 13:44:52 CEST status: MONITORING subject: CN=IPA RA,O=example.COM expires: 2019-05-21 17:50:10 CEST

3 5

Kerberos Utilities Integration
by Ryan Slominski 18 Jul '18

18 Jul '18

Hi IPA Users, What is the status of the IPA integration with Kerberos utilities such as kadmin (kadmin.local) and kdb5_util? Can they be used or are they not supported. If not supported maybe they should report an error or warning. It seems setting a user's password expiration with kadmin works in the short term, but is later overwritten perhaps by multi-master replication? I was testing password expiration and I set a value using kadmin modprinc yesterday and noticed today that the value has reverted back to what it was earlier. As an aside using ipa user-mod --setattr=krbPasswordExpiration=20180715011529Z is clumsy and admin user doesn't even have the privilege to execute it successfully. LDAP modify with directory manager has the privilege, but LDIF is even more clumsy. With kadmin.local modprinc I can use -pwexpire 1day. Also, importing an existing database of principals with password hashes would make migration from a standalone KDC much less painful. Any chance that feature is added at some point? Looks like one challenge might be what appears to be the 389 directory server storing user passwords in two separate fields (userPassword and krbPrincipalKey), which are presumably hashed differently. Ryan

4 5

How to change nsslapd-cachememsize
by Kees Bakker 17 Jul '18

17 Jul '18

Hi, This is about the infamous log message WARNING: changelog: entry cache size 2097152B is less than db size 19701760B; We recommend to increase the entry cache size nsslapd-cachememsize. I've searched the Internet, including this mailing list, but I haven't found a sensible FreeIPA solution yet. There was a hint to look at [1], that suggested that I should use ldapmodify. Well OK, but before I do that I want to first see, using ldapsearch, that I can query the current value. I tried this (with proper kinit of course): ldapsearch -Y GSSAPI -b cn=config That didn't show anything useful, nothing with nsslapd-cachememsize. That makes me wonder whether the suggested ldapmodify command is correct for me. My question is basically: what is the recommended FreeIPA way to modify nsslapd-cachememsize? And will the modification automatically replicate from the master to the replica? BTW. My FreeIPA servers (one master and one replica) are running Ubuntu 16.04 [1] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/… -- Kees

3 9

AD group membership information not enumerated in the cn=compat tree?
by Robert Sturrock 17 Jul '18

17 Jul '18

Hello. We are using FreeIPA primarily to connect our Linux fleet efficiently to our organisational AD and it’s working well in that capacity. However, we are investigating a number of different enterprise NAS solutions to provide (kerberized) NFSv4 file services to this fleet. We were hoping to integrate these NAS appliances with IPA by way of the compat tree, since they don’t offer native IPA providers. This works to a point, but I’ve noticed that the compat tree does not seem to enumerate *group membership* for the AD trust users. For example, when I lookup one of my groups with an ldapsearch against one of the the IPA masters I see: dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain objectClass: ipaOverrideTarget objectClass: posixGroup objectClass: ipaexternalgroup objectClass: top cn: lcm-managedlinux@localdomain gidNumber: 1388937688 ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg= I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members. Is this expected behaviour, or is there some additional configuration needed to obtain this functionality? Some searching online brought up these references ('Enable compat tree to provide information about AD users and groups on trust agents’) - https://bugzilla.redhat.com/show_bug.cgi?id=1585020 - https://pagure.io/freeipa/issue/7600 These read very similarly to the behaviour we’re seeing. Regards, Robert.

2 2

AD Integration
by paul mitchell 17 Jul '18

17 Jul '18

We currently have a single AD (2016) domain, company.co.uk. The DNS zone file is managed by Active Directory, so all machines (Windows and Linux) are listed in the zone file. Windows users authenticate against AD and Linux users authenticate against a separate NIS server. We are considering replacing NIS with a FreeIPA server. The most important consideration is to maintain the *ix users GUID and UID data that is currently stored on the NIS sever. If this data could be stored in AD, then we probable would not be considering FreeIPA. A typical *ix user workflow is for the user to ssh from their local machine to one of 20 developments servers. The user GUID and UID must be the same regardless of which machine they access. We don’t currently have any username/password synchronisation between AD and NIS so this is not a requirement. It’s clear that enable a trust between FreeIPA and AD, we would need to create a separate IPA domain. I assume all 20 development servers would need to be added to the IPA domain?

2 1

Issues with ipa-replica-install
by Peter Tselios 17 Jul '18

17 Jul '18

Hello, I had setup on 2 CentOS 7.5 boxes a FreeIPA Master and a Replica. Currently the master has all services (DNS, CA, KRA) and it's prepared for one-way trust with AD. Unfortunately, I have a lot of issues with the replica! The replica setup was: ipa-replica-install --setup-ca --setup-dns --setup-kra --no-forwarder Although the installation was successful, when I tried to create a Trust with our AD, the AD administrator told me that the replica did not responded to DNS and truly, the DNS was down. Actually, the named-pks11 service was not even enabled on the replica. So, the ipactl restart told me to run the ipa-server-upgrade which I did. The upgrade failed in the KRA section because it could not connect to the MASTER server on port 8443. I didn't have time to investigate further, so, I just removed the replica and re-installed it (with another issue, that will be posted in another thread later), this time without the KRA. My question: If I run the ipa-kra-install, will it REPLICATE the master, or will it create a new KRA server? Unfortunately, I cannot take a backup and test it and I cannot install a second replica (don't ask plz).

2 2

Can I automatically add a new host in a location?
by Peter Tselios 17 Jul '18

17 Jul '18

Hello, I want to use Foreman and/or AWS to provision hosts that will be registered to my FreeIPA. I have created all the locations that I will use and I have one FreeIPA replica on each location. From the documentation seems that I need to use the ipa-client-install and then use the ipa host-mod to modify the host's location, meaning that I need to modify the permissions the Foreman script created the my user. Is there any other way to automatically add a host in a location?

2 2

Re: Freeipa-client-install - enrolls client/host then crashes
by Rob Crittenden 16 Jul '18

16 Jul '18

Miller, Jim via FreeIPA-users wrote: > Hello everyone, > > > > I’m trying to add a CentOS 7 64bit host to our FreeIPA domain. > > > > Client FreeIPA is 4.5.4-10 > > Server FreeIPA is 4.4.0 > > > > Client FreeIPA rpms: > > ipa-common-4.5.4-10.el7.centos.3.noarch > > python-ipaddress-1.0.16-2.el7.noarch > > python2-ipalib-4.5.4-10.el7.centos.3.noarch > > ipa-client-4.5.4-10.el7.centos.3.x86_64 > > ipa-client-common-4.5.4-10.el7.centos.3.noarch > > libipa_hbac-1.16.0-19.el7_5.5.x86_64 > > python-iniparse-0.4-9.el7.noarch > > sssd-ipa-1.16.0-19.el7_5.5.x86_64 > > python2-ipaclient-4.5.4-10.el7.centos.3.noarch > > python-libipa_hbac-1.16.0-19.el7_5.5.x86_64 > > > > The basic steps to reproduce are: > > 1. Populate /etc/krb5.conf for IPA.GENERIC.ZONE realm > > > > 2. kinit admin # for IPA.GENERIC.ZONE > > > > 3. ipa-client-install --mkhomedir --no-ntp --ssh-trust-dns > --enable-dns-updates What is the use-case for doing it this way? What does the KDC log show? /var/log/krb5kdc.log rob > > > > Here’s where the errors start: > > > > Enrolled in IPA realm IPA.GENERIC.ZONE > > Created /etc/ipa/default.conf > > New SSSD config will be created > > Configured sudoers in /etc/nsswitch.conf > > Configured /etc/sssd/sssd.conf > > Configured /etc/krb5.conf for IPA realm IPA.GENERIC.ZONE > > trying https://sl1mmgplidm0001.ipa.generic.zone/ipa/json > > Major (851968): Unspecified GSS failure. Minor code may provide more > information, Minor (2529638972): KDC returned error string: PROCESS_TGS > > The ipa-client-install command failed. See > /var/log/ipaclient-install.log for more information > > [root@sl1aosplsecweb2 ~]# less /var/log/ipaclient-install.log > > File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", > line 3628, in main > > install(self) > > File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", > line 2348, in install > > _install(options) > > File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", > line 2694, in _install > > api.finalize() > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, > in finalize > > self.__do_if_not_done('load_plugins') > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, > in __do_if_not_done > > getattr(self, name)() > > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, > in load_plugins > > for package in self.packages: > > File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, > in packages > > ipaclient.remote_plugins.get_package(self), > > File > "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", > line 126, in get_package > > plugins = schema.get_package(server_info, client) > > File > "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", > line 537, in get_package > > schema = Schema(client) > > File > "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", > line 385, in __init__ > > fingerprint, ttl = self._fetch(client, ignore_cache=read_failed) > > File > "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", > line 397, in _fetch > > client.connect(verbose=False) > > File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in > connect > > conn = self.create_connection(*args, **kw) > > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1034, in > create_connection > > command([], {}) > > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call > > return self.__request(name, args) > > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in > __request > > verbose=self.__verbose >= 3, > > File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request > > return self.single_request(host, handler, request_body, verbose) > > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in > single_request > > self.get_auth_info() > > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in > get_auth_info > > self._handle_exception(e, service=service) > > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 588, in > _handle_exception > > raise errors.KerberosError(message=unicode(e)) > > > > 2018-07-11T21:39:19Z DEBUG The ipa-client-install command failed, > exception: KerberosError: Major (851968): Unspecified GSS failure. > Minor code may provide more information, Minor (2529638972): KDC > returned error string: PROCESS_TGS > > 2018-07-11T21:39:19Z ERROR Major (851968): Unspecified GSS failure. > Minor code may provide more information, Minor (2529638972): KDC > returned error string: PROCESS_TGS > > 2018-07-11T21:39:19Z ERROR The ipa-client-install command failed. See > /var/log/ipaclient-install.log for more information > > > > If it would help I can attach the entire ipaclient-install.log file > > > > > > Thank you for your help > > --Jim > > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos… >

1 0

Maximum number of sessions reached?
by Greg Gilbert 14 Jul '18

14 Jul '18

Hi all, I'm getting a maximum number of sessions message from FreeIPA: Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions. I think it's causing this error when any server tries to enroll itself: Cannot connect to the server due to generic error: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>) Installation failed. Rolling back changes. Unenrolling client from IPA server Any ideas? Do I need to just restart FreeIPA every so often to reset sessions or something? Thanks, Greg

1 0

unable to connect two replicas: Connection unsuccessful, xxxx is an IPA Server, but it might be unknown, foreign or previously deleted one.
by Karl Forner 13 Jul '18

13 Jul '18

Hi again, I tried to connect two of my replicas, but could not: Executed from replica2: `ipa-replica-manage connect -v replica1.example.com replica2.example.com` Connection unsuccessful: replica2.example.com is an IPA Server, but it might be unknown, foreign or previously deleted one. If I invert the order: `ipa-replica-manage connect -v replica2.example.com replica1.example.com` Connection unsuccessful: replica1.example.com is an IPA Server, but it might be unknown, foreign or previously deleted one. I get the same output when executed from other freeIPA servers (e.g. from the CRL). One potential important information: `ipa-replica-manage dnarange-show` -> crl.example.com: 134000170-134050499 replica1.example.com: 134050501-134100499 replica2.example.com: No range set What is the problem ? What should I do ? Thanks.

1 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users July 2018