Problem with promoting replica: missing key for auditSigningCert on CA server
by Andy Stubbs
Hi
So, I have what I think seems to be a slightly odd problem. And I think
I've worked out what the solution might be - but not the root cause. In any
case, I wanted to run it by you all and see whether you agree or have any
insight into it.
The background
running 6 directory servers 4.5.0-21 on CentOS 7.4.1708, 3 of which have
the CA role. I've been running the directory blissfully uneventfully for
7ish months now. We have experimented a little bit with the CA features,
but nothing that can't be done trivially with the web interface (on
reflection I'm sure it probably is trivial to revoke your primary
certificate authority with the web interface, but you know what I mean).
The problem
In the past few days I've had the occasion to try to create a new replica
but on each attempt, the process fails around this time:
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
The ipa-replica-install command failed, exception: HTTPError: 404 Client
Error: Not Found
404 Client Error: Not Found
The ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information
Now, I've learned a fair amount over the past few days digging into this,
like what ipa-custodia is, and how to poke it.
It seems that at this point, the process is still actually actively doing
things - it appears to be generating some kind of NSS certificate/key
store. And that process is failing, because apparently it can't find the
key for the entry "auditSigningCert cert-pki-ca" - specifically in
custodiainstance.__get_keys the call to cli.fetch_key is failing for this
nickname (but no others).
So, more digging, and I find that yes indeed, the private key appears to be
missing from the cert database on one of the directory servers
(specifically the "first" directory server).
I haven't quite joined the dots on how custodia is working here, but using
the following command:
sudo certutil -L -d /etc/pki/pki-tomcat/alias
I can determine that on the first directory server, the trust attributes
for this cert are ",,P" whereas on the other two CA directory servers, the
trust attributes are "u,u,uP", and that indeed the key is missing from the
first directory server in this database.
I also note that the cert databases seem to be divergent in other ways
between the CA servers. Which I find interesting.
But anyway, so my next action is to copy the cert databases to another
machine and to try to import the cert/key from a "good" CA db to the "bad"
CA db using pk12util.
This gives me a segmentation fault.
So, I try with a new DB. I export all the cert/key pairs from the "bad" CA
individually and import them into a new DB, replicating the trust
attributes. So far so good. I also export the missing cert/key from a
"good" CA and import that into the same new DB. Also apparently good.
The solution?
So, at this point, I feel relatively confident that I have constructed a
good DB and I should be able to perform some surgery to remove the old
"bad" DB and replace it with this "good" DB.
My questions are:
1. Does this approach seem reasonable or am I oversimplifying?
2. If this is a reasonable approach: what's my best method for performing
the surgery? ipactl stop, move bad db directory out of way, move "good" db
in, don't forget the selinux stuff, then ipactl start again?
3. How could this even happen in the first place? Is it a known issue?
4. Shouldn't the CA databases basically all look the same between servers
created at the same time? Why might they diverge?
5. Do you have any other comments or questions which you feel might be
pertinent?
Thanks in advance for any input or insights shared.
Best Regards
Andy
--
<https://www.treatwell.com/>
Andrew Stubbs, PhD
Head of Technical Operations
treatwell.co.uk
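As an added example (not code from this post or from FreeIPA), a small parser for the certutil -L listing format used above: it flags nicknames whose trust attributes carry no "u" in any field (certificate present, private key absent, as with ",,P" here) and diffs two CA databases. The two listings are constructed sample data, not the poster's servers.

```python
import re

# Constructed `certutil -L -d /etc/pki/pki-tomcat/alias` listings (sample data):
# a healthy CA replica, and one where the audit signing cert lost its private key.
GOOD_DB = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,uP
subsystemCert cert-pki-ca                                    u,u,u
"""
# Only the audit cert carries "u,u,uP", so this yields the ",,P" case from the post.
BAD_DB = GOOD_DB.replace("u,u,uP", ",,P")


def parse_certutil_list(text):
    """Map nickname -> trust string (SSL,S/MIME,JAR/XPI) from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") \
                or line.strip() == "SSL,S/MIME,JAR/XPI":
            continue
        m = re.match(r"^(.+?)\s{2,}(\S+)$", line)  # nickname, 2+ spaces, trust flags
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def has_private_key(trust):
    """certutil prints 'u' in a trust field when the private key is in the database."""
    return "u" in trust


def missing_keys(certs):
    """Nicknames present as certificates but without a private key."""
    return sorted(n for n, t in certs.items() if not has_private_key(t))


def compare_databases(ref, other):
    """Nicknames whose presence or trust flags differ between two listings."""
    return {n: (ref.get(n), other.get(n))
            for n in set(ref) | set(other) if ref.get(n) != other.get(n)}
```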
5 years, 2 months
DNS not resolving IPA Clients or IPA Server
by Sameer Gurung
Hi all,
have weird problem suddenly. I was getting a DNS update error on client
installs. My server has been installed with the setup-dns option. While
trying to figure that problem out I dont know what I did but now the ipa
dns server does not resolve any ipa clients. I had set it up as a
forwarding server and it does forward requests (forward only) but now none
of my clients hostnames can be resolved. Where do I start figuring this
problem out.
A noob here, so looking for all the help I can get.
with regards,
Sameer Kr. Gurung
5 years, 2 months
Re: How to use HBAC rules on services where Ipsilon is used
by SOLER SANGUESA Miguel
I have added the service on IPA and changed the HBAC rule from "any service" to "ipsilon", but now I cannot log in to Ipsilon.
Also, I've checked that there is no '/etc/pam.d/ipsilon' file.
Thanks & Regards.
______________________________
Miguel Soler Sangüesa
Consultant - Linux Systems Administrator
OPPV - Linux Server Support
5 years, 2 months
weird problems with passwords and user accounts
by Karl Forner
[ tried to create the thread by mail, but did not seem to work, so I'm creating it from the web UI. Sorry if there's a duplicate coming in...]
Hi,
The problem started with a user that could not connect with his initial password from the GUI: Username or password incorrect.
I reset it myself, and tried with the new temp password: idem.
I retried many many times. Same.
I tried creating a new user, same.
In the meantime I realized the admin password had expired.
I could not update it successfully via the command-line, but I could using the GUI.
I tried many things, but now "ipa user-status" fails for a lot of accounts:
pa: ERROR: xxxxx: user not found
I tried creating a new account from the command line with ipa user-add, then asked for its status using "ipa user-status"; it failed the same way.
What's happening?
What should I try?
Thanks.
5 years, 2 months
Unauthorized: kinit: Generic preauthentication failure while getting initial credentials
by Karl Forner
I tried to dig a little on my problem where new accounts or passwords-reset accounts can no longer connect to the web UI.
Looking a /var/log/http.log:
for a user that fails (brand new account):
[Tue Jul 10 13:46:20.536415 2018] [wsgi:error] [pid 1526] ipa: INFO: 401 Unauthorized: kinit: Generic preauthentication failure while getting initial credentials
[Tue Jul 10 13:46:20.536605 2018] [wsgi:error] [pid 1526]
for a user that works:
[Tue Jul 10 13:48:44.776366 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: i18n_messages(): SUCCESS
[Tue Jul 10 13:48:44.783299 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: config_show(): SUCCESS
[Tue Jul 10 13:48:44.945623 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: user_find(None, whoami=True, all=True): SUCCESS
[Tue Jul 10 13:48:44.946730 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: env(None): SUCCESS
[Tue Jul 10 13:48:44.956964 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: dns_is_enabled(): SUCCESS
[Tue Jul 10 13:48:44.963362 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: trustconfig_show(): NotFound
....
What should I look into next ?
Thanks.
5 years, 2 months
Re: Certificates renewing with the wrong Subject
by Jakob Ackermann
I'm getting the same problem. Did you find a solution? I cannot get my certificates to renew with the right subject. It is always adding the hostname of a deleted replica into 'cert_subject_der'.
Thanks,
Jakob
5 years, 2 months
AIX 7.x with sudo, netgroups, LDAP and Kerberos
by Pieter Baele
I have currently been assisting an AIX colleague to use IPA as
authentication/authz provider for AIX systems.
That way we are moving to a common platform.
We have found some examples on the web (AIX 5.x, AIX 6); information here
and there - but for the moment we still have a few issues.
The proprietary AIX schema extensions would be nice to have, but are not
required (as I have read in earlier posts).
Has anyone seen a complete working example for an AIX client configuration
for FreeIPA?
Once we have found everything; I'll try to share the information.
-- PieterB
5 years, 2 months
kpasswd: Preauthentication failed getting initial ticket
by lune voo
Hello !
I am contacting you because I encounter a problem when I use kpasswd via
the Python Popen function.
I use freeipa 3.0 and python 2.6.6.
Here is what I do in python:
import shlex
from subprocess import Popen, PIPE, STDOUT

# otp, password and user_login are set earlier by the caller
# answers fed to kpasswd on stdin: OTP, then the new password twice
input_process = otp + '\n' + password + '\n' + password
cmd = 'kpasswd %s' % user_login
cmd_and_args = shlex.split(cmd)
# stderr is merged into stdout, so 'error' is always None here
p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
(output, error) = p.communicate(input=input_process)
Before doing that, I performed the following command in order to have more
logs :
export KRB5_TRACE=/dev/stdout
And here is what I see in the logs :
###
[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.610998: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611016: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611044: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611089: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key
aes256-cts/2559
[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611208: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611219: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611240: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611256: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key
aes256-cts/2559
[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
[47700] 1530630765.611299: Encoding request body and padata into FAST
request
[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
[47700] 1530630765.611418: Resolving hostname ipamasterhostname
[47700] 1530630765.611608: Initiating TCP connection to stream
ipamasterIP:88
[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
[47700] 1530630765.675208: Response was from master KDC
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional
pre-authentication required
[47700] 1530630765.675249: Decoding FAST response
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM: [47700] 1530630765.682884: Preauth module
encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.682891: Encoding request body and padata into FAST
request
[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
[47700] 1530630765.682967: Resolving hostname ipamasterhostname
[47700] 1530630765.683098: Initiating TCP connection to stream
ipamasterIP:88
[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
[47700] 1530630765.756302: Response was from master KDC
[47700] 1530630765.756321: Received error from KDC:
-1765328360/Preauthentication failed
[47700] 1530630765.756325: Decoding FAST response
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133,
137
kpasswd: Preauthentication failed getting initial ticket
)
###
I don't yet understand why the kpasswd command is failing.
My admin ticket is good.
My ticket cache is used only by me.
Could you help me to understand what is going on, please?
Is there a way to use ipa python library to perform a kpasswd instead of
popen of kpasswd command ?
Best regards.
Lune
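Added example, not from the post and not part of FreeIPA or MIT krb5: a parser for KRB5_TRACE output in the format shown above. It re-joins records that the mail client wrapped onto several lines, then decodes the KDC error numbers and the pre-authentication type numbers into their symbolic names. The trace excerpt is constructed from the values quoted in the post.

```python
import re

# Constructed excerpt in the KRB5_TRACE format from the post (values taken from it),
# keeping the mail wrapping: continuation lines have no "[pid] timestamp:" prefix.
TRACE = """[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional
pre-authentication required
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.756321: Received error from KDC:
-1765328360/Preauthentication failed
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133,
137
"""

# Symbolic names from the MIT krb5 error table (ERROR_TABLE_BASE_krb5 = -1765328384).
KRB5_ERRORS = {-1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",
               -1765328359: "KRB5KDC_ERR_PREAUTH_REQUIRED"}
# Pre-authentication data type numbers (RFC 4120, RFC 6113, RFC 6560).
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE",
            136: "PA-FX-FAST", 137: "PA-FX-ERROR",
            138: "PA-ENCRYPTED-CHALLENGE", 141: "PA-OTP-CHALLENGE"}
PA_LIST = re.compile(r"(Processing preauth types|Preauth tryagain input types|"
                     r"Produced preauth for next request): (.*)")


def unwrap(text):
    """Re-join trace records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if re.match(r"^\[\d+\] \d+\.\d+: ", line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def summarize(text):
    """Return KDC errors and preauth type lists as tuples, in trace order."""
    events = []
    for rec in unwrap(text):
        body = rec.split(": ", 1)[-1]  # drop the "[pid] timestamp:" prefix
        m = re.match(r"Received error from KDC: (-?\d+)/(.*)", body)
        if m:
            code = int(m.group(1))
            events.append(("kdc_error", code, KRB5_ERRORS.get(code, "unknown"), m.group(2)))
            continue
        m = PA_LIST.match(body)
        if m:  # types the KDC offered, or the ones the client produced for its next request
            kind = "produced" if m.group(1).startswith("Produced") else "offered"
            events.append((kind, [(int(t), PA_TYPES.get(int(t), "unknown"))
                                  for t in m.group(2).split(",")]))
    return events
```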
5 years, 2 months
AD user shown id command but visible for ldapsearch
by Pieter Baele
Hi,
On a test FreeIPA environment (4.5.0-22), a user is shown using the id
command, so ID Override is working as well.
id xxxx(a)accmsnet.railb.be
uid=8028(xxx(a)Accmsnet.railb.be) gid=4030(ucc)
groups=4030(ucc),702800513(domain users(a)Accmsnet.railb.be
),1318400009(ad_users)
However this particular (AD) user is not shown using an ldapsearch in the
compat
ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be
'(&(objectClass=posixAccount)(uid=xxxx))'
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=mcj7700))
# requesting: ALL
#
# search result
search: 4
result: 0 Success
Any idea? This is not happening in our production environment.
I cleared caches, enabled slapi-compat, and even tried adding the
resolution by an ldif to be sure.
I also re-ran ipa-adtrust-install.
I really don't understand why the AD users are not visible in LDAP....
Sincerely Pieter
5 years, 2 months