November 2019 - FreeIPA-users - Fedora Mailing-Lists

dnssec - client installation does not create A record

by lejeczek

hi guys Successful clients installation should create A record in the zone, right? Would it fail to do so for a signed zone? Should it fail? many thanks, L.

4 years, 5 months

1
1
0 / 0

one-way AD trust with shared secret - does it really work in 4.6.5 version?

by lejeczek

hi guys I've have AD trust work fine (gssapi), ssh & samba are password-less when the trust is establish with 'admin' credentials. But the strory is very different with 'shared secret'. Kerberos does not work, passwords are asked for and with Windows cifs - asks for username and no authentication even with passwords! And this weird bit, I do: $ ipa trust-add --all --two-way=0 --type=ad bec.private.mac.ac.uk --trust-secret --server=win8-vm.bec.private.mac.ac.uk Shared secret for the trust: ... Here, for the 'secret' I can punch in anything and IPA will say that the trust was added successfully - this surely must not be right, right? So, should 'secret' work for one-way incoming trust in IPA? To me, it does not seem like. many thanks, L.

4 years, 5 months

2
6
0 / 0

Password sync from AD sets passwords to expired

by Eugene V

FreeIPA 4.6.5 Windows 2019 Domain Controller We have 389 Directory Password Synchronization set up according to manual here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... When user changes their password in AD, password gets synced to FreeIPA - this is perfect. But at same time password is immediately set to "expired" in FreeIPA. I understand this is correct behavior for resets. But this page: https://www.freeipa.org/page/New_Passwords_Expired Says that sync agents are exception: One of the features we decided to embed in FreeIPA is that when a password is first set or when a password is later reset we mark this password as immediately expired and require the owner to perform a password change. The only exception is for password synchronization agents.

4 years, 5 months

2
1
0 / 0

SOC documentation

by Shumel Rahman

Hi I would like to know if you have any T&C's and other such documentation that would satisfy a SOC Audit? I understand that FreeIPA is Open Source but perhaps there some relevant documentation on this topic. FreeIPA is used by our organisation for access to a key application and as such falls into scope of our audit. Do let me know if any clarification of the above is required. Or indeed any questions or feedback. I look forward to hearing from you. Regards Shumel *Shumel Rahman* Application Manager for Tech +46 760009846 iZettle – Tools to build your business izettle.com <http://instagram.com/izettle>

4 years, 5 months

2
1
0 / 0

ipa-replica-install latest failure attempt:

by Auerbach, Steven

Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server 3.0.0.1_51 (name : ipa01) Yum installed ipa-server, ipa-server-dns, bind-dyndb-ldap on the target Linux 7.6 server (name: ipa04) Copied the file to the target server to which ipa-server 4.6.5-11.0.1 is installed (ipa04) Copied the file :/usr/share/ipa/copy-schema-to-ca.py from ipa v4.6 server to the ipa v3.0 server and executed it successfully. Edited the /etc/resolv.con on ipa04 to include ipa01. Did not reboot. Executed ipa-replica-install --setup-dns --forwarder=8.8.8.8 --setup-ca /var/lib/ipa/replica-info-ipa04.fbog.local.gpg (on ipa04) Directory Manager (existing master) password: Checking DNS forwarders, please wait ... Run connection check to master admin(a)FBOG.LOCAL password: Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds [1/41]: creating directory server instance [2/41]: enabling ldapi [3/41]: configure autobind for root [4/41]: stopping directory server [5/41]: updating configuration in dse.ldif [6/41]: starting directory server [7/41]: adding default schema [8/41]: enabling memberof plugin [9/41]: enabling winsync plugin [10/41]: configuring replication version plugin [11/41]: enabling IPA enrollment plugin [12/41]: configuring uniqueness plugin [13/41]: configuring uuid plugin [14/41]: configuring modrdn plugin [15/41]: configuring DNS plugin [16/41]: enabling entryUSN plugin [17/41]: configuring lockout plugin [18/41]: configuring topology plugin [19/41]: creating indices [20/41]: enabling referential integrity plugin [21/41]: configuring certmap.conf [22/41]: configure new location for managed entries [23/41]: configure dirsrv ccache [24/41]: enabling SASL mapping fallback [25/41]: restarting directory server [26/41]: creating DS keytab [27/41]: ignore time skew for initial replication [28/41]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 3 seconds elapsed Update succeeded [29/41]: prevent time skew after initial replication [30/41]: adding sasl mappings to the directory [31/41]: updating schema [32/41]: setting Auto Member configuration [33/41]: enabling S4U2Proxy delegation [34/41]: initializing group membership [35/41]: adding master entry [36/41]: initializing domain level [37/41]: configuring Posix uid/gid generation [38/41]: adding replication acis [39/41]: activating sidgen plugin [40/41]: activating extdom plugin [41/41]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc) [1/5]: configuring KDC [2/5]: adding the password extension to the directory [3/5]: creating anonymous principal [4/5]: starting the KDC [5/5]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [2/3]: importing CA certificates from LDAP [3/3]: restarting directory server Done configuring directory server (dirsrv). Configuring the web interface (httpd) [1/22]: stopping httpd [2/22]: setting mod_nss port to 443 [3/22]: setting mod_nss cipher suite [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [5/22]: setting mod_nss password file [6/22]: enabling mod_nss renegotiate [7/22]: disabling mod_nss OCSP [8/22]: adding URL rewriting rules [9/22]: configuring httpd [10/22]: setting up httpd keytab [error] NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: ERROR wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Process works all the way down to configuring the HTTP Interface. 2019-11-16T16:18:24Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab 2019-11-16T16:18:24Z DEBUG Waiting for replication (ldap://ipa01.fbog.local:389) krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local (objectclass=*) 2019-11-16T16:18:33Z DEBUG Still waiting for replication of krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local<mailto:krbprincipalname=HTTP/ipa04.fbog.local@FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local> 2019-11-16T16:23:24Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 656, in request_service_keytab timeout=api.env.replication_wait_timeout File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 209, in wait_for_entry connection, dn NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local 2019-11-16T16:23:24Z DEBUG [error] NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local 2019-11-16T16:23:24Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run return cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 629, in main replica_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in install fstore=fstore) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 175, in install_http subject_base=config.subject_base, master_fqdn=config.master_host_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 188, in create_instance self.start_creation() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 656, in request_service_keytab timeout=api.env.replication_wait_timeout File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 209, in wait_for_entry connection, dn 2019-11-16T16:23:24Z DEBUG The ipa-replica-install command failed, exception: NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local 2019-11-16T16:23:24Z ERROR wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local Not sure where to go from here. Did I leave out some declaration or specification on the initial command? Steven Auerbach Assistant Director of Information Systems Information Technology & Security State University System of Florida Board of Governors 325 W. Gaines Street Tallahassee, Florida 32399 (850) 245-9592 www.flbog.edu<http://www.flbog.edu/> [Graphic for Email]

4 years, 5 months

1
0
0 / 0

IPA-automounted user home and git

by Ronald Wimmer

Today I've encountered a strange problem on a Centos 7.7 machine with IPA automounted user homes. When I try to do a git clone in my home directory using SSH I it aborts abnormally with the following error message: remote: Enumerating objects: 4045, done. remote: Counting objects: 100% (4045/4045), done. remote: Compressing objects: 100% (3509/3509), done. fatal: write error: Bad file descriptor fatal: index-pack failed Why am I relating this to IPA? It works with a local non-IPA user. (OS is up to date. git version is 1.8.3.1) Any ideas what is going on? Cheers, Ronald

4 years, 5 months

2
1
0 / 0

FreeIPA fails to start on CentOS 8

by Andrew Meyer

I am trying to migrate to CentOS 8 in my home lab. And I have gotten FreeIPA installed. However I am using caprica.space as my domain name but I don't think bind/named likes me using that. Is this an issue the version in FreeIPA or did I do something wrong? I found this out because FreeIPA won't start. Fails on named. 14-Nov-2019 13:00:43.566 zone 100.51.198.IN-ADDR.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone 113.0.203.IN-ADDR.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone 255.255.255.255.IN-ADDR.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone D.F.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone 8.E.F.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone 9.E.F.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone A.E.F.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone B.E.F.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down 14-Nov-2019 13:00:43.566 zone EMPTY.AS112.ARPA/IN: shutting down 14-Nov-2019 13:00:43.620 LDAP configuration for instance 'ipa' synchronized 14-Nov-2019 13:00:43.657 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded' 14-Nov-2019 13:00:43.669 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted 14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type 14-Nov-2019 13:00:43.822 zone 10.150.10.in-addr.arpa/IN: loaded serial 1573758043 14-Nov-2019 13:00:43.822 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' has no address records (A or AAAA) 14-Nov-2019 13:00:43.822 zone caprica.space/IN: not loaded due to errors. 14-Nov-2019 13:00:43.822 1 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 1 failed to load) 14-Nov-2019 13:00:43.824 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' has no address records (A or AAAA) 14-Nov-2019 13:00:43.824 zone caprica.space/IN: not loaded due to errors. 14-Nov-2019 13:00:43.824 update_zone (syncrepl) failed for master zone DN 'idnsname=caprica.space.,cn=dns,dc=caprica,dc=space'. Zones can be outdated, run `rndc reload`: bad zone 14-Nov-2019 13:01:38.383 received control channel command 'stop' 14-Nov-2019 13:01:38.384 shutting down: flushing changes 14-Nov-2019 13:01:38.384 stopping command channel on 127.0.0.1#953 14-Nov-2019 13:01:38.384 stopping command channel on ::1#953 14-Nov-2019 13:01:38.385 unloading DynDB instance 'ipa' 14-Nov-2019 13:01:38.386 zone 10.150.10.in-addr.arpa/IN: shutting down 14-Nov-2019 13:01:38.387 no longer listening on ::#53 14-Nov-2019 13:01:38.387 no longer listening on 127.0.0.1#53 14-Nov-2019 13:01:38.387 no longer listening on 10.150.10.15#53 14-Nov-2019 13:01:38.404 exiting

4 years, 5 months

2
5
0 / 0

Can AD admins convert a 1-way trust to a 2-way trust without touching the freeIPA system?

by Chris Dagdigian

I just got CCd on an email chain concerning a conversion of 1-way AD trusts to 2-way trust for some realms and domains we use in one of the public cloud providers. The AD team is finally responding to all the issues they caused us in the cloud by refusing a 2-way trust in the first place. It caused enough hassles on the pure Windows side of things that Senior Management got involved, heh. I was the one who worked with the AD folk to set up the 1-way trust to our custom realm and it involved pre-shared secrets and joint coordinated actions. But this time around the language in the email is sort of like "hey we are just giving you a heads up on a change that will be made live this weekend .." So consider this a vague query along the lines of "Will this actually work?" -- Can a 1-way trust be made into a 2-way trust with actions entirely performed on the AD side of things? The AD people have no access and no idea how FreeIPA works. I was sort of thinking that I'd have to tear down the 1-way and set up a new 2-way trust but then I realized I've never done that before and I'm not sure how it works on the AD side of things. Any tips on FreeIPA and 1-way to 2-way trust conversions would be appreciated, thanks! Chris

4 years, 5 months

2
1
0 / 0

Unable to authorize via HTTP

by Tristan Weis

Hey guys, I set up my very first FreeIPA installation and I'm currently dealing with an issue I hope you can help me with. I'm running FreeIPA version 4.7.1 on CentOS 8. I installed about 3 weeks ago, had been working fine up until a few days ago (after a restart). I'm encountering several symptoms: The WebUI won't let me log in anymore ("Login failed due to an unknown reason.") This was the first error I noticed... since it only happened for users not already logged in, I suspected wrong password entries. After a server restart everyone got locked out though. Other post-restart commands that are not working any more: certutil -L certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. ipa ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection refused ipa-getkeytab -p HTTP/*(a)*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab Failed to load translations SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)! Failed to bind to server! Retrying with pre-4.0 keytab retrieval method... SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)! Failed to bind to server! Failed to get keytab (works with binddn though) kinit, klist and other kerberos/ldap logins are working fine! Logfiles: /var/log/httpd/error_log [Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS [Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/ [Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/ [Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',)) /var/log/krb5kdc.log Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS(a)*.* for krbtgt/*.*(a)*.* Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: *(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for krbtgt/*.*(a)*.* Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12 Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for HTTP/ipa.*.*(a)*.* Nov 14 17:14:34 ipa.eagleeye-film.de krb5kdc[22507](info): closing down fd 12 I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and all non-http authorizations seem to work. I have been working on a samba configuration for the same server; I have a feeling that some of my experiments (ipa-adtrust-install, authconfig, chmod on keytab, net sam provision) messed with the rest of the system... I tried to backtrack/revert as much as I could, but nothing helped so far. I also think the first WebUI errors occured before already. I'd be so happy if anyone could help! So far I've been able to find solutions for every issue, but this seems to be a tough one. Thanks! -Tristan

4 years, 5 months

2
3
0 / 0

ipa-replica-install --setup-ca failing

by Per Qvindesland

Hi I have a centos 7 with ipa server 4.7.1-11 installed. When I run ipa-replica-install --setup-ca it seems to be synchronising with the ipa server but failing the ca setup part Has anyone seen this error before? Regards Per Installation failed: server failed to restart 2019-11-13T16:45:57Z DEBUG stderr=WARNING: Password was garbage collected before it was cleared. WARNING: Password was garbage collected before it was cleared. WARNING: Password was garbage collected before it was cleared. pkispawn : ERROR Server did not start after 60s configuration : ERROR Server failed to restart pkispawn : ERROR Exception: server failed to restart File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main scriptlet.spawn(deployer) File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn raise Exception("server failed to restart") 2019-11-13T16:45:57Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwhuna0va'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\npkispawn : ERROR Server did not start after 60s\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n raise Exception("server failed to restart")\n\n') 2019-11-13T16:45:57Z CRITICAL See the installation logs and the following files/directories for more information: 2019-11-13T16:45:57Z CRITICAL /var/log/pki/pki-tomcat 2019-11-13T16:45:57Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 164, in spawn_instance ipautil.run(args, nolog=nolog_list) File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 574, in run p.returncode, arg_string, output_log, error_log ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwhuna0va'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\npkispawn : ERROR Server did not start after 60s\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n raise Exception("server failed to restart")\n\n') During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 674, in __spawn_instance pki_pin) File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 409, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) RuntimeError: CA configuration failed. 2019-11-13T16:45:57Z DEBUG [error] RuntimeError: CA configuration failed. 2019-11-13T16:45:57Z DEBUG Removing /root/.dogtag/pki-tomcat/ca 2019-11-13T16:45:57Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run return cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 583, in main replica_install(self) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 400, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1262, in install ca.install(False, config, options, custodia=custodia) File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 239, in install install_step_0(standalone, replica_config, options, custodia=custodia) File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 318, in install_step_0 use_ldaps=standalone) File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 484, in configure_instance self.start_creation(runtime=runtime) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 674, in __spawn_instance pki_pin) File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 409, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) 2019-11-13T16:45:57Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed. 2019-11-13T16:45:57Z ERROR CA configuration failed. 2019-11-13T16:45:57Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

4 years, 5 months

3
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users November 2019