one-way AD trust with shared secret - does it really work in 4.6.5 version?
by lejeczek
hi guys
I've had AD trust work fine (gssapi): ssh & samba are password-less
when the trust is established with 'admin' credentials.
But the story is very different with 'shared secret'. Kerberos does not
work, passwords are asked for, and with Windows cifs it asks for username
and there is no authentication even with passwords!
And this weird bit, I do:
$ ipa trust-add --all --two-way=0 --type=ad bec.private.mac.ac.uk
--trust-secret --server=win8-vm.bec.private.mac.ac.uk
Shared secret for the trust:
...
Here, for the 'secret' I can punch in anything and IPA will say that the
trust was added successfully - this surely must not be right, right?
So, should 'secret' work for one-way incoming trust in IPA? To me, it
does not seem like it.
many thanks, L.
4 years, 5 months
SOC documentation
by Shumel Rahman
Hi
I would like to know if you have any T&C's and other such documentation
that would satisfy a SOC Audit? I understand that FreeIPA is Open Source
but perhaps there is some relevant documentation on this topic. FreeIPA is
used by our organisation for access to a key application and as such falls
into scope of our audit.
Do let me know if any clarification of the above is required. Or indeed any
questions or feedback. I look forward to hearing from you.
Regards
Shumel
*Shumel Rahman*
Application Manager for Tech
+46 760009846
iZettle – Tools to build your business
izettle.com <http://instagram.com/izettle>
4 years, 5 months
ipa-replica-install latest failure attempt:
by Auerbach, Steven
Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server 3.0.0.1_51 (name : ipa01)
Yum installed ipa-server, ipa-server-dns, bind-dyndb-ldap on the target Linux 7.6 server (name: ipa04)
Copied the file to the target server to which ipa-server 4.6.5-11.0.1 is installed (ipa04)
Copied the file :/usr/share/ipa/copy-schema-to-ca.py from ipa v4.6 server to the ipa v3.0 server and executed it successfully.
Edited the /etc/resolv.conf on ipa04 to include ipa01. Did not reboot.
Executed ipa-replica-install --setup-dns --forwarder=8.8.8.8 --setup-ca /var/lib/ipa/replica-info-ipa04.fbog.local.gpg (on ipa04)
Directory Manager (existing master) password:
Checking DNS forwarders, please wait ...
Run connection check to master
admin(a)FBOG.LOCAL password:
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
[4/41]: stopping directory server
[5/41]: updating configuration in dse.ldif
[6/41]: starting directory server
[7/41]: adding default schema
[8/41]: enabling memberof plugin
[9/41]: enabling winsync plugin
[10/41]: configuring replication version plugin
[11/41]: enabling IPA enrollment plugin
[12/41]: configuring uniqueness plugin
[13/41]: configuring uuid plugin
[14/41]: configuring modrdn plugin
[15/41]: configuring DNS plugin
[16/41]: enabling entryUSN plugin
[17/41]: configuring lockout plugin
[18/41]: configuring topology plugin
[19/41]: creating indices
[20/41]: enabling referential integrity plugin
[21/41]: configuring certmap.conf
[22/41]: configure new location for managed entries
[23/41]: configure dirsrv ccache
[24/41]: enabling SASL mapping fallback
[25/41]: restarting directory server
[26/41]: creating DS keytab
[27/41]: ignore time skew for initial replication
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[29/41]: prevent time skew after initial replication
[30/41]: adding sasl mappings to the directory
[31/41]: updating schema
[32/41]: setting Auto Member configuration
[33/41]: enabling S4U2Proxy delegation
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: setting mod_nss port to 443
[3/22]: setting mod_nss cipher suite
[4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[5/22]: setting mod_nss password file
[6/22]: enabling mod_nss renegotiate
[7/22]: disabling mod_nss OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
[10/22]: setting up httpd keytab
[error] NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Process works all the way down to configuring the HTTP Interface.
2019-11-16T16:18:24Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
2019-11-16T16:18:24Z DEBUG Waiting for replication (ldap://ipa01.fbog.local:389) krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local (objectclass=*)
2019-11-16T16:18:33Z DEBUG Still waiting for replication of krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
2019-11-16T16:23:24Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 656, in request_service_keytab
timeout=api.env.replication_wait_timeout
File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 209, in wait_for_entry
connection, dn
NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
2019-11-16T16:23:24Z DEBUG [error] NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
2019-11-16T16:23:24Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 629, in main
replica_install(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1507, in install
fstore=fstore)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 175, in install_http
subject_base=config.subject_base, master_fqdn=config.master_host_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 188, in create_instance
self.start_creation()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 656, in request_service_keytab
timeout=api.env.replication_wait_timeout
File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 209, in wait_for_entry
connection, dn
2019-11-16T16:23:24Z DEBUG The ipa-replica-install command failed, exception: NotFound: wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
2019-11-16T16:23:24Z ERROR wait_for_entry timeout on ldap://ipa01.fbog.local:389 for krbprincipalname=HTTP/ipa04.fbog.local(a)FBOG.LOCAL,cn=services,cn=accounts,dc=fbog,dc=local
Not sure where to go from here. Did I leave out some declaration or specification on the initial command?
Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street
Tallahassee, Florida 32399
(850) 245-9592
www.flbog.edu
4 years, 5 months
IPA-automounted user home and git
by Ronald Wimmer
Today I've encountered a strange problem on a CentOS 7.7 machine with
IPA-automounted user homes.
When I try to do a git clone in my home directory using SSH, it aborts
abnormally with the following error message:
remote: Enumerating objects: 4045, done.
remote: Counting objects: 100% (4045/4045), done.
remote: Compressing objects: 100% (3509/3509), done.
fatal: write error: Bad file descriptor
fatal: index-pack failed
Why am I relating this to IPA? It works with a local non-IPA user. (OS
is up to date; git version is 1.8.3.1)
Any ideas what is going on?
Cheers,
Ronald
4 years, 5 months
FreeIPA fails to start on CentOS 8
by Andrew Meyer
I am trying to migrate to CentOS 8 in my home lab, and I have gotten FreeIPA installed. However, I am using caprica.space as my domain name, but I don't think bind/named likes me using that. Is this an issue with the version in FreeIPA, or did I do something wrong? I found this out because FreeIPA won't start. It fails on named.
14-Nov-2019 13:00:43.566 zone 100.51.198.IN-ADDR.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 113.0.203.IN-ADDR.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 255.255.255.255.IN-ADDR.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone D.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 8.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 9.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone A.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone B.E.F.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down
14-Nov-2019 13:00:43.566 zone EMPTY.AS112.ARPA/IN: shutting down
14-Nov-2019 13:00:43.620 LDAP configuration for instance 'ipa' synchronized
14-Nov-2019 13:00:43.657 LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
14-Nov-2019 13:00:43.669 managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.819 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.820 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.821 dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
14-Nov-2019 13:00:43.822 zone 10.150.10.in-addr.arpa/IN: loaded serial 1573758043
14-Nov-2019 13:00:43.822 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' has no address records (A or AAAA)
14-Nov-2019 13:00:43.822 zone caprica.space/IN: not loaded due to errors.
14-Nov-2019 13:00:43.822 1 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 1 failed to load)
14-Nov-2019 13:00:43.824 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' has no address records (A or AAAA)
14-Nov-2019 13:00:43.824 zone caprica.space/IN: not loaded due to errors.
14-Nov-2019 13:00:43.824 update_zone (syncrepl) failed for master zone DN 'idnsname=caprica.space.,cn=dns,dc=caprica,dc=space'. Zones can be outdated, run `rndc reload`: bad zone
14-Nov-2019 13:01:38.383 received control channel command 'stop'
14-Nov-2019 13:01:38.384 shutting down: flushing changes
14-Nov-2019 13:01:38.384 stopping command channel on 127.0.0.1#953
14-Nov-2019 13:01:38.384 stopping command channel on ::1#953
14-Nov-2019 13:01:38.385 unloading DynDB instance 'ipa'
14-Nov-2019 13:01:38.386 zone 10.150.10.in-addr.arpa/IN: shutting down
14-Nov-2019 13:01:38.387 no longer listening on ::#53
14-Nov-2019 13:01:38.387 no longer listening on 127.0.0.1#53
14-Nov-2019 13:01:38.387 no longer listening on 10.150.10.15#53
14-Nov-2019 13:01:38.404 exiting
4 years, 5 months
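The named log above refuses to load caprica.space because its NS target, freeipa01.asm.caprica.space, is a name inside the zone with no A/AAAA record. The following is an added example, not code from the post or from FreeIPA: it pulls the offending name servers out of named log lines and then checks a set of zone records for the same condition (in-bailiwick NS targets without address records). The zone records, the ipa-ca name and the out-of-zone name server are constructed; the address 10.150.10.15 is reused from the listen line in the post as an assumed value.

```python
"""Check a zone's NS records for missing address (glue) records, the condition
named reports as "NS '...' has no address records (A or AAAA)".
Sample data is constructed to mirror the post; it is not pulled from any server."""
import re
from dataclasses import dataclass

NO_ADDR_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: NS '(?P<ns>[^']+)' has no address records")


@dataclass(frozen=True)
class Record:
    name: str    # owner name, fully qualified (trailing dot optional)
    rtype: str   # "NS", "A", "AAAA", ...
    rdata: str


def _norm(name):
    return name.rstrip(".").lower()


def _in_bailiwick(name, zone):
    """True when `name` is the zone apex or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def nameservers_without_addresses(log_lines):
    """Extract {zone: {ns, ...}} from named log lines that report the failure."""
    found = {}
    for line in log_lines:
        m = NO_ADDR_RE.search(line)
        if m:
            found.setdefault(_norm(m["zone"]), set()).add(_norm(m["ns"]))
    return found


def missing_glue(zone, records):
    """NS targets inside `zone` that have no A/AAAA record in the zone data.
    NS targets outside the zone need no glue here and are not reported."""
    has_addr = {_norm(r.name) for r in records if r.rtype in ("A", "AAAA")}
    missing = set()
    for r in records:
        if r.rtype == "NS":
            target = _norm(r.rdata)
            if _in_bailiwick(target, zone) and target not in has_addr:
                missing.add(target)
    return sorted(missing)


NAMED_LOG_SAMPLE = [  # constructed from the post's log excerpt
    "14-Nov-2019 13:00:43.822 zone 10.150.10.in-addr.arpa/IN: loaded serial 1573758043",
    "14-Nov-2019 13:00:43.822 zone caprica.space/IN: NS 'freeipa01.asm.caprica.space' "
    "has no address records (A or AAAA)",
    "14-Nov-2019 13:00:43.822 zone caprica.space/IN: not loaded due to errors.",
]

# Constructed zone data: the apex NS points at a host inside the zone,
# but no A record exists for that host.
BROKEN_ZONE = [
    Record("caprica.space", "NS", "freeipa01.asm.caprica.space."),
    Record("caprica.space", "NS", "ns.example.net."),   # out of bailiwick: no glue needed
    Record("ipa-ca.caprica.space", "A", "10.150.10.15"),
]
# Same zone after adding the address record for the name server
# (assumed address, taken from the listen line in the post).
FIXED_ZONE = BROKEN_ZONE + [Record("freeipa01.asm.caprica.space", "A", "10.150.10.15")]

if __name__ == "__main__":
    print(nameservers_without_addresses(NAMED_LOG_SAMPLE))
    print(missing_glue("caprica.space", BROKEN_ZONE))
    print(missing_glue("caprica.space", FIXED_ZONE))
```

The check is deliberately independent of where the NS host sits: a name server under a sub-label such as asm.caprica.space still needs its A/AAAA record present in the caprica.space zone data (as glue if asm is delegated, as an ordinary record if it is not). In FreeIPA the record is added with the regular dnsrecord-add command, with the name given relative to the zone (freeipa01.asm for this host); the address to use is whatever the FreeIPA server actually listens on.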
Can AD admins convert a 1-way trust to a 2-way trust without touching the freeIPA system?
by Chris Dagdigian
I just got CCd on an email chain concerning a conversion of 1-way AD
trusts to 2-way trust for some realms and domains we use in one of the
public cloud providers.
The AD team is finally responding to all the issues they caused us in
the cloud by refusing a 2-way trust in the first place. It caused enough
hassles on the pure Windows side of things that Senior Management got
involved, heh.
I was the one who worked with the AD folk to set up the 1-way trust to
our custom realm and it involved pre-shared secrets and joint
coordinated actions.
But this time around the language in the email is sort of like "hey we
are just giving you a heads up on a change that will be made live this
weekend .."
So consider this a vague query along the lines of "Will this actually
work?" -- Can a 1-way trust be made into a 2-way trust with actions
entirely performed on the AD side of things? The AD people have no
access and no idea how FreeIPA works.
I was sort of thinking that I'd have to tear down the 1-way and set up a
new 2-way trust but then I realized I've never done that before and I'm
not sure how it works on the AD side of things.
Any tips on FreeIPA and 1-way to 2-way trust conversions would be
appreciated, thanks!
Chris
4 years, 5 months
Unable to authorize via HTTP
by Tristan Weis
Hey guys,
I set up my very first FreeIPA installation and I'm currently dealing with an issue I hope you can help me with.
I'm running FreeIPA version 4.7.1 on CentOS 8. I installed about 3 weeks ago; it had been working fine up until a few days ago (after a restart).
I'm encountering several symptoms:
The WebUI won't let me log in anymore
("Login failed due to an unknown reason.")
This was the first error I noticed... since it only happened for users not already logged in, I suspected wrong password entries. After a server restart everyone got locked out though.
Other post-restart commands that are not working any more:
certutil -L
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
ipa
ERROR: cannot connect to 'https://ipa.**.**/ipa/json': [Errno 111] Connection refused
ipa-getkeytab -p HTTP/*(a)*.* -s ipa.*.* -k /var/lib/ipa/gssproxy/http.keytab
Failed to load translations
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Local error (-2) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)!
Failed to bind to server!
Failed to get keytab
(works with binddn though)
kinit, klist and other kerberos/ldap logins are working fine!
Logfiles:
/var/log/httpd/error_log
[Thu Nov 14 16:38:43.894373 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.230'): SUCCESS
[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:44.036125 2019] [:warn] [pid 24265:tid 140301800822528] [client *.*.*.*:*] KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/
[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))
/var/log/krb5kdc.log
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22498](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS(a)*.* for krbtgt/*.*(a)*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22502](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: *(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for krbtgt/*.*(a)*.*
Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12
Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for HTTP/ipa.*.*(a)*.*
Nov 14 17:14:34 ipa.eagleeye-film.de krb5kdc[22507](info): closing down fd 12
I'm suspecting some GSSAPI/certificate error... /run/ipa/ccaches is empty and all non-http authorizations seem to work.
I have been working on a samba configuration for the same server; I have a feeling that some of my experiments
(ipa-adtrust-install, authconfig, chmod on keytab, net sam provision)
messed with the rest of the system... I tried to backtrack/revert as much as I could, but nothing helped so far. I also think the first WebUI errors occurred before already.
I'd be so happy if anyone could help! So far I've been able to find solutions for every issue, but this seems to be a tough one.
Thanks!
-Tristan
4 years, 5 months
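The krb5kdc.log and httpd error_log excerpts above pull in opposite directions: the KDC issues a TGS for HTTP/ipa.*.* (so Kerberos itself is answering), while httpd cannot find the per-user ccache under /run/ipa/ccaches and cannot reach /ipa/session/cookie on port 80. The following is an added example, not code from the post or from FreeIPA, that parses both log formats and correlates them into a side-of-failure verdict. The sample lines are constructed from the redacted lines in the post, and the verdict rule (HTTP/ ticket issued plus httpd-side errors means look at httpd, not the KDC) is this example's own heuristic.

```python
"""Correlate krb5kdc.log with httpd error_log to decide whether an HTTP/GSSAPI
login failure sits on the KDC side or the httpd side.
Sample lines are constructed from the post's redacted excerpts."""
import re
from collections import Counter

# AS_REQ/TGS_REQ lines, both the NEEDED_PREAUTH and the ISSUE form.
KDC_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<client_ip>\S+): (?P<result>NEEDED_PREAUTH|ISSUE): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)
# The ccache path may itself contain parentheses (the archive rewrites @ as (a)),
# so match lazily up to the literal ") lookup failed".
CCACHE_RE = re.compile(r"KRB5CCNAME file \((?P<path>.*?)\) lookup failed")
REFUSED_RE = re.compile(r"port=(?P<port>\d+)\).*Connection refused")


def parse_kdc_line(line):
    """Return (request type, result, client principal, service principal),
    or None for lines that are not requests (e.g. 'closing down fd')."""
    m = KDC_RE.search(line)
    if not m:
        return None
    return (m["req"], m["result"], m["client"], m["service"])


def triage(kdc_lines, httpd_lines):
    """Summarise what each log says and derive a verdict on which side to inspect."""
    issued = [p for p in map(parse_kdc_line, kdc_lines) if p and p[1] == "ISSUE"]
    http_tickets = [p for p in issued
                    if p[0] == "TGS_REQ" and p[3].startswith("HTTP/")]
    ccache_paths = Counter(m["path"] for m in map(CCACHE_RE.search, httpd_lines) if m)
    refused_ports = {int(m["port"]) for m in map(REFUSED_RE.search, httpd_lines) if m}

    findings = {
        "kdc_issued_http_ticket": bool(http_tickets),
        "ccache_lookup_failures": sum(ccache_paths.values()),
        "refused_ports": refused_ports,
    }
    if http_tickets and (ccache_paths or refused_ports):
        findings["verdict"] = "httpd side"          # KDC delivered the ticket; web stack dropped it
    elif not http_tickets:
        findings["verdict"] = "no HTTP/ ticket issued"  # look at the KDC / client first
    else:
        findings["verdict"] = "inconclusive"
    return findings


KDC_SAMPLE = [  # constructed from the post's krb5kdc.log excerpt
    "Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "127.0.0.1: NEEDED_PREAUTH: *(a)*.* for krbtgt/*.*(a)*.*, Additional pre-authentication required",
    "Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): closing down fd 12",
    "Nov 14 17:14:34 ipa.*.* krb5kdc[22506](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for krbtgt/*.*(a)*.*",
    "Nov 14 17:14:34 ipa.*.* krb5kdc[22507](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "127.0.0.1: ISSUE: authtime 1573748074, etypes {rep=18 tkt=18 ses=18}, *(a)*.* for HTTP/ipa.*.*(a)*.*",
]
HTTPD_SAMPLE = [  # constructed from the post's httpd error_log excerpt
    "[Thu Nov 14 16:38:44.013990 2019] [:warn] [pid 24265:tid 140302572558080] [client *.*.*.*:*] "
    "KRB5CCNAME file (/run/ipa/ccaches/*(a)*.*) lookup failed!, referer: https://ipa.*.*/ipa/ui/",
    "[Thu Nov 14 16:38:57.098920 2019] [wsgi:error] [pid 22560:tid 140303294011136] [remote *.*.*.*:*] "
    "ipa: INFO: 401 Unauthorized: HTTPConnectionPool(host='ipa.*.*', port=80): Max retries exceeded "
    "with url: /ipa/session/cookie (Caused by NewConnectionError('<urllib3.connection.HTTPConnection "
    "object at 0x7f9ae9039f60>: Failed to establish a new connection: [Errno 111] Connection refused',))",
]

if __name__ == "__main__":
    for line in KDC_SAMPLE:
        print(parse_kdc_line(line))
    print(triage(KDC_SAMPLE, HTTPD_SAMPLE))
```

Run against the post's lines the verdict is "httpd side": the KDC side of the exchange completed, which matches the poster's own observation that kinit, klist and LDAP binds all work while only the web path fails. The same two regexes work on unredacted logs, since the principal and path patterns do not depend on the asterisks.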
ipa-replica-install --setup-ca failing
by Per Qvindesland
Hi
I have a CentOS 7 with ipa server 4.7.1-11 installed.
When I run ipa-replica-install --setup-ca, it seems to be synchronising with the IPA server but fails at the CA setup part.
Has anyone seen this error before?
Regards
Per
Installation failed: server failed to restart
2019-11-13T16:45:57Z DEBUG stderr=WARNING: Password was garbage collected before it was cleared.
WARNING: Password was garbage collected before it was cleared.
WARNING: Password was garbage collected before it was cleared.
pkispawn : ERROR Server did not start after 60s
configuration : ERROR Server failed to restart
pkispawn : ERROR Exception: server failed to restart
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn
raise Exception("server failed to restart")
2019-11-13T16:45:57Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwhuna0va'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\npkispawn : ERROR Server did not start after 60s\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n raise Exception("server failed to restart")\n\n')
2019-11-13T16:45:57Z CRITICAL See the installation logs and the following files/directories for more information:
2019-11-13T16:45:57Z CRITICAL /var/log/pki/pki-tomcat
2019-11-13T16:45:57Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 164, in spawn_instance
ipautil.run(args, nolog=nolog_list)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 574, in run
p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwhuna0va'] returned non-zero exit status 1: 'WARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\nWARNING: Password was garbage collected before it was cleared.\npkispawn : ERROR Server did not start after 60s\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n raise Exception("server failed to restart")\n\n')
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 674, in __spawn_instance
pki_pin)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 409, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2019-11-13T16:45:57Z DEBUG [error] RuntimeError: CA configuration failed.
2019-11-13T16:45:57Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2019-11-13T16:45:57Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 583, in main
replica_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 400, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1262, in install
ca.install(False, config, options, custodia=custodia)
File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 239, in install
install_step_0(standalone, replica_config, options, custodia=custodia)
File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 318, in install_step_0
use_ldaps=standalone)
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 484, in configure_instance
self.start_creation(runtime=runtime)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 674, in __spawn_instance
pki_pin)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 409, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2019-11-13T16:45:57Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2019-11-13T16:45:57Z ERROR CA configuration failed.
2019-11-13T16:45:57Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
4 years, 5 months