Resolution issues (SERVFAIL)
by Dmitry Perets
Hi,
I am experiencing a strange issue with DNS resolution between my replicas;
could you please help me figure it out?
My topology is:
rhel-ipa.ims.example.com => rhel-ipa-replica.ams.ims.example.com =>
rhel-ipa-newreplica.ams.ims.example.com
All three are IPA servers with DNS.
And I've created two zones: "ims.example.com" and "ams.ims.example.com".
It worked fine while I had just the first two IPA servers; both servers could
resolve any host in either of the two zones. But now I have added the third IPA
server (rhel-ipa-newreplica), and that new host cannot resolve anything in
the parent domain "ims.example.com"...
$ dig rhel-ipa.ims.telekom.de
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> rhel-ipa.ims.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61092
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rhel-ipa.ims.example.com. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 14 18:02:46 CET 2019
;; MSG SIZE rcvd: 52
What am I missing here...? As per my understanding, each IPA server should
"feel" authoritative for each of the two zones, because they are
replicated. So even forwarding should not take place here... Btw, I tried to
play with the forwarder configuration, but so far no luck.
What am I missing for this setup to work...?
How do I make rhel-ipa-newreplica resolve hosts from the parent domain...?
--
Regards,
Dmitry Perets.
"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel
error 32 (No such object)
by Günther J. Niederwimmer
Hello,
I found this error in the logs, but I can't say what it means.
I have a primary IPA server (ipa.example.com) and a secondary IPA server
(ipa1.example.com); I mean this has been running for a long time now. But on the "older"
primary I now have these errors.
[15/Mar/2019:09:55:36.268953631 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:00:36.523786880 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:05:36.658511034 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:10:36.262165631 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:15:36.375852651 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:20:36.318006003 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:25:36.443969376 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:30:36.431541771 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[15/Mar/2019:10:35:36.411241412 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
Can anyone please help with this problem?
--
mit freundliche Grüßen / best regards,
Günther J. Niederwimmer
Sub-zone client fails to install, GSS authentication pre-auth issues
by Callum Smith
Dear IPA Gurus
I have a client that's incapable of joining the FreeIPA realm; it's in a different DNS sub-zone but is in the same realm. I get the feeling that there's a Kerberos principal missing somewhere to get this all to work, but I can't quite see where it might be. A simple-authentication ldapsearch using cn=Directory Manager works perfectly well against the IPA host in question; however, anonymous binds are disabled. I'm not clear why this wouldn't be working.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
problem access Linux shares from Windows "ticket is likely out of date"
by fujisan
I messed up my Samba server somehow.
I'm trying to access a Linux share from Windows, and the log on the Linux
server says:
[Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/myserver.mydomain.local(a)MYDOMAIN.LOCAL kvno 8 not found in keytab; ticket is likely out of date]
How can I fix this?
Thank you.
-----------------------------------------
# net ads keytab list
Vno Type Principal
16 AES-256 CTS mode with 96-bit SHA-1 HMAC cifs/myserver.mydomain.local(a)MYDOMAIN.LOCAL
16 AES-128 CTS mode with 96-bit SHA-1 HMAC cifs/myserver.mydomain.local(a)MYDOMAIN.LOCAL
-----------------------------------------
# net conf list
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=mydomain,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
[scratch]
path = /data/scratch
comment = Scratch shared files
create mask = 0644
invalid users = opera
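The keytab listing and the GSS error in the post above are enough to check the mismatch the error describes: which key versions the keytab holds for the service principal versus the version the client's ticket was issued for. The Python diagnostic below is an added example, not Samba or FreeIPA code; it embeds constructed copies of the two artefacts with the archive's "(a)" restored to "@".

```python
import re

# Constructed sample input: the `net ads keytab list` output and the GSS
# error from the post above, with the list archive's "(a)" restored to "@".
KEYTAB_LISTING = """\
Vno Type Principal
16 AES-256 CTS mode with 96-bit SHA-1 HMAC
cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
16 AES-128 CTS mode with 96-bit SHA-1 HMAC
cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
"""
GSS_ERROR = ("Unspecified GSS failure. Minor code may provide more information: "
             "Request ticket server cifs/myserver.mydomain.local@MYDOMAIN.LOCAL "
             "kvno 8 not found in keytab; ticket is likely out of date")


def parse_keytab_listing(text):
    """Return (kvno, enctype, principal) tuples from `net ads keytab list`
    output. A line that does not start with a number is a principal that a
    mail client wrapped onto its own line, so it completes the previous entry."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Vno":
            continue
        if parts[0].isdigit():
            last = parts[-1]
            has_princ = len(parts) > 2 and ("/" in last or "@" in last)
            enctype = " ".join(parts[1:-1] if has_princ else parts[1:])
            entries.append([int(parts[0]), enctype, last if has_princ else None])
        elif entries and entries[-1][2] is None:
            entries[-1][2] = parts[0]
    return [tuple(e) for e in entries]


def parse_gss_error(msg):
    """Extract (service principal, kvno) from the 'not found in keytab' message."""
    m = re.search(r"Request ticket server (\S+) kvno (\d+) not found in keytab", msg)
    return (m.group(1), int(m.group(2))) if m else None


def diagnose(listing, gss_error):
    """Compare the key version the client's ticket was issued for with the
    key versions the keytab holds for that principal."""
    parsed = parse_gss_error(gss_error)
    if parsed is None:
        return {"finding": "not a kvno mismatch"}
    principal, ticket_kvno = parsed
    kvnos = sorted({k for k, _, p in parse_keytab_listing(listing) if p == principal})
    if not kvnos:
        finding = "principal missing from keytab"
    elif ticket_kvno in kvnos:
        finding = "kvno present; look for an enctype mismatch instead"
    elif ticket_kvno < max(kvnos):
        finding = ("ticket kvno older than keytab: the client is reusing a cached "
                   "service ticket, or the issuing KDC holds an older key than this keytab")
    else:
        finding = "ticket kvno newer than keytab: the keytab lags behind the KDC"
    return {"principal": principal, "ticket_kvno": ticket_kvno,
            "keytab_kvnos": kvnos, "finding": finding}
```

Feed it the real `net ads keytab list` output and the GSS line from the Samba log to get the same comparison for a live server.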
nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5
by Robert Sturrock
Hi All.
We have IPA set up in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to be working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubuntu 16.04, RHEL7) are all enrolled in IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
[General]
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
Any pointers appreciated!
Regards,
Robert.
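The Ubuntu and RHEL7 log lines in the post above differ only in where nss_getpwnam cuts the owner string: an AD-trust user's NFSv4 owner name carries two '@' signs, so splitting at the first one leaves a "domain" of localdomain@ipa.localdomain that can never match. The Python model below is an added example, not libnfsidmap's code; it assumes the older Ubuntu 16.04 library splits at the first '@' while newer libnfsidmap splits at the last, and the passwd table, UID and failure wording for an unknown local name are constructed.

```python
ENOENT, EINVAL = 2, 22


def strip_domain(name, domain, split_at_last_at=True):
    """Model of libnfsidmap's strip_domain(): return the local part of an
    NFSv4 owner string such as 'rns@localdomain@ipa.localdomain', or None
    when the part after the '@' is not the configured Domain (compared
    case-insensitively). split_at_last_at=True cuts at the last '@', which
    matches the RHEL7 log above; False cuts at the first '@', which this
    example assumes is what the Ubuntu 16.04 library does."""
    idx = name.rfind("@") if split_at_last_at else name.find("@")
    if idx < 0:
        return None if domain else name
    if domain and name[idx + 1:].lower() != domain.lower():
        return None
    return name[:idx]


def nfs4_name_to_uid(name, domain, passwd, split_at_last_at=True):
    """Model of nfs4_name_to_uid() with Method = nsswitch. `passwd` stands in
    for getpwnam(3) answered by sssd. Returns (rc, uid, log_lines): rc is 0 on
    success, -EINVAL when the name does not map into `domain`, and -ENOENT
    (assumed errno) when the local name is unknown."""
    log = ["nfs4_name_to_uid: calling nsswitch->name_to_uid"]
    local = strip_domain(name, domain, split_at_last_at)
    log.append("nss_getpwnam: name '%s' domain '%s': resulting localname '%s'"
               % (name, domain, "(null)" if local is None else local))
    if local is None:
        log.append("nss_getpwnam: name '%s' does not map into domain '%s'" % (name, domain))
        rc, uid = -EINVAL, None
    elif local not in passwd:
        log.append("nss_getpwnam: getpwnam(%s) failed" % local)  # constructed wording
        rc, uid = -ENOENT, None
    else:
        rc, uid = 0, passwd[local]
    log.append("nfs4_name_to_uid: nsswitch->name_to_uid returned %d" % rc)
    log.append("nfs4_name_to_uid: final return value is %d" % rc)
    return rc, uid, log


# Constructed passwd table: a UID as an AD-trust user would get from an IPA ID range.
PASSWD = {"rns@localdomain": 1809400001}
OWNER = "rns@localdomain@ipa.localdomain"  # owner string as sent by the NFS server

if __name__ == "__main__":
    for last_at, label in ((True, "RHEL7 (last '@')"), (False, "Ubuntu 16.04 (first '@')")):
        rc, uid, log = nfs4_name_to_uid(OWNER, "ipa.localdomain", PASSWD, last_at)
        print("%s -> rc=%d uid=%s" % (label, rc, uid))
        print("\n".join("  " + line for line in log))
```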
Problem with CA replica
by Gregory S
Hi all, I get the following error when I try to get the certificates from a CA replica server:
mng-ldap-03 [~] # ipa -d cert-show 1
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$bd29a1fe...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$bd29a1fe.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin(a)my.domain', cookie: 'ipa_session=MagBearerToken=lsJGxN13dNkJaPLbXlPn9idZCIlIOK%2be7GbleRo4NwXi5em27AGEQpZ4EGU2lduSKdurilHDrpYzlND8kfoA%2fwqpOh%2fSkG4kbXR%2baSeDKKi%2bJov9sTB8Oa1FkUKtLRWbW6nw%2feI1jQIT8lFKjIrfufQnsNz2uI0Jybk7BwelAWc%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=lsJGxN13dNkJaPLbXlPn9idZCIlIOK%2be7GbleRo4NwXi5em27AGEQpZ4EGU2lduSKdurilHDrpYzlND8kfoA%2fwqpOh%2fSkG4kbXR%2baSeDKKi%2bJov9sTB8Oa1FkUKtLRWbW6nw%2feI1jQIT8lFKjIrfufQnsNz2uI0Jybk7BwelAWc%3d;'
ipa: INFO: trying https://mng-ldap-03.my.domain/ipa/session/json
ipa: DEBUG: New HTTP connection (mng-ldap-03.my.domain)
ipa: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=lsJGxN13dNkJaPLbXlPn9idZCIlIOK%2be7GbleRo4NwXi5em27AGEQpZ4EGU2lduSKdurilHDrpYzlND8kfoA%2fwqpOh%2fSkG4kbXR%2baSeDKKi%2bJov9sTB8Oa1FkUKtLRWbW6nw%2feI1jQIT8lFKjIrfufQnsNz2uI0Jybk7BwelAWc%3d;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=lsJGxN13dNkJaPLbXlPn9idZCIlIOK%2be7GbleRo4NwXi5em27AGEQpZ4EGU2lduSKdurilHDrpYzlND8kfoA%2fwqpOh%2fSkG4kbXR%2baSeDKKi%2bJov9sTB8Oa1FkUKtLRWbW6nw%2feI1jQIT8lFKjIrfufQnsNz2uI0Jybk7BwelAWc%3d;' for principal admin(a)my.domain
ipa: DEBUG: Created connection context.rpcclient_140079354213072
ipa: DEBUG: raw: cert_show(u'1', version=u'2.228')
ipa: DEBUG: cert_show(u'1', version=u'2.228')
ipa: INFO: [try 1]: Forwarding 'cert_show/1' to json server 'https://mng-ldap-03.my.domain/ipa/session/json'
ipa: DEBUG: HTTP connection keep-alive (mng-ldap-03.my.domain)
ipa: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=lsJGxN13dNkJaPLbXlPn9idZCIlIOK%2be7GbleRo4NwXi5em27AGEQpZ4EGU2lduSKdurilHDrpYzlND8kfoA%2fwqpOh%2fSkG4kbXR%2baSeDKKi%2bJov9sTB8Oa1FkUKtLRWbW6nw%2feI1jQIT8lFKjIrfufQnsNz2uI0Jybk7BwelAWc%3d;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=lsJGxN13dNkJaPLbXlPn9idZCIlIOK%2be7GbleRo4NwXi5em27AGEQpZ4EGU2lduSKdurilHDrpYzlND8kfoA%2fwqpOh%2fSkG4kbXR%2baSeDKKi%2bJov9sTB8Oa1FkUKtLRWbW6nw%2feI1jQIT8lFKjIrfufQnsNz2uI0Jybk7BwelAWc%3d;' for principal admin(a)my.domain
ipa: DEBUG: Destroyed connection context.rpcclient_140079354213072
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
Unable to login via ssh with AD credentials after upgrade FreeIPA
by Morgan Marodin
Hi everybody.
I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10.
All is good: logging in via IPA credentials, HBAC and sudo rules are working.
I have only one issue: logging in via SSH with AD credentials. Before the upgrade
all was working well.
I think that the trust is OK, because kinit, ipa hbactest and ipa
trustdomain-find (on both IPA servers) are working well:
[root@mlv-ipasrv01 ~]# ipa trustdomain-find MYDOMAIN.COM
  Domain name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-3367759252-2451474351-126822339
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@mlv-ipasrv01 ~]# ipa hbactest --user=morgan.marodin(a)mydomain.com --host=mlv-testipa01.ipa.mydomain.com
Service: sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_ad_ipa_admins
  Not matched rules: allow_ad_ipa_apps
  Not matched rules: allow_ipa_it_mysite
[root@mlv-testipa01 ~]# kinit morgan.marodin(a)mydomain.com
Password for morgan.marodin(a)mydomain.com:
[root@mlv-testipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: morgan.marodin(a)MYDOMAIN.COM
Valid starting       Expires              Service principal
02/19/2019 17:55:23  02/20/2019 03:55:23  krbtgt/MYDOMAIN.COM(a)MYDOMAIN.COM
        renew until 02/20/2019 17:55:18
This is the error log:
[root@mlv-testipa01 ~]# tail -f /var/log/secure
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin(a)mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.marodin(a)mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.marodin(a)mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104
It seems to be a problem with PAM and SSSD.
Do you have any suggestions?
Thanks, bye.
Morgan
Web App and Kerberos Delegation
by Dmitry Perets
Hi,
My Web Server is enrolled in the FreeIPA domain, but the clients are external. So login is done via a custom login form that is part of the Web Application.
In this setup, I know how to authenticate the clients to the Web Application using FreeIPA as a backend: I can use mod_intercept_form_submit, and it works just fine.
But what if I need to obtain Kerberos credentials on behalf of the current user? (I believe smart people call it "delegation" in the Kerberos world.)
To be more specific, suppose that the Web Application features personal secret vaults, and it uses FreeIPA Vaults as a backend. So a user X logs in and wants to see his personal vaults; the Web Application must obtain Kerberos credentials on his behalf (not on behalf of the HTTP/... service, because I don't want to make it the owner of all vaults).
Or another example: suppose that the Web Application manages my infrastructure. So a user X (who is infra-admin) logs in and requests to add a new host to the domain. The Web Application must then go and execute some privileged FreeIPA calls (like host_add etc.). Again, I'd like it to authenticate on behalf of this user X, instead of making the HTTP/... service infra-admin by itself. This way I don't need to store any passwords or keytabs with such sensitive credentials (the infra-admin will always come in person and type his password).
Can you please point me in the right direction?
Thanks.