Re: CA Master Confusion
by Florence Blanc-Renaud
On 8/6/19 9:21 PM, Auerbach, Steven via FreeIPA-users wrote:
> As I work through understanding the current state of my CA mastering in this realm, I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server):
> On the v4.6.4 replica (ipa<3>):
> $ sudo ipa config-show |grep 'CA renewal master'
> [sudo] password for <user>:
> $
> $
>
> On the v3.0.0 (ipa<1>):
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> [sudo] password for <user>:
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
Hi,
the ipaConfigString=caRenewalMaster attribute was introduced in freeIPA
4.0 (please see [1] Howto/Promote_CA_to_Renewal_and_CRL_Master), hence I
am not surprised that the search does not return anything.
When the 3.0 server was installed, the attribute did not exist yet. When
the 4.x replica was installed, the attribute was not added since the new
replica wasn't CA master.
As the attribute is not set at all, the ipa config-show command
(internally using the same ldapsearch you did) is unable to find a CA
master.
If you want to move the CA master role to ipa3, just follow the steps in
[1], making sure to apply the steps for the corresponding IPA version.
Also please note that we do not recommend using versions 3.x and 4.x
together over a long period of time. This is completely OK when you want
to migrate but once you have ensured all the services are properly
working, the 3.x master should be decommissioned. Please see [2].
HTH,
flo
[1] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
>
> Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd, considering that when I look for CA Master(s) on the v4.6.4 (ipa<3>), it tells me:
>
> $ sudo ipa server-role-find --role 'CA server'
> [sudo] password for <user>:
> ----------------------
> 3 server roles matched
> ----------------------
> Server name: ipa<2>.mydomain.local
> Role name: CA server
> Role status: absent
>
> Server name: ipa<1>.mydomain.local
> Role name: CA server
> Role status: enabled
>
> Server name: ipa<3>.mydomain.local
> Role name: CA server
> Role status: absent
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> And on the v3.0.0 (ipa<1>) I get:
>
> $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree
> # filter: (&(cn=CA)(ipaConfigString=caServer))
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)?
>
> The way forward is not clear.
> -Steven Auerbach
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
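An offline way to run the same check Florence describes, added here as an example that is not part of this thread: it parses saved ldapsearch LDIF of the cn=masters subtree and reports which host carries the caRenewalMaster flag (what `ipa config-show` looks for) and which hosts have an enabled CA service (what `ipa server-role-find --role 'CA server'` reports), so the "CA servers exist but no renewal master" state above can be spotted from one export. The hostnames and LDIF samples are constructed.

```python
# Constructed LDIF like the thread's ldapsearch output, with ipaConfigString requested; hostnames made up.
LDIF_NO_RENEWAL_MASTER = """\
# base <cn=masters,cn=ipa,cn=etc,dc=example,dc=test> with scope subtree
dn: cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 50

# search result
result: 0 Success
"""
# Same subtree after promoting the 4.x replica per the howto Florence linked.
LDIF_PROMOTED = LDIF_NO_RENEWAL_MASTER.replace("# search result", """\
dn: cn=CA,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

# search result""")

def parse_ldif(text):
    """Parse ldapsearch LDIF into {attr: [values]} dicts (attrs lowercased; '::' base64 values not decoded)."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; "" flushes the last record
        if line.startswith("#"):
            continue
        if not line:
            if "dn" in current:             # the search/result trailer has no dn
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def ca_roles(entries):
    """Return (renewal_master, ca_servers): config-show wants caRenewalMaster, server-role-find wants enabledService."""
    renewal_master, ca_servers = None, []
    for entry in entries:
        rdns = entry["dn"][0].lower().split(",")
        if rdns[:1] != ["cn=ca"] or rdns[2:3] != ["cn=masters"]:
            continue
        host = rdns[1].split("=", 1)[1]
        flags = {v.lower() for v in entry.get("ipaconfigstring", [])}
        if "enabledservice" in flags:
            ca_servers.append(host)
        if "carenewalmaster" in flags:
            renewal_master = host
    return renewal_master, ca_servers

if __name__ == "__main__":
    print(ca_roles(parse_ldif(LDIF_NO_RENEWAL_MASTER)), ca_roles(parse_ldif(LDIF_PROMOTED)))
```

A `None` in the first position with a non-empty server list is exactly the state in the thread: CA servers exist, but no entry carries the flag `ipa config-show` searches for.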
4 years, 6 months
Vault: Cannot authenticate agent with certificate
by Peter Oliver
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug I see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
--
Peter Oliver
4 years, 7 months
Unable to add external domain global groups
by Martijn Bakkes
We have a one-way trust set up on our IPA with our AD (IPA trusting AD).
I am able to add domain local groups as external members of an IPA group.
However, when I try to add a domain global group I receive the error:
invalid 'trusted domain object': no trusted domain matched the specified flat name
Has anybody run into this issue? I can only find this error referenced in cases where the trust wasn't working.
4 years, 7 months
Can login with non-existing user
by Ronald Wimmer
I have managed to login to an IPA client with a non-existing user.
My AD user is z123456@addomain.mydomain.at and I have created a similar
user called i123456@ipadomain.mydomain.at. What happened now is that I
could log in with the i-User and what I get to see after logging in is this:
[i123456@addomain.mydomain.at@as12314 ~]$ id
uid=1246600007(i123456@addomain.mydomain.at)
gid=1246600007(i123456@addomain.mydomain.at)
groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group@ipadomain.mydomain.at)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[i123456@addomain.mydomain.at@as12314 ~]$ whoami
i123456@addomain.mydomain.at
The user i123456@addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
What is wrong here? Are things just displayed wrong or could it be more?
Which files do you need in order to analyze this issue?
Cheers,
Ronald
4 years, 7 months
IPA with "public" exposure and replication
by lejeczek
hi guys,
with IPA replication on a "publicly" exposed network, what IPA (and
related) services/ports, if any, can be closed? What is the bare
minimum that needs to stay open so replication cannot be harmed?
No IPA clients in the traditional sense, except for DNS, on that "public" net.
many thanks, L.
4 years, 7 months
sub domain/zone on separate network segment
by lejeczek
hi guys
Would a subdomain on a separate subnet (from which nodes do not have
access to IPA's IPs), to which IPA is connected via "secondary" ifaces,
have clients successfully install and connect?
I've crafted a sub domain/zone with, I think, all the records required
and those point to IPAs "secondary" IPs and when I install clients they
fail:
...
Do you want to download the CA cert from
http://ipa2.subdomain.private.freeipa/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Joining realm failed: libcurl failed to execute the HTTP POST
transaction, explaining: Problem with the SSL CA cert (path? access
rights?)
Installation failed. Rolling back changes.
...
Still the same client:
$ curl http://ipa2.subdomain.private.freeipa/ipa/config/ca.crt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a
href="http://ipa2.private.freeipa/ipa/config/ca.crt">here</a>.</p>
</body></html>
That host in returned URL above is where IPA top domain lives, but nodes
on the subnet cannot access there.
This fails by design and what I'm trying will not work? Or it's doable
and I'm only missing something?
If that is how IPA currently works (or rather doesn't), then is this
something that may get included/fixed in the future?
many thanks, L.
4 years, 7 months
can't delete host, apparent problem setting up RA
by Charles Hedrick
On one of 3 IPA servers (most recent centos 7.6, 4.6.4-10.el7.centos.6), I can’t delete hosts. error_log shows a bunch of python errors, ending in
[Wed Aug 28 15:59:11.634233 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Wed Aug 28 15:59:11.634240 2019] [:error] [pid 18035] ret = self.run(*args, **options)
[Wed Aug 28 15:59:11.634246 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Wed Aug 28 15:59:11.634252 2019] [:error] [pid 18035] return self.execute(*args, **options)
[Wed Aug 28 15:59:11.634258 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1657, in execute
[Wed Aug 28 15:59:11.634264 2019] [:error] [pid 18035] **options)
[Wed Aug 28 15:59:11.634270 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1502, in _ca_search
[Wed Aug 28 15:59:11.634277 2019] [:error] [pid 18035] ra = self.api.Backend.ra
[Wed Aug 28 15:59:11.634283 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 339, in __getattr__
[Wed Aug 28 15:59:11.634289 2019] [:error] [pid 18035] raise AttributeError(repr(key) + ' ' + repr(self))
[Wed Aug 28 15:59:11.634295 2019] [:error] [pid 18035] AttributeError: 'ra' <ipalib.plugable.APINameSpace object at 0x7f16bdf4fa10>
(I modified the error to give more info, but without getting much useful.)
Any idea what’s going on? It looks like self.api.Backend doesn’t have ra set. It would take quite a while for me to find out where it’s supposed to be set.
4 years, 7 months