September 2019 - FreeIPA-users - Fedora Mailing-Lists

by Satish Patel

Few days ago my Master CA was messed up and getcert list was showing empty list (no cert to track) So i run following command to add certs manually: getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX And after that i am seeing this status (status: NEED_CA ) it should be MONITORING right? # getcert list Number of certificates and requests being tracked: 12. Request ID '20190915042927': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=example.com subject: CN=Certificate Authority,O=example.com expires: 2037-01-05 14:47:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes Request ID '20190915043150': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alaas',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=example.com subject: CN=ldap-example-5-1.foo.example.com,O=example.com expires: 2020-11-17 18:30:29 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20190915043212': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=example.com subject: CN=OCSP Subsystem,O=example.com expires: 2020-11-17 18:31:26 UTC eku: id-kp-OCSPSigning pre-save command: post-save command: track: yes auto-renew: yes

13 hours, 57 minutes

2
3
0 / 0

hostgroups and netgroups

by Amos

Why is it that hostgroups and netgroups share the same name space? Amos

17 hours, 4 minutes

1
0
0 / 0

remove bad replica from list not working

by Satish Patel

I am trying to remove old and bad replica from list but somehow it didn't like what i am doing [root@ldap-master ~]# ipa-replica-manage list -v `hostname` ldap-1.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-09-19 17:28:00+00:00 ldap-2.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (0) Replica acquired successfully: Incremental update succeeded last update ended: 2019-09-19 17:28:00+00:00 ldap-3.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error) last update ended: 1970-01-01 00:00:00+00:00 I have tried following way but its still not removing from list [root@ldap-master ~]# ipa-replica-manage del ldap-3.example.com --force --cleanup ipa: INFO: Skipping replication agreement deletion check for suffix 'domain' ipa: INFO: Skipping replication agreement deletion check for suffix 'ca' ipa: WARNING: Forcing removal of ldap-3.example.com ipa: WARNING: Ignoring topology connectivity errors. ipa: WARNING: Ignoring these warnings and proceeding with removal ipa: WARNING: Failed to cleanup ldap-3.example.com DNS entries: DNS is not configured ipa: WARNING: You may need to manually remove them from the tree ipa: WARNING: Server has already been deleted ----------------------------------------------- Deleted IPA server "ldap-3.example.com" ----------------------------------------------- I can still this that replica in list [root@ldap-master ~]# ipa-replica-manage list -v `hostname` … … ldap-3.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error) last update ended: 1970-01-01 00:00:00+00:00

2 days, 1 hour

3
3
0 / 0

DNS server 10.0.3.10: query '. SOA': The DNS operation timed out after 10.001354217529297 seconds

by Mudassar Rana

Hi , I am trying to deploy ipa server as a docker container on kubernetes cluster . I have build the docker image & run below command . docker run --privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 --name freeipa-server -ti -h ipa.faas.example.lab freeipa-server-new:latest --setup-dns --allow-zone-overlap But facing issue DNS server 10.0.3.10: query '. SOA': The DNS operation timed out after 10.001354217529297 seconds On the host system , i run dig command to verify the forwarding issue . Please find the output below : ``` [root@svpod7mgmt002 ~]# dig @10.0.3.10 . SOA ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @10.0.3.10 . SOA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55981 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;. IN SOA ;; ANSWER SECTION: . 45023 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019091900 1800 900 604800 86400 ;; ADDITIONAL SECTION: a.root-servers.net. 29958 IN A 198.41.0.4 ;; Query time: 0 msec ;; SERVER: 10.0.3.10#53(10.0.3.10) ;; WHEN: Fri Sep 20 01:49:17 UTC 2019 ;; MSG SIZE rcvd: 120 ```

2 days, 5 hours

1
0
0 / 0

Vault: Cannot authenticate agent with certificate

by Peter Oliver

I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example: > ipa -v vault-add test --type=standard ipa: INFO: trying https://ipa-01.example.com/ipa/session/json ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: ERROR: an internal error has occurred In /var/log/pki/pki-tomcat/kra/system I see the following message: 0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found In /var/log/pki/pki-tomcat/kra/debug is see the following messages: [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated. [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*] [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required. [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json] [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain: [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2 [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3 [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH Any suggestions? Has something gone wrong with the setup? -- Peter Oliver

2 days, 9 hours

4
7
0 / 0

ipa vault: internal error, "Invalid Credential"

by Dmitry Perets

Hi, Pretty much any vault-related calls in one of my environments result in the internal error, although the call seems to (partially) succeed. For example: # ipa vault-add test --type standard ipa: ERROR: an internal error has occurred But the vault is created: # ipa vault-find --------------- 1 vault matched --------------- Vault name: test Type: standard Vault user: admin ---------------------------- Number of entries returned 1 ---------------------------- I'll get the same erorr if I try "ipa vault-del", "vault-archive" or "vault-retrieve". At the same time, the following is written in /var/log/messages: Sep 19 23:54:39 t-idm-ber800-1 server: Invalid Credential. Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cmscore.authentication.CertUserDBAuthentication.authenticate(CertUserDBAuthentication.java:174) Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:112) Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:85) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:114) Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:47) Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:89) Sep 19 23:54:39 t-idm-ber800-1 server: at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:59) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:578) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) Sep 19 23:54:39 t-idm-ber800-1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) Sep 19 23:54:39 t-idm-ber800-1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) Sep 19 23:54:39 t-idm-ber800-1 server: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) Sep 19 23:54:39 t-idm-ber800-1 server: at java.lang.Thread.run(Thread.java:748) Any idea what could go wrong here....? Thanks. Info: ipa-server 4.6.4 on RHEL 7.6, and I am running these commands from the IPA server itself, on which CA and KRA are installed (in fact, it's the only active CA/KRA master in that environment). --- Regards, Dmitry Perets

2 days, 9 hours

1
1
0 / 0

reinstall freeIPA server without loosing data

by Albert Szostkiewicz

I have an issue with my IPA server. Suddenly, after some recent system update, I am unable to log-in to web UI nor execute any command due to the 'unknown reason' and some "Unspecified GSS failure." I went through the suggested debugging process but no luck. I've seen similar issues in the past marked as a bug, but without clean solution rather than `updating to a newer version of ipa`. So I've filled bug report assuming that it could be a bug again. https://pagure.io/freeipa/issue/8065 Unfortunately, Devs might be too busy to look into that, so I was wondering if there is a way that I could re-install ipa-server without creating complete chaos and keeping all DNS/USER/HOSTS data? Any suggestions? Thanks!

2 days, 10 hours

4
6
0 / 0

automember hostgroup by account?

by Amos

Is it possible to have an automember rule to add a host to a hostgroup based on the account used with ipa-install-client? Amos

2 days, 16 hours

2
1
0 / 0

services disabled by default on replicas ?

by danielle lampert

Hello, I'm running freeipa 4.5.0-20 on CentOS Linux release 7.4.1708 (Core) I've noticed that when rebooting my replica, things are not working anymore on this replica, as I can't get a kinit work for example. It seems that services are disabled by default and I wonder if this is normal ? Should we enable these services manually ? After restarting everything with an ipactl command, it then is working. Thanks in advance for your answers, below are my commands and their results. D.L. # kinit admin kinit: Cannot contact any KDC for realm 'IPB.RHCE.LOCAL' while getting initial credentials # systemctl status kadmin.service ● kadmin.service - Kerberos 5 Password-changing and Administration Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled) Active: inactive (dead) # ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED httpd Service: STOPPED ipa-custodia Service: STOPPED ntpd Service: STOPPED pki-tomcatd Service: STOPPED ipa-otpd Service: STOPPED ipa: INFO: The ipactl command was successful # ipactl restart Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list' Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting httpd Service Restarting ipa-custodia Service Restarting ntpd Service Restarting pki-tomcatd Service Restarting ipa-otpd Service ipa: INFO: The ipactl command was successful # kinit admin Password for admin(a)IPB.RHCE.LOCAL: # klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin(a)IPB.RHCE.LOCAL Valid starting Expires Service principal 03/09/19 23:55:09 04/09/19 23:55:08 krbtgt/IPB.RHCE.LOCAL(a)IPB.RHCE.LOCAL

3 days, 12 hours

3
11
0 / 0

FreeIPA CA_REJECT issue during adding new replica

by Satish Patel

Folks, Stay with me while i explain my issue because its little complex, We had 2 working ldap running in datacenter-A for many months and life was good. Last year company decided to shutdown datacenter-A and migrate everything from there to new datacenter-B. This is what i did for migration, I have created two new LDAP server in Datacenter-B and run create replica from Datacenter-A ( but my bad luck we forgot to do --setup-ca option which create CA replica) In short we have no CA running in new datacenter-B Fun part start now. so finally few months back we shutdown datacenter-A and archived all data (LDAP was running in VMware so we archived vmdk), after 8 month we found our LDAP server running under load so we decided to create more replica and we found we have no CA master so we can't create replica. Damn it. We dig into datacenter-A archived and start ldap-ca-master start on new IP address we gave it same DNS name so it won't create any issue, when i start ldap-ca-master it started throwing error that some certs expired blah..blah.. so finally i renew them and this LDAP looks good now CA is also running. Hostname: ldap-ca-master (This is old datacenter LDAP with CA, awakened few days ago) ldap-b-1 (new datacenter LDAP without CA) ldap-b-2 (new datacenter LDAP without CA) Now i am trying to create new ldap-b-3 in new datacenter using ldap-b-1 as my master to create new replica and somehow i am getting following error RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://ldap-b-1.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 404: Non-2xx response from CA REST API: 404. ).) Installation failed. Rolling back changes. Unenrolling client from IPA server Unenrolling host failed: RPC failed at server. invalid 'hostname': An IPA master host cannot be deleted or disabled Question: 1. My all other ldap running 4.5.x but new replica is on 4.6 not sure that is the issue here or not? 2. I can see ldap-ca-master node isn't fully sync with ldap-b-1 and ldap-b-2 because i brought that machine in life after 8 month (do you think i should do force sync ldap-ca-master to sync with ldap-b-1 ?) 3. Should i use ldap-ca-master to create replica or i can pick any node to create replica? What are the options i have here to troubleshoot this issue?

3 days, 15 hours

2
6
0 / 0

2019

2018

2017

FreeIPA-users September 2019