Re: log dispatching for IPA servers
by Fraser Tweedale
Hi Nazan,
I'm not sure what the best practices for log dispatching on IPA
servers are, or what is suitable for your customer's environment and
requirement. I assume the customer is running RHEL and therefore
wants the solution to only use supported components. Adding
freeipa-users@ for a wider audience.
Cheers,
Fraser
On Tue, Sep 24, 2019 at 07:50:14AM +0000, Nazan CENGİZ wrote:
> Hi Fraser,
>
> I am working on a 5G project in Turkey. Red Hat supported me for OpenStack 13.
>
> We installed FreeIPA. We want log monitoring on the FreeIPA server and clients. I think it should be Kibana, Elasticsearch and fluentd.
>
> I saw https://sysadmin.miniconf.org/2018/lca2018-fraser_tweedale-user_session_r....
>
> But I don't know how to install it on the FreeIPA server and clients. Where is fluentd installed on the IPA server and clients?
>
> I am following https://github.com/mzamora9913/Collecting-Syslogs-from-FreeIPA-and-client... but it does not answer the questions.
>
> Could you please help me?
>
> Best Regards,
>
> Nazan.
>
> Nazan CENGİZ
> R&D ENGINEER
> HAVELSAN <http://www.havelsan.com.tr>
> Mustafa Kemal Mahallesi 2120 Cad. No:39 06510 Çankaya Ankara TÜRKİYE
> +90 312 219 57 87 / +90 312 219 57 97
>
> LEGAL NOTICE: This e-mail is subject to the Terms and Conditions document which can be accessed with this link. <http://havelsan.com.tr/tr/news/e-posta-yasal-uyari>
> Please consider the environment before printing this email
remove bad replica from list not working
by Satish Patel
I am trying to remove an old and bad replica from the list, but somehow it
doesn't like what I am doing.
[root@ldap-master ~]# ipa-replica-manage list -v `hostname`
ldap-1.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2019-09-19 17:28:00+00:00
ldap-2.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2019-09-19 17:28:00+00:00
ldap-3.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-1) Problem connecting to replica - LDAP
error: Can't contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
I have tried the following way, but it's still not removing it from the list:
[root@ldap-master ~]# ipa-replica-manage del ldap-3.example.com
--force --cleanup
ipa: INFO: Skipping replication agreement deletion check for suffix 'domain'
ipa: INFO: Skipping replication agreement deletion check for suffix 'ca'
ipa: WARNING: Forcing removal of ldap-3.example.com
ipa: WARNING: Ignoring topology connectivity errors.
ipa: WARNING: Ignoring these warnings and proceeding with removal
ipa: WARNING: Failed to cleanup ldap-3.example.com DNS entries: DNS is
not configured
ipa: WARNING: You may need to manually remove them from the tree
ipa: WARNING: Server has already been deleted
-----------------------------------------------
Deleted IPA server "ldap-3.example.com"
-----------------------------------------------
I can still see that replica in the list:
[root@ldap-master ~]# ipa-replica-manage list -v `hostname`
…
…
ldap-3.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-1) Problem connecting to replica - LDAP
error: Can't contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
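A check a practitioner would want after a `del --force --cleanup` that reports "Server has already been deleted": parse the verbose listing and flag agreements that failed, never completed an update, or have gone stale. This is an added example for the thread above, not FreeIPA code. The sample listing is constructed from the output quoted in the post. Note that 389-ds prefixes a successful incremental update with "Error (0)", so the check keys on the numeric code rather than on the word "Error".

```python
"""Flag broken replication agreements in `ipa-replica-manage list -v` output.

Added example; not part of FreeIPA.  The sample output is constructed from the
thread.  389-ds prefixes a *successful* incremental update with "Error (0)", so
the check keys on the numeric code, not on the word "Error".
"""
import re
import socket
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)   # "never ran" timestamp in the output

HEADER_RE = re.compile(r"^(?P<host>\S+): replica$")
FIELD_RE = re.compile(r"^\s*(?P<key>last (?:init|update) (?:status|ended)): (?P<value>.*)$")
STATUS_RE = re.compile(r"^Error \((?P<code>-?\d+)\)\s*(?P<text>.*)$")

SAMPLE_OUTPUT = """\
ldap-1.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2019-09-19 17:28:00+00:00
ldap-3.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""
SAMPLE_NOW = datetime(2019, 9, 19, 18, 0, tzinfo=timezone.utc)   # constructed "current time"


@dataclass
class Agreement:
    host: str
    update_code: Optional[int] = None   # None when 389-ds prints "None" (never ran)
    update_text: str = ""
    update_ended: datetime = EPOCH


def parse_list_output(text: str) -> List[Agreement]:
    """Turn the verbose listing into one Agreement per replica host."""
    agreements: List[Agreement] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            agreements.append(Agreement(host=header.group("host")))
            continue
        field = FIELD_RE.match(line)
        if not field or not agreements:
            continue
        key, value = field.group("key"), field.group("value").strip()
        current = agreements[-1]
        if key == "last update status":
            status = STATUS_RE.match(value)
            if status:
                current.update_code = int(status.group("code"))
                current.update_text = status.group("text")
        elif key == "last update ended":
            current.update_ended = datetime.fromisoformat(value)
    return agreements


def find_broken(agreements: List[Agreement], now: Optional[datetime] = None,
                max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Hosts whose agreement failed, never completed an update, or is older than max_age."""
    now = now or datetime.now(timezone.utc)
    broken = []
    for a in agreements:
        never_updated = a.update_ended == EPOCH
        failed = a.update_code is not None and a.update_code != 0
        stale = (now - a.update_ended) > max_age
        if never_updated or failed or stale:
            broken.append(a.host)
    return broken


if __name__ == "__main__":
    # Live use on an IPA master: the same command the thread shows.
    listing = subprocess.run(["ipa-replica-manage", "list", "-v", socket.getfqdn()],
                             check=True, capture_output=True, text=True).stdout
    for host in find_broken(parse_list_output(listing)):
        print("broken or stale agreement:", host)
```

The `--force` run in the post skips the agreement deletion check for both suffixes, which is why the agreement toward ldap-3 survives the server entry's removal; a listing that still shows the host with `Error (-1)` and an epoch "last update ended" is exactly what this check flags.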
DNS server 10.0.3.10: query '. SOA': The DNS operation timed out after 10.001354217529297 seconds
by Mudassar Rana
Hi ,
I am trying to deploy an IPA server as a docker container on a Kubernetes cluster.
I have built the docker image and run the command below.
docker run --privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 --name freeipa-server -ti -h ipa.faas.example.lab freeipa-server-new:latest --setup-dns --allow-zone-overlap
But I am facing this issue:
DNS server 10.0.3.10: query '. SOA': The DNS operation timed out after 10.001354217529297 seconds
On the host system, I ran the dig command to verify the forwarding issue. Please find the output below:
```
[root@svpod7mgmt002 ~]# dig @10.0.3.10 . SOA
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @10.0.3.10 . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55981
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 45023 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019091900 1800 900 604800 86400
;; ADDITIONAL SECTION:
a.root-servers.net. 29958 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: 10.0.3.10#53(10.0.3.10)
;; WHEN: Fri Sep 20 01:49:17 UTC 2019
;; MSG SIZE rcvd: 120
```
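The installer message names the exact probe it sends, a `. SOA` query to each forwarder, and the dig in the post only proves that probe works from the host's network namespace, not from inside the container. The example below, added here and not FreeIPA code (the installer itself uses dnspython), builds the same query with the standard library, parses the reply, and reports a timeout the way the installer does, so it can be copied into the container and run from there. The sample reply is constructed from the dig output in the post; the forwarder address 10.0.3.10 and the 10 second timeout are taken from the post, and the availability of `python3` inside the image is an assumption.

```python
"""Reproduce the installer's forwarder check: send `. SOA` to a DNS server and
parse the reply, with the same 10 s timeout the error message shows.

Added example; not FreeIPA code (the installer uses dnspython).  Standard library
only, so it can be copied into the container and run there.  The sample reply is
constructed from the dig output in the thread.
"""
import socket
import struct
import sys
from typing import Dict, Optional, Tuple

QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format name; "." encodes as a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_soa_query(qname: str = ".", txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_response(msg: bytes) -> Dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "rcode": flags & 0x000F, "ra": bool(flags & 0x0080), "soa": None}
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            mname, p = decode_name(msg, off)
            rname, p = decode_name(msg, p)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
            result["soa"] = {"name": name, "ttl": ttl, "mname": mname, "rname": rname,
                             "serial": serial, "refresh": refresh, "retry": retry,
                             "expire": expire, "minimum": minimum}
        off += rdlen
    return result


def query_forwarder(server: str, timeout: float = 10.0, port: int = 53) -> Optional[Dict]:
    """Return the parsed reply, or None when the server does not answer in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed reply matching the dig output: id 55981, flags qr rd ra, one SOA answer
# whose owner name is a pointer (0xC00C) back to the question name.
_SOA_RDATA = (encode_name("a.root-servers.net.") + encode_name("nstld.verisign-grs.com.")
              + struct.pack("!IIIII", 2019091900, 1800, 900, 604800, 86400))
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 55981, 0x8180, 1, 1, 0, 0)
                   + encode_name(".") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
                   + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 45023, len(_SOA_RDATA))
                   + _SOA_RDATA)

if __name__ == "__main__":
    reply = query_forwarder(sys.argv[1] if len(sys.argv) > 1 else "10.0.3.10")
    print("timed out" if reply is None else reply)
```

Run it with `docker exec freeipa-server python3 soa_check.py 10.0.3.10` (file name assumed) and compare with the host: a `None` inside the container while the host gets an answer points at the container's `/etc/resolv.conf`, its network namespace, or a policy blocking UDP/53 from pod addresses, not at the forwarder itself.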
Vault: Cannot authenticate agent with certificate
by Peter Oliver
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug I see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
--
Peter Oliver
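The debug log shows where this fails: `CertUserDBAuthentication` receives the client certificate and then cannot map it to a user. Dogtag performs that mapping through `description` values on the agent's user entry, formatted `2;<serial in decimal>;<issuer DN>;<subject DN>`, and "User not found" means no entry carries a value matching the presented certificate. The example below, added here and not FreeIPA or Dogtag code, extracts the serial and subject from KRA system-log lines like the one quoted and checks them against a list of such description values, distinguishing a missing mapping from a mapping that exists for a different serial. The log line is the one quoted in the post; the description values are constructed.

```python
"""Match "Cannot authenticate agent" failures in the KRA system log against the
certificate-to-user mappings Dogtag keeps on the agent's user entry.

Added example; not FreeIPA or Dogtag code.  Dogtag maps a client certificate to a
user through the user's `description` values, "2;<serial decimal>;<issuer DN>;<subject DN>".
"User not found" means no entry carries a matching value.  The mapping values below
are constructed; the log line is the one quoted in the thread.
"""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"Cannot authenticate agent with certificate Serial (?P<serial>0x[0-9a-fA-F]+) "
    r"Subject DN (?P<subject>.+?)\. Error: (?P<error>.+)$")

SAMPLE_LOG = [
    "0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] "
    "Cannot authenticate agent with certificate Serial 0x7 Subject DN "
    "CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found",
    "0.ajp-bio-127.0.0.1-8009-exec-16 - [02/Nov/2018:14:54:37 GMT] [6] [3] "
    "Some unrelated message",
]
# Constructed description values: the first would let serial 7 authenticate, the
# second is what is left behind when the RA certificate was reissued with a new serial.
SAMPLE_DESCRIPTIONS_OK = ["2;7;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM"]
SAMPLE_DESCRIPTIONS_STALE = ["2;3;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA, O=IPA.EXAMPLE.COM"]


def normalize_dn(dn: str) -> str:
    """Compare DNs ignoring spacing after commas and case (the debug log prints a space)."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def parse_failures(lines: List[str]) -> List[Dict]:
    failures = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            failures.append({"serial": int(m.group("serial"), 16),
                             "subject": normalize_dn(m.group("subject")),
                             "error": m.group("error").strip()})
    return failures


def parse_description(value: str) -> Optional[Dict]:
    parts = value.split(";")
    if len(parts) != 4 or parts[0] != "2":
        return None                       # not a certificate mapping value
    return {"serial": int(parts[1]), "issuer": normalize_dn(parts[2]),
            "subject": normalize_dn(parts[3])}


def match_cert(serial: int, subject: str, descriptions: List[str]) -> Dict[str, List[str]]:
    """Exact matches authenticate; subject-only matches point at a stale serial."""
    result: Dict[str, List[str]] = {"exact": [], "subject_only": []}
    for value in descriptions:
        mapping = parse_description(value)
        if mapping is None or mapping["subject"] != normalize_dn(subject):
            continue
        bucket = "exact" if mapping["serial"] == serial else "subject_only"
        result[bucket].append(value)
    return result


def diagnose(lines: List[str], descriptions: List[str]) -> List[str]:
    """One verdict string per failure in the log."""
    verdicts = []
    for f in parse_failures(lines):
        m = match_cert(f["serial"], f["subject"], descriptions)
        if m["exact"]:
            verdicts.append(f"serial {f['serial']}: mapping present, look elsewhere (ACLs/groups)")
        elif m["subject_only"]:
            verdicts.append(f"serial {f['serial']}: mapping exists for another serial, update description")
        else:
            verdicts.append(f"serial {f['serial']}: no mapping for {f['subject']}, add description")
    return verdicts


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:                 # e.g. /var/log/pki/pki-tomcat/kra/system
        print("\n".join(diagnose(fh.read().splitlines(), sys.argv[2:])))
```

Feed it the description values of the KRA's agent entry as extra arguments, read with `ldapsearch -LLL -D "cn=Directory Manager" -W -b <agent DN> description`; the agent DN used by FreeIPA's KRA installer is assumed here to be `uid=ipakra,ou=people,o=kra,o=ipaca`, so confirm it against your own directory before acting on the verdict.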
reinstall freeIPA server without losing data
by Albert Szostkiewicz
I have an issue with my IPA server. Suddenly, after some recent system update, I am unable to log in to the web UI or execute any command, due to an 'unknown reason' and some "Unspecified GSS failure."
I went through the suggested debugging process but no luck. I've seen similar issues in the past marked as a bug, but without a clean solution other than `updating to a newer version of ipa`.
So I've filed a bug report assuming that it could be a bug again. https://pagure.io/freeipa/issue/8065
Unfortunately, the devs might be too busy to look into that, so I was wondering if there is a way that I could re-install ipa-server without creating complete chaos, keeping all DNS/USER/HOSTS data?
Any suggestions?
Thanks!
services disabled by default on replicas ?
by danielle lampert
Hello,
I'm running freeipa 4.5.0-20 on CentOS Linux release 7.4.1708 (Core)
I've noticed that when rebooting my replica, things are not working anymore
on this replica; I can't get a kinit to work, for example.
It seems that services are disabled by default, and I wonder if this is
normal? Should we enable these services manually?
After restarting everything with an ipactl command, it then works.
Thanks in advance for your answers, below are my commands and their results.
D.L.
# kinit admin
kinit: Cannot contact any KDC for realm 'IPB.RHCE.LOCAL' while getting
initial credentials
# systemctl status kadmin.service
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor
preset: disabled)
Active: inactive (dead)
# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
# ipactl restart
Failed to get service list from file: Unknown error when retrieving list of
services from file: [Errno 2] No such file or directory:
'/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
# kinit admin
Password for admin@IPB.RHCE.LOCAL:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPB.RHCE.LOCAL
Valid starting       Expires              Service principal
03/09/19 23:55:09    04/09/19 23:55:08    krbtgt/IPB.RHCE.LOCAL@IPB.RHCE.LOCAL
FreeIPA CA_REJECT issue during adding new replica
by Satish Patel
Folks,
Stay with me while I explain my issue, because it's a little complex. We
had 2 working LDAP servers running in datacenter-A for many months and life
was good.
Last year the company decided to shut down datacenter-A and migrate
everything from there to the new datacenter-B.
This is what I did for the migration: I created two new LDAP servers
in datacenter-B and created replicas from datacenter-A (but, my bad
luck, we forgot the --setup-ca option which creates a CA replica). In
short, we have no CA running in the new datacenter-B.
The fun part starts now. A few months back we finally shut down
datacenter-A and archived all data (LDAP was running in VMware, so we
archived the vmdk). After 8 months we found our LDAP servers running under
load, so we decided to create more replicas, and we found we have no CA
master so we can't create a replica. Damn it.
We dug into the datacenter-A archive and started ldap-ca-master on a
new IP address; we gave it the same DNS name so it wouldn't create any issue.
When I started ldap-ca-master it started throwing errors that some certs
had expired, blah blah, so finally I renewed them and this LDAP looks good
now; the CA is also running.
Hostname:
ldap-ca-master (This is old datacenter LDAP with CA, awakened few days ago)
ldap-b-1 (new datacenter LDAP without CA)
ldap-b-2 (new datacenter LDAP without CA)
Now I am trying to create a new ldap-b-3 in the new datacenter using
ldap-b-1 as my master to create the new replica, and somehow I am getting the
following error:
RuntimeError: Certificate issuance failed (CA_REJECTED: Server at
https://ldap-b-1.example.com/ipa/xml failed request, will retry: 4035
(RPC failed at server. Request failed with status 404: Non-2xx
response from CA REST API: 404. ).)
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: RPC failed at server. invalid 'hostname': An
IPA master host cannot be deleted or disabled
Question:
1. All my other LDAP servers are running 4.5.x but the new replica is on 4.6; I am not sure
whether that is the issue here or not.
2. I can see the ldap-ca-master node isn't fully in sync with ldap-b-1 and
ldap-b-2 because I brought that machine back to life after 8 months (do you
think I should force-sync ldap-ca-master with ldap-b-1?)
3. Should I use ldap-ca-master to create the replica, or can I pick any
node to create the replica?
What options do I have here to troubleshoot this issue?
Certmonger managed certificate signed by sub-ca
by Ben Rawson
I'm having some trouble getting sub-ca signed certificates issued and managed by certmonger. The implementation here [https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I see that the -X option can be passed to ipa-getcert to specify the issuer, but every time I create a request with -X specified I get an error.
Steps to reproduce:
1. Create a new CA named "Test" through the FreeIPA web UI.
2. Run the following on a host enrolled in freeIPA:
ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"
3. Run ipa-getcert list and receive an error message:
Request ID 'test':
status: CA_REJECTED
ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: yes
key pair storage: type=FILE,location='/root/test.key'
certificate: type=FILE,location='/root/test.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Running FreeIPA 4.6.4
Thanks for the help!
Check users last login ? To auto disable in-active users ?
by Morgan Cox
Hi.
For PCI DSS compliance I need to be able to disable users who have not logged in for X amount of days (I think it's 90).
I was going to create a script which checks the last login time (I have a similar one for expired passwords); however, I cannot find a way of doing so.
I have searched for info and found I should be able to get the info from the krbLastSuccessfulAuth value using
# ipa user-find --all --raw
But that field is not there.
I have also seen that I can use
# ipa user-status user
But the value always shows
' Last successful authentication: N/A'
I have also tried using ldapsearch
# ldapsearch -x -D "cn=Directory Manager" -W uid=serviceuser
And the value is also missing.
Reading about this, it seems the value is cancelled when using replicas - is that right?
How can I do what I need to, i.e. how do I check the last login time for a user from the IPA servers (not on a per-IPA-client basis)? Or is there a different way to disable inactive users?
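Two facts shape any script for this. First, FreeIPA ships with the ipaConfigString `KDC:Disable Last Success` set, so the KDC does not write krbLastSuccessfulAuth at all, which is why `ipa user-status` reports N/A and the attribute is absent from the raw entry. Second, once the setting is removed (`ipa config-mod --delattr ipaConfigString="KDC:Disable Last Success"` is the documented way; check `ipa config-show --all` first), the attribute is written only on the master that handled the authentication and is excluded from replication, so `ipa user-status` shows one value per server and a complete picture means querying every master. The example below, added here and not FreeIPA code, classifies users from an LDIF dump of those two attributes and deliberately puts users with no timestamp in an "unknown" bucket instead of disabling them, since an absent value usually means the feature was off, not that the user never logged in. The LDIF, the user names, and the base DN `cn=users,cn=accounts,dc=example,dc=com` are constructed.

```python
"""Classify IPA users by krbLastSuccessfulAuth from an LDIF dump, treating a
missing attribute as "unknown" rather than as inactive.

Added example; not FreeIPA code.  With the default "KDC:Disable Last Success"
ipaConfigString the KDC never writes the attribute; once enabled it is written
per master and not replicated, so run the dump against every master.  The LDIF
below is constructed.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastSuccessfulAuth: 20190901120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbLastSuccessfulAuth: 20190615080000Z

dn: uid=serviceuser,cn=users,cn=accounts,dc=example,dc=com
uid: serviceuser
"""
SAMPLE_NOW = datetime(2019, 9, 24, tzinfo=timezone.utc)   # constructed "today"


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime as written by the KDC, e.g. 20190901120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, folded lines joined."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\n ", "", text)          # LDIF continuation: newline + space
    for line in unfolded.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def classify(entries: List[Dict[str, List[str]]], now: Optional[datetime] = None,
             max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Split uids into active / inactive / unknown by last successful authentication."""
    now = now or datetime.now(timezone.utc)
    limit = timedelta(days=max_idle_days)
    result: Dict[str, List[str]] = {"active": [], "inactive": [], "unknown": []}
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        stamps = entry.get("krbLastSuccessfulAuth")
        if not stamps:
            result["unknown"].append(uid)       # never written: do not auto-disable
            continue
        last = parse_generalized_time(stamps[0])
        result["inactive" if now - last > limit else "active"].append(uid)
    return result


if __name__ == "__main__":
    # Live use (dry run): dump only the two attributes needed from one master.
    ldif = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-D", "cn=Directory Manager", "-W",
         "-b", "cn=users,cn=accounts,dc=example,dc=com", "(objectClass=person)",
         "uid", "krbLastSuccessfulAuth"],
        check=True, capture_output=True, text=True).stdout
    report = classify(parse_ldif(ldif))
    for uid in report["inactive"]:
        print("would run: ipa user-disable", uid)
    print("no last-auth data for:", report["unknown"])
```

Because the value is per master, run the dump against each IPA server, keep the newest timestamp per uid, and only then classify; disabling on the basis of one server's view would lock out users who authenticate elsewhere.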