remove bad replica from list not working
by Satish Patel
I am trying to remove an old and bad replica from the list, but somehow it
didn't like what I am doing.
[root@ldap-master ~]# ipa-replica-manage list -v `hostname`
ldap-1.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2019-09-19 17:28:00+00:00
ldap-2.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2019-09-19 17:28:00+00:00
ldap-3.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
I have tried the following way, but it's still not removing it from the list:
[root@ldap-master ~]# ipa-replica-manage del ldap-3.example.com --force --cleanup
ipa: INFO: Skipping replication agreement deletion check for suffix 'domain'
ipa: INFO: Skipping replication agreement deletion check for suffix 'ca'
ipa: WARNING: Forcing removal of ldap-3.example.com
ipa: WARNING: Ignoring topology connectivity errors.
ipa: WARNING: Ignoring these warnings and proceeding with removal
ipa: WARNING: Failed to cleanup ldap-3.example.com DNS entries: DNS is not configured
ipa: WARNING: You may need to manually remove them from the tree
ipa: WARNING: Server has already been deleted
-----------------------------------------------
Deleted IPA server "ldap-3.example.com"
-----------------------------------------------
I can still see that replica in the list:
[root@ldap-master ~]# ipa-replica-manage list -v `hostname`
…
…
ldap-3.example.com: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
last update ended: 1970-01-01 00:00:00+00:00
4 years, 7 months
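The listing above is the only evidence the poster has of which agreements are dead. The following added example (not FreeIPA code, and not something the poster ran) parses `ipa-replica-manage list -v` output and flags agreements whose last update failed with a non-zero code or never completed, so the check can be scripted across several masters. The sample input is constructed from the format shown in the post; a real run would pipe the command's output into it. Note that 389-ds prints a healthy agreement as `Error (0) ...`, which is why only a non-zero code counts as an error.

```python
"""Flag replication agreements that look dead in `ipa-replica-manage list -v` output.
Added example, not FreeIPA code. SAMPLE is constructed from the format in the post."""
import re
import sys
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: two of the three agreements shown in the post.
SAMPLE = """\
ldap-1.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2019-09-19 17:28:00+00:00
ldap-3.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""

HOST_RE = re.compile(r"^(\S+): replica\s*$")
FIELD_RE = re.compile(r"^\s*(last (?:init|update) (?:status|ended)): (.*)$")
CODE_RE = re.compile(r"Error \((-?\d+)\)")


def parse_replica_list(text):
    """Return {host: {field: value}} for every agreement in the listing."""
    agreements, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            agreements[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            agreements[current][m.group(1)] = m.group(2).strip()
    return agreements


def _ts(value):
    """'2019-09-19 17:28:00+00:00' -> aware datetime; pass datetimes through."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def stale_replicas(agreements, max_age_hours=24, now=None):
    """Return {host: reason} for agreements an admin should look at.
    389-ds reports a successful agreement as 'Error (0) ...', so only a
    non-zero code is treated as an error; an 'ended' time stuck at the Unix
    epoch means the agreement has never completed an update."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    stale = {}
    for host, fields in agreements.items():
        status = fields.get("last update status", "")
        m = CODE_RE.search(status)
        code = int(m.group(1)) if m else None
        ended = _ts(fields.get("last update ended", EPOCH))
        if code not in (None, 0):
            stale[host] = f"update error {code}: {status}"
        elif ended == EPOCH:
            stale[host] = "never completed an update"
        elif (now - ended).total_seconds() > max_age_hours * 3600:
            stale[host] = f"last update {ended.isoformat()} is older than {max_age_hours}h"
    return stale


if __name__ == "__main__":
    # Usage: ipa-replica-manage list -v $(hostname) | python3 stale_replicas.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for host, reason in stale_replicas(parse_replica_list(text)).items():
        print(f"{host}: {reason}")
```

On a domain level 1 deployment (FreeIPA 4.3 and later) the agreements are derived from the topology entries under `cn=topology,cn=ipa,cn=etc,$SUFFIX`, so if the server entry is already gone ("Server has already been deleted") the thing to inspect is whether a segment or a raw `nsds5replicationagreement` entry under `cn=mapping tree,cn=config` on the surviving master still names the dead host; `ipa topologysegment-find domain` and `ipa topologysegment-find ca` show the former.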
DNS server 10.0.3.10: query '. SOA': The DNS operation timed out after 10.001354217529297 seconds
by Mudassar Rana
Hi ,
I am trying to deploy the IPA server as a Docker container on a Kubernetes cluster.
I have built the Docker image and run the command below.
docker run --privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 --name freeipa-server -ti -h ipa.faas.example.lab freeipa-server-new:latest --setup-dns --allow-zone-overlap
But I am facing this issue:
DNS server 10.0.3.10: query '. SOA': The DNS operation timed out after 10.001354217529297 seconds
On the host system, I ran the dig command to verify the forwarding issue. Please find the output below:
```
[root@svpod7mgmt002 ~]# dig @10.0.3.10 . SOA
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @10.0.3.10 . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55981
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 45023 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019091900 1800 900 604800 86400
;; ADDITIONAL SECTION:
a.root-servers.net. 29958 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: 10.0.3.10#53(10.0.3.10)
;; WHEN: Fri Sep 20 01:49:17 UTC 2019
;; MSG SIZE rcvd: 120
```
4 years, 7 months
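The dig above was run on the host, which says nothing about whether 10.0.3.10 is reachable from inside the container's network namespace, where the installer's check actually runs. The following added example (not FreeIPA installer code, not something the poster ran) sends the same kind of probe, a `. SOA` query with an EDNS0 OPT record, from wherever it is executed and distinguishes a timeout from a SERVFAIL, a REFUSED, or a forwarder that answers without recursion. The two response headers at the bottom are constructed by hand so the parsing can be exercised offline.

```python
"""Probe a DNS forwarder with a '. SOA' query carrying EDNS0, as the failing
installer check does, and classify the outcome. Added example, not FreeIPA code.
SAMPLE_OK and SAMPLE_SERVFAIL are constructed wire-format headers."""
import socket
import struct


def build_soa_root_query(txid=0x1234, udp_payload=4096, dnssec_ok=True):
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    # Question: root name is a single zero-length label; QTYPE=SOA(6), QCLASS=IN(1)
    question = b"\x00" + struct.pack("!HH", 6, 1)
    # OPT pseudo-RR (RFC 6891): name=root, TYPE=41, CLASS=UDP payload size,
    # TTL field carries ext-rcode/version/flags (DO bit = 0x8000), RDLENGTH=0
    flags = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, flags, 0)
    return header + question + opt


RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_response_header(data, expected_txid):
    """Decode the 12-byte DNS header; reject short or mismatched replies."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),  # recursion available: a forwarder must set this
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(hdr):
    """Map a parsed header to the outcome an admin cares about."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] != "NOERROR":
        return hdr["rcode"]
    if not hdr["ra"]:
        return "no-recursion"
    return "ok" if hdr["answers"] > 0 else "empty"


def probe_forwarder(server, timeout=10.0, txid=0x1234):
    """Send the query over UDP and return 'ok', 'timeout', 'SERVFAIL', ..."""
    query = build_soa_root_query(txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(parse_response_header(data, txid))


# Constructed headers for offline checks: QR|RD|RA with rcode 0 and one answer,
# and QR|RD|RA with rcode 2 (SERVFAIL) and no answer.
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 2)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    # Usage inside the container/pod: python3 probe_forwarder.py 10.0.3.10
    print(probe_forwarder(sys.argv[1] if len(sys.argv) > 1 else "10.0.3.10"))
```

Run it from a shell inside the pod (or with `nsenter`/`kubectl exec`), not on the node: a `timeout` there with `ok` from the host points at pod egress (NetworkPolicy, the CNI, or a resolver only reachable from the host network), whereas `SERVFAIL` or `REFUSED` points at the forwarder itself.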
Vault: Cannot authenticate agent with certificate
by Peter Oliver
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug I see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
--
Peter Oliver
4 years, 7 months
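The KRA log says the IPA RA certificate (serial 0x7, subject CN=IPA RA,O=IPA.EXAMPLE.COM) was presented and accepted as a client certificate but could not be mapped to a KRA user. Dogtag's CertUserDBAuthentication does that mapping by matching the certificate against a user entry whose `description` attribute is `2;<serial in decimal>;<issuer DN>;<subject DN>`. The following added example (not FreeIPA or Dogtag code, not something the poster ran) builds the value the KRA is looking for and checks a user entry against it. The LDIF is constructed: the entry DN `uid=ipara,ou=people,o=kra,o=ipaca` and the issuer DN `CN=Certificate Authority,O=IPA.EXAMPLE.COM` are assumptions about this deployment, and the serial in the sample entry is deliberately one off to show what a stale mapping looks like.

```python
"""Check that a KRA agent user entry maps to the IPA RA certificate.
Dogtag matches the client cert against a user whose `description` is
'2;<serial decimal>;<issuer DN>;<subject DN>'. Added example, not FreeIPA/Dogtag
code. SAMPLE_LDIF is constructed; entry DN and issuer DN are assumptions."""


def expected_description(serial_hex, issuer_dn, subject_dn):
    """The log prints 'Serial 0x7'; the description stores the serial in decimal."""
    serial = int(serial_hex, 16)
    return f"2;{serial};{issuer_dn};{subject_dn}"


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}). Handles folded lines
    and comments; base64 ('::') values are not needed for these entries."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    entries, current, dn = [], {}, None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, current))
            dn, current = None, {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def _norm_dn(dn):
    """Loose DN comparison: case-insensitive, no whitespace around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def find_mapped_user(entries, serial_hex, issuer_dn, subject_dn):
    """Return the DN of the user whose description matches the certificate, or None."""
    want = expected_description(serial_hex, issuer_dn, subject_dn).split(";", 3)
    for dn, attrs in entries:
        for desc in attrs.get("description", []):
            parts = desc.split(";", 3)
            if len(parts) != 4 or parts[0] != "2":
                continue
            if (parts[1] == want[1]
                    and _norm_dn(parts[2]) == _norm_dn(want[2])
                    and _norm_dn(parts[3]) == _norm_dn(want[3])):
                return dn
    return None


# Constructed entry: serial 6 recorded, but the cert in the log is serial 0x7,
# which is the shape of a mapping left behind after the RA cert was reissued.
SAMPLE_LDIF = """\
dn: uid=ipara,ou=people,o=kra,o=ipaca
objectClass: person
uid: ipara
description: 2;6;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM

"""

ISSUER = "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
SUBJECT = "CN=IPA RA,O=IPA.EXAMPLE.COM"

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("expected:", expected_description("0x7", ISSUER, SUBJECT))
    print("mapped to:", find_mapped_user(entries, "0x7", ISSUER, SUBJECT))
```

To run it against the real deployment, export the entry with `ldapsearch -LLL -D 'cn=Directory Manager' -W -b ou=people,o=kra,o=ipaca uid=ipara` and take serial, issuer and subject from the RA certificate (`openssl x509 -noout -serial -issuer -subject -in /var/lib/ipa/ra-agent.pem` on 4.5); a mismatch in any of the three fields produces exactly the "cannot map certificate to any user" line in the post.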
reinstall freeIPA server without loosing data
by Albert Szostkiewicz
I have an issue with my IPA server. Suddenly, after some recent system update, I am unable to log in to the web UI or execute any command, due to an 'unknown reason' and some "Unspecified GSS failure."
I went through the suggested debugging process but no luck. I've seen similar issues in the past marked as a bug, but without a clean solution other than `updating to a newer version of ipa`.
So I've filed a bug report assuming that it could be a bug again: https://pagure.io/freeipa/issue/8065
Unfortunately, the devs might be too busy to look into that, so I was wondering if there is a way that I could re-install ipa-server without creating complete chaos, keeping all DNS/USER/HOSTS data?
Any suggestions?
Thanks!
4 years, 7 months
services disabled by default on replicas ?
by danielle lampert
Hello,
I'm running freeipa 4.5.0-20 on CentOS Linux release 7.4.1708 (Core)
I've noticed that when rebooting my replica, things are not working anymore
on this replica, as I can't get a kinit to work, for example.
It seems that services are disabled by default and I wonder if this is
normal? Should we enable these services manually?
After restarting everything with an ipactl command, it then is working.
Thanks in advance for your answers, below are my commands and their results.
D.L.
# kinit admin
kinit: Cannot contact any KDC for realm 'IPB.RHCE.LOCAL' while getting
initial credentials
# systemctl status kadmin.service
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor
preset: disabled)
Active: inactive (dead)
# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
# ipactl restart
Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
# kinit admin
Password for admin(a)IPB.RHCE.LOCAL:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin(a)IPB.RHCE.LOCAL
Valid starting Expires Service principal
03/09/19 23:55:09 04/09/19 23:55:08 krbtgt/IPB.RHCE.LOCAL(a)IPB.RHCE.LOCAL
4 years, 7 months
FreeIPA CA_REJECT issue during adding new replica
by Satish Patel
Folks,
Stay with me while I explain my issue because it's a little complex. We
had 2 working LDAP servers running in datacenter-A for many months and life
was good.
Last year company decided to shutdown datacenter-A and migrate
everything from there to new datacenter-B.
This is what I did for the migration: I created two new LDAP servers
in Datacenter-B and ran create replica from Datacenter-A (but, my bad
luck, we forgot the --setup-ca option which creates a CA replica). In
short, we have no CA running in the new datacenter-B.
The fun part starts now. So finally, a few months back, we shut down
datacenter-A and archived all data (LDAP was running in VMware so we
archived the vmdk). After 8 months we found our LDAP servers running under
load, so we decided to create more replicas, and we found we have no CA
master, so we can't create a replica. Damn it.
We dug into the datacenter-A archive and started ldap-ca-master on a
new IP address; we gave it the same DNS name so it won't create any issue.
When I started ldap-ca-master it started throwing errors that some certs
had expired, blah blah, so finally I renewed them and this LDAP looks good
now; the CA is also running.
Hostname:
ldap-ca-master (This is old datacenter LDAP with CA, awakened few days ago)
ldap-b-1 (new datacenter LDAP without CA)
ldap-b-2 (new datacenter LDAP without CA)
Now I am trying to create a new ldap-b-3 in the new datacenter using
ldap-b-1 as my master to create the new replica, and somehow I am getting the
following error:
RuntimeError: Certificate issuance failed (CA_REJECTED: Server at
https://ldap-b-1.example.com/ipa/xml failed request, will retry: 4035
(RPC failed at server. Request failed with status 404: Non-2xx
response from CA REST API: 404. ).)
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: RPC failed at server. invalid 'hostname': An
IPA master host cannot be deleted or disabled
Question:
1. All my other LDAP servers are running 4.5.x but the new replica is on 4.6; not sure
whether that is the issue here or not?
2. I can see the ldap-ca-master node isn't fully in sync with ldap-b-1 and
ldap-b-2 because I brought that machine back to life after 8 months (do you
think I should force-sync ldap-ca-master with ldap-b-1?)
3. Should I use ldap-ca-master to create the replica, or can I pick any
node to create the replica?
What options do I have here to troubleshoot this issue?
4 years, 7 months
Certmonger managed certificate signed by sub-ca
by Ben Rawson
I'm having some trouble getting sub-ca signed certificates issued and managed by certmonger. The implementation here [https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I see that the -X option can be passed to ipa-getcert to specify the issuer, but every time I create a request with -X specified I get an error.
Steps to reproduce:
1. Create a new CA named "Test" through the FreeIPA web UI.
2. Run the following on a host enrolled in freeIPA:
ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"
3. Run ipa-getcert list and receive an error message:
Request ID 'test':
status: CA_REJECTED
ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: yes
key pair storage: type=FILE,location='/root/test.key'
certificate: type=FILE,location='/root/test.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Running FreeIPA 4.6.4
Thanks for the help!
4 years, 7 months
Check users last login ? To auto disable in-active users ?
by Morgan Cox
Hi.
For PCI DSS compliance I need to be able to disable users not logged in for X amount of days (I think it's 90).
I was going to create a script which checks the last login time (I have a similar one for expired passwords), however I cannot find a way of doing so.
I have searched for info and found I should be able to get the info from the krbLastSuccessfulAuth value using
# ipa user-find --all --raw
But that field is not there.
Also seen I can use
# ipa user-status user
But the value always shows
' Last successful authentication: N/A'
Also seen using ldapsearch
# ldapsearch -x -D "cn=Directory Manager" -W uid=serviceuser
And the value is also missing.
Reading about this, it seems the value is cancelled when using replicas - is that right?
How can I do what I need to - i.e. how do I check the last login time for a user from the IPA servers (not on a per-IPA-client basis)? Or is there a different way to disable inactive users?
4 years, 7 months
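Once `krbLastSuccessfulAuth` is actually being written (FreeIPA ships with `ipaConfigString: KDC:Disable Last Success` set on `cn=ipaConfig,cn=etc,$SUFFIX`, which suppresses the attribute to avoid replicating a write on every authentication; removing that value re-enables it at that replication cost), the 90-day check is a matter of parsing LDAP GeneralizedTime and comparing against a cutoff. The following added example (not FreeIPA code, not the poster's script) does that over a constructed list of `(uid, krbLastSuccessfulAuth)` pairs, as `ldapsearch` or `ipa user-find --all --raw` would print them, and lets the caller decide whether an account with no recorded authentication at all should count as inactive.

```python
"""Find accounts whose krbLastSuccessfulAuth is older than N days.
Added example, not FreeIPA code. SAMPLE is a constructed input; a real run
would feed uid/krbLastSuccessfulAuth pairs exported with ldapsearch."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """LDAP GeneralizedTime as 389-ds writes it, e.g. '20190919172800Z'."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC ('Z') timestamps are handled: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inactive_users(records, max_days=90, now=None, treat_missing_as_inactive=False):
    """records: iterable of (uid, krbLastSuccessfulAuth or None).
    Returns {uid: reason} for accounts that should be disabled.
    `now` may be a GeneralizedTime string (handy for reproducible runs)."""
    if isinstance(now, str):
        now = parse_generalized_time(now)
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_days)
    result = {}
    for uid, last in records:
        if last is None:
            # Attribute absent: either never authenticated since recording was
            # enabled, or recording is still disabled. Don't guess silently.
            if treat_missing_as_inactive:
                result[uid] = "no krbLastSuccessfulAuth recorded"
            continue
        ts = parse_generalized_time(last)
        if ts < cutoff:
            result[uid] = f"last auth {ts.date()} is older than {max_days} days"
    return result


# Constructed sample: one recent user, one stale user, one account with no value.
SAMPLE = [
    ("alice", "20190901120000Z"),
    ("bob", "20190301080000Z"),
    ("svc-backup", None),
]

if __name__ == "__main__":
    for uid, reason in inactive_users(SAMPLE, max_days=90).items():
        # Disabling would be: ipa user-disable <uid>
        print(f"{uid}: {reason}")
```

Two caveats for the real thing: the attribute is updated by the KDC that served the request and then replicated, so right after enabling it the values will be missing on every account until each user next authenticates; and service accounts that only ever use keytabs will still show a value, since a keytab-based AS-REQ is a successful authentication too.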
ipa-kra-install fails: Failed to update number range.
by Dmitry Perets
Hi,
I've created a new IPA replica.
ipa-replica-install has completed successfully.
ipa-ca-install has completed successfully as well.
However, ipa-kra-install fails.
In the terminal it fails right here:
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/11]: creating ACIs for admin
[2/11]: creating installation admin user
[3/11]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp0w3vD5' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: KRA configuration failed.
This is in /var/log/pki/pki-tomcat/kra/debug:
[12/Sep/2019:15:58:34][http-bio-8443-exec-1]: === Subsystem Configuration ===
[12/Sep/2019:15:58:34][http-bio-8443-exec-1]: SystemConfigService: validate clone URI: https://t-idm-nbg2-1.poc.customer.de:443
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: SystemConfigService: get configuration entries from master
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: updateNumberRange start host=t-idm-nbg2-1.poc.customer.de adminPort=443 eePort=443
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: updateNumberRange content: {xmlOutput=[true], sessionID=[5319570421915120898], type=[request]}
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: ConfigurationUtils: POST https://t-idm-nbg2-1.poc.customer.de:443/kra/admin/kra/updateNumberRange
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: Server certificate:
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: - subject: CN=t-idm-nbg2-1.poc.customer.de,O=poc.customer.de
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: - issuer: CN=Certificate Authority,O=poc.customer.de
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: content from admin interface =<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Failed to update number range.</Error></XMLResponse>
[12/Sep/2019:15:58:35][http-bio-8443-exec-1]: updateNumberRange(): status=1
java.io.IOException: Error: Failed to update number range.
I must note that in this environment there were a lot of redeployments of IPA servers, replicating from one another, deleting the original masters etc.
And right now I have about 10 IPA servers running, out of them 2 with working KRA (this was supposed to be the 3rd one).
I found a similar issue with an explanation of how the number ranges can get depleted, but I am not sure how I can manually resolve this (without killing the entire environment, of course):
https://pagure.io/freeipa/issue/7654
Could you guide me in the right direction please?
ipa-server 4.6.4...
---
Regards,
Dmitry Perets
4 years, 7 months
how do you update certs for kinit -n?
by Charles Hedrick
Recent versions of FreeIPA support kinit -n. However, we need a file that has certificates from all the servers.
We have three servers. Their certificates renew themselves automatically a few hours before expiration. But then we need to concatenate all of them and put them on all clients.
It should be part of the ipa client, or maybe sssd, to retrieve the updated certs.
We depend upon kinit -n as part of the script for doing kinit for users with one-time passwords. I had written a hack that uses a random user with no abilities. Until we can find a way to distribute certs whenever they change, I'm going to return to the hack rather than kinit -n.
4 years, 7 months