can't install replica
by Charles Hedrick
We are moving from Centos 7 to 8. I did a test on copies and it worked with 8.0. i made the mistake of doing it on the production servers under 8.1. It fails.
I removed one server and recreated it as a replica. It worked fine. However the second one failed near the end of the process:
Restart of krb5kdc.service complete
Waiting up to 300 seconds to see our keys appear on host ldap://krb1.cs.rutgers.edu
Starting new HTTPS connection (1): krb1.cs.rutgers.edu:443
https://krb1.cs.rutgers.edu:443 "GET /ipa/keys/dm/DMHash?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.KgdU3jtIIC3bRIoqToXzmZIl3QFUKqbrBbT0sBerqmR2YWNWQTEp8ABbTSHINOUhtgPubXhwaAsqPzXTee3urtrK6lmf9wJ6OkecdVPY1PS9sWhMNUz4gEJkR-vVM8bN6gfk4g2Lc8jq2o2LMFloNMgCqUQyeRuiec09NsjIvR8X18xYQfXJXvlhuz-d2OJW1CsKO6_T1z8O_vsxlZ-vAeB8j3dbZiXJOlzdcxYYqjMHY-IM4LroUzCVNXtHloiq28e6R-uVTX9O7ActEbiSy6UePgE76K0cWVl1kJyHFozEZChH1_rzCgP6zdhAf8QqPOdde_860nxIUmroRuECjA.gnnrHcTs9ucgqLntquJltw.GAWBOG_aMTgwzwxQqSIFrThgTTiqg3fM3POZWccCqqs3PiwJq5vW2S-tF9VsV1topXcRdlKb6fUOyjE6wrffJ5hYRyE1c3ocAlG3QTVC8QWRn7Ol_IfoVfW-hTe-cAhELcdIOIEand_BYjSTEO6rDXv83iXRFxwno9ZYYppF8bQY7EC1r_wW5xTdXftILCDmkJbhXmGPnlCQ2Ah9cG3qZAKNBRsvk400_kRQec-4LBKWGYYd0y56zd6-PpcVO6p72AldDF_YoeettzaaxbYyH0bRFt7y9aHH3GaD5BOkVp_ZgSHZWbWf8-2zB76f1OKrz6TktCfcb4_ChUZ6BZZ41MX6T06Xjp3ft6p5KzPfY_gUq0fKWWESHMLOEZg8fAl15l9ZwMiRmpd1PZW3oLVxF3rO94OM4H7_8WVehrcO3dAuAVA7_ykmIKv-WBWvjNHbsXXTyb76a2ka2WYuVxeKGMklEyQgOaMPJa7BqSOCiPljt7juTXAMGRupuDG62bP9PdFQkervv4p_9wvwpEZkuWPLlHqgzrdspgBbQoXkbcyiv9qf7oyB_xHQaoMxlwfvGwlNu8Go9t8oHJkalVdjxCPL-qG0GxKHuh0uFNYR0Z3uP545HkzVECv8uUkm08Jc.SCBVE0utvtniR8-8qAe02swg5GzDZxfN0O6JkKsWN2Y HTTP/1.1" 502 415
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 590, in main
replica_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 402, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1298, in install
custodia.import_dm_password()
File "/usr/lib/python3.6/site-packages/ipaserver/install/custodiainstance.py", line 211, in import_dm_password
cli.fetch_key('dm/DMHash')
File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in fetch_key
r.raise_for_status()
File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
The ipa-replica-install command failed, exception: HTTPError: 502 Server Error: Proxy Error for url: https://krb1.cs.rutgers.edu/ipa/keys/dm/DMHash?xxxx
502 Server Error: Proxy Error for url: https://krb1.cs.rutgers.edu/ipa/keys/dm/DMHash?ccc
At this point I’m pretty much stuck.
4 years, 2 months
After install FreeIPA server - ipa: WARNING: Failed to read schema: [Errno 13] Permission denied...
by Bedrosian Baol
I tried to install the FreeIPA server as suggested here: https://computingforgeeks.com/install-and-configure-freeipa-server-on-ubu...
It seems to be all right:
:~$ kinit admin ---- > Ok
:~$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin(a)TEST.BED
Valid starting Expires Service principal
01/20/2020 10:50:10 01/21/2020 10:49:19 HTTP/master1.test.bed(a)TEST.BED
01/20/2020 10:49:24 01/21/2020 10:49:19 krbtgt/TEST.BED(a)TEST.BED
but the command ipa-user-find return:
:~$ ipa-user-find admin
ipa: WARNING: Failed to read schema: [Errno 13] Permission denied: u'/home/bed/.cache/ipa/schema/1/84c19d36'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/bed/.cache/ipa/schema/1/84c19d36mC4GkY'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: u'/home/bed/.cache/ipa/servers/master1.test.bed'
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin(a)TEST.BED
UID: 1382000000
GID: 1382000000
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
If I try to login with the web interface this is answer: "Login failed due to an unknown reason" (browser configured with certificate)
The user "bed" is the sudoer user created during linux server installation, and is the only one at FreeIPA server install time
Any advice?
Thanks
B-)
4 years, 2 months
Remote Replica Setup
by Russ Long
I have a cluster of 1 master and 2 replica servers spread across Availablity Zones in one VPC in AWS. We have a couple remote, locked down VPCs that for security reasons do not have access to the rest of our infrastructure. For this reason, I want to place an IPA Replica in those remote VPCs.
I was wondering what type of proxy I could place in front of the IPA Master to allow communication with these remote replicas on all required ports. I want to use a proxy to avoid having our IPA setup directly connected to the internet as would be required for the remote replicas to communicate.
4 years, 2 months
FreeIPA installs without errors, but then the web interface is not available.
by Scott Reed
I install FreeIPA with my usual options, but when it's done the web interface is not available with the usual.
Service status:
[xadministrator@idm log]$ sudo systemctl enable tomcat.service -l
[xadministrator@idm log]$ sudo systemctl start tomcat.service -l
[xadministrator@idm log]$ sudo systemctl status tomcat.service -l
\u25cf tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Tue 2020-01-21 14:42:52 EST; 3s ago
Process: 15192 ExecStart=/usr/libexec/tomcat/server start (code=exited, status=0/SUCCESS)
Main PID: 15192 (code=exited, status=0/SUCCESS)
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.catalina.core.StandardService stopInternal
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping service Catalina
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol stop
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol destroy
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol stop
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping ProtocolHandler ["ajp-bio-8009"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol destroy
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Destroying ProtocolHandler ["ajp-bio-8009"]
[xadministrator@idm log]$
[xadministrator@idm log]$ sudo systemctl status httpd -l
[sudo] password for xadministrator:
\u25cf httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
\u2514\u2500ipa.conf
Active: active (running) since Tue 2020-01-21 14:18:35 EST; 1 day 2h ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 13471 (httpd)
Status: "Total requests: 4; Current requests/sec: 0; Current traffic: 0 B/sec"
Tasks: 61
CGroup: /system.slice/httpd.service
\u251c\u250013471 /usr/sbin/httpd -DFOREGROUND
\u251c\u250013472 /usr/libexec/nss_pcache 688130 off
\u251c\u250013475 (wsgi:kdcproxy) -DFOREGROUND
\u251c\u250013476 (wsgi:kdcproxy) -DFOREGROUND
\u251c\u250013477 (wsgi:ipa) -DFOREGROUND
\u251c\u250013478 (wsgi:ipa) -DFOREGROUND
\u251c\u250013479 (wsgi:ipa) -DFOREGROUND
\u251c\u250013480 (wsgi:ipa) -DFOREGROUND
\u251c\u250013481 /usr/sbin/httpd -DFOREGROUND
\u251c\u250013482 /usr/sbin/httpd -DFOREGROUND
\u251c\u250013483 /usr/sbin/httpd -DFOREGROUND
\u251c\u250013484 /usr/sbin/httpd -DFOREGROUND
\u251c\u250013485 /usr/sbin/httpd -DFOREGROUND
\u2514\u250013747 /usr/sbin/httpd -DFOREGROUND
Jan 21 14:18:35 idm.cs.xxxx systemd[1]: Started The Apache HTTP Server.
Jan 21 14:18:40 idm.cs.xxxx [13477]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13477]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13477]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13478]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13478]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13478]: GSSAPI client step 1
Jan 21 14:18:42 idm.cs.xxxx [13479]: GSSAPI client step 1
Jan 21 14:18:42 idm.cs.xxxx [13479]: GSSAPI client step 1
Jan 21 14:18:42 idm.cs.xxxx [13479]: GSSAPI client step 1
The url that I'm trying is: https://idm.cs.xxxx/ipa/ui/
Any help would be appreciated.
4 years, 2 months
Re: Freeipa and squid
by Aditya
Hi,
I am Aditya from India. I red your article on HYPERKITTY with reference to that I need your help to setup the acl environment as below.
1) I want an internet access with different rules - some group with full access, -some without social networks, ad some group without access to internet,
2) Can you please help me to perform above action in my network by using “ext_kerberos_ldap_group_acl”
3) Coz I am not aware about use of ext_kerberos_ldap_group_acl
I am using centos as a IPA server and centos as squid proxy server and ubuntu 18 as client.
Requesting you to please help.
Regards,
Aditya Pawar.
8976100089
4 years, 2 months
External CA renewal and self-signed surprise
by Rob Foehl
Went to renew an externally-signed IPA CA certificate that was valid
through today, and discovered that FreeIPA had decided to renew it with a
self-signed cert a month ago, and had since reissued all other subsystem
certs against that self-signed CA. After running through the
ipa-cacert-manage renew dance and ipa-certupdate, the system store now
contains the following certs, in this order:
- old, now-expired IPA CA cert
- old, soon-to-be-expired external CA root cert
- self-signed IPA cert
- new IPA CA cert
- new external CA root cert
There's also a chicken-and-egg problem with trying to renew anything, in
that all new requests are signed with the self-signed IPA CA instead of
the new intermediate IPA CA.
How do I unravel this, and completely purge the self-signed cert from
existence? Why did FreeIPA try to renew the intermediate CA cert on its
own, and why did it succeed?
(This is FreeIPA 4.7.2 on Fedora 29, which I'm stuck with until the CA
chains are sorted out -- upgrading is still a manual replica replacement
process, since ipa-server-upgrade and friends *still* insist on verifying
a CA lifetime of >2 years, inexplicable behavior reported years ago...)
-Rob
4 years, 2 months
default ipa users seeing too much
by John Louis
Hi, when a new user is created, she is assigned to the default "ipausers" group. But she can:
1. see the list of all users, at https://server/ipa/ui/#/e/user/search
2. see all the details of any other users, at https://server/ipa/ui/#/e/user/details/another_user
3. for herself, she sees too many info that maybe nobody needs, such as "Car License", in her own landing page
Is it possible to:
A. prevent normal users to see 1. and 2. above
B. customize to remove items not needed in 3. above
?
I checked, looks like:
A. even though we can configure some Roles, Privileges, Permissions, they are all system admins' elevated permissions. There is no way to remove permission from "ipausers".
B. we can configure to disallow users to modify her "Car License" etc, BUT I found no way to not show that item in her landing page.
I googled but can't find anything on the above. Would you help?
Thanks!
4 years, 2 months
IPA client as a Samba server?
by Amos
So, was told a RHEL IPA client (leveraging sssd) could not also be a Samba
server (leveraging winbindd) because sssd and winbindd collide in terms of
the Kerberos bindings. Our IPA servers are configured in "compat" mode in
expectation of having to support a few Solaris systems. Could I configured
this RHEL IPA client to instead use LDAP via the compat method and still be
able to be a Samba server?
Amos
4 years, 3 months
upgrade from centos 8.0 -> 8.1 samba fails to start
by Rami Elias (TECH V)
Hello,
i upgraded one of our replicas from Centos 8.0 -> Centos 8.1
IPA version error: data needs to be upgraded (expected version '4.8.0-11.module_el8.1.0+253+3b90c921', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Failed to start smb Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
now samba cant start anymore, the google results i found for this error where old and said its a ubuntu / debian problem because debian based derivates have their samba build with Heimdal Kerberos instead of MIT Kerberos:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249
Jan 21 16:05:57 ipa-web-test-c82.lx.domain.at smbd[49686]: [2020/01/21 16:05:57.203922, 0] ../../source3/passdb/pdb_interface.c:171(make_pdb_method_name)
Jan 21 16:05:57 ipa-web-test-c82.lx.domain.at smbd[49686]: No builtin nor plugin backend for ipasam found
Jan 21 16:05:57 ipa-web-test-c82.lx.domain.at systemd[1]: smb.service: Main process exited, code=exited, status=1/FAILURE
Jan 21 16:05:57 ipa-web-test-c82.lx.domain.at systemd[1]: smb.service: Failed with result 'exit-code'.
Jan 21 16:05:57 ipa-web-test-c82.lx.domain.at systemd[1]: Failed to start Samba SMB Daemon.
is this maybe a bug? i attached the ipaupgrade.log
https://mega.nz/#!MANSjQbL!HsNemqP5OGL5muoYvHvsaPwzaCDeoPkz5utY4J7wkIw
the log was to big to send as attachment
best regards,
--
ÖAMTC I BAUMGASSE 129 I 1030 WIEN
Elias Rami | Devops Engineer
M +43 664 613 1346
elias.rami(a)oeamtc.at | www.oeamtc.at<http://www.oeamtc.at/> | ÖAMTC ZVR 7300335108
________________________________
ÖAMTC Schutzbrief
Der umfassende Schutz für Sie und Ihre Familie.
Auf allen Reisen mit Auto, Bahn, Bus, Fahrrad, Schiff oder Flugzeug.
In Österreich, Europa und rund ums Mittelmeer.
www.oeamtc.at/schutzbrief<https://www.oeamtc.at/schutzbrief>
________________________________
Wichtiger Hinweis/Important Information:
Dieses E-Mail samt Anlagen („E-Mail“) dient nur zur Information. Erklärungen via E-Mail sind nicht rechtsverbindlich, sondern bedürfen der schriftlichen Bestätigung samt firmenmäßiger/statutenmäßiger Unterfertigung durch Mitglieder der Geschäftsleitung in vertretungsbefugter Anzahl. Für die Richtigkeit oder Vollständigkeit der übermittelten Informationen/Daten, für Übermittlungsfehler, für fehlgeleitete E-Mails oder für einen verspäteten Empfang wird nicht gehaftet. Eigene elektronische Empfangs- oder Lesebestätigungen gelten nicht als Bestätigung für den Erhalt eines E-Mails. Der Inhalt dieses E-Mails ist vertraulich. Wenn Sie nicht der angegebene Adressat oder dessen Vertreter sind, informieren Sie bitte umgehend den Absender und löschen Sie dieses E-Mail von Ihrem System. Die unerlaubte Weitergabe oder Nutzung ist nicht gestattet.
This e-mail and any attachment (“e-mail”) serves information purposes only. Statements via e-mail are not legally binding but require written confirmation including the signatures of the required number of managing directors under statutory provisions. We are not liable for the accuracy and sufficiency of the provided information/data, for any transmission error, misdirection, loss or delay of an e-mail. Electronic reading receipts are no confirmation for receipt of an e-mail. This e-mail is confidential. If you are not the addressee or his representative, please notify the sender immediately and delete this e-mail from your system. Any disclosure or use is prohibited.
________________________________
4 years, 3 months
Two interfaces on FreeIPA server.. How?
by Tony Brian Albers
Ok guys,
I have a FreeIPA server with 2 interfaces. The primary is for normal
usage and is the one that FreeIPA is set up with with regards to
hostname and services. The other one is on an administrative network.
The Web UI works fine on the primary interface, but I can't really
access it on the other interface. It's obvious that the services bind
to the primary interface, but isn't it possible to access the UI on the
other interface somehow?
TIA
/tony
--
Tony Albers - Systems Architect - IT Development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark
Tel: +45 2566 2383 - CVR/SE: 2898 8842 - EAN: 5798000792142
4 years, 3 months
