January 2020 - FreeIPA-users - Fedora mailing-lists

Re: Where is the "Audit" in IPA?
by Charles Hedrick 15 Jan '20

15 Jan '20

This looks pretty reasonable. Unfortunately it intermixed lots of info. The files grow rapidly enough that it’s probably not practical to keep them for a long time. It might not be hard to pull out just the things that make changes. On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote: Just a note from a fellow user ... Changes made through the API are logged via apache's ErrorLog directive, I've been using this to some degree of success to answer 3rd party audit queries. However it does miss things like "which groups was this user a member of when they were deleted" though ... The facilities you are asking about sound excellent Ryan! Regards Angus ________________________________ From: Ryan Slominski via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Sent: 15 January 2020 20:28 To: freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Cc: Ryan Slominski <ryans(a)jlab.org<mailto:ryans@jlab.org>> Subject: [Freeipa-users] Where is the "Audit" in IPA? Hi FreeIPA dudes, What is the status of audit in IPA? Specifically, is there an easy way to determine what was the group membership of a particular group was at a particular point in time, say last October? I noticed there is an audit log file (disabled by default), but that is going to be a not-so-easy way to try to re-construct group membership at a point in time in the past. I was hoping to just navigate to a "history" tab on the GUI, but no such luck. Is this on anyone's todo list? I also noticed a "Centralized Logging" webpage that suggest setting up an ELK stack, but that doesn't quite provide snapshots of group membership. What about the ability to subscribe to changes (as opposed to poll them)? I suppose the replication features could be used somehow, but those are also polling based? Would be nice to configure simple callbacks (perhaps HTTP post) when things change. I believe this is called a webhook. Any support for this kind of notification system? Thanks, Ryan _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…

2 1

Where is the "Audit" in IPA?
by Ryan Slominski 15 Jan '20

15 Jan '20

Hi FreeIPA dudes, What is the status of audit in IPA? Specifically, is there an easy way to determine what was the group membership of a particular group was at a particular point in time, say last October? I noticed there is an audit log file (disabled by default), but that is going to be a not-so-easy way to try to re-construct group membership at a point in time in the past. I was hoping to just navigate to a "history" tab on the GUI, but no such luck. Is this on anyone's todo list? I also noticed a "Centralized Logging" webpage that suggest setting up an ELK stack, but that doesn't quite provide snapshots of group membership. What about the ability to subscribe to changes (as opposed to poll them)? I suppose the replication features could be used somehow, but those are also polling based? Would be nice to configure simple callbacks (perhaps HTTP post) when things change. I believe this is called a webhook. Any support for this kind of notification system? Thanks, Ryan

3 2

can't access the web interface of freeIPA
by cyrine stambouli 15 Jan '20

15 Jan '20

Hello, I have a problem to access the freeIPA interface, well I have installed freeIPA in centos 7 server, the iinstallation was well done without any errors , but i am not able to access web interface , do you have any idea to fix that ? [root@ipa]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful

5 12

Troubles accessing kerberized website
by Ronald Wimmer 14 Jan '20

14 Jan '20

Today I am confronted with an interesting situation. A Kerberos protected website partially stopped working the way it was. I am asked to enter my Kerberos credentials manually. (If I do the site works as expected.) The interesting thing about this issue is that this only happens if I try to access that particular website from a linux client. If I access the same site from a Windows client Kerberos auth is done automatically. The second interesting thing is that another website configured exactly the same way does work without any issues. (Yes I do use the same user on Windows and Linux and I do have a valid TGT.) What could possibly be the problem? Where should I take a closer look? Cheers, Ronald

2 5

Adding Hosts that are not ipa-clients ?
by White, Daniel E. (GSFC-770.0)[NICS] 14 Jan '20

14 Jan '20

I am considering the Host Based Access Control features to help manage things in our infrastructure that cannot be ipa-clients - like network hardware (switches, routers) With the understanding that my servers do not run the DNS, can I create such hosts to use in host groups and HBAC rules ? ______________________________________________________________________________________________

2 2

Disable SSLv3 and RC4 ciphers on ipa-server 3.0.0
by Terry Soucy 14 Jan '20

14 Jan '20

We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad) ipa-server-3.0.0 tomcat6-6.0.24 I've been modifying /etc/pki-ca/server.xml with little success. What am I missing? I've been banging my head on this for the past week. <Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa001.local:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" clientAuth="true" sslOptions="ssl2=false,ssl3=false,tls=true" tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA" sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2" sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" passwordFile="/var/lib/pki-ca/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-ca/alias" /> -- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247 <http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html>

4 6

FreeIPA/PKI CA/KRA Subsystem Certificate Renewal Failure (not yet expired)
by Anthony Joseph Messina 13 Jan '20

13 Jan '20

I am running into trouble with certmonger renewal of KRA subsystem certs on the renewal master, and CA/KRA subsystem certs on the replica. Any help is appreciated as my renewal window ends in 8 days. This is Fedora 31 with freeipa-server-4.8.4-2.fc31.x86_64 on both master and replica. These systems have been upgraded using the recommended method of creating new replicas since 4.6.3. ## The renewal master... The cert is renewed, but the ca-error below is concerning (the same for "CN=KRA Transport Certificate" and "CN=KRA Storage Certificate") Request ID '20191117031707': status: MONITORING ca-error: Server at "http://ipa482a.example.com:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=KRA Audit,O=EXAMPLE.COM expires: 2022-01-01 12:37:19 CST key usage: digitalSignature,nonRepudiation ## The replica... The cert is not renewed and the ca-error is different. Request ID '20191117040017': status: MONITORING ca-error: Invalid cookie: '' stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MESSINET.COM subject: CN=KRA Audit,O=MESSINET.COM expires: 2020-01-21 20:22:24 CST key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-kra" track: yes auto-renew: yes ## The pki-tomcat debug log on the renewal master... 2020-01-12 15:03:21 [http-nio-8080-exec-13] SEVERE: CAProcessor: authentication error: Missing credential: sessionID Missing credential: sessionID at com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57) at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:416) at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:471) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:179) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:98) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:242) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128) at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:496) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) 2020-01-12 15:03:21 [http-nio-8080-exec-13] SEVERE: ProfileSubmitServlet: authentication error in processing request: Missing credential: sessionID Missing credential: sessionID at com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57) at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:416) at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:471) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:179) at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:98) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:242) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128) at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:496) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) -- Anthony - https://messinet.com F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6

2 2

Problem adding a RHEL 8.1 client
by SOLER SANGUESA Miguel 13 Jan '20

13 Jan '20

Hello, I'm trying to add a RHEL 8.1 client with the following spec: OS: RHEL 8.1 (Ootpa) IPA: ipa-client-4.8.0-10 SSSD: sssd-2.2.0-19.el8.x86_64 My IDM server has: OS: RHEL 7.7 (Maipo) IPA: ipa-server-4.6.5-11.el7_7.3 SSSD: sssd-1.16.4-21.el7_7.1 When I try to add the client using "ipa-client-install" I get the error: This program will set up IPA client. Version 4.8.0 Discovery was successful! Do you want to configure chrony with NTP server or pool address? [no]: Client hostname: client01.svc.domain.org Realm: IPA.DOMAIN.ORG DNS Domain: ipa.domain.org IPA Server: icidmpdc1.ipa.domain.org BaseDN: dc=ipa,dc=domain,dc=org Continue to configure the system with these values? [no]: yes Synchronizing time Configuration of chrony was changed by installer. Attempting to sync time with chronyc. Time synchronization was successful. Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG Valid From: 2016-03-04 15:13:38 Valid Until: 2036-03-04 15:13:38 Joining realm failed: Unable to initialize STARTTLS session Failed to bind to server! Retrying with pre-4.0 keytab retrieval method... Unable to initialize STARTTLS session Failed to bind to server! Failed to get keytab child exited with 9 Installation failed. Rolling back changes. Disabling client Kerberos and LDAP configurations Restoring client configuration files nslcd daemon is not installed, skip configuration Client uninstall complete. The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0. Can anyone please, let me know why it is not working? Thanks & Regards.

3 12

sudo rule doesn't work
by Elhamsadat Azarian 13 Jan '20

13 Jan '20

Hi friends i define a SudoRule with this properties: rulename : rsyslog_rule Enabled : true RunAs group Category : All users :user-test hosts: ipacli-irvlt01.mydomain.com sudo Deny Commands : sudo /usr/bin/systemctl restart rsyslog now i login with "user-test" into "ipacli-irvlt01" server and i try to run " sudo /usr/bin/systemctl restart rsyslog" command. i expected to doesnt allow to run this command but no action happend and i could run it!!! why my sudo rule doesnt work? ---------------------------------------------------------- this is less /var/log/sssd/sssd_domain.log: (Sun Jan 12 13:59:01 2020) [sssd[be[lshs.dc]]] [orderly_shutdown] (0x0010): SIGTERM: killing children ---------------------------------------------------------- this is /var/log/sssd/sssd_sudo.log (Sun Jan 12 13:59:01 2020) [sssd[sudo]] [orderly_shutdown] (0x0010): SIGTERM: killing children ---------------------------------------------------------- this is less /var/log/sudo_debug Jan 12 14:19:27 sudo[17370] /etc/sudoers:53 CMNDALIAS ALIAS = COMMAND , COMMAND ARG , COMMAND ARG Jan 12 14:19:27 sudo[17370] -> alias_add @ ./alias.c:120 Jan 12 14:19:27 sudo[17370] -> rcstr_addref @ ./rcstr.c:81 Jan 12 14:19:27 sudo[17370] <- rcstr_addref @ ./rcstr.c:88 := 0x55f2968e7714 Jan 12 14:19:27 sudo[17370] -> rbinsert @ ./redblack.c:177 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -13 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -6 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -6 Jan 12 14:19:27 sudo[17370] -> rotate_right @ ./redblack.c:147 Jan 12 14:19:27 sudo[17370] <- rotate_right @ ./redblack.c:163 Jan 12 14:19:27 sudo[17370] <- rbinsert @ ./redblack.c:265 := 0 Jan 12 14:19:27 sudo[17370] <- alias_add @ ./alias.c:143 := (null) Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_txt @ ./toke_util.c:52 Jan 12 14:19:27 sudo[17370] <- fill_txt @ ./toke_util.c:80 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ff550 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ff650 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ff750 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ff850 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ff950 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ffa50 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ffb50 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ffc50 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] /etc/sudoers:54 CMNDALIAS ALIAS = COMMAND ARG , COMMAND ARG , COMMAND ARG , COMMAND ARG , COMMAND ARG , COMMAND ARG , COMMAND ARG , COMMAND ARG Jan 12 14:19:27 sudo[17370] -> alias_add @ ./alias.c:120 Jan 12 14:19:27 sudo[17370] -> rcstr_addref @ ./rcstr.c:81 Jan 12 14:19:27 sudo[17370] <- rcstr_addref @ ./rcstr.c:88 := 0x55f2968e7714 Jan 12 14:19:27 sudo[17370] -> rbinsert @ ./redblack.c:177 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := 7 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -3 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -3 Jan 12 14:19:27 sudo[17370] <- rbinsert @ ./redblack.c:265 := 0 Jan 12 14:19:27 sudo[17370] <- alias_add @ ./alias.c:143 := (null) Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_txt @ ./toke_util.c:52 Jan 12 14:19:27 sudo[17370] <- fill_txt @ ./toke_util.c:80 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ffdd0 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968ffed0 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2968fffd0 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_cmnd @ ./toke_util.c:103 Jan 12 14:19:27 sudo[17370] <- fill_cmnd @ ./toke_util.c:124 := true Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] -> fill_args @ ./toke_util.c:132 Jan 12 14:19:27 sudo[17370] <- fill_args @ ./toke_util.c:162 := true Jan 12 14:19:27 sudo[17370] -> new_member @ gram.y:956 Jan 12 14:19:27 sudo[17370] <- new_member @ gram.y:968 := 0x55f2969000d0 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_append_v1 @ ./lbuf.c:159 Jan 12 14:19:27 sudo[17370] -> sudo_lbuf_expand @ ./lbuf.c:69 Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_expand @ ./lbuf.c:87 := true Jan 12 14:19:27 sudo[17370] <- sudo_lbuf_append_v1 @ ./lbuf.c:190 := true Jan 12 14:19:27 sudo[17370] /etc/sudoers:55 CMNDALIAS ALIAS = COMMAND ARG , COMMAND ARG , COMMAND ARG , COMMAND ARG Jan 12 14:19:27 sudo[17370] -> alias_add @ ./alias.c:120 Jan 12 14:19:27 sudo[17370] -> rcstr_addref @ ./rcstr.c:81 Jan 12 14:19:27 sudo[17370] <- rcstr_addref @ ./rcstr.c:88 := 0x55f2968e7714 Jan 12 14:19:27 sudo[17370] -> rbinsert @ ./redblack.c:177 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -10 Jan 12 14:19:27 sudo[17370] -> alias_compare @ ./alias.c:54 Jan 12 14:19:27 sudo[17370] <- alias_compare @ ./alias.c:62 := -4

2 1

Updating time servers
by Tania Hagan 10 Jan '20

10 Jan '20

Hello, I have recently removed and added a new freeipa replica server and have noticed that the chrony.conf still has the old server listed and the new ones are not listed. How do I ensure that the freeipa-client/chrony is pointing to the correct time servers. e.g. server <freeipa-server> iburst. I have attempted reading the documentation but cannot find any useful. Server: CentOs Linux release 8.0.1905 FreeIPA version: 4.7.1 Thank You, Tania

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2020