User private groups
by Mary Georgiou
Hello,
I'm a bit confused with the private user groups.
If I set user A's uidNumber to the gidNumber of another group B (not a private user group), then the user will have the same uidNumber as two groups' gidNumbers: group B's and their own private group's.
How does this affect ldapsearch if I'd like to retrieve the group B and not the private group based on gid? Are there going to be other side effects?
Also, from what I've understood the private user groups are used to manage rights, so I guess we cannot choose to delete them, or at least choose to have them created as non-POSIX, right?
Thank you very much,
Mary
2 years
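The situation in the question, a user's private group and a regular group with the same gidNumber, can be untangled in a search only by objectClass, not by gid. The following is an added example and not code from the original post or from FreeIPA; it assumes FreeIPA's managed-entries convention that a user private group carries objectClass mepManagedEntry while ordinary groups do not, and the LDIF it reads is constructed for the case described above.

```python
"""Distinguish a FreeIPA user private group (UPG) from a regular POSIX group
that shares its gidNumber.

Added example, not code from the original post or from FreeIPA.  Assumption
(FreeIPA's managed-entries convention): a UPG carries objectClass
mepManagedEntry, which ordinary groups lack, so that objectClass, not the
gidNumber, is what tells the two apart.  The LDIF below is constructed.
"""

# Constructed data for the situation in the post: user alice (uidNumber 10001),
# her UPG "alice" (gidNumber 10001) and a regular group "groupb" that an admin
# also gave gidNumber 10001.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: alice
uidNumber: 10001
gidNumber: 10001

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
cn: alice
gidNumber: 10001
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=groupb,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
objectClass: posixgroup
objectClass: ipaobject
cn: groupb
gidNumber: 10001
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one attr per line."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has_objectclass(entry, name):
    return name.lower() in (oc.lower() for oc in entry.get("objectclass", []))


def gid_filter(gid, private=False):
    """LDAP filter for ldapsearch that selects only regular groups (or only
    UPGs) with the given gidNumber."""
    upg = "(objectClass=mepManagedEntry)"
    selector = upg if private else "(!%s)" % upg
    return "(&(objectClass=posixGroup)%s(gidNumber=%d))" % (selector, gid)


def groups_by_gid(entries, gid, private=False):
    """Apply the same selection as gid_filter() to parsed entries; returns DNs."""
    matches = []
    for entry in entries:
        if not has_objectclass(entry, "posixgroup"):
            continue
        if entry.get("gidnumber") != [str(gid)]:
            continue
        if has_objectclass(entry, "mepManagedEntry") == private:
            matches.append(entry["dn"][0])
    return matches


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("filter for the regular group:", gid_filter(10001))
    print("regular group(s) with gid 10001:", groups_by_gid(entries, 10001))
    print("private group(s) with gid 10001:", groups_by_gid(entries, 10001, private=True))
```

The filter string from gid_filter() is what you would pass to ldapsearch against cn=groups,cn=accounts. The caveat the filter cannot fix is on the NSS side: getgrgid() returns a single entry per gid, so which of the two names a client resolves 10001 to is decided by the resolver, not by the directory.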
Ipa-client-install ldaps
by Per Qvindesland
Hi
Is it possible to run ipa-client-install when the host only listens to ldaps (636)?
We have a policy that all traffic must be sent encrypted, hence using ldap (389) is not possible.
Regards
Per
2 years
Authentication taking too long
by Raul Dias
Hello,
Authenticating a user is taking about 30s.
This sounds like a dns timeout or something like this.
How can I debug where the problem is?
Thank you,
-rsd
2 years
Samba integration ROLLBACK ?
by lejeczek
hi guys,
A year or so ago it was _not_ possible to roll back Samba integration in an official, orderly fashion.
Would you know if it is still the case, or maybe IPA evolution brought some tools for that?
many thanks, L.
2 years
AD trust nested AD groups
by Natxo Asenjo
hi,
We have a working one-way trust between an AD forest and a RHEL 7 forest.
In order to use AD nested groups, do we need to add an external IDM group for every nested group?
--
Groeten,
natxo
2 years
CSR in PRINTABLESTRING enc when docs says UTF8STRING is default
by Fredrik Arneving
Hi,
I've tried to set up my freeIPA server on a freshly installed CentOS8 as a sub-CA of my existing PKI with a private root CA. My signing CA has a match policy for (C)ountry and (O)rganizationName.
When trying to sign the CSR generated from freeIPA with command below it fails on a string encryption mismatch.
The string encryption on my organizationName, as well as my server DN is in PRINTABLESTRING encoding but my openssl generated signing cert needs it to be UTF8STRING.
I was under the impression UTF8STRING is default for freeIPA CSR's. What do I miss and how can I force it to be UTF8STRING?
CSR was generated with command:
ipa-server-install -r MYREALM.AS.UPPERCASE.DNSDOMAIN \
--external-ca \
--ca-subject CN=ipa-server-fqdn,C=SE,O=MyOrganizationName \
--ca-base C=SE,O=MyOrganizationName
Installation is successful and I'm supposed to sign the CSR and finalize ipa-install with the second step. However, the signing fails because MyOrganizationName != MyOrganizationName due to different encodings.
When looking at the CSR with "openssl req -noout -text -in ipa.csr" everything looks OK but when using "openssl asn1parse -in ipa.csr" it shows the mismatch of the organizationName PRINTABLESTRING compared to my successfully signed CSR's UTF8STRING.
Any ideas?
kernel version: 4.18.0-147.5.1.el8_1.x86_64
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
openssl: openssl-1.1.1c-2.el8.x86_64
Regards,
/Fredrik
2 years
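The mismatch above only becomes visible once you look at the ASN.1 tags of the subject rather than its text, which is why `openssl req -text` looked fine and `openssl asn1parse` did not. The following is an added example, not code from the original post, from FreeIPA or from OpenSSL: it walks a DER-encoded X.509 Name by hand, reports the string type of every attribute, and compares two Names attribute by attribute. The two sample Names are constructed here with a small encoder, using the subject text from the post; the CA-side Name with a UTF8String organizationName is an assumption modelled on the poster's description.

```python
"""Inspect the ASN.1 string types inside a DER-encoded X.509 Name.

Added example, not code from the post, FreeIPA or OpenSSL.  Does by hand what
`openssl asn1parse` showed: reports PRINTABLESTRING vs UTF8STRING per subject
attribute and compares two Names.  Sample Names are constructed below.
"""

STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}
ATTR_NAMES = {"2.5.4.3": "commonName", "2.5.4.6": "countryName",
              "2.5.4.10": "organizationName"}
UTF8, PRINTABLE = 0x0C, 0x13


def _tlv(buf, pos):
    """Read one tag-length-value at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """All top-level TLVs inside a constructed value."""
    pos, items = 0, []
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        items.append((tag, value))
    return items


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def name_attributes(der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }.
    Returns [(attribute, string type, text), ...] in encoded order."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    found = []
    for set_tag, set_body in _children(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for _, atv in _children(set_body):
            (_, oid), (str_tag, text) = _children(atv)
            dotted = decode_oid(oid)
            found.append((ATTR_NAMES.get(dotted, dotted),
                          STRING_TAGS.get(str_tag, "tag 0x%02x" % str_tag),
                          text.decode("utf-8")))
    return found


def mismatches(name_a, name_b):
    """Attributes present in both Names with identical text but a different
    string type: the case a CA 'match' policy rejects as unequal."""
    a = {n: (t, s) for n, t, s in name_attributes(name_a)}
    b = {n: (t, s) for n, t, s in name_attributes(name_b)}
    return [(n, a[n][0], b[n][0]) for n in a
            if n in b and a[n][1] == b[n][1] and a[n][0] != b[n][0]]


# --- encoder, used only to build the constructed samples --------------------
def _enc(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def encode_name(attrs):
    """attrs: [(dotted OID, string tag, text), ...] -> DER Name."""
    sets = b"".join(_enc(0x31, _enc(0x30, _enc(0x06, encode_oid(oid))
                                      + _enc(tag, text.encode("utf-8"))))
                    for oid, tag, text in attrs)
    return _enc(0x30, sets)


# Constructed: the subject from the post as PrintableString throughout, versus
# the signing CA's Name with organizationName as UTF8String (assumed).
IPA_SUBJECT = encode_name([("2.5.4.6", PRINTABLE, "SE"),
                           ("2.5.4.10", PRINTABLE, "MyOrganizationName"),
                           ("2.5.4.3", PRINTABLE, "ipa-server-fqdn")])
CA_SUBJECT = encode_name([("2.5.4.6", PRINTABLE, "SE"),
                          ("2.5.4.10", UTF8, "MyOrganizationName")])

if __name__ == "__main__":
    for attr in name_attributes(IPA_SUBJECT):
        print("%-18s %-16s %s" % attr)
    print("mismatches:", mismatches(IPA_SUBJECT, CA_SUBJECT))
```

To run it against a real CSR, extract the subject Name DER (for instance from the offsets `openssl asn1parse` prints) and pass those bytes to name_attributes(); the comparison with mismatches() is the check worth doing before handing a CSR to a CA whose policy matches on the issuer's attributes.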
Re: EL7 Upgrades
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> Our environment has grown and as additional IPA servers have been added,
> different versions have been deployed. I am looking to bring IPA servers
> up to the latest version for EL7 and wanted some guidance or reassurance.
>
> Here are my versions, they are all VMWare VMs:
>
> idm001 ipa-server-4.5.4-10.0.1.el7.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo) * UPGRADED *
> idm002 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo) * CA MASTER *
> idm003 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo)
> idm004 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo)
> idm005 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm006 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm007 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm008 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm009 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux Server release 7.6 (Maipo)
> idm010 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux Server release 7.6 (Maipo)
>
> I have upgraded idm001 without issue, the path was:
>
> 1) take VMWare snapshot
> 2) ipactl stop
> 3) yum update (channel with latest EL versions)
> 4) reboot
> 5) after a day or so, remove VMWare snapshot
>
> and it now shows:
>
> idm001 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
>
> Post upgrade checks on idm001:
>
> I see network connections to port 88 and 389
> I can obtain a kerberos ticket through kinit
> I can login through the web interface and issue ipa commands.
> I don't see anything particularly alarming in log files.
>
> I understand the distributed LDAP schema was already up-to-date due to
> the roll out of idm005-006 on EL7.7/ipa-server-4.6.5-11.0.1.el7_7.4.
>
> I'm particularly concerned about upgrading idm002, my CA server -
> perhaps I should upgrade through each EL iteration? Are VMWare snapshots
> a suitable roll back mechanism for IPA (and IPA CA master) server upgrades?
Yes and yes, especially given your already mixed versions.
Given you have other CAs in your network there is nothing too special
about idm002 other than it has the additional role as CA renewal master.
> I was reading Rob's reply to Christian Reiss regarding his upgrade path
> to EL8 (bookmarked for future reference,) I don't have the
> ipa-crlgen-manage command on my CA server (presumably due to older
> version) to check if it is the CRL generator - I assume it is though,
> although in any case I'm unsure of the relevance with this EL7 series of
> ipa-server.
There are instructions at
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
which can tell you which one is doing it. If you aren't using CRLs at
all then this is probably not super important but you want to avoid
having 2 or more masters generating one since there is a race condition
where separate CAs could generate different, but otherwise valid, CRLs.
> All my IPA servers have CA capability except for idm001 - I presume I
> deployed it incorrectly in the first place. I would like to add CA
> facility to it, perhaps this is for a different thread though ...
ipa-ca-install should do it but yeah, I'd probably focus on getting the
other masters up to 7.7 or 7.8 before trying to add on the CA. You don't
necessarily need a CA on every master. You want to avoid single point of
failure but you don't need it everywhere.
rob
2 years
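Rob's point about the CRL generator is the one thing in an upgrade like this that is cheap to verify and expensive to get wrong. The following is an added example, not code from the thread or from FreeIPA: it reads the two Dogtag CS.cfg settings the linked howto uses to identify the CRL master from a set of per-host fragments and flags a fleet with zero or several generators. The key names and the rule that the generator has both set to true are taken from that howto; the CS.cfg fragments here are constructed, and the file path is the usual /etc/pki/pki-tomcat/ca/CS.cfg.

```python
"""Find which IPA CA masters are set to generate the CRL.

Added example, not code from the thread or from FreeIPA.  Assumption (the
check the linked howto describes): on the CRL generator Dogtag's CS.cfg has
ca.crl.MasterCRL.enableCRLUpdates=true and ca.listenToCloneModifications=true;
on every other CA both are false.  The fragments below are constructed, one
per host, to show the two-generators race the reply warns about.
"""

CRL_KEYS = ("ca.crl.MasterCRL.enableCRLUpdates", "ca.listenToCloneModifications")

# Constructed fragments, as if collected from each CA master's
# /etc/pki/pki-tomcat/ca/CS.cfg.  idm005 is a clone that was left generating.
FLEET = {
    "idm002": "ca.crl.MasterCRL.enableCRLUpdates=true\n"
              "ca.listenToCloneModifications=true\n",
    "idm003": "ca.crl.MasterCRL.enableCRLUpdates=false\n"
              "ca.listenToCloneModifications=false\n",
    "idm004": "# only half of the pair switched on: not a generator\n"
              "ca.crl.MasterCRL.enableCRLUpdates=true\n"
              "ca.listenToCloneModifications=false\n",
    "idm005": "ca.crl.MasterCRL.enableCRLUpdates=true\n"
              "ca.listenToCloneModifications=true\n",
}


def parse_cs_cfg(text):
    """CS.cfg is key=value per line; '#' lines are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_crl_generator(cfg):
    """Both keys must be true; a missing key counts as false."""
    return all(cfg.get(k, "false").lower() == "true" for k in CRL_KEYS)


def crl_generators(fleet):
    """Hosts whose CS.cfg says they generate the CRL, sorted by name."""
    return sorted(h for h, text in fleet.items()
                  if is_crl_generator(parse_cs_cfg(text)))


def verdict(fleet):
    gens = crl_generators(fleet)
    if len(gens) == 1:
        return "ok: %s generates the CRL" % gens[0]
    if not gens:
        return "no CRL generator configured"
    return "race: %d masters generate the CRL (%s)" % (len(gens), ", ".join(gens))


if __name__ == "__main__":
    print(verdict(FLEET))
```

Collect the real fragments with a grep for the two keys on each CA master before and after each upgrade, and resolve a "race" verdict with the procedure on the howto page Rob linked rather than by hand-editing CS.cfg.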
Sudo command not working
by Faraz Younus
Hi Team,
I'm getting an error when executing sudo su on the client server. What can be the issue? The sudo command is there.
[faraz.younus@england-web-dev ~]$ sudo su
[sudo] password for faraz.younus:
faraz.younus is not allowed to run sudo on england-web-dev. This incident
will be reported.
2 years
replica install fails
by Alexandru David
Hi all
I have two CentOS 8 servers. One is installed and configured as master and AD trust controller. The second one I'm trying to configure as a replica, but whatever I do, the replica server fails to start.
Environment :
OS - CentOS Linux release 8.1.1911 (Core)
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
Replica install is started with :
#ipa-replica-install -v --principal admin -p XXXXX --domain ipamaster01.example.com --server ipamaster01.example.com --setup-ca --setup-adtrust
The client install goes well, but the server stops at :
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[ldap://ipamaster01.example.com:389] reports: Update failed! Status: [Error (-2) - LDAP error: Local error - no response received]
On the ipareplica-install.log, last entries are:
2020-04-14T08:29:13Z DEBUG Created connection context.ldap2_139862275887680
2020-04-14T08:29:13Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-04-14T08:29:13Z DEBUG retrieving schema for SchemaCache url=ldap://ipamaster01.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f34367c7080>
2020-04-14T08:29:13Z DEBUG Successfully updated nsDS5ReplicaId.
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Added replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG Add or update replica config cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config
2020-04-14T08:29:13Z DEBUG No update to cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config necessary
2020-04-14T08:29:13Z DEBUG Waiting for replication (ldapi://%2Fvar%2Frun%2Fslapd-IPAMASTER01-EXAMPLE-COM.socket) cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
2020-04-14T08:29:13Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToipamaster01.example.com,cn=replica,cn=dc\=ipamaster01\,dc\=example\,dc\=com,cn=mapping tree,cn=config'), {'objectClass': [b'nsds5replicationagreement', b'top'], 'cn': [b'meToipamaster01.example.com'], 'nsDS5ReplicaHost': [b'ipamaster01.example.com'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=ipamaster01,dc=example,dc=com'], 'description': [b'me to ipamaster01.example.com'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaTransportInfo': [b'LDAP'], 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], 'nsds5ReplicaStripAttrs': [b'modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], 'nsDS5ReplicatedAttributeListTotal': [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2020-04-14T08:29:13Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
2020-04-14T08:29:29Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 427, in __setup_replica
cacert=self.ca_file
File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 1860, in setup_promote_replication
raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
I can query both ldap servers on the master and replica with :
ldapsearch -H ldap://ipamaster01.example.com:389 -Y GSSAPI -b "" -s base
ldapsearch -H ldap://ipareplica01.example.com:389 -Y GSSAPI -b "" -s base
At this point I have really run out of options. Could someone tell me what I'm doing wrong?
Cheers
Alex
2 years
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
by Bernard Lheureux
Hi all,
After a fresh install of FreeIPA 4.6.5-11.el7.centos.x86_64, fully updated from the update repo on a CentOS7 x64 server, it appears that it is totally impossible to establish a trust with an AD running on local AD servers. We did it some time ago with exactly the same distribution and had really no problem; we tried to completely reinstall the machine and the IPA, with always the same result:
ipa: ERROR: CIFS server communication error: code "3221225506", message "{Access Denied} A process has requested access to an object but has not been granted those access rights." (both may be "None")
Could someone point me to the direction to look for, because we are going nuts on this ?
We found some tips in /var/log/httpd/errors, but nothing seems to provide sufficient info...
[Wed Oct 02 12:54:57.868830 2019] [:error] [pid 2036] ipa: INFO: [jsonserver_session] admin(a)DOMAIN.INTRA: trust_add/1(u'domain.intra', trust_type=u'ad', realm_admin=u'admin', realm_passwd=u'********', bidirectional=True, version=u'2.231'): RemoteRetrieveError
The IPA server and the AD servers are in the same VLan with no firewall between them
samba version on the IPA server is the latest available: 4.9.1-6.el7.noarch
Thanks for your help...
2 years