Prevent admin user lock
by Petar Kozić
Hi folks,
My FreeIPA server works on a public IP and needs to be public. Because of
that I have a problem: the admin user is often locked because of too many
incorrect logins.
Can I filter admin user logins to some IP, and how?
Thank you.
3 years, 11 months
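An added example (not from the post or the FreeIPA project) for the monitoring side of this question: it parses MIT krb5kdc AS_REQ lines, counts PREAUTH_FAILED attempts per principal and source address, and flags admin requests arriving from outside an allowed network. The log lines, the admin network 192.168.0.0/24 and the threshold value are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of MIT krb5kdc logging (not from the post);
# 192.168.0.0/24 stands in for the network the admin is expected to log in from.
SAMPLE_KDC_LOG = """\
Apr 28 22:41:42 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: NEEDED_PREAUTH: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Apr 28 22:41:43 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: ISSUE: authtime 1588113703, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Apr 28 22:42:01 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.77: NEEDED_PREAUTH: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Apr 28 22:42:02 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.77: PREAUTH_FAILED: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Apr 28 22:42:03 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.77: PREAUTH_FAILED: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Apr 28 22:42:04 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.77: PREAUTH_FAILED: admin@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
Apr 28 22:42:10 ipa.mydomain.com krb5kdc[8505](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.5: PREAUTH_FAILED: jdoe@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Preauthentication failed
"""

# Source address, status word and remainder of an AS_REQ line; the client
# principal sits just before "for krbtgt/" in the remainder for every status word.
AS_REQ = re.compile(r"krb5kdc\[\d+\]\(info\): AS_REQ .*?\) (?P<ip>\S+?): (?P<status>[A-Z_]+): (?P<rest>.*)$")
CLIENT = re.compile(r"(\S+) for krbtgt/")


def parse_as_req(line):
    """Return (source_ip, status, client_principal) for an AS_REQ line, else None."""
    m = AS_REQ.search(line)
    if not m:
        return None
    c = CLIENT.search(m.group("rest"))
    if not c:
        return None
    return m.group("ip"), m.group("status"), c.group(1)


def triage(log_text, admin_principal, allowed_nets, maxfail):
    """outside_allowlist: AS_REQs for admin_principal per source IP outside allowed_nets
    failures: (principal, ip) -> PREAUTH_FAILED count
    lockout_candidates: (principal, ip) pairs whose failure count reached maxfail"""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    outside, failures = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_as_req(line)
        if parsed is None:
            continue
        ip, status, client = parsed
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address we can classify against the allowlist
        if client == admin_principal and not any(addr in n for n in nets):
            outside[ip] += 1
        if status == "PREAUTH_FAILED":
            failures[(client, ip)] += 1
    candidates = sorted(k for k, v in failures.items() if v >= maxfail)
    return {"outside_allowlist": outside, "failures": failures,
            "lockout_candidates": candidates}


if __name__ == "__main__":
    report = triage(SAMPLE_KDC_LOG, "admin@MYDOMAIN.COM", ["192.168.0.0/24"], maxfail=3)
    for ip, n in report["outside_allowlist"].most_common():
        print(f"admin AS_REQ from non-allowlisted {ip}: {n} request(s)")
    for client, ip in report["lockout_candidates"]:
        print(f"{client}: {report['failures'][(client, ip)]} failed preauths from {ip}")
```

The maxfail value is a parameter here; set it to the failure limit of the password policy that applies to the admin account on your server.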
Client part of server install failing - KRB5CCNAME not defined in HTTP request environment
by Simon Williams
I am having an issue attempting to install IPA Server. The server
component install processes correctly, but when it comes to set up the
client components it fails:
2020-04-28T22:41:42Z DEBUG failed to find session_cookie in persistent storage for principal 'host/ipa.mydomain.com@MYDOMAIN.COM'
2020-04-28T22:41:42Z INFO trying https://ipa.mydomain.com/ipa/json
2020-04-28T22:41:42Z DEBUG Created connection context.rpcclient_1954644240
2020-04-28T22:41:42Z INFO [try 1]: Forwarding 'schema' to json server 'https://ipa.mydomain.com/ipa/json'
2020-04-28T22:41:42Z DEBUG New HTTP connection (ipa.mydomain.com)
2020-04-28T22:41:53Z DEBUG HTTP connection destroyed (ipa.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 732, in single_request
    response.msg)
ProtocolError: <ProtocolError for ipa.mydomain.com/ipa/json: 500 Internal Server Error>
2020-04-28T22:41:53Z DEBUG Destroyed connection context.rpcclient_1954644240
2020-04-28T22:41:53Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3671, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2392, in install
    _install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2734, in _install
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 739, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 619, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 949, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 134, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 553, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 401, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1190, in forward
    raise NetworkError(uri=server, error=e.errmsg)
2020-04-28T22:41:53Z DEBUG The ipa-client-install command failed, exception: NetworkError: cannot connect to 'https://ipa.mydomain.com/ipa/json': Internal Server Error
The relevant services appear to be running
certmonger.service loaded active running Certificate monitoring and
dirsrv@MYDOMAIN-COM.service loaded active running 389 Directory S
gssproxy.service loaded active running GSSAPI Proxy Daemon
httpd.service loaded active running The Apache HTTP Server
ipa-custodia.service loaded active running IPA Custodia Service
ipa-dnskeysyncd.service loaded active running IPA key daemon
ipa.service loaded active exited Identity, Policy, Audit
kadmin.service loaded active running Kerberos 5 Password-changin
krb5kdc.service loaded active running Kerberos 5 KDC
named-pkcs11.service loaded active running Berkeley Internet Name Doma
ntpd.service loaded active running Network Time Service
oddjobd.service loaded active running privileged operations for u
pki-tomcatd@pki-tomcat.service loaded active running PKI Tomcat Server pki-t
I can use kinit to obtain a ticket for admin, but any ipa command that I
attempt to run gives an error along the following lines
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@MYDOMAIN.COM'
ipa: INFO: trying https://ipa.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_1964217648
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection (ipa.mydomain.com)
ipa: DEBUG: HTTP connection destroyed (ipa.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 732, in single_request
    response.msg)
ProtocolError: <ProtocolError for ipa.mydomain.com/ipa/json: 500 Internal Server Error>
ipa: DEBUG: Destroyed connection context.rpcclient_1964217648
ipa: ERROR: cannot connect to 'https://ipa.mydomain.com/ipa/json': Internal Server Error
In the httpd error log, I see the same error for every ipa command issued
[Wed Apr 29 14:51:19.119357 2020] [:error] [pid 8505] ipa: ERROR: 500 Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment
[Wed Apr 29 14:51:19.120223 2020] [:error] [pid 8505] [remote 192.168.0.2:16498] mod_wsgi (pid=8505): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Apr 29 14:51:19.120335 2020] [:error] [pid 8505] [remote 192.168.0.2:16498] RuntimeError: response has not been started
The same error is present at the time the install failed.
The Kerberos ticket is valid, as ldapsearch works using it:
[root@ipa1 ~]# ldapsearch -h ipa.mydomain.com -b ou=people,o=ipaca -Y GSSAPI -s sub "(uid=admin)" dn uid
SASL/GSSAPI authentication started
SASL username: admin@MYDOMAIN.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=people,o=ipaca> with scope subtree
# filter: (uid=admin)
# requesting: dn uid
#
# admin, people, ipaca
dn: uid=admin,ou=people,o=ipaca
uid: admin
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
but doesn't without it:
[root@ipa1 ~]# ldapsearch -h ipa.mydomain.com -b ou=people,o=ipaca -s sub "(uid=admin)" dn uid
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
Does anyone have any ideas? I'm tearing my hair out here!
3 years, 11 months
HBAC Rule to allow anonymous NFS mounts from specific subnets
by White, David
Is it possible to allow hosts in specific subnets to connect to a FreeIPA-connected server over NFS anonymously?
e.g. I'm wondering if I could set up an HBAC rule by doing something like the following:
ipa hbacsvc-add nfs-mount
ipa hbacrule-add allow_nfs_mount
Then attach that to the NFS server
And then allow "anyone" to connect over NFS to that server
Bonus points if there's a way to restrict the source NFS connection by IP address or subnet
Is this possible?
3 years, 11 months
Administration delegation for multiple hosts services
by Julien Rische
Hello everyone,
To properly support load-balanced services, we need FreeIPA-managed service
hosts to be able to retrieve the following elements, without the intervention
of any user (only starting with the host keytab):
- Keytab containing keys for:
  - Service canonical principal
    - When accessed via service DNS alias (Kerberos rDNS lookup disabled)
  - Service principal alias for host
    - When accessed via service DNS alias (Kerberos rDNS lookup enabled)
    - When accessed via host canonical FQDN
- X.509 certificate for:
  - Service alias FQDN
  - Host actual FQDN
In order to obtain each element of this list, we need to:
- Allow the host to retrieve the service key
  - Creation/reset of the key should be forbidden
- Allow the host to request a certificate for both its own FQDN and the service
  DNS alias (which matches the service canonical principal)
  - Preferably only these 2 subject names should be allowed
- Create a service principal alias matching the host's FQDN
We are managing hundreds of services spread across tens of thousands of hosts.
Each service is managed by a different user group, hence we can't afford to
grant all these users the "Service Administrators" privilege.
Ideally, each service would be configured just once (with maybe just a few
exceptional updates). On the contrary, the hostgroup(s) containing the service
hosts would be continuously updated. This way, the FreeIPA administrator would give
their blessing at service creation, and then let service administrators manage
host membership.
We think the following configuration could be applied for each service:
- A hostgroup containing all the service hosts, allowed to:
  - Retrieve the service key
  - Request a certificate with an alternative subject name by:
    - Being assigned to the "managedBy" service attribute
    - Or being granted the permission to write the "userCertificate"
      service attribute
- A service administrators group, allowed to:
  - Write the "member" attribute of the hostgroup
  - Create/reset the service key
The keytab creation/retrieval part is quite straightforward to deal with. But
this is not necessarily the case for certificates and service principal aliases.
We observed the "managedBy" setting has 2 downsides:
- It grants the host the permission to request a certificate with subject
alternative names, but it also grants the permission to create/reset the key,
which we don't want.
- It consists of a list of hosts that must be continuously maintained, since it
cannot refer to the hostgroup directly.
Therefore a permission granting the hostgroup the right to update the
service's "userCertificate" attribute sounds more flexible. But both options
have the downside of allowing any host from the hostgroup to request any other
host as the alternative subject name.
Regarding the service principal aliases, we haven't found any way to
dynamically update the list as the service hostgroup changes. We could
grant the service hostgroup the permission to update the "krbPrincipalName"
service attribute, but it sounds like an excessive permission. We could also
implement a background service continuously updating the principal alias list of
services according to their associated hostgroups.
So I would summarise my questions this way:
- Are the assumptions used in this message true?
- Is granting write permissions on "userCertificate" service attribute the best
alternative to "managedBy" for our use case?
- What is the best way to keep a service principal alias list up-to-date with a
hostgroup?
Since it is my first message on this mailing list, I would like to pay tribute
to the development team of FreeIPA and its community. Even if there is still
work to do, FreeIPA is quite an impressive piece of work given the complexity of
the environment it is trying to integrate into, and the variety of use cases it
has to support.
Kind regards,
---
Julien Rische
Systems engineer
CERN
3 years, 11 months
Cannot delete old server after migration
by Ronald Wimmer
I followed the guide at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
to migrate my server (including CA renewal master).
When I try to uninstall the old server according to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
I get the following error message:
ipa server-del idm1.linux.mydomain.at
Removing ipa1.linux.mydomain.at from replication topology, please wait...
ipa: ERROR: Server removal aborted:
Removal of 'ipa1.linux.mydomain.at' leads to disconnected topology in
suffix 'ca':
Topology does not allow server idm1.linux.mydomain.at to replicate with
servers:
ipa5.linux.mydomain.at
ipa2.linux.mydomain.at
ipa6.linux.mydomain.at
Topology does not allow server ipa2.linux.mydomain.at to replicate with
servers:
ipa5.linux.mydomain.at
idm1.linux.mydomain.at
Topology does not allow server ipa5.linux.mydomain.at to replicate with
servers:
ipa2.linux.mydomain.at
idm1.linux.mydomain.at
ipa6.linux.mydomain.at
Topology does not allow server ipa6.linux.mydomain.at to replicate with
servers:
ipa5.linux.mydomain.at
idm1.linux.mydomain.at.
How do I get rid of the remaining replication agreements?
Cheers,
Ronald
3 years, 11 months
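An added example (not from the post or the FreeIPA project) of the connectivity check the error above describes: given the replication segments of one suffix, it computes which remaining servers could no longer reach each other after a server is removed and formats the result the way the error message does. The segment list is constructed so that removing ipa1 reproduces the four "does not allow" groups in the post; it is not the poster's real topology.

```python
from collections import defaultdict

# Constructed CA-suffix segments (server pairs with a replication agreement)
# chosen to reproduce the connectivity described by the error in the post.
CA_SEGMENTS = [
    ("ipa1.linux.mydomain.at", "idm1.linux.mydomain.at"),
    ("ipa1.linux.mydomain.at", "ipa5.linux.mydomain.at"),
    ("ipa1.linux.mydomain.at", "ipa2.linux.mydomain.at"),
    ("ipa2.linux.mydomain.at", "ipa6.linux.mydomain.at"),
]


def reachable(start, adjacency):
    """Servers reachable from start over the given (undirected) segments."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adjacency[node] - seen)
    return seen


def unreachable_after_removal(segments, server_to_remove):
    """Map each remaining server to the remaining servers it could no longer
    replicate with once server_to_remove and all of its segments are gone.
    An empty result means the removal keeps the suffix connected."""
    adjacency = defaultdict(set)
    servers = set()
    for left, right in segments:
        servers.update((left, right))
        if server_to_remove in (left, right):
            continue  # this agreement disappears with the removed server
        adjacency[left].add(right)
        adjacency[right].add(left)
    remaining = servers - {server_to_remove}
    result = {}
    for server in sorted(remaining):
        missing = remaining - reachable(server, adjacency)
        if missing:
            result[server] = missing
    return result


def removal_report(suffix, segments, server_to_remove):
    """Text in the shape of the ipa server-del error; empty string if removal is safe."""
    broken = unreachable_after_removal(segments, server_to_remove)
    if not broken:
        return ""
    lines = [f"Removal of '{server_to_remove}' leads to disconnected topology in suffix '{suffix}':"]
    for server, missing in broken.items():
        lines.append(f"Topology does not allow server {server} to replicate with servers:")
        lines.extend(f"    {m}" for m in sorted(missing))
    return "\n".join(lines)


if __name__ == "__main__":
    print(removal_report("ca", CA_SEGMENTS, "ipa1.linux.mydomain.at") or "removal is safe")
```

Running the same check with a different server name shows which removals the current segments tolerate; in this constructed topology only ipa1 acts as the hub, so removing ipa6 produces no report.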
SERVFAIL for one hostname
by Tiemen Ruiten
Hello,
Since a few days ago, we're having issues with resolution of this hostname:
download.wisselkoersenvoorjeadministratie.nl
Our FreeIPA DNS servers return SERVFAIL for that particular hostname.
What's funny is that after I do a (successful) lookup directly at one of the
configured forwarders, 1.1.1.1, resolution works until the TTL expires.
Other hostnames work fine. How can I troubleshoot this?
FreeIPA versions:
ipa-server-4.6.5-11.el7.centos.4.x86_64
ipa-server-dns-4.6.5-11.el7.centos.4.noarch
[ter@i.rdmedia.com@zinc ~]$ dig download.wisselkoersenvoorjeadministratie.nl
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> download.wisselkoersenvoorjeadministratie.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48732
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;download.wisselkoersenvoorjeadministratie.nl. IN A
;; Query time: 40 msec
;; SERVER: 10.100.110.36#53(10.100.110.36)
;; WHEN: Tue Apr 21 11:58:51 CEST 2020
;; MSG SIZE rcvd: 73
[ter@i.rdmedia.com@zinc ~]$ dig download.wisselkoersenvoorjeadministratie.nl @1.1.1.1
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> download.wisselkoersenvoorjeadministratie.nl @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58424
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;download.wisselkoersenvoorjeadministratie.nl. IN A
;; ANSWER SECTION:
download.wisselkoersenvoorjeadministratie.nl. 3600 IN A 185.87.187.229
;; Query time: 43 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Apr 21 11:58:59 CEST 2020
;; MSG SIZE rcvd: 133
[ter@i.rdmedia.com@zinc ~]$ dig download.wisselkoersenvoorjeadministratie.nl
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> download.wisselkoersenvoorjeadministratie.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57208
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;download.wisselkoersenvoorjeadministratie.nl. IN A
;; ANSWER SECTION:
download.wisselkoersenvoorjeadministratie.nl. 3600 IN A 185.87.187.229
;; Query time: 24 msec
;; SERVER: 10.100.110.36#53(10.100.110.36)
;; WHEN: Tue Apr 21 11:59:01 CEST 2020
;; MSG SIZE rcvd: 89
--
Tiemen Ruiten
Infrastructure Engineer
3 years, 11 months
Migrate CA from 7 to 8
by Ronald Wimmer
According to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
I should do a "ipa-csreplica-manage list" on the new server after having
run "ipa-replica-install". The verbose output in the Red Hat document has
a different output of "ipa-csreplica-manage" than mine. The document
says "Incremental update succeeded" whereas mine reports "No replication
sessions started since server startup".
Is this a problem or should replication not have already taken place at
this migration step?
Cheers,
Ronald
3 years, 11 months
Apparently transient error cl5DBData2Entry - Invalid data version
by Roderick Johnstone
Hi
We have 3 IPA servers which we are in the process of updating from RHEL
7.7 to RHEL 7.8.
Servers X, Z are at: ipa-server-4.6.6-11.el7.x86_64 (RHEL 7.8)
Server W is at: ipa-server-4.6.5-11.el7_7.3.x86_64 (RHEL 7.7)
Server X was updated some time ago, and server Z was updated last Thursday.
I was doing some checks of the log files before our planned update of
server W to RHEL 7.8 tomorrow and found the following in
/var/log/dirsrv/slapd-REALM/errors:
[26/Apr/2020:22:00:21.704887592 +0100] - INFO - dblayer_copy_directory - Backing up file 119 (/var/lib/dirsrv/slapd-REALM/bak/REALM/ipaca/vlv#cacompleterenewalpkitomcatindex.db)
[26/Apr/2020:22:00:23.627421118 +0100] - ERR - NSMMReplicationPlugin - changelog program - cl5DBData2Entry - Invalid data version
[26/Apr/2020:22:00:24.760704543 +0100] - INFO - dblayer_copyfile - Copying /var/lib/dirsrv/slapd-REALM/db/ipaca/vlv#cacompleterenewalpkitomcatindex.db to /var/lib/dirsrv/slapd-REALM/bak/REALM/ipaca/vlv#cacompleterenewalpkitomcatindex.db
[26/Apr/2020:22:00:24.776815976 +0100] - ERR - NSMMReplicationPlugin - changelog program - cl5DBData2Entry - Invalid data version
The errors were generated during our cronjob that runs this each night:
/sbin/ipa-backup --data --online
The errors don't seem to have been present the last two nights.
Would I be right to assume that this is just some transient
inconsistency caused by doing the online backup or should I be more
worried even though the error hasn't occurred since?
Thanks for any insights on this.
Roderick Johnstone
3 years, 11 months
DNSSEC between two topologically disjoint domains - ?
by lejeczek
hi everyone,
I want to ask if it's possible to set up, and if so how, IPA's DNS servers
forwarding directly to each other (let it be only two, or however many you
might have) while those IPAs' FQDNs are "disconnected", and all this without
disabling DNSSEC? In the most basic example: private.dom <=> domain.priv
many thanks, L.
3 years, 11 months
ipa-adtrust-install --unattended | did not quite work?
by lejeczek
hi everyone,
I did something pretty vanilla:
$ ipa-adtrust-install --unattended --admin-password=xxx
Process showed first some warning about "unattended" but then this:
Configuring CIFS
[1/24]: validate server hostname
[2/24]: stopping smbd
[3/24]: creating samba domain object
[4/24]: retrieve local idmap range
[5/24]: creating samba config registry
[6/24]: writing samba config file
[7/24]: adding cifs Kerberos principal
[8/24]: adding cifs and host Kerberos principals to the adtrust agents group
[9/24]: check for cifs services defined on other replicas
[10/24]: adding cifs principal to S4U2Proxy targets
[11/24]: adding admin(group) SIDs
[12/24]: adding RID bases
[13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[14/24]: activating CLDAP plugin
[15/24]: activating sidgen task
[16/24]: map BUILTIN\Guests to nobody group
[17/24]: configuring smbd to start on boot
[18/24]: adding special DNS service records
[19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/24]: adding fallback group
[21/24]: adding Default Trust View
[22/24]: setting SELinux booleans
[23/24]: starting CIFS services
ipaserver.install.adtrustinstance: CRITICAL CIFS services failed to start
[24/24]: restarting smbd
Done configuring CIFS.
Now, Samba would not start and I wonder what that might have to do with
the above:
Starting Samba SMB Daemon...
[2020/02/14 11:21:34.801358, 0] ../../source3/passdb/pdb_interface.c:171(make_pdb_method_name)
No builtin nor plugin backend for ipasam found
smb.service: Main process exited, code=exited, status=1/FAILURE
smb.service: Failed with result 'exit-code'.
Failed to start Samba SMB Daemon.
Or is it unrelated? How to troubleshoot & fix it?
I'm on CentOS 8 with ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
many thanks, L.
3 years, 11 months