Cannot login with AD user on RHEL 6.10
by Ronald Wimmer
We decided to register a bunch of legacy systems with IPA. Despite the
fact that we could not change these systems' FQDNs, it worked for our
use case (allowing AD users to log on to these systems).
Today I found a RHEL 6.10 (SSSD 1.13.3) machine that did not work and I
could not find out why.
I am seeing this in /var/log/secure:
Sep 21 13:40:14 as00093 sshd[2899]: pam_sss(sshd:auth): received for
user myADUser: 4 (System error)
and this in /var/log/messages:
Sep 21 13:40:14 as00093 [sssd[krb5_child[2935]]]: Client not found in
Kerberos database
What could this mean?
Cheers,
Ronald
3 years, 7 months
Suppressing config-mod error
by Dominik Vogt
The config-mod command generates an error if it does not change
anything:
$ ipa config-mod --ipaselinuxusermap="....."
ipa: ERROR: no modifications to be performed
As for real errors, the return code is 1, so this cannot be used
to detect "nothing to be done" errors.
This makes it very inconvenient to write scripts that overwrite a
value and do not care what the current value is. Is there an easy
way to suppress this kind of errors?
I could do something like
{ ipa config-mod ... 2>&1 && echo && echo success; } |
grep -qE "(success)|(no modifications to be performed)"
but that's really ugly and depends on the exact wording and
language of the error message.
(This is also a problem for other "add" commands like user-add,
group-add, selinuxusermap-add etc.)
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
3 years, 7 months
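One way to script around the "no modifications to be performed" exit status without depending on the message alone: read the current value first and only call config-mod when it differs, keeping the message match as a last-resort fallback. This is an added example, not from the thread; the IPA_BIN variable is an assumption so that a stub can stand in for the real "ipa" client.

```shell
#!/bin/sh
# Idempotent wrapper around "ipa config-mod" (added example, not from the thread).
# IPA_BIN is an assumption so a test can substitute a stub for the real client.
IPA_BIN="${IPA_BIN:-ipa}"

# current_value ATTR: print the current value of one LDAP attribute of the
# IPA config entry, read with "ipa config-show --raw --all" ("attr: value" lines).
current_value() {
    "$IPA_BIN" config-show --raw --all 2>/dev/null |
        awk -v a="$1" 'tolower($1) == (tolower(a) ":") { sub(/^[^:]*: */, ""); print; exit }'
}

# set_config OPTION ATTR VALUE: make sure ATTR holds VALUE. OPTION is the
# config-mod CLI option that sets ATTR (e.g. defaultshell -> ipadefaultloginshell).
# Returns 0 when the value is already set or was just set, 1 on a real failure.
set_config() {
    opt="$1"; attr="$2"; value="$3"
    if [ "$(current_value "$attr")" = "$value" ]; then
        return 0    # already correct: no config-mod call, so no spurious error
    fi
    # Only reached when a change is needed; the "no modifications" reply is still
    # tolerated in case the value changed between the check and the update.
    err=$("$IPA_BIN" config-mod "--${opt}=${value}" 2>&1 >/dev/null) && return 0
    case "$err" in
        *"no modifications to be performed"*) return 0 ;;
    esac
    printf '%s\n' "$err" >&2
    return 1
}
```

The same pattern applies to the *-add commands mentioned at the end of the post: query with the matching *-show first, then add only when the entry is missing.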
Help - using aci for sync of userpassword hashes
by René Johansen
Hello FreeIPA users..
I am currently trying to set up an account for syncing users' hashed
userpassword attributes to our Google directory. Basically we use Gmail
and sync users' LDAP passwords so that their login matches their LDAP
login. This is a one-way sync, and Google only requires the hashes (md5,
base64, SHA1).
From what I can gather, the cn=Directory Manager role is the only one that
can access users' userpassword attributes, but I was told it is possible to
maybe create a service account that is able to also access this? It only
needs read permissions. I have however not been able to get this working,
and I do not find the documentation on this to be very clear.
Can anyone point me in the right direction, or help me to set this up?
As of right now I have a user account (google), enrolled in a group
(google_sync), and would like to assign permissions to this group to read
the userpassword attribute from a group called "mail":
uid=google,cn=users,cn=accounts,dc=xx,dc=xx
cn=google_sync,cn=groups,cn=accounts,dc=xx,dc=xx
cn=mail,cn=groups,dc=accounts,dc=xx,dc=xx
As an additional question, are userpasswords hashed in base64 or? I can't
seem to find an answer to this.
Mvh.
René Johansen
Systemadministrator
Christians Brygge 1
1219 København K
Tlf: 31625208
3 years, 7 months
ipa client autofs issue
by Ronald Wimmer
I am confronted with a relatively strange behaviour regarding ipa and
automounting. We are using automounted home shares on some of our systems.
On two almost identical systems I cannot chdir (permission denied) to
user A's home directory on server 1 but chdir to user B's home directory
works. On server 2 it is the exact opposite. On a third server chdir
does not work for both users.
I would highly appreciate any tips on how to debug this issue.
Cheers,
Ronald
3 years, 7 months
How to migrate Sernet Samba 4.12.6-13 to FreeIPA on CentOS 7.8.2003
by ganci@nurdog.com
For many years now I have been using CentOS 6/7 with Samba to manage a small AD. I have chosen to use the Sernet CentOS 6/7 packages and as of today have a working AD. However, for cost reasons and because FreeIPA is the RHEL-supported way to accomplish the same, I would like to migrate away from the Sernet Samba packages. Presently I am running CentOS Linux release 7.8.2003 with the Samba 4.12.6-13 packages. Is there any documentation as to how to migrate the Samba configuration to FreeIPA with a minimum of pain? I have been running Samba for many years now, both as an NT domain server and now as AD, but would greatly appreciate some help migrating my Samba configuration and getting started with FreeIPA. Suggestions and pointers are greatly appreciated. Thank you for your help.
3 years, 7 months
Should all IPA masters in domain be returned by sssctl
by Ranbir
Hello Everyone,
When I run "sssctl domain-status [domain]", should I see a list of all
the masters in the domain under the "Discovered IPA servers" section?
I'm assuming I'm supposed to. Right now, I'm not. I don't know if it's a
DNS problem (maybe a missing SRV record), but basic name resolution
works for all of the masters.
Any help is appreciated!
Thanks.
--
Ranbir
3 years, 7 months
Re: Renewing a failed to auto-renewal certificate
by Stuart McRobert
Dear All,
Thanks to everyone for their help with this.
In summary the problem was an inconsistency between the certificate stored
in a file and in ldap, as described at the bottom of flo's blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
Once that was corrected certificates could then finally be renewed.
I also found some (not all) certificates on our other freeipa servers had
recently become stuck with Submitting status and had also expired. These
have now been renewed by again changing time back to when they were still
valid and resubmitting the renewal request.
However, afterwards whilst checking the number of accounts with "ipa
user-find" on each freeipa server I found an inconsistency, with one user
present on some but not all freeipa servers. Understandably this triggers an
error when attempting to update that user on a server with the account
present:
Operations Error
Some operations failed.
Hide details
XXX: user not found
when I assume attempting to update the others.
Is there a good way to correct this and ensure consistency is fully
restored?
Thanks
Best wishes
Stuart
3 years, 7 months
CROND with IPA user
by Ronald Wimmer
I have a script that runs periodically as a CRON job. The user is an IPA
user. Everything works perfectly for a while and at some point in time I
am getting log entries like:
Sep 14 08:56:02 myServer CROND[24516]: (CRON) ERROR chdir failed
(/home/mydomain.at/myADUser): Permission denied
After logging in manually with that particular user everything works
again...
What could be the issue here?
Cheers,
Ronald
3 years, 7 months
Re: Renewing a failed to auto-renewal certificate
by Stuart McRobert
Dear flo,
> At this point you also need to restart pki:
Thanks, restarted and resubmitted the request, then waited, but sadly
I guess something else may also need attention?
Best wishes
Stuart
----------------------------------------------------------------------------------------------------------------
[root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-09-16 09:03:41 BST; 1 months 0 days left
Process: 1236 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
Main PID: 1353 (java)
Tasks: 91 (limit: 4915)
CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
└─1353 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -Djava.library.path=/usr/lib64/nuxwd
Aug 16 09:42:58 freeipa01.our_domain server[1353]: Aug 16, 2020 9:42:58 AM org.apache.catalina.core.ContainerBase bac
Aug 16 09:42:58 freeipa01.our_domain server[1353]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyR
Aug 16 09:42:58 freeipa01.our_domain server[1353]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(Pr
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at org.apache.catalina.core.ContainerBase.backgroundProces
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at org.apache.catalina.core.StandardContext.backgroundProc
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at java.lang.Thread.run(Thread.java:748)
[root@freeipa01 ~]# systemctl restart pki-tomcatd@pki-tomcat.service
[root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-08-16 09:43:19 BST; 3s ago
Process: 1987 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
Process: 2021 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
Main PID: 2135 (java)
Tasks: 17 (limit: 4915)
CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
└─2135 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -Djava.library.path=/usr/lib64/nuxwd
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catal
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.jasper.servlet.TldScanner scanJ
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/C
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catal
Aug 16 09:43:22 freeipa01.our_domain server[2135]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fall
Aug 16 09:43:22 freeipa01.our_domain server[2135]: SSLAuthenticatorWithFallback: Setting container
[root@freeipa01 ~]# getcert resubmit -i 20170405152512
Resubmitting "20170405152512" to "IPA".
[root@freeipa01 ~]# sleep 120
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa01.our_domain/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN
subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 09:46:26 BST 2020
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa01.our_domain/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN
subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 09:53:16 BST 2020
[root@freeipa01 ~]#
3 years, 7 months
Re: Renewing a failed to auto-renewal certificate
by Stuart McRobert
Dear flo,
Thank you for your help with this, but something still seems to be
preventing the renewal from actually happening even after going back in
time, and waiting.
My service slot is open until lunchtime today, so hopefully there is a quick
additional step required to get this fixed.
Any ideas?
Thanks
Best wishes
Stuart
After a reboot...
[root@freeipa01 ~]# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Failed to start httpd Service
Forced start, ignoring httpd Service, continuing normal operation
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@freeipa01 ~]#
[root@freeipa01 ~]# systemctl stop ntpd.service
[root@freeipa01 ~]# date
Wed 16 Sep 09:09:19 BST 2020
[root@freeipa01 ~]# date 08160838
Sun 16 Aug 08:38:00 BST 2020
[root@freeipa01 ~]# date
Sun 16 Aug 08:38:04 BST 2020
[root@freeipa01 ~]# systemctl start httpd
[root@freeipa01 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─ipa.conf
Active: active (running) since Sun 2020-08-16 08:38:33 BST; 7s ago
Docs: man:httpd.service(8)
Process: 1221 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
Process: 1703 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
Main PID: 1704 (httpd)
Status: "Processing requests..."
Tasks: 92 (limit: 4915)
CGroup: /system.slice/httpd.service
├─1704 /usr/sbin/httpd -DFOREGROUND
├─1705 /usr/libexec/nss_pcache 589836 off /etc/httpd/alias
├─1706 (wsgi:kdcproxy) -DFOREGROUND
├─1707 (wsgi:kdcproxy) -DFOREGROUND
├─1708 (wsgi:ipa) -DFOREGROUND
├─1709 (wsgi:ipa) -DFOREGROUND
├─1710 /usr/sbin/httpd -DFOREGROUND
├─1711 /usr/sbin/httpd -DFOREGROUND
├─1712 /usr/sbin/httpd -DFOREGROUND
├─1713 /usr/sbin/httpd -DFOREGROUND
└─1714 /usr/sbin/httpd -DFOREGROUND
Aug 16 08:38:33 freeipa01.OUR_DOMAIN systemd[1]: Starting The Apache HTTP Server...
Aug 16 08:38:33 freeipa01.OUR_DOMAIN ipa-httpd-kdcproxy[1703]: ipa : INFO KDC proxy enabled
Aug 16 08:38:33 freeipa01.OUR_DOMAIN systemd[1]: Started The Apache HTTP Server.
[root@freeipa01 ~]# getcert resubmit -i 20170405152512
Resubmitting "20170405152512" to "IPA".
[root@freeipa01 ~]# sleep 200
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 08:43:50 BST 2020
[root@freeipa01 ~]#
[root@freeipa01 ~]#
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 08:58:23 BST 2020
3 years, 7 months
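The sessions above show how easy it is to miss a request that is both stuck (CA_UNREACHABLE with a pending ca-error) and already past its expiry date. As an added example, not from the thread, this script reads "getcert list" output in the format shown above and flags every request whose status is not MONITORING, that carries a ca-error, or whose expiry date lies before a given day; the sample tracking data at the bottom is constructed.

```shell
#!/bin/sh
# Report certmonger requests that need attention, from "getcert list" output
# (added example, not from the thread). A request is flagged when its status
# is not MONITORING, when a ca-error is recorded, or when it has expired
# relative to NOW (first argument, YYYY-MM-DD; defaults to today).
summarise_getcert() {
    now="${1:-$(date +%Y-%m-%d)}"
    awk -v now="$now" '
        # Emit one line for the request collected so far, then reset state.
        function flush(   problems) {
            if (id == "") return
            problems = ""
            if (status != "MONITORING") problems = problems " status=" status
            if (caerr)                  problems = problems " ca-error"
            # ISO dates compare correctly as plain strings
            if (expires != "" && substr(expires, 1, 10) < now) problems = problems " expired"
            if (problems == "") printf "ok %s expires=%s\n", id, expires
            else                printf "ATTENTION %s%s\n", id, problems
            id = ""; status = ""; expires = ""; caerr = 0
        }
        /^Request ID /     { flush(); id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id) }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*ca-error:/ { caerr = 1 }
        /^[ \t]*expires:/  { sub(/^[ \t]*expires: */, ""); expires = $0 }
        END                { flush() }
    '
}

# Constructed sample in the format shown above (not real tracking data).
SAMPLE_GETCERT="Number of certificates and requests being tracked: 2.
Request ID '20170405152512':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4035 (RPC failed at server.).
        stuck: no
        expires: 2020-09-04 17:46:56 BST
Request ID '20170405152513':
        status: MONITORING
        stuck: no
        expires: 2021-03-01 10:00:00 GMT"

# Stand-alone run over the sample; in production pipe "getcert list" in instead.
printf '%s\n' "$SAMPLE_GETCERT" | summarise_getcert 2020-09-16
```

Running it on every IPA server (for example over ssh in a loop) gives a quick cross-server view, which is how the expired, stuck requests on the other servers mentioned above would have surfaced earlier.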