Problems after replacing SSL certificates
by Andreas Bulling
Dear all,
I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university.
I've followed the procedure described here (no errors):
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain:
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Also, ipa-certupdate on the respective clients shows
ipa-certupdate
trying https://X/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://X/ipa/json'
cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
The ipa-certupdate command failed.
Also, I can't log in to the web UI anymore. I tried
ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab
on the freeipa server (followed by ipactl restart) but this didn't help.
Any ideas or suggestions for how to get everything working again?
Thanks a lot!
2 years, 6 months
User in AD not found by IPA
by Marc Boorshtein
We added a new account to AD that has a domain trust with FreeIPA. This
one user is having an issue where IPA can't find him. The user is in the
same OU as other users that work fine. The user is unlocked
(userAccountControl is 512) and the userprincipalname is set. When I try
to add the user to an id view or an external group IPA gives me the error
"trusted domain object not found". Not really sure where to look next to
figure out what's wrong. We see the user when we make LDAP calls to AD.
Thanks
Marc
2 years, 6 months
freeIPA Status Debian/Ubuntu
by Nico Maas
Hello there,
with the decline of CentOS I need to migrate away from CentOS 8 to something different.
I just wanted to ask what the current status of the Debian and Ubuntu versions of freeIPA is, and whether there is any possibility to migrate a freeIPA installation ("backup and restore")?
Best regards,
Nico
2 years, 7 months
Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here it is below; it has the "Basic Constraints" set with CA:TRUE... What else is required so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
2 years, 7 months
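As an added example (not code from this thread or from FreeIPA's installer, which may apply checks of its own), the Go program below tests a parsed certificate for the properties RFC 5280 requires of a root CA and reports which are missing; the dump above shows no keyUsage extension and a serial number of 0, both of which it would flag. The sample certificates are constructed in code with serial 1 and a placeholder subject key identifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CAProblems lists the RFC 5280 properties a root CA certificate needs: a positive serial (4.1.2.2),
// basicConstraints CA:TRUE (4.2.1.9), keyUsage with keyCertSign (4.2.1.3), subjectKeyIdentifier (4.2.1.2).
func CAProblems(cert *x509.Certificate) (problems []string) {
	if cert.SerialNumber.Sign() <= 0 {
		problems = append(problems, "serial number is not positive")
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		problems = append(problems, "basicConstraints missing or CA:FALSE")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "keyUsage absent or lacks keyCertSign")
	}
	if len(cert.SubjectKeyId) == 0 {
		problems = append(problems, "subjectKeyIdentifier missing")
	}
	return problems
}

// rootCert is constructed sample input shaped like the posted root (same subject, CA:TRUE, a subject
// key identifier, but serial 1 instead of 0); withKeyUsage adds the extension the posted dump lacks.
func rootCert(withKeyUsage bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"DE"}, Locality: []string{"Bonn"}, Organization: []string{"COMPANY"}, OrganizationalUnit: []string{"PRJ"}, CommonName: "RootCA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04}, // placeholder, not a real key hash
	}
	if withKeyUsage {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To run it against a real file, PEM-decode the certificate, call x509.ParseCertificate and pass the result to CAProblems.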
FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
2 years, 9 months
Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks
some attributes. I'm just not sure how to generate a proper cert.
2 years, 10 months
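The trace above fails in the pkinit module with "KDC name mismatch", which MIT krb5 returns when the KDC certificate's subjectAltName does not carry the KDC's krbtgt principal as an id-pkinit-san otherName (RFC 4556, section 3.2.4). The Go code below is an added example, not from this thread or from FreeIPA: it walks the SAN extension by hand and reports whether that otherName is present, and the sample SAN it builds is a constructed placeholder with an empty principal value.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
)

// RFC 4556 3.2.4: a PKINIT client expects the KDC certificate to carry a subjectAltName
// otherName of type id-pkinit-san holding the krbtgt/REALM@REALM principal; a KDC certificate
// without it (or a dNSName matching pkinit_kdc_hostname) fails with "KDC name mismatch".
var (
	oidPkinitSAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 2}
	oidSAN       = asn1.ObjectIdentifier{2, 5, 29, 17}
)

// HasPkinitSAN reports whether a certificate's extensions (cert.Extensions from
// x509.ParseCertificate) contain that otherName. Go's parser keeps only DNS, email, IP
// and URI SAN entries, so the GeneralNames sequence is decoded by hand here.
func HasPkinitSAN(exts []pkix.Extension) bool {
	for _, ext := range exts {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var names asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return false
		}
		for rest := names.Bytes; len(rest) > 0; {
			var gn asn1.RawValue
			var err error
			if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
				return false
			}
			// otherName ::= [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
			if gn.Class == asn1.ClassContextSpecific && gn.Tag == 0 {
				var typeID asn1.ObjectIdentifier
				if _, e := asn1.Unmarshal(gn.Bytes, &typeID); e == nil && typeID.Equal(oidPkinitSAN) {
					return true
				}
			}
		}
	}
	return false
}

// pkinitSANExtension is constructed sample input: a SAN with one id-pkinit-san otherName.
// The KRB5PrincipalName value is left as an empty SEQUENCE because only the type-id is inspected.
func pkinitSANExtension() pkix.Extension {
	typeID, _ := asn1.Marshal(oidPkinitSAN)
	value, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: []byte{0x30, 0x00}})
	other, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: append(typeID, value...)})
	names, _ := asn1.Marshal(asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: other})
	return pkix.Extension{Id: oidSAN, Value: names}
}
```

To check a real kdc.crt, PEM-decode it, call x509.ParseCertificate and pass cert.Extensions; RFC 4556 also requires the id-pkinit-KPKdc extended key usage on KDC certificates, which this check does not cover.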
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice on how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every
attempt to connect to it hangs.
The command "systemctl status" does not show anything alarming
● dirsrv@EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch
command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
2 years, 11 months
Something changed regarding enrollment permissions?
by Ronald Wimmer
Today we did not manage to enroll new hosts with our enrollment user.
The only thing we changed is that we added the Permission "System:
Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any
problems.
Cheers,
Ronald
3 years, 2 months
Unable to install ipa client centos 7.5.1804 (Core)
by William Graboyes
Hello List,
I have been searching around for the day and have found an answer for
the error I am getting when I am trying to install the client on a brand
new install:
Version:
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-client-common-4.5.4-10.el7.centos.3.noarch
The error is below (run as root, not via sudo):
ipa-client-install
Traceback (most recent call last):
File "/sbin/ipa-client-install", line 22, in <module>
from ipaclient.install import ipa_client_install
File
"/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py",
line 5, in <module>
from ipaclient.install import client
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
line 34, in <module>
from ipalib import api, errors, x509
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in
<module>
from pyasn1_modules import rfc2315, rfc2459
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 67, in <module>
class DigestedData(univ.Sequence):
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 72, in DigestedData
namedtype.NamedType('digest', Digest)
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 115, in __init__
self.__ambiguousTypes = 'terminal' not in kwargs and
self.__computeAmbiguousTypes() or {}
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 232, in __computeAmbiguousTypes
ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes,
**dict(terminal=True))
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 114, in __init__
self.__tagToPosMap = self.__computeTagToPosMap()
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 205, in __computeTagToPosMap
for _tagSet in tagMap.presentTypes:
AttributeError: 'property' object has no attribute 'presentTypes'
Any help would be greatly appreciated.
Thanks,
Bill G.
3 years, 2 months