November 2021 - FreeIPA-users - Fedora mailing-lists

Could not login with AD user
by Ronald Wimmer 20 Jul '22

20 Jul '22

Today I was not able to log in with an AD user to an IPA client within a test setup. IPA users worked fine. DNS is managed externally. I figured out that the DNS-Record of that particular IPA client has not been created correctly. After having corrected the DNS entry and having dropped the SSSD cache on that client I could login with my AD user. Do you have an explanation for that or was it just a coincidence? Cheers, Ronald

4 13

keycloak - the other way around?
by lejeczek 29 Jun '22

29 Jun '22

Hi guys. I've only stumbled upon whole Keycloak thing thus go easy on me please. I wonder if Keycload can be a "provider" to freeIPA in some way? One such a scenario where I think Keycloak might be a golden egg - if it worked that is - is as a "middle-man" for user base between(or from to) AD and freeIPA when full & legit trust is not possible. Does that make sense? many thanks, L.

4 7

freeipa/certmonger for openvpn user certificates
by Patrick Spinler 27 Jun '22

27 Jun '22

Hi, I'm setting up an openvpn server and I'd like to use our already existing FreeIPA CA to issue user keys/certs for openvpn's use. Since our OpenVPN box is a freeipa client, I thought it'd be nice to use certmonger to issue and keep up to date these certs. Ergo, I've created a certificate profile: pat@apex-freeipa ~$ ipa certprofile-show --all OpenVPNUserCert dn: cn=OpenVPNUserCert,cn=certprofiles,cn=ca,dc=int,dc=apexmw,dc=com Profile ID: OpenVPNUserCert Profile description: OpenVPN User Certificates Store issued certificates: FALSE objectclass: ipacertprofile, top And also a CA acl. For experimentation (and working vs our test freeipa) I've left this as wide open as I can: [pat@apex-freeipa ~]$ ipa caacl-show --all OpenVPN_User_Certificate_ACL dn: ipaUniqueID=6dde33a6-7849-11e9-aa05-525400b52c7b,cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com ACL name: OpenVPN_User_Certificate_ACL Enabled: TRUE CA category: all Profile category: all User category: all Host category: all Service category: all ipauniqueid: 6dde33a6-7849-11e9-aa05-525400b52c7b objectclass: ipaassociation, ipacaacl Then, on my openvpn server, I ask for a cert for use for one of my users (myself, in this case): root@apex-openvpn:~# ipa-getcert request -f /etc/openvpn/client/pat.crt -k /etc/openvpn/client/pat.key -r -N 'CN=pat,O=INT.APEXMW.COM' -K pat -g 4096 --profile OpenVPNUserCert New signing request "20190603014016" added. But, it fails due to an access err vs the 'userCertificate' attribute of my account: root@apex-openvpn:~# ipa-getcert list (...snippy snip excess...) Request ID '20190603014016': status: CA_REJECTED ca-error: Server at https://apex-freeipa.int.apexmw.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com'.). stuck: yes key pair storage: type=FILE,location='/etc/openvpn/client/pat.key' certificate: type=FILE,location='/etc/openvpn/client/pat.crt' CA: IPA issuer: subject: expires: unknown pre-save command: post-save command: track: yes auto-renew: yes If I look at the dirsrv log, here's the accesses I see for this request (trimmed off the date/time to make the lines a _little_ shorter): root@apex-freeipa slapd-INT-APEXMW-COM# grep conn=178 access | cut -d' ' -f3- conn=178 fd=114 slot=114 connection from 10.10.200.1 to 10.10.200.1 conn=178 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO conn=178 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0025554208 dn="fqdn=apex-openvpn.int.apexmw.com,cn=computers,cn=accounts,dc=int,dc=apexmw,dc=com" conn=178 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL conn=178 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001319554 conn=178 op=2 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL conn=178 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000979573 conn=178 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL conn=178 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0000736730 conn=178 op=4 SRCH base="cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaca)(cn=ipa))" attrs="" conn=178 op=4 RESULT err=0 tag=101 nentries=1 etime=0.0000499142 conn=178 op=5 SRCH base="cn=ipa,cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaCaId ipaCaSubjectDN cn ipaCaIssuerDN description" conn=178 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0000482726 conn=178 op=6 SRCH base="cn=apex-freeipa.int.apexmw.com,cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(ipaConfigString=enabledService)(cn=CA))" attrs=ALL conn=178 op=6 RESULT err=0 tag=101 nentries=1 etime=0.0000950646 notes=U conn=178 op=7 SRCH base="cn=accounts,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=pat(a)INT.APEXMW.COM))" attrs=ALL conn=178 op=7 RESULT err=0 tag=101 nentries=1 etime=0.0002747849 conn=178 op=8 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin" conn=178 op=8 RESULT err=0 tag=120 nentries=0 etime=0.0000135034 conn=178 op=9 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass" conn=178 op=9 RESULT err=0 tag=101 nentries=1 etime=0.0000932668 - entryLevelRights: none conn=178 op=10 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="distinguishedName" conn=178 op=10 RESULT err=0 tag=101 nentries=1 etime=0.0000640289 conn=178 op=11 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="telephoneNumber ipaSshPubKey uid krbCanonicalName ipatokenRadiusUserName ipaUserAuthType krbPrincipalExpiration homeDirectory nsAccountLock usercertificate;binary title loginShell uidNumber mail ipaCertMapData memberOf memberofindirect krbPrincipalName givenName gidNumber sn ou userClass ipatokenRadiusConfigLink" conn=178 op=11 RESULT err=0 tag=101 nentries=1 etime=0.0001401737 conn=178 op=12 SRCH base="dc=int,dc=apexmw,dc=com" scope=2 filter="(|(member=uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com)(memberUser=uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com)(memberHost=uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com))" attrs="" conn=178 op=12 RESULT err=0 tag=101 nentries=7 etime=0.0001492344 notes=P pr_idx=0 pr_cookie=-1 conn=178 op=13 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword" conn=178 op=13 RESULT err=0 tag=101 nentries=1 etime=0.0000524838 conn=178 op=14 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey" conn=178 op=14 RESULT err=0 tag=101 nentries=1 etime=0.0000597589 conn=178 op=15 SRCH base="ipaUniqueID=80b23b30-6a0c-11e9-baa3-525400b52c7b,cn=sudorules,cn=sudo,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="cn" conn=178 op=15 RESULT err=0 tag=101 nentries=1 etime=0.0000379744 conn=178 op=16 SRCH base="ipaUniqueID=5fb3a640-705a-11e9-aa05-525400b52c7b,cn=hbac,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="cn" conn=178 op=16 RESULT err=0 tag=101 nentries=1 etime=0.0000337904 conn=178 op=17 SRCH base="cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="serviceCategory cn ipaMemberCertProfile ipaMemberCa ipaCertProfileCategory memberUser userCategory hostCategory memberHost ipaEnabledFlag ipaCaCategory memberService description" conn=178 op=17 RESULT err=0 tag=101 nentries=2 etime=0.0001647058 conn=178 op=18 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin" conn=178 op=18 RESULT err=0 tag=120 nentries=0 etime=0.0000138321 conn=178 op=19 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="userCertificate" conn=178 op=19 RESULT err=0 tag=101 nentries=1 etime=0.0001475052 - entryLevelRights: none conn=178 op=20 UNBIND conn=178 op=20 fd=114 closed - U1 To begin with, I note that this session does a BIND with 'dn=""', right at the beginning, it's essentially an anonymous bind, yah? That operation near the end, here: op=17 SRCH base="cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" seems like it might be kinda key. and indeed, if I attempt to run this by hand as an anonymous bind, I get no results: root@apex-freeipa slapd-INT-APEXMW-COM# ldapsearch -x -h localhost -b dc=int,dc=apexmw,dc=com -s sub "(|(objectClass=ipaassociation)(objectClass=ipacaacl))" # extended LDIF # # LDAPv3 # base <dc=int,dc=apexmw,dc=com> with scope subtree # filter: (|(objectClass=ipaassociation)(objectClass=ipacaacl)) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 It's only if I run this as an _authenticated_ bind, that I can find my ACL: root@apex-freeipa slapd-INT-APEXMW-COM# ldapsearch -x -D "cn=Directory Manager" -W -h localhost -b dc=int,dc=apexmw,dc=com -s sub "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" cn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=int,dc=apexmw,dc=com> with scope subtree # filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl)) # requesting: cn # # c98b740c-6903-11e9-ad1b-525400b52c7b, caacls, ca, int.apexmw.com dn: ipaUniqueID=c98b740c-6903-11e9-ad1b-525400b52c7b,cn=caacls,cn=ca,dc=int,dc =apexmw,dc=com cn: hosts_services_caIPAserviceCert # 6dde33a6-7849-11e9-aa05-525400b52c7b, caacls, ca, int.apexmw.com dn: ipaUniqueID=6dde33a6-7849-11e9-aa05-525400b52c7b,cn=caacls,cn=ca,dc=int,dc =apexmw,dc=com cn: OpenVPN_User_Certificate_ACL # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 Is this (using certmonger to auto-issue signed certs/keys for my openvpn users) going to be essentially impossible to do, here? Do I need to go a more traditional route of creating a seperate keystore/certdb, issuing a CSR, and feeding that to FreeIPA to sign? Any advice appreciated, and thanks in advance, -- Pat

4 6

Broken ipa replica
by Giulio Casella 08 May '22

08 May '22

Hi everyone, I'm stuck with a broken replica. I had a setup with two ipa server in replica (ipa-server-4.6.4 on CentOS 7.6), let's say "idc01" and "idc02". Due to heavy load idc01 crashed many times, and was not working anymore. So I tried to redo the replica again. At first I tried to "ipa-replica-manage re-initialize", with no success. Now I'm trying to redo from scratch the replica setup: on idc02 I removed the segments (ipa topologysegment-del, for both ca and domain suffix), on idc01 I removed everything (ipa-server-install --uninstall), then I joined domain (ipa-client-install), and everything is working so far. When doing "ipa-replica-install" on idc01 I get: [...] [28/41]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 22 seconds elapsed [ldap://idc02.my.dom.ain:389] reports: Update failed! Status: [Error (-11) connection error: Unknown connection error (-11) - Total update aborted] And on idc02 (the working server), in /var/log/dirsrv/slapd-MY-DOM-AIN/errors I find lines stating: [20/Mar/2019:09:28:06.545187923 +0100] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meToidc01.my.dom.ain" (idc01:389)". [20/Mar/2019:09:28:26.528046160 +0100] - ERR - NSMMReplicationPlugin - perform_operation - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server) [20/Mar/2019:09:28:26.530763939 +0100] - ERR - NSMMReplicationPlugin - repl5_tot_log_operation_failure - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Received error -1 (Can't contact LDAP server): for total update operation [20/Mar/2019:09:28:26.532678072 +0100] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Unable to send endReplication extended operation (Can't contact LDAP server) [20/Mar/2019:09:28:26.534307539 +0100] - ERR - NSMMReplicationPlugin - repl5_tot_run - Total update failed for replica "agmt="cn=meToidc01.my.dom.ain" (idc01:389)", error (-11) [20/Mar/2019:09:28:26.561763168 +0100] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidc01.my.dom.ain" (idc01:389): Replication bind with GSSAPI auth resumed [20/Mar/2019:09:28:26.582389258 +0100] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToidc01.my.dom.ain" (idc01:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. It seems that idc02 remembers something about the old replica. Any hint? Thank you in advance, Giulio

5 10

IPA CA allow CSR SAN names in external domains
by Steve Dainard 14 Mar '22

14 Mar '22

Hello I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be able to add SAN's for a different dns domain than exists in the IPA realm. The dns for 'otherdomain.com' is handled by active directory which my IPA server has a cross-forest trust with. ie: host: client1.ipadomain.com certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com, servicename.otherdomain.com When I try to submit this CSR with 'ipa-getcert request' the IPA server denies with: "The service principal for subject alt name servicename.otherdomain.com in certificate request does not exist" It seems that the default CAACL enforces a profile named 'caIPAserviceCert', but I'm having some trouble determining what can be modified (or cloned and changed in a new profile) that would allow the CA to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the SAN. This is the only section in the profile that contains SAN: policyset.serverCertSet.12.constraint.class_id=noConstraintImpl policyset.serverCertSet.12.constraint.name=No Constraint policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Thanks, Steve

3 3

ipa-dnskeysyncd DEBUG messages
by Kees Bakker 28 Feb '22

28 Feb '22

Hi, On the two CentOS 8 Stream masters (upgraded a few days ago) we now get quite a few DEBUG messages. I haven't seen these before. There is also a WARN - content-sync-plugin. Is this something to be worried about? Jul 13 14:06:56 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG Detected modify of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 1e89eb86-e201-11e8-8820-f96efc0c60a4 Jul 13 14:06:56 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG New cookie is: linge.example.com:389#krbprincipalname=ipa-dnskeysyncd/linge.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#206227 Jul 13 14:06:56 linge.example.com named-pkcs11[283005]: zone example.com/IN: sending notifies (serial 1626178016) Jul 13 14:06:56 linge.example.com named-pkcs11[283005]: client @0x7f54e416c880 172.16.16.31#45677: received notify for zone 'example.com' Jul 13 14:06:56 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG Detected modify of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 1e89eb86-e201-11e8-8820-f96efc0c60a4 Jul 13 14:06:56 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG New cookie is: linge.example.com:389#krbprincipalname=ipa-dnskeysyncd/linge.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#206230 Jul 13 14:06:56 linge.example.com ns-slapd[282944]: [13/Jul/2021:14:06:56.745067868 +0200] - WARN - content-sync-plugin - sync_update_persist_betxn_pre_op - DB retried operation targets "changenumber=206231,cn=changelog" (op=0x7fd372024000 idx_pl=1) => op not changed in PL Jul 13 14:06:56 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG Detected modify of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 1e89eb86-e201-11e8-8820-f96efc0c60a4 Jul 13 14:06:56 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG New cookie is: linge.example.com:389#krbprincipalname=ipa-dnskeysyncd/linge.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#206232 Jul 13 14:06:56 linge.example.com named-pkcs11[283005]: client @0x7f54e416c880 172.16.16.75#48866: received notify for zone '30.16.172.in-addr.arpa' Jul 13 14:06:57 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG Detected modify of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 1e89eb86-e201-11e8-8820-f96efc0c60a4 Jul 13 14:06:57 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG New cookie is: linge.example.com:389#krbprincipalname=ipa-dnskeysyncd/linge.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#206235 Jul 13 14:06:57 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG Detected modify of entry: idnsname=30.16.172.in-addr.arpa.,cn=dns,dc=example,dc=com d79d0401-e29b-11e8-8820-f96efc0c60a4 Jul 13 14:06:57 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG New cookie is: linge.example.com:389#krbprincipalname=ipa-dnskeysyncd/linge.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#206236 Jul 13 14:06:57 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG Detected modify of entry: idnsname=30.16.172.in-addr.arpa.,cn=dns,dc=example,dc=com d79d0401-e29b-11e8-8820-f96efc0c60a4 Jul 13 14:06:57 linge.example.com ipa-dnskeysyncd[283246]: ipaserver.dnssec.syncrepl: DEBUG New cookie is: linge.example.com:389#krbprincipalname=ipa-dnskeysyncd/linge.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#206237 -- Kees

3 5

freeipa with sudo and 2FA (OTP)
by John Ratliff 31 Jan '22

31 Jan '22

I'm trying to setup freeipa with OTP. I created a TOTP under my user in freeipa and updated my user to use 2FA (password + OTP). When I try to do sudo, it only asks for my password and it fails every time (presumably because it isn't getting the OTP first). I didn't see anything useful in the sss_sudo logs, even after adding debug_level = 6 in the config. What can I do to further troubleshoot this? Thanks.

4 6

IPA broken after dnf update on CentOS 8
by Vinícius Ferrão 15 Jan '22

15 Jan '22

Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host. After def -y update and reboot, IPA fails to load an it’s in broken state. [root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE) Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit. If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something. The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service> failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details.\n’) Is that Java regression again that happened a month or two ago? Thank you all.

5 7

Unable to communicate with CMS (403)
by lejeczek 17 Dec '21

17 Dec '21

Hi guys. I get: -> $ ipa host-del c8kubernode1.private.lot ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (403) -> $ ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403) I searched mailing list and what I found about certs being out or in sync I checked, I verified but it's still possible I missed something there. I also see this: https://access.redhat.com/solutions/3624671 - which I thought was a bit dated issue thus I want to ask: Should that be in ipa-server-4.9.6-4 ? because my '/etc/httpd/conf.d/ipa-pki-proxy.conf' indeed lacks "^/ca/rest/account/login... many thanks, L

9 24

Certificate Authority master cert shows revoked somehow (refresh issue due bad hosts file?)
by Andrius Jurkus 02 Dec '21

02 Dec '21

ipa --version VERSION: 4.8.7 So I have no idea what actually happened, but today I cant login into freeipa webui. There is 3 instances on 2 and 3rd I can login. Sync is on and working. I noticed that in webui it shows that first certificate CN=Certificate Authority,O=xx ipa REVOKED Obviously I didint revoke it. ipa-getcert list shows only two certificates and noone is master getcert list shows more and this is master cert as you can see server was installed ~2 years ago. Request ID '20201218102240': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=xxx subject: CN=Certificate Authority,O=xxx expires: 2039-12-16 13:38:03 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes CN=localhost... :facepalm: This is I guess new(not really) and probably this was tickint time bomb for quite some time. Request ID '20210317111052': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.O4.LT subject: CN=localhost expires: 2041-03-17 11:11:01 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign profile: caCACert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09" track: yes auto-renew: yes I have bad feeling that it is because hosts file is not cleared from localhost entries? cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 ipa-healthcheck complainas about this is SUBCA caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found, assuming 3rd party { "source": "ipahealthcheck.ipa.certs", "check": "IPACertfileExpirationCheck", "result": "ERROR", "uuid": "a77e06d1-ee90-4574-8c68-750ec3f5d6bd", "when": "20211124184538Z", "duration": "0.366900", "kw": { "key": "20210317111052", "dbdir": "/etc/pki/pki-tomcat/alias", "nickname": "caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09", "error": "Failed to get caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09", "msg": "Unable to retrieve cert 'caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09' from '/etc/pki/pki-tomcat/alias': Failed to get caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "c8e78e6d-794c-41cb-a12f-f57d0dda23d6", "when": "20211124184538Z", "duration": "0.416846", "kw": { "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCer t cert-pki-ca\", template-profile=caCACert", "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_c a_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert" } }, and more question how I can fix this?

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users November 2021