Hello!
I have several SMB shares served by Samba using Kerberos accounts managed
by FreeIPA. I have no AD integration and no AD itself. Windows clients are
configured using this
<https://www.freeipa.org/page/Windows_authentication_against_FreeIPA>
guide; Linux clients use ipa-client and "smbclient -k". Servers and Linux
clients use CentOS 7.
Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from
4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from
4.10.16-*15*.el7_9)
packages and authentication broke: no clients can connect to shares
anymore. Here are the logs from a Linux client:
$ klist
Ticket cache: KEYRING:persistent:1696200001:1696200001
Default principal: me(a)MYDOMAIN.LOC
Valid starting Expires Service principal
12/30/2021 18:04:03 12/31/2021 18:03:46
cifs/samba.server.mydomain.loc(a)MYDOMAIN.LOC
12/30/2021 18:04:02 12/31/2021 18:03:46
nfs/samba.server.mydomain.loc(a)MYDOMAIN.LOC
12/30/2021 18:03:49 12/31/2021 18:03:46 krbtgt/MYDOMAIN.LOC(a)MYDOMAIN.LOC
$ smbclient -k -L //samba.server.mydomain.loc
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Server logs:
*log.smbd:*
[2021/12/30 19:03:23.597495, 2]
../../source3/lib/smbldap.c:847(smbldap_open_connection)
smbldap_open_connection: connection opened
[2021/12/30 19:03:23.695598, 3]
../../source3/lib/smbldap.c:1069(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam)
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
mydomain.loc
[2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access)
Allowed connection from 192.168.10.1 (192.168.10.1)
*log.192.168.10.1:*
...
[2021/12/30 19:05:22.458992, 3]
../../source3/smbd/negprot.c:776(reply_negprot)
Selected protocol SMB 2.???
[2021/12/30 19:05:22.459495, 3]
../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2021/12/30 19:05:22.524677, 3]
../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
failed: The operation or option is not available or unsupported: No such
file or directory
[2021/12/30 19:05:22.524750, 1]
../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
gensec_generate_session_info_pac: Unable to find PAC in ticket from
me(a)MYDOMAIN.LOC, failing to allow access
[2021/12/30 19:05:22.524784, 3]
../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at
../../source3/smbd/smb2_sesssetup.c:146
[2021/12/30 19:05:22.525565, 3]
../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
Googling, source-digging and "log level = 5" were not helpful. However, I
find the changelogs somewhat interesting:
$ rpm -q --changelog ipa-server | head
* Thu Dec 16 2021 CentOS Sources <bugs(a)centos.org> - 4.6.8-5.el7.centos.10
- Roll in CentOS Branding
* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud(a)redhat.com> -
4.6.8-5.el7_9.10
- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup
against a RHEL 7.9 IPA server
- Fix cert_request for KDC cert
- Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not
always rely on the SID and PAC in Kerberos tickets*
- SMB: switch IPA domain controller role
$ rpm -q --changelog samba | head
* Mon Nov 15 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-17
- related: #2019673 - *Add missing checks for IPA DC server role*
* Mon Nov 08 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-16
- resolves: #2019661 - Fix CVE-2016-2124
- resolves: #2019673 - Fix CVE-2020-25717
- resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl*
I don't have access to the mentioned bugs in Bugzilla, unfortunately. Maybe
someone knows if I need to do something after upgrading these packages?
Rolling back the samba packages is unwanted, given that the Samba sources
mention this is unsafe.
Thanks!
--
Konstantin Khankin
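An added example (my code, not from the post above and not from Samba or FreeIPA): a Python parser for the smbd log layout quoted above, plus a detector that pairs each "Unable to find PAC in ticket" record with the NT_STATUS_NO_IMPERSONATION_TOKEN session-setup error that follows it. The sample log is constructed from the excerpts in the post, with the principal written as me@MYDOMAIN.LOC instead of the list's (a) obfuscation; the parser accepts both the one-line header form and the header-then-location form that the mail wrapping produced. Run over log.smbd or a per-client log, it lists which principals are being refused for a missing PAC, which separates this failure from share-permission or password problems.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the log.smbd / log.<client> excerpts in the post
# (principal written with '@' rather than the list's '(a)' obfuscation).
SAMPLE_LOG = """\
[2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam)
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain mydomain.loc
[2021/12/30 19:05:22.524677, 3]
../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
failed: The operation or option is not available or unsupported: No such
file or directory
[2021/12/30 19:05:22.524750, 1]
../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
gensec_generate_session_info_pac: Unable to find PAC in ticket from
me@MYDOMAIN.LOC, failing to allow access
[2021/12/30 19:05:22.524784, 3]
../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at
../../source3/smbd/smb2_sesssetup.c:146
[2021/12/30 19:05:22.525565, 3]
../../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
"""

# "[date time, level<optional pid/uid fields>] <optional file:line(func)>"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)[^\]]*\]\s*(.*)$")
LOCATION_RE = re.compile(r"^\S+?:\d+\(\w+\)$")
PAC_MISSING_RE = re.compile(r"Unable to find PAC in ticket from (\S+?),")
STATUS_RE = re.compile(r"status\[(NT_STATUS_[A-Z_]+)\]")


@dataclass
class LogRecord:
    timestamp: str
    level: int
    location: str   # file:line(function), may be empty
    message: str


def parse_smbd_log(text: str) -> List[LogRecord]:
    """Group smbd log lines into records; wrapped message lines are re-joined."""
    records: List[LogRecord] = []
    current = None
    expecting_location = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if current:
                records.append(current)
            ts, level, rest = m.groups()
            current = LogRecord(ts, int(level), rest.strip(), "")
            expecting_location = not current.location
            continue
        if current is None:          # text before the first header
            continue
        if expecting_location and LOCATION_RE.match(line):
            current.location = line  # location was wrapped onto its own line
            expecting_location = False
            continue
        expecting_location = False
        current.message = (current.message + " " + line).strip()
    if current:
        records.append(current)
    return records


def find_pac_failures(text: str) -> List[Dict[str, str]]:
    """One finding per 'Unable to find PAC' record, tagged with the NT_STATUS
    that smbd returned for that session setup (the next status[...] line)."""
    findings: List[Dict[str, str]] = []
    pending = None
    for rec in parse_smbd_log(text):
        m = PAC_MISSING_RE.search(rec.message)
        if m:
            pending = {"timestamp": rec.timestamp, "principal": m.group(1), "status": ""}
            findings.append(pending)
            continue
        s = STATUS_RE.search(rec.message)
        if s and pending is not None and not pending["status"]:
            pending["status"] = s.group(1)
            pending = None
    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Refusal count per principal, for a quick 'who is affected' view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["principal"]] = counts.get(f["principal"], 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in find_pac_failures(data):
        print(f"{f['timestamp']}  {f['principal']:<30} {f['status']}")
```

Usage: `python3 pac_check.py < /var/log/samba/log.192.168.10.1`; without input on stdin it runs over the embedded sample. A principal that shows up here with NT_STATUS_NO_IMPERSONATION_TOKEN was authenticated by Kerberos but rejected because its service ticket carried no PAC, so the thing to investigate is the IPA/Samba side of the ticket issuance, not the client's credentials.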
Hello Scott,
Lots of fun things going on with the above. I experienced the same issue, and your thread was at the top of my search results when I first started investigating. Sadly, it does not appear that a solution was posted there yet, hence my reply below.
What I found:
https://access.redhat.com/solutions/4796941 This talks about disabling TLS 1.3. I checked, and on our server 1.3 was disabled by default.
After a little more searching I found the thread below, which for me at least contained the solution:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…
Reading through the thread, it appears there is a conflict that can occur during updates that can cause secretRequired in /etc/pki/pki-tomcat/server.xml to not be set correctly. secretRequired should match secret in that file (it's in 2 different spots, so make sure to update both).
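An added example, not from the thread and not Dogtag's or FreeIPA's own code: a Python check that reads a pki-tomcat server.xml and reports any AJP Connector whose secretRequired and secret attributes disagree, plus the case where the two connectors carry different secrets. The sample server.xml is constructed (the localhost4/localhost6 connector pair models the two places mentioned above, and the secret value is a placeholder); treating an absent secretRequired as "true" is an assumption about Tomcat's default.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on /etc/pki/pki-tomcat/server.xml. The AJP connector
# appears twice (IPv4 and IPv6 bind addresses); the first one is inconsistent.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4"
               secretRequired="false" secret="CHANGEME-AJP-SECRET"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6"
               secretRequired="true" secret="CHANGEME-AJP-SECRET"/>
  </Service>
</Server>
"""


def check_ajp_secrets(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per inconsistency between secretRequired and secret
    on an AJP connector, plus one finding if the connectors disagree on the secret."""
    root = ET.fromstring(xml_text)
    problems: List[Dict[str, str]] = []
    secrets: Dict[str, str] = {}
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        where = f"{conn.get('address', '*')}:{conn.get('port', '?')}"
        # Assumption: an absent secretRequired counts as "true" (Tomcat's default
        # in the versions that introduced the attribute).
        required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret", "").strip()
        if required and not secret:
            problems.append({"connector": where,
                             "problem": "secretRequired is true but no secret is set"})
        elif not required and secret:
            problems.append({"connector": where,
                             "problem": "secret is set but secretRequired is false"})
        secrets[where] = secret
    if len({s for s in secrets.values() if s}) > 1:
        problems.append({"connector": ", ".join(sorted(secrets)),
                         "problem": "AJP connectors carry different secrets"})
    return problems


def check_file(path: str = "/etc/pki/pki-tomcat/server.xml") -> List[Dict[str, str]]:
    """Same check against a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_ajp_secrets(fh.read())


if __name__ == "__main__":
    import sys
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_ajp_secrets(SAMPLE_SERVER_XML)
    for f in findings:
        print(f"{f['connector']}: {f['problem']}")
    sys.exit(1 if findings else 0)
```

The exit status makes it usable as a post-update check (for example from a configuration-management run): a non-zero exit means the two AJP connectors need to be brought back in line before the CA is expected to answer requests proxied from httpd.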
For the past couple of months, I've been struggling to get replicas up and running. I have tried using containers and VMs, and ended up rebuilding my FreeIPA install from the ground up to eliminate corruption as an issue. The failures are consistent regardless of install options and appear to be related to replication itself. Initial replication works, but replication after that fails. Attached are the errors encountered during the ipa-replica-install command, along with the relevant log entries.
The primary server is currently on a Fedora 35 VM running the following RPMs.
freeipa-client-common-4.9.8-1.fc35.noarch
freeipa-server-common-4.9.8-1.fc35.noarch
freeipa-common-4.9.8-1.fc35.noarch
freeipa-client-4.9.8-1.fc35.x86_64
freeipa-healthcheck-core-0.9-3.fc35.noarch
freeipa-server-4.9.8-1.fc35.x86_64
freeipa-server-dns-4.9.8-1.fc35.noarch
freeipa-server-trust-ad-4.9.8-1.fc35.x86_64
freeipa-selinux-4.9.8-1.fc35.noarch
freeipa-healthcheck-0.9-3.fc35.noarch
Here are the replica installs for the container and VM, along with the relevant ipareplica-install.log entries.
Container first; here's the output from the ipa-replica-install command.
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[error] NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
/var/log/ipareplica-install.log entries
2021-12-28T18:46:57Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
2021-12-28T18:46:57Z DEBUG Waiting up to 300 seconds for replication (ldap://primary.example.com:389) krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=ac
counts,dc=example,dc=com (objectclass=*)
2021-12-28T18:47:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:47:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:47:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:47:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:47:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:47:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:48:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:48:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:48:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:48:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:48:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:48:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:49:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:49:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:49:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:49:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:49:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:49:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:50:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:50:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:50:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:50:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:50:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:50:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:57Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.10/site-packages/ipaserver/install/httpinstance.py", line 634, in request_service_keytab
replication.wait_for_entry(
File "/usr/lib/python3.10/site-packages/ipaserver/install/replication.py", line 208, in wait_for_entry
raise errors.NotFound(
ipalib.errors.NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=roadfel
dt,dc=com
2021-12-28T18:51:57Z DEBUG [error] NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services
,cn=accounts,dc=example,dc=com
2021-12-28T18:51:57Z DEBUG File "/usr/lib/python3.10/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.10/site-packages/ipapython/install/cli.py", line 342, in run
return cfgr.run()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.10/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/__init__.py", line 603, in main
replica_install(self)
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
func(installer)
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 1315, in install
install_http(
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http
http.create_instance(
File "/usr/lib/python3.10/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance
self.start_creation()
File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.10/site-packages/ipaserver/install/httpinstance.py", line 634, in request_service_keytab
replication.wait_for_entry(
File "/usr/lib/python3.10/site-packages/ipaserver/install/replication.py", line 208, in wait_for_entry
raise errors.NotFound(
2021-12-28T18:51:57Z DEBUG The ipa-replica-install command failed, exception: NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:57Z ERROR wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
2021-12-28T18:51:57Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
VM install output
Done configuring ipa-otpd.
Custodia uses 'primary.example.com' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Incorrect number of results (0) searching for public key for host/primary.example.com(a)EXAMPLE.COM
/var/log/ipareplica-install.log entries
2021-12-29T00:40:10Z DEBUG Done configuring ipa-custodia.
2021-12-29T00:40:10Z DEBUG service duration: ipa-custodia 2.37 sec
2021-12-29T00:40:10Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-12-29T00:40:10Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-12-29T00:40:10Z DEBUG Waiting up to 300 seconds to see our keys appear on host ldap://primary.example.com
2021-12-29T00:40:10Z DEBUG File "/usr/lib/python3.10/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.10/site-packages/ipapython/install/cli.py", line 342, in run
return cfgr.run()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise
raise value
File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.10/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/__init__.py", line 603, in main
replica_install(self)
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
func(installer)
File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install
ca.install(False, config, options, custodia=custodia)
File "/usr/lib/python3.10/site-packages/ipaserver/install/ca.py", line 270, in install
install_step_0(standalone, replica_config, options, custodia=custodia)
File "/usr/lib/python3.10/site-packages/ipaserver/install/ca.py", line 306, in install_step_0
custodia.get_ca_keys(
File "/usr/lib/python3.10/site-packages/ipaserver/install/custodiainstance.py", line 296, in get_ca_keys
self._get_keys(cacerts_file, cacerts_pwd, data)
File "/usr/lib/python3.10/site-packages/ipaserver/install/custodiainstance.py", line 252, in _get_keys
cli = self._get_custodia_client()
File "/usr/lib/python3.10/site-packages/ipaserver/install/custodiainstance.py", line 241, in _get_custodia_client
return CustodiaClient(
File "/usr/lib/python3.10/site-packages/ipaserver/secrets/client.py", line 70, in __init__
self._server_keys(), self._client_keys()
File "/usr/lib/python3.10/site-packages/ipaserver/secrets/client.py", line 80, in _server_keys
sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG)))
File "/usr/lib/python3.10/site-packages/ipaserver/secrets/kem.py", line 224, in find_key
return conn.get_key(usage, kid)
File "/usr/lib/python3.10/site-packages/ipaserver/secrets/kem.py", line 78, in get_key
raise ValueError("Incorrect number of results (%d) searching for "
2021-12-29T00:40:10Z DEBUG The ipa-replica-install command failed, exception: ValueError: Incorrect number of results (0) searching for public key for host/primary.example.com(a)EXAMPLE.COM
2021-12-29T00:40:10Z ERROR Incorrect number of results (0) searching for public key for host/primary.example.com(a)EXAMPLE.COM
2021-12-29T00:40:10Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Hi,
I have managed to set up an IPA cluster which is still replicating changes to users and CAs, but thinks it has no replication configured. I'm not sure how I have managed this and have not been able to figure it out, so I would appreciate any pointers anyone can provide.
I set up an initial IPA server, successfully joined a further 5 and set up the replication using the web-based GUI, with 3 being domain+ca and the remaining 3 being just domain. All seemed good: a user created on one server appeared on remote IPA servers, and I left for Christmas.
Returning to work yesterday, the web-based GUI does not show any links between the servers and will not let me add any, with the error "leftnode does not support suffix 'domain'". However, if I create or edit a user then it appears on the other IPA servers, and adding a new root CA is also visible from all IPA servers. I can also successfully join client servers, and then log in to them with IPA-based credentials.
The "ipa topology*" commands show no suffixes or segments; however, an LDAP search does show the links as I set them up (output below). The only errors I have seen in the logs are for things which Google searches list as "normal", but I'm obviously missing something. Disabling the firewall/SELinux does not seem to have any impact, and DNS/reverse DNS is resolving correctly from all the servers. The only difference from the guides is that FreeIPA is not hosting the reverse zones itself; I'm using forwarders to my main DNS servers, which host those records, but I can't see that being related as resolution is working.
Any pointers for where to look and what to look for next would be greatly appreciated. This is a fresh deploy, so I can wipe and restart if needed, but I'd like to at least understand what is going on so I can avoid repeating it in the future.
Versions installed:
ipa-client-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
ipa-server-dns-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch
# ipa topologysuffix-show
Suffix name: domain
ipa: ERROR: domain: suffix not found
# ipa topologysuffix-find --all
---------------------------
0 topology suffixes matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------
# ipa topologysegment-find domain --all
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
$ ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# topology, ipa, etc, ipa.mydomain.net
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: nsContainer
cn: topology
# domain, topology, ipa, etc, ipa.mydomain.net
dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
ternalModifyTimestamp
cn: domain
# ca, topology, ipa, etc, ipa.mydomain.net
dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: top
objectClass: iparepltopoconf
ipaReplTopoConfRoot: o=ipaca
cn: ca
# ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen
# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen
# ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, ca, topology, ipa, etc, i
pa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn
=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen
# ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa2-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen
# ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net
ipaReplTopoSegmentDirection: both
cn: ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net
objectClass: iparepltoposegment
objectClass: top
# ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net, domain, topology, ipa, et
c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topolog
y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net
ipaReplTopoSegmentStatus: autogen
<SNIP several more links>
# search result
search: 2
result: 0 Success
# numResponses: 17
# numEntries: 16
Neal Harrington | System Administrator
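An added example, not part of the post above and not FreeIPA's own code: a Python script that reads the ldapsearch output above (a minimal LDIF reader that unfolds the wrapped lines and skips comments), groups the iparepltoposegment entries by suffix, and reports for each suffix the servers, the segment count, whether every server can reach every other along the segment directions, and which servers have fewer than two segments. The LDIF is a constructed sample reduced from the entries shown; the suffix name is taken from the RDN directly under cn=topology, and all other names are the ones in the post. It shows what the topology plugin's data actually says when `ipa topologysegment-find` returns nothing.

```python
import base64
from collections import defaultdict, deque
from typing import Dict, List, Set

# Constructed sample in ldapsearch output form (folded lines start with one space),
# reduced from the topology entries shown above: three "domain" segments, one "ca".
SAMPLE_LDIF = """\
# ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, et
 c, ipa.mydomain.net
dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topolog
 y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net

dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net
objectClass: iparepltoposegment
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net
ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuations, skip comments, decode '::' values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    entries, entry = [], defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(dict(entry))
                entry = defaultdict(list)
        elif not line.startswith("#"):
            name, sep, value = line.partition(":")
            if sep:
                if value.startswith(":"):   # attr:: <base64>
                    value = base64.b64decode(value[1:].strip()).decode()
                entry[name.strip().lower()].append(value.strip())
    return entries


def _reachable(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in graph[todo.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def analyse_topology(ldif_text: str) -> Dict[str, dict]:
    """Per suffix: nodes, segment count, full reachability, under-connected nodes."""
    graphs: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    links: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    segments: Dict[str, int] = defaultdict(int)
    for e in parse_ldif(ldif_text):
        if "iparepltoposegment" not in [o.lower() for o in e.get("objectclass", [])]:
            continue
        suffix = e["dn"][0].split(",")[1].split("=", 1)[1]   # RDN under cn=topology
        left = e["iparepltoposegmentleftnode"][0]
        right = e["iparepltoposegmentrightnode"][0]
        direction = e.get("iparepltoposegmentdirection", ["both"])[0].lower()
        g = graphs[suffix]
        g.setdefault(left, set()); g.setdefault(right, set())
        if direction in ("both", "left-right"):
            g[left].add(right)                # replication flows left -> right
        if direction in ("both", "right-left"):
            g[right].add(left)
        segments[suffix] += 1
        links[suffix][left] += 1
        links[suffix][right] += 1
    report = {}
    for suffix, g in graphs.items():
        nodes = sorted(g)
        report[suffix] = {
            "nodes": nodes,
            "segments": segments[suffix],
            "connected": all(_reachable(g, n) == set(nodes) for n in nodes),
            "single_link_nodes": [n for n in nodes if links[suffix][n] < 2],
        }
    return report


if __name__ == "__main__":
    import json, sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    print(json.dumps(analyse_topology(text), indent=2))
```

Usage: `ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net" | python3 topo_check.py`. A suffix that is connected here but invisible to `ipa topologysuffix-find` points at the plugin or the API layer rather than at the replication agreements themselves, while a server listed under single_link_nodes has no redundant path and would drop out of replication if its one peer went away.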
On 12/27/21 15:27, Angus Clarke wrote:
> Ok let's try this:
>
> I've just registered angusclarke.com with a public DNS provider and am
> ready to deploy FreeIPA for my corporate network which uses a private
> IP space. How do I do this?
This is where things get odd for me. Why are you registering a TLD for a
private DNS server? That makes no sense. Public domain servers require
public access by definition. Otherwise they don't work.
> According to this
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht…
>
> then I should have a domain delegated to me, but I am not a public DNS
> provider,
Which means you shouldn't register a domain. Just add the domain to
freeIPA and have your clients use your FreeIPA dns server(s). Done. All
free!
> I'm just Angus Clarke ... Nor do I want my private IP space available
> to be looked up in a public DNS record
You don't. You cannot blow and have flour in your mouth at the same
time. When you register a domain you MUST provide public NS servers
which are authoritative for that domain which anyone querying your
domain will be forwarded to. By definition they HAVE to be public. You
can absolutely expose your FreeIPA name servers to the public, but it's
a whole other issue if you want to, as the configuration and security
gets a bit convoluted - but it can be done.
> ... And I'd rather have my private IP records handled by my internal
> DNS system - all of this is standard practise for companies and
> individuals however I dont think this topic is suitably addressed in
> the redhat documentation - I see a disconnect in the recommendation
> pasted above vs the installation documentation for FreeIPA.
For internal ONLY domains there is absolutely NO NEED to register a
domain with a public DNS service. You can even pretend to be "cisco.com"
or other addresses and your clients will happily use your DNS server
(well, if DNSSEC is on it may not be that simple) instead of Cisco's.
Public domains are for public access only. Your own network is your own
domain (sic) and you can do what you want, without having to register
anything.
>
> Maybe I've missed it, maybe I can promote the topic here and it can be
> championed in the right direction, maybe I can even help on the topic
> myself.
You're making it a lot harder. Just install FreeIPA, configure DNS and
add your domain. Set your DHCP server to use your FreeIPA server's IP as
the DNS server address for the clients, renew the DHCP leases and voila,
they're using that domain you just defined, internally only resolving to
internal addresses etc.
--
Regards
Peter Larsen
Same problem here. Any solution?
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
Hi,
I have the same problem as described in:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…
So it seems to be related to my update to version 4.9.6-10.
Any ideas what went wrong?
Kind regards,
Hi Angus,
Just be aware that maintaining parallel records is an overhead in the
longer term, as it's a manual process of keeping things in sync.
Delegation is a simpler, more natural solution in general.
Your public DNS servers can delegate to an internal DNS domain and then
you'll only have the internal addresses of your DNS servers in the
public domain.
For example angusclark.com has public nameservers a.b.c.d and a.b.c.e
which delegate int.angusclark.com to internal freeipa nameservers
ipa1.int.angusclark.com 10.10.10.10 and ipa2.int.angusclark.com
10.10.10.11 using glue records on the public servers.
Then you just follow the bouncing ball for setting up freeipa with
integrated DNS.
Outbound name resolution would use the freeipa servers, which would
forward to a convenient resolver, or you do resolution via the root
nameservers, which is probably a more secure solution.
-----Original Message-----
From: Angus Clarke via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: Rafael Jeffman <rjeffman(a)redhat.com>, Peter Larsen <peter(a)peterlarsen.org>
Cc: Dave Mintz <davemintz64(a)gmail.com>, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>, Angus Clarke <angus(a)charworth.com>
Subject: [Freeipa-users] Re: DNS and FreeIPA
Date: Mon, 27 Dec 2021 23:26:31 +0000
Thanks for your replies, I think I need to focus on internal resolver
configuration and less on public subdomain delegation.
Cheers
Angus
From: Rafael Jeffman <rjeffman(a)redhat.com>
Sent: Monday, 27 December 2021, 11:11 pm
To: Peter Larsen
Cc: Angus Clarke; FreeIPA users list; Dave Mintz
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA
Hello Angus,
Besides what Peter has written, let's get this warning from FreeIPA
site [1]:
> **Avoid name collisions**
> We strongly recommend that you do not use a domain name that is not
> delegated to you, even on a private network. For example, you should
> not use domain name company.int if you don't have valid delegation for
> it in public DNS tree.
As you can see, it is similar to what was on the Red Hat documentation
you mentioned before.
This first part of the warning says that you should not configure your
domain name with some "random" name if you don't own the domain. For
example, you should not use "cisco.com", "google.com" or "redhat.com",
even if your network is a private one. Note that, if it is a private
network, you "could" do it, but you shouldn't do it.
Why? The answer is on the warning itself:
> If this rule is not respected, the domain name will be resolved
> differently depending on the network configuration. As a result, network
> resources will become unavailable. Using domain names that are not
> delegated to you also makes DNSSEC more difficult to deploy and
> maintain. For further information about this issue please see the ICANN
> FAQ on domain name collisions.
Imagine you try to access google search and your private network uses
'google.com' as the domain. You would probably be redirected to an
internal server, instead of Google's search engine. (I'll not even get
into DNSSEC issues.)
So, everywhere you find "a domain that is delegated to you": well, that
domain is any domain you have registered (e.g. angusclark.com).
Even though your domain's nameservers are probably not under your
control (they are controlled by whoever you registered your domain with),
you have control over your domain, and as such you can create subdomains
on your private network that will not collide with any other domain (say,
ipa.angusclark.com).
If you manage this domain from your internal FreeIPA servers, there
will be no name collision.
I have a (few) registered domain(s), which I use both as a public
facing server (static, github pages), and within my private network,
which no one from outside can see, I have a subdomain (ipa) which
I use for managing my users and hosts.
Regards,
Rafael
[1]:
https://www.freeipa.org/page/Deployment_Recommendations
On Mon, Dec 27, 2021 at 6:08 PM Peter Larsen <peter(a)peterlarsen.org> wrote:
> <SNIP Peter Larsen's reply, quoted in full earlier on this page>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
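The delegation Neal describes (public nameservers delegating int.angusclark.com to internal FreeIPA servers with glue records) and the deployment-recommendation rule Rafael quotes (never use a name that is not delegated to you) can both be checked before anyone touches a registrar. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from BIND. It assumes a constructed set of owned domains (angusclark.com) plus the nameserver names and 10.10.10.x addresses from Neal's message, and the function names are my own. It refuses a zone such as company.int or cisco.com, emits the NS and glue lines the parent zone needs (glue only for in-bailiwick nameservers), and flags glue that would publish RFC 1918 addresses, which is exactly the exposure Angus said he did not want.

```python
import ipaddress

# Domains this organisation has actually registered (constructed example data).
OWNED_DOMAINS = {"angusclark.com"}


def is_under(zone: str, parent: str) -> bool:
    """True if zone equals parent or is a subdomain of it (case-insensitive)."""
    z = zone.rstrip(".").lower()
    p = parent.rstrip(".").lower()
    return z == p or z.endswith("." + p)


def check_zone_ownership(zone: str, owned=OWNED_DOMAINS) -> str:
    """Return the owned domain the zone falls under, or raise ValueError.

    Encodes the FreeIPA deployment warning: never use a name that is not
    delegated to you (company.int, cisco.com, ...), even on a private network.
    """
    for parent in owned:
        if is_under(zone, parent):
            return parent
    raise ValueError(f"{zone!r} is not under a domain you own {sorted(owned)}; "
                     "it would resolve differently inside and outside your network")


def delegation_records(child_zone: str, nameservers: dict) -> list:
    """Lines for the PARENT zone that delegate child_zone to nameservers ({host: ip}).

    Glue A/AAAA records are emitted only for nameservers whose names live inside
    the child zone (in-bailiwick); those are the only ones the parent must carry
    an address for, since a resolver cannot otherwise find them.
    """
    child = child_zone.rstrip(".").lower()
    lines = []
    for host in sorted(nameservers):
        lines.append(f"{child}.\tIN\tNS\t{host.rstrip('.').lower()}.")
    for host, ip in sorted(nameservers.items()):
        if is_under(host, child):
            rrtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
            lines.append(f"{host.rstrip('.').lower()}.\tIN\t{rrtype}\t{ip}")
    return lines


def private_glue(nameservers: dict) -> list:
    """Nameservers whose glue would publish a private (RFC 1918 / ULA) address."""
    return sorted(h for h, ip in nameservers.items()
                  if ipaddress.ip_address(ip).is_private)


def plan(child_zone: str, nameservers: dict, owned=OWNED_DOMAINS) -> dict:
    """Validate ownership, then produce the parent-zone lines and the leak warning."""
    parent = check_zone_ownership(child_zone, owned)
    return {
        "parent": parent,
        "records": delegation_records(child_zone, nameservers),
        "private_glue": private_glue(nameservers),
    }


if __name__ == "__main__":
    # Neal's example: internal FreeIPA servers on 10.10.10.x (constructed addresses).
    ns = {"ipa1.int.angusclark.com": "10.10.10.10",
          "ipa2.int.angusclark.com": "10.10.10.11"}
    p = plan("int.angusclark.com", ns)
    print("\n".join(p["records"]))
    if p["private_glue"]:
        print("WARNING: glue publishes private addresses for:",
              ", ".join(p["private_glue"]))
    try:
        plan("company.int", ns)
    except ValueError as err:
        print("refused:", err)
```

Running it as a script prints the four parent-zone lines and then the warning: the delegation works, but the public zone then advertises 10.10.10.10 and 10.10.10.11 as the internal nameservers' addresses, which is the trade-off Neal's approach carries. Put nameservers on public addresses, or outside the child zone (no glue needed), to avoid it.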
Angus,
There are two 'happy medium' approaches you can try with FreeIPA to
resolve the private/public issues you mention.
If you have just one or two addresses you want the public to see, get
one or two 'static IPs' from your ISP, set them in your registrar's
setup for your name, do the routing at your ISP interface and provide
the public services you prefer. Then in FreeIPA duplicate the domain,
duplicate the one or two IPs the public can see, then set your in-house
shop to use FreeIPA for resolution. It's not 'pretty', but it is
'pretty easy' and for one or two addresses the public can see really not
so bad. And in your use case DNSSEC for your domain appears to add
little of value.
The other approach for a 'happy medium' that is not the dreaded
split-view DNS is to have the ISP point to your static public IPs and
FreeIPA's DNS to resolve, but with none of your private addresses in the
public domain. Then create in the public domain a subdomain
'private.mydomain.com' or 'p.mydomain.com', but have the A record for
that point to a *private, non-routeable, local* IP address, one on
which your FreeIPA also listens.
Set that subdomain up in FreeIPA to not answer any but local IP queries.
So: one authoritative DNS server, for which DNSSEC will work (it's
buggy, but for one domain you probably won't hit it), no split-view DNS,
boxes checked. Harder, and you have to deal with
'myhost.p.mydomain' instead of 'myhost.mydomain', but checks the boxes.
HTH
Harry Coin
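Harry's second variant (one authoritative server, a public zone holding only public records, and a p.mydomain.com subzone answered only for local sources) can be modelled and audited before it is configured. The following is an added example written for this page, not FreeIPA or BIND code: it mimics the per-zone allow-query decision for a query (REFUSED for a source outside the zone's ACL, NXDOMAIN for an unknown name in a permitted zone), audits that no private address sits in a zone anyone may query, and prints the equivalent ipa dnszone-add / dnsrecord-add commands. The zone data, the 93.184.216.x and 10.10.10.x addresses, and the 10.0.0.0/8 ACL are constructed; the `--allow-query` flag syntax for `ipa dnszone-add` is my assumption and should be checked against `ipa dnszone-add --help` on the installed version.

```python
import ipaddress

# Sources allowed to query the private subzone (constructed: site LAN + loopback).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed example: one authoritative server, two zones.  allow_query=None
# means "any;" (the public zone); a list of networks restricts who gets answers.
ZONES = {
    "mydomain.com": {
        "allow_query": None,
        "records": {"www.mydomain.com": "93.184.216.34",
                    "ns1.mydomain.com": "93.184.216.35"},
    },
    "p.mydomain.com": {
        "allow_query": LOCAL_NETS,
        "records": {"ipa1.p.mydomain.com": "10.10.10.10",
                    "files.p.mydomain.com": "10.10.10.20"},
    },
}


def zone_for(qname: str, zones: dict):
    """Closest enclosing zone for qname (longest match wins), or None."""
    q = qname.rstrip(".").lower()
    best = None
    for z in zones:
        if (q == z or q.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def allowed(source_ip: str, acl) -> bool:
    """allow-query check: None = any source; otherwise the source must be in a listed net."""
    if acl is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in acl)


def answer(qname: str, source_ip: str, zones: dict = ZONES):
    """Return (rcode, rdata) the way a recursion-disabled authoritative server would."""
    z = zone_for(qname, zones)
    if z is None:
        return ("REFUSED", None)          # not our zone and we do not recurse for strangers
    if not allowed(source_ip, zones[z]["allow_query"]):
        return ("REFUSED", None)          # private subzone queried from outside the ACL
    rdata = zones[z]["records"].get(qname.rstrip(".").lower())
    return ("NOERROR", rdata) if rdata else ("NXDOMAIN", None)


def leaked_private_records(zones: dict = ZONES) -> list:
    """Names with private addresses in a zone that anyone may query (what Harry wants to be empty)."""
    leaks = []
    for cfg in zones.values():
        if cfg["allow_query"] is None:
            leaks.extend(name for name, ip in cfg["records"].items()
                         if ipaddress.ip_address(ip).is_private)
    return sorted(leaks)


def ipa_commands(zones: dict = ZONES) -> list:
    """Equivalent FreeIPA CLI lines (assumed --allow-query syntax; verify on your version)."""
    cmds = []
    for z, cfg in sorted(zones.items()):
        acl = "any;" if cfg["allow_query"] is None else "".join(f"{n};" for n in cfg["allow_query"])
        cmds.append(f"ipa dnszone-add {z} --allow-query='{acl}'")
        for name, ip in sorted(cfg["records"].items()):
            label = name[: -len(z) - 1]      # strip ".<zone>" to get the record label
            cmds.append(f"ipa dnsrecord-add {z} {label} --a-rec={ip}")
    return cmds


if __name__ == "__main__":
    for q, src in (("www.mydomain.com", "203.0.113.5"),
                   ("ipa1.p.mydomain.com", "203.0.113.5"),
                   ("ipa1.p.mydomain.com", "10.1.2.3")):
        print(f"{src:>12} asks {q:<22} -> {answer(q, src)}")
    print("private addresses exposed publicly:", leaked_private_records() or "none")
    print("\n".join(ipa_commands()))
```

The point the model makes concrete is that the ACL, not a second view, is what keeps 10.10.10.10 off the Internet: the same server answers www.mydomain.com for everyone and refuses p.mydomain.com to anyone outside 10.0.0.0/8, and leaked_private_records() is the audit to run whenever a record is added to the public zone.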