February 2021 - FreeIPA-users - Fedora mailing-lists

using SSH with password authentication when NIS is still running with FreeIPA
by Robert Kudyba 07 Apr '21

07 Apr '21

We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying to determine why ssh -k from any client is hanging and not even connecting. Does sssd need to be configured as in this 2013 training document? https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf The goal is to eliminate NIS so perhaps the issue is running both concurrently? The good news is, thanks to tips here last week, all the NIS users migrated along with their passwords. And kinit on the Free IPA server even prompts to change their password. sssd is running: sssd_be[2329]: GSSAPI client step 1 sssd_be[2329]: GSSAPI client step 2 /etc/krb.conf includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = ourserver.EDU dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] ourserver.EDU = { kdc = ourserver.edu:88 master_kdc = ourserver.edu:88 admin_server = ourserver.edu:749 default_domain = ourserver.edu pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .ourserver.edu = ourserver.EDU ourserver.edu = ourserver.EDU ourserver.edu = ourserver.EDU [dbmodules] ourserver.EDU = { db_library = ipadb.so } [plugins] certauth = { module = ipakdb:kdb/ipadb.so enable_only = ipakdb } HBAC is wide open: ipa hbacrule-find -------------------- 2 HBAC rules matched -------------------- Rule name: allow_all User category: all Host category: all Service category: all Description: Allow all users to access any host from any host Enabled: TRUE Rule name: allow_systemd-user User category: all Host category: all Description: Allow pam_systemd to run user@.service to create a system user session Enabled: TRUE Here are some debug ssh server logs: Feb 8 16:23:27 ourserver sshd[381563]: debug1: Forked child 510395. Feb 8 16:23:27 ourserver sshd[510395]: debug1: Set /proc/self/oom_score_adj to 0 Feb 8 16:23:27 ourserver sshd[510395]: debug1: rexec start in 5 out 5 newsock 5 pipe 10 sock 11 Feb 8 16:23:27 ourserver sshd[510395]: debug1: inetd sockets after dupping: 4, 4 Feb 8 16:23:27 ourserver sshd[510395]: Connection from 150.108.68.26 port 45806 on 150.108.64.156 port 22 rdomain "" Feb 8 16:23:27 ourserver sshd[510395]: debug1: Local version string SSH-2.0-OpenSSH_8.4 Feb 8 16:23:27 ourserver sshd[510395]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4 Feb 8 16:23:27 ourserver sshd[510395]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000 Feb 8 16:23:27 ourserver sshd[510395]: debug1: SELinux support disabled [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: permanently_set_uid: 74/74 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT sent [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT received [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: algorithm: curve25519-sha256 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: client->server cipher: aes256-gcm(a)openssh.com MAC: <implicit> compression: none [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: server->client cipher: aes256-gcm(a)openssh.com MAC: <implicit> compression: none [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey out after 4294967296 blocks [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS sent [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: Sending SSH2_MSG_EXT_INFO [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_NEWKEYS [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS received [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey in after 4294967296 blocks [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: KEX done [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 0 failures 0 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: initializing for "ouruser" Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_RHOST to "xx.xx.xx.xx" Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_TTY to "ssh" Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method publickey [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 1 failures 0 [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk [preauth] Feb 8 16:23:27 ourserver sshd[510395]: debug1: temporarily_use_uid: 5879/200 (e=0/0) Feb 8 16:23:27 ourserver sshd[510395]: debug1: trying public key file /home/ouruser/.ssh/authorized_keys and ssh -k from a Fedora client, note the user I'm logged in as is NOT the same user I'm trying to log in to: ssh -vv -k ouruser@ourserver OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020 debug1: Reading configuration data /home/ouruser/.ssh/config debug1: /home/ouruser/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf debug2: checking match for 'final all' host ourserver originally ourserver debug2: match not found debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug1: configuration requests final Match pass debug1: re-parsing configuration debug1: Reading configuration data /home/ouruser/.ssh/config debug1: /home/ouruser/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf debug2: checking match for 'final all' host ourserver originally ourserver debug2: match found debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug1: auto-mux: Trying existing master debug1: Control socket "/home/ouruser/.ssh/sockets/ouruser@ourserver-22" does not exist debug2: resolving "ourserver" port 22 debug2: ssh_connect_direct debug1: Connecting to ourserver [150.108.64.156] port 22. debug1: Connection established. debug1: identity file /home/ouruser/.ssh/id_rsa type 0 debug1: identity file /home/ouruser/.ssh/id_rsa-cert type -1 debug1: identity file /home/ouruser/.ssh/id_dsa type -1 debug1: identity file /home/ouruser/.ssh/id_dsa-cert type -1 debug1: identity file /home/ouruser/.ssh/id_ecdsa type -1 debug1: identity file /home/ouruser/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/ouruser/.ssh/id_ed25519 type 3 debug1: identity file /home/ouruser/.ssh/id_ed25519-cert type -1 debug1: identity file /home/ouruser/.ssh/id_ed25519_sk type -1 debug1: identity file /home/ouruser/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/ouruser/.ssh/id_xmss type -1 debug1: identity file /home/ouruser/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4 debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to ourserver:22 as 'ouruser' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256(a)libssh.org ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01(a)openssh.com, ecdsa-sha2-nistp384-cert-v01(a)openssh.com, ecdsa-sha2-nistp521-cert-v01(a)openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com ,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com ,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com ,aes256-ctr,aes128-gcm(a)openssh.com,aes128-ctr debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com ,aes256-ctr,aes128-gcm(a)openssh.com,aes128-ctr debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com, umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com ,hmac-sha2-256,hmac-sha1,umac-128(a)openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com, umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com ,hmac-sha2-256,hmac-sha1,umac-128(a)openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib(a)openssh.com,zlib debug2: compression stoc: none,zlib(a)openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256(a)libssh.org ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305(a)openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm(a)openssh.com, aes256-gcm(a)openssh.com debug2: ciphers stoc: chacha20-poly1305(a)openssh.com ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm(a)openssh.com, aes256-gcm(a)openssh.com debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com ,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com ,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib(a)openssh.com debug2: compression stoc: none,zlib(a)openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: aes256-gcm(a)openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: aes256-gcm(a)openssh.com MAC: <implicit> compression: none debug1: kex: curve25519-sha256 need=32 dh_need=32 debug1: kex: curve25519-sha256 need=32 dh_need=32 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM debug1: Host 'ourserver' is known and matches the ECDSA host key. debug1: Found key in /home/ouruser/.ssh/known_hosts:46 debug2: set_newkeys: mode 1 debug1: rekey out after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 4294967296 blocks debug1: Will attempt key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk debug1: Will attempt key: /home/ouruser/.ssh/id_dsa debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519 ED25519 SHA256:OoedE0VhmLFtl9nifW57Mca+GHDD0xKkJ2BCLGlV9xc debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519_sk debug1: Will attempt key: /home/ouruser/.ssh/id_xmss debug2: pubkey_prepare: done debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519, sk-ssh-ed25519(a)openssh.com ,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256(a)openssh.com, webauthn-sk-ecdsa-sha2-nistp256(a)openssh.com> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: KCM:) debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: KCM:) debug2: we did not send a packet, disable method debug1: Next authentication method: publickey debug1: Offering public key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk debug2: we sent a publickey packet, wait for reply What am I missing? I appreciate the help last week! Rob

3 28

Missing mandatory attribute ipaNTSecurityIdentifier.
by Lachlan Simpson 06 Mar '21

06 Mar '21

Last week I was having SSSD issues and Sumit was sharp enough to pick out that I didn't allow enough RIDs. ( https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.… ) I increase the range by 5,000,000 via the GUI, restarted all two SSSD services (test ipa server, test client) after clearing their caches and it started to work. For reasons, the IPA test server was power cycled and when it came back up, IPA wont start. `ipactl start` aborts because "Failed to start smb Service" I am seeing the following in the samba logs: [2021/02/23 14:57:23.259648, 0] ../../source3/smbd/server.c:1782(main) smbd version 4.12.3 started. Copyright Andrew Tridgell and the Samba Team 1992-2020 [2021/02/23 14:57:23.312207, 1] ../../source3/profile/profile.c:55(set_profile_level) INFO: Profiling turned OFF from pid 2360 [2021/02/23 14:57:23.345139, 0] ipa_sam.c:3980(get_fallback_group_sid) Missing mandatory attribute ipaNTSecurityIdentifier. [2021/02/23 14:57:23.345184, 0] ipa_sam.c:4950(pdb_init_ipasam) Cannot find SID of fallback group. [2021/02/23 14:57:23.345194, 0] ../../source3/passdb/pdb_interface.c:180(make_pdb_method_name) pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-TEST-IDM-COMPANY-COM.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER) [2021/02/23 15:05:11.201577, 0] ../../source3/smbd/server.c:1782(main) smbd version 4.12.3 started. Copyright Andrew Tridgell and the Samba Team 1992-2020 [2021/02/23 15:05:11.212856, 1] ../../source3/profile/profile.c:55(set_profile_level) INFO: Profiling turned OFF from pid 3146 [2021/02/23 15:05:11.234448, 0] ipa_sam.c:3980(get_fallback_group_sid) Missing mandatory attribute ipaNTSecurityIdentifier. A quick search suggests that potentially my change of the RID has affected SMB but I'm not 100% sure what to do next. I guess I need to add an ipaNTSecurityIdentifier variable - but I'm not sure where. This page https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ipa… suggests that I need to add a sidgen to the FreeIPA users that exist, but those users were created via the GUI - shouldn't the SID have been created then? And if they didn't, how come I've been able to reboot successfully relatively frequently without this issue happening before - is it because I changed the value of that one domain's ID range? Cheers L.

3 9

Problem adding DKIM record in DNS
by Kees Bakker 28 Feb '21

28 Feb '21

Hi, This is a heads-up for people who want to add a DKIM TXT record in FreeIPA. Adding a (long) TXT record with the DKIM key fails with a syntax error from named-pkcs11 The FreeIPA web UI did not show an error but with journalctl I see there is one. feb 27 21:51:58 rotte.ghs.nl named-pkcs11[9314]: failed to parse RR entry: resource record DN 'idnsname=key._domainkey,idnsname=ghs.nl.,cn=dns,dc=ghs,dc=nl': data 'v=DKIM1; k=rsa; p=MIICIjANBgkqhkiG9w0B...Svu91xOnS5UfjsCAwEAAQ==': syntax error feb 27 21:51:58 rotte.ghs.nl named-pkcs11[9314]: update_record (syncrepl) failed, resource record DN 'idnsname=key._domainkey,idnsname=ghs.nl.,cn=dns,dc=ghs,dc=nl' change type 0x2. Records can be outdated, run `rndc reload`: syntax error There are two links that helped me solve the problem, [1] and [2]. Now I can see the DKIM record in DNS. [1] https://robots.org.uk/FreeIPA#DNS:_long_TXT_records [2] https://kb.isc.org/docs/aa-00356 -- Kees

1 0

Apache Guacamole LDAP client 2FA authetication fails with Invalid Credentails.
by mir mal 27 Feb '21

27 Feb '21

Hi, After 2FA sssd split into two prompts the LDAP client from Guacamole is failing. I've also opened a ticket with the Guacamole team but the response from LDAP is not indicating much is just an Invalid Credentials. It could be down to the way they do authentication as they do authentication once to check credentials and this part is working correctly but then they use TokenInjectingConnection and try to authenticate again to query Guacamole related properties if LDAP has been used to store Guacamole data, that part is failing and the whole process ends up with Invalid Login. When I switch back to password-only or password and top then it's working as expected. I had a similar issue with RDP and the solution was to change sssd.conf to a single prompt, however sssd.conf is for pam services not LDAP clients. Is there something I have to tweak in FreeIPA to get it to work with LDAP clients so the password and top is sent as a single password string, the same way you do it with RDP? Also, o ther LDAP clients like Apache Directory or OPNSense PHP Ldap clients are working fine sending pwd+otp as a single string so I think it's down to the TokenInjectingConnection, maybe FreeIPA won't allow you to provided OTP twice in the same session and therefore sending InvalidCredentials. The ticket I've open with the Guacamole team: https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jir…

2 2

default certificate validity length should be less than 1 year.
by Alan Latteri 27 Feb '21

27 Feb '21

Now that Mozilla and other browsers will not Trust a certificate with a validity length longer than a year, FreeIPA should change the default length to match. Currently IPA issues 2 year certificates, which make all the browsers view them as Un-Trusted. This defeats the purpose of cert issuance.

3 3

ipa-adtrust-install on replicas
by Alan Latteri 27 Feb '21

27 Feb '21

Does ipa-adtrust-install need to be run on replicas for environments where there are ipa-clients being used as samba file servers? Thanks, Alan

1 0

blank page for migration URL: File does not exist: /usr/share/ipa/ui/js/freeipa/menu.js
by Robert Kudyba 25 Feb '21

25 Feb '21

Running freeipa-server-4.9.1-1.fc33.x86_64 with httpd-2.4.46-9.fc33.x86_64 and the domain/ipa/migration page is blank. The only thing in the page source is:  <meta name="viewport" content="width=device-width, initial-scale=1.0"> <base href="../ui/" target="_blank"> <script type="text/javascript" src="../ui/js/libs/loader.js"></script> <script type="text/javascript"> var dojoConfig = { baseUrl: "js", has: { 'dojo-firebug': false, 'dojo-debug-messages': true }, parseOnLoad: false, async: true, packages: [ { name:'dojo', location:'dojo' }, { name: 'freeipa', location: 'freeipa' } ], cacheBust: ipa_loader.num_version || "" }; (function() { var ie = !!document.getElementById('ie-detector'); var styles = [ 'css/patternfly.css', 'css/ipa.css', 'ipa.css' ]; if (ie) styles.push('ie.css'); var icons = ['favicon.ico']; var scripts = [ 'js/libs/jquery.js', 'js/libs/jquery.ordered-map.js', 'js/dojo/dojo.js' ]; ipa_loader.scripts(scripts, function() { require([ 'freeipa/core', 'dojo/domReady!' ], function(app) { app.run_simple('migrate'); }); }); ipa_loader.styles(styles); ipa_loader.icons(icons); })(); </script> </head> <body> <noscript>This application requires JavaScript enabled.</noscript> </body> With debug logging enabled lots of log noise, anything particular stick out such as: SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46) or File does not exist: /usr/share/ipa/ui/js/freeipa/menu.js It sounds like menu.js might be important... [Fri Feb 19 16:23:34.231671 2021] [core:debug] [pid 3423167:tid 3423380] protocol.c(2338): [client x.x.x.x:34558] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.238036 2021] [ssl:info] [pid 3423167:tid 3423377] [client x.x.x.x:34560] AH02008: SSL library error 1 in handshake (server ourserver.edu:443) [Fri Feb 19 16:23:34.238088 2021] [ssl:info] [pid 3423167:tid 3423377] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46) [Fri Feb 19 16:23:34.238106 2021] [ssl:info] [pid 3423167:tid 3423377] [client x.x.x.x:34560] AH01998: Connection closed to child 147 with abortive shutdown (server ourserver.edu:443) [Fri Feb 19 16:23:34.238350 2021] [ssl:info] [pid 3423167:tid 3423380] [client x.x.x.x:34558] AH02008: SSL library error 1 in handshake (server ourserver.edu:443) [Fri Feb 19 16:23:34.238395 2021] [ssl:info] [pid 3423167:tid 3423380] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46) [Fri Feb 19 16:23:34.238443 2021] [ssl:info] [pid 3423167:tid 3423380] [client x.x.x.x:34558] AH01998: Connection closed to child 150 with abortive shutdown (server ourserver.edu:443) [Fri Feb 19 16:23:34.239792 2021] [ssl:info] [pid 3423166:tid 3423299] [client x.x.x.x:34562] AH01964: Connection to child 69 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.240047 2021] [ssl:debug] [pid 3423166:tid 3423299] ssl_engine_kernel.c(2374): [client x.x.x.x:34562] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.240115 2021] [core:debug] [pid 3423166:tid 3423299] protocol.c(2338): [client x.x.x.x:34562] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.246809 2021] [ssl:debug] [pid 3423166:tid 3423299] ssl_engine_kernel.c(2254): [client x.x.x.x:34562] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) [Fri Feb 19 16:23:34.247008 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xf4 -> subcache 20) [Fri Feb 19 16:23:34.247037 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(730): AH00842: expiring 1 and reclaiming 1 removed socache entries [Fri Feb 19 16:23:34.247049 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.247059 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.247068 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/229 [Fri Feb 19 16:23:34.247077 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.247269 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x7f -> subcache 31) [Fri Feb 19 16:23:34.247296 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(730): AH00842: expiring 2 and reclaiming 0 removed socache entries [Fri Feb 19 16:23:34.247306 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.247315 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.247324 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/229 [Fri Feb 19 16:23:34.247333 2021] [socache_shmcb:debug] [pid 3423166:tid 3423299] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.248150 2021] [ssl:debug] [pid 3423166:tid 3423299] ssl_engine_kernel.c(415): [client x.x.x.x:34562] AH02034: Initial (No.1) HTTPS request received for child 69 (server ourserver.edu:443) [Fri Feb 19 16:23:34.249128 2021] [deflate:debug] [pid 3423166:tid 3423299] mod_deflate.c(867): [client x.x.x.x:34562] AH01384: Zlib: Compressed 1853 to 734 : URL /ipa/migration/index.html [Fri Feb 19 16:23:34.519107 2021] [ssl:debug] [pid 3423166:tid 3423306] ssl_engine_kernel.c(415): [client x.x.x.x:34562] AH02034: Subsequent (No.2) HTTPS request received for child 76 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.525342 2021] [ssl:debug] [pid 3423166:tid 3423295] ssl_engine_kernel.c(415): [client x.x.x.x:34562] AH02034: Subsequent (No.3) HTTPS request received for child 65 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.526073 2021] [ssl:info] [pid 3423824:tid 3423866] [client x.x.x.x:34566] AH01964: Connection to child 194 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.526299 2021] [ssl:debug] [pid 3423824:tid 3423866] ssl_engine_kernel.c(2374): [client x.x.x.x:34566] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.526523 2021] [core:debug] [pid 3423824:tid 3423866] protocol.c(2338): [client x.x.x.x:34566] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.527712 2021] [ssl:info] [pid 3423167:tid 3423361] [client x.x.x.x:34568] AH01964: Connection to child 131 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.527908 2021] [ssl:debug] [pid 3423167:tid 3423361] ssl_engine_kernel.c(2374): [client x.x.x.x:34568] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.528093 2021] [core:debug] [pid 3423167:tid 3423361] protocol.c(2338): [client x.x.x.x:34568] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.528262 2021] [socache_shmcb:debug] [pid 3423824:tid 3423866] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x7f -> subcache 31) [Fri Feb 19 16:23:34.528299 2021] [socache_shmcb:debug] [pid 3423824:tid 3423866] mod_socache_shmcb.c(939): AH00852: possible match at idx=0, data=0 [Fri Feb 19 16:23:34.528312 2021] [socache_shmcb:debug] [pid 3423824:tid 3423866] mod_socache_shmcb.c(944): AH00853: shmcb_subcache_remove removing matching entry [Fri Feb 19 16:23:34.528322 2021] [socache_shmcb:debug] [pid 3423824:tid 3423866] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully [Fri Feb 19 16:23:34.528338 2021] [ssl:info] [pid 3423824:tid 3423866] [client x.x.x.x:34566] AH02008: SSL library error 1 in handshake (server ourserver.edu:443) [Fri Feb 19 16:23:34.528369 2021] [ssl:info] [pid 3423824:tid 3423866] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46) [Fri Feb 19 16:23:34.528383 2021] [ssl:info] [pid 3423824:tid 3423866] [client x.x.x.x:34566] AH01998: Connection closed to child 194 with abortive shutdown (server ourserver.edu:443) [Fri Feb 19 16:23:34.528762 2021] [ssl:info] [pid 3423824:tid 3423871] [client x.x.x.x:34570] AH01964: Connection to child 199 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.529011 2021] [ssl:debug] [pid 3423824:tid 3423871] ssl_engine_kernel.c(2374): [client x.x.x.x:34570] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.529077 2021] [core:debug] [pid 3423824:tid 3423871] protocol.c(2338): [client x.x.x.x:34570] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.529562 2021] [socache_shmcb:debug] [pid 3423167:tid 3423361] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0xf4 -> subcache 20) [Fri Feb 19 16:23:34.529590 2021] [socache_shmcb:debug] [pid 3423167:tid 3423361] mod_socache_shmcb.c(939): AH00852: possible match at idx=0, data=0 [Fri Feb 19 16:23:34.529612 2021] [socache_shmcb:debug] [pid 3423167:tid 3423361] mod_socache_shmcb.c(944): AH00853: shmcb_subcache_remove removing matching entry [Fri Feb 19 16:23:34.529624 2021] [socache_shmcb:debug] [pid 3423167:tid 3423361] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully [Fri Feb 19 16:23:34.529642 2021] [ssl:info] [pid 3423167:tid 3423361] [client x.x.x.x:34568] AH02008: SSL library error 1 in handshake (server ourserver.edu:443) [Fri Feb 19 16:23:34.529670 2021] [ssl:info] [pid 3423167:tid 3423361] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46) [Fri Feb 19 16:23:34.529684 2021] [ssl:info] [pid 3423167:tid 3423361] [client x.x.x.x:34568] AH01998: Connection closed to child 131 with abortive shutdown (server ourserver.edu:443) [Fri Feb 19 16:23:34.531096 2021] [ssl:info] [pid 3423165:tid 3423230] [client x.x.x.x:34572] AH01964: Connection to child 0 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.531294 2021] [ssl:debug] [pid 3423165:tid 3423230] ssl_engine_kernel.c(2374): [client x.x.x.x:34572] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.531323 2021] [ssl:info] [pid 3423165:tid 3423240] [client x.x.x.x:34574] AH01964: Connection to child 10 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.531349 2021] [core:debug] [pid 3423165:tid 3423230] protocol.c(2338): [client x.x.x.x:34572] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.531487 2021] [ssl:debug] [pid 3423165:tid 3423240] ssl_engine_kernel.c(2374): [client x.x.x.x:34574] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.531538 2021] [core:debug] [pid 3423165:tid 3423240] protocol.c(2338): [client x.x.x.x:34574] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.535262 2021] [deflate:debug] [pid 3423166:tid 3423295] mod_deflate.c(867): [client x.x.x.x:34562] AH01384: Zlib: Compressed 88090 to 30602 : URL /ipa/ui/js/libs/jquery.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.535414 2021] [ssl:info] [pid 3423824:tid 3423871] [client x.x.x.x:34570] AH02008: SSL library error 1 in handshake (server ourserver.edu:443) [Fri Feb 19 16:23:34.535467 2021] [ssl:info] [pid 3423824:tid 3423871] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46) [Fri Feb 19 16:23:34.535484 2021] [ssl:info] [pid 3423824:tid 3423871] [client x.x.x.x:34570] AH01998: Connection closed to child 199 with abortive shutdown (server ourserver.edu:443) [Fri Feb 19 16:23:34.537555 2021] [ssl:info] [pid 3423824:tid 3423868] [client x.x.x.x:34576] AH01964: Connection to child 196 established (server ourserver.edu:443) [Fri Feb 19 16:23:34.537726 2021] [ssl:debug] [pid 3423824:tid 3423868] ssl_engine_kernel.c(2374): [client x.x.x.x:34576] AH02043: SSL virtual host for servername ourserver.edu found [Fri Feb 19 16:23:34.537781 2021] [core:debug] [pid 3423824:tid 3423868] protocol.c(2338): [client x.x.x.x:34576] AH03155: select protocol from , choices=h2,http/1.1 for server ourserver.edu [Fri Feb 19 16:23:34.538052 2021] [ssl:debug] [pid 3423165:tid 3423240] ssl_engine_kernel.c(2254): [client x.x.x.x:34574] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) [Fri Feb 19 16:23:34.538203 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x74 -> subcache 20) [Fri Feb 19 16:23:34.538223 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(730): AH00842: expiring 0 and reclaiming 1 removed socache entries [Fri Feb 19 16:23:34.538233 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.538241 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.538249 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/229 [Fri Feb 19 16:23:34.538258 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.538428 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xfa -> subcache 26) [Fri Feb 19 16:23:34.538464 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(730): AH00842: expiring 1 and reclaiming 0 removed socache entries [Fri Feb 19 16:23:34.538494 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.538505 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.538498 2021] [ssl:debug] [pid 3423165:tid 3423230] ssl_engine_kernel.c(2254): [client x.x.x.x:34572] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) [Fri Feb 19 16:23:34.538514 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/229 [Fri Feb 19 16:23:34.538537 2021] [socache_shmcb:debug] [pid 3423165:tid 3423240] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.538701 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xbf -> subcache 31) [Fri Feb 19 16:23:34.538730 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(730): AH00842: expiring 0 and reclaiming 1 removed socache entries [Fri Feb 19 16:23:34.538742 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.538751 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.538760 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/228 [Fri Feb 19 16:23:34.538769 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.538941 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x1d -> subcache 29) [Fri Feb 19 16:23:34.538979 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(730): AH00842: expiring 1 and reclaiming 0 removed socache entries [Fri Feb 19 16:23:34.538990 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.539000 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.539008 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/228 [Fri Feb 19 16:23:34.539017 2021] [socache_shmcb:debug] [pid 3423165:tid 3423230] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.541010 2021] [ssl:debug] [pid 3423165:tid 3423240] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Initial (No.1) HTTPS request received for child 10 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.541165 2021] [ssl:debug] [pid 3423165:tid 3423230] ssl_engine_kernel.c(415): [client x.x.x.x:34572] AH02034: Initial (No.1) HTTPS request received for child 0 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.541781 2021] [ssl:debug] [pid 3423166:tid 3423298] ssl_engine_kernel.c(415): [client x.x.x.x:34562] AH02034: Subsequent (No.4) HTTPS request received for child 68 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.542289 2021] [deflate:debug] [pid 3423165:tid 3423230] mod_deflate.c(867): [client x.x.x.x:34572] AH01384: Zlib: Compressed 8147 to 2293 : URL /ipa/ui/css/ipa.css, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.542837 2021] [deflate:debug] [pid 3423166:tid 3423298] mod_deflate.c(867): [client x.x.x.x:34562] AH01384: Zlib: Compressed 8809 to 2459 : URL /ipa/ui/ipa.css, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.544983 2021] [ssl:debug] [pid 3423824:tid 3423868] ssl_engine_kernel.c(2254): [client x.x.x.x:34576] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) [Fri Feb 19 16:23:34.545144 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xbb -> subcache 27) [Fri Feb 19 16:23:34.545169 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(730): AH00842: expiring 0 and reclaiming 1 removed socache entries [Fri Feb 19 16:23:34.545180 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.545188 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.545196 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/229 [Fri Feb 19 16:23:34.545204 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.545360 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xae -> subcache 14) [Fri Feb 19 16:23:34.545397 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(730): AH00842: expiring 2 and reclaiming 0 removed socache entries [Fri Feb 19 16:23:34.545407 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(750): AH00843: we now have 0 socache entries [Fri Feb 19 16:23:34.545416 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(847): AH00847: insert happened at idx=0, data=(0:32) [Fri Feb 19 16:23:34.545424 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/228 [Fri Feb 19 16:23:34.545432 2021] [socache_shmcb:debug] [pid 3423824:tid 3423868] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store successfully [Fri Feb 19 16:23:34.552996 2021] [deflate:debug] [pid 3423165:tid 3423240] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 201946 to 31837 : URL /ipa/ui/css/patternfly.css, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.567942 2021] [ssl:debug] [pid 3423165:tid 3423244] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Subsequent (No.2) HTTPS request received for child 14 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:34.568753 2021] [deflate:debug] [pid 3423165:tid 3423244] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 4425 to 1337 : URL /ipa/ui/js/libs/jquery.ordered-map.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.712960 2021] [ssl:debug] [pid 3423165:tid 3423239] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Subsequent (No.3) HTTPS request received for child 9 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.728347 2021] [deflate:debug] [pid 3423165:tid 3423239] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 142079 to 41307 : URL /ipa/ui/js/dojo/dojo.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.757444 2021] [ssl:debug] [pid 3423165:tid 3423241] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Subsequent (No.4) HTTPS request received for child 11 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.788804 2021] [deflate:debug] [pid 3423165:tid 3423241] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 353973 to 79203 : URL /ipa/ui/js/freeipa/core.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.850989 2021] [ssl:debug] [pid 3423165:tid 3423236] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Subsequent (No.5) HTTPS request received for child 6 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.851240 2021] [authz_core:debug] [pid 3423165:tid 3423236] mod_authz_core.c(815): [client x.x.x.x:34574] AH01626: authorization result of Require all granted: granted, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.851266 2021] [authz_core:debug] [pid 3423165:tid 3423236] mod_authz_core.c(815): [client x.x.x.x:34574] AH01626: authorization result of <RequireAny>: granted, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.851657 2021] [authz_core:debug] [pid 3423165:tid 3423236] mod_authz_core.c(815): [client x.x.x.x:34574] AH01626: authorization result of Require all granted: granted, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.851685 2021] [authz_core:debug] [pid 3423165:tid 3423236] mod_authz_core.c(815): [client x.x.x.x:34574] AH01626: authorization result of <RequireAny>: granted, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.851706 2021] [auth_gssapi:debug] [pid 3423165:tid 3423236] mod_auth_gssapi.c(737): [client x.x.x.x:34574] GSSapiImpersonate not On, skipping impersonation., referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.852504 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Fri Feb 19 16:23:35.852742 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: DEBUG: WSGI jsonserver_i18n_messages.__call__: [Fri Feb 19 16:23:35.853047 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: DEBUG: WSGI jsonserver.__call__: [Fri Feb 19 16:23:35.853182 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: DEBUG: WSGI WSGIExecutioner.__call__: [Fri Feb 19 16:23:35.853590 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: DEBUG: raw: i18n_messages(version='2.240') [Fri Feb 19 16:23:35.853829 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: DEBUG: i18n_messages(version='2.240') [Fri Feb 19 16:23:35.862845 2021] [wsgi:error] [pid 3423161:tid 3423516] [remote x.x.x.x:34574] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.240'): SUCCESS [Fri Feb 19 16:23:35.873590 2021] [deflate:debug] [pid 3423165:tid 3423236] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 74510 to 14081 : URL /ipa/i18n_messages, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.896395 2021] [ssl:debug] [pid 3423165:tid 3423245] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Subsequent (No.6) HTTPS request received for child 15 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:35.897876 2021] [deflate:debug] [pid 3423165:tid 3423245] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 69 to 71 : URL /ipa/wsgi/plugins.py, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.380770 2021] [ssl:debug] [pid 3423165:tid 3423246] ssl_engine_kernel.c(415): [client x.x.x.x:34574] AH02034: Subsequent (No.7) HTTPS request received for child 16 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.381518 2021] [deflate:debug] [pid 3423165:tid 3423246] mod_deflate.c(867): [client x.x.x.x:34574] AH01384: Zlib: Compressed 3120 to 799 : URL /ipa/ui/js/plugins/userfas/userfas.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.381532 2021] [ssl:debug] [pid 3423166:tid 3423297] ssl_engine_kernel.c(415): [client x.x.x.x:34562] AH02034: Subsequent (No.5) HTTPS request received for child 67 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.382464 2021] [ssl:debug] [pid 3423165:tid 3423253] ssl_engine_kernel.c(415): [client x.x.x.x:34572] AH02034: Subsequent (No.2) HTTPS request received for child 23 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.382510 2021] [deflate:debug] [pid 3423166:tid 3423297] mod_deflate.c(867): [client x.x.x.x:34562] AH01384: Zlib: Compressed 4580 to 1251 : URL /ipa/ui/js/plugins/groupfas/groupfas.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.383392 2021] [deflate:debug] [pid 3423165:tid 3423253] mod_deflate.c(867): [client x.x.x.x:34572] AH01384: Zlib: Compressed 5255 to 1061 : URL /ipa/ui/js/plugins/fasagreement/fasagreement.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.390937 2021] [ssl:debug] [pid 3423165:tid 3423254] ssl_engine_kernel.c(415): [client x.x.x.x:34572] AH02034: Subsequent (No.3) HTTPS request received for child 24 (server ourserver.edu:443), referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.391264 2021] [core:info] [pid 3423165:tid 3423254] [client x.x.x.x:34572] AH00128: File does not exist: /usr/share/ipa/ui/js/freeipa/menu.js, referer: https://ourserver.edu/ipa/migration/ [Fri Feb 19 16:23:36.391307 2021] [headers:debug] [pid 3423165:tid 3423254] mod_headers.c(899): AH01503: headers: ap_headers_error_filter() [Fri Feb 19 16:23:54.565642 2021] [reqtimeout:info] [pid 3423824:tid 3423868] [client x.x.x.x:34576] AH01382: Request header read timeout [Fri Feb 19 16:23:54.565889 2021] [ssl:debug] [pid 3423824:tid 3423868] ssl_engine_io.c(1102): [client x.x.x.x:34576] AH02001: Connection closed to child 196 with standard shutdown (server ourserver.edu:443) [Fri Feb 19 16:24:06.382971 2021] [ssl:debug] [pid 3423165:tid 3423238] ssl_engine_io.c(1102): [client x.x.x.x:34574] AH02001: Connection closed to child 8 with standard shutdown (server ourserver.edu:443) [Fri Feb 19 16:24:06.384886 2021] [ssl:debug] [pid 3423166:tid 3423294] ssl_engine_io.c(1102): [client x.x.x.x:34562] AH02001: Connection closed to child 64 with standard shutdown (server ourserver.edu:443) [Fri Feb 19 16:24:06.391593 2021] [ssl:debug] [pid 3423165:tid 3423250] ssl_engine_io.c(1102): [client x.x.x.x:34572] AH02001: Connection closed to child 20 with standard shutdown (server ourserver.edu:443)

2 2

Re: Why does openssl respond to tlsv1.0 and tlsv1.1 when I have set the NSSProtocol to tlsv1.2?
by Rob Crittenden 22 Feb '21

22 Feb '21

Auerbach, Steven via FreeIPA-users wrote: > I have tried to set this server to clear SecureWorks Vulnerabilities. > This warning I do not understand. I have the following in nss.conf: > > # SSL Cipher Suite: > > # List the ciphers that the client is permitted to negotiate. > > # See the mod_nss documentation for a complete list. > > > > NSSCipherSuite > +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha > > # SSL Protocol: > > NSSProtocol TLSv1.2 > > > > When I execute openssl s_client -connect 127.0.0.1:636 tlsv1 (or > tlsv1_1) I get a successful response of my certificate, a handshake, > and a 0 return code. SecureWorks reports SSL/TLS Server supports > TLSv1.0 port 636/tcp over SSL (LDAP port). What have I done wrong > here? Would the syntax > > NSSProtocol ALL +TLSv1.2 work better? You are tweaking the Apache TLS configuration and testing the LDAP TLS port 636. You can set the minimum TLS version in LDAP with: $ ldapmodify -x -D 'cn=directory manager' -W LDAP Password: dn: cn=encryption,cn=config changetype: modify replace: sslVersionMin sslVersionMin: TLS1.2 ^D $ sudo systemctl restart dirsrv.target rob

1 0

Why does openssl respond to tlsv1.0 and tlsv1.1 when I have set the NSSProtocol to tlsv1.2?
by Auerbach, Steven 22 Feb '21

22 Feb '21

I have tried to set this server to clear SecureWorks Vulnerabilities. This warning I do not understand. I have the following in nss.conf: # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_nss documentation for a complete list. NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha # SSL Protocol: NSSProtocol TLSv1.2 When I execute "openssl s_client -connect 127.0.0.1:636 -tlsv1 (or -tlsv1_1)" I get a successful response of my certificate, a handshake, and a 0 return code. SecureWorks reports "SSL/TLS Server supports TLSv1.0 port 636/tcp over SSL" (LDAP port). What have I done wrong here? Would the syntax NSSProtocol -ALL +TLSv1.2 work better? Steven Auerbach Assistant Director of Information Systems Information Technology & Security State University System of Florida Board of Governors 325 W. Gaines Street Tallahassee, Florida 32399 (850) 245-9592 www.flbog.edu<http://www.flbog.edu/>

1 0

Re: [EXTERNAL] Separate Topic -- FreeIPA and RADIUS
by White, Daniel E. (GSFC-770.0)[NICS] 22 Feb '21

22 Feb '21

Mariusz, I do not want to hijack your thread, so I am starting another. I would be very interested to know your FreeIPA/RADIUS configuration. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NASCOM Linux Engineer NASA Goddard Space Flight Center Science Applications International Corporation (SAIC) Office: (301) 286-6919 Mobile: (240) 513-5290 From: FreeIPA-Users <freeipa-users(a)lists.fedorahosted.org> Reply-To: FreeIPA-Users <freeipa-users(a)lists.fedorahosted.org> Date: Friday, February 19, 2021 at 08:51 To: FreeIPA-Users <freeipa-users(a)lists.fedorahosted.org> Cc: Mariusz Stysiak <server.is.not.responding(a)gmail.com> Subject: [EXTERNAL] [Freeipa-users] MFA for AD users Hello List, I'd really appreciate some insight here. I've setup FreeIpa POC (centos7, freeipa 4.7, two freeipa servers as multimaster along with some clients). Added OTP's for several users and made it work with RADIUS for vpn access authentication purpose. Next, I've added AD trust and I am able to log in as AD user. All groovy. Now I'd like to enforce MFA for AD users by adding OTP tokens for them. Is it possible at all? Since AD user authenticates against AD, shouldn't it be AD who provides MFA? FreeIPA behaves strangely when it comes to AD users (mapped via external group and POSIX group): AD user 'ipatest' is visible with 'id' command (and has it's own UID GID and so on) but cannot be found via 'ipa user-find' command even with specific UID provided: admin@ipa-poc-1 ~ $ id ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com> uid=748801177(ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com>) gid=748801177(ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com>) groups=748801177(ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com>),748800513(domain users(a)lab.trusteddomain.com<mailto:users@lab.trusteddomain.com>),748801180(linuxusers(a)lab.trusteddomain.com<mailto:linuxusers@lab.trusteddomain.com>),793600008(ad_users) admin@ipa-poc-1 ~ $ ipa user-find ipatest --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- admin@ipa-poc-1 ~ $ ipa user-find ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com> --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- admin@ipa-poc-1 ~ $ ipa user-find ipatest@TRUSTEDOMAIN-LAB --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 admin@ipa-poc-1 ~ $ ipa user-find uid=748801177 --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- I reckon it is due to the one-way trust with AD domain but not sure here. Since "ipa otptoken-add' command requires 'owner' parameter (type string and doesn't work with UID) I cannot add OTP token for this user. Another approach I've tried (since ipa otptoken-add command by default uses current user as owner) was to log on as AD user and create OTP token 'for myself', but it didn't work either: ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com>@ipa-poc-1 ~ $ kinit ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com> Password for ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com>: ipatest(a)lab.trusteddomain.com<mailto:ipatest@lab.trusteddomain.com>@ipa-poc-1 ~ $ ipa otptoken-add --type='TOTP' ipa: ERROR: cannot connect to 'any of the configured servers': https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fipa-poc-1…, https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fipa-poc-2… So, to make it short: Is it possible to add OTP token to external AD user? How to do it? rgrds M. _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedo… List Guidelines: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorapro… List Archives: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fed… Do not reply to spam on the list, report it: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io…

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2021