ipa-client-install returns success, but auth isn't working
by Braden McGrath
I have a 3-server (replicating) FreeIPA environment running on CentOS7. ipa --version shows: VERSION: 4.6.8, API_VERSION: 2.237
I have successfully "joined" two Ubuntu Server 20.04 LTS clients to the FreeIPA environment without issue. Let's call those Alpha and Beta.
Alpha and Beta were installed using Ubuntu's freeipa packages; they show ipa --version: VERSION: 4.8.6, API_VERSION: 2.236
Alpha and Beta work as expected, even though their client version is newer than the servers.
I now have a 3rd Ubuntu Server 20.04 LTS VM ("Gamma") that I am trying to enroll/setup, and ipa-client-install returns success, but near the end of the install, 'getent' fails to pull info about the user account that was used during the install, and I can't login to this VM with an account from the FreeIPA database.
I looked through the install log and didn't see anything obvious, but I've also only installed freeipa on 5 other systems at this point, so I don't really know what to look for. :)
Key differences between Alpha/Beta and Gamma:
Alpha/Beta are both VMs installed from a Ubuntu 20.04 LTS ISO;
Gamma is an Ubuntu "cloud-image" VM (cloned from their image and then run through cloud-init for a hostname/etc)
Alpha/Beta are using static IP addresses with manual DNS configuration;
Gamma is using DHCP, but has a reservation (the IP won't change). DHCP is issuing the IPs of the 3 FreeIPA server VMs as DNS servers, and the DNS search domain is correct.
Note that all 3 Ubuntu systems *are* still using Systemd-Resolve for DNS, which is then sending queries to the CentOS 7 Servers. Alpha and Beta are fine with this, so I don't think systemd-resolve is the problem.
Any help would be greatly appreciated, because I'm not sure what to look at next (and I also don't understand why what should be a nearly identical install is not working).
Rather than attaching the entirety of ipaclient-install.log, here is a github gist link with it. I've sanitized the domain, hostname, enroll username, and kerberos realm, but everything else has not been touched.
https://gist.github.com/ZPrimed/1040499a744286690745a7d93bcd3d10
3 years, 1 month
Creating Certs for Services
by Techmail
Hello!
I'm setting up a RabbitMQ server on our internal network, and I thought now would be a good time to figure out how to use FreeIPA to issue certs for services to enable TLS. (Only internal systems with the IPA cert will access the system.) However, I'm running into a couple of problems.
I'm following the FreeIPA PKI Docs [1] on how to set up an automated cert request with Certmonger which will put cert renewal on autopilot, hopefully, and I'm getting stuck on step #6 of the instructions where I'm supposed to import the IPA `ca.crt` into the nssdb which was created for RabbitMQ.
Command and results of step #6:
```
[me@rabbitserver.sub.domain.tld]# certutil -A -d /etc/rabbitmq/nssdb -n 'SUB.DOMAIN.TLD IPA CA' -t CT,, -a < /etc/ipa/ca.crt
Enter Password or Pin for "NSS Certificate DB":
```
I don't know what password or pin it would like.
I read something which suggested `/etc/dirsrv/slapd-DOMAIN-TLD/pin.txt` on the IPA server contained the magic words which would unlock the database, so I copied the token, which is not what certutil wants to unlock `/etc/ipa/nssdb`.
Example contents of `/etc/ipa/nssdb/pin.txt` on IPA server:
```
Internal (Software) Token:<thispartiswhaticopied>
```
Here are the problems:
1. I don't know the PIN or password for `/etc/ipa/nssdb`.
2. Would like the cert to be auto managed.
3. FreeIPA docs and RHEL docs disagree. [2][3]
IPA Server:
* CentOS 7
* ipa-server: 4.6.8-5.el7.centos
Rabbit Server:
* CentOS Stream 8
* ipa-client: 4.9.0-1.module_el8.4.0+635+535c2b80
Ryan
1: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
2: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
3: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
3 years, 1 month
Something changed regarding enrollment permissions?
by Ronald Wimmer
Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any problems.
Cheers,
Ronald
3 years, 1 month
Set "Description" on ipa-client-install
by Russ Long
Is there a way, when using ipa-client-install, to set the Description field for a server? If not, is "ipa host-mod" the preferred method to set this after install?
3 years, 1 month
Question about AD trust and yum IPA server upgrade
by John Desantis
Hello all,
I couldn't easily find a direct answer regarding a yum upgrade of the IPA server with an active AD trust, so I'll just ask here.
When one performs a yum upgrade of the IPA server, does the AD trust have to be re-established?
Thanks,
John DeSantis
3 years, 1 month
Unable to install ipa client centos 7.5.1804 (Core)
by William Graboyes
Hello List,
I have been searching around for the day and have found an answer for the error I am getting when I am trying to install the client on a brand new install:
Version:
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-client-common-4.5.4-10.el7.centos.3.noarch
The error is below (run as root, not via sudo):
```
ipa-client-install
Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 22, in <module>
    from ipaclient.install import ipa_client_install
  File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py", line 5, in <module>
    from ipaclient.install import client
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 34, in <module>
    from ipalib import api, errors, x509
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in <module>
    from pyasn1_modules import rfc2315, rfc2459
  File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py", line 67, in <module>
    class DigestedData(univ.Sequence):
  File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py", line 72, in DigestedData
    namedtype.NamedType('digest', Digest)
  File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 115, in __init__
    self.__ambiguousTypes = 'terminal' not in kwargs and self.__computeAmbiguousTypes() or {}
  File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 232, in __computeAmbiguousTypes
    ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes, **dict(terminal=True))
  File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 114, in __init__
    self.__tagToPosMap = self.__computeTagToPosMap()
  File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py", line 205, in __computeTagToPosMap
    for _tagSet in tagMap.presentTypes:
AttributeError: 'property' object has no attribute 'presentTypes'
```
Any help would be greatly appreciated.
Thanks,
Bill G.
3 years, 1 month
FreeIPA certificate doesn't validate in iOS
by Jochen Kellner
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was automatically refreshed:
,----
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
| certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
| CA: IPA
| issuer: CN=Certificate Authority,O=JOCHEN.ORG
| subject: CN=imap.jochen.org,O=JOCHEN.ORG
| expires: 2022-09-07 09:30:16 CEST
| dns: imap.jochen.org
| principal name: imap/jupiter.jochen.org@JOCHEN.ORG
| key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
| eku: id-kp-serverAuth,id-kp-clientAuth
| pre-save command:
| post-save command: /root/refresh_cyrus_certificate.sh
| track: yes
| auto-renew: yes
`----
On an iPhone one of my users gets a message that the certificate is not valid.
Reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html
When I look at the certificate with openssl I see:
,----
| X509v3 extensions:
| X509v3 Authority Key Identifier:
| keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
|
| Authority Information Access:
| OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
|
| X509v3 Key Usage: critical
| Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
| X509v3 Extended Key Usage:
| TLS Web Server Authentication, TLS Web Client Authentication
`----
My current guess is that the "Key Usage: critical" is the reason for the iOS error.
I've looked for the certprofiles and found these files:
,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
| 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
| 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
| 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
| 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
| 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----
These files contain:
,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----
So I think this is where the critical comes from and the keyUsage defaults come from.
What I could use help with is the following:
1. I didn't find reports about the problem in pagure or the mailing list. Am I really alone with this?
2. My FreeIPA has been installed years ago on Fedora, moved to CentOS and this year back to Fedora by creating replicas. Has there been a problem with upgrading the certprofiles?
3. How can I remove the options from the certificate request so that certmonger gets a valid certificate?
Do I miss something else?
--
This space is intentionally left blank.
3 years, 1 month
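To connect the `keyUsage*` profile lines quoted in the previous post with the `X509v3 Key Usage: critical` line that openssl prints, here is an added example (not FreeIPA or Dogtag code) that parses those parameters and DER-encodes the Key Usage extension they produce. The five parameter suffixes in the post are Dogtag's; the remaining four are assumed to follow the same naming pattern.

```python
# Added example for the Key Usage thread above (not FreeIPA or Dogtag code): read the
# keyUsage* parameters of a pki profile such as caIPAserviceCert.cfg and build the X.509
# Key Usage extension they yield, including the 'critical' flag openssl x509 -text shows.
import re

# RFC 5280 KeyUsage bits in bit order: (Dogtag parameter suffix, name openssl prints).
# The first five suffixes are quoted in the post; the rest are assumed to follow the pattern.
KEY_USAGE_BITS = list(zip(
    ["DigitalSignature", "NonRepudiation", "KeyEncipherment", "DataEncipherment",
     "KeyAgreement", "KeyCertSign", "CrlSign", "EncipherOnly", "DecipherOnly"],
    ["Digital Signature", "Non Repudiation", "Key Encipherment", "Data Encipherment",
     "Key Agreement", "Certificate Sign", "CRL Sign", "Encipher Only", "Decipher Only"]))
PROFILE_LINE = re.compile(r"^policyset\.\w+\.\d+\.\w+\.params\.keyUsage(\w+)=(true|false)$")

# Constructed sample: the six profile lines quoted in the post.
PROFILE_EXCERPT = """\
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
"""

def parse_key_usage_policy(cfg_text):
    """Return (critical, [openssl-style bit names]) in RFC 5280 bit order."""
    params = {}
    for line in cfg_text.splitlines():
        m = PROFILE_LINE.match(line.strip())
        if m:
            params[m.group(1)] = m.group(2) == "true"
    return params.get("Critical", False), [n for k, n in KEY_USAGE_BITS if params.get(k)]

def der_tlv(tag, body):
    """Minimal DER TLV; the short-form length is enough for this extension."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def key_usage_extension(critical, names):
    """DER Extension { id-ce-keyUsage, critical, OCTET STRING { BIT STRING } }."""
    bits = sum(1 << (15 - pos) for pos, (_, n) in enumerate(KEY_USAGE_BITS) if n in names)
    if bits:
        raw = bits.to_bytes(2, "big").rstrip(b"\x00")    # DER drops trailing zero octets
        unused = (raw[-1] & -raw[-1]).bit_length() - 1   # and records trailing zero bits
        bitstr = bytes([unused]) + raw
    else:
        bitstr = b"\x00"                                 # empty named bit list
    oid = der_tlv(0x06, b"\x55\x1d\x0f")                 # id-ce-keyUsage, 2.5.29.15
    crit = der_tlv(0x01, b"\xff") if critical else b""   # BOOLEAN DEFAULT FALSE is omitted
    return der_tlv(0x30, oid + crit + der_tlv(0x04, der_tlv(0x03, bitstr)))

if __name__ == "__main__":
    crit, names = parse_key_usage_policy(PROFILE_EXCERPT)
    print("X509v3 Key Usage:" + (" critical" if crit else ""), ", ".join(names), sep="\n    ")
    print(key_usage_extension(crit, names).hex())
```

With the profile set to `keyUsageCritical=false` the `01 01 ff` BOOLEAN disappears from the encoded extension, which is the only byte-level difference behind the `critical` marker in the openssl output.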
Kerberos appears to be broken on a FreeIPA server on CentOS 7.8
by Vinícius Ferrão
Hello,
FreeIPA on CentOS 7.8 just stopped working and I’m unable to fix it by myself. After reading a lot of threads here on the list, it appears that I’ve the same issue as this topic: https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg0550...
Since Kerberos is apparently not working as expected, I cannot use FreeIPA and none of the services are working correctly. Following the debug guide I was able to at least start named with single authentication to further debug. (Workaround 1 of https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html)
And now I’m stuck on item 5 of the same manual.
[root@neumann2 ~]# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket' -Y GSSAPI -b 'cn=dns,dc=cluster,dc=cetene,dc=gov,dc=br'
SASL/GSSAPI authentication started
[6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR for server principal ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
[6588] 1612932571.244081: Getting credentials DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR -> ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR using ccache KEYRING:persistent:0:krb_ccache_UuVdVRC
[6588] 1612932571.244082: Retrieving DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR -> ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
[6588] 1612932571.244084: Creating authenticator for DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR -> ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR, seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[root@neumann2 ~]# ipa privilege-show 'DNS Servers' --all --raw
ipa: ERROR: Insufficient access: Invalid credentials
[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_UuVdVRC
Default principal: DNS/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
Valid starting Expires Service principal
02/10/2021 01:52:43 02/11/2021 01:49:04 HTTP/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
02/10/2021 01:49:16 02/11/2021 01:49:04 ldap/neumann2.cluster.cetene.gov.br@CLUSTER.CETENE.GOV.BR
02/10/2021 01:49:04 02/11/2021 01:49:04 krbtgt/CLUSTER.CETENE.GOV.BR@CLUSTER.CETENE.GOV.BR
Any idea on how to fix this?
Thanks,
Vinícius.
PS: Before the workaround named-pkcs11 fails to start with the following error:
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: bind-dyndb-ldap version 11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: LDAP error: Invalid credentials: bind to LDAP server failed
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: couldn't establish connection in LDAP connection pool: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: dynamic database 'ipa' configuration failed: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading configuration: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: exiting (due to fatal error)
Feb 10 01:40:46 neumann2 systemd: named-pkcs11.service: control process exited, code=exited status=1
Feb 10 01:40:46 neumann2 systemd: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
3 years, 1 month
IPA certs expired, pki-tomcatd fails to start
by Manuel Gugliucci
Hello,
I'm running a freeipa server over a cloudera cluster; on 2020-12-31 all the certs expired and did not renew by themselves.
After I set the system date before the expiration date, I tried ipa-cacert-renew but it returns an error saying that the CA certs are not managed by certmonger, so I did a getcert resubmit for every cert.
Almost all went into the "Monitoring" state, except for one that says "NEED_CSR_GEN_PIN".
If I try to do 'ipactl start', it starts to first upgrade IPA and fails because of the pki-tomcat service:
```
2019-12-31T19:12:01Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-12-31T19:12:01Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2019-12-31T19:12:01Z DEBUG Waiting for CA to start...
```
I also looked for the previous threads listed on this forum, but none of them provided a solution.
3 years, 1 month