LDAP configuration synchronization failed: socket is not connected - from named-pkcs11
by lejeczek
Hi guys.
I'm trying to set up a first master, during which I get:
...
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service
(ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Named service failed to start (CalledProcessError(Command
['/bin/systemctl', 'restart', 'named-pkcs11.service']
returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because a timeout was
exceeded.\nSee "systemctl status named-pkcs11.service" and
"journalctl -xe" for details.\n'))
...
and that is the only error from the setup, which seemingly
continues and completes successfully:
...
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: c8kubermaster1.private.openshift.c8
Realm: PRIVATE.OPENSHIFT.C8
DNS Domain: private.openshift.c8
IPA Server: c8kubermaster1.private.openshift.c8
BaseDN: dc=private,dc=openshift,dc=c8
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring private.openshift.c8 as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
DNS query for c8kubermaster1.private.openshift.c8. 1 failed:
The DNS operation timed out after 30.000322580337524 seconds
unable to resolve host name
c8kubermaster1.private.openshift.c8. to IP address, ipa-ca
DNS record will be incomplete
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the
command: 'kinit admin'
This ticket will allow you to use the IPA tools
(e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in
/root/cacert.p12
These files are required to create replicas. The password
for these
files is the Directory Manager password
The ipa-server-install command was successful
Yet, on the very first reboot ipa.service fails to start, but
before that reboot, if I
-> $ systemctl restart named-pkcs11.service
it takes rather long, 10 or so seconds, and the journal shows
...
LDAP configuration synchronization failed: socket is not
connected
...
but socket is there: /var/run/slapd-PRIVATE-OPENSHIFT-C8.socket
More from named's journal:
...
resolver priming query complete
LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
ldap_syncrepl will reconnect in 60 seconds
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
successfully reconnected to LDAP server
LDAP configuration for instance 'ipa' synchronized
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
LDAP data for instance 'ipa' are being synchronized, please
ignore message 'all zones loaded'
Is it named-pkcs11 looking for the wrong bits, or something not
right with dirsrv, or .. maybe something else... would
anybody know?
many thanks, L.
3 years, 1 month
unsubscribe
by Elhamsadat Azarian
Please guide me on how to unsubscribe from this list.
3 years, 1 month
Please help me find what broke down with my AD authentications
by Mike Conner
I have a one-way trust configured to AD. It has been working for a long time but has stopped and I can't track down what has happened.
`getent passwd user` works on users in IPA, but fails (nothing returned) on AD users.
**** Contents of sssd.conf on client:
[domain/ipa.domain.edu]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test.ipa.domain.edu
chpass_provider = ipa
ipa_server = _srv_,ipa.ipa.grinnell.edu
ipa_server_mode = true
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_validate = False
debug_level=8
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.domain.edu
[nss]
homedir_substring = /home
****
`ipa trustdomain-find` returns the trusted AD domain
I haven't found anything I can make sense of in the logs, but this might be a clue to someone else:
**** From the sssd_ipa.domain.edu.log
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state] (0x1000): Domain ipa.domain.edu is Active
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state] (0x1000): Domain domain.edu is Active
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state] (0x1000): Domain ipa.domain.edu is Active
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state] (0x1000): Domain domain.edu is Active
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [be_mark_dom_offline] (0x1000): Marking subdomain domain.edu offline
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [be_mark_subdom_offline] (0x1000): Marking subdomain domain.edu as inactive
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [dp_req_done] (0x0400): DP Request [Account #20]: Request handler finished [0]: Success
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [_dp_req_recv] (0x0400): DP Request [Account #20]: Receiving request data.
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #20]: Finished. Success.
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [dp_req_reply_std] (0x1000): DP Request [Account #20]: Returning [Internal Error]: 3,22,Invalid argument
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::domain.edu:name=connerms@domain.edu] from reply table
****
3 years, 1 month
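To make log excerpts like the one above easier to read, here is an added example (not code from the poster or from SSSD) that parses SSSD back-end log lines, picks out the failure-level entries and the "Marking subdomain ... offline" events, and ties them to the account being looked up. The sample log is constructed from the excerpt in the post; the debug-level bit values are SSSD's documented ones.

```python
import re

# Constructed sample, modelled on the sssd_ipa.domain.edu.log excerpt in the post above.
SAMPLE_SSSD_LOG = """\
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state] (0x1000): Domain ipa.domain.edu is Active
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [be_mark_dom_offline] (0x1000): Marking subdomain domain.edu offline
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [dp_req_reply_std] (0x1000): DP Request [Account #20]: Returning [Internal Error]: 3,22,Invalid argument
(Thu Feb 11 12:07:19 2021) [sssd[be[ipa.domain.edu]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::domain.edu:name=connerms@domain.edu] from reply table
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"request failed: \[(?P<errno>\d+)\]: (?P<text>[^.]*)")
OFFLINE_RE = re.compile(r"Marking subdomain (?P<sub>\S+) offline")
NAME_RE = re.compile(r"name=(?P<name>[^\]]+)\]")

# SSSD debug level bits: 0x0010 fatal, 0x0020 critical, 0x0040 serious failure,
# 0x0080 minor failure. Anything with one of these bits set is a failure entry.
FAILURE_MASK = 0x00F0


def parse_line(line):
    """Split one SSSD log line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["level"] = int(ev["level"], 16)
    return ev


def analyze(text):
    """Collect failure entries, subdomains marked offline, and the names looked up."""
    failures, offline, lookups = [], [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["level"] & FAILURE_MASK:
            fm = FAIL_RE.search(ev["msg"])
            failures.append({
                "func": ev["func"],
                "errno": int(fm.group("errno")) if fm else None,
                "text": fm.group("text") if fm else ev["msg"],
            })
        om = OFFLINE_RE.search(ev["msg"])
        if om and om.group("sub") not in offline:
            offline.append(om.group("sub"))
        nm = NAME_RE.search(ev["msg"])
        if nm and nm.group("name") not in lookups:
            lookups.append(nm.group("name"))
    return {"failures": failures, "offline_subdomains": offline, "lookups": lookups}


def diagnose(result):
    """One-line reading of the analysis: offline subdomain + EINVAL means the AD leg failed."""
    if result["offline_subdomains"] and any(f["errno"] == 22 for f in result["failures"]):
        who = ", ".join(result["lookups"]) or "unknown user"
        subs = ", ".join(result["offline_subdomains"])
        return (f"lookup of {who} failed: the back end marked subdomain {subs} offline "
                f"mid-lookup, so the responder received EINVAL and getent returned nothing")
    return "no offline-subdomain lookup failure found"
```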
Problems with use of Keytabs for Authentication
by Kevin Cassar
Hi,
I'm running FreeIPA v4.8.7. I have a requirement that end user systems (not enrolled in FreeIPA) be allowed SSH access on FreeIPA enrolled servers through Kerberos authentication. As of now I'm using user keytabs on the end systems to get a ticket and then authenticate to SSH with GSSAPI.
However, I've run into few issues:
1) I've read about authentication indicators in FreeIPA. How can I enforce a policy where the end user is required to enter their password+OTP when authenticating to the web UI, but OTP remains optional for SSH login? This policy assumes that I have both "Password" and "Two factor authentication (password + OTP)" set as the user authentication method.
2) Probably a long shot, but, is there any way that user keytabs can be generated and retrieved via an API call? I'd like to have some automation so that when a new user is created on the FreeIPA server or
a user changes their password, the new resulting keytab can be downloaded on the end user systems via an API call to the JSON RPC endpoint.
Any help is appreciated.
Thanks.
3 years, 1 month
Concurrent ssh to the same host fails after a few successfully opened sessions with an Additional pre-authentication krb error.
by mir mal
Hi,
As in the title, a very odd behaviour: if I keep opening new ssh sessions using the same IPA user, after a few successful ones I get an ssh authentication failed error, and in the krb5 logs on the FreeIPA server I can see the following errors:
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: c000000@STUXNET.LAB for krbtgt/STUXNET.LAB@STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
At the same time, I can use the same user to connect to other hosts, or use kinit or the FreeIPA web portal. It looks like after N successful attempts I'm hitting some kind of time or max concurrent connections limit, but I can't find any related settings. It's a standard Fedora-based FreeIPA 4.8.10, and the hosts I connect to are Ubuntu. If I wait a few minutes I'm allowed to open another connection, but then again if I try to open a few I hit the error. I've been checking KRB5_TRACE for kinit and sshd DEBUG3 level logs, but I can't find why it would happen; the only error is the one above with pre-auth.
Thanks
3 years, 1 month
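An added example (not the poster's code, and not part of krb5) for reading krb5kdc log lines like the one quoted above: it parses AS_REQ/TGS_REQ entries and flags NEEDED_PREAUTH events that were never followed by an ISSUE (or PREAUTH_FAILED) for the same client and principal, which is the pattern of a client that asked for a ticket but never completed the pre-authentication round trip. The sample log is constructed to mirror the post's line; the etype list is shortened.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: one completed AS exchange (NEEDED_PREAUTH then ISSUE), then a
# second NEEDED_PREAUTH with no follow-up, modelled on the post's krb5kdc line.
SAMPLE_KDC_LOG = """\
Nov 19 07:21:30 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.10.64: NEEDED_PREAUTH: c000000@STUXNET.LAB for krbtgt/STUXNET.LAB@STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:30 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
Nov 19 07:21:30 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.10.64: ISSUE: authtime 1605770490, etypes {rep=18 tkt=18 ses=18}, c000000@STUXNET.LAB for krbtgt/STUXNET.LAB@STUXNET.LAB
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.10.64: NEEDED_PREAUTH: c000000@STUXNET.LAB for krbtgt/STUXNET.LAB@STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
"""

# "Mon DD HH:MM:SS host krb5kdc[pid](sev): AS_REQ (N etypes {...}) client: STATUS: rest"
KDC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<sev>\w+)\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>\d+ etypes \{[^}]*\})\) "
    r"(?P<client>\S+): (?P<status>\w+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(\S+) for ([^,\s]+)")


def parse_kdc_line(line):
    """Parse one krb5kdc request line; lines such as 'closing down fd' return None."""
    m = KDC_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    pm = PRINC_RE.search(ev["rest"])
    ev["principal"], ev["service"] = (pm.group(1), pm.group(2)) if pm else (None, None)
    # The syslog timestamp carries no year; 1900 is fine for computing deltas.
    ev["time"] = datetime.strptime(re.sub(r"\s+", " ", ev["ts"]), "%b %d %H:%M:%S")
    return ev


def parse_kdc_log(text):
    return [ev for ev in (parse_kdc_line(l) for l in text.splitlines()) if ev]


def incomplete_as_exchanges(events, window=5):
    """NEEDED_PREAUTH is the normal first leg of an AS exchange; return those that were
    not followed by ISSUE or PREAUTH_FAILED for the same client/principal within `window` s."""
    stuck = []
    for i, ev in enumerate(events):
        if ev["req"] != "AS_REQ" or ev["status"] != "NEEDED_PREAUTH":
            continue
        key = (ev["client"], ev["principal"])
        completed = any(
            (e["client"], e["principal"]) == key
            and e["status"] in ("ISSUE", "PREAUTH_FAILED")
            and 0 <= (e["time"] - ev["time"]).total_seconds() <= window
            for e in events[i + 1:]
        )
        if not completed:
            stuck.append(ev)
    return stuck


def preauth_counts(events):
    """How many NEEDED_PREAUTH replies each (client, principal) pair received."""
    return dict(Counter((e["client"], e["principal"])
                        for e in events if e["status"] == "NEEDED_PREAUTH"))
```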
How To Renew Expired Certificates & pki-tomcatd not starting
by SRM
I see someone else opened another thread with a similar issue, but the error messages are different, so I'm going ahead & seeking help in a new thread.
I've inherited a FreeIPA installation from somebody, used among 5 physical servers with one FreeIPA server (everything, CA etc., on it) while the other 4 physical servers act as clients. Being someone very new at LDAP & FreeIPA, I tried to troubleshoot by googling.
System / Server Info:
OS - CentOS 7.6, Installed IPA packages version - 4.6.4, Self-Signed CA
Here are the issues & what steps I've taken so far.
1) Before certificates were expired the pki-tomcatd service was failing & I see the following message in /var/log/pki/pki-tomcat/ca/debug:
Error: netscape.ldap.LDAPException: Authentication failed (48)
After some googling I've found this link (https://access.redhat.com/solutions/3081821) which asks to check if certificate blob & serial number in pkiuser matches to the 'subsystemCert cert-pki-ca' in our case it does so there was nothing to do but we still get that error.
2) Certificates have expired - Now the certificates have expired, they were not auto-renewed, was it because above (pki-tomcatd service failure) not sure.
2a) For this I've tried to move back the date & tried to renew them through ipa-certupdate; the output says successful but the certificates are not getting renewed. Here is one such output (domain renamed to ourorg.com for privacy).
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$5131ac65...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$5131ac65.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: INFO: trying https://login1.ourorg.com/ipa/json
ipalib.backend: DEBUG: Created connection context.rpcclient_139790894262416
ipalib.install.kinit: DEBUG: Initializing principal host/login1.ourorg.com@ourorg.COM using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-O7QeRu/ccache
ipalib.install.kinit: DEBUG: Attempt 1/1: success
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.107')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.107')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://login1.ourorg.com/ipa/json'
ipalib.rpc: DEBUG: New HTTP connection (login1.ourorg.com)
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://login1.ourorg.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f239a5242d8>
ipalib.frontend: DEBUG: raw: ca_find(None, version=u'2.230')
ipalib.frontend: DEBUG: ca_find(None, version=u'2.230')
ipalib.rpc: INFO: [try 1]: Forwarding 'ca_find/1' to json server 'https://login1.ourorg.com/ipa/json'
ipalib.rpc: DEBUG: HTTP connection keep-alive (login1.ourorg.com)
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-ourorg-COM -A -n ourorg.COM IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-ourorg-COM/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-ourorg-COM -A -n ourorg.COM IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-ourorg-COM/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active dirsrv@ourorg-COM.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl --system daemon-reload
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart dirsrv@ourorg-COM.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active dirsrv@ourorg-COM.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: wait_for_open_ports: localhost [389] timeout 300
ipapython.ipautil: DEBUG: waiting for port: 389
ipapython.ipautil: DEBUG: SUCCESS: port: 389
ipaplatform.base.services: DEBUG: Restart of dirsrv@ourorg-COM.service complete
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n ourorg.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n ourorg.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active httpd.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active
ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of httpd.service complete
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20190129222612'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipaclient.install.ipa_certupdate: DEBUG: modifying certmonger request '20190129222612'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n External CA cert -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n ourorg.COM IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n ourorg.COM IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/update-ca-trust
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_139790894262416
ipapython.admintool: INFO: The ipa-certupdate command was successful
In the above output there are two occasions where it says "ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found". I'm not sure if these are relevant; if so, how do I debug them?
2b) I've also used "ipa-cacert-manage renew" following this link https://www.freeipa.org/page/V4/CA_certificate_renewal. Not sure if this was necessary or if doing this caused any more issues.
3) Since the certificates have expired, Kerberos broke: I can't do "kinit admin" any longer, can't change passwords / create users, & of course can't access the web UI. For any of these actions I need to move the date back. For now 'sudo' works (without having to move the date back) & general logins work, but I'm not sure how long they will continue to work before they completely break?
4) This is a production installation with hardly any time to take down FreeIPA, let alone the physical server. Is there any way to recover from this situation?
5) If it can't be recovered, can we set up another FreeIPA server installation with the same realm / domain (we would need to procure another system / server) with a new CA etc. from scratch, and make all the current 5 physical servers (including the current broken FreeIPA server) clients of the new FreeIPA installation with the same domain / realm?
3 years, 1 month
FreeIPA/Red Hat IDM and AD communication
by Jones, Bob (rwj5d)
Hello all,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it’s not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify that clients use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify that the FreeIPA/IDM servers use the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
3 years, 1 month