IPA broken after dnf update on CentOS 8
by Vinícius Ferrão
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa
● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago
Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details:
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more >
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade>
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'.
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is:
2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service> failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Thank you all.
2 years, 2 months
Problems after replacing SSL certificates
by Andreas Bulling
Dear all,
I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university.
I've followed the procedure described here (no errors):
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain:
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X
Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12
Also, ipa-certupdate on the respective clients shows
ipa-certupdate
trying https://X/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://X/ipa/json'
cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
The ipa-certupdate command failed.
Also, I can't login to the web UI anymore. I tried
ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab
on the freeipa server (followed by ipactl restart) but this didn't help.
Any idea/suggestions for how to get everything working again?
Thanks a lot!
2 years, 5 months
User in AD not found by IPA
by Marc Boorshtein
We added a new account to AD that has a domain trust with FreeIPA. This
one user is having an issue where IPA can't find him. The user is in the
same OU as other users that work fine. The user is unlocked
(userAccountControl is 512) and the userprincipalname is set. When I try
to add the user to an id view or an external group IPA gives me the error
"trusted domain object not found" . Not really sure where to look next to
figure out what's wrong. We see the user when we make LDAP calls to AD.
Thanks
Marc
2 years, 5 months
freeIPA Status Debian/Ubuntu
by Nico Maas
Hello there,
with the decline of CentOS I need to migrate away from CentOS 8 to something different.
I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"?
Best regards,
Nico
2 years, 6 months
Cannot add externally-signed IPA CA certificate
by Dmitry Perets
Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here is it below, it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
2 years, 7 months
FreeIPA server packages upgrade best practice
by Suchismita Panda
Hi,
I would like to know the best practice for patching FreeIPA-Server
packages. We generally have daily patching enabled in our servers. Will it
be a good idea to do automatic patching of FreeIPA-Server packages?
If we want to restrict the FreeIPA-Server packages from automatomatic
upgrade and rather keep it for manual upgrade, what are the packages we
should hold back with a version restriction? And how frequently should we
do the manual upgrade? If the FreeIPA-client packages are upgraded
regularly by daily patching(yum-cron or unattended upgrade) will there be
any problem with authentication, if the FreeIPA-Servers are behind version
upgrade?
We have two FreeIPA environments, one with CentOS7 and another with
CentOS8. And we have FreeIPA clients mostly with Ubuntu(18 and 20) and
CentOS (7 and 8).
Any help and guidance is appreciated.
Thanks
Suchi
2 years, 8 months
FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
by Anthony Joseph Messina
After upgrading FreeIPA from F31 to F32, on startup I now see a lot of these errors from certmonger, ns-slapd, java, etc.
May 08 17:57:28 certmonger[38]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:30 ns-slapd[67]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:33 dogtag-ipa-renew-agent-submit[143]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 08 17:57:42 java[640]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
The server seems to come up without issue, but can you point me in the right direction to resolve these errors?
freeipa-server-4.8.6-1.fc32.x86_64
opendnssec-2.1.6-5.fc32.x86_64
opencryptoki-3.13.0-1.fc32.x86_64
I've installed a fresh F32 freeipa-server (on a test domain) and I don't see these errors.
Thanks. -A
--
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
2 years, 9 months
Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
ANONYMOUS(a)A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the kdc certificate, it lacks
some attributes. I'm just not sure how to generate a proper cert.
2 years, 10 months
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every
attempt to connect it hangs.
The command "systemctl status" does not show anything alarming
● dirsrv(a)EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv(a)EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch
command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
2 years, 10 months
Use of certificates to have https secure connection
by G Col
Hello,
I have configured and installed freeipa, but I have some issues trying to add the certificates to freeipa configuration to get https correctly setup.
I have my own .key .crt and an additional .crt certificates as follows the use of wildcard certificates. Following this guide, it didn't help as in my case I do use 3 files related with the certificate configuration.
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
ipa-server-certinstall -w -d mysite.key mysite.crt
(But I use 3 files, also running the command asks for a passphrase key, but my certs don't have any passphrase key associated. How I did it in the past was to add the route of those files in the virtualhost section of the config file for the web service, but in this case I am not 100% sure which procedures we have apart of the command above that may not work for my case.
I would really appreciate your thoughts on this.
Thank you so much,
2 years, 10 months