ipa-healthcheck complains about kra
by Rob Verduijn
Hello,
I've updated my ipa server to the latest version today.
But now the ipa healthcheck gives a warning about kra.
ipa-healthcheck --failures-only
Internal error testing KRA clone. 'NoneType' object has no attribute
'config'
[
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "2adc9f06-05aa-4e6f-af7f-0cad33e0e179",
"when": "20210526104303Z",
"duration": "0.749857",
"kw": {
"status": "ERROR: pki-tomcat : Internal error testing KRA clone.
Host: freeipa02.tjako.thuis Port: 443"
}
}
]
Googling doesn't really help.
Anybody know how to solve this?
Rob
2 years, 10 months
Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
ANONYMOUS(a)A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks
some attributes. I'm just not sure how to generate a proper cert.
2 years, 10 months
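An added triage helper (example code, not from the post or from FreeIPA) that reads a KRB5_TRACE log like the one quoted above and reports which preauth step failed: here PA-PK-AS-REP (17), the step where the client validates the KDC's reply and certificate, returns "KDC name mismatch", after which kinit falls back to a password prompt that the anonymous principal cannot satisfy. The trace excerpt embedded below is constructed from the lines quoted in the post.

```python
import re

# Constructed excerpt modelled on the KRB5_TRACE output quoted in the post.
TRACE = """\
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional pre-authentication required
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ENC-TIMESTAMP (2)
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned: 0/Success
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned: 0/Success
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned: -1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
"""

# One line per preauth module invocation: module name, PA type, kind (info/real), rc/message.
PREAUTH_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>[\d.]+): Preauth module (?P<module>\w+) "
    r"\((?P<patype>\d+)\) \((?P<kind>\w+)\) returned: (?P<code>-?\d+)/(?P<msg>.*)$"
)


def parse_preauth_results(trace: str) -> list:
    """Return one dict per 'Preauth module ... returned' line in the trace."""
    results = []
    for line in trace.splitlines():
        m = PREAUTH_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["patype"] = int(rec["patype"])
            rec["code"] = int(rec["code"])
            results.append(rec)
    return results


def diagnose_pkinit(trace: str) -> dict:
    """Classify a 'kinit -n' (anonymous PKINIT) trace.

    PKINIT counts as failed when a 'real' pkinit module run returned a non-zero
    code; the first such failure is reported. The 'AS key obtained' line only
    appears once kinit has given up on PKINIT and asked for a password.
    """
    results = parse_preauth_results(trace)
    failures = [r for r in results
                if r["module"] == "pkinit" and r["kind"] == "real" and r["code"] != 0]
    fell_back = any("AS key obtained from gak_fct" in ln for ln in trace.splitlines())
    return {"pkinit_ok": not failures,
            "first_failure": failures[0] if failures else None,
            "password_fallback": fell_back}
```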
IRC server change
by Rob Crittenden
Due to the changes at freenode [1], the freeIPA IRC channel is
transitioning to the libera.chat IRC server with the same channel name:
irc://irc.libera.chat/freeipa
There is currently no hard cut-off date but it's likely to be sooner than
later.
rob
[1] https://www.kline.sh/
2 years, 10 months
FreeIPA Bastion
by G Col
Hello Team,
I was wondering how I can configure FreeIPA as a bastion server when I ssh other hosts.
Basically FreeIPA would be in the middle of the ssh approval to access the specific server via ssh. Is this a functionality that FreeIPA has at the moment?
Thank you for your help,
gcol
2 years, 11 months
Disable SSH Key login
by Russ Long
In my environment, I need to force password + OTP for users. I have "Default user authentication types" set to "Two factor..." and "Disable per-user override". However, I'm seeing that SSH Keys that users add to the FreeIPA console are allowing them to login without a second factor.
Any ideas how to resolve this?
2 years, 11 months
Removal of host certificates
by Gerrard Geldenhuis
Hi
I am trying to remove old host certificates.
I generated a list using:
ipa cert-find --sizelimit 0
One of the certs is:
Issuing CA: ipa
Subject: CN=server.example.com,O=COMPANY.COM
Issuer: CN=Certificate Authority,O=COMPANY.COM
Not Before: Fri May 20 15:56:37 2016 UTC
Not After: Mon May 21 15:56:37 2018 UTC
Serial number: 268238888
Serial number (hex): 0xFFD002D
Status: REVOKED_EXPIRED
Revoked: True
I also did:
ipa cert-show 268238888
I then tried to remove the cert by using:
ipa host-remove-cert server.example.com
which then prompts me for the certificate, I enter the certificate as I got it from ipa cert-show command, using the "Certificate: " part.
But I get the error:
ipa: ERROR: server.examle.com: host not found
I also tried to remove the certificate from the UI, which shows quite a lot more expired certificates for the host, but does not give me any option to delete/remove the certificates
Am I missing something obvious with regards to the steps required to remove old certificates? Am I not supposed to remove them?
FreeIPA, version: 4.5.4
Regards
2 years, 11 months
Non-caching ipa-clients
by Dominik Vogt
Using freeipa from RHEL8.1, we need to set up the ipa-clients in a
way that login is only possible if the ipa-server can be
contacted. Local login from the cache must be impossible. Is
there a way to achieve this?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
2 years, 11 months
sudorule not working for external user
by Dominik Vogt
Using freeipa from RHEL8.1, I try to create sudo rules (from the
GUI).
* "foo" and "bar" are ipa users
* "ext" is a local user present on all machines
The rule
allow user "foo" to run "/bin/bash" on any host as user "bar"
works fine, i.e. I can log in as "foo" and run
# su - foo
$ sudo -u bar /bin/bash
-> OK
However, if I create a similar rule for the external user it does
not work
allow external user "ext" to run "/bin/bash" on any host as user "bar"
=>
# su - ext
$ sudo -u bar /bin/bash
-> denied
--
$ ipa sudorule-show test
Rule name: test
Enabled: TRUE
Host category: all
External User: ext
Sudo Allow Commands: /bin/bash
RunAs Users: bar
What am I doing wrong?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
2 years, 11 months