ID views/override issues for AD trust
by iulian roman
Hello everybody,
I am trying to override some uid and gid values for AD users in IdM (I added all users for which I need to override attributes to the Default Trust View), and although everything works properly on both the IdM server and the replica, I cannot query the users on the IPA clients. Any other users (which are not part of the Default Trust View) are visible and their groups are displayed correctly on the IPA clients.
So far, I have removed the cache on both the IPA server and the client, restarted sssd, and removed /var/lib/sss/db/*, but with no success. I have enabled debugging as well for sssd and nss, but nothing relevant showed up. The odd thing is that sometimes I could query some of the users for which an override was configured, but I do not know why (I tried to correlate it with the group membership, the number of groups the user is a member of, etc., but unsuccessfully).
On the IPA clients the sssd version I use is 1.16.1, and on the IPA server the sssd version is 2.3.0. Can that make a difference or be the cause of the issue?
Any hint where I should look into would be really appreciated.
2 years, 11 months
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice on how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every attempt to connect to it hangs.
The command "systemctl status" does not show anything alarming:
● dirsrv@EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever:
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
2 years, 11 months
FreeIPA and SSL with the Web GUI
by Steve Reed
Hey,
This is a general question. What is providing SSL for the web GUI? I don't see the ssl module installed with the apache server. That would be the usual way it is done. How is it done for FreeIPA?
Thanks,
Steve
2 years, 11 months
when client install ask to download CA cert
by lejeczek
Hi guys
I do not see any clear problems and there are no errors in the client log,
but each time I try to install the client, the process stops:
...
No SRV records of NTP servers found and no NTP server or
pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from
http://c8kubermaster2.ton.mko.priv.com/ipa/config/ca.crt ?
(this is INSECURE) [no]:
---
If I go with 'yes' as the answer then:
...
Joining realm failed: SASL Bind failed
Invalid credentials
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information
----
One thing is new and different from all FreeIPA deployments I have done in the past, namely
REALM != FQDN
but both share a "top level/part".
I do not think that is the root cause.
Client install would succeed if I gave it:
--server= --domain= --realm= (which is a bit weird because those seem to get discovered as expected)
Any thoughts on routes of troubleshooting would be very appreciated.
many thanks, L.
2 years, 11 months
primary group ID for AD users
by iulian roman
Hello,
I would like to know how the primary group id is calculated for trusted users from AD. For example, all users in AD have the primary group 'domain users'. I see on the IPA side that the gid is different for all users who have the primary group 'domain users' in AD. Is the algorithm different when calculating primary groups than when generating an ID for all other groups?
2 years, 11 months
How to import OpenLDAP data to FreeIPA
by G Col
Hello,
I would like to get more details about how to import OpenLDAP data into FreeIPA. Perhaps there is some documentation on this topic.
Thank you for your help,
gcol
2 years, 11 months
Error issuing cert with IP address in SAN
by Ian Pilcher
I am getting an odd error when trying to issue a certificate with an IP address in its SAN. I am using IPA 4.6.8 on RHEL 7.9, so it's a bit old, but it should work, AFAIK.
Here is the host for which I want to issue the certificate:
$ ipa host-show node01-idrac.pemlab.rdu2.redhat.com
Host name: node01-idrac.pemlab.rdu2.redhat.com
Principal name:
host/node01-idrac.pemlab.rdu2.redhat.com@PEMLAB.RDU2.REDHAT.COM
Principal alias:
host/node01-idrac.pemlab.rdu2.redhat.com@PEMLAB.RDU2.REDHAT.COM
Password: False
Keytab: False
Managed by: node01-idrac.pemlab.rdu2.redhat.com
Here is the CSR:
$ openssl req -noout -text -in node01-idrac.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=node01-idrac.pemlab.rdu2.redhat.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
⋮
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:node01-idrac.pemlab.rdu2.redhat.com,
DNS:node01-idrac, DNS:10.11.173.11
Signature Algorithm: sha256WithRSAEncryption
⋮
The DNS records:
$ ipa dnsrecord-show pemlab.rdu2.redhat.com node01-idrac
Record name: node01-idrac
A record: 10.11.173.11
$ ipa dnsrecord-show 173.11.10.in-addr.arpa 11
Record name: 11
PTR record: node01-idrac.pemlab.rdu2.redhat.com.
$ ipa cert-request node01-idrac.csr --certificate-out node01-idrac.crt \
--principal host/node01-idrac.pemlab.rdu2.redhat.com@PEMLAB.RDU2.REDHAT.COM
ipa: ERROR: The service principal for subject alt name 10.11.173.11 in certificate request does not exist
From my examination of ipaserver/plugins/cert.py, I don't think that this has anything to do with validation of the IP address, as the exception seems to be raised before _validate_san_ips ever gets called. Beyond that, however, I really don't know what's going on.
I've filed this as https://bugzilla.redhat.com/show_bug.cgi?id=1960041, but I was wondering if anyone on this list has seen this behavior or can spot an error that I'm making.
Thanks!
--
========================================================================
In Soviet Russia, Google searches you!
========================================================================
2 years, 11 months
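In the CSR quoted above the address is carried as a dNSName entry (DNS:10.11.173.11) rather than an iPAddress entry, and IPA's cert-request checks dNSName entries against existing host/service principals, which is the check the error message names. The following is an added example, not code from the post or from FreeIPA: it parses the SAN section of `openssl req -noout -text` output, flags IP literals that were encoded as DNS names, and rebuilds the openssl subjectAltName spec with IP: entries. The sample text is constructed from the post's CSR; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the SAN section of "openssl req -noout -text" output,
# reproducing the entries shown in the post (the IP is carried as a DNS name).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Requested Extensions:
        X509v3 Subject Alternative Name:
            DNS:node01-idrac.pemlab.rdu2.redhat.com,
            DNS:node01-idrac, DNS:10.11.173.11
    Signature Algorithm: sha256WithRSAEncryption
"""

# One SAN item as openssl prints it; an IP entry prints as "IP Address:x.x.x.x".
SAN_ITEM = re.compile(r"^(DNS|IP Address|email|URI|othername|Registered ID):(.*)$")


def parse_san(text):
    """Return the (type, value) pairs listed under the SAN extension, in order."""
    entries, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("X509v3 Subject Alternative Name"):
            collecting = True
            continue
        if not collecting:
            continue
        items = [i.strip() for i in line.split(",") if i.strip()]
        matches = [SAN_ITEM.match(i) for i in items]
        if not items or not all(matches):
            break  # reached the next extension or the signature section
        entries.extend((m.group(1), m.group(2).strip()) for m in matches)
    return entries


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def misencoded_ip_sans(entries):
    """DNS entries whose value is an IP literal: IPA looks these up as host names."""
    return [v for k, v in entries if k == "DNS" and _is_ip(v)]


def corrected_san_spec(entries):
    """Rebuild the SAN as an openssl subjectAltName spec, using IP: entries."""
    fix = set(misencoded_ip_sans(entries))
    parts = ["IP:" + v if k == "IP Address" or v in fix else f"{k}:{v}" for k, v in entries]
    return "subjectAltName=" + ",".join(parts)
```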
kinit: Cannot find KDC for realm "mgmt-062-ad.internal2.example.com@NTERNAL2.EXAMPLE.COM" while getting initial credentials
by pxg51214 r
Hello,
I apologize if this has been previously resolved. I am new to the FreeIPA product. Our ops team has created a keytab (please kindly see below for the command used)
on a Windows AD server. I copied the keytab file, along with the KDC and root-CA certificates, to a RedHat Linux system,
added a second REALM entry in /etc/krb5.conf (per Google blog recommendations) and tried 'kinit' (please
see the command used below).
The CLI response (error) is listed below, and I would appreciate guidance on the possible root causes and remedies.
Thank you very much.
-Chris
#----- Linux system configuration (the server where the keytab is placed for automation) --------------------------------------------------------
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.3 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.3"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.3 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.3:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.3"
#---- Windows AD server configuration (the server where the keytab is created) ---------------------------------------------------------------
PS C:\temp> systeminfo
Host Name: MGMT-062-AD
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: EXAMPLE, Inc
Registered Organization: EXAMPLE.COM
Product ID: 00429-70000-00000-AA235
Original Install Date: 3/25/2020, 8:52:14 PM
System Boot Time: 4/14/2021, 5:18:21 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2600 Mhz
BIOS Version: Xen 4.7<denied>, 12/14/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 16,380 MB
Available Physical Memory: 12,006 MB
Virtual Memory: Max Size: 18,812 MB
Virtual Memory: Available: 14,772 MB
Virtual Memory: In Use: 4,040 MB
Page File Location(s): C:\pagefile.sys
Domain: internal2.example.com
Logon Server: \\MGMT-062-AD
Hotfix(s): 16 Hotfix(s) Installed.
[01]: KB4601558
[02]: KB4494174
[03]: KB4516115
[04]: KB4523204
[05]: KB4535680
[06]: KB4539571
[07]: KB4549947
[08]: KB4562562
[09]: KB4580325
[10]: KB4587735
[11]: KB4598480
[12]: KB4601393
[13]: KB5000859
[14]: KB5001404
[15]: KB5003243
[16]: KB5003171
Network Card(s): 1 NIC(s) Installed.
[01]: XenServer PV Network Device
Connection Name: Ethernet 2
DHCP Enabled: No
IP address(es)
[01]: 10.93.178.118
[02]: fe80::580:2a39:3c96:efa0
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\temp>
#----- Command used on Windows AD server (mgmt-062-ad) to create the keytab file ---------------------------------------------------------------
C:/> ktpass -out ldap-ad-2.keytab -princ ldap@mgmt-062-ad.internal2.example.com@INTERNAL2.EXAMPLE.COM +rndPass -mapUser ldap@INTERNAL2.EXAMPLE.COM -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
#------ Error message ---------------------------------------------------------------
$ klist -kt ldap-ad-2.keytab
Keytab name: FILE:ldap-ad-2.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
18 12/31/1969 18:00:00 ldap@mgmt-062-ad.internal2.example.com\@INTERNAL2.EXAMPLE.COM
#------ KRB5 Configuration File ---------------------------------------------------------------
$ cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = INTERNAL.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
INTERNAL.EXAMPLE.COM = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
INTERNAL2.EXAMPLE.COM = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.DomainController.Cert.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.RootCA.Cert.pem
}
[domain_realm]
.internal..example.com = INTERNAL.EXAMPLE.COM
internal..example.com = INTERNAL.EXAMPLE.COM
mgmt-027-auto.mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
.mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
2 years, 11 months
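In the klist output above the keytab entry prints as ldap@mgmt-062-ad.internal2.example.com\@INTERNAL2.EXAMPLE.COM; klist backslash-escapes a '@' (or '/') that is part of a component or realm rather than a separator, so the escape shows where the stored name ends and the stored realm begins. The following is an added example, not code from the post or from MIT krb5: it parses and unparses principal strings under those escaping rules so the name and realm a keytab entry actually carries can be compared with the usual service/host@REALM form. The two principal strings are taken from the post; the function names are the example's own.

```python
# Principal strings from the post: the keytab entry as klist printed it, and
# the service-principal form (service/host@REALM) one would normally expect.
KEYTAB_PRINCIPAL = r"ldap@mgmt-062-ad.internal2.example.com\@INTERNAL2.EXAMPLE.COM"
EXPECTED_PRINCIPAL = "ldap/mgmt-062-ad.internal2.example.com@INTERNAL2.EXAMPLE.COM"


def parse_principal(text):
    """Split a printed principal into (components, realm).

    A backslash makes the next character literal.  An unescaped '/' separates
    name components and the first unescaped '@' starts the realm; this mirrors
    how klist escapes names that themselves contain '/', '@' or '\\'.
    """
    components, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # escaped character: keep it literally
            i += 2
            continue
        if ch == "/" and not in_realm:
            components.append("".join(cur))
            cur = []
        elif ch == "@" and not in_realm:
            components.append("".join(cur))
            cur, in_realm = [], True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return components, "".join(cur)
    components.append("".join(cur))
    return components, None


def _esc(part):
    return "".join("\\" + c if c in "/@\\" else c for c in part)


def unparse_principal(components, realm):
    """Inverse of parse_principal: escape '/', '@' and '\\' inside each part."""
    name = "/".join(_esc(c) for c in components)
    return name if realm is None else name + "@" + _esc(realm)


def is_service_principal(text, service, host, realm):
    """True when text names exactly service/host@realm after unescaping."""
    return parse_principal(text) == ([service, host], realm)
```

Running parse_principal on the keytab string yields a single component "ldap" with everything after the first '@' as the realm, which is what the kinit error in the subject line reports as the realm it cannot find a KDC for.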