May 2021 - FreeIPA-users - Fedora Mailing-Lists

by iulian roman

Hello everybody, I try to override some uid and gid for AD users in Idm (I added all users for which I need to override attributes in Default Trust View) and although everything works properly on both IdM server and replica, I cannot query the users on the ipa clients. Any other users (which are not part of the Default Trust View) are visible and groups displayed correctly on ipa clients. So far, I have removed cache on both ipa server and client, restarted sssd , removed /var/lib/sss/db/* but no success. I have enabled debugging as well for sss, nss , but nothing relevant . The odd thing is that sometimes I could query some of the users for which override was configured , but I do not know why (I tried to correlate with the group membership, number of groups the user is member of, etc but unsuccessfully ). On the ipa clients the sssd version I use is 1.16.1 and on the ipa server sssd version is 2.3.0 . Can that make a difference or be the cause of the issue ? Any hint where I should look into would be really appreciated.

2 years, 11 months

4
11
0 / 0

dirsrv hangs soon after reboot

by Kees Bakker

Hey, I'm looking for advice how to analyse/debug this. On one of the masters the dirsrv is unresponsive. It runs, but every attempt to connect it hangs. The command "systemctl status" does not show anything alarming ● dirsrv(a)EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled) Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS) Main PID: 3134 (ns-slapd) Status: "slapd started: Ready to process requests" CGroup: /system.slice/system-dirsrv.slice/dirsrv(a)EXAMPLE-COM.service └─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2 apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1 apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2 However, an ldapsearch command hangs forever [root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid Enter LDAP Password: Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch command hangs. "ipactl status" hangs "kinit" hangs -- Kees Bakker

2 years, 11 months

5
16
0 / 0

Re: [Freeipa-devel] How to promote replicated master server in freeIPA, if lost first master?

by Florence Renaud

Hi, I'm moving the thread to freeipa-users mailing list as it's a better place for this conversation. The chapter Adjusting IdM clients during recovery <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...> of IdM guide Performing disaster recovery with Identity Management <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...> explains the required steps when a server is removed from the topology. You may also need to update the configuration of your applications if they hard-coded the server name. If the first master was the CA renewal master / CRL generation master, you also need to move these functions to the replica, using the steps from Assigning the CA renewal server role to the RHEL 8 IdM server <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...> and Starting CRL generation on the new RHEL 8 IdM CA server <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...> . HTH, flo On Sat, May 15, 2021 at 6:43 PM Anubhav Gupta via FreeIPA-devel < freeipa-devel(a)lists.fedorahosted.org> wrote: > I have replicated multi-master environment of freeIPA server. Suppose I > have follwoing master server of freeIPA- > > First Master - ipa-server.xyz.com > > Replicated master - ipa-replica.xyz.com > > My all application like Jenkins, GitLab etc use ipa-server.xyz.com to > authenticate. Now I lost my first master server. How can i use my > replicated master server in place of first one ? > _______________________________________________ > FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-devel-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedoraho... > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >

2 years, 11 months

1
0
0 / 0

FreeIPA and SSL with the Web GUI

by Steve Reed

Hey, This is a general question. What is providing SSL for the web GUI? I don't see the ssl module installed with the apache server. That would be the usual way it is done. How is it done for FreeIPA? Thanks, Steve

2 years, 11 months

3
5
0 / 0

when client install ask to download CA cert

by lejeczek

Hi guys I do not see any clear problems and no errors in client log but each time I try to install client process stops: ... No SRV records of NTP servers found and no NTP server or pool address was provided. Using default chrony configuration. Attempting to sync time with chronyc. Time synchronization was successful. Do you want to download the CA cert from http://c8kubermaster2.ton.mko.priv.com/ipa/config/ca.crt ? (this is INSECURE) [no]: --- If I go with 'yes' as the answer then: ... Joining realm failed: SASL Bind failed Invalid credentials Installation failed. Rolling back changes. Disabling client Kerberos and LDAP configurations nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Client uninstall complete. The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information ---- One thing is new and different from all freeIPA deployments I have done in the past, namely REALM =! FQDN but both share a "top level/part". I do not think about that being the root cause. Client install would succeed if I gave it: --server= --domain= --realm= (which is bit weir cause those seem to get discovered as expected) Any thought on routes of troubleshooting very appreciated. many thanks, L.

2 years, 11 months

2
2
0 / 0

primary group ID for AD users

by iulian roman

Hello , I would like to know how is the primary group id calculated for trusted users from AD. For example, all users in AD have primary group 'domain users' . I see on the IPA side that the gid is different for all users who have primary group 'domain users' in AD . Is the algorithm different when calculating primary groups than when generating an ID for all other groups ?

2 years, 11 months

2
2
0 / 0

How to import OpenLDAP data to FreeIPA

by G Col

Hello, I would like to get more details about how to import openldap data to FreeIPA. Perhaps, there is some documentation in reference to this topic. Thank you for your help, gcol

2 years, 11 months

4
5
0 / 0

Error issuing cert with IP address in SAN

by Ian Pilcher

I am getting an odd error when trying to issue a certificate with an IP address in its SAN. I am using IPA 4.6.8 on RHEL 7.9, so it's a bit old, but it should work, AFAIK. Here is the host for which I want to issue the certificate: $ ipa host-show node01-idrac.pemlab.rdu2.redhat.com Host name: node01-idrac.pemlab.rdu2.redhat.com Principal name: host/node01-idrac.pemlab.rdu2.redhat.com(a)PEMLAB.RDU2.REDHAT.COM Principal alias: host/node01-idrac.pemlab.rdu2.redhat.com(a)PEMLAB.RDU2.REDHAT.COM Password: False Keytab: False Managed by: node01-idrac.pemlab.rdu2.redhat.com Here is the CSR: $ openssl req -noout -text -in node01-idrac.csr Certificate Request: Data: Version: 0 (0x0) Subject: CN=node01-idrac.pemlab.rdu2.redhat.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: ⋮ Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Alternative Name: DNS:node01-idrac.pemlab.rdu2.redhat.com, DNS:node01-idrac, DNS:10.11.173.11 Signature Algorithm: sha256WithRSAEncryption ⋮ The DNS records: $ ipa dnsrecord-show pemlab.rdu2.redhat.com node01-idrac Record name: node01-idrac A record: 10.11.173.11 $ ipa dnsrecord-show 173.11.10.in-addr.arpa 11 Record name: 11 PTR record: node01-idrac.pemlab.rdu2.redhat.com. $ ipa cert-request node01-idrac.csr --certificate-out node01-idrac.crt \ --principal host/node01-idrac.pemlab.rdu2.redhat.com(a)PEMLAB.RDU2.REDHAT.COM ipa: ERROR: The service principal for subject alt name 10.11.173.11 in certificate request does not exist From my examination of ipaserver/plugins/cert.py, I don't think that this has anything to do with validation of the IP address, as the exception seem to be raised before _validate_san_ips ever gets called. Beyond that, however, I really don't know what's going on. I've filed this as https://bugzilla.redhat.com/show_bug.cgi?id=1960041, but I was wondering if anyone on this list has seen this behavior or can spot an error that I'm making. Thanks! -- ======================================================================== In Soviet Russia, Google searches you! ========================================================================

2 years, 11 months

1
1
0 / 0

kinit: Cannot find KDC for realm "mgmt-062-ad.internal2.example.com@NTERNAL2.EXAMPLE.COM" while getting initial credentials

by pxg51214 r

Hello, I apologize if this has been previously resolved. I am new to FreeIPA product. Our ops team has created a keytab (please kindly see below for the command used) on a Windows AD server. I copied the keytab file, along with the KDC and root-CA certificates to a RedHat Linux added a second REALM entry in the /etc/krb5.conf (per Google blogs recommendations) and and tried 'kinit' (please see the command used below). The cli response (error) is listed below and I appreciate guidance on the possible root causes and remedies. Thank you very much. -Chris #----- Linux system configuration (the server where the keytab is placed for automation) -------------------------------------------------------- $ cat /etc/os-release NAME="Red Hat Enterprise Linux" VERSION="8.3 (Ootpa)" ID="rhel" ID_LIKE="fedora" VERSION_ID="8.3" PLATFORM_ID="platform:el8" PRETTY_NAME="Red Hat Enterprise Linux 8.3 (Ootpa)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:redhat:enterprise_linux:8.3:GA" HOME_URL="https://www.redhat.com/" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8" REDHAT_BUGZILLA_PRODUCT_VERSION=8.3 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="8.3" #---- Windows AD server configuration (the server where the keytab is created) --------------------------------------------------------------- PS C:\temp> systeminfo Host Name: MGMT-062-AD OS Name: Microsoft Windows Server 2019 Standard OS Version: 10.0.17763 N/A Build 17763 OS Manufacturer: Microsoft Corporation OS Configuration: Primary Domain Controller OS Build Type: Multiprocessor Free Registered Owner: EXAMPLE, Inc Registered Organization: EXAMPLE.COM Product ID: 00429-70000-00000-AA235 Original Install Date: 3/25/2020, 8:52:14 PM System Boot Time: 4/14/2021, 5:18:21 PM System Manufacturer: Xen System Model: HVM domU System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2600 Mhz BIOS Version: Xen 4.7<denied>, 12/14/2020 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 16,380 MB Available Physical Memory: 12,006 MB Virtual Memory: Max Size: 18,812 MB Virtual Memory: Available: 14,772 MB Virtual Memory: In Use: 4,040 MB Page File Location(s): C:\pagefile.sys Domain: internal2.example.com Logon Server: \\MGMT-062-AD Hotfix(s): 16 Hotfix(s) Installed. [01]: KB4601558 [02]: KB4494174 [03]: KB4516115 [04]: KB4523204 [05]: KB4535680 [06]: KB4539571 [07]: KB4549947 [08]: KB4562562 [09]: KB4580325 [10]: KB4587735 [11]: KB4598480 [12]: KB4601393 [13]: KB5000859 [14]: KB5001404 [15]: KB5003243 [16]: KB5003171 Network Card(s): 1 NIC(s) Installed. [01]: XenServer PV Network Device Connection Name: Ethernet 2 DHCP Enabled: No IP address(es) [01]: 10.93.178.118 [02]: fe80::580:2a39:3c96:efa0 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed. PS C:\temp> #----- Command used on Windows AD server (mgmt-062-ad) to create the keytab file --------------------------------------------------------------- C:/> ktpass -out ldap-ad-2.keytab -princ ldap@mgmt-062-ad.internal2.example.com(a)INTERNAL2.EXAMPLE.COM +rndPass -mapUser ldap(a)INTERNAL2.EXAMPLE.COM -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL #------ Error message --------------------------------------------------------------- $ klist -kt ldap-ad-2.keytab Keytab name: FILE:ldap-ad-2.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 18 12/31/1969 18:00:00 ldap@mgmt-062-ad.internal2.example.com\(a)INTERNAL2.EXAMPLE.COM #------ KRB5 Configuration File --------------------------------------------------------------- $ cat /etc/krb5.conf #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = INTERNAL.EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] INTERNAL.EXAMPLE.COM = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } INTERNAL2.EXAMPLE.COM = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.DomainController.Cert.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.RootCA.Cert.pem } [domain_realm] .internal..example.com = INTERNAL.EXAMPLE.COM internal..example.com = INTERNAL.EXAMPLE.COM mgmt-027-auto.mgmt.internal..example.com = INTERNAL.EXAMPLE.COM .mgmt.internal..example.com = INTERNAL.EXAMPLE.COM mgmt.internal..example.com = INTERNAL.EXAMPLE.COM

2 years, 11 months

2
3
0 / 0

Is there an owner or manager of this list?

by Steve Reed

If so, who can I contact? Thanks. Steve

2 years, 11 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2021