No more automatic web UI login with Kerberos
by Kees Bakker
Hi,
Before I recently upgraded my CentOS 8 Stream masters I was able
to automatically login using the Kerberos ticket.
On the older (CentOS 7) that still works. But not on the two newer
systems.
Every time I refresh the login page a new file is created in /run/ipa/ccaches,
and the following shows up in the log.
jul 13 14:49:36 iparep4.example.com [577]: GSSAPI client step 1
jul 13 14:49:36 iparep4.example.com [577]: GSSAPI client step 1
jul 13 14:49:36 iparep4.example.com [577]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
jul 13 14:49:37 iparep4.example.com [576]: GSSAPI client step 1
jul 13 14:49:37 iparep4.example.com [576]: GSSAPI client step 1
jul 13 14:49:37 iparep4.example.com [576]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Logging in with a username and password still works, but not the
automatic Kerberos login.
How can I debug this further?
--
Kees
2 years, 8 months
Changing IPA AD Account sync to new AD domain
by Jim Kilborn
We have migrated our AD users to a new domain (ie example.com -> examplenew.com)
and I now need to change our IPA AD sync replication to use the new
domain. I can remove the old replication agreement and create the new
one, but my question is what happens to the users accounts. The AD
usernames didn't change during the migration, but the SID will be
different due to it being a new account in a new domain. Will IPA just
associate that username with the one already in IPA, or will it try
to create another account with a different UID/GID in IPA?
2 years, 8 months
healthcheck complains about a removed replica
by Kees Bakker
Hi,
After installing a new replica and running
/usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
I'm getting this error
keyctl_search: Required key not available
Enter password for Internal Key Storage Token:
Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc473262a90>: Failed to establish a new connection: [Errno 113] No route to host',))
[
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
"when": "20210528150818Z",
"duration": "30.348789",
"kw": {
"status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
}
}
]
First, it is asking for a password, and I have no clue for what. I've
tried the admin password and the Directory Manager password. It
makes no difference.
Second, it tries to connect to a replica that was removed several months
ago. Both ipa-replica-manage list and ipa-csreplica-manage show the
correct list of masters that we currently have.
Where does ipa-healthcheck get the information from to query the removed
replica?
BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The first two give
this healthcheck error, the CentOS 7 master does not.
--
Kees
2 years, 8 months
ldap_extended_operation fails on the client
by iulian roman
Hello everybody,
In the client logs I get the error below when querying AD users:
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Time limit exceeded(3), (null).
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs might contain more details.
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158229]: Network I/O Error.
I've enabled nss debug on the server, and for that timestamp, the error is:
(2021-07-13 10:47:46): [nss] [cache_req_search_cache] (0x0020): CR #415: Multiple objects were found when only one was expected!
(2021-07-13 10:47:46): [nss] [cache_req_process_result] (0x0400): CR #415: Finished: Error 1432158305: Multiple objects were found when only one was expected
(2021-07-13 10:47:46): [nss] [nss_protocol_done] (0x4000): Sending reply: error [1432158305]: Multiple objects were found when only one was expected
(2021-07-13 10:47:46): [nss] [client_recv] (0x0200): Client disconnected!
(2021-07-13 10:47:46): [nss] [client_close_fn] (0x2000): Terminated client [0x55930a1916f0][12]
The GID it is trying to search corresponds to "Domain Users" group from AD (GID:1768200513), which is the default primary group for all users.
ldbsearch against the cache shows only one dn: entry for "Domain Users". Nevertheless, when running the groups command for any user, it displays:
"cannot find name for group ID 1768200513 "
getent group 1768200513 does not resolve the group name to "Domain Users" either.
Any hint or help would be really appreciated.
2 years, 8 months
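The post above shows the usual shape of this kind of problem: the client's sssd domain log only says that the extended operation failed, and the real cause ("Multiple objects were found") sits in the server's nss log at the same second. The following Python script is an added example, not code from the post or from SSSD. It parses both log formats (the asctime-style timestamps of the client log and the ISO-style timestamps of the server log), keeps only the failure-class messages, joins client failures to server failures that occurred within a few seconds, and pulls out the numeric SSSD error codes so they can be grepped for. The sample lines are a constructed copy of the excerpts quoted above; the function names, the time window and the failure mask (SSSD's debug_level bits 0x0010 to 0x0080) are this example's own choices.

```python
"""Correlate SSSD client-side failures with server-side errors by timestamp.

Added example, not code from the mailing-list post or from SSSD. The two log
excerpts are constructed copies of the lines quoted in the post (the client's
sssd_<domain>.log and the server's sssd_nss.log).
"""
import re
from datetime import datetime, timedelta

# Constructed sample: client log. The first line has no timestamp, as in the post.
CLIENT_LOG = """\
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Time limit exceeded(3), (null).
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs might contain more details.
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158229]: Network I/O Error.
"""

# Constructed sample: server nss log for the same second.
SERVER_LOG = """\
(2021-07-13 10:47:46): [nss] [cache_req_search_cache] (0x0020): CR #415: Multiple objects were found when only one was expected!
(2021-07-13 10:47:46): [nss] [cache_req_process_result] (0x0400): CR #415: Finished: Error 1432158305: Multiple objects were found when only one was expected
(2021-07-13 10:47:46): [nss] [nss_protocol_done] (0x4000): Sending reply: error [1432158305]: Multiple objects were found when only one was expected
(2021-07-13 10:47:46): [nss] [client_recv] (0x0200): Client disconnected!
(2021-07-13 10:47:46): [nss] [client_close_fn] (0x2000): Terminated client [0x55930a1916f0][12]
"""

# SSSD writes two timestamp shapes depending on daemon/version: asctime style
# on the client above, ISO style in the server's nss log.
TS_FORMATS = ("%a %b %d %H:%M:%S %Y", "%Y-%m-%d %H:%M:%S")
TS_RE = re.compile(r"^\((?P<ts>[^)]+)\)")
# The last "[function] (0xLEVEL): message" part; nested brackets like
# [sssd[be[domain]]] never match because of the dots and inner brackets.
BODY_RE = re.compile(r"\[(?P<func>[A-Za-z0-9_]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# In SSSD's debug_level bitmask the bits 0x0010..0x0080 are the failure
# classes (fatal, critical, operation, minor); higher bits are tracing.
FAILURE_MASK = 0x00F0


def parse_timestamp(raw):
    """Try each known timestamp layout; return None if none fits."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    return None


def parse_line(line):
    """Turn one SSSD log line into a dict, or None for lines without a level."""
    body = BODY_RE.search(line)
    if not body:
        return None
    ts = TS_RE.match(line)
    return {
        "ts": parse_timestamp(ts.group("ts")) if ts else None,
        "func": body.group("func"),
        "level": int(body.group("level"), 16),
        "msg": body.group("msg").strip(),
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failures(events):
    """Keep only messages logged at one of the failure debug levels."""
    return [e for e in events if e["level"] & FAILURE_MASK]


def correlate(client_events, server_events, window=2):
    """For each timestamped client failure, collect server failures within +/- window seconds."""
    delta = timedelta(seconds=window)
    server_fail = [e for e in failures(server_events) if e["ts"]]
    out = []
    for c in failures(client_events):
        if c["ts"] is None:  # cannot place an undated line on the timeline
            continue
        near = [s for s in server_fail if abs(s["ts"] - c["ts"]) <= delta]
        out.append({"client": c, "server": near})
    return out


def error_codes(events):
    """Collect numeric SSSD error codes such as '[1432158229]' or 'Error 1432158305'."""
    codes = set()
    for e in events:
        codes.update(int(m) for m in re.findall(r"(?:\[|Error )(\d{6,})", e["msg"]))
    return codes


if __name__ == "__main__":
    client, server = parse_log(CLIENT_LOG), parse_log(SERVER_LOG)
    for m in correlate(client, server):
        print(m["client"]["ts"], m["client"]["func"], "->", [s["msg"] for s in m["server"]])
    print("client codes:", error_codes(client), "server codes:", error_codes(server))
```

Run it against real files by replacing the two sample strings with the contents of the client domain log and the server nss log; a wider window is needed when the clocks of client and server are not synchronised, which is itself worth checking first.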
Using Subject Alternative Name in smart card certificate for authentication
by Angelo Alvarez
Aloha. I've configured our IdM server as an OpenLDAP identity provider for our VMware vCenter 6.7 server. I'm able to log in to our vCenter as the IdM user with username and password, but I'm unable to authenticate using smart card authentication. My IdM domain is "xxxx.xxxx.mil", but my smart card is issued by the DoD, and the Subject Alternative Name (SAN) on my identity certificate shows e.g. "Principal Name=1234567897000@mil". When we used Active Directory authentication with vCenter, the user account properties for UPN needed to match the SAN value (e.g. 1234567897000@mil) from the user's identity certificate. That said, if our domain name is "xxxx.xxxx.mil", is it possible to have an IdM user account with username "first.last.usr" and an SSL certificate mapping that uses all or a portion of the SAN value (e.g. "Principal Name=123456789700@mil") for smart card authentication?
2 years, 8 months
smart card authentication
by Angelo Alvarez
Aloha. If I configure users to authenticate using smart card, is it possible to disable the user's password, so it can no longer be used for authentication and does not require updating every 60 days, etc.?
2 years, 8 months
ipahealthcheck: ldapsearch finds no replconflict but dsconf does
by Kees Bakker
Hi,
ipahealthcheck gives me this warning
[
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
"when": "20210709182051Z",
"duration": "45.967890",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
}
}
]
ldapsearch does not reveal any hit; however, dsconf does.
[root@linge ~]# ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(nsds5ReplConflict=*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (nsds5ReplConflict=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[root@linge ~]# dsconf slapd-EXAMPLE-COM repl-conflict list o=ipaca
dn: cn=iparep4.example.com:443+nsuniqueid=ee993401-84ef11eb-93f498e2-54354ddc,cn=CAList,ou=Security Domain,o=ipaca
Clone: TRUE
DomainManager: TRUE
SecureAdminPort: 443
SecureAgentPort: 443
SecureEEClientAuthPort: 443
SecurePort: 443
SubsystemName: CA iparep4.example.com 8443
UnSecurePort: 80
cn: iparep4.example.com:443
host: iparep4.example.com
nsds5replconflict: namingConflict (ADD) cn=iparep4.example.com:443,cn=calist,ou=security domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
objectClass: ldapsubentry
How is that possible?
--
Kees
2 years, 8 months
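Both of Kees's healthcheck posts above quote the JSON that ipa-healthcheck emits, one result with a kw.status string and one with a kw.msg and a key. The following Python script is an added example, not code from either post nor from the ipa-healthcheck project: it reads that JSON the way a cron job or monitoring agent would (ipa-healthcheck --output-type json), pulls a readable message out of either kw layout, filters by severity, and yields an exit code. The sample input is a constructed list made from the two results quoted on this page plus one placeholder SUCCESS entry; the function names and the severity ranking are this example's own.

```python
"""Filter ipa-healthcheck JSON output for results that need attention.

Added example, not code from the mailing-list posts or from ipa-healthcheck.
Reads a JSON file given as the first argument, or the constructed sample below.
"""
import json
import sys

# Result strings used by ipa-healthcheck, ranked so they can be compared.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample: the two results quoted in the posts above, plus one
# placeholder SUCCESS entry, in the list layout ipa-healthcheck emits.
SAMPLE_OUTPUT = r"""[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
    "when": "20210528150818Z",
    "duration": "30.348789",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "WARNING",
    "uuid": "237f4271-6e93-4d42-a15d-accdb936e51b",
    "when": "20210709182051Z",
    "duration": "45.967890",
    "kw": {
      "key": "DSREPLLE0002",
      "items": ["Replication", "Conflict Entries"],
      "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
    }
  },
  {
    "source": "placeholder.source",
    "check": "PlaceholderCheck",
    "result": "SUCCESS",
    "uuid": "00000000-0000-0000-0000-000000000000",
    "when": "20210709182051Z",
    "duration": "0.1",
    "kw": {"key": "placeholder"}
  }
]"""


def parse_healthcheck(text):
    """Parse the JSON list; ipa-healthcheck always emits a list, so reject anything else."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of results")
    return data


def message_for(result):
    """Pick a readable message: most checks use kw.msg, the pki clone check uses kw.status.

    Some checks leave {placeholders} in msg that name other kw keys, so try
    to fill them in and fall back to the raw text if that is not possible.
    """
    kw = result.get("kw", {})
    msg = kw.get("msg") or kw.get("status") or ""
    try:
        return msg.format(**kw)
    except (KeyError, IndexError, ValueError):
        return msg


def needs_attention(results, threshold="WARNING"):
    """Return results at or above the threshold severity, worst first."""
    minimum = SEVERITY[threshold]
    flagged = []
    for r in results:
        # An unknown result string is treated as CRITICAL rather than silently dropped.
        sev = SEVERITY.get(r.get("result", ""), SEVERITY["CRITICAL"])
        if sev >= minimum:
            flagged.append({
                "source": r.get("source"),
                "check": r.get("check"),
                "result": r.get("result"),
                "key": r.get("kw", {}).get("key"),
                "msg": message_for(r),
            })
    flagged.sort(key=lambda f: -SEVERITY.get(f["result"], SEVERITY["CRITICAL"]))
    return flagged


def worst_result(results):
    return max((r.get("result", "SUCCESS") for r in results),
               key=lambda s: SEVERITY.get(s, SEVERITY["CRITICAL"]), default="SUCCESS")


def exit_code(results):
    """Non-zero whenever anything is not SUCCESS, so a cron wrapper can alert on it."""
    return 0 if worst_result(results) == "SUCCESS" else 1


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    parsed = parse_healthcheck(text)
    for item in needs_attention(parsed):
        print(f"{item['result']:8} {item['source']} / {item['check']} [{item['key']}]: {item['msg']}")
    sys.exit(exit_code(parsed))
```

The script deliberately keeps the source and check names in its output, because those are what you need to re-run a single check with --source and --check when chasing one finding such as the stale clone entry in the first post.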
Certificate profile to ignore (drop) email in SAN - possible?
by Ian Pilcher
I've hit a roadblock while trying to generate a certificate for a VMware
vSphere appliance.
The VMware "Certificate Management" tool doesn't allow one to upload a
certificate and key. Instead, one has to generate a CSR in the VMware
GUI which then gets submitted to the CA (IPA in this case).
Unfortunately, the VMware tool refuses to generate a CSR that does not
include an email address in its subject alternative names extension, and
IPA refuses to issue a host or service certificate that includes an
email address.
Is it possible to create a certificate profile that will simply ignore
the email address (i.e. not include it in the SAN of the issued
certificate)?
--
========================================================================
In Soviet Russia, Google searches you!
========================================================================
2 years, 8 months
Multiple ID views question
by iulian roman
Hello,
Due to the fact that I have some issues with ID views and different sssd versions, I tried a different approach. I created a second ID view, where I do override some users only for a group of systems. The override in the second ID view (both for users and groups) is different from the one in the main Default Trust View.
Is that supported, because as far as I can see on the IPA server, it still uses the main ID view when it does the query instead of the second ID view I created, although on the client I can see that the query is on the second ID view? How will the cache on the IPA client and IPA server get in sync?
2 years, 8 months