August 2021 - FreeIPA-users - Fedora Mailing-Lists

ipa user-del fails with `ipa: ERROR: non-public: KeyError: 'ipauniqueid'`

by Tiemen Ruiten

Hello, OS: up-to-date CentOS 8, ipa versions 4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 I'm getting a traceback in the httpd log when I try to delete a test user. See below. It appears the ipaUniqueId is missing for the user? I can see the user with ipa user-show: [root@ipa-02 /]# ipa user-show tet User login: tet First name: Last name: Account disabled: True Password: False Kerberos keys available: False But not with ipa user-find: [root@ipa-02 /]# ipa user-find tet --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- It also isn't visible in the web interface. How can I delete this user? [Tue Aug 03 12:22:02.769800 2021] [:warn] [pid 69915:tid 139855196710656] [client 10.100.120.13:34894] failed to set perms (3140) on file (/run/ipa/ccaches/admin(a)I.TECH-LAB.IO-59LxxO)!, referer: https://ipa-02.i.tech-lab.io/ipa/xml [Tue Aug 03 12:22:02.786834 2021] [wsgi:error] [pid 69340:tid 139855208355584] [remote 10.100.120.13:34894] ipa: INFO: [jsonserver_session] admin(a)I.TECH-LAB.IO: ping(): SUCCESS [Tue Aug 03 12:22:02.790684 2021] [:warn] [pid 69915:tid 139855179925248] [client 10.100.120.13:34894] failed to set perms (3140) on file (/run/ipa/ccaches/admin(a)I.TECH-LAB.IO-59LxxO)!, referer: https://ipa-02.i.tech-lab.io/ipa/xml *[Tue Aug 03 12:22:03.126949 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894 <http://10.100.120.13:34894>] ipa: ERROR: non-public: KeyError: 'ipauniqueid'* [Tue Aug 03 12:22:03.127067 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] Traceback (most recent call last): [Tue Aug 03 12:22:03.127075 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in wsgi_execute [Tue Aug 03 12:22:03.127081 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] result = command(*args, **options) [Tue Aug 03 12:22:03.127086 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__ [Tue Aug 03 12:22:03.127092 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] return self.__do_call(*args, **options) [Tue Aug 03 12:22:03.127133 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call [Tue Aug 03 12:22:03.127140 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] ret = self.run(*args, **options) [Tue Aug 03 12:22:03.127145 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run [Tue Aug 03 12:22:03.127150 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] return self.execute(*args, **options) [Tue Aug 03 12:22:03.127155 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/user.py", line 802, in execute [Tue Aug 03 12:22:03.127160 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] return super(user_del, self).execute(*keys, **options) [Tue Aug 03 12:22:03.127165 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1678, in execute [Tue Aug 03 12:22:03.127171 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] delete_entry(pkey) [Tue Aug 03 12:22:03.127176 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1629, in delete_entry [Tue Aug 03 12:22:03.127181 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] dn = callback(self, ldap, dn, *nkeys, **options) [Tue Aug 03 12:22:03.127186 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/user.py", line 759, in pre_callback [Tue Aug 03 12:22:03.127191 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn) [Tue Aug 03 12:22:03.127197 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/idviews.py", line 700, in remove_ipaobject_overrides [Tue Aug 03 12:22:03.127202 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] object_uuid = entry.single_value['ipaUniqueID'] [Tue Aug 03 12:22:03.127207 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 639, in __getitem__ [Tue Aug 03 12:22:03.127212 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] value = self._entry[name] [Tue Aug 03 12:22:03.127217 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 514, in __getitem__ [Tue Aug 03 12:22:03.127222 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] return self._get_nice(name) [Tue Aug 03 12:22:03.127227 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 481, in _get_nice [Tue Aug 03 12:22:03.127233 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] name = self._get_attr_name(name) [Tue Aug 03 12:22:03.127237 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 477, in _get_attr_name [Tue Aug 03 12:22:03.127243 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] name = self._names[name] [Tue Aug 03 12:22:03.127248 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 656, in __getitem__ [Tue Aug 03 12:22:03.127276 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] return super(CIDict, self).__getitem__(key.lower()) [Tue Aug 03 12:22:03.127295 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] KeyError: 'ipauniqueid' [Tue Aug 03 12:22:03.127309 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] [Tue Aug 03 12:22:03.127736 2021] [wsgi:error] [pid 69338:tid 139855208355584] [remote 10.100.120.13:34894] ipa: INFO: [jsonserver_session] admin(a)I.TECH-LAB.IO: user_del/1(['tet'], version='2.240'): InternalError -- Tiemen Ruiten Infrastructure Engineer

2 years, 8 months

2
2
0 / 0

Accepting CSR with multiple, wrong Subject Alternate Names

by Nerd Invert

I have a piece of equipment with a web interface, for which I would like to generate a certificate. The web interface supports generating a CSR, but it's not possible to customize very much, and this gives problems when trying to feed the CSR into FreeIPA. The relevant parts of the CSR look like this: Certificate Request: Data: Version: 2 (0x2) Subject: emailAddress=redacted(a)example.com, C=redacted, ST=redacted, L=redacted, O=redacted, OU=redacted, CN=equipment0.example.local Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: ... Exponent: redacted Attributes: Requested Extensions: X509v3 Subject Key Identifier: AB:84:B3:86:45:E9:66:86:F2:35:FB:88:56:B4:36:B4:1A:6A:B1:86 X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:equipment0.example.local, DNS:169.254.0.1, IP Address:169.254.0.1 Signature Algorithm: sha256WithRSAEncryption ... When feeding this CSR to FreeIPA, I get the following error: The service principal for subject alt name 169.254.0.1 in certificate request does not exist I don't know where this 169.254.0.1 comes from, or how to change this. Is there a workaround to make FreeIPA accept this? Can I create that as a HTTP service and attach to the host?

2 years, 8 months

2
2
0 / 0

post-save command to "ipa-getcert request" not working

by Ranbir

Hello Everyone, I'm running an updated CentOS 8 KVM on an up to date CentOS 7 host. My freeipa servers CentOS 7 hosts and fully updated, too. In the KVM I'm requesting a certificate from my freeipa CA, which in and of itself works just find. But, when I add a post-save command, that command is never executed. Here's the request I'm making: ipa-getcert request -g 2048 -k /etc/pki/containers/sabnzbd- server/sabnzbd-server.key -f /etc/pki/containers/sabnzbd- server/sabnzbd-server.cert -K HTTP/sabnzbd.theinside.rnr -N "CN=sabnzbd.theinside.rnr,O=THEINSIDE.RNR" -D sabnzbd.theinside.rnr -C /usr/local/sbin/sabnzbd-server-certs -v -w The content of that script is just a one liner for podman to copy the contents of the /etc/pki/containers/sabnzbd-server/ directory to my container. The script works without issue if I run it manually. I'm also able to successfully run the podman command at a terminal. At first I had the command in the script entered directly in the request, which also didn't work. The bash script was my last attempt at getting the post-save command to work. I don't see any errors in the logs or in the terminal. In fact, it looks like certmonger doesn't even attempt to run the post-save command. Here's a short snippet from the log: -- Logs begin at Sat 2021-07-24 17:02:34 EDT, end at Mon 2021-07-26 00:43:48 EDT. -- Jul 26 00:16:16 containment01 certmonger[109481]: Certificate in file "/etc/pki/containers/sabnzbd-server/sabnzbd-server.cert" issued by CA and saved. Jul 26 00:16:16 containment01 certmonger[30743]: 2021-07-26 00:16:16 [30743] No hooks set for pre-save command. Jul 26 00:16:16 containment01 certmonger[30743]: 2021-07-26 00:16:16 [30743] Certificate issued (0 chain certificates, 0 roots). Jul 26 00:16:16 containment01 certmonger[30743]: ". Jul 26 00:16:16 containment01 certmonger[30743]: -----END CERTIFICATE----- Am I doing something wrong or have I hit a bug? -- Ranbir

2 years, 8 months

4
14
0 / 0

Directory server won't start

by Fred Wittekind

CentOS 7 machine, this happened after a power outage. Not sure if issue is because of some damage done during the power outage itself, or the fact the server uptime and last restart of IPA was a long time ago. This is the error I get in the logs: [02/Aug/2021:13:55:21.187419692 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/typhoon.dragon(a)DRAGON.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) Server name I'm trying to start the service on is typhoon.dragon. I'm not sure how to fix this one, any help would be appreciated.

2 years, 8 months

2
1
0 / 0

ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0003: The time skew is over 24 hours.

by Louis Lagendijk

Some time ago I hosed my freeipa setup (RHEL8, 3 servers), probably by starting yum update pretty much at the same time, without realizing that it would be better to spread it out a bit. This was at the time I got the RHEL 8.4 updates. One server seemed pretty messed up, so I deleted it from the topology and re-executed the ipa-replica-install. I deleted some duplicates from the replication, manally fixed the password issue from https://github.com/dogtagpki/pki/issues/3650 on the re-installed server. ipa-healthcheck now reports: [root@ipa1 ipa-tools]# ipa-healthcheck --failures-only --output-type human CRITICAL: ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0003: The time skew is over 24 hours. Setting nsslapd-ignore-time-skew to "on" on each replica will allow replication to continue, but if the time skew continues to increase other serious replication problems can occur. ERROR: ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0002: The time skew is over 12 hours. If this time skew continues to increase to 24 hours then replication can potentially stop working. Please continue to monitor the time skew offsets for increasing values. Setting nsslapd- ignore-time-skew to "on" on each replica will allow replication to continue, but if the time skew continues to increase other more serious replication problems can occur. I got the following from ds389: [root@ipa1 ipa-tools]# dsctl slapd-HOME-FAZANT-NET get-nsstate Replica DN: cn=replica,cn=dc\3dhome\2cdc\3dfazant\2cdc\3dnet,cn=mappi ng tree,cn=config Replica Suffix: dc=home,dc=fazant,dc=net Replica ID: 21 Gen Time: 1627578955 Gen Time String: Thu Jul 29 19:15:55 2021 Gen as CSN: 6102e24b000400210000 Local Offset: 0 Local Offset String: 0 seconds Remote Offset: 591807 Remote Offset String: 6 days, 20 hours, 23 minutes, 27 seconds Time Skew: 591807 Time Skew String: 6 days, 20 hours, 23 minutes, 27 seconds Seq Num: 4 System Time: Thu Jul 29 19:17:08 2021 Diff in Seconds: 73 Diff in days/secs: 0:73 Endian: Little Endian Replica DN: cn=replica,cn=o\3dipaca,cn=mapping tree,cn=config Replica Suffix: o=ipaca Replica ID: 22 Gen Time: 1627578483 Gen Time String: Thu Jul 29 19:08:03 2021 Gen as CSN: 6102e073000000220000 Local Offset: 0 Local Offset String: 0 seconds Remote Offset: 81231 Remote Offset String: 22 hours, 33 minutes, 51 seconds Time Skew: 81231 Time Skew String: 22 hours, 33 minutes, 51 seconds Seq Num: 0 System Time: Thu Jul 29 19:17:08 2021 Diff in Seconds: 545 Diff in days/secs: 0:545 Endian: Little Endian I have no idea how to solve this issue. Apparently my google-fu is not strong enough to find a solution. Can you guys please give me some hints? Thanks. Louis

2 years, 8 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2021