ipa user-del fails with `ipa: ERROR: non-public: KeyError: 'ipauniqueid'`
by Tiemen Ruiten
Hello,
OS: up-to-date CentOS 8, ipa version 4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
I'm getting a traceback in the httpd log when I try to delete a test user.
See below. It appears the ipaUniqueId is missing for the user? I can see
the user with ipa user-show:
[root@ipa-02 /]# ipa user-show tet
User login: tet
First name:
Last name:
Account disabled: True
Password: False
Kerberos keys available: False
But not with ipa user-find:
[root@ipa-02 /]# ipa user-find tet
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
It also isn't visible in the web interface. How can I delete this user?
[Tue Aug 03 12:22:02.769800 2021] [:warn] [pid 69915:tid 139855196710656]
[client 10.100.120.13:34894] failed to set perms (3140) on file
(/run/ipa/ccaches/admin(a)I.TECH-LAB.IO-59LxxO)!, referer:
https://ipa-02.i.tech-lab.io/ipa/xml
[Tue Aug 03 12:22:02.786834 2021] [wsgi:error] [pid 69340:tid
139855208355584] [remote 10.100.120.13:34894] ipa: INFO:
[jsonserver_session] admin(a)I.TECH-LAB.IO: ping(): SUCCESS
[Tue Aug 03 12:22:02.790684 2021] [:warn] [pid 69915:tid 139855179925248]
[client 10.100.120.13:34894] failed to set perms (3140) on file
(/run/ipa/ccaches/admin(a)I.TECH-LAB.IO-59LxxO)!, referer:
https://ipa-02.i.tech-lab.io/ipa/xml
*[Tue Aug 03 12:22:03.126949 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894 <http://10.100.120.13:34894>]
ipa: ERROR: non-public: KeyError: 'ipauniqueid'*
[Tue Aug 03 12:22:03.127067 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] Traceback (most recent call
last):
[Tue Aug 03 12:22:03.127075 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in
wsgi_execute
[Tue Aug 03 12:22:03.127081 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] result = command(*args,
**options)
[Tue Aug 03 12:22:03.127086 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Tue Aug 03 12:22:03.127092 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] return
self.__do_call(*args, **options)
[Tue Aug 03 12:22:03.127133 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in
__do_call
[Tue Aug 03 12:22:03.127140 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] ret = self.run(*args,
**options)
[Tue Aug 03 12:22:03.127145 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Tue Aug 03 12:22:03.127150 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] return
self.execute(*args, **options)
[Tue Aug 03 12:22:03.127155 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/user.py", line 802, in
execute
[Tue Aug 03 12:22:03.127160 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] return super(user_del,
self).execute(*keys, **options)
[Tue Aug 03 12:22:03.127165 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line
1678, in execute
[Tue Aug 03 12:22:03.127171 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] delete_entry(pkey)
[Tue Aug 03 12:22:03.127176 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line
1629, in delete_entry
[Tue Aug 03 12:22:03.127181 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] dn = callback(self, ldap,
dn, *nkeys, **options)
[Tue Aug 03 12:22:03.127186 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/user.py", line 759, in
pre_callback
[Tue Aug 03 12:22:03.127191 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894]
remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
[Tue Aug 03 12:22:03.127197 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/idviews.py", line 700,
in remove_ipaobject_overrides
[Tue Aug 03 12:22:03.127202 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] object_uuid =
entry.single_value['ipaUniqueID']
[Tue Aug 03 12:22:03.127207 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 639, in
__getitem__
[Tue Aug 03 12:22:03.127212 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] value = self._entry[name]
[Tue Aug 03 12:22:03.127217 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 514, in
__getitem__
[Tue Aug 03 12:22:03.127222 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] return
self._get_nice(name)
[Tue Aug 03 12:22:03.127227 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 481, in
_get_nice
[Tue Aug 03 12:22:03.127233 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] name =
self._get_attr_name(name)
[Tue Aug 03 12:22:03.127237 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 477, in
_get_attr_name
[Tue Aug 03 12:22:03.127243 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] name = self._names[name]
[Tue Aug 03 12:22:03.127248 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] File
"/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 656, in
__getitem__
[Tue Aug 03 12:22:03.127276 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] return super(CIDict,
self).__getitem__(key.lower())
[Tue Aug 03 12:22:03.127295 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] KeyError: 'ipauniqueid'
[Tue Aug 03 12:22:03.127309 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894]
[Tue Aug 03 12:22:03.127736 2021] [wsgi:error] [pid 69338:tid
139855208355584] [remote 10.100.120.13:34894] ipa: INFO:
[jsonserver_session] admin(a)I.TECH-LAB.IO: user_del/1(['tet'],
version='2.240'): InternalError
--
Tiemen Ruiten
Infrastructure Engineer
2 years, 8 months
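The traceback above ends in entry.single_value['ipaUniqueID'] raising KeyError, i.e. the user entry has no ipaUniqueID attribute at all, which is also why the entry satisfies user-show (a direct DN lookup) but not user-find. A practical first step is to find every entry in the same state. The script below is an added example, not from the original post and not FreeIPA code: it scans an LDIF export (for instance from db2ldif or ldapsearch -LLL) for entries carrying the ipaobject objectClass but no ipaUniqueID, using the same case-insensitive attribute lookup that IPA's CIDict performs. The LDIF embedded in it is constructed.

```python
"""Find IPA entries that lack ipaUniqueID in an LDIF export (added example)."""
import re
from collections import defaultdict


def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased attribute names to value lists.

    Handles LDIF line folding (a continuation line starts with one space) and
    skips comments and the version line. Base64 values ('::') are kept as-is.
    """
    unfolded = re.sub(r"\n ", "", text)          # join folded lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn = None
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue                          # not an attribute line
            if value.startswith(":"):             # '::' marks a base64 value
                value = value[1:]
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            yield dn, attrs


def missing_ipauniqueid(text):
    """Return the DNs of ipaobject entries that have no ipaUniqueID (any case)."""
    missing = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ipaobject" in classes and not attrs.get("ipauniqueid"):
            missing.append(dn)
    return missing


# Constructed sample: one healthy user and one whose ipaUniqueID is absent,
# mirroring the 'tet' account from the post. The UUID value is made up.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: ipaobject
uid: alice
ipaUniqueID: 7d0b2f1e-0000-0000-0000-000000000001

dn: uid=tet,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: ipaobject
uid: tet
nsAccountLock: TRUE
"""

if __name__ == "__main__":
    for dn in missing_ipauniqueid(SAMPLE_LDIF):
        print("missing ipaUniqueID:", dn)
```

Running it against a real export tells you whether 'tet' is an isolated oddity or whether several entries were created without the uuid plugin adding the attribute; the affected DNs can then be inspected with ldapsearch before deciding how to clean them up.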
Accepting CSR with multiple, wrong Subject Alternate Names
by Nerd Invert
I have a piece of equipment with a web interface, for which I would like to generate a certificate. The web interface supports generating a CSR, but it's not possible to customize very much, and this gives problems when trying to feed the CSR into FreeIPA.
The relevant parts of the CSR look like this:
Certificate Request:
Data:
Version: 2 (0x2)
Subject: emailAddress=redacted(a)example.com, C=redacted, ST=redacted, L=redacted, O=redacted, OU=redacted, CN=equipment0.example.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: redacted
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
AB:84:B3:86:45:E9:66:86:F2:35:FB:88:56:B4:36:B4:1A:6A:B1:86
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:equipment0.example.local, DNS:169.254.0.1, IP Address:169.254.0.1
Signature Algorithm: sha256WithRSAEncryption
...
When feeding this CSR to FreeIPA, I get the following error:
The service principal for subject alt name 169.254.0.1 in certificate request does not exist
I don't know where this 169.254.0.1 comes from, or how to change it. Is there a workaround to make FreeIPA accept this? Can I create that as an HTTP service and attach it to the host?
2 years, 8 months
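Before submitting an appliance-generated CSR, it helps to list which SAN entries could not possibly match a host or service principal. The following is an added example, not part of the original post and not FreeIPA's own validation logic: it parses the "X509v3 Subject Alternative Name" line as printed by openssl req -text and flags a DNS entry that is really an IP literal, and IP entries in the link-local range 169.254.0.0/16 that appliances often advertise on their own. The SAN line is the one from the CSR above; the rule set and the expected_suffix parameter are assumptions.

```python
"""Classify CSR Subject Alternative Names before handing the CSR to IPA (added example)."""
import ipaddress


def parse_san_line(line):
    """Turn 'DNS:a, IP Address:1.2.3.4' into a list of (kind, value) tuples."""
    entries = []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, value = item.partition(":")
        if not sep:
            raise ValueError("malformed SAN entry: %r" % item)
        entries.append((kind.strip(), value.strip()))
    return entries


def _as_ip(value):
    """Return an ip_address object, or None when the value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_sans(line, expected_suffix=None):
    """Return (value, problem) pairs; an empty list means nothing was flagged."""
    findings = []
    for kind, value in parse_san_line(line):
        if kind == "DNS":
            if _as_ip(value) is not None:
                findings.append((value, "DNS entry holds an IP literal, not a host name"))
            elif expected_suffix and not value.endswith(expected_suffix):
                findings.append((value, "DNS name outside the expected domain"))
        elif kind == "IP Address":
            ip = _as_ip(value)
            if ip is None:
                findings.append((value, "unparseable IP Address entry"))
            elif ip.is_link_local:
                findings.append((value, "link-local address, not a routable service address"))
        else:
            findings.append((value, "SAN type %s not checked here" % kind))
    return findings


# SAN line exactly as it appears in the CSR dump from the post.
SAN_LINE = "DNS:equipment0.example.local, DNS:169.254.0.1, IP Address:169.254.0.1"

if __name__ == "__main__":
    for value, problem in check_sans(SAN_LINE, expected_suffix=".example.local"):
        print("%-25s %s" % (value, problem))
```

For the CSR in the post this flags 169.254.0.1 twice (once as a bogus DNS name, once as a link-local address), which is the entry IPA refuses because no principal can exist for it. The generic check also reports any DNS SAN outside the domain you pass in, which catches the other common appliance habit of including a factory default hostname.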
post-save command to "ipa-getcert request" not working
by Ranbir
Hello Everyone,
I'm running an updated CentOS 8 KVM on an up-to-date CentOS 7 host. My
freeipa servers are CentOS 7 hosts and fully updated, too. In the KVM I'm
requesting a certificate from my freeipa CA, which in and of itself
works just fine. But when I add a post-save command, that command is
never executed.
Here's the request I'm making:
ipa-getcert request -g 2048 \
    -k /etc/pki/containers/sabnzbd-server/sabnzbd-server.key \
    -f /etc/pki/containers/sabnzbd-server/sabnzbd-server.cert \
    -K HTTP/sabnzbd.theinside.rnr \
    -N "CN=sabnzbd.theinside.rnr,O=THEINSIDE.RNR" \
    -D sabnzbd.theinside.rnr \
    -C /usr/local/sbin/sabnzbd-server-certs -v -w
The content of that script is just a one liner for podman to copy the
contents of the /etc/pki/containers/sabnzbd-server/ directory to my
container. The script works without issue if I run it manually. I'm
also able to successfully run the podman command at a terminal.
At first I had the command in the script entered directly in the
request, which also didn't work. The bash script was my last attempt at
getting the post-save command to work.
I don't see any errors in the logs or in the terminal. In fact, it
looks like certmonger doesn't even attempt to run the post-save
command. Here's a short snippet from the log:
-- Logs begin at Sat 2021-07-24 17:02:34 EDT, end at Mon 2021-07-26 00:43:48 EDT. --
Jul 26 00:16:16 containment01 certmonger[109481]: Certificate in file "/etc/pki/containers/sabnzbd-server/sabnzbd-server.cert" issued by CA and saved.
Jul 26 00:16:16 containment01 certmonger[30743]: 2021-07-26 00:16:16 [30743] No hooks set for pre-save command.
Jul 26 00:16:16 containment01 certmonger[30743]: 2021-07-26 00:16:16 [30743] Certificate issued (0 chain certificates, 0 roots).
Jul 26 00:16:16 containment01 certmonger[30743]: ".
Jul 26 00:16:16 containment01 certmonger[30743]: -----END CERTIFICATE-----
Am I doing something wrong or have I hit a bug?
--
Ranbir
2 years, 8 months
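When a post-save hook appears to do nothing, the first thing to establish is whether certmonger invoked it at all, and under what environment. The script below is an added example, not the poster's script: a post-save hook that writes a record of every invocation (uid, working directory, PATH) before it does anything else, checks that both files it is supposed to ship are present, and only then runs the copy. LOGFILE, CERT_DIR, CONTAINER and the destination path inside the container are assumptions; podman is called by absolute path because a hook run by a daemon cannot rely on an interactive shell's PATH.

```shell
#!/bin/sh
# Added example hook for certmonger's -C (post-save) command; all paths below
# except the script's own install path from the post are assumptions.
LOGFILE="${LOGFILE:-/var/log/sabnzbd-server-certs.log}"
CERT_DIR="${CERT_DIR:-/etc/pki/containers/sabnzbd-server}"
CONTAINER="${CONTAINER:-sabnzbd-server}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOGFILE"
}

# The actual work. Destination path inside the container is hypothetical.
copy_into_container() {
    /usr/bin/podman cp "$CERT_DIR/." "$CONTAINER:/etc/pki/sabnzbd/"
}

post_save() {
    # Record the invocation first: if this line never shows up, certmonger
    # did not run the hook, and the rest of the script is irrelevant.
    log "post-save start uid=$(id -u) cwd=$(pwd) PATH=$PATH"
    for f in "$CERT_DIR/sabnzbd-server.key" "$CERT_DIR/sabnzbd-server.cert"; do
        if [ ! -s "$f" ]; then
            log "missing or empty: $f"
            return 1
        fi
    done
    status=0
    copy_into_container || status=$?
    if [ "$status" -eq 0 ]; then
        log "post-save done"
    else
        log "copy failed with status $status"
    fi
    return "$status"
}

# Only run when installed under the path used in the request; when the file is
# sourced under another name the functions are defined but nothing happens.
case "$0" in
    */sabnzbd-server-certs) post_save ;;
esac
```

With the hook in place, getcert list shows the registered "post-save command:" for the tracking request, and the log file answers whether certmonger ran it when the certificate in the snippet above was saved. An empty log after a fresh issuance points at certmonger never invoking the command; a "start" line followed by a failure points at the environment the command runs in.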
Directory server won't start
by Fred Wittekind
CentOS 7 machine; this happened after a power outage. Not sure if the issue is because of some damage done during the power outage itself, or the fact that the server uptime and last restart of IPA were a long time ago.
This is the error I get in the logs:
[02/Aug/2021:13:55:21.187419692 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/typhoon.dragon(a)DRAGON.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
The server name I'm trying to start the service on is typhoon.dragon.
I'm not sure how to fix this one; any help would be appreciated.
2 years, 8 months
ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0003: The time skew is over 24 hours.
by Louis Lagendijk
Some time ago I hosed my freeipa setup (RHEL8, 3 servers), probably by
starting yum update pretty much at the same time, without realizing
that it would be better to spread it out a bit. This was at the time I
got the RHEL 8.4 updates.
One server seemed pretty messed up, so I deleted it from the topology
and re-executed the ipa-replica-install.
I deleted some duplicates from the replication and manually fixed the
password issue from https://github.com/dogtagpki/pki/issues/3650
on the re-installed server.
ipa-healthcheck now reports:
[root@ipa1 ipa-tools]# ipa-healthcheck --failures-only --output-type human
CRITICAL: ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0003: The time skew is over 24 hours. Setting nsslapd-ignore-time-skew to "on" on each replica will allow replication to continue, but if the time skew continues to increase other serious replication problems can occur.
ERROR: ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0002: The time skew is over 12 hours. If this time skew continues to increase to 24 hours then replication can potentially stop working. Please continue to monitor the time skew offsets for increasing values. Setting nsslapd-ignore-time-skew to "on" on each replica will allow replication to continue, but if the time skew continues to increase other more serious replication problems can occur.
I got the following from ds389:
[root@ipa1 ipa-tools]# dsctl slapd-HOME-FAZANT-NET get-nsstate
Replica DN: cn=replica,cn=dc\3dhome\2cdc\3dfazant\2cdc\3dnet,cn=mapping tree,cn=config
Replica Suffix: dc=home,dc=fazant,dc=net
Replica ID: 21
Gen Time: 1627578955
Gen Time String: Thu Jul 29 19:15:55 2021
Gen as CSN: 6102e24b000400210000
Local Offset: 0
Local Offset String: 0 seconds
Remote Offset: 591807
Remote Offset String: 6 days, 20 hours, 23 minutes, 27 seconds
Time Skew: 591807
Time Skew String: 6 days, 20 hours, 23 minutes, 27 seconds
Seq Num: 4
System Time: Thu Jul 29 19:17:08 2021
Diff in Seconds: 73
Diff in days/secs: 0:73
Endian: Little Endian
Replica DN: cn=replica,cn=o\3dipaca,cn=mapping tree,cn=config
Replica Suffix: o=ipaca
Replica ID: 22
Gen Time: 1627578483
Gen Time String: Thu Jul 29 19:08:03 2021
Gen as CSN: 6102e073000000220000
Local Offset: 0
Local Offset String: 0 seconds
Remote Offset: 81231
Remote Offset String: 22 hours, 33 minutes, 51 seconds
Time Skew: 81231
Time Skew String: 22 hours, 33 minutes, 51 seconds
Seq Num: 0
System Time: Thu Jul 29 19:17:08 2021
Diff in Seconds: 545
Diff in days/secs: 0:545
Endian: Little Endian
I have no idea how to solve this issue. Apparently my google-fu is not
strong enough to find a solution. Can you guys please give me some
hints?
Thanks. Louis
2 years, 8 months
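The get-nsstate output above is easier to reason about once the CSN is decoded and the offsets are graded against the thresholds the healthcheck quotes. The script below is an added example, not part of the original post, lib389 or ipa-healthcheck. A CSN is 20 hex digits: 8 for the generation time as seconds since the epoch, 4 for the sequence number, 4 for the replica id field and 4 for a sub-sequence number. The two CSNs, offsets and the system time are copied from the post; the 12 h and 24 h thresholds are the ones quoted in the DSSKEWLE0002 and DSSKEWLE0003 messages. The replica id field is left as hex because dsctl's decimal rendering of it is not reproduced here.

```python
"""Decode 389-ds replica state and grade the time skew like ipa-healthcheck (added example)."""
import datetime

SKEW_ERROR = 12 * 3600     # DSSKEWLE0002 threshold quoted by ipa-healthcheck
SKEW_CRITICAL = 24 * 3600  # DSSKEWLE0003 threshold quoted by ipa-healthcheck


def parse_csn(csn):
    """Split a 20-hex-digit CSN into its fields; the time is an integer epoch."""
    if len(csn) != 20 or any(c not in "0123456789abcdefABCDEF" for c in csn):
        raise ValueError("CSN must be 20 hex digits: %r" % csn)
    return {
        "time": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid_field": csn[12:16],   # kept as hex, see lead-in
        "subseq": int(csn[16:20], 16),
    }


def human(seconds):
    """Render seconds the way get-nsstate does ('6 days, 20 hours, ...')."""
    parts = []
    for name, size in (("day", 86400), ("hour", 3600), ("minute", 60), ("second", 1)):
        n, seconds = divmod(seconds, size)
        if n:
            parts.append("%d %s%s" % (n, name, "" if n == 1 else "s"))
    return ", ".join(parts) if parts else "0 seconds"


def grade_skew(skew_seconds):
    """Map a skew in seconds to the healthcheck severity it would trigger."""
    if skew_seconds >= SKEW_CRITICAL:
        return "CRITICAL"
    if skew_seconds >= SKEW_ERROR:
        return "ERROR"
    return "OK"


# Values copied from the get-nsstate output in the post.
REPLICAS = [
    {"suffix": "dc=home,dc=fazant,dc=net", "gen_csn": "6102e24b000400210000", "remote_offset": 591807},
    {"suffix": "o=ipaca", "gen_csn": "6102e073000000220000", "remote_offset": 81231},
]
# "System Time: Thu Jul 29 19:17:08 2021" from the post, which is UTC+2 local
# time, expressed as epoch seconds (assumption about the server's time zone).
SYSTEM_TIME = 1627579028


def report(replicas, now_epoch):
    """Return one (suffix, gen time in UTC, skew text, severity, age in s) row per replica."""
    rows = []
    for r in replicas:
        fields = parse_csn(r["gen_csn"])
        gen = datetime.datetime.fromtimestamp(fields["time"], datetime.timezone.utc)
        rows.append((
            r["suffix"],
            gen.strftime("%Y-%m-%d %H:%M:%S"),
            human(r["remote_offset"]),
            grade_skew(r["remote_offset"]),
            now_epoch - fields["time"],      # matches "Diff in Seconds"
        ))
    return rows


if __name__ == "__main__":
    for row in report(REPLICAS, SYSTEM_TIME):
        print("%-25s gen=%s UTC  skew=%s  %s  age=%ds" % row)
```

Decoding the first CSN gives 1627578955, the Gen Time in the post, and a sequence number of 4, matching "Seq Num: 4"; the ages of 73 s and 545 s reproduce the two "Diff in Seconds" values, so the local clock and the local generator agree. What drives the CRITICAL and ERROR verdicts is the stored remote offset, i.e. how far ahead the CSNs received from the other replicas were, which is why the domain suffix grades CRITICAL at almost 7 days while o=ipaca grades ERROR at 22.5 hours.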