missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
by Brian J. Murrell
I'm trying to add a replica but it's failing on step "[23/38]: creating DS keytab" with:
[error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/server.example.com(a)EXAMPLE.COM', '-H', 'ldaps://server-staging.example.com'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method…\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
This is trying to add back an ipa server that was previously removed (for O/S major version upgrade per the supported upgrade/migration process). Maybe the previous removal was not complete?
After running the recommended --uninstall and then examining the principals in the master server, I see an ldap/server.example.com(a)EXAMPLE.COM still remaining. Surely that should not be there, correct?
So I tried to remove it, but that gave yet another error:
missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
and logged the error:
ERR - oc_check_required - Entry "krbprincipalname=ldap/server.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=interlinx,dc=bc,dc=ca" missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"
in the journal.
So how to proceed now?
2 years, 1 month
1 server not syncing with the others
by Russell Jones
Hi all,
I have a setup of 4 FreeIPA servers, version 4.6.5, all on CentOS 7.
I've discovered that #4 is not syncing a new "video" group I created, while
the other 3 all have the group.
When looking at dirsrv error log, I am seeing the following after running
an ipactl stop / ipactl start:
[27/Jan/2022:11:35:55.158724429 -0600] - ERR - set_krb5_creds - Could not
get initial credentials for principal
[ldap/freeipa4.cluster(a)US.EP.CORP.LOCAL] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
[27/Jan/2022:11:35:55.169790450 -0600] - INFO - slapd_daemon - slapd
started. Listening on All Interfaces port 389 for LDAP requests
[27/Jan/2022:11:35:55.173079823 -0600] - INFO - slapd_daemon - Listening on
All Interfaces port 636 for LDAPS requests
[27/Jan/2022:11:35:55.175096801 -0600] - INFO - slapd_daemon - Listening on
/var/run/slapd-US-EP-CORP-LOCAL.socket for LDAPI requests
[27/Jan/2022:11:35:55.235218894 -0600] - ERR - schema-compat-plugin -
schema-compat-plugin tree scan will start in about 5 seconds!
[27/Jan/2022:11:35:58.368835716 -0600] - ERR - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meTofreeipa.us.ep.corp.local" (freeipa:389) -
Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid
credentials) ()
I am unsure what the issue is or how to resolve this. Could I get some
assistance with being pointed in the right direction?
Thank you!
2 years, 1 month
Re: SSL error after upgrade
by Nathanaël Blanchet
Thanks to all for the fix, you saved my day!
On 25/12/2021 at 17:06, Dungan, Scott A. via FreeIPA-users wrote:
>
> Hi, Per.
>
> I ran into the same problem and Alexander referred me to this link:
> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg1258...
>
> The fix for us was pretty easy:
>
> 1. Make a backup of /etc/pki/pki-tomcat/server.xml
> 2. On lines 129 and 171 of server.xml, you’ll see a value for
> “secret=” and “sharedSecret=.” Those values will be different and
> that is the cause of the problem. Both values should match what is
> found in the ProxyPassMatch statements located in the file
> /etc/httpd/conf.d/ipa-pki-proxy.conf. In my case, the value for
> secret= was correct and I just had to change the sharedSecret= to
> match.
> 3. Restart services with ipactl restart
>
> -Scott
>
> *From:* Per Qvindesland via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org>
> *Sent:* Wednesday, December 22, 2021 7:22 AM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Per Qvindesland <perq(a)icloud.com>
> *Subject:* [Freeipa-users] SSL error after upgrade
>
> Hi All
>
> After an update to 4.9.6-10, I am unable to view any of the
> certificates that the IPA server has signed, I get error: An error has
> occurred (IPA Error 4301: CertificateOperationError) when I click on
> Authentication -> Certificates, if I click on "Certificate Authorities"
> then I get popup message with the error "Failed to authenticate to CA
> REST API" and "An error has occurred (IPA Error 4016:
> RemoteRetrieveError)" is showing on the screen.
>
> ipactl status is showing everything as running:
>
> ipactl status
>
> Directory Service: RUNNING
>
> krb5kdc Service: RUNNING
>
> kadmin Service: RUNNING
>
> named Service: RUNNING
>
> httpd Service: RUNNING
>
> ipa-custodia Service: RUNNING
>
> pki-tomcatd Service: RUNNING
>
> smb Service: RUNNING
>
> winbind Service: RUNNING
>
> ipa-otpd Service: RUNNING
>
> ipa-dnskeysyncd Service: RUNNING
>
> ipa: INFO: The ipactl command was successful
>
> Does anyone know what's causing this error?
>
> I ran ipa-healthcheck and pasted the output below, it reports that
> it's missing SRV records but the IPA server is the DNS server and it
> has the SRV records.
>
> Regards
>
> Per
>
> ipa-healthcheck
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> ra.get_certificate(): Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)
>
> [
>
> {
>
> "source": "ipahealthcheck.dogtag.ca",
>
> "check": "DogtagCertsConnectivityCheck",
>
> "result": "ERROR",
>
> "uuid": "ac0200eb-3ec8-405f-ba5e-523cbb40ad6b",
>
> "when": "20211222151125Z",
>
> "duration": "0.016156",
>
> "kw": {
>
> "msg": "Request for certificate failed, Certificate operation
> cannot be completed: Request failed with status 403: Non-2xx response
> from CA REST API: 403. (403)"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "2f010c35-7d7d-431f-89b0-c342516cf296",
>
> "when": "20211222151130Z",
>
> "duration": "0.412221",
>
> "kw": {
>
> "key": "20211104170633",
>
> "serial": 7,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "10a946e2-e511-417a-b189-a66f1b555470",
>
> "when": "20211222151130Z",
>
> "duration": "0.519989",
>
> "kw": {
>
> "key": "20211104170628",
>
> "serial": 5,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "7c85e383-8508-4b8e-a10b-838b0b70eb73",
>
> "when": "20211222151130Z",
>
> "duration": "0.618106",
>
> "kw": {
>
> "key": "20211104170629",
>
> "serial": 2,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "1776678c-d997-435b-b809-52576128a2e9",
>
> "when": "20211222151130Z",
>
> "duration": "0.709013",
>
> "kw": {
>
> "key": "20211104170630",
>
> "serial": 4,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "f02ff5d9-13cf-4582-9bd3-7567b32c415d",
>
> "when": "20211222151130Z",
>
> "duration": "0.789825",
>
> "kw": {
>
> "key": "20211104170631",
>
> "serial": 1,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "d30b17b3-f45e-4317-bf8e-c1c13c3f77e3",
>
> "when": "20211222151131Z",
>
> "duration": "0.903311",
>
> "kw": {
>
> "key": "20211104170632",
>
> "serial": 3,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "32ff9bb7-69b8-4af3-8c20-9f2ab4394a73",
>
> "when": "20211222151131Z",
>
> "duration": "0.969296",
>
> "kw": {
>
> "key": "20211104170635",
>
> "serial": 34,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "18fb96f0-7a64-4c1c-b03b-bb21e3f90bf1",
>
> "when": "20211222151131Z",
>
> "duration": "1.065584",
>
> "kw": {
>
> "key": "20211104170634",
>
> "serial": 8,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.certs",
>
> "check": "IPACertRevocation",
>
> "result": "ERROR",
>
> "uuid": "d82cdf6d-4d4b-44e4-9aa8-33211aa55c96",
>
> "when": "20211222151131Z",
>
> "duration": "1.116597",
>
> "kw": {
>
> "key": "20210811074531",
>
> "serial": 10,
>
> "error": "Certificate operation cannot be completed: Request
> failed with status 403: Non-2xx response from CA REST API: 403. (403)",
>
> "msg": "Request for certificate serial number {serial} in
> request {key} failed: {error}"
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "cc0c7d5c-1132-4b18-ac8e-c7625d3963f0",
>
> "when": "20211222151131Z",
>
> "duration": "0.015692",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key": "_ldap._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "f0d6873f-b681-457d-8006-9e5bb051b9df",
>
> "when": "20211222151131Z",
>
> "duration": "0.017296",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "92a5517d-5f73-4f49-8874-bf6bbeb2ed9d",
>
> "when": "20211222151131Z",
>
> "duration": "0.018275",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "7f1994fb-e1dc-4d8c-93c5-5ba2e6652427",
>
> "when": "20211222151131Z",
>
> "duration": "0.019243",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos-master._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "e9bbd202-8f37-4a44-b9b0-377ae5a53d08",
>
> "when": "20211222151131Z",
>
> "duration": "0.020150",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos-master._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "2d4a438f-6271-470e-a6f5-68a30858d928",
>
> "when": "20211222151131Z",
>
> "duration": "0.021502",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kpasswd._tcp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "828efbaf-2071-4693-94f4-0e4c2ec884c0",
>
> "when": "20211222151131Z",
>
> "duration": "0.022772",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kpasswd._udp.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "b0a73e45-da65-43a6-a540-8e092e3e4d76",
>
> "when": "20211222151131Z",
>
> "duration": "0.023895",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com.:lda...."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "3329eea5-c794-4201-a973-82f22b58f151",
>
> "when": "20211222151131Z",
>
> "duration": "0.025341",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_ldap._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "dde9dd12-e044-4bde-a75f-2ea4d96910dc",
>
> "when": "20211222151131Z",
>
> "duration": "0.027364",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com....."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "9ebec84f-aa7d-4ba9-8c4e-ca8dd2aa98c8",
>
> "when": "20211222151131Z",
>
> "duration": "0.029421",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.proxdynamics.com....."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "cd921441-98bf-4fc1-a043-ed35a056e818",
>
> "when": "20211222151131Z",
>
> "duration": "0.030800",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos._tcp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "93f21c35-a10d-418b-a549-c0c70d6330cd",
>
> "when": "20211222151131Z",
>
> "duration": "0.031808",
>
> "kw": {
>
> "msg": "Expected SRV record missing",
>
> "key":
> "_kerberos._udp.dc._msdcs.proxdynamics.com.:ldap2.inne.proxdynamics.com."
>
> }
>
> },
>
> {
>
> "source": "ipahealthcheck.ipa.idns",
>
> "check": "IPADNSSystemRecordsCheck",
>
> "result": "WARNING",
>
> "uuid": "331ef74f-e5d6-47d8-a666-a352320772de",
>
> "when": "20211222151131Z",
>
> "duration": "0.034319",
>
> "kw": {
>
> "msg": "Got {count} ipa-ca A records, expected {expected}",
>
> "count": 0,
>
> "expected": 1
>
> }
>
> }
>
> ]
>
>
--
Nathanaël Blanchet
Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet(a)abes.fr
2 years, 2 months
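The check behind Scott's three steps, as an added example that is not part of the thread or of FreeIPA itself: a small POSIX shell script that pulls the AJP secret Apache sends (the `secret=` on each ProxyPassMatch line) and every `secret=` / `sharedSecret=` value in pki-tomcat's server.xml, reports whether they agree, and applies the fix by taking a backup and rewriting server.xml so that Tomcat uses the value Apache already has. The file paths are the ones quoted above; the sample configuration files and the secret values are constructed for the demo, and the rewrite helper assumes the secret contains only characters that are safe in a sed replacement (hex digits, for instance).

```sh
#!/bin/sh
# Added example (not from the thread or from FreeIPA/Dogtag): compare the AJP
# secrets in /etc/pki/pki-tomcat/server.xml with the one Apache sends from
# /etc/httpd/conf.d/ipa-pki-proxy.conf, and sync them if they differ.
# The sample files and secret values below are constructed for the demo.

# Print the unique values of attribute $1 found in file $2.
# Quotes are stripped first so secret="x" (Tomcat XML) and secret=x
# (ProxyPassMatch) are handled the same way; a value ends at whitespace or '/>'.
ajp_secret_values() {
    tr -d '"' < "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]\/>]*\).*/\1/p" | sort -u
}

# Return 0 when server.xml ($1) and ipa-pki-proxy.conf ($2) agree on exactly
# one secret; otherwise print both sides and return 1.
check_ajp_secrets() {
    tomcat=$( { ajp_secret_values secret "$1"; ajp_secret_values sharedSecret "$1"; } | sort -u )
    apache=$( ajp_secret_values secret "$2" )
    if [ -n "$apache" ] && [ "$tomcat" = "$apache" ] \
       && [ "$(printf '%s\n' "$apache" | wc -l)" -eq 1 ]; then
        echo "OK: Tomcat and Apache agree on the AJP secret"
        return 0
    fi
    echo "MISMATCH"
    echo "  $1:";  printf '    %s\n' $tomcat
    echo "  $2:";  printf '    %s\n' $apache
    return 1
}

# Steps 1 and 2 of the fix: back up server.xml ($1), then set both
# secret="..." and sharedSecret="..." in it to $2 (assumed sed-safe, e.g. hex).
sync_tomcat_secrets() {
    cp -p "$1" "$1.bak" || return 1
    sed -e "s/\([[:space:]]\)secret=\"[^\"]*\"/\1secret=\"$2\"/" \
        -e "s/\([[:space:]]\)sharedSecret=\"[^\"]*\"/\1sharedSecret=\"$2\"/" \
        "$1.bak" > "$1"
}

# --- constructed sample files reproducing the mismatch from the thread -------
SAMPLE_DIR=$(mktemp -d)
PROXY_CONF="$SAMPLE_DIR/ipa-pki-proxy.conf"
SERVER_XML="$SAMPLE_DIR/server.xml"
cat > "$PROXY_CONF" <<'EOF'
# constructed sample of /etc/httpd/conf.d/ipa-pki-proxy.conf
ProxyPassMatch ^/ca/rest/account/login ajp://localhost:8009 secret=d5eb2cbf
ProxyPassMatch ^/ca/rest/certs ajp://localhost:8009 secret=d5eb2cbf
EOF
cat > "$SERVER_XML" <<'EOF'
<!-- constructed sample of /etc/pki/pki-tomcat/server.xml; secrets out of sync -->
<Connector port="8009" protocol="AJP/1.3" address="localhost" secret="d5eb2cbf" />
<Connector port="8009" protocol="AJP/1.3" address="::1" sharedSecret="0ff8a1e3" />
EOF

# Detect the mismatch, make Tomcat match what Apache sends, re-check.
if ! check_ajp_secrets "$SERVER_XML" "$PROXY_CONF"; then
    WANT=$(ajp_secret_values secret "$PROXY_CONF")
    sync_tomcat_secrets "$SERVER_XML" "$WANT"
    check_ajp_secrets "$SERVER_XML" "$PROXY_CONF"
fi
# On a real server, finish with step 3 from the thread: ipactl restart
```

Run it as root against the real paths only after confirming which side holds the correct value, as Scott did; the script takes Apache's value as authoritative, which matches his case but is an assumption, and the backup it writes (server.xml.bak) is what you restore if the CA still answers 403 afterwards.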
403 Error
by Christian Reiss
Hey folks,
happily using FreeIPA in my personal hobbyist space across 50 VMs and 8
hosts. It worked like a charm. Since a few days ago I have been unable to
delete hosts; disabling/enabling users for example works, but not
deleting hosts. I am using AlmaLinux 8 with the vendor-supplied FreeIPA version.
I duckduckgo'd around the net and tried to solve the issue myself, but no
errors out there helped me debug. I think I found the issue with
ipa-healthcheck, but I am unsure how to fix it. This is the output:
---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ----
Internal server error 403 Client Error: 403 for url:
http://auth1.alpha-labs.net:80/ca/rest/securityDomain/domainInfo
Directory Server CA certificate not found, assuming 3rd party
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "c76c5f53-1869-4cd5-95e3-dd7f3e0b7e0c",
"when": "20220128091051Z",
"duration": "0.361963",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not match
the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "e98075a4-5d85-4ccf-a97e-b202fcc92789",
"when": "20220128091054Z",
"duration": "0.566005",
"kw": {
"msg": "Request for certificate failed, Certificate operation
cannot be completed: Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "d9dcf871-1a5d-47a6-8d2e-bcf4f61f09d1",
"when": "20220128091056Z",
"duration": "0.788714",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 4 conflict entries found under the replication
suffix \"dc=alpha-labs,dc=net\"."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPADogtagCertsMatchCheck",
"result": "ERROR",
"uuid": "1c96ee54-e8ca-4045-9bfc-294c261e4ab8",
"when": "20220128091101Z",
"duration": "0.198242",
"kw": {
"key": "caSigningCert cert-pki-ca",
"nickname": "caSigningCert cert-pki-ca",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "{nickname} certificate in NSS DB {dbdir} does not match
entry in LDAP"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "17140733-ba3f-4d34-a48c-3b1e159b3488",
"when": "20220128091105Z",
"duration": "0.731259",
"kw": {
"key": "20201208073945",
"serial": 1073676292,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "9833fce2-5f98-480b-9a69-d2d41db21ef0",
"when": "20220128091105Z",
"duration": "0.888676",
"kw": {
"key": "20201208073937",
"serial": 1073676293,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c3f1b686-a74b-42d6-8b55-b6fe36671933",
"when": "20220128091105Z",
"duration": "1.065141",
"kw": {
"key": "20201208073940",
"serial": 1073676291,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "f6073d14-b9eb-466b-ab29-6151c857d387",
"when": "20220128091105Z",
"duration": "1.226933",
"kw": {
"key": "20201208073942",
"serial": 1073676290,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "a465aaca-67b8-419e-8a38-a16c227d5db1",
"when": "20220128091105Z",
"duration": "1.394251",
"kw": {
"key": "20201208073943",
"serial": 20,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "33de05f4-1e8b-4d26-94ec-e742f4b7b8dc",
"when": "20220128091106Z",
"duration": "1.569087",
"kw": {
"key": "20201208073944",
"serial": 268238852,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "d723658c-74ab-41a4-a3e0-5b643a70e15d",
"when": "20220128091106Z",
"duration": "1.676748",
"kw": {
"key": "20201208073949",
"serial": 1073676289,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5d67c6e0-785e-456c-9ae3-b2199c5d2051",
"when": "20220128091106Z",
"duration": "1.855003",
"kw": {
"key": "20201208073947",
"serial": 268238849,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "9c0441dc-2f20-41b0-816e-7690fca47448",
"when": "20220128091106Z",
"duration": "1.945158",
"kw": {
"key": "20200406205351",
"serial": 268238851,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.dna",
"check": "IPADNARangeCheck",
"result": "WARNING",
"uuid": "480e0baf-8814-47d5-bb71-e8d780867107",
"when": "20220128091107Z",
"duration": "0.687667",
"kw": {
"range_start": 0,
"range_max": 0,
"next_start": 0,
"next_max": 0,
"msg": "No DNA range defined. If no masters define a range then
users and groups cannot be created."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "37d1c6ed-982c-4046-b6b3-4c47ef6ed249",
"when": "20220128091107Z",
"duration": "0.779401",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 2,
"expected": 3
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "ERROR",
"uuid": "a7a5039b-7e4d-4501-ac39-f6b1d2080107",
"when": "20220128091108Z",
"duration": "0.006982",
"kw": {
"key": "_etc_hosts_mode",
"path": "/etc/hosts",
"type": "mode",
"expected": "0644",
"got": "0444",
"msg": "Permissions of /etc/hosts are too restrictive: 0444 and
should be 0644"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "71556f6a-b914-41a5-8f88-932b37edcf35",
"when": "20220128091108Z",
"duration": "0.007897",
"kw": {
"key": "_var_log_kadmind.log_mode",
"path": "/var/log/kadmind.log",
"type": "mode",
"expected": "0600",
"got": "0640",
"msg": "Permissions of /var/log/kadmind.log are too permissive:
0640 and should be 0600"
}
}
]
---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ----
Any help is sooo greatly appreciated!
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
2 years, 2 months
parse the audit logs
by Kathy Zhu
Hello list,
I had FreeIPA audit log on. I feed audit logs to Graylog. Since there are
multiple lines of logs for each event, I could not find a suitable
extractor to parse the logs. Therefore, the logs are very hard to read.
Could anyone in the list share how you process the logs if you are in a
similar situation?
Thanks!
Kathy.
2 years, 2 months
FreeIPA and XCP hosts
by Christian Reiss
Hey folks,
I am running into a bit of trouble installing the FreeIPA Client on
XCP-NG (https://xcp-ng.org/, Fork of XenServer). They are based on CentOS 7.
Running "yum install --enablerepo=epel,base freeipa-client" results in this:
--> Running transaction check
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos will be installed
--> Processing Dependency: ntp for package:
ipa-client-4.6.8-5.el7.centos.x86_64
Package ntp-4.2.6p5-29.el7.centos.2.x86_64 is obsoleted by
xcp-ng-deps-8.2.0-10.noarch which is already installed
---> Package python-tdb.x86_64 0:1.3.18-1.el7 will be installed
--> Finished Dependency Resolution
Error: Package: ipa-client-4.6.8-5.el7.centos.x86_64 (base)
Requires: ntp
Available: ntp-4.2.6p5-29.el7.centos.2.x86_64 (base)
ntp = 4.2.6p5-29.el7.centos.2
any chance of getting this resolved in any way?
Thanks for your kind help :-)
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
2 years, 2 months
Question about autoregistration
by Boris Behrens
Hi,
this might be a dumb question:
Is there a way to let hosts register themselves and force them into a
hostgroup?
Currently we have one enrollment user that allows systems to join our IPA
installation. This user is in a lot of our automation scripts.
Now I want to have some customer facing systems enrolled with IPA but I
want to force these hosts into a specific host group. Because of the nature
of the systems it's hard to determine the hosts via hostname or IP address.
Cheers
Boris
--
Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im
groüen Saal.
2 years, 2 months
first replica master - Internal error testing KRA clone
by lejeczek
Hi guys.
I believe that is reproducible every time: clean
deployment, first master's ipa-healthcheck shows no problems,
replica added, still no problems, then on that first replica
'ipa-kra-install' and immediately:
-> $ ipa-healthcheck
Internal error testing KRA clone. KRA clone problem detected
Host: swir.mine.private Port: 443
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
[
{
"source":
"pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "eed4f41f-27fe-4f37-aa01-d47602f2c58f",
"when": "20220126174106Z",
"duration": "1.207738",
"kw": {
"status": "ERROR: pki-tomcat : Internal error
testing KRA clone. Host: swir.mine.private Port: 443"
}
}
]
How critical is that, and what should I do to fix it?
many thanks, L.
2 years, 2 months
crypto policies but for SAMBA only - ?
by lejeczek
Hi guys.
If this is news for some, I'd like to share a finding: it's
possible to have IPA-integrated Samba serving non-enrolled clients, both
Linux & Windows, with passwords for authentication (which has long been,
and will continue to be, a must-have for me).
Question for @devel: the above I get simply by switching to 'LEGACY'.
Is it possible to do that only for IPA-Samba (plus whatever required
bits) as opposed to system-wide?
It would be great to have IPA capable of that - perhaps an "enhancement"
to future releases.
many thanks, L.
2 years, 2 months
IPA removal/uninstall renders box unable to login, including console - ?
by lejeczek
Hi guys.
Has anybody seen or experienced that or something similar? This is a second master
from which I uninstalled IPA successfully and cleanly, and immediately after
reboot the system does not log in users (not even on the tty console).
Something to do with SELinux/fcontext: I had to relabel the
whole '/etc' with the default policy.
many thanks, L.
2 years, 2 months