IPA-Error 903: InternalError on Certificate page
by Nico Maas
Dear all,
I am using FreeIPA, Version: 4.8.4 on CentOS 8
ipa-client.x86_64 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-client-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-healthcheck-core.noarch 0.4-4.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server.x86_64 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server-dns.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
Whenever I open the "Authentication" tab in the FreeIPA web server, I get the error
"IPA-Error 903: InternalError. An internal error has happend".
Retry does not help. Within Authentication I can use all tabs, except for the Authentication -> Certificate -> Certificate one. This one gives the error. I also cannot search for a certificate. The other areas of Authentication -> Certificate (Certificate Profiles, CA ACLs, Certificate Authorities) work without problems.
As a test I cloned the machine and updated it to the latest CentOS 8 version with a newer freeIPA version on it, but that did not solve the problem and I scrapped this vm and idea again.
Any idea on how to resolve the issue / what could be broken?
Which logs and things would be useful to look into?
Thanks a lot for your help and have a nice day
Nico
1 year, 5 months
LoadBalancer vs. DNS
by Ronald Wimmer
IPA heavily relies on DNS entries. In my opinion, this design makes it
more difficult to quickly disable one or more IPA servers - especially
when using IPA in combination with external DNS (managed by a different
department).
Would it be possible to put all relevant DNS entries on a load balancer
VIP and let the LB resolve to all IPA servers?
E.g. instead of having 8 DNS entries for
_kerberos-master._tcp.linux.oebb.at, one for each of our 8 IPA servers, I
would have just one _kerberos-master._tcp.linux.oebb.at entry. The LB
would distribute requests in such a setup.
Is it possible to do that or would it break some IPA functionality?
Cheers,
Ronald
1 year, 5 months
What is the client connection mechanism of kdc
by roy liang
What is the access mechanism of the KDC? For example, I have the following configuration. When a KDC user logs in, is the access mechanism sequential, random, or hash-based?
So when will it visit the second one, the third one... or the last one?
Or will it only access the second one when the first one fails?
Is there any documentation? I looked up the documentation, and it doesn't specify this. I don't know how to optimize and determine where the problem is when the number of connections is under pressure.
Asking for help, thank you!
.....
[realms]
YYDEVOPS.COM = {
admin_server = kdc01.xx.com
kdc = kdc01.xx.com:41012
kdc = kdc01.xx.com:41013
kdc = kdc01.xx.com:41011
kdc = kdc01.xx.com:41014
kdc = kdc01.xx.com:88
kdc = kdc02.xx.com:88
kdc = kdc03.xx.com:88
kdc = kdc04.xx.com:88
}
.....
1 year, 5 months
How do I increase the kdc connection concurrency
by roy liang
My FreeIPA 4.8, kdc5 1.13.2
How do I increase the connection concurrency of the KDC? I have found that KDC processes are blocked when the network traffic is heavy, but the physical resource usage of the server is low.
1: Can I increase the krb5kdc number of workers? I checked that the default value is 32.
ps -ef | grep krb
....
/usr/sbin/krb5kdc -w 32 -P /var/run/krb5-kdc.pid
.....
2: kdc_max_tcp_connections: is this configuration valid, and is the number of UDP and TCP connections of the KDC limited? How do I make it bigger? I looked up the relevant documents, but did not find them clearly explained.
Requesting guidance, thank you!
1 year, 5 months
Need Information regarding "ipa host-del" command
by Abhishek Dasgupta
Newbie here. I have a use-case where I need to delete host principals only
when no service principals exist on the host. Does "ipa host-del" perform
this check? If no, then when I run this command, would it delete the host
principal and along with it delete all the service principals associated?
I tried to run the command on a host but got the following error:
ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete
the entry
What privileges are needed to run this command? I had already done kinit as an
admin.
1 year, 5 months
Duplicate radacct entries
by Djerk Geurts
Hi,
Today I noticed that some usernames have multiple entries in the database where acctstoptime is null, which confused me, as I would assume each username should only ever have one null acctstoptime entry. I checked the other parameters to see if the account was used twice from different clients, and this isn’t the case.
Any ideas what could be the cause?
I’ve resolved my telemetry issue by using DISTINCT when counting active credentials.
--
Djerk Geurts
1 year, 5 months
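An added example (not from the post or from FreeRADIUS itself) that reproduces the situation on a constructed radacct sample in SQLite: the naive count of open rows versus the DISTINCT count of active credentials, plus a query that lists usernames with more than one open row and whether those rows came from the same NAS. Column names follow the standard FreeRADIUS SQL schema; the rows are constructed.

```python
import sqlite3

# Constructed sample of a FreeRADIUS radacct table (subset of columns).
# An open session is a row whose acctstoptime IS NULL.
SAMPLE_ROWS = [
    # (username, acctsessionid, nasipaddress, acctstarttime, acctstoptime)
    ("alice", "s-001", "10.0.0.1", "2022-10-17 08:00:00", "2022-10-17 09:00:00"),
    ("alice", "s-002", "10.0.0.1", "2022-10-17 09:05:00", None),
    ("bob",   "s-003", "10.0.0.2", "2022-10-17 08:30:00", None),
    ("bob",   "s-004", "10.0.0.2", "2022-10-17 08:30:00", None),  # duplicate open row, same NAS
    ("carol", "s-005", "10.0.0.3", "2022-10-17 07:00:00", None),
]


def load_sample():
    """Build an in-memory radacct table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, username TEXT, acctsessionid TEXT,
        nasipaddress TEXT, acctstarttime TEXT, acctstoptime TEXT)""")
    conn.executemany(
        "INSERT INTO radacct (username, acctsessionid, nasipaddress,"
        " acctstarttime, acctstoptime) VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_open_rows(conn):
    """Naive telemetry: every open row counts, so duplicates inflate the number."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL").fetchone()[0]


def count_active_users(conn):
    """The DISTINCT form: one active credential per username."""
    return conn.execute(
        "SELECT COUNT(DISTINCT username) FROM radacct WHERE acctstoptime IS NULL"
    ).fetchone()[0]


def find_duplicate_open_sessions(conn):
    """Usernames with more than one open row; distinct_nas == 1 means the
    duplicates came from the same NAS (stale or repeated accounting), while
    distinct_nas > 1 points at a genuine concurrent login from several clients."""
    rows = conn.execute("""
        SELECT username, COUNT(*), COUNT(DISTINCT nasipaddress)
        FROM radacct WHERE acctstoptime IS NULL
        GROUP BY username HAVING COUNT(*) > 1""").fetchall()
    return {u: {"open_rows": n, "distinct_nas": d} for u, n, d in rows}
```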
Release schedule for EL9
by Russ Long
Is the release schedule for FreeIPA on EL9 available somewhere? I'm looking to see when 4.9.9 might be available for EL9 distros.
Thanks,
Russ
1 year, 5 months
ipasam failure with BACKTRACE
by Kees Bakker
Hi,
This weekend I installed CentOS 9 Stream on a server that had CentOS 7 on it.
One of its main tasks is to be a Samba server. I completely reinstalled and
set up Samba. I used ipasam before and it was working.
I copied the smb.conf from the old system. But now it gives me a fatal error.
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868, 0] ipa_sam.c:5174(pdb_init_ipasam)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: Failed to get base DN.
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615111, 0] ../../lib/util/fault.c:172(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===============================================================
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615185, 0] ../../lib/util/fault.c:173(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in pid 271493 (4.16.4)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615268, 0] ../../lib/util/fault.c:177(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615322, 0] ../../lib/util/fault.c:182(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===============================================================
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615373, 0] ../../lib/util/fault.c:183(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: PANIC (pid 271493): pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in 4.16.4
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615940, 0] ../../lib/util/fault.c:287(log_stack_trace)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: BACKTRACE: 13 stack frames:
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7f2c94aebd74]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7f2c94aebfcd]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #2 /lib64/libsamba-passdb.so.0(+0x1c6df) [0x7f2c94a8f6df]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #3 /lib64/libsamba-passdb.so.0(pdb_get_aliasinfo+0x16) [0x7f2c94a8ff86]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #4 /usr/libexec/samba/samba-dcerpcd(finalize_local_nt_token+0x16a) [0x559ea4bed72a]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #5 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x30c) [0x559ea4bee03c]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #6 /usr/libexec/samba/samba-dcerpcd(+0x175f3) [0x559ea4bf05f3]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #7 /usr/libexec/samba/samba-dcerpcd(+0x1f42c) [0x559ea4bf842c]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #8 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x21) [0x559ea4beaa71]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #9 /usr/libexec/samba/samba-dcerpcd(main+0x54a) [0x559ea4be5dba]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #10 /lib64/libc.so.6(+0x3feb0) [0x7f2c94333eb0]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #11 /lib64/libc.so.6(__libc_start_main+0x80) [0x7f2c94333f60]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #12 /usr/libexec/samba/samba-dcerpcd(_start+0x25) [0x559ea4be78e5]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.616354, 0] ../../source3/lib/dumpcore.c:317(dump_core)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
The versions of some packages:
#############################################################
# dnf list samba\* ipa\*
Last metadata expiration check: 0:30:46 ago on Mon 17 Oct 2022 11:04:25 AM CEST.
Installed Packages
ipa-client.x86_64 4.10.0-6.el9 @appstream
ipa-client-common.noarch 4.10.0-6.el9 @appstream
ipa-client-samba.x86_64 4.10.0-6.el9 @appstream
ipa-common.noarch 4.10.0-6.el9 @appstream
ipa-healthcheck-core.noarch 0.9-3.el9 @appstream
ipa-selinux.noarch 4.10.0-6.el9 @appstream
ipa-server.x86_64 4.10.0-6.el9 @appstream
ipa-server-common.noarch 4.10.0-6.el9 @appstream
ipa-server-trust-ad.x86_64 4.10.0-6.el9 @appstream
samba.x86_64 4.16.4-101.el9 @baseos
samba-client.x86_64 4.16.4-101.el9 @appstream
samba-client-libs.x86_64 4.16.4-101.el9 @anaconda
samba-common.noarch 4.16.4-101.el9 @anaconda
samba-common-libs.x86_64 4.16.4-101.el9 @anaconda
samba-common-tools.x86_64 4.16.4-101.el9 @baseos
samba-libs.x86_64 4.16.4-101.el9 @baseos
samba-winbind.x86_64 4.16.4-101.el9 @baseos
samba-winbind-modules.x86_64 4.16.4-101.el9 @baseos
#############################################################
The smb.conf, the [global] part
#############################################################
# Global parameters
[global]
create krb5 conf = No
dedicated keytab file = /etc/samba/samba.keytab
disable spoolss = Yes
domain logons = Yes
domain master = Yes
kerberos method = dedicated keytab
ldap debug level = 99
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = no
ldap suffix = dc=example,dc=com
ldap user suffix = cn=users,cn=accounts
#ldap admin dn = uid=samba_admin,cn=users,cn=accounts,dc=example,dc=com
#log level = 99
log level = 1
log file = /var/log/samba/log.%m
max log size = 100000
passdb backend = ipasam:ldaps://rotte.example.com
realm = EXAMPLE.COM
registry shares = Yes
security = USER
workgroup = EXAMPLE
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
#rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
#############################################################
Unfortunately I couldn't really find much documentation about ipasam. Is this
still the best approach for a Samba server in a FreeIPA environment?
--
Kees
1 year, 5 months
Options for remote home directories
by Kevin Vasko
Trying to find the best option for me for better “shared” “/home” directories.
I would ideally like to give everyone a network-based /home directory so I could quota the folders, so people would quit filling up every server's /home directory.
We have two major use cases, the first isn’t much of a problem, but combined with the second it makes a problem.
* We have servers that people login to with their LDAP that are always connected to our NFS server.
* We also have laptops that users login with their LDAP account and connect to the network via VPN.
I realize I can force everyone’s home directory to something like /nfshome/<user> in FreeIPA, but the problem with this is that if they are remote on the laptop, it causes all kinds of issues when they aren’t on the VPN.
What are my options for handling this? Should I just quota everyone on the servers and tell everyone to use /nfshome/<user> and then leave the laptops alone?
1 year, 6 months