FYI: Centos 8 Stream issues during Thanksgiving weekend
by Alexander Bokovoy
Hi,
this is just to let you know not to attempt upgrading CentOS 8 Stream
installations, if you have any, over this Thanksgiving weekend. The
compose as of today contains conflicting packages which will cause
errors when trying to upgrade an IPA deployment.
https://bugzilla.redhat.com/show_bug.cgi?id=2148138 contains more
details.
In short, we are rebasing samba+sssd+freeipa and all related packages in
RHEL 8.8, this required a side-tag build. CentOS 8 Stream update was
synchronized once testing was completed by RHEL quality engineering
team. However, the order of rebuilds on CentOS 8 Stream side was not
preserved and at least sssd was rebuilt against old samba version. Since
one of internal Samba libraries did change its soname, this causes
installation conflicts.
The CentOS Stream team in the US is now out for Thanksgiving, so we probably
need to wait until next week before this problem is fixed.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1 year, 5 months
/var/log volume filling up due to growing logs of signedaudit
by Natxo Asenjo
hi,
our CA master got its /var/log disk full, and after a quick analysis
the directory /var/log/pki/pki-tomcat/ca/signedAudit was the problem.
First time I have come across this problem after 10 years ;-)
This directory has a lot of files called ca_audit.yyyymmddhhmmss, each 2M
in size. It ended up costing 30G in total before we noticed.
So the quick fix was easy, deleting files, but what can I tweak so this
does not happen again in the future? And is this auditing crucial for some
process? Or can it be turned off somewhere?
Thanks in advance for your input.
--
regards,
natxo
1 year, 5 months
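The directory that filled up above holds the CA's signed audit trail (the entries are signed with the IPA CA's audit signing certificate), so the operational question is how to bound its size without quietly discarding evidence. The following is an added example, not code from the post or from Dogtag/FreeIPA: it parses the ca_audit.yyyymmddhhmmss names the post describes, applies an age-based retention window, and then, only if the retained set still exceeds a byte budget, moves the oldest retained files into the archive list as well and flags that the policy was overridden. It also projects how many days of free space remain from the rotation cadence. Nothing is deleted; the output is a plan for moving files to archive storage. The directory listing, the 3-day window and the 8 MiB budget are constructed values; the live file name "ca_audit" is assumed to be the one the CA is writing and is never included in the plan.

```python
import re
from datetime import datetime, timedelta

MiB = 1024 * 1024
# Rotated Dogtag signed-audit files are named ca_audit.YYYYMMDDhhmmss (the post's
# ca_audit.yyyymmddhhmmss). The file being written is plain "ca_audit" and is never touched.
ROTATED = re.compile(r"^ca_audit\.(\d{14})$")
# Constructed "now" so the sample listing below is reproducible.
NOW = datetime(2022, 11, 21, 12, 0, 0)


def rotation_time(name):
    """Timestamp encoded in a rotated file name, or None for the live log / other files."""
    m = ROTATED.match(name)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None


def plan_retention(files, now, keep_days, budget_bytes):
    """files: iterable of (name, size_bytes) from the signedAudit directory.
    Age policy first: everything rotated before now - keep_days goes to the archive list.
    Then, if what is left still exceeds budget_bytes, the oldest retained files are archived
    too and budget_forced is set so the operator sees the window is too generous for the
    volume. Nothing is deleted: these files are a signed audit trail."""
    live_bytes, rotated = 0, []
    for name, size in files:
        ts = rotation_time(name)
        if ts is None:
            live_bytes += size
        else:
            rotated.append((ts, name, size))
    rotated.sort()  # oldest first
    cutoff = now - timedelta(days=keep_days)
    archive = [(ts, n, s) for ts, n, s in rotated if ts < cutoff]
    keep = [(ts, n, s) for ts, n, s in rotated if ts >= cutoff]
    total = live_bytes + sum(s for _, _, s in rotated)
    budget_forced = False
    while keep and live_bytes + sum(s for _, _, s in keep) > budget_bytes:
        archive.append(keep.pop(0))  # next-oldest retained file
        budget_forced = True
    return {
        "archive": [n for _, n, _ in archive],
        "keep": [n for _, n, _ in keep],
        "total_bytes": total,
        "after_bytes": live_bytes + sum(s for _, _, s in keep),
        "budget_forced": budget_forced,
    }


def days_until_full(files, now, free_bytes):
    """Growth rate derived from the rotation timestamps, projected onto the free space.
    None when fewer than two rotated files exist (no rate can be derived)."""
    stamped = [(rotation_time(n), s) for n, s in files if rotation_time(n)]
    if len(stamped) < 2:
        return None
    stamped.sort()
    span_days = (stamped[-1][0] - stamped[0][0]).total_seconds() / 86400
    if span_days <= 0:
        return None
    rate = sum(s for _, s in stamped) / span_days  # bytes per day
    return free_bytes / rate


def sample_listing(now):
    """Constructed directory listing: a live log plus ten 2 MiB files rotated every 12 hours."""
    files = [("ca_audit", 1 * MiB)]
    for k in range(1, 11):
        ts = now - timedelta(hours=12 * k)
        files.append(("ca_audit." + ts.strftime("%Y%m%d%H%M%S"), 2 * MiB))
    return files


if __name__ == "__main__":
    plan = plan_retention(sample_listing(NOW), NOW, keep_days=3, budget_bytes=8 * MiB)
    print("archive:", plan["archive"])
    print("keep:", plan["keep"], "forced by budget:", plan["budget_forced"])
    print("days until full at 40 MiB free:", days_until_full(sample_listing(NOW), NOW, 40 * MiB))
```

Run from cron with the real listing (os.scandir over the signedAudit directory) and act on the "archive" list by moving files to storage that is not on the CA host; a budget_forced result is the signal to revisit the retention window rather than something to silence.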
"ipa-cacert-manage renew" is failing
by Sean McLennan
Went onto my IPA server today to discover the certificate had not been automatically renewed. It's a self-signed cert.
I set the date back before the expiry and tried:
ipa-cacert-manage renew
which results in:
'NoneType' object has no attribute 'is_self_signed'
The ipa-cacert-manage command failed.
adding '--self-signed' just punts the same error to another attribute:
Renewing CA certificate, please wait
'NoneType' object has no attribute 'issuer'
The ipa-cacert-manage command failed.
I assume the same thing caused the autorenewal to not happen. Any recommendations? IPA version is 4.6.90.pre1+git20180411, API_VERSION: 2.229, which I know is old. It's on an old Ubuntu distro that I can't upgrade without destroying it, and I have tried many times to replicate the thing to a different VM but have yet to successfully do so.
1 year, 5 months
Prometheus exporter ldap search monitoring FreeIPA servers
by Tania Hagan
Hi FreeIPA-Users,
I have a Prometheus server and I am trying to set up an alert to test whether an LDAP search succeeds. Searching, there seem to be a few exporters (389ds exporter, OpenLDAP exporter), but all rather old, and I'm struggling to get any useful metrics out of them.
Could anyone recommend a good way to achieve this (preferably without putting a password in a text file)? I'm afraid I've had a good search but am struggling to find a good way to do this.
Current version of IPA: 4.9.10
Many Thanks,
Tania
1 year, 5 months
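One way to get the "does an authenticated LDAP search succeed" signal into Prometheus without a password on disk is a small probe that authenticates with a keytab (Kerberos, via GSSAPI) and writes node_exporter textfile-collector metrics. This is an added example, not code from the post, from FreeIPA, or from any of the exporters mentioned. Assumptions, none of which come from the post: a dedicated, read-only probe principal whose keytab is readable only by the prometheus user (created with ipa service-add and ipa-getkeytab), the server URI, the search base, and node_exporter's textfile directory. The credential cache lives in a fresh private temporary directory for the duration of one probe and is removed afterwards, so no ticket lingers for another local user to pick up. The two sample_runner_* functions are constructed stand-ins for subprocess.run so the block runs offline.

```python
import os
import shutil
import subprocess
import tempfile
import time

# Assumed deployment values (not from the post).
LDAP_URI = "ldaps://ipa.example.test"
SEARCH_BASE = "cn=users,cn=accounts,dc=example,dc=test"
KEYTAB = "/etc/prometheus/ldap-probe.keytab"                 # 0600, owned by the prometheus user
PRINCIPAL = "ldap-probe/monitor.example.test@EXAMPLE.TEST"   # dedicated, read-only principal
TEXTFILE = "/var/lib/node_exporter/textfile_collector/ipa_ldap.prom"


def kerberos_env(runner=subprocess.run):
    """kinit from the keytab into a credential cache inside a fresh 0700 directory.
    Returns (env, tmpdir); the caller removes tmpdir so the ticket does not persist."""
    tmpdir = tempfile.mkdtemp(prefix="ldap-probe-")
    env = dict(os.environ, KRB5CCNAME="FILE:" + os.path.join(tmpdir, "krb5cc"))
    proc = runner(["kinit", "-kt", KEYTAB, PRINCIPAL], env=env,
                  capture_output=True, text=True, timeout=10)
    if proc.returncode != 0:
        shutil.rmtree(tmpdir, ignore_errors=True)
        return None, None
    return env, tmpdir


def ldap_search_probe(filter_expr, env=None, runner=subprocess.run, timeout=5.0):
    """One GSSAPI-authenticated search; success, entry count and wall time are the metrics."""
    cmd = ["ldapsearch", "-LLL", "-Q", "-o", "ldif-wrap=no", "-Y", "GSSAPI", "-H", LDAP_URI,
           "-b", SEARCH_BASE, "-s", "sub", filter_expr, "1.1"]
    start = time.monotonic()
    try:
        proc = runner(cmd, env=env, capture_output=True, text=True, timeout=timeout)
        ok = proc.returncode == 0
        entries = sum(1 for l in proc.stdout.splitlines() if l.startswith("dn:")) if ok else 0
    except (subprocess.TimeoutExpired, OSError):
        ok, entries = False, 0
    return {"success": ok, "entries": entries, "duration": time.monotonic() - start}


def render_metrics(result, now=None):
    """Prometheus text exposition format for node_exporter's textfile collector."""
    now = time.time() if now is None else now
    label = 'server="%s"' % LDAP_URI
    return "\n".join([
        "# HELP ipa_ldap_search_success 1 if the authenticated LDAP search succeeded",
        "# TYPE ipa_ldap_search_success gauge",
        "ipa_ldap_search_success{%s} %d" % (label, 1 if result["success"] else 0),
        "# TYPE ipa_ldap_search_duration_seconds gauge",
        "ipa_ldap_search_duration_seconds{%s} %.6f" % (label, result["duration"]),
        "# TYPE ipa_ldap_search_entries gauge",
        "ipa_ldap_search_entries{%s} %d" % (label, result["entries"]),
        "# TYPE ipa_ldap_probe_timestamp_seconds gauge",
        "ipa_ldap_probe_timestamp_seconds{%s} %d" % (label, int(now)),
    ]) + "\n"


def write_textfile(text, path=TEXTFILE):
    """Write atomically: the collector must never read a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def run_probe(runner=subprocess.run):
    """kinit, search, and always discard the credential cache directory."""
    env, tmpdir = kerberos_env(runner)
    if env is None:
        return {"success": False, "entries": 0, "duration": 0.0}
    try:
        return ldap_search_probe("(uid=admin)", env=env, runner=runner)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def sample_runner_ok(cmd, **kwargs):
    """Constructed stand-in for subprocess.run: kinit succeeds, the search returns one entry."""
    out = "" if cmd[0] == "kinit" else "dn: uid=admin,%s\n\n" % SEARCH_BASE
    return subprocess.CompletedProcess(cmd, 0, stdout=out, stderr="")


def sample_runner_fail(cmd, **kwargs):
    """Constructed stand-in: the keytab kinit fails, so no search is attempted."""
    return subprocess.CompletedProcess(cmd, 1, stdout="", stderr="kinit: Keytab contains no suitable keys\n")


if __name__ == "__main__":
    print(render_metrics(run_probe(sample_runner_ok)), end="")
```

Alert on ipa_ldap_search_success == 0 or on a stale ipa_ldap_probe_timestamp_seconds (the probe itself stopped running), and keep the probe principal out of any group that grants write access; a monitoring identity should be able to read one entry and nothing else.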
NFSv4 id mapping through IPA ldap server
by Yanlish Hesap
Hi All.
We have IPA setup in an AD trust to support our Linux fleet. User home
directories are mounted from a Netapp filer (nfs4 with krb5). The filer
performs uid <-> uidNumber mapping required by kerberized nfs4 via IPA ldap
server.
This setup was working well until we patched our RHEL8 IPA servers last
week, specifically:
389-ds-base-1.4.3.23-14.module+el8.5.0+14377+c731dc97.x86_64
was updated to:
389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12.x86_64
and,
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
was updated to:
ipa-server-4.9.8-7.module+el8.6.0+14337+19b76db2.x86_64
This seems to have broken something in IPA: the Netapp filer is no longer
able to resolve uid/uidNumber mappings for AD trust users (it still works
for IPA users).
The AD trust is still working, and IPA clients are able to resolve AD users
through sssd and log them in (only the home directories are not working).
The directory server logs an entry like the following when the filer attempts to
look up an AD trust user:
[21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3
[21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
[21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=username@localdomain))" <(&(objectClass=posixAccount)(uid=baybars(a)unimelb.edu.au))> attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell"
[21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
[21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND
Any pointers appreciated!
Regards, Yanlish
1 year, 5 months
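The excerpt above is the pattern worth being able to pull out of a 389-ds access log mechanically: which identity bound on a connection, and which of its searches came back with err=0 but nentries=0. The following is an added example, not code from the post or from 389-ds: it parses the access-log line format, pairs each operation with its RESULT line, attaches the DN that successfully bound on that connection, and lists empty searches for a given bind identity. The sample lines are constructed from the post's excerpt (with the stray second filter copy removed). One caveat worth keeping in mind when reading the output: LDAP ACIs hide entries rather than returning an error, so err=0 with nentries=0 can mean either "no entry matches under that base" or "the bind DN is not allowed to read the entries that do"; the log alone does not distinguish the two, and the same search run as Directory Manager does.

```python
import re

# Constructed from the access-log excerpt in the post: one simple bind, one search, one unbind.
SAMPLE_LINES = """\
[21/Nov/2022:16:46:22.551318734 +1100] conn=14684 op=1 BIND dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain" method=128 version=3
[21/Nov/2022:16:46:22.552177201 +1100] conn=14684 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000044925 optime=0.000864628 etime=0.000908138 dn="uid=netapp-ldap-bind,cn=users,cn=accounts,dc=ipa,dc=localdomain"
[21/Nov/2022:16:46:22.554028669 +1100] conn=14684 op=2 SRCH base="dc=ipa,dc=localdomain" scope=2 filter="(&(objectClass=posixAccount)(uid=username@localdomain))" attrs="uid uidNumber gidNumber userPassword gecos homeDirectory loginShell"
[21/Nov/2022:16:46:22.554212462 +1100] conn=14684 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000072472 optime=0.000185686 etime=0.000256338
[21/Nov/2022:16:46:24.003556166 +1100] conn=14205 op=10 UNBIND
""".splitlines()

# "[timestamp] conn=N op=N KIND rest..." ; connection-open lines have no op= and are skipped.
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _coerce(value):
    for cast in (int, float):
        try:
            return cast(value)
        except ValueError:
            pass
    return value


def parse_line(line):
    """One access-log line -> dict, or None for lines that are not operations."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
    for key, quoted, bare in KV.findall(m["rest"]):
        rec[key] = _coerce(bare) if bare else quoted
    return rec


def correlate(lines):
    """Pair each operation with its RESULT and record the identity bound on its connection
    at the time the operation was issued (only successful binds, err=0, count)."""
    ops, bound, order = {}, {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "RESULT":
            target = ops.get(key)
            if target is None:
                continue
            for field in ("err", "tag", "nentries", "etime"):
                if field in rec:
                    target[field] = rec[field]
            if target["kind"] == "BIND" and rec.get("err") == 0:
                bound[rec["conn"]] = rec.get("dn", target.get("dn"))
        else:
            rec["bind_dn"] = bound.get(rec["conn"])  # None means anonymous / not yet bound
            ops[key] = rec
            order.append(key)
    return [ops[k] for k in order]


def empty_searches(ops, bind_dn_contains=None):
    """Completed searches that matched nothing, optionally limited to one bind identity."""
    return [o for o in ops
            if o["kind"] == "SRCH" and o.get("err") == 0 and o.get("nentries") == 0
            and (bind_dn_contains is None or bind_dn_contains in (o.get("bind_dn") or ""))]


if __name__ == "__main__":
    for hit in empty_searches(correlate(SAMPLE_LINES), "netapp-ldap-bind"):
        print("conn=%d op=%d as %s: base=%s scope=%d filter=%s -> 0 entries in %.6fs"
              % (hit["conn"], hit["op"], hit["bind_dn"], hit["base"], hit["scope"],
                 hit["filter"], hit["etime"]))
```

method=128 on the BIND line is a simple (password) bind; when the filer's search base or filter is being compared against what an IPA client does, the bind identity matters as much as the filter, because what an entry looks like, or whether it is visible at all, depends on who is asking.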
SSSD unable to retrieve secondary groups after upgrade of ipa-server
by Krishna Pulluru
Hello Community,
We recently updated ipa-server and a bunch of related packages from 4.6.8-5.el7.centos.11 to 4.6.8-5.el7.centos.12. This also updated the IPA data. After that, the clients are unable to retrieve group information. However, they can load SSH public keys and other user details fine. When I query the FreeIPA server using ipa and ldapsearch for a user, I see all group memberships. So the data on the FreeIPA server seems fine, but only how SSSD talks to FreeIPA has changed.
On the clients, there were no changes, and I tried all combinations of ldap_schema (rfc2307, rfc2307bis, ipa) and ldap_group_member (memberUid, uniqueMember), every time removing the cache and restarting SSSD. However, I don't see any change when I run id <username> or getent group <group>. They return only the user ID and primary group (group name and GID). I also tried adding initgroups sss files in /etc/nsswitch.conf, but that didn't make a difference.
I tried to revert the packages on the server, but it failed, saying the data schema is incompatible. So the current status is that our users can SSH to the instances but can't sudo, as group information is missing.
Since it seems like an issue with SSSD, I raised an issue with SSSD last week: https://github.com/SSSD/sssd/issues/6443. I'm reaching out here hoping someone might have resolved this, as it was an upgrade of the FreeIPA server that triggered it. Please let me know if you have any questions.
Additional details:
==============
On client:
=======
id
uid=1987401269(user_name) gid=1987401269(user_name) groups=1987401269(user_name) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
getent group sudo
sudo:*:27:
On FreeIPA server:
==============
id
uid=1987401269(user_name) gid=1987401269(user_name) groups=1987401269(user_name),27(sudo),1987400000(group1),1987400473(group2),1987401284(group3), context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
ipa user-show --all --raw user_name
dn: uid=user_name,cn=users,cn=accounts,dc=REDACTED,dc=com
REDACTED
ipaSshPubKey: REDACTED
..
memberof: cn=group1,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=greoup2,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=sudo,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=group3,cn=groups,cn=accounts,dc=REDACTED,dc=com
..
ldapsearch -Y GSSAPI -b 'uid=<user_name>,cn=users,cn=accounts,dc=REDACTED,dc=com'
Shows output similar to above.
I enabled debug logs (debug_level=6) on the SSSD client for all nss, pam and be calls to see if there are any issues, but I didn't find anything obvious. I thought it was not very useful to share it all here, but I'm sharing the relevant searches SSSD sends to the FreeIPA server.
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=REDACTED,dc=com]
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=<user_name>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=REDACTED,dc=com].
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
and
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=REDACTED,dc=com]
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=<gid_name>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=REDACTED,dc=com].
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
More details below
FreeIPA server OS details
==================
cat /etc/*release*
CentOS Linux release 7.9.2009 (Core)
Derived from Red Hat Enterprise Linux 7.9 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.9.2009 (Core)
CentOS Linux release 7.9.2009 (Core)
cpe:/o:centos:centos:7
Relevant upgrade logs on the FreeIPA server
=========================
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-client-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-client-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-python-compat.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-python-compat.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-server.x86_64 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-server.x86_64 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-server-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-server-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipaclient.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipaclient.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipalib.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipalib.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipaserver.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipaserver.noarch 0:4.6.8-5.el7.centos.12 will be an update
Client OS and sssd versions
=====================
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)
cpe:2.3:o:amazon:amazon_linux:2
yum list installed|grep sssd
python-sssdconfig.noarch 1.16.5-10.amzn2.10 @amzn2-core
sssd.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-ad.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-client.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-common.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-common-pac.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-ipa.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-krb5.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-krb5-common.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-ldap.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-proxy.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd.conf on Client
================
[domain/REDACTED]
ldap_search_base = cn=users,cn=accounts,dc=REDACTED,dc=com
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://freeipa.REDACTED.com,ldaps://ipa-slave.REDACTED.com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_schema = rfc2307
ldap_user_ssh_public_key = ipaSshPubKey
ldap_group_search_base = dc=REDACTED,dc=com
ldap_page_size = 1900
group_name_attribute = cn
ldap_group_member = memberUid
group_class = posixGroup
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, sudo
domains = REDACTED.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
homedir_substring = /home
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[ssh]
Thanks,
Krishna.
1 year, 5 months
ipa-client-install randomly fails with slapi_access_allowed does not allow WRITE to ipaProtectedOperation; write_keys!
by Paulina Budzon
Hi there,
We have IPA (VERSION: 4.9.10, API_VERSION: 2.248) running on Alma Linux 8.7 with a total of 4 replicas. We're running in a cloud, so we have an automated process in place where new instances automatically enrol to IPA when launching (they all use the same IPA user and fetch the password from a secrets manager). For a while now we have been seeing instances fail to enrol to IPA on random occasions, which is more pronounced when multiple instances are starting at the same time.
Each instance runs ipa-client-install, like below, when it starts:
ipa-client-install --mkhomedir --ssh-trust-dns --domain=example.com -w${PASSW} -phost-enrollment --unattended --force-join --no-dns-sshfp
This sometimes fails with the following:
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpdqzuq_ts', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpdqzuq_ts/pwdfile.txt']
Process finished, return code=0
stdout=
stderr=
failed to find session_cookie in persistent storage for principal 'host/ip-172-26-1-238.xxx(a)EXAMPLE.COM'
trying https://ipa2.example.com/ipa/json
New HTTP connection (ipa2.example.com)
HTTP connection destroyed (ipa2.example.com)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 644, in get_auth_info
response = self._sec_context.step()
File "<decorator-gen-15>", line 2, in step
File "/usr/lib64/python3.6/site-packages/gssapi/_utils.py", line 167, in check_last_err
return func(self, *args, **kwargs)
File "<decorator-gen-5>", line 2, in step
File "/usr/lib64/python3.6/site-packages/gssapi/_utils.py", line 127, in catch_and_return_token
return func(self, *args, **kwargs)
File "/usr/lib64/python3.6/site-packages/gssapi/sec_contexts.py", line 521, in step
return self._initiator_step(token=token)
File "/usr/lib64/python3.6/site-packages/gssapi/sec_contexts.py", line 542, in _initiator_step
token)
File "gssapi/raw/sec_contexts.pyx", line 244, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'EXAMPLE.COM'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 697, in single_request
self.get_auth_info()
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 646, in get_auth_info
self._handle_exception(e, service=service)
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 605, in _handle_exception
raise errors.KerberosError(message=unicode(e))
ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'EXAMPLE.COM'
File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3961, in main
install(self)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2655, in install
_install(options)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2972, in _install
api.finalize()
File "/usr/lib/python3.6/site-packages/ipalib/plugable.py", line 753, in finalize
self.__do_if_not_done('load_plugins')
File "/usr/lib/python3.6/site-packages/ipalib/plugable.py", line 432, in __do_if_not_done
getattr(self, name)()
File "/usr/lib/python3.6/site-packages/ipalib/plugable.py", line 632, in load_plugins
for package in self.packages:
File "/usr/lib/python3.6/site-packages/ipalib/__init__.py", line 952, in packages
ipaclient.remote_plugins.get_package(self),
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 128, in get_package
plugins = schema.get_package(server_info, client)
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/schema.py", line 546, in get_package
schema = Schema(client)
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/schema.py", line 395, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/schema.py", line 407, in _fetch
client.connect(verbose=False)
File "/usr/lib/python3.6/site-packages/ipalib/backend.py", line 69, in connect
conn = self.create_connection(*args, **kw)
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 1064, in create_connection
command([],
{}
)
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 1276, in _call
return self.__request(name, args)
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 1243, in __request
verbose=self.__verbose >= 3,
File "/usr/lib64/python3.6/xmlrpc/client.py", line 1154, in request
return self.single_request(host, handler, request_body, verbose)
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 697, in single_request
self.get_auth_info()
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 646, in get_auth_info
self._handle_exception(e, service=service)
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 605, in _handle_exception
raise errors.KerberosError(message=unicode(e))
The ipa-client-install command failed, exception: KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'EXAMPLE.COM'
Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'EXAMPLE.COM'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
This program will set up IPA client.
Version 4.9.10
On IPA server the following pops up in logs:
ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 825]: slapi_access_allowed does not allow WRITE to ipaProtectedOperation;write_keys!
ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1714]: Not allowed to set keytab on [host/ip-172-26-1-238.xxx(a)EXAMPLE.COM]!
This doesn't happen every time; even when multiple instances are launched from the same image, some will fail and some will enrol successfully. It's worse when instances are in a different cloud region than IPA (even when they are very close, network-wise, so latency shouldn't be an issue), but it can still happen within the same region. For some reason, this has also become worse since we switched from forcing a specific IPA server (--server to ipa-client-install) to DNS auto-discovery.
We commonly have situations where 5 instances try to launch at mostly the same time and try to enrol using 2 replicas - and all 5 will fail, both IPAs showing the same errors (as above).
We've run out of ideas of what to debug and how, so any clues would be appreciated.
1 year, 5 months
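Two things in the post are worth turning into a concrete enrolment procedure: failures got rarer when --server pinned a replica than with DNS auto-discovery, and the install is driven by a shared enrolment user whose password goes on the ipa-client-install command line with -w, where it is visible in the process list of the instance while the command runs. The following is an added example, not code from the post or from FreeIPA: a wrapper that runs ipa-client-install pinned to one replica per attempt, rotates through the replica list, backs off with full jitter so instances launched together do not retry in lockstep, and classifies each failure by the "Cannot contact any KDC" text from the post's output. It assumes a per-host one-time password from ipa host-add --random rather than the shared user; that still goes through -w, but it is single-use and scoped to one host entry. The replica hostnames and the FlakyRunner class (which replays the post's error text twice and then succeeds) are constructed so the block runs offline. Whether pinning alone removes the failures in your environment is not something the post establishes; the wrapper makes it measurable by recording which replica each failure happened against.

```python
import random
import subprocess
import time

REALM = "EXAMPLE.COM"                                # realm as it appears in the post
DOMAIN = "example.com"
REPLICAS = ["ipa1.example.com", "ipa2.example.com"]  # assumed replica hostnames
KDC_SIGNATURE = "Cannot contact any KDC for realm"   # error text from the post's output


def classify(output):
    """Bucket an ipa-client-install failure by what it printed."""
    return "kdc-unreachable" if KDC_SIGNATURE in output else "other"


def backoff_seconds(attempt, rng=random.random, base=2.0, cap=30.0):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))


def enroll(otp, replicas=REPLICAS, max_attempts=6,
           runner=subprocess.run, sleep=time.sleep, rng=random.random):
    """Run ipa-client-install pinned to one replica per attempt, rotating through the list.
    otp: per-host one-time password (ipa host-add --random). It is passed with -w, so it is
    visible in the process list for the duration of the run, but it is single-use."""
    history = []
    for attempt in range(max_attempts):
        server = replicas[attempt % len(replicas)]
        cmd = ["ipa-client-install", "--unattended", "--force-join", "--mkhomedir",
               "--ssh-trust-dns", "--no-dns-sshfp",
               "--domain", DOMAIN, "--realm", REALM, "--server", server, "-w", otp]
        proc = runner(cmd, capture_output=True, text=True)
        if proc.returncode == 0:
            return {"ok": True, "server": server, "attempts": attempt + 1, "history": history}
        history.append((server, classify(proc.stdout + proc.stderr)))
        if attempt + 1 < max_attempts:
            sleep(backoff_seconds(attempt, rng))
    return {"ok": False, "server": None, "attempts": max_attempts, "history": history}


class FlakyRunner:
    """Constructed stand-in for subprocess.run: fails `failures` times with the post's KDC
    error text, then succeeds. Exists only so the example runs offline."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = []

    def __call__(self, cmd, **kwargs):
        self.calls.append(cmd)
        if len(self.calls) <= self.failures:
            err = ("The ipa-client-install command failed, exception: KerberosError: "
                   "Major (851968): Unspecified GSS failure. Minor code may provide more "
                   "information, Minor (2529639068): %s '%s'\n" % (KDC_SIGNATURE, REALM))
            return subprocess.CompletedProcess(cmd, 1, stdout="", stderr=err)
        return subprocess.CompletedProcess(cmd, 0, stdout="Client configuration complete.\n", stderr="")


if __name__ == "__main__":
    runner = FlakyRunner(2)
    result = enroll("constructed-one-time-password", runner=runner, sleep=lambda s: None)
    print(result)
```

The history list is the data to keep from each instance: if failures cluster on one replica or on the DNS-discovered path, that is the lead to chase on the server side, where the two ipa_pwd_extop lines in the post say the keytab request for that host principal was refused.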
broken installation -> how to migrate it?
by Florian Hilgenberg
hello people. -> this is already posted here, maybe check there for better formatting? https://www.reddit.com/r/FreeIPA/comments/yzcln7/broken_installation_how_...
I broke my IPA installation on a CentOS 7 somehow... I can't root-cause it anymore. But since I basically use only LDAP, I managed to have it running in a crutch manner...
I run into two problems:
- when I try to uninstall & install the same IPA on that VM (but a snapshot clone), then I get an error that it can't connect to ldapi:///var/run/slapd*sock -> I gave up at some point.
- can't join new machines via ipa-client-install
- problem with Kerberos keys, I guess, see below.
Anyway, I found that exporting a backup and importing it on a Rocky Linux 9 imports the same problems... so I am kinda lost and guess I am seeking some help here... At this point I start hating the full feature set of IPA, which brings lots of complexity... Anyway, here we are....
Don't be surprised about the date+timestamps, I have my shell's PS settings that way.
old system centos7 mgmt01:
root@mgmt01 14:29:28 ~$ kinit admin
Password for admin@REALM:
root@mgmt01 14:29:51 ~$ ipa user-find
ERROR: No valid Negotiate header in server response
new system rocky9 mgmt02 after completely fresh install.
14:32:46-root@mgmt02:RC0:~ ↳ kinit admin
19.11.2022 14:32:48
Password for admin@REALM:
14:32:52-root@mgmt02:RC0:~ ↳ ipa user-find
19.11.2022 14:32:55
--------------1 user matched--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@REALM, root@REALM
UID: 1037800000
GID: 1037800000
Account disabled: False
----------------------------Number of entries returned 1----------------------------
I export a backup on mgmt01:
ipa-backup --data --online
on mgmt02:
go log in to the web interface of the new server, find default/empty user list
↳ ipa-restore --data --online --backend userRoot /home/sshadmin/ipa-data-2022-11-18-19-40-45/
19.11.2022 14:48:14
Directory Manager (existing master) password:
Preparing restore from /home/sshadmin/ipa-data-2022-11-18-19-40-45/ on mgmt01
Performing DATA restore from DATA backup
Restoring data from a different release of IPA.
Data is version 4.6.8.
Server is running 4.9.8.
Continue to restore? [no]: yes
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Starting Directory Server
Restoring from userRoot in REALM
Waiting for LDIF to finish
Restoring umask to 18
The ipa-restore command was successful
↳ ipa user-find ->
can find users
↳ refresh website ->
I can see my LDAP users.
↳ log out of website, re-login with admin user gives me:
Login failed due to an unknown reason (same on old system)
↳ reboot and ipa user-find will give me this one:
ipa: ERROR: No valid Negotiate header in server response
At this point again I can't join new machines to the new server via ipa-client-install.
I am pretty lost.
I also tried exporting LDAP data with db2ldif -> and added it to the new server with ldapmodify -ac -f ldiffile, and seem to run into pretty similar issues.
Luckily I can read the LDIF file and connect to the old and new server with Apache Studio; that might help in more manual efforts to restore the service.
I tried something else now...
I've exported LDIFs from cn=groups,cn=accounts and cn=users,cn=accounts separately.
Tried to import groups first (did work).
Tried to import users then -> only a few users are imported in the end. Most of them are declined with this error:
#!ERROR [LDAP result code 53 - unwillingToPerform] Managed Entry Plugin rejected add operation (see errors log).
I have no damn clue...
Nov 19 16:59:37 mgmt.doma.in ns-slapd[1257]: [19/Nov/2022:16:59:37.145273724 +0100] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add pointer to managed entry "cn=user,cn=groups,cn=accounts,dc=doma,dc=in" in origin entry "uid=user,cn=users,cn=accounts,dc=doma,dc=in" (Type or value exists).
1 year, 5 months
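Two of the posts above come down to what an LDIF entry actually contains. In Krishna's post, sssd.conf asks for ldap_schema = rfc2307 with ldap_group_member = memberUid, and the debug lines show the resulting filter (&(memberUid=<user>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0)))); FreeIPA's own group entries under cn=groups,cn=accounts store membership as member: <user DN> (the RFC 2307bis style that ldap_schema = rfc2307bis or ipa uses), while memberUid values are exposed through the compat tree under cn=compat. In Florian's post, the managed-entries plugin refuses user adds because the pointer attribute it wants to write to the user (mepManagedEntry, the link to the user-private group) is already present in the entry being added. The following is an added example, not code from either poster or from SSSD, FreeIPA or 389-ds: a minimal LDIF reader, the two SSSD group-lookup strategies evaluated over the parsed entries so the effect of search base and schema is visible, and a report of the mepManagedEntry/mepManagedBy pointers an LDIF carries before it is handed to ldapmodify. The LDIF is constructed; the user, groups, DNs and numeric IDs are made up.

```python
import base64

# Constructed sample: one user with its user-private group as the managed-entries plugin
# stores it, one ordinary IPA group using RFC 2307bis "member", and the compat-tree view of
# that group exposing RFC 2307 "memberUid".
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: mepOriginEntry
uid: jdoe
uidNumber: 1987401269
gidNumber: 1987401269
mepManagedEntry: cn=jdoe,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=jdoe,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: mepManagedEntry
cn: jdoe
gidNumber: 1987401269
mepManagedBy: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test

dn: cn=devops,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: groupofnames
cn: devops
gidNumber: 1987400473
member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test

dn: cn=devops,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixgroup
cn: devops
gidNumber: 1987400473
memberUid: jdoe
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips comments, decodes '::' base64
    values; attribute names are lower-cased, every attribute is a list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:
        if line == "":
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        name = name.strip().lower()
        if name == "dn":
            cur = {"dn": value, "attrs": {}}
        else:
            cur["attrs"].setdefault(name, []).append(value)
    return entries


def in_subtree(dn, base):
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def _group_candidate(e, base):
    """(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))) under the search base."""
    a = e["attrs"]
    gids = a.get("gidnumber", [])
    return (in_subtree(e["dn"], base) and "posixgroup" in [v.lower() for v in a.get("objectclass", [])]
            and "cn" in a and bool(gids) and gids[0] != "0")


def rfc2307_groups(entries, uid, base):
    """SSSD ldap_schema=rfc2307 / ldap_group_member=memberUid: match on (memberUid=uid)."""
    return [e["dn"] for e in entries if _group_candidate(e, base) and uid in e["attrs"].get("memberuid", [])]


def rfc2307bis_groups(entries, user_dn, base):
    """SSSD ldap_schema=rfc2307bis or ipa: match on the user's DN in (member=...)."""
    return [e["dn"] for e in entries if _group_candidate(e, base)
            and user_dn.lower() in [m.lower() for m in e["attrs"].get("member", [])]]


def mep_pointer_report(entries):
    """Pointers the managed-entries plugin maintains itself: mepManagedEntry on origin
    (user) entries and mepManagedBy on managed (group) entries, with whether the target
    is also part of this LDIF."""
    dns = {e["dn"].lower() for e in entries}
    return [{"dn": e["dn"], "attr": attr, "target": t, "target_in_ldif": t.lower() in dns}
            for e in entries for attr in ("mepmanagedentry", "mepmanagedby")
            for t in e["attrs"].get(attr, [])]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LIDF if False else SAMPLE_LDIF)
    user_dn = "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test"
    for base in ("cn=accounts,dc=example,dc=test", "dc=example,dc=test"):
        print(base, "rfc2307:", rfc2307_groups(entries, "jdoe", base),
              "rfc2307bis:", rfc2307bis_groups(entries, user_dn, base))
    for row in mep_pointer_report(entries):
        print(row)
```

Running the two lookups with the client's actual ldap_group_search_base shows directly whether a memberUid-based filter can ever see the compat view from that base. The pointer report lists which entries in an export already carry the attributes the plugin adds on its own; the server's errors log line in the post names exactly that attribute on the origin entry, so this is the list to compare against it before the next import attempt.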
DNS Caching w/ FreeIPA
by TomK
Hello,
How do I manipulate the DNS caching settings in FreeIPA? For example,
how do I adjust the cache size, ttl etc ?
I'm looking to speed up external queries by caching them in FreeIPA to
allow faster lookups on subsequent requests, thereby reducing response
times.
--
Thx,
TK.
1 year, 5 months