ipa: ERROR: Failed to authenticate to CA REST API
by junhou he
ipactl status shows that the services are running normally
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
but ipa cert-show reports an error:
ipa: ERROR: Failed to authenticate to CA REST API
I can't find the relevant error in the IPA log file. Does anyone know how to debug this problem?
1 year, 3 months
Install client fails in Ubuntu 22.04
by Gustavo Berman
Hello there!
Ubuntu 18.04 (and previous ones) works just fine
In Ubuntu 22.04 I'm trying to execute ipa-client-install but it fails with:
root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be
disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was
provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo(a)FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
root@fisica75:~#
There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and cert is just fine.
Any ideas?
Thanks!
--
Gustavo Berman
1 year, 3 months
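The message in the post comes from Python's ssl module (ipa-client-install is a Python program, and the `_ssl.c` suffix is its marker), and it says only that the verifier found no name it was willing to match against 'ipaserver.fisica.cabib'. Current verifiers match the hostname against the certificate's subjectAltName dNSName entries; whether the subject CN is consulted at all varies by client (browsers ignore it; Python's ssl module consults it only when the certificate has no SAN extension), which is how one certificate can pass in a browser and fail in another client. The following is an added example, not FreeIPA code: it implements the RFC 6125 matching rules over the dict shape that `ssl.SSLSocket.getpeercert()` returns, so it can be run offline on the constructed sample certificates below or against a live server via `fetch_peer_cert()`. The sample certificate contents, the `/etc/ipa/ca.crt` path and the wildcard rule of "exactly one leftmost label" are this example's assumptions, not facts from the post.

```python
"""Hostname verification against a certificate's names (RFC 6125 rules).

Added example, not FreeIPA code. Operates on the dict that
ssl.SSLSocket.getpeercert() returns, so it also works on a live peer.
"""
import socket
import ssl
from typing import List, Optional, Tuple


def cert_names(cert: dict) -> Tuple[List[str], Optional[str]]:
    """Return (SAN dNSName entries, subject CN) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single '*' as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # a wildcard must cover exactly one label and never match a bare two-label name
    if len(labels) < 3:
        return False
    return ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """Strict verifier behaviour: SAN dNSName entries decide; the CN is consulted
    only if allow_cn_fallback is set AND the certificate carries no dNSName at all."""
    sans, cn = cert_names(cert)
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    if allow_cn_fallback and cn:
        return _name_matches(cn, hostname)
    return False


def fetch_peer_cert(host: str, port: int = 443, cafile: str = "/etc/ipa/ca.crt") -> dict:
    """Fetch the peer certificate as a getpeercert() dict.

    The chain is still verified against cafile (getpeercert() is empty otherwise),
    but the hostname check is disabled here so hostname_matches() can report why
    a name does or does not match. Assumes the IPA CA cert lives at cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not the real server's certificate).
SAN_CERT = {
    "subject": ((("organizationName", "FISICA.CABIB"),), (("commonName", "ipaserver.fisica.cabib"),)),
    "subjectAltName": (("DNS", "ipaserver.fisica.cabib"),),
}
CN_ONLY_CERT = {
    "subject": ((("organizationName", "FISICA.CABIB"),), (("commonName", "ipaserver.fisica.cabib"),)),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.fisica.cabib"),),),
    "subjectAltName": (("DNS", "*.fisica.cabib"),),
}


if __name__ == "__main__":
    for label, cert in (("SAN", SAN_CERT), ("CN-only", CN_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        strict = hostname_matches(cert, "ipaserver.fisica.cabib")
        legacy = hostname_matches(cert, "ipaserver.fisica.cabib", allow_cn_fallback=True)
        print(f"{label:9} strict={strict!s:5} with-CN-fallback={legacy}")
```

To see which names the server really presents, `openssl s_client -connect ipaserver.fisica.cabib:443 </dev/null | openssl x509 -noout -subject -ext subjectAltName` on the failing client prints the subject and the SAN extension; a name that appears only in the subject CN is the case the `CN_ONLY_CERT` sample models.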
Cannot authenticate using enterprise principal
by Oleg Baranov
Hi Community,
Cannot authenticate using the user's secondary email as an alternative name
(I need to set up an email server with several virtual domains).
According to https://bugzilla.redhat.com/show_bug.cgi?id=1328552 this is
expected to work, but it seems I'm missing something.
Created a fresh VM just to deal with the issue:
[root@mgsauth02 ol]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
[root@mgsauth02 ol]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
All packages are updated.
Repeating the commands from the test script
https://bugzilla.redhat.com/show_bug.cgi?id=1328552#c13
[root@mgsauth02 ol]# ipa user-add tuser --first test --last user --password
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
User login: tuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/tuser
GECOS: test user
Login shell: /bin/sh
Principal name: tuser(a)TESTRELM.CO
Principal alias: tuser(a)TESTRELM.CO
User password expiration: 20221224134753Z
Email address: tuser(a)testrelm.co
UID: 1563000004
GID: 1563000004
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@mgsauth02 ol]# kinit admin
Password for admin(a)TESTRELM.CO:
[root@mgsauth02 ol]# ipa user-add-principal tuser talias talias\\(a)ent.test
---------------------------------
Added new aliases to user "tuser"
---------------------------------
User login: tuser
Principal alias: tuser(a)TESTRELM.CO, talias\@ent.test(a)TESTRELM.CO,
talias(a)TESTRELM.CO
[root@mgsauth02 ol]# kinit talias
Password for talias(a)TESTRELM.CO:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@mgsauth02 ol]# klist
Ticket cache: KCM:0:60382
Default principal: tuser(a)TESTRELM.CO
Valid starting Expires Service principal
12/24/2022 13:51:02 12/25/2022 13:10:41 krbtgt/TESTRELM.CO(a)TESTRELM.CO
[root@mgsauth02 ol]# kinit -C talias
Password for talias(a)TESTRELM.CO:
[root@mgsauth02 ol]# klist
Ticket cache: KCM:0:52413
Default principal: tuser(a)TESTRELM.CO
Valid starting Expires Service principal
12/24/2022 13:52:32 12/25/2022 13:18:25 krbtgt/TESTRELM.CO(a)TESTRELM.CO
So far OK. But when trying the alias in email form:
[root@mgsauth02 ol]# kinit talias\\(a)ent.test
kinit: Client 'talias\@ent.test(a)TESTRELM.CO' not found in Kerberos
database while getting initial credentials
[root@mgsauth02 ol]# kinit -E talias\\(a)ent.test
kinit: Client 'talias\@ent.test(a)TESTRELM.CO' not found in Kerberos
database while getting initial credentials
And the following appears in /var/log/krb5kdc.log:
Dec 24 13:54:32 mgsauth02.infra.smartshell.gg krb5kdc[1119](info):
AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17),
camellia128-cts-cmac(25)}) 10.255.0.252: CLIENT_NOT_FOUND:
talias\@ent.test(a)TESTRELM.CO for krbtgt/TESTRELM.CO(a)TESTRELM.CO, Client
not found in Kerberos database
Dec 24 13:54:32 mgsauth02.infra.smartshell.gg krb5kdc[1119](info):
closing down fd 11
Tried adding "krb5_use_enterprise_principal = True" to sssd.conf as
mentioned in
https://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains but
without any change.
Any advice, please?
1 year, 4 months
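The strings in the post are worth parsing carefully, because `kinit talias\@ent.test` and `kinit -E talias\@ent.test` are handled by different name-parsing rules yet print identically in the KDC log. The following added example (this editor's code, not FreeIPA's or MIT krb5's) implements the MIT-style principal name syntax: a backslash escapes the next character, '/' separates components, the first unescaped '@' starts the realm, and with the enterprise flag (what `kinit -E` requests) the first unescaped '@' is part of the single name component and only a second one starts the realm. `qualified_display_name()` shows what the client sends after the default realm is appended; that both invocations yield `talias\@ent.test@TESTRELM.CO` is why the printed name alone cannot tell you which name type the KDC received. The handling of escapes other than '\\', '@' and '/' is simplified here and is an assumption.

```python
"""Kerberos principal names: backslash escapes and the enterprise-name rule.

Added example, not code from FreeIPA or MIT krb5.
"""
from typing import List, Optional, Tuple

SEPARATORS = "@/\\"  # characters that need a backslash when printed


def parse_principal(text: str, enterprise: bool = False) -> Tuple[List[str], Optional[str]]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    enterprise=True applies the NT-ENTERPRISE rule: the name is one component,
    its first unescaped '@' is literal, and a later '@' starts the realm.
    A missing realm is returned as None (the client fills in its default)."""
    components: List[str] = []
    current: List[str] = []
    realm: Optional[List[str]] = None
    saw_enterprise_at = False
    i = 0
    while i < len(text):
        ch = text[i]
        target = realm if realm is not None else current
        if ch == "\\" and i + 1 < len(text):
            # escaped character: taken literally, any separator meaning removed
            # (simplification: \n, \t, \b, \0 are not decoded here)
            target.append(text[i + 1])
            i += 2
            continue
        if realm is None and ch == "@":
            if enterprise and not saw_enterprise_at:
                saw_enterprise_at = True
                current.append(ch)  # literal '@' inside the enterprise name
            else:
                realm = []
        elif realm is None and ch == "/" and not enterprise:
            components.append("".join(current))
            current = []
        else:
            target.append(ch)
        i += 1
    components.append("".join(current))
    return components, ("".join(realm) if realm is not None else None)


def _escape(s: str) -> str:
    return "".join("\\" + c if c in SEPARATORS else c for c in s)


def unparse_principal(components: List[str], realm: Optional[str]) -> str:
    """Inverse of parse_principal: separators inside names get a backslash,
    which is the form the KDC log prints."""
    name = "/".join(_escape(c) for c in components)
    return name if realm is None else f"{name}@{_escape(realm)}"


def qualified_display_name(text: str, enterprise: bool, default_realm: str) -> str:
    """What the client ends up sending: parsed name plus the default realm if none given."""
    components, realm = parse_principal(text, enterprise=enterprise)
    return unparse_principal(components, realm or default_realm)


if __name__ == "__main__":
    # the two invocations from the post, as typed after the shell removed one backslash
    for flag, typed in ((False, "talias\\@ent.test"), (True, "talias@ent.test")):
        comps, realm = parse_principal(typed, enterprise=flag)
        print(f"enterprise={flag!s:5} components={comps} realm={realm!r} "
              f"sent as {qualified_display_name(typed, flag, 'TESTRELM.CO')}")
```

The pipeline to check on the server side is therefore not the string but the name type in the AS-REQ; `kinit -C talias` in the post is canonicalised to `tuser@TESTRELM.CO` because `talias` is a plain alias of the same entry, while an enterprise name must be resolved by the KDC backend's enterprise lookup before the same canonicalisation can happen.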
ipa upgrade failed
by Martin (Lists)
Hello all
I have a strange issue with one of my IPA servers. After an upgrade from
Fedora 35 to Fedora 37, ipa-server-upgrade failed on the pki-tomcat
part. The ipaupgrade.log says:
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET
https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded; HTML markup and CSS omitted):
HTTP Status 404 – Not Found
Type: Status Report
Message: The requested resource [/ca/rest/account/login] is not available
Description: The origin server did not find a current representation for
the target resource or is not willing to disclose that one exists.
Apache Tomcat/9.0.68
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG File
"/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in
execute
return_value = self.run()
^^^^^^^^^^
File
"/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run server.upgrade()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 2061, in upgrade upgrade_configuration()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 1914, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 458, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2155, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2209, in _create_dogtag_profile with api.Backend.ra_certprofile
as profile_api:
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py",
line 1211, in __enter__ raise
errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST
API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SEVERE [main]
org.apache.catalina.core.StandardContext.startInternal One or more
listeners failed to start. Full details will be found in the appropriate
container log file
21-Dec-2022 16:27:26.948 SEVERE [main]
org.apache.catalina.core.StandardContext.startInternal Context [/ca]
startup failed due to previous errors
the CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to
ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused
with many Java traceback errors following. The directory server is running
at this time and no connection is reported at the given time.
ipa-healthcheck does not give any errors or warnings. Restarting the
pki-tomcat server manually afterwards works fine and does not give
any errors. Starting IPA in force mode gives no errors as well. What can
I do?
Regards
Martin
1 year, 4 months
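Both "Failed to authenticate to CA REST API" reports on this page (junhou he's `ipa cert-show` and Martin's upgrade) end at the same IPA-side error, and the message itself names no cause: it is raised when the login call to `/ca/rest/account/login` does not succeed, for whatever reason. The three logs Martin posted are the places to look, and read together they form one chain: the CA's LDAP connection was refused while pki-tomcat was starting, so the `/ca` web application never deployed, so the REST login got a 404, so IPA reported an authentication failure. The following added example (this editor's script, not FreeIPA's) pulls those three facts out of the respective logs and correlates them; the sample lines are transcribed from the post with the localized Java messages in English, and the line formats it matches are the ones visible there, which is an assumption for other versions.

```python
"""Correlate ipaupgrade.log, catalina.<date>.log and the CA debug log for the
'Failed to authenticate to CA REST API' symptom. Added example, not FreeIPA code."""
import re
from typing import List, Tuple

# Line shapes as they appear in the post; other versions may differ (assumption).
REQ_RE = re.compile(r"DEBUG request (GET|POST|PUT|DELETE) (\S+)")
STATUS_RE = re.compile(r"DEBUG response status (\d{3})")
CTX_FAIL_RE = re.compile(r"Context \[(/[^\]]*)\] startup failed")
CONNECT_RE = re.compile(r"Connecting to ([\w.-]+:\d+)")
SOCKET_FAIL_RE = re.compile(r"Unable to create socket: (java\.net\.\w+)")


def failed_ca_requests(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Pair each 'request METHOD url' with the next 'response status N'; keep non-2xx."""
    pending = None
    failures = []
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = STATUS_RE.search(line)
        if m and pending:
            status = int(m.group(1))
            if not 200 <= status < 300:
                failures.append((pending[0], pending[1], status))
            pending = None
    return failures


def failed_contexts(lines: List[str]) -> List[str]:
    """Tomcat web applications whose startup failed, e.g. '/ca'."""
    return [m.group(1) for line in lines for m in [CTX_FAIL_RE.search(line)] if m]


def refused_ldap_connections(lines: List[str]) -> List[Tuple[str, str]]:
    """(host:port, exception) for each 'Connecting to' followed by a socket failure."""
    target = None
    failures = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            target = m.group(1)
            continue
        m = SOCKET_FAIL_RE.search(line)
        if m and target:
            failures.append((target, m.group(1)))
            target = None
    return failures


def diagnose(upgrade: List[str], catalina: List[str], ca_debug: List[str]) -> List[str]:
    """Individual findings, plus the chain when all three links are present."""
    requests = failed_ca_requests(upgrade)
    contexts = failed_contexts(catalina)
    refused = refused_ldap_connections(ca_debug)
    findings = [f"CA REST call {m} {u} returned {s}" for m, u, s in requests]
    findings += [f"Tomcat web application {c} failed to start" for c in contexts]
    findings += [f"CA could not open its LDAP connection to {t}: {e}" for t, e in refused]
    if "/ca" in contexts and refused and any(s == 404 for _, _, s in requests):
        findings.append("Chain: LDAP refused at CA start -> /ca not deployed -> "
                        "REST login 404 -> 'Failed to authenticate to CA REST API'")
    return findings


# Sample log lines transcribed from the post (constructed input for this example).
IPAUPGRADE_LOG = """\
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
""".splitlines()
CATALINA_LOG = """\
21-Dec-2022 16:27:26.946 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
21-Dec-2022 16:27:26.948 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal Context [/ca] startup failed due to previous errors
""".splitlines()
CA_DEBUG_LOG = """\
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: java.net.ConnectException: Connection refused
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(IPAUPGRADE_LOG, CATALINA_LOG, CA_DEBUG_LOG):
        print(finding)
```

For a real run, pass `open("/var/log/ipaupgrade.log").read().splitlines()` and the corresponding catalina and CA debug files. One caveat when lining the files up by time: ipaupgrade.log stamps in UTC (`15:27:52Z`, matching the `Date:` header of the 404), while the Tomcat and CA debug logs in the post use local time (`16:27:26`), so the CA-side events are about 26 seconds before the failed login, not an hour before it.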
Re: LDAP error after re-initializing replica server
by Hirata, Tyler
I was able to get it working by doing the following.
I tore down the primary server and stood it up again with ipa-server installed and then I restored it from a backup taken today. On the replica server I created another user account because if my understanding of how the re-initialize command works is correct, that user account shouldn’t be on the replica anymore once it re-initializes with the master since it was created after the backup was taken.
After I got the primary restored, I ran the re-initialize command on the replica and it worked!
Because I was curious, I performed the same steps I mentioned above, but this time I used an older backup and I started running into the LDAP issues again.
My question is, do the backups get a little wonky the older they are?
Tyler
From: Hirata, Tyler via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: Wednesday, December 21, 2022 at 8:18 AM
To: Rob Crittenden <rcritten(a)redhat.com>, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Hirata, Tyler <thirata(a)caltech.edu>
Subject: [Freeipa-users] Re: LDAP error after re-initializing replica server
Hi Rob,
I took two backups from this month. The 1st one I tried was from December 5th, and the more recent one was from the 16th. The replica did exist at the time I took the backup.
Are there implications to deleting the replica VMs and starting from scratch? The only way I was able to get the restore to work was: I just restored the primary server, then I deleted the VM the replica was on, rebuilt it, and set up replication from scratch.
Tyler
From: Rob Crittenden <rcritten(a)redhat.com>
Date: Wednesday, December 21, 2022 at 5:49 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Hirata, Tyler <thirata(a)caltech.edu>
Subject: Re: [Freeipa-users] LDAP error after re-initializing replica server
Hirata, Tyler via FreeIPA-users wrote:
> I’m testing out IPA and wanted to see how restoring backups work. I
> successfully restored an older backup to my master node, but when I hop
> on my replica nodes and run the re-initialization command, I get an LDAP
> error. I was wondering if anyone has experienced this?
>
> ipa-replica-manage re-initialize --from ipa1.domain.com
>
> Update in progress, 15 seconds elapsed
>
> [ldaps:// ipa1.domain.com:636] reports: Update failed! Status: [Error
> (49) - LDAP error: Invalid credentials - no response received]
>
>
>
> I’ve cleared all my Kerberos cache by running kdestroy and I restarted
> directory services and rebooted the primary and secondary servers.
How old was this restore? Did the replica exist when the backup was taken?
rob
1 year, 4 months
Re: LDAP error after re-initializing replica server
by Rob Crittenden
Hirata, Tyler via FreeIPA-users wrote:
> I’m testing out IPA and wanted to see how restoring backups work. I
> successfully restored an older backup to my master node, but when I hop
> on my replica nodes and run the re-initialization command, I get an LDAP
> error. I was wondering if anyone has experienced this?
>
> ipa-replica-manage re-initialize --from ipa1.domain.com
>
> Update in progress, 15 seconds elapsed
>
> [ldaps:// ipa1.domain.com:636] reports: Update failed! Status: [Error
> (49) - LDAP error: Invalid credentials - no response received]
>
>
>
> I’ve cleared all my Kerberos cache by running kdestroy and I restarted
> directory services and rebooted the primary and secondary servers.
How old was this restore? Did the replica exist when the backup was taken?
rob
1 year, 4 months
How FreeIPA is connected to 389 Directory Server
by Federico Ferrari
Hi, I'm new to this channel and I'm studying the FreeIPA code in order to understand how things work. I was wondering how FreeIPA works with 389 Directory Server in order to create the LDAP database, and how it syncs with the OS users. If you can provide me a link to the code or a brief explanation of how it works, it would be very much appreciated.
Also, I was wondering whether it would be possible for FreeIPA to support other directory servers such as OpenLDAP, or whether it already supports other servers; in that case, does anyone know which other LDAP servers it supports? Thanks a lot to everyone.
1 year, 4 months