createTimestamp
by phiroc@free.fr
Hello,
is there a way in FreeIPA to access LDAP fields which are not normally accessible, such as createTimeStamp?
Many thanks.
1 year, 4 months
ipa-restore in docker container
by Simon Thorley
Hi all,
I am currently migrating a server from a locally installed FreeIPA setup to a CoreOS container setup and cannot find any documentation for this. I am assuming I am doing something wrong or missing something, as I cannot find anyone else having an issue or even attempting it either. This is a freshly installed OS from an ignition file, so there should be no weirdness coming in from anywhere else.
podman launch line:
bin/podman run --name ipa \
-h thenom-srv1.thenom.local --read-only \
-v /var/lib/ipa-data:/data:Z \
-e IPA_SERVER_IP=192.168.101.6 \
-p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
quay.io/freeipa/freeipa-server:fedora-36
I have finally got a fresh install running in a container, but I am now trying to restore a backup into it from my old server. I have copied an ipa-full directory from my old service into the container's data volume folder on the host. I bash exec into the running IPA container, then run ipa-restore /data/ipa-full-2022-11-11-04-03-19, type in my directory manager password and accept the prompts, then just get a mass stream of tar errors and then a failure:
...
tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
tar: var/lib/ipa: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/lib': Permission denied
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/ca': Permission denied
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat': Permission denied
tar: var/lib/pki: Directory renamed before its status could be extracted
tar: etc/httpd/alias: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'etc/pki/pki-tomcat/ca': Permission denied
tar: etc/pki/pki-tomcat: Directory renamed before its status could be extracted
tar: Exiting with failure status due to previous errors
Restoring umask to 18
NSS is built without support of the legacy database(DBM) directory '/etc/ipa/nssdb'
The ipa-restore command failed. See /data/var/log/iparestore.log for more information
I get similar in the iparestore.log:
...
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/DBVERSION': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_instance.ldif': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_index.ldif': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './files.tar': Operation not supported
tar: setfileconat: Cannot set SELinux context for file '.': Operation not supported
2022-11-13T11:55:38Z DEBUG Starting external process
2022-11-13T11:55:38Z DEBUG args=['tar', '--xattrs', '--selinux', '-xzf', '/tmp/tmp7pt67l7sipa/ipa/files.tar', 'etc/ipa/default.conf']
2022-11-13T11:55:40Z DEBUG Process finished, return code=0
2022-11-13T11:55:40Z DEBUG stdout=
2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported
This seems to make sense because, from what I have read, the SELinux context on these /data files should be system_u:object_r:container_file_t, and I am guessing unchanged\unchangeable due to the environment it's running in.
Any advice appreciated, thanks in advance.
Simon
1 year, 4 months
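Added example, not from the post or the FreeIPA project: a small triage script for output like the tar/ipa-restore lines above. It groups the files whose SELinux label tar could not restore by failure reason and by service tree (var/lib/pki, etc/ipa, ...), and records whether tar was spawned with --selinux/--xattrs, so a practitioner can see which restored trees ended up mislabelled rather than scrolling a wall of errors. The sample log is constructed from the lines quoted in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines modelled on the tar/ipa-restore output
# quoted in the post, not the poster's actual log file.
SAMPLE_LOG = """\
tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
tar: var/lib/ipa: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/ca': Permission denied
tar: Exiting with failure status due to previous errors
2022-11-13T11:55:38Z DEBUG args=['tar', '--xattrs', '--selinux', '-xzf', '/tmp/tmp7pt67l7sipa/ipa/files.tar', 'etc/ipa/default.conf']
2022-11-13T11:55:40Z DEBUG Process finished, return code=0
2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported
"""

# tar reports each file whose label it could not restore, with the errno text.
SETFILECON_RE = re.compile(
    r"tar: setfileconat: Cannot set SELinux context for file '([^']+)': (.+)$")
# ipa-restore logs the exact tar command line it spawned.
TAR_ARGS_RE = re.compile(r"DEBUG args=\[(.*)\]")


def triage_restore_log(text):
    """Summarise SELinux-label failures in ipa-restore / tar output.

    Returns a dict with:
      by_reason:   {errno text: [paths]}  files that ended up unlabelled, and why
      top_dirs:    Counter of the first three path components, so the affected
                   service trees (var/lib/pki, etc/ipa, ...) stand out
      label_flags: tar flags seen that ask for label/xattr restoration
      exit_failed: True if tar reported a failure exit status
    """
    by_reason = defaultdict(list)
    top_dirs = Counter()
    label_flags = set()
    exit_failed = False
    for line in text.splitlines():
        m = SETFILECON_RE.search(line)
        if m:
            path, reason = m.group(1), m.group(2).strip()
            by_reason[reason].append(path)
            top_dirs["/".join(path.strip("./").split("/")[:3])] += 1
            continue
        m = TAR_ARGS_RE.search(line)
        if m:
            args = [a.strip(" '") for a in m.group(1).split(",")]
            label_flags.update(a for a in args if a in ("--selinux", "--xattrs"))
        if "Exiting with failure status" in line:
            exit_failed = True
    return {"by_reason": dict(by_reason), "top_dirs": top_dirs,
            "label_flags": label_flags, "exit_failed": exit_failed}
```

"Permission denied" and "Operation not supported" are worth keeping apart: the first says the caller was not allowed to set the label, the second that the filesystem or mount refused label changes altogether.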
[SSSD] Announcing SSSD 2.8.2
by Pavel Březina
# SSSD 2.8.2
The SSSD team is announcing the release of version 2.8.2 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.8.2
See the full release notes at:
https://sssd.io/release-notes/sssd-2.8.2.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* SSSD can be configured not to perform a DNS search during DNS name
resolution. This behavior is governed by the new
dns_resolver_use_search_list option, which can be used in the domain
section. The default value is true, which means that SSSD follows the
system settings.
* `--enable-files-domain` configure option is deprecated and will be
removed in one of the next versions of SSSD.
* The `sssctl analyze` tool no longer needs to be run as root.
### New features
* New mapping templates for serial number, subject key id, SID,
certificate hashes and DN components are added to libsss_certmap.
1 year, 4 months
Using the 'member managers' functionality in the FreeIPA web GUI: is it currently possible?
by Martin Gignac
Hi,
I've recently gone from an old version of IDM on CentOS 7 to FreeIPA 4.10.1 on Fedora 37. One difference I noticed on FreeIPA is the addition of the 'member managers' attribute for groups. I initially thought that adding a user to the 'member managers' attribute of a given group would allow this user to manage membership for that group in the FreeIPA web GUI, but when an unprivileged user accesses the GUI, all they see are the 'Users' and 'OTP Tokens' tabs. This section of the documentation (https://freeipa.readthedocs.io/en/latest/designs/membermanager.html) gives an example of how to do it with the ipa CLI, but I didn't see any reference to performing the same operation with the GUI.
Is there a way for unprivileged users to use the 'member managers' functionality in the GUI, or is the feature currently limited to the CLI and API?
Thanks,
-Martin
1 year, 4 months
Re: Indirect/nested group membership behaviour change in 4.6.8
by Rob Crittenden
Trond Strømme via FreeIPA-users wrote:
> Hi,
>
> We experienced the same where we now only see direct memberships.
> During the wee hours of Dec 7. We saw a crash in our IPA server, running
> Centos 7
>
> (we're using nss-pam-ldapd on our hosts, which are running OEL7)
>
> They've gotten indirect/nested memberships without any problems previously.
>
> From our yum logs we can see that the last few days we've got the
> following updated packages:
>
> Nov 22 05:24:29 Installed: kernel.x86_64 3.10.0-1160.80.1.el7
> Nov 22 05:25:27 Updated: microcode_ctl.x86_64 2:2.1-73.15.el7_9
> Dec 01 05:22:47 Updated: krb5-libs.x86_64 1.15.1-55.el7_9
> Dec 01 05:22:47 Updated: libkadm5.x86_64 1.15.1-55.el7_9
> Dec 01 05:22:47 Updated: krb5-workstation.x86_64 1.15.1-55.el7_9
> Dec 01 05:22:47 Updated: krb5-devel.x86_64 1.15.1-55.el7_9
> Dec 01 05:22:48 Updated: krb5-server.x86_64 1.15.1-55.el7_9
> Dec 01 05:22:48 Updated: krb5-pkinit.x86_64 1.15.1-55.el7_9
> Dec 01 05:22:50 Updated: tzdata.noarch 2022f-1.el7
> Dec 01 05:22:50 Updated: hsqldb.noarch 1:1.8.1.3-15.el7_9
> Dec 01 05:22:51 Updated: tzdata-java.noarch 2022f-1.el7
> Dec 01 05:22:51 Updated: kpartx.x86_64 0.4.9-136.el7_9
>
> We did see the Directory Service being in a STOPPED state, on `ipactl start`
>
> We get the following:
>
> [root@ipa slapd-REDACTED-REDACTEDSOMEMORE]# ipactl start
> IPA version error: data needs to be upgraded (expected version
> '4.6.8-5.el7.centos.12', current version '4.6.8-5.el7.centos.11')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> [76068899.913648] ns-slapd[6185]: segfault at 10 ip 00007f997c761460 sp
> 00007f99886cc760 error 4 in libcos-plugin.so[7f997c75e000+a000]
A crash is bad though probably not related to nesting. I'd suggest
opening a bug against your package provider, Oracle I presume, and/or
against the 389-ds project. You'll want to install the debuginfo
packages and reproduce the crash so you can get a stack trace which may
show what is going on.
rob
>
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting httpd Service
> Starting ipa-custodia Service
> Starting ntpd Service
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
>
> from the ipaupgrade.log
>
> 2022-12-07T03:07:58Z ERROR Introspect error on
> :1.25883111:/org/fedorahosted/certmonger: dbus.exceptions.DBusException:
> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
> causes include: the remote application did not send a reply, the message
> bus security policy blocked the reply, the reply timeout expired, or the
> network connection was broken.
> 2022-12-07T03:07:58Z DEBUG Executing introspect queue due to error
> 2022-12-07T03:08:23Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2022-12-07T03:08:23Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
>     server.upgrade()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 2190, in upgrade
>     upgrade_configuration()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1930, in upgrade_configuration
>     http.configure_certmonger_renewal_guard()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py",
> line 335, in configure_certmonger_renewal_guard
>     path = iface.find_ca_by_nickname('IPA')
>   File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in
> __call__
>     return self._proxy_method(*args, **keywords)
>   File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145,
> in __call__
>     **keywords)
>   File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line
> 651, in call_blocking
>     message, timeout)
>
> 2022-12-07T03:08:23Z DEBUG The ipa-server-upgrade command failed,
> exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not
> receive a reply. Possible causes include: the remote application did not
> send a reply, the message bus security policy blocked the reply, the
> reply timeout expired, or the network connection was broken.
> 2022-12-07T03:08:23Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a
> reply. Possible causes include: the remote application did not send a
> reply, the message bus security policy blocked the reply, the reply
> timeout expired, or the network connection was broken.
>
> And
>
> 2022-12-07T07:05:05Z DEBUG stderr=certutil: Could not find cert: ipaCert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> The upgrade log can be provided if needed
>
> Best Regards
>
> Trond Strømme
>
> "This email with attachments is solely for the use of the individual or
> entity to which it is addressed. It may contain confidential or
> privileged information. If you are not the addressee, please notify the
> sender and delete this message and all attachments from your files."
1 year, 4 months
Re: Indirect/nested group membership behaviour change in 4.6.8
by Trond Strømme
Hi,
We experienced the same where we now only see direct memberships.
During the wee hours of Dec 7. We saw a crash in our IPA server, running Centos 7
(we're using nss-pam-ldapd on our hosts, which are running OEL7)
They've gotten indirect/nested memberships without any problems previously.
From our yum logs we can see that the last few days we've got the following updated packages:
Nov 22 05:24:29 Installed: kernel.x86_64 3.10.0-1160.80.1.el7
Nov 22 05:25:27 Updated: microcode_ctl.x86_64 2:2.1-73.15.el7_9
Dec 01 05:22:47 Updated: krb5-libs.x86_64 1.15.1-55.el7_9
Dec 01 05:22:47 Updated: libkadm5.x86_64 1.15.1-55.el7_9
Dec 01 05:22:47 Updated: krb5-workstation.x86_64 1.15.1-55.el7_9
Dec 01 05:22:47 Updated: krb5-devel.x86_64 1.15.1-55.el7_9
Dec 01 05:22:48 Updated: krb5-server.x86_64 1.15.1-55.el7_9
Dec 01 05:22:48 Updated: krb5-pkinit.x86_64 1.15.1-55.el7_9
Dec 01 05:22:50 Updated: tzdata.noarch 2022f-1.el7
Dec 01 05:22:50 Updated: hsqldb.noarch 1:1.8.1.3-15.el7_9
Dec 01 05:22:51 Updated: tzdata-java.noarch 2022f-1.el7
Dec 01 05:22:51 Updated: kpartx.x86_64 0.4.9-136.el7_9
We did see the Directory Service being in a STOPPED state, on `ipactl start`
We get the following:
[root@ipa slapd-REDACTED-REDACTEDSOMEMORE]# ipactl start
IPA version error: data needs to be upgraded (expected version '4.6.8-5.el7.centos.12', current version '4.6.8-5.el7.centos.11')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
[76068899.913648] ns-slapd[6185]: segfault at 10 ip 00007f997c761460 sp 00007f99886cc760 error 4 in libcos-plugin.so[7f997c75e000+a000]
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
from the ipaupgrade.log
2022-12-07T03:07:58Z ERROR Introspect error on :1.25883111:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2022-12-07T03:07:58Z DEBUG Executing introspect queue due to error
2022-12-07T03:08:23Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-07T03:08:23Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2190, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1930, in upgrade_configuration
    http.configure_certmonger_renewal_guard()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 335, in configure_certmonger_renewal_guard
    path = iface.find_ca_by_nickname('IPA')
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
2022-12-07T03:08:23Z DEBUG The ipa-server-upgrade command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2022-12-07T03:08:23Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
And
2022-12-07T07:05:05Z DEBUG stderr=certutil: Could not find cert: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
The upgrade log can be provided if needed
Best Regards
Trond Strømme
"This email with attachments is solely for the use of the individual or entity to which it is addressed. It may contain confidential or privileged information. If you are not the addressee, please notify the sender and delete this message and all attachments from your files."
1 year, 4 months
idranges & NT_STATUS_NO_IMPERSONATION_TOKEN - ?
by lejeczek
Hi Gents.
I have a user with UID of 57500500 and Samba's clients would
fail with: NT_STATUS_NO_IMPERSONATION_TOKEN while trying to
connect/authenticate.
There was no idrange in the domain for that ID, so I
created one:
...
Range name: CCN.PRIVATE_id_range
First Posix ID of the range: 57400000
Number of IDs in the range: 9999
First RID of the corresponding RID range: 57400000
First RID of the secondary RID range: 57409999
Range type: local domain range
and
-> $ ipa-replica-manage dnarange-show
drunk.in.ccn: 57400000-57409999
sucker.in.ccn: 1600700501-160079999
but I still cannot samba-connect to the service/server,
still fails with the same error.
Would you know what is wrong and/or what I'm missing - all
thoughts shared are much appreciated.
many thanks, L.
1 year, 4 months
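Added example, not from the thread or the FreeIPA project: a coverage check for the situation above. It parses `ipa idrange`-style output and `ipa-replica-manage dnarange-show` lines (the constructed samples use the values quoted in the post), then reports which ID range, if any, spans a given UID (a range of N IDs starting at F covers F..F+N-1, and a UID outside every range has no RID base to map it to a SID) and flags any DNA range whose upper bound is below its lower bound.

```python
import re

# Constructed from the idrange and dnarange-show output quoted in the post;
# the values are the poster's, the parser and checks are added here.
IDRANGE_TEXT = """\
Range name: CCN.PRIVATE_id_range
First Posix ID of the range: 57400000
Number of IDs in the range: 9999
First RID of the corresponding RID range: 57400000
First RID of the secondary RID range: 57409999
Range type: local domain range
"""

DNARANGE_TEXT = """\
drunk.in.ccn: 57400000-57409999
sucker.in.ccn: 1600700501-160079999
"""


def parse_idranges(text):
    """Parse idrange output into (name, first, last) tuples.
    A range of N IDs starting at F covers F .. F+N-1 inclusive."""
    ranges, cur = [], {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Range name":
            cur = {"name": val}
        elif key == "First Posix ID of the range":
            cur["first"] = int(val)
        elif key == "Number of IDs in the range":
            last = cur["first"] + int(val) - 1
            ranges.append((cur["name"], cur["first"], last))
    return ranges


def parse_dnaranges(text):
    """Parse `ipa-replica-manage dnarange-show` lines into (server, lo, hi)."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\S+):\s*(\d+)-(\d+)$", line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def covering_ranges(uid, ranges):
    """Names of ranges whose span contains uid; empty means no range (and
    so no RID base) applies to that user."""
    return [name for name, lo, hi in ranges if lo <= uid <= hi]


def malformed_dnaranges(dnaranges):
    """DNA ranges whose upper bound is below the lower bound."""
    return [srv for srv, lo, hi in dnaranges if hi < lo]
```

With the posted values, `covering_ranges(57500500, parse_idranges(IDRANGE_TEXT))` comes back empty, and the second dnarange line is flagged as malformed as written.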
New fields
by phiroc@free.fr
Good morning,
Is it possible to create new fields in Freeipa using the IPA CLI?
Furthermore, how can you access LDAP fields (eg. the account creation date) from ipa ?
Many thanks.
Philippe
1 year, 4 months
Dumping Freeipa
by Philippe de Rochambeau
Hello,
In Freeipa 2.0, is there a way to dump the FI for backup purposes?
Many thanks.
Philippe
1 year, 4 months