March 2022 - FreeIPA-users - Fedora Mailing-Lists

by lejeczek

Hi guys. According to 'ipa-healthcheck' there are lots of problems with my IPA ... "key": "cert-file=/var/lib/ipa/ra-agent.pem, key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" ... "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"auditSigningCert cert-pki-ca\", template-profile=caSignedLogCert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" ... ... { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "1f431916-88ae-4cf0-8dd1-c55914cf3801", "when": "20220315184602Z", "duration": "0.178625", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, ... 'ipa-restore' does not seem to fix anything there. What happens there and more importantly, how to troubleshoot/fix? many thanks, L.

2 years, 1 month

2
1
0 / 0

IPA CA allow CSR SAN names in external domains

by Steve Dainard

Hello I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be able to add SAN's for a different dns domain than exists in the IPA realm. The dns for 'otherdomain.com' is handled by active directory which my IPA server has a cross-forest trust with. ie: host: client1.ipadomain.com certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com, servicename.otherdomain.com When I try to submit this CSR with 'ipa-getcert request' the IPA server denies with: "The service principal for subject alt name servicename.otherdomain.com in certificate request does not exist" It seems that the default CAACL enforces a profile named 'caIPAserviceCert', but I'm having some trouble determining what can be modified (or cloned and changed in a new profile) that would allow the CA to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the SAN. This is the only section in the profile that contains SAN: policyset.serverCertSet.12.constraint.class_id=noConstraintImpl policyset.serverCertSet.12.constraint.name=No Constraint policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Thanks, Steve

2 years, 1 month

3
3
2 / 0

Expired (web/dirsv) 3rd party cert - pki-tomcatd unable to start - cannot update cert - IPA Error 4301: CertificateOperationError - help!

by Morgan Cox

Hi We have a pair of Freeipa (4.9.x) Rhel8 Freeipa servers. Previously we had installed a 3rd party cert for httpd + dirsrv (only) - this expired recently. I was unable to login to ui . This issue however may not be connected with this. It appears to be linked to Tomcat -> LDAPS connectiopn ?? - error when trying to login was 'Login failed due to an unknown reason' I could login if I changed server time to the past - but the certificates page is broken 'Certificate operation cannot be completed: Unable to communicate with CMS (503)' (time has been set back to normal now) As a result I cannot renew my httpd/dirsv cert Can anyone help me restore pki-tomcatd ? This may not be connected to web/dirsv cert expiry (and just be a coincidence) If I try using # ipa-server-certinstall --http --dirsrv ireland.idm.domain.uk.key ireland.idm.domain.uk.crt I get ----- Directory Manager password: Enter private key unlock password: cannot connect to 'https://london.idm.domain.uk:443/acme/directory': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) The ipa-server-certinstall command failed. ---- I can however install the cert to just the dirsv --- [root@london mcox]# ipa-server-certinstall --dirsrv london.idm.domain.uk.key london.idm.domain.uk.crt Directory Manager password: Enter private key unlock password: Please restart ipa services after installing certificate (ipactl restart) --- However after ipactl restart -> pki-tomcatd Service: STOPPED (all other services are working) The main IPA system aside from this appears to work - i.e I can login and sudo to clients, and kinit, etc works As a work-around I can login to the UI if I manually copy the cert/key to /var/lib/ipa/certs/httpd.crt /var/lib/ipa/private/httpd.key However the pki-tomcatd service is still down - I see these errors - On certifcates tab : IPA Error 4301: CertificateOperationError - Certificate operation cannot be completed: Unable to communicate with CMS (503) - On Certificate authorities pages I see : Some operations failed -> details -> Failed to authenticate to CA REST API pki-tomcatd logs show ------- Mar 11 12:54:10 london.idm.domain.uk systemd[1]: Starting PKI Tomcat Server pki-tomcat... Mar 11 12:54:15 london.idm.domain.uk server[509585]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Mar 11 12:54:15 london.idm.domain.uk server[509585]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar Mar 11 12:54:15 london.idm.domain.uk server[509585]: main class used: org.apache.catalina.startup.Bootstrap Mar 11 12:54:15 london.idm.domain.uk server[509585]: flags used: -Dcom.redhat.fips=false Mar 11 12:54:15 london.idm.domain.uk server[509585]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Mar 11 12:54:15 london.idm.domain.uk server[509585]: arguments used: start Mar 11 12:54:16 london.idm.domain.uk ipa-pki-wait-running[509586]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes). Mar 11 12:54:16 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Created connection http://london.idm.domain.uk:8080/ca Mar 11 12:54:16 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb6c264e668>: Failed to establish a new connection: [Errno 111] Connection refused',)) Mar 11 12:54:17 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb6c264ea58>: Failed to establish a new connection: [Errno 111] Connection refused',)) Mar 11 12:54:18 london.idm.domain.uk server[509585]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]] Mar 11 12:54:19 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Read timed out. (read timeout=1.0) Mar 11 12:54:21 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Read timed out. (read timeout=1.0) Mar 11 12:54:23 london.idm.domain.uk server[509585]: SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file Mar 11 12:54:23 london.idm.domain.uk server[509585]: SEVERE: Context [/ca] startup failed due to previous errors Mar 11 12:54:23 london.idm.domain.uk server[509585]: WARNING: The web application [ca] appears to have started a thread named [LDAPConnThread-0 ldaps://london.idm.domain.uk:636] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread: Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead0(Native Method) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead(SocketInputStream.java:116) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:171) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:141) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:127) Mar 11 12:54:23 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method) Mar 11 12:54:23 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1505) Mar 11 12:54:23 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:43) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.fill(BufferedInputStream.java:246) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.read(BufferedInputStream.java:265) Mar 11 12:54:23 london.idm.domain.uk server[509585]: netscape.ldap.ber.stream.BERElement.getElement(Unknown Source) Mar 11 12:54:23 london.idm.domain.uk server[509585]: netscape.ldap.LDAPConnThread.run(Unknown Source) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.lang.Thread.run(Thread.java:748) Mar 11 12:54:23 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Read timed out. (read timeout=1.0) Mar 11 12:54:24 london.idm.domain.uk server[509585]: SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file Mar 11 12:54:24 london.idm.domain.uk server[509585]: SEVERE: Context [/acme] startup failed due to previous errors Mar 11 12:54:24 london.idm.domain.uk server[509585]: WARNING: The web application [acme] appears to have started a thread named [LDAPConnThread-1 ldaps://london.idm.domain.uk:636] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread: Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead0(Native Method) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead(SocketInputStream.java:116) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:171) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:141) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:127) Mar 11 12:54:24 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method) Mar 11 12:54:24 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1505) Mar 11 12:54:24 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:43) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.fill(BufferedInputStream.java:246) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.read(BufferedInputStream.java:265) Mar 11 12:54:24 london.idm.domain.uk server[509585]: netscape.ldap.ber.stream.BERElement.getElement(Unknown Source) Mar 11 12:54:24 london.idm.domain.uk server[509585]: netscape.ldap.LDAPConnThread.run(Unknown Source) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.lang.Thread.run(Thread.java:748) Mar 11 12:54:25 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://london.idm.domain.uk:8080/ca/admin/ca/getStatus Mar 11 12:54:26 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://london.idm.domain.uk:8080/ca/admin/ca/getStatus Mar 11 12:54:27 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://london.idm.domain.uk:8080/ca/admin/ca/getStatus ... ------- Other logs show : (i've just added the main error - not entire java error /var/log/pki/pki-tomcat/acme/debug.2022-03-11.log : ----- 12:34:01 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.acme.server.ACMEEngine] java.lang.RuntimeException: Unable to start ACME engine: Unable to connect to LDAP server: Authentication failed ----- /var/log/pki/pki-tomcat/ca/debug.2022-03-11.log : ----- 2022-03-11 12:33:59 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP server: Authentication failed Unable to connect to L2022-03-11 12:33:59 [main] INFO: Shutting down CA subsystem .... 2022-03-11 12:33:59 [main] SEVERE: Exception sending context destroyed event to listener instance of class [org.dogtagpki.server.ca.CAEngine] java.lang.NullPointerException DAP server: Authentication failed ----- I have checked this -> # getcert list |grep expire expires: 2024-02-13 00:32:37 GMT expires: unknown expires: unknown expires: unknown expires: unknown expires: 2024-01-22 00:29:51 GMT expires: 2024-01-22 00:30:38 GMT And I have ran ipa-healthcheck I can see ---- Expired Cert: ocsp_signing Expired Cert: subsystem Expired Cert: audit_signing Internal server error 503 Server Error: Service Unavailable for url: http://london.idm.domain.uk:80/ca/rest/securityDomain/domainInfo Internal server error HTTPSConnectionPool(host='london.idm.domain.uk', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc4e6c58198>: Failed to establish a new connection: [Errno 111] Connection refused',)) --- Also some expired certs "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "36c8fbed-571d-4d38-9919-53322fea4aa2", "when": "20220311130832Z", "duration": "0.188329", "kw": { "cert_id": "ocsp_signing", "expiry_date": "Mar 01 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "195970e4-e2fd-4eca-aeac-f1e97e9c3b13", "when": "20220311130832Z", "duration": "0.360146", "kw": { "cert_id": "subsystem", "expiry_date": "Mar 01 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "a84a9bc5-de4d-4cdc-b7fd-41b83f3a11af", "when": "20220311130833Z", "duration": "0.454225", "kw": { "cert_id": "audit_signing", "expiry_date": "Mar 01 2022", "msg": "Certificate has ALREADY EXPIRED" } I have attached the full output of healthcheck to : https://pastebin.com/xfNLR0Ja (domain name changed) On the last ipa update there was also a issue with pki-tomcatd - i.e - I have to remove the block 'requiredSecret=' in /etc/pki/pki-tomcat/server.xml to fix it, this was however working for a month or so after . Any help to troubleshooting this would be welcomed Thanks

2 years, 1 month

2
1
0 / 0

Unable to add a new replica - "adding fallback group" fails

by Ricardo Mendes

Hi there, I'm unable to add a new replica to the cluster as it fails: Configuring SID generation [1/8]: creating samba domain object Samba domain object already exists [2/8]: adding admin(group) SIDs Admin SID already set, nothing to do Admin group SID already set, nothing to do [3/8]: adding RID bases RID bases already set, nothing to do [4/8]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [5/8]: activating sidgen task [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [7/8]: adding fallback group Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') Failed to add fallback group. [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ==================== From ipareplica-install.log ==================== adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom0,dc=io" 2022-02-04T16:41:54Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldap_add: Operations error (1) additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. 2022-02-04T16:41:54Z CRITICAL Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL au thentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z DEBUG Failed to add fallback group. 2022-02-04T16:41:54Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1087, in error_handler yield File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1587, in find_entries raise e File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1547, in find_entries result = self.conn.result3(id, 0) File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call reraise(exc_type, exc_value, exc_traceback) File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise raise exc_value File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call result = func(*args,**kwargs) ldap.NO_SUCH_OBJECT: {'msgtype': 101, 'msgid': 4, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'cn=groups,cn=accounts,dc=dom0,dc=io'} During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 327, in __add_fallback_group api.Backend.ldap2.get_entry(fb_group_dn) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1941, in get_entry dn, attrs_list, time_limit, size_limit, get_effective_rights File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1644, in get_entry size_limit=size_limit, get_effective_rights=get_effective_rights, File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1456, in get_entries **kwargs) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1594, in find_entries break File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1097, in error_handler raise errors.NotFound(reason=arg_desc or 'no such entry') ipalib.errors.NotFound: no such entry During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group raise e File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group self._ldap_mod('default-smb-group.ldif', self.sub_dict) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod ipautil.run(args, nolog=nologlist) File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in run p.returncode, arg_string, output_log, error_log ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z DEBUG [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 603, in main replica_install(self) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install adtrust.install(False, options, fstore, api) File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install smb.create_instance() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 895, in create_instance self.start_creation(show_service_name=False) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group raise e File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group self._ldap_mod('default-smb-group.ldif', self.sub_dict) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod ipautil.run(args, nolog=nologlist) File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in run p.returncode, arg_string, output_log, error_log 2022-02-04T16:41:54Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z ERROR CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Before this failed entry, other entries have been added successfully. Best regards. Ricardo M.

2 years, 1 month

2
14
0 / 0

services & certificates for domain record

by lejeczek

Hi guys. I've fiddled a bit - IPA allows me to create host/service/cert for its domain/realm - @ record - will I not brake something having services/certs like that? many thanks, L.

2 years, 1 month

2
1
0 / 0

make some order into host list

by Nathanaël Blanchet

Hello, I try to order my host list by filtering out the enrollment field. I tried *ipa host-show vm500-dev.couchant.abes.fr --all* and I can get the keytab param to false, which seems to be the equivalent of non enrollment. Now I try to find an option to *ipa host-find* to filter out all those non enrolled hosts but none such option seems to exist. My goal is to create a loop with correspondant hostnames to delete such hosts. Thank you -- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet(a)abes.fr

2 years, 1 month

2
1
0 / 0

Strange CA error during FreeIPA connection

by Alessandro Minonzio

Hi, I report this issue about FreeIPA server: ------------------------------------------------------------------------------------------------------------------ Request for enhancement A strange error is occurring when I try to access my FreeIPA. Issue The problem occurs when I try to access the FreeIPA portal. "The message occurs saying IPA Error 4301: CertificateOperationError" "Certificate operation cannot be completed: Unable to communicate with CMS (500)" in Certificate Authority appear: "cannot connect to 'https://xyz.xxxxxhq.it:443/ca/rest/account/login': <https://xyz.xxxxxhq.it/ca/rest/account/login':> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)" and if I try to connect with KINIT ADMIN command on the console appear this error: "kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting initial credentials" Actual behavior Serverweb and console with kinit admin doesn't work. LDAPADMIN tool too. Version/Release/Distribution package freeipa-server is not installed package freeipa-client is not installed ipa-server-4.6.5-11.el7.centos.3.x86_64 ipa-client-4.6.5-11.el7.centos.3.x86_64 389-ds-base-1.3.9.1-12.el7_7.x86_64 pki-ca-10.5.16-5.el7_7.noarch krb5-server-1.15.1-37.el7_7.2.x86_64 Additional info: maybe it's a problem with CA but how is the process to solve that issue? The fact is that this behavior it's on a replica FreeIPA server with CA and DOMAIN. There is a resolution or a command to solve that? ------------------------------------------------------------------------------------------------------------------ could you help me please? Best regards, AM

2 years, 1 month

2
5
0 / 0

Error "IPA Error 4002: DuplicateEntry"

by Charles P

Hi Folks, I'm new here so please kindly let me know if I go wrong... I'm hoping someone can help me with diagnosing this problem. I recently installed FreeIPA on a CentOS 8 LXC container. Everything was working quite well, I had a few users set up and my first objective was to set up Postfix/Dovecot for virtual user/mailbox support using LDAP against FreeIPA. Background: Following the excellent instructions here https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfi... was mostly straight forward. I'm fairly familiar with Postfix but the instructions called for extending the LDAP schema to add a new class with two attributes (At least i think that's how it's correctly described) for *maildrop* and *mailacceptinggeneralid*. The article doesn't specifically relate to FreeIPA or 389Dir so to work out how to extend the schema I had to cross reference other material and this may be where I have gone wrong - it took a couple of goes. However I eventually added an ldif file to /etc/dirsrv/slapd-PILLARAMA-NET/schema/ and restarted FreeIPA without error. I also wrote and installed a js plugin for the webUI to /usr/share/ipa/ui/js/plugins/ which was based closely on a NextCloud Quota plugin found here https://github.com/radiorabe/freeipa-extending-ldap-schema-and-ui/issues/2 Here is the content of my LDIF: *dn: cn=schema cn: postfix attributetypes: (1.3.6.1.4.1.4203.666.1.200 NAME 'mailacceptinggeneralid' DESC 'Postfix mail local address alias attribute' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}) attributetypes: (1.3.6.1.4.1.4203.666.1.201 NAME 'maildrop' DESC 'Postfix mail final destination attribute' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}) objectclasses: (1.3.6.1.4.1.4203.666.1.100 NAME 'postfixuser' DESC 'Postfix mail user class' SUP top AUXILIARY MAY(mailacceptinggeneralid $ maildrop))* I can supply the web UI plugin code as well if anyone thinks it's related but it's probably a bit long to paste in here. This mostly seems to work (I have one issue where only the Directory Admin can read those attributes not the new PostFix bind user I created, but that's not what concerned about fixing yet unless it's somehow related). The Problem: After successfully getting Postfix and Dovecot up and running with virtual user accounts I momentarily celebrated... until I tried to create another new user in FreeIPA to discover that every single user account I try to create complains that it's a duplicate user - no matter what random and definitely unique username I choose. Here is the error in the webinterface: IPA Error 4002: DuplicateEntry *user with name "newuserthatsdefinitelyunique" already exists* I have looked for logs but not found much that was helpful. The most relevant I found was actually /var/log/httpd/error_log which says: *[Tue Mar 08 12:08:19.420195 2022] [wsgi:error] [pid 28301:tid 139989980104448] [remote 192.168.100.26:49712 <http://192.168.100.26:49712>] ipa: INFO: [jsonserver_session] admin(a)PILLARAMA.NET <n(a)PILLARAMA.NET>: user_add('newuserthatsdefinitelyunique', givenname='New', sn='User', version='2.245'): DuplicateEntry * But again - not much to go on. I have tried to remove the schema extension but when I remove the class from IPAServer->Configuration>Default user objectclasses in the web interface I get this error: IPA Error 3009: ValidationError *invalid 'ipauserobjectclasses': user default attribute postfixmailacceptinggeneralid would not be allowed!* Which I could guess what that means - I suppose because those attributes are now in use the class can't be safely removed? Either way I don't know how to proceed and don't even know if the schema extension is the problem or not trying hard to removine it straight after I got it working doesn't seem that appealing. I really don't know where to look from here - I've been Googling for days but being new to the whole LDAP/FreeIPA stack I may not be searching well. I don't know if this is a FreeIPA issue or a 389Dir issue nor if I created the problem with the schema extension or something else I did trying to install that extension, or if it's unrelated. Please can someone give me some direction about where to look? I would rather try to learn from my mistakes and fix this install than scrap it and just blindly start from scratch, possibly repeating the same mistake again. Thanks in advance! Pillarama

2 years, 1 month

2
3
0 / 0

IPA users accessing AD machines

by Cyrus

Hello!, I'm in a interop puzzle dilemma, hope you can help me out. Currently all our user accounts are hosted in an Active Directory environment we don't own (another team handles that for us), acme.tld for this discussion. We're in the need to implement: - FreeIPA to handle our linux machine accounts and process/app users with ipa.domain.tld - FreeIPA (same as above or different cluster?) to handle external provider accounts with ext.domain.tld - Own AD Controllers to handle our Windows machines with ad.domain.tld The aim is: 1. Allow acme.tld users to access ipa.domain.tld machines. 2. Allow acme.tld users to access ad.domain.tld machines 3. Allow ext.domain.tld users to access ipa.domain.tld machines 4. Allow ext.domain.tld users to access ad.domain.tld machines 1 seems to be solved trusting acme.tld on FreeIPA side 2 seems to be solved trusting acme.tld on AD side Not sure how to solve 3 and 4, can you provide any recommendation?. Regards, CI.-

2 years, 1 month

2
3
0 / 0

Problem with "Login failed due to an unknown reason" / PKINIT OpenSSL error

by Ville Teronen

Hello, We are currently experiencing strange behavior on FreeIPA system related to PKINIT OpenSSL error when trying to log in through FreeIPA web gui. This started happening as we upgraded our second replica with "dnf ugprade". Freeipa packages in themself haven't been updated. Our setup is basically as follows. ipa.tre-1.web1.fi ipa.tku-2.web1.fi <-- the one not working. GUI throws an error "Login failed due to an unknown reason" httpd error log has the following line after error: [Fri Feb 25 19:32:50.776457 2022] [wsgi:error] [pid 17977:tid 18319] [remote 10.20.11.2:49472] ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_17977', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n') Now if I try to run " KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15581 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem" I get the following output [19260] 1645812760.557398: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)IPA.WEB1.FI [19260] 1645812760.557400: Sending unauthenticated request [19260] 1645812760.557401: Sending request (186 bytes) to IPA.WEB1.FI [19260] 1645812760.557402: Initiating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557403: Sending TCP request to stream 10.20.13.5:88 [19260] 1645812760.557404: Received answer (538 bytes) from stream 10.20.13.5:88 [19260] 1645812760.557405: Terminating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557406: Response was from primary KDC [19260] 1645812760.557407: Received error from KDC: -1765328359/Additional pre-authentication required [19260] 1645812760.557410: Preauthenticating using KDC method data [19260] 1645812760.557411: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133) [19260] 1645812760.557412: Selected etype info: etype aes256-cts, salt "IPA.WEB1.FIWELLKNOWNANONYMOUS", params "" [19260] 1645812760.557413: Received cookie: MIT1\x00\x00\x00\x01\x8f\xcb\x99\x9c~\xed!^Qj\xa3\x0a\x82~\xe94\x04\x0ck[j=\x08\xd2\x97j'K2\x8f\xa0\xf6\xc3\x89Z@\x8b]\xc3K\xc2h\xfa\xaek\x11\x91y\xc9\xf0\xadG\x13\x9a\xb2\xb6\x1c\x12\xbfr\x0a'Z\xfe\x12\x81\x1a>2\x8c\x1a\xf2\x96\xdc]&qH\x08\x1f\x0d\xc0a{\xe8\xff\xbbF\x9c\x86`\xd6G\xc4*5\xccL\xc1m\xc0\xa7b\x8b]od\xfa*\xd4.bmB\x9d\x92\xb7\xf9($\xa4D\xea\xcd\xc6\xe3p\xac$\xf4 [19260] 1645812760.557414: Preauth module pkinit (147) (info) returned: 0/Success [19260] 1645812760.557415: PKINIT client received freshness token from KDC [19260] 1645812760.557416: Preauth module pkinit (150) (info) returned: 0/Success [19260] 1645812760.557417: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557418: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557419: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557420: PKINIT client computed kdc-req-body checksum 9/B79768B0DAD630709ABFE35C1E2B6FDAB714913D [19260] 1645812760.557422: PKINIT client making DH request [19260] 1645812760.557423: Preauth module pkinit (16) (real) returned: 0/Success [19260] 1645812760.557424: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16) [19260] 1645812760.557425: Sending request (1674 bytes) to IPA.WEB1.FI [19260] 1645812760.557426: Initiating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557427: Sending TCP request to stream 10.20.13.5:88 [19260] 1645812760.557428: Received answer (2619 bytes) from stream 10.20.13.5:88 [19260] 1645812760.557429: Terminating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557430: Response was from primary KDC [19260] 1645812760.557431: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147) [19260] 1645812760.557432: Preauth module pkinit (147) (info) returned: 0/Success [19260] 1645812760.557433: PKINIT OpenSSL error: Failed to verify CMS message [19260] 1645812760.557434: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data [19260] 1645812760.557435: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest [19260] 1645812760.557436: PKINIT client could not verify DH reply [19260] 1645812760.557437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data [19260] 1645812760.557438: Produced preauth for next request: (empty) [19260] 1645812760.557439: Getting AS key, salt "IPA.WEB1.FIWELLKNOWNANONYMOUS", params "" Password for WELLKNOWN/ANONYMOUS(a)IPA.WEB1.FI: [19260] 1645812776.928337: AS key obtained from gak_fct: aes256-cts/3840 kinit: Password incorrect while getting initial credentials But this only happens on the "dc2" one. If I would run this on the "dc1" it would work just fine. I have tried running ipa-pkinit-manage disable ipa-pkinit-manage enable to regen the cert but it didn't help. Any suggestions / pointers at why the OpenSSL error on the tku-2 is showing up.

2 years, 1 month

5
9
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users March 2022