March 2022 - FreeIPA-users - Fedora mailing-lists

Add custom subentry to UID object.
by Jean Tomaz da Silva 17 Mar '22

17 Mar '22

Dears, Is it possible to add a custom subentry to UID object without using the ldapmodifty tool? Using the ipa cli commands or through of the web ui. My ldif file content is bellow. dn: Affiliation=1,uid=john,cn=users,cn=accounts,dc=example,dc=com changetype: add Affiliation: 1 AffiliationType: employee objectClass: CustomPerson objectClass: top Best regards, Jean Tomaz

3 8

IPA AD Authentication not successfull if using alernative logon domain
by Florian Wilhelm 17 Mar '22

17 Mar '22

We are successfully running a FreeIPA setup connected to an AD using kerberos to authenticate. (IPA is used as provider). Our windows domain name is not identical to our main mail domain. For some users the User logon name in windows (the one with @ not the old pre-win2000 one) is using a domain name which has no kerberos servers etc. In windows authentication works perfectly, but in our IPA setup we run into a big issue. No matter which domain the user chooses to authenticate against our linux servers, the linux server tries to authenticate against the kerberos servers of the domain which has no servers. In the krb5.conf we manually configured the kerberos servers of the windows AD for this domain. Now we get [Realm not local to KDC] in the krb5_child.log. Is there any way to forcefully replace the domain name when authenticating? We tried using auth_to_local without success so far.

3 3

ldap_add: Insufficient access for ldap subtree
by iulian roman 16 Mar '22

16 Mar '22

Hello everybody, I have modified the ipa schema in order to automate Oracle TNS entries. When I try to add entries with ipa-ldap-updater it works, but not when running ldapadd (which is used by Oracle). The error i get is : /bin/ldapadd -h ipaprd04.ipa.example.corp -p 389 -D "uid=tnsadmin,cn=users,cn=accounts,dc=ipa,dc=example,dc=corp" -W -x -f orcl1.ldif Enter LDAP Password: adding new entry "cn=SP7DEV,cn=oraclecontext,dc=ipa,dc=example,dc=corp" ldap_add: Insufficient access (50) additional info: Insufficient 'add' privilege to add the entry 'cn=SP7DEV,cn=oraclecontext,dc=ipa,dc=example,dc=corp'. The permission on the ldap subtree: ipa permission-show 'write oracle context' Permission name: write oracle context Granted rights: write, compare, delete, add, read, search, all Bind rule type: permission Subtree: cn=oraclecontext,dc=ipa,dc=example,dc=corp Target DN: cn=*,cn=oraclecontext,dc=ipa,dc=example,dc=corp Permission flags: SYSTEM, V2 Granted to Privilege: tns administrators Any ideas/hints would be really appreciated. Regards, iulian roman

2 2

When 'certmonger' looses it ? all
by lejeczek 15 Mar '22

15 Mar '22

Hi guys. According to 'ipa-healthcheck' there are lots of problems with my IPA ... "key": "cert-file=/var/lib/ipa/ra-agent.pem, key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" ... "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"auditSigningCert cert-pki-ca\", template-profile=caSignedLogCert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" ... ... { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "1f431916-88ae-4cf0-8dd1-c55914cf3801", "when": "20220315184602Z", "duration": "0.178625", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, ... 'ipa-restore' does not seem to fix anything there. What happens there and more importantly, how to troubleshoot/fix? many thanks, L.

2 1

IPA CA allow CSR SAN names in external domains
by Steve Dainard 14 Mar '22

14 Mar '22

Hello I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be able to add SAN's for a different dns domain than exists in the IPA realm. The dns for 'otherdomain.com' is handled by active directory which my IPA server has a cross-forest trust with. ie: host: client1.ipadomain.com certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com, servicename.otherdomain.com When I try to submit this CSR with 'ipa-getcert request' the IPA server denies with: "The service principal for subject alt name servicename.otherdomain.com in certificate request does not exist" It seems that the default CAACL enforces a profile named 'caIPAserviceCert', but I'm having some trouble determining what can be modified (or cloned and changed in a new profile) that would allow the CA to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the SAN. This is the only section in the profile that contains SAN: policyset.serverCertSet.12.constraint.class_id=noConstraintImpl policyset.serverCertSet.12.constraint.name=No Constraint policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Thanks, Steve

3 3

Expired (web/dirsv) 3rd party cert - pki-tomcatd unable to start - cannot update cert - IPA Error 4301: CertificateOperationError - help!
by Morgan Cox 11 Mar '22

11 Mar '22

Hi We have a pair of Freeipa (4.9.x) Rhel8 Freeipa servers. Previously we had installed a 3rd party cert for httpd + dirsrv (only) - this expired recently. I was unable to login to ui . This issue however may not be connected with this. It appears to be linked to Tomcat -> LDAPS connectiopn ?? - error when trying to login was 'Login failed due to an unknown reason' I could login if I changed server time to the past - but the certificates page is broken 'Certificate operation cannot be completed: Unable to communicate with CMS (503)' (time has been set back to normal now) As a result I cannot renew my httpd/dirsv cert Can anyone help me restore pki-tomcatd ? This may not be connected to web/dirsv cert expiry (and just be a coincidence) If I try using # ipa-server-certinstall --http --dirsrv ireland.idm.domain.uk.key ireland.idm.domain.uk.crt I get ----- Directory Manager password: Enter private key unlock password: cannot connect to 'https://london.idm.domain.uk:443/acme/directory': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) The ipa-server-certinstall command failed. ---- I can however install the cert to just the dirsv --- [root@london mcox]# ipa-server-certinstall --dirsrv london.idm.domain.uk.key london.idm.domain.uk.crt Directory Manager password: Enter private key unlock password: Please restart ipa services after installing certificate (ipactl restart) --- However after ipactl restart -> pki-tomcatd Service: STOPPED (all other services are working) The main IPA system aside from this appears to work - i.e I can login and sudo to clients, and kinit, etc works As a work-around I can login to the UI if I manually copy the cert/key to /var/lib/ipa/certs/httpd.crt /var/lib/ipa/private/httpd.key However the pki-tomcatd service is still down - I see these errors - On certifcates tab : IPA Error 4301: CertificateOperationError - Certificate operation cannot be completed: Unable to communicate with CMS (503) - On Certificate authorities pages I see : Some operations failed -> details -> Failed to authenticate to CA REST API pki-tomcatd logs show ------- Mar 11 12:54:10 london.idm.domain.uk systemd[1]: Starting PKI Tomcat Server pki-tomcat... Mar 11 12:54:15 london.idm.domain.uk server[509585]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Mar 11 12:54:15 london.idm.domain.uk server[509585]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar Mar 11 12:54:15 london.idm.domain.uk server[509585]: main class used: org.apache.catalina.startup.Bootstrap Mar 11 12:54:15 london.idm.domain.uk server[509585]: flags used: -Dcom.redhat.fips=false Mar 11 12:54:15 london.idm.domain.uk server[509585]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Mar 11 12:54:15 london.idm.domain.uk server[509585]: arguments used: start Mar 11 12:54:16 london.idm.domain.uk ipa-pki-wait-running[509586]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes) Mar 11 12:54:16 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Created connection http://london.idm.domain.uk:8080/ca Mar 11 12:54:16 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb6c264e668>: Failed to establish a new connection: [Errno 111] Connection refused',)) Mar 11 12:54:17 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb6c264ea58>: Failed to establish a new connection: [Errno 111] Connection refused',)) Mar 11 12:54:18 london.idm.domain.uk server[509585]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]] Mar 11 12:54:19 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Read timed out. (read timeout=1.0) Mar 11 12:54:21 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Read timed out. (read timeout=1.0) Mar 11 12:54:23 london.idm.domain.uk server[509585]: SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file Mar 11 12:54:23 london.idm.domain.uk server[509585]: SEVERE: Context [/ca] startup failed due to previous errors Mar 11 12:54:23 london.idm.domain.uk server[509585]: WARNING: The web application [ca] appears to have started a thread named [LDAPConnThread-0 ldaps://london.idm.domain.uk:636] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread: Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead0(Native Method) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead(SocketInputStream.java:116) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:171) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:141) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:127) Mar 11 12:54:23 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method) Mar 11 12:54:23 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1505) Mar 11 12:54:23 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:43) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.fill(BufferedInputStream.java:246) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.read(BufferedInputStream.java:265) Mar 11 12:54:23 london.idm.domain.uk server[509585]: netscape.ldap.ber.stream.BERElement.getElement(Unknown Source) Mar 11 12:54:23 london.idm.domain.uk server[509585]: netscape.ldap.LDAPConnThread.run(Unknown Source) Mar 11 12:54:23 london.idm.domain.uk server[509585]: java.lang.Thread.run(Thread.java:748) Mar 11 12:54:23 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='london.idm.domain.uk', port=8080): Read timed out. (read timeout=1.0) Mar 11 12:54:24 london.idm.domain.uk server[509585]: SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file Mar 11 12:54:24 london.idm.domain.uk server[509585]: SEVERE: Context [/acme] startup failed due to previous errors Mar 11 12:54:24 london.idm.domain.uk server[509585]: WARNING: The web application [acme] appears to have started a thread named [LDAPConnThread-1 ldaps://london.idm.domain.uk:636] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread: Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead0(Native Method) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.socketRead(SocketInputStream.java:116) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:171) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:141) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.net.SocketInputStream.read(SocketInputStream.java:127) Mar 11 12:54:24 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method) Mar 11 12:54:24 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1505) Mar 11 12:54:24 london.idm.domain.uk server[509585]: org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:43) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.fill(BufferedInputStream.java:246) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.io.BufferedInputStream.read(BufferedInputStream.java:265) Mar 11 12:54:24 london.idm.domain.uk server[509585]: netscape.ldap.ber.stream.BERElement.getElement(Unknown Source) Mar 11 12:54:24 london.idm.domain.uk server[509585]: netscape.ldap.LDAPConnThread.run(Unknown Source) Mar 11 12:54:24 london.idm.domain.uk server[509585]: java.lang.Thread.run(Thread.java:748) Mar 11 12:54:25 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://london.idm.domain.uk:8080/ca/admin/ca/getStatus Mar 11 12:54:26 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://london.idm.domain.uk:8080/ca/admin/ca/getStatus Mar 11 12:54:27 london.idm.domain.uk ipa-pki-wait-running[509586]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://london.idm.domain.uk:8080/ca/admin/ca/getStatus ... ------- Other logs show : (i've just added the main error - not entire java error /var/log/pki/pki-tomcat/acme/debug.2022-03-11.log : ----- 12:34:01 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.acme.server.ACMEEngine] java.lang.RuntimeException: Unable to start ACME engine: Unable to connect to LDAP server: Authentication failed ----- /var/log/pki/pki-tomcat/ca/debug.2022-03-11.log : ----- 2022-03-11 12:33:59 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP server: Authentication failed Unable to connect to L2022-03-11 12:33:59 [main] INFO: Shutting down CA subsystem .... 2022-03-11 12:33:59 [main] SEVERE: Exception sending context destroyed event to listener instance of class [org.dogtagpki.server.ca.CAEngine] java.lang.NullPointerException DAP server: Authentication failed ----- I have checked this -> # getcert list |grep expire expires: 2024-02-13 00:32:37 GMT expires: unknown expires: unknown expires: unknown expires: unknown expires: 2024-01-22 00:29:51 GMT expires: 2024-01-22 00:30:38 GMT And I have ran ipa-healthcheck I can see ---- Expired Cert: ocsp_signing Expired Cert: subsystem Expired Cert: audit_signing Internal server error 503 Server Error: Service Unavailable for url: http://london.idm.domain.uk:80/ca/rest/securityDomain/domainInfo Internal server error HTTPSConnectionPool(host='london.idm.domain.uk', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc4e6c58198>: Failed to establish a new connection: [Errno 111] Connection refused',)) --- Also some expired certs "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "36c8fbed-571d-4d38-9919-53322fea4aa2", "when": "20220311130832Z", "duration": "0.188329", "kw": { "cert_id": "ocsp_signing", "expiry_date": "Mar 01 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "195970e4-e2fd-4eca-aeac-f1e97e9c3b13", "when": "20220311130832Z", "duration": "0.360146", "kw": { "cert_id": "subsystem", "expiry_date": "Mar 01 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "a84a9bc5-de4d-4cdc-b7fd-41b83f3a11af", "when": "20220311130833Z", "duration": "0.454225", "kw": { "cert_id": "audit_signing", "expiry_date": "Mar 01 2022", "msg": "Certificate has ALREADY EXPIRED" } I have attached the full output of healthcheck to : https://pastebin.com/xfNLR0Ja (domain name changed) On the last ipa update there was also a issue with pki-tomcatd - i.e - I have to remove the block 'requiredSecret=' in /etc/pki/pki-tomcat/server.xml to fix it, this was however working for a month or so after . Any help to troubleshooting this would be welcomed Thanks

2 1

Unable to add a new replica - "adding fallback group" fails
by Ricardo Mendes 11 Mar '22

11 Mar '22

Hi there, I'm unable to add a new replica to the cluster as it fails: Configuring SID generation [1/8]: creating samba domain object Samba domain object already exists [2/8]: adding admin(group) SIDs Admin SID already set, nothing to do Admin group SID already set, nothing to do [3/8]: adding RID bases RID bases already set, nothing to do [4/8]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [5/8]: activating sidgen task [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [7/8]: adding fallback group Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') Failed to add fallback group. [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ==================== From ipareplica-install.log ==================== adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom0,dc=io" 2022-02-04T16:41:54Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldap_add: Operations error (1) additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. 2022-02-04T16:41:54Z CRITICAL Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL au thentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z DEBUG Failed to add fallback group. 2022-02-04T16:41:54Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1087, in error_handler yield File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1587, in find_entries raise e File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1547, in find_entries result = self.conn.result3(id, 0) File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call reraise(exc_type, exc_value, exc_traceback) File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise raise exc_value File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call result = func(*args,**kwargs) ldap.NO_SUCH_OBJECT: {'msgtype': 101, 'msgid': 4, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'cn=groups,cn=accounts,dc=dom0,dc=io'} During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 327, in __add_fallback_group api.Backend.ldap2.get_entry(fb_group_dn) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1941, in get_entry dn, attrs_list, time_limit, size_limit, get_effective_rights File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1644, in get_entry size_limit=size_limit, get_effective_rights=get_effective_rights, File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1456, in get_entries **kwargs) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1594, in find_entries break File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1097, in error_handler raise errors.NotFound(reason=arg_desc or 'no such entry') ipalib.errors.NotFound: no such entry During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group raise e File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group self._ldap_mod('default-smb-group.ldif', self.sub_dict) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod ipautil.run(args, nolog=nologlist) File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in run p.returncode, arg_string, output_log, error_log ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z DEBUG [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 603, in main replica_install(self) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install adtrust.install(False, options, fstore, api) File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install smb.create_instance() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 895, in create_instance self.start_creation(show_service_name=False) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group raise e File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group self._ldap_mod('default-smb-group.ldif', self.sub_dict) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod ipautil.run(args, nolog=nologlist) File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in run p.returncode, arg_string, output_log, error_log 2022-02-04T16:41:54Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z ERROR CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpnwzpa12h', '-H', 'ldapi://%2Frun%2Fslapd-DOM0-IO.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-DOM0-IO.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n') 2022-02-04T16:41:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Before this failed entry, other entries have been added successfully. Best regards. Ricardo M.

2 14

services & certificates for domain record
by lejeczek 09 Mar '22

09 Mar '22

Hi guys. I've fiddled a bit - IPA allows me to create host/service/cert for its domain/realm - @ record - will I not brake something having services/certs like that? many thanks, L.

2 1

make some order into host list
by Nathanaël Blanchet 09 Mar '22

09 Mar '22

Hello, I try to order my host list by filtering out the enrollment field. I tried *ipa host-show vm500-dev.couchant.abes.fr --all* and I can get the keytab param to false, which seems to be the equivalent of non enrollment. Now I try to find an option to *ipa host-find* to filter out all those non enrolled hosts but none such option seems to exist. My goal is to create a loop with correspondant hostnames to delete such hosts. Thank you -- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet(a)abes.fr

2 1

Strange CA error during FreeIPA connection
by Alessandro Minonzio 09 Mar '22

09 Mar '22

Hi, I report this issue about FreeIPA server: ------------------------------------------------------------------------------------------------------------------ Request for enhancement A strange error is occurring when I try to access my FreeIPA. Issue The problem occurs when I try to access the FreeIPA portal. "The message occurs saying IPA Error 4301: CertificateOperationError" "Certificate operation cannot be completed: Unable to communicate with CMS (500)" in Certificate Authority appear: "cannot connect to 'https://xyz.xxxxxhq.it:443/ca/rest/account/login': <https://xyz.xxxxxhq.it/ca/rest/account/login':> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)" and if I try to connect with KINIT ADMIN command on the console appear this error: "kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting initial credentials" Actual behavior Serverweb and console with kinit admin doesn't work. LDAPADMIN tool too. Version/Release/Distribution package freeipa-server is not installed package freeipa-client is not installed ipa-server-4.6.5-11.el7.centos.3.x86_64 ipa-client-4.6.5-11.el7.centos.3.x86_64 389-ds-base-1.3.9.1-12.el7_7.x86_64 pki-ca-10.5.16-5.el7_7.noarch krb5-server-1.15.1-37.el7_7.2.x86_64 Additional info: maybe it's a problem with CA but how is the process to solve that issue? The fact is that this behavior it's on a replica FreeIPA server with CA and DOMAIN. There is a resolution or a command to solve that? ------------------------------------------------------------------------------------------------------------------ could you help me please? Best regards, AM

2 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users March 2022