Replica and different location behind NAT - any concerns?
by Francis Augusto Medeiros-Logeay
Hi,
I have a few cloud servers and would like to have FreeIPA as an IdM for
them, reusing what I have on a different location.
My current FreeIPA install sits on a LAN, so all IPs are private. That
will be a similar design on the cloud. So, for the replicas to
communicate with each other, I thought about creating some
port-forwarding rules/openings on both firewalls, but the catch is that
the replica creation command would point to the public address of the
destination.
Any problems I might encounter with a setup like this, or is this a
common practice?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
1 year, 11 months
"Invalid range" authentication errors after failed replica install / upgrade
by Noah Walden
Hi all,
I recently attempted to add a replica running FreeIPA v4.9.6 to our domain, which consists of two servers running FreeIPA v4.9.2. I was prompted to set a NetBIOS domain name. The installation then failed with the error “Too many ID ranges.” In order to avoid needing to delete ID ranges to accommodate the new replica, I removed the replica from FreeIPA and reinstalled it with an earlier version (v4.9.2). Since then, users have been unable to perform password-based authentication (tested with ssh & sudo). "Preauthentication failed" errors have also been appearing in /var/log/sssd/krb5_child.log on the server I've been attempting to login to via ssh. Does anyone know the root cause of this issue and/or a possible solution?
Repeated message in /var/log/sssd/sssd_example.org.log of the server I’ve been attempting to ssh to:
(2022-04-12 8:29:34): [be[example.org]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.
Our ID ranges:
[root@ipaserver ~]$ ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
dn: cn=example-freeipa-service-accounts,cn=ranges,cn=etc,dc=example,dc=org
cn: example-freeipa-service-accounts
ipabaseid: 900000
ipaidrangesize: 99999
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange
dn: cn=EXAMPLE.ORG_id_range,cn=ranges,cn=etc,dc=example,dc=org
cn: EXAMPLE.ORG_id_range
ipabaseid: 1014000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
[root@ipaserver ~]$
Last ~100 lines from /var/log/ipareplica-install.log:
2022-04-01T16:55:16Z DEBUG Configuring SID generation
2022-04-01T16:55:16Z DEBUG [1/7]: creating samba domain object
2022-04-01T16:55:16Z DEBUG step duration: SID generation __create_samba_domain_object 0.02 sec
2022-04-01T16:55:16Z DEBUG [2/7]: adding admin(group) SIDs
2022-04-01T16:55:16Z DEBUG step duration: SID generation __add_admin_sids 0.01 sec
2022-04-01T16:55:16Z DEBUG [3/7]: adding RID bases
2022-04-01T16:55:16Z CRITICAL Found more than one local domain ID range with no RID base set.
2022-04-01T16:55:16Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases
raise RuntimeError("Too many ID ranges\n")
RuntimeError: Too many ID ranges
2022-04-01T16:55:16Z DEBUG [error] RuntimeError: Too many ID ranges
2022-04-01T16:55:16Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 603, in main
replica_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install
adtrust.install(False, options, fstore, api)
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install
smb.create_instance()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 895, in create_instance
self.start_creation(show_service_name=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases
raise RuntimeError("Too many ID ranges\n")
2022-04-01T16:55:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Too many ID ranges
2022-04-01T16:55:16Z ERROR Too many ID ranges
2022-04-01T16:55:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
1 year, 11 months
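An added example, not part of the post above and not FreeIPA's own installer or SSSD code: a small offline checker that parses `ipa idrange-find --all --raw` output and applies the two rules the post's logs quote. The installer's "Found more than one local domain ID range with no RID base set" / "Too many ID ranges" is modelled as "more than one ipa-local range has neither ipabaserid nor ipasecondarybaserid"; SSSD's "Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them" is modelled as an exactly-one-of check on ipasecondarybaserid and ipanttrusteddomainsid. The sample output is constructed to mirror the two ranges in the post, and `assign_rid_bases()` is a hypothetical helper that only shows what setting the RID bases on an entry changes; it does not talk to LDAP.

```python
"""Check FreeIPA ID ranges against the two rules quoted in the thread."""
import re
from copy import deepcopy
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample mirroring the two ranges shown in the post. Real output
# separates entries with blank lines; the parser keys on "dn:" instead.
SAMPLE = """\
----------------
2 ranges matched
----------------
dn: cn=example-freeipa-service-accounts,cn=ranges,cn=etc,dc=example,dc=org
cn: example-freeipa-service-accounts
ipabaseid: 900000
ipaidrangesize: 99999
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange

dn: cn=EXAMPLE.ORG_id_range,cn=ranges,cn=etc,dc=example,dc=org
cn: EXAMPLE.ORG_id_range
ipabaseid: 1014000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
"""

_ATTR = re.compile(r"^([A-Za-z][\w.-]*):\s*(.*)$")


def parse_raw(text: str) -> List[Entry]:
    """Turn --raw output into {attr: [values]} dicts (attribute names lowercased)."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if not m:            # separators, counts, blank lines
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "dn":     # every entry starts with its dn
            cur = {}
            entries.append(cur)
        cur.setdefault(attr, []).append(value)
    return entries


def _has(entry: Entry, attr: str) -> bool:
    return bool(entry.get(attr))


def is_local(entry: Entry) -> bool:
    return entry.get("iparangetype", [""])[0] == "ipa-local"


def ranges_without_rid_bases(entries: List[Entry]) -> List[str]:
    """Local ranges with neither RID base set. The post's install log shows
    SID generation aborting with "Too many ID ranges" when it finds more
    than one of these."""
    return [e["cn"][0] for e in entries
            if is_local(e) and not _has(e, "ipabaserid")
            and not _has(e, "ipasecondarybaserid")]


def sssd_skips(entry: Entry) -> bool:
    """The sysdb_range_create rule from the post's sssd log: exactly one of
    the secondary base RID or the trusted-domain SID must be present."""
    return _has(entry, "ipasecondarybaserid") == _has(entry, "ipanttrusteddomainsid")


def assign_rid_bases(entries: List[Entry], cn: str, rid_base: int,
                     secondary_rid_base: int) -> List[Entry]:
    """Hypothetical helper: return a copy with RID bases set on one range,
    i.e. the attributes that `ipa idrange-mod --rid-base ... --secondary-rid-base ...`
    would write. Pick values whose RID ranges do not overlap other ranges."""
    out = deepcopy(entries)
    for e in out:
        if e["cn"][0] == cn:
            e["ipabaserid"] = [str(rid_base)]
            e["ipasecondarybaserid"] = [str(secondary_rid_base)]
    return out


def report(text: str) -> dict:
    entries = parse_raw(text)
    return {
        "too_many_id_ranges": len(ranges_without_rid_bases(entries)) > 1,
        "sssd_skips": [e["cn"][0] for e in entries if sssd_skips(e)],
    }


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against the post's two ranges the checker flags both conditions at once: two ipa-local ranges without RID bases (the installer error) and two ranges SSSD refuses to load. Setting RID bases on one range clears the installer condition but leaves the other range invalid for SSSD, which is why both ranges need attention, not just the one that blocked the replica.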
pki-tomcatd service doesn't start on multiple servers in the domain
by Yajith Dayarathna
Hello everyone,
I'm trying to fix an issue with our FreeIPA setup where multiple servers in the domain are failing to start the pki-tomcatd service.
At present we have used "ipactl start --ignore-service-failure" just to get the rest of the services up and running, and I am now trying to figure out how to fix the overall problem.
Below is a summary of the current state from what I've managed to find so far:
- We have 6 servers in our FreeIPA domain running version 4.5.4
- Three servers, including the "IPA CA renewal master", have an issue starting the pki-tomcatd service, with slightly different symptoms.
- The problem started at different times; the other two servers started having it many weeks ago, and we haven't been able to fix them.
On the IPA CA renewal master server (this server only started having the problem a few days ago, following a crash and reboot):
- All the certificates listed in "getcert list" are valid (the one closest to expiry has about 2 years left)
- Certificate in /etc/pki/pki-tomcat/alias/ and LDAP match, along with the "description" field, which has the correct serial
- Logs contain this error : Internal Database Error encountered: Could not connect to LDAP server host <FQDN> port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
On the other two servers (where the problem started weeks apart, following a server reboot or an ipactl restart):
- Most of the certificates listed in "getcert list" have already expired
- Logs contain this error : Internal Database Error encountered: Could not connect to LDAP server host <FQDN> port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
- Certificate in /etc/pki/pki-tomcat/alias/ and LDAP do NOT match
Other than that, there are many other errors in the logs on all the servers related to replication: "ERR - NSMMReplicationPlugin - send_updates"
and messages like : Certificate in file "/var/kerberos/krb5kdc/kdc.crt" is no longer valid.
To try to come up with some method to fix the servers, I've taken a clone (disconnected from the network) of a server that is not the IPA CA renewal master.
The steps below, which I found in various articles, were all done within the clone.
Some things I've tried out within the clone so far, along with the errors:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
$ sudo grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
$ sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
I did notice that the message says "NSS Certificate DB", but in the "getcert list" output this certificate shows with token='NSS FIPS 140-2 Certificate DB'; I'm not sure whether there is an actual problem with the password or if I'm not using the command correctly.
I tried resetting the time back to a point where the expired certs are still valid, as mentioned in https://access.redhat.com/solutions/3357261, and, to get pki-tomcatd to come up, tried to update the cert in LDAP to match what is in /etc/pki/pki-tomcat/alias/ using this method: https://access.redhat.com/solutions/3614001. That fails for me:
it updates the certificate serial in the "description" field but never changes the certificate blob. The ldapmodify command and the contents of the .ldif file I used are below.
# ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -w -f updatecert.ldif -v
ldap_initializer( ldap://localhost:389 )
replace usercertificate:
NOT ASCII (894 bytes)
replace description:
2;32;CN=Certificate Authority,O=;CN=CA Subsystem,O=<OUR.DOMAIN>
modifying entry "uid=pkidbuser,ou=people,o=ipaca"
modify complete
# cat updatecert.ldif
dn: uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: usercertificate
usercertificate::MII..
-
replace: description
description: 2;32;CN=Certificate Authority,O=;CN=CA Subsystem,O=<OUR.DOMAIN>
I've used various combinations here even a delete of "userCertificate" field to add the correct one later but none of which worked for me.
I'm hoping someone can point me in the right direction.
Thanks in advance,
yajith
1 year, 11 months
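An added example, not from the post above and not Dogtag or FreeIPA code: an offline check of the two things the post compares by hand, whether the certificate in the NSS database is byte-for-byte the one stored in LDAP, and whether the serial in the `2;<serial>;<issuer>;<subject>` description field matches the certificate, plus a builder for the modify LDIF with the `::` base64 marker and a plain hyphen separator. It assumes the PEM comes from `certutil -L -d /etc/pki/pki-tomcat/alias -n '<nickname>' -a` and the base64 blob from the `userCertificate` attribute of the pkidbuser entry. The certificate used here is a constructed DER skeleton carrying only a version and a serial, not a real certificate; `cert_serial()` reads a real one the same way.

```python
"""Compare the PKI subsystem cert in NSS with the LDAP copy; build fix LDIF."""
import base64
import re


# ---- minimal DER helpers: enough to read the serial of an X.509 cert ----

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(value: int) -> bytes:
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der_cert: bytes) -> int:
    """Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "not a SEQUENCE (Certificate)"
    tag, tbs, _ = _read_tlv(cert_body, 0)
    assert tag == 0x30, "not a SEQUENCE (tbsCertificate)"
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit version present
        tag, val, pos = _read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return int.from_bytes(val, "big", signed=True)


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def to_b64(der_cert: bytes) -> str:
    return base64.b64encode(der_cert).decode()


def blobs_match(nss_pem: str, ldap_b64: str) -> bool:
    """True when the NSS cert and LDAP userCertificate are the same DER bytes."""
    return pem_to_der(nss_pem) == base64.b64decode("".join(ldap_b64.split()))


def description_matches(description: str, der_cert: bytes) -> bool:
    """Check the serial field of '2;<serial>;<issuer>;<subject>' against the cert."""
    parts = description.split(";")
    return len(parts) == 4 and parts[0] == "2" and int(parts[1]) == cert_serial(der_cert)


def build_modify_ldif(dn: str, der_cert: bytes, description: str) -> str:
    """'::' marks a base64 value; the lone '-' (a hyphen, not a dash) separates
    the two modifications. Long lines are accepted by ldapmodify unwrapped."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userCertificate",
        "userCertificate:: " + to_b64(der_cert),
        "-",
        "replace: description",
        f"description: {description}",
        "",
    ])


def fake_cert(serial: int) -> bytes:
    """Constructed stand-in with version 2 and the given serial; not a real cert."""
    tbs = der(0xA0, der_int(2)) + der_int(serial) + der(0x30, b"")
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


FAKE_CERT = fake_cert(32)
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + to_b64(FAKE_CERT)
            + "\n-----END CERTIFICATE-----\n")
DESCRIPTION = "2;32;CN=Certificate Authority,O=EXAMPLE;CN=CA Subsystem,O=EXAMPLE"

if __name__ == "__main__":
    print(blobs_match(FAKE_PEM, to_b64(FAKE_CERT)), description_matches(DESCRIPTION, FAKE_CERT))
    print(build_modify_ldif("uid=pkidbuser,ou=people,o=ipaca", FAKE_CERT, DESCRIPTION))
```

The useful property for the post's situation is that `blobs_match()` compares decoded DER rather than text, so line wrapping or a `::` versus `:` difference in the LDIF cannot hide a blob that was never actually replaced, and `description_matches()` catches the case where the serial was updated while the certificate was not.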
DNS record with all IPA servers
by Boris Behrens
Hi,
I am currently trying to cleanup our IPA installation and saw that all our
clients only got a single server configured, which doesn't sound good.
(we've currently got two IPA servers).
Is there some sort of record that can be used?
root@host1:/etc/ipa# cat /etc/ipa/default.conf
#File modified by ipa-client-install
[global]
basedn = dc=domain,dc=ca
realm = DOMAIN.CA
domain = DOMAIN.CA
server = ipa1.domain.ca
xmlrpc_uri = https://ipa1.domain.ca/ipa/xml
enable_ra = True
Cheers
Boris
--
The "UTF-8 problems" self-help group will, as an exception, meet this time in
the large hall.
1 year, 11 months
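An added example, not from the post above and not FreeIPA's own code, for the kind of record the question asks about: DNS SRV records. It generates the SRV records a FreeIPA domain publishes for its servers (the names assumed here are `_ldap._tcp`, `_kerberos._tcp`, `_kerberos._udp`, `_kpasswd._tcp` and `_kpasswd._udp`, as created by FreeIPA's integrated DNS), parses the `priority weight port target` answers a client would get back, and implements the RFC 2782 target-selection order, so you can see how a client with more than one server to choose from actually picks one. The domain, server names and DNS answers are constructed for the example.

```python
"""SRV records for FreeIPA servers and the RFC 2782 order a client tries them in."""
import random
from dataclasses import dataclass
from typing import Iterable, List

# (SRV owner name, port) pairs assumed to be what FreeIPA's DNS publishes.
SERVICES = (("_ldap._tcp", 389), ("_kerberos._tcp", 88), ("_kerberos._udp", 88),
            ("_kpasswd._tcp", 464), ("_kpasswd._udp", 464))


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def zone_records(domain: str, servers: Iterable[str], ttl: int = 86400) -> List[str]:
    """Zone-file lines for every service and server, all equal priority/weight."""
    return [f"{name}.{domain}. {ttl} IN SRV 0 100 {port} {host}."
            for name, port in SERVICES for host in servers]


def parse_srv(rdata_lines: Iterable[str]) -> List[Srv]:
    """Parse 'priority weight port target' lines, e.g. from `dig +short SRV`."""
    out = []
    for line in rdata_lines:
        prio, weight, port, target = line.split()
        out.append(Srv(int(prio), int(weight), int(port), target.rstrip(".")))
    return out


def rfc2782_order(records: List[Srv], rng: random.Random) -> List[Srv]:
    """Lowest priority number first; within a priority a weighted random draw,
    with weight-0 entries placed first so they are chosen only when the draw
    lands on 0 (RFC 2782 section on the weight field)."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)          # inclusive, as the RFC says
            acc = 0
            for i, r in enumerate(pool):
                acc += r.weight
                if acc >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


# Constructed answer for _ldap._tcp.domain.ca: two equal servers in the main
# site and a lower-preference third (higher priority number) elsewhere.
LDAP_SRV = parse_srv([
    "0 100 389 ipa1.domain.ca.",
    "0 100 389 ipa2.domain.ca.",
    "10 100 389 ipa3.domain.ca.",
])


def try_order(records: List[Srv], seed: int = 0) -> List[str]:
    """Target names in the order one client (seeded for reproducibility) tries them."""
    return [r.target for r in rfc2782_order(records, random.Random(seed))]


def first_choice_counts(records: List[Srv], trials: int) -> dict:
    """How often each target comes first across many clients; shows weighting."""
    counts: dict = {}
    for seed in range(trials):
        first = try_order(records, seed)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    print("\n".join(zone_records("domain.ca", ["ipa1.domain.ca", "ipa2.domain.ca"])))
    print(try_order(LDAP_SRV))
    print(first_choice_counts(LDAP_SRV, 1000))
```

To check what the real zone serves, `dig +short SRV _ldap._tcp.domain.ca` returns exactly the `priority weight port target` lines `parse_srv()` expects. A client enrolled with `ipa-client-install` uses these records when its sssd.conf lists `_srv_` in `ipa_server`; a host whose SSSD configuration names only one server gets no failover regardless of what DNS says, so the SRV records and the client configuration both need to be right.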
IPA not starting at boot - how to enable?
by Ian Pilcher
I was overly casual with yum this morning, and almost removed all of the
IPA-related RPMs from my server (CentOS 7). Fortunately, I was able to
abort the transaction before too much damage was done. After
(re)installing a couple of RPMs, everything seems to be pretty much
working.
The exception is that the IPA services are not being started when the
system boots (but everything comes up fine with 'ipactl start' later).
Looking into this, I realize that I'm not even sure of the exact
mechanism that IPA (4.6.8 on CentOS 7) normally uses to start. Looking
at the various systemd units on my system (targets and services), I
don't see anything that looks like an overall IPA unit, just the units
for the individual services and a couple of targets (dirsrv.target and
pki-tomcatd.target) that aren't enabled.
It's very possible that I'm missing the package that provides the
"master" target or service, but I don't know what it is.
Anyone know?
Thanks!
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
1 year, 11 months
Is it possible to create hosts in AD via FreeIPA?
by Francis Augusto Medeiros-Logeay
Hi,
This is probably a stupid question, but here we go...
I would like to use FreeIPA to manage Linux VDI machines, but VMware is
Active Directory-centric, and its Horizon Connection Server creates
machine objects in AD that the VMs join when created - and these
objects are deleted automatically when the corresponding VM ceases to
exist.
I wonder if it would be possible to simply join the machine to FreeIPA but
to an object that exists on AD, so that AD could delete it when the VM
ceases to exist.
Anything that would achieve the same ends would be very interesting. Any
thoughts on that?
Best,
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
1 year, 11 months
Require OTP on a single service or host
by John Petrini
Hello,
I've been trying to work out how to require OTP on a single service or
host. I've set the OTP authentication indicator on a test host but so
far the only way I've gotten OTP to work is by enabling it as an
authentication type for my user, but when I do this, regular password
based login no longer works on other hosts.
Is there something I'm doing wrong or just not understanding about how
this is supposed to work?
As a supplemental question, how will this impact LDAP based login?
Will password + OTP work with ldap clients?
Thanks!
John
1 year, 11 months
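An added illustrative model, not FreeIPA's or MIT krb5's code, of the mechanism the post is working with: the method a user authenticates with decides which authentication indicators the TGT carries, and a host or service with indicators set (`ipa host-mod --auth-ind=otp`) accepts a ticket only if at least one of its indicators is present. The user objects, hosts and the global default of password-only are constructed for the example; the assumption that a plain password login carries no indicator while a password-plus-token login carries `otp` is what makes the model reproduce the behaviour described in the post. LDAP binds are not modelled.

```python
"""Model: user auth types, TGT indicators and per-host indicator requirements."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Indicator attached to the authentication for each method; a plain
# password login carries none. (Assumed mapping for this model.)
INDICATOR = {"password": None, "otp": "otp", "radius": "radius",
             "pkinit": "pkinit", "hardened": "hardened"}
DEFAULT_AUTH_TYPES = frozenset({"password"})   # assumed global default


@dataclass(frozen=True)
class User:
    name: str
    auth_types: FrozenSet[str] = frozenset()    # empty = use global default


@dataclass(frozen=True)
class Service:
    principal: str
    auth_indicators: FrozenSet[str] = frozenset()   # empty = accept any TGT


def authenticate(user: User, method: str) -> Optional[FrozenSet[str]]:
    """AS exchange: the TGT's indicator set, or None when the KDC does not
    offer this method to this user (e.g. password-only for an otp-only user)."""
    allowed = user.auth_types or DEFAULT_AUTH_TYPES
    if method not in allowed:
        return None
    ind = INDICATOR[method]
    return frozenset({ind}) if ind else frozenset()


def service_ticket_allowed(tgt_indicators: FrozenSet[str], service: Service) -> bool:
    """TGS exchange: a service that lists indicators needs at least one match."""
    return not service.auth_indicators or bool(service.auth_indicators & tgt_indicators)


def can_log_in(user: User, method: str, service: Service) -> bool:
    tgt = authenticate(user, method)
    return tgt is not None and service_ticket_allowed(tgt, service)


# Constructed objects reproducing the situation in the post.
OTP_HOST = Service("host/test.example.test", frozenset({"otp"}))
OTHER_HOST = Service("host/other.example.test")
OTP_ONLY = User("john", frozenset({"otp"}))
PASSWORD_AND_OTP = User("john", frozenset({"password", "otp"}))
DEFAULT_USER = User("john")


def matrix() -> dict:
    """Every (user setting, method, host) -> allowed, for a quick overview."""
    users = {"default": DEFAULT_USER, "otp": OTP_ONLY, "password,otp": PASSWORD_AND_OTP}
    return {(label, method, svc.principal): can_log_in(u, method, svc)
            for label, u in users.items()
            for method in ("password", "otp")
            for svc in (OTP_HOST, OTHER_HOST)}


if __name__ == "__main__":
    for key, ok in sorted(matrix().items()):
        print(f"{key[0]:13} {key[1]:9} {key[2]:28} {'allowed' if ok else 'denied'}")
```

The matrix makes the two outcomes from the post visible side by side: with only `otp` as the user's auth type, a password-only login is refused everywhere, and with `password` and `otp` both enabled a password-only TGT still cannot reach the host that requires the `otp` indicator, while a password-plus-token login works for both hosts.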
Change admin user name
by Jim Kinney
Is it possible to use a different name than 'admin' for the admin account. Same name change need for the admins group.
--
Computers amplify human error
Super computers are really cool
1 year, 11 months