Install client fails in Ubuntu 22.04
by Gustavo Berman
Hello there!
Ubuntu 18.04 (and previous ones) works just fine
In Ubuntu 22.04 I'm trying to execute ipa-client-install but it fails with:
```
root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo@FISICA.CABIB:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=FISICA.CABIB
    Issuer:      CN=Certificate Authority,O=FISICA.CABIB
    Valid From:  2014-01-14 12:56:57
    Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
root@fisica75:~#
```
There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and cert is just fine.
Any ideas?
Thanks!
--
Gustavo Berman
1 month, 1 week
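The post does not show the certificate the IPA web server actually presents, so the cause of the mismatch is not established here. What the failing check does is well defined, though: RFC 6125 hostname verification compares the requested name against the certificate's subjectAltName dNSName (or iPAddress) entries, and current TLS stacks treat the subject CN as at most a legacy fall-back. The added example below, which is not code from the post or from FreeIPA, implements that decision over constructed certificate dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with the CN fall-back switchable so both behaviours can be compared against what `openssl s_client -connect host:443` shows for the real server.

```python
"""Decide whether a TLS server certificate is valid for a hostname the way
current clients do: subjectAltName first, CN only as an optional legacy fall-back.

Added example; the certificates below are constructed stand-ins in the shape
returned by ssl.SSLSocket.getpeercert(), not certificates from this post.
"""
import ipaddress


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, label by label, with a
    wildcard allowed only as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if "*" in pattern and (p_labels[0] != "*" or any("*" in l for l in p_labels[1:])):
        return False  # partial or non-leading wildcards are rejected
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def match_hostname(cert, hostname, allow_cn_fallback=False):
    """Return (matched, reason). `cert` is a getpeercert()-shaped dict."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_names):
            return True, "matched a SAN IP Address entry"
        return False, "no SAN IP Address entry matches %s" % hostname
    for name in dns_names:
        if dns_name_matches(name, hostname):
            return True, "matched SAN DNS %s" % name
    if dns_names or ip_names:
        return False, "subjectAltName present, but no entry matches %s" % hostname
    # No SAN at all: legacy clients compared the CN; a strict client reports
    # a hostname mismatch here even if the CN is exactly the hostname.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if allow_cn_fallback and any(dns_name_matches(cn, hostname) for cn in cns):
        return True, "matched CN only (legacy fall-back)"
    return False, "no subjectAltName; CN %s is not consulted" % cns


# Constructed sample certificates (not from the post).
CERT_WITH_SAN = {
    "subject": ((("commonName", "ipaserver.example.test"),),),
    "subjectAltName": (("DNS", "ipaserver.example.test"), ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "ipaserver.example.test"),),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.test"),)}

if __name__ == "__main__":
    for label, cert in [("SAN", CERT_WITH_SAN), ("CN only", CERT_CN_ONLY), ("wildcard", CERT_WILDCARD)]:
        print(label, match_hostname(cert, "ipaserver.example.test"))
```

The interesting case is `CERT_CN_ONLY`: it fails under the default (strict) rule and passes only with `allow_cn_fallback=True`, which is exactly the difference between an older client that "has worked for years" and a current one.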
FreeIPA CA failing to login with new admin user
by Stasiek Michalski
Hello,
I installed FreeIPA replica on 4.8.4 on CentOS 8 from 4.4.4 from Fedora
25 with `ipa-replica-install --setup-dns --auto-forwarders`, without
`--setup-ca` due to errors, which went fine. I do want to install CA
though, which failed when I did `--setup-ca` and then later
`ipa-ca-install` with the following error:
```
[4/29]: creating installation admin user
Unable to log in as uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca on ldap://freeipa.infra.opensuse.org:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-freeipa2.infra.opensuse.org,ou=people,o=ipaca did not replicate to ldap://freeipa.infra.opensuse.org:389
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
```
Obviously I did try extending the timeout based on that, but I don't
think that was helpful in the end, considering the logs produced by the
old server:
httpd access_log
```
192.168.47.90 - - [23/Jul/2020:00:25:36 +0000] "GET /ca/rest/account/login HTTP/1.1" 401 994
```
server process in journal
```
SSLAuthenticatorWithFallback: Authenticating with BASIC authentication
Invalid Credential.
at com.netscape.cmscore.authentication.PasswdUserDBAuthentication.authenticate(PasswdUserDBAuthentication.java:167)
at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:63)
at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:78)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:94)
at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:37)
at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:98)
at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.authenticate(SSLAuthenticatorWithFallback.java:47)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:579)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:877)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
SSLAuthenticatorWithFallback: Fallback auth header: WWW-Authenticate=Basic realm="Certificate Authority"
SSLAuthenticatorWithFallback: Fallback auth return code: 401
SSLAuthenticatorWithFallback: Result: false
```
and from pki logs
```
Failed to authenticate as admin UID=admin-freeipa2.infra.opensuse.org. Error: netscape.ldap.LDAPException: error result (49)
```
I don't particularly know how to proceed from here, since those errors
don't mean much to me. I see however it's not just me having issues with
`ipa-ca-install` at least similar to this one (although by the looks of
it, the reason is already different ;)
Thanks in advance for trying,
LCP [Stasiek]
https://lcp.world/
1 month, 2 weeks
'transportCert cert-pki-kra' mix up
by GH
I've got two ancient (3.1?) IPA servers that have been upgraded over time. Last January things got really goofy with certificates and I got it all sorted. However, now I've got an old issue creeping back in. The 'transportCert cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate. This is a multi-master setup. The signing master seems to be the one that's off. It's tracking the updated original 'transportCert cert-pki-kra' certificate. However, the "secondary" master is tracking a newly generated 'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing. Neither one of the certificates is expired. Everything else seems to be in working order. Here is ipa-healthcheck's only relevant error:
```
"source": "ipahealthcheck.dogtag.ca",
"kw": {
  "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
  "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
  "directive": "ca.connector.KRA.transportCert",
  "key": "transportCert cert-pki-kra"
},
```
So, what should I copy where to get this sorted? It seems like the updated original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then manually scp the NSS files from "primary" to "secondary"? What commands would you use to do this? I've got a lot of commands noted and am beginning to get confused as to which ones should be used to get this sorted. Thanks.
2 months
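ipa-healthcheck's complaint is a byte-level disagreement between two copies of the same certificate: the value of `ca.connector.KRA.transportCert` in CS.cfg and the certificate certmonger tracks under the nickname 'transportCert cert-pki-kra'. Before copying anything between servers it is worth confirming, by fingerprint, which copy is which on each master. The added example below is not from the post or from ipa-healthcheck; it assumes the CS.cfg directive holds the certificate as one base64 line without PEM armour, and that the tracked certificate has been exported as PEM (for example with `certutil -L -d <nssdb> -n 'transportCert cert-pki-kra' -a`, where the NSS database path is the one `getcert list` reports for that nickname). The placeholder byte strings stand in for real DER so the comparison runs offline.

```python
"""Compare the certificate a Dogtag CS.cfg directive carries with the
certificate certmonger is tracking, by SHA-256 of the DER bytes.

Added example, not part of the post or of ipa-healthcheck. Assumes the
CS.cfg directive holds the certificate as a single base64 line without PEM
armour, and that the tracked certificate has been exported as PEM.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem_text):
    """First certificate in a PEM file, as DER bytes."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_cscfg(cscfg_text, directive):
    """Value of `directive=` in a CS.cfg body, base64-decoded to DER."""
    prefix = directive + "="
    for line in cscfg_text.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            return base64.b64decode("".join(line[len(prefix):].split()))
    raise KeyError(directive)


def sha256_hex(der):
    return hashlib.sha256(der).hexdigest()


def check_transport_cert(cscfg_text, tracked_pem, directive="ca.connector.KRA.transportCert"):
    """Report both fingerprints and whether they agree (what healthcheck tests)."""
    in_cfg = sha256_hex(der_from_cscfg(cscfg_text, directive))
    tracked = sha256_hex(der_from_pem(tracked_pem))
    return {"directive": directive, "cscfg_sha256": in_cfg,
            "tracked_sha256": tracked, "match": in_cfg == tracked}


def to_pem(der):
    """Wrap DER bytes as PEM, the way certutil -a prints a certificate."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders: arbitrary bytes standing in for DER, enough to
# exercise the comparison. They are not real certificates.
OLD_TRANSPORT_DER = b"constructed-placeholder-der: original transportCert"
NEW_TRANSPORT_DER = b"constructed-placeholder-der: regenerated transportCert"

# Constructed CS.cfg fragment carrying the regenerated certificate.
CSCFG_SAMPLE = "ca.connector.KRA.transportCert=" + base64.b64encode(NEW_TRANSPORT_DER).decode() + "\n"

if __name__ == "__main__":
    print(check_transport_cert(CSCFG_SAMPLE, to_pem(NEW_TRANSPORT_DER)))
    print(check_transport_cert(CSCFG_SAMPLE, to_pem(OLD_TRANSPORT_DER)))
```

Run it once per master with that master's CS.cfg and its own tracked certificate; the fingerprints tell you directly which master holds the regenerated certificate and which still holds the updated original, which is the question the post is trying to answer before deciding what to copy where.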
IPA-Error 903: InternalError on Certificate page
by Nico Maas
Dear all,
I am using FreeIPA, Version: 4.8.4 on CentOS 8
```
ipa-client.x86_64             4.8.4-7.module_el8.2.0+374+0d2d74a1  @AppStream
ipa-client-common.noarch      4.8.4-7.module_el8.2.0+374+0d2d74a1  @AppStream
ipa-common.noarch             4.8.4-7.module_el8.2.0+374+0d2d74a1  @AppStream
ipa-healthcheck-core.noarch   0.4-4.module_el8.2.0+374+0d2d74a1    @AppStream
ipa-server.x86_64             4.8.4-7.module_el8.2.0+374+0d2d74a1  @AppStream
ipa-server-common.noarch      4.8.4-7.module_el8.2.0+374+0d2d74a1  @AppStream
ipa-server-dns.noarch         4.8.4-7.module_el8.2.0+374+0d2d74a1  @AppStream
```
Whenever I open the "Authentication" tab in the freeIPA webserver, I get the error
"IPA-Error 903: InternalError. An internal error has happend".
Retry does not help. Within Authentication I can use all tabs except for the Authentication -> Certificate -> Certificate one; this one gives the error. I also cannot search for a certificate. The other areas of Authentication -> Certificate (Certificate Profiles, CA ACLs, Certificate Authorities) work without problems.
As a test I cloned the machine and updated it to the latest CentOS 8 version with a newer freeIPA version on it, but that did not solve the problem and I scrapped this vm and idea again.
Any idea on how to resolve the issue / what could be broken?
Which logs and things would be useful to look into?
Thanks a lot for your help and have a nice day
Nico
2 months, 3 weeks
LoadBalancer vs. DNS
by Ronald Wimmer
IPA heavily relies on DNS entries. In my opinion, this design makes it
more difficult to quickly disable one or more IPA servers - especially
when using IPA in combination with external DNS (managed by a different
department).
Would it be possible to put all relevant DNS entries on a Loadbalancer
VIP and let the LB resolve to all IPA servers?
e.g. instead of having 8 DNS entries for
_kerberos-master._tcp.linux.oebb.at, one for each of our 8 IPA servers, I
would have just one _kerberos-master._tcp.linux.oebb.at entry. The LB
would distribute requests in such a setup.
Is it possible to do that or would it break some IPA functionality?
Cheers,
Ronald
3 months
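For context on what the eight records buy you today: an SRV-aware client receives the whole record set and sorts it itself, lowest priority first and, within a priority, in weighted random order, moving on to the next candidate when one fails; taking a server out of service is removing its record and waiting out the TTL. The added example below, which is not IPA code and says nothing about whether IPA itself works behind a VIP, implements that client-side selection (RFC 2782) over constructed records, so the load split and failover order the current DNS setup gives can be seen directly.

```python
"""Client-side SRV record selection (RFC 2782): what a Kerberos or LDAP
client does with a record set like the eight _kerberos-master._tcp entries.

Added example for illustration; not IPA code. Records are constructed.
"""
import random
from collections import Counter


def srv_try_order(records, rng=random):
    """records: iterable of (priority, weight, port, target).
    Returns (target, port) pairs in the order a client should try them:
    lowest priority first, weighted random order within equal priority."""
    by_priority = {}
    for priority, weight, port, target in records:
        by_priority.setdefault(priority, []).append((weight, port, target))
    order = []
    for priority in sorted(by_priority):
        bucket = list(by_priority[priority])
        while bucket:
            total = sum(w for w, _, _ in bucket)
            if total == 0:
                idx = rng.randrange(len(bucket))
            else:
                pick = rng.randrange(total)   # 0 .. total-1
                running = 0
                for idx, (w, _, _) in enumerate(bucket):
                    running += w
                    if running > pick:        # chosen with probability w/total
                        break
            _, port, target = bucket.pop(idx)
            order.append((target, port))
    return order


def first_choice_share(records, trials, seed=1):
    """How often each target is tried first: the load split the weights give."""
    rng = random.Random(seed)
    counts = Counter(srv_try_order(records, rng)[0][0] for _ in range(trials))
    return {target: n / trials for target, n in counts.items()}


def without_servers(records, down):
    """Taking servers out of rotation means removing their SRV records."""
    return [r for r in records if r[3] not in down]


# Constructed record set: three equal-priority servers with weights 100/100/50
# and one lower-priority fallback that is only tried when the others fail.
SRV_RECORDS = [
    (0, 100, 88, "ipa1.example.test"),
    (0, 100, 88, "ipa2.example.test"),
    (0, 50, 88, "ipa3.example.test"),
    (10, 100, 88, "ipa4.example.test"),
]

if __name__ == "__main__":
    print(srv_try_order(SRV_RECORDS, random.Random(3)))
    print(first_choice_share(SRV_RECORDS, 5000))
    print(srv_try_order(without_servers(SRV_RECORDS, {"ipa2.example.test"}), random.Random(3)))
```

With a single LB VIP in place of these records, the priority and weight information disappears from DNS and the equivalent decisions (which backend, and when to stop sending to one) move into the load balancer's configuration, which is the trade-off the question is really about.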
more rpm conflicts on CentOS
by lejeczek
Hi guys.
Is this Samba end of packages having issues (again)?
```
-> $ dnf update
Last metadata expiration check: 0:08:36 ago on Mon 08 Aug 2022 08:14:21 BST.
Error:
 Problem 1: package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.2-1.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.13.3-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.4-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-2.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.3-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.4-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-5.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-8.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.1-0.el8.x86_64
  - cannot install the best update candidate for package samba-client-libs-4.16.2-1.el8.x86_64
  - cannot install the best update candidate for package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
 Problem 2: problem with installed package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
  - package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.2-1.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.13.3-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.4-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-2.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.3-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.4-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-5.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-8.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.1-0.el8.x86_64
  - package libsmbclient-4.16.4-1.el8.x86_64 requires libsamba-debug-samba4.so(SAMBA_4.16.4_SAMBA4)(64bit), but none of the providers can be installed
  - package libsmbclient-4.16.4-1.el8.x86_64 requires libsmbconf.so.0(SMBCONF_0.0.1)(64bit), but none of the providers can be installed
```
and also, I wonder why a "regular" package would want to
depend on a debug package - that should not be needed normally.
many thanks, L.
4 months, 3 weeks
Need 'dns notify' sequence clarification please!
by Harry G Coin
In a 'standard' freeipa setup with two freeipa masters that provide
authoritative DNS for a zone (in this instance using the named-pkcs11
bind version) and no other DNS slaves:
When an IP address is changed in freeipa DNS for a host:
Question 1: Does the 'notify' feature of bind9/named from one machine
to the other accomplish any actual value (TTL related or otherwise)
given they both rely on bind-dyndbldap and as such the dns change is
migrated via ldap? In other words, would any performance suffer if I
just turned off notifies among the freeipa masters?
Question 2: What is the sequence of operations when an IP address is
changed in freeipa? I expect that first the ldap db gets
updated, then the replicas' ldap dbs get updated, then after all ldaps
are updated each of them tells 'their respective' bind instances to
update. Yes? No?
Thanks!
Harry Coin
4 months, 4 weeks
How to check the number of read/write locks on /usr/sbin/ns-slapd process?
by Kathy Zhu
Hi Team,
We used the following to get the number of rwlocks for the /usr/sbin/ns-slapd
process in CentOS 7.9 to catch deadlocks:
```
PID=`pidof ns-slapd`
gdb -ex 'set confirm off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 'quit' /usr/sbin/ns-slapd $PID |& grep '^#0.*lock' | grep pthread_rwlock | sort -u
```
That helped us to detect ns-slapd hang caused by deadlocks.
After migrating to Red Hat 8.6, we had a lot of hangs (dirsrv is running
but not responding) and could not find why. We used the same method as above,
however, we are not able to catch anything. I wonder if there is a
different way to count the rwlocks in Red Hat 8.6?
We realize that there are multiple reasons to cause hangs, however, we
would like to rule out the possibility of the deadlock.
The OS and packages:
```
Red Hat Enterprise Linux release 8.6 (Ootpa)
ipa-server.x86_64 4.9.8-7.module+el8.6.0+14337+19b76db2 @rhel-8-for-x86_64-appstream-rpms
slapi-nis-0.56.6-4.module+el8.6.0+12936+736896b2.x86_64
389-ds-base-libs-1.4.3.28-6.module+el8.6.0+14129+983ceada.x86_64
389-ds-base-1.4.3.28-6.module+el8.6.0+14129+983ceada.x86_64
```
Many thanks.
Kathy.
5 months
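The poster's pipeline keeps only frame #0 of each thread and de-duplicates the function names, which tells you which lock primitives threads are sitting in but not how many threads are queued on the same lock object. The added example below, which is not code from the post or from 389-ds, parses a `thread apply all bt full` dump, reports the same sorted set of frame-0 lock functions, and additionally groups waiting threads by the lock address found in the frame arguments; several threads on one address is the signature worth chasing. The backtrace in the block is constructed to resemble ns-slapd output and is not a real dump; symbol names on RHEL 8 may differ (for instance a `__pthread_` prefix), which is why matching is by substring rather than by exact name.

```python
"""Group the threads of a `gdb ... thread apply all bt full` dump by the lock
they are blocked on. Added example, not code from the post; the backtrace
below is constructed to look like ns-slapd output and is not a real dump.
"""
import re
from collections import Counter, defaultdict

THREAD_RE = re.compile(r"^Thread (\d+) \(")
# "#1  0x00007f... in func (arg=..., ...) at file.c:123" -> (1, func, args)
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+)\s*\(([^)]*)\)")
# argument that names the lock object, e.g. "rwlock=0x55d2c3a1e0c0"
LOCK_ARG_RE = re.compile(r"\b(?:rwlock|lock|mutex)=(0x[0-9a-fA-F]+)")
# frame-0 functions that mean "this thread is waiting for a lock"
WAIT_RE = re.compile(r"rwlock|mutex_lock|cond_wait|lll_lock")


def parse_threads(text):
    """{thread_number: [(frame_no, function, args), ...]} in dump order."""
    threads = {}
    current = None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:   # locals printed by `bt full` do not match
            threads[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return threads


def frame0_lock_functions(text):
    """Same information as the poster's grep '^#0.*lock' | sort -u."""
    names = {frames[0][1] for frames in parse_threads(text).values()
             if frames and "lock" in frames[0][1]}
    return sorted(names)


def summarize_lock_waits(text):
    """Count waiting threads per lock primitive and per lock address.
    Several threads queued on one address is the pattern to look at first;
    a single thread parked on a lock is usually just idle."""
    by_function = Counter()
    by_lock = defaultdict(list)
    for tid, frames in parse_threads(text).items():
        if not frames or not WAIT_RE.search(frames[0][1]):
            continue
        by_function[frames[0][1]] += 1
        address = "?"
        for _, _, args in frames[:3]:   # the lock object is usually an arg of frame 1
            m = LOCK_ARG_RE.search(args)
            if m:
                address = m.group(1)
                break
        by_lock[address].append(tid)
    return {"waiting_threads": sum(by_function.values()),
            "by_function": dict(by_function), "by_lock": dict(by_lock)}


# Constructed sample dump: two threads queued on the same rwlock, one idle in
# poll(), one waiting on a mutex. Addresses and line numbers are made up.
SAMPLE_BACKTRACE = """\
Thread 12 (Thread 0x7f3c1a7fc700 (LWP 2233)):
#0  0x00007f3c5d8a0f4d in pthread_rwlock_wrlock () from /lib64/libpthread.so.0
#1  0x00007f3c5f2c1b2a in slapi_rwlock_wrlock (rwlock=0x55d2c3a1e0c0) at slapi2runtime.c:150
        rc = 0
#2  0x00007f3c5f2a0010 in ?? ()
Thread 11 (Thread 0x7f3c1affd700 (LWP 2232)):
#0  0x00007f3c5d8a0a7c in pthread_rwlock_rdlock () from /lib64/libpthread.so.0
#1  0x00007f3c5f2c1a9e in slapi_rwlock_rdlock (rwlock=0x55d2c3a1e0c0) at slapi2runtime.c:138
Thread 10 (Thread 0x7f3c1b7fe700 (LWP 2231)):
#0  0x00007f3c5d7d6e0d in poll () from /lib64/libc.so.6
#1  0x00007f3c5f2d0123 in connection_threadmain () at connection.c:1500
Thread 9 (Thread 0x7f3c1bfff700 (LWP 2230)):
#0  0x00007f3c5d8a2b3a in pthread_mutex_lock () from /lib64/libpthread.so.0
#1  0x00007f3c5f2c1c00 in slapi_lock_mutex (mutex=0x55d2c3b00010) at slapi2runtime.c:80
"""

if __name__ == "__main__":
    print(frame0_lock_functions(SAMPLE_BACKTRACE))
    print(summarize_lock_waits(SAMPLE_BACKTRACE))
```

Feed it the saved output of the poster's gdb command (without the grep pipeline) and compare two dumps taken a minute apart: threads still queued on the same address in both dumps are a far stronger deadlock indicator than the raw count of lock frames.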
Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails
by Polavarapu Manideep Sai
Hi Team,
Need help from freeipa,
Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails
Please check the issue below and let us know the fix, and please let us know if any more details are required.
Master server: aaa01
Replica server1: dir01 (currently installing replica server )
Replica server2: dirus02 (which was a replica server previously that has been removed from replication)
As noticed while installing the IPA replica server, the replica retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt; in this process, at the stage "Configuring the web interface (httpd)", we got the error below:
```
ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
```
While installing the replica, /var/log/ipaclient-install.log:
```
2022-08-15T13:52:08Z DEBUG stderr=
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2018-04-12 14:15:30
    Valid Until: 2038-04-12 14:15:30

    Subject:     CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2019-01-21 11:54:13
    Valid Until: 2021-01-21 11:54:13

2022-08-15T13:52:11Z DEBUG Starting external process
2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z DEBUG Starting external process
2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
```
While installing the replica, /var/log/ipareplica-install.log:
```
2022-08-15T15:07:11Z DEBUG   [14/22]: importing CA certificates from LDAP
2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:11Z DEBUG Process finished, return code=0
2022-08-15T15:07:11Z DEBUG stdout=
2022-08-15T15:07:11Z DEBUG stderr=
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:12Z DEBUG Process finished, return code=255
2022-08-15T15:07:12Z DEBUG stdout=
2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
```
Observation in the master server (aaa01) ldap database:
```
[root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
[root@aaa01~]#
```
We can see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in the IPA master server GUI as well; we have revoked it too, but it still retrieves the same one and the installation fails every time.
In the ideal case, while installing a replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this case it retrieves
Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup.
ipaCertIssuerSerial:
```
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1    [which is a valid certificate]
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32   [invalid certificate retrieved from the IPA master while installing the IPA replica]
```
```
[root@aaa01]# ipa cert-show
  Serial number: 32
  Issuing CA: ipa
  Certificate: MIIFGTCCBAGgAwIBAgIBIDANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBJUEEuT05NT0JJTEUuQ09NMR4wHAYDVQQ
DDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwMTIxMTE1NDEzWhcNMjEwMTIxMTE1NDEzWjBMMRkwFwYDVQQKDBBJUEEuT
05NT0JJTEUuQ09NMS8wLQYDVQQDDCZkaXJ1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTCCASIwDQYJKoZIhvcNAQE
BBQADggEPADCCAQoCggEBAKln0qNlB+38cXbyOurkVgK+GMYM9loUVFAvZGlydXMwMi1taWEtdGxmbi1vbXVzLmlwYS5vbm1vYmlsZS5
jb21ASVBBLk9OTU9CSUxFLkNPTaBbBgYrBgEFAgKgUTBPoBIbEElQQS5PTk1PQklMRS5DT02hOTA3oAMCAQGhMDAuGwRIVFRQGyZkaXJ
1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcFbSY4tVpZHWVDGsahRNfCqv/x/xCT
BEYHvCSdycHAV7Ogq6zEENviRDOEOYqe1x7BxyF7B/hhB3PX2uqYmFrgPffyfwCxGZb0DRnnOLnwldxe3QdwjIIuUptY9fOgvbjx+bd5iLIgNp
aAZcN70PePdPA0xYpAo3CQkowCojAke2QGsPp6DrXS1wRrE4maH0LmEtu56hSbARoN4DgJ91PKgPkZ+BNyq9BmoPTRsxpAGBvms2SAbx
q1iUmNcVCurqvF/Gu2Z8L5rlpPiVjSbup9Zq5LuhLtfeMsgrwfZOcwZQfSCCykMUH9eAipvsNoHvPxiJeHhDk8Zx+cADESTL4w==
  Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
  Subject DNS name: dirus02.ipa.subdomain.com
  Subject UPN: HTTP/dirus02.ipa.subdomain.com@IPA.SUBDOMAIN.COM
  Subject Kerberos principal name: HTTP/dirus02.ipa.subdomain.com@IPA.SUBDOMAIN.COM
  Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
  Not Before: Mon Jan 21 11:54:13 2019 UTC
  Not After: Thu Jan 21 11:54:13 2021 UTC
  Serial number: 32
  Serial number (hex): 0x20
  Revoked: True
  Revocation reason: 2
[root@aaa01~]#
```
Regards
ManideepSai
5 months
error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
by liang fei
hello
Since the keytab file is invalid, I manually generated a new ipa.keytab file, but now it seems that the encryption types do not match. What should I do about this? Thank you.
```
#ipa user-find devop
ipa: DEBUG: importing all plugin modules in ipalib.plugins...
ipa: DEBUG: importing plugin module ipalib.plugins.aci
ipa: DEBUG: importing plugin module ipalib.plugins.automember
ipa: DEBUG: importing plugin module ipalib.plugins.automount
ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
ipa: DEBUG: importing plugin module ipalib.plugins.batch
ipa: DEBUG: importing plugin module ipalib.plugins.caacl
ipa: DEBUG: importing plugin module ipalib.plugins.cert
ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
ipa: DEBUG: importing plugin module ipalib.plugins.config
ipa: DEBUG: importing plugin module ipalib.plugins.delegation
ipa: DEBUG: importing plugin module ipalib.plugins.dns
ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
ipa: DEBUG: importing plugin module ipalib.plugins.group
ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
ipa: DEBUG: importing plugin module ipalib.plugins.host
ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
ipa: DEBUG: importing plugin module ipalib.plugins.idrange
ipa: DEBUG: importing plugin module ipalib.plugins.idviews
ipa: DEBUG: importing plugin module ipalib.plugins.internal
ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipalib.plugins.migration
ipa: DEBUG: importing plugin module ipalib.plugins.misc
ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipalib.plugins.passwd
ipa: DEBUG: importing plugin module ipalib.plugins.permission
ipa: DEBUG: importing plugin module ipalib.plugins.ping
ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
ipa: DEBUG: importing plugin module ipalib.plugins.privilege
ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
ipa: DEBUG: importing plugin module ipalib.plugins.role
ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipalib.plugins.server
ipa: DEBUG: importing plugin module ipalib.plugins.service
ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipalib.plugins.session
ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
ipa: DEBUG: importing plugin module ipalib.plugins.topology
ipa: DEBUG: importing plugin module ipalib.plugins.trust
ipa: DEBUG: importing plugin module ipalib.plugins.user
ipa: DEBUG: importing plugin module ipalib.plugins.vault
ipa: DEBUG: importing plugin module ipalib.plugins.virtual
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@YYDEVOPS.COM'
ipa: INFO: trying https://xx/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140659301866000
ipa: DEBUG: raw: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False)
ipa: DEBUG: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False, pkey_only=False)
ipa: INFO: Forwarding 'user_find' to json server 'https://xx/ipa/json'
ipa: DEBUG: NSSConnection init xx
ipa: DEBUG: Connecting: 10.21.117.149:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=xx,O=YYDEVOPS.COM"
ipa: DEBUG: handshake complete, peer = 10.21.117.149:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: Destroyed connection context.rpcclient_140659301866000
ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
```
```
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YYDEVOPS.COM

Valid starting       Expires              Service principal
08/29/2022 20:40:14  08/30/2022 20:40:07  krbtgt/YYDEVOPS.COM@YYDEVOPS.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/29/2022 20:40:31  08/30/2022 20:40:07  HTTP/xx@YYDEVOPS.COM
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
```
```
# klist -kte /etc/apache2/ipa.keytab
Keytab name: FILE:/etc/apache2/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac)
   5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac)
   6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac)
   7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac)
   8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96)
   9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96)
  10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)
```
5 months, 1 week
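From the listings above one thing can be checked mechanically: whether the `tkt` enctype of the issued HTTP/ service ticket (des3-cbc-sha1 here) is among the keys in the keytab, and at which kvno. The added example below, not code from the post or from FreeIPA, parses `klist -e` and `klist -kte` output and reports that per service principal; the sample text is constructed after the poster's listing, with the host and realm as the poster anonymised them. Two limits worth knowing: `klist -e` does not print the kvno the KDC encrypted the ticket with, so a stale key version cannot be ruled in or out from this output alone, and the 'No valid Negotiate header' message is reported by the HTTP layer, which this check does not touch.

```python
"""Check the enctype of an issued service ticket against the keys present in
the service keytab, using the text `klist -e` and `klist -kte` print.

Added example, not code from the post; the sample output below is constructed
after the poster's listing and is not a captured session.
"""
import re

DT = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (DT, DT))
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+%s\s+(\S+?)\s+\(([^)]+)\)\s*$" % DT)


def strip_realm(principal):
    return principal.split("@", 1)[0]


def parse_klist(text):
    """[(service principal, tkt enctype)] from `klist -e` output. The tkt
    enctype is the key the service must hold to decrypt the ticket."""
    tickets, pending = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            pending = m.group(3)
            continue
        m = ETYPE_RE.search(line)
        if m and pending is not None:
            tickets.append((pending, m.group(2)))
            pending = None
    return tickets


def parse_keytab(text):
    """[(kvno, principal, enctype)] from `klist -kte` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KEYTAB_RE.match, text.splitlines()) if m]


def check_tickets_against_keytab(klist_text, keytab_text):
    """For each ticket: is the principal in the keytab, at which kvnos does the
    ticket's enctype exist, and what does the newest kvno offer."""
    keytab = parse_keytab(keytab_text)
    report = []
    for service, tkt_etype in parse_klist(klist_text):
        mine = [e for e in keytab if strip_realm(e[1]) == strip_realm(service)]
        entry = {"service": service, "tkt_etype": tkt_etype, "in_keytab": bool(mine)}
        if mine:
            highest = max(kvno for kvno, _, _ in mine)
            entry.update({
                "kvnos_with_etype": sorted(k for k, _, e in mine if e == tkt_etype),
                "highest_kvno": highest,
                "etypes_at_highest_kvno": sorted(e for k, _, e in mine if k == highest),
            })
        report.append(entry)
    return report


# Constructed after the poster's listing (host "xx" and realm as anonymised).
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YYDEVOPS.COM

Valid starting       Expires              Service principal
08/29/2022 20:40:14  08/30/2022 20:40:07  krbtgt/YYDEVOPS.COM@YYDEVOPS.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/29/2022 20:40:31  08/30/2022 20:40:07  HTTP/xx@YYDEVOPS.COM
        Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
"""
KEYTAB_SAMPLE = """\
Keytab name: FILE:/etc/apache2/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac)
   5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac)
   6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac)
   7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac)
   8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96)
   9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96)
  10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)
"""

if __name__ == "__main__":
    for entry in check_tickets_against_keytab(KLIST_SAMPLE, KEYTAB_SAMPLE):
        print(entry)
```

On the poster's data the report says the HTTP/xx ticket's des3-cbc-sha1 key exists only at kvno 10, the newest entry, while each earlier kvno carries a single different enctype. A keytab built up one enctype per kvno like this means every key generation invalidated the previous one on the KDC side, so whichever kvno the KDC currently uses must match the last entry for the service to decrypt anything.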