more rpm conflicts on CentOS
by lejeczek
Hi guys.
Is this the Samba end of packages having issues (again)?
-> $ dnf update
Last metadata expiration check: 0:08:36 ago on Mon 08 Aug
2022 08:14:21 BST.
Error:
Problem 1: package
ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the
providers can be installed
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.16.2-1.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.13.3-3.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.14.4-4.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.14.5-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.14.5-2.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.3-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.4-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-3.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-4.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-5.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-8.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.16.1-0.el8.x86_64
- cannot install the best update candidate for package
samba-client-libs-4.16.2-1.el8.x86_64
- cannot install the best update candidate for package
ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
Problem 2: problem with installed package
ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
- package
ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the
providers can be installed
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.16.2-1.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.13.3-3.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.14.4-4.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.14.5-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.14.5-2.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.3-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.4-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-0.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-3.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-4.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-5.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.15.5-8.el8.x86_64
- cannot install both
samba-client-libs-4.16.4-1.el8.x86_64 and
samba-client-libs-4.16.1-0.el8.x86_64
- package libsmbclient-4.16.4-1.el8.x86_64 requires
libsamba-debug-samba4.so(SAMBA_4.16.4_SAMBA4)(64bit), but
none of the providers can be installed
- package libsmbclient-4.16.4-1.el8.x86_64 requires
libsmbconf.so.0(SMBCONF_0.0.1)(64bit), but none of the
providers can be installed
And also, I wonder why a "regular" package would want to
depend on a debug package - that should not be needed normally.
many thanks, L.
1 year, 6 months
Need 'dns notify' sequence clarification please!
by Harry G Coin
In a 'standard' freeipa setup with two freeipa masters that provide
authoritative DNS for a zone (in this instance using the named-pkcs11
bind version) and no other DNS slaves:
When an IP address is changed in freeipa DNS for a host:
Question 1: Does the 'notify' feature of bind9/named from one machine
to the other accomplish any actual value (TTL related or otherwise)
given they both rely on bind-dyndbldap and as such the dns change is
migrated via ldap? In other words, would any performance suffer if I
just turned off notifies among the freeipa masters?
Question 2: What is the sequence of operations when an IP address is
changed in freeipa? I expect it would be that the first ldap db gets
updated, then the replicas' ldap dbs get updated, then after all ldaps
are updated each of them tells 'their respective' bind instances to
update. Yes? No?
Thanks!
Harry Coin
1 year, 6 months
How to check the number of read/write locks on /usr/sbin/ns-slapd process?
by Kathy Zhu
Hi Team,
We used the following to get the number of rwlocks for the /usr/sbin/ns-slapd
process on CentOS 7.9 to catch deadlocks:
PID=`pidof ns-slapd`
gdb -ex 'set confirm off' -ex 'set pagination off' \
    -ex 'thread apply all bt full' -ex 'quit' /usr/sbin/ns-slapd $PID \
    |& grep '^#0.*lock' | grep pthread_rwlock | sort -u
That helped us to detect ns-slapd hang caused by deadlocks.
After migrating to Red Hat 8.6, we had a lot of hangs (dirsrv is running
but not responding) and could not find why. We used the same method as above;
however, we are not able to catch anything. I wonder if there is a
different way to count the rwlocks in Red Hat 8.6?
We realize that there are multiple reasons that can cause hangs; however, we
would like to rule out the possibility of a deadlock.
The OS and packages:
Red Hat Enterprise Linux release 8.6 (Ootpa)
ipa-server.x86_64 4.9.8-7.module+el8.6.0+14337+19b76db2
@rhel-8-for-x86_64-appstream-rpms
slapi-nis-0.56.6-4.module+el8.6.0+12936+736896b2.x86_64
389-ds-base-libs-1.4.3.28-6.module+el8.6.0+14129+983ceada.x86_64
389-ds-base-1.4.3.28-6.module+el8.6.0+14129+983ceada.x86_64
Many thanks.
Kathy.
1 year, 6 months
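As an added example (not from the thread), a Python script that applies the same filter as the gdb pipeline above, but to the whole `thread apply all bt full` dump: it keeps the threads whose frame #0 is a pthread_rwlock call, recovers the lock address from the calling frame, groups waiters per lock, and counts threads whose frames show only `??`, which the grep-based count cannot see. The dump text is constructed; the frame and function names are assumed to resemble 389-ds output.

```python
"""Triage a `gdb ... -ex 'thread apply all bt full'` dump of ns-slapd: which threads are
blocked in pthread_rwlock_* calls, on which lock, and in which mode.
SAMPLE_DUMP is constructed for this example; symbol names are assumed to resemble
389-ds frames and are not taken from a real server."""
import re
from collections import defaultdict

THREAD_RE = re.compile(r"^Thread (\d+) \(.*\):\s*$")
# "#1  0x00007f... in func (arg=0x...) at file.c:123"  (the address part is optional)
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+)\s*\((.*?)\)")
LOCK_ARG_RE = re.compile(r"\b(?:rwlock|lock|rw)=(0x[0-9a-f]+)")


def parse_threads(dump):
    """Map thread number -> [(frame_no, function, args), ...] in frame order.
    Local-variable lines printed by `bt full` match neither regex and are skipped."""
    threads, current = {}, None
    for line in dump.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            threads[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return threads


def rwlock_waiters(dump):
    """Threads whose innermost frame (#0) is a pthread rwlock call, the same filter as
    `grep '^#0.*lock' | grep pthread_rwlock`, plus the lock mode and the lock address
    taken from the nearest caller frame that shows a lock argument."""
    waiters = []
    for tid, frames in parse_threads(dump).items():
        if not frames or frames[0][0] != 0 or "pthread_rwlock" not in frames[0][1]:
            continue
        func = frames[0][1]
        mode = "write" if "wrlock" in func else "read" if "rdlock" in func else "other"
        addr = None
        for _, _, args in frames[1:]:
            m = LOCK_ARG_RE.search(args)
            if m:
                addr = m.group(1)
                break
        waiters.append({"thread": tid, "func": func, "mode": mode, "lock": addr})
    return waiters


def summarize(dump):
    """Group waiters by lock address. Several threads queued on one address is the
    first thing to inspect. `threads_without_symbols` counts threads whose frame #0 is
    `??`, which usually means symbols are missing (stripped binary, no debuginfo) and
    which a grep for function names silently skips."""
    threads = parse_threads(dump)
    by_lock = defaultdict(list)
    for w in rwlock_waiters(dump):
        by_lock[w["lock"]].append(w)
    contended = {addr: ws for addr, ws in by_lock.items() if addr and len(ws) > 1}
    no_symbols = sum(1 for f in threads.values() if f and f[0][1] == "??")
    return {"waiters": sum(len(v) for v in by_lock.values()),
            "contended": contended, "threads_without_symbols": no_symbols}


SAMPLE_DUMP = """\
Thread 5 (Thread 0x7f3a1a7fc700 (LWP 2311)):
#0  0x00007f3a1c2b5f2c in __pthread_rwlock_wrlock () from /lib64/libpthread.so.0
#1  0x00007f3a1dc0a1e2 in slapi_rwlock_wrlock (rwlock=0x55d0c8e2a1b0) at slapi2runtime.c:151
        rc = 0
#2  0x00007f3a1dbf2c10 in do_modify (pb=0x7f3a14003c20) at modify.c:412
Thread 4 (Thread 0x7f3a1affd700 (LWP 2310)):
#0  0x00007f3a1c2b5d04 in __pthread_rwlock_rdlock () from /lib64/libpthread.so.0
#1  0x00007f3a1dc0a1a0 in slapi_rwlock_rdlock (rwlock=0x55d0c8e2a1b0) at slapi2runtime.c:131
#2  0x00007f3a1dbe9a77 in do_search (pb=0x7f3a18004d10) at search.c:300
Thread 3 (Thread 0x7f3a1b7fe700 (LWP 2309)):
#0  0x00007f3a1c5a1a8f in poll () from /lib64/libc.so.6
#1  0x00007f3a1dbd4c3e in slapd_daemon (ports=0x7ffc2c1e0d10) at daemon.c:1009
Thread 2 (Thread 0x7f3a1bfff700 (LWP 2308)):
#0  0x00007f3a1c2b5f2c in ?? ()
#1  0x00007f3a1dc0a1e2 in ?? ()
"""

if __name__ == "__main__":
    for w in rwlock_waiters(SAMPLE_DUMP):
        print("thread %(thread)d waits for %(mode)s on %(lock)s in %(func)s" % w)
    print(summarize(SAMPLE_DUMP))
```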
Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails
by Polavarapu Manideep Sai
Hi Team,
Need help from freeipa,
Please check the issue below and let us know the fix, and please let us know if any more details are required.
Master server: aaa01
Replica server1: dir01 (currently installing the replica server)
Replica server2: dirus02 (which was a replica server previously that has been removed from replication)
As noticed while installing the IPA replica server, the replica server retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt. In this process, at the stage "Configuring the web interface (httpd)", we got the below error, i.e.
ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
===============================================
While installing Replica /var/log/ipaclient-install.log
---------------------------------------------------
2022-08-15T13:52:08Z DEBUG stderr=
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From: 2018-04-12 14:15:30
Valid Until: 2038-04-12 14:15:30
Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From: 2019-01-21 11:54:13
Valid Until: 2021-01-21 11:54:13
2022-08-15T13:52:11Z DEBUG Starting external process
2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z DEBUG Starting external process
2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
==================================
While installing replica /var/log/ipareplica-install.log
--------------------------------------------------
2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:11Z DEBUG Process finished, return code=0
2022-08-15T15:07:11Z DEBUG stdout=
2022-08-15T15:07:11Z DEBUG stderr=
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:12Z DEBUG Process finished, return code=255
2022-08-15T15:07:12Z DEBUG stdout=
2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
Observation in the master server (aaa01) LDAP database:
=======================================
[root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
[root@aaa01~]#
====================
We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in the IPA master server GUI as well; we have revoked it too, but it still retrieves the same one and the installation fails every time.
=================
In the ideal case, while installing a replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this case it retrieves
Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup.
ipaCertIssuerSerial
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate]
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [invalid certificate retrieved from the IPA master while installing the IPA replica]
[root@aaa01]# ipa cert-show
Serial number: 32
Issuing CA: ipa
Certificate: <base64 certificate blob omitted>
Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Subject DNS name: dirus02.ipa.subdomain.com
Subject UPN: HTTP/dirus02.ipa.subdomain.com(a)IPA.SUBDOMAIN.COM
Subject Kerberos principal name: HTTP/dirus02.ipa.subdomain.com(a)IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Not Before: Mon Jan 21 11:54:13 2019 UTC
Not After: Thu Jan 21 11:54:13 2021 UTC
Serial number: 32
Serial number (hex): 0x20
Revoked: True
Revocation reason: 2
[root@aaa01~]#
Regards
ManideepSai
1 year, 6 months
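As an added example (not from the thread), a Python check over the certificate list that ipa-client-install logs after "Successfully retrieved CA cert": it parses the Subject/Issuer/Valid From/Valid Until blocks and flags entries that are not self-signed or are already expired, which is how the stale host certificate the thread shows would be caught before it reaches certutil. The log text is constructed from the fields shown above, not copied from a real installation.

```python
"""Triage the certificate list that ipa-client-install logs right after
'Successfully retrieved CA cert' (the list the thread shows being saved to /etc/ipa/ca.crt).
Every entry should be a CA certificate that is still valid; an end-entity or expired
entry does not belong there. SAMPLE_LOG is constructed from the fields shown in the
thread, not copied from a real installation."""
import re
from datetime import datetime

FIELD_RE = re.compile(r"^\s*(Subject|Issuer|Valid From|Valid Until):\s*(.+?)\s*$")
DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_retrieved_certs(log_text):
    """Entries ({Subject, Issuer, Valid From, Valid Until}) that follow the
    'Successfully retrieved CA cert' line; the block ends at the next log line."""
    entries, current, in_block = [], {}, False
    for line in log_text.splitlines():
        if "Successfully retrieved CA cert" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = FIELD_RE.match(line)
        if not m:
            if current:
                entries.append(current)
                current = {}
            if line.strip():          # a timestamped log line, not a blank separator
                in_block = False
            continue
        key, value = m.group(1), m.group(2)
        if key == "Subject" and current:   # entries may also run together without blanks
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def check_retrieved_ca_certs(log_text, now):
    """Return [(subject, [reasons])] for entries that do not belong in a CA bundle.
    `now` is 'YYYY-MM-DD HH:MM:SS'. A subject that differs from the issuer is flagged
    as a likely end-entity certificate (a host or service cert); a legitimately
    externally-signed IPA CA would also trip this check and needs a manual look."""
    now_dt = datetime.strptime(now, DATE_FMT)
    flagged = []
    for e in parse_retrieved_certs(log_text):
        reasons = []
        if e["Subject"] != e["Issuer"]:
            reasons.append("subject != issuer: not a self-signed CA")
        until = datetime.strptime(e["Valid Until"], DATE_FMT)
        if until < now_dt:
            reasons.append("expired on " + until.strftime(DATE_FMT))
        if reasons:
            flagged.append((e["Subject"], reasons))
    return flagged


SAMPLE_LOG = """\
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2018-04-12 14:15:30
    Valid Until: 2038-04-12 14:15:30

    Subject:     CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
    Valid From:  2019-01-21 11:54:13
    Valid Until: 2021-01-21 11:54:13

2022-08-15T13:52:11Z DEBUG Starting external process
"""

if __name__ == "__main__":
    for subject, reasons in check_retrieved_ca_certs(SAMPLE_LOG, "2022-08-15 13:52:11"):
        print(subject)
        for r in reasons:
            print("   -", r)
```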
error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
by liang fei
Hello,
Since the keytab file is invalid, I manually generated a new ipa.keytab file, but now it seems that the encryption types do not match. What should I do about this? Thank you.
#ipa user-find devop
ipa: DEBUG: importing all plugin modules in ipalib.plugins...
ipa: DEBUG: importing plugin module ipalib.plugins.aci
ipa: DEBUG: importing plugin module ipalib.plugins.automember
ipa: DEBUG: importing plugin module ipalib.plugins.automount
ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
ipa: DEBUG: importing plugin module ipalib.plugins.batch
ipa: DEBUG: importing plugin module ipalib.plugins.caacl
ipa: DEBUG: importing plugin module ipalib.plugins.cert
ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
ipa: DEBUG: importing plugin module ipalib.plugins.config
ipa: DEBUG: importing plugin module ipalib.plugins.delegation
ipa: DEBUG: importing plugin module ipalib.plugins.dns
ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
ipa: DEBUG: importing plugin module ipalib.plugins.group
ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
ipa: DEBUG: importing plugin module ipalib.plugins.host
ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
ipa: DEBUG: importing plugin module ipalib.plugins.idrange
ipa: DEBUG: importing plugin module ipalib.plugins.idviews
ipa: DEBUG: importing plugin module ipalib.plugins.internal
ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipalib.plugins.migration
ipa: DEBUG: importing plugin module ipalib.plugins.misc
ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipalib.plugins.passwd
ipa: DEBUG: importing plugin module ipalib.plugins.permission
ipa: DEBUG: importing plugin module ipalib.plugins.ping
ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
ipa: DEBUG: importing plugin module ipalib.plugins.privilege
ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
ipa: DEBUG: importing plugin module ipalib.plugins.role
ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipalib.plugins.server
ipa: DEBUG: importing plugin module ipalib.plugins.service
ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipalib.plugins.session
ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
ipa: DEBUG: importing plugin module ipalib.plugins.topology
ipa: DEBUG: importing plugin module ipalib.plugins.trust
ipa: DEBUG: importing plugin module ipalib.plugins.user
ipa: DEBUG: importing plugin module ipalib.plugins.vault
ipa: DEBUG: importing plugin module ipalib.plugins.virtual
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin(a)YYDEVOPS.COM'
ipa: INFO: trying https://xx/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140659301866000
ipa: DEBUG: raw: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False)
ipa: DEBUG: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False, pkey_only=False)
ipa: INFO: Forwarding 'user_find' to json server 'https://xx/ipa/json'
ipa: DEBUG: NSSConnection init xx
ipa: DEBUG: Connecting: 10.21.117.149:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=xx,O=YYDEVOPS.COM"
ipa: DEBUG: handshake complete, peer = 10.21.117.149:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: Destroyed connection context.rpcclient_140659301866000
ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin(a)YYDEVOPS.COM
Valid starting Expires Service principal
08/29/2022 20:40:14 08/30/2022 20:40:07 krbtgt/YYDEVOPS.COM(a)YYDEVOPS.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/29/2022 20:40:31 08/30/2022 20:40:07 HTTP/xx(a)YYDEVOPS.COM
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
# klist -kte /etc/apache2/ipa.keytab
Keytab name: FILE:/etc/apache2/ipa.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac)
5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac)
6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac)
7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac)
8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96)
9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96)
10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)
1 year, 6 months
Replica not syncing
by Simon Matthews
Some time back I set up an IPA replica. The initial setup was successful, but now I see that it is not syncing. It's possible that it has never successfully synced. I suspect that something related to DNS may not be working properly. Advice on debugging and fixing this would be appreciated.
# ipa-replica-manage list -v ipa2.sj.bps
ipa1.sj.bps: replica
last update status: Error (18) Replication error acquiring replica: Incremental update transient warning. Backing off, will retry update later. (transient warning)
last update ended: 1970-01-01 00:00:00+00:00
I think that something related to DNS is not working correctly on my replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain used on the network is "sj.bps" and the primary nameserver is not either of the IPA servers.
Both the primary and replica have DNS that works for the "sj.bps" domain to an extent. I can ping using names in the "sj.bps" domain on the replica (ipa2):
[root@ipa2 ~]# ping ipa1.sj.bps.
PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data.
64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms
^C
--- ipa1.sj.bps ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
But a local lookup doesn't work:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:37:37 EDT 2022
;; MSG SIZE rcvd: 40
A similar dig command on the primary works:
[root@ipa1 ~]# dig @localhost ipa1.sj.bps.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; ANSWER SECTION:
ipa1.sj.bps. 2222 IN A 192.168.254.18
;; AUTHORITY SECTION:
sj.bps. 2222 IN NS ns.bps.
;; ADDITIONAL SECTION:
ns.bps. 2222 IN A 192.168.254.2
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 29 20:38:34 EDT 2022
;; MSG SIZE rcvd: 89
1 year, 7 months
certmonger not updating
by IPA Listmail
client: el8
ipa server: el7
I created a cert via:
sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f) \
    -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
    -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
Everything about the cert _appears_ to be fine. Openssl output looks normal
and the puppet agent runs fine.
During testing I have radically reduced the certificate validity down to 10
minutes. The output of ipa-getcert list is:
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
certificate:
type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM
20220829230619
issued: 2022-08-30 21:29:11 UTC
expires: 2022-08-30 21:39:11 UTC
dns: ip-10-0-82-56.eu-west-1.compute.internal
principal name: host/
ip-10-0-82-56.eu-west-1.compute.internal(a)DOMAIN.COM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
However, it never actually updates before (or after) expiration. I have
tried restarting the service and rebooting. This is happening on two hosts.
I see no failures in the log or anything in the log after the last resubmit
command. I have manually used rekey and resubmit. Both worked fine. Using a
blog post from Fraser, I tried start-tracking with --no-renew, then
--renew. I looked for errors. The only thing that seems kind of odd to me is
in /var/lib/certmonger/requests/20220830202305:
last_need_notify_check=20220830205312
last_need_enroll_check=20220830205312
1 year, 7 months
Ubuntu 22 and sssd 2.6.3
by Ranbir
Hello All,
Has anyone successfully enrolled an Ubuntu 22 client into an AlmaLinux
9 IdM or Rocky Linux 9 IdM domain in a trust with AD _and_ managed to
have consistently fast and reliable logins into that Ubuntu 22 client
with AD users? I sure haven't.
I have been smashing my head into a wall trying to get stupid Ubuntu 22
to work. After enabling debug_level 9, I managed to figure out that my
test client was missing the krb5-pkinit package so I installed that. I
also noticed errors in sssd_pac.log about the backend being offline. I
eventually figured out that I needed to add "services = pac" to the
client's sssd.conf. Note: I had removed the services line because in
Ubuntu 22, the various services are instead started as needed via their
sockets (e.g. sssd-autofs.socket, sssd-nss.socket, etc.). If you leave
them defined in the services line, you get tons of errors during system
startup.
I've resolved those errors, but I'm still seeing extremely slow logins
when it works. Usually, the login just fails. However, if I log in as
root and look up AD users, they are found and returned to the terminal.
The sssd.conf from the client running sssd 2.6.3 is below. If anyone
has any pointers, please send them over. I wish I didn't have to get
Ubuntu 22 clients working with freeipa, but I do. :(
[domain/idm.domain.com]
id_provider = ipa
ipa_server = _srv_, p1idma01.idm.domain.com
ipa_domain = idm.domain.com
ipa_hostname = u22test.idm.domain.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_deref_threshold = 0
krb5_store_password_if_offline = True
selinux_provider = none
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = yow
debug_level = 9
[domain/idm.domain.com/corp.ad.domain.com]
ad_site = ottawa
[sssd]
#services = nss, pam, ssh, sudo, autofs
services = pac
domains = idm.domain.com
debug_level = 9
[nss]
default_shell = /bin/bash
homedir_substring = /home
debug_level = 9
[pam]
debug_level = 9
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
--
Ranbir
1 year, 7 months
Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert
by Erling Andersen
Hi,
We have a problem connecting with the CA REST API (403).
Any ideas how to troubleshoot?
Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers
Only looking at the CA renewal master (ipa1.example.com)
# ipa cert-show 1
ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json
ipa: ERROR: Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)
# pki-healthcheck
Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca",
"when": "20220809080611Z",
"duration": "0.164052",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
}
]
LDAP and IPA RA appear to have identical certificates and serial number:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description
dn: uid=ipara,ou=people,o=ipaca
userCertificate:: MIID...Ovix8
description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
# openssl x509 -text -in /var/lib/ipa/ra-agent.pem
Serial Number: 1878982672 (0x6fff0010)
Validity
Not Before: Aug 8 10:02:19 2022 GMT
Not After : Jul 28 10:02:19 2024 GMT
-----BEGIN CERTIFICATE-----
MIID...Ovix8
-----END CERTIFICATE-----
PKI appears to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial
Serial Number: 1878982665 (0x6fff0009)
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIID...eluPug==
description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM
And, the certificate in CS.cfg appears to match the caSigningCert in LDAP:
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.signing.cert=MIID...yfc5a
# ldapsearch -LLL -D 'cn=directory manager' -W \
-b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
userCertificate:: MIID...yfc5a
Additional details:
# ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca
dn: ou=authorities,ou=ca,o=ipaca
ou: authorities
objectClass: top
objectClass: organizationalUnit
dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca
authoritySerial: 1878982673
description: Host authority
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE
authorityKeyNickname: caSigningCert cert-pki-ca
authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add
cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add
objectClass: authority
objectClass: top
# ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
cn: ipa
ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM
description: IPA CA
# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
EXAMPLE.COM IPA CA CTu,Cu,Cu
EXAMPLE.COM IPA CA CTu,Cu,Cu
# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA'
3 certificates
# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
3 certificates (identical with above 3 certificates)
# pki ca-cert-show 1878982672
Serial Number: 0x6fff0010
Subject DN: CN=IPA RA,O=EXAMPLE.COM
Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
Status: VALID
Not Valid Before: Mon Aug 08 12:02:19 CEST 2022
Not Valid After: Sun Jul 28 12:02:19 CEST 2024
1 year, 7 months
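As an added example (not from the thread, and not pki-healthcheck's own code), a Python check that compares the `ca.signing.cert` value in CS.cfg with each certificate that `certutil -L -a -n 'caSigningCert cert-pki-ca'` exports, since the output above shows three certificates under that nickname: it tells apart "the CS.cfg value is absent from the export" from "it is present but is not the first certificate under the nickname". The blobs and the CS.cfg text are constructed placeholders, not real certificates.

```python
"""Compare the base64 value of a CS.cfg directive (ca.signing.cert) against every
certificate that `certutil -L -d /etc/pki/pki-tomcat/alias -a -n <nickname>` exports.
CS.cfg holds the DER as one base64 line, certutil prints PEM, so both are normalized
to re-encoded DER before comparing. The blobs below are constructed placeholders,
not real certificates, and the CS.cfg text is constructed for this example."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cs_cfg_value(cs_cfg_text, directive):
    """Value of `directive=` in a key=value file such as CS.cfg, or None if absent."""
    for line in cs_cfg_text.splitlines():
        if line.startswith(directive + "="):
            return line[len(directive) + 1:].strip()
    return None


def normalize_b64(b64):
    """Decode (whitespace-insensitive) and re-encode so wrapped PEM bodies and single-line
    CS.cfg values compare equal exactly when they carry the same DER bytes."""
    der = base64.b64decode("".join(b64.split()), validate=True)
    return base64.b64encode(der).decode("ascii")


def pem_bundle_certs(pem_text):
    """Normalized base64 of every certificate in a PEM bundle, in the order printed."""
    return [normalize_b64(body) for body in PEM_RE.findall(pem_text)]


def check_directive(cs_cfg_text, pem_text, directive):
    """Return (index of the exported cert equal to the directive value, or None;
    number of certs under the nickname). An index other than 0 with several certs
    means the value is present but is not the first cert under that nickname, which is
    a different situation from the value being absent from the NSS database."""
    certs = pem_bundle_certs(pem_text)
    want = cs_cfg_value(cs_cfg_text, directive)
    if want is None:
        return None, len(certs)
    want = normalize_b64(want)
    for i, cert in enumerate(certs):
        if cert == want:
            return i, len(certs)
    return None, len(certs)


def _pem(der_bytes):
    """Wrap bytes the way certutil -a prints a certificate (64-column base64)."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for three certificates exported under one nickname.
BLOB_A = b"constructed placeholder, not a real certificate: A" * 3
BLOB_B = b"constructed placeholder, not a real certificate: B" * 3
BLOB_C = b"constructed placeholder, not a real certificate: C" * 3
SAMPLE_PEM_EXPORT = _pem(BLOB_A) + _pem(BLOB_B) + _pem(BLOB_C)
SAMPLE_CS_CFG = "ca.signing.cert=" + base64.b64encode(BLOB_B).decode("ascii") + "\n"

if __name__ == "__main__":
    idx, count = check_directive(SAMPLE_CS_CFG, SAMPLE_PEM_EXPORT, "ca.signing.cert")
    print("ca.signing.cert matches export #%s of %d" % (idx, count))
```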