Free IPA Install Fails Over Logos Dependencies
by Steve Reed
Hi everyone,
I'm using a Centos 7 machine. rpm -q returns that it is centos-release-7-9.2009.1.el7.centos.x86_64.
I am getting an error during the install of FreeIPA.
After entering yum install ipa-server with the current Centos repo, it fails and reports at the end:
Error: Package: ipa-server-4.6.8-5.el7_9.11.x86_64
Requires: system-logos >= 70.7.0
Installed: centos-logos-70.0.6-3.el7.centos.noarch
system-logos = 70.0.6-3.el7.centos
Available: redhat-logos-70.7.0-1.el7.noarch
system-logos = 70.7.0-1.el7
It says to try using --skip-broken to work around the problem.
That doesn't work either.
I'm suspecting that it is the repo, but I'm not sure how to verify that is the problem. Any thoughts or ideas?
1 year, 5 months
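Whether `centos-logos-70.0.6-3.el7.centos` can satisfy `system-logos >= 70.7.0` comes down to RPM's version comparison, and the error block above already lists every candidate provider. The following is an added example, not part of the post and not yum's or rpm's code: a Python re-implementation of the `rpmvercmp` segment rules (digit runs compared numerically, letter runs lexically, `~` sorting below everything) and a small parser for the `Requires:/Installed:/Available:` lines quoted above, which reports which provider meets the requirement. The `^` operator of newer rpm releases is not handled.

```python
import re

# rpmvercmp splits a version into runs of digits, runs of letters and the tilde;
# every other character is a separator and is ignored.
_SEG = re.compile(r"~|[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b using rpm's segment rules:
    numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, a leftover segment beats the end of the
    other string, and '~' sorts below everything including end of string."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue                      # both '~': skip and keep comparing
        if not x or not y:
            return -1 if not x else 1     # whoever still has segments wins
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]'; a missing epoch is 0 and a missing
    release is None, meaning 'do not compare releases'."""
    epoch, version, release = "0", evr, None
    if ":" in version:
        epoch, version = version.split(":", 1)
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    c = rpmvercmp(ea, eb) or rpmvercmp(va, vb)
    if c != 0 or ra is None or rb is None:
        return c
    return rpmvercmp(ra, rb)


def satisfies(provided: str, op: str, required: str) -> bool:
    """Does a 'name = provided' provide satisfy 'name <op> required'?"""
    c = evr_cmp(provided, required)
    return {">=": c >= 0, "<=": c <= 0, "=": c == 0, ">": c > 0, "<": c < 0}[op]


# The dependency error quoted in the post, used here as sample input.
YUM_ERROR = """\
Error: Package: ipa-server-4.6.8-5.el7_9.11.x86_64
Requires: system-logos >= 70.7.0
Installed: centos-logos-70.0.6-3.el7.centos.noarch
system-logos = 70.0.6-3.el7.centos
Available: redhat-logos-70.7.0-1.el7.noarch
system-logos = 70.7.0-1.el7
"""


def check_yum_error(text: str) -> dict:
    """Map each Installed/Available package in a yum dependency error to
    (state, satisfies_requirement) for the 'Requires:' line it reports."""
    req = re.search(r"Requires:\s+(\S+)\s+(>=|<=|=|>|<)\s+(\S+)", text)
    name, op, required = req.groups()
    results, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(Installed|Available):\s+(\S+)", line.strip())
        if m:
            current = m.groups()
            continue
        m = re.match(re.escape(name) + r"\s+=\s+(\S+)$", line.strip())
        if m and current:
            results[current[1]] = (current[0], satisfies(m.group(1), op, required))
    return results


if __name__ == "__main__":
    for pkg, (state, ok) in check_yum_error(YUM_ERROR).items():
        print(f"{state:9} {pkg}: {'satisfies' if ok else 'does not satisfy'} the requirement")
```

Run against the post's error, only the `redhat-logos` package satisfies the requirement, which is consistent with the poster's suspicion about the repository: a CentOS 7 host should be offered `centos-logos`, and a package from another distribution's branding showing up as the only valid provider is the kind of mismatch worth confirming with `yum repolist` and `yum info redhat-logos` before installing anything.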
Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
by Polavarapu Manideep Sai
Hi Team,
Facing the below error while upgrading the IPA server using the ipa-server-upgrade command.
Please let us know the fix, if any, and let us know if any more details are required on the same.
ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
1 year, 5 months
LDAP not starting for IPA-Server
by Nick Polites
Hello,
I ran into this issue which was compounded when I ran a yum update and IPA needed to run an upgrade. I rolled back the update to get it to stop requesting an upgrade. I see two issues here and not sure if they are related. Note I removed our domain name and replaced it with DOMAIN.
1) Running "getcert list | egrep -e status -e expire -e certificate" I see one cert which has expired but two are showing a status of CA_UNREACHABLE
getcert list | egrep -e status -e expire -e certificate
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
I think this could be what is throwing this error in my messages
Sep 27 11:55:38 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 515, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
So what I tried to do is roll back the date to Dec 25, 2021 and try to restart everything, but LDAP is still not starting and here are a few errors I am seeing:
Dec 25 12:50:06 hlipa03 systemd: Starting 389 Directory Server DOMAIN-COM....
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.472160613 -0500] - NOTICE - config_set_port - Non-Secure Port Disabled
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.568296397 -0500] - INFO - main - 389-Directory/1.3.10.2 B2022.179.1321 starting up
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.570071317 -0500] - INFO - main - Setting the maximum file descriptor limit to: 16384
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.267883144 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.282267183 -0500] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.287484618 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.303941493 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.320417322 -0500] - NOTICE - ldbm_back_start - found 30613432k physical memory
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.321743123 -0500] - NOTICE - ldbm_back_start - found 29044884k available
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.322958961 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 765335k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.324023640 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.328954216 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.330907096 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.336102686 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.337870481 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.342750894 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.344621870 -0500] - NOTICE - ldbm_back_start - total cache size: 3400949555 B;
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.467376898 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.468965116 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.470221810 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.471510458 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.472703756 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.473949469 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.475191460 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.476506914 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.477702221 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.481346463 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.482548595 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.483735174 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.484936731 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.486290254 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.487505855 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.488679941 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.489957510 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.491180117 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.492446197 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.499046420 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.502451715 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.504012530 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.639427471 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.688774307 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.691560843 -0500] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTohlipa06.domain.com" (hlipa06:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.693497359 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.721198701 -0500] - INFO - slapd_daemon - slapd started. Listening on /var/run/slapd-DOMAIN-COM.socket for LDAPI requests
Dec 25 12:50:11 hlipa03 systemd: Started 389 Directory Server DOMAIN-COM..
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.723579661 -0500] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.724902033 -0500] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-hlipa03.domain.com-pki-tomcat" (hlipa01:389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.728132510 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.731080779 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.735789980 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.738768442 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.747472483 -0500] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Does anyone know what could be happening here?
Thanks
1 year, 5 months
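A quick way to read `getcert list` output like the one above is to parse it into one record per tracked certificate and evaluate the expiry dates against a chosen clock, since the post tries rolling the system date back. The following is an added example, not part of the post and not certmonger's code: it accepts both the `certificate:` lines shown here and the `key pair storage:` variant that appears in a later post on this page, and the sample input is a shortened, constructed copy of this post's output (same nicknames, statuses and dates, fewer entries).

```python
import re
from datetime import datetime, timezone

# Constructed sample: a shortened copy of the filtered getcert output in the post.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
"""


def parse_getcert(text: str) -> list:
    """Turn the filtered getcert lines into one dict per tracked certificate;
    every 'status:' line opens a new record.  NSS DB entries are named by
    nickname, file-backed ones by their path."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "status":
            cur = {"status": value, "name": None, "expires": None}
            records.append(cur)
        elif cur is None:
            continue                      # header lines before the first record
        elif key in ("certificate", "key pair storage"):
            nick = re.search(r"nickname='([^']*)'", value)
            loc = re.search(r"location='([^']*)'", value)
            cur["name"] = nick.group(1) if nick else loc.group(1)
        elif key == "expires":
            cur["expires"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return records


def report(text: str, as_of_date: str) -> tuple:
    """Return (expired, not_monitoring): names whose expiry is on or before the
    given 'YYYY-MM-DD' (taken as 00:00 UTC), and names whose certmonger state
    is anything other than MONITORING."""
    as_of = datetime.strptime(as_of_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    records = parse_getcert(text)
    expired = [r["name"] for r in records if r["expires"] and r["expires"] <= as_of]
    not_monitoring = [r["name"] for r in records if r["status"] != "MONITORING"]
    return expired, not_monitoring


if __name__ == "__main__":
    for day in ("2022-09-27", "2021-12-25"):
        expired, not_monitoring = report(GETCERT_OUTPUT, day)
        print(day, "expired:", expired, "not MONITORING:", not_monitoring)
```

Evaluated on the post's log date the only expired entry is `ocspSigningCert cert-pki-ca`; evaluated on the rolled-back date nothing is expired, yet the two `CA_UNREACHABLE` entries are reported either way. That status is not a date check: it records that certmonger could not reach the CA on its last renewal attempt, so it has to be read together with the service state (the `Cannot contact any KDC` errors in the same post) rather than explained by expiry alone.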
FreeIPA Migration to RHEL 9 or Cent OS 9 or Alma Linux 9 or Rocky Linux 9
by TomK
Hey Folks,
I'm looking into migrating my FreeIPA 4.6.6 setup to RHEL 9 or any of
the subject *nix 9 environments.
The immediate steps I can see doing is:
0) Take snapshots
1) Spin up RHEL 9 or Cent OS 9 boxes etc.
2) Install the latest FreeIPA version.
3) Enable replication from the older RHEL 7 FreeIPA 4.6.6 installation
to this newer installation. (Possible?)
4) Decomm old nodes or rebuild with latest *nix 9.X image.
5) Rinse and repeat till all done.
For step 3) is it even possible to migrate from an older FreeIPA version
to a newer one? Any known issues? Should I target the install on the
*nix 9 hosts to the exact same version as FreeIPA on RHEL 7 nodes?
--
Cheers and Thanks,
Tom
1 year, 6 months
ipa-healthcheck change log location
by Tania Hagan
Hi,
Using ipa-healthcheck, it will export logs to /var/log/ipa/healthcheck/healthcheck.log
However, I'm trying to use the ipahealthcheck_exporter using a created user and group (ipahealthcheck_exporter), which requires permission to read the file /var/log/healthcheck/healthcheck.log. Unfortunately my created user or group isn't allowed to read this file. If I copy the file to /var/log/ipa-healthcheck.log I'm able to read it. Is it possible to change the default location?
Many Thanks,
Tania
1 year, 6 months
IPA-Domain not shown
by Ronald Wimmer
We set up IPA in a new network segment. Everything works fine but when I
issue
getent passwd someipausername
I do not get
someipausername@ipadomain.xyz
Only someipausername is shown without the domain part. Why? Did this
become something I need to enable explicitly?
Cheers,
Ronald
1 year, 6 months
Internal Database Error encountered: Could not connect to LDAP server host idmipa02.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
by TomK
Hey Everyone!
Wondering if anyone could help nudge me along in the right direction on
this one. Getting the following on my FreeIPA master and replica:
Internal Database Error encountered: Could not connect to LDAP server
host idmipa01.nix.mds.xyz port 636 Error netscape.ldap.LDAPException:
Authentication failed (48)
Internal Database Error encountered: Could not connect to LDAP server
host idmipa02.nix.mds.xyz port 636 Error netscape.ldap.LDAPException:
Authentication failed (48)
These appeared after some power outages occurred 2-3 times and both
hosts were affected. Went over a few pages online to try to get to the
bottom of these errors on these VMs; however, no luck so far:
https://access.redhat.com/solutions/3081821
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
and about a dozen other pages with little luck.
Here's what I tried. First, wanted to and did kick off the following on
idmipa02:
ipa-cacert-manage renew
I've read on a few posts that command will cause the running server to
become the renewal master, so was cautious to check first:
[idmipa01]
# ipa config-show | grep 'IPA CA renewal master'
IPA CA renewal master: idmipa02.nix.mds.xyz
[idmipa02]
# ipa config-show | grep 'IPA CA renewal master'
IPA CA renewal master: idmipa02.nix.mds.xyz
Checked the certs and indeed the serial was different:
# ldapsearch -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=pkidbuser,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
userPassword:: e1NTSEE1MTJ9NUs3N......................................g4
description: 2;26;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA Subsystem,O=NIX
 .MDS.XYZ
seeAlso: CN=CA Subsystem,O=NIX.MDS.XYZ
userCertificate:: MIIDdjCCAl6............................IYL9mJQXhHIxpc=
userCertificate:: MIIDcTCCAlmgAwIBAg.........Mdr8SvD9uWfMPwUE4Tf2csf0z+Z
userCertificate:: MIIDcTCCAlmgA..............yShSmujM9PJrJPBBjLmTCIle9Xl
userCertificate:: MIIDdDCCAlygAwIBAg......................cgDVlPYm3LmKk+
userstate: 1
usertype: agentType
mail:
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert cert-pki-ca' -a
-----BEGIN CERTIFICATE-----
MIIDdDC..........................................dJmcMKreZ7cgDVlPYm3LmKk+
-----END CERTIFICATE-----
# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert cert-pki-ca' |grep -i serial
Serial Number: 268369925 (0xfff0005)
So updated it using:
ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -W << EOF
dn:uid=pkidbuser,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;268369925;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA Subsystem,O=NIX.MDS.XYZ
EOF
Then verified that only the serial changed (the cert was already in the
list anyway so did not need to change) by comparing the before and after:
# diff 1.txt 2.txt
11a12,13
> description: 2;268369925;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA
Subsyste
> m,O=NIX.MDS.XYZ
14,15d15
< description: 2;26;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA
Subsystem,O=NIX
< .MDS.XYZ
Confirmed trust attributes are fine:
certutil -d /etc/dirsrv/slapd-NIX-MDS-XYZ/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
NIX.MDS.XYZ IPA CA                                           CT,C,C
Yet on restart on idmipa02, still the same issue:
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in
case that a non-critical service failed
Aborting ipactl
I have dated snapshots of both servers however, they both are with the
above mentioned issue. These hosts were also offline for a couple of
months meaning cert expiration could be an issue. Likewise, I could
have caused a slight mess myself trying various online solutions that
don't always match 100%.
In regards to the certificate expiration, below are the expiration dates
for various certs, though admittedly I can't be sure of how impacting
any of these dates are since I don't yet understand the usage of each of
these certs as much as I would like to, with the exception of the
subsystemCert:
# getcert list|grep -Ei "expires|status|key pair storage"
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2022-09-10 22:14:56 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2022-09-10 22:13:56 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2022-09-10 22:13:54 UTC
status: MONITORING
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2036-11-21 07:32:02 UTC
status: CA_UNREACHABLE
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
expires: 2022-09-21 22:13:57 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2022-08-27 17:23:10 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-NIX-MDS-XYZ/pwdfile.txt'
expires: 2022-09-29 17:22:58 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
expires: 2022-09-29 17:22:45 UTC
status: MONITORING
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
expires: 2023-09-25 02:17:17 UTC
Both hosts are reachable from each other. Verified a couple of ports to
be sure. F/W is off on both, for the moment and both hosts exist on the
same VLAN.
--
Thx,
TK.
1 year, 6 months
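The step at the centre of the post above is the `description` attribute of `uid=pkidbuser,ou=people,o=ipaca`, which Dogtag keeps in the form `2;<serial>;<issuer DN>;<subject DN>` and which must name the same serial as the subsystem certificate actually stored in `/etc/pki/pki-tomcat/alias`. The following is an added example, not part of the post and not FreeIPA or Dogtag code: it unfolds LDIF the way `ldapsearch` prints it (continuation lines start with one space), compares the recorded serial with the one reported by `certutil -L`, and emits the `ldapmodify` input the post used. Both sample inputs are constructed from the output quoted in the post.

```python
import re

# Constructed LDIF, shortened from the ldapsearch output in the post.  The
# 'description' value is folded the way ldapsearch prints long values: the
# continuation line starts with a single space.
LDIF = """\
dn: uid=pkidbuser,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=NIX.MDS.XYZ;CN=CA Subsystem,O=NIX
 .MDS.XYZ
seeAlso: CN=CA Subsystem,O=NIX.MDS.XYZ
uid: pkidbuser
objectClass: cmsuser
"""

# Constructed from the 'certutil -L ... | grep -i serial' line in the post.
CERTUTIL_OUTPUT = """\
        Serial Number: 268369925 (0xfff0005)
"""


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_attrs(text: str) -> dict:
    """Attribute -> list of values for one entry.  '::' (base64) values are kept
    encoded, as ldapsearch printed them."""
    attrs = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = value[1:]
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def parse_cms_description(desc: str) -> dict:
    """Dogtag records a user's certificate as 'version;serial;issuerDN;subjectDN'."""
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": version, "serial": int(serial), "issuer": issuer, "subject": subject}


def certutil_serial(text: str) -> int:
    m = re.search(r"Serial Number:\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Serial Number:' line in certutil output")
    return int(m.group(1))


def check_subsystem_cert(ldif_text: str, certutil_text: str) -> tuple:
    """Return (serials_match, fix_ldif).  When the serial recorded in LDAP differs
    from the one in the NSS database, fix_ldif is the ldapmodify input that
    replaces the description, keeping the recorded issuer and subject."""
    attrs = ldif_attrs(ldif_text)
    rec = parse_cms_description(attrs["description"][0])
    actual = certutil_serial(certutil_text)
    if rec["serial"] == actual:
        return True, None
    new_desc = "{};{};{};{}".format(rec["version"], actual, rec["issuer"], rec["subject"])
    fix = "dn: {}\nchangetype: modify\nreplace: description\ndescription: {}\n".format(
        attrs["dn"][0], new_desc)
    return False, fix


if __name__ == "__main__":
    ok, fix = check_subsystem_cert(LDIF, CERTUTIL_OUTPUT)
    print("serial matches" if ok else fix)
```

Only the serial is compared; the `userCertificate` values in the entry are left alone, which is also what the post's own `ldapmodify` did. The output of the script is exactly the modify the post applied, so running the check against a fresh `ldapsearch` dump after the change is a direct way to confirm the record now agrees with the NSS database.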
Slow ssh authentication due to sysdb_update_members_ex errors
by ahmed zakraoui
Hello,
I have a cluster of 6 FreeIPA servers in production that are connected to an Active Directory cluster via the Active Directory trust. The goal is to make users access Linux VMs using their Active Directory credentials. This works fine for the majority of our servers, but lately we started to notice slow ssh authentication for Active Directory users. This is caused by sssd sometimes (I don't know when or why) trying to enumerate all the users (or part of the users) on the AD and trying to update their group membership (below is an example of the error message).
Our freeIPA clients OS are Debian 9 + 10 + 11 and CentOS 7 + 8. This behavior was only noticed on Debian 11 (sssd version 2.4.1-2).
Below the error message:
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=administrateurs de l'entreprise@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=administrateurs du schéma@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=cmp_wifi_admin@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=admins du domaine@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_send] (0x0020): ipa_deskprofile_get_user_info() failed [22]: Invalid argument
This is my sssd configuration file:
[domain/ipa.company.net]
timeout=30000
default_shell = /bin/bash
override_shell = /bin/bash
ipa_domain = ipa.company.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = dev-it-activiti-pa2-01.priv.company.net
chpass_provider = ipa
ipa_server = ipa-master-pa2-01.priv.company.net, ipa-replica-pa2-01.priv.company.net, ipa-replica-pa2-02.priv.company.net
ipa_backup_server = ipa-replica-th2-01.priv.company.net, ipa-replica-th2-02.priv.company.net, ipa-master-th2-01.priv.company.net
dns_discovery_domain = ipa.company.net
krb5_use_enterprise_principal = True
ldap_group_nesting_level = 0
[sssd]
domains = ipa.company.net
[nss]
timeout=30000
homedir_substring = /home
[pam]
timeout=30000
[sudo]
timeout=30000
[autofs]
[ssh]
timeout=30000
[pac]
[ifp]
[secrets]
[session_recording]
Important notice: I tried these options:
ldap_schema=rfc2307bis
ignore_group_members = True
ldap_group_nesting_level = 0
ldap_use_tokengroups = false
It worked fine after clearing the cache and restarting the service, but a few hours later the same behavior was reproduced.
Any help with this please?
Thanks !
1 year, 6 months
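The debug lines quoted above are the raw material for telling a one-off lookup from the enumeration the post describes: many `sysdb_update_members_ex` failures for one member within the same second, each naming a different group. The following is an added example, not part of the post and not sssd code: a parser for sssd's `(timestamp): [be[domain]] [function] (level): message` line shape that counts messages per function and collects the distinct groups touched per (member, second), so a burst stands out. The sample lines are constructed, shortened from the post, with the domain, the member and one group name replaced.

```python
import re
from collections import Counter, defaultdict

# sssd debug line layout: "(timestamp): [be[domain]] [function] (level): message"
LINE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})\): "
    r"\[be\[(?P<domain>[^\]]+)\]\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
MEMBER = re.compile(r"Could not add member \[(?P<member>[^\]]+)\] to group \[name=(?P<group>[^,]+),")

# Constructed sample, shortened from the post's log with the domain, member and
# one group name replaced; the line shapes are the post's.
SAMPLE_LOG = """\
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=wseallowmediaaccess@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=wseallowhomepagelinks@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=administrateurs de l'entreprise@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=cmp_wifi_admin@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=admins du domaine@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@ad.example] to group [name=wseallowmediaaccess@ad.example,cn=groups,cn=ad.example,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.example.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.example.net]] [ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]
(2022-09-28 9:38:58): [be[ipa.example.net]] [ipa_pam_session_handler_send] (0x0020): ipa_deskprofile_get_user_info() failed [22]: Invalid argument
"""


def parse_sssd_log(text: str) -> list:
    """Return one dict (ts, domain, func, level, msg) per line that matches."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def summarize(events: list) -> tuple:
    """Return (count per function, sorted distinct groups per (member, second)
    for the membership failures); the second view is what makes a burst visible."""
    per_func = Counter(e["func"] for e in events)
    per_second = defaultdict(set)
    for e in events:
        if e["func"] == "sysdb_update_members_ex":
            mm = MEMBER.search(e["msg"])
            if mm:
                per_second[(mm["member"], e["ts"])].add(mm["group"])
    return per_func, {k: sorted(v) for k, v in per_second.items()}


def flag_bursts(per_second: dict, threshold: int) -> list:
    """(member, second) keys whose failures touched at least `threshold` groups."""
    return [k for k, groups in per_second.items() if len(groups) >= threshold]


if __name__ == "__main__":
    per_func, per_second = summarize(parse_sssd_log(SAMPLE_LOG))
    print(dict(per_func))
    for key in flag_bursts(per_second, 5):
        print("burst:", key, len(per_second[key]), "groups")
```

The grouping key (member, second) is deliberate: a single user logging in touches their own groups once, whereas the post's log shows the same member cycling through the full group list and then repeating it, which is what the per-second set size reveals. Run over the post's full log the same key would collect 13 distinct groups; the threshold is a tuning knob to choose from a known-good baseline.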
Anycast Installation
by Entrepreneur AJ
Hi all,
We have our own ASN and IP pool and were hoping to anycast our servers so
that as our employees travel they just connect to the nearest
operational instance.
I have tried by just setting up an anycast IP but can't enroll using the
anycast hostname because it errors out getting the root cert with the
domain not matching.
We want our setup to be as follows;
London:
ipa1.gb-lon.domain.tld
ipa2.gb-lon.domain.tld
ipa3.gb-lon.domain.tld
Dallas:
ipa1.us-dal.domain.tld
ipa2.us-dal.domain.tld
ipa3.us-dal.domain.tld
Singapore:
ipa1.sg-sg.domain.tld
ipa2.sg-sg.domain.tld
ipa3.sg-sg.domain.tld
ECMP Anycast Routed Hostname: ipa.domain.tld
Ideally we want to be able to have the DNS SRV records point to
ipa.eajglobal.net and nothing else, relying on anycast, but it looks like I
would need a way of adding a SAN to the root certificate. Can anybody
advise on the best way of doing this?
1 year, 6 months
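The enrollment error in the post is a name check: a TLS client compares the host name it connected to against the dNSName entries of the certificate the server presents, and an anycast name such as `ipa.domain.tld` is not among the per-site host names listed above. The following is an added example, not part of the post and not FreeIPA code: it implements the dNSName matching rules of RFC 6125 section 6.4.3 that clients apply (case-insensitive label comparison, a wildcard only as the whole left-most label and only one label deep) and runs them over the post's naming scheme, reporting which names a certificate would still need. The naming scheme is constructed from the post; `ANYCAST_NAME` is the post's `ipa.domain.tld`.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (optionally with a leading '*' label) against a
    host name, per the presented-identifier rules of RFC 6125 section 6.4.3.
    Partial-label wildcards such as 'ipa*' are deliberately refused."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # the wildcard stands for exactly one left-most label and must have at
        # least two labels under it, so '*.tld' never matches anything
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName of the certificate covers the connected host name."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def names_needed(existing_sans, connect_names) -> list:
    """Connect names that the certificate's current SAN list does not cover."""
    return [n for n in connect_names if not cert_matches_host(existing_sans, n)]


# Constructed from the naming scheme in the post.
SITES = ("gb-lon", "us-dal", "sg-sg")
SITE_HOSTS = [f"ipa{i}.{site}.domain.tld" for site in SITES for i in (1, 2, 3)]
ANYCAST_NAME = "ipa.domain.tld"


def per_server_plan(anycast_name: str = ANYCAST_NAME) -> dict:
    """For each server, the SAN list it would need: its own name plus the anycast
    name, since each node must validate under whichever name a client used."""
    return {host: [host, anycast_name] for host in SITE_HOSTS}


if __name__ == "__main__":
    print("missing with per-host SANs only:", names_needed(SITE_HOSTS, [ANYCAST_NAME]))
    print("missing with a site wildcard:", names_needed(["*.gb-lon.domain.tld"], [ANYCAST_NAME]))
    for host, sans in per_server_plan().items():
        assert cert_matches_host(sans, ANYCAST_NAME) and cert_matches_host(sans, host)
    print("every server certificate in the plan validates under both names")
```

Two points the run makes concrete: a site wildcard such as `*.gb-lon.domain.tld` does not cover `ipa.domain.tld` because it is one label too deep, and the name has to be carried by each server's own certificate, since that is the certificate the client checks; the CA certificate that the client fetches during enrollment is not what the host name is matched against.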