Intermittent login issues with SSSD/IDM
by Master Blaster
Howdy,
We are having intermittent login issues with our SSSD/IPA clients using Identity Manager in a read-only cross-forest trust configuration.
The SSSD/IPA servers themselves don't seem to be having this issue, just the SSSD/IPA clients using the IDM/IPA servers as their identity provider.
In addition, the problem only affects AD accounts, not native IDM accounts.
The issue manifests itself as either failed logins or the 'id' command returning user unknown.
All of our IDM servers are RHEL 8. Clients are various mixes of RHEL 7 and RHEL 8, all exhibiting the same issue.
We have a P2 open with Red Hat, and it feels like they are having a problem pinpointing the issue.
Red Hat support seems to be indicating our AD environment is to blame, at least partially, as most of our AD groups don't have GIDs. We have 80K+ users in our AD (not all of them assigned a Unix UID in AD, as most of them have no need to log in to Unix). However, the users that are logging in via SSSD obviously have UIDs and many groups attached to them, most of which may not have POSIX GIDs, as many of those groups will never need to touch Unix (i.e., email groups, Windows-only access groups, etc., etc., etc.).
Red Hat seems to indicate this is a highly unusual configuration for AD, where not all groups have POSIX GIDs assigned.
I'm curious to know if those who have large AD environments like this, with a mix of Unix and non-Unix users, truly assign a POSIX GID to each and every group, even if that group will never be utilized by Unix.
Also curious to know if anyone else is experiencing intermittent login problems like this, and if you were able to solve it, and how?
Thank you...
1 year, 7 months
I can't access the WebUI on my IPA Master ...
by Sascha Kolanos
Hello all,
Since one or two days ago I haven't been able to access the WebUI on my IPA Master (4.9.10). With the Replica it works without problems.
In /var/log/messages I have the following messages:
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wi>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,S>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384wi>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA51>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512wi>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep 3 10:44:49 fedora server[2507]: Java virtual machine used: /usr/lib/jvm/jre-17-openjdk/bin/java
Sep 3 10:44:49 fedora server[2507]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
Sep 3 10:44:49 fedora server[2507]: main class used: org.apache.catalina.startup.Bootstrap
Sep 3 10:44:49 fedora server[2507]: flags used: -Dcom.redhat.fips=false
Sep 3 10:44:49 fedora server[2507]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pk>
Sep 3 10:44:49 fedora server[2507]: arguments used: start
Sep 3 10:44:49 fedora server[2507]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.co>
Sep 3 10:44:49 fedora server[2507]: WARNING: A command line option has enabled the Security Manager
Sep 3 10:44:49 fedora server[2507]: WARNING: The Security Manager is deprecated and will be removed in a future release
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Created connection http://ipa.kolanos.net:8080/ca
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:51 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:52 fedora certmonger[2542]: 2022-09-03 10:44:52 [2542] Certificate "KOLANOS.NET IPA CA" valid for 589414559s.
Sep 3 10:44:52 fedora pcscd[833]: 03957038 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000451 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:52 fedora pcscd[833]: 00048514 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000400 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:52 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:52 fedora pcscd[833]: 00035722 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000293 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:52 fedora pcscd[833]: 00039624 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000335 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:53 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:54 fedora server[2507]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
Sep 3 10:44:55 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Read timed out. (read timeout=1.0)
Does anyone have a tip for how I can proceed here?
Thanks a lot
vapaa
1 year, 7 months
Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails
by Polavarapu Manideep Sai
Hi Team,
Need help from FreeIPA.
Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails.
Please check the issue below and let us know the fix, and please let us know if any more details are required.
Master server: aaa01
Replica server1: dir01 (currently installing replica server )
Replica server2: dirus02 (which was a replica server previously that has been removed from replication)
As noticed while installing the IPA replica server, the replica server retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt; in this process, at the stage "Configuring the web interface (httpd)", we got the below error, i.e.
ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
===============================================
While installing Replica /var/log/ipaclient-install.log
---------------------------------------------------
2022-08-15T13:52:08Z DEBUG stderr=
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com
2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From: 2018-04-12 14:15:30
Valid Until: 2038-04-12 14:15:30
Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From: 2019-01-21 11:54:13
Valid Until: 2021-01-21 11:54:13
2022-08-15T13:52:11Z DEBUG Starting external process
2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
2022-08-15T13:52:15Z DEBUG Starting external process
2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
==================================
While installing replica /var/log/ipareplica-install.log
--------------------------------------------------
2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:11Z DEBUG Process finished, return code=0
2022-08-15T15:07:11Z DEBUG stdout=
2022-08-15T15:07:11Z DEBUG stderr=
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:12Z DEBUG Process finished, return code=255
2022-08-15T15:07:12Z DEBUG stdout=
2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
Observation in Master server(aaa01) ldap database :
=======================================
[root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
[root@aaa01~]#
====================
We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in the IPA master server GUI as well; we have revoked it too, but still it retrieves the same and the installation fails every time.
=================
In the ideal case, while installing a replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM, but in this case it retrieves
Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup.
ipaCertIssuerSerial
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate]
ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [ invalid certificate retrieves from ipa master while installing ipa replica]
[root@aaa01]# ipa cert-show
Serial number: 32
Issuing CA: ipa
Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
Subject DNS name: dirus02.ipa.subdomain.com
Subject UPN: HTTP/dirus02.ipa.subdomain.com(a)IPA.SUBDOMAIN.COM
Subject Kerberos principal name: HTTP/dirus02.ipa.subdomain.com(a)IPA.SUBDOMAIN.COM
Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Not Before: Mon Jan 21 11:54:13 2019 UTC
Not After: Thu Jan 21 11:54:13 2021 UTC
Serial number: 32
Serial number (hex): 0x20
Revoked: True
Revocation reason: 2
[root@aaa01~]#
Regards
ManideepSai
1 year, 7 months
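One check a practitioner would run on the client log above, as an added example that is neither the poster's nor FreeIPA's own code: it parses the certificate summaries that ipa-client-install writes after "Successfully retrieved CA cert" and flags entries that are not self-issued CA certificates or are already expired. It assumes a self-signed IPA CA, as in this post; with an externally signed IPA CA the chain certificates would legitimately have Subject != Issuer.

```python
"""Flag certificates that do not belong in a client's /etc/ipa/ca.crt.

Added example. The sample log is constructed from the ipaclient-install.log
excerpt in the post above (subjects and dates are the poster's)."""
import re
from datetime import datetime, timezone

# Constructed from the poster's /var/log/ipaclient-install.log excerpt.
LOG = """2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
  Subject:     CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
  Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
  Valid From:  2018-04-12 14:15:30
  Valid Until: 2038-04-12 14:15:30

  Subject:     CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM
  Issuer:      CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
  Valid From:  2019-01-21 11:54:13
  Valid Until: 2021-01-21 11:54:13
"""

FMT = "%Y-%m-%d %H:%M:%S"
FIELD_RE = re.compile(r"^\s*(Subject|Issuer|Valid From|Valid Until):\s*(.+?)\s*$")


def parse_certs(text):
    """Group consecutive Subject/Issuer/Valid From/Valid Until lines into one
    dict per certificate; a new 'Subject:' line starts the next certificate."""
    certs, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Subject" and current:
            certs.append(current)
            current = {}
        current[key] = value
    if current:
        certs.append(current)
    return certs


def audit_ca_bundle(certs, now=None):
    """Return [(subject, [reasons])] for every certificate that should not be
    in the CA bundle: not self-issued (an end-entity/service certificate, as the
    revoked dirus02 HTTP certificate is) or past its 'Valid Until' time.

    `now` is 'YYYY-MM-DD HH:MM:SS' in UTC; defaults to the current time.
    Assumption: the IPA CA is self-signed, so a CA entry has Subject == Issuer."""
    now_dt = (datetime.strptime(now, FMT) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    findings = []
    for cert in certs:
        reasons = []
        if cert["Subject"] != cert["Issuer"]:
            reasons.append("not self-issued: looks like a service certificate")
        if datetime.strptime(cert["Valid Until"], FMT) < now_dt:
            reasons.append("expired on " + cert["Valid Until"])
        if reasons:
            findings.append((cert["Subject"], reasons))
    return findings


if __name__ == "__main__":
    for subject, reasons in audit_ca_bundle(parse_certs(LOG), "2022-08-15 13:52:11"):
        print(subject)
        for reason in reasons:
            print("  -", reason)
```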
what is the best way to integrate dovecot to FreeIPA
by Günther J. Niederwimmer
Hello,
I have a question about integrating dovecot / postfix with FreeIPA.
Does anyone have a functional wiki or readme for this situation?
What is the "correct" way?
Thanks for answers and help,
--
Kind regards / best Regards,
Günther J. Niederwimmer
1 year, 7 months
error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
by liang fei
hello
Since the keytab file is invalid, I manually generated a new ipa.keytab file, but now it seems that the encryption types do not match. What should I do about this? Thank you
#ipa user-find devop
ipa: DEBUG: importing all plugin modules in ipalib.plugins...
ipa: DEBUG: importing plugin module ipalib.plugins.aci
ipa: DEBUG: importing plugin module ipalib.plugins.automember
ipa: DEBUG: importing plugin module ipalib.plugins.automount
ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
ipa: DEBUG: importing plugin module ipalib.plugins.batch
ipa: DEBUG: importing plugin module ipalib.plugins.caacl
ipa: DEBUG: importing plugin module ipalib.plugins.cert
ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
ipa: DEBUG: importing plugin module ipalib.plugins.config
ipa: DEBUG: importing plugin module ipalib.plugins.delegation
ipa: DEBUG: importing plugin module ipalib.plugins.dns
ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
ipa: DEBUG: importing plugin module ipalib.plugins.group
ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
ipa: DEBUG: importing plugin module ipalib.plugins.host
ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
ipa: DEBUG: importing plugin module ipalib.plugins.idrange
ipa: DEBUG: importing plugin module ipalib.plugins.idviews
ipa: DEBUG: importing plugin module ipalib.plugins.internal
ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipalib.plugins.migration
ipa: DEBUG: importing plugin module ipalib.plugins.misc
ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipalib.plugins.passwd
ipa: DEBUG: importing plugin module ipalib.plugins.permission
ipa: DEBUG: importing plugin module ipalib.plugins.ping
ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
ipa: DEBUG: importing plugin module ipalib.plugins.privilege
ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
ipa: DEBUG: importing plugin module ipalib.plugins.role
ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipalib.plugins.server
ipa: DEBUG: importing plugin module ipalib.plugins.service
ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipalib.plugins.session
ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
ipa: DEBUG: importing plugin module ipalib.plugins.topology
ipa: DEBUG: importing plugin module ipalib.plugins.trust
ipa: DEBUG: importing plugin module ipalib.plugins.user
ipa: DEBUG: importing plugin module ipalib.plugins.vault
ipa: DEBUG: importing plugin module ipalib.plugins.virtual
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin(a)YYDEVOPS.COM'
ipa: INFO: trying https://xx/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140659301866000
ipa: DEBUG: raw: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False)
ipa: DEBUG: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False, pkey_only=False)
ipa: INFO: Forwarding 'user_find' to json server 'https://xx/ipa/json'
ipa: DEBUG: NSSConnection init xx
ipa: DEBUG: Connecting: 10.21.117.149:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=xx,O=YYDEVOPS.COM"
ipa: DEBUG: handshake complete, peer = 10.21.117.149:443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: Destroyed connection context.rpcclient_140659301866000
ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin(a)YYDEVOPS.COM
Valid starting Expires Service principal
08/29/2022 20:40:14 08/30/2022 20:40:07 krbtgt/YYDEVOPS.COM(a)YYDEVOPS.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/29/2022 20:40:31 08/30/2022 20:40:07 HTTP/xx(a)YYDEVOPS.COM
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
# klist -kte /etc/apache2/ipa.keytab
Keytab name: FILE:/etc/apache2/ipa.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac)
5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac)
6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac)
7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac)
8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96)
9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96)
10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)
1 year, 8 months
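A way to check the mismatch the poster suspects, as an added example that is not the poster's or FreeIPA's code: it parses the `klist -e` and `klist -kte` output shown above, reports which enctypes the keytab holds at its current (highest) KVNO, whether the cached HTTP service ticket's enctype is among them, and flags deprecated enctypes. The sample input is constructed from the post; the realm on the keytab principals (anonymized as "HTTP/xx" in the post) is assumed.

```python
"""Compare a cached Kerberos service ticket with the service's keytab.

Added example. A ticket can only be decrypted by a keytab entry with the same
KVNO and enctype, so the enctypes present at the current KVNO are what count."""
import re

# Single-DES, RC4 and triple-DES enctypes are deprecated (RFC 6649, RFC 8429).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5",
              "des3-cbc-sha1"}

# Constructed from the `klist -e` output in the post above.
KLIST_E = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YYDEVOPS.COM

Valid starting       Expires              Service principal
08/29/2022 20:40:14  08/30/2022 20:40:07  krbtgt/YYDEVOPS.COM@YYDEVOPS.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/29/2022 20:40:31  08/30/2022 20:40:07  HTTP/xx@YYDEVOPS.COM
\tEtype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
"""

# Constructed from the `klist -kte /etc/apache2/ipa.keytab` output in the post
# (realm on the principals assumed).
KLIST_KTE = """Keytab name: FILE:/etc/apache2/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 08/29/2022 19:30:22 HTTP/xx@YYDEVOPS.COM (arcfour-hmac)
   5 08/29/2022 19:30:42 HTTP/xx@YYDEVOPS.COM (camellia128-cts-cmac)
   6 08/29/2022 19:30:46 HTTP/xx@YYDEVOPS.COM (camellia256-cts-cmac)
   7 08/29/2022 19:33:02 HTTP/xx@YYDEVOPS.COM (camellia128-cts-cmac)
   8 08/29/2022 19:33:41 HTTP/xx@YYDEVOPS.COM (aes128-cts-hmac-sha1-96)
   9 08/29/2022 19:33:47 HTTP/xx@YYDEVOPS.COM (aes256-cts-hmac-sha1-96)
  10 08/29/2022 19:35:05 HTTP/xx@YYDEVOPS.COM (des3-cbc-sha1)
"""

DATE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^{DATE}\s+{DATE}\s+(\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): ([\w-]+), ([\w-]+)$")
KEYTAB_RE = re.compile(rf"^\s*(\d+) {DATE} (\S+) \(([\w-]+)\)$")


def parse_tickets(text):
    """Map each service principal in `klist -e` output to its 'tkt' enctype,
    i.e. the enctype of the key the service must hold to decrypt the ticket."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and current:
            tickets[current] = m.group(2)
            current = None
    return tickets


def parse_keytab(text):
    """Map each principal in `klist -kte` output to a list of (kvno, enctype)."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return keys


def check_service(principal, tickets, keys):
    """Report how the cached ticket for `principal` relates to its keytab."""
    tkt_etype = tickets.get(principal)
    entries = keys.get(principal, [])
    latest_kvno = max((kvno for kvno, _ in entries), default=None)
    latest_etypes = {etype for kvno, etype in entries if kvno == latest_kvno}
    all_etypes = {etype for _, etype in entries}
    return {
        "ticket_enctype": tkt_etype,
        "latest_kvno": latest_kvno,
        "enctypes_at_latest_kvno": sorted(latest_etypes),
        "ticket_enctype_at_latest_kvno": tkt_etype in latest_etypes,
        "deprecated_in_keytab": sorted(all_etypes & DEPRECATED),
        "ticket_enctype_deprecated": tkt_etype in DEPRECATED,
    }
```

Running it on the poster's data shows that every keytab regeneration bumped the KVNO and left a single enctype per KVNO, so the only key at KVNO 10 is the deprecated des3-cbc-sha1 one that the cached ticket uses.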