January 2023 - FreeIPA-users - Fedora mailing-lists

new server gives error on old server healthcheck
by Rob Verduijn 19 Jan '23

19 Jan '23

Hello all, I wanted to migrate my old el8 freeipa server to el9. So I installed a new system with el9 and configured a replica on it. After this was completed I ran ipa-healthcheck on the new el9 replica and all was well. However after this I ran ipa-healthcheck on the old el8 ipa server and I got the following error. ipa-healthcheck Internal server error 'Link' [ { "source": "pki.server.healthcheck.clones.connectivity_and_data", "check": "ClonesConnectivyAndDataCheck", "result": "ERROR", "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", "when": "20230117082651Z", "duration": "0.402024", "kw": { "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443" } } ] I double checked the firewall and all ports were open on the el9 server firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: br0 enp1s0 sources: services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh ports: protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: On the el9 server ipa-healthcheck yields no errors and ipactl status shows everything is running. Anybody know why the old el8 server fails the ipa-healthcheck ? Rob

3 8

Samba 4.10 and higher doesnt take freeipa groups
by Николай Савельев 18 Jan '23

18 Jan '23

2 1

Installing Third-Party Certificates-Help
by Polavarapu Manideep Sai 17 Jan '23

17 Jan '23

Hi Team, We need your help or support I have a master IPA server and 2 Replica IPA Servers, i want to install third party certificates in my setup a. master.ipa.example.com b. replica1.ipa.example.com c. replica2.ipa.example.com 1. Generated new CSR/wildcard certificate on master IPA server for the domain "*.ipa.example.com" and shared to third party vendor and they have shared two zip files one for apache and other for tomcat as shown below, i see crt and pem files in zip files as shown below after unzip a. _.ipa.onmobile.com_Apache.zip b. _.ipa.onmobile.com_TOMCAT.zip unzipped: [root@dir01 tmp]# tree Apache/ Apache/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt └── _.ipa.onmobile.com_Apache.zip 0 directories, 4 files [root@dir01 tmp]# tree Tomcat/ Tomcat/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt ├── gdig2.crt.pem └── _.ipa.onmobile.com_TOMCAT.zip 0 directories, 5 files 2. Followed the Redhat documentation but not understood which of the following one is applicable in my case for the received certificates Installing Third-Party Certificates for HTTP or LDAP Installing a CA Certificate Manually https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht… Can you please let us know the step by step procedure that how to install the certificates can you please also comment on below query 3. If i install the certificate will it get replaced in "/etc/pki/pki-tomcat/alias/" database as well? along with httpd and dirsrv databases ? /etc/pki/pki-tomcat/alias/ /etc/httpd/alias/ /etc/dirsrv/slapd-IPA-EXAMPLE-COM Please let us know if any more details required Sai ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

3 6

IPA Healthcheck Warning for IPA Trust on Replica
by Jeremy Tourville 17 Jan '23

17 Jan '23

I have recently added a replica to my existing setup. Everything seems to work except for 2 issues that I have noted: #1 IPA health check generates a warning from the replica only (master is ok) similar to this: { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "WARNING", "uuid": "my_uuid", "when": "20191121135331Z", "duration": "2.128808", "kw": { "key": "my_key", "error": "returned nothing", "msg": "Look up of {key} {error}" } }, #2 id some_user returns: id: 'some_user': no such user I have also noted that: ipa trust-fetch-domains "gsil.smil" return an error - Fetching domains from trusted forest failed ipa trustdomain-find is able to find the domain ipa idrange-find returns the same set of results for both the master and the replica ipa-replica-manage dnarange-show shows that the dna ranges are not overlapping (my understanding is this is a good thing) My environment: Rocky 8.7 FreeIPA 4.9.10 Master: gsil-ipa01 Replica: gsil-ipa02 Both master and replica are configured with server roles: AD trust agent, AD trust controller, CA server, DNS server, KRA server. Are issues #1 and #2 related? ie- fix one and the other will work as expected? I am still reviewing possible solutions for why ldap lookup using the id command is not working. But maybe it will never work unless I fix the healthcheck issue... Your input is greatly appreciated!

2 3

Trust-Agents
by Ronald Wimmer 17 Jan '23

17 Jan '23

I have a setup where we have four IPA servers. Two of them are able to talk to the AD Domain Controllers directly. I set them up as AD Trust controllers. The other two IPA servers can only talk to these IPA servers and not to the AD DCs directly. Thats why I wanted them to have the Trust Agent Role only. I used "ipa-adtrust-install --add-agents" on these servers. After configuring the roles and finishing the setup I did a "ipa server-role-find" to check if the roles where set correctly. I found out that all four IPA servers do have the Trust Controller role. And here comes my question... why? Why have the two servers been added as trust controllers and not as agents only? Cheers, Ronald

2 10

Re: AD Conditional Forwarder to IdM failure
by Jeremy Tourville 16 Jan '23

16 Jan '23

That worked! Thank you. In short: - Add the A record - Add the NS record - Create the delegation of authority Now create the forwarder.

2 1

AD Conditional Forwarder to IdM failure
by Jeremy Tourville 13 Jan '23

13 Jan '23

I am following the directions from here: Section: 32.6.4. Configuring DNS forwarding in AD https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ht… I get an error message from AD DNS "The server with this IP Address is not authoritative for the required zone" This error makes me think there is a problem with my IdM DNS server. My setup is AD integrated and a one way trust is established with AD. I was able to create a forwarder from IdM to AD without issue. My domains: AD = gsil.mil IdM = idm.gsil.mil I have been reading: 86.1. Supported DNS zone types https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ht… and 6.1. The two roles of an IdM DNS server https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ht… as well as several articles on DNS forwarding vs DNS delegation for AD. This is a step that I was able to make work with no issues in a previous setup/installation. Red Hat documentation states: 86.1 Supported DNS Zone Types "Forward DNS zones From the perspective of IdM, forward DNS zones do not contain any authoritative data. In fact, a forward "zone" usually only contains two pieces of information: - A domain name - The IP address of a DNS server associated with the domain " 6.1. The two roles of an IdM DNS server By default, the Berkeley Internet Name Domain (BIND) service integrated with IdM acts as both an authoritative and a recursive DNS server: Authoritative DNS server When a DNS client queries a name belonging to a DNS zone for which the IdM server is authoritative, BIND replies with data contained in the configured zone. Authoritative data always takes precedence over any other data. I am still having some confusion why this is not working. Can someone enlighten me?

2 2

Cannot Login with IPA user account
by Damola Azeez 11 Jan '23

11 Jan '23

After setting up my IPA environment, I am unable to log in successfully on some of my Linux servers. When I check /var/log/secure for authentication logs, I see the errors below Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): authentication failure; logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6 (Permission denied) Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): authentication failure; logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6 (Permission denied) From the root user, I can switch to the user (daazeez) but when I try sudo, inputting password return authentication failed Host: oracle linux 7.4 IPA server: IPA, version: 4.9.8

2 9

Essential ports between IPA servers and clients
by Ronald Wimmer 10 Jan '23

10 Jan '23

Which Ports have to be open (on which side) in order to enable basic IPA functionality between IPA servers and clients. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht… states 80 and 443 as well as 389 and 636 - despite the use of StartTLS. So which ports in the list could probably be omitted? (if we do not need Kerberos functionality in that particular setup) Cheers, Ronald

2 1

DNS issues when installing a replica
by Francis Augusto Medeiros-Logeay 10 Jan '23

10 Jan '23

Hi, I am managing now to install a replica, but I am facing these issues, and feel things are not working as it should, as changes in one replica are not replicating on the others. I am getting this when installing the replica: Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=freeipa02,idnsname=francis.local.,cn=dns,dc=ipa,dc=med-lo’ This, together with "Lookup failed: Preferred host freeipa02.francis.local does not provide DNS.” and with "Lookup failed: Preferred host freeipa02.francis.local does not provide CA.” , are really preventing me to install a problem-free replica. Any clues on how to solve it? I tried this: https://access.redhat.com/solutions/4094761 but it didn’t help. Best, Francis

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2023