cn=compat and missing First Name and Email fields
by Djerk Geurts
Hi List,
I'm using FreeIPA to provide authentication to vSphere, which has been working great, but I noticed that using the compat scheme doesn't yield the First Name and Email fields in vSphere. If I change the base DN for users and groups to the standard scheme, cn=accounts, then users can't log in.
To date I've ignored this, but today I figured it would be good to work out whether there's something I can do to modify the compat scheme so that OpenLDAP clients like vSphere that need to use it can pull these fields.
Thanks,
Djerk Geurts
1 year
ipa-replica-install -- cannot get past [26/41]: creating DS keytab
by Jonathon Jenkins
Greetings,
I cannot get ipa-replica-install to proceed past step 26/41 (creating DS keytab). I see the command that is to be run, and I can run it just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here; the bug reports I see all pertain to earlier versions, and my files already reflect those changes.
I have also tried running this with all manner of password flags, which are correct, but I am still getting "insufficient access rights".
particulars:
CentOS 7, kernel 3.10.0-957.1.3.el7.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
* Note: anonymized output below
ipapython.ipautil: DEBUG stderr=
ipalib.backend: DEBUG Created connection context.ldap2_139891568509776
ipaserver.install.service: DEBUG duration: 7 seconds
ipaserver.install.service: DEBUG [26/41]: creating DS keytab
[26/41]: creating DS keytab
ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229')
ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229')
ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>
ipapython.ipautil: DEBUG Process finished, return code=9
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
ipaserver.install.service: DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
[error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf'
ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
replica_install(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install
fstore=fstore)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds
setup_pkinit=not options.no_pkinit,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
1 year
Creating a binddn for Satellite/Foreman
by Jeremy Tourville
When following the documented directions I am getting an error: ValueError: Invalid placeholder in string: line 1, col 30
https://www.freeipa.org/page/Creating_a_binddn_for_Foreman
My update file is:
dn: uid=satellitebdn,cn=sysaccounts,cn=etc,$SUFFIX
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:satellitebdn
add:userPassword:myPassword
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0
Anyone see something wrong with my update file?
1 year
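The "Invalid placeholder in string: line N, col M" message is raised by Python's string.Template when a `$` in the text is not followed by a valid identifier (or a `{name}` form); as far as I know, ipa-ldap-updater expands `$SUFFIX` and similar variables through string.Template, so any bare `$` in a value, for example inside a password, trips it. The example below is added here and is not from the post or from the FreeIPA code base; it applies the same substitution to a small update file, reports which line the updater would reject, and shows the `$$` escape that survives substitution as a literal `$`. The suffix value and the sample lines are constructed.

```python
import string

# Constructed substitution table; the real updater fills $SUFFIX and friends
# from the installed server's configuration (assumption about its internals).
SUBS = {"SUFFIX": "dc=example,dc=test"}


def substitute_update_lines(lines, subs=SUBS):
    """Expand $VAR placeholders in each update-file line with string.Template.

    Returns (expanded_lines, problems). Lines that string.Template rejects
    are left out of expanded_lines and reported as (line_number, message).
    """
    expanded, problems = [], []
    for n, line in enumerate(lines, start=1):
        try:
            expanded.append(string.Template(line).substitute(subs))
        except ValueError as exc:          # bare "$" or "$" + non-identifier
            problems.append((n, str(exc)))
        except KeyError as exc:            # $NAME with no value in subs
            problems.append((n, "undefined variable %s" % exc))
    return expanded, problems


def escape_dollars(value):
    """Escape literal dollars so string.Template passes them through."""
    return value.replace("$", "$$")
```

A value that must contain a literal `$` goes through `escape_dollars()` first; `substitute_update_lines()` then emits it with a single `$`.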
Re: Creating and modifying users from an external system
by Rob Crittenden
Ronald Wimmer wrote:
> On 20.03.23 13:44, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> We have several scenarios where we cannot establish an AD Trust. In
>>> these cases we are forced to create/modify/delete IPA users triggered
>>> from an IAM system. Is the IPA API the one and only way to go or would
>>> it also work if we used IPA's LDAP directly?
>>
>> Using the stageuser and user API is recommended. It's certainly possible
>> to do it directly in LDAP but we don't encourage it. It requires
>> knowledge of how the entry is structured, what gets added automatically,
>> etc. We also can't guarantee that there won't be changes to the
>> objectclasses, etc. that would break any direct LDAP comms.
>
> Apart from the obvious, what will be created upon user creation? Is
> there something we would most likely not think of?
>
> In the IPA WebGUI it looks like a user's UID and GID could be
> chosen freely? That would be perfect if we want to match a user's UID
> with another system...
This is why we recommend stageusers so you don't have to worry about
such things. See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
rob
1 year
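As an added example of the route Rob recommends (this is not his code or the project's), the block below drives the stageuser API from Python with ipalib: it maps a record from an external IAM system to `stageuser_add` arguments, passes an explicit `uidnumber`/`gidnumber` so the POSIX IDs match the other system, and activates the staged entry. It assumes an enrolled IPA client with a Kerberos ticket for an account holding the stage-user privileges ("Stage User Provisioning" and "Stage User Administrators" in the default RBAC; verify on your deployment). The IAM record layout and the ID range are made up; read the real range from `ipa idrange-find`.

```python
# Constructed IAM record; the field names are an assumption about the source.
IAM_RECORD = {
    "login": "jdoe",
    "first": "John",
    "last": "Doe",
    "email": "jdoe@example.test",
    "uid": 123456,
    "gid": 123456,
}

# Example local ID range; assumption, take the real one from `ipa idrange-find`.
ID_RANGE = (100000, 299999)


def stageuser_kwargs(rec: dict, id_range=ID_RANGE) -> dict:
    """Map an IAM record to stageuser_add keyword arguments.

    IDs that fall outside the IPA range are rejected here rather than
    letting the server create an entry SSSD clients will not resolve.
    """
    lo, hi = id_range
    for key in ("uid", "gid"):
        n = rec[key]
        if not isinstance(n, int) or not lo <= n <= hi:
            raise ValueError(f"{key} {n!r} outside local ID range {lo}-{hi}")
    return {
        "givenname": rec["first"],
        "sn": rec["last"],
        "mail": rec["email"],
        "uidnumber": rec["uid"],
        "gidnumber": rec["gid"],
    }


def provision(rec: dict, activate: bool = True) -> dict:
    """Create the stage user and optionally activate it. Needs a live IPA."""
    from ipalib import api  # imported here so the mapping above runs anywhere
    if not api.isdone("finalize"):
        api.bootstrap(context="client")
        api.finalize()
    if not api.Backend.rpcclient.isconnected():
        api.Backend.rpcclient.connect()
    result = api.Command.stageuser_add(rec["login"], **stageuser_kwargs(rec))
    if activate:
        # Activation moves the entry from cn=staged users to cn=users and
        # fills in what the user plugin adds automatically.
        result = api.Command.stageuser_activate(rec["login"])
    return result["result"]


if __name__ == "__main__":
    print(provision(IAM_RECORD))
```

Deleting or modifying an existing user goes through `api.Command.user_del` and `api.Command.user_mod` in the same way; keeping the IAM side to these three commands is what makes the integration survive schema changes on the IPA side.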
Healthcheck for IPATrustCatalog contradicts ipa trust-show - false positive?
by Jeremy Tourville
Question: Why are these healthcheck issues present? IPA03 can run a trust show and the Domain Security Identifier matches the kw key.
Should the uuid be the same or different between IPA02 and IPA03?
Scenario:
3 IPA servers
Replication pattern:
1 -> 2 & 3
2 -> 1 & 3
3 -> 1 & 2
All servers are:
AD trust agent
AD trust controller
CA server
DNS server
The health check on IPA01 is completely healthy.
[root@gsil-ipa03 ~]# ipa-healthcheck --failures-only
CN=GSIL-CA,DC=gsil,DC=smil not found, assuming 3rd party
[
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "WARNING",
"uuid": "82ff4156-efd4-4bab-a092-ce5d5736c7e8",
"when": "20230324133158Z",
"duration": "0.235919",
"kw": {
"key": "domain-status",
"domain": "gsil.x",
"msg": "Domain {domain} is not online"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "WARNING",
"uuid": "c8a1bebe-fd44-4ea6-8d98-f20ad6726d00",
"when": "20230324133158Z",
"duration": "0.008165",
"kw": {
"key": "S-1-5-21-3568498085-2952124370-1649233135",
"error": "returned nothing",
"msg": "Look up of {key} {error}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "ERROR",
"uuid": "c0aed85c-9c0a-42df-83ab-d69b4bc054a5",
"when": "20230324133158Z",
"duration": "0.114333",
"kw": {
"key": "AD Global Catalog",
"output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
"sssctl": "/usr/sbin/sssctl",
"domain": "gsil.x",
"msg": "{key} not found in {sssctl} 'domain-status' output: {output}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "ERROR",
"uuid": "6542b352-88ae-4524-ba76-94960adfe9a7",
"when": "20230324133158Z",
"duration": "0.114378",
"kw": {
"key": "AD Domain Controller",
"output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
"sssctl": "/usr/sbin/sssctl",
"domain": "gsil.x",
"msg": "{key} not found in {sssctl} 'domain-status' output: {output}"
}
}
]
[root@gsil-ipa03 ~]# ipa trust-show
Realm name: gsil.x
Realm name: gsil.x
Domain NetBIOS name: GSIL
Domain Security Identifier: S-1-5-21-3568498085-2952124370-1649233135
Trust direction: Trusting forest
Trust type: Active Directory domain
[root@gsil-ipa02 ~]# ipa-healthcheck --failures-only
caSigningCert External CA not found, assuming 3rd party
[
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "WARNING",
"uuid": "319ec55d-6d71-48fa-bb80-4ab5acb9a62b",
"when": "20230324133810Z",
"duration": "0.281341",
"kw": {
"key": "domain-status",
"domain": "gsil.x",
"msg": "Domain {domain} is not online"
}
}
]
1 year
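As an added example (not part of the post or of ipa-healthcheck itself), the block below reads `ipa-healthcheck --output-type json` results, renders each `msg` template the way the human-readable output does, groups the trust findings by check, and flags any SID lookup whose key differs from the SID that `ipa trust-show` reports. The sample results are constructed to match the shape posted above with shortened fields. As far as I understand ipa-healthcheck, the `uuid` is generated per result on every run, so it is expected to differ between IPA02 and IPA03 and between runs.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `ipa-healthcheck --output-type json`.
SAMPLE = json.dumps([
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
     "result": "WARNING", "uuid": "82ff4156-efd4-4bab-a092-ce5d5736c7e8",
     "kw": {"key": "domain-status", "domain": "gsil.x",
            "msg": "Domain {domain} is not online"}},
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
     "result": "WARNING", "uuid": "c8a1bebe-fd44-4ea6-8d98-f20ad6726d00",
     "kw": {"key": "S-1-5-21-3568498085-2952124370-1649233135",
            "error": "returned nothing", "msg": "Look up of {key} {error}"}},
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
     "result": "ERROR", "uuid": "c0aed85c-9c0a-42df-83ab-d69b4bc054a5",
     "kw": {"key": "AD Global Catalog", "domain": "gsil.x",
            "output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
            "sssctl": "/usr/sbin/sssctl",
            "msg": "{key} not found in {sssctl} 'domain-status' output: {output}"}},
])

SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def render(result):
    """Expand the 'msg' template from the result's own kw values."""
    kw = result.get("kw", {})
    return kw.get("msg", "").format(**kw)


def trust_findings(raw, trust_sid):
    """Group trust-source findings by check name.

    Also returns the SIDs that IPATrustCatalogCheck looked up which do not
    match the trust's SID (a mismatch would point at a stale trust object;
    a matching SID that still "returned nothing" is a lookup failure).
    """
    by_check = defaultdict(list)
    sid_mismatch = []
    for r in json.loads(raw):
        if r.get("source") != "ipahealthcheck.ipa.trust":
            continue
        by_check[r["check"]].append((r["result"], render(r)))
        key = r.get("kw", {}).get("key", "")
        if key.startswith("S-1-5-21-") and key != trust_sid:
            sid_mismatch.append(key)
    return dict(by_check), sid_mismatch


def worst(raw):
    """Highest severity in the run, for an exit-code style summary."""
    return max((SEVERITY.get(r["result"], 0) for r in json.loads(raw)), default=0)
```

Running `trust_findings()` on each server's output with the SID from `ipa trust-show` separates the two questions in the post: whether the SID the check used is the trust's SID, and whether SSSD on that server currently has the AD domain online.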
Check ticket expiration for all users
by Francis Augusto Medeiros-Logeay
Hi,
We use RHEL 8 with kerberos, and we are using NFSv4 for mounting home directories.
We have experienced that some machines become unresponsive if a user has a job that writes to the home directory after their ticket has expired at the end of the default lifetime (7 days in our case).
While we are looking for ways to allow people to automatically get new tickets, we also want to have a mechanism to log users out if their tickets are too close to expiration (along with all their jobs and cron jobs).
Is there a way to get the expiration date for user tickets for a given user with for example “klist", or only the user himself can get that info?
Best,
Francis
1 year
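As an added example (not from the post), the block below parses `klist` output and reports which credential caches hold a TGT that expires within a threshold, which is the input a logout or job-kill mechanism would need. It assumes the checking process runs as root and can name each user's cache, which is true for file caches such as `/tmp/krb5cc_<uid>` and is an assumption for KCM or KEYRING caches. The klist output is constructed; both two- and four-digit year formats that MIT klist prints are handled.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed `klist -c FILE:/tmp/krb5cc_1000` output; hostnames are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
03/24/2023 13:31:58  03/31/2023 13:31:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/07/2023 13:31:58
03/24/2023 13:32:10  03/31/2023 13:31:58  nfs/fs01.example.com@EXAMPLE.COM
"""

_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TICKET = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$", re.M)


def parse_ts(s):
    """Parse a klist timestamp in either %m/%d/%Y or %m/%d/%y form."""
    fmt = "%m/%d/%Y %H:%M:%S" if len(s.split()[0]) == 10 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(s, fmt)


def parse_klist(text):
    """Return (default principal, {service principal: expiry datetime})."""
    m = re.search(r"^Default principal: (\S+)$", text, re.M)
    principal = m.group(1) if m else None
    tickets = {svc: parse_ts(exp) for _, exp, svc in _TICKET.findall(text)}
    return principal, tickets


def tgt_time_left(text, now):
    """Time until the TGT expires (negative if already expired); None if no TGT."""
    _, tickets = parse_klist(text)
    for svc, exp in tickets.items():
        if svc.startswith("krbtgt/"):
            return exp - now
    return None


def users_near_expiry(caches, threshold=timedelta(hours=1), now=None, runner=None):
    """Map cache name -> (principal, time left) for TGTs expiring within threshold.

    `runner(cache)` returns klist text; the default shells out to klist -c.
    """
    now = now or datetime.now()
    runner = runner or (lambda c: subprocess.run(
        ["klist", "-c", c], capture_output=True, text=True, check=False).stdout)
    near = {}
    for cache in caches:
        text = runner(cache)
        left = tgt_time_left(text, now)
        if left is not None and left <= threshold:
            near[cache] = (parse_klist(text)[0], left)
    return near
```

A cron job can feed `users_near_expiry()` the list of caches found under `/tmp` and act on the returned principals; expired caches come back with a negative time left, so they are caught as well.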
Replica Server can not join to master server
by Can Chang
The old replica server failed, so I rebuilt a new replica server. After it successfully joined the master using ipa-client-install with --force-join, I ran ipa-replica-install, and at step [27/42]: creating DS keytab under "Configuring directory server (dirsrv). Estimated time: 30 seconds" it failed with this error:
[error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/aaaa.ipa.bbbb.cccc.dddd@IPA.BBBB.CCCC.DDDD -H ldaps://xxxx.ipa.bbbb.cccc.dddd' returned non-zero exit status 9
How do I fix this problem?
This replica server is fresh install.
Thanks
1 year
Changing userPassword attribute on a plugin
by Francis Augusto Medeiros-Logeay
Hi,
I am developing a plugin for FreeIPA (mostly to handle Postfix and virtual mailboxes/domains).
The thing is that I created an objectClass (postfixMailbox), where the user has the following attributes:
- mail
- userPassword
- mailQuota
- active
I don't know what the requirements are for the user to be able to choose his own password by logging into FreeIPA's GUI.
What I did was to add the inetOrgPerson and inetUser objectClasses, just to see if the user would be allowed to log in for changing password-purposes. Still no go.
These users are in a totally different container (every virtual domain is a container).
I also am not sure if I want these users to be like a normal user, but at the same time I want to be able to change their password.
Any tips on how to achieve something like this, besides using a command-line plugin?
Best,
Francis
1 year, 1 month
Need assistance to troubleshoot named not starting
by Jeremy Tourville
This problem started when someone deleted my /etc/krb5.keytab file. I am trying to get the named service working again. I am following the docs: What to do when named with bind-dyndb-ldap cannot start https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html
1. Gather logs:
A. My system is Rocky 8.7 and does not contain /var/log/messages. Really! I was surprised too and am wondering why not. I thought that was a standard log that all EL systems had.
B. /var/named/data/named.run is a file with zero size. Yes, it's unfortunately empty.
>>>What did you change before it started to fail? :-) /etc/krb5.keytab was deleted. See post - https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
2. >>>Server ldap/srv01@EXAMPLE.COM not found in Kerberos database
This is not an issue. hostname displays FQDN and /etc/hosts is correctly formatted as shown in the correct line example
3. >>>Failed to init credentials or Failed to get initial credentials
This is not an issue for /etc/named.keytab, the version of klist and kvno match
HOWEVER, /etc/krb5.keytab does not match when running klist and kvno
Could this have the same effect? To cause named not to start?
Should I continue down the list and also get some more info from setting up the trace export KRB5_TRACE=/tmp/named_krb5.log or fix the issue with /etc/krb5.keytab first?
At this point I think I will stop investigating until I get a more clear understanding of my questions. I hope someone can assist. Many thanks in advance!
1 year, 1 month
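The klist-versus-kvno comparison the post describes, as an added example (not from the post or the bind-dyndb-ldap docs): `klist -kte` lists the key version numbers stored in a keytab and `kvno` reports the version the KDC currently uses for that principal in the tickets it issues. If the KDC's version is not in the keytab, the service cannot decrypt tickets for that principal, which is the state a keytab is left in after the principal is re-keyed (for example by re-running ipa-getkeytab elsewhere). The block parses constructed output of both commands for a placeholder host and returns the principals whose keytab is stale; the same functions apply to /etc/named.keytab and the DNS/ principal.

```python
import re

# Constructed output of `klist -kte /etc/krb5.keytab`; hostnames are placeholders.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/24/2023 13:31:58 host/srv01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/24/2023 13:31:58 host/srv01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Constructed output of `kvno host/srv01.example.com@EXAMPLE.COM`.
KVNO_OUTPUT = "host/srv01.example.com@EXAMPLE.COM: kvno = 5\n"

# kvno, two-token timestamp, principal, optional "(enctype)" from -e
_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+?)(?: \(\S+\))?$", re.M)
_KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)$", re.M)


def parse_keytab_listing(text):
    """principal -> set of key version numbers present in the keytab."""
    versions = {}
    for kvno, princ in _KEYTAB_LINE.findall(text):
        versions.setdefault(princ, set()).add(int(kvno))
    return versions


def parse_kvno(text):
    """principal -> key version the KDC currently issues tickets with."""
    return {p: int(v) for p, v in _KVNO_LINE.findall(text)}


def stale_principals(keytab_text, kvno_text):
    """Principals whose KDC kvno has no matching key in the keytab.

    Returns {principal: (kdc_kvno, [kvnos in keytab])}; an empty list means
    the principal is missing from the keytab altogether.
    """
    have = parse_keytab_listing(keytab_text)
    want = parse_kvno(kvno_text)
    return {p: (v, sorted(have.get(p, ())))
            for p, v in want.items() if v not in have.get(p, set())}
```

A non-empty result for host/ in /etc/krb5.keytab is fixed by fetching a fresh keytab for that principal with ipa-getkeytab; re-running the comparison afterwards should return an empty dict before named is restarted.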