June 2023 - FreeIPA-users - Fedora Mailing-Lists

'ipa-ca-install' conncheck failure on freeIPA

by Arne Verheyden

I'm facing a problem while trying to set up a replica of our main FreeIPA server. We're planning to migrate from an old server to a new one. ipa-replica-install and ipa-dns-install runs without issue but the problem arises when I try to use the ipa-ca-install command. The command fails at the connection check phase with this output: $ ipa-ca-install Directory Manager (existing master) password: Run connection check to master Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Connection check failed! See /var/log/ipareplica-conncheck.log for more information. If the check results are not valid it can be skipped with --skip-conncheck parameter. Logs of /var/log/ipa-replica-conncheck.log 2023-06-27T14:25:28Z DEBUG Ports opened, notify original thread 2023-06-27T14:25:28Z DEBUG Original thread resumed 2023-06-27T14:25:28Z INFO Get credentials to log in to remote master 2023-06-27T14:25:28Z DEBUG KRB5CCNAME set to /tmp/krbcc2_1ny8e1/ccache 2023-06-27T14:25:28Z INFO Check RPC connection to remote master 2023-06-27T14:25:28Z DEBUG Starting external process 2023-06-27T14:25:28Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmp66e_2bfv', '-N', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt', '-@', '/tmp/tmp66e_2bfv/pwdfile.txt'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/cert9.db'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/cert9.db 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/key4.db'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/key4.db 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pkcs11.txt'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pkcs11.txt 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pwdfile.txt'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pwdfile.txt 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG Starting external process 2023-06-27T14:25:29Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp66e_2bfv', '-A', '-n', 'CN=Certificate Authority,O=EXAMPLE.COM', '-t', 'C,,', '-a', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt'] 2023-06-27T14:25:29Z DEBUG Process finished, return code=0 2023-06-27T14:25:29Z DEBUG stdout= 2023-06-27T14:25:29Z DEBUG stderr= 2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.remote_plugins.schema$8182589c... 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.remote_plugins.schema$8182589c.plugins 2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.plugins... 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automember 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automount 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.ca 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.cert 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certmap 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certprofile 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.dns 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbacrule 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbactest 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.host 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.idrange 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.internal 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.location 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.migration 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.misc 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken_yubikey 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.passwd 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.permission 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.rpcclient 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.server 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.service 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.sudorule 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.topology 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.trust 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.user 2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.vault 2023-06-27T14:25:30Z DEBUG failed to find session_cookie in persistent storage for principal 'host/replica1.example.com(a)EXAMPLE.COM' 2023-06-27T14:25:30Z DEBUG trying https://ipa01.example.com/ipa/json 2023-06-27T14:25:30Z DEBUG New HTTP connection (ipa01.example.com) 2023-06-27T14:25:31Z DEBUG [details redacted for brevity] 2023-06-27T14:25:31Z INFO Connection to https://ipa01.example.com/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty) 2023-06-27T14:25:31Z DEBUG trying https://replica1.example.com/ipa/json 2023-06-27T14:25:31Z DEBUG New HTTP connection (replica1.example.com) 2023-06-27T14:25:31Z DEBUG [details redacted for brevity] 2023-06-27T14:25:31Z DEBUG Created connection context.rpcclient_140381866522064 2023-06-27T14:25:31Z DEBUG raw: ping(version='2.251') 2023-06-27T14:25:31Z DEBUG ping(version='2.251') 2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'ping/1' to json server 'https://replica1.example.com/ipa/json' 2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com) 2023-06-27T14:25:31Z DEBUG [details redacted for brevity] 2023-06-27T14:25:31Z INFO Execute check on remote master 2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'server_conncheck' to json server 'https://replica1.example.com/ipa/json' 2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com) 2023-06-27T14:25:31Z DEBUG [details redacted for brevity] 2023-06-27T14:25:31Z DEBUG Destroyed connection context.rpcclient_140381866522064 2023-06-27T14:25:31Z ERROR ERROR: Remote master check failed with following error message(s): invalid 'cn': must be "replica1.example.com" I don't know how to debug this, i have searched the web for similar issue and the only one i have managed to find is this one: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... . The problem is similar but not the same as the one i have, so it did not help me much. I would greatly appreciate any suggestions or advice on how to resolve this problem. Sincerely, Arne

10 months, 1 week

3
3
0 / 0

how to set the RIDs during migration to Rocky 8?

by Harald Dunkel

Hi folks, I am trying to migrate FreeIPA from CentOS7 to Rocky 8. No AD trust relationship involved by now. Problem: ipa-replica-install on the first Rocky 8 host to join the IPA servers complained # -------------------------------------------------------------------------- [root@ipaca8 ~]# ipa-replica-install --setup-ca --ip-address 172.19.96.100 Trust is configured but no NetBIOS domain name found, setting it now. Enter the NetBIOS name for the IPA domain. Only up to 15 uppercase ASCII letters, digits and dashes are allowed. Example: EXAMPLE. NetBIOS domain name [EXAMPLE]: WARNING: 564 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details. Do you want to run the ipa-sidgen task? [no]: yes Run connection check to master Connection check OK Disabled p11-kit-proxy Configuring directory server (dirsrv). Estimated time: 30 seconds [1/39]: creating directory server instance Validate installation settings ... Create file system structures ... selinux is disabled, will not relabel ports or files. Create database backend: dc=example,dc=de ... Perform post-installation tasks ... [2/39]: tune ldbm plugin [3/39]: adding default schema [4/39]: enabling memberof plugin [5/39]: enabling winsync plugin [6/39]: configure password logging : : [20/30]: starting certificate server instance [21/30]: Finalize replication settings [22/30]: configure certmonger for renewals [23/30]: Importing RA key [24/30]: configure certificate renewals [25/30]: Configure HTTP to proxy connections [26/30]: updating IPA configuration [27/30]: enabling CA instance [28/30]: importing IPA certificate profiles Lookup failed: Preferred host ipaca8.example.de does not provide CA. Lookup failed: Preferred host ipaca8.example.de does not provide CA. Failed to import profile 'acmeIPAServerCert': Request failed with status 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when installation is completed may resolve this issue. [29/30]: configuring certmonger renewal for lightweight CAs [30/30]: deploying ACME service Done configuring certificate server (pki-tomcatd). Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). Applying LDAP updates Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server [7/10]: upgrading server Could not get dnaHostname entries in 60 seconds [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Finalize replication settings Restarting the KDC Configuring SID generation [1/8]: creating samba domain object [2/8]: adding admin(group) SIDs [3/8]: adding RID bases Found more than one local domain ID range with no RID base set. [error] RuntimeError: Too many ID ranges Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Too many ID ranges The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information # -------------------------------------------------------------------------- Here is the list of id ranges: # -------------------------------------------------------------------------- [root@ipaca8 ~]# ipa idrange-find --all --raw ---------------- 3 ranges matched ---------------- dn: cn=EXAMPLE.DE_id_range,cn=ranges,cn=etc,dc=example,dc=de cn: EXAMPLE.DE_id_range ipabaseid: 379400000 ipaidrangesize: 200000 iparangetype: ipa-local objectclass: top objectclass: ipaIDrange objectclass: ipaDomainIDRange dn: cn=EXAMPLE.DE_posix,cn=ranges,cn=etc,dc=example,dc=de cn: EXAMPLE.DE_posix ipabaseid: 1000 ipaidrangesize: 99000 iparangetype: ipa-local objectclass: ipadomainidrange objectclass: ipaIDrange dn: cn=EXAMPLE.DE_subid_range,cn=ranges,cn=etc,dc=example,dc=de cn: EXAMPLE.DE_subid_range ipabaseid: 2147483648 ipaidrangesize: 2147352576 ipabaserid: 2147283648 ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194 iparangetype: ipa-ad-trust objectclass: top objectclass: ipaIDrange objectclass: ipaTrustedADDomainRange ---------------------------- Number of entries returned 3 ---------------------------- # -------------------------------------------------------------------------- I didn't ask for an AD trust relationship, introducing even more complexity to something that should be kept as simple as possible. And now its making problems :-(. Is there some way to drop this again? AFAICT ipa idrange-mod cannot set the RID, so how can I resolve this nightmare? Every helpful comment is highly appreciated. Harri

10 months, 1 week

4
5
0 / 0

ipa-pkinit-manage failure

by Алексей Иванов

Greetings, I'm trying to configure my replica IPA servers to support PKINIT. [root@office-ipa-1 ~]# ipa-pkinit-manage enable Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://office-ipa-1.<domain>/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 4096,8192 Not Matched).) Failed to configure PKINIT Full PKINIT configuration did not succeed The setup will only install bits essential to the server functionality You can enable PKINIT after the setup completed using 'ipa-pkinit-manage' Done configuring Kerberos KDC (krb5kdc). The ipa-pkinit-manage command was successful [root@office-ipa-1 ~]# I've manually installed the correct KDC cert with ipa-server-certinstall -k, but it seems I'm missing something out. Error regarding Key Parameters 4096,8192 Not Matched is expected, as we've changed all our certificate templates to support 4096 key and above. But I don't understand why ipa-pkinit-manage enable command tries to issue a new certificate and does not utilise the existing one? Regards, Alex Ivanov.

10 months, 1 week

2
1
0 / 0

pki-tomcat fails to start after upgrade

by Tania Hagan

Hi FreeIPA, I am currently using FreeIPA version 4.9.10 with 6 ipareaplicas. I went to upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it attempted to start pki-tomcat. In the /var/log/pki/pki-tomcat/ca/debug.log I see: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) … At netscape.ldap.LDAPConnection(Uknown Source) Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectionExection: Connection refused (Connection refused) …. I've been through the guide https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom... where I can confirm the /etc/pki/pki-tomcat/ca/CS.cfg is using: internaldb.ldapauth.authtype=SslClientAuth internaldb.ldapauth.bindDN=cn=Directory Manager internaldb.ldapauth.bindPWPrompt=internaldb internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca internaldb.ldapconn.host=<servername> internaldb.ldapconn.port=636 internaldb.ldapconn.secureConn=true certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' shows the cert with the correct Serial number and the cert does not expire until next year. If I read the private key, I have checked the Nickname is correct and does work on another ipareplica but not the one I'm troubleshooting. grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments. The ldap server configuration looks to be using the correct certificate. I rolled back the server to my last known working server, and find that commands such as ipa cert-find work fine, all my replicas have the same cert, but the command certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' fails on 4 out of 6 ipareplicas. 2 replicas see the correct result. Could any one help point me to how I might resolve this issue? Many Thanks, Tania

10 months, 1 week

2
2
0 / 0

Install Error - RuntimeError: CA configuration failed - java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt

by Jacob Chapman

I am installing on Docker for MacOS. During initial install, it reaches step [1/30]: configuring certificate server instance when it shows the error. I looked in the /data/var/log/ipaserver-install.log and it looks like everything is OK until it hits the errors below. Any ideas what could cause this? FINE: NSSDatabase: Issuing cert for CN=freeipa.mydomain.cloud,O=2023-06-25 23:40:10 FINE: NSSDatabase: - issuer: CN=freeipa.mydomain.cloud,O=2023-06-25 23:40:10 FINE: NSSDatabase: - public key algorithm: RSA FINE: NSSDatabase: - serial number: 0x79a6edffa89c946d7cb055c19b4befa4 FINE: NSSDatabase: - not before: Sun Jun 25 23:42:17 UTC 2023 FINE: NSSDatabase: - not after: Mon Sep 25 23:42:17 UTC 2023 FINE: NSSDatabase: - hash algorithm: SHA256 FINE: NSSDatabase: - key algorithm: SHA256withRSA FINE: NSSDatabase: Finding request private key FINE: NSSDatabase: - private key: 0xdbb9f417bd81a12aa00c1b20227c91a6b2ccefd6 FINE: NSSDatabase: Private key algorithm: RSA FINE: NSSDatabase: Signing algorithm: SHA256withRSA FINE: CryptoUtil: Signing certificate FINE: CryptoUtil: - signing algorithm: RSASignatureWithSHA256Digest FINE: CryptoUtil: - algorithm name: SHA256withRSA FINE: CryptoUtil: - algorithm ID: SHA256withRSA DEBUG: NSSDatabase.add_cert(temp Server-Cert cert-pki-ca) DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmp5y2f9zop/XXXXXXXX.txt nss-cert-import --cert /tmp/tmp_tmyllsd/sslserver.crt --debug temp Server-Cert cert-pki-ca INFO: Initializing NSS INFO: Logging into internal token INFO: Using internal token java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218) at java.base/java.nio.file.Files.newByteChannel(Files.java:380) at java.base/java.nio.file.Files.createFile(Files.java:658) at java.base/java.nio.file.TempFileHelper.create(TempFileHelper.java:136) at java.base/java.nio.file.TempFileHelper.createTempFile(TempFileHelper.java:159) at java.base/java.nio.file.Files.createTempFile(Files.java:923) at org.dogtagpki.nss.NSSDatabase.addCertificate(NSSDatabase.java:342) at com.netscape.cmstools.nss.NSSCertImportCLI.execute(NSSCertImportCLI.java:104) at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58) at org.dogtagpki.cli.CLI.execute(CLI.java:353) at org.dogtagpki.cli.CLI.execute(CLI.java:353) at org.dogtagpki.cli.CLI.execute(CLI.java:353) at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:658) at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:697)

10 months, 1 week

2
2
0 / 0

Removing dead servers with tombstone entries

by Joe Rhodes

Hello all! I have a CentOS 7 based FreeIPA system that I’m migrating to Rocky 9. As suggested, I’ve created a Rocky 8 instance replica first. As I’ve been working on this (in a dev environment first), I’ve gotten myself into a state where I have two servers in the config that I cannot delete. (The VMs have been uninstalled and deleted.) ipa server-find --------------------- 7 IPA servers matched --------------------- Server name: ia-ipa-1.dev.purestake.tech Min domain level: 0 Max domain level: 1 Server name: ia-ipa-2.dev.purestake.tech Min domain level: 0 Max domain level: 1 Server name: joe-rocky-8.dev.purestake.tech Min domain level: 1 Max domain level: 1 Server name: joe-rocky-9.dev.purestake.tech Min domain level: 1 Max domain level: 1 Server name: oh-ipa-1.dev.purestake.tech Min domain level: 0 Max domain level: 1 Server name: oh-ipa-2.dev.purestake.tech Min domain level: 0 Max domain level: 1 Server name: oh-ipa-21.dev.purestake.tech Min domain level: 1 Max domain level: 1 The two servers I want to delete are joe-rocky-9 and oh-ipa-21. Trying to delete either give me: ipa server-del joe-rocky-9.dev.purestake.tech Removing joe-rocky-9.dev.purestake.tech from replication topology, please wait... ipa: ERROR: Server removal aborted: Replication topology in suffix 'domain' is disconnected: Topology does not allow server ia-ipa-1.dev.purestake.tech to replicate with servers: joe-rocky-9.dev.purestake.tech Topology does not allow server ia-ipa-2.dev.purestake.tech to replicate with servers: joe-rocky-9.dev.purestake.tech Topology does not allow server joe-rocky-8.dev.purestake.tech to replicate with servers: joe-rocky-9.dev.purestake.tech Topology does not allow server joe-rocky-9.dev.purestake.tech to replicate with servers: joe-rocky-8.dev.purestake.tech oh-ipa-1.dev.purestake.tech oh-ipa-2.dev.purestake.tech ia-ipa-1.dev.purestake.tech oh-ipa-21.dev.purestake.tech ia-ipa-2.dev.purestake.tech Topology does not allow server oh-ipa-1.dev.purestake.tech to replicate with servers: joe-rocky-9.dev.purestake.tech Topology does not allow server oh-ipa-2.dev.purestake.tech to replicate with servers: joe-rocky-9.dev.purestake.tech Topology does not allow server oh-ipa-21.dev.purestake.tech to replicate with servers: joe-rocky-9.dev.purestake.tech. and attempting to delete, ignoring the replication topology: ipa server-del joe-rocky-9.dev.purestake.tech --ignore-topology-disconnect Removing joe-rocky-9.dev.purestake.tech from replication topology, please wait... ipa: ERROR: Not allowed on non-leaf entry When I do a: ipa topologysegment-find domain the server joe-rocky-9 is not listed in any of the segments. I believe the issue is I have a bunch of replication issues regarding these two servers. (I had been adding and removing them as I was finding the right way to go about my upgrade) This command shows both of the servers: ldapsearch "nsds5ReplConflict=*" When I do the following search I see quite a few nsTombstone entries as children, which I assume is what’s blocking me from removing this DN (either using the ipa server-del command or the ldapdelete command). ldapsearch -D "cn=Directory Manager” -W "(objectclass=nsTombstone)" dn When I do this command: ipa-replica-manage list-ruv Replica Update Vectors: ia-ipa-1.dev.purestake.tech:389: 4 oh-ipa-1.dev.purestake.tech:389: 7 ia-ipa-2.dev.purestake.tech:389: 3 oh-ipa-2.dev.purestake.tech:389: 8 joe-rocky-8.dev.purestake.tech:389: 19 Certificate Server Replica Update Vectors: ia-ipa-1.dev.purestake.tech:389: 6 joe-rocky-8.dev.purestake.tech:389: 20 ia-ipa-2.dev.purestake.tech:389: 5 I get the expected list of RUVs, without the two servers I want to delete. Only the serves that are really on-line and legit show up. So I cannot use the “clean-ruv” command because the bad servers don’t show up with a replication ID. When I do this: ipa-replica-manage -p Extraordinary-northern-Conditioning-Idaho-7 clean-dangling-ruv The server 'joe-rocky-9.dev.purestake.tech' appears to be offline. The server 'oh-ipa-21.dev.purestake.tech' appears to be offline. No dangling RUVs found I see the two problematic entries timing out (as expected, since they don’t exist). I’m just not sure how to remove these two dead servers. It seems like I need to resolve or delete the nsTombstone children, but that doesn’t seem to be possible. I’m kind of wondering if I’m at a point where I’ll need to do an ipa-backup/modify the ldif/ipa-restore to get rid of these? I’m not even sure that’s possible. Any help would be greatly appreciated.

10 months, 1 week

3
4
0 / 0

Replication of account lock state

by Djerk Geurts

Hi all, Having read up on whether replica servers can also replicate the lock status of an account. I'm trying to find out what the current status is on the latest FreeIPA v4.x. What are the available options? Right now having to log into multiple IPA servers to find lockouts is a real pita and security wise it like either failed Auth counters or the lockout status to be replicated. The ability to unlock from a single IPA server would also be pretty sweet. Is there any way to get either working? Thanks, Djerk

10 months, 1 week

3
2
0 / 0

Antivirus/malware scan

by Ronald Wimmer

If a company policy forces you to install an antivirus/malware scan tool on Linux servers which IPA directories should be excluded because a severe performance impact would be very likely? I would start with: /var/lib/sss /etc/dirsrv/slapd-LINUX-MYDOMAIN-AT What else? Cheers, Ronald

10 months, 1 week

2
3
0 / 0

Problem joining a windows pc to freeipa realm without an AD server

by fujisan

Hello everyone, Since I upgraded our server to Fedora 38, we cannot access samba shares on that Linux server from windows pc. So i'm trying now to log in to a windows pc using a freeipa user account. I followed instructions I found in the following documentations: https://freeipa.org/page/Windows_authentication_against_FreeIPA https://computingforgeeks.com/join-windows-system-to-freeipa-realm/ https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/... . https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8 Basically, I added the windows PC (winpc) in the freeipa host list using the web UI then $ ipa-getkeytab -s server.domain.local -p host/winpc.domain.local(a)DOMAIN.LOCAL -e aes256-cts,aes128-cts,aes256-sha2,aes128-sha2,camellia256-cts-cmac,camellia128-cts-cmac -k /etc/krb5.keytab -P and in a terminal on the windows PC: > ksetup /setdomain DOMAIN.LOCAL > ksetup /addkdc DOMAIN.LOCAL server.domain.local > ksetup /addkpasswd DOMAIN.LOCAL server.domain.local > ksetup /setcomputerpassword p4$$w0rD > ksetup /mapuser * * I also created a local user 'smith' on the windows PC which also exists on the freeipa server: $ ipa user-show smith User login: smith First name: John Last name: Smith Home directory: /home/smith Login shell: /usr/bin/zsh Principal name: smith(a)DOMAIN.LOCAL Principal alias: smith(a)DOMAIN.LOCAL Email address: smith(a)DOMAIN.LOCAL UID: 1010 GID: 1025 SMB Home Directory Drive: A: Account disabled: False Password: True Member of groups: admins, ipausers, trust admins, editors Roles: helpdesk, User Administrator, Enrollment Administrator, Security Architect, IT Security Specialist, FleetCommander Desktop Profile Administrators, IT Specialist Kerberos keys available: True But everytime I try to login with smith(a)DOMAIN.LOCAL and freeipa password of that user, I get the following message: "We could not connect you with these credentials because your domain was not available. ..." and when I check the logs in krb5dc.log Jun 26 09:14:12 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: NEEDED_PREAUTH: smith(a)DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL(a)DOMAIN.LOCAL, Additional pre-authentication required Jun 26 09:14:12 server.domain.local krb5kdc[75292](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, smith(a)DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL(a)DOMAIN.LOCAL Jun 26 09:14:12 server.domain.local krb5kdc[4979](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 10.0.21.204: ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, smith(a)DOMAIN.LOCAL for host/winpc.domain.local(a)DOMAIN.LOCAL Also I don't know if this is related to the login problem, but when i reboot the windows pc, i get in the same log file a message saying 'Client not found in Kerberos database.' Jun 26 09:13:49 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: CLIENT_NOT_FOUND: winpc$(a)DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL(a)DOMAIN.LOCAL, Client not foundin Kerberos database Jun 26 09:13:49 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: CLIENT_NOT_FOUND: winpc$(a)DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL(a)DOMAIN.LOCAL, Client not foundin Kerberos database So what am I missing? Best regards F.

10 months, 1 week

1
0
0 / 0

[SSSD] Announcing SSSD 2.9.1

by Pavel Březina

# SSSD 2.9.1 The SSSD team is announcing the release of version 2.9.1 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.9.1 See the full release notes at: https://sssd.io/release-notes/sssd-2.9.1.html RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### New features * Passkey: added option to write key mapping data to file. ### Important fixes * A regression was fixed that prevented autofs lookups to function correctly when cache_first is set to True. Since this was set as a new default value in sssd-2.9.1, it is considered as a regression. * A regression where SSSD failed to properly watch for changes in '/etc/resolv.conf' when it was a symbolic link or was a relative path, was fixed.

10 months, 2 weeks

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2023