'ipa-ca-install' conncheck failure on freeIPA
by Arne Verheyden
I'm facing a problem while trying to set up a replica of our main FreeIPA server. We're planning to migrate from an old server to a new one. ipa-replica-install and ipa-dns-install run without issue, but the problem arises when I try to use the ipa-ca-install command. The command fails at the connection check phase with this output:
$ ipa-ca-install
Directory Manager (existing master) password:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
Logs from /var/log/ipareplica-conncheck.log:
2023-06-27T14:25:28Z DEBUG Ports opened, notify original thread
2023-06-27T14:25:28Z DEBUG Original thread resumed
2023-06-27T14:25:28Z INFO Get credentials to log in to remote master
2023-06-27T14:25:28Z DEBUG KRB5CCNAME set to /tmp/krbcc2_1ny8e1/ccache
2023-06-27T14:25:28Z INFO Check RPC connection to remote master
2023-06-27T14:25:28Z DEBUG Starting external process
2023-06-27T14:25:28Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmp66e_2bfv', '-N', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt', '-@', '/tmp/tmp66e_2bfv/pwdfile.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/cert9.db']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/cert9.db
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/key4.db']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/key4.db
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pkcs11.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pkcs11.txt
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pwdfile.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pwdfile.txt
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp66e_2bfv', '-A', '-n', 'CN=Certificate Authority,O=EXAMPLE.COM', '-t', 'C,,', '-a', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.remote_plugins.schema$8182589c...
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.remote_plugins.schema$8182589c.plugins
2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.plugins...
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automember
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automount
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.ca
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.cert
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certmap
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certprofile
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.dns
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbacrule
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbactest
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.host
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.idrange
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.internal
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.location
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.migration
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.misc
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken_yubikey
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.passwd
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.permission
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.rpcclient
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.server
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.service
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.sudorule
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.topology
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.trust
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.user
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.vault
2023-06-27T14:25:30Z DEBUG failed to find session_cookie in persistent storage for principal 'host/replica1.example.com@EXAMPLE.COM'
2023-06-27T14:25:30Z DEBUG trying https://ipa01.example.com/ipa/json
2023-06-27T14:25:30Z DEBUG New HTTP connection (ipa01.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z INFO Connection to https://ipa01.example.com/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-06-27T14:25:31Z DEBUG trying https://replica1.example.com/ipa/json
2023-06-27T14:25:31Z DEBUG New HTTP connection (replica1.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z DEBUG Created connection context.rpcclient_140381866522064
2023-06-27T14:25:31Z DEBUG raw: ping(version='2.251')
2023-06-27T14:25:31Z DEBUG ping(version='2.251')
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'ping/1' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z INFO Execute check on remote master
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'server_conncheck' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z DEBUG Destroyed connection context.rpcclient_140381866522064
2023-06-27T14:25:31Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "replica1.example.com"
I don't know how to debug this. I have searched the web for a similar issue and the only one I have managed to find is this one: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... . The problem is similar but not the same as the one I have, so it did not help me much.
I would greatly appreciate any suggestions or advice on how to resolve this problem.
Sincerely,
Arne
10 months, 1 week
how to set the RIDs during migration to Rocky 8?
by Harald Dunkel
Hi folks,
I am trying to migrate FreeIPA from CentOS7 to Rocky 8. No AD trust
relationship is involved so far. Problem: ipa-replica-install on the
first Rocky 8 host to join the IPA servers complained:
# --------------------------------------------------------------------------
[root@ipaca8 ~]# ipa-replica-install --setup-ca --ip-address 172.19.96.100
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [EXAMPLE]:
WARNING: 564 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.
Do you want to run the ipa-sidgen task? [no]: yes
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/39]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
Create database backend: dc=example,dc=de ...
Perform post-installation tasks ...
[2/39]: tune ldbm plugin
[3/39]: adding default schema
[4/39]: enabling memberof plugin
[5/39]: enabling winsync plugin
[6/39]: configure password logging
:
:
[20/30]: starting certificate server instance
[21/30]: Finalize replication settings
[22/30]: configure certmonger for renewals
[23/30]: Importing RA key
[24/30]: configure certificate renewals
[25/30]: Configure HTTP to proxy connections
[26/30]: updating IPA configuration
[27/30]: enabling CA instance
[28/30]: importing IPA certificate profiles
Lookup failed: Preferred host ipaca8.example.de does not provide CA.
Lookup failed: Preferred host ipaca8.example.de does not provide CA.
Failed to import profile 'acmeIPAServerCert': Request failed with status 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when installation is completed may resolve this issue.
[29/30]: configuring certmonger renewal for lightweight CAs
[30/30]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/8]: creating samba domain object
[2/8]: adding admin(group) SIDs
[3/8]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# --------------------------------------------------------------------------
Here is the list of id ranges:
# --------------------------------------------------------------------------
[root@ipaca8 ~]# ipa idrange-find --all --raw
----------------
3 ranges matched
----------------
dn: cn=EXAMPLE.DE_id_range,cn=ranges,cn=etc,dc=example,dc=de
cn: EXAMPLE.DE_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.DE_posix,cn=ranges,cn=etc,dc=example,dc=de
cn: EXAMPLE.DE_posix
ipabaseid: 1000
ipaidrangesize: 99000
iparangetype: ipa-local
objectclass: ipadomainidrange
objectclass: ipaIDrange
dn: cn=EXAMPLE.DE_subid_range,cn=ranges,cn=etc,dc=example,dc=de
cn: EXAMPLE.DE_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
----------------------------
Number of entries returned 3
----------------------------
# --------------------------------------------------------------------------
I didn't ask for an AD trust relationship, introducing even more complexity
to something that should be kept as simple as possible. And now it's making
problems :-(. Is there some way to drop this again?
AFAICT ipa idrange-mod cannot set the RID, so how can I resolve this
nightmare?
Every helpful comment is highly appreciated.
Harri
10 months, 1 week
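Added example (not part of the post above and not FreeIPA code): a check over the `ipa idrange-find --all --raw` listing that reports the exact condition the installer hit, more than one ipa-local range with no RID base set, and also flags ID intervals that overlap. The sample input is constructed from the listing in the post; `ipabaserid` and `ipasecondarybaserid` are the FreeIPA attribute names for the primary and secondary RID base. It only reports; it does not pick RID values.

```python
"""Check `ipa idrange-find --all --raw` output for the condition that
stopped the installer above (more than one ipa-local range with no RID
base set) and for overlapping POSIX ID intervals.

Added example, not FreeIPA code. SAMPLE_OUTPUT is constructed from the
listing in the post; against a live server run
    ipa idrange-find --all --raw | python3 idrange_check.py
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
dn: cn=EXAMPLE.DE_id_range,cn=ranges,cn=etc,dc=example,dc=de
cn: EXAMPLE.DE_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.DE_posix,cn=ranges,cn=etc,dc=example,dc=de
cn: EXAMPLE.DE_posix
ipabaseid: 1000
ipaidrangesize: 99000
iparangetype: ipa-local
objectclass: ipadomainidrange
dn: cn=EXAMPLE.DE_subid_range,cn=ranges,cn=etc,dc=example,dc=de
cn: EXAMPLE.DE_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
objectclass: ipaTrustedADDomainRange
Number of entries returned 3
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*)$")  # 'attr: value' lines only


@dataclass
class IDRange:
    cn: str
    base_id: int
    size: int
    range_type: str                           # ipa-local or ipa-ad-trust
    base_rid: Optional[int] = None            # ipabaserid
    secondary_base_rid: Optional[int] = None  # ipasecondarybaserid

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1


def _to_range(a: Dict[str, str]) -> IDRange:
    def opt(key: str) -> Optional[int]:
        return int(a[key]) if key in a else None
    return IDRange(a["cn"], int(a["ipabaseid"]), int(a["ipaidrangesize"]),
                   a["iparangetype"], opt("ipabaserid"), opt("ipasecondarybaserid"))


def parse_idranges(text: str) -> List[IDRange]:
    """Each entry starts at its 'dn:' line; a repeated attribute such as
    objectclass keeps its first value, which is all this check needs."""
    ranges: List[IDRange] = []
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # separators and the 'Number of entries returned' summary
        key, value = m.group(1).lower(), m.group(2)
        if key == "dn" and attrs:
            ranges.append(_to_range(attrs))
            attrs = {}
        attrs.setdefault(key, value)
    if attrs:
        ranges.append(_to_range(attrs))
    return ranges


def local_ranges_without_rid_base(ranges: List[IDRange]) -> List[str]:
    """SID generation needs a RID base on every ipa-local range; the
    installer refuses to choose one when more than one range lacks it."""
    return [r.cn for r in ranges if r.range_type == "ipa-local" and r.base_rid is None]


def overlapping_ranges(ranges: List[IDRange]) -> List[Tuple[str, str]]:
    """Pairs of ranges whose [base_id, last_id] intervals intersect."""
    return [(a.cn, b.cn) for i, a in enumerate(ranges) for b in ranges[i + 1:]
            if a.base_id <= b.last_id and b.base_id <= a.last_id]


if __name__ == "__main__":
    parsed = parse_idranges(SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read())
    print(f"{len(parsed)} ranges parsed")
    print("ipa-local ranges without ipabaserid:", local_ranges_without_rid_base(parsed))
    print("overlapping ranges:", overlapping_ranges(parsed))
```

On the listing from the post this prints two ipa-local ranges without a RID base (EXAMPLE.DE_id_range and EXAMPLE.DE_posix) and no overlaps, which is exactly the state in which "adding RID bases" cannot proceed automatically.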
ipa-pkinit-manage failure
by Алексей Иванов
Greetings,
I'm trying to configure my replica IPA servers to support PKINIT.
[root@office-ipa-1 ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://office-ipa-1.<domain>/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Key Parameters 4096,8192 Not Matched).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
[root@office-ipa-1 ~]#
I've manually installed the correct KDC cert with ipa-server-certinstall -k,
but it seems I'm missing something.
Error regarding Key Parameters 4096,8192 Not Matched is expected, as we've
changed all our certificate templates to support 4096 key and above. But I
don't understand why ipa-pkinit-manage enable command tries to issue a new
certificate and does not utilise the existing one?
Regards,
Alex Ivanov.
10 months, 1 week
pki-tomcat fails to start after upgrade
by Tania Hagan
Hi FreeIPA,
I am currently using FreeIPA version 4.9.10 with 6 IPA replicas. I went to upgrade the server to 4.9.11, but the ipa-server-upgrade failed when it attempted to start pki-tomcat. In /var/log/pki/pki-tomcat/ca/debug.log I see:
Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
…
at netscape.ldap.LDAPConnection(Unknown Source)
Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
….
I've been through the guide https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom... where I can confirm the /etc/pki/pki-tomcat/ca/CS.cfg is using:
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=<servername>
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' shows the cert with the correct Serial number and the cert does not expire until next year.
When I read the private key, I have checked that the nickname is correct, and it does work on another ipareplica but not on the one I'm troubleshooting.
grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
The ldap server configuration looks to be using the correct certificate.
I rolled back the server to my last known working server, and find that commands such as ipa cert-find work fine, all my replicas have the same cert, but the command certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' fails on 4 out of 6 ipareplicas. 2 replicas see the correct result.
Could any one help point me to how I might resolve this issue?
Many Thanks,
Tania
10 months, 1 week
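Added example (not from the post and not FreeIPA or Dogtag code): the same `certutil -K` check as above, written so that the NSS database password does not stay behind in /tmp. The posted one-liner writes /tmp/pwdfile.txt with the default umask, which is world-readable on most systems, and its `grep internal` also matches the `internaldb=` line in password.conf, so the file gets two lines. The paths and nickname are the FreeIPA defaults quoted in the post; the helper functions can be run anywhere, certutil is only invoked by `run_check()`.

```python
"""The certutil -K check from the post, with the NSS password handled
more carefully: the password file is created mode 0600 and removed
afterwards, instead of sitting in /tmp/pwdfile.txt with the default umask.

Added example, not FreeIPA or Dogtag code. Paths and the nickname are the
defaults quoted in the post; certutil is only invoked by run_check().
"""
import os
import stat
import subprocess
import tempfile
from typing import Optional

PASSWORD_CONF = "/var/lib/pki/pki-tomcat/conf/password.conf"
NSS_DIR = "/etc/pki/pki-tomcat/alias"
NICKNAME = "subsystemCert cert-pki-ca"


def internal_token_password(conf_text: str) -> Optional[str]:
    """Value of the exact 'internal=' key.

    password.conf also carries 'internaldb=' (the LDAP bind password), so a
    plain `grep internal | cut -d= -f2` yields two lines; match the key."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "internal":
            return value.strip()
    return None


def write_password_file(password: str) -> str:
    """Write the password to a fresh 0600 file; the caller removes it."""
    fd, path = tempfile.mkstemp(prefix="nss-pw-")
    try:
        os.fchmod(fd, 0o600)   # mkstemp already uses 0600; be explicit
        os.write(fd, (password + "\n").encode())
    finally:
        os.close(fd)
    return path


def password_file_is_private(path: str) -> bool:
    """True when only the owner can read the file and the owner is us."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == 0o600 and st.st_uid == os.getuid()


def run_check(conf_path: str = PASSWORD_CONF, nss_dir: str = NSS_DIR,
              nickname: str = NICKNAME) -> subprocess.CompletedProcess:
    """certutil -K lists the private key behind the nickname; a non-zero
    exit, like the SEC_ERROR_INVALID_ARGS in the post, means the key is
    not reachable with this password on this replica."""
    with open(conf_path) as fh:
        password = internal_token_password(fh.read())
    if password is None:
        raise RuntimeError(f"no internal= entry in {conf_path}")
    pwfile = write_password_file(password)
    try:
        if not password_file_is_private(pwfile):
            raise RuntimeError(f"{pwfile} is not private; refusing to use it")
        return subprocess.run(
            ["certutil", "-K", "-d", nss_dir, "-f", pwfile, "-n", nickname],
            capture_output=True, text=True, check=False)
    finally:
        os.unlink(pwfile)   # never leave the NSS password behind


if __name__ == "__main__":
    result = run_check()
    print(result.stdout or result.stderr, end="")
    raise SystemExit(result.returncode)
```

Running it on each replica gives a per-host exit code to compare, which is the same 4-of-6 versus 2-of-6 split the post describes, without leaving the password file behind on any of them.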
Install Error - RuntimeError: CA configuration failed - java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt
by Jacob Chapman
I am installing on Docker for macOS. During the initial install, it reaches step [1/30]: configuring certificate server instance when it shows the error.
I looked in the /data/var/log/ipaserver-install.log and it looks like everything is OK until it hits the errors below. Any ideas what could cause this?
FINE: NSSDatabase: Issuing cert for CN=freeipa.mydomain.cloud,O=2023-06-25 23:40:10
FINE: NSSDatabase: - issuer: CN=freeipa.mydomain.cloud,O=2023-06-25 23:40:10
FINE: NSSDatabase: - public key algorithm: RSA
FINE: NSSDatabase: - serial number: 0x79a6edffa89c946d7cb055c19b4befa4
FINE: NSSDatabase: - not before: Sun Jun 25 23:42:17 UTC 2023
FINE: NSSDatabase: - not after: Mon Sep 25 23:42:17 UTC 2023
FINE: NSSDatabase: - hash algorithm: SHA256
FINE: NSSDatabase: - key algorithm: SHA256withRSA
FINE: NSSDatabase: Finding request private key
FINE: NSSDatabase: - private key: 0xdbb9f417bd81a12aa00c1b20227c91a6b2ccefd6
FINE: NSSDatabase: Private key algorithm: RSA
FINE: NSSDatabase: Signing algorithm: SHA256withRSA
FINE: CryptoUtil: Signing certificate
FINE: CryptoUtil: - signing algorithm: RSASignatureWithSHA256Digest
FINE: CryptoUtil: - algorithm name: SHA256withRSA
FINE: CryptoUtil: - algorithm ID: SHA256withRSA
DEBUG: NSSDatabase.add_cert(temp Server-Cert cert-pki-ca)
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmp5y2f9zop/XXXXXXXX.txt nss-cert-import --cert /tmp/tmp_tmyllsd/sslserver.crt --debug temp Server-Cert cert-pki-ca
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
at java.base/java.nio.file.Files.createFile(Files.java:658)
at java.base/java.nio.file.TempFileHelper.create(TempFileHelper.java:136)
at java.base/java.nio.file.TempFileHelper.createTempFile(TempFileHelper.java:159)
at java.base/java.nio.file.Files.createTempFile(Files.java:923)
at org.dogtagpki.nss.NSSDatabase.addCertificate(NSSDatabase.java:342)
at com.netscape.cmstools.nss.NSSCertImportCLI.execute(NSSCertImportCLI.java:104)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:658)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:697)
10 months, 1 week
Removing dead servers with tombstone entries
by Joe Rhodes
Hello all!
I have a CentOS 7 based FreeIPA system that I’m migrating to Rocky 9. As suggested, I’ve created a Rocky 8 instance replica first.
As I’ve been working on this (in a dev environment first), I’ve gotten myself into a state where I have two servers in the config that I cannot delete. (The VMs have been uninstalled and deleted.)
ipa server-find
---------------------
7 IPA servers matched
---------------------
Server name: ia-ipa-1.dev.purestake.tech
Min domain level: 0
Max domain level: 1
Server name: ia-ipa-2.dev.purestake.tech
Min domain level: 0
Max domain level: 1
Server name: joe-rocky-8.dev.purestake.tech
Min domain level: 1
Max domain level: 1
Server name: joe-rocky-9.dev.purestake.tech
Min domain level: 1
Max domain level: 1
Server name: oh-ipa-1.dev.purestake.tech
Min domain level: 0
Max domain level: 1
Server name: oh-ipa-2.dev.purestake.tech
Min domain level: 0
Max domain level: 1
Server name: oh-ipa-21.dev.purestake.tech
Min domain level: 1
Max domain level: 1
The two servers I want to delete are joe-rocky-9 and oh-ipa-21.
Trying to delete either gives me:
ipa server-del joe-rocky-9.dev.purestake.tech
Removing joe-rocky-9.dev.purestake.tech from replication topology, please wait...
ipa: ERROR: Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server ia-ipa-1.dev.purestake.tech to replicate with servers:
joe-rocky-9.dev.purestake.tech
Topology does not allow server ia-ipa-2.dev.purestake.tech to replicate with servers:
joe-rocky-9.dev.purestake.tech
Topology does not allow server joe-rocky-8.dev.purestake.tech to replicate with servers:
joe-rocky-9.dev.purestake.tech
Topology does not allow server joe-rocky-9.dev.purestake.tech to replicate with servers:
joe-rocky-8.dev.purestake.tech
oh-ipa-1.dev.purestake.tech
oh-ipa-2.dev.purestake.tech
ia-ipa-1.dev.purestake.tech
oh-ipa-21.dev.purestake.tech
ia-ipa-2.dev.purestake.tech
Topology does not allow server oh-ipa-1.dev.purestake.tech to replicate with servers:
joe-rocky-9.dev.purestake.tech
Topology does not allow server oh-ipa-2.dev.purestake.tech to replicate with servers:
joe-rocky-9.dev.purestake.tech
Topology does not allow server oh-ipa-21.dev.purestake.tech to replicate with servers:
joe-rocky-9.dev.purestake.tech.
and attempting to delete, ignoring the replication topology:
ipa server-del joe-rocky-9.dev.purestake.tech --ignore-topology-disconnect
Removing joe-rocky-9.dev.purestake.tech from replication topology, please wait...
ipa: ERROR: Not allowed on non-leaf entry
When I do a: ipa topologysegment-find domain the server joe-rocky-9 is not listed in any of the segments.
I believe the issue is that I have a bunch of replication issues regarding these two servers. (I had been adding and removing them as I was finding the right way to go about my upgrade.) This command shows both of the servers:
ldapsearch "nsds5ReplConflict=*"
When I do the following search I see quite a few nsTombstone entries as children, which I assume is what’s blocking me from removing this DN (either using the ipa server-del command or the ldapdelete command).
ldapsearch -D "cn=Directory Manager" -W "(objectclass=nsTombstone)" dn
When I do this command:
ipa-replica-manage list-ruv
Replica Update Vectors:
ia-ipa-1.dev.purestake.tech:389: 4
oh-ipa-1.dev.purestake.tech:389: 7
ia-ipa-2.dev.purestake.tech:389: 3
oh-ipa-2.dev.purestake.tech:389: 8
joe-rocky-8.dev.purestake.tech:389: 19
Certificate Server Replica Update Vectors:
ia-ipa-1.dev.purestake.tech:389: 6
joe-rocky-8.dev.purestake.tech:389: 20
ia-ipa-2.dev.purestake.tech:389: 5
I get the expected list of RUVs, without the two servers I want to delete. Only the servers that are really online and legit show up. So I cannot use the "clean-ruv" command because the bad servers don't show up with a replication ID.
When I do this:
ipa-replica-manage -p Extraordinary-northern-Conditioning-Idaho-7 clean-dangling-ruv
The server 'joe-rocky-9.dev.purestake.tech' appears to be offline.
The server 'oh-ipa-21.dev.purestake.tech' appears to be offline.
No dangling RUVs found
I see the two problematic entries timing out (as expected, since they don’t exist).
I’m just not sure how to remove these two dead servers. It seems like I need to resolve or delete the nsTombstone children, but that doesn’t seem to be possible.
I’m kind of wondering if I’m at a point where I’ll need to do an ipa-backup/modify the ldif/ipa-restore to get rid of these? I’m not even sure that’s possible.
Any help would be greatly appreciated.
10 months, 1 week
Replication of account lock state
by Djerk Geurts
Hi all,
I have read up on whether replica servers can also replicate the lock
status of an account, and I'm trying to find out what the current status is on
the latest FreeIPA v4.x.
What are the available options? Right now having to log into multiple IPA
servers to find lockouts is a real pita, and security-wise I'd like either the
failed auth counters or the lockout status to be replicated. The ability to
unlock from a single IPA server would also be pretty sweet.
Is there any way to get either working?
Thanks,
Djerk
10 months, 1 week
Antivirus/malware scan
by Ronald Wimmer
If a company policy forces you to install an antivirus/malware scan tool
on Linux servers, which IPA directories should be excluded because a
severe performance impact would be very likely?
I would start with:
/var/lib/sss
/etc/dirsrv/slapd-LINUX-MYDOMAIN-AT
What else?
Cheers,
Ronald
10 months, 1 week
Problem joining a windows pc to freeipa realm without an AD server
by fujisan
Hello everyone,
Since I upgraded our server to Fedora 38, we cannot access Samba shares on
that Linux server from Windows PCs.
So I'm now trying to log in to a Windows PC using a FreeIPA user account.
I followed instructions I found in the following documentations:
https://freeipa.org/page/Windows_authentication_against_FreeIPA
https://computingforgeeks.com/join-windows-system-to-freeipa-realm/
https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/...
.
https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8
Basically, I added the Windows PC (winpc) to the FreeIPA host list using
the web UI, then:
$ ipa-getkeytab -s server.domain.local -p host/winpc.domain.local@DOMAIN.LOCAL -e aes256-cts,aes128-cts,aes256-sha2,aes128-sha2,camellia256-cts-cmac,camellia128-cts-cmac -k /etc/krb5.keytab -P
and in a terminal on the Windows PC:
> ksetup /setdomain DOMAIN.LOCAL
> ksetup /addkdc DOMAIN.LOCAL server.domain.local
> ksetup /addkpasswd DOMAIN.LOCAL server.domain.local
> ksetup /setcomputerpassword p4$$w0rD
> ksetup /mapuser * *
I also created a local user 'smith' on the Windows PC, which also exists on
the FreeIPA server:
$ ipa user-show smith
User login: smith
First name: John
Last name: Smith
Home directory: /home/smith
Login shell: /usr/bin/zsh
Principal name: smith@DOMAIN.LOCAL
Principal alias: smith@DOMAIN.LOCAL
Email address: smith@DOMAIN.LOCAL
UID: 1010
GID: 1025
SMB Home Directory Drive: A:
Account disabled: False
Password: True
Member of groups: admins, ipausers, trust admins, editors
Roles: helpdesk, User Administrator, Enrollment Administrator, Security
Architect, IT Security Specialist, FleetCommander Desktop Profile
Administrators, IT Specialist
Kerberos keys available: True
But every time I try to log in with smith@DOMAIN.LOCAL and the FreeIPA password
of that user, I get the following message:
"We could not connect you with these credentials because your domain was
not available. ..."
and when I check the logs in krb5kdc.log:
Jun 26 09:14:12 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: NEEDED_PREAUTH: smith@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
Jun 26 09:14:12 server.domain.local krb5kdc[75292](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, smith@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Jun 26 09:14:12 server.domain.local krb5kdc[4979](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 10.0.21.204: ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, smith@DOMAIN.LOCAL for host/winpc.domain.local@DOMAIN.LOCAL
Also, I don't know if this is related to the login problem, but when I
reboot the Windows PC, I get in the same log file a message saying
'Client not found in Kerberos database.'
Jun 26 09:13:49 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: CLIENT_NOT_FOUND: winpc$@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Client not found in Kerberos database
Jun 26 09:13:49 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: CLIENT_NOT_FOUND: winpc$@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Client not found in Kerberos database
So what am I missing?
Best regards
F.
10 months, 1 week
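Added example (not from the post above, and not FreeIPA or MIT Kerberos code): a small triage pass over krb5kdc.log records of the kind quoted in that post. It separates the three facts a practitioner wants from those lines: which principals the KDC rejected with CLIENT_NOT_FOUND (here the Windows machine presents itself as `winpc$@DOMAIN.LOCAL`, while the keytab in the post was created for `host/winpc.domain.local`), which tickets were actually issued and to which service, and which client addresses still advertise deprecated or unsupported encryption types such as arcfour-hmac and des-cbc-md5. The sample log is constructed from the post's entries, re-joined onto one line per record as the KDC writes them.

```python
"""Triage krb5kdc.log records like the ones quoted above: which principals
the KDC does not know (CLIENT_NOT_FOUND), which tickets it issued, and
which client addresses still advertise deprecated or unsupported etypes.

Added example, not FreeIPA or MIT Kerberos code. SAMPLE_LOG is constructed
from the post's entries, one record per line as the KDC writes them. On a
server:  python3 kdc_log_triage.py < /var/log/krb5kdc.log
"""
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

_ETYPES6 = ("aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
            "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
            "UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)")
_ETYPES5 = _ETYPES6.rsplit(", ", 1)[0]  # the TGS_REQ offered the same list minus des-cbc-md5
_ISSUED = ("ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), "
           "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ")
_KRBTGT = "krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL"


def _rec(ts: str, pid: int, req: str, etypes: str, rest: str) -> str:
    """Build one constructed KDC record in MIT krb5kdc.log layout."""
    return (f"{ts} server.domain.local krb5kdc[{pid}](info): {req} "
            f"({etypes.count('(')} etypes {{{etypes}}}) 10.0.21.204: {rest}")


SAMPLE_LOG = "\n".join([
    _rec("Jun 26 09:13:49", 75284, "AS_REQ", _ETYPES6,
         f"CLIENT_NOT_FOUND: winpc$@DOMAIN.LOCAL for {_KRBTGT}, Client not found in Kerberos database"),
    _rec("Jun 26 09:13:49", 75284, "AS_REQ", _ETYPES6,
         f"CLIENT_NOT_FOUND: winpc$@DOMAIN.LOCAL for {_KRBTGT}, Client not found in Kerberos database"),
    _rec("Jun 26 09:14:12", 75284, "AS_REQ", _ETYPES6,
         f"NEEDED_PREAUTH: smith@DOMAIN.LOCAL for {_KRBTGT}, Additional pre-authentication required"),
    _rec("Jun 26 09:14:12", 75292, "AS_REQ", _ETYPES6,
         _ISSUED + f"smith@DOMAIN.LOCAL for {_KRBTGT}"),
    _rec("Jun 26 09:14:12", 4979, "TGS_REQ", _ETYPES5,
         _ISSUED + "smith@DOMAIN.LOCAL for host/winpc.domain.local@DOMAIN.LOCAL"),
]) + "\n"

RECORD_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$")
# one advertised etype: optional DEPRECATED:/UNSUPPORTED: tag, name, (number)
ETYPE_RE = re.compile(r"(?:(?P<tag>DEPRECATED|UNSUPPORTED):)?(?P<name>[^(),\s]*)\((?P<num>-?\d+)\)")
PRINC_RE = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


def parse_kdc_log(text: str) -> List[Dict[str, object]]:
    """One dict per AS_REQ/TGS_REQ record; other KDC messages are skipped."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        ev: Dict[str, object] = m.groupdict()
        ev["etypes"] = [e.groupdict() for e in ETYPE_RE.finditer(m.group("etypes"))]
        p = PRINC_RE.search(m.group("detail"))
        ev["client"] = p.group("client") if p else None
        ev["server"] = p.group("server") if p else None
        events.append(ev)
    return events


def unknown_clients(events) -> Dict[str, int]:
    """Principals rejected with CLIENT_NOT_FOUND and how often each appeared."""
    return dict(Counter(e["client"] for e in events if e["status"] == "CLIENT_NOT_FOUND"))


def legacy_etype_offers(events) -> Dict[str, Set[str]]:
    """Client IP -> names of deprecated/unsupported etypes it advertised."""
    offers: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        for et in e["etypes"]:
            if et["tag"] and et["name"]:   # skip untagged AES and the nameless (-135)
                offers[e["ip"]].add(et["name"])
    return dict(offers)


def issued_tickets(events) -> List[Tuple[str, str, str]]:
    """(request type, client, service) for every ticket the KDC issued."""
    return [(e["req"], e["client"], e["server"]) for e in events if e["status"] == "ISSUE"]


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read())
    print("unknown clients:", unknown_clients(evs))
    print("legacy etypes by client:", legacy_etype_offers(evs))
    for issued in issued_tickets(evs):
        print("issued:", *issued)
```

The regexes only cover the AS_REQ/TGS_REQ lines MIT krb5kdc writes at info level; anything else in the log is ignored rather than guessed at. On the sample it reports `winpc$@DOMAIN.LOCAL` twice as unknown, one AS and one TGS ticket issued to smith (the latter for `host/winpc.domain.local@DOMAIN.LOCAL`), and 10.0.21.204 offering arcfour-hmac, arcfour-hmac-exp and des-cbc-md5.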