September 2024 - FreeIPA-users - Fedora mailing-lists

Re: Create IPA user via LDAP
by Ronald Wimmer 21 Jan '25

21 Jan '25

On 08.01.24 17:58, Alexander Bokovoy wrote: > On Пан, 08 сту 2024, Ronald Wimmer wrote: >> On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote: >>> On 02.01.24 16:27, Rob Crittenden wrote: >>>> Ronald Wimmer via FreeIPA-users wrote: >>>>> >>>>> >>>>> On 14.12.23 14:42, Alexander Bokovoy wrote: >>>>>> On Чцв, 14 сне 2023, Ronald Wimmer via FreeIPA-users wrote: >>>>>>> In our company we do have an IAM tool for user management. We >>>>>>> need to >>>>>>> create IPA users via this particular tool. I am aware of all IPA >>>>>>> commands or API calls to create/modify or delete a user. >>>>>>> >>>>>>> As the tool does not support FreeIPA yet they asked if there is a >>>>>>> way >>>>>>> to manage users by using LDAP only. Could that work? What about >>>>>>> attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber? >>>>>> >>>>>> Learn about lifecycle management. This is your way of integrating >>>>>> with >>>>>> such tools bvy creating staged users: >>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/ht… >>>>>> >>>>> >>>>> I followed the instructions from the documentation. >>>>> >>>>> How could I possibly overcome >>>>> >>>>> Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: >>>>> ipa: ERROR: Constraint violation: pre-hashed passwords are not valid >>>>> >>>>> I need to set passwords from the external system. >>>> >>>> You need to enable migration mode (ipa config-mod --enable-migration >>>> true). >>>> >>>> By default a pre-hashed password can only be set once: during the user >>>> add operation. >>> >>> Ok. So this would not work for a password change. So if we need to >>> set an initial password and change that particular password in some >>> point in time the only feasible way is the IPA API, right? >>> >>> Can the immediate password expiration be overridden? >> >> As we have an upcoming please allow me to ask if I got the point here. >> >> I appreciate your support in this matter! >> > > I was looking over the code. The only way to accept pre-hashed passwords > is when they also have Kerberos keys set. This means you cannot use > external LDAP modify/add for that as you cannot create the Kerberos key > without knowing a Kerberos master key. > > So the only other option is to submit a clear-text password: > > userPassword: {CLEAR}text-password > > That will be accepted and if bind DN that performed this change is > either a cn=Directory Manager or a one from the passsync managers, it > would also not be marked for expiration immediately. If I try to set the userPassword attribute to some value with an LDAP browser and chose "plaintext" the value gets hashed immediately. I do see {PBKDF2_SHA256}. As a consequence the user cannot be activated. What am I doing wrong? I tried to enable migration mode and wanted to try it again but now I cannot connect to IPA's LDAP directory at all anymore... [root@tipa01 ~]# ipa config-mod --enable-migration=true Maximum username length: 32 Maximum hostname length: 64 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain: ipatest.mydomain.at Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: True Certificate Subject base: O=IPATEST.MYDOMAIN.AT Password Expiration Notification (days): 4 Password plugin features: AllowNThash, KDC:Disable Last Success SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: MS-PAC, nfs:NONE IPA masters: tipa01.ipatest.mydomain.at, tipa02.ipatest.mydomain.at IPA master capable of PKINIT: tipa01.ipatest.mydomain.at, tipa02.ipatest.mydomain.at IPA CA servers: tipa01.ipatest.mydomain.at IPA CA renewal master: tipa01.ipatest.mydomain.at Domain resolution order: org.mydomain.at:ipatest.mydomain.at [root@tipa01 ~]# ipa config-mod --enable-migration=false ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): KDC returned error string: PROCESS_TGS

4 47

2FA not working with OpenVPN Free IPA Integration
by Tinku Goyal 20 Jan '25

20 Jan '25

My setup includes a set of FreeIPA servers running on 4.9.2 version and a OpenVPN configured for the users to connect to VPN. Previously I was using IPA version 4.6.8 on CentOS7 and now installed IPA replica on 4.9.2 on OL8 and decommissioned the old one. I am using openvpn-plugin-auth-pam.so with login pam file to authenticate the IPA users logging in to OpenVPN. when I am resetting the password of users now, then users are not able to login to OpenVPN with 2FA (password+otp) whereas, with otp disabled it is working for old users for whom password is not resetted recently after change in IPA cluster, their authentication is working through OpenVPN with/without OTP both. All users(old + users whose password is resetted recently) are able to login to linux servers using password and OTP both combination, its just not authenticating in OpenVPN. I have tried multiple things but still couldn't able to get it work. Hoping if someone can help with this!!

3 7

Disabling "kinit admin" on all machines
by Dominik Vogt 18 Nov '24

18 Nov '24

What is the correct way to disable "kinit admin" on all ipa clients? In our setup, becoming admin should only possible on the ipa server. (Everything is done by scripts runn through ssh; nobody ever logs in to the server directly.) Ciao Dominik ^_^ ^_^ -- Dominik Vogt

3 12

Unable to install KRA Replica - 4.8.7
by David Andrzejewski 04 Nov '24

04 Nov '24

I'm attempting to reinstall a replica that I had previously removed. When I run ipa-replica-install and include the --setup-kra option, it eventually fails. I've included the output of the ipa-replica-install command, and the only "bad" thing I can find is the following in the tomcat debug log: > 2020-11-29 03:51:35 [ajp-nio-127.0.0.1-8009-exec-3] SEVERE: addConnector: Connector is already defined I've gone through and run ipa-healthcheck, all is well there. After uninstalling, I couldn't find any old references to the replica in the LDAP database.... the ipa-replica-install works fine if I do not include --setup-kra. Any help would be appreciated. I'm happy to provide whatever additional logs that may be needed. I've replaced my internal DNS suffix with 'example.com'. Thanks! - Dave Failed to configure KRA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpf6kaucv2', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to LDAP server at ldaps://ipa.example.com:636\nINFO: Connecting to security domain at https://ipa.example.com:443\nINFO: Getting security domain info\nINFO: Logging into security domain IPA\nDEBUG: Installing Maven dependencies: False\nINFO: BEGIN spawning KRA subsystem in pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Setting up pkiuser group\nINFO: Reusing existing pkiuser group with GID 17\nINFO: Setting up pkiuser user\nINFO: Reusing existing pkiuser user with UID 17\nDEBUG: Retrieving UID for \'pkiuser\'\nDEBUG: UID of \'pkiuser\' is 17\nDEBUG: Retrieving GID for \'pkiuser\'\nDEBUG: GID of \'pkiuser\' is 17\nINFO: Initialization\nINFO: Appending logs to /var/log/pki/pki-tomcat\nINFO: Setting up infrastructure\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chmod 770 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra\nINFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: cp -p /usr/share/pki/server/etc/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg\nDEBUG: Command: touch /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nDEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg\nINFO: Creating /var/lib/pki/pki-tomcat\nINFO: Creating /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra\nINFO: Preparing pki-tomcat instance\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /etc/pki/pki-tomcat\nWARNING: Directory already exists: /etc/pki/pki-tomcat\nINFO: Creating /etc/pki/pki-tomcat/password.conf\nINFO: Reusing server NSS database password\nINFO: Using specified internal database password\nINFO: Reusing replication manager password\nINFO: Installing pki-tomcat instance\nINFO: Creating KRA subsystem\nINFO: Creating /var/log/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra\nINFO: Creating /var/log/pki/pki-tomcat/kra/archive\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/archive\nINFO: Creating /var/log/pki/pki-tomcat/kra/signedAudit\nDEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/signedAudit\nINFO: Creating /etc/pki/pki-tomcat/kra\nDEBUG: Command: mkdir /etc/pki/pki-tomcat/kra\nINFO: Creating /etc/pki/pki-tomcat/kra/CS.cfg\nDEBUG: Command: cp /usr/share/pki/kra/conf/CS.cfg /etc/pki/pki-tomcat/kra/CS.cfg\nINFO: Creating /etc/pki/pki-tomcat/kra/registry.cfg\nINFO: Creating /var/lib/pki/pki-tomcat/kra/conf\nDEBUG: Command: ln -s /etc/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/conf\nINFO: Creating /var/lib/pki/pki-tomcat/kra/logs\nDEBUG: Command: ln -s /var/log/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/logs\nINFO: Creating /var/lib/pki/pki-tomcat/kra/registry\nDEBUG: Command: ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/kra/registry\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Deploying /kra web application\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra/webapps\nDEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Setting up ownerships, permissions, and ACLs on /var/lib/pki/pki-tomcat/kra/webapps\nINFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/kra.xml\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Creating password file: /etc/pki/pki-tomcat/pfile\nINFO: Updating /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chmod 660 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: chown 17:17 /etc/pki/pki-tomcat/password.conf\nDEBUG: Command: ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/kra/alias\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Certificates in PKCS #12 file:\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-cert-find --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug\nINFO: Module: pkcs12\nINFO: Module: cert\nINFO: Module: find\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nINFO: - auditSigningCert cert-pki-kra\nINFO: - caSigningCert cert-pki-ca\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Importing CA certificates:\nINFO: - caSigningCert cert-pki-ca\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -a\nWARNING: Certificate already exists: caSigningCert cert-pki-ca\nINFO: Importing user certificates:\nINFO: - auditSigningCert cert-pki-kra\nINFO: - storageCert cert-pki-kra\nINFO: - subsystemCert cert-pki-ca\nINFO: - transportCert cert-pki-kra\nINFO: Java command: /usr/lib/jvm/jre-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/pki/pki-tomcat/alias -C /etc/pki/pki-tomcat/pfile --debug pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug auditSigningCert cert-pki-kra storageCert cert-pki-kra subsystemCert cert-pki-ca transportCert cert-pki-kra\nINFO: Server URL: https://ipa.example.com:8443\nINFO: Loading NSS password from /etc/pki/pki-tomcat/pfile\nINFO: NSS database: /etc/pki/pki-tomcat/alias\nINFO: Message format: null\nINFO: Command: pkcs12-import --pkcs12 /tmp/tmp3plm5h3l --password-file /tmp/tmpm1sa32dg/password.txt --debug "auditSigningCert cert-pki-kra" "storageCert cert-pki-kra" "subsystemCert cert-pki-ca" "transportCert cert-pki-kra"\nINFO: Module: pkcs12\nINFO: Module: import\nINFO: Initializing NSS\nINFO: Logging into internal token\nINFO: Using internal token\nDEBUG: Command: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n auditSigningCert cert-pki-kra -t u,u,Pu\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias\nDEBUG: Result of CA certificate export: \nINFO: Removing /etc/pki/pki-tomcat/pfile\nDEBUG: Command: rm -f /etc/pki/pki-tomcat/pfile\nINFO: Getting transport cert info from CS.cfg\nINFO: Getting storage cert info from CS.cfg\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting subsystem cert info from CS.cfg\nINFO: Getting audit_signing cert info from CS.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Creating /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: mkdir -p /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chmod 755 /root/.dogtag/pki-tomcat/kra\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra\nINFO: Creating password file: /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf\nDEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Storing PKCS #12 password in /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nINFO: Updating /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nDEBUG: Command: chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf\nWARNING: Directory already exists: /var/lib/ipa/tmp-6ae9ficu\nDEBUG: Command: certutil -N -d /var/lib/ipa/tmp-6ae9ficu -f /root/.dogtag/pki-tomcat/kra/password.conf\nINFO: Creating SELinux contexts\nINFO: Generating system keys\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nINFO: Configuring subsystem\nINFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: - user: pkiuser\nINFO: - group: pkiuser\nDEBUG: Setting ephemeral requests to true\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Importing sslserver cert data from CA\nINFO: Importing subsystem cert data from CA\nINFO: Importing sslserver request data from CA\nINFO: Importing subsystem request data from CA\nINFO: Joining existing domain\nINFO: Getting install token\nINFO: Using CA at https://ipa.example.com:443\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Reusing replicated database\nINFO: Initializing database\nDEBUG: Command: sudo -u pkiuser /usr/lib/jvm/jre-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI kra-db-init --setup-schema --setup-db-manager --setup-vlv-indexes --debug\nINFO: Loading /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Initializing database ipaca for o=kra,o=ipaca\nINFO: Creating com.netscape.cmsutil.password.PlainPasswordFile\nFINE: PlainPasswordFile: Initializing PlainPasswordFile\nFINE: LdapAuthInfo: init()\nFINE: LdapAuthInfo: init begins\nFINE: LdapAuthInfo: init ends\nFINE: TCP Keep-Alive: true\nFINE: LdapAuthInfo: init: prompt is internaldb\nFINE: LdapAuthInfo: init: try getting from memory cache\nFINE: LdapAuthInfo: init: password not in memory\nFINE: LdapAuthInfo: getPasswordFromStore: try to get it from password store\nFINE: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: internaldb\nFINE: LdapAuthInfo: getPasswordFromStore: password store available\nFINE: LdapAuthInfo: getPasswordFromStore: password found for prompt in password store\nFINE: LdapAuthInfo: password ok: store in memory cache\nFINE: LdapBoundConnection: Connecting to ipa.example.com:636 with basic auth as cn=Directory Manager\nFINE: ldapconn/PKISocketFactory.makeSSLSocket: begins\nFINE: PKIClientSocketListener.handshakeCompleted: begins\nFINE: Handshake completed:\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH\nFINE: PKIClientSocketListener.handshakeCompleted: CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS\nFINE: PKIClientSocketListener.handshakeCompleted: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636\nFINE: SSL handshake happened\nINFO: Configuring directory\nINFO: Importing /usr/share/pki/server/conf/database.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-549427834453303422.ldif\nINFO: Modifying cn=config\nINFO: - replacing nsslapd-maxbersize: 209715200\nINFO: Enabling USN\nINFO: Importing /usr/share/pki/server/conf/usn.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-784255222034676900.ldif\nINFO: Modifying cn=USN,cn=plugins,cn=config\nINFO: - replacing nsslapd-pluginenabled: on\nINFO: Setting up PKI schema\nINFO: Importing /usr/share/pki/server/conf/schema.ldif\nINFO: Adding attributetypes: ( usertype-oid NAME \'usertype\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userstate-oid NAME \'userstate\' DESC \'Distinguish whether the user is administrator, agent or subsystem.\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( cmsuser-oid NAME \'cmsuser\' DESC \'CMS User\' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( archivedBy-oid NAME \'archivedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( adminMessages-oid NAME \'adminMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithm-oid NAME \'algorithm\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( algorithmId-oid NAME \'algorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( signingAlgorithmId-oid NAME \'signingAlgorithmId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( autoRenew-oid NAME \'autoRenew\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certStatus-oid NAME \'certStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlName-oid NAME \'crlName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlSize-oid NAME \'crlSize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaSize-oid NAME \'deltaSize\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlNumber-oid NAME \'crlNumber\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( deltaNumber-oid NAME \'deltaNumber\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( firstUnsaved-oid NAME \'firstUnsaved\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlCache-oid NAME \'crlCache\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedCerts-oid NAME \'revokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( unrevokedCerts-oid NAME \'unrevokedCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( expiredCerts-oid NAME \'expiredCerts\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( crlExtensions-oid NAME \'crlExtensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfArchival-oid NAME \'dateOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRecovery-oid NAME \'dateOfRecovery\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfRevocation-oid NAME \'dateOfRevocation\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( duration-oid NAME \'duration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extension-oid NAME \'extension\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuedBy-oid NAME \'issuedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issueInfo-oid NAME \'issueInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( issuerName-oid NAME \'issuerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keySize-oid NAME \'keySize\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( clientId-oid NAME \'clientId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dataType-oid NAME \'dataType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( status-oid NAME \'status\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyState-oid NAME \'keyState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( metaInfo-oid NAME \'metaInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextUpdate-oid NAME \'nextUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notAfter-oid NAME \'notAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( notBefore-oid NAME \'notBefore\' DESC \'CMS defined attribute\'SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( ownerName-oid NAME \'ownerName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( password-oid NAME \'password\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( p12Expiration-oid NAME \'p12Expiration\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( proofOfArchival-oid NAME \'proofOfArchival\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyData-oid NAME \'publicKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publicKeyFormat-oid NAME \'publicKeyFormat\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( privateKeyData-oid NAME \'privateKeyData\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestId-oid NAME \'requestId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestInfo-oid NAME \'requestInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestState-oid NAME \'requestState\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestResult-oid NAME \'requestResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestOwner-oid NAME \'requestOwner\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestAgentGroup-oid NAME \'requestAgentGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestSourceId-oid NAME \'requestSourceId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestType-oid NAME \'requestType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestFlag-oid NAME \'requestFlag\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( requestError-oid NAME \'requestError\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( resourceACLS-oid NAME \'resourceACLS\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revInfo-oid NAME \'revInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedBy-oid NAME \'revokedBy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( revokedOn-oid NAME \'revokedOn\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( serialno-oid NAME \'serialno\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( nextRange-oid NAME \'nextRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( publishingStatus-oid NAME \'publishingStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( beginRange-oid NAME \'beginRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( endRange-oid NAME \'endRange\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( subjectName-oid NAME \'subjectName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( sessionContext-oid NAME \'sessionContext\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( thisUpdate-oid NAME \'thisUpdate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transId-oid NAME \'transId\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transStatus-oid NAME \'transStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transName-oid NAME \'transName\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( transOps-oid NAME \'transOps\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userDN-oid NAME \'userDN\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( userMessages-oid NAME \'userMessages\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( version-oid NAME \'version\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( Clone-oid NAME \'Clone\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( DomainManager-oid NAME \'DomainManager\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecurePort-oid NAME \'SecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAgentPort-oid NAME \'SecureAgentPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureAdminPort-oid NAME \'SecureAdminPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SecureEEClientAuthPort-oid NAME \'SecureEEClientAuthPort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( UnSecurePort-oid NAME \'UnSecurePort\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( SubsystemName-oid NAME \'SubsystemName\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( cmsUserGroup-oid NAME \'cmsUserGroup\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( realm-oid NAME \'realm\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( CertACLS-oid NAME \'CertACLS\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( repository-oid NAME \'repository\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishingStatus ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( request-oid NAME \'request\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( transaction-oid NAME \'transaction\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStatus $ transOps ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( crlIssuingPointRecord-oid NAME \'crlIssuingPointRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certificateRecord-oid NAME \'certificateRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( userDetails-oid NAME \'userDetails\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( keyRecord-oid NAME \'keyRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityDomain-oid NAME \'pkiSecurityDomain\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSecurityGroup-oid NAME \'pkiSecurityGroup\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiSubsystem-oid NAME \'pkiSubsystem\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( pkiRange-oid NAME \'pkiRange\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ Host $ SecurePort ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( securityDomainSessionEntry-oid NAME \'securityDomainSessionEntry\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfCreate-oid NAME \'dateOfCreate\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( dateOfModify-oid NAME \'dateOfModify\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( modified-oid NAME \'modified\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenUserID-oid NAME \'tokenUserID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenStatus-oid NAME \'tokenStatus\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenAppletID-oid NAME \'tokenAppletID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( keyInfo-oid NAME \'keyInfo\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfResets-oid NAME \'numberOfResets\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfEnrollments-oid NAME \'numberOfEnrollments\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRenewals-oid NAME \'numberOfRenewals\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( numberOfRecoveries-oid NAME \'numberOfRecoveries\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( allowPinReset-oid NAME \'allowPinReset\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( extensions-oid NAME \'extensions\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOp-oid NAME \'tokenOp\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenID-oid NAME \'tokenID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenMsg-oid NAME \'tokenMsg\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenResult-oid NAME \'tokenResult\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIP-oid NAME \'tokenIP\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenPolicy-oid NAME \'tokenPolicy\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenIssuer-oid NAME \'tokenIssuer\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSubject-oid NAME \'tokenSubject\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenSerial-oid NAME \'tokenSerial\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenOrigin-oid NAME \'tokenOrigin\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenType-oid NAME \'tokenType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenKeyType-oid NAME \'tokenKeyType\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenReason-oid NAME \'tokenReason\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotBefore-oid NAME \'tokenNotBefore\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( tokenNotAfter-oid NAME \'tokenNotAfter\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( profileID-oid NAME \'profileID\' DESC \'CMS defined attribute\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenRecord-oid NAME \'tokenRecord\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ tokenReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numberOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenActivity-oid NAME \'tokenActivity\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ tokenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenType ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tokenCert-oid NAME \'tokenCert\' DESC \'CMS defined class\' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ tokenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( tpsProfileID-oid NAME \'tpsProfileID\' DESC \'CMS defined class\' SUP top AUXILIARY MAY ( profileID ) X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( classId-oid NAME \'classId\' DESC \'Certificate profile class ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( certProfileConfig-oid NAME \'certProfileConfig\' DESC \'Certificate profile configuration\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( certProfile-oid NAME \'certProfile\' DESC \'Certificate profile\' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig ) X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityID-oid NAME \'authorityID\' DESC \'Authority ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyNickname-oid NAME \'authorityKeyNickname\' DESC \'Authority key nickname\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN \'user-defined\' )\nINFO: Adding attributetypes: ( authorityParentID-oid NAME \'authorityParentID\' DESC \'Authority Parent ID\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityEnabled-oid NAME \'authorityEnabled\' DESC \'Authority Enabled\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityDN-oid NAME \'authorityDN\' DESC \'Authority DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authoritySerial-oid NAME \'authoritySerial\' DESC \'Authority certificate serial number\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityParentDN-oid NAME \'authorityParentDN\' DESC \'Authority Parent DN\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN \'user defined\' )\nINFO: Adding attributetypes: ( authorityKeyHost-oid NAME \'authorityKeyHost\' DESC \'Authority Key Hosts\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN \'user defined\' )\nINFO: Adding objectclasses: ( authority-oid NAME \'authority\' DESC \'Certificate Authority\' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN \'user defined\' )\nINFO: Setting up ACME schema\nINFO: Importing /usr/share/pki/acme/database/ldap/schema.ldif\nINFO: Adding attributetypes: ( acmeExpires-oid NAME \'acmeExpires\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeValidatedAt-oid NAME \'acmeValidatedAt\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeStatus-oid NAME \'acmeStatus\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeError-oid NAME \'acmeError\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeNonceId-oid NAME \'acmeNonceId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountId-oid NAME \'acmeAccountId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeAccountContact-oid NAME \'acmeAccountContact\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch )\nINFO: Adding attributetypes: ( acmeAccountKey-oid NAME \'acmeAccountKey\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeOrderId-oid NAME \'acmeOrderId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeIdentifier-oid NAME \'acmeIdentifier\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )\nINFO: Adding attributetypes: ( acmeAuthorizationId-oid NAME \'acmeAuthorizationId\' SUP name )\nINFO: Adding attributetypes: ( acmeAuthorizationWildcard-oid NAME \'acmeAuthorizationWildcard\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 EQUALITY booleanMatch SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeChallengeId-oid NAME \'acmeChallengeId\' SUP name SINGLE-VALUE )\nINFO: Adding attributetypes: ( acmeToken-oid NAME \'acmeToken\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\nINFO: Adding attributetypes: ( acmeCertificateId-oid NAME \'acmeCertificateId\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SINGLE-VALUE )\nINFO: Adding objectclasses: ( acmeNonce-oid NAME \'acmeNonce\' STRUCTURAL MUST ( acmeNonceId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAccount-oid NAME \'acmeAccount\' STRUCTURAL MUST ( acmeAccountId $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact )\nINFO: Adding objectclasses: ( acmeOrder-oid NAME \'acmeOrder\' STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) )\nINFO: Adding objectclasses: ( acmeAuthorization-oid NAME \'acmeAuthorization\' STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires )\nINFO: Adding objectclasses: ( acmeChallenge-oid NAME \'acmeChallenge\' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) )\nINFO: Adding objectclasses: ( acmeChallengeDns01-oid NAME \'acmeChallengeDns01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeChallengeHttp01-oid NAME \'acmeChallengeHttp01\' SUP acmeChallenge STRUCTURAL MUST acmeToken )\nINFO: Adding objectclasses: ( acmeCertificate-oid NAME \'acmeCertificate\' STRUCTURAL MUST ( acmeCertificateId $ userCertificate ) MAY acmeExpires )\nINFO: Creating indexes\nINFO: Importing /usr/share/pki/kra/conf/index.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-25296192129415365.ldif\nINFO: Adding cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=issuedby,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=publicKeyData,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=clientId,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dataType,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=status,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=description,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=serialno,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=metaInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=certstatus,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requesttype,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requeststate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestowner,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notbefore,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=notafter,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=duration,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=dateOfCreate,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revokedOn,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=archivedBy,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=ownername,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=subjectname,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=requestsourceid,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=revInfo,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nWARNING: Unable to add cn=extension,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Adding cn=realm,cn=index,cn=ipaca,cn=ldbm database, cn=plugins, cn=config\nINFO: Setting up database manager\nINFO: Importing /usr/share/pki/server/conf/manager.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-3984013368624234966.ldif\nINFO: Adding ou=csusers,cn=config\nWARNING: Unable to add ou=csusers,cn=config: netscape.ldap.LDAPException: error result (68); Already exists\nINFO: Modifying o=kra,o=ipaca\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify o=kra,o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nINFO: Modifying cn=ldbm database,cn=plugins,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying ou=csusers,cn=config\nINFO: - adding aci: (targetattr != "aci")(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn="o=kra,o=ipaca",cn=mapping tree,cn=config\nINFO: - adding aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nWARNING: Unable to modify cn="o=kra,o=ipaca",cn=mapping tree,cn=config: netscape.ldap.LDAPException: error result (32); No such object\nINFO: Modifying cn=tasks,cn=config\nINFO: - adding aci: (targetattr = "*")(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=kra,o=ipaca";)\nINFO: Creating VLV indexes\nINFO: Importing /usr/share/pki/kra/conf/vlv.ldif\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-import-1261970238527115258.ldif\nINFO: Adding cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=allKeys-pki-tomcatIndex, cn=allKeys-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraAll-pki-tomcatIndex, cn=kraAll-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraArchival-pki-tomcatIndex, cn=kraArchival-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRecovery-pki-tomcatIndex, cn=kraRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceled-pki-tomcatIndex, cn=kraCanceled-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledEnrollment-pki-tomcatIndex, cn=kraCanceledEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCanceledRecovery-pki-tomcatIndex, cn=kraCanceledRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejected-pki-tomcatIndex, cn=kraRejected-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedEnrollment-pki-tomcatIndex, cn=kraRejectedEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraRejectedRecovery-pki-tomcatIndex, cn=kraRejectedRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraComplete-pki-tomcatIndex, cn=kraComplete-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteEnrollment-pki-tomcatIndex, cn=kraCompleteEnrollment-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Adding cn=kraCompleteRecovery-pki-tomcatIndex, cn=kraCompleteRecovery-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config\nINFO: Rebuilding VLV indexes\nINFO: Creating /var/lib/pki/pki-tomcat/temp/pki-kra-reindex-8248341685647863582.ldif\nINFO: Adding cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Waiting for task cn=index1160527115, cn=index, cn=tasks, cn=config (1s)\nINFO: Getting cn=index1160527115, cn=index, cn=tasks, cn=config\nINFO: Task cn=index1160527115, cn=index, cn=tasks, cn=config complete\nFINE: PKIClientSocketListener.alertReceived: begins\nFINE: SSL alert received:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertReceived: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: begins\nFINE: PKIClientSocketListener.alertSent: got description:0\nFINE: PKIClientSocketListener.alertSent: got reason:CLOSE_NOTIFY\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nFINE: SSL alert sent:\nFINE: - reason: CLOSE_NOTIFY\nFINE: - client: 10.1.1.7\nFINE: - server: 10.1.1.7\nFINE: - subject: SYSTEM\nFINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED\nFINE: PKIClientSocketListener.alertSent: CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE\nFINE: PKIClientSocketListener.alertSent: clientIP=10.1.1.7 serverIP=10.1.1.7 serverPort=636 reason=CLOSE_NOTIFY\nINFO: Updating ranges for KRA clone\nINFO: Updating request ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request request --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:24 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting request range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 57\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:25 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 165\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>99980001</beginNumber><endNumber>99990000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 99980001\nINFO: End: 99990000\nINFO: Updating serial number range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request serialNo --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:28 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting serialNo range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 58\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:29 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 167\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>11ffe0001</beginNumber><endNumber>11fff0000</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 11ffe0001\nINFO: End: 11fff0000\nINFO: Updating replica ID range\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-range-request replicaId --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Requesting replicaId range\nINFO: HTTP request: POST /kra/admin/kra/updateNumberRange HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 59\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:32 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 157\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><beginNumber>1285</beginNumber><endNumber>1289</endNumber></XMLResponse>\nFINE: Status: 0\nINFO: Begin: 1285\nINFO: End: 1289\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Updating configuration for KRA clone\nINFO: Updating configuration\nDEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa2.example.com:443 kra-config-export --names internaldb.ldapauth.password,internaldb.replication.password,cloning.ca.type --substores internaldb,internaldb.ldapauth,internaldb.ldapconn,kra.transport,kra.storage,kra.subsystem,kra.audit_signing --session 7645071616159216931 --output-format json --debug\nINFO: Connecting to https://ipa2.example.com:443\nINFO: HTTP request: GET /pki/rest/info HTTP/1.1\nINFO: Accept: application/xml\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: Server certificate: CN=ipa2.example.com,O=example.com\nINFO: HTTP response: HTTP/1.1 404 Not Found\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Length: 196\nINFO: Keep-Alive: timeout=30, max=100\nINFO: Connection: Keep-Alive\nINFO: Content-Type: text/html; charset=iso-8859-1\nWARNING: Unable to get server info: Not Found\nINFO: Getting configuration properties\nINFO: HTTP request: POST /kra/admin/kra/getConfigEntries HTTP/1.1\nINFO: Content-Type: application/x-www-form-urlencoded\nINFO: Content-Length: 269\nINFO: Host: ipa2.example.com:443\nINFO: Connection: Keep-Alive\nINFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)\nINFO: HTTP response: HTTP/1.1 200 200\nINFO: Date: Sun, 29 Nov 2020 07:38:36 GMT\nINFO: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.6 Python/3.7 mod_auth_gssapi/1.6.1\nINFO: Content-Type: application/xml\nINFO: Content-Length: 10909\nINFO: Keep-Alive: timeout=30, max=99\nINFO: Connection: Keep-Alive\nFINE: Status: 0\nINFO: Properties:\nINFO: - internaldb._000\nINFO: - internaldb._001\nINFO: - internaldb._002\nINFO: - internaldb.basedn\nINFO: - internaldb.database\nINFO: - internaldb.maxConns\nINFO: - internaldb.minConns\nINFO: - internaldb.ldapauth.authtype\nINFO: - internaldb.ldapauth.bindDN\nINFO: - internaldb.ldapauth.bindPWPrompt\nINFO: - internaldb.ldapauth.clientCertNickname\nINFO: - internaldb.ldapconn.host\nINFO: - internaldb.ldapconn.port\nINFO: - internaldb.ldapconn.secureConn\nINFO: - kra.transport.cert\nINFO: - kra.transport.certreq\nINFO: - kra.transport.nickname\nINFO: - kra.transport.tokenname\nINFO: - kra.storage.cert\nINFO: - kra.storage.certreq\nINFO: - kra.storage.nickname\nINFO: - kra.storage.tokenname\nINFO: - kra.subsystem.cert\nINFO: - kra.subsystem.certreq\nINFO: - kra.subsystem.dn\nINFO: - kra.subsystem.nickname\nINFO: - kra.subsystem.tokenname\nINFO: - kra.audit_signing.cert\nINFO: - kra.audit_signing.certreq\nINFO: - kra.audit_signing.nickname\nINFO: - kra.audit_signing.tokenname\nINFO: - internaldb.replication.password\nINFO: - cloning.ca.type\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg\nINFO: Restarting server\nDEBUG: Command: systemctl restart pki-tomcatd(a)pki-tomcat.service\nINFO: FIPS mode is not enabled\nINFO: Subsystem status: running\nINFO: Configuring KRA subsystem\nINFO: Setting up clone\nINFO: Creating clone setup request\n/usr/lib/python3.6/site-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for ipa.example.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)\n SubjectAltNameWarning\nINFO: Setting up database\nINFO: Creating database setup request\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpl_0lpu4u/password.txt -n Server-Cert cert-pki-ca -a\nDEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpef27un35/password.txt\nINFO: Setting up transport certificate\nINFO: transport certificate is already set up\nINFO: Setting up storage certificate\nINFO: storage certificate is already set up\nINFO: Setting up sslserver certificate\nINFO: sslserver certificate is already set up\nINFO: Setting up subsystem certificate\nINFO: subsystem certificate is already set up\nINFO: Setting up audit_signing certificate\nINFO: audit_signing certificate is already set up\nINFO: Backing up keys into /etc/pki/pki-tomcat/alias/kra_backup_keys.p12\nDEBUG: Command: pki-server subsystem-cert-export kra -i pki-tomcat --pkcs12-file /etc/pki/pki-tomcat/alias/kra_backup_keys.p12 --pkcs12-password-file /tmp/tmpdeq3qnpk/password.txt\nINFO: Setting up security domain\nINFO: Creating security domain setup request\nINFO: Finalizing KRA configuration\nINFO: Creating finalize config request\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: KRA configuration failed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. KRA configuration failed. The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information [root@ipa]~#

4 4

freeipa.py plugin for AWX dynamic inventory not available
by slek kus 23 Oct '24

23 Oct '24

Hi, is there a possibility to have the below plugin avialable in Ansible Galaxy FreeIPA collection? https://github.com/ansible/ansible/blob/stable-2.9/contrib/inventory/freeip… Trying to use dynamic inventory by using the plugin. but this is not being included/downloaded with the collection. I create a dynamic inventory (sourced from project, a git where I have the following folder and file): inventories/clients_and_controllers.yml, where the contents of the .yml is a single line: ``` plugin: freeipa ``` The collections used are: ``` collections: - name: freeipa.ansible_freeipa - name: community.general ``` The error message trying to sync the resource for the dynamic inventory is: [WARNING]: * Failed to parse /runner/project/inventories/clients_and_controllers.yml with auto plugin: inventory config ‘/runner/project/inventories/clients_and_controllers.yml ’ specifies unknown plugin ‘freeipa.py’ Kind regards!

3 4

disable admin user in FreeIPA 4.10.2
by Ales Rozmarin 23 Oct '24

23 Oct '24

Hi Guys I'm trying to disable admin user in Freeipa 4.10.2 and I get this: user admin cannot be deleted/modified: privileged user I did create new user with admin privileges add to group admins. But I can't disable admin user. This worked up to version FreeIPA 4.10.1 but not anymore. anyone know why is that or how can I disable admin user in 4.10.2. thanks Ales

3 6

Fedora 40: new warning in ipa-healthckeck
by Jochen Kellner 22 Oct '24

22 Oct '24

Hi, I've upgraded my freeipa server to Fedora 40 (the system was installed several releases ago). After the upgrade I get the following new warning from ipa-healthcheck: { "source": "ipahealthcheck.ds.backends", "check": "BackendsCheck", "result": "WARNING", "uuid": "875db8e3-029c-46f7-87e5-bf9a216d9637", "when": "20240426184431Z", "duration": "0.031642", "kw": { "key": "DSBLE0005", "items": [ "nsslapd-dbcachesize", "nsslapd-db-logdirectory", "nsslapd-db-transaction-wait", "nsslapd-db-checkpoint-interval", "nsslapd-db-compactdb-interval", "nsslapd-db-compactdb-time", "nsslapd-db-transaction-batch-val", "nsslapd-db-transaction-batch-min-wait", "nsslapd-db-transaction-batch-max-wait", "nsslapd-db-logbuf-size", "nsslapd-db-page-size", "nsslapd-db-locks", "nsslapd-db-locks-monitoring-enabled", "nsslapd-db-locks-monitoring-threshold", "nsslapd-db-locks-monitoring-pause", "nsslapd-db-private-import-mem", "nsslapd-db-deadlock-policy" ], "msg": "Found configuration attributes that are not applicable for the configured backend type." } }, According to https://www.port389.org/docs/389ds/FAQ/Berkeley-DB-deprecation.html the bdb backend is deprecated. The system was installed with 389-ds-base < 1.4.4.9-1.fc33.x86_64 (I see the upgrade to that version in /var/log/dnf.rpm.log*. Since 3.0 new installations should use LMBD as the backend. Is that true for new installations? What is the desired action that I should take? I can remove the options from the dirsrv configuration. Should I? Shall I switch to lmdb manually? Or is that something that ipa-server-upgrade should be doing? Otherwise I can suppress the message in ipa-healthcheck for now. But I guess I should fix my installation before the deprecated support really gets dropped... Is deploying a new replica and decommisioning the old server we the preferred action? Jochen -- This space is intentionally left blank.

3 2

One freeipa replica install fails, while other is going through
by D S 16 Oct '24

16 Oct '24

Hello, I am trying to install 3 replicas agains the same master. Two out of 3 installs succeed, while the other one fails with On replica: Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master Check RPC connection to remote master Execute check on remote master ERROR: Remote master check failed with following error message(s): an internal error has occurred 2024-03-28T09:09:28Z DEBUG Starting external process 2024-03-28T09:09:28Z DEBUG args=['/usr/sbin/ipa-client-install', '--unattended', '--uninstall'] 2024-03-28T09:09:31Z DEBUG Process finished, return code=0 2024-03-28T09:09:31Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run return cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 358, in run self.validate() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 368, in validate for _nothing in self._validator(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 633, in _configure next(validator) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 597, in main replica_promote_check(self) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 423, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1196, in promote_check ca_cert_file=cafile) File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 129, in replica_conn_check "Connection check failed!" 2024-03-28T09:09:31Z DEBUG The ipa-replica-install command failed, exception: ScriptError: Connection check failed! See /var/log/ipareplica-conncheck.log for more information. If the check results are not valid it can be skipped with --skip-conncheck parameter. 2024-03-28T09:09:31Z ERROR Connection check failed! See /var/log/ipareplica-conncheck.log for more information. If the check results are not valid it can be skipped with --skip-conncheck parameter. 2024-03-28T09:09:31Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information On master: [Thu Mar 28 09:09:27.891561 2024] [:error] [pid 22098] ipa: ERROR: non-public: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. [Thu Mar 28 09:09:27.891666 2024] [:error] [pid 22098] Traceback (most recent call last): [Thu Mar 28 09:09:27.891683 2024] [:error] [pid 22098] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute [Thu Mar 28 09:09:27.891694 2024] [:error] [pid 22098] result = command(*args, **options) [Thu Mar 28 09:09:27.891705 2024] [:error] [pid 22098] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__ [Thu Mar 28 09:09:27.891717 2024] [:error] [pid 22098] return self.__do_call(*args, **options) [Thu Mar 28 09:09:27.891727 2024] [:error] [pid 22098] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call [Thu Mar 28 09:09:27.891737 2024] [:error] [pid 22098] ret = self.run(*args, **options) [Thu Mar 28 09:09:27.891748 2024] [:error] [pid 22098] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run [Thu Mar 28 09:09:27.891928 2024] [:error] [pid 22098] return self.execute(*args, **options) [Thu Mar 28 09:09:27.891951 2024] [:error] [pid 22098] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 933, in execute [Thu Mar 28 09:09:27.891962 2024] [:error] [pid 22098] ret, stdout, _stderr = server.conncheck(keys[-1]) [Thu Mar 28 09:09:27.891973 2024] [:error] [pid 22098] File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__ [Thu Mar 28 09:09:27.891983 2024] [:error] [pid 22098] return self._proxy_method(*args, **keywords) [Thu Mar 28 09:09:27.891994 2024] [:error] [pid 22098] File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__ [Thu Mar 28 09:09:27.892005 2024] [:error] [pid 22098] **keywords) [Thu Mar 28 09:09:27.892016 2024] [:error] [pid 22098] File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking [Thu Mar 28 09:09:27.892026 2024] [:error] [pid 22098] message, timeout) [Thu Mar 28 09:09:27.892037 2024] [:error] [pid 22098] DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. [Thu Mar 28 09:09:27.892955 2024] [:error] [pid 22098] ipa: INFO: [jsonserver_kerb] local_admin(a)EXAMPLE.COM: server_conncheck(u'ipamaster01.example.com', u'ipa-replica03.example.com', version=u'2.162'): InternalError [Thu Mar 28 09:09:30.121019 2024] [:error] [pid 20997] ipa: INFO: [jsonserver_kerb] host/ipa-replica03.example.com(a)EXAMPLE.COM: host_disable(u'ipa-replica03.example.com'): SUCCESS

5 7

How does RBAC work?
by Francis Augusto Medeiros-Logeay 08 Oct '24

08 Oct '24

Ok, I am not sure how this works: I created this user, called biding. I want it to be able to create users on FreeIPA, mailing by biding Keycloak to it. So I created the role: [francis@freeipa]~% ipa role-show Role name: Keycloak biding Role name: Keycloak biding Member users: biding Privileges: User Administrators, Group Administrators, Stage User Administrators, Stage User Provisioning, Modify Users and Reset passwords, Modify Group membership, Keycloak admin Yes, too many roles, because it simply wasn’t doing it. Keycloak would fail saying the user didn’t have permissions. So what I did was to add this user to the admin group. Then it created users. But not even my admin user can delete those users created that way. Why isn’t this working? And why when giving it permissions it is creating objects that simply can’t be read by my previous biding users? Best, Francis

3 9

Can't login after creating a user account
by Kris C 04 Oct '24

04 Oct '24

Not sure if anyone is experiencing this or not and apologize if it's already answered, but I've created an FreeIPA account and with a random password using the command line (ipa user-add user1 --uid=6543 --random). I then, within the WebUI, have the admin account reset user1's password to something more human friendly. I then, as user1, attempt to log into the WebUI to set the final password. I provide the user1 username and the more human friendly password and I can't log in. I've created the user through the WebUI and reset the password and it works just like I want it to. The reason I'm creating the accounts using the CLI is to migrate accounts from an old LDAP instance into FreeIPA via script. I want to then have an admin reset the users password so the user can then log in and set their final password in FreeIPA's WebUI. Thoughts? Thank you!

3 12

Removal & clean up certificates from o=ipaca
by David Goudet 30 Sep '24

30 Sep '24

Hello all, I have to clean up lot of useless certificate in dirsrv database. Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv database that are useless and not obsolete (expiration in 2020) (it represent ~85 000 certificates). These useless certificates produce some issues on FreeIPA: - decrease FreeIPA performances on CLI and GUI - increase the LDAP size - increase size and time of FreeIPA backup ... Is it possible to purge these certificates in dirsrv database and how? I found two branches in LDAP directory about these certificates: dn: cn=xxx,ou=ca,ou=requests,o=ipaca dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca I can remove all requests and certificates entry from dirsrv database but how it is supported by PKI manager Dogtag (CRL, certificate generation, OCSP)? (This topic has already been discuss on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…) Thank you for you help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

4 7

Replication between Fedora 39 and 41 Beta does not work
by Dirk Streubel 30 Sep '24

30 Sep '24

Hello, I have the following problem, maybe one of you has a solution and can tell me where to look to solve the problem. Here on site I have two Raspberry Pi 4, one Fedora 39 and one Fedora 41 Server Beta, both equipped with the latest Freeipa packages. Both have identical IPA versions installed: “ssh ipa1 -t ipa --version VERSION: 4.12.1, API_VERSION: 2.254 Connection to ipa1 closed.” “ssh ipa9 -t ipa --version VERSION: 4.12.1, API_VERSION: 2.254 Connection to ipa9 closed.” Replication from ipa1 to ipa9 with : “ipa-replica-install --setup-ca --setup-kra --setup-dns --forwarder=1.1.1.1 --setup-adtrust --add-agents” works fine, an ‘ipa-replica-manage re-initialize --from ipa1.linux.schnell.er" also works, I can also access via the web frontend. After a reboot of ipa9 does not work anymore, I get the following error message: “ipa-replica-manage re-initialize --from ipa1.linux.schnell.er Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information Unexpected error: cannot connect to 'ldaps://ipa9.linux.schnell.er:636': error:0A000086:SSL routines::certificate verify failed (certificate is not yet valid)” I then installed Fedora41 Server Beta again to rule out an error, but that didn't help. What I do not understand, it is a “fresh” installation and after a reboot or restart of Fedora 41 nothing works anymore :( Am I doing something wrong? Kind regards Dirk

2 2

Client's credentials have been revoked
by Dungan, Scott A. 27 Sep '24

27 Sep '24

We see random user permission denied issues on RHEL8 client, that resolves itself after about 10 minutes. In this case, the user is authenticating using the remote desktop software NoMachine (nx). journalctl: Sep 26 12:41:35 server1.id.int nxexec[3011890]: pam_sss(nx:auth): authentication failure; logname= uid=969 euid=0 tty= ruser= rhost=192.168.55.202 user=rsmith Sep 26 12:41:35 server1.id.int nxexec[3011890]: pam_sss(nx:auth): received for user rsmith: 6 (Permission denied) Sep 26 12:41:47 server1.id.int krb5_child[3011927]: Client's credentials have been revoked Sep 26 12:41:47 server1.id.int krb5_child[3011927]: Client's credentials have been revoked Sep 26 12:41:47 server1.id.int nxexec[3011925]: pam_sss(nx:auth): authentication failure; logname= uid=969 euid=0 tty= ruser= rhost=192.168.55.202 user=rsmith Sep 26 12:41:47 server1.id.int nxexec[3011925]: pam_sss(nx:auth): received for user rsmith: 6 (Permission denied) Sep 26 12:42:11 server1.id.int krb5_child[3011965]: Client's credentials have been revoked Sep 26 12:42:11 server1.id.int krb5_child[3011965]: Client's credentials have been revoked Sep 26 12:42:11 server1.id.int nxexec[3011963]: pam_sss(nx:auth): authentication failure; logname= uid=969 euid=0 tty= ruser= rhost=192.168.55.202 user=rsmith Sep 26 12:42:11 server1.id.int nxexec[3011963]: pam_sss(nx:auth): received for user rsmith: 6 (Permission denied) Sep 26 12:43:35 server1.id.int nxexec[3012022]: pam_sss(nx:auth): authentication success; logname= uid=969 euid=0 tty= ruser= rhost=192.168.55.202 user=rsmith Sep 26 12:45:15 server1.id.int systemd-logind[4695]: New session 526 of user rsmith. Sep 26 12:45:15 server1.id.int systemd[1]: Started Session 526 of user rsmith. Sep 26 12:45:15 server1.id.int nxexec[3012073]: pam_unix(nx:session): session opened for user rsmith by (uid=969) krb5_child.log: (2024-09-26 12:41:24): [krb5_child[3011820]] [map_krb5_error] (0x0020): [RID#12745] 2399: [-1765328366][Client's credentials have been revoked] (2024-09-26 12:41:35): [krb5_child[3011892]] [get_and_save_tgt] (0x0020): [RID#12751] 2270: [-1765328366][Client's credentials have been revoked] ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE: * (2024-09-26 12:41:35): [krb5_child[3011892]] [main] (0x0400): [RID#12751] krb5_child started. * (2024-09-26 12:41:35): [krb5_child[3011892]] [unpack_buffer] (0x1000): [RID#12751] total buffer size: [124] * (2024-09-26 12:41:35): [krb5_child[3011892]] [unpack_buffer] (0x0100): [RID#12751] cmd [241 (auth)] uid [866900186] gid [2070] validate [true] enterprise principal [false] offline [false] UPN [rsmith(a)ID.INT] * (2024-09-26 12:41:35): [krb5_child[3011892]] [unpack_buffer] (0x0100): [RID#12751] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab] * (2024-09-26 12:41:35): [krb5_child[3011892]] [switch_creds] (0x0200): [RID#12751] Switch user to [866900186][2070]. * (2024-09-26 12:41:35): [krb5_child[3011892]] [switch_creds] (0x0200): [RID#12751] Switch user to [0][0]. * (2024-09-26 12:41:35): [krb5_child[3011892]] [k5c_check_old_ccache] (0x4000): [RID#12751] Ccache_file is [KCM:] and is active and TGT is valid. * (2024-09-26 12:41:35): [krb5_child[3011892]] [k5c_setup_fast] (0x0100): [RID#12751] Fast principal is set to [host/server1.id.int(a)ID.INT] * (2024-09-26 12:41:35): [krb5_child[3011892]] [find_principal_in_keytab] (0x4000): [RID#12751] Trying to find principal host/server1.id.int(a)ID.INT<mailto:host/server1.id.int@ID.INT> in keytab. * (2024-09-26 12:41:35): [krb5_child[3011892]] [match_principal] (0x1000): [RID#12751] Principal matched to the sample (host/server1.id.int(a)ID.INT<mailto:host/server1.id.int@ID.INT>). * (2024-09-26 12:41:35): [krb5_child[3011892]] [check_fast_ccache] (0x0200): [RID#12751] FAST TGT is still valid. * (2024-09-26 12:41:35): [krb5_child[3011892]] [become_user] (0x0200): [RID#12751] Trying to become user [866900186][2070]. * (2024-09-26 12:41:35): [krb5_child[3011892]] [main] (0x2000): [RID#12751] Running as [866900186][2070]. * (2024-09-26 12:41:35): [krb5_child[3011892]] [set_lifetime_options] (0x0100): [RID#12751] No specific renewable lifetime requested. * (2024-09-26 12:41:35): [krb5_child[3011892]] [set_lifetime_options] (0x0100): [RID#12751] No specific lifetime requested. * (2024-09-26 12:41:35): [krb5_child[3011892]] [set_canonicalize_option] (0x0100): [RID#12751] Canonicalization is set to [true] * (2024-09-26 12:41:35): [krb5_child[3011892]] [main] (0x0400): [RID#12751] Will perform auth * (2024-09-26 12:41:35): [krb5_child[3011892]] [main] (0x0400): [RID#12751] Will perform online auth * (2024-09-26 12:41:35): [krb5_child[3011892]] [tgt_req_child] (0x1000): [RID#12751] Attempting to get a TGT * (2024-09-26 12:41:35): [krb5_child[3011892]] [get_and_save_tgt] (0x0400): [RID#12751] Attempting kinit for realm [ID.INT] * (2024-09-26 12:41:35): [krb5_child[3011892]] [get_and_save_tgt] (0x0020): [RID#12751] 2270: [-1765328366][Client's credentials have been revoked] ********************** BACKTRACE DUMP ENDS HERE ********************************* Any help would be appreciated.

2 1

multi domain support
by Marco Naimoli 27 Sep '24

27 Sep '24

Hello, I've setup freeipa for domain and realm mydomain.com I would like to manage, with the same instance, subdomains like staff.mydomain.com guests.mydomain.com and people should authenticate using accounts like: user1(a)staff.mydomain.com user2(a)guests.mydomain.com I see I can add realms, under "IPA server" -> "Realm domain" and I've added the new realms staff.mydomain.com and guests.mydomain.com, but when I create a new user user, it is created under mydomain.com and I cannot change it So is it possibile to create and manage multiple domains under a single freeipa instance ? If not, is there a way to manage multiple domains (e.g. using a freeipa instance for every realm and create a trust among them) so that clients can be configured to permit user login from all of the subdomains ? I have found a multi tenancy documentation, but it's not very clear Thank you Marco

2 2

sssd: disable password cache?
by Harald Dunkel 24 Sep '24

24 Sep '24

Hi folks, is there some way to disable sssd's password cache? Everytime a colleague changes his password, he has problems with our dovecot server, because it runs into a permission denied, until some privileged user runs "sss_cache -u name" or "sss_cache -E" or similar. AFAIU the password is stored for 5400 seconds. Apparently thats too long. Caching passwords while sssd is connected to LDAP and Kerberos might be considered a bad idea, anyway. There is an undocumented option krb5_store_password_if_offline in sssd.conf. Maybe there are other undocumented options as well? Regards Harri

2 4

"Correct way" to do service accounts?
by Schrock, Chad - 0336 - MITLL 23 Sep '24

23 Sep '24

Hi -- We have been using IdM/FreeIPA for a while, and as these things tend to happen, we have a process to create “service accounts” in the domain that is quite cumbersome and was what “just worked” at the time so it is what we have been doing. Currently using IdM/FreeIPA 4.9.13 on RHEL 8.10. (When I say “service accounts” I mean an account that an application would use to bind to the LDAP domain, read records, and do something like allow the user to use the application.) What is the ‘suggested’ or preferred method to create this kind of user in IdM? Is “system account” the better name? I found: * https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… * https://www.freeipa.org/page/HowTo/LDAP * https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… * https://github.com/noahbliss/freeipa-sam Which all seem good, especially freeipa-sam. But they are also all pretty old. Thanks, Chad -- Chad Schrock, he/him Supporting MIT Lincoln Laboratory, Lexington, MA chad.schrock(a)ll.mit.edu

2 2

Problems with ipa-ods-exporter
by Yavor Marinov 20 Sep '24

20 Sep '24

Hello all, Last few weeks I've been having issues with ipa-ods-export because it's failing to start. Our infra is not impacted by the problem but will be glad to know what could be the issue as I've tried to regenerate the keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Below is the error message ipa-ods-exporter[487019]: Traceback (most recent call last): ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1096, in error_handler ipa-ods-exporter[487019]: yield ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry ipa-ods-exporter[487019]: self.conn.add_s(str(entry.dn), list(attrs.items())) ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s ipa-ods-exporter[487019]: return self.add_ext_s(dn,modlist,None,None) ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 222, in add_ext_s ipa-ods-exporter[487019]: resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout) ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 543, in result3 ipa-ods-exporter[487019]: resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4( ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 553, in result4 ipa-ods-exporter[487019]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call ipa-ods-exporter[487019]: result = func(*args,**kwargs) ipa-ods-exporter[487019]: ldap.INSUFFICIENT_ACCESS: {'msgtype': 105, 'msgid': 9, 'result': 50, 'desc': 'Insufficient access', 'ctrls': []} ipa-ods-exporter[487019]: During handling of the above exception, another exception occurred: ipa-ods-exporter[487019]: Traceback (most recent call last): ipa-ods-exporter[487019]: File "/usr/libexec/ipa/ipa-ods-exporter", line 719, in <module> ipa-ods-exporter[487019]: master2ldap_master_keys_sync(ldapkeydb, localhsm) ipa-ods-exporter[487019]: File "/usr/libexec/ipa/ipa-ods-exporter", line 346, in master2ldap_master_keys_sync ipa-ods-exporter[487019]: ldapkeydb.import_master_key(mkey) ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/ldapkeydb.py", line 375, in import_master_key ipa-ods-exporter[487019]: self.ldap.add_entry(new_key.entry) ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry ipa-ods-exporter[487019]: self.conn.add_s(str(entry.dn), list(attrs.items())) ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/contextlib.py", line 137, in __exit__ ipa-ods-exporter[487019]: self.gen.throw(typ, value, traceback) ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1122, in error_handler ipa-ods-exporter[487019]: raise errors.ACIError(info=info) ipa-ods-exporter[487019]: ipalib.errors.ACIError: Insufficient access:

2 5

Re: Error upgrading to version 4.11.0
by flo＠redhat.com 19 Sep '24

19 Sep '24

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

3 11

Heathcheck error: expiring unused external CA
by Dungan, Scott A. 18 Sep '24

18 Sep '24

Running ipa-server version 4.9.13-12 on RHEL8 we are getting the following error/warning with ipa-healthcheck: [ { "source": "ipahealthcheck.ds.nss_ssl", "check": "NssCheck", "result": "ERROR", "uuid": "1a2798fd-7fa5-4132-a288-7975f2c32b60", "when": "20240916211906Z", "duration": "0.498443", "kw": { "key": "DSCERTLE0001", "items": [ "Expiring Certificate" ], "msg": "The certificate (CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US) will expire in less than 30 days" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACAChainExpirationCheck", "result": "WARNING", "uuid": "7c1317a8-fbf6-46c4-98a1-15b62f655df8", "when": "20240916211911Z", "duration": "0.014042", "kw": { "path": "/etc/ipa/ca.crt", "key": "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US", "days": 19, "msg": "CA '{key}' in {path} is expiring in {days} days." } } ] This is the external commercial CA that I believe was added at the inception of the domain to allow for trusted user connections to the web UI for self-service. That was reverted back to using an internal certificate for the web UI more than three years ago, so the InCommon CA is no longer required. Running getcert list shows that certmonger is not tracking either the CA (which makes sense), nor any certificates issued by the CA. ipa cert-find shows 50 certificates all issued by the internal IPA CA. I would like to remove all references to the old CA from IPA and resolve the healthcheck error. Any help would be appreciated.

3 5

Errors in dirsrv logs
by Yavor Marinov 18 Sep '24

18 Sep '24

Hello all, Checking further today with our master, I can see the below errors in logs. Can anyone point me to what could be wrong with dirsrv. Sep 17 18:39:57 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:39:57.423261726 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:41:02 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:41:02.371706423 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:42:07 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:42:07.536617629 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 2 Sep 17 18:43:12 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:43:12.407945045 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 2 Sep 17 18:44:17 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:44:17.162382582 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:45:21 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:45:21.968805241 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:46:26 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:46:26.920389972 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:47:32 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:47:32.060808138 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:48:26 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:26 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:26 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:27 login.example.com ns-slapd[1211146]: GSSAPI client step 2 Sep 17 18:48:36 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:48:36.710204866 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 2

1 0

Networking requirements between non-peer replicas
by William Faulk 17 Sep '24

17 Sep '24

What level of network connectivity is required between replicas that do not share a replication agreement? For years I have been running an IdM environment where there is often limited connectivity between replicas that do not have replication agreements with each other, and I don't believe that I've seen any problems that result from that. Recently, I have been working to upgrade from RHEL7's IdM to RHEL8's IdM and encountered a situation where this did become a problem: certmonger, via ipa-submit, tried to get a certificate during the installation of the second upgraded replica. It tried a significant number of replicas other than the one it had a replication agreement with, and ended up timing out due to multiple network connection timeouts to those remote replicas. The total number of connections it tried was exacerbated by the fact that there was literally only one replica that could respond positively, regardless of network issues, since it required the newer version of IdM. First, is it expected that it try all of the CA replicas instead of just the one it has a replication agreement with? I think the answer here might be "yes" just because it's just an IdM client during this transaction, and, in fact, might have no CA replication agreements at all, but some confirmation would be appreciated. Second, are there any other network connectivity requirements between replicas that don't have replication agreements? Am I going to run into other problems because my replicas in Spain can't directly communicate with my replicas in New Zealand? Third, I've been relying on specifying specific replicas in sssd.conf's ipa_server to ensure that clients connect only to specific replicas. Should I be doing something else instead? I know that I probably should be using IPA Locations, and I'll pursue that after upgrades, but is there something else? Should I also be using the host and ca_host directives in /etc/ipa/default.conf, and, if so, can multiple hosts be listed there? Thanks, -- William Faulk

1 0

Errors in dirsrv logs
by Yavor Marinov 17 Sep '24

17 Sep '24

Hello all, Checking further today with our master, I can see the below errors in logs. Can anyone point me to what could be wrong with dirsrv. Sep 17 18:39:57 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:39:57.423261726 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:41:02 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:41:02.371706423 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:42:07 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:42:07.536617629 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:08 login.example.com ns-slapd[1211146]: GSSAPI client step 2 Sep 17 18:43:12 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:43:12.407945045 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:43:25 login.example.com ns-slapd[1211146]: GSSAPI client step 2 Sep 17 18:44:17 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:44:17.162382582 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:45:21 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:45:21.968805241 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:46:26 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:46:26.920389972 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:47:32 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:47:32.060808138 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:48:26 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:26 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:26 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:27 login.example.com ns-slapd[1211146]: GSSAPI client step 2 Sep 17 18:48:36 login.example.com ns-slapd[1211146]: [17/Sep/2024:18:48:36.710204866 +051800] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry. Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 1 Sep 17 18:48:57 login.example.com ns-slapd[1211146]: GSSAPI client step 2

1 0

ipa automember-rebuild --type=hostgroup---> timeout
by Tolgay Gul 17 Sep '24

17 Sep '24

Hi, I am trying to rebuild "Automember" for host groups and am getting the error below. ipa: ERROR: Automember LDAP task timeout, Task DN: 'cn=XYZ,cn=automember rebuild membership,cn=tasks,cn=config' I understand I need to add to "nsslapd-idletimeout: 3600" /etc/dirsrv/slapd-zya-abc.comdse.ldif So I added and restarted the dirsrv@ service. But it reverted to the original one. I tried to change with the below command which is not on the freeipa server. dsconf -D "cn=Directory Manager" ldap://localhost config replace nsslapd-idletimeout=3600 bash: dsconf: command not found I also tried below method. cat /tmp/modify-idletimeout.ldif dn: cn=config changetype: modify replace: nsslapd-idletimeout nsslapd-idletimeout: 3600 ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost -f modify-idletimeout.ldif It requires the LDAP password, which I don't have even though I have an admin account. My question is, how can I increase the timeout for the automember rebuild? Thanks

2 2

Is there a way to list hosts by provisioning state?
by Przemysław Orzechowski 16 Sep '24

16 Sep '24

I have a bunch of defined hosts in IPA - created them waiting for different admins to enrol them. Is there a way to list hosts that have not been provisioned? (no Kerberos Key Present) from cli ? Same any way to list Provisioned hosts (regardless which person provisioned them)? Regards Przemysław Orzechowski

2 1

converting admin account to service account or disable its webui login.
by Tolgay Gul 16 Sep '24

16 Sep '24

Hi, One of the regulators asked to disable the admin account, the idea being that we cannot use a shared user account for any reason. But all the host registrations use the admin account and its password. I cannot disable it as is. Either I need to create a new user with the same privileges or use another login method, as I do for the below. The other option might be to disable the admin account from the GUI access. ipa-client-install --mkhomedir --server=auth.abc --domain bbb.abs.com--realm BBB.ABC.COM -p admin -w "${FREEIPA_PASS}" --force-join -U Is there a way to disable the admin account while using another user for a service account? Or any other suggestion?

4 5

converting admin account to service account or disable its webui login.
by Tolgay Gul 13 Sep '24

13 Sep '24

Hi, One of the regulators asked to disable the admin account, the idea being that we cannot use a shared user account for any reason. But all the host registrations use the admin account and its password. I cannot disable it as is. Either I need to create a new user with the same privileges or use another login method, as I do for the below. The other option might be to disable the admin account from the GUI access. ipa-client-install --mkhomedir --server=auth.abc --domain bbb.abs.com--realm BBB.ABC.COM -p admin -w "${FREEIPA_PASS}" --force-join -U Is there a way to disable the admin account while using another user for a service account? Or any other suggestion?

1 0

FreeIPA nodes doesn't automatically replicated after continues shutdown
by Yossi Hayat 13 Sep '24

13 Sep '24

Hi, We have a setup of 3 replicated FreeIPA servers for H/A. We noticed that when one of the servers is being taken offline for a few hours the replication doesn't continue and manual intervention is required. The replication stops until the "ipa-replica-manage re-initialize --from {up_to_date_IPA_server}" Has anyone else encountered this behavior? Any idea what can be the cause or provide steps for resolution? Thanks.

2 1

ipaDomainResolutionOrder in SSSD not found in bind DN
by Daniel Paetzold 12 Sep '24

12 Sep '24

I have setup FreeIPA to use a domain like clients.ipa.example.com When starting SSSD now, it tries to find th ipaDomainResolutionOrder in [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com] at this DN, my LDAP Instance has no informations (no result). So SSSD is refusing to work with: [sdap_get_generic_ext_step] (0x0400): [RID#1] calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=clients,dc=ipa,dc=example,dc=com]. [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaDomainResolutionOrder] [ipa_domain_resolution_order_done] (0x0040): [RID#1] Failed to get the domains' resolution order configuration from the server [22]: Wrong Argument I can sucessfully query the LDAP- Tree at [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=penta-energy,dc=de] at the server neither cn=etc,dc=ipa,dc=penta-energy,dc=de nor cn=etc,dc=clients,dc=ipa,dc=example,dc=com is working. i setup freeipa-install with domain=clients.ipa.example.com what have i done wrong? Should LDAP deliver dc=clients,dc=ipa,dc=example,dc=com or is cn=etc,dc=penta-energy,dc=de right and SSSD is doing it wrong? Regard, Daniel

5 5

Cert renewal fails, error 4001 ipa: Certificate Authority not found
by Nick Allen 11 Sep '24

11 Sep '24

Hello, we have two FreeIPA servers, one is configured as CA master. We noticed the 2-year expiration of the certificates on one of the replicas is approaching and the auto-renewal is failing with a CA_UNREACHABLE status, error code 4001. Note that these two FreeIPA servers are replicas of a since decommissioned original that was removed from the topology a while back. Per Florence's suggestion to add debug logs to http daemon and resending a cert request (thank you), we see the following errors in /var/log/httpd/error_log: [Mon Sep 09 15:16:37.590119 2024] [:error] [pid 148275] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Mon Sep 09 15:16:37.590182 2024] [:error] [pid 148275] ipa: DEBUG: KerberosWSGIExecutioner.__call__: [Mon Sep 09 15:16:37.598332 2024] [:error] [pid 148275] ipa: DEBUG: Created connection context.ldap2_139787230862608 [Mon Sep 09 15:16:37.598389 2024] [:error] [pid 148275] ipa: DEBUG: WSGI WSGIExecutioner.__call__: [Mon Sep 09 15:16:37.603355 2024] [:error] [pid 148275] ipa: DEBUG: raw: cert_request(u'xxxxxxx', profile_id=u'caIPAserviceCert', principal=u'ldap/host.company.local(a)COMPANY.LOCAL', add=True, version=u'2.51') [Mon Sep 09 15:16:37.603985 2024] [:error] [pid 148275] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f22c5221f90>, request_type=u'pkcs10', profile_id=u'caIPAserviceCert', cacn=u'ipa', principal=ipapython.kerberos.Principal('ldap/host.company.local(a)COMPANY.LOCAL'), add=True, chain=False, all=False, raw=False, version=u'2.51') [Mon Sep 09 15:16:37.604207 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_is_enabled(version=u'2.237') [Mon Sep 09 15:16:37.604264 2024] [:error] [pid 148275] ipa: DEBUG: ca_is_enabled(version=u'2.237') [Mon Sep 09 15:16:37.605642 2024] [:error] [pid 148275] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-COMPANY-LOCAL.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f22bfaa0a70> [Mon Sep 09 15:16:37.851204 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_show(u'ipa', chain=False, all=False, version=u'2.237') [Mon Sep 09 15:16:37.851345 2024] [:error] [pid 148275] ipa: DEBUG: ca_show(u'ipa', rights=False, chain=False, all=False, raw=False, version=u'2.237') [Mon Sep 09 15:16:37.851457 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_is_enabled(version=u'2.237') [Mon Sep 09 15:16:37.851521 2024] [:error] [pid 148275] ipa: DEBUG: ca_is_enabled(version=u'2.237') [Mon Sep 09 15:16:37.858466 2024] [:error] [pid 148275] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last): [Mon Sep 09 15:16:37.858486 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute [Mon Sep 09 15:16:37.858489 2024] [:error] [pid 148275] result = command(*args, **options) [Mon Sep 09 15:16:37.858506 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__ [Mon Sep 09 15:16:37.858510 2024] [:error] [pid 148275] return self.__do_call(*args, **options) [Mon Sep 09 15:16:37.858512 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call [Mon Sep 09 15:16:37.858515 2024] [:error] [pid 148275] ret = self.run(*args, **options) [Mon Sep 09 15:16:37.858518 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run [Mon Sep 09 15:16:37.858520 2024] [:error] [pid 148275] return self.execute(*args, **options) [Mon Sep 09 15:16:37.858522 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 657, in execute [Mon Sep 09 15:16:37.858525 2024] [:error] [pid 148275] ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result'] [Mon Sep 09 15:16:37.858527 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__ [Mon Sep 09 15:16:37.858530 2024] [:error] [pid 148275] return self.__do_call(*args, **options) [Mon Sep 09 15:16:37.858532 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call [Mon Sep 09 15:16:37.858535 2024] [:error] [pid 148275] ret = self.run(*args, **options) [Mon Sep 09 15:16:37.858537 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run [Mon Sep 09 15:16:37.858539 2024] [:error] [pid 148275] return self.execute(*args, **options) [Mon Sep 09 15:16:37.858542 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ca.py", line 249, in execute [Mon Sep 09 15:16:37.858544 2024] [:error] [pid 148275] result = super(ca_show, self).execute(*keys, **options) [Mon Sep 09 15:16:37.858555 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1330, in execute [Mon Sep 09 15:16:37.858557 2024] [:error] [pid 148275] raise self.obj.handle_not_found(*keys) [Mon Sep 09 15:16:37.858560 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 766, in handle_not_found [Mon Sep 09 15:16:37.858562 2024] [:error] [pid 148275] 'pkey': pkey, 'oname': self.object_name, [Mon Sep 09 15:16:37.858565 2024] [:error] [pid 148275] NotFound: ipa: Certificate Authority not found [Mon Sep 09 15:16:37.858567 2024] [:error] [pid 148275] [Mon Sep 09 15:16:37.858774 2024] [:error] [pid 148275] ipa: INFO: [xmlserver] host/host.company.local(a)COMPANY.LOCAL: cert_request(u'xxxxxxxxx', profile_id=u'caIPAserviceCert', principal=u'ldap/host.company.local(a)COMPANY.LOCAL', add=True, version=u'2.51'): NotFound [Mon Sep 09 15:16:37.858837 2024] [:error] [pid 148275] ipa: DEBUG: response: NotFound: ipa: Certificate Authority not found [Mon Sep 09 15:16:37.859575 2024] [:error] [pid 148275] ipa: DEBUG: Destroyed connection context.ldap2_139787230862608 There is a "handle_not_found" error, apparently, but not sure which handle that refers to or how to resolve. Any help would be appreciated!

3 5

Old accounts can't login to UI starting from FreeIPA 4.10.1
by Zack Richards 09 Sep '24

09 Sep '24

Greetings! Old freeipa accounts get "The password or username you entered is incorrect" when trying to login to UI of any ipa replica with version higher than 4.10.0 Checked userPassword hash on all replicas, and it identical. Tested different base OS docker containers with freeipa-server, no luck.

2 2

CentOS 7.9, IPA version 4.6.8 named-pkcs11.service issues
by Sina Owolabi 06 Sep '24

06 Sep '24

Hi all Really seeking for some help. My IPA servers (CentOS 7.9, VERSION: 4.6.8, API_VERSION: 2.237) both have their named-pkcs11 service stop working, and they create core files when restart is attempted. Ive been able to partially mitigate the issue by manually standing up a bind9 service on a Debian 12 vm for now. Please, how can I fix this, or if not possible, I would like to know if there are steps to follow to setup IPA on another Debian 12 Vm and hopefully migrate services and settings there. Typical logs from a named-pkcs11 restart attempt: journalctl -xeu named-pkcs11 Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: #6 0x7f7422325b89 in ?? Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: #7 0x7f742232f528 in ?? Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: #8 0x7f742b286713 in ?? Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: #9 0x7f742b28728b in ?? Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: #10 0x7f742935cea5 in ?? Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: #11 0x7f74283cfb0d in ?? Sep 04 21:24:55 ipa0.qriospay.local named-pkcs11[30894]: exiting (due to assertion failure) Sep 04 21:24:55 ipa0.qriospay.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1 Sep 04 21:24:55 ipa0.qriospay.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11. -- Subject: Unit named-pkcs11.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit named-pkcs11.service has failed. -- -- The result is failed. Sep 04 21:24:55 ipa0.qriospay.local systemd[1]: Unit named-pkcs11.service entered failed state. Sep 04 21:24:55 ipa0.qriospay.local systemd[1]: named-pkcs11.service failed. Core files: ls /var/named/ core.1569 core.22344 core.22692 core.30894 core.31834 core.3585 core.4117 core.6927 data dynamic named.ca named.localhost slaves core.21923 core.22461 core.2584 core.31739 core.32646 core.3947 core.4723 core.6984 _default.tsigkeys dyndb-ldap named.empty named.loopback tmp-8bAnLCWdq7 cordially yours, Sina Owolabi

3 7

Re: Certificate not renewing CA_UNREACHEABLE
by Rob Crittenden 04 Sep '24

04 Sep '24

Azim Siddiqui wrote: > ipa-cert-fix command is not working on the Freeipa master server. > > The FreeIpa version on the master server is - VERSION: 4.2.0 > And on the replica server is - VERSION: 4.6.8 Please keep responses on the list. Oh geez, RHEL 7.2. Man that is ancient. You'll need to stop ntpd/chronyd if they are running and use the date command to go back in time to when all the certificates are valid. Then run ipactl restart If all the services start ok and you can validate that things seem to be working back in time (ipa user-show admin, ipa cert-show 1) then restart the certmonger service and sit back and wait. It can take a bit to renew everything. You can follow along by occasionally running getcert list. Once everything is in MONITORING you can return to present time, restart ntpd/chronyd and run ipactl restart again. Then you need to focus on bringing these systems up-to-date. RHEL, and therefore CentOS, 7 is EOL and 7.2 particularly so. You should have more than one system running a CA too. You currently have a single-point-of-failure. rob

2 1

Re: Certificate not renewing CA_UNREACHEABLE
by Rob Crittenden 04 Sep '24

04 Sep '24

Try ipa-cert-fix. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/li… rob Azim Siddiqui wrote: > I just checked the FreeIpa master server and the CA is managed > internally by FreeIpa. > > Validity > Not Before: Oct 30 19:52:54 2015 GMT > Not After : Oct 30 19:52:54 2035 GMT > > > Ok so you have to handle the renewals on master.ipa.free.ipa.com > <http://master.ipa.free.ipa.com> as it > is both the only CA and it is the renewal master. All work needs to > focus on that machine. > > Please advise what I can do next on this. > > > Yes, we need to see getcert list on master. > > Here's the getcert list from the master server :- > > getcert list > Number of certificates and requests being tracked: 8. > Request ID '20160825202629': > status: SUBMITTING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-FREE-IPA-COM/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=master.IPA-FREE-IPA-COM,O=IPA-FREE-IPA-COM > expires: 2023-12-18 15:52:08 UTC > principal name: ldap/master.IPA-FREE-IPA-COM@IPA-FREE-IPA-COM > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv > IPA-FREE-IPA-COM > track: yes > auto-renew: yes > Request ID '20160825202951': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=CA Audit,O=IPA-FREE-IPA-COM > expires: 2025-06-12 00:01:52 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160825202952': > status: SUBMITTING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS > Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS > Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=OCSP Subsystem,O=IPA-FREE-IPA-COM > expires: 2023-06-29 10:16:09 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160825202953': > status: SUBMITTING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=CA Subsystem,O=IPA-FREE-IPA-COM > expires: 2023-06-29 10:16:29 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160825202954': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=Certificate Authority,O=IPA-FREE-IPA-COM > expires: 2035-10-30 19:52:54 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160825202955': > status: SUBMITTING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=master.IPA-FREE-IPA-COM,O=IPA-FREE-IPA-COM > expires: 2024-04-23 15:52:18 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20160825203104': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=master.IPA-FREE-IPA-COM,O=IPA-FREE-IPA-COM > expires: 2024-10-14 20:01:14 UTC > principal name: HTTP/master.IPA-FREE-IPA-COM@IPA-FREE-IPA-COM > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > Request ID '20160825203110': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > subject: CN=IPA RA,O=IPA-FREE-IPA-COM > expires: 2025-06-12 00:00:31 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > > On Wed, 4 Sept 2024 at 13:39, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>> wrote: > > Azim Siddiqui wrote: > > HI Rob, > > > > We need a bit more information. > > > > What version of IPA are you running on what distribution? > > I am running FreeIPA VERSION: 4.6.8 on Centos 7 > > > > What is your topology? Is this your only server? Does this server have > > the CA service installed? Did you use an external CA to sign the > IPA CA > > on installation? > > > > I currently have one master and one replica server in the topology. It > > appears that the certificate on the master server has expired. The > > CA_UNREACHABLE error is occurring on the replica server. > > Unfortunately, I'm not sure whether an external CA was used during the > > original installation, as I inherited the server a couple of > months ago > > and don’t have details on the initial setup. > > You'll be able to tell with the getcert output by the Issuer of your IPA > CA certificate. If the subjects match then it is self-signed and is > probably good for another decade or more. > > > > > Will ipa config-show run? What does it tell you? > > Yes the ipa config-show command is ruining on the replica server and > > this is the output :- > > > > ipa config-show > > Maximum username length: 32 > > Home directory base: /home > > Default shell: /bin/bash > > Default users group: users > > Default e-mail domain: > > Search time limit: 2 > > Search size limit: 1000 > > User search fields: uid,givenname,sn,telephonenumber,ou,title > > Group search fields: cn,description > > Enable migration mode: FALSE > > Certificate Subject base: O=IPA-FREE-IPA-COM > > Password Expiration Notification (days): 4 > > Password plugin features: AllowNThash > > SELinux user map order: > > Default SELinux user: > > Default PAC types: MS-PAC, nfs:NONE > > IPA masters: xyz.ipa.free-ipa.com <http://xyz.ipa.free-ipa.com> > <http://xyz.ipa.free-ipa.com>, > > master.ipa.free.ipa.com <http://master.ipa.free.ipa.com> > <http://master.ipa.free.ipa.com> > > IPA CA servers: master.ipa.free.ipa.om > <http://master.ipa.free.ipa.om> <http://master.ipa.free.ipa.om> > > IPA NTP servers: xyz.ipa.free-ipa.com > <http://xyz.ipa.free-ipa.com> <http://xyz.ipa.free-ipa.com> > > IPA CA renewal master: master.ipa.free.ipa.com > <http://master.ipa.free.ipa.com> > > <http://master.ipa.free.ipa.com> > > IPA DNS servers: xyz.ipa.free-ipa.com > <http://xyz.ipa.free-ipa.com> <http://xyz.ipa.free-ipa.com>, > > master.ipa.free.ipa.com <http://master.ipa.free.ipa.com> > <http://master.ipa.free.ipa.com> > > Ok so you have to handle the renewals on master.ipa.free.ipa.com > <http://master.ipa.free.ipa.com> as it > is both the only CA and it is the renewal master. All work needs to > focus on that machine. > > > > > You didn't include how you got this output. You want to use > getcert list > > to see all of the tracked certificates and not ipa-getcert list. > > > > I got that output by running the ipa-getcert list command. > > Yes, we need to see getcert list on master. > > rob > > > > On Tue, 3 Sept 2024 at 17:14, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> wrote: > > > > Azim Siddiqui via FreeIPA-users wrote: > > > Hello, > > > > > > On one of the FreeIPA servers, I’m encountering an issue > with the > > > certificate: > > > > > > Number of certificates and requests being tracked: 1. > > > Request ID '20220930041156': > > > status: CA_UNREACHABLE > > > ca-error: Server > > at https://xyz.ipa.free-ipa.com/ipa/xml failed > > > request, will retry: 4001 (RPC failed at server. ipa: > Certificate > > > Authority not found). > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS > > > Certificate > > DB',pinfile='/etc/dirsrv/slapd-IPA-FREE-IPA-COM/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM > > > subject: CN=xyz.ipa.free-ipa.com > <http://xyz.ipa.free-ipa.com> <http://xyz.ipa.free-ipa.com> > > > <http://xyz.ipa.free-ipa.com/>,O=IPA-FREE-IPA-COM > > > expires: 2024-09-30 02:22:56 UTC > > > key usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > /usr/libexec/ipa/certmonger/restart_dirsrv > > > IPA-FREE-IPA-COM > > > track: yes > > > auto-renew: yes > > > > > > Could someone please guide me on how to troubleshoot and resolve > > this issue? > > > > > > > We need a bit more information. > > > > What version of IPA are you running on what distribution? > > > > What is your topology? Is this your only server? Does this > server have > > the CA service installed? Did you use an external CA to sign > the IPA CA > > on installation? > > > > Will ipa config-show run? What does it tell you? > > > > ipa: Certificate Authority not found. I'm not entirely sure > what is > > throwing this error. I think the systemd journal might tell us. > > > > You didn't include how you got this output. You want to use > getcert list > > to see all of the tracked certificates and not ipa-getcert list. > > > > rob > > >

1 0

LDAP System User permissions
by Ronald Wimmer 04 Sep '24

04 Sep '24

As I do not now anything about LDAP users and permissions I would like to ask for advice in this matter. I need an LDAP user that is capable of creating users in the staging area as well as modifying or deleting existing users. I am aware of how to create a system user (https://www.freeipa.org/page/HowTo/LDAP ) but I do not know if there is some kind of permission management (apart from putting the user in cn=sysaccounts and assigning the right objectclasses). Cheers, Ron

3 13

FreeIPA + LDAP + HOTP -Problems
by John Bublitz 04 Sep '24

04 Sep '24

Hi, We use freeipa on centos to establish vpn-connections with Yubikey + HOTP. The VPN-Server is connected via LDAPS and Password+otp is the only way to authenticate. Everything works perfect until the last FreeIPA-Updates. Password+otp still works fine, but now it is possible to authenticate with password to. The checkboxes for password in the web interface are not activated. A test with phpldapadmin shows the same behavior. The FreeIPA web interface works correctly, only password + otp. It looks like the ldap server is not working properly. Does anyone have the same problems? Our Setup: - Centos 9 - FreeIPA 4.12.2 - Sophos XG (LDAPS-Connection to FreeIPA)

2 1

time out for an external domain
by Ranbir 04 Sep '24

04 Sep '24

Hi Everyone, I'm running into a weird DNS resolution problem (at home) for an external subdomain. rogersbank.com can be looked up from my Fedora 40 host joined to a two server AlmaLinux 9 IdM domain: $ dig rogersbank.com ; <<>> DiG 9.18.28 <<>> rogersbank.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40375 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;rogersbank.com. IN A ;; ANSWER SECTION: rogersbank.com. 20 IN A 23.9.149.95 ;; Query time: 26 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Wed Aug 28 13:39:18 EDT 2024 ;; MSG SIZE rcvd: 5 But, the lookup for rbaccess.rogersbank.com fails: $ dig rbaccess.rogersbank.com ;; communications error to 127.0.0.53#53: timed out ;; communications error to 127.0.0.53#53: timed out ;; communications error to 127.0.0.53#53: timed out ; <<>> DiG 9.18.28 <<>> rbaccess.rogersbank.com ;; global options: +cmd ;; no servers could be reached It doesn't actually work from any of the IdM enrolled hosts or the IdM servers themselves. However, from outside my network, the name rbaccess.rogersbank.com resolves without issue. $ dig @8.8.8.8 rbaccess.rogersbank.com ; <<>> DiG 9.18.28 <<>> @8.8.8.8 rbaccess.rogersbank.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49010 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;rbaccess.rogersbank.com. IN A ;; ANSWER SECTION: rbaccess.rogersbank.com. 72 IN CNAME rbaccess.rogersbank.tsysecom.com. rbaccess.rogersbank.tsysecom.com. 0 IN A 67.231.80.94 ;; Query time: 48 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP) ;; WHEN: Wed Aug 28 15:18:27 EDT 2024 ;; MSG SIZE rcvd: 111 Here are the errors from query_errors.log: (rbaccess.rogersbank.com) query failed (timed out) for rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389 (rbaccess.rogersbank.com) query failed (timed out) for rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389 (rbaccess.rogersbank.com) query failed (timed out) for rbaccess.rogersbank.com/IN/A at ../../../lib/ns/query.c:7389 (rbaccess.rogersbank.tsysecom.com) query failed (SERVFAIL) for rbaccess.rogersbank.tsysecom.com/IN/A at ../../../lib/ns/query.c:6659 While trying to figure out what the problem is, I found the "authoritative nameserver" setting for the zone had the name of a decommissioned IdM host. I ran 'ipa-healthcheck --failures-only', got an error for "ipa-ca" missing one of my two IdM servers, updated the "authoritative nameserver" and saw no more DNS related failures reported by ipa-healthcheck. But, the DNS resolution for rbaccess.rogersbank.com is still failing. A couple of times the resolution has worked (ping was successful). I don't understand what's happening. Anyone have any tips that would help me narrow this down? Thanks. -- Ranbir

2 5

Certificate not renewing CA_UNREACHEABLE
by Azim Siddiqui 04 Sep '24

04 Sep '24

Hello, On one of the FreeIPA servers, I’m encountering an issue with the certificate: Number of certificates and requests being tracked: 1. Request ID '20220930041156': status: CA_UNREACHABLE ca-error: Server at https://xyz.ipa.free-ipa.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-FREE-IPA-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM subject: CN=xyz.ipa.free-ipa.com,O=IPA-FREE-IPA-COM expires: 2024-09-30 02:22:56 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-FREE-IPA-COM track: yes auto-renew: yes Could someone please guide me on how to troubleshoot and resolve this issue?

2 1

FreeIPA / sudo rules / option / secure_path
by alexey safonov 03 Sep '24

03 Sep '24

Hi, I've checked all related output in Google search and this mailing list, but still have no answer to a question, why secure_path option is ignored by IPA? here is what I have in IPA Sudo Option: !requiretty, !authenticate, secure_path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin here is the output [aaa@bbbb ~]$ sudo printenv PATH /sbin:/bin:/usr/sbin:/usr/bin for some reason that path is only taken from /etc/sudoers file thanks in advance for your help Alex

2 2

ipa-replica-manage re-initialize fails with [Error (49) - LDAP error: Invalid credentials - no response received]
by Tomas Dusek 03 Sep '24

03 Sep '24

Hello, where to find additional information to "ipa-replica-manage re-initialize --from master.example.com fails with [Error (49) - LDAP error: Invalid credentials - no response received]"? root@serverB: ipa-replica-manage re-initialize --from master.example.com -d ... ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://master.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fbafdaaa748> ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://master.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fbafd451828> ipa: INFO: Setting agreement cn=serverB.example.com-to-master.example.com,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=serverB.example.com-to-master.example.com,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config Update in progress, 15 seconds elapsed [ldaps://serverB.example.com:636] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received] ipa: DEBUG: Destroyed connection context.ldap2_140441096464368 ... On serverB in /var/log/slapd-serverB/errors: [29/Aug/2024:12:20:11.311481133 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/serverB.example.com(a)EXAMPLE.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328360 (Preauthentication failed) The admin PWD has been recently changed, but the change has not been replicated to serverB. Which credentials are invalid? serverB: RHEL 8.10 & IPA 4.9.13 master: RHEL 9.4 & IPA 4.11 Thanks Tomas

2 2

proper sssd timeout configuration to prevent NAT timeout
by Jaehwan Kim 03 Sep '24

03 Sep '24

Hello. We've got a number (thousands) of hosts inside a private network of cloud environment. These all query the FreeIPA server for user and group information using NAT and a gateway server. However we're having issues with the LDAP queries timing out or becoming unresponsive due to NAT timeout. In order to prevent hosts (clients) from being disconnected due to NAT timeout, we wish to try some sssd timeout values. Because we have difficulty to find out proper timeout of sssd.conf.5 manual pages (website), can you advice us on the proper timeout or propose other way? Thank you. JHK

2 3

Error upgrading to version 4.11.0
by Luis Correia 02 Sep '24

02 Sep '24

Hello all. I'm currently running a FreeIPA server on Docker using the rocky-9-4.10.2 and trying to upgrade my installation to version rocky-9-4.11.0, but currently getting this error: 2024-08-28T09:21:52Z DEBUG Failed to check CA status: cannot connect to 'http://<my-freeipa-hostname>:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused 2024-08-28T09:22:38Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2024-08-28T09:22:38Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 2081, in upgrade upgrade_configuration() File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1803, in upgrade_configuration ca.start('pki-tomcat') File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 575, in start self.service.start(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python3.9/site-packages/ipaplatform/base/services.py", line 304, in start ipautil.run([paths.SYSTEMCTL, "start", File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( 2024-08-28T09:22:38Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service canceled.\n') 2024-08-28T09:22:38Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service canceled.\n') 2024-08-28T09:22:38Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information The endpoint that FreeIPA tries to connect to eventually generates a 404 error (logs from var/log/pki/pki-tomcat/localhost_access_log.2024-08-28.txt): 172.18.0.2 - - [28/Aug/2024:09:22:33 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:34 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:35 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:36 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:37 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:38 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 Can anyone help? This makes it so that I'm completely unable to update FreeIPA to the latest version, which I currently need to do. Thanks!

4 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users September 2024