June 2025 - FreeIPA-users - Fedora mailing-lists

Replication error not corrected by reinitializing replication
by David Brown 06 Nov '25

06 Nov '25

Hi, I have a small two node FreeIPA setup. (auth1 & auth2) I noticed today that I was getting a replication error on node 2 (auth2) about missing CSN in the changelog. I reinitialized the two nodes replicating auth1 -> auth2 and this has fixed replication issues in the past, but the error persists. I can create users and delete users from each side of the replication and it appears to be replicating those changes and they seem (non-definitively) to be in sync, but this error concerns me and reinitializing doesn't appear to solve it. Here are the logs. Any help is resolving this would be fantastic as I'm not finding much help via web searches. Thanks, David The sanitized error: Apr 16 10:50:31 auth2 ns-slapd[8419]: [16/Apr/2025:10:50:31.682835677 -0400] - ERR - agmt="cn=caToauth1...." (auth1:389) - clcache_load_buffer - Can't locate CSN 66587eaa000100050000 in the changelog (DB rc=-12797). If replication stops, the consumer may need to be reinitialized. Apr 16 10:50:31 auth2 ns-slapd[8419]: [16/Apr/2025:10:50:31.684721395 -0400] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=caToauth1...." (auth1:389): CSN 66587eaa000100050000 not found, we aren't as up to date, or we purged Apr 16 10:50:31 auth2 ns-slapd[8419]: [16/Apr/2025:10:50:31.685877312 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=caToauth1...." (auth1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. Santitized re-initialization ipa topologysegment-reinitialize domain auth1....-to-auth2.... --right -------------------------------------------------------------------------------------------- Replication refresh for segment: "auth1....-to-auth2...." requested. -------------------------------------------------------------------------------------------- The sanitized logs of the re-initialization Apr 16 10:45:59 auth2 ns-slapd[8419]: [16/Apr/2025:10:45:59.963872886 -0400] - ERR - ipa-topology-plugin - ipa_topo_be_state_changebackend userRoot is going offline; inactivate plugin Apr 16 10:45:59 auth2 ns-slapd[8419]: [16/Apr/2025:10:45:59.966877380 -0400] - NOTICE - NSMMReplicationPlugin - multisupplier_be_state_change - Replica dc=...,dc=... is going offline; disabling replication Apr 16 10:46:00 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:00.189646600 -0400] - INFO - bdb_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database Apr 16 10:46:00 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:00.891598813 -0400] - ERR - agmt="cn=caToauth1...." (auth1:389) - clcache_load_buffer - Can't locate CSN 66587eaa000100050000 in the changelog (DB rc=-12797). If replication stops, the consumer may need to be reinitialized. Apr 16 10:46:00 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:00.893083190 -0400] - ERR - NSMMReplicationPlugin - changelog program - repl_plugin_name_cl - agmt="cn=caToauth1...." (auth1:389): CSN 66587eaa000100050000 not found, we aren't as up to date, or we purged Apr 16 10:46:00 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:00.894538030 -0400] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=caToauth1...." (auth1:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.403074677 -0400] - INFO - bdb_import_monitor_threads - import userRoot: Workers finished; cleaning up... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.605238770 -0400] - INFO - bdb_import_monitor_threads - import userRoot: Workers cleaned up. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.606678188 -0400] - INFO - bdb_public_bdb_import_main - import userRoot: Indexing complete. Post-processing... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.607860375 -0400] - INFO - bdb_public_bdb_import_main - import userRoot: Generating numsubordinates (this may take several minutes to complete)... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.618231549 -0400] - INFO - bdb_public_bdb_import_main - import userRoot: Generating numSubordinates complete. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.620014951 -0400] - INFO - bdb_get_nonleaf_ids - import userRoot: Gathering ancestorid non-leaf IDs... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.621434375 -0400] - INFO - bdb_get_nonleaf_ids - import userRoot: Finished gathering ancestorid non-leaf IDs. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.622574267 -0400] - INFO - ldbm_get_nonleaf_ids - import userRoot: Starting sort of ancestorid non-leaf IDs... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.623757818 -0400] - INFO - ldbm_get_nonleaf_ids - import userRoot: Finished sort of ancestorid non-leaf IDs. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.626748319 -0400] - INFO - bdb_ancestorid_new_idl_create_index - import userRoot: Creating ancestorid index (new idl)... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.632623820 -0400] - INFO - bdb_ancestorid_new_idl_create_index - import userRoot: Created ancestorid index (new idl). Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.633896253 -0400] - INFO - bdb_public_bdb_import_main - import userRoot: Flushing caches... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.635305588 -0400] - INFO - bdb_public_bdb_import_main - import userRoot: Closing files... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.728196646 -0400] - INFO - bdb_public_bdb_import_main - import userRoot: Import complete. Processed 729 entries in 3 seconds. (243.00 entries/sec) Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.737959417 -0400] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.744152900 -0400] - NOTICE - NSMMReplicationPlugin - multisupplier_be_state_change - Replica dc=...,dc=... is coming online; enabling replication Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.754743353 -0400] - WARN - NSMMReplicationPlugin - replica_reload_ruv - New data for replica dc=...,dc=... does not match the data in the changelog. Apr 16 10:46:02 auth2 ns-slapd[8419]: Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.862749463 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUVs - Rebuilding the replication changelog RUV, this may take several minutes... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.864263319 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUVs - Rebuilding replication changelog RUV complete. Result 0 (Success) Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.872479720 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=...,dc=...--no CoS Templates found, which should be added before the CoS Definition. Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.874025309 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.875303781 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.876489711 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.877770904 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.879231097 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.880458410 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.881648891 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.882722133 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.884124162 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.885222292 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.886404863 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.887615474 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.889102423 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.890327963 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.891412886 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.892586141 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.899706161 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.901020418 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=...,dc=... does not exist Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.907037194 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUVs - Rebuilding the replication changelog RUV, this may take several minutes... Apr 16 10:46:02 auth2 ns-slapd[8419]: [16/Apr/2025:10:46:02.908357262 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUVs - Rebuilding replication changelog RUV complete. Result 0 (Success)

3 5

Problem with "Login failed due to an unknown reason" / PKINIT OpenSSL error
by Ville Teronen 06 Nov '25

06 Nov '25

Hello, We are currently experiencing strange behavior on FreeIPA system related to PKINIT OpenSSL error when trying to log in through FreeIPA web gui. This started happening as we upgraded our second replica with "dnf ugprade". Freeipa packages in themself haven't been updated. Our setup is basically as follows. ipa.tre-1.web1.fi ipa.tku-2.web1.fi <-- the one not working. GUI throws an error "Login failed due to an unknown reason" httpd error log has the following line after error: [Fri Feb 25 19:32:50.776457 2022] [wsgi:error] [pid 17977:tid 18319] [remote 10.20.11.2:49472] ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_17977', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n') Now if I try to run " KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_15581 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem" I get the following output [19260] 1645812760.557398: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)IPA.WEB1.FI [19260] 1645812760.557400: Sending unauthenticated request [19260] 1645812760.557401: Sending request (186 bytes) to IPA.WEB1.FI [19260] 1645812760.557402: Initiating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557403: Sending TCP request to stream 10.20.13.5:88 [19260] 1645812760.557404: Received answer (538 bytes) from stream 10.20.13.5:88 [19260] 1645812760.557405: Terminating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557406: Response was from primary KDC [19260] 1645812760.557407: Received error from KDC: -1765328359/Additional pre-authentication required [19260] 1645812760.557410: Preauthenticating using KDC method data [19260] 1645812760.557411: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133) [19260] 1645812760.557412: Selected etype info: etype aes256-cts, salt "IPA.WEB1.FIWELLKNOWNANONYMOUS", params "" [19260] 1645812760.557413: Received cookie: MIT1\x00\x00\x00\x01\x8f\xcb\x99\x9c~\xed!^Qj\xa3\x0a\x82~\xe94\x04\x0ck[j=\x08\xd2\x97j'K2\x8f\xa0\xf6\xc3\x89Z@\x8b]\xc3K\xc2h\xfa\xaek\x11\x91y\xc9\xf0\xadG\x13\x9a\xb2\xb6\x1c\x12\xbfr\x0a'Z\xfe\x12\x81\x1a>2\x8c\x1a\xf2\x96\xdc]&qH\x08\x1f\x0d\xc0a{\xe8\xff\xbbF\x9c\x86`\xd6G\xc4*5\xccL\xc1m\xc0\xa7b\x8b]od\xfa*\xd4.bmB\x9d\x92\xb7\xf9($\xa4D\xea\xcd\xc6\xe3p\xac$\xf4 [19260] 1645812760.557414: Preauth module pkinit (147) (info) returned: 0/Success [19260] 1645812760.557415: PKINIT client received freshness token from KDC [19260] 1645812760.557416: Preauth module pkinit (150) (info) returned: 0/Success [19260] 1645812760.557417: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557418: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557419: PKINIT loading CA certs and CRLs from FILE [19260] 1645812760.557420: PKINIT client computed kdc-req-body checksum 9/B79768B0DAD630709ABFE35C1E2B6FDAB714913D [19260] 1645812760.557422: PKINIT client making DH request [19260] 1645812760.557423: Preauth module pkinit (16) (real) returned: 0/Success [19260] 1645812760.557424: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16) [19260] 1645812760.557425: Sending request (1674 bytes) to IPA.WEB1.FI [19260] 1645812760.557426: Initiating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557427: Sending TCP request to stream 10.20.13.5:88 [19260] 1645812760.557428: Received answer (2619 bytes) from stream 10.20.13.5:88 [19260] 1645812760.557429: Terminating TCP connection to stream 10.20.13.5:88 [19260] 1645812760.557430: Response was from primary KDC [19260] 1645812760.557431: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147) [19260] 1645812760.557432: Preauth module pkinit (147) (info) returned: 0/Success [19260] 1645812760.557433: PKINIT OpenSSL error: Failed to verify CMS message [19260] 1645812760.557434: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data [19260] 1645812760.557435: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest [19260] 1645812760.557436: PKINIT client could not verify DH reply [19260] 1645812760.557437: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data [19260] 1645812760.557438: Produced preauth for next request: (empty) [19260] 1645812760.557439: Getting AS key, salt "IPA.WEB1.FIWELLKNOWNANONYMOUS", params "" Password for WELLKNOWN/ANONYMOUS(a)IPA.WEB1.FI: [19260] 1645812776.928337: AS key obtained from gak_fct: aes256-cts/3840 kinit: Password incorrect while getting initial credentials But this only happens on the "dc2" one. If I would run this on the "dc1" it would work just fine. I have tried running ipa-pkinit-manage disable ipa-pkinit-manage enable to regen the cert but it didn't help. Any suggestions / pointers at why the OpenSSL error on the tku-2 is showing up.

6 11

IPA DNS ACL (respond with a different IP depending on the requester)
by Daniel PC 24 Oct '25

24 Oct '25

I would like to configure DNS to respond with a different IP depending on the requester source IP. Bind allow it using ACL. Do you know if it is possible to implement this feature on IPA integrated DNS? thank you

3 4

Error upgrading to version 4.11.0
by Luis Correia 19 Oct '25

19 Oct '25

Hello all. I'm currently running a FreeIPA server on Docker using the rocky-9-4.10.2 and trying to upgrade my installation to version rocky-9-4.11.0, but currently getting this error: 2024-08-28T09:21:52Z DEBUG Failed to check CA status: cannot connect to 'http://<my-freeipa-hostname>:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused 2024-08-28T09:22:38Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2024-08-28T09:22:38Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 2081, in upgrade upgrade_configuration() File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1803, in upgrade_configuration ca.start('pki-tomcat') File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 575, in start self.service.start(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python3.9/site-packages/ipaplatform/base/services.py", line 304, in start ipautil.run([paths.SYSTEMCTL, "start", File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 599, in run raise CalledProcessError( 2024-08-28T09:22:38Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service canceled.\n') 2024-08-28T09:22:38Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service canceled.\n') 2024-08-28T09:22:38Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information The endpoint that FreeIPA tries to connect to eventually generates a 404 error (logs from var/log/pki/pki-tomcat/localhost_access_log.2024-08-28.txt): 172.18.0.2 - - [28/Aug/2024:09:22:33 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:34 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:35 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:36 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:37 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 172.18.0.2 - - [28/Aug/2024:09:22:38 +0000] "GET /ca/admin/ca/getStatus HTTP/1.1" 404 784 Can anyone help? This makes it so that I'm completely unable to update FreeIPA to the latest version, which I currently need to do. Thanks!

5 9

Unable to delete ID range
by Jeremy Tourville 14 Oct '25

14 Oct '25

We are running IPA server 4.9.11 We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error: "ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed" Any suggestions to troubleshoot and remove this range?

5 9

Issue with ipa-replica-install Failing at pki-tomcatd
by Pierre Labanowski 24 Jul '25

24 Jul '25

Hello everyone, I'm currently managing several FreeIPA servers running on RHEL 8 (version 4.9.12-7.module_el8). I'm attempting to set up a replica on a new RHEL 9 server (version 4.12.2-14.el9_6.1) following the official documentation. However, during the execution of ipa-replica-install, the process halts at the "Configuring certificate server (pki-tomcatd)" step with the following error: [33/33]: deploying ACME service Done configuring certificate server (pki-tomcatd). Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.:contentReference[oaicite:25]{index=25} CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service failed because the control process exited with error code.\n See "systemctl status pki-tomcatd(a)pki-tomcat.service" and "journalctl -xeu pki-tomcatd(a)pki-tomcat.service" for details.\n') Upon investigation, I discovered that the pki-tomcatd service fails to start due to low default limits in the dse.ldif configuration. By increasing the lock and time limits and restarting the dirsrv service, I was able to start pki-tomcatd successfully. My challenge now is completing the replica installation without performing a full uninstall using ipa-server-install --uninstall, as this would erase my configuration changes, causing the same issue to recur. Is there a method to resume or complete the installation process from its current state without starting over? Any guidance or suggestions would be greatly appreciated. Thank you for your assistance. Best regards, -- *Pierre Labanowski*

3 7

No valid Negotiate header in server response, keytabs regenerated
by Felix O 16 Jul '25

16 Jul '25

Hi, when trying to run any ipa cli commands, they fail with the message ipa: ERROR: No valid Negotiate header in server response. Trying to sign into the web ui fails by unknown error. The instance has had its certificates expired and then renewed using ipa-cert-fix, after which the problem occurred. I have regenerated the host keytab and gssproxy keytab using the following commands, to no success. (the command succeeds, but it doesn't help the issue) ipa-getkeytab -s ipa.example.com -p host/ipa.example.com(a)EXAMPLE.COM -k /etc/krb5.keytab ipa-getkeytab -s ipa.example.com -p HTTP/ipa.example.com(a)EXAMPLE.COM -k /var/lib/ipa/gssproxy/http.keytab Felix

5 9

pki-tomcat won't start after CA certs updated, getcert still shows a lot of expired certs
by Schrier, William (Contractor) 07 Jul '25

07 Jul '25

Our FreeIPA CA cert (externally signed via a Microsoft AD CA) recently expired. Unfortunately, I didn't notice it until after it expired. After jumping through some hoops and some help from Florence's blog, I was able to get new certificates installed successfully (at least according to the ipa-cacert-manage and ipa-certupdate commands). However, at this point, pki-tomcat will not start and ipa-getcert and getcert don't really show what I would expect... Oh - also, I should point out that I'm running on Oracle Linux 7.9 and FreeIPA VERSION: 4.6.8, API_VERSION: 2.237 - yes, I know I'm far from the latest out there, but until I can upgrade this server to a new OS, I'm kind of stuck... and unfortunately, my situation here is making upgrading the OS difficult, so please forgive me that I'm asking for assistance on such an old setup, but know that the goal is to upgrade, but that's not possible at this exact moment, so if I can fix this current setup to see me through until I can upgrade, that would be really good. Any suggestions so we can get these certs installed properly and get pki-tomcat started would be appreciated! When I run ipa-getcert list, I get the following (which is still showing the old cert): # ipa-getcert list Number of certificates and requests being tracked: 7. Request ID '20210201172924': status: NEED_TO_SUBMIT ca-error: Server at https://[hostname]/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://[hostname]:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)). stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=[DOMAIN] subject: CN=[hostname],O=[DOMAIN] expires: 2025-05-31 15:41:32 UTC principal name: krbtgt/[DOMAIN@DOMAIN]<mailto:krbtgt/PEACECORPS.GOV@PEACECORPS.GOV> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes And running getcert list returns mostly the old expired cert, but with one entry with the new cert: # getcert list | egrep "Request ID|status:|CA:|expires:" Request ID '20210201172746': status: CA_UNREACHABLE CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172819': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172820': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172821': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172822': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2027-06-09 13:26:26 UTC Request ID '20210201172823': status: MONITORING CA: dogtag-ipa-ca-renew-agent expires: 2025-05-31 15:41:32 UTC Request ID '20210201172924': status: CA_UNREACHABLE CA: IPA expires: 2025-05-31 15:41:32 UTC I do see the following in /var/log/pki/pki-tomcat/ca/debug: Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48) Internal Database Error encountered: Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48) And /var/log/pki/pki-tomcat/localhost.[date].log gets tons of these: SEVERE: Exception Processing /ca/admin/ca/getStatus javax.ws.rs.ServiceUnavailableException: Subsystem unavailable at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:750) SEVERE: Exception Processing /ca/ee/ca/profileSubmit javax.ws.rs.ServiceUnavailableException: Subsystem unavailable at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:750)

3 14

I can't promote to "replica server"
by Daniel Ruiz 02 Jul '25

02 Jul '25

Hello, I want to configure a "replica server". I need that because in my scenario, main FreeIPA server is for some clients that are on the same net but I have an small HPC cluster where server is on the same public net but all compute nodes are running with private IP, so that clients connect to the HPC server to get users and $HOMEs. My idea is configure HPC server as "replica" to get all users from the main server and, then, all HPC clients could connect with the same users. I have done these steps: 1. Install FreeIPA server on main server (OK!) 2. Configure all public clients as FreeIPA clients from server in point 1. (OK!) 3. Configure HPC server as client from domain that main servers is serving in point 1 (OK!) 4. Promote HPC server as FreeIPA replica server --> NO, ERROR! After running "ipa-replica-install", error is: "Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up". Cannot promote this client to a replica. Local domain 'MYDOMAIN' does not match IPA domain "machine.domain". The ipa-replica-innstall command failed." Yes, "MYDOMAIN" is the FreeIPA domain (get from my old YPSERV system). That domain is different from the machine domain name because I domain name is for whole organitzation and I think is better not to take that, so I have configured a different FreeIPA domain name. During configuration as FreeIPA server, system didn't return any problem about machine domain name and FreeIPA domain name. I assigned "realm name" as MYDOMAIN and all process ended correctly. However, HPC server can't promote to replica. What am I doing wrong? Thanks.

2 1

ipalockout_postop - User fqdn=... is locked out. Too many failed authentication attempts.
by Anthony Messina 01 Jul '25

01 Jul '25

With FreeIPA 4.12.2-14.fc42 (and likely before), I have two hosts created in February 2025 that trigger the following: ns-slapd: ALERT - ipalockout_postop - User fqdn=ws1.example.com,cn=computers,cn=accounts,dc=example,dc=com is locked out. Too many failed authentication attempts. They were enrolled using OTP just like my other hosts in the past have been. They are the only two hosts in my dual-master FreeIPA setup with multiple hosts that show krbLastFailedAuth and krbLoginFailedCount: ~]# ipa host-show ws1 --all --raw ... has_password: FALSE has_keytab: TRUE krbLastFailedAuth: 20250217182326Z krbLastPwdChange: 20250216234605Z krbLoginFailedCount: 0 How do they get this way and is there a way to "unlock" these hosts? Thanks. -- Anthony - https://messinet.com

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2025