September 2018 - FreeIPA-users - Fedora mailing-lists

Extending schema
by Henrik Johansson 17 Sep '18

17 Sep '18

Hi, I am going to migrate an existing environment to FreeIPA 4.5. The current LDAP has a few site-specific attributes and I have been trying to figure out how I add these in an easy was that also keeps them when upgrading etc. I was thinking that making them optional would allow us to ad them without expanding the IPA web-interface. But which is the best way to place the additional LDIF file for extending the schema, I have read different location and some documentation point to using ldapmodify directly and most of the stuff I find regarding this is from 2014 or earlier so I’m unsure if it’s still relevant. I would like to add something like this to all users: dn: cn=schema changetype: modify add: attributetypes attributeTypes: ( OurUserType-oid NAME 'OurUserType' DESC 'Specifies account type: user / sys' SYNTAX IA5String SINGLE-VALUE ) attributeTypes: ( OurSysOwner-oid NAME 'OurSysOwner' DESC 'Owner of Sys account / Roles' SYNTAX IA5String SINGLE-VALUE ) - add: objectclasses objectclasses: ( ourUserSpec-oid NAME 'ourUserSpec' SUP top AUXILIARY DESC 'Holds user-specific attr' MAY ( ourUserType $ OurSysOwner ) ) Should this be located under /usr/share/ipa/updates, /usr/share/ipa/schema.d or should it be added in some other place? I want to be able to set the attributes while creating users, user-add … —setattr ourUserType=“usertype1” …. Regards Henrik

3 2

Migrate IPA from Centos 6.9 to Centos 7.5 - CA install error
by Collin Douglas 17 Sep '18

17 Sep '18

I have looked through the mailing list as best as I know how and while I have found some similar issues, I am unable to find anything that I think will help me progress through this error. We are trying to migrate FreeIPA services from centos 6.9 (IPA 3.0) to Centos 7.5 (IPS 4.5) by performing the migration steps located on the following link: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht… I am trying to create a replica on a new server and then eventually migrate all services to that version of the server. I can add an ipa 4.5 replica to a 3.x infrastructure by performing a replica prepare and ipa-replica-install (there are some errors with DNS replication but I am going to ignore those for now. I will elaborate if anyone asks). However, when I try to add a CA with the ipa-ca-install command is where I run into trouble. I run the following on the newly created replica: ipa-ca-install -p "CENSORED" -w "CENSORED" -d --skip-conncheck /var/lib/ipa/replica-info-newreplica.domain.com.gpg This generates the following error: 2018-09-12T06:30:59Z DEBUG [22/26]: migrating certificate profiles to LDAP 2018-09-12T06:30:59Z DEBUG Created connection context.ldap2_140117177941904 2018-09-12T06:30:59Z DEBUG Destroyed connection context.ldap2_140117177941904 2018-09-12T06:30:59Z DEBUG request GET https://ipaserver01.domain.com:8443/ca/rest/account/login 2018-09-12T06:30:59Z DEBUG request body '' 2018-09-12T06:30:59Z DEBUG httplib request failed: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 218, in _httplib_request conn.request(method, uri, body=request_body, headers=headers) File "/usr/lib64/python2.7/httplib.py", line 1041, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 843, in send self.connect() File "/usr/lib64/python2.7/httplib.py", line 1251, in connect HTTPConnection.connect(self) File "/usr/lib64/python2.7/httplib.py", line 824, in connect self.timeout, self.source_address) File "/usr/lib64/python2.7/socket.py", line 571, in create_connection raise err error: [Errno 111] Connection refused 2018-09-12T06:30:59Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1732, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1738, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1293, in __enter__ method='GET' File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 165, in https_request method=method, headers=headers) File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 227, in _httplib_request raise NetworkError(uri=uri, error=str(e)) NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused 2018-09-12T06:30:59Z DEBUG [error] NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused 2018-09-12T06:30:59Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 998, in run_script return_value = main_function() File "/usr/sbin/ipa-ca-install", line 311, in main install(safe_options, options, filename) File "/usr/sbin/ipa-ca-install", line 250, in install install_replica(safe_options, options, filename) File "/usr/sbin/ipa-ca-install", line 207, in install_replica ca.install(True, config, options, custodia=custodia) File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 202, in install install_step_0(standalone, replica_config, options, custodia=custodia) File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 279, in install_step_0 use_ldaps=standalone) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 448, in configure_instance self.start_creation(runtime=runtime) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1732, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1738, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1293, in __enter__ method='GET' File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 165, in https_request method=method, headers=headers) File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 227, in _httplib_request raise NetworkError(uri=uri, error=str(e)) 2018-09-12T06:30:59Z DEBUG The ipa-ca-install command failed, exception: NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused On the Centos 7.5 server, there is a Tomcat (I think) process listening on port 8443 but on the older machine, there is nothing listening on this port. This certainly seems like an obvious problem but I just don't know where to go from here. SELinux is running in permissive mode on both servers. I've considered disabling this to see if there's any effect but this seems like a reach. Any help would be greatly appreciated. Thanks, Collin CONFIDENTIALITY NOTICE: We intend only the individual or entity to which we have addressed this electronic message to view it. This message w/attachments (message) may contain information that is privileged, confidential or proprietary. You may not disseminate, distribute, copy or otherwise disclose the contents of this communication without our prior written consent. If you are not the intended recipient, or if you have received this communication in error, notify us immediately by return e-mail and delete the original message and any copies of it from your computer system.

3 2

LDAP sql view analog?
by Andrew Gurinovich 12 Sep '18

12 Sep '18

Hi. I'm trying to enable ldap auth for our server ipmi interface. I would like to allow access to members of ipmi_admin group only. I constructed the following query and it works OK: ldapsearch -W -b "cn=users,cn=accounts,dc=deleted,dc=loc" "(memberOf=cn=ipmi_admins,cn=groups,cn=accounts,dc= deleted,dc=loc)" However, due to ipmi limitations, there is no way to specify search query, i can only customize searchbase. Is there any way to create a DIT subtree that will only contain users of a ipmi_admin group? I'm thinking maybe there is an analog of sql views where you can create a `view` that searches some other subtree with predefined search query? Thanks.

2 1

FreeIPA and AD
by Ryan 12 Sep '18

12 Sep '18

Hi, All Off the bat I would like to say being new to freeIPA and rolling out successful deployment to manage our servers has been amazing, very few hiccups. Which brings me to my next question, I have been asked if FreeIPA can be uses with Samba4 as a Domain Controller in our environment. After much reading its not as simple as it might sound. In saying that, my question is simple. How or what would be the best way to keep the AD users and FreeIPA users in sync. All I am really looking for is to Auth Users on the new Samba4 AD server. Can this be done or not. Am I going to have to accept the fact that I may need to manage users in Samba and FreeIPA. Thanks in advance on any advice. R

2 4

NIS password migration using {crypt} not working
by van Cooten, Cas (NL - Amsterdam) 11 Sep '18

11 Sep '18

Hello, I am deploying FreeIPA (RHEL IdM) for a client that wants to use it to replace NIS. To ensure user convenience we want to migrate user accounts from the NIS map including (hashed) passwords. We have followed the FreeIPA guide for migration with passwords<https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords> (as well as the Red Hat NIS migration guide<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht…>) to develop migration scripts that import the required maps. Everything is working fine, except the importing of hashed passwords. As the guide specifies, the import script creates a new user by calling the following: ipa user-add $username --first=NIS --last=USER [...more arguments...] --setattr userpassword=$password In this context, $password is the hashed password from the NIS passwd map (which is hashed with DEScrypt) with the {crypt}-prefix as required by 389-DS, as below. encpass=$(echo $line | cut -f2 -d:) password="{crypt}$encpass" Subsequently, we try to finalize account migration by accessing the migration page https://ipa.clientdomain.loc/ipa/migration as well as attempting to connect to an onboarded host's SSH, but the credentials seem to fail (ergo no Kerberos hash can be generated). The ssh auth log throws the below log message, the IPA migration page fails with an "incorrect username or password" message. pam_sss(sshd:auth): received for user testvry: 8 (Insufficient credentials to access authentication data) We have performed this procedure with test users as well as actual users from the NIS map to no avail. We have also tried all variants of password quoting, capitalizing, etc. Do you have any idea what might be going wrong here? Thanks a lot in advance! Best regards, Cas van Cooten *Disclaimer:* ________________________________ This e-mail message and its attachments are subject to the disclaimer published at the following website of Deloitte: http://www2.deloitte.com/nl/nl/legal/Disclaimer.html Deloitte Risk Advisory B.V is registered with the trade register in The Netherlands under number 50340158. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.… for a more detailed description of DTTL and its member firms.

1 0

ldapsearch output formatting assistance
by William Muriithi 11 Sep '18

11 Sep '18

Morning, I have a system that isn't an IPA client but would like to get it to mount some of the NFS share that IPA clients are using. The problem is, the IPA clients are using kerberos to access this NFS shares. Since this system isn't in the REALM, that isn't possible. So I am trying to dump the map and then use a script to mount these directories without kerberos and this is where I am struggling with the data format. ldapsearch -Y GSSAPI -h ipa2.eng.example.com -b "cn=automount,dc=eng,dc=example,dc=com" > `hostname`_autofs_maps.txt When I however attempt to search though the resulting autofs dumped maps, I have noticed that there are lines that break after the 78 character. automountInformation: -fstype=nfs4,sec=krb5,intr barium213.eng.example.com:/e xport/eng/projects/falcon/alan Is there a way of dumping the maps without the above line break? It is problematic as I intend to process the file through a script. Above is a sample of a line in the resulting dump. Regards, William

2 2

Re: FreeIPA crashing during service start - Unknown Error - Invalid Argument
by Rob Crittenden 10 Sep '18

10 Sep '18

zwolfinger(a)campaignmonitor.com wrote: > On September 10, 2018 at 1:16:20 PM, Rob Crittenden (rcritten(a)redhat.com > <mailto:rcritten@redhat.com>) wrote: >> Zak Wolfinger via FreeIPA-users wrote: >> > Please Help! >> > >> > Running FreeIPA 4.5.4 under Centos 7. >> > >> > We have 3 FreeIPA replicas called auth01, auth02, and auth03. All are >> > masters. Auth02 and Auth03 replicate to / from Auth01 only. >> > >> > Auth01 is DOWN. >> > >> > When I try to start it, here is what I see: >> > >> > # ipactl start >> > Existing service file detected! >> > Assuming stale, cleaning and proceeding >> > Starting Directory Service >> > Failed to read data from service file: Unknown error when retrieving >> > list of services from LDAP: [Errno 22] Invalid argument >> > Shutting down >> > >> > I’m not seeing anything obvious in the logs files, no am I finding >> > anything interesting on that error message via google. Can anyone help >> > me troubleshoot this, please? >> >> Try starting dirsrv manually using systemctl. >> >> rob > > > Thanks rob, I get this: > > > /bin/systemctl start dirsrv(a)INT.service > > [root@auth01 ~]# > > [root@auth01 ~]# ipactl status > > Unknown error when retrieving list of services from LDAP: [Errno 22] > Invalid argument > > [root@auth01 ~]# ps aux | grep dirsrv > > dirsrv 21957 64.6 0.8 1541076 141044 ? Ssl 13:42 0:49 > /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-INT -i /var/run/dirsrv/slapd-INT.pid > What it's doing here is waiting for the port to accept connections and then trying to find the list of services. I'd start by looking at the access log in /var/log/dirsrv/slapd-INT/access to see what the last set of queries was and what the response(s) were. You can try duplicating that search ipactl is doing from the commandline: $ ldapsearch -x -D 'cn=directory manager' -W -b cn=`hostname`,cn=masters,cn=ipa,cn=etc,dc=example,dc=com "(ipaConfigString=enabledService)" cn ipaConfigString rob

2 1

FreeIPA crashing during service start - Unknown Error - Invalid Argument
by Zak Wolfinger 10 Sep '18

10 Sep '18

Please Help! Running FreeIPA 4.5.4 under Centos 7. We have 3 FreeIPA replicas called auth01, auth02, and auth03. All are masters. Auth02 and Auth03 replicate to / from Auth01 only. Auth01 is DOWN. When I try to start it, here is what I see: # ipactl start Existing service file detected! Assuming stale, cleaning and proceeding Starting Directory Service Failed to read data from service file: Unknown error when retrieving list of services from LDAP: [Errno 22] Invalid argument Shutting down I’m not seeing anything obvious in the logs files, no am I finding anything interesting on that error message via google. Can anyone help me troubleshoot this, please? Zachery Wolfinger Infrastructure Engineer campaignmonitor.com <https://www.campaignmonitor.com/> (800) 595-4401 Emma is now a Campaign Monitor company! Learn more <https://content.myemma.com/blog/family-of-brands?utm_campaign=rebrand-launc…>

2 1

Re: FreeIPA crashing during service start - Unknown Error - Invalid Argument
by Zak Wolfinger 10 Sep '18

10 Sep '18

And apparently auth01 is my only CA server :-( Just FYI Zak Wolfinger Infrastructure Engineer campaignmonitor.com <https://www.campaignmonitor.com/> (800) 595-4401 Emma is now a Campaign Monitor company! Learn more <https://content.myemma.com/blog/family-of-brands?utm_campaign=rebrand-launc…>

1 0

Can't ssh using GSSAPI delegation from one freeipa client to another consistently
by Ranbir 07 Sep '18

07 Sep '18

Hello, I have a Fedora 26 desktop joined to a freeipa domain running two ipa 4.5.4-10 servers on CentOS 7.5.1804. I have an odd "problem" I hope someone here can help me fix. I can ssh from my desktop to any server in the domain using my password (i.e. interactive) or GSSAPI. Once on a server, I can ssh to some hosts in the domain using GSSAPI delegation, but not to others. When GSSAPI delegation doesn't work, I see this error: debug1: Unspecified GSS failure. Minor code may provide more information Server host/ipa01(a)THEINSIDE.RNR not found in Kerberos database I think I solved this once before, but it was a very, very long time ago and I don't have any notes to refer to. What am I messing up? -- Ranbir

4 11

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users September 2018