January 2019 - FreeIPA-users - Fedora mailing-lists

Freeipa fails to renew CA certificate with external CA.
by Pedro Perdido 10 Jan '19

10 Jan '19

Hello, I'm trying to renew the CA certificate and I keep getting the error "CA certificate chain in ipaRenew.crt, extCA.crt is incomplete: missing certificate with subject 'CN=pedroperdido.com'". I have found some people complaining about DN encode mismatch during the renewal process, so I installed a test server and made sure the trustchain had PRINTABLESTRING encoding. No problem there, FreeIPA accepted the certificate and everything is working great, but when I try to renew it the error comes back: ============================================================================================== # ipa-cacert-manage renew --external-cert-file=ipaRenew.crt --external-cert-file=extCA.crt Importing the renewed CA certificate, please wait CA certificate chain in ipaRenew.crt, extCA.crt is incomplete: missing certificate with subject 'CN=pedroperdido.com' ============================================================================================== Both the new certificate and the external CA cert have the PRINTABLESTRING encoding: ============================================================================================== # openssl x509 -in extCARenew.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash subject= commonName = PRINTABLESTRING:pedroperdido.com issuer= commonName = PRINTABLESTRING:pedroperdido.com a5851e5b a5851e5b ============================================================================================== ============================================================================================== # openssl x509 -in ipaRenew.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash subject= organizationName = PRINTABLESTRING:TESTCA.ETUX commonName = PRINTABLESTRING:Certificate Authority issuer= commonName = PRINTABLESTRING:pedroperdido.com 48a8b126 a5851e5b ============================================================================================== And the certs I used during the installation also have PRINTABLESTRING encoding: ============================================================================================== # openssl x509 -in ipaInstall.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash subject= organizationName = PRINTABLESTRING:TESTCA.ETUX commonName = PRINTABLESTRING:Certificate Authority issuer= commonName = PRINTABLESTRING:pedroperdido.com 48a8b126 a5851e5b ============================================================================================== ============================================================================================== # openssl x509 -in extCAInstall.crt -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash subject= commonName = PRINTABLESTRING:pedroperdido.com issuer= commonName = PRINTABLESTRING:pedroperdido.com a5851e5b a5851e5b ============================================================================================== Also as you can see the CN is the same. Can someone please help me figuring out what seems to be the problem? Some more info: FreeIPA, version: 4.6.4 OS: CentOS7

2 2

IPA location on replica servers with different domain suffixes
by I AM USER 10 Jan '19

10 Jan '19

Hi Experts, We have several IPA servers (pair of 8), and they are all replicas of each other with domain level-1. For example, -- No location set for these two servers server-1.ex1.net server-2.ex1.net -- locname1 server-1.mgmt-ex2.net server-2.mgmt-ex2.net We are using ipa version 4.5.4 from EL7. There are many clients that are configured to use each of these pairs using /etc/resolv.conf. We tried setting ipa-location info for each of these pairs, but must be missing something because a query like the following returns the default records. $ dig +short -t SRV _ldap._tcp.ex1.net 0 100 389 server2.mgmt.ex2.net 0 100 389 server1.ex1.net 0 100 389 server2.ex1.net 0 100 389 server1.mgmt.ex2.net whereas a location specific query returns with correct priority, $ dig +short -t SRV _ldap._tcp.locname1._locations.ex1.net 0 100 389 server1.mgmt.ex2.net 50 100 389 server2.ex1.net 0 100 389 server2.mgmt.ex2.net ..... ..... Question is, what's the recommended way to do the ipa-location in a case like ours ? What are we missing in our setup that causes the query to always provide a default record. Thanks

2 3

ipa-server Upgrade to 4.6.4 warning: %posttrans(bind-32:9.9.4-72.el7.x86_64)
by Christopher Lamb 10 Jan '19

10 Jan '19

3 3

system time
by Md. Khairul Hasan 09 Jan '19

09 Jan '19

Hi Experts, I want to change the system time for my IPA server from UTC time to local time. Is it mandatory to restart the service after changing the system time ? Regards, Khairul +8801962400409 sojib2bd(a)gmail.com

3 4

PAM OTP login requirements
by Brian Topping 09 Jan '19

09 Jan '19

Hi all, I hope this is the best place to ask this, please let me know if not. I am setting up a PAM client (libreswan, using the `pluto` service). When I log in with a non-OTP account, everything works fine, but not with an OTP account. I have tested the OTP account by logging into the node with SSH and the OTP user and it works fine, so I know both that the token works and that the client configuration are both correct. I’ve tried a few different PAM stacks to see if I could get around this, including the sshd stack to no avail. In all cases, the FreeIPA server logs state `Additional pre-authentication required` and then `Preauthentication failed`. Preauthentication makes sense, I just don’t understand why sshd works fine with both password factors concatenated in the first factor and libreswan (and xl2tpd when I was testing it) both fail with preauth issues. What am I missing? Are there good docs on this somewhere? [1] was the best I could come up with and it seems to be out-of-date (pam_sss takes different parameters for some of the same functions in the final form). Cheers! Brian [1] https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html

2 2

uid/gid mapping from windows to IPA
by Charles Hedrick 09 Jan '19

09 Jan '19

We’re in the process of setting up Windows machines to authenticate against IPA and use home directories from our NFS servers with Kerberized NFS. The process is not easy, but possible. One thing I’ve found frustrating is that documentation on Windows NFS is terrible. In particular, when you do a mount, it’s critical to get it mounted with the right UID and GID. The procedure most people are using is to set the UID and GID in the registry. That’s fine if the same person always uses the system, but it won’t work for us. In older versions of windows, you could set up /windows/system32/drivers/etc/passwd. But in Windows 10 they no longer seem to pay attention. The only real way to do it is with active directory lookup. Fortunately, IPA can handle that. The query is GSSAPI authenticate as machine$ ldapsearch -Y GSSAPI -b dc=cs,dc=rutgers,dc=edu '(sAMAccountName=clh)’ uidnumber gidnumber To get the GSSAPI authentication to work, you need MACHINE$ set as an alias for the host. And you need to configure Windows to use principal canonicalization. Otherwise Kerberos ignores the alias. That means doing "ksetup /setrealmflags DOMAIN ncsupported” on Windows. You also need to add samaccountname as an attribute for users, populate it, and make it readable and searchable. With this, mapping works. Off course this assumes that Windows Kerberos is set up pointing to IPA as the KDC, but there are plenty of other instructions on how to do that.

1 1

Re: Peer certificate cannot be authenticated with given CA certificates
by Petr Beňas 09 Jan '19

09 Jan '19

Hi German, thanks for having a look into this. There is no customer case in the RedHat portal. We're using the upstream FreeIPA from CentOS. Attaching the /var/log/pki/pki-tomcat/ca/debug log. The timestamp of the resubmission was Sat Nov 10 12:03:23 CET 2018 (time set back prior the expiration). I don't see anything interesting from that time, though the getcert list suggests it tried to talk to the ipa07 from which the debug log was collected. ca-error: Error 60 connecting to https://ipa07.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. Did not perform a full restore from backup since it would require a re-initialization from single replica, which possesses a risk of losing more CA replicas. However I confirmed the contents of /etc/pki/pki-tomcat/alias are identical to other replicas, where no manual changes were made. Can't restore the deleted CSR from o=ipaca, since I don't have a backup of it. We have full backups (/usr/sbin/ipa-backup) of other replica, so theoretically it should be possible to get if from there, but we're getting the same error regardless the CSR removal. I've also checked that cn=EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com contains the latest CA cert. This is the output of requested commands. Same output also on a different replica. [root@ipa07:/] certutil -V -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -u O certutil: certificate is valid [root@ipa07:/] certutil -V -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -u C certutil: certificate is valid [root@ipa07:/] certutil -V -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -u V certutil: certificate is valid [root@ipa07:/] certutil -V -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -u J certutil: certificate is valid [root@ipa07:/] certutil -V -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -u L certutil: certificate is valid Thanks Petr On Tue, Jan 8, 2019 at 5:13 PM German Parente <gparente(a)redhat.com> wrote: > Hi Petr, > > I was asked to take a look at this issue. I wanted to know if, in > parallel, there is a customer case open in redhat portal. > > If not, could you provide the /var/log/pki-tomcat/ca/debug log file and > the timestamp of resubmission ? > > I would not change manually the cert db's under /etc/pki/pki-tomcat/alias > not delete or recreate any object under o=ipaca, as possible. If you have > backups, please restore to original ones. > > I know about issues with certificate encoding. In general, the error I use > to see is a little bit different like "error -8179:Peer's Certificate > issuer is not recognized". > > It could be interesting to check your certificates in cert db once date > has been set back by doing: > > certutil -V -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -u O > > certutil -V -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -u C > > certutil -V -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -u V > > certutil -V -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -u J > > certutil -V -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -u L > > that is more or less where our selftests are doing for PKI component. > > Thanks and regards, > > German. > > > > > On Fri, Jan 4, 2019 at 1:44 PM Petr Benas via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org> wrote: > >> Hello, >> >> we have an issue with resubmitting several certificates. >> >> We suspect the reason might be the encoding mismatch between the >> certificate and the CA certificate. >> >> Our environment was upgraded during the years from some 3.x version to >> current 4.5.4. So the very first CA certificate was encoded in >> PRINTABLESTRING. >> >> Issuer: >> organizationName = PRINTABLESTRING:EXAMPLE.COM >> commonName = PRINTABLESTRING:Certificate >> Authority >> Validity >> Not Before: Dec 1 14:14:37 2014 GMT >> Not After : Dec 1 14:14:37 2034 GMT >> Subject: >> organizationName = PRINTABLESTRING:EXAMPLE.COM >> commonName = PRINTABLESTRING:Certificate >> Authority >> >> When we renew-ed (due to SHA1) we got to PRINTABLESTRING X UTF8STRING and >> after we renewed again, so now we have: >> >> Issuer: >> organizationName = UTF8STRING:EXAMPLE.COM >> commonName = UTF8STRING:Certificate Authority >> Validity >> Not Before: Oct 9 07:34:24 2017 GMT >> Not After : Oct 9 07:34:24 2037 GMT >> Subject: >> organizationName = UTF8STRING:EXAMPLE.COM >> commonName = UTF8STRING:Certificate Authority >> >> And most certificated were renewed fine. >> >> However, recently we noticed that several certificated can't be >> resubmitted, all of them seem to be like this: >> >> Issuer: >> organizationName = PRINTABLESTRING:EXAMPLE.COM >> commonName = PRINTABLESTRING:Certificate >> Authority >> Validity >> Not Before: Nov 24 12:17:12 2016 GMT >> Not After : Nov 14 12:17:12 2018 GMT >> Subject: >> organizationName = UTF8STRING:EXAMPLE.COM >> commonName = UTF8STRING:ipa07.example.com >> >> The error when resubmitting is: >> Peer certificate cannot be authenticated with given CA certificates. The >> tcpdump from 8443 says Unknown CA. >> >> Is the assumption that the encoding mismatch is blocking the submitting >> certificate correct? >> One of the certificate which we also can't renew is the 'IPA RA' >> (/var/lib/ipa/ra-agent.pem) >> >> What we tried: >> Add all versions of CA certificate to /etc/pki/pki-tomcat/alias >> trust store (also add them one-by-one) >> Setting date back before the expiration. >> Advises from: >> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authen… >> Deleting the related CSR from o=ipaca, supposing that newly >> generated csr will be fine. >> >> Any suggestions what else we could try? >> >> Thanks >> Petr >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to >> freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… >> >

1 0

Recommendation for adding client with 2 NICs (laptop with LAN & WLAN)
by 74cmonty 09 Jan '19

09 Jan '19

Hi, adding a client in WebUI is simple. However, what do you recommend when adding a client with 2 NICs, e.g. laptop? These devices have typically different NICs for LAN and WLAN. And consequently there are 2 MAC addresses and 2 IPs. But there's only 1 hostname (FQHN). Any advise is appreciated. THX & happy new year!

3 3

pki tomcat issue: Unable to communicate with CMS 500
by Stijn De Weirdt 09 Jan '19

09 Jan '19

hi all, we are running centos76 with ipa-server-4.6.4-10.el7 (one master and one replica; the upgrade went fine on both) and we have a problem with pki tomcat. (we are not sure since when this occurs, but it might be from after the update) ipactl status is ok on both master and replica, pki-tomcatd is running (ports 8080, 8443, 8005 and 8009 are listening) running 'ipa host-disable' fails with > Certificate operation cannot be completed: Unable to communicate with CMS (500) and the only hints i can find are in the /var/log/pki/pki-tomcat/localhost.2019-01-08.log file (the .../ca/debug has nothing relevant). i pasted the backtrace below. any help only how to further investiagte or debug are welcome. stijn > SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception > org.jboss.resteasy.spi.UnhandledException: Response is committed, can't handle exception > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:148) > at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:432) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:376) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) > at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) > at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) > at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) > at java.security.AccessController.doPrivileged(Native Method) > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) > at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) > at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) > at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) > at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) > at java.security.AccessController.doPrivileged(Native Method) > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218) > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506) > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) > at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:748) > Caused by: org.jboss.resteasy.plugins.providers.jaxb.JAXBMarshalException: javax.xml.bind.MarshalException > - with linked exception: > [org.apache.catalina.connector.ClientAbortException: java.net.SocketException: Broken pipe (Write failed)] > at org.jboss.resteasy.plugins.providers.jaxb.AbstractJAXBProvider.writeTo(AbstractJAXBProvider.java:128) > at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.writeTo(AbstractWriterInterceptorContext.java:129) > at org.jboss.resteasy.core.interception.ServerWriterInterceptorContext.writeTo(ServerWriterInterceptorContext.java:62) > at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:118) > at org.jboss.resteasy.plugins.interceptors.encoding.GZIPEncodingInterceptor.aroundWriteTo(GZIPEncodingInterceptor.java:100) > at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:122) > at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:99) > at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:427) > ... 54 more > Caused by: javax.xml.bind.MarshalException > - with linked exception: > [org.apache.catalina.connector.ClientAbortException: java.net.SocketException: Broken pipe (Write failed)] > at com.sun.xml.internal.bind.v2.runtime.MarshallerImpl.write(MarshallerImpl.java:313) > at com.sun.xml.internal.bind.v2.runtime.MarshallerImpl.marshal(MarshallerImpl.java:236) > at javax.xml.bind.helpers.AbstractMarshallerImpl.marshal(AbstractMarshallerImpl.java:95) > at org.jboss.resteasy.plugins.providers.jaxb.AbstractJAXBProvider.writeTo(AbstractJAXBProvider.java:124) > ... 61 more > Caused by: org.apache.catalina.connector.ClientAbortException: java.net.SocketException: Broken pipe (Write failed) > at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:410) > at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:480) > at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:366) > at org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:435) > at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:423) > at org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91) > at org.jboss.resteasy.plugins.server.servlet.HttpServletResponseWrapper$DeferredOutputStream.write(HttpServletResponseWrapper.java:46) > at org.jboss.resteasy.util.CommitHeaderOutputStream.write(CommitHeaderOutputStream.java:71) > at com.sun.xml.internal.bind.v2.runtime.output.UTF8XmlOutput.write(UTF8XmlOutput.java:396) > at com.sun.xml.internal.bind.v2.runtime.output.Encoded.write(Encoded.java:152) > at com.sun.xml.internal.bind.v2.runtime.output.UTF8XmlOutput.doText(UTF8XmlOutput.java:308) > at com.sun.xml.internal.bind.v2.runtime.output.UTF8XmlOutput.text(UTF8XmlOutput.java:290) > at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.leafElement(XMLSerializer.java:313) > at com.sun.xml.internal.bind.v2.model.impl.RuntimeBuiltinLeafInfoImpl$StringImplImpl.writeLeafElement(RuntimeBuiltinLeafInfoImpl.java:1036) > at com.sun.xml.internal.bind.v2.model.impl.RuntimeBuiltinLeafInfoImpl$StringImplImpl.writeLeafElement(RuntimeBuiltinLeafInfoImpl.java:1015) > at com.sun.xml.internal.bind.v2.runtime.reflect.TransducedAccessor$CompositeTransducedAccessorImpl.writeLeafElement(TransducedAccessor.java:239) > at com.sun.xml.internal.bind.v2.runtime.property.SingleElementLeafProperty.serializeBody(SingleElementLeafProperty.java:115) > at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.serializeBody(ClassBeanInfoImpl.java:345) > at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsXsiType(XMLSerializer.java:681) > at com.sun.xml.internal.bind.v2.runtime.property.ArrayElementNodeProperty.serializeItem(ArrayElementNodeProperty.java:54) > at com.sun.xml.internal.bind.v2.runtime.property.ArrayElementProperty.serializeListBody(ArrayElementProperty.java:157) > at com.sun.xml.internal.bind.v2.runtime.property.ArrayERProperty.serializeBody(ArrayERProperty.java:144) > at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.serializeBody(ClassBeanInfoImpl.java:350) > at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.serializeBody(ClassBeanInfoImpl.java:336) > at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsSoleContent(XMLSerializer.java:578) > at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.serializeRoot(ClassBeanInfoImpl.java:326) > at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsRoot(XMLSerializer.java:479) > at com.sun.xml.internal.bind.v2.runtime.MarshallerImpl.write(MarshallerImpl.java:308) > ... 64 more > Caused by: java.net.SocketException: Broken pipe (Write failed) > at java.net.SocketOutputStream.socketWrite0(Native Method) > at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111) > at java.net.SocketOutputStream.write(SocketOutputStream.java:155) > at org.apache.coyote.ajp.AjpProcessor.output(AjpProcessor.java:298) > at org.apache.coyote.ajp.AbstractAjpProcessor$SocketOutputBuffer.doWrite(AbstractAjpProcessor.java:1275) > at org.apache.coyote.Response.doWrite(Response.java:499) > at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:405) > ... 91 more

2 2

FreeIPA web UI Failed
by mustafa taha 08 Jan '19

08 Jan '19

Hi i am new user of Freeipa i have built two Freeipa one server and other replica . the problem is when i enter authenticate in the web UI , this message appear : >>> Some operations failed. Hide details The search criteria was not specific enough. Expected 1 and found 2. <<< if i press ok , then this page appear : >>> Runtime error Web UI got in unrecoverable state during "runtime" phase. Technical details: Unable to get property 'ipapwdexpadvnotify' of undefined or null reference TypeError: Unable to get property 'ipapwdexpadvnotify' of undefined or null reference at y.update_password_expiration (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:37107) at start_runtime (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:17251) at Anonymous function (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:1246) at Anonymous function (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:3474) at a.forEach (https://ipa0.exalt.ps/ipa/ui/js/dojo/dojo.js?v=40604:1:29752) at _run_phase (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:3440) at next_phase (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:3899) at Anonymous function (https://ipa0.exalt.ps/ipa/ui/js/freeipa/app.js?40604:1:3570) at c (https://ipa0.exalt.ps/ipa/ui/js/dojo/dojo.js?v=40604:1:60954) at t.then (https://ipa0.exalt.ps/ipa/ui/js/dojo/dojo.js?v=40604:1:62155) <<< i reach to this problem after i use "ipa idrange" i use this command because i have two ID range and i want to delete the deleted one but when i try that , a suggestion note appear an tell me to use this command . can anybody help ?

2 1

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2019