December 2019 - FreeIPA-users - Fedora mailing-lists

FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
by Wulf C. Krueger 05 Feb '20

05 Feb '20

Hello, my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start: ---- # ipactl start IPA version error: data needs to be upgraded (expected version '4.8.1-4.fc31', current version '4.8.1-1.fc30') Automatically running upgrade, for details see /var/log/ipaupgrade.log Be patient, this may take a few minutes. Automatic upgrade failed: Update complete Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service" and "journalctl -xe" for details.\n') The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again Aborting ipactl ---- Logs: ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log pki-tomcatd@pki-tomcat log: https://mailstation.de/ipa-logs/pki-tomcatd@pki-tomcat.log pki-tomcat-ca-debug log: https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log So it looks like the LDAP server isn't reachable but its log says it's running: https://mailstation.de/ipa-logs/dirsrv@MAILSTATION-DE.log There's nothing listening on ports 389 and 636, though. Help would be highly appreciated. Best regards, Wulf

6 24

WARNING Could not update DNS SSHFP records.
by Ron Blom 20 Jan '20

20 Jan '20

Hi, We have problems with client’s registering dns records at enrollment. Most of the time all works ok but about 10% of the machines don’t create the A records or the SHHFP records. Sometimes they don’t create both. In the ipaclient-install.log we see the following on machines that doesn’t create the records. In this example the creation of the A records succeeded but the creation of the SSHFP records failed with the following error: 2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub 2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub 2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub 2019-12-20T13:19:51Z INFO [try 1]: Forwarding 'host_mod' to json server 'https://freeipa-002.ipa.cloud/ipa/session/json' 2019-12-20T13:19:51Z DEBUG HTTP connection keep-alive (freeipa-002.ipa.cloud) 2019-12-20T13:19:51Z DEBUG received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;path=/ipa;httponly;secure;']' 2019-12-20T13:19:51Z DEBUG storing cookie 'ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;' for principal host/adm-sdrn6419-2062.aal.ipa.cloud(a)RINIS.CLOUD 2019-12-20T13:19:51Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt: 2019-12-20T13:19:51Z DEBUG debug update delete adm-sdrn6419-2062.aal.ipa.cloud. IN SSHFP show send update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 1 6134C7CDE12FDDFA33A068A273941697928FBCD7 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 2 2F41772E6CAD9C328730BFCED0E27350A6C20DE8499E60158635ED8419BF2022 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 1 FFE99F20A5C32D857535D13425A7F85F3A63E198 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 2 D2C7FC741E834D4E1FE51B7867AFA2D34D0685C769D9019D98093E01C8312118 update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 1 ED5416B39F419E4F631AB6C9A9CFC0139907232E update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 2 7794DBAA391B2939476EDD3A0173162F9CD3BBE1E16B52754BB8C6B56DA26435 show send 2019-12-20T13:19:51Z DEBUG Starting external process 2019-12-20T13:19:51Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2019-12-20T13:19:51Z DEBUG Process finished, return code=1 2019-12-20T13:19:51Z DEBUG stdout=Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: adm-sdrn6419-2062.aal.ipa.cloud. 0 ANY SSHFP Outgoing update query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636 ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY ;; ADDITIONAL SECTION: 3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 1576847991 1576847991 3 NOERROR 677 YIICoQYJKoZIhvcSAQICAQBuggKQMIICjKADAgEFoQMCAQ6iBwMFACAA AACjggGCYYIBfjCCAXqgAwIBBaENGwtSSU5JUy5DTE9VRKIpMCegAwIB AaEgMB4bA0ROUxsXYWRtLWFhYS0wMDEucmluaXMuY2xvdWSjggE3MIIB M6ADAgESoQMCAQKiggElBIIBIWJzJaNElw4aQs2ZFHDopnUdH6vqowdG ojmiCBIpmgFjPsHEl98zY+UX6OqfF3ovB/uMAuCF1eq3spIRtPjb7hUO +lva9UtuvUJSV0pT9WI1B0ROZxzspkBQmZEYLRUCACxjW3Kw1F123ryy Ga4JJ4cROOFf1GtTdEW3CmIJLlyKqWXDFSQzgnqvP/acb0mQIr0Wid6P DJFaxYmm+uRHw5KBTg7hjeAQPFwgZxNdardv9hUvfhzElxtOK0Kj3ZDy 9lFdpemEtO+osfnwrwyX28xWGLZds/Gfpy0kfdihkUxT082eTWNftaE7 dX0LOb46j9sbMAFDbgHESCkXq5VFRBmtotnf3SRru/eBQFdbYq0/o/oY PCmaTJ4HSymhjbkrVVqkgfAwge2gAwIBEqKB5QSB4tPwDLt7qpKesLJg lGFXpoNqHOsGlFheQslzzkcWzjgoJDDRSJtjoaLgLFv0cITj+rr4dXcu tdMNESwRObXQofsbO9E0HYfZWijSDEIVJlXETm+x8ca4Qf938u3RHV/U +ZXmepZIBnMR4d70Vo+vz6CuXt0+HI0Dh6ot2whzX5g0MWHI0SfJElhO pgWN59uMUC4E8HtLzNEoWljX25acK3mi8ZBgq8iFihfObfEP0Xmx11NE Gru9QOiwMoxRUblws44U3sNOFRUgF9Ua3kKWXEfJ4wpPC3GwdMUajMkr V3wCXBc= 0 2019-12-20T13:19:51Z DEBUG stderr=Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13244 ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;adm-sdrn6419-2062.aal.ipa.cloud. IN SOA ;; AUTHORITY SECTION: aal.ipa.cloud. 0 IN SOA freeipa-001.ipa.cloud. hostmaster.aal.ipa.cloud. 1576848002 3600 60 1209600 60 Found zone name: aal.ipa.cloud The master is: freeipa-001.ipa.cloud start_gssrequest Found realm from ticket: RINIS.CLOUD send_gssrequest recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636 ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY ;; ANSWER SECTION: 3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 0 0 3 BADNAME 0 0 dns_tkey_gssnegotiate: TKEY is unacceptable 2019-12-20T13:19:51Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 2019-12-20T13:19:51Z WARNING Could not update DNS SSHFP records. When I run the nsupdate command manually after enrollment it will succeed and add the missing records. any ideas?

3 2

Server-Cert cert-pki-ca was expired and wasn't renewed automatically
by luckydog xf 16 Jan '20

16 Jan '20

Hi, I have 2 nodes of IPA system. The 'Server-Cert cert-pki-ca' of master node was expired unexpectedly. Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is for HTTS( pki-tomcat), AKA Dogtag website. As it was expired, Dogtag is OOS, either. Right now, those services are not running, --- pki-tomcatd Service: STOPPED ipa-otpd Service: STOPPED ipa-dnskeysyncd Service: STOPPED --- This is /var/log/pki/pki-tomcat/ca/selftests.log --------------------- 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peers Certificate has expired. 0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! ----------------- And /var/log/pki/pki-tomcat/ca/debug ------------ [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer) [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer) [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. [25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. ----------------- Output from certutil: ------- Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK" Validity: Not Before: Tue Nov 21 08:43:11 2017 Not After : Mon Nov 11 08:43:11 2019 Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK" ---------- This certificate was expired, so here comes the point, 1. Why ipa cert-mon did monitor and renew it? So weired. getcert list | grep tomcat -i does not return this certificate. 2. How to fix it? it's renewal master by 'ipa config-show | grep 'IPA CA renewal master' 1) I reset the clock during the valid period, and restart services. it failed. 2) I plan to renew or recreate a Server-Cert since my CA is still valid, but I'm not sure it's doable and don't know how. Not sure it's a bug or not, my slave node is good, both are running freeipa v4.6.4. Thanks a lot.

5 25

How to allow users to manage their own certs
by Michael Plemmons 03 Jan '20

03 Jan '20

We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate. I get the following error: Insufficient access: Principal 'testplem(a)MGMT.EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance. Here are the permissions I have setup. * Create a new Privilege called SelfService * Add the following permissions to the SelfService Privilege * Request Certificate (FreeIPA builtin permission) * Retrieve Certificates from the CA (FreeIPA builtin permission) * UserSelfSerivceCertificate (custom permission) * ReadCAProfile (custom permission) * ReadIPACA (custom permission) * Create Role called SelfService * Attach the SelfService Privilege to this Role * I then attach that Role to a test user. I am sure I am missing other permissions but I am not sure what. If there is already documentation that explains how to do this I am happy to reference that. If not, what else am I missing. ============ dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com ipaPermRight: read ipaPermRight: search ipaPermRight: compare ipaPermRight: write ipaPermRight: add ipaPermTargetFilter: (objectclass=posixaccount) ipaPermBindRuleType: permission ipaPermissionType: SYSTEM ipaPermissionType: V2 cn: UserSelfSerivceCertificate objectClass: top objectClass: groupofnames objectClass: ipapermission objectClass: ipapermissionv2 ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com ipaPermIncludedAttr: usercertificate ============ dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com ipaPermBindRuleType: permission ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=co m ipaPermRight: read ipaPermRight: search ipaPermTargetFilter: (objectclass=ipacertprofile) ipaPermissionType: SYSTEM ipaPermissionType: V2 cn: ReadCAProfile objectClass: top objectClass: groupofnames objectClass: ipapermission objectClass: ipapermissionv2 ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com ipaPermIncludedAttr: cn ipaPermIncludedAttr: description ipaPermIncludedAttr: ipacertprofilestoreissued ipaPermIncludedAttr: objectclass ============ dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com ipaPermRight: read ipaPermRight: search ipaPermRight: compare ipaPermTargetFilter: (objectclass=ipaca) ipaPermBindRuleType: permission ipaPermissionType: SYSTEM ipaPermissionType: V2 cn: ReadIPACA objectClass: top objectClass: groupofnames objectClass: ipapermission objectClass: ipapermissionv2 ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com ipaPermIncludedAttr: cn ipaPermIncludedAttr: description ipaPermIncludedAttr: ipacaid ipaPermIncludedAttr: ipacaissuerdn ipaPermIncludedAttr: ipacasubjectdn ipaPermIncludedAttr: objectclass Thank you for any insight you are able to provide. -- *Mike Plemmons * Senior Infrastructure Engineer 614-427-2411 <https://oliveai.com/> 99 E. Main Street Columbus, OH 43215 oliveai.com Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>

2 2

Looking for a way to get a list of users that can log in to a server
by White, Daniel E. (GSFC-770.0)[NICS] 30 Dec '19

30 Dec '19

Ideally, a command/script I can run on each host that outputs a list of users that can log in to that host. I found this: FreeIPA Issue #7199 [RFE] Central report that will show who can access which systems (attestation)<https://pagure.io/freeipa/issue/7199> and followed it upstream to this BugZilla Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation)<https://bugzilla.redhat.com/show_bug.cgi?id=1492993> which says it is targeted for RHEL 8 ! Is there any way to do this in the meantime ? I can get a list of users, but how do I get to the HBAC rules to filter them ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

2 2

How to Connect to FreeIPA Web UI with AD DC Users?
by Alex Kobin 29 Dec '19

29 Dec '19

Just installed a FreeIPA server on Centos7 already did the all trust by the guides and seems that everything is working and i can connect with *admin* user on the Web UI and i can SSH to FreeIPA server with AD user that in specific Security Group only. But i want to connect on the Web UI with the AD Users to the FreeIPA console(*for now i can only connect with the admin user which I prescribed during FreeIPA installation*), what do i need to do that the users from AD DC that in specific group can connect with their credentials to FreeIPA on the Web UI? Thanks Best Regards -- Alex Kobin *System/Security Engineer* alex.kobin(a)sizmek.com <greg.wasson(a)sizmek.com> *Herzliya, IL*

2 1

LE SSl on replica server
by Petar Kozić 27 Dec '19

27 Dec '19

I have strange problem on replication server. I set master server and I generate and set Let's encrypt. On replica server I do same step but when I try to install pk12 I get error about invalid credentials. For private key unlock password I using weak pass which I set in the proces of generated pk12 in step before. Directory Manager password is right, because when I do: ldapsearch -x -D "cn=directory manager" -w mypassword -s base -b "" "objectclass=*" I get this, which mean DM pass is ok. # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: objectclass=* # requesting: ALL # . . . . lastusn: 2382 changeLog: cn=changelog firstchangenumber: 0 lastchangenumber: 0 ipatopologypluginversion: 1.0 ipatopologyismanaged: on ipaDomainLevel: 1 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 When I try to install cert: ipa-server-certinstall -w /path/to/.pk12 I get this error: ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver ipapython.admintool: DEBUG: File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 110, in run api.Backend.ldap2.connect(bind_pw=self.options.dirman_password) File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 175, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1142, in simple_bind bind_dn, bind_password, server_controls, client_controls) File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1030, in error_handler raise errors.ACIError(info="%s %s" % (info, desc)) ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ACIError: Insufficient access: Invalid credentials ipapython.admintool: ERROR: Insufficient access: Invalid credentials ipapython.admintool: ERROR: The ipa-server-certinstall command failed. *—* *Petar Kozić*

2 1

Letsencrypt and IPA
by Petar Kozić 27 Dec '19

27 Dec '19

Hi folks, I have one IPA server in production for my small environment. There I set Let’s Encrypt CA root and issue .p12 cert without problem. Now, I want to install FreeIPA on VPS, but I have problem with Let’s encrypt SSL. I can’t import SSL. First, I imported CA certficates: ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer ipa-certupdate -v That’s all ok. But than, I generate new p12 with command: openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out ipa.p12 -certfile fullchain.pem Than, ask me for pass and that all is ok. When I run: ipa-server-certinstall -w ipa.p12 -v ask me for Directory pass and pass which I enter in step above, than I get error: ipalib.backend: DEBUG: Created connection context.ldap2_140380174158736 ipapython.ipautil: DEBUG: Starting external process ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmpauWQ5Z', '-N', '-f', '/tmp/tmpauWQ5Z/pwdfile.txt', '-@', '/tmp/tmpauWQ5Z/pwdfile.txt'] ipapython.ipautil: DEBUG: Process finished, return code=0 ipapython.ipautil: DEBUG: stdout= ipapython.ipautil: DEBUG: stderr= ipapython.ipautil: DEBUG: Starting external process ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', 'dbm:/tmp/tmpauWQ5Z', '-i', 'ipa.p12', '-k', '/tmp/tmpauWQ5Z/pwdfile.txt', '-v', '-w', '/tmp/tmp66gfLt'] ipapython.ipautil: DEBUG: Process finished, return code=10 ipapython.ipautil: DEBUG: stdout= ipapython.ipautil: DEBUG: stderr=pk12util: File Open failed: ipa.p12: PR_FILE_NOT_FOUND_ERROR: File not found ipapython.admintool: DEBUG: File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 116, in run self.replace_http_cert() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 156, in replace_http_cert host_name=api.env.host File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 201, in load_pkcs12 **kwargs) File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 1151, in load_pkcs12 raise ScriptError(str(e)) ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Failed to load ipa.p12 ipapython.admintool: ERROR: Failed to load ipa.p12 ipapython.admintool: ERROR: The ipa-server-certinstall command failed. Some ideas ? *—* *Petar Kozić* System Administrator *mobile: *+381 6 <callto:+381%2060%2006%2088%20008>4 83 44 310 *e-mail:* petar.kozic(a)mint.rs Mint Services | Jove Ilića 140 | 11000 Beograd | Srbija

2 5

IPA AD Trust - The attempted logon is invalid. This is either due to a bad username or authentication information.
by Kevin Olbrich 25 Dec '19

25 Dec '19

Hi! This is my first FreeIPA setup that needs to be trusted against AD. I spent some hours to debug my issue but I need some help: root@auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com --admin administrator --password Active Directory domain administrator's password: ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted logon is invalid. This is either due to a bad username or authentication information." (both may be "None") I've also tried "administrator(a)intra.example.com" as well as another administrative account with domain admin privileges. The password is 100% fine and works for ldapadmin (windows tool) as well as windows logons. DNS is also fine: I set up forwarding of "intra.example.com" from IPA to the AD domain and reverse "auth.example.com" from AD to IPA. WORKS: ldapsearch -H ldap://192.168.80.1:389 -x -W -D " administrator(a)intra.example.com" -b "dc=intra,dc=example,dc=com" -d8 Environment: Debian Sid, FreeIPA 4.7.2 Did I miss something? What am I doing wrong here? Kind regards Kevin

2 4

Yum Update - Failed to authenticate to CA REST API - Past Fixes Don't Work
by Michael Plemmons 23 Dec '19

23 Dec '19

I am updating from 4.6.4-10 to 4.6.5-11 on on CentOS 7. The server I am working on is one of three in a production cluster. The yum update failed and I get the Failed to authenticate to CA REST API in the ipa upgrade log. I have followed past emails that state the contents of ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem I did find that they did not match so I created an LDIF file to make the LDAP entry match the uid=ipara,ou=people,o=ipaca match /var/lib/ipa/ra-agent.pem but I still get the same problem. ============ BEFORE dn: uid=ipara,ou=people,o=ipaca description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MG MT.CROSSCHX.COM uid: ipara sn: ipara usertype: agentType userstate: 1 userCertificate:: MIIDfTC...CUirreECTetw== objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: cmsuser cn: ipara snippet of ra-agent.pem MIIDfTCCA...SLZXf2l (root)>openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem Certificate: Data: Version: 3 (0x2) Serial Number: 7 (0x7) Signature Algorithm: sha256WithRSAEncryption Issuer: O=MGMT.CROSSCHX.COM, CN=Certificate Authority Validity Not Before: Jan 24 16:44:17 2018 GMT Not After : Jan 14 16:44:17 2020 GMT Subject: O=MGMT.CROSSCHX.COM, CN=IPA RA The serial number, issuer, and subject do not match so I created the following LDIFs. ipaca-1.ldif dn: uid=ipara,ou=people,o=ipaca changetype: modify replace: userCertificate userCertificate: MIIDfTCCA...SLZXf2l ipaca-2.ldif dn: uid=ipara,ou=people,o=ipaca changetype: modify replace: description description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O= MGMT.CROSSCHX.COM, CN=IPA RA I then applied them like this # ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca-1.ldif # ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca-2.ldif AFTER dn: uid=ipara,ou=people,o=ipaca usercertificate: MIIDfTCCA...SLZXf2l description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O= MGMT.CROSSCHX.COM, CN=IPA RA =========== None of the certs have expired (root)>getcert list | grep -i expires expires: 2020-01-25 18:20:55 UTC expires: 2020-01-14 16:43:59 UTC expires: 2020-01-14 16:43:59 UTC expires: 2020-01-14 16:43:59 UTC expires: 2038-01-24 16:43:58 UTC expires: 2020-01-14 16:44:17 UTC expires: 2021-12-07 15:49:57 UTC expires: 2039-09-04 17:51:34 UTC expires: 2020-01-25 18:17:26 UTC expires: 2020-01-25 18:18:20 UTC When I rerun ipa-server-upgrade manually I still get the same problem. I am able to validate that the contents of the ra-agent.pem file and ldap entry are the same by match content and verifying their MD5 checksum. When I attempt an ipactl stop / ipactl start it notices that the server needs to be upgrade and attempts the upgrade. How do I recover the server? -- *Mike Plemmons * Senior Infrastructure Engineer 614-427-2411 <https://oliveai.com/> 99 E. Main Street Columbus, OH 43215 oliveai.com Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>

2 2

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users December 2019