April 2019 - FreeIPA-users - Fedora mailing-lists

User's primary group set to recently deleted user group
by Devin Roark 16 Apr '19

16 Apr '19

Hello, I have inherited a freeipa cluster and during a cleanup of groups. We discovered one of the groups that was deleted was set as a couple user's primary gid in the past, which I'm assuming was a manual process because it looks like the default behavior is the standard groupname/gid matching the username/uid in FreeIPA. This causes errors when on enrolled hosts, bash runs the id command behind the scenes and subsequently breaks some automated pipelines for these users. Although doing an `ipa group-find --gid=${CORRESPONDING_UID}` doesn't return any groups but users still match uid's and gid's, my thinking is if we modify these two users to use their UID's as their primary group again the issues will be resolved. My question is will this have any known unintended consequences? Thanks, Devin

2 2

How to move FreeIPA to new server?
by fujisan 16 Apr '19

16 Apr '19

Hello, I just got a new server on which I'd like to install a FreeIPA server. Today it is installed on the old server. I just tried to install it with ipa-server-install but of course it complained saying the DNS domain is handled by the old server. What is the best way to install FreeIPA on the new server without disturbing the users too much? Regards, F.

3 6

ID-View for AD group to use GECOS umask
by Ronald Wimmer 16 Apr '19

16 Apr '19

Afaik it should be possible to set a users umask by putting something like "umask=0007" in the GECOS field in combination with pam_umask.so. pam_umask.so seems to be present on our systems. What I do not know is in which file (at which exact position) I would have to put "session optional pam_umask.so". Should it work in general or would pam_umask.so only respect the GECOS field of local users? Cheers, Ronald

2 1

Lookups for trust uses fails if member of group that has a user with same name, returned more than one object.
by Henrik Johansson 15 Apr '19

15 Apr '19

Hi, I have a trust setup against an AD domain for existing user accounts, I have then crated groups in FreeIPA and added AD users to external groups which are members of the POSIX groups. All good so far, now I noticed that is was not possible to lookup some users on the clients while it works fine on the server. A little digging showed that: (Sat Apr 13 22:48:52 2019) [sssd[nss]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(|(nameAlias=examplegroup@ipa.net)(name=examplegroup@ipa.net)))] returned more than one object. (Sat Apr 13 22:48:52 2019) [sssd[nss]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument) (Sat Apr 13 22:48:52 2019) [sssd[nss]] [cache_req_search_cache] (0x0020): CR #66: Unable to lookup [examplegroup(a)ipa.net] in cache [22]: Invalid argument (Sat Apr 13 22:48:52 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected! This happens when there are both a group and a user with the same name in FreeIPA, and we can see on the filter that it looks for both. So if user AD user X is part of group mariadb by a proxy group and there are a also a mariadb user, lookups for AD user X fails on the SSD clients. It does work on the FreeIPA server all the time but fails on clients, if I lookup the conflicting group before the use on the client it also woks. Version is 4.6.2. Regards Henrik

2 2

How to grant CSR from command line
by Bret Wortman 12 Apr '19

12 Apr '19

I know I can paste a CSR from one of our servers into the GUI and generate a new cert, but how can I do this from a command line? I've been working with this: # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr But that's giving me an error that the principal doesn't exist. Then (admittedly, I picked up this command from a discussion I found): # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem How do I get the serial number? Basically, I'm trying to wrap and automate the process of granting a new cert to a server. Bret Wortman Founder, Damascus Products, LLC 855-644-2783 (tel:855-644-2783) | bret(a)wrapbuddies.co (https://link.getmailspring.com/link/25BB3F29-8D3D-4B5A-8DA5-E701F2C56AF8@ge…) http://wrapbuddies.co/ (https://link.getmailspring.com/link/25BB3F29-8D3D-4B5A-8DA5-E701F2C56AF8@ge…) 70 Main St. Suite 23 Warrenton, VA 20186

3 7

Cert renew error: service with name already exists.
by John Aquino 12 Apr '19

12 Apr '19

Hi all, I was referred to this place by Florence. I'm hoping to get some help in the right direction with this issue I've been having. I have a FreeIPA system that I inherited from a previous coworker with no install notes so I'm trying to figure out heads/tails out of this thing. From what I can tell its a 4 node deployment with all of them as CA servers and 1 of them was the CA master. The issue is the LDAP and HTTP certs expired but from my knowledge they were supposed to auto-renew. I've tried auto-renewing the certs by rolling back time and restarting certmonger but it keeps returning this error: --- status: CA_UNREACHABLE ca-error: Server at https://$hostname/ipa/xml failed request, will retry: 4002 (RPC failed at server. service with name “HTTP/$hostname(a)DOMAIN.xn--com-9o0a already exists). ... pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd --- Similar with the LDAP cert: ca-error: Server at https://$hostname/ipa/xml failed request, will retry: 4002 (RPC failed at server. service with name "HTTP/$hostname(a)DOMAIN.COM" already exists). ... pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM I've also seen it appear on the other nodes before the certs expired so I'm guessing certmonger was trying to renew it but something snuck into LDAP ? --- Some diagnostics: [root@a01-n ~]# ipa --version VERSION: 4.4.0, API_VERSION: 2.213 [root@a01-n ~]# getcert list Number of certificates and requests being tracked: 8. Request ID '20170315010441': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=CA Audit,O=DOMAIN.COM expires: 2021-01-25 01:52:48 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170315010442': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=OCSP Subsystem,O=DOMAIN.COM expires: 2021-01-25 01:53:28 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170315010443': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=CA Subsystem,O=DOMAIN.COM expires: 2021-01-25 01:53:48 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170315010444': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=Certificate Authority,O=DOMAIN.COM expires: 2039-03-15 01:45:42 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170315010445': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=IPA RA,O=DOMAIN.COM expires: 2021-01-25 01:53:18 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20170315010446': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=a01-n.fqdn,O=DOMAIN.COM expires: 2021-01-25 01:52:44 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20190203000836': status: SUBMITTING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=a01-n.fqdn,O=DOMAIN.COM expires: 2019-03-16 01:05:25 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20190329001401': status: CA_UNREACHABLE ca-error: Server at https://a01-n.fqdn/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=a01-n.fqdn,O=DOMAIN.COM expires: 2019-03-16 01:05:03 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM track: yes auto-renew: yes --------- [root@a01-n ~]# ipa config-show ... IPA masters: a01-e.fqdn, a01-n.fqdn, a02-e.fqdn, a02-n.fqdn IPA CA servers: a01-e.fqdn, a01-n.fqdn, a02-e.fqdn, a02-n.fqdn IPA NTP servers: a01-e.fqdn, a01-n.fqdn, a02-e.fqdn, a02-n.fqdn IPA CA renewal master: a01-n.fqdn ---------- Any help would be greatly appreciated.

3 2

Lost Dogtag admin certificate
by Petr Benas 11 Apr '19

11 Apr '19

Hello, I'm trying to solve following issue in our FreeIPA 4.6.4 deployment and ran our of ideas, so I'm asking for an advice. The main issue is the auditSigningCert having a printablestring subject: # certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-ca' -a | openssl x509 -noout -nameopt multiline,show_type -subject -issuer subject= organizationName = PRINTABLESTRING:DOMAIN.COM commonName = PRINTABLESTRING:CA Audit issuer= organizationName = UTF8STRING:DOMAIN.COM commonName = UTF8STRING:Certificate Authority It gets resubmitted with printablestring subject again, so I was hoping to fix it according to https://pagure.io/dogtagpki/issue/2865 by setting policyset.caLogSigningSet.1.default.params.useSysEncoding=true In order to modify the caSignedLogCert profile the Dogtag's admin certificate is required. Our domain is couple of years old and we don't have the original master anymore, neither we have any backups from it that would contain the /root/ca-agent.p12. So I was attempting to restore the admin cert by the method described in /etc/pki/pki-tomcat/ca/CS.cfg, but after setting ca.Policy.enable=true cmsgateway.enableAdminEnroll=true and restaring Dogtag, but it fails to start with following in /var/log/pki/pki-tomcat/ca/debug [08/Apr/2019:13:55:32][localhost-startStop-1]: CertificateAuthority init: initRequestQueue [08/Apr/2019:13:55:32][localhost-startStop-1]: selected policy processor = classic [08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init begins [08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is ENABLED java.lang.ClassNotFoundException: com.netscape.cms.policy.constraints.ManualAuthentication at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1892) at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1735) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:264) at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1220) at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200) at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81) at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183) at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) No policy implementation exists for: null at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1247) at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200) at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81) at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183) at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) So I wanted to ask two questions. How to reset or obtain the lost /root/ca-agent.p12 certificate? If it's not possible in a way safe enough for replicated production environment, are there any alternative ways how to modify the caSignedLogCert profile without the Dogtag's admin cert or even how to resubmit the auditSigningCert with utf8string encoding without modifying the profile? Thanks Petr

2 3

CA Cert and CA Private key, or signing key.
by Ralph Crongeyer 10 Apr '19

10 Apr '19

Hello List, I'm testing SSL decryption on a firewall. The self signed CA Cert and private signing key that I started testing with are generated on the firewall it self which works. So I am now trying to figure out how to generate a Sub CA with it's own private signing key to be imported to the firewall. I'm not having any luck figuring out how to create a CA with it's own key? Is this possible? If so can someone help me with this task? Thanks, Ralph

2 4

after losing and rebuilding replica, message in syslog
by Anthony Jarvis-Clark 10 Apr '19

10 Apr '19

Hello Everyone, Over the weekend we lost a replica during an upgrade and had to rebuild it. The OS (CentOS 7.6) was reinstalled from scratch, the host then added to the IPA domain, and then turned into a replica. Sequence of events: 1) ns01 upgraded from FreeIPA 4.4.0-14 to 4.6.4-10 2) ns02 corrupted during upgrade process 3) on ns01, "ipa-replica-manage del ns02" ran. 4) ns02 rebuilt from scratch with latest CentOS 7.6 packages. 5) ns02 added to IPA domain 6) ns02 added as replica The process went well, no errors during the "ipa-replica-install --setup-ca --setup-kra --setup-dns --forwarder=x.x.x.x" process. However, on ns01, I'm getting the following message in /var/log/messages: Apr 8 13:54:36 ns01 ns-slapd: [08/Apr/2019:13:54:36.294135188 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ns02.dev.example.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) ... Apr 8 13:59:36 ns01 ns-slapd: [08/Apr/2019:13:59:36.547881587 +0000] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ns02.dev.example.net-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) If I run a search in ns01's LDAP I get this result: [root@ns01 ~]# ldapsearch -xLLL -h ns01.dev.example.net -D "cn=directory manager" -W -b "ou=csusers,cn=config" Enter LDAP Password: dn: ou=csusers,cn=config objectClass: top objectClass: organizationalUnit ou: csusers dn: cn=Replication Manager masterAgreement1-ns02.dev.example.net-pki-tomca t,ou=csusers,cn=config cn: Replication Manager masterAgreement1-ns02.dev.example.net-pki-tomcat objectClass: top objectClass: person sn: manager userPassword:: redacted!!! So there's a "masterAgreement1" but no "cloneAgreement1". Is that something hanging around from the previous replica agreement? If so, how do I fix whatever is running that query every 5 minutes? Or is it indicative of something else that is wrong? I ran the tool from https://github.com/peterpakos/checkipaconsistency and it reports everything is fine (except that ns01 has a dangling AD trust that was supposed to be removed, but that's for another post I guess). How do I identify the process that is running that query that causes the error message in /var/log/messages? Many, many thanks, Anthony Clark

2 3

AD Trust and ipa cli/Web UI
by John Desantis 09 Apr '19

09 Apr '19

Hello all, I'm wondering if anyone could help shed light on why IPA CLI commands fail for a trusted AD user, and why Web UI logins for the same user fail with the message "Your session has expired. Please re-login.", despite creating a view for the user via `ipa idoverrideuser-add 'Default Trust View' ad_user(a)ad_domain.com`. The symptoms appear almost identical to the post [0], except that the cli and Web UI were never working previously. I am able to login via SSH (on a host with an HBAC configured), and able to `kinit` and obtain the appropriate tickets across the realms. I've configured the system accordingly, per the URL: https://www.freeipa.org/page/Active_Directory_trust_setup. I am running FreeIPA version 4.6.4 with a successful AD Trust (one way) using the range type "ipa-ad-trust-posix", both nodes completely re-provisioned (fresh installation purposes). SELinux is disabled, and the configuration IPA-wise is untouched, with the exception of enabling debugging and editing krb5.conf per the URL: https://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb… I've attached Apache logs referencing the Web UI and from the console. From what I have found online, it should be possible to allow an AD user to login to Web UI and ipa CLI commands should function, too. All IPA services are running and have been restarted, just in case something was "stuck". The interesting entries within the logs: (Failed to unseal session data!, GSSapiImpersonate not On) seem to be red herrings. Thanks for any assistance! John DeSantis [0] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…

2 4

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users April 2019