August 2022 - FreeIPA-users - Fedora mailing-lists

more rpm conflicts on CentOS
by lejeczek 14 Sep '22

14 Sep '22

Hi guys. I this Samba end of packages having issues (again) ? -> $ dnf update Last metadata expiration check: 0:08:36 ago on Mon 08 Aug 2022 08:14:21 BST. Error: Problem 1: package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.2-1.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.13.3-3.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.4-4.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-2.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.3-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.4-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-3.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-4.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-5.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-8.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.1-0.el8.x86_64 - cannot install the best update candidate for package samba-client-libs-4.16.2-1.el8.x86_64 - cannot install the best update candidate for package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 Problem 2: problem with installed package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 - package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.2-1.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.13.3-3.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.4-4.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-2.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.3-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.4-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-0.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-3.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-4.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-5.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-8.el8.x86_64 - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.1-0.el8.x86_64 - package libsmbclient-4.16.4-1.el8.x86_64 requires libsamba-debug-samba4.so(SAMBA_4.16.4_SAMBA4)(64bit), but none of the providers can be installed - package libsmbclient-4.16.4-1.el8.x86_64 requires libsmbconf.so.0(SMBCONF_0.0.1)(64bit), but none of the providers can be installed and also, I wonder why would a "regular" package want to depend in a debug package - that should not be needed normally. many thanks, L.

2 4

Need 'dns notify' sequence clarification please!
by Harry G Coin 09 Sep '22

09 Sep '22

In a 'standard' freeipa setup with two freeipa masters that provide authoritative DNS for a zone (in this instance using the named-pkcs11 bind version) and no other DNS slaves: When an IP address is changed in freeipa DNS for a host: Question 1: Does the 'notify' feature of bind9/named from one machine to the other accomplish any actual value (TTL related or otherwise) given they both rely on bind-dyndbldap and as such the dns change is migrated via ldap? In other words, would any performance suffer if I just turned off notifies among the freeipa masters? Question 2: What is the sequence of operations when an IP address is changed in freeipa? I expect it would be the first ldap db gets updated, then the replicas ldap dbs get updated, then after all ldaps are updated each of them tells 'their respective' bind instances to update. Yes? No? Thanks! Harry Coin

2 1

How to check the number of read/write locks on /usr/sbin/ns-slapd process?
by Kathy Zhu 06 Sep '22

06 Sep '22

Hi Team, We used following to get the number of rwlocks for /usr/sbin/ns-slapd process in Centos 7.9 to catch deadlocks: PID=`pidof ns-slapd` gdb -ex 'set confirm off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 'quit' /usr/sbin/ns-slapd $PID |& grep '^#0.*lock' | grep pthread_rwlock | sort -u That helped us to detect ns-slapd hang caused by deadlocks. After migrating to Red Hat 8.6, we had a lot of hangs (dirsvr is running but not responding) and could not find why. We use the same above method, however, we are not able to catch anything. I wonder if there is a different way to count the rwlocks in Red Hat 8.6? We realize that there are multiple reasons to cause hangs, however, we would like to rule out the possibility of the deadlock. The OS and packages: Red Hat Enterprise Linux release 8.6 (Ootpa) ipa-server.x86_64 4.9.8-7.module+el8.6.0+14337+19b76db2 @rhel-8-for-x86_64-appstream-rpms slapi-nis-0.56.6-4.module+el8.6.0+12936+736896b2.x86_64 389-ds-base-libs-1.4.3.28-6.module+el8.6.0+14129+983ceada.x86_64 389-ds-base-1.4.3.28-6.module+el8.6.0+14129+983ceada.x86_64 Many thanks. Kathy.

3 3

Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails
by Polavarapu Manideep Sai 02 Sep '22

02 Sep '22

Hi Team, Need help from freeipa, Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails please check the below issue and let us know the fix and please let us know if any more details required Master server: aaa01 Replica server1: dir01 (currently installing replica server ) Replica server2: dirus02 (which was a replica server previously that has been removed from replication) As noticed while installing ipa replica server, replica server retrieving two certificates from the master server, and saving it in /etc/ipa/ca.crt in this process at the stage Configuring the web interface (httpd) we got the below error i.e. ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255 =============================================== While installing Replica /var/log/ipaclient-install.log --------------------------------------------------- 2022-08-15T13:52:08Z DEBUG stderr= 2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.subdomain.com 2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.subdomain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440> 2022-08-15T13:52:11Z INFO Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM Valid From: 2018-04-12 14:15:30 Valid Until: 2038-04-12 14:15:30 Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM Valid From: 2019-01-21 11:54:13 Valid Until: 2021-01-21 11:54:13 2022-08-15T13:52:11Z DEBUG Starting external process 2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com -b dc=ipa,dc=example,dc=com -h dirpav01-tfln-mdr1-omes.ipa.subdomain.com 2022-08-15T13:52:15Z DEBUG Process finished, return code=0 2022-08-15T13:52:15Z DEBUG stdout= 2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab Certificate subject base is: O=IPA.SUBDOMAIN.COM 2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM 2022-08-15T13:52:15Z DEBUG Starting external process 2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy 2022-08-15T13:52:15Z DEBUG Process finished, return code=0 2022-08-15T13:52:15Z DEBUG stdout= ================================== While installing replica /var/log/ipareplica-install.log -------------------------------------------------- 2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP 2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2022-08-15T15:07:11Z DEBUG Starting external process 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.SUBDOMAIN.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt 2022-08-15T15:07:11Z DEBUG Process finished, return code=0 2022-08-15T15:07:11Z DEBUG stdout= 2022-08-15T15:07:11Z DEBUG stderr= 2022-08-15T15:07:11Z DEBUG Starting external process 2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt 2022-08-15T15:07:12Z DEBUG Process finished, return code=255 2022-08-15T15:07:12Z DEBUG stdout= 2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database. 2022-08-15T15:07:12Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step Observation in Master server(aaa01) ldap database : ======================================= [root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject" ipaCertSubject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM ipaCertSubject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM [root@aaa01~]# ==================== We could see this certificate "CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM" in IPA master server GUI as well we have revoked it too , but still it retrieves the same and installation got fails everytime ================= In ideal case while installing replica it has to retrieve only one certificate i.e. CN=Certificate Authority,O=IPA.SUBDOMAIN.COM but this case it retrieves Please let us know if any more details required and let us know how can we fix this issue, without impact on whole setup ipaCertIssuerSerial ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;1 [which is a valid certificate] ipaCertIssuerSerial: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM;32 [ invalid certificate retrieves from ipa master while installing ipa replica] [root@aaa01]# ipa cert-show Serial number: 32 Issuing CA: ipa Certificate: MIIFGTCCBAGgAwIBAgIBIDANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBJUEEuT05NT0JJTEUuQ09NMR4wHAYDVQQ DDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwMTIxMTE1NDEzWhcNMjEwMTIxMTE1NDEzWjBMMRkwFwYDVQQKDBBJUEEuT 05NT0JJTEUuQ09NMS8wLQYDVQQDDCZkaXJ1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTCCASIwDQYJKoZIhvcNAQE BBQADggEPADCCAQoCggEBAKln0qNlB+38cXbyOurkVgK+GMYM9loUVFAvZGlydXMwMi1taWEtdGxmbi1vbXVzLmlwYS5vbm1vYmlsZS5 jb21ASVBBLk9OTU9CSUxFLkNPTaBbBgYrBgEFAgKgUTBPoBIbEElQQS5PTk1PQklMRS5DT02hOTA3oAMCAQGhMDAuGwRIVFRQGyZkaXJ 1czAyLW1pYS10bGZuLW9tdXMuaXBhLm9ubW9iaWxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcFbSY4tVpZHWVDGsahRNfCqv/x/xCT BEYHvCSdycHAV7Ogq6zEENviRDOEOYqe1x7BxyF7B/hhB3PX2uqYmFrgPffyfwCxGZb0DRnnOLnwldxe3QdwjIIuUptY9fOgvbjx+bd5iLIgNp aAZcN70PePdPA0xYpAo3CQkowCojAke2QGsPp6DrXS1wRrE4maH0LmEtu56hSbARoN4DgJ91PKgPkZ+BNyq9BmoPTRsxpAGBvms2SAbx q1iUmNcVCurqvF/Gu2Z8L5rlpPiVjSbup9Zq5LuhLtfeMsgrwfZOcwZQfSCCykMUH9eAipvsNoHvPxiJeHhDk8Zx+cADESTL4w== Subject: CN=dirus02.ipa.subdomain.com,O=IPA.SUBDOMAIN.COM Subject DNS name: dirus02.ipa.subdomain.com Subject UPN: HTTP/dirus02.ipa.subdomain.com(a)IPA.SUBDOMAIN.COM Subject Kerberos principal name: HTTP/dirus02.ipa.subdomain.com(a)IPA.SUBDOMAIN.COM Issuer: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM Not Before: Mon Jan 21 11:54:13 2019 UTC Not After: Thu Jan 21 11:54:13 2021 UTC Serial number: 32 Serial number (hex): 0x20 Revoked: True Revocation reason: 2 [root@aaa01~]# Regards ManideepSai ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

3 5

error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)
by liang fei 01 Sep '22

01 Sep '22

hello Since the keytab file is invalid, I manually generated a new IPA. keytab file, but now it seems that encryption-types does not match. What should I do with this?thank you #ipa user-find devop ipa: DEBUG: importing all plugin modules in ipalib.plugins... ipa: DEBUG: importing plugin module ipalib.plugins.aci ipa: DEBUG: importing plugin module ipalib.plugins.automember ipa: DEBUG: importing plugin module ipalib.plugins.automount ipa: DEBUG: importing plugin module ipalib.plugins.baseldap ipa: DEBUG: importing plugin module ipalib.plugins.baseuser ipa: DEBUG: importing plugin module ipalib.plugins.batch ipa: DEBUG: importing plugin module ipalib.plugins.caacl ipa: DEBUG: importing plugin module ipalib.plugins.cert ipa: DEBUG: importing plugin module ipalib.plugins.certprofile ipa: DEBUG: importing plugin module ipalib.plugins.config ipa: DEBUG: importing plugin module ipalib.plugins.delegation ipa: DEBUG: importing plugin module ipalib.plugins.dns ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel ipa: DEBUG: importing plugin module ipalib.plugins.group ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup ipa: DEBUG: importing plugin module ipalib.plugins.hbactest ipa: DEBUG: importing plugin module ipalib.plugins.host ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup ipa: DEBUG: importing plugin module ipalib.plugins.idrange ipa: DEBUG: importing plugin module ipalib.plugins.idviews ipa: DEBUG: importing plugin module ipalib.plugins.internal ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy ipa: DEBUG: importing plugin module ipalib.plugins.migration ipa: DEBUG: importing plugin module ipalib.plugins.misc ipa: DEBUG: importing plugin module ipalib.plugins.netgroup ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig ipa: DEBUG: importing plugin module ipalib.plugins.otptoken ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey ipa: DEBUG: importing plugin module ipalib.plugins.passwd ipa: DEBUG: importing plugin module ipalib.plugins.permission ipa: DEBUG: importing plugin module ipalib.plugins.ping ipa: DEBUG: importing plugin module ipalib.plugins.pkinit ipa: DEBUG: importing plugin module ipalib.plugins.privilege ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy ipa: DEBUG: Starting external process ipa: DEBUG: args=klist -V ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 ipa: DEBUG: stderr= ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains ipa: DEBUG: importing plugin module ipalib.plugins.role ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient ipa: DEBUG: importing plugin module ipalib.plugins.selfservice ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap ipa: DEBUG: importing plugin module ipalib.plugins.server ipa: DEBUG: importing plugin module ipalib.plugins.service ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation ipa: DEBUG: importing plugin module ipalib.plugins.session ipa: DEBUG: importing plugin module ipalib.plugins.stageuser ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup ipa: DEBUG: importing plugin module ipalib.plugins.sudorule ipa: DEBUG: importing plugin module ipalib.plugins.topology ipa: DEBUG: importing plugin module ipalib.plugins.trust ipa: DEBUG: importing plugin module ipalib.plugins.user ipa: DEBUG: importing plugin module ipalib.plugins.vault ipa: DEBUG: importing plugin module ipalib.plugins.virtual ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin(a)YYDEVOPS.COM' ipa: INFO: trying https://xx/ipa/json ipa: DEBUG: Created connection context.rpcclient_140659301866000 ipa: DEBUG: raw: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False) ipa: DEBUG: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False, pkey_only=False) ipa: INFO: Forwarding 'user_find' to json server 'https://xx/ipa/json' ipa: DEBUG: NSSConnection init xx ipa: DEBUG: Connecting: 10.21.117.149:0 ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server ipa: DEBUG: cert valid True for "CN=xx,O=YYDEVOPS.COM" ipa: DEBUG: handshake complete, peer = 10.21.117.149:443 ipa: DEBUG: Protocol: TLS1.2 ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ipa: DEBUG: Destroyed connection context.rpcclient_140659301866000 ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>) # klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin(a)YYDEVOPS.COM Valid starting Expires Service principal 08/29/2022 20:40:14 08/30/2022 20:40:07 krbtgt/YYDEVOPS.COM(a)YYDEVOPS.COM Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 08/29/2022 20:40:31 08/30/2022 20:40:07 HTTP/xx(a)YYDEVOPS.COM Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1 # klist -kte /etc/apache2/ipa.keytab Keytab name: FILE:/etc/apache2/ipa.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac) 5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac) 6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac) 7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac) 8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96) 9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96) 10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)

3 5

Replica not syncing
by Simon Matthews 31 Aug '22

31 Aug '22

Some time back I set up an IPA replica. The initial setup was successful, but now I see that it is not syncing. It's possible that it has never successfully synced. I suspect that something related to DNS may not be working properly. Advice on debugging and fixing this would be appreciated. # ipa-replica-manage list -v ipa2.sj.bps ipa1.sj.bps: replica last update status: Error (18) Replication error acquiring replica: Incremental update transient warning. Backing off, will retry update later. (transient warning) last update ended: 1970-01-01 00:00:00+00:00 I think that something related to DNS is not working correctly on my replica. My IPA domain is "ipa.<mycompany>.com". However, the DNS domain used on the network is "sj.bps" and the primary nameserver is not ether of the IPA servers. Both the primary and replica have DNS that works for the "sj.bps" domain to an extent. I can ping using names in the "sj.bps" domain on the replica (ipa2): [root@ipa2 ~]# ping ipa1.sj.bps. PING ipa1.sj.bps (192.168.254.18) 56(84) bytes of data. 64 bytes from ipa1.sj.bps (192.168.254.18): icmp_seq=1 ttl=64 time=0.451 ms ^C --- ipa1.sj.bps ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms But a local lookup doesn't work: [root@ipa2 ~]# dig @localhost ipa1.sj.bps. ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps. ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34740 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ipa1.sj.bps. IN A ;; Query time: 5 msec ;; SERVER: ::1#53(::1) ;; WHEN: Mon Aug 29 20:37:37 EDT 2022 ;; MSG SIZE rcvd: 40 A similar dig command on the primary works: [root@ipa1 ~]# dig @localhost ipa1.sj.bps. ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps. ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63201 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ipa1.sj.bps. IN A ;; ANSWER SECTION: ipa1.sj.bps. 2222 IN A 192.168.254.18 ;; AUTHORITY SECTION: sj.bps. 2222 IN NS ns.bps. ;; ADDITIONAL SECTION: ns.bps. 2222 IN A 192.168.254.2 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Mon Aug 29 20:38:34 EDT 2022 ;; MSG SIZE rcvd: 89

2 4

certmonger not updating
by IPA Listmail 31 Aug '22

31 Aug '22

client: el8 ipa server: el7 I created a cert via: sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f)\ -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem\ -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem Everything about the cert _appears_ to be fine. Openssl output looks normal and the puppet agent runs fine. During testing I have radically reduced the certificate validity down to 10 minutes. The output of ipa-getcert list is: Number of certificates and requests being tracked: 1. Request ID '20220830202305': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem' certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem' CA: IPA issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619 subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619 issued: 2022-08-30 21:29:11 UTC expires: 2022-08-30 21:39:11 UTC dns: ip-10-0-82-56.eu-west-1.compute.internal principal name: host/ ip-10-0-82-56.eu-west-1.compute.internal(a)DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes However, it never actually updates before (or after) expiration. I have tried restarting the service and rebooting. This is happening on two hosts. I see no failures in the log or anything in the log after the last resubmit command. I have manually used rekey and resubmit. Both worked fine. Using a blog post from Fraser, I tried start-tracking with --no-renew, then --renew. I looked for errors. The only thing that seem kind of odd to me is in /var/lib/certmonger/requests/20220830202305: last_need_notify_check=20220830205312 last_need_enroll_check=20220830205312

2 2

[SSSD] Announcing SSSD 2.7.4
by Pavel Březina 26 Aug '22

26 Aug '22

# SSSD 2.7.4 The SSSD team is announcing the release of version 2.7.4 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.7.4 See the full release notes at: https://sssd.io/release-notes/sssd-2.7.4.html RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### General information * Lock-free client support will be only built if libc provides `pthread_key_create()` and `pthread_once()`. For glibc this means version 2.34+

1 0

Ubuntu 22 and sssd 2.6.3
by Ranbir 25 Aug '22

25 Aug '22

Hello All, Has anyone successfully enrolled an Ubuntu 22 client into an AlmaLinux 9 IdM or Rocky Linux 9 IdM domain in a trust with AD _and_ managed to have consistently fast and reliable logins into that Ubuntu 22 client with AD users? I sure haven't. I have been smashing my head into a wall trying to get stupid Ubuntu 22 to work. After enabling debug_level 9, I managed to figure out that my test client was missing the krb5-pkinit package so I installed that. I also noticed errors in sssd_pac.log about the backend being offline. I eventually figured out that I needed to add "services = pac" to the client's sssd.conf. Note: I had removed the services line because in Ubuntu 22, the various services are instead started as needed via their sockets (e.g. sssd-autofs.socket, sssd-nss.socket, etc.). If you leave them defined in the services line, you get tons of errors during system startup. I've resolved those errors, but I'm still seeing extremely slow logins when it works. Usually, the login just fails. However, if I login as root and lookup AD users, they are found and returned to the terminal. The sssd.conf from the client running sssd 2.6.3 is below. If anyone has any pointers, please send them over. I wish I didn't have to get Ubuntu 22 clients working with freeipa, but I do. :( [domain/idm.domain.com] id_provider = ipa ipa_server = _srv_, p1idma01.idm.domain.com ipa_domain = idm.domain.com ipa_hostname = u22test.idm.domain.com auth_provider = ipa chpass_provider = ipa access_provider = ipa cache_credentials = True ldap_tls_cacert = /etc/ipa/ca.crt ldap_deref_threshold = 0 krb5_store_password_if_offline = True selinux_provider = none sudo_provider = ipa autofs_provider = ipa subdomains_provider = ipa session_provider = ipa hostid_provider = ipa ipa_automount_location = yow debug_level = 9 [domain/idm.domain.com/corp.ad.domain.com] ad_site = ottawa [sssd] #services = nss, pam, ssh, sudo, autofs services = pac domains = idm.domain.com debug_level = 9 [nss] default_shell = /bin/bash homedir_substring = /home debug_level = 9 [pam] debug_level = 9 [sudo] [autofs] [ssh] [pac] [ifp] [session_recording] -- Ranbir

4 9

Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert
by Erling Andersen 25 Aug '22

25 Aug '22

Hi, We have a problem connecting with CA REST API (403). Any ideas how to troubleshoot? Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers Only looking at the CA renewal master (ipa1.example.com) # ipa cert-show 1 ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json ipa: ERROR: Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403) # pki-healthcheck Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo [ { "source": "pki.server.healthcheck.meta.csconfig", "check": "CADogtagCertsConfigCheck", "result": "ERROR", "uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca", "when": "20220809080611Z", "duration": "0.164052", "kw": { "key": "ca_signing", "nickname": "caSigningCert cert-pki-ca", "directive": "ca.signing.cert", "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg", "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg" } } ] LDAP and IPA RA appear to have identical certificates and serial number: # ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description dn: uid=ipara,ou=people,o=ipaca userCertificate:: MIID...Ovix8 description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM # openssl x509 -text -in /var/lib/ipa/ra-agent.pem Serial Number: 1878982672 (0x6fff0010) Validity Not Before: Aug 8 10:02:19 2022 GMT Not After : Jul 28 10:02:19 2024 GMT -----BEGIN CERTIFICATE----- MIID...Ovix8 -----END CERTIFICATE----- PKI appear to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias: # certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial Serial Number: 1878982665 (0x6fff0009) # ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso dn: uid=pkidbuser,ou=people,o=ipaca userCertificate:: MIID...eluPug== description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM seeAlso: CN=CA Subsystem,O=EXAMPLE.COM And, the certificate in CS.cfg appears to match the caSigningCert in LDAP: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg: ca.signing.cert=MIID...yfc5a # ldapsearch -LLL -D 'cn=directory manager' -W \ -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com' dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com userCertificate:: MIID...yfc5a Additional details: # ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca dn: ou=authorities,ou=ca,o=ipaca ou: authorities objectClass: top objectClass: organizationalUnit dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca authoritySerial: 1878982673 description: Host authority authorityDN: CN=Certificate Authority,O=EXAMPLE.COM authorityEnabled: TRUE authorityKeyNickname: caSigningCert cert-pki-ca authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add objectClass: authority objectClass: top # ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com cn: ipa ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM objectClass: top objectClass: ipaca ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM description: IPA CA # certutil -L -d /etc/pki/pki-tomcat/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u ocspSigningCert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu EXAMPLE.COM IPA CA CTu,Cu,Cu EXAMPLE.COM IPA CA CTu,Cu,Cu # certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA' 3 certificates # certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca' 3 certificates (identical with above 3 certificates) # pki ca-cert-show 1878982672 Serial Number: 0x6fff0010 Subject DN: CN=IPA RA,O=EXAMPLE.COM Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM Status: VALID Not Valid Before: Mon Aug 08 12:02:19 CEST 2022 Not Valid After: Sun Jul 28 12:02:19 CEST 2024

3 4

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2022