Hello, I have a problem accessing the FreeIPA interface. I have installed FreeIPA on a CentOS 7 server; the installation was done without any errors, but I am not able to access the web interface. Do you have any idea how to fix that?
    [root@ipa]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
Hello Cyrine,
Are the firewall ports on the IPA server open?
Dirk
On 15 January 2020 09:12:54 CET, cyrine stambouli via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello, I have a problem accessing the FreeIPA interface. I have installed FreeIPA on a CentOS 7 server; the installation was done without any errors, but I am not able to access the web interface. Do you have any idea how to fix that?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello, thank you Dirk for the reply. I think yes; here is the output of netstat -aunt:
    [root@ipa ~]# netstat -aunt
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN
    tcp        0      0 10.80.1.2:53            0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0     80 10.80.1.2:22            10.80.1.101:58475       ESTABLISHED
    tcp        0      0 10.80.1.2:34656         10.80.1.2:389           ESTABLISHED
    tcp6       0      0 :::88                   :::*                    LISTEN
    tcp6       0      0 ::1:953                 :::*                    LISTEN
    tcp6       0      0 ::1:25                  :::*                    LISTEN
    tcp6       0      0 :::8443                 :::*                    LISTEN
    tcp6       0      0 :::443                  :::*                    LISTEN
    tcp6       0      0 :::636                  :::*                    LISTEN
    tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
    tcp6       0      0 :::389                  :::*                    LISTEN
    tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN
    tcp6       0      0 :::11211                :::*                    LISTEN
    tcp6       0      0 :::749                  :::*                    LISTEN
    tcp6       0      0 :::111                  :::*                    LISTEN
    tcp6       0      0 :::8080                 :::*                    LISTEN
    tcp6       0      0 :::80                   :::*                    LISTEN
    tcp6       0      0 :::464                  :::*                    LISTEN
    tcp6       0      0 :::53                   :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 10.80.1.2:389           10.80.1.2:34656         ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39268         ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39250         ESTABLISHED
    tcp6       0      0 10.80.1.2:39266         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:39262         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:39250         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:39252         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39264         ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39252         ESTABLISHED
    tcp6       0      0 10.80.1.2:39264         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39262         ESTABLISHED
    tcp6       0      0 10.80.1.2:39254         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:39258         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:39268         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39266         ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39254         ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39260         ESTABLISHED
    tcp6       0      0 10.80.1.2:39260         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:39256         10.80.1.2:636           ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39258         ESTABLISHED
    tcp6       0      0 10.80.1.2:636           10.80.1.2:39256         ESTABLISHED
    udp        0      0 0.0.0.0:899             0.0.0.0:*
    udp        0      0 0.0.0.0:11211           0.0.0.0:*
    udp        0      0 10.80.1.2:53            0.0.0.0:*
    udp        0      0 127.0.0.1:53            0.0.0.0:*
    udp        0      0 0.0.0.0:88              0.0.0.0:*
    udp        0      0 0.0.0.0:111             0.0.0.0:*
    udp        0      0 10.80.1.2:123           0.0.0.0:*
    udp        0      0 127.0.0.1:123           0.0.0.0:*
    udp        0      0 0.0.0.0:123             0.0.0.0:*
    udp        0      0 0.0.0.0:464             0.0.0.0:*
    udp6       0      0 :::899                  :::*
    udp6       0      0 :::11211                :::*
    udp6       0      0 :::53                   :::*
    udp6       0      0 :::88                   :::*
    udp6       0      0 :::111                  :::*
    udp6       0      0 fe80::20c:29ff:fe6d:123 :::*
    udp6       0      0 ::1:123                 :::*
    udp6       0      0 :::123                  :::*
    udp6       0      0 :::464                  :::*
Maybe I am blind, but I don't see an open port 443. What does "telnet (IP address of the IPA server) 443" say? If there is no output, you have to open port 443.
On 15 January 2020 10:43:16 CET, cyrine stambouli via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello, thank you Dirk for the reply. I think yes; here is the output of netstat -aunt:
Yes, it is open:
    tcp6       0      0 :::443                  :::*                    LISTEN
and telnet mentions that the IP address is connected.
On 1/15/20 9:12 AM, cyrine stambouli via FreeIPA-users wrote:
Hello, I have a problem accessing the FreeIPA interface. I have installed FreeIPA on a CentOS 7 server; the installation was done without any errors, but I am not able to access the web interface. Do you have any idea how to fix that?
Are you able to use the CLI or is it also failing? For instance:
    kinit admin
    ipa host-find
When you write, "not able to access web interface", what do you mean? If you type the URL in a browser, do you see the login web page? Is the login failing?
There are a few tips that could help you troubleshoot, please read https://www.freeipa.org/page/Troubleshooting/Administration_and_Web_UI
flo
Hello Florence, well, yes, I am able to connect with kinit admin; also, ipa host-find works correctly and I obtain the host name, principal name, principal alias and SSH public key fingerprint.
You have correctly understood what I mean: "not able to access the URL". I have the error message: Unable to connect to server at address .....
Hi Cyrine,
Where did you run the (successful) telnet test from? Localhost is treated differently, firewall-wise, in that it's not firewalled by default, while external connections are and I assume your browser test comes from outside the IPA server.
On the IPA server, first check if you are running firewalld:
    # firewall-cmd --state
If yes, list the status:
    # firewall-cmd --list-all
If not, use iptables to see what's open:
    # iptables -vnL
Regards, François
On Wed, Jan 15, 2020 at 11:25 AM cyrine stambouli via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Florence, well, yes, I am able to connect with kinit admin; also, ipa host-find works correctly and I obtain the host name, principal name, principal alias and SSH public key fingerprint.
You have correctly understood what I mean: "not able to access the URL". I have the error message: Unable to connect to server at address .....
I have this output:
    [root@ipa ~]# firewall-cmd --state
    running
    [root@ipa ~]# firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens192
      sources:
      services: dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
On Wed, Jan 15, 2020 at 11:48 AM cyrine stambouli via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I have this output:
    [root@ipa ~]# firewall-cmd --state
    running
    [root@ipa ~]# firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens192
      sources:
      services: dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
The web server is firewalled.
Note: If this server is accessible from the internet, the command below will expose your httpd server and Kerberos KDC to everyone, which is probably not what you want. With that said, the following command should fix the issue:
    # firewall-cmd --runtime-to-permanent --add-port={80/tcp,443/tcp,88/tcp,88/udp,464/tcp,464/udp,123/udp}
According to /usr/lib/firewalld/services/freeipa-ldap.xml (and freeipa-ldaps.xml) it should cover those ports already.
It could also be a DNS problem where the machine thinks it knows its IP address based on /etc/hosts but the outside world thinks it is a different machine.
rob
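The point made in the reply above, that the freeipa-ldap service already enabled in the zone should cover the ports in the suggested --add-port command, can be checked before opening anything further. This is an added example, not part of the original thread: it expands a zone's services into ports and reports which required ports are still closed. The service XML is a constructed sample in firewalld's service-file format, the zone text is trimmed from the output posted earlier, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the firewalld service-file format; read the real
# definitions from /usr/lib/firewalld/services/ on the host being checked.
SERVICE_XML = {
    "freeipa-ldap": """<service>
  <short>FreeIPA with LDAP</short>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="123"/>
  <port protocol="tcp" port="389"/>
</service>""",
}

# Zone lines trimmed from the `firewall-cmd --list-all` output in the thread.
LIST_ALL = """public (active)
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
  ports:
"""

# Ports named in the --add-port suggestion from the thread.
REQUIRED = {"80/tcp", "443/tcp", "88/tcp", "88/udp", "464/tcp", "464/udp", "123/udp"}

def zone_field(list_all, key):
    """Return the space-separated values of one 'key: ...' line of the zone."""
    for line in list_all.splitlines():
        name, _, value = line.strip().partition(":")
        if name == key:
            return value.split()
    return []

def service_ports(xml_text):
    """Return the 'port/protocol' pairs declared by a service definition."""
    root = ET.fromstring(xml_text)
    return {f'{p.get("port")}/{p.get("protocol")}' for p in root.iter("port")}

def uncovered(list_all, service_xml, required):
    """Return (required ports not opened, services with no definition loaded).
    Port ranges such as 8000-8010/tcp are not expanded in this example."""
    opened = set(zone_field(list_all, "ports"))
    unknown = []
    for svc in zone_field(list_all, "services"):
        if svc in service_xml:
            opened |= service_ports(service_xml[svc])
        else:
            unknown.append(svc)
    return sorted(required - opened), unknown
```

An empty first element means the zone already permits every required port, so a browser failure from outside has to be explained elsewhere, for example by the name resolution mismatch raised in the same reply.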
Probably yes! It's a DNS problem, so what do I have to verify? Do you have an idea?