Accessing KRB5 NFS from local system accounts
by Gordon Messmer
I'm troubleshooting a problem: A local system account (daemon) needs to
access a file on an NFS4 filesystem with sec=krb5. My understanding is
that only processes which have a Kerberos ticket are able to access
files on such a filesystem, and that seems to be the case on the system
I'm troubleshooting.
Suppose I need a keytab to identify the "daemon" user. I don't think I
want to create a new user in FreeIPA, since it would have a uid/gid that
conflict with the locally defined account. However, I think I do need a
keytab for "daemon@DOMAIN". The ipa command doesn't seem to provide a
means of creating such a principal.
Should I work directly in kadmin to create the principal and export the
keytab? Am I even on the right track?
6 years, 6 months
Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
by Fuji San
Hello,
I have trouble enrolling an ipa client.
I just installed Fedora 27 and all the packages are up-to-date.
I succeeded in enrolling 2 previous F27 clients, but this one is giving me a hard time.
Any help would be welcome.
Fuji
------
$ ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns --no-nisdomain --server=ipaserver.mydomain --domain=mydomain
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: ipaclient.mydomain
Realm: MYDOMAIN
DNS Domain: mydomain
IPA Server: ipaserver.mydomain
BaseDN: dc=mydomain
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@MYDOMAIN:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN
Issuer: CN=Certificate Authority,O=MYDOMAIN
Valid From: 2015-09-11 08:02:12
Valid Until: 2035-09-11 08:02:12
Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1.
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
-----
------
2017-11-30T10:11:50Z DEBUG Logging to /var/log/ipaclient-install.log
2017-11-30T10:11:50Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'no_ac': False, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': True, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': True, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'no_sssd': False, 'automount_location': None, 'domain_name': 'mydomain', 'servers': ['ipaserver.mydomain'], 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2017-11-30T10:11:50Z DEBUG IPA version 4.6.1-3.fc27
2017-11-30T10:11:50Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/usr/sbin/selinuxenabled
2017-11-30T10:11:50Z DEBUG Process finished, return code=1
2017-11-30T10:11:50Z DEBUG stdout=
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG Starting external process
2017-11-30T10:11:50Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2017-11-30T10:11:50Z DEBUG Process finished, return code=0
2017-11-30T10:11:50Z DEBUG stdout=enabled
2017-11-30T10:11:50Z DEBUG stderr=
2017-11-30T10:11:50Z DEBUG [IPA Discovery]
2017-11-30T10:11:50Z DEBUG Starting IPA discovery with domain=mydomain, servers=['ipaserver.mydomain'], hostname=ipaclient.mydomain
2017-11-30T10:11:50Z DEBUG Server and domain forced
2017-11-30T10:11:50Z DEBUG [Kerberos realm search]
2017-11-30T10:11:50Z DEBUG Search DNS for TXT record of _kerberos.mydomain
2017-11-30T10:11:50Z DEBUG DNS record found: "MYDOMAIN"
2017-11-30T10:11:50Z DEBUG [LDAP server check]
2017-11-30T10:11:50Z DEBUG Verifying that ipaserver.mydomain (realm MYDOMAIN) is an IPA server
2017-11-30T10:11:50Z DEBUG Init LDAP connection to: ldap://ipaserver.mydomain:389
2017-11-30T10:11:50Z DEBUG Search LDAP server for IPA base DN
2017-11-30T10:11:50Z DEBUG Check if naming context 'dc=mydomain' is for IPA
2017-11-30T10:11:50Z DEBUG Naming context 'dc=mydomain' is a valid IPA context
2017-11-30T10:11:50Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain (sub)
2017-11-30T10:11:50Z DEBUG Found: cn=MYDOMAIN,cn=kerberos,dc=mydomain
2017-11-30T10:11:50Z DEBUG Discovery result: Success; server=ipaserver.mydomain, domain=mydomain, kdc=ipaserver.mydomain, basedn=dc=mydomain
2017-11-30T10:11:50Z DEBUG Validated servers: ipaserver.mydomain
2017-11-30T10:11:50Z DEBUG will use discovered domain: mydomain
2017-11-30T10:11:50Z DEBUG Using servers from command line, disabling DNS discovery
2017-11-30T10:11:50Z DEBUG will use provided server: ipaserver.mydomain
2017-11-30T10:11:50Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2017-11-30T10:11:50Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all mydomaintions and will not fail over to other servers in case of failure.
2017-11-30T10:11:53Z DEBUG will use discovered realm: MYDOMAIN
2017-11-30T10:11:53Z DEBUG will use discovered basedn: dc=mydomain
2017-11-30T10:11:53Z INFO Client hostname: ipaclient.mydomain
2017-11-30T10:11:53Z DEBUG Hostname source: Machine's FQDN
2017-11-30T10:11:53Z INFO Realm: MYDOMAIN
2017-11-30T10:11:53Z DEBUG Realm source: Discovered from LDAP DNS records in ipaserver.mydomain
2017-11-30T10:11:53Z INFO DNS Domain: mydomain
2017-11-30T10:11:53Z DEBUG DNS Domain source: Forced
2017-11-30T10:11:53Z INFO IPA Server: ipaserver.mydomain
2017-11-30T10:11:53Z DEBUG IPA Server source: Provided as option
2017-11-30T10:11:53Z INFO BaseDN: dc=mydomain
2017-11-30T10:11:53Z DEBUG BaseDN source: From IPA server ldap://ipaserver.mydomain:389
2017-11-30T10:11:55Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:11:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:11:55Z DEBUG Starting external process
2017-11-30T10:11:55Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r MYDOMAIN
2017-11-30T10:11:55Z DEBUG Process finished, return code=3
2017-11-30T10:11:55Z DEBUG stdout=
2017-11-30T10:11:55Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2017-11-30T10:11:55Z INFO Skipping synchronizing time with NTP server.
2017-11-30T10:11:58Z DEBUG will use principal provided as option: admin
2017-11-30T10:11:58Z DEBUG Starting external process
2017-11-30T10:11:58Z DEBUG args=keyctl get_persistent @s 0
2017-11-30T10:11:58Z DEBUG Process finished, return code=0
2017-11-30T10:11:58Z DEBUG stdout=227339787
2017-11-30T10:11:58Z DEBUG stderr=
2017-11-30T10:11:58Z DEBUG Enabling persistent keyring CCACHE
2017-11-30T10:11:58Z DEBUG Writing Kerberos configuration to /tmp/tmp5wx608ci:
2017-11-30T10:11:58Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN = {
kdc = ipaserver.mydomain:88
master_kdc = ipaserver.mydomain:88
admin_server = ipaserver.mydomain:749
kpasswd_server = ipaserver.mydomain:464
default_domain = mydomain
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
ipaclient.mydomain = MYDOMAIN
2017-11-30T10:12:03Z DEBUG Initializing principal admin@MYDOMAIN using password
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=/usr/bin/kinit admin@MYDOMAIN -c /tmp/krbcct8vze36h/ccache
2017-11-30T10:12:03Z DEBUG Process finished, return code=0
2017-11-30T10:12:03Z DEBUG stdout=Password for admin@MYDOMAIN:
2017-11-30T10:12:03Z DEBUG stderr=
2017-11-30T10:12:03Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.mydomain
2017-11-30T10:12:03Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.mydomain:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f20e73c5b70>
2017-11-30T10:12:03Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN
Issuer: CN=Certificate Authority,O=MYDOMAIN
Valid From: 2015-09-11 08:02:12
Valid Until: 2035-09-11 08:02:12
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=/usr/sbin/ipa-join -s ipaserver.mydomain -b dc=mydomain -h ipaclient.mydomain
2017-11-30T10:12:03Z DEBUG Process finished, return code=17
2017-11-30T10:12:03Z DEBUG stdout=
2017-11-30T10:12:03Z DEBUG stderr=HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200
2017-11-30T10:12:03Z ERROR Installation failed. Rolling back changes.
2017-11-30T10:12:03Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:12:03Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:03Z DEBUG Starting external process
2017-11-30T10:12:03Z DEBUG args=ipa-client-automount --uninstall --debug
2017-11-30T10:12:04Z DEBUG Process finished, return code=1
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=IPA client is not configured on this system
2017-11-30T10:12:04Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1.
2017-11-30T10:12:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-11-30T10:12:04Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n IPA Machine Certificate - ipaclient.mydomain -a -f /etc/pki/nssdb/pwdfile.txt
2017-11-30T10:12:04Z DEBUG Process finished, return code=255
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - ipaclient.mydomain
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl start certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl is-active certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=active
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl stop certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/bin/systemctl disable certmonger.service
2017-11-30T10:12:04Z DEBUG Process finished, return code=0
2017-11-30T10:12:04Z DEBUG stdout=
2017-11-30T10:12:04Z DEBUG stderr=
2017-11-30T10:12:04Z INFO Disabling client Kerberos and LDAP configurations
2017-11-30T10:12:04Z DEBUG Starting external process
2017-11-30T10:12:04Z DEBUG args=/usr/sbin/authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir --update
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Error while moving /etc/sssd/sssd.conf to /etc/sssd/sssd.conf.deleted
2017-11-30T10:12:05Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl stop sssd.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable sssd.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=Removed /etc/systemd/system/multi-user.target.wants/sssd.service.
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable fedora-domainname.service
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Starting external process
2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full
2017-11-30T10:12:05Z DEBUG Process finished, return code=0
2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE
2017-11-30T10:12:05Z DEBUG stderr=
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-11-30T10:12:05Z INFO Client uninstall complete.
2017-11-30T10:12:05Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 336, in run
cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run
self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute
for _nothing in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install
for _nothing in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3624, in main
install(self)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2346, in install
_install(options)
File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2568, in _install
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2017-11-30T10:12:05Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2017-11-30T10:12:05Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
(END)
---------
6 years, 6 months
FreeIPA setup third party ssl from Comodo
by randrewg@gmail.com
Hello!
Guys, I had set up FreeIPA 4.5 on Centos 7 with self-signed SSL cert.
Now I want to install my main wildcard cert (from Comodo CA) for domain where IPA-server located, just for web-service, so web browsers won't complain to users about ssl.
As expected - when I'm trying to do:
# ipa-server-certinstall -w comodo.crt comodo.key
I'm getting:
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.
I've found on https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/9...
all CA certs for Comodo and set them up via
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
As pointed out on https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But nonetheless, when I try ipa-server-certinstall after that, I get the above error anyway.
I'm starting to go crazy with it and don't know what I should do to solve this :(
Help me please!
Thank you.
6 years, 6 months
Replication failed after ipa-server-upgrade
by skrawczenko@gmail.com
My cluster has been successfully working for over a year with version 4.2.
I have a replica of two ipa nodes and winsync.
I tried to upgrade (ipa-server-upgrade) and the replica seems to be ruined after it.
I can't even check its status:
[root@idm0 ~]# ipa-replica-manage list --verbose
Traceback (most recent call last):
File "/usr/sbin/ipa-replica-manage", line 1615, in <module>
main(options, args)
File "/usr/sbin/ipa-replica-manage", line 1548, in main
options.nolookup)
File "/usr/sbin/ipa-replica-manage", line 197, in list_replicas
config_string = ent.single_value['ipaConfigString']
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 564, in __getitem__
value = self._entry[name]
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 442, in __getitem__
return self._get_nice(name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 409, in _get_nice
name = self._get_attr_name(name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 405, in _get_attr_name
name = self._names[name]
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 583, in __getitem__
return super(CIDict, self).__getitem__(key.lower())
KeyError: u'ipaconfigstring'
Unexpected error: u'ipaconfigstring'
Please, any advice on how to restore replication and winsync after the upgrade? This is quite critical.
6 years, 6 months
Update of compat tree after change of AD user attributes
by Lenhardt, Matthias
Hi,
any recommendations on how to best update the compat tree after changes of AD user attributes?
We use IPA 4.5 with AD trust. After modification of an AD user attribute, e.g. loginShell, the compat tree doesn't get updated automatically and so the unix/linux user can't enjoy his new shell.
According to Red Hat's knowledge base article https://access.redhat.com/solutions/1503713 the only way is to restart dirsrv ...
Maybe there's a better way to achieve this.
Thanks in advance!
Kind regards
Matthias Lenhardt
System Administrator
BITMARCK Beratung GmbH
Registered office: Putzbrunner Straße 93, 81739 München
Managing Director: Christian Niklaus
Register court: Amtsgericht München HRB 130163
6 years, 6 months
ipa-client-install --uninstall commands
by barrykfl@gmail.com
Dear all:
Simple question: is this command enough to disjoin from an existing IPA
master?
I want to test some servers that joined a master. Can
ipa-client-install --uninstall
remove all config from my master server?
Regards
Barry
6 years, 6 months
Special admin account for one server/host only?
by Rob Morin
Hello all...
I was wondering if someone could help me out: is it possible to have a
user administer only one host/server? Meaning they would log on to the
freeipa gui and be able to change a password or lock an account for one
host only. In our case it is our sftp server, where someone else wants to
administer it when I am not around, like adding a user and so on.
Is this possible?
Thanks...
--
Rob Morin
Systems/Network Administrator
Hardent Inc.
6 years, 6 months
X509v3 Subject Alternative Name in IPA master Webserver certificate
by dbischof@hrz.uni-kassel.de
Dear list,
one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki and a
DAViCal instance besides IPA. DNS is external (not managed by IPA) and I
asked the DNS admin to create CNAMEs wiki.example.com and cal.example.com
that point to master.example.com.
That works, but my users get browser warnings "SSL_ERROR_BAD_CERT_DOMAIN"
upon first connect via the CNAMEs and have to allow exceptions.
Unbeautiful.
Therefore, I force-created dummy hosts in IPA and let them be managed by
master.example.com:
$ ipa host-add wiki.example.com --force
$ ipa service-add HTTP/wiki.example.com --force
$ ipa service-add-host HTTP/wiki.example.com --host master.example.com
If I revoked the certificate for HTTP/master.example.com now (I didn't
dare yet), would a new certificate be created that contains
wiki.example.com as X509v3 Subject Alternative Name? It probably isn't
that easy, right?
Kind regards/With best regards,
--Daniel.
6 years, 6 months
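A quick way to see which DNS names a certificate actually covers before relying on it for the CNAMEs above. This is an added example, not code from the original post or from FreeIPA; it builds a throwaway self-signed certificate with constructed names and assumes OpenSSL 1.1.1 or newer (for -addext and -ext).

```shell
#!/bin/sh
# Added example: create a constructed sample certificate whose SAN lists the
# master plus two CNAMEs, then check hostnames against that SAN list.
# Assumes OpenSSL >= 1.1.1. All hostnames here are constructed sample values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: cert for master.example.com that also lists the CNAMEs.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=master.example.com" \
    -addext "subjectAltName=DNS:master.example.com,DNS:wiki.example.com,DNS:cal.example.com" \
    >/dev/null 2>&1
}

# Print the DNS entries of the certificate's SAN extension, one per line.
cert_san_dns() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 if the SAN list names the host exactly (wildcards deliberately
# not handled; an unlisted name is what triggers SSL_ERROR_BAD_CERT_DOMAIN).
cert_covers() {
  cert_san_dns "$1" | grep -qx "$2"
}

make_sample_cert
for name in master.example.com wiki.example.com cal.example.com other.example.com; do
  if cert_covers "$WORK/cert.pem" "$name"; then
    echo "$name: covered by SAN"
  else
    echo "$name: NOT covered by SAN"
  fi
done
```

Point cert_san_dns at the HTTP certificate a server is really serving (for example one saved from the browser) to see whether the CNAMEs are present.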
DNS forwarder broken
by Ken Bass
I am running on the latest Centos 7 with a system that has been working
for quite some time. The only thing that I think has changed has been
keeping the system up to date with yum.
DNS forwarding no longer works. On the DNS Global Configuration page I
have a Global forwarders IP listed as forward only but it does not work.
Running ipa dnsconfig-show on my workstation returns nothing. However,
running on the IPA server returns something.
I manually added a specific forward zone for a specific domain and that
works.
6 years, 6 months
Using pam_krb5 to change password at ssh prompt gives shell
by Aaron Hicks
Hello the list,
As a workaround for another issue we have with using two-factor
authentication, we're using pam_krb5 to change expired passwords, so in
/etc/pam.d/password-auth-ac we have changed the password section to be:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so chpw_prompt=true use_authtok banner=Retype
This puts the user through a password reset process without the second
factor interfering, but at the end they get shell. This is without the
second factor.
Is there a parameter for this so that the connection is disconnected instead, or
the connection attempt is restarted?
I've also tried changing the pam control 'sufficient' from:
[success=done new_authtok_reqd=done default=ignore]
To
[default=ignore]
Regards,
Aaron Hicks
6 years, 6 months