error in FreeIPA UI login page
by Elhamsadat Azarian
Dear friends
I installed FreeIPA on CentOS 7 with external DNS and internal CA server.
It finished successfully but with a failed message about installing client components!
Anyway I open a web browser and browse the FreeIPA page. It showed and I add an exception for the certificate.
Then the login page appeared. I inserted the admin user and password but it showed an error: "Invalid CA renewal master. All masters must have CA server role enabled"
4 years, 12 months
IPA users and local groups question
by Jeff Goddard
First off, thanks to everyone who makes FreeIPA. It's an awesome product that
we love.
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts' "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are CentOS 7.2
and the clients are Ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Jeff
4 years, 12 months
Error in FreeIPA UI login page
by Elham Sadat Azarian
Hi
Following my last post about the error in the login page ("Invalid CA renewal master. All masters must have CA server role enabled"), you said it's due to the client installation failing, so I attached the log of the client installation.
I would appreciate it if you could help me with the error. Thanks
4 years, 12 months
Re: error in FreeIPA UI login page
by Elhamsadat Azarian
Hi Rob
I checked ipaclient-install.log.
I think this part is the problem. I attached the pic.
My DNS server name has taken two domains "shs.dc", I don't know why!
On Mon, 10 Jun 2019, 18:04 Elhamsadat Azarian, <elhamsadat.az(a)gmail.com>
wrote:
> Really, thanks for your quick response.
> Rob, I will search the log file tomorrow and report to you.
>
>
> On Mon, 10 Jun 2019, 17:46 Rob Crittenden, <rcritten(a)redhat.com> wrote:
>
>> Elhamsadat Azarian wrote:
>> > Hi Rob
>> > Thanks for your email.
>> > But I installed ipa-server. I don't know why it tries to install client
>> > components!
>>
>> The client installer is needed because sssd, etc needs to be configured
>> on a server as well.
>>
>> The error you are seeing is because the client installation failed, so the
>> server installation is not complete.
>>
>> > Client hostname is set to the IPA server hostname and I don't know when I
>> > gave it a client hostname and how I can change it.
>>
>> A separate hostname is not needed. The server is a client of itself.
>>
>> rob
>>
>> >
>> > On Mon, 10 Jun 2019, 16:56 Rob Crittenden, <rcritten(a)redhat.com
>> > <mailto:rcritten@redhat.com>> wrote:
>> >
>> > Elhamsadat Azarian via FreeIPA-users wrote:
>> > > Dear friends
>> > > I installed FreeIPA on CentOS 7 with external DNS and internal CA
>> > server.
>> > > It finished successfully but with a failed message about installing
>> > client components!
>> > > Anyway I open a web browser and browse the FreeIPA page. It showed and
>> > I add an exception for the certificate.
>> > > Then the login page appeared. I inserted the admin user and password but
>> > it showed an error: "Invalid CA renewal master. All masters must have
>> > CA server role enabled"
>> >
>> > It didn't install successfully if the client configuration failed.
>> > You'll need to look at /var/log/ipaclient-install.log to see why it
>> > failed.
>> >
>> > rob
>> >
>>
>>
4 years, 12 months
Re: krb5_child always reports going offline when trying to login
by Robert Sturrock
OK, here is the output (quite slow in doing the second kinit but did succeed in the end):
# KRB5CCNAME=FILE:/tmp/armor_ccache kinit -k 'host/ipa-server.localdomain@LOCALREALM'
# KRB5_TRACE=/dev/stdout kinit -T FILE:/tmp/armor_ccache rns@LOCALREALM
[59156] 1560216478.835910: Getting initial credentials for rns@LOCALREALM
[59156] 1560216478.835911: FAST armor ccache: FILE:/tmp/armor_ccache
[59156] 1560216478.835912: Retrieving host/ipa-server.localdomain@LOCALREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: from FILE:/tmp/armor_ccache with result: 0/Success
[59156] 1560216478.835913: Read config in FILE:/tmp/armor_ccache for krbtgt/LOCALREALM@LOCALREALM: fast_avail: yes
[59156] 1560216478.835914: Using FAST due to armor ccache negotiation result
[59156] 1560216478.835915: Getting credentials host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM using ccache FILE:/tmp/armor_ccache
[59156] 1560216478.835916: Retrieving host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM from FILE:/tmp/armor_ccache with result: 0/Success
[59156] 1560216478.835917: Armor ccache sesion key: aes256-cts/DD29
[59156] 1560216478.835919: Creating authenticator for host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM, seqnum 0, subkey aes256-cts/F86D, session key aes256-cts/DD29
[59156] 1560216478.835921: FAST armor key: aes256-cts/6B25
[59156] 1560216478.835923: Sending unauthenticated request
[59156] 1560216478.835924: Encoding request body and padata into FAST request
[59156] 1560216478.835925: Sending request (1790 bytes) to LOCALREALM
[59156] 1560216478.835926: Initiating TCP connection to stream 172.22.6.6:88
[59156] 1560216478.835927: Sending TCP request to stream 172.22.6.6:88
[59156] 1560216488.846431: Sending initial UDP request to dgram 172.22.6.6:88
[59156] 1560216491.848556: Sending retry UDP request to dgram 172.22.6.6:88
[59156] 1560216494.267665: Received answer (640 bytes) from dgram 172.22.6.6:88
[59156] 1560216494.267666: Terminating TCP connection to stream 172.22.6.6:88
[59156] 1560216494.267667: Response was from master KDC
[59156] 1560216494.267668: Received error from KDC: -1765328359/Additional pre-authentication required
[59156] 1560216494.267669: Decoding FAST response
[59156] 1560216494.267672: Preauthenticating using KDC method data
[59156] 1560216494.267673: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[59156] 1560216494.267674: Selected etype info: etype aes256-cts, salt ";A*b)Z`R_}=lEJ&a", params ""
[59156] 1560216494.267675: Received cookie: MIT
[59156] 1560216494.267676: PKINIT client has no configured identity; giving up
[59156] 1560216494.267677: Preauth module pkinit (147) (info) returned: 0/Success
[59156] 1560216494.267678: PKINIT client has no configured identity; giving up
[59156] 1560216494.267679: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[59156] 1560216494.267680: PKINIT client has no configured identity; giving up
[59156] 1560216494.267681: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for rns@LOCALREALM:
[59156] 1560216500.214090: Preauth module encrypted_challenge (138) (real) returned: 0/Success
[59156] 1560216500.214091: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
[59156] 1560216500.214092: Encoding request body and padata into FAST request
[59156] 1560216500.214093: Sending request (1889 bytes) to LOCALREALM
[59156] 1560216500.214094: Initiating TCP connection to stream 172.22.6.6:88
[59156] 1560216500.214095: Sending TCP request to stream 172.22.6.6:88
[59156] 1560216500.214096: Received answer (1101 bytes) from stream 172.22.6.6:88
[59156] 1560216500.214097: Terminating TCP connection to stream 172.22.6.6:88
[59156] 1560216500.214098: Response was not from master KDC
[59156] 1560216500.214099: Decoding FAST response
[59156] 1560216500.214100: Processing preauth types: PA-ETYPE-INFO2 (19), PA-ENCRYPTED-CHALLENGE (138)
[59156] 1560216500.214101: Selected etype info: etype aes256-cts, salt ";A*b)Z`R_}=lEJ&a", params ""
[59156] 1560216500.214102: Preauth module encrypted_challenge (138) (real) returned: 0/Success
[59156] 1560216500.214103: Produced preauth for next request: (empty)
[59156] 1560216500.214104: AS key determined by preauth: aes256-cts/F080
[59156] 1560216500.214105: FAST reply key: aes256-cts/6C07
[59156] 1560216500.214106: Decrypted AS reply; session key is: aes256-cts/3A0A
[59156] 1560216500.214107: FAST negotiation: available
[59156] 1560216500.214108: Initializing KEYRING:persistent:0:0 with default princ rns@LOCALREALM
[59156] 1560216500.214109: Storing rns@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM in KEYRING:persistent:0:0
[59156] 1560216500.214110: Storing config in KEYRING:persistent:0:0 for krbtgt/LOCALREALM@LOCALREALM: fast_avail: yes
[59156] 1560216500.214111: Storing rns@LOCALREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: in KEYRING:persistent:0:0
[59156] 1560216500.214112: Storing config in KEYRING:persistent:0:0 for krbtgt/LOCALREALM@LOCALREALM: pa_type: 138
[59156] 1560216500.214113: Storing rns@LOCALREALM -> krb5_ccache_conf_data/pa_type/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: in KEYRING:persistent:0:0
Regards,
Robert.
4 years, 12 months
Interaction with web services is crashing ipa
by Marc Boorshtein
Seeing a very odd issue. When we make web services calls to IPA, sssd
crashes. This started happening within the last few days after onboarding
new members (hosts, not people) of the domain. I'm wondering if there's
some kind of database corruption? The LDAP services are all OK. Here are
the error logs from /var/log/messages:
Jun 10 16:24:51 freeipa1 abrt-hook-ccpp: Process 2823 (sssd_be) of user 0
killed by SIGABRT - dumping core
Jun 10 16:24:51 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:24:51 freeipa1 abrt-server: Duplicate: core backtrace
Jun 10 16:24:51 freeipa1 abrt-server: DUP_OF_DIR:
/var/spool/abrt/ccpp-2019-06-07-12:08:45-936
Jun 10 16:24:51 freeipa1 abrt-server: Deleting problem directory
ccpp-2019-06-10-16:24:51-2823 (dup of ccpp-2019-06-07-12:08:45-936)
Jun 10 16:24:51 freeipa1 dbus[874]: [system] Activating service
name='org.freedesktop.problems' (using servicehelper)
Jun 10 16:24:51 freeipa1 dbus[874]: [system] Successfully activated service
'org.freedesktop.problems'
Jun 10 16:24:51 freeipa1 abrt-server: Email address of sender was not
specified. Would you like to do so now? If not, 'user@localhost' is to be
used [y/N]
Jun 10 16:24:51 freeipa1 abrt-server: Email address of receiver was not
specified. Would you like to do so now? If not, 'root@localhost' is to be
used [y/N]
Jun 10 16:24:51 freeipa1 abrt-server: Sending an email...
Jun 10 16:24:51 freeipa1 abrt-server: Sending a notification email to:
root@localhost
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabftFudt
Jun 10 16:24:51 freeipa1 abrt-server: Email was sent to: root@localhost
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabgUy4NG
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabZAy7NU
Jun 10 16:24:52 freeipa1 abrt-hook-ccpp: Process 2845 (sssd_be) of user 0
killed by SIGABRT - ignoring (repeated crash)
Jun 10 16:24:54 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:24:54 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabiaqYNk
Jun 10 16:24:54 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabY4XRrH
Jun 10 16:24:55 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytab5Qenw4
Jun 10 16:24:57 freeipa1 abrt-hook-ccpp: Process 2871 (sssd_be) of user 0
killed by SIGABRT - ignoring (repeated crash)
Jun 10 16:25:01 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:25:01 freeipa1 systemd: Created slice User Slice of pcp.
Jun 10 16:25:01 freeipa1 systemd: Starting User Slice of pcp.
Jun 10 16:25:01 freeipa1 systemd: Started Session 9 of user pcp.
Jun 10 16:25:01 freeipa1 systemd: Starting Session 9 of user pcp.
Jun 10 16:25:01 freeipa1 systemd: Removed slice User Slice of pcp.
Jun 10 16:25:01 freeipa1 systemd: Stopping User Slice of pcp.
Jun 10 16:25:07 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabDhS9wO
Jun 10 16:25:07 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabXv4vAK
Jun 10 16:25:11 freeipa1 abrt-hook-ccpp: Process 2888 (sssd_be) of user 0
killed by SIGABRT - dumping core
Jun 10 16:25:11 freeipa1 sssd: Exiting the SSSD. Could not restart critical
service [data.domain.com].
Jun 10 16:25:11 freeipa1 sssd[pac]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[ssh]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[pam]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[ifp]: Shutting down
Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] = org
path[1] = freedesktop) which isn't registered
Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] = org
path[1] = freedesktop) which isn't registered
Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] = org
path[1] = freedesktop) which isn't registered
Jun 10 16:25:11 freeipa1 sssd[nss]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[sudo]: Shutting down
Jun 10 16:25:11 freeipa1 systemd: sssd.service: main process exited,
code=exited, status=1/FAILURE
Jun 10 16:25:11 freeipa1 systemd: Unit sssd.service entered failed state.
Jun 10 16:25:11 freeipa1 systemd: sssd.service failed.
Jun 10 16:25:11 freeipa1 abrt-server: Duplicate: core backtrace
Jun 10 16:25:11 freeipa1 abrt-server: DUP_OF_DIR:
/var/spool/abrt/ccpp-2019-06-07-12:08:45-936
Jun 10 16:25:11 freeipa1 abrt-server: Deleting problem directory
ccpp-2019-06-10-16:25:11-2888 (dup of ccpp-2019-06-07-12:08:45-936)
Jun 10 16:25:11 freeipa1 abrt-server: Email address of sender was not
specified. Would you like to do so now? If not, 'user@localhost' is to be
used [y/N]
Jun 10 16:25:11 freeipa1 abrt-server: Email address of receiver was not
specified. Would you like to do so now? If not, 'root@localhost' is to be
used [y/N]
Jun 10 16:25:11 freeipa1 abrt-server: Sending an email...
Jun 10 16:25:11 freeipa1 abrt-server: Sending a notification email to:
root@localhost
Jun 10 16:25:11 freeipa1 abrt-server: Email was sent to: root@localhost
Here are the logs from httpd:
[Mon Jun 10 16:36:16.050489 2019] [auth_gssapi:error] [pid 2012] [client
X.X.X.X:47040] NO AUTH DATA Client did not send any authentication headers
[Mon Jun 10 16:36:16.266300 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: group_find(u'',
sizelimit=u'0', pkey_only=u'true'): SUCCESS
[Mon Jun 10 16:36:16.268858 2019] [:warn] [pid 2787] [client X.X.X.X:47042]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:16.286936 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:17.570595 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'applications-openshift',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.758992 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch:
group_show(u'applications-openshift-keytabs', no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.762565 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'approvers-infrastructure',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.763886 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'editors',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.766866 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'infrastructure-admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.768170 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'ipausers',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.769203 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'trust admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:21.769403 2019] [:error] [pid 2009] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: batch(({u'params':
([u'admins'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'applications-openshift'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params':
([u'applications-openshift-keytabs'], {u'no_members': u'true'}), u'method':
u'group_show', u'id': 0}, {u'params': ([u'approvers-infrastructure'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'editors'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'infrastructure-admins'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params': ([u'ipausers'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'trust admins'], {u'no_members': u'true'}), u'method': u'group_show',
u'id': 0})): SUCCESS
[Mon Jun 10 16:36:21.775349 2019] [:warn] [pid 2787] [client X.X.X.X:47042]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:21.802952 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM:
idoverrideuser_show(u'Default Trust View', u'user(a)domain.com',
rights=False, all=True): SUCCESS
[Mon Jun 10 16:36:21.869183 2019] [auth_gssapi:error] [pid 2685] [client
X.X.X.X:47054] NO AUTH DATA Client did not send any authentication headers
[Mon Jun 10 16:36:22.050937 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: group_find(u'',
sizelimit=u'0', pkey_only=u'true'): SUCCESS
[Mon Jun 10 16:36:22.053821 2019] [:warn] [pid 2014] [client X.X.X.X:47056]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:22.074007 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.334145 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'applications-openshift',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.555629 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch:
group_show(u'applications-openshift-keytabs', no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.575277 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'approvers-infrastructure',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.576704 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'editors',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.578262 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'infrastructure-admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.579398 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'ipausers',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.580488 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'trust admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.580653 2019] [:error] [pid 2009] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: batch(({u'params':
([u'admins'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'applications-openshift'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params':
([u'applications-openshift-keytabs'], {u'no_members': u'true'}), u'method':
u'group_show', u'id': 0}, {u'params': ([u'approvers-infrastructure'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'editors'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'infrastructure-admins'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params': ([u'ipausers'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'trust admins'], {u'no_members': u'true'}), u'method': u'group_show',
u'id': 0})): SUCCESS
[Mon Jun 10 16:36:36.584869 2019] [:warn] [pid 2014] [client X.X.X.X:47056]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:36.607421 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM:
idoverrideuser_show(u'Default Trust View', u'user(a)domain.com',
rights=False, all=True): NotFound
[Mon Jun 10 16:36:36.702126 2019] [auth_gssapi:error] [pid 2012] [client
X.X.X.X:47068] NO AUTH DATA Client did not send any authentication headers
[Mon Jun 10 16:36:36.875245 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: group_find(u'',
sizelimit=u'0', pkey_only=u'true'): SUCCESS
[Mon Jun 10 16:36:36.877648 2019] [:warn] [pid 2013] [client X.X.X.X:47070]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:36.898421 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.900574 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'applications-openshift',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.902432 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch:
group_show(u'applications-openshift-keytabs', no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.903783 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'approvers-infrastructure',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.904848 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'editors',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.906110 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'infrastructure-admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.907088 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'ipausers',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.908196 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'trust admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:36.908404 2019] [:error] [pid 2009] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: batch(({u'params':
([u'admins'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'applications-openshift'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params':
([u'applications-openshift-keytabs'], {u'no_members': u'true'}), u'method':
u'group_show', u'id': 0}, {u'params': ([u'approvers-infrastructure'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'editors'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'infrastructure-admins'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params': ([u'ipausers'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'trust admins'], {u'no_members': u'true'}), u'method': u'group_show',
u'id': 0})): SUCCESS
[Mon Jun 10 16:36:36.915960 2019] [:warn] [pid 2013] [client X.X.X.X:47070]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:36.938184 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM:
idoverrideuser_show(u'Default Trust View', u'user(a)domain.com',
rights=False, all=True): NotFound
[Mon Jun 10 16:36:36.998127 2019] [auth_gssapi:error] [pid 2685] [client
X.X.X.X:47074] NO AUTH DATA Client did not send any authentication headers
[Mon Jun 10 16:36:37.174673 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: group_find(u'',
sizelimit=u'0', pkey_only=u'true'): SUCCESS
[Mon Jun 10 16:36:37.180021 2019] [:warn] [pid 2010] [client X.X.X.X:47076]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:37.199364 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.201877 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'applications-openshift',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.204011 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch:
group_show(u'applications-openshift-keytabs', no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.205837 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'approvers-infrastructure',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.206975 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'editors',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.208494 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'infrastructure-admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.209613 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'ipausers',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.211233 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'trust admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.211435 2019] [:error] [pid 2009] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: batch(({u'params':
([u'admins'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'applications-openshift'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params':
([u'applications-openshift-keytabs'], {u'no_members': u'true'}), u'method':
u'group_show', u'id': 0}, {u'params': ([u'approvers-infrastructure'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'editors'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'infrastructure-admins'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params': ([u'ipausers'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'trust admins'], {u'no_members': u'true'}), u'method': u'group_show',
u'id': 0})): SUCCESS
[Mon Jun 10 16:36:37.214743 2019] [:warn] [pid 2010] [client X.X.X.X:47076]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:37.232248 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM:
idoverrideuser_show(u'Default Trust View', u'user(a)domain.com',
rights=False, all=True): NotFound
[Mon Jun 10 16:36:37.400208 2019] [auth_gssapi:error] [pid 2012] [client
X.X.X.X:47078] NO AUTH DATA Client did not send any authentication headers
[Mon Jun 10 16:36:37.550208 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: group_find(u'',
sizelimit=u'0', pkey_only=u'true'): SUCCESS
[Mon Jun 10 16:36:37.557728 2019] [:warn] [pid 2011] [client X.X.X.X:47082]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:37.576635 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.579153 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'applications-openshift',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.581039 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch:
group_show(u'applications-openshift-keytabs', no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.582622 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'approvers-infrastructure',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.584955 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'editors',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.586773 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'infrastructure-admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.587765 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'ipausers',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.588728 2019] [:error] [pid 2009] ipa: INFO:
sa-unison-admin(a)DOMAIN.COM: batch: group_show(u'trust admins',
no_members=u'true'): SUCCESS
[Mon Jun 10 16:36:37.588908 2019] [:error] [pid 2009] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM: batch(({u'params':
([u'admins'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'applications-openshift'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params':
([u'applications-openshift-keytabs'], {u'no_members': u'true'}), u'method':
u'group_show', u'id': 0}, {u'params': ([u'approvers-infrastructure'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'editors'], {u'no_members': u'true'}), u'method': u'group_show', u'id':
0}, {u'params': ([u'infrastructure-admins'], {u'no_members': u'true'}),
u'method': u'group_show', u'id': 0}, {u'params': ([u'ipausers'],
{u'no_members': u'true'}), u'method': u'group_show', u'id': 0}, {u'params':
([u'trust admins'], {u'no_members': u'true'}), u'method': u'group_show',
u'id': 0})): SUCCESS
[Mon Jun 10 16:36:37.592774 2019] [:warn] [pid 2011] [client X.X.X.X:47082]
failed to set perms (3140) on file (/var/run/ipa/ccaches/
sa-unison-admin(a)DOMAIN.COM)!, referer: https://freeipa1.DOMAIN.COM/ipa/ui/
[Mon Jun 10 16:36:37.609236 2019] [:error] [pid 2008] ipa: INFO:
[jsonserver_session] sa-unison-admin(a)DOMAIN.COM:
idoverrideuser_show(u'Default Trust View', u'user(a)domain.com',
rights=False, all=True): NotFound
Here's IPA's info:
red hat release - CentOS Linux release 7.5.1804 (Core)
packages:
python2-ipaserver-4.5.4-10.el7.centos.noarch
sssd-ipa-1.16.0-19.el7.x86_64
python2-ipalib-4.5.4-10.el7.centos.noarch
ipa-common-4.5.4-10.el7.centos.noarch
ipa-client-4.5.4-10.el7.centos.x86_64
python-libipa_hbac-1.16.0-19.el7.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
ipa-server-dns-4.5.4-10.el7.centos.noarch
python2-ipaclient-4.5.4-10.el7.centos.noarch
ipa-server-trust-ad-4.5.4-10.el7.centos.x86_64
libipa_hbac-1.16.0-19.el7.x86_64
ipa-client-common-4.5.4-10.el7.centos.noarch
ipa-server-common-4.5.4-10.el7.centos.noarch
This has taken out access to our OKD cluster, so any help would be greatly
appreciated on how to debug this issue.
Thanks
Marc
4 years, 12 months
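A triage helper for the crash loop visible in the /var/log/messages excerpt above, added here as an example and not part of the original post or of sssd/FreeIPA: it parses syslog-style lines, counts the abrt SIGABRT events for sssd_be and the backend restarts between them, and reports when the sssd monitor gives up on its critical service. The sample lines are constructed for the example, modelled on the posted log.

```python
"""Summarise an sssd_be crash loop from /var/log/messages lines.

Added example (not code from the original post or from sssd/FreeIPA).
Given syslog lines, it extracts the abrt "killed by SIGABRT" events for
sssd_be, counts backend "Starting up" restarts, and records the point at
which the sssd monitor exits because it could not restart the backend.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the posted log (lines unwrapped).
SAMPLE_LOG = """\
Jun 10 16:24:51 freeipa1 abrt-hook-ccpp: Process 2823 (sssd_be) of user 0 killed by SIGABRT - dumping core
Jun 10 16:24:51 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in: /var/lib/sss/keytabs/domain.com.keytabftFudt
Jun 10 16:24:52 freeipa1 abrt-hook-ccpp: Process 2845 (sssd_be) of user 0 killed by SIGABRT - ignoring (repeated crash)
Jun 10 16:24:54 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:24:57 freeipa1 abrt-hook-ccpp: Process 2871 (sssd_be) of user 0 killed by SIGABRT - ignoring (repeated crash)
Jun 10 16:25:01 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:25:01 freeipa1 systemd: Started Session 9 of user pcp.
Jun 10 16:25:11 freeipa1 abrt-hook-ccpp: Process 2888 (sssd_be) of user 0 killed by SIGABRT - dumping core
Jun 10 16:25:11 freeipa1 sssd: Exiting the SSSD. Could not restart critical service [data.domain.com].
Jun 10 16:25:11 freeipa1 systemd: sssd.service: main process exited, code=exited, status=1/FAILURE
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
# abrt-hook-ccpp line for a process killed by a signal.
CRASH_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<proc>[^)]+)\) of user (?P<uid>\d+) killed by (?P<sig>SIG\w+)"
)
# sssd monitor giving up on a backend after repeated restart failures.
GIVEUP_RE = re.compile(r"Could not restart critical service \[(?P<svc>[^\]]+)\]")


def parse_line(line, year=2019):
    """Split one syslog line into its fields; None if it is not syslog-shaped.

    Syslog omits the year, so the caller supplies it (default is an assumption
    matching the posted log's date).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m.group("host"), "prog": m.group("prog"), "msg": m.group("msg")}


def summarize_crash_loop(lines, process="sssd_be", year=2019):
    """Return a dict describing crashes of `process` and whether sssd gave up."""
    crashes, restarts, gave_up = [], 0, None
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        m = CRASH_RE.search(rec["msg"])
        if m and m.group("proc") == process:
            crashes.append({"ts": rec["ts"], "pid": int(m.group("pid")),
                            "signal": m.group("sig"),
                            "core_dumped": "dumping core" in rec["msg"]})
            continue
        # Backend restarts are logged by the "sssd[be[<domain>]]" program tag.
        if rec["prog"].startswith("sssd[be[") and rec["msg"] == "Starting up":
            restarts += 1
            continue
        m = GIVEUP_RE.search(rec["msg"])
        if m:
            gave_up = {"ts": rec["ts"], "service": m.group("svc")}
    window = 0
    if len(crashes) >= 2:
        window = int((crashes[-1]["ts"] - crashes[0]["ts"]).total_seconds())
    return {
        "process": process,
        "crashes": len(crashes),
        "pids": [c["pid"] for c in crashes],
        "cores_dumped": sum(c["core_dumped"] for c in crashes),
        "restarts": restarts,
        "window_seconds": window,
        "sssd_exited": gave_up is not None,
        "failed_service": gave_up["service"] if gave_up else None,
    }


def is_crash_loop(summary, min_crashes=3, max_window_seconds=60):
    """Heuristic: several crashes of the same backend inside a short window."""
    return summary["crashes"] >= min_crashes and summary["window_seconds"] <= max_window_seconds


if __name__ == "__main__":
    s = summarize_crash_loop(SAMPLE_LOG.splitlines())
    print(f"{s['process']}: {s['crashes']} crashes (pids {s['pids']}) in {s['window_seconds']}s, "
          f"{s['restarts']} restarts, cores dumped: {s['cores_dumped']}")
    if s["sssd_exited"]:
        print(f"sssd exited: could not restart critical service [{s['failed_service']}]")
    print("crash loop:", is_crash_loop(s))
```

Only two of the four crashes keep a core (abrt deduplicates the rest as "repeated crash"), so the core to inspect is the one abrt kept under /var/spool/abrt.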
Re: error in FreeIPA UI login page
by Rob Crittenden
Elhamsadat Azarian wrote:
> Hi Rob
> Thanks for your email.
> But I installed ipa-server. I don't know why it tries to install client
> components!
The client installer is needed because sssd, etc needs to be configured
on a server as well.
The error you are seeing is because the client installation failed, so the
server installation is not complete.
> Client hostname is set to the IPA server hostname and I don't know when I
> gave it a client hostname and how I can change it.
A separate hostname is not needed. The server is a client of itself.
rob
>
> On Mon, 10 Jun 2019, 16:56 Rob Crittenden, <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Elhamsadat Azarian via FreeIPA-users wrote:
> > Dear friends
> > I installed FreeIPA on CentOS 7 with external DNS and internal CA
> server.
> > It finished successfully but with a failed message about installing
> client components!
> > Anyway I open a web browser and browse the FreeIPA page. It showed and
> I add an exception for the certificate.
> > Then the login page appeared. I inserted the admin user and password but
> it showed an error: "Invalid CA renewal master. All masters must have
> CA server role enabled"
>
> It didn't install successfully if the client configuration failed.
> You'll need to look at /var/log/ipaclient-install.log to see why it
> failed.
>
> rob
>
4 years, 12 months
Full chain with ipa-getcert request
by Jo Domsic
Hi,
I've deployed FreeIPA and now am trying to use ipa-getcert.
FreeIPA has been deployed with external CA, and the root CA cert has been deployed to all servers.
FreeIPA is acting as an intermediate ssl authority.
So, when I run ipa-getcert request .... I generate ssl key (server.key) and receive valid ssl cert (server.cert).
However the certificate is not quite valid, since it's missing the intermediate certificate in the server.cert bundle.
Is there a way (e.g. flag or a feature) to include intermediate.cert to server.cert?
Or better yet: how did you envision the whole PKI with FreeIPA as intermediate certificate?
4 years, 12 months
Re: krb5_child always reports going offline when trying to login
by Robert Sturrock
Hi.
It appears to work ok when I run that command, returning this very quickly:
# KRB5_TRACE=/dev/stdout kinit -k 'host/ipa-server.localdomain@LOCALREALM'
[19706] 1559864041.540056: Getting initial credentials for host/ipa-server.localdomain@LOCALREALM
[19706] 1559864041.540057: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[19706] 1559864041.540059: Sending unauthenticated request
[19706] 1559864041.540060: Sending request (221 bytes) to LOCALREALM
[19706] 1559864041.540061: Resolving hostname ipa-server.localdomain
[19706] 1559864041.540062: Initiating TCP connection to stream 172.22.6.6:88
[19706] 1559864041.540063: Sending TCP request to stream 172.22.6.6:88
[19706] 1559864041.540064: Received answer (400 bytes) from stream 172.22.6.6:88
[19706] 1559864041.540065: Terminating TCP connection to stream 172.22.6.6:88
[19706] 1559864041.540066: Response was from master KDC
[19706] 1559864041.540067: Received error from KDC: -1765328359/Additional pre-authentication required
[19706] 1559864041.540070: Preauthenticating using KDC method data
[19706] 1559864041.540071: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[19706] 1559864041.540072: Selected etype info: etype aes256-cts, salt "LOCALREALMhostipa-server.localdomain", params ""
[19706] 1559864041.540073: Received cookie: MIT
[19706] 1559864041.540074: PKINIT client has no configured identity; giving up
[19706] 1559864041.540075: Preauth module pkinit (147) (info) returned: 0/Success
[19706] 1559864041.540076: PKINIT client has no configured identity; giving up
[19706] 1559864041.540077: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[19706] 1559864041.540078: PKINIT client has no configured identity; giving up
[19706] 1559864041.540079: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[19706] 1559864041.540080: Retrieving host/ipa-server.localdomain@LOCALREALM from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[19706] 1559864041.540081: AS key obtained for encrypted timestamp: aes256-cts/781D
[19706] 1559864041.540083: Encrypted timestamp (for 1559864041.544859): plain 301AA011180F32303139303630363233333430315AA105020308505B, encrypted 08B3042D8AE66FC15F6059376F620C3ABDFD910009117824437E4B5682CF458270762A621A809444A2DE02190FFD0E737A3F697F5F4F62DC
[19706] 1559864041.540084: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[19706] 1559864041.540085: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[19706] 1559864041.540086: Sending request (316 bytes) to LOCALREALM
[19706] 1559864041.540087: Resolving hostname ipa-server.localdomain
[19706] 1559864041.540088: Initiating TCP connection to stream 172.22.6.6:88
[19706] 1559864041.540089: Sending TCP request to stream 172.22.6.6:88
[19706] 1559864041.540090: Received answer (1559 bytes) from stream 172.22.6.6:88
[19706] 1559864041.540091: Terminating TCP connection to stream 172.22.6.6:88
[19706] 1559864041.540092: Response was from master KDC
[19706] 1559864041.540093: Processing preauth types: PA-ETYPE-INFO2 (19)
[19706] 1559864041.540094: Selected etype info: etype aes256-cts, salt "LOCALREALMhostipa-server.localdomain", params ""
[19706] 1559864041.540095: Produced preauth for next request: (empty)
[19706] 1559864041.540096: AS key determined by preauth: aes256-cts/781D
[19706] 1559864041.540097: Decrypted AS reply; session key is: aes256-cts/ED09
[19706] 1559864041.540098: FAST negotiation: available
[19706] 1559864041.540099: Initializing KEYRING:persistent:0:krb_ccache_z1xuQWr with default princ host/ipa-server.localdomain@LOCALREALM
[19706] 1559864041.540100: Storing host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM in KEYRING:persistent:0:krb_ccache_z1xuQWr
[19706] 1559864041.540101: Storing config in KEYRING:persistent:0:krb_ccache_z1xuQWr for krbtgt/LOCALREALM@LOCALREALM: fast_avail: yes
[19706] 1559864041.540102: Storing host/ipa-server.localdomain@LOCALREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_z1xuQWr
[19706] 1559864041.540103: Storing config in KEYRING:persistent:0:krb_ccache_z1xuQWr for krbtgt/LOCALREALM@LOCALREALM: pa_type: 2
[19706] 1559864041.540104: Storing host/ipa-server.localdomain@LOCALREALM -> krb5_ccache_conf_data/pa_type/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_z1xuQWr
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_z1xuQWr
Default principal: host/ipa-server.localdomain@LOCALREALM
Valid starting Expires Service principal
07/06/19 09:34:01 08/06/19 09:34:01 krbtgt/LOCALREALM@LOCALREALM
Is this what you’d expect?
Regards,
Robert.
5 years
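Reading a KRB5_TRACE transcript like the one above by hand is tedious, and the question "is this what you'd expect?" comes down to a few facts: was a request actually sent to a KDC, what did the KDC answer, which pre-auth the client produced, and whether a TGT was stored. The following is an added example, not code from the thread, from FreeIPA or from MIT Kerberos; it assumes only the trace line format shown in the post ("[pid] secs.usec: message"), and both sample transcripts embedded in it are constructed (the first is abbreviated from the posted output, the second is a made-up stall where the client never gets a request out, which is the shape a genuine "offline" failure takes).

```python
"""Summarise a KRB5_TRACE transcript of an AS exchange such as `kinit -k`.

Added example (not from the mailing-list thread, FreeIPA or MIT Kerberos).
It reads MIT Kerberos trace lines of the form "[pid] secs.usec: message"
and reports what a troubleshooter wants to know: which KDCs were actually
reached, which errors the KDC returned, which pre-authentication mechanisms
the client offered, and whether a TGT ended up in a credential cache.
"""
import re

TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
INITIAL = re.compile(r"^Getting initial credentials for (?P<princ>\S+)$")
SENT = re.compile(r"^Sending (?:TCP|UDP) request to (?:stream|dgram) (?P<kdc>\S+)$")
KDC_ERROR = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$")
PRODUCED = re.compile(r"^Produced preauth for next request: (?P<types>.*)$")
STORED_TGT = re.compile(r"^Storing \S+ -> krbtgt/\S+ in (?P<ccache>\S+)$")

# KRB5KDC_ERR_PREAUTH_REQUIRED: the KDC asking for pre-auth on the first
# round trip is normal, not a failure (the code appears verbatim in the trace).
PREAUTH_REQUIRED = -1765328359


def parse_trace(text):
    """Yield (pid, timestamp, message) for each well-formed trace line."""
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if m:
            yield m.group("pid"), float(m.group("ts")), m.group("msg")


def summarize_as_exchange(text):
    """Collapse a trace into the handful of facts that decide ok vs. offline."""
    summary = {
        "principal": None,
        "kdcs_reached": [],    # endpoints a request was actually sent to, in order
        "kdc_errors": [],      # (code, text) pairs returned by a KDC
        "preauth_rounds": [],  # mechanisms offered in each follow-up AS-REQ
        "pkinit_skipped": False,
        "ccache": None,        # credential cache the TGT was stored in, if any
    }
    for _pid, _ts, msg in parse_trace(text):
        m = INITIAL.match(msg)
        if m:
            summary["principal"] = m.group("princ")
            continue
        m = SENT.match(msg)
        if m:
            summary["kdcs_reached"].append(m.group("kdc"))
            continue
        m = KDC_ERROR.match(msg)
        if m:
            summary["kdc_errors"].append((int(m.group("code")), m.group("text")))
            continue
        m = PRODUCED.match(msg)
        if m:
            if m.group("types") != "(empty)":
                summary["preauth_rounds"].append(
                    [t.strip() for t in m.group("types").split(",")])
            continue
        if msg.startswith("PKINIT client has no configured identity"):
            summary["pkinit_skipped"] = True  # expected on a keytab-only client
            continue
        m = STORED_TGT.match(msg)
        if m:
            summary["ccache"] = m.group("ccache")
    return summary


def classify(summary):
    """Coarse verdict: ok, kdc-unreachable, kdc-error or incomplete."""
    if summary["ccache"]:
        return "ok"
    if not summary["kdcs_reached"]:
        return "kdc-unreachable"  # nothing was ever sent: what 'offline' looks like
    if any(code != PREAUTH_REQUIRED for code, _ in summary["kdc_errors"]):
        return "kdc-error"
    return "incomplete"


# Constructed sample, abbreviated from the trace format shown in the post.
GOOD_TRACE = """\
[19706] 1559864041.540056: Getting initial credentials for host/ipa-server.localdomain@LOCALREALM
[19706] 1559864041.540059: Sending unauthenticated request
[19706] 1559864041.540063: Sending TCP request to stream 172.22.6.6:88
[19706] 1559864041.540067: Received error from KDC: -1765328359/Additional pre-authentication required
[19706] 1559864041.540074: PKINIT client has no configured identity; giving up
[19706] 1559864041.540085: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[19706] 1559864041.540089: Sending TCP request to stream 172.22.6.6:88
[19706] 1559864041.540095: Produced preauth for next request: (empty)
[19706] 1559864041.540097: Decrypted AS reply; session key is: aes256-cts/ED09
[19706] 1559864041.540100: Storing host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM in KEYRING:persistent:0:krb_ccache_z1xuQWr
"""

# Constructed sample: the client resolves the KDC but never gets a request out.
STALLED_TRACE = """\
[20001] 1559864100.100001: Getting initial credentials for host/ipa-server.localdomain@LOCALREALM
[20001] 1559864100.100002: Sending request (221 bytes) to LOCALREALM
[20001] 1559864100.100003: Resolving hostname ipa-server.localdomain
[20001] 1559864100.100004: Initiating TCP connection to stream 172.22.6.6:88
"""

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("stalled", STALLED_TRACE)):
        s = summarize_as_exchange(trace)
        print(name, classify(s), s["kdcs_reached"], s["kdc_errors"], s["ccache"])
```

On the posted transcript this yields "ok": two requests reached 172.22.6.6:88, the only KDC error is the expected pre-auth-required code, the client answered with PA-ENC-TIMESTAMP, and the TGT landed in the KEYRING cache, which matches the klist output. The script can be fed a trace captured from a failing login (for example by setting KRB5_TRACE in the environment sssd's krb5_child runs under, if your setup allows it); a "kdc-unreachable" verdict points at name resolution or connectivity, while "kdc-error" points at the KDC's own response.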