Unable to add external domain global groups
by Martijn Bakkes
We have a one way trust set up on our IPA with our AD. ( IPA trusting AD ).
I am able to add domain local groups as external members in an IPA group.
However, when I try to add a domain global group I receive the error:
invalid 'trusted domain object': no trusted domain matched the specified flat name
Has anybody run into this issue? I can only find this error referenced in cases where the trust wasn't working.
4 years, 8 months
Re: kadmin service fails to start
by Mike Conner
Thanks for the reply.
I ran `netstat -tulpn` after restarting the rpcbind service and did not see anything listening on 749. Unfortunately, I didn't think to run it before I restarted the rpcbind service.
Is it possible kadmin thinks the port is in use even after rpcbind has moved off it?
4 years, 8 months
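The reply above wonders whether port 749 was held by something rpcbind-related rather than by kadmind. As an added example (not from the thread and not FreeIPA code), the script below answers two questions from `ss -lntup` output, the modern equivalent of `netstat -tulpn`: which process currently holds a port, and whether the port is excluded from the kernel's ephemeral range through net.ipv4.ip_local_reserved_ports, which is what stops a dynamically assigned RPC listener from landing on it after a restart. The ss output embedded in the script is constructed; the rpcbind line on 749 is invented to exercise the check.

```python
"""Who holds the kadmin port, and is it reserved from the ephemeral range?

Added example; not from the thread and not FreeIPA code. RPC services that
register with rpcbind bind to whatever ephemeral port the kernel hands them,
so a fixed port such as kadmind's 749 can be taken by one of them unless it
is listed in net.ipv4.ip_local_reserved_ports.
"""
import re
import subprocess

KADMIN_PORT = 749

# Constructed sample of `ss -lntup` output; the rpcbind line on 749 is
# invented so the check has something to find.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*     users:(("rpcbind",pid=812,fd=5))
tcp   LISTEN 0      128          0.0.0.0:749       0.0.0.0:*     users:(("rpcbind",pid=812,fd=9))
tcp   LISTEN 0      128          0.0.0.0:88        0.0.0.0:*     users:(("krb5kdc",pid=903,fd=11))
"""


def listeners(ss_output):
    """Map local port -> process name for every line of `ss -lntup` output."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        port = fields[4].rsplit(":", 1)[-1]           # "0.0.0.0:749" -> "749"
        proc = re.search(r'\("([^"]+)"', line)         # users:(("rpcbind",...
        if port.isdigit() and proc:
            found.setdefault(int(port), proc.group(1))
    return found


def is_reserved(port, reserved_ports):
    """True if port is covered by a net.ipv4.ip_local_reserved_ports value
    such as "749" or "700-800,4444" (an empty value reserves nothing)."""
    for item in filter(None, reserved_ports.replace(" ", "").split(",")):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def diagnose(port=KADMIN_PORT, ss_output=None, reserved_ports=None):
    """Return human-readable findings. With no arguments it queries the live
    host (needs ss and sysctl; root to see other users' process names)."""
    if ss_output is None:
        ss_output = subprocess.run(["ss", "-lntup"], capture_output=True,
                                   text=True, check=True).stdout
    if reserved_ports is None:
        reserved_ports = subprocess.run(
            ["sysctl", "-n", "net.ipv4.ip_local_reserved_ports"],
            capture_output=True, text=True, check=True).stdout.strip()
    findings = []
    owner = listeners(ss_output).get(port)
    if owner is None:
        findings.append(f"nothing is listening on {port}")
    elif owner != "kadmind":
        findings.append(f"port {port} is held by {owner}, not kadmind")
    if not is_reserved(port, reserved_ports):
        findings.append(
            f"{port} is not in net.ipv4.ip_local_reserved_ports; set it "
            f"(sysctl -w net.ipv4.ip_local_reserved_ports={port}) and persist "
            "it under /etc/sysctl.d/ so a restarted rpcbind cannot take it again")
    return findings


if __name__ == "__main__":
    for finding in diagnose():
        print(finding)
```

Run it without arguments on the IPA server to query the live host; the sysctl only keeps new listeners off the port, so a daemon already sitting on 749 still has to be restarted after the port is reserved.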
subCA OCSP on IPA Replica
by David Etchen
Hi Guys,
I have a 2-host basic IPA setup; both IPA servers are running DNS & CA.
I'm running on CentOS 7.6 using FreeIPA version 4.6.4 & Dogtag version 10.5.9.
I've made a subCA called vpnca and a certificate policy, and all this is working fine with the exception of OCSP on the 2nd IPA box.
The original master works fine and issues OCSP responses for certificates issued by the vpnca (subCA); however, the replica IPA box fails to respond.
I've had a look through the logs and found in the /var/log/pki/pki-tomcat/ca/debug log an error on the 2nd box when doing an OCSP request against it for a certificate issued by the subCA.
I should note here that OCSP requests for certificates issued by the main IPA CA work fine; it's only the ones issued by the subCA that seem broken on the replica.
I have also spotted the 2nd IPA server complaining that it can't get caSigningCert:
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Running ExternalProcessKeyRetriever
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93, man-fb-ipa-01.testhost.com]
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Failed to retrieve key from any host.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: KeyRetriever did not return a result.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Retrying in 1946 seconds
I'm presuming this is the reason OCSP is failing, as it can't sign the response for the subCA?
Does anyone know if this is a known issue or if there is something I need to modify to get the OCSP working on the replica host?
Any help would be greatly appreciated
Thanks
Dave
See logs below.
2nd IPA Replica (Broken) /var/log/pki/pki-tomcat/ca/debug
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet:service() uri = /ca/ocsp
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: caOCSP start to service.
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: IP: 10.128.164.2
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: no authMgrName
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet.authorize(DirAclAuthz)
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: in auditSubjectID
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: auditSubjectID auditContext {locale=en_GB, ipAddress=10.128.164.2}
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet auditSubjectID: subjectID: null
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: in auditGroupID
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: auditGroupID auditContext {locale=en_GB, ipAddress=10.128.164.2}
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet auditGroupID: groupID: null
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: masterConn is connected: true
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: getConn: conn is connected true
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: getConn: mNumConns now 2
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: returnConn: mNumConns now 3
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: AAclAuthz.checkPermission(certServer.ee.request.ocsp, submit)
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: checkAllowEntries(): expressions: ipaddress=".*"
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: evaluating expressions: ipaddress=".*"
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: evaluated expression: ipaddress=".*" to be true
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: DirAclAuthz: authorization passed
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: SignedAuditLogger: event AUTHZ
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: Servlet Path: /ocsp
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: RequestURI: /ca/ocsp
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: PathInfo: null
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: HTTP method: POST
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: processing POST request
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: decoding request
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: validating request
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: masterConn is connected: true
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: getConn: conn is connected true
[04/Sep/2019:12:25:13][ajp-bio-127.0.0.1-8009-exec-1]: getConn: mNumConns now 2
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: returnConn: mNumConns now 3
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: masterConn is connected: true
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: getConn: conn is connected true
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: getConn: mNumConns now 2
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: returnConn: mNumConns now 3
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CertificateAuthority: validating OCSP request
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CertificateAuthority: processing request for cert 0x1b
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: masterConn is connected: true
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: getConn: conn is connected true
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: getConn: mNumConns now 2
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: returnConn: mNumConns now 3
java.lang.NullPointerException
at com.netscape.ca.CertificateAuthority.getResponderIDByName(CertificateAuthority.java:2340)
at com.netscape.ca.CertificateAuthority.validate(CertificateAuthority.java:2473)
at com.netscape.ca.CertificateAuthority.validate(CertificateAuthority.java:2428)
at com.netscape.cms.servlet.ocsp.OCSPServlet.process(OCSPServlet.java:222)
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:493)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: in auditSubjectID
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: auditSubjectID auditContext {locale=en_GB, ipAddress=10.128.164.2}
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet auditSubjectID: subjectID: null
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: SignedAuditLogger: event OCSP_GENERATION
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: OCSPServlet: response is null
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet.java: renderTemplate
[04/Sep/2019:12:25:14][ajp-bio-127.0.0.1-8009-exec-1]: CMSServlet: curDate=Wed Sep 04 12:25:14 BST 2019 id=caOCSP time=213
If I look at 1st IPA server which is working I see
1st IPA Master (Working) /var/log/pki/pki-tomcat/ca/debug
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet:service() uri = /ca/ocsp
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: caOCSP start to service.
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: IP: 10.128.167.2
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: no authMgrName
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet.authorize(DirAclAuthz)
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: in auditSubjectID
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: auditSubjectID auditContext {locale=en_GB, ipAddress=10.128.167.2}
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet auditSubjectID: subjectID: null
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: in auditGroupID
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: auditGroupID auditContext {locale=en_GB, ipAddress=10.128.167.2}
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet auditGroupID: groupID: null
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: AAclAuthz.checkPermission(certServer.ee.request.ocsp, submit)
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: checkAllowEntries(): expressions: ipaddress=".*"
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: evaluating expressions: ipaddress=".*"
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: evaluated expression: ipaddress=".*" to be true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: DirAclAuthz: authorization passed
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTHZ
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: Servlet Path: /ocsp
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: RequestURI: /ca/ocsp
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: PathInfo: null
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: HTTP method: POST
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: processing POST request
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: decoding request
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: validating request
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 4
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 5
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 4
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 5
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CertificateAuthority: validating OCSP request
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CertificateAuthority: processing request for cert 0x1b
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 4
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 5
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: adding signature
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: Signing Certificate
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: in auditSubjectID
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet: auditSubjectID auditContext {locale=en_GB, ipAddress=10.128.167.2}
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: CMSServlet auditSubjectID: subjectID: null
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event OCSP_GENERATION
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: OCSP Request:
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: MGwwaqADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFK377uGJz9Owh8lyIT07pU1YHAEs
BBTDA9mf27XJPVL0EOy+SaFKAxCZhAIBG6IjMCEwHwYJKwYBBQUHMAECBBIEEJMj
ZAn0Vjd91e0eZdmHXyo=
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: Serial Number: 27
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: OCSP Response Size:
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: 2364
[04/Sep/2019:13:22:06][ajp-bio-127.0.0.1-8009-exec-15]: OCSPServlet: OCSP Response Data:
**SNIP**
4 years, 8 months
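The two debug logs diverge right after "processing request for cert 0x1b": the master goes on to "adding signature" with SHA256withRSA, while the replica throws the NullPointerException in getResponderIDByName and returns no response. What a responder has to do at that point is map the CertID in the request (issuerNameHash, issuerKeyHash, serial) to a CA it holds a signing key for. The following is an added example, not Dogtag or FreeIPA code: a small standard-library-only DER walker that decodes the request the master printed (the base64 block above, joined into one string) and looks the issuerKeyHash up in a table of CA key hashes. The table entry labelling that hash as vpnca is an assumption made for the example; on a real host the value is the hash, with the algorithm named in CertID.hashAlgorithm, of the subjectPublicKey BIT STRING contents of the issuing CA's certificate (RFC 6960, section 4.1.1).

```python
"""Decode a DER-encoded OCSPRequest (RFC 6960) with a minimal ASN.1 walker
and map its CertID to the CA that would have to sign the response.

Added example; not FreeIPA or Dogtag code. Standard library only.
"""
import base64

# Constructed input: the OCSP request the working master printed in its
# debug log for the certificate with serial 0x1b, joined into one string.
SAMPLE_REQUEST_B64 = (
    "MGwwaqADAgEAMD4wPDA6MAkGBSsOAwIaBQAEFK377uGJz9Owh8lyIT07pU1YHAEs"
    "BBTDA9mf27XJPVL0EOy+SaFKAxCZhAIBG6IjMCEwHwYJKwYBBQUHMAECBBIEEJMj"
    "ZAn0Vjd91e0eZdmHXyo="
)

OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_request(der):
    """Extract version, CertIDs and nonce from an OCSPRequest (DER bytes or
    base64 text). The optional signature is ignored."""
    if isinstance(der, str):
        der = base64.b64decode(der)
    _, ocsp_request, _ = _tlv(der)
    (_, tbs), *_ = _children(ocsp_request)                # tbsRequest
    out = {"version": 0, "requests": [], "nonce": None}
    for tag, val in _children(tbs):
        if tag == 0xA0:                                    # [0] EXPLICIT version
            out["version"] = _tlv(val)[1][0]
        elif tag == 0x30:                                  # requestList
            for _, req in _children(val):
                (_, cert_id), *_ = _children(req)          # Request.reqCert
                alg, name_hash, key_hash, serial = _children(cert_id)
                alg_oid = decode_oid(next(_children(alg[1]))[1])
                out["requests"].append({
                    "hash_alg": HASH_OIDS.get(alg_oid, alg_oid),
                    "issuer_name_hash": name_hash[1].hex(),
                    "issuer_key_hash": key_hash[1].hex(),
                    "serial": int.from_bytes(serial[1], "big", signed=True),
                })
        elif tag == 0xA2:                                  # [2] requestExtensions
            for _, ext in _children(next(_children(val))[1]):
                parts = list(_children(ext))
                if decode_oid(parts[0][1]) == OID_OCSP_NONCE:
                    # extnValue is an OCTET STRING wrapping the nonce OCTET STRING
                    out["nonce"] = _tlv(parts[-1][1])[1].hex()
    return out


def responder_for(request, ca_key_hashes):
    """Name the CA whose key hash each CertID carries. A responder that cannot
    map the hash to a CA it holds a signing key for cannot answer for it."""
    return [ca_key_hashes.get(r["issuer_key_hash"], "unknown issuer")
            for r in request["requests"]]


if __name__ == "__main__":
    req = parse_ocsp_request(SAMPLE_REQUEST_B64)
    # Assumed table: the hash is copied from the sample request and labelled
    # vpnca only because the post says the request was for a vpnca-issued
    # certificate. For a real CA, hash the subjectPublicKey BIT STRING contents
    # of its certificate with the algorithm named in CertID.hashAlgorithm.
    ca_key_hashes = {"c303d99fdbb5c93d52f410ecbe49a14a03109984": "vpnca"}
    for r in req["requests"]:
        print(f"serial {r['serial']} ({r['serial']:#x}), {r['hash_alg']} "
              f"issuerKeyHash {r['issuer_key_hash']}")
    print("nonce", req["nonce"])
    print("responder:", responder_for(req, ca_key_hashes))
```

Run as-is it prints serial 27, the two SHA-1 hashes and the nonce; a request captured with `openssl ocsp -reqout` can be fed to parse_ocsp_request() the same way to confirm which CA a client is really asking about before comparing master and replica.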
kadmin service fails to start
by Mike Conner
I've had a FreeIPA installation running without issues until today directory services went down and when I attempt to restart services using `ipactl restart` the kadmin service fails to start. I've been digging through logs and searching for answers but haven't found anything that makes sense to me. The only change I introduced (that I'm aware of) was that I upgraded ipa-server on the replica a week or two ago. Master is running IPA 4.5 and replica is running IPA 4.6.
Any help with troubleshooting would be greatly appreciated.
-Mike
4 years, 8 months
ldapsearch for AD users via FreeIPA
by Tom K.
Hey All,
I've been following this post to refine an ldapsearch query in an attempt to return a list of AD users via IPA:
https://www.redhat.com/archives/freeipa-users/2017-February/msg00300.html
But haven't had luck yet. What I've tried so far:
LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "dc=mws,dc=mds,dc=xyz" -v "(&(objectClass=posixAccount)(uid=*))" |grep dn:
[root@idmipa03 ~]# cat ad-lookup.update
dn:cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: user
dn:cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-lookup-nsswitch: group
[root@idmipa03 ~]#
[root@idmipa03 ~]#
[root@idmipa03 ~]# ipa-compat-manage status
Directory Manager password:
Plugin Enabled
[root@idmipa03 ~]#
[root@idmipa03 ~]#
[root@idmipa03 ~]# ipa-ldap-updater ad-lookup.update
Update complete, no data were modified
The ipa-ldap-updater command was successful
[root@idmipa03 ~]#
Still I don't get a list of AD users. Did not use --enable-compat on installation of the IPA servers. What am I missing?
--
Thx,
TK.
4 years, 8 months
'ipa-ca' DNS record - where used?
by Dmitry Perets
Hi,
I know of one usage - all the IPA ansible modules (ipa_*) query for 'ipa-ca' record to find the IPA server.
But for other cases - looks like IPA clients mostly rely on entries like '_kerberos.*' and '_ldap.*'...
What other functionality uses 'ipa-ca' record?
Thanks.
---
Regards,
Dmitry Perets
4 years, 8 months
spake_preauth_groups
by Rob Verduijn
Hello,
I found out that running ipa on rhel8 in the file /etc/krb5.conf.d/freeipa
the setting
[libdefaults]
spake_preauth_groups=edwards25519
prevents ad domain account users from logging in to the ipa server running
on rhel8
According to this site, it's protection against dictionary attacks:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/spake.html
Commenting out those two lines and restarting the sssd service allows the AD
domain users to log in to the rhel8 systems.
However, this means I lose the extra protection against dictionary attacks.
Is there a way to have both?
(login for AD users on rhel8 and dictionary attack protection)
Cheers
Rob
4 years, 8 months
NFS Errors
by Tobi Berninger
Hello,
Sadly we had a power shortage (a transformer exploded in the building next
to us....) and all servers shut down immediately - I started them again.
Now we have some strange errors:
First only two clients weren't able to access their NFS home - two days
later all clients can't access them...
I first checked the date, but it is synced all over the system and not the
problem.
Then I discovered an error in the logs that the callback IP wasn't right,
fixed that too...
Still can't get access to the NFS server - only the one share that is
accessible for all users is mounted.
Keytabs were renewed on the NFS server as on the clients. The krb5 logs don't
show any real clue...
I use virtualized CentOS-based servers (up to date):
IpaServer
NFSServer
BackupNFSServer
Any ideas?
Thanks
4 years, 8 months
Can login with non-existing user
by Ronald Wimmer
I have managed to login to an IPA client with a non-existing user.
My AD user is z123456@addomain.mydomain.at and I have created a similar
user called i123456@ipadomain.mydomain.at. What happened now is that I
could log in with the i-User and what I get to see after logging in is this:
[i123456@addomain.mydomain.at@as12314 ~]$ id
uid=1246600007(i123456@addomain.mydomain.at)
gid=1246600007(i123456@addomain.mydomain.at)
groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group@ipadomain.mydomain.at)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[i123456@addomain.mydomain.at@as12314 ~]$ whoami
i123456@addomain.mydomain.at
The user i123456@addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
What is wrong here? Are things just displayed wrong or could it be more?
Which files do you need in order to analyze this issue?
Cheers,
Ronald
4 years, 8 months