Kerberized NFS Home directories
by Kristian Petersen
Hey all,
I am trying to get kerberized NFS home directories working in Ubuntu 18.04
with the mapping info coming from IPA. I can get them to mount on login in
a multi-user target (terminal only), but not a graphical one (using gdm for
login). The messages I am seeing in the syslog seem to indicate that it is
having issues communicating with the server hosting the NFS share and times
out. That doesn't make sense though since it works to mount in the
terminal like I would expect.
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
4 years, 4 months
Proxy LDAP queries to Active Directory
by White, David
Is there a way to proxy client LDAP requests to the upstream Active Directory that FreeIPA is configured to trust?
I have AD, where users live.
I have FreeIPA / RedHat IdM.
And I have servers that are registered to FreeIPA.
But I also have applications (such as Mediawiki, or Red Hat Satellite to name a few) that support LDAP authentication.
I want to be able to use my AD credentials to login to Mediawiki or Satellite, but have the application bind to FreeIPA, instead of binding it to AD.
Is this possible?
I currently:
Have successfully bound Mediawiki to FreeIPA, and I can login to Mediawiki using an account that is built locally instead of FreeIPA, but I cannot login to Mediawiki using my AD credentials.
-----
David White
Engineer II, Fiber Systems Engineering
(423) 648-1500, Option 2
4 years, 4 months
FreeIPA ipa-replica-install hangs on "No status yet" during the first replication
by Damien Bras
Hi,
During the installation of one of our FreeIPA replicas (with ipa-replica-install), the process hangs on "No status yet".
Our domain is in domain level 1.
It seems that the script is waiting for an attribute nsds5ReplicaLastInitStatus.
The master server is up & running and we want to have a multimaster environment.
We don't find any error related to the replication process in the log.
The version installed: 4.6.5-11.0.1.el7_7.3
First, the ipa client is correctly installed on the server. Then we use the command ipa-replica-install to promote it to an IPA server with:
ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join
In the ipareplica-install.log we just have this:
…
2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication
2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248>
2020-01-17T10:25:47Z DEBUG Destroyed connection context.ldap2_139829518113296
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload
2020-01-17T10:25:47Z DEBUG Process finished, return code=0
2020-01-17T10:25:47Z DEBUG stdout=
2020-01-17T10:25:47Z DEBUG stderr=
2020-01-17T10:25:47Z DEBUG Starting external process
2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart dirsrv(a)DOMAIN-COM.service
2020-01-17T10:25:53Z DEBUG Process finished, return code=0
2020-01-17T10:25:53Z DEBUG stdout=
2020-01-17T10:25:53Z DEBUG stderr=
2020-01-17T10:25:53Z DEBUG Restart of dirsrv(a)HS2-VDC-CORP-HOMESEND-COM.service complete
2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296
2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c95da8320>
2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId.
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Added replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config
2020-01-17T10:25:54Z DEBUG No update to cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config necessary
2020-01-17T10:25:54Z DEBUG Waiting for replication (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config (objectclass=*)
2020-01-17T10:25:54Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToserver2.domain.com'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'], u'nsDS5ReplicaHost': ['server2.domain.com'], u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions started since server startup'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to server2.domain.com'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
On the live master, there is a strange behavior also:
It seems the LDAP is in something like read-only mode. For example, if I reset the password of an account, I don't get any error, but nothing happens.
I have also those errors on this server:
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400
Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000
But we don't have any replication because there are no other servers:
# ipa-replica-manage list
server2.domain.com: master
# ipa-replica-manage list-ruv
Directory Manager password:
Replica Update Vectors:
server2.domain.com:389: 5
Certificate Server Replica Update Vectors:
server2.domain.com:389: 6
# ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
Suffix name: ca
Managed LDAP suffix DN: o=ipaca
Suffix name: domain
Managed LDAP suffix DN: dc=domain,dc=com
----------------------------
Number of entries returned 2
----------------------------
# ipa topologysegment-find
Suffix name: domain
------------------
0 segments matched
------------------
----------------------------
Number of entries returned 0
----------------------------
I really don't know what happened here. Could you help us with that?
Best regards,
Damien
4 years, 4 months
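The two ns-slapd messages in the post can be read by decoding the CSNs they contain. This is an added example, not code from the thread or from 389-ds: it splits a CSN into its timestamp, sequence number, replica id and sub-sequence fields (the standard 20-hex-digit layout), parses the WARN line quoted above, and reproduces the "value" and "limit" from the csngen_adjust_time error. The regular expression and the helper names are this example's own.

```python
"""Decode 389-ds CSNs and reproduce the csngen_adjust_time numbers from the post.

CSN layout (20 hex digits): 8 timestamp (seconds since epoch), 4 sequence number,
4 replica id, 4 sub-sequence number.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# "limit - 86400" in the log: the generator refuses to move its clock more than a day.
ADJUST_LIMIT_SECONDS = 86400

# Copied verbatim from the ns-slapd WARN line in the post.
WARN_LINE = ("Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - "
             "NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 "
             "<= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000")

CSN_IN_WARN_RE = re.compile(r"opcsn=(?P<opcsn>[0-9a-f]{20}) <= basecsn=(?P<basecsn>[0-9a-f]{20})")


@dataclass(frozen=True)
class CSN:
    timestamp: int
    seqnum: int
    replica_id: int
    subseqnum: int

    @classmethod
    def parse(cls, text: str) -> "CSN":
        if len(text) != 20 or not re.fullmatch(r"[0-9a-fA-F]{20}", text):
            raise ValueError(f"not a CSN: {text!r}")
        return cls(int(text[0:8], 16), int(text[8:12], 16),
                   int(text[12:16], 16), int(text[16:20], 16))

    def time(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def required_adjustment(op: CSN, base: CSN) -> int:
    """Seconds the local clock would have to be advanced so that a freshly generated
    CSN sorts after `base`, the highest CSN already recorded for the suffix."""
    return max(0, base.timestamp - op.timestamp)


def check_adjustment(op: CSN, base: CSN, limit: int = ADJUST_LIMIT_SECONDS) -> dict:
    """Same decision the generator makes: adjustment needed, and whether it exceeds the limit."""
    adj = required_adjustment(op, base)
    return {
        "adjustment": adj,
        "limit": limit,
        "exceeded": adj > limit,
        "base_replica_id": base.replica_id,   # which replica id produced the runaway CSN
        "base_time": base.time().isoformat(),  # when that CSN claims to have been generated
    }


def diagnose_warn_line(line: str) -> dict:
    """Parse opcsn/basecsn out of the replica_generate_next_csn WARN line and evaluate them."""
    m = CSN_IN_WARN_RE.search(line)
    if m is None:
        raise ValueError("no opcsn/basecsn pair in line")
    return check_adjustment(CSN.parse(m["opcsn"]), CSN.parse(m["basecsn"]))


if __name__ == "__main__":
    for key, value in diagnose_warn_line(WARN_LINE).items():
        print(f"{key}: {value}")
```

The adjustment computed from the WARN line equals the "value" in the ERR line that precedes it, and the base CSN's replica id and timestamp tell you which replica id and which (future) time the RUV has recorded, which is where to look next.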
Approval workflow
by Daniel PC
Hi all,
Does anyone know if it is possible to implement an approval workflow to enable a user to access a host?
My idea is, for a limited number of users, to allow access only after receiving an OK from a responsible person.
Thank you
DPC
4 years, 4 months
Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service
by Ferdinand Babas
Hi All,
I've been trying to work through this issue but can't find the magic formula to get it working so I'm turning to the community for help.
We are currently running VERSION: 4.4.0, API_VERSION: 2.213 in a 4 node multi master environment and the steps listed below were performed on the IPA CA renewal master. Please let me know if any additional information is needed regarding the environment.
As background we had expired certificates (both /etc/httpd/alias and /etc/pki/pki-tomcat/alias) which were renewed by setting the date in the past and restarting certmonger. Now on the IPA CA renewal master all certs have valid 'expires' dates and have a status of MONITORING. Note that the other nodes still have expired certs.
On the IPA CA renewal master when I start up the pki-tomcatd(a)pki-tomcat.service with the default CS.cfg and password.conf file I get the following error:
Internal Database Error encountered: Could not connect to LDAP server host francolin.local port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
So I changed the CS.cfg file to use Basic Auth and added the directory-manager-password to password.conf, restarted pki-tomcatd(a)pki-tomcat.service and now I get the following:
/var/log/messages
Jan 6 10:54:30 francolin systemd: Started PKI Tomcat Server pki-tomcat.
Jan 6 10:54:30 francolin server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 6 10:54:30 francolin server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 6 10:54:30 francolin server: main class used: org.apache.catalina.startup.Bootstrap
Jan 6 10:54:30 francolin server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 6 10:54:30 francolin server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 6 10:54:30 francolin server: arguments used: start
Jan 6 10:54:30 francolin server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://francolin.local:9080/ca/ocsp' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 6 10:54:31 francolin server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 6 10:54:31 francolin server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 6 10:54:31 francolin server: SSLAuthenticatorWithFallback: Setting container
Jan 6 10:54:32 francolin server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 6 10:54:32 francolin server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 6 10:54:33 francolin server: CMSEngine.initializePasswordStore() begins
Jan 6 10:54:33 francolin server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 6 10:54:33 francolin server: testLDAPConnection connecting to francolin.local:389
Jan 6 10:54:33 francolin server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 6 10:54:33 francolin server: testLDAPConnection connecting to francolin.local:389
Jan 6 10:54:33 francolin server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-francolin.local-pki-tomcat,cn=config does not exist
Jan 6 10:54:33 francolin server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring ..
Jan 6 10:54:34 francolin server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 6 10:54:34 francolin server: -----------------------
Jan 6 10:54:34 francolin server: Disabled "ca" subsystem
Jan 6 10:54:34 francolin server: -----------------------
Jan 6 10:54:34 francolin server: Subsystem ID: ca
Jan 6 10:54:34 francolin server: Instance ID: pki-tomcat
Jan 6 10:54:34 francolin server: Enabled: False
Jan 6 10:54:34 francolin server: Invalid class name repositorytop
Jan 6 10:54:35 francolin server: Invalid class name repositorytop
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 6 10:54:35 francolin server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1374)
Jan 6 10:54:35 francolin server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:201)
Jan 6 10:54:35 francolin server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1622)
Jan 6 10:54:35 francolin server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
Jan 6 10:54:35 francolin server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 6 10:54:35 francolin server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 6 10:54:35 francolin server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 6 10:54:35 francolin server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 6 10:54:35 francolin server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 6 10:54:35 francolin server: at java.security.AccessController.doPrivileged(Native Method)
Jan 6 10:54:35 francolin server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
Jan 6 10:54:35 francolin server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 6 10:54:35 francolin server: at java.security.AccessController.doPrivileged(Native Method)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 6 10:54:35 francolin server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 6 10:54:35 francolin server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 6 10:54:35 francolin server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 6 10:54:35 francolin server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 6 10:54:35 francolin server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Jan 6 10:54:35 francolin server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
Jan 6 10:54:35 francolin server: at java.lang.Thread.run(Thread.java:748)
Jan 6 10:54:36 francolin server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 6 10:54:36 francolin server: PKIListener: Subsystem CA is disabled.
Jan 6 10:54:36 francolin server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 6 10:54:36 francolin server: PKIListener: To enable the subsystem:
Jan 6 10:54:36 francolin server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 6 10:54:47 francolin server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://francolin.local:389] but has failed to stop it. This is very likely to create a memory leak.
Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldaps://francolin.local:389] but has failed to stop it. This is very likely to create a memory leak.
Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldaps://francolin.local:389] but has failed to stop it. This is very likely to create a memory leak.
Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 6 10:54:47 francolin server: SSLAuthenticatorWithFallback: Setting container
/var/log/pki/pki-tomcat/ca/selftests.log
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] CAPresence: CA is present
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SystemCertsVerification: system certs verification failure: Certificate not found: auditSigningCert cert-pki-ca
0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
I can also confirm that the 'auditSigningCert cert-pki-ca' isn't there when I run certutil -L -d /etc/pki/pki-tomcat/alias/. The output is listed below:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca ,,
Server-Cert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
The 'auditSigningCert cert-pki-ca' shows up on the other nodes however:
auditSigningCert cert-pki-ca u,u,Pu
Let me know if there is more information that is needed. This one is baffling me.
Thanks,
Ferdinand
4 years, 4 months
Integrated DNS - best solution to unique domain
by Daniel PC
Hi,
Red Hat strongly recommends IdM-integrated DNS for basic usage within the IdM deployment but at the same time declares "It does not support some of the advanced DNS features" and must be used only for IdM purposes.
I have a DNS for a domain that resolves names to Linux hostnames, VIPs, application names, databases scan, and more.
From my understanding, IdM must resolve DNS only for hostnames. Other services should be delegated to a true DNS server.
I understand that it's not normal to use two DNS servers for one domain, but in my case how can I build my DNS system?
Any advice?
Thank you
DC
4 years, 4 months
Re: Where is the "Audit" in IPA?
by Charles Hedrick
I've thought about this a bit more. I think it would be useful if log entries showing changes could be routed differently by syslog. The simplest would be to use a different log level, e.g. NOTICE, where other things are INFO. Another approach would be to put a specific tag in the entry, e.g. AUDIT.
On Jan 15, 2020, at 5:20 PM, Angus Clarke <post(a)angusclarke.com<mailto:post@angusclarke.com>> wrote:
Yeah, to find what I'm looking for I keep a list of grep examples, as auditors generally ask for the same things! I modify httpd.conf to send ErrorLog messages to syslog and then use syslog to send those to a server with cheap storage to keep a long history.
Regards
Angus
________________________________
From: Charles Hedrick <hedrick(a)rutgers.edu<mailto:hedrick@rutgers.edu>>
Sent: 15 January 2020 22:54
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
Cc: Ryan Slominski <ryans(a)jlab.org<mailto:ryans@jlab.org>>; Angus Clarke <post(a)angusclarke.com<mailto:post@angusclarke.com>>
Subject: Re: [Freeipa-users] Where is the "Audit" in IPA?
This looks pretty reasonable. Unfortunately it intermixes lots of info. The files grow rapidly enough that it's probably not practical to keep them for a long time. It might not be hard to pull out just the things that make changes.
On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
Just a note from a fellow user ...
Changes made through the API are logged via apache's ErrorLog directive, I've been using this to some degree of success to answer 3rd party audit queries. However it does miss things like "which groups was this user a member of when they were deleted" though ... The facilities you are asking about sound excellent Ryan!
Regards
Angus
________________________________
From: Ryan Slominski via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
Sent: 15 January 2020 20:28
To: freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>
Cc: Ryan Slominski <ryans(a)jlab.org<mailto:ryans@jlab.org>>
Subject: [Freeipa-users] Where is the "Audit" in IPA?
Hi FreeIPA dudes,
What is the status of audit in IPA? Specifically, is there an easy way to determine what the membership of a particular group was at a particular point in time, say last October? I noticed there is an audit log file (disabled by default), but that is going to be a not-so-easy way to try to re-construct group membership at a point in time in the past. I was hoping to just navigate to a "history" tab on the GUI, but no such luck. Is this on anyone's todo list? I also noticed a "Centralized Logging" webpage that suggests setting up an ELK stack, but that doesn't quite provide snapshots of group membership.
What about the ability to subscribe to changes (as opposed to poll them)? I suppose the replication features could be used somehow, but those are also polling based? Would be nice to configure simple callbacks (perhaps HTTP post) when things change. I believe this is called a webhook. Any support for this kind of notification system?
Thanks,
Ryan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
4 years, 4 months
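Ryan's question is whether group membership at a past date can be recovered, and the audit log he mentions is exactly the material for that. The following is an added example, not code from the thread, from FreeIPA or from 389 Directory Server: it replays a 389-ds-style audit log (records starting with a `time:` line in `YYYYmmddHHMMSS` form, then `dn:`, `changetype:` and LDIF modify operations separated by `-`) and returns a group's `member` set as of a chosen timestamp. The log text, the group DNs and the user names below are constructed sample data; the record layout is an assumption about the audit log format, so check it against a real `/var/log/dirsrv/slapd-*/audit` before relying on it.

```python
"""Reconstruct a group's member set at a point in time by replaying a
389-ds style audit log.  Added example; the log below is constructed."""
from datetime import datetime

# Constructed sample audit log (not real data).  Assumed layout: each record
# starts with "time: YYYYmmddHHMMSS", then dn/changetype, then LDIF modify
# operations terminated by "-"; records are separated by a blank line.
SAMPLE_AUDIT_LOG = """\
time: 20190801093000
dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
changetype: modify
add: member
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test
-
replace: modifiersname
modifiersname: uid=admin,cn=users,cn=accounts,dc=example,dc=test
-

time: 20191003141500
dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
changetype: modify
add: member
member: uid=carol,cn=users,cn=accounts,dc=example,dc=test
-

time: 20191120101000
dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
changetype: modify
delete: member
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test
-

time: 20191201080000
dn: cn=other,cn=groups,cn=accounts,dc=example,dc=test
changetype: modify
add: member
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test
-
"""

GROUP_DN = "cn=ops,cn=groups,cn=accounts,dc=example,dc=test"
TIME_FMT = "%Y%m%d%H%M%S"


def parse_audit_log(text):
    """Yield (timestamp, dn, changetype, [(op, attr, [values])]) per record."""
    for block in text.strip().split("\n\n"):
        header, ops, cur = {}, [], None
        for line in block.splitlines():
            if not line.strip():
                continue
            if line == "-":                      # end of one modify operation
                if cur is not None:
                    ops.append(cur)
                cur = None
                continue
            key, _, value = line.partition(": ")
            if key in ("time", "dn", "changetype") and cur is None and key not in header:
                header[key] = value
            elif key in ("add", "delete", "replace"):
                cur = (key, value, [])           # value is the attribute name
            elif cur is not None and key == cur[1]:
                cur[2].append(value)
        if cur is not None:
            ops.append(cur)
        yield (datetime.strptime(header["time"], TIME_FMT), header["dn"],
               header.get("changetype"), ops)


def rdn_value(dn):
    """'uid=alice,cn=users,...' -> 'alice'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def members_at(text, group_dn, when):
    """Replay member changes on group_dn up to 'when' (YYYYmmddHHMMSS) and
    return the sorted short names of the members at that moment."""
    when_dt = datetime.strptime(when, TIME_FMT)
    members = set()
    for ts, dn, changetype, ops in sorted(parse_audit_log(text), key=lambda r: r[0]):
        if ts > when_dt or dn.lower() != group_dn.lower() or changetype != "modify":
            continue
        for op, attr, values in ops:
            if attr.lower() != "member":
                continue
            if op == "add":
                members.update(values)
            elif op == "delete":
                if values:
                    members.difference_update(values)
                else:                            # "delete: member" with no values drops all
                    members.clear()
            elif op == "replace":
                members = set(values)
    return sorted(rdn_value(m) for m in members)


if __name__ == "__main__":
    print(members_at(SAMPLE_AUDIT_LOG, GROUP_DN, "20191031000000"))
```

The replay starts from an empty set, so it is only exact if the log covers the group since its creation (or since a known baseline snapshot that you seed `members` with); the audit log must also have been enabled for the whole period, which the original post notes it is not by default.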
Question about ipa group-add-member
by White, Daniel E. (GSFC-770.0)[NICS]
Adding multiple users to one group is documented, but the other way around seems to be missing.
Is there a way to add one user to multiple groups with one command?
If not, I can deal with it.
4 years, 4 months
Legacy client in compat tree - multiple entries?
by S Toulmonde
Hello IPA gurus,
I have a legacy client (Solaris) that I want to migrate to an IPA (RHEL IPA 4.6.5). Currently, it's being served by an ODSEE server for ldap.
So first I want to test if I can connect with a user in IPA, then I'll try with an external (AD client). But I have the following issue:
User I try to login with: seb
# Legacy (Solaris) Client:
Jan 14 15:46:34 vs4b7 sshd[45644]: [ID 293258 auth.warning] libsldap: Status: 7 Mesg: Too many entries are returned for seb
So it seems that I have several users in the compat tree with uid=seb...
# IPA server serving Legacy client:
[root@el6982 sssd]# ldapsearch -Y GSSAPI -b 'cn=users,cn=compat,dc=dev,dc=ipa,dc=bc' '(&(objectClass=posixaccount)(uid=seb))'
# seb, users, compat, dev.ipa.bc
dn: uid=seb,cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
objectClass: posixAccount
objectClass: top
gecos:: U8OpYmFzdGllbiBUb3VsbW9uZGUgKGxvY2FsIElQQSk=
cn:: U8OpYmFzdGllbiBUb3VsbW9uZGUgKGxvY2FsIElQQSk=
uidNumber: 1856200001
gidNumber: 1856200001
loginShell: /bin/bash
homeDirectory: /home/seb
uid: seb(a)dev.ipa.bc
uid: seb
# seb, users, compat, dev.ipa.bc
dn: uid=seb,cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos:: U8OpYmFzdGllbiBUb3VsbW9uZGU=
cn:: U8OpYmFzdGllbiBUb3VsbW9uZGU=
uidNumber: 1856200001
gidNumber: 1856200001
loginShell: /bin/bash
homeDirectory: /home/seb
ipaAnchorUUID:: OklQQTpkZXYuaXBhLmJjOmRmMmQyNjdjLWFjN2MtMTFlOS1iYTMyLTAwNTA1NjllMjc5OQ==
uid: seb
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
# LDAP config for legacy client:
(vs4b7:/var/adm)# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris10,cn=sysaccounts,cn=etc,dc=dev,dc=ipa,dc=bc
NS_LDAP_BINDPASSWD= {NS1}c537f4abc1a7c4e477a5ca0ca15c7bdc7a83d9
NS_LDAP_SERVERS= el6982.dev.ipa.bc
NS_LDAP_SEARCH_BASEDN= dc=dev,dc=ipa,dc=bc
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_CACHETTL= 0
NS_LDAP_PROFILE= solaris10
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=dev,dc=ipa,dc=bc
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
I wonder why I have two entries in the compat tree? One has objectClass: ipaOverrideTarget and the other doesn't... I restarted sssd and IPA to clear the compat tree, but it pops back up again.
Any idea?
Thanks!
4 years, 4 months
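The Solaris libsldap error above ("Too many entries are returned") is the symptom of two compat-tree entries sharing one DN, and the quickest way to see what differs between them is to diff the copies attribute by attribute. The following is an added example, not code from the thread or from FreeIPA: a small LDIF parser for `ldapsearch` output that base64-decodes `::` values, groups entries by DN and reports the attributes whose values differ between duplicate copies. The embedded input is the search output from the post (with blank lines between entries as ldapsearch prints them; the archive's `(a)` address obfuscation in one `uid` value is left as shown).

```python
"""Find duplicate DNs in ldapsearch LDIF output and show how the copies
differ.  Added example; the input is the search result from the post."""
import base64
from collections import defaultdict

# ldapsearch output reproduced from the post above.
LDAPSEARCH_OUTPUT = """\
# seb, users, compat, dev.ipa.bc
dn: uid=seb,cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
objectClass: posixAccount
objectClass: top
gecos:: U8OpYmFzdGllbiBUb3VsbW9uZGUgKGxvY2FsIElQQSk=
cn:: U8OpYmFzdGllbiBUb3VsbW9uZGUgKGxvY2FsIElQQSk=
uidNumber: 1856200001
gidNumber: 1856200001
loginShell: /bin/bash
homeDirectory: /home/seb
uid: seb(a)dev.ipa.bc
uid: seb

# seb, users, compat, dev.ipa.bc
dn: uid=seb,cn=users,cn=compat,dc=dev,dc=ipa,dc=bc
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos:: U8OpYmFzdGllbiBUb3VsbW9uZGU=
cn:: U8OpYmFzdGllbiBUb3VsbW9uZGU=
uidNumber: 1856200001
gidNumber: 1856200001
loginShell: /bin/bash
homeDirectory: /home/seb
ipaAnchorUUID:: OklQQTpkZXYuaXBhLmJjOmRmMmQyNjdjLWFjN2MtMTFlOS1iYTMyLTAwNTA1NjllMjc5OQ==
uid: seb

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of (dn, {attr: [values]}).
    Comments are skipped, folded lines (leading space) are re-joined and
    'attr:: value' pairs are base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():                    # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            if current is not None:             # tolerate missing blank line
                entries.append(current)
            current = (value, defaultdict(list))
        elif current is not None:               # ignore "search:"/"result:" trailer
            current[1][attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def find_duplicate_dns(entries):
    """Map each DN that occurs more than once to the list of its attribute dicts."""
    by_dn = defaultdict(list)
    for dn, attrs in entries:
        by_dn[dn.lower()].append(attrs)
    return {dn: copies for dn, copies in by_dn.items() if len(copies) > 1}


def describe_duplicates(text):
    """For every duplicated DN return {attr: [sorted values of copy 1, copy 2, ...]}
    restricted to the attributes whose values differ between the copies."""
    report = {}
    for dn, copies in find_duplicate_dns(parse_ldif(text)).items():
        keys = set().union(*(c.keys() for c in copies))
        diffs = {}
        for k in sorted(keys):
            vals = [sorted(c.get(k, [])) for c in copies]
            if any(v != vals[0] for v in vals):
                diffs[k] = vals
        report[dn] = diffs
    return report


if __name__ == "__main__":
    for dn, diffs in describe_duplicates(LDAPSEARCH_OUTPUT).items():
        print(dn)
        for attr, vals in diffs.items():
            print(f"  {attr}: {vals}")
```

On the post's data the report shows the two copies agree on uidNumber, gidNumber, shell and home directory and differ only in gecos/cn, the extra `uid` value, and the `ipaOverrideTarget` object class plus `ipaAnchorUUID` that FreeIPA's ID views machinery attaches; that narrows the investigation to how the override is being projected into the compat tree rather than to the POSIX data itself.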
Server-Cert cert-pki-ca was expired and wasn't renewed automatically
by luckydog xf
Hi, I have 2 nodes of IPA system. The 'Server-Cert cert-pki-ca' of the master node expired unexpectedly.
Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is for HTTPS (pki-tomcat), AKA the Dogtag website.
As it has expired, Dogtag is OOS as well.
Right now, those services are not running,
---
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
---
This is /var/log/pki/pki-tomcat/ca/selftests.log
---------------------
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peers Certificate has expired.
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
-----------------
And /var/log/pki/pki-tomcat/ca/debug
------------
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
-----------------
Output from certutil:
-------
Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
Validity:
Not Before: Tue Nov 21 08:43:11 2017
Not After : Mon Nov 11 08:43:11 2019
Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK"
----------
This certificate has expired, so here comes the point:
1. Why didn't ipa cert-mon monitor and renew it? So weird.
getcert list | grep tomcat -i
does not return this certificate.
2. How to fix it? It is the renewal master according to 'ipa config-show | grep 'IPA CA renewal master''.
1) I reset the clock to within the valid period and restarted services. It failed.
2) I plan to renew or recreate a Server-Cert since my CA is still valid, but I'm not sure it's doable and don't know how.
Not sure whether it's a bug or not; my slave node is good, and both are running freeipa v4.6.4.
Thanks a lot.
4 years, 4 months
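The post's certutil excerpt shows the failure mode a monitoring check should catch: a certificate that certmonger is not tracking ran past its Not After date unnoticed. The following is an added example, not code from the thread, from certmonger or from FreeIPA: it parses the validity block of `certutil -L -n <nick>` output in the form shown above and classifies the certificate as seen at a given date, so the same check can be run over any NSS-database certificate that `getcert list` does not report. The reference date is passed in explicitly so the result is reproducible; the input is the validity block from the post.

```python
"""Classify a certificate's validity from certutil -L output.
Added example; the input is the certutil excerpt from the post."""
from datetime import datetime

# Validity block reproduced from the certutil output in the post above.
CERTUTIL_OUTPUT = """\
Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
Validity:
Not Before: Tue Nov 21 08:43:11 2017
Not After : Mon Nov 11 08:43:11 2019
Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK"
"""


def _parse_certutil_time(s):
    # certutil prints e.g. "Mon Nov 11 08:43:11 2019" (days may be space-padded)
    return datetime.strptime(" ".join(s.split()), "%a %b %d %H:%M:%S %Y")


def parse_validity(text):
    """Return (not_before, not_after) datetimes from certutil -L -n output."""
    not_before = not_after = None
    for line in text.splitlines():
        label, _, value = line.strip().partition(":")
        label = " ".join(label.split()).lower()   # "Not After " -> "not after"
        if label == "not before":
            not_before = _parse_certutil_time(value)
        elif label == "not after":
            not_after = _parse_certutil_time(value)
    if not_before is None or not_after is None:
        raise ValueError("validity period not found in certutil output")
    return not_before, not_after


def days_left(text, now_str):
    """Whole days until Not After as seen on now_str (YYYY-mm-dd); negative once expired."""
    now = datetime.strptime(now_str, "%Y-%m-%d")
    return (parse_validity(text)[1] - now).days


def check_expiry(text, now_str, warn_days=30):
    """Return 'not_yet_valid', 'expired', 'expiring' or 'ok' for the
    certificate as seen on now_str (YYYY-mm-dd)."""
    not_before, not_after = parse_validity(text)
    now = datetime.strptime(now_str, "%Y-%m-%d")
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if (not_after - now).days < warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # The log excerpt in the post is dated 25 Dec 2019; the cert had already
    # been expired for several weeks by then.
    print(check_expiry(CERTUTIL_OUTPUT, "2019-12-25"), days_left(CERTUTIL_OUTPUT, "2019-12-25"))
```

In practice this runs against `certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'` (the path and nickname here are taken from the post's own log lines, but verify them on the host) and is paired with `getcert list` so that any certificate present in the database but absent from certmonger's tracking is flagged before, not after, its Not After date.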