IPA OTPD Crashing After Reboot
by Kevin Cassar
Hey there!
I've been running FreeIPA server (VERSION: 4.8.4, API_VERSION: 2.235) on CentOS-8 for a month now with TOTP-based login configured. I recently had to restart the server due to maintenance.
Now the OTP-based login doesn't seem to work. The ipa-otpd process starts fine via the ipactl start command, but once I try to log in to one of the clients, it crashes on the server.
I see the following in /var/log/message on the server:
systemd[1]: ipa-otpd.socket: Failed to queue service startup job (Maybe the service file is missing or not a template unit?): Resource temporarily unavailable
systemd[1]: ipa-otpd.socket: Failed with result 'resources'.
I've checked and both ipa-otpd.socket and ipa-otpd@.service exist in /usr/lib/systemd/system.
Appreciate any help on this.
Thanks.
client pam authentication failing intermittently
by prasad kumar
Hi,
We are using IPA for host authentication for application service accounts. Sometimes those logins fail, and I don't see any errors in the IPA logs, but the server throws "PAM authentication failed". I am new to FreeIPA and clueless about how this process works and where to troubleshoot. Could someone please guide me?
Migrated users do not have the ipaNTHash attribute
by Kiselev Mikhail
Hello.
My specs:
cat /etc/system-release
CentOS Linux release 7.8.2003 (Core)
rpm -qa ipa-server
ipa-server-4.6.6-11.el7.centos.x86_64
We migrated users from OpenLDAP. These users do not have the attribute ipaNTHash:
ldapsearch -h ipareplica2.opentech.local -D "cn=Directory Manager" -x -LLL -W -b 'cn=users,cn=accounts,dc=opentech,dc=local' 'uid=mkiselev' ipaNTHash
Enter LDAP Password:
dn: uid=mkiselev,cn=users,cn=accounts,dc=opentech,dc=local
Changing the user's password doesn't help.
If a new user is created in FreeIPA, then the attribute is there:
ldapsearch -h ipareplica2.opentech.local -D "cn=Directory Manager" -x -LLL -W -b 'cn=users,cn=accounts,dc=opentech,dc=local' 'uid=test' ipaNTHash
Enter LDAP Password:
dn: uid=test,cn=users,cn=accounts,dc=opentech,dc=local
ipaNTHash:: xaI3t+nY5wjYQ2thSKJfoQ==
What could be the problem?
PKI instance would produce a namespace collision with - during server setup
by lejeczek
Hi
A clean, first master setup fails with:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpdu3s0mxw',
'--debug'] returned non-zero exit status 1: 'INFO:
Connecting to LDAP server at
ldap://third.abba.xx.priv.yy:389\nINFO: Connecting to LDAP
server at ldap://third.abba.xx.priv.yy:389\nDEBUG:
Installing Maven dependencies: False\nINFO: BEGIN spawning
CA subsystem in pki-tomcat instance\nINFO: Loading instance:
pki-tomcat\nINFO: Loading global Tomcat config:
/etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config:
/usr/share/pki/etc/tomcat.conf\nINFO: Loading instance
Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO:
Loading password config:
/etc/pki/pki-tomcat/password.conf\nINFO: Loading instance
registry:
/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: -
user: pkiuser\nINFO: - group: pkiuser\nINFO: Setting up
pkiuser group\nINFO: Reusing existing pkiuser group with GID
17\nINFO: Setting up pkiuser user\nINFO: Reusing existing
pkiuser user with UID 17\nDEBUG: Retrieving UID for
\'pkiuser\'\nDEBUG: UID of \'pkiuser\' is 17\nDEBUG:
Retrieving GID for \'pkiuser\'\nDEBUG: GID of \'pkiuser\' is
17\nINFO: Initialization\nERROR: PKI instance \'pki-tomcat\'
would produce a namespace collision with
\'/etc/sysconfig/pki-tomcat\'!\nERROR: Exception: PKI
instance \'pki-tomcat\' would produce a namespace collision
with \'/etc/sysconfig/pki-tomcat\'!\n File
"/usr/lib/python3.6/site-packages/pki/server/pkispawn.py",
line 575, in main\n scriptlet.spawn(deployer)\n File
"/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/initialization.py",
line 165, in spawn\n
deployer.namespace.collision_detection()\n File
"/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py",
line 313, in collision_detection\n
self.mdict[\'pki_target_tomcat_conf_instance_id\']))\n\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Is /etc/sysconfig/pki-tomcat created solely by FreeIPA, and was that file not cleaned up from an earlier installation, or does the problem lie elsewhere? Would you know?
many thanks, L.
bind - named.conf ... no named.conf
by lejeczek
Hi...
It's almost Xmas :) here is another one :D
How can this:
-> $ ipa-server-install --setup-dns --no-forwarders --setup-kra --auto-reverse --ds-password
end up with this?
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
[error] FileNotFoundError: [Errno 2] No such file or directory: '/etc/named.conf'
And bind was okay and working prior to and at the time the IPA setup started.
Could it be some underlying problem? Perhaps OS/hardware limitations which could affect IPA?
I do this in a qemu-kvm VM with 2 high-performance CPUs and 6 GB of memory.
cheers, L.
IPA client registration fail under load
by prasad kumar
Hi All,
I am getting the below issue when multiple instances try to register with the IPA server. We have 2 IPA servers; when 5 or 6 clients try to register at the same time, some succeed and some fail with this error:
Kerberos authentication failed: kinit: Cannot contact any KDC for realm '<<DNS_NAME>>' while getting initial credentials
If anybody has experienced the above issue, please guide me on how to tune it. I don't see any errors in the server logs, which is strange. It looks to me like some timeout value, but I don't know where to configure it.
In what circumstance would replica setup prefer itself, the candidate, as DNS resolver?
by lejeczek
Hi guys.
This is a bit weird, no? Or I completely misunderstand it.
~]$ ipa-replica-install --setup-dns --no-forwarders
Lookup failed: Preferred host fourth.abba.xx.priv.yy does not provide DNS.
Reverse DNS resolution of address 10.0.0.5 (fourth.abba.xx.priv.yy) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:
This is on 'fourth'. So the candidate for the installation prefers itself as DNS resolver? (Its /etc/resolver points to one of the already existing masters.)
many thanks, L.
bricked beyond belief?
by lejeczek
Hi everyone.
I'm trying to add a fourth replica to an existing IPA domain and it does not want to work, but don't mind that for now.
Failed replica no. 4 is now not happy to go away, not happy at all.
~]$ ipa-server-install --uninstall --unattended --ignore-last-of-role
Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server second.abba.xx.priv.yy to replicate with servers:
fourth.abba.xx.priv.yy
Topology does not allow server third.abba.xx.priv.yy to replicate with servers:
fourth.abba.xx.priv.yy
Topology does not allow server first.abba.xx.priv.yy to replicate with servers:
fourth.abba.xx.priv.yy.
~]$ dsctl -l
slapd-ABBA.XX.PRIV-YY
~]$ dsctl slapd-ABBA.XX.PRIV-YY remove --do-it
No such instance 'slapd-ABBA.XX.PRIV-YY'
Unable to access instance information. Are you running as the correct user? (usually dirsrv or root)
Masters first, second & third do not show any sign of a relation to master candidate fourth, at least not in what the ipa cmd tools show.
I've even resorted to reinstalling rpm packages on that failed master - dnf remove `rpm -qa \*ipa\*` - but it seems that data somewhere is so resilient that it survives that.
gee.. where to start?
thanks, L
a shortcut a small mayhem - a replica's way
by lejeczek
Hi guys.
I'm trying to spin up a new replica:
...
[25/41]: restarting directory server
[26/41]: creating DS keytab
[error] CalledProcessError: CalledProcessError(Command
['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p',
'ldap/sucker.ccnr.ceb.private.cam.ac.uk(a)CCN.DOMAIN.MINE', '-H',
'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9:
'Failed to parse result: Insufficient access rights\n\nRetrying with
pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient
access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k',
'/etc/dirsrv/ds.keytab', '-p',
'ldap/sucker.ccn.domain.mine(a)CCNR.CEB.PRIVATE.CAM.AC.UK', '-H',
'ldaps://drunk.ccn.domain.mine'] returned non-zero exit status 9:
'Failed to parse result: Insufficient access rights\n\nRetrying with
pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient
access rights\n\nFailed to get keytab!\nFailed to get keytab\n')
So I do:
~]$ ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring directory server
[Errno 2] No such file or directory:
'/etc/dirsrv/slapd-CCN-DOMAIN-MINE/dse.ldif'
And from here on it's practically a small mayhem. '--uninstall', no matter how many times, does not help.
I see that 'systemctl status -l dirsrv@my-instance' is still up. So obviously:
~]$ ipa-replica-install --setup-dns --no-forwarders --admin-password=ccn --principal=admin
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
IPA requires ports 389 and 636 for the Directory Server.
These are currently in use:
389
636
...
One more time?
~]$ ipa-server-install --uninstall
WARNING:
IPA server is not configured on this system. If you want to install the IPA server, please install it using 'ipa-server-install'.
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
... and it's like a vicious circle.
It seems to me that this simple case is something the IPA devel guys could look into, and then hopefully improve and harden the un/installation process.
ipa-client-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-client-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-selinux-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-4.8.7-12.module_el8.3.0+511+8a502f20.x86_64
ipa-server-common-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
ipa-server-dns-4.8.7-12.module_el8.3.0+511+8a502f20.noarch
Partial replication of LDAP branch
by Karim Bourenane
Hello Team
I have a special question about partial replication of an LDAP domain branch into a FreeIPA v. 4.6.2 on CentOS 7.7.1908.
I want to deploy several FreeIPA into several network zones.
Is it possible to replicate only a branch of the data, to manage only the IPA clients / DNS / certificates of that zone?
I want to segment data replication for security reasons.
Perhaps I approached my project the wrong way?
Regards / Kind regards
Mr Karim Bourenane