CentOS 6 client installation gets stuck and doesn't complete
by Rohan Talkar
Hi Team,
We are migrating from our current directory service, 389DS, to FreeIPA. All our servers are
currently authenticated by the 389DS server.
Our infra is hosted on AWS. Please find below the setup of the FreeIPA servers and the client
on which we are performing tests and getting the issue.
FreeIPA Servers
Primary Master Server = Region 1
Secondary Master Server = Region 2
OS = CentOS Linux release 8.3.2011
IPA Version = 4.8.7, API_VERSION: 2.239
FreeIPA Client
OS = CentOS release 6.9 (Final)
Kernel Version = Linux drxlceco6app01 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
IPA Client version = 3.0.0-51.el6.centos
Our DNS is managed from the /etc/hosts file by manually adding entries for the
servers.
On the CentOS 6 client the installation gets stuck after the SSSD setup completes. See the
output below for details.
NOTE: For security reasons we have masked our domain name as "XYZ.com" and
other details with a capital "X".
========================================
case "$env" in
echo 'This is US DR'
This is US DR
++ hostname
ipa-client-install --mkhomedir --no-krb5-offline-passwords
--hostname=drxlceco6app01.XYZ.com --force-join --fixed-primary
--server=drxipaco8lds01.XYZ.com --server=prdipaco8ldm01.XYZ.com --domain XYZ.com --realm
XYZ.COM
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the
discovered server for all operations and will not fail over to other servers in case of
failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: drxlceco6app01.XYZ.com
Realm: XYZ.COM
DNS Domain: XYZ.com
IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
BaseDN: dc=XYZ,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that
123 UDP port is opened.
Password for admin@XYZ.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XYZ.COM
Issuer: CN=Certificate Authority,O=XYZ.COM
Valid From: Mon Apr 19 14:35:38 2021 UTC
Valid Until: Fri Apr 19 14:35:38 2041 UTC
Enrolled in IPA realm XYZ.COM
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XYZ.COM
trying https://prdipaco8ldm01.XYZ.com/ipa/xml
Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Hostname (drxlceco6app01.XYZ.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring XYZ.com as NIS domain
========================================
Current /etc/nsswitch.conf entries as below.
========================================
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
========================================
Complete client installation logs as below.
========================================
2021-06-01T17:25:40Z DEBUG /usr/sbin/ipa-client-install was invoked with options:
{'domain': 'XYZ.com', 'force': False, 'realm_name':
'XYZ.COM', 'krb5_offline_passwords': False, 'primary': True,
'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True,
'conf_ntp': True, 'on_master': False, 'ntp_server': None,
'nisdomain': None, 'no_nisdomain': False, 'principal': None,
'hostname': 'drxlceco6app01.XYZ.com', 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True,
'conf_ssh': True, 'force_join': True, 'ca_cert_file': None,
'server': ['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'],
'prompt_password': False, 'permit': False, 'debug': False,
'preserve_sssd': False, 'uninstall': False}
2021-06-01T17:25:40Z DEBUG missing options might be asked for interactively later
2021-06-01T17:25:40Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:25:40Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:25:40Z DEBUG [IPA Discovery]
2021-06-01T17:25:40Z DEBUG Starting IPA discovery with domain=XYZ.com,
servers=['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'],
hostname=drxlceco6app01.XYZ.com
2021-06-01T17:25:40Z DEBUG Server and domain forced
2021-06-01T17:25:40Z DEBUG [Kerberos realm search]
2021-06-01T17:25:40Z DEBUG Kerberos realm forced
2021-06-01T17:25:40Z DEBUG Search DNS for SRV record of _kerberos._udp.XYZ.com.
2021-06-01T17:25:40Z DEBUG No DNS record found
2021-06-01T17:25:40Z DEBUG SRV record for KDC not found! Domain: XYZ.com
2021-06-01T17:25:40Z DEBUG [LDAP server check]
2021-06-01T17:25:40Z DEBUG Verifying that drxipaco8lds01.XYZ.com (realm XYZ.COM) is an IPA
server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://drxipaco8lds01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Verifying that prdipaco8ldm01.XYZ.com (realm XYZ.COM) is an IPA
server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://prdipaco8ldm01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Generated basedn from realm: dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None,
domain=XYZ.com, kdc=None, basedn=dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Validated servers:
prdipaco8ldm01.XYZ.com,drxipaco8lds01.XYZ.com
2021-06-01T17:25:40Z DEBUG will use discovered domain: XYZ.com
2021-06-01T17:25:40Z DEBUG Using servers from command line, disabling DNS discovery
2021-06-01T17:25:40Z DEBUG will use provided server: drxipaco8lds01.XYZ.com,
prdipaco8ldm01.XYZ.com
2021-06-01T17:25:40Z INFO Autodiscovery of servers for failover cannot work with this
configuration.
2021-06-01T17:25:40Z INFO If you proceed with the installation, services will be
configured to always access the discovered server for all operations and will not fail
over to other servers in case of failure.
2021-06-01T17:26:20Z DEBUG will use discovered realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG will use discovered basedn: dc=XYZ,dc=com
2021-06-01T17:26:20Z INFO Hostname: drxlceco6app01.XYZ.com
2021-06-01T17:26:20Z DEBUG Hostname source: Provided as option
2021-06-01T17:26:20Z INFO Realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG Realm source: Forced
2021-06-01T17:26:20Z INFO DNS Domain: XYZ.com
2021-06-01T17:26:20Z DEBUG DNS Domain source: Forced
2021-06-01T17:26:20Z INFO IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
2021-06-01T17:26:20Z DEBUG IPA Server source: Provided as option
2021-06-01T17:26:20Z INFO BaseDN: dc=XYZ,dc=com
2021-06-01T17:26:20Z DEBUG BaseDN source: Generated from Kerberos realm
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r XYZ.COM
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No
such file or directory
2021-06-01T17:26:45Z DEBUG args=/bin/hostname drxlceco6app01.XYZ.com
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Backing up system configuration file
'/etc/sysconfig/network'
2021-06-01T17:26:45Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/selinuxenabled
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:26:51Z DEBUG will use principal provided as option: admin
2021-06-01T17:26:51Z INFO Synchronizing time with KDC...
2021-06-01T17:26:51Z DEBUG Search DNS for SRV record of _ntp._udp.XYZ.com.
2021-06-01T17:26:51Z DEBUG No DNS record found
2021-06-01T17:26:55Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:55Z DEBUG stdout=
2021-06-01T17:26:55Z DEBUG stderr=
2021-06-01T17:26:59Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:59Z DEBUG stdout=
2021-06-01T17:26:59Z DEBUG stderr=
2021-06-01T17:27:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:27:03Z DEBUG stdout=
2021-06-01T17:27:03Z DEBUG stderr=
2021-06-01T17:27:03Z WARNING Unable to sync time with IPA NTP server, assuming the time is
in sync. Please check that 123 UDP port is opened.
2021-06-01T17:27:03Z DEBUG Writing Kerberos configuration to /tmp/tmpGWIbHp:
2021-06-01T17:27:03Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = XYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
XYZ.COM = {
kdc = prdipaco8ldm01.XYZ.com:88
master_kdc = prdipaco8ldm01.XYZ.com:88
admin_server = prdipaco8ldm01.XYZ.com:749
kdc = drxipaco8lds01.XYZ.com:88
master_kdc = drxipaco8lds01.XYZ.com:88
admin_server = drxipaco8lds01.XYZ.com:749
default_domain = XYZ.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.XYZ.com = XYZ.COM
XYZ.com = XYZ.COM
2021-06-01T17:27:07Z DEBUG args=kinit admin@XYZ.COM
2021-06-01T17:27:07Z DEBUG stdout=Password for admin@XYZ.COM:
2021-06-01T17:27:07Z DEBUG stderr=
2021-06-01T17:27:07Z DEBUG trying to retrieve CA cert via LDAP from
ldap://prdipaco8ldm01.XYZ.com
2021-06-01T17:27:07Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XYZ.COM
Issuer: CN=Certificate Authority,O=XYZ.COM
Valid From: Mon Apr 19 14:35:38 2021 UTC
Valid Until: Fri Apr 19 14:35:38 2041 UTC
2021-06-01T17:27:08Z DEBUG args=/usr/sbin/ipa-join -s prdipaco8ldm01.XYZ.com -b
dc=XYZ,dc=com -h drxlceco6app01.XYZ.com -f
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=Failed to retrieve encryption type Triple DES cbc mode
with HMAC/sha1 (#16)
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=XYZ.COM
2021-06-01T17:27:08Z INFO Enrolled in IPA realm XYZ.COM
2021-06-01T17:27:08Z DEBUG args=kdestroy
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z INFO Attempting to get host TGT...
2021-06-01T17:27:08Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG Attempt 1/5 succeeded.
2021-06-01T17:27:08Z DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2021-06-01T17:27:08Z DEBUG -> Not backing up - '/etc/ipa/default.conf'
doesn't exist
2021-06-01T17:27:08Z INFO Created /etc/ipa/default.conf
2021-06-01T17:27:08Z DEBUG importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
2021-06-01T17:27:08Z DEBUG args=klist -V
2021-06-01T17:27:08Z DEBUG stdout=Kerberos 5 version 1.10.3
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
2021-06-01T17:27:08Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
2021-06-01T17:27:09Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2021-06-01T17:27:09Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf'
doesn't exist
2021-06-01T17:27:09Z INFO New SSSD config will be created
2021-06-01T17:27:09Z DEBUG Backing up system configuration file
'/etc/nsswitch.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z INFO Configured sudoers in /etc/nsswitch.conf
2021-06-01T17:27:09Z INFO Configured /etc/sssd/sssd.conf
2021-06-01T17:27:09Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C
-a -i /etc/ipa/ca.crt
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2021-06-01T17:27:09Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = XYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
XYZ.COM = {
kdc = prdipaco8ldm01.XYZ.com:88
master_kdc = prdipaco8ldm01.XYZ.com:88
admin_server = prdipaco8ldm01.XYZ.com:749
kdc = drxipaco8lds01.XYZ.com:88
master_kdc = drxipaco8lds01.XYZ.com:88
admin_server = drxipaco8lds01.XYZ.com:749
default_domain = XYZ.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.XYZ.com = XYZ.COM
XYZ.com = XYZ.COM
2021-06-01T17:27:09Z INFO Configured /etc/krb5.conf for IPA realm XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG failed to find session_cookie in persistent storage for
principal 'host/drxlceco6app01.XYZ.com@XYZ.COM'
2021-06-01T17:27:09Z INFO trying https://prdipaco8ldm01.XYZ.com/ipa/xml
2021-06-01T17:27:09Z DEBUG Created connection context.xmlclient
2021-06-01T17:27:09Z DEBUG raw: env(None, server=True)
2021-06-01T17:27:09Z DEBUG env(None, server=True, all=True)
2021-06-01T17:27:09Z INFO Forwarding 'env' to server
u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:09Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:09Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:09Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=XYZ.COM
Validity:
Not Before: Mon Apr 19 14:37:53 2021 UTC
Not After: Thu Apr 20 14:37:53 2023 UTC
Subject: CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Exponent:
65537 (0x10001)
Signed Extensions: (7 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://ipa-ca.XYZ.com/ca/ocsp
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: CRL Distribution Points
Critical: False
CRL Distribution Points: [1 total]
Point [1]:
General Names: [1 total]
http://ipa-ca.XYZ.com/ipa/crl/MasterCRL.bin
Issuer: Directory Name: CN=Certificate Authority,O=ipaca
Reasons: ()
Name: Certificate Subject Key ID
Critical: False
Data:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
Name: Certificate Subject Alt Name
Critical: False
Names:
prdipaco8ldm01.XYZ.com
ipa-ca.XYZ.com
HTTP/prdipaco8ldm01.XYZ.com@XYZ.COM
['[0]', '[1]']
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Fingerprint (MD5):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Fingerprint (SHA1):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
2021-06-01T17:27:09Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2021-06-01T17:27:09Z DEBUG cert valid True for
"CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM"
2021-06-01T17:27:09Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:09Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:09Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:09Z DEBUG received Set-Cookie
'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7;path=/ipa;httponly;secure;'
2021-06-01T17:27:09Z DEBUG storing cookie
'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7;
Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal
host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl padd user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM @s
2021-06-01T17:27:09Z DEBUG stdout=915601519
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z WARNING Hostname (drxlceco6app01.XYZ.com) not found in DNS
2021-06-01T17:27:09Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:09Z DEBUG
zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN A
send
update add drxlceco6app01.XYZ.com. 1200 IN A 10.111.5.11
send
2021-06-01T17:27:10Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:10Z DEBUG stdout=
2021-06-01T17:27:10Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Server
DNS/udns1.ultradns.net@XYZ.COM not found in Kerberos database.
2021-06-01T17:27:10Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:10Z ERROR Failed to update DNS records.
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus start
2021-06-01T17:27:10Z DEBUG stdout=Starting system message bus:
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus status
2021-06-01T17:27:10Z DEBUG stdout=messagebus (pid 1186) is running...
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:10Z DEBUG stdout=certmonger (pid 1974) is running...
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger stop
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: [  OK  ]
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:11Z DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:11Z DEBUG stdout=certmonger (pid 2063) is running...
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/chkconfig certmonger on
2021-06-01T17:27:11Z DEBUG stdout=
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine
Certificate - drxlceco6app01.XYZ.com -N CN=drxlceco6app01.XYZ.com,O=XYZ.COM -K
host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=New signing request "20210601172712" added.
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2021-06-01T17:27:12Z DEBUG raw: host_mod(u'drxlceco6app01.XYZ.com',
ipasshpubkey=[u'ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ=='],
updatedns=False)
2021-06-01T17:27:12Z DEBUG host_mod(u'drxlceco6app01.XYZ.com', random=False,
ipasshpubkey=(u'ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ==',),
rights=False, updatedns=False, all=False, raw=False, no_members=False)
2021-06-01T17:27:12Z INFO Forwarding 'host_mod' to server
u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:12Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:12Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:12Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:12Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:12Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:12Z DEBUG received Set-Cookie
'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs;path=/ipa;httponly;secure;'
2021-06-01T17:27:12Z DEBUG storing cookie
'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs;
Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal
host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl pupdate 915601519
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Caught fault 4202 from server
https://prdipaco8ldm01.XYZ.com/ipa/xml: no modifications to be performed
2021-06-01T17:27:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:12Z DEBUG zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN SSHFP
send
update add drxlceco6app01.XYZ.com. 1200 IN SSHFP 1 1
F6ABCFF542C5E35268387C2A53EBF83C5C6B0517
send
2021-06-01T17:27:12Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Server
DNS/udns1.ultradns.net@XYZ.COM not found in Kerberos database.
2021-06-01T17:27:12Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:12Z WARNING Could not update DNS SSHFP records.
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd status
2021-06-01T17:27:12Z DEBUG stdout=nscd is stopped
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd stop
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/chkconfig nscd off
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir
--update --enablesssd
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: [  OK  ]
Starting oddjobd: [  OK  ]
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z INFO SSSD enabled
2021-06-01T17:27:15Z INFO Configuring XYZ.com as NIS domain
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname
2021-06-01T17:27:15Z DEBUG stdout=(none)
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --update --nisdomain XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: [  OK  ]
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=
2021-06-01T17:27:15Z DEBUG stderr=
========================================
I am unable to understand what I am missing or what changes are required in the current config.
Any help / suggestions appreciated.
Regards,
Rohan
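As an added illustration (not code from this thread or from ipa-client-install itself), this is how the SSHFP records in the nsupdate file above are derived from a host's public key, so a published record can be checked against the key locally before relying on it; the key line, hostname and TTL are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by OpenSSH key type
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (as written in the log above), 2 = SHA-256
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    # Return (key type, raw key blob) from an OpenSSH public-key line.
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    # The blob starts with its own key type as a length-prefixed string;
    # it must agree with the text prefix, otherwise the line is corrupt.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type in blob does not match prefix")
    return keytype, blob


def sshfp_fingerprint(blob, fptype):
    # Hex fingerprint of the raw key blob for the given SSHFP fingerprint type.
    return SSHFP_DIGESTS[fptype](blob).hexdigest().upper()


def sshfp_records(pubkey_line, fptypes=(1, 2)):
    # (algorithm, fptype, fingerprint) tuples for one host key.
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fpt, sshfp_fingerprint(blob, fpt)) for fpt in fptypes]


def nsupdate_commands(hostname, records, ttl=1200):
    # nsupdate input in the same shape as the /etc/ipa/.dns_update.txt shown above.
    lines = [f"update delete {hostname}. IN SSHFP", "send"]
    for alg, fpt, fp in records:
        lines.append(f"update add {hostname}. {ttl} IN SSHFP {alg} {fpt} {fp}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def sshfp_matches(record, pubkey_line):
    # True if a published (alg, fptype, fingerprint) record is consistent with the key.
    alg, fpt, fp = record
    return (alg, fpt, fp.upper()) in sshfp_records(pubkey_line, fptypes=(fpt,))


# Constructed ed25519 public key (deterministic filler bytes, not a real host key).
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " root@example-host"

if __name__ == "__main__":
    recs = sshfp_records(SAMPLE_KEY_LINE)
    print(nsupdate_commands("drxlceco6app01.XYZ.com", recs), end="")
    print("matches:", sshfp_matches(recs[0], SAMPLE_KEY_LINE))
```

On a real host the same check can be made against the lines in /etc/ssh/ssh_host_*_key.pub and the SSHFP records returned by `dig`, which is what matters when the nsupdate step fails with a GSS-TSIG error as it does here.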
2 years, 11 months
Invalid CA chain after ca chain renewal
by Philipp Leusmann
Hi,
I have just renewed freeipas externally signed CA certificate using 'ipa-cacert-manage renew --external-ca'
Given the new CSR contains the same key elements as the previous one, I already had to ignore the duplicate while signing. Maybe that's the cause for the issues following?
After renewing I now have the new and the old CA key in /etc/ipa/ca.crt and also in exported certificate chains which for example nginx cannot handle properly.
1) Did I do anything wrong during renewal?
2) How can I remove the previous CA cert?
Thanks in advance,
Philipp
2 years, 11 months
Announcing SSSD 2.5.1
by Pavel Březina
# SSSD 2.5.1
The SSSD team is proud to announce the release of version 2.5.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.5.1
See the full release notes at:
https://sssd.io/release-notes/sssd-2.5.1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### New features
* `auto_private_groups` option can be set centrally through ID range
setting in IPA (see `ipa idrange` commands family). This feature
requires SSSD update on both client and server. This feature also
requires `freeipa 4.9.4` and newer.
### Important fixes
* Fix `getsidbyname` issues with IPA users with a user-private-group
### Configuration changes
* Default value of `ldap_sudo_random_offset` changed to `0` (disabled).
This makes sure that sudo rules are available as soon as possible after
SSSD start in default configuration.
2 years, 11 months
various errors and warnings on F34: Can't contact LDAP server, Component identity is NULL; Failed to unwrap key for cipher
by Robert Kudyba
After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64, we're
seeing the below errors. I found a previous post that mentions a user had
these during a migration but we finished the migration a while ago:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ipa cert-find shows 10 certs and all have a status of VALID. Apache logs do
not have any errors. And the ipaupgrade.log ends with INFO The
ipa-server-upgrade command was successful
Jun 3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR
syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP
server", 'ctrls': []})
Jun 3 18:14:06 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:06.994125936
-0400] - ERR - allow_operation - Component identity is NULL
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.899216572
-0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.955942900
-0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with
the private key; Cert might have been renewed since the key is wrapped. To
recover the encrypted contents, keep the wrapped symmetric key value.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.022213263
-0400] - ERR - attrcrypt_init - All prepared ciphers are not available.
Please disable attribute encryption.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.090020323
-0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.177952423
-0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.875367301
-0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=sub,dc=domain,dc=ourschool,dc=edu--no CoS
Templates found, which should be added before the CoS Definition.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.961081967
-0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will
start in about 5 seconds!
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.740194095
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
ou=sudoers,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.818774136
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
cn=ng, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.804889621
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
cn=computers, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357
-0400] - ERR - schema-compat-plugin - Finished plugin initialization.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.577526585
-0400] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=ad,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.599342179
-0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu
does not exist
2 years, 11 months
Improper format of Kerberos configuration - error from client setup
by lejeczek
Hi guys.
I'm trying client install and I fail:
...
Time synchronization was successful.
Please make sure the following ports are opened in the
firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client
working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Improper format of
Kerberos configuration file while initializing Kerberos 5
library
This is the client's problem, right? The reason I'm a bit doubtful is that all the usual places I checked are plain-vanilla. What do I miss?
many thanks, L.
2 years, 11 months
How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?
by Bret Wortman
I'm trying to update our IPA servers to newer OSes and IPA versions. What I've done so far:
1. Run "ipa-replica-prepare" on the original main server, ipa1.
2. Copied the resulting file to ipa1c7.
3. Tried to import that file via "ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns --auto-forwarders". This typically fails:
===========
[root@ipa2c7 ~]# ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns --auto-forwarders
Directory Manager (existing master) password:
ipaserver.install.server.replicainstall: ERROR Could not resolve hostname ipa1.our.net using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Checking DNS forwarders, please wait ...
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: enabling ldapi
[3/42]: configure autobind for root
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configure password logging
[11/42]: configuring replication version plugin
[12/42]: enabling IPA enrollment plugin
[13/42]: configuring uniqueness plugin
[14/42]: configuring uuid plugin
[15/42]: configuring modrdn plugin
[16/42]: configuring DNS plugin
[17/42]: enabling entryUSN plugin
[18/42]: configuring lockout plugin
[19/42]: configuring topology plugin
[20/42]: creating indices
[21/42]: enabling referential integrity plugin
[22/42]: configuring certmap.conf
[23/42]: configure new location for managed entries
[24/42]: configure dirsrv ccache
[25/42]: enabling SASL mapping fallback
[26/42]: restarting directory server
[27/42]: creating DS keytab
[28/42]: ignore time skew for initial replication
[29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[30/42]: prevent time skew after initial replication
[31/42]: adding sasl mappings to the directory
[32/42]: updating schema
[33/42]: setting Auto Member configuration
[34/42]: enabling S4U2Proxy delegation
[35/42]: initializing group membership
[36/42]: adding master entry
ipaserver.install.service: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
[error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@ipa2c7 ~]# host ipa1.our.net
ipa1.our.net has address 192.168.2.61
===========
So I'm not sure why the DNS query is failing but it appears to be intermittent at best.
Also, after near-misses when the ldap error occurs, I often get informed that we have an existing replication agreement that needs to be removed. When I follow the indicated steps:
===========
[root@ipa1 ~]# ipa-replica-manage del ipa2c7.our.net --force
Directory Manager password:
Connection to 'ipa2c7.our.net' failed:
Forcing removal of ipa2c7.our.net
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between ipa2c7.our.net and ipa1.our.net, ipa2.our.net, ipa3.our.net
Failed to get list of agreements from 'ipa2c7.our.net':
Forcing removal on 'ipa1.our.net'
Any DNA range on 'ipa2c7.our.net' will be lost
Deleted replication agreement from 'ipa1.our.net' to 'ipa2c7.our.net'
'ipa2.our.net' has no replication agreement for 'ipa2c7.our.net'
Unable to remove replication agreement for ipa2c7.our.net from ipa2.our.net.
Failed to determine agreement type for 'ipa3.our.net':
Unable to remove replication agreement for ipa2c7.our.net from ipa3.our.net.
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
^C
Wait for task interrupted. It will continue to run in the background
Failed to cleanup ipa2c7.our.net entries: Not allowed on non-leaf entry
You may need to manually remove them from the tree
Failed to cleanup ipa2c7.our.net DNS entries: no matching entry found
You may need to manually remove them from the tree
[root@ipa1 ~]#
===========
Is there something obvious that I've missed?
--
Bret Wortman
bret.wortman(a)damascusgrp.com
2 years, 11 months
python3-ipaserver installutils.py missing IPA_MODULES list
by iulian roman
Hello everybody,
I do not know if this is the right place to mention it, but maybe there will be someone who can redirect me to the right list or support channel.
On RHEL 8.3, the latest python3-ipaserver package (python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37) does not contain the IPA_MODULES list in installutils.py. Due to that, the ansible freeipa role will fail.
Can you please suggest whom I should contact for that, or where it should be reported?
2 years, 11 months
named won't start
by Bret Wortman
It's an ancient server, and one I'm trying to get us off of, but it's our current primary IPA server on this network and named didn't like its last reboot and is erroring on startup:
[root@ipa1 ~]# systemctl status -l named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled)
Active: failed (Result: exit-code) since Thu 2021-06-03 12:47:25 EDT; 13min ago
Process: 1055 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
Process: 1053 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: bind-dyndb-ldap version 6.1 compiled at 17:24:34 Dec 2 2014, compiler 4.9.2 20141101 (Red Hat 4.9.2-1)
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: option 'serial_autoincrement' is not supported, ignoring
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: GSSAPI client step 1
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: GSSAPI client step 1
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: LDAP error: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context: bind to LDAP server failed
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: couldn't establish connection in LDAP connection pool: permission denied
Jun 03 12:47:25 ipa1.our.net systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jun 03 12:47:25 ipa1.our.net systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jun 03 12:47:25 ipa1.our.net systemd[1]: Unit named-pkcs11.service entered failed state.
Jun 03 12:47:25 ipa1.our.net systemd[1]: named-pkcs11.service failed.
One of its replicas is still up and running so I'm not in emergency crisis mode yet.
This server is running Fedora 21 and ipa-server 4.1.4-1.
We got here as I was trying to take this server and replicate it to a C7 box running a more recent ipa-server (4.6.8-5) but couldn't get the replication to work. Along the way, I rebooted the F21 server and it came back in this state.
What should I try next to get it back?
--
Bret Wortman
bret.wortman(a)damascusgrp.com
2 years, 11 months
Automember Hostgroup Rule not applying to new hosts
by Russ Long
Hello,
I have an automember rule for a hostgroup where it uses the nshostlocation of the host to then add the host to the group. When adding new hosts, which are installed via ipa-client-install, and then have the nshostlocation added via ipa host-mod, all in an automated process, the new hosts are not being added to the group. If I run an automembership rebuild, the hosts are then added.
As these hosts spin up and down frequently, having to manually trigger this is less than ideal. Is there a better way to handle this? I'm not dead set on using the nshostlocation for the automember rule, but it seemed the easiest and most appropriate for my situation.
Thanks,
Russ
2 years, 11 months
Solve freeipa 'fragility' via orchestrated containers & whole-container upgrade?
by Harry G. Coin
Long time freeipa users have faced a certain 'fragility' freeipa has inherited, mostly as a result of freeipa being the 'band director' over a number of distinct subsystems maintained by various groups across the world.
This or that 'little upgrade' in a seemingly small sub-part of freeipa 'suddenly breaks' major things like not being able to install a replica, etc. There's quite a list and it's been going on for a few years at least to my knowledge. Usually one expects newer features to have bugs but none that disrupt core prior functionality.
I wonder whether it would be a solution to this if free-ipa took a look at how a 'similar feeling' multi-host, multi-subsystem architecture has appeared to have solved this puzzle: ceph's 'containers' and 'orchestrator' / cephadm / 'ceph orch' concept.
For some time, as freeipa, ceph relied on packages and 'dependency hell management' to operate as native packages across hosts connected on an internal network. Then in a very effective shift: they treated 'the contents of a container' much as 'one thing owned entirely by and released by ceph' and tested that -- each container housing known-good versions of dependent and third party modules as well as their own code -- 'as one thing', to the point of providing their own tool to 'download and manage upgrade installs in the proper sequence' across hosts providing this-or-that functionality.
You might imagine a freeipa orchestrator upgrading masters and replicas in the correct order, freeipa devs knowing for certain-sure that no 'dnf upgrade' on the host will disrupt the setup that passed QA in the container... will not 'corrupt a database' owing to a 'sync' with content one version understood but another did not, etc.
Over these many months, while freeipa has struggled to provide consistent service and value, ceph has been working nearly flawlessly across many upgrade cycles and I think it's because ceph controls the versions of the subsystems in the containers -- and that improves QA and dramatically limits 'surprise breakages' that lead to the feeling of 'always catching up' under conditions of time pressure owing to down services, this or that distro's 100 package maintainers deciding when/if to include this/that patch and when to publish which new version, which are 'security updates', which are 'bug fix updates', etc. If freeipa server came in a container that was tested and QA'd as a container, deployed as a container, perhaps the 'fragility factor' would improve by 10x.
My $0.02
2 years, 11 months