backup / restore
by Frederic Ayrault
Hello,
I need to replace our external CA with an internal one.
We tried several ways without success. One of them was to do a backup
with ipa-backup or db2bak,
reinstall the server with an internal CA and restore the data. But
this also restores the external CA.
Is there a way to back up or restore only the users, groups, roles, ...?
I am still running IPA 4.6.8 on CentOS 7.
Thank you
Regards,
Frederic
Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
fred(a)lix.polytechnique.fr
7 months, 4 weeks
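One way to carry over only account data is to export the old directory to LDIF and import just the account subtrees into the new server, leaving the CA subtree behind. The filter below is an added example, not code from the thread or from FreeIPA; the sample LDIF, the suffix dc=example,dc=com and the attribute lists are constructed for it, and it assumes the realm name stays the same. It keeps entries under cn=users, cn=groups and cn=roles (below cn=accounts), drops the Kerberos keys (they are wrapped with the old master key and would be useless on a new install), drops memberOf (recomputed by the memberOf plugin from the groups' member attributes) and drops operational attributes, while keeping userPassword so the LDAP password hashes survive.

```python
"""Added example: filter an LDIF dump of an IPA directory down to user,
group and role entries so only account data is imported into a freshly
installed server. Sample data and DROP_ATTRS are constructed/assumed."""
import base64

# Only entries strictly below these containers are kept; the containers
# themselves already exist on a new server. Assumed IPA layout.
KEEP_BRANCHES = ("cn=users,cn=accounts", "cn=groups,cn=accounts",
                 "cn=roles,cn=accounts")

# Dropped on export (assumption): Kerberos keys are wrapped with the old
# master key, memberOf is recomputed by the plugin, SIDs belong to the old
# domain SID (regenerated by sidgen), the rest is operational.
DROP_ATTRS = {"krbprincipalkey", "krbextradata", "memberof",
              "ipantsecurityidentifier", "creatorsname", "modifiersname",
              "createtimestamp", "modifytimestamp", "entryusn",
              "nsuniqueid", "entryid"}


def parse_ldif(text):
    """Parse LDIF into entries; each entry is a list of
    [attribute, raw_value, is_base64] triples in file order."""
    entries, entry = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if raw.startswith(" ") and entry:          # folded continuation line
            entry[-1][1] += raw[1:]
            continue
        if raw == "":
            if entry:
                entries.append(entry)
                entry = []
            continue
        attr, _, value = raw.partition(":")
        is_b64 = value.startswith(":")
        value = value[1:] if is_b64 else value
        entry.append([attr, value.lstrip(" "), is_b64])
    return entries


def entry_dn(entry):
    attr, value, is_b64 = entry[0]
    assert attr.lower() == "dn", "LDIF entry must start with dn"
    return base64.b64decode(value).decode("utf-8") if is_b64 else value


def under_kept_branch(dn, suffix):
    dn = dn.lower()
    return any(dn.endswith("," + branch + "," + suffix.lower())
               for branch in KEEP_BRANCHES)


def filter_accounts(text, suffix):
    """Entries below the kept branches, minus DROP_ATTRS."""
    kept = []
    for entry in parse_ldif(text):
        if under_kept_branch(entry_dn(entry), suffix):
            kept.append([t for t in entry if t[0].lower() not in DROP_ATTRS])
    return kept


def to_ldif(entries):
    lines = []
    for entry in entries:
        for attr, value, is_b64 in entry:
            lines.append(f"{attr}:: {value}" if is_b64 else f"{attr}: {value}")
        lines.append("")
    return "\n".join(lines)


# Constructed sample: one user, one group, one CA-related entry to drop.
SAMPLE_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=com
objectClass: nsContainer
cn: users

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
objectClass: krbprincipalaux
uid: alice
uidNumber: 1201
krbPrincipalName: alice@EXAMPLE.COM
krbPrincipalKey:: AAAAAQAAAAEAAAAB
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
userPassword: {PBKDF2_SHA256}AAAgAAJYCf9Bx4PR
description: a long description that was fol
 ded by the exporter

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
cn: admins
gidNumber: 1000
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
objectClass: pkiCA
cn: CAcert
cACertificate;binary:: MIIB
"""

if __name__ == "__main__":
    print(to_ldif(filter_accounts(SAMPLE_LDIF, "dc=example,dc=com")))
```

Feed the real dump (`db2ldif` output or `ldapsearch -LLL` as Directory Manager) through `filter_accounts`, install the new server with its internal CA, then `ldapadd` the result. Users keep their LDAP password; Kerberos keys are created again on the next password change, or, with `ipa config-mod --enable-migration=TRUE`, when the user authenticates through the /ipa/migration/ page. `ipa migrate-ds` against the still-running old server performs this same selection online and is the less manual route when both servers can coexist.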
Free IPA DNS Issues
by Pradeep KNS
Hello Team,
While setting up FreeIPA in my Linux infrastructure, I noticed a strange
warning. I would like to clarify it before rolling into production.
*DNS zone alpha-grep.com. already exists in DNS and
is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the domain
is properly delegated to this IPA server.*
I have put the detailed installation log at this link. Please tell me
whether it could be a security flaw in future, before installing it on production.
https://bpa.st/AMITK
7 months, 4 weeks
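The warning means the zone is already authoritative on ns1/ns2 outside IPA, so after the install there are two copies of it; clients that resolve through the public servers only see IPA's SRV records if those servers delegate to (or mirror) the IPA server. The script below, an added example that is not from the post or from FreeIPA, compares the NS set the public resolvers return and the SRV records IPA clients need, as seen through the public resolvers and as served by the IPA server itself. The dig outputs and host names are constructed, and example.com stands in for the real domain.

```python
"""Added example: compare delegation and IPA SRV records between the public
view of a zone and the IPA server's own answers. Sample data is constructed."""
import subprocess

# SRV names ipa-server-install publishes under the domain (standard IPA set).
IPA_SRV_NAMES = ("_kerberos._udp", "_kerberos._tcp", "_kerberos-master._tcp",
                 "_kerberos-master._udp", "_kpasswd._tcp", "_kpasswd._udp",
                 "_ldap._tcp")


def _fqdn(host):
    return host.lower().rstrip(".") + "."


def dig_short(name, rtype, server=None):
    """Run dig +short; an empty string means no answer (or no dig binary)."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rtype]
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              check=False).stdout
    except FileNotFoundError:
        return ""


def parse_srv(text):
    """'0 100 88 ipa1.example.com.' lines -> {(prio, weight, port, target)}"""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            records.add((int(parts[0]), int(parts[1]), int(parts[2]),
                         _fqdn(parts[3])))
    return records


def parse_names(text):
    """NS +short output: one host name per line."""
    return {_fqdn(line) for line in text.splitlines() if line.strip()}


def collect_view(domain, server=None):
    """name -> SRV set, as answered by `server` (None = system resolver)."""
    return {name: parse_srv(dig_short(f"{name}.{domain}", "SRV", server))
            for name in IPA_SRV_NAMES}


def compare_views(domain, ipa_host, public_ns, public_view, ipa_view):
    """Findings a client on the public resolvers would hit; [] means the
    public delegation and the IPA server agree on everything clients need."""
    findings = []
    if _fqdn(ipa_host) not in public_ns:
        findings.append(f"{domain} is delegated to {sorted(public_ns)}, not to "
                        f"{ipa_host}: clients on public resolvers never reach "
                        "IPA's copy of the zone")
    for name in IPA_SRV_NAMES:
        pub = public_view.get(name, set())
        ipa = ipa_view.get(name, set())
        fqdn = f"{name}.{domain}"
        if not ipa:
            findings.append(f"{fqdn}: IPA server returns no SRV record")
        elif not pub:
            findings.append(f"{fqdn}: missing from the public zone")
        elif pub != ipa:
            findings.append(f"{fqdn}: public {sorted(pub)} differs from "
                            f"IPA {sorted(ipa)}")
    return findings


if __name__ == "__main__":
    import sys
    domain, ipa_host = sys.argv[1], sys.argv[2]   # e.g. example.com ipa1.example.com
    public_ns = parse_names(dig_short(domain, "NS"))
    report = compare_views(domain, ipa_host, public_ns,
                           collect_view(domain), collect_view(domain, ipa_host))
    for line in report or ["ok: delegation and SRV records agree"]:
        print(line)
```

Run it from a client that uses the normal resolvers. Every finding is a name that enrolment or Kerberos logins will resolve differently depending on which resolver a host uses; the usual remedies are to have ns1/ns2 delegate the zone (or a subdomain such as ipa.alpha-grep.com) to the IPA servers, or to keep the public zone and add the SRV records there.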
Migration sequencing
by Johnnie W Adams
Hi, folks,
We've got a small shop with around a hundred RHEL boxes and a small
user base currently authenticating against LDAP using one user naming
scheme. Our plan is to migrate these to freeipa (actually Red Hat IdM) with
a one-way trust with AD using a different naming scheme. I'm trying to
juggle in my head exactly how to sequence the needed activities to do this.
What I'd like to do is this, which I believe will require a moratorium
on user logons:
1) Provision IdM manually with new usernames and old UIDs.
2) Rename and chown home directories on the servers.
3) Join the servers to freeipa (IdM).
4) Establish a one-way trust with AD.
This seems like the logical course of events, but the gap between 3
and 4 worries me.
Thanks,
John A
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxadams(a)ualr.edu | http://ualr.edu/itservices
*UA Little Rock*
Reminder: IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts. For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.
7 months, 4 weeks
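Steps 1 and 2 of the plan above are mechanical enough to script, and scripting them is also where collisions surface before the logon moratorium starts. The following is an added example, not the poster's or IdM's code: it reads an old-name/new-name/UID mapping, rejects duplicate names or UIDs, checks the preserved UIDs against the server's local ID range (found with `ipa idrange-find`), emits the `ipa user-add` commands for step 1 using the real `--first`, `--last`, `--uid` and `--homedir` options, and performs the home directory renames of step 2 while reporting which directories still need a `chown`. The CSV rows and the ID range values are constructed.

```python
"""Added example: plan and execute the username-preserving-UID migration
(step 1 commands, step 2 renames). Mapping rows and range are constructed."""
import csv
import io
import os
import shlex

# Constructed mapping: old LDAP login -> new IdM login, keeping the UID.
SAMPLE_MAP = """old_name,new_name,uid,first,last
jadams,john.adams,1001,John,Adams
bsmith,bob.smith,1002,Bob,Smith
"""


def load_mapping(text):
    """Parse the CSV and refuse any duplicate old name, new name or UID."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["uid"] = int(row["uid"])
    for key in ("old_name", "new_name", "uid"):
        seen = [r[key] for r in rows]
        dups = {v for v in seen if seen.count(v) > 1}
        if dups:
            raise ValueError(f"duplicate {key}: {sorted(dups)}")
    return rows


def check_id_range(rows, base, size):
    """IdM expects POSIX IDs inside one of its local ranges; return the rows
    whose preserved UID falls outside [base, base + size)."""
    return [r for r in rows if not base <= r["uid"] < base + size]


def user_add_commands(rows, home_base="/home"):
    """Step 1: one `ipa user-add` per row, UID and home directory preset."""
    cmds = []
    for r in rows:
        args = (r["new_name"], f"--first={r['first']}", f"--last={r['last']}",
                f"--uid={r['uid']}", f"--homedir={home_base}/{r['new_name']}")
        cmds.append("ipa user-add " + " ".join(shlex.quote(a) for a in args))
    return cmds


def rename_homes(rows, home_base, dry_run=True):
    """Step 2: rename home_base/old -> home_base/new without clobbering.
    Returns (renames done, chown commands still needed because the numeric
    owner of the directory differs from the mapped UID)."""
    done, need_chown = [], []
    for r in rows:
        src = os.path.join(home_base, r["old_name"])
        dst = os.path.join(home_base, r["new_name"])
        if not os.path.isdir(src):
            continue                       # not every user has a home on every box
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to clobber {dst}")
        if not dry_run:
            os.rename(src, dst)
        done.append((src, dst))
        if os.lstat(src if dry_run else dst).st_uid != r["uid"]:
            need_chown.append(f"chown -R {r['uid']} {shlex.quote(dst)}")
    return done, need_chown


if __name__ == "__main__":
    rows = load_mapping(SAMPLE_MAP)
    bad = check_id_range(rows, 1000, 200000)          # assumed local range
    if bad:
        raise SystemExit(f"UIDs outside the local ID range: {bad}")
    print("\n".join(user_add_commands(rows)))
    done, chown = rename_homes(rows, "/home", dry_run=True)
    print(done, chown)
```

Run the rename with `dry_run=True` on each server first; the returned `chown` list is empty when the UIDs really are unchanged, which is the point of keeping the old UIDs, and non-empty on any box where the old LDAP UID differs from what the mapping says.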
Unable to delete ID range
by Jeremy Tourville
We are running IPA server 4.9.11. We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error: "ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed"
Any suggestions to troubleshoot and remove this range?
8 months
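The error says that some object in the directory has a uidNumber or gidNumber inside the range being deleted. An AD trust range (type ipa-ad-trust) maps SIDs to POSIX IDs and holds no IPA-local objects of its own, so a hit is normally a local user, group or ID-view override that was given an ID overlapping the trust range. The following is an added example, not the poster's or FreeIPA's code: it reads the base and size out of `ipa idrange-show` output, builds the ldapsearch filter that finds such objects, and evaluates the same condition over a constructed list of entries. The range values, the SID and the entries are made up.

```python
"""Added example: find the objects whose POSIX ID sits inside an IPA ID range,
which is what blocks `ipa idrange-del`. All sample data is constructed."""


def parse_idrange_show(text):
    """(base, size) from `ipa idrange-show <name>` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return (int(fields["first posix id of the range"]),
            int(fields["number of ids in the range"]))


def range_filter(base, size):
    """ldapsearch filter for users, groups and ID-view user overrides
    whose ID lies in [base, base + size)."""
    last = base + size - 1
    return ("(|"
            f"(&(objectClass=posixAccount)(uidNumber>={base})(uidNumber<={last}))"
            f"(&(objectClass=posixGroup)(gidNumber>={base})(gidNumber<={last}))"
            f"(&(objectClass=ipaUserOverride)(uidNumber>={base})(uidNumber<={last}))"
            ")")


def objects_in_range(entries, base, size):
    """entries: iterable of (dn, {attr: value}) as returned by a search.
    Returns (dn, attribute, id) for every ID inside the range."""
    hits = []
    for dn, attrs in entries:
        for attr in ("uidNumber", "gidNumber"):
            value = attrs.get(attr)
            if value is not None and base <= int(value) < base + size:
                hits.append((dn, attr, int(value)))
    return hits


# Constructed `ipa idrange-show` output for a trust range.
SAMPLE_RANGE_SHOW = """\
  Range name: AD.EXAMPLE.COM_id_range
  First Posix ID of the range: 1500000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory domain range
"""

# Constructed entries: one clean user, one user and one group that collide.
SAMPLE_ENTRIES = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=com",
     {"uidNumber": "1201", "gidNumber": "1201"}),
    ("uid=svc-backup,cn=users,cn=accounts,dc=example,dc=com",
     {"uidNumber": "1500000042", "gidNumber": "1500000042"}),
    ("cn=legacy,cn=groups,cn=accounts,dc=example,dc=com",
     {"gidNumber": "1500199999"}),
]

if __name__ == "__main__":
    base, size = parse_idrange_show(SAMPLE_RANGE_SHOW)
    # Search from the suffix, not cn=accounts, so ID views under cn=views are covered.
    print("ldapsearch -LLL -D 'cn=Directory Manager' -W -b dc=example,dc=com "
          f"'{range_filter(base, size)}' dn uidNumber gidNumber")
    for hit in objects_in_range(SAMPLE_ENTRIES, base, size):
        print(hit)
```

Once the hits are known, move them out of the range (for example `ipa user-mod <login> --uid=<new id>`, after checking file ownership on the hosts) or shrink the range with `ipa idrange-mod` so that no object is left outside a range, then retry `ipa idrange-del`.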
AD user authentication problems
by Ostrom, Erik
Hi freeipa-users list!
I'm having problems getting AD users from a specific domain (ad.contoso.local) to authenticate to our FreeIPA server (freeipa1.ipa.subdomain.contoso.local).
I've gone over the docs at https://sssd.io/troubleshooting/backend.html and now have a lot of logs for one of these failed AD user login attempts, but nothing stands out to me as being the actual problem.
The last few lines of my logs look something like this (sanitized as best I can while still making sense, hopefully): https://pastebin.com/HW4DcGT0
I'd be happy to share more logs with individuals or run other diagnostics if anyone is willing to help me figure out why users from this particular AD can't authenticate.
Thanks for your time!
Erik
8 months
Use existing Kerberos ticket for Keycloak Auth
by Ronald Wimmer
I found out that my TGT does not reside in a ticket cache file anymore.
Instead it is located in a keyring
(KEYRING:persistent:1073895519:1073895519). How would I fetch this
ticket with a few lines of python3 code in order to authenticate to
Keycloak for example?
Cheers,
Ronald
8 months
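A KEYRING:persistent:<uid> cache lives in the kernel keyring, and the right approach is not to fetch the ticket out of it but to let GSSAPI use the cache: libkrb5 reads it directly when KRB5CCNAME or default_ccache_name points at it, and the TGT never has to be copied into a file. The following is an added example, not from the original post or the Keycloak project. It answers a `WWW-Authenticate: Negotiate` challenge with a SPNEGO token from the python-gssapi package (`pip install gssapi`, not in the standard library) and checks the server's reply token for mutual authentication; the Keycloak URL, realm and host names are assumptions. Keycloak issues this challenge from the browser flow's authorization endpoint when the Kerberos authenticator is enabled, and on success answers with a redirect carrying the authorization code.

```python
"""Added example: HTTP Negotiate (SPNEGO) against Keycloak using whatever
credential cache GSSAPI sees, including a kernel keyring cache."""
import base64
import http.client
import urllib.parse

SPNEGO_OID = "1.3.6.1.5.5.2"   # mechanism HTTP Negotiate carries


def negotiate_header(token: bytes) -> str:
    """Authorization header value for an outgoing GSSAPI token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def challenge_token(www_authenticate):
    """Token from a WWW-Authenticate header: b'' for a bare 'Negotiate'
    challenge, the decoded bytes when the server sent one (mutual auth or
    continue), None when the Negotiate scheme is not offered at all."""
    if not www_authenticate:
        return None
    for item in www_authenticate.split(","):
        scheme, _, blob = item.strip().partition(" ")
        if scheme.lower() == "negotiate":
            return base64.b64decode(blob.strip()) if blob.strip() else b""
    return None


def spnego_context(host, ccache=None):
    """Initiator context for HTTP/<host>. ccache such as
    'KEYRING:persistent:1073895519' overrides the default cache; with None,
    GSSAPI uses KRB5CCNAME / default_ccache_name from krb5.conf."""
    import gssapi   # python-gssapi; imported lazily so the helpers above run without it
    target = gssapi.Name(f"HTTP@{host}", gssapi.NameType.hostbased_service)
    creds = None
    if ccache:
        creds = gssapi.Credentials(usage="initiate", store={"ccache": ccache})
    return gssapi.SecurityContext(name=target, creds=creds, usage="initiate",
                                  mech=gssapi.OID.from_int_seq(SPNEGO_OID))


def _get(parts, path, headers=None):
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp, body


def negotiate_get(url, ccache=None):
    """GET url; on a 401 Negotiate challenge retry with a SPNEGO token and
    feed the server's reply token back so mutual authentication completes.
    Returns (status, headers, body, mutual_auth_completed)."""
    parts = urllib.parse.urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    resp, body = _get(parts, path)
    if resp.status != 401 or challenge_token(resp.getheader("WWW-Authenticate")) is None:
        return resp.status, dict(resp.getheaders()), body, False
    ctx = spnego_context(parts.hostname, ccache)
    token = ctx.step()                       # initial SPNEGO token (AP-REQ inside)
    resp, body = _get(parts, path, {"Authorization": negotiate_header(token)})
    reply = challenge_token(resp.getheader("WWW-Authenticate"))
    if reply:
        ctx.step(reply)                      # server proves it holds the HTTP/ key
    return resp.status, dict(resp.getheaders()), body, bool(ctx.complete)


if __name__ == "__main__":
    import sys
    # Assumed: https://sso.example.com/realms/myrealm/protocol/openid-connect/auth?client_id=...&response_type=code&redirect_uri=...
    url = sys.argv[1]
    cache = sys.argv[2] if len(sys.argv) > 2 else None   # e.g. KEYRING:persistent:1073895519
    status, headers, _, mutual = negotiate_get(url, ccache=cache)
    print(status, headers.get("Location"), "mutual auth completed:", mutual)
```

Point it at the authorization URL with the client's parameters; a 302 whose Location carries `code=` means Keycloak accepted the ticket and the OpenID Connect flow can continue with a normal token request. Leave `mutual_auth_completed` in the output: a False there means the server never proved possession of the HTTP/ service key, which is worth knowing before trusting the redirect target.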
Ubuntu 22.04 and 4.9.x
by Cyrus
Hello!,
Does anybody know if there are any issues with freeipa-client in versions
higher than 4.9.8?
I'm currently having issues with Ubuntu 22.04 due to a Python library that
needed to be updated for an application's requirements and breaks the FreeIPA
Python scripts.
I see tar files for 4.9.12 and wonder why Ubuntu would go higher today.
Any experiences are welcome, I'm considering building an alternative
package but most probably nobody will be maintaining it internally and I
prefer going with distro provided packages.
Regards,
Cyrus
8 months
Healthcheck errors for certificate issues after update
by Jeremy Tourville
I recently updated my system. I am now at version 4.9.11. After the update I noticed the following output from healthcheck.
# ipa-healthcheck
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f0000001f2421fafd6722322500000000001f not found (404)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "8a663c7d-77f9-4739-8029-c401b113fa5e",
    "when": "20231003134004Z",
    "duration": "0.093615",
    "kw": {
      "key": "cert_show_1",
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f0000001f2421fafd6722322500000000001f not found (404)",
      "serial": "2475382717198593230277736537855912919378690079",
      "msg": "Serial number not found: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "3c183bb0-bffc-403a-9899-a59a4d29750b",
    "when": "20231003134009Z",
    "duration": "1.819175",
    "kw": {
      "key": "20230901185953",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  }
]
If I am understanding correctly it looks like the error is for a certificate that it cannot find. I have several questions here.
#1 What cert is the system looking for?
#2 How do I correct the error issue?
#3 Is the warning the result of the error? -ie are the issues related to each other?
#4 If the warning is not the result of the error, how do I correct that?
Thanks for your input.
8 months
Health check issues
by Alex Corcoles
Hi all,
Sorry I didn't keep track of this more accurately. Some time ago, the ipa-healthcheck service started failing (September 23rd, I think). I took a look, and IIRC, it said something like some certs were about to expire. I ignored that (because they renew automatically?). But then I checked some time after that, and ipa-healthcheck started reporting:
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
    "when": "20231004180708Z",
    "duration": "0.093486",
    "kw": {
      "key": "ca_audit_signing",
      "nickname": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
    "when": "20231004180708Z",
    "duration": "0.401906",
    "kw": {
      "key": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  }
]
I suppose the automatic renewal process went awry? I have seen messages on this list with similar errors, but the path forward does not seem clear to me.
I'm running:
ipa-healthcheck-0.12-1.el9.noarch
ipa-healthcheck-core-0.12-1.el9.noarch
ipa-server-4.10.1-9.el9_2.x86_64
Coincidentally, some updates went out around those dates:
2023-08-26T06:56:04+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-8.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch
Any thoughts?
Thanks,
Álex
8 months
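Both checks compare two copies of the same certificate: the one certmonger keeps in the NSS database under the nickname `auditSigningCert cert-pki-ca`, and the base64 DER that Dogtag stores on the `ca.audit_signing.cert=` line of CS.cfg. After a renewal the NSS copy is the new one and the CS.cfg line can be left stale, which is the mismatch reported. The script below is an added example, not from the thread, FreeIPA or Dogtag: it pulls both copies (CS.cfg parsed directly, the NSS copy through `certutil -L -a`), compares their SHA-256 fingerprints and reads the serial number out of each DER so the renewed copy is obvious. The DER blobs used for the stand-alone run are constructed stand-ins with a valid outer structure, not real certificates.

```python
"""Added example: compare the audit signing certificate in CS.cfg with the
copy in the pki-tomcat NSS database. Test certificates are constructed."""
import base64
import hashlib
import subprocess

NICKNAME = "auditSigningCert cert-pki-ca"
DIRECTIVE = "ca.audit_signing.cert"
CS_CFG = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
NSSDB = "/etc/pki/pki-tomcat/alias"


def cs_cfg_cert(text, directive=DIRECTIVE):
    """DER bytes of the certificate stored on the `directive=` line, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return base64.b64decode(value.strip())
    return None


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def nssdb_cert(nickname=NICKNAME, dbdir=NSSDB):
    """Export the certificate in PEM form (certutil -a) and return DER."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                         capture_output=True, text=True, check=True).stdout
    return pem_to_der(out)


def _tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_serial(der):
    """serialNumber: Certificate -> tbsCertificate -> [0] version -> INTEGER."""
    tag, cert, _ = _tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    tag, tbs, _ = _tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate missing"
    tag, value, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                       # explicit [0] version is optional
        tag, value, nxt = _tlv(tbs, nxt)
    assert tag == 0x02, "serialNumber missing"
    return int.from_bytes(value, "big", signed=True)


def compare(cfg_der, nss_der):
    """Fingerprint and serial of both copies plus whether they are identical."""
    def describe(der):
        return {"serial": der_serial(der),
                "sha256": hashlib.sha256(der).hexdigest()}
    return {"match": cfg_der == nss_der,
            "cs_cfg": describe(cfg_der), "nssdb": describe(nss_der)}


def _der(tag, payload):
    """Minimal DER encoder, used only to build constructed test input."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload


def fake_cert(serial):
    """Constructed certificate-shaped DER carrying only version and serial."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(3, "big"))
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    with open(CS_CFG) as fh:
        report = compare(cs_cfg_cert(fh.read()), nssdb_cert())
    for key, value in report.items():
        print(key, value)
```

Run it as root on the CA. When `match` is False, `openssl x509 -inform der -noout -serial -dates` on each copy (write the DER out first) shows which one is the renewed certificate; the healthcheck passes again once the `ca.audit_signing.cert=` line holds the same DER as the NSS database and pki-tomcatd has been restarted, and `getcert list -n 'auditSigningCert cert-pki-ca'` shows whether certmonger considers the renewal finished.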