Help-Query IPA-Client Re-Enrollment
by Polavarapu Manideep Sai
Hi Team,
I have a query.
I have two replica servers which are replicating with the master server:
Replica1 [Old] - hostname1.com --- 10 client nodes integrated at Replica1
Replica2 [New] - hostname2.com --- no client nodes integrated at Replica2
Now I want to remove Replica1, which is having issues.
Now the query is: can I re-enrol all 10 clients to Replica2 [hostname2.com] without going for uninstallation of ipa-client?
Regards
Sai
1 year, 3 months
Starting `ipa-server-install` fails while trying to run inside created Docker container
by Georgiy Odisharia
Hi there,
I am trying to install FreeIPA via a Docker container.
I successfully built an image with Rocky Linux 9 as the base image.
Then I created a container with the following options.
```
docker create \
-it \
--name ipa.odisharia.ru \
-v "$(realpath data)":/data:Z \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-e IPA_SERVER_IP=<MY_PUBLIC_IP> \
--read-only \
--tmpfs /run \
--tmpfs /tmp \
-h <HOSTNAME> \
--dns 127.0.0.1 \
freeipa-server \
-p 53:53 \
-p 8080:80 \
-p 8443:443 \
-p 389:389 \
-p 636:636 \
-p 88:88 \
-p 464:464 \
-p 88:88/udp \
-p 464:464/udp \
-p 123:123/udp \
ipa-server-install
```
Then I tried to run it but get the following error.
```
❯ docker start -ai ipa.odisharia.ru
systemd 250-12.el9_1.1 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization docker.
Detected architecture x86-64.
Queued start job for default target Minimal target for containerized FreeIPA server.
-.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup, ignoring: Operation not permitted
system.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup/system.slice, ignoring: Operation not permitted
systemd-journald.service: Failed to get cgroup ID on cgroup /sys/fs/cgroup/system.slice/systemd-journald.service, ignoring: Operation not permitted
system.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup/system.slice, ignoring: Operation not permitted
-.slice: Failed to get cgroup ID on cgroup /sys/fs/cgroup, ignoring: Operation not permitted
Fri Feb 10 14:12:04 UTC 2023 /usr/sbin/ipa-server-configure-first
Usage: ipa-server-install [options]
ipa-server-install: error: Too many arguments provided
File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 177, in execute
self.validate_options()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 282, in validate_options
self.option_parser.error("Too many arguments provided")
File "/usr/lib64/python3.9/optparse.py", line 1569, in error
self.exit(2, "%s: error: %s\n" % (self.get_prog_name(), msg))
File "/usr/lib64/python3.9/optparse.py", line 1559, in exit
sys.exit(status)
The ipa-server-install command failed, exception: SystemExit: 2
The ipa-server-install command failed.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
All filesystems, swaps, loop devices, MD devices and DM devices detached.
Exiting container.
```
How should I create and run a container with FreeIPA?
1 year, 3 months
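The "Too many arguments provided" in the log comes from Docker's argument grammar: everything after the image name is the container command and its arguments, so in the command above the `-p` port mappings that follow `freeipa-server` are handed to `ipa-server-install` instead of to Docker. The function below is an added example (not from the post or from the FreeIPA container project) that assembles the same invocation with every Docker option before the image name and gives a small audit helper; hostname, IP and data directory are placeholders, and `DRY_RUN=1` prints the argument list instead of running it.

```shell
# Added example: build `docker create` with all Docker options before the image
# name. Docker treats tokens after the image name as the container command, so
# the original "... freeipa-server -p 53:53 ... ipa-server-install" passed the
# -p flags to ipa-server-install. FQDN/IP/DATA_DIR are placeholders.

ipa_docker_create() {
    # ipa_docker_create FQDN PUBLIC_IP DATA_DIR [IMAGE]
    fqdn=$1; ip=$2; data=$3; image=${4:-freeipa-server}
    set -- docker create -it --name "$fqdn" -h "$fqdn" \
        -v "$data:/data:Z" \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        -e "IPA_SERVER_IP=$ip" \
        --read-only --tmpfs /run --tmpfs /tmp \
        --dns 127.0.0.1 \
        -p 53:53 -p 8080:80 -p 8443:443 -p 389:389 -p 636:636 \
        -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
        "$image" ipa-server-install
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"      # one token per line so the ordering is easy to audit
    else
        "$@"
    fi
}

check_option_order() {
    # check_option_order IMAGE ARG... -> 1 if any "-..." token appears after IMAGE
    image=$1; shift; seen=0
    for tok in "$@"; do
        [ "$seen" = 1 ] && case $tok in -*) return 1;; esac
        [ "$tok" = "$image" ] && seen=1
    done
    [ "$seen" = 1 ]
}

# usage:
#   DRY_RUN=1 ipa_docker_create ipa.example.test 203.0.113.10 "$(realpath data)"
#   ipa_docker_create ipa.example.test 203.0.113.10 "$(realpath data)" && docker start -ai ipa.example.test
```

The port list is the one from the post; note that DNS clients also use UDP 53, which the original mappings do not publish. The cgroup "Operation not permitted ... ignoring" lines in the log are non-fatal on a read-only cgroup mount and are unrelated to the argument error.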
Force LDAPS and 636 port
by Alex Ivanov
Greetings,
I'm struggling to find a comprehensive guide on how to block LDAP and 389 port on FreeIPA and force usage of LDAPS and 636 port for all clients and connections. I would really appreciate a link or a hint.
1 year, 3 months
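Firewalling port 389 on a FreeIPA server breaks more than cleartext clients: replication agreements and the `ipa` tooling themselves connect on 389 using SASL/GSSAPI or STARTTLS. The usual way to forbid unencrypted LDAP is therefore to raise the 389-ds minimum security strength factor so that cleartext sessions are rejected while LDAPS, STARTTLS and GSSAPI-encrypted sessions on either port keep working. The script below is an added example (not from the post or from FreeIPA) that generates and applies that configuration; it assumes the ldapi socket path FreeIPA derives from the realm (dots replaced by dashes), and `DRY_RUN=1` prints the LDIF instead of applying it.

```shell
# Added example: require encrypted LDAP on a FreeIPA server by setting the
# 389-ds minimum SSF in cn=config instead of blocking port 389.
# Assumes the FreeIPA ldapi socket /var/run/slapd-<REALM-with-dashes>.socket.

ldapi_socket() {
    # ldapi_socket REALM -> ldapi URL of the local 389-ds instance
    inst=$(printf '%s' "$1" | tr '.' '-')
    printf 'ldapi://%%2Fvar%%2Frun%%2Fslapd-%s.socket' "$inst"
}

secure_ldap_ldif() {
    # secure_ldap_ldif MINSSF -> LDIF that rejects cleartext sessions and insecure binds
    # nsslapd-minssf-exclude-rootdse keeps anonymous RootDSE reads (used for
    # feature discovery before STARTTLS) working.
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: $1
-
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: on
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
EOF
}

enforce_secure_ldap() {
    # enforce_secure_ldap REALM [MINSSF]  (56 rejects cleartext; TLS and AES GSSAPI exceed it)
    realm=$1; minssf=${2:-56}
    if [ "${DRY_RUN:-0}" = 1 ]; then
        secure_ldap_ldif "$minssf"
    else
        secure_ldap_ldif "$minssf" | ldapmodify -H "$(ldapi_socket "$realm")" -Y EXTERNAL -Q
    fi
}

# usage (as root on each server, cn=config is not replicated):
#   enforce_secure_ldap EXAMPLE.COM
```

Apply it on one replica first and test from a client: `ldapsearch -H ldaps://server -x -b dc=example,dc=com` and `ldapsearch -ZZ ...` over 389 should succeed, while a plain `ldapsearch -x` on 389 must fail with a minimum-SSF error. Local ldapi connections are governed by `nsslapd-localssf` and are not affected.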
Upgrade outdated FreeIPA sanity check
by Kevin Vasko
We have a set of 3x FreeIPA servers that have outdated (everything) in a development/test environment and need to be updated.
It seems that 4.6.8-5.el7.centos.12 is the latest version available on CentOS 7?
On the 3 servers we are at:
4.5.4-10.el7.centos.4.4
4.6.4-10-el7.centos.6
4.6.4-10-el7.centos.6
For the two 4.6.4 installs, that seems a relatively simple upgrade as we would only be going to a different dot release, and a simple "yum update ipa-server" should handle this? Is there any advice for/against doing a full "yum update" on the entire system to get everything updated?
For the 4.5.4 system, is there much of a concern going straight from 4.5.4 to 4.6.8? I assume the concern would be jumping major versions and going from, say, 4.5 to 4.9?
My current plan is to stop at CentOS 7.9 and the latest FreeIPA 4.6 release on CentOS 7.9. But for my own knowledge, if I were going to 4.10, wouldn't the recommended path be to install CentOS Stream 9 on a new server, enroll it, make 4.10 the master and then remove the CentOS 7 instances?
-Kevin
1 year, 3 months
ipa-replica-install fails when I use custom certificates
by Peter Tselios
I have installed the IPA server by using the following command:
```
ipa-server-install \
--realm "EXAMPLE.COM" -p 'password' -a 'password' \
--hostname="server.example.com" -n example.com \
--ip-address="10.1.4.2" \
--dirsrv-cert-file=/etc/pki/tls/private/example.com.pem \
--dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt \
--dirsrv-pin='' \
--http-cert-file=/etc/pki/tls/certs/example.com.crt \
--http-cert-file=/etc/pki/tls/private/example.com.pem \
--http-pin='' \
--ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem \
--ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem \
--mkhomedir -N \
--no-host-dns \
--unattended
```
This works perfectly fine.
However, I cannot make it work with ipa-replica-install since there is no option for --ca-cert-file.
So, how can I install a replica with custom certificates?
1 year, 3 months
Questions about /root/cacert.p12 file
by Kathy Zhu
Hi Team,
I'd like to understand more about the /root/cacert.p12 file in a self-signed CA environment. Here are the questions:
1. Could this file be located somewhere other than under /root?
2. What operations use this file instead of the nssdb? In other words, if the /root/cacert.p12 file were not in place, what operations would fail?
3. Any good readings to learn more?
Thank you in advance!
Kathy.
1 year, 3 months
How to lock a user after password expired for some period
by Sarawut Lee
Hi,
I'm using FreeIPA 4.9.8 on CentOS Stream 8. One feature I'm going to consider is locking a user once the password expires (except for some groups). Why I need it: some applications, when accessing user/password from FreeIPA, just read the user/password for each user (they don't implement Single Sign On). I'd appreciate any advice.
Regards,
Lee.
1 year, 3 months
password-expiration
by phiroc@free.fr
Hello,
in FreeIPA 4.5.4, how do you reset a user's password expiration date?
Many thanks.
Best regards,
Philippe
1 year, 3 months
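The two questions above (locking users whose password has expired, except for members of some group, and resetting a user's expiration date) both turn on the `krbPasswordExpiration` attribute, which FreeIPA stores as a GeneralizedTime such as `20230201000000Z`; because that format sorts lexically, "expired before a cutoff" is a plain string comparison. The script below is an added example (not from either post or from FreeIPA) showing both operations; it assumes `ipa user-find --all --raw` prints `uid:` and `krbpasswordexpiration:` lines per entry, the sample output embedded in it is constructed, and `DRY_RUN=1` prints the `ipa` commands instead of running them.

```shell
# Added example: disable users whose Kerberos password expired before a cutoff
# (skipping an exempt group) and reset a user's expiration date.
# Assumes `ipa user-find --all --raw` output with "uid:" and
# "krbpasswordexpiration:" lines per entry (GeneralizedTime values).

# constructed sample of `ipa user-find --all --raw` output
SAMPLE_USERS='  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  krbpasswordexpiration: 20230101000000Z
  uid: alice

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  krbpasswordexpiration: 20240101000000Z
  uid: bob

  dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=test
  krbpasswordexpiration: 20220101000000Z
  uid: svc-backup
'

select_expired_users() {
    # select_expired_users CUTOFF [EXEMPT_UID...] < raw-output
    # prints one uid per line whose expiration is older than CUTOFF and not exempt
    cutoff=$1; shift
    exempt=" $* "
    awk -v cutoff="$cutoff" '
        function flush() {
            if (uid != "" && expiry != "" && expiry < cutoff) print uid
            uid = ""; expiry = ""
        }
        $1 == "uid:"                   { uid = $2 }
        $1 == "krbpasswordexpiration:" { expiry = $2 }
        NF == 0 { flush() }
        END     { flush() }' |
    while IFS= read -r uid; do
        case $exempt in *" $uid "*) ;; *) printf '%s\n' "$uid";; esac
    done
}

group_members() {
    # group_members GROUP -> uids of the group's direct members (from "member:" DNs)
    ipa group-show "$1" --raw | awk '$1 == "member:" { sub(/^uid=/, "", $2); sub(/,.*/, "", $2); print $2 }'
}

run_ipa() {
    # run or (DRY_RUN=1) print an ipa command
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'ipa %s\n' "$*"; else ipa "$@"; fi
}

lock_expired_users() {
    # lock_expired_users CUTOFF [EXEMPT_UID...] < raw-output
    select_expired_users "$@" | while IFS= read -r uid; do run_ipa user-disable "$uid"; done
}

reset_password_expiration() {
    # reset_password_expiration UID GENERALIZED_TIME   e.g. 20240601000000Z
    run_ipa user-mod "$1" --setattr "krbPasswordExpiration=$2"
}

# usage (after kinit as an admin; cutoff = 30 days ago with GNU date):
#   ipa user-find --all --raw --sizelimit=0 |
#     lock_expired_users "$(date -u -d '-30 days' +%Y%m%d%H%M%SZ)" $(group_members sso-exempt)
#   reset_password_expiration alice "$(date -u -d '+90 days' +%Y%m%d%H%M%SZ)"
```

`ipa user-find` stops at its default size limit, so pass `--sizelimit=0` when the directory has more than a hundred users, and review the dry-run output before running it for real: a disabled account also loses SSH and Kerberos access, not only the application's password checks.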
Error on updating FreeIPA (custodia No such file or directory: '/var/lib/ipa/ra-agent.key')
by alexey safonov
I have 5 servers on CentOS 8 Stream, and while trying to update to Rocky 9.1 I found that re-creating new replicas succeeds only with one server; the others produce an error.
It fails with this error (full log attached):
```
[22/29]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(Command
['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
returned non-zero exit status 1: 'Traceback (most recent call last):\n
File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
<module>\n main(ra_agent_parser())\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
line 114, in main\n
common.main(parser, export_key, import_key)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
line 73, in
main\n func(args, tmpdir, **kwargs)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
line 69, in
import_key\n ipautil.run(cmd, umask=0o027)\n File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
run\n raise
CalledProcessError(\nipapython.ipautil.CalledProcessError:
CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
\'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
\'/var/lib/ipa/ra-agent.pem\', \'-password\',
\'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
\'Error outputting keys and
certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
default library context, Algorithm (RC2-40-CBC : 0),
Properties ()\\n\')\n')
[error] FileNotFoundError: [Errno 2] No such file or directory:
'/var/lib/ipa/ra-agent.key'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
```
So currently I'm in a situation where I have these servers:
A,B - CentOS8
C,D,E - RHEL9
I know that only when I'm mastering with server B will the recreation of a replica be successful. Even with the new server on RHEL9.1 no replica will be created, due to the custodia error.
Any ideas on how to fix that?
pki-ca on server A - 10.12.0.3
server B - 10.12.0.2
C,D,E - 11.2.1.1
ipa on A, B - 4.9.8.2
C,D,E - 4.10.0.7
I'm really worried about why only creating a replica with server B works.
Alex
1 year, 3 months
Re: help
by Pagan, Omar
I deployed CoreDNS zones in OpenStack to accommodate the private IPs in the zone I wanted with the FQDN. Once the private IPs were able to resolve with the domain I wanted, I was able to deploy.
If anyone wants details, I can post them here.
1 year, 3 months