Re: unable to install freeipa replica
by Rob Crittenden
seddik alaoui ismaili wrote:
> I tried to kill the process, but it didn't help
>
> Error showed :
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
We really need more details on what it is you're doing and seeing. The
install log, for example.
When you killed ns-slapd did you:
- confirm it wasn't running afterward
- run ipa server-del <replica fqdn>
- run ipa-server-install --uninstall -U prior to trying to re-install
rob
P.S. Please keep responses on the list
>
> On Mon, 26 Feb 2024 at 16:47, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> seddik alaouiismaili via FreeIPA-users wrote:
> > Thank you for the reply..
> > It's for ipa running on replica(client) server
> >
> > So you think i can kill the process, and re-install replica ??
>
> I'm just curious about the history. Is this a leftover from a previous
> failed installation? Normally ipa-server-install --uninstall will
> remove/kill it.
>
> If you're sure it's just a zombie process then yes, killing it should
> allow installation.
>
> rob
>
2 months, 3 weeks
unable to install freeipa replica
by seddik alaouiismaili
I tried to install freeipa server and replica, and replica install showed this error :
```
ipa requires ports 389 and 636 for the directory server. these are currently in use 389
```
Actually, port 389 is used on the replica/client server by ns-slapd.
This is needed to be done asap ..
Without access to the ipa servers, I need to build a local ipa check_ipa_replication nagios check.
Thank you
2 months, 3 weeks
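A pre-flight check for the situation in the two posts above (a leftover ns-slapd holding port 389 before a replica re-install), as an added example that is not part of the thread or of FreeIPA: it parses `ss -Hltnp` output, constructed here as a sample, maps the directory-server ports to the processes holding them, and restates the cleanup order from Rob's reply as findings. The function names and the sample output are my own.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -Hltnp` output (-H drops the header line), mimicking
# a replica where a leftover ns-slapd still listens on 389 while 636 is free.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128  0.0.0.0:389   0.0.0.0:* users:(("ns-slapd",pid=1234,fd=7))
LISTEN 0 128  [::]:389      [::]:*    users:(("ns-slapd",pid=1234,fd=8))
LISTEN 0 4096 127.0.0.1:53  0.0.0.0:* users:(("named",pid=900,fd=21))
"""

IPA_DS_PORTS = (389, 636)            # the ports ipa-server-install checks for
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')   # users:(("name",pid=N,fd=M))


def find_listeners(ss_output, ports=IPA_DS_PORTS):
    """Map each port of interest to the sorted (process, pid) pairs listening on it."""
    found = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # e.g. 0.0.0.0:389 or [::]:389
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port not in ports:
            continue
        for name, pid in PROC_RE.findall(line):
            found[port].add((name, int(pid)))  # v4 and v6 sockets share one pid
    return {port: sorted(procs) for port, procs in found.items()}


def preflight(ss_output, ports=IPA_DS_PORTS):
    """Return human-readable findings; an empty list means the ports are free."""
    findings = []
    for port, procs in sorted(find_listeners(ss_output, ports).items()):
        for name, pid in procs:
            if name == "ns-slapd":
                findings.append(
                    f"port {port} is held by a leftover ns-slapd (pid {pid}); "
                    "stop it and confirm it is gone, run 'ipa server-del <replica fqdn>' "
                    "on a working master, then 'ipa-server-install --uninstall -U' "
                    "here before retrying the replica install")
            else:
                findings.append(f"port {port} is held by {name} (pid {pid})")
    return findings


if __name__ == "__main__":
    import subprocess
    try:   # use the live host when ss is available, otherwise the sample above
        live = subprocess.run(["ss", "-Hltnp"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT
    for line in preflight(live) or ["ports 389/636 are free"]:
        print(line)
```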
FreeIPA 4.11.1 radius proxy auth timeout
by Lenard Pasztor
Hi All!
I've just configured FreeIPA with duo authproxy. I assigned a user to use this radius proxy.
When I try to log in to the FreeIPA admin UI, it is successful when the mobile push arrives shortly and I have time to accept the login with my mobile device.
So there is a timeout problem. I've tried to search this mailing list and found some old mails on this topic, but they did not help.
I've found the ipa-otpd logs and I see that the ipa-otpd always reports Accept-Accept but usually it is too late and the FreeIPA admin UI reports auth failed.
Can somebody tell where can I configure the timeout?
I've also tried to set up password+radius auth on an enrolled Linux host. I can log in the user with password auth, but when I set radius auth in the "Authentication indicators" section of the enrolled host, the user can't log in and does not receive the 2FA push.
How can I debug this?
Thanks!
2 months, 4 weeks
Cannot sudo on one system
by Jeremy Tourville
I am unable to sudo but I can log in to this system. This host is a member of host group "admin"; other hosts in the admin group are able to sudo. From troubleshooting, the issue appears to be isolated to this host only.
IPA Server is 4.9.11 but client is 4.9.12
[root@gsil-v-lc10 log]# rpm -qa | grep ipa-client
ipa-client-4.9.12-9.module+el8.9.0+1535+eb844c6f.x86_64
ipa-client-common-4.9.12-9.module+el8.9.0+1535+eb844c6f.noarch
[root@gsil-v-lc10 log]# cat /etc/redhat-release
Rocky Linux release 8.9 (Green Obsidian)
The ipa-client installed without any issues.
kinit jtourville.sa(a)gsil.org works as expected. A klist shows the ticket
id jtourville.sa works as expected and the appropriate groups are displayed.
Logs show the following while attempting to sudo:
tail -f /var/log/audit/audit.log -f /var/log/sssd/*.log -f /var/log/messages
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SYSCALL msg=audit(1708441835.339:2331): arch=c000003e syscall=59 success=yes exit=0 a0=561a46512ff0 a1=561a465111a0 a2=561a46512590 a3=8 items=2 ppid=6267 pid=6543 auid=10044 uid=10044 gid=4001 euid=0 suid=0 fsuid=0 egid=4001 sgid=4001 fsgid=4001 tty=pts1 ses=7 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="privileged"
ARCH=x86_64 SYSCALL=execve AUID="jtourville.sa" UID="jtourville.sa" GID="gsil_sa" EUID="root" SUID="root" FSUID="root" EGID="gsil_sa" SGID="gsil_sa" FSGID="gsil_sa"
node=gsil-v-lc10.idm.gsil.org type=EXECVE msg=audit(1708441835.339:2331): argc=2 a0="sudo" a1="su"
node=gsil-v-lc10.idm.gsil.org type=CWD msg=audit(1708441835.339:2331): cwd="/home/gsil.org/jtourville.sa"
node=gsil-v-lc10.idm.gsil.org type=PATH msg=audit(1708441835.339:2331): item=0 name="/usr/bin/sudo" inode=100664031 dev=fd:01 mode=0104111 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sudo_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID="root" OGID="root"
node=gsil-v-lc10.idm.gsil.org type=PATH msg=audit(1708441835.339:2331): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=72105 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID="root" OGID="root"
node=gsil-v-lc10.idm.gsil.org type=PROCTITLE msg=audit(1708441835.339:2331): proctitle=7375646F007375
==> /var/log/sssd/sssd_kcm.log <==
(2024-02-20 15:10:39): [kcm] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2024-02-20 15:10:39): [kcm] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SERVICE_STOP msg=audit(1708441839.721:2332): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
UID="root" AUID="unset"
==> /var/log/messages <==
Feb 20 15:10:39 gsil-v-lc10 sssd_kcm[6533]: Shutting down (status = 0)
Feb 20 15:10:39 gsil-v-lc10 systemd[1]: sssd-kcm.service: Succeeded.
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=SERVICE_START msg=audit(1708441848.576:2333): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
UID="root" AUID="unset"
==> /var/log/sssd/sssd_kcm.log <==
(2024-02-20 15:10:48): [kcm] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
==> /var/log/sssd/krb5_child.log <==
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "gsil.org"]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] krb5_child started.
* (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x1000): [RID#20] total buffer size: [120]
* (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] cmd [241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline [false] UPN [jtourville.sa(a)GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-02-20 15:10:48): [krb5_child[6547]] [switch_creds] (0x0200): [RID#20] Switch user to [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6547]] [sss_krb5_cc_verify_ccache] (0x2000): [RID#20] TGT not found or expired.
* (2024-02-20 15:10:48): [krb5_child[6547]] [switch_creds] (0x0200): [RID#20] Switch user to [0][0].
* (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_check_old_ccache] (0x4000): [RID#20] Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-02-20 15:10:48): [krb5_child[6547]] [k5c_setup_fast] (0x0100): [RID#20] Fast principal is set to [host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6547]] [find_principal_in_keytab] (0x4000): [RID#20] Trying to find principal host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG in keytab.
* (2024-02-20 15:10:48): [krb5_child[6547]] [match_principal] (0x1000): [RID#20] Principal matched to the sample (host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG).
* (2024-02-20 15:10:48): [krb5_child[6547]] [check_fast_ccache] (0x0200): [RID#20] FAST TGT is still valid.
* (2024-02-20 15:10:48): [krb5_child[6547]] [become_user] (0x0200): [RID#20] Trying to become user [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x2000): [RID#20] Running as [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6547]] [set_lifetime_options] (0x0100): [RID#20] No specific renewable lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6547]] [set_lifetime_options] (0x0100): [RID#20] No specific lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6547]] [set_canonicalize_option] (0x0100): [RID#20] Canonicalization is set to [true]
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] Will perform auth
* (2024-02-20 15:10:48): [krb5_child[6547]] [main] (0x0400): [RID#20] Will perform online auth
* (2024-02-20 15:10:48): [krb5_child[6547]] [tgt_req_child] (0x1000): [RID#20] Attempting to get a TGT
* (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0400): [RID#20] Attempting kinit for realm [GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-02-20 15:10:48): [krb5_child[6547]] [map_krb5_error] (0x0020): [RID#20] 2379: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
(2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] krb5_child started.
* (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x1000): [RID#20] total buffer size: [120]
* (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x0100): [RID#20] cmd [241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline [false] UPN [jtourville.sa(a)GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6551]] [unpack_buffer] (0x0100): [RID#20] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-02-20 15:10:48): [krb5_child[6551]] [switch_creds] (0x0200): [RID#20] Switch user to [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6551]] [sss_krb5_cc_verify_ccache] (0x2000): [RID#20] TGT not found or expired.
* (2024-02-20 15:10:48): [krb5_child[6551]] [switch_creds] (0x0200): [RID#20] Switch user to [0][0].
* (2024-02-20 15:10:48): [krb5_child[6551]] [k5c_check_old_ccache] (0x4000): [RID#20] Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-02-20 15:10:48): [krb5_child[6551]] [k5c_setup_fast] (0x0100): [RID#20] Fast principal is set to [host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6551]] [find_principal_in_keytab] (0x4000): [RID#20] Trying to find principal host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG in keytab.
* (2024-02-20 15:10:48): [krb5_child[6551]] [match_principal] (0x1000): [RID#20] Principal matched to the sample (host/gsil-v-lc10.idm.gsil.org(a)IDM.GSIL.ORG).
* (2024-02-20 15:10:48): [krb5_child[6551]] [check_fast_ccache] (0x0200): [RID#20] FAST TGT is still valid.
* (2024-02-20 15:10:48): [krb5_child[6551]] [become_user] (0x0200): [RID#20] Trying to become user [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x2000): [RID#20] Running as [10044][4001].
* (2024-02-20 15:10:48): [krb5_child[6551]] [set_lifetime_options] (0x0100): [RID#20] No specific renewable lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6551]] [set_lifetime_options] (0x0100): [RID#20] No specific lifetime requested.
* (2024-02-20 15:10:48): [krb5_child[6551]] [set_canonicalize_option] (0x0100): [RID#20] Canonicalization is set to [true]
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] Will perform auth
* (2024-02-20 15:10:48): [krb5_child[6551]] [main] (0x0400): [RID#20] Will perform online auth
* (2024-02-20 15:10:48): [krb5_child[6551]] [tgt_req_child] (0x1000): [RID#20] Attempting to get a TGT
* (2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0400): [RID#20] Attempting kinit for realm [GSIL.ORG]
* (2024-02-20 15:10:48): [krb5_child[6551]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-02-20 15:10:48): [krb5_child[6551]] [map_krb5_error] (0x0020): [RID#20] 2379: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
==> /var/log/messages <==
Feb 20 15:10:48 gsil-v-lc10 systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 20 15:10:48 gsil-v-lc10 systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 20 15:10:48 gsil-v-lc10 sssd_kcm[6550]: Starting up
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6547]: Cannot find KDC for realm "GSIL.ORG"
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6547]: Cannot find KDC for realm "GSIL.ORG"
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6551]: Cannot find KDC for realm "GSIL.ORG"
==> /var/log/sssd/sssd_idm.gsil.org.log <==
(2024-02-20 15:10:48): [be[idm.gsil.org]] [fo_resolve_service_send] (0x0020): [RID#20] No available servers for service 'IPA'
* ... skipping repetitive backtrace ...
(2024-02-20 15:10:48): [be[idm.gsil.org]] [child_sig_handler] (0x0020): [RID#20] waitpid did not found a child with changed status.
* ... skipping repetitive backtrace ...
(2024-02-20 15:10:48): [be[idm.gsil.org]] [krb5_auth_cache_creds] (0x0020): [RID#20] Offline authentication failed
==> /var/log/audit/audit.log <==
node=gsil-v-lc10.idm.gsil.org type=USER_AUTH msg=audit(1708441848.898:2334): pid=6543 uid=10044 auid=10044 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="jtourville.sa" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
UID="jtourville.sa" AUID="jtourville.sa"
==> /var/log/messages <==
Feb 20 15:10:48 gsil-v-lc10 krb5_child[6551]: Cannot find KDC for realm "GSIL.ORG"
3 months
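An added triage script for the krb5_child log format quoted above, not part of the post or of SSSD: it groups lines by request id, pulls out the user's UPN realm, the host's FAST principal realm and the realm kinit was attempted against, and collects the libkrb5 error codes. In the excerpt above the UPN is in GSIL.ORG while the host principal is in IDM.GSIL.ORG, which is the kind of mismatch the script surfaces; the sample log lines are constructed and use "@" where the archive prints "(a)".

```python
import re

# Constructed krb5_child log excerpt in the format quoted in the post above.
SAMPLE_KRB5_CHILD_LOG = """\
(2024-02-20 15:10:48): [krb5_child[6547]] [unpack_buffer] (0x0100): [RID#20] cmd [241 (auth)] uid [10044] gid [4001] validate [true] enterprise principal [false] offline [false] UPN [jtourville.sa@GSIL.ORG]
(2024-02-20 15:10:48): [krb5_child[6547]] [k5c_setup_fast] (0x0100): [RID#20] Fast principal is set to [host/gsil-v-lc10.idm.gsil.org@IDM.GSIL.ORG]
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0400): [RID#20] Attempting kinit for realm [GSIL.ORG]
(2024-02-20 15:10:48): [krb5_child[6547]] [get_and_save_tgt] (0x0020): [RID#20] 2250: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
(2024-02-20 15:10:48): [krb5_child[6547]] [map_krb5_error] (0x0020): [RID#20] 2379: [-1765328230][Cannot find KDC for realm "GSIL.ORG"]
"""

# "(ts): [krb5_child[pid]] [func] (level): [RID#n] message"; a leading "* "
# marks lines replayed inside a backtrace dump and is tolerated.
LINE_RE = re.compile(
    r'^\*?\s*\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] '
    r'\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$')
UPN_RE = re.compile(r'UPN \[([^\]]+)\]')
FAST_RE = re.compile(r'Fast principal is set to \[([^\]]+)\]')
KINIT_RE = re.compile(r'Attempting kinit for realm \[([^\]]+)\]')
ERR_RE = re.compile(r'\[(-?\d+)\]\[([^\]]+)\]$')   # [krb5 error code][message]


def realm_of(principal):
    """Realm part of a principal; accepts the archive's "(a)" spelling of "@"."""
    return re.split(r'@|\(a\)', principal)[-1]


def triage(log_text):
    """Summarise each krb5_child run (keyed by RID) from raw log text."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # separators, backtrace banners, etc.
        run = runs.setdefault(m["rid"], {"upn_realm": None, "host_realm": None,
                                         "kinit_realm": None, "errors": []})
        msg = m["msg"]
        if u := UPN_RE.search(msg):
            run["upn_realm"] = realm_of(u.group(1))
        elif f := FAST_RE.search(msg):
            run["host_realm"] = realm_of(f.group(1))
        elif k := KINIT_RE.search(msg):
            run["kinit_realm"] = k.group(1)
        elif e := ERR_RE.search(msg):
            code, text = e.groups()
            if (int(code), text) not in run["errors"]:   # same error is logged twice
                run["errors"].append((int(code), text))
    for run in runs.values():
        # A user realm that differs from the host's realm means the client must
        # be able to locate a KDC for that other realm (or a trust path to it).
        run["realm_mismatch"] = (run["upn_realm"] is not None
                                 and run["host_realm"] is not None
                                 and run["upn_realm"].upper() != run["host_realm"].upper())
    return runs


if __name__ == "__main__":
    for rid, run in triage(SAMPLE_KRB5_CHILD_LOG).items():
        print(f"RID#{rid}: user realm {run['upn_realm']}, host realm {run['host_realm']}, "
              f"kinit against {run['kinit_realm']}, mismatch={run['realm_mismatch']}")
        for code, text in run["errors"]:
            print(f"  error {code}: {text}")
```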
Error during enrolling
by Dmitry Krasov
Centos 9 ipa-client install error:
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication failed: No key table entry found for host/ipaclient.dom.loc(a)DOM.LOC
----------------------------------------------
This program will set up IPA client.
Version 4.11.0
Client hostname: ipaclient.dom.loc
Realm: DOM.LOC
DNS Domain: dom.loc
IPA Server: ipa.dom.loc
BaseDN: dc=dom,dc=loc
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOM.LOC
Issuer: CN=Certificate Authority,O=DOM.LOC
Valid From: 2022-12-12 10:19:12+00:00
Valid Until: 2042-12-12 10:19:12+00:00
Enrolled in IPA realm DOM.LOC
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication failed: No key table entry found for host/ipaclient.dom.loc(a)DOM.LOC
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
3 months
ipa client install as root but am told I need to be root
by Mauricio Tavares
So I am trying to add the first ipa client to my test environment. If
I am running ipa-client-install as a root, why is it barking that
nisdomainname: you must be root to change the domain name
[root@idm-client1 /]# ipa-client-install --domain example.test
--no-ntp --mkhomedir
This program will set up IPA client.
Version 4.9.12
Discovery was successful!
Client hostname: idm-client1.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: idm01.example.test
BaseDN: dc=example,dc=test
Continue to configure the system with these values? [no]: yes
Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
User authorized to enroll computers: admin
Password for admin(a)EXAMPLE.TEST:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.TEST
Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
Valid From: 2024-02-07 15:25:44
Valid Until: 2044-02-07 15:25:44
Enrolled in IPA realm EXAMPLE.TEST
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring example.test as NIS domain.
CalledProcessError(Command ['/bin/systemctl', 'restart',
'nis-domainname.service'] returned non-zero exit status 1: 'Job for
nis-domainname.service failed because the control process exited with
error code.\nSee "systemctl status nis-domainname.service" and
"journalctl -xe" for details.\n')
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information
[root@idm-client1 /]#
[root@idm-client1 /]# systemctl status nis-domainname.service --full --no-pager
● nis-domainname.service - Read and set NIS domainname from
/etc/sysconfig/network
Loaded: loaded (/usr/lib/systemd/system/nis-domainname.service;
enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2024-02-12 21:26:58
UTC; 2min 24s ago
Process: 300 ExecStart=/usr/libexec/hostname/nis-domainname
(code=exited, status=1/FAILURE)
Main PID: 300 (code=exited, status=1/FAILURE)
Feb 12 21:26:58 idm-client1.example.test systemd[1]: Starting Read and
set NIS domainname from /etc/sysconfig/network...
Feb 12 21:26:58 idm-client1.example.test nis-domainname[301]:
nisdomainname: you must be root to change the domain name
Feb 12 21:26:58 idm-client1.example.test systemd[1]:
nis-domainname.service: Main process exited, code=exited,
status=1/FAILURE
Feb 12 21:26:58 idm-client1.example.test systemd[1]:
nis-domainname.service: Failed with result 'exit-code'.
Feb 12 21:26:58 idm-client1.example.test systemd[1]: Failed to start
Read and set NIS domainname from /etc/sysconfig/network.
[root@idm-client1 /]#
3 months
handling certificate expirations
by Grant Janssen
When I upgraded the servers to EL8 (I rebuilt from scratch using the old hostnames), I had neglected to assign an IPA CA renewal master after the old “boss” was retired.
This crime is of course its own punishment.
I found the documentation for handling this to actually be pretty good.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
fraser’s blog was also helpful (in confirming I executed this correctly)
https://frasertweedale.github.io/blog-redhat/posts/2019-05-24-ipa-cert-fi...
I progressed through the other three IPA servers, but the last one still has a bad expiration on the CA cert.
[root@ef-idm01 ~]# date
Wed Feb 14 07:08:38 PST 2024
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
IPA IPA RA certificate:
Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
Serial: 162
Expires: 2024-01-02 15:58:28
Enter "yes" to proceed: yes
Proceeding.
Renewed IPA IPA RA certificate:
Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
Serial: 1341915142
Expires: 2026-02-03 20:18:20
Becoming renewal master.
Restarting IPA
Note: Monitor the certmonger-initiated renewal of
certificates after ipa-cert-fix and wait for its completion before
any other administrative task.
The ipa-cert-fix command was successful
[root@ef-idm01 ~]#
I checked the cert expiration several times yesterday, but it never updated on this server.
I waited a full day to let certmonger do its thing, below is my result this morning.
[root@ef-idm01 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@ef-idm01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]# ipa-cert-fix
Nothing to do.
The ipa-cert-fix command was successful
[root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
[root@ef-idm01 ~]#
How can I sort out this one remaining issue?
Do I just assign another server as the renewal master?
thanx
- grant
3 months
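An added checker for the filtered `getcert list` output shown above, not part of the post or of certmonger: it parses the Request ID / status / subject / expires lines (stripping the `<http://...>` autolink noise mail clients add to subjects), drops the zone abbreviation from the expiry on the assumption that it is the server's own local zone, and flags every request whose status is not MONITORING or whose expiry is already past. The sample output is constructed from the thread and the reference time is the `date` output from the post.

```python
import re
from datetime import datetime

# Constructed `getcert list` output, filtered as in the post
# (egrep '^Request|status:|subject:|expir').
SAMPLE_GETCERT = """\
Request ID '20230530175932':
status: MONITORING
subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180438':
status: NEED_CA
subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
expires: 2024-01-02 07:58:28 PST
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s*(status|subject|expires):\s*(.*)$")
AUTOLINK_RE = re.compile(r"<https?://[^>]*>")      # mail-client autolink residue
HEALTHY_STATES = {"MONITORING"}   # assumption: anything else deserves a look


def parse_expiry(text):
    """'2025-05-30 10:59:53 PDT' -> naive datetime. Assumption: the trailing
    zone abbreviation is the server's local zone, so it is dropped and the
    reference time must be given in that same zone."""
    return datetime.strptime(text[:19], "%Y-%m-%d %H:%M:%S")


def parse_getcert(output):
    """Turn filtered `getcert list` text into a list of request dicts."""
    requests = []
    for line in output.splitlines():
        line = AUTOLINK_RE.sub("", line)
        if m := REQUEST_RE.match(line):
            requests.append({"id": m.group(1)})
        elif (m := FIELD_RE.match(line)) and requests:
            key, value = m.groups()
            requests[-1][key] = parse_expiry(value) if key == "expires" else value
    return requests


def find_problems(requests, now):
    """Flag requests certmonger is not tracking healthily or that are past expiry."""
    problems = []
    for req in requests:
        reasons = []
        if req.get("status") not in HEALTHY_STATES:
            reasons.append(f"status {req.get('status')}")
        if "expires" in req and req["expires"] < now:
            reasons.append(f"expired {(now - req['expires']).days} days ago")
        if reasons:
            problems.append((req["id"], req.get("subject", "?"), "; ".join(reasons)))
    return problems


if __name__ == "__main__":
    now = parse_expiry("2024-02-14 07:08:38 PST")    # `date` output in the post
    for rid, subject, why in find_problems(parse_getcert(SAMPLE_GETCERT), now):
        print(f"{rid} {subject}: {why}")
```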
Named times out localhost:53 minutes per boot until notify storm settles?
by Harry G Coin
On the latest stable freeipa on v9, in a two-master setup: after a
period of normal operations, I need to reboot one of them. When that
happens, each boot, nslookup times out on the newly rebooted one, even
after named has been running for minutes.
The logs are filled with such as (signed) zones sending and receiving
'notifies', sometimes on v6 interfaces and sometimes on v4, often for
the same zones, with slightly increasing serial numbers. DNSSec is
active on most zones.
During that time, 'nslookups' on the most recently booted machine time
out. Letting time pass (usually 10 to 15 minutes) this 'notify storm'
settles and normal bind/named operations commence. Operations on the
other node (not rebooted) remain normal throughout, though its logs too
are filled with 'notifies' received on v4 and v6, but not sent.
What can be done? I don't mind the 'notify storm' as such, but during
that I need resolution to occur. What am I missing?
Thanks!
Harry Coin
3 months
Kerberos principal expiration
by kt s
When I log in with administrator, I get an error "Kerberos principal expiration".
I can't log in now, so how do I change the Kerberos principal time?
3 months