IPA CA allow CSR SAN names in external domains
by Steve Dainard
Hello
I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be
able to add SAN's for a different dns domain than exists in the IPA realm.
The dns for 'otherdomain.com' is handled by active directory which my IPA
server has a cross-forest trust with.
ie:
host: client1.ipadomain.com
certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com,
servicename.otherdomain.com
When I try to submit this CSR with 'ipa-getcert request' the IPA server
denies with: "The service principal for subject alt name
servicename.otherdomain.com in certificate request does not exist"
It seems that the default CAACL enforces a profile named
'caIPAserviceCert', but I'm having some trouble determining what can be
modified (or cloned and changed in a new profile) that would allow the CA
to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the
SAN.
This is the only section in the profile that contains SAN:
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject
Alternative Name
Thanks,
Steve
6 months, 3 weeks
ipa-getkeytab: PrincipalName not found
by Harald Dunkel
Hi folks,
maybe I missed something, but shouldn't admin have sufficient
privileges to run
# ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
# reboot
:
:
# kinit admin
# ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab
?
ipa-getkeytab failed with
Failed to parse result: PrincipalName not found.
I would have expected it to create the principal on the fly.
"admin" was created at freeipa install time on the first server,
AFAIR. It is member of the "admins" and "trust admins" groups.
I am concerned that I corrupted something. Every helpful comment
is highly appreciated.
Harri
3 years, 5 months
nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5
by Robert Sturrock
Hi All.
We have IPA setup in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
[General]
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
Any pointers appreciated!
Regards,
Robert.
3 years, 6 months
IPA server upgrade fails with KDC error
by Johannes Brandstetter
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
Some more info:
$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XXX
krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG duration: 0 seconds
2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
server.upgrade()
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade
data_upgrade.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance
runtime=90)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start
api.Backend.ldap2.connect()
File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection
client_controls=clientctrls)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access:
2017-10-16T13:04:14Z ERROR Insufficient access:
2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log
Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64
Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64
Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes
3 years, 10 months
using freeipa with an AWS elastic load balancer
by ridha.zorgui@infor.com
I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA Clients will be contacting the replica and the master sever through the load balancer so the dns name used when configurting the clients is the ELB CNAME. The problem is when retreiving ldap data and during the authentication, the SSL handshake fails as the certificate sent back from the master or replica has a hostname different than the one used in the sssd ( the ELB CNAME). so the connection is terminated. There is a workaround which is the use reqcert=allow but this bring a security issue with a MITM attack. another solution i found is the use SAN. I was able to add the ELB DNS as a SAN in freeipa servers certificate. i made sure it is there by downloading the certificate and checking that the elb san exist but when testing it the same problem remain. Please help.
3 years, 11 months
Web UI login fails after upgrading to 4.5
by Marius Bjørnstad
Hi all,
After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login failed due to an unknown reason" on the web UI, no matter if I use the admin user or my personal user. From what I can tell, all the ipa commands work fine on the command line, and kinit also works fine.
I have included some output from /var/log/httpd/error_log below. It would be great if someone could make a guess (or better) at what is going wrong, or which logs to look at, etc.
When I run the command in the CalledProcessError, I get a password prompt for WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL (the second part is the realm name).
Thanks,
Marius
[Thu Oct 05 11:36:34.898930 2017] [core:notice] [pid 7417] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Oct 05 11:36:34.899649 2017] [suexec:notice] [pid 7417] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Oct 05 11:36:34.899669 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Oct 05 11:36:35.065273 2017] [auth_digest:notice] [pid 7417] AH01757: generating secret for digest authentication ...
[Thu Oct 05 11:36:35.065933 2017] [lbmethod_heartbeat:notice] [pid 7417] AH02282: No slotmem from mod_heartmonitor
[Thu Oct 05 11:36:35.065947 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Oct 05 11:36:35.100828 2017] [mpm_prefork:notice] [pid 7417] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Thu Oct 05 11:36:35.100849 2017] [core:notice] [pid 7417] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 05 11:36:36.676629 2017] [:error] [pid 7424] ipa: INFO: *** PROCESS START ***
[Thu Oct 05 11:36:36.695362 2017] [:error] [pid 7425] ipa: INFO: *** PROCESS START ***
--- login attempt performed now ---
[Thu Oct 05 11:36:38.504718 2017] [:error] [pid 7424] [remote 192.168.1.48:244] mod_wsgi (pid=7424): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Oct 05 11:36:38.504758 2017] [:error] [pid 7424] [remote 192.168.1.48:244] Traceback (most recent call last):
[Thu Oct 05 11:36:38.504776 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/share/ipa/wsgi.py", line 51, in application
[Thu Oct 05 11:36:38.504845 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Oct 05 11:36:38.504855 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Thu Oct 05 11:36:38.505045 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return self.route(environ, start_response)
[Thu Oct 05 11:36:38.505054 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Thu Oct 05 11:36:38.505067 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return app(environ, start_response)
[Thu Oct 05 11:36:38.505072 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Thu Oct 05 11:36:38.505079 2017] [:error] [pid 7424] [remote 192.168.1.48:244] self.kinit(user_principal, password, ipa_ccache_name)
[Thu Oct 05 11:36:38.505083 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Thu Oct 05 11:36:38.505089 2017] [:error] [pid 7424] [remote 192.168.1.48:244] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Oct 05 11:36:38.505094 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Thu Oct 05 11:36:38.505135 2017] [:error] [pid 7424] [remote 192.168.1.48:244] run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Oct 05 11:36:38.505143 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Thu Oct 05 11:36:38.505346 2017] [:error] [pid 7424] [remote 192.168.1.48:244] raise CalledProcessError(p.returncode, arg_string, str(output))
[Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_7424 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
4 years, 9 months
Unable to use externa groups or users, truster domain object not found
by Henrik Stigendal
Hello everyone,
I’m new to this and are trying to setup a working trust against an AD forrest, I seem to have a working trust but when I try to reference external groups (or users) I get:
# ipa group-add-member ad_users_external --external "AD2\Domain Users"
[member user]:
[member group]:
Group name: ad_users_external
Description: AD users external map
Failed members:
member user:
member group: AD2\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
I enable some logging and last in the mail is the output there from the command above, any suggestions what could cause this? Current version of IPA is 4.5.
Regards
Henrik
Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin(a)IDM.TEST.NET)!, referer: https://ipaserver.idm.test.net/ipa/xml
string_to_sid: SID AD2\Domain Users is not in a valid format
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels:
all: 11
tdb: 11
printdrivers: 11
lanman: 11
smb: 11
rpc_parse: 11
rpc_srv: 11
rpc_cli: 11
passdb: 11
sam: 11
auth: 11
winbind: 11
vfs: 11
idmap: 11
quota: 11
acls: 11
locking: 11
msdfs: 11
dmapi: 11
registry: 11
scavenger: 11
dns: 11
ldb: 11
tevent: 11
pm_process() returned Yes
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain ad2.test.net
finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad2.test.net<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
Addrs = 192.168.5.158@389/adserver,192.168.5.104(a)389/adserver
finddcs: DNS SRV response 0 at '192.168.5.158'
finddcs: DNS SRV response 1 at '192.168.5.104'
finddcs: performing CLDAP query on 192.168.5.158
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x0001f1fc (127484)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
1: NBT_SERVER_FULL_SECRET_DOMAIN_6
1: NBT_SERVER_ADS_WEB_SERVICE
1: NBT_SERVER_DS_8
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : 63c3a477-85f9-5f01-96e8-2597a5c48978
forest : 'ad2.test.net'
dns_domain : 'ad2.test.net'
pdc_dns_name : 'adserver.ad2.test.net'
domain_name : 'AD2'
pdc_name : 'adserver'
user_name : ''
server_site : 'AS001'
client_site : 'AS002'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
[Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO: [jsonserver_session] admin(a)IDM.TEST.NET: group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain Users',), version=u'2.228'): SUCCESS
4 years, 9 months
upgrade to ubuntu 17.10 fails
by David Harvey
Hi wisdom of the list,
I know I am an edge case with running on ubuntu, but hoped someone might be
able to shed some light.
A bit of background. I'm trying to test upgrades without potentially
hosing my existing services, so I have cloned the VM, given it a new IP
address, updated hosts file and pointed DNS somewhere that doesn't know
about the real IPA services (8.8.8.8) so it won't try and sync or replicate.
Attempting to upgrade hits a snags or two, some described in bugs already
like the pki version number confusing the apt scripts
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1703051 ). The one I
can't work around however is below.
It seems deeply unhappy, and restarting the services result in the
dogtag-pki web page being available until a login attempt is made (as
occurs during the ipa-server-upgrade) after which point it bombs with a 500
error.
Could the below caused by
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1716842 ?
Any advice appreciated, as I think even when 18.04 hits with the proposed
updates to rely on to tomcat 8.5, I'll still need to upgrade via 17.10
which seems currently fraught! If it relates to my method of cloning the
VM, is there a better way of testing upgrades without potentially hosing
the existing live systems?
Thanks in advance,
David
2017-11-15T13:05:59Z DEBUG approved_usage = SSL Server intended_usage = SSL
Server
2017-11-15T13:05:59Z DEBUG cert valid True for "CN=ipa1.my.net,O=THOMAC.NET"
2017-11-15T13:05:59Z DEBUG handshake complete, peer = IPADDRESS
2017-11-15T13:05:59Z DEBUG Protocol: TLS1.2
2017-11-15T13:05:59Z DEBUG Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
2017-11-15T13:05:59Z DEBUG response status 500
2017-11-15T13:05:59Z DEBUG response headers {'content-length': '2292',
'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
'close', 'date': 'Wed, 15 Nov 2017 13:05:59 GMT', 'content-type':
'text/html;charset=utf-8'}
2017-11-15T13:05:59Z DEBUG response body '<!DOCTYPE
html><html><head><title>Apache Tomcat/8.0.46 (Ubuntu) - Error
report</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}.line {height: 1px;
background-color: #525D76; border: none;}</style> </head><body><h1>HTTP
Status 500 - Subsystem unavailable</h1><div
class="line"></div><p><b>type</b> Exception report</p><p><b>message</b>
<u>Subsystem unavailable</u></p><p><b>description</b> <u>The server
encountered an internal error that prevented it from fulfilling this
request.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:283)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b>
<u>The full stack trace of the root cause is available in the Apache
Tomcat/8.0.46 (Ubuntu) logs.</u></p><hr class="line"><h3>Apache
Tomcat/8.0.46 (Ubuntu)</h3></body></html>'
2017-11-15T13:05:59Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-11-15T13:05:59Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 1878, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 1797, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 347, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 1981, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 1987, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line
1294, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA
REST API'))
2017-11-15T13:05:59Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2017-11-15T13:05:59Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
4 years, 9 months
freeipa sudoers help
by Andrew Meyer
In preparation for a migration I am trying to setup sudoers within freeipa. I have about a dozen people that will need to sudo to another user and run commands. However I want to add all the commands for that user into my rule.
would this be best practice to add ALL the commands into 1 rule? or should I do a sudocmdgroup?
ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commandsWould I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?
4 years, 10 months
Accessing KRB5 NFS from local system accounts
by Gordon Messmer
I'm troubleshooting a problem: A local system account (daemon) needs to
access a file on an NFS4 filesystem with sec=krb5. My understanding is
that only processes which have a Kerberos ticket are able to access
files on such a filesystem, and that seems to be the case on the system
I'm troubleshooting.
Suppose I need a keytab to identify the "daemon" user. I don't think I
want to create a new user in FreeIPA, since it would have a uid/gid that
conflict with the locally defined account. However, I think I do need a
keytab for "daemon@DOMAIN". The ipa command doesn't seem to provide a
means of creating such a principal.
Should I work directly in kadmin to create the principal and export the
keytab? Am I even on the right track?
4 years, 10 months
