November 2017 - FreeIPA-users - Fedora Mailing-Lists

by Johannes Brandstetter

Hi, I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..." Does anybody know how to fix this? Some more info: $ cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) $ tail /var/log/krb5kdc.log krb5kdc: Server error - while fetching master key K/M for realm XXX krb5kdc: Database module does not match KDC version - while initializing database for realm XXX $ sudo less /var/log/ipaupgrade.log 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG duration: 0 seconds 2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade data_upgrade.create_instance() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance runtime=90) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start api.Backend.ldap2.connect() File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind '', auth_tokens, server_controls, client_controls) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler raise errors.ACIError(info=info) 2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access: 2017-10-16T13:04:14Z ERROR Insufficient access: 2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information $ sudo less /var/log/yum.log Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64 Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64 Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64 Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64 Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64 Cheers, Johannes

2 weeks, 3 days

4
11
0 / 0

using freeipa with an AWS elastic load balancer

by ridha.zorgui＠infor.com

I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA Clients will be contacting the replica and the master sever through the load balancer so the dns name used when configurting the clients is the ELB CNAME. The problem is when retreiving ldap data and during the authentication, the SSL handshake fails as the certificate sent back from the master or replica has a hostname different than the one used in the sssd ( the ELB CNAME). so the connection is terminated. There is a workaround which is the use reqcert=allow but this bring a security issue with a MITM attack. another solution i found is the use SAN. I was able to add the ELB DNS as a SAN in freeipa servers certificate. i made sure it is there by downloading the certificate and checking that the elb san exist but when testing it the same problem remain. Please help.

1 month, 4 weeks

3
3
0 / 0

Web UI login fails after upgrading to 4.5

by Marius Bjørnstad

Hi all, After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login failed due to an unknown reason" on the web UI, no matter if I use the admin user or my personal user. From what I can tell, all the ipa commands work fine on the command line, and kinit also works fine. I have included some output from /var/log/httpd/error_log below. It would be great if someone could make a guess (or better) at what is going wrong, or which logs to look at, etc. When I run the command in the CalledProcessError, I get a password prompt for WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL (the second part is the realm name). Thanks, Marius [Thu Oct 05 11:36:34.898930 2017] [core:notice] [pid 7417] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0 [Thu Oct 05 11:36:34.899649 2017] [suexec:notice] [pid 7417] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu Oct 05 11:36:34.899669 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Oct 05 11:36:35.065273 2017] [auth_digest:notice] [pid 7417] AH01757: generating secret for digest authentication ... [Thu Oct 05 11:36:35.065933 2017] [lbmethod_heartbeat:notice] [pid 7417] AH02282: No slotmem from mod_heartmonitor [Thu Oct 05 11:36:35.065947 2017] [:warn] [pid 7417] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Oct 05 11:36:35.100828 2017] [mpm_prefork:notice] [pid 7417] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations [Thu Oct 05 11:36:35.100849 2017] [core:notice] [pid 7417] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND' [Thu Oct 05 11:36:36.676629 2017] [:error] [pid 7424] ipa: INFO: *** PROCESS START *** [Thu Oct 05 11:36:36.695362 2017] [:error] [pid 7425] ipa: INFO: *** PROCESS START *** --- login attempt performed now --- [Thu Oct 05 11:36:38.504718 2017] [:error] [pid 7424] [remote 192.168.1.48:244] mod_wsgi (pid=7424): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Thu Oct 05 11:36:38.504758 2017] [:error] [pid 7424] [remote 192.168.1.48:244] Traceback (most recent call last): [Thu Oct 05 11:36:38.504776 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/share/ipa/wsgi.py", line 51, in application [Thu Oct 05 11:36:38.504845 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return api.Backend.wsgi_dispatch(environ, start_response) [Thu Oct 05 11:36:38.504855 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__ [Thu Oct 05 11:36:38.505045 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return self.route(environ, start_response) [Thu Oct 05 11:36:38.505054 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route [Thu Oct 05 11:36:38.505067 2017] [:error] [pid 7424] [remote 192.168.1.48:244] return app(environ, start_response) [Thu Oct 05 11:36:38.505072 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__ [Thu Oct 05 11:36:38.505079 2017] [:error] [pid 7424] [remote 192.168.1.48:244] self.kinit(user_principal, password, ipa_ccache_name) [Thu Oct 05 11:36:38.505083 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit [Thu Oct 05 11:36:38.505089 2017] [:error] [pid 7424] [remote 192.168.1.48:244] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], [Thu Oct 05 11:36:38.505094 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor [Thu Oct 05 11:36:38.505135 2017] [:error] [pid 7424] [remote 192.168.1.48:244] run(args, env=env, raiseonerr=True, capture_error=True) [Thu Oct 05 11:36:38.505143 2017] [:error] [pid 7424] [remote 192.168.1.48:244] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run [Thu Oct 05 11:36:38.505346 2017] [:error] [pid 7424] [remote 192.168.1.48:244] raise CalledProcessError(p.returncode, arg_string, str(output)) [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_7424 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

11 months, 3 weeks

3
11
0 / 0

Unable to use externa groups or users, truster domain object not found

by Henrik Stigendal

Hello everyone, I’m new to this and are trying to setup a working trust against an AD forrest, I seem to have a working trust but when I try to reference external groups (or users) I get: # ipa group-add-member ad_users_external --external "AD2\Domain Users" [member user]: [member group]: Group name: ad_users_external Description: AD users external map Failed members: member user: member group: AD2\Domain Users: trusted domain object not found ------------------------- Number of members added 0 ------------------------- I enable some logging and last in the mail is the output there from the command above, any suggestions what could cause this? Current version of IPA is 4.5. Regards Henrik Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin(a)IDM.TEST.NET)!, referer: https://ipaserver.idm.test.net/ipa/xml string_to_sid: SID AD2\Domain Users is not in a valid format lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty Processing section "[global]" INFO: Current debug levels: all: 11 tdb: 11 printdrivers: 11 lanman: 11 smb: 11 rpc_parse: 11 rpc_srv: 11 rpc_cli: 11 passdb: 11 sam: 11 auth: 11 winbind: 11 vfs: 11 idmap: 11 quota: 11 acls: 11 locking: 11 msdfs: 11 dmapi: 11 registry: 11 scavenger: 11 dns: 11 ldb: 11 tevent: 11 pm_process() returned Yes added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0 added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0 added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0 added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0 added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0 added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0 added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0 added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0 finddcs: searching for a DC by DNS domain ad2.test.net finddcs: looking for SRV records for _ldap._tcp.ad2.test.net resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad2.test.net<0x0> getlmhostsent: lmhost entry: 127.0.0.1 localhost ads_dns_lookup_srv: 2 records returned in the answer section. ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389] ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389] Addrs = 192.168.5.158@389/adserver,192.168.5.104(a)389/adserver finddcs: DNS SRV response 0 at '192.168.5.158' finddcs: DNS SRV response 1 at '192.168.5.104' finddcs: performing CLDAP query on 192.168.5.158 &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x0001f1fc (127484) 0: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 0: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 1: NBT_SERVER_ADS_WEB_SERVICE 1: NBT_SERVER_DS_8 0: NBT_SERVER_HAS_DNS_NAME 0: NBT_SERVER_IS_DEFAULT_NC 0: NBT_SERVER_FOREST_ROOT domain_uuid : 63c3a477-85f9-5f01-96e8-2597a5c48978 forest : 'ad2.test.net' dns_domain : 'ad2.test.net' pdc_dns_name : 'adserver.ad2.test.net' domain_name : 'AD2' pdc_name : 'adserver' user_name : '' server_site : 'AS001' client_site : 'AS002' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc [Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO: [jsonserver_session] admin(a)IDM.TEST.NET: group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain Users',), version=u'2.228'): SUCCESS

12 months

4
9
0 / 0

upgrade to ubuntu 17.10 fails

by David Harvey

Hi wisdom of the list, I know I am an edge case with running on ubuntu, but hoped someone might be able to shed some light. A bit of background. I'm trying to test upgrades without potentially hosing my existing services, so I have cloned the VM, given it a new IP address, updated hosts file and pointed DNS somewhere that doesn't know about the real IPA services (8.8.8.8) so it won't try and sync or replicate. Attempting to upgrade hits a snags or two, some described in bugs already like the pki version number confusing the apt scripts https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1703051 ). The one I can't work around however is below. It seems deeply unhappy, and restarting the services result in the dogtag-pki web page being available until a login attempt is made (as occurs during the ipa-server-upgrade) after which point it bombs with a 500 error. Could the below caused by https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1716842 ? Any advice appreciated, as I think even when 18.04 hits with the proposed updates to rely on to tomcat 8.5, I'll still need to upgrade via 17.10 which seems currently fraught! If it relates to my method of cloning the VM, is there a better way of testing upgrades without potentially hosing the existing live systems? Thanks in advance, David 2017-11-15T13:05:59Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2017-11-15T13:05:59Z DEBUG cert valid True for "CN=ipa1.my.net,O=THOMAC.NET" 2017-11-15T13:05:59Z DEBUG handshake complete, peer = IPADDRESS 2017-11-15T13:05:59Z DEBUG Protocol: TLS1.2 2017-11-15T13:05:59Z DEBUG Cipher: TLS_RSA_WITH_AES_128_CBC_SHA 2017-11-15T13:05:59Z DEBUG response status 500 2017-11-15T13:05:59Z DEBUG response headers {'content-length': '2292', 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection': 'close', 'date': 'Wed, 15 Nov 2017 13:05:59 GMT', 'content-type': 'text/html;charset=utf-8'} 2017-11-15T13:05:59Z DEBUG response body '<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 (Ubuntu) - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:283)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.46 (Ubuntu) logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.46 (Ubuntu)</h3></body></html>' 2017-11-15T13:05:59Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-11-15T13:05:59Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1878, in upgrade upgrade_configuration() File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1797, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 347, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 1981, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 1987, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line 1294, in __enter__ raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) 2017-11-15T13:05:59Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API 2017-11-15T13:05:59Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API

12 months

6
17
0 / 0

freeipa sudoers help

by Andrew Meyer

In preparation for a migration I am trying to setup sudoers within freeipa. I have about a dozen people that will need to sudo to another user and run commands. However I want to add all the commands for that user into my rule. would this be best practice to add ALL the commands into 1 rule? or should I do a sudocmdgroup? ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commandsWould I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?

1 year

3
7
0 / 0

Accessing KRB5 NFS from local system accounts

by Gordon Messmer

I'm troubleshooting a problem: A local system account (daemon) needs to access a file on an NFS4 filesystem with sec=krb5. My understanding is that only processes which have a Kerberos ticket are able to access files on such a filesystem, and that seems to be the case on the system I'm troubleshooting. Suppose I need a keytab to identify the "daemon" user. I don't think I want to create a new user in FreeIPA, since it would have a uid/gid that conflict with the locally defined account. However, I think I do need a keytab for "daemon@DOMAIN". The ipa command doesn't seem to provide a means of creating such a principal. Should I work directly in kadmin to create the principal and export the keytab? Am I even on the right track?

1 year

4
7
0 / 0

Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200

by Fuji San

Hello, I have trouble enrolling a ipa client. I just installed Fedora 27 and all the packages are up-to-date. I succeeded to enroll 2 previous F27 clients, but this one is giving me a hard time. Any help would be welcome. Fuji ------ $ ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns --no-nisdomain --server=ipaserver.mydomain --domain=mydomain WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled Use --force-ntpd option to disable it and force configuration of ntpd Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure. Proceed with fixed values and no DNS discovery? [no]: yes Client hostname: ipaclient.mydomain Realm: MYDOMAIN DNS Domain: mydomain IPA Server: ipaserver.mydomain BaseDN: dc=mydomain Continue to configure the system with these values? [no]: yes Skipping synchronizing time with NTP server. User authorized to enroll computers: admin Password for admin@MYDOMAIN: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=MYDOMAIN Issuer: CN=Certificate Authority,O=MYDOMAIN Valid From: 2015-09-11 08:02:12 Valid Until: 2035-09-11 08:02:12 Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200 Installation failed. Rolling back changes. Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1. Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted Client uninstall complete. The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information ----- ------ 2017-11-30T10:11:50Z DEBUG Logging to /var/log/ipaclient-install.log 2017-11-30T10:11:50Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'no_ac': False, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': True, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': True, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'no_sssd': False, 'automount_location': None, 'domain_name': 'mydomain', 'servers': ['ipaserver.mydomain'], 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False} 2017-11-30T10:11:50Z DEBUG IPA version 4.6.1-3.fc27 2017-11-30T10:11:50Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2017-11-30T10:11:50Z DEBUG Starting external process 2017-11-30T10:11:50Z DEBUG args=/usr/sbin/selinuxenabled 2017-11-30T10:11:50Z DEBUG Process finished, return code=1 2017-11-30T10:11:50Z DEBUG stdout= 2017-11-30T10:11:50Z DEBUG stderr= 2017-11-30T10:11:50Z DEBUG Starting external process 2017-11-30T10:11:50Z DEBUG args=/bin/systemctl is-enabled chronyd.service 2017-11-30T10:11:50Z DEBUG Process finished, return code=0 2017-11-30T10:11:50Z DEBUG stdout=enabled 2017-11-30T10:11:50Z DEBUG stderr= 2017-11-30T10:11:50Z DEBUG [IPA Discovery] 2017-11-30T10:11:50Z DEBUG Starting IPA discovery with domain=mydomain, servers=['ipaserver.mydomain'], hostname=ipaclient.mydomain 2017-11-30T10:11:50Z DEBUG Server and domain forced 2017-11-30T10:11:50Z DEBUG [Kerberos realm search] 2017-11-30T10:11:50Z DEBUG Search DNS for TXT record of _kerberos.mydomain 2017-11-30T10:11:50Z DEBUG DNS record found: "MYDOMAIN" 2017-11-30T10:11:50Z DEBUG [LDAP server check] 2017-11-30T10:11:50Z DEBUG Verifying that ipaserver.mydomain (realm MYDOMAIN) is an IPA server 2017-11-30T10:11:50Z DEBUG Init LDAP connection to: ldap://ipaserver.mydomain:389 2017-11-30T10:11:50Z DEBUG Search LDAP server for IPA base DN 2017-11-30T10:11:50Z DEBUG Check if naming context 'dc=mydomain' is for IPA 2017-11-30T10:11:50Z DEBUG Naming context 'dc=mydomain' is a valid IPA context 2017-11-30T10:11:50Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain (sub) 2017-11-30T10:11:50Z DEBUG Found: cn=MYDOMAIN,cn=kerberos,dc=mydomain 2017-11-30T10:11:50Z DEBUG Discovery result: Success; server=ipaserver.mydomain, domain=mydomain, kdc=ipaserver.mydomain, basedn=dc=mydomain 2017-11-30T10:11:50Z DEBUG Validated servers: ipaserver.mydomain 2017-11-30T10:11:50Z DEBUG will use discovered domain: mydomain 2017-11-30T10:11:50Z DEBUG Using servers from command line, disabling DNS discovery 2017-11-30T10:11:50Z DEBUG will use provided server: ipaserver.mydomain 2017-11-30T10:11:50Z INFO Autodiscovery of servers for failover cannot work with this configuration. 2017-11-30T10:11:50Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all mydomaintions and will not fail over to other servers in case of failure. 2017-11-30T10:11:53Z DEBUG will use discovered realm: MYDOMAIN 2017-11-30T10:11:53Z DEBUG will use discovered basedn: dc=mydomain 2017-11-30T10:11:53Z INFO Client hostname: ipaclient.mydomain 2017-11-30T10:11:53Z DEBUG Hostname source: Machine's FQDN 2017-11-30T10:11:53Z INFO Realm: MYDOMAIN 2017-11-30T10:11:53Z DEBUG Realm source: Discovered from LDAP DNS records in ipaserver.mydomain 2017-11-30T10:11:53Z INFO DNS Domain: mydomain 2017-11-30T10:11:53Z DEBUG DNS Domain source: Forced 2017-11-30T10:11:53Z INFO IPA Server: ipaserver.mydomain 2017-11-30T10:11:53Z DEBUG IPA Server source: Provided as option 2017-11-30T10:11:53Z INFO BaseDN: dc=mydomain 2017-11-30T10:11:53Z DEBUG BaseDN source: From IPA server ldap://ipaserver.mydomain:389 2017-11-30T10:11:55Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2017-11-30T10:11:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:11:55Z DEBUG Starting external process 2017-11-30T10:11:55Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r MYDOMAIN 2017-11-30T10:11:55Z DEBUG Process finished, return code=3 2017-11-30T10:11:55Z DEBUG stdout= 2017-11-30T10:11:55Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory 2017-11-30T10:11:55Z INFO Skipping synchronizing time with NTP server. 2017-11-30T10:11:58Z DEBUG will use principal provided as option: admin 2017-11-30T10:11:58Z DEBUG Starting external process 2017-11-30T10:11:58Z DEBUG args=keyctl get_persistent @s 0 2017-11-30T10:11:58Z DEBUG Process finished, return code=0 2017-11-30T10:11:58Z DEBUG stdout=227339787 2017-11-30T10:11:58Z DEBUG stderr= 2017-11-30T10:11:58Z DEBUG Enabling persistent keyring CCACHE 2017-11-30T10:11:58Z DEBUG Writing Kerberos configuration to /tmp/tmp5wx608ci: 2017-11-30T10:11:58Z DEBUG #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = MYDOMAIN dns_lookup_realm = false dns_lookup_kdc = false rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] MYDOMAIN = { kdc = ipaserver.mydomain:88 master_kdc = ipaserver.mydomain:88 admin_server = ipaserver.mydomain:749 kpasswd_server = ipaserver.mydomain:464 default_domain = mydomain pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .mydomain = MYDOMAIN mydomain = MYDOMAIN ipaclient.mydomain = MYDOMAIN 2017-11-30T10:12:03Z DEBUG Initializing principal admin@MYDOMAIN using password 2017-11-30T10:12:03Z DEBUG Starting external process 2017-11-30T10:12:03Z DEBUG args=/usr/bin/kinit admin@MYDOMAIN -c /tmp/krbcct8vze36h/ccache 2017-11-30T10:12:03Z DEBUG Process finished, return code=0 2017-11-30T10:12:03Z DEBUG stdout=Password for admin@MYDOMAIN: 2017-11-30T10:12:03Z DEBUG stderr= 2017-11-30T10:12:03Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.mydomain 2017-11-30T10:12:03Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.mydomain:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f20e73c5b70> 2017-11-30T10:12:03Z INFO Successfully retrieved CA cert Subject: CN=Certificate Authority,O=MYDOMAIN Issuer: CN=Certificate Authority,O=MYDOMAIN Valid From: 2015-09-11 08:02:12 Valid Until: 2035-09-11 08:02:12 2017-11-30T10:12:03Z DEBUG Starting external process 2017-11-30T10:12:03Z DEBUG args=/usr/sbin/ipa-join -s ipaserver.mydomain -b dc=mydomain -h ipaclient.mydomain 2017-11-30T10:12:03Z DEBUG Process finished, return code=17 2017-11-30T10:12:03Z DEBUG stdout= 2017-11-30T10:12:03Z DEBUG stderr=HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200 2017-11-30T10:12:03Z ERROR Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200 2017-11-30T10:12:03Z ERROR Installation failed. Rolling back changes. 2017-11-30T10:12:03Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2017-11-30T10:12:03Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:03Z DEBUG Starting external process 2017-11-30T10:12:03Z DEBUG args=ipa-client-automount --uninstall --debug 2017-11-30T10:12:04Z DEBUG Process finished, return code=1 2017-11-30T10:12:04Z DEBUG stdout= 2017-11-30T10:12:04Z DEBUG stderr=IPA client is not configured on this system 2017-11-30T10:12:04Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1. 2017-11-30T10:12:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2017-11-30T10:12:04Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt 2017-11-30T10:12:04Z DEBUG Process finished, return code=255 2017-11-30T10:12:04Z DEBUG stdout= 2017-11-30T10:12:04Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -L -n IPA Machine Certificate - ipaclient.mydomain -a -f /etc/pki/nssdb/pwdfile.txt 2017-11-30T10:12:04Z DEBUG Process finished, return code=255 2017-11-30T10:12:04Z DEBUG stdout= 2017-11-30T10:12:04Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - ipaclient.mydomain : PR_FILE_NOT_FOUND_ERROR: File not found 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/bin/systemctl start certmonger.service 2017-11-30T10:12:04Z DEBUG Process finished, return code=0 2017-11-30T10:12:04Z DEBUG stdout= 2017-11-30T10:12:04Z DEBUG stderr= 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/bin/systemctl is-active certmonger.service 2017-11-30T10:12:04Z DEBUG Process finished, return code=0 2017-11-30T10:12:04Z DEBUG stdout=active 2017-11-30T10:12:04Z DEBUG stderr= 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/bin/systemctl stop certmonger.service 2017-11-30T10:12:04Z DEBUG Process finished, return code=0 2017-11-30T10:12:04Z DEBUG stdout= 2017-11-30T10:12:04Z DEBUG stderr= 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/bin/systemctl disable certmonger.service 2017-11-30T10:12:04Z DEBUG Process finished, return code=0 2017-11-30T10:12:04Z DEBUG stdout= 2017-11-30T10:12:04Z DEBUG stderr= 2017-11-30T10:12:04Z INFO Disabling client Kerberos and LDAP configurations 2017-11-30T10:12:04Z DEBUG Starting external process 2017-11-30T10:12:04Z DEBUG args=/usr/sbin/authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir --update 2017-11-30T10:12:05Z DEBUG Process finished, return code=0 2017-11-30T10:12:05Z DEBUG stdout= 2017-11-30T10:12:05Z DEBUG stderr= 2017-11-30T10:12:05Z DEBUG Error while moving /etc/sssd/sssd.conf to /etc/sssd/sssd.conf.deleted 2017-11-30T10:12:05Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted 2017-11-30T10:12:05Z DEBUG Starting external process 2017-11-30T10:12:05Z DEBUG args=/bin/systemctl stop sssd.service 2017-11-30T10:12:05Z DEBUG Process finished, return code=0 2017-11-30T10:12:05Z DEBUG stdout= 2017-11-30T10:12:05Z DEBUG stderr= 2017-11-30T10:12:05Z DEBUG Starting external process 2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable sssd.service 2017-11-30T10:12:05Z DEBUG Process finished, return code=0 2017-11-30T10:12:05Z DEBUG stdout= 2017-11-30T10:12:05Z DEBUG stderr=Removed /etc/systemd/system/multi-user.target.wants/sssd.service. 2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:05Z DEBUG Starting external process 2017-11-30T10:12:05Z DEBUG args=/bin/systemctl disable fedora-domainname.service 2017-11-30T10:12:05Z DEBUG Process finished, return code=0 2017-11-30T10:12:05Z DEBUG stdout= 2017-11-30T10:12:05Z DEBUG stderr= 2017-11-30T10:12:05Z DEBUG Starting external process 2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full 2017-11-30T10:12:05Z DEBUG Process finished, return code=0 2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE proc-sys-fs-binfmt_misc.automount static -.mount generated boot.mount generated dev-hugepages.mount static dev-mqueue.mount static home.mount generated proc-fs-nfsd.mount static proc-sys-fs-binfmt_misc.mount static sys-fs-fuse-connections.mount static sys-kernel-config.mount static sys-kernel-debug.mount static tmp.mount static var-lib-nfs-rpc_pipefs.mount static cups.path enabled systemd-ask-password-console.path static systemd-ask-password-plymouth.path static systemd-ask-password-wall.path static session-2.scope transient abrt-ccpp.service disabled abrt-journal-core.service enabled abrt-oops.service enabled abrt-pstoreoops.service disabled abrt-vmcore.service enabled abrt-xorg.service enabled abrtd.service enabled accounts-daemon.service enabled alsa-restore.service static alsa-state.service static anaconda-direct.service static anaconda-nm-config.service static anaconda-noshell.service static anaconda-pre.service static anaconda-shell@.service static anaconda-sshd.service static anaconda-tmux@.service static anaconda.service static arp-ethers.service disabled auditd.service enabled auth-rpcgss-module.service static autofs.service disabled autovt@.service enabled avahi-daemon.service enabled blk-availability.service disabled bluetooth.service enabled brltty.service disabled btattach-bcm@.service static canberra-system-bootup.service disabled canberra-system-shutdown-reboot.service disabled canberra-system-shutdown.service disabled certmonger.service disabled chrony-dnssrv@.service static chrony-wait.service disabled chronyd.service enabled clean-mount-point@.service static colord.service static configure-printer@.service static console-getty.service disabled container-getty@.service static crond.service enabled cups-browsed.service disabled cups.service disabled dbus-org.bluez.service enabled dbus-org.fedoraproject.FirewallD1.service enabled dbus-org.freedesktop.Avahi.service enabled dbus-org.freedesktop.hostname1.service static dbus-org.freedesktop.locale1.service static dbus-org.freedesktop.login1.service static dbus-org.freedesktop.ModemManager1.service enabled dbus-org.freedesktop.network1.service enabled dbus-org.freedesktop.NetworkManager.service enabled dbus-org.freedesktop.nm-dispatcher.service enabled dbus-org.freedesktop.resolve1.service enabled dbus-org.freedesktop.timedate1.service enabled dbus.service static dbxtool.service enabled debug-shell.service disabled display-manager.service enabled dm-event.service disabled dmraid-activation.service enabled dnf-makecache.service static dnfdaemon.service static dnsmasq.service disabled dracut-cmdline.service static dracut-initqueue.service static dracut-mount.service static dracut-pre-mount.service static dracut-pre-pivot.service static dracut-pre-trigger.service static dracut-pre-udev.service static dracut-shutdown.service static ebtables.service disabled emergency.service static fcoe.service disabled fedora-domainname.service disabled fedora-import-state.service enabled fedora-loadmodules.service disabled fedora-readonly.service enabled firewalld.service enabled fprintd.service static fstrim.service static geoclue.service static getty@.service enabled gssproxy.service disabled halt-local.service static hypervfcopyd.service static hypervkvpd.service static hypervvssd.service static initial-setup-reconfiguration.service disabled initial-setup.service disabled initrd-cleanup.service static initrd-parse-etc.service static initrd-switch-root.service static initrd-udevadm-cleanup-db.service static instperf.service static iodine-client.service disabled ipsec.service disabled irqbalance.service enabled iscsi-shutdown.service static iscsi.service enabled iscsid.service disabled iscsiuio.service disabled kdump.service disabled kmod-static-nodes.service static ldconfig.service static lightdm.service enabled livesys-late.service generated livesys.service generated lldpad.service disabled lvm2-lvmetad.service disabled lvm2-lvmpolld.service disabled lvm2-monitor.service enabled lvm2-pvscan@.service static mcelog.service enabled mdadm-grow-continue@.service static mdadm-last-resort@.service static mdmon@.service static mdmonitor.service enabled messagebus.service static mlocate-updatedb.service static ModemManager.service enabled multipathd.service enabled netconsole.service generated network.service generated NetworkManager-dispatcher.service enabled NetworkManager-wait-online.service enabled NetworkManager.service enabled nfs-blkmap.service disabled nfs-config.service static nfs-idmap.service static nfs-idmapd.service static nfs-lock.service static nfs-mountd.service static nfs-secure.service static nfs-server.service disabled nfs-utils.service static nfs.service disabled nscd.service enabled nslcd.service enabled ntpd.service disabled oddjobd.service disabled openvpn-client@.service disabled openvpn-server@.service disabled plymouth-halt.service static plymouth-kexec.service static plymouth-poweroff.service static plymouth-quit-wait.service static plymouth-quit.service static plymouth-read-write.service static plymouth-reboot.service static plymouth-start.service static plymouth-switch-root.service static polkit.service static powerline.service disabled pppoe-server.service disabled psacct.service disabled qemu-guest-agent.service static quotaon.service static rc-local.service static rdisc.service disabled realmd.service static rescue.service static rngd.service enabled rpc-gssd.service static rpc-statd-notify.service static rpc-statd.service static rpcbind.service disabled rsyslog.service enabled rtkit-daemon.service enabled selinux-autorelabel-mark.service static selinux-autorelabel.service static serial-getty@.service disabled smartd.service enabled speech-dispatcherd.service disabled spice-vdagentd.service enabled sshd-keygen@.service disabled sshd.service enabled sshd@.service static sssd-autofs.service indirect sssd-kcm.service indirect sssd-nss.service indirect sssd-pac.service indirect sssd-pam.service indirect sssd-secrets.service indirect sssd-ssh.service indirect sssd-sudo.service indirect sssd.service disabled syslog.service enabled system-update-cleanup.service static systemd-ask-password-console.service static systemd-ask-password-plymouth.service static systemd-ask-password-wall.service static systemd-backlight@.service static systemd-binfmt.service static systemd-bootchart.service disabled systemd-coredump@.service static systemd-exit.service static systemd-firstboot.service static systemd-fsck-root.service enabled-runtime systemd-fsck@.service static systemd-halt.service static systemd-hibernate-resume@.service static systemd-hibernate.service static systemd-hostnamed.service static systemd-hwdb-update.service static systemd-hybrid-sleep.service static systemd-initctl.service static systemd-journal-catalog-update.service static systemd-journal-flush.service static systemd-journald.service static systemd-kexec.service static systemd-localed.service static systemd-logind.service static systemd-machine-id-commit.service static systemd-modules-load.service static systemd-networkd-wait-online.service disabled systemd-networkd.service enabled systemd-poweroff.service static systemd-quotacheck.service static systemd-random-seed.service static systemd-reboot.service static systemd-remount-fs.service static systemd-resolved.service enabled systemd-rfkill.service static systemd-suspend.service static systemd-sysctl.service static systemd-sysusers.service static systemd-timedated.service masked systemd-timesyncd.service disabled systemd-tmpfiles-clean.service static systemd-tmpfiles-setup-dev.service static systemd-tmpfiles-setup.service static systemd-udev-settle.service static systemd-udev-trigger.service static systemd-udevd.service static systemd-update-done.service static systemd-update-utmp-runlevel.service static systemd-update-utmp.service static systemd-user-sessions.service static systemd-vconsole-setup.service static systemd-volatile-root.service static tcsd.service disabled teamd@.service static timedatex.service enabled udisks2.service enabled unbound-anchor.service static upower.service disabled usb_modeswitch@.service static usbmuxd.service static user@.service static vboxadd-service.service enabled vboxadd.service enabled vgauthd.service enabled vmtoolsd.service enabled wacom-inputattach@.service static wpa_supplicant.service disabled xl2tpd.service disabled zram.service static system.slice static user-0.slice transient user.slice static avahi-daemon.socket enabled cups.socket enabled dbus.socket static dm-event.socket enabled iscsid.socket enabled iscsiuio.socket enabled lldpad.socket disabled lvm2-lvmetad.socket enabled lvm2-lvmpolld.socket enabled multipathd.socket static nscd.socket enabled rpcbind.socket disabled sshd.socket disabled sssd-autofs.socket disabled sssd-kcm.socket enabled sssd-nss.socket disabled sssd-pac.socket disabled sssd-pam-priv.socket disabled sssd-pam.socket disabled sssd-secrets.socket enabled sssd-ssh.socket disabled sssd-sudo.socket disabled syslog.socket static systemd-coredump.socket static systemd-initctl.socket static systemd-journald-audit.socket static systemd-journald-dev-log.socket static systemd-journald.socket static systemd-networkd.socket disabled systemd-rfkill.socket static systemd-udevd-control.socket static systemd-udevd-kernel.socket static dev-mapper-fedora00\x2dswap.swap generated anaconda.target static basic.target static bluetooth.target static cryptsetup-pre.target static cryptsetup.target static ctrl-alt-del.target disabled default.target enabled emergency.target static exit.target disabled final.target static getty.target static graphical.target enabled halt.target disabled hibernate.target static hybrid-sleep.target static initrd-fs.target static initrd-root-device.target static initrd-root-fs.target static initrd-switch-root.target static initrd.target static kexec.target disabled local-fs-pre.target static local-fs.target static multi-user.target static network-online.target static network-pre.target static network.target static nfs-client.target enabled nss-lookup.target static nss-user-lookup.target static paths.target static poweroff.target disabled printer.target static reboot.target disabled remote-cryptsetup.target disabled remote-fs-pre.target static remote-fs.target enabled rescue.target disabled rpc_pipefs.target static rpcbind.target static runlevel0.target disabled runlevel1.target disabled runlevel2.target static runlevel3.target static runlevel4.target static runlevel5.target enabled runlevel6.target disabled selinux-autorelabel.target static shutdown.target static sigpwr.target static sleep.target static slices.target static smartcard.target static sockets.target static sound.target static spice-vdagentd.target static sshd-keygen.target static suspend.target static swap.target static sysinit.target static system-update.target static time-sync.target static timers.target static umount.target static chrony-dnssrv@.timer disabled dnf-makecache.timer enabled fstrim.timer disabled mdadm-last-resort@.timer static mlocate-updatedb.timer enabled systemd-tmpfiles-clean.timer static unbound-anchor.timer enabled 384 unit files listed. 2017-11-30T10:12:05Z DEBUG stderr= 2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:05Z DEBUG Starting external process 2017-11-30T10:12:05Z DEBUG args=/bin/systemctl list-unit-files --full 2017-11-30T10:12:05Z DEBUG Process finished, return code=0 2017-11-30T10:12:05Z DEBUG stdout=UNIT FILE STATE proc-sys-fs-binfmt_misc.automount static -.mount generated boot.mount generated dev-hugepages.mount static dev-mqueue.mount static home.mount generated proc-fs-nfsd.mount static proc-sys-fs-binfmt_misc.mount static sys-fs-fuse-connections.mount static sys-kernel-config.mount static sys-kernel-debug.mount static tmp.mount static var-lib-nfs-rpc_pipefs.mount static cups.path enabled systemd-ask-password-console.path static systemd-ask-password-plymouth.path static systemd-ask-password-wall.path static session-2.scope transient abrt-ccpp.service disabled abrt-journal-core.service enabled abrt-oops.service enabled abrt-pstoreoops.service disabled abrt-vmcore.service enabled abrt-xorg.service enabled abrtd.service enabled accounts-daemon.service enabled alsa-restore.service static alsa-state.service static anaconda-direct.service static anaconda-nm-config.service static anaconda-noshell.service static anaconda-pre.service static anaconda-shell@.service static anaconda-sshd.service static anaconda-tmux@.service static anaconda.service static arp-ethers.service disabled auditd.service enabled auth-rpcgss-module.service static autofs.service disabled autovt@.service enabled avahi-daemon.service enabled blk-availability.service disabled [...] 384 unit files listed. 2017-11-30T10:12:05Z DEBUG stderr= 2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2017-11-30T10:12:05Z INFO Client uninstall complete. 2017-11-30T10:12:05Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 336, in run cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run self.execute() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute for _nothing in self._executor(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install for _nothing in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3624, in main install(self) File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2346, in install _install(options) File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2568, in _install raise ScriptError(rval=CLIENT_INSTALL_ERROR) 2017-11-30T10:12:05Z DEBUG The ipa-client-install command failed, exception: ScriptError: 2017-11-30T10:12:05Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information (END) ---------

1 year

3
4
0 / 0

FreeIPA setup third party ssl from Comodo

by randrewg＠gmail.com

Hello! Guys, I had set up FreeIPA 4.5 on Centos 7 with self-signed SSL cert. Now I want to install my main wildcard cert (from Comodo CA) for domain where IPA-server located, just for web-service, so web browsers won't complain to users about ssl. As expected - when I'm trying to do: # ipa-server-certinstall -w comodo.crt comodo.key I'm getting: Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate. The ipa-server-certinstall command failed. I've found on https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/9... all CA certs for Comodo and set them up via # ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt # ipa-certupdate As pointed on https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP But nontheless, when I'm trying after it - ipa-server-certinstall, I get above error anyway. I'm starting to go crazy with it and don't know what should I do to solve this :( Help me please! Thank you.

1 year

4
10
0 / 0

Replication failed after ipa-server-upgrade

by skrawczenko＠gmail.com

My cluster has been successfully working for over a year with version 4.2 I have replica of two ipa nodes and winsync Tried to upgrade (ipa-server-upgrade) and replica seems to be ruined after it. I can't even check its status [root@idm0 ~]# ipa-replica-manage list --verbose Traceback (most recent call last): File "/usr/sbin/ipa-replica-manage", line 1615, in <module> main(options, args) File "/usr/sbin/ipa-replica-manage", line 1548, in main options.nolookup) File "/usr/sbin/ipa-replica-manage", line 197, in list_replicas config_string = ent.single_value['ipaConfigString'] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 564, in __getitem__ value = self._entry[name] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 442, in __getitem__ return self._get_nice(name) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 409, in _get_nice name = self._get_attr_name(name) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 405, in _get_attr_name name = self._names[name] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 583, in __getitem__ return super(CIDict, self).__getitem__(key.lower()) KeyError: u'ipaconfigstring' Unexpected error: u'ipaconfigstring' Please any advises how to restore replication and winsync after upgrade, this is quite critical.

1 year

4
12
0 / 0

2018

2017

FreeIPA-users November 2017