Replica setup options
by Gordon Messmer
I've set up a replica in an IPA domain, and was surprised that it did
not have DNS configured the same way that the first IPA server does. Of
the following options that I specified on the first install, which do I
need to provide to a replica in order to get identical functionality,
and where is that documented?
--mkhomedir --setup-dns --forwarder --reverse-zone
--allow-zone-overlap --setup-adtrust
6 years, 4 months
Re: Broken WebUI
by Marek Wiewiórka
Hi Guys - we are facing exactly the same issue.
Did you find any root cause of it or any temporary workaround besides refreshing a page each time?
Any hints welcome.
Thanks!
Marek
6 years, 4 months
DNS Reverse Zone Error (UPDATE)
by Auerbach, Steven
We perform monthly patching of our IPA servers on consecutive weeks. We have a realm member server that loses its 'A' record in DNS after every monthly patching cycle on the first of our 2 IPA servers. And this member server is the ONLY machine to have such a problem.
Using the DNS Admin GUI I can make the 'A' record on one of the IPA servers and it shows up immediately in the DNS Admin GUI of the other. There is no reverse record for that member server in the DNS Admin GUI and it will not allow me to add a reverse zone record for the server. I receive a message that the reverse record for this server already exists.
Is there a way to clean this up? Is this glitch regarding the reverse zone record the reason the 'A' record falls away?
UPDATE: We rebooted the member server to test which post-patch reboot might be the point of loss for the 'A' record (we did not reboot either IPA server). The 'A' record for the member server is gone again.
Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
Steven.auerbach(a)flbog.edu | www.flbog.edu
6 years, 4 months
upgrade to ubuntu 17.10 fails
by David Harvey
Hi wisdom of the list,
I know I am an edge case with running on ubuntu, but hoped someone might be
able to shed some light.
A bit of background. I'm trying to test upgrades without potentially
hosing my existing services, so I have cloned the VM, given it a new IP
address, updated hosts file and pointed DNS somewhere that doesn't know
about the real IPA services (8.8.8.8) so it won't try and sync or replicate.
Attempting to upgrade hits a snag or two, some described in bugs already
(like the pki version number confusing the apt scripts:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1703051 ). The one I
can't work around, however, is below.
It seems deeply unhappy, and restarting the services results in the
dogtag-pki web page being available until a login attempt is made (as
occurs during the ipa-server-upgrade), after which point it bombs with a 500
error.
Could the below be caused by
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1716842 ?
Any advice appreciated, as I think even when 18.04 hits with the proposed
updates to rely on tomcat 8.5, I'll still need to upgrade via 17.10,
which seems currently fraught! If it relates to my method of cloning the
VM, is there a better way of testing upgrades without potentially hosing
the existing live systems?
Thanks in advance,
David
2017-11-15T13:05:59Z DEBUG approved_usage = SSL Server intended_usage = SSL
Server
2017-11-15T13:05:59Z DEBUG cert valid True for "CN=ipa1.my.net,O=THOMAC.NET"
2017-11-15T13:05:59Z DEBUG handshake complete, peer = IPADDRESS
2017-11-15T13:05:59Z DEBUG Protocol: TLS1.2
2017-11-15T13:05:59Z DEBUG Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
2017-11-15T13:05:59Z DEBUG response status 500
2017-11-15T13:05:59Z DEBUG response headers {'content-length': '2292',
'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
'close', 'date': 'Wed, 15 Nov 2017 13:05:59 GMT', 'content-type':
'text/html;charset=utf-8'}
2017-11-15T13:05:59Z DEBUG response body '<!DOCTYPE
html><html><head><title>Apache Tomcat/8.0.46 (Ubuntu) - Error
report</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}.line {height: 1px;
background-color: #525D76; border: none;}</style> </head><body><h1>HTTP
Status 500 - Subsystem unavailable</h1><div
class="line"></div><p><b>type</b> Exception report</p><p><b>message</b>
<u>Subsystem unavailable</u></p><p><b>description</b> <u>The server
encountered an internal error that prevented it from fulfilling this
request.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:283)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b>
<u>The full stack trace of the root cause is available in the Apache
Tomcat/8.0.46 (Ubuntu) logs.</u></p><hr class="line"><h3>Apache
Tomcat/8.0.46 (Ubuntu)</h3></body></html>'
2017-11-15T13:05:59Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-11-15T13:05:59Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 1878, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 1797, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 347, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 1981, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 1987, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/dogtag.py", line
1294, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA
REST API'))
2017-11-15T13:05:59Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2017-11-15T13:05:59Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
6 years, 4 months
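The quoted ipaupgrade.log is hard to read because the archive wrapped its lines. The following is an added example, not code from the post or from FreeIPA: a small Python triage that re-joins wrapped records and pulls out the CA's HTTP status, the Tomcat error title and exception class, and the exception IPA finally raised. It runs over a constructed, shortened copy of the output above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the ipa-server-upgrade debug
# output quoted in the post, keeping the wrapped lines as the archive
# shows them. The Tomcat HTML body is trimmed to the parts that matter.
SAMPLE_LOG = r"""2017-11-15T13:05:59Z DEBUG approved_usage = SSL Server intended_usage = SSL
Server
2017-11-15T13:05:59Z DEBUG handshake complete, peer = IPADDRESS
2017-11-15T13:05:59Z DEBUG Protocol: TLS1.2
2017-11-15T13:05:59Z DEBUG response status 500
2017-11-15T13:05:59Z DEBUG response headers {'content-length': '2292',
'server': 'Apache-Coyote/1.1', 'connection': 'close'}
2017-11-15T13:05:59Z DEBUG response body '<!DOCTYPE
html><html><head><title>Apache Tomcat/8.0.46 (Ubuntu) - Error
report</title></head><body><h1>HTTP
Status 500 - Subsystem unavailable</h1><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n</pre></body></html>'
2017-11-15T13:05:59Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-11-15T13:05:59Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2017-11-15T13:05:59Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
"""

# One record per line: ISO-8601 UTC timestamp, level, message.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>[A-Z]+) (?P<msg>.*)$"
)


def split_records(text: str) -> List[Tuple[str, str, str]]:
    """Re-join wrapped lines into (timestamp, level, message) records.

    A line that does not start with a timestamp is treated as the
    continuation of the previous record (mail archives wrap long lines).
    """
    records: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m["ts"], m["level"], m["msg"]))
        elif records and line.strip():
            ts, level, msg = records[-1]
            records[-1] = (ts, level, msg + " " + line.strip())
    return records


def triage(text: str) -> Dict[str, Optional[str]]:
    """Pull the diagnostic facts out of an ipa-server-upgrade debug log."""
    facts: Dict[str, Optional[str]] = {
        "ca_http_status": None,    # status returned by the Dogtag REST API
        "tomcat_title": None,      # <h1> of Tomcat's error page
        "tomcat_exception": None,  # exception class at the top of <pre>
        "ipa_exception": None,     # exception class IPA finally raised
        "ipa_reason": None,        # its message
    }
    for _ts, _level, msg in split_records(text):
        if msg.startswith("response status "):
            facts["ca_http_status"] = msg.split()[2]
        elif msg.startswith("response body "):
            h1 = re.search(r"<h1>(.*?)</h1>", msg)
            exc = re.search(r"<pre>([\w.$]+):", msg)
            facts["tomcat_title"] = h1.group(1) if h1 else None
            facts["tomcat_exception"] = exc.group(1) if exc else None
        elif msg.startswith("The ipa-server-upgrade command failed"):
            m = re.search(r"exception: (\w+): (.*)", msg)
            if m:
                facts["ipa_exception"], facts["ipa_reason"] = m.group(1), m.group(2)
    return facts


def error_count(text: str) -> int:
    """Number of ERROR-level records (the two 'upgrade failed' lines here)."""
    return sum(1 for _ts, level, _msg in split_records(text) if level == "ERROR")


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:17s} {value}")
```

Pointing the same functions at a real /var/log/ipaupgrade.log gives the CA status and the IPA exception in one place instead of buried in the HTML body.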
DNS Reverse Zone Error
by Auerbach, Steven
We perform monthly patching of our IPA servers on consecutive weeks. We have a realm member server that loses its 'A' record in DNS after every monthly patching cycle on the first of our 2 IPA servers. And this member server is the ONLY machine to have such a problem.
Using the DNS Admin GUI I can make the 'A' record on one of the IPA servers and it shows up immediately in the DNS Admin GUI of the other. There is no reverse record for that member server in the DNS Admin GUI and it will not allow me to add a reverse zone record for the server. I receive a message that the reverse record for this server already exists.
Is there a way to clean this up? Is this glitch regarding the reverse zone record the reason the 'A' record falls away?
Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
Steven.auerbach(a)flbog.edu | www.flbog.edu
6 years, 4 months
ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
by James Harrison
Hello, I'm reinstalling a replica FreeIPA server in a CA-less environment.
I looked online and found: https://www.redhat.com/archives/freeipa-users/2016-December/msg00391.html which is similar (or exactly the problem), but there's no solid resolution. I recopied /etc/ipa/ca.crt to the new server from an existing IPA server.
[root@cro-lv-ipa-01 log]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@cro-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
Not sure what to do.
Really appreciate any help.
Many thanks, James
Below is a snip from log files:
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.546670082 +0000] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is going offline; disabling replication
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.756581200 +0000] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 1
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 2
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 3
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.608407982 +0000] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.845823301 +0000] - INFO - import_monitor_threads - import userRoot: Workers cleaned up.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.862303717 +0000] - INFO - import_main_offline - import userRoot: Indexing complete. Post-processing...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.879128392 +0000] - INFO - import_main_offline - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.926416316 +0000] - INFO - import_main_offline - import userRoot: Generating numSubordinates complete.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.937805159 +0000] - INFO - ldbm_get_nonleaf_ids - import userRoot: Gathering ancestorid non-leaf IDs...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.954558879 +0000] - INFO - ldbm_get_nonleaf_ids - import userRoot: Finished gathering ancestorid non-leaf IDs.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.988095437 +0000] - INFO - ldbm_ancestorid_new_idl_create_index - import userRoot: Creating ancestorid index (new idl)...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.037871941 +0000] - INFO - ldbm_ancestorid_new_idl_create_index - import userRoot: Created ancestorid index (new idl).
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.054977988 +0000] - INFO - import_main_offline - import userRoot: Flushing caches...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.071740106 +0000] - INFO - import_main_offline - import userRoot: Closing files...
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.087512816 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 2258 entries in 5 seconds. (451.60 entries/sec)
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.108388854 +0000] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.144415357 +0000] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is coming online; enabling replication
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.194223235 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.216305850 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 2
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.241702245 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.266861361 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.292000163 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.317009177 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.342161229 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.367108163 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.392166650 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.417292219 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.442364745 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.467486445 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.492482419 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.517678450 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.542783571 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.567929627 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.592914991 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.631596834 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.651414870 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.763358682 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.785332575 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success)
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.818877061 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.852136491 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success)
Dec 14 15:34:40 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 1
Dec 14 15:34:40 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 2
Dec 14 15:34:40 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 3
Dec 14 15:35:00 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:35:00.564199045 +0000] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
Dec 14 15:35:00 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:35:00.589577811 +0000] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
6 years, 4 months
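The ns-slapd journal above mixes replication notices, unstructured GSSAPI lines and a long run of repeated NSACLPlugin errors around the two ipa-topology-plugin lines that matter. The following is an added example, not code from the post or from 389-ds or FreeIPA: a Python parser for this journal format that counts ERR entries per subsystem, de-duplicates the "ACL target ... does not exist" messages into the set of missing DNs, and lists the ipa-topology-plugin messages in order. It runs on a constructed subset of the lines quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the journal lines quoted in the post.
SAMPLE_LINES = """
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.546670082 +0000] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is going offline; disabling replication
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.108388854 +0000] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.194223235 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.216305850 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.342161229 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.367108163 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.392166650 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 15:35:00 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:35:00.564199045 +0000] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
Dec 14 15:35:00 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:35:00.589577811 +0000] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
""".strip().splitlines()

# journald/syslog prefix: "Mon DD HH:MM:SS host ns-slapd[pid]: rest"
SYSLOG_RE = re.compile(
    r"^(?P<when>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ns-slapd\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# 389-ds error-log record: "[timestamp] - SEVERITY - subsystem - message"
DS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<body>.*)$")
ACL_TARGET_RE = re.compile(r"The ACL target (.+?) does not exist")


@dataclass
class DsEvent:
    when: str
    host: str
    severity: Optional[str]   # None for unstructured lines ("GSSAPI server step 1")
    subsystem: Optional[str]
    message: str


def parse_line(line: str) -> Optional[DsEvent]:
    """Parse one journal line; returns None for lines not from ns-slapd."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    d = DS_RE.match(rest)
    if not d:
        return DsEvent(m["when"], m["host"], None, None, rest)
    # The subsystem never contains " - "; everything after it is the message.
    subsystem, _, message = d["body"].partition(" - ")
    return DsEvent(m["when"], m["host"], d["sev"], subsystem, message)


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise ERR entries so the topology-plugin failure is not lost in noise."""
    events = [e for e in map(parse_line, lines) if e is not None]
    err_by_subsystem: Counter = Counter(e.subsystem for e in events if e.severity == "ERR")
    missing_targets = set()
    topology: List[str] = []
    for e in events:
        if e.severity != "ERR":
            continue
        if e.subsystem == "NSACLPlugin":
            t = ACL_TARGET_RE.search(e.message)
            if t:
                missing_targets.add(t.group(1))
        elif e.subsystem == "ipa-topology-plugin":
            topology.append(e.message)
    return {
        "events": len(events),
        "err_by_subsystem": dict(err_by_subsystem),
        "missing_acl_targets": sorted(missing_targets),
        "topology": topology,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```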
Add principal alias to a service from the client
by Robson Ramos Barreto
Hi Guys
I need to add a principal alias to a service from the client by which it
is managed.
From the client I have the following script:
---
kinit -k -t /etc/krb5.keytab
ipa service-add myservice/myclient.example.com
ipa service-add-principal myservice/myclient.example.com myservice/myalias.example.com
---
On the last command it returns the following error:
---
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPrincipalName' attribute of entry 'krbprincipalname=myservice/myclient.example.com(a)example.com,cn=services,cn=accounts,dc=example,dc=com'.
---
I tried creating a role with the 'Service Administrators' privilege and
attached it to the host principal host/myclient.example.com (instead of
myservice/myclient.example.com), and it worked.
However I need to set this role (or privilege) globally. On the other hand,
any new host enrolled after ipa-client-install has that privilege allowed.
Thank you
6 years, 4 months
Kerberized NFS on two identical VMs. But mounting works only from one.
by Ray
Hi,
I run FreeIPA across a few sites with five replicated servers. The IPA
version is the current CentOS one: 4.5.0-21
At two of those sites a kerberized NFS service is offered to the client
machines. All clients and servers involved are CentOS 7.4 boxes.
For both NFS servers I configured NFS service principals, and when I click
my way in the GUI Identity -> Services -> nfs.server1 resp. nfs.server2
I get to see "Kerberos Key Present, Service Provisioned" for both. So
far things seem ok.
However, mounting works only from server1, for clients at both sites
(site1 to site2 mounting and vice versa is allowed). Mounting anything
from server2 keeps failing:
Site 2: local mount attempt:
root@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p server.at.site2:/local/test /mnt
mount.nfs4: timeout set for Sat Dec 9 17:03:02 2017
mount.nfs4: trying text-based options
'sec=krb5p,vers=4.1,addr=xx.xx.xx.xx,clientaddr=yy.yy.yy.yy'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server.at.site2:/local/test
root@client.at.site2:~#
Site 2: remote mount attempt:
root@client.at.site2:~# mount -vv -t nfs4 -osec=krb5p server.at.site1:/local/test /mnt
mount.nfs4: timeout set for Sat Dec 9 17:03:10 2017
mount.nfs4: trying text-based options
'sec=krb5p,vers=4.1,addr=zz.zz.zz.zz,clientaddr=yy.yy.yy.yy'
root@client.at.site2:~#
At site2's server I disabled:
- the firewall
- selinux
Exports are identical at both sites
I don't see what might be the problem here. How can I debug this? Tried
to enable all sorts of debug flags in /etc/sysconfig/nfs on site2's
server:
RPCNFSDARGS="-d"
RPCMOUNTDOPTS="-dall"
STATDARG=""
SMNOTIFYARGS=""
RPCIDMAPDARGS=""
RPCGSSDARGS="-vvv -r"
RPCSVCGSSDARGS="-vvv"
GSS_USE_PROXY="yes"
BLKMAPDARGS=""
SECURE_NFS="yes"
I did restart nfs with systemctl restart nfs-server, but there's not
much happening in tail -f /var/log/messages, nor does journalctl -f show
anything new on failing mount attempts as shown above.
I did read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA, but
this seems outdated in several spots: Is SECURE_NFS still required in
/etc/sysconfig/nfs, for instance?
The fact that I can mount anything at all on the client indicates that
the client is ok. In desperation, I reinstalled the NFS server at site2
last weekend from scratch. But now I run into the same issue as before.
Might there be something wrong with the service principals after all?
I would sincerely appreciate suggestions that help me solve this.
Best,
Ray
6 years, 4 months
Case insensitivity issues
by Aaron Hicks
Hello the group,
We have a script that keeps things like user names and group descriptions in
sync with our customer management system, and mostly this is great, but the
FreeIPA API is very case insensitive.
If we have someone update their surname to fix capitalization (e.g. update
"De Veers" to "de Veers") or fix a typo in a group description (e.g. "The
Structure of Materials Assembled From Atomic Clusters" to "The Structure of
Materials Assembled from Atomic Clusters") it throws the following error:
in parse_error
raise exception_class(message, code)
python_freeipa.exceptions.BadRequest: Type or value exists:
Basically, the user_mod and group_mod commands are case insensitive, so they
throw an exception rather than update the value. While it is correct for
usernames and group names to be case insensitive, it's not appropriate for
many other attributes. Is there a way to modify this behavior, or is it a bug?
Regards,
Aaron Hicks
6 years, 4 months
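An added example, not code from the post or from python_freeipa: a pre-flight check a sync script can run before calling user_mod or group_mod, so that edits which differ only in letter case (the kind the post shows being rejected with "Type or value exists") are reported separately instead of aborting the whole sync run. The entries, attribute values and the decision to hold case-only edits back are constructed assumptions; multi-valued attributes are compared as order-insensitive sets.

```python
from typing import Dict, List, Tuple, Union

Value = Union[str, List[str]]
ModPlan = Tuple[Dict[str, Value], Dict[str, Tuple[Value, Value]]]

# Constructed sample entries, modelled on the two cases in the post.
CURRENT_USER: Dict[str, Value] = {
    "uid": "aveers",
    "givenname": "Anna",
    "sn": "De Veers",
    "mail": ["Anna@example.com"],
}
DESIRED_USER: Dict[str, Value] = {
    "uid": "aveers",
    "givenname": "Anna",
    "sn": "de Veers",                 # capitalisation fix only
    "mail": ["anna@example.com"],     # capitalisation fix only
    "title": "Researcher",            # genuinely new value
}
CURRENT_GROUP: Dict[str, Value] = {
    "cn": "clusters",
    "description": "The Structure of Materials Assembled From Atomic Clusters",
}
DESIRED_GROUP: Dict[str, Value] = {
    "cn": "clusters",
    "description": "The Structure of Materials Assembled from Atomic Clusters",
}


def _values(v: Value) -> List[str]:
    """Normalise a single- or multi-valued attribute to a list of strings."""
    return [v] if isinstance(v, str) else list(v)


def _same_ignoring_case(a: Value, b: Value) -> bool:
    """True when two attribute values differ at most in letter case."""
    return sorted(x.casefold() for x in _values(a)) == sorted(x.casefold() for x in _values(b))


def plan_mod(current: Dict[str, Value], desired: Dict[str, Value]) -> ModPlan:
    """Split the desired changes into (mods, case_only).

    `mods` holds attributes the server treats as real changes and can be
    passed straight to user_mod/group_mod. `case_only` holds attributes
    whose only difference is capitalisation; these are the ones the post
    shows failing with 'Type or value exists', so they are held back and
    returned for reporting rather than sent.
    """
    mods: Dict[str, Value] = {}
    case_only: Dict[str, Tuple[Value, Value]] = {}
    for attr, new in desired.items():
        old = current.get(attr)
        if old is None:
            mods[attr] = new            # attribute not set yet: safe to add
        elif sorted(_values(old)) == sorted(_values(new)):
            continue                    # identical: nothing to send
        elif _same_ignoring_case(old, new):
            case_only[attr] = (old, new)
        else:
            mods[attr] = new
    return mods, case_only


def report(case_only: Dict[str, Tuple[Value, Value]]) -> List[str]:
    """Human-readable lines for the changes that were held back."""
    return [f"{attr}: {old!r} -> {new!r} (case-only change, not sent)"
            for attr, (old, new) in case_only.items()]


if __name__ == "__main__":
    for cur, want in ((CURRENT_USER, DESIRED_USER), (CURRENT_GROUP, DESIRED_GROUP)):
        mods, held = plan_mod(cur, want)
        print("send:", mods)
        for line in report(held):
            print(line)
```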
Announcing FreeIPA 4.6.2
by Tibor Dudlák
The FreeIPA team would like to announce FreeIPA 4.6.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 26 and 27 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ COPR
repository].
== Highlights in 4.6.2 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.6.2 is a stabilization release for the features delivered as a
part of 4.6.0.
There are more than 20 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
) or #freeipa channel on Freenode.
== Resolved tickets ==
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level for
replica tests
* 7226 Remove remaining references to Firefox configuration extension
* 7213 Increase dbus client timeouts during CA install
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA web
UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7153 Switch "ipa-run-tests" symlink to "ipa-run-tests-3.6"
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start
tracking certs
* 7148 py3: ipa cert-request --principal --database fails with
BytesWarning: str() on a bytes instance
* 7142 py3: ipa ca-add fails with 'an internal error has occurred'
* 7134 ipa param-find: command displays internal error
* 7133 tox -e pylint3 fails under Python 3.6
* 7132 [4.6] PyPI packages are broken
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails
due to missing dns records
* 7033 vault: TypeError: ... is not JSON serializable
* 6994 RFE: Remove 389-ds tuning step
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6844 ipa-restore fails when umask is set to 0027
* 6702 Update Dogtag to 10.4
* 5887 IDNA domains does not work under py3
* 5442 [tracker] SELinux 'execmem' denials
== Detailed changelog since 4.6.1 ==
=== Alexander Bokovoy (10) ===
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks
=== Alexander Koksharov (1) ===
* kra-install: better warning message
=== Aleksei Slaikovskii (6) ===
* ipa-restore: Set umask to 0022 while restoring
* View plugin/command help in pager
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install
=== Christian Heimes (23) ===
* Update IPA_GIT_BRANCH to ipa-4-6
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* libotp: add libraries after objects
* Require UTF-8 fs encoding
* Run tox tests for PyPI packages on Travis
* Py3: Fix vault tests
* Use namespace-aware meta importer for ipaplatform
* Test script for ipa-custodia
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi
=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly
=== Felipe Barreto (6) ===
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
=== Florence Blanc-Renaud (10) ===
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
=== Fraser Tweedale (22) ===
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Use correct version of Python in RPM scripts
* Re-enable some KRA installation tests
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
=== John Morris (1) ===
* Increase dbus client timeouts during CA install
=== Michal Reznik (12) ===
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_forced_client: decode get_file_contents() result
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography
=== Mohammad Rizwan Yusuf (1) ===
* ipatest: replica install with existing entry on master
=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection
=== Pavel Vomacka (1) ===
* WebUI: make Domain Resolution Order writable
=== Rob Crittenden (7) ===
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Stanislav Laznicka (22) ===
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* travis: pep8 changes to pycodestyle
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions
=== Thierry Bordaz (1) ===
* 389-ds-base crashed as part of ipa-server-intall in ipa-uuid
=== Tibor Dudlák (3) ===
* Become IPA 4.6.2
* Update Contributors.txt
* Update zanata translations
=== Tomas Krizek (13) ===
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* 4.6 set back to git snapshot
=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to api_env var.
--
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C403
Red Hat
6 years, 4 months