Certificate renewals with external CA
by Rob Foehl
I've got a test instance of FreeIPA 4.4.4 running on F25 that was
installed with --external-ca, and the resulting CSR signed with a validity
period of 30 days to test behavior around expirations.
Upon booting that instance today, certmonger decided to preemptively renew
every IPA cert -- which is a good thing -- but did so without waiting for
renewal of the IPA CA cert first, which is less good. Now that instance
has a pile of certs that expire in two weeks, since they were signed with
and thus tied to the expiration of the old IPA CA cert.
While I'm guessing certmonger will figure this out and do the right thing
within a couple weeks -- and with the expectation that this would only
happen once per IPA CA renewal with a "real" deployment -- is this the
intended behavior?
Logs are a bit of a mess between this and a potentially-resolved SELinux
issue with certmonger, but I'll wedge them all into a proper bug report if
desired.
-Rob
5 years, 9 months
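The ordering problem described in this post (leaf certificates re-issued under a CA certificate that is itself about to expire, so the leaves inherit its notAfter) can be checked from `getcert list` output before certmonger gets round to it. The script below is an added example, not the poster's code and not part of FreeIPA or certmonger. The `getcert list` text it parses is a constructed, trimmed sample in the layout that command prints; the request IDs, dates and hostnames are made up. It assumes the CA signing certificate is tracked under Dogtag's default nickname `caSigningCert cert-pki-ca`, and the 28-day renewal horizon is an assumed value, not a certmonger setting read from anywhere.

```python
"""Find IPA certificates whose lifetime is capped by the CA certificate.

Added example (not from the original post, FreeIPA or certmonger). A cert
issued by the IPA CA cannot outlive the CA cert that signed it, so leaves
issued before the CA renews must be issued again afterwards; this orders
that work CA-first instead of letting every tracked cert race on boot.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list` output (fields trimmed).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20170301120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=External Test CA,O=EXAMPLE
\tsubject: CN=Certificate Authority,O=IPA.TEST
\texpires: 2017-06-14 12:00:00 UTC
Request ID '20170301120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=IPA.TEST
\tsubject: CN=ipa.ipa.test,O=IPA.TEST
\texpires: 2017-06-14 12:00:00 UTC
Request ID '20170301120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=IPA.TEST
\tsubject: CN=ipa.ipa.test,O=IPA.TEST
\texpires: 2019-05-30 12:00:00 UTC
"""

# Dogtag's default nickname for the CA signing certificate (assumption: the
# deployment did not rename it).
CA_NICKNAME = "caSigningCert cert-pki-ca"


def parse_getcert_list(text):
    """Return one dict per tracked request; keys are the field names getcert prints."""
    records = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            records.append({"request_id": m.group(1)})
        elif records and line[:1] in ("\t", " "):
            key, _, value = line.strip().partition(": ")
            records[-1][key] = value
    return records


def expires_at(rec):
    """Parse getcert's 'expires: YYYY-MM-DD HH:MM:SS UTC' field."""
    return datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def nickname(rec):
    m = re.search(r"nickname='([^']*)'", rec.get("certificate", ""))
    return m.group(1) if m else None


def renewal_plan(records, now, horizon=timedelta(days=28), ca_nickname=CA_NICKNAME):
    """Split tracked certs into the CA cert, leaves capped at the CA's expiry and
    the rest, and give the order in which they should be resubmitted (CA first).
    `horizon` is an assumed lead time, not read from certmonger's configuration."""
    ca = next(r for r in records if nickname(r) == ca_nickname)
    ca_exp = expires_at(ca)
    capped = [r for r in records if r is not ca and expires_at(r) <= ca_exp]
    unaffected = [r for r in records if r is not ca and expires_at(r) > ca_exp]
    return {
        "ca": ca,
        "ca_needs_renewal": ca_exp - now <= horizon,
        "capped": capped,
        "unaffected": unaffected,
        "order": [ca["request_id"]] + [r["request_id"] for r in capped],
    }


if __name__ == "__main__":
    plan = renewal_plan(parse_getcert_list(SAMPLE_GETCERT_LIST), datetime.now(timezone.utc))
    print("CA renewal due:", plan["ca_needs_renewal"])
    for rid in plan["order"]:  # the CA's own request ID comes first on purpose
        print("getcert resubmit -i", rid)
```

Once the CA certificate has been renewed, `getcert resubmit -i <request ID>` forces a fresh issuance of each capped leaf so it picks up the new CA lifetime instead of waiting for certmonger's own schedule.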
cannot connect ...Encountered end of file.
by Vinny Del Signore
Hello all,
Has anyone seen this issue? We've tried to generate a new CA and SSL Cert.
IPA v.3.0.0-50
# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # ipa-replica-prepare --ip-address=10.10.xx.xx rtlvxl0055.test.local
Directory Manager (existing master) password:
Preparing replica for rtlvxl0055.test.local from ldap-srv.domain.com
Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to 'https://ldap-srv.domain..com:9444/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to 'https://ldap-srv.domain..com:xxxx/ca/ee/ca/profileSubmitSSLClient': (PR_END_OF_FILE_ERROR) Encountered end of file.
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 361, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
                  replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
    raise e
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # uname -r
2.6.32-642.3.1.el6.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
Kind regards,
Vin
5 years, 11 months
very slow remove users process
by Adrian HY
Hi folks, I have a freeipa group with 30000 users to delete. The process is
very very slow. For example:
# time ipa -v user-del vvv
-------------------------
Deleted user "vvv"
-------------------------
real 0m16.913s
user 0m0.814s
sys 0m0.084s
The hardware parameters are normal. The hard drive is SSD.
Regards.
5 years, 11 months
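Each `ipa user-del` process pays for Kerberos, connection and schema setup before it deletes anything, and for 30000 users that is paid 30000 times. One way round it is to send the deletions through the JSON-RPC `batch` command that the `ipa` client speaks. The code below is an added example, not the poster's script and not FreeIPA's own code. It assumes the request shape FreeIPA 4.x accepts (`{"method", "params": [args, options], "id"}`), an API `version` string that the server accepts (the value here is a placeholder; use what `ipa ping` reports), and the layout of a batch reply; the reply it parses is a constructed sample, not one captured from a server.

```python
"""Delete users in JSON-RPC batches instead of one `ipa user-del` per user.

Added example, not the poster's code and not FreeIPA's own. Batching
removes the per-process client setup cost; it does not change what the
directory has to do for each delete, so if the 16 s are spent server-side
this will not help and the server should be profiled instead.
"""
import json

API_VERSION = "2.213"  # placeholder; take the real value from `ipa ping`


def batch_requests(user_names, chunk_size=100, api_version=API_VERSION):
    """Yield one JSON-RPC `batch` request per chunk of `chunk_size` users.
    Each inner call is a plain user_del with the uid as its positional arg."""
    for i in range(0, len(user_names), chunk_size):
        chunk = user_names[i:i + chunk_size]
        methods = [{"method": "user_del", "params": [[uid], {}]} for uid in chunk]
        yield {
            "method": "batch",
            "params": [methods, {"version": api_version}],
            "id": i // chunk_size,
        }


def summarize_batch_reply(submitted, reply):
    """Pair each submitted uid with its entry in reply['result']['results']
    (batch answers in request order) and return (deleted, failed)."""
    deleted, failed = [], {}
    for uid, item in zip(submitted, reply["result"]["results"]):
        if item.get("error"):
            failed[uid] = item["error"]
        else:
            deleted.append(uid)
    return deleted, failed


# Constructed sample of a batch reply (assumed 4.x layout): one success, one failure.
SAMPLE_REPLY = {
    "result": {
        "count": 2,
        "results": [
            {"error": None, "result": {"failed": []},
             "summary": 'Deleted user "u0001"', "value": ["u0001"]},
            {"error": "u0002: user not found", "error_code": 4001,
             "error_name": "NotFound"},
        ],
    },
    "error": None,
    "id": 0,
}


def write_requests(user_names, prefix="batch", chunk_size=100):
    """Write each batch request to <prefix>-<n>.json for sending with curl."""
    paths = []
    for req in batch_requests(user_names, chunk_size):
        path = "%s-%d.json" % (prefix, req["id"])
        with open(path, "w") as fh:
            json.dump(req, fh)
        paths.append(path)
    return paths


if __name__ == "__main__":
    names = ["u%04d" % n for n in range(1, 251)]
    print("requests:", len(list(batch_requests(names))))
    print(summarize_batch_reply(["u0001", "u0002"], SAMPLE_REPLY))
```

A request file can be posted with a Kerberos ticket using `curl --negotiate -u : -H 'Content-Type: application/json' -H 'Referer: https://<server>/ipa' -d @batch-0.json https://<server>/ipa/json`; the `Referer` header is not optional, the IPA endpoint rejects requests without it. Keep chunks modest (a few hundred) so a single failure or timeout does not lose a huge batch, and feed the `failed` map back into a retry.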
ipa server-del results in "internal error"
by dbischof@hrz.uni-kassel.de
Dear list,
I'm in the process of upgrading my IPA installation (1 master, 1 replica,
external DNS) from IPA version 3.0 to 4.4.
I followed the instructions at [1].
Everything worked flawlessly (kudos to all developers and supporters!): My
new 4.4 master is up and running.
To my understanding, the last step would be to remove the still existing
replication agreements of the old 3.0 master and replica before creating
the new 4.4 replica (the new 4.4 master is new hardware with a new
hostname, but I want to keep the old hardware and hostname for the 4.4
replica).
My attempt to remove the old servers results in
---
root@o201:~# ipa server-del poolsrv.example.org
Removing poolsrv.example.org from replication topology, please wait...
ipa: ERROR: an internal error has occurred
---
The error occurs even if I try to remove a non-existing server with
--force. Attempts to remove the server via the web interface fail as well.
IPA/OS versions:
---
root@o201:~# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
root@o201:~# rpm -qa | grep -i ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
ipa-admintools-4.4.0-14.el7.centos.7.noarch
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
---
Something I could try?
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
Best regards,
--Daniel.
5 years, 12 months
ipa-client-install combined with 'authconfig --enablenis --update'
by paul@kenla.nl
Hi,
I have a boot problem when I combine ipa-client-install with 'authconfig --enablenis --update'.
According to the oVirt/RHEV docs [1] I have to do this to make SSO to the VM possible.
Messages during boot are:
Failed to start RealtimeKit for Policy Services
Failed to start Authorization Manager
Dependency failed for Dynamic System tuning daemon
My setup is:
All systems Centos 7.3(1611)
oVirt 4.1
IPA server 4.4
IPA client 4.4
If I use an old VM with CentOS 7.2 (1511) and ipa-client 4.2, there are no problems and SSO is working, so oVirt and IPA seem to be configured correctly.
My findings so far:
- CentOS 7.3 does not include ypbind. If I install it manually, it sometimes boots (but takes a long time), but other times it stops at the same point as mentioned before. This could imply some kind of race condition during boot.
- I tried different versions of ipa-client (ipa-client-4.4.0-12.el7.centos.x86_64 up to ipa-client-4.4.0-14.el7.centos.7.x86_64); none worked. Older versions I could not find anymore.
Can anyone confirm my findings or point me in some direction?
Kind regards,
Paul
[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4....
6 years
SSH Key replication time/issues
by Jake
Hey again,
I'm trying to track down how to ensure ssh keys are added AND removed quickly.
Right now it seems I must restart ipa services or sss_cache -E to force them to update, and there doesn't seem to be a determinate amount of time to allow replication.
Note, SSH keys are stored in the "Default View" for external users (external one-way trust with AD).
Thanks,
-Jake
6 years
Get rid of manually calling kinit with SSSD
by Ronald Wimmer
Hi,
I read Jakub Hrozek's post
https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-call...
and found that it is exactly what I need. The only problem is that I am
using Ubuntu and not Fedora or CentOS.
In sssd_pam.log I only see a SSS_PAM_OPEN_SESSION but no
SSS_PAM_AUTHENTICATE, so most likely the PAM config is still wrong. Is
there anybody here who got this working under Ubuntu?
This is how my /etc/pam.d/common-auth looks:
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
And this is my nsswitch.conf
passwd: compat
group: compat
shadow: compat
hosts: files wins mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
Any ideas on this matter would be highly appreciated!
Regards,
Ronald
6 years
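Whether pam_sss is reached for a password login with the common-auth quoted above can be worked out mechanically from Linux-PAM's control syntax: `[success=N default=ignore]` means "on success, count as ok and skip the next N modules; on anything else, ignore the result and go on". The script below is an added example (not the poster's, not Ubuntu's, not SSSD's): a small interpreter for the `auth` stack, run over the lines from the post with simulated module outcomes. The simulation assumes pam_unix only knows local users and pam_sss only SSSD users; it is not libpam. What it shows is that pam_sss's authenticate step is reached for an SSSD user whenever the application actually runs PAM's auth phase, which for sshd is the case for password logins but not for public-key or GSSAPI logins, where sshd authenticates on its own and only runs PAM's account and session phases. An SSS_PAM_OPEN_SESSION without an SSS_PAM_AUTHENTICATE therefore also fits a login that never went through pam_authenticate at all.

```python
"""Walk a Linux-PAM `auth` stack and report which modules run for a user.

Added example, not from the original post or from any PAM/SSSD code. Module
behaviour is simulated: pam_unix succeeds only for local users with the right
password, pam_sss only for SSSD users, pam_deny always fails, the rest succeed.
"""
import re

# The /etc/pam.d/common-auth lines quoted in the thread.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

# Simplified bracket equivalents of the keyword controls (only the success /
# default outcomes matter for this simulation).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_stack(text):
    """Return [(control_dict, module, args), ...] for the `auth` lines."""
    stack = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)", line)
        control, module, args = m.groups()
        if control.startswith("["):
            ctl = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            ctl = dict(KEYWORD_CONTROLS[control])
        stack.append((ctl, module, args.split()))
    return stack


def simulate_module(module, user, password_ok):
    """Simulated outcome ('success' or 'fail') of one module for this user."""
    if module == "pam_unix.so":
        return "success" if user["source"] == "local" and password_ok else "fail"
    if module == "pam_sss.so":
        return "success" if user["source"] == "sssd" and password_ok else "fail"
    if module == "pam_deny.so":
        return "fail"
    return "success"  # pam_permit, pam_ecryptfs, pam_cap: never block here


def run_auth_stack(stack, user, password_ok=True):
    """Apply Linux-PAM's ok/bad/die/done/ignore/jump-N actions in order.
    Returns (final_result, list_of_modules_that_were_called)."""
    called, impression, i = [], None, 0  # impression: None, "ok" or "bad"
    while i < len(stack):
        ctl, module, _ = stack[i]
        result = simulate_module(module, user, password_ok)
        called.append(module)
        action = ctl.get(result) or ctl.get("default", "bad")
        if action.isdigit():          # "N": same as ok, plus skip the next N modules
            impression = impression or "ok"
            i += int(action) + 1
            continue
        if action in ("ok", "done"):
            impression = impression or "ok"
            if action == "done":
                break
        elif action in ("bad", "die"):
            impression = "bad"
            if action == "die":
                break
        i += 1                        # "ignore": the result does not count
    return ("success" if impression == "ok" else "fail"), called


if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    for user in ({"name": "ronald", "source": "sssd"}, {"name": "root", "source": "local"}):
        print(user["name"], run_auth_stack(stack, user))
```

For the SSSD user with a correct password the trace is pam_unix (fails, ignored), pam_sss (succeeds, jumps over pam_deny), pam_permit, pam_ecryptfs, pam_cap: pam_sss is consulted, so SSSD would log SSS_PAM_AUTHENTICATE for such a login. Checking how the session was opened (sshd password vs. key vs. GSSAPI) is therefore the first thing to look at when only SSS_PAM_OPEN_SESSION appears.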
Custom attributes - Php Api
by Ivan Joaquim (Pichot)
Hi,
I'm integrating an app in PHP with the FreeIPA API using this
library: https://github.com/gnumoksha/php-freeipa
I'm using extra schemas with custom attributes and can't access those
attributes via the API.
Can someone show me how I can manage these attributes, i.e. read and
modify them?
Thanks in advance for your time!
Cheers,
Ivan Joaquim.
6 years
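Whatever the client library, custom-schema attributes go over the same JSON-RPC calls: `user_show` with the `all` option returns every attribute on the entry, not only the ones the user plugin has parameters for, and `user_mod` takes `setattr`, `addattr` and `delattr` lists of `attr=value` strings for attributes without a dedicated option. The code below is an added example (not the poster's PHP, not php-freeipa's and not FreeIPA's own) that builds those requests and reads the result; `acmeBadgeId`, `acmeCostCenter` and the `acmeperson` object class are hypothetical names, the API version string is a placeholder, and the `user_show` reply is a constructed sample in the shape of a 4.x result, not one captured from a server.

```python
"""Read and modify custom-schema attributes over FreeIPA's JSON-RPC API.

Added example, not from the original post, php-freeipa or FreeIPA.
Attribute names in IPA replies are lowercased and LDAP attributes come back
as lists, which is why the helper normalises both.
"""
import json

API_VERSION = "2.213"  # placeholder; use the version reported by `ipa ping`


def user_show_request(uid, rpc_id=0):
    """`all: True` makes the server return the whole entry, including
    attributes from extra schema the user plugin knows nothing about."""
    return {"method": "user_show",
            "params": [[uid], {"all": True, "version": API_VERSION}],
            "id": rpc_id}


def user_mod_request(uid, setattr=(), addattr=(), delattr=(), rpc_id=0):
    """setattr replaces, addattr adds a value, delattr removes one; each is a
    list of 'attr=value' strings, exactly like the CLI's --setattr/--addattr."""
    opts = {"all": True, "version": API_VERSION}
    if setattr:
        opts["setattr"] = list(setattr)
    if addattr:
        opts["addattr"] = list(addattr)
    if delattr:
        opts["delattr"] = list(delattr)
    return {"method": "user_mod", "params": [[uid], opts], "id": rpc_id}


def attribute_values(reply, name):
    """Values of `name` from a user_show/user_mod reply, always as a list."""
    entry = reply["result"]["result"]
    value = entry.get(name.lower())
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


# Constructed sample reply (assumed 4.x layout); acmeperson/acmebadgeid are hypothetical.
SAMPLE_USER_SHOW_REPLY = {
    "result": {
        "result": {
            "dn": "uid=ivan,cn=users,cn=accounts,dc=ipa,dc=test",
            "uid": ["ivan"],
            "givenname": ["Ivan"],
            "sn": ["Joaquim"],
            "objectclass": ["top", "person", "inetorgperson", "posixaccount", "acmeperson"],
            "acmebadgeid": ["B-1042"],
        },
        "value": "ivan",
        "summary": None,
    },
    "error": None,
    "id": 0,
}


if __name__ == "__main__":
    print(json.dumps(user_show_request("ivan")))
    print(json.dumps(user_mod_request("ivan", setattr=["acmeBadgeId=B-2000"])))
    print(attribute_values(SAMPLE_USER_SHOW_REPLY, "acmeBadgeId"))
```

Two things bite in practice. The entry must carry the auxiliary object class that allows the custom attribute, or the directory answers with an object class violation; for existing users that is `addattr=["objectclass=<yourclass>"]` on the same `user_mod`, and for new users `ipa config-mod --userobjectclasses=...` adds it to the defaults. And without `all` (the CLI's `--all`) the custom attributes are simply absent from the reply, which looks exactly like "can't access those attributes via the API".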
DatabaseError: Server is unwilling to perform: Too many failed logins.
by Jose Alvarez R.
Hi
A question, I have the following errors on my server FreeIPA 4.3.3
cat /var/log/httpd/error_log
[Wed May 31 11:27:59.079315 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] mod_wsgi (pid=2024): Exception occurred processing WSGI
script '/usr/share/ipa/wsgi
[Wed May 31 11:27:59.079432 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] Traceback (most recent call last):
[Wed May 31 11:27:59.079486 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File "/usr/share/ipa/wsgi.py", line 63, in application
[Wed May 31 11:27:59.079675 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] return api.Backend.wsgi_dispatch(environ,
start_response)
[Wed May 31 11:27:59.079703 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __ca
[Wed May 31 11:27:59.080261 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] return self.route(environ, start_response)
[Wed May 31 11:27:59.080298 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in rout
[Wed May 31 11:27:59.080343 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] return app(environ, start_response)
[Wed May 31 11:27:59.080401 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 811, in __ca
[Wed May 31 11:27:59.080437 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] self.create_context(ccache=ipa_ccache_name)
[Wed May 31 11:27:59.080455 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 123, in create_co
[Wed May 31 11:27:59.080578 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] self.Backend.ldap2.connect(ccache=ccache)
[Wed May 31 11:27:59.080611 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
[Wed May 31 11:27:59.080654 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] conn = self.create_connection(*args, **kw)
[Wed May 31 11:27:59.080691 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 202, in
[Wed May 31 11:27:59.080973 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] client_controls=clientctrls)
[Wed May 31 11:27:59.081019 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssap
[Wed May 31 11:27:59.081653 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] '', auth_tokens, server_controls, client_controls)
[Wed May 31 11:27:59.081678 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File "/usr/lib64/python2.7/contextlib.py", line 35, in
__exit__
[Wed May 31 11:27:59.081835 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] self.gen.throw(type, value, traceback)
[Wed May 31 11:27:59.081897 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 998, in error_
[Wed May 31 11:27:59.081955 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] raise errors.DatabaseError(desc=desc, info=info)
[Wed May 31 11:27:59.082028 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] DatabaseError: Server is unwilling to perform: Too many
failed logins.
I checked this link: https://pagure.io/freeipa/issue/5653
But I'm not sure, How can I solve that?
Thanks, Regards
Jose Alvarez
6 years
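mod_wsgi writes each traceback frame as its own error_log line, prefixed with the timestamp, pid and client address, which makes the one line that matters (`DatabaseError: Server is unwilling to perform: Too many failed logins.`) easy to miss and hard to count. The parser below is an added example, not from the post and not part of FreeIPA; it folds those lines back into one event per failing request and counts the lockout exception per client, which is a cheap signal for password guessing against the web UI or a client repeatedly hitting an account that IPA's password policy has locked. The log it reads is a constructed sample in the same layout as the thread's log (timestamps, pids and the second address are made up).

```python
"""Fold mod_wsgi error_log tracebacks into one event per failed request.

Added example, not from the original post or from FreeIPA. Works on the
'[ts] [wsgi:error] [pid N] [remote ip:port] message' layout Apache uses.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+)\] "
    r"\[remote (?P<remote>[^\]]+)\] (?P<msg>.*)$"
)
# The last line of a Python traceback: 'ExceptionName: detail'.
EXC_RE = re.compile(r"^(?P<exc>[A-Za-z_][\w.]*): (?P<detail>.+)$")

# Constructed sample (same layout as the thread's log; values made up).
SAMPLE_LOG = """\
[Wed May 31 11:27:59.079315 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] mod_wsgi (pid=2024): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 31 11:27:59.079432 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] Traceback (most recent call last):
[Wed May 31 11:27:59.079486 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200]   File "/usr/share/ipa/wsgi.py", line 63, in application
[Wed May 31 11:27:59.079675 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed May 31 11:27:59.081955 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200]     raise errors.DatabaseError(desc=desc, info=info)
[Wed May 31 11:27:59.082028 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] DatabaseError: Server is unwilling to perform: Too many failed logins.
[Wed May 31 11:28:03.100000 2017] [wsgi:error] [pid 2031] [remote 10.0.0.7:200] mod_wsgi (pid=2031): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 31 11:28:03.100100 2017] [wsgi:error] [pid 2031] [remote 10.0.0.7:200] Traceback (most recent call last):
[Wed May 31 11:28:03.100200 2017] [wsgi:error] [pid 2031] [remote 10.0.0.7:200]   File "/usr/share/ipa/wsgi.py", line 63, in application
[Wed May 31 11:28:03.100300 2017] [wsgi:error] [pid 2031] [remote 10.0.0.7:200] DatabaseError: Server is unwilling to perform: Too many failed logins.
[Wed May 31 11:28:05.000000 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] mod_wsgi (pid=2024): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 31 11:28:05.000100 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] Traceback (most recent call last):
[Wed May 31 11:28:05.000200 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] KeyError: 'missing'
"""


def parse_wsgi_errors(lines):
    """Group lines into events: one starts at 'Exception occurred processing
    WSGI script' and ends at the 'ExceptionName: detail' line of the same pid."""
    events, open_by_pid = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg").strip()
        if "Exception occurred processing WSGI script" in msg:
            open_by_pid[pid] = {
                "ts": m.group("ts"), "pid": pid,
                "remote": m.group("remote"),
                "client_ip": m.group("remote").rsplit(":", 1)[0],
                "frames": 0, "exc": None, "detail": None,
            }
            continue
        ev = open_by_pid.get(pid)
        if ev is None:
            continue
        if msg.startswith("File "):
            ev["frames"] += 1
        x = EXC_RE.match(msg)
        if x:
            ev["exc"], ev["detail"] = x.group("exc"), x.group("detail")
            events.append(open_by_pid.pop(pid))
    return events


def lockout_counts(events, exc="DatabaseError", needle="Too many failed logins"):
    """Per-client count of the lockout exception."""
    return Counter(e["client_ip"] for e in events
                   if e["exc"] == exc and needle in (e["detail"] or ""))


if __name__ == "__main__":
    evs = parse_wsgi_errors(SAMPLE_LOG.splitlines())
    for e in evs:
        print(e["ts"], e["client_ip"], e["exc"], e["detail"])
    print(dict(lockout_counts(evs)))
```

The message text matches what IPA's lockout enforcement returns on a bind by a principal that has exceeded the password policy's failure limit; for a user account `ipa user-unlock <uid>` clears the lock once you have confirmed the failures were benign. A spike in the per-client count for a single address is worth correlating with the KDC log before unlocking anything.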
ipa command breaks by setting "NSSVerifyClient require"
by Ivars Strazdiņš
Hi there,
our IPA servers' https port is exposed to the internet. I wanted to restrict access to the Web UI by requesting a user certificate issued by IPA and enabling the Apache setting "NSSVerifyClient require" (or "optional") in /etc/httpd/conf.d/nss.conf.
This, however, broke "ipa" command, which now started to fail like:
[user@im conf.d]$ ipa user-show user
ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
Questions:
Is it possible for the "ipa" command to present a certificate to the Apache server?
Is anything else going to break with such an approach?
Thanks,
Ivars
6 years