Strange behavior on my structure
by Ataliba Teixeira
Hello,
I'm new to FreeIPA and I have some problems with my structure here.
I have two servers:
ipa-replica-manage -v list
Directory Manager password:
server1.domain : master
server2.domain : master
When I use the command:
# ipa-replica-manage -v list server2.domain
server1.domain: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2017-06-23 13:35:42+00:00
# ipa-replica-manage -v list server1.domain
server2.domain: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
last update ended: 2017-06-23 13:36:42+00:00
There are no errors in the synchronization of these two servers.
But I have two strange behaviors in my structure.
1. I have network elements (servers) listed on server2.domain (web) that are not listed on server1.domain (web).
2. On many servers (many of these are listed on server2 and not on server1), I receive this error when I try to connect via SSH using the DNS name:
# ssh app01
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f5:21:f0:0c:b7:4b:cf:c4:f2:8f:9c:8a:75:d3:55:5c.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:4
RSA host key for app01 has changed and you have requested strict checking.
Host key verification failed.
Does anyone know how to sync these two servers? And about the SSH, how to solve this?
Thanks,
--
Ataliba Teixeira via Inbox by Gmail
6 years, 3 months
ipa host-del --updatedns
by arsene.gschwind@gmail.com
Hi,
I'm running VERSION: 4.4.0, API_VERSION: 2.213.
When trying to delete a host using # ipa host-del --updatedns, it always returns the following error even if the DNS record exists.
ipa: WARNING: DNS record(s) of host velo.vm.example.com could not be removed. (No A, AAAA, SSHFP or PTR records found.)
How to reproduce:
# ipa host-add velo.vm.example.com --ip-address=10.0.20.67 --random
------------------------------
Added host "velo.vm.example.com"
------------------------------
Host name: velo.vm.example.com
Random password: xxxxxxxx
Password: True
Keytab: False
Managed by: velo.vm.example.com
# ipa dnsrecord-show vm.example.com velo
Record name: velo
A record: 10.0.20.67
# ipa dnsrecord-show 10.in-addr.arpa 67.20.0
Record name: 67.20.0
PTR record: velo.vm.example.com.
# ipa host-del velo --updatedns
ipa: WARNING: DNS record(s) of host velo.vm.example.com could not be removed. (No A, AAAA, SSHFP or PTR records found.)
-------------------
Deleted host "velo"
-------------------
The DNS records are not deleted ...
Thanks for any hint / help
Rgds,
Arsène
6 years, 3 months
Insufficient 'delete' privilege
by Sieferlinger, Andreas
Hi all,
After an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some trouble changing replication agreements.
# ipa-replica-manage del auth4.example.com
'auth9.example.com' has no replication agreement for 'auth4.example.com'
# ipa-replica-manage del auth4.example.com --force --clean
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes
Re-run /sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=ldap/auth4.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'.
I suspect some missing ACLs that probably got lost during an update, although I do not know which and how to read.
Any help would be appreciated.
Andreas Sieferlinger
Site Reliability Engineer
glomex GmbH
A Company of ProSiebenSat.1 Media SE
Landsberger Straße 110
D-80339 Munich
Germany
Tel. +49 89 9507 8964
Executive Board:
Michael Jaschke (CEO), Arnd Mückenberger (CFO)
Registered Office: Unterfoehring
HRB 224542 AG München
VAT number DE 305765704
Tax No. 143/314/40826
6 years, 3 months
Fwd: Logwatch and FreeIPA/sssd
by Lachlan Musicman
Hola,
I have logwatch set up on my server, and there is a stanza in my daily
email called "**Unmatched Entries**", which is filled with lines from
either ipa or sssd:
Failed password for usename@domain.com from 10.126.67.170 port 57331 ssh2 : 2 time(s)
Accepted password for usename@domain.com from 10.126.67.170 port 61402 ssh2 : 1 time(s)
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hostname.domain.com user=usename@domain.com : 1 time(s)
Does anyone have a logwatch .conf script that they have written? Does such
a thing formally exist for ipa/sssd?
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
6 years, 3 months
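One way to handle the lines logwatch leaves under "Unmatched Entries", as an added example that is not part of the original post and not a logwatch service script: match the two shapes quoted above (sshd "Accepted/Failed password" results for IPA users and pam_sss "authentication success" lines), tally them per user, and render the tally in logwatch's "... : N time(s)" style. The hostnames, users and addresses in SAMPLE_LINES are constructed.

```python
"""Classify and tally sshd / pam_sss authentication lines (added example)."""
import re
from collections import Counter

# sshd result lines, e.g. "Failed password for alice@example.com from 10.0.0.5 port 57331 ssh2".
# sshd inserts "invalid user" when the account does not exist at all.
SSHD_PASSWORD = re.compile(
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)

# pam_sss lines carry the detail as key=value tokens after the semicolon.
PAM_SSS = re.compile(
    r"pam_sss\((?P<service>[^:)]+):auth\): authentication "
    r"(?P<result>success|failure); (?P<kv>.*)$"
)


def parse_line(line):
    """Return a dict describing an auth event, or None if the line is not one."""
    m = SSHD_PASSWORD.search(line)
    if m:
        return {"source": "sshd", "result": m["result"].lower(),
                "user": m["user"], "src": m["src"]}
    m = PAM_SSS.search(line)
    if m:
        # e.g. "logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=alice@example.com"
        kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        return {"source": "pam_sss", "result": m["result"],
                "user": kv.get("user", ""), "src": kv.get("rhost", "")}
    return None


def summarize(lines):
    """Tally (source, result, user) triples; collect lines no pattern matched."""
    counts = Counter()
    unmatched = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unmatched.append(line)
        else:
            counts[(event["source"], event["result"], event["user"])] += 1
    return counts, unmatched


def report(lines):
    """Render the tally in logwatch style, one '... : N time(s)' line per key."""
    counts, unmatched = summarize(lines)
    out = [f"{source} {result} for {user} : {n} time(s)"
           for (source, result, user), n in sorted(counts.items())]
    out.extend(f"unmatched: {line}" for line in unmatched)
    return out


SAMPLE_LINES = [  # constructed sshd / pam_sss lines in syslog format
    "Jun 23 13:35:01 ipaclient sshd[1234]: Failed password for alice@example.com from 10.0.0.5 port 57331 ssh2",
    "Jun 23 13:35:05 ipaclient sshd[1234]: Failed password for alice@example.com from 10.0.0.5 port 57331 ssh2",
    "Jun 23 13:36:10 ipaclient sshd[1240]: Accepted password for alice@example.com from 10.0.0.5 port 61402 ssh2",
    "Jun 23 13:36:10 ipaclient sshd[1240]: pam_sss(sshd:auth): authentication success; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=alice@example.com",
    "Jun 23 13:37:00 ipaclient sshd[1250]: Failed password for invalid user bob from 192.0.2.7 port 40000 ssh2",
    "Jun 23 13:38:00 ipaclient sshd[1260]: Connection closed by 192.0.2.7 port 40001 [preauth]",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Keying the tally on the principal as sshd prints it (user@REALM style names stay whole) is what makes IPA users countable; lines that match neither pattern are kept verbatim so the remaining "unmatched" set stays visible instead of being silently dropped.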
Issue with replica creation
by Oleg Danilovich
Hello guys,
I have problems with the creation of a FreeIPA master replica.
ipa --version
VERSION: 4.3.1, API_VERSION: 2.164
Master server: IdP + self-signed CA
I want to create a full replica of the master server.
Host for replica in domain (ipa-client-install -U --domain= --server=
ipa1.itcapital.io --password= --principal=--hostname= --no-ntp --mkhomedir)
I try to create the replica:
ipa-replica-install --hostname=<domain name> --domain=<domain name>
--server=<ipa server name> --password=XXXXXX --principal=admin --setup-ca
Replica installation succeeded but CA replica creation failed:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
[1/23]: creating certificate server user
[2/23]: creating certificate server db
[3/23]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[4/23]: creating installation admin user
[5/23]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpjnucvO' returned
non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
Maybe somebody has information about this issue?
--
Best regards,
*Oleg Danilovich*
6 years, 3 months
Fwd: Change subdomain
by Matt .
Hi Guys,
When you have a subdomain with hosts in it, is it possible to change that subdomain in a simple way?
A normal DNS server can do it, but as LDAP is involved I hope this is possible as well!
Thanks,
Matt
6 years, 3 months
cannot connect ...Encountered end of file.
by Vinny Del Signore
Hello all,
Has anyone seen this issue? We've tried to generate a new CA and SSL Cert.
IPA v.3.0.0-50
# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# ipa-replica-prepare --ip-address=10.10.xx.xx rtlvxl0055.test.local
Directory Manager (existing master) password:
Preparing replica for rtlvxl0055.test.local from ldap-srv.domain.com
Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to
'https://ldap-srv.domain..com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to
'https://ldap-srv.domain..com:xxxx/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
#
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# uname -r
2.6.32-642.3.1.el6.x86_64
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
#
Kind regards,
Vin
6 years, 3 months
IPA Locations: client chooses wrong/random IPA server
by Denis Iskandarov
Hello,
I have two datacenters. One is self hosted so all the docs are working just
fine. The second one is AWS.
I've managed to set up a replica between the "static" DC, "DC1", and the AWS "cloud" DC, with all its problems.
There are still issues to solve within AWS.
But the "static" DC, which has BIND name servers, is not working properly.
Client hosts are using my external DNSs, with proper zone delegation to IPA.
And they are slaves of the zone delegated to FreeIPA, so they do receive all updates from IPA.
Default TTL lowered to 5 min.
Configured IPA locations.
During install, ipa-client-install in "DC1" chooses the wrong IPA server, the one dedicated for AWS.
And because of our security policies, clients are not allowed to communicate with the AWS IPA, so the installation completely fails.
At some point, randomly of course, it chooses the correct IPA server.
dig on every host in network shows correct priorities and weights.
Below I paste the related config outputs:
; auth.tld zone delegation
> auth.tld. IN NS ipa.auth.tld.
> auth.tld. IN NS dns1.tld.
> ipa.auth.tld. IN A 10.200.10.9
> ipa-aws.auth.tld. IN A 10.70.83.86
On the client host, and on every other host, dig looks like:
> # dig +short _ldap._tcp.auth.tld SRV
> _ldap._tcp.dc1._locations.auth.tld.
> 0 100 389 ipa.auth.tld.
> 50 100 389 ipa-aws.auth.tld.
or putting servers on different positions but still with correct priorities:
> dig +short _ldap._tcp.auth.tld SRV
> _ldap._tcp.dc1._locations.auth.tld.
> 50 100 389 ipa-aws.auth.tld.
> 0 100 389 ipa.auth.tld.
[root@client-001 ~]# /usr/sbin/ipa-client-install --domain='auth.tld'
> --principal='hostreg' --password='xxxxxxx' --mkhomedir --no-sshd --no-ntp
> Discovery was successful!
> Client hostname: client-001.dmz.dc1.tld
> Realm: AUTH.tld
> DNS Domain: auth.tld
> IPA Server: ipa-aws.auth.tld
> BaseDN: dc=auth,dc=tld
> Continue to configure the system with these values? [no]: no
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
I don't understand why, if dig shows correct priority information, ipa-client-install is choosing the wrong server.
Looks like ipa-client-install is not honoring priorities and is choosing the first IPA server from the dig list.
Can't find out what I'm missing.
6 years, 3 months
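For reference, the selection rule the post expects from the SRV records, as an added example that is not part of the original post and not ipa-client-install's own discovery code: parse "dig +short ... SRV" output in the form quoted above, skip the _locations CNAME line, group targets by priority, and pick from the lowest priority first; weights only break ties inside one priority (RFC 2782). DIG_OUTPUT_A and DIG_OUTPUT_B are the two record sets quoted in the post; DIG_OUTPUT_TIE and the name ipa2.auth.tld are constructed to show the tie-break.

```python
"""RFC 2782 SRV selection over dig +short output (added example)."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# "dig +short _ldap._tcp.auth.tld SRV" as quoted in the post: the first line is the
# CNAME that IPA locations add, the rest are SRV RDATA, in the two orders seen.
DIG_OUTPUT_A = """\
_ldap._tcp.dc1._locations.auth.tld.
0 100 389 ipa.auth.tld.
50 100 389 ipa-aws.auth.tld.
"""
DIG_OUTPUT_B = """\
_ldap._tcp.dc1._locations.auth.tld.
50 100 389 ipa-aws.auth.tld.
0 100 389 ipa.auth.tld.
"""
# Constructed: two servers at the same priority, so only weight decides.
DIG_OUTPUT_TIE = """\
0 75 389 ipa.auth.tld.
0 25 389 ipa2.auth.tld.
"""


def parse_dig_short(output):
    """Turn 'priority weight port target.' lines into SrvRecords; skip CNAME lines."""
    records = []
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # a CNAME target, not SRV RDATA
        prio, weight, port, target = fields
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_by_rfc2782(records, rng=None):
    """Return records in the order a compliant client should try them.

    Lowest priority first; within one priority a weighted random draw, with
    weight-0 records placed first so they are chosen only when the draw is 0.
    """
    rng = rng or random
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight == 0, reverse=True)
        while pool:
            total = sum(r.weight for r in pool)
            point = rng.randint(0, total)
            running = 0
            for pick in pool:
                running += pick.weight
                if running >= point:
                    break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def choose_server(output, rng=None):
    """First target a client should contact for the given dig output."""
    records = parse_dig_short(output)
    if not records:
        raise ValueError("no SRV records in dig output")
    return order_by_rfc2782(records, rng)[0].target


if __name__ == "__main__":
    for label, out in (("A", DIG_OUTPUT_A), ("B", DIG_OUTPUT_B), ("tie", DIG_OUTPUT_TIE)):
        print(label, "->", choose_server(out))
```

With both quoted answer orders the only priority-0 record is ipa.auth.tld, so a compliant client selects it every time, whereas taking the first RDATA line of DIG_OUTPUT_B yields ipa-aws.auth.tld; comparing the two is a quick way to tell whether a client's discovery honours priority or just answer order.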
GSSAPI login from trusted AD domain to FreeIPA clients not working
by Tiemen Ruiten
Hello,
I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: rpm
versions are 4.4.0-14.el7.centos.7) with a two-way, non-transitive,
external trust to an Active Directory domain in another forest,
clients.rdmedia.com, (Windows Server 2012R2). I've set up the trust using
the Administrator credentials.
As one of the final steps, I would like to get passwordless SSH access
using GSSAPI to work, but unfortunately I get the following error in the
Putty log when connecting from an AD domain-joined client:
Event Log: GSSAPI authentication initialisation failed
Event Log: The target was not recognized
Is it possible to configure GSSAPI authentication for a cross-forest trust,
or should I set up the trust as a 'Trusted Forest', i.e. not external?
--
Tiemen Ruiten
Systems Engineer
R&D Media
6 years, 3 months
Rebuilding IPA environment
by John Bowman
What would be the best method to stand up a new IPA environment while
keeping as much of the existing data as possible?
I've read that the ipa migrate-ds only migrates the users and groups and
the recommended suggestion is to set up a replica. I'd like to sever any
ties to the existing environment but not have to start over completely from
scratch if at all possible. Ideally I would be able to just point existing
services to the new environment and hopefully minimize impact, I'm sure
I'd still have plenty of manual changes as well, but one can dream.
Basically I'm just running into too many issues with trying to expand our
existing environment some of which is related to having a mix of IPA 3.0
and 4.x I believe and likely some old and recent missteps that make me
question the stability of our environment.
Any tips/advice would be appreciated.
--
John Bowman
6 years, 3 months