certificate has expired?
by Roberto Cornacchia
Not being able to log in to the admin console, I checked the httpd log and
found the following errors:
[Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203
I also get an error during enrollment of a new client (which seems to
retrieve a valid certificate anyway):
Password for admin@HQ.SPINQUE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.SPINQUE.COM
Issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
Valid From: Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: TCP connection reset by peer
Services are up:
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Certificate monitoring seems ok:
$ getcert list -d /etc/httpd/alias -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20160501114633':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
subject: CN=IPA RA,O=HQ.SPINQUE.COM
expires: 2019-01-26 19:41:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Version:
$ ipa --version
VERSION: 4.4.3, API_VERSION: 2.215
Could you please point me at what else to check?
6 years, 3 months
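A check worth running on a server that logs NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE): the httpd error names the NSS nickname 'Server-Cert', while the `getcert list -n ipaCert` output above covers a different tracked certificate, so every tracked request should be listed with its expiry rather than one. The script below is an added example, not code from FreeIPA or certmonger. It parses `getcert list` output and classifies each request as EXPIRED, EXPIRING or OK relative to a given time. The sample output embedded in it is constructed: the ipaCert entry is the one quoted in the post, and the Server-Cert entry, its request ID, subject and expiry date are made up so that the check reproduces the symptom at the timestamp of the httpd log.

```python
"""Flag expired or soon-to-expire certificates in `getcert list` output.

Added example for the "certificate has expired?" thread; not certmonger or
FreeIPA code. Usage on a live server:  getcert list | python3 check_certs.py -
With no argument the constructed sample below is used instead.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the ipaCert entry quoted in the thread plus a made-up
# Server-Cert entry whose expiry reproduces the httpd error. Real output has
# more fields per request; only the ones this script reads are kept.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160501114601':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=constructed-server-cert,O=HQ.SPINQUE.COM
\texpires: 2017-06-01 10:00:00 UTC
Request ID '20160501114633':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tsubject: CN=IPA RA,O=HQ.SPINQUE.COM
\texpires: 2019-01-26 19:41:51 UTC
"""

# Time of the httpd log lines in the post, used as "now" for the sample.
LOG_TIMESTAMP = datetime(2017, 6, 7, 12, 50, 59, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s*([a-z][a-z ]*):\s*(.*)$")   # "\tstatus: MONITORING"
NICK_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per tracked request: request_id, nickname, expires_at, ..."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1), "nickname": None, "expires_at": None}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue                      # header line or wrapped continuation
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "certificate":
            nick = NICK_RE.search(value)
            current["nickname"] = nick.group(1) if nick else None
        elif key == "expires":
            try:
                current["expires_at"] = datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            except ValueError:
                current["expires_at"] = None   # e.g. "unknown" for a request with no cert yet
        else:
            current[key] = value
    return requests


def check_expiry(requests, now, warn_days=30):
    """Classify each request as EXPIRED, EXPIRING (within warn_days), OK or NO-CERT."""
    report = []
    for req in requests:
        name = req["nickname"] or req["request_id"]
        exp = req["expires_at"]
        if exp is None:
            report.append((name, "NO-CERT", None))
            continue
        remaining = exp - now
        if remaining <= timedelta(0):
            state = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        report.append((name, state, remaining.days))
    return report


def report_for_sample(now=LOG_TIMESTAMP):
    """Run the check on the constructed sample; returns {name: (state, days_left)}."""
    return {name: (state, days) for name, state, days in
            check_expiry(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), now)}


def main(argv):
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_GETCERT_OUTPUT
    now = datetime.now(timezone.utc) if argv[1:] == ["-"] else LOG_TIMESTAMP
    worst = 0
    for name, state, days in check_expiry(parse_getcert_list(text), now):
        print(f"{name:<24} {state:<9} {'' if days is None else days}")
        worst = max(worst, {"EXPIRED": 2, "OK": 0}.get(state, 1))
    return worst                          # non-zero exit when something needs attention


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the script usable from cron or a monitoring check. Note that certmonger tracking (`auto-renew: yes`) does not by itself prove a certificate was renewed; the `expires:` field is what to read, for every nickname in the NSS database the error names.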
IPA-clients fail to update DNS: "response to GSS-TSIG query was unsuccessful"
by Josh Pavel
I have a setup with 2 zones:
My IPA realm is mob.nuance.com
My first IPA server was built out with the DNS zone
prod.mcs.som.mob.nuance.com
My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com
I can successfully add client to my first IPA server, and everything works
as expected, including DNS updates.
When I add clients to my second IPA server, they complete successfully for
everything except updating DNS.
I recreated the DNS Update file from ipa-client install log, and executed
it manually as "admin" with debug. Any ideas what is wrong?
# kinit admin
Password for admin@MOB.NUANCE.COM:
# id admin
uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
# getent passwd admin
admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
# kinit -k
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com@MOB.NUANCE.COM
Valid starting       Expires              Service principal
06/05/2017 18:11:39  06/06/2017 18:11:39  krbtgt/MOB.NUANCE.COM@MOB.NUANCE.COM
# nsupdate -v -g ./dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA
;; AUTHORITY SECTION:
dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600
Found zone name: dev.mcs.az-eastus2.mob.nuance.com
The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
;; ADDITIONAL SECTION:
2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY
TKEY gss-tsig.
1496686456 1496686456 3 NOERROR 750
YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA
AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg
AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1
czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB
OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r
5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8
UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9
MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6
j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2
uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq
gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ
1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C
tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC
1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa
dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ
+YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU
1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze
voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
*response to GSS-TSIG query was unsuccessful*
6 years, 3 months
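The REFUSED in this trace is the answer to the TKEY query itself, i.e. the GSS-TSIG key negotiation, not to the later UPDATE; the zone's update-policy only comes into play once a signed UPDATE is sent. The key data the client put in the TKEY record is a GSS-API initial context token carrying a Kerberos AP-REQ, and the service ticket inside it states which principal, key version and encryption type the receiving named must be able to decrypt with from its keytab (on a FreeIPA server that is /etc/named.keytab, inspected with `klist -ekt`). The decoder below is an added example, not part of BIND, nsupdate or FreeIPA; its input is the base64 key data from the trace above, and the minimal DER walker handles only the definite-length tags an AP-REQ uses.

```python
"""Decode the GSS-API token carried in a GSS-TSIG TKEY query.

Added example for the "response to GSS-TSIG query was unsuccessful" thread;
not code from BIND, nsupdate or FreeIPA. Only the outer token, the AP-REQ
options and the ticket header are parsed; the encrypted parts are left alone.
"""
import base64

KRB5_MECH_OID = "1.2.840.113554.1.2.2"   # Kerberos V5 GSS-API mechanism (RFC 1964)
KRB_AP_REQ_TOKEN_ID = b"\x01\x00"         # token id that precedes a KRB_AP_REQ
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Key data of the TKEY record from the nsupdate -g trace in the thread. The
# trailing " 0" on the last line of the trace is the TKEY other-data length,
# not part of the key.
TKEY_KEY_DATA = (
    "YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA"
    "AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg"
    "AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1"
    "czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB"
    "OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r"
    "5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8"
    "UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9"
    "MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6"
    "j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2"
    "uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq"
    "gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ"
    "1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C"
    "tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC"
    "1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa"
    "dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ"
    "+YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU"
    "1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze"
    "voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt"
)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_gss_tkey_token(b64_key_data):
    """Extract mechanism, AP options and the ticket's service principal, kvno and etype."""
    token = base64.b64decode(b64_key_data)
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                                       # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    _, oid_raw, pos = read_tlv(body)
    info = {"size": len(token), "mech": decode_oid(oid_raw)}
    if info["mech"] != KRB5_MECH_OID or body[pos:pos + 2] != KRB_AP_REQ_TOKEN_ID:
        info["inner"] = "unsupported"
        return info
    ap_tag, ap_req, _ = read_tlv(body, pos + 2)
    if ap_tag != 0x6E:                                    # [APPLICATION 14] AP-REQ
        raise ValueError("expected AP-REQ")
    ap = dict(children(read_tlv(ap_req)[1]))              # [0] pvno [1] msg-type [2] ap-options [3] ticket [4] authenticator
    ap_options = children(ap[0xA2])[0][1]                 # BIT STRING: unused-bits byte, then flags
    info["mutual_required"] = bool(ap_options[1] & 0x20)  # APOptions bit 2
    ticket_seq = read_tlv(read_tlv(ap[0xA3])[1])[1]       # [APPLICATION 1] Ticket -> SEQUENCE
    tkt = dict(children(ticket_seq))                      # [0] tkt-vno [1] realm [2] sname [3] enc-part
    info["realm"] = children(tkt[0xA1])[0][1].decode("ascii")
    sname = dict(children(children(tkt[0xA2])[0][1]))     # PrincipalName: [0] name-type [1] name-string
    info["name_type"] = int.from_bytes(children(sname[0xA0])[0][1], "big")
    comps = [v.decode("ascii") for _, v in children(children(sname[0xA1])[0][1])]
    info["service_principal"] = "/".join(comps) + "@" + info["realm"]
    enc = dict(children(read_tlv(tkt[0xA3])[1]))          # EncryptedData: [0] etype [1] kvno [2] cipher
    info["etype"] = int.from_bytes(children(enc[0xA0])[0][1], "big")
    info["etype_name"] = ENCTYPES.get(info["etype"], str(info["etype"]))
    info["kvno"] = int.from_bytes(children(enc[0xA1])[0][1], "big") if 0xA1 in enc else None
    return info


if __name__ == "__main__":
    for k, v in parse_gss_tkey_token(TKEY_KEY_DATA).items():
        print(f"{k:>18}: {v}")
```

For the trace above this yields the service principal DNS/freeipa-01.dev.mcs.az-eastus2.mob.nuance.com@MOB.NUANCE.COM with an aes256-cts-hmac-sha1-96 ticket under key version 2. The keytab named reads on freeipa-01 must contain exactly that principal, enctype and kvno for the TKEY to succeed; the client's own credentials (the host/ principal shown in the klist output) are not what the server's REFUSED is about.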
keytab usage?
by Kat
Ok, I guess I am not understanding something here. What am I missing?
The PW is correct, but no matter what I do, I can't use the keytab file
for a user as shown below:
[root@ipa ~]# ktutil
ktutil: addent -password -p cyberj@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for cyberj@EXAMPLE.COM:
ktutil: wkt /root/cyberj.keytab
ktutil: q
[root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
kinit: Password incorrect while getting initial credentials
:-(
-K
6 years, 3 months
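What a keytab actually records is the principal, a key version number (the `-k 1` given to ktutil is written literally, whatever version the KDC currently holds), an encryption type and the raw key; the salt used to derive that key from the password is not stored. Comparing those fields with what the KDC has is the first check when `kinit -k` rejects a keytab, and `klist -ekt cyberj.keytab` prints them. The code below is an added example, not code from MIT krb5 or FreeIPA: it writes and reads the MIT keytab file format (version 0x0502) so the fields can be inspected programmatically. The entry it builds is constructed to mirror the ktutil session above (random key bytes and a made-up timestamp rather than a key derived from a password).

```python
"""Write and read MIT keytab files (format 0x0502) to inspect what they hold.

Added example for the "keytab usage?" thread; not code from MIT krb5 or
FreeIPA. The sample entry is constructed: random key bytes stand in for a
password-derived key, and the timestamp is made up.
"""
import os
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"            # MIT keytab format version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def encode_entry(principal, kvno, enctype, key, timestamp, name_type=KRB5_NT_PRINCIPAL):
    """Serialize one keytab entry: size-prefixed principal, kvno, enctype and raw key."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # 8-bit vno for old readers
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                                  # 32-bit vno (version 2 files)
    return struct.pack(">i", len(body)) + body


def write_keytab(path, entries):
    with open(path, "wb") as fh:
        fh.write(KEYTAB_MAGIC)
        for entry in entries:
            fh.write(encode_entry(**entry))


def _counted_string(data, pos):
    (length,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + length].decode(), pos + 2 + length


def read_keytab(path):
    """Parse a keytab into dicts with the fields `klist -ekt` would print."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _counted_string(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            components.append(comp)
        name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # 32-bit vno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, str(enctype)), "key": key})
    return entries


def roundtrip_demo(path=None):
    """Write the entry from the thread's ktutil session and read it back."""
    path = path or os.path.join(tempfile.mkdtemp(), "cyberj.keytab")
    key = os.urandom(32)                  # constructed stand-in for the password-derived key
    write_keytab(path, [{"principal": "cyberj@EXAMPLE.COM", "kvno": 1, "enctype": 18,
                         "key": key, "timestamp": 1496800000}])
    return read_keytab(path), key


if __name__ == "__main__":
    for entry in roundtrip_demo()[0]:
        print(f"kvno {entry['kvno']} {entry['principal']} ({entry['enctype_name']})")
```

If the kvno or enctype read back here differs from the key version the KDC currently holds for the principal (every password change bumps it), the keytab cannot authenticate regardless of the password being right; the same applies when the key was derived with a different salt than the KDC used.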
Scripting a SSSD client to add SIDtoUIDnumbers from ad Trust into custom LDAP schema.
by Frank Rey
I have a NetApp that does not support SSSD or Winbind and I want to use
IdM LDAP to do permission/name mapping. Would using a script on an SSSD
client to populate a custom LDAP schema in IPA with the SSSD uidNumber
mappings be a bad idea? I know I would have to set up a cron job to run it
at a reasonable interval, and set it up to create and remove users added or
removed from the POSIX group I have mapped from the AD trust. Am I missing
anything?
Ray
6 years, 3 months
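For a trust, SSSD on an IPA client does not invent the uidNumber it hands out: a FreeIPA ID range of type ipa-ad-trust (`ipa idrange-find` shows ipabaseid, ipaidrangesize, ipabaserid and ipanttrusteddomainsid) maps a SID's RID arithmetically, posix_id = ipabaseid + (rid - ipabaserid), for RIDs that fall inside the range. A script that feeds the NetApp can therefore compute IDs from the SIDs directly rather than scrape `id` output, and can detect objects no range covers. The code below is an added example, not FreeIPA or SSSD code; the ID range, domain SID and the user and group SIDs in it are constructed.

```python
"""Map AD SIDs to POSIX IDs the way a FreeIPA trust ID range does.

Added example for the "Scripting a SSSD client to add SID to UID numbers"
thread; not code from FreeIPA or SSSD. ID_RANGES is constructed to look like
an `ipa idrange-show` result for an ipa-ad-trust range; replace it with the
real ranges from `ipa idrange-find` before use.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

ID_RANGES = [  # constructed
    {
        "cn": "AD.EXAMPLE.COM_id_range",
        "iparangetype": "ipa-ad-trust",
        "ipanttrusteddomainsid": "S-1-5-21-1111111111-2222222222-3333333333",
        "ipabaseid": 200000000,
        "ipaidrangesize": 200000,
        "ipabaserid": 0,
    },
]

# Constructed (name, SID) pairs as an AD enumeration might return them.
SAMPLE_OBJECTS = [
    ("alice@ad.example.com", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ("netapp-admins@ad.example.com", "S-1-5-21-1111111111-2222222222-3333333333-1602"),
    ("BUILTIN\\Administrators", "S-1-5-32-544"),                       # well-known SID, no range
    ("stale@other.example", "S-1-5-21-9999999999-8888888888-7777777777-500"),  # untrusted domain
]


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); malformed input raises."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_posix_id(sid, ranges=ID_RANGES):
    """Algorithmic mapping of a trust range: ipabaseid + (rid - ipabaserid)."""
    domain, rid = split_sid(sid)
    for rng in ranges:
        if rng["iparangetype"] != "ipa-ad-trust" or rng["ipanttrusteddomainsid"] != domain:
            continue
        offset = rid - rng["ipabaserid"]
        if 0 <= offset < rng["ipaidrangesize"]:
            return rng["ipabaseid"] + offset
    return None  # no trust range covers this SID (foreign domain, well-known SID, RID outside range)


def posix_id_to_sid(posix_id, ranges=ID_RANGES):
    """Reverse mapping, useful to verify an ID already stored in the custom schema."""
    for rng in ranges:
        offset = posix_id - rng["ipabaseid"]
        if rng["iparangetype"] == "ipa-ad-trust" and 0 <= offset < rng["ipaidrangesize"]:
            return f"{rng['ipanttrusteddomainsid']}-{rng['ipabaserid'] + offset}"
    return None


def build_mapping(objects, ranges=ID_RANGES):
    """Return ({name: posix_id} for mappable objects, [names] that no range covers)."""
    mapped, skipped = {}, []
    for name, sid in objects:
        posix_id = sid_to_posix_id(sid, ranges)
        if posix_id is None:
            skipped.append(name)
        else:
            mapped[name] = posix_id
    return mapped, skipped


if __name__ == "__main__":
    mapped, skipped = build_mapping(SAMPLE_OBJECTS)
    for name, posix_id in mapped.items():
        print(f"{posix_id:>10}  {name}")
    print("not mapped:", ", ".join(skipped))
```

Groups map with the same arithmetic, so the POSIX group the NetApp filters on gets its gidNumber from the same range as its members' uidNumbers. Objects in the skipped list are the ones a periodic sync should report rather than silently drop, since an entry written with a locally chosen ID would disagree with what SSSD on the IPA clients serves.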
status of auditd integration on freeipa clients
by Sven Kieske
Hi,
I got a question regarding integration of auditd on freeipa clients.
What I want to achieve is full audit logging, like auditd provides, on
the freeipa clients.
We tried to hook auditd up to the currently deployed IPA via Kerberos,
but had no luck so far.
We tried to reuse the already present Kerberos authentication
to transmit the audit data in a secure way, but auditd needs the
principal name to be "host/$hostname@REALM"
whereas FreeIPA requires "$foo/$fqdn@REALM", so it seems we can't
use Kerberos tickets from IPA?
(see also this ML Thread:
https://www.redhat.com/archives/freeipa-users/2014-August/msg00079.html)
It's very sad to see this divergent development, given that both
projects are heavily developed by Red Hat; maybe this can get fixed?
If I can help with this (even if you just need bug reports opened),
please tell me so.
In the meantime I would like to ask about the status of this project
page:
https://www.freeipa.org/page/Session_Recording
Is this already implemented? So far I couldn't find any practical
examples of how to configure FreeIPA with auditd on FreeIPA clients :(
If you know of any other working solution, please share!
Thanks in advance
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +495772 293100
F: +495772 293333
https://www.mittwald.de
Geschäftsführer: Robert Meyer, Maik Behring
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217
HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH
HRB 13260, AG Bad Oeynhausen
6 years, 3 months
Privileges needed for ipa-client-install
by Ronald Wimmer
Which privileges are needed for ipa-client-install? I created a user and
gave it host enrollment privileges. But that does not seem to be enough...
6 years, 4 months
FreeIPA for simply managing DNS
by Striker Leggette
FreeIPA has a very well-made and easy to use DNS management GUI that
would serve well as a standalone tool. Are there any plans to fork the
DNS GUI like this for those who would like an easy DNS management
application but do not necessarily need LDAP/PKI/Kerberos/etc.?
--
Striker Leggette
Identity Management
linkedin.com/in/striker
6 years, 4 months
ipa server-del results in "internal error"
by dbischof@hrz.uni-kassel.de
Dear list,
I'm in the process of upgrading my IPA installation (1 master, 1 replica,
external DNS) from IPA version 3.0 to 4.4.
I followed the instructions at [1].
Everything worked flawlessly (kudos to all developers and supporters!): My
new 4.4 master is up and running.
To my understanding, the last step would be to remove the still existing
replication agreements of the old 3.0 master and replica before creating
the new 4.4 replica (the new 4.4 master is new hardware with a new
hostname, but I want to keep the old hardware and hostname for the 4.4
replica).
My attempt to remove the old servers results in
---
root@o201:~# ipa server-del poolsrv.example.org
Removing poolsrv.example.org from replication topology, please wait...
ipa: ERROR: an internal error has occurred
---
The error occurs even if I try to remove a non-existing server with
--force. Attempts to remove the server via the web interface fail as well.
IPA/OS versions:
---
root@o201:~# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
root@o201:~# rpm -qa | grep -i ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
ipa-admintools-4.4.0-14.el7.centos.7.noarch
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
---
Is there something I could try?
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
Best regards,
--Daniel.
6 years, 4 months