FreeIPA (adding all new users to admin group by default?)
by Devin Acosta
I am hoping someone can tell me what I need to change or update so that
FreeIPA doesn't automatically keep adding all new users that are created to
the admin group. I inherited this installation of FreeIPA and so far haven't
been able to figure out what got changed or how to disable this behavior. I am
running the latest FreeIPA 4.4 on CentOS 7.3.
Any help would be greatly appreciated.
Devin Acosta
6 years, 6 months
IPA and CM?
by Kat
Hi,
I have read several pages on getting IPA and Cloudera Manager working
together to make nice with Kerberos; however, I am having an issue following
the various steps. When I run through CM setup and put the primary account
in, I run into the classic "Preauth required", and yet I can kinit the
account with no issues, so I am wondering if there are any hints on
debugging this? What is typically the cause of that kind of error?
Thanks
K
6 years, 6 months
Re: DatabaseError: Server is unwilling to perform: Too many failed logins.
by Jose Alvarez R.
Hi
Can you help me with this problem?
My FreeIPA version 4.3.3 and the S.O. is Fedora 24
Thanks Regards
Jose Alvarez
From: Jose Alvarez R. [mailto:jalvarez@cyberfuel.com]
Sent: Wednesday, 31 May 2017 12:17 p.m.
To: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org>
Subject: DatabaseError: Server is unwilling to perform: Too many failed
logins.
Hi
A question, I have the following errors on my server FreeIPA 4.3.3
cat /var/log/httpd/error_log
[Wed May 31 11:27:59.079315 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] mod_wsgi (pid=2024): Exception occurred processing WSGI
script '/usr/share/ipa/wsgi
[Wed May 31 11:27:59.079432 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] Traceback (most recent call last):
[Wed May 31 11:27:59.079486 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File "/usr/share/ipa/wsgi.py", line 63, in application
[Wed May 31 11:27:59.079675 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] return api.Backend.wsgi_dispatch(environ,
start_response)
[Wed May 31 11:27:59.079703 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __ca
[Wed May 31 11:27:59.080261 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] return self.route(environ, start_response)
[Wed May 31 11:27:59.080298 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in rout
[Wed May 31 11:27:59.080343 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] return app(environ, start_response)
[Wed May 31 11:27:59.080401 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 811, in __ca
[Wed May 31 11:27:59.080437 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] self.create_context(ccache=ipa_ccache_name)
[Wed May 31 11:27:59.080455 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 123, in create_co
[Wed May 31 11:27:59.080578 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] self.Backend.ldap2.connect(ccache=ccache)
[Wed May 31 11:27:59.080611 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
[Wed May 31 11:27:59.080654 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] conn = self.create_connection(*args, **kw)
[Wed May 31 11:27:59.080691 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 202, in
[Wed May 31 11:27:59.080973 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] client_controls=clientctrls)
[Wed May 31 11:27:59.081019 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssap
[Wed May 31 11:27:59.081653 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] '', auth_tokens, server_controls, client_controls)
[Wed May 31 11:27:59.081678 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File "/usr/lib64/python2.7/contextlib.py", line 35, in
__exit__
[Wed May 31 11:27:59.081835 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] self.gen.throw(type, value, traceback)
[Wed May 31 11:27:59.081897 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 998, in error_
[Wed May 31 11:27:59.081955 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] raise errors.DatabaseError(desc=desc, info=info)
[Wed May 31 11:27:59.082028 2017] [wsgi:error] [pid 2024] [remote
192.168.0.114:200] DatabaseError: Server is unwilling to perform: Too many
failed logins.
I checked this link: https://pagure.io/freeipa/issue/5653
But I'm not sure. How can I solve that?
Thanks, Regards
Jose Alvarez
6 years, 6 months
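To see how often this lockout error occurs and from which clients, here is an added example (not from the thread and not FreeIPA's own code) that parses error_log lines in the mod_wsgi format quoted above; the sample log lines, addresses and times are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

LOCKOUT_MARKER = "Server is unwilling to perform: Too many failed logins"

# One mod_wsgi error_log line: [timestamp] [wsgi:error] [pid N] [remote IP:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+)\] "
    r"\[remote (?P<ip>[^\]:]+):\d+\] (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# Constructed sample in the format of the error_log excerpt above; addresses and times are made up
SAMPLE_LOG = """\
[Wed May 31 11:27:59.079315 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] mod_wsgi (pid=2024): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 31 11:27:59.082028 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:200] DatabaseError: Server is unwilling to perform: Too many failed logins.
[Wed May 31 11:28:41.001200 2017] [wsgi:error] [pid 2024] [remote 192.168.0.114:212] DatabaseError: Server is unwilling to perform: Too many failed logins.
[Wed May 31 11:30:02.550000 2017] [wsgi:error] [pid 2030] [remote 10.0.0.7:9001] DatabaseError: Server is unwilling to perform: Too many failed logins.
[Wed May 31 11:31:10.000001 2017] [wsgi:error] [pid 2030] [remote 10.0.0.7:9002] Some unrelated wsgi message
"""


def parse_line(line):
    """Return (timestamp, pid, ip, message), or None for lines that are not wsgi error lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), int(m.group("pid")), m.group("ip"), m.group("msg")


def lockouts_by_client(log_text):
    """Map remote IP -> sorted timestamps at which the lockout DatabaseError was logged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and LOCKOUT_MARKER in parsed[3]:
            hits[parsed[2]].append(parsed[0])
    return {ip: sorted(ts) for ip, ts in hits.items()}


def noisy_clients(log_text, threshold=2):
    """Remote addresses with at least `threshold` lockout errors, most frequent first."""
    counts = {ip: len(ts) for ip, ts in lockouts_by_client(log_text).items()}
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])


if __name__ == "__main__":
    for ip, stamps in lockouts_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {len(stamps)} lockout error(s), first at {stamps[0]:%Y-%m-%d %H:%M:%S}")
```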
new/fresh server can't be setup as replica due to "The remote replica has a different database generation ID ..."
by Chris Dagdigian
Hi folks,
Related to my posts from earlier in the week. I'm stuck in catch-22 land
with no seemingly viable way forward ...
I am stuck with 2x IPA masters in different AWS regions that refuse to
replicate because the topology is disconnected, I can't seem to force
the re-connect so I'm trying to expand my topology options by building
new fresh masters from scratch. CentOS 7.3 with fully updated IPA
software.
The fresh replica install fails with a "Local LDAP" error; these seem to
be the corresponding errors in the /var/log/dirserv logs:
[02/Jun/2017:14:29:31.965022647 +0000] 389-Directory/1.3.5.10
B2017.145.2037 starting up
[02/Jun/2017:14:29:31.976521839 +0000] default_mr_indexer_create:
warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[02/Jun/2017:14:29:32.102416271 +0000] slapd started. Listening on All
Interfaces port 389 for LDAP requests
[02/Jun/2017:14:29:32.104077504 +0000] Listening on All Interfaces port
636 for LDAPS requests
[02/Jun/2017:14:29:32.105380691 +0000] Listening on
/var/run/slapd-companyIDM-ORG.socket for LDAPI requests
[02/Jun/2017:14:29:35.776066609 +0000] NSMMReplicationPlugin -
agmt="cn=meTodeawilidmp001.companyidm.org" (deawilidmp001:389): The
remote replica has a different database generation ID than the local
database. You may have to reinitialize the remote replica, or the local
replica.
And here is the output from trying to perform the replica setup:
[root@usaeilidmp003 centos]# ipa-replica-install --setup-ca --principal
admin --admin-password SEKRIT
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Client hostname: usaeilidmp003.companyidm.org
Realm: companyIDM.ORG
DNS Domain: companyidm.org
IPA Server: deawilidmp001.companyidm.org
BaseDN: dc=companyidm,dc=org
Skipping synchronizing time with NTP server.
Enrolled in IPA realm companyIDM.ORG
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm companyIDM.ORG
trying https://deawilidmp001.companyidm.org/ipa/json
Forwarding 'schema' to json server
'https://deawilidmp001.companyidm.org/ipa/json'
trying https://deawilidmp001.companyidm.org/ipa/session/json
Forwarding 'ping' to json server
'https://deawilidmp001.companyidm.org/ipa/session/json'
Forwarding 'ca_is_enabled' to json server
'https://deawilidmp001.companyidm.org/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server
'https://deawilidmp001.companyidm.org/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring companyidm.org as NIS domain.
Client configuration complete.
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/44]: creating directory server user
[2/44]: creating directory server instance
[3/44]: updating configuration in dse.ldif
[4/44]: restarting directory server
[5/44]: adding default schema
[6/44]: enabling memberof plugin
[7/44]: enabling winsync plugin
[8/44]: configuring replication version plugin
[9/44]: enabling IPA enrollment plugin
[10/44]: enabling ldapi
[11/44]: configuring uniqueness plugin
[12/44]: configuring uuid plugin
[13/44]: configuring modrdn plugin
[14/44]: configuring DNS plugin
[15/44]: enabling entryUSN plugin
[16/44]: configuring lockout plugin
[17/44]: configuring topology plugin
[18/44]: creating indices
[19/44]: enabling referential integrity plugin
[20/44]: configuring certmap.conf
[21/44]: configure autobind for root
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: creating DS keytab
[27/44]: retrieving DS Certificate
[28/44]: restarting directory server
[29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 15 seconds elapsed
[deawilidmp001.companyidm.org] reports: Update failed! Status: [-2 -
LDAP error: Local error]
[error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to
start replication
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information
[root@usaeilidmp003 centos]#
6 years, 6 months
ipa-adtrust-install command fails to add fallback group
by Marin BERNARD
Hi,
I'm trying to configure AD trust on a freshly installed FreeIPA server 4.4.0 running on an up-to-date instance of CentOS 7 (1611). The ipa-adtrust-install command fails at step 17 (failed to add fallback group). As a consequence, Samba cannot be started and AD trusts can't be established.
Here is an excerpt of the install log:
````
# ipa-adtrust-install --netbios-name=PEP06-IPA --add-sids --enable-compat
(...)
2017-06-01T13:49:29Z DEBUG [18/23]: adding fallback group
2017-06-01T13:49:29Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket from SchemaCache
2017-06-01T13:49:29Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x62107a0>
2017-06-01T13:49:30Z DEBUG Starting external process
2017-06-01T13:49:30Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL
2017-06-01T13:49:30Z DEBUG Process finished, return code=1
2017-06-01T13:49:30Z DEBUG stdout=add cn:
Default SMB Group
add description:
Fallback group for primary group RID, do not add users to this group
add gidnumber:
-1
add objectclass:
top
ipaobject
posixgroup
adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=pep06,dc=fr"
2017-06-01T13:49:30Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-IPA-PEP06-FR.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Operations error (1)
additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
2017-06-01T13:49:30Z CRITICAL Failed to load default-smb-group.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL' returned non-zero exit status 1
2017-06-01T13:49:30Z DEBUG Failed to add fallback group.
2017-06-01T13:49:30Z DEBUG duration: 0 seconds
(...)
````
In the end, Samba logically fails to start with the following error:
````
Missing mandatory attribute ipaNTFallbackPrimaryGroup.
````
I ran the same command one week ago on another server and had no issue.
Does anybody have an idea about what to do to make it work?
Thanks,
Marin BERNARD
Systems Administrator
Pupilles de l’Enseignement Public 06
35 boulevard de la Madeleine — 06300 Nice
marin.bernard[at]pep06.fr
6 years, 6 months
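The ldap_add failure quoted above is the Distributed Numeric Assignment plugin being unable to hand out a gidnumber (FreeIPA writes the magic value -1 and expects DNA to replace it). As an added example, not part of the original post or of FreeIPA's code, the following checks an LDIF dump of the range entry named in the error for remaining values; the LDIF and its numbers are constructed, and treating a missing dnaMaxValue as unbounded is an assumption of the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed LDIF: what a search of the range entry named in the error might return
# on a server whose range is used up (values are made up)
SAMPLE_LDIF = """\
dn: cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaThreshold: 500
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {lowercased attr: [values]}, joining folded lines."""
    entry: dict[str, list[str]] = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:            # folded continuation of the previous value
            entry[last][-1] += raw[1:]
        elif ":" in raw:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entry


@dataclass
class RangeStatus:
    next_value: int
    max_value: int | None          # None: no dnaMaxValue, treated here as unbounded (assumption)
    remaining: int | None
    next_range: tuple[int, int] | None

    @property
    def exhausted(self) -> bool:
        """Nothing left in the active range and no dnaNextRange to move on to."""
        return self.remaining == 0 and self.next_range is None


def dna_status(ldif_text: str) -> RangeStatus:
    """Summarise the DNA range described by an LDIF entry such as SAMPLE_LDIF."""
    e = parse_ldif_entry(ldif_text)
    nxt = int(e["dnanextvalue"][0])
    mx = int(e["dnamaxvalue"][0]) if "dnamaxvalue" in e else None
    remaining = None if mx is None else max(0, mx - nxt + 1)
    nr = None
    if "dnanextrange" in e:                         # stored as "low-high"
        low, high = e["dnanextrange"][0].split("-")
        nr = (int(low), int(high))
    return RangeStatus(nxt, mx, remaining, nr)
```

A range that reports `exhausted` matches the "Allocation of a new value ... failed" condition in the log; one with values remaining or a dnaNextRange does not.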
ipa-server-upgrade stuck
by pgb205
I have tried to start an apparently crashed instance of ipa server
and got
# ipactl start
Upgrade required: please run ipa-server-upgrade command
Aborting ipactl
ran ipa-server-upgrade which got to the following step, but no further
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: ---------------------------------------------
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: Final value after applying updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: dn: cn=selinux,dc=mmracks,dc=internal
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: objectClass:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: nsContainer
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: top
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: cn:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: selinux
the command is stuck and is not giving me any error.
Any advice as to why I am suddenly prompted to upgrade, but even more importantly on how I should get past the above point in the upgrade?
thanks
6 years, 6 months
Replica - From version 3 to 4
by Roberto Cantalapiedra
Hi,
My master server is version 3 and I would like to create a replica but
using version 4. Is it possible without updating the master server to version
4?
Thanks in advance,
6 years, 6 months
Need a clue re: broken topology and broken replication in a simple 2-server setup
by Chris Dagdigian
Situation: Two servers housed in 2 different AWS regions are completely
disconnected and totally out of sync. I can't fix replication at all so
I'm looking for clues or tips ..
Backstory:
- Complex Active Directory needs including transitive trusts across
multiple child domains of the AD forest
- This means that we've been constantly upgrading IPA and subsystems
like sssd* given the speed at which AD integration is being improved/fixed
- We've been doing "yum update" and "ipa-server-upgrade" commands all
the way from ipa-3.x to current v4.4.0
- Due to incremental upgrades over time we've been at "domain level 0"
until very recently
Issues
- Two servers work but they are islands unto themselves - no replication
seems to be occurring
- IPA connection-check scripts seem to all pass
- IPA replication-manage "list" commands seem to work fine
- forcing replication or forcing a complete reinit has zero effect
- IPA topologysegment-find domain commands seem to show the proper
segments
- BUT -- the topology-verify command clearly shows broken topology and
disconnected state
It was only recently that I discovered the broken topology status - had
spent too much time in the weeds looking at debug output trying to
figure out why replication was not working.
I'm wondering what the best next-step is to regaining a unified IPA
view. From reading the admin guide I'm thinking that I need to bring up
new IPA servers so that I have more "nodes" to play with when
potentially connecting and fixing the topology segments -- seems easier
to fix segments when you have more nodes to play with.
I'm not sure what to fix first -- is the broken topology segment the
cause for broken replication or is something wrong in the replication
internals that results in a disconnected topology?
Guidance appreciated. I'm appending some redacted command output below.
Regards,
Chris
###
# ipa-replica-manage list
us-idmp001.COMPANYidm.org: master
eu-idmp001.COMPANYidm.org: master
# ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
Segment name: us-idmp001.COMPANYidm.org-to-eu-idmp001.COMPANYidm.org
Left node: us-idmp001.COMPANYidm.org
Right node: eu-idmp001.COMPANYidm.org
Connectivity: left-right
----------------------------
Number of entries returned 1
----------------------------
# ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
Segment name: eu-idmp001.COMPANYidm.org-to-us-idmp001.COMPANYidm.org
Left node: eu-idmp001.COMPANYidm.org
Right node: us-idmp001.COMPANYidm.org
Connectivity: left-right
----------------------------
Number of entries returned 1
----------------------------
[root@eu-idmp001 centos]#
# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server eu-idmp001.COMPANYidm.org can't contact servers:
us-idmp001.COMPANYidm.org
[root@us-idmp001 centos]#
# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server us-idmp001.COMPANYidm.org can't contact servers:
eu-idmp001.COMPANYidm.org
[root@eu-idmp001 centos]#
# /usr/sbin/ipa-replica-conncheck --replica eu-idmp001.COMPANYidm.org
Check connection from master to remote replica 'eu-idmp001.COMPANYidm.org':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): WARNING
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
Connection from master to replica is OK.
ipa-replica-conncheck --master us-idmp001.COMPANYidm.org
Check connection from replica to remote master 'us-idmp001.COMPANYidm.org':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after
the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica eu-idmp001.COMPANYidm.org
6 years, 6 months
ipa-client-install combined with 'authconfig --enablenis --update'
by paul@kenla.nl
Hi,
I have a boot problem when I combine ipa-client-install with 'authconfig --enablenis --update'.
According to the ovirt/RHEV docs [1] I have to do this to make SSO to the VM possible.
Messages during boot are:
Failed to start RealtimeKit for Policy Services
Failed to start Authorization Manager
Dependency failed for Dynamic System tuning deamon
My setup is:
All systems Centos 7.3(1611)
oVirt 4.1
IPA server 4.4
IPA client 4.4
If I use an old VM with CentOS 7.2 (1511) and ipa-client 4.2 there are no problems and SSO is working, so oVirt and IPA seem to be configured correctly.
My findings so far:
- CentOS 7.3 does not include ypbind. If I install it manually it sometimes boots (but takes a long time), but the other times it stops at the same point as mentioned before. This could imply some kind of race condition during boot.
- I tried different versions of ipa-client (ipa-client-4.4.0-12.el7.centos.x86_64 up to ipa-client-4.4.0-14.el7.centos.7.x86_64); none worked. Older versions I could not find anymore.
Can anyone confirm my findings or point me in some direction?
Kind regards,
Paul
[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4....
6 years, 6 months