IPA replica with CA role problems
by Mark Haney
Prior to my employment, one of our engineers set up an IPA server to
replace the horrific OpenLDAP server. One of my first tasks was to build
a second IPA server and set up replication. Initially, the replication
setup was smooth and simple. (I used this:
https://www.howtoforge.com/installing-freeipa-with-replication for
getting the replica up.)
However, as we were starting to consider how best to deploy it to our
remote servers, and digging through the GUI I got this pop-up when
looking at the Topology page:
It is strongly recommended to keep the CA services installed on more
than one server.
As this replica needs to be a full 'replica' of the primary, I went
about trying to install the CA role on the second server, which I'll
call IPA1 and the master IPA0. The RH documentation says to 'Run
ipa-replica-install with the --setup-ca option.' Of course, the
documentation doesn't explicitly say whether that needs to be done on
the initial creation of the replica, or if it can be done after the
replica was created. (IOW, it just adds the CA services role and pulls
from IPA0 the CA stuff it needs.)
Unfortunately, that failed and I ended up uninstalling the replica with
'ipa-server-install --uninstall' after removing the replica from IPA0.
After a reboot (just in case), I built a new replica GPG file on IPA0,
copied it over to IPA1 and ran this:
ipa-replica-install replica-info-ipa1.neonova.net.gpg --setup-ca
That also failed with the exact same error as the failure from trying to
install just the CA role on the existing replica. This is the error I get:
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
/tmp/tmpYC8gIz' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR CA
configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information
Also, in the pki-tomcat/ca/debug log I get this:
Failed to contact master using admin port
javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
issuer: CN=Go Daddy Secure Certificate Authority -
G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
javax.ws.rs.NotFoundException: HTTP 404 Not Found
We have a signed Wildcard Cert from GoDaddy on IPA0, but I can't tell
why this even needs to contact the Cert CA for any reason.
BTW, I had this wildcard cert set up for the IPA web interface only prior
to blowing this thing to pieces over partial documentation and God knows
what else isn't spelled out that I missed.
Any ideas?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
External Application Authentication Against FreeIPA LDAP Not Working
by bdlamprecht@gmail.com
I've been trying to get this to work for a few days now all to no avail...
I've been running "FreeIPA, version: 4.3.1" for a few months now to authenticate a number of VMs that I grew tired of managing permissions on an individual basis, and so far have been very pleased.
Now, I'm attempting to use the LDAP functionality to authenticate an external application against it.
I've been able to get the basic auth to work well, however, I can't seem to get the group permissions to work at all.
From my FreeIPA server's "/var/log/dirsrv/slapd/access.log":
Without group permissions (working):
[31/Jul/2017:16:21:07 -0600] conn=6138 fd=121 slot=121 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:21:07 -0600] conn=6138 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:21:07 -0600] conn=6138 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 SRCH base="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[31/Jul/2017:16:21:07 -0600] conn=6138 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 UNBIND
[31/Jul/2017:16:21:07 -0600] conn=6138 op=3 fd=121 closed - U1
Using group permissions (NOT working):
[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:32:54 -0600] conn=6162 TLS1.2 128-bit AES-GCM
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" attr="member"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 UNBIND
[31/Jul/2017:16:32:54 -0600] conn=6162 op=3 fd=126 closed - U1
In the 2nd example above the "op=2 RESULT err=50" indicates that "LDAP_INSUFFICIENT_ACCESS" is what is being returned, but when I do the following "ldapsearch" command:
ldapsearch -D "uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" -W uid=bl839s
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=coc,dc=ibm,dc=com> (default) with scope subtree
# filter: uid=bl839s
# requesting: ALL
#
# bl839s, users, accounts, coc.ibm.com
dn: uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com
krbLastSuccessfulAuth: 20170731223600Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
---SNIP---
memberOf: cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com
---SNIP---
I can see that I AM a "member" of the dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" group.
That being said, when I try to search for members of the group directly, I get a similar error:
root@ipa1:~# ldapsearch -D "cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" -W uid=bl839s
Enter LDAP Password:
ldap_bind: Inappropriate authentication (48)
I would appreciate any help I can get in understanding what I don't have configured properly.
Thanks in advance,
Brady
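The access-log excerpt above, as an added example (not from the original post or from FreeIPA): a small 389-ds access.log triage script that pairs each RESULT with its request, names the err= code per RFC 4511, and records which bind DN was in effect on the connection when the operation ran. The embedded sample is the failing connection reproduced from the post, where the compare on member is issued after the op=1 BIND dn="".

```python
import re
from dataclasses import dataclass

# LDAP result codes (RFC 4511). 5 and 6 are the normal outcomes of a compare
# request, so a CMP answered with any other code was refused, not evaluated.
LDAP_RESULT_NAMES = {
    0: "success", 5: "compareFalse", 6: "compareTrue", 32: "noSuchObject",
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}
NON_ERROR_CODES = {0, 5, 6}
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

@dataclass
class FailedOp:
    conn: int
    op: int
    bound_as: str   # bind DN in effect on the connection ("" = anonymous)
    request: str    # the request line that produced the error
    err: int
    err_name: str

def parse_access_log(lines):
    """Return a FailedOp for every RESULT whose err is not a success code.
    Bind identity is tracked per connection: each successful BIND replaces the
    previous one (so BIND dn="" makes later ops anonymous); a failed BIND does too.
    """
    bound = {}          # conn -> DN currently bound on that connection
    requests = {}       # (conn, op) -> request text, paired with its RESULT
    pending_bind = {}   # (conn, op) -> DN requested by an outstanding BIND
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("op") is None:
            continue  # connection-level lines (SSL/TLS setup) carry no op
        conn, op, rest = int(m.group("conn")), int(m.group("op")), m.group("rest")
        kind = rest.split(" ", 1)[0]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if kind == "BIND":
            pending_bind[(conn, op)] = fields.get("dn", "")
            requests[(conn, op)] = rest
        elif kind == "RESULT":
            err = int(fields.get("err", "0"))
            if (conn, op) in pending_bind:
                dn = pending_bind.pop((conn, op))
                bound[conn] = dn if err == 0 else ""  # failed bind -> anonymous
            if err not in NON_ERROR_CODES:
                failures.append(FailedOp(
                    conn, op, bound.get(conn, ""), requests.get((conn, op), "?"),
                    err, LDAP_RESULT_NAMES.get(err, f"unknown({err})")))
        elif kind != "UNBIND" and not kind.startswith("fd="):
            requests[(conn, op)] = rest
    return failures

def report(lines):
    """One human-readable line per failing operation."""
    return [f"conn={f.conn} op={f.op} {f.err_name} ({f.err}) bound as "
            f"{f.bound_as or 'anonymous'}: {f.request}"
            for f in parse_access_log(lines)]

# Sample input: the non-working connection reproduced from the post above.
SAMPLE_LOG = """\
[31/Jul/2017:16:32:54 -0600] conn=6162 fd=126 slot=126 SSL connection from 9.0.49.10 to 9.0.49.11
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 BIND dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bl839s,cn=users,cn=accounts,dc=coc,dc=ibm,dc=com"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 BIND dn="" method=128 version=3
[31/Jul/2017:16:32:54 -0600] conn=6162 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 CMP dn="cn=netbox-users,cn=groups,cn=accounts,dc=coc,dc=ibm,dc=com" attr="member"
[31/Jul/2017:16:32:54 -0600] conn=6162 op=2 RESULT err=50 tag=111 nentries=0 etime=0
"""

if __name__ == "__main__": print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Feed it the real file with `report(open("/var/log/dirsrv/slapd-INSTANCE/access").read().splitlines())` to see every refused operation together with the identity that issued it.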
Time Skew on Amazon nodes?
by pgb205
I have noticed that we had a broken replication agreement between a replica in Amazon and another physical node. I have attempted to re-initialize but received: Update failed! Status: [2 Replication error acquiring replica: excessive clock skew]
I had triple verified that time on both is correct and at most within seconds of each other.
In the dirsrv logs I get:
Excessive clock skew from supplier RUV
Unable to acquire replica: error: excessive clock skew
After doing a bit of searching I found this beauty: https://www.redhat.com/archives/freeipa-users/2014-February/msg000...
The article mentions that the time skew might occur due to the server being virtualized, and I'm wondering if this is applicable to Amazon.
The steps mentioned in the article look intrusive (and intimidating). I'm curious what other avenues are available to me to fix this? If I blow away the replica and set up a new one from scratch, would that fix the problem?
Errors in enrolling Ubuntu 14.04 Client to FreeIPA
by Alka Murali
I cannot enrol and do the ipa-client-install on Ubuntu 14.04 to IPA
Server (4.4). My IPA server has third-party certificates for
HTTP/LDAP. I have installed it using the suggestions in
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Other versions of Ubuntu, like 16.04, enrol fine.
Here is the error message that I get during the installation
----
cert validation failed for
"CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)
Cannot connect to the server due to generic error: cannot connect to
'https://*.*.*.*/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.
Installation failed. Rolling back changes.
certmonger failed to start: [Errno 2] No such file or directory:
'/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory:
'/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm:
Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
/etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
-----
Is it due to my third-party cert? If so, please provide a suggestion so
that I can enrol my Ubuntu client to my IPA server.
I am attaching the logs for your reference.
IP address in certificate
by Mikaël ANDRE
Hi everybody,
With my IPA version 4.4.0 on CentOS 7 64-bit, I need to sign my ESXi and
HP iLO certificates with my FreeIPA server.
I create the CSR with the following command: "openssl req -new -sha256 -nodes
-config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr"
My OpenSSL configuration file contains the following information:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi, IP:X.X.X.X, DNS:esxi.example.com
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Province
localityName = Town
0.organizationName = Corporate
organizationalUnitName = IT Services
commonName = esxi.example.com
Then, I use the "cat" command to display the certificate signing request,
copy it and paste it into my FreeIPA.
On my FreeIPA WebGui, I declare a host named esxi, click on it, then on
the "action" button and finally "New certificate".
I select IPA for Certificate Authority, use the caIPAserviceCert profile ID,
paste the CSR and click.
I get the following error message:
Insufficient access : Subject alt name type IP Address is forbidden
I need to keep IP Address in SAN. Is there a way to authorize IPA to sign
my certificate? Many thanks.
--
Cordialement/Best regards,
Mikaël ANDRÉ
Mobile : +33 6 28 71 19 89
Mail : mikael.andre.1989(a)gmail.com
Custom certificate
by Per Qvindesland
Hi All
I installed a custom signed certificate from QuoVadis; the install on the IPA server went fine, but when I try to add a client (CentOS 6) it gives this error:
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
The standard Google searching doesn't give any answers from what I can see.
Is there any workaround for this?
Regards
Per
Removal of obsolete certificates from o=ipaca
by Adam Tkac
Hello all,
we are currently facing an issue with a huge number of outdated certificate entries
in the o=ipaca LDAP subtree (many servers no longer exist, certificates have already expired, etc.)
and we would like to remove them to decrease the number of entries in LDAP and also
to speed up the initial replication of the o=ipaca subtree (we have more than 700 000
DNs in o=ipaca and deploying a new replica takes quite long).
Has anyone tried to do something like this? I'm quite afraid that a simple
ldapdelete of many DNs in the o=ipaca subtree would break Dogtag somehow.
Do you have any ideas whether something can break by removal of old (expired and also
non-expired) certificates from o=ipaca? Thanks in advance for any advice.
Regards, Adam
--
Adam Tkac
can not restart httpd service after certificate renewal
by Karl Forner
Hello,
Today I realized that the https certificate for my freeipa web ui has
expired.
I tried to renew it using:
#ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
So it seemed to go well. I tried to restart IPA but it failed:
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Job for httpd.service failed because the control process exited with error
code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Failed to start httpd Service
Shutting down
What went wrong? I'm running a freeipa-server docker container on a Linux
server...
It is quite a big deal since I cannot run my master FreeIPA anymore, even
from a backup!
Moreover, even after starting from a backup of the IPA data, the httpd
service still fails.
Could it be caused by the replica server?
Thanks.
logs
===
# systemctl status httpd.service
* httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service)
Drop-In: /usr/lib/systemd/system/httpd.service.d
`-abc.conf
Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST;
3min 52s ago
Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited,
status=0/SUCCESS)
Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
(code=exited, status=1/FAILURE)
Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
(code=exited, status=0/SUCCESS)
Main PID: 28717 (code=exited, status=1/FAILURE)
Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP
Server...
Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa :
INFO KDC proxy enabled
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process
exited, code=exited, status=1/FAILURE
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache
HTTP Server.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered
failed state.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with
result 'exit-code'.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP
Server.
and (excerpt from journalctl -xe)
-- The start-up result is done.
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP
Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable
to get root NS rrset from cache: not found
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
70.9.10.in-addr.arpa/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
0.17.172.in-addr.arpa/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN:
sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN:
loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable
to get root NS rrset from cache: not found
Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa :
INFO KDC proxy enabled
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process
exited, code=exited, status=1/FAILURE
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache
HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered
failed state.
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with
result 'exit-code'.
Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered
Authentication Agent for unix-process:28932:604682393 (system bus
name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
locale C) (disconnected from bus)
Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
-- Subject: Unit krb5kdc.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Password History
by John Trump
I am using FreeIPA 4.4 and have implemented a password policy where
password history is set to 24. If a password admin or the user "admin"
resets a user's password, the user is forced to change their password upon
logging in. At this point, the user is able to reuse the previous password
even though it should be in their password history. How do I make it so a
password reset by an admin does not wipe out the user's password history?
Thanks.