ipactl status Failed to get list of services to probe status! Configured hostname 'replica.company.domain' does not match any master server in LDAP: No master found because of error: no matching entry found
by pgb205
Get this error when trying to restart ipa service on apparently not working replica.
This is
cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
and ipa-server-4.4.0-14.el7.centos.7.x86_64
and 389-ds-base-1.3.5.10-20.el7_3.x86_64
ausearch -m avc -ts today
<no matches>
slapd log shows the following
[22/Sep/2017:20:17:09.347682405 +0000] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[22/Sep/2017:20:17:09.349071947 +0000] SSL alert: Security Initialization: Enabling default cipher set.
[22/Sep/2017:20:17:09.349375124 +0000] SSL alert: Configured NSS Ciphers
[22/Sep/2017:20:17:09.349563797 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.349777578 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.350058874 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.350253063 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.350444460 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.350701172 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.350893090 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.351072545 +0000] SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.351309052 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.351583340 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.351769757 +0000] SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.351974981 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.352164262 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.352340685 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.352542263 +0000] SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.352733543 +0000] SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.352918881 +0000] SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.353101704 +0000] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[22/Sep/2017:20:17:09.353281802 +0000] SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.353466924 +0000] SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.353685045 +0000] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[22/Sep/2017:20:17:09.353892808 +0000] SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[22/Sep/2017:20:17:09.354107226 +0000] SSL alert: TLS_AES_128_GCM_SHA256: enabled
[22/Sep/2017:20:17:09.354318986 +0000] SSL alert: TLS_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.354531161 +0000] SSL alert: TLS_AES_256_GCM_SHA384: enabled
[22/Sep/2017:20:17:09.354740409 +0000] SSL alert: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.354935016 +0000] SSL alert: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.355128927 +0000] SSL alert: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[22/Sep/2017:20:17:09.362744793 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[22/Sep/2017:20:17:09.363153851 +0000] 389-Directory/1.3.5.10 B2017.102.203 starting up
[22/Sep/2017:20:17:09.374289379 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[22/Sep/2017:20:17:09.381853474 +0000] WARNING: changelog: entry cache size 2097152 B is less than db size 90570752 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[22/Sep/2017:20:17:09.382628247 +0000] Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[22/Sep/2017:20:17:09.440619592 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[22/Sep/2017:20:17:09.541575136 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[22/Sep/2017:20:17:09.548822508 +0000] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=company,dc=domain)
[22/Sep/2017:20:17:09.549220205 +0000] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
[22/Sep/2017:20:17:09.566729598 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[22/Sep/2017:20:17:09.575270590 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
[22/Sep/2017:20:17:09.575561870 +0000] Listening on All Interfaces port 636 for LDAPS requests
[22/Sep/2017:20:17:09.575772412 +0000] Listening on /var/run/slapd-company-domain.socket for LDAPI requests
[22/Sep/2017:20:17:09.855493846 +0000] slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[22/Sep/2017:20:17:09.856267729 +0000] slapd shutting down - waiting for 27 threads to terminate
[22/Sep/2017:20:17:09.856664101 +0000] slapd shutting down - closing down domain subsystems and plugins
[22/Sep/2017:20:17:14.572232152 +0000] Waiting for 4 database threads to stop
[22/Sep/2017:20:17:15.430730850 +0000] All database threads now stopped
[22/Sep/2017:20:17:15.448323210 +0000] slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
[22/Sep/2017:20:17:15.580988368 +0000] slapd stopped.
I found a mention of this bug https://bugzilla.redhat.com/show_bug.cgi?id=996716
but it seems to be for an older version of dirsrv than what we have installed.
6 years, 7 months
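A diagnostic for the ipactl message quoted at the top of this thread, added here as an editor's example rather than anything posted by the thread's participants: it reads the master entries FreeIPA keeps under cn=masters,cn=ipa,cn=etc,<suffix> (the entries ipactl consults when it says "does not match any master server in LDAP") and reports whether the local hostname is among them. The suffix, the Directory Manager bind, and the sample LDIF with two masters and no replica entry are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether this host is
# registered as an IPA master in LDAP, which is what "ipactl status"
# requires. Suffix, bind DN and sample data below are assumptions.

# Extract master FQDNs from "ldapsearch -LLL ... cn" output: one entry per
# master, named by its cn. Reads LDIF on stdin, prints one FQDN per line.
masters_from_ldif() {
    sed -n 's/^cn: //p'
}

# hostname_is_master HOST MASTERS
# MASTERS is a newline-separated list. Exit 0 if HOST is in it (compared
# case-insensitively, as DNS names are), 1 otherwise.
hostname_is_master() {
    _host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr 'A-Z' 'a-z' | grep -qx -- "$_host"
}

# check_local_master SUFFIX [HOST]
# Live check against the local directory server as Directory Manager
# (prompts for the password). Lists the registered masters on failure.
check_local_master() {
    _suffix=$1
    _host=${2:-$(hostname -f)}
    _masters=$(ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
        -b "cn=masters,cn=ipa,cn=etc,$_suffix" -s one '(objectClass=*)' cn \
        | masters_from_ldif)
    if hostname_is_master "$_host" "$_masters"; then
        echo "OK: $_host is registered under cn=masters"
    else
        echo "NOT REGISTERED: $_host is not under cn=masters,cn=ipa,cn=etc,$_suffix"
        echo "Masters currently in LDAP:"
        printf '  %s\n' $_masters
        return 1
    fi
}

# Constructed sample LDIF (two masters, no entry for the replica) so the
# parsing and matching can be exercised without a directory server.
SAMPLE_LDIF='dn: cn=master1.company.domain,cn=masters,cn=ipa,cn=etc,dc=company,dc=domain
cn: master1.company.domain

dn: cn=master2.company.domain,cn=masters,cn=ipa,cn=etc,dc=company,dc=domain
cn: master2.company.domain
'

# Live usage (placeholders): check_local_master dc=company,dc=domain replica.company.domain
```

If the hostname is missing from the list, ipactl has nothing to probe and fails exactly as quoted; the list printed on failure shows which names the topology does know about, which is the first thing to compare against the output of hostname -f on the replica.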
CentOS 6 system 4 error
by Mark Haney
I've been migrating a lot of our customer boxes from a local install of
our master LDAP database (yeah, I know) to our IPA servers. Nearly all
these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as
well) and I've built an ansible playbook to make the migration changes.
I've done slightly more than a dozen of these and had no trouble at all,
until now. This last run I hit two customer servers, one is accessible
via ssh and can sudo fine. The other, not so much. I'm getting this
error in /var/log/secure:
Sep 26 10:41:12 rad0 sshd[7906]: pam_sss(sshd:auth): received for user
mark.haney: 4 (System error)
Since I've not encountered this problem before, I'm totally clueless to
what to do. Google says it's likely a Kerberos problem, but that's not
particularly helpful when the configs between the working server and the
non-working one are virtually identical. I'll be glad to spill any logs
you need and run anything that might help the problem. Here's what I
know right now.
The good server: can ssh and sudo with the credentials above.
The bad server: cannot ssh or sudo with same credentials. However, I can
ssh to the box via an unprivileged non-LDAP account (the one used for
ansible) can sudo to root, then I can sudo to my user account (note: my
user account doesn't exist locally on ANY of these boxes until IPA is
installed and configured and I test it) but from that account, I can't
sudo back to root. It bombs with the above error.
There's nothing in the sssd logs (literally, they are all empty) and
nothing strikes me as odd in pam.d and other configs I've looked at.
And as I've avoided LDAP nonsense for any servers for over a decade,
I've no clue to debugging this.
What can I offer to help get this resolved?
nss--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
6 years, 7 months
How to set all passwords expired
by xattab@syneforge.com
Hi!
I changed the password policy and I need to force everyone (excluding one
directory) to change passwords.
How do I implement it?
6 years, 7 months
Restriction for SSH Key per host
by Alessandro Perucchi
Hello,
We are using Freeipa to our satisfaction.
We are trying to create a bastion/jumphost/... and in order to do it, we want to protect the bastion so that nobody can access it directly (except of course some admin people).
And at the same time, we want that the users access some hosts through the bastion via ssh proxy.
Manually it works as expected. Let's say that I have a user `testuser`, and this user has an ssh key like this one `ssh-ed25519 AAAAC3N testuser(a)example.com`.
So on the bastion, I will create the following entry in the authorized_keys for the testuser:
no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser(a)example.com
And in the other hosts, I will use the ssh key:
ssh-ed25519 AAAAC3N testuser(a)example.com
How can I give SSH key restrictions per host? From what I've seen in freeipa, you can either give the restriction in the ssh key for the user, as the first entry or the second, and it will apply to every server without any possibility of customization.
An extension to that would be: if I am connecting from our internal network (192.168.0.0/24), then you could connect to the bastion directly, but if you are outside the internal network, then you cannot... and in that case, the ssh entries in authorized_keys would be something like this:
from="192.168.0.0/24" ssh-ed25519 AAAAC3N testuser(a)example.com
from="!192.168.0.0/24",no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser(a)example.com
Is there a way to do that in freeipa? Because I would like to avoid as much as possible handling the ssh keys "manually" outside of freeipa...
Thank you very much in advance for your help.
Regards,
Alessandro
6 years, 7 months
Force 2FA on specific hosts
by Jeremy Utley
Hello all on the list!
Kind of an odd question, but management has asked me to try to find this
out. We've been rolling out FreeIPA to replace OpenLDAP inside a
higher-security (PCI Compliant) part of our overall network. One of the
things we would like to possibly do is require 2FA (using Yubikeys) for
certain machines within that network, without creating a second FreeIPA
domain. For example, inside this domain we have jump hosts that will
require Yubikey 2FA to log in to, and from that point forward, Kerberos
would be used to move from one machine to another. However, for 2 specific
machines, we'd like to require a second 2FA authentication to those to
provide some additional security. Is this even possible?
Thanks,
Jeremy Utley
6 years, 7 months
How to implement sudo for "ALL, !something"
by Ranbir
Hi Everyone,
We have sudo rules like this on plain, non-freeipa domain CentOS
servers:
%group ALL=(someuser) ALL,!SU,!SHELLS
How would I implement the above in a freeipa domain? I've tried to name
my rules 01-group and 02-group and put the above into two separate
rules, but it didn't work. I tried to set only what's not allowed, but
that didn't work either.
I'm now thoroughly confused! Can anyone lend a hand?
Thanks in advance!
Ranbir
--
Ranbir
6 years, 7 months
Web UI errors after update to ipa-server 4.5/centos 7.4
by Mark Esman
After upgrading two freeipa servers (replicas of each other) from
ipa-server-4.4.0-14.el7.centos.7.x86_64 to
ipa-server-4.5.0-21.el7.centos.1.2.x86_64 during the recent
Centos 7.3 to 7.4 update, one of the servers is having Web UI errors.
ipactl status shows all services up and running on both servers.
One replica's Web UI works fine, the other throws the following
errors.
Here is the output I see from the Chrome browser:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
Technical details:
Cannot read property 'object' of undefined
TypeError: Cannot read property 'object' of undefined
at Object.update_logged_in
(https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:18169)
at Object.choose_profile
(https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:16656)
at Object.<anonymous>
(https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:1190)
at https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3478
at Object.forEach
(https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:29752)
at Object._run_phase
(https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3442)
at Object.next_phase
(https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3904)
at Object.<anonymous>
(https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3631)
at c
(https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:60960)
at Object.then.t.then
(https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:62246)
And even more output from Firefox browser:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
Technical details:
t.metadata is undefined
.cache["freeipa/Application_controller"]/</w<.update_logged_in@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:18156
.cache["freeipa/Application_controller"]/</w<.choose_profile@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:16651
.cache["freeipa/app_container"]/</<.register_phases/<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:1181
.cache["freeipa/_base/Phase_controller"]/</o<._run_phase/<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3476
.cache["dojo/_base/array"]/</a.forEach@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:29752
.cache["freeipa/_base/Phase_controller"]/</o<._run_phase@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3440
.cache["freeipa/_base/Phase_controller"]/</o<.next_phase@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3899
.cache["freeipa/_base/Phase_controller"]/</o<._run_phase/<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3626
.cache["dojo/Deferred"]/</c@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
.cache["dojo/Deferred"]/</d/t.then@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:62246
.cache["freeipa/_base/Phase_controller"]/</o<._run_phase@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3548
.cache["freeipa/_base/Phase_controller"]/</o<.next_phase@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3899
.cache["freeipa/_base/Phase_controller"]/</o<._run_phase/<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:3626
.cache["dojo/Deferred"]/</c@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
.cache["dojo/Deferred"]/</l@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
.cache["dojo/Deferred"]/</d/this.resolve@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:61873
.cache["dojo/promise/all"]/</</</<@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:85255
.cache["dojo/Deferred"]/</c@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
.cache["dojo/Deferred"]/</l@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
.cache["dojo/Deferred"]/</d/this.resolve@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:61873
.cache["freeipa/app_container"]/</<.register_phases/</<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:1092
.cache["freeipa/ipa"]/</y</t.init_metadata/s<.on_success@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:34431
.cache["freeipa/rpc"]/</a.concurrent_command/t.on_success_all@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:57160
.cache["freeipa/rpc"]/</a.concurrent_command/t.command_completed@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:56953
.cache["freeipa/rpc"]/</a.concurrent_command/t.success_handler@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:56790
.cache["freeipa/rpc"]/</a.concurrent_command/t.execute/n.on_success</<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:56340
.cache["freeipa/rpc"]/</a.command/l.register_handlers/<@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:53786
r/</f@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:49586
.cache["dojo/on"]/</i.emit@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:45192
.cache["dojo/on"]/</i.emit@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:45808
.cache["dojo/Evented"]/</r.prototype.emit@https://server.example.com/ipa/ui/js/dojo/dojo.js?v=40500:1:48712
c@https://server.example.com/ipa/ui/js/freeipa/app.js?40500:1:52429
x.Callbacks/l@https://server.example.com/ipa/ui/js/libs/jquery.js?v=40500:4:24877
x.Callbacks/c.fireWith@https://server.example.com/ipa/ui/js/libs/jquery.js?v=40500:4:25702
k@https://server.example.com/ipa/ui/js/libs/jquery.js?v=40500:6:5346
.send/t/<@https://server.example.com/ipa/ui/js/libs/jquery.js?v=40500:6:9152
Any help or insight would be greatly appreciated.
--
Mark Esman
6 years, 7 months
DNS Zone Serial Number
by Andrey Ptashnik
Team,
How can I make sure that DNS zones are in sync between multiple masters?
Is it normal for DNS zone to have different serial number on each replica?
Thank you,
Andrey
6 years, 7 months
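A check for the question above, added here as an editor's example and not taken from the thread: it asks each IPA DNS server for the zone's SOA serial and reports whether they agree. The zone, the server names and the sample "server serial" lines are assumptions; the script reports only what each server answers and takes no position on whether diverging serials are expected in a given deployment.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the SOA serial of one
# zone as answered by several DNS servers. Zone, server names and the
# sample lines are assumptions.

# soa_serial SERVER ZONE
# "dig +short ... SOA" prints the SOA RDATA on one line; field 3 is the
# serial. Prints nothing if the server does not answer.
soa_serial() {
    dig +short +time=3 +tries=1 "@$1" "$2" SOA | awk 'NR == 1 { print $3 }'
}

# serials_agree
# Reads "server serial" lines on stdin, echoes them, and ends with either
# "OK: ..." (exit 0) or "MISMATCH" (exit 1). A line with no numeric serial
# (unreachable server, wrong zone) counts as a mismatch.
serials_agree() {
    awk '
        NF < 2 || $2 !~ /^[0-9]+$/ { bad = 1; printf "%s: no serial\n", $1; next }
        {
            if (!($2 in seen)) n++
            seen[$2] = 1
            printf "%s: %s\n", $1, $2
        }
        END {
            if (bad || n != 1) { print "MISMATCH"; exit 1 }
            for (s in seen) print "OK: all servers at serial " s
        }'
}

# compare_zone_serials ZONE SERVER...
# Live check: query every server and feed the results to serials_agree.
compare_zone_serials() {
    _zone=$1
    shift
    for _srv in "$@"; do
        printf '%s %s\n' "$_srv" "$(soa_serial "$_srv" "$_zone")"
    done | serials_agree
}

# Live usage (hostnames are placeholders):
#   compare_zone_serials ipa.example.test ipa1.ipa.example.test ipa2.ipa.example.test
```

Running it from cron against every master and alerting on MISMATCH turns the question into a standing check; a server that times out is reported as "no serial" rather than silently skipped, so a down resolver is not mistaken for agreement.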
basics of openssh and freeipa integration
by freeipa-users@trodman.com
Assume my new freeipa server is on 7.4 centos, and my client freeipa
hosts are on fedora 25. Assume I create a freeipa user "jdoe" with a
NFS4 automounted home dir, to be available on the fedora hosts.
The goal is to ssh remotely into any fedora client host as "jdoe" and
be authenticated by the centos freeipa server. Is openssh configured,
or can it be configured, to work this way by the initial freeipa server
install? If not, what steps must be done?
Assuming I succeed, may I still ssh to a non-freeipa account (i.e. a
local account in /etc/passwd) on a freeipa server or a fedora
freeipa client? How are "non freeipa", i.e. local, accounts handled by
openssh on the fedora 25 client freeipa hosts?
--
Thanks for trying to clear up my foggy grasp of freeipa,
Tom
--
Below is some more background, and additional question(s).
--
GOAL: Set up freeipa with kerberos NFS4 file sharing,
and autofs/automount home directories. A small number of users or hosts.
I have a centos 7.3 Internet host "pez.ipa.uqjau.org", with
bind/bind-chroot installed and working. There is a "ipa.uqjau.org"
delegation NS record and a SOA ipa.uqjau.org record, both mapped to
host "pez.ipa.uqjau.org" both in the "uqjau.org" zone. bind is working
OK on pez with pez bind authoritative for ipa.uqjau.org, but I plan
to uninstall bind-chroot and let 'ipa-server-install' setup bind from
scratch. (I understand I need to uninstall bind-chroot, and plan to
do so.)
I'm new to freeipa, but have read for 7 hours or so, and have spent a
couple of hours reading the list. NFS4 is working now.
For guidance on the install I have been looking at:
<https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/Free...>
<https://blog.christophersmart.com/articles/freeipa-how-to-fedora/>
How does this look?
ipa-server-install \
    --unattended \
    --realm=IPA.UQJAU.ORG \
    --domain=ipa.uqjau.org \
    --ds-password=SOMESECRET_PASSWD \
    --admin-password=SOMESECRET_PW \
    --mkhomedir \
    --ip-address=45.55.89.85 \
    --idstart=50000 \
    --no_hbac_allow \
    --ssh-trust-dns \
    --setup-dns \
    --no-forwarders \
    --no-reverse \
    --zonemgr=SOME_EMAIL_ADDR_HERE \
    --no-dnssec-validation
The --zonemgr line above is what I think the man page intends,
right?
--
thanks,
Tom
6 years, 7 months
IPA replica appears in LDAP conflicts
by Andrey Ptashnik
Team,
When I run LDAP search for conflicting records I see that one replica is listed as a conflicting record. Do you know how that may have happened and can I safely remove it?
# ldapsearch -xLLL -D "cn=Directory Manager" -W -b "dc=aws,dc=cccis,dc=com" "nsds5ReplConflict=*" dn | perl -p00e 's/\r?\n //g' | sed -e "s/dn: //g" > /tmp/ldap-conflicts.list
# cat ldap-conflicts_09.22.17.list
dnaHostname=ipa-idm-replica-1b.sub.domain.com+dnaPortNum=389+nsuniqueid=c31c804c-9fa311e7-862eb8db-a442907b,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=sub,dc=domain,dc=com
Thanks,
Andrey
6 years, 7 months