Changing CA certificate subject name post-install
by Rob Foehl
Noting that it's now possible to modify the CA certificate subject name at
install time in 4.5 and 4.6, is there any provision for doing so after an
upgrade to one of those releases with a cert that originated in a 4.4
instance? Possibly involving renewal of the (externally signed) CA cert,
if necessary?
-Rob
6 years, 7 months
Restoring DNS Grants
by techmail+freeipa@dangertoaster.com
Hello,
I have two questions:
1. How can the default DNS grants be restored, or fixed, without
knowing what they were?
2. Where can I get information about grants? I can't seem to find where
they're documented.
I was trying to get DDNS updates to work from the DHCP server, and the
documentation doesn't mention that executing 'ipa dnszone-mod example.com.
--update-policy="grant rndc-key wildcard * ANY;"' will overwrite the
current grants, breaking the DNS portion of ipa-client-install.
Environment:
* Fedora 26
* FreeIPA 4.4.4 from Fedora repos
* ISC DHCP server 4.3.5 from Fedora repos
Ryan
6 years, 7 months
Clients can't log in - can't access home mounted via autofs
by Tobi Berninger
Hello,
I have a FreeIPA server running and 10 clients. Every client is a copy
from a PC. And everybody works just perfectly except the original PC where
I tested and installed the system at the beginning. I already copied the
system over with the one that I used on every client around here, but after
one week it already shows errors again.
Now the problem is that I can't log in with any account. When logging in
over the greeter (lightdm) it just turns to a black screen shortly and then
switches back. When you try to log in over tty, you will get the following
error:
/net/laufer/user: change directory failed: no such file or directory
I ran into this error before and normally it was connected to autofs not
running. But autofs is running and prints out the following errors:
dev_ioctl_send_fail: token = 76
handle_packet: type= 3
handle_packet_missing_indirect: token 77, name user, request pid 3085
dev_ioctl_send_fail: token = 77
handle_packet: type = 3
handle_packet_missing_indirect. toke 78, name user, request pid 3085
dev_ioctl_send_fail: toke 78
handle:packet: type = 3
handle_packet_missing_indirect: toke 79, name user, request pid 3085
dev_ioctl_send_fail: toke = 79
Any ideas?
Thank you very much
Greetings, Tobi
6 years, 7 months
sssd suddenly throw system error on Mint 17.3 clients
by Torsten Harenberg
Dear all,
Apologies if that has already been discussed. I am currently on travel overseas and only have a small tablet here, so my options are limited.
Suddenly, our Linux Mint clients refrain from logging in users and throw a system error. I increased the log level and the relevant lines seem to be:
(Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [hbac_eval_user_element] (0x0040): Parse error on [cn=System: Manage Host Principals+nsuniqueid=53120f31-41e811e7-b96dfa31-96759478,cn=permissions,cn=pbac,dc=pleiades,dc=uni-wuppertal,dc=de]: Malformed cache entry
(Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
(Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules
(Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
I tried to delete the local cache, but that had no effect. Restarting the IPA server in question also did not help.
Thanks for any hint.
Best regards
Torsten
6 years, 7 months
Issue with replica promotion -- potential custodia issue
by Michael Salsone
Hello,
I am on CentOS 7.3.1611 running FreeIPA Version 4.4.0
I have the master installed and running:
:; sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I am trying to deploy a replica; it makes it through most of the tasks, then bombs out at the end. The system is listed in FreeIPA as an ipaserver/replica. But the process itself never starts on the replica.
The deploy fails with the following errors:
2017-09-07T19:31:04Z DEBUG stderr=
2017-09-07T19:31:04Z DEBUG Destroyed connection context.ldap2_106994896
2017-09-07T19:31:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-09-07T19:31:04Z DEBUG Configuring ipa-custodia
2017-09-07T19:31:04Z DEBUG [1/5]: Generating ipa-custodia config file
2017-09-07T19:31:04Z DEBUG duration: 0 seconds
2017-09-07T19:31:04Z DEBUG [2/5]: Generating ipa-custodia keys
2017-09-07T19:31:04Z DEBUG duration: 0 seconds
2017-09-07T19:31:04Z DEBUG [3/5]: Importing RA Key
2017-09-07T19:31:04Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
cli.fetch_key('ra/ipaCert')
File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
r.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG [error] HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
promote(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1478, in promote
custodia.create_replica(config.master_host_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 95, in create_replica
realm=self.realm)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 581, in create_instance
self.start_creation("Configuring %s" % self.service_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
cli.fetch_key('ra/ipaCert')
File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
r.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
raise HTTPError(http_error_msg, response=self)
2017-09-07T19:31:04Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I "kinit admin" and try to run "curl --negotiate -u: https://`hostname`/ipa/keys/ -vv" I get the initial 401, followed by a 403.
< HTTP/1.1 403 Forbidden
< Date: Fri, 08 Sep 2017 17:55:18 GMT
< Server: Custodia/0.1
< WWW-Authenticate: Negotiate <key_blob>
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
<
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: Forbidden.
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>
* Closing connection 0
The httpd gateway seems to work correctly but something is broken in the ipa-custodia response.
I appreciate any thoughts/help!
6 years, 7 months
Replacing OpenLDAP with FreeIPA
by Mark Haney
Probably the dumbest question you'll get all day, but we've got a
hundred or so VMs with OpenLDAP on them (as clients pointing to a
master). Are there any gotchas to replacing OpenLDAP with FreeIPA? I'm
using Ansible to push the client install to the VMs, with a task for
uninstalling OpenLDAP prior to IPA setup.
Does this plan sound cunning enough? Or am I missing something?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
6 years, 7 months
Proxmox pam authentication
by Maciej Drobniuch
Hey Freeipa users!
Proxmox supports PAM logins from the web UI and it is Debian based.
I've used the following guide to install freeipa unofficial packages.
http://clusterfrak.com/sysops/app_installs/freeipa_clients/
The IPA client installation went smoothly but... I cannot see the users
and log in.
# id freeipauser
id: 'freeipauser': no such user
Does someone know of documentation for the detailed troubleshooting
steps that need to be taken to check pam/sssd/related?
My pam.d common-session file:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session required pam_mkhomedir.so
cat sssd.conf
[domain/domain.int]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.int
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = proxmox.domain.int
chpass_provider = ipa
ipa_server = _srv_, freeipa1.domain.int
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
domains = domain.int
services = sudo, ssh
[ssh]
[sudo]
Any idea what is the first troubleshooting step?
--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
6 years, 7 months
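An added example, not from the post or from the sssd project: a small configparser check over a constructed copy of the posted sssd.conf. It assumes that on this sssd build a responder only runs when listed in `services`, so `id` needs the nss responder and pam_sss.so needs the pam responder; `corrected_services()` returns the value the `services` line would need.

```python
import configparser

# Constructed copy of the sssd.conf from the post (names as posted).
SSSD_CONF = """
[domain/domain.int]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.int
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = proxmox.domain.int
chpass_provider = ipa
ipa_server = _srv_, freeipa1.domain.int
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
domains = domain.int
services = sudo, ssh
[ssh]
[sudo]
"""

# Assumption: nss serves getpwnam()/`id`, pam serves pam_sss.so; both must be
# listed on an sssd without socket-activated responders.
REQUIRED_SERVICES = {"nss", "pam"}


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    cp = _load(text)
    if not cp.has_section("sssd"):
        return ["no [sssd] section"]
    findings = []
    services = set(_csv(cp.get("sssd", "services", fallback="")))
    for missing in sorted(REQUIRED_SERVICES - services):
        findings.append("[sssd] services lacks the '%s' responder" % missing)
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        if not cp.has_section("domain/" + dom):
            findings.append("domain '%s' listed but has no section" % dom)
    return findings


def corrected_services(text):
    """The [sssd] services value with the required responders prepended."""
    services = _csv(_load(text).get("sssd", "services", fallback=""))
    return ", ".join(sorted(REQUIRED_SERVICES - set(services)) + services)
```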
Raising domain to level 1 from level 0
by Kristian Petersen
I am trying to set the domain level for my IPA servers to level 1 from
level 0. When I attempt to run:
ipa domainlevel-set 1
I get the following error:
ipa: ERROR: Domain Level cannot be raised to 1, existing replication
conflicts have to be resolved.
At the moment, the server has no replicas. All of them have been removed.
-bash-4.2$ ipa-replica-manage list
ipa1.chem.byu.edu: master
Any ideas as to why I am still getting this error?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
6 years, 7 months
4.5.0-21.el7_4.1.2 and 389-ds-1.3.6.1-19 failures
by Steve Huston
Today I updated one of my three servers again, including the versions
of RPMs listed in the subject line above. The ipa-server-upgrade
failed again without patching ipautil.py and ipa-replica-conncheck to
fix the problem of waiting on tomcat for I suppose an IPv6 port that
will never happen? I'm not sure, but there's been enough IPv4-only
breaking things that I'm almost used to those.
When I rebooted the machine, however, nothing came up. The logs
contained this bit:
Sep 7 13:35:31 auth ns-slapd: [07/Sep/2017:13:35:31.847507616 -0400] - INFO - main - 389-Directory/1.3.6.1 B2017.248.1842 starting up
Sep 7 13:35:32 auth ns-slapd: [07/Sep/2017:13:35:32.158108855 -0400] - ERR - ldbm_config_dbcachesize_set - nsslapd-dbcachesize value is too large.
Sep 7 13:35:32 auth ns-slapd: [07/Sep/2017:13:35:32.180891884 -0400] - ERR - parse_ldbm_config_entry - Error with config attribute nsslapd-dbcachesize : Error: nsslapd-dbcachesize value is too large.
Sep 7 13:35:32 auth ns-slapd: [07/Sep/2017:13:35:32.202852469 -0400] - ERR - ldbm_config_load_dse_info - Error parsing the ldbm config DSE
Sep 7 13:35:32 auth ns-slapd: [07/Sep/2017:13:35:32.223902244 -0400] - ERR - ldbm_back_start - Loading database configuration failed
Sep 7 13:35:32 auth ns-slapd: [07/Sep/2017:13:35:32.248975920 -0400] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
Interestingly, if I manually run 'ipactl start', then it will start
ds-389 successfully and everything seems to work:
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.598213558 -0400] - INFO - main - 389-Directory/1.3.6.1 B2017.248.1842 starting up
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.612870058 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.617381627 -0400] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.622605528 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.629501131 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.637443337 -0400] - NOTICE - ldbm_back_start - found 1879636k physical memory
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.638504556 -0400] - NOTICE - ldbm_back_start - found 1207892k available
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.639567173 -0400] - NOTICE - ldbm_back_start - cache autosizing: db cache: 75185k
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.640797237 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.643930356 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.647893792 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Sep 7 13:32:31 auth ns-slapd: [07/Sep/2017:13:32:31.651452253 -0400] - NOTICE - ldbm_back_start - total cache size: 294375784 B;
But if I then reboot the machine, it breaks again (thus why the
timestamp of my first block of log messages is newer than the second
block). Ideas?
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
6 years, 7 months