November 2018 - FreeIPA-users - Fedora Mailing-Lists

by Peter Tselios

Hello, I have an non-IPA aware application to succssfuly login users from IPA's LDAP. However, I cannot make it work with group membership. It seems that the LDAP filter is not working and using LDAP search proves that the app is not wrong. So, what I have: myself (ptselios) member of the group grafana-adms. The group is stored as: ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(cn=grafana-adms))" -h localhost -p 389 -s sub dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com ipaNTSecurityIdentifier: S-1-5-21-120251393-583861438-3385547448-1050 objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject objectClass: posixgroup objectClass: ipantgroupattrs cn: grafana-adms description:: blabla ipaUniqueID: ccc54368-ce1d-11e8-b523-06db1b82a33a gidNumber: 690200050 Now, when I search with the memberuid I get an empty response: ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(memberuid=ptselios))" -h localhost -p 389 -s sub # search result search: 2 result: 0 Success # numResponses: 1 Obviously, the filter is wrong, but what is the correct one?

8 months, 3 weeks

3
4
0 / 0

Export service keytab as Active Directory user

by Michael Gusek

Hi, we are running FreeIPA 4.5.4 on Centos 7 with a one way trust to an Active Directory. We want to allow AD users to retrieve service keytab on FreeIPA managed hosts. AD users are linked to a external group, and these group to a FreeIPA group. We've created a service and allowed FreeIPA group (for testing external group too) to retrieve keytab. Now we logged in with AD credentials to a FreeIPA managed host, got an ticket with kinit user@AD-domain and tried to retrieve keytab for service, which runs in an error "Failed to parse result: Insufficient access rights". With an FreeIPA user, added to FreeIPA group above, it works. So what we are missing here ? Is it possible to retrieve service keytabs as a trusted AD user ? Thanks.

8 months, 3 weeks

2
4
0 / 0

How to add host with subdomain local.<mydomain>.de

by 74cmonty

Hi, I completed installation using the recommended FQHN ipa.<mydomain>.de of FreeIPA server. How can I add a client host configured with sub-domain local.<mydomain>.de? THX

8 months, 3 weeks

3
3
0 / 0

tomcatd - Could not connect to LDAP server host

by Jack Henschel

Hello, we ran into an issue after an upgrade to FreeIPA 4.6.4, API_VERSION: 2.229 (using the current Docker Image Fedora 27) The ipa-upgrade ran without issues, but pki-tomcatd is causing trouble after the upgrade. The tomcatd system log: 0.localhost-startStop-1 - [05/Nov/2018:08:44:41 UTC] [8] [3] In Ldap (bound) connection pool to host ipa port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1) Tomcat Debug log: java.net.ConnectException: Connection refused (Connection refused) at java.net.PlainSocketImpl.socketConnect(Native Method) Could not connect to LDAP server host ipa port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) Internal Database Error encountered: Could not connect to LDAP server host ipa port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:689) However, the dirsrv starts just seconds afterwards: Nov 05 08:44:45 ipa ns-slapd[90]: [05/Nov/2018:08:44:45.159306972 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Nov 05 08:44:45 ipa ns-slapd[90]: [05/Nov/2018:08:44:45.162543716 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Nov 05 08:44:45 ipa systemd[1]: Started 389 Directory Server Then, certmonger fails to start (probably trying to reach tomcatd, I assume): Nov 05 08:45:41 ipa systemd[1]: certmonger.service: Start-post operation timed out. Stopping. Nov 05 08:45:50 ipa server[231]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3b86a3a1 background process Nov 05 08:45:50 ipa server[231]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Nov 05 08:45:50 ipa server[231]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:130) Nov 05 08:45:50 ipa server[231]: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1156) Nov 05 08:45:50 ipa server[231]: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5740) Nov 05 08:45:50 ipa server[231]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java: 1379) Nov 05 08:45:50 ipa server[231]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java: 1383) Nov 05 08:45:50 ipa server[231]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1351) Nov 05 08:45:50 ipa server[231]: at java.lang.Thread.run(Thread.java:748) Nov 05 08:45:56 ipa systemd[1]: Failed to start Certificate monitoring and PKI enrollment. Nov 05 08:45:56 ipa systemd[1]: certmonger.service: Unit entered failed state. Nov 05 08:45:56 ipa systemd[1]: certmonger.service: Failed with result 'timeout'. After that, IPA shuts down after 300 sec. Nov 05 08:50:01 ipa systemd[1]: Stopping Kerberos 5 KDC... Nov 05 08:50:01 ipa systemd[1]: Stopped Kerberos 5 KDC. Nov 05 08:50:01 ipa systemd[1]: Stopping Kerberos 5 Password-changing and Administration... Nov 05 08:50:01 ipa systemd[1]: kadmin.service: Main process exited, code=exited, status=2/INVALIDARGUMENT Nov 05 08:50:01 ipa systemd[1]: Stopped Kerberos 5 Password-changing and Administration. Nov 05 08:50:01 ipa systemd[1]: kadmin.service: Unit entered failed state. Nov 05 08:50:01 ipa systemd[1]: kadmin.service: Failed with result 'exit-code'. Nov 05 08:50:02 ipa systemd[1]: Stopping The Apache HTTP Server... Nov 05 08:50:03 ipa systemd[1]: Stopped The Apache HTTP Server. Nov 05 08:50:03 ipa systemd[1]: Stopping IPA Custodia Service... Nov 05 08:50:03 ipa systemd[1]: Stopped IPA Custodia Service. Nov 05 08:50:03 ipa ntpd[73]: ntpd exiting on signal 15 (Terminated) Nov 05 08:50:03 ipa ntpd[73]: 127.127.1.0 local addr 127.0.0.1 -> Nov 05 08:50:03 ipa systemd[1]: Stopping Network Time Service... Nov 05 08:50:03 ipa systemd[1]: Stopped Network Time Service. Nov 05 08:50:03 ipa systemd[1]: Stopped target PKI Tomcat Server. Nov 05 08:50:03 ipa systemd[1]: Stopping PKI Tomcat Server pki-tomcat... The error is consistent enough, it seems LDAP only comes up seconds after tomcat tries to reach it. Nov 05 09:34:57 ipa server[231]: Internal Database Error encountered: Could not connect to LDAP server host ipa port 636 E rror netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1) Nov 05 09:34:59 ipa ns-slapd[83]: [05/Nov/2018:09:34:59.793590657 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Nov 05 09:34:59 ipa ns-slapd[83]: [05/Nov/2018:09:34:59.812565603 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Nov 05 09:34:59 ipa ns-slapd[83]: [05/Nov/2018:09:34:59.814451330 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-VISION-FHG-DE.socket for LDAPI requests Since it's not an Authentication Error, as described here: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom... I don't think this is an issue with the certificates. Nonetheless, I checked them and it seems fine. When starting FreeIPA via ipactl start, however, the system starts - certmonger remains failed though. The system isn't fully functional though. This is how we start the Container: /usr/bin/docker run \ -h 'ipa' --net bridge -m 0b -e IPA_SERVER_IP=192.168.2.15 \ -e IPA_SERVER_HOSTNAME=ipa \ -p 80:80 \ -p 443:443 \ -p 88:88/tcp \ -p 88:88/udp \ -p 389:389 \ -p 636:636 \ -p 7389:7389 \ -p 464:464/tcp \ -p 464:464/udp \ -p 123:123 \ -p 9443:9443 \ -p 9444:9444 \ -p 9445:9445 \ -v /data/ipa:/data:Z \ -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ --tmpfs /tmp --tmpfs /run --sysctl net.ipv6.conf.all.disable_ipv6=0 --cap-add=SYS_ADMIN --cap-add SYS_TIME \ --name freeipa \ freeipa/freeipa-server:fedora-27 \ Any idea what might cause this, or how we can futher debug it?

8 months, 3 weeks

1
0
0 / 0

Installation Error in step: Configuring the web interface (httpd)

by c.monty＠web.de

8 months, 3 weeks

3
2
0 / 0

IPA server upgrade fails with KDC error

by Johannes Brandstetter

Hi, I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..." Does anybody know how to fix this? Some more info: $ cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) $ tail /var/log/krb5kdc.log krb5kdc: Server error - while fetching master key K/M for realm XXX krb5kdc: Database module does not match KDC version - while initializing database for realm XXX $ sudo less /var/log/ipaupgrade.log 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG duration: 0 seconds 2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade data_upgrade.create_instance() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance runtime=90) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start api.Backend.ldap2.connect() File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind '', auth_tokens, server_controls, client_controls) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler raise errors.ACIError(info=info) 2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access: 2017-10-16T13:04:14Z ERROR Insufficient access: 2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information $ sudo less /var/log/yum.log Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64 Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64 Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64 Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64 Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64 Cheers, Johannes

8 months, 4 weeks

4
11
0 / 0

RSA using FreeIPA as an identity source

by Angus Clarke

Hi all Excuse my ignorance, can anyone give me some pointers on getting RSA Authentication Manager 8 to use FreeIPA 4.5 as an identity source over LDAPS? Many thanks Angus

9 months

1
0
0 / 0

Migration from Test to Production

by Ronald Wimmer

Hi, we have been evaluating FreeIPA for quite a while now on our test setup (1 IPA server, 1 Replica) and are planning to move towards production. Can the whole setup be migrated from an ipa test to an ipa production server? (the ipa 'linux.ourdomain.at' domain should stay the same) Or would it be easier to use both test servers for production (and just adding additional replicas)? Cheers, Ronald

9 months

3
5
0 / 0

Can OTP use as other datasource other than LDAP?

by luckydog xf

when I deploy freeipa with build-in LDAP( 389 DS), and create user with OTP password enabled, I can integrate into freeradius with LDAP module to authenticate against Network Access Service( Switch.etc) with user's password and OTP password. My question is that, our vpn only supports MSchap authenticaion, while I want to use MS Active Directory as freeipa datastore ( Don't use 389 DS) , if OTP works as well, it's great. yet judging from https://www.freeipa.org/page/V4/OTP, it's only applicable to LDAP.

9 months

1
0
0 / 0

Can IPA-otp use together with MS Active Directory?

by fu-hong-quan＠pacific-textiles.com

Hi, I'm curious that can OTP of freeipa use with MS AD, it seems it's only associated with LDAP, judging from https://www.freeipa.org/page/V4/OTP Any other work around as we are going to use AD as backend user store, and auth against VPN ( using MSchap auth type, which means it supports NThash password only) login. Thanks.

9 months

1
0
0 / 0

2019

2018

2017

FreeIPA-users November 2018