Fails to start CA with Basic Auth (and/or SSL)
by Zarko D
Hi, this is part of troubleshooting expired certificates (it's in another post). I can't successfully renew certs after going back in time and I believe the reason is that the CA is not starting. Some posts and Bugzilla bugs suggest using PKI basic authentication, which I tried without success, so I'd like to see if I am doing something wrong.
ipa-server is 4.4.0 and pki-server is 10.3.3
[1] "internaldb" added to /etc/pki/pki-tomcat/password.conf hence it reads:
internal=264530051944
replicationdb=-1979518752
internaldb=directory-manager-password
[2] Edited /etc/pki/pki-tomcat/ca/CS.cfg so diff is:
61c61
< authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
---
> authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
63,64c63,64
< authz.instance.DirAclAuthz.ldap.ldapconn.port=389
< authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
---
> authz.instance.DirAclAuthz.ldap.ldapconn.port=636
> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true
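Review bot: the diff does not say which side is the edited file; the debug log further down ("Established LDAP connection using basic authentication ... port 389 as cn=Directory Manager") implies the `<` lines are the running configuration, so state that explicitly so nobody applies it backwards. This hunk and the one above flip only authtype, port and secureConn for DirAclAuthz; the bindDN and bindPWPrompt keys of that same ldapauth block are not shown, so confirm they name a DN that exists and a tag present in password.conf, otherwise the authorization subsystem binds with different credentials from the internaldb block.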
784,786c784,785
< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
< internaldb.ldapauth.bindPWPrompt=internaldb
---
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca
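Review bot: this hunk moves the CA's directory bind from the dedicated uid=pkidbuser identity over client-cert auth to cn=Directory Manager with a cleartext password in password.conf (step [1]), which gives the CA process full directory rights for as long as it stays; keep a copy of the three replaced lines and plan to restore them once the renewal is through. Note also that, per the attached debug log, this bind does succeed, so these keys are not what stops the CA.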
791c790
< internaldb.ldapconn.port=389
---
> internaldb.ldapconn.port=636
793c792
< internaldb.ldapconn.secureConn=false
---
> internaldb.ldapconn.secureConn=true
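Review bot: with port 389 and secureConn=false the Directory Manager bind from hunk 784,786 goes over plain LDAP; the debug log shows the CA connecting to ca-ldap04.internal.com, the host that is itself writing /var/log/messages, so it stays on the box, but the pair should still go back to 636/true together with the auth keys. Separately, /var/log/messages shows the actual cause of the restart loop is not LDAP at all ("SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure"), so /var/lib/pki/pki-tomcat/logs/ca/selftests.log (the path visible in the debug output) is the next file to read.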
[3] Restart pki-tomcatd@pki-tomcat.service
Please let me know if you need additional logs; these are the ones I believe are relevant and can help.
[4] /var/log/pki/pki-tomcat/catalina.2018-11-06.log
WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://ca-ldap04.internal.com:9080/ca/ocsp' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
... shortened INFO messages ...
Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldap://ca-ldap04.internal.com:389] but has failed to stop it. This is very likely to create a memory leak.
Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
[5] /var/log/pki/pki-tomcat/ca/debug
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: CMSEngine.shutdown()
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Destroying LdapBoundConnFactory(CrossCertPairSubsystem)
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Destroying RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/selftests.log)
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Destroying LogFile(/var/lib/pki/pki-tomcat/logs/ca/selftests.log)
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: SignedAuditEventFactory: create() message created for eventType=AUDIT_LOG_SHUTDOWN
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: In LdapBoundConnFactory::getConn()
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: masterConn is null.
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: makeConnection: errorIfDown true
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Established LDAP connection using basic authentication to host ca-ldap04.internal.com port 389 as cn=Directory Manager
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: increasing minimum connections by 3
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: new total available connections 3
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: new number of connections 3
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: getConn: conn is connected true
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: getConn: mNumConns now 2
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: returnConn: mNumConns now 3
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Shuting down publishing.
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Destroying LdapBoundConnFactory(CertificateAuthority)
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: Cannot reset factory: connections not all returned
[06/Nov/2018:15:55:28][ContainerBackgroundProcessor[StandardEngine[Catalina]]]: CertificateAuthority.shutdown: failed to reset dbFactory: Cannot reset LDAP connection factory because some connections are still outstanding.
[6] /var/log/messages
Nov 6 15:54:34 ca-ldap04 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Nov 6 15:54:34 ca-ldap04 systemd: Starting PKI Tomcat Server pki-tomcat...
Nov 6 15:54:34 ca-ldap04 systemd: Started PKI Tomcat Server pki-tomcat.
Nov 6 15:54:34 ca-ldap04 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Nov 6 15:54:34 ca-ldap04 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Nov 6 15:54:34 ca-ldap04 server: main class used: org.apache.catalina.startup.Bootstrap
Nov 6 15:54:34 ca-ldap04 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Nov 6 15:54:34 ca-ldap04 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Nov 6 15:54:34 ca-ldap04 server: arguments used: start
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Nov 6 15:54:35 ca-ldap04 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://ca-ldap04.internal.com:9080/ca/ocsp' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 6 15:54:35 ca-ldap04 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-
SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-
SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Nov 6 15:54:35 ca-ldap04 server: Nov 06, 2018 3:54:35 PM org.apache.catalina.startup.SetAllPropertiesRule begin
...
Nov 6 15:54:58 ca-ldap04 server: Nov 06, 2018 3:54:58 PM org.apache.catalina.startup.HostConfig deployDescriptor
Nov 6 15:54:58 ca-ldap04 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Nov 6 15:54:58 ca-ldap04 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Nov 6 15:54:58 ca-ldap04 server: SSLAuthenticatorWithFallback: Setting container
Nov 6 15:55:00 ca-ldap04 server: Nov 06, 2018 3:55:00 PM org.apache.catalina.startup.TldConfig execute
Nov 6 15:55:00 ca-ldap04 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Nov 6 15:55:00 ca-ldap04 server: SSLAuthenticatorWithFallback: Initializing authenticators
Nov 6 15:55:00 ca-ldap04 server: SSLAuthenticatorWithFallback: Starting authenticators
Nov 6 15:55:00 ca-ldap04 server: CMSEngine.initializePasswordStore() begins
Nov 6 15:55:00 ca-ldap04 server: CMSEngine.initializePasswordStore(): tag=internaldb
Nov 6 15:55:01 ca-ldap04 server: testLDAPConnection connecting to ca-ldap04.internal.com:389
Nov 6 15:55:01 ca-ldap04 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Nov 6 15:55:01 ca-ldap04 server: testLDAPConnection connecting to ca-ldap04.internal.com:389
Nov 6 15:55:01 ca-ldap04 server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-ca-ldap04.internal.com-pki-tomcat,cn=config does not exist
Nov 6 15:55:02 ca-ldap04 server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring ..
Nov 6 15:55:03 ca-ldap04 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Nov 6 15:55:03 ca-ldap04 server: -----------------------
Nov 6 15:55:03 ca-ldap04 server: Disabled "ca" subsystem
Nov 6 15:55:03 ca-ldap04 server: -----------------------
Nov 6 15:55:03 ca-ldap04 server: Subsystem ID: ca
Nov 6 15:55:03 ca-ldap04 server: Instance ID: pki-tomcat
Nov 6 15:55:03 ca-ldap04 server: Enabled: False
Nov 6 15:55:03 ca-ldap04 server: Invalid class name repositorytop
Nov 6 15:55:03 ca-ldap04 server: Invalid class name repositorytop
..
Nov 6 15:55:03 ca-ldap04 server: Nov 06, 2018 3:55:03 PM org.apache.catalina.startup.HostConfig deployDescriptor
Nov 6 15:55:03 ca-ldap04 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in4,815 ms
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.startup.HostConfig undeploy
Nov 6 15:55:13 ca-ldap04 server: INFO: Undeploying context [/ca]
Nov 6 15:55:13 ca-ldap04 server: SSLAuthenticatorWithFallback: Stopping authenticators
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Nov 6 15:55:13 ca-ldap04 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldap://ca-ldap04.internal.com:389] but has failed to stop it. This is very likely to create a memory leak.
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Nov 6 15:55:13 ca-ldap04 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldap://ca-dap04.internal.com:389] but has failed to stop it. This is very likely to create a memory leak.
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Nov 6 15:55:13 ca-ldap04 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Nov 6 15:55:13 ca-ldap04 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldap://ca-ldap04.internal.com:389] but has failed to stop it. This is very likely to create a memory leak.
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Nov 6 15:55:13 ca-ldap04 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Nov 6 15:55:13 ca-ldap04 server: SSLAuthenticatorWithFallback: Setting container
Nov 6 15:55:13 ca-ldap04 server: Nov 06, 2018 3:55:13 PM org.apache.catalina.startup.HostConfig deployDescriptor
Nov 6 15:55:13 ca-ldap04 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Nov 6 15:55:13 ca-ldap04 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Nov 6 15:55:13 ca-ldap04 server: SSLAuthenticatorWithFallback: Setting container
Nov 6 15:55:14 ca-ldap04 server: Nov 06, 2018 3:55:14 PM org.apache.catalina.startup.TldConfig execute
Nov 6 15:55:14 ca-ldap04 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Nov 6 15:55:14 ca-ldap04 server: SSLAuthenticatorWithFallback: Initializing authenticators
Nov 6 15:55:15 ca-ldap04 server: SSLAuthenticatorWithFallback: Starting authenticators
Nov 6 15:55:15 ca-ldap04 server: CMSEngine.initializePasswordStore() begins
Nov 6 15:55:15 ca-ldap04 server: CMSEngine.initializePasswordStore(): tag=internaldb
Nov 6 15:55:15 ca-ldap04 server: testLDAPConnection connecting to ca-ldap04.internal.com:389
Nov 6 15:55:15 ca-ldap04 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Nov 6 15:55:15 ca-ldap04 server: testLDAPConnection connecting to ca-ldap04.internal.com:389
Nov 6 15:55:15 ca-ldap04 server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-ca-ldap04.internal.com-pki-tomcat,cn=config does not exist
5 years, 5 months
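A consistency check for the CS.cfg and password.conf edits described in the post above, written as an added example (not part of the thread and not Dogtag or FreeIPA code). It assumes the authz block carries bindDN/bindPWPrompt keys mirroring the internaldb block, which the post's diff does not show, and uses placeholder password values.

```python
"""Consistency check for the CS.cfg / password.conf LDAP settings edited above.
Added example, not part of the thread and not Dogtag/FreeIPA code: both files
are key=value properties files, so the check parses them and reports the
mismatches that leave the CA unable to bind to its directory."""
import sys

# Constructed sample: the `<` side of the post's diff (post-edit state).  The
# authz bindDN/bindPWPrompt keys are not shown in the thread and are ASSUMED
# here to mirror the internaldb block; password values are placeholders.
SAMPLE_CS_CFG = """\
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=internaldb
authz.instance.DirAclAuthz.ldap.ldapconn.port=389
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
"""
SAMPLE_PASSWORD_CONF = """\
internal=<nss-token-password-placeholder>
replicationdb=<replication-password-placeholder>
internaldb=<directory-manager-password-placeholder>
"""
# The two LDAP client blocks CS.cfg keeps for the CA's own directory.
BLOCKS = {
    "internaldb": ("internaldb.ldapauth.", "internaldb.ldapconn."),
    "authz": ("authz.instance.DirAclAuthz.ldap.ldapauth.",
              "authz.instance.DirAclAuthz.ldap.ldapconn."),
}

def parse_properties(text):
    """key=value lines; blanks and '#' comments skipped.  Values may contain
    '=' themselves (bindDN=cn=Directory Manager), so split on the first one."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def block_settings(cfg, name):
    auth, conn = BLOCKS[name]
    return {"authtype": cfg.get(auth + "authtype"),
            "bindDN": cfg.get(auth + "bindDN"),
            "bindPWPrompt": cfg.get(auth + "bindPWPrompt"),
            "port": cfg.get(conn + "port"),
            "secureConn": cfg.get(conn + "secureConn", "false").lower()}

def check_ldap_config(cs_cfg_text, password_conf_text):
    """Return a list of findings; an empty list means the settings agree."""
    cfg = parse_properties(cs_cfg_text)
    passwords = parse_properties(password_conf_text)
    settings = {name: block_settings(cfg, name) for name in BLOCKS}
    findings = []
    for name, s in settings.items():
        if s["authtype"] == "BasicAuth":
            tag = s["bindPWPrompt"]
            if not s["bindDN"]:
                findings.append(f"{name}: BasicAuth without a bindDN")
            if not tag:
                findings.append(f"{name}: BasicAuth without a bindPWPrompt tag")
            elif not passwords.get(tag):
                findings.append(f"{name}: password.conf has no entry for tag '{tag}'")
        elif s["authtype"] == "SslClientAuth":
            if s["secureConn"] != "true":
                findings.append(f"{name}: SslClientAuth requires secureConn=true")
        else:
            findings.append(f"{name}: unknown authtype {s['authtype']!r}")
        # 389 is plain LDAP, 636 is LDAPS: a secureConn flag contradicting the
        # port is the classic half-applied edit.
        if s["secureConn"] == "true" and s["port"] == "389":
            findings.append(f"{name}: secureConn=true on port 389")
        if s["secureConn"] != "true" and s["port"] == "636":
            findings.append(f"{name}: secureConn=false on port 636")
    a, i = settings["authz"], settings["internaldb"]
    for key in ("authtype", "port", "secureConn"):
        if a[key] != i[key]:
            findings.append(f"authz/internaldb disagree on {key}: {a[key]!r} vs {i[key]!r}")
    return findings

if __name__ == "__main__":
    # python check_cs_cfg.py /etc/pki/pki-tomcat/ca/CS.cfg /etc/pki/pki-tomcat/password.conf
    texts = ([open(p).read() for p in sys.argv[1:]] if len(sys.argv) == 3
             else [SAMPLE_CS_CFG, SAMPLE_PASSWORD_CONF])
    print("\n".join(check_ldap_config(*texts)) or "no inconsistencies found")
```

Run it against the live files (as root, since CS.cfg is not world-readable) before each restart; an empty result means the LDAP keys agree with each other and with password.conf, and any remaining startup failure lies elsewhere.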
smartcard yubikey opensc-pkcs11.so error
by Natxo Asenjo
hi,
trying to get smart card authentication using a yubikey.
I follow the
$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
I managed to import a key and certificate (generated by openssl):
$ yubico-piv-tool -a status -v
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.
Now processing for action 'status'.
CHUID: No data available
CCC: No data available
Slot 9a:
Algorithm: RSA2048
Subject DN: O=UNIX.ASENJO.NL, CN=user50
Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
Fingerprint:
dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
Not Before: Nov 8 22:40:02 2018 GMT
Not After: Nov 8 22:40:02 2020 GMT
PIN tries left: 3
And this user50 has this certificate in ipa.
My trouble starts when running this step on the client:
# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so -force
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error."
I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
/usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
So, basically, I'm stuck now :(, because without this piece opensc cannot
work apparently.
This is a fedora 29 host, by the way.
Any clues?
--
regards,
Natxo
--
Groeten,
natxo
5 years, 5 months
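A way to separate "the module itself does not load" from "NSS rejected it" for the modutil failure in the post above, added here as an example (not from the post, OpenSC or NSS). It dlopen()s each candidate path with ctypes and calls the module's own C_GetInfo(); the candidate list is the set of names the post tried, and the constructed sample run uses a nonexistent path plus the C library so it works on any host.

```python
"""Probe a PKCS#11 module outside NSS.  Added example, not from the post or
from OpenSC/NSS: modutil's "Unknown PKCS #11 error" does not say whether the
shared object failed to load or NSS rejected it afterwards, so this dlopen()s
each candidate path with ctypes and calls C_GetInfo() to tell the two apart."""
import ctypes
import ctypes.util
import os

CKR_OK = 0
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_INFO(ctypes.Structure):
    # Field order from the PKCS#11 v2.x header; native alignment matches how
    # the modules themselves are compiled on Linux.
    _fields_ = [("cryptokiVersion", CK_VERSION),
                ("manufacturerID", ctypes.c_char * 32),
                ("flags", ctypes.c_ulong),
                ("libraryDescription", ctypes.c_char * 32),
                ("libraryVersion", CK_VERSION)]

# The module names tried in the post; a bare name is resolved through the
# dynamic loader's search path, which is what modutil -libfile relies on too.
CANDIDATES = ["opensc-pkcs11.so",
              "/usr/lib64/opensc-pkcs11.so",
              "/usr/lib64/pkcs11/opensc-pkcs11.so"]

def probe_pkcs11(path):
    """Return {'path', 'status', 'detail'}; status is one of
    missing, dlopen-failed, not-pkcs11, init-failed, getinfo-failed, ok."""
    result = {"path": path, "status": "ok", "detail": ""}
    if os.sep in path and not os.path.exists(path):
        result["status"] = "missing"
        return result
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:  # not on the search path, wrong arch, missing deps
        result.update(status="dlopen-failed", detail=str(exc))
        return result
    # Every PKCS#11 module exports C_GetFunctionList; without it the file is
    # some other shared object and NSS can never use it as a module.
    if not hasattr(lib, "C_GetFunctionList"):
        result["status"] = "not-pkcs11"
        return result
    for fn in ("C_Initialize", "C_Finalize"):
        getattr(lib, fn).argtypes = [ctypes.c_void_p]
        getattr(lib, fn).restype = ctypes.c_ulong
    lib.C_GetInfo.argtypes = [ctypes.POINTER(CK_INFO)]
    lib.C_GetInfo.restype = ctypes.c_ulong
    rv = lib.C_Initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        result.update(status="init-failed", detail=f"C_Initialize rv=0x{rv:x}")
        return result
    info = CK_INFO()
    rv = lib.C_GetInfo(ctypes.byref(info))
    if rv != CKR_OK:
        result.update(status="getinfo-failed", detail=f"C_GetInfo rv=0x{rv:x}")
    else:
        desc = info.libraryDescription.decode("ascii", "replace").strip()
        result["detail"] = (f"{desc} {info.libraryVersion.major}."
                            f"{info.libraryVersion.minor}, Cryptoki "
                            f"{info.cryptokiVersion.major}.{info.cryptokiVersion.minor}")
    lib.C_Finalize(None)
    return result

def probe_all(paths):
    return [probe_pkcs11(p) for p in paths]

# Constructed sample that works on any host: a path that does not exist and
# the C library, which loads fine but is not a PKCS#11 module.
SAMPLE_PATHS = ["/nonexistent/opensc-pkcs11.so",
                ctypes.util.find_library("c") or "libc.so.6"]

if __name__ == "__main__":
    for r in probe_all(CANDIDATES + SAMPLE_PATHS):
        print(f"{r['status']:14} {r['path']}  {r['detail']}")
```

If the OpenSC path reports ok here but modutil still fails, the problem is on the NSS side (database format or permissions of /etc/pki/nssdb) rather than in the module; a dlopen-failed result with its loader message points at the library itself.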
Issues installing replica
by Alex Corcoles
So I solved my LXC problems (thanks Rob, again), but now:
ipa-replica-install -U --setup-ca -N
fails when rebuilding my replica from scratch, see:
https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
, where I think I've copied the relevant logs. I think I saw someone
recommending revoking the replica certs, which makes sense as I'm using the
same hostname that I used on the previous replica, but that doesn't seem to
fix things.
(I'm removing the previous replica via the admin interface, IPA Server ->
Topology -> IPA Servers, select my replica and "Delete Server". This
removes it too from the host list).
Any idea?
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
5 years, 5 months
Getting access denied when using kerberos when mounting nfs share
by Kevin Vasko
I followed these instructions to enable kerberos within my realm/domain.
My FreeIPA, NFS server and my NFS client is CentOS 7.4
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nf...
I’m completely stuck in that when I mount the NFS share I get
sudo mount -o sec=krb5p share.example.com:/data/shared /mnt/shared
“mount.nfs: access denied by server while mounting share.example.com:/data/shared”
My /etc/exports file
/data/shared 172.16.0.0/24(sec=krb5p, rw, ...)
On my NFS server /var/log/messages all I see is
rpc.mountd[1674]: authenticated mount request from 172.16.0.23:819 for /data/shared (/data/shared)
If I remove the “sec=krb5p” from the mount and the exports file it mounts just fine.
-Kevin
5 years, 5 months
FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP
by Eric Fredrickson
Hello everyone,
I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled.
FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
Enabled: TRUE
Users: <users>
Hosts: vpnhost.localdomain.local
Services: openvpn
User account:
[root@ipa ~]# ipa user-show <omitted>
User login: <omitted>
First name: <omitted>
Last name: <omitted>
Home directory: /home/<omitted>
Login shell: /bin/bash
Principal name: <omitted>
Principal alias: <omitted>
Email address: <omitted>
UID: 1909600003
GID: 1909600003
User authentication types: otp
Certificate: <omitted>
Account disabled: False
Password: True
Member of groups: vpn_users
Member of HBAC rule: openvpn_access
Indirect Member of HBAC rule: user_ipa_access
Kerberos keys available: True
OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Any help would be greatly appreciated. If there is any other information you may need, please feel free to ask. I've read multiple threads; some have gotten it to work without posting answers, some have not and have stated openvpn does not support multiple prompts.
Eric
5 years, 5 months
SSH Key auth with expired Kerberos password
by Nathan Harper
Hi all,
We have noticed some behaviour that we are trying to work out if it is
expected or not (or if this is an SSSD thing). We have a pair of FreeIPA
replicas running on CentOS 7 (v4.5.x), with various CentOS 7 clients.
Most clients aren't actually enrolled in FreeIPA, but are configured with:
id_provider = ldap
auth_provider = krb5
Authentication works as expected, plus password changes etc. However, if
a user has added a public key to authorized_keys, the status of the
password is not considered and at no point is a user prompted to change
their password. More importantly, if a user is disabled in FreeIPA, they
are still permitted to login using their SSH key.
I have checked the behaviour on a client that is enrolled, and it is better
(disabling a user does prevent access), but it still does not give any
indication about failed passwords.
Under most circumstances this wouldn't be too much of an issue, but we make
use of one application for remote access that does not know what to do with
an expired password, and instead just presents 'authentication failed'.
Any suggestions?
5 years, 5 months
Re: Testing requested - certificate checking tool
by William Muriithi
Morning Rob
> > What's the process for either removing or making it known?
>
> I'll add something to the program about this too but for now you can run:
>
> # getcert list -i 20170919231606
>
> That will tell us what it is. It is perfectly fine to have certmonger
> track other certs on the system. I display unexpected ones as a
> just-in-case.
>
> It's supposed to display as just a warning. I'll fix that too since it
> is a little alarming.
This is the result I got on my end:
Failures:
Unable to find request for serial 268304424
Unable to find request for serial 268304426
Unable to find request for serial 268304425
Unable to find request for serial 268304423
Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject
CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial
77
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and
should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and
should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600
and should be 0640
Warnings:
Unknown certmonger ids: 20170812234301
[root@lithium bin]#
The system so far seems healthy. Did these file permissions have
stricter access that was relaxed later? I have never attempted to
change them, at least implicitly
Regards,
William
5 years, 5 months
Replica install on RPI3
by Winfried de Heiden
Hi all,
Just because we can and a Rapsberry Pi 3 is cheap, I'm trying to
install a FreeIPA replica on Fedora 29 ARM. It looks like the Raspberry
is a bit too slow for default installation settings:
2018-11-03T12:27:12Z DEBUG stderr=WARNING: Password was garbage
collected before it was cleared.
password file contains no data
pkispawn : ERROR ........... server did not start after 60s
pkispawn : ERROR ....... server failed to restart
2018-11-03T12:27:12Z CRITICAL Failed to configure CA instance:
CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f',
'/tmp/tmpv2y32e9l'] returned non-zero exit status 1: 'WARNING: Password
was garbage collected before it was cleared.\npassword file contains no
data\npkispawn : ERROR ........... server did not start after
60s\npkispawn : ERROR ....... server failed to restart\n')
2018-11-03T12:27:12Z CRITICAL See the installation logs and the
following files/directories for more information:
2018-11-03T12:27:12Z CRITICAL /var/log/pki/pki-tomcat
2018-11-03T12:27:12Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.7/site-
packages/ipaserver/install/dogtaginstance.py", line 164, in
spawn_instance
ipautil.run(args, nolog=nolog_list)
File "/usr/lib/python3.7/site-packages/ipapython/ipautil.py", line
573, in run
p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv2y32e9l'] returned
non-zero exit status 1: 'WARNING: Password was garbage collected before
it was cleared.\npassword file contains no data\npkispawn :
ERROR ........... server did not start after 60s\npkispawn :
ERROR ....... server failed to restart\n')
I did change the "startup_timeout" in /usr/lib/python3.7/site-packages/ipalib/constants.py
and /etc/ipa/default.conf but it doesn't seem to be enough.
Any suggestion?
Winfried
5 years, 5 months
How to wreck your IPA environment
by Chris Evich
Hey all,
About a year ago I did a really, really stupid thing. I updated IPA on one CentOS 7 host, then before being really sure things were working, I did the replica. Turned out the first upgrade only 'mostly' worked[*], meaning both hosts are now partially wrecked :S
The good news is, DNS and PKI seem mostly intact and functional (which is why I haven't done anything for a year). The bad news is, the web interface and API access (ipa cmdline) are non-functional. Meaning I have no way to maintain the setup, add new replicas/hosts, etc. :(
Both kerberos and ldapsearch are working, so I'm wondering if there's a way I can "save" my DNS and user/group/kerberos records, to make a re-build/re-install less painful? I don't have anything worth saving PKI-wise.
Thoughts?
[*] The damage was caused by running out of disk-space after the package install, while the upgrade or schema-update script was running. I'm not above trying to repair the API, but so far my attempts have all been fruitless. I tried 'yum reinstall' and manually running the upgrade scripts. The damage seems to be inside the databases, since restoring from backup also restores API-breakage.
5 years, 5 months
FreeIPA on CentOS 7 under LXC, replica installation problems
by Alex Corcoles
So I had a running replica on CentOS 7 LXC which started giving me trouble,
so I decided to rebuild it.
Now, when running ipa-replica-install I get:
2018-11-04T20:12:20Z DEBUG stderr=pkispawn : ERROR .......
subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled',
'-bn']' returned non-zero exit status 255!
2018-11-04T20:12:20Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpyZ34z1' returned non-zero exit status 1
, which seems to cause this to fail. Googling around, I find this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
, where apparently two bugs were filed to fix this, and they were fixed.
Are they supposed to land on CentOS 7?
Cheers,
Alex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
5 years, 5 months