replica unable to communicate
by Andrew Meyer
I need some help with this. I am working with FreeIPA running on CentOS 7.4, version 4.5.0-22. I have 2 servers in my AWS VPC and 2 servers at my local office.
For some reason I am not seeing replication happen (over ldaps?) from 1 server in my local office to the two servers up there.
AWS servers:
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[centos@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[centos@freeipa03 ~]$

[root@freeipa04 log]# ipa-replica-manage list -v freeipa03.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[root@freeipa04 log]# ipa-replica-manage list -v freeipa01.stl1.gatewayblend.net
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
[root@freeipa04 log]#
Local office: server 1
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:41+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:24:32+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:30:53+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 13:30:53+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa01 ~]$

[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa04.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:08:00+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:07:54+00:00
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa03 ~]$ sudo vim /etc/resolv.conf
[gatewayblend@freeipa03 ~]$ sudo ipa-replica-manage list -v freeipa03.east.gatewayblend.net
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:40:35+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:40:35+00:00
freeipa04.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[gatewayblend@freeipa03 ~]$
The topologysegment shows we have 2-way connectivity all the way around:
[root@freeipa04 log]# ipa topologysegment-find --all
Suffix name: domain
------------------
6 segments matched
------------------
  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa03.stl1.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa03.stl1.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa01.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa01.stl1.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-freeipa01.stl1.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: freeipa01.stl1.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.east.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa03.east.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  iparepltoposegmentstatus: autogen
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa03.east.gatewayblend.net
  Left node: freeipa03.stl1.gatewayblend.net
  Right node: freeipa03.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top

  dn: cn=freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net,cn=domain,cn=topology,cn=ipa,cn=etc,dc=gatewayblend,dc=net
  Segment name: freeipa03.stl1.gatewayblend.net-to-freeipa04.east.gatewayblend.net
  Left node: freeipa03.stl1.gatewayblend.net
  Right node: freeipa04.east.gatewayblend.net
  Connectivity: both
  objectclass: iparepltoposegment, top
----------------------------
Number of entries returned 6
----------------------------
[root@freeipa04 log]#
When I add a user everything gets sync'ed. When I add a DNS entry it gets sync'ed all the way around.
Is the error I'm getting a false positive? It seems like it is.
This is the error I'm getting in /var/log/messages. However I think this pertains to DNSSEC and can be ignored, correct?
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:35:25 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:35:25 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 21 13:36:25 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 21 13:36:25 freeipa01 systemd: Started IPA key daemon.
Mar 21 13:36:25 freeipa01 systemd: Starting IPA key daemon...
Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 21 13:36:28 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 21 13:36:29 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 21 13:36:32 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:36:33 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:36:33 freeipa01 systemd: ipa-dnskeysyncd.service failed.
Mar 21 13:37:33 freeipa01 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
Mar 21 13:37:33 freeipa01 systemd: Started IPA key daemon.
Mar 21 13:37:33 freeipa01 systemd: Starting IPA key daemon...
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa : INFO LDAP bind...
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa : INFO Commencing sync process
Mar 21 13:37:36 freeipa01 ipa-dnskeysyncd: ipa.ipaserver.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: Traceback (most recent call last):
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 114, in <module>
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.syncrepl_refreshdone()
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: self.hsm_replica_sync()
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 181, in hsm_replica_sync
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Mar 21 13:37:40 freeipa01 ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Mar 21 13:37:40 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Mar 21 13:37:40 freeipa01 systemd: ipa-dnskeysyncd.service failed.
[gatewayblend@freeipa01 ~]$
I'm not sure what the issue is.
Any help is appreciated.
Thank you,
Andrew Meyer
2 months, 3 weeks
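A small checker, added here as an illustration and not part of the post above or of FreeIPA itself, that parses `ipa-replica-manage list -v` output into per-agreement fields, flags agreements whose last update failed, and then cross-checks both directions of each pair so that a one-way failure (A pushes to B fine, B cannot reach A, the pattern in this thread) stands out from a replica that is simply down. The sample output is constructed from the hostnames quoted in the thread.

```python
"""Parse `ipa-replica-manage list -v <server>` output and report agreements
whose last incremental update failed, plus pairs that only work one way."""
import re

# Constructed sample modelled on the thread: freeipa01.stl1 pushes to
# freeipa03.east fine, but freeipa03.east cannot contact freeipa01.stl1.
SAMPLE = {
    "freeipa01.stl1.gatewayblend.net": """\
freeipa03.east.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:25:31+00:00
freeipa03.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-03-21 02:30:31+00:00
""",
    "freeipa03.east.gatewayblend.net": """\
freeipa01.stl1.gatewayblend.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
""",
}

HEADER = re.compile(r"^(\S+): replica\s*$")
FIELD = re.compile(r"^\s+(last (?:init|update) (?:status|ended)): (.*)$")
STATUS = re.compile(r"^Error \((-?\d+)\)\s*(.*)$")


def parse_list_v(text):
    """Return {consumer_hostname: {field: value}} for one server's output."""
    agreements, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = agreements.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return agreements


def update_failed(agreement):
    """True when the last incremental update did not succeed.

    The number in parentheses is the 389-ds status code: 0 is success and
    anything else (the thread shows -1) means the supplier could not push
    to that consumer. A missing or unparsable status is treated as failed."""
    m = STATUS.match(agreement.get("last update status", ""))
    if not m:
        return True
    code, message = int(m.group(1)), m.group(2)
    return code != 0 or "Can't contact LDAP server" in message


def find_broken_agreements(outputs):
    """outputs: {supplier: raw `list -v` text}.
    Returns a sorted list of (supplier, consumer, status) for every
    agreement whose last update failed."""
    broken = []
    for supplier, text in outputs.items():
        for consumer, agreement in parse_list_v(text).items():
            if update_failed(agreement):
                broken.append((supplier, consumer,
                               agreement.get("last update status", "")))
    return sorted(broken)


def find_one_way_pairs(outputs):
    """Pairs (a, b) where a -> b succeeds but b -> a fails or is absent.
    Only pairs for which both servers' output was supplied are reported,
    so missing data is not mistaken for a broken agreement. Such asymmetry
    usually points at a firewall or DNS problem on one side rather than at
    the replication data itself."""
    ok = set()
    for supplier, text in outputs.items():
        for consumer, agreement in parse_list_v(text).items():
            if not update_failed(agreement):
                ok.add((supplier, consumer))
    return sorted((a, b) for (a, b) in ok
                  if b in outputs and (b, a) not in ok)


if __name__ == "__main__":
    for supplier, consumer, status in find_broken_agreements(SAMPLE):
        print("FAILED  %s -> %s: %s" % (supplier, consumer, status))
    for a, b in find_one_way_pairs(SAMPLE):
        print("ONE-WAY %s -> %s works, but %s -> %s does not" % (a, b, b, a))
```

To run it against live servers, collect `ipa-replica-manage list -v <server>` for each server into the `outputs` dictionary in place of `SAMPLE`.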
IPA server upgrade fails with KDC error
by Johannes Brandstetter
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:". I find in the kdc log that it complains about "Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
Some more info:
$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XXX
krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG duration: 0 seconds
2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
server.upgrade()
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade
data_upgrade.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance
runtime=90)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start
api.Backend.ldap2.connect()
File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection
client_controls=clientctrls)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access:
2017-10-16T13:04:14Z ERROR Insufficient access:
2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log
Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64
Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64
Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes
2 months, 3 weeks
using freeipa with an AWS elastic load balancer
by ridha.zorgui@infor.com
I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA clients will be contacting the replica and the master server through the load balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem is when retrieving LDAP data and during the authentication, the SSL handshake fails as the certificate sent back from the master or replica has a hostname different than the one used in the sssd config (the ELB CNAME), so the connection is terminated. There is a workaround, which is the use of reqcert=allow, but this brings a security issue with a MITM attack. Another solution I found is the use of SAN. I was able to add the ELB DNS as a SAN in the FreeIPA servers' certificate. I made sure it is there by downloading the certificate and checking that the ELB SAN exists, but when testing it the same problem remains. Please help.
4 months, 1 week
Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token
by H. Frenzel
Hi,
I tried to install a CA on the 2nd master from a replica file which was
created on the 1st master (with self-signed CA), which fails with:
ipa : DEBUG stderr=TokenException: Failed to import
EncryptedPrivateKeyInfo to token: (-8152) The key does not support the
requested operation.
What could be wrong here? - Please find the detailed debug log of
ipa-ca-install as attachment.
Thx & b/r
H.
4 months, 2 weeks
Certificates renewing with the wrong Subject
by Roderick Johnstone
Hi
Our freeipa certificates need to be renewed due to passing their expiry
dates.
While some certificates have renewed ok, the ipaCert and
auditSigningCert are renewing but the new certificates have the wrong
Subject.
Environment is:
serverA (CRL, first, master) RHEL 7.3, ipa 4.4
serverB (replica) RHEL 7.3, ipa 4.4
serverC (replica) RHEL 7.4, ipa 4.5
Once there are renewed certificates with the wrong Subject present,
there are various problems with renewing the remaining certificates,
which I think might be related to the bad Subject:
1) When just ipaCert has the wrong subject no further renewals happen
2) When auditSigningCert has the wrong subject the ipa pki-tomcatd
service will not start and no further renewals happen.
I've been round the following loop many times on ServerA, our first master:
1) Restore good certificates from backup
2) Put the clock back to a time when certificates are all valid
3) Resubmit certificates for renewal
Each time the ipaCert renews it has the same wrong Subject. The wrong
Subject includes the host name of one of our ipa client systems.
Each time the auditSigningCert renews it has the same wrong Subject but
a different subject to the ipaCert. The wrong Subject in this case
includes the host name of a system which has never been an ipa client,
but might have been added and removed with ipa host-add and ipa host-del
for testing something, a while ago.
As far as I can see, the "cert_subject" is set correctly in the file
/var/lib/certmonger/<request id> until the point at which the
certificate is actually renewed.
I'd be very grateful for some pointers as to which configuration options
and logs to check through to resolve this problem on our production system.
If it's of any relevance, we did change which server is the first master
some time ago.
Thanks
Roderick Johnstone
6 months
Getting Synology NAS to play nice with FreeIPA
by Kristian Petersen
I have a synology NAS which hosts some SMB shares on my network. I would
like to be able to use FreeIPA as the LDAP provider it checks against for
authenticating these shares. I have a system user that I created in
FreeIPA for this purpose.
I configured the NAS to connect to my FreeIPA server for LDAP, but I get a
message about a failure to access some users NT passwords and how the Samba
service may not work for these users. It also says it could be either a
lack of NT passwords for the users or insufficient privileges to access
them. After chatting with Synology support they wanted me to enable CIFS
plaintext password authentication. However, if I select that option it
gives me a warning about the share not being able to be the remote mount
target of CIFS anymore due to SMB being set to v1 only and disabling the
SMB related Bonjour service. If the system user doesn't have the needed
privileges, how can I fix that since I can't enroll the NAS?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
7 months
IPA users and local groups question
by Jeff Goddard
First off, thanks to everyone who makes FreeIPA. It's an awesome product that
we love.
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts' "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2
and the clients are ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Jeff
7 months
Announcing SSSD 1.16.1
by Jakub Hrozek
SSSD 1.16.1
===========
The SSSD team is proud to announce the release of version 1.16.1 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback
via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* A new option ``auto_private_groups`` was added. If this option is
enabled, SSSD will automatically create user private groups based on
the user's UID number. The GID number is ignored in this case. Please
see https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
for more details on the feature.
* The SSSD smart card integration now supports a special type of PAM
conversation implemented by GDM which allows the user to select the
appropriate smart card certificate in GDM. Please refer to
https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certifi...
for more details about this feature.
* A new API for accessing user and group information was added. This API
is similar to the traditional Name Service Switch API, but allows
the consumer to talk to SSSD directly as well as to fine-tune
the query with e.g. how the cache should be evaluated. Please see
https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
for more information on the new API.
* The ``sssctl`` command line tool gained a new command ``access-report``,
which can generate a report of who can access the client machine. Currently only generating
the report on an IPA client based on HBAC rules is supported. Please see
https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
for more information about this new feature.
* The ``hostid`` provider was moved from the IPA specific code to the generic
LDAP code. This allows SSH host keys to be accessed by the generic LDAP provider
as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual page
for more details.
* Setting the ``memcache_timeout`` option to 0 disables creating the
memory cache files altogether. This can be useful in cases where there is a
bug in the memory cache that needs working around.
Performance enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
* Several internal changes to how objects are stored in the cache improve
SSSD performance in environments with a large number of objects of the same
type (e.g. many users, many groups). In particular, several useless indexes
were removed and the most common object types no longer use the indexed
``objectClass`` attribute, but use the unindexed ``objectCategory`` instead
(#3503)
* In setups with ``id_provider=ad`` that use POSIX attributes which
are replicated to the Global Catalog, SSSD uses the Global Catalog to
determine which domain should be contacted for a by-ID lookup instead
of iterating over all domains. More details about this feature can
be found at
https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalo...
Notable bug fixes
^^^^^^^^^^^^^^^^^
* A crash in ``sssd_nss`` that might have happened if a list of domains
was refreshed while an NSS lookup using this request was fixed (#3551)
* A potential crash in ``sssd_nss`` during netgroup lookup in case the
netgroup object kept in memory was already freed (#3523)
* Fixed a potential crash of ``sssd_be`` with two concurrent sudo refreshes
in case one of them failed (#3562)
* A memory growth issue in ``sssd_nss`` that occurred when an entry was
removed from the memory cache was fixed (#3588)
* Two potential memory growth issues in the ``sssd_be`` process that could
have hit configurations with ``id_provider=ad`` were fixed (#3639)
* The ``selinux_child`` process no longer crashes on a system where SSSD
is compiled with SELinux support, but at the same time, the SELinux policy
is not even installed on the machine (#3618)
* The memory cache consistency detection logic was fixed. This would prevent
printing false positive memory cache corruption messages (#3571)
* SSSD now remembers the last successfully discovered AD site and uses this
for the DNS search to look up a site and forest during the next lookup. This
prevents timeouts in case SSSD was discovering the site using the global
list of DCs where some of the global DCs might be unreachable. (#3265)
* SSSD no longer starts the implicit file domain when configured with
``id_provider=proxy`` and ``proxy_lib_name=files``. This bug prevented
SSSD from being used in setups that combine identities from UNIX files
together with authentication against a remote source unless a files
domain was explicitly configured (#3590)
* The IPA provider can handle switching between different ID views better
(#3579)
* Previously, the IPA provider kept SSH public keys and certificates from
an ID view in its cache and returned them even if the public key or
certificate was then removed from the override (#3602, #3603)
* FleetCommander profiles coming from IPA are applied even if they are
assigned globally (to ``category: ALL``), previously, only profiles
assigned to a host or a hostgroup were applied (#3449)
* It is now possible to reset an expired password for users with 2FA
authentication enabled (#3585)
* A bug in the AD provider which could have resulted in built-in AD groups
being incorrectly cached was fixed (#3610)
* The SSSD watchdog can now cope better with time drifts (#3285)
* The ``nss_sss`` NSS module's return codes for invalid cases were fixed
* A bug in the LDAP provider that prevented setups with id_provider=proxy
and auth_provider=ldap with LDAP servers that do not allow anonymous
binds from working was fixed (#3451)
Packaging Changes
-----------------
* The FleetCommander desktop profile path now uses stricter permissions,
751 instead of 755 (#3621)
* A new option ``--logger`` was added to the ``sssd(8)`` binary. This option
obsoletes old options such as ``--debug-to-files``, although the old options
are kept for backwards compatibility.
* The file ``/etc/systemd/system/sssd.service.d/journal.conf`` is not
installed anymore. In order to change logging to journald, please use the
``--logger`` option. The logger is set using the
``Environment=DEBUG_LOGGER`` directive in the systemd unit files. The
default value is ``Environment=DEBUG_LOGGER=--logger=files``
Documentation Changes
---------------------
There are no notable documentation changes such as options changing default
values etc. in this release.
Tickets Fixed
-------------
* `3648 <https://pagure.io/SSSD/sssd/issue/3648>`_ - Mention in the manpages that Fleet Commander does *not* work when SSSD is running as the unprivileged user
* `3639 <https://pagure.io/SSSD/sssd/issue/3639>`_ - sssd_be consumes more memory on RHEL 7.4 systems.
* `3627 <https://pagure.io/SSSD/sssd/issue/3627>`_ - MAN: Explain how does auto_private_groups affect subdomains
* `3621 <https://pagure.io/SSSD/sssd/issue/3621>`_ - FleetCommander integration must not require capability DAC_OVERRIDE
* `3618 <https://pagure.io/SSSD/sssd/issue/3618>`_ - selinux_child segfaults in a docker container
* `3615 <https://pagure.io/SSSD/sssd/issue/3615>`_ - Requesting an AD user's private group and then the user itself returns an emty homedir
* `3613 <https://pagure.io/SSSD/sssd/issue/3613>`_ - auto_private_groups does not work with trusted domains with direct AD integration
* `3610 <https://pagure.io/SSSD/sssd/issue/3610>`_ - AD provider - AD BUILTIN groups are cached with gidNumber = 0
* `3608 <https://pagure.io/SSSD/sssd/issue/3608>`_ - dbus-send unable to find user by CAC cert
* `3603 <https://pagure.io/SSSD/sssd/issue/3603>`_ - Certificate is not removed from cache when it's removed from the override
* `3602 <https://pagure.io/SSSD/sssd/issue/3602>`_ - SSH public key authentication keeps working after keys are removed from ID view
* `3601 <https://pagure.io/SSSD/sssd/issue/3601>`_ - race condition: sssd_be in a one-way trust accepts request before ipa-getkeytab finishes, marking the sssd offline
* `3599 <https://pagure.io/SSSD/sssd/issue/3599>`_ - getent output is not showing home directory for IPA AD trusted user
* `3594 <https://pagure.io/SSSD/sssd/issue/3594>`_ - sssd used wrong search base with wrong AD server
* `3592 <https://pagure.io/SSSD/sssd/issue/3592>`_ - Write a regression test for false positive "corrupted" memory cache
* `3590 <https://pagure.io/SSSD/sssd/issue/3590>`_ - proxy to files does not work with implicit_files_domain
* `3588 <https://pagure.io/SSSD/sssd/issue/3588>`_ - sssd_nss consumes more memory until restarted or machine swaps
* `3586 <https://pagure.io/SSSD/sssd/issue/3586>`_ - Give a more detailed debug and system-log message if krb5_init_context() failed
* `3585 <https://pagure.io/SSSD/sssd/issue/3585>`_ - Reset password with two factor authentication fails
* `3579 <https://pagure.io/SSSD/sssd/issue/3579>`_ - SSSD fails to fetch group information after switching IPA client to a non-default view
* `3571 <https://pagure.io/SSSD/sssd/issue/3571>`_ - mmap cache: consistency check might fail if there are hash collisions
* `3570 <https://pagure.io/SSSD/sssd/issue/3570>`_ - The cache-req debug string representation uses a wrong format specifier for by-ID requests
* `3569 <https://pagure.io/SSSD/sssd/issue/3569>`_ - The cache_req code doesn't check the min_id/max_id boundaries for requests by ID
* `3564 <https://pagure.io/SSSD/sssd/issue/3564>`_ - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True'
* `3563 <https://pagure.io/SSSD/sssd/issue/3563>`_ - Some sysdb tests fail because they expect a certain order of entries returned from ldb
* `3562 <https://pagure.io/SSSD/sssd/issue/3562>`_ - Use-after-free if more sudo requests run and one of them fails, causing a fail-over to a next server
* `3560 <https://pagure.io/SSSD/sssd/issue/3560>`_ - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
* `3551 <https://pagure.io/SSSD/sssd/issue/3551>`_ - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault in sssd_nss
* `3547 <https://pagure.io/SSSD/sssd/issue/3547>`_ - data from ipa returned with id_provider=file
* `3545 <https://pagure.io/SSSD/sssd/issue/3545>`_ - SSSD creates bad override search filter due to AD Trust object with parenthesis
* `3539 <https://pagure.io/SSSD/sssd/issue/3539>`_ - Do not autostart the implicit files domain if sssd configures id_provider=proxy and proxy_target_files
* `3529 <https://pagure.io/SSSD/sssd/issue/3529>`_ - SSSD-kcm/secrets failed to restart during/after upgrade
* `3528 <https://pagure.io/SSSD/sssd/issue/3528>`_ - sssd refuses to start when pidfile is present, but the process is gone
* `3523 <https://pagure.io/SSSD/sssd/issue/3523>`_ - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
* `3503 <https://pagure.io/SSSD/sssd/issue/3503>`_ - Do not index objectclass, add and index objectcategory instead
* `3496 <https://pagure.io/SSSD/sssd/issue/3496>`_ - [RFE] Add a configuration option to SSSD to disable the memory cache
* `3486 <https://pagure.io/SSSD/sssd/issue/3486>`_ - Improve `enumerate` documentation/troubleshooting guide
* `3484 <https://pagure.io/SSSD/sssd/issue/3484>`_ - MAN: Describe the constraints of ipa_server_mode better in the man page
* `3468 <https://pagure.io/SSSD/sssd/issue/3468>`_ - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests
* `3454 <https://pagure.io/SSSD/sssd/issue/3454>`_ - sssd-kcm crashes with multiple parallel requests
* `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.
* `3444 <https://pagure.io/SSSD/sssd/issue/3444>`_ - document information on why SSSD does not use host-based security filtering when processing AD GPOs
* `3433 <https://pagure.io/SSSD/sssd/issue/3433>`_ - SYSLOG_IDENTIFIER is different
* `3293 <https://pagure.io/SSSD/sssd/issue/3293>`_ - Log when SSSD authentication fails because two IPA accounts share an email address
* `3285 <https://pagure.io/SSSD/sssd/issue/3285>`_ - SSSD needs restart after incorrect clock is corrected with AD
* `3265 <https://pagure.io/SSSD/sssd/issue/3265>`_ - [RFE] sssd should remember DNS sites from first search
* `3198 <https://pagure.io/SSSD/sssd/issue/3198>`_ - Incorrect error code returned from krb5_child for expired/locked user with id_provider AD
* `2976 <https://pagure.io/SSSD/sssd/issue/2976>`_ - sdap code can mark the whole sssd_be offline
* `2840 <https://pagure.io/SSSD/sssd/issue/2840>`_ - [RFE] Produce access control attestation report for IPA domains
* `2823 <https://pagure.io/SSSD/sssd/issue/2823>`_ - Integration tests: Use dbus-daemon in cwrap environment for test
* `2478 <https://pagure.io/SSSD/sssd/issue/2478>`_ - Provide sss_nss_* API to directly query SSSD instead of nsswitch.conf route
* `1872 <https://pagure.io/SSSD/sssd/issue/1872>`_ - [RFE] Support User Private Groups for main domains, too
* `1729 <https://pagure.io/SSSD/sssd/issue/1729>`_ - Enumerating a large number of users makes sssd_be hog the CPU for a long time.
Detailed Changelog
------------------
* Andreas Schneider (1):
  * Avoid double semicolon warnings on older compilers
* Carlos O'Donell (1):
  * nss: Fix invalid enum nss_status return values.
* Fabiano Fidêncio (21):
  * CACHE_REQ: Copy the cr_domain list for each request
  * LDAP: Bind to the LDAP server also in the auth
  * TOOLS: Double quote array expansions in sss_debuglevel
  * TOOLS: Call "exec" for sss_debuglevel
  * LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth
  * SYSDB: Remove code causing a covscan warning
  * NSS: Fix covscan warning
  * CACHE_REQ: Fix typo: cache_reg -> cache_req
  * TOOLS: Fix typo: exist -> exists
  * SYSDB: Return EOK in case a non-fatal issue happened
  * SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set
  * IPA: Remove sshPublicKey attribute when it's not set
  * DESKPROFILE: Add checks for user and host category
  * DESKPROFILE: Harden the permission of deskprofilepath
  * DESKPROFILE: Soften umask for the domain's dir
  * DESKPROFILE: Fix the permissions and soften the umask for user's dir
  * DESKPROFILE: Use seteuid()/setegid() to create the profile
  * DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir
  * DESKPROFILE: Set the profile permissions to read-only
  * PYSSS_MURMUR: Fix [-Wsign-compare] found by gcc
  * DESKPROFILE: Document it doesn't work when run as unprivileged user
* Hristo Venev (1):
  * providers: Move hostid from ipa to sdap, v2
* Jakub Hrozek (35):
  * Update the version number to track 1.16.1 development
  * CONFIG: Add a new option auto_private_groups
  * CONFDB: Remove the obsolete option magic_private_groups
  * SDAP: Allow the mpg flag for the main domain
  * LDAP: Turn group request into user request for MPG domains if needed
  * SYSDB: Prevent users and groups ID collision in MPG domains except for id_provider=local
  * TESTS: Add integration tests for the auto_private_groups option
  * RESP: Add some missing NULL checks
  * TOOLS: Add a new sssctl command access-report
  * SDAP: Split out utility function sdap_get_object_domain() from sdap_object_in_domain()
  * LDAP: Extract the check whether to run a POSIX check to a function
  * LDAP: Only run the POSIX check with a GC connection
  * SDAP: Search with a NULL search base when looking up an ID in the Global Catalog
  * SDAP: Rename sdap_posix_check to sdap_gc_posix_check
  * DP: Create a new handler function getAccountDomain()
  * AD: Implement a real getAccountDomain handler for the AD provider
  * RESP: Expose DP method getAccountDomain() to responders
  * NEGCACHE: Add API for setting and checking locate-account-domain requests
  * TESTS: Add tests for the object-by-id cache_req interface
  * CACHE_REQ: Export cache_req_search_ncache_add() as cache_req private interface
  * CACHE_REQ: Add plugin methods required for the domain-locator request
  * CACHE_REQ: Add a private request cache_req_locate_domain()
  * CACHE_REQ: Implement the plugin methods that utilize the domain locator API
  * CACHE_REQ: Use the domain-locator request to only search domains where the entry was found
  * MAN: Document how the Global Catalog is used currently
  * IPA: Include SYSDB_OBJECTCATEGORY, not OBJECTCLASS in cache search results
  * MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type
  * MAN: Improve enumeration documentation
  * MAN: Describe the constraints of ipa_server_mode better in the man page
  * IPA: Delay the first periodic refresh of trusted domains
  * AD: Inherit the MPG setting from the main domain
  * SYSDB: Fix sysdb_search_by_name() for looking up groups in MPG domains
  * SYSDB: Use sysdb_domain_dn instead of raw ldb_dn_new_fmt
  * SYSDB: Read the ldb_message from loop's index counter when reading subdomain UPNs
  * AD: Use the right sdap_domain for the forest root
* Lukas Slebodnik (51):
  * KCM: Fix typo in comments
  * CI: Ignore source file generated by systemtap
  * UTIL: Add wrapper function to configure logger
  * Add parameter --logger to daemons
  * SYSTEMD: Replace parameter --debug-to-files with ${DEBUG_LOGGER}
  * SYSTEMD: Add environment file to responder service files
  * UTIL: Hide and deprecate parameter --debug-to-files
  * KCM: Fix restart during/after upgrade
  * BUILD: Properly expand variables in sssd-ifp.service
  * SYSTEMD: Clean pid file in corner cases
  * CHILD: Pass information about logger to children
  * BUILD: Disable tests with known failures
  * SPEC: Reduce build time dependencies
  * sysdb-test: Fix warning may be used uninitialized
  * responder: Fix talloc hierarchy in sized_output_name
  * test_responder: Check memory leak in sized_output_name
  * confdb: Move detection files to separate function
  * confdb: Fix starting of implicit files domain
  * confdb: Do not start implicit_files with proxy domain
  * test_files_provider: Regression test for implicit_files + proxy
  * SDAP: Fix typo in debug message
  * Revert "intg: Disable add_remove tests"
  * libnfsidmap: Use public plugin header file if available
  * dyndns_tests: Fix unit test with missing features in nsupdate
  * Remove unnecessary script for upgrading debug_levels
  * Remove legacy script for upgrading sssd.conf
  * BUILD: Add missing libs found by -Wl,-z,defs
  * BUILD: Fix using of libdlopen_test_providers.so in tests
  * SYSDB: Decrease debuglevel in sysdb_get_certmap
  * KRB5: Pass special flag to krb5_child
  * krb5_child: Distinguish between expired & disabled AD user
  * AD: Suppress warning Wincompatible-pointer-types with sasl callbacks
  * pysss: Drop unused parameter
  * pysss: Suppress warning Wincompatible-pointer-types
  * CRYPTO: Suppress warning Wstringop-truncation
  * INOTIFY: Fix warning Wstringop-truncation
  * SIFP: Suppress warning Wstringop-truncation
  * CLIENT: Fix warning Wstringop-overflow
  * pysss_murmur: Allow to have NUL character in python bindings
  * TESTS: Extend code coverage for murmurhash3
  * mmap_cache: Remove unnecessary memchr in client code
  * test_memory_cache: Regression test for #3571
  * SPEC: Fix systemd executions/requirements
  * SPEC: Reduce changes between upstream and downstream
  * intg: Build with optimisations and debug symbols
  * intg: Do not prefer builddir in PATH
  * intg: Install configuration for dbus daemon
  * intg: Install wrapper for getsockopt
  * intg: Add sample infopipe test in cwrap env
  * IPA: Drop unused ifdef HAVE_SELINUX_LOGIN_DIR
  * IPA: Fix typo in debug message in sssm_ipa_selinux_init
* Michal Židek (9):
  * NSS: Move memcache setup to separate function
  * NSS: Specify memcache_timeout=0 semantics
  * MAN: Document memcache_timeout=0 meaning
  * MAN: GPO Security Filtering limitation
  * SYSDB: Better debugging for email conflicts
  * TESTS: Order list of entries in some lists
  * Revert "BUILD: Disable tests with known failures"
  * SELINUX: Check if SELinux is managed in selinux_child
  * util: Add sss\_ prefix to some functions
* Niranjan M.R (1):
  * Initial revision of sssd pytest framework
* Pavel Březina (10):
  * sudo: document background activity
  * sudo: always use srv_opts from id context
  * AD: Remember last site discovered
  * sysdb: add functions to get/set client site
  * AD: Remember last site discovered in sysdb
  * dp: use void * to express empty output argument list
  * dp: add method to refresh access control rules
  * ipa: implement method to refresh HBAC rules
  * ifp: add method to refresh access control rules in domain
  * sssctl: call dbus instead of pam to refresh HBAC rules
* René Genz (12):
  * Fix minor spelling mistakes
  * README: Add link to docs repo
  * Fix minor spelling mistakes
  * Fix minor spelling mistakes in providers/*
  * Fix minor spelling mistakes in responder/*
  * Fix minor spelling mistakes in sss_client/*
  * Fix minor spelling mistakes in tests/cmocka/*
  * Fix minor spelling mistakes
  * Fix minor spelling mistakes in tests/*
  * Fix minor spelling mistakes in tests/multihost/*
  * Fix minor spelling mistakes in PY files in tests/python/*
  * Fix minor spelling mistakes and formatting in tests/python/*
* Sumit Bose (48):
  * sss_client: create nss_common.h
  * nss-idmap: add nss like calls with timeout and flags
  * NSS: add \*_EX version of some requests
  * NSS: add support for SSS_NSS_EX_FLAG_NO_CACHE
  * CACHE_REQ: Add cache_req_data_set_bypass_dp()
  * nss: make memcache_delete_entry() public
  * NSS: add support for SSS_NSS_EX_FLAG_INVALIDATE_CACHE
  * NSS/TESTS: add unit tests for \*_EX requests
  * nss-idmap: add timeout version of old sss_nss_* calls
  * nss-idmap: allow empty buffer with SSS_NSS_EX_FLAG_INVALIDATE_CACHE
  * p11_child: return multiple certs
  * PAM: handled multiple certs in the responder
  * pam_sss: refactoring, use struct cert_auth_info
  * p11_child: use options to select certificate for authentication
  * pam: add prompt string for certificate authentication
  * PAM: allow missing logon_name during certificate authentication
  * p11_child: add descriptions for error codes to debug messages
  * pam: filter certificates in the responder not in the child
  * PAM: add certificate's label to the selection prompt
  * NSS: Use enum_ctx as memory_context in _setnetgrent_set_timeout()
  * mmap_cache: make checks independent of input size
  * sysdb: be_refresh_get_values_ex() remove unused option
  * sysdb: do not use objectClass for users and groups
  * sysdb: do not use LDB_SCOPE_ONELEVEL
  * sysdb: remove IDXONE and objectClass from users and groups
  * krb5: show error message for krb5_init_context() failures
  * UTIL: add find_domain_by_object_name_ex()
  * ipa: handle users from different domains in ipa_resolve_user_list_send()
  * overrides: fixes for sysdb_invalidate_overrides()
  * ipa: check for SYSDB_OVERRIDE_DN in process_members and get_group_dn_list
  * IPA: use cache searches in get_groups_dns()
  * ipa: compare DNs instead of group names in ipa_s2n_save_objects()
  * p11_child: make sure OCSP checks are done
  * nss-idmap: allow NULL result in \*_timeout calls
  * Revert "p11_child: make sure OCSP checks are done"
  * p11_child: properly check results of CERT_VerifyCertificateNow
  * ifp: use realloc in ifp_list_ctx_remaining_capacity()
  * SDAP: skip builtin AD groups in sdap_save_grpmem()
  * sysdb: add userMappedCertificate to the index
  * krb5_child: check preauth types if password is expired
  * pam_sss: password change with two factor authentication
  * nss-idmap: check timed muted return code
  * krb5: call krb5_auth_cache_creds() if a password is available
  * DESKPROFILE: Fix 'Improper use of negative value'
  * AD: sdap_get_ad_tokengroups_done() allocate temporary data on state
  * AD: do not allocate temporary data on long living context
  * ipa: remove SYSDB_USER_CERT from sub-domain users
  * ipa: add SYSDB_USER_MAPPED_CERT for certs in idoverrides
* Thorsten Scherf (1):
  * IPA: Fixed subdomain typo
* Victor Tapia (1):
  * WATCHDOG: Restart providers with SIGUSR2 after time drift
* amitkuma (3):
  * cache_req: Correction of cache_req debug string ID format
  * cache: Check for max_id/min_id in cache_req
  * MAN: Explain how auto_private_groups affects subdomains