April 2018 - FreeIPA-users - Fedora Mailing-Lists

dumb question - how many AD trust setup interactions are needed for multi-node replicating IPA cluster

by Chris Dagdigian

Hi folks, Multi-region AWS IPA user here. We've got an ancient and brittle IPA setup with broken replication and an inability to upgrade. Rather than fix I want to stand up a whole new set of IPA servers running the latest version so I can get replication working again as well as leverage all the great new features in IPA and SSSD subsystem. However in my environment it's an incredibly complex process to set up a 1-way trust with Active Directory. The administrators work for a managed service provider and they are outside of the normal support loop so they rarely interact with peons and outsiders like myself. Just getting their attention is a procedural and political effort. The first AD trust took more than 3 months to setup (!) I need to start the process again for requesting a new AD trust arrangement for the new IPA servers I intend to build. Realized that I had a really dumb question ... If my goal is to have a 4-node replicating cluster (2x in us-east AWS region and 2x in eu-central-2 region) how many discrete AD trusts do I actually have to arrange with my remote AD administrators? If I get a good 1-way trust working on a single IPA node in the cluster, will the replicating targets inherit this trust? Do I need to set up the trust individually on each of the 4 planned IPA boxes? Thanks! _Chris

6 years

2
1
0 / 0

LDAP Replication errors and GSSAPI authentication on one FreeIPA replica

by Dave Jablonski

One of the FreeIPA replicas are not able to use the GSSAPI authentication to connect to ldap server on itself or any other FreeIPA server. I'm not sure why. I added example.com to just replace the actual domains, we're not using that. I really don't fully understand how the krbprincipalname is used but as a thought I think maybe we have 2 ldap/ krbbprincipal names for this host/service and it's using the wrong one for the mapping. ipa-server-4.5.0 eu-ipa-02.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error) last update ended: 1970-01-01 00:00:00+00:00 ipa-001.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error) last update ended: 1970-01-01 00:00:00+00:00 rsdfw-ipa-01.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error) last update ended: 1970-01-01 00:00:00+00:00 rsiad-ipa-01.example.com: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error) last update ended: 1970-01-01 00:00:00+00:00 [root@eu-ipa-01 ~]# klist -ke /etc/dirsrv/ds.keytab Keytab name: FILE:/etc/dirsrv/ds.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 ldap/eu-ipa-01.example.com(a)EXAMPLE.COM (aes256-cts-hmac-sha1-96) 2 ldap/eu-ipa-01.example.com(a)EXAMPLE.COM (aes128-cts-hmac-sha1-96) 2 ldap/eu-ipa-01.example.com(a)EXAMPLE.COM (des3-cbc-sha1) 2 ldap/eu-ipa-01.example.com(a)EXAMPLE.COM (arcfour-hmac) 2 ldap/eu-ipa-01.example.com(a)EXAMPLE.COM (camellia128-cts-cmac) 2 ldap/eu-ipa-01.example.com(a)EXAMPLE.COM (camellia256-cts-cmac) ldapsearch -h eu-ipa-01.example.com -D "cn=directory manager" -W -b "dc=example,dc=com" '(krbprincipalname=ldap/eu-ipa-01*)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (krbprincipalname=ldap/eu-ipa-01*) # requesting: ALL # # ldap/eu-ipa-01.example.com(a)EXAMPLE.COM, services, accounts, example.com dn: krbprincipalname=ldap/eu-ipa-01.example.com(a)EXAMPLE.COM ,cn=services,cn=accou nts,dc=example,dc=com krbLastSuccessfulAuth: 20180411141738Z ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=example,dc=ne t memberOf: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com ipaKrbPrincipalAlias: ldap/eu-ipa-01.example.com(a)EXAMPLE.COM userCertificate:: krbExtraData:: krbPrincipalKey:: krbLoginFailedCount: 0 krbLastPwdChange: 20170718043248Z krbCanonicalName: ldap/eu-ipa-01.example.com(a)EXAMPLE.COM objectClass: ipaobject objectClass: top objectClass: ipaservice objectClass: pkiuser objectClass: krbprincipal objectClass: krbprincipalaux objectClass: krbTicketPolicyAux objectClass: ipakrbprincipal objectClass: ipaallowedoperations managedBy: fqdn=eu-ipa-01.example.com ,cn=computers,cn=accounts,dc=example,dc=com krbPrincipalName: ldap/eu-ipa-01.example.com(a)EXAMPLE.COM ipaUniqueID: 26d525e0-6b72-11e7-803b-0643f376e57a krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accou nts,dc=example,dc=com # ldap/eu-ipa-01.example.com(a)EXAMPLE.COM + d07bbe98-65a111e7-8454f4db-22f31cc6, s ervices, accounts, example.com dn: krbprincipalname=ldap/eu-ipa-01.example.com(a)EXAMPLE.COM +nsuniqueid=d07bbe98- 65a111e7-8454f4db-22f31cc6,cn=services,cn=accounts,dc=example,dc=com ipaKrbPrincipalAlias: ldap/eu-ipa-01.example.com(a)EXAMPLE.COM userCertificate:: krbExtraData:: krbPrincipalKey:: krbLastPwdChange: 20170710185854Z krbCanonicalName: ldap/eu-ipa-01.example.com(a)EXAMPLE.COM objectClass: ipaobject objectClass: top objectClass: ipaservice objectClass: pkiuser objectClass: krbprincipal objectClass: krbprincipalaux objectClass: krbTicketPolicyAux objectClass: ipakrbprincipal managedBy: fqdn=eu-ipa-01.example.com ,cn=computers,cn=accounts,dc=example,dc=com krbPrincipalName: ldap/eu-ipa-01.example.com(a)EXAMPLE.COM ipaUniqueID: d1f75da2-65a1-11e7-b431-0643f376e57a krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accou nts,dc=example,dc=com # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 Is this 2nd result the one it's trying to use and it has the wrong password associated with it? [11/Apr/2018:12:06:08.426926060 +0100] conn=137434 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [11/Apr/2018:12:06:08.431094978 +0100] conn=137434 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [11/Apr/2018:12:06:08.431544044 +0100] conn=137434 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [11/Apr/2018:12:06:08.432833552 +0100] conn=137434 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [11/Apr/2018:12:06:08.432981174 +0100] conn=137434 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI [11/Apr/2018:12:06:08.433457303 +0100] conn=137434 op=3 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure: [11/Apr/2018:12:06:08.433918022 +0100] conn=137434 op=4 UNBIND [11/Apr/2018:12:06:08.433934070 +0100] conn=137434 op=4 fd=229 closed - U1 Any help would be most appreciated. Thank you. -- IMPORTANT: This e-mail (including any attachments) is intended for the use of the individual or entity to which it is addressed and may contain information that is classified, private, or confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is prohibited. If you have received this communication in error, please notify us immediately by replying to this e-mail. Thank you.

6 years

3
2
0 / 0

modifying ttl on dns records

by Andrew Meyer

I am trying to modify the TTL for records in my zone. When I try to do this I am getting the following error: [gatewayblend@freeipa01-dev ~]$ ipa dnsrecord-mod gatewayblend.local. andrew-test.stl1 --ttl=300No option to modify specific record provided.Current DNS record contents: SSHFP record: 1 1 8F38BD27234E2F419E8179607096D497DABAB293, 1 2 3536330BFFF12A9E135FB1C0AD0592B85AF6DE4B806386CDAFB8A907 46C55DC0, 3 1 593EA53A72596B89549FE7C342EC6207CBE4B1A5, 3 2 CCD421DBE0FF48127B1360F463506FBD07D1751E9C0694398B14624E D925F2B0, 4 1 3B50D596C462184636194EBBD6D7142D964CAE4F, 4 2 4C7B1BA7E6108EC2225DBF1D85DA60CDFEDCCF11FC140A2C068A4804 E2813CB8A record: 10.1.6.200 Modify SSHFP record '1 1 8F38BD27234E2F419E8179607096D497DABAB293'? Yes/No (default No): Yipa: ERROR: invalid 'name': must be Unicode text[gatewayblend@freeipa01-dev ~]$

6 years

2
2
0 / 0

Question about FreeIPA

by Mike Manfredi

I noticed in FreeIPA is that it looks like the directory infrastructure is flat. There is no tree, or no way to make OUs. When I look at other solutions like openLDAP and 389 Directory server. It has the ability to do trees. Which makes me wonder if, FreeIPA is using 389 Directory server, why is it flat. Is there a way to make it more flexible, or do I have to find other solutions? If it's better than having a tree and make multiple OUs, can you please tell me why? Thanks

6 years

2
1
0 / 0

authoritative nameserver

by Andrew Meyer

A while ago I removed my original 2 FreeIPA server after adding 4 new ones. However in the DNS zone for my FreeIPA server in the authoritative nameserver entry I still have the original nameserver. Should this have been changed when I removed it? Does this have to be changed manually? Authoritative nameserver: infra-test-ipa.gatewayblend.net.

6 years

1
0
0 / 0

Re: ipa-restore breaks pki-tomcatd (?)

by Florence Blanc-Renaud

On 04/10/2018 04:30 PM, Hillar Aarelaid wrote: > >> On 10. apr 2018, at 15:05, Florence Blanc-Renaud <flo(a)redhat.com> wrote: >> >> I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca. > > sorry, i did not touch any certificates. > Hi, (re-adding the mailing in copy) the certificates may have expired between the time you did the backup and reinstalled. What is the output of ipactl status? If only pki-tomcatd fails to start, then the logs from /var/log/pki/pki-tomcat/ca may provide more information. Flo > it was simple ipa-backup->ipa-restore as described in https://www.freeipa.org/page/Backup_and_Restore#Server_Loss_Cases > i had _single_ server and (by scenario 'Catastrophic hardware failure') i lost it so i start with new server from scratch... > i followed https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > as it says: "Important It is recommended that you uninstall a server before performing a full-server restore on it." > i tried > a) ipa-server-install and then uninstall and then ipa-restore > b) no ipa-server-install, straight to ipa-restore > > and always ended up with tomcat not starting > it seems that most was restored, as i can do kinit with previously existed users and i can find them with ldapsearch > but command line "ipa whatever-command" fail, so ;( ;( ;( > > Hillar > > #ref https://github.com/hillar/detektiven/blob/master/vagans/createFedoraIPA.b... > > >

6 years

1
0
0 / 0

ipa-restore breaks pki-tomcatd (?)

by lejeczek

hi here I have something very easily reproducible I think. I have two masters IPA, fist one stood alone for a while and then I added the second server. Then I ipa-restored the first master to a data backup from a day or two before second master was added and now: ... Starting pki-tomcatd Service Failed to start pki-tomcatd Service in /var/log/pki/pki-tomcat/ca/debug: ... [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [04/Apr/2018:11:56:27][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering! [04/Apr/2018:11:56:27][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca [04/Apr/2018:11:56:27][localhost-startStop-1]: SSL handshake happened Could not connect to LDAP server host swir.private port 636 Error netscape.ldap.LDAPException: Authentication failed (49) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572) at com.netscape.certsrv.apps.CMS.init(CMS.java:189) at com.netscape.certsrv.apps.CMS.start(CMS.java:1631) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) ... Is this normal/expected? Many thanks, L.

6 years

3
3
0 / 0

Obtain TGT at login.

by Michael Rainey (Contractor, Code 7320)

Greetings, My organization is working to remove the need for passwords for its end-users. While moving forward on this project I have noticed after logging into a system the user is never given a TGT after login. A TGT can be obtained by using kinit and entering a password, but this defeats the purpose eliminating the use of passwords. Is there some guidance I can follow to configure freeIPA to obtain a TGT at login. So farmy searches have come up empty. Is this type of configuration handled by SSSD or do I need to configure kerberos? Any guidance is greatly appreciated. Thanks, -- *Michael Rainey*

6 years

4
3
0 / 0

ipa-client-install - error - Failed to obtain host TGT: Major (851968)

by lejeczek

hi everyone I'm trying a client, when I do: $ ipa-client-install --no-ntp --force-join Discovery was successful! ... Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled) Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed Installation failed. Rolling back changes. -- end At server's end(one single server in domain): .. Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): closing down fd 11 Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x, Additional pre-authentication required Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11 Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x, Preauthentication failed Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11 Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x, Additional pre-authentication required Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): closing down fd 11 Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11 Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11 Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x -- end But after many tries(randomly) suddenly it would succeed. Client said to use --force-join. VERSION: 4.5.0, API_VERSION: 2.228 What can a problem? regards, L.

6 years

4
8
0 / 0

client does not see users

by lejeczek

hi guys I've successfully(?) installed replica but that system(local to IPA) does not see IPA users. I've had a look at sssd.conf and krb5.conf and all seem okey. I use authconf to tell system to "Cache Information" and then users are visible What can be the problem? What am I missing? many thanks, L.

6 years

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users April 2018