logic behind replica installer - host already exists
by lejeczek
hi
having a client installed now I attempt to install a replica..
..
host already exists. It needs to be removed.
Run this command:
%% ipa-replica-manage del
rider.private.ccnr.ceb.private.cam.ac.uk --force
which I do, I go to first master and I do as recommend, and
on candidate replica again I do, but this time..
..
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR Major (851968): Unspecified GSS failure. Minor
code may provide more information, Minor (2529638918):
Client
'host/rider.private.ccnr.ceb.private.cam.ac.uk@PRIVATE' not
found in Kerberos database
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR
on first master I do: $ ipa host-find ; and yes, there no
host so I need to do client re-installation, right?
Is this intended & expected? Or is this some weird bug?
many thanks, L.
6 years
client installation would randomly succeed
by lejeczek
hi
I'm trying to install a client that would very rarely
succeed, 9 out of 10 fails, I run these installations in series.
When it fails it does it this way:
..
Failed to obtain host TGT: Major (851968): Unspecified GSS
failure. Minor code may provide more information, Minor
(2529638936): Preauthentication failed
But when it succeed that replica installation would always
fail, always the same way, like:
..
[28/40]: adding sasl mappings to the directory
[29/40]: updating schema
ipa : CRITICAL Failed to load schema-update.ldif:
Command '/usr/bin/ldapmodify -v -f
/usr/share/ipa/schema-update.ldif -H
ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket -Y EXTERNAL'
returned non-zero exit status 50
[error] CalledProcessError: Command '/usr/bin/ldapmodify
-v -f /usr/share/ipa/schema-update.ldif -H
ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket -Y EXTERNAL'
returned non-zero exit status 50
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
..
in log:
..
2018-04-07T15:34:24Z DEBUG stderr=ldap_initialize(
ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket/??base )
SASL/EXTERNAL authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the
'objectClasses' attribute of entry 'cn=schema'.
2018-04-07T15:34:24Z CRITICAL Failed to load
schema-update.ldif: Command '/usr/bin/ldapmodify -v -f
/usr/share/ipa/schema-update.ldif -H
ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket -Y EXTERNAL'
returned non-zero exit status 50
2018-04-07T15:34:24Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 490, in __update_schema
self._ldap_mod("schema-update.ldif")
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 308, in _ldap_mod
ipautil.run(args, nolog=nologlist)
File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
line 512, in run
raise CalledProcessError(p.returncode, arg_string,
str(output))
CalledProcessError: Command '/usr/bin/ldapmodify -v -f
/usr/share/ipa/schema-update.ldif -H
ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket -Y EXTERNAL'
returned non-zero exit status 50
2018-04-07T15:34:24Z DEBUG [error] CalledProcessError:
Command '/usr/bin/ldapmodify -v -f
/usr/share/ipa/schema-update.ldif -H
ldapi://%2Fvar%2Frun%2Fslapd-PRIVATE.socket -Y EXTERNAL'
returned non-zero exit status 50
...
How I exec commands:
$ ipa-client-install --principal=admin
--password=pass#diradm --force-join -U &&
ipa-replica-install --setup-dns --no-forwarders
--admin-password=pass#diradm -U
How is possible to troubleshoot this?
many thanks
6 years
FreeIPA-integrated remote desktop?
by Alex Corcoles
Hi,
Is there a nice combo that gives you a well-integrated remote desktop
(preferrably RDP or something bandwidth friendly) on FreeIPA? What I mean
is something that can be dnf-installed and doesn't require much messing
around so I can use mstsc.exe or Remmina (or rocket-depot, etc.) and
connect to a multi-user desktop environment integrated with FreeIPA?
I'd probably do this on Fedora, although RHEL/CentOS would be welcome to
(even Debian/Ubuntu, but I don't think that's going to be easier OOB).
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
6 years
ipa: ERROR: No valid Negotiate header in server response
by Zarko Dudic
Hi there,
Seems I have to kinit every time in order to run ipa command, as a quick
fix!?
The client is ipa-client-4.5.0-22.0.1.el7_4.x86_64
Servers are ipa-server-4.4.0-12.0.1.el7.x86_64
This has started recently and I am not able to track any changes that
could cause this. This happens:
# kinit
# ipa -d -vv user-find bob
- get good results. Then run same command again.
# ipa -d -vv user-find bob
ipa: DEBUG: New HTTP connection (ldap03.pls.com)
ipa: DEBUG: HTTP connection destroyed (ldap03.pls.com)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in
single_request
if not self._auth_complete(response):
File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in
_auth_complete
message=u"No valid Negotiate header in server response")
KerberosError: No valid Negotiate header in server response
ipa: ERROR: No valid Negotiate header in server response
[can provide more info if needed].
The kinit allows only next run to be successful.
I notice that problem occurs only with ldap03, ldap03 is called when
running ipa for the second time. And after kinit, another servers are
queried, not ldap03, hence no issue.
Another longer time 'fix' is in /etc/hosts, assigning IP (of another
server) to ldap03, basically "avoiding" ldap03.
Any idea for troubleshoot is appreciated. Thanks in advance!
--
Thanks,
Zarko
6 years
dns recursion
by Andrew Meyer
Another issue i'm having is that we have DNS setup with split horizon/views in R53. We want to be able to get a copy of the internal zone from R53 from my local FIPA servers. Is this possible? I have zone forwards setup in FIPA so that if you are up in AWS VPC you can query R53. However I can't do that form my local office. We are trying to figure out how to get a copy of the internal zone down to my local FIPA servers. From what I have read this is NOT possible since I can't recursively talk to R53.
I can't remember if I have asked this before but has anyone else done this?
Thank you, Andrew
6 years
FreeIPA DNS troubleshooting
by Kristian Petersen
I am in the process of switching a small network over from a DNS hosted on
a pfSense firewall appliance to one handled by FreeIPA. I haven't got a
lot of expereience with DNS in this regard. When I made the cut over,
everything seemed to work except for a trio of websites all hosted from
this one server. When I do an nslookup on the webserver's domain name
using the pfSense is shows:
16.1.168.192.in-addr.arpa name = webserver.cpms.byu.edu.
The same query but using the FreeIPA DNS shows:
16.1.168.192.in-addr.arpa name = webserver.cpms.byu.edu.
16.1.168.192.in-addr.arpa.
I'm not sure what is causing the difference in the responses.
In the zone cpms.byu.edu, I have an A record for webserver with the IP
address 1923168.1.16.
In the zone 1.168.192.in-addr.arpa., there is a PTR record 16 for
webserver.cpms.byu.edu
Any thoughts?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
6 years
Re: Third Party SSL for HTTP and Certmonger SSL for LDAP
by Alka Murali
Hello Team,
Right now, I am using third party SSL for both HTTP and LDAP services.
However I would like to know if there is any way to use third party SSL for
HTTP alone and certmonger SSL for LDAP services.
--
Regards,
Alka Murali
6 years
Fwd: Centos Update to 4.6.X
by Jens Laufer
Hey,
i run an centos vserver with freeipa in version 4.5 but i am not able to
upgrade it to 4.6.x.
I tried yum update allready and looked at the upgrade (
https://www.freeipa.org/page/Upgrade), but didnt found any helpfull
informations.
Any idea what is wrong?
thank you very much
6 years
FreeIPA ipa-ca-install problem at the second replica
by Jan Gardian
Hello,
We have freeipa installed in our environment with two master replica
servers but only one have CA installed.
I tried to install CA also at the second server but got error during
communication with first replica "HTTPError: 502 Server Error: Proxy Error".
Server's OS: "Ubuntu 16.04.3 LTS (Xenial Xerus)"
ipa version: 4.3.1, API_VERSION: 2.164
Collected logs from ipa-ca-install and other logs are in attached file
"ipa_ca_install_logs"
If you will require more logs please write.
Thank you for checking and any provided advice.
With kind regards,
--
*Ján Gardian*
Security Software Specialist
*CYAN Research & Development s.r.o.*
Palackého třída 879/84, 612 00 Brno, CZ
Upozornění: Tento e-mail včetně všech příloh je důvěrný a může být
předmětem obchodního tajemství. Pokud nejste zamýšleným adresátem,
upozorněte prosím ihned odesilatele, zničte všechny kopie z Vašeho
systému a nevyzrazujte nebo nepoužívejte tyto informace k žádnému účelu.
Notice: This e-mail and any attachments are confidential and may be
privileged. If you are not the intended recipient, notify the sender
immediately, destroy all copies from your system and do not disclose or
use the information for any purpose.
6 years
Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
by lejeczek
hi guys,
I fail to troubleshoot this here:
$ ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing
normal operation
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
logs in /var/log/pki/pki-tomcat:
localhost.2018-03-28.log
...
Mar 28, 2018 11:35:14 AM
org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
?????????????? at
com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
?????????????? at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
?????????????? at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
?????????????? at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
?????????????? at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
?????????????? at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
?????????????? at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
?????????????? at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
?????????????? at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
?????????????? at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
?????????????? at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
?????????????? at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
?????????????? at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
?????????????? at java.lang.Thread.run(Thread.java:748)
in catalina.2018-03-28.log:
...
Mar 28, 2018 11:41:35 AM
org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm
com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
?????? at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
?????? at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
?????? at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
?????? at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
?????? at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
?????? at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
?????? at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
?????? at java.lang.Thread.run(Thread.java:748)
Would you able to conclude anything from those errors? What
might be a problem?
many thanks, L.
6 years
