Problem with promoting replica: missing key for auditSigningCert on CA server
by Andy Stubbs
Hi
So, I have what I think seems to be a slightly odd problem. And I think
I've worked out what the solution might be - but not the root cause. In any
case, I wanted to run it by you all and see whether you agree or have any
insight into it.
The background
running 6 directory servers 4.5.0-21 on CentOS 7.4.1708, 3 of which have
the CA role. I've been running the directory blissfully uneventfully for
7ish months now. We have experimented a little bit with the CA features,
but nothing that can't be done trivially with the web interface (on
reflection I'm sure it probably is trivial to revoke your primary
certificate authority with the web interface, but you know what I mean).
The problem
In the past few days I've had the occasion to try to create a new replica
but on each attempt, the process fails around this time:
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
The ipa-replica-install command failed, exception: HTTPError: 404 Client
Error: Not Found
404 Client Error: Not Found
The ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information
Now, I've learned a fair amount over the past few days digging into this,
like what ipa-custodia is, and how to poke it.
It seems that at this point, the process is still actually actively doing
things - it appears to be generating some kind of NSS certificate/key
store. And that process is failing, because apparently it can't find the
key for the entry "auditSigningCert cert-pki-ca" - specifically in
custodiainstance.__get_keys the call to cli.fetch_key is failing for this
nickname (but no others).
So, more digging, and I find that yes indeed, the private key appears to be
missing from the cert database on one of the directory servers
(specifically the "first" directory server).
I haven't quite joined the dots on how custodia is working here, but using
the following command:
sudo certutil -L -d /etc/pki/pki-tomcat/alias
I can determine that on the first directory server, the trust attributes
for this cert are ",,P" whereas on the other two CA directory servers, the
trust attributes are "u,u,uP", and that indeed the key is missing from the
first directory server in this database.
I also note that the cert databases seem to be divergent in other ways
between the CA servers. Which I find interesting.
But anyway, so my next action is to copy the cert databases to another
machine and to try to import the cert/key from a "good" CA db to the "bad"
CA db using pk12util.
This gives me a segmentation fault.
So, I try with a new DB. I export all the cert/key pairs from the "bad" CA
individually and import them into a new DB, replicating the trust
attributes. So far so good. I also export the missing cert/key from a
"good" CA and import that into the same new DB. Also apparently good.
The solution?
So, at this point, I feel relatively confident that I have constructed a
good DB and I should be able to perform some surgery to remove the old
"bad" DB and replace it with this "good" DB.
My questions are:
1. Does this approach seem reasonable or am I oversimplifying?
2. If this is a reasonable approach: what's my best method for performing
the surgery? ipactl stop, move bad db directory out of way, move "good" db
in, don't forget the selinux stuff, then ipactl start again?
3. How could this even happen in the first place? Is it a known issue?
4. Shouldn't the CA databases basically all look the same between servers
created at the same time? Why might they diverge?
5. Do you have any other comments or questions which you feel might be
pertinent?
Thanks in advance for any input or insights shared.
Best Regards
Andy
--
<https://www.treatwell.com/>
Andrew Stubbs, PhD
Head of Technical Operations
treatwell.co.uk
5 years, 9 months
DNS not resolving IPA Clients or IPA Server
by Sameer Gurung
Hi all,
have weird problem suddenly. I was getting a DNS update error on client
installs. My server has been installed with the setup-dns option. While
trying to figure that problem out I dont know what I did but now the ipa
dns server does not resolve any ipa clients. I had set it up as a
forwarding server and it does forward requests (forward only) but now none
of my clients hostnames can be resolved. Where do I start figuring this
problem out.
A nood here so looking for all the help I can get
with regards,
*-----------------------------------------------------------------------Sameer
Kr.
Gurung-----------------------------------------------------------------------*
--
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions
in the contents of this message, which arise as a result of e-mail
transmission. If verification is required please request a hard-copy
version. Saint Mary's College, Shillong, Meghalaya, India-793003,
smcs.ac.in <http://smcs.ac.in>
5 years, 9 months
Re: How to use HBAC rules on services where is used Ipsion
by SOLER SANGUESA Miguel
I have added the service on IPA and changed on the HBAC rule form "any service" to "ipsilon", but now I can not login on ipsilon.
Also I've checked that there is no '/etc/pam.d/ipsilon' file
Thanks & Regards.
______________________________
Miguel Soler Sangüesa
Consultant - Linux Systems Administrator
OPPV - Linux Server Support
[cid:image001.png@01D41870.F204ED80] + 34 96 199 39 24 - EXT 3924
[cid:image002.png@01D41870.F204ED80] + 41 22 929 19 13
[cid:image003.jpg@01D41870.F204ED80]<https://www.unicc.org/Pages/Home.aspx>
5 years, 9 months
weird problems with passwords and user accounts
by Karl Forner
[ tried to create the thread by mail, but did not seem to work, so I'm creating it from the web UI. Sorry if there's a duplicate coming in...]
Hi,
The problem started with a user that could not connect with his initial password from the GUI: Username or password incorrect.
I reset it myself, and tried with the new temp password: idem.
I retried many many times. Same.
I tried creating a new user, same.
In the meantime I realized the admin password had expired.
I could not update it successfully via the command-line, but I could using the GUI.
I tried many things, but now "ipa user-status" fails for a lot of accounts:
pa: ERROR: xxxxx: user not found
I tried creating a new account from command-line with ipa user-add, then asks for the status using "ipa user-status", it failed the same way.
What's happening ?
What should I try ?
Thanks.
5 years, 9 months
Unauthorized: kinit: Generic preauthentication failure while getting initial credentials
by Karl Forner
I tried to dig a little on my problem where new accounts or passwords-reset accounts can no longer connect to the web UI.
Looking a /var/log/http.log:
for a user that fails (brand new account):
[Tue Jul 10 13:46:20.536415 2018] [wsgi:error] [pid 1526] ipa: INFO: 401 Unauthorized: kinit: Generic preauthentication failure while getting initial credentials
[Tue Jul 10 13:46:20.536605 2018] [wsgi:error] [pid 1526]
for a user that works:
[Tue Jul 10 13:48:44.776366 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: i18n_messages(): SUCCESS
[Tue Jul 10 13:48:44.783299 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: config_show(): SUCCESS
[Tue Jul 10 13:48:44.945623 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: user_find(None, whoami=True, all=True): SUCCESS
[Tue Jul 10 13:48:44.946730 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: env(None): SUCCESS
[Tue Jul 10 13:48:44.956964 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: dns_is_enabled(): SUCCESS
[Tue Jul 10 13:48:44.963362 2018] [wsgi:error] [pid 1527] ipa: INFO: karl(a)xxxxx.COM: batch: trustconfig_show(): NotFound
....
What should I look into next ?
Thanks.
5 years, 9 months
weird problems with passwords and user accounts
by Karl Forner
Hi,
The problem started with a user that could not connect with his initial
password from the GUI: Username or password incorrect.
I reset it myself, and tried with the new temp password: idem.
I retried many many times. Same.
I tried creating a new user, same.
In the meantime I realized the admin password had expired.
I could not update it successfully via the command-line, but I could using
the GUI.
I tried many things, but now "ipa user-status" fails for a lot of accounts:
pa: ERROR: xxxxx: user not found
I tried creating a new account from command-line with ipa user-add, then
asks for the status using "ipa user-status", it failed the same way.
What's happening ?
What should I try ?
Thanks.
Karl
5 years, 9 months
Re: Certificates renewing with the wrong Subject
by Jakob Ackermann
I'm getting the same problem. Did you find a solution? I cannot get my certificates renew with the wright subject. It always adding the hostname of a deleted replica into 'cert_subject_der'.
Thanks,
Jakob
5 years, 9 months
AIX 7.x with sudo, netgroups, LDAP and Kerberos
by Pieter Baele
I have currently been assisting an AIX colleague to use IPA as
authentication/authz provider for AIX systems.
That way we are moving to a common platform
We have found some examples on the web (AIX 5.x, AIX 6); information here
and there - but for the moment we still have a few issues.
The proprietary AIX schema extensions would be a nice to have, but are not
required (as I have read in earlier posts)
Has anyone seen a complete working example for a AIX client configuration
for FreeIPA?
Once we have found everything; I'll try to share the information.
-- PieterB
5 years, 9 months
kpasswd: Preauthentication failed getting initial ticket
by lune voo
Hello !
I contact you because I encounter a problem when I use kpasswd using python
popen function.
I use freeipa 3.0 and python 2.6.6.
Here is what I do in python :
input_process = otp + '\n' + password + '\n' + password
cmd = 'kpasswd %s' % user_login
cmd_and_args = shlex.split(cmd)
p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
(output, error) = p.communicate(input=input_process)
Before doing that, I performed the following command in order to have more
logs :
export KRB5_TRACE=/dev/stdout
And here is what I see in the logs :
###
[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.610998: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611016: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611044: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611089: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key
aes256-cts/2559
[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611208: Retrieving admin@MYREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from
FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for
krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611219: Getting credentials admin@MYREALM ->
krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611240: Retrieving admin@MYREALM ->
krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611256: Creating authenticator for admin@MYREALM ->
krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key
aes256-cts/2559
[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
[47700] 1530630765.611299: Encoding request body and padata into FAST
request
[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
[47700] 1530630765.611418: Resolving hostname ipamasterhostname
[47700] 1530630765.611608: Initiating TCP connection to stream
ipamasterIP:88
[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
[47700] 1530630765.675208: Response was from master KDC
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional
pre-authentication required
[47700] 1530630765.675249: Decoding FAST response
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM: [47700] 1530630765.682884: Preauth module
encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.682891: Encoding request body and padata into FAST
request
[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
[47700] 1530630765.682967: Resolving hostname ipamasterhostname
[47700] 1530630765.683098: Initiating TCP connection to stream
ipamasterIP:88
[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
[47700] 1530630765.756302: Response was from master KDC
[47700] 1530630765.756321: Received error from KDC:
-1765328360/Preauthentication failed
[47700] 1530630765.756325: Decoding FAST response
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133,
137
kpasswd: Preauthentication failed getting initial ticket
)
###
I don't understand yet why the commande kpasswd is failing ?
My ticket admin is good.
My ticket cache is used only by me.
May you help me to understand what is going on please ?
Is there a way to use ipa python library to perform a kpasswd instead of
popen of kpasswd command ?
Best regards.
Lune
5 years, 9 months
AD user shown id command but visible for ldapsearch
by Pieter Baele
Hi,
On a test FreeIPA environment (4.5.0-22), a user is shown using the id
command, so ID Override is working as well.
id xxxx(a)accmsnet.railb.be
uid=8028(xxx(a)Accmsnet.railb.be) gid=4030(ucc)
groups=4030(ucc),702800513(domain users(a)Accmsnet.railb.be
),1318400009(ad_users)
However this particular (AD) user is not shown using an ldapsearch in the
compat
ldapsearch -Y GSSAPI -b cn=compat,dc=accnix,dc=infrabel,dc=be
'(&(objectClass=posixAccount)(uid=xxxx))'
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=accnix,dc=infrabel,dc=be> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=mcj7700))
# requesting: ALL
#
# search result
search: 4
result: 0 Success
Any idea? This is not happening in our production environment.
I cleared caches, did enable slapi-compat, and even tried adding the
resolution by an ldif to be sure
I did also re-run ipa-adtrust-install
I really don't understand why the AD users are not visible in LDAP....
Sincerely Pieter
5 years, 9 months
