ipa-replica-manage --force replica.server fails
by Ralph Crongeyer
Hi List,
I have a master server that had a replica installed. The replica has been
uninstalled. When I try to run "ipa-replica-manage del --force
replica.server" it fails with:
invalid 'PKINIT enabled server': all masters must have IPA master role
enabled
How can I delete this replica?
Thanks,
Ralph
3 hours, 32 minutes
nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5
by Robert Sturrock
Hi All.
We have IPA setup in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to working fine with a very similar configuration (as far as I can tell).
The particulars are:
- AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’)
- IPA domain is ‘ipa.localdomain’
- The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf).
I have mounted the NFS volume on the clients with a simple:
mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt
Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see:
$ ls -ld rns
drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns
.. with these corresponding nfsidmap messages:
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' does not map into domain 'ipa.localdomain'
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22
Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22
.. whereas on the RHEL7 client, I see:
$ ls -ld rns
drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain'
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain(a)ipa.localdomain timeout 600
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0
Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’?
(My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue).
The idmapd.conf looks like this:
[General]
Verbosity = 4
Pipefs-Directory = /run/rpc_pipefs
Domain = ipa.localdomain
Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
Any pointers appreciated!
Regards,
Robert.
5 days, 22 hours
Web app integration
by Alex Corcoles
Hi,
I've read:
https://www.freeipa.org/page/Web_App_Authentication
, but there is some stuff that is not clear to me.
1) SAML
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS there
is no straightforward way to install and integrate it with a FreeIPA
domain, correct?
2) SSO
What is the special sauce for users using a browser on an IPA-joined
system to log in to apps without even seeing a login form? SPNEGO?
I'm using mod_auth_gssapi for some apps, having httpd do the
authentication and forward it through REMOTE_USER, but it doesn't do
the magic. There are some hints on mod_auth_gssapi's docs, but nothing
really clear.
3) How should you deliver apps?
Suppose you are a web app developer and you want to deliver a web
application which can easily integrate with FreeIPA. What's the most
comfortable option you can give? (assuming, for instance, that you want
the SSO magic sauce). Is there any difference between apps that will
run on the FreeIPA's domain owner's systems or third party apps?
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
1 week
is anyone running Debian as freeipa-client
by Johan Vermeulen
Hello All,
first of all, we have great success running Freeipa and Freeipa-clients on
Centos.
Thanks for making this possible! I think this is a really important peace
of software for Linux.
Now it would come in handy if I could field some Debian clients for some
purposes.
But on the current stable release there is no freeipa client.
I have installed some freeipa-clients from unstable, but it's not ideal.
I'm wondering, is anyone doing this at the moment.
Is there some repo for this?
Can this be compiled from source?
Thanks for any help.
Greetings, J.
1 month
IPA and legacy systems
by Ronald Wimmer
What would be a good solution to add systems where the FQDN cannot be
changed?
Would it make sense to add a second DNS A Record in the IPA domain for
each of these systems?
Is there any experience on how to deal with such a situation?
Thanks a lot in advance!
Cheers,
Ronald
1 month
AD Trust: Add "mail" user attribute to AD -> IPA transfer
by Lenhardt, Matthias
Hi,
we have an IPA 4.6.4 environment with an AD Trust configured and everything's working perfectly.
My question is: Is it possible to configure, that extra AD user attributes are transfered? I would need the AD user attribute "mail" with the users email address.
This question came up, after I tried to connect GitLab to IPA and authentication with an AD users fails, because IPA doesn't have the "mail" attribute of the user, so logging is denied. (Authentication on Linux systems is working).
Thanks in advance!
Regards
Matthias Lenhardt
System Administrator
BITMARCK
*****************************************************************
Die Information in dieser E-Mail ist vertraulich und ausschließlich für
den/die benannten Adressaten bestimmt. Ein Zugriff auf diese E-Mail
durch andere Personen als den/die benannten Adressaten ist nicht
gestattet. Sollten Sie nicht der benannte Adressat sein, löschen Sie bitte
diese E-Mail.
1 month, 1 week
CentOS 7 ipa upgrade causes pki-tomcatd not to start CA
by Jason Wood
Upgraded from CentOS 7.5 to 7.6 which includes IPA upgrade.from 4.5.4-10 to 4.6.4-10 upgrade was done via yum upgrade
Upgrade went fine. I see no alarming errors in the logs. It stopped and started all the servers did the ipa upgrade. All was fine once completed.
Reboot and now pki-tomcatd CA will not start. Tomcat starts, gets all the way to were it should start the CA and doesn't. No errors, Debug doesn't show any blatant errors. It does have "Repository: Server not completely started. Returning .." which is the closest thing I see to an error.
All the certs are in monitoring state. None are expired. Domain is not quite a year old. PKI is communicating to LDAP without issues. Validated that. Also checked for and replication errors. There are none.
This is happening on all 4 systems. In the exact same way. DNS is up, we can authenticate, kerbrose is working. Can search LDAP via SSL and non-SSL Rebooted into the older kernel just to make sure. Reverted back to an old CS.cfg also, no different. I'm at a complete loss. Most other posts and pages about this all deal with expired certs. And the one that wasn't (from Redhat) was about replication conflicts. Nothing is panning out.
Fully patched CentOS Linux release 7.6.1810 (Core)
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-client-common-4.6.4-10.el7.centos.noarch
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-server-dns-4.6.4-10.el7.centos.noarch
libipa_hbac-1.16.2-13.el7.x86_64
python2-ipaclient-4.6.4-10.el7.centos.noarch
python2-ipalib-4.6.4-10.el7.centos.noarch
python2-ipaserver-4.6.4-10.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.16.2-13.el7.x86_64
sssd-ipa-1.16.2-13.el7.x86_64
krb5-pkinit-1.15.1-34.el7.x86_64
pki-base-10.5.9-6.el7.noarch
pki-base-java-10.5.9-6.el7.noarch
pki-ca-10.5.9-6.el7.noarch
pki-kra-10.5.9-6.el7.noarch
pki-server-10.5.9-6.el7.noarch
pki-tools-10.5.9-6.el7.x86_64
1 month, 1 week
external ocsp ?
by veer Schlansky
My company's PIV/AD credintial is user(a)example.com. We set up our IPA
credintial as user(a)linux.example.com
example.com and linux.example.com are completedly seperated domain/realms,
no trust or interaction whatsoever.
I took the user and CA certs on the PIV card and put them into ipa. I was
able to authenticate to ipa webui with my PIV card.
My question is does ipa do online certificate status protocol check for the
user(a)example.com cert? Any way to verify that?
Thanks.
1 month, 1 week
ipa-replica-install error - no-such-object ldap
by Arjen Heidinga
Dear all,
Perhaps someone could shed some light on what is amiss here. I am trying
to install a IPA replica to an ancient freeipa server, which has always
run standalone.
I have attached the logs for you to read. It seems there is missing
something in de ldap tree.
Server and replica-to-be are running Fedora 29, freeipa 4.7.2.
The (i suppose) relevant stacktrace is here:
2019-01-21T13:17:44Z DEBUG [28/41]: setting up initial replication
2019-01-21T13:17:45Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-PLATYPUSNET-ORG.socket
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f03f2114710>
2019-01-21T13:17:45Z DEBUG Destroyed connection
context.ldap2_139654961964256
2019-01-21T13:17:45Z DEBUG Starting external process
2019-01-21T13:17:45Z DEBUG args=['/bin/systemctl', '--system',
'daemon-reload']
2019-01-21T13:17:46Z DEBUG Process finished, return code=0
2019-01-21T13:17:46Z DEBUG stdout=
2019-01-21T13:17:46Z DEBUG stderr=
2019-01-21T13:17:46Z DEBUG Starting external process
2019-01-21T13:17:46Z DEBUG args=['/bin/systemctl', 'restart',
'dirsrv(a)PLATYPUSNET-ORG.service']
2019-01-21T13:17:51Z DEBUG Process finished, return code=0
2019-01-21T13:17:51Z DEBUG stdout=
2019-01-21T13:17:51Z DEBUG stderr=
2019-01-21T13:17:51Z DEBUG Restart of dirsrv(a)PLATYPUSNET-ORG.service
complete
2019-01-21T13:17:51Z DEBUG Created connection context.ldap2_139654961964256
2019-01-21T13:17:52Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2019-01-21T13:17:52Z DEBUG retrieving schema for SchemaCache
url=ldap://starkey.platypusnet.org:389
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f03f28c7668>
2019-01-21T13:17:52Z DEBUG Successfully updated nsDS5ReplicaId.
2019-01-21T13:17:52Z DEBUG Add or update replica config
cn=replica,cn=dc\=platypusnet\,dc\=org,cn=mapping tree,cn=config
2019-01-21T13:17:52Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
{'desc': 'Operations error'}
2019-01-21T13:17:52Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line
1023, in error_handler
yield
File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line
1517, in find_entries
raise e
File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line
1477, in find_entries
result = self.conn.result3(id, 0)
File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line
749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line
756, in result4
ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line
329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.7/site-packages/ldap/compat.py", line 44, in
reraise
raise exc_value
File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line
313, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'desc': 'No such object'}
Kind Regards,
Arjen Heidinga
1 month, 2 weeks
light sub-cas crl / ocsp urls
by Natxo Asenjo
hi,
at work I am testing using a light sub-ca with openvpn to limit the scope
of hosts that can auto request a certificate.
So far so good, really impressed with how well it works.
The question I cannot answer is: are there specific urls for crl/ocsp for
sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well?
Thanks for your support.
Regards,
--
Groeten,
natxo
1 month, 2 weeks
