December 2019 - FreeIPA-users - Fedora Mailing-Lists

by Vinícius Ferrão

Hello, this is probably a comercial question and not a technical one, but I’m curious about it. As today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8 with some interesting features. Since RHEL8 is still fresh, there’s any rebase to a higher version on the map? I see that IdM is now on AppStream: https://access.redhat.com/support/policy/updates/rhel8-app-streams-life-c... so I’m guessing that 4.8 will hit AppStream sooner or later. The point is: is this real or just speculation? I wasn’t able to find a roadmap on this specific issue. Is there anyone available that I can consult? Thanks.

20 hours, 34 minutes

3
3
0 / 0

Re: No Login on GUI

by Christian Reiss

Hey Angus, thanks for replying. Allow me to reply inline: On 06/12/2019 16:00, Angus Clarke wrote: > Have you checked your times are in sync within 5 minutes? Yes. And it's monitored. > Have you checked DNS is working for all node entries between all nodes? Yes. And it's monitored. Even PTR <-> A check. > Have you used ipactl [status|restart|stop]? Yes. [root@auth1:~] # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful [root@auth2:~] # ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful auth3 is down. > -> Do you see certain services fail and have you checked their logs? Well thats the wild thing. ipa cli (host remove, host add etc) all work from auth1 (which the webui does not allow access). And all changes are propagated to auth2. Same for the other way around. It's just the login to auth1. > I'm hoping your remaining IPA server is the renewal master: > > On remaining good server: > kinit admin > ipa config-show | grep "IPA CA renewal master" auth1 and auth2 agree on auth1 being the IPA CA renewal master. > If it is then the following rebuild instructions should be ok. > If it is not, then you prolly need some other advice (I haven't faced > that situation yet ...) > [...] The following items seem to mix my two problems. a) auth1 web login broken, b) auth3 needs re-setup. Any clue on how to debug the web login (or lack thereof) issue? Chedked httpd logs, nothing to see there in the error logs.... Cheers, Chris. -- Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon support(a)alpha-labs.net \ / Campaign X against HTML WEB alpha-labs.net / \ in eMails GPG Retrieval https://gpg.christian-reiss.de GPG ID ABCD43C5, 0x44E29126ABCD43C5 GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5 "It's better to reign in hell than to serve in heaven.", John Milton, Paradise lost.

21 hours, 39 minutes

2
1
0 / 0

FreeIPA and IPV6

by TomK

Hey All, Does FreeIPA fully support IPV6 or are there corner cases and limitations that could make it a show stopper? Just a general question. If folks here could elaborate on this topic a bit, it would be appreciated. -- Thx, TK.

22 hours, 17 minutes

5
6
0 / 0

Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

by White, Daniel E. (GSFC-770.0)[NICS]

Despite the fact that we selected "Generic LDAP" rather than "Active Directory", it is still looking for Security Groups and Organization Units. Thanks. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

22 hours, 53 minutes

2
10
0 / 0

No Login on GUI

by Christian Reiss

Hey folks, I am running a 4.6.5 (CentOS 7) Cluster containing out of 3 nodes. Replication is working and I have been using it for nearly a year now. Now, two issues arose. First on my first node, I can no longer login to the WebUI, neither with password nor with Kerberos Login. I can login on the 2nd node without any issues. Replication works, however (If I delete a host on node1 it is replicated to node2, and creating a host on node2 will replicate to node1). /var/log/httpd/* yields not usable errors. Login with password just says "wrong password". Second issue: My home server where node3 was running died. I have file based backup, but several errors are flashing up, no good. Can I simply replace the VM with a fresh one, re-attach it using the same name and all is well? What would be the correct way to replace a node? Thanks for your help, Chris. -- Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon support(a)alpha-labs.net \ / Campaign X against HTML WEB alpha-labs.net / \ in eMails GPG Retrieval https://gpg.christian-reiss.de GPG ID ABCD43C5, 0x44E29126ABCD43C5 GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5 "It's better to reign in hell than to serve in heaven.", John Milton, Paradise lost.

23 hours, 13 minutes

2
1
0 / 0

In-place upgrade from RHEL 7 to RHEL 8

by Ronald Wimmer

According to a RedHat document (https://access.redhat.com/articles/4263361 ) an in-place upgrade is only possible from RHEL 7.6 to RHEL 8.1. Unfortunately, I've kept my IPA servers up-to-date so that their version is now 7.7.1908. The document also states that there will be a possibility to upgrade from the last RHEL 7.x minor version to RHEL 8. Will this happen any time soon? Is it generally recommended to perform an in-place upgrade on an IPA server or is it better to follow the steps in "Migrating IDM from RHEL 7 to 8" as documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... ? Cheers, Ronald

1 day

2
5
0 / 0

Apache mod_ssl on the same host as FreeIPA

by Vinícius Ferrão

Hello, Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example: [root@headnode conf.d]# grep -iR virtualhost nss.conf:<VirtualHost _default_:443> nss.conf:</VirtualHost> ssl.conf:<VirtualHost _default_:443> ssl.conf:</VirtualHost> Both add a default virtual host to 443. What’s the correct procedure? Don’t use mod_ssl at all? Thanks,

1 day, 18 hours

3
5
0 / 0

ipa-server-install error [37/44] initializing group membership: [error] NotFound: no such entry

by Michael Schefczyk

Dear All, Trying to install ipa-server (4.7.1-11.module_el8.0.0+79+bbd20d7b package from @AppStream) on a new virtual CentOS Linux 8.0.1905 server within my LAN (fresh test install, the previous version on CentOS 7 did work), I persistently get the following error message when freipa-install tries to configure the dirsrv: [37/44]: initializing group membership [error] NotFound: no such entry I would very much welcome if anyone could point me to the right direction. I find the log content (below) not very telling. Regards, Michael Schefczyk 2019-10-13T07:21:07Z DEBUG step duration: dirsrv __add_topology_entries 0.05 sec 2019-10-13T07:21:07Z DEBUG [37/44]: initializing group membership 2019-10-13T07:21:07Z DEBUG Starting external process 2019-10-13T07:21:07Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpm2nl4f4x', '-H', 'ldapi://%2fvar%2frun%2fslapd-B72-COM.socket', '-Y', 'EXTERNAL'] 2019-10-13T07:21:07Z DEBUG Process finished, return code=0 2019-10-13T07:21:07Z DEBUG stdout=add objectClass: top extensibleObject add cn: IPA install add basedn: dc=b72,dc=com add filter: (objectclass=*) add ttl: 10 adding new entry "cn=IPA install 1570951250, cn=memberof task, cn=tasks, cn=config" modify complete 2019-10-13T07:21:07Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-B72-COM.socket/??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 2019-10-13T07:21:07Z DEBUG Waiting for memberof task to complete. 2019-10-13T07:21:07Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1022, in error_handler yield File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1514, in find_entries raise e File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1474, in find_entries result = self.conn.result3(id, 0) File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 749, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 756, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call reraise(exc_type, exc_value, exc_traceback) File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise raise exc_value File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call result = func(*args,**kwargs) ldap.NO_SUCH_OBJECT: {'desc': 'No such object'} During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof replication.wait_for_task(conn, dn) File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task entry = conn.get_entry(dn, attrlist) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry size_limit=size_limit, get_effective_rights=get_effective_rights, File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries **kwargs) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries break File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler raise errors.NotFound(reason=arg_desc or 'no such entry') ipalib.errors.NotFound: no such entry 2019-10-13T07:21:07Z DEBUG [error] NotFound: no such entry 2019-10-13T07:21:07Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run return cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 550, in main master_install(self) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 253, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 800, in install setup_pkinit=not options.no_pkinit) File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 345, in create_instance self.start_creation(runtime=30) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 605, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 591, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 712, in init_memberof replication.wait_for_task(conn, dn) File "/usr/lib/python3.6/site-packages/ipaserver/install/replication.py", line 171, in wait_for_task entry = conn.get_entry(dn, attrlist) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1571, in get_entry size_limit=size_limit, get_effective_rights=get_effective_rights, File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1383, in get_entries **kwargs) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1521, in find_entries break File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1032, in error_handler raise errors.NotFound(reason=arg_desc or 'no such entry') 2019-10-13T07:21:07Z DEBUG The ipa-server-install command failed, exception: NotFound: no such entry 2019-10-13T07:21:07Z ERROR no such entry 2019-10-13T07:21:07Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

2 days, 17 hours

2
3
0 / 0

Disable MFA prompt on users with no more OTP

by Michael Deffenbaugh

I'm having an issue where users who were previously enrolled in OTP (and had it enforced) which then were removed from OTP and have no tokens are still prompted for "First Factor/Second Factor". Up until recently this has been an inconvenience as a user could just leave the field blank and it would authenticate; they would only have to wait for IPA to process the non-existent OTP token. Recently I've ran across an application which doesnt support OTP prompting at all, and the fact that users are getting prompted for First/Second factor breaks the application. While I do have a github issue in with the project to properly support OTP, there should be some way to disable the MFA prompt that users are getting (via PAM/SSSD?) given we're no longer using it. Any thoughts as to where I should look? There's a fair amount of documentation on how to enable it, less so on disabling it. Thanks in advance! Regards, Mike

2 days, 20 hours

2
2
0 / 0

Debug logging for dirsrv

by Russ Long

Hello, I'm trying to figure out how to temporarily enable debug-level logging for dirsrv. I'm using an external application (elasticsearch/kibana) that I have setup to authenticate against my FreeIPA cluster using LDAP, and there's some odd issues that I'd like to prove are on the Elasticsearch side and not FreeIPA, but ES support wants debug level logging from the LDAP server.

3 days, 21 hours

2
2
1 / 0

2019

2018

2017

FreeIPA-users December 2019