ipa-replica-install failing
by Mitchell Smith
Hi list,
I wanted to repost this issue with a more appropriate subject line, in
case anyone has come across this issue before and has a workaround.
To provide some context, I have two FreeIPA instances running FreeIPA
4.3.1 on Ubuntu 16.04 LTS.
I want to migrate to FreeIPA 4.5.4 running on CentOS 7.
I have a way to migrate by dumping all the users out with ldapsearch
and adding them to the new instance with ldapadd but it is a bit messy
and will result in all users having to reset their password, as it
won't let me add in already encrypted passwords.
My initial thought was to add the new instance as a replica and then
eventually retire the old one.
I ran into some problems with the ‘ipa-replica-install’ command, though.
I was able to join as a client no problem, but when I went to run
‘ipa-replica-install’ it failed while configuring the directory server
component.
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
[error] DatabaseError: Server is unwilling to perform: modification
of attribute nsds5replicareleasetimeout is not allowed in replica
entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I thought this might have something to do with differences between
4.3.1 and 4.5.4 but I wasn’t entirely sure.
If there is a work around for this issue, it would be a significantly
easier transition to the new FreeIPA instance.
Cheers,
Mitch
3 years, 1 month
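One way to do the ldapsearch/ldapadd migration described in the post without hand-editing the dump, added here as an example that is not from the post or the FreeIPA project: strip the operational and plugin-maintained attributes that make ldapadd refuse an entry, rejoin wrapped LDIF lines, and move every DN onto the new base. The attribute lists, the old/new suffixes and the sample entry are assumptions; userPassword is not touched.

```python
#!/usr/bin/env python3
"""Filter an ldapsearch LDIF dump so that ldapadd will accept it on another
FreeIPA server: unfold wrapped lines, drop attributes the directory server or
the IPA plugins generate themselves, and move entries to the new base DN.

Added example, not code from the original post.  DROP_ATTRS and DN_ATTRS are
ASSUMPTIONS for a FreeIPA user export; extend them if ldapadd still rejects an
attribute on your server.
"""
import re
import sys

DROP_ATTRS = frozenset(a.lower() for a in (
    # 389-ds operational attributes
    "creatorsName", "modifiersName", "createTimestamp", "modifyTimestamp",
    "entryUUID", "entryUSN", "nsUniqueId", "entrydn", "entryid",
    "numSubordinates", "hasSubordinates",
    # maintained by the memberOf plugin; rebuilt when the groups are added
    "memberOf",
    # Kerberos key material bound to the source realm's master key
    "krbPrincipalKey", "krbExtraData", "krbLastPwdChange",
))

# Attributes whose values are DNs and therefore also need the suffix rewrite.
DN_ATTRS = frozenset(("dn", "member", "manager", "memberuser", "memberhost", "seealso"))

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?|:<)\s*(.*)$")


def unfold(ldif_text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_entries(lines):
    """Group lines into blank-line separated entries, skipping comments and the version header."""
    entries, current = [], []
    for line in lines:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def rewrite_dn(value, old_suffix, new_suffix):
    """Swap the trailing base DN of a DN string, matching the suffix case-insensitively."""
    if value.lower().endswith(old_suffix.lower()):
        return value[:len(value) - len(old_suffix)] + new_suffix
    return value


def filter_entry(entry, old_suffix, new_suffix):
    out = []
    for line in entry:
        m = ATTR_LINE.match(line)
        if not m:
            continue  # malformed line: better dropped than fed to ldapadd
        name, sep, value = m.groups()
        if name.lower() in DROP_ATTRS:
            continue
        # "attr:: <base64>" values are left alone; rewriting inside them would corrupt them.
        if sep == ":" and name.lower() in DN_ATTRS:
            value = rewrite_dn(value, old_suffix, new_suffix)
        out.append(f"{name}{sep} {value}".rstrip())
    return out


def filter_ldif(ldif_text, old_suffix, new_suffix):
    """Return LDIF text ready for ldapadd against the server that holds new_suffix."""
    entries = (filter_entry(e, old_suffix, new_suffix)
               for e in split_entries(unfold(ldif_text)))
    return "\n\n".join("\n".join(e) for e in entries if e) + "\n"


# Constructed sample: the shape of one entry from
# ldapsearch -LLL -b cn=users,cn=accounts,dc=old,dc=example '(uid=alice)'
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example
objectClass: person
objectClass: posixaccount
uid: alice
cn: Alice Example
uidNumber: 1246600001
gidNumber: 1246600001
homeDirectory: /home/alice
memberOf: cn=admins,cn=groups,cn=accounts,dc=old,dc=example
manager: uid=bob,cn=users,cn=accounts,dc=old,dc=example
krbPrincipalKey:: MIIBAQ==
creatorsName: cn=directory manager
modifyTimestamp: 20180101120000Z
entryusn: 42
description: a long description that ldapsearch folded over
  two lines
"""

if __name__ == "__main__":
    # ldapsearch -LLL ... | python3 filter_ldif.py dc=old,dc=example dc=new,dc=example | ldapadd ...
    sys.stdout.write(filter_ldif(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

Feed it the output of `ldapsearch -LLL` (with `-o ldif-wrap=no` the unfolding step is unnecessary but harmless) and try the result with `ldapadd -n` first, which parses and reports without writing anything.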
kinit -n asking for password on clients
by John Ratliff
When trying to do pkinit, if I do kinit -n on one of the IdM servers, it
works fine. If I try on a client machine, it asks me for the password
for WELLKNOWN/ANONYMOUS@REALM.
I have the pkinit_anchors setup for the realm. As I'm trying to do
anonymous pkinit, I think I don't need a client certificate.
On the server, I get this:
$ KRB5_TRACE="/dev/stderr" kinit -n
[13061] 1518402857.924212: Getting initial credentials for
WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM
[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream
10.77.9.101:88
[13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402857.939162: Received answer (359 bytes) from stream
10.77.9.101:88
[13061] 1518402857.939180: Terminating TCP connection to stream
10.77.9.101:88
[13061] 1518402857.939284: Response was from master KDC
[13061] 1518402857.939380: Received error from KDC:
-1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136,
19, 147, 2, 133
[13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402857.939509: Received cookie: MIT
[13061] 1518402857.939563: Preauth module pkinit (147) (info) returned:
0/Success
[13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum
9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143
[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned:
0/Success
[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402858.43063: Received answer (2880 bytes) from stream
10.77.9.101:88
[13061] 1518402858.43088: Terminating TCP connection to stream
10.77.9.101:88
[13061] 1518402858.43198: Response was from master KDC
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402858.43300: Preauth module pkinit (147) (info) returned:
0/Success
[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert:
krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
[13061] 1518402858.44199: PKINIT client matched KDC principal
krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM against id-pkinit-san; no EKU
check required
[13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to
compute reply key aes256-cts/00E0
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned:
0/Success
[13061] 1518402858.62402: Produced preauth for next request: (empty)
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is:
aes256-cts/96F0
[13061] 1518402858.62589: FAST negotiation: available
[13061] 1518402858.62692: Initializing
KEYRING:persistent:760400007:krb_ccache_f3PFEy1 with default princ
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[13061] 1518402858.62770: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM in
KEYRING:persistent:760400007:krb_ccache_f3PFEy1
[13061] 1518402858.62846: Storing config in
KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for
krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM: fast_avail: yes
[13061] 1518402858.62878: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF:
in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
[13061] 1518402858.62933: Storing config in
KEYRING:persistent:760400007:krb_ccache_f3PFEy1 for
krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM: pa_type: 16
[13061] 1518402858.62954: Storing
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF:
in KEYRING:persistent:760400007:krb_ccache_f3PFEy1
But on the client, I get this:
$ KRB5_TRACE="/dev/stderr" kinit -n
[2941] 1518402820.155827: Getting initial credentials for
WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM
[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.159975: Resolving hostname phantom.example.com.
[2941] 1518402820.160757: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream
204.89.253.101:88
[2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream
204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP connection to stream
204.89.253.101:88
[2941] 1518402820.169917: Response was from master KDC
[2941] 1518402820.169974: Received error from KDC:
-1765328359/Additional pre-authentication required
[2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136, 19,
147, 2, 133
[2941] 1518402820.170051: Selected etype info: etype aes256-cts, salt
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[2941] 1518402820.170062: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM:
[2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real)
returned: -1765328252/Password read interrupted
kinit: Pre-authentication failed: Password read interrupted while
getting initial credentials
Suggestions on what I'm missing?
Thanks.
3 years, 2 months
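A way to compare the two traces mechanically rather than by eye, added here as an example that is not part of the post: it parses KRB5_TRACE output, names the PA-DATA types the KDC offered in its "Additional pre-authentication required" error, and records which client preauth modules actually ran and what they sent back before any password prompt appeared. The PA-DATA names come from the Kerberos RFCs and MIT krb5's headers; the sample traces are condensed from the two above; the verdict strings are this script's own heuristic, not anything kinit reports.

```python
#!/usr/bin/env python3
"""Summarise the pre-authentication negotiation recorded in a KRB5_TRACE log.

Added example, not code from the original post: it lists the PA-DATA types
the KDC offered in its PREAUTH_REQUIRED error, which client preauth modules
actually ran and what they produced, and whether the run ended with a
decrypted AS-REP or a password prompt.  The verdict text is this script's
own heuristic, not a kinit diagnostic.
"""
import re

# PA-DATA type numbers (RFC 4120, RFC 4556, RFC 6113, RFC 8062; names as in MIT krb5).
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ-OLD", 15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 147: "PA-PKINIT-KX",
}

TRACE_LINE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")
OFFERED = re.compile(r"^Processing preauth types:\s*(.*)$")
MODULE = re.compile(r"^Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")
PRODUCED = re.compile(r"^Produced preauth for next request:\s*(.*)$")


def messages(trace_text):
    """Strip the '[pid] timestamp:' prefix; prompts such as 'Password for ...' carry none."""
    out = []
    for line in trace_text.splitlines():
        m = TRACE_LINE.match(line)
        out.append(m.group(3) if m else line.strip())
    return out


def _ints(csv):
    return [int(x) for x in re.findall(r"\d+", csv)]


def analyse(trace_text):
    """Return offered types (named), modules that ran, produced types, and a verdict."""
    offered, ran, produced = [], [], []
    prompted = decrypted = False
    for msg in messages(trace_text):
        m = OFFERED.match(msg)
        if m:
            offered.append(_ints(m.group(1)))
            continue
        m = MODULE.match(msg)
        if m:
            ran.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            continue
        m = PRODUCED.match(msg)
        if m:
            produced.append(_ints(m.group(1)))
            continue
        if msg.startswith("Password for "):
            prompted = True
        elif msg.startswith("Decrypted AS reply"):
            decrypted = True
    first_offer = offered[0] if offered else []
    pkinit_offered = any(t in first_offer for t in (16, 147))
    pkinit_ran = any(module == "pkinit" for module, _, _, _ in ran)
    if decrypted:
        verdict = "AS-REP decrypted; preauth succeeded"
    elif pkinit_offered and not pkinit_ran:
        verdict = ("KDC offered PKINIT (16/147) but the client never ran its pkinit module: "
                   "check the client's pkinit plugin and pkinit_anchors first")
    elif prompted:
        verdict = "client fell back to a password prompt"
    else:
        verdict = "exchange incomplete"
    return {"offered": [PA_NAMES.get(t, str(t)) for t in first_offer], "ran": ran,
            "produced": produced, "prompted": prompted, "decrypted": decrypted,
            "verdict": verdict}


# Constructed samples, condensed from the two traces in the post (wrapped lines rejoined).
SERVER_TRACE = """\
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13061] 1518402857.939563: Preauth module pkinit (147) (info) returned: 0/Success
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success
[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success
[13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
"""

CLIENT_TRACE = """\
[2941] 1518402820.170029: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2941] 1518402820.170062: Received cookie: MIT
Password for WELLKNOWN/ANONYMOUS@IDM.EXAMPLE.COM:
[2941] 1518402833.34612: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
"""

if __name__ == "__main__":
    for label, trace in (("server", SERVER_TRACE), ("client", CLIENT_TRACE)):
        r = analyse(trace)
        print(f"{label}: offered {r['offered']}")
        print(f"{label}: ran {[(m, t) for m, t, _, _ in r['ran']]} -> {r['verdict']}")
```

The point of the comparison is that both hosts are offered the same list (PKINIT types 16 and 147 included), but only the server trace ever shows a `pkinit` module line; the client goes straight from the cookie to `encrypted_timestamp`, which is what produces the password prompt.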
IPA and legacy systems
by Ronald Wimmer
What would be a good solution to add systems where the FQDN cannot be
changed?
Would it make sense to add a second DNS A Record in the IPA domain for
each of these systems?
Is there any experience on how to deal with such a situation?
Thanks a lot in advance!
Cheers,
Ronald
3 years, 4 months
Vault: Cannot authenticate agent with certificate
by Peter Oliver
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug I see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
--
Peter Oliver
4 years
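An added example, not from the post or the Dogtag project: given the "Cannot authenticate agent with certificate" line from the KRA system log, it works out the description value that Dogtag's certificate-to-user mapping would have to find on the agent's LDAP entry and checks a list of description values against it. The mapping format (`2;<serial>;<issuer DN>;<subject DN>`), the locations of the `ipara` entries and the sample description values are assumptions to verify against your own server before acting on the result.

```python
#!/usr/bin/env python3
"""Check whether a Dogtag agent user entry can be matched to the client certificate
named in a 'Cannot authenticate agent with certificate ... User not found' log line.

Added example, not code from the original post or the Dogtag project.
ASSUMPTION: Dogtag's CertUserDBAuthentication maps a client certificate to the
user whose 'description' attribute equals '2;<serial decimal>;<issuer DN>;<subject DN>'
(for IPA, uid=ipara,ou=people,o=ipaca for the CA and under o=kra,o=ipaca for the KRA).
The description values below are constructed, not read from the poster's server.
"""
import re

FAILURE = re.compile(r"Cannot authenticate agent with certificate Serial (0x[0-9A-Fa-f]+) "
                     r"Subject DN (.+?)\. Error: (.+)$")


def parse_failure(log_line):
    """Serial (as int), subject DN and error text from the KRA 'system' log line, else None."""
    m = FAILURE.search(log_line)
    if not m:
        return None
    return {"serial": int(m.group(1), 16), "subject": m.group(2), "error": m.group(3)}


def normalise_dn(dn):
    """Comparison form: lowercase attribute types, no whitespace around commas.
    Simple DNs only; RDN values containing escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def expected_description(serial, issuer_dn, subject_dn):
    """The description value the agent's user entry would need for this certificate."""
    return f"2;{serial};{issuer_dn};{subject_dn}"


def find_mapping(descriptions, serial, subject_dn):
    """Return the description value that maps this certificate, or None if none would."""
    want = normalise_dn(subject_dn)
    for d in descriptions:
        fields = d.split(";")
        if len(fields) != 4 or fields[0] != "2" or not fields[1].isdigit():
            continue
        if int(fields[1]) == serial and normalise_dn(fields[3]) == want:
            return d
    return None


def diagnose(log_line, descriptions, issuer_dn):
    """(mapping_found, description_expected) for the certificate named in log_line."""
    f = parse_failure(log_line)
    if f is None:
        raise ValueError("not an agent-certificate authentication failure line")
    expected = expected_description(f["serial"], issuer_dn, f["subject"])
    return find_mapping(descriptions, f["serial"], f["subject"]) is not None, expected


# Constructed input: the log line from the post and two hypothetical agent entries.
LOG_LINE = ("0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] "
            "Cannot authenticate agent with certificate Serial 0x7 Subject DN "
            "CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found")
ISSUER = "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
# What `ldapsearch -b ou=people,o=ipaca '(uid=ipara)' description` might return (constructed):
CA_AGENT = ["2;7;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM"]
# A KRA agent entry still carrying a different serial for the same subject (constructed):
KRA_AGENT = ["2;6;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM"]

if __name__ == "__main__":
    for name, entry in (("CA", CA_AGENT), ("KRA", KRA_AGENT)):
        found, expected = diagnose(LOG_LINE, entry, ISSUER)
        print(f"{name}: mapping {'present' if found else 'missing'}; expected {expected}")
```

The serial in the log is hexadecimal (`0x7`) while the description field stores it in decimal, which is why the comparison converts rather than matching strings.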
Can login with non-existing user
by Ronald Wimmer
I have managed to login to an IPA client with a non-existing user.
My AD user is z123456@addomain.mydomain.at and I have created a similar
user called i123456@ipadomain.mydomain.at. What happened now is that I
could log in with the i-User and what I get to see after logging in is this:
[i123456@addomain.mydomain.at@as12314 ~]$ id
uid=1246600007(i123456@addomain.mydomain.at)
gid=1246600007(i123456@addomain.mydomain.at)
groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group@ipadomain.mydomain.at)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[i123456@addomain.mydomain.at@as12314 ~]$ whoami
i123456@addomain.mydomain.at
The user i123456@addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
What is wrong here? Are things just displayed wrong or could it be more?
Which files do you need in order to analyze this issue?
Cheers,
Ronald
4 years, 1 month
FreeIPA v4.5.0 install lost topology suffixes
by Gavin Williams
Afternoon all
I’ve got a slightly strange one with one of our FreeIPA clusters, whereby the topology suffixes appear to have disappeared.
From what I can see, this is causing replication issues between the hosts, which is causing us issues with bootstrapping new clients against FreeIPA.
I’m not aware of any config changes that have happened on the FreeIPA hosts that could have caused this issue, so am a bit stumped atm.
Is someone able to advise next steps on how to investigate the cause and correct the configuration?
Regards
Gavin
4 years, 1 month
DNS A Record Disappears after IPA Server reboot
by Mariusz Stolarczyk
Hi all,
Whenever I have to reboot my IPA server I lose one of my IPA client's DNS A Records. Curiously, all of the IPA client-related SSHFP records are intact, as is the reverse lookup record.
The only thing that was slightly different about this client is at some point the IP address was changed. I did however change the IP address on a different client with no problems.
Thanks,
-Mark
4 years, 2 months
freeipa-server failed to install - Debian
by Milos Cuculovic
I am trying to install the freeipa-server package on Debian after an uninstall, and it is now failing. I removed all packages and config files normally, but something still seems to cause issues. The installation output is as follows, after running apt install freeipa-server (I'm first extracting the main warning and failure lines I identified).
—————
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
—————
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
—————
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-kdc.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
—————
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
Docs: man:systemd-sysv-generator(8)
Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
—————
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
—————
FULL OUTPUT:
Setting up libsymkey-jni (10.6.0-1ubuntu2) ...
Setting up python-dnspython (1.15.0-1) ...
Setting up libxcb-present0:amd64 (1.13-1) ...
Setting up libslf4j-java (1.7.25-3) ...
Setting up libglvnd0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up oddjob (0.34.3-4) ...
Setting up libxinerama1:amd64 (2:1.1.3-1) ...
Setting up libplexus-classworlds-java (2.5.2-2) ...
Processing triggers for ufw (0.35-5) ...
Setting up libxcb-dri2-0:amd64 (1.13-1) ...
Setting up libsss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libhttp-parser2.7.1:amd64 (2.7.1-2) ...
Setting up libxcb-dri3-0:amd64 (1.13-1) ...
Setting up libxcb-glx0:amd64 (1.13-1) ...
Setting up libcommons-io-java (2.6-2) ...
Setting up libstax-java (1.2.0-4) ...
Setting up libargs4j-java (2.33-1) ...
Setting up python-urllib3 (1.22-1) ...
Setting up libapache2-mod-lookup-identity (1.0.0-1) ...
apache2_invoke: Enable module lookup_identity
Setting up libpath-utils1:amd64 (0.6.1-1) ...
Setting up libjettison-java (1.4.0-1) ...
Setting up libsocket-getaddrinfo-perl (0.22-3) ...
Setting up libknopflerfish-osgi-framework-java (6.1.1-2) ...
Setting up libperl4-corelibs-perl (0.004-1) ...
Setting up libsss-nss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libnfsidmap2:amd64 (0.25-5.1) ...
Setting up python-usb (1.0.0-1) ...
Setting up libxdamage1:amd64 (1:1.1.4-3) ...
Setting up libhawtjni-runtime-java (1.15-2) ...
Setting up libhttpcore-java (4.4.9-1) ...
Setting up libjackson2-core-java (2.9.4-1) ...
Setting up ieee-data (20180204.1) ...
Setting up libjsr311-api-java (1.1.1-1) ...
Setting up python-yubico (1.3.2-1) ...
Setting up libyaml-snake-java (1.20-1) ...
Setting up libxfixes3:amd64 (1:5.0.3-1) ...
Setting up oddjob-mkhomedir (0.34.3-4) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libdrm-amdgpu1:amd64 (2.4.91-2) ...
Setting up libllvm6.0:amd64 (1:6.0-1ubuntu2) ...
Setting up chrony (3.2-4ubuntu4.2) ...
Setting up libisorelax-java (20041111-10) ...
Setting up python-openssl (17.5.0-1ubuntu1) ...
Setting up libplexus-cipher-java (1.7-3) ...
Setting up python-ply (3.11-1) ...
Setting up python-kdcproxy (0.3.2-5) ...
Setting up python-netaddr (0.7.19-1) ...
Setting up python-jwcrypto (0.4.2-1) ...
Setting up libatspi2.0-0:amd64 (2.28.0-1) ...
Setting up libdtd-parser-java (1.2~svn20110404-1) ...
Setting up libsvrcore0:amd64 (1:4.1.2+dfsg1-3) ...
Setting up at-spi2-core (2.28.0-1) ...
Setting up libsss-certmap0 (1.16.1-1ubuntu1) ...
Setting up libxshmfence1:amd64 (1.3-1) ...
Setting up libjaxb-api-java (2.2.9-1) ...
Setting up krb5-pkinit:amd64 (1.16-2build1) ...
Setting up libstax2-api-java (3.1.1-1) ...
Setting up python-certifi (2018.1.18-2) ...
Setting up libstax-ex-java (1.7.8-1) ...
Setting up libipa-hbac0 (1.16.1-1ubuntu1) ...
Setting up dogtag-pki-server-theme (10.6.0-1ubuntu2) ...
Setting up libplexus-interpolation-java (1.24-1) ...
Setting up libnl-route-3-200:amd64 (3.2.29-0ubuntu3) ...
Setting up libglapi-mesa:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up fonts-open-sans (1.11-1) ...
Setting up python-sss (1.16.1-1ubuntu1) ...
Setting up libplexus-component-annotations-java (1.7.1-7) ...
Setting up python-pkg-resources (39.0.1-2) ...
Setting up freeipa-common (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-common (1:2.1.3-0.2build1) ...
Setting up libmaven-shared-utils-java (3.1.0-2) ...
Setting up python-pyasn1-modules (0.2.1-0.2) ...
Setting up libdhash1:amd64 (0.6.1-1) ...
Setting up python-nss (1.0.0-1build3) ...
Setting up python-markupsafe (1.0-1build1) ...
Setting up fonts-font-awesome (4.7.0~dfsg-3) ...
Setting up python-netifaces (0.10.4-0.1build4) ...
Setting up libjackson2-annotations-java (2.9.4-1) ...
Setting up libldns2:amd64 (1.7.0-3ubuntu4) ...
Setting up sqlite3 (3.22.0-1) ...
Setting up libjoda-time-java (2.9.9-1) ...
Setting up libplexus-utils2-java (3.0.24-3) ...
Setting up libjackson2-dataformat-cbor (2.7.8-3) ...
Setting up libcollection4:amd64 (0.6.1-1) ...
Setting up libwagon-provider-api-java (3.0.0-2) ...
Setting up libxcb-sync1:amd64 (1.13-1) ...
Setting up libjsr305-java (0.1~+svn49-10) ...
Setting up python-dateutil (2.6.1-1) ...
Setting up ldap-utils (2.4.45+dfsg-1ubuntu1) ...
Setting up libatk1.0-data (2.28.1-1) ...
Setting up libjackson2-databind-java (2.9.5-1) ...
Setting up libjackson2-dataformat-yaml (2.8.10-3) ...
Setting up libx11-xcb1:amd64 (2:1.6.4-3ubuntu0.1) ...
Setting up libnetaddr-ip-perl (4.079+dfsg-1build2) ...
Setting up python-gi (3.26.1-2) ...
Setting up libmozilla-ldap-perl (1.5.3-2build4) ...
Setting up libservlet3.1-java (8.5.30-1ubuntu1.4) ...
Setting up libjboss-jdeparser2-java (2.0.2-1) ...
Setting up libjavassist-java (1:3.21.0-2) ...
Setting up p11-kit-modules:amd64 (0.23.9-2) ...
Setting up libnss-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up softhsm2-common (2.2.0-3.1build1) ...
Setting up libhsm-bin (1:2.1.3-0.2build1) ...
Setting up python3-sss (1.16.1-1ubuntu1) ...
Setting up libjackson2-module-jaxb-annotations-java (2.8.10-2) ...
Setting up libxmlrpc-core-c3 (1.33.14-8build1) ...
Setting up libxxf86dga1:amd64 (2:1.1.4-1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up libjackson-json-java (1.9.2-9) ...
Setting up python-bs4 (4.6.0-1) ...
Setting up python-selinux (2.7-2build2) ...
Setting up libgeronimo-interceptor-3.0-spec-java (1.0.1-4fakesync) ...
Setting up libmaven-resolver-java (1.1.0-3) ...
Setting up libsocket6-perl (0.27-1build2) ...
Setting up libnsspem:amd64 (1.0.3-0ubuntu2) ...
Setting up 389-ds-base-libs (1.3.7.10-1ubuntu1) ...
Setting up libplexus-utils-java (1:1.5.15-5) ...
Setting up libnss3-tools (2:3.35-2ubuntu2) ...
Setting up python-libipa-hbac (1.16.1-1ubuntu1) ...
Setting up libnuxwdog0 (1.0.3-4) ...
Setting up libjackson2-dataformat-xml-java (2.9.4-1) ...
Setting up libcommons-compress-java (1.13-2) ...
Setting up libatk1.0-0:amd64 (2.28.1-1) ...
Setting up libcommons-lang3-java (3.5-2ubuntu1) ...
Setting up libjaxen-java (1.1.6-3) ...
Setting up libwebpmux3:amd64 (0.6.1-2) ...
Setting up libsnappy1v5:amd64 (1.1.7-1) ...
Setting up libjansi-native-java (1.7-1) ...
Setting up python-systemd (234-1build1) ...
Processing triggers for systemd (237-3ubuntu10.3) ...
Setting up libpwquality-common (1.4.0-2) ...
Setting up augeas-lenses (1.10.1-2) ...
Setting up python-lxml:amd64 (4.2.1-1) ...
Setting up libatk-bridge2.0-0:amd64 (2.26.2-1) ...
Setting up libjaxrs-api-java (2.1-1) ...
Setting up libice6:amd64 (2:1.0.9-2) ...
Setting up libasm-java (6.0-1) ...
Setting up libfontenc1:amd64 (1:1.1.3-1) ...
Setting up libxcomposite1:amd64 (1:0.4.4-2) ...
Setting up libcrack2:amd64 (2.9.2-5build1) ...
Setting up python-olefile (0.45.1-1) ...
Setting up libwebpdemux2:amd64 (0.6.1-2) ...
Setting up libxcb-shape0:amd64 (1.13-1) ...
Setting up libpciaccess0:amd64 (0.14-1) ...
Setting up libstreambuffer-java (1.5.4-1) ...
Setting up libxv1:amd64 (2:1.0.11-1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up libatinject-jsr330-api-java (1.0+ds1-5) ...
Setting up libjboss-logging-tools-java (2.1.0-2) ...
Setting up libbasicobjects0:amd64 (0.6.1-1) ...
Setting up libmaven-parent-java (27-2) ...
Setting up python3-ply (3.11-1) ...
Setting up libdrm-radeon1:amd64 (2.4.91-2) ...
Setting up libref-array1:amd64 (0.6.1-1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
Setting up libxxf86vm1:amd64 (1:1.1.4-1) ...
Setting up libdrm-nouveau2:amd64 (2.4.91-2) ...
Setting up libxft2:amd64 (2.3.2-1) ...
Setting up python-dbus (1.2.6-1) ...
Setting up libcommons-codec-java (1.11-1) ...
Setting up libjss-java (4.4.3-1) ...
Setting up libjackson2-dataformat-smile (2.7.8-3) ...
Setting up slapi-nis (0.56.1-1build1) ...
Setting up libcommons-lang-java (2.6-8) ...
Setting up libcurl3-nss:amd64 (7.58.0-2ubuntu3.3) ...
Setting up python-pil:amd64 (5.1.0-1) ...
Setting up libcommons-httpclient-java (3.1-14) ...
Setting up libaopalliance-java (20070526-6) ...
Setting up libc-ares2:amd64 (1.14.0-1) ...
Setting up libjs-dojo-core (1.11.0+dfsg-1) ...
Setting up python-webencodings (0.5-2) ...
Setting up libgeronimo-annotation-1.3-spec-java (1.0-1) ...
Setting up libdbi-perl (1.640-1) ...
Setting up libjboss-logging-java (3.3.2-1) ...
Setting up libsss-sudo (1.16.1-1ubuntu1) ...
Checking NSS setup...
Setting up libxrandr2:amd64 (2:1.5.1-1) ...
Setting up librelaxng-datatype-java (1.0+ds1-3) ...
Setting up libcommons-cli-java (1.4-1) ...
Setting up libini-config5:amd64 (0.6.1-1) ...
Setting up libplexus-sec-dispatcher-java (1.4-3) ...
Setting up sssd-common (1.16.1-1ubuntu1) ...
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
sssd-secrets.service is a disabled or a static unit not running, not starting it.
Setting up python-ldap (3.0.0-1) ...
Setting up 389-ds-base (1.3.7.10-1ubuntu1) ...
dirsrv-snmp.service is a disabled or a static unit, not starting it.
dirsrv.target is a disabled or a static unit, not starting it.
Setting up bind9utils (1:9.11.3+dfsg-1ubuntu1.2) ...
Setting up libdom4j-java (2.1.0-2) ...
Setting up python-setuptools (39.0.1-2) ...
Setting up libsm6:amd64 (2:1.2.2-1) ...
Setting up libplexus-io-java (3.0.0-1) ...
Setting up libscannotation-java (1.0.2+svn20110812-3) ...
Setting up libsymkey-java (10.6.0-1ubuntu2) ...
Setting up python-libsss-nss-idmap (1.16.1-1ubuntu1) ...
Setting up sssd-krb5-common (1.16.1-1ubuntu1) ...
Setting up python-chardet (3.0.4-1) ...
Setting up libdbd-sqlite3-perl (1.56-1) ...
Setting up python-pycparser (2.18-2) ...
Setting up libnuxwdog-java (1.0.3-4) ...
Setting up libjs-dojo-dijit (1.11.0+dfsg-1) ...
Setting up libsofthsm2 (2.2.0-3.1build1) ...
Setting up libcglib-java (3.2.6-2) ...
Setting up opendnssec-signer (1:2.1.3-0.2build1) ...
Setting up python-jinja2 (2.10-1) ...
Setting up libtomcatjss-java (7.3.0~rc-1) ...
Setting up cracklib-runtime (2.9.2-5build1) ...
Setting up libjs-dojo-dojox (1.11.0+dfsg-1) ...
Setting up libsnappy-jni (1.1.4-1) ...
Setting up libldap-java (4.19+dfsg1-1) ...
Setting up libjansi-java (1.16-1) ...
Setting up p11-kit (0.23.9-2) ...
Setting up libaugeas0:amd64 (1.10.1-2) ...
Setting up libxsom-java (2.3.0-3) ...
Setting up bind9 (1:9.11.3+dfsg-1ubuntu1.2) ...
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
bind9-pkcs11.service is a disabled or a static unit not running, not starting it.
bind9-resolvconf.service is a disabled or a static unit not running, not starting it.
Setting up libguava-java (19.0-1) ...
Setting up python-qrcode (5.3-1) ...
update-alternatives: using /usr/bin/python2-qr to provide /usr/bin/qr (qr) in auto mode
Setting up sssd-ad-common (1.16.1-1ubuntu1) ...
Setting up libfastinfoset-java (1.2.12-3) ...
Setting up velocity (1.7-5) ...
Setting up sssd-krb5 (1.16.1-1ubuntu1) ...
Setting up libmsv-java (2009.1+dfsg1-5) ...
Setting up sssd-ldap (1.16.1-1ubuntu1) ...
Setting up sssd-proxy (1.16.1-1ubuntu1) ...
Setting up libcdi-api-java (1.2-2) ...
Setting up libpwquality1:amd64 (1.4.0-2) ...
Setting up libdrm-intel1:amd64 (2.4.91-2) ...
Setting up python-augeas (0.5.0-1) ...
Setting up sssd-dbus (1.16.1-1ubuntu1) ...
Setting up certmonger (0.79.5-3ubuntu1) ...
Setting up libsnappy-java (1.1.4-1) ...
Setting up libplexus-archiver-java (3.5-2) ...
Setting up libhttpclient-java (4.5.5-1) ...
Setting up softhsm2 (2.2.0-3.1build1) ...
Setting up bind9-dyndb-ldap (11.1-3ubuntu1) ...
Setting up librngom-java (2.3.0-3) ...
Setting up python-cffi (1.11.5-1) ...
Setting up libxt6:amd64 (1:1.1.5-1) ...
Setting up python-requests (2.18.4-2) ...
Setting up python-ipalib (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-guice-java (4.2.0-1) ...
Setting up python-html5lib (0.999999999-1) ...
Setting up libsisu-ioc-java (2.3.0-11) ...
Setting up opendnssec-enforcer-sqlite3 (1:2.1.3-0.2build1) ...
Setting up sssd-ad (1.16.1-1ubuntu1) ...
Setting up python-custodia (0.5.0-3) ...
Setting up libpam-pwquality:amd64 (1.4.0-2) ...
Setting up libguice-java (4.0-4) ...
Setting up pki-base (10.6.0-1ubuntu2) ...
Setting up sssd-ipa (1.16.1-1ubuntu1) ...
Setting up sssd (1.16.1-1ubuntu1) ...
Setting up libgl1-mesa-dri:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libpam-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up libwoodstox-java (1:4.1.3-1) ...
Setting up libxmu6:amd64 (2:1.1.2-2) ...
Setting up libjackson2-jaxrs-providers-java (2.9.4-1) ...
Setting up python-ipaclient (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-enforcer (1:2.1.3-0.2build1) ...
Setting up libsisu-inject-java (0.3.2-2) ...
Setting up pki-tools (10.6.0-1ubuntu2) ...
Setting up libglx-mesa0:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up opendnssec (1:2.1.3-0.2build1) ...
Setting up libxaw7:amd64 (2:1.0.13-1) ...
Setting up custodia (0.5.0-3) ...
Setting up freeipa-client (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-plexus-java (0.3.3-3) ...
Setting up libglx0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven3-core-java (3.5.2-2) ...
Setting up libmaven-shared-io-java (3.0.0-3) ...
Setting up libgl1:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven-file-management-java (3.0.0-1) ...
Setting up x11-utils (7.7+3build1) ...
Setting up libgl1-mesa-glx:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libatk-wrapper-java (0.33.3-20ubuntu0.1) ...
Setting up libatk-wrapper-java-jni:amd64 (0.33.3-20ubuntu0.1) ...
Setting up libistack-commons-java (3.0.6-1) ...
Setting up libcodemodel-java (2.6+jaxb2.3.0-3) ...
Setting up libtxw2-java (2.3.0-3) ...
Setting up libverto-libevent1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libverto1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libjaxb-java (2.3.0-3) ...
Setting up gssproxy (0.8.0-1) ...
Setting up libresteasy3.0-java (3.0.19-2) ...
Setting up krb5-kdc (1.16-2build1) ...
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-kdc.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
Setting up libkrad0:amd64 (1.16-2build1) ...
Setting up krb5-kdc-ldap (1.16-2build1) ...
Setting up krb5-admin-server (1.16-2build1) ...
Setting up pki-base-java (10.6.0-1ubuntu2) ...
Setting up krb5-otp:amd64 (1.16-2build1) ...
Setting up pki-server (10.6.0-1ubuntu2) ...
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
Docs: man:systemd-sysv-generator(8)
Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
pki-tomcatd start failed because no instance has been configured yet
Setting up python-ipaserver (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up pki-kra (10.6.0-1ubuntu2) ...
Setting up pki-ca (10.6.0-1ubuntu2) ...
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
Thank you!
Milos
4 years, 2 months
FreeIPA Client AD Trust user look-up latencies and results
by John Desantis
Hello all,
I've pretty much exhausted my searching in order to find a solution to
a problem I've been working on for about a week now, and now I find
myself grasping at straws.
Basically, AD trust user lookups on IPA clients fail several times in
a row before finally returning results (after 8-20 seconds). However,
this does not happen on the IPA servers - even after clearing caches.
Furthermore, querying the same list of users against a non-IPA Linux
client that connects directly to our AD domain using nslcd has no
issues querying the same list of users.
From what I understand regarding the anatomy of the FreeIPA - AD Trust
relationship, the FreeIPA servers' sssd caches are queried first by
FreeIPA clients and if there is no result, then the FreeIPA server
queries the AD domain controllers, receives results, caches them, and
then provides the results to the FreeIPA client.
I've tried adjusting the sssd.conf file on both the server and the
client, without any expected results:
ignore_group_members = True
ldap_purge_cache_timeout = (various values)
memcache_timeout = (various values)
cache_first = (various values)
ldap_opt_timeout = (various values)
ldap_search_timeout = (various values)
The trust was established using the range type of "ipa-ad-trust-posix"
since each user has a unique Posix UID and a shared unique Posix GID
(no AD groups are returned).
I've attached logs (dirsrv and sssd) from the IPA server I directly
specified via the client sssd.conf and logs from the client itself.
Any pointers and/or suggestions would be extremely helpful!
Thank you,
John DeSantis
4 years, 3 months
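One way to turn the attached sssd logs into numbers, as an added example that is not part of the original post and not code from sssd or FreeIPA: the script below pairs each back-end request in an sssd domain log with its reply and reports, per looked-up user, how many attempts failed before the first success and how long that took end to end. The line shape is modelled on sssd 1.16's sssd_<domain>.log at debug_level 6 or higher; the sample lines, host name, user names and errno values are constructed for the example and are an assumption, not taken from the poster's logs.

```python
"""Correlate sssd back-end request/reply lines to measure lookup latency.

Added example, not code from sssd, FreeIPA or the original post. The log
format is modelled on sssd 1.16's sssd_<domain>.log at debug_level >= 6;
the sample below is constructed and its errno values are assumed.
"""
import re
from datetime import datetime

# Constructed sample: three attempts for one AD user, the first two timing
# out before the third succeeds, and one immediate success for another user.
SAMPLE_LOG = """\
(Mon Oct 15 14:20:01 2018) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #1]: New request. Flags [0x0001].
(Mon Oct 15 14:20:01 2018) [sssd[be[ipa.example.com]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=jdoe@ad.example.com]
(Mon Oct 15 14:20:07 2018) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #1]: Request handler finished [110]: Connection timed out
(Mon Oct 15 14:20:07 2018) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #2]: New request. Flags [0x0001].
(Mon Oct 15 14:20:07 2018) [sssd[be[ipa.example.com]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=jdoe@ad.example.com]
(Mon Oct 15 14:20:13 2018) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #2]: Request handler finished [110]: Connection timed out
(Mon Oct 15 14:20:13 2018) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(Mon Oct 15 14:20:13 2018) [sssd[be[ipa.example.com]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=jdoe@ad.example.com]
(Mon Oct 15 14:20:15 2018) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #3]: Request handler finished [0]: Success
(Mon Oct 15 14:20:20 2018) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
(Mon Oct 15 14:20:20 2018) [sssd[be[ipa.example.com]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=asmith@ad.example.com]
(Mon Oct 15 14:20:20 2018) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
NEW_RE = re.compile(r"DP Request \[(?P<kind>\w+) #(?P<id>\d+)\]: New request")
INFO_RE = re.compile(
    r"Got request for \[0x[0-9a-fA-F]+\]\[(?P<type>\w+)\]\[(?P<data>[^\]]*)\]")
DONE_RE = re.compile(
    r"DP Request \[(?P<kind>\w+) #(?P<id>\d+)\]: "
    r"Request handler finished \[(?P<code>\d+)\]: (?P<reason>.*)")


def parse_ts(text):
    """sssd writes asctime()-style stamps: 'Mon Oct 15 14:20:01 2018'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def correlate(lines):
    """Pair each 'New request' with its 'Request handler finished' line.

    Returns one dict per completed request, in completion order, with the
    request id, lookup type/target, start/end stamps, elapsed seconds,
    result code and reason text.
    """
    pending = {}     # request id -> record still waiting for its reply
    last_new = None  # the 'Got request for' line describes the latest request
    done = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (new := NEW_RE.search(msg)):
            last_new = new["id"]
            pending[last_new] = {"id": int(last_new), "type": None,
                                 "target": None, "start": ts}
        elif (info := INFO_RE.search(msg)) and last_new in pending:
            pending[last_new]["type"] = info["type"]
            pending[last_new]["target"] = info["data"]
        elif (fin := DONE_RE.search(msg)):
            rec = pending.pop(fin["id"], None)
            if rec is None:
                continue  # reply for a request whose start we never saw
            rec.update(end=ts,
                       seconds=(ts - rec["start"]).total_seconds(),
                       code=int(fin["code"]), reason=fin["reason"])
            done.append(rec)
    return done


def summarize(done):
    """Per target: attempts, failed attempts, and seconds from the first
    attempt's start to the first successful reply (None if none succeeded)."""
    out, first_start = {}, {}
    for rec in sorted(done, key=lambda r: r["start"]):
        tgt = rec["target"]
        first_start.setdefault(tgt, rec["start"])
        s = out.setdefault(tgt, {"attempts": 0, "failures": 0,
                                 "time_to_success_s": None})
        s["attempts"] += 1
        if rec["code"] != 0:
            s["failures"] += 1
        elif s["time_to_success_s"] is None:
            s["time_to_success_s"] = (rec["end"] - first_start[tgt]).total_seconds()
    return out


if __name__ == "__main__":
    for target, s in summarize(correlate(SAMPLE_LOG.splitlines())).items():
        print(f"{target}: {s['attempts']} attempts, {s['failures']} failed, "
              f"first success after {s['time_to_success_s']} s")
```

Running the same script over the server's sssd_<domain>.log and over the client's makes it visible which hop is absorbing the delay: failures that show up only on the client point at the client-to-server path, failures that also appear on the server point at the server-to-AD path.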
IPA users and local groups question
by Jeff Goddard
First off, thanks to everyone who makes FreeIPA. It's an awesome product that
we love.
We're working at breaking our application up into micro services and using
docker containers and deployment automation. As part of this I have a
deploy user in IPA and a rundeck server that performs tasks as this user.
However, we need this user to be part of the local docker hosts' "docker"
group. Is this something I have to do manually per host? Is it possible to
create a docker IPA group that will substitute for the local docker group
and do it all in IPA? Our IPA version is 4.4. The servers are Centos 7.2
and the clients are ubuntu 16.04 LTS.
Thanks for the insight, references and help,
Jeff
4 years, 3 months