Hi folks,
Environment: AWS-based FreeIPA cluster with its own unique realm/domain that is bound to the AD domain of the real COMPANY.COM and a fairly complex forest.
We have a functional FreeIPA system at the moment where AD users from COMPANY.COM can log in
- via <crypticshortname>@CHILD-DOMAIN.COMPANY.COM on older systems
- via <crypticshortname>@COMPANY.COM on newer systems with fresh SSSD (thank you AD search domains, heh!)
But we've gotten word from AD admins that they want to change the UPN from <crypticshortname> to "<firstname>.<lastname>@company.com" and, although I did not witness it, supposedly when they made the change all SSH logins to our FreeIPA-managed systems broke.
I'm still not 100% convinced that things broke, and we'll be testing more this week, but now I'm motivated to try to get ahead of any potential problems ...
Looking for documentation and URLs to read, or general tips and advice, regarding any impact or changes needed on FreeIPA when the UPN on Active Directory changes format.
In particular:
- What happens to existing IPA user groups of type "external" when we've listed those AD usernames via their <shortname>@CHILD-DOMAIN.COMPANY.COM and the UPN is now different? Do we have to go update/change/fix all of our external users? If so, do those changes propagate into all of the other RBAC rules, or are we looking at an entire rebuild/reset of our RBAC and user environment?
- Any FreeIPA changes or settings to look at or alter when UPN changes
format?
I'm probably missing other major questions to ask so any other tips or
advice would be appreciated.
Regards
Chris
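As an added example for the first question (not part of the post above, and not FreeIPA's own tooling): IPA records an external group member as the AD SID that `ipa group-add-member --external` resolved when the member was added, so a UPN rename does not by itself rewrite those memberships; what does need re-checking is that every stored SID still resolves in AD and what new name it now maps to. The script parses the text output of `ipa group-show --all` for an external group, separates SID values from name strings, and cross-checks the SIDs against a SID-to-new-UPN table such as one exported from AD. The group name, SIDs and UPNs in the sample are constructed.

```python
"""Inventory external group members ahead of an AD UPN format change.

Added example; not from the mailing-list post or the FreeIPA project.
"""
import re
import subprocess

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample, modelled on `ipa group-show --all <group>` text output.
SAMPLE_GROUP_SHOW = """\
  Group name: ad_admins_external
  Description: AD admins (external)
  External member: S-1-5-21-1000000001-2000000002-3000000003-1104, S-1-5-21-1000000001-2000000002-3000000003-1105
  Member of groups: ad_admins
"""

# Constructed SID -> new UPN table (as an AD export would give you); only one
# of the two sample SIDs is present, so the other shows up as unresolved.
SAMPLE_SID_MAP = {
    "S-1-5-21-1000000001-2000000002-3000000003-1104": "jane.doe@company.com",
}


def parse_group_show(text):
    """Turn the `Key: value` lines of `ipa group-show` into a dict.
    `External member` is multi-valued and printed comma-separated."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or not value.strip():
            continue
        key, value = key.strip(), value.strip()
        if key == "External member":
            fields[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            fields[key] = value
    return fields


def classify_member(member):
    """'sid' for a domain SID, 'name' for a user@domain string, else 'unknown'."""
    if SID_RE.match(member):
        return "sid"
    if "@" in member:
        return "name"
    return "unknown"


def audit_group(text, sid_to_upn):
    """Report which members are anchored to a SID that still resolves,
    which SIDs are unknown to AD, and which are stored as bare names."""
    fields = parse_group_show(text)
    report = {"group": fields.get("Group name", "?"),
              "by_sid": [], "by_name": [], "unresolved": []}
    for member in fields.get("External member", []):
        kind = classify_member(member)
        if kind == "sid" and member in sid_to_upn:
            report["by_sid"].append((member, sid_to_upn[member]))
        elif kind == "sid":
            report["unresolved"].append(member)
        else:
            report["by_name"].append(member)
    return report


def audit_live(sid_to_upn):
    """Run the audit over every external group; needs an admin ticket and the ipa CLI."""
    names = subprocess.run(["ipa", "group-find", "--external", "--raw"],
                           check=True, capture_output=True, text=True).stdout
    groups = re.findall(r"^\s*cn:\s*(\S+)", names, re.MULTILINE)
    reports = []
    for group in groups:
        show = subprocess.run(["ipa", "group-show", "--all", group],
                              check=True, capture_output=True, text=True).stdout
        reports.append(audit_group(show, sid_to_upn))
    return reports


if __name__ == "__main__":
    rep = audit_group(SAMPLE_GROUP_SHOW, SAMPLE_SID_MAP)
    print("%s: %d resolved, %d unresolved, %d stored by name" % (
        rep["group"], len(rep["by_sid"]), len(rep["unresolved"]), len(rep["by_name"])))
```

Anything in the `unresolved` list is the case to investigate before the rename goes live: a SID that AD no longer knows (account deleted and recreated, or moved to another forest) keeps its group membership in IPA but will never match a login again, which is the symptom that looks like "the UPN change broke SSH".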
Hey folks,
I read it's possible to attach Puppet CA to the FreeIPA CA.
The only howtos out there were pretty dated; they either state super old Puppetserver components (puppet server, which was abolished in like 3.x), CentOS5 or even FreeIPA's inability to run more than one CA.
For the lack of any good/recent howto out there, here are my assumptions:
- I should create a CA for Puppet in FreeIPA. This can be trivially done via the GUI.
Q: It would ask me for a DN on the CA. Would I put the FQDN of my PuppetServer there?
- Create the puppetserver certificate on any node with admin rights:
ipa service-add puppetmaster/$(hostname -f)
ipa service-add puppet/$(hostname -f)
Q: I found the puppet*/* descriptors in some ancient document. I am
unsure if they are still needed or if they are the right ones
for Puppet 6.x+.
Q: How can I request a certificate from a specific CA?
- Then I found this tidbit:
--- 8< --- --- 8< --- --- 8< ---
yum --nogpgcheck --localinstall \
  http://passenger.stealthymonkeys.com/fedora/16/passenger-release.noarch.rpm
yum install mod_nss mod_passenger
ipa-client-install --password=secret
systemctl stop puppetmaster.service
# request a certificate into the httpd NSS database, tracked by certmonger
ipa-getcert request -K puppetmaster/puppet.example.com \
  -d /etc/httpd/alias \
  -n puppetmaster/puppet.example.com
# request a PEM key/certificate pair for the puppet service itself
ipa-getcert request -K puppet/puppet.example.com \
  -D puppet.example.com \
  -k /etc/puppet/ssl/private_keys/puppet.example.com.pem \
  -f /etc/puppet/ssl/public_keys/puppet.example.com.pem
mkdir -p /var/www/puppet/public
cp /usr/share/puppet/ext/rack/files/config.ru /var/www/puppet
--- 8< --- --- 8< --- --- 8< ---
(https://jca.pe/2012/01/16/using-the-freeipa-pki-with-puppet/) from 2012.
Those paths still check out. I would adapt those with the certificate I
got earlier.
Am I on the right track here?
-Chris.
--
Christian Reiss - email(a)christian-reiss.de          /"\  ASCII Ribbon
                  support(a)alpha-labs.net            \ /  Campaign
                                                      X   against HTML
WEB alpha-labs.net                                   / \  in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise Lost.
Hello,
I need some assistance getting a basic functional docker-based FreeIPA server deploy working. I am not sure what I am missing, but the install is consistently failing on the client setup portion at the end. I have tried a number of variations for install options, but always end up with the same result. Any assistance would be much appreciated.
This is a good example of how I am bootstrapping the container:
host=ipa
domain=example.com
realm=EXAMPLE.COM
password=Secret123
rm -rf /data/ipa/*
cat << EOF > /data/ipa/ipa-server-install-options
--setup-dns \
--forwarder=10.2.0.2 \
--allow-zone-overlap \
--domain=${domain} \
--realm=${realm} \
--hostname=${host}.${domain} \
--ds-password=${password} \
--admin-password=${password} \
--no-ntp \
--verbose \
--unattended
EOF
docker run -it --rm -e DEBUG_TRACE=1 -e DEBUG_NO_EXIT=1 --name ${host} -h ${host}.${domain} \
-e PASSWORD=$password \
-v /data/ipa:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp \
-p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
-p 88:88/udp -p 464:464/udp -p 123:123/udp -p 7389:7389 -p 9443:9443 -p 9444:9444 -p 9445:9445 \
--privileged --userns=host freeipa/freeipa-server
It appears that most of the install runs as expected, but this is what I get in the end:
No valid Negotiate header in server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Here are some additional details from the ipaclient-install.log:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 726, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.7/site-packages/ipalib/rpc.py", line 679, in _auth_complete
    message=u"No valid Negotiate header in server response")
ipalib.errors.KerberosError: No valid Negotiate header in server response
2019-06-28T17:01:04Z DEBUG Destroyed connection context.rpcclient_140381178350560
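Added example, not from the post above and not part of the freeipa-server container image: a pre-flight checker for the options file the container consumes. It parses the one-option-per-line format with trailing backslashes and flags empty values (what you get when a shell variable such as `${realm}` or `${host}` was never set), a realm that is not the upper-cased domain, a hostname that is not a FQDN inside the domain, a non-IP forwarder and passwords shorter than the installer's 8-character minimum. Mismatches of that kind tend to surface only at the very end, in the client enrolment step, as a Kerberos error rather than at the option that caused them. Both option sets below are constructed.

```python
"""Pre-flight validation of an ipa-server-install options file.

Added example; not from the post or the freeipa-server container project.
"""
import ipaddress

# Constructed: the option set from the post with a valid domain/realm/host.
GOOD_OPTIONS = """\
--setup-dns \\
--forwarder=10.2.0.2 \\
--allow-zone-overlap \\
--domain=example.com \\
--realm=EXAMPLE.COM \\
--hostname=ipa.example.com \\
--ds-password=Secret123 \\
--admin-password=Secret123 \\
--no-ntp \\
--verbose \\
--unattended
"""

# Constructed: the same file as the shell would write it when the variables
# `realm` and `host` were never assigned (empty expansions).
BAD_OPTIONS = (GOOD_OPTIONS
               .replace("--realm=EXAMPLE.COM", "--realm=")
               .replace("--hostname=ipa.example.com", "--hostname=.example.com"))


def parse_options(text):
    """Parse `--opt=value \\` lines into a dict; flags without '=' map to True."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\").strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("--"):
            raise ValueError("not an option line: %r" % raw)
        key, eq, value = line[2:].partition("=")
        opts[key] = value if eq else True
    return opts


def _str(opts, key):
    value = opts.get(key)
    return value if isinstance(value, str) else ""


def check_options(opts):
    """Return a list of human-readable problems; empty means the file looks sane."""
    problems = []
    for key in ("domain", "realm", "hostname", "ds-password", "admin-password"):
        if not _str(opts, key):
            problems.append("missing or empty --%s" % key)
    domain, realm, host = _str(opts, "domain"), _str(opts, "realm"), _str(opts, "hostname")
    if domain and "." not in domain:
        problems.append("--domain %r has a single label; IPA needs a dotted domain" % domain)
    if domain and realm and realm != domain.upper():
        problems.append("--realm %r is not the upper-cased --domain (%s); usually a typo"
                        % (realm, domain.upper()))
    if host and domain:
        labels = host.split(".")
        if host == domain or not host.endswith("." + domain) or any(not l for l in labels):
            problems.append("--hostname %r is not a FQDN inside --domain %r" % (host, domain))
        if host != host.lower():
            problems.append("--hostname %r should be lower-case" % host)
    if "setup-dns" in opts:
        fwd = _str(opts, "forwarder")
        if fwd:
            try:
                ipaddress.ip_address(fwd)
            except ValueError:
                problems.append("--forwarder %r is not an IP address" % fwd)
        elif "no-forwarders" not in opts:
            problems.append("--setup-dns needs --forwarder=IP or --no-forwarders")
    for key in ("ds-password", "admin-password"):
        pw = _str(opts, key)
        if pw and len(pw) < 8:
            problems.append("--%s is shorter than the installer's 8-character minimum" % key)
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_OPTIONS), ("bad", BAD_OPTIONS)):
        print(label, check_options(parse_options(text)) or "OK")
```

Run it against `/data/ipa/ipa-server-install-options` before `docker run`; the `-h ${host}.${domain}` argument to docker must agree with `--hostname`, since the server's Kerberos principal and the client's view of it are both derived from that name.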
Hi,
Is it required to upgrade via every minor release of CentOS, say 7.2, 7.3, 7.4, etc., to have a successful IPA upgrade, or can one also go from 7.2 to 7.6 directly?
Any advice will be appreciated,
Thanks,
Chris
I am trying to install the freeipa-server package on Debian again after an uninstall, and it is now failing. I removed all packages and config files in the normal way, but something still seems to cause issues. The installation output after running apt install freeipa-server is as follows (I'm first extracting the main warning and failure lines I identified).
—————
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
—————
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
—————
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
   Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/krb5-kdc.service.d
           └─slapd-before-kdc.conf
   Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
  Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)

Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
—————
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
   Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
   Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)

Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
—————
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
—————
FULL OUTPUT:
Setting up libsymkey-jni (10.6.0-1ubuntu2) ...
Setting up python-dnspython (1.15.0-1) ...
Setting up libxcb-present0:amd64 (1.13-1) ...
Setting up libslf4j-java (1.7.25-3) ...
Setting up libglvnd0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up oddjob (0.34.3-4) ...
Setting up libxinerama1:amd64 (2:1.1.3-1) ...
Setting up libplexus-classworlds-java (2.5.2-2) ...
Processing triggers for ufw (0.35-5) ...
Setting up libxcb-dri2-0:amd64 (1.13-1) ...
Setting up libsss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libhttp-parser2.7.1:amd64 (2.7.1-2) ...
Setting up libxcb-dri3-0:amd64 (1.13-1) ...
Setting up libxcb-glx0:amd64 (1.13-1) ...
Setting up libcommons-io-java (2.6-2) ...
Setting up libstax-java (1.2.0-4) ...
Setting up libargs4j-java (2.33-1) ...
Setting up python-urllib3 (1.22-1) ...
Setting up libapache2-mod-lookup-identity (1.0.0-1) ...
apache2_invoke: Enable module lookup_identity
Setting up libpath-utils1:amd64 (0.6.1-1) ...
Setting up libjettison-java (1.4.0-1) ...
Setting up libsocket-getaddrinfo-perl (0.22-3) ...
Setting up libknopflerfish-osgi-framework-java (6.1.1-2) ...
Setting up libperl4-corelibs-perl (0.004-1) ...
Setting up libsss-nss-idmap0 (1.16.1-1ubuntu1) ...
Setting up libnfsidmap2:amd64 (0.25-5.1) ...
Setting up python-usb (1.0.0-1) ...
Setting up libxdamage1:amd64 (1:1.1.4-3) ...
Setting up libhawtjni-runtime-java (1.15-2) ...
Setting up libhttpcore-java (4.4.9-1) ...
Setting up libjackson2-core-java (2.9.4-1) ...
Setting up ieee-data (20180204.1) ...
Setting up libjsr311-api-java (1.1.1-1) ...
Setting up python-yubico (1.3.2-1) ...
Setting up libyaml-snake-java (1.20-1) ...
Setting up libxfixes3:amd64 (1:5.0.3-1) ...
Setting up oddjob-mkhomedir (0.34.3-4) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libdrm-amdgpu1:amd64 (2.4.91-2) ...
Setting up libllvm6.0:amd64 (1:6.0-1ubuntu2) ...
Setting up chrony (3.2-4ubuntu4.2) ...
Setting up libisorelax-java (20041111-10) ...
Setting up python-openssl (17.5.0-1ubuntu1) ...
Setting up libplexus-cipher-java (1.7-3) ...
Setting up python-ply (3.11-1) ...
Setting up python-kdcproxy (0.3.2-5) ...
Setting up python-netaddr (0.7.19-1) ...
Setting up python-jwcrypto (0.4.2-1) ...
Setting up libatspi2.0-0:amd64 (2.28.0-1) ...
Setting up libdtd-parser-java (1.2~svn20110404-1) ...
Setting up libsvrcore0:amd64 (1:4.1.2+dfsg1-3) ...
Setting up at-spi2-core (2.28.0-1) ...
Setting up libsss-certmap0 (1.16.1-1ubuntu1) ...
Setting up libxshmfence1:amd64 (1.3-1) ...
Setting up libjaxb-api-java (2.2.9-1) ...
Setting up krb5-pkinit:amd64 (1.16-2build1) ...
Setting up libstax2-api-java (3.1.1-1) ...
Setting up python-certifi (2018.1.18-2) ...
Setting up libstax-ex-java (1.7.8-1) ...
Setting up libipa-hbac0 (1.16.1-1ubuntu1) ...
Setting up dogtag-pki-server-theme (10.6.0-1ubuntu2) ...
Setting up libplexus-interpolation-java (1.24-1) ...
Setting up libnl-route-3-200:amd64 (3.2.29-0ubuntu3) ...
Setting up libglapi-mesa:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up fonts-open-sans (1.11-1) ...
Setting up python-sss (1.16.1-1ubuntu1) ...
Setting up libplexus-component-annotations-java (1.7.1-7) ...
Setting up python-pkg-resources (39.0.1-2) ...
Setting up freeipa-common (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-common (1:2.1.3-0.2build1) ...
Setting up libmaven-shared-utils-java (3.1.0-2) ...
Setting up python-pyasn1-modules (0.2.1-0.2) ...
Setting up libdhash1:amd64 (0.6.1-1) ...
Setting up python-nss (1.0.0-1build3) ...
Setting up python-markupsafe (1.0-1build1) ...
Setting up fonts-font-awesome (4.7.0~dfsg-3) ...
Setting up python-netifaces (0.10.4-0.1build4) ...
Setting up libjackson2-annotations-java (2.9.4-1) ...
Setting up libldns2:amd64 (1.7.0-3ubuntu4) ...
Setting up sqlite3 (3.22.0-1) ...
Setting up libjoda-time-java (2.9.9-1) ...
Setting up libplexus-utils2-java (3.0.24-3) ...
Setting up libjackson2-dataformat-cbor (2.7.8-3) ...
Setting up libcollection4:amd64 (0.6.1-1) ...
Setting up libwagon-provider-api-java (3.0.0-2) ...
Setting up libxcb-sync1:amd64 (1.13-1) ...
Setting up libjsr305-java (0.1~+svn49-10) ...
Setting up python-dateutil (2.6.1-1) ...
Setting up ldap-utils (2.4.45+dfsg-1ubuntu1) ...
Setting up libatk1.0-data (2.28.1-1) ...
Setting up libjackson2-databind-java (2.9.5-1) ...
Setting up libjackson2-dataformat-yaml (2.8.10-3) ...
Setting up libx11-xcb1:amd64 (2:1.6.4-3ubuntu0.1) ...
Setting up libnetaddr-ip-perl (4.079+dfsg-1build2) ...
Setting up python-gi (3.26.1-2) ...
Setting up libmozilla-ldap-perl (1.5.3-2build4) ...
Setting up libservlet3.1-java (8.5.30-1ubuntu1.4) ...
Setting up libjboss-jdeparser2-java (2.0.2-1) ...
Setting up libjavassist-java (1:3.21.0-2) ...
Setting up p11-kit-modules:amd64 (0.23.9-2) ...
Setting up libnss-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up softhsm2-common (2.2.0-3.1build1) ...
Setting up libhsm-bin (1:2.1.3-0.2build1) ...
Setting up python3-sss (1.16.1-1ubuntu1) ...
Setting up libjackson2-module-jaxb-annotations-java (2.8.10-2) ...
Setting up libxmlrpc-core-c3 (1.33.14-8build1) ...
Setting up libxxf86dga1:amd64 (2:1.1.4-1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up libjackson-json-java (1.9.2-9) ...
Setting up python-bs4 (4.6.0-1) ...
Setting up python-selinux (2.7-2build2) ...
Setting up libgeronimo-interceptor-3.0-spec-java (1.0.1-4fakesync) ...
Setting up libmaven-resolver-java (1.1.0-3) ...
Setting up libsocket6-perl (0.27-1build2) ...
Setting up libnsspem:amd64 (1.0.3-0ubuntu2) ...
Setting up 389-ds-base-libs (1.3.7.10-1ubuntu1) ...
Setting up libplexus-utils-java (1:1.5.15-5) ...
Setting up libnss3-tools (2:3.35-2ubuntu2) ...
Setting up python-libipa-hbac (1.16.1-1ubuntu1) ...
Setting up libnuxwdog0 (1.0.3-4) ...
Setting up libjackson2-dataformat-xml-java (2.9.4-1) ...
Setting up libcommons-compress-java (1.13-2) ...
Setting up libatk1.0-0:amd64 (2.28.1-1) ...
Setting up libcommons-lang3-java (3.5-2ubuntu1) ...
Setting up libjaxen-java (1.1.6-3) ...
Setting up libwebpmux3:amd64 (0.6.1-2) ...
Setting up libsnappy1v5:amd64 (1.1.7-1) ...
Setting up libjansi-native-java (1.7-1) ...
Setting up python-systemd (234-1build1) ...
Processing triggers for systemd (237-3ubuntu10.3) ...
Setting up libpwquality-common (1.4.0-2) ...
Setting up augeas-lenses (1.10.1-2) ...
Setting up python-lxml:amd64 (4.2.1-1) ...
Setting up libatk-bridge2.0-0:amd64 (2.26.2-1) ...
Setting up libjaxrs-api-java (2.1-1) ...
Setting up libice6:amd64 (2:1.0.9-2) ...
Setting up libasm-java (6.0-1) ...
Setting up libfontenc1:amd64 (1:1.1.3-1) ...
Setting up libxcomposite1:amd64 (1:0.4.4-2) ...
Setting up libcrack2:amd64 (2.9.2-5build1) ...
Setting up python-olefile (0.45.1-1) ...
Setting up libwebpdemux2:amd64 (0.6.1-2) ...
Setting up libxcb-shape0:amd64 (1.13-1) ...
Setting up libpciaccess0:amd64 (0.14-1) ...
Setting up libstreambuffer-java (1.5.4-1) ...
Setting up libxv1:amd64 (2:1.0.11-1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up libatinject-jsr330-api-java (1.0+ds1-5) ...
Setting up libjboss-logging-tools-java (2.1.0-2) ...
Setting up libbasicobjects0:amd64 (0.6.1-1) ...
Setting up libmaven-parent-java (27-2) ...
Setting up python3-ply (3.11-1) ...
Setting up libdrm-radeon1:amd64 (2.4.91-2) ...
Setting up libref-array1:amd64 (0.6.1-1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
Setting up libxxf86vm1:amd64 (1:1.1.4-1) ...
Setting up libdrm-nouveau2:amd64 (2.4.91-2) ...
Setting up libxft2:amd64 (2.3.2-1) ...
Setting up python-dbus (1.2.6-1) ...
Setting up libcommons-codec-java (1.11-1) ...
Setting up libjss-java (4.4.3-1) ...
Setting up libjackson2-dataformat-smile (2.7.8-3) ...
Setting up slapi-nis (0.56.1-1build1) ...
Setting up libcommons-lang-java (2.6-8) ...
Setting up libcurl3-nss:amd64 (7.58.0-2ubuntu3.3) ...
Setting up python-pil:amd64 (5.1.0-1) ...
Setting up libcommons-httpclient-java (3.1-14) ...
Setting up libaopalliance-java (20070526-6) ...
Setting up libc-ares2:amd64 (1.14.0-1) ...
Setting up libjs-dojo-core (1.11.0+dfsg-1) ...
Setting up python-webencodings (0.5-2) ...
Setting up libgeronimo-annotation-1.3-spec-java (1.0-1) ...
Setting up libdbi-perl (1.640-1) ...
Setting up libjboss-logging-java (3.3.2-1) ...
Setting up libsss-sudo (1.16.1-1ubuntu1) ...
Checking NSS setup...
Setting up libxrandr2:amd64 (2:1.5.1-1) ...
Setting up librelaxng-datatype-java (1.0+ds1-3) ...
Setting up libcommons-cli-java (1.4-1) ...
Setting up libini-config5:amd64 (0.6.1-1) ...
Setting up libplexus-sec-dispatcher-java (1.4-3) ...
Setting up sssd-common (1.16.1-1ubuntu1) ...
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning failed to create cache: usr.sbin.sssd
sssd-secrets.service is a disabled or a static unit not running, not starting it.
Setting up python-ldap (3.0.0-1) ...
Setting up 389-ds-base (1.3.7.10-1ubuntu1) ...
dirsrv-snmp.service is a disabled or a static unit, not starting it.
dirsrv.target is a disabled or a static unit, not starting it.
Setting up bind9utils (1:9.11.3+dfsg-1ubuntu1.2) ...
Setting up libdom4j-java (2.1.0-2) ...
Setting up python-setuptools (39.0.1-2) ...
Setting up libsm6:amd64 (2:1.2.2-1) ...
Setting up libplexus-io-java (3.0.0-1) ...
Setting up libscannotation-java (1.0.2+svn20110812-3) ...
Setting up libsymkey-java (10.6.0-1ubuntu2) ...
Setting up python-libsss-nss-idmap (1.16.1-1ubuntu1) ...
Setting up sssd-krb5-common (1.16.1-1ubuntu1) ...
Setting up python-chardet (3.0.4-1) ...
Setting up libdbd-sqlite3-perl (1.56-1) ...
Setting up python-pycparser (2.18-2) ...
Setting up libnuxwdog-java (1.0.3-4) ...
Setting up libjs-dojo-dijit (1.11.0+dfsg-1) ...
Setting up libsofthsm2 (2.2.0-3.1build1) ...
Setting up libcglib-java (3.2.6-2) ...
Setting up opendnssec-signer (1:2.1.3-0.2build1) ...
Setting up python-jinja2 (2.10-1) ...
Setting up libtomcatjss-java (7.3.0~rc-1) ...
Setting up cracklib-runtime (2.9.2-5build1) ...
Setting up libjs-dojo-dojox (1.11.0+dfsg-1) ...
Setting up libsnappy-jni (1.1.4-1) ...
Setting up libldap-java (4.19+dfsg1-1) ...
Setting up libjansi-java (1.16-1) ...
Setting up p11-kit (0.23.9-2) ...
Setting up libaugeas0:amd64 (1.10.1-2) ...
Setting up libxsom-java (2.3.0-3) ...
Setting up bind9 (1:9.11.3+dfsg-1ubuntu1.2) ...
Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: No such file or directory
bind9-pkcs11.service is a disabled or a static unit not running, not starting it.
bind9-resolvconf.service is a disabled or a static unit not running, not starting it.
Setting up libguava-java (19.0-1) ...
Setting up python-qrcode (5.3-1) ...
update-alternatives: using /usr/bin/python2-qr to provide /usr/bin/qr (qr) in auto mode
Setting up sssd-ad-common (1.16.1-1ubuntu1) ...
Setting up libfastinfoset-java (1.2.12-3) ...
Setting up velocity (1.7-5) ...
Setting up sssd-krb5 (1.16.1-1ubuntu1) ...
Setting up libmsv-java (2009.1+dfsg1-5) ...
Setting up sssd-ldap (1.16.1-1ubuntu1) ...
Setting up sssd-proxy (1.16.1-1ubuntu1) ...
Setting up libcdi-api-java (1.2-2) ...
Setting up libpwquality1:amd64 (1.4.0-2) ...
Setting up libdrm-intel1:amd64 (2.4.91-2) ...
Setting up python-augeas (0.5.0-1) ...
Setting up sssd-dbus (1.16.1-1ubuntu1) ...
Setting up certmonger (0.79.5-3ubuntu1) ...
Setting up libsnappy-java (1.1.4-1) ...
Setting up libplexus-archiver-java (3.5-2) ...
Setting up libhttpclient-java (4.5.5-1) ...
Setting up softhsm2 (2.2.0-3.1build1) ...
Setting up bind9-dyndb-ldap (11.1-3ubuntu1) ...
Setting up librngom-java (2.3.0-3) ...
Setting up python-cffi (1.11.5-1) ...
Setting up libxt6:amd64 (1:1.1.5-1) ...
Setting up python-requests (2.18.4-2) ...
Setting up python-ipalib (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-guice-java (4.2.0-1) ...
Setting up python-html5lib (0.999999999-1) ...
Setting up libsisu-ioc-java (2.3.0-11) ...
Setting up opendnssec-enforcer-sqlite3 (1:2.1.3-0.2build1) ...
Setting up sssd-ad (1.16.1-1ubuntu1) ...
Setting up python-custodia (0.5.0-3) ...
Setting up libpam-pwquality:amd64 (1.4.0-2) ...
Setting up libguice-java (4.0-4) ...
Setting up pki-base (10.6.0-1ubuntu2) ...
Setting up sssd-ipa (1.16.1-1ubuntu1) ...
Setting up sssd (1.16.1-1ubuntu1) ...
Setting up libgl1-mesa-dri:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libpam-sss:amd64 (1.16.1-1ubuntu1) ...
Setting up libwoodstox-java (1:4.1.3-1) ...
Setting up libxmu6:amd64 (2:1.1.2-2) ...
Setting up libjackson2-jaxrs-providers-java (2.9.4-1) ...
Setting up python-ipaclient (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up opendnssec-enforcer (1:2.1.3-0.2build1) ...
Setting up libsisu-inject-java (0.3.2-2) ...
Setting up pki-tools (10.6.0-1ubuntu2) ...
Setting up libglx-mesa0:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up opendnssec (1:2.1.3-0.2build1) ...
Setting up libxaw7:amd64 (2:1.0.13-1) ...
Setting up custodia (0.5.0-3) ...
Setting up freeipa-client (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up libsisu-plexus-java (0.3.3-3) ...
Setting up libglx0:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven3-core-java (3.5.2-2) ...
Setting up libmaven-shared-io-java (3.0.0-3) ...
Setting up libgl1:amd64 (1.0.0-2ubuntu2.2) ...
Setting up libmaven-file-management-java (3.0.0-1) ...
Setting up x11-utils (7.7+3build1) ...
Setting up libgl1-mesa-glx:amd64 (18.0.5-0ubuntu0~18.04.1) ...
Setting up libatk-wrapper-java (0.33.3-20ubuntu0.1) ...
Setting up libatk-wrapper-java-jni:amd64 (0.33.3-20ubuntu0.1) ...
Setting up libistack-commons-java (3.0.6-1) ...
Setting up libcodemodel-java (2.6+jaxb2.3.0-3) ...
Setting up libtxw2-java (2.3.0-3) ...
Setting up libverto-libevent1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libverto1:amd64 (0.2.4-2.1ubuntu3) ...
Setting up libjaxb-java (2.3.0-3) ...
Setting up gssproxy (0.8.0-1) ...
Setting up libresteasy3.0-java (3.0.19-2) ...
Setting up krb5-kdc (1.16-2build1) ...
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
   Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/krb5-kdc.service.d
           └─slapd-before-kdc.conf
   Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms ago
  Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)

Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while fetching master key K/M for realm IPA.MDPI.COM
Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize realm IPA.MDPI.COM - see log file for details
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control process exited, code=exited status=1
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
Setting up libkrad0:amd64 (1.16-2build1) ...
Setting up krb5-kdc-ldap (1.16-2build1) ...
Setting up krb5-admin-server (1.16-2build1) ...
Setting up pki-base-java (10.6.0-1ubuntu2) ...
Setting up krb5-otp:amd64 (1.16-2build1) ...
Setting up pki-server (10.6.0-1ubuntu2) ...
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
Job for pki-tomcatd.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
   Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
   Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=1/FAILURE)

Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR: No 'tomcat' instances installed!
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control process exited, code=exited status=1
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with result 'exit-code'.
Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start pki-tomcatd at boot time.
pki-tomcatd start failed because no instance has been configured yet
Setting up python-ipaserver (4.7.0~pre1+git20180411-2ubuntu2) ...
Setting up pki-kra (10.6.0-1ubuntu2) ...
Setting up pki-ca (10.6.0-1ubuntu2) ...
Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
dpkg: error processing package freeipa-server (--configure):
installed freeipa-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
freeipa-server-dns depends on freeipa-server (>= 4.7.0~pre1+git20180411-2ubuntu2); however:
Package freeipa-server is not configured yet.
dpkg: error processing package freeipa-server-dns (--configure):
dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for oddjob (0.34.3-4) ...
Errors were encountered while processing:
freeipa-server
freeipa-server-dns
E: Sub-process /usr/bin/dpkg returned an error code (1)
Thank you!
Milos
hi guys,
I'm starting to look more thoroughly into the CA, and something I'm not sure is possible, and hoping you could shed more light on, is: having IPA deployed with its own CA, is it possible at a later point to move/migrate/change IPA to a subordinate type of CA with AD's CA as root?
Is such a change an SOP, or rather something undocumented/unsupported but possible & risky?
many thanks, L.
What I did on an OracleLinux 8 beta system (which is an IPA client) was
installing the packages tlog and cockpit-session-recording. I do not
want to use the cockpit web interface. What are the next steps in order
to get session recording working?
Cheers,
Ronald
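As an added example (not from Ronald's post, and not from the tlog or SSSD projects): on an IPA client, tlog is driven by SSSD rather than by Cockpit. A `[session_recording]` section in `/etc/sssd/sssd.conf` makes SSSD hand out `/usr/bin/tlog-rec-session` as the login shell for the selected users, and that wrapper records the session to the journal and then execs the user's real shell. The helper below renders that section, merges it into an existing sssd.conf and enforces the root-only 0600 mode SSSD requires before it will start. The config path and the user name are assumptions.

```python
"""Enable SSSD-driven tlog session recording on an IPA client.

Added example; not from the post, SSSD or tlog. Assumes sssd.conf lives at
/etc/sssd/sssd.conf (the default) and that tlog is installed.
"""
import configparser
import os
import stat
import sys

VALID_SCOPES = ("none", "some", "all")


def render_session_recording(scope="some", users=(), groups=()):
    """Return the [session_recording] section text for sssd.conf."""
    if scope not in VALID_SCOPES:
        raise ValueError("scope must be one of %s" % (VALID_SCOPES,))
    if scope == "some" and not (users or groups):
        raise ValueError("scope=some records nobody unless users= or groups= is set")
    lines = ["[session_recording]", "scope = %s" % scope]
    if users:
        lines.append("users = %s" % ", ".join(users))
    if groups:
        lines.append("groups = %s" % ", ".join(groups))
    return "\n".join(lines) + "\n"


def install_session_recording(conf_path, scope="some", users=(), groups=()):
    """Merge the section into conf_path and leave the file root-only (0600).

    Returns (file_text, mode_bits). A missing file is created; an existing
    [session_recording] section is replaced. SSSD refuses to start when
    sssd.conf is group- or world-readable, hence the explicit chmod."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written
    cp.read(conf_path)              # no file -> empty config
    new = configparser.ConfigParser(interpolation=None)
    new.optionxform = str
    new.read_string(render_session_recording(scope, users, groups))
    if cp.has_section("session_recording"):
        cp.remove_section("session_recording")
    cp.add_section("session_recording")
    for key, value in new.items("session_recording"):
        cp.set("session_recording", key, value)
    fd = os.open(conf_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cp.write(fh)
    os.chmod(conf_path, 0o600)      # O_CREAT mode is subject to umask; be explicit
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    with open(conf_path) as fh:
        return fh.read(), mode


if __name__ == "__main__":
    # Assumed path; pass another file as the first argument to try it out.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    text, mode = install_session_recording(path, scope="some", users=["ronald"])
    print("wrote %s (mode %o); now: systemctl restart sssd" % (path, mode))
```

`configparser` rewrites the whole file, so keep a copy of sssd.conf first. After `systemctl restart sssd`, `getent passwd <user>` should show `/usr/bin/tlog-rec-session` as the shell for a user in scope; recordings land in the journal and can be replayed with `tlog-play -r journal`.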
I am getting this error when keytabs are generated for my Hadoop cluster.
I am getting an access error when I create keytabs with IPA commands. The user has these permissions:
ipa role-add hadoopadminrole
ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test(a)MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
2019-07-15 04:39:33,221 - Failed to create keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net(a)MIA.CLOUD.NET - Failed to export the keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net(a)MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test
First name: Test
Last name: Test
-----------------
Added user "test"
-----------------
User login: test
First name: Test
Last name: Test
Full name: Test Test
Display name: Test Test
Initials: TT
Home directory: /home/test
GECOS: Test Test
Login shell: /bin/sh
Kerberos principal: test(a)MIA.CLOUD.NET
Email address: test(a)mia.cloud.net
UID: 1818200036
GID: 1818200036
Password: False
Member of groups: ipausers
Kerberos keys available: False
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test(a)MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /tmp/ipa.keytab
--
Deepak Subhramanian
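Added example, not from Deepak's post or from the FreeIPA project: a reader for the MIT keytab file format (version 0x0502) so that a freshly retrieved keytab can be checked for the expected principal, kvno and AES enctype before it is copied to a Hadoop node, the same facts `klist -kt` prints. A writer is included only to build the constructed sample keytab inline; the principal, realm and key bytes are made up.

```python
"""Parse MIT keytab files and check them for an expected principal.

Added example; not from the post or FreeIPA. Format: magic 0x05 0x02, then
entries of [int32 size][uint16 ncomp][realm][comp...][uint32 name_type]
[uint32 timestamp][uint8 vno8][uint16 enctype][key][optional uint32 kvno],
all big-endian, strings as uint16-length-prefixed bytes.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_HST = 1, 3
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "arcfour-hmac"}
AES_ENCTYPES = {17, 18, 19, 20}


def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a v2 keytab.
    Used here only to construct the sample; real keytabs come from ipa-getkeytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        ntype = KRB5_NT_SRV_HST if len(comps) > 1 else KRB5_NT_PRINCIPAL
        body += struct.pack(">IIB", ntype, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)              # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Cursor:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self):
        (n,) = self.unpack(">H")
        s = self.buf[self.pos:self.pos + n]
        self.pos += n
        return s

    def remaining(self):
        return len(self.buf) - self.pos


def parse_keytab(data):
    """Return a list of entry dicts (principal, kvno, enctype, ...)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    cur = _Cursor(data)
    cur.pos = 2
    entries = []
    while cur.remaining() >= 4:
        (size,) = cur.unpack(">i")
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot
            cur.pos += -size
            continue
        body = _Cursor(data[cur.pos:cur.pos + size])
        cur.pos += size
        (ncomp,) = body.unpack(">H")
        realm = body.counted().decode()
        comps = [body.counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = body.unpack(">IIB")
        (enctype,) = body.unpack(">H")
        key = body.counted()
        kvno = vno8
        if body.remaining() >= 4:    # prefer the 32-bit kvno when present
            (kvno32,) = body.unpack(">I")
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key)})
    return entries


def check_keytab(data, principal):
    """True when the keytab holds `principal` with at least one AES key."""
    return any(e["principal"] == principal and e["enctype"] in AES_ENCTYPES
               for e in parse_keytab(data))


# Constructed sample: one service principal with two AES keys, kvno 2.
SAMPLE_PRINCIPAL = "kafka/hdp-master-03.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 2, 18, bytes(range(32)), 1563165573),
                              (SAMPLE_PRINCIPAL, 2, 17, bytes(range(16)), 1563165573)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(kvno)d %(principal)s %(enctype_name)s" % e)
    print("ok" if check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL) else "MISSING")
```

Two points about `ipa-getkeytab` worth keeping in mind alongside the check: without `-r` it generates new keys for the principal, invalidating whatever keys that principal had before (for a user principal such as `test@REALM` in the transcript above, that means the user's password), so `-r` is the option for fetching keys that already exist; and `ipa service-allow-create-keytab` / `ipa service-allow-retrieve-keytab` grant those rights per service principal and per user, which is a narrower grant than the "Service Administrators" privilege for a role used by cluster automation.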