August 2019 - FreeIPA-users - Fedora mailing-lists

CA Master Confusion
by Auerbach, Steven 06 Aug '19

06 Aug '19

As I work through understanding the current state of my CA mastering in this realm I am getting results I do not understand from these ipa commands (on the v4.6.4 server) and from the ldapsearch commands (on the v3.0.0 server): On the v4.6.4 replica (ipa<3>): $ sudo ipa config-show |grep 'CA renewal master' [sudo] password for <user>: $ $ On the v3.0.0 (ipa<1>): $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn [sudo] password for <user>: Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local> with scope subtree # filter: (&(cn=CA)(ipaConfigString=caRenewalMaster)) # requesting: dn # # search result search: 2 result: 0 Success # numResponses: 1 Neither tells me anything. Is it possible that the original installation never had a CA master at all? This seems odd considering when I look for CA Master(s), on the v4.6.4 (ipa<3>) tells me: $ sudo ipa server-role-find --role 'CA server' [sudo] password for <user>: ---------------------- 3 server roles matched ---------------------- Server name: ipa<2>.mydomain.local Role name: CA server Role status: absent Server name: ipa<1>.mydomain.local Role name: CA server Role status: enabled Server name: ipa<3>.mydomain.local Role name: CA server Role status: absent ---------------------------- Number of entries returned 3 ---------------------------- And on the v3.0.0 (ipa<1>) I get: $ sudo ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=<mydomain>,dc=local' '(&(cn=CA)(ipaConfigString=caServer))' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=masters,cn=ipa,cn=etc,dc=fbog,dc=local> with scope subtree # filter: (&(cn=CA)(ipaConfigString=caServer)) # requesting: dn # # search result search: 2 result: 0 Success # numResponses: 1 I know I am missing something basic and fundamental here. Is there a CA Master or not? If not, would I want to just enable the CA Master on the newest server (ipa<3>)? The way forward is not clear. -Steven Auerbach

1 0

[IPA4.6.4 with VCSA6.7] LDAP Authentification
by Karim Bourenane 06 Aug '19

06 Aug '19

Hello All, Do someone know i must configure my IPA server + the VCenter VSCA to authenticate in LDAP ? I found several demo, but nothing run. Thanks you in advance. Regard Mr Karim Bourenane

3 5

Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
by François Cami 06 Aug '19

06 Aug '19

On Tue, Aug 6, 2019 at 3:55 PM Auerbach, Steven <Steven.Auerbach(a)flbog.edu> wrote: > > Pure genius. FQDN on ipa commands..... Unless I read the documentation cover-to-cover before starting anything I would never have found this. Thanks. Our (collective) pleasure to help. Thanks for thanking us :) François > -Steven Auerbach > > -----Original Message----- > From: François Cami <fcami(a)redhat.com> > Sent: Tuesday, August 6, 2019 9:28 AM > To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > Cc: Rob Crittenden <rcritten(a)redhat.com>; Auerbach, Steven <Steven.Auerbach(a)flbog.edu> > Subject: Re: [Freeipa-users] Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master > > On Tue, Aug 6, 2019 at 2:59 PM Auerbach, Steven via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: > > > > When I add the --no-lookup option on the v4.6.4 ipa server I get the same results I received on the v3.0.0 server: > > " Cannot find ipa<#> in public server list" > > Are you using the FQDN of your IPA servers? > The ipa-replica-manage command will not find IPA servers by their shortnames (and that's expected). > > > > If I cannot even verify these servers in the group, how am I supposed to test the integrity of current inter-version replication? And how will I ever migrate the whole directory and all the inter-related services of IPA to two new servers of version 4.6.4? The functions do not appear to work as documented, and my trust that the command operations will behave as documented is really shaken. > > > > Is my best option to build a new IPA server pair in version 4.6.4 and de-enroll all the clients and users from the older v3.0.0 IPA and then enroll them into the v4.6.4 IPA? > > > > -----Original Message----- > > From: Rob Crittenden <rcritten(a)redhat.com> > > Sent: Monday, August 5, 2019 5:16 PM > > To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > > Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu> > > Subject: Re: [Freeipa-users] Re: Replacing IPA v3.0.0-51 on OEL6 with > > IPA v4.6.4-10 on OEL7: Making the newest replica the master > > > > Auerbach, Steven via FreeIPA-users wrote: > > > From the master-master original IPA v3.0.0 server - <ipa1> - I ran and received the following responses: > > > NOTE: using aliases within arrow points for ambiguation. > > > > > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa1>' > > > [sudo] password for <user>: > > > Cannot find <ipa1> in public server list > > > > > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa2>' > > > Directory Manager password: > > > > > > Cannot find <ipa2> in public server list > > > > > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa3>' > > > Directory Manager password: > > > > > > Cannot find <ipa3> in public server list > > > > It is looking for the list of masters in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. I'd search that to see what is there. > > > > A plain ipa-replica-manage list will list all masters and IIRC they do show. > > > > > From the replica-master server recently made with IPA v4.6.5 - <ipa3> - I ran and received the following responses: > > > NOTE: using aliases within arrow points for ambiguation. > > > > > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa1>' > > > [sudo] password for <user>: > > > Unknown host <ipa1>: Host '<ipa1>' does not have corresponding DNS > > > A/AAAA record > > > > > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa2>' > > > Directory Manager password: > > > > > > Unknown host ipa-r02: Host 'ipa-r02' does not have corresponding DNS > > > A/AAAA record > > > > > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa3>' > > > Directory Manager password: > > > > > > Unknown host ipa03: Host 'ipa03' does not have corresponding DNS > > > A/AAAA record > > > > Try adding --no-lookup to the command to skip the lookup. > > > > rob > > > > > > > > > > > > > > Steven Auerbach > > > Assistant Director of Information Systems Information Technology & > > > Security State University System of Florida Board of Governors > > > 325 W. Gaines Street, Suite 1625 > > > Tallahassee, Florida 32399 > > > (850) 245-9592 > > > Steven.auerbach(a)flbog.edu > > >

1 0

Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
by François Cami 06 Aug '19

06 Aug '19

On Tue, Aug 6, 2019 at 2:59 PM Auerbach, Steven via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: > > When I add the --no-lookup option on the v4.6.4 ipa server I get the same results I received on the v3.0.0 server: > " Cannot find ipa<#> in public server list" Are you using the FQDN of your IPA servers? The ipa-replica-manage command will not find IPA servers by their shortnames (and that's expected). > If I cannot even verify these servers in the group, how am I supposed to test the integrity of current inter-version replication? And how will I ever migrate the whole directory and all the inter-related services of IPA to two new servers of version 4.6.4? The functions do not appear to work as documented, and my trust that the command operations will behave as documented is really shaken. > > Is my best option to build a new IPA server pair in version 4.6.4 and de-enroll all the clients and users from the older v3.0.0 IPA and then enroll them into the v4.6.4 IPA? > > -----Original Message----- > From: Rob Crittenden <rcritten(a)redhat.com> > Sent: Monday, August 5, 2019 5:16 PM > To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > Cc: Auerbach, Steven <Steven.Auerbach(a)flbog.edu> > Subject: Re: [Freeipa-users] Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master > > Auerbach, Steven via FreeIPA-users wrote: > > From the master-master original IPA v3.0.0 server - <ipa1> - I ran and received the following responses: > > NOTE: using aliases within arrow points for ambiguation. > > > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa1>' > > [sudo] password for <user>: > > Cannot find <ipa1> in public server list > > > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa2>' > > Directory Manager password: > > > > Cannot find <ipa2> in public server list > > > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa3>' > > Directory Manager password: > > > > Cannot find <ipa3> in public server list > > It is looking for the list of masters in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. I'd search that to see what is there. > > A plain ipa-replica-manage list will list all masters and IIRC they do show. > > > From the replica-master server recently made with IPA v4.6.5 - <ipa3> - I ran and received the following responses: > > NOTE: using aliases within arrow points for ambiguation. > > > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa1>' > > [sudo] password for <user>: > > Unknown host <ipa1>: Host '<ipa1>' does not have corresponding DNS > > A/AAAA record > > > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa2>' > > Directory Manager password: > > > > Unknown host ipa-r02: Host 'ipa-r02' does not have corresponding DNS > > A/AAAA record > > > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa3>' > > Directory Manager password: > > > > Unknown host ipa03: Host 'ipa03' does not have corresponding DNS > > A/AAAA record > > Try adding --no-lookup to the command to skip the lookup. > > rob > > > > > > > > > Steven Auerbach > > Assistant Director of Information Systems Information Technology & > > Security State University System of Florida Board of Governors > > 325 W. Gaines Street, Suite 1625 > > Tallahassee, Florida 32399 > > (850) 245-9592 > > Steven.auerbach(a)flbog.edu > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to > > freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: > > https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs > > .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% > > 7C01%7CSteven.Auerbach%40flbog.edu%7C4f2f8ff3a0be4ddb3c8d08d719ea0d02% > > 7C63bf107bcb6f41738c1c1406bb5cb794%7C0%7C0%7C637006365346901243&sd > > ata=Cxz0ohxpRe51I%2FSImlMCpbkmVKehGKn%2BzcBzbQaUS5E%3D&reserved=0 > > List Guidelines: > > https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo > > raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7CStev > > en.Auerbach%40flbog.edu%7C4f2f8ff3a0be4ddb3c8d08d719ea0d02%7C63bf107bc > > b6f41738c1c1406bb5cb794%7C0%7C0%7C637006365346911237&sdata=GWg7INn > > f%2FptaoK5HoSjC62DsshZ0VoF%2BHieWgFOxkGg%3D&reserved=0 > > List Archives: > > https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist > > s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos > > ted.org&data=02%7C01%7CSteven.Auerbach%40flbog.edu%7C4f2f8ff3a0be4 > > ddb3c8d08d719ea0d02%7C63bf107bcb6f41738c1c1406bb5cb794%7C0%7C0%7C63700 > > 6365346911237&sdata=F6pb9RhzSs7Yd%2BJGLoPN%2BYnlZ7f%2F1IZJfTXwZlnh > > d5k%3D&reserved=0 > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…

2 1

Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
by Rob Crittenden 06 Aug '19

06 Aug '19

Auerbach, Steven via FreeIPA-users wrote: > From the master-master original IPA v3.0.0 server - <ipa1> - I ran and received the following responses: > NOTE: using aliases within arrow points for ambiguation. > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa1>' > [sudo] password for <user>: > Cannot find <ipa1> in public server list > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa2>' > Directory Manager password: > > Cannot find <ipa2> in public server list > > [<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa3>' > Directory Manager password: > > Cannot find <ipa3> in public server list It is looking for the list of masters in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. I'd search that to see what is there. A plain ipa-replica-manage list will list all masters and IIRC they do show. > From the replica-master server recently made with IPA v4.6.5 - <ipa3> - I ran and received the following responses: > NOTE: using aliases within arrow points for ambiguation. > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa1>' > [sudo] password for <user>: > Unknown host <ipa1>: Host '<ipa1>' does not have corresponding DNS A/AAAA record > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa2>' > Directory Manager password: > > Unknown host ipa-r02: Host 'ipa-r02' does not have corresponding DNS A/AAAA record > > [<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa3>' > Directory Manager password: > > Unknown host ipa03: Host 'ipa03' does not have corresponding DNS A/AAAA record Try adding --no-lookup to the command to skip the lookup. rob > > > > Steven Auerbach > Assistant Director of Information Systems > Information Technology & Security > State University System of Florida > Board of Governors > 325 W. Gaines Street, Suite 1625 > Tallahassee, Florida 32399 > (850) 245-9592 > Steven.auerbach(a)flbog.edu > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… >

2 1

Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
by Rob Crittenden 05 Aug '19

05 Aug '19

Auerbach, Steven via FreeIPA-users wrote: > I am struggling through this. I have a new server built and IPA 4.6.4-10 > installed. I made it a replica from the v3.0.0-51 master. I can't tell the context in which these commands are being executed, on which master. What I would do instead is on each master run: # ipa-replica-manage list -v `hostname` This should provide the topology you are looking for. rob > > > > Ipa-replica-manage shows 3 ipa servers, the original 2 v3.0.0-51 servers > and the new ipa v4.6.4-10 server. But when I poll for replication > agreements I get no answer. > > > > From <server1> I issued the following commands: > > $ sudo ipa-replica-manage list > > Directory Manager password: > > > > <server1>.mydomain.local: master > > <server2>.mydomain.local: master > > <server3 – new>.mydomain.local: master > > > > $ sudo ipa-replica-manage list <server2> > > [sudo] password for <user>: > > Cannot find servername in public server list > > > > $ sudo ipa-replica-manage list <server3> > > [sudo] password for <user>: > > Cannot find servername in public server list > > > > $ ldapsearch -x -D 'cn=directory manager' -W -b 'cn=mapping tree,cn=config' > > Enter LDAP Password: > > > > There is an extensive response that includes: > > # dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config > > . > > . > > nsslapd-referral: > ldap://<server3>.mydomain..local:389/dc%3Dmydomain%2Cdc%3Dlocal > > nsslapd-referral: > ldap://<server2>.mydomain.local:389/dc%3Dmydomain%2Cdc%3Dlocal > > > > # replica, dc\3Dmydomain\2Cdc\3Dlocal, mapping tree, config > > dn: cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping tree,cn=config > > cn: replica > > nsDS5Flags: 1 > > objectClass: top > > objectClass: nsds5replica > > objectClass: extensibleobject > > nsDS5ReplicaType: 3 > > nsDS5ReplicaRoot: dc=mydomain,dc=local > > nsds5ReplicaLegacyConsumer: off > > nsDS5ReplicaId: 4 > > nsDS5ReplicaBindDN: cn=replication manager,cn=config > > nsDS5ReplicaBindDN: krbprincipalname=ldap/<invalid, removed server that > should not even appear > here>.mydomain.local(a)MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local > > nsDS5ReplicaBindDN: > krbprincipalname=ldap/<server2>.mydomain.local(a)MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local > > nsDS5ReplicaBindDN: > krbprincipalname=ldap/<server3>.mydomain.local(a)MYDOMAIN.LOCAL,cn=services,cn=accounts,dc=mydomain,dc=local > > nsState:: BAAAAAAAAAA+CUNdAAAAAGEAAAAAAAAAkgAAAAAAAAAEAAAAAAAAAA== > > nsDS5ReplicaName: a5641a0e-252711e3-96afcc83-6ff9b802 > > nsds5ReplicaChangeCount: 3768023 > > nsds5replicareapactive: 0 > > > > # meTo<server2>.mydomain.local, replica, dc\3Dmydomain\2Cdc\3Dlocal, > mapping tree, config > > dn: > cn=meTo<server2>.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping > tree,cn=config > > cn: meTo<server2>.mydomain.local > > objectClass: nsds5replicationagreement > > objectClass: top > > nsDS5ReplicaTransportInfo: LDAP > > description: me to <server2>.mydomain.local > > nsDS5ReplicaRoot: dc=mydomain,dc=local > > nsDS5ReplicaHost: <server2>.mydomain.local > > nsds5replicaTimeout: 120 > > nsDS5ReplicaPort: 389 > > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserialentryusn krblastsuccessfulauth krblastfailedauth > krbloginfailedcount > > nsDS5ReplicaBindMethod: SASL/GSSAPI > > nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn > krblastsuccessfulauth krblastfailedauth krbloginfailedcount > > nsds50ruv: {replicageneration} 5241a52a000000040000 > > nsds50ruv: {replica 7 ldap://<server2>.mydomain.local:389} > 54c80f57000000070000 5d271a1b000700070000 > > nsds50ruv: {replica 4 ldap://<server1>.mydomain.local:389} > 5241a584000800040000 5d271866000300040000 > > nsds50ruv: {replica 8 ldap://<server3>.mydomain.local:389} > 5d166840000000080000 5d270db6000500080000 > > nsruvReplicaLastModified: {replica 7 > ldap://<server2>.mydomain.local:389} 00000000 > > nsruvReplicaLastModified: {replica 4 > ldap://<server1>.mydomain.local:389} 00000000 > > nsruvReplicaLastModified: {replica 8 > ldap://<server3>.mydomain.local:389} 00000000 > > nsds5ReplicaStripAttrs: modifiersName modifyTimestamp > internalModifiersName internalModifyTimestamp > > nsds5replicareapactive: 0 > > nsds5replicaLastUpdateStart: 20190801154606Z > > nsds5replicaLastUpdateEnd: 20190801154607Z > > nsds5replicaChangesSentSinceStartup:: NDo2MDAvMjI1MjE1OSA4OjM1OS8wIA== > > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > > nsds5replicaUpdateInProgress: FALSE > > nsds5replicaLastInitStart: 0 > > nsds5replicaLastInitEnd: 0 > > > > # meTo<server3>.mydomain.local, replica, dc\3Dmydomain\2Cdc\3Dlocal, > mapping tree, config > > dn: > cn=meTo<server3>.mydomain.local,cn=replica,cn=dc\3Dmydomain\2Cdc\3Dlocal,cn=mapping > tree,cn=config > > cn: meTo<server3>.mydomain.local > > objectClass: nsds5replicationagreement > > objectClass: top > > nsDS5ReplicaTransportInfo: LDAP > > nsds5ReplicaStripAttrs: modifiersName modifyTimestamp > internalModifiersName in > > ternalModifyTimestamp > > nsDS5ReplicaRoot: dc=mydomain,dc=local > > nsDS5ReplicaHost: <server3>.mydomain.local > > nsds5replicaTimeout: 120 > > nsDS5ReplicaPort: 389 > > nsDS5ReplicaBindMethod: SASL/GSSAPI > > nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof > idnssoaserialentryusn krblastsuccessfulauth krblastfailedauth > krbloginfailedcount > > description: me to <server3>.mydomain.local > > nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn > krblastsuccessfulauth krblastfailedauth krbloginfailedcount > > nsds50ruv: {replicageneration} 5241a52a000000040000 > > nsds50ruv: {replica 8 ldap://<server3>.mydomain.local:389} > 5d166840000000080000 5d271a1b000000080000 > > nsds50ruv: {replica 4 ldap://<server1>.mydomain.local:389} > 5241a584000800040000 5d271866000300040000 > > nsds50ruv: {replica 7 ldap://<server2>.mydomain.local:389} > 54c80f57000000070000 5d2717a3000300070000 > > nsruvReplicaLastModified: {replica 8 > ldap://<server3>.mydomain.local:389} 00000000 > > nsruvReplicaLastModified: {replica 4 > ldap://<server1>.mydomain.local:389} 00000000 > > nsruvReplicaLastModified: {replica 7 > ldap://<server2>.mydomain.local:389} 00000000 > > nsds5replicareapactive: 0 > > nsds5replicaLastUpdateStart: 20190801154606Z > > nsds5replicaLastUpdateEnd: 20190801154607Z > > nsds5replicaChangesSentSinceStartup:: NDo2MDAvMTkyNTgzNyA3OjUxMi8wIA== > > nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: > Incremental update succeeded > > nsds5replicaUpdateInProgress: FALSE > > nsds5replicaLastInitStart: 0 > > nsds5replicaLastInitEnd: 0 > > > > # search result > > search: 2 > > result: 0 Success > > > > # numResponses: 6 > > # numEntries: 5 > > > > Are there no replication agreements between these servers or is there > something missing in “public server list” that the agreements cannot be > found? > > > > I imagine that all parts need to be seeing each other properly at this > point before I even begin to try and make <server3> the new ultimate > master. I will then add a <server4> ipa server and replicate it from > <server3> once it is the master and retire <server1> and <server2>. At > least that is the scope of the project. > > > > Steven Auerbach > > Assistant Director of Information Systems > > Information Technology & Security > > State University System of Florida > > Board of Governors > > 325 W. Gaines Street, Suite 1625 > > Tallahassee, Florida 32399 > > (850) 245-9592 > > Steven.auerbach(a)flbog.edu <mailto:Steven.auerbach@flbog.edu> | > www.flbog.edu <http://www.flbog.edu/> > > email_sig > > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… >

2 1

How to get IPA client log data
by Boyd Ako 05 Aug '19

05 Aug '19

Anybody know how to get more log information on what the IPA client does? I already know about the stuff in /var/log/sssd, but I'm looking for something in regards to dynamic dns updates failing. When I ran `ipa-client-install` with the --enable-dns-updates option it kicked out an error saying it couldn't update the dns record. It doesn't show up in the server; obviously. I checked the ipaclient-install.log and tried to run the `nsupdate` command with a recreated command file or what ever. At best I got the following.... ============================== [root@luna ipa]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin(a)NEVERLAND.DDNS.ME Valid starting Expires Service principal 08/01/2019 02:04:26 08/02/2019 02:04:20 krbtgt/NEVERLAND.DDNS.ME(a)NEVERLAND.DDNS.ME [root@luna ipa]# cat /etc/ipa/.dns_update.txt update delete luna.neverland.ddns.me. IN A show send update delete luna.neverland.ddns.me. IN AAAA show send update add luna.neverland.ddns.me. 1200 IN A 10.0.0.19 show send update add luna.neverland.ddns.me. 1200 IN AAAA 2605:e000:1127:713::7 show send [root@luna ipa]# /usr/bin/nsupdate -v -g /etc/ipa/.dns_update.txt Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: luna.neverland.ddns.me. 0 ANY A response to SOA query was unsuccessful

4 7

TOTP Token with Okta Verify
by Russ Long 05 Aug '19

05 Aug '19

Hey everyone, I'm in the process of implementing a FreeIPA cluster for our EC2 environment in AWS. I've got everything configured and working (hoping to do a full writeup and share later), however I'm running into one issue. Our Security Team has chosen Okta Verify as the MFA/OTP token application to be used. I've attempted to setup a token with Okta Verify, and no matter the settings I choose on the token setup page, the token just won't let me login. I can use FreeOTP, and the token there works fine. Any ideas what might be the cause or solution here? Thanks!

2 3

CA subsystem certificates failing to renew.
by Guillermo Fuentes 04 Aug '19

04 Aug '19

Hi list, I'm having an issue where the CA subsystem certificates are failing to renew. *** Environment: 4 FreeIPA replica servers with CA. Currently CentOS 7 up-to-date. Initially setup as FreeIPA 3 on CentOS 6 upgraded to CentOS 7 and kept up-to-date with the latest stable release available: ipa-server-4.6.4-10.el7.centos.3.x86_64 389-ds-base-1.3.8.4-23.el7_6.x86_64 pki-ca-10.5.9-13.el7_6.noarch pki-server-10.5.9-13.el7_6.noarch This past June third-party wildcard certificate was installed for both the HTTPS and LDAP servers using the ipa-server-certinstall command. Trying to be proactive as the following CA subsystem certificates will expire on August 12, 2019: subject: CN=CA Audit,O=EXAMPLE.COM subject: CN=OCSP Subsystem,O=EXAMPLE.COM subject: CN=CA Subsystem,O=EXAMPLE.COM subject: CN=IPA RA,O=EXAMPLE.COM *** Issue: Getting the following error when listing the certificate info for each of them in the CA Renewal and CRL Master: status: MONITORING ca-error: Server at "https://ipa1.example.com:8443/ca/agent/ca/profileProcess" replied: 1: Server Internal Error stuck: no CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM expires: 2019-08-12 ... pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Getting the following error in the other CA replicas for the same certificates (I'm assuming fixing it in the Master should take care of the replicas): ca-error: Invalid cookie: u'' Looking at the logs in the Master, the renewal seems to fail with an LDAP error code 68 (Entry Already Exists) when adding serial 268304406 (when resubmitting it). Doesn't that serial suppose to exist as it's being renewed? These are some relevant logs after resubmitting: - certmonger journal shows: ... Jul 22 20:30:19 ipa1.example.com dogtag-ipa-renew-agent-submit[10116]: GET https://ipa1.example.com:8443/ca/agent/ca/profileProcess?requestId=9980043&… Jul 22 20:30:19 ipa1.example.com dogtag-ipa-ca-renew-agent-submit[10097]: dogtag-ipa-renew-agent returned 2 Jul 22 20:30:19 ipa1.example.com certmonger[1288]: 2019-07-22 20:30:19 [1288] Server at "https://ipa1.example.com:8443/ca/agent/ca/profileProcess" replied: 1: Server Internal Error - /var/log/pki/pki-tomcat/ca/debug ... [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Repository: checkRange mLastSerialNo=268304406 [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Repository: getNextSerialNumber: returning retSerial 268304406 [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: About to ca.sign cert. [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: sign cert get algorithm [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: sign cert encoding cert [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: sign cert encoding algorithm [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: CA cert signing: signing cert [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: Signing Certificate [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: storeX509Cert 268304406 [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: In storeX509Cert [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: In LdapBoundConnFactory::getConn() [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: masterConn is connected: true [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: getConn: conn is connected true [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: getConn: mNumConns now 5 [22/Jul/2019:20:30:19][http-bio-8443-exec-16]: returnConn: mNumConns now 6 LDAP operation failure - cn=268304406,ou=certificateRepository, ou=ca, o=ipaca: error result at com.netscape.cmscore.dbs.DBSSession.add(DBSSession.java:125) at com.netscape.cmscore.dbs.CertificateRepository.addCertificateRecord(CertificateRepository.java:737) at com.netscape.ca.CAService.storeX509Cert(CAService.java:893) at com.netscape.ca.CAService.storeX509Cert(CAService.java:579) at com.netscape.ca.CAService.issueX509Cert(CAService.java:564) at com.netscape.cms.profile.common.CAEnrollProfile.execute(CAEnrollProfile.java:203) at com.netscape.cms.servlet.cert.RequestProcessor.approveRequest(RequestProcessor.java:371) at com.netscape.cms.servlet.cert.RequestProcessor.processRequest(RequestProcessor.java:173) ... - /var/log/dirsrv/slapd-EXAMPLE-COM/access ... [22/Jul/2019:20:30:18.703610909 +0000] conn=15 op=44 SRCH base="cn=Certificate Manager Agents,ou=groups,o=ipaca" scope=0 filter="(uniqueMember=uid=ipara,ou=people,o=ipaca)" attrs="cn" [22/Jul/2019:20:30:18.703958648 +0000] conn=15 op=44 RESULT err=0 tag=101 nentries=1 etime=0.0002262912 [22/Jul/2019:20:30:18.706322783 +0000] conn=14 op=2439 SRCH base="cn=9980043,ou=ca,ou=requests,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL [22/Jul/2019:20:30:18.706916435 +0000] conn=14 op=2439 RESULT err=0 tag=101 nentries=1 etime=0.0020648732 [22/Jul/2019:20:30:18.758736256 +0000] conn=14 op=2440 SRCH base="cn=9980043,ou=ca,ou=requests,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL [22/Jul/2019:20:30:18.759537249 +0000] conn=14 op=2440 RESULT err=0 tag=101 nentries=1 etime=0.0051791092 [22/Jul/2019:20:30:18.984013755 +0000] conn=15 op=45 SRCH base="ou=People,o=ipaca" scope=2 filter="(description=2;268304403;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM)" attrs=ALL [22/Jul/2019:20:30:18.984630800 +0000] conn=15 op=45 RESULT err=0 tag=101 nentries=1 etime=0.1719630345 [22/Jul/2019:20:30:18.988077577 +0000] conn=15 op=46 SRCH base="ou=Groups,o=ipaca" scope=2 filter="(&(objectClass=groupofuniquenames)(cn=*))" attrs=ALL [22/Jul/2019:20:30:18.990404518 +0000] conn=15 op=46 RESULT err=0 tag=101 nentries=14 etime=0.0005432147 [22/Jul/2019:20:30:18.994230483 +0000] conn=15 op=47 SRCH base="uid=ipara,ou=People,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL [22/Jul/2019:20:30:18.994648102 +0000] conn=15 op=47 RESULT err=0 tag=101 nentries=1 etime=0.0004001393 [22/Jul/2019:20:30:18.996091715 +0000] conn=15 op=48 SRCH base="cn=Certificate Manager Agents,ou=groups,o=ipaca" scope=0 filter="(uniqueMember=uid=ipara,ou=people,o=ipaca)" attrs="cn" [22/Jul/2019:20:30:18.996470330 +0000] conn=15 op=48 RESULT err=0 tag=101 nentries=1 etime=0.0001510753 [22/Jul/2019:20:30:19.023676890 +0000] conn=14 op=2441 ADD dn="cn=268304406,ou=certificateRepository,ou=ca,o=ipaca" [22/Jul/2019:20:30:19.024455023 +0000] conn=14 op=2441 RESULT err=68 tag=105 nentries=0 etime=0.1736683576 [22/Jul/2019:20:30:19.037339256 +0000] conn=28692 op=5 UNBIND [22/Jul/2019:20:30:19.037387249 +0000] conn=28692 op=5 fd=162 closed - U1 ... Can someone shed some light on what the problem could be and what to try to fix it? Any help is really appreciated. Guillermo

2 6

[Announce] FreeIPA 4.7.3 released
by Alexander Bokovoy 02 Aug '19

02 Aug '19

Hello! The FreeIPA team would like to announce FreeIPA 4.7.3 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR repository]. == Highlights in 4.7.3 == * 6077: [RFE] Support One-Way Trust authenticated by trust secret With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM. -------- * 7193: [RFE] Warn or adjust umask if it is too restrictive to break installation If the umask has been used during the installation of an Identity Management (IdM) it was "too restrictive" This RFE checks for too-restrictive mask at install time and error out when this happens to avoid not working deployments of the FreeIPA server. -------- * 7206: [RFE] Provide an option to include FQDN in IDM topology graph IdM WebUI is now able to display the fully qualified domain name (FQDN) of the nodes in its Topology Graph. As a result, the topology graph is able to distinguish nodes with the same short hostname but within different domains. -------- * 7716: [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None. In verbose mode, the command ipa-replica-manage list <server> displays additional details such as the status and timestamp of the last initialization or the last update. When no initialization occurred on the server, the command doesn't display any more the labels 'last init status: None' and 'last init ended: 1970-01-01 00:00:00+00:00' which were confusing. -------- * 7747: [RFE] Support interactive prompt for NTP options for FreeIPA With patches related to this RFE an Identity Management (IdM) is no longer unable to set time servers/pool when run without NTP related options passed only by command line options. This prompt for NTP server and pool options applies to interactive installations run without --unattended/-U option aiming to improve user experience for users not familiar with command line options. -------- === Enhancements === === Known Issues === === Bug fixes === FreeIPA 4.7.3 is a stabilization release for the features delivered as a part of 4.7.0. There are more than 130 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…) or #freeipa channel on Freenode. == Resolved tickets == * 2018 Change hostname length limit to 64 * 4270 CA-less installation should not continue if dirsrv/httpd certificate is revoked * 4271 CA-less test suite always generate failures * 4607 ipa-getkeytab fails if -k points to empty file or a symlink to nonexistent file * 4812 Switch nsslapd-unhashed-pw-switch to nolog * 5062 [WebUI] Unlock option is enabled for all user. * 5803 Add utility to promote CA replica to CRL master * 5880 Second call to ldapmodify in ipatests.test_integration.tasks.enable_replication_debugging fails * 6077 [RFE] Support One-Way Trust authenticated by trust secret * 6468 Make ipaclient pip install-able * 6594 ipa idoverrideuser-find view --anchor fails to return output * 6627 WebUI: Enable pagination * 6951 Update samba config file and use sss idmap module * 6979 Suggest user to install libyubikey package instead of traceback * 7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab. * 7193 [RFE] Warn or adjust umask if it is too restrictive to break installation * 7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. * 7206 [RFE] Provide an option to include FQDN in IDM topology graph * 7288 set_directive can overwrite wrong directives * 7305 PKINIT status not displayed in the web UI (IPA Server > Configuration) * 7329 update_ra_cert_store does not remove private key from NSSDB * 7347 ipa-server-install breaks if subject base RDN has an escaped comma * 7369 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records * 7451 Allow issuing certificates with IP addresses in subjectAltName * 7492 client install still creates /etc/ipa/nssdb * 7548 Need integration test for --external-ca-type=ms-cs * 7578 IPA server upgrade should remove stale kdcinfo_* generated by SSSD * 7597 IPA: IDM drops all custom attributes when moving account from preserved to stage * 7598 ipa-client-install: autodiscovery must refuse single label domains * 7603 In IPA WebUI, a warning appears in the background(warning message behind the dialog box). * 7647 Error message should be more useful while ipa-backup fails for insufficient space * 7651 ipa-replica-install --setup-kra broken on DL1 * 7654 ipa-kra-install fails on DL1 * 7667 When setting up mod_ssl, define range o f the TLS protocols within the system-wide crypto policy * 7708 Create a warning that SSSD needs restart after idrange-mod * 7716 [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None. * 7719 Automation added for NTP Replacement test scenarios * 7723 NTP options fails on ipa replica * 7744 ipa-replica-install picks wrong replica for CA initial replication * 7745 nss.conf needs to be zero length, not removed. * 7746 IPA help command fails in an environment without the `less` binary * 7747 [RFE] Support interactive prompt for NTP options for FreeIPA * 7750 ipaldap: invalid modlist when attribute encoding can vary * 7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration * 7756 Split Web UI test suite in nightly PR CI configuration * 7761 External CA renewal accepts issuer key < 2048-bit * 7762 External CA renewal accepts IPA CA cert with empty Subject Key Identifier * 7775 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'" * 7778 test_full_backup_and_restore_with_replica fails with "Unknown host replica1.ipa.test" * 7780 Make ipa-client-automount --uninstall more robust * 7781 Don't start/enable nfs-idmap nor nfs-secure * 7783 use non-symlink (aliases) NFS unit names * 7786 Index accessruletype, hostcategory, ipaenabledflag, ipserviceport, and ipserviceprotocol by default * 7787 Missing indexes for automountmapname and automountkey * 7790 ipa host-del --updatedns FQDN yeilds unindexed searches * 7792 Missing index on ipaconfigstring * 7793 ipa service-del service fails with internal error * 7795 ipa-pkinit-manage enable fails on replica if it doesn't host the CA * 7796 ipa-replica-install fails migrating CentOS 6 to 7 * 7797 SSSD's getservby*() causes performance issues * 7803 Missing index on idnsName * 7805 [NFS] test kerberized NFS * 7807 Detect container installation to avoid Kernel keyring * 7809 All Web UI tests fail with UnexpectedAlertPresentException * 7810 [F28] Require NSS with fix for p11-kit issue. * 7811 Fix compile issue with new 389-ds * 7828 ipa trust-add fails with ipa: ERROR: an internal error has occurred * 7829 ipa-server-upgrade when run displays 'No such file name in the index' on the console * 7831 add systemd-user HBAC service to default set of HBAC services * 7835 Cert revokation for services and hosts is inefficient * 7836 print appropriate message when uninstalling non-existent IPA client * 7837 Replace os.getenv('HOME') with os.path.expanduser * 7838 configure_openldap_conf() does not handle multi-value URI * 7841 Remove tests for client installation with --no-sssd and --noac options * 7843 [WebUI] Use generated certificates and CSR for testing * 7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations * 7855 Automember XML-RPC test failure * 7857 Create tests for ipa-winsync-migrate * 7858 Define C feature macros * 7860 389-ds-base will no longer use /etc/sysconfig * 7862 "ccache" may not exist if GSSError occurs in ipa-client-automount causing an exception to be thrown * 7864 [WebUI] Review and increase timeouts for UI tests in Nightly PR configuration * 7865 test_topology_TestTopologyOptions:test_add_remove_segment nightly failure in fed28 and fed29 * 7866 FreeIPA server deployment fails due to 'Permission denied' error under /tmp during pki-tomcatd deployment * 7868 ipa-client-automount exception backing up /etc/sysconfig/nfs * 7873 remove all occurrences of osinfo.version_id from ipatests/ * 7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations * 7876 Fail replica install * 7877 External CA installation: sanity check pathLenConstraints * 7881 [WebUI] Automember UI tests are broken * 7883 Cannot install ipa-server on rhel7.7 * 7884 Coverity: New defect found in ipa-4.6.5 * 7885 RFE: wrapper for Dogtag cert-fix command * 7886 ipa-replica-manage force-sync --from keeps prompting "No status yet" * 7889 test_integration/test_trust.py need improvement * 7892 Implement hidden / unadvertised IPA replicas * 7893 ipasam needs changes for Samba 4.10 * 7895 ipa trust fetch-domains, server parameter ignored * 7896 ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode text * 7897 ipa-kra-install failing with invalid 'role_servrole': must be Unicode text error * 7900 dns and search not fixed for dns enabled deployments * 7901 IPA Web UI is slow to display user details page. * 7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules * 7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains * 7905 ipa-dnskeysync-replica should handle LDAP down gracefully * 7906 ipa-kra-install fails due to fs.protected_regular=1 * 7907 ipa-replica-install due to permission error, leaves ipa server in unstable condition * 7916 ipaplatform.debian.services does not implement wait for CA service * 7918 ipa-client-automount needs option to specify domain * 7921 Missing deps for `make pylint` * 7922 Command ipa conole is broken * 7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign * 7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd * 7928 cn=cacert could show expired certificate * 7929 ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled * 7930 Interactive promt for NTP options after install check. * 7932 FreeIPA queries rely on missing attribute altsecurityidentities * 7933 FreeIPA must index certmap attributes. * 7934 ipa-server-common expected file permissions in package don't match runtime permissions * 7937 `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments * 7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured * 7943 [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format * 7952 ipa-backup file logging does not work * 7956 Ipatests don't honor TMPDIR, TEMP or TMP environment variables * 7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character * 7962 Different pycodestyle results: Travis vs Azure * 7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs * 7964 GSSAPI failure causing LWCA key replication failure on f30 * 7969 test failure in test_caless.py::TestServerInstall * 7970 test failure in test_backup_and_restore.py::TestBackupAndRestore * 7972 automember rebuild sometimes appears to return before the rebuild is complete * 7981 Pytest4.x warnings * 7982 Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line * 7983 Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount" * 7984 make sure 'make fastlint' processes Python .in files * 7986 Increase debugging level of certmonger * 7988 test_nfs.py: errors when running ipa-client-automount * 7992 ipa upgrade fails with trust entry already exists * 8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure * 8024 [WebUI] test_webui/test_trust.py failed because of request timeout == Detailed changelog since 4.7.2 == === Armando Neto (4) === * travis: Use Fedora 29 to test ipa-4-7 branch * Update Travis config to run on Fedora 28 * Bump template version * Add missing nightly test definitions from master === Alexander Bokovoy (29) === * translations: update Ukrainian translation from Zanata * certmaprule: add negative test for altSecurityIdentities * certmap rules: altSecurityIdentities should only be used for trusted domains * Create indexes for altSecurityIdentities and ipaCertmapData attributes * Add altSecurityIdentities attribute from MS-WSPP schema definition * trust-fetch-domains: make sure we use right KDC when --server is specified * adtrust upgrade: fix wrong primary principal name, part 2 * adtrust upgrade: fix wrong primary principal name * upgrade: adtrust - catch empty result when retrieving list of trusts * Enforce SMBLoris attack protection in default Samba configuration * Set idmap config for Samba to follow IPA ranges and use SSSD * Update list of contributors and sort it alphabetically * Update translations in ipa-4-7 * Update mailmap * Bypass D-BUS interface definition deficiences for trust-fetch-domains * Remove DsInstance.request_service_keytab as it is not needed anymore * oddjob: allow to pass options to trust-fetch-domains * ipasam: use SID formatting calls to libsss_idmap * upgrade: add trust upgrade to actual upgrade code * upgrade: upgrade existing trust agreements to new layout * trusts: add support for one-way shared secret trust * trust: allow trust agents to read POSIX identities of trust * Add design page for one-way trust to AD with shared secret * domainlevel-get: fix various issues when running as non-admin * make sure IPA_CONFDIR is used to check that client is configured * ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned * ipa-sidgen: make internal fetch_attr helper really internal * Update ipa-4-7 translations from Zanata * Revert to development after a release === Anuja More (1) === * ipatests: POSIX attributes are no longer overwritten or missing === Ian Pilcher (1) === * Allow issuing certificates with IP addresses in subjectAltName === Adam Williamson (1) === * Correct default fontawesome path (broken by da2cf1c5) === Christian Heimes (96) === * Fix CustodiaClient ccache handling * Use only TLS 1.2 by default * Replace PYTHONSHEBANG with valid shebang * Increase default debug level of certmonger * Forbid imports of ipaserver and install packages * Don't import ipaserver in conf.py * Replace imports from ipaserver * Delay import of SSSDConfig * Consider configured servers as valid * Correct path to systemd-detect-virt * Add helper to look for missing binaries * Guard dbus.start() with dbus.is_running() * chmod SYSTEMD_PKI_TOMCAT_IPA_CONF * Check for SELinux AVCs after installation * Refactor tasks to include is_selinux_enabled() * Globally disable softhsm2 in p11-kit-proxy * Deprecate ipa-client-install --request-cert * Fix pylint error with absolute_import * Debian: Use RedHatCAService for pki-tomcatd * Debian: auto-generate config files for oddjobd * Debian: Fix replicatio of light weight sub CAs * Add ODS manager abstraction to ipaplatform * Debian: Use different paths for KDC cert and key * Debian: Add fixes for OpenDNSSEC 2.0 * Debian: Add paths for open-sans and font-awesome * Debian doesn't have authselect * Debian: use -m lesscpy instead of hard-coded name * Reduce startup_timeout to 120sec as documented * Add ExecStartPost hook to wait for Dogtag PKI * Use Network Manager to configure resolv.conf * Improve error handling in DNSSEC helpers * Gating: remove vault and kdcproxy tests * automount: rmtree temp directory * Adapt cert-find performance workaround for users * Make netifaces optional * Skip orphan automember rule test * Verify external CA's basic constraint pathlen * Move DS's Kerberos env vars to unit file * Add tasks.systemd_daemon_reload() * Add option to remove lines from a file * Add test case for configure_openldap_conf * Don't fail if config-show does not return servers * Add design draft * Test replica installation from hidden replica * Synchronize hidden state from IPA master role * Don't allow to hide last server for a role * More test fixes * Improve config-show to show hidden servers * Consider hidden servers as role provider * Implement server-state --state=enabled/hidden * Simplify and improve tests * Add hidden replica feature * Consolidate container_masters queries * Use api.env.container_masters * Unify and simplify LDAP service discovery * replica install: acknowledge ca_host override * Fix assign instead of compare * GIT: ignore ipa-crlgen-manage * Disable dependency on dogtag-pki PyPI package * Test --external-ca-type=ms-cs * Remove ZERO_STRUCT() call * Update build requirements on twine * Compile IPA modules with C11 extensions * Require 389-ds 1.4.0.21 * Mark two failing automember tests as xfail * ipa-getkeytab: resolve symlink * Optimize cert remove case * Add workaround for slow host/service del * Use expanduser instead of HOME env var * Don't configure KEYRING ccache in containers * Fix systemd-user HBAC rule * Create systemd-user HBAC service and rule * Require krb5 with fix for CVE-2018-20217 * Don't use Python dependency generator yet * Use debug logger in ntpd_cleanup() * Make conftest compatible with pytest 4.x * Add index on idnsName * Require 3.41.0-3 on Fedora 28 * Create reindex task for ipaca DB * Add more LDAP indices * LDAPUpdate: Batch index tasks * Always collect test logs * Handle service_del with bad service name * Add index and container for RFC 2307 IP services * Python 2 compatibility * Add install/remove package helpers to advise * Test smart card advise scripts * Log stderr in run_command * Smart card auth advise: Allow Apache user * Allow HTTPd user to access SSSD IFP * Remove dead code * Disable nss-p11-kit crypto policy for tests * Run idviews integration tests in nightly * Add integration tests for idviews * Resolve user/group names in idoverride*-find * Require Dogtag PKI 10.6.8-3 === Diogo Nunes (1) === * Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition. === François Cami (24) === * test_nfs.py: change pr-ci configuration to run on master_2repl_1client * ipatests: add proper timeouts to nfs.py * ipa-client-automount: fix '--idmap-domain DNS' logic * nfs.py: fix user creation * Hidden replica documentation: fix typo * ipa-backup: better error message if ENOSPC * ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR * ipatests: add tests for the new NFSv4 domain option of ipa-client-automount * ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf) * ipaplatform: add more services * ipatests: add nfs tests * ipaserver/install/cainstance.py: unlink before creating new file in /tmp * ipaserver/install/krainstance.py: chown after write * ipatests: Exercise hidden replica feature * ipa-{server,replica}-install: add too-restritive mask detection * ipatests: add too-restritive mask tests * ipa-client-automount: fix PEP8 issues * ipatests: remove all occurrences of osinfo.version_id * pylintrc: ignore R1720 no-else-raise errors * ipa-client-automount: handle NFS configuration file changes * ipa-server-install: fix ca setup when fs.protected_regular=1 * ipatests: add a test for ipa-client-automount * ipa-client-automount: use nfs-utils unit * Fix NFS unit names === Florence Blanc-Renaud (41) === * xmlrpc test: add test for preserved > stage user * user-stage: transfer all attributes from preserved to stage user * test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules * upgrade: remove ipaCert and key from /etc/httpd/alias * ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py * XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD --ttl * dnsrecord-mod: allow to modify ttl without passing the record * ipatests: add a test for stageuser-find with non-posix account * stageuser-find: fix search with non-posix user * ipatests: fix test_backup_and_restore.py::TestBackupAndRestore * ipatests: fix test_caless.py * ipatests: add integration test for ipa-replica-manage list * NSSDatabase: fix get_trust_chain * ipatests: CA renewal must refresh cn=CAcert * CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA * ipatests: add integration test checking the files mode * Fix expected file permissions for ghost files * ipactl restart: fix wrong logic when checking service list * ipa-client-install: autodiscovery must refuse single-label domains * ipa-setup-kra: fix python2 parameter * ipa-server-upgrade: fix add_systemd_user_hbac * ipa-replica-manage: fix force-sync * Coverity: fix issue in ipa_extdom_extop.c * XML RPC test: fix test_automember_plugin * ipa server: prevent uninstallation if the server is CRL master * Test: add new tests for ipa-crlgen-manage * CRL generation master: new utility to enable|disable * pkinit setup: fix regression on master install * test: add non-reg test checking pkinit after server install * tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment * ipatests: mark known failures as xfail * ipatests: add test for replica in forward zone * replica installation: add master record only if in managed zone * ipatests: fix CA less expectations * ipatests: add integration test for pkinit enable on replica * pkinit enable: use local dogtag only if host has CA * replication: check remote ds version before editing attributes * ipatests: fix test_full_backup_and_restore * PKINIT: fix ipa-pkinit-manage enable|disable * ipatest: add test for ipa-pkinit-manage enable|disable * ipatests: fix TestUpgrade::test_double_encoded_cacert === Fraser Tweedale (25) === * CustodiaClient: fix IPASecStore config on ipa-4-7 * CustodiaClient: use ldapi when ldap_uri not specified * Handle missing LWCA certificate or chain * dn: sort AVAs when converting from x509.Name * .gitignore: add ipa-cert-fix program * ipa-cert-fix: fix spurious renewal master change * ipa-cert-fix: handle 'pki-server cert-fix' failure * require Dogtag 10.7.0-1 * ipa-cert-fix: use customary exit statuses * ipa-cert-fix: add man page * Add ipa-cert-fix tool * constants: add ca_renewal container * cainstance: add function to determine ca_renewal nickname * Extract ca_renewal cert update subroutine * add test for external CA key size sanity check * dn: handle multi-valued RDNs in Name conversion * Fix installation when CA subject DN has escapes * cert-request: handle missing zone * cert-request: more specific errors in IP address validation * Add tests for cert-request IP address SAN support * cert-request: report all unmatched SAN IP addresses * cert-request: generalise _san_dnsname_ips for arbitrary cname depth * cert-request: collect only qualified DNS names for IPAddress validation * cert-request: restrict IPAddress SAN to host/service principals * certupdate: add commentary about certmonger behaviour === German Parente (1) === * ipa-replica-manage: remove "last init status" if it's None. === Kaleemullah Siddiqui (2) === * Tests for autounmembership feature * Order of master and replica corrected in logger.info === Varun Mylaraiah (3) === * nightly_rawhide.yaml Added test_integration/test_ntp_options.py * nightly_master.yaml Added test_integration/test_ntp_options.py * ipatests: add tests for NTP options usage on server, replica, and client === Mohammad Rizwan Yusuf (4) === * Test if ipactl restart restarts the pki-tomcatd * Check if issuer DN is updated after external-ca > self-signed * Test error when yubikey hardware not present * Test KRA installtion after ca agent cert renewal === Oleg Kozlov (4) === * Remove stale kdc requests info files when upgrading IPA server * Replace nss.conf with zero-length file instead of removing * Fix python2 compatibility * Check pager's executable before subprocess.Popen === Pavel Picka (1) === * PRCI failures fix === Rob Crittenden (13) === * For Fedora and RHEL use system-wide crypto policy for mod_ssl * Log the raised message when DNS check_zone_overlap fails * admintool: don't display log file on errors unless logging is setup * tests: Wait for automember rebuild --no-wait tasks to finish * Fix expected return code in tests when server is uninstalled * Return 0 on uninstall when on_master for case of not installed * Drop list of return values to be ignored in AdminTool * When reading SSH pub key don't assume last character is newline * Add knob to limit hostname length * Send only the path and not the full URI to httplib.request * Remove tests which install KRA on replica w/o KRA on master * tests: Don't provide explicit hostname to ldapmodify * Update mod_nss cipher list so there is overlap with a 4.x master === Robbie Harwood (1) === * Fix unnecessary usrmerge assumptions === Sumit Bose (2) === * ipa_sam: remove dependency to talloc_strackframe.h * ipa-extdom-exop: add instance counter and limit === Stanislav Levin (8) === * Fix Pytest4.x warning about `message` * Fix Pytest4.1+ warnings about pytest.config * Fix `build_requestinfo` in LibreSSL environments * Fix `build_requestinfo` in OpenSSL1.1.0+ environments * Make `pycodestyle` results identical * Respect TMPDIR, TEMP or TMP environment variables during testing * Fix `inconsistent-return-statements` in ipa-dnskeysync-replica * Add missing deps for `make pylint` === Sergey Orlov (21) === * ipatests: new test for trust with partially unreachable AD topology * ipatests: mark test_domain_resolution_order as expectedly failing * ipatests: add test for sudo with runAsUser and domain resolution order. * ipatests: new tests for establishing one-way AD trust with shared secret * ipatests: make encoding to base64 compatible with python2 * ipatests: new tests for ipa-winsync-migrate utility * ipa console: catch proper exception when history file can not be open * ipatests: refactor test_trust.py * ipatests: adapt test_trust.py for changes in multihost fixture * ipatests: allow AD hosts to be placed in separate domain config objects * ipatests: relax requirements for time server quality * ipatests: fix expectations of `ipa trust-find` output for trust with root domain * ipatests: in test_trust.py fix parent class * ipatests: disable bind dns validation when preparing to establish AD trust * ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust * Revert "Tests: Remove DNS configuration from trust tests" * ipatests: fix host name for ssh connection from controller to master * ipatests: add test for correct modlist when value encoding differs * Remove obsolete tests from test_caless.py * ipatests: fix ldap server url * Remove unused tests === Serhii Tsymbaliuk (14) === * WebUI tests: Fix request timeout for test_trust * WebUI: Add PKINIT status field to 'Configuration' page * WebUI tests: Fix timeout issues for reset password tests * WebUI: Fix automount maps pagination * WebUI: Disable 'Unlock' action for users with no password * WebUI: Fix 'user not found' traceback on user ID override details page * Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone * WebUI test: Fix automember tests according to new behavior * Web UI: Increase timeouts for UI tests in Nightly PR configuration * Split Web UI test suite in nightly PR CI configuration (IPA 4.7) * Fix test_arbitrary_certificates for Web UI * Web UI tests: Get rid of *_cert_path and *_csr_path config variables * Fix "Configured size limit exceeded" warning on Web UI * WebUI: Temporary fix for UnexpectedAlertPresentException === Thierry Bordaz (1) === * Switch nsslapd-unhashed-pw-switch to nolog === Tibor Dudlák (4) === * ipatests: Add Unattended option to external ca task * Moving prompt for NTP options to install_check * Support interactive prompt for ntp options * Fix test_ntp_options to use tasks' methods === Oleg Kozlov (1) === * Show a notification that sssd needs restarting after idrange-mod -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

3 9

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2019