Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/
ANONYMOUS(a)A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS(a)A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the kdc certificate, it lacks
some attributes. I'm just not sure how to generate a proper cert.
1 month, 2 weeks
Something changed regarding enrollment permissions?
by Ronald Wimmer
Today we did not manage to enroll new hosts with our enrollment user.
The only thing we changed is that we added the Permission "System:
Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any
problems.
Cheers,
Ronald
1 month, 4 weeks
Unable to install ipa client centos 7.5.1804 (Core)
by William Graboyes
Hello List,
I have been searching around for the day and have found an answer for
the error I am getting when I am trying to install the client on a brand
new install:
Version:
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-client-common-4.5.4-10.el7.centos.3.noarch
The error is below (run as root, not via sudo):
ipa-client-install
Traceback (most recent call last):
File "/sbin/ipa-client-install", line 22, in <module>
from ipaclient.install import ipa_client_install
File
"/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py",
line 5, in <module>
from ipaclient.install import client
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
line 34, in <module>
from ipalib import api, errors, x509
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in
<module>
from pyasn1_modules import rfc2315, rfc2459
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 67, in <module>
class DigestedData(univ.Sequence):
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 72, in DigestedData
namedtype.NamedType('digest', Digest)
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 115, in __init__
self.__ambiguousTypes = 'terminal' not in kwargs and
self.__computeAmbiguousTypes() or {}
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 232, in __computeAmbiguousTypes
ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes,
**dict(terminal=True))
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 114, in __init__
self.__tagToPosMap = self.__computeTagToPosMap()
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 205, in __computeTagToPosMap
for _tagSet in tagMap.presentTypes:
AttributeError: 'property' object has no attribute 'presentTypes'
Any help would be greatly appreciated.
Thanks,
Bill G.
2 months
FreeIPA certificate doesn't validate in iOS
by Jochen Kellner
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:
,----
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
| certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
| CA: IPA
| issuer: CN=Certificate Authority,O=JOCHEN.ORG
| subject: CN=imap.jochen.org,O=JOCHEN.ORG
| expires: 2022-09-07 09:30:16 CEST
| dns: imap.jochen.org
| principal name: imap/jupiter.jochen.org(a)JOCHEN.ORG
| key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
| eku: id-kp-serverAuth,id-kp-clientAuth
| pre-save command:
| post-save command: /root/refresh_cyrus_certificate.sh
| track: yes
| auto-renew: yes
`----
On an iPhone one of my users gets a message that the certificate is not valid.
Reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html
When I look at the certificate with openssl I see:
,----
| X509v3 extensions:
| X509v3 Authority Key Identifier:
| keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
|
| Authority Information Access:
| OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
|
| X509v3 Key Usage: critical
| Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
| X509v3 Extended Key Usage:
| TLS Web Server Authentication, TLS Web Client Authentication
`----
My current guess is that the "Key Usage: critical" is the reason for the iOS error.
I've looked for the certprofiles and found these files:
,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
| 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
| 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
| 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
| 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
| 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----
These files contain:
,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----
So I think this is where the critical comes from and the keyUsage defaults come from.
What I could use help with is the following:
1. I didn't find reports about the problem in pagure or the mailing
list. Am I really alone with this?
2. My FreeIPA has been installed years ago on Fedora, moved to CentOS
and this year back to Fedora by creating replicas. Has there been a
problem with upgrading the certprofiles?
3. How can I remove the options from the certificate request so that
certmonger gets a valid certificate?
Do I miss something else?
--
This space is intentionally left blank.
2 months
Concurrent ssh to the same host fails after few successfully open sessions with Additional pre-authentication krb error.
by mir mal
Hi,
As in the title a very odd behaviour if I keep opening new ssh sessions using same IPA user after few successful ones I have ssh authentication failed error and in krb5 logs on freeipa server, I can see the following errors:
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: c000000(a)STUXNET.LAB for krbtgt/STUXNET.LAB(a)STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
At the same time, I can use the same user and connect to other hosts or use kinit or freeipa web portal. It looks like after N successful attempts I'm hitting some kind of time or max concurrent connections limit, but I can't find any related settings. It's standard Fedora-based freeipa 4.8.10 and hosts to connect are ubuntu. If I wait a few minutes I'm allowed to open another connection but then again if I try to open few I hit the error. I've been checking KRB_TRACE for kinit and sshd DEBUG3 level logs but I can't find why would it happen the only error is the one above with pre-auth.
Thanks
2 months
problem with AD user login
by Suchismita Panda
Hi,
We have a pair of FreeIPA servers (1 master and 1 replica)
Freeipa server version 4.6.8
Recently when we are trying to enroll any new freeipa client to the server,
the installation goes successful, but AD user login does not work. Even the
client fails to retrieve AD user information using id command. This works
fine on the FreeIPA server.
Freeipa local user login is working fine on the client.
There are other FreeIPA clients, where the AD user login is working fine.
We generally use Ansible to join FreeIPA. So the installation process is
also the same for all servers. Not sure why, recently it does not work. Any
advice would be really helpful.
Freeipa client version 4.8.6
In the logs mostly I am seeing below error -
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Thanks
Suchi
3 months
Samba on IdM member failure
by Alan Latteri
Hello.
I have setup a test FreeIPA server and client, CentOS 8.3, very minimal, exactly as the documentation. I can successfully mount a Samba shared from ipaclient on MacOS, the first access. But any subsequent share mounting fails until winbind is restarted. Please see this screen capture which explicitly shows the issue.
https://youtu.be/8Qd8u67WLkU
These errors appear in /var/log/messages:
Dec 23 13:31:15 ipaclient01 winbindd[1258]: [2020/12/23 13:31:15.265397, 0] ../../source3/winbindd/winbindd_util.c:175(add_trusted_domain)
Dec 23 13:31:15 ipaclient01 winbindd[1258]: add_trusted_domain: SID [S-1-5-21-1037681751-2390144637-354493272] already used by domain [IPA], expected [ipa.instinctual.studio]
Dec 23 13:31:15 ipaclient01 winbindd[1258]: [2020/12/23 13:31:15.265462, 0] ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
Dec 23 13:31:15 ipaclient01 winbindd[1258]: winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
Dec 23 13:31:17 ipaclient01 winbindd[1258]: [2020/12/23 13:31:17.263925, 0] ../../source3/winbindd/winbindd_util.c:175(add_trusted_domain)
Dec 23 13:31:17 ipaclient01 winbindd[1258]: add_trusted_domain: SID [S-1-5-21-1037681751-2390144637-354493272] already used by domain [IPA], expected [ipa.instinctual.studio]
Dec 23 13:31:17 ipaclient01 winbindd[1258]: [2020/12/23 13:31:17.263985, 0] ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
Dec 23 13:31:17 ipaclient01 winbindd[1258]: winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
Below are the exact server and client install steps:
####################
FreeIPA Server Setup
####################
[root@freeipa01 ~]# more /etc/redhat-release
CentOS Linux release 8.3.2011
[root@freeipa01 ~]# uname -a
Linux freeipa01.ipa.instinctual.studio 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipa01 ~]# systemctl disable --now firewalld
[root@freeipa01 ~]# dnf module install -y idm:DL1/{server,client,dns,adtrust}
[root@freeipa01 ~]# ipa-server-install --setup-dns --auto-reverse
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.7
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [freeipa01.ipa.instinctual.studio]:
Warning: skipping DNS resolution of host freeipa01.ipa.instinctual.studio
The domain name has been determined based on the host name.
Please confirm the domain name [ipa.instinctual.studio]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [IPA.INSTINCTUAL.STUDIO]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain ipa.instinctual.studio., please wait ...
DNS check for domain ipa.instinctual.studio. failed: All nameservers failed to answer the query ipa.instinctual.studio. IN SOA: Server 8.8.8.8 UDP port 53 answered SERVFAIL; Server 9.9.9.9 UDP port 53 answered SERVFAIL.
Invalid IP address fe80::5005:3a7d:8c39:957c for freeipa01.ipa.instinctual.studio: cannot use link-local IP address fe80::5005:3a7d:8c39:957c
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 8.8.8.8, 9.9.9.9
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Checking DNS domain 200.0.10.in-addr.arpa., please wait ...
Reverse zone 200.0.10.in-addr.arpa. will be created
Using reverse zone(s) 200.0.10.in-addr.arpa.
Do you want to configure chrony with NTP server or pool address? [no]:
The IPA Master Server will be configured with:
Hostname: freeipa01.ipa.instinctual.studio
IP address(es): 10.0.200.2
Domain name: ipa.instinctual.studio
Realm name: IPA.INSTINCTUAL.STUDIO
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=IPA.INSTINCTUAL.STUDIO
Subject base: O=IPA.INSTINCTUAL.STUDIO
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8, 9.9.9.9
Forward policy: only
Reverse zone(s): 200.0.10.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Adding [10.0.200.2 freeipa01.ipa.instinctual.studio] to your /etc/hosts file
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
[2/44]: configure autobind for root
[3/44]: stopping directory server
[4/44]: updating configuration in dse.ldif
[5/44]: starting directory server
[6/44]: adding default schema
[7/44]: enabling memberof plugin
[8/44]: enabling winsync plugin
[9/44]: configure password logging
[10/44]: configuring replication version plugin
[11/44]: enabling IPA enrollment plugin
[12/44]: configuring uniqueness plugin
[13/44]: configuring uuid plugin
[14/44]: configuring modrdn plugin
[15/44]: configuring DNS plugin
[16/44]: enabling entryUSN plugin
[17/44]: configuring lockout plugin
[18/44]: configuring topology plugin
[19/44]: creating indices
[20/44]: enabling referential integrity plugin
[21/44]: configuring certmap.conf
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache and keytab
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: adding sasl mappings to the directory
[27/44]: adding default layout
[28/44]: adding delegation layout
[29/44]: creating container for managed entries
[30/44]: configuring user private groups
[31/44]: configuring netgroups from hostgroups
[32/44]: creating default Sudo bind user
[33/44]: creating default Auto Member layout
[34/44]: adding range check plugin
[35/44]: creating default HBAC rule allow_all
[36/44]: adding entries for topology management
[37/44]: initializing group membership
[38/44]: adding master entry
[39/44]: initializing domain level
[40/44]: configuring Posix uid/gid generation
[41/44]: adding replication acis
[42/44]: activating sidgen plugin
[43/44]: activating extdom plugin
[44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/30]: configuring certificate server instance
[2/30]: Add ipa-pki-wait-running
[3/30]: secure AJP connector
[4/30]: reindex attributes
[5/30]: exporting Dogtag certificate store pin
[6/30]: stopping certificate server instance to update CS.cfg
[7/30]: backing up CS.cfg
[8/30]: disabling nonces
[9/30]: set up CRL publishing
[10/30]: enable PKIX certificate path discovery and validation
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[14/30]: setting audit signing renewal to 2 years
[15/30]: restarting certificate server
[16/30]: publishing the CA certificate
[17/30]: adding RA agent as a trusted user
[18/30]: authorizing RA to modify profiles
[19/30]: authorizing RA to manage lightweight CAs
[20/30]: Ensure lightweight CAs container exists
[21/30]: configure certificate renewals
[22/30]: Configure HTTP to proxy connections
[23/30]: restarting certificate server
[24/30]: updating IPA configuration
[25/30]: enabling CA instance
[26/30]: migrating certificate profiles to LDAP
[27/30]: importing IPA certificate profiles
[28/30]: adding default CA ACL
[29/30]: adding 'ipa' CA entry
[30/30]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
This program will set up IPA client.
Version 4.8.7
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: freeipa01.ipa.instinctual.studio
Realm: IPA.INSTINCTUAL.STUDIO
DNS Domain: ipa.instinctual.studio
IPA Server: freeipa01.ipa.instinctual.studio
BaseDN: dc=ipa,dc=instinctual,dc=studio
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.instinctual.studio as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@freeipa01 ~]# yum install ipa-server-trust-ad samba-client
[root@freeipa01 ~]# ipa-adtrust-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
admin password:
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.
Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [IPA]:
WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.
Do you want to run the ipa-sidgen task? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/25]: validate server hostname
[2/25]: stopping smbd
[3/25]: creating samba domain object
[4/25]: retrieve local idmap range
[5/25]: creating samba config registry
[6/25]: writing samba config file
[7/25]: adding cifs Kerberos principal
[8/25]: adding cifs and host Kerberos principals to the adtrust agents group
[9/25]: check for cifs services defined on other replicas
[10/25]: adding cifs principal to S4U2Proxy targets
[11/25]: adding admin(group) SIDs
[12/25]: adding RID bases
[13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[14/25]: activating CLDAP plugin
[15/25]: activating sidgen task
[16/25]: map BUILTIN\Guests to nobody group
[17/25]: configuring smbd to start on boot
[18/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
[19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/25]: adding fallback group
[21/25]: adding Default Trust View
[22/25]: setting SELinux booleans
[23/25]: starting CIFS services
[24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
[25/25]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
[root@freeipa01 ~]# reboot
[root@freeipa01 ~]# smbclient -L freeipa01.ipa.instinctual.studio -k
lp_load_ex: changing to config backend registry
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.12.3)
SMB1 disabled -- no workgroup available
[root@freeipa01 ~]# testparm
Load smb config files from /etc/samba/smb.conf
lp_load_ex: changing to config backend registry
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
create krb5 conf = No
dedicated keytab file = /etc/samba/samba.keytab
disable spoolss = Yes
domain logons = Yes
domain master = Yes
kerberos method = dedicated keytab
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = no
ldap suffix = dc=ipa,dc=instinctual,dc=studio
ldap user suffix = cn=users,cn=accounts
log file = /var/log/samba/log.%m
max log size = 100000
max smbd processes = 1000
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-INSTINCTUAL-STUDIO.socket
realm = IPA.INSTINCTUAL.STUDIO
registry shares = Yes
security = USER
workgroup = IPA
idmap config ipa : range = 275600000 - 275800000
idmap config ipa : backend = sss
idmap config * : range = 0 - 0
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
[root@freeipa01 ~]# more /etc/samba/smb.conf
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry
########################################
IPA Client with Samba Share Setup
########################################
[root@ipaclient01 ~]# more /etc/redhat-release
CentOS Linux release 8.3.2011
[root@ipaclient01 ~]# uname -a
Linux ipaclient01.ipa.instinctual.studio 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@ipaclient01 log]# systemctl disable --now firewalld
[root@ipaclient01 ~]# yum -y install ipa-client ipa-client-samba
[root@ipaclient01 ~]# ipa-client-install
This program will set up IPA client.
Version 4.8.7
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 10.0.200.2
Enter a NTP source pool address, or press Enter to skip:
Client hostname: ipaclient01.ipa.instinctual.studio
Realm: IPA.INSTINCTUAL.STUDIO
DNS Domain: ipa.instinctual.studio
IPA Server: freeipa01.ipa.instinctual.studio
BaseDN: dc=ipa,dc=instinctual,dc=studio
NTP server: 10.0.200.2
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin(a)IPA.INSTINCTUAL.STUDIO:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.INSTINCTUAL.STUDIO
Issuer: CN=Certificate Authority,O=IPA.INSTINCTUAL.STUDIO
Valid From: 2020-12-23 18:47:32
Valid Until: 2040-12-23 18:47:32
Enrolled in IPA realm IPA.INSTINCTUAL.STUDIO
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.INSTINCTUAL.STUDIO
Systemwide CA database updated.
Hostname (ipaclient01.ipa.instinctual.studio) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.instinctual.studio as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@ipaclient01 ~]# reboot
[root@ipaclient01 ~]# ipa-client-samba
Searching for IPA server...
IPA server: DNS discovery
Chosen IPA master: freeipa01.ipa.instinctual.studio
SMB principal to be created: cifs/ipaclient01.ipa.instinctual.studio(a)IPA.INSTINCTUAL.STUDIO
NetBIOS name to be used: IPACLIENT01
Discovered domains to use:
Domain name: ipa.instinctual.studio
NetBIOS name: IPA
SID: S-1-5-21-1037681751-2390144637-354493272
ID range: 275600000 - 275799999
Continue to configure the system with these values? [no]: yes
Samba domain member is configured. Please check configuration at /etc/samba/smb.conf and start smb and winbind services
[root@ipaclient01 ~]# systemctl enable --now smb winbind
Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.
[root@ipaclient01 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max smbd processes = 1000
realm = IPA.INSTINCTUAL.STUDIO
server role = member server
workgroup = IPA
idmap config ipa : backend = sss
idmap config ipa : range = 275600000 - 275799999
idmap config * : range = 0 - 0
idmap config * : backend = tdb
[share]
path = /share
read only = No
[root@ipaclient01 ~]# cat /etc/samba/smb.conf
[global]
# Limit number of forked processes to avoid SMBLoris attack
max smbd processes = 1000
# Use dedicated Samba keytab. The key there must be synchronized
# with Samba tdb databases or nothing will work
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
# Set up logging per machine and Samba process
log file = /var/log/samba/log.%m
log level = 1
# We force 'member server' role to allow winbind automatically
# discover what is supported by the domain controller side
server role = member server
realm = IPA.INSTINCTUAL.STUDIO
netbios name = IPACLIENT01
workgroup = IPA
# Local writable range for IDs not coming from IPA or trusted domains
idmap config * : range = 0 - 0
idmap config * : backend = tdb
idmap config IPA : range = 275600000 - 275799999
idmap config IPA : backend = sss
# Default homes share
#[homes]
# read only = no
[share]
path = /share
read only = no
[root@ipaclient01 ~]# kinit admin
Password for admin(a)IPA.INSTINCTUAL.STUDIO:
[root@ipaclient01 ~]# smbclient -L ipaclient01.ipa.instinctual.studio -k
Sharename Type Comment
--------- ---- -------
share Disk
IPC$ IPC IPC Service (Samba 4.12.3)
SMB1 disabled -- no workgroup available
3 months
healthcheck errors
by Prasun Gera
I'm seeing the following two errors on running ipahealthcheck. This is on
an up to date RHEL 8.3 system in a 2 server topology with self signed CA.
DOMAIN.COM IPA CA not found, assuming 3rd party
DOMAIN.COM IPA CA not found, assuming 3rd party
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "da820035-6955-436f-9bf5-bde578b27920",
"when": "20201221130025Z",
"duration": "0.172261",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not match the
value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
"when": "20201221130027Z",
"duration": "0.307626",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"caSigningCert cert-pki-ca\", template-profile=caCACert",
"msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"caSigningCert cert-pki-ca\", template-profile=caCACert"
}
},
...
]
1. This is with a self-signed CA. So I don't know why it has that
assuming 3rd party message.
2. I think this has something to do with the fact
that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
of "caSigningCert cert-pki-ca", (one for each of the masters I presume),
but somehow only 1 cert is tracked in other parts of the
infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a single
certificate under ca.signing.cert and there is also a single entry in LDAP
(which is the same as CS.cfg). Is something broken in my setup ?
Thanks,
Prasun
3 months, 1 week
repair ca
by Evg Hertz
Hello I need to fix CA
Failed to authenticate to CA REST API
How I can reinstall/reconfigure only CA.
or export users(with hash passwords)/groups. and import on new installation.
Help me please.
3 months, 2 weeks
Access LOG Files / configuration - zip ?
by Karim Bourenane
Hello Team
Its possible to know where the access log files in
/var/log/dirsrv/slapd...../
are configured. Its possible to active the gzip process for this files ?
Happy holidays
Bien à vous
Mr Karim Bourenane
3 months, 2 weeks
