[SSSD-users] Announcing SSSD 2.3.1
by Pavel Březina
# SSSD 2.3.1
The SSSD team is proud to announce the release of version 2.3.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/sssd-2_3_1
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_3_1
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### New features
- Domains can now be explicitly enabled or disabled using the `enable` option in
the domain section. This is especially useful in configuration snippets.
- New configuration options `memcache_size_passwd`, `memcache_size_group`,
`memcache_size_initgroups` that can be used to control memory cache size.
### Notable bug fixes
- Fixed several regressions in GPO processing introduced in sssd-2.3.0
- Fixed regression in PAM responder: failures in cache only lookups are
no longer considered fatal
- Fixed regression in proxy provider: `pwfield=x` is now default value
only for `sssd-shadowutils` target
### Packaging changes
- `libwbclient` is now deprecated and is not built by default (use
`--with-libwbclient` to build it)
### Documentation Changes
- Added option `memcache_size_passwd`
- Added option `memcache_size_group`
- Added option `memcache_size_initgroups`
- Added option `enable` in domain sections
- Minor text improvements
3 years, 7 months
ipa-ca-install fails
by Roberto Cornacchia
Hi,
I have successfully created a replica from a 4.2.4 master (ipa01) into a
new 4.6.6 master (ipa02).
I did it without --setup-ca option (because it had failed), so the only CA
is still on the 4.2.4 server (ipa01).
When I try to set up the CA on ipa02 (the same replica file was used with
ipa-replica-install), this fails:
$ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.
The log of conncheck (generated by ipa-ca-install) is in attachment. In
there, I can see a couple of things going wrong:
ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json:
500 Internal Server Error>
...
2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with following
error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"
Not sure if relevant, but also ipa-replica-install, though it completed
successfully, gave this error:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
ipaserver.install.ldapupdate: ERROR Add failure attribute "cn" not
allowed
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Could you please help me find the issue?
3 years, 7 months
Users won't migrate despite filters?
by Alfred Victor
Hi all,
We're performing some migrate-ds and noticed some missing users. We took a
closer look and the errors are:
<redacted user>: attribute "givenName" not allowed
<redacted user>: attribute "givenName" not allowed
<redacted user>: attribute "departmentNumber" not allowed
<redacted user>: attribute "departmentNumber" not allowed
<redacted user>: attribute "departmentNumber" not allowed
This is odd, because this OU is being grabbed with some filters which
should specifically ignore these attributes. The old environment is
OpenLDAP and the migrate-ds command is as follows:
ipa migrate-ds --schema=RFC2307 --base-dn="dc=<redacted>,dc=com"
--bind-dn="cn=<redacted>,ou=<redacted>,dc=<redacted>,dc=com"
--ca-cert-file=/etc/ssl/certs/ca.crt ldaps://<redacted>
--user-container=ou=<redacted> --user-objectclass=posixaccount
--group-container=ou=group --group-objectclass=posixgroup
--user-ignore-attribute="sn,ldappublickey,sshpublickey,givenName,departmentNumber"
--user-ignore-objectclass={person,organizationalPerson,inetOrgPerson,departmentNumber,givenName,ldappublickey,sshpublickey}
Regards,
Alfred
3 years, 7 months
Replica from 4.2 to 4.8
by Roberto Cornacchia
Hi,
I currently have a single 4.2.4 server.
I would like to create a replica with 4.8 and later decommission the 4.2
server.
I had tested the procedure a while ago, from 4.2 to 4.6. I had created a
replica package from the old instance, and used it with ipa-replica-install
to create the new one.
However, I see that 4.8 no longer supports level 0. Does this mean I cannot
do this replica in one go? I also see that ipa-replica-install does not
accept the replica package in input. So I suppose it only supports the
upgrade to master of an existing client.
What is the best route for my 4.2 -> 4.8 replica?
Thanks,
Roberto
3 years, 8 months
cacerts and ipa-client-install
by Ben Aveling
The man page for ipa-client-install has a list of files that are replaced/created/updated.
It's not completely up to date.
I'm not sure if it's worth the effort of keeping it up to date or not.
On the one hand, it's probably a bit of work to get it up to date and keep it up to date.
On the other hand, if it were up to date, it could be useful for people who want to be able to do a selective backup prior to installing, or who just want to see what changes.
If we don't want to keep it up to date, we should probably explain what the criteria for including files in the list is, while being clear that this isn't the full list.
If we do want to bring it up to date, it should possibly also include:
Files always created (replacing existing content):
- /etc/pki/ca-trust/source/ipa.p11-kit
Files updated, existing content is maintained:
- /etc/pki/ca-trust/extracted/java/cacerts
Does IPA depend on the entries that it adds to cacerts? Or does it just put them there in case some other application needs them?
3 years, 8 months
Initial setup: some questions before proceeding.
by Chathranga Wijekoon
Hi everyone,
We're currently in the process of deploying FreeIPA within our
organization and I'd like to ask a few questions before we actually do
deploy it to make sure I'm not getting anything wrong.
We don't have an Active Directory system, and our preference for
open source means we most likely never will.
1. Is there any requirement for FreeIPA to have a public (internet
facing) connection if we already have an existing P2P link with our
data-centers?
2. We are placing all IPA servers under a separate sub-domain of our
primary domain. Are there any pitfalls to this or anything we should
look out for before doing this?
3. We thought of changing the ca-subject and subject bases to
CN=Certificate Authority,OU=IPA,OU=Identity Management,OU=<IT
OU>,O=<OUR ORGANIZATION>,C=LK
and
OU=IPA,OU=Identity Management,OU=<IT OU>,O=<OUR ORGANIZATION>,C=LK
respectively. Will there be any problems in doing this?
Thanks in advance for any replies,
Chathranga Wijekoon.
3 years, 8 months
username has domain in it
by Chris Roadfeldt
This is probably a simple change, but a few weeks ago after an update of my fedora 31 freeipa server and clients, usernames are now displaying with the freeipa domain in the standard email format (username(a)sample.com), minus the () obviously. This caused some issues with processes that were looking for the previous format (username), looking at you cron... Anyway, I'd like to restore the previous username format to (username).
I attempted to track down the change / update that did this, but was unable to. I've attempted to set a default domain in sssd which did not change the behavior. Not sure if this is a change in data returned from freeipa / ldap / kerberos or something in PAM.
I can login with just the username, minus the domain, but all command prompts and environment variables contain (username(a)sample.com) as the username.
What changed and how do I restore the previous username format?
Thanks!
Chris
3 years, 8 months
ldap_bind: Invalid credentials (49)
by Dwija D
Hi, I am trying to search for an LDAP user using the following command but get an
invalid credentials error:

# ldapsearch -x -h ldap://ipm.example.net -p 389 -b "dc=example,dc=net" -D "uid=ldapbind,cn=users,cn=account,dc=example,dc=net" uid=ambariadmin1 -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I have double checked the password but the error still persists. Before that, I
had added an LDAP bind user with the following procedure:

[root@example ~]# cat ldapbind.ldif
dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ambaribind
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

[root@example ~]# ldapmodify -h example.net -p 389 -x -D "cn=Directory Manager" -w 'secret123' -f ldapbind.ldif
adding new entry "uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net"

[root@example ~]# ipa user-show ambaribind --raw --all
dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
uid: ldapbind
nsaccountlock: FALSE
has_password: TRUE
has_keytab: FALSE
objectClass: account
objectClass: simplesecurityobject
objectClass: top

Without the bind user, I can search for the user:

[root@example ~]# ldapsearch -x -h ipa.example.net -p 389 -b "cn=ambari,dc=example,dc=net" uid=ambariadmin1

Can anyone please guide me on where the issue is?

Regards
3 years, 8 months
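An added example, not part of the post above: a Python cross-check of the bind DN given to ldapsearch against the LDIF entry that created the bind user, using the values quoted in the post as constructed input. It reports component-level differences between the two DNs and between the RDN and the naming attribute, rather than guessing at a cause.

```python
import re

def parse_dn(dn: str) -> list:
    """Split a DN on unescaped commas into (attr, value) pairs; attr names lower-cased."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn.strip()):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def parse_ldif_entry(text: str) -> dict:
    """Return attr -> first value for one LDIF entry (attr names lower-cased)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), value.strip())
    return entry

def check_bind_identity(ldif_text: str, bind_dn: str) -> list:
    """List mismatches that would make a simple bind fail with error 49."""
    problems = []
    entry = parse_ldif_entry(ldif_text)
    entry_dn = parse_dn(entry["dn"])
    rdn_attr, rdn_value = entry_dn[0]
    if entry.get(rdn_attr) != rdn_value:   # RDN value must be a value of the naming attribute
        problems.append(f"RDN {rdn_attr}={rdn_value} but entry has {rdn_attr}: {entry.get(rdn_attr)}")
    bind = parse_dn(bind_dn)
    for i, (b, e) in enumerate(zip(bind, entry_dn)):   # pinpoint the component that differs
        if b != e:
            problems.append(f"component {i}: bind DN {b[0]}={b[1]} vs entry DN {e[0]}={e[1]}")
    if len(bind) != len(entry_dn):
        problems.append("bind DN and entry DN have a different number of components")
    return problems

# Constructed from the post above: the LDIF given to ldapmodify and the -D value
# given to ldapsearch (the password is the placeholder value the post itself shows).
LDIF = """dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ambaribind
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
"""
BIND_DN = "uid=ldapbind,cn=users,cn=account,dc=example,dc=net"

if __name__ == "__main__":
    for problem in check_bind_identity(LDIF, BIND_DN):
        print("MISMATCH:", problem)
```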
Re: Looking for help to get my IPA server running again
by Florence Blanc-Renaud
On 7/16/20 4:54 PM, Lorenz Braun wrote:
> On 16.07.20 15:50, Florence Blanc-Renaud wrote:
>> On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote:
>>> I was thinking something similar. I tried
>>> ```
>>> [root@ipa01 ~]# ipa-cacert-manage renew
>>> Renewing CA certificate, please wait
>>> Error resubmitting certmonger request '20200716071025', please check
>>> the request manually
>>> The ipa-cacert-manage command failed.
>>> ```
>>
>> Hi,
>> this command is used to renew IPA CA certificate and not applicable to
>> the current situation. IPA CA has ~20 years validity and this cert is
>> unlikely to be expired.
> Good to know, thanks!
>>> ```
>>> [root@ipa01 ~]# getcert list
>>> Number of certificates and requests being tracked: 9.
>>> [...]
>>> Request ID '20200716071025':
>>> status: CA_UNREACHABLE
>> This is expected in your case as pki is down, and won't be able to
>> manage the certificate renewal request.
>>
>>> ca-error: Internal error
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>> expires: 2040-07-16 07:08:27 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> [...]
>>> ```
>>>
>>> The other ones are all MONITORING and expire in 2022. Since I tried to
>>> force a new cert maybe this is still okay and the problem lies
>>> somewhere else?
>>
>> Then the problem is different. Since the new certs will expire 2022
>> (in 2 years), I suspect that they were renewed recently but the
>> renewal failed in the middle.
>>
>> You can refer to [1] in order to ensure that this is the root cause
>> and fix the current situation.
>>
>> HTH,
>> flo
>>
>> [1]
>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
>>
> I have checked and the certificate from /etc/pki/pki-tomcat/alias and
> ldap are exactly the same. I attached
> /var/log/pki/pki-tomcat/ca/debug. The error message there is different:
> ```
> [16/Jul/2020:16:24:57][profileChangeMonitor]: SignedAuditLogger: event
> CLIENT_ACCESS_SESSION_ESTABLISH
> java.net.ConnectException: Connection refused (Connection refused)
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.net.Socket.connect(Socket.java:607)
> at java.net.Socket.connect(Socket.java:556)
> at java.net.Socket.<init>(Socket.java:452)
> at java.net.Socket.<init>(Socket.java:262)
> at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSSLSocket(PKISocketFactory.java:120)
> at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:159)
> at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
> at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
> at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
> at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
> at netscape.ldap.LDAPConnThread.connect(Unknown Source)
> at netscape.ldap.LDAPConnection.connect(Unknown Source)
> at netscape.ldap.LDAPConnection.connect(Unknown Source)
> at netscape.ldap.LDAPConnection.connect(Unknown Source)
> at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:82)
> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory$BoundConnection.<init>(LdapBoundConnFactory.java:531)
> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:187)
> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)
> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)
> at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:426)
> at java.lang.Thread.run(Thread.java:748)
> [...]
> [16/Jul/2020:16:24:57][profileChangeMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
> [16/Jul/2020:16:24:57][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
> ```
>
> The firewall is not restricting this and I am a bit puzzled as to why the
> connection fails. If the service is not running or the port not open,
> ldapsearch should also not work, right?
> I might test a fresh ipa install without restoring any data. Maybe
> something with my OS or network is wrong.
>
You can check with
# netstat -tunpl | grep 636
if the ldap server is listening on this port. It's possible that the
LDAP server is up but only listening to 389.
To see if port 636 is enabled in the server config:
# ldapsearch -x -D "cn=directory manager" -W -b cn=config -s base
nsslapd-security
The attribute value should be "nsslapd-security: on".
flo
> Best Regards
> Lorenz
3 years, 8 months
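As an added example (not code from the thread), a small Python checker that parses output in the layout of `getcert list` quoted above and flags requests that are not in MONITORING, are stuck, or expire within a warning window. The sample text is constructed from the quoted output; the second request ID is invented to show the healthy case.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `getcert list`, copied from the quoted output
# above, plus one invented MONITORING request to show the healthy case.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20200716071025':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2040-07-16 07:08:27 UTC
        track: yes
        auto-renew: yes
Request ID '20200716071099':
        status: MONITORING
        stuck: no
        expires: 2022-07-16 07:08:27 UTC
"""

def parse_getcert_list(text: str) -> dict:
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")   # first colon only; values contain ':'
            current[key.strip()] = value.strip()
    return requests

def parse_expiry(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def flag_requests(requests: dict, now: str, warn_days: int = 90) -> list:
    """Return (request_id, reason) pairs for requests not healthy as of `now` (UTC)."""
    now_dt = parse_expiry(now)
    findings = []
    for rid, req in requests.items():
        status = req.get("status", "?")
        if status != "MONITORING":   # MONITORING is the steady state; anything else needs a look
            reason = f"status {status}" + (f": {req['ca-error']}" if "ca-error" in req else "")
            findings.append((rid, reason))
        if req.get("stuck") == "yes":
            findings.append((rid, "request is stuck"))
        if "expires" in req and parse_expiry(req["expires"]) - now_dt < timedelta(days=warn_days):
            findings.append((rid, f"expires {req['expires']}"))
    return findings
```

Run it with `flag_requests(parse_getcert_list(SAMPLE), "2020-07-16 16:24:57 UTC")`, or feed it the real `getcert list` output captured from a server.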