Login failed due to an unknown reason.
by D R
Greetings,
After automatic KDC certificate renewal, I'm no longer able to access the
UI.
[Sun Dec 27 23:33:20.563064 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] Traceback (most recent call last):
[Sun Dec 27 23:33:20.563085 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File "/usr/share/ipa/wsgi.py", line 59, in application
[Sun Dec 27 23:33:20.563121 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return api.Backend.wsgi_dispatch(environ,
start_response)
[Sun Dec 27 23:33:20.563129 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in
__call__
[Sun Dec 27 23:33:20.563142 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return self.route(environ, start_response)
[Sun Dec 27 23:33:20.563160 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in
route
[Sun Dec 27 23:33:20.563170 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] return app(environ, start_response)
[Sun Dec 27 23:33:20.563174 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in
__call__
[Sun Dec 27 23:33:20.563182 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] self.kinit(user_principal, password, ipa_ccache_name)
[Sun Dec 27 23:33:20.563194 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in
kinit
[Sun Dec 27 23:33:20.563201 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] pkinit_anchors=[paths.KDC_CERT,
paths.KDC_CA_BUNDLE_PEM],
[Sun Dec 27 23:33:20.563209 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in
kinit_armor
[Sun Dec 27 23:33:20.563219 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] run(args, env=env, raiseonerr=True, capture_error=True)
[Sun Dec 27 23:33:20.563225 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Sun Dec 27 23:33:20.563234 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] raise CalledProcessError(p.returncode, arg_string,
str(output))
[Sun Dec 27 23:33:20.563263 2020] [:error] [pid 6150] [remote
10.xx.xx.22:72] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_6150 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1
---
KRB5_TRACE=/dev/stdout /usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_19265 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[12904] 1609104974.342210: Getting initial credentials for WELLKNOWN/ANONYMOUS@A-LABS.COM
[12904] 1609104974.342212: Sending unauthenticated request
[12904] 1609104974.342213: Sending request (184 bytes) to A-LABS.COM
[12904] 1609104974.342214: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342215: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342216: Received answer (335 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342217: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342218: Response was from master KDC
[12904] 1609104974.342219: Received error from KDC: -1765328359/Additional
pre-authentication required
[12904] 1609104974.342222: Preauthenticating using KDC method data
[12904] 1609104974.342223: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
(133)
[12904] 1609104974.342224: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342225: Received cookie: MIT
[12904] 1609104974.342226: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342227: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342228: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342229: PKINIT loading CA certs and CRLs from FILE
[12904] 1609104974.342230: PKINIT client computed kdc-req-body checksum
9/D4FAE675E4E8C9664DBE0FAD0EB8C416A639CAF3
[12904] 1609104974.342232: PKINIT client making DH request
[12904] 1609104974.342233: Preauth module pkinit (16) (real) returned:
0/Success
[12904] 1609104974.342234: Produced preauth for next request: PA-FX-COOKIE
(133), PA-PK-AS-REQ (16)
[12904] 1609104974.342235: Sending request (1497 bytes) to A-LABS.COM
[12904] 1609104974.342236: Initiating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342237: Sending TCP request to stream 10.xx.xx.90:88
[12904] 1609104974.342238: Received answer (1603 bytes) from stream
10.xx.xx.90:88
[12904] 1609104974.342239: Terminating TCP connection to stream
10.xx.xx.90:88
[12904] 1609104974.342240: Response was from master KDC
[12904] 1609104974.342241: Processing preauth types: PA-PK-AS-REP (17),
PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147)
[12904] 1609104974.342242: Selected etype info: etype aes256-cts, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
[12904] 1609104974.342243: Preauth module pkinit (147) (info) returned:
0/Success
[12904] 1609104974.342244: PKINIT client verified DH reply
[12904] 1609104974.342245: Preauth module pkinit (17) (real) returned:
-1765328308/KDC name mismatch
[12904] 1609104974.342246: Produced preauth for next request: (empty)
[12904] 1609104974.342247: Getting AS key, salt
"A-LABS.COMWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@A-LABS.COM:
[12904] 1609104977.873071: AS key obtained from gak_fct: aes256-cts/B8BD
kinit: Password incorrect while getting initial credentials
--
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=DOMAIN.COM, CN=ipa.domain.com
Validity
Not Before: Dec 27 07:38:54 2020 GMT
Not After : Dec 27 07:38:54 2021 GMT
Subject: O=DOMAIN.COM, CN=ipa.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:6e:b1:b1:2d:05:ab:f1:df:ce:01:43:d5:80:
4a:f6:72:38:3c:50:aa:c7:40:bf:bd:6c:60:5e:8d:
d0:f3:2b:6c:db:fc:8f:48:9f:91:d6:d3:d2:43:f2:
39:35:17:56:37:a8:6f:66:c3:ab:1f:13:8f:d9:48:
c3:be:b9:2b:83:77:78:08:fe:3b:f8:93:83:1c:bb:
d0:e8:eb:49:a5:c1:8c:7f:0c:b5:fa:e7:07:f1:0c:
97:9b:47:e9:a2:a3:ab:9b:c1:70:e3:1b:e9:f2:3d:
2f:96:53:6d:38:eb:57:19:7f:dd:ed:e8:3c:c8:f0:
7c:36:b1:72:03:f1:2f:86:8e:cd:67:fd:fd:85:73:
00:16:60:81:3c:ad:13:4d:19:c0:4d:e7:94:8d:34:
29:99:7a:45:70:db:81:5d:0e:2d:83:7a:9c:19:c7:
ef:0a:79:8d:84:af:74:a3:b9:90:c8:b1:8c:65:d0:
2d:e0:89:98:42:e0:cb:c8:b0:e3:b5:7c:9b:44:01:
a8:31:15:8d:19:79:c5:35:26:4d:3f:e6:83:64:7f:
15:da:50:c1:5e:9c:67:1b:27:e5:35:0c:a8:71:a9:
4e:ee:ef:92:b5:f9:10:f6:31:82:2c:94:04:05:c5:
89:c6:96:1d:48:11:e5:8d:05:92:56:93:99:55:66:
b0:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
To my understanding, something is wrong with the KDC certificate; it lacks
some attributes. I'm just not sure how to generate a proper cert.
1 year, 1 month
dirsrv hangs soon after reboot
by Kees Bakker
Hey,
I'm looking for advice on how to analyse/debug this.
On one of the masters the dirsrv is unresponsive. It runs, but every
attempt to connect to it hangs.
The command "systemctl status" does not show anything alarming
● dirsrv@EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since vr 2020-04-17 13:46:25 CEST; 1h 33min ago
Process: 3123 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 3134 (ns-slapd)
Status: "slapd started: Ready to process requests"
CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-COM.service
└─3134 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:13:54 linge.example.com ns-slapd[3134]: GSSAPI client step 2
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:54 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 1
apr 17 15:18:55 linge.example.com ns-slapd[3134]: GSSAPI client step 2
However, an ldapsearch command hangs forever
[root@rotte ~]# ldapsearch -H ldaps://linge.example.com -D uid=keesbtest,cn=users,cn=accounts,dc=example,dc=com -W -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=com '(&(objectClass=person)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))' uid
Enter LDAP Password:
Even if I use the socket (ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket) the ldapsearch
command hangs.
"ipactl status" hangs
"kinit" hangs
--
Kees Bakker
1 year, 1 month
Something changed regarding enrollment permissions?
by Ronald Wimmer
Today we did not manage to enroll new hosts with our enrollment user.
The only thing we changed is that we added the Permission "System:
Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any
problems.
Cheers,
Ronald
1 year, 4 months
Unable to install ipa client centos 7.5.1804 (Core)
by William Graboyes
Hello List,
I have been searching around for the day and have found an answer for
the error I am getting when I am trying to install the client on a brand
new install:
Version:
ipa-client-4.5.4-10.el7.centos.3.x86_64
ipa-client-common-4.5.4-10.el7.centos.3.noarch
The error is below (run as root, not via sudo):
ipa-client-install
Traceback (most recent call last):
File "/sbin/ipa-client-install", line 22, in <module>
from ipaclient.install import ipa_client_install
File
"/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py",
line 5, in <module>
from ipaclient.install import client
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py",
line 34, in <module>
from ipalib import api, errors, x509
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 45, in
<module>
from pyasn1_modules import rfc2315, rfc2459
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 67, in <module>
class DigestedData(univ.Sequence):
File "/usr/lib/python2.7/site-packages/pyasn1_modules/rfc2315.py",
line 72, in DigestedData
namedtype.NamedType('digest', Digest)
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 115, in __init__
self.__ambiguousTypes = 'terminal' not in kwargs and
self.__computeAmbiguousTypes() or {}
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 232, in __computeAmbiguousTypes
ambigiousTypes[idx] = NamedTypes(*partialAmbigiousTypes,
**dict(terminal=True))
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 114, in __init__
self.__tagToPosMap = self.__computeTagToPosMap()
File "/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py",
line 205, in __computeTagToPosMap
for _tagSet in tagMap.presentTypes:
AttributeError: 'property' object has no attribute 'presentTypes'
Any help would be greatly appreciated.
Thanks,
Bill G.
1 year, 4 months
FreeIPA certificate doesn't validate in iOS
by Jochen Kellner
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:
,----
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key pair storage: type=FILE,location='/etc/ssl/private/imap.jochen.org.key'
| certificate: type=FILE,location='/etc/ssl/certs/imap.jochen.org.crt'
| CA: IPA
| issuer: CN=Certificate Authority,O=JOCHEN.ORG
| subject: CN=imap.jochen.org,O=JOCHEN.ORG
| expires: 2022-09-07 09:30:16 CEST
| dns: imap.jochen.org
| principal name: imap/jupiter.jochen.org@JOCHEN.ORG
| key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
| eku: id-kp-serverAuth,id-kp-clientAuth
| pre-save command:
| post-save command: /root/refresh_cyrus_certificate.sh
| track: yes
| auto-renew: yes
`----
On an iPhone one of my users gets a message that the certificate is not valid.
Reason seems to be this: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html
When I look at the certificate with openssl I see:
,----
| X509v3 extensions:
| X509v3 Authority Key Identifier:
| keyid:4F:F8:45:3D:E8:06:4B:8D:BB:9D:D2:D1:8B:00:43:A1:07:16:A1:17
|
| Authority Information Access:
| OCSP - URI:http://ipa-ca.jochen.org/ca/ocsp
|
| X509v3 Key Usage: critical
| Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
| X509v3 Extended Key Usage:
| TLS Web Server Authentication, TLS Web Client Authentication
`----
My current guess is that the "Key Usage: critical" is the reason for the iOS error.
I've looked for the certprofiles and found these files:
,----
| [root@freeipa3 /]# find . -name \*caIPAserviceCert\* -ls
| 8510694 8 -rw-rw---- 1 pkiuser pkiuser 6218 Mär 4 2020 ./var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
| 9332162 4 -rw-r--r-- 1 root root 229 Aug 20 12:38 ./usr/lib/python3.8/site-packages/ipaclient/csrgen/profiles/caIPAserviceCert.json
| 26138015 8 -rw-r--r-- 1 root root 7014 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.UPGRADE.cfg
| 26138016 8 -rw-r--r-- 1 root root 7294 Aug 20 12:37 ./usr/share/ipa/profiles/caIPAserviceCert.cfg
| 9323278 8 -rw-r--r-- 1 root root 6272 Jun 25 23:53 ./usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
`----
These files contain:
,----
| policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
| policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
| policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
| policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
| policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
`----
So I think this is where the critical flag and the keyUsage defaults come from.
What I could use help with is the following:
1. I didn't find reports about the problem in pagure or the mailing
list. Am I really alone with this?
2. My FreeIPA was installed years ago on Fedora, moved to CentOS
and this year back to Fedora by creating replicas. Has there been a
problem with upgrading the certprofiles?
3. How can I remove the options from the certificate request so that
certmonger gets a valid certificate?
Am I missing something else?
--
This space is intentionally left blank.
1 year, 4 months
LDAP configuration synchronization failed: socket is not connected - from named-pkcs11
by lejeczek
Hi guys.
I'm trying to set up a first master, during which I get:
...
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service
(ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Named service failed to start (CalledProcessError(Command
['/bin/systemctl', 'restart', 'named-pkcs11.service']
returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because a timeout was
exceeded.\nSee "systemctl status named-pkcs11.service" and
"journalctl -xe" for details.\n'))
...
and that is the only error from the setup which seemingly
continues and completes successfully:
...
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: c8kubermaster1.private.openshift.c8
Realm: PRIVATE.OPENSHIFT.C8
DNS Domain: private.openshift.c8
IPA Server: c8kubermaster1.private.openshift.c8
BaseDN: dc=private,dc=openshift,dc=c8
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring private.openshift.c8 as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
DNS query for c8kubermaster1.private.openshift.c8. 1 failed:
The DNS operation timed out after 30.000322580337524 seconds
unable to resolve host name
c8kubermaster1.private.openshift.c8. to IP address, ipa-ca
DNS record will be incomplete
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the
command: 'kinit admin'
This ticket will allow you to use the IPA tools
(e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in
/root/cacert.p12
These files are required to create replicas. The password
for these
files is the Directory Manager password
The ipa-server-install command was successful
Yet, on the very first reboot ipa.service fails to start, but
before that reboot if I
-> $ systemctl restart named-pkcs11.service
it takes rather long, 10 or so seconds, and the journal shows
...
LDAP configuration synchronization failed: socket is not
connected
...
but socket is there: /var/run/slapd-PRIVATE-OPENSHIFT-C8.socket
More from named's journal:
...
esolver priming query complete
LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
ldap_syncrepl will reconnect in 60 seconds
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
successfully reconnected to LDAP server
LDAP configuration for instance 'ipa' synchronized
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
LDAP data for instance 'ipa' are being synchronized, please
ignore message 'all zones loaded'
Is it named-pkcs11 looking for wrong bits or something not
good with dirsrv or .. maybe something else... would you
anybody know?
many thanks, L.
1 year, 4 months
Concurrent ssh to the same host fails after few successfully open sessions with Additional pre-authentication krb error.
by mir mal
Hi,
As in the title, a very odd behaviour: if I keep opening new ssh sessions using the same IPA user, after a few successful ones I get an ssh authentication failed error, and in the krb5 logs on the FreeIPA server I can see the following errors:
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: c000000@STUXNET.LAB for krbtgt/STUXNET.LAB@STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
At the same time, I can use the same user and connect to other hosts, or use kinit or the FreeIPA web portal. It looks like after N successful attempts I'm hitting some kind of time or max concurrent connections limit, but I can't find any related settings. It's a standard Fedora-based FreeIPA 4.8.10 and the hosts to connect to are Ubuntu. If I wait a few minutes I'm allowed to open another connection, but then again if I try to open a few I hit the error. I've been checking KRB_TRACE for kinit and sshd DEBUG3 level logs, but I can't find why it would happen; the only error is the one above with pre-auth.
Thanks
1 year, 4 months
FreeIPA/Red Hat IDM and AD communication
by Jones, Bob (rwj5d)
Hello all,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it’s not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify for clients to use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
1 year, 4 months
Another 4.8.7 failed upgrade
by John Obaterspok
Hi,
I've been stuck for about a week since I updated to the latest ipa-server. It
seems to be the same problem as Ian had ("FreeIPA centos8 update
Failed to authenticate to CA REST API"). He seems to have resolved this using
a replica, which I don't have.
Any ideas on how I get this to work?
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
centos-linux-release-8.3-1.2011.el8.noarch
...
IPA version error: data needs to be upgraded (expected version
'4.8.7-13.module_el8.3.0+606+1e8766d7', current version
'4.8.7-12.module_el8.3.0+511+8a502f20')
....
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
...
2021-01-22T08:47:46Z DEBUG request GET
https://ipa2.win.lan:8443/ca/rest/account/login
2021-01-22T08:47:46Z DEBUG request body ''
2021-01-22T08:47:47Z DEBUG response status 500
2021-01-22T08:47:47Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: en
Content-Length: 2234
Date: Fri, 22 Jan 2021 08:47:47 GMT
Connection: close
2021-01-22T08:47:47Z DEBUG response body (decoded): b'<!doctype
html><html lang="en"><head><title>HTTP Status 500 \xe2\x80\x93
Internal Server Error</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line"
/><p><b>Type</b> Exception Report</p><p><b>Message</b> CA subsystem
unavailable. Check CA debug log.</p><p><b>Description</b> The server
encountered an unexpected condition that prevented it from fulfilling
the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
CA subsystem unavailable. Check CA debug
log.\n\tcom.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b>
The full stack trace of the root cause is available in the server
logs.</p><hr class="line" /><h3>Apache
Tomcat/9.0.30</h3></body></html>'
2021-01-22T08:47:47Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-01-22T08:47:47Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179,
in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1805, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1670, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 414, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 1954, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 1960, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py",
line 1315, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate
to CA REST API'))
2021-01-22T08:47:47Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
-- john
1 year, 5 months