FreeIPA topology issues after clean install
by Am Titan
Hi,
I am facing a repeated phenomenon: I have installed one FreeIPA server and two replica FreeIPA servers.
All are masters (roles are being assigned automatically).
The problem I experience directly after a fresh install is that the topology keeps breaking, or at least becomes "disconnected", after leaving the servers off for a few hours.
There is literally no data on the servers and no changes are being made. At first everything works OK; I even check the sync and all is working and syncing well. Only a few hours after the servers are up again do the issues start to show up. Here are some pastes from the servers:
[root@ipa-server1 ~]# ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server ipa-server1.ipa.example.com can't contact servers: ipa-server3.ipa.example.com
Server ipa-dctrlv2.ipa.example.com can't contact servers: ipa-server3.ipa.example.com
[root@ipa-server1 ~]# reboot
Last login: Wed Jan 20 16:17:02 2021 from 192.168.2.100
[root@ipa-server1 ~]# ipa topologysuffix-show # display all managed hosts and segments
Suffix name: all
ipa: ERROR: all: suffix not found
[root@ipa-server1 ~]# ipa topologysuffix-verify # check connectivity, missing connections, redundant connections
Suffix name: dc=int,dc=example,dc=com
ipa: ERROR: dc=int,dc=example,dc=com: suffix not found
[root@ipa-server1 ~]# ipa topologysuffix-verify # check connectivity, missing connections, redundant connections
Suffix name: domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
------------------------
Topology is disconnected
------------------------
Server ipa-server1.ipa.example.com can't contact servers: ipa-server3.ipa.example.com
Server ipa-dctrlv2.ipa.example.com can't contact servers: ipa-server3.ipa.example.com
[root@ipa-server1 ~]# ipa topologysegment-find domain
Replication topology of suffix "domain" is in order.
====================================================
[root@ipa-server3 ~]# ipa-replica-manage re-initialize --from ipa-dctrlv2.ipa.example.com
'ipa-server3.ipa.example.com' has no replication agreement for 'ipa-dctrlv2.ipa.example.com'
[root@ipa-server3 ~]# ipa topologysegment-find
Suffix name: domain
------------------
2 segments matched
------------------
Segment name: ipa-server1.ipa.example.com-to-ipa-dctrlv2.ipa.example.com
Left node: ipa-server1.ipa.example.com
Right node: ipa-dctrlv2.ipa.example.com
Connectivity: both
Segment name: ipa-server1.ipa.example.com-to-ipa-server3.ipa.example.com
Left node: ipa-server1.ipa.example.com
Right node: ipa-server3.ipa.example.com
Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
[root@ipa-server3 ~]# ipa topologysegment-del
Suffix name: domain
Segment name: ipa-server1.ipa.example.com-to-ipa-server3.ipa.example.com
ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
[root@ipa-server3 ~]# ipa topologysegment-add ipa-server1.ipa.example.com-to-ipa-server3.ipa.example.com
Left node: ipa-server1.ipa.example.com
Right node: ipa-server3.ipa.example.com
Segment name [ipa-server1.ipa.example.com-to-ipa-server3.ipa.example.com]:
ipa: ERROR: invalid 'leftnode': left node (ipa-server1.ipa.example.com) does not support suffix 'ipa-server1.ipa.example.com-to-ipa-server3.ipa.example.com'
Can someone please help me understand why newly installed servers with a clean topology and no changes are breaking after a few hours?
Thanks in advance
1 month, 1 week
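As an added example (not part of the post above and not FreeIPA's own code), the script below reproduces the reachability question that `ipa topologysuffix-verify` answers, but from the text that `ipa topologysegment-find <suffix>` prints. It parses the segment list, builds a directed graph that honours the `Connectivity` field (`both`, `left-right`, `right-left`), and reports for each server which servers it cannot reach, in the same "Server X can't contact servers: Y" wording. The sample output embedded in the script is constructed to mirror the two segments in the post; the module name and function names are this example's own. Note that it reasons only over the topology segment entries, not over the live replication agreements that `ipa-replica-manage` reads, so it can report "connected" for a deployment that the server-side verify still rejects, which is exactly the mismatch visible in the paste.

```python
"""Reachability check over FreeIPA topology segments (added example).

Parses `ipa topologysegment-find <suffix>` output, builds a directed graph
from the segments and reports servers that cannot reach each other.
"""
import re
from collections import defaultdict, deque

# Constructed sample, shaped like `ipa topologysegment-find domain` output.
SAMPLE_OUTPUT = """\
Suffix name: domain
------------------
2 segments matched
------------------
  Segment name: ipa-server1.ipa.example.com-to-ipa-dctrlv2.ipa.example.com
  Left node: ipa-server1.ipa.example.com
  Right node: ipa-dctrlv2.ipa.example.com
  Connectivity: both
  Segment name: ipa-server1.ipa.example.com-to-ipa-server3.ipa.example.com
  Left node: ipa-server1.ipa.example.com
  Right node: ipa-server3.ipa.example.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
"""

FIELD_RE = re.compile(r"^\s*(Segment name|Left node|Right node|Connectivity):\s*(.+?)\s*$")


def parse_segments(text):
    """Return a list of {name, left, right, connectivity} dicts from CLI output."""
    segments, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Segment name":
            if current:
                segments.append(current)
            current = {"name": value}
        elif key == "Left node":
            current["left"] = value
        elif key == "Right node":
            current["right"] = value
        elif key == "Connectivity":
            current["connectivity"] = value
    if current:
        segments.append(current)
    return segments


def build_graph(segments, servers=()):
    """Directed adjacency: an edge A->B means A replicates to B.

    Connectivity values are the ones FreeIPA uses: both, left-right, right-left.
    Extra `servers` (known masters with no segment at all) are added as
    isolated nodes so the report can name them as unreachable.
    """
    graph = defaultdict(set)
    for s in servers:
        graph[s]
    for seg in segments:
        left, right, conn = seg["left"], seg["right"], seg["connectivity"]
        graph[left]
        graph[right]
        if conn in ("both", "left-right"):
            graph[left].add(right)
        if conn in ("both", "right-left"):
            graph[right].add(left)
    return graph


def reachable_from(graph, start):
    """Breadth-first set of servers reachable from `start` along segment directions."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_pairs(graph):
    """Map each server to the sorted list of servers it cannot reach."""
    result = {}
    for server in graph:
        missing = sorted(set(graph) - reachable_from(graph, server))
        if missing:
            result[server] = missing
    return result


def verify(text, servers=()):
    """Mirror of `ipa topologysuffix-verify`: an empty dict means connected."""
    return unreachable_pairs(build_graph(parse_segments(text), servers))


if __name__ == "__main__":
    problems = verify(SAMPLE_OUTPUT)
    if not problems:
        print("Topology is connected according to the segment list.")
    for server, missing in problems.items():
        print(f"Server {server} can't contact servers: {', '.join(missing)}")
```

Feed it the real output of `ipa topologysegment-find domain` (and again for the `ca` suffix, which has its own segment set) and pass the full list of masters from `ipa server-find` as `servers` so that a master with no segment at all shows up as unreachable rather than being silently absent from the graph.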
Allow "sudo su - USER" to only the specified user
by Russ Long
I'm trying to come up with a Sudo rule that will allow a user to "su" to only a single specified user. I need to give a DBA access to the oracle user account.
This ServerFault article details exactly what I want to do; however, it is not for FreeIPA.
I've tried creating a sudo command that's "/usr/bin/su - USER" and other variations to no avail.
I've also tried creating a sudo rule that allows all commands to be run as "USER".
1 month, 1 week
chronyd support in freeipa server?
by Kent Brodie
I have found online docs proposing chronyd support for freeipa (target 4.7).
I am running 4.8. Does support for using chronyd instead of ntpd exist yet? I have not found anything concrete yet to confirm this.
If this exists, is there a documented procedure to change?
And if the support does not exist yet, does anyone have an insight as to when that might happen?
Thank you all in advance.
1 month, 1 week
ansible-freeipa in RHEL8.1
by Dominik Vogt
For the moment we're stuck with RHEL8.1. The ansible-freeipa package there (0.1.6-4) does not seem to include the "ipaconf" and "iparole" modules (maybe others). Are they missing, in a different package, or do we need to upgrade to a newer RHEL version?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
1 month, 1 week
RHEL IdM update in CentOS 8 Stream
by Alexander Bokovoy
Hi,
[I sent this to the centos-devel@ mailing list already, now sending to freeipa-users@ for wider distribution]
Thanks to Carl and Brian, yesterday's compose of CentOS 8 Stream now includes RHEL IdM bits slated for RHEL 8.4. Several components were rebased to their upstream versions and are worth noting for those who want to test them in advance of RHEL 8.4.
Note that these are not the final RHEL IdM updates for RHEL 8.4. While the RHEL builds have already passed through a comprehensive QA cycle, there are still a few improvements that will come during the next month or so. Bugs found by CentOS 8 Stream users would in general be seen in the same way as those found by RHEL QE teams during RHEL minor release development, so it is your opportunity to help. Improvements in the form of upstream patches are welcome too.
There are many small and large fixes and improvements in FreeIPA 4.9.0. For more detailed information I'd point to the FreeIPA 4.9.0 release notes:
https://www.freeipa.org/page/Releases/4.9.0#Highlights_in_4.9.0
Among those changes, we are looking for feedback on the following features of RHEL IdM in CentOS 8 Stream:
== ACME CA integration
With FreeIPA 4.9 and Dogtag 10.10 it is now possible to deploy ACME support in the FreeIPA CA and issue certificates using the ACME protocol. For more details please look at https://www.freeipa.org/page/V4/ACME for a general design overview and Fraser's blogs around the feature:
https://frasertweedale.github.io/blog-redhat/tags/acme.html
CentOS 8 Stream includes the mod_md Apache module as one of the ACME clients. Fedora and EPEL also have certbot, so there are multiple clients to use. Interoperability testing with other clients would also be great to see reported.
== Active Directory integration improvements
There are enhancements for the services for user (S4U) feature of the Kerberos protocol extensions in Active Directory. In particular, it is now possible to run MS SQL Server on a server enrolled into a RHEL IdM domain and allow access to it for users of trusted Active Directory forests, along with IPA users. MS SQL Server does certain operations that required functionality not supported by RHEL IdM. This was fixed in RHEL 8.3. More improvements are available in CentOS 8 Stream, including performance improvements when creating Kerberos tickets for Active Directory users with a large AD group membership.
== Non-FQDN host support
FreeIPA requires uniform hostname support: either all systems are defined with fully-qualified hostnames or they all use non-FQDN names. In practice, there are checks in the installers to always force FQDN host names. There are many applications that insist on seeing hostnames as non-fully-qualified. FreeIPA 4.9.0 adds the ability to enroll non-FQDN hosts into an otherwise FQDN-based IPA deployment.
In addition, this allows enrolling clients whose hostnames have a total FQDN length longer than 64 characters on Linux.
== FIPS support
RHEL IdM in CentOS 8 Stream can now be deployed and operated in FIPS mode. One notable omission is support for trusted Active Directory domains. We are working on FIPS support for trust to AD upstream and already have good progress. Hopefully this work will be completed in the upcoming weeks and will also land in CentOS 8 Stream.
== DNS support improvements
PTR records are now supported in any zone type to facilitate DNS-SD [RFC6763] operations, for example publishing printers.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1 month, 1 week
Advanced RBAC Rules
by Yehuda Katz
Is it possible to create an RBAC rule that includes a userattr filter?
For example, we added a cn=mailinglists and each mailing list has an `owner` attribute. We created a rule to allow anonymous reads in this subtree through RBAC.
I know we can create an ACI that would allow the owner to modify the list members:
(targetattr = "mgrpRFC822MailMember")(target = "ldap:///cn=*,cn=aliases,dc=example,dc=com")(version 3.0;acl "Owner Change Aliases";allow (add,delete,write) userattr = "owner#USERDN";)
Is there any way to create this ACI (or something that would do the same thing) through the RBAC system?
1 month, 1 week
Login failed due to an unknown reason.
by anilkumar panditi
Hi,
I am running FreeIPA as a Docker container and all of a sudden I am getting an error message while trying to log in to the FreeIPA server via the web UI:
Login failed due to an unknown reason.
Tried checking for a solution, such as chmod a+x /var/lib/krb5kdc
But I don't see krb5kdc under /var/lib
Please help.
1 month, 2 weeks
Let's encrypt SSL changed Intermediate
by Petar Kozić
Hi,
I had a Let's Encrypt SSL certificate on my FreeIPA server. When I set up FreeIPA for the first time, I set up Let's Encrypt in the following way:
I installed the DST root CA and the Let's Encrypt intermediate with the following commands:
ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
ipa-certupdate -v
Then I issued a Let's Encrypt SSL certificate for the domain with certbot and made a PKCS#12 chain with the command:
openssl pkcs12 -export -in my_domain.cer -inkey my.key.key -out my_ipa.p12 -certfile fullchain.cer
and installed it with the command:
ipa-server-certinstall -w ipa.soholab.org.p12
For almost two years I didn't have any problem: Let's Encrypt was renewed and FreeIPA worked. But after the last renewal SSL failed.
In the FreeIPA GUI, when I try to access the Authentication tab, I get the error:
cannot connect to 'https://my_domain:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
I checked the SSL certificate in the browser and I can see Let's Encrypt changed the intermediate from Let's Encrypt Authority X3 to R3.
I found a doc on Let's Encrypt where they talk about that intermediate change:
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
I tried to install the new R3 intermediate in the same way as I did earlier with the old intermediate:
ipa-cacert-manage -n R3 -t C,, install new_intermediate.cer
but without luck.
Maybe one of you had the same problem, or some idea how to solve this?
Thank you in advance.
1 month, 2 weeks