October 2021 - FreeIPA-users - Fedora mailing-lists

pam_sss account Access denied (permission denied)
by Mark Johnson 28 Oct '21

28 Oct '21

I've been struggling with this all day and I'm getting nowhere. We're wanting to migrate from a 389-DS authenticated network to FreeIPA. We have a few Linux servers scattered around the world that authenticate against our current 389 directory and we're wanting to do this with minimal changes to these servers. The thought process is to perform LDAP auth against FreeIPA and filter access permissions by way of an LDAP access filter based on group membership as we are currently doing with 389, so we just need to make config changes to sssd to point to the new servers (and install the required certificate to do so). FreeIPA servers are already setup and replicating. Set up a couple of test groups and a handful of test user accounts. I can successfully authenticate these users, but I get a permission denied seemingly at the access filter stage. Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.66.67.69 user=markj Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:account): Access denied for user markj: 6 (Permission denied) Same result for a console login. To test this, I changed the access_provider to 'permit' and I can successfully log in to the server. So, it's as if I'm having issues with my access filter, but everything I've tried is giving me the same result. I've used these same filters in ldapsearch tests and they seem to work fine. For instance, I've created a group called "serveradmins" and placed a couple of users in that group. My sssd.conf ldap_access_filter looks like this: access_provider = ldap ldap_access_filter = memberOf=cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com But that just isn't working. However, if I issue the following, I can see the group members: $ ldapsearch -x -W -LLL -H ldap://ussv4p6004.ipa.domain.com -b cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com -D "uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com" Enter LDAP Password: dn: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=mark,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com cn: serveradmins objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject ipaUniqueID: 2e489422-36c2-11ec-a8a8-52540031af07 I've tried different groups including the default 'ipausers' group which everyone is a member of but I'm getting nowhere. For the record, here's a snippet from the server audit.log when I fail to login. Not sure if that "PAM:accounting grantors=?" bit where the USER_ACCT fails is indicative of the problem or not but if so, I'm not sure what that means and how to resolve it. However, the same server works on the old 389 directory using LDAP auth - just have no idea what I'm missing. type=USER_AUTH msg=audit(1635321247.300:1039): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.664:1040): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=success' type=USER_ACCT msg=audit(1635321252.855:1041): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.856:1042): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed'

2 5

Group not in compat subtree
by Cyrus 27 Oct '21

27 Oct '21

Good morning, I've seen some of the groups present in the compat subgroup, but not all of them. Can anybody provide a hint of what's needed for a group to be present in that subtree?. All of them are internal FreeIPA groups. Regards, CI.-

1 1

Re: Recommendations for completely new IPA and AD
by Yehuda Katz 21 Oct '21

21 Oct '21

Not worried about Windows 10 Home. All the machines have Pro. I also have no issues running real Windows Server domain controllers. I do want to be able to use policy features in IPA like HBAC, sudo rules, etc. Will a trust without synced local users cause any issues with that? - Y Sent from a device with a very small keyboard and hyperactive autocorrect. On Fri, Oct 22, 2021, 12:42 AM Jonathan Aquilina <jaquilina(a)eagleeyet.net> wrote: > Hi Guys, > > Long time lurker. I can confirm in order to join an AD domain you need at > least win 10 Pro > > The below using Samba isn’t a bad idea in all fairness. The question > becomes though how would you join an windows 10 home machine to the samba > AD controller? > > Regards, > Jonathan > > -----Original Message----- > From: Alexander Bokovoy via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org> > Sent: 22 October 2021 06:32 > To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > Cc: Yehuda Katz <yehuda(a)ymkatz.net>; Alexander Bokovoy < > abokovoy(a)redhat.com> > Subject: [Freeipa-users] Re: Recommendations for completely new IPA and AD > > On to, 21 loka 2021, Yehuda Katz via FreeIPA-users wrote: > >I was asked to set up a completely new network for a non-profit. They > >have a mix of Windows and Linux (mostly Ubuntu) machines. Until now I > >have only used FreeIPA (or RedHat IDM) in a standalone configuration. > >Is there any kind of best practices documentation for this situation? A > >discussion of a sync vs. trust approach? Any known gotchas? > > Things to consider: > - Windows machines cannot be enrolled into FreeIPA, they have to be > enrolled into Active Directory > > - If users are all on Active Directory side, they can login to > FreeIPA-enrolled machines through trust to Active Directory > > - While winsync plugin allows to synchronize users from Active > Directory side to FreeIPA (they become FreeIPA users), this is of > limited functionality and in general not going to live well in future > as we consider deprecating this approach > > It used to be that non-Pro versions of Windows weren't possible to join to > Active Directory. I'd rather checked what is in use before planning it. > > For a non-profit it is probably worth to consider deploying Samba AD as > your Active Directory configuration. > > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering Red Hat Limited, Finland > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://link.edgepilot.com/s/353e228f/dztk3XYEi0aFWaiQj6NYgQ?u=https://docs… > List Guidelines: > https://link.edgepilot.com/s/5d76def5/Td4UrtlZ6EOnNh9n6-3LKQ?u=https://fedo… > List Archives: > https://link.edgepilot.com/s/272b5696/8xmEHAzD_kibpiI-63hpXQ?u=https://list… > Do not reply to spam on the list, report it: > https://link.edgepilot.com/s/0f57d6da/-ls6zhlc-0uuBKO_6RvycA?u=https://pagu… >

2 1

Recommendations for completely new IPA and AD
by Yehuda Katz 21 Oct '21

21 Oct '21

I was asked to set up a completely new network for a non-profit. They have a mix of Windows and Linux (mostly Ubuntu) machines. Until now I have only used FreeIPA (or RedHat IDM) in a standalone configuration. Is there any kind of best practices documentation for this situation? A discussion of a sync vs. trust approach? Any known gotchas? Thank you, - Y Sent from a device with a very small keyboard and hyperactive autocorrect.

3 2

Account synchronization from AD to FreeIPA
by Zdenek Sobotka 21 Oct '21

21 Oct '21

Hello, I would need advice on setting up account synchronization between Windows10 testing instance with AD and FREEIPA. I successfully imported CA certificates for trust between AD and FREEIPA, ran ldapsearch, which I can use to read information from Windows AD. Now I want to synchronize data accounts from AD to FREEIPA, using "ipa-replica-manage connect --winsync". In debug mode, I see that the synchronization is established, and also there is an attempt with data replication. Finally in the end, is written that the replica update "passed successfully". But no AD data was added, when I looked into FREEIPA. Here is the log: ``` [root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync --no-lookup --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local" --bindpw="H3sl0123456." --cacert=/etc/ipa/ca.crt --passsync="TESTTEST111" WIN-7G3BH6KDDHU.ngov.local Directory Manager password: ipa: DEBUG: Created connection context.ldap2_140493289808392 ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa: DEBUG: Destroyed connection context.ldap2_140493289808392 ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'stop', 'dirsrv(a)TEST-LOCAL.service'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Stop of dirsrv(a)TEST-LOCAL.service complete ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipa: DEBUG: Starting external process ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'start', 'dirsrv(a)TEST-LOCAL.service'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'is-active', 'dirsrv(a)TEST-LOCAL.service '] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120 ipa: DEBUG: waiting for port: 389 ipa: DEBUG: SUCCESS: port: 389 ipa: DEBUG: Start of dirsrv(a)TEST-LOCAL.service complete ipa: DEBUG: Created connection context.ldap2_140493289808392 Added CA certificate /etc/ipa/ca.crt to certificate database for freeipa.TEST.local ipa: INFO: AD Suffix is: DC=ngov,DC=local ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://freeipa.TEST.local:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc7249c2c88> ipa: DEBUG: Add or update replica config cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config necessary The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local Windows PassSync system account exists, not resetting password ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already 'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs ipa: DEBUG: Waiting up to 300 seconds for replication (ldaps://freeipa.TEST.local:636) cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config (objectclass=*) ipa: DEBUG: Entry found [LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config'), {'objectClass': [b'nsDSWindowsReplicationAgreement', b'top'], 'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaHost': [b'WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=TEST,dc=local'], 'description': [b'me to WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaBindDN': [b'cn=Administrator,cn=Users,dc=ngov,dc=local'], 'nsDS5ReplicaTransportInfo': [b'TLS'], 'nsDS5ReplicaBindMethod': [b'simple'], 'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'], 'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'], 'nsds7NewWinUserSyncEnabled': [b'true'], 'nsds7NewWinGroupSyncEnabled': [b'false'], 'nsds7WindowsDomain': [b'TEST.local'], 'nsDS5ReplicaCredentials': [b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})] ipa: INFO: Added new sync agreement, waiting for it to become ready . . . ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 20211020103628: end: 20211020103628 ipa: INFO: Agreement is ready, starting replication . . . ipa: WARNING: This configuration ("--winsync") may imply that the log file contains clear text passwords. Please ensure that these files can be accessed only by trusted accounts. Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb Starting replication, please wait until this has completed. Update succeeded Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local' ipa: DEBUG: Destroyed connection context.ldap2_140493289808392 [root@freeipa ~]# ``` I will be happy for any helpful advice. Thanks. -- -------------------------------------------------------------------------------------------------- email: zden2k.sobotka(a)gmail.com

2 3

Can't add replica CA_UNREACHABLE Permission denied
by Евгений Жиряков 21 Oct '21

21 Oct '21

Hello. I can't add a replica to exist master server. FreeIPA version is 4.9.2 on CentOS 8 in docker From replica side it looks like this: freeipa-replica_1 | Configuring directory server (dirsrv) freeipa-replica_1 | [1/3]: configuring TLS for DS instance freeipa-replica_1 | [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa1.srv.DOMAIN.com/ipa/json failed request, will retry: 907 (cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied).) freeipa-replica_1 | Your system may be partly configured. freeipa-replica_1 | Run /usr/sbin/ipa-server-install --uninstall to clean up. freeipa-replica_1 | freeipa-replica_1 | FreeIPA server configuration failed. Also, I notice the same error when running command ipa cert-show on master: ipa cert-show 1 ipa: ERROR: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/certs/1': [Errno 13] Permission denied And third place is in web interface Authentication --> Certificate Authorities There are logs from /var/log/httpd/error_log with debug enbled in /etc/ipa/server.conf [Wed Oct 20 19:50:40.730514 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: cert_request('MIIDxzCCAq8CAQAwNzEXMBUGA1UEChMOU1JWLkFTU0FJQS5DT00xHDAaBgNVBAMTE2lwYTIuc3J2LmFzc2FpYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD2N8SZVlYlsgslL/CL/951CA1YgLdmhBmV2H0TNfwx9CZJKit1B6dl4HddAz1xWaYhsVTQ1PK0Ph6Hjz1+ura/Hou4XFBUHkAMolxMzmxsGOzkZrlFr5gCH5xWeEn2Rm6RVXy16GS5o3Gxy8zSK4MtlwblVrAstRXaJHZkY9eNwQ1+67OJIB3uDw4XhXGD60aLbcL/tZ5ZLW/lotZeRLHYI4VM1dMhGfsTduYEYFn2QH1cU36UX1EJgCggMWCz9KQX9OZVyA7yBsW0X/5Tfrb6s7LEwgRCYW8FqPWQ0+t4vtVXcWG0BH6bESX1JzwZD9EMd+gQJxXlEUrGO4IP9NTDAgMBAAGgggFJMCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIIBHgYJKoZIhvcNAQkOMYIBDzCCAQswgaQGA1UdEQEBAASBmTCBloITaXBhMi5zcnYuYXNzYWlhLmNvbaA3BgorBgGEAVI3FAIDoCkMJ2xkYXAvaXBhMi5zcnYuYXNzYWlhLmNvbUBTUlYuQVNTQUlBLkNPTaBGBgYrBgEFAgKgPDA6oBAbDlNSVi5BU1NBSUEuQ09NoSYwJKADAgEBoR0wGxsEbGRhcBsTaXBhMi5zcnYuYXNzYWlhLmNvbTAMBgNVHRMBAf8EAjAAMCAGA1UdDgEBAAQWBBQmDzatkec4N+/l6ECCUA5k35sbkD AyBgkrBgEEAYI3FAIBAQAEIh4gAGMAYQBJAFAAQQBzAGUAcgB2AGkAYwBlAEMAZQByAHQwDQYJKoZIhvcNAQELBQADggEBAIDSuXsB+ZfJBG4eKVSAD1d3fxZErNFnmtqLBYguCBiv+eGANTcfJBoqXpfM8ZK4IvyInF7jiMELZNnwRvSZNrTPfhWGlb8i2fWVU872QTD5qbQ6D/lmD0xbR4PQ6VTSCsskCndrgaK6kFNPtXEPw8Y1RlMVEXUq9BF7H3Zc4aUWp1AbQFXJaZb/F0sRDyKgN4imxnA+odi/hfk7IeLLQG+fqzpooeLDMjV1aAQF9nWfe8Uy0ofbIzDN4FGMH/xvHjId93qC9RLlSzom/VE264FrL2kPZNrShhsfUJnEfj+DV3AYurStJRnpvadU33jwenYmSkmgNCPL/RCa1MzjpQQ=', profile_id='caIPAserviceCert', principal='ldap/ipa2.srv.DOMAIN.com(a)SRV.DOMAIN.COM', add=True, version='2.240') [Wed Oct 20 19:50:40.731430 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f23fdcbb278>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('ldap/ipa2.srv.DOMAIN.com(a)SRV.DOMAIN.COM'), add=True, chain=False, all=False, raw=False, version='2.240') [Wed Oct 20 19:50:40.731670 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.731745 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.736607 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False, version='2.240') [Wed Oct 20 19:50:40.736869 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.240') [Wed Oct 20 19:50:40.737119 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.737256 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.743096 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request GET https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login [Wed Oct 20 19:50:40.743235 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request body '' [Wed Oct 20 19:50:40.745172 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: httplib request failed: [Wed Oct 20 19:50:40.745202 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last): [Wed Oct 20 19:50:40.745208 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request [Wed Oct 20 19:50:40.745213 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] conn = connection_factory(host, port, **connection_options) [Wed Oct 20 19:50:40.745218 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory [Wed Oct 20 19:50:40.745223 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] tls_version_max=api.env.tls_version_max) [Wed Oct 20 19:50:40.745228 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection [Wed Oct 20 19:50:40.745233 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ctx.load_cert_chain(client_certfile, client_keyfile, passwd) [Wed Oct 20 19:50:40.745239 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied [Wed Oct 20 19:50:40.745247 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] [Wed Oct 20 19:50:40.747246 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last): [Wed Oct 20 19:50:40.747275 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request [Wed Oct 20 19:50:40.747282 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] conn = connection_factory(host, port, **connection_options) [Wed Oct 20 19:50:40.747287 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory [Wed Oct 20 19:50:40.747292 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] tls_version_max=api.env.tls_version_max) [Wed Oct 20 19:50:40.747296 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection [Wed Oct 20 19:50:40.747301 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ctx.load_cert_chain(client_certfile, client_keyfile, passwd) [Wed Oct 20 19:50:40.747306 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied [Wed Oct 20 19:50:40.747311 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] [Wed Oct 20 19:50:40.747316 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] During handling of the above exception, another exception occurred: [Wed Oct 20 19:50:40.747325 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] [Wed Oct 20 19:50:40.747329 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last): [Wed Oct 20 19:50:40.747334 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in wsgi_execute [Wed Oct 20 19:50:40.747339 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] result = command(*args, **options) [Wed Oct 20 19:50:40.747343 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__ [Wed Oct 20 19:50:40.747348 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.__do_call(*args, **options) [Wed Oct 20 19:50:40.747353 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call [Wed Oct 20 19:50:40.747358 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ret = self.run(*args, **options) [Wed Oct 20 19:50:40.747363 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run [Wed Oct 20 19:50:40.747368 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.execute(*args, **options) [Wed Oct 20 19:50:40.747373 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 657, in execute [Wed Oct 20 19:50:40.747377 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result'] [Wed Oct 20 19:50:40.747383 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__ [Wed Oct 20 19:50:40.747394 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.__do_call(*args, **options) [Wed Oct 20 19:50:40.747399 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call [Wed Oct 20 19:50:40.747403 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ret = self.run(*args, **options) [Wed Oct 20 19:50:40.747408 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run [Wed Oct 20 19:50:40.747413 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.execute(*args, **options) [Wed Oct 20 19:50:40.747418 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in execute [Wed Oct 20 19:50:40.747423 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] msg = set_certificate_attrs(result['result'], options) [Wed Oct 20 19:50:40.747428 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs [Wed Oct 20 19:50:40.747434 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] with api.Backend.ra_lightweight_ca as ca_api: [Wed Oct 20 19:50:40.747439 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__ [Wed Oct 20 19:50:40.747445 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] method='GET' [Wed Oct 20 19:50:40.747450 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request [Wed Oct 20 19:50:40.747455 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] method=method, headers=headers) [Wed Oct 20 19:50:40.747460 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request [Wed Oct 20 19:50:40.747465 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] raise NetworkError(uri=uri, error=str(e)) [Wed Oct 20 19:50:40.747470 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipalib.errors.NetworkError: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied Please help, I spent two days on it already.

2 4

Problems after replacing SSL certificates
by Andreas Bulling 21 Oct '21

21 Oct '21

Dear all, I have recently started using FreeIPA (4.8.1 on Ubuntu) and now wanted to replace the original SSL certificates for the web UI and the LDAP server with official ones issued by our university. I've followed the procedure described here (no errors): https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP I could confirm in the browser that the certificate for the web UI has been replaced and I therefore assume so has the LDAP certificate. Authentication from other hosts/services using LDAP still works but in the server log file I see errors like these for all hosts in the domain: Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: NEEDED_PREAUTH: host/X@X for krbtgt/X@X, Additional pre-authentication required Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12 Apr 20 19:57:11 auth krb5kdc[24895]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for krbtgt/X@X Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12 Apr 20 19:57:11 auth krb5kdc[24895]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) X: ISSUE: authtime 1587405431, etypes {rep=18 tkt=18 ses=18}, host/X@X for ldap/X@X Apr 20 19:57:11 auth krb5kdc[24895]: closing down fd 12 Also, ipa-certupdate on the respective clients shows ipa-certupdate trying https://X/ipa/json [try 1]: Forwarding 'schema' to json server 'https://X/ipa/json' cannot connect to 'https://X/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727) The ipa-certupdate command failed. Also, I can't login to the web UI anymore. I tried ipa-getkeytab -s X -p HTTP/X@X -k /var/lib/ipa/gssproxy/http.keytab on the freeipa server (followed by ipactl restart) but this didn't help. Any idea/suggestions for how to get everything working again? Thanks a lot!

6 15

Can't add replica CA_UNREACHABLE Permission denied
by Евгений Жиряков 20 Oct '21

20 Oct '21

Hello. I can't add a replica to exist master server. FreeIPA version is 4.9.2 on CentOS 8 in docker From replica side it looks like this: freeipa-replica_1 | Configuring directory server (dirsrv) freeipa-replica_1 | [1/3]: configuring TLS for DS instance freeipa-replica_1 | [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa1.srv.DOMAIN.com/ipa/json failed request, will retry: 907 (cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied).) freeipa-replica_1 | Your system may be partly configured. freeipa-replica_1 | Run /usr/sbin/ipa-server-install --uninstall to clean up. freeipa-replica_1 | freeipa-replica_1 | FreeIPA server configuration failed. Also, I notice the same error when running command ipa cert-show on master: ipa cert-show 1 ipa: ERROR: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/certs/1': [Errno 13] Permission denied And third place is in web interface Authentication --> Certificate Authorities There are logs from /var/log/httpd/error_log with debug enbled in /etc/ipa/server.conf [Wed Oct 20 19:50:40.730514 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: cert_request('MIIDxzCCAq8CAQAwNzEXMBUGA1UEChMOU1JWLkFTU0FJQS5DT00xHDAaBgNVBAMTE2lwYTIuc3J2LmFzc2FpYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD2N8SZVlYlsgslL/CL/951CA1YgLdmhBmV2H0TNfwx9CZJKit1B6dl4HddAz1xWaYhsVTQ1PK0Ph6Hjz1+ura/Hou4XFBUHkAMolxMzmxsGOzkZrlFr5gCH5xWeEn2Rm6RVXy16GS5o3Gxy8zSK4MtlwblVrAstRXaJHZkY9eNwQ1+67OJIB3uDw4XhXGD60aLbcL/tZ5ZLW/lotZeRLHYI4VM1dMhGfsTduYEYFn2QH1cU36UX1EJgCggMWCz9KQX9OZVyA7yBsW0X/5Tfrb6s7LEwgRCYW8FqPWQ0+t4vtVXcWG0BH6bESX1JzwZD9EMd+gQJxXlEUrGO4IP9NTDAgMBAAGgggFJMCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIIBHgYJKoZIhvcNAQkOMYIBDzCCAQswgaQGA1UdEQEBAASBmTCBloITaXBhMi5zcnYuYXNzYWlhLmNvbaA3BgorBgGEAVI3FAIDoCkMJ2xkYXAvaXBhMi5zcnYuYXNzYWlhLmNvbUBTUlYuQVNTQUlBLkNPTaBGBgYrBgEFAgKgPDA6oBAbDlNSVi5BU1NBSUEuQ09NoSYwJKADAgEBoR0wGxsEbGRhcBsTaXBhMi5zcnYuYXNzYWlhLmNvbTAMBgNVHRMBAf8EAjAAMCAGA1UdDgEBAAQWBBQmDzatkec4N+/l6ECCUA5k35sbkD AyBgkrBgEEAYI3FAIBAQAEIh4gAGMAYQBJAFAAQQBzAGUAcgB2AGkAYwBlAEMAZQByAHQwDQYJKoZIhvcNAQELBQADggEBAIDSuXsB+ZfJBG4eKVSAD1d3fxZErNFnmtqLBYguCBiv+eGANTcfJBoqXpfM8ZK4IvyInF7jiMELZNnwRvSZNrTPfhWGlb8i2fWVU872QTD5qbQ6D/lmD0xbR4PQ6VTSCsskCndrgaK6kFNPtXEPw8Y1RlMVEXUq9BF7H3Zc4aUWp1AbQFXJaZb/F0sRDyKgN4imxnA+odi/hfk7IeLLQG+fqzpooeLDMjV1aAQF9nWfe8Uy0ofbIzDN4FGMH/xvHjId93qC9RLlSzom/VE264FrL2kPZNrShhsfUJnEfj+DV3AYurStJRnpvadU33jwenYmSkmgNCPL/RCa1MzjpQQ=', profile_id='caIPAserviceCert', principal='ldap/ipa2.srv.DOMAIN.com(a)SRV.DOMAIN.COM', add=True, version='2.240') [Wed Oct 20 19:50:40.731430 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f23fdcbb278>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('ldap/ipa2.srv.DOMAIN.com(a)SRV.DOMAIN.COM'), add=True, chain=False, all=False, raw=False, version='2.240') [Wed Oct 20 19:50:40.731670 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.731745 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.736607 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False, version='2.240') [Wed Oct 20 19:50:40.736869 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.240') [Wed Oct 20 19:50:40.737119 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.737256 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240') [Wed Oct 20 19:50:40.743096 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request GET https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login [Wed Oct 20 19:50:40.743235 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request body '' [Wed Oct 20 19:50:40.745172 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: httplib request failed: [Wed Oct 20 19:50:40.745202 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last): [Wed Oct 20 19:50:40.745208 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request [Wed Oct 20 19:50:40.745213 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] conn = connection_factory(host, port, **connection_options) [Wed Oct 20 19:50:40.745218 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory [Wed Oct 20 19:50:40.745223 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] tls_version_max=api.env.tls_version_max) [Wed Oct 20 19:50:40.745228 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection [Wed Oct 20 19:50:40.745233 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ctx.load_cert_chain(client_certfile, client_keyfile, passwd) [Wed Oct 20 19:50:40.745239 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied [Wed Oct 20 19:50:40.745247 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] [Wed Oct 20 19:50:40.747246 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last): [Wed Oct 20 19:50:40.747275 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request [Wed Oct 20 19:50:40.747282 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] conn = connection_factory(host, port, **connection_options) [Wed Oct 20 19:50:40.747287 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory [Wed Oct 20 19:50:40.747292 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] tls_version_max=api.env.tls_version_max) [Wed Oct 20 19:50:40.747296 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection [Wed Oct 20 19:50:40.747301 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ctx.load_cert_chain(client_certfile, client_keyfile, passwd) [Wed Oct 20 19:50:40.747306 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied [Wed Oct 20 19:50:40.747311 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] [Wed Oct 20 19:50:40.747316 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] During handling of the above exception, another exception occurred: [Wed Oct 20 19:50:40.747325 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] [Wed Oct 20 19:50:40.747329 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last): [Wed Oct 20 19:50:40.747334 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in wsgi_execute [Wed Oct 20 19:50:40.747339 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] result = command(*args, **options) [Wed Oct 20 19:50:40.747343 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__ [Wed Oct 20 19:50:40.747348 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.__do_call(*args, **options) [Wed Oct 20 19:50:40.747353 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call [Wed Oct 20 19:50:40.747358 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ret = self.run(*args, **options) [Wed Oct 20 19:50:40.747363 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run [Wed Oct 20 19:50:40.747368 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.execute(*args, **options) [Wed Oct 20 19:50:40.747373 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 657, in execute [Wed Oct 20 19:50:40.747377 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result'] [Wed Oct 20 19:50:40.747383 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__ [Wed Oct 20 19:50:40.747394 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.__do_call(*args, **options) [Wed Oct 20 19:50:40.747399 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call [Wed Oct 20 19:50:40.747403 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ret = self.run(*args, **options) [Wed Oct 20 19:50:40.747408 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run [Wed Oct 20 19:50:40.747413 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] return self.execute(*args, **options) [Wed Oct 20 19:50:40.747418 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in execute [Wed Oct 20 19:50:40.747423 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] msg = set_certificate_attrs(result['result'], options) [Wed Oct 20 19:50:40.747428 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs [Wed Oct 20 19:50:40.747434 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] with api.Backend.ra_lightweight_ca as ca_api: [Wed Oct 20 19:50:40.747439 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__ [Wed Oct 20 19:50:40.747445 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] method='GET' [Wed Oct 20 19:50:40.747450 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request [Wed Oct 20 19:50:40.747455 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] method=method, headers=headers) [Wed Oct 20 19:50:40.747460 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request [Wed Oct 20 19:50:40.747465 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] raise NetworkError(uri=uri, error=str(e)) [Wed Oct 20 19:50:40.747470 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipalib.errors.NetworkError: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied Please help, I spent two days on it already.

1 0

How to configure freeipa hidden replica
by Monkey Bizness 20 Oct '21

20 Oct '21

Hi, I'll add a hidden replica to do all the management stuff. Notably I would like to backup all configuration (dns, ca, users, groups, hosts, ad trust etc...). 1st question : Is it possible? 2nd question : Is it a good idea? 3rd question : does that replica need to have all the features from the other replicas enabled? For instance, to backup dns config but not serving as a dns server, should the dns feature still be enabled? Thanks you Monkey

1 0

FreeIPA Bastion Adding a new Shema
by G Col 20 Oct '21

20 Oct '21

Dear FreeIPA team, We have been trying to add a new attribute to our FreeIPA ldap configuration from the command line, but seemed not to work as expected. I provide the steps below: cd /usr/share/ipa ipa-ldap-updater --schema-file 01auhkey.ldif ******************File content: The content is quite generic and nothing in particular is customised on the template below. ********************** dn: cn=schema changetype: modify add: attributeTypes attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' ) - add: objectClasses objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME '*****Account' SUP top AUXILIARY MAY (authKey) X-ORIGIN 'Extending FreeIPA' ) *****************Logs after executing the command: ************************* 2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness 2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt 2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208 2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8> 2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif 2021-10-20T09:43:21Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run ldapi=True) or modified File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema _dn, new_schema = ldap.schema.subentry.urlfetch(url) File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch ldif_file = urllib.urlopen(uri) File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen return opener.open(url) File "/usr/lib64/python2.7/urllib.py", line 210, in open return getattr(self, name)(url) File "/usr/lib64/python2.7/urllib.py", line 463, in open_file return self.open_ftp(url) File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp host = socket.gethostbyname(host) 2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known 2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: IOError: [Errno socket error] [Errno -2] Name or service not known 2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information All the best, gcol

2 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users October 2021