December 2021 - FreeIPA-users - Fedora Mailing-Lists

by Vinícius Ferrão

Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host. After def -y update and reboot, IPA fails to load an it’s in broken state. [root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE) Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit. If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something. The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service> failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service<mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details.\n’) Is that Java regression again that happened a month or two ago? Thank you all.

1 week, 3 days

5
7
0 / 0

FreeIPA and Certbot ?

by Günther J. Niederwimmer

Hello list, Why are there actually problems between FreeIPA and Certbot? What I have found out so far is it no longer possible to install FreeIPA as a client and replication server if Certbot is installed before ipa-client- install? The question now is, are there also problems when Certbot is installed after FreeIPA? Can I still use Lestencryt at all? Thanks for an answer, -- mit freundlichen Grüßen / best regards Günther J. Niederwimmer

2 weeks, 5 days

3
3
0 / 0

Replica install fails due nonexisting RID ranges

by Andrius Jurkus

Hello, I didint enable adrust or installed related packages, I dont use samba shares either on existing installation. I wanted to create additional replica, during install it asked what is NETBIOS name and if I want to generate SID identifiers for users (answered no) then process failed with errors below. Should I update my ID ranges? or there is replica install option to skip this setup. (I dont use cross AD trusts, or similar features) Configuring SID generation [1/7]: creating samba domain object Samba domain object already exists [2/7]: adding admin(group) SIDs Admin SID already set, nothing to do Admin group SID already set, nothing to do [3/7]: adding RID bases Found more than one local domain ID range with no RID base set. [error] RuntimeError: Too many ID ranges Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Too many ID ranges 2021-12-27T17:56:04Z DEBUG [2/7]: adding admin(group) SIDs 2021-12-27T17:56:04Z DEBUG Admin SID already set, nothing to do 2021-12-27T17:56:04Z DEBUG Admin group SID already set, nothing to do 2021-12-27T17:56:04Z DEBUG step duration: SID generation __add_admin_sids 0.00 sec 2021-12-27T17:56:04Z DEBUG [3/7]: adding RID bases 2021-12-27T17:56:04Z CRITICAL Found more than one local domain ID range with no RID base set. 2021-12-27T17:56:04Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases raise RuntimeError("Too many ID ranges\n") RuntimeError: Too many ID ranges 2021-12-27T17:56:04Z DEBUG [error] RuntimeError: Too many ID ranges 2021-12-27T17:56:04Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 603, in main replica_install(self) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install adtrust.install(False, options, fstore, api) File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install smb.create_instance() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 895, in create_instance self.start_creation(show_service_name=False) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases raise RuntimeError("Too many ID ranges\n") 2021-12-27T17:56:04Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Too many ID ranges 2021-12-27T17:56:04Z ERROR Too many ID ranges

3 weeks

2
2
0 / 0

[pam] [sss_dp_on_reconnect] (0x0010): Could not reconnect to provider.

by Alexander Becker

Hello all, since some time we have some cases where a sssd login does not work anymore and a service restart is necessary. According to analysis, there is a high disk and CPU usage at that time. Affected are clients with Ubuntu 20.04 sssd 2.2.3 freeipa 4.8.6 We get the following error messages: sssd_pam.log [pam] [sss_dp_on_reconnect] (0x0010): Could not reconnect to ad.server provider. auth.log pam_sss(sshd:account): Access denied for user monitor: 4 (System error) sshd[3126935]: fatal: Access denied for user monitor by PAM account configuration [preauth]. Does anyone have any ideas?

3 weeks, 1 day

2
1
0 / 0

2FA - prompting - single_prompt

by Winfried de Heiden

Hi all, Using FreeIPA, 2FA can be made optional by enabling "Password" AND "Two factor authentication (password + OTP)" for a user. For particular hosts the 2FA now can be made mandatory by enabling "Two factor authentication (password + OTP)" Now, for hosts for which 2FA is NOT mandatory, according to the man pages, 2FA can be made "invissible" by using the "single_prompt" option. In man sssd.conf: "If the second factor is optional and it should be possible to log in either only with the password or with both factors two-step prompting has to be used." However, this doesn't work. When using the "single_prompt" login will fail. Using two prompts, and just press enter for the second 2FA prompt, login will succeed. Hence: did I forget something or is there a bug involved? FYI: tested on CentOS Stream9 -- email handtekening privé Met vriendelijke groet, Winfried de Heiden wdh(a)dds.nl

3 weeks, 1 day

2
1
0 / 0

Samba 4.10.16-17.el7_9 and IPA 4.6.8-5.el7.centos.10 updates broke SMB Kerberos authentication

by Konstantin M. Khankin

Hello! I have several SMB shares served by Samba using Kerberos accounts managed by FreeIPA. I have no AD integrations and no AD itself. Windows clients are configured using this <https://www.freeipa.org/page/Windows_authentication_against_FreeIPA> guide, linux clients use ipa-client and "smbclient -k". Servers and linux clients use CentOS 7. Today I received updates for ipa-* (to 4.6.8-5.el7.centos.*10* from 4.6.8-5.el7.centos.*9*) and samba-* (to 4.10.16-*17*.el7_9 from 4.10.16-*15*.el7_9) packages and authentication broke, no clients can connect to shares anymore. Here are logs from linux client: $ klist Ticket cache: KEYRING:persistent:1696200001:1696200001 Default principal: me(a)MYDOMAIN.LOC Valid starting Expires Service principal 12/30/2021 18:04:03 12/31/2021 18:03:46 cifs/samba.server.mydomain.loc(a)MYDOMAIN.LOC 12/30/2021 18:04:02 12/31/2021 18:03:46 nfs/samba.server.mydomain.loc(a)MYDOMAIN.LOC 12/30/2021 18:03:49 12/31/2021 18:03:46 krbtgt/MYDOMAIN.LOC(a)MYDOMAIN.LOC $ smbclient -k -L //samba.server.mydomain.loc session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN Server logs: *log.smbd:* [2021/12/30 19:03:23.597495, 2] ../../source3/lib/smbldap.c:847(smbldap_open_connection) smbldap_open_connection: connection opened [2021/12/30 19:03:23.695598, 3] ../../source3/lib/smbldap.c:1069(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server [2021/12/30 19:03:23.737401, 1] ipa_sam.c:4896(pdb_init_ipasam) pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain mydomain.loc [2021/12/30 19:03:23.737597, 3] ../../lib/util/access.c:365(allow_access) Allowed connection from 192.168.10.1 (192.168.10.1) *log.192.168.10.1:* ... [2021/12/30 19:05:22.458992, 3] ../../source3/smbd/negprot.c:776(reply_negprot) Selected protocol SMB 2.??? [2021/12/30 19:05:22.459495, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot) Selected protocol SMB3_11 [2021/12/30 19:05:22.524677, 3] ../../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob) gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory [2021/12/30 19:05:22.524750, 1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac) gensec_generate_session_info_pac: Unable to find PAC in ticket from me(a)MYDOMAIN.LOC, failing to allow access [2021/12/30 19:05:22.524784, 3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_IMPERSONATION_TOKEN] || at ../../source3/smbd/smb2_sesssetup.c:146 [2021/12/30 19:05:22.525565, 3] ../../source3/smbd/server_exit.c:236(exit_server_common) Server exit (NT_STATUS_END_OF_FILE) Googling, source-digging and "log level = 5" were not helpful. However, I find changelogs somewhat interesting: $ rpm -q --changelog ipa-server | head * Thu Dec 16 2021 CentOS Sources <bugs(a)centos.org> - 4.6.8-5.el7.centos.10 - Roll in CentOS Branding * Thu Dec 02 2021 Florence Blanc-Renaud <frenaud(a)redhat.com> - 4.6.8-5.el7_9.10 - Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup against a RHEL 7.9 IPA server - Fix cert_request for KDC cert - Resolves: 2021444 - CVE-2020-25719 ipa: samba: *Samba AD DC did not always rely on the SID and PAC in Kerberos tickets* - SMB: switch IPA domain controller role $ rpm -q --changelog samba | head * Mon Nov 15 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-17 - related: #2019673 - *Add missing checks for IPA DC server role* * Mon Nov 08 2021 Andreas Schneider <asn(a)redhat.com> - 4.10.16-16 - resolves: #2019661 - Fix CVE-2016-2124 - resolves: #2019673 - Fix CVE-2020-25717 - resolves: #2021428 - *Add missing PAC buffer types to krb5pac.idl* I don't have access to the mentioned bugs in Bugzilla unfortunately. Maybe someone knows if I need to do something after upgrading these packages? Rolling back samba packages is unwanted given that Samba sources mention this is unsafe. Thanks! -- Konstantin Khankin

3 weeks, 2 days

2
5
0 / 0

Re: how to get xrdp to work with ipa users

by Mattias

HI Rob, I saw your post about FreeIPA and XRDP. I cant login via xrdp with my IPA user account. A local account works fine. My guess is that the PAM parts cant find the "remote ipa user" account. Tried to add xrdp and xrdp-sesman to HBAC rules and services but that doesnt make a difference. How does your pam.d/xrdp-sesman look? What more exactly did you do to HBAC? Thanks! /Mattias <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_camp...> Virus-free. www.avast.com <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_camp...> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

3 weeks, 4 days

1
0
0 / 0

Re: IPA Server Upgrade: CA REST API: 403 error

by Joshua Hurst

Hello Scott, Lots of fun things going on with the above. I experienced the same issue, and your thread was at the top of my search results when I first started investigating. Sadly, it does not appear that a solution was posted to it there yet, hence my reply below. What I found: https://access.redhat.com/solutions/4796941 This talks about disabling TLS 1.3. I checked, and on our server 1.3 was disabled by default. After a little more searching I found the thread below, which for me at least contained the solution: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Reading through the thread it appears there is a conflict that can occur during updates that can cause secretRequired in /etc/pki/pki-tomcat/server.xml to not be set correctly. secretRequired should match secret in that file (it's in 2 different spots, so make sure to update both).

3 weeks, 4 days

1
0
0 / 0

Unable to create replicas.

by Chris Roadfeldt

For the past couple months, I've been struggling to get replicas up and running. Have tried using containers and VMs, ended up rebuilding my FreeIPA install from the ground up to eliminate corruption as an issue. The failures are consistent, regardless of install options and appear to be related to replication itself. Initial replication works, but replication after that fails. Attached are the errors encountered during the ipa-replica-install command, along with the relevant log entries. The primary server is currently on a Fedora 35 VM running the following RPMs. freeipa-client-common-4.9.8-1.fc35.noarch freeipa-server-common-4.9.8-1.fc35.noarch freeipa-common-4.9.8-1.fc35.noarch freeipa-client-4.9.8-1.fc35.x86_64 freeipa-healthcheck-core-0.9-3.fc35.noarch freeipa-server-4.9.8-1.fc35.x86_64 freeipa-server-dns-4.9.8-1.fc35.noarch freeipa-server-trust-ad-4.9.8-1.fc35.x86_64 freeipa-selinux-4.9.8-1.fc35.noarch freeipa-healthcheck-0.9-3.fc35.noarch Here are the replica installs for the container and VM along with the relevant ipareplica-install.log entries. Container first, here's the output from ipa-replica-install command. [9/21]: configuring httpd Nothing to do for configure_httpd_wsgi_conf [10/21]: setting up httpd keytab [error] NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information /var/log/ipareplica-install.log entries 2021-12-28T18:46:57Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab 2021-12-28T18:46:57Z DEBUG Waiting up to 300 seconds for replication (ldap://primary.example.com:389) krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=ac counts,dc=example,dc=com (objectclass=*) 2021-12-28T18:47:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:47:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:47:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:47:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:47:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:47:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:48:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:48:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:48:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:48:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:48:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:48:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:49:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:49:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:49:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:49:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:49:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:49:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:50:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:50:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:50:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:50:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:50:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:50:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:06Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:16Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:26Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:36Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:46Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:56Z DEBUG Still waiting for replication of krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:57Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.10/site-packages/ipaserver/install/httpinstance.py", line 634, in request_service_keytab replication.wait_for_entry( File "/usr/lib/python3.10/site-packages/ipaserver/install/replication.py", line 208, in wait_for_entry raise errors.NotFound( ipalib.errors.NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=roadfel dt,dc=com 2021-12-28T18:51:57Z DEBUG [error] NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services ,cn=accounts,dc=example,dc=com 2021-12-28T18:51:57Z DEBUG File "/usr/lib/python3.10/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.10/site-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.10/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.10/site-packages/ipaserver/install/server/__init__.py", line 603, in main replica_install(self) File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 1315, in install install_http( File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http http.create_instance( File "/usr/lib/python3.10/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance self.start_creation() File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 635, in start_creation run_step(full_msg, method) File "/usr/lib/python3.10/site-packages/ipaserver/install/service.py", line 621, in run_step method() File "/usr/lib/python3.10/site-packages/ipaserver/install/httpinstance.py", line 634, in request_service_keytab replication.wait_for_entry( File "/usr/lib/python3.10/site-packages/ipaserver/install/replication.py", line 208, in wait_for_entry raise errors.NotFound( 2021-12-28T18:51:57Z DEBUG The ipa-replica-install command failed, exception: NotFound: wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:57Z ERROR wait_for_entry timeout on ldap://primary.example.com:389 for krbprincipalname=HTTP/replica1.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com 2021-12-28T18:51:57Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information VM install output Done configuring ipa-otpd. Custodia uses 'primary.example.com' as master peer. Configuring ipa-custodia [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Incorrect number of results (0) searching for public key for host/primary.example.com(a)EXAMPLE.COM /var/log/ipareplica-install.log entries 2021-12-29T00:40:10Z DEBUG Done configuring ipa-custodia. 2021-12-29T00:40:10Z DEBUG service duration: ipa-custodia 2.37 sec 2021-12-29T00:40:10Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2021-12-29T00:40:10Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2021-12-29T00:40:10Z DEBUG Waiting up to 300 seconds to see our keys appear on host ldap://primary.example.com 2021-12-29T00:40:10Z DEBUG File "/usr/lib/python3.10/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.10/site-packages/ipapython/install/cli.py", line 342, in run return cfgr.run() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.10/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.10/site-packages/six.py", line 719, in reraise raise value File "/usr/lib/python3.10/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.10/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.10/site-packages/ipaserver/install/server/__init__.py", line 603, in main replica_install(self) File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated func(installer) File "/usr/lib/python3.10/site-packages/ipaserver/install/server/replicainstall.py", line 1345, in install ca.install(False, config, options, custodia=custodia) File "/usr/lib/python3.10/site-packages/ipaserver/install/ca.py", line 270, in install install_step_0(standalone, replica_config, options, custodia=custodia) File "/usr/lib/python3.10/site-packages/ipaserver/install/ca.py", line 306, in install_step_0 custodia.get_ca_keys( File "/usr/lib/python3.10/site-packages/ipaserver/install/custodiainstance.py", line 296, in get_ca_keys self._get_keys(cacerts_file, cacerts_pwd, data) File "/usr/lib/python3.10/site-packages/ipaserver/install/custodiainstance.py", line 252, in _get_keys cli = self._get_custodia_client() File "/usr/lib/python3.10/site-packages/ipaserver/install/custodiainstance.py", line 241, in _get_custodia_client return CustodiaClient( File "/usr/lib/python3.10/site-packages/ipaserver/secrets/client.py", line 70, in __init__ self._server_keys(), self._client_keys() File "/usr/lib/python3.10/site-packages/ipaserver/secrets/client.py", line 80, in _server_keys sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG))) File "/usr/lib/python3.10/site-packages/ipaserver/secrets/kem.py", line 224, in find_key return conn.get_key(usage, kid) File "/usr/lib/python3.10/site-packages/ipaserver/secrets/kem.py", line 78, in get_key raise ValueError("Incorrect number of results (%d) searching for " 2021-12-29T00:40:10Z DEBUG The ipa-replica-install command failed, exception: ValueError: Incorrect number of results (0) searching for public key for host/primary.example.com(a)EXAMPLE.COM 2021-12-29T00:40:10Z ERROR Incorrect number of results (0) searching for public key for host/primary.example.com(a)EXAMPLE.COM 2021-12-29T00:40:10Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

3 weeks, 4 days

2
4
0 / 0

FreeIPA missing replication segments but still replicating

by Neal Harrington

Hi, I have managed to setup an IPA cluster which is still replicating changes to users and CA's, but thinks it has no replication configured. I'm not sure how I have managed this and have not been able to figure it out so would appreciate any pointers anyone can provide. I setup an initial IPA server, successfully joined a further 5 and setup the replication using the web based GUI with 3 being domain+ca and the remaining 3 being just domain. All seemed good, a user created on one server appeared on remote IPA servers and I left for Christmas. Returning for work yesterday and the web based GUI does not show any links between the servers and will not let me add any with error "leftnode does not support suffix 'domain'". However if I create or edit a user then it appears on the other IPA servers and adding a new root CA also is visible from all IPA servers. I can also successfully join client servers, and then login to them with IPA based credentials. The "ipa topology*" commands show no suffixes or segments, however an LDAP search does show the links as I set them up (output below). The only errors I have seen in the logs are for things which google searches list as "normal" - but I'm obviously missing something. Disabling firewall/selinux does not seem to have any impact and DNS/reverse DNS is resolving correctly from all the servers. The only difference to the guides is that FreeIPA is not hosting the reverse zones itself - I'm using forwarders to my main DNS servers which host those records - but I can't see that being related as resolution is working. Any pointers for where to look and what to look for next greatly appreciated. This is a fresh deploy, so I can wipe and restart if needed, but I'd like to at least understand what is going on so I can avoid repeating it in the future. versions installed : ipa-client-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64 ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64 ipa-server-dns-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch # ipa topologysuffix-show Suffix name: domain ipa: ERROR: domain: suffix not found # ipa topologysuffix-find --all --------------------------- 0 topology suffixes matched --------------------------- ---------------------------- Number of entries returned 0 ---------------------------- # ipa topologysegment-find domain --all ------------------ 0 segments matched ------------------ ---------------------------- Number of entries returned 0 ---------------------------- $ ldapsearch -D "cn=directory manager" -W -b "cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net> with scope subtree # filter: (objectclass=*) # requesting: ALL # # topology, ipa, etc, ipa.mydomain.net dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net objectClass: top objectClass: nsContainer cn: topology # domain, topology, ipa, etc, ipa.mydomain.net dn: cn=domain,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net objectClass: top objectClass: iparepltopoconf ipaReplTopoConfRoot: dc=ipa,dc=mydomain,dc=net nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts uccessfulauth krblastfailedauth krbloginfailedcount nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in ternalModifyTimestamp cn: domain # ca, topology, ipa, etc, ipa.mydomain.net dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net objectClass: top objectClass: iparepltopoconf ipaReplTopoConfRoot: o=ipaca cn: ca # ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net, domain, topology, ipa, et c, ipa.mydomain.net dn: cn=ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net,cn=domain,cn=topolog y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net ipaReplTopoSegmentDirection: both objectClass: iparepltoposegment objectClass: top cn: ipa1-c.ipa.mydomain.net-to-ipa2-c.ipa.mydomain.net ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net ipaReplTopoSegmentRightNode: ipa2-c.ipa.mydomain.net ipaReplTopoSegmentStatus: autogen # ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, domain, topology, ipa, et c, ipa.mydomain.net dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=domain,cn=topolog y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net ipaReplTopoSegmentDirection: both objectClass: iparepltoposegment objectClass: top cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net ipaReplTopoSegmentStatus: autogen # ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net, ca, topology, ipa, etc, i pa.mydomain.net dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net,cn=ca,cn=topology,cn =ipa,cn=etc,dc=ipa,dc=mydomain,dc=net ipaReplTopoSegmentDirection: both objectClass: iparepltoposegment objectClass: top cn: ipa1-c.ipa.mydomain.net-to-ipa1-b.ipa.mydomain.net ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net ipaReplTopoSegmentRightNode: ipa1-b.ipa.mydomain.net ipaReplTopoSegmentStatus: autogen # ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, et c, ipa.mydomain.net dn: cn=ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net ipaReplTopoSegmentDirection: both objectClass: iparepltoposegment objectClass: top cn: ipa2-c.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net ipaReplTopoSegmentLeftNode: ipa2-c.ipa.mydomain.net ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net ipaReplTopoSegmentStatus: autogen # ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net, domain, topology, ipa, et c, ipa.mydomain.net dn: cn=ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net,cn=domain,cn=topolog y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net ipaReplTopoSegmentLeftNode: ipa1-b.ipa.mydomain.net ipaReplTopoSegmentRightNode: ipa2-b.ipa.mydomain.net ipaReplTopoSegmentDirection: both cn: ipa1-b.ipa.mydomain.net-to-ipa2-b.ipa.mydomain.net objectClass: iparepltoposegment objectClass: top # ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net, domain, topology, ipa, et c, ipa.mydomain.net dn: cn=ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net,cn=domain,cn=topolog y,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=net ipaReplTopoSegmentDirection: both objectClass: iparepltoposegment objectClass: top cn: ipa1-c.ipa.mydomain.net-to-ipa1-a.ipa.mydomain.net ipaReplTopoSegmentLeftNode: ipa1-c.ipa.mydomain.net ipaReplTopoSegmentRightNode: ipa1-a.ipa.mydomain.net ipaReplTopoSegmentStatus: autogen <SNIP several more links> # search result search: 2 result: 0 Success # numResponses: 17 # numEntries: 16 Follow us: Neal Harrington | System Administrator Direct - 01256831040 | Mobile - 07849089832 Office - 01494410000 | https://www.myphones.com *** Please consider your environmental responsibility before printing this e-mail *** MyPhones.com is the trading name of Et Al Innovations Limited, registered in the United Kingdom. Company Number: 03718039 | VAT Registration Number: GB 697877637 Registered Address: Glebe Farm, Down Street, Dummer, Basingstoke RG25 2AD This message and any files transmitted with it is intended for the addressee only and may contain information that is confidential and/or legally privileged. Unauthorised use is strictly prohibited and may be unlawful. If you are not the addressee, you should not read, copy, disclose or otherwise use this message, including any picture or graphic and any attachment, except for the purpose of delivery to the addressee. We make every effort to keep our network free from viruses. However, you do need to verify this e-mail and any attachments to it to be virus free as we can take no responsibility for any computer virus which might be transferred by way of this e-mail.

3 weeks, 5 days

1
0
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users December 2021