different sssd.conf among masters
by lejeczek
Hi guys.
What each option in sssd.conf means and does, I can try to learn
from the man pages, but I'd like to ask why there would be
differences between masters?
A) first master
[domain/priv.my.dom.private]
access_provider = ipa
auth_provider = ipa
cache_credentials = True
chpass_provider = ipa
id_provider = ipa
ipa_domain = priv.my.dom.private
ipa_hostname = drunk.priv.my.dom.private
ipa_server = drunk.priv.my.dom.private
ipa_server_mode = True
krb5_store_password_if_offline = True
ldap_tls_cacert = /etc/ipa/ca.crt
B) next master
[domain/priv.my.dom.private]
access_provider = ipa
auth_provider = ipa
autofs_provider = ipa
cache_credentials = True
chpass_provider = ipa
hostid_provider = ipa
id_provider = ipa
ipa_domain = priv.my.dom.private
ipa_hostname = sucker.priv.my.dom.private
ipa_server_mode = True
ipa_server = sucker.priv.my.dom.private
krb5_store_password_if_offline = True
ldap_tls_cacert = /etc/ipa/ca.crt
session_provider = ipa
subdomains_provider = ipa
sudo_provider = ipa
Both configs are the result of the 'ipa-server/replica' process, with no
manual intervention, and both systems are virtually identical in
terms of software/hardware.
many thanks, L.
3 years, 1 month
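As an added example (not part of the original thread), this script parses the two [domain/...] sections posted above with the standard configparser and reports which keys one master carries and the other lacks, ignoring the keys that are expected to differ per host (ipa_hostname and ipa_server):

```python
import configparser

# Constructed copies of the two sections quoted in the post (master A, master B).
MASTER_A = """[domain/priv.my.dom.private]
access_provider = ipa
auth_provider = ipa
cache_credentials = True
chpass_provider = ipa
id_provider = ipa
ipa_domain = priv.my.dom.private
ipa_hostname = drunk.priv.my.dom.private
ipa_server = drunk.priv.my.dom.private
ipa_server_mode = True
krb5_store_password_if_offline = True
ldap_tls_cacert = /etc/ipa/ca.crt
"""
MASTER_B = """[domain/priv.my.dom.private]
access_provider = ipa
auth_provider = ipa
autofs_provider = ipa
cache_credentials = True
chpass_provider = ipa
hostid_provider = ipa
id_provider = ipa
ipa_domain = priv.my.dom.private
ipa_hostname = sucker.priv.my.dom.private
ipa_server_mode = True
ipa_server = sucker.priv.my.dom.private
krb5_store_password_if_offline = True
ldap_tls_cacert = /etc/ipa/ca.crt
session_provider = ipa
subdomains_provider = ipa
sudo_provider = ipa
"""
SECTION = "domain/priv.my.dom.private"
HOST_SPECIFIC = {"ipa_hostname", "ipa_server"}  # legitimately differ per master

def parse_domain(text, section=SECTION):
    """Parse one sssd.conf domain section into a plain dict (keys kept as written)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp[section])

def diff_domain(a, b):
    """Return keys only in A, keys only in B, and shared keys whose values differ."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(k for k in set(a) & set(b)
                     if a[k] != b[k] and k not in HOST_SPECIFIC)
    return only_a, only_b, changed
```

Run against real files, read each master's /etc/sssd/sssd.conf into MASTER_A and MASTER_B; the only_b list is the set of provider options the first master is missing.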
ipa-sidgen - when to run
by lejeczek
Hi guys.
When integrating Samba with 'ipa-adtrust-install', the
process asks:
Do you want to run the ipa-sidgen task?
I wonder why that is optional?
Every subsequent run of 'ipa-adtrust-install', or when it is repeated
on other masters, does not pause with that question.
many thanks, L.
3 years, 1 month
Joining Windows 7 system to a FreeIPA domain/realm
by dd4321 Dey
Hi
I am trying to join a Windows 7 system to a FreeIPA domain/realm [mydomain.net] rather than being a member of a workgroup. So I have added a SRV record to the DNS zone [mydomain.net]
DNS Resource Records: mydomain.net.
Record name Record Type Data
....
....
_ldap._tcp.dc._msdcs SRV 0 100 389 idm.mydomain.net.
(https://imgur.com/a/7TouKjs)
I get the desired SRV record by digging the LDAP domain
# dig SRV _ldap._tcp.dc._msdcs.mydomain.net.
(https://imgur.com/a/4TCDFuZ)
However, when I try to join the domain, I encounter the following error:
++++++++++++++++++++++++++++++++++++++++++++++++++
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "mydomain.net":
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.net
The following domain controllers were identified by the query:
idm.mydomain.net
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
++++++++++++++++++++++++++++++++++++++++++++++++++
The A record for the domain controller mydomain.net is resolved correctly as can be seen from the output of dig.
I can confirm domain controller is running and is connected to the network.
Although it is a Windows 7 issue, I would just like to know whether I have to add some more configuration on the FreeIPA/LDAP side?
Regards
3 years, 1 month
ssh login - Illegal empty authtok for user & 7 (Authentication failure)
by lejeczek
Hi guys
I have a fresh re/deployment and users cannot ssh with
passwords.
Snippets of some logs.
...
(2021-03-12 23:16:00): [be[priv.my.dom.private]]
[remove_tree_with_ctx] (0x0020): Cannot open
/var/lib/sss/deskprofile/priv.my.dom.private/me: [2]: No
such file or directory
(2021-03-12 23:16:00): [be[priv.my.dom.private]]
[remove_tree_with_ctx] (0x0020): Cannot open
/var/lib/sss/deskprofile/priv.my.dom.private/me: [2]: No
such file or directory
(2021-03-12 23:18:33): [be[priv.my.dom.private]]
[krb5_auth_send] (0x0020): Illegal empty authtok for user
[me(a)priv.my.dom.private]
(2021-03-12 23:27:56): [be[priv.my.dom.private]]
[krb5_auth_send] (0x0020): Illegal empty authtok for user
[me(a)priv.my.dom.private]
(2021-03-13 3:10:50): [be[priv.my.dom.private]]
[sysdb_range_create] (0x0040): Invalid range, skipping.
Expected that either the secondary base RID or the SID of
the trusted domain is set, but not both or none of them.
(2021-03-13 7:10:50): [be[priv.my.dom.private]]
[sysdb_range_create] (0x0040): Invalid range, skipping.
Expected that either the secondary base RID or the SID of
the trusted domain is set, but not both or none of them.
(2021-03-13 9:08:25): [be[priv.my.dom.private]]
[krb5_auth_send] (0x0020): Illegal empty authtok for user
[me(a)priv.my.dom.private]
(2021-03-13 9:28:16): [be[priv.my.dom.private]]
[krb5_auth_send] (0x0020): Illegal empty authtok for user
[me(a)priv.my.dom.private]
..
of krb5_child.log
..
ailed]
(2021-03-13 9:27:42): [krb5_child[77868]] [map_krb5_error]
(0x0020): 1849: [-1765328353][Decrypt integrity check failed]
(2021-03-13 9:27:48): [krb5_child[77881]]
[get_and_save_tgt] (0x0020): 1720: [-1765328353][Decrypt
integrity check failed]
(2021-03-13 9:27:48): [krb5_child[77881]] [map_krb5_error]
(0x0020): 1849: [-1765328353][Decrypt integrity check failed]
(2021-03-13 9:29:07): [krb5_child[78072]]
[get_and_save_tgt] (0x0020): 1720: [-1765328353][Decrypt
integrity check failed]
(2021-03-13 9:29:07): [krb5_child[78072]] [map_krb5_error]
(0x0020): 1849: [-1765328353][Decrypt integrity check failed]
...
I'm on CentOS Stream with ipa-server-4.9.0.
The "funny" thing is that the very first domain deployment worked,
but I had 'idranges' created which I realized I needed to be
different. So I quickly 'uninstalled' and started anew with
'--idstart'.
But since then I 'uninstalled' again and again installed
without '--idstart'. At this point I can re-install no
matter how and the problem persists: ssh with password does
not work.
many thanks, L.
3 years, 1 month
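As an added example (not from the original thread), this parser rejoins the wrapped SSSD debug entries quoted above into whole records, splits out timestamp, component, function and level, and translates the embedded libkrb5 error code so a triage script can count what is failing; the sample is a constructed copy of four entries from the post, and the code-to-name table is assumed from the krb5 error table (base -1765328384):

```python
import re
from collections import Counter

# Constructed sample, wrapped exactly as the entries appear in the post above.
SAMPLE_LOG = """\
(2021-03-12 23:18:33): [be[priv.my.dom.private]]
[krb5_auth_send] (0x0020): Illegal empty authtok for user
[me(a)priv.my.dom.private]
(2021-03-13 3:10:50): [be[priv.my.dom.private]]
[sysdb_range_create] (0x0040): Invalid range, skipping.
Expected that either the secondary base RID or the SID of
the trusted domain is set, but not both or none of them.
(2021-03-13 9:27:48): [krb5_child[77881]]
[get_and_save_tgt] (0x0020): 1720: [-1765328353][Decrypt
integrity check failed]
(2021-03-13 9:27:48): [krb5_child[77881]] [map_krb5_error]
(0x0020): 1849: [-1765328353][Decrypt integrity check failed]
"""
# (timestamp): [component] [function] (level): message
ENTRY = re.compile(r"^\((\S+ \S+)\): \[(.+?)\] \[(\w+)\] \((0x[0-9a-f]+)\): (.*)$")
KRB5_ERR = re.compile(r"\[(-\d+)\]\[([^\]]*)\]")   # [code][text] as SSSD prints it
KRB5_NAMES = {  # selected libkrb5 codes: error table base -1765328384 plus offset
    -1765328353: "KRB5KRB_AP_ERR_BAD_INTEGRITY",     # 31
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",       # 24
    -1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # 6
}

def parse_entries(text):
    """Rejoin wrapped lines into whole entries, then split each into fields."""
    entries, buf = [], []
    for line in text.splitlines():
        if line.startswith("(20") and buf:    # a new entry begins with its timestamp
            entries.append(" ".join(buf))
            buf = []
        buf.append(line.strip())
    if buf:
        entries.append(" ".join(buf))
    parsed = []
    for entry in entries:
        m = ENTRY.match(entry)
        if m:
            ts, comp, func, level, msg = m.groups()
            parsed.append({"time": ts, "component": comp, "function": func,
                           "level": level, "msg": msg})
    return parsed

def summarize(parsed):
    """Count entries per failing function and name any libkrb5 error codes seen."""
    by_func = Counter(p["function"] for p in parsed)
    codes = Counter()
    for p in parsed:
        for code, _text in KRB5_ERR.findall(p["msg"]):
            codes[KRB5_NAMES.get(int(code), code)] += 1
    return by_func, codes
```

Feed it the real sssd_<domain>.log and krb5_child.log; an "Illegal empty authtok" count alongside KRB5KRB_AP_ERR_BAD_INTEGRITY points at the client-side password path rather than at the KDC.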
Adding OTP token without using IPA UI
by dd4321 Dey
Hi
Is it possible to add/generate an OTP token without using the IPA user interface? For security reasons, I don't want to give users access to the IPA web interface. Recently, I have configured a password manager which integrates with the OpenLDAP/IPA server. So each user can change their password using the password manager, eliminating the need to access the IPA web UI. In the same way, is it possible to generate an OTP token using any third-party application?
Regards
3 years, 1 month
Replication broken
by Antoine Gatineau
Hello,
I'm on FreeIPA 4.9.0 on CentOS Stream (1 master and 1 replica).
I have noticed that my replication is broken. Unfortunately, I don't know since when...
First question: can it be fixed?
Second question: is it possible to perform a restore (on one node, both nodes) to fix the issue?
I recently upgraded from CentOS 8 to CentOS Stream (IPA with it). So can I restore from a previous version?
Here are some snippets of what I see.
$ sudo ipa-healthcheck
Internal server error HTTPSConnectionPool(host='ipa-master-tmp.empire.lan', port=443): Max retries exceeded with url:
/ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa49f3df320>: Failed to
establish a new connection: [Errno -2] Name or service not known',))
[
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "66815b82-56d9-43a4-9035-78333c5cb5cd",
"when": "20210308162643Z",
"duration": "0.364202",
"kw": {
"status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: ipa-master-tmp.empire.lan Port: 443"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "55addd45-6440-4317-8d0b-8eb0d516bd4e",
"when": "20210308162645Z",
"duration": "0.353734",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 6 conflict entries found under the replication suffix \"dc=empire,dc=lan\"."
}
}
]
pki-tomcatd seems OK:
$ sudo journalctl -u pki-tomcatd@pki-tomcat
-- Logs begin at Mon 2021-03-08 17:24:39 CET, end at Mon 2021-03-08 17:35:01 CET. --
Mar 08 17:25:01 ipa-master.empire.lan systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Mar 08 17:25:04 ipa-master.empire.lan java[1613]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-
juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-la>
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: main class used: org.apache.catalina.startup.Bootstrap
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: flags used: -Dcom.redhat.fips=false
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/>
Mar 08 17:25:05 ipa-master.empire.lan server[1716]: arguments used: start
Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in
PKIConnection.__init__() has been deprecated (https>
Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Created connection
http://ipa-master.empire.lan:8080/ca
Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Max retries exceeded>
Mar 08 17:25:06 ipa-master.empire.lan java[1716]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Mar 08 17:25:06 ipa-master.empire.lan server[1716]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have
been skipped: [[TLSv1, TLSv1.1]]
Mar 08 17:25:07 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Read timed out. (rea>
Mar 08 17:25:09 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Read timed out. (rea>
Mar 08 17:25:11 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
master.empire.lan', port=8080): Read timed out. (rea>
Mar 08 17:25:12 ipa-master.empire.lan ipa-pki-wait-running[1717]: ipa-pki-wait-running: Success, subsystem ca is running!
Mar 08 17:25:12 ipa-master.empire.lan systemd[1]: Started PKI Tomcat Server pki-tomcat.
Best
Antoine
3 years, 1 month
How to automatically manage a service before host creation
by Nelson LAMEIRAS
Hi all,
I'm looking for a way to automate certificate creation for services hosted on servers inside a highly available cluster.
Example: we have the following setup:
- http/serverha (an IPA service that will be highly available)
- server01 (not kickstarted yet)
- server02 (not kickstarted yet)
Both server01 and server02 must be able to get the http/serverha certificate when kickstarted, but I find this impossible because they are not part of the "managed by" hosts configured in the service http/serverha.
I'm forced to add each host manually to the "managed by" section of the service, but only after it is kickstarted, which ruins my automation goal.
I hope this explanation is clear.
1 - Is there an elegant (i.e. official) way to automatically manage this situation?
2 - My intuitive solution would be to use automember to put server01 and server02 inside the same hostgroup and to be able to add hostgroups to the "managed by" section of a service, but this is not possible on my current setup (IPA v4.6.8): only adding hosts (not hostgroups!) is allowed. Could this be a legitimate RFE I should write?
Please note that I'm not supposed to know beforehand the precise name of serverXY; it could be server24... ;)
Thanks for your answers,
regards,
Nelson
3 years, 1 month
Re: FreeIPA integration with Azure AD
by Alexander Bokovoy
On to, 11 maalis 2021, Jonathan Aquilina wrote:
>Hi Alexander,
>
>My question was more how can i start this venture towards supporting Azure AD.
We already have some plans for that. If you want to help, please add
your specific use cases to the https://pagure.io/freeipa/issue/6664
ticket with as much detail as possible.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 1 month