Disabling dynamic DNS updates completely
by Dominik Vogt
We install a freeipa-server with a constant set of clients that
never changes, and install the DNS server with ipa-server-install.
Dynamic DNS updates are automatically enabled.
I'm not sure what the best way is to get rid of the dynamic update
capabilities completely. During installation ipa-dns-install has
added a block about dynamic updates at the end of named.conf. Can
we just remove this block to disable the feature? Is anything
else required?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
2 weeks
ipa user-mod --rename failed with Operations error
by Janez Molicnik
I've seen a similar thread from two years ago, but with no solution. Something similar happened here. We use FreeIPA VERSION: 4.6.8, API_VERSION: 2.237 on CentOS Linux release 7.8.2003 (Core) and when I've tried to rename the test user, I got the following error:
ipa user-mod --rename=testis test.is
ipa: ERROR: Operations error:
Now the renamed user is inaccessible as an object - if I try to list all users with test in their names in the WebUI I always get the error:
Operations Error
Some operations failed.
testis: user not found
While if I try to use the CLI tool to search for users with test in their name, the new renamed user is displayed among other test users:
ipa user-find test
User login: testis
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: testis(a)REALM.COM
Principal alias: testis(a)REALM.COM
Email address: test.is(a)mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
But I can't reference it directly:
ipa user-find testis
---------------
0 users matched
---------------
...
ipa user-find test.is
---------------
0 users matched
---------------
But if I go to replica server and search it there, the user is there, un-renamed.. like it was:
[root@ipa2 ~]# ipa user-find test.is
--------------
1 user matched
--------------
User login: test.is
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: test.is(a)REALM.COM
Principal alias: test.is(a)REALM.COM
Email address: test.is(a)mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
I can also see the new renamed user on 1st server with Apache Directory Studio, but it does not display any attribute values when selected.
So my question is how to delete this user and synchronize both replicas? I've also searched on the internet and I cannot believe that there are so little resources about this issue. I found some old bug reports that user-mod rename wouldn't rename the principal, but it did in our case. Only email and home directory remained un-renamed.
2 weeks
Resolving gssproxy ... Unspecified GSS failure. ... No credentials cache found...
by Harry G. Coin
After the recent freeipa upgrades on fedora, the reported "Server Error"
blocking even the login screen.
The logs were filled with such as:
gssproxy {oid ...} Unspecified GSS failure. Minor code may provide
more information, No credentials cache found
Searches report the solution involved rebooting, checking keytab file
access, etc. These didn't help.
What resolved the problem was clearing the browser cookie / data cache.
HTH
Harry
2 weeks, 1 day
KRB5KDC Service crashing with core dump
by Ash Ryder
Hello Guys,
I am having a bit of trouble keeping the krb5kdc service up for longer than 10mins. I have
just installed Free IPA on our windows domain and can authenticate when the service is up
to the IPA server with my windows credentials.
I have just installed the development tools to run GBD but i am having issues.. is someone able to please advise how to obtain a backtrace? with a simple guide? I'm not that Linux savvy yet :)
The service errors with the following:
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset:
disabled)
Active: failed (Result: core-dump) since Mon 2021-04-26 10:09:02 AEST; 3h 55min ago
Process: 139132 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS
(code=exited, status=0/SUCCESS)
Main PID: 139136 (code=dumped, signal=ABRT)
LOG SSD_Example.com shows this around the same time the service stops
(2021-04-26 10:08:53): [be[linux.example.com]] [sdap_id_conn_data_expire_handler]
(0x0080): connection is about to expire, releasing it
(2021-04-26 10:09:01): [be[linux.example.com]] [sasl_bind_send] (0x0020): ldap_sasl_bind
failed (-2)[Local error]
(2021-04-26 10:09:01): [be[example.com]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Cannot contact any KDC for realm
'LINUX.EXAMPLE.COM')]
KRB5KDC.LOG
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): AS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.2.0.208: NEEDED_PREAUTH:
host/IPA01.linux.example.com(a)LINUX.EXAMPLE.COM for
krbtgt/LINUX.EXAMPLE.COM(a)LINUX.EXAMPLE.COM, Additional pre-authentication required
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): closing down fd 12
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139136](Error): worker 139142 exited with
status 134
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): AS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.2.0.208: ISSUE: authtime 1619395741, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, host/IPA01.linux.example.com(a)LINUX.EXAMPLE.COM for
krbtgt/LINUX.EXAMPLE.COM(a)LINUX.EXAMPLE.COM
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): closing down fd 11
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): closing down fd 10
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): closing down fd 9
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): closing down fd 8
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): shutting down
Apr 26 10:09:01 IPA01.linux.example.com krb5kdc[139141](info): IPA certauth plugin
un-loaded.
Thank in advance,
Ash
2 weeks, 1 day
Use of certificates to have https secure connection
by guille.colmena@gmail.com
Hello,
I have run that command and I get the following message. The file
doesn't exist.
certutil -L -d /etc/httpd/alias -n Server-Cert
certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
Not sure what to do next.
Also is here where I can find the passphrase?
cat /etc/ipa/nssdb/pwdfile.txt
Thank you for your help,
gcol
2 weeks, 1 day
general question - replication of master
by Sinh Lam
Hi -
General question. I would like to add freeradius to freeipa. Currently we
have a single master with multiple replicas at various sites. Will
replication break if I only add freeradius to the master but not to the
various sites?
Thanks.
Sinh
2 weeks, 2 days
Dovecot integration, expired password as well as if over quota login notice; local user can't login
by Robert Kudyba
As I continue to test FreeIPA, freeipa-server-4.9.3-1, on Fedora 33 I've
run into the following issues with web mail and Dovecot integration.
1. I followed
https://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using...
but I couldn't get web mail to login until I used the suggestion from
https://blog.delouw.ch/2017/02/19/integrate-dovecot-imap-with-freeipa-usi...
and changed logins auth_mechanisms = plain gssapi login
2. even with auth_mechanisms = plain gssapi login, I could then no longer
login to webmail with any local Unix (non-Kerberized) users.
The dovecot logs show:
auth: Error: policy(localuser(a)ourdomain.edu,127.0.0.1,<r2eFe+PAvut/AAAB>):
Policy server HTTP error: connect(x.x.x.x:8084) failed: Connection refused
auth: Debug: policy(localuser(a)ourdomain.edu,127.0.0.1,<r2eFe+PAvut/AAAB>):
Policy report action finished
auth: Debug: http-client[1]: request [Req2: POST
https://x.x.x.x:8084/?command=report]: Destroy (requests left=1)
auth: Debug: http-client[1]: request [Req2: POST
https://x.x.x.x:8084/?command=report]: Free (requests left=0)
auth: Debug: http-client: conn x.x.x.x[2]: Connection close
auth: Debug: http-client: conn x.x.x.x[2]: Connection disconnect
auth: Debug: http-client: conn x.x.x.x[2]: Disconnected: connect() failed:
Connection refused (fd=23)
auth: Debug: http-client: conn x.x.x.x[2]: Detached peer
auth: Debug: http-client: conn x.x.x.x[2]: Connection destroy
auth: Debug: http-client: host x.x.x.x: Idle host timed out
auth: Debug: http-client: host x.x.x.x: Host destroy
auth: Debug: http-client: host x.x.x.x: Host session destroy
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Destroy
auth: Debug: client passdb out: FAIL 1 user=localuser(a)ourdomain.edu
original_user=localuser
imap-login: Debug: Ignoring unknown passdb extra field: original_user
imap-login: Info: Aborted login (auth failed, 1 attempts in 3 secs): user=<
localuser(a)ourdomain.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured, session=<r2eFe+PAvut/AAAB>
3. If a user was over quota there was no way to tell on the webmail page
that they were over quota but the dovecot logs show imap(ouruser): Error:
mkdir(/path/to/ouruser/mail/.imap) failed: Disk quota exceeded
Is this more of a Dovecot and webmail issue? Would there be a security risk
if the web page displayed a warning that could be generalized to inform the
user to either check their quota or password reset being needed?
2 weeks, 2 days
GSSAPI Error with AD trust
by iulian roman
I have an IPA setup with replica which has trust configured with an Active Directory domain. The trust has been configured and it does show correctly when listed, but users cannot authenticate against Active Directory. The only error I see (on IPA server sssd logs) after I enabled debugging is:
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
This error is logged for all 8 domain controllers behind Active Directory domain.
Any hint where to look for or check would be really appreciated .
2 weeks, 2 days
missed ipa-certupdate after adding certificates root ca and httpd
by Embedded Devel
any work around for missing the ipa-certupdate step ? we injected the root CA and missed the step,
so now we are basically locked out from doing anything ipa, even loggging in with the error
ipa: ERROR: cannot connect to 'https://ipa.domain.com/ipa/json'
<https://ipa.awnix.net/ipa/json>: [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed (_ssl.c:897)
The certificate in mysite.crt must be signed by a CA known by the
service you are loading the certificate into. If it is not the case, you
can use the commands/ipa-cacert-manage install/ and/ipa-certupdate/ to load
the CA's certificate prior to installing the new certificate.
# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
Note: the command ipa-certupdate must be executed on all the IPA hosts
(master/replicas/clients) before moving to the next step.
Configuration of the 3rd part certificate
You can install the new bundle using:
# ipa-server-certinstall -w -d mysite.key mysite.crt
The option -w|--http installs the certificate for the HTTP server, and
-d|--dirsrv installs the certificate for the LDAP server. Please see
ipa-server-certinstall(1) man page for more information regarding all
the available options.
Then restart your daemons:
# systemctl restart httpd.service
# systemctl restart dirsrv(a)MY-REALM.service
2 weeks, 6 days
