Use of LDAP Configuration UI Web Console
by G Col
Hi Fedora team,
I have configured FreeIPA and I finally have a web interface to access the configuration and the different settings; it is exciting that it works. However, I am not entirely sure how to configure LDAP groups and LDAP users. The current menus I can see are the following ones:
Identity / Policy / Authentication / Network Services / IPA Server
Then each section has subsections, but I cannot find the LDAP option or functionality. Is it a plugin that I will need to install manually from the CLI?
Thank you for your help,
GCol
2 years, 10 months
Kerberos setup in IPA server and IPA clients
by iulian roman
I have set up an IdM environment with a replica and an AD trust. I have the following realms and domains:
IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local
EXAMPLE.LOCAL is the AD realm with dns domain example.local
All the clients have the DNS domain example.local and are/will be enrolled to the IPA domain.
In the IPA servers I had the following entries (added by the installation process) in /etc/krb5.conf :
server
=====
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
client
====
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
Because of various issues (either replication did not work or clients could not query AD), I had removed entries from the server config (at some point I had .example.local = EXAMPLE.LOCAL, but that broke the replication between IPA servers) and now it looks like this:
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
My question is: how should the [domain_realm] section of /etc/krb5.conf look on both the IPA server and the IPA client?
Are dns_lookup_realm = true and dns_lookup_kdc = true enough in the [libdefaults] section, or should these realms be explicitly added? What are the tradeoffs of not using them?
2 years, 10 months
Cert lookup from CLI or Webui causes SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
by Jim Richard
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
... 70 more
Current versions are:
CentOS 8:
ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream
ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream
ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Jim Richard
System Administrator III
jrichard(a)placeiq.com | (646) 338-8905 | www.placeiq.com
2 years, 10 months
Assistance configuring RHEL client
by Ash Ryder
Hello Guys, I just recently configured my IPA server on its own subdomain within my active directory environment and established trust between AD and Free IPA. Windows users can now SSH to my Free IPA server.
I now want to configure my existing Debian server, which is on my AD domain, so AD users can SSH to it. I have read through the following documentation to enroll my Debian box on my AD domain to FreeIPA (https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain) and seem to be confusing myself. I am no Linux expert and have been learning on the fly.
I have tried running the following command and got these results and was under the impression that the DNS domain should be example.com? If someone could please provide some simple steps and confirm what I should expect that would help me get my head around it.
*****************************************************************************************
ipa-client-install --domain linux.example.com --enable-dns-updates
This program will set up FreeIPA client.
Version 4.7.2
WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd
Discovery was successful!
Client hostname: Server.example.com
Realm: LINUX.EXAMPLE.COM
DNS Domain: linux.example.com
IPA Server: IPA01.linux.example.com
BaseDN: dc=linux,dc=example,dc=com
Thank you as always,
Ash
2 years, 11 months
ipa clients cannot ssh with AD credentials
by iulian roman
I am using an IdM setup which has an AD trust configured.
IPADEV.EXAMPLE.LOCAL is the IPA realm
EXAMPLE.LOCAL is the AD realm
I can ssh to both IPA servers with AD credentials, but cannot ssh to the IPA clients. I have enabled debug for almost all services in sssd and the only entry which seems to be related to the issue is this one:
[[sssd[krb5_child[29926]]]] [sss_child_krb5_trace_cb] (0x4000): [29926] 1619534544.375456: Getting initial credentials for user.email\@COMPANY.COM(a)IPADEV.EXAMPLE.LOCAL
[[sssd[krb5_child[29926]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328378][Client 'user.email@COMPANY.COM(a)IPADEV.EXAMPLE.LOCAL' not found in Kerberos database]
What I do not understand is why it uses the UPN (in the user.email format) to query for the user.
I can run id, getent passwd, etc., and all userids/gids are resolved.
I have tried many settings in sssd.conf , both on the client and server side, but none of them helped.
Below are the sssd.conf and krb5.conf from the client:
sssd.conf
========
[domain/ipadev.example.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipadev.example.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipadev02.example.local
chpass_provider = ipa
ipa_server = _srv_, ipadev04.example.local, ipadev05.example.local
#dns_discovery_domain = ipadev.example.local
debug_level = 9
krb5_auth_timeout = 30
[sssd]
domain_resolution_order = example.local, ipadev.example.local
services = nss, sudo, pam, ssh, ifp
domains = ipadev.example.local
debug_level = 9
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
debug_level = 9
[pac]
[ifp]
[secrets]
[session_recording]
krb5.conf
========
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPADEV.EXAMPLE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPADEV.EXAMPLE.LOCAL = {
kdc = ipadev04.example.local:88
master_kdc = ipadev04.example.local:88
admin_server = ipadev04.example.local:749
kpasswd_server = ipadev04.example.local:464
kdc = ipadev05.example.local:88
master_kdc = ipadev05.example.local:88
admin_server = ipadev05.example.local:749
kpasswd_server = ipadev05.example.local:464
default_domain = ipadev.example.local
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
2 years, 11 months
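The [domain_realm] layouts quoted in the "Kerberos setup in IPA server and IPA clients" thread and in the client krb5.conf above differ in whether .example.local is mapped to the IPA realm. As an added example (not code from either post, and not part of FreeIPA or MIT Kerberos), the script below re-implements the host-to-realm lookup over a [domain_realm] section so the two layouts can be compared offline; the matching order follows the MIT krb5.conf documentation (exact hostname first, then each parent domain, with the leading-dot form checked before the bare form), and DNS lookups (dns_lookup_realm) and the final fallback are represented by returning None.

```python
import re
from typing import Dict, Optional

# Constructed from the two layouts quoted in the threads (trimmed to the
# relevant relations); not complete krb5.conf files.
SERVER_CONF = """
[libdefaults]
dns_lookup_realm = true
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
"""

CLIENT_CONF = """
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
"""


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Extract the [domain_realm] relations of a krb5.conf into a dict."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value     # relations are matched case-insensitively
    return mapping


def host_to_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact host entry first, then parent domains from longest to shortest.

    At each parent level the dotted relation (".example.local") is tried
    before the bare one ("example.local"), as the MIT documentation describes.
    None means no [domain_realm] relation applied; with dns_lookup_realm the
    library would consult DNS next, and otherwise use its built-in fallback.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return None


def resolution_table(conf_text: str, hosts) -> Dict[str, Optional[str]]:
    """Resolve a list of hosts against one configuration."""
    mapping = parse_domain_realm(conf_text)
    return {h: host_to_realm(h, mapping) for h in hosts}


if __name__ == "__main__":
    probes = ["ipadev04.example.local", "ipadev05.example.local",
              "dc01.example.local", "host.ipadev.example.local"]
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(name, resolution_table(conf, probes))
```

Hosts such as dc01.example.local (an AD machine, constructed name) resolve to the IPA realm only under the client layout; under the trimmed server layout they get no [domain_realm] answer and are left to DNS.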
Disabling "kinit admin" on all machines
by Dominik Vogt
What is the correct way to disable "kinit admin" on all ipa
clients? In our setup, becoming admin should only be possible on the
ipa server. (Everything is done by scripts run through ssh;
nobody ever logs in to the server directly.)
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
2 years, 11 months
Disabling dynamic DNS updates completely
by Dominik Vogt
We install a freeipa-server with a constant set of clients that
never changes, and install the DNS server with ipa-server-install.
Dynamic DNS updates are automatically enabled.
I'm not sure what the best way is to get rid of the dynamic update
capabilities completely. During installation ipa-dns-install has
added a block about dynamic updates at the end of named.conf. Can
we just remove this block to disable the feature? Is anything
else required?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
2 years, 11 months
ipa user-mod --rename failed with Operations error
by Janez Molicnik
I've seen a similar thread from two years ago, but with no solution. Something similar happened here. We use FreeIPA VERSION: 4.6.8, API_VERSION: 2.237 on CentOS Linux release 7.8.2003 (Core) and when I've tried to rename the test user, I got the following error:
ipa user-mod --rename=testis test.is
ipa: ERROR: Operations error:
Now the renamed user is inaccessible as an object - if I try to list all users with test in their names in the WebUI I always get the error:
Operations Error
Some operations failed.
testis: user not found
While if I try to use the CLI tool to search for users with test in their name, the new renamed user is displayed among other test users:
ipa user-find test
User login: testis
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: testis(a)REALM.COM
Principal alias: testis(a)REALM.COM
Email address: test.is(a)mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
But I can't reference it directly:
ipa user-find testis
---------------
0 users matched
---------------
...
ipa user-find test.is
---------------
0 users matched
---------------
But if I go to the replica server and search there, the user is there, un-renamed, like it was:
[root@ipa2 ~]# ipa user-find test.is
--------------
1 user matched
--------------
User login: test.is
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: test.is(a)REALM.COM
Principal alias: test.is(a)REALM.COM
Email address: test.is(a)mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
I can also see the new renamed user on 1st server with Apache Directory Studio, but it does not display any attribute values when selected.
So my question is how to delete this user and synchronize both replicas? I've also searched on the internet and I cannot believe that there are so few resources about this issue. I found some old bug reports that user-mod rename wouldn't rename the principal, but it did in our case. Only email and home directory remained un-renamed.
2 years, 11 months
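The post above shows the same user reported differently by two replicas after a failed rename. As an added example (not the poster's code and not part of FreeIPA), the script below parses the "Attribute: value" output of ipa user-find captured on each server, keys the entries by numeric UID (which a rename does not change) and reports the attributes whose values diverge; the two captures are constructed from the values quoted in the post, and "ipa1"/"ipa2" are placeholder server names.

```python
from typing import Dict, List, Optional, Tuple

# Captures constructed from the values quoted in the post. The "(a)" in the
# principal and mail values is the list archive's obfuscation of "@".
IPA1_OUTPUT = """\
User login: testis
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: testis(a)REALM.COM
Principal alias: testis(a)REALM.COM
Email address: test.is(a)mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
"""

IPA2_OUTPUT = """\
--------------
1 user matched
--------------
User login: test.is
First name: test
Last name: is
Home directory: /home/test.is
Login shell: /bin/bash
Principal name: test.is(a)REALM.COM
Principal alias: test.is(a)REALM.COM
Email address: test.is(a)mail.com
UID: 545200935
GID: 545200935
Job Title: Diretore
SSH public key fingerprint: SHA256:hash (ssh-rsa)
Account disabled: False
"""


def parse_user_find(output: str) -> List[Dict[str, str]]:
    """Turn ipa user-find text output into one attribute dict per entry."""
    users: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        # Skip blanks, dashed separators and the "N users matched" summary.
        if not line or set(line) == {"-"} or line.endswith("matched"):
            continue
        if line.startswith("User login:") and current:   # next entry begins
            users.append(current)
            current = {}
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            current[key] = value    # first ":" only, so "SHA256:..." stays intact
    if current:
        users.append(current)
    return users


def by_uid(users: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Index entries by numeric UID, the identity a rename leaves untouched."""
    return {u["UID"]: u for u in users if "UID" in u}


Diff = Dict[str, Tuple[Optional[str], Optional[str]]]


def compare_replicas(out_a: str, out_b: str) -> Dict[str, Diff]:
    """Return {uid: {attribute: (value on a, value on b)}} for divergent attributes."""
    a, b = by_uid(parse_user_find(out_a)), by_uid(parse_user_find(out_b))
    report: Dict[str, Diff] = {}
    for uid in sorted(set(a) | set(b)):
        ea, eb = a.get(uid, {}), b.get(uid, {})
        diffs = {k: (ea.get(k), eb.get(k))
                 for k in sorted(set(ea) | set(eb)) if ea.get(k) != eb.get(k)}
        if diffs:
            report[uid] = diffs
    return report


if __name__ == "__main__":
    for uid, diffs in compare_replicas(IPA1_OUTPUT, IPA2_OUTPUT).items():
        print(f"UID {uid} differs between ipa1 and ipa2:")
        for attr, (v1, v2) in diffs.items():
            print(f"  {attr}: ipa1={v1!r} ipa2={v2!r}")
```

On the quoted captures the report lists only User login and the two principal attributes, matching the poster's observation that email and home directory were not renamed.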
Resolving gssproxy ... Unspecified GSS failure. ... No credentials cache found...
by Harry G. Coin
After the recent freeipa upgrades on Fedora, a "Server Error" was reported,
blocking even the login screen.
The logs were filled with such as:
gssproxy {oid ...} Unspecified GSS failure. Minor code may provide
more information, No credentials cache found
Searches report the solution involved rebooting, checking keytab file
access, etc. These didn't help.
What resolved the problem was clearing the browser cookie / data cache.
HTH
Harry
2 years, 11 months