Is something changed in the compat tree in CentOS/RHEL 8?
by Peter Tselios
We use the FreeIPA servers as the authentication source for Openstack Keystone.
However, after the migration of our FreeIPA from CentOS 7 to CentOS 8, Openstack users cannot log in.
IPA logs from the Openstack queries, where I detected the different answer:
CentOS 7
op=4 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description"
op=4 RESULT err=0 tag=101 nentries=1 etime=0.000771612
op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid"
op=5 RESULT err=0 tag=101 nentries=1 etime=0.000322091
CentOS 8
op=4 SRCH base="cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description"
op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000169800 optime=0.000829186 etime=0.000997334
op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid"
op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000131140 optime=0.000667892 etime=0.000794799
Notice that in CentOS 8 we have nentries=0.
To reproduce the problem there is no need for Keystone or Openstack, as it's reproducible with a simple ldapsearch:
CentOS 7
$ LDAPBASE="dc=example,dc=com"
$ ldapsearch -v -H ldaps://localhost:636 -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" "(objectClass=posixGroup)" memberUid
CentOS 8
$ LDAPBASE="dc=test,dc=example,dc=com"
$ ldapsearch -v -H ldaps://localhost:636 -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" "(objectClass=posixGroup)" memberUid
If using the "-s sub" scope in CentOS 8, we can see the group object, which makes me think that the "compat" branch is there and that it's just a problem with the searching of the object.
Is there any possibility to fix this, or should we stick with CentOS 7?
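One way to spot this symptom on the server side, as an added example that is not part of the post or of FreeIPA: pair each SRCH record in the 389-ds access log with its RESULT and flag searches under cn=compat that succeeded but returned nentries=0. The log lines embedded below are the excerpts quoted in the post, used as constructed test data; the conn= and timestamp prefixes of a real access log are treated as optional.

```python
import re

# 389-ds access-log records for a search and for its result. The conn=
# prefix is optional because the lines quoted in the post omit it.
SRCH_RE = re.compile(
    r'(?:conn=(?P<conn>\d+) )?op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'(?:conn=(?P<conn>\d+) )?op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=\d+ nentries=(?P<nentries>\d+)')

# Constructed sample input: the access-log excerpts from the post.
CENTOS7_LOG = [
    'op=4 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2 '
    'filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description"',
    'op=4 RESULT err=0 tag=101 nentries=1 etime=0.000771612',
    'op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=example,dc=com" scope=0 '
    'filter="(objectClass=posixGroup)" attrs="memberUid"',
    'op=5 RESULT err=0 tag=101 nentries=1 etime=0.000322091',
]
CENTOS8_LOG = [
    'op=4 SRCH base="cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=2 '
    'filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description"',
    'op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000169800 optime=0.000829186 etime=0.000997334',
    'op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=0 '
    'filter="(objectClass=posixGroup)" attrs="memberUid"',
    'op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000131140 optime=0.000667892 etime=0.000794799',
]


def pair_operations(lines):
    """Yield one record per completed search: the SRCH fields joined with
    the RESULT that carries the same (conn, op) key."""
    pending = {}
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            key = (m.group('conn') or '?', int(m.group('op')))
            pending[key] = {
                'conn': key[0], 'op': key[1], 'base': m.group('base'),
                'scope': int(m.group('scope')), 'filter': m.group('filter'),
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group('conn') or '?', int(m.group('op')))
            rec = pending.pop(key, None)
            if rec is not None:
                rec['err'] = int(m.group('err'))
                rec['nentries'] = int(m.group('nentries'))
                yield rec


def find_empty_compat_searches(lines):
    """Searches under cn=compat that succeeded (err=0) but matched nothing."""
    return [r for r in pair_operations(lines)
            if 'cn=compat' in r['base'].lower()
            and r['err'] == 0 and r['nentries'] == 0]


def base_lookup_regressions(lines):
    """Stronger signal for the symptom in the post: a subtree search found
    entries under some base, and a later base-scope (scope=0) search for an
    entry directly beneath that base returned nothing."""
    found_under = set()
    hits = []
    for r in pair_operations(lines):
        if r['scope'] == 2 and r['nentries'] >= 1:
            found_under.add(r['base'].lower())
        elif r['scope'] == 0 and r['nentries'] == 0:
            # parent DN = everything after the first RDN
            _, _, parent = r['base'].lower().partition(',')
            if parent in found_under:
                hits.append(r)
    return hits


if __name__ == '__main__':
    for name, log in (('CentOS 7', CENTOS7_LOG), ('CentOS 8', CENTOS8_LOG)):
        for r in base_lookup_regressions(log):
            print(f"{name}: op={r['op']} base-scope search of {r['base']} returned no entries")
```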
PKI-Tomcat flagging up on security scans
by Jake Reynolds
Hi,
I'm running ipa-server 4.8.7-13 on Centos 8.3.
My security scanning software is lighting up with a lot of warnings about my FreeIPA servers - specifically Apache Tomcat vulnerabilities exposed on the PKI-Tomcat ports - 8080/8443. It is detecting v9.0.30, and seemingly has a different list of vulnerabilities for each version below 9.0.43 that the service is vulnerable to.
Firstly, is the detection accurate? How can I determine the tomcat version in use here? If the detection is correct, has this dependency been upgraded/is in the process of upgrading?
Secondly, why are these ports exposed at all? It seems that the server.xml defines AJP listening on port localhost:8009, which is what Apache forwards requests to. However this port simply forwards on to 8443 which is listening publicly, and we also have 8080 listening publicly. As far as I can see from documentation connectivity to these endpoints should not be needed.
Thirdly, how can I configure pki-tomcat to not listen on these ports? I've tried editing the connectors in /etc/pki/pki-tomcat/server.xml but the pki-tomcatd service fails on restart - presumably an ipa service somewhere is configured to connect to the FQDN/external IP rather than localhost. Error is ` ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my.fqdn.com', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionErr`. I'm aware I could firewall off the ports, but I'd rather they weren't listening in the first place.
The only reference I've been able to find is the bug here https://github.com/dogtagpki/pki/issues/2748 - but this seems unresolved, and only refers to installation as opposed to modifying an existing install.
Thanks!
Jake
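An added example, not from the post and not from the pki project, that audits which Connector elements in a Tomcat server.xml bind every interface (Tomcat listens on all addresses when the address attribute is absent) and shows what pinning them to loopback would look like. The server.xml below is a constructed sample modelled on the layout the post describes (AJP on localhost:8009, 8080 and 8443 without an address), not the real /etc/pki/pki-tomcat/server.xml.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample modelled on the post's description; not the real
# /etc/pki/pki-tomcat/server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector name="Unsecure" port="8080" protocol="HTTP/1.1"
               redirectPort="8443" maxHttpHeaderSize="8192"/>
    <Connector name="Secure" port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" sslProtocol="TLS" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost"
               redirectPort="8443"/>
  </Service>
</Server>
"""


def connector_bindings(xml_text):
    """One dict per Connector: port, protocol, bind address and whether it is
    reachable from other hosts (no address attribute means all interfaces)."""
    root = ET.fromstring(xml_text)
    bindings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        bindings.append({
            "port": int(conn.get("port")),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "address": address,
            "public": address is None or address not in LOOPBACK,
        })
    return bindings


def public_ports(xml_text):
    """Ports that a network scanner would see, sorted."""
    return sorted(b["port"] for b in connector_bindings(xml_text) if b["public"])


def bind_to_loopback(xml_text, ports, address="127.0.0.1"):
    """Return the server.xml text with address=... set on the listed connectors.
    Other attributes are left untouched."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if int(conn.get("port")) in ports:
            conn.set("address", address)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("public before:", public_ports(SAMPLE_SERVER_XML))
    hardened = bind_to_loopback(SAMPLE_SERVER_XML, public_ports(SAMPLE_SERVER_XML))
    print("public after: ", public_ports(hardened))
```

As the restart error in the post shows, ipa-pki-wait-running connects to the FQDN on port 8080, so any bind-address change has to be tested against that startup check rather than applied blind.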
Updating Letsencrypt certificate fails
by Reino Wallin
When the letsencrypt certificate was renewed a couple of months ago, a problem occurred.
I found this guide and tried to follow it:
https://yyhh.org/blog/2021/01/fix-freeipa-httpd-lets-encrypt-certificate-...
But it seems I have messed up something, and I would like some hints on how to solve my problem.
ipa-server: 4.6.8
Among other things I get this error message:
ipa-server-certinstall -w fullchain.pem privkey.pem
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.
Below are outputs from some important commands with my domain replaced with example.net:
certutil -L -d /etc/httpd/alias/
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
Signing-Cert                                  u,u,u
DSTRootCAX3                                   C,,
EXAMPLE.NET IPA CA                            CT,C,C
letsencryptx3                                 C,,
CN=ipa.example.net                            u,u,u
ldapsearch -Y GSSAPI -Q -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=certificates,cn=ipa,cn=etc,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# certificates, ipa, etc, example.net
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
objectClass: nsContainer
objectClass: top
cn: certificates
# EXAMPLE.NET IPA CA, certificates, ipa, etc, example.net
dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaConfigString: ipaCa
ipaConfigString: compatCA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET
ipaKeyTrust: trusted
cACertificate;binary:: Replaced with XXX
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nIS8VuSpvUaTucptnP
BDEXQYh4cxPT5qkHbuaBrZ7z8TvS2V5K2HCB/Gm6kkyZghxQFMm7zZdDNJQSu9pXUb2HDwv2wdBf6
ZBLxAZNYWJ4qTCXG5RhY13xcORnxzflXkQsMk1Pz4BZb6yEjZx9UvGXVWcdzoKVC9u1YF+jHdcKyQ
4o4K/mcy7PR/F73j3VVAyUXB7WIHT6KLaIp13Ir2byRAHHSPrIa3RBvodrRLQPuHQZZhO5O4BRXPR
6v1rwTgF+EI1Ua3w+mRmP7fHgCQcehvwkXy7zV7GMtaSchcDUf4EluWarG0UsclbLG9orVBnX6kBu
T++1Zs/nVnMAE8wIDAQAB
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
cn: EXAMPLE.NET IPA CA
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
# DSTRootCAX3, certificates, ipa, etc, example.net
dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: DSTRootCAX3
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36/pl1AIg1e0zGJl9pC
C7MfTLGswylvs2cN9x0DBGBSL4Ogzdkkq4z8hSZOsTg6vPkjLZe780yEPZdIq2TKPjOX3d7ASe7WV
wImjqbrtcy56DAYyg6J+ihQwzRGg4So4uXkKMf1QvYBl37dRY4PI4ohh6kthgexSa7mi4ksaKJ9Io
54M2gmOPhcuHt0g31vGKoqrLr1wrcULGiWQdHLFe2qrNNYwif/laBN7VAvI1q7sWpySHj1ks4zG37
/JQXDsFnLVJuw4VTlD0Pz9GFxA8Zfr1ZqbjR262iW5xtjfwRUCOqvabvE+LvVcCJw81oNp5BCbGSq
2KVfj5T2bn/ACXQIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;91299735575339953335919266965803778155
# letsencryptx3, certificates, ipa, etc, example.net
dn: cn=letsencryptx3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: letsencryptx3
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7N
oYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdx
yGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQD
IZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSX
gvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r
6hCm21AvA2H3DkwIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;13298795840390663119752826058995181320
# letsencryptr3-cross, certificates, ipa, etc, example.net
dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: letsencryptr3-cross
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=R3,O=Let's Encrypt,C=US
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLsjVW
Sw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKpTm71O8Mu243AsFzz
WTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnBU840yFLuta7tj95gcOKlVKu2bQ6Xp
UA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YG
d1ZrPxGPeiXOZT/zqItkel/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbs
TzFID9e1RoYvbFQIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;85078157426496920958827089468591623647
# search result
search: 4
result: 0 Success
# numResponses: 6
# numEntries: 5
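An added example, neither the poster's code nor FreeIPA's, showing the check behind the "issuer is not recognized" error: read the cn=certificates LDIF and resolve each ipaCertIssuerSerial against the ipaCertSubject values present in the store. The LDIF is a constructed sample modelled on the output above (keys and certificates elided), with one extra entry whose issuer is deliberately absent from the store.

```python
import base64

# Constructed sample modelled on the cn=certificates LDIF in the post;
# the last entry is invented to show an issuer missing from the store.
SAMPLE_LDIF = """\
# certificates, ipa, etc, example.net
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
objectClass: nsContainer
cn: certificates

dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaConfigString: ipaCa
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1
cn: EXAMPLE.NET IPA CA

dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
cn: DSTRootCAX3
ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co.
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;912997355
 75339953335919266965803778155

dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
cn: letsencryptr3-cross
ipaCertSubject: CN=R3,O=Let's Encrypt,C=US
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;850781574
 26496920958827089468591623647

dn: cn=example-orphan,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
cn: example-orphan
ipaCertSubject: CN=Example Intermediate,O=Example
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=Example Root,O=Example;42
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Minimal LDIF reader: skips comments, decodes '::' base64 values and
    returns one {attribute: [values]} dict per entry."""
    entries, current = [], {}
    for line in unfold(text) + ['']:
        if line == '':
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):
            raw = base64.b64decode(value[1:].strip())
            try:
                value = raw.decode('utf-8')
            except UnicodeDecodeError:
                value = raw          # binary value (e.g. a DER certificate)
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def split_issuer_serial(value):
    """ipaCertIssuerSerial is '<issuer DN>;<decimal serial>'."""
    issuer, _, serial = value.rpartition(';')
    return issuer, int(serial)


def chain_report(entries):
    """For every CA entry, say whether it is self-signed, which stored entry
    issued it, or that its issuer is not in the store at all."""
    certs = [e for e in entries if 'ipaCertSubject' in e]
    by_subject = {e['ipaCertSubject'][0]: e['cn'][0] for e in certs}
    report = {}
    for e in certs:
        subject = e['ipaCertSubject'][0]
        issuer, serial = split_issuer_serial(e['ipaCertIssuerSerial'][0])
        if issuer == subject:
            status = 'self-signed'
        elif issuer in by_subject:
            status = 'issued by ' + by_subject[issuer]
        else:
            status = 'issuer not in store: ' + issuer
        report[e['cn'][0]] = {'status': status, 'serial': serial,
                              'trust': e.get('ipaKeyTrust', ['unknown'])[0]}
    return report


def missing_issuers(entries):
    """Issuer DNs that no ipaCertSubject in the store matches."""
    return sorted({v['status'].split(': ', 1)[1] for v in chain_report(entries).values()
                   if v['status'].startswith('issuer not in store')})
```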
FreeIPA SUDO rules fail with hostgroups
by Brian Sanders
I have recently found out that when adding SUDO rules to my IPA server, the host groups are not evaluated correctly. I am using the same host groups in my HBAC and they are working correctly. If I remove the host groups from the SUDO rule, and instead directly put the server in as an individual host, the SUDO rule works correctly. If I simply set it to allow "all" hosts, while leaving the rest of the SUDO rule the same, it also works.
Running a sudo command with the host groups provides the error:
"test1 is not allowed to run sudo on srv1. This incident will be reported."
I have turned on some debugging for SSSD and SUDO but it is extremely verbose, and after realizing the same host groups work with HBAC, I am skeptical this is an issue with my configuration. Anyone have some troubleshooting or workarounds? Is there perhaps a known bug about this I didn't find? As much as I hate it, my "right now" workaround is to just allow it on all hosts, and rely on my HBAC to determine what groups can log into what hosts. However this isn't a true fix, just a stop gap while I look into this.
IPA Client versions:
ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
IPA Server version:
ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
API Browser - which privilege?
by Ronald Wimmer
Which permission would let a user use the API browser in the WebGUI? Or is there already a privilege that is well-suited for an API user (or even a role)?
Cheers,
Ronald
ipa-dnskeysyncd keeps starting and crashing
by Rob Verduijn
Hello,
My ipa server on centos 8 seems to have a problem. The ipa-dnskeysyncd keeps trying to start and keeps crashing while doing so. I suspect this is caused by the crashed ipaserver that I have now removed from the domain. I spent quite some time adjusting all the dns entries so they now all point to the new server; however, the dnskeysyncd keeps trying to run even though there is no server anymore to sync with. Where do I need to check or configure things so that it no longer keeps crashing?
Rob
apr 20 12:46:11 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: Traceback (most recent call last):
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module>
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:   File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 457, in syncrepl_poll
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:     self.syncrepl_refreshdone()
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:   File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:     self.hsm_replica_sync()
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:   File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:     ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]:     p.returncode, arg_string, output_log, error_log
apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: '
ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.xmlserver
ipa-dnskeysync-replica: DEBUG Kerberos principal: ipa-dnskeysyncd/freeipa02.tjako.thuis
ipalib.install.kinit: DEBUG Initializing principal ipa-dnskeysyncd/freeipa02.tjako.thuis using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipalib.install.kinit: DEBUG using ccache /tmp/ipa-dnskeysync-replica.ccache
ipalib.install.kinit: DEBUG Attempt 1/5: success
ipa-dnskeysync-replica: DEBUG Got TGT
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 177, in <module>
    f.read()
  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 104, in __init__
    self.p11 = _ipap11helper.P11_Helper(label, pin, library)
  File "/usr/lib/python3.6/site-packages/ipaserver/p11helper.py", line 868, in __init__
    raise Error("No slot for label {} found".format(self.token_label))
ipaserver.p11helper.Error: No slot for label ipaDNSSEC found
Exception ignored in: <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7ff5f2bf6c50>>
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 107, in __del__
    self.p11.finalize()
AttributeError: 'LocalHSM' object has no attribute 'p11'
')
FreeIPA and FIPS
by Steve Reed
If I successfully install FreeIPA in FIPS mode, does that mean that all my clients that call on the server need to be in FIPS mode as well? Or can I just have the server in FIPS mode and the clients in whatever mode I want?
Thanks in advance.
Steve
Server Installation Error - [error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl
by Scott Reed
I am not new to installing FreeIPA. This one has been a struggle. I came in to help some people on their server installation. Long story short, I found the ipa-dnskeysyncd.service constantly restarting. I went and uninstalled the server, and found that the slapd-<Domain> service was broken, so I uninstalled it completely manually. Then when I went to install the server again, it hangs on the creation of the domain server. Here are the results of the installation.
Installation Output:
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
Warning: skipping DNS resolution of host serv.example.domain
Checking DNS domain example.domain., please wait ...
The IPA Master Server will be configured with:
Hostname: serv.example.domain
IP address(es): 192.168.1.191
Domain name: example.domain
Realm name: EXAMPLE.DOMAIN
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/45]: creating directory server instance
[error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned no-zero exit status 1
ipapython.admintool: ERROR failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' retured non-zero exit status 1
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Install Log File:
2021-03-30T19:11:29Z DEBUG Logging to /var/log/ipaserver-install.log
2021-03-30T19:11:29Z INFO Checking DNS domain example.domain, please wait ...
2021-03-30T19:11:29Z DEBUG ipa-server-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'ignore_topology_disconnect': False, 'verbose': False, 'domain_level': None, 'ip_addresses': None, 'secondary_rid_base': None, 'netbios_name': None, 'mkhomedir': True, 'http_cert_files': None, 'zonemgr': None, 'no_pkinit': False, 'reverse_zones': None, 'no_forwarders': True, 'external_ca_profile': None, 'external_ca_type': None, 'no_ntp': False, 'no_msdcs': False, 'setup_kra': False, 'domain_name': 'example.domain', 'idmax': None, 'setup_adtrust': False, 'http_cert_name': None, 'dirsrv_cert_files': None, 'no_dnssec_validation': False, 'ca_signing_algorithm': None, 'no_reverse': False, 'ssh_trust_dns': False, 'pkinit_cert_files': None, 'ca_cert_files': None, 'subject_base': None, 'auto_reverse': True, 'auto_forwarders': False, 'no_host_dns': False, 'no_sshd': False, 'no_ui_redirect': False, 'ignore_last_of_role': False, 'realm_name': 'EXAMPLE.DOMAIN', 'forwarders': None, 'i
dstart': None, 'external_ca': False, 'pkinit_cert_name': None, 'no_ssh': False, 'external_cert_files': None, 'enable_compat': False, 'no_hbac_allow': False, 'forward_policy': None, 'dirsrv_cert_name': None, 'unattended': True, 'rid_base': None, 'quiet': False, 'setup_dns': True, 'ca_subject': None, 'host_name': 'serv.example.domain', 'dirsrv_config_file': None, 'log_file': None, 'allow_zone_overlap': False, 'uninstall': False}
2021-03-30T19:11:29Z DEBUG IPA version 4.6.8-5.el7.centos
2021-03-30T19:11:29Z DEBUG Searching for an interface of IP address: ::1
2021-03-30T19:11:29Z DEBUG Testing local IP address: ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (interface: lo)
2021-03-30T19:11:29Z DEBUG Starting external process
2021-03-30T19:11:29Z DEBUG args=/usr/sbin/selinuxenabled
2021-03-30T19:11:29Z DEBUG Process finished, return code=1
2021-03-30T19:11:29Z DEBUG stdout=
2021-03-30T19:11:29Z DEBUG stderr=
2021-03-30T19:11:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:29Z DEBUG httpd is not configured
2021-03-30T19:11:29Z DEBUG kadmin is not configured
2021-03-30T19:11:29Z DEBUG dirsrv is not configured
2021-03-30T19:11:29Z DEBUG pki-tomcatd is not configured
2021-03-30T19:11:29Z DEBUG install is not configured
2021-03-30T19:11:29Z DEBUG krb5kdc is not configured
2021-03-30T19:11:29Z DEBUG ntpd is not configured
2021-03-30T19:11:29Z DEBUG named is not configured
2021-03-30T19:11:29Z DEBUG filestore is tracking no files
2021-03-30T19:11:29Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-03-30T19:11:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:29Z DEBUG Starting external process
2021-03-30T19:11:29Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2021-03-30T19:11:29Z DEBUG Process finished, return code=1
2021-03-30T19:11:29Z DEBUG stdout=
2021-03-30T19:11:29Z DEBUG stderr=Failed to get unit file state for chronyd.service: No such file or directory
2021-03-30T19:11:29Z DEBUG Starting external process
2021-03-30T19:11:29Z DEBUG args=/bin/systemctl is-active chronyd.service
2021-03-30T19:11:29Z DEBUG Process finished, return code=3
2021-03-30T19:11:29Z DEBUG stdout=unknown
2021-03-30T19:11:29Z DEBUG stderr=
2021-03-30T19:11:29Z DEBUG Starting external process
2021-03-30T19:11:29Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2021-03-30T19:11:29Z DEBUG Process finished, return code=0
2021-03-30T19:11:29Z DEBUG stdout=VirtualHost configuration:
*:8443 serv.example.domain (/etc/httpd/conf.d/nss.conf:81)
2021-03-30T19:11:29Z DEBUG stderr=
2021-03-30T19:11:29Z DEBUG Check if serv.example.domain is a primary hostname for localhost
2021-03-30T19:11:29Z DEBUG Primary hostname for localhost: serv.example.domain
2021-03-30T19:11:29Z DEBUG will use host_name: serv.example.domain
2021-03-30T19:11:29Z DEBUG importing all plugin modules in ipaserver.plugins...
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.aci
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.automember
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.automount
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.baseldap
2021-03-30T19:11:29Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.baseuser
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.batch
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.ca
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.caacl
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.cert
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.certmap
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.certprofile
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.config
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.delegation
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.dns
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.dnsserver
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.dogtag
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.domainlevel
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.group
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbac
2021-03-30T19:11:29Z DEBUG ipaserver.plugins.hbac is not a valid plugin module
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbacrule
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbactest
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.host
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hostgroup
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.idrange
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.idviews
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.internal
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.join
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.ldap2
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.location
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.migration
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.misc
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.netgroup
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.otp
2021-03-30T19:11:29Z DEBUG ipaserver.plugins.otp is not a valid plugin module
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.otpconfig
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.otptoken
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.passwd
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.permission
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.ping
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.pkinit
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.privilege
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.pwpolicy
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.rabase
2021-03-30T19:11:29Z DEBUG ipaserver.plugins.rabase is not a valid plugin module
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.radiusproxy
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.realmdomains
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.role
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.schema
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.selfservice
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.server
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.serverrole
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.serverroles
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.service
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.servicedelegation
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.session
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.stageuser
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudo
2021-03-30T19:11:29Z DEBUG ipaserver.plugins.sudo is not a valid plugin module
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudocmd
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudorule
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.topology
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.trust
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.user
2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.vault
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.plugins.virtual
2021-03-30T19:11:30Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.plugins.whoami
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2021-03-30T19:11:30Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.dns
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_unhashed_password
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-03-30T19:11:30Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:30Z INFO Checking DNS domain example.domain., please wait ...
2021-03-30T19:11:30Z DEBUG Name serv.example.domain resolved to set([UnsafeIPAddress('192.168.1.191')])
2021-03-30T19:11:30Z DEBUG Searching for an interface of IP address: 192.168.1.191
2021-03-30T19:11:30Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2021-03-30T19:11:30Z DEBUG Testing local IP address: 192.168.1.191/255.255.255.0 (interface: eth0)
2021-03-30T19:11:30Z DEBUG IP address 192.168.1.191 belongs to a private range, using forward policy only
2021-03-30T19:11:30Z DEBUG will use DNS forwarders: []
2021-03-30T19:11:30Z INFO Reverse record for IP address 192.168.1.191 already exists
2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/hostname'
2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/hostnamectl set-hostname serv.example.domain
2021-03-30T19:11:30Z DEBUG Process finished, return code=0
2021-03-30T19:11:30Z DEBUG stdout=
2021-03-30T19:11:30Z DEBUG stderr=
2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/hosts'
2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2021-03-30T19:11:30Z DEBUG Process finished, return code=1
2021-03-30T19:11:30Z DEBUG stdout=
2021-03-30T19:11:30Z DEBUG stderr=Failed to get unit file state for chronyd.service: No such file or directory
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-active chronyd.service
2021-03-30T19:11:30Z DEBUG Process finished, return code=3
2021-03-30T19:11:30Z DEBUG stdout=unknown
2021-03-30T19:11:30Z DEBUG stderr=
2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:30Z DEBUG Configuring NTP daemon (ntpd)
2021-03-30T19:11:30Z DEBUG [1/4]: stopping ntpd
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-active ntpd.service
2021-03-30T19:11:30Z DEBUG Process finished, return code=3
2021-03-30T19:11:30Z DEBUG stdout=unknown
2021-03-30T19:11:30Z DEBUG stderr=
2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/systemctl stop ntpd.service
2021-03-30T19:11:30Z DEBUG Process finished, return code=0
2021-03-30T19:11:30Z DEBUG stdout=
2021-03-30T19:11:30Z DEBUG stderr=
2021-03-30T19:11:30Z DEBUG Stop of ntpd.service complete
2021-03-30T19:11:30Z DEBUG duration: 0 seconds
2021-03-30T19:11:30Z DEBUG [2/4]: writing configuration
2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/ntp.conf'
2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:30Z DEBUG duration: 0 seconds
2021-03-30T19:11:30Z DEBUG [3/4]: configuring ntpd to start on boot
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-enabled ntpd.service
2021-03-30T19:11:30Z DEBUG Process finished, return code=1
2021-03-30T19:11:30Z DEBUG stdout=disabled
2021-03-30T19:11:30Z DEBUG stderr=
2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:30Z DEBUG Starting external process
2021-03-30T19:11:30Z DEBUG args=/bin/systemctl enable ntpd.service
2021-03-30T19:11:31Z DEBUG Process finished, return code=0
2021-03-30T19:11:31Z DEBUG stdout=
2021-03-30T19:11:31Z DEBUG stderr=Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
2021-03-30T19:11:31Z DEBUG duration: 0 seconds
2021-03-30T19:11:31Z DEBUG [4/4]: starting ntpd
2021-03-30T19:11:31Z DEBUG Starting external process
2021-03-30T19:11:31Z DEBUG args=/bin/systemctl start ntpd.service
2021-03-30T19:11:31Z DEBUG Process finished, return code=0
2021-03-30T19:11:31Z DEBUG stdout=
2021-03-30T19:11:31Z DEBUG stderr=
2021-03-30T19:11:31Z DEBUG Starting external process
2021-03-30T19:11:31Z DEBUG args=/bin/systemctl is-active ntpd.service
2021-03-30T19:11:31Z DEBUG Process finished, return code=0
2021-03-30T19:11:31Z DEBUG stdout=active
2021-03-30T19:11:31Z DEBUG stderr=
2021-03-30T19:11:31Z DEBUG Start of ntpd.service complete
2021-03-30T19:11:31Z DEBUG duration: 0 seconds
2021-03-30T19:11:31Z DEBUG Done configuring NTP daemon (ntpd).
2021-03-30T19:11:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:31Z DEBUG Configuring directory server (dirsrv). Estimated time: 30 seconds
2021-03-30T19:11:31Z DEBUG [1/45]: creating directory server instance
2021-03-30T19:11:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:31Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2021-03-30T19:11:31Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv'
2021-03-30T19:11:31Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2021-03-30T19:11:31Z DEBUG
dn: dc=example,dc=domain
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: example
info: IPA V2.0
2021-03-30T19:11:31Z DEBUG writing inf template
2021-03-30T19:11:31Z DEBUG
[General]
FullMachineName= serv.example.domain
SuiteSpotUserID= dirsrv
SuiteSpotGroup= dirsrv
ServerRoot= /usr/lib64/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= EXAMPLE-DOMAIN
Suffix= dc=example,dc=domain
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif
inst_dir= /var/lib/dirsrv/scripts-EXAMPLE-DOMAIN
2021-03-30T19:11:31Z DEBUG calling setup-ds.pl
2021-03-30T19:11:31Z DEBUG Starting external process
2021-03-30T19:11:31Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop
2021-03-30T19:21:33Z DEBUG Process finished, return code=1
2021-03-30T19:21:33Z DEBUG stdout=Process returned 1280
[21/03/30:19:21:33] - [Setup] Info Could not start the directory server using command '/bin/systemctl start dirsrv@EXAMPLE-DOMAIN.service'. The last line from the error log was '[30/Mar/2021:19:11:32.950196247 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec)
'. Error: Unknown error 1280
Could not start the directory server using command '/bin/systemctl start dirsrv@EXAMPLE-DOMAIN.service'. The last line from the error log was '[30/Mar/2021:19:11:32.950196247 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec)
'. Error: Unknown error 1280
[21/03/30:19:21:33] - [Setup] Fatal Error: Could not create directory server instance 'EXAMPLE-DOMAIN'.
Error: Could not create directory server instance 'EXAMPLE-DOMAIN'.
[21/03/30:19:21:33] - [Setup] Fatal Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
2021-03-30T19:21:33Z DEBUG stderr=Process returned 1280
2021-03-30T19:21:33Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 587, in __create_instance
    raise RuntimeError("failed to create DS instance %s" % e)
RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1
2021-03-30T19:21:33Z DEBUG [error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1
2021-03-30T19:21:33Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 590, in main
    master_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 783, in install
    setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 346, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 587, in __create_instance
    raise RuntimeError("failed to create DS instance %s" % e)
2021-03-30T19:21:33Z DEBUG The ipa-server-install command failed, exception: RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1
2021-03-30T19:21:33Z ERROR failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1
Uninstall log:
[root@serv scripts-EXAMPLE-DOMAIN]# ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
If this server is the last instance of CA,
KRA, or DNSSEC master, uninstallation may result in data loss.
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR Unable to find server cert nickname in /etc/dirsrv/slapd-EXAMPLE-DOMAIN/dse.ldif
Removing IPA client configuration
Unconfigured automount client failed: Command '/usr/sbin/ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
IPA domain could not be found in /etc/sssd/sssd.conf and therefore not deleted
Other domains than IPA domain found, IPA domain was removed from /etc/sssd/sssd.conf.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
Thanks in advance for looking at this.
1 year, 2 months
update ldap schema with ipa-ldap-updater
by iulian roman
Hello,
I would like to extend the LDAP schema in order to get rid of tnsnames.ora and use LDAP for that. I have tried to update the schema using ipa-ldap-updater, but so far without success. Can anybody point out what the correct update file would be for the schema file below (this is only one of the schema files that need to be updated, but the others would be similar):
attributetype ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
objectclass ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' SUP alias STRUCTURAL MUST cn )
Thank you!
1 year, 2 months
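As an added example, not from the post and not FreeIPA's own code: a small Python converter that turns OpenLDAP-style attributetype/objectclass lines (the format shown in the post) into the dn: cn=schema LDIF entry that FreeIPA's own schema files use, which is the form I understand ipa-ldap-updater's -S/--schema-file option to take. It unfolds continuation lines, rewrites the quoted SYNTAX OID into the bare RFC 4512 form 389 Directory Server expects, and refuses to emit LDIF while two definitions share an OID: an OID identifies exactly one schema element, and the two lines as posted both carry 2.16.840.1.113894.3.2.6, so one of them needs its own OID from the same arc before loading. POSTED_SCHEMA is the post's two lines verbatim; CLEAN_SCHEMA, its exampleNetService* names and the 1.3.6.1.4.1.99999 arc are made up for the demonstration.

```python
#!/usr/bin/env python3
"""Convert OpenLDAP-style schema lines into the cn=schema LDIF entry that
ipa-ldap-updater consumes, refusing to emit anything while two definitions
share an OID.  Added example; not FreeIPA code."""
import re
import sys
from collections import defaultdict

# The two definitions from the post, verbatim.
POSTED_SCHEMA = """\
attributetype ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
objectclass ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' SUP alias STRUCTURAL MUST cn )
"""

# Constructed input with distinct OIDs so the conversion has something clean to
# emit.  1.3.6.1.4.1.99999 is a placeholder arc, not a real assignment.
CLEAN_SCHEMA = """\
# comment lines and continuation lines (leading whitespace) are both handled
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleNetServiceAlias'
    EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleNetService' SUP top STRUCTURAL
    MUST cn MAY exampleNetServiceAlias )
"""

# OpenLDAP keyword -> attribute name used in the 389 DS / FreeIPA cn=schema entry.
KIND_TO_ATTR = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}

DEF_RE = re.compile(r"^(attributetype|objectclass)\s*(\(.*\))\s*$", re.IGNORECASE)
OID_RE = re.compile(r"^\(\s*([0-9]+(?:\.[0-9]+)+)")
NAME_RE = re.compile(r"\bNAME\s+\(?\s*'([^']+)'")
# OpenLDAP/Oracle files quote the SYNTAX OID; RFC 4512 (and 389 DS) write it bare.
SYNTAX_QUOTE_RE = re.compile(r"(\bSYNTAX\s+)'([0-9.]+(?:\{[0-9]+\})?)'")


def _unfold(text):
    """Drop blank/comment lines and join continuation lines onto their record."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and records:
            records[-1] += " " + raw.strip()
        else:
            records.append(raw.strip())
    return records


def parse_schema(text):
    """Return one dict (attr, oid, name, body) per definition, in file order."""
    defs = []
    for record in _unfold(text):
        m = DEF_RE.match(record)
        if not m:
            raise ValueError("unrecognised schema record: %r" % record)
        body = " ".join(m.group(2).split())  # collapse internal whitespace
        oid_m, name_m = OID_RE.match(body), NAME_RE.search(body)
        if not (oid_m and name_m):
            raise ValueError("definition without OID or NAME: %r" % record)
        body = SYNTAX_QUOTE_RE.sub(r"\1\2", body)
        defs.append({"attr": KIND_TO_ATTR[m.group(1).lower()],
                     "oid": oid_m.group(1), "name": name_m.group(1), "body": body})
    return defs


def find_oid_collisions(defs):
    """Map each OID that names more than one element to the elements using it."""
    by_oid = defaultdict(list)
    for d in defs:
        by_oid[d["oid"]].append("%s/%s" % (d["attr"], d["name"]))
    return {oid: names for oid, names in by_oid.items() if len(names) > 1}


def to_ldif(defs):
    """Render a cn=schema entry; attribute types first, since object classes
    may only reference attribute types the server already knows."""
    collisions = find_oid_collisions(defs)
    if collisions:
        raise ValueError("OID reused by more than one definition: %s" % collisions)
    lines = ["dn: cn=schema"]
    for attr in ("attributeTypes", "objectClasses"):
        lines += ["%s: %s" % (attr, d["body"]) for d in defs if d["attr"] == attr]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: schema2ipa.py [oracle.schema] > 70-orclnet.ldif
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = fh.read()
    else:
        source = POSTED_SCHEMA
    try:
        sys.stdout.write(to_ldif(parse_schema(source)))
    except ValueError as err:
        sys.exit("refusing to write schema: %s" % err)
```

Run without arguments it stops on the posted snippet and names the colliding OID; with a corrected schema file as its argument it writes the LDIF, which then goes to the IPA master with ipa-ldap-updater -S followed by the file path (check ipa-ldap-updater --help on the installed version for the exact option spelling). The script name schema2ipa.py and output name 70-orclnet.ldif are placeholders. One further caveat from the definitions themselves: the object class as posted inherits from alias, so every entry that uses it must also carry the aliasedObjectName attribute that the standard alias class makes mandatory.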
FreeIPA/RedHat IDM server in containers
by iulian roman
Hello,
Can anyone confirm whether Red Hat IdM is supported or recommended to run in containers in a production environment? I would like to know if there are any drawbacks before I put any effort into implementing it. I would like to use it with one replica and a trust with Active Directory.
Thank you!
1 year, 2 months