update ldap schema with ipa-ldap-updater
by iulian roman
Hello,
I would like to extend the ldap schema in order to get rid of tnsnames.ora and use ldap for that. I try to update the schema using ipa-ldap-updater, but so far no success. Can anybody point what would be the correct update file I should create for the schema file bellow (this is only one of the schema files which need to be updated, but the others would be similar) :
attributetype ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
objectclass ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' SUP alias STRUCTURAL MUST cn )
Thank You !
1 month, 4 weeks
FreeIPA/RedHat IDM server in containers
by iulian roman
Hello,
Can anyone confirm if RedHat IDM is supported/recommended to run in containers in a production environment ? I would like to know if there are any drawbacks before I'll put any effort in implementing it. I would like to use it with one replica and trust with Active Directory.
Thank You !
1 month, 4 weeks
Win non-enrolled clients - manually find users but will not list them
by lejeczek
Hi guys.
Having a IPA Samba's share mapped in Windows and wanting to
amend a folder permission:
"Select User or Group" -> "Advanced" -> "Find Now"
such Win10 client will list, show everything but users.
I do it on freshly install IPA, very little there, only a
couple of users.
would you care to share thoughts as to why 'users' do not
get there?
If it may make is more interesting - when in first step a
username is typed in and then "Check Names" is clicked then
give user is found and shown.
many thanks, L.
2 months
DNS forward for subdomain only working on first master
by Scott Serr
We've been trying to figure this out for a day. Looking for some help please.
We have servers ipa1 and ipa2. The ipa1 was installed first and it can delegate to a subdomain fine. The ipa2 server does not get an answer. Looking at packets on ipa2, they end up going to my general forwarders to the outside world.
This must have been seen before but I can't find a previous post.
Thanks so much!
Configuration:
# ipa dnsforwardzone-find emcisi2.emc2.
Zone name: emcisi2.emc2.
Active zone: TRUE
Zone forwarders: 192.168.75.175
Forward policy: first
# ipa dnsrecord-find example.com emc2
Record name: emc2
NS record: emcisi2.emc2.example.com.
Record name: emcisi2.emc2
A record: 192.168.75.175
# ipa dnsrecord-find 75.168.192.in-addr.arpa. 175
Record name: 175
PTR record: emcisi2.emc2.example.com.
2 months
IPA master/replica sssd.conf question
by John Desantis
Hello all!
I've just perused the list and seem to have found a single entry where
an IPA master/replica is configured with the following items:
1.) ipa_server_mode = true
2.) ipa_server = master, replica1, replica2
Is it recommended to have all IPA servers listed in the server's
sssd.conf? For example:
# master
ipa_server = master.domain, replica.domain
ipa_server_mode = true
# replica
ipa_server = replica.domain, master.domain
ipa_server_mode = true
The idea is that `sssctl domain-status` would return all possible IPA
servers on the server itself, vs. just itself.
I apologize if this should have gone to the SSSD list instead.
Thanks!
John DeSantis
2 months
Debian Docker container FreeIPA Server Installation error
by Guille Colmena
Hello team,
I have been trying to create a Docker container using Debian 10 for the FreeIPA server installation and I am getting the following error almost at the end of the installation after running:
ipa-server-install --no-ntp
The IPA Master Server will be configured with:
Hostname: freeipa.test.com
IP address(es): x.x.x.x
Domain name: test.com
Realm name: TEST.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=TEST.COM
Subject base: O=TEST.COM
Chaining: self-signed
The interesting part is that almost finishes the installation, but fails at the end with this. I really think is nothing related with cert as I selected self signed certificate during the installation of the freeipa.
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.******.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.*****.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I am not sure if there is any relation with my host file configuration, though it is talking about the certificate in the following message.
Checking the freeipa logs I have got the following log in /var/log/ipaserver-install.log:
File "/usr/lib/python3/dist-packages/ipaserver/install/dogtaginstance.py", line 520, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2021-04-10T17:00:51Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2021-04-10T17:00:51Z ERROR CA configuration failed.
*************
I provide more information: I can see the following services related with this already running:
pki-tomcatd(a)pki-tomcat.service loaded active running PKI Tomcat Server pki-tomcat
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysusers.service loaded active exited Create System Users
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
-.slice loaded active active Root Slice
system-dirsrv.slice loaded active active system-dirsrv.slice
system-getty.slice loaded active active system-getty.slice
system-modprobe.slice loaded active active system-modprobe.slice
system-pki\x2dtomcatd.slice loaded active active system-pki\x2dtomcatd.slice
system.slice loaded active active System Slice
dbus.socket loaded active running D-Bus System Message Bus Socket
systemd-initctl.socket loaded active listening initctl Compatibility Named Pipe
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
Not sure what is the issue. the /var/log/pki/pki-tomcat doesn't show much. : /
There is not much help with the logs, just trying to confirm if someone has seen something similar.
Thank you for your help,
2 months
Error on ipa-replica-install (replication agreement already exists)
by Ronald Wimmer
I tried to promote an ipa-client to an ipa-replica. That particular host
has previously been a replica but has been removed due to a faulty base
OS configuration. When I do an ldapsearch from the top of the LDAP tree
(dc=linux,dc=mydomain,dc=at) I could not find any entries before
ipa-client-install.
ipa-replica-install fails with "DEBUG The ipa-replica-install command
failed, exception: ScriptError: A replication agreement for this host
already exists. It needs to be removed." Why do I get this error? I
cannot find ANY topology-related entries in LDAP.
Cheers,
Ronald
2 months
Keytab retrieval
by Mark Potter
Is there a way to enable a user to be able to retrieve all host keytabs
without explicitly allowing for each host?
In short we have a very large, stateless environment. We are currently in
the process of converting to RHEL in order to receive support. The size of
our environment makes force joining on boot a nightmare even though it
worked in testing. I have spoken with our RH rep and the advice we received
from the IDM team, via our rep, was to retrieve the host keytab on boot for
registered machines. We are aware of the risks involved but need a solution
that allows 8k plus hosts to boot without completely overloading the
FreeIPA cluster. With the available documentation I cannot find a way to
allow the service account we will be using to retrieve all host keytabs. As
you can imagine, explicitly allowing for each host would a tedious process
and prone to error.
Thanks in advance for any responses.
--
*Mark Potter*
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
markp(a)dug.com
www.dug.com
2 months
IPA-Resetup
by Ronald Wimmer
Hi,
is there a way to export all IPA configuration and import it on a new
server? For instance to resetup everything from scratch or if purchasing
forces us to switch to a completely different distro.
Cheers,
Ronald
2 months
upgrade to 4.9..3-1 breaks UI: Unknown Error
by Robert Kudyba
After the upgrade to freeipa-server-4.9.3-1.fc33.x86_64
on 5.10.18-200.fc33.x86_64, the web UI will not load and just has the alert
box pop up with Unknown Error: error
Parsing through some logs here are some errors/warnings:
2021-04-09T06:22:57Z DEBUG request body ''
2021-04-09T06:22:57Z DEBUG httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line 262, in
_httplib_request
conn.request(method, path, body=request_body, headers=headers)
File "/usr/lib64/python3.9/http/client.py", line 1255, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1301, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1250, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1010, in _send_output
self.send(msg)
File "/usr/lib64/python3.9/http/client.py", line 950, in send
self.connect()
File "/usr/lib64/python3.9/http/client.py", line 921, in connect
self.sock = self._create_connection(
File "/usr/lib64/python3.9/socket.py", line 843, in create_connection
raise err
File "/usr/lib64/python3.9/socket.py", line 831, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2021-04-09T06:22:57Z DEBUG Failed to check CA status: cannot connect to '
http://ourdomain.edu:8080/ca/admin/ca/getStatus': [Errno 111] Connection
refused
2021-04-09T06:22:57Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
[auth_gssapi:error] [pid 1553901:tid 1554106] [client x.x.x.x:59482] GSS
ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported
mechanism was requested (Unknown error)], referer:
https://ourdomain.edu/ipa/ui/
And running rndc reload is successful but the logs show:
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: NS '
ourdomain.edu' has no address records (A or AAAA)
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: not loaded
due to errors.
Apr 12 13:28:07 ourdomain named[1553865]: 1 master zones from LDAP instance
'ipa' loaded (2 zones defined, 0 inactive, 1 failed to load)
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: NS '
ourdomain.edu' has no address records (A or AAAA)
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: not loaded
due to errors.
Apr 12 13:28:07 ourdomain named[1553865]: update_zone (syncrepl) failed for
master zone DN 'idnsname=ourdomain.edu.,cn=dns,dc=ourdomain,dc=edu'. Zones
can be outdated, run `rndc reload`: bad zone
Apr 12 13:28:07 ourdomain named[1553865]: timed out resolving
'./DNSKEY/IN': 8.8.8.8#53
Apr 12 13:28:07 ourdomain named[1553865]: managed-keys-zone: Key 20326 for
zone . acceptance timer complete: key now trusted
Apr 12 13:28:08 ourdomain named[1553865]: resolver priming query complete
Apr 12 13:28:08 ourdomain named[1553865]: checkhints: unable to get root NS
rrset from cache: not found
Anything new that could've caused this?
2 months
