April 2021 - FreeIPA-users - Fedora Mailing-Lists

Is something changed in the compat tree in CentOS/RHEL 8?

by Peter Tselios

We use the FreeIPA servers as authentication source for Opestack Keystone. However, after the migration of our FreeIPA to CentOS 8 from CentOS 7, Openstack users cannot login. IPA Logs from the Openstack queries where I detected the different answer: CentOS 7 op=4 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description" op=4 RESULT err=0 tag=101 nentries=1 etime=0.000771612 op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid" op=5 RESULT err=0 tag=101 nentries=1 etime=0.000322091 CentOS 8 op=4 SRCH base="cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description" op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000169800 optime=0.000829186 etime=0.000997334 op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid" op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000131140 optime=0.000667892 etime=0.000794799 Notice that in CentOS 8 we have nentries=0 To reproduce the problem there is no need for Keystone or Openstack as it’s reproducible by a simple ldapsearch: CentOS 7 $ LDAPBASE="dc=example,dc=com" $ ldapsearch -v -H ldaps://localhost:636 -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" "(objectClass=posixGroup)" memberUid CentOS 8 $ LDAPBASE="dc=test,dc=example,dc=com" $ ldapsearch -v -H ldaps://localhost:636 -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" "(objectClass=posixGroup)" memberUid If using the “-s sub” scope in CentOS 8, we can see the group object, which make me thing that the “compat” branch is there and that it’s just a problem with the searching of the object Is there any possibility to fix this, or we should stick with CentOS 7?

1 year, 2 months

2
2
0 / 0

PKI-Tomcat flagging up on security scans

by Jake Reynolds

Hi, I'm running ipa-server 4.8.7-13 on Centos 8.3. My security scanning software is lighting up with a lot of warnings about my FreeIPA servers - specifically Apache Tomcat vulnerabilities exposed on the PKI-Tomcat ports - 8080/8443. It is detecting v9.0.30, and seemingly has a different list of vulnerabilities for each version below 9.0.43 that the service is vulnerable to. Firstly, is the detection accurate? How can I determine the tomcat version in use here? If the detection is correct, has this dependency been upgraded/is in the process of upgrading? Secondly, why are these ports exposed at all? It seems that the server.xml defines AJP listening on port localhost:8009, which is what Apache forwards requests to. However this port simply forwards on to 8443 which is listening publicly, and we also have 8080 listening publicly. As far as I can see from documentation connectivity to these endpoints should not be needed. Thirdly, how can I configure pki-tomcat to not listen on these ports? I've tried editing the connectors in /etc/pki/pki-tomcat/server.xml but the pki-tomcatd service fails on restart - presumably an ipa service somewhere is configured to connect to the FQDN/external IP rather than localhost. Error is ` ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my.fqdn.com', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionErr`. I'm aware I could firewall off the ports, but I'd rather they weren't listening in the first place. The only reference I've been able to find is the bug here https://github.com/dogtagpki/pki/issues/2748 - but this seems unresolved, and only refers to installation as oppose to modifying an existing install. Thanks! Jake

1 year, 2 months

3
4
0 / 0

Updating Letsencrypt certificate fails

by Reino Wallin

When the letsencrypt certificate was renewed a couple of months ago, a problem occurred. I found this guide and tried to follow it: https://yyhh.org/blog/2021/01/fix-freeipa-httpd-lets-encrypt-certificate-... But it seems I have messed up something, and I would like some hints how to solve my problem. ipa-server: 4.6.8 Among other things I get this error message: ipa-server-certinstall -w fullchain.pem privkey.pem Directory Manager password: Enter private key unlock password: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate. The ipa-server-certinstall command failed. Below are outputs from some important commands with my domain replaced with example.net: certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u DSTRootCAX3 C,, EXAMPLE.NET IPA CA CT,C,C letsencryptx3 C,, CN=ipa.example.net u,u,u ldapsearch -Y GSSAPI -Q -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=net # extended LDIF # # LDAPv3 # base <cn=certificates,cn=ipa,cn=etc,dc=example,dc=net> with scope subtree # filter: (objectclass=*) # requesting: ALL # # certificates, ipa, etc, example.net dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=net objectClass: nsContainer objectClass: top cn: certificates # EXAMPLE.NET IPA CA, certificates, ipa, etc, example.net dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net ipaConfigString: ipaCa ipaConfigString: compatCA ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET ipaKeyTrust: trusted cACertificate;binary:: Replaced with XXX ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nIS8VuSpvUaTucptnP BDEXQYh4cxPT5qkHbuaBrZ7z8TvS2V5K2HCB/Gm6kkyZghxQFMm7zZdDNJQSu9pXUb2HDwv2wdBf6 ZBLxAZNYWJ4qTCXG5RhY13xcORnxzflXkQsMk1Pz4BZb6yEjZx9UvGXVWcdzoKVC9u1YF+jHdcKyQ 4o4K/mcy7PR/F73j3VVAyUXB7WIHT6KLaIp13Ir2byRAHHSPrIa3RBvodrRLQPuHQZZhO5O4BRXPR 6v1rwTgF+EI1Ua3w+mRmP7fHgCQcehvwkXy7zV7GMtaSchcDUf4EluWarG0UsclbLG9orVBnX6kBu T++1Zs/nVnMAE8wIDAQAB ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1 objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: EXAMPLE.NET IPA CA ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4 # DSTRootCAX3, certificates, ipa, etc, example.net dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 cn: DSTRootCAX3 objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co. ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36/pl1AIg1e0zGJl9pC C7MfTLGswylvs2cN9x0DBGBSL4Ogzdkkq4z8hSZOsTg6vPkjLZe780yEPZdIq2TKPjOX3d7ASe7WV wImjqbrtcy56DAYyg6J+ihQwzRGg4So4uXkKMf1QvYBl37dRY4PI4ohh6kthgexSa7mi4ksaKJ9Io 54M2gmOPhcuHt0g31vGKoqrLr1wrcULGiWQdHLFe2qrNNYwif/laBN7VAvI1q7sWpySHj1ks4zG37 /JQXDsFnLVJuw4VTlD0Pz9GFxA8Zfr1ZqbjR262iW5xtjfwRUCOqvabvE+LvVcCJw81oNp5BCbGSq 2KVfj5T2bn/ACXQIDAQAB cACertificate;binary:: Replaced with XXX ipaKeyTrust: trusted ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;912997355 75339953335919266965803778155 # letsencryptx3, certificates, ipa, etc, example.net dn: cn=letsencryptx3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 cn: letsencryptx3 objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top ipaCertSubject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7N oYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdx yGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQD IZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSX gvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r 6hCm21AvA2H3DkwIDAQAB cACertificate;binary:: Replaced with XXX ipaKeyTrust: trusted ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;132987958 40390663119752826058995181320 # letsencryptr3-cross, certificates, ipa, etc, example.net dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 cn: letsencryptr3-cross objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top ipaCertSubject: CN=R3,O=Let's Encrypt,C=US ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLsjVW Sw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKpTm71O8Mu243AsFzz WTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnBU840yFLuta7tj95gcOKlVKu2bQ6Xp UA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YG d1ZrPxGPeiXOZT/zqItkel/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbs TzFID9e1RoYvbFQIDAQAB cACertificate;binary:: Replaced with XXX ipaKeyTrust: trusted ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;850781574 26496920958827089468591623647 # search result search: 4 result: 0 Success # numResponses: 6 # numEntries: 5

1 year, 2 months

2
3
0 / 0

FreeIPA SUDO rules fail with hostgroups

by Brian Sanders

I have recently found out that when adding SUDO rules to my IPA server, the host groups are not evaluated correctly. I am using the same host groups in my HBAC and they are working correctly. If I remove the host groups from the SUDO rule, and instead directly put the server in as an individual host, the SUDO rule works correctly. If simply set it to allow "all" hosts, while leaving the rest of the SUDO rule the same, it also works. Running a sudo command with the host groups provides the error: "test1 is not allowed to run sudo on srv1. This incident will be reported." I have turned on some debugging for SSSD and SUDO but it is extremely verbose, and after realizing the same host groups work with HBAC, I am skeptical this is an issue with my configuration. Anyone have some troubleshooting or work arounds? Is there perhaps a known bug I didn't find about this? As much as I hate it, my "right now" work around is to just allow it on all hosts, and rely on my HBAC to determine what groups can log into what hosts. However this isn't a true fix, just a stop gap while I look into this. IPA Client versions: ipa --version VERSION: 4.6.8, API_VERSION: 2.237 IPA Server version: ipa --version VERSION: 4.6.8, API_VERSION: 2.237

1 year, 2 months

5
10
0 / 0

API Browser - which privilege?

by Ronald Wimmer

Which permission would let a user use the API browser in the WebGUI? Or is there already a privilege that is well-suited for and API user? (or even a role?) Cheers, Ronald

1 year, 2 months

3
3
0 / 0

ipa-dnskeysyncd keeps starting and crashing

by Rob Verduijn

Hello, My ipa server on centos 8 seems to have a problem. The ipa-dnskeysyncd keeps trying to start and keeps crashing while doing so. I suspect this is caused by the crashed ipaserver that I now have removed from the domain. I spend quite some time adjusting all the dns entries so they now all point to the new server however the dnskeysyncd keeps trying to run even though there is no server anymore to sync with. Where do I need to check or configure things so that it no longer keeps crashing. Rob apr 20 12:46:11 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: Traceback (most recent call last): apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module> apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 457, in syncrepl_poll apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: self.syncrepl_refreshdone() apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: self.hsm_replica_sync() apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: p.returncode, arg_string, output_log, error_log apr 20 12:46:14 freeipa02.tjako.thuis ipa-dnskeysyncd[13112]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipalib.plugable: DEBUG impor ting all plugin modules in ipaserver.plugins...\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember\nipalib.plugable: DEBUG importin g plugin module ipaserver.plugins.automount\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap\nipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module\nipalib.plugable: DEBUG impo rting plugin module ipaserver.plugins.baseuser\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca\nipalib.plugable: DEBUG importing plugi n module ipaserver.plugins.caacl\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap\nipalib.plugable: DEBUG importing plugin module i paserver.plugins.certprofile\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag\nipalib.plugable: DEBUG importing plugin module ipaserve r.plugins.domainlevel\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac\nipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc\nipalib.plugable: DEBUG importing plugin module ipaserver.plugin s.hbacsvcgroup\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins. hostgroup\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.int ernal\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2\n ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc\nipali b.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp\nipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module\nipalib.pluga ble: DEBUG importing plugin module ipaserver.plugins.otpconfig\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd\nipalib.plugable : DEBUG importing plugin module ipaserver.plugins.permission\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ping\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.pkinit\nipalib.plugable: DEBU G importing plugin module ipaserver.plugins.privilege\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.pwpolicy\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.rabase\nipalib.plugable: DEBUG ipaserver.plugins.rabase is not a valid plugin module\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.radiusproxy\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.realmdomains\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.role\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.schema\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.selfservice\nipalib.plugable: DEBU G importing plugin module ipaserver.plugins.selinuxusermap\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.server\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.serverrole\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.serverroles\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.service\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.servicedelegation\nipalib.p lugable: DEBUG importing plugin module ipaserver.plugins.session\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.stageuser\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudo\nipalib.plugabl e: DEBUG ipaserver.plugins.sudo is not a valid plugin module\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudocmd\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.sudocmdgroup\nipalib.pluga ble: DEBUG importing plugin module ipaserver.plugins.sudorule\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.topology\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.trust\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.user\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.vault\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.virtual\nipalib.plugable: DEBUG i paserver.plugins.virtual is not a valid plugin module\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.whoami\nipalib.plugable: DEBUG importing plugin module ipaserver.plugins.xmlserver\nipa-dnskeysync-replica: DE BUG Kerberos principal: ipa-dnskeysyncd/freeipa02.tjako.thuis\nipalib.install.kinit: DEBUG Initializing principal ipa-dnskeysyncd/freeipa02.tjako.thuis using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab\nipalib.install.kinit: DEB UG using ccache /tmp/ipa-dnskeysync-replica.ccache\nipalib.install.kinit: DEBUG Attempt 1/5: success\nipa-dnskeysync-replica: DEBUG Got TGT\nTraceback (most recent call last):\n File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 177, in <module>\n f.read()\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 104, in __init__\n self.p11 = _ipap11helper.P11_Helper(label, pin, library)\n File "/usr/lib/python3.6/site-packages/i paserver/p11helper.py", line 868, in __init__\n raise Error("No slot for label {} found".format(self.token_label))\nipaserver.p11helper.Error: No slot for label ipaDNSSEC found\nException ignored in: <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7ff5f2bf6c50>>\nTraceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 107, in __del__\n self.p11.finalize()\nAttributeError: \'LocalHSM\' object has no attribute \'p11\'\n')

1 year, 2 months

1
1
0 / 0

FreeIPA and FIPS

by Steve Reed

If I successfully install FreeIPA in FIPS mode, does that mean that all my clients that call on the server need to be in FIPS mode as well? Or can I just have the server in FIPS mode and the clients in whatever mode I want? Thanks in advance. Steve

1 year, 2 months

8
15
0 / 0

Server Installation Error - [error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl

by Scott Reed

I am not new to installing FreeIPA. This one has been a struggle. I came in to help some people on there server installation. Long story short. I found the ipa-dnskeysyncd.service constantly restarting. I went and uninstalled the server, and found that the slapd-<Domain> service broken and I uninstalled it completely manually. Then when I went to install the server again. It is hanging on the creation of the domain server. Here are the results of the installation. Installation Output: The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) * Configure the KDC to enable PKINIT Warning: skipping DNS resolution of host serv.example.domain Checking DNS domain example.domain., please wait ... The IPA Master Server will be configured with: Hostname: serv.example.domain IP address(es): 192.168.1.191 Domain name: example.domain Realm name: EXAMPLE.DOMAIN BIND DNS server will be configured to serve IPA domain with: Forwarders: No forwarders Forward policy: only Reverse zone(s): No reverse zone Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds [1/45]: creating directory server instance [error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned no-zero exit status 1 ipapython.admintool: ERROR failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' retured non-zero exit status 1 ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Install Log File: 2021-03-30T19:11:29Z DEBUG Logging to /var/log/ipaserver-install.log 2021-03-30T19:11:29Z INFO Checking DNS domain example.domain, please wait ... 2021-03-30T19:11:29Z DEBUG ipa-server-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'ignore_topology_disconnect': False, 'verbose': False, 'domain_level': None, 'ip_addresses': None, 'secondary_rid_base': None, 'netbios_name': None, 'mkhomedir': True, 'http_cert_files': None, 'zonemgr': None, 'no_pkinit': False, 'reverse_zones': None, 'no_forwarders': True, 'external_ca_profile': None, 'external_ca_type': None, 'no_ntp': False, 'no_msdcs': False, 'setup_kra': False, 'domain_name': 'example.domain', 'idmax': None, 'setup_adtrust': False, 'http_cert_name': None, 'dirsrv_cert_files': None, 'no_dnssec_validation': False, 'ca_signing_algorithm': None, 'no_reverse': False, 'ssh_trust_dns': False, 'pkinit_cert_files': None, 'ca_cert_files': None, 'subject_base': None, 'auto_reverse': True, 'auto_forwarders': False, 'no_host_dns': False, 'no_sshd': False, 'no_ui_redirect': False, 'ignore_last_of_role': False, 'realm_name': 'EXAMPLE.DOMAIN', 'forwarders': None, 'i dstart': None, 'external_ca': False, 'pkinit_cert_name': None, 'no_ssh': False, 'external_cert_files': None, 'enable_compat': False, 'no_hbac_allow': False, 'forward_policy': None, 'dirsrv_cert_name': None, 'unattended': True, 'rid_base': None, 'quiet': False, 'setup_dns': True, 'ca_subject': None, 'host_name': 'serv.example.domain', 'dirsrv_config_file': None, 'log_file': None, 'allow_zone_overlap': False, 'uninstall': False} 2021-03-30T19:11:29Z DEBUG IPA version 4.6.8-5.el7.centos 2021-03-30T19:11:29Z DEBUG Searching for an interface of IP address: ::1 2021-03-30T19:11:29Z DEBUG Testing local IP address: ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (interface: lo) 2021-03-30T19:11:29Z DEBUG Starting external process 2021-03-30T19:11:29Z DEBUG args=/usr/sbin/selinuxenabled 2021-03-30T19:11:29Z DEBUG Process finished, return code=1 2021-03-30T19:11:29Z DEBUG stdout= 2021-03-30T19:11:29Z DEBUG stderr= 2021-03-30T19:11:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:29Z DEBUG httpd is not configured 2021-03-30T19:11:29Z DEBUG kadmin is not configured 2021-03-30T19:11:29Z DEBUG dirsrv is not configured 2021-03-30T19:11:29Z DEBUG pki-tomcatd is not configured 2021-03-30T19:11:29Z DEBUG install is not configured 2021-03-30T19:11:29Z DEBUG krb5kdc is not configured 2021-03-30T19:11:29Z DEBUG ntpd is not configured 2021-03-30T19:11:29Z DEBUG named is not configured 2021-03-30T19:11:29Z DEBUG filestore is tracking no files 2021-03-30T19:11:29Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' 2021-03-30T19:11:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:29Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:29Z DEBUG Starting external process 2021-03-30T19:11:29Z DEBUG args=/bin/systemctl is-enabled chronyd.service 2021-03-30T19:11:29Z DEBUG Process finished, return code=1 2021-03-30T19:11:29Z DEBUG stdout= 2021-03-30T19:11:29Z DEBUG stderr=Failed to get unit file state for chronyd.service: No such file or directory 2021-03-30T19:11:29Z DEBUG Starting external process 2021-03-30T19:11:29Z DEBUG args=/bin/systemctl is-active chronyd.service 2021-03-30T19:11:29Z DEBUG Process finished, return code=3 2021-03-30T19:11:29Z DEBUG stdout=unknown 2021-03-30T19:11:29Z DEBUG stderr= 2021-03-30T19:11:29Z DEBUG Starting external process 2021-03-30T19:11:29Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS 2021-03-30T19:11:29Z DEBUG Process finished, return code=0 2021-03-30T19:11:29Z DEBUG stdout=VirtualHost configuration: *:8443 serv.example.domain (/etc/httpd/conf.d/nss.conf:81) 2021-03-30T19:11:29Z DEBUG stderr= 2021-03-30T19:11:29Z DEBUG Check if serv.example.domain is a primary hostname for localhost 2021-03-30T19:11:29Z DEBUG Primary hostname for localhost: serv.example.domain 2021-03-30T19:11:29Z DEBUG will use host_name: serv.example.domain 2021-03-30T19:11:29Z DEBUG importing all plugin modules in ipaserver.plugins... 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.aci 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.automember 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.automount 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.baseldap 2021-03-30T19:11:29Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.baseuser 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.batch 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.ca 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.caacl 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.cert 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.certmap 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.certprofile 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.config 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.delegation 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.dns 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.dogtag 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.group 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbac 2021-03-30T19:11:29Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbacsvc 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hbactest 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.host 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.idrange 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.idviews 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.internal 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.join 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.ldap2 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.location 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.migration 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.misc 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.netgroup 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.otp 2021-03-30T19:11:29Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.otptoken 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.passwd 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.permission 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.ping 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.pkinit 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.privilege 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.rabase 2021-03-30T19:11:29Z DEBUG ipaserver.plugins.rabase is not a valid plugin module 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.role 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.schema 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.selfservice 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.server 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.serverrole 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.serverroles 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.service 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.session 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.stageuser 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudo 2021-03-30T19:11:29Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.sudorule 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.topology 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.trust 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.user 2021-03-30T19:11:29Z DEBUG importing plugin module ipaserver.plugins.vault 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.plugins.virtual 2021-03-30T19:11:30Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.plugins.whoami 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2021-03-30T19:11:30Z DEBUG importing all plugin modules in ipaserver.install.plugins... 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.adtrust 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.dns 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_nis 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_referint 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_services 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_unhashed_password 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness 2021-03-30T19:11:30Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt 2021-03-30T19:11:30Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:30Z INFO Checking DNS domain example.domain., please wait ... 2021-03-30T19:11:30Z DEBUG Name serv.example.domain resolved to set([UnsafeIPAddress('192.168.1.191')]) 2021-03-30T19:11:30Z DEBUG Searching for an interface of IP address: 192.168.1.191 2021-03-30T19:11:30Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo) 2021-03-30T19:11:30Z DEBUG Testing local IP address: 192.168.1.191/255.255.255.0 (interface: eth0) 2021-03-30T19:11:30Z DEBUG IP address 192.168.1.191 belongs to a private range, using forward policy only 2021-03-30T19:11:30Z DEBUG will use DNS forwarders: [] 2021-03-30T19:11:30Z INFO Reverse record for IP address 192.168.1.191 already exists 2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/hostname' 2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/hostnamectl set-hostname serv.example.domain 2021-03-30T19:11:30Z DEBUG Process finished, return code=0 2021-03-30T19:11:30Z DEBUG stdout= 2021-03-30T19:11:30Z DEBUG stderr= 2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/hosts' 2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-enabled chronyd.service 2021-03-30T19:11:30Z DEBUG Process finished, return code=1 2021-03-30T19:11:30Z DEBUG stdout= 2021-03-30T19:11:30Z DEBUG stderr=Failed to get unit file state for chronyd.service: No such file or directory 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-active chronyd.service 2021-03-30T19:11:30Z DEBUG Process finished, return code=3 2021-03-30T19:11:30Z DEBUG stdout=unknown 2021-03-30T19:11:30Z DEBUG stderr= 2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:30Z DEBUG Configuring NTP daemon (ntpd) 2021-03-30T19:11:30Z DEBUG [1/4]: stopping ntpd 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-active ntpd.service 2021-03-30T19:11:30Z DEBUG Process finished, return code=3 2021-03-30T19:11:30Z DEBUG stdout=unknown 2021-03-30T19:11:30Z DEBUG stderr= 2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/systemctl stop ntpd.service 2021-03-30T19:11:30Z DEBUG Process finished, return code=0 2021-03-30T19:11:30Z DEBUG stdout= 2021-03-30T19:11:30Z DEBUG stderr= 2021-03-30T19:11:30Z DEBUG Stop of ntpd.service complete 2021-03-30T19:11:30Z DEBUG duration: 0 seconds 2021-03-30T19:11:30Z DEBUG [2/4]: writing configuration 2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/ntp.conf' 2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:30Z DEBUG Backing up system configuration file '/etc/sysconfig/ntpd' 2021-03-30T19:11:30Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:30Z DEBUG duration: 0 seconds 2021-03-30T19:11:30Z DEBUG [3/4]: configuring ntpd to start on boot 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/systemctl is-enabled ntpd.service 2021-03-30T19:11:30Z DEBUG Process finished, return code=1 2021-03-30T19:11:30Z DEBUG stdout=disabled 2021-03-30T19:11:30Z DEBUG stderr= 2021-03-30T19:11:30Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:30Z DEBUG Starting external process 2021-03-30T19:11:30Z DEBUG args=/bin/systemctl enable ntpd.service 2021-03-30T19:11:31Z DEBUG Process finished, return code=0 2021-03-30T19:11:31Z DEBUG stdout= 2021-03-30T19:11:31Z DEBUG stderr=Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service. 2021-03-30T19:11:31Z DEBUG duration: 0 seconds 2021-03-30T19:11:31Z DEBUG [4/4]: starting ntpd 2021-03-30T19:11:31Z DEBUG Starting external process 2021-03-30T19:11:31Z DEBUG args=/bin/systemctl start ntpd.service 2021-03-30T19:11:31Z DEBUG Process finished, return code=0 2021-03-30T19:11:31Z DEBUG stdout= 2021-03-30T19:11:31Z DEBUG stderr= 2021-03-30T19:11:31Z DEBUG Starting external process 2021-03-30T19:11:31Z DEBUG args=/bin/systemctl is-active ntpd.service 2021-03-30T19:11:31Z DEBUG Process finished, return code=0 2021-03-30T19:11:31Z DEBUG stdout=active 2021-03-30T19:11:31Z DEBUG stderr= 2021-03-30T19:11:31Z DEBUG Start of ntpd.service complete 2021-03-30T19:11:31Z DEBUG duration: 0 seconds 2021-03-30T19:11:31Z DEBUG Done configuring NTP daemon (ntpd). 2021-03-30T19:11:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:31Z DEBUG Configuring directory server (dirsrv). Estimated time: 30 seconds 2021-03-30T19:11:31Z DEBUG [1/45]: creating directory server instance 2021-03-30T19:11:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:31Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2021-03-30T19:11:31Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv' 2021-03-30T19:11:31Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2021-03-30T19:11:31Z DEBUG dn: dc=example,dc=domain objectClass: top objectClass: domain objectClass: pilotObject dc: example info: IPA V2.0 2021-03-30T19:11:31Z DEBUG writing inf template 2021-03-30T19:11:31Z DEBUG [General] FullMachineName= serv.example.domain SuiteSpotUserID= dirsrv SuiteSpotGroup= dirsrv ServerRoot= /usr/lib64/dirsrv [slapd] ServerPort= 389 ServerIdentifier= EXAMPLE-DOMAIN Suffix= dc=example,dc=domain RootDN= cn=Directory Manager InstallLdifFile= /var/lib/dirsrv/boot.ldif inst_dir= /var/lib/dirsrv/scripts-EXAMPLE-DOMAIN 2021-03-30T19:11:31Z DEBUG calling setup-ds.pl 2021-03-30T19:11:31Z DEBUG Starting external process 2021-03-30T19:11:31Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop 2021-03-30T19:21:33Z DEBUG Process finished, return code=1 2021-03-30T19:21:33Z DEBUG stdout=Process returned 1280 [21/03/30:19:21:33] - [Setup] Info Could not start the directory server using command '/bin/systemctl start dirsrv(a)EXAMPLE-DOMAIN.service'. The last line from the error log was '[30/Mar/2021:19:11:32.950196247 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec) '. Error: Unknown error 1280 Could not start the directory server using command '/bin/systemctl start dirsrv(a)EXAMPLE-DOMAIN.service'. The last line from the error log was '[30/Mar/2021:19:11:32.950196247 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec) '. Error: Unknown error 1280 [21/03/30:19:21:33] - [Setup] Fatal Error: Could not create directory server instance 'EXAMPLE-DOMAIN'. Error: Could not create directory server instance 'EXAMPLE-DOMAIN'. [21/03/30:19:21:33] - [Setup] Fatal Exiting . . . Log file is '-' Exiting . . . Log file is '-' 2021-03-30T19:21:33Z DEBUG stderr=Process returned 1280 2021-03-30T19:21:33Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 587, in __create_instance raise RuntimeError("failed to create DS instance %s" % e) RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1 2021-03-30T19:21:33Z DEBUG [error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1 2021-03-30T19:21:33Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run return cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 590, in main master_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 783, in install setup_pkinit=not options.no_pkinit) File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 346, in create_instance self.start_creation(runtime=30) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 587, in __create_instance raise RuntimeError("failed to create DS instance %s" % e) 2021-03-30T19:21:33Z DEBUG The ipa-server-install command failed, exception: RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1 2021-03-30T19:21:33Z ERROR failed to create DS instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp_Z6Bop' returned non-zero exit status 1 Uninstall log: [root@serv scripts-EXAMPLE-DOMAIN]# ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding. Are you sure you want to continue with the uninstall procedure? [no]: yes WARNING: Failed to connect to Directory Server to find information about replication agreements. Uninstallation will continue despite the possible existing replication agreements. If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss. Are you sure you want to continue with the uninstall procedure? [no]: yes Shutting down all IPA services Unconfiguring ntpd Configuring certmonger to stop tracking system certificates for KRA Configuring certmonger to stop tracking system certificates for CA Unconfiguring directory server ipaserver.install.dsinstance: ERROR Unable to find server cert nickname in /etc/dirsrv/slapd-EXAMPLE-DOMAIN/dse.ldif Removing IPA client configuration Unconfigured automount client failed: Command '/usr/sbin/ipa-client-automount --uninstall --debug' returned non-zero exit status 1 Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations IPA domain could not be found in /etc/sssd/sssd.conf and therefore not deleted Other domains than IPA domain found, IPA domain was removed from /etc/sssd/sssd.conf. nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Client uninstall complete. The ipa-client-install command was successful Thanks in advance in looking at this.

1 year, 2 months

4
5
0 / 0

update ldap schema with ipa-ldap-updater

by iulian roman

Hello, I would like to extend the ldap schema in order to get rid of tnsnames.ora and use ldap for that. I try to update the schema using ipa-ldap-updater, but so far no success. Can anybody point what would be the correct update file I should create for the schema file bellow (this is only one of the schema files which need to be updated, but the others would be similar) : attributetype ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) objectclass ( 2.16.840.1.113894.3.2.6 NAME 'orclNetServiceAlias' SUP alias STRUCTURAL MUST cn ) Thank You !

1 year, 2 months

2
1
0 / 0

FreeIPA/RedHat IDM server in containers

by iulian roman

Hello, Can anyone confirm if RedHat IDM is supported/recommended to run in containers in a production environment ? I would like to know if there are any drawbacks before I'll put any effort in implementing it. I would like to use it with one replica and trust with Active Directory. Thank You !

1 year, 2 months

2
2
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users April 2021