Debian Docker container FreeIPA Server Installation error
by Guille Colmena
Hello team,
I have been trying to create a Docker container using Debian 10 for the FreeIPA server installation and I am getting the following error almost at the end of the installation after running:
ipa-server-install --no-ntp
The IPA Master Server will be configured with:
Hostname: freeipa.test.com
IP address(es): x.x.x.x
Domain name: test.com
Realm name: TEST.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=TEST.COM
Subject base: O=TEST.COM
Chaining: self-signed
The interesting part is that it almost finishes the installation, but fails at the end with this. I really think it is nothing related to the cert, as I selected a self-signed certificate during the installation of FreeIPA.
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.******.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.*****.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I am not sure if there is any relation with my host file configuration, though it is talking about the certificate in the following message.
Checking the freeipa logs I have got the following log in /var/log/ipaserver-install.log:
File "/usr/lib/python3/dist-packages/ipaserver/install/dogtaginstance.py", line 520, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2021-04-10T17:00:51Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2021-04-10T17:00:51Z ERROR CA configuration failed.
*************
I provide more information: I can see the following services related with this already running:
pki-tomcatd@pki-tomcat.service loaded active running PKI Tomcat Server pki-tomcat
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysusers.service loaded active exited Create System Users
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
-.slice loaded active active Root Slice
system-dirsrv.slice loaded active active system-dirsrv.slice
system-getty.slice loaded active active system-getty.slice
system-modprobe.slice loaded active active system-modprobe.slice
system-pki\x2dtomcatd.slice loaded active active system-pki\x2dtomcatd.slice
system.slice loaded active active System Slice
dbus.socket loaded active running D-Bus System Message Bus Socket
systemd-initctl.socket loaded active listening initctl Compatibility Named Pipe
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
Not sure what the issue is. The /var/log/pki/pki-tomcat doesn't show much. :/
There is not much help with the logs, just trying to confirm if someone has seen something similar.
Thank you for your help,
3 years
Error on ipa-replica-install (replication agreement already exists)
by Ronald Wimmer
I tried to promote an ipa-client to an ipa-replica. That particular host
has previously been a replica but has been removed due to a faulty base
OS configuration. When I do an ldapsearch from the top of the LDAP tree
(dc=linux,dc=mydomain,dc=at) I could not find any entries before
ipa-client-install.
ipa-replica-install fails with "DEBUG The ipa-replica-install command
failed, exception: ScriptError: A replication agreement for this host
already exists. It needs to be removed." Why do I get this error? I
cannot find ANY topology-related entries in LDAP.
Cheers,
Ronald
3 years
Keytab retrieval
by Mark Potter
Is there a way to enable a user to be able to retrieve all host keytabs
without explicitly allowing for each host?
In short we have a very large, stateless environment. We are currently in
the process of converting to RHEL in order to receive support. The size of
our environment makes force joining on boot a nightmare even though it
worked in testing. I have spoken with our RH rep and the advice we received
from the IDM team, via our rep, was to retrieve the host keytab on boot for
registered machines. We are aware of the risks involved but need a solution
that allows 8k plus hosts to boot without completely overloading the
FreeIPA cluster. With the available documentation I cannot find a way to
allow the service account we will be using to retrieve all host keytabs. As
you can imagine, explicitly allowing for each host would be a tedious process
and prone to error.
Thanks in advance for any responses.
--
*Mark Potter*
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
markp(a)dug.com
www.dug.com
3 years
IPA-Resetup
by Ronald Wimmer
Hi,
is there a way to export all IPA configuration and import it on a new
server? For instance to resetup everything from scratch or if purchasing
forces us to switch to a completely different distro.
Cheers,
Ronald
3 years
upgrade to 4.9.3-1 breaks UI: Unknown Error
by Robert Kudyba
After the upgrade to freeipa-server-4.9.3-1.fc33.x86_64
on 5.10.18-200.fc33.x86_64, the web UI will not load and just has the alert
box pop up with Unknown Error: error
Parsing through some logs here are some errors/warnings:
2021-04-09T06:22:57Z DEBUG request body ''
2021-04-09T06:22:57Z DEBUG httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line 262, in
_httplib_request
conn.request(method, path, body=request_body, headers=headers)
File "/usr/lib64/python3.9/http/client.py", line 1255, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1301, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1250, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1010, in _send_output
self.send(msg)
File "/usr/lib64/python3.9/http/client.py", line 950, in send
self.connect()
File "/usr/lib64/python3.9/http/client.py", line 921, in connect
self.sock = self._create_connection(
File "/usr/lib64/python3.9/socket.py", line 843, in create_connection
raise err
File "/usr/lib64/python3.9/socket.py", line 831, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2021-04-09T06:22:57Z DEBUG Failed to check CA status: cannot connect to '
http://ourdomain.edu:8080/ca/admin/ca/getStatus': [Errno 111] Connection
refused
2021-04-09T06:22:57Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
[auth_gssapi:error] [pid 1553901:tid 1554106] [client x.x.x.x:59482] GSS
ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported
mechanism was requested (Unknown error)], referer:
https://ourdomain.edu/ipa/ui/
And running rndc reload is successful but the logs show:
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: NS '
ourdomain.edu' has no address records (A or AAAA)
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: not loaded
due to errors.
Apr 12 13:28:07 ourdomain named[1553865]: 1 master zones from LDAP instance
'ipa' loaded (2 zones defined, 0 inactive, 1 failed to load)
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: NS '
ourdomain.edu' has no address records (A or AAAA)
Apr 12 13:28:07 ourdomain named[1553865]: zone ourdomain.edu/IN: not loaded
due to errors.
Apr 12 13:28:07 ourdomain named[1553865]: update_zone (syncrepl) failed for
master zone DN 'idnsname=ourdomain.edu.,cn=dns,dc=ourdomain,dc=edu'. Zones
can be outdated, run `rndc reload`: bad zone
Apr 12 13:28:07 ourdomain named[1553865]: timed out resolving
'./DNSKEY/IN': 8.8.8.8#53
Apr 12 13:28:07 ourdomain named[1553865]: managed-keys-zone: Key 20326 for
zone . acceptance timer complete: key now trusted
Apr 12 13:28:08 ourdomain named[1553865]: resolver priming query complete
Apr 12 13:28:08 ourdomain named[1553865]: checkhints: unable to get root NS
rrset from cache: not found
Anything new that could've caused this?
3 years
IPA Upgrade error
by Ronald Wimmer
OS upgrades including IPA relevant packages lead to an upgrade error:
IPA version error: data needs to be upgraded (expected version
'4.8.7-16.0.1.module+el8.3.0+20007+a5dde1bf', current version
'4.8.7-12.0.1.module+el8.3.0+7868+2151076c')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status
1: 'Job for pki-tomcatd@pki-tomcat.service failed because a timeout was
exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and
"journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
See the upgrade log for more details and/or run
/usr/sbin/ipa-server-upgrade again.
Of course I can provide the upgrade log (but I cannot disclose it to the
public).
Cheers,
Ronald
3 years
dirsrv schema-compat-plugin error messages after yum upgrade
by John Desantis
Hello!
Today we successfully upgraded our FreeIPA servers from 4.6.4 to 4.6.8
via `yum`.
Other than the upgrade process taking what seemed to be a long time,
it completed without an issue and everything is intact, including the
AD Trust (as stated). We use a naming convention posix-group and
posix-group_external for mapping purposes.
After adding an AD user to an external group, I noticed the following
messages logged in the dirsrv error log:
[08/Apr/2021:13:54:45.582168432 -0400] - ERR - schema-compat-plugin -
group "posix-group@ipa.domain" does not exist because SSSD is offline.
The SSSD logs do show that there was a crash:
(2021-04-08 13:54:35): [be[ipa.domain]] [dp_get_account_info_handler]
(0x0200): Got request for
[0x2][BE_REQ_GROUP][name=posix-group@ipa.domain]
(2021-04-08 13:54:38): [be[ipa.domain]] [dp_get_account_info_handler]
(0x0200): Got request for [0x1][BE_REQ_USER][name=idm-user@ipa.domain]
(2021-04-08 13:54:41): [be[ipa.domain]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(2021-04-08 13:54:41): [be[ipa.domain]] [sdap_id_op_done] (0x0200):
communication error on cached connection, moving to next server
(2021-04-08 13:54:41): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:41): [be[ipa.domain]] [get_port_status] (0x0080):
SSSD is unable to complete the full connection request, this internal
status does not necessarily indicate network port issues.
(2021-04-08 13:54:41): [be[ipa.domain]] [get_port_status] (0x0100):
Resetting the status of port 0 for server 'ipa-master.ipa.domain'
(2021-04-08 13:54:41): [be[ipa.domain]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master.ipa.domain: [IP] TTL
7200
(2021-04-08 13:54:41): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:41): [be[ipa.domain]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master.ipa.domain: [IP] TTL
7200
(2021-04-08 13:54:41): [be[ipa.domain]] [child_sig_handler] (0x0100):
child [16309] finished successfully.
(2021-04-08 13:54:41): [be[ipa.domain]] [sdap_cli_auth_step] (0x0100):
expire timeout is 900
(2021-04-08 13:54:41): [be[ipa.domain]] [sasl_bind_send] (0x0100):
Executing sasl bind mech: GSSAPI, user: host/ipa-master.ipa.domain
(2021-04-08 13:54:47): [be[ipa.domain]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-5)[Timed out]
(2021-04-08 13:54:47): [be[ipa.domain]] [sasl_bind_send] (0x0080):
Extended failure message: [unknown error]
(2021-04-08 13:54:47): [be[ipa.domain]] [sdap_cli_connect_recv]
(0x0040): Unable to establish connection [110]: Connection timed out
(2021-04-08 13:54:47): [be[ipa.domain]] [fo_set_port_status] (0x0100):
Marking port 0 of server 'ipa-master.ipa.domain' as 'not working'
(2021-04-08 13:54:47): [be[ipa.domain]]
[ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request
failed: 110
(2021-04-08 13:54:47): [be[ipa.domain]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(2021-04-08 13:54:47): [be[ipa.domain]] [sdap_get_users_done]
(0x0040): Failed to retrieve users [110][Connection timed out].
(2021-04-08 13:54:47): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:47): [be[ipa.domain]] [get_port_status] (0x0080):
SSSD is unable to complete the full connection request, this internal
status does not necessarily indicate network port issues.
(2021-04-08 13:54:47): [be[ipa.domain]] [fo_resolve_service_send]
(0x0020): No available servers for service 'IPA'
(2021-04-08 13:54:47): [be[ipa.domain]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(2021-04-08 13:54:47): [be[ipa.domain]] [be_run_offline_cb] (0x0080):
Going offline. Running callbacks.
(2021-04-08 13:54:47): [be[ipa.domain]]
[ipa_id_get_account_info_orig_done] (0x0040): sdap_handle_acct request
failed: 11
(2021-04-08 13:54:48): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:48): [be[ipa.domain]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record
of 'ipa-master.ipa.domain' in files
(2021-04-08 13:54:48): [be[ipa.domain]] [set_server_common_status]
(0x0100): Marking server 'ipa-master.ipa.domain' as 'resolving name'
(2021-04-08 13:54:48): [be[ipa.domain]] [set_server_common_status]
(0x0100): Marking server 'ipa-master.ipa.domain' as 'name resolved'
(2021-04-08 13:54:48): [be[ipa.domain]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master.ipa.domain: [IP] TTL
7200
(2021-04-08 13:54:48): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:48): [be[ipa.domain]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master.ipa.domain: [IP] TTL
7200
(2021-04-08 13:54:48): [be[ipa.domain]] [child_sig_handler] (0x0100):
child [16320] finished successfully.
(2021-04-08 13:54:48): [be[ipa.domain]] [sdap_cli_auth_step] (0x0100):
expire timeout is 900
(2021-04-08 13:54:48): [be[ipa.domain]] [sasl_bind_send] (0x0100):
Executing sasl bind mech: GSSAPI, user: host/ipa-master.ipa.domain
(2021-04-08 13:54:48): [be[ipa.domain]] [fo_set_port_status] (0x0100):
Marking port 0 of server 'ipa-master.ipa.domain' as 'working'
(2021-04-08 13:54:48): [be[ipa.domain]] [set_server_common_status]
(0x0100): Marking server 'ipa-master.ipa.domain' as 'working'
(2021-04-08 13:54:48): [be[ipa.domain]] [be_run_online_cb] (0x0080):
Going online. Running callbacks.
(2021-04-08 13:54:48): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:48): [be[ipa.domain]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master.ipa.domain: [IP] TTL
7200
(2021-04-08 13:54:48): [be[ipa.domain]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 13:54:48): [be[ipa.domain]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master.ipa.domain: [IP] TTL
7200
(2021-04-08 13:54:48): [be[ipa.domain]] [child_sig_handler] (0x0100):
child [16321] finished successfully.
(2021-04-08 13:54:48): [be[ipa.domain]] [sdap_cli_auth_step] (0x0100):
expire timeout is 900
(2021-04-08 13:54:56): [be[ipa.domain]] [resolve_srv_send] (0x0200):
The status of SRV lookup is resolved
(2021-04-08 13:54:56): [be[ipa.domain]] [child_sig_handler] (0x0100):
child [16334] finished successfully.
(2021-04-08 13:54:56): [be[ipa.domain]] [sdap_cli_auth_step] (0x0100):
expire timeout is 900
The messages appear to be harmless in the sense that the AD user is
associated with their groups correctly and is able to access group
protected resources without an issue.
Searching for the same dirsrv error message via Google and the mailing
list only produces the following URLs, and I didn't experience any
crashes during the upgrade process. Other than it taking about ~25
minutes per server (maybe due to SSSD running during the upgrade?),
everything restarted as expected:
https://bugzilla.redhat.com/show_bug.cgi?id=1346735
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
The nsslapd-pluginEnabled has been enabled this entire time.
Looking a little deeper now, I did rename a group post upgrade and
there was a similar set of logs:
[08/Apr/2021:12:03:18.692100370 -0400] - ERR - schema-compat-plugin -
group "pi_posix-group-originalname@ipa.domain" does not exist because
SSSD is offline.
[08/Apr/2021:12:03:36.825433630 -0400] - ERR - schema-compat-plugin -
group "pi_posix-group-newname@ipa.domain" does not exist because SSSD
is offline.
And the correlated SSSD logs:
(2021-04-08 12:03:08): [be[rc.usf.edu]] [dp_get_account_info_handler]
(0x0200): Got request for
[0x2][BE_REQ_GROUP][name=pi_posix-group-originalname@ipadomain]
(2021-04-08 12:03:09): [be[rc.usf.edu]] [dp_get_account_info_handler]
(0x0200): Got request for [0x1][BE_REQ_USER][name=idm-user]
(2021-04-08 12:03:14): [be[rc.usf.edu]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(2021-04-08 12:03:14): [be[rc.usf.edu]] [sdap_id_op_done] (0x0200):
communication error on cached connection, moving to next server
(2021-04-08 12:03:14): [be[rc.usf.edu]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 12:03:14): [be[rc.usf.edu]] [get_port_status] (0x0080):
SSSD is unable to complete the full connection request, this internal
status does not necessarily indicate network port issues.
(2021-04-08 12:03:14): [be[rc.usf.edu]] [get_port_status] (0x0100):
Resetting the status of port 0 for server 'ipa-master'
(2021-04-08 12:03:14): [be[rc.usf.edu]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master: [IP] TTL 7200
(2021-04-08 12:03:14): [be[rc.usf.edu]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 12:03:14): [be[rc.usf.edu]] [be_resolve_server_process]
(0x0200): Found address for server ipa-master: [IP] TTL 7200
(2021-04-08 12:03:15): [be[rc.usf.edu]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(2021-04-08 12:03:15): [be[rc.usf.edu]] [sdap_get_users_done]
(0x0040): Failed to retrieve users [110][Connection timed out].
(2021-04-08 12:03:18): [be[rc.usf.edu]] [dp_get_account_info_handler]
(0x0200): Got request for [0x1][BE_REQ_USER][name=user@ad-domain]
(2021-04-08 12:03:18): [be[rc.usf.edu]] [child_sig_handler] (0x0100):
child [5193] finished successfully.
(2021-04-08 12:03:18): [be[rc.usf.edu]] [sdap_cli_auth_step] (0x0100):
expire timeout is 900
(2021-04-08 12:03:18): [be[rc.usf.edu]] [sasl_bind_send] (0x0100):
Executing sasl bind mech: GSSAPI, user: host/ipa-master
(2021-04-08 12:03:19): [be[rc.usf.edu]] [fo_set_port_status] (0x0100):
Marking port 0 of server 'ipa-master' as 'working'
(2021-04-08 12:03:19): [be[rc.usf.edu]] [set_server_common_status]
(0x0100): Marking server 'ipa-master' as 'working'
(2021-04-08 12:03:30): [be[rc.usf.edu]] [dp_get_account_info_handler]
(0x0200): Got request for
[0x2][BE_REQ_GROUP][name=pi_posix-group-newname@ipadomain]
(2021-04-08 12:03:36): [be[rc.usf.edu]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(2021-04-08 12:03:36): [be[rc.usf.edu]] [sdap_id_op_done] (0x0200):
communication error on cached connection, moving to next server
(2021-04-08 12:03:36): [be[rc.usf.edu]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(2021-04-08 12:03:36): [be[rc.usf.edu]] [get_port_status] (0x0080):
SSSD is unable to complete the full connection request, this internal
status does not necessarily indicate network port issues.
(2021-04-08 12:03:36): [be[rc.usf.edu]] [fo_resolve_service_send]
(0x0020): No available servers for service 'IPA'
(2021-04-08 12:03:36): [be[rc.usf.edu]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
Has anyone else run into this issue? Can the messages be ignored? Are
there any steps to take to resolve the issue?
Thank you,
John DeSantis
3 years
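The timestamp correlation John describes above, between the dirsrv schema-compat-plugin errors and SSSD backend failures, can be automated. This is an added example, not part of the original post and not FreeIPA or SSSD code. It assumes both logs use the same local time on the same host; the function names are hypothetical, the sample records are modeled on the post (mail-wrapped as shown there), and the 14:10:00 record is constructed.

```python
import re
from datetime import datetime

# SSSD backend record: (timestamp): [be[domain]] [function] (level): message
SSSD_RE = re.compile(
    r"^\((\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\): \[be\[[^\]]+\]\] "
    r"\[(\w+)\] \(0x[0-9a-f]{4}\): (.*)$")
# 389-ds error-log record written by the schema-compat plugin
DIRSRV_RE = re.compile(
    r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)\.\d+ [+-]\d{4}\] - ERR - "
    r"schema-compat-plugin - (.*)$")
# Message fragments that mark a failing LDAP connection (taken from the post)
FAILURE_TEXT = ("Connection timed out", "[Timed out]", "going offline")


def unwrap(text, is_start):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if is_start(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def degraded_windows(sssd_text):
    """Return [(start, end)] spans from the first failure to the next recovery.

    end is None when the log stops while the backend is still failing.
    """
    windows, start = [], None
    for rec in unwrap(sssd_text, lambda l: re.match(r"\(\d{4}-\d\d-\d\d ", l)):
        m = SSSD_RE.match(rec)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        func, msg = m.group(2), m.group(3)
        failed = func == "be_run_offline_cb" or any(t in msg for t in FAILURE_TEXT)
        recovered = func == "be_run_online_cb" or msg.endswith("as 'working'")
        if start is None and failed:
            start = ts
        elif start is not None and recovered:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def correlate(dirsrv_text, sssd_text):
    """Pair each schema-compat error with the SSSD window containing it."""
    windows = degraded_windows(sssd_text)
    out = []
    for rec in unwrap(dirsrv_text, lambda l: re.match(r"\[\d\d/", l)):
        m = DIRSRV_RE.match(rec)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
        hit = next((w for w in windows
                    if w[0] <= ts and (w[1] is None or ts <= w[1])), None)
        out.append((ts, m.group(2), hit))
    return out


# Sample input modeled on the post; wrapping kept as it appears in the e-mail.
SSSD_SAMPLE = """
(2021-04-08 13:54:35): [be[ipa.domain]] [dp_get_account_info_handler]
(0x0200): Got request for
[0x2][BE_REQ_GROUP][name=posix-group@ipa.domain]
(2021-04-08 13:54:41): [be[ipa.domain]] [generic_ext_search_handler]
(0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(2021-04-08 13:54:47): [be[ipa.domain]] [be_run_offline_cb] (0x0080):
Going offline. Running callbacks.
(2021-04-08 13:54:48): [be[ipa.domain]] [fo_set_port_status] (0x0100):
Marking port 0 of server 'ipa-master.ipa.domain' as 'working'
(2021-04-08 13:54:48): [be[ipa.domain]] [be_run_online_cb] (0x0080):
Going online. Running callbacks.
"""
# The second record (14:10:00) is constructed to show an uncorrelated error.
DIRSRV_SAMPLE = """
[08/Apr/2021:13:54:45.582168432 -0400] - ERR - schema-compat-plugin -
group "posix-group@ipa.domain" does not exist because SSSD is offline.
[08/Apr/2021:14:10:00.000000000 -0400] - ERR - schema-compat-plugin -
group "posix-group@ipa.domain" does not exist because SSSD is offline.
"""

if __name__ == "__main__":
    for ts, msg, window in correlate(DIRSRV_SAMPLE, SSSD_SAMPLE):
        state = "inside SSSD failure window" if window else "no SSSD failure nearby"
        print(ts.isoformat(), state, "|", msg)
```

An error that falls outside every window is the one worth a closer look, since it cannot be explained by a transient backend timeout.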
IPA Server does not start after Update
by Dirk Streubel
Hello,
here on Fedora 34 I made an update last night. After rebooting the
system the IPA service does not start:
[root@ipa2 ~]# systemctl status ipa
× ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled;
vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2021-04-09 09:17:14
CEST; 5s ago
Process: 1092 ExecStart=/usr/sbin/ipactl start (code=exited,
status=1/FAILURE)
Main PID: 1092 (code=exited, status=1/FAILURE)
CPU: 1.444s
Apr 09 09:17:06 ipa2.linux.schnell.er ipactl[1092]: Assuming stale,
cleaning and proceeding
Apr 09 09:17:07 ipa2.linux.schnell.er ipactl[1092]: Failed to read data
from service file: Failed to get list of services to probe status!
Apr 09 09:17:07 ipa2.linux.schnell.er ipactl[1092]: Configured hostname
'ipa2.linux.schnell.er' does not match any master server in LDAP:
Apr 09 09:17:07 ipa2.linux.schnell.er ipactl[1092]: No master found
because of error: no such entry
Apr 09 09:17:07 ipa2.linux.schnell.er ipactl[1092]: Shutting down
Apr 09 09:17:14 ipa2.linux.schnell.er ipactl[1092]: Starting Directory
Service
Apr 09 09:17:14 ipa2.linux.schnell.er systemd[1]: ipa.service: Main
process exited, code=exited, status=1/FAILURE
Apr 09 09:17:14 ipa2.linux.schnell.er systemd[1]: ipa.service: Failed
with result 'exit-code'.
Apr 09 09:17:14 ipa2.linux.schnell.er systemd[1]: Failed to start
Identity, Policy, Audit.
Apr 09 09:17:14 ipa2.linux.schnell.er systemd[1]: ipa.service: Consumed
1.444s CPU time.
[root@ipa2 ~]# ipactl stop
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@ipa2 ~]# ipactl start
Starting Directory Service
Failed to read data from service file: Failed to get list of services to
probe status!
Configured hostname 'ipa2.linux.schnell.er' does not match any master
server in LDAP:
No master found because of error: no such entry
Shutting down
After downgrading 389-ds-base-libs and 389-ds-base from 2.0.4-1.fc34 to
2.0.3-3.fc34 everything is working fine.
Is this a bug, or what is the problem with the new package?
See you
Dirk
3 years
using SSH with password authentication when NIS is still running with FreeIPA
by Robert Kudyba
We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying
to determine why ssh -k from any client is hanging and not even connecting.
Does sssd need to be configured as in this 2013 training document?
https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
The goal is to eliminate NIS so perhaps the issue is running both
concurrently? The good news is, thanks to tips here last week, all the NIS
users migrated along with their passwords. And kinit on the Free IPA server
even prompts to change their password.
sssd is running:
sssd_be[2329]: GSSAPI client step 1
sssd_be[2329]: GSSAPI client step 2
/etc/krb.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ourserver.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
ourserver.EDU = {
kdc = ourserver.edu:88
master_kdc = ourserver.edu:88
admin_server = ourserver.edu:749
default_domain = ourserver.edu
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ourserver.edu = ourserver.EDU
ourserver.edu = ourserver.EDU
ourserver.edu = ourserver.EDU
[dbmodules]
ourserver.EDU = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
HBAC is wide open:
ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: TRUE
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system
user session
Enabled: TRUE
Here are some debug ssh server logs:
Feb 8 16:23:27 ourserver sshd[381563]: debug1: Forked child 510395.
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Set
/proc/self/oom_score_adj to 0
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rexec start in 5 out 5
newsock 5 pipe 10 sock 11
Feb 8 16:23:27 ourserver sshd[510395]: debug1: inetd sockets after
dupping: 4, 4
Feb 8 16:23:27 ourserver sshd[510395]: Connection from 150.108.68.26 port
45806 on 150.108.64.156 port 22 rdomain ""
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Local version string
SSH-2.0-OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Remote protocol version
2.0, remote software version OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: match: OpenSSH_8.4 pat
OpenSSH* compat 0x04000000
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SELinux support disabled
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: permanently_set_uid: 74/74
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT sent
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT received
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: algorithm:
curve25519-sha256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: host key algorithm:
ecdsa-sha2-nistp256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: client->server cipher:
aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: server->client cipher:
aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey out after 4294967296
blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS sent
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Sending SSH2_MSG_EXT_INFO
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_NEWKEYS
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS received
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey in after 4294967296
blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: KEX done [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user
ouruser service ssh-connection method none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 0 failures 0
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: initializing for
"ouruser"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_RHOST to
"xx.xx.xx.xx"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_TTY to
"ssh"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user
ouruser service ssh-connection method publickey [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 1 failures 0
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth_pubkey: test pkalg
rsa-sha2-256 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
[preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: temporarily_use_uid:
5879/200 (e=0/0)
Feb 8 16:23:27 ourserver sshd[510395]: debug1: trying public key file
/home/ouruser/.ssh/authorized_keys
and ssh -k from a Fedora client, note the user I'm logged in as is NOT the
same user I'm trying to log in to:
ssh -vv -k ouruser@ourserver
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match not found
debug1: Reading configuration data
/etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match found
debug1: Reading configuration data
/etc/crypto-policies/back-ends/openssh.config
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/ouruser/.ssh/sockets/ouruser@ourserver-22"
does not exist
debug2: resolving "ourserver" port 22
debug2: ssh_connect_direct
debug1: Connecting to ourserver [150.108.64.156] port 22.
debug1: Connection established.
debug1: identity file /home/ouruser/.ssh/id_rsa type 0
debug1: identity file /home/ouruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_dsa type -1
debug1: identity file /home/ouruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519 type 3
debug1: identity file /home/ouruser/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_xmss type -1
debug1: identity file /home/ouruser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ourserver:22 as 'ouruser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'ourserver' is known and matches the ECDSA host key.
debug1: Found key in /home/ouruser/.ssh/known_hosts:46
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug1: Will attempt key: /home/ouruser/.ssh/id_dsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519 ED25519 SHA256:OoedE0VhmLFtl9nifW57Mca+GHDD0xKkJ2BCLGlV9xc
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
What am I missing? I appreciate the help last week!
Rob
3 years
Re: Crash in ipadb_get_principal
by Florence Blanc-Renaud
On 4/5/21 8:21 AM, Sushmita Bhattacharya via FreeIPA-users wrote:
> Hi,
>
> I am facing an issue with an ipa-kdb crash in the ipadb_get_principal
> function, in ipa version 4.6.8. Backtrace below:
>
Hi,
it looks similar to issue #8681 krb5kdc dumped core [1]
The issue got fixed in ipa-4-6, ipa-4-8, ipa-4-9 and master branches.
Which OS are you using? There won't be any new version on Fedora with
the ipa-4-6 branch + the fix, but RHEL 7.9 z-stream is still supported.
flo
[1] https://pagure.io/freeipa/issue/8681
> (gdb) bt
> #0 0x00007fec38d8d387 in raise () from /lib64/libc.so.6
> #1 0x00007fec38d8ea78 in abort () from /lib64/libc.so.6
> #2 0x00007fec38d861a6 in __assert_fail_base () from /lib64/libc.so.6
> #3 0x00007fec38d86252 in __assert_fail () from /lib64/libc.so.6
> #4 0x00007fec3046d353 in ldap_get_values_len () from /lib64/libldap_r-2.4.so.2
> #5 0x00007fec3201422e in ipadb_ldap_attr_to_int () from /usr/lib64/krb5/plugins/kdb/ipadb.so
> #6 0x00007fec320173cb in ipadb_parse_ldap_entry () from /usr/lib64/krb5/plugins/kdb/ipadb.so
> #7 0x00007fec3201832b in ipadb_get_principal () from /usr/lib64/krb5/plugins/kdb/ipadb.so
> #8 0x00007fec3a918bb7 in krb5_db_get_principal () from /lib64/libkdb5.so.8
> #9 0x000056443d95fff2 in kdc_get_server_key ()
> #10 0x000056443d9603ce in kdc_process_tgs_req ()
> #11 0x000056443d95ac97 in process_tgs_req ()
> #12 0x000056443d958df3 in dispatch ()
> #13 0x000056443d96c950 in process_tcp_connection_read ()
> #14 0x00007fec39127b48 in verto_fire () from /lib64/libverto.so.1
> #15 0x00007fec31242b13 in tevent_common_invoke_fd_handler () from /lib64/libtevent.so.0
> #16 0x00007fec31249087 in epoll_event_loop_once () from /lib64/libtevent.so.0
> #17 0x00007fec31247057 in std_event_loop_once () from /lib64/libtevent.so.0
> #18 0x00007fec3124225d in _tevent_loop_once () from /lib64/libtevent.so.0
> #19 0x00007fec3912731f in verto_run () from /lib64/libverto.so.1
> #20 0x000056443d957af6 in main ()
> (gdb) q
>
> We observed this crash with kerberos version 1.15.1.
>
> The issue is that the ldap handle passed from function
> ipadb_parse_ldap_entry and eventually to openldap, is an invalid LDAP
> handle(though not NULL). Hence there is an assert failure in function
> ldap_get_values_len.
>
> (gdb) f 4
> #4 0x00007fec3046d353 in ldap_get_values_len (ld=ld@entry=0x56443f44b850, entry=entry@entry=0x56443f5c4fe0, target=target@entry=0x7fec3202192b "krbTicketFlags") at getvalues.c:98
> 98 assert( LDAP_VALID( ld ) );
> (gdb) p ld->ldc->ldc_options.ldo_valid
> $1 = -17435
> (gdb) p/x ld->ldc->ldc_options.ldo_valid
> $2 = 0xbbe5
> (gdb) f 5
> #5 0x00007fec3201422e in ipadb_ldap_attr_to_int (lcontext=lcontext@entry=0x56443f44b850, le=le@entry=0x56443f5c4fe0, attrname=attrname@entry=0x7fec3202192b "krbTicketFlags", result=result@entry=0x7ffcdd2accc4) at ipa_kdb_common.c:383
> 383 vals = ldap_get_values_len(lcontext, le, attrname);
> (gdb) f 7
> #7 0x00007fec3201832b in ipadb_get_principal (kcontext=0x56443f47b920, search_for=<optimized out>, flags=8192, entry=0x7ffcdd2acec8) at ipa_kdb_principals.c:1311
> 1311 kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
> (gdb)
>
> Any ideas on this issue? Is there a specific fix available? It looks
> like someone reported a similar crash here:
> https://pagure.io/freeipa/issue/5633, but there was no fix documented,
> and it got closed as there was insufficient info. Any help will be much
> appreciated.
>
> Thanks,
>
> Sushmita
3 years
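The crash report in the message above notes that the handle reaching `ldap_get_values_len` is invalid "though not NULL". As an added illustration (not code from FreeIPA, OpenLDAP or either poster), this simplified C model shows why a NULL check cannot catch a stale handle while a validity marker can; the struct, the marker values and every function name are assumptions of the model, and -17435 in the note below is the `ldo_valid` value printed in the gdb session.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a session handle that carries a validity marker.
 * Marker values and all names here are assumptions of this model. */
#define SESSION_VALID   0x0002
#define SESSION_TRASHED 0x00FF

typedef struct { int16_t valid; int ticket_flags; } session_t;
typedef enum { H_NULL, H_VALID, H_TRASHED, H_GARBAGE } handle_state_t;

/* One static slot stands in for heap memory, so reuse of a released
 * handle can be simulated without undefined behaviour. */
static session_t slot;

static session_t *session_open(int flags) {
    slot.valid = SESSION_VALID;
    slot.ticket_flags = flags;
    return &slot;
}

static void session_close(session_t *s) { if (s) s->valid = SESSION_TRASHED; }

/* Simulate the same bytes being handed to an unrelated object. */
static void simulate_reuse(int16_t pattern) {
    memset(&slot, 0, sizeof slot);
    slot.valid = pattern;
}

static handle_state_t classify(const session_t *s) {
    if (s == NULL) return H_NULL;
    if (s->valid == SESSION_VALID) return H_VALID;
    if (s->valid == SESSION_TRASHED) return H_TRASHED;
    return H_GARBAGE;
}

/* Caller-side guard: report an error rather than pass a stale handle on. */
static int attr_to_int(const session_t *s, int *out) {
    if (classify(s) != H_VALID) return -1;
    *out = s->ticket_flags;
    return 0;
}

/* A cached pointer outlives the session it pointed to. */
static handle_state_t stale_handle_demo(int16_t pattern) {
    session_t *cached = session_open(8192);
    session_close(cached);
    simulate_reuse(pattern);
    return cached != NULL ? classify(cached) : H_NULL;
}
```

Calling `stale_handle_demo(-17435)` returns `H_GARBAGE`: the cached pointer is still non-NULL, but the marker matches neither state the model defines, so the guard in `attr_to_int` returns an error instead of letting the process reach an assertion.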