I support a product that natively supports ingesting computers from Active Directory via an LDAP query.
We are able to ingest users from FreeIPA (actually Red Hat IdM) without a problem, but hosts cannot be ingested because the objectClass and attributes are different from what is used by Active Directory.
Is there a simple solution in FreeIPA to have the host objects simulate an AD 'computer' object?
Hi FreeIPA list,
We are having an issue with our IPA environment of 4 replicated FreeIPA systems serving Linux compute clients which join from a command in rc.local after boot. This worked in the past, but the system has been rebuilt since and the join command changed slightly. Unfortunately booting a few dozen nodes at a time, though they each talk to a different IPA system by design, leads to problems such as these: though 40-100 nodes can boot OK at a time, there are always many stragglers, and the more we attempt to boot at once the more fail to join IPA (if we try to boot 500 nodes, we are lucky if we get a fifth of that joining IPA). Can you please advise on this output?
Here is our join command in compute node rc.local:
ipa-client-install -U -q -p mach_join \
> -w <redacted> \
> --force-join \
> --no-dns-sshfp \
And here is some log output of the 500 error:
ProtocolError: <ProtocolError for redacted.redacted.com/ipa/json: 500 Internal Server Error>
Cannot connect to the server due to generic error: cannot connect to 'https://redacted.redacted.com/ipa/json': Internal Server Error
As well as:
2021-06-02T21:39:11Z DEBUG Starting external process
2021-06-02T21:39:11Z DEBUG args=/usr/sbin/ipa-join -s redacted.redacted.com -b dc=redacted,dc=com -h redactednode.redacted.com
2021-06-02T21:40:13Z DEBUG Process finished, return code=17
2021-06-02T21:40:13Z DEBUG stdout=
2021-06-02T21:40:13Z DEBUG stderr=HTTP response code is 500, not 200
2021-06-02T21:40:13Z ERROR Joining realm failed: HTTP response code is 500, not 200
And we also see timeouts happen:
2021-06-02T22:08:50Z DEBUG args=/usr/sbin/ipa-join -s redacted.redacted.com -b dc=redacted,dc=com -h redactednode.redacted.com -f
2021-06-02T22:09:01Z DEBUG Process finished, return code=17
2021-06-02T22:09:01Z DEBUG stdout=
2021-06-02T22:09:01Z DEBUG stderr=RPC failed at server. Configured time limit exceeded
2021-06-02T22:09:01Z ERROR Joining realm failed: RPC failed at server. Configured time limit exceeded
And we also see later timeouts near the end of the log in some cases; though they are able to authenticate and it didn't back out the install, they never got going healthy either:
2021-06-03T19:20:13Z DEBUG The ipa-client-install command failed, exception: TimeLimitExceeded: Configured time limit exceeded
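As an added example (not from the original post or from FreeIPA itself), a small Python triage script that parses ipa-client-install debug lines of the shape quoted above and, for each ipa-join run, records which replica it talked to, the client host, the exit code, how long the call took and which of the two error kinds it hit. The log sample, hostnames and function names are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the ipa-client-install debug log above; hostnames are made up.
SAMPLE_LOG = """\
2021-06-02T21:39:11Z DEBUG args=/usr/sbin/ipa-join -s ipa1.example.test -b dc=example,dc=test -h node01.example.test
2021-06-02T21:40:13Z DEBUG Process finished, return code=17
2021-06-02T21:40:13Z DEBUG stderr=HTTP response code is 500, not 200
2021-06-02T22:08:50Z DEBUG args=/usr/sbin/ipa-join -s ipa2.example.test -b dc=example,dc=test -h node02.example.test -f
2021-06-02T22:09:01Z DEBUG Process finished, return code=17
2021-06-02T22:09:01Z DEBUG stderr=RPC failed at server. Configured time limit exceeded
2021-06-02T22:10:00Z DEBUG args=/usr/sbin/ipa-join -s ipa1.example.test -b dc=example,dc=test -h node03.example.test
2021-06-02T22:10:03Z DEBUG Process finished, return code=0
2021-06-02T22:10:03Z DEBUG stderr=
"""

LINE_RE = re.compile(r"^(\S+)Z (?:DEBUG|ERROR|INFO|WARNING) (.*)$")
ARGS_RE = re.compile(r"^args=/usr/sbin/ipa-join .*?-s (\S+) .*?-h (\S+)")
RC_RE = re.compile(r"^Process finished, return code=(\d+)$")


def classify(stderr):
    """Coarse failure class from ipa-join's stderr, matching the two errors seen in the log."""
    if "HTTP response code is 500" in stderr:
        return "server_500"      # the replica's /ipa/json endpoint answered with an error
    if "time limit exceeded" in stderr.lower():
        return "time_limit"      # the server-side RPC ran into its configured time limit
    return "other" if stderr.strip() else "ok"


def parse_join_attempts(log_text):
    """One record per ipa-join invocation: target replica, client host, rc, class, seconds."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(2)
        a = ARGS_RE.match(msg)
        if a:   # a new ipa-join run starts; the following lines belong to it
            cur = {"server": a.group(1), "host": a.group(2), "started": ts,
                   "rc": None, "seconds": None, "result": "unknown"}
            attempts.append(cur)
        elif cur and (r := RC_RE.match(msg)):
            cur["rc"] = int(r.group(1))
            cur["seconds"] = int((ts - cur["started"]).total_seconds())
        elif cur and msg.startswith("stderr="):
            cur["result"] = classify(msg[len("stderr="):])
    return attempts


def failures_by_server(attempts):
    """Non-zero ipa-join exits per replica; a skewed count points at one unhealthy server."""
    return dict(Counter(a["server"] for a in attempts if a["rc"]))
```

Running it over the logs collected from all nodes of one boot wave shows whether the 500s and time limits cluster on one of the four replicas or are spread across all of them.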
On some servers I can see that ipactl status hangs from time to time. I can see SSSD reporting the backend to be offline and dirsrv not running for some reason. ipactl -d status reveals that it hangs when issuing systemctl is-active dirsrv. Instead of hanging I would expect ipactl status to report a problem (= dirsrv not running).
I have an IPA setup with AD trust configured and Trust View defined on the IPA server. Everything works properly on Ubuntu 18 clients with sssd 1.16.1 but it doesn't on Ubuntu 20 with sssd version 2.2.3. I can list/query the AD accounts which are not part of the default Trust View, but not those accounts which have the id overridden in the Trust View.
Is that a known issue, or any idea what I need to change / where to look?
We have some replication messages in our slapd errors log which look very like the ones discussed here:
I took a look and we do have the MemberOf plugin, but our version of 389-ds
Hoping someone might have a suggestion for what we might do to get rid of these log messages, or what the root cause may be/impact? They've been going since at least a couple of weeks ago:
[15/Jun/2021:18:57:26.362094959 -0500] - WARN - NSMMReplicationPlugin - repl5_inc_update_from_op_result - (redactedauth0003:389): Consumer failed to replay change (uniqueid d5896001-39a111eb-8868efc8-91dc0b98, CSN 60c93bc2000400250000): Operations error (1). Will retry later.
I looked for this same uniqueid (they are ALL the same uniqueID) and found this which is interesting and references a specific cn and
> [03/Jun/2021:15:45:43.332068775 -0500] - ERR - NSMMReplicationPlugin - write_changelog_and_ruv - Can't add a change for cn=admin,cn=groups,cn=accounts,dc=redacted,dc=com (uniqid: d5896001-39a111eb-8868efc8-91dc0b98, optype: 8) to changelog csn 60b93f93005200230000
I need some suggestions for a certificate related problem.
The setup has 2 servers, let's call them ldap1 and ldap2 with ldap1 being the primary system with the CA.
The certificates were to expire on June 15.
I checked on June 1st and on ldap1 certmonger had renewed all certificates; on ldap2 certmonger was not running.
So, I restarted the certmonger service and it began its work. `getcert list` shows three certificates (it's IPA 4.4, so that's probably correct).
Quite soon, the first certificate was renewed (HTTP/ldap2, ...) I assume that's the one for the web UI. A second one (ldap/ldap2...) is still valid until december. I assume that's why all the ldap related stuff and replication is still working.
But the cn=IPA RA expired one week ago (May 24th).
I have no ipa-cert-fix; would setting back the system clock still work? The HTTP/ldap2 certificate was not yet valid when the IPA RA certificate expired.
Or put the other way round: what happens if I don't renew this certificate? That's not quite clear to me. Currently, the system is working fine, replication works and in 2022 the hardware will be replaced, so we will set up new replicas anyway. But that's after the expiration date of the ldap/ldap2 certificate.
I hope this is understandable and thanks in advance for any hint.
Might the 'edition' (server, desktop, iot, whatnot) of the distribution used in testing freeipa-server* be explicitly stated in the 'getting started' docs as being 'approved' for freeipa-server use? The better to avoid interactions with un-interaction-tested packages / security libraries generally seen only in user/special-purpose distros. (re: dnssec / bind9 / smart-card interaction)
Quite some time ago I added a trust to another AD domain. IIRC I added an "external trust" for a reason I do not remember.
What is the "Non-transitive external trust to a domain in another Active Directory forest" trust type for? Could I not just have added another "Active Directory domain" trust?
Any clarification on this matter would be highly appreciated!