DNS Locations and external DNS
by Ronald Wimmer
Is it sufficient to create DNS locations in IPA and do an ipa dns-update-system-records --dry-run in order to populate new DNS zone information to the external DNS system?
Apart from adding IPA clients to their respective locations, there is nothing to do regarding DNS locations on IPA clients, right?
Cheers,
Ronald
2 years, 3 months
Can't login via AD user
by Konstantin Ignatev
Good day.
IPA - 4.9.4.
OS - Fedora 34.
I have established a trust relationship with the AD domain.
The list of domains is easily obtained by the command ipa trust-fetch-domains "example.com"
I can get a ticket using kinit username@example.com in CLI.
I can not log into the server using the AD account from UI.
With exactly the same installation but on CentOS 7 + IPA 4.6.8 there are no similar problems.
In /var/log/httpd/error_log
[Sun Jun 13 15:51:14.045718 2021] [wsgi:error] [pid 2312:tid 2815] [remote 172.17.51.252:8946] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844988): KDC returned error string: PROCESS_TGS
In /var/log/krb5kdc.log
Jun 13 15:51:13 freeipa-master.ipa.example.com krb5kdc[2256](info): AS_REQ (3 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23)}) 172.17.252.121: REFERRAL: aduser\@example.com@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Realm not local to KDC
/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
[realms]
IPA.EXAMPLE.COM = {
kdc = freeipa-master.ipa.example.com:88
master_kdc = freeipa-master.ipa.example.com:88
admin_server = freeipa-master.ipa.example.com:749
default_domain = ipa.example.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
auth_to_local = DEFAULT
}
[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
freeipa-master.ipa.example.com = IPA.EXAMPLE.COM
[dbmodules]
IPA.EXAMPLE.COM = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
/etc/sssd/sssd.conf
[domain/ipa.example.com]
krb5_use_kdcinfo = False
krb5_use_fast = never
id_provider = ipa
ipa_server_mode = True
ipa_server = freeipa-master.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = freeipa-master.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo
domains = ipa.example.com
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
I would be grateful for any help
2 years, 3 months
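Added here as a worked example (not part of the post, and not FreeIPA or MIT krb5 code): how the two auth_to_local entries in the IPA.EXAMPLE.COM realm block above map principals to local names, including the escaped enterprise-style name from the krb5kdc.log line. It assumes Python's re module as a stand-in for the POSIX regular expressions MIT krb5 uses, and handles only the RULE and DEFAULT forms that appear in the configuration.

```python
import re
from typing import List, Optional, Tuple

# Assumption: default_realm from the [libdefaults] section of the post.
DEFAULT_REALM = "IPA.EXAMPLE.COM"

# The two auth_to_local entries of the IPA.EXAMPLE.COM realm block, in order.
IPA_RULES = [
    "RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/",
    "DEFAULT",
]


def parse_principal(text: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm). A backslash
    escapes the next character, so aduser\\@example.com@IPA.EXAMPLE.COM
    from the KDC log is the single component 'aduser@example.com'."""
    components: List[str] = []
    current: List[str] = []
    in_realm = escaped = False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in "@/" and not in_realm:
            components.append("".join(current))
            current = []
            in_realm = ch == "@"
        else:
            current.append(ch)
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    return components, "".join(current)


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Evaluate one RULE:[n:string](regexp)s/pattern/replacement/[g] entry.
    Returns the local name, or None when the rule does not apply (wrong
    component count or regexp mismatch). Assumption: no ')' occurs after
    the s/.../ part begins, and Python's re stands in for POSIX regex."""
    body = rule[len("RULE:"):]
    close = body.index("]")
    n_text, name = body[1:close].split(":", 1)
    if int(n_text) != len(components):
        return None
    # $0 expands to the realm, $1..$n to the components; substitute the
    # highest index first so that $1 is not replaced inside $10.
    for i in range(len(components), 0, -1):
        name = name.replace("$%d" % i, components[i - 1])
    name = name.replace("$0", realm)
    rest = body[close + 1:]
    if rest.startswith("("):
        end = rest.rfind(")")
        if re.search(rest[1:end], name) is None:
            return None
        rest = rest[end + 1:]
    if rest.startswith("s/"):
        # Split on '/' unless it is escaped as '\/'.
        fields = re.split(r"(?<!\\)/", rest[2:])
        if len(fields) < 3:
            raise ValueError("malformed substitution in %r" % rule)
        count = 0 if "g" in fields[2] else 1
        # The replacement is literal text: bypass Python's \1 group handling.
        name = re.sub(fields[0], lambda _m: fields[1], name, count=count)
    return name


def auth_to_local(principal: str, rules: List[str],
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Walk the rules in krb5.conf order and return the first local name;
    None means no rule translated the principal."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only one-component principals of the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
        elif rule.startswith("RULE:"):
            local = apply_rule(rule, components, realm)
            if local is not None:
                return local
        else:
            raise ValueError("unsupported auth_to_local entry: %r" % rule)
    return None


if __name__ == "__main__":
    for p in ("aduser@EXAMPLE.COM", "admin@IPA.EXAMPLE.COM",
              "aduser\\@example.com@IPA.EXAMPLE.COM",
              "host/freeipa-master.ipa.example.com@IPA.EXAMPLE.COM"):
        print("%-52s -> %s" % (p, auth_to_local(p, IPA_RULES)))
```

Note that the AD user from the KDC log line only reaches the DEFAULT entry, because the RULE regexp requires the realm part of the formatted string to be exactly EXAMPLE.COM.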
Can't login via AD from UI FreeIPA
by Константин
2 years, 3 months
Redhat Idm/IPA cross domain trust problems
by thing.thing@gmail.com
Hi,
I have RH's version of freeipa (ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64) working fine. RHEL8, RHEL7, Debian10.9, Ubuntu20LTS and CentOS7 clients work perfectly OK with IPA for users in IPA.
For the cross domain trust however only RHEL8 and RHEL7 work. Debian10.9, Ubuntu20LTS and CentOS7 fail for the AD user, who cannot ssh in.
Is there any config I need to do to get 3rd party Linux to work with a trust? Just wondering if I have missed a package? config? steps? Or does it just not work?
rhel7 secure log showing success,
8><----
Jun 9 16:40:55 rhel7a sshd[9339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=v1.ods.vuw.ac.nz user=linuxuser2@vuwtest.ac.nz
Jun 9 16:41:04 rhel7a sshd[9336]: Accepted keyboard-interactive/pam for linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 48
Jun 9 16:41:04 rhel7a sshd[9336]: pam_unix(sshd:session): session opened for user linuxuser2@vuwtest.ac.nz by (uid=0)
[root@rhel7a ~]#
8><---
centos7 secure log,
8><---
[root@centos7a ~]# tail -50f /var/log/secure
Jun 9 17:15:24 centos7a sshd[1812]: Invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880
Jun 9 17:15:24 centos7a sshd[1812]: input_userauth_request: invalid user linuxuser2@vuwtest.ac.nz [preauth]
Jun 9 17:15:24 centos7a sshd[1812]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2 [preauth]
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): check pass; user unknown
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.100.32.67
Jun 9 17:15:37 centos7a sshd[1812]: error: PAM: User not known to the underlying authentication module for illegal user linuxuser2@vuwtest.ac.nz from 10.100.32.67
Jun 9 17:15:37 centos7a sshd[1812]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2
Jun 9 17:15:37 centos7a sshd[1812]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2 [preauth]
8><---
2 years, 3 months
CentOS 6 client installation stuck and doesn't complete
by Rohan Talkar
Hi Team,
We are migrating from our current directory service 389DS to FreeIPA. All our servers are at present authenticated by the 389DS server.
Our infra is hosted on AWS cloud. Please find below the setup of FreeIPA & client on which we are performing tests & getting the issue.
FreeIPA Servers
Primary Master Server = Region 1
Secondary Master Server = Region 2
OS = CentOS Linux release 8.3.2011
IPA Version = 4.8.7, API_VERSION: 2.239
FreeIPA Client
OS = CentOS release 6.9 (Final)
Kernel Version = Linux drxlceco6app01 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
IPA Client version = 3.0.0-51.el6.centos
Our DNS is managed from the "/etc/hosts" file by manually adding DNS entries of the server.
On the CentOS 6 client, installation gets stuck after SSSD setup completes. See the output below for details.
NOTE = For security reasons we have masked our domain name to "XYZ.com" & other details with capital "X".
========================================
case "$env" in
echo 'This is US DR'
This is US DR
++ hostname
ipa-client-install --mkhomedir --no-krb5-offline-passwords --hostname=drxlceco6app01.XYZ.com --force-join --fixed-primary --server=drxipaco8lds01.XYZ.com --server=prdipaco8ldm01.XYZ.com --domain XYZ.com --realm XYZ.COM
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: drxlceco6app01.XYZ.com
Realm: XYZ.COM
DNS Domain: XYZ.com
IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
BaseDN: dc=XYZ,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@XYZ.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XYZ.COM
Issuer: CN=Certificate Authority,O=XYZ.COM
Valid From: Mon Apr 19 14:35:38 2021 UTC
Valid Until: Fri Apr 19 14:35:38 2041 UTC
Enrolled in IPA realm XYZ.COM
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XYZ.COM
trying https://prdipaco8ldm01.XYZ.com/ipa/xml
Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Hostname (drxlceco6app01.XYZ.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring XYZ.com as NIS domain
========================================
Current /etc/nsswitch.conf entries as below.
========================================
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
========================================
Complete client installation logs as below.
========================================
2021-06-01T17:25:40Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'XYZ.com', 'force': False, 'realm_name': 'XYZ.COM', 'krb5_offline_passwords': False, 'primary': True, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'drxlceco6app01.XYZ.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file': None, 'server': ['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2021-06-01T17:25:40Z DEBUG missing options might be asked for interactively later
2021-06-01T17:25:40Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:25:40Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:25:40Z DEBUG [IPA Discovery]
2021-06-01T17:25:40Z DEBUG Starting IPA discovery with domain=XYZ.com, servers=['drxipaco8lds01.XYZ.com', 'prdipaco8ldm01.XYZ.com'], hostname=drxlceco6app01.XYZ.com
2021-06-01T17:25:40Z DEBUG Server and domain forced
2021-06-01T17:25:40Z DEBUG [Kerberos realm search]
2021-06-01T17:25:40Z DEBUG Kerberos realm forced
2021-06-01T17:25:40Z DEBUG Search DNS for SRV record of _kerberos._udp.XYZ.com.
2021-06-01T17:25:40Z DEBUG No DNS record found
2021-06-01T17:25:40Z DEBUG SRV record for KDC not found! Domain: XYZ.com
2021-06-01T17:25:40Z DEBUG [LDAP server check]
2021-06-01T17:25:40Z DEBUG Verifying that drxipaco8lds01.XYZ.com (realm XYZ.COM) is an IPA server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://drxipaco8lds01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Verifying that prdipaco8ldm01.XYZ.com (realm XYZ.COM) is an IPA server
2021-06-01T17:25:40Z DEBUG Init LDAP connection with: ldap://prdipaco8ldm01.XYZ.com:389
2021-06-01T17:25:40Z DEBUG Search LDAP server for IPA base DN
2021-06-01T17:25:40Z DEBUG Check if naming context 'dc=XYZ,dc=com' is for IPA
2021-06-01T17:25:40Z DEBUG LDAP Error: Anonymous access not allowed
2021-06-01T17:25:40Z DEBUG Generated basedn from realm: dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=XYZ.com, kdc=None, basedn=dc=XYZ,dc=com
2021-06-01T17:25:40Z DEBUG Validated servers: prdipaco8ldm01.XYZ.com,drxipaco8lds01.XYZ.com
2021-06-01T17:25:40Z DEBUG will use discovered domain: XYZ.com
2021-06-01T17:25:40Z DEBUG Using servers from command line, disabling DNS discovery
2021-06-01T17:25:40Z DEBUG will use provided server: drxipaco8lds01.XYZ.com, prdipaco8ldm01.XYZ.com
2021-06-01T17:25:40Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2021-06-01T17:25:40Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
2021-06-01T17:26:20Z DEBUG will use discovered realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG will use discovered basedn: dc=XYZ,dc=com
2021-06-01T17:26:20Z INFO Hostname: drxlceco6app01.XYZ.com
2021-06-01T17:26:20Z DEBUG Hostname source: Provided as option
2021-06-01T17:26:20Z INFO Realm: XYZ.COM
2021-06-01T17:26:20Z DEBUG Realm source: Forced
2021-06-01T17:26:20Z INFO DNS Domain: XYZ.com
2021-06-01T17:26:20Z DEBUG DNS Domain source: Forced
2021-06-01T17:26:20Z INFO IPA Server: prdipaco8ldm01.XYZ.com, drxipaco8lds01.XYZ.com
2021-06-01T17:26:20Z DEBUG IPA Server source: Provided as option
2021-06-01T17:26:20Z INFO BaseDN: dc=XYZ,dc=com
2021-06-01T17:26:20Z DEBUG BaseDN source: Generated from Kerberos realm
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r XYZ.COM
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2021-06-01T17:26:45Z DEBUG args=/bin/hostname drxlceco6app01.XYZ.com
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Backing up system configuration file '/etc/sysconfig/network'
2021-06-01T17:26:45Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:26:45Z DEBUG args=/usr/sbin/selinuxenabled
2021-06-01T17:26:45Z DEBUG stdout=
2021-06-01T17:26:45Z DEBUG stderr=
2021-06-01T17:26:45Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:26:51Z DEBUG will use principal provided as option: admin
2021-06-01T17:26:51Z INFO Synchronizing time with KDC...
2021-06-01T17:26:51Z DEBUG Search DNS for SRV record of _ntp._udp.XYZ.com.
2021-06-01T17:26:51Z DEBUG No DNS record found
2021-06-01T17:26:55Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:55Z DEBUG stdout=
2021-06-01T17:26:55Z DEBUG stderr=
2021-06-01T17:26:59Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:26:59Z DEBUG stdout=
2021-06-01T17:26:59Z DEBUG stderr=
2021-06-01T17:27:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v prdipaco8ldm01.XYZ.com
2021-06-01T17:27:03Z DEBUG stdout=
2021-06-01T17:27:03Z DEBUG stderr=
2021-06-01T17:27:03Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2021-06-01T17:27:03Z DEBUG Writing Kerberos configuration to /tmp/tmpGWIbHp:
2021-06-01T17:27:03Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = XYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
XYZ.COM = {
kdc = prdipaco8ldm01.XYZ.com:88
master_kdc = prdipaco8ldm01.XYZ.com:88
admin_server = prdipaco8ldm01.XYZ.com:749
kdc = drxipaco8lds01.XYZ.com:88
master_kdc = drxipaco8lds01.XYZ.com:88
admin_server = drxipaco8lds01.XYZ.com:749
default_domain = XYZ.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.XYZ.com = XYZ.COM
XYZ.com = XYZ.COM
2021-06-01T17:27:07Z DEBUG args=kinit admin@XYZ.COM
2021-06-01T17:27:07Z DEBUG stdout=Password for admin@XYZ.COM:
2021-06-01T17:27:07Z DEBUG stderr=
2021-06-01T17:27:07Z DEBUG trying to retrieve CA cert via LDAP from ldap://prdipaco8ldm01.XYZ.com
2021-06-01T17:27:07Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=XYZ.COM
Issuer: CN=Certificate Authority,O=XYZ.COM
Valid From: Mon Apr 19 14:35:38 2021 UTC
Valid Until: Fri Apr 19 14:35:38 2041 UTC
2021-06-01T17:27:08Z DEBUG args=/usr/sbin/ipa-join -s prdipaco8ldm01.XYZ.com -b dc=XYZ,dc=com -h drxlceco6app01.XYZ.com -f
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=Failed to retrieve encryption type Triple DES cbc mode with HMAC/sha1 (#16)
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=XYZ.COM
2021-06-01T17:27:08Z INFO Enrolled in IPA realm XYZ.COM
2021-06-01T17:27:08Z DEBUG args=kdestroy
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z INFO Attempting to get host TGT...
2021-06-01T17:27:08Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:08Z DEBUG stdout=
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG Attempt 1/5 succeeded.
2021-06-01T17:27:08Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2021-06-01T17:27:08Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2021-06-01T17:27:08Z INFO Created /etc/ipa/default.conf
2021-06-01T17:27:08Z DEBUG importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
2021-06-01T17:27:08Z DEBUG args=klist -V
2021-06-01T17:27:08Z DEBUG stdout=Kerberos 5 version 1.10.3
2021-06-01T17:27:08Z DEBUG stderr=
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
2021-06-01T17:27:08Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2021-06-01T17:27:09Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2021-06-01T17:27:09Z INFO New SSSD config will be created
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z INFO Configured sudoers in /etc/nsswitch.conf
2021-06-01T17:27:09Z INFO Configured /etc/sssd/sssd.conf
2021-06-01T17:27:09Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2021-06-01T17:27:09Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-06-01T17:27:09Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2021-06-01T17:27:09Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = XYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
XYZ.COM = {
kdc = prdipaco8ldm01.XYZ.com:88
master_kdc = prdipaco8ldm01.XYZ.com:88
admin_server = prdipaco8ldm01.XYZ.com:749
kdc = drxipaco8lds01.XYZ.com:88
master_kdc = drxipaco8lds01.XYZ.com:88
admin_server = drxipaco8lds01.XYZ.com:749
default_domain = XYZ.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.XYZ.com = XYZ.COM
XYZ.com = XYZ.COM
2021-06-01T17:27:09Z INFO Configured /etc/krb5.conf for IPA realm XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG failed to find session_cookie in persistent storage for principal 'host/drxlceco6app01.XYZ.com@XYZ.COM'
2021-06-01T17:27:09Z INFO trying https://prdipaco8ldm01.XYZ.com/ipa/xml
2021-06-01T17:27:09Z DEBUG Created connection context.xmlclient
2021-06-01T17:27:09Z DEBUG raw: env(None, server=True)
2021-06-01T17:27:09Z DEBUG env(None, server=True, all=True)
2021-06-01T17:27:09Z INFO Forwarding 'env' to server u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:09Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:09Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:09Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=XYZ.COM
Validity:
Not Before: Mon Apr 19 14:37:53 2021 UTC
Not After: Thu Apr 20 14:37:53 2023 UTC
Subject: CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent:
65537 (0x10001)
Signed Extensions: (7 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://ipa-ca.XYZ.com/ca/ocsp
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: CRL Distribution Points
Critical: False
CRL Distribution Points: [1 total]
Point [1]:
General Names: [1 total]
http://ipa-ca.XYZ.com/ipa/crl/MasterCRL.bin
Issuer: Directory Name: CN=Certificate Authority,O=ipaca
Reasons: ()
Name: Certificate Subject Key ID
Critical: False
Data:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
Name: Certificate Subject Alt Name
Critical: False
Names:
prdipaco8ldm01.XYZ.com
ipa-ca.XYZ.com
HTTP/prdipaco8ldm01.XYZ.com@XYZ.COM
['[0]', '[1]']
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (MD5):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Fingerprint (SHA1):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX
2021-06-01T17:27:09Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2021-06-01T17:27:09Z DEBUG cert valid True for "CN=prdipaco8ldm01.XYZ.com,O=XYZ.COM"
2021-06-01T17:27:09Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:09Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:09Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:09Z DEBUG received Set-Cookie
'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7;path=/ipa;httponly;secure;'
2021-06-01T17:27:09Z DEBUG storing cookie
'ipa_session=MagBearerToken=Aus0%2bwdoksGBb%2belr0QOIi6Yk7TDzrcvkEuJLRtZf1KNWdahbAPsUyeWqGHs2CM72OMQKtkhONEi6FBan0Km69ssXfx%2bgu6r96B9VC4paNAXVi%2fVr3dd450OSsT1%2fHevzaAFoqFI0Mz95R%2bWgeIkuR4eZ%2fjvCLSGBlM3TwoQUMLA9CKKqPAh6kyN%2fMy6YaG0oXET1ht51P4zJ3rfXdPP9Ael%2bvTNQrS%2fiyCE%2b4TzjZtoNLHei2s5BoGlyZ3GPUS7;
Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal
host/drxlceco6app01.XYZ.com(a)XYZ.COM
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:09Z DEBUG stdout=
2021-06-01T17:27:09Z DEBUG stderr=keyctl_search: Required key not available
2021-06-01T17:27:09Z DEBUG args=keyctl padd user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM @s
2021-06-01T17:27:09Z DEBUG stdout=915601519
2021-06-01T17:27:09Z DEBUG stderr=
2021-06-01T17:27:09Z WARNING Hostname (drxlceco6app01.XYZ.com) not found in DNS
2021-06-01T17:27:09Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:09Z DEBUG
zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN A
send
update add drxlceco6app01.XYZ.com. 1200 IN A 10.111.5.11
send
2021-06-01T17:27:10Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:10Z DEBUG stdout=
2021-06-01T17:27:10Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Server
DNS/udns1.ultradns.net(a)XYZ.COM not found in Kerberos database.
2021-06-01T17:27:10Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:10Z ERROR Failed to update DNS records.
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus start
2021-06-01T17:27:10Z DEBUG stdout=Starting system message bus:
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service messagebus status
2021-06-01T17:27:10Z DEBUG stdout=messagebus (pid 1186) is running...
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: ?[60G[?[0;31mFAILED?[0;39m]
Starting certmonger: ?[60G[?[0;32m OK ?[0;39m]
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:10Z DEBUG stdout=certmonger (pid 1974) is running...
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:10Z DEBUG args=/sbin/service certmonger stop
2021-06-01T17:27:10Z DEBUG stdout=Stopping certmonger: ?[60G[?[0;32m OK ?[0;39m]
2021-06-01T17:27:10Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger restart
2021-06-01T17:27:11Z DEBUG stdout=Stopping certmonger: ?[60G[?[0;31mFAILED?[0;39m]
Starting certmonger: ?[60G[?[0;32m OK ?[0;39m]
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/service certmonger status
2021-06-01T17:27:11Z DEBUG stdout=certmonger (pid 2063) is running...
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:11Z DEBUG args=/sbin/chkconfig certmonger on
2021-06-01T17:27:11Z DEBUG stdout=
2021-06-01T17:27:11Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine
Certificate - drxlceco6app01.XYZ.com -N CN=drxlceco6app01.XYZ.com,O=XYZ.COM -K
host/drxlceco6app01.XYZ.com(a)XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=New signing request "20210601172712" added.
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2021-06-01T17:27:12Z DEBUG raw: host_mod(u'drxlceco6app01.XYZ.com',
ipasshpubkey=[u'ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ=='],
updatedns=False)
2021-06-01T17:27:12Z DEBUG host_mod(u'drxlceco6app01.XYZ.com', random=False,
ipasshpubkey=(u'ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAobH2Rt+aBxrhxWJazVGUpMej9nnncp8DhPewnZkyZxoSAyDc6C5c3nBqW22/Cr7gk26d/D2Ietbi0E7mFrt5Wo4bGgN2KcnlG3ABSifvwh3oqzL+anT6+/lkwzgm3hwIQQRDfF3/GljmvX495HateMqc7syLyOe5ZnKI4Xu6khQ/JF1hhv+8GiUbl7+le+QxYuosmNNIekfMqVbtJ8IM7Zf5/CXINIkwy1UtV+gl0JsAn6AlcBfLcsssg6LQVdgCCjVsJFNB2t+tR0LozJ8L5mDerKqVxJZWI3EnfLIXMq0VWoVfn20fPe0pkcoiyv9bQt/YsDxZS54BFjlTK7DpjQ==',),
rights=False, updatedns=False, all=False, raw=False, no_members=False)
2021-06-01T17:27:12Z INFO Forwarding 'host_mod' to server
u'https://prdipaco8ldm01.XYZ.com/ipa/xml'
2021-06-01T17:27:12Z DEBUG NSSConnection init prdipaco8ldm01.XYZ.com
2021-06-01T17:27:12Z DEBUG Connecting: 10.113.10.50:0
2021-06-01T17:27:12Z DEBUG handshake complete, peer = 10.113.10.50:443
2021-06-01T17:27:12Z DEBUG Protocol: TLS1.2
2021-06-01T17:27:12Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-06-01T17:27:12Z DEBUG received Set-Cookie
'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs;path=/ipa;httponly;secure;'
2021-06-01T17:27:12Z DEBUG storing cookie
'ipa_session=MagBearerToken=yKnSiJdb44vhq6AuqB%2boAE5Fatp7CXJ8A9xYVUqlqXI73Gk9ukPfIr9%2bD6KnSCiBXmtVx3flwJ1Rf17528nymjCE5vMtNTSeVU5l8rn36fEtAFq6QZt%2bAHs2LjPLWwyR9geT7Y5aKgLbEMDzZv0DTwM3N2ocM0b7Rc6inZUvAgU%2fYmqmkZafsbYy%2fCUm2Kgyx%2b%2fZ6kQg%2fK94CVAqMLxZDE1k1gAP3qq98k%2fllMQu9k0GAYcdKEbmN%2bwff4LzeQRs;
Domain=prdipaco8ldm01.XYZ.com; Path=/ipa; Secure; HttpOnly' for principal
host/drxlceco6app01.XYZ.com(a)XYZ.COM
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=keyctl pupdate 915601519
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Caught fault 4202 from server
https://prdipaco8ldm01.XYZ.com/ipa/xml: no modifications to be performed
2021-06-01T17:27:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:12Z DEBUG zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN SSHFP
send
update add drxlceco6app01.XYZ.com. 1200 IN SSHFP 1 1
F6ABCFF542C5E35268387C2A53EBF83C5C6B0517
send
2021-06-01T17:27:12Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Server
DNS/udns1.ultradns.net(a)XYZ.COM not found in Kerberos database.
2021-06-01T17:27:12Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:12Z WARNING Could not update DNS SSHFP records.
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd status
2021-06-01T17:27:12Z DEBUG stdout=nscd is stopped
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/service nscd stop
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG args=/sbin/chkconfig nscd off
2021-06-01T17:27:12Z DEBUG stdout=
2021-06-01T17:27:12Z DEBUG stderr=
2021-06-01T17:27:12Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:12Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --enablemkhomedir
--update --enablesssd
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: ?[60G[?[0;32m OK ?[0;39m]
Starting oddjobd: ?[60G[?[0;32m OK ?[0;39m]
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z INFO SSSD enabled
2021-06-01T17:27:15Z INFO Configuring XYZ.com as NIS domain
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname
2021-06-01T17:27:15Z DEBUG stdout=(none)
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-06-01T17:27:15Z DEBUG args=/usr/sbin/authconfig --update --nisdomain XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=Starting sssd: ?[60G[?[0;32m OK ?[0;39m]
2021-06-01T17:27:15Z DEBUG stderr=
2021-06-01T17:27:15Z DEBUG args=/bin/nisdomainname XYZ.com
2021-06-01T17:27:15Z DEBUG stdout=
2021-06-01T17:27:15Z DEBUG stderr=
========================================
I am unable to understand what I am missing or what changes are required in the current config.
Any help / suggestions appreciated.
Regards,
Rohan
2 years, 3 months
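The step that actually fails in the log above is the DNS update: `nsupdate -g` tries a GSS-TSIG update against the authoritative server for the zone, and the IPA KDC answers that it has no `DNS/udns1.ultradns.net@XYZ.COM` principal, which is exactly what happens when the zone is hosted on an external DNS server rather than on IPA's own named. The A and SSHFP updates are skipped, enrollment itself continues. The following Python script is an added example (not from the post and not FreeIPA's code): it parses this ipa-client-install log format, folds the `args=` / `stdout=` / `stderr=` triplets into command records, lists which DNS records the client tried to push, and names the cause of each failed command. The embedded log is a constructed, condensed copy of the post's own lines; the diagnosis strings and the `triage` / `attempted_updates` helpers are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, condensed from the ipa-client-install log quoted in the
# post above (same anonymised hostnames; the "(a)" the archive substitutes for
# "@" is put back).
SAMPLE_LOG = """\
2021-06-01T17:27:09Z WARNING Hostname (drxlceco6app01.XYZ.com) not found in DNS
2021-06-01T17:27:09Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2021-06-01T17:27:09Z DEBUG
zone XYZ.com.
update delete drxlceco6app01.XYZ.com. IN A
send
update add drxlceco6app01.XYZ.com. 1200 IN A 10.111.5.11
send
2021-06-01T17:27:10Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2021-06-01T17:27:10Z DEBUG stdout=
2021-06-01T17:27:10Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Server
DNS/udns1.ultradns.net@XYZ.COM not found in Kerberos database.
2021-06-01T17:27:10Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2021-06-01T17:27:10Z ERROR Failed to update DNS records.
2021-06-01T17:27:12Z DEBUG args=keyctl padd user
ipa_session_cookie:host/drxlceco6app01.XYZ.com@XYZ.COM @s
2021-06-01T17:27:12Z DEBUG stdout=915601519
2021-06-01T17:27:12Z DEBUG stderr=
"""

# One log entry starts with a UTC timestamp and a level; wrapped lines do not.
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) ?(.*)$")
GSS_TSIG_RE = re.compile(r"Server (DNS/\S+) not found in Kerberos database")
UPDATE_RE = re.compile(r"^update (add|delete) (\S+) (?:\d+ )?IN (\w+)", re.M)


@dataclass
class Entry:
    ts: str
    level: str
    msg: str


@dataclass
class Command:
    ts: str
    args: str
    stdout: str = ""
    stderr: str = ""
    failure: str = ""  # a following "<tool> failed: ..." entry, if any


def parse_entries(text):
    """Split the log into entries, gluing timestamp-less continuation lines
    back onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
        elif entries:
            entries[-1].msg += "\n" + line
    return entries


def extract_commands(entries):
    """Fold the args= / stdout= / stderr= triplets the installer writes for
    every external command into Command records; a later '... failed:' entry
    is attributed to the most recent command."""
    commands = []
    for e in entries:
        if e.msg.startswith("args="):
            commands.append(Command(e.ts, " ".join(e.msg[5:].split())))
        elif commands and e.msg.startswith("stdout="):
            commands[-1].stdout = e.msg[7:]
        elif commands and e.msg.startswith("stderr="):
            commands[-1].stderr = e.msg[7:]
        elif commands and " failed: " in e.msg and not commands[-1].failure:
            commands[-1].failure = " ".join(e.msg.split())
    return commands


def attempted_updates(entries):
    """(op, name, rrtype) for every record the client tried to push via
    nsupdate, taken from the echoed /etc/ipa/.dns_update.txt contents."""
    return [t for e in entries for t in UPDATE_RE.findall(e.msg)]


def diagnose(cmd):
    """Map a failed command onto the cause visible in its stderr.  The
    GSS-TSIG case is the one in the post: nsupdate -g asks the IPA KDC for a
    service ticket for the DNS server's principal, and the KDC has none, so
    that server is not a Kerberos-enrolled (IPA-managed) name server."""
    m = GSS_TSIG_RE.search(" ".join(cmd.stderr.split()))
    if m:
        return "GSS-TSIG update rejected: no Kerberos principal " + m.group(1)
    if "Required key not available" in cmd.stderr:
        return "keyctl: session cookie not cached yet (harmless on first run)"
    return "command failed: " + (cmd.failure or cmd.stderr.strip())


def triage(text):
    """(args, diagnosis) for each command that wrote to stderr or was
    followed by an explicit failure entry."""
    cmds = extract_commands(parse_entries(text))
    return [(c.args, diagnose(c)) for c in cmds if c.stderr.strip() or c.failure]
```

Running `triage(SAMPLE_LOG)` returns a single entry for the `nsupdate -g` command with the missing `DNS/udns1.ultradns.net@XYZ.COM` principal named, while `attempted_updates(parse_entries(SAMPLE_LOG))` shows the delete-then-add of the host's A record that never reached the zone. Pointing the script at a real `/var/log/ipaclient-install.log` separates this expected-on-external-DNS failure from anything else that wrote to stderr during enrollment.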
Invalid CA chain after ca chain renewal
by Philipp Leusmann
Hi,
I have just renewed freeipas externally signed CA certificate using 'ipa-cacert-manage renew --external-ca'
Given the new CSR contains the same key elements as the previous one, I already had to ignore the duplicate while signing. Maybe that's the cause for the issues following?
After renewing I now have the new and the old CA key in /etc/ipa/ca.crt and also in exported certificate chains which for example nginx cannot handle properly.
1) Did I do anything wrong during renewal?
2) How can I remove the previous CA cert?
Thanks in advance,
Philipp
2 years, 3 months
Announcing SSSD 2.5.1
by Pavel Březina
# SSSD 2.5.1
The SSSD team is proud to announce the release of version 2.5.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.5.1
See the full release notes at:
https://sssd.io/release-notes/sssd-2.5.1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### New features
* `auto_private_groups` option can be set centrally through ID range
setting in IPA (see `ipa idrange` commands family). This feature
requires SSSD update on both client and server. This feature also
requires `freeipa 4.9.4` and newer.
### Important fixes
* Fix `getsidbyname` issues with IPA users with a user-private-group
### Configuration changes
* Default value of `ldap_sudo_random_offset` changed to `0` (disabled).
This makes sure that sudo rules are available as soon as possible after
SSSD start in default configuration.
2 years, 3 months
various errors and warnings on F34: Can't contact LDAP server, Component identity is NULL; Failed to unwrap key for cipher
by Robert Kudyba
After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64, we're
seeing the below errors. I found a previous post that mentions a user had
these during a migration but we finished the migration a while ago:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ipa cert-find shows 10 certs and all have a status of VALID. Apache logs do
not have any errors. And the ipaupgrade.log ends with "INFO The
ipa-server-upgrade command was successful".
Jun 3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR
syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP
server", 'ctrls': []})
Jun 3 18:14:06 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:06.994125936
-0400] - ERR - allow_operation - Component identity is NULL
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.899216572
-0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.955942900
-0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with
the private key; Cert might have been renewed since the key is wrapped. To
recover the encrypted contents, keep the wrapped symmetric key value.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.022213263
-0400] - ERR - attrcrypt_init - All prepared ciphers are not available.
Please disable attribute encryption.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.090020323
-0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.177952423
-0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.875367301
-0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=sub,dc=domain,dc=ourschool,dc=edu--no CoS
Templates found, which should be added before the CoS Definition.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.961081967
-0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will
start in about 5 seconds!
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.740194095
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
ou=sudoers,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.818774136
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
cn=ng, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.804889621
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
cn=computers, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357
-0400] - ERR - schema-compat-plugin - Finished plugin initialization.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.577526585
-0400] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=ad,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.599342179
-0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu
does not exist
2 years, 3 months
Improper format of Kerberos configuration - error from client setup
by lejeczek
Hi guys.
I'm trying a client install and it fails:
...
Time synchronization was successful.
Please make sure the following ports are opened in the
firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client
working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Kerberos authentication failed: kinit: Improper format of
Kerberos configuration file while initializing Kerberos 5
library
This is the client's problem, right? The reason I'm a bit doubtful
is that I made sure all the usual places are
plain vanilla. What am I missing?
many thanks, L.
2 years, 3 months
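The "Improper format of Kerberos configuration file" message is libkrb5 rejecting the profile syntax of a krb5.conf (or of one of the files pulled in by an `includedir` line) before any network traffic happens, so the right first check is the file layout itself. The script below is an added example (not from the post, and a simplified approximation of libkrb5's profile parser rather than the parser itself): it walks a krb5.conf and reports the common hand-editing slips, a relation with no `=`, a `{` subsection never closed, a stray `}`, a relation that appears before any `[section]` header, or a malformed header. `GOOD_CONF` is constructed from the krb5.conf quoted earlier on this page, with a `[realms]` block filled in using that post's master hostname and the standard KDC/kadmin ports; `BAD_CONF` is the same file with two deliberate defects. The `check_krb5_conf` and `problem_lines` names are this example's own.

```python
import re

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_.-]+)\]\*?$")
RELATION_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")
INCLUDE_RE = re.compile(r"^include(dir)?\s+\S")

# Constructed: the includedir/logging/libdefaults part is taken from the
# krb5.conf quoted earlier on this page; the [realms] block is filled in with
# that post's master hostname and the standard KDC (88) / kadmin (749) ports.
GOOD_CONF = """\
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log

[libdefaults]
 default_realm = IPA.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.EXAMPLE.COM = {
  kdc = freeipa-master.ipa.example.com:88
  admin_server = freeipa-master.ipa.example.com:749
 }

[domain_realm]
 .ipa.example.com = IPA.EXAMPLE.COM
 ipa.example.com = IPA.EXAMPLE.COM
"""

# Constructed: same file with two typical hand-editing slips (line 3 lacks
# the '=', the subsection opened on line 5 is never closed).
BAD_CONF = """\
[libdefaults]
 default_realm = IPA.EXAMPLE.COM
 dns_lookup_kdc true
[realms]
 IPA.EXAMPLE.COM = {
  kdc = freeipa-master.ipa.example.com:88
  admin_server = freeipa-master.ipa.example.com:749
[domain_realm]
 .ipa.example.com = IPA.EXAMPLE.COM
"""


def check_krb5_conf(text):
    """Return [(line_no, problem)] for the profile-format rules below; an
    empty list means the file passed.  Simplified approximation of the
    libkrb5 profile parser: sections, tag = value relations, tag = { ... }
    subsections, '#'/';' comments and top-level include/includedir lines."""
    problems = []
    section = None
    open_braces = []  # line numbers of '{' not yet closed

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("["):
            for o in open_braces:
                problems.append((o, "'{' never closed before next section header"))
            open_braces = []
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1)
            else:
                problems.append((n, "malformed section header, expected [name]"))
            continue
        if line.rstrip("*") == "}":  # '}' or the final-marker form '}*'
            if open_braces:
                open_braces.pop()
            else:
                problems.append((n, "'}' without a matching '{'"))
            continue
        if not open_braces and INCLUDE_RE.match(line):
            continue  # include / includedir directive outside a subsection
        if section is None:
            problems.append((n, "relation before any [section] header"))
            continue
        m = RELATION_RE.match(line)
        if not m:
            problems.append((n, "expected 'tag = value' or 'tag = {'"))
        elif m.group(2) == "{":
            open_braces.append(n)

    for o in open_braces:
        problems.append((o, "'{' never closed before end of file"))
    return sorted(problems)


def problem_lines(text):
    """Just the offending line numbers, convenient for a quick check."""
    return [n for n, _ in check_krb5_conf(text)]
```

`check_krb5_conf(GOOD_CONF)` returns an empty list and `problem_lines(BAD_CONF)` returns `[3, 5]`. To use it on a host, read `/etc/krb5.conf` and every file under the directories named by its `includedir` lines into the function one at a time; each included file is parsed on its own and must start with its own section header, so a stray relation at the top of a drop-in file is reported the same way.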
How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?
by Bret Wortman
I'm trying to update our IPA servers to newer OSes and IPA versions. What I've done so far:
1. Ran "ipa-replica-prepare" on the original main server, ipa1.
2. Copied the resulting file to ipa1c7.
3. Tried to import that file via "ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns --auto-forwarders". This typically fails:
===========
[root@ipa2c7 ~]# ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns --auto-forwarders
Directory Manager (existing master) password:
ipaserver.install.server.replicainstall: ERROR Could not resolve hostname ipa1.our.net using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Checking DNS forwarders, please wait ...
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: enabling ldapi
[3/42]: configure autobind for root
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configure password logging
[11/42]: configuring replication version plugin
[12/42]: enabling IPA enrollment plugin
[13/42]: configuring uniqueness plugin
[14/42]: configuring uuid plugin
[15/42]: configuring modrdn plugin
[16/42]: configuring DNS plugin
[17/42]: enabling entryUSN plugin
[18/42]: configuring lockout plugin
[19/42]: configuring topology plugin
[20/42]: creating indices
[21/42]: enabling referential integrity plugin
[22/42]: configuring certmap.conf
[23/42]: configure new location for managed entries
[24/42]: configure dirsrv ccache
[25/42]: enabling SASL mapping fallback
[26/42]: restarting directory server
[27/42]: creating DS keytab
[28/42]: ignore time skew for initial replication
[29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[30/42]: prevent time skew after initial replication
[31/42]: adding sasl mappings to the directory
[32/42]: updating schema
[33/42]: setting Auto Member configuration
[34/42]: enabling S4U2Proxy delegation
[35/42]: initializing group membership
[36/42]: adding master entry
ipaserver.install.service: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
[error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@ipa2c7 ~]# host ipa1.our.net
ipa1.our.net has address 192.168.2.61
===========
So I'm not sure why the DNS query is failing but it appears to be intermittent at best.
Also, after near-misses when the ldap error occurs, I often get informed that we have an existing replication agreement that needs to be removed. When I follow the indicated steps:
===========
[root@ipa1 ~]# ipa-replica-manage del ipa2c7.our.net --force
Directory Manager password:
Connection to 'ipa2c7.our.net' failed:
Forcing removal of ipa2c7.our.net
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between ipa2c7.our.net and ipa1.our.net, ipa2.our.net, ipa3.our.net
Failed to get list of agreements from 'ipa2c7.our.net':
Forcing removal on 'ipa1.our.net'
Any DNA range on 'ipa2c7.our.net' will be lost
Deleted replication agreement from 'ipa1.our.net' to 'ipa2c7.our.net'
'ipa2.our.net' has no replication agreement for 'ipa2c7.our.net'
Unable to remove replication agreement for ipa2c7.our.net from ipa2.our.net.
Failed to determine agreement type for 'ipa3.our.net':
Unable to remove replication agreement for ipa2c7.our.net from ipa3.our.net.
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
^C
Wait for task interrupted. It will continue to run in the background
Failed to cleanup ipa2c7.our.net entries: Not allowed on non-leaf entry
You may need to manually remove them from the tree
Failed to cleanup ipa2c7.our.net DNS entries: no matching entry found
You may need to manually remove them from the tree
[root@ipa1 ~]#
===========
Is there something obvious that I've missed?
--
Bret Wortman
bret.wortman(a)damascusgrp.com
2 years, 3 months