Auto cleanup old enrolled hosts
by Russ Long
We're adding FreeIPA to an immutable, often rotated environment (AWS ECS Hosts). These hosts are spun up and down at least daily. Is there a way to check FreeIPA to see when a host has last communicated with the FreeIPA Cluster? I'd like to use this information to auto-delete hosts that have not reported in from the FreeIPA host list.
1 week, 2 days
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
1 month
kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele
I tried various approaches to get renewable tickets:
- modifying the kdc
- modifying krb5.conf
- using kadmin.local on every replica to modify the principal; which is not working - as designed (?) - in IPA
What should I do to get a ticket with the correct R flag from IPA?
I don't think this is SSSD related (the service needing the renewable
ticket this way is Apache Storm)
Thanks a lot!
2 months, 3 weeks
Cannot get rid of a replica/agreement
by lejeczek
Hi guys.
Two masters from which a third got disconnected in a "dirty" manner.
-> $ ipa-replica-manage del midway.ccn.priv.dom
Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server love.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom
Topology does not allow server midway.ccn.priv.dom to
replicate with servers:
love.ccn.priv.dom
punch.ccn.priv.dom
Topology does not allow server punch.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom.
-> $ ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
Left node: punch.ccn.priv.dom
Right node: love.ccn.priv.dom
Connectivity: both
----------------------------
Number of entries returned 1
-> $ ipa-replica-manage del midway.ccn.priv.dom --force
ipa: WARNING:
/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973:
The subsystem in PKIConnection.__init__() has been
deprecated
(https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Updating DNS system records
Not allowed on non-leaf entry
I've tried to 'reinitialize' but without success.
Anybody care to share suggestions & thoughts?
many thanks, L.
4 months, 3 weeks
Limiting access to GUI
by Entrepreneur AJ
Hey all,
I have a WAN-facing install due to many of my team operating with mobile phone hotspots whilst visiting customers.
An issue I'm having is that I want to restrict the GUI to only our admin team's IP address, but editing the Apache config with:
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
SetHandler None
AllowOverride None
Satisfy Any
Require all granted
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
Order allow,deny
Allow from <ADMIN IP RANGE>
</Directory>
is still allowing anyone with a browser to reach the IPA GUI.
We have Keycloak in place for staff and users to update their passwords.
Any pointers? I would personally prefer to firewall it off but that affects other IPA features.
5 months
Do keytabs expire?
by Ronald Wimmer
Hi,
today I found out that some entries in a keytab file seemed to have expired:
Request ticket server HTTP/mwc.linux.mydomain.at@LINUX.MYDOMAIN.AT kvno 4 not found in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the problem. But why
is this happening? Do keytab entries expire? I have not set any custom
password or ticket policies.
Regards,
Ronald
6 months, 1 week
ipa-replica-install -- cannot get past [26/41]: creating DS keytab
by Jonathon Jenkins
Greetings,
I cannot get the ipa-replica-install to proceed past step 26/41 - creating DS keytab. I see the command that is to be run, and I can run that just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here - the bug reports I see all pertain to earlier versions, and my files reflect those changes.
I have also tried running this with all manner of password flags, which are correct, but I am still getting insufficient access rights.
particulars:
centos 7 3.10.0-957.1.3.el7.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
* Note: anonymized output below
ipapython.ipautil: DEBUG stderr=
ipalib.backend: DEBUG Created connection context.ldap2_139891568509776
ipaserver.install.service: DEBUG duration: 7 seconds
ipaserver.install.service: DEBUG [26/41]: creating DS keytab
[26/41]: creating DS keytab
ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229')
ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229')
ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>
ipapython.ipautil: DEBUG Process finished, return code=9
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
ipaserver.install.service: DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
[error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf'
ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
replica_install(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install
fstore=fstore)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds
setup_pkinit=not options.no_pkinit,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
8 months, 2 weeks
FreeIPA-Kubernetes Setup
by Ronald Wimmer
Hi,
are there any plans (or maybe ongoing work already) to let FreeIPA run
in a K8s environment?
Cheers,
Ronald
8 months, 3 weeks
Removal & clean up certificates from o=ipaca
by David Goudet
Hello all,
I have to clean up a lot of useless certificates in the dirsrv database.
Because of a resubmit loop on a Certmonger client, I have 99,9% of the certificates in the dirsrv database that are useless and not obsolete (expiration in 2020) (this represents ~85 000 certificates).
These useless certificates produce some issues on FreeIPA:
- decreased FreeIPA performance on CLI and GUI
- increased LDAP size
- increased size and time of FreeIPA backups
...
Is it possible to purge these certificates in the dirsrv database, and how?
I found two branches in LDAP directory about these certificates:
dn: cn=xxx,ou=ca,ou=requests,o=ipaca
dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca
I can remove all request and certificate entries from the dirsrv database, but how is that supported by the PKI manager Dogtag (CRL, certificate generation, OCSP)?
(This topic has already been discussed on https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...)
Thank you for your help
--
David GOUDET
LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
10 months
ipa-replica-install fails when I use custom certificates
by Peter Tselios
I have installed the ipa server by using the following command:
---------
ipa-server-install \
  --realm "EXAMPLE.COM" -p 'password' -a 'password' \
  --hostname="server.example.com" -n example.com \
  --ip-address="10.1.4.2" \
  --dirsrv-cert-file=/etc/pki/tls/private/example.com.pem \
  --dirsrv-cert-file=/etc/pki/tls/certs/example.com.crt \
  --dirsrv-pin='' \
  --http-cert-file=/etc/pki/tls/certs/example.com.crt \
  --http-cert-file=/etc/pki/tls/private/example.com.pem \
  --http-pin='' \
  --ca-cert-file=/etc/pki/ca-trust/source/anchors/myca.pem \
  --ca-cert-file=/etc/pki/ca-trust/source/anchors/mysubca.pem \
  --mkhomedir -N \
  --no-host-dns \
  --unattended
---------
Which works perfectly fine.
However, I cannot make it work with ipa-replica-install since there is no option for --ca-cert-file.
So, how can I install a replica with custom certificates?
10 months