IPA-Error 903: InternalError on Certificate page
by Nico Maas
Dear all,
I am using FreeIPA, Version: 4.8.4 on CentOS 8
ipa-client.x86_64 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-client-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-healthcheck-core.noarch 0.4-4.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server.x86_64 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server-common.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
ipa-server-dns.noarch 4.8.4-7.module_el8.2.0+374+0d2d74a1 @AppStream
Whenever I open the "Authentication" tab in the FreeIPA web UI, I get the error
"IPA-Error 903: InternalError. An internal error has happend".
Retry does not help. Within Authentication I can use all tabs except the Authentication -> Certificate -> Certificate one; this one gives the error. I also cannot search for a certificate. The other areas of Authentication -> Certificate (Certificate Profiles, CA ACLs, Certificate Authorities) work without problems.
As a test I cloned the machine and updated it to the latest CentOS 8 version with a newer FreeIPA version on it, but that did not solve the problem, and I scrapped this VM and idea again.
Any idea on how to resolve the issue / what could be broken?
Which logs and things would be useful to look into?
Thanks a lot for your help and have a nice day
Nico
10 months, 3 weeks
LoadBalancer vs. DNS
by Ronald Wimmer
IPA heavily relies on DNS entries. In my opinion, this design makes it
more difficult to quickly disable one or more IPA servers - especially
when using IPA in combination with external DNS (managed by a different
department).
Would it be possible to put all relevant DNS entries on a Loadbalancer
VIP and let the LB resolve to all IPA servers?
e.g. instead of having 8 DNS entries for
_kerberos-master._tcp.linux.oebb.at, one for each of our 8 IPA servers, I
would have just one _kerberos-master._tcp.linux.oebb.at entry. The LB
would distribute requests in such a setup.
Is it possible to do that or would it break some IPA functionality?
Cheers,
Ronald
10 months, 4 weeks
IdM with trust relationship with Samba AD DC - User accounts with passwords expired
by Mateo Duffour
Hi,
We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user accounts on IdM.
We are having a problem with Samba user accounts whose passwords have expired.
When we try to log in on an Ubuntu IdM client with one of those accounts, it fails and asks again for the password.
The behaviour we are expecting is that Ubuntu should ask for a password change.
Thanks, best regards.
Lic. Mateo Duffour
IT Unit
2901.40.91
[ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,... | 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
[ http://www.fnr.gub.uy/ | ]
Please don't print this unless necessary. Let's protect the environment. This message and the information attached to it are addressed exclusively to its recipient. It may contain confidential, privileged or restricted-use information protected by law. If you received this e-mail in error, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.
1 year, 1 month
Potential API change for FreeIPA plugin writers
by Alexander Bokovoy
Hi,
as you have probably noticed in a thread we had with Leo on
freeipa-users@ about FreeIPA plugin development, we haven't had
consistency in handling boolean types between the LDAP and IPA Python API
levels. A change is coming that would make 'native' boolean types used in
both worlds. If your plugins rely on Bool() parameter handling in
FreeIPA, your code might be affected. If your scripts that use the output of
the IPA API rely on case-sensitive output, you might need to adjust your
code.
If not, you can skip this email.
Pull request https://github.com/freeipa/freeipa/pull/6294 turns handling
of boolean types to be native to each side:
- in LDAP, the TRUE and FALSE strings are used to represent the values
- in Python, the native True and False constants of bool type will be used
to represent an LDAP boolean.
Prior to PR#6294, when an LDAP attribute with a boolean syntax was read
from LDAP, its representation in IPA Python code was either 'TRUE'
or 'FALSE' string. This created a bit of inconvenience:
- Python code had to explicitly compare a value to 'TRUE' or 'FALSE',
- Web UI JavaScript code had to use a radio-box where a simple checkbox
would be enough
- JavaScript plugin code would need to handle all types of 'TRUE',
'FALSE', 1, 0, true, false, none in every place where a boolean type
would be enough
After PR#6294 is merged, IPA Python code will use Python bool type.
JSON-RPC response to an IPA API command request would produce a simple
'true' or 'false' instead of ["TRUE"] or ["FALSE"] elements. This means,
for example, that in the following command
ipa dnszone-show ipa.test
instead of
"idnsallowdynupdate": [
"TRUE"
],
one would get
"idnsallowdynupdate": [
true
],
and the output of 'ipa dnszone-show ipa.test' would have 'True' instead
of 'TRUE' (and False instead of 'FALSE'):
$ ipa dnszone-show ipa.test
Zone name: ipa.test.
Active zone: True
Authoritative nameserver: idm.ipa.test.
Administrator e-mail address: hostmaster.ipa.test.
SOA serial: 1654159048
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA.TEST krb5-self * A; grant IPA.TEST krb5-self * AAAA; grant IPA.TEST krb5-self * SSHFP;
Dynamic update: True
Allow query: any;
Allow transfer: none;
If your scripts rely on the case-sensitive output, you'd need to fix
them. IPA tools are already able to handle the changes, so they are
backward-compatible.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1 year, 1 month
Auto cleanup old enrolled hosts
by Russ Long
We're adding FreeIPA to an immutable, often rotated environment (AWS ECS Hosts). These hosts are spun up and down at least daily. Is there a way to check FreeIPA to see when a host has last communicated with the FreeIPA Cluster? I'd like to use this information to auto-delete hosts that have not reported in from the FreeIPA host list.
1 year, 1 month
Problem running IPA client on IPv6 only connection
by William Muriithi
Hello,
I have IPA clients that have both IPv4 and IPv6 addresses. One of the
IPA clients is in the office and hence can reach the IPA server on both IPv4
and IPv6. However, the client outside the LAN can only reach the IPA server
over IPv6.
I was able to enroll the external client fine over IPv6 and, from the logs,
all is clean. However, when I attempted to ssh, it's not able to retrieve the
user from IPA. The client in the office works fine. I can also make, for
example, LDAP queries and they work over IPv6 fine. It looks like Kerberos
is somehow using IPv4, however. I reached this conclusion after taking a
tcpdump when attempting to ssh to the server, and the Kerberos traffic from
the client to IPA is on IPv4.
What would I need to do on the IPA client for it to prefer IPv6? I am
aware I could remove the IPv4 address from DNS, but that would break any
communication from IPv4-only systems. Any assistance would be appreciated.
[william@ansible ~]$ ssh root(a)mars.external.example.com
Last login: Mon Jan 7 17:19:49 2019 from 65.98.193.94
[root@mars ~]# kinit admin
kinit: Cannot contact any KDC for realm 'EXTERNAL.EXAMPLE.COM' while getting initial credentials
[root@mars ~]# ldapsearch -x -b
cn=ftp,cn=groups,cn=compat,dc=external,dc=example,dc=com | tail -n 4
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@mars ~]# cat /etc/resolv.conf
search external.example.com
nameserver 2607:4860:6000:a::5
[root@mars ~]#
Regards,
William
1 year, 2 months
ssh key issues
by Andrew Meyer
I recently cleaned up a few servers in my home lab. Deleted servers that I no longer needed. However, it seems I have a server with an IP address that was used previously. FreeIPA is reporting that it is in /var/lib/sss/pubconf/known_hosts but I can't reverse engineer the hostname by doing sshkey -R 1.2.3.4. I have run into this issue previously but it has been quite some time. When I go to delete the line from /var/lib/sss/pubconf/known_hosts it is gone. If someone could help me that would be great. I didn't see anything on my FreeIPA master that indicated I did anything there.
1 year, 2 months
Could not login with AD user
by Ronald Wimmer
Today I was not able to log in with an AD user to an IPA client within a
test setup. IPA users worked fine.
DNS is managed externally. I figured out that the DNS-Record of that
particular IPA client has not been created correctly. After having
corrected the DNS entry and having dropped the SSSD cache on that client
I could login with my AD user.
Do you have an explanation for that or was it just a coincidence?
Cheers,
Ronald
1 year, 2 months
SSSD prompting/2fa
by Sigbjorn Lie
Hi list,
When I have a 2FA-enabled user account, I receive the two password
prompts for sudo at a host, even on hosts where 2FA is not required. This
breaks Ansible for me when using "become" with Ansible.
I am testing the [prompting/2fa] options in sssd to remediate this. I
have the following configuration:
---
[prompting/2fa/sudo]
first_prompt = 'Please enter your password and optional OTP token value: '
single_prompt = True
---
This provides me with a single prompt, with the configured text when I
run sudo on this host.
However, the 2FA OTP code is no longer optional. If I do not enter both
my password and an OTP code, the authentication fails. So this still
does not fix Ansible for me.
From /var/log/secure:
---
Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth):
authentication failure; logname=myusername uid=12345678 euid=0
tty=/dev/pts/1 ruser= myusername rhost= user= myusername
Jun 3 09:15:16 myhost.mydomain.tld sudo[2289804]: pam_sss(sudo:auth):
received for user myusername: 7 (Authentication failure)
Jun 3 09:15:18 myhost.mydomain.tld sudo[2289804]: myusername : 1
incorrect password attempt ; TTY=pts/1 ; PWD=/home/myusername ;
USER=root ; COMMAND=list
---
The only change performed is to add the above prompting configuration to
sssd.conf. If I remove the prompting configuration from sssd.conf, I can
again authenticate using only my password, though with two prompts.
Either way, I am unable to run Ansible anymore.
Any suggestions on how to fix this?
Regards,
Siggi
1 year, 2 months
SSSD Problem after update
by Ronald Wimmer
Today I updated all packages on one of our IPA servers. Unfortunately,
SSSD stopped working:
[sssd] [main] (0x0010): SSSD couldn't load the configuration database.
[sssd] [ldb] (0x0020): Unable to open tdb '/var/lib/sss/db/config.ldb':
Permission denied
[sssd] [ldb] (0x0020): Failed to connect to '/var/lib/sss/db/config.ldb'
with backend 'tdb': Unable to open tdb '/var/lib/sss/db/config.ldb':
Permission denied
[sssd] [confdb_init] (0x0010): Unable to open config database
[/var/lib/sss/db/config.ldb]
[sssd] [confdb_setup] (0x0010): The confdb initialization failed [5]:
Input/output error
[sssd] [load_configuration] (0x0010): Unable to setup ConfDB [5]:
Input/output error
I noticed that owner and group of config.ldb are changed to sssd when I
try to restart the sssd.service. On all remaining IPA servers this
particular file belongs to root.
I will revert to the snapshot I made before updating packages in order
to make that IPA server work again properly.
Cheers,
Ronald
1 year, 2 months