SAN not added to requested cert
by Ranbir
Hello Everyone,
I have an AlmaLinux 9.0 client enrolled into a 4.9.8 ipa domain running
on a Rocky Linux 8.6 server. I'm running the following command on the
client to request a cert:
ipa-getcert request -I cockpit -k /etc/cockpit/ws-certs.d/0-cockpit.key -f /etc/cockpit/ws-certs.d/0-cockpit.crt -g 2048 -K HTTP/$(hostname) -D hostname.theinside.rnr -m 640 -M 640 -o root:cockpit-ws -O root:cockpit-ws
The cert gets issued without error. But, I don't see the "dns" line in
the output:
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/0-cockpit.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/0-cockpit.crt'
CA: IPA
issuer: CN=Certificate Authority,O=THEINSIDE.RNR
subject: CN=hostname.theinside.rnr,O=THEINSIDE.RNR
issued: 2022-06-20 21:31:39 EDT
expires: 2024-06-20 21:31:39 EDT
principal name: HTTP/hostname.theinside.rnr(a)THEINSIDE.RNR
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
The result is Firefox complains about the cert when I try to visit the
cockpit web UI.
I've run it now a few times with the same result. Which one of the
myriad of logs should I check to maybe understand why this is
happening?
--
Ranbir
1 year, 3 months
Re: ipa-server-certinstall -k
by Rob Crittenden
Charles Hedrick via FreeIPA-users wrote:
> the error is
>
> The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC
A PKINIT certificate needs an EKU extension,
https://datatracker.ietf.org/doc/html/rfc4556
When generating the key with OpenSSL you need to include "-extensions kdc_cert"
rob
>
>
> ------------------------------------------------------------------------
> *From:* Charles Hedrick via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org>
> *Sent:* Wednesday, June 15, 2022 3:39 PM
> *To:* freeipa-users(a)lists.fedorahosted.org
> <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Charles Hedrick <hedrick(a)rutgers.edu>
> *Subject:* [Freeipa-users] ipa-server-certinstall -k
>
> ipa-server-certinstall works fine for http and ldap. But I can't get the
> -k option to work.
>
> I've tried cert.pem and privkey.pem with and without chain.pem, as well
> as fullchain.pem and privkey.pem (fullchain has both the cert and the
> chain).
>
> The certs were issued by Internet2, which chains up to addtrust.
>
> kinit -n works fine if I install the pem files manually, so presumably
> my files are valid.
>
>
1 year, 3 months
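For the PKINIT requirement Rob points to above, here is an added example (not from the thread or the FreeIPA project) of the OpenSSL extension section that "-extensions kdc_cert" refers to, a signing call that uses it, and a check that a PEM certificate actually carries the KDC EKU before it is handed to ipa-server-certinstall -k. The file names (ca.pem, cakey.pem) and the exported REALM variable are assumptions.

```shell
# Added example, not from the thread: OpenSSL extension section for a
# PKINIT KDC certificate (RFC 4556) plus a check for the KDC EKU that
# "invalid for a KDC" complains about. ca.pem, cakey.pem and REALM are
# assumptions; the section layout follows the MIT krb5 pkinit docs.
set -eu

KDC_EKU_OID="1.3.6.1.5.2.3.5"   # id-pkinit-KPKdc, the EKU a KDC cert needs
KDC_SAN_OID="1.3.6.1.5.2.2"     # id-pkinit-san, carries the KDC principal

# Write the section that "-extensions kdc_cert" refers to ($1 = path).
# ${ENV::REALM} is left literal so OpenSSL reads REALM at signing time.
write_kdc_extfile() {
    cat > "$1" <<EOF
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = $KDC_EKU_OID
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:$KDC_SAN_OID;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:\${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:\${ENV::REALM}
EOF
}

# Sign a CSR with a local CA using that section.
# $1 = CSR, $2 = extension file, $3 = output cert; assumes ca.pem/cakey.pem
# exist and REALM is exported (export REALM=EXAMPLE.COM before calling).
sign_kdc_cert() {
    openssl x509 -req -in "$1" -CA ca.pem -CAkey cakey.pem -CAcreateserial \
        -days 365 -extfile "$2" -extensions kdc_cert -out "$3"
}

# Exit 0 if the PEM cert in $1 carries the KDC EKU, 1 otherwise. OpenSSL
# prints the OID either dotted or by its registered name, so match both.
has_kdc_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q -e "$KDC_EKU_OID" -e "pkInitKDC" -e "Signing KDC Response"
}
```

A certificate from a public CA will normally fail has_kdc_eku, since such CAs issue serverAuth certificates rather than the PKINIT KDC EKU; that is the first thing to verify on cert.pem before retrying the -k install.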
Extending FreeIPA (Schema, CI, UI)
by Leo O
Hello,
running on the FreeIPA rocky-8-4.9.6 docker container.
I would like to extend FreeIPA with the postfix-book schema. I need it for a mail server. Unfortunately I can't find any documentation about that, just some old presentation (FreeIPA 3.3 Training Series) and also some old, maybe still valid, example: https://github.com/abbra/freeipa-userstatus-plugin.
Documentation would be really good and helpful. Does anyone have some notes? It doesn't have to be full polished documentation, just some notes, maybe some more examples for the current FreeIPA version?
Thanks
1 year, 3 months
Force early renewal of server certificate
by Ian Pilcher
It seems that Firefox has now started warning about certificates that
don't include a subject alternative name. (Honestly, I had no idea that
it wasn't already doing so; Chrome has been doing this for years.)
My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS
interface, so I would like to regenerate it.
1. Is it possible to use ipa-getcert to request an early renewal, or do
I have to delete/recreate it?
2. This is a fully updated CentOS 7 system, running the included
version of FreeIPA (ipa-server-4.6.8-5.el7.centos.10.x86_64). Will
it automatically include a SAN extension when it renews the server
certificate (or issues a new one), or do I need to modify a
certificate profile?
3. Related to the above, which profile should I use if I need to
issue a completely new certificate - caIPAserviceCert?
4. Are any other steps necessary? I.e., if I have to delete and re-issue
the certificate, do I need to update any other configuration
files or directory records to reference the new certificate?
Thanks!
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
1 year, 3 months
Re: Upgrading from EL7.9 to EL8
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> I am planning the upgrade of one of our FreeIPA deployments from EL7.9
>
> Previously, we have been quite good at upgrading through OS point
> upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series
> of FreeIPA software.
>
> Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8
> FreeIPA which will receive the freeipa software from the Appstream
> repository. At time of writing, that process will see me introducing a
> replica running ipa-server 4.9.8 to my existing FreeIPA nodes running
> ipa-server 4.6.8
>
> Should I be concerned about more minor updates and find some way of
> upgrading through different ipa-server (and dependencies) releases from
> Appstream or do you think I should just run the procedure as described
> above?
Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.
Running mixed versions is likely fine in most cases, but we don't
recommend doing it for very long and encourage a relatively fast
migration (weeks, not months). Be sure to watch the replication topology
and maintain the service mix (e.g. at least 2 CAs), and have one CA
designated as the renewal master, CRL master, etc. It's all in the docs.
rob
1 year, 3 months
ID Views change sudo rules for local user
by Alessandro Fort
Hi,
I have a local user (let's call it local) that has NOPASSWD set in
/etc/sudoers. When I apply an ID view to change my FreeIPA user's (let's
call it domain) username, UID, GID, shell and home to that of local,
whenever I try to use sudo after logging in with either domain or local,
domain's sudo rules apply and I am asked for a password. Is this
expected behaviour or a quirk of my configuration/policies? I would
expect that when logging in using domain, FreeIPA sudo rules are
applied, while if I log in using local I'd get the old /etc/sudoers
policy. Is this possible?
Thank you!
1 year, 3 months
kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump
by rui liang
> Oh, I see. Thank you for your guidance.
>
> My system is Ubuntu 16.04 with FreeIPA 4.3. Because the current CA cert has expired and there
> are problems, it is difficult to repair, so I want to rebuild a new environment to recover
> the user data on the old cluster. Is there any good scheme recommended? Thank you very much.
I tried the kdb5_util tool to import Kerberos data into the new IPA environment, but I got a message that the file was empty. What's the reason?
man kdb5_util
1.13.2 KDB5_UTIL(8)
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/admin_commands/kdb5_util...
root@migration-ipa-65:~# kdb5_util dump mydump
kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump
root@migration-ipa-65:~# kdb5_util dump -verbose mydump
admin(a)YYDEVOPS.COM
K/M(a)YYDEVOPS.COM
krbtgt/YYDEVOPS.COM(a)YYDEVOPS.COM
kadmin/migration-ipa-65.185.hiido.host.yydevops.com(a)YYDEVOPS.COM
kadmin/admin(a)YYDEVOPS.COM
kadmin/changepw(a)YYDEVOPS.COM
kiprop/migration-ipa-65.185.hiido.host.yydevops.com(a)YYDEVOPS.COM
ldap/migration-ipa-65.185.hiido.host.yydevops.com(a)YYDEVOPS.COM
host/migration-ipa-65.185.hiido.host.yydevops.com(a)YYDEVOPS.COM
HTTP/migration-ipa-65.185.hiido.host.yydevops.com(a)YYDEVOPS.COM
csantana(a)YYDEVOPS.COM
roy(a)YYDEVOPS.COM
kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump
-old|-ov|-b6|-b7|-r13|-r18 I tried all the parameters, but it didn't work. Why?
1 year, 3 months
ipa migrate-ds later kerberos Generic preauthentication failure while getting initial credentials
by rui liang
I want to migrate the old freeipa LDAP server to a new Freeipa server. However, after using this migration scheme, I find that the old keytab file cannot be logged in. How do I set up the old keytab file to work properly?
https://www.freeipa.org/page/Howto/Migration
echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://migrated.freeipa.server.test
ssh new.migrated.freeipa.server.test
Use the old keytab file
root@migration-ipa-65:/home/liangrui# kinit -kt roy.keytab roy
kinit: Generic preauthentication failure while getting initial credentials
1 year, 3 months
Can the UPN searched for in a trust be modified?
by Ranbir
Hello Everyone,
I have a situation where users' UPN in AD for the domain that my ipa
domain has a trust with has been modified to look nothing like the
domain account. The user name and suffix entered in the UPN don't match
the AD account name or the trusted domain.
I've used ipa trust-mod to add two suffixes where one matches the AD
domain and the other matches what's entered in the UPN.
I've looked through the man pages for sssd-ad and sssd-ldap, but I
didn't immediately see an option that would allow me to modify what's
being searched for the user name in the UPN. I'm looking through the
man pages again. But, I figured I should ask here, too: is it possible
to also modify the "user name" portion of the UPN that's being looked
up for the trusted account?
--
Ranbir
1 year, 3 months