keytab encryption settings
by G H
I got FreeIPA up and running but am having trouble getting it working with Apache; I tried both mod_auth_mellon and mod_auth_gssapi. My goal is to have something that 1) attempts Kerberos, 2) falls back to user/pass auth.
For mod_auth_gssapi, I am able to get SSO working with my local Firefox, but the fallback HTTP Basic auth fails. Opening a private Firefox window (to break Kerberos) and entering my username/pass, I get the following Apache log error:
GSS ERROR gss_init_sec_context(): [Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Apache config is:
<Location />
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/http.keytab
GssapiBasicAuth On
GssapiBasicAuthMech krb5
Require valid-user
</Location>
Okay, so I moved to mod_auth_mellon (SAML auth via Keycloak via FreeIPA). With this one I got username/pass auth working, but Kerberos does not work. I followed the instructions here: https://jdennis.fedorapeople.org/doc/mellon-install/mellon-install-guide....
Keycloak reports the below message when I *require* Kerberos auth (over username/passwd):
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
So I think something might be wrong with my keytab file. Lots of posts around the internet are about Windows AD and say to enable AES encryption for that service, but I do not see such an option in FreeIPA.
So am I missing something with the encryption settings?
Here is my keytab creation command: ipa-getkeytab -s freeipa.example.com -p HTTP/keycloak.example.com -k /tmp/client1.keytab
And here is the result:
[root@freeipa ~]# klist -e -k /tmp/client1.keytab
Keytab name: FILE:/tmp/client1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/keycloak.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 HTTP/keycloak.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
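As an added diagnostic (not from the post and not part of FreeIPA or Keycloak), this parses the klist -e -k output above and checks whether the keytab holds the enctype named in the Keycloak AP-REQ error for that principal, and whether the keytab's kvno has fallen behind the KDC's; the kvno check matters because ipa-getkeytab generates a fresh key by default, which invalidates any earlier keytab for the same principal. The JAVA_ENCTYPE_NAMES table and the kdc_kvno parameter (the number the kvno command reports) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `klist -e -k` output quoted in the post above.
KLIST_OUTPUT = """\
Keytab name: FILE:/tmp/client1.keytab
KVNO Principal
---- ---------------------------------------------------------------
   1 HTTP/keycloak.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 HTTP/keycloak.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

# Assumed table: Java's GSS names for the enctypes in this thread -> MIT names.
JAVA_ENCTYPE_NAMES = {
    "AES256 CTS mode with HMAC SHA1-96": "aes256-cts-hmac-sha1-96",
    "AES128 CTS mode with HMAC SHA1-96": "aes128-cts-hmac-sha1-96",
}

@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str

def parse_klist(text):
    """Parse `klist -e -k` output into KeytabEntry records."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def enctype_from_ap_req_error(message):
    """Pull the enctype out of a Java 'Cannot find key ... decrypt AP-REQ - <name>'
    message and return its MIT name, or None if the name is not in the table."""
    _, sep, tail = message.rpartition("AP-REQ - ")
    return JAVA_ENCTYPE_NAMES.get(tail.strip().rstrip(")")) if sep else None

def missing_enctypes(entries, principal, required):
    """Return the enctypes in `required` for which `principal` has no key in the keytab."""
    have = {e.enctype for e in entries if e.principal == principal}
    return sorted(set(required) - have)

def kvno_is_stale(entries, principal, kdc_kvno):
    """True when the keytab's newest key for `principal` is older than the KDC's
    current kvno (assumed to come from `kvno <principal>`), so AP-REQs fail."""
    kvnos = [e.kvno for e in entries if e.principal == principal]
    return not kvnos or max(kvnos) < kdc_kvno
```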
After upgrade, only one direction replication while should be bi-directions replication
by Kathy Zhu
Hi Team,
We upgraded our Centos 7 IPA masters to the latest:
CentOS Linux release 7.9.2009 (Core)
ipa-server.x86_64 4.6.8-5.el7.centos.10
389-ds-base.x86_64 1.3.10.2-15.el7_9
389-ds-base-libs.x86_64 1.3.10.2-15.el7_9
389-ds-base-snmp.x86_64 1.3.10.2-15.el7_9
slapi-nis.x86_64 0.56.5-3.el7_9
After that, 8 of 10 masters had replication issues. After reinitializing, 2
of them are still having issues. They can accept replication from other
masters, but their own changes cannot be replicated to others.
Here are the logs in /var/log/dirsrv/slapd-EXAMPLE-COM/errors:
[01/Jun/2022:21:53:02.324756398 -0700] - ERR - NSMMReplicationPlugin -
send_updates - agmt="cn=dc1-ipa1.example.com-to-dc2-ipa1.example.com"
(dc2-ipa1:389): Data required to update replica has been purged from the
changelog. If the error persists the replica must be reinitialized.
[01/Jun/2022:21:53:03.396330801 -0700] - ERR - agmt="cn=
dc1-ipa1.example.com-to-dc3-ipa1.example.com" (dc3-ipa1:389) -
clcache_load_buffer - Can't locate CSN 627e26a50005001d0000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[01/Jun/2022:21:53:03.396502102 -0700] - ERR - NSMMReplicationPlugin -
changelog program - repl_plugin_name_cl - agmt="cn=
dc1-ipa1.example.com-to-dc3-ipa1.example.com" (dc3-ipa1:389): CSN
627e26a50005001d0000 not found, we aren't as up to date, or we purged
[01/Jun/2022:21:53:03.396694568 -0700] - ERR - NSMMReplicationPlugin -
send_updates - agmt="cn=dc1-ipa1.example.com-to-dc3-ipa1.example.com"
(dc3-ipa1:389): Data required to update replica has been purged from the
changelog. If the error persists the replica must be reinitialized.
[01/Jun/2022:21:53:04.411599251 -0700] - ERR - agmt="cn=
dc1-ipa1.example.com-to-ipa0.example.com" (ipa0:389) - clcache_load_buffer
- Can't locate CSN 627e26a50005001d0000 in the changelog (DB rc=-30988). If
replication stops, the consumer may need to be reinitialized.
[01/Jun/2022:21:53:04.411753186 -0700] - ERR - NSMMReplicationPlugin -
changelog program - repl_plugin_name_cl - agmt="cn=
dc1-ipa1.example.com-to-ipa0.example.com" (ipa0:389): CSN
627e26a50005001d0000 not found, we aren't as up to date, or we purged
[01/Jun/2022:21:53:04.411893312 -0700] - ERR - NSMMReplicationPlugin -
send_updates - agmt="cn=dc1-ipa1.example.com-to-ipa0.example.com"
(ipa0:389): Data required to update replica has been purged from the
changelog. If the error persists the replica must be reinitialized.
[01/Jun/2022:21:53:05.482898290 -0700] - ERR - agmt="cn=
dc1-ipa1.example.com-to-dc2-ipa1.example.com" (dc2-ipa1:389) -
clcache_load_buffer - Can't locate CSN 627e26a50005001d0000 in the
changelog (DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[01/Jun/2022:21:53:05.483231727 -0700] - ERR - NSMMReplicationPlugin -
changelog program - repl_plugin_name_cl - agmt="cn=
dc1-ipa1.example.com-to-dc2-ipa1.example.com" (dc2-ipa1:389): CSN
627e26a50005001d0000 not found, we aren't as up to date, or we purged
[01/Jun/2022:21:53:05.483483005 -0700] - ERR - NSMMReplicationPlugin -
send_updates - agmt="cn=dc1-ipa1.example.com-to-dc2-ipa1.example.com"
(dc2-ipa1:389): Data required to update replica has been purged from the
changelog. If the error persists the replica must be reinitialized.
Note, those messages are after being reinitialized.
Any idea what's wrong here?
Thanks.
Kathy.
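An added triage helper, not from the post and not part of 389-ds: it parses error lines like the ones above and decodes the CSN the supplier cannot find (a 389-ds CSN is 20 hex digits: Unix time, sequence number, replica id, sub-sequence number), so you can see which replica id originated the change and how much older it is than the log entry that complains about it. SAMPLE_LOG is constructed from two of the lines quoted above, unwrapped.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two error lines quoted in the post above, unwrapped onto
# one line each as the server writes them.
SAMPLE_LOG = [
    '[01/Jun/2022:21:53:03.396330801 -0700] - ERR - '
    'agmt="cn=dc1-ipa1.example.com-to-dc3-ipa1.example.com" (dc3-ipa1:389) - '
    "clcache_load_buffer - Can't locate CSN 627e26a50005001d0000 in the changelog "
    '(DB rc=-30988). If replication stops, the consumer may need to be reinitialized.',
    '[01/Jun/2022:21:53:03.396694568 -0700] - ERR - NSMMReplicationPlugin - '
    'send_updates - agmt="cn=dc1-ipa1.example.com-to-dc3-ipa1.example.com" '
    '(dc3-ipa1:389): Data required to update replica has been purged from the '
    'changelog. If the error persists the replica must be reinitialized.',
]

TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})\]")
AGMT_RE = re.compile(r'agmt="cn=([^"]+)"')
CSN_RE = re.compile(r"CSN ([0-9a-f]{20})")

def decode_csn(csn):
    """Split a 389-ds CSN: 8 hex chars of Unix time, then 4 each of sequence
    number, replica id and sub-sequence number."""
    t = datetime.fromtimestamp(int(csn[:8], 16), timezone.utc)
    return {"time": t, "seqnum": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16), "subseq": int(csn[16:20], 16)}

def parse_line(line):
    """Return the timestamp, agreement, CSN and error kind of one error-log line."""
    m = TS_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
    agmt = AGMT_RE.search(line)
    csn = CSN_RE.search(line)
    return {"time": when, "agmt": agmt.group(1) if agmt else None,
            "csn": csn.group(1) if csn else None,
            "purged": "purged from the changelog" in line}

def missing_csns(lines):
    """For each line naming a CSN, report the agreement, the replica id that
    originated the CSN, and how many days older the CSN is than the log entry."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["csn"]:
            info = decode_csn(rec["csn"])
            age_days = (rec["time"] - info["time"]).total_seconds() / 86400
            out.append((rec["agmt"], rec["csn"], info["rid"], round(age_days, 1)))
    return out
```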
ca-error: Server at https://xx.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
by rui liang
### Request for enhancement
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired
At present, it is an online operation, so I dare not change the configuration at will. I tried to modify Linux time on the test environment, but there were some unexpected risks. I don't dare to change the time online like this. Is there a good way to renew it? Thank you very much.
#### Steps to Reproduce
root@fs-ambari-server:~# ipa host-add fs-hiido-alluxio-12-65-100.hiido.host.yydevops.com
ipa: ERROR: cert validation failed for "CN=fs-hiido-kerberos-server02.hiido.host.yydevops.com,O=YYDEVOPS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
root@fs-ambari-server:~#
root@fs-ambari-server:~#
root@fs-ambari-server:~# cat /tmp/kinit_trace
[61194] 1653916457.285087: ccselect module realm chose cache KEYRING:persistent:0:0 with client principal admin@YYDEVOPS.COM for server principal HTTP/fs-hiido-kerberos-server02.hiido.host.yydevops.com@YYDEVOPS.COM
[61194] 1653916457.285138: Getting credentials admin@YYDEVOPS.COM -> HTTP/fs-hiido-kerberos-server02.hiido.host.yydevops.com@YYDEVOPS.COM using ccache KEYRING:persistent:0:0
[61194] 1653916457.285216: Retrieving admin@YYDEVOPS.COM -> HTTP/fs-hiido-kerberos-server02.hiido.host.yydevops.com@YYDEVOPS.COM from KEYRING:persistent:0:0 with result: 0/Success
[61194] 1653916457.285253: Creating authenticator for admin@YYDEVOPS.COM -> HTTP/fs-hiido-kerberos-server02.hiido.host.yydevops.com@YYDEVOPS.COM, seqnum 746871073, subkey aes256-cts/24EC, session key aes256-cts/BFE5
ssh fs-hiido-kerberos-server02.hiido.host.yydevops.com@YYDEVOPS.COM
root@fs-hiido-kerberos-server02:/var/log/ipa# ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20200528083036':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv YYDEVOPS-COM
track: yes
auto-renew: yes
Request ID '20200528083056':
status: CA_UNREACHABLE
ca-error: Server at https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/fs-hiido-kerberos-server02.hiido.host.yydevops.com-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=YYDEVOPS.COM
subject: CN=fs-hiido-kerberos-server02.hiido.host.yydevops.com,O=YYDEVOPS.COM
expires: 2022-05-29 16:31:00 CST
dns: fs-hiido-kerberos-server02.hiido.host.yydevops.com
principal name: HTTP/fs-hiido-kerberos-server02.hiido.host.yydevops.com@YYDEVOPS.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
#### Version/Release/Distribution
root@fs-hiido-kerberos-server02:/var/log/ipa# ipa --version
VERSION: 4.8.6, API_VERSION: 2.236