Expired Subsystem CAs
by MM MM
Hi,
we have two IPA servers (primary and replica) in the same network. Both are running on CentOS 7. On 1 January we had the problem that suddenly the authentication didn't work anymore.
During troubleshooting we noticed that the subsystem CAs had been expired for nearly two years. I don't know why the error didn't occur earlier. At this point we could fix the primary server with the command "ipa-cert-fix", but the replica couldn't be included into FreeIPA anymore. So we decided to install a fresh system: CentOS 7, same IPA version, same IP, same hostname. We could bind the new system without any problems to the existing primary server, but when we tried to install the replica service, we got the following error:
"
RuntimeError: CA configuration failed.
2023-01-26T07:48:34Z DEBUG [error] RuntimeError: CA configuration failed.
2023-01-26T07:48:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
"
In the pki-tomcatd debug log it's a bit more detailed:
"
2023-01-26 08:48:32 [main] SEVERE: LogFile: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main - [26/Jan/2023:08:48:32 CET] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.150.116.54][ServerHost=10.150.116.54][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
2023-01-26 08:48:32 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Selftest failed: Invalid certificate ocspSigningCert cert-pki-ca: NotAfter: Sun Mar 07 15:49:58 CET 2021
2023-01-26 08:48:32 [main] INFO: Shutting down CA subsystem
"
As you can see, the CA replication couldn't be started, as there are expired subsystem CAs on the primary system.
First we tried to remove the expired subsystem CA certificates from the LDAP tree with
ldapdelete -x -D "cn=directory manager" -W "cn=44,ou=ca,ou=requests,o=ipaca"
and
ldapdelete -x -D "cn=directory manager" -W "cn=44,ou=certificateRepository,ou=ca,o=ipaca"
as there are newly generated subsystem CA certificates already, but "ipa-cert-fix" still reported that these certificates are expired. This had the effect that pki-tomcatd didn't start anymore.
Next we also removed the expired certificates from pki-tomcat with
/usr/bin/certutil -d sql:/etc/pki/pki-tomcat/alias -D -n 'ocspSigningCert cert-pki-ca' -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
At this point the IPA service starts without any problems and "ipa-cert-fix" doesn't show any expired certificates anymore, but when we tried to initialize the replica it still tries to replicate the old expired certificates, ending in an HTTP 404 error.
Now we’ve reached a point where we just don’t have any more ideas.
I hope somebody has an idea and can help.
If you need more information and/or logs, we can deliver them at any time!
Thanks in advance!
Best regards
Unable to Login to Ubuntu Servers after Enabling token
by Damola Azeez
Hi,
I am unable to log in to all my Ubuntu servers after I enabled an OTP token on my account. I get the below errors from auth.log:
Jan 25 13:34:59 softpaydbv4 sshd[2633643]: pam_sss(sshd:auth): received for user daazeez: 17 (Failure setting user credentials)
Jan 25 13:35:01 softpaydbv4 sshd[2633643]: Failed password for daazeez from 10.10.40.249 port 9254 ssh2
Jan 25 13:35:01 softpaydbv4 CRON[2633650]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 25 13:35:01 softpaydbv4 CRON[2633650]: pam_unix(cron:session): session closed for user root
Jan 25 13:35:12 softpaydbv4 sshd[2633643]: error: Received disconnect from 10.10.40.249 port 9254:0: [preauth]
Jan 25 13:35:12 softpaydbv4 sshd[2633643]: Disconnected from authenticating user daazeez 10.10.40.249 port 9254 [preauth]
Jan 25 13:35:12 softpaydbv4 sshd[2633643]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249 user=daazeez
Jan 25 13:35:16 softpaydbv4 sshd[2633659]: Invalid user dazeez from 10.10.40.249 port 9962
Jan 25 13:35:20 softpaydbv4 sshd[2633659]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:35:20 softpaydbv4 sshd[2633659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249
Jan 25 13:35:20 softpaydbv4 sshd[2633659]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249 user=dazeez
Jan 25 13:35:20 softpaydbv4 sshd[2633659]: pam_sss(sshd:auth): received for user dazeez: 10 (User not known to the underlying authentication module)
Jan 25 13:35:22 softpaydbv4 sshd[2633659]: Failed password for invalid user dazeez from 10.10.40.249 port 9962 ssh2
Jan 25 13:35:27 softpaydbv4 sshd[2633659]: pam_unix(sshd:auth): check pass; user unknown
Jan 25 13:35:27 softpaydbv4 sshd[2633659]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249 user=dazeez
Jan 25 13:35:27 softpaydbv4 sshd[2633659]: pam_sss(sshd:auth): received for user dazeez: 10 (User not known to the underlying authentication module)
Jan 25 13:35:29 softpaydbv4 sshd[2633659]: Failed password for invalid user dazeez from 10.10.40.249 port 9962 ssh2
Jan 25 13:35:36 softpaydbv4 sshd[2633659]: error: Received disconnect from 10.10.40.249 port 9962:0: [preauth]
Jan 25 13:35:36 softpaydbv4 sshd[2633659]: Disconnected from invalid user dazeez 10.10.40.249 port 9962 [preauth]
Jan 25 13:35:36 softpaydbv4 sshd[2633659]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249
Jan 25 13:35:57 softpaydbv4 sshd[2633672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249 user=sysadmin
Jan 25 13:35:57 softpaydbv4 sshd[2633672]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.40.249 user=sysadmin
Jan 25 13:35:57 softpaydbv4 sshd[2633672]: pam_sss(sshd:auth): received for user sysadmin: 10 (User not known to the underlying authentication module)
Jan 25 13:36:00 softpaydbv4 sshd[2633672]: Failed password for sysadmin from 10.10.40.249 port 10434 ssh2
Jan 25 13:36:17 softpaydbv4 sshd[2633672]: error: Received disconnect from 10.10.40.249 port 10434:0: [preauth]
Jan 25 13:36:17 softpaydbv4 sshd[2633672]: Disconnected from authenticating user sysadmin 10.10.40.249 port 10434 [preauth]
Kindly assist
Show expiring certificates issued by IPA CA
by Orion Poplawski
Does anyone know of a script or way to get a list of certificates issued by the IPA CA that are about to expire?
Thanks.
--
Orion Poplawski
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
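One way to get such a list, as an added example that is not part of the original thread: feed the text output of "ipa cert-find --sizelimit=0" into a small script that parses each certificate block and reports the ones expiring within N days. It assumes the output labels "Serial number:", "Subject:", "Not After:" and "Revoked:" and the date format "Fri Feb 02 10:00:00 2024 UTC" (assumptions; check them against your IPA version), and the sample output below is constructed for the self-check.

```python
"""Report IPA-issued certificates that expire within N days.

Usage (assumed output format of ipa cert-find, see labels below):
    ipa cert-find --sizelimit=0 | python3 expiring_certs.py 30
"""
import sys
from datetime import datetime, timedelta, timezone

# Date format assumed for "Not After:" lines, e.g. "Fri Feb 02 10:00:00 2024 UTC".
DATE_FMT = "%a %b %d %H:%M:%S %Y %Z"

# Constructed sample of cert-find output (not real certificates), used by the self-check.
SAMPLE_OUTPUT = """\
------------------------
4 certificates matched
------------------------
  Serial number: 7
  Subject: CN=host1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Wed Feb 01 10:00:00 2023 UTC
  Not After: Fri Feb 02 10:00:00 2024 UTC
  Serial number (hex): 0x7
  Revoked: False

  Serial number: 8
  Subject: CN=host2.example.test,O=EXAMPLE.TEST
  Not Before: Wed Feb 01 10:00:00 2023 UTC
  Not After: Sat Mar 15 10:00:00 2025 UTC
  Revoked: False

  Serial number: 9
  Subject: CN=old.example.test,O=EXAMPLE.TEST
  Not Before: Mon Feb 01 10:00:00 2021 UTC
  Not After: Tue Feb 01 10:00:00 2022 UTC
  Revoked: False

  Serial number: 10
  Subject: CN=gone.example.test,O=EXAMPLE.TEST
  Not Before: Wed Feb 01 10:00:00 2023 UTC
  Not After: Thu Jan 25 10:00:00 2024 UTC
  Revoked: True
----------------------------
Number of entries returned 4
----------------------------
"""


def parse_ipa_date(value):
    """Parse an IPA "Not After" value into an aware UTC datetime."""
    return datetime.strptime(value.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_cert_find(text):
    """Split cert-find text output into one dict per certificate.

    A new record starts at every "Serial number:" line; "Serial number (hex):"
    does not match because of the colon position. Only the fields needed for
    an expiry report are kept.
    """
    certs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial number:"):
            current = {"serial": line.split(":", 1)[1].strip(), "revoked": False}
            certs.append(current)
        elif current is None:
            continue
        elif line.startswith("Subject:"):
            current["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Not After:"):
            current["not_after"] = parse_ipa_date(line.split(":", 1)[1])
        elif line.startswith("Revoked:"):
            current["revoked"] = line.split(":", 1)[1].strip() == "True"
    return certs


def classify(certs, days, now=None):
    """Return (expiring_soon, already_expired), both sorted by expiry.

    Revoked certificates are skipped: they no longer need renewal. A
    certificate counts as "expiring soon" when now <= not_after <= now + days.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=days)
    soon, expired = [], []
    for cert in certs:
        if cert["revoked"] or "not_after" not in cert:
            continue
        if cert["not_after"] < now:
            expired.append(cert)
        elif cert["not_after"] <= cutoff:
            soon.append(cert)
    key = lambda c: c["not_after"]
    return sorted(soon, key=key), sorted(expired, key=key)


def main(argv):
    days = int(argv[1]) if len(argv) > 1 else 30
    soon, expired = classify(parse_cert_find(sys.stdin.read()), days)
    for tag, group in (("EXPIRING", soon), ("EXPIRED", expired)):
        for cert in group:
            print(f"{tag} serial={cert['serial']} not_after={cert['not_after']:%Y-%m-%d} "
                  f"subject={cert.get('subject', '?')}")
    # Non-zero exit lets a cron job or monitoring check alert on findings.
    return 1 if soon or expired else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```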
Replica Install issue after 'adding fallback group' step
by Khurrum Maqb
Hi all,
I'm moving from CentOS 7 running FreeIPA Server 4.6.8-5 to Rocky Linux 8 running FreeIPA Server 4.9.10-6, and I am having some issues, apparently with idranges and dnaranges, when creating a replica on RL8. There are 3x CentOS 7 systems (ServerA, ServerB, ServerC) and 1x Rocky Linux 8 (ServerRL).
This domain has been around since the CentOS 6 days.
The main issue: when I try to create a replica on RL8, there is a failure at the [7/7]: adding fallback group step:
Operations Error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignments plugin,cn=plugins,cn=config failed! Unable to proceed.
When I check the available idranges, they are not depleted.
The main oddity that I'm seeing is that some of the earliest UIDs and GIDs are in the range 100710000 + 200000. And ServerA has a dnaNextRange set to 1007111507-1007111999. This is in a non-existent idrange.
When I try to set it manually, all I get is "Updating Next Range Failed".
See logs:
####### On ServerRL (New RL 8 server) #######
# ipa-replica-install --setup-ca --setup-dns --forwarder <IP> --forwarder <IP>
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
Failed to add fallback group.
[error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
And in the ipareplica-install.log I see:
2023-01-25T16:33:28Z DEBUG step duration: SID generation __restart_dirsrv 8.81 sec
2023-01-25T16:33:28Z DEBUG [7/7]: adding fallback group
2023-01-25T16:33:28Z DEBUG flushing ldapi://%2Frun%2Fslapd-mydomain3-COM.socket from SchemaCache
2023-01-25T16:33:28Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-mydomain3-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc8a1020278>
2023-01-25T16:33:29Z DEBUG Starting external process
2023-01-25T16:33:29Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
2023-01-25T16:33:39Z DEBUG Process finished, return code=1
2023-01-25T16:33:39Z DEBUG stdout=add cn:
Default SMB Group
add description:
Fallback group for primary group RID, do not add users to this group
add gidnumber:
-1
add objectclass:
top
ipaobject
posixgroup
adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=mydomain3,dc=com"
2023-01-25T16:33:39Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Operations error (1)
additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
2023-01-25T16:33:39Z CRITICAL Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z DEBUG Failed to add fallback group.
2023-01-25T16:33:39Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1085, in error_handler
yield
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1585, in find_entries
raise e
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1545, in find_entries
result = self.conn.result3(id, 0)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise
raise exc_value
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'msgtype': 101, 'msgid': 4, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'cn=groups,cn=accounts,dc=mydomain3,dc=com'}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 327, in __add_fallback_group
api.Backend.ldap2.get_entry(fb_group_dn)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1941, in get_entry
dn, attrs_list, time_limit, size_limit, get_effective_rights
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1642, in get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1454, in get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1592, in find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1095, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group
raise e
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod
ipautil.run(args, nolog=nologlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z DEBUG [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 599, in main
replica_install(self)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
func(installer)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install
adtrust.install(False, options, fstore, api)
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install
smb.create_instance()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
self.start_creation(show_service_name=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group
raise e
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod
ipautil.run(args, nolog=nologlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
p.returncode, arg_string, output_log, error_log
2023-01-25T16:33:39Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z ERROR CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
####### ON serverA #######
Last login: Wed Jan 25 10:44:37 2023 from client.sub.mydomain3.com
[root@serverA ~]# ipa-replica-manage list
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverA ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverA ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverA ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverA ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104605500
dnaNextRange: 1007111507-1007111999
dnaNextValue: 104605010
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverA ~]#
####### ON serverB #######
Last login: Wed Jan 25 10:44:16 2023 from client.sub.mydomain3.com
[root@serverB ~]# ipa-replica-manage list
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverB ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverB ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverB ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverB ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104606000
dnaNextRange: 104606003-104606500
dnaNextValue: 104605502
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverB ~]#
####### ON serverC #######
Last login: Wed Jan 25 10:44:51 2023 from client.sub.mydomain3.com
[root@serverC ~]# ipa-replica-manage list
Directory Manager password:
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverC ~]# ipa idrange-find
ipa: ERROR: did not receive Kerberos credentials
[root@serverC ~]# kinit kmaqbool
Password for kmaqbool(a)mydomain3.COM:
[root@serverC ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverC ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverC ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverC ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104608500
dnaNextRange: 104606519-104606600
dnaNextValue: 104608142
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverC ~]#
####### ON serverRL #######
root(a)192.168.162.6's password:
Last login: Wed Jan 25 10:55:08 2023 from client.sub.mydomain3.com
[root@serverRL ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverRL ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverRL ~]# ipa-replica-manage dnarange-show
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: IPA is not configured on this system.
####### ON serverA #######
Attempting to change dnaNextRange
[root@serverA ~]# ipa-replica-manage dnanextrange-set -d serverA.sub.mydomain3.com 104607000-104607500
ipa: DEBUG: found 1 A records for serverA.sub.mydomain3.com.: 192.168.162.11
ipa: DEBUG: The DNS response does not contain an answer to the question: serverA.sub.mydomain3.com. IN AAAA
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverA.sub.mydomain3.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0818d6b1b8>
ipa: DEBUG: Created connection context.ldap2_139672798648528
ipa: DEBUG: found 1 A records for serverA.sub.mydomain3.com.: 192.168.162.11
ipa: DEBUG: The DNS response does not contain an answer to the question: serverA.sub.mydomain3.com. IN AAAA
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverB.sub.mydomain3.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0818d8be60>
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverC.mydomain3.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0815752bd8>
Updating next range failed
Any help would be MUCH appreciated.
Thank you,
Khurrum
1 day, 4 hours
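The entries compared above can be checked mechanically before touching dnaNextRange by hand. The following is an added example, not code from the thread or from the FreeIPA project: it parses the `cn=Posix IDs` LDIF as ldapsearch prints it (unfolding continuation lines), flags replicas whose range is exhausted or below dnaThreshold, and reports ranges that overlap between servers. Server names and serverC's dnaMaxValue are assumed.

```python
"""Sanity-check FreeIPA DNA (Distributed Numeric Assignment) entries from
several replicas: parse the LDIF ldapsearch prints, flag exhausted ranges
and ranges that overlap between servers."""

# Constructed sample input (hypothetical, values modelled on the thread):
# the cn=Posix IDs entries as printed by ldapsearch on two servers.
SAMPLE = {
    "serverRL": (
        "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
        "dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip\n"
        " aIDobject))\n"            # LDIF continuation line (leading space)
        "dnaMaxValue: 1100\n"
        "dnaNextValue: 1101\n"
        "dnaThreshold: 500\n"),
    "serverC": (
        "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
        "dnaMaxValue: 104608200\n"  # assumed: not shown in the thread
        "dnaNextValue: 104608142\n"
        "dnaNextRange: 104606519-104606600\n"
        "dnaThreshold: 500\n"),
}

def parse_ldif(text):
    """Attribute -> list of values; unfolds continuation lines (leading
    space) and skips '#' comment lines, as found in ldapsearch output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, val = line.partition(":")
        attrs.setdefault(key.strip(), []).append(val.strip())
    return attrs

def check_dna(entries):
    """entries: {server: ldif_text}. Returns a sorted list of (server, problem)."""
    problems, spans = [], []
    for server, text in entries.items():
        a = parse_ldif(text)
        nxt, mx = int(a["dnaNextValue"][0]), int(a["dnaMaxValue"][0])
        thr = int(a.get("dnaThreshold", ["0"])[0])
        if nxt > mx:   # the plugin cannot hand out any more IDs here
            problems.append((server, "exhausted: dnaNextValue %d > dnaMaxValue %d" % (nxt, mx)))
        elif mx - nxt + 1 < thr:
            problems.append((server, "only %d IDs left, below dnaThreshold %d" % (mx - nxt + 1, thr)))
        if nxt <= mx:
            spans.append((server, nxt, mx))          # active allocation window
        for r in a.get("dnaNextRange", []):          # reserved follow-up range
            lo, hi = (int(x) for x in r.split("-"))
            spans.append((server + "/next", lo, hi))
    for i, (s1, lo1, hi1) in enumerate(spans):       # pairwise overlap check
        for s2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append((s1, "range %d-%d overlaps %s" % (lo1, hi1, s2)))
    return sorted(problems)
```

Run `check_dna(SAMPLE)` after pasting each replica's ldapsearch output into the dict; an exhausted replica is exactly the one that needs a fresh dnaNextRange.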
help
by Omar
Trying to deploy freeipa to an instance in Openstack.
The instance is configured with a private IP and a floating IP. I have set
up DNS to resolve both private and public IP addresses. When I try to
deploy using the public FQDN, the KDC will not deploy. If I deploy using
the private FQDN, the webUI won't connect.
Please advise,
Thanks
1 day, 9 hours
Explanation on how Smartcard Authentication works with all its components.
by r0 nam1
I'm wondering if anybody who actually knows this can shed some light on how it works.
I'm attempting to get Certificate Based SmartCards (Yubikeys) to work with FreeIPA so I can connect terminals and have MFA domain wide.
The issue is that on Debian PCs, the process isn't documented very well, nor is how all the components interact.
Could anybody shed some light on how each program interacts, from OpenSC to SSSD talking to FreeIPA to validate the Cert, how does it all work?
1 day, 10 hours
Re: FreeIPA Upgrade Failing with "Could not find cert: ipaCert"
by Florence Blanc-Renaud
Hi,
(adding back the mailing list in CC)
On Tue, Jan 24, 2023 at 6:54 PM Tyler Zang <tyler.j.zang(a)gmail.com> wrote:
> This brings up another "issue" that I am running into, that might be
> related. To give a quick back story, I am a windows admin pulled into
> support Linux, and thus FreeIPA. So my knowledge is very limited on this
> stuff.
>
> We have 2 separate FreeIPA's running on our network, as one will be
> retired soon. I feel like, starting about 2 months ago or so, my newest one
> (the one this post is about) started to fail booting up because of "smb"
> and "winbind" would not start. I had to use the --ignore-service-failure to
> get freeipa to start which would let everything else start except those two
> services. I don't recall the previous admin having samba or winbind
> purposely installed so I suspected maybe a monthly update installed it or
> something. I checked my other instance and it does not have those services
> installed, so ipa starts up without those services. So I was looking last
> week on how to stop freeipa from trying to boot those two services. As of
> now, I just let those fail.
>
If the server is configured as a trust controller (i.e. you ran
ipa-adtrust-install), then it's expected that smb and winbind are running.
>
> This FreeIPA does have a trust with AD, trusting the forest, but it is not
> "joined" (net ads join) to my domain, which is why winbind and smb breaks
> (I think). I open up the web gui and go to the network services > Trusts
> and see my domains. The "old" freeipa does not even have the trust submenu.
> Neither show up in ADUC.
>
> So now it sounds like this trust issue might be potentially affecting this
> upgrade. I am tempted to just join it into AD and see what happens.
>
No, an IPA machine cannot join an AD domain. You can ask for help on this
mailing list for troubleshooting the smb/winbind issues; if you provide
additional logs I'm sure someone will be able to help.
flo
>
> On Tue, Jan 24, 2023 at 4:59 AM Florence Blanc-Renaud <flo(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> On Mon, Jan 23, 2023 at 7:58 PM Ty zang via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> Thanks for the information. I will treat that as a false positive. The
>>> error is failing due to something not found (no such file or directory) and
>>> the only other error that stands out to me is maybe this.. (airgapped so I
>>> cant just post the log sadly)
>>>
>>> args=/usr/bin/net -s /dev/null groupmap add sid=S-5-1-5-32-546
>>> unixgroup=nobody type=builtin
>>> process execution failed
>>> destroyed connection context.ldap2_ (bunch of #)
>>> upgrade failed with [Errno 2] no such file or directory.
>>>
>> Does this file /usr/bin/net exist? It should be installed with the
>> package samba-common-tools, that is required by ipa-server-trust-ad. This
>> code should be executed only if adtrust is installed, is this your case?
>> flo
>>
>>> So maybe this is a missing account or something? Any suggestion on what
>>> to look for regarding ldap? I'll google this to see what comes up
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
>
> --
> Regards,
> Tyler Zang
>
>
2 days, 11 hours
FreeIPA Upgrade Failing with "Could not find cert: ipaCert"
by Ty zang
Hi all,
I am very, very green at understanding/supporting FreeIPA, so bear with me please. I tried to update my Red Hat 8.7 in December and part of that update was trying to install IPA 4.6.8. So after updating my server, I tried to start IPA but it said it needed an upgrade.
The upgrades have been failing and the ipaupgrade log shows one error near the end: "certutil: Could not find cert: ipaCert". I think it is looking at /etc/httpd/alias and when I run certutil -d /etc/httpd/alias -L, I see:
Server-Cert u,u,u
acme.com IPA CA CT,C,C
I googled around but found no real answer. Would it just be a case of my certificate being called Server-Cert and not ipaCert? Am I missing a certificate? Does anyone have any suggestions on how to troubleshoot this?
2 days, 17 hours
FreeIPA OAuth2.0 on OS other than fedora
by John Smith
Hi all, recently I managed to run FreeIPA 4.10.1 on Fedora 37 and everything works fine. I also set up an IPA client on another instance and there I'm also able to log in with an Azure account. However, we have many different OSes in our config.
As far as I see, the first implementation of OAuth2.0 was placed in release 4.9.10 -> https://www.freeipa.org/page/Releases/4.9.10
---
Highlights in 4.9.10
1539: [RFE] Add code to check password expiration on ldap bind
User can no longer do LDAP BIND operation with expired password.
8803: Add support for managing IdP references
FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers supporting OAuth 2.0 Device Authorization Flow. IdPs known to work are Keycloak, Microsoft Azure, Google, Github, and Okta. Details on how to use Keycloak can be found in FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support...
---
We have on board instances with Ubuntu 22.04, for example, and as I see the newest package for this OS is freeipa-client_4.9.8-1_amd64.deb. I've tried to do the flow there but, as I suspected, it is not working: there is not even a request to log in to the Azure site for authorization. I suspect this is OK, as according to the above it is not yet supported.
However, I tried to do the same with Ubuntu 23.04 (lunar), where the newest available package is freeipa-client_4.9.11-1_amd64.deb, which gives me hope that this would allow us to proceed with the flow:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support... as above, there was a statement that it was already introduced in version 4.9.10. Sadly the behaviour is exactly the same as it was on Ubuntu 22.04 (there are not even logs for otpd, as if such a module is not even installed with this client version).
Do you guys know if 4.9.10 would allow us to proceed with the OAuth2.0 flow successfully, or does it indeed have to be at least 4.10, as provided in the documentation?
BR
John
3 days, 20 hours