Re: FreeIPA Upgrade Failing with "Could not find cert: ipaCert"
by Florence Blanc-Renaud
Hi,
(adding back the mailing list in CC)
On Tue, Jan 24, 2023 at 6:54 PM Tyler Zang <tyler.j.zang(a)gmail.com> wrote:
> This brings up another "issue" that I am running into, that might be
> related. To give a quick back story, I am a windows admin pulled into
> support Linux, and thus FreeIPA. So my knowledge is very limited on this
> stuff.
>
> We have 2 separate FreeIPA's running on our network, as one will be
> retired soon. I feel like, starting about 2 months ago or so, my newest one
> (the one this post is about) started to fail booting up because of "smb"
> and "winbind" would not start. I had to use the --ignore-service-failure to
> get freeipa to start which would let everything else start except those two
> services. I don't recall the previous admin having samba or winbind
> purposely installed so I suspected maybe a monthly update installed it or
> something. I checked my other instance and it does not have those services
> installed, so ipa starts up without those services. So I was looking last
> week on how to stop freeipa from trying to boot those two services. As of
> now, I just let those fail.
>
If the server is configured as a trust controller (i.e. you ran
ipa-adtrust-install), then it's expected that smb and winbind are running.
>
> This FreeIPA does have a trust with AD, trusting the forest, but it is not
> "joined" (net ads join) to my domain, which is why winbind and smb breaks
> (I think). I open up the web gui and go to the network services > Trusts
> and see my domains. The "old" freeipa does not even have the trust submenu.
> Neither show up in ADUC.
>
> So now it sounds like this trust issue might be potentially affecting this
> upgrade. I am tempted to just join it into AD and see what happens.
>
No, an IPA machine cannot join an AD domain. You can ask for help on this
mailing list for troubleshooting the smb/winbind issues; if you provide
additional logs I'm sure someone will be able to help.
flo
>
> On Tue, Jan 24, 2023 at 4:59 AM Florence Blanc-Renaud <flo(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> On Mon, Jan 23, 2023 at 7:58 PM Ty zang via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> Thanks for the information. I will treat that as a false positive. The
>>> error is failing due to something not found (no such file or directory) and
>>> the only other error that stands out to me is maybe this: (airgapped so I
>>> can't just post the log sadly)
>>>
>>> args=/usr/bin/net -s /dev/null groupmap add sid=S-5-1-5-32-546
>>> unixgroup=nobody type=builtin
>>> process execution failed
>>> destroyed connection context.ldap2_ (bunch of #)
>>> upgrade failed with [Errno 2] no such file or directory.
>>>
>> Does this file /usr/bin/net exist? It should be installed with the
>> package samba-common-tools, that is required by ipa-server-trust-ad. This
>> code should be executed only if adtrust is installed, is this your case?
>> flo
>>
>>> So maybe this is a missing account or something? Any suggestion on what
>>> to look for regarding ldap? I'll google this to see what comes up
>>
>
> --
> Regards,
> Tyler Zang
>
>
1 year, 3 months
FreeIPA OAuth2.0 on OS other than fedora
by John Smith
Hi All, recently I managed to run FreeIPA 4.10.1 on Fedora 37 and everything works fine; I also set up an IPA client on another instance and there I am also able to log in with an Azure account. However we have many different OSes in our config.
As far as I see first implementation of OAuth2.0 was placed in release 4.9.10 -> https://www.freeipa.org/page/Releases/4.9.10
---
Highlights in 4.9.10
1539: [RFE] Add code to check password expiration on ldap bind
User can no longer do LDAP BIND operation with expired password.
8803: Add support for managing IdP references
FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers supporting OAuth 2.0 Device Authorization Flow. IdPs known to work are Keycloak, Microsoft Azure, Google, Github, and Okta. Details on how to use Keycloak can be found in FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support...
---
We have on board instances with Ubuntu 22.04 for example, and as I see the newest package for this OS is freeipa-client_4.9.8-1_amd64.deb. I've tried to do the flow there but, as I suspected, it is not working; there is not even a request to log in at the Azure site for authorization, and I suspect this is OK, as according to the above it is not yet supported.
However I tried to do the same with Ubuntu 23.04 (lunar), where the newest available package is freeipa-client_4.9.11-1_amd64.deb, which gives me hope that this would allow us to proceed with the flow:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support... as above there was a statement that it was already introduced in version 4.9.10. Sadly the behaviour is exactly the same as it was on Ubuntu 22.04 (there are not even logs for otpd, as if such a module is not even installed with this client version).
Do you guys know if 4.9.10 would allow us to proceed with OAuth2.0 successfully, or does it indeed have to be at least 4.10 as provided in the documentation?
BR
John
1 year, 3 months
SSH 2FA (password + totp)
by Kjell Cornelius Nicolaysen
Hey,
So I am trying to implement TOTP+password for SSH on a server. In the
past it's been as simple as using Google Authenticator, but seeing as how
we have a shiny FreeIPA server...
Created a user, then gave them a TOTP token (synched and tested that it
works by logging into the web UI). But I'm stuck at the correct way to
implement this on the SSH server.
Found the earlier thread[1] and got some pointers.
sshd config:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
If I do not define password/otp for the host via the IPA web interface,
login works fine with password. If I set it to password/otp only it fails.
Looking at journalctl -xeu ssh.service there clearly is some issue.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832 ssh2 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2
Connection closed by authenticating user kjell 192.168.31.102 port 38832 [preauth]
Tried giving my password, and my password+otp (without the '+'). But
nothing works.
Anyone got any pointers or see any obvious mistakes?
1:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
--
Mvh,
Kjell C. Nicolaysen
PGP Public key available on request.
Current key (at time of this email) fingerprint:
3F59 7410 AFD5 FC22 F2F1 EEC9 980A 8C9E C126 6716
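As an added example (not part of the original post), the pam_sss result codes in journal output like the one above can be tallied to tell credential rejections apart from backend errors before touching the token setup. It assumes only POSIX sh, grep and sed; the log lines inside it are constructed from the thread's quoted output.

```shell
#!/bin/sh
# Added example: triage sshd/pam_sss journal lines. pam_sss logs the PAM return
# code it handed back to sshd: 7 is PAM_AUTH_ERR (the credentials were rejected),
# 4 is PAM_SYSTEM_ERR (sssd/PAM could not complete the request at all), so a run
# of 4s points at the client-side stack rather than at the OTP that was typed.

# Constructed sample modelled on the lines quoted in the thread (not real logs).
SAMPLE_LOG='pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_sss(sshd:auth): received for user kjell: 4 (System error)
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832 ssh2'

# pam_sss_code_count LOGTEXT CODE -> how many times pam_sss returned CODE
pam_sss_code_count() {
    # grep -c exits 1 on zero matches; keep the printed count, ignore the status
    printf '%s\n' "$1" | grep -c -- "pam_sss(sshd:auth): received for user [^:]*: $2 (" || true
}

# pam_sss_users LOGTEXT -> distinct user names pam_sss reported a result for
pam_sss_users() {
    printf '%s\n' "$1" | sed -n 's/.*received for user \([^:]*\):.*/\1/p' | sort -u
}

# pam_sss_verdict LOGTEXT -> one-line triage verdict
pam_sss_verdict() {
    auth=$(pam_sss_code_count "$1" 7)
    sys=$(pam_sss_code_count "$1" 4)
    if [ "$sys" -gt 0 ]; then
        echo "config: $sys PAM_SYSTEM_ERR (4) result(s); check sssd and the PAM stack before the token"
    elif [ "$auth" -gt 0 ]; then
        echo "credentials: $auth PAM_AUTH_ERR (7) result(s); the password/OTP itself was rejected"
    else
        echo "none: no pam_sss results found"
    fi
}

# Stand-alone run over the constructed sample. On a real host feed the journal
# instead, e.g.  pam_sss_verdict "$(journalctl -u ssh.service)"
pam_sss_verdict "$SAMPLE_LOG"
```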
1 year, 3 months
Healthcheck help
by Bob Strachan
I wonder if I have gotten myself in a bind.
I have a small realm of a dozen Rhel7 and Rhel8 servers, a few dozen users and three IDM servers. We moved from yellow pages to IDM for 2FA a couple of years ago. The original IDM servers were all Rhel7. In November of 2021, we moved to IDM 4.9 on Rhel8.4 by standing up new IDM servers and replicating.
When we finished the migration there were no significant healthcheck (hc) errors. Over the next year we upgraded to 8.5, 8.6 and then 8.7.
At some point, and I believe it was when we got to Rhel8.6, we started getting hc errors with this type of message:
"msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
On two of the IDM servers the messages were for:
kra_subsystem
kra_transport
kra_storage
kra_audit_signing
all showing a mismatch in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
There was one other similar message:
"transportCert cert-pki-kra had a mismatch in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
At the time we googled the issue and came up with:
https://github.com/freeipa/freeipa-healthcheck/issues/154
where Rob Crittenden says:
"We seem to have lost traction on this. It is my understanding that the certificates not matching the values in CS.cfg is not a critical problem. It is checked to ensure consistency."
So we ignored the errors.
After upgrading to 8.7 in November 2022, we started getting more hc errors regarding iDNS. Google led us to a script to fix the problem which we ran and the problem went away.
I was still concerned with the CS.cfg mismatches, so I decided to fix the messages. An inventory of the messages showed two IDM servers with the messages listed above and one IDM server with an sslserverCert in ...kra/CS.cfg and transportCert in ...ca/CS.cfg mismatch errors.
Since this was only a sanity check, I modified the cert hashes in each CS.cfg to match the cert generated by:
certutil -d /etc/pki/pki-tomcat/alias -L -n '<cert nickname>' -a by pasting the trimmed hash into the appropriate directive in the corresponding CS.cfg.
Now when I run ipa-healthcheck, there are no errors. My concern is that perhaps I have broken Dogtag and when some of these certs go to be renewed in February, there will be problems.
I also note that for all 14 of these cert directives I modified in CS.cfg there was also a "<directive.certreq=>" pointing to a hash in CS.cfg that I didn't modify.
Is my system in trouble? How do I resolve this? Since all the errors are only in CS.cfg, is there a way to generate a fresh CS.cfg? Most of the articles I've found regarding fixing corrupt CS.cfg files, are old and incredibly complex.
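As an added example (not from the original post), this is the comparison the healthcheck message describes, a certificate in PEM form against the single-line base64 value under a CS.cfg directive, written as a small POSIX sh check. The PEM and CS.cfg texts inside it are constructed placeholders, and the `check_nss_cert` wrapper assumes certutil is present, as it was in the post.

```shell
#!/bin/sh
# Added example: compare a certificate in PEM form (what `certutil -L -n <nick> -a`
# prints) with the base64 value Dogtag keeps under a CS.cfg directive such as
# kra.subsystem.cert. Only the *.cert directives are compared; the *.certreq
# directives hold the certificate request, not the certificate, so the same
# comparison does not apply to them.

# Constructed placeholders (not real certificate or configuration data).
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIICONSTRUCTEDSAMPLELINE1NOTAREALCERTIFICATE
MIICONSTRUCTEDSAMPLELINE2NOTAREALCERTIFICATE
-----END CERTIFICATE-----'
SAMPLE_CSCFG='kra.subsystem.nickname=subsystemCert cert-pki-ca
kra.subsystem.cert=MIICONSTRUCTEDSAMPLELINE1NOTAREALCERTIFICATEMIICONSTRUCTEDSAMPLELINE2NOTAREALCERTIFICATE
kra.subsystem.certreq=MIIREQUESTVALUENOTCOMPAREDHERE
kra.transport.cert=MIISTALEVALUELEFTFROMANEARLIERCERT'

# pem_to_cscfg_value PEMTEXT -> base64 body with the BEGIN/END lines and all
# line breaks removed, i.e. the form CS.cfg stores
pem_to_cscfg_value() {
    printf '%s\n' "$1" | sed '/^-----/d' | tr -d '\r\n'
}

# cscfg_get CFGTEXT KEY -> value of the first "KEY=" line, empty if absent
cscfg_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in KEY are literal
    printf '%s\n' "$1" | sed -n "s/^$key_re=//p" | head -n 1
}

# cscfg_cert_matches CFGTEXT KEY PEMTEXT
#   exit 0 on match, 1 on mismatch, 2 when KEY is not in the config at all
cscfg_cert_matches() {
    want=$(pem_to_cscfg_value "$3")
    have=$(cscfg_get "$1" "$2")
    [ -n "$have" ] || return 2
    [ "$have" = "$want" ]
}

# check_nss_cert NSSDB NICKNAME CSCFG_FILE KEY -> same codes as above, reading
# the certificate out of the NSS database with certutil as in the thread;
# exit 3 if certutil cannot find the nickname
check_nss_cert() {
    pem=$(certutil -d "$1" -L -n "$2" -a) || return 3
    cscfg_cert_matches "$(cat "$3")" "$4" "$pem"
}

# Stand-alone run over the constructed sample
for key in kra.subsystem.cert kra.transport.cert kra.storage.cert; do
    rc=0
    cscfg_cert_matches "$SAMPLE_CSCFG" "$key" "$SAMPLE_PEM" || rc=$?
    case $rc in
        0) echo "$key: matches the certificate" ;;
        1) echo "$key: MISMATCH against the certificate" ;;
        2) echo "$key: directive not present" ;;
    esac
done
```

On a real server the same check is `check_nss_cert /etc/pki/pki-tomcat/alias 'subsystemCert cert-pki-ca' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg kra.subsystem.cert`, which reads the database the post used.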
1 year, 3 months
freeIPA 4.10.1 - Oauth2.0 with Azure AD
by John Smith
Morning All,
I'm trying to do almost the same as was demoed here: https://www.youtube.com/watch?v=NorXJN3tw3Q&themeRefresh=1 [Break ice or don't login twice: FreeIPA and OAuth 2.0]. In particular I'm trying to authorize Linux users (ssh) with OAuth2.0 Azure AD. I already registered a new app in Azure AD (so I have a new Client ID), then I added a new IdP as described here: https://freeipa.readthedocs.io/en/latest/designs/external-idp/idp-api.htm... and https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.... I created a new user and attached him to the AD IdP.
Sadly I have some issues with making the whole thing work.
I run this on a clean Fedora 37 OS:
---
[root@ipa2 log]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
---
I installed freeipa-server in version 4.10.1:
---
[root@ipa2 log]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
---
and all components seem to be working:
---
[root@ipa2 log]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
---
However when I'm trying to do:
---
[root@ipa2 ~]# kinit -T ./fast.ccache testuser2
Authenticate with PIN RJ4TEQ3KW at https://microsoft.com/devicelogin and press ENTER.:
kinit: Preauthentication failed while getting initial credentials
---
of course the link provided in the command line is valid and I can proceed with the authorization with no issues and get SUCCESS at the end, however for freeipa the response is always the same:
[kinit: Preauthentication failed while getting initial credentials.]
I already noticed that the error occurs almost immediately after running [ kinit -T ./fast.ccache testuser2 ], so freeipa is not even waiting for me to log on at the https://microsoft.com/devicelogin website:
I see in journalctl such a flow:
---
[root@ipa2 log]# journalctl --follow /usr/libexec/ipa/ipa-otpd
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): idp query end: ad
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): oauth2 start: Get device code
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): Received: [{"device_code":"EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr7iawpzAIiCTXDx5OKQCTvg3u_0IfN7car7U1-ErltsJ_HqupRB-wsm-ls_tCZYc3Z98zG-jVx_xXmZ7oIg5LkxswyAJocRVtTygHdN9sDrHb9lhfGYSZPizy0hEMKGHfhgPaiDtnW3muH-izoWktC_PXqqgJC08d2apcLI8RK6YgAA","expires_in":900,"interval":5}
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2 {"verification_uri": "https://microsoft.com/devicelogin", "user_code": "EWVEHBCR6"}
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: ]
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): sent: 0 data: 371
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): ..sent: 371 data: 371
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2.c:088: Child finished with status [0].
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: Socket closed, shutting down...
---
[Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge] - I have an impression that the request ends almost in the same second it starts.
In messages logs:
---
Jan 18 15:13:42 ipa2 systemd[1]: /usr/lib/systemd/system/ipa-otpd@.service:10: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
Jan 18 15:13:42 ipa2 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 18 15:13:42 ipa2 systemd[1]: Started ipa-otpd(a)19-1182-0.service - ipa-otpd service (PID 1182/UID 0).
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: LDAP: ldapi://%2Frun%2Fslapd-(MY DOMAIN HERE).socket
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): request received
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query start
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query end: uid=testuser1,cn=users,cn=accounts,dc=tribecloud,dc=io
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query start: cn=ad,cn=idp,dc=tribecloud,dc=io
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query end: ad
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): oauth2 start: Get device code
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): Received: [{"device_code":"FAQABAAEAAAD--DLA3VO7QrddgJg7Wevr9pXKAjhGk35vFXJUS2CnmQ0ASimeHG_O_I9Ws_CW4GVxOBdb_80yKD2giSQ4SE9PzYEEuCYhzsq70plMMb8XQzgVbYUhe-Mfa85Zb96X8eUAD1PLRh6zO_2i5EMA_hsFXyhC-QDO_uOA64QsoHOFHP5C-FQTbaAYegdUiRlMWj4gAA","expires_in":900,"interval":5}
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2 {"verification_uri": "https://microsoft.com/devicelogin", "user_code": "FW5GFFLMH"}
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: ]
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): sent: 0 data: 371
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): ..sent: 371 data: 371
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2.c:088: Child finished with status [0].
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: Socket closed, shutting down...
Jan 18 15:13:43 ipa2 systemd[1]: ipa-otpd(a)19-1182-0.service: Deactivated successfully.
Jan 18 15:13:43 ipa2 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
---
User configuration:
---
[root@ipa2 log]# ipa user-show testuser2
User login: testuser2
First name: Test
Last name: User2
Home directory: /home/testuser2
Login shell: /bin/bash
Principal name: testuser2@(MY DOMAIN HERE)
Principal alias: testuser2@(MY DOMAIN HERE)
Email address: testuser2@(MY DOMAIN HERE)
UID: 608800004
GID: 608800004
User authentication types: idp
External IdP configuration: ad
External IdP user identifier: john@(MY DOMAIN HERE)
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
---
idp config:
---
[root@ipa2 log]# ipa idp-show ad
Identity Provider server name: ad
Authorization URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/authorize
Device authorization URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/devicecode
Token URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/token
User info URI: https://graph.microsoft.com/oidc/userinfo
JWKS URI: https://login.microsoftonline.com/common/discovery/v2.0/keys
Client identifier: (MY client ID Here)
Scope: openid email
External IdP user identifier attribute: email
---
I couldn't figure out what is going on; do you have any ideas or advice on how I can solve that and let me use OAuth with Azure AD?
Best regards
John
1 year, 3 months
new server gives error on old server healthcheck
by Rob Verduijn
Hello all,
I wanted to migrate my old el8 freeipa server to el9.
So I installed a new system with el9 and configured a replica on it.
After this was completed I ran ipa-healthcheck on the new el9 replica and
all was well.
However after this I ran ipa-healthcheck on the old el8 ipa server and I
got the following error.
ipa-healthcheck
Internal server error 'Link'
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
    "when": "20230117082651Z",
    "duration": "0.402024",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
    }
  }
]
I double checked the firewall and all ports were open on the el9 server
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 enp1s0
  sources:
  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
On the el9 server ipa-healthcheck yields no errors and ipactl status shows
everything is
running.
Anybody know why the old el8 server fails the ipa-healthcheck?
Rob
1 year, 3 months
Installing Third-Party Certificates-Help
by Polavarapu Manideep Sai
Hi Team,
We need your help or support
I have a master IPA server and 2 replica IPA servers; I want to install third-party certificates in my setup:
a. master.ipa.example.com
b. replica1.ipa.example.com
c. replica2.ipa.example.com
1. Generated a new CSR/wildcard certificate on the master IPA server for the domain "*.ipa.example.com" and shared it with the third-party vendor; they have shared two zip files, one for Apache and the other for Tomcat, as shown below. I see crt and pem files in the zip files as shown below after unzipping:
a. _.ipa.onmobile.com_Apache.zip
b. _.ipa.onmobile.com_TOMCAT.zip
unzipped:
[root@dir01 tmp]# tree Apache/
Apache/
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
└── _.ipa.onmobile.com_Apache.zip
0 directories, 4 files
[root@dir01 tmp]# tree Tomcat/
Tomcat/
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
├── gdig2.crt.pem
└── _.ipa.onmobile.com_TOMCAT.zip
0 directories, 5 files
2. Followed the Red Hat documentation but did not understand which of the following is applicable in my case for the received certificates:
Installing Third-Party Certificates for HTTP or LDAP
Installing a CA Certificate Manually
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Can you please let us know the step-by-step procedure for how to install the certificates?
Can you please also comment on the query below:
3. If I install the certificate, will it get replaced in the "/etc/pki/pki-tomcat/alias/" database as well, along with the httpd and dirsrv databases?
/etc/pki/pki-tomcat/alias/
/etc/httpd/alias/
/etc/dirsrv/slapd-IPA-EXAMPLE-COM
Please let us know if any more details are required.
Sai
1 year, 3 months
IPA Healthcheck Warning for IPA Trust on Replica
by Jeremy Tourville
I have recently added a replica to my existing setup. Everything seems to work except for 2 issues that I have noted:
#1 IPA health check generates a warning from the replica only (master is ok)
similar to this:
{
  "source": "ipahealthcheck.ipa.trust",
  "check": "IPATrustCatalogCheck",
  "result": "WARNING",
  "uuid": "my_uuid",
  "when": "20191121135331Z",
  "duration": "2.128808",
  "kw": {
    "key": "my_key",
    "error": "returned nothing",
    "msg": "Look up of {key} {error}"
  }
},
#2 id some_user
returns:
id: 'some_user': no such user
I have also noted that:
ipa trust-fetch-domains "gsil.smil"
return an error - Fetching domains from trusted forest failed
ipa trustdomain-find is able to find the domain
ipa idrange-find returns the same set of results for both the master and the replica
ipa-replica-manage dnarange-show
shows that the dna ranges are not overlapping (my understanding is this is a good thing)
My environment:
Rocky 8.7
FreeIPA 4.9.10
Master: gsil-ipa01
Replica: gsil-ipa02
Both master and replica are configured with server roles: AD trust agent, AD trust controller, CA server, DNS server, KRA server.
Are issues #1 and #2 related? i.e. fix one and the other will work as expected?
I am still reviewing possible solutions for why ldap lookup using the id command is not working. But maybe it will never work unless I fix the healthcheck issue...
Your input is greatly appreciated!
1 year, 3 months
Trust-Agents
by Ronald Wimmer
I have a setup where we have four IPA servers. Two of them are able to
talk to the AD Domain Controllers directly. I set them up as AD Trust
controllers.
The other two IPA servers can only talk to these IPA servers and not to
the AD DCs directly. That's why I wanted them to have the Trust Agent
Role only.
I used "ipa-adtrust-install --add-agents" on these servers. After
configuring the roles and finishing the setup I did an "ipa
server-role-find" to check if the roles were set correctly. I found out
that all four IPA servers do have the Trust Controller role. And here
comes my question... why? Why have the two servers been added as trust
controllers and not as agents only?
Cheers,
Ronald
1 year, 3 months