certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
by Sam Morris
Hi folks, I've got a machine where certmonger is unable to renew a
certificate request:
# getcert list -i 20220519165212
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
status: MONITORING
ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
stuck: no
key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.key'
certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-xoanon.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
issued: 2023-06-21 07:49:49 UTC
expires: 2023-09-19 07:49:49 UTC
dns: xoanon.ipa.example.com
principal name: host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I'm manually attempting to renew the certificate with:
[root@xoanon ~]# getcert resubmit -w -v -i 20220519165212
Resubmitting "20220519165212" to "IPA".
State GENERATING_CSR, stuck: no.
State SUBMITTING, stuck: no.
State MONITORING, stuck: no.
On the server side, I'm unable to find any errors being logged anywhere.
Even after I set 'debug = true' in /etc/ipa/default.conf & restarted
httpd.service, the only log messages are:
==> /var/log/httpd/error_log <==
[Wed Aug 23 10:59:50.765980 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Aug 23 10:59:50.766232 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Aug 23 10:59:50.766352 2023] [wsgi:error] [pid 124570:tid 140295030843136] [remote 192.168.88.3:52224] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
==> /var/log/httpd/access_log <==
192.168.88.3 - host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM [23/Aug/2023:10:59:50 +0000] "POST /ipa/json HTTP/1.1" 200 526
... which show that the API call was successful. On the other hand,
according to 'ipa cert-find --subject=xoanon.ipa.example.com', no
certificates have been issued.
It looks like the API isn't calling out to PKI/Dogtag, since nothing is
logged to /var/log/pki/pki-tomcat/localhost_access_log.*.txt or
/var/log/pki/pki-tomcat/ca/debug.*.log.
I also looked for AVC denials and didn't see anything in /var/log/audit.
So, back to the client. certmonger logs the following:
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_SUBJECT" to "CN=xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_HOSTNAME" to "xoanon.ipa.example.com" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_REQ_PRINCIPAL" to "host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
MIIEpzCCAw8CAQAwIzEhMB8GA1UEAxMYeG9hbm9uLmlwYS5yb2JvdHMub3JnLnVr
[...]
4d6BlUMScGAgCAxfxEb1eXymTxVm/Do/liHaOqnHGVIr+1OjZNftrUODFQ==
-----END CERTIFICATE REQUEST-----
" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKAC" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_SPKI" to "[...]" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_LOCAL_CA_DIR" to "/var/lib/certmonger/local" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_KEY_TYPE" to "RSA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CA_NICKNAME" to "IPA" for child.
2023-08-23 11:15:50 [836073] Setting "CERTMONGER_CERTIFICATE" to "-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIET/8AJDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFJ
[...]
dF6L+2tIIpjYylCxKQISWaexKkv1jVQaIPB1foIKyLGaf9YtyaIwyoM9G80UaQ==
-----END CERTIFICATE-----
" for child.
2023-08-23 11:15:50 [836073] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [836073] Running enrollment helper "/usr/libexec/certmonger/ipa-submit".
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
Submitting request to "https://ipa5.ipa.example.com/ipa/json".
JSON-RPC error: 2100: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-08-23 11:15:50 [834693] Certificate submission still ongoing.
2023-08-23 11:15:50 [834693] Certificate submission attempt complete.
2023-08-23 11:15:50 [834693] Child status = 2.
2023-08-23 11:15:50 [834693] Child output:
"Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
"
2023-08-23 11:15:50 [834693] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
2023-08-23 11:15:50 [834693] Certificate not (yet?) issued.
2023-08-23 11:15:50 [834693] Wrote to /var/lib/certmonger/requests/20220519165212
I found that I could add 'OPTS=-d9' to /etc/sysconfig/certmonger &
restart certmonger.service, which does cause it to log more, but it
doesn't give any further insight into the messages exchanged with the
server.
Does anyone know where I can look next?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
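As an added example (not from Sam's post and not certmonger's own code): a small Python parser for `getcert list` output that flags tracked requests carrying a `ca-error`, a `stuck` flag, a status other than MONITORING, or an expiry inside a warning window. The sample input is constructed from the listing above plus a second, healthy request with a made-up request ID, and `NOW` is a fixed constructed timestamp (the one from the certmonger log) so the run is reproducible.

```python
"""Parse `getcert list` output and flag tracked requests that need attention.
Added example; not certmonger's own code."""
import re
from datetime import datetime, timezone

# Constructed sample: the request from the listing above plus a second, healthy one.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20220519165212':
    status: MONITORING
    ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
    stuck: no
    CA: IPA
    subject: CN=xoanon.ipa.example.com,O=IPA.EXAMPLE.COM
    issued: 2023-06-21 07:49:49 UTC
    expires: 2023-09-19 07:49:49 UTC
    track: yes
    auto-renew: yes
Request ID '20230801120000':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=other.ipa.example.com,O=IPA.EXAMPLE.COM
    issued: 2023-08-01 00:00:00 UTC
    expires: 2023-10-30 00:00:00 UTC
    track: yes
    auto-renew: yes
"""

# Fixed "current time" so the run is reproducible (timestamp of the certmonger log above).
NOW = datetime(2023, 8, 23, 11, 15, 50, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}}.  Only the first ':' separates field from
    value, so values that contain ':' themselves (URLs, error text) stay intact."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue          # preamble such as "Number of certificates ..."
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """'2023-09-19 07:49:49 UTC' -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def find_problems(text, now=NOW, warn_days=14):
    """List (request_id, kind, detail) for every request a renewal check should raise."""
    problems = []
    for req_id, fields in parse_getcert_list(text).items():
        if fields.get("ca-error"):
            problems.append((req_id, "ca-error", fields["ca-error"]))
        if fields.get("stuck", "no") != "no":
            problems.append((req_id, "stuck", fields["stuck"]))
        if fields.get("status") != "MONITORING":
            problems.append((req_id, "status", fields.get("status", "?")))
        if fields.get("expires"):
            days_left = (parse_expiry(fields["expires"]) - now).days
            if days_left <= warn_days:
                problems.append((req_id, "expires", f"in {days_left} days"))
    return problems


if __name__ == "__main__":
    for req_id, kind, detail in find_problems(SAMPLE, warn_days=30):
        print(f"{req_id}: {kind}: {detail}")
```

Run against live output with `getcert list | python3 check_getcert.py`-style plumbing (reading stdin instead of `SAMPLE`); the `ca-error` line is only present when the last submission failed, so its mere presence is the signal, and a request whose `auto-renew` is `yes` but which still shows an error after the renewal window opens is the case from this thread.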
New plugin almost ready - postfixadmin
by Francis Augusto Medeiros-Logeay
Hi,
I have almost finished a plugin for FreeIPA, so that admins can have similar functionality found on Postfix Admin.
https://github.com/oculos/freeipa-postfixadmin/blob/main/README.md
There is already a good plugin that does a bit of that, but the goal is a bit different. My main goal is not to mix up postfix configuration with groups and hosts, but have separate entities for domain, aliases and virtual domains, in addition to mailboxes.
It was written mostly to allow me to migrate my mailboxes from MySQL to FreeIPA, and I don’t have a huge postfix configuration - I only have multiple domains, mailboxes, aliases and virtual domains, so that’s the functionality I wanted with this plugin.
There are a few things missing before this can go in production («production» here means to actually migrate my mailboxes to FreeIPA), adding a mailbox to ipa users on the gui being the most important one.
I would appreciate any comments and feedback regarding this plugin. It wasn’t easy to understand the logic of how to write one, but I got the hang of it (for simple stuff).
Best,
Francis
Allow sysaccount to view its own entry
by Adam Bishop
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
by Alexander Bokovoy
On Thu, 26 Oct 2023, Kroon PC, Peter wrote:
>Hi Alexander and Rob,
>
>many thanks for your prompt responses :)
>I made a new lxc machine and restored a backup so at least I have a working environment again. I kept the broken one for further investigation which I'll use to provide more information.
>I'm not super comfortable using mailing lists, and I'm not sure whether my mail client (outlook) will mangle my inline responses.
>
>Peter
>
>________________________________________
>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>Sent: Wednesday 25 October 2023 20:49
>To: Rob Crittenden
>CC: FreeIPA users list; Kroon PC, Peter
>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT following S4U2PROXY_NO_HEADER_PAC
>
>On Wed, 25 Oct 2023, Rob Crittenden wrote:
>>Alexander Bokovoy via FreeIPA-users wrote:
>>> On Wed, 25 Oct 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>> Hi all,
>>>>
>>>> After upgrading to Rocky linux 9.2 I'm running into issues with my IPA
>>>> server (4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
>>>>
>>>> $ kinit admin
>>>> Password for admin(a)EXAMPLE.COM:
>>>> $ ipa show-user admin
>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>>> Error: No credentials were supplied, or the credentials were
>>>> unavailable or inaccessible (Credential cache is empty)
>>>>
>>>> /var/log/krb5kdc.log:
>>>> okt 24 16:17:48 freeipa.example.com krb5kdc[10493]: TGS_REQ (4 etypes
>>>> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
>>>> aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)})
>>>> 192.168.12.57: S4U2PROXY_NO_HEADER_PAC: authtime 0, etypes
>>>> {rep=UNSUPPORTED:(0)} HTTP/freeipa.example.com(a)EXAMPLE.COM for
>>>> ldap/freeipa.example.com(a)EXAMPLE.COM, TGT has been revoked
>>>>
>>>> As the log shows, the KDC states there is no PAC, and therefore revokes
>>>> the TGT (note, I had to RTFS to decipher the S4U2PROXY_NO_HEADER_PAC).
>>>> Because of this, the web gui also doesn't work.
>>>
>>> That is a correct description of the reason why it does not work.
>>>
>>>>
>>>> $ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=nl
>>>> "ipaNTSecurityIdentifier=*" uid ipaNTSecurityIdentifier
>>>> SASL/GSSAPI authentication started
>>>> SASL username: admin(a)EXAMPLE.COM
>>>> SASL SSF: 256
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>>>> # filter: ipaNTSecurityIdentifier=*
>>>> # requesting: uid ipaNTSecurityIdentifier
>>>> #
>>>>
>>>> # admin, users, accounts, example.com
>>>> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>> uid: admin
>>>> ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440-500
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> Out of the ~200 or so users only the admin user has a
>>>> ipaNTSecurityIdentifier, but I don't know if it's correct...
>>>> I can't run `ipa config-mod --enable-sid --add-sids`, since my ipa CLI
>>>> is broken. I do still have LDAP access fortunately.
>>>
>>> You can run it, see below. If you'd run, do you have any error messages in
>>> the dirsrv errors log related to sidgen plugin?
>>>
>>>>
>>>> I tried to set `disable_pac = true` in /var/kerberos/krb5kdc/kdc.conf,
>>>> but that results in the exact same error. Setting ipaKrbAuthzData=None
>>>> in cn=ipaConfig also has no effect.
>>>
>>> No, one cannot disable PAC globally in FreeIPA. S4U operations
>>> require PAC presence since last year, so for any real Kerberos service
>>> that uses S4U (like IPA API or web UI) one cannot disable PAC
>>> enforcement.
>
>This is useful information :)
>
>>>
>>> Look at your ID range and SID configuration. You can avoid admin issue
>>> currently by running 'ipa' tool on IPA server as root with '-e
>>> in_server=true' option. This will force the tool to simulate direct
>>> access (as if it is running within httpd) and talk directly to LDAPI
>>> socket.
>>>
>>> Something like below:
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>> Domain: ipa1.test
>>> Security Identifier: S-1-5-21-790702333-3825749031-3739951824
>>> NetBIOS name: IPA1
>>> Domain GUID: 529fcbe9-3e34-436d-a541-6ffa88e7dac1
>>> Fallback primary group: Default SMB Group
>>> IPA AD trust agents: master1.ipa1.test
>>> IPA AD trust controllers: master1.ipa1.test
>
>KRB5CACHE=/dev/null ipa -e in_server=true trustconfig-show
>ipa: ERROR: : trust configuration not found
Ok, let's try differently. Can you provide output of
# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket \
-b cn=ad,cn=etc,dc=example,dc=com
(replace EXAMPLE-COM and dc=example,dc=com by your domain data)
>
>
>>>
>>> # KRB5CACHE=/dev/null ipa -e in_server=true idrange-find
>>> ipa: WARNING: API Version number was not sent, forward compatibility not
>>> guaranteed. Assuming server's API version, 2.253
>>> ----------------
>>> 5 ranges matched
>>> ----------------
>>> Range name: IPA1.TEST_id_range
>>> First Posix ID of the range: 1055600000
>>> Number of IDs in the range: 200000
>>> First RID of the corresponding RID range: 1000
>>> First RID of the secondary RID range: 100000000
>>> Range type: local domain range
>>>
>>> ... [ skip ] ...
>>>
>>>
>
>ipa: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.251
>----------------
>2 ranges matched
>----------------
> Range name: EXAMPLE.COM_id_range
> First Posix ID of the range: 1000
> Number of IDs in the range: 4000
> Range type: local domain range
This one is definitely not configured to handle SIDs. Also, see my
comment at the bottom of this email.
>
> Range name: EXAMPLE.COM_subid_range
> First Posix ID of the range: 2147483648
> Number of IDs in the range: 2147352576
> First RID of the corresponding RID range: 2147479648
> Domain SID of the trusted domain: S-1-5-21-738065-838566-2966017632
> Range type: Active Directory domain range
>----------------------------
>Number of entries returned 2
>----------------------------
>
>>
>>In my testing you can't run config-mod without a principal, and running
>>in-server does not have a principal.
>>
>># KRB5CACHE=/dev/null ipa -e in_server=true config-mod --add-sids
>>--enable-sid
>>[snip]
>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>line 701, in pre_callback
>> self._enable_sid(ldap, options)
>> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/config.py",
>>line 512, in _enable_sid
>> if not principal_has_privilege(self.api, context.principal, privilege):
>> ^^^^^^^^^^^^^^^^^
>>AttributeError: '_thread._local' object has no attribute 'principal'
>>ipa: ERROR: an internal error has occurred
>
>Thank you, Rob. I did not check that part.
>
>On IPA master one can run the oddjobd-activated script directly:
>
># /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>
>$ /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
>Configuring SID generation
> [1/8]: creating samba domain object
> [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>The ipa-enable-sid command failed. See /var/log/ipaserver-enable-sid.log for more information
>
>Python traceback from the log:
>2023-10-26T13:24:21Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
> api.Backend.ldap2.add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
> super(LDAPCache, self).add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
> self.conn.add_s(str(entry.dn), list(attrs.items()))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> return self.add_ext_s(dn,modlist,None,None)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> result = func(*args,**kwargs)
>TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>
>2023-10-26T13:24:21Z DEBUG [error] TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>2023-10-26T13:24:21Z DEBUG Destroyed connection context.ldap2_140617190554016
>2023-10-26T13:24:21Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
> return_value = self.run()
> File "/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid", line 68, in run
> smb.create_instance()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
> self.start_creation(show_service_name=False)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
> method()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/adtrustinstance.py", line 485, in __create_samba_domain_object
> api.Backend.ldap2.add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1893, in add_entry
> super(LDAPCache, self).add_entry(entry)
> File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1659, in add_entry
> self.conn.add_s(str(entry.dn), list(attrs.items()))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> return self.add_ext_s(dn,modlist,None,None)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 221, in add_ext_s
> msgid = self.add_ext(dn,modlist,serverctrls,clientctrls)
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 218, in add_ext
> return self._ldap_call(self._l.add_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
> File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> result = func(*args,**kwargs)
>
>2023-10-26T13:24:21Z DEBUG The ipa-enable-sid command failed, exception: TypeError: ('Tuple_to_LDAPMod(): expected a byte string in the list', None)
>
>
>I still need to see ID range and trustconfig-show output to understand
>the state of this deployment. Also, dirsrv errors log would be helpful
>if there was an attempt to run sidgen in past.
>
>I went through the dirsrv logs, and found the following:
>[24/Oct/2023:10:25:34.071341978 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[24/Oct/2023:10:25:34.300104111 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [52021] into an unused SID.
>[24/Oct/2023:10:25:34.300266490 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
>[24/Oct/2023:10:25:34.303536359 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
You have a range that defines UID/GID space of [1000...5000] but IDs are
outside this range. This is pretty much wrong regardless of whether we
enforce SIDs or not ;)
You need to create a separate ID range that would cover your existing
IDs. Before that, we need to create a configuration to be used for SID
generation -- if the ldapsearch above would show us that the entry in
cn=ad,cn=etc,$SUFFIX does not exist.
Since ipa-enable-sid has failed, probably the entry indeed does not exist and
it would be easier to construct it with ipa-ldap-updater tool:
----
dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}
default:objectClass: ipaNTDomainAttrs
default:objectClass: nsContainer
default:objectClass: top
default:cn: ${DOMAIN}
default:ipaNTFlatName: NETBIOSNAME
default:ipaNTSecurityIdentifier: S-1-5-21-3777974847-1414448952-306354440
default:ipaNTDomainGUID: 529fcbe9-3e34-3122-a541-6786236014c1
default:ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}
----
Change 'NETBIOSNAME' above to some name. By default that would be a
first part of your Kerberos realm, e.g. for IPA1.TEST that would be
IPA.
The SID value (S-1-5-21-...) is the one that your admin user has,
without the last part (relative identifier, RID, which is -500 for
administrator case).
Save this to a file named '90-somefile.update' and run as root
# ipa-ldap-updater ./90-somefile.update
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
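Added example, not from Alexander's reply and not FreeIPA's own code: a Python helper for the two checks his reply walks through, deriving the domain SID by dropping the RID from the admin user's SID, and finding POSIX IDs that fall outside every configured local ID range (the case behind the `Cannot convert Posix ID [52021] into an unused SID` error), before rendering the ipa-ldap-updater file from his template. The ID range, the POSIX ID list and the NetBIOS name in the demo are constructed sample values; `${DOMAIN}` and `${SUFFIX}` are left in the file for ipa-ldap-updater to substitute, and generating a random GUID with `uuid4()` when none is supplied is my assumption, not guidance from the thread.

```python
"""Derive the domain SID, check ID-range coverage, and render the ipa-ldap-updater file
from the reply above.  Added example; not FreeIPA's own code."""
import re
import uuid
from dataclasses import dataclass

# IPA/Windows SID: S-1-5-21-<a>-<b>-<c> is the domain SID; an account SID appends -<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")
ADMIN_RID = 500          # the built-in administrator RID the reply refers to


def split_sid(account_sid):
    """('S-1-5-21-a-b-c', rid) from an account SID; the domain SID is everything but the RID."""
    m = SID_RE.match(account_sid)
    if not m or m.group(1) is None:
        raise ValueError(f"not an account SID: {account_sid!r}")
    return account_sid.rsplit("-", 1)[0], int(m.group(1))


def is_domain_sid(sid):
    """True for a bare domain SID (no trailing RID)."""
    m = SID_RE.match(sid)
    return bool(m) and m.group(1) is None


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int      # "First Posix ID of the range"
    size: int         # "Number of IDs in the range"

    def contains(self, posix_id):
        # base 1000 with size 4000 covers 1000..4999 inclusive
        return self.base_id <= posix_id < self.base_id + self.size


def ids_outside_ranges(posix_ids, ranges):
    """POSIX IDs that no configured range covers; sidgen cannot assign these a SID."""
    return sorted({pid for pid in posix_ids if not any(r.contains(pid) for r in ranges)})


def suggest_covering_range(uncovered):
    """Smallest (base, size) pair covering every uncovered ID, as a starting point for
    the additional range the reply says must be created."""
    lo, hi = min(uncovered), max(uncovered)
    return lo, hi - lo + 1


def is_valid_netbios(name):
    """NetBIOS names: 1-15 characters; upper-case letters, digits and '-' accepted here."""
    return re.fullmatch(r"[A-Z0-9-]{1,15}", name) is not None


def render_update(netbios, domain_sid, guid=None):
    """Render the update file from the reply.  ${DOMAIN} and ${SUFFIX} are left for
    ipa-ldap-updater to substitute; a random GUID is used when none is given (assumption)."""
    if not is_valid_netbios(netbios):
        raise ValueError(f"bad NetBIOS name: {netbios!r}")
    if not is_domain_sid(domain_sid):
        raise ValueError(f"expected a domain SID without RID: {domain_sid!r}")
    lines = [
        "dn: cn=${DOMAIN},cn=ad,cn=etc,${SUFFIX}",
        "default:objectClass: ipaNTDomainAttrs",
        "default:objectClass: nsContainer",
        "default:objectClass: top",
        "default:cn: ${DOMAIN}",
        "default:ipaNTFlatName: " + netbios,
        "default:ipaNTSecurityIdentifier: " + domain_sid,
        "default:ipaNTDomainGUID: " + (guid or str(uuid.uuid4())),
        "default:ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,${SUFFIX}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values: the admin SID from the thread, the 1000/4000 range,
    # and a few POSIX IDs including the 52021 that sidgen rejected.
    domain_sid, rid = split_sid("S-1-5-21-3777974847-1414448952-306354440-500")
    print("domain SID:", domain_sid, "RID:", rid, "(administrator)" if rid == ADMIN_RID else "")
    ranges = [IdRange("EXAMPLE.COM_id_range", 1000, 4000)]
    missing = ids_outside_ranges([1000, 4999, 52021, 60000], ranges)
    print("IDs outside every range:", missing, "covering base/size:", suggest_covering_range(missing))
    print(render_update("EXAMPLE", domain_sid))
```

Feed the real ID list from an LDAP search for `uidNumber`/`gidNumber` rather than the constructed list, and keep in mind that a range of base 1000 and size 4000 ends at 4999, so IDs at the boundary are easy to misjudge when reading `idrange-find` output by eye.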
Apache Tomcat Showing on Security Scan as Outdated.
by Marcelo Carvalho
Hi everyone.
We are running FreeIPA version:
VERSION: 4.10.1, API_VERSION: 2.251
Tomcat showing running is:
[root@corp-freeipa-01 tomcat]# java -cp catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/9.0.50
Server built: Jan 8 1970 23:12:05 UTC
Server number: 9.0.50.0
OS Name: Linux
OS Version: 5.14.0-284.30.1.el9_2.x86_64
Architecture: amd64
JVM Version: 11.0.20+8-LTS
JVM Vendor: Red Hat, Inc.
Host is a RHEL 9.2 with OS recently updated.
The Tomcat version is showing in our Security scan as outdated.
Is there a way to only update Tomcat or should I update FreeIPA using......
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig
..... and expect the Tomcat gets updated?
Please advise.
Many thanks in advance.
Marcelo
Linux System Administrator
FreeIPA server + Replica - HBAC rules not matching
by Finn Fysj
I'm setting up a server + replica and I've migrated data from an old IPA server using ipa migrate-ds.
I experience problems with SSH into my IPA servers, even though I have HBAC rules to allow this:
$ssh test_alice(a)ipa-test.example.com -i test_alice
Connection closed by 192.168.10.24 port 22
$ssh test_alice(a)ipa-test.example.com
(test_alice(a)ipa-test.example.com) Password:
[usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com --service=ssh
--------------------
Access granted: True
--------------------
Matched rules: allow_alice
[usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
-------------------
1 HBAC rule matched
-------------------
dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
Rule name: allow_alice
Host category: all
Service category: all
Enabled: True
Users: test_alice
accessruletype: allow
[usr@ipa-test ~]$ ipa user-find test_alice --all
--------------
1 user matched
--------------
dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
User login: test_alice
First name: Alice
Last name: Test
Full name: Alice Test
Display name: Alice Test
Initials: AT
Home directory: /home/test_alice
GECOS: Alice Test
Login shell: /bin/sh
Principal name: test_alice(a)EXAMPLE.COM
Principal alias: test_alice(a)EXAMPLE.COM
Email address: test_alice(a)example.com
UID: 5002
GID: 5002
SSH public key: ssh-rsa
AAAAB3N...........
test_alice
Previously, using FreeIPA, I have been able to find "denying access" in log files because of non-matching HBAC rules. Now I can't find any trace of this, even with debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam and sssd sections).
Httpd Graceful restart - syntax error
by Finn Fysj
This morning I woke up to the following:
[pid 18582] AH00171: Graceful restart requested, doing restart
httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-nss.conf: Cannot load modules/libmodnss.so into server: /lib64/libnssutil3.so: version `NSSUTIL_3.82' not found (required by /lib64/libnss3.so)
cat /etc/httpd/conf.modules.d/10-nss.conf:
LoadModule nss_module modules/libmodnss.so
I've verified the files exist; after a manual restart of httpd it was back.
httpd -t reports syntax OK
FreeIPA running in Kubernetes
by Jay Smith
Is it possible to run FreeIPA in a Kubernetes cluster as a Pod?
If yes, is it a good idea?
I'm new to Kubernetes. I'm currently running FreeIPA as a docker container and it's working very well. The problem in K8s is, there's no fixed IP address, and the privileged permission could be a problem.
unable to Authenticate users from Ubuntu Desktops
by md tabrez
Hi Everyone,
Got an issue with our IPA server: users cannot log in to their IPA accounts.
failed to initialize credentials using keytab [MEMORY:/ETC/KRB5.KEYTAB]: cannot contact any kdc for realm 'ABC.COM' unable to create GSSAPI-encrypted ldap connection
Kerberos 5 KDC service status:
krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2023-10-26 14:40:05 UTC; 2h 27min ago
Process: 927 ExecStart=/usr/sbin/krb5kdc -P /run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
Main PID: 928 (krb5kdc)
Tasks: 3 (limit: 9191)
Memory: 11.4M
CPU: 9.916s
CGroup: /system.slice/krb5kdc.service
├─928 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
├─929 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
└─930 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Starting Kerberos 5 KDC...
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: krb5kdc.service: Can't open PID file /run/krb5kdc.pid (yet?) after start: Operation not permitted
Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Started Kerberos 5 KDC.
Web UI thinks PEM-encoded CSR is Base64
by Ian Pilcher
I am attempting to generate a host certificate, but the FreeIPA web
interface will not accept the PEM-encoded CSR. I am receiving the
following error:
IPA Error 4015: Base64DecodeError
Base64 decoding failed: Incorrect padding
The CSR is in PEM format, rather than Base64:
-----BEGIN CERTIFICATE REQUEST-----
MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
-----END CERTIFICATE REQUEST-----
Any ideas?
--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================
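Added example, not from Ian's post and not FreeIPA's code: a Python helper that accepts a CSR either PEM-armored or as bare base64 and returns the DER bytes, decoding strictly so stray characters are rejected rather than silently dropped. The sample input is the CSR quoted above; `naive_decode_fails` shows why feeding the armored text straight to a base64 decoder ends in `Incorrect padding` (the letters of BEGIN/END CERTIFICATE REQUEST are valid base64 characters, so they are decoded along with the body and skew its length), and `der_total_length` is a sanity check that reads the outer SEQUENCE header of the result.

```python
"""Accept a CSR as PEM or as bare base64 and return DER bytes.
Added example; not FreeIPA's code."""
import base64
import binascii
import re

# The CSR from the post above, used as sample input.
PEM_CSR = """\
-----BEGIN CERTIFICATE REQUEST-----
MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
-----END CERTIFICATE REQUEST-----
"""

# PEM armor: BEGIN/END lines with matching labels around a base64 body.
ARMOR_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def strip_armor(text):
    """Return the bare base64 body, whether or not the input carried PEM armor."""
    m = ARMOR_RE.search(text)
    body = m.group(2) if m else text
    return "".join(body.split())       # drop line breaks and surrounding whitespace


def csr_to_der(text):
    """PEM or bare base64 -> DER.  validate=True refuses characters outside the
    base64 alphabet instead of silently discarding them."""
    return base64.b64decode(strip_armor(text), validate=True)


def naive_decode_fails(text):
    """True if decoding the text as-is (no armor handling) raises.  The BEGIN/END
    words are valid base64 letters, so armored text decodes to a skewed length."""
    try:
        base64.b64decode(text)
    except binascii.Error:
        return True
    return False


def der_total_length(der):
    """Length the outer DER SEQUENCE header claims for the whole object; a cheap
    check that the decoded bytes really are a DER structure."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                  # short form: one length byte
        return 2 + first
    n = first & 0x7F                  # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


if __name__ == "__main__":
    der = csr_to_der(PEM_CSR)
    print("DER bytes:", len(der), "header says:", der_total_length(der))
    print("naive decode of the PEM text fails:", naive_decode_fails(PEM_CSR))
```

The same armor-stripping step is what a form handler should do before base64-decoding: detect the BEGIN/END lines, take only the body, and only then decode, so that both PEM and bare base64 input are accepted and the padding error Ian saw cannot arise from the headers.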