ipa-replica-install -- cannot get past [26/41]: creating DS keytab
by Jonathon Jenkins
Greetings,
I cannot get the ipa-replica-install to proceed past step 26/41 - creating DS keytab. I see the command that is to be run, and I can run that just fine before and after the ipa-replica-install command, and it creates the keytab. I am not sure how to proceed from here - the bug reports I see all pertain to earlier versions, and my files reflect those changes.
I have also tried running this with all manner of password flags, which are correct, but I am still getting insufficient access rights.
particulars:
centos 7 3.10.0-957.1.3.el7.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
* Note: anonymized output below
ipapython.ipautil: DEBUG stderr=
ipalib.backend: DEBUG Created connection context.ldap2_139891568509776
ipaserver.install.service: DEBUG duration: 7 seconds
ipaserver.install.service: DEBUG [26/41]: creating DS keytab
[26/41]: creating DS keytab
ipalib.frontend: DEBUG raw: service_add(u'ldap/<ipa-replica-host>@<domain>.NET', force=True, version=u'2.229')
ipalib.frontend: DEBUG service_add(ipapython.kerberos.Principal('ldap/<ipa-replica-host>@<domain>.NET'), force=True, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.frontend: DEBUG raw: host_show(u'<ipa-replica-host>', version=u'2.229')
ipalib.frontend: DEBUG host_show(u'<ipa-replica-host>', rights=False, all=False, raw=False, version=u'2.229', no_members=False)
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
ipalib.install.sysrestore: DEBUG -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>
ipapython.ipautil: DEBUG Process finished, return code=9
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
ipaserver.install.service: DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipaserver.install.service: DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
[error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipalib.backend: DEBUG Destroyed connection context.ldap2_139891548583120
ipalib.install.sysrestore: DEBUG Backing up system configuration file '/etc/ipa/default.conf'
ipalib.install.sysrestore: DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
replica_install(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1431, in install
fstore=fstore)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 113, in install_replica_ds
setup_pkinit=not options.no_pkinit,
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 419, in create_replica
self.start_creation(runtime=30)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1308, in request_service_keytab
super(DsInstance, self).request_service_keytab()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
ipautil.run(args, nolog=nolog)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
ipapython.admintool: DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR Command '/usr/sbin/ipa-getkeytab -k /etc/dirsrv/ds.keytab -p ldap/<ipa-replica-host>@<domain>.NET -H ldaps://<ipa-replica-master>' returned non-zero exit status 9
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Disabled Domain fills IPA client sssd logs
by Ronald Wimmer
We are facing the problem that we disabled a domain we do not need, and
this particular domain fills up the sssd logs on the client side, especially
sssd_nss.log. How could we avoid this behavior?
Cheers,
Ronald
FreeIPA-Kubernetes Setup
by Ronald Wimmer
Hi,
are there any plans (or maybe ongoing work already) to let FreeIPA run
in a K8s environment?
Cheers,
Ronald
Different results with search in replicas
by danila kuzovlev
Hi, I'm trying to create centralized authorization for my services with a FreeIPA cluster in different locations. For some reasons I use a base search in the cn=compat tree for mapping users, but on different replicas the result of the same ldapsearch query is different:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
ldapsearch -h Y.Y.Y.Y -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s base -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
But, if I make the search with "subtree" scope against the first one, I can see entries in the answer:
ldapsearch -h X.X.X.X -p 389 -b "cn=some_group,cn=groups,cn=compat,dc=example,dc=com" -s sub -D "uid=binddn,cn=users,cn=accounts,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# some-group, groups, compat, example.com
dn: some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: OklQQToyMS1zY2hvb2wucnU6YjI2ZTNkNjQtYWI5ZC0xMWVkLWE5NDUtMDA1MD
U2YWIxMDNl
cn: some_group
I have 4 ipa-servers with versions 4.9.6 and 4.9.10.
I see this result with only one replica, the one with version 4.9.6. I tried deleting the topology segment and reinstalling the ipa-replica, but it doesn't work.
Thanks.
Configuration of server on DO droplet in Docker container and clients behind router's NAT
by Georgiy Odisharia
Hi there,
I know that it is not secure, but I have exposed a FreeIPA instance to the internet for uniform logging between all my machines. They reside on my home network behind an OpenWRT-based router (behind NAT). The router's public IP address is obtained via the ISP's DHCP.
I want to properly set up the FreeIPA server in a Docker container running on a DigitalOcean droplet, set up the DNS entries in the DigitalOcean panel, and properly set up the clients to allow LDAP authentication (sssd.conf, krb5.conf and so on).
I don't know where to start or how to debug this, so any general help would be highly appreciated.
Re: FreeIPA Replica Install Issue
by Rob Crittenden
Jerome Talbert via FreeIPA-users wrote:
> Hello,
>
> We had an issue with one of the replicas and decided to remove it from the
> topology and run the ipa-server-install --uninstall command on the
> replica. I also went through and removed all the SRV records related to
> the replica.
>
> The idea was to reinstall the same server as replica again using the
> command:
>
> ipa-replica-install --setup-dns --setup-ca --principal=admin
> --password='############' --no-forwarders
>
> When I try to run the command, I get the following error message:
>
> ipapython.admintool: ERROR Cannot install replica of a server of
> higher version ((u'00000004', u'00000006', u'00000008', '*final')) than
> the local version ((u'00000004', u'00000006', u'00000006', '*final'))
>
> ipapython.admintool: ERROR The ipa-replica-install command failed.
> See /var/log/ipareplica-install.log for more information
>
> Any ideas what might be going on here? Do I have something left-over on
> the replica that needs to be cleaned up manually first?
As the message says, you are trying to create a new server using a lower
version than the remote server. A higher local version is allowed for
upgrades but not the other way around. (4.6.8 remote, 4.6.6 local).
Updating the IPA packages on your replica should fix it.
rob
use FreeIPA/certmonger to manage and generate TLS certificates for vHosts
by Carlos Mogas da Silva
Hi list!
I'm trying to figure out a way to get certmonger to manage vhost certificates using FreeIPA. I'm able to use it to
generate and renew certificates for the host itself (`host1.example.com`), but what if I have several websites managed
on this same host (`webapp1.example.com` and `webapp2.example.com` are hosted on `host1.example.com`)? Is this possible
at all?
Thanks,
Carlos Mogas da Silva
Accessing the compat subtree requires a specific search base
by Gianluca Amato
Hi,
I have a FreeIPA 4.10 installation with a Squid proxy server using the ext_kerberos_ldap_group_acl helper for authorizations. At some point the helper stopped working correctly. The problem is that ext_kerberos_ldap_group_acl uses the memberuid attribute, which is only available in the "cn=groups,cn=compat,dc=labeconomia,dc=unich,dc=it" subtree. Unfortunately, it seems that traversing the compat subtree is only possible when specifying a search base.
For example, the command
ldapsearch -H <host> "(uid=studente)"
returns the user "uid=studente,cn=users,cn=accounts,dc=labeconomia,dc=unich,dc=it"
If I want to get the corresponding user in the compat subtree, I need to specify a search base as in
ldapsearch -H <host> -b "cn=compat,dc=labeconomia,dc=unich,dc=it" "(uid=studente)"
which correctly returns "uid=studente,cn=users,cn=compat,dc=labeconomia,dc=unich,dc=it"
Now I wonder: is this the correct behavior? And if this is correct, why did ext_kerberos_ldap_group_acl work in the past?
Thanks for any help.
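Both of the compat-tree threads above (the replicas that disagree on a base-scope search, and the compat entries that only appear with an explicit search base) come down to the same check: capture the LDIF that `ldapsearch` prints on each side and diff the entries rather than eyeballing them. The script below is an added example, not code from either poster or from the FreeIPA project. It parses LDIF (including folded lines and `::` base64 values), normalizes DNs, and reports entries missing on one side or attributes whose values differ. The three result sets it works on are constructed to resemble the outputs in the post (the `cn=` prefix and the `example.com` anchor value are assumptions); in practice you would read the real `ldapsearch` output from each replica into `compare_ldif`.

```python
import base64
import re


def normalize_dn(dn):
    """Case-fold a DN and strip whitespace around RDN separators so
    'CN=x, dc=y' and 'cn=x,dc=y' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse ldapsearch output into {normalized_dn: {attr: sorted values}}.

    Handles LDIF line folding (continuation lines begin with one space),
    base64 values ('attr:: ...'), comment lines, and the 'search:' /
    'result:' trailer that ldapsearch appends to every result set."""
    entries = {}
    current = None
    unfolded = re.sub(r"\n ", "", text)          # join folded lines
    for line in unfolded.splitlines():
        if not line.strip():
            current = None                        # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or attr.lower() in ("search", "result", "version"):
            continue
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    for attrs in entries.values():
        for values in attrs.values():
            values.sort()
    return entries


def diff_results(left, right):
    """Return {dn: difference} for every entry missing on one side or whose
    attribute values differ. An empty dict means both sides agree."""
    report = {}
    for dn in sorted(set(left) | set(right)):
        if dn not in left:
            report[dn] = "missing on left"
        elif dn not in right:
            report[dn] = "missing on right"
        else:
            changed = {
                attr: (left[dn].get(attr), right[dn].get(attr))
                for attr in set(left[dn]) | set(right[dn])
                if left[dn].get(attr) != right[dn].get(attr)
            }
            if changed:
                report[dn] = changed
    return report


def compare_ldif(left_text, right_text):
    """Parse two ldapsearch outputs and diff them."""
    return diff_results(parse_ldif(left_text), parse_ldif(right_text))


# Constructed sample data modelled on the post (not real server output).
# The anchor is base64-encoded so the '::' and line-folding paths are exercised.
_ANCHOR = base64.b64encode(b":IPA:example.com:00000000-0000-0000-0000-000000000000").decode()

# Replica X, base scope: the server answers but returns no entry.
REPLICA_X_BASE = """\
# extended LDIF
#
# LDAPv3
# base <cn=some_group,cn=groups,cn=compat,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success
"""

# Replica Y, base scope: the compat group is returned.
REPLICA_Y_BASE = f"""\
# some_group, groups, compat, example.com
dn: cn=some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user2
memberUid: user1
ipaAnchorUUID:: {_ANCHOR[:40]}
 {_ANCHOR[40:]}
cn: some_group

# search result
search: 2
result: 0 Success
"""

# Replica X, subtree scope: the entry appears, but (constructed) with one
# member fewer and no anchor, to show an attribute-level divergence.
REPLICA_X_SUB = """\
dn: cn=some_group,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 12345678
memberUid: user1
cn: some_group
"""

if __name__ == "__main__":
    print("X base vs Y base:", compare_ldif(REPLICA_X_BASE, REPLICA_Y_BASE) or "identical")
    print("X sub  vs Y base:", compare_ldif(REPLICA_X_SUB, REPLICA_Y_BASE) or "identical")
```

Run it against live data with something like `ldapsearch -LLL -H ldap://replica -b "cn=compat,dc=example,dc=com" '(cn=some_group)' > x.ldif` for each replica and pass the file contents to `compare_ldif`; the same call shows the base-vs-no-base discrepancy from the compat-subtree thread if you feed it the two `ldapsearch` outputs with and without `-b`.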
Exception: Invalid instance: pki-tomcat
by Mark Clarke
Hi All,
After a recent system update, the FreeIPA pki-tomcat service will not start. I have traced the error to where FreeIPA attempts to upgrade pki-tomcat in the service unit: "ExecStartPre=/usr/sbin/pki-server upgrade %i". I have no idea why it thinks the instance id is wrong. Does anyone else have this problem and know how to fix it?
VERSION: 4.9.10, API_VERSION: 2.251
Feb 24 06:42:16 auth-server.abc.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: ERROR: Invalid instance: pki-tomcat
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: Traceback (most recent call last):
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 41, in <module>
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: cli.execute(sys.argv)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 145, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: super(PKIServerCLI, self).execute(args)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 217, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: module.execute(module_args)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: File "/usr/lib/python3.6/site-packages/pki/server/cli/upgrade.py", line 135, in execute
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: raise Exception('Invalid instance: %s' % instance_name)
Feb 24 06:42:16 auth-server.abc.com pki-server[2308]: Exception: Invalid instance: pki-tomcat
Re: any disadvantages to using gssproxy?
by Alexander Bokovoy
On Mon, 20 Feb 2023, Charles Hedrick via FreeIPA-users wrote:
>We have a site where some users want to be able to run cron jobs with
>credentials so they can access files via NFS. We are currently using a
>local mechanism to generate those credentials. I'm considering using
>gssproxy instead. I've verified that it will work.
>
>Is there any disadvantage to installing gssproxy on all systems, and
>setting use_gss_proxy in /etc/nfs.conf? We're on Ubuntu 20.04 and
>22.04.
>
>The only issue I can see is that attempts to access files will cause
>something (the server?) to check for delegation entries in LDAP. If
>this only happens when credentials aren't already present, the extra
>overhead should be minimal. But we have lots of calls to rpc.gss,
>particularly since we expire contexts in 30 min, to deal with the
>problem that removing users from a group doesn't remove their access to
>files protected by the group until their NFS session credentials are
>refreshed.
GSSProxy does not look at LDAP at all, it is not written to do so. What
it does is that it allows applications to request operations on behalf
of users (allow_constrained_delegation=true or
allow_constrained_delegation=true in a configuration file) and *that*
requires KDC to perform conditional delegation checks. The check is done
by KDC, not by GSSProxy, at the time when a client (GSSProxy in this
case) would request a protocol transition or constrained delegation, e.g.
to obtain a ticket to a service.
When there is a ticket already, no additional operations would be done.
If you expire tickets in 30 minutes, then at least once in those 30
minutes if you'd get a service performing acquisition of a Kerberos
ticket on behalf of the user, then KDC would get a request.
An additional consideration would be to see if you have any applications
that use Heimdal Kerberos instead of MIT Kerberos. GSSProxy is only
supported for MIT Kerberos-linked applications using GSSAPI. Heimdal has
no interposer mechanism pluggable interface, hence no way to interpose
it this way. That specifically affects Debian and Ubuntu as their Samba
builds are done against Heimdal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland