April 2024 - FreeIPA-users - Fedora Mailing-Lists

by Anton Menshutin

Hello, list. I have installed freeipa server 4.10.2-8 under RockyLinux and would like to setup windows clients to join freeipa domain. I followed the guide https://www.freeipa.org/page/Windows_authentication_against_FreeIPA. When I enter user credentials for the first time windows asks to change password, after password is changed it does not login. After that every attempt results in the "wrong user or password" message. Looking at kerberos log it seems that password is correct but windows does not let the user in for some reason. In audit log it says that login was refused with some error that does not explain anything. Time is in sync as well as timezone. There are a lot of posts saying that this should work but I don't have any clues where to look. Any ideas what might be wrong?

1 month

2
1
0 / 0

How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?

by cdknight

When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.

1 month

5
10
1 / 0

Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting

by Sam Morris

I've got two RHEL 8 servers where named-pkcs11 aborts with an assertion failure after upgrading bind to version 32:9.11.36-11.el8_9.1. ``` Apr 13 15:54:50 named-pkcs11[372364]: zone localhost/IN: loaded serial 0 Apr 13 15:54:50 named-pkcs11[372364]: zone localhost.localdomain/IN: loaded serial 0 Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Apr 13 15:54:50 named-pkcs11[372364]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Apr 13 15:54:50 named-pkcs11[372364]: all zones loaded Apr 13 15:54:50 named-pkcs11[372364]: running Apr 13 15:54:50 named-pkcs11[372364]: ../../../lib/dns-pkcs11/name.c:1116: REQUIRE((target != ((void *)0) && (__builtin_expect(((target) != ((void *)0)), 1) && __builtin_ex> Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing. Apr 13 15:54:50 named-pkcs11[372364]: #0 0x563c05be4d14 in ?? Apr 13 15:54:50 systemd[1]: named-pkcs11.service: New main PID 372364 does not belong to service, and PID file is not owned by root. Refusing. Apr 13 15:54:50 named-pkcs11[372364]: #1 0x7fb179f28fe0 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #2 0x7fb17a23b7b2 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #3 0x7fb1687e4156 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #4 0x7fb1687e45e1 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #5 0x7fb1687e5e60 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #6 0x7fb1687e6214 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #7 0x7fb1687ef3e0 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #8 0x7fb179f50904 in ?? Apr 13 15:54:50 named-pkcs11[372364]: #9 0x7fb179f5158f in ?? Apr 13 15:54:50 named-pkcs11[372364]: #10 0x7fb17733e1ca in ?? Apr 13 15:54:50 named-pkcs11[372364]: #11 0x7fb176c42e73 in ?? Apr 13 15:54:50 named-pkcs11[372364]: exiting (due to assertion failure) ``` Downgrading to 9.11.36-11.el8_9.x86_64 fixes the problem. Here's the stack trace from 'coredumpctl info named-pkcs11': ``` Stack trace of thread 325662: #0 0x00007f0575081acf raise (libc.so.6) #1 0x00007f0575054ea5 abort (libc.so.6) #2 0x0000557c3cbecd2a assertion_failed.cold.5 (named-pkcs11) #3 0x00007f0578352fe0 isc_assertion_failed (libisc-pkcs11.so.1107) #4 0x00007f05786657b2 dns_name_fromtext (libdns-pkcs11.so.1115) #5 0x00007f056e20b156 empty_zone_search_next (ldap.so) #6 0x00007f056e20b5e1 empty_zone_handle_conflicts (ldap.so) #7 0x00007f056e20ce60 fwd_configure_zone (ldap.so) #8 0x00007f056e20d214 fwd_reconfig_global (ldap.so) #9 0x00007f056e2163e0 update_serverconfig (ldap.so) #10 0x00007f057837a904 dispatch (libisc-pkcs11.so.1107) #11 0x00007f057837b58f run_normal (libisc-pkcs11.so.1107) #12 0x00007f05757681ca start_thread (libpthread.so.0) #13 0x00007f057506ce73 __clone (libc.so.6) ``` I can open a Jira, attach coredumps, etc. next week if needed. ``` -- Sam Morris <sam(a)robots.org.uk> ```

1 month, 1 week

2
2
0 / 0

ipaclient-install.log certutil: Could not find cert:

by C Wilson

Hello I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible but when I've come to rolling out the clients I'm hitting this problem. When running ipa-client-install: ipa-client-install -N --fixed-primary --server server.domain.local --realm DOMAIN.LOCAL --domain DOMAIN.local --principal admin --password 'adminpassword' -U I get the following error: Please make sure the following ports are opened in the firewall settings: TCP: 80, 88, 389 UDP: 88 (at least one of TCP/UDP ports 88 has to be open) Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled) Installation failed. Rolling back changes. Disabling client Kerberos and LDAP configurations nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Client uninstall complete. Kerberos authentication failed: kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials I've disabled the firewall on both systems, DNS resolves the server name. I can nmap and telnet to the ports listed so I don't think it's a networking issue. The ipa server appears to be running fine: [root@server tmp]# service ipa status Redirecting to /bin/systemctl status ipa.service ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; preset: disabled) Active: active (exited) since Wed 2024-04-10 15:49:49 UTC; 2 days ago Main PID: 18336 (code=exited, status=0/SUCCESS) CPU: 1.610s Apr 10 15:49:48 server ipactl[18336]: Assuming stale, cleaning and proceeding Apr 10 15:49:49 server ipactl[18336]: ipa: INFO: The ipactl command was successful Apr 10 15:49:49 server ipactl[18336]: Starting Directory Service Apr 10 15:49:49 server ipactl[18336]: Starting krb5kdc Service Apr 10 15:49:49 server ipactl[18336]: Starting kadmin Service Apr 10 15:49:49 server ipactl[18336]: Starting httpd Service Apr 10 15:49:49 server ipactl[18336]: Starting ipa-custodia Service Apr 10 15:49:49 server ipactl[18336]: Starting pki-tomcatd Service Apr 10 15:49:49 server ipactl[18336]: Starting ipa-otpd Service Apr 10 15:49:49 server systemd[1]: Finished Identity, Policy, Audit. Looking at the ipaclient-install.log there are lines that are semi interesting but I can't see how to progress from here to resolve the issue: 2024-04-12T16:25:51Z DEBUG stderr=kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials 2024-04-12T16:25:51Z ERROR Installation failed. Rolling back changes. 2024-04-12T16:25:52Z DEBUG stderr= 2024-04-12T16:25:52Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - virt01.domain.local : PR_FILE_NOT_FOUND_ERROR: File not found but if I run `kinit admin(a)server.domain.local` it authenticates. I seem to be at a dead end, How do I troubleshoot this further?

1 month, 1 week

3
2
0 / 0

Cannot retrieve CRL from new EL9 IPA replica

by Orion Poplawski

I've just added an EL9 IPA replica into our domain. I seems to generally be working fine, but trying to download the MasterCRL.bin fails: ==> /var/log/httpd/access_log <== 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ipa/crl/MasterCRL.bin HTTP/1.1" 301 293 "-" "curl/7.76.1" ==> /var/log/httpd/error_log <== [Wed Apr 10 14:14:17.830119 2024] [proxy_ajp:error] [pid 28001:tid 28040] (70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't receive header [Wed Apr 10 14:14:17.830249 2024] [proxy_ajp:error] [pid 28001:tid 28040] [client 10.20.0.37:35124] AH00992: ajp_read_header: ajp_ilink_receive failed [Wed Apr 10 14:14:17.830261 2024] [proxy_ajp:error] [pid 28001:tid 28040] (70007)The timeout specified has expired: [client 10.20.0.37:35124] AH00878: read response failed from [::1]:8009 (localhost:8009) ==> /var/log/httpd/access_log <== 10.20.0.37 - - [10/Apr/2024:14:13:17 -0700] "GET /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL HTTP/1.1" 500 527 "-" "curl/7.76.1" I'm not sure where else to look for logs. TIA, Orion -- Orion Poplawski he/him/his - surely the least important thing about me Manager of IT Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion(a)nwra.com Boulder, CO 80301 https://www.nwra.com/

1 month, 1 week

2
3
0 / 0

httpd uses 2x100% CPU

by Bo Lind

I just went to check on one of my replicas, and noticed that the IPA web server seems to use a lot of CPU: From htop: PID USER PRI NI VIRT RES SHR S CPU%▽MEM% TIME+ Command 507664 ipaapi 20 0 1353M 459M 16656 S 100.8 0.2 24h15:19 (wsgi:ipa) -DFOREGROUND 507984 ipaapi 20 0 1353M 459M 16656 R 100.8 0.2 24h15:12 (wsgi:ipa) -DFOREGROUND From top: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 507664 ipaapi 20 0 1385892 470580 16656 S 100.0 0.2 1456:06 httpd I checked /var/log/httpd/access_log and error_log, but there was nothing out of the ordinary. I have not yet restarted the service/machine, as it's in production. Any ideas?

1 month, 1 week

2
1
0 / 0

"Credential cache is empty" error preventing certmonger from renewing a host's certificate

by Sam Morris

I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20 08:24:49 [622035] Certificate submission attempt complete. 2023-06-20 08:24:49 [622035] Child status = 2. 2023-06-20 08:24:49 [622035] Child output: "Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is > " 2023-06-20 08:24:49 [622035] Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more infor> Here's the tracking request, nothing looks out of the ordinary to me... # getcert list -i 20220519165212 Number of certificates and requests being tracked: 2. Request ID '20220519165212': status: MONITORING ca-error: Server at https://ipa5.ipa.example.com/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cre. stuck: no key pair storage: type=FILE,location='/etc/cockpit/ws-certs.d/51-myhost.key' certificate: type=FILE,location='/etc/cockpit/ws-certs.d/51-myhost.crt' CA: IPA issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM subject: CN=myhost.ipa.example.com,O=IPA.EXAMPLE.COM issued: 2023-03-25 16:52:45 UTC expires: 2023-06-23 16:52:45 UTC dns: myhost.ipa.example.com principal name: host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes In order to rule out a problem with ipa5, I used 'ipactl' to stop everything on it, then re-ran 'getcert resubmit -i 20220519165212'. In the subsequent output of 'getcert list -i 20220519165212' I saw the same error message displayed but with the name of a different IPA server. So I don't think this is a problem with a particular IPA server. Next I extracted the CSR data from '/var/lib/certmonger/requests/20220519165212' to a file, authenticated as host/myhost.ipa.example.com (with 'kinit -k') and then ran 'ipa cert-request host.req --principal=host/myhost.ipa.example.com', which worked! So perhaps the problem is with certmonger, or with the way in which it interacts with the IPA server that differs from simply running 'ipa cert-request' as I did manually. I also tried to look for logs on the server side, but I didn't find anything very useful. /var/log/httpd/access_log has: 192.168.0.4 - - [20/Jun/2023:13:21:53 +0000] "POST /ipa/json HTTP/1.1" 401 2719 192.168.0.4 - host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [20/Jun/2023:13:21:53 +0000] "POST /ipa/json HTTP/1.1" 200 526 So it looks like certmonger is having no problem authenticating to ipaapi. httpd is logging: $ journalctl -u httpd -e Jun 20 13:21:56 [121899]: GSSAPI client step 1 Jun 20 13:21:56 [121899]: GSSAPI client step 1 Jun 20 13:21:57 [121899]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty) So is looks like ipaapi might be having trouble using Kerberos as a client? I added KRB5_TRACE=/var/lib/httpd/krb5.trace to httpd.service's Environment= and restarted it, then re-ran 'getcert resubmit' on the tracking request. I got these messages: [124285] 1687270136.437160: Initializing FILE:/tmp/krb5cc-httpd with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124285] 1687270136.437161: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: in FILE:/tmp/krb5cc-httpd [124285] 1687270136.437163: Retrieving HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: from FILE:/tmp/krb5cc-httpd with result: 0/Success [124285] 1687270136.437165: Initializing FILE:/run/ipa/ccaches/host~myhost.ipa.example.com@IPA.EXAMPLE.COM-h3azdl with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124285] 1687270136.437166: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> Encrypted/Credentials/v1@X-GSSPROXY: in FILE:/run/ipa/ccaches/host~myhost.ipa.example.com@IPA.EXAMPLE.COM-h3azdl No errors there either. I set KRB5_TRACE=/var/lib/gssproxy/krb5.trace in gssproxy.service's Environment= and got: [124798] 1687270460.854044: Resolving unique ccache of type MEMORY [124798] 1687270460.854045: Initializing MEMORY:GJanRRF with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854046: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:GJanRRF [124798] 1687270460.854047: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:GJanRRF [124798] 1687270460.854048: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:GJanRRF [124798] 1687270460.854049: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:GJanRRF [124798] 1687270460.854052: Destroying ccache MEMORY:GJanRRF [124798] 1687270460.854054: Resolving unique ccache of type MEMORY [124798] 1687270460.854055: Initializing MEMORY:Cn5E8Va with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854056: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:Cn5E8Va [124798] 1687270460.854057: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:Cn5E8Va [124798] 1687270460.854058: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:Cn5E8Va [124798] 1687270460.854059: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:Cn5E8Va [124798] 1687270460.854062: Destroying ccache MEMORY:Cn5E8Va [124798] 1687270460.854064: Resolving unique ccache of type MEMORY [124798] 1687270460.854065: Initializing MEMORY:8e5DNHy with default princ HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854066: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:8e5DNHy [124798] 1687270460.854067: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:8e5DNHy [124798] 1687270460.854068: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:8e5DNHy [124798] 1687270460.854069: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:8e5DNHy [124798] 1687270460.854071: Decrypted AP-REQ with server principal HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM: aes256-cts/E0A2 [124798] 1687270460.854072: AP-REQ ticket: host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, session key aes256-cts/1952 [124798] 1687270460.854073: Negotiated enctype based on authenticator: aes256-cts [124798] 1687270460.854074: Authenticator contains subkey: aes256-cts/2098 [124798] 1687270460.854075: Resolving unique ccache of type MEMORY [124798] 1687270460.854076: Initializing MEMORY:FX6Yqgq with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854077: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:FX6Yqgq [124798] 1687270460.854078: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854079: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854080: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854081: Storing config in MEMORY:FX6Yqgq for : proxy_impersonator: HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270460.854082: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:FX6Yqgq [124798] 1687270460.854083: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:FX6Yqgq [124798] 1687270460.854085: Creating AP-REP, time 1687270460.725581, subkey aes256-cts/BB66, seqnum 668121546 [124798] 1687270461.005570: Destroying ccache MEMORY:FX6Yqgq [124798] 1687270461.005573: Destroying ccache MEMORY:8e5DNHy [124798] 1687270461.005575: Resolving unique ccache of type MEMORY [124798] 1687270461.005576: Initializing MEMORY:NmnNwyD with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005577: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:NmnNwyD [124798] 1687270461.005578: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005579: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005580: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005581: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:NmnNwyD [124798] 1687270461.005582: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:NmnNwyD [124798] 1687270461.005585: Destroying ccache MEMORY:NmnNwyD [124798] 1687270461.005587: Resolving unique ccache of type MEMORY [124798] 1687270461.005588: Initializing MEMORY:gUnl8Xt with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005589: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:gUnl8Xt [124798] 1687270461.005590: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005591: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005592: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005593: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:gUnl8Xt [124798] 1687270461.005594: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:gUnl8Xt [124798] 1687270461.005597: Destroying ccache MEMORY:gUnl8Xt [124798] 1687270461.005599: Resolving unique ccache of type MEMORY [124798] 1687270461.005600: Initializing MEMORY:wBGblf3 with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005601: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:wBGblf3 [124798] 1687270461.005602: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005603: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005604: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005605: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:wBGblf3 [124798] 1687270461.005606: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:wBGblf3 [124798] 1687270461.005609: Destroying ccache MEMORY:wBGblf3 [124798] 1687270461.005611: Resolving unique ccache of type MEMORY [124798] 1687270461.005612: Initializing MEMORY:4uHf47g with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005613: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:4uHf47g [124798] 1687270461.005614: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005615: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005616: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005617: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:4uHf47g [124798] 1687270461.005618: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:4uHf47g [124798] 1687270461.005621: Destroying ccache MEMORY:4uHf47g [124798] 1687270461.005623: Resolving unique ccache of type MEMORY [124798] 1687270461.005624: Initializing MEMORY:9LUdBez with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005625: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:9LUdBez [124798] 1687270461.005626: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005627: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005628: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005629: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:9LUdBez [124798] 1687270461.005630: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:9LUdBez [124798] 1687270461.005634: Initializing MEMORY:cred_allowed_0x7f85d9152380 with default princ host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM [124798] 1687270461.005635: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005636: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005637: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/IPA.EXAMPLE.COM\@IPA.EXAMPLE.COM(a)X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005638: Storing HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005639: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005640: Storing host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM in MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005641: Destroying ccache MEMORY:cred_allowed_0x7f85d9152380 [124798] 1687270461.005644: Getting credentials host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com@ using ccache MEMORY:9LUdBez [124798] 1687270461.005645: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:9LUdBez with result: -1765328243/Matching credential not found [124798] 1687270461.005646: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com@ from MEMORY:9LUdBez with result: -1765328243/Matching credential not found [124798] 1687270461.005647: Retrying host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM with result: -1765328243/Matching credential not found [124798] 1687270461.005648: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM from MEMORY:9LUdBez with result: 0/Success [124798] 1687270461.005649: Getting credentials HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM using ccache MEMORY:9LUdBez [124798] 1687270461.005650: Retrieving host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:9LUdBez with result: -1765328243/Matching credential not found [124798] 1687270461.005651: Retrieving HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM -> krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM from MEMORY:9LUdBez with result: 0/Success [124798] 1687270461.005652: Get cred via TGT krbtgt/IPA.EXAMPLE.COM(a)IPA.EXAMPLE.COM after requesting ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM (canonicalize on) [124798] 1687270461.005653: Generated subkey for TGS request: aes256-cts/FBB4 [124798] 1687270461.005654: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-cts, aes128-sha2, camellia128-cts [124798] 1687270461.005656: Encoding request body and padata into FAST request [124798] 1687270461.005657: Sending request (5335 bytes) to IPA.EXAMPLE.COM [124798] 1687270461.005658: Initiating TCP connection to stream 192.168.0.5:88 [124798] 1687270461.005659: Sending TCP request to stream 192.168.0.5:88 [124798] 1687270461.005660: Received answer (508 bytes) from stream 192.168.0.5:88 [124798] 1687270461.005661: Terminating TCP connection to stream 192.168.0.5:88 [124798] 1687270461.005662: Response was from master KDC [124798] 1687270461.005663: Decoding FAST response [124798] 1687270461.005664: Decoding FAST response [124798] 1687270461.005665: Got cred; -1765328371/KDC can't fulfill requested option [124798] 1687270461.005669: Destroying ccache MEMORY:9LUdBez The only thing that looks like an error in that output is "KDC can't fulfill requested option". The last place I can think of looking is in /var/log/krb5kdc.log: Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): TGS_REQ : handle_authdata (-1765328371) Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.0.5: HANDLE_AUTHDATA: authtime 1687270653, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, KDC can't fulfill requested option Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): ... CONSTRAINED-DELEGATION s4u-client=host/myhost.ipa.example.com(a)IPA.EXAMPLE.COM Jun 20 14:17:34 ipa5.ipa.example.com krb5kdc[119948](info): closing down fd 12 There's another instance of "KDC can't fulfill requested option". My best guess is that there's something wrong with the constrained delegation setup that lets ipaapi access the directory on behalf of the client host? But this looks fine: $ ipa servicedelegationrule-show ipa-http-delegation Delegation name: ipa-http-delegation Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets Member principals: HTTP/ipa3.ipa.example.com(a)IPA.EXAMPLE.COM, HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, HTTP/ipa6.ipa.example.com(a)IPA.EXAMPLE.COM $ ipa servicedelegationtarget-show ipa-ldap-delegation-targets Delegation name: ipa-ldap-delegation-targets Member principals: ldap/ipa3.ipa.example.com(a)IPA.EXAMPLE.COM, ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, ldap/ipa6.ipa.example.com(a)IPA.EXAMPLE.COM ... and in any case a simple 'ipa cert-request' as the host worked fine, it's only certmonger's attempts to request a certificate that are failing. The IPA client has: ipa-client-4.9.11-5.module+el8.8.0+18147+84fe6ec1.x86_64 certmonger-0.79.17-2.el8.x86_64 ... and the server has: ipa-server-4.9.11-5.module+el8.8.0+18146+a1d8660b.x86_64 Any troubleshooting help is really appreciated! -- Sam Morris <https://robots.org.uk/> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

1 month, 1 week

2
5
0 / 0

Extra objectClass for new IPA group

by Winfried de Heiden

Hi all, Following documentation as provided on: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... adding an extra objectClass (groupOfUniqueNames in this case) to newly created groups turned out to be easy. It seems we depend of this objectClass and its attribute "uniqueMember" because of existing applications. Adding the latter attribute will only work from the CLI. (ipa group-mod dummy3 --addattr=uniqueMember=uid=someuser,cn=users,cn=accounts,dc=example,dc=com) OK, this seems to work well, but the objectClass will be added to ALL newly created groups since the objectClass is added to the defaults. Now, let's say I want to add an extra objectClass to only one new created group; how would that be possible? The command "ipa group-add" command does not provide such an option, does it? FYI, I'm running/testing IPA version: 4.11.0 on RHEL 9.4 Beta :) The new attributes will not be visible in de webUI, only using the CLI (or good-old Apache Directory Studio of ldapsearch). Correct? -- email handtekening privé Met vriendelijke groet, Winfried de Heiden wdh(a)dds.nl

1 month, 1 week

2
2
0 / 0

'ipk11id length should not be 0' -- 'restart counter at 811' how to correct?

by Harry G Coin

What's the correct way to correct the cause of this error message? There is no guidance online I can find. I first saw it a few years ago, it's back. ipa-ods-exporter emits this assertion, then quits. ipk11id length should not be 0 This system hosts the dnssec master db. There is one replica. That's it. Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Scheduled restart job, restart counter is at 811. Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: Stopped IPA OpenDNSSEC Signer replacement. Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 2.876s CPU time. Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: Started IPA OpenDNSSEC Signer replacement. Apr 07 08:12:09 registry1.1.quietfountain.com ipa-ods-exporter[857534]: ipa-ods-exporter: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1 Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1 Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1 Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: Traceback (most recent call last): Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: File "/usr/libexec/ipa/ipa-ods-exporter", line 718, in <module> Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: ldap2master_replica_keys_sync(ldapkeydb, localhsm) Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: File "/usr/libexec/ipa/ipa-ods-exporter", line 295, in ldap2master_replica_keys_sync Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: hex_set(localhsm.replica_pubkeys_wrap)) Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 130, in replica_pubkeys_wrap Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY, Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 114, in find_keys Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: key = Key(self.p11, h) Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 38, in __init__ Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: assert len(cka_id) != 0, 'ipk11id length should not be 0' Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: AssertionError: ipk11id length should not be 0 Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'. Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 2.938s CPU time. on [root@registry1 ~]# dnf info ipa-server Last metadata expiration check: 3:19:38 ago on Sun 07 Apr 2024 04:55:29 AM CDT. Installed Packages Name : ipa-server Version : 4.10.2 Release : 8.el9_3.alma.1 Architecture : x86_64 Size : 1.1 M Source : ipa-4.10.2-8.el9_3.alma.1.src.rpm Repository : @System From repo : appstream Summary : The IPA authentication server 5.14.0-362.24.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 20 04:52:13 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux p11 tools has one entry that has no id, no label, RSA of 0 byte length, with also the 'wrap' flag. There's no obvious way to track that back to a file-- if that's event the right path to explore. It's pretty much dead until this is solved.

1 month, 1 week

1
0
0 / 0

CA Subsystem certificate

by Travis West

The person who set this up is no longer available. We have 6 IPA servers in a cluster, all set as MASTER. All servers are running IPA v. 4.6.4. On 8 March the CA Subsystem certificate expired. When looking at the certificate I noticed it had an incorrect Common Name, which may be why it didn't renew. I checked the pki-tomcat CS.cfg and the two lines ca.subsystem.cert - Has cert with incorrect hostname listed ca.subsystem.certreq - Has cert request for correct ca subsystem cert (Common Name CA Subsystem) I tried removing the errant ca subsystem cert from the NSS DB in pki-tomcat/alias and was successful. I then tried to request a new SubSystem Cert using this command getcert request -I CASubsystem -c dogtag-ipa-renew-agent -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -N 'cn=CA Subsystem,o=IPA.*****.NET' -P 'PIN_FROM_FILE' -t 'NSS Certificate DB' And that seems to at least have issued the request because 'getcert list' shows the request, but with a CA_REJECTED message. If I do an ldapsearch for the certificate, it shows the the correct cert with CN=CA Subystem, but the one that expired on 8 March. How can I get a valid CA Subsystem cert again so I can start the CA on all IPA servers?

1 month, 2 weeks

3
38
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users April 2024