May 2024 - FreeIPA-users - Fedora Mailing-Lists

FreeIPA - Need help with Expired Certificate

by azeem

Hello! I have inherited a FreeIPA server, and upon checking the certificate list with getcert list, it shows that the certificate is already expired. Does anyone know how to renew it? And coz of this issue, I am not able to enroll any any clients. Any help would be appreciated. Request ID '20160825909273': status: CA_UNREACHABLE ca-error: Server at https://test.domain.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=test.domain.com,O=TEST.DOMAIN.COM expires: 2023-12-18 15:52:08 UTC principal name: ldap/test.domain.com(a)TEST.DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM track: yes auto-renew: yes

1 month

1
0
0 / 0

External IdP/OAuth - additional feature ideas

by Manuel Linsmayer

Hello, I've connected FreeIPA to Dex and Keycloak, which works fine. However, there are two features I'm missing, which would make life a lot easier: - Automatic creation of user account upon first "login" -- at the moment, the FreeIPA user has to be created upfront, and the "IdP reference" has to be set. If the "preferred username" from the IdP can be the same as the username in FreeIPA, then the FreeIPA account could be provisioned automatically. - Evaluation of group memberships from Userinfo endpoint -- upon every login, group memberships should be adapted. This way, group memberships could be managed in the IdP system. Or are there any other features available to "ease" and "streamline" the integration between IdP and FreeIPA? Thank you, Manuel

1 month

2
1
0 / 0

getent group peter and getent shadow peter don't agree on group id

by laolux laolux

I have a freeipa server at freeipa.domain.com. Works fine and users have been migrated from an old NIS setup. New machines are added to the domain and users can log in using their freeipa credentials. However, one issue we have observed is that `getent` does not behave as expected. On a freshly installed server (freeipa client), group information for alice seems to be messed up. Running `getent group alice`, we get `alice:*:1024:`. Running `getent paswd alice`, we get `alice:*:1024:1026:allice NIS_USER:/home/alice:/bin/bash`. Running `id alice`, we get `uid=1024(alice) gid=1026(bob) groups=1026(bob),185400081(sudoers)`. This is very confusing. Neither alice nor bob have local accounts. When checking directly in freeipa (kinit admin; ipa user-show alice --all), we get `UID: 1024`, `GID: 1026` and `Member of groups: sudoers, ipausers`. This seems to be correct, because in the old NIS environment alice had uid 1024 and gid 1026. How can we get `getent group alice` to display the correct gid and `id alice` to not claim that gid 1026 belongs to bob? For reference, `id bob` shows `uid=1026(bob) gid=1028(carol) groups=1028(carol)`. Thank you so much for your help!

1 month

1
0
0 / 0

`ipactl restart` fails with `Unknown error when retrieving list of services from LDAP: not enough values to unpack (expected 2, got 1)`

by Andrea Stacchiotti

Hello everyone, freshly installed ipa server on Oracle Linux 9, via the ansible role at https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaserver/RE... The installation goes apparently well, but if I try restarting the service I get the error in the subject, which prevents dirsrv from starting, a debug log is at the end. This is apparently a known issue, as https://access.redhat.com/solutions/5268961 exists to address it, but I don't have a subscription and I found no other results on the internet. It seems to be an issue finding services, but `ipa service-find` finds HTTP and ldap as expected. Can someone help? Thanks ------------ [root@ipa-innovation opc]# ipactl start -d ipa: DEBUG: importing all plugin modules in ipaserver.plugins... ipa: DEBUG: importing plugin module ipaserver.plugins.aci [...] Starting Directory Service ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'start', 'dirsrv(a)PRIVATE-ACUS-EU.service'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'is-active', 'dirsrv(a)PRIVATE-ACUS-EU.service'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120 ipa: DEBUG: waiting for port: 389 ipa: DEBUG: SUCCESS: port: 389 ipa: DEBUG: Start of dirsrv(a)PRIVATE-ACUS-EU.service complete ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'is-active', 'dirsrv(a)PRIVATE-ACUS-EU.service'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=active ipa: DEBUG: stderr= Failed to read data from service file: Unknown error when retrieving list of services from LDAP: not enough values to unpack (expected 2, got 1) Shutting down ipa: DEBUG: Starting external process ipa: DEBUG: args=['/bin/systemctl', 'stop', 'dirsrv(a)PRIVATE-ACUS-EU.service'] ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: Stop of dirsrv(a)PRIVATE-ACUS-EU.service complete ipa: DEBUG: File "/usr/lib/python3.9/site-packages/ipaserver/install/installutils.py", line 781, in run_script return_value = main_function() File "/usr/lib/python3.9/site-packages/ipaserver/install/ipactl.py", line 735, in main ipa_start(options) File "/usr/lib/python3.9/site-packages/ipaserver/install/ipactl.py", line 398, in ipa_start raise IpactlError(rval=e.rval) ipa: DEBUG: The ipactl command failed, exception: IpactlError:

1 month

2
3
0 / 0

[error] RuntimeError: Too many ID ranges

by Satish Patel

Folks, I am migrating CentOS7 to RockyLinux 8.3. I have my master running on CentOS7 and trying to add replica of RockyLinux 8.3 I am stuck here and not sure what it's actually trying to say and how to fix it? [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Configuring certificate server (pki-tomcatd) [1/2]: configure certmonger for renewals [2/2]: Importing RA key Done configuring certificate server (pki-tomcatd). Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will retry: 4035 (Request failed with status 400: Non-2xx response from CA REST API: 400. Profile KDCs_PKINIT_Certs Not Found).) Failed to configure PKINIT Full PKINIT configuration did not succeed The setup will only install bits essential to the server functionality You can enable PKINIT after the setup completed using 'ipa-pkinit-manage' Done configuring Kerberos KDC (krb5kdc). Applying LDAP updates Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server [7/10]: upgrading server Could not get dnaHostname entries in 60 seconds [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Finalize replication settings Restarting the KDC Configuring SID generation [1/7]: creating samba domain object [2/7]: adding admin(group) SIDs [3/7]: adding RID bases Found more than one local domain ID range with no RID base set. [error] RuntimeError: Too many ID ranges Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Too many ID ranges The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information # ipa idrange-find --all --raw ---------------- 3 ranges matched ---------------- dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com cn: EXAMPLE.COM_id_range ipabaseid: 1000 ipaidrangesize: 200000 iparangetype: ipa-local objectclass: top objectclass: ipaIDrange objectclass: ipaDomainIDRange dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com cn: EXAMPLE.COM_subid_range ipabaseid: 2147483648 ipaidrangesize: 2147352576 ipabaserid: 2147283648 ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254 iparangetype: ipa-ad-trust objectclass: top objectclass: ipaIDrange objectclass: ipaTrustedADDomainRange dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com cn: EXAMPLE_OLD_USERS ipabaseid: 500 ipaidrangesize: 500 iparangetype: ipa-local objectclass: ipadomainidrange objectclass: ipaIDrange ---------------------------- Number of entries returned 3 ----------------------------

1 month

2
5
0 / 0

admin account keep getting lock without reason

by Satish Patel

Folks, I have noticed my admin account keeps getting locked out because of failed attempts but I don't know from where and how. I tried to dig into logs but didn't find any trace of attempt. $ ipa-replica-manage list Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information Unexpected error: Server is unwilling to perform: Too many failed logins. $ ipa user-show --all admin dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=com User login: admin Last name: Administrator Full name: Administrator Home directory: /home/admin GECOS: Administrator Login shell: /bin/bash Principal alias: admin(a)FOO.COM UID: 1000 GID: 1000 Account disabled: False Preserved user: False Password: True Member of groups: admins, trust admins, no-pwd-policy Kerberos keys available: True ipauniqueid: 97f5d270-d355-11e6-a809-000c29712463 krbextradata: AALmz2BfYWRtaW5AVklWT1guQ09NAA== krblastadminunlock: 20240509172126Z krblastpwdchange: 20200915142958Z krblastsuccessfulauth: 20240509172620Z krbloginfailedcount: 0 krbpwdpolicyreference: cn=no-pwd-policy,cn=FOO.COM ,cn=kerberos,dc=foo,dc=com krbticketflags: 128 objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys After running following command it do unlock but in few minutes it will get lock again $ ipa user-unlock admin

1 month

2
3
0 / 0

SSSD OCSP verfification failed

by Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA)

Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD. The OCSP responder CA is not in the trust chain of the CA that issued the smart card certificates. I was able to get openssl ocsp verification to work using "-verify_other" and "-trust_other" options. [root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem -verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem -url http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text WARNING: no nonce in response Response verify OK /home/alvareza/alvarez.pem: good This Update: May 9 00:00:00 2024 GMT Next Update: May 15 06:16:18 2024 GMT I tried to perform OCSP verification with the SSSD p11_child helper, but it does not work. Does anyone know if the "Direct Trust" model for OCSP works with RHEL 8 SSSD? [root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-fd=22 --debug-level=9 --verification --verify ocsp_dgst=sha1,ocsp_default_responder=http://repeater1.xxxxx.xxxxx.xxxx.xxxx .xxxx --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat /home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n") set_debug_file_from_fd failed. (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child started. (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running in [verify] mode. (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running with effective IDs: [0][0]. (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running with real IDs [0][0]. (2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts] (0x4000): Using sha1 for OCSP. (2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts] (0x4000): Using OCSP default responder [http://repeater1.prlh.nadsuswe.nads.navy.mil] (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using OCSP URL [http://repeater1.prlh.nadsuswe.nads.navy.mil]. (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce in OCSP response. This might indicate a replay attack or an OCSP responder which does not support nonces. Accepting response. (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): OCSP_basic_verify() failed to verify OCSP response. (2024-05-09 8:07:24): [p11_child[2817468]] [do_verification] (0x0040): do_ocsp failed. (2024-05-09 8:07:24): [p11_child[2817468]] [do_work] (0x0400): Certificate is NOT valid. 22 (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child failed (22) v/r Angelo Alvarez, CISSP N6 Joint Typhoon Warning Center Work: 808.471.3645 Mobile: 808.389.9474 Email: angelo.alvarez(a)navy.mil <mailto:angelo.alvarez@navy.mil> SiPR Email: angelo.alvarez(a)navy.smil.mil <mailto:angelo.alvarez@navy.smil.mil> "!No contaban on mi astucia!" - El Chapulin Colorado

1 month, 1 week

4
3
0 / 0

RockyLinux error Joining realm failed: Unable to initialize STARTTLS session

by Satish Patel

Folks, I have a FreeIPA server running on CentOS7 and now I am trying to create a replica copy using RockyLinux 9.3. When I try to join, the error related cert expires. I have checked everywhere and didn't find any expired certificates. /usr/sbin/ipa-client-install -p admin -w XXXX --realm=FOO.COM --domain= foo.com --server=ldap-1.foo.com --hostname ldap-2.foo.com -N --no-ssh --no-sshd --request-cert -U --force-join ... ... Joining realm failed: Unable to initialize STARTTLS session Connect error: error:0A000086:SSL routines::certificate verify failed (certificate has expired) Failed to bind to server! Retrying with pre-4.0 keytab retrieval method... Unable to initialize STARTTLS session Connect error: error:0A000086:SSL routines::certificate verify failed (certificate has expired) Failed to bind to server! Failed to get keytab child exited with 9 Installation failed. Rolling back changes. Disabling client Kerberos and LDAP configurations nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Client uninstall complete. On master ldap node I did "/usr/bin/getcert list" and all certs are up to date. Now sure from where this expired cert error is coming from.

1 month, 1 week

1
0
0 / 0

role_del arguments

by Mauricio Tavares

https://freeipa.readthedocs.io/en/latest/api/role_del.html only lists the cn as argument. Shouldn't it also contain the name of the role we want to go away?

1 month, 1 week

2
2
0 / 0

Reenrolling IPA client in split-brain environment

by William Faulk

I have an IdM environment where one of the replicas stopped replicating out. A number of clients were enrolled into this replica. They are currently working fine, since they're basically only ever talking to that replica. But I need to fix that replica, and the only feasible solution at this point seems to be a re-initialization. But that means that these clients' enrollments will disappear. Is there any way to get a client in this state to re-enroll into a different replica that doesn't yet know about it, in such a way that it won't have an interruption in the IdM services it consumes? I only have four systems in this state, so I can reasonably make manual changes to support this, as long as they won't be snowflakes in the long term. -- William Faulk

1 month, 1 week

2
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2024