FreeIPA-users May 2025

freeipa-users@lists.fedorahosted.org

27 participants
39 discussions

IPA Replica installation is failing - Missing certificate Server-Cert cert-pki-ca a
by John Tor 28 May '25

28 May '25

Hi, I had tried many times to install free-ipa-replica, but I always have the same error at this step: DEBUG: NSSDatabase.get_cert(Server-Cert cert-pki-ca) begins DEBUG: Command: certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -f /tmp/tmpxotjk756/password.txt -n Server-Cert cert-pki-ca -a DEBUG: stdout: -1 DEBUG: NSSDatabase: stderr: certutil: Could not find cert: Server-Cert cert-pki-ca : PR_FILE_NOT_FOUND_ERROR: File not found DEBUG: Cert not found: Server-Cert cert-pki-ca INFO: Updating /var/lib/pki/pki-tomcat/conf/serverCertNick.conf INFO: Updating serverCertNickFile in server.xml INFO: Joining security domain at https://master.example.com:443 ERROR: KeyError: 'CA' File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 594, in main deployer.spawn() File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 5986, in spawn scriptlet.spawn(self) File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 76, in spawn deployer.setup_security_domain(subsystem) File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2854, in setup_security_domain self.join_security_domain() File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2795, in join_security_domain sd_subsystem = self.domain_info.subsystems['CA'] Failed to configure CA instance See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 688, in start_creation run_step(full_msg, method) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 674, in run_step method() File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 685, in __spawn_instance DogtagInstance.spawn_instance( File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 643, in handle_setup_error raise RuntimeError( RuntimeError: CA configuration failed. [error] RuntimeError: CA configuration failed. [error] RuntimeError: CA configuration failed. Removing /root/.dogtag/pki-tomcat/ca Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute return_value = self.run() File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 343, in run return cfgr.run() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next return next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure next(executor) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner exc_handler(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner step() File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next return next(self.__gen) File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise raise value File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 687, in main replica_install(self) File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 387, in decorated func(installer) File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1446, in install ca.install(False, config, options, custodia=custodia) File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 546, in install install_step_0(standalone, replica_config, options, custodia=custodia) File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 621, in install_step_0 ca.configure_instance( File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 522, in configure_instance self.start_creation(runtime=runtime) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 688, in start_creation run_step(full_msg, method) File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 674, in run_step method() File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 685, in __spawn_instance DogtagInstance.spawn_instance( File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 643, in handle_setup_error raise RuntimeError( The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed. CA configuration failed. The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information I am stuck in a loop, I tried with new server but It didn't work. I am using AlmaLinux 9.6 fully updated and the command I used was: ipa-replica-install --setup-dns --forwarder 1.1.1.1 --setup-ca --verbose The command ipa-client-install worked perfect. certutil -L -d sql:/var/lib/pki/pki-tomcat/conf/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u I don't know what else to do :/ Regards

2 3

Creating an IPA Replica FAILING LDAP Authentication
by Gato Sombrero 28 May '25

28 May '25

I am attempting to create an IPA replica. I have been stuck at this for about 3-4 months. This is what I am at: args=['/bin/systemctl', 'restart', 'dirsrv(a)REALM.service'] Process finished, return code=0 stdout= stderr= Restart of dirsrv(a)REALM.service complete Created connection context.ldap2_xxxxxxxxxxxxxxxx Fetching nsDS5ReplicaId from master [attempt 1/5] retrieving schema for SchemaCache url=ldap://primary.example.internal:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0xXXXXXXXXXXXX> Successfully updated nsDS5ReplicaId. Add or update replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config Added replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config update_entry modlist [(2, 'nsslapd-changelogmaxage', [b'30d'])] update_entry modlist [(0, 'nsDS5ReplicaBindDN', [b'cn=ldap/primary.example.internal(a)REALM.EXAMPLE.INTERNAL,cn=config'])] Fetching nsDS5ReplicaId from master [attempt 1/5] Successfully updated nsDS5ReplicaId. Add or update replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config Added replica config cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config update_entry modlist [(2, 'nsslapd-changelogmaxage', [b'30d'])] Waiting up to 300 seconds for replication (ldap://primary.example.internal:389) cn=meTosecondary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config (objectclass=*) Entry found [LDAPEntry(ipapython.dn.DN('cn=meTosecondary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config'), {... 'description': [b'me to secondary.example.internal'], ... 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], ... 'nsDS5ReplicaLastUpdateStatusJSON': [b'{"state": "green", ... "message": "Error (0) No replication sessions started since server startup"}'], ...})] Waiting up to 300 seconds for replication (ldapi://%2Frun%2Fslapd-REALM.socket) cn=meToprimary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config (objectclass=*) Entry found [LDAPEntry(ipapython.dn.DN('cn=meToprimary.example.internal,cn=replica,cn=dc\=example\,dc\=internal,cn=mapping tree,cn=config'), {... 'description': [b'me to primary.example.internal'], ... 'nsDS5ReplicaBindMethod': [b'SASL/GSSAPI'], ... 'nsDS5ReplicaLastUpdateStatusJSON': [b'{"state": "green", ... "message": "Error (0) No replication sessions started since server startup"}'], ...})] Starting replication, please wait until this has completed. Update in progress, 15 seconds elapsed [ldap://primary.example.internal:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received] I obviously scrubbed my information and replaced it with placeholders. The main issue that I am getting is: Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received] This is what I am doing: ##### STEP1: Create the FreeIPA Master ##### sudo ipa-server-install --setup-dns --no-forwarders --auto-reverse --hostname=$(hostname -f) --domain=$(hostname -d) --realm=$(hostname -d | awk '{print toupper($0)}') --netbios-name=$(hostname -d | awk -F. '{out=""; for(i=NF-1;i>=1;i--) out=out (out?"-":"") toupper($i); print substr(out,1,15)}') ##### STEP2: Add Service Account ##### ipa user-add svc --first=svc --last=svc --cn=svc --displayname='' --initials='' --gecos='' ipa hbacrule-add allow_svc --desc="Allow the service account to access any host from any host" && ipa hbacrule-mod allow_svc --hostcat=all --servicecat=all && ipa hbacrule-add-user allow_svc --users=svc && ipa hbacrule-enable allow_svc ipa hbacrule-add allow_svc --desc="Allow the service account to access any host from any host" && ipa hbacrule-mod allow_svc --hostcat=all --servicecat=all && ipa hbacrule-add-user allow_svc --users=svc && ipa hbacrule-enable allow_svc ##### STEP3: Enroll Client ##### eval $(sudo cat /root/.ipa_enroll_admin | tr -d '\r' | grep -v '^#') && sudo ipa-client-install --principal=${IPA_PRINCIPAL} --password=${IPA_SECRET} --enable-dns-updates --mkhomedir --all-ip-addresses --force-join --unattended && unset IPA_PRINCIPAL && unset IPA_SECRET ##### STEP4: Add Client to Group "ipaservers" ##### ipa hostgroup-add-member ipaservers --hosts="$host"; done ##### STEP5: Promote Replica ##### sudo ipa-replica-install --setup-dns --setup-ca --no-forwarders --verbose --unattended These are the steps DIRECTLY from the documentation on RedHat's website as well as the FreeIPA website. I have not deviated from them. I have not done anything different or special. I am using the commands above in order to simplify as much as I can since I have been installing and configuring these over and over and over again from scratch and after a certain point, I am tired of entering in all the information. If anyone has any advice or assistance. I have dug deep inside the docs and found nothing. I have searched my exact problem on Google and have gotten exactly 2 pages of results and half of them are useless and the other half are at least somewhat relevant but not what I am dealing with. Any advice or assistance would be greatly appreciated.

2 2

AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit
by Kees Bakker 28 May '25

28 May '25

Every now and then we see that httpd is spitting out this message, one per second. It continues to do so until we restart httpd. The server is still operational when it happens. The load is low. [Sun May 25 00:00:10.084137 2025] [mpm_event:error] [pid 282380:tid 282380] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit. [Sun May 25 00:00:11.085262 2025] [mpm_event:error] [pid 282380:tid 282380] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit. [Sun May 25 00:00:12.086405 2025] [mpm_event:error] [pid 282380:tid 282380] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit. [Sun May 25 00:00:13.087482 2025] [mpm_event:error] [pid 282380:tid 282380] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit. Until now we haven't found what is causing this. Our "solution" is then to restart httpd. Is there something we can change in our settings to avoid it? -- Kees

4 4

dirsrv@DOMAIN crashing with core-dump
by alexey safonov 28 May '25

28 May '25

Hi, having freeIPA 4.12.2-1.el9_5.4 and recently has an issue where dirsrv is crashing once per two days with core-dump (for some reason systemd doesn't restarting it). How to troubleshoot / find, what is the root cause for that issue? Checking logs, also found strange behaviour with dnskeysncd. not sure if that is related or not May 28 17:59:03 qb-mum-vm01 systemd[1]: Started IPA key daemon. May 28 17:59:04 qb-mum-vm01 ipa-dnskeysyncd[319295]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details May 28 17:59:05 qb-mum-vm01 ipa-dnskeysyncd[319295]: ipa-dnskeysyncd: CRITICAL Kerberos authentication failed: Major (458752): No credentials were supplied, or the credentials were una vailable or inaccessible, Minor (2529638972): Generic error (see e-text) May 28 17:59:05 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE May 28 17:59:05 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. May 28 17:59:05 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Consumed 2.005s CPU time. May 28 18:00:06 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 143. May 28 18:00:06 qb-mum-vm01 systemd[1]: Stopped IPA key daemon. May 28 18:00:06 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Consumed 2.005s CPU time. May 28 18:00:06 qb-mum-vm01 systemd[1]: Started IPA key daemon. May 28 18:00:06 qb-mum-vm01 ipa-dnskeysyncd[319309]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details May 28 18:00:07 qb-mum-vm01 ipa-dnskeysyncd[319309]: ipa-dnskeysyncd: CRITICAL Kerberos authentication failed: Major (458752): No credentials were supplied, or the credentials were una vailable or inaccessible, Minor (2529638972): Generic error (see e-text) May 28 18:00:08 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE May 28 18:00:08 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. May 28 18:00:08 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Consumed 1.923s CPU time. May 28 18:01:08 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 144. May 28 18:01:08 qb-mum-vm01 systemd[1]: Stopped IPA key daemon. May 28 18:01:08 qb-mum-vm01 systemd[1]: ipa-dnskeysyncd.service: Consumed 1.923s CPU time. May 28 18:01:08 qb-mum-vm01 systemd[1]: Started IPA key daemon.

2 1

ad login after reinstallation
by Remo Schmid 28 May '25

28 May '25

i have a construct with two freeipa servers and a samba ad that trusts each other. now i have rebuilt a freeipa, since then i have problems with the authentication. logging in via ssh on server works (via ssh key), but doing sudo on the server with the ad user does not work. according to logfiles the password of the ad user is checked correctly and there i also see different logs if the password is correct or wrong. Kerberos says the password is checked successfully. however, it does not work afterwards. in the krbt5_child.log I see the following error. ==> [krb5_child[33538]] [get_and_save_tgt] (0x0020): [RID#45] 2395: [-1765328353][Decrypt integrity check failed] the trust position looks good from samba ad as well as from the ipa side. are there any who have had similar problems after reinstalling? any ideas what else I should check?

4 6

FreeIPA at the Red Hat Summit 2025
by Alexander Bokovoy 27 May '25

27 May '25

Hello, I have attended Red Hat Summit 2025 last week in Boston and gave few talks about FreeIPA. They were run as a part of the Community Theater stage on the exhibition hall. Each talk at the Community Theater is a lightning talk: 20 minutes total, including questions, and aims to show what happens in upstream development. I gave four talks, all named 'Experiencing FreeIPA before RHEL IdM', exploring different areas of FreeIPA ecosystem: - Deployment migration - Integration with Keycloak - Trust between IdM deployments - ansible-freeipa dynamic inventory For several topics we actually have upstream demo labs in https://github.com/freeipa/freeipa-local-tests/ project, so if you want to experiment yourself, it is possible now. The talks weren't recorded but were well attended. Community Theater had roughly 35-40 seats available and since it was in the middle of the exhibition hall, sometimes more folks were lured into the talks while walking around. I uploaded my slides to the FreeIPA web site: https://www.freeipa.org/page/Documentation.html#red-hat-summit-2025-lightin… -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

1 0

[SSSD] Announcing SSSD 2.9.7
by Alexey Tikhonov 21 May '25

21 May '25

# SSSD 2.9.7 The SSSD team is announcing the release of version 2.9.7 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.9.7 Note that this is the latest release of 2.9.x LTM branch. See the full release notes at: https://sssd.io/release-notes/sssd-2.9.7.html ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users # SSSD 2.9.7 Release Notes ## Highlights ### General information * When both IPv4 and IPv6 address families are resolvable, but the primary is blocked on firewall, SSSD attempts to connect to the server on the secondary family. ### New features * SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the 'sssd-ipa' man page. ### Important fixes * 'sssd_kcm' memory leak was fixed. ### Configuration changes * New 'ldap_read_rootdse' option allows you to specify how SSSD will read RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated" and "never" * Until now dyndns_iface option supported only "*" for all interfaces or exact names. With this update it is possible to use shell wildcard patterns (e. g. eth*, eth[01], ...).

1 0

MNAME vs. idnsSOAmName
by Jerzy Borkowski 16 May '25

16 May '25

Hi, I run freeipa (VERSION: 4.12.2, API_VERSION: 2.254) in config with 2 servers: server1, server2 Both under docker using freeipa-server-container. DNS is integrated into freeipa. I set idnsSOAmName using freeipa UI to preferred server, say server1. This is correctly reflected in LDAP: idnsSOAmName: server1.example.com. However, when I run 'host' command I get different values for mname : host -t soa example.com server1.example.com example.com has SOA record server1.example.com. hostmaster.example.com. 1747399498 3600 900 1209600 3600 host -t soa example.com server2.example.com example.com has SOA record server2.example.com. hostmaster.example.com. 1747399498 3600 900 1209600 3600 mname appears to be the same as freeipa DNS server name. Is this by design? kind regards, Jurek

2 1

PKI request with ecdsa-with-SHA256
by Bruno BISOLI 16 May '25

16 May '25

Hello, I am new here and I am throwing a bottle into the sea hoping for your help. I've been working for several days to implement the compliant certificate integration for Stormshield on FreeIPA 4.12. Here is the link : https://documentation.stormshield.eu/SNS/v4/en/Content/DR_Mode/DR-complianc… Ensuring the PKI's compliance with DR mode Is it possible to do that ? Maybe i miss something ? I created a profile cert that only accepts signatures SHA256withEC policyset.caSubCertSet.9.constraint.params.signingAlgsAllowed=SHA256withEC,SHA384withEC,SHA512withEC policyset.caSubCertSet.9.default.class_id=signingAlgDefaultImpl policyset.caSubCertSet.9.default.name=Signing Alg policyset.caSubCertSet.9.default.params.signingAlg=SHA256withEC or policyset.caSubCertSet.9.default.params.signingAlg=SHA256withECDSA freeipa accepts it but Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Signature Algorithm: sha256WithRSAEncryption Signature Value: Signature Algorithm: sha256WithRSAEncryption Is it possible to change this : Signature Algorithm: ecdsa-with-SHA256 I tried to create a sub CA but I don't know if I'm doing it right. Kind regards

1 0

PKI request with ecdsa-with-SHA256
by Bruno BISOLI 16 May '25

16 May '25

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2025