This happens when the subsystem cert is not accepted as valid
authentication from Dogtag to the ldap server.
Which date in the past did you use? If the subsystemcert's Not Before is
after this date, the cert is not valid yet and authentication will fail.
Could you post the full output of getcert list? If you have multiple
certificates expired, you need to carefully select a date in the past
where all the certs are in their validity window (ie after "Not before"
and before "Not after").
HTH,
flo
Request ID '20171024201555':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=CORP.ENDURANCE.COM
<
http://CORP.ENDURANCE.COM>
subject: CN=CA
Subsystem,O=CORP.ENDURANCE.COM <
http://CORP.ENDURANCE.COM>
expires: 2021-09-06 03:25:48 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
-------------------------------------------------------------
[root@ipa1 ~]# cat /etc/pki/pki-tomcat/ca/CS.cfg| grep subsystem.cert
ca.cert.subsystem.certusage=SSLClient
ca.subsystem.cert=MIIDhjCCAm6gAwIBAgIBOTANBgkqhkiG9w0BAQsFADA9MRswGQYDVQQKDBJDT1JQLkVORFVSQU5DRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTcwMzI1NDhaFw0yMTA5MDYwMzI1NDhaMDQxGzAZBgNVBAoMEkNPUlAuRU5EVVJBTkNFLkNPTTEVMBMGA1UEAwwMQ0EgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwuicP62ZiJBTVqE+6zMdq5HHHjtGCfJTz8qqB58F7efRRWgbYHGSwsjUiOPQOknZlVZsuocLYU+zKxDmJ1w7IpAW4W/4RM/fN4rxKMvA4PP4Lcikld12eAOhuepjOzgaetu2Q5DF7rZEpTviZLiUTQJMDM8wQM+cZBVp3LPWi8D/CViXQKc/SjeWzWL6sQNTxnWhJR0OjvprmKeJB6oAEN/T5cLqr5rxnNCsn2MtXbQAXq1jwRuHYkpbwD64N+aAKbYGR03VHWWgP1MSbbp3XYWudM34h0+clZeTeomNSTVuxvE0n9JCpAGpeSDHIGbmvTG5+O9Lu7dZTe/UHS54nQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFGLd+5wtR3MapBd2R/ufY++/vtulMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2lwYS1jYS5jb3JwLmVuZHVyYW5jZS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAf00fJv2cjjVeZr7FYdHZZRB7RoaZNIY+SjsKkfxGP8KCFFOleKE6CXlqtXlDD0BKYnqvDv+3C27G1UIjTXmUpbJS/TKciemZYBZC7yDNs0F1K04VV00c1Ceag+f43kaR+oIZFoEGnHwSLKNyoSwsodpKPWnGfyrXAt0oj6nh+J6ADup3uJMxLXLp8Xrl7FxRt8PKgZypLn52RF9DzPZH+f7kDVAay3fqy8P/DZJMRTokYUjDDVBg2Mq7B99KHPV6TXHbgc/b7I9TdEz5aZ0ZA4mSkWLNw/ZwVPbx22drhErpvIs5h3RjRbPqB7fNsNWtF3GFZBn3vjR9fugo1ZyUS
ca.subsystem.certreq=MIICeTCCAWECAQAwNDEbMBkGA1UECgwSQ09SUC5FTkRVUkFOQ0UuQ09NMRUwEwYDVQQDDAxDQSBTdWJzeXN0ZW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC6Jw/rZmIkFNWoT7rMx2rkcceO0YJ8lPPyqoHnwXt59FFaBtgcZLCyNSI49A6SdmVVmy6hwthT7MrEOYnXDsikBbhb/hEz983ivEoy8Dg8/gtyKSV3XZ4A6G56mM7OBp627ZDkMXutkSlO+JkuJRNAkwMzzBAz5xkFWncs9aLwP8JWJdApz9KN5bNYvqxA1PGdaElHQ6O+muYp4kHqgAQ39PlwuqvmvGc0KyfYy1dtABerWPBG4diSlvAPrg35oAptgZHTdUdZaA/UxJtunddha50zfiHT5yVl5N6iY1JNW7G8TSf0kKkAal5IMcgZua9Mbn470u7t1lN79QdLnidAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEABl3uxfntEZZFeoB1eIjd774MSxK2itaj6B1VyXV0qxcp/SHF1sfJnUHjDpNIB0J/Bpk/sc/+Y2Gxar3zcwyORjF+ojCBc8lP6QZ7mB9H3m9XEuA+H1qmgGz+h2FhnQy5/EmgJnTAn8fNpZCQwQmSZLtnbmd++yK9y+YXCAvaHx+Wsz5c/GhyNxoHGADcmir+iFVltO3jpQ06ThVBb0bD4D6ZzaimkM1vnAqseKdqXvLJI1/ZfIVj6QDcdnnTryt24zOZoxzeOcc2X5HKOtR/5pXilmCS/7zpujXTd1iZi8nfRkpurUdMgC7FLK+B3Dq03G61RPJUwJZvsKlXbwBghg==
[root@ipa1 ~]# cat /tmp/subsystemCert\ cert-pki-ca.pem
MIIDhjCCAm6gAwIBAgIBOTANBgkqhkiG9w0BAQsFADA9MRswGQYDVQQKDBJDT1JQLkVORFVSQU5DRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTcwMzI1NDhaFw0yMTA5MDYwMzI1NDhaMDQxGzAZBgNVBAoMEkNPUlAuRU5EVVJBTkNFLkNPTTEVMBMGA1UEAwwMQ0EgU3Vic3lzdGVtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwuicP62ZiJBTVqE+6zMdq5HHHjtGCfJTz8qqB58F7efRRWgbYHGSwsjUiOPQOknZlVZsuocLYU+zKxDmJ1w7IpAW4W/4RM/fN4rxKMvA4PP4Lcikld12eAOhuepjOzgaetu2Q5DF7rZEpTviZLiUTQJMDM8wQM+cZBVp3LPWi8D/CViXQKc/SjeWzWL6sQNTxnWhJR0OjvprmKeJB6oAEN/T5cLqr5rxnNCsn2MtXbQAXq1jwRuHYkpbwD64N+aAKbYGR03VHWWgP1MSbbp3XYWudM34h0+clZeTeomNSTVuxvE0n9JCpAGpeSDHIGbmvTG5+O9Lu7dZTe/UHS54nQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFGLd+5wtR3MapBd2R/ufY++/vtulMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2lwYS1jYS5jb3JwLmVuZHVyYW5jZS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAf00fJv2cjjVeZr7FYdHZZRB7RoaZNIY+SjsKkfxGP8KCFFOleKE6CXlqtXlDD0BKYnqvDv+3C27G1UIjTXmUpbJS/TKciemZYBZC7yDNs0F1K04VV00c1Ceag+f43kaR+oIZFoEGnHwSLKNyoSwsodpKPWnGfyrXAt0oj6nh+J6ADup3uJMxLXLp8Xrl7FxRt8PKgZypLn52RF9DzPZH+f7kDVAay3fqy8P/DZJMRTokYUjDDVBg2Mq7B99KHPV6TXHbgc/b7I9TdEz5aZ0ZA4mSkWLNw/ZwVPbx22drhErpvIs5h3RjRbPqB7fNsNWtF3GFZBn3vjR9fugo1ZyUS
I had a few queries on this
1. Is there any way we take the backup of the current setup and create a
new IPA instance without changing any parameter in the client servers
2. If we upgrade the IPA version we can fix this issue?
Regards
Nikita S
On Fri, Nov 8, 2019 at 4:29 PM Nikita Deeksha <nikita.d(a)endurance.com
<mailto:nikita.d@endurance.com>> wrote:
Thanks, Florence and Alexander.
@Alexander Bokovoy <mailto:abokovoy@redhat.com> ,
While we were debugging in one of a blog we came across a scenario
where NSS DB had got corrupted during a certificate renewal, so
wanted to eliminate that issue.
We see all the private key.
[root@ipa1 nikita.d]# certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa b8763cec560cf751cdafa5b0006af9405bdfabf0 NSS
Certificate DB:subsystemCert cert-pki-ca
< 1> rsa c7d8b4bf5f7d60de906444744a3b512c801676d2 (orphan)
< 2> rsa 49ddc4aff2ae7a59ed5c3a939217d006d059fea2 NSS
Certificate DB:Server-Cert cert-pki-ca
< 3> rsa 12717b4e7fec1f408c947015b069e94838198947 NSS
Certificate DB:auditSigningCert cert-pki-ca
< 4> rsa 249cfa8ef238a902bd45ce397eda0a8ce8dda01d
caSigningCert cert-pki-ca
< 5> rsa 079bf91860780244f89ee9509853ed3e975ca11d NSS
Certificate DB:ocspSigningCert cert-pki-ca
We will try renewing the HTTP cert in our environment, will let you
know once the cert is updated successfully.
https://access.redhat.com/solutions/3357261
Regards
Nikita S
On Fri, Nov 8, 2019 at 3:42 PM Florence Blanc-Renaud <flo(a)redhat.com
<mailto:flo@redhat.com>> wrote:
On 11/7/19 11:16 AM, Nikita Deeksha via FreeIPA-users wrote:
> Thanks for the update Alexander will check this and get back
to you,
> wanted to check on another thing as well.
>
> Can you please help us to understand this error that we see
for the cert
> in pki
>
> [root@ipa1 nikita.d]# for i in $(certutil -d
/etc/pki/pki-tomcat/alias
> -L | grep cert-pki-ca | awk'{print $1}');do certutil -K -d
> /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n "$i
cert-pki-ca";done
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> < 0> rsa 249cfa8ef238a902bd45ce397eda0a8ce8dda01d
caSigningCert
> cert-pki-ca
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
> certutil: Checking token "NSS Certificate DB" in slot "NSS
User Private
> Key and Certificate Services"
>
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
Unrecognized
> Object Identifier.
>
Hi,
If you use "certutil -K -d /etc/pki/pki-tomcat/alias -f
/tmp/pwdfile.txt" (without the -n alias option), you will see
all the
keys present in the database and notice that some of them have a
prefixed nickname, for instance:
'NSS Certificate DB:Server-Cert cert-pki-ca'
instead of 'Server-Cert cert-pki-ca'.
You need to provide this prefixed name with -K -n nickname.
HTH,
flo
>
> These are the cert which is present /etc/pki/pki-tomcat/alias
>
> [root@ipa1 nikita.d]# certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname
Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> COMODO CA BUNDLE
CT,C,C
> ocspSigningCert cert-pki-ca
u,u,u
> auditSigningCert cert-pki-ca
u,u,Pu
> caSigningCert cert-pki-ca
CTu,Cu,Cu
> subsystemCert cert-pki-ca
u,u,u
> Server-Cert cert-pki-ca
u,u,u
>
>
>
> Regards
>
> Nikita S
>
>
> On Wed, Nov 6, 2019 at 9:52 PM Alexander Bokovoy
<abokovoy(a)redhat.com <mailto:abokovoy@redhat.com>
> <mailto:abokovoy@redhat.com <mailto:abokovoy@redhat.com>>>
wrote:
>
> On ke, 06 marras 2019, Nikita Deeksha via FreeIPA-users
wrote:
> >2.
> >
> >Status SUBMITTING means the renewal is not yet
completed. It will not
> >complete until you get Dogtag working.
> >
> >But now the status says CA_UNEACHABLE
> >
> >Request ID '20180412150739':
> >status: CA_UNREACHABLE
> >ca-error: Server at
https://ipa1.xxx.xxxx.com/ipa/xml
failed
> request, will
> >retry: -504 (libcurl failed to execute the HTTP POST
transaction,
> >explaining: Peer's Certificate has expired.).
>
> This is exactly an issue with expired HTTP certificate.
> I guess you'd need to roll back time to when the
certificate was valid
> (before 2019-10-25) and restart certmonger.
>
> See discussion in this thread:
>
https://www.redhat.com/archives/freeipa-users/2016-July/msg00270.html
>
> In newer RHEL version (RHEL 7.7) there is a special tool,
ipa-cert-fix,
> that can help with fixing these issues. However, since
you are on the
> version before it, you need to do manual renewal.
>
> >stuck: no
> >key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >ipa1.xxx.xxxx.com <
http://ipa1.xxx.xxxx.com>
<
http://ipa1.xxx.xxxx.com>,O=CORP.ENDURANCE.COM
<
http://CORP.ENDURANCE.COM>
> <http://CORP.ENDURANCE.COM>',token='NSS Certificate
> >DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >ipa1.xxx.xxxx.com <
http://ipa1.xxx.xxxx.com>
<
http://ipa1.xxx.xxxx.com>,O=CORP.ENDURANCE.COM
<
http://CORP.ENDURANCE.COM>
> <http://CORP.ENDURANCE.COM>',token='NSS Certificate
DB'
> >CA: IPA
> >issuer: CN=Certificate
Authority,O=xxx.xxxx.COM
<
http://xxx.xxxx.COM> <
http://xxx.xxxx.COM>
> >subject:
CN=ipa1.xxxx.xxxxx.com
<
http://ipa1.xxxx.xxxxx.com>
> <http://ipa1.xxxx.xxxxx.com>,O=xxx.xxxx.COM
<
http://xxx.xxxx.COM> <
http://xxx.xxxx.COM>
> >expires: 2019-10-25 20:16:38 UTC
> >principal name: krbtgt/xxx.xxxxx.COM(a)xxx.xxxx.COM
<mailto:xxx.xxxxx.COM@xxx.xxxx.COM>
> <mailto:xxx.xxxxx.COM@xxx.xxxx.COM
<mailto:xxx.xxxxx.COM@xxx.xxxx.COM>>
> >key usage:
>
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >eku: id-kp-serverAuth,id-pkinit-KPKdc
> >pre-save command:
> >post-save command:
/usr/libexec/ipa/certmonger/restart_httpd
> >track: yes
> >
> >
> >
> >
> >*Issue2:*
> >
> >We are getting this alert while we log in to UI in
httpd error logs
> >
> >
> >#ipa: INFO: 401 Unauthorized: kinit: Preauthentication
failed
> while getting
> >initial credentials
> >
> >and PKINIT was disabled
> >
> >[root@ipa2 httpd]# ipa-pkinit-manage status
> >PKINIT is disabled
> >
> >While I tried to enable this
> >
> >[root@ipa2 httpd]# ipa-pkinit-manage enable
> >Configuring Kerberos KDC (krb5kdc)
> > [1/1]: installing X509 Certificate for PKINIT
> >
> >the process was getting stuck, so I had to terminate it
manually.
> After
> >trying to enable, I'm getting "Login failed due to an
unknown reason."
> >error in web UI when I try to login
> >
> >*Error in httpd:*
> >
> >[Wed Nov 06 10:13:37.465318 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] mod_wsgi (pid=24416):
> Exception occurred processing WSGI
> >script '/usr/share/ipa/wsgi.py'.
> >[Wed Nov 06 10:13:37.465433 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] Traceback (most recent
> call last):
> >[Wed Nov 06 10:13:37.468706 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
> "/usr/share/ipa/wsgi.py", line 59, in application
> >[Wed Nov 06 10:13:37.470083 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] return
> api.Backend.wsgi_dispatch(environ,
> >start_response)
> >[Wed Nov 06 10:13:37.470146 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 267, in
> >__call__
> >[Wed Nov 06 10:13:37.473376 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] return
> self.route(environ, start_response)
> >[Wed Nov 06 10:13:37.473437 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 279, in
> >route
> >[Wed Nov 06 10:13:37.473462 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] return app(environ,
> start_response)
> >[Wed Nov 06 10:13:37.473475 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 937, in
> >__call__
> >[Wed Nov 06 10:13:37.476093 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>]
> self.kinit(user_principal, password, ipa_ccache_name)
> >[Wed Nov 06 10:13:37.478843 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line
> 973, in
> >kinit
> >[Wed Nov 06 10:13:37.478864 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>]
> pkinit_anchors=[paths.KDC_CERT,
> >paths.KDC_CA_BUNDLE_PEM],
> >[Wed Nov 06 10:13:37.478878 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line
> 127, in
> >kinit_armor
> >[Wed Nov 06 10:13:37.484351 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] run(args, env=env,
> raiseonerr=True, capture_error=True)
> >[Wed Nov 06 10:13:37.484381 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] File
>
>"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
562,
> in run
> >[Wed Nov 06 10:13:37.487470 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] raise
> CalledProcessError(p.returncode, arg_string,
> >str(output))
> >[Wed Nov 06 10:13:37.488932 2019] [:error] [pid 24416]
[remote
> >172.27.10.113:0 <
http://172.27.10.113:0>
<
http://172.27.10.113:0>] CalledProcessError:
> Command '/usr/bin/kinit -n -c
> >/var/run/ipa/ccaches/armor_24416 -X
> >X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>
>X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'
returned
> >non-zero exit status 1
> >
> >And when I try to list the certificates using *getcert
list,*
> there is a
> >new cert which was added
> >
> >Request ID '20191106100258':
> >status: CA_UNREACHABLE
> >ca-error: Server at
https://ipa2.xxx.xxxxx.com/ipa/xml
failed
> request, will
> >retry: 907 (RPC failed at server. cannot connect to '
> >https://ipa1.xxx.xxxxx.com:443/ca/rest/account/login':
[SSL:
> >CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:618)).
> >stuck: no
> >key pair storage:
type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> >certificate:
type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> >CA: IPA
> >issuer:
> >subject:
> >expires: unknown
> >pre-save command:
> >post-save command:
/usr/libexec/ipa/certmonger/renew_kdc_cert
> >track: yes
> >auto-renew: yes
> >
> >
> >Regards
> >Nikita S
> >
> >When
> >On Wed, Nov 6, 2019 at 6:39 PM Alexander Bokovoy
> <abokovoy(a)redhat.com <mailto:abokovoy@redhat.com>
<mailto:abokovoy@redhat.com <mailto:abokovoy@redhat.com>>>
> >wrote:
> >
> >> On ti, 05 marras 2019, Nikita Deeksha via
FreeIPA-users wrote:
> >> >Hi Team,
> >> >We have 2 IPA servers in Mater-Master setup are we
facing the
> below issue
> >> >on these servers.
> >> >
> >> >Isuue1:
> >> >Our httpd certificate has expired because of which
our IPA1 UI
> wasn't
> >> >working, we are getting “*loging failed due to an
unknown
> reason*” error
> >> >while we log in to the UI
> >> >
> >> >
> >> >1. First, the IPA console was not working as httpd
service was
> stopped,
> >> >httpd was not starting as HTTP certificate is
expired. Added
> >> >*NSSEnforceValidCerts
> >> >off* line in nss.conf to start the service.
> >> >
> >> >2. After the change IPA console was loading we are
not able to
> login to
> >> the
> >> >console as pki-tomcatd service was not running,
> >> >[root@ipa1 ca]# ipactl status
> >> >Directory Service: RUNNING
> >> >krb5kdc Service: RUNNING
> >> >kadmin Service: RUNNING
> >> >httpd Service: RUNNING
> >> >ipa-custodia Service: RUNNING
> >> >ntpd Service: RUNNING
> >> >pki-tomcatd Service: STOPPED
> >> >ipa-otpd Service: RUNNING
> >> >
> >> ># systemctl status pki-tomcatd(a)pki-tomcat.service -l
> >> >● pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server
pki-tomcat
> >> > Loaded: loaded
(/lib/systemd/system/pki-tomcatd@.service;
> enabled;
> >> >vendor preset: disabled)
> >> > Active: active (running) since Tue 2019-11-05
10:16:50 GMT;
> 31min ago
> >> > Process: 97068 ExecStartPre=/usr/bin/pkidaemon
start %i
> (code=exited,
> >> >status=0/SUCCESS)
> >> > Main PID: 97233 (java)
> >> > CGroup:
> >>
>
>/system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd(a)pki-tomcat.service
> >> > └─97233
/usr/lib/jvm/jre-1.8.0-openjdk/bin/java
> >> >-DRESTEASY_LIB=/usr/share/java/resteasy-base
> >> >-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
> >>
> >>
>
>/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> >> >-Dcatalina.base=/var/lib/pki/pki-tomcat
> -Dcatalina.home=/usr/share/tomcat
> >> >-Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> >>
> >>
>
>-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> >>
>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >> >-Djava.security.manager
> >>
>
>-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
> >> >org.apache.catalina.startup.Bootstrap start
> >> >
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: WARNING: Exception
> >> >processing realm
com.netscape.cms.tomcat.ProxyRealm@1896e072
> background
> >> >process
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]:
> >> >javax.ws.rs <
http://javax.ws.rs>
<
http://javax.ws.rs>.ServiceUnavailableException:
> Subsystem unavailable
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
>
>com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
> >> >Nov 05 10:47:57
ipa1.xxx.xxxxx.com
<
http://ipa1.xxx.xxxxx.com> <
http://ipa1.xxx.xxxxx.com>
> server[97233]: at
> >> >java.lang.Thread.run(Thread.java:748)
> >> >
> >> >
> >> >This service wasn’t starting with this error
> >> >
> >> ># less /var/log/pki/pki-tomcat/ca/debug
> >> >31/Oct/2019:13:24:23][localhost-startStop-1]:
> >> >SSLClientCertificateSelectionCB: desired cert found
in list:
> subsystemCert
> >> >cert-pki-ca
> >> >[31/Oct/2019:13:24:23][localhost-startStop-1]:
> >> >SSLClientCertificateSelectionCB: returning:
subsystemCert
> cert-pki-ca
> >> >[31/Oct/2019:13:24:23][localhost-startStop-1]: SSL
handshake
> happened
> >> >Could not connect to LDAP server host
ipa1.xxx.xxxx.com <
http://ipa1.xxx.xxxx.com>
> <http://ipa1.xxx.xxxx.com> port 636 Error
> >> >netscape.ldap.LDAPException: Authentication failed (49)
> >>
> >> Authentication failed means the RA agent certificate
dogtag uses to
> >> authenticate to LDAP server is not the same as the
one mentioned
> in the
> >> LDAP entry for RA agent.
> >>
> >> I think there was some procedure to fix it but I
don't have
> links handy.
> >> Also, you did not specify what versions of FreeIPA
you run.
> >>
> >>
> >> >at
> >>
> >>
>
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
> >> > at
> >>
> >>
>
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
> >> > at
> >>
> >>
>
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
> >> > at
>
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
> >> > at
> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
> >> > at
com.netscape.certsrv.apps.CMS.init(CMS.java:189)
> >> > at
com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
> >> > at
> >>
> >>
>
>com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> >> > at
> javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >> > at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> >> > at
> >>
> >>
>
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >> > at
> >>
> >>
>
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >> > at
java.lang.reflect.Method.invoke(Method.java:498)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
> >> > at
> >>
>
>org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
> >> > at
> >>
>
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >> > at
> >>
>
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >> > at
> >>
>
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> > at
java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >> > at java.lang.Thread.run(Thread.java:748)
> >> >Internal Database Error encountered: Could not
connect to LDAP
> server host
> >> >ipa1.xxx.xxx.com <
http://ipa1.xxx.xxx.com>
<
http://ipa1.xxx.xxx.com> port 636 Error
> netscape.ldap.LDAPException:
> >> Authentication
> >> >failed (49)
> >> > at
>
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
> >> > at
> >>
>
>com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
> >> > at
> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
> >> > at
com.netscape.certsrv.apps.CMS.init(CMS.java:189)
> >> > at
com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
> >> > at
> >>
> >>
>
>com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> >> > at
> javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >> > at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> >> > at
> >>
> >>
>
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >> > at
> >>
> >>
>
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >> > at
java.lang.reflect.Method.invoke(Method.java:498)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >> > at
> >>
>
>org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >> > at
> >>
> >>
>
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
> >> > at
> >>
>
>org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
> >> > at
> >>
>
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >> > at
> >>
> >>
>
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >> > at
java.security.AccessController.doPrivileged(Native
> Method)
> >> > at
> >>
>
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >> > at
> >>
>
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >> > at
> >>
> >>
>
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >> > at
> >>
>
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> > at
java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >> > at
> >>
> >>
>
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >> > at java.lang.Thread.run(Thread.java:748)
> >> >
> >> ># getcert list
> >> >Request ID '20180412150739':
> >> >status: SUBMITTING
> >> >stuck: no
> >> >key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >> >ipa1.xxxx.xxxxx.com <
http://ipa1.xxxx.xxxxx.com>
<
http://ipa1.xxxx.xxxxx.com>,O=xxx.xxxx.COM <
http://xxx.xxxx.COM>
> <http://xxx.xxxx.COM>',token='NSS Certificate
> >> >DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >> >certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='CN=
> >> >ipa1.xxxx.xxxxx.com <
http://ipa1.xxxx.xxxxx.com>
> <http://ipa1.xxxx.xxxxx.com>,O=xxx.xxxxx.COM
<
http://xxx.xxxxx.COM>
> <http://xxx.xxxxx.COM>',token='NSS Certificate DB'
> >> >CA: IPA
> >> >issuer: CN=Certificate
Authority,O=xxx.xxxxx.COM
<
http://xxx.xxxxx.COM>
> <http://xxx.xxxxx.COM>
> >> >subject:
CN=ipa1.xxxx.xxxx.com
<
http://ipa1.xxxx.xxxx.com>
> <http://ipa1.xxxx.xxxx.com>,O=xxx.xxxxx.COM
<
http://xxx.xxxxx.COM> <
http://xxx.xxxxx.COM>
> >> >expires: 2019-10-25 20:16:38 UTC
> >> >principal name: krbtgt/xxxx.xxxx.COM(a)xxxx.xxxx.COM
<mailto:xxxx.xxxx.COM@xxxx.xxxx.COM>
> <mailto:xxxx.xxxx.COM@xxxx.xxxx.COM
<mailto:xxxx.xxxx.COM@xxxx.xxxx.COM>>
> >> >key usage:
> >>
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >> >eku: id-kp-serverAuth,id-pkinit-KPKdc
> >> >pre-save command:
> >> >post-save command:
/usr/libexec/ipa/certmonger/restart_httpd
> >> >track: yes
> >> >auto-renew: yes
> >>
> >> Status SUBMITTING means the renewal is not yet
completed. It
> will not
> >> complete until you get Dogtag working.
> >>
> >> >
> >> >Issue2:
> >> >
> >> >On the IPA2 server, we are unable to login with the
admin user
> credentials
> >> >without OTP, but when an AD user is trying to login
with 2FA (i.e,
> >> >password and OTP) we are getting this error *"The
password you
> entered is
> >> >incorrect."*
> >>
> >> AD users cannot use multifactor authentication
defined in IPA.
> >>
> >>
> >> ># [root@ipa2 log]# ipactl status
> >> >Directory Service: RUNNING
> >> >krb5kdc Service: RUNNING
> >> >kadmin Service: RUNNING
> >> >httpd Service: RUNNING
> >> >ipa-custodia Service: RUNNING
> >> >ntpd Service: RUNNING
> >> >ipa-otpd Service: STOPPED
> >> >ipa: INFO: The ipactl command was successful
> >> >
> >> ># systemctl status ipa-otpd.socket -l
> >> >● ipa-otpd.socket - ipa-otpd socket
> >> > Loaded: loaded
(/usr/lib/systemd/system/ipa-otpd.socket;
> disabled;
> >> >vendor preset: disabled)
> >> > Active: failed (Result: resources) since Tue
2019-11-05
> 08:19:04 GMT;
> >> 1h
> >> >31min ago
> >> > Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
> >> > Accepted: 2; Connected: 0
> >> >
> >> >Nov 05 07:42:53
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> systemd[1]: Listening on ipa-otpd
> >> socket.
> >> >Nov 05 08:19:04
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> systemd[1]: ipa-otpd.socket failed to
> >> >queue service startup job (Maybe the service file is
missing or
> not a
> >> >template unit?): Resource temporarily unavailable
> >> >Nov 05 08:19:04
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> systemd[1]: Unit ipa-otpd.socket
> >> entered
> >> >failed state.
> >> >
> >> ># cat /usr/lib/systemd/system/ipa-otpd.socket
> >> >[Unit]
> >> >Description=ipa-otpd socket
> >> >
> >> >[Socket]
> >> >ListenStream=/var/run/krb5kdc/DEFAULT.socket
> >> >RemoveOnStop=true
> >> >SocketMode=0600
> >> >Accept=true
> >> >
> >> >[Install]
> >> >WantedBy=krb5kdc.service
> >> >
> >> >
> >> >
> >> >We see that data replication is broken between the 2
IPA
> servers, as the
> >> >changes made on IPA2 is not reflecting on IPA1
> >> This is most likely because your LDAP server
certificate expired as
> >> well.
> >>
> >>
> >> >We the below errors as well.
> >> >
> >> >IPA1
> >> >Nov 05 10:09:23
ipa1.xxx.xxxx.com
<
http://ipa1.xxx.xxxx.com> <
http://ipa1.xxx.xxxx.com>
> krb5kdc[28021](info): TGS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE: authtime
1572948563,
> etypes
> >> >{rep=18 tkt=18 ses=18},
ldap/ipa1.xxxxx.xxxx.com(a)xxxx.xxxxx.COM
<mailto:ipa1.xxxxx.xxxx.com@xxxx.xxxxx.COM>
> <mailto:ipa1.xxxxx.xxxx.com@xxxx.xxxxx.COM
<mailto:ipa1.xxxxx.xxxx.com@xxxx.xxxxx.COM>> for ldap/
> >> >ipa2.xxxx.xxxx.com(a)xxxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM>
> <mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM>>
> >> >Nov 05 10:14:24
ipa1.corp.endurance.com
<
http://ipa1.corp.endurance.com>
> <http://ipa1.corp.endurance.com> krb5kdc[28021](info):
TGS_REQ (8
> >> >etypes {18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE:
authtime
> 1572948863,
> >> >etypes {rep=18 tkt=18 ses=18},
> ldap/ipa1.xxxx.xxx.com(a)xxxx.xxxx.COM
<mailto:ipa1.xxxx.xxx.com@xxxx.xxxx.COM>
> <mailto:ipa1.xxxx.xxx.com@xxxx.xxxx.COM
<mailto:ipa1.xxxx.xxx.com@xxxx.xxxx.COM>> for
> >> >ldap/ipa2.xxxx.xxxx.com(a)xxxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM>
> <mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM>>
> >>
> >> These aren't errors. They are normal operations:
ldap/ipa1
> service (LDAP
> >> server on IPA1) asked for a Kerberos service ticket
to LDAP
> service on
> >> IPA2 and was granted it. This is just as it should be for
> replication.
> >>
> >> >
> >> >IPA2
> >> ># tailf krb5kdc.log
> >> >Nov 05 09:59:25
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): AS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) y.y.y.y: NEEDED_PREAUTH:
ldap/
> >> >ipa2.xxxx.xxxx.com(a)xxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM>
> <mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM>> for
> krbtgt/xxxx.xxxx.COM(a)xxxx.xxxx.COM
<mailto:xxxx.xxxx.COM@xxxx.xxxx.COM>
<mailto:xxxx.xxxx.COM@xxxx.xxxx.COM
<mailto:xxxx.xxxx.COM@xxxx.xxxx.COM>>,
> >> >Additional pre-authentication required
> >> >Nov 05 09:59:25
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): closing down fd
> >> 11
> >> >Nov 05 09:59:25
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): AS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime
1572947965,
> etypes
> >> >{rep=18 tkt=18 ses=18},
ldap/ipa2.xxxx.xxxx.com(a)xxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM>
> <mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM>> for krbtgt/
> >> >xxx.xxxx.COM(a)xxx.xxxx.COM
<mailto:xxx.xxxx.COM@xxx.xxxx.COM>
<mailto:xxx.xxxx.COM@xxx.xxxx.COM
<mailto:xxx.xxxx.COM@xxx.xxxx.COM>>
> >> >Nov 05 09:59:25
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): closing down fd
> >> 11
> >> >Nov 05 09:59:25
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): TGS_REQ (8 etypes
> >> >{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime
1572947965,
> etypes
> >> >{rep=18 tkt=18 ses=18},
ldap/ipa2.xxxx.xxxx.com(a)xxxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM>
> <mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxxx.xxxx.COM>> for ldap/
> >> >ipa2.xxxx.xxxx.com(a)xxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM>
> <mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM
<mailto:ipa2.xxxx.xxxx.com@xxx.xxxx.COM>>
> >> >Nov 05 09:59:25
ipa2.xxxx.xxxx.com
<
http://ipa2.xxxx.xxxx.com> <
http://ipa2.xxxx.xxxx.com>
> krb5kdc[2451](info): closing down fd
> >> 11
> >>
> >> Same here. LDAP server on IPA2 operated against
itself here.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
> _______________________________________________
> FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...