[Freeipa-users] Re: Free IPA Replica server retrieving two certificates from the IPA master server while installing IPA replica and installation fails

2022-09-01 Thread Polavarapu Manideep Sai via FreeIPA-users
Hi Florence/Rob

Upon your advice, I have removed the certificate from the IPA master. Now the IPA 
Replica is retrieving one certificate from the IPA master, as shown below.

We are facing another IPA Replica installation issue after deleting/removing the 
certificate from the IPA master server. Please help us with this, and please let us 
know if any more information is required.

PFB the Replica installation logs:

==
/var/log/ipaclient-install.log :
==

2022-09-01T17:03:00Z DEBUG stderr=
2022-09-01T17:03:00Z DEBUG trying to retrieve CA cert via LDAP from 
aaa01.ipa.subdomain.com
2022-09-01T17:03:01Z DEBUG retrieving schema for SchemaCache 
url=ldap://aaa01.ipa.subdomain.com:389 conn=
2022-09-01T17:03:02Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Issuer:  CN=Certificate Authority,O=IPA.SUBDOMAIN.COM
Valid From:  2018-04-12 14:15:30
Valid Until: 2038-04-12 14:15:30

2022-09-01T17:03:02Z DEBUG Starting external process
2022-09-01T17:03:02Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.subdomain.com 
-b dc=ipa,dc=subdomain,dc=com -h dirpav01.ipa.subdomain.com -f
2022-09-01T17:03:07Z DEBUG Process finished, return code=0
2022-09-01T17:03:07Z DEBUG stdout=
2022-09-01T17:03:07Z DEBUG stderr=Keytab successfully retrieved and stored in: 
/etc/krb5.keytab
Certificate subject base is: O=IPA.SUBDOMAIN.COM

2022-09-01T17:03:07Z INFO Enrolled in IPA realm IPA.SUBDOMAIN.COM
2022-09-01T17:03:07Z DEBUG Starting external process
2022-09-01T17:03:07Z DEBUG args=/usr/bin/kdestroy
2022-09-01T17:03:07Z DEBUG Process finished, return code=0
2022-09-01T17:03:07Z DEBUG stdout=
2022-09-01T17:03:07Z DEBUG stderr=


==
Replica installation without debugging :
==

Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server db
  [2/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 30 seconds elapsed
Update succeeded

  [3/30]: creating ACIs for admin
  [4/30]: creating installation admin user
  [5/30]: configuring certificate server instance
  [6/30]: secure AJP connector
  [7/30]: reindex attributes
  [8/30]: exporting Dogtag certificate store pin
  [9/30]: stopping certificate server instance to update CS.cfg
  [10/30]: backing up CS.cfg
  [11/30]: disabling nonces
  [12/30]: set up CRL publishing
  [13/30]: enable PKIX certificate path discovery and validation
  [14/30]: destroying installation admin user
  [15/30]: starting certificate server instance
  [16/30]: Finalize replication settings
  [17/30]: configure certmonger for renewals
  [18/30]: Importing RA key
  [19/30]: setting audit signing renewal to 2 years
  [20/30]: restarting certificate server
  [21/30]: authorizing RA to modify profiles
  [22/30]: authorizing RA to manage lightweight CAs
  [23/30]: Ensure lightweight CAs container exists
  [24/30]: configure certificate renewals
  [25/30]: configure Server-Cert certificate renewal
  [26/30]: Configure HTTP to proxy connections
  [27/30]: restarting certificate server
  [28/30]: updating IPA configuration
  [29/30]: enabling CA instance
  [30/30]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    CA did not start in 300.0s
ipapython.admintool: ERROR    The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information

==
/var/log/ipareplica-install.log :
==

2022-09-01T14:35:58Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from 
fulfilling this request.
exception javax.ws.rs.ServiceUnavailableException: Subsystem 

[Freeipa-users] Intermittent login issues with SSSD/IDM

2022-09-01 Thread Master Blaster via FreeIPA-users
Howdy,

We are having intermittent login issues with our SSSD/IPA clients using 
Identity Manager in a read-only cross-forest trust configuration.

The SSSD/IPA servers themselves don't seem to be having this issue, just the 
SSSD/IPA clients using the IDM/IPA servers as their identity provider.

In addition, the problem only affects AD accounts, not native IDM accounts.

The issue manifests itself as either failed logins or the 'id' command 
returning user unknown.
 
All of our IDM servers are RHEL 8.  Clients are various mixes of RHEL 7 and 
RHEL 8, all exhibiting the same issue.

We have a P2 open with Red Hat, and it feels like they are having a problem 
pinpointing the issue.

Red Hat support seems to be indicating our AD environment is to blame, at least 
partially, as most of our AD groups don't have GIDs.  We have 80K+ users in 
our AD (not all of them assigned a Unix UID in AD, as most of them have no need 
to log in to Unix).  However, the users that are logging in via SSSD obviously 
have UIDs and many groups attached to them, most of which may not have POSIX 
GIDs, as many of those groups will never need to touch Unix (i.e., email groups, 
Windows-only access groups, etc., etc., etc.)

Red Hat seems to indicate this is a highly unusual configuration for AD, where 
not all groups have POSIX GIDs assigned.

I'm curious to know if those who have large AD environments like this, with a 
mix of Unix and non-Unix users, truly assign a POSIX GID to each and every 
group, even if that group will never be utilized by Unix.

Also curious to know if anyone else is experiencing intermittent login 
problems like this, and if you were able to solve it, and how?

Thank you...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: error marshalling data for XML-RPC transport: message: need a ; got 'No valid Negotiate header in server response' (a )

2022-09-01 Thread liang fei via FreeIPA-users
> On ti, 30 elo 2022, liang fei via FreeIPA-users wrote:
> 
> This is long time unsupported version already. Is there any chance you'd
> move to something newer?
> 
> 
> Keytab for httpd service was moved to /var/lib/ipa/gssproxy/http.keytab
> in 2016. We stopped using /etc/httpd/conf/ipa.keytab (or
> /etc/apache2/ipa.keytab for Debian and Ubuntu) in that time.
> 
> 
> Perhaps your configuration lacks the rest of config files? May be it
> would be better to stand up a separate machine using the same version,
> for a test deployment and see what configuration files are present there
> and what files they reference. This way you'd have a reference point to
> compare your 'broken' replica against and would be able to recover
> those.
> 
> The 'auth_gssapi:error' message above says that whatever a client sent
> as a Kerberos-based negotiation cannot be understood by the GSSAPI
> mechanism or the mechanism used was not allowed. Judging by 'No valid
> Negotiate header in server response' on the client side it may well be
> that configuration of mod_auth_gssapi + gssproxy was not correct on this
> machine.
This exception is really hard to understand; the prompt is not very friendly, 
ha. I did rm -rf /etc/apache2/ipa.keytab, which prompted this exception. Then I 
suddenly thought that the user may not have permission, so I did
chown www-data:www-data /etc/apache2/ipa.keytab
Everything is fine.
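The exchange above comes down to two things that can be checked directly rather than guessed at: which keytab file the web server's GSSAPI setup actually references (the old /etc/apache2/ipa.keytab versus the /var/lib/ipa/gssproxy/http.keytab path Alexander mentions), and whether that file exists with the ownership and mode the service reading it needs. The shell check below is an added example, not code from this thread or from the FreeIPA project. The function names check_keytab and list_principals are my own; it assumes GNU coreutils stat(1), and the expected owner is passed in as a parameter because it depends on whether httpd or gssproxy is the process that opens the file in a given deployment.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): audit a Kerberos keytab for
# the two failure modes discussed above, wrong path and wrong ownership/mode.
# Assumes GNU coreutils stat(1); klist(1) is only used when it is installed.

# check_keytab PATH EXPECTED_OWNER
# Returns 0 when PATH is a regular file owned by EXPECTED_OWNER with no
# group/other permission bits set; otherwise prints the reason and returns 1.
check_keytab() {
    path=$1
    expected_owner=$2
    if [ ! -f "$path" ]; then
        echo "MISSING: $path (verify which keytab the httpd/gssproxy config references)"
        return 1
    fi
    owner=$(stat -c '%U' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    if [ "$owner" != "$expected_owner" ]; then
        echo "OWNER: $path is owned by $owner, expected $expected_owner"
        return 1
    fi
    # A keytab is a long-lived credential: the group and other octal digits
    # must both be 0 (e.g. 600 or 400); anything else is a finding.
    case "$mode" in
        *00) ;;
        *)
            echo "MODE: $path has mode $mode; group/other bits must be 0"
            return 1
            ;;
    esac
    echo "OK: $path owner=$owner mode=$mode"
    return 0
}

# list_principals PATH
# Shows which service principals the keytab really holds, so a keytab that is
# present and readable but contains the wrong principal is also caught.
list_principals() {
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$1"
    else
        echo "klist not installed; skipping principal listing for $1"
    fi
}

# Usage: sh keytab_check.sh PATH EXPECTED_OWNER   (hypothetical script name)
if [ $# -eq 2 ]; then
    check_keytab "$1" "$2" && list_principals "$1"
fi
```

For a gssproxy-based install one would typically run it as `check_keytab /var/lib/ipa/gssproxy/http.keytab root`, and with www-data against /etc/apache2/ipa.keytab for the older Debian layout the thread refers to; the mode test fails any keytab readable by group or other, which is the check worth running before loosening ownership with chown.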


[Freeipa-users] Re: more rpm conflicts on CentOS

2022-09-01 Thread Alexander Bokovoy via FreeIPA-users

On to, 01 syys 2022, lejeczek via FreeIPA-users wrote:



On 08/08/2022 08:45, Alexander Bokovoy wrote:

On ma, 08 elo 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

Is this the Samba end of packages having issues (again)?

-> $ dnf update
Last metadata expiration check: 0:08:36 ago on Mon 08 Aug 2022 
08:14:21 BST.

Error:
 Problem 1: package 
ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 
requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the 
providers can be installed


This is a known issue. It should clear itself once ipa-server 4.9.10+
packages go through the verification. IPA uses one of internal Samba
libraries and this library did change a soname in an update. My
colleagues did not complete the rebuild in a side-tag (there were some
infra issues to get two side-tags to work properly for modular rebuild),
so it was decided to get Samba gated first and then do a normal rebuild
of IPA packages. The latter build is currently ongoing bugs verification
from QE side.


This is still not resolved, right?
I wonder, for it's been a while, whether perhaps my dnf repo caches, 
proxies, etc., do not keep up.


Looks like we caught up in some internal tooling mixup. I am checking
with Brian Stinson on that as we already have newer builds that should
get pushed out to CentOS 8 Stream and they haven't been pushed yet.
 
--

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: more rpm conflicts on CentOS

2022-09-01 Thread lejeczek via FreeIPA-users



On 08/08/2022 08:45, Alexander Bokovoy wrote:

On ma, 08 elo 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

Is this the Samba end of packages having issues (again)?

-> $ dnf update
Last metadata expiration check: 0:08:36 ago on Mon 08 Aug 
2022 08:14:21 BST.

Error:
 Problem 1: package 
ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 
requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of 
the providers can be installed


This is a known issue. It should clear itself once ipa-server 4.9.10+
packages go through the verification. IPA uses one of internal Samba
libraries and this library did change a soname in an update. My
colleagues did not complete the rebuild in a side-tag (there were some
infra issues to get two side-tags to work properly for modular rebuild),
so it was decided to get Samba gated first and then do a normal rebuild
of IPA packages. The latter build is currently ongoing bugs verification
from QE side.


This is still not resolved, right?
I wonder, for it's been a while, whether perhaps my dnf repo caches, 
proxies, etc., do not keep up.


many thanks, L.
  - package libsmbclient-4.16.4-1.el8.x86_64 requires 
libsamba-debug-samba4.so(SAMBA_4.16.4_SAMBA4)(64bit), but 
none of the providers can be installed
  - package libsmbclient-4.16.4-1.el8.x86_64 requires 
libsmbconf.so.0(SMBCONF_0.0.1)(64bit), but none of the 
providers can be installed


and also, I wonder why a "regular" package would want to 
depend on a debug package - that should not be needed 
normally.


It is not a debug package, it is an internal Samba library that contains
facilities to process various levels of logging, expanding log lines
with additional details when debug log levels requested at runtime.


