[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-20 Thread Florence Renaud via FreeIPA-users
> On 20 Mar 2024, at 16:38, Ian Kumlien wrote: > > On Wed, Mar 20, 2024 at 3:52 PM Ian Kumlien wrote: >> >>> On Wed, Mar 20, 2024 at 11:21 AM Florence Blanc-Renaud >>> wrote: >>> >>> Hi, >>> >>> On Wed, Mar 20, 2024 at 10:00 AM Ian Kumlien wrote: On Wed, Mar 20, 2024 at 9:45 

[Freeipa-users] Re: Expired Subsystem CA's

2023-01-26 Thread Florence Renaud via FreeIPA-users
Hi, > On 26 Jan 2023, at 13:12, MM MM via FreeIPA-users > wrote: > > Hello Antonio, > > ipa getcert-list doesn't show the outdated certificate. ipa getcert-list displays only a subset of certificates, the ones handled by IPA CA helper. What is the full output of “getcert list” on the

[Freeipa-users] Re: Another pki-tomcatd failing to start due to expired certs

2021-12-01 Thread Florence Renaud via FreeIPA-users
Hi, Please find inline answers. > On 30 Nov 2021, at 06:02, Jacob Block wrote: > > Thank you flo! Those are very good leads. I also found your blog with some > very helpful posts, thanks! I see the Server-Cert must be after 2021-03-08 > now, but also the IPA certs need to be after
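Both the "Expired Subsystem CA's" reply above (asking for the full output of "getcert list") and this one (working out which date the certificates are still valid on) come down to reading certmonger's tracking output. The script below is an added example and is not code from the thread or from FreeIPA: it parses a constructed sample of `getcert list` output, reports which certificates are expired at a given clock value, which tracking requests are not in MONITORING state, and the latest instant at which every tracked certificate is still valid. Request IDs, realm, hostnames, dates and the ca-error text are made up; only the field names (`Request ID`, `status:`, `certificate:`, `expires:`, `ca-error:`) follow certmonger's format. Note that `getcert list` shows only `expires:` (notAfter), so the lower bound of a "go back in time" window (the newest notBefore, such as the 2021-03-08 date mentioned above) has to be read from the certificates themselves.

```python
"""Triage `getcert list` output: expired certs, unhealthy requests, and the
latest clock value at which every tracked certificate is still valid."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of `getcert list` output (not captured from a real server).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2021-03-08 09:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20200101120001':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2021-01-15 09:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20200101120002':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2021-06-30 09:00:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
NICKNAME_RE = re.compile(r"nickname='(?P<v>[^']+)'")
LOCATION_RE = re.compile(r"location='(?P<v>[^']+)'")


def parse_expires(value: str) -> datetime:
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    stamp = value.replace(" UTC", "")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> List[Dict]:
    """One record per tracked request. Indented 'key: value' lines belong to the
    most recent 'Request ID' header; the name is the NSS nickname, or the file
    path for type=FILE certificates."""
    certs: List[Dict] = []
    fields: Optional[Dict] = None
    for raw in text.splitlines():
        header = REQUEST_RE.match(raw)
        if header:
            fields = {"request_id": header.group("id")}
            certs.append(fields)
            continue
        if fields is None or ":" not in raw:
            continue  # preamble line, or not a field
        key, _, value = raw.strip().partition(":")
        fields[key.strip()] = value.strip()
    for f in certs:
        cert_line = f.get("certificate", "")
        where = NICKNAME_RE.search(cert_line) or LOCATION_RE.search(cert_line)
        f["name"] = where.group("v") if where else f["request_id"]
        f["expires_at"] = parse_expires(f["expires"]) if "expires" in f else None
    return certs


def triage(certs: List[Dict], now: datetime) -> Dict:
    """Expired certificates at `now`, requests whose renewal is not healthy
    (anything other than MONITORING), and the latest instant at which every
    tracked certificate is still valid (upper bound for a back-dated repair)."""
    with_expiry = [c for c in certs if c["expires_at"] is not None]
    return {
        "expired": [c["name"] for c in with_expiry if c["expires_at"] <= now],
        "unhealthy": [(c["name"], c.get("status", ""), c.get("ca-error", ""))
                      for c in certs if c.get("status") != "MONITORING"],
        "all_valid_until": min(c["expires_at"] for c in with_expiry) if with_expiry else None,
    }


if __name__ == "__main__":
    report = triage(parse_getcert_list(SAMPLE_GETCERT), datetime.now(timezone.utc))
    print(f"expired: {report['expired']}")
    print(f"unhealthy: {[(n, s) for n, s, _ in report['unhealthy']]}")
    print(f"all certificates valid until: {report['all_valid_until']}")
```

On a real server, feed it `getcert list` output instead of the sample; the "all_valid_until" value is the latest date the clock can be set to for every tracked certificate to verify, and anything in "unhealthy" is a request certmonger cannot renew on its own.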

[Freeipa-users] Re: FreeIPA letsencrypt certificate problems after recent expiration of DST Root CA X3

2021-10-08 Thread Florence Renaud via FreeIPA-users
Hi, start by checking the certificates stored in the LDAP database (replace $SUFFIX with your actual suffix):
# ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,$SUFFIX
You will get a list of entries, one for each CA cert, each entry may contain multiple values for the

[Freeipa-users] Re: FreeIPA letsencrypt certificate problems after recent expiration of DST Root CA X3

2021-10-08 Thread Florence Renaud via FreeIPA-users
Hi, Let's Encrypt's new chain of trust is now the following:
- ISRG Root X1: C = US, O = Internet Security Research Group, CN = ISRG Root X1 (was previously also cross-signed by DST Root CA X3: O = Digital Signature Trust Co., CN = DST Root CA X3)
- R3: C = US, O = Let's Encrypt, CN =

[Freeipa-users] Re: ipantuserattrs - newly created users lack

2021-10-07 Thread Florence Renaud via FreeIPA-users
Hi, the local domain range that is visible with ipa idrange-find shows the IDs that IPA should use when it creates new users / new groups. That configuration is set for the whole topology, stored in the LDAP tree that is replicated across the servers (below cn=ranges,cn=etc,$BASEDN) If there

[Freeipa-users] Re: How to update the certificate authority

2021-10-04 Thread Florence Renaud via FreeIPA-users
Hi, the question is a bit ambiguous: are you referring to the self-signed IPA CA that you would like to replace with an externally-signed IPA CA? If that's the case, it's possible, please read demystifying the certificate authority component in freeipa

[Freeipa-users] Re: User login

2021-09-21 Thread Florence Renaud via FreeIPA-users
Hi, I am not sure I understand what you mean. The below screenshot should be the first thing you see when you go to https://ipaserver.com/ipa/ui/ (unless you need to accept the security exception if the CA is not trusted yet by the browser). Is a custom configuration applied to the http instance

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-09-20 Thread Florence Renaud via FreeIPA-users
On Fri, Sep 17, 2021 at 9:35 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > [...] > ps. with applied fix, though original error(s) is gone I > still get: > -> $ ipa-healthcheck > Internal error testing KRA clone. KRA clone problem > detected Host:

[Freeipa-users] Re: New IPA server and unable to sudo from client

2021-09-20 Thread Florence Renaud via FreeIPA-users
Hi, sudo is controlled with ipa sudorule-* commands, not with HBAC. You can follow freeipa workshop if you want to see how to use it: https://github.com/freeipa/freeipa/blob/master/doc/workshop/8-sudorule.rst HTH, flo On Sat, Sep 18, 2021 at 7:42 PM Jeremy Tourville via FreeIPA-users <

[Freeipa-users] Re: ipa-cert-fix failing

2021-09-16 Thread Florence Renaud via FreeIPA-users
Hi, what is the full output of ipa-cert-fix -v (verbose)? The command internally calls "pki-server cert-fix", and you will be able to find the exact arguments list provided in the logs. Retry the same "pki-server cert-fix" command with -v option and we will get more information about what is

[Freeipa-users] Re: [BUG?] Host Alias DNS

2021-09-16 Thread Florence Renaud via FreeIPA-users
Hi, re-adding the mailing list On Wed, Sep 15, 2021 at 6:31 PM Buckley Ross wrote: > Hi Flo, > > I think you misread my question. > Indeed. I interpreted "I found that on DNS records were provisioned..." as "I found that on DNS , records were provisioned" instead of "I found that *no* DNS

[Freeipa-users] Re: ipa-cert-fix failing

2021-09-15 Thread Florence Renaud via FreeIPA-users
Hi, the CSR that you used is the one for the RA cert, not for "Server-Cert cert-pki-ca" (openssl req -noout -text shows Subject: O = RHELENT.LAN, CN = IPA RA). It seems that 2 different repair procedures were mixed: go back in time and use ipa-cert-fix. With ipa-cert-fix you don't need to

[Freeipa-users] Re: [BUG?] Host Alias DNS

2021-09-14 Thread Florence Renaud via FreeIPA-users
Hi, I was not able to reproduce this issue:
# ipa host-add myhost.ipa.test --ip-address $IP
# ipa dnsrecord-find ipa.test
>> shows myhost.ipa.test has been added
# ipa host-add-principal myhost host/myalias.ipa.test
# ipa dnsrecord-find ipa.test
>> no new record added
DNS records are added when

[Freeipa-users] Re: Waiting for CA subsystem to start (round 2)

2021-09-14 Thread Florence Renaud via FreeIPA-users
Hi, which versions of 389-ds and nss are installed? You may be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1986327 flo On Mon, Sep 13, 2021 at 2:57 PM MERCIER Jonathan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > For records that works if I remove these lines in >

[Freeipa-users] Re: Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)

2021-09-10 Thread Florence Renaud via FreeIPA-users
Hi, the fix is included in 389-ds-base 1.4.3.23-8. flo On Fri, Sep 10, 2021 at 8:46 AM Mikhail Kiselev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'll installed soft: > [code] > [root@ipael8 ~]# dnf list 389* > Last metadata expiration check: 0:16:59 ago on Пт 10 сен

[Freeipa-users] Re: Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)

2021-09-10 Thread Florence Renaud via FreeIPA-users
Hi, Which version of 389-ds is installed on the replica? I think you're hitting https://github.com/389ds/389-ds-base/issues/4872 The problem happens because the new replica has a schema definition for entryUUID with a new syntax. When it gets installed, the schema should get replicated to the

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Florence Renaud via FreeIPA-users
Hi Jeremy, to enable debugging you can simply create /etc/ipa/server.conf if the file does not exist:
# cat /etc/ipa/server.conf
[global]
debug=True
# systemctl restart httpd
The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can examine its content with
# openssl x509 -noout

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Florence Renaud via FreeIPA-users
Hi Jeremy, Did you accept the security exception displayed by the browser (I'm trying to eliminate obvious issues)? If nothing is displayed, can you check if ipa command-line is working as expected (for instance do "kinit admin; ipa config-show")? You may want to enable debug logs (add debug=True

[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Florence Renaud via FreeIPA-users
Hi, ipa-ods-exporter is a socket-activated service, and ipactl status may show it as STOPPED. That's not an issue (and you can see the status of ipactl as successful) as the socket is still listening on events and will wake the service on demand. If it is started manually without the appropriate

[Freeipa-users] Re: Waiting for CA subsystem to start

2021-08-31 Thread Florence Renaud via FreeIPA-users
Hi, the error message "Could not open /run/lock/opencryptoki/LCK..APIlock" is harmless and is an opencryptoki issue, please see https://bugzilla.redhat.com/show_bug.cgi?id=1991840 The workaround (removing the lines from /etc/crypto-policies/back-ends/nss.config) means that NSS databases won't use

[Freeipa-users] Re: Unable to start directory server after updates

2021-08-31 Thread Florence Renaud via FreeIPA-users
Hi, - Are you using the targeted selinux policy? (what is the output of "sestatus" command) - are the selinux-policy / selinux-policy-targeted / ipa-selinux packages up-to-date? To troubleshoot further, I would first try to start named-pkcs11 in permissive mode (setenforce 0; systemctl start

[Freeipa-users] Re: Unable to start directory server after updates

2021-08-30 Thread Florence Renaud via FreeIPA-users
Hi, on rhel8, IPA is using named-pkcs11.service, not named.service. In order to manually start the bind service, you would need to use "systemctl start named-pkcs11.service". The journal may contain additional logs, as well as the output of "systemctl status named-pkcs11.service". IIRC in ipa

[Freeipa-users] Re: AD Trust not working after IPA server reinstall

2021-08-24 Thread Florence Renaud via FreeIPA-users
Hi, 1/ The local ID range NIX.VERSATUSHPC.COM.BR_id_range shows that you can have posix ids created on IdM: from 1,278,400,000 to 1,278,599,999. These posix ids can be created either by idm1 or by idm2 server, but you need to make sure that they don't use the same value if simultaneous

[Freeipa-users] Re: ldap provider variables for AD trust

2021-08-24 Thread Florence Renaud via FreeIPA-users
Hi, for the entries stored on AD side, the compat tree creates entries on demand, and only when specific search filters are used (the same ones as posix-compliant systems would use). You can find the list of supported search filters in RFC 2307 (rfc2307#section-5.2

[Freeipa-users] Re: AD Trust not working after IPA server reinstall

2021-08-20 Thread Florence Renaud via FreeIPA-users
Hi, On Thu, Aug 19, 2021 at 7:09 PM Vinícius Ferrão via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > I had to reinstall our IPA server since we had Filesystem corruption > beyond repair on it. > > After the reinstall (with ipa-replica-install) AD Trust does not seems

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-20 Thread Florence Renaud via FreeIPA-users
Hi, we have an open ticket for pruning expired certs from the database, please see ticket 7219. Note that this mentions only expired certs, not unused certs. The problem was already discussed a few times in the past, see for instance - Removal of obsolete

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-20 Thread Florence Renaud via FreeIPA-users
Hi, What is the output of
klist -A
klist -k /etc/krb5.keytab
on the machine where ipa-healthcheck command fails? ipa-healthcheck is using a kerberos ticket to authenticate to the LDAP server (obtained from /etc/krb5.keytab), and has different access rights depending on the identity mapped to this

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-19 Thread Florence Renaud via FreeIPA-users
Hi, you may be hitting Bug 1959057 - An error has ocorred (IPA Error 4301:CertificateOperationError) The error happens when there are more entries to return than the configured nsSizeLimit. The workaround is to raise the nsSizeLimit as

[Freeipa-users] Re: A couple of CRL questions

2021-08-16 Thread Florence Renaud via FreeIPA-users
Hi, Cc'ing us...@lists.dogtagpki.org as they may have more details. On Mon, Aug 16, 2021 at 5:04 PM IPA Listmail via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > 1) Is there a way to shrink a CRL? That is,

[Freeipa-users] Re: supported override method

2021-08-16 Thread Florence Renaud via FreeIPA-users
Hi, It's OK to use host-specific ID views to override the Default Trust View, and documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/id-views#overriding-the-default-trust-view-with-other-id-views The Default Trust View can be

[Freeipa-users] Re: supported override method

2021-08-02 Thread Florence Renaud via FreeIPA-users
Hi, when you write "do an override only for a set of servers", do you mean IPA servers? ID views (except the Default Trust view) can only be applied to IdM clients, not to servers. flo On Fri, Jul 23, 2021 at 2:58 PM iulian roman via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:

[Freeipa-users] Re: ldap_extended_operation fails on the client

2021-07-13 Thread Florence Renaud via FreeIPA-users
Hi, a similar issue was already seen in other customer cases, and the advice was to look for an entry with nameAlias: in the cache. The issue was resolved by removing this additional group. HTH, flo On Tue, Jul 13, 2021 at 11:14 AM iulian roman via FreeIPA-users <

[Freeipa-users] Re: Using Subject Alternative Name in smart card certificate for authentication

2021-07-13 Thread Florence Renaud via FreeIPA-users
Hi, please find more information regarding smart card mapping in the man page for sss-certmap(5) and in the chapter Certificate Mapping Rules for Configuring Authentication on Smart Cards [1] of Linux Domain Identity, Authentication, and Policy Guide. IdM allows you to configure rules that

[Freeipa-users] Re: ipahealthcheck: ldapsearch finds no replconflict but nsconf does

2021-07-12 Thread Florence Renaud via FreeIPA-users
The correct search filter must include (objectClass=ldapSubEntry):
ldapsearch -H ldaps://linge.example.com -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
HTH, flo On Sat, Jul 10, 2021 at 3:20 PM Kees Bakker via FreeIPA-users <

[Freeipa-users] Re: Multiple ID views question

2021-07-08 Thread Florence Renaud via FreeIPA-users
Hi, please refer to the chapter 8.1.2. Overriding the Default Trust View with Other ID Views [1] from Windows Integration Guide:
- 8< -
If another ID view applied to the host overrides the attribute values in the Default Trust View, IdM applies the values from the host-specific ID

[Freeipa-users] Re: bug in ldap_entry_reconstruct()

2021-07-08 Thread Florence Renaud via FreeIPA-users
Hi, There were a few known issues with 389-ds and sync_repl. I see your version of 389-ds is 1.4.3.16-8.module_el8.4.0 but 389-ds-base-1.4.3.23-2.module_el8.5.0+835+5d54734c.x86_64.rpm

[Freeipa-users] Re: Cannot get rid of a replica/agreement

2021-07-06 Thread Florence Renaud via FreeIPA-users
Hi, so there are replication conflicts in the LDAP database. To find the conflicting entries, run the following commands on each server:
export BASEDN=
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
And then follow the

[Freeipa-users] Re: failing to add additional replica (already 3 in place)

2021-07-06 Thread Florence Renaud via FreeIPA-users
Hi, can you provide the logs of the replica installation (/var/log/ipareplica-install.log and /var/log/pki/pki-ca-spawn.$date.log) ? In the logs you can find which server was used to initialize the data (look for a line with ipa-replica-conncheck), the logs from this server may also be useful

[Freeipa-users] Re: Cannot get rid of a replica/agreement

2021-07-06 Thread Florence Renaud via FreeIPA-users
Hi, is the topology at domain level 1 or domain level 0?
# kinit admin
# ipa domainlevel-get
If the level is 1, the right command in order to remove a replica + ignore topology disconnect issues is
# kinit admin
# ipa server-del --ignore-topology-disconnect
The error "not allowed on non-leaf

[Freeipa-users] Re: I have installed kerberos , How can I install FreeIPA

2021-07-02 Thread Florence Renaud via FreeIPA-users
Hi, when you write "install kerberos", do you mean install the packages and configure a kerberos server? FreeIPA installer itself configures the kerberos server with specific settings (the kerberos server is using a LDAP database to store its information), and cannot be installed on top of an

[Freeipa-users] Re: bug in ldap_entry_reconstruct()

2021-07-01 Thread Florence Renaud via FreeIPA-users
Hi Kees, can you also check if there are replication conflict entries? On each server:
export BASEDN=
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
flo On Thu, Jul 1, 2021 at 2:35 PM Rob Crittenden via FreeIPA-users <
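The ldapsearch for (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*)) appears in three replies on this page (this one, "Cannot get rid of a replica/agreement" above, and the ipahealthcheck thread that insists on the ldapSubEntry clause). What comes back is LDIF, and on a busy topology there can be many entries, so the script below is an added example, not code from the thread or from FreeIPA/389-ds: it reads the LDIF that such a search prints, unfolds continuation lines, decodes base64 ("::") values, and lists each conflict entry with its nsuniqueid, the operation that caused the conflict and the DN it collided with. The suffix dc=example,dc=test, the names and the nsuniqueid values in SAMPLE_LDIF are constructed; the shape of the conflict entries (an nsuniqueid=...+rdn DN, objectClass ldapSubEntry, a "namingConflict (OP) <dn>" value) follows 389-ds.

```python
"""List 389-ds replication conflict entries from ldapsearch LDIF output."""
import base64
import re
from collections import defaultdict
from typing import Dict, List


def _b64(value: str) -> str:
    """LDIF writes non-ASCII (and other unsafe) values base64-encoded after '::'."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


# Constructed sample (not from a real server): what the ldapsearch in the thread
# could print on one replica. The second entry has a non-ASCII RDN, so ldapsearch
# would emit its dn, cn and conflict value base64-encoded.
_DN2 = "nsuniqueid=7a1b2c3d-1dd211b2-8e9f0a1b-31d90000+cn=Équipe,cn=groups,cn=accounts,dc=example,dc=test"
_CN2 = "Équipe"
_CONFLICT2 = "namingConflict (MODRDN) cn=Équipe,cn=groups,cn=accounts,dc=example,dc=test"

SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=test> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# user1 + 66446001-1dd211b2-66225794-31d90000, users, accounts, example.test
dn: nsuniqueid=66446001-1dd211b2-66225794-31d90000+uid=user1,cn=users,cn=accou
 nts,dc=example,dc=test
objectClass: ldapSubEntry
objectClass: posixaccount
uid: user1
nsds5ReplConflict: namingConflict (ADD) uid=user1,cn=users,cn=accounts,dc=examp
 le,dc=test

dn:: {_b64(_DN2)}
objectClass: ldapSubEntry
objectClass: groupofnames
cn:: {_b64(_CN2)}
nsds5ReplConflict:: {_b64(_CONFLICT2)}

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

CONFLICT_RE = re.compile(r"^namingConflict(?:\s+\((?P<op>\w+)\))?\s+(?P<dn>.+)$")
UNIQUEID_RE = re.compile(r"^nsuniqueid=(?P<id>[0-9a-f-]+)\+", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal reader for ldapsearch output: unfolds continuation lines (leading
    space), skips '#' comments, decodes 'attr:: base64' values and returns one
    dict per entry keyed by lower-cased attribute name (LDAP attribute names are
    case-insensitive). Blocks without a dn (the trailing search:/result: lines)
    are dropped."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def find_conflicts(ldif_text: str) -> List[dict]:
    """One record per nsds5ReplConflict value. 389-ds renames the losing entry to
    'nsuniqueid=<id>+<original rdn>' and stores the operation and the DN it
    collided with in nsds5ReplConflict."""
    found: List[dict] = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        for raw in entry.get("nsds5replconflict", []):
            match = CONFLICT_RE.match(raw)
            uniq = UNIQUEID_RE.match(dn)
            found.append({
                "dn": dn,
                "nsuniqueid": uniq.group("id") if uniq else "",
                "is_subentry": "ldapsubentry" in classes,
                "kind": "namingConflict" if match else raw.split()[0],
                "operation": (match.group("op") or "") if match else "",
                "conflicts_with": match.group("dn") if match else "",
            })
    return found


def summarize(conflicts: List[dict]) -> str:
    """Group conflict entries by the DN they collided with, one line per DN."""
    by_target = defaultdict(list)
    for c in conflicts:
        by_target[c["conflicts_with"] or "(unparsed)"].append(c)
    lines = [f"{len(conflicts)} conflict entr{'y' if len(conflicts) == 1 else 'ies'} found"]
    for target, items in sorted(by_target.items()):
        ops = ", ".join(f"{c['operation'] or '?'} as {c['nsuniqueid']}" for c in items)
        lines.append(f"  {target}: {ops}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(find_conflicts(SAMPLE_LDIF)))
```

Run it against the saved output of the ldapsearch from each server (ldapsearch ... > conflicts.ldif) and compare the summaries: the same nsuniqueid should show up on every replica once replication has converged, and the "conflicts_with" DN is the surviving entry you compare it against before deciding which one to keep.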

[Freeipa-users] Re: dns of two out of three masters not up to date

2021-06-29 Thread Florence Renaud via FreeIPA-users
Hi, as said on the other mail thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/GR2ZOFFNICWKLI3YBFYVTFZHUNNKDIQZ/, I suspect the search for plugins is executed with ldapsearch -Y GSSAPI ... and the ACIs are filtering part of the output. The command

[Freeipa-users] Re: CentOS 8 master missing plugins?

2021-06-29 Thread Florence Renaud via FreeIPA-users
Hi Kees, How are you looking for the plugins? If you are performing a ldapsearch, make sure to bind as cn=directory manager, otherwise the returned entries may be filtered by ACIs. You can also look directly in /etc/dirsrv/slapd-DOMAIN/dse.ldif. What are the exact versions installed on your

[Freeipa-users] Re: Compatibility Plugin .update file for Active Directory

2021-06-28 Thread Florence Renaud via FreeIPA-users
Hi, the doc for the schema compatibility plugin is available here: - https://pagure.io/slapi-nis/blob/master/f/doc/sch-getting-started.txt - https://pagure.io/slapi-nis/blob/master/f/doc/sch-configuration.txt HTH, flo On Mon, Jun 28, 2021 at 4:28 PM Rob Crittenden via FreeIPA-users <

[Freeipa-users] Re: Password avability before change

2021-06-28 Thread Florence Renaud via FreeIPA-users
Hi, according to Password policies in IdM [1]:
Min lifetime: The minimum amount of time in hours that must pass between two password change operations.
Min lifetime = 1: After users change their passwords, they must wait at least 1 hour before changing them again.
Hope this clarifies, flo [1]

[Freeipa-users] Re: cache invalidation dilema on the clients

2021-06-28 Thread Florence Renaud via FreeIPA-users
Hi, SSSD is also using a memory cache, and you need to remove the files in /var/lib/sss/mc/ in order to clean it. Its lifetime and size can also be set in sssd.conf, please look for memcache_* in sssd.conf man page. flo On Fri, Jun 25, 2021 at 5:28 PM iulian roman via FreeIPA-users <

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-28 Thread Florence Renaud via FreeIPA-users
Hi, it seems the error happens when you run commands that require communication between IPA framework and the Certificate Server (like ipa ca-show). The workflow is the following: 1. the client (= the command "ipa ca-show") is a python process that communicates with httpd on the secure port. It

[Freeipa-users] Re: dns of two out of three masters not up to date

2021-06-21 Thread Florence Renaud via FreeIPA-users
Hi, the high level view is the following: when there is an update related to DNS data on an IPA server (new/updated/deleted zone, new/updated/deleted record), it gets written to LDAP. As the LDAP data is replicated to the other IPA servers, their local LDAP database gets updated. The bind daemon

[Freeipa-users] Re: Consumer failed to replay change Operations error (1)

2021-06-17 Thread Florence Renaud via FreeIPA-users
Forwarding to 389-us...@lists.fedoraproject.org as they may have more inputs. On Wed, Jun 16, 2021 at 11:31 PM Alfred Victor via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi FreeIPA, > > We have

[Freeipa-users] Re: AD Trust Types

2021-06-12 Thread Florence Renaud via FreeIPA-users
Hi, please refer to External Trusts to Active Directory [1] from Windows Integration guide, it nicely explains the difference between external trust and forest trust. flo [1]

[Freeipa-users] Re: FreeIPA w. letsencrypt for HTTPS/LDAP failing to communicate with itself

2021-06-12 Thread Florence Renaud via FreeIPA-users
Hi, when the let's encrypt certificates were installed, did you run ipa-cacert-manage install on one of the nodes + ipa-certupdate on *all the IPA machines*? It's important to run ipa-certupdate on all the server/replicas/clients in order to install the CA everywhere. flo On Sat, Jun 12, 2021

[Freeipa-users] Re: various errors and warnings on F34: Can't contact LDAP server, Component identity is NULL; Failed to unwrap key for cipher

2021-06-07 Thread Florence Renaud via FreeIPA-users
On Fri, Jun 4, 2021 at 10:11 PM Robert Kudyba via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64, we're > seeing the below errors. I found a previous post that mentions a user had > these during a migration but we

[Freeipa-users] Re: Improper format of Kerberos configuration - error from client setup

2021-06-07 Thread Florence Renaud via FreeIPA-users
On Sun, Jun 6, 2021 at 11:09 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi guys. > > I'm trying client install and I fail: > ... > Time synchronization was successful. > Please make sure the following ports are opened in the > firewall settings: > TCP:

[Freeipa-users] Re: healthcheck complains about a removed replica

2021-06-04 Thread Florence Renaud via FreeIPA-users
Hi, I'm not sure the issue is really on PKI side. On ipa server-del call, IPA should also make sure to call something similar to pki securitydomain-host-del to make sure that the host is removed from PKI security domain. This was tracked in BZ 1740702

[Freeipa-users] Re: ipa-replica-install failing - operations error: the changelog directory already exists and is not empty

2021-06-03 Thread Florence Renaud via FreeIPA-users
Glad to see it worked, and thanks for closing the loop. flo On Wed, Jun 2, 2021 at 10:21 PM Sinh Lam wrote: > Hi Flo - > > Thank you for the instructions. Everything is back to normal and I was > able to bring up a new replica in the process after the steps were done. > > Sinh > > > > On June

[Freeipa-users] Re: ipa-replica-install failing - operations error: the changelog directory already exists and is not empty

2021-06-02 Thread Florence Renaud via FreeIPA-users
Hi, thanks for the confirmation. In this case, you can fix the issue with the following procedure: To fix the master that was missing the "cn=changelog5,cn=config" entry follow these steps:
[1] Remove the directory /var/lib/dirsrv/slapd-XXX/cldb
[2] Use ldapmodify and add this entry
dn:

[Freeipa-users] Re: ipa-replica-install failing - operations error: the changelog directory already exists and is not empty

2021-06-01 Thread Florence Renaud via FreeIPA-users
Hi, the error looks similar to https://bugzilla.redhat.com/show_bug.cgi?id=1590974 Most of the comments are private in this BZ because they refer to customer deployments, but the issue can happen if cn=changelog5,cn=config is missing on the master AND the changelog directory is present. Can you

[Freeipa-users] Re: IPA Reinstall

2021-06-01 Thread Florence Renaud via FreeIPA-users
Hi, the recommended way to uninstall a replica and reinstall it is described in the doc: 1. Uninstall the replica ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/Uninstalling_IPA_Servers) with ipa server-del and

[Freeipa-users] Re: Changing directory manager password

2021-05-20 Thread Florence Renaud via FreeIPA-users
Hi Ian, with IPA 4.6.8 you just need to follow the 389ds doc. The procedure was more complex in version < 3.2.2 because there were two 389ds instances (one for the regular suffix and one for the Certificate Server) and the password had to be manually synchronized between the 2, and the replica

[Freeipa-users] Re: [Freeipa-devel] How to promote replicated master server in freeIPA, if lost first master?

2021-05-17 Thread Florence Renaud via FreeIPA-users
Hi, I'm moving the thread to freeipa-users mailing list as it's a better place for this conversation. The chapter Adjusting IdM clients during recovery

[Freeipa-users] Re: FreeIPA and SSL with the Web GUI

2021-05-14 Thread Florence Renaud via FreeIPA-users
Hi, ipa started using mod_ssl in version 4.7+. Your version 4.6.8 still relies on mod_nss with the http cert stored in /etc/httpd/alias. Hope this clarifies, flo On Fri, May 14, 2021 at 4:36 PM Steve Reed via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Steve Reed via

[Freeipa-users] Re: FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

2021-05-12 Thread Florence Renaud via FreeIPA-users
Hi, this is a known selinux-policy issue, tracked at https://bugzilla.redhat.com/show_bug.cgi?id=1894132 flo On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote: > > In a

[Freeipa-users] Re: posix and non-posix AD users

2021-05-07 Thread Florence Renaud via FreeIPA-users
Hi, when a trust is established with posix range type, the users need to have uidNumber and gidNumber set on AD side. If you want IdM to generate uid and gid, the range type has to be ipa-ad-trust instead of ipa-ad-trust-posix but I believe the posix attributes of the AD entries won't be taken

[Freeipa-users] Re: How to import OpenLDAP data to FreeIPA

2021-05-06 Thread Florence Renaud via FreeIPA-users
Hi, I'm afraid I don't understand your question. For which purpose do you need this user? On FreeIPA side there are 2 special LDAP users: cn=Directory Manager and uid=admin,cn=users,cn=accounts,$BASEDN. The admin user has special privileges to administer FreeIPA but not as many as Directory

[Freeipa-users] Re: server install - You are attempting to import a cert with the same issuer

2021-05-03 Thread Florence Renaud via FreeIPA-users
On Mon, May 3, 2021 at 1:30 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > On 03/05/2021 08:50, Florence Renaud wrote: > > Hi, > > the issue looks similar to > > https://pagure.io/freeipa/issue/8614 > > . > > Did you try

[Freeipa-users] Re: server install - You are attempting to import a cert with the same issuer

2021-05-03 Thread Florence Renaud via FreeIPA-users
Hi, the issue looks similar to https://pagure.io/freeipa/issue/8614. Did you try installation on a node which was previously installed? There may be a remaining cert in /etc/ipa/ca.crt or in the system-wide trust store (for instance check in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem). If

[Freeipa-users] Re: Assistance configuring RHEL client

2021-04-28 Thread Florence Renaud via FreeIPA-users
Hi, the following blog post describes your situation and may help understand the issues with linux hosts enrolled to IPA while their domain name belongs to AD: https://www.redhat.com/en/blog/i-really-cant-rename-my-hosts Hope this clarifies, flo On Wed, Apr 28, 2021 at 7:49 AM Ash Ryder via