[Freeipa-users] Re: TXT - SPF & DKIM
On 26/07/2023 11:07, Jernej Jakob wrote:
> I don't see the behavior you describe, for example I have DKIM records in the format:
>
> "v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."
>
> where "..." is the public key split into multiple chunks of arbitrary length to make it more readable in the FreeIPA WebUI (it has a bug where it doesn't line break long text into multiple lines, but it does line breaks on whitespace).
>
> If I dig this record I get exactly the data I entered into the text record box in FreeIPA WebUI. The spaces are left intact in the quoted string.
>
> So I don't know how your system behaves as you describe, maybe it's different between versions?
>
> If I enter data without quotes, for example 'v=spf1 mx -all' (without the single quotes), dig will return "v=spf1" "mx" "-all", maybe that's what you're seeing?
>
> On Wed, 26 Jul 2023 08:57:50 +0200 lejeczek via FreeIPA-users wrote:
>> On 24/07/2023 10:13, Jernej Jakob wrote:
>>> On Sun, 23 Jul 2023 14:22:48 +0200 lejeczek via FreeIPA-users wrote:
>>>> Hi guys.
>>>> Would you know a correct or best-practice way to add such records? When I look at how those resolve for some (a few I tried) well-known domains - in order to get the same/similar with IPA it seems that I have to escape some chars, namely white-spaces. Is that normal/expected? It did not feel as such to me.
>>>> many thanks, L.
>>>
>>> Put double quotes around the text. You can also split it into multiple quoted strings separated by whitespace. It will be served as-is.
>>> If the record has text and whitespace that is not quoted, each string separated by whitespace will be quoted separately. After the client concatenates the result the whitespaces will be lost. That's probably what you're experiencing.
>>> https://kb.isc.org/docs/aa-00356
>>
>> That is what I meant - perhaps vaguely enough - that quotes, single or double, did not do; I still had to escape white-spaces, otherwise each such space did create a separate string - at least _dig_ shows it that way.
>> VERSION: 4.10.1, API_VERSION: 2.251

in/with CLI it seems to be a 'must':
...-txt-rec='v=spf1\ mx\ a\ ip4:aa.bb.cc.dd\ a:mail.dom.mine\ -all'
otherwise, without escaping, such record resolves to: "v=spf1" "mx" "a" "ip4:..." as opposed to one string - which was what I expected.
So.. it works, there is a way to have it set "correctly" but - if devel reads this - it's somewhat counter-intuitive, the quoting is.
thanks, L.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
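The quoting behaviour the thread goes back and forth on can be made concrete. The following is an added example, not code from the thread, from FreeIPA or from BIND: a small pure-stdlib model of how TXT RDATA typed into a zone file or an IPA --txt-rec value is cut into DNS character-strings, how dig then prints them, and how an SPF or DKIM verifier joins them back (with no separator, which is why an unquoted 'v=spf1 mx -all' stops being a valid SPF record). Function names are mine; the sample inputs are the ones quoted in the messages above, and the escape rules follow master-file syntax (RFC 1035 section 5.1) as BIND applies it.

```python
# Added example, not code from the thread or from FreeIPA/BIND. Models how a
# TXT record's presentation text is cut into DNS <character-string>s and how an
# SPF/DKIM verifier glues them back together. Pure standard library; it never
# talks to IPA or a name server. Quoting/escape handling follows master-file
# syntax (RFC 1035 section 5.1); the join-without-separators rule is RFC 7208
# section 3.3 (SPF) and RFC 6376 section 3.6.2.2 (DKIM).

MAX_CHARSTRING = 255  # one <character-string> carries at most 255 octets


def split_txt_presentation(text: str) -> list[bytes]:
    """Cut TXT RDATA as written in a zone file or an IPA --txt-rec value.

    A double-quoted run becomes exactly one character-string, spaces included.
    Outside quotes, whitespace separates character-strings, so an unquoted
    'v=spf1 mx -all' yields three of them. Backslash escapes (backslash-quote,
    backslash-backslash, backslash-space, backslash-DDD) work in both contexts,
    which is why escaping every space is the other way to keep one string.
    """
    strings: list[bytes] = []
    cur = bytearray()
    pending = False      # cur holds an unquoted token not yet emitted
    in_quotes = False
    i, n = 0, len(text)

    def flush() -> None:
        nonlocal pending
        if pending:
            strings.append(bytes(cur))
            cur.clear()
            pending = False

    while i < n:
        c = text[i]
        if c == "\\":
            esc = text[i + 1:i + 4]
            if len(esc) == 3 and esc.isdigit():      # \DDD: decimal octet value
                if int(esc) > 255:
                    raise ValueError(f"bad escape \\{esc}")
                cur.append(int(esc))
                i += 4
            elif i + 1 < n:                          # \x: literal x
                cur.extend(text[i + 1].encode())
                i += 2
            else:
                raise ValueError("dangling backslash")
            pending = True
        elif c == '"':
            if in_quotes:                            # closing quote: emit, even if empty
                strings.append(bytes(cur))
                cur.clear()
                pending = False
            else:                                    # opening quote: finish any bare token
                flush()
            in_quotes = not in_quotes
            i += 1
        elif c.isspace() and not in_quotes:
            flush()
            i += 1
        else:
            cur.extend(c.encode())
            pending = True
            i += 1
    if in_quotes:
        raise ValueError("unterminated quoted string")
    flush()
    for s in strings:
        if len(s) > MAX_CHARSTRING:
            raise ValueError(f"character-string of {len(s)} octets exceeds {MAX_CHARSTRING}")
    return strings


def txt_to_wire(strings: list[bytes]) -> bytes:
    """RDATA wire form: each character-string is one length octet plus its octets."""
    return b"".join(bytes([len(s)]) + s for s in strings)


def txt_from_wire(rdata: bytes) -> list[bytes]:
    """Inverse of txt_to_wire; rejects a length octet that runs past the RDATA."""
    out, i = [], 0
    while i < len(rdata):
        length = rdata[i]
        i += 1
        if i + length > len(rdata):
            raise ValueError("truncated character-string")
        out.append(rdata[i:i + length])
        i += length
    return out


def to_presentation(strings: list[bytes]) -> str:
    """Render the way dig prints TXT RDATA: every string quoted, space-separated."""
    quoted = []
    for s in strings:
        txt = s.decode("latin-1").replace("\\", "\\\\").replace('"', '\\"')
        quoted.append(f'"{txt}"')
    return " ".join(quoted)


def join_character_strings(strings: list[bytes]) -> bytes:
    """What an SPF or DKIM verifier evaluates: the strings concatenated with nothing between."""
    return b"".join(strings)


def looks_like_spf(strings: list[bytes]) -> bool:
    """True if the joined record still reads as SPF version 1 followed by terms."""
    joined = join_character_strings(strings)
    return joined == b"v=spf1" or joined.startswith(b"v=spf1 ")


if __name__ == "__main__":
    for form in ("v=spf1 mx -all", '"v=spf1 mx -all"', r"v=spf1\ mx\ -all",
                 '"v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."'):
        strings = split_txt_presentation(form)
        print(f"typed : {form}")
        print(f"dig   : {to_presentation(strings)}")
        print(f"joined: {join_character_strings(strings)!r}")
        if "spf1" in form:
            print(f"SPF ok: {looks_like_spf(strings)}")
        print()
```

The unquoted form prints as "v=spf1" "mx" "-all", exactly what dig showed in the thread, and joins to v=spf1mx-all, which no SPF verifier will accept; the quoted form and the backslash-escaped form both survive as a single string. The DKIM case shows the other direction: a long key deliberately split into several quoted strings is harmless, because the verifier joins them, and the split is in fact required once the key exceeds 255 octets.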
[Freeipa-users] Re: cert management - ? - pkcs format
On 26/07/2023 14:32, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> Is it possible IPA output format (when rendered into files) is _pkcs_, for both keys & certs? Not being a security/cryptography expert I am unable to put it into better words - format/container which works with/in Java? Like when:
>> -> $ openssl pkcs8 ... -topk8 -nocrypt -v1 PBE-SHA1-3DES ..
>
> In what context?
>
> Except for those services that IPA uses itself it has no access to the private key so this would be an exercise for the end-user.
>
> certmonger owns certificates and keys end-to-end but it only supports PEM files and NSS databases.
>
> rob

apologies, yes, in the context of 'service' certificates. so "external" to IPA, eg.:
ipa-getcert ...
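Since certmonger only writes PEM files or an NSS database and the conversion is, as Rob says, left to the end user, here is what that exercise looks like. This is an added example, not FreeIPA or certmonger code: it takes the PEM key and certificate certmonger tracks and produces the two containers Java tooling accepts, an unencrypted PKCS#8 key (what `openssl pkcs8 -topk8 -nocrypt` gives) and a password-protected PKCS#12 bundle, then opens the bundle again to confirm the round trip and that a wrong password is rejected. It needs the `cryptography` package. The self-signed certificate is generated in memory only so the example runs offline; in real use key_pem and cert_pem are read from the files you gave ipa-getcert with -k and -f.

```python
# Added example, not FreeIPA or certmonger code. Converts the PEM key and
# certificate certmonger hands you into an unencrypted PKCS#8 key and a
# password-protected PKCS#12 bundle for Java tooling, and verifies the bundle.
# Needs the 'cryptography' package. make_demo_pem() is a constructed stand-in
# for certmonger's files so the example runs offline.
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def to_pkcs8_unencrypted(key_pem: bytes) -> bytes:
    """Same result as: openssl pkcs8 -topk8 -nocrypt -in key.pem
    The output is a plaintext private key; keep it mode 0600 and delete it once imported."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )


def to_pkcs12(key_pem: bytes, cert_pem: bytes, password: bytes,
              friendly_name: bytes = b"ipa-service",
              ca_pem: Optional[bytes] = None) -> bytes:
    """Same result as: openssl pkcs12 -export -inkey key.pem -in cert.pem [-certfile ca.pem]
    The bundle is encrypted under the password, unlike the -nocrypt PKCS#8 file."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    cas = [x509.load_pem_x509_certificate(ca_pem)] if ca_pem else None
    return pkcs12.serialize_key_and_certificates(
        friendly_name, key, cert, cas,
        serialization.BestAvailableEncryption(password),
    )


def pkcs12_matches(p12: bytes, password: bytes, cert_pem: bytes) -> bool:
    """Open the bundle and confirm it holds the expected certificate and a key that fits it.
    A wrong password makes the library raise ValueError; report that as False."""
    try:
        key, cert, _extra = pkcs12.load_key_and_certificates(p12, password)
    except ValueError:
        return False
    expected = x509.load_pem_x509_certificate(cert_pem)
    return (cert == expected
            and key.public_key().public_numbers() == expected.public_key().public_numbers())


def make_demo_pem() -> tuple[bytes, bytes]:
    """Constructed input: a fresh RSA key and a one-day self-signed certificate,
    standing in for the files certmonger would have written."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "svc.ipa.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    key_pem, cert_pem = make_demo_pem()
    p8 = to_pkcs8_unencrypted(key_pem)
    p12 = to_pkcs12(key_pem, cert_pem, b"changeit")
    print(p8.decode().splitlines()[0])
    print("pkcs12 ok:", pkcs12_matches(p12, b"changeit", cert_pem))
    print("wrong password rejected:", not pkcs12_matches(p12, b"nope", cert_pem))
```

The PKCS#12 file is what keytool consumes directly (`keytool -importkeystore -srcstoretype PKCS12 ...`), so the unencrypted PKCS#8 step is only needed for code that insists on a bare key. Note the example does not cover the NSS-database case from Rob's reply; for that, export with pk12util first and you are already at PKCS#12.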
[Freeipa-users] cert management - ? - pkcs format
Hi guys.
Is it possible IPA output format (when rendered into files) is _pkcs_, for both keys & certs? Not being a security/cryptography expert I am unable to put it into better words - format/container which works with/in Java? Like when:
-> $ openssl pkcs8 ... -topk8 -nocrypt -v1 PBE-SHA1-3DES ..
many thanks, L.
[Freeipa-users] Re: TXT - SPF & DKIM
On 24/07/2023 10:13, Jernej Jakob wrote:
> On Sun, 23 Jul 2023 14:22:48 +0200 lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> Would you know a correct or best-practice way to add such records? When I look at how those resolve for some (a few I tried) well-known domains - in order to get the same/similar with IPA it seems that I have to escape some chars, namely white-spaces. Is that normal/expected? It did not feel as such to me.
>> many thanks, L.
>
> Put double quotes around the text. You can also split it into multiple quoted strings separated by whitespace. It will be served as-is.
> If the record has text and whitespace that is not quoted, each string separated by whitespace will be quoted separately. After the client concatenates the result the whitespaces will be lost. That's probably what you're experiencing.
> https://kb.isc.org/docs/aa-00356

That is what I meant - perhaps vaguely enough - that quotes, single or double, did not do; I still had to escape white-spaces, otherwise each such space did create a separate string - at least _dig_ shows it that way.
VERSION: 4.10.1, API_VERSION: 2.251
[Freeipa-users] TXT - SPF & DKIM
Hi guys.
Would you know a correct or best-practice way to add such records? When I look at how those resolve for some (a few I tried) well-known domains - in order to get the same/similar with IPA it seems that I have to escape some chars, namely white-spaces. Is that normal/expected? It did not feel as such to me.
many thanks, L.
[Freeipa-users] Re: firewall - masters VS clients
On 15/06/2023 16:41, Alexander Bokovoy wrote:
> On Thu, 15 Jun 2023, lejeczek via FreeIPA-users wrote:
>> On 15/06/2023 15:33, Rob Crittenden wrote:
>>> lejeczek via FreeIPA-users wrote:
>>>> Hi guys.
>>>> Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas access?
>>>
>>> This has been asked and answered many times on the list. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5OFGFDA2INO6GVNNHGCUHYQDALZMS4JO/#W3RMF2SSARWAASYW2KI64T2DDFGXBSXI for example.
>>>
>>> rob
>>
>> Many thanks.
>> Might I dare to suggest - there are not many programs as complex as IPA (?) accompanied by documentation as good as IPA's - an addition of something like ipa-firewall? IPA is a bit "stingy" on that front, and a short & concise small man-page (with perhaps a short highlight on: master <-- master VS <-- client - if there are differences, which I failed to find explained in those links) will go a long way, I have no doubts. Everybody knows that admins worth their souls go there first - sroogling can't compare - and nobody can put a better manual than the authors, obviously.
>
> There are multiple places in the RHEL IdM documentation that talk about protocol flows and firewalls/ports.
>
> For example, below are sections related to integration with Active Directory:
>
> Troubleshooting client access to services in the other forest:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#assembly_troubleshooting-client-access-to-services-in-the-other-forest_installing-trust-between-idm-and-ad
>
> Ports required for communication between IdM and AD:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#ports-required-for-communication-between-idm-and-ad_installing-trust-between-idm-and-ad
>
> There are also sections related to ports for normal installation:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#port-requirements-for-idm_preparing-the-system-for-ipa-server-installation
>
> These all were taken from my original draft that I shared here multiple times:
> https://vda.li/drafts/firewall-considerations.txt

Apologies, I did not get my point across well, or could be that not at all - "stingy" on the man-pages front - IPA, I said, had very good documentation - an addition of ipa-firewall man page(s) was my suggestion. Sroogling over the Internet is okay but most - all admins, I'd like to believe - of us go to man pages first.
[Freeipa-users] Re: firewall - masters VS clients
On 15/06/2023 15:33, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas access?
>
> This has been asked and answered many times on the list. See https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/5OFGFDA2INO6GVNNHGCUHYQDALZMS4JO/#W3RMF2SSARWAASYW2KI64T2DDFGXBSXI for example.
>
> rob

Many thanks.
Might I dare to suggest - there are not many programs as complex as IPA (?) accompanied by documentation as good as IPA's - an addition of something like ipa-firewall? IPA is a bit "stingy" on that front, and a short & concise small man-page (with perhaps a short highlight on: master <-- master VS <-- client - if there are differences, which I failed to find explained in those links) will go a long way, I have no doubts. Everybody knows that admins worth their souls go there first - sroogling can't compare - and nobody can put a better manual than the authors, obviously.
regards & thanks, L.
[Freeipa-users] firewall - masters VS clients
Hi guys.
Are there any ports/services which clients do not need and which can be exclusively allowed only to/between masters/replicas access?
many thanks, L.
[Freeipa-users] Samba integration - in container ?
Hi guys.
I've only started playing with IPA containers and I wonder - has anybody done Samba integration in containers so that such a setup would be, is, production-ready?
One obvious "puzzle" - in my mind that is, as I have not tried it yet - would be data storage, both local & networked data storage, and hooking Samba - naturally - to it.
All thoughts & experience shared are much appreciated.
many thanks, L.
[Freeipa-users] Re: dns suddenly not happy with DNSSEC
On 29/05/2023 15:36, lejeczek via FreeIPA-users wrote:
> Hi guys.
> That is on the first master, which was happy for a short while and then suddenly:
> ...
> 29-May-2023 12:38:23.597 info: client @0x7f6484005538 127.0.0.1#43235 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
> 29-May-2023 12:39:08.518 info: client @0x7f64b0080088 127.0.0.1#48441 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
> and that is for any & every query. With given forwarders or no forwarders.
> Time is in sync, network works, everything else seems good too... and the second master/replica does not complain.
> What might the issue be (besides the obvious)?
> many thanks, L.

For those who may see, "suffer" the same issues or just be curious - I decided to file a BZ here:
https://github.com/freeipa/freeipa-container/issues/538
thanks, L.
[Freeipa-users] Re: dns suddenly not happy with DNSSEC
On 30/05/2023 10:43, Alexander Bokovoy wrote:
> On Mon, 29 May 2023, lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> That is on the first master, which was happy for a short while and then suddenly:
>> ...
>> 29-May-2023 12:38:23.597 info: client @0x7f6484005538 127.0.0.1#43235 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
>> 29-May-2023 12:39:08.518 info: client @0x7f64b0080088 127.0.0.1#48441 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
>> and that is for any & every query. With given forwarders or no forwarders.
>> Time is in sync, network works, everything else seems good too... and the second master/replica does not complain.
>> What might the issue be (besides the obvious)?
>
> The obvious part is described in the error message: you have a broken DNSSEC trust chain for onet.pl and that causes the issue because you have DNSSEC validation enabled.

Yes, that part is obvious - perhaps I did a poor job formulating my question - this is a fresh new IPA installation of the first master (in a container), which master worked for a short while - meanwhile I did add a replica to the domain - and then... this.
Like I said - every query, every domain, DNSSEC fails that same way! on that first master, whereas... the second master continues to be a-okay.
There is nothing else I can think of that happened to that master - one more thing I did was a backup on that master - before DNS broke.
One conspiracy theory, the only one I can come up with, is - could a broken replication have affected the newly set up master? -> another domain's one master had 'ipa-healthcheck' reporting some troubles, mentioning the host-name of that new domain's first-master-fqdn, which was before a member of an already existing domain.
I'm going to redeploy from new to see if that conspiracy theory - now that the already existing domain is free from 'healthcheck' complaints - might bear any substance.
[Freeipa-users] Re: repl conflict which is not there - ?
On 30/05/2023 08:21, Florence Blanc-Renaud wrote:
> Hi,
>
> On Fri, May 26, 2023 at 10:26 PM lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> for what 'ipa-healthcheck' complains of:
>> {
>>   "source": "ipahealthcheck.ds.replication",
>>   "check": "ReplicationCheck",
>>   "result": "WARNING",
>>   "uuid": "720d7af6-5a11-486f-a610-f6f06ec4d9e2",
>>   "when": "20230526202306Z",
>>   "duration": "0.054683",
>>   "kw": {
>>     "key": "DSREPLLE0002",
>>     "items": [ "Replication", "Conflict Entries" ],
>>     "msg": "There were 1 conflict entries found under the replication suffix \"o=ipaca\"."
>>   }
>> },
>> an old trick finds no culprit:
>> -> $ ldapsearch -LLL -H ldaps://$(hostname) -Y GSSAPI -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
>> SASL/GSSAPI authentication started
>> SASL username: ad...@mine.priv
>> SASL SSF: 256
>> SASL data security layer installed.
>
> Re-try the same command but without the -Y GSSAPI option (otherwise if you have an admin kerberos ticket, the operation is performed as admin instead of Directory Manager and the ACIs may hide some entries).
>
> HTH,
> flo

right... man! thank you.
(should the same apply to any other manual ldap operation, outside of ipa-tools?)
[Freeipa-users] dns suddenly not happy with DNSSEC
Hi guys.
That is on the first master, which was happy for a short while and then suddenly:
...
29-May-2023 12:38:23.597 info: client @0x7f6484005538 127.0.0.1#43235 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:08.518 info: client @0x7f64b0080088 127.0.0.1#48441 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
and that is for any & every query. With given forwarders or no forwarders.
Time is in sync, network works, everything else seems good too... and the second master/replica does not complain.
What might the issue be (besides the obvious)?
many thanks, L.
[Freeipa-users] Re: container IPA fine but only until host's reboot
> /etc/dirsrv/slapd-MINE-PRIV/ is not writable with a permission error. I'd start there.
>
> rob

ah... yes, I saw those but did not understand why; after a good night's sleep... to share (the obvious): mind your other stuff/tools (at host) traversing those paths.
thanks! L.
[Freeipa-users] container IPA fine but only until host's reboot
Hi guys.
I've a replica in a container which deploys & works seemingly a-okay; a container reboot is not detrimental to IPA, yet a host reboot seems to break LDAP down.
Both container and host are up to date CentOS 9; it's a rootful container.
So far - several times - it reproduces each time - I can remove the "broken" container, re-create anew, it works, then the host reboots and ... a bummer.
Anybody seen this or similar issues?
Log snippets:
-> $ ipactl restart
Starting Directory Service
Failed to start Directory Service: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv@MINE-PRIV.service'] returned non-zero exit status 1)

Starting 389 Directory Server MINE-PRIV
dirsrv@MINE-PRIV.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
dirsrv@MINE-PRIV.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
dirsrv@MINE-PRIV.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
[25/May/2023:20:38:08.747319489 +] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will likely fail
[25/May/2023:20:38:08.752730373 +] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-MINE-PRIV] - SSL initialization will likely fail
[25/May/2023:20:38:08.768566520 +] - ERR - Security Initialization - SSL failure: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): certdir: /etc/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.770531395 +] - ERR - force_to_disable_security - ERROR: NSS Initialization Failed. Disabling NSS.
[25/May/2023:20:38:08.772440575 +] - ERR - set_workingdir - detach: failed to chdir to /var/log/dirsrv/slapd-MINE-PRIV
[25/May/2023:20:38:08.774326540 +] - ERR - set_workingdir - detach: set workingdir failed with "Working directory "/" is not writeable."
[25/May/2023:20:38:08.776402306 +] - INFO - main - 389-Directory/2.2.4 B2022.347. starting up
[25/May/2023:20:38:08.778279795 +] - INFO - main - Setting the maximum file descriptor limit to: 1024
[25/May/2023:20:38:08.780257034 +] - ERR - fedse_create_startOK - Cannot copy DSE file "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif" to "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.startOK" OS error 13 (Permission denied)
[25/May/2023:20:38:08.78230 +] - ERR - dse_write_file_nolock - Cannot open temporary DSE file "/etc/dirsrv/slapd-MINE-PRIV/dse.ldif.tmp" for update: OS error 13 (Permission denied)
[25/May/2023:20:38:08.787607325 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.789526243 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.791436584 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.793404806 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.795305449 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.797253522 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.799164114 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.801065298 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.803027158 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.804938281 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.806866727 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.808871438 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.810796257 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.812761433 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.814675903 +] - ERR - PBKDF2_SHA256 - Unable to generate algorithm ID.
[25/May/2023:20:38:08.816595692 +] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[25/May/2023:20:38:08.818568974 +] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 12000 rounds
[25/May/2023:20:38:08.822101547 +] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[25/May/2023:20:38:08.824226177 +] - INFO - ldbm_instance_config_set - instance: userRoot attr aci
[25/May/2023:20:38:08.826218264 +] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-cachesize
[25/May/2023:20:38:08.828147422 +] - INFO - ldbm_instance_config_set - instance: userRoot attr nsslapd-cachememsize
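The log above fails in two ways that Rob's reply points at: the NSS database files are not found in /etc/dirsrv/slapd-MINE-PRIV, and the server cannot write there (dse.ldif.startOK, dse.ldif.tmp) or chdir into its log directory. The following is an added example, not FreeIPA or 389-ds code: a preflight check that inspects exactly those things for the account ns-slapd runs as and reports every blocker before `ipactl start` is attempted, which makes it usable as a container health check or a post-reboot test on the host. The uid/gid of the dirsrv user, the instance name and the optional root prefix (so it can be pointed at a test tree or a bind-mounted volume) are supplied by the caller; the service user is assumed to be named dirsrv when none is given.

```python
# Added example, not FreeIPA or 389-ds code. Preflight for the start-up
# failure in this thread: checks that the instance's config and log
# directories exist and are writable by the dirsrv account, and that dse.ldif
# and the NSS database files are present. Nothing is started or modified.
import os
import pwd
import stat
import sys
from pathlib import Path

NSS_DB_FILES = ("cert9.db", "key4.db")   # sqlite NSS db; cert8.db/key3.db is the legacy dbm pair


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Classic Unix mode check for the given uid/gid; root bypasses mode bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_instance(instance: str, uid: int, gid: int, root: Path = Path("/")) -> list[str]:
    """Return the problems that would stop dirsrv@<instance> from starting; empty means clean.
    'root' is a prefix so the same check can run against a test tree or a mounted volume."""
    problems: list[str] = []
    conf = root / "etc/dirsrv" / f"slapd-{instance}"
    logs = root / "var/log/dirsrv" / f"slapd-{instance}"

    # ns-slapd rewrites dse.ldif through dse.ldif.tmp / dse.ldif.startOK and
    # chdirs to the log directory at start, so both must be writable directories.
    for d in (conf, logs):
        if not d.is_dir():
            problems.append(f"{d}: directory missing")
            continue
        st = d.stat()
        if not writable_by(st, uid, gid):
            problems.append(f"{d}: not writable by uid {uid} "
                            f"(owner {st.st_uid}:{st.st_gid}, mode {stat.filemode(st.st_mode)})")

    # Without cert9.db/key4.db NSS init fails and the server comes up without TLS,
    # which is the CRIT/ERR 'Security Initialization' block in the log.
    if conf.is_dir():
        for name in ("dse.ldif",) + NSS_DB_FILES:
            if not (conf / name).is_file():
                problems.append(f"{conf / name}: missing")
    return problems


if __name__ == "__main__":
    # usage: dirsrv_preflight.py MINE-PRIV [dirsrv-user]   (run as root)
    instance = sys.argv[1]
    pw = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "dirsrv")
    found = check_instance(instance, pw.pw_uid, pw.pw_gid)
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

Run it after a host reboot, before `ipactl start`: a non-empty report is the "Permission denied" failure waiting to happen, and the owner/mode it prints tells you which host-side tool, as the follow-up in this thread suggests, re-wrote the ownership or mode of the bind-mounted path.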
[Freeipa-users] 'del' removes replica/tion but keeps all DNS record in - ?
Hi guys.
With a forceful removal of a replica with 'ipa-replica-manage', such replica/tion gets removed but all DNS records - of which 'ipa-healthcheck' complains - remain intact.
Is that normal & expected?
many thanks, L.
[Freeipa-users] Re: ipa: ERROR: No valid Negotiate header - from/in container replica
On 25/05/2023 11:58, lejeczek via FreeIPA-users wrote:
> Hi guys.
> This is my first trial/test of replicas in a container - here I added a replica to an already existing, bare-metal IPA domain, which otherwise works a-okay - so numerous issues are possible.
> In the container, only in this replica, I get:
> bash-5.1# ipa dnszone-find
> ipa: ERROR: No valid Negotiate header in server response
> What that is, might be, a symptom of? Where to go with troubleshooting?
> All thoughts shared are much appreciated.
> many thanks, L.

for experts, a bit more debug:
-> $ ipa --debug dnszone-find
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'ad...@mine.priv'
ipa: DEBUG: trying https://swir-ipa.mine.priv/ipa/json
ipa: DEBUG: New HTTP connection (swir-ipa.mine.priv)
ipa: DEBUG: HTTP connection destroyed (swir-ipa.mine.priv)
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 724, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python3.9/site-packages/ipalib/rpc.py", line 673, in _auth_complete
    raise errors.KerberosError(
ipalib.errors.KerberosError: No valid Negotiate header in server response
ipa: ERROR: No valid Negotiate header in server response

-> $ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@mine.priv

Valid starting       Expires              Service principal
05/25/23 09:46:11    05/26/23 09:40:03    krbtgt/mine.p...@mine.priv
05/25/23 09:47:45    05/26/23 09:40:03    HTTP/swir-ipa.mine.p...@mine.priv
[Freeipa-users] ipa: ERROR: No valid Negotiate header - from/in container replica
Hi guys.
This is my first trial/test of replicas in a container - here I added a replica to an already existing, bare-metal IPA domain, which otherwise works a-okay - so numerous issues are possible.
In the container, only in this replica, I get:
bash-5.1# ipa dnszone-find
ipa: ERROR: No valid Negotiate header in server response
What that is, might be, a symptom of? Where to go with troubleshooting?
All thoughts shared are much appreciated.
many thanks, L.
[Freeipa-users] control PKI (& other relevant listened-on address/interface - ?
Hi.
Having more ifaces added to the system, I have had the http/www portion of IPA run on specific - as opposed to all/any - IP addresses, perfectly and problem-free.
I need to do the same with the remaining bits but have to start with :8443, which I believed was Tomcat, so I did add 'address' into 'server.xml' in /usr/share/tomcat/conf/ but that is not doing it?
Where, which bits have to change - even if against best practice & IPA recommendation - to make those IPA components bind to specific ifaces/IP addresses?
many thanks, L.
[Freeipa-users] Re: http redirect rules - ?
On 17/05/2023 16:15, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> With the default/main redirect rule removed/disabled, when I go to:
>> https://swir.mine.priv/ipa
>> I get a broken anchor page (the thumbnail is not there); that URI/link points to:
>> https://swir.mine.priv/ui/index.html
>> which, obviously(?), is not there, does not exist.
>> Would there not be a safe redir rule to fix that? And if so, then why (@devel) not have it included in the vanilla-default configs?
>
> We need specifics. What exactly did you change AND what is the purpose? What are you trying to accomplish?
>
> rob

Only & purely what is the vanilla-default config which IPA puts in - I understand it does - I'm talking about. In: ipa-rewrite.conf, if the first rule is commented out - as the notes in the file explain - then what I described above happens.

I'd think it would still be desirable to have a working site - as opposed to an anchor with an invalid URI - on that very first page when one manually goes to: https://swir.mine.priv/ipa even though one can manually go to: https://swir.mine.priv/ipa/ui/ which works.
[Freeipa-users] http redirect rules - ?
Hi guys.

With the default/main redirect rule removed/disabled, when I go to:
https://swir.mine.priv/ipa
I get a broken anchor page (the thumbnail is not there); that URI/link points to:
https://swir.mine.priv/ui/index.html
which, obviously(?), is not there, does not exist.

Would there not be a safe redir rule to fix that? And if so, then why (@devel) not have it included in the vanilla-default configs?

many thanks, L.
[Freeipa-users] backup & restore - 4.9.11 -> 4.10.1
Hi guys.

I'm trying to migrate IPA from CentOS 8 over to CentOS 9 but I fail. If the path I try is supported & should work, then, first, 'restore' failed with:

...
Restoring umask to 18
CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: 'IPA version error: data needs to be upgraded (expected version \'4.10.1-6.el9\', current version \'4.9.8-7.module_el8.6.0+1103+a004f6a8\')\nAutomatically running upgrade, for details see /var/log/ipaupgrade.log\nBe patient, this may take a few minutes.\nAutomatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.\nError caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.\nUpdate complete\nUpgrading the configuration of the IPA services\n[Verifying that root certificate is published]\n[Migrate CRL publish directory]\nPublish directory already set to new location\nForcing update of template /usr/share/ipa/ipa-pki-proxy.conf.template\nUpgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 17\n[Ensuring ephemeralRequest is enabled in KRA]\nephemeralRequest is already enabled\n[Verifying that KDC configuration is using ipa-kdb backend]\n[Fix DS schema file syntax]\n[Removing RA cert from DS NSS database]\n[Enable sidgen and extdom plugins by default]\n[Updating HTTPD service IPA configuration]\n[Updating HTTPD service IPA WSGI configuration]\nNothing to do for configure_httpd_wsgi_conf\n[Migrating from mod_nss to mod_ssl]\nAlready migrated to mod_ssl\n[Moving HTTPD service keytab to gssproxy]\n[Removing self-signed CA]\n[Removing Dogtag 9 CA]\n[Set OpenSSL engine for BIND]\n[Checking for deprecated KDC configuration files]\n[Checking for deprecated backups of Samba configuration files]\ndnssec-validation yes\n[Add missing CA DNS records]\nunable to resolve host name c8kubermaster1.private.lot. to IP address, ipa-ca DNS record will be incomplete\nIPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.\nUnexpected error - see /var/log/ipaupgrade.log for details:\nCalledProcessError: CalledProcessError(Command [\'/bin/systemctl\', \'start\', \'named.service\'] returned non-zero exit status 1: \'Job for named.service failed because the control process exited with error code.\\nSee "systemctl status named.service" and "journalctl -xeu named.service" for details.\\n\')\nThe ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information\n\nSee the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again\nAborting ipactl\n')

so I try:

-> $ ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv@PRIVATE-LOT.service'] returned non-zero exit status 1: 'Job for dirsrv@PRIVATE-LOT.service failed because a fatal signal was delivered causing the control process to dump core.\nSee "systemctl status dirsrv@PRIVATE-LOT.service" and "journalctl -xeu dirsrv@PRIVATE-LOT.service" for details.\n')
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv@PRIVATE-LOT.service'] returned non-zero exit status 1: 'Job for dirsrv@PRIVATE-LOT.service failed because a fatal signal was delivered causing the control process to dump core.\nSee "systemctl status dirsrv@PRIVATE-LOT.service" and "journalctl -xeu dirsrv@PRIVATE-LOT.service" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

-> $ journalctl -lf -u dirsrv@PRIVATE-LOT.service
Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.748676397 +] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=private,dc=lot--no CoS Templates found, which should be added before the CoS Definition.
Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.764528091 +] - ERR - libdb - BDB2506 file userRoot/replication_changelog.db has LSN 12/7510992, past end of log at 12/2536210
Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]: [17/Mar/2023:16:19:03.768119982 +] - ERR - libdb - BDB2507 Commonly caused by moving a database from one database environment
Mar 17 16:19:03 c8kubermaster2.private.lot ns-slapd[14967]:
[Freeipa-users] Re: idranges & NT_STATUS_NO_IMPERSONATION_TOKEN - ?
On 05/12/2022 15:01, lejeczek via FreeIPA-users wrote:
> Hi Gents.
> I have a user with a UID of 57500500 and Samba's clients would fail with:
> NT_STATUS_NO_IMPERSONATION_TOKEN
> while trying to connect/authenticate. There was no idrange in the domain for that ID, so I created one:
> ...
> Range name: CCN.PRIVATE_id_range
> First Posix ID of the range: 5740
> Number of IDs in the range:
> First RID of the corresponding RID range: 5740
> First RID of the secondary RID range: 5740
> Range type: local domain range
> and
> -> $ ipa-replica-manage dnarange-show
> drunk.in.ccn: 5740-5740
> sucker.in.ccn: 1600700501-16007
> but I still cannot samba-connect to the service/server; it still fails with the same error.
> Would you know what is wrong and/or what I'm missing - all thoughts shared are much appreciated.
> many thanks, L.

Perhaps I was wrong to assume that it had to do with 'idranges'? I assumed that because other users, when they are created without '--uid', do connect to Samba services perfectly fine.

many thanks, L.
[Freeipa-users] idranges & NT_STATUS_NO_IMPERSONATION_TOKEN - ?
Hi Gents.

I have a user with a UID of 57500500 and Samba's clients would fail with:
NT_STATUS_NO_IMPERSONATION_TOKEN
while trying to connect/authenticate. There was no idrange in the domain for that ID, so I created one:

...
Range name: CCN.PRIVATE_id_range
First Posix ID of the range: 5740
Number of IDs in the range:
First RID of the corresponding RID range: 5740
First RID of the secondary RID range: 5740
Range type: local domain range

and

-> $ ipa-replica-manage dnarange-show
drunk.in.ccn: 5740-5740
sucker.in.ccn: 1600700501-16007

but I still cannot samba-connect to the service/server; it still fails with the same error.

Would you know what is wrong and/or what I'm missing - all thoughts shared are much appreciated.

many thanks, L.
[Freeipa-users] Re: more rpm conflicts on CentOS
On 08/08/2022 08:45, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2022, lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> Is this the Samba end of packages having issues (again)?
>> -> $ dnf update
>> Last metadata expiration check: 0:08:36 ago on Mon 08 Aug 2022 08:14:21 BST.
>> Error:
>>  Problem 1: package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed
>
> This is a known issue. It should clear itself once ipa-server 4.9.10+ packages go through the verification. IPA uses one of the internal Samba libraries and this library did change a soname in an update. My colleagues did not complete the rebuild in a side-tag (there were some infra issues to get two side-tags to work properly for the modular rebuild), so it was decided to get Samba gated first and then do a normal rebuild of IPA packages. The latter build is currently ongoing bugs verification from the QE side.

This is still not resolved, right? I wonder, for it's been a while, and wonder whether perhaps my dnf repo caches, proxies, etc. do not keep up.

many thanks, L.

>>   - package libsmbclient-4.16.4-1.el8.x86_64 requires libsamba-debug-samba4.so(SAMBA_4.16.4_SAMBA4)(64bit), but none of the providers can be installed
>>   - package libsmbclient-4.16.4-1.el8.x86_64 requires libsmbconf.so.0(SMBCONF_0.0.1)(64bit), but none of the providers can be installed
>> and also, I wonder why a "regular" package would want to depend on a debug package - that should not be needed normally.
>
> It is not a debug package, it is an internal Samba library that contains facilities to process various levels of logging, expanding log lines with additional details when debug log levels are requested at runtime.
[Freeipa-users] Re: Access denied for uid [389]
On 15/08/2022 06:16, Sumit Bose wrote:
> On Sun, Aug 14, 2022 at 04:34:30PM +0100, lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> The domain seems to function okay, 'healthcheck' reports no issues, but these begin to worry me, from sssd_pac.log
>> ...
>> (2022-08-14 16:19:52): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
>>    *  ... skipping repetitive backtrace ...
>> (2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
>>    *  ... skipping repetitive backtrace ...
>> (2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
>>    *  ... skipping repetitive backtrace ...
>> (2022-08-14 16:20:00): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
>
> Hi,
>
> you can allow 389ds to send the PAC to SSSD by setting
>
>     allowed_uids = 0, 389
>
> in the [pac] section of sssd.conf, see man sssd.conf for details. SSSD can use the PAC to determine group-memberships of a user and since we do not want that any process can tinker with the group-memberships we allow access only from "trusted" UIDs.

Okay, so is the fact that it's dirsrv itself that wants something which makes SSSD not happy "abnormal", unexpected, and dirsrv is not such a "trusted" process/id? I'm not doing anything fancy - it's a "standard" deployment with Samba.

many thanks, L.

> HTH
>
> bye,
> Sumit
>
>> and this log is quite busy. What is that a symptom of and should that be a worry?
>> many thanks, L.
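As an added example (not code from the thread, from SSSD or from FreeIPA), a small Python triage script that counts the "Access denied for uid [N]" lines above per UID, compares them with the allowed_uids setting of the [pac] section of an sssd.conf, and produces the corrected value in the form Sumit's reply gives. It assumes that an absent allowed_uids means only root (uid 0) is trusted; the log lines and sssd.conf fragments are constructed sample input.

```python
"""Triage helper for the sssd_pac.log 'Access denied for uid [N]' symptom.

Added example, not code from the thread, from SSSD or from FreeIPA.
Assumption: when [pac] has no allowed_uids, only root (uid 0) is trusted.
"""
import configparser
import re
from collections import Counter

# One denial line from sssd_pac.log, as quoted in the thread:
# (2022-08-14 16:19:52): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
DENIED_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[pac\] \[accept_fd_handler\] \(0x0020\): "
    r"Access denied for uid \[(?P<uid>\d+)\]\.",
    re.MULTILINE,
)

# Constructed sample input: the four lines from the original post plus the
# "skipping repetitive backtrace" filler SSSD prints between them.
SAMPLE_LOG = """\
(2022-08-14 16:19:52): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
   *  ... skipping repetitive backtrace ...
(2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
   *  ... skipping repetitive backtrace ...
(2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
   *  ... skipping repetitive backtrace ...
(2022-08-14 16:20:00): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
"""

# Constructed sssd.conf fragments: a [pac] section without allowed_uids,
# and the same file after applying the setting from the reply.
CONF_BEFORE = """\
[sssd]
services = nss, pam, pac
domains = example.test

[pac]
"""

CONF_AFTER = CONF_BEFORE + "allowed_uids = 0, 389\n"


def denied_uids(log_text):
    """Map each UID the PAC responder rejected to its number of denials."""
    return Counter(int(m.group("uid")) for m in DENIED_RE.finditer(log_text))


def pac_allowed_uids(conf_text, default=(0,)):
    """Return (numeric UIDs, user names) listed in [pac] allowed_uids.

    allowed_uids may mix numeric UIDs and user names; names are returned
    separately because resolving them needs the host's user database.
    With no [pac] section or no allowed_uids key, the assumed default
    (root only) applies.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("pac", "allowed_uids", fallback=None)
    if raw is None:
        return set(default), set()
    uids, names = set(), set()
    for item in raw.split(","):
        item = item.strip()
        if item.isdigit():
            uids.add(int(item))
        elif item:
            names.add(item)
    return uids, names


def triage(log_text, conf_text):
    """List (uid, denials, allowed) for every UID seen denied in the log."""
    uids, _names = pac_allowed_uids(conf_text)
    counts = denied_uids(log_text)
    return [(uid, counts[uid], uid in uids) for uid in sorted(counts)]


def fixed_allowed_uids(conf_text, log_text):
    """allowed_uids value that keeps the trusted set and adds every denied UID."""
    uids, names = pac_allowed_uids(conf_text)
    uids |= set(denied_uids(log_text))
    return ", ".join([str(u) for u in sorted(uids)] + sorted(names))


if __name__ == "__main__":
    for uid, count, allowed in triage(SAMPLE_LOG, CONF_BEFORE):
        state = "allowed" if allowed else "NOT in [pac] allowed_uids"
        print(f"uid {uid}: {count} denials, {state}")
    print("suggested [pac] allowed_uids =", fixed_allowed_uids(CONF_BEFORE, SAMPLE_LOG))
    # With the setting from the reply applied, the same log no longer flags uid 389.
    print(triage(SAMPLE_LOG, CONF_AFTER))
```

On a real host, read SAMPLE_LOG from /var/log/sssd/sssd_pac.log and the configuration from /etc/sssd/sssd.conf; a denied UID that is not 389 (dirsrv) deserves a look before it is added to the trusted set.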
[Freeipa-users] Access denied for uid [389]
Hi guys.

The domain seems to function okay, 'healthcheck' reports no issues, but these begin to worry me, from sssd_pac.log

...
(2022-08-14 16:19:52): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
   *  ... skipping repetitive backtrace ...
(2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
   *  ... skipping repetitive backtrace ...
(2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].
   *  ... skipping repetitive backtrace ...
(2022-08-14 16:20:00): [pac] [accept_fd_handler] (0x0020): Access denied for uid [389].

and this log is quite busy. What is that a symptom of and should that be a worry?

many thanks, L.
[Freeipa-users] more rpm conflicts on CentOS
Hi guys.

Is this the Samba end of packages having issues (again)?

-> $ dnf update
Last metadata expiration check: 0:08:36 ago on Mon 08 Aug 2022 08:14:21 BST.
Error:
 Problem 1: package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.2-1.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.13.3-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.4-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-2.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.3-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.4-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-5.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-8.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.1-0.el8.x86_64
  - cannot install the best update candidate for package samba-client-libs-4.16.2-1.el8.x86_64
  - cannot install the best update candidate for package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
 Problem 2: problem with installed package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64
  - package ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8.x86_64 requires libsmbconf.so.0(SMBCONF_0)(64bit), but none of the providers can be installed
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.2-1.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.13.3-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.4-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.14.5-2.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.3-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.4-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-0.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-3.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-4.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-5.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.15.5-8.el8.x86_64
  - cannot install both samba-client-libs-4.16.4-1.el8.x86_64 and samba-client-libs-4.16.1-0.el8.x86_64
  - package libsmbclient-4.16.4-1.el8.x86_64 requires libsamba-debug-samba4.so(SAMBA_4.16.4_SAMBA4)(64bit), but none of the providers can be installed
  - package libsmbclient-4.16.4-1.el8.x86_64 requires libsmbconf.so.0(SMBCONF_0.0.1)(64bit), but none of the providers can be installed

and also, I wonder why a "regular" package would want to depend on a debug package - that should not be needed normally.

many thanks, L.
[Freeipa-users] who killed SSSD - ?
Hi guys.

One of the masters started recently to find SSSD dead and says the killer is the WATCHDOG - but I'm not sure about that. From sssd.log:

...
** BACKTRACE DUMP ENDS HERE *
(2022-07-21 7:11:01): [sssd] [svc_child_info] (0x0020): Child [991] ('pac':'pac') was terminated by own WATCHDOG
   *  ... skipping repetitive backtrace ...
(2022-07-21 7:11:14): [sssd] [svc_child_info] (0x0020): Child [984] ('abba.xx.priv.yy':'%BE_abba.xx.priv.yy') was terminated by own WATCHDOG
   *  ... skipping repetitive backtrace ...
(2022-07-21 7:11:14): [sssd] [svc_child_info] (0x0040): Child [9744] ('nss':'nss') exited with code [3]
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-07-21 7:11:14): [sssd] [sbus_dispatch_reconnect] (0x0400): Connection lost. Terminating active requests.
   *  (2022-07-21 7:11:14): [sssd] [sbus_dispatch_reconnect] (0x4000): Remote client terminated the connection. Releasing data...
   *  (2022-07-21 7:11:14): [sssd] [sbus_connection_free] (0x4000): Connection 0x5576314d9180 will be freed during next loop!
   *  (2022-07-21 7:11:14): [sssd] [mt_svc_restart] (0x0400): Scheduling service abba.xx.priv.yy for restart 1
   *  (2022-07-21 7:11:14): [sssd] [get_provider_config] (0x0100): Formed command '/usr/libexec/sssd/sssd_be --domain abba.xx.priv.yy --uid 0 --gid 0 --logger=files' for provider '%BE_abba.xx.priv.yy'
   *  (2022-07-21 7:11:14): [sssd] [start_service] (0x0100): Queueing service abba.xx.priv.yy for startup
   *  (2022-07-21 7:11:14): [sssd] [mt_svc_exit_handler] (0x1000): SIGCHLD handler of service nss called
   *  (2022-07-21 7:11:14): [sssd] [svc_child_info] (0x0040): Child [9744] ('nss':'nss') exited with code [3]
** BACKTRACE DUMP ENDS HERE *
(2022-07-21 7:11:14): [sssd] [svc_child_info] (0x0040): Child [9758] ('pac':'pac') exited with code [3]
   *  ... skipping repetitive backtrace ...
(2022-07-21 7:11:16): [sssd] [svc_child_info] (0x0040): Child [9876] ('nss':'nss') exited with code [3]
   *  ... skipping repetitive backtrace ...
(2022-07-21 7:11:16): [sssd] [svc_child_info] (0x0040): Child [9877] ('pac':'pac') exited with code [3]
   *  ... skipping repetitive backtrace ...
(2022-07-21 7:11:20): [sssd] [svc_child_info] (0x0040): Child [9903] ('nss':'nss') exited with code [3]
   *  ... skipping repetitive backtrace ...
(2022-07-21 7:11:20): [sssd] [monitor_restart_service] (0x0010): Process [nss], definitely stopped!
(2022-07-21 7:11:20): [sssd] [monitor_quit] (0x3f7c0): Returned with: 1
(2022-07-21 7:11:20): [sssd] [monitor_quit] (0x3f7c0): Terminating [pac][9904]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [pac] terminated with a signal
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Terminating [abba.xx.priv.yy][9875]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [abba.xx.priv.yy] exited gracefully
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Terminating [sudo][990]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [sudo] exited gracefully
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Terminating [ssh][989]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [ssh] exited gracefully
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Terminating [ifp][988]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [ifp] exited gracefully
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Terminating [pam][987]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [pam] exited gracefully
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Terminating [implicit_files][983]
(2022-07-21 7:11:21): [sssd] [monitor_quit] (0x3f7c0): Child [implicit_files] exited gracefully

This "death" happens randomly, well, to me at least. It can be just after a reboot or after several hours of uptime. There is more in the log files in /var/log/sssd, but before I clutter emails with more log snippets I was hoping some expert can share some thoughts.

many thanks, L.
[Freeipa-users] Re: keycloak - the other way around?
On 28/06/2022 07:08, Alexander Bokovoy wrote:
> On Mon, 27 Jun 2022, lejeczek via FreeIPA-users wrote:
>> On 09/11/2021 06:40, Alexander Bokovoy wrote:
>>> On Tue, 09 Nov 2021, Fraser Tweedale wrote:
>>>> On Mon, Nov 08, 2021 at 09:45:39PM +, lejeczek via FreeIPA-users wrote:
>>>>> Hi guys.
>>>>> I've only stumbled upon the whole Keycloak thing, thus go easy on me please. I wonder if Keycloak can be a "provider" to freeIPA in some way? One such scenario where I think Keycloak might be a golden egg - if it worked, that is - is as a "middle-man" for the user base between (or from/to) AD and freeIPA when a full & legit trust is not possible.
>>>>> Does that make sense?
>>>>> many thanks, L.
>>>>
>>>> Hi L,
>>>> It does make sense, and IIRC it is being worked on. That is, authenticating to a FreeIPA realm as "external identities" by way of SAML or OpenID Connect assertions.
>>>> Adding Alexander, who may be able to comment further.
>>>
>>> There is ongoing work to enable this feature. It is not ready yet for any testing as we had been distracted with more important work[1] recently. Hopefully, we'll get back to external IdP support[2] relatively soon.
>>>
>>> [1] https://lists.samba.org/archive/samba-technical/2021-November/136978.html
>>> [2] https://github.com/abbra/freeipa/blob/external-idp/doc/designs/external-idp/external-idp.md
>>
>> Hi guys.
>> I wonder if you have got any closer to perhaps some test/trial in some foreseeable future?
>
> It is part of the FreeIPA 4.9.10 release. Please see the release notes for additional details.

gee - like a baby needs little to feel excitement, I'll express mine quickly - fantastic! it's a new era! Guys (not only the IPA gang here but all involved).. you are the best.
Some schedule/guesstimate when it might land in c8s?

many! thanks, L
[Freeipa-users] Re: keycloak - the other way around?
On 09/11/2021 06:40, Alexander Bokovoy wrote:
> On Tue, 09 Nov 2021, Fraser Tweedale wrote:
>> On Mon, Nov 08, 2021 at 09:45:39PM +, lejeczek via FreeIPA-users wrote:
>>> Hi guys.
>>> I've only stumbled upon the whole Keycloak thing, thus go easy on me please. I wonder if Keycloak can be a "provider" to freeIPA in some way? One such scenario where I think Keycloak might be a golden egg - if it worked, that is - is as a "middle-man" for the user base between (or from/to) AD and freeIPA when a full & legit trust is not possible.
>>> Does that make sense?
>>> many thanks, L.
>>
>> Hi L,
>> It does make sense, and IIRC it is being worked on. That is, authenticating to a FreeIPA realm as "external identities" by way of SAML or OpenID Connect assertions.
>> Adding Alexander, who may be able to comment further.
>
> There is ongoing work to enable this feature. It is not ready yet for any testing as we had been distracted with more important work[1] recently. Hopefully, we'll get back to external IdP support[2] relatively soon.
>
> [1] https://lists.samba.org/archive/samba-technical/2021-November/136978.html
> [2] https://github.com/abbra/freeipa/blob/external-idp/doc/designs/external-idp/external-idp.md

Hi guys.

I wonder if you have got any closer to perhaps some test/trial in some foreseeable future?

thanks, L.
[Freeipa-users] Re: freeipa/certmonger for openvpn user certificates
On 27/06/2022 15:16, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> On 03/06/2019 05:19, Alexander Bokovoy via FreeIPA-users wrote:
>>> On Mon, 03 Jun 2019, Patrick Spinler via FreeIPA-users wrote:
>>>> Hi,
>>>> I'm setting up an openvpn server and I'd like to use our already existing FreeIPA CA to issue user keys/certs for openvpn's use. Since our OpenVPN box is a freeipa client, I thought it'd be nice to use certmonger to issue and keep up to date these certs.
>>>> Ergo, I've created a certificate profile:
>>>> pat@apex-freeipa ~$ ipa certprofile-show --all OpenVPNUserCert
>>>>   dn: cn=OpenVPNUserCert,cn=certprofiles,cn=ca,dc=int,dc=apexmw,dc=com
>>>>   Profile ID: OpenVPNUserCert
>>>>   Profile description: OpenVPN User Certificates
>>>>   Store issued certificates: FALSE
>>>>   objectclass: ipacertprofile, top
>>>> And also a CA acl. For experimentation (and working vs our test freeipa) I've left this as wide open as I can:
>>>> [pat@apex-freeipa ~]$ ipa caacl-show --all OpenVPN_User_Certificate_ACL
>>>>   dn: ipaUniqueID=6dde33a6-7849-11e9-aa05-525400b52c7b,cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com
>>>>   ACL name: OpenVPN_User_Certificate_ACL
>>>>   Enabled: TRUE
>>>>   CA category: all
>>>>   Profile category: all
>>>>   User category: all
>>>>   Host category: all
>>>>   Service category: all
>>>>   ipauniqueid: 6dde33a6-7849-11e9-aa05-525400b52c7b
>>>>   objectclass: ipaassociation, ipacaacl
>>>> Then, on my openvpn server, I ask for a cert for use for one of my users (myself, in this case):
>>>> root@apex-openvpn:~# ipa-getcert request -f /etc/openvpn/client/pat.crt -k /etc/openvpn/client/pat.key -r -N 'CN=pat,O=INT.APEXMW.COM' -K pat -g 4096 --profile OpenVPNUserCert
>>>> New signing request "20190603014016" added.
>>>> But, it fails due to an access err vs the 'userCertificate' attribute of my account:
>>>> root@apex-openvpn:~# ipa-getcert list
>>>> (...snippy snip excess...)
>>>> Request ID '20190603014016':
>>>>   status: CA_REJECTED
>>>>   ca-error: Server at https://apex-freeipa.int.apexmw.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com'.).
>>>>   stuck: yes
>>>>   key pair storage: type=FILE,location='/etc/openvpn/client/pat.key'
>>>>   certificate: type=FILE,location='/etc/openvpn/client/pat.crt'
>>>>   CA: IPA
>>>>   issuer:
>>>>   subject:
>>>>   expires: unknown
>>>>   pre-save command:
>>>>   post-save command:
>>>>   track: yes
>>>>   auto-renew: yes
>>>> If I look at the dirsrv log, here's the accesses I see for this request (trimmed off the date/time to make the lines a _little_ shorter):
>>>> root@apex-freeipa slapd-INT-APEXMW-COM# grep conn=178 access | cut -d' ' -f3-
>>>> conn=178 fd=114 slot=114 connection from 10.10.200.1 to 10.10.200.1
>>>> conn=178 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
>>>> conn=178 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0025554208 dn="fqdn=apex-openvpn.int.apexmw.com,cn=computers,cn=accounts,dc=int,dc=apexmw,dc=com"
>>>> conn=178 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>> conn=178 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001319554
>>>> conn=178 op=2 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
>>>> conn=178 op=2 RESULT err=0 tag=101 nentries=1 etime=0.979573
>>>> conn=178 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
>>>> conn=178 op=3 RESULT err=0 tag=101 nentries=1 etime=0.736730
>>>> conn=178 op=4 SRCH base="cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaca)(cn=ipa))" attrs=""
>>>> conn=178 op=4 RESULT err=0 tag=101 nentries=1 etime=0.499142
>>>> conn=178 op=5 SRCH base="cn=ipa,cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaCaId ipaCaSubjectDN cn ipaCaIssuerDN description"
>>>> conn=178 op=5 RESULT err=0 tag=101 nentries=1 etime=0.482726
>>>> conn=178 op=6 SRCH base="cn=apex-freeipa.int.apexmw.com,cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(ipaConfigString=enabledService)(cn=CA))" attrs=ALL
>>>> conn=178 op=6 RESULT err=0 tag=101 nentries=1 etime=0.950646 notes=U
>>>> conn=178 op=7 SRCH base="cn=accounts,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=p...@int.apexmw.com))" attrs=ALL
>>>> conn=178 op=7 RESULT err=0 tag=101 nentries=1 etime=0.0002747849
>>>> conn=178 op=8 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
>>>> conn=178 op=8 RESULT err=0 tag=120 nentries=0 etime=0.135034
>>>> conn=178 op=9 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs=&
[Freeipa-users] Re: freeipa/certmonger for openvpn user certificates
On 03/06/2019 05:19, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 03 Jun 2019, Patrick Spinler via FreeIPA-users wrote:
> > Hi,
> >
> > I'm setting up an openvpn server and I'd like to use our already existing FreeIPA CA to issue user keys/certs for openvpn's use. Since our OpenVPN box is a freeipa client, I thought it'd be nice to use certmonger to issue and keep up to date these certs.
> >
> > Ergo, I've created a certificate profile:
> >
> > pat@apex-freeipa ~$ ipa certprofile-show --all OpenVPNUserCert
> >   dn: cn=OpenVPNUserCert,cn=certprofiles,cn=ca,dc=int,dc=apexmw,dc=com
> >   Profile ID: OpenVPNUserCert
> >   Profile description: OpenVPN User Certificates
> >   Store issued certificates: FALSE
> >   objectclass: ipacertprofile, top
> >
> > And also a CA acl. For experimentation (and working vs our test freeipa) I've left this as wide open as I can:
> >
> > [pat@apex-freeipa ~]$ ipa caacl-show --all OpenVPN_User_Certificate_ACL
> >   dn: ipaUniqueID=6dde33a6-7849-11e9-aa05-525400b52c7b,cn=caacls,cn=ca,dc=int,dc=apexmw,dc=com
> >   ACL name: OpenVPN_User_Certificate_ACL
> >   Enabled: TRUE
> >   CA category: all
> >   Profile category: all
> >   User category: all
> >   Host category: all
> >   Service category: all
> >   ipauniqueid: 6dde33a6-7849-11e9-aa05-525400b52c7b
> >   objectclass: ipaassociation, ipacaacl
> >
> > Then, on my openvpn server, I ask for a cert for use for one of my users (myself, in this case):
> >
> > root@apex-openvpn:~# ipa-getcert request -f /etc/openvpn/client/pat.crt -k /etc/openvpn/client/pat.key -r -N 'CN=pat,O=INT.APEXMW.COM' -K pat -g 4096 --profile OpenVPNUserCert
> > New signing request "20190603014016" added.
> >
> > But, it fails due to an access err vs the 'userCertificate' attribute of my account:
> >
> > root@apex-openvpn:~# ipa-getcert list
> > (...snippy snip excess...)
> > Request ID '20190603014016':
> >   status: CA_REJECTED
> >   ca-error: Server at https://apex-freeipa.int.apexmw.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com'.).
> >   stuck: yes
> >   key pair storage: type=FILE,location='/etc/openvpn/client/pat.key'
> >   certificate: type=FILE,location='/etc/openvpn/client/pat.crt'
> >   CA: IPA
> >   issuer:
> >   subject:
> >   expires: unknown
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> >
> > If I look at the dirsrv log, here's the accesses I see for this request (trimmed off the date/time to make the lines a _little_ shorter):
> >
> > root@apex-freeipa slapd-INT-APEXMW-COM# grep conn=178 access | cut -d' ' -f3-
> > conn=178 fd=114 slot=114 connection from 10.10.200.1 to 10.10.200.1
> > conn=178 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
> > conn=178 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0025554208 dn="fqdn=apex-openvpn.int.apexmw.com,cn=computers,cn=accounts,dc=int,dc=apexmw,dc=com"
> > conn=178 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> > conn=178 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001319554
> > conn=178 op=2 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
> > conn=178 op=2 RESULT err=0 tag=101 nentries=1 etime=0.979573
> > conn=178 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
> > conn=178 op=3 RESULT err=0 tag=101 nentries=1 etime=0.736730
> > conn=178 op=4 SRCH base="cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaca)(cn=ipa))" attrs=""
> > conn=178 op=4 RESULT err=0 tag=101 nentries=1 etime=0.499142
> > conn=178 op=5 SRCH base="cn=ipa,cn=cas,cn=ca,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaCaId ipaCaSubjectDN cn ipaCaIssuerDN description"
> > conn=178 op=5 RESULT err=0 tag=101 nentries=1 etime=0.482726
> > conn=178 op=6 SRCH base="cn=apex-freeipa.int.apexmw.com,cn=masters,cn=ipa,cn=etc,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(ipaConfigString=enabledService)(cn=CA))" attrs=ALL
> > conn=178 op=6 RESULT err=0 tag=101 nentries=1 etime=0.950646 notes=U
> > conn=178 op=7 SRCH base="cn=accounts,dc=int,dc=apexmw,dc=com" scope=2 filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=p...@int.apexmw.com))" attrs=ALL
> > conn=178 op=7 RESULT err=0 tag=101 nentries=1 etime=0.0002747849
> > conn=178 op=8 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
> > conn=178 op=8 RESULT err=0 tag=120 nentries=0 etime=0.135034
> > conn=178 op=9 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass"
> > conn=178 op=9 RESULT err=0 tag=101 nentries=1 etime=0.932668 - entryLevelRights: none
> > conn=178 op=10 SRCH base="uid=pat,cn=users,cn=accounts,dc=int,dc=apexmw,dc=com" scope=0 filter="(objectClass=*)" attrs="distinguishedName"
> > conn=178 op=10 RESULT err=0 tag=101
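The grep over the dirsrv access log above is the usual first step when a request is denied: find the connection, see which identity it bound as (for a SASL/GSSAPI bind the mapped DN is on the op=0 RESULT line, not the BIND line) and which operations the server refused. The following is an added example, not code from the thread or from FreeIPA, that does that bookkeeping for a whole log instead of one grep. The log lines it contains are constructed to follow the format shown above, with made-up connection numbers, DNs and addresses; the err=50 (LDAP insufficientAccessRights) on the MOD is there to show how a refusal surfaces in this log, and is not the error from the poster's log, where the denial came back as an IPA RPC error.

```python
"""Summarise 389-ds (dirsrv) access-log lines per connection: who bound, which
operations ran, and which of them the server refused.

Added example, not from the thread or the FreeIPA project.  The log lines are
constructed to mimic the format shown in the thread; connection numbers, DNs
and addresses are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample.  Timestamps are already stripped, as the poster did with
# "cut -d' ' -f3-".  conn=201 binds as a host principal, reads a user entry and
# is then refused a MOD on it (err=50 is LDAP insufficientAccessRights);
# conn=202 is a simple bind that fails (err=49, invalidCredentials).
SAMPLE_LOG = """\
conn=201 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
conn=201 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
conn=201 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002 dn="fqdn=vpn.example.test,cn=computers,cn=accounts,dc=example,dc=test"
conn=201 op=1 SRCH base="uid=alice,cn=users,cn=accounts,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="distinguishedName"
conn=201 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001
conn=201 op=2 MOD dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test"
conn=201 op=2 RESULT err=50 tag=103 nentries=0 etime=0.001
conn=202 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
conn=202 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
conn=202 op=0 RESULT err=49 tag=97 nentries=0 etime=0.010
"""

LINE_RE = re.compile(r"^conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<detail>.*))?$")
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')


@dataclass
class Operation:
    op: int
    kind: str            # BIND, SRCH, MOD, EXT, ... ("?" if only the RESULT was seen)
    detail: str
    err: Optional[int] = None   # filled in from the matching RESULT line


@dataclass
class Connection:
    conn: int
    client: str = ""      # address from the "connection from" line
    bound_as: str = ""    # DN the connection is authenticated as ("" = anonymous)
    ops: dict[int, Operation] = field(default_factory=dict)


def parse_access_log(text: str) -> dict[int, Connection]:
    """Group access-log lines by connection and pair each op with its RESULT."""
    conns: dict[int, Connection] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn = conns.setdefault(int(m["conn"]), Connection(int(m["conn"])))
        rest = m["rest"]
        if rest.startswith("fd="):
            cm = re.search(r"connection from (\S+)", rest)
            conn.client = cm.group(1) if cm else ""
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        opnum, kind, detail = int(om["op"]), om["kind"], om["detail"] or ""
        if kind == "RESULT":
            op = conn.ops.setdefault(opnum, Operation(opnum, "?", ""))
            em = ERR_RE.search(detail)
            op.err = int(em["err"]) if em else None
            if op.kind == "BIND":
                dm = DN_RE.search(detail)
                if op.err == 0 and dm and dm["dn"]:
                    conn.bound_as = dm["dn"]   # SASL bind: identity is on the RESULT line
                elif op.err != 0:
                    conn.bound_as = ""         # failed bind leaves the connection anonymous
        else:
            conn.ops[opnum] = Operation(opnum, kind, detail)
            dm = DN_RE.search(detail)
            if kind == "BIND" and dm and dm["dn"]:
                conn.bound_as = dm["dn"]       # simple bind names the DN up front
    return conns


def refused_operations(conns: dict[int, Connection]) -> list[tuple[int, str, int, str, int]]:
    """(conn, bound identity, op, kind, err) for every operation the server refused."""
    out = []
    for c in sorted(conns.values(), key=lambda c: c.conn):
        for op in sorted(c.ops.values(), key=lambda o: o.op):
            if op.err not in (None, 0):
                out.append((c.conn, c.bound_as or "(anonymous)", op.op, op.kind, op.err))
    return out


if __name__ == "__main__":
    for row in refused_operations(parse_access_log(SAMPLE_LOG)):
        print(row)
```

Feed it the real file (`parse_access_log(open("/var/log/dirsrv/slapd-INSTANCE/access").read())`) and the refused list answers the question the poster was chasing by hand: which principal attempted which write, and what the server returned.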
[Freeipa-users] ipa-dnskeysync-replica - returned non-zero exit status
Hi guys.

This is from a box which I recently updated - I mailed the list earlier about the pki* rpm packages issue - but also, for other reasons, I did a fresh installation of IPA/replica on that box.

...
ipa-dnskeysync-replica: DEBUG master keys in local HSM: set()
ipa-dnskeysync-replica: DEBUG master keys in LDAP HSM: {'0x89cb5ca422df63e9a', '0x4191a795f83cd3367607f'}
ipa-dnskeysync-replica: DEBUG new master keys in LDAP HSM: {'0x89cb5d8ca422df63e9a', '0x4191a7953367607f'}
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 189, in <module>
    ldap2replica_master_keys_sync(ldapkeydb, localhsm)
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 90, in ldap2replica_master_keys_sync
    raise ValueError(
ValueError: Local HSM does not contain suitable unwrapping key for master key 0x4191a795f83ade7634ec01cd3367607f
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 113, in <module>
    while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
  File "/usr/lib64/python3.9/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll
    self.syncrepl_refreshdone()
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone
    self.hsm_replica_sync()
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync
    ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run
    raise CalledProcessError(
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipalib.plugable: DEBUG ... DEBUG master keys in LDAP HSM: {\'0x89cb5d88042df63e9a\', \'0x4191a795f83adecd3367607f\'}\nipa-dnskeysync-replica: DEBUG new master keys in LDAP HSM: {\'0x89cb5da422df63e9a\', \'0x4191a795f83ade7634ec01cd3367607f\'}\nTraceback (most recent call last):\n  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 189, in <module>\n    ldap2replica_master_keys_sync(ldapkeydb, localhsm)\n  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 90, in ldap2replica_master_keys_sync\n    raise ValueError(\nValueError: Local HSM does not contain suitable unwrapping key for master key 0x4191acd3367607f\n')
ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE
...

The domain seems to function okay, IPA does not complain about anything else except this 'ipa-dnskeysyncd.service'.

I wonder if it's this one box having newer versions of the relevant/related packages and the other masters need updates to "fix" the issue, or perhaps doing those updates on the remaining masters will make things worse.. or perhaps the nature of the problem is altogether different.

All advice is much welcomed.

many thanks, L.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] c9s - package conflicts with updates
Hi

just to let you @devel guys know in case this might affect & break IPA as in the (recent) past.

...
Problem 1: package pki-java-11.2.0-0.2.beta1.el9.noarch requires pki-base = 11.2.0-0.2.beta1.el9, but none of the providers can be installed
  - package idm-pki-base-11.2.0-0.4.beta3.el9.noarch obsoletes pki-base < 11.2.0-0.4.beta3.el9 provided by pki-base-11.2.0-0.2.beta1.el9.noarch
  - cannot install the best update candidate for package pki-java-11.2.0-0.2.beta1.el9.noarch
  - cannot install the best update candidate for package pki-base-11.2.0-0.2.beta1.el9.noarch
Problem 2: problem with installed package pki-java-11.2.0-0.2.beta1.el9.noarch
  - package pki-java-11.2.0-0.2.beta1.el9.noarch requires pki-base = 11.2.0-0.2.beta1.el9, but none of the providers can be installed
  - package pki-base-11.2.0-0.2.beta1.el9.noarch requires python3-pki = 11.2.0-0.2.beta1.el9, but none of the providers can be installed
  - package python3-idm-pki-11.2.0-0.4.beta3.el9.noarch obsoletes python3-pki < 11.2.0-0.4.beta3.el9 provided by python3-pki-11.2.0-0.2.beta1.el9.noarch
  - cannot install the best update candidate for package python3-pki-11.2.0-0.2.beta1.el9.noarch
...

thanks, L
[Freeipa-users] Re: c9s - Java update breaks IPA - ?
On 20/04/2022 15:42, Endi Dewata wrote:
> Hi,
>
> We're in the middle of updating PKI packages (jss, tomcatjss, ldapjdk, pki-core). The old one requires Java 11, but the new one requires Java 17. The problem is the pki-core update got stuck due to gating issues. Is it possible for you to downgrade the packages for now?
>
> -- Endi S. Dewata
>
> On Wed, Apr 20, 2022 at 9:24 AM lejeczek via FreeIPA-users wrote:
> > On 20/04/2022 15:02, Chris Kelley via FreeIPA-users wrote:
> > > PKI packages require Java 17 in CentOS 9 Stream: https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core.spec#L66.
> > >
> > > What version(s) of java-*-openjdk-headless do you have? java-17-openjdk-headless should have been pulled as a dependency when you pulled the PKI packages.
> >
> > 17 got an update as well:
> > java-17-openjdk-headless-17.0.3.0.5-0.1.ea.el9.x86_64
> > java-11-openjdk-headless-11.0.15.0.1-0.1.ea.el9.x86_64
> >
> > thanks, L.

tried that, but with ipa & java it still fails - a pretty messy case this is, so I encourage all involved devel to look into it asap.

thanks, L
[Freeipa-users] Re: c9s - Java update breaks IPA - ?
On 20/04/2022 15:02, Chris Kelley via FreeIPA-users wrote:
> PKI packages require Java 17 in CentOS 9 Stream: https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core.spec#L66.
>
> What version(s) of java-*-openjdk-headless do you have? java-17-openjdk-headless should have been pulled as a dependency when you pulled the PKI packages.

17 got an update as well:
java-17-openjdk-headless-17.0.3.0.5-0.1.ea.el9.x86_64
java-11-openjdk-headless-11.0.15.0.1-0.1.ea.el9.x86_64

thanks, L.
[Freeipa-users] Re: c9s - Java update breaks IPA - ?
On 20/04/2022 13:58, Alexander Bokovoy wrote:
> On Wed, 20 Apr 2022, lejeczek via FreeIPA-users wrote:
> > Hi guys.
> >
> > @devel perhaps could comment if it's Java among package updates which breaks PKI ?
> >
> > ...
> > ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='whale.mine.private', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('object at 0x7f9c31d7ba60>: Failed to establish a new connection: [Errno 111] Connection refused'))
> > WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
> > SEVERE: Error deploying deployment descriptor [/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
> > java.lang.IllegalStateException: Error starting child
> >   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
> >   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
> >   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
> >   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
> >   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
> >   at java.base/java.security.AccessController.doPrivileged(Native Method)
> >   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
> >   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
> > ...
> > ...
> >   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
> >   ... 41 more
> > Caused by: java.lang.UnsupportedClassVersionError: netscape/ldap/LDAPException has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
> >   at java.base/java.lang.ClassLoader.defineClass1(Native Method)
> >   at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
> > ...
> > SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
> > SEVERE: Context [/acme] startup failed due to previous errors
> > WARNING: An illegal reflective access operation has occurred
> > WARNING: Illegal reflective access by org.apache.catalina.loader.WebappClassLoaderBase (file:/usr/share/java/tomcat/catalina.jar) to field java.io.ObjectStreamClass$Caches.localDescs
> > WARNING: Please consider reporting this to the maintainers of org.apache.catalina.loader.WebappClassLoaderBase
> > WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
> > ...
> > java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
> > ipa-server-4.9.8-6.el9.x86_64
> >
> > or is this some issue irrespective of java?
>
> It looks like some inconsistency between PKI and Java packages. I also noticed you have a previous CentOS 9 Stream compose as ipa-server 4.9.8-8.el9 is now available. Perhaps many packages were upgraded in it as well and you might get a better chance?

sorry, wrong c from me, that 4.9.8-8.el9 went in along with other updates, that was when PKI broke.

> Anyway, I asked PKI developers to check what's up with these different bytecode versions.
[Freeipa-users] c9s - Java update breaks IPA - ?
Hi guys.

@devel perhaps could comment if it's Java among package updates which breaks PKI ?

...
ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='whale.mine.private', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('object at 0x7f9c31d7ba60>: Failed to establish a new connection: [Errno 111] Connection refused'))
WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
SEVERE: Error deploying deployment descriptor [/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
java.lang.IllegalStateException: Error starting child
  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
  at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
  at java.base/java.security.AccessController.doPrivileged(Native Method)
  at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
  at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
...
...
  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
  ... 41 more
Caused by: java.lang.UnsupportedClassVersionError: netscape/ldap/LDAPException has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
  at java.base/java.lang.ClassLoader.defineClass1(Native Method)
  at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
...
SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
SEVERE: Context [/acme] startup failed due to previous errors
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.catalina.loader.WebappClassLoaderBase (file:/usr/share/java/tomcat/catalina.jar) to field java.io.ObjectStreamClass$Caches.localDescs
WARNING: Please consider reporting this to the maintainers of org.apache.catalina.loader.WebappClassLoaderBase
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
...
java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
ipa-server-4.9.8-6.el9.x86_64

or is this some issue irrespective of java?

many thanks, L.
[Freeipa-users] Re: server sshfp update - ?
On 13/04/2022 09:57, Florence Blanc-Renaud wrote:
> On Tue, Apr 12, 2022 at 7:05 PM lejeczek via FreeIPA-users wrote:
> > On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
> > > Hi,
> > >
> > > if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
> > > # ipa host-mod --updatedns --sshpubkey "*ssh-rsa B3NzaC...*" client.ipa.test
> > > (where the bold text is the content of your .pub file).
> > >
> > > Then in order to check what was done:
> > > # ipa dnsrecord-show ipa.test client
> > >   Record name: client
> > >   A record: 10.0.147.130
> > >   SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
> > >
> > > You can check that they correspond using
> > > # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
> > > client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
> > > client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
> > >
> > > The fingerprints are also visible using
> > > # ipa host-show client.ipa.test
> > > ...
> > >   SSH public key fingerprint: SHA256:Cx...
> > >
> > > and can be checked using
> > > # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
> > > 3072 SHA256:Cx...
> > >
> > > Does it help?
> > > flo
> > >
> > > On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users wrote:
> > > > Hi guys.
> > > >
> > > > What is the correct way to update/modify server's sshfp records?
> > > > I assumed those are in: /etc/ssh/ssh_host_*.pub and I should use 'host-mod --updatedns ..' but then such records do not look like what IPA had/created.
> > > >
> > > > many thanks, L
> >
> > I've probably phrased poorly what I wanted to say. I did that, as I said I did: 'host-mod --updatedns ..' and... just after this I did: 'ipa host-show' which showed also "ssh public key (FP separately as usually) records" which puzzled me a bit as those were not there for/from "regular" client/replica install (including this host prior to manual update), but...! now those "ssh public key" records 'ipa host-show' does not show anymore... now I begin to worry, or.. it's how IPA "behaves"?
>
> Ok, so I didn't understand your point. If you run
> ipa host-mod --updatedns --sshpubkey "ssh-rsa ..."
> then the value of the ssh pub key is overwritten and now contains a single value. If there were previously other SSH pub keys they are simply deleted by this command. The right method would be to add multiple --sshpubkey arguments, for the key to be added + the previous ones, or to use --addattr="ipaSshPubKey=..."
>
> Was this your question?
>
> > ps. Flo, do the right thing, follow etiquette/lang rules. I'd like to think it's not just conversation between us two. How do you like to read your book? aha! exactly.
>
> Honestly I have no idea how to interpret this comment, so I'd rather not interpret it myself and risk misunderstanding. Did I write something that broke etiquette? It was clearly not my intent. I'm open to constructive feedback as I try to help as much as I can on this mailing list.

I know some dev guys (but not exclusively) do not think of nor use mailing lists this way - I often struggle when searching (and I think one should always search prior to sending a message) for info/answers and get a thread where I need to go down, then jump up and down again, etc. Simple etiquette, which you are now following - as opposed to the prev message - so the rest/all? Read it as you read a book in a Latin-derived lang, from the top and down, always.

thanks, L.
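Florence's check above compares what `ipa dnsrecord-show` serves with what `ssh-keygen -r` derives from the .pub file. The block below is an added example, not code from the thread or from FreeIPA, that performs the same derivation: an SSHFP record is the SHA-1 (fingerprint type 1) or SHA-256 (type 2) of the base64-decoded key blob, tagged with the algorithm number from RFC 4255, 6594 and 7479, and the comparison has to ignore hex case because IPA prints uppercase while ssh-keygen prints lowercase. The key line inside is a constructed stand-in whose blob is simply base64("abc"), chosen so the digests are the well-known hashes of "abc"; a real host key blob is hundreds of bytes.

```python
"""SSHFP check: derive the SSHFP records ssh-keygen -r would print from an
OpenSSH public key line and compare them with what DNS serves.

Added example, not part of the thread or of FreeIPA.  SAMPLE_PUBKEY is a
constructed stand-in (its blob is base64('abc')), not a real host key.
"""
from __future__ import annotations

import base64
import hashlib

# Algorithm numbers in SSHFP RDATA (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint type -> hash over the raw (base64-decoded) key blob.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def fingerprint_hex(blob: bytes, fp_type: int) -> str:
    """Lowercase hex digest of the key blob for the given fingerprint type."""
    return SSHFP_HASHES[fp_type](blob).hexdigest()


def sshfp_records(pubkey_line: str) -> list[tuple[int, int, str]]:
    """(algorithm, fp_type, hex) for one line of an OpenSSH .pub file.

    The line looks like 'ssh-ed25519 AAAA... comment'; only the first two
    fields matter.  Both fingerprint types are produced, as ssh-keygen -r does.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError(f"unsupported key type {keytype!r}")
    blob = base64.b64decode(b64, validate=True)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fp, fingerprint_hex(blob, fp)) for fp in sorted(SSHFP_HASHES)]


def zone_lines(hostname: str, pubkey_line: str) -> list[str]:
    """Format the records the way ssh-keygen -r prints them."""
    return [f"{hostname} IN SSHFP {alg} {fp} {hexfp}"
            for alg, fp, hexfp in sshfp_records(pubkey_line)]


def parse_dns_sshfp(text: str) -> set[tuple[int, int, str]]:
    """Parse SSHFP RDATA as printed by 'ipa dnsrecord-show' (comma separated,
    uppercase) or one record per line as from dig / ssh-keygen -r.  Hex is
    normalised to lowercase so the two sources compare equal."""
    records = set()
    for chunk in text.replace(",", "\n").splitlines():
        fields = chunk.split()
        if "SSHFP" in fields:                      # 'name [ttl] IN SSHFP a f hex'
            fields = fields[fields.index("SSHFP") + 1:]
        if len(fields) != 3:
            continue
        records.add((int(fields[0]), int(fields[1]), fields[2].lower()))
    return records


def dns_matches_key(dns_text: str, pubkey_line: str) -> bool:
    """True when every record derived from the local key is present in DNS."""
    return set(sshfp_records(pubkey_line)) <= parse_dns_sshfp(dns_text)


# Constructed sample: the blob decodes to b'abc', so the digests are the
# well-known SHA-1 / SHA-256 of 'abc'.
SAMPLE_PUBKEY = "ssh-rsa YWJj root@client.ipa.test"

if __name__ == "__main__":
    for line in zone_lines("client.ipa.test", SAMPLE_PUBKEY):
        print(line)
```

To use it on a real host, replace SAMPLE_PUBKEY with the first line of each /etc/ssh/ssh_host_*.pub and pass the SSHFP text from `ipa dnsrecord-show` to dns_matches_key; a False after an `ipa host-mod --updatedns` is the mismatch to look into, since, as Florence notes, a single --sshpubkey replaces whatever keys were stored before.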
[Freeipa-users] Re: server sshfp update - ?
On 12/04/2022 18:39, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
> > On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
> > > Hi,
> > >
> > > if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
> > > # ipa host-mod --updatedns --sshpubkey "*ssh-rsa B3NzaC...*" client.ipa.test
> > > (where the bold text is the content of your .pub file).
> > >
> > > Then in order to check what was done:
> > > # ipa dnsrecord-show ipa.test client
> > >   Record name: client
> > >   A record: 10.0.147.130
> > >   SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
> > >
> > > You can check that they correspond using
> > > # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
> > > client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
> > > client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
> > >
> > > The fingerprints are also visible using
> > > # ipa host-show client.ipa.test
> > > ...
> > >   SSH public key fingerprint: SHA256:Cx...
> > >
> > > and can be checked using
> > > # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
> > > 3072 SHA256:Cx...
> > >
> > > Does it help?
> > > flo
> > >
> > > On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users wrote:
> > > > Hi guys.
> > > >
> > > > What is the correct way to update/modify server's sshfp records?
> > > > I assumed those are in: /etc/ssh/ssh_host_*.pub and I should use 'host-mod --updatedns ..' but then such records do not look like what IPA had/created.
> > > >
> > > > many thanks, L
> >
> > I've probably phrased poorly what I wanted to say. I did that, as I said I did: 'host-mod --updatedns ..' and... just after this I did: 'ipa host-show' which showed also "ssh public key (FP separately as usually) records" which puzzled me a bit as those were not there for/from "regular" client/replica install (including this host prior to manual update), but...! now those "ssh public key" records 'ipa host-show' does not show anymore... now I begin to worry, or.. it's how IPA "behaves"?
>
> I think it would help if you showed us what you are seeing, the exact commands, and what the output looks like vs what you expect.

When I do:

-> $ ipa host-mod drunk.in.ccn --updatedns --sshpubkey="ssh-ed25519 .." --sshpubkey="ecdsa-sha2-nistp256 ...=" --sshpubkey="ssh-rsa ..."
Modified host "drunk.in.ccn"
  Host name: drunk.in.ccn
  Principal name: host/drunk.in@in.ccn
  Principal alias: host/drunk.in@in.ccn
  SSH public key: ssh-ed25519 AIKv2AOJxFqqpcpe/HR/3hh, ssh-rsa B3NzaC1U=, ecdsa-sha2-nistp256 /TWR/ZoiqV3Ke4Fw3LrtT9b86uqlb8Uc8P8lJe2RV4wvRw=
  SSH public key fingerprint: SHA256:

IPA prints the above after the command - which '*-mod', when it does, I'd think, usually shows as the end result the same thing '*-show' would get. So there are both "SSH public key" & "SSH public key fingerprint", but '-show' afterwards gets only the latter - perhaps it's just how it should be?

many thanks, L

> > ps. Flo, do the right thing, follow etiquette/lang rules. I'd like to think it's not just conversation between us two. How do you like to read your book? aha! exactly.
>
> Not sure what you mean. She replied to the list, not just to you.
>
> rob
[Freeipa-users] Re: server sshfp update - ?
On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
> Hi,
>
> if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
> # ipa host-mod --updatedns --sshpubkey "*ssh-rsa B3NzaC...*" client.ipa.test
> (where the bold text is the content of your .pub file).
>
> Then in order to check what was done:
> # ipa dnsrecord-show ipa.test client
>   Record name: client
>   A record: 10.0.147.130
>   SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
>
> You can check that they correspond using
> # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
> client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
> client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
>
> The fingerprints are also visible using
> # ipa host-show client.ipa.test
> ...
>   SSH public key fingerprint: SHA256:Cx...
>
> and can be checked using
> # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
> 3072 SHA256:Cx...
>
> Does it help?
> flo
>
> On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users wrote:
> > Hi guys.
> >
> > What is the correct way to update/modify server's sshfp records?
> > I assumed those are in: /etc/ssh/ssh_host_*.pub and I should use 'host-mod --updatedns ..' but then such records do not look like what IPA had/created.
> >
> > many thanks, L

I've probably phrased poorly what I wanted to say. I did that, as I said I did: 'host-mod --updatedns ..' and... just after this I did: 'ipa host-show' which showed also "ssh public key (FP separately as usually) records" which puzzled me a bit as those were not there for/from "regular" client/replica install (including this host prior to manual update), but...! now those "ssh public key" records 'ipa host-show' does not show anymore... now I begin to worry, or.. it's how IPA "behaves"?

ps. Flo, do the right thing, follow etiquette/lang rules. I'd like to think it's not just conversation between us two. How do you like to read your book? aha! exactly.

many thanks, L.
[Freeipa-users] server sshfp update - ?
Hi guys.

What is the correct way to update/modify server's sshfp records?
I assumed those are in: /etc/ssh/ssh_host_*.pub and I should use 'host-mod --updatedns ..' but then such records do not look like what IPA had/created.

many thanks, L
[Freeipa-users] Re: DNS record with all IPA servers
On 07/04/2022 18:04, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

On 06/04/2022 16:50, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

On 30/03/2022 09:19, Alexander Bokovoy via FreeIPA-users wrote:

On Wed, 30 Mar 2022, Boris Behrens via FreeIPA-users wrote:

Hi, I am currently trying to clean up our IPA installation and saw that all our clients only got a single server configured, which doesn't sound good. (We've currently got two IPA servers.) Is there some sort of record that can be used?

Look into the man page for the 'ipa' tool:

SERVERS
The ipa client will determine which server to connect to in this order:
1. The server configured in /etc/ipa/default.conf in the xmlrpc_uri directive.
2. An unordered list of servers from the ldap DNS SRV records.
If a kerberos error is raised by any of the requests then it will stop processing and display the error message.

But is that really a problem, and if not, when could that be a problem? I see all my clients end up with only a single server in config files - the one the client hooked to at installation time - is that not how it should be?

It is only a potential problem if you don't use DNS discovery and that server goes away. In /etc/ipa/default.conf the server value is deprecated. The value of xmlrpc_uri is used to determine the API endpoint of an IPA server. This mostly affects the IPA tools and certmonger, all of which try DNS discovery first. There is no way to specify multiple servers in /etc/ipa/default.conf. So the worst-case scenario is you don't use DNS discovery and a server goes away permanently, never to be re-created. Any client with that hardcoded server value won't be able to use certmonger or IPA tools like ipa-certupdate, ipa, etc.

Similarly SSSD is by default configured with:

ipa_server = _srv_, ipa.example.test

So if there is no DNS discovery and that one server dies, you're done until you restore the server or change the value (SSSD caching can mitigate this to some extent; it will be treated as offline). Going into your clients to evenly divide them between the two servers could save you some work if one went down forever, but relying on DNS discovery to find servers is recommended and preferred.

rob

How about a bit "twisted" way of having things run, when only one - for whatever imaginary reason - server is available to clients. Not at all times but at a given time, say... today it's masterA but tomorrow it will be masterB. That would break some clients sometimes, correct? And if so - would IPA be okay with a primitive remedy such as 'xmlrpc_uri' pointing to a URI/record with a non-existing/not actual host's hostname (still an IPA server), which would be always accessible to all clients?

If you have DNS SRV records then it should continue to work fine. There just may be a delay in some requests until failover occurs. We do not recommend putting a load balancer in front of IPA. It's a lot of manual effort and lots of room to make mistakes.

rob

Not a load-balancer - a record with a non-existing/non-actual server's hostname, but still an IPA server. Better described as a "floating" record perhaps?

srv1.ipa.com A x.x.x
srv2.ipa.com A x.x.x
some more..
mama.ipa.com A z.z.z (which IP, "physically", will travel from server to server on "whatever" basis)

then 'xmlrpc_uri' points to 'mama.ipa.com'? As long as this does not break IPA in some way, it's a "workaround" which makes my setups very happy.

thanks, L.
[Freeipa-users] Re: DNS record with all IPA servers
On 06/04/2022 16:50, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

On 30/03/2022 09:19, Alexander Bokovoy via FreeIPA-users wrote:

On Wed, 30 Mar 2022, Boris Behrens via FreeIPA-users wrote:

Hi, I am currently trying to clean up our IPA installation and saw that all our clients only got a single server configured, which doesn't sound good. (We've currently got two IPA servers.) Is there some sort of record that can be used?

Look into the man page for the 'ipa' tool:

SERVERS
The ipa client will determine which server to connect to in this order:
1. The server configured in /etc/ipa/default.conf in the xmlrpc_uri directive.
2. An unordered list of servers from the ldap DNS SRV records.
If a kerberos error is raised by any of the requests then it will stop processing and display the error message.

But is that really a problem, and if not, when could that be a problem? I see all my clients end up with only a single server in config files - the one the client hooked to at installation time - is that not how it should be?

It is only a potential problem if you don't use DNS discovery and that server goes away. In /etc/ipa/default.conf the server value is deprecated. The value of xmlrpc_uri is used to determine the API endpoint of an IPA server. This mostly affects the IPA tools and certmonger, all of which try DNS discovery first. There is no way to specify multiple servers in /etc/ipa/default.conf. So the worst-case scenario is you don't use DNS discovery and a server goes away permanently, never to be re-created. Any client with that hardcoded server value won't be able to use certmonger or IPA tools like ipa-certupdate, ipa, etc.

Similarly SSSD is by default configured with:

ipa_server = _srv_, ipa.example.test

So if there is no DNS discovery and that one server dies, you're done until you restore the server or change the value (SSSD caching can mitigate this to some extent; it will be treated as offline).

Going into your clients to evenly divide them between the two servers could save you some work if one went down forever, but relying on DNS discovery to find servers is recommended and preferred.

rob

How about a bit "twisted" way of having things run, when only one - for whatever imaginary reason - server is available to clients. Not at all times but at a given time, say... today it's masterA but tomorrow it will be masterB. That would break some clients sometimes, correct? And if so - would IPA be okay with a primitive remedy such as 'xmlrpc_uri' pointing to a URI/record with a non-existing/not actual host's hostname (still an IPA server), which would be always accessible to all clients?

many thanks, L.
[Freeipa-users] user different shells - ? - with rbac
Hi guys

Just got this notion popped in - here it is always best to ask before investigations start - can IPA do different shells, perhaps with RBAC somehow? I think it might be so trivial that many must have asked already - different login host = different user shell.

many thanks, L.
[Freeipa-users] Re: DNS record with all IPA servers
On 30/03/2022 09:19, Alexander Bokovoy via FreeIPA-users wrote:

On Wed, 30 Mar 2022, Boris Behrens via FreeIPA-users wrote:

Hi, I am currently trying to clean up our IPA installation and saw that all our clients only got a single server configured, which doesn't sound good. (We've currently got two IPA servers.) Is there some sort of record that can be used?

Look into the man page for the 'ipa' tool:

SERVERS
The ipa client will determine which server to connect to in this order:
1. The server configured in /etc/ipa/default.conf in the xmlrpc_uri directive.
2. An unordered list of servers from the ldap DNS SRV records.
If a kerberos error is raised by any of the requests then it will stop processing and display the error message.

But is that really a problem, and if not, when could that be a problem? I see all my clients end up with only a single server in config files - the one the client hooked to at installation time - is that not how it should be?

many thanks, L.
[Freeipa-users] geo replication - ? - concept of
Hi guys.

This must have been asked/covered somewhere I think, as it must be a trivial concept/question many must have wondered about - can IPA, in a supported manner, with a built-in way or not, do 'geo-replication' in some sense? What I wonder specifically is - call it a secondary, backup or a mirror site (of the whole domain) which would _only_ receive (possibly synchronously) and be read-only, but!... that direction, the flow of main/primary -> secondary/backup, could be flipped, reversed (in a relatively non-time-consuming way). Anybody done or contemplated such or a similar thing and care to share some thoughts?

many thanks, L.
[Freeipa-users] Re: ipa-ca DNS record - ?
On 31/03/2022 13:40, Florence Blanc-Renaud wrote:

Hi,

The command 'ipa dns-update-system-records' can be used to add the missing records. If you'd rather add them manually, the command can be run with the '--dry-run' option and will display the expected records but will not perform any update.

flo

On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden via FreeIPA-users wrote:

lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> What is 'ipa-ca' for and what should it point to?
> Also, should IPA change that record ever?
>
> Reason I ask - from the docs as I understand - it should point to all CA
> servers in the domain, but it is not happening.

It is a generic name for the CAs, initially for the OCSP and CRL endpoints. If a fixed hostname was stored there then if/when that server disappears, no more resolving OCSP. It is also used for ACME as a generic name that can be used across your infra.

I suppose it's possible that you may have some old enough servers that predate the ipa-ca name. I have a faint memory that servers marked as HIDDEN also don't have this entry. It's fine to manually add the missing record in this case. IIRC there is no task to seek out all CAs and add them.

rob

nice - 'ipa dns-update-system-records' - very useful.

I wonder if the fact that my 'ipa-ca' was "incomplete" might have something to do with ipa-client-install's

...
Successfully retrieved CA cert
...
Joining realm failed: JSON-RPC call failed: Peer certificate cannot be authenticated with given CA certificates
...

My setup is a bit, well, awkward, so it might be that, but still - someone please decipher that error if you will.

many thanks, L.
[Freeipa-users] ipa-ca DNS record - ?
Hi guys.

What is 'ipa-ca' for and what should it point to? Also, should IPA change that record ever?

Reason I ask - from the docs as I understand - it should point to all CA servers in the domain, but it is not happening.

many thanks, L.
[Freeipa-users] Re: no clients records for a zones outside of the domain - ?
On 24/03/2022 02:02, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

Successful client installation on hosts with an fqdn different from the main domain should result in IPA creating A records, right? 'hosts' are there for such new clients but no A records in that "outside" zone.

Does IPA have that zone defined? Are dynamic updates enabled for the zone? The details would be in the journal for named and/or ipaclient-install.log, probably named logging the update as REFUSED.

rob

ough, it keeps eluding me - when I look at that I think, without thinking - dynamic - will be 'dhcp' and not manual client installation - must make a big yellow note with it.

Thanks, L
[Freeipa-users] Re: DNS - no paypal.com RSASHA1 ?
On 22/03/2022 18:14, Rainer Duffner wrote:

Am 22.03.2022 um 18:07 schrieb lejeczek via FreeIPA-users:

p.s. is the world ready for such hardened IPA/dns? I mean.. if paypal.com cannot keep up..

In a production setup, I would not rely on IPA-DNS for my general resolver tasks. I'd just forward it the necessary queries and let the actual resolvers do their work.

Why? Is it too much of a job for IPA DNS?

thanks, L
[Freeipa-users] no clients records for a zones outside of the domain - ?
Hi guys

Successful client installation on hosts with an fqdn different from the main domain should result in IPA creating A records, right? 'hosts' are there for such new clients but no A records in that "outside" zone.

many thanks, L.
[Freeipa-users] Re: DNS - no paypal.com RSASHA1 ?
On 22/03/2022 12:22, Alexander Bokovoy wrote:

On Tue, 22 Mar 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

With latest IPA on CentOS 9, ver 4.9.8 & bind-9.16.23-1.el9.x86_64 - what would be a correct (temporary) workaround for those records around the world which are signed with "oldish" crypts?

Perhaps, try to use 'update-crypto-policies --set LEGACY'?

I thought the slickest/safest - which I ended up doing - would be to exclude validation for given domain(s) (trying to make it survive rpm updates). Seems to work but I was not sure whether it was the best way.

thanks, L.

p.s. is the world ready for such hardened IPA/dns? I mean.. if paypal.com cannot keep up..
[Freeipa-users] DNS - no paypal.com RSASHA1 ?
Hi guys.

With latest IPA on CentOS 9, ver 4.9.8 & bind-9.16.23-1.el9.x86_64 - what would be a correct (temporary) workaround for those records around the world which are signed with "oldish" crypts?

many thanks, L.
[Freeipa-users] When 'certmonger' loses it ? all
Hi guys.

According to 'ipa-healthcheck' there are lots of problems with my IPA:

...
"key": "cert-file=/var/lib/ipa/ra-agent.pem, key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert",
"msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
...
"key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"auditSigningCert cert-pki-ca\", template-profile=caSignedLogCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
...
...
{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertDNSSAN",
  "result": "ERROR",
  "uuid": "1f431916-88ae-4cf0-8dd1-c55914cf3801",
  "when": "20220315184602Z",
  "duration": "0.178625",
  "kw": {
    "key": null,
    "msg": "Found request id {key} but it is not trackedby certmonger!?"
  }
},
...

'ipa-restore' does not seem to fix anything there. What happens there and, more importantly, how to troubleshoot/fix?

many thanks, L.
[Freeipa-users] services & certificates for domain record
Hi guys.

I've fiddled a bit - IPA allows me to create host/service/cert for its domain/realm - the @ record - will I not break something having services/certs like that?

many thanks, L.
[Freeipa-users] PTR records via/from DHCP
Hi guys.

For a zone such as this: 1.3.10.in-addr.arpa, with dynamic updates from DHCP, IPA ends up with PTR records like:

Record name: 30.1.3.10
PTR record: CROMO.private.road.

To fix it - which end should one fiddle with, IPA's or DHCP's?

many thanks, L.
[Freeipa-users] Re: zone types - allow both - check for state
On 17/02/2022 12:44, Alexander Bokovoy wrote:

On Thu, 17 Feb 2022, lejeczek via FreeIPA-users wrote:

On 16/02/2022 19:45, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

@devel

Hi guys. Not knowing the nitty-gritty of the internals of it, I'd dare to suggest, as a future enhancement perhaps, this: allow both types of zone; creation of the second type would fail if the first is 'enabled', and the same would go for '-mod' - allow (and facilitate switching) enable only if the other is disabled (certainly allow both to be 'disabled'). That would certainly be a handy bit from an admin's point of view.

Can you provide more context to this question? Why do you need to do whatever it is you need to do with some sort of type of zone? Is this DNSSEC-related? By "both types" do you mean Country AND Western? [1]

rob

[1] See Brothers, Blue

Apologies. Quite trivial:

-> $ ipa dnsforwardzone-add j.xyz. --forwarder=10.3.1.221 --forwarder=10.3.1.222 --skip-overlap-check
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: Only one zone type is allowed per zone name

-> $ ipa dnszone-disable j.xyz.
---
Disabled DNS zone "jatymy.xyz."
---

and here, now 'dnsforwardzone-add' would/could succeed. Then only one 'type' of zone is allowed to be 'enabled' at any given time and both can be (obviously) disabled.

You either have an authoritative zone or forward it to someone else. There is no way to combine them together.

Yes. Did I suggest 'combine'? - I said, allow both types to exist in IPA but have only one be enabled at any given time.

thanks, L.
[Freeipa-users] Ubuntu 20.04 as a client - no A records
Hi guys

Would anybody be able to confirm that an Ubuntu client does not get IPA to create an A record unless '--ip-address' is used with the client? I do not suppose it's the IPA server's issue, right?

many thanks, L.
[Freeipa-users] Re: zone types - allow both - check for state
On 16/02/2022 19:45, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

@devel

Hi guys. Not knowing the nitty-gritty of the internals of it, I'd dare to suggest, as a future enhancement perhaps, this: allow both types of zone; creation of the second type would fail if the first is 'enabled', and the same would go for '-mod' - allow (and facilitate switching) enable only if the other is disabled (certainly allow both to be 'disabled'). That would certainly be a handy bit from an admin's point of view.

Can you provide more context to this question? Why do you need to do whatever it is you need to do with some sort of type of zone? Is this DNSSEC-related? By "both types" do you mean Country AND Western? [1]

rob

[1] See Brothers, Blue

Apologies. Quite trivial:

-> $ ipa dnsforwardzone-add j.xyz. --forwarder=10.3.1.221 --forwarder=10.3.1.222 --skip-overlap-check
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: Only one zone type is allowed per zone name

-> $ ipa dnszone-disable j.xyz.
---
Disabled DNS zone "jatymy.xyz."
---

and here, now 'dnsforwardzone-add' would/could succeed. Then only one 'type' of zone is allowed to be 'enabled' at any given time and both can be (obviously) disabled.

thanks, L.
[Freeipa-users] zone types - allow both - check for state
@devel

Hi guys.

Not knowing the nitty-gritty of the internals of it, I'd dare to suggest, as a future enhancement perhaps, this: allow both types of zone; creation of the second type would fail if the first is 'enabled', and the same would go for '-mod' - allow (and facilitate switching) enable only if the other is disabled (certainly allow both to be 'disabled'). That would certainly be a handy bit from an admin's point of view.

many thanks, L.
[Freeipa-users] Re: host certs - Organizational Unit - ?
On 08/02/2022 19:45, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

Is it possible to insert/include an Organizational Unit (OU) for host certificates?

You'd need to create a custom certificate profile.

rob

If I might suggest this as an enhancement which many would welcome - I think - include this in the standard/default tool-set?

thanks, L.
[Freeipa-users] Re: certificate management - best practices - ?
On 08/02/2022 19:33, Ahti Seier via FreeIPA-users wrote:

Hello,

I don't think there is one correct answer to this question. It depends on the services and how those hosts and services are managed.

From a security perspective you need to have confidence that your private keys are secure and have not been compromised. So if the services are administered by different teams or people it is better to separate the keys and control access to them so that each team and service would have access only to their own keys. Meaning it is better to have a certificate for each service. This will not save you if one of the keys gets compromised, but it is better to figure out how it happened and who is responsible if/when it does. It is a good idea if these certificates are with a different subject name because when one is expiring or there is some issue with it, it is easier to understand which one it is. The OU field in the subject DN is a good way to separate these.

If the server and all its services are managed by a single team/person and the impact of key compromise is not that severe then having one certificate for multiple services can be simpler to manage. All services will have access to the same private key. This has the effect that when a key does get compromised you will have a hard time figuring out how or through which service it could have happened.

Just my 2c,
Ahti

okay, so another obvious one - how about masters themselves? (Put the recommendation that IPA boxes should be IPA-exclusive aside for now.) I assume most of us, if we did not do it, then at least were tempted to have databases (other than IPA's) on masters - if you do/did that, would you then use the master's or a separate/dedicated cert? (Risks and possibilities are what they are but I'm still curious to hear opinions & thoughts.)

And btw. Is there a defined list of - IPA's or a greater standard - approved/supported services or do we create those at whim as we go? eg. mysql/my-host postgresql/my-host etc.

many thanks, L.
[Freeipa-users] certificate management - best practices - ?
Hi guys.

I ponder what I think must be trivial and, at the same time, also an obvious idea - services & hosts. All the hosts, domain members, and all possible or maybe just a handful of services one might run on those hosts - should you want a unique certificate for each host+service, or is perhaps a single cert for a host, which is then used by all services on the host, a better practice? All ideas & notions shared are greatly appreciated.

many thanks, L.
[Freeipa-users] host certs - Organizational Unit - ?
Hi guys

Is it possible to insert/include an Organizational Unit (OU) for host certificates?

many thanks, L
[Freeipa-users] Re: IPA to IPA migration - lot more groups - why?
On 02/02/2022 14:21, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: On 02/02/2022 08:45, Florence Blanc-Renaud wrote: Hi, On Wed, Feb 2, 2022 at 7:31 AM lejeczek via FreeIPA-users wrote: Hi guys. I migrate: -> $ ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --with-compat ldap://10.0.0.16 <http://10.0.0.16> and I end up, according to 'group-find', having a lot more - one for each user - extra groups which do not exist(or don't show up?) on the source IPA domain. Are those extra groups the user private group? You can check on the source IPA server if they show up with # ipa group-find --private Yes there are, they did exist on the 'source' but would not show up with just 'group-find' where on the migrated_to IPA they do show up with just 'group-find' (the same migrated_to when user is created manually would not show that private group) can not do with 'source' anything as it's been dissolved. User-private groups (UPG) become regular groups in IPA-to-IPA migration. UPGs are not displayed by default in group-find. rob But that I was saying - apologies if I was vague - they do show up with just 'group-find' on migrated_to IPA. (and I did not do change whatever 'defaults' are on a clean, new deployment is) migration was from 4.9.6 to 4.9.8 thanks, L. many thanks, L flo Why is that? Is that a symptom of a problem? Is it safe to remove those extra groups? 
many thanks, L
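An added example, not part of the thread: Rob's point is that user-private groups come through ipa migrate-ds as ordinary groups and so appear in a plain 'group-find'. The helper below applies the UPG pattern (cn equal to a user's uid and gidNumber equal to that user's uidNumber) to constructed sample data shaped like ipa user-find/group-find output, and lists any members such a group should not carry before anyone deletes it. The matching rule and the member check are this example's assumptions, not an IPA API.

```python
"""Spot former user-private groups after an IPA-to-IPA migration.

Added example (not from the mailing-list thread). Heuristic: a migrated
UPG is a group whose cn equals a user's uid and whose gidNumber equals
that user's uidNumber. This is an assumption of the example, not an
IPA API guarantee.
"""
from typing import Dict, List

# Constructed sample data shaped like ipa user-find / group-find --raw
# output; all values are made up.
USERS = [
    {"uid": "alice", "uidnumber": 5740},
    {"uid": "bob", "uidnumber": 5741},
]
GROUPS = [
    {"cn": "alice", "gidnumber": 5740, "member_user": []},
    {"cn": "bob", "gidnumber": 5741, "member_user": ["alice"]},
    {"cn": "admins", "gidnumber": 5000, "member_user": ["alice", "bob"]},
    {"cn": "alice-team", "gidnumber": 5742, "member_user": ["alice"]},
]


def former_upgs(users: List[dict], groups: List[dict]) -> List[str]:
    """Group names that match the UPG pattern, sorted."""
    uid_to_num = {u["uid"]: u["uidnumber"] for u in users}
    return sorted(
        g["cn"] for g in groups
        if g["cn"] in uid_to_num and g["gidnumber"] == uid_to_num[g["cn"]]
    )


def unexpected_members(users: List[dict], groups: List[dict]) -> Dict[str, List[str]]:
    """Former UPGs that carry members other than their owner.

    A genuine UPG only ever belonged to one user, so extra members mean
    the group is being used for something else and should not simply be
    removed.
    """
    upgs = set(former_upgs(users, groups))
    out: Dict[str, List[str]] = {}
    for g in groups:
        if g["cn"] not in upgs:
            continue
        extra = sorted(m for m in g.get("member_user", []) if m != g["cn"])
        if extra:
            out[g["cn"]] = extra
    return out


if __name__ == "__main__":
    print("former UPGs:", former_upgs(USERS, GROUPS))
    print("check before deleting:", unexpected_members(USERS, GROUPS))
```

To run it against a real deployment, replace the two sample lists with the parsed output of `ipa user-find --all` and `ipa group-find --all`; the functions only need uid/uidnumber and cn/gidnumber/member_user.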
[Freeipa-users] Re: IPA to IPA migration - lot more groups - why?
On 02/02/2022 08:45, Florence Blanc-Renaud wrote:

Hi,

On Wed, Feb 2, 2022 at 7:31 AM lejeczek via FreeIPA-users wrote:

Hi guys.

I migrate:

-> $ ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --with-compat ldap://10.0.0.16

and I end up, according to 'group-find', having a lot more - one for each user - extra groups which do not exist (or don't show up?) on the source IPA domain.

Are those extra groups the user private group? You can check on the source IPA server if they show up with

# ipa group-find --private

Yes there are, they did exist on the 'source' but would not show up with just 'group-find', where on the migrated_to IPA they do show up with just 'group-find' (the same migrated_to, when a user is created manually, would not show that private group). I cannot do anything with 'source' as it's been dissolved.

many thanks, L

flo

Why is that? Is that a symptom of a problem? Is it safe to remove those extra groups?
many thanks, L
[Freeipa-users] IPA to IPA migration - lot more groups - why?
Hi guys.

I migrate:

-> $ ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --with-compat ldap://10.0.0.16

and I end up, according to 'group-find', having a lot more - one for each user - extra groups which do not exist (or don't show up?) on the source IPA domain.

Why is that? Is that a symptom of a problem? Is it safe to remove those extra groups?

many thanks, L
[Freeipa-users] first replica master - Internal error testing KRA clone
Hi guys.

I believe that is reproducible every time - clean deployment, first master's ipa-healthcheck no problems, replica added still no problems, then on that first replica 'ipa-kra-install' and immediately:

-> $ ipa-healthcheck
Internal error testing KRA clone.
KRA clone problem detected Host: swir.mine.private Port: 443
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "eed4f41f-27fe-4f37-aa01-d47602f2c58f",
    "when": "20220126174106Z",
    "duration": "1.207738",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing KRA clone. Host: swir.mine.private Port: 443"
    }
  }
]

How critical is that and what to do to fix it?

many thanks, L.
[Freeipa-users] Re: crypto policies but for SAMBA only - ?
On 26/01/2022 16:23, Alexander Bokovoy wrote:

On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:

On 25/01/2022 14:31, Alexander Bokovoy wrote:

On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:

On 25/01/2022 12:11, Alexander Bokovoy wrote:

On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

If that can be news for some - I'd like to share a finding: it's possible to have ipa-integrated Samba serving non-enrolled clients, both Linux & Windows, with passwords for authentication. (which has been long & will continue to be a must-have for me)

Question for @devel - the above I get simply by switching to 'LEGACY' - is it possible to do that but only for IPA-Samba (+ whatever required bits) as opposed to system-wide? It would be great to have IPA capable of that - perhaps an "enhancement" to future releases.

FreeIPA is not a single application, so it is hard to apply that.

I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on top of AD-SUPPORT one? The following is what I have on Fedora 35:

$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
# AD-SUPPORT subpolicy is intended to be used in Active Directory
# environments where either accounts or trusted domain objects were not yet
# migrated to AES or future encryption types. Active Directory implicitly
# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+

Samba uses GnuTLS, so maybe expanding @gnutls scope in a similar way would work? E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that includes

cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+

and then set the system-wide policy to use DEFAULT:MY-MODULE as a policy. This doesn't define it per application but at least limits use of insecure types to Kerberos and any application using GnuTLS. I actually haven't tried this all.

Testing with this policy now and nope, Samba 4.15.3 says:
...
[2022/01/25 14:21:55.930113, 2, pid=16175] ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: dupa
[2022/01/25 14:21:55.947759, 1, pid=16175] ../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED

All these modifications of the policy will not change the fact that we do not implement modification of SAM entry in IPA SAM module. This means you are getting in a different code path here. So probably more changes to the policy are needed...

Here is something VERY ? peculiar...
1) I could both smbclient & ssh between IPA masters with passwords
2) I could ssh from a non-enrolled to IPA master with the password
3) non-enrolled smbclient _failed_ as with the log snippet, with password

then I looked at that Samba log again and did, on a master:

-> $ ipa passwd dupa

now I do ! can 3) WTF? I must say.

user was created by IPA with '--password --password-expiration=20310312232428Z' as args to 'ipa user-add'

So, the policy seems good!! but that 'monstrosity' ? anybody will agree will be a 'bug', right?

I think what you see above is that the user was created before IPA setup was enabled to handle trust configuration (which is a pre-requisite to generate NT hashes). So when you re-generated password, that triggered adding NT hash to that user.

Well.. I do not think that was that (or rather should not be), for my first master was set up with:

-> $ ipa-server-install --setup-dns --setup-kra --no-forwarders --idstart=5740 --admin-password=#diradm --ds-password=#dirsrv --enable-compat --setup-adtrust

and every next master as well

-> $ ipa-replica-install --setup-dns --no-forwarders --setup-ca --enable-compat --setup-adtrust

Would that be what you think still, when instantiating IPA (4.9.6) in ways such as above?

thanks, L

With newer IPA (4.9.8 in Fedora or CentOS 9 Stream, for example, or recent RHEL 8.5 update) you still need to prepare IPA to work with trust (ipa-adtrust-install) but proper NT hash generation internally is enabled from initial install instead of when ipa-adtrust-install is run. For new installations this should reduce the gap as users created after install would already be ready to access Samba when ipa-adtrust-install will be run.
[Freeipa-users] Re: IPA removal/uninstall renders box unable to login, including console - ?
On 25/01/2022 14:21, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

On 19/01/2022 16:34, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys.

Has anybody seen, experienced that/similar? - this is a second master from which I uninstalled IPA successfully, cleanly, and immediately after reboot the system does not log in users (not even tty console). Something to do with SELinux/fcontext - I had to default-policy relabel the whole '/etc'.

I've never seen a report of this, and our automated testing does a lot of install/re-install but generally lacks a reboot.

Can you provide the AVCs for the failures?

rob

Immediately after 'uninstall', before reboot, issues arise:

-> $ journalctl -lf -o cat -u sshd
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
fatal: Access denied for user root by PAM account configuration [preauth]
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
fatal: Access denied for user root by PAM account configuration [preauth]
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
fatal: Access denied for user root by PAM account configuration [preauth]

'journal' full of denials:

If you believe that sshd should be allowed read access on the password-auth file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

AnalyzeThread.run(): Set alarm timeout to 10
AnalyzeThread.run(): Cancel pending alarm
AVC Message for setroubleshoot, dropping message
AVC Message for setroubleshoot, dropping message
AVC Message for setroubleshoot, dropping message
SELinux is preventing /usr/sbin/sshd from read access on the file password-auth. For complete SELinux messages run: sealert -l 4aaa291e-a99a-439a-97e1-c810df760e9d
SELinux is preventing /usr/sbin/sshd from read access on the file password-auth.

* Plugin catchall_labels (83.8 confidence) suggests ***

If you want to allow sshd to have read access on the password-auth file
Then you need to change the label on password-auth
Do
# semanage fcontext -a -t FILE_TYPE 'password-auth'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_tmp_t, abrt_etc_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t,..
...

If you believe that sshd should be allowed read access on the nsswitch.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                nsswitch.conf [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port
Host                          sucker.private.ccn
Source RPM Packages           openssh-server-8.0p1-12.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-86.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-86.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sucker.private.ccn
Platform                      Linux sucker.private.ccn 4.18.0-358.el8.x86_64 #1 SMP Mon Jan 10 13:11:20 UTC 2022 x86_64 x86_64
Alert Count                   425
First Seen                    2022-01-25 11:11:34 GMT
Last Seen                     2022-01-25 11:15:47 GMT
Local ID                      4aaa291e-a99a-439a-97e1-c810df760e9d

Raw Audit Messages
type=AVC msg=audit(1643109347.32:6982): avc: denied { read } for pid=28594 comm="sshd" name="nsswitch.conf" dev="vda1" ino=13336622 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1643109347.32:6982): arch=x86_64 syscall=openat success=no exit=EACC
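An added example, not part of the thread, for triaging denials like the ones above. The raw AVC quoted in the thread is telling: the target context on nsswitch.conf is var_lib_t, while the targeted policy labels files under /etc and /etc/pam.d as etc_t. A denial on a mislabelled file is fixed by restoring labels (restorecon, or the .autorelabel reboot the thread ends up using), not by the audit2allow module that setroubleshoot's catchall plugin proposes, which would bake the wrong label into local policy. The parser below splits AVC records into the two buckets. Sample audit lines are constructed (the first is the thread's own AVC; the others are made up); the basename list is this example's own assumption.

```python
"""Triage SELinux AVC denials: mislabelled file or missing policy rule?

Added example (not from the mailing-list thread). Parses raw
'type=AVC' audit records and separates denials caused by a wrong file
label from denials that need a policy change. The basename list and
the bucket names are this example's own choices.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 is the AVC quoted in the thread, line 2 its
# SYSCALL record; the remaining two records are made up for illustration.
SAMPLE_AUDIT = """
type=AVC msg=audit(1643109347.32:6982): avc: denied { read } for pid=28594 comm="sshd" name="nsswitch.conf" dev="vda1" ino=13336622 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1643109347.32:6982): arch=x86_64 syscall=openat success=no exit=EACCES
type=AVC msg=audit(1643109350.10:6990): avc:  denied  { read } for  pid=28601 comm="sshd" name="password-auth" dev="vda1" ino=13336700 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643109360.55:7001): avc: denied { name_bind } for pid=28700 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Config files the targeted policy labels etc_t (they live in /etc or
# /etc/pam.d). An AVC only carries the basename, hence a name list.
ETC_CONFIG_NAMES = {"nsswitch.conf", "password-auth", "system-auth",
                    "postlogin", "fingerprint-auth", "smartcard-auth"}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the AVC record's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": m.group("ts"),
        "serial": m.group("serial"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; labels and policy rules are
    # written in terms of the type, so keep it separately.
    rec["stype"] = str(rec.get("scontext", "::?")).split(":")[2]
    rec["ttype"] = str(rec.get("tcontext", "::?")).split(":")[2]
    return rec


def classify(rec: Dict[str, object]) -> str:
    """'mislabeled' -> restore labels; 'policy' -> look at the rule itself."""
    if (rec.get("tclass") == "file"
            and rec.get("name") in ETC_CONFIG_NAMES
            and rec["ttype"] != "etc_t"):
        return "mislabeled"
    return "policy"


def triage(audit_text: str) -> Dict[str, List[str]]:
    """Bucket every AVC in the text; each entry is a one-line summary."""
    out: Dict[str, List[str]] = {"mislabeled": [], "policy": []}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        target = rec.get("name") or rec.get("src") or "?"
        perms = ",".join(rec["perms"])
        out[classify(rec)].append(f"{rec.get('comm')} {perms} {target} ({rec['ttype']})")
    return out


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_AUDIT).items():
        fix = "restorecon -Rv /etc" if bucket == "mislabeled" else "audit2allow -w, then decide"
        print(f"{bucket} ({fix}):")
        for entry in entries:
            print("  " + entry)
```

Feed it real data with `ausearch -m AVC --raw` piped into the script; the `mislabeled` bucket is the one to clear with restorecon before anything is built into a local policy module.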
[Freeipa-users] Re: crypto policies but for SAMBA only - ?
On 25/01/2022 14:31, Alexander Bokovoy wrote:

On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:

On 25/01/2022 12:11, Alexander Bokovoy wrote:

On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

If that can be news for some - I'd like to share a finding: it's possible to have ipa-integrated Samba serving non-enrolled clients, both Linux & Windows, with passwords for authentication. (which has been long & will continue to be a must-have for me)

Question for @devel - the above I get simply by switching to 'LEGACY' - is it possible to do that but only for IPA-Samba (+ whatever required bits) as opposed to system-wide? It would be great to have IPA capable of that - perhaps an "enhancement" to future releases.

FreeIPA is not a single application, so it is hard to apply that.

I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on top of AD-SUPPORT one? The following is what I have on Fedora 35:

$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
# AD-SUPPORT subpolicy is intended to be used in Active Directory
# environments where either accounts or trusted domain objects were not yet
# migrated to AES or future encryption types. Active Directory implicitly
# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+

Samba uses GnuTLS, so maybe expanding @gnutls scope in a similar way would work? E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that includes

cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+

and then set the system-wide policy to use DEFAULT:MY-MODULE as a policy. This doesn't define it per application but at least limits use of insecure types to Kerberos and any application using GnuTLS. I actually haven't tried this all.

Testing with this policy now and nope, Samba 4.15.3 says:
...
[2022/01/25 14:21:55.930113, 2, pid=16175] ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: dupa
[2022/01/25 14:21:55.947759, 1, pid=16175] ../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED

All these modifications of the policy will not change the fact that we do not implement modification of SAM entry in IPA SAM module. This means you are getting in a different code path here. So probably more changes to the policy are needed...

Here is something VERY ? peculiar...
1) I could both smbclient & ssh between IPA masters with passwords
2) I could ssh from a non-enrolled to IPA master with the password
3) non-enrolled smbclient _failed_ as with the log snippet, with password

then I looked at that Samba log again and did, on a master:

-> $ ipa passwd dupa

now I do ! can 3) WTF? I must say.

user was created by IPA with '--password --password-expiration=20310312232428Z' as args to 'ipa user-add'

So, the policy seems good!! but that 'monstrosity' ? anybody will agree will be a 'bug', right?

thanks, L.
[Freeipa-users] Re: crypto policies but for SAMBA only - ?
On 25/01/2022 12:11, Alexander Bokovoy wrote:

On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:

Hi guys.

If that can be news for some - I'd like to share a finding: it's possible to have ipa-integrated Samba serving non-enrolled clients, both Linux & Windows, with passwords for authentication. (which has been long & will continue to be a must-have for me)

Question for @devel - the above I get simply by switching to 'LEGACY' - is it possible to do that but only for IPA-Samba (+ whatever required bits) as opposed to system-wide? It would be great to have IPA capable of that - perhaps an "enhancement" to future releases.

FreeIPA is not a single application, so it is hard to apply that.

I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on top of AD-SUPPORT one? The following is what I have on Fedora 35:

$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
# AD-SUPPORT subpolicy is intended to be used in Active Directory
# environments where either accounts or trusted domain objects were not yet
# migrated to AES or future encryption types. Active Directory implicitly
# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+

Samba uses GnuTLS, so maybe expanding @gnutls scope in a similar way would work? E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that includes

cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+

and then set the system-wide policy to use DEFAULT:MY-MODULE as a policy. This doesn't define it per application but at least limits use of insecure types to Kerberos and any application using GnuTLS. I actually haven't tried this all.

Testing with this policy now and nope, Samba 4.15.3 says:
...
[2022/01/25 14:21:55.930113, 2, pid=16175] ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: dupa
[2022/01/25 14:21:55.947759, 1, pid=16175] ../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/25 14:21:55.947834, 2, pid=16175] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [dupa] -> [dupa] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/25 14:21:55.947889, 2, pid=16175] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [INCCN]\[dupa] at [Tue, 25 Jan 2022 14:21:55.947867 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [CCN-dupa] remote host [ipv4:10.8.0.144:59930] mapped to [INCCN]\[dupa]. local host [ipv4:10.8.0.1:445]
{"timestamp": "2022-01-25T14:21:55.948030+", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.8.0.1:445", "remoteAddress": "ipv4:10.8.0.144:59930", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "INCCN", "clientAccount": "dupa", "workstation": "CCN-dupa", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "dupa", "mappedDomain": "INCCN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24664}}

thanks, L.
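An added example, not part of the thread: the JSON "Authentication" record Samba writes alongside the human-readable auth log (the last line of the quoted excerpt) is the right thing to alert on, because it carries the account, the remote address, the password type and the NT status as structured fields. The parser below turns such records into per-account failure counts. The first sample record is the thread's own line; the other two are constructed. One caveat the thread itself illustrates: the failure here was a user without an NT hash, which Samba still reports as NT_STATUS_WRONG_PASSWORD, so the log alone cannot separate that from a genuinely bad password.

```python
"""Summarise Samba JSON authentication records by failed logon.

Added example (not from the mailing-list thread). Field names follow
the Samba JSON auth log record quoted in the thread (version 1.2).
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log: record 1 is the one quoted in the thread; the
# second (another failure) and third (a success, eventId 4624) are made up.
SAMPLE_LOG = """
{"timestamp": "2022-01-25T14:21:55.948030+", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.8.0.1:445", "remoteAddress": "ipv4:10.8.0.144:59930", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "INCCN", "clientAccount": "dupa", "workstation": "CCN-dupa", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "dupa", "mappedDomain": "INCCN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24664}}
{"timestamp": "2022-01-25T14:22:01.100000+", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.8.0.1:445", "remoteAddress": "ipv4:10.8.0.144:59931", "serviceDescription": "SMB2", "clientDomain": "INCCN", "clientAccount": "dupa", "workstation": "CCN-dupa", "mappedAccount": "dupa", "mappedDomain": "INCCN", "passwordType": "NTLMv2", "duration": 20000}}
[2022/01/25 14:22:01.100100, 2, pid=16175] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
{"timestamp": "2022-01-25T14:30:00.000000+", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.8.0.1:445", "remoteAddress": "ipv4:10.8.0.144:59940", "serviceDescription": "SMB2", "clientDomain": "INCCN", "clientAccount": "dupa", "workstation": "CCN-dupa", "mappedAccount": "dupa", "mappedDomain": "INCCN", "passwordType": "NTLMv2", "duration": 18000}}
"""


def remote_ip(addr: str) -> str:
    """Strip the 'ipv4:'/'ipv6:' family prefix and the trailing port."""
    _family, _, rest = addr.partition(":")
    ip, _, _port = rest.rpartition(":")
    return ip


def parse_auth_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Pick the JSON Authentication records out of a mixed Samba log."""
    events: List[Dict[str, object]] = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # human-readable log lines share the same file
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        auth = rec["Authentication"]
        events.append({
            "timestamp": rec.get("timestamp"),
            "event_id": auth.get("eventId"),
            "status": auth.get("status"),
            "account": f"{auth.get('clientDomain')}\\{auth.get('clientAccount')}",
            "remote_ip": remote_ip(auth.get("remoteAddress", "")),
            "password_type": auth.get("passwordType"),
        })
    return events


def failed_logons(events: List[Dict[str, object]]) -> Counter:
    """Count failures (eventId 4625) per (account, remote_ip)."""
    counts: Counter = Counter()
    for e in events:
        if e["event_id"] == 4625:
            counts[(e["account"], e["remote_ip"])] += 1
    return counts


def summarize(log_text: str, threshold: int = 2) -> Dict[Tuple[str, str], int]:
    """Pairs at or above the failure threshold; tune threshold per site."""
    counts = failed_logons(parse_auth_events(log_text.splitlines()))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (account, ip), n in summarize(SAMPLE_LOG).items():
        print(f"{n} failed logons for {account} from {ip}")
```

Pointing it at a live server means reading the file that `log level = 2 auth_json_audit:3` (or the equivalent `auth_audit` setting) writes to; the functions only need the JSON lines, so the human-readable entries in between are skipped.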
[Freeipa-users] Re: IPA removal/uninstall renders box unable to login, including console - ?
On 25/01/2022 11:45, lejeczek via FreeIPA-users wrote:

I'm not trying '.autorelabel' though I doubt I will fix the 'uninstall' issue permanently.

I meant to say 'now trying' - and have tried - this time the first re/boot with '.autorelabel' the OS was free from the 'login ssh/console' problem. (and no AVC denials as just after 'uninstall')

thanks, L
[Freeipa-users] crypto policies but for SAMBA only - ?
Hi guys.

If that can be news for some - I'd like to share a finding: it's possible to have ipa-integrated Samba serving non-enrolled clients, both Linux & Windows, with passwords for authentication. (which has been long & will continue to be a must-have for me)

Question for @devel - the above I get simply by switching to 'LEGACY' - is it possible to do that but only for IPA-Samba (+ whatever required bits) as opposed to system-wide? It would be great to have IPA capable of that - perhaps an "enhancement" to future releases.

many thanks, L.
[Freeipa-users] Re: IPA removal/uninstall renders box unable to login, including console - ?
On 19/01/2022 16:34, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys.

Has anybody seen, experienced that/similar? - this is a second master from which I uninstalled IPA successfully, cleanly, and immediately after reboot the system does not log in users (not even tty console). Something to do with SELinux/fcontext - I had to default-policy relabel the whole '/etc'.

I've never seen a report of this, and our automated testing does a lot of install/re-install but generally lacks a reboot.

Can you provide the AVCs for the failures?

rob

Immediately after 'uninstall', before reboot, issues arise:

-> $ journalctl -lf -o cat -u sshd
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
fatal: Access denied for user root by PAM account configuration [preauth]
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
fatal: Access denied for user root by PAM account configuration [preauth]
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for password-auth
PAM _pam_load_conf_file: unable to open config for postlogin
fatal: Access denied for user root by PAM account configuration [preauth]

'journal' full of denials:

If you believe that sshd should be allowed read access on the password-auth file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

AnalyzeThread.run(): Set alarm timeout to 10
AnalyzeThread.run(): Cancel pending alarm
AVC Message for setroubleshoot, dropping message
AVC Message for setroubleshoot, dropping message
AVC Message for setroubleshoot, dropping message
SELinux is preventing /usr/sbin/sshd from read access on the file password-auth. For complete SELinux messages run: sealert -l 4aaa291e-a99a-439a-97e1-c810df760e9d
SELinux is preventing /usr/sbin/sshd from read access on the file password-auth.

* Plugin catchall_labels (83.8 confidence) suggests ***

If you want to allow sshd to have read access on the password-auth file
Then you need to change the label on password-auth
Do
# semanage fcontext -a -t FILE_TYPE 'password-auth'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_tmp_t, abrt_etc_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t,..
...

If you believe that sshd should be allowed read access on the nsswitch.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                nsswitch.conf [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port
Host                          sucker.private.ccn
Source RPM Packages           openssh-server-8.0p1-12.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-86.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-86.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sucker.private.ccn
Platform                      Linux sucker.private.ccn 4.18.0-358.el8.x86_64 #1 SMP Mon Jan 10 13:11:20 UTC 2022 x86_64 x86_64
Alert Count                   425
First Seen                    2022-01-25 11:11:34 GMT
Last Seen                     2022-01-25 11:15:47 GMT
Local ID                      4aaa291e-a99a-439a-97e1-c810df760e9d

Raw Audit Messages
type=AVC msg=audit(1643109347.32:6982): avc: denied { read } for pid=28594 comm="sshd" name="nsswitch.conf" dev="vda1" ino=13336622 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1643109347.32:6982): arch=x86_64 syscall=openat success=no exit=EACCES a0=ff9c a1=7f93cdee1041 a2=8 a3=0 items=0 ppid=27
[Freeipa-users] Re: CA - does it make sense with globbing/wildcard
On 24/01/2022 11:13, lejeczek via FreeIPA-users wrote:

On 21/01/2022 23:09, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

I'm for the first time contemplating CA service from a public CA to subordinate IPA to it - would it make sense with a *.sub.domain cert, if one already has such a cert from that public CA, to still want to sub IPA's CA? (not a CA expert so go easy on me)

I'm not quite sure I understand the question. I think what you're asking is: I have a wildcard cert from a public CA. Is that sufficient or should I get my IPA CA signed by the public CA?

For the first question, maybe. You can replace the IPA web and LDAP certificates with the one from the public CA but it requires manual intervention at renewal and the more you share that key around the less secure it is in general.

For the second question, I seriously doubt a public CA will sign an IPA CA because of policies. And if they did you'd need a small fortune to do it.

rob

That is pretty much what I wondered about. Now trying that first thing with "maybe", IPA is not happy. I've added Root CAs but:

-> $ ipa-server-certinstall -w -d private_key.key ssl_certificate.cer
Directory Manager password:
Enter private key unlock password:
cannot connect to 'https://sucker.private:443/acme/directory': [Errno 111] Connection refused
The ipa-server-certinstall command failed.
...

No KRA in this domain - is that why?

Such a silly thing, it did not cross my mind to check 'httpd', which crashed.
[Freeipa-users] Re: CA - does it make sense with globbing/wildcard
On 21/01/2022 23:09, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

I'm for the first time contemplating CA service from a public CA to subordinate IPA to it - would it make sense with a *.sub.domain cert, if one already has such a cert from that public CA, to still want to sub IPA's CA? (not a CA expert so go easy on me)

I'm not quite sure I understand the question. I think what you're asking is: I have a wildcard cert from a public CA. Is that sufficient or should I get my IPA CA signed by the public CA?

For the first question, maybe. You can replace the IPA web and LDAP certificates with the one from the public CA but it requires manual intervention at renewal and the more you share that key around the less secure it is in general.

For the second question, I seriously doubt a public CA will sign an IPA CA because of policies. And if they did you'd need a small fortune to do it.

rob

That is pretty much what I wondered about. Now trying that first thing with "maybe", IPA is not happy. I've added Root CAs but:

-> $ ipa-server-certinstall -w -d private_key.key ssl_certificate.cer
Directory Manager password:
Enter private key unlock password:
cannot connect to 'https://sucker.private:443/acme/directory': [Errno 111] Connection refused
The ipa-server-certinstall command failed.
...

No KRA in this domain - is that why?

many thanks, L.
[Freeipa-users] CA - does it make sense with globbing/wildcard
Hi guys

I'm for the first time contemplating CA service from a public CA to subordinate IPA to it - would it make sense with a *.sub.domain cert, if one already has such a cert from that public CA, to still want to sub IPA's CA?
(not a CA expert so go easy on me)

many thanks, L.
[Freeipa-users] Re: IPA removal/uninstall renders box unable to login, including console - ?
On 19/01/2022 16:34, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> Has anybody seen, experienced that/similar? - this is a second master from which I uninstalled IPA successfully, cleanly, and immediately after reboot the system does not log in users (not even tty console)
>> Something to do with SELinux/fcontext - I had to def-policy-relabel the whole '/etc'
>
> I've never seen a report of this, and our automated testing does a lot of install/re-install but generally lacks a reboot.
>
> Can you provide the AVCs for the failures?
>
> rob

These two boxes got "cleaned up" and became a production env - cannot do - but I will try to reproduce in a lab and will report back if I have anything.

thanks, L
[Freeipa-users] IPA removal/uninstall renders box unable to login, including console - ?
Hi guys.

Has anybody seen, experienced that/similar? - this is a second master from which I uninstalled IPA successfully, cleanly, and immediately after reboot the system does not log in users (not even tty console)
Something to do with SELinux/fcontext - I had to def-policy-relabel the whole '/etc'

many thanks, L.
[Freeipa-users] Re: DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by
On 18/01/2022 13:36, lejeczek via FreeIPA-users wrote:
> Hi guys,
> That's new, well, I've never seen it. I got on a replica candidate so I thought I'd make a first new master and yet:
>
> -> $ ipa-server-install --setup-dns --setup-kra --no-forwarders --idstart=5740 --admin-password=diradm --ds-password=dirsrv --enable-compat --setup-adtrust
> ...
>   [6/9]: configure certificate renewals
>   [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
> org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
> The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> in log file:
> ...
> 2022-01-18T13:30:02Z DEBUG   [6/9]: configure certificate renewals
> 2022-01-18T13:30:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2022-01-18T13:30:03Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 486, in configure_renewal
>     profile=self.tracking_reqs[nickname],
>   File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 576, in start_tracking
>     result = cm.obj_if.add_request(params)
>   File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
>     **keywords)
>   File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
>     message, timeout)
> dbus.exceptions.DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
>
> 2022-01-18T13:30:03Z DEBUG   [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
> 2022-01-18T13:30:03Z DEBUG Removing /var/lib/ipa/tmp-brry92se
> 2022-01-18T13:30:03Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
> 2022-01-18T13:30:03Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
>     return cfgr.run()
>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
>     return self.execute()
>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
>     for rval in self._executor():
>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
>
> How could this be, with first master??
>
> many thanks, L.

I've missed the following the first time on that failing box:

-> $ ipa-server-install --uninstall
...
If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss.
Are you sure you want to continue with the uninstall procedure? [no]: yes
Failed to get request: Criteria expected to be met by 1 request, got 2.
certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2.
Failed to get request: Criteria expected to be met by 1 request, got 2.
certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2.
Failed to get request: Criteria expected to be met by 1 request, got 2.
certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2.
Shutting down all IPA services
Failed to remove DS instance. No serverid present in sysrestore file.
Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
 # getcert list
These may be untracked by executing
 # getcert stop-tracking -i <request_id>
for each id in: 20210709164208, 20210709164209, 20210709164210, 20220116175552, 20220116175553, 20220116175554
Removing IPA client configuration
The ipa-client-install command was successful
The ipa-server-install command was successful

What would that be a symptom of, and why would '--uninstall' not take care of such a case? (where never any CA management took place outside of IPA)

many thanks, L.
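The uninstall output above names six request IDs that certmonger may still track at locations a reinstall will want to reuse. The script below, added here as an illustration (it is not from the list post or from FreeIPA), parses `getcert list` output and reports every certificate location tracked by more than one request, which is the condition behind the certmonger.duplicate error; the sample output is constructed, and the field layout it relies on (a `Request ID '...':` header followed by a `certificate: type=...,location=...,nickname=...` line) is assumed to match getcert's text format.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample in the shape of `getcert list` output: two requests track the
# same NSS database entry (the situation behind "Certificate at same location is
# already used by request with nickname ..."); a third tracks a file-based cert.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20210709164208':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\ttrack: yes
\tauto-renew: yes
Request ID '20220116175552':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\ttrack: yes
\tauto-renew: yes
Request ID '20220116175555':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
CERT_RE = re.compile(r"^\s*certificate: (.*)$")
# key=value pairs; quoted values may contain commas and spaces
KV_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")


def parse_getcert_list(text):
    """Map each request ID to the parsed fields of its 'certificate:' line."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = m.group(1)
            requests[current] = {}
            continue
        m = CERT_RE.match(line)
        if m and current is not None:
            for key, value in KV_RE.findall(m.group(1)):
                requests[current][key] = value.strip("'")
    return requests


def find_duplicate_locations(requests):
    """Return {(type, location, nickname): [request IDs]} for every certificate
    location tracked by more than one request. IDs are sorted; certmonger
    request IDs are timestamps, so the first one is the oldest."""
    by_location = defaultdict(list)
    for req_id, cert in requests.items():
        if "location" not in cert:
            continue  # request without a parsable certificate line
        key = (cert.get("type"), cert["location"], cert.get("nickname"))
        by_location[key].append(req_id)
    return {key: sorted(ids) for key, ids in by_location.items() if len(ids) > 1}


def stop_tracking_commands(duplicates):
    """Suggest `getcert stop-tracking` for every request beyond the oldest at
    each duplicated location. Which request is the live one is a human
    decision, so the commands are returned for review, not executed."""
    commands = []
    for ids in duplicates.values():
        for req_id in ids[1:]:
            commands.append(f"getcert stop-tracking -i {req_id}")
    return commands


def live_getcert_list():
    """Run the real `getcert list` (as root on the IPA server); fall back to the
    constructed sample when getcert is unavailable so the script runs offline."""
    try:
        return subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_GETCERT_LIST


if __name__ == "__main__":
    dups = find_duplicate_locations(parse_getcert_list(live_getcert_list()))
    for (ctype, location, nickname), ids in dups.items():
        print(f"{ctype} {location} nickname={nickname!r}: tracked by {', '.join(ids)}")
    for cmd in stop_tracking_commands(dups):
        print("review, then run:", cmd)
```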
[Freeipa-users] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by
Hi guys,

That's new, well, I've never seen it. I got on a replica candidate so I thought I'd make a first new master and yet:

-> $ ipa-server-install --setup-dns --setup-kra --no-forwarders --idstart=5740 --admin-password=diradm --ds-password=dirsrv --enable-compat --setup-adtrust
...
  [6/9]: configure certificate renewals
  [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

in log file:
...
2022-01-18T13:30:02Z DEBUG   [6/9]: configure certificate renewals
2022-01-18T13:30:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-01-18T13:30:03Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 486, in configure_renewal
    profile=self.tracking_reqs[nickname],
  File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 576, in start_tracking
    result = cm.obj_if.add_request(params)
  File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".

2022-01-18T13:30:03Z DEBUG   [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
2022-01-18T13:30:03Z DEBUG Removing /var/lib/ipa/tmp-brry92se
2022-01-18T13:30:03Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2022-01-18T13:30:03Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception

How could this be, with first master??

many thanks, L.
[Freeipa-users] Re: healthcheck - Invalid PKI instance: pki-tomcat
On 18/01/2022 11:23, lejeczek via FreeIPA-users wrote:
> Hi guys.
> Adding a second master failed a number of times so I did go without '--setup-ca'; now on that master I get lots of:
>
> Invalid PKI instance: pki-tomcat:
>   {
>     "source": "pki.server.healthcheck.certs.expiration",
>     "check": "CASystemCertExpiryCheck",
>     "result": "CRITICAL",
>     "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
>     "when": "20220118102040Z",
>     "duration": "0.000175",
>     "kw": {
>       "msg": "Invalid PKI instance: pki-tomcat"
>     }
>   },
> ...
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR",
>     "uuid": "fb01a7bd-3457-4007-8c3d-2e23b6df",
>     "when": "20220118102040Z",
>     "duration": "0.006617",
>     "kw": {
>       "key": "20210709164208",
>       "dbdir": "/etc/pki/pki-tomcat/alias",
>       "nickname": "auditSigningCert cert-pki-kra",
>       "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
>       "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"
>     }
>   },
> ..
>
> The first master's healthcheck does not mention these problems.
> Is it that IPA - falsely - believes that this second master is CA/KRA? If so, then how to resolve this - this second master, according to '--uninstall', was removed successfully (each time '--setup-ca' failed)
>
> many thanks, L.

And when the CA install fails on that replica candidate, it does so each time with:

...
FINE: - subject: SYSTEM
FINE: PKIClientSocketListener.alertSent: begins
FINE: PKIClientSocketListener.alertSent: got description:0
FINE: PKIClientSocketListener.alertSent: got reason:clientAlertSent: CLOSE_NOTIFY
FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED
FINE: PKIClientSocketListener: SSL alert sent:
FINE: - reason: clientAlertSent: CLOSE_NOTIFY
FINE: - client: 10.0.0.8
FINE: - server: 10.0.0.8
FINE: - subject: SYSTEM
FINE: - server port: 636
com.netscape.certsrv.base.ConflictingOperationException: Entry already exists.
	at com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
	at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
	at org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
	at org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
Caused by: netscape.ldap.LDAPException: error result (68); Already exists
	at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
	at netscape.ldap.LDAPConnection.add(Unknown Source)
	at netscape.ldap.LDAPConnection.add(Unknown Source)
	at netscape.ldap.LDAPConnection.add(Unknown Source)
	at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
	... 7 more

CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-user-add', '--full-name', 'CA-midway.abba.xx.priv.yy-8443', '--type', 'agentType', '--state', '1', '--debug', 'CA-midway.abba.xx.priv.yy-8443']' returned non-zero exit status 255.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 740, in spawn
    deployer.setup_subsystem_user(instance, subsystem, system_certs['subsystem'])
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1040, in setup_subsystem_user
    state='1')
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1521, in add_user
    capture_output=True)
[Freeipa-users] healthcheck - Invalid PKI instance: pki-tomcat
Hi guys.

Adding a second master failed a number of times so I did go without '--setup-ca'; now on that master I get lots of:

Invalid PKI instance: pki-tomcat:
  {
    "source": "pki.server.healthcheck.certs.expiration",
    "check": "CASystemCertExpiryCheck",
    "result": "CRITICAL",
    "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
    "when": "20220118102040Z",
    "duration": "0.000175",
    "kw": {
      "msg": "Invalid PKI instance: pki-tomcat"
    }
  },
...
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertfileExpirationCheck",
    "result": "ERROR",
    "uuid": "fb01a7bd-3457-4007-8c3d-2e23b6df",
    "when": "20220118102040Z",
    "duration": "0.006617",
    "kw": {
      "key": "20210709164208",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "nickname": "auditSigningCert cert-pki-kra",
      "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
      "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"
    }
  },
..

The first master's healthcheck does not mention these problems.
Is it that IPA - falsely - believes that this second master is CA/KRA? If so, then how to resolve this - this second master, according to '--uninstall', was removed successfully (each time '--setup-ca' failed)

many thanks, L.
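The entries quoted in this message and in the reply above are ipa-healthcheck's JSON report format: each result carries `source`, `check`, `result` and a `kw` dict whose `msg` is a template filled from the other `kw` keys. As an added example (not code from the post, from ipa-healthcheck or from FreeIPA), the script below loads such a report, expands the templates, lists failing checks worst first and collects the certmonger request IDs that the failing certificate checks refer to; the report text is constructed, with placeholder uuids and a made-up passing entry.

```python
import json
from collections import Counter

# Severity order of ipa-healthcheck result strings.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample in the shape of `ipa-healthcheck --output-type json`: the
# first two entries mirror the failures quoted in the post (uuids replaced by
# placeholders), the third is a made-up passing check.
SAMPLE_REPORT = json.dumps([
    {"source": "pki.server.healthcheck.certs.expiration",
     "check": "CASystemCertExpiryCheck", "result": "CRITICAL",
     "uuid": "00000000-0000-0000-0000-000000000001", "when": "20220118102040Z",
     "duration": "0.000175", "kw": {"msg": "Invalid PKI instance: pki-tomcat"}},
    {"source": "ipahealthcheck.ipa.certs",
     "check": "IPACertfileExpirationCheck", "result": "ERROR",
     "uuid": "00000000-0000-0000-0000-000000000002", "when": "20220118102040Z",
     "duration": "0.006617",
     "kw": {"key": "20210709164208", "dbdir": "/etc/pki/pki-tomcat/alias",
            "nickname": "auditSigningCert cert-pki-kra",
            "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
            "msg": "Request id {key}: Unable to retrieve cert '{nickname}' "
                   "from '{dbdir}': {error}"}},
    {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck",
     "result": "SUCCESS", "uuid": "00000000-0000-0000-0000-000000000003",
     "when": "20220118102040Z", "duration": "0.001200", "kw": {}},
])


def load_report(text):
    """Parse the JSON list that ipa-healthcheck writes."""
    return json.loads(text)


def render_message(entry):
    """kw['msg'] is a template whose {placeholders} are the other kw keys;
    expand it the way the human-readable output does."""
    kw = entry.get("kw", {})
    msg = kw.get("msg")
    if msg is None:
        return ""
    try:
        return msg.format(**kw)
    except (KeyError, IndexError, ValueError):
        return msg  # template names a key kw lacks; show it unexpanded


def failing_checks(report, min_result="WARNING"):
    """Entries at or above min_result, worst first, as
    (result, source, check, rendered message) tuples."""
    threshold = SEVERITY[min_result]
    hits = [(e["result"], e["source"], e["check"], render_message(e))
            for e in report if SEVERITY.get(e.get("result"), 0) >= threshold]
    return sorted(hits, key=lambda h: (-SEVERITY[h[0]], h[1], h[2]))


def certmonger_requests_in_failures(report):
    """Certmonger request IDs ('key' in kw) named by non-SUCCESS cert checks:
    the IDs to inspect with `getcert list -i <id>` when deciding whether
    tracking is stale on a server that no longer runs a CA/KRA."""
    return sorted({e["kw"]["key"] for e in report
                   if SEVERITY.get(e.get("result"), 0) > 0
                   and "key" in e.get("kw", {})})


def summarize(report):
    """Number of entries per result string."""
    return dict(Counter(e.get("result", "UNKNOWN") for e in report))


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(summarize(report))
    for result, source, check, message in failing_checks(report):
        print(f"{result:8} {source}.{check}: {message}")
    print("certmonger request IDs referenced:", certmonger_requests_in_failures(report))
```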
[Freeipa-users] Replica KRA install - Certificate at same location is already used
Hi guys.

Is this critical on its face, so that an un/reinstall is necessary, or can some troubleshooting still reveal it's all good?

...
  [4/10]: destroying installation admin user
  [5/10]: enabling ephemeral requests
  [6/10]: restarting KRA
  [7/10]: configure certmonger for renewals
  [8/10]: configure certificate renewals
  [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".

many thanks, L.
[Freeipa-users] Re: HA / high availability service - ?
On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:
> On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
>> On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
>>> Hi guys.
>>> I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that integrated Samba serves up under a different hostname/domain and serves non-enrolled clients (win 10) too.
>>> With new deployment, 4.9.6, just adding things to just DNS - which worked in that "old" domain - does _not_ do the trick. With only such "simple" DNS Samba does respond, clients connect and get a password prompt but Samba says:
>>> NT_STATUS_WRONG_PASSWORD
>>
>> That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but rather it is that non-enrolled clients, linux & windows, will fail even if trying a "legitimate" master's Samba.
>> Is that the default behavior in the current version - as I mentioned, my "old", with up-dates/grades, IPA allows non-enrolled - and if so can it be managed into allowing non-enrolled clients?
>
> Lately it seems so much of freeipa's developers' time is spent chasing Active Directory and related issues, when something 'breaks' 'a small business with a handful of windows boxes (maybe a mix of 'home' and 'professional' versions, and a mix of windows 7 or 8 or 10) sharing off of freeipa's samba instance with no domain capability, used very basic 'map network drive' and 'usernames and passwords' (entirely sufficient for most businesses which are small and will never have money enough for a full time IT staff member). I wonder if the upgrades still test for that 'widely needed not too technically exciting' setup.

I'm of that same mind and shared my thoughts on occasions such as this in the past.
That setup I did long ago was such that system policies needed to be 'LEGACY' and non-enrolled Linux & win clients connected to IPA deployed that way - off the LEGACY, worked beautifully with Samba - so, not much hacking.
I understand there might be large customers with large ADs with IPA only glued somewhere next to it, but the rest of us, I imagine, must be like that - small deployments which mix everything and do _not_! need AD, and securities... are taken care of with all sorts of other means.
I saw during one upgrade "CLASSIC IPA" - or something alike - migrated to "IPA PRIMARY" or something like that. I'd imagine that was when NEW installation changed so non-enrolled do not work now.
If I can vote, my vote shall go to - IPA devel re/consider changes to reintroduce (as an option) such a deployment mode where Samba would "weaken" the setup/config so all those non-enrolled customers can connect with _passwords_.

many thanks, L.

>> Log snippet off a master's Samba when a non-enrolled Linux connects:
>> ...
>> [2022/01/17 11:14:09.090933,  2, pid=35744] ipa_sam.c:3645(init_sam_from_ldap)
>>   init_sam_from_ldap: Entry found for user: me254
>> [2022/01/17 11:14:09.099720,  1, pid=35744] ../../source3/auth/check_samsec.c:454(check_sam_security)
>>   Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
>> [2022/01/17 11:14:09.099758,  2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
>>   check_ntlm_password: Authentication for user [me254] -> [me254] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>> [2022/01/17 11:14:09.099793,  2, pid=35744] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
>>   Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\[me254]. local host [ipv4:10.0.0.16:445]
>>   {"timestamp": "2022-01-17T11:14:09.099858+", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "me254", "mappedDomain": "CCN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 12172}}
[Freeipa-users] Re: on stand-alone detached master - force-add KRA - ?
On 17/01/2022 16:20, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> Hi guys
>> Is it possible on a detached master to setup KRA, as if it was first master?
>
> What is a detached master and why do you need to "force" install a KRA on it?
>
> Assuming it's a server from an existing installation you've removed all replication with, does the existing install already have a KRA?
>
> What's the use-case?
>
> rob

A box which, as a master, was no 'kra' was physically detached, then replication was removed with 'ipa-x-manage'. Now it is:

-> $ ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: abba.xx.priv.yy
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=ABBA.XX.PRIV.YY
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: first.abba.xx.priv.yy
  IPA master capable of PKINIT: first.abba.xx.priv.yy
  IPA CA servers: first.abba.xx.priv.yy
  IPA CA renewal master: first.abba.xx.priv.yy
  IPA DNS servers: first.abba.xx.priv.yy

I thought it would work as a new first master:

-> $ ipa-kra-install
Directory Manager password:
Failed to find an active KRA server!

To "convince" the master somehow, if possible, to install a new KRA on this "new-first" master would be neat.

many thanks, L.
[Freeipa-users] on stand-alone detached master - force-add KRA - ?
Hi guys

Is it possible on a detached master to setup KRA, as if it was first master?

many thanks, L.
[Freeipa-users] Re: HA / high availability service - ?
On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
> Hi guys.
> I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that integrated Samba serves up under a different hostname/domain and serves non-enrolled clients (win 10) too.
> With new deployment, 4.9.6, just adding things to just DNS - which worked in that "old" domain - does _not_ do the trick. With only such "simple" DNS Samba does respond, clients connect and get a password prompt but Samba says:
> NT_STATUS_WRONG_PASSWORD

That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but rather it is that non-enrolled clients, linux & windows, will fail even if trying a "legitimate" master's Samba.
Is that the default behavior in the current version - as I mentioned, my "old", with up-dates/grades, IPA allows non-enrolled - and if so can it be managed into allowing non-enrolled clients?

Log snippet off a master's Samba when a non-enrolled Linux connects:
...
[2022/01/17 11:14:09.090933,  2, pid=35744] ipa_sam.c:3645(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744] ../../source3/auth/check_samsec.c:454(check_sam_security)
  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [me254] -> [me254] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793,  2, pid=35744] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "me254", "mappedDomain": "CCN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 12172}}
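The JSON object at the end of the log snippet above is Samba's auth_json_audit record. As an added example (not from the post, from Samba or from FreeIPA), the script below pulls those records out of mixed smbd log text and counts failed logons per account and client address, so a burst of NT_STATUS_WRONG_PASSWORD can be reviewed by source rather than read line by line. The log lines are constructed; the field names follow the record quoted above, and the success record with eventId 4624 is assumed to be what Samba writes for an accepted logon.

```python
import json
from collections import Counter

# Constructed smbd log text: two human-readable lines as in the post, followed
# by one auth_json_audit record per authentication (two failures for the same
# account from one client, one success from another client).
SAMPLE_SMBD_LOG = "\n".join([
    '[2022/01/17 11:14:09.099720,  1, pid=35744] ../../source3/auth/check_samsec.c:454(check_sam_security)',
    '  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED',
    '[2022/01/17 11:14:09.099793,  2, pid=35744] ../../auth/auth_log.c:653(log_authentication_event_human_readable)',
    '  Auth: [SMB2,(null)] user [CCN]\\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\\[me254]. local host [ipv4:10.0.0.16:445]',
    '  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "mappedAccount": "me254", "mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 12172}}',
    '  {"timestamp": "2022-01-17T11:14:21.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55171", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "mappedAccount": "me254", "mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 11034}}',
    '  {"timestamp": "2022-01-17T11:15:02.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.7:49211", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "enrolled1", "workstation": "ENROLLED1", "mappedAccount": "enrolled1", "mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 830}}',
])

FAILED_LOGON = 4625  # eventId Samba uses for a rejected authentication


def parse_auth_events(text):
    """Extract every 'Authentication' JSON record from mixed smbd log text."""
    decoder = json.JSONDecoder()
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            obj, _ = decoder.raw_decode(line[start:])
        except json.JSONDecodeError:
            continue  # a human-readable line that happens to contain a brace
        if isinstance(obj, dict) and obj.get("type") == "Authentication":
            events.append(obj["Authentication"])
    return events


def peer_ip(addr):
    """'ipv4:10.0.0.6:55170' -> '10.0.0.6' (family prefix and port removed)."""
    for prefix in ("ipv4:", "ipv6:"):
        if addr.startswith(prefix):
            addr = addr[len(prefix):]
    return addr.rsplit(":", 1)[0]


def failure_counts(events):
    """Failed logons grouped by (account, client IP, NT status)."""
    counts = Counter(
        (ev.get("clientAccount"), peer_ip(ev.get("remoteAddress", "")), ev.get("status"))
        for ev in events if ev.get("eventId") == FAILED_LOGON)
    return dict(counts)


def repeated_failures(events, threshold=2):
    """(account, client IP) pairs with at least `threshold` failed logons: the
    list to review before deciding whether a WRONG_PASSWORD run is a client
    that cannot authenticate the way the server expects, as in the post, or
    something that needs blocking."""
    counts = Counter((ev.get("clientAccount"), peer_ip(ev.get("remoteAddress", "")))
                     for ev in events if ev.get("eventId") == FAILED_LOGON)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def modify_failures(text):
    """Count the check_sam_security 'Failed to modify entry' lines that in the
    post precede each WRONG_PASSWORD; a non-zero count with matching failures
    points at the server side rather than at the password typed."""
    return sum(1 for line in text.splitlines()
               if "Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED" in line)


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_SMBD_LOG)
    print("auth events:", len(events), "modify failures:", modify_failures(SAMPLE_SMBD_LOG))
    for (account, ip, status), n in failure_counts(events).items():
        print(f"{account}@{ip}: {n} x {status}")
    print("repeated:", repeated_failures(events))
```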
[Freeipa-users] Re: HA / high availability service - ?
On 17/01/2022 09:18, lejeczek via FreeIPA-users wrote:
> On 17/01/2022 06:19, Alexander Bokovoy wrote:
>> On Sun, 16 Jan 2022, lejeczek via FreeIPA-users wrote:
>>> Hi guys.
>>> I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that integrated Samba serves up under a different hostname/domain and serves non-enrolled clients (win 10) too.
>>> With new deployment, 4.9.6, just adding things to just DNS - which worked in that "old" domain - does _not_ do the trick. With only such "simple" DNS Samba does respond, clients connect and get a password prompt but Samba says:
>>> NT_STATUS_WRONG_PASSWORD
>>> How - if it should be possible at all - to have a service, say Samba, which would serve a "virtual" FQDN? - which would make a High-Available service for what I need.
>>> What I've tried so far - adding host/service - seems not good/enough.
>>
>> The only HA service supported by Samba upstream is use of CTDB over a distributed file system that supports required semantics.
>> https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba
>>
>> It is impossible to say what is the exact problem you have with your setup with that small amount of details. If you are already using CTDB, I'd suggest to share more of your configuration and logs. If you are not using CTDB for this configuration, there is most likely no way to help with that without going too deep into technical details and since this configuration would not be supported by either Samba or FreeIPA upstream, this would probably be a waste of everyone's time.
>
> It's purely about IPA - as mentioned, that "old" deployment of mine - where DNS would manage a record(s) for a HA non-real-host, where such a FQDN (under IPA's realm or outside of it (as I had it with the "old" domain)) would "float" between masters (following a floating IP).
> Really nothing else to be bothered with, certainly not at this point.
> Info I found on "clustered services" is pretty scarce - my opinion - I wish that covered Samba as one specific example, since Samba is - my opinion again - such an integral part of IPA.
> Such "clustered Samba" seems like what should work - for me - any of the masters' Samba serving a given HA-FQDN - the part needing careful fiddling would be kerberos, I presume.
>
> many thanks, L.

I realize one bit I might have left vague - Samba's customers/clients, those have no need to authenticate with Kerberos; password authentication is good enough (what my "old" IPA does).
[Freeipa-users] Re: HA / high availability service - ?
On 17/01/2022 06:19, Alexander Bokovoy wrote:
> On Sun, 16 Jan 2022, lejeczek via FreeIPA-users wrote:
>> Hi guys.
>> I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that integrated Samba serves up under a different hostname/domain and serves non-enrolled clients (win 10) too.
>> With new deployment, 4.9.6, just adding things to just DNS - which worked in that "old" domain - does _not_ do the trick. With only such "simple" DNS Samba does respond, clients connect and get a password prompt but Samba says:
>> NT_STATUS_WRONG_PASSWORD
>> How - if it should be possible at all - to have a service, say Samba, which would serve a "virtual" FQDN? - which would make a High-Available service for what I need.
>> What I've tried so far - adding host/service - seems not good/enough.
>
> The only HA service supported by Samba upstream is use of CTDB over a distributed file system that supports required semantics.
> https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba
>
> It is impossible to say what is the exact problem you have with your setup with that small amount of details. If you are already using CTDB, I'd suggest to share more of your configuration and logs. If you are not using CTDB for this configuration, there is most likely no way to help with that without going too deep into technical details and since this configuration would not be supported by either Samba or FreeIPA upstream, this would probably be a waste of everyone's time.

It's purely about IPA - as mentioned, that "old" deployment of mine - where DNS would manage a record(s) for a HA non-real-host, where such a FQDN (under IPA's realm or outside of it (as I had it with the "old" domain)) would "float" between masters (following a floating IP).
Really nothing else to be bothered with, certainly not at this point.
Info I found on "clustered services" is pretty scarce - my opinion - I wish that covered Samba as one specific example, since Samba is - my opinion again - such an integral part of IPA.
Such "clustered Samba" seems like what should work - for me - any of the masters' Samba serving a given HA-FQDN - the part needing careful fiddling would be kerberos, I presume.

many thanks, L.
[Freeipa-users] HA / high availability service - ?
Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that the integrated Samba serves up under a different hostname/domain and serves non-enrolled clients (Win 10) too.

With a new deployment, 4.9.6, just adding things to DNS - which worked in that "old" domain - does _not_ do the trick. With only such "simple" DNS Samba does respond, clients connect and get a password prompt, but Samba says: NT_STATUS_WRONG_PASSWORD

How - if it should be possible at all - to have a service, say Samba, which would serve a "virtual" FQDN? - which would make a High-Available service for what I need.
What I've tried so far - adding host/service - seems not good/enough.

many thanks, L.
[Freeipa-users] SSH with password fails - 7 (Authentication failure)
Hi guys.

This has puzzled me and left me clueless. It's a fresh new deployment and still only a single master. Very first & only user and I cannot 'ssh' with a password - but a krb ticket I can obtain and 'ssh' with it successfully.

ssh logs:
..
pam_sss(sshd:auth): received for user bs58: 7 (Authentication failure)
..

with, in /etc/sssd/sssd.conf:
[pam]
debug_level=9

the only fail/error/warn in sssd_pam.log is:
..
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] service: sshd
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] tty: ssh
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] ruser: not set
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] rhost: 10.0.0.16
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] authtok type: 1 (Password)
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] newauthtok type: 0 (No authentication token available)
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] priv: 1
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] cli_pid: 25363
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] logon name: bs583
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] flags: 2
(2022-01-16 12:20:18): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2022-01-16 12:20:18): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2022-01-16 12:20:18): [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][ccn.private.com][CID #6]
(2022-01-16 12:20:18): [pam] [pam_reply] (0x4000): pam_reply initially called with result [7]: Authentication failure. this result might be changed during processing
(2022-01-16 12:20:18): [pam] [pam_reply] (0x0200): blen: 43
(2022-01-16 12:20:18): [pam] [pam_reply] (0x0200): Returning [7]: Authentication failure to the client [CID #6]
(2022-01-16 12:20:20): [pam] [client_recv] (0x0200): Client disconnected!
...

It's on Centos 8 with:
ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
sssd-ipa-2.5.2-2.el8_5.3.x86_64
krb5-libs-1.18.2-14.el8.x86_64

I've tried a higher 'debug_level' for other bits in '/etc/sssd/sssd.conf' but there is nothing 'abnormal' there - or I've gone blind.
All & any suggestions on how to troubleshoot/fix this very much appreciated.

many thanks, L.
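An added example for reading logs like the one above (not SSSD or FreeIPA code): it groups sssd_pam.log lines by their client ID (the "[CID #n]" tag), collects the pam_print_data fields of each request, and attaches the result code the backend returned in the pam_dp_send_req_done line, so that failed requests can be listed with service, remote host, logon name and authtok type side by side. The sample lines are constructed from the excerpt in the post, plus one made-up successful request (CID #7) so the failure filter has something to drop.

```python
"""Triage helper for sssd_pam.log: group lines by CID and summarise each PAM
request with the result code the backend returned.  Added example, not SSSD
or FreeIPA code; SAMPLE_LOG is constructed from the post (CID #6) plus one
invented successful request (CID #7)."""
import re
from collections import defaultdict

# "(ts): [pam] [pam_print_data] (0x0100): [CID #6] key: value"
PRINT_DATA = re.compile(
    r"^\((?P<ts>[^)]+)\): \[pam\] \[pam_print_data\] \(0x[0-9a-f]+\): "
    r"\[CID #(?P<cid>\d+)\] (?P<key>[^:]+): (?P<val>.*)$")
# "(ts): [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][domain][CID #6]"
DP_DONE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[pam\] \[pam_dp_send_req_done\] \(0x[0-9a-f]+\): "
    r"received: \[(?P<code>\d+) \((?P<text>[^)]+)\)\]\[(?P<domain>[^\]]*)\]\[CID #(?P<cid>\d+)\]$")

PAM_SUCCESS = 0  # Linux-PAM pam_constants.h; 7 is PAM_AUTH_ERR

SAMPLE_LOG = """\
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] service: sshd
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] tty: ssh
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] ruser: not set
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] rhost: 10.0.0.16
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] authtok type: 1 (Password)
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] logon name: bs583
(2022-01-16 12:20:18): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2022-01-16 12:20:18): [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][ccn.private.com][CID #6]
(2022-01-16 12:20:18): [pam] [pam_reply] (0x0200): Returning [7]: Authentication failure to the client [CID #6]
(2022-01-16 12:20:20): [pam] [client_recv] (0x0200): Client disconnected!
(2022-01-16 12:25:01): [pam] [pam_print_data] (0x0100): [CID #7] service: sshd
(2022-01-16 12:25:01): [pam] [pam_print_data] (0x0100): [CID #7] rhost: 10.0.0.17
(2022-01-16 12:25:01): [pam] [pam_print_data] (0x0100): [CID #7] authtok type: 1 (Password)
(2022-01-16 12:25:01): [pam] [pam_print_data] (0x0100): [CID #7] logon name: bs583
(2022-01-16 12:25:01): [pam] [pam_dp_send_req_done] (0x0200): received: [0 (Success)][ccn.private.com][CID #7]
"""


def parse_pam_log(lines):
    """Return {cid: fields}: the pam_print_data key/values of each request plus
    'result', 'result_text' and 'domain' once the backend has answered."""
    requests = defaultdict(dict)
    for line in lines:
        line = line.strip()
        m = PRINT_DATA.match(line)
        if m:
            requests[int(m["cid"])][m["key"]] = m["val"]
            continue
        m = DP_DONE.match(line)
        if m:
            req = requests[int(m["cid"])]
            req["result"] = int(m["code"])
            req["result_text"] = m["text"]
            req["domain"] = m["domain"]
    return dict(requests)


def failed_requests(requests):
    """Only the requests whose backend answered with a non-zero PAM code."""
    return {cid: r for cid, r in requests.items()
            if r.get("result", PAM_SUCCESS) != PAM_SUCCESS}


def summarize(cid, req):
    """One line per request; the logon name is shown so it can be compared
    with the user name in the matching pam_sss(sshd:auth) message."""
    return (f"CID #{cid}: {req.get('service', '?')} from {req.get('rhost', '?')} "
            f"user={req.get('logon name', '?')} authtok={req.get('authtok type', '?')} "
            f"-> {req.get('result', '?')} ({req.get('result_text', 'no reply seen')}) "
            f"domain={req.get('domain', '?')}")


if __name__ == "__main__":
    reqs = parse_pam_log(SAMPLE_LOG.splitlines())
    for cid, req in sorted(failed_requests(reqs).items()):
        print(summarize(cid, req))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/sssd/sssd_pam.log (the [pam] section needs debug_level high enough for pam_print_data lines, as in the post); the domain in the pam_dp_send_req_done line tells you which backend (the IPA provider here) produced the failure, which is where to raise debug_level next.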
[Freeipa-users] Re: DNSSEC - File.cpp(94): Could not open the file
On 12/01/2022 18:31, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys

When I sign a zone I get lots of:
...
File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/26365760-a70d-19be-2db1-a80adc796477.object
File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/9776a26e-2ad9-1b46-b65c-11265eee7fbd.object
File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/9776a26e-2ad9-1b46-b65c-11265eee7fbd.object
zone private.road/IN (signed): sending notifies (serial 1642004083)
client @0x7f8f7c1948b8 10.3.1.99#39887: received notify for zone 'private.road'

Are those a reason to worry & investigate? If not, then what do they translate to?

I'd start by checking for SELinux AVCs and FS permissions. I seem to recall that another user has reported a race condition related to softhsm2.

rob

folder and its content:
drwxrws---. 2 ods named 12288 Jan 12 16:14 /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/

fcontext labels are as the policies dictate, no SELinux issues unless some things are denied silently.
This is on Centos 9 - should I make it a BZ?

thanks, L.
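The "FS permissions" check Rob suggests, as an added example (not FreeIPA code): the token directory in the listing above is owned by ods with group named and is setgid, so every *.object file under it has to carry group named and the group read bit for a process running as named to open it. The script walks one token directory and reports anything that breaks that. The paths and the ods/named ownership come from the thread; treating named as the group that must be able to read the objects is an assumption about the default FreeIPA DNSSEC layout, and the sample directory it builds when run without arguments is constructed, not real token data.

```python
"""Audit a FreeIPA DNSSEC SoftHSM token directory for group readability.
Added example, not FreeIPA code.  Assumes (from the listing in the thread)
that objects must be readable by the 'named' group; run as root with the
token directory as the first argument, e.g.
  audit.py /var/lib/ipa/dnssec/tokens/<token-id>/ named"""
import grp
import os
import stat
import sys
import tempfile


def audit_token_dir(path, gid):
    """Return a list of (path, problem) for everything that would stop a process
    running with group `gid` from reading the token objects; empty means OK."""
    problems = []
    st = os.stat(path)
    if st.st_gid != gid:
        problems.append((path, f"directory group is gid {st.st_gid}, expected {gid}"))
    if not (st.st_mode & stat.S_IRGRP and st.st_mode & stat.S_IXGRP):
        problems.append((path, f"mode {oct(stat.S_IMODE(st.st_mode))} lacks group r+x"))
    if not st.st_mode & stat.S_ISGID:
        # the thread's listing shows drwxrws---: without setgid, objects written by
        # the ods user would get ods's primary group instead of named
        problems.append((path, "setgid bit not set; new objects will not inherit the group"))
    for name in sorted(os.listdir(path)):
        if not name.endswith(".object"):
            continue
        full = os.path.join(path, name)
        fst = os.stat(full)
        if fst.st_gid != gid:
            problems.append((full, f"group is gid {fst.st_gid}, expected {gid}"))
        if not fst.st_mode & stat.S_IRGRP:
            problems.append((full, f"mode {oct(stat.S_IMODE(fst.st_mode))} lacks group read"))
    return problems


def make_sample_token_dir():
    """Constructed stand-in for a token directory: one readable object and one
    whose group read bit is missing, owned by the current user and group.
    Returns (directory, gid to audit against)."""
    d = tempfile.mkdtemp(prefix="token-")
    os.chmod(d, 0o2770)
    for name, mode in (("ok.object", 0o640), ("broken.object", 0o600)):
        p = os.path.join(d, name)
        with open(p, "w"):
            pass
        os.chmod(p, mode)
    return d, os.stat(d).st_gid


if __name__ == "__main__":
    if len(sys.argv) > 1:
        token_dir = sys.argv[1]
        group = sys.argv[2] if len(sys.argv) > 2 else "named"
        gid = grp.getgrnam(group).gr_gid
    else:
        token_dir, gid = make_sample_token_dir()
    for p, why in audit_token_dir(token_dir, gid):
        print(f"{p}: {why}")
```

If the audit comes back clean but named still logs "Permission denied", the remaining suspects are the ones Rob names: an SELinux denial (check with ausearch -m AVC; a dontaudit rule can hide it until semodule -DB is run) or a race in which named opens an object that softhsm2 is still writing.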
[Freeipa-users] DNSSEC - File.cpp(94): Could not open the file
Hi guys

When I sign a zone I get lots of:
...
File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/26365760-a70d-19be-2db1-a80adc796477.object
File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/9776a26e-2ad9-1b46-b65c-11265eee7fbd.object
File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/4ee2f633-3b2a-ef03-6909-473386d17234/9776a26e-2ad9-1b46-b65c-11265eee7fbd.object
zone private.road/IN (signed): sending notifies (serial 1642004083)
client @0x7f8f7c1948b8 10.3.1.99#39887: received notify for zone 'private.road'

Are those a reason to worry & investigate? If not, then what do they translate to?

many thanks, L
[Freeipa-users] DNS forward zone - ? - does not forward
Hi guys

I have a basic fwd zone:

-> $ ipa dnsforwardzone-show private.lot. --all --rights
  dn: idnsname=private.lot.,cn=dns,dc=mine,dc=private
  Zone name: private.lot.
  Active zone: TRUE
  Zone forwarders: 10.3.1.221, 10.3.1.222
  Forward policy: only
  attributelevelrights: {'objectclass': 'rscwo', 'aci': 'rscwo', 'idnsname': 'rscwo', 'idnszoneactive': 'rscwo', 'idnsforwarders': 'rscwo', 'idnsforwardpolicy': 'rscwo', 'nsaccountlock': 'rscwo'}
  objectclass: top, idnsforwardzone

but:

-> $ host c8kubernode2.private.lot
Host c8kubernode2.private.lot not found: 2(SERVFAIL)

and when I'm looking at the forwarded-to server (also IPA) it does _not_ seem like queries even get to it.
This got me pretty puzzled and the only thing that gets me suspicious is - forwarding-from & forwarded-to are on the same IP subnet and IPA is silently unhappy about it? What else can it be?

many thanks, L.
[Freeipa-users] Re: 2 conflict entries found under the replication suffix o=ipaca - ? - issue
On 05/01/2022 12:47, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

On 04/01/2022 22:09, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys.

-> $ ipa-healthcheck
..
{
  "source": "ipahealthcheck.ds.replication",
  "check": "ReplicationCheck",
  "result": "WARNING",
  "uuid": "7ff8f869-36c8-411c-9c44-7cb323deaf95",
  "when": "20220104193941Z",
  "duration": "0.574693",
  "kw": {
    "key": "DSREPLLE0002",
    "items": [
      "Replication",
      "Conflict Entries"
    ],
    "msg": "There were 2 conflict entries found under the replication suffix \"o=ipaca\"."
  }

I have found some old tips here from the list but I'm not sure what to do with it.

-> $ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: nsds5ReplConflict
#

# 7c395f01-6d6211ec-a624dc4c-7402d017 + admin-dzien.mine.private, people, ipaca
dn: nsuniqueid=7c395f01-6d6211ec-a624dc4c-7402d017+uid=admin-dzien.mine.private,ou=people,o=ipaca
nsds5ReplConflict: namingConflict (ADD) uid=admin-dzien.mine.private,ou=people,o=ipaca

# e6ed9901-6d6811ec-affe8b51-4855b2e0 + admin-swir.mine.private, people, ipaca
dn: nsuniqueid=e6ed9901-6d6811ec-affe8b51-4855b2e0+uid=admin-swir.mine.private,ou=people,o=ipaca
nsds5ReplConflict: namingConflict (ADD) uid=admin-swir.mine.private,ou=people,o=ipaca

Remove either entries?

I'd suggest dropping the attribute list and looking at the entire conflict entry just to see if anything else was included. Chances are that yes, these can both be dropped.

I assume that the CA is otherwise working fine? I'm curious how this came about. Were you standing up a bunch of new servers simultaneously?

rob

From looking at the 'raw' LDAP tree I would not know - is there a way to confirm/validate CA health?

What I'm asking is what does the rest of the conflict entry contain?

healthcheck does some basic validation by retrieving a certificate and testing that some certificates aren't revoked.

Given that this failed on an ADD it means that the entry was already properly created on a different server, which is why it should be safe to remove the conflict entries. If you want to hedge your bet, assuming the conflict contains anything useful, you can save off a copy of it before removing it.

rob

-> $ ldapsearch -LLL -H ldaps://$(hostname) -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'
Enter LDAP Password:
dn: nsuniqueid=7c395f01-6d6211ec-a624dc4c-7402d017+uid=admin-dzien.mine.private,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
objectClass: extensibleobject
objectClass: ldapsubentry
uid: admin-dzien.mine.private
cn: admin-dzien.mine.private
sn: admin-dzien.mine.private
usertype: adminType
userstate: 1
userPassword:: e..

dn: nsuniqueid=e6ed9901-6d6811ec-affe8b51-4855b2e0+uid=admin-swir.mine.private,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
objectClass: extensibleobject
objectClass: ldapsubentry
uid: admin-swir.mine.private
cn: admin-swir.mine.private
sn: admin-swir.mine.private
usertype: adminType
userstate: 1
userPassword:: e..

The only thing I can think of was that on some (all? I'm not sure), for a while, during re-creating master(s), 'named' was not listening at '127.0.0.1' - which was my fault as I constrained named's 'ifaces' via 'acls' (unintentionally). I think on the first master (which shows the above issue) 'named' might have stopped/crashed at the time of the new master(s) re-introduction.
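The "save off a copy, then remove" step Rob recommends, as an added example (not 389-ds or FreeIPA code): a small LDIF reader that unfolds the wrapped lines ldapsearch prints (a physical line starting with one space continues the previous one, which is why the DNs above arrive split as "privat" / "e,ou=people,o=ipaca"), keeps base64 values such as userPassword:: untouched so the backup round-trips, selects only the "namingConflict (ADD)" entries, and writes the "changetype: delete" records for ldapmodify. The sample LDIF is constructed by merging the two searches from the thread, with the password values elided as in the post; nsds5ReplConflict is an operational attribute, so the search that produces input like this has to ask for it explicitly, for example by adding '*' '+' after the filter.

```python
"""Back up and prepare deletion of 389-ds replication conflict entries from
ldapsearch LDIF output.  Added example, not 389-ds/FreeIPA code.  SAMPLE_LDIF
is constructed from the two entries in the thread (both searches merged,
passwords elided as in the post)."""

SAMPLE_LDIF = """\
# extended LDIF
#
dn: nsuniqueid=7c395f01-6d6211ec-a624dc4c-7402d017+uid=admin-dzien.mine.privat
 e,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
objectClass: extensibleobject
objectClass: ldapsubentry
uid: admin-dzien.mine.private
cn: admin-dzien.mine.private
sn: admin-dzien.mine.private
usertype: adminType
userstate: 1
userPassword:: e..
nsds5ReplConflict: namingConflict (ADD) uid=admin-dzien.mine.private,ou=people
 ,o=ipaca

dn: nsuniqueid=e6ed9901-6d6811ec-affe8b51-4855b2e0+uid=admin-swir.mine.private
 ,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
objectClass: extensibleobject
objectClass: ldapsubentry
uid: admin-swir.mine.private
cn: admin-swir.mine.private
sn: admin-swir.mine.private
usertype: adminType
userstate: 1
userPassword:: e..
nsds5ReplConflict: namingConflict (ADD) uid=admin-swir.mine.private,ou=people,
 o=ipaca
"""


def unfold(text):
    """Yield logical LDIF lines (RFC 2849): a physical line that starts with a
    single space continues the previous logical line."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Return a list of entries, each a list of (attr, value, is_base64) in
    original order.  'attr:: value' is kept as the raw base64 text so the
    backup reproduces it byte for byte."""
    entries, current = [], []
    for line in unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            current.append((attr, rest[1:].strip(), True))
        else:
            current.append((attr, rest.strip(), False))
    if current:
        entries.append(current)
    return entries


def entry_dn(entry):
    return next(v for a, v, _ in entry if a == "dn")


def conflict_dns(entries, only_add=True):
    """DNs of entries carrying nsds5ReplConflict.  With only_add, keep just the
    'namingConflict (ADD)' ones: as explained in the thread, those mean the
    real entry was already created on another replica."""
    dns = []
    for e in entries:
        marks = [v for a, v, _ in e if a == "nsds5ReplConflict"]
        if marks and (not only_add or all(m.startswith("namingConflict (ADD)") for m in marks)):
            dns.append(entry_dn(e))
    return dns


def to_ldif(entries):
    """Serialise entries back to (unfolded) LDIF: the backup copy to keep."""
    out = []
    for e in entries:
        out.extend(f"{a}:: {v}" if b64 else f"{a}: {v}" for a, v, b64 in e)
        out.append("")
    return "\n".join(out)


def delete_ldif(dns):
    """Change records for `ldapmodify -f`: one 'changetype: delete' per DN."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(to_ldif(entries))                      # keep this before deleting anything
    print(delete_ldif(conflict_dns(entries)))    # feed to ldapmodify after review
```

Feed the real search output in place of SAMPLE_LDIF, keep the to_ldif() output as the backup, then apply the delete records with ldapmodify -H ldaps://... -D 'cn=Directory Manager' -W -f delete.ldif and re-run ipa-healthcheck to confirm DSREPLLE0002 is gone.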
[Freeipa-users] Re: 2 conflict entries found under the replication suffix o=ipaca - ? - issue
On 04/01/2022 22:09, Rob Crittenden wrote:

lejeczek via FreeIPA-users wrote:

Hi guys.

-> $ ipa-healthcheck
..
{
  "source": "ipahealthcheck.ds.replication",
  "check": "ReplicationCheck",
  "result": "WARNING",
  "uuid": "7ff8f869-36c8-411c-9c44-7cb323deaf95",
  "when": "20220104193941Z",
  "duration": "0.574693",
  "kw": {
    "key": "DSREPLLE0002",
    "items": [
      "Replication",
      "Conflict Entries"
    ],
    "msg": "There were 2 conflict entries found under the replication suffix \"o=ipaca\"."
  }

I have found some old tips here from the list but I'm not sure what to do with it.

-> $ ldapsearch -H ldaps://$(hostname) -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))' nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: nsds5ReplConflict
#

# 7c395f01-6d6211ec-a624dc4c-7402d017 + admin-dzien.mine.private, people, ipaca
dn: nsuniqueid=7c395f01-6d6211ec-a624dc4c-7402d017+uid=admin-dzien.mine.private,ou=people,o=ipaca
nsds5ReplConflict: namingConflict (ADD) uid=admin-dzien.mine.private,ou=people,o=ipaca

# e6ed9901-6d6811ec-affe8b51-4855b2e0 + admin-swir.mine.private, people, ipaca
dn: nsuniqueid=e6ed9901-6d6811ec-affe8b51-4855b2e0+uid=admin-swir.mine.private,ou=people,o=ipaca
nsds5ReplConflict: namingConflict (ADD) uid=admin-swir.mine.private,ou=people,o=ipaca

Remove either entries?

I'd suggest dropping the attribute list and looking at the entire conflict entry just to see if anything else was included. Chances are that yes, these can both be dropped.

I assume that the CA is otherwise working fine? I'm curious how this came about. Were you standing up a bunch of new servers simultaneously?

rob

From looking at the 'raw' LDAP tree I would not know - is there a way to confirm/validate CA health?

The only thing I can think of was that on some (all? I'm not sure), for a while, during re-creating master(s), 'named' was not listening at '127.0.0.1' - which was my fault as I constrained named's 'ifaces' via 'acls' (unintentionally). I think on the first master (which shows the above issue) 'named' might have stopped/crashed at the time of the new master(s) re-introduction.

many thanks, L