On Wed, 10 Feb 2021, Kevin Cassar via FreeIPA-users wrote:
Hi,
I'm running FreeIPA v4.8.7. I have a requirement that end user systems
(not enrolled in FreeIPA) be allowed SSH access on FreeIPA enrolled
servers through Kerberos authentication. As of now I'm using user
keytabs on the end systems
I'm afraid I don't know how to construct the right ipa-getkeytab command to
test. Do I run ipa-getkeytab on the client or on the ipa server? For the
IPA$@DOMAIN.EDU principal?
I thought about STARTTLS pointing to a certificate issue. The certs on the ipa
server are not expired:
getcert list |
Mike Conner via FreeIPA-users wrote:
> The certificate for the AD secure ldap server is also current
> (ad.domain.edu:636).
It would only be binding to IPA for ipa-getkeytab. I don't know how sssd
invokes it.
But you should be able to see a failed TLS connection in the 389-ds logs
which could
Manuel Gujo via FreeIPA-users wrote:
> Hi,
>
> I've retried moving the date to three weeks before 2020-12-08 and renewing the
> cert manually
>
> # ipa-getcert resubmit -i "ID"
> Resubmitting "20201102185036" to "dogtag-ipa-ca-renew-agent".
>
> Here's one of the output log from journalctl -xe
>
> #
The certificate for the AD secure ldap server is also current
(ad.domain.edu:636).
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
Thank you. I've run the following command on the broken client. In this
instance 'ipa.ipa.domain.edu' is the IPA server. 'IPA$@DOMAIN.EDU' was used
simply because it's what I saw in the logs.
KRB5CCNAME=/var/lib/sss/db/ccache_IPA.DOMAIN.EDU /usr/sbin/ipa-getkeytab -r -s
ipa.ipa.domain.edu -p
The following is a portion of the sssd log on the client reflecting the same
inability to retrieve keytab:
***
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state]
(0x1000): Domain domain.edu is Active
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]]
Manuel Gujo via FreeIPA-users wrote:
> Here's what I found in /var/log/pki/pki-tomcat/ca/debug
>
> Could not connect to LDAP server host ipa1.itec.lab port 636 Error
> netscape.ldap.LDAPException: Unable to create socket:
> java.net.ConnectException: Connection refused (Connection refused)
On Fri, 12 Feb 2021, Mike Conner via FreeIPA-users wrote:
Thank you. I've run the following command on the broken client. In this
instance 'ipa.ipa.domain.edu' is the IPA server. 'IPA$@DOMAIN.EDU' was
used simply because it's what I saw in the logs.
Manuel Gujo via FreeIPA-users wrote:
> Hi Rob,
>
> Do I have to stop all the IPA services before I move the date back? Now I'm
> only moving the date back and restarting certmonger.
It wouldn't hurt.
You absolutely need to restart things in the past because they can't run
in current time with
I moved the date before the expiring and restarted the services one by one as
you listed (systemctl restart dirsrv@my-domain, systemctl restart krb5kdc etc.)
then:
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED (if
This may be useful information: Clients are still able to lookup and
authenticate AD users as long as they have an intact cache. If I empty the
sssd cache, that client will no longer be able to perform AD lookups or
authentications.
Thank you for the clarification. I ran it on the IPA server and the keytab was
successfully retrieved.
`Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.edu.keytab-test`
-Mike
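The check a practitioner wants once a keytab has been retrieved is what is actually in it: which principal, which kvno and which enctypes. `klist -kt` prints that; the parser below does the same from a script and shows where each field lives in the file. This is an added example, not code from FreeIPA, SSSD or any poster in the thread. The keytab it parses is built in memory by `build_keytab()` from made-up values (the realm, principal, kvno, timestamp and key bytes are all constructed for the example).

```python
"""Inspect what a Kerberos keytab actually contains (MIT keytab format 0x0502).

Added example, not code from FreeIPA, SSSD or anyone in the thread. The keytab
parsed here is built in memory by build_keytab() from made-up values (realm,
principal, kvno, timestamp and key bytes are all constructed for the example).
"""
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Constructed sample: (principal, realm, kvno, enctype, key, timestamp)
SAMPLE_ENTRIES = [
    ("IPA$", "DOMAIN.EDU", 3, 18, bytes(range(32)), 1613141514),
    ("IPA$", "DOMAIN.EDU", 3, 17, bytes(range(16)), 1613141514),
]


def _cstr(data):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cstr(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise entries as a v0x0502 keytab. Only used to construct sample input."""
    out = bytearray(b"\x05\x02")                               # file format version
    for principal, realm, kvno, enctype, key, ts in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)        # name_type NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cstr(key)         # keyblock: enctype + key
        body += struct.pack(">I", kvno)                         # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body              # signed length; negative marks a deleted slot
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per live entry; deleted slots (negative length) are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (length,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if length == 0:
            break
        if length < 0:                                          # deleted entry: skip its bytes
            pos -= length
            continue
        end = pos + length
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_cstr(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(blob, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_cstr(blob, pos)
        kvno = vno8
        if end - pos >= 4:                                      # 32-bit vno present: nonzero value wins
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": ts, "key": key})
        pos = end
    return entries


def keytab_summary(blob):
    """Rows like `klist -kt` prints: (kvno, principal, enctype name)."""
    return [(e["kvno"], e["principal"], ENCTYPES.get(e["enctype"], str(e["enctype"])))
            for e in parse_keytab(blob)]


def kvno_in_keytab(blob, principal):
    """Highest kvno stored for principal, or None if it is not in the keytab."""
    kvnos = [e["kvno"] for e in parse_keytab(blob) if e["principal"] == principal]
    return max(kvnos) if kvnos else None


if __name__ == "__main__":
    for kvno, princ, etype in keytab_summary(build_keytab(SAMPLE_ENTRIES)):
        print("%4d %s (%s)" % (kvno, princ, etype))
```

Point the parser at a real file with `parse_keytab(open(path, "rb").read())`. The kvno is the field to compare across copies: ipa-getkeytab without `-r` generates a new key and bumps the kvno, which invalidates every other keytab holding that principal, whereas `-r` (as used in the command above) retrieves the existing key and leaves the kvno alone, provided the caller has permission to read the keys.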
Mike Conner via FreeIPA-users wrote:
> The following is a portion of the sssd log on the client reflecting the same
> inability to retrieve keytab:
> ***
> (Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state]
> (0x1000): Domain domain.edu is Active
> (Fri Feb 12 10:11:54
Manuel Gujo via FreeIPA-users wrote:
> I moved the date before the expiring and restarted the services one by one as
> you listed (systemctl restart dirsrv@my-domain, systemctl restart krb5kdc
> etc.)
>
> then:
> [root@ipa1 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service:
Here's what I found in /var/log/pki/pki-tomcat/ca/debug
Could not connect to LDAP server host ipa1.itec.lab port 636 Error
netscape.ldap.LDAPException: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused) (-1)
at
On Fri, Feb 12, 2021 at 02:10:09PM -, Mike Conner via FreeIPA-users wrote:
> I'm afraid I don't know how to construct the right ipa-getkeytab command to
> test. Do I run ipa-getkeytab on the client or on the ipa server? For the
> IPA$@DOMAIN.EDU principal?
Hi,
SSSD calls
Hi Rob,
Do I have to stop all the IPA services before I move the date back? Now I'm
only moving the date back and restarting certmonger.
pki-tomcatd has failed, so I can't stop/restart it.
More logs. This is from another broken client during an attempt to login as an
AD user:
(Fri Feb 12 16:35:20 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state]
(0x1000): Domain domain.edu is Active
(Fri Feb 12 16:35:20 2021) [sssd[be[ipa.domain.edu]]] [sdap_id_op_connect_step]
Just to confirm, the system is working with the exception of
ipa-dnskeysyncd.service?
Does this work?
# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br
# ipa user-show admin
This will get a ticket and then use that ticket.
rob
Vinícius Ferrão
Hi Rob.
Actually nothing that relies on Kerberos Keytabs is working.
I can properly run kinit and log in, but I can’t use ‘ipa’ commands, for
instance. named-pkcs11 is only starting up because I’ve changed the
authentication method on /etc/named.conf:
/* WARNING: This part of the config
On Thu, Feb 11, 2021 at 10:20:45PM -, Mike Conner via FreeIPA-users wrote:
> This additional bit from the logs indicates a failure to retrieve a keytab:
>
> (Thu Feb 11 15:45:13 2021) [sssd[be[ipa.domain.edu]]] [main] (0x0400):
> Backend provider (ipa.domain.edu) started!
> (Thu Feb 11
Hi,
I've retried moving the date to three weeks before 2020-12-08 and renewing the cert manually
# ipa-getcert resubmit -i "ID"
Resubmitting "20201102185036" to "dogtag-ipa-ca-renew-agent".
Here's one of the output log from journalctl -xe
# journalctl -xe
Nov 17 18:08:27 ipa1.itec.lab certmonger[27108]:
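The rollback procedure discussed above (move the clock to before the earliest expiry, restart the services in the past, resubmit the requests) needs two inputs that `getcert list` already prints: which requests are no longer in MONITORING and when the earliest certificate expires. The script below parses that output and computes the target date. It is an added example, not certmonger or FreeIPA code and not from the thread; `SAMPLE` is constructed for it (request IDs, nicknames, subjects and dates are made up, with the first expiry set to the 2020-12-08 date the thread mentions), and only the field names follow what `getcert list` prints. The default margin of 21 days matches the three weeks used above.

```python
"""Pick a clock-rollback target from `getcert list` output.

Added example, not certmonger or FreeIPA code and not from the thread. SAMPLE is
constructed for this example: request IDs, nicknames, subjects and dates are made
up (the first expiry is set to the 2020-12-08 date the thread mentions); only the
field names follow what certmonger's `getcert list` prints. Times are UTC, as in
getcert's `expires:` line.
"""
import re
from datetime import datetime, timedelta

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20200615120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=ITEC.LAB
\texpires: 2020-12-08 18:50:36 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20200615120002':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=ITEC.LAB
\texpires: 2020-12-20 18:50:40 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20200615120003':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipa1.itec.lab,O=ITEC.LAB
\texpires: 2022-06-15 12:00:03 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")   # indented "name: value" lines


def _ts(value):
    """Accept a datetime or a string in getcert's `YYYY-MM-DD HH:MM:SS UTC` format."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")


def parse_getcert(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    reqs, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1)}
            reqs.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            name, value = m.group(1), m.group(2)
            cur[name] = _ts(value) if name == "expires" else value
    return reqs


def unhealthy(reqs):
    """Request IDs certmonger is not cleanly monitoring (bad status or stuck)."""
    return [r["id"] for r in reqs if r.get("status") != "MONITORING" or r.get("stuck") == "yes"]


def expired(reqs, now):
    """Request IDs whose certificate has already expired at `now`."""
    now = _ts(now)
    return [r["id"] for r in reqs if "expires" in r and r["expires"] <= now]


def rollback_target(reqs, now, margin_days=21):
    """Clock value to roll back to: margin_days before the earliest expiry.

    Returns None when nothing has expired, i.e. no rollback is needed.
    """
    exps = [r["expires"] for r in reqs if "expires" in r]
    if not exps or min(exps) > _ts(now):
        return None
    return min(exps) - timedelta(days=margin_days)


if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    now = datetime.utcnow()
    print("unhealthy:", unhealthy(reqs))
    print("expired:  ", expired(reqs, now))
    print("set clock to:", rollback_target(reqs, now))
```

Two caveats before using the date it prints. The target must also be later than every certificate's notBefore, which `getcert list` does not show; check with `openssl x509 -noout -dates -in <file>` or `certutil -L -d <nssdb> -n '<nickname>'` for NSS-stored certs. And the clock only stays rolled back if chronyd/ntpd is stopped first; the services then have to be restarted while the clock is in the past, as Rob says above, before `ipa-getcert resubmit` is run.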