Ipa error did not receive kerberos credentials

Ipa error не получены учетные данные kerberos

В первый раз пытаюсь сделать SSL сертификат с помощью FreeIPA CA (dogtag). Пытаюсь отправить CSR через certmonger. На клиенте сделал:

На нём же смотрю, что получилось:

Пробую пихнуть ещё раз:

Не верю, пробую другую команду:

Проверяю кэш Kerberos на клиенте:

Пробую вручную пробиться:

В логах у клиента и у сервера — только сообщения о старте-стопе.

Никто не видел такого зверя, что я делаю неправильно?

Ответить | Правка | Cообщить модератору

Сам уже разобрался. Там наслоилось три проблемы:

1. RFC-6125 — почти весь SSL-софт перестал заглядывать в CN совсем
2. для каждого servernameX в ipa-getcert request -D servername1 -D servername2 должен быть свой service principal вида HTTP/servernameX
3. конкретная версия ipa-getcert имела баг — брала только первый -D

Источник

Репликация домена IPA в ОС RELS и «КОБАЛЬТ»

Содержание

Применимость

Назначение

В этой инструкции описан процесс развёртывания резервного сервера IPA (Identification, Policy and Audit) при наличии основного. Предполагается, что у вас уже работает основной сервер домена, настроенный по инструкции.

Список поддерживаемых ОС

• ROSA Enterprise Linux Server (RELS) версии 6.6 и выше
• РОСА «КОБАЛЬТ»

Если основной сервер домена развёрнут на ОС РОСА «КОБАЛЬТ», то репликация возможна на любую из поддерживаемых ОС, т. е как непосредственно на сам «КОБАЛЬТ», так и на RELS.

Настройки серверов

Предполагается, что на момент настройки репликации у вас есть сервер с установленной ОС RELS или РОСА «КОБАЛЬТ» в варианте «Минимальная». Все команды выполняются от имени администратора (root).

В примерах, приводимых в данной инструкции, предполагается, что серверы имеют следующие сетевые параметры:

Установка FreeIPA

Настройка DNS и hostname

• Убедитесь, что в качестве первого DNS-сервера используется будущий сервер домена IPA. Если в сети планируется использовать короткие имена машин, также должна быть прописана корректная опция domain или search . В файле /etc/resolv.conf должны содержаться записи следующего вида:

Убедитесь, что имя сервера (hostname) записано строчными буквами. Имя сервера задаётся в файле /etc/sysconfig/network.

Установка оснастки

• Установите оснастку для сервера IPA:

• Проверьте корректность сетевых параметров в файле /etc/hosts:

Содержимое файла должно иметь следующий вид:

Последняя строка должна указывать на сервер.

Настройка репликации

Подготовка

Выполните подготовительные команды:

Добавление резервного сервера в DNS

Добавить запись о резервном сервере в DNS можно двумя способами.

• Способ 1. Подключитесь с серверу домена с помощью браузера и воспользуйтесь графической утилитой управления доменом «Identity Managment»:

• Способ 2. На основном сервере IPA выполните следующую команду:

Возможно, на этом этапе вы получите сообщение вида:

В этом случае нужно получить билет Kerberos:

Подготовка к репликации на основном сервере

• Создайте ключи и сертификаты для резервного сервера:

• Скопируйте их на резервный сервер:

Если второй сервер работает под управлением ОС РОСА «КОБАЛЬТ», выполните downgrade nss:

Запуск сервера репликации

Инициализируйте сервер репликации, выполнив на резервном сервере следующую команду:

Сначала будет выполнена проверка доступности портов на основном сервере. Если какие-либо порты не доступны, проверьте настройки межсетевого экрана, если таковой существует между серверами, а также сервиса блокировки портов iptables на обоих серверах.

Источник

Troubleshooting/Kerberos

This page contains Kerberos troubleshooting advice, including trusts. For other issues, refer to the index at Troubleshooting.

Contents

kinit does not work

• On client, see the debug messages from the kinit process itself:
• Make sure that there are no DNS Issues and that forward (A and/or AAAA) records of the client are OK.
• Make sure that krb5kdc and dirsrv services on the FreeIPA server are running
• Check for errors in /var/log/krb5kdc.log

Service does not start

• See service log of the respective service for the exact error text. For example, the Directory Server stores the log in /var/log/dirsrv/slapd-REALM-NAME/errors
• Make sure that the server the service is running on has a fully qualified domain name
• Make sure that if /etc/hosts contains an entry for this server, the fully qualified domain name comes first, e.g.:
• See what keys are in the keytab used for authentication of the service, e.g.:
• Make sure that the stored principals match the system FQDN system name
• Make sure that the version of the keys (KVNO) stored in the keytab and in the FreeIPA server match:
• Make sure that there are no DNS Issues and both forward and reverse DNS records of the are OK and match the system name and the stored principal keys
• Make sure that the system time difference on the host and FreeIPA server is not greater than 5 minutes

Cannot authenticate on client

• If FreeIPA was re-enrolled against different FreeIPA server, try removing SSSD caches (/var/lib/sss/db/*) and restarting the SSSD service (freeipa-users thread)

For further advise, see SSSD guide for troubleshooting problems on clients, including tips for gathering SSSD log files.

Failed auth increments failed login count by 2

• This happens when migration mode is enabled. After normal auth attempt SSSD performs LDAP bind to generate Kerberos keys. This failure raises the counter for second time.
• Resolution: disable migration mode when all users are migrated by

Cannot authenticate user with OTP with Google Authenticator

• This happens when hash function other that SHA-1 is used and OTP code is generated using Google Authenticator (encountered with 4.74). Google Authenticator ignores the hash function and uses SHA-1 anyway making the generated codes unusable. Use FreeOTP application or OTP tokens with SHA-1 hash function. related freeipa-users thread.

Smart Card authentication

For Kerberos PKINIT authentication both client and server (KDC) side must have support for PKINIT enabled. On Fedora/RHEL/CentOS systems this means an RPM package krb5-pkinit or similar should be installed. If a client system lacks krb5-pkinit package, a client will not be able to use a smartcard to obtain an initial Kerberos ticket (TGT). This is hard to notice as Kerberos client will simply have no way to respond to the pre-authentication scheme for PKINIT. Thus, a first step in resolving issues with PKINIT would be to check that krb5-pkinit package is installed.

Trusts

Ubuntu distributions at this time don’t support Trust feature of FreeIPA. See https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249 for more details.

Cannot create trust with trust-add

See separate page with instructions how to debug trust creating issues.

Источник

Portal:FreeIPA/Troubleshoot

Contents

General Information

FreeIPA is a complicated system and requires the cooperation of directory, name resolution, authentication and web services. Please carefully read the Installation Guide before attempting server/replica/client installation.

YaST fails to create CA with error «According to ‘basicConstraints’, this is not a CA.»

There is currently a bug in the YaST CA Management module, when you create a new CA, the default constraints are not properly configured and CA creation fails. To resolve the issue, visit «Advanced Options» when prompted for new CA password, and set CA «CA:true» under «Basic Constraints».

YaST fails to create server certificate with error «Signing certificate failed.»

Click «Details» button to learn the error details. Most commonly the valid period of the server certificate is incorrectly set to exceed the valid period of CA; if this is the case, decrease the valid period of the certificate and try again.

Troubleshoot Common CA and LDAP configuration

Command update-ca-certificates does not produce any output

This is normal. The command only produces output when an error is encountered.

File /etc/openldap/ldap.conf does not exist

Please install OpenLDAP client package:

Troubleshoot FreeIPA Server/Replica Installation

Access installation log file

ipa-server-install command writes logging information into file /var/log/ipaserver-install.log. To inspect the log file while IPA server is being installed, run:

ipa-replica-install command writes logging information into file /var/log/ipareplica-install.log. To inspect the log file while IPA replica is being installed, run:

Occasionally binary-only content is written into the log files during the installation process (a known issue), therefore it is necessary to use «cat -v» to turn the binary content into readable characters.

Clean up after a failed run of ipa-server-install

If ipa-server-install installation has started but fails to complete successfully, the next installation attempt will fail with message «IPA server is already configured on this system.». It is necessary to clean up the incomplete installation by running:

before making another installation attempt.

Clean up after a failed run of ipa-replica-install

If ipa-replica-install installation has started but fails to complete successfully, the next installation attempt will fail. It is necessary to clean up the incomplete installation by running on the replica:

And run on replica Target machine (not the replica machine itself):

Then you may re-try replica installation.

«>The server certificate is not valid: invalid for server

Make sure that the certificate file used for FreeIPA service satisfies all of these conditions:

1. It is in PKCS12 format.
2. It is a Server certificate (not a Client certificate).
3. It contains both certificate and key.
4. It does not contain CA or sub-CA certificate.
5. The certificate common name matches server fully-qualified-domain-name exactly.

hostname: Name or service not known

Sometimes NetworkManager can cause hostname-unknown issue, please disable NetworkManager and use Wicked Service for network setup. Consult YaST Network Settings manual for more details.

If NetworkManager is determined not to be the cause of host name trouble, correct host name and FQDN manually via «hostnamectl» command and manually enter the FQDN and short host name into /etc/hosts, then proceed with FreeIPA server/replica installation.

Access web service log files

FreeIPA web application runs on Apache web server.

Apache web server daemon logs critical and startup errors in system journal, accessible via:

Web access log and FreeIPA web application errors are logged in conventional log files, located by default under «/var/log/apache2».

Command line tool «ipa» gives error «did not receive Kerberos credentials»

Before using the command line tool «ipa», your current system user must have already obtained a Kerberos ticket with IPA administrative privilege. Use command «klist» to determine whether a Kerberos ticket has been obtained, and if not, obtain a new ticket via:

and then retry the ipa command.

Troubleshoot FreeIPA Client

Access authentication daemon log

FreeIPA client runs SSSD (System Security Services Daemon), whose logs are accessible via:

SSSD complains «Key table entry not found»

(Or alternatively «Failed to initialize credentials using keytab», «Client . not found in Kerberos database.»)

The error indicates SSSD was looking for your client host’s Kerberos key but it is not found in Kerberos keytab file (/etc/krb5.keytab).

There are several possible causes:

• Keytab file is empty.
• Keytab file does not belong to this client machine (incorrect placement).
• Client machine’s FQDN does not match the principal name in keytab file due to name resolution error.
• Client machine’s host name does not reflect the FQDN used by IPA database to identify the host.

In any case, inspect the keytab file content by running command:

The result should show more than one entries belonging to principal «host/ .domain@DOMAIN_REALM», e.g.:

If the keytab file appears empty or the principal name does not match with the client’s fully-qualified-domain-name, it is necessary to re-retrieve the client’s keytab file via «ipa-getkeytab» command. Refer to Installation Guide for detailed procedure.

If the keytab file content looks correct, then there is a possibility of name resolution error on the client side. Re-visit YaST Authentication Client module and enter the expected FQDN from client (e.g. «pulautin.linuxdom.net») into domain parameter «ipa_hostname», and see if the problem is eliminated. If the problem is eliminated, then check the private network’s domain name and DNS server settings on DHCP server.

Desktop or remote login using IPA credentials fails on the client

Inspect all system journal:

While re-attempting a login, to determine the failure reason.

Please note that it is sometimes necessary to reboot the client machine after it is configured as IPA client for the very first time.

Источник

Adblock
detector

1. «Проблема с FreeIPA»	+ / –
Сообщение от ACCA (ok), 05-Окт-18, 05:50

Installation[edit | edit source]

Here are my notes as I fumble my way setting up FreeIPA.

Docker[edit | edit source]

There is an official Docker container that has a complete FreeIPA installation. This container uses systemd to start up FreeIPA along with the other related services such as OpenLDAP, Bind, and Kerberos. See more at: https://github.com/freeipa/freeipa-container

Use the following docker-compose.yml stack to quickly get started with FreeIPA:

version: '3.3'

services:

  freeipa:
    image: freeipa/freeipa-server:rocky-8
    restart: unless-stopped
    tty: true
    stdin_open: true
    hostname: ipa
    domainname: home.steamr.com
    extra_hosts:
      - "ipa.home.steamr.com:10.1.2.12"
    environment:
      - IPA_SERVER_HOSTNAME=ipa.home.steamr.com
      - IPA_SERVER_IP=10.1.2.12
      - DNS=10.1.0.8
      - TZ=America/Edmonton
    command:
      - ipa-server-install
      - --realm=home.steamr.com
      - --domain=home.steamr.com
      - --ds-password=xxxxxxxxxx
      - --admin-password=xxxxxxxxxx
      - --no-host-dns
      - --setup-dns
      - --auto-forwarders
      - --allow-zone-overlap
      - --no-dnssec-validation
      - --unattended
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    volumes:
      - ./data:/data
      - ./logs:/var/logs
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /var/cache
      - /tmp
    cap_add:
      - SYS_TIME
    ports:
      - "10.1.2.12:80:80/tcp"
      - "10.1.2.12:443:443/tcp"
      # DNS
      - "10.1.2.12:53:53/tcp"
      - "10.1.2.12:53:53/udp"
      # LDAP(S)
      - "10.1.2.12:389:389/tcp"
      - "10.1.2.12:636:636/tcp"
      # Kerberos
      - "10.1.2.12:88:88/tcp"
      - "10.1.2.12:464:464/tcp"
      - "10.1.2.12:88:88/udp"
      - "10.1.2.12:464:464/udp"

Samba integration[edit | edit source]

There are 3 methods to using FreeIPA with Samba. I eventually settled on method #2.

1. Configure Samba to use FreeIPA as a simple LDAP server, using ldapsam as the passdb backend. This requires a schema change to include the sambaSAMAccount and sambaGroupMapping, and sambaSID object classes. There is a DNA (distributed numeric assignment) plugin that can be used to update these fields.
2. Configure Samba to use FreeIPA using ipasam as the passdb backend. This requires the ipasam.so module installed on the samba servers.
3. Configure Samba to use Kerberos. Does not seem to allow users to use password authentication.

Method 1: ldapsam[edit | edit source]

To use ldapsam, we need to make some changes to the FreeIPA LDAP server by adding sambaSAMAccount and sambaGroupMapping as a default user object class and group object class.

You can either set this in the FreeIPA web interface under configuration, or run:

# ldapmodify <<EOF
dn: cn=ipaConfig,cn=etc,dc=home,dc=steamr,dc=com
changetype: modify
add: ipaUserObjectClasses
ipaUserObjectClasses: sambaSAMAccount
-
add: ipaGroupObjectClasses
ipaGroupObjectClasses: sambaGroupMapping
EOF

We will then need to make a custom DNA (distributed numeric assignment) plugin to update these attributes whenever something related to the object (such as the password) is changed. This can be done by adding a DNA object into LDAP.

ldapadd <<EOF
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-2049073866-1371207509-1214748462
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=home,dc=steamr,dc=com
cn: SambaSid
dnanextvalue: 2

dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 1
dnamagicregen: assign
dnafilter: (objectClass=sambagroupmapping)
dnascope: dc=home,dc=steamr,dc=com
dnanextvalue: 2
EOF

A ldapsam user entry should have these fields. I don’t see these though.

dn: uid=guest2, ou=People,dc=quenya,dc=org
sambaLMPassword: 878D8014606CDA29677A44EFA1353FC7
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513
sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE
sambaPwdLastSet: 1010179124
sambaLogonTime: 0
objectClass: sambaSamAccount
uid: guest2
sambaKickoffTime: 2147483647
sambaAcctFlags: [UX         ]
sambaLogoffTime: 2147483647
sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006
sambaPwdCanChange: 0

Configure the Samba server[edit | edit source]

You can either use a specific binding credential that’s shared across all your samba servers, or use the machine’s cifs service account to authenticate to the LDAP server.

I tried to do the following using the admin account as the bind DN: (using the admin account like this is probably a bad idea, I’m just testing)

[global]
	# freeipa configurations
	passdb backend = ipasam:ldap://home.steamr.com
	ldap admin dn = uid=admin,cn=users,cn=accounts,dc=home,dc=steamr,dc=com
	ldapsam:trusted = yes
	ldap suffix = cn=accounts,dc=home,dc=steamr,dc=com
	ldap user suffix = cn=users,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap group suffix = cn=groups,cn=accounts
	ldap passwd sync = only
	ldap ssl = no

Run smbpasswd -w password to set your bind credential passwords.

Method 2: ipasam[edit | edit source]

See: https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/

Install the adtrust components on the FreeIPA server. Install ipa-server-trust-ad and run ipa-adtrust-install --add-sids. This will add the additional IPASAM attributes such as ipaNtPassword in user objects.

# ipa-adtrust-install --add-sids
## Answer yes to overwrite smb.conf
## Answer yes to install slapi-nis

Ensure that your hostname is set to the FQDN of the hostname otherwise this process will fail. If you are using an external DNS server, ensure that the additional service records are present. If you are using a Docker container, set the hostname to the full FQDN (eg. ipa.example.com, rather than just ‘ipa’).

Next, create a new user and then change the user’s password. This should populate the ipaNTPassword attribute.

# ipa user-add leo --first=Leo --last=Leung
# ipa group-add-member smbgrp --users=leo

When modifying smb.conf, the service account or bind DN must have access to these new ipasam attributes. You need to create a new set of privilege and role and grant the account access. Create the role and permissions in the web interface or run:

# ipa permission-add "CIFS server can read user passwords"  --attrs={ipaNTHash,ipaNTSecurityIdentifier} --type=user --right={read,search,compare} --bindtype=permission
# ipa privilege-add "CIFS server privilege"
# ipa privilege-add-permission "CIFS server privilege" --permission="CIFS server can read user passwords"
# ipa role-add "CIFS server"
# ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"

Then, add your service account or bind DN to the ‘CIFS server’ role. For example:

# ipa service-add cifs/dnas.home.steamr.com
# ipa role-add-member "CIFS server" --services=cifs/dnas.home.steamr.com

Configure the Samba server[edit | edit source]

Generate a keytab file for samba.

# kinit -kt /etc/krb5.keytab
## Note: we ran this in the previous step.
## ipa service-add cifs/dnas.home.steamr.com
# ipa-getkeytab -s ipa.home.steamr.com -p cifs/dnas.home.steamr.com -k /etc/samba/samba.keytab

Then, tweak smb.conf.

[global]
passdb backend = ipasam:ldap://ipa.home.steamr.com
ldapsam:trusted = yes
ldap suffix = dc=home,dc=steamr,dc=com
ldap user suffix = cn=users,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap ssl = no
idmap config * : backend = tdb  
create krb5 conf = No 
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab

If you get: NT_STATUS_BAD_TOKEN_TYPE, you need to disable MS-POC in the FreeIPA settings or disable it specifically for this cifs service account.

The ipasam passdb provider is available from the ipa-server-trust-ad package. However, this package also pulls in a ton of other IPA dependencies which aren’t needed. If you just want the provider to work on a bare minimal samba server, you can simply just copy (or extract from the ipa-server-trust-ad package) the ipasam.so file to /usr/lib64/samba/pdb/ipasam.so.

Method 3: Kerberos[edit | edit source]

This method is similar to the ipasam method above and you will need to set up the server in the same way. However, the way you configure Samba is different.

On the Samba server[edit | edit source]

## Join the samba server to FreeIPA
# ipa-client-install

## Then add the client to samba.
# ipa-client-samba

Note that when you try adding the samba client, the IPA server has to be able to resolve the A record for the Samba server you’re adding or else it will fail.

This should automatically set up the cifs service accounts for this particular samba server, get the samba keytab file in /etc/samba/samba.keytab, and then tweak the smb.conf file to use this keytab file.

The smb.conf file now looks like:

[global]
    # Limit number of forked processes to avoid SMBLoris attack
    max smbd processes = 1000
    # Use dedicated Samba keytab. The key there must be synchronized
    # with Samba tdb databases or nothing will work
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    # Set up logging per machine and Samba process
    log file = /var/log/samba/log.%m
    log level = 1
    # We force 'member server' role to allow winbind automatically
    # discover what is supported by the domain controller side
    server role = member server
    realm = HOME.STEAMR.COM
    netbios name = DNAS
    workgroup = HOME
    # Local writable range for IDs not coming from IPA or trusted domains
    idmap config * : range = 0 - 0
    idmap config * : backend = tdb


    idmap config HOME : range = 100000 - 299999
    idmap config HOME : backend = sss


# Default homes share
[homes]
    read only = no

You need to then start winbind and smb. For some reason, this method doesn’t seem to work as winbind is stuck with «wb_parent_idmap_setup_lookupname_done: Lookup domain name 'home' failed 'NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND'»

Debug samba issues[edit | edit source]

Use smbclient to help debug issues. This utility is provided by the samba-client package. You can then test authentication by running: smbclient -d 10 -U leo //dnas/home

Tasks[edit | edit source]

Join a computer to a FreeIPA[edit | edit source]

Use the ipa-client-install command to add a computer to a FreeIPA server. This should also automatically add a computer account, generate a keytab file, and tweak sssd to use FreeIPA as an authentication mechanism.

# ipa-client-install -U -p admin -w $Password --server ipa.home.steamr.com --domain home.steamr.com --force-join --no-ntp --fixed-primary

Troubleshooting[edit | edit source]

Error: did not receive Kerberos credentials[edit | edit source]

Tools such as ‘ipa’ uses your session’s Kerberos tickets for authentication. If you don’t have any tickets or if your tickets expired, you may get an ipa: ERROR: did not receive Kerberos credentials error. Fix this by running:

## Renew/obtain Kerberos tickets for 'admin'
# kinit admin
Password for admin@HOME.STEAMR.COM:  ****

Verify if your tickets are available with klist:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@STEAMR.COM

Valid starting     Expires            Service principal
03/06/22 14:44:35  03/07/22 14:39:47  krbtgt/STEAMR.COM@STEAMR.COM

Container issues[edit | edit source]

• Don’t mount /var/log because the container image symlinks everything into /data. If you do mount /var/log, make sure you make the expected directories or else the installer will fail.
• Error with AssertionError: Another instance named 'HOME-STEAMR-COM' may already exist. I can’t figure out what’s causing lib389 to think there’s another instance. I built a container image on top of this image with the assertion patched out. This seemed to have fixed the issue.

• FROM freeipa/freeipa-server:rocky-8
  RUN sed 's/assert_c(len(insts)/# assert_c(len(insts)/' -i /usr/lib/python3.6/site-packages/lib389/instance/setup.py
  

Can’t find the ipa-adtrust-install package[edit | edit source]

The FreeIPA packages are under a different app stream repo. Enable it by running dnf -y module enable idm:DL1.

sssd: Decrypt integrity check failed[edit | edit source]

After recreating the FreeIPA server, I uninstalled and reinstalled the FreeIPA client on a machine. Kinit works as expected, but sssd authentication fails with the following error in /var/log/sssd/.

[krb5_child[29691]] [get_and_save_tgt] (0x0020): [RID#6] 1725: [-1765328353][Decrypt integrity check failed]

The fix here is to wipe out all the caches. sss_cache -E isn’t sufficient. You have to stop sssd and delete all the databases:

# systemctl stop sssd
# rm -rf /var/lib/sss/db/*
# systemctl start sssd

File permission issues[edit | edit source]

I ran into issues starting FreeIPA in a Docker container. Symptoms include the following issues in the subsections below.

Bind / named doesn’t start:[edit | edit source]

ipa named-pkcs11[5407]: LDAP error: Invalid credentials: bind to LDAP server failed
ipa named-pkcs11[5407]: couldn't establish connection in LDAP connection pool: permission denied
ipa named-pkcs11[5407]: dynamic database 'ipa' configuration failed: permission denied
ipa named-pkcs11[5407]: loading configuration: permission denied
ipa named-pkcs11[5407]: exiting (due to fatal error)

Ignore this for now. You have other issues, likely.

Samba doesn’t start: Error: Invalid credentials[edit | edit source]

When trying to start smb, I get the following:

[2023/01/24 05:17:46.170883,  0, pid=5124] ipa_sam.c:4945(bind_callback)
  bind_callback: cannot perform interactive SASL bind with GSSAPI. LDAP security error is 49
[2023/01/24 05:17:46.171155,  0, pid=5124] ../../source3/lib/smbldap.c:1059(smbldap_connect_system)
  failed to bind to server ldapi://%2fvar%2frun%2fslapd-HOME-STEAMR-COM.socket with dn="[Anonymous bind]" Error: Invalid credentials
        (unknown)
[2023/01/24 05:17:46.171419,  1, pid=5124] ../../source3/lib/smbldap.c:1272(get_cached_ldap_connect)
  Connection to LDAP server failed for the 1 try!

The fix was to stop FreeIPA with ipactl stop, then rm /run/samba/krb5cc_samba, and restarting FreeIPA with ipactl start. If the error recurrs after restarting FreeIPA, then you have other issues that’s preventing Samba from starting.

Tomcat doesn’t start: status=5/NOTINSTALLED[edit | edit source]

When trying to start Tomcat, you get a 5 exit code, as reported by systemd:

pki-tomcatd@pki-tomcat.service: Control process exited, code=exited, status=5/NOTINSTALLED
pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
Failed to start PKI Tomcat Server pki-tomcat.

The exit code 5 being ‘NOTINSTALLED’ is a red herring. You likely have permission issues that’s preventing the user running tomcat (pkiuser) from accessing some certs or configs. Go through your Docker volumes and chown anything directory called ‘pki’ to the pkiuser.

# chown -R 17:17 etc/pki etc/sysconfig/pki var/lib/pki var/lib/ipa/pki-ca

Tomcat still doesn’t start: start-post operation timed out. Terminating.[edit | edit source]

Tomcat doesn’t start as it times out.

pki-tomcatd@pki-tomcat.service: start-post operation timed out. Terminating.
pki-tomcatd@pki-tomcat.service: Control process exited, code=killed, status=15/TERM
pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.

There’s likely still something tomcat can’t write to.

It seemed to get better when made the ownerships for /data/var/lib/pki/pki-tomcat/logs/ and /var/log/pki/pki-tomcat to pkiuser.

To help troubleshoot, su as pkiuser and try running tomcat as per the service file and see if you get any stack traces.

IPA Web GUI reports «Your session has expired. Please re-login»[edit | edit source]

Review the logs for dirsrv and see if there are any errors.

# tail -f /var/log/dirsrv/slapd-*/access

For this instance, this was caused when I accidentally removed /etc/dirsrv/ds.keytab.

Configuring Samba issues[edit | edit source]

When running # ipa-adtrust-install —add-sids, you get:

# ipa-adtrust-install --add-sids
...
Configuring CIFS
  [1/25]: validate server hostname
  [error] ValueError: Host reports different name than configured: 'ipa' versus 'ipa.home.steamr.com'. Samba requires to have the same hostname or Kerberos principal 'cifs/ipa.home.steamr.com' will not be found in Samba keytab.
Unexpected error - see /var/log/ipaserver-adtrust-install.log for details:
ValueError: Host reports different name than configured: 'ipa' versus 'ipa.home.steamr.com'. Samba requires to have the same hostname or Kerberos principal 'cifs/ipa.home.steamr.com' will not be found in Samba keytab.

Ensure that your hostname is the full FQDN.

# hostname
ipa
# hostname -f
ipa.home.steamr.com

## You need to fix the hostname so that this is what you get:
# hostname ipa.home.steamr.com
# hostname
ipa.home.steamr.com

Once the hostname is fixed, try the command again.

DNS is missing A/AAAA entries for hosts[edit | edit source]

When trying to add a new host, the DNS silently gets ignored. Possible issues:

• I think this is related to this error when running ipa-client-install: Could not update DNS SSHFP records..
• Possibly bad DNS entries during install was detected and it skipped the DNS tasks?

  Hostname (fc37.home.steamr.com) does not have A/AAAA record.
  Failed to update DNS records.
  Missing A/AAAA record(s) for host fc37.home.steamr.com: 10.1.2.32.
  Incorrect reverse record(s):
  10.1.2.32 is pointing to fc35.home.steamr.com. instead of fc37.home.steamr.com.
  

Without this DNS entry set, other issues will crop up later on:

[root@ipa /]# ipa service-add cifs/dnas.home.steamr.com
ipa: ERROR: Host 'dnas.home.steamr.com' does not have corresponding DNS A/AAAA record

The quick work-around would be to add the DNS entry manually and try again.

See also[edit | edit source]

• https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/ — Older guide walking how to set up FreeIPA and Samba
• https://blog.cubieserver.de/2018/synology-nas-samba-nfs-and-kerberos-with-freeipa-ldap/
• https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA — Samba integration using kerberos (not ipasam)
• https://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

We have a working FreeIPA installation, it’s in production since February. Almost everything works as expected but when we try to run command-line FreeIPA-related tools none of them work:

[admin@ipa ~]$ kinit admin
Password for admin@EXAMPLE.COM: 
[admin@ipa ~]$ klist
Ticket cache: KEYRING:persistent:8800000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
06/30/2014 21:19:30  07/01/2014 21:19:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[admin@ipa ~]$ ipa pwpolicy-show global_policy
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)
[admin@ipa ~]$

I’m not a Kerberos expert and don’t really know what to check. How can we debug and resolve this?

Update: when I add -vv I get the following:

[admin@ipa ~]$ ipa -vv pwpolicy-show global_policy
ipa: INFO: trying https://ipa.example.com/ipa/xml
ipa: INFO: Forwarding 'pwpolicy_show' to server 'https://ipa.example.com/ipa/xml'
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)
[admin@ipa ~]$

Update 2: the content of /etc/krb5.conf follows:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com:88
  master_kdc = ipa.example.com:88
  admin_server = ipa.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[dbmodules]
  EXAMPLE.COM = {
    db_library = ipadb.so
  }

Update 3: This is a single-server installation, the distro is Fedora 19 and FreeIPA version is 3.3.5

Репликация домена IPA в ОС RELS и «КОБАЛЬТ»

Содержание

Применимость

Назначение

В этой инструкции описан процесс развёртывания резервного сервера IPA (Identification, Policy and Audit) при наличии основного. Предполагается, что у вас уже работает основной сервер домена, настроенный по инструкции.

Список поддерживаемых ОС

• ROSA Enterprise Linux Server (RELS) версии 6.6 и выше
• РОСА «КОБАЛЬТ»

Если основной сервер домена развёрнут на ОС РОСА «КОБАЛЬТ», то репликация возможна на любую из поддерживаемых ОС, т. е как непосредственно на сам «КОБАЛЬТ», так и на RELS.

Настройки серверов

Предполагается, что на момент настройки репликации у вас есть сервер с установленной ОС RELS или РОСА «КОБАЛЬТ» в варианте «Минимальная». Все команды выполняются от имени администратора (root).

В примерах, приводимых в данной инструкции, предполагается, что серверы имеют следующие сетевые параметры:

Установка FreeIPA

Настройка DNS и hostname

• Убедитесь, что в качестве первого DNS-сервера используется будущий сервер домена IPA. Если в сети планируется использовать короткие имена машин, также должна быть прописана корректная опция domain или search . В файле /etc/resolv.conf должны содержаться записи следующего вида:

Убедитесь, что имя сервера (hostname) записано строчными буквами. Имя сервера задаётся в файле /etc/sysconfig/network.

Установка оснастки

• Установите оснастку для сервера IPA:

• Проверьте корректность сетевых параметров в файле /etc/hosts:

Содержимое файла должно иметь следующий вид:

Последняя строка должна указывать на сервер.

Настройка репликации

Подготовка

Выполните подготовительные команды:

Добавление резервного сервера в DNS

Добавить запись о резервном сервере в DNS можно двумя способами.

• Способ 1. Подключитесь с серверу домена с помощью браузера и воспользуйтесь графической утилитой управления доменом «Identity Managment»:

• Способ 2. На основном сервере IPA выполните следующую команду:

Возможно, на этом этапе вы получите сообщение вида:

В этом случае нужно получить билет Kerberos:

Подготовка к репликации на основном сервере

• Создайте ключи и сертификаты для резервного сервера:

• Скопируйте их на резервный сервер:

Если второй сервер работает под управлением ОС РОСА «КОБАЛЬТ», выполните downgrade nss:

Запуск сервера репликации

Инициализируйте сервер репликации, выполнив на резервном сервере следующую команду:

Сначала будет выполнена проверка доступности портов на основном сервере. Если какие-либо порты не доступны, проверьте настройки межсетевого экрана, если таковой существует между серверами, а также сервиса блокировки портов iptables на обоих серверах.

Источник

Portal:FreeIPA/Troubleshoot

Contents

General Information

FreeIPA is a complicated system and requires the cooperation of directory, name resolution, authentication and web services. Please carefully read the Installation Guide before attempting server/replica/client installation.

Troubleshoot Certificate Authority

YaST fails to create CA with error «According to ‘basicConstraints’, this is not a CA.»

There is currently a bug in the YaST CA Management module, when you create a new CA, the default constraints are not properly configured and CA creation fails. To resolve the issue, visit «Advanced Options» when prompted for new CA password, and set CA «CA:true» under «Basic Constraints».

YaST fails to create server certificate with error «Signing certificate failed.»

Click «Details» button to learn the error details. Most commonly the valid period of the server certificate is incorrectly set to exceed the valid period of CA; if this is the case, decrease the valid period of the certificate and try again.

Troubleshoot Common CA and LDAP configuration

Command update-ca-certificates does not produce any output

This is normal. The command only produces output when an error is encountered.

File /etc/openldap/ldap.conf does not exist

Please install OpenLDAP client package:

Troubleshoot FreeIPA Server/Replica Installation

Access installation log file

ipa-server-install command writes logging information into file /var/log/ipaserver-install.log. To inspect the log file while IPA server is being installed, run:

ipa-replica-install command writes logging information into file /var/log/ipareplica-install.log. To inspect the log file while IPA replica is being installed, run:

Occasionally binary-only content is written into the log files during the installation process (a known issue), therefore it is necessary to use «cat -v» to turn the binary content into readable characters.

Clean up after a failed run of ipa-server-install

If ipa-server-install installation has started but fails to complete successfully, the next installation attempt will fail with message «IPA server is already configured on this system.». It is necessary to clean up the incomplete installation by running:

before making another installation attempt.

Clean up after a failed run of ipa-replica-install

If ipa-replica-install installation has started but fails to complete successfully, the next installation attempt will fail. It is necessary to clean up the incomplete installation by running on the replica:

And run on replica Target machine (not the replica machine itself):

Then you may re-try replica installation.

«>The server certificate is not valid: invalid for server

Make sure that the certificate file used for FreeIPA service satisfies all of these conditions:

1. It is in PKCS12 format.
2. It is a Server certificate (not a Client certificate).
3. It contains both certificate and key.
4. It does not contain CA or sub-CA certificate.
5. The certificate common name matches server fully-qualified-domain-name exactly.

hostname: Name or service not known

Sometimes NetworkManager can cause hostname-unknown issue, please disable NetworkManager and use Wicked Service for network setup. Consult YaST Network Settings manual for more details.

If NetworkManager is determined not to be the cause of host name trouble, correct host name and FQDN manually via «hostnamectl» command and manually enter the FQDN and short host name into /etc/hosts, then proceed with FreeIPA server/replica installation.

Troubleshoot FreeIPA Administration Tools

Access web service log files

FreeIPA web application runs on Apache web server.

Apache web server daemon logs critical and startup errors in system journal, accessible via:

Web access log and FreeIPA web application errors are logged in conventional log files, located by default under «/var/log/apache2».

Command line tool «ipa» gives error «did not receive Kerberos credentials»

Before using the command line tool «ipa», your current system user must have already obtained a Kerberos ticket with IPA administrative privilege. Use command «klist» to determine whether a Kerberos ticket has been obtained, and if not, obtain a new ticket via:

and then retry the ipa command.

Troubleshoot FreeIPA Client

Access authentication daemon log

FreeIPA client runs SSSD (System Security Services Daemon), whose logs are accessible via:

SSSD complains «Key table entry not found»

(Or alternatively «Failed to initialize credentials using keytab», «Client . not found in Kerberos database.»)

The error indicates SSSD was looking for your client host’s Kerberos key but it is not found in Kerberos keytab file (/etc/krb5.keytab).

There are several possible causes:

• Keytab file is empty.
• Keytab file does not belong to this client machine (incorrect placement).
• Client machine’s FQDN does not match the principal name in keytab file due to name resolution error.
• Client machine’s host name does not reflect the FQDN used by IPA database to identify the host.

In any case, inspect the keytab file content by running command:

The result should show more than one entries belonging to principal «host/ .domain@DOMAIN_REALM», e.g.:

If the keytab file appears empty or the principal name does not match with the client’s fully-qualified-domain-name, it is necessary to re-retrieve the client’s keytab file via «ipa-getkeytab» command. Refer to Installation Guide for detailed procedure.

If the keytab file content looks correct, then there is a possibility of name resolution error on the client side. Re-visit YaST Authentication Client module and enter the expected FQDN from client (e.g. «pulautin.linuxdom.net») into domain parameter «ipa_hostname», and see if the problem is eliminated. If the problem is eliminated, then check the private network’s domain name and DNS server settings on DHCP server.

Desktop or remote login using IPA credentials fails on the client

Inspect all system journal:

While re-attempting a login, to determine the failure reason.

Please note that it is sometimes necessary to reboot the client machine after it is configured as IPA client for the very first time.

Источник

No Kerberos credentials available #374

Comments

rezaa1 commented Aug 26, 2020 •

ipa-server-4.6.6-11.el7.centos.x86_64
freeipa collection version 0.1.12

The playbook works with some users, and not working for other users!

This is a task I have:

The text was updated successfully, but these errors were encountered:

rjeffman commented Aug 26, 2020

@rezaa1, can you run the CLI command ipa hostgroup-add-member with the users that are failing to execute this playbook?

I usually see this error with expired passwords.

rezaa1 commented Aug 27, 2020 •

The password is not expired, I can login to servers with that user. but that user is service user which has no access, I use admin credential with the playbook to run the commands

Here you see the same error when i try the command line.

I don’t expect the api to use, user’s keytab/credetnials

rjeffman commented Aug 27, 2020

That behaviour is expected if you did not run kinit before the commands.

I’d like to ask you a few things so we can find what is wrong.

Log into the machine, run kinit admin , run klist -A , run ipa hostgroup-add-member . Do NOT log out, or run kdestroy .

Back in the controller, try to run the playbook that failed before. If you have any errors, check the kinit you find in /var/log/krb5kdc.log.

rezaa1 commented Aug 31, 2020

yes that works this way, but i am running this module with admin credntial and expect to be able to run it, my kerberose ticket will expire after 24h so you mean each time i need to run this command i have to go on the server and run kinit? That doesn’t look good.

t-woerner commented Aug 31, 2020

@rezaa1 Please explain what «The playbook works with some users, and not working for other users!» means. Which users are these?
The use of kinit is needed for the command line ipa hostgroup-add-member , but not for the ansible-freeipa module. The module is using kinit internally.

rezaa1 commented Sep 2, 2020

for instance my normal user which I always login as works, but this service account which we only use it for tower to login and do tasks, it won’t work.
The issue is , as soon as we login to the server and then su — ansible, then kinit admin the playbook works too. but when we do kdestroy in command line , it fails!

t-woerner commented Sep 3, 2020 •

Do you have environment variables KRB5CCNAME or KRB5_CLIENT_KTNAME set? Your ccache is referencing a KEYRING.

rezaa1 commented Nov 5, 2020

yes i have the variable set, but it doesn’t do anything. if you do not have valid Kerberos ticket.

t-woerner commented Nov 18, 2020

These variables are used by the modules. Where have you set these variables? For the service user locally or in the ansible environment? Please verify that the settings of the variables are correct. Are you using become_method: ksu ?

rezaa1 commented Jan 14, 2021 •

I use become_method: sudo, the only way i could get it working was to set become: false

About KRB5CCNAME and KRB5_CLIENT_KTNAME variable, i am not sure what they should set to, as I have no cached credentials on the remote server.

mproehl commented Mar 9, 2022

Why should it be necessary to set KRB5CCNAME when Kerberos credentials are available in the default credential cache?

Footer

© 2023 GitHub, Inc.

You can’t perform that action at this time.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.

Источник

Troubleshooting/Kerberos

This page contains Kerberos troubleshooting advice, including trusts. For other issues, refer to the index at Troubleshooting.

Contents

kinit does not work

• On client, see the debug messages from the kinit process itself:
• Make sure that there are no DNS Issues and that forward (A and/or AAAA) records of the client are OK.
• Make sure that krb5kdc and dirsrv services on the FreeIPA server are running
• Check for errors in /var/log/krb5kdc.log

Service does not start

• See service log of the respective service for the exact error text. For example, the Directory Server stores the log in /var/log/dirsrv/slapd-REALM-NAME/errors
• Make sure that the server the service is running on has a fully qualified domain name
• Make sure that if /etc/hosts contains an entry for this server, the fully qualified domain name comes first, e.g.:
• See what keys are in the keytab used for authentication of the service, e.g.:
• Make sure that the stored principals match the system FQDN system name
• Make sure that the version of the keys (KVNO) stored in the keytab and in the FreeIPA server match:
• Make sure that there are no DNS Issues and both forward and reverse DNS records of the are OK and match the system name and the stored principal keys
• Make sure that the system time difference on the host and FreeIPA server is not greater than 5 minutes

Cannot authenticate on client

• If FreeIPA was re-enrolled against different FreeIPA server, try removing SSSD caches (/var/lib/sss/db/*) and restarting the SSSD service (freeipa-users thread)

For further advise, see SSSD guide for troubleshooting problems on clients, including tips for gathering SSSD log files.

Failed auth increments failed login count by 2

• This happens when migration mode is enabled. After normal auth attempt SSSD performs LDAP bind to generate Kerberos keys. This failure raises the counter for second time.
• Resolution: disable migration mode when all users are migrated by

Cannot authenticate user with OTP with Google Authenticator

• This happens when hash function other that SHA-1 is used and OTP code is generated using Google Authenticator (encountered with 4.74). Google Authenticator ignores the hash function and uses SHA-1 anyway making the generated codes unusable. Use FreeOTP application or OTP tokens with SHA-1 hash function. related freeipa-users thread.

Smart Card authentication

For Kerberos PKINIT authentication both client and server (KDC) side must have support for PKINIT enabled. On Fedora/RHEL/CentOS systems this means an RPM package krb5-pkinit or similar should be installed. If a client system lacks krb5-pkinit package, a client will not be able to use a smartcard to obtain an initial Kerberos ticket (TGT). This is hard to notice as Kerberos client will simply have no way to respond to the pre-authentication scheme for PKINIT. Thus, a first step in resolving issues with PKINIT would be to check that krb5-pkinit package is installed.

Trusts

Ubuntu distributions at this time don’t support Trust feature of FreeIPA. See https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249 for more details.

Cannot create trust with trust-add

See separate page with instructions how to debug trust creating issues.

Источник

Применимость

Назначение

В этой инструкции описан процесс развёртывания резервного сервера IPA (Identification, Policy and Audit) при наличии основного. Предполагается, что у вас уже работает основной сервер домена, настроенный по инструкции.

Список поддерживаемых ОС

• ROSA Enterprise Linux Server (RELS) версии 6.6 и выше
• РОСА «КОБАЛЬТ»

Если основной сервер домена развёрнут на ОС РОСА «КОБАЛЬТ», то репликация возможна на любую из поддерживаемых ОС, т. е как непосредственно на сам «КОБАЛЬТ», так и на RELS.

Настройки серверов

Предполагается, что на момент настройки репликации у вас есть сервер с установленной ОС RELS или РОСА «КОБАЛЬТ» в варианте «Минимальная». Все команды выполняются от имени администратора (root).

В примерах, приводимых в данной инструкции, предполагается, что серверы имеют следующие сетевые параметры:

Основной сервер:

Имя: dc1.test.dom
IP: 192.168.76.47/24

Резервный сервер:

Имя: dc2.test.dom
IP: 192.168.76.82/24

Установка FreeIPA

Настройка DNS и hostname

• Убедитесь, что в качестве первого DNS-сервера используется будущий сервер домена IPA. Если в сети планируется использовать короткие имена машин, также должна быть прописана корректная опция domain или search. В файле /etc/resolv.conf должны содержаться записи следующего вида:

search test.dom
nameserver 192.168.76.47

Убедитесь, что имя сервера (hostname) записано строчными буквами. Имя сервера задаётся в файле /etc/sysconfig/network.

cat /etc/sysconfig/network

HOSTNAME=dc2.test.dom
NETWORKING=yes
NISDOMAIN=test.dom

Установка оснастки

• Установите оснастку для сервера IPA:

yum install bind-dyndb-ldap bind ipa-server

• Проверьте корректность сетевых параметров в файле /etc/hosts:

cat /etc/hosts

Содержимое файла должно иметь следующий вид:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1   localhost localhost.localdomain localhost6 localhost6.localdomain6 
192.168.76.82  dc2.test.dom dc2

Последняя строка должна указывать на сервер.

Настройка репликации

Подготовка

Выполните подготовительные команды:

rm -f /etc/portreserve/slapd
service portreserve restart
yum remove firefox thunderbird
yum downgrade nss nss-tools nss-sysinit nss-util

Добавление резервного сервера в DNS

Добавить запись о резервном сервере в DNS можно двумя способами.

• Способ 1. Подключитесь с серверу домена с помощью браузера и воспользуйтесь графической утилитой управления доменом «Identity Managment»:

• Способ 2. На основном сервере IPA выполните следующую команду:

ipa dnsrecord-add test.dom dc2 --a-rec 192.168.76.82

Возможно, на этом этапе вы получите сообщение вида:

ipa: ERROR: не получены регистрационные данные Kerberos

В этом случае нужно получить билет Kerberos:

kinit admin

Подготовка к репликации на основном сервере

• Создайте ключи и сертификаты для резервного сервера:

ipa-replica-prepare dc2.test.dom --ip-address 192.168.76.82

Directory Manager (existing master) password: 
Preparing replica for dc2.test.dom from dc1.test.dom
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-dc2.test.dom.gpg
Adding DNS records for dc2.test.dom
Using reverse zone 76.168.192.in-addr.arpa.

• Скопируйте их на резервный сервер:

scp /var/lib/ipa/replica-info-dc2.test.dom.gpg root@dc2.test.dom:/var/lib/ipa/

Если второй сервер работает под управлением ОС РОСА «КОБАЛЬТ», выполните downgrade nss:

yum remove  firefox thunderbird
yum downgrade nss nss-tools nss-sysinit nss-util

Запуск сервера репликации

Инициализируйте сервер репликации, выполнив на резервном сервере следующую команду:

ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-dc2.test.dom.gpg

Сначала будет выполнена проверка доступности портов на основном сервере. Если какие-либо порты не доступны, проверьте настройки межсетевого экрана, если таковой существует между серверами, а также сервиса блокировки портов iptables на обоих серверах.

OS: Centos7u3

packages:
freeipa-letsencrypt]# rpm -qa | grep ^ipa
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-common-4.4.0-14.el7.centos.7.noarch

Listening ports:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      6487/kadmind
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      6487/kadmind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4754/sshd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      6482/krb5kdc
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1025/master
tcp6       0      0 :::749                  :::*                    LISTEN      6487/kadmind
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::8080                 :::*                    LISTEN      6677/java
tcp6       0      0 :::80                   :::*                    LISTEN      6500/httpd
tcp6       0      0 :::464                  :::*                    LISTEN      6487/kadmind
tcp6       0      0 :::22                   :::*                    LISTEN      4754/sshd
tcp6       0      0 :::88                   :::*                    LISTEN      6482/krb5kdc
tcp6       0      0 :::8443                 :::*                    LISTEN      6677/java
tcp6       0      0 :::443                  :::*                    LISTEN      6500/httpd
tcp6       0      0 :::636                  :::*                    LISTEN      6433/ns-slapd
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      6677/java
tcp6       0      0 :::389                  :::*                    LISTEN      6433/ns-slapd
tcp6       0      0 ::1:8009                :::*                    LISTEN      6677/java

I edited setup-le.sh and changed dnf for yum.

freeipa-letsencrypt]# ./setup-le.sh
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                                                                                                              | 3.6 kB  00:00:00
epel/x86_64/metalink                                                                                                                              |  14 kB  00:00:00
epel                                                                                                                                              | 4.3 kB  00:00:00
extras                                                                                                                                            | 3.4 kB  00:00:00
updates                                                                                                                                           | 3.4 kB  00:00:00
(1/5): epel/x86_64/group_gz                                                                                                                       | 170 kB  00:00:00
(2/5): epel/x86_64/updateinfo                                                                                                                     | 789 kB  00:00:00
(3/5): extras/7/x86_64/primary_db                                                                                                                 | 188 kB  00:00:00
(4/5): epel/x86_64/primary_db                                                                                                                     | 4.8 MB  00:00:00
(5/5): updates/7/x86_64/primary_db                                                                                                                | 7.7 MB  00:00:00
Determining fastest mirrors
 * base: mirror.cisp.com
 * epel: s3-mirror-us-east-1.fedoraproject.org
 * extras: linux.cc.lehigh.edu
 * updates: mirrors.advancedhosters.com
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:0.14.1-3.el7 will be installed
--> Processing Dependency: python2-certbot = 0.14.1-3.el7 for package: certbot-0.14.1-3.el7.noarch
--> Running transaction check
---> Package python2-certbot.noarch 0:0.14.1-3.el7 will be installed
--> Processing Dependency: python2-acme = 0.14.1 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python2-dialog >= 3.3.0 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python2-configargparse >= 0.10.0 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-psutil >= 2.1.0 for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python2-future for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-parsedatetime for package: python2-certbot-0.14.1-3.el7.noarch
--> Processing Dependency: python-mock for package: python2-certbot-0.14.1-3.el7.noarch
--> Running transaction check
---> Package python-parsedatetime.noarch 0:1.5-3.el7 will be installed
---> Package python-psutil.x86_64 0:2.2.1-1.el7 will be installed
---> Package python-zope-component.noarch 1:4.1.0-3.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-3.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed
---> Package python2-acme.noarch 0:0.14.1-1.el7 will be installed
--> Processing Dependency: pytz for package: python2-acme-0.14.1-1.el7.noarch
--> Processing Dependency: python-pyrfc3339 for package: python2-acme-0.14.1-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-0.14.1-1.el7.noarch
---> Package python2-configargparse.noarch 0:0.11.0-1.el7 will be installed
---> Package python2-dialog.noarch 0:3.3.0-6.el7 will be installed
--> Processing Dependency: dialog for package: python2-dialog-3.3.0-6.el7.noarch
---> Package python2-future.noarch 0:0.16.0-2.el7 will be installed
---> Package python2-mock.noarch 0:1.0.1-9.el7 will be installed
--> Running transaction check
---> Package dialog.x86_64 0:1.2-4.20130523.el7 will be installed
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-pyrfc3339.noarch 0:1.0-2.el7 will be installed
---> Package pytz.noarch 0:2012d-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================================================================
 Package                                           Arch                              Version                                       Repository                       Size
=========================================================================================================================================================================
Installing:
 certbot                                           noarch                            0.14.1-3.el7                                  epel                             19 k
Installing for dependencies:
 dialog                                            x86_64                            1.2-4.20130523.el7                            base                            208 k
 python-ndg_httpsclient                            noarch                            0.3.2-1.el7                                   epel                             43 k
 python-parsedatetime                              noarch                            1.5-3.el7                                     epel                             61 k
 python-psutil                                     x86_64                            2.2.1-1.el7                                   epel                            114 k
 python-zope-component                             noarch                            1:4.1.0-3.el7                                 epel                            227 k
 python-zope-event                                 noarch                            4.0.3-2.el7                                   epel                             79 k
 python-zope-interface                             x86_64                            4.0.5-4.el7                                   base                            138 k
 python2-acme                                      noarch                            0.14.1-1.el7                                  epel                            170 k
 python2-certbot                                   noarch                            0.14.1-3.el7                                  epel                            417 k
 python2-configargparse                            noarch                            0.11.0-1.el7                                  epel                             30 k
 python2-dialog                                    noarch                            3.3.0-6.el7                                   epel                             94 k
 python2-future                                    noarch                            0.16.0-2.el7                                  epel                            799 k
 python2-mock                                      noarch                            1.0.1-9.el7                                   epel                             92 k
 python2-pyrfc3339                                 noarch                            1.0-2.el7                                     epel                             13 k
 pytz                                              noarch                            2012d-5.el7                                   base                             38 k

Transaction Summary
=========================================================================================================================================================================
Install  1 Package (+15 Dependent packages)

Total download size: 2.5 M
Installed size: 11 M
Downloading packages:
(1/16): certbot-0.14.1-3.el7.noarch.rpm                                                                                                           |  19 kB  00:00:00
(2/16): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm                                                                                             |  43 kB  00:00:00
(3/16): python-parsedatetime-1.5-3.el7.noarch.rpm                                                                                                 |  61 kB  00:00:00
(4/16): python-psutil-2.2.1-1.el7.x86_64.rpm                                                                                                      | 114 kB  00:00:00
(5/16): python-zope-component-4.1.0-3.el7.noarch.rpm                                                                                              | 227 kB  00:00:00
(6/16): python-zope-event-4.0.3-2.el7.noarch.rpm                                                                                                  |  79 kB  00:00:00
(7/16): python2-acme-0.14.1-1.el7.noarch.rpm                                                                                                      | 170 kB  00:00:00
(8/16): python2-certbot-0.14.1-3.el7.noarch.rpm                                                                                                   | 417 kB  00:00:00
(9/16): python2-configargparse-0.11.0-1.el7.noarch.rpm                                                                                            |  30 kB  00:00:00
(10/16): python2-dialog-3.3.0-6.el7.noarch.rpm                                                                                                    |  94 kB  00:00:00
(11/16): python2-future-0.16.0-2.el7.noarch.rpm                                                                                                   | 799 kB  00:00:00
(12/16): python2-mock-1.0.1-9.el7.noarch.rpm                                                                                                      |  92 kB  00:00:00
(13/16): python2-pyrfc3339-1.0-2.el7.noarch.rpm                                                                                                   |  13 kB  00:00:00
(14/16): dialog-1.2-4.20130523.el7.x86_64.rpm                                                                                                     | 208 kB  00:00:02
(15/16): python-zope-interface-4.0.5-4.el7.x86_64.rpm                                                                                             | 138 kB  00:00:02
(16/16): pytz-2012d-5.el7.noarch.rpm                                                                                                              |  38 kB  00:00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                    740 kB/s | 2.5 MB  00:00:03
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-zope-interface-4.0.5-4.el7.x86_64                                                                                                             1/16
  Installing : dialog-1.2-4.20130523.el7.x86_64                                                                                                                     2/16
  Installing : python2-dialog-3.3.0-6.el7.noarch                                                                                                                    3/16
  Installing : pytz-2012d-5.el7.noarch                                                                                                                              4/16
  Installing : python-parsedatetime-1.5-3.el7.noarch                                                                                                                5/16
  Installing : python2-future-0.16.0-2.el7.noarch                                                                                                                   6/16
  Installing : python-psutil-2.2.1-1.el7.x86_64                                                                                                                     7/16
  Installing : python-zope-event-4.0.3-2.el7.noarch                                                                                                                 8/16
  Installing : 1:python-zope-component-4.1.0-3.el7.noarch                                                                                                           9/16
  Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch                                                                                                           10/16
  Installing : python2-pyrfc3339-1.0-2.el7.noarch                                                                                                                  11/16
  Installing : python2-acme-0.14.1-1.el7.noarch                                                                                                                    12/16
  Installing : python2-configargparse-0.11.0-1.el7.noarch                                                                                                          13/16
  Installing : python2-mock-1.0.1-9.el7.noarch                                                                                                                     14/16
  Installing : python2-certbot-0.14.1-3.el7.noarch                                                                                                                 15/16
  Installing : certbot-0.14.1-3.el7.noarch                                                                                                                         16/16
restorecon:  lstat(/etc/letsencrypt) failed:  No such file or directory
  Verifying  : python2-certbot-0.14.1-3.el7.noarch                                                                                                                  1/16
  Verifying  : python2-mock-1.0.1-9.el7.noarch                                                                                                                      2/16
  Verifying  : python2-configargparse-0.11.0-1.el7.noarch                                                                                                           3/16
  Verifying  : python2-pyrfc3339-1.0-2.el7.noarch                                                                                                                   4/16
  Verifying  : python-zope-interface-4.0.5-4.el7.x86_64                                                                                                             5/16
  Verifying  : python-ndg_httpsclient-0.3.2-1.el7.noarch                                                                                                            6/16
  Verifying  : python-zope-event-4.0.3-2.el7.noarch                                                                                                                 7/16
  Verifying  : python-psutil-2.2.1-1.el7.x86_64                                                                                                                     8/16
  Verifying  : certbot-0.14.1-3.el7.noarch                                                                                                                          9/16
  Verifying  : 1:python-zope-component-4.1.0-3.el7.noarch                                                                                                          10/16
  Verifying  : python2-dialog-3.3.0-6.el7.noarch                                                                                                                   11/16
  Verifying  : python2-future-0.16.0-2.el7.noarch                                                                                                                  12/16
  Verifying  : python-parsedatetime-1.5-3.el7.noarch                                                                                                               13/16
  Verifying  : python2-acme-0.14.1-1.el7.noarch                                                                                                                    14/16
  Verifying  : pytz-2012d-5.el7.noarch                                                                                                                             15/16
  Verifying  : dialog-1.2-4.20130523.el7.x86_64                                                                                                                    16/16

Installed:
  certbot.noarch 0:0.14.1-3.el7

Dependency Installed:
  dialog.x86_64 0:1.2-4.20130523.el7                        python-ndg_httpsclient.noarch 0:0.3.2-1.el7              python-parsedatetime.noarch 0:1.5-3.el7
  python-psutil.x86_64 0:2.2.1-1.el7                        python-zope-component.noarch 1:4.1.0-3.el7               python-zope-event.noarch 0:4.0.3-2.el7
  python-zope-interface.x86_64 0:4.0.5-4.el7                python2-acme.noarch 0:0.14.1-1.el7                       python2-certbot.noarch 0:0.14.1-3.el7
  python2-configargparse.noarch 0:0.11.0-1.el7              python2-dialog.noarch 0:3.3.0-6.el7                      python2-future.noarch 0:0.16.0-2.el7
  python2-mock.noarch 0:1.0.1-9.el7                         python2-pyrfc3339.noarch 0:1.0-2.el7                     pytz.noarch 0:2012d-5.el7

Complete!
WARNING: yacc table file version is out of date
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
WARNING: yacc table file version is out of date
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying https://pae01.domain.org/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient_30052752
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json server 'https://pae01.domain.org/ipa/json'
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient_30052752
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 54, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 118, in get_package
    plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 543, in get_package
    schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 387, in __init__
    fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 426, in _fetch
    schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 986, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 967, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1117, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1084, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 617, in single_request
    h = SSLTransport.make_connection(self, host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 492, in make_connection
    host, self._extra_headers, x509 = self.get_host_info(host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 574, in get_host_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 547, in _handle_exception
    raise errors.CCacheError()

ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command failed, exception: CCacheError: did not receive Kerberos credentials
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: did not receive Kerberos credentials
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command failed.

[root@pae01 freeipa-letsencrypt]# ls -l
total 148
drwxr-xr-x. 2 root root   4096 Jul 11 21:31 ca
-rw-r--r--. 1 root root   7183 Jul 11 22:10 lextab.py
-rw-r--r--. 1 root root    764 Jul 11 21:31 README.md
-rwxr-xr-x. 1 root root   1135 Jul 11 21:52 renew-le.sh
-rwxr-xr-x. 1 root root    394 Jul 11 21:53 setup-le.sh
-rw-r--r--. 1 root root 126135 Jul 11 22:10 yacctab.py
[root@pae01 freeipa-letsencrypt]# python --version
Python 2.7.5

[root@vm-078 ~]$ ipa group-add --desc=desc group$RANDOM
ipa: ERROR: did not receive Kerberos credentials

[root@vm-078 ~]# echo $KRB5CCNAME

[root@vm-078 ~]# ls /tmp/krb5cc*
ls: cannot access /tmp/krb5cc*: No such file or directory

[root@vm-078 ~]# rpm -qa | grep wsgi
mod_wsgi-3.4-2.fc18.x86_64
[root@vm-078 ~]# rpm -qa | grep freeipa-server
freeipa-server-trust-ad-3.0.99GITeb57d47-0.fc18.x86_64
freeipa-server-3.0.99GITeb57d47-0.fc18.x86_64
freeipa-server-selinux-3.0.99GITeb57d47-0.fc18.x86_64

Login
to comment on this ticket.