Oh wow. Well, thank you very much for showing me how to enable the debug 
logging for the whole app stack; that proved to reveal exactly what the issue 
was.

Turns out Apache mod_security was blocking the access from "ipa host-del". 

[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] 
[client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern 
match 
"(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$))"
 at ARGS:size. [file 
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
 [line "208"] [id "942220"] [rev "2"] [msg "Looking for intiger overflow 
attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the 
\\"magic number\\" crash"] [data "Matched Data: 2147483647 found within 
ARGS:size: 2147483647"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity 
"9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag 
"platform-multi"] [tag "attack-sqli"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname 
"SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] 
[client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied 
with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file 
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
 [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 
5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] 
[tag "platform-multi"] [tag "attack-generic"] [hostname "SNIP"] [uri 
"/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] 
[client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. 
Operator GE matched 5 at TX:inbound_anomaly_score. [file 
"/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line 
"73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 
5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Looking for intiger 
overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 
is the \\"magic number\\" crash"] [tag "event-correlation"] [hostname "SNIP"] 
[uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] 
[remote 10.39.42.117:53934] ipa: DEBUG: response status 403

I didn't specifically install or set up mod_security; I believe it's a default 
package, but I normally just disable it, as it causes all sorts of random 
headaches like this. Once I disabled it, I was able to delete the host via "ipa 
host-del". 

That at least solves that problem. Thank you for the suggestions!
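For anyone hitting the same 403: as an added example, not from the original poster, FreeIPA or the CRS project, here is how the specific false positive in the log above could be excluded instead of turning mod_security off. It assumes ModSecurity 2.x with OWASP CRS 3.0, as the log shows, and uses rule id 10000 as an assumed free local id.

```apache
# Added example (not from the original thread or from FreeIPA/CRS itself):
# a scoped exclusion for the false positive shown in the log above, as an
# alternative to disabling mod_security entirely. Rule 942220 (CRS 3.0
# integer overflow pattern) fired on the legitimate parameter
# ARGS:size=2147483647 sent to /ca/rest/certs/search; the resulting SQLI=5
# anomaly score met the inbound threshold of 5, so rule 949110 returned 403.

# Option A: runtime exclusion limited to the Dogtag CA REST endpoint.
# Must load BEFORE the CRS rule files (e.g. in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). The rule id 10000 is an
# assumed value in the local range; pick one that is free on your host.
SecRule REQUEST_URI "@beginsWith /ca/rest/certs/search" \
    "id:10000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942220;ARGS:size"

# Option B: static exclusion of ARGS:size from rule 942220 for every request.
# Must load AFTER the CRS rule files (e.g. in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). Broader than option A, so
# prefer A unless the parameter is trusted on every path.
# SecRuleUpdateTargetById 942220 "!ARGS:size"
```

After reloading httpd, the same "ipa host-del" request should pass phase 2 without the 942220 warning, while the rest of the CRS rule set stays active for the host.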
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org