[Freeipa-users] I have installed Kerberos, how can I install FreeIPA

2021-07-01 Thread ighack asdf via FreeIPA-users
I have installed Kerberos.

How can I install FreeIPA?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: pki-tomcatd fails to start with LDAP error authentication failed (48)

2021-07-01 Thread Floyd Lorch via FreeIPA-users
I had this same problem. After the most recent update I was getting
Authentication Failed (48) in the tomcat debug log during the database
upgrade. Rolling back 389-ds-base from 1.4.3.16-16 to 1.4.3.16-13 resolved
that issue. Thank you.

On Thu, Jul 1, 2021, 1:02 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Tiemen Ruiten via FreeIPA-users wrote:
> > Hello,
> >
> > On a newly installed CentOS 8 IPA master (a few days ago), the
> > pki-tomcatd@pki-tomcat service fails to start and logs LDAP
> > authentication failed (48) in
> > /var/log/pki/pki-tomcat/ca/debug.2021-07-01.log. See below. This
> > happened after I dnf upgraded the master and replica at the same time,
> > my mistake.
>
> Try downgrading 389-ds-base.
>
> rob
>
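Floyd's reply above names the 389-ds-base build he rolled back from (1.4.3.16-16) and the one that worked (1.4.3.16-13). The following is an added example, not code from the thread, from FreeIPA or from 389-ds: it reads `rpm -qa` output collected from a fleet and flags the hosts whose 389-ds-base is at or above the reported build, using a port of rpm's own version ordering so that a release like `16.module_el8.4.0+644+ed25d39e` compares correctly against a bare `16`. The inventory text and host names are constructed for illustration, and the choice to flag everything at or above 1.4.3.16-16 is an assumption: the thread does not say whether later builds carry a fix, so a flagged host is one to check, not one confirmed broken.

```python
"""Flag hosts whose 389-ds-base build is at or past the release reported as
breaking pki-tomcatd startup. Added example, not from the thread or from
FreeIPA; the inventory below is constructed `rpm -qa` output for made-up hosts."""
import re

# Boundary taken from Floyd's message (rolled back from -16 to -13). Flagging
# everything at or above -16 is an assumption: the thread does not say whether
# later builds fix the regression, so flagged hosts are candidates to check.
FIRST_BAD_EVR = "1.4.3.16-16"

# name-version-release.arch as printed by `rpm -qa`; the release may contain dots
NVRA = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): compare version strings segment by segment.
    Numeric segments compare as numbers, alphabetic ones as strings, a numeric
    segment beats an alphabetic one, '~' sorts before anything (1.0~rc1 < 1.0),
    and a string with segments left over sorts higher. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same_class = str.isdigit if isnum else str.isalpha
        start_a, start_b = i, j
        while i < len(a) and same_class(a[i]):
            i += 1
        while j < len(b) and same_class(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:  # different segment types: numeric is newer than alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(evr_a: str, evr_b: str) -> int:
    """Compare '[epoch:]version-release' strings the way rpm/dnf order them:
    epoch first (absent means 0), then version, then release."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    ea, va, ra = split(evr_a)
    eb, vb, rb = split(evr_b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def installed_evr(rpm_qa: str, package: str):
    """Return 'version-release' of `package` from `rpm -qa` text, or None."""
    for line in rpm_qa.splitlines():
        m = NVRA.match(line.strip())
        if m and m.group("name") == package:
            return f"{m.group('version')}-{m.group('release')}"
    return None


def affected_hosts(inventory, package="389-ds-base", first_bad=FIRST_BAD_EVR):
    """Map host -> installed EVR for every host at or above `first_bad`."""
    flagged = {}
    for host, rpm_qa in inventory.items():
        evr = installed_evr(rpm_qa, package)
        if evr is not None and evrcmp(evr, first_bad) >= 0:
            flagged[host] = evr
    return flagged


# Constructed sample inventory (not the thread's hosts): one host on the
# reported build, one already rolled back, one on an older build.
SAMPLE_INVENTORY = {
    "host-a": "ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64\n"
              "389-ds-base-1.4.3.16-16.module_el8.4.0+644+ed25d39e.x86_64\n",
    "host-b": "389-ds-base-1.4.3.16-13.module_el8.4.0+644+ed25d39e.x86_64\n",
    "host-c": "389-ds-base-1.4.3.16-8.module_el8.4.0+644+ed25d39e.x86_64\n",
}

if __name__ == "__main__":
    for host, evr in affected_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: 389-ds-base {evr} is at or above {FIRST_BAD_EVR}, check pki-tomcatd")
```

Run it against the real `rpm -qa` output of each server in place of SAMPLE_INVENTORY. The boundary is given in its shortest form on purpose: rpm's ordering makes any release with a module suffix sort above the bare `16`, so `16.module_el8...` is caught while `13.module_el8...` is not.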

[Freeipa-users] Re: bug in ldap_entry_reconstruct()

2021-07-01 Thread Kees Bakker via FreeIPA-users

Hi Flo,

No, there are none.

All three servers report:
search: 2
result: 0 Success

On 01-07-2021 21:01, Florence Renaud wrote:

Hi Kees,
can you also check if there are replication conflict entries? On each 
server:

export BASEDN=
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN 
"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict


flo



[Freeipa-users] Re: bug in ldap_entry_reconstruct()

2021-07-01 Thread Florence Renaud via FreeIPA-users
Hi Kees,
can you also check if there are replication conflict entries? On each
server:
export BASEDN=
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN
"(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict

flo

On Thu, Jul 1, 2021 at 2:35 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Kees Bakker via FreeIPA-users wrote:
> > Hey,
> >
> > In two of my three masters I see these error messages.
> >
> > Jul 01 09:38:38 linge.ghs.nl named-pkcs11[6945]: bug in
> > ldap_entry_reconstruct(): protocol violation: attempt to reconstruct
> > non-existing entry
> > Jul 01 09:38:38 linge.ghs.nl named-pkcs11[6945]: ldap_sync_search_entry
> > failed: not found
> >
> > It also so happens that DNS is not updated on these two systems.
> > We only use one master to update DNS, either via the web interface
> > or via DHCP-update. These changes are correctly found in LDAP, on
> > all three systems. However, the two other nameservers don't pick
> > up the changes.
> >
> > There are no "syncrepl_update" messages in the log (after increasing
> > trace level with rndc trace 10).
> >
> > To be honest, I don't know if the above errors are related to the missing
> > updates. I'm grasping at straws here.
> > Something is seriously wrong, but what? How can I debug this further?
> >
> > The two failing systems run CentOS 8 Stream. Some rpm info:
> > 389-ds-base-1.4.3.16-8.module_el8.4.0+644+ed25d39e.x86_64
> > ipa-server-4.9.2-3.module_el8.5.0+750+c59b186b.x86_64
>
> I don't really do DNS but both of these messages come from
> bind-dyndb-ldap, the LDAP backend for bind.
>
> There is slightly more syncrepl logging at level 20, but only slightly
> more.
>
> rob
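Florence's ldapsearch above prints any replication conflict entries as LDIF. As an added example (not part of the thread, of FreeIPA or of 389-ds), here is a small Python reader for that output that lists each conflict entry together with the DN it collided with, so the results from all three servers can be compared side by side. The LDIF in the block is constructed to look like such output and is not from Kees's servers. Two assumptions about 389-ds's naming are built in and marked in the code: a conflict entry's DN has the form `nsuniqueid=<id>+<original RDN>,<parent>`, and the nsds5ReplConflict value reads `namingConflict [(ADD)|(MODRDN)] <original DN>`.

```python
"""Read the LDIF printed by the conflict-entry ldapsearch and list each
replication conflict with the DN it collided with. Added example, not code
from the thread or from FreeIPA/389-ds. SAMPLE_LDIF is constructed to look
like ldapsearch output; it is not from any real server."""
import base64


def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes 'attr:: <base64>' values, drops comments, and returns one
    {attribute_lowercase: [values]} dict per blank-line-separated block."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded line: append without the space
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:  # trailing "" flushes the last block
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    return entries


def find_conflicts(ldif_text: str):
    """One record per conflict entry. Assumed 389-ds naming: the entry DN is
    'nsuniqueid=<id>+<original RDN>,<parent>' and the nsds5ReplConflict value
    is 'namingConflict [(ADD)|(MODRDN)] <original DN>'."""
    found = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry or "nsds5replconflict" not in entry:
            continue  # the 'search:'/'result:' trailer parses as a dn-less block
        dn = entry["dn"][0]
        reason, _, rest = entry["nsds5replconflict"][0].partition(" ")
        operation = None
        if rest.startswith("("):
            operation, _, rest = rest[1:].partition(") ")
        # the original RDN is also recoverable from the conflict DN itself
        from_dn = dn.split("+", 1)[1] if dn.lower().startswith("nsuniqueid=") else dn
        found.append({"dn": dn, "reason": reason, "operation": operation,
                      "original_dn": rest, "original_dn_from_rdn": from_dn})
    return found


# Constructed sample: two conflict entries (one DNS record, one user) plus the
# trailer ldapsearch prints; long lines are folded the way ldapsearch wraps them.
SAMPLE_LDIF = """\
# extended LDIF
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict

dn: nsuniqueid=0a1b2c3d-4e5f6a7b-8c9d0e1f-2a3b4c5d+idnsname=host42,idnsname=exam
 ple.test.,cn=dns,dc=example,dc=test
objectClass: top
objectClass: idnsrecord
objectClass: ldapSubEntry
idnsName: host42
aRecord: 192.0.2.42
nsds5ReplConflict: namingConflict (ADD) idnsname=host42,idnsname=example.test.,
 cn=dns,dc=example,dc=test

dn: nsuniqueid=1f2e3d4c-5b6a7988-9aabbccd-deeff001+uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: ldapSubEntry
uid: jdoe
nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=example,dc=test

# search result
search: 2
result: 0 Success

# numEntries: 2
"""

if __name__ == "__main__":
    # In practice, read the saved ldapsearch output of each server instead of SAMPLE_LDIF.
    for c in find_conflicts(SAMPLE_LDIF):
        print(f"{c['operation'] or 'conflict'}: {c['original_dn']}  <-  {c['dn']}")
```

Save the ldapsearch output per server, run the reader on each file, and diff the `original_dn` lists: a conflict on a DNS record under cn=dns that exists on one master only is exactly the kind of divergence that would keep the other nameservers from syncing that record.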


[Freeipa-users] Re: pki-tomcatd fails to start with LDAP error authentication failed (48)

2021-07-01 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten via FreeIPA-users wrote:
> Hello,
> 
> On a newly installed CentOS 8 IPA master (a few days ago), the
> pki-tomcatd@pki-tomcat service fails to start and logs LDAP
> authentication failed (48) in
> /var/log/pki/pki-tomcat/ca/debug.2021-07-01.log. See below. This
> happened after I dnf upgraded the master and replica at the same time,
> my mistake. 

Try downgrading 389-ds-base.

rob

> 
> I've gone through the troubleshooting steps described
> here: 
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> but all certificates appear to be correct. 
> 
> What else can I do?
> 
> RPM versions:
> [root@ipa-01 ca]# rpm -qa | grep ipa
> ipa-healthcheck-0.7-3.module_el8.5.0+750+c59b186b.noarch
> python3-libipa_hbac-2.4.0-9.el8_4.1.x86_64
> sssd-ipa-2.4.0-9.el8_4.1.x86_64
> python3-ipalib-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
> centos-logos-ipa-85.8-1.el8.noarch
> ipa-healthcheck-core-0.7-3.module_el8.5.0+750+c59b186b.noarch
> ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
> python3-ipaclient-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> python3-ipaserver-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> libipa_hbac-2.4.0-9.el8_4.1.x86_64
> ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
> ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
> 
> 
> <...>
> 2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store
> 2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store
> for internaldb
> 2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store
> for replicationdb
> 2021-07-01 17:28:20 [main] INFO: CMSEngine: Java version: 1.8.0_292
> 2021-07-01 17:28:20 [main] INFO: CMSEngine: security providers:
> 2021-07-01 17:28:20 [main] INFO: PluginRegistry: Loading plugin registry
> from /var/lib/pki/pki-tomcat/conf/ca/registry.cfg
> 2021-07-01 17:28:21 [main] SEVERE: LdapBoundConnFactory: Unable to
> connect to LDAP server: Authentication failed
> netscape.ldap.LDAPException: Authentication failed (48)
>         at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
>         at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
>         at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
>         at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
>         at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
>         at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
>         at netscape.ldap.LDAPConnection.connect(Unknown Source)
>         at netscape.ldap.LDAPConnection.connect(Unknown Source)
>         at netscape.ldap.LDAPConnection.connect(Unknown Source)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnection.(LdapBoundConnection.java:105)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:284)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:260)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:223)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:192)
>         at org.dogtagpki.server.ca.CAEngine.initDatabase(CAEngine.java:186)
>         at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1002)
>         at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1643)
>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at
> 

[Freeipa-users] Re: FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

2021-07-01 Thread Rafael Jeffman via FreeIPA-users
On Thu, Jul 1, 2021 at 9:34 AM lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
>
>
> On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote:
> > Hi,
> > this is a known selinux-policy issue, tracked at
> > https://bugzilla.redhat.com/show_bug.cgi?id=1894132
> > 
> > flo
> >
> > On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via
> > FreeIPA-users  > > wrote:
> >
> >
> > On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote:
> > > In a completely fresh install of freeipa-server,
> > f34, my logs are filled with
> > >
> > > certmonger[5754]: usr/lib/api/apiutil.c Could not
> > open /run/lock/opencryptoki/LCK..APIlock
> >
> > I get similar messages from certutil, certmonger and
> > pk12util
> >
> > May 10 14:31:21 registry1.1.quietfountain.com
> >  certutil[18672]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:22 registry1.1.quietfountain.com
> >  certutil[18674]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:23 registry1.1.quietfountain.com
> >  certutil[18676]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:25 registry1.1.quietfountain.com
> >  certutil[18678]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:25 registry1.1.quietfountain.com
> >  certutil[18680]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:26 registry1.1.quietfountain.com
> >  certutil[18682]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:27 registry1.1.quietfountain.com
> >  certutil[18684]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:28 registry1.1.quietfountain.com
> >  pk12util[18686]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:32 registry1.1.quietfountain.com
> >  certutil[18688]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> > May 10 14:31:35 registry1.1.quietfountain.com
> >  pk12util[18700]:
> > usr/lib/api/apiutil.c Could not open
> > /run/lock/opencryptoki/LCK..APIlock
> I think this might be the culprit in most recent CentOS
> updated packages:
>
> sssd-client-2.4.0-9.el8_4.1.x86_64
> sssd-common-2.4.0-9.el8_4.1.x86_64
> sssd-common-pac-2.4.0-9.el8_4.1.x86_64
> sssd-dbus-2.4.0-9.el8_4.1.x86_64
> sssd-ipa-2.4.0-9.el8_4.1.x86_64
> sssd-kcm-2.4.0-9.el8_4.1.x86_64
> sssd-krb5-common-2.4.0-9.el8_4.1.x86_64
> sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64
> sssd-tools-2.4.0-9.el8_4.1.x86_64
> 

[Freeipa-users] pki-tomcatd fails to start with LDAP error authentication failed (48)

2021-07-01 Thread Tiemen Ruiten via FreeIPA-users
Hello,

On a newly installed CentOS 8 IPA master (a few days ago), the
pki-tomcatd@pki-tomcat service fails to start and logs LDAP authentication
failed (48) in /var/log/pki/pki-tomcat/ca/debug.2021-07-01.log. See below.
This happened after I dnf upgraded the master and replica at the same time,
my mistake.

I've gone through the troubleshooting steps described here:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
but all certificates appear to be correct.

What else can I do?

RPM versions:
[root@ipa-01 ca]# rpm -qa | grep ipa
ipa-healthcheck-0.7-3.module_el8.5.0+750+c59b186b.noarch
python3-libipa_hbac-2.4.0-9.el8_4.1.x86_64
sssd-ipa-2.4.0-9.el8_4.1.x86_64
python3-ipalib-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-trust-ad-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
centos-logos-ipa-85.8-1.el8.noarch
ipa-healthcheck-core-0.7-3.module_el8.5.0+750+c59b186b.noarch
ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
python3-ipaclient-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
python3-ipaserver-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
libipa_hbac-2.4.0-9.el8_4.1.x86_64
ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64


<...>
2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store
2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store for
internaldb
2021-07-01 17:28:20 [main] INFO: CMSEngine: initializing password store for
replicationdb
2021-07-01 17:28:20 [main] INFO: CMSEngine: Java version: 1.8.0_292
2021-07-01 17:28:20 [main] INFO: CMSEngine: security providers:
2021-07-01 17:28:20 [main] INFO: PluginRegistry: Loading plugin registry
from /var/lib/pki/pki-tomcat/conf/ca/registry.cfg
2021-07-01 17:28:21 [main] SEVERE: LdapBoundConnFactory: Unable to connect
to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
        at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
        at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
        at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
        at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at netscape.ldap.LDAPConnection.connect(Unknown Source)
        at com.netscape.cmscore.ldapconn.LdapBoundConnection.(LdapBoundConnection.java:105)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:284)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:260)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:223)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:192)
        at org.dogtagpki.server.ca.CAEngine.initDatabase(CAEngine.java:186)
        at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1002)
        at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1643)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
        at

[Freeipa-users] Re: IPA client + AD Trust + ID Override inconsistent lookup results

2021-07-01 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 30, 2021 at 07:39:44PM -, iulian roman via FreeIPA-users wrote:
> I do not use ldap_group_name in IPA. I'll describe below an example
> for an override, because probably it all has to do with the
> 'sAMAccountName':
> 
> Example of user  and group in AD: 
> 
> user: testuser - AD name 'testuser' - AD 'sAMAccountName'  'testuser' - 
> uidNumber:23634 gidNumber:23634 
> group: testuser - AD name 'testuser' - AD 'sAMAccountName'  'ux-testuser' - 
> gidNumber: 23634
> 
> Example of the override for the above mentioned user in IPA (Default Trust 
> View)
> User to override: testu...@example.com
> User Login: testuser
> UID: 23634
> GID: 23634

Hi,

maybe there is some unexpected interaction with the code which
automatically handles user private groups and the manual creation of a
user private group with the id-overrides.

Have you tried whether the behavior is more reliable if you change the GID in
the user override and the group to e.g. 10023634?

bye,
Sumit

> 
> The question is what should the override look like, or what do I need to
> change in AD in order to have it working properly? Is that override
> according to the IPA prerequisites for overrides?
> Now , as I mentioned , the behaviour is different in different sssd
> versions and I can only make it work if I run 'getent group testuser'
> before and playing with caches on both IPA server and IPA client.


[Freeipa-users] Re: Network I/O error when trying to resolve AD users

2021-07-01 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via
FreeIPA-users wrote:
> On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via
> > FreeIPA-users wrote:
> > > Today I set up an IPA test web application in our IPA test environment. I
> > > figured out that my AD user was resolved but the user of my colleague was
> > > not. (getent passwd userA/userB)
> > > 
> > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> > > started SSSD again. After that I could not resolve any AD user. The sssd
> > > logs showed a Network I/O error:
> > > 
> > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> > > handle the request.
> > > .
> > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > (0x0040): ldap_extended_operation failed, server logs might contain more
> > > details.
> > 
> > Hi,
> > 
> > you should check on the IPA servers if the users and all the
> > group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> > should display the user and all its groups with both name and ID. If
> > some groups are only listed by GID you should check why the IPA server
> > cannot resolve the name.
> 
> Resolving the users on an IPA server works properly.

Hi,

I'm afraid in this case you should point the client to a dedicated
server and check the SSSD nss logs for issues while the client is
sending the request to the server. If this does not give a hint then
enabling plugin debugging in the 389ds LDAP server might help.

bye,
Sumit



[Freeipa-users] Re: bug in ldap_entry_reconstruct()

2021-07-01 Thread Rob Crittenden via FreeIPA-users
Kees Bakker via FreeIPA-users wrote:
> Hey,
> 
> In two of my three masters I see these error messages.
> 
> Jul 01 09:38:38 linge.ghs.nl named-pkcs11[6945]: bug in
> ldap_entry_reconstruct(): protocol violation: attempt to reconstruct
> non-existing entry
> Jul 01 09:38:38 linge.ghs.nl named-pkcs11[6945]: ldap_sync_search_entry
> failed: not found
> 
> It also so happens that DNS is not updated on these two systems.
> We only use one master to update DNS, either via the web interface
> or via DHCP-update. These changes are correctly found in LDAP, on
> all three systems. However, the two other nameservers don't pick
> up the changes.
> 
> There are no "syncrepl_update" messages in the log (after increasing
> trace level with rndc trace 10).
> 
> To be honest, I don't know if the above errors are related to the missing
> updates. I'm grasping at straws here.
> Something is seriously wrong, but what? How can I debug this further?
> 
> The two failing systems run CentOS 8 Stream. Some rpm info:
> 389-ds-base-1.4.3.16-8.module_el8.4.0+644+ed25d39e.x86_64
> ipa-server-4.9.2-3.module_el8.5.0+750+c59b186b.x86_64

I don't really do DNS but both of these messages come from
bind-dyndb-ldap, the LDAP backend for bind.

There is slightly more syncrepl logging at level 20, but only slightly more.

rob


[Freeipa-users] Re: FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

2021-07-01 Thread lejeczek via FreeIPA-users



On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote:

Hi,
this is a known selinux-policy issue, tracked at 
https://bugzilla.redhat.com/show_bug.cgi?id=1894132 


flo

On Mon, May 10, 2021 at 9:42 PM Harry G. Coin via FreeIPA-users wrote:



On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote:
> In a completely fresh install of freeipa-server, f34, my logs are filled with
>
> certmonger[5754]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

I get similar messages from certutil, certmonger and pk12util

May 10 14:31:21 registry1.1.quietfountain.com certutil[18672]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:22 registry1.1.quietfountain.com certutil[18674]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:23 registry1.1.quietfountain.com certutil[18676]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:25 registry1.1.quietfountain.com certutil[18678]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:25 registry1.1.quietfountain.com certutil[18680]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:26 registry1.1.quietfountain.com certutil[18682]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:27 registry1.1.quietfountain.com certutil[18684]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:28 registry1.1.quietfountain.com pk12util[18686]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:32 registry1.1.quietfountain.com certutil[18688]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
May 10 14:31:35 registry1.1.quietfountain.com pk12util[18700]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock



I think this might be the culprit in most recent CentOS 
updated packages:


sssd-client-2.4.0-9.el8_4.1.x86_64
sssd-common-2.4.0-9.el8_4.1.x86_64
sssd-common-pac-2.4.0-9.el8_4.1.x86_64
sssd-dbus-2.4.0-9.el8_4.1.x86_64
sssd-ipa-2.4.0-9.el8_4.1.x86_64
sssd-kcm-2.4.0-9.el8_4.1.x86_64
sssd-krb5-common-2.4.0-9.el8_4.1.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64
sssd-tools-2.4.0-9.el8_4.1.x86_64
389-ds-base-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
389-ds-base-libs-1.4.3.16-16.module_el8.4.0+845+0c39e1b7.x86_64
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-client-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-selinux-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-server-common-4.9.2-4.module_el8.4.0+846+96522ed7.noarch
ipa-server-dns-4.9.2-4.module_el8.4.0+846+96522ed7.noarch

[Freeipa-users] Re: centos8 freeipa not starting anymore

2021-07-01 Thread Jelle de Jong via FreeIPA-users

On 7/1/21 10:41 AM, Jelle de Jong via FreeIPA-users wrote:

Hello everybody,

All my centos8 freeipa instances at different sites were down this 
morning.


https://pastebin.com/vVfwrNqL

I tried disabling firewalld and selinux and downgrading the java version, 
but I cannot get it to work.


Did anyone encounter this issue and find a workaround?


dnf downgrade -y 389-ds-base
ipactl start

Seems to work for some people; I had mixed success and did a few 
image-based roll-backs.


No issues on centos7 so far.

Kind regards,

Jelle de Jong


[Freeipa-users] centos8 freeipa not starting anymore

2021-07-01 Thread Jelle de Jong via FreeIPA-users

Hello everybody,

All my centos8 freeipa instances at different sites were down this morning.

https://pastebin.com/vVfwrNqL

I tried disabling firewalld and selinux and downgrading the java version, 
but I cannot get it to work.


Did anyone encounter this issue and find a workaround?

Kind regards,

Jelle de Jong




[Freeipa-users] bug in ldap_entry_reconstruct()

2021-07-01 Thread Kees Bakker via FreeIPA-users

Hey,

In two of my three masters I see these error messages.

Jul 01 09:38:38 linge.ghs.nl named-pkcs11[6945]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
Jul 01 09:38:38 linge.ghs.nl named-pkcs11[6945]: ldap_sync_search_entry failed: not found


It also so happens that DNS is not updated on these two systems.
We only use one master to update DNS, either via the web interface
or via DHCP-update. These changes are correctly found in LDAP, on
all three systems. However, the two other nameservers don't pick
up the changes.

There are no "syncrepl_update" messages in the log (after increasing
trace level with rndc trace 10).

To be honest, I don't know if the above errors are related to the missing
updates. I'm grasping at straws here.
Something is seriously wrong, but what? How can I debug this further?

The two failing systems run CentOS 8 Stream. Some rpm info:
389-ds-base-1.4.3.16-8.module_el8.4.0+644+ed25d39e.x86_64
ipa-server-4.9.2-3.module_el8.5.0+750+c59b186b.x86_64
--
Kees
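The situation Kees describes (the update is present in LDAP on every master, but two nameservers keep serving stale data because bind-dyndb-ldap's syncrepl stalled) is easy to spot by asking each master's nameserver directly and comparing the answers against the master that receives the updates. The following check is an added example, not code from the thread or from FreeIPA; the master hostnames and addresses in the sample are constructed, and the live path assumes the dig binary is installed.

```python
"""Compare what each IPA master's nameserver answers for the same names.
A master whose bind-dyndb-ldap sync has stalled keeps serving old data,
so its answers diverge from the master that receives the DNS updates."""
import subprocess
from typing import Dict, Iterable, Set

# Constructed sample (hypothetical hosts): per master, per name, the A
# records it answered. master1 is where updates are made; master2 still
# serves an old address and master3 does not know the name at all.
SAMPLE_ANSWERS: Dict[str, Dict[str, Set[str]]] = {
    "master1.example.test": {"host1.example.test": {"10.0.0.11"},
                             "host2.example.test": {"10.0.0.12"}},
    "master2.example.test": {"host1.example.test": {"10.0.0.11"},
                             "host2.example.test": {"10.0.0.99"}},
    "master3.example.test": {"host1.example.test": {"10.0.0.11"},
                             "host2.example.test": set()},
}


def dig_answers(server: str, name: str, rtype: str = "A") -> Set[str]:
    """Query one server directly, non-recursively (so its own zone data,
    not a cached answer, is returned). Needs dig; not used by the sample."""
    cmd = ["dig", f"@{server}", "+short", "+norecurse", name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True,
                         timeout=10, check=False).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def collect(servers: Iterable[str], names: Iterable[str],
            rtype: str = "A") -> Dict[str, Dict[str, Set[str]]]:
    """Build the same structure as SAMPLE_ANSWERS from live queries."""
    return {s: {n: dig_answers(s, n, rtype) for n in names} for s in servers}


def find_divergence(answers: Dict[str, Dict[str, Set[str]]],
                    reference: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {name: {server: its answer}} for every name where a server's
    answer differs from the reference master's (an empty set means the
    server does not have the record at all)."""
    diverged: Dict[str, Dict[str, Set[str]]] = {}
    for name, expected in answers[reference].items():
        bad = {s: a.get(name, set()) for s, a in answers.items()
               if s != reference and a.get(name, set()) != expected}
        if bad:
            diverged[name] = bad
    return diverged


if __name__ == "__main__":
    for name, bad in find_divergence(SAMPLE_ANSWERS, "master1.example.test").items():
        print(f"{name}: stale or missing on {bad}")
```

To run it against real masters, replace SAMPLE_ANSWERS with collect(masters, names) and pass the master that receives the updates as the reference.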