[Freeipa-users] Re: Help with Ghost Replica removal please.

2023-04-25 Thread Nicholas Cross via FreeIPA-users
Tested this again making sure that dirsrv is not running and the replica record 
is back.

I am obviously doing something wrong.  My steps are below.  I appreciate your 
time on this.



#
# check dirsrv is currently running
#
[root@ipa006 ~]# ps aux | grep dirsrv
dirsrv   3221639 31.4  5.4 2418488 883856 ?  Ssl  Apr24 322:04 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AD-companyx-FM -i /run/dirsrv/slapd-AD-companyx-FM.pid
root     3281205  0.0  0.0   6412  2204 pts/2    S+   09:11   0:00 grep --color=auto dirsrv

#
# shutdown dirsrv
#
[root@ipa006 ~]# time systemctl stop dirsrv@AD-companyx-FM.service

real    10m0.130s
user    0m0.009s
sys     0m0.012s

#
# check dirsrv is not running 1
#
[root@ipa006 ~]# ps aux | grep dirsrv
root     3282962  0.0  0.0   6412  2244 pts/2    S+   09:47   0:00 grep --color=auto dirsrv

#
# check dirsrv is not running 2
#
[root@ipa006 slapd-AD-companyx-FM]# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

#
# go to right folder
#
[root@ipa006 ~]# cd /etc/dirsrv/slapd-AD-companyx-FM/


#
# make a backup just in case
#
[root@ipa006 slapd-AD-companyx-FM]# cp dse.ldif dse.ldif.nickx-25apr23

#
# edit ldif
#
[root@ipa006 slapd-AD-companyx-FM]# vi dse.ldif


#
# remove this record. Hoping it's the right thing to do.
#
dn: 
cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
 ce\2Cdc\3Dfm,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
nsDS5ReplicaPort: 389
nsds5replicaTimeout: 300
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
creatorsName: cn=IPA Topology Configuration,cn=plugins,cn=config
modifiersName: cn=IPA Topology Configuration,cn=plugins,cn=config
createTimestamp: 20230425095140Z
modifyTimestamp: 20230425095140Z


#
# check no records exist in dse.ldif
#
[root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
[root@ipa006 slapd-AD-companyx-FM]#

[root@ipa006 slapd-AD-companyx-FM]# time systemctl start dirsrv@AD-companyx-FM.service

real    0m12.343s
user    0m0.006s
sys     0m0.007s

#
# Look in logs
#
Apr 25 09:51:51 ipa006.ad.companyx.fm ns-slapd[3283119]: [25/Apr/2023:09:51:51.484197325 +] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm" (bad_serverdc:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()

#
# check dse.ldif again - find entry is back !
#
[root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
dn: 
cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm


#
# scratch head and ponder life, the universe and everything
#
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
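The message above checks dse.ldif for the stale agreement with grep. As an added example (not from the thread and not FreeIPA's or 389-ds's own code), the Python below parses the LDIF that dse.ldif is written in, including folded continuation lines and base64 (`::`) values, and lists every replication agreement pointing at a given host. It also flags agreements carrying the ipaReplTopoManagedAgreement objectClass that the quoted entry has: those are owned by the IPA topology plugin, which recreates agreements from the topology segments stored in the directory, so the segment (ipa topologysegment-del) is the place to remove them rather than the file. The hostnames, the second agreement and the base64 description in the sample are constructed.

```python
"""Look for replication agreements to a given host in a 389-ds dse.ldif.

Added example, not part of the thread.  Parses the LDIF format dse.ldif uses
(folded lines, base64 values) and reports every nsds5replicationagreement
whose nsDS5ReplicaHost matches, noting whether the IPA topology plugin owns it.
"""
import base64
import re
import sys

# Constructed sample modelled on the agreement quoted in the thread; the
# hostnames, the second agreement and the base64 description are placeholders.
SAMPLE_DSE_LDIF = r"""dn: cn=config
objectClass: top
objectClass: nsslapdConfig

dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin
description:: aXBhMDA2IHRvIGJhZF9zZXJ2ZXJkYw==

dn: cn=ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: top
cn: ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm
nsDS5ReplicaHost: ipa007.ad.companyx.fm
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values].

    A line starting with a space continues the previous line (LDIF folding);
    ``attr:: value`` carries a base64-encoded value.  ``attr:< url`` values are
    not used in dse.ldif and are kept verbatim.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # re-join a folded line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():             # a blank line ends the entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_agreements(entries, host):
    """Replication agreements whose nsDS5ReplicaHost equals host (case-insensitive)."""
    host = host.lower()
    found = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        if not any(h.lower() == host for h in entry.get("nsds5replicahost", [])):
            continue
        found.append({
            "dn": entry["dn"][0],
            "host": entry["nsds5replicahost"][0],
            "port": entry.get("nsds5replicaport", ["389"])[0],
            "root": entry.get("nsds5replicaroot", [""])[0],
            # The IPA topology plugin creates agreements with this objectClass
            # from the topology segments in the directory and recreates one
            # that still has a segment, so the segment is what has to go.
            "topology_managed": "iparepltopomanagedagreement" in classes,
        })
    return found


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    host = argv[2] if len(argv) > 2 else "bad_serverdc.ad.companyx.fm"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_DSE_LDIF
    for agmt in find_agreements(parse_ldif(text), host):
        kind = "topology-managed" if agmt["topology_managed"] else "manual"
        print(f'{agmt["dn"]}\n  -> {agmt["host"]}:{agmt["port"]} root={agmt["root"]} ({kind})')


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 find_agmts.py /etc/dirsrv/slapd-INSTANCE/dse.ldif old-replica.example.com` against a copy of the file; with no arguments it runs over the built-in sample.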


[Freeipa-users] Re: Admin account gets constantly locked

2023-04-25 Thread Yavor Marinov via FreeIPA-users
Hi,

Thanks a lot Florence, I was able to locate the issue - it seems some
resources were previously enrolled to the previously installed version of
FreeIPA and were trying to authenticate using an old keytab and locking the
admin user.

On Tue, Apr 25, 2023 at 1:24 PM Florence Blanc-Renaud 
wrote:

> Hi,
>
> First, you can check which password policy settings are applied to your
> admin user:
> # kinit admin
> # ipa pwpolicy-show --user admin
>   Group: global_policy
>   Max lifetime (days): 90
>   Min lifetime (hours): 1
>   History size: 0
>   Character classes: 0
>   Min length: 8
>   Max failures: 6
>   Failure reset interval: 60
>   Lockout duration: 600
>   Max repeat: 5
>   Grace login limit: -1
>
> In the above example, the user can get locked after 6 authentication
> failures. You can use the command "ipa user-status admin" to check how many
> failed logins happened.
> If the admin account gets locked because of failed logins, you need to
> find if those are malicious attempts. Try to identify from which machine
> the attempts are issued (from /var/log/krb5kdc.log), etc...
>
> flo
>
> On Tue, Apr 25, 2023 at 10:51 AM Yavor Marinov via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello all,
>>
>> We have a really strange problem with our installation of FreeIPA 4.10.
>> We are using latest Alma 9.1 as OS, but the default user account admin is
>> getting constantly locked. After kinit-ing with different admin user and
>> unlocking the account it becomes available.
>>
>> Another side effect of this is that WebUI starts reporting that the
>> service is unavailable with a popup. Once user admin is unlocked and ipa
>> services are restarted everything becomes available.
>>
>> Can you give me some heads up what should I check (password policy
>> expiration is set to 90 days)?
>>
>


[Freeipa-users] Help please Container install (proxmox)

2023-04-25 Thread Günther J. Niederwimmer via FreeIPA-users
Hello list,
I would like to install a container with FreeIPA from the GitHub site and then 
build it into Proxmox, but since I'm a newbie to this environment I need help. 
Can someone show me the right way to do something like that with FreeIPA?

All my attempts have failed so far.
Maybe there are pros for this environment on this list, even better would be a 
template for Proxmox? I'm also a newbie at Proxmox, so I'm in my infancy 
everywhere.
Thanks for an answer,
-- 
mit freundlichen Grüßen / best regards

  Günther J. Niederwimmer



[Freeipa-users] Re: Admin account gets constantly locked

2023-04-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

First, you can check which password policy settings are applied to your
admin user:
# kinit admin
# ipa pwpolicy-show --user admin
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
  Max repeat: 5
  Grace login limit: -1

In the above example, the user can get locked after 6 authentication
failures. You can use the command "ipa user-status admin" to check how many
failed logins happened.
If the admin account gets locked because of failed logins, you need to find
if those are malicious attempts. Try to identify from which machine the
attempts are issued (from /var/log/krb5kdc.log), etc...

flo

On Tue, Apr 25, 2023 at 10:51 AM Yavor Marinov via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello all,
>
> We have a really strange problem with our installation of FreeIPA 4.10. We
> are using latest Alma 9.1 as OS, but the default user account admin is
> getting constantly locked. After kinit-ing with different admin user and
> unlocking the account it becomes available.
>
> Another side effect of this is that WebUI starts reporting that the
> service is unavailable with a popup. Once user admin is unlocked and ipa
> services are restarted everything becomes available.
>
> Can you give me some heads up what should I check (password policy
> expiration is set to 90 days)?
>
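To show how the policy values in the answer above turn into a lockout, and how the source of the attempts can be traced from /var/log/krb5kdc.log as suggested, here is an added Python example (not from the thread and not FreeIPA's code). It parses the PREAUTH_FAILED AS_REQ lines the KDC writes, tallies failures per principal and client address, and replays a counter modelled on the fields shown: the count resets when two failures are more than "Failure reset interval" seconds apart, a lock is recorded when it reaches "Max failures", and the lock lasts "Lockout duration" seconds. The log lines, realm and addresses are constructed; the year is an assumption, since krb5kdc.log timestamps carry none.

```python
"""Trace failed Kerberos pre-authentications in krb5kdc.log and replay a
FreeIPA-style lockout counter against them.  Added example, not from the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    """Defaults are the global_policy values shown in the thread."""
    max_failures: int = 6
    failure_reset_interval: int = 60   # seconds between failures before the count resets
    lockout_duration: int = 600        # seconds the account stays locked


@dataclass
class Lockout:
    principal: str
    client: str        # address whose failure tipped the counter over
    at: datetime
    until: datetime


# MIT krb5kdc.log line shape:
#   <Mon dd HH:MM:SS> <kdc host> krb5kdc[<pid>](info): AS_REQ (<etypes>) <client>: <STATUS>: <princ> for <service>, <message>
PREAUTH_FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<client>\S+): PREAUTH_FAILED: (?P<princ>\S+) for "
)

# Constructed sample: one stray failure from 192.0.2.7, then a burst of six from
# 192.0.2.50, with a NEEDED_PREAUTH and a successful ISSUE line mixed in.
SAMPLE_KDC_LOG = """\
Apr 25 10:38:00 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.7: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:40:05 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:40:06 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:40:07 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:40:08 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:40:09 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: NEEDED_PREAUTH: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Additional pre-authentication required
Apr 25 10:40:09 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:40:10 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: admin@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM, Preauthentication failed
Apr 25 10:41:00 ipa0.ipa.example.com krb5kdc[3221](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.7: ISSUE: authtime 1682419260, etypes {rep=18 tkt=18 ses=18}, jdoe@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
"""


def failed_preauths(lines, year=2023):
    """(timestamp, client address, principal) for every PREAUTH_FAILED AS_REQ."""
    events = []
    for line in lines:
        m = PREAUTH_FAILED_RE.match(line)
        if not m:
            continue        # ISSUE, NEEDED_PREAUTH, TGS_REQ and other lines
        # The log has no year; supply one (assumption) so time deltas work.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["client"], m["princ"]))
    return events


def replay_lockouts(events, policy):
    """Apply the policy counter to the failures; return (lockouts, per-source counts)."""
    counters = {}            # principal -> (count, time of last failure)
    per_source = Counter()   # (principal, client) -> failures
    lockouts = []
    for ts, client, princ in sorted(events):
        per_source[(princ, client)] += 1
        count, last = counters.get(princ, (0, None))
        if last is not None and (ts - last).total_seconds() > policy.failure_reset_interval:
            count = 0        # failures spaced out beyond the reset interval start over
        count += 1
        counters[princ] = (count, ts)
        if count == policy.max_failures:
            lockouts.append(Lockout(princ, client, ts, ts + timedelta(seconds=policy.lockout_duration)))
    return lockouts, per_source


def top_sources(per_source, principal):
    """Client addresses that failed for principal, busiest first."""
    rows = [(c, n) for (p, c), n in per_source.items() if p == principal]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def analyse_log(text, policy=PasswordPolicy(), year=2023):
    return replay_lockouts(failed_preauths(text.splitlines(), year), policy)


if __name__ == "__main__":
    locks, sources = analyse_log(SAMPLE_KDC_LOG)
    for lock in locks:
        print(f"{lock.principal} locked at {lock.at:%H:%M:%S} until {lock.until:%H:%M:%S}, tipped by {lock.client}")
        for client, n in top_sources(sources, lock.principal):
            print(f"  {client}: {n} failed pre-auth(s)")
```

The counter is kept per principal because that is what the lockout applies to, while the per-source tally is what answers "from which machine"; on a deployment the script would read the real log and the year would be taken from the file's mtime or the current date.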


[Freeipa-users] Re: ACIs for replication status monitoring

2023-04-25 Thread Sam Morris via FreeIPA-users
On Mon, Apr 24, 2023 at 03:54:30PM -0400, Rob Crittenden via FreeIPA-users 
wrote:
> Sam Morris wrote:
> > On Mon, Apr 24, 2023 at 12:07:16PM -0400, Rob Crittenden via FreeIPA-users 
> > wrote:
> >>> However, this attribute can be read from the second search! Although
> >>> it's not included in the results when 'ALL' attributes are requested,
> >>> explicitly adding it to the search query works fine:
> >>
> >> The third search is looking for tombstone entries,
> >> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/tombstones
> >> , and there don't appear to be any. This is fine.
> >>
> >> I don't think you need to do anything here.
> > 
> > But here's what I see from ds-replcheck:
> > 
> >   $ ds-replcheck -v state -Z /etc/ipa/nssdb -m 
> > ldap://ipa0.ipa.example.com:389 -r ldap://ipa1.ipa.example.com:389 -D 
> > uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com -w ... -b 
> > o=ipaca
> >   Connecting to servers...
> >   Validating suffix ...
> >   Gathering Supplier's RUV...
> >   Error: Supplier does not have an RUV entry
> > 
> > That error is caused by the tombstone search returning no entries. But
> > with the directory manager, I get:
> > 
> >   $ ds-replcheck -v state -Z /etc/ipa/nssdb -m 
> > ldap://ipa0.ipa.example.com:389 -r ldap://ipa1.ipa.example.com:389 -D 
> > cn='Directory Manager' -W -b o=ipaca
> >   Enter password:
> >   Connecting to servers...
> >   Validating suffix ...
> >   Gathering Supplier's RUV...
> >   Gathering Replica's RUV...
> >   Getting Supplier's replica ID
> >   Replication State: Supplier and Replica are in perfect synchronization
> > 
> > Hence I figured I needed to add some ACIs somewhere. But the ones I've
> > tried adding to 'cn=mapping tree,cn=config' aren't sufficient.
> > 
> > Here's the search that I think ds-replcheck is doing:
> > 
> >   $ ldapsearch -H ldaps://ipa0.ipa.example.com -x -D 
> > uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com -w ... -s sub 
> > -b o=ipaca 
> > '(&(nsUniqueId=---)(objectClass=nstombstone))'
> >  nsds50ruv
> >   # extended LDIF
> >   #
> >   # LDAPv3
> >   # base  with scope subtree
> >   # filter: 
> > (&(nsUniqueId=---)(objectClass=nstombstone))
> >   # requesting: nsds50ruv
> >   #
> > 
> >   # search result
> >   search: 2
> >   result: 0 Success
> > 
> >   # numResponses: 1
> > 
> > ... and here it is, run as the directory manager:
> > 
> >   # ldapsearch -LLL -o ldif-wrap=no -s sub -b o=ipaca 
> > '(&(nsUniqueId=---)(objectClass=nstombstone))'
> >  nsds50ruv
> >   SASL/EXTERNAL authentication started
> >   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >   SASL SSF: 0
> >   dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> >   nsds50ruv: {replicageneration} 5cb8bedf0006
> >   nsds50ruv: {replica 14 ldap://ipa0.ipa.example.com:389} 
> > 610ad7470001000e 6446aa16000e
> >   nsds50ruv: {replica 12 ldap://ipa1.ipa.example.com:389} 
> > 6082f5e10001000c 6446ae08000c
> >   nsds50ruv: {replica 18 ldap://ipa2.ipa.example.com:389} 
> > 628d6a0700010012 6446afa40012
> > 
> 
> I don't use this tool so I don't know the details on the searches it
> performs. If you can get a quiet LDAP server and run as your bind user
> and Directory Manager and provide the access logs we can try to figure
> out what is going on.

Sure, here's the command used:

  $ ds-replcheck -v state -Z /etc/ipa/nssdb -m ldap://ipa0.ipa.example.com:389 
-r ldap://ipa1.ipa.example.com:389 -D DN -w PASSWORD -b o=ipaca

Here are the logs when running it using the root DN:

  [25/Apr/2023:08:09:38.547193776 +] conn=1529 op=1 BIND dn="cn=Directory 
Manager" method=128 version=3
  [25/Apr/2023:08:09:38.547501267 +] conn=1529 op=1 RESULT err=0 tag=97 
nentries=0 wtime=0.010675418 optime=0.000343664 etime=0.011014089 
dn="cn=directory manager"
  [25/Apr/2023:08:09:38.556818128 +] conn=1529 op=2 SRCH base="o=ipaca" 
scope=0 filter="(objectClass=*)" attrs=ALL
  [25/Apr/2023:08:09:38.557355407 +] conn=1529 op=2 RESULT err=0 tag=101 
nentries=1 wtime=0.000350868 optime=0.000545608 etime=0.000878460
  [25/Apr/2023:08:09:38.558868700 +] conn=1529 op=3 SRCH base="cn=config" 
scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" 
attrs=ALL
  [25/Apr/2023:08:09:38.561344851 +] conn=1529 op=3 RESULT err=0 tag=101 
nentries=1 wtime=0.000338392 optime=0.002481952 etime=0.002814677
  [25/Apr/2023:08:09:38.565951829 +] conn=1529 op=4 SRCH base="o=ipaca" 
scope=2 
filter="(&(nsUniqueId=---)(objectClass=nstombstone))"
 attrs="nsds50ruv"
  [25/Apr/2023:08:09:38.567222484 +] conn=1529 op=4 RESULT err=0 tag=101 
nentries=1 wtime=0.000293867 optime=0.001279436 etime=0.001568497
  [25/Apr/2023:08:09:38.574172428 +] conn=1529 op=5 UNBIND

... and with my repl-mon user:

  
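As an added example (not from the thread and not 389-ds's own tooling), here is a Python reader for the access log format quoted above. It pairs each SRCH with its RESULT by conn/op, records which DN bound on each connection, and compares two connections to find the searches whose entry counts differ, which is the comparison asked for in the exchange. The sample is constructed: conn=1529 follows the Directory Manager run posted above (with the timezone written out as +0000), and conn=1530 is a hypothetical run as uid=repl-mon in which the tombstone search returns nothing; the nsUniqueId in the filter is the fixed id of the RUV tombstone entry in 389-ds.

```python
"""Pair SRCH/RESULT lines of a 389-ds access log and diff two connections.

Added example, not from the thread.  Useful for setting a ds-replcheck run as
a monitoring account beside the same run as Directory Manager.
"""
import re
from dataclasses import dataclass, field

# Constructed sample; conn=1529 mirrors the Directory Manager run in the thread,
# conn=1530 is a hypothetical run as uid=repl-mon.
SAMPLE_ACCESS_LOG = """\
[25/Apr/2023:08:09:38.547193776 +0000] conn=1529 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[25/Apr/2023:08:09:38.547501267 +0000] conn=1529 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.010675418 optime=0.000343664 etime=0.011014089 dn="cn=directory manager"
[25/Apr/2023:08:09:38.556818128 +0000] conn=1529 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Apr/2023:08:09:38.557355407 +0000] conn=1529 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000350868 optime=0.000545608 etime=0.000878460
[25/Apr/2023:08:09:38.558868700 +0000] conn=1529 op=3 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" attrs=ALL
[25/Apr/2023:08:09:38.561344851 +0000] conn=1529 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000338392 optime=0.002481952 etime=0.002814677
[25/Apr/2023:08:09:38.565951829 +0000] conn=1529 op=4 SRCH base="o=ipaca" scope=2 filter="(&(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nstombstone))" attrs="nsds50ruv"
[25/Apr/2023:08:09:38.567222484 +0000] conn=1529 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000293867 optime=0.001279436 etime=0.001568497
[25/Apr/2023:08:09:38.574172428 +0000] conn=1529 op=5 UNBIND
[25/Apr/2023:08:09:38.574201112 +0000] conn=1529 op=5 fd=64 closed - U1
[25/Apr/2023:08:10:02.101000000 +0000] conn=1530 op=1 BIND dn="uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com" method=128 version=3
[25/Apr/2023:08:10:02.102000000 +0000] conn=1530 op=1 RESULT err=0 tag=97 nentries=0 dn="uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com"
[25/Apr/2023:08:10:02.110000000 +0000] conn=1530 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Apr/2023:08:10:02.111000000 +0000] conn=1530 op=2 RESULT err=0 tag=101 nentries=1
[25/Apr/2023:08:10:02.112000000 +0000] conn=1530 op=3 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" attrs=ALL
[25/Apr/2023:08:10:02.114000000 +0000] conn=1530 op=3 RESULT err=0 tag=101 nentries=1
[25/Apr/2023:08:10:02.118000000 +0000] conn=1530 op=4 SRCH base="o=ipaca" scope=2 filter="(&(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nstombstone))" attrs="nsds50ruv"
[25/Apr/2023:08:10:02.119000000 +0000] conn=1530 op=4 RESULT err=0 tag=101 nentries=0
[25/Apr/2023:08:10:02.125000000 +0000] conn=1530 op=5 UNBIND
"""

# "[timestamp] conn=N op=M KIND key=value ..." ; lines without op= are skipped.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\S+)(?: (?P<params>.*))?$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # quoted or bare values


@dataclass
class Operation:
    conn: str
    op: str
    kind: str                                   # BIND, SRCH, UNBIND, ...
    params: dict = field(default_factory=dict)  # from the request line
    result: dict = field(default_factory=dict)  # from the matching RESULT line


def parse_kv(text):
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(text or "")}


def parse_access_log(lines):
    """Operations in log order, each with its RESULT attached by (conn, op)."""
    ops = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        if m["kind"] == "RESULT":
            if key in ops:
                ops[key].result = parse_kv(m["params"])
        elif key not in ops:        # "fd=.. closed" reuses the UNBIND op number; keep the first
            ops[key] = Operation(m["conn"], m["op"], m["kind"], parse_kv(m["params"]))
    return list(ops.values())


def summarise(ops):
    """Per connection: the bind DN and every search with its error and entry count."""
    summary = {}
    for o in ops:
        conn = summary.setdefault(o.conn, {"bind": None, "searches": []})
        if o.kind == "BIND":
            conn["bind"] = o.params.get("dn", "")
        elif o.kind == "SRCH":
            conn["searches"].append({
                "base": o.params.get("base", ""), "scope": o.params.get("scope", ""),
                "filter": o.params.get("filter", ""), "attrs": o.params.get("attrs", ""),
                "err": int(o.result.get("err", -1)), "nentries": int(o.result.get("nentries", -1)),
            })
    return summary


def compare_connections(summary, conn_a, conn_b):
    """Searches issued on both connections whose entry counts differ."""
    def index(conn):
        return {(s["base"], s["scope"], s["filter"], s["attrs"]): s for s in summary[conn]["searches"]}
    a, b = index(conn_a), index(conn_b)
    return [{**a[k], "nentries_a": a[k]["nentries"], "nentries_b": b[k]["nentries"]}
            for k in a.keys() & b.keys() if a[k]["nentries"] != b[k]["nentries"]]


if __name__ == "__main__":
    summary = summarise(parse_access_log(SAMPLE_ACCESS_LOG.splitlines()))
    for d in compare_connections(summary, "1529", "1530"):
        print(f'{summary["1529"]["bind"]}: {d["nentries_a"]}  vs  {summary["1530"]["bind"]}: {d["nentries_b"]}')
        print(f'  base={d["base"]} scope={d["scope"]} attrs={d["attrs"]}\n  filter={d["filter"]}')
```

On a real server the two runs are easiest to tell apart on a quiet instance, as suggested in the exchange, so that conn numbers map cleanly to the two ds-replcheck invocations; the search whose count drops to zero for the monitoring account is the one whose target needs an ACI.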

[Freeipa-users] Admin account gets constantly locked

2023-04-25 Thread Yavor Marinov via FreeIPA-users
Hello all,

We have a really strange problem with our installation of FreeIPA 4.10. We
are using latest Alma 9.1 as OS, but the default user account admin is
getting constantly locked. After kinit-ing with different admin user and
unlocking the account it becomes available.

Another side effect of this is that WebUI starts reporting that the service
is unavailable with a popup. Once user admin is unlocked and ipa services
are restarted everything becomes available.

Can you give me some heads up what should I check (password policy
expiration is set to 90 days)?