[Freeipa-users] Re: Help with Ghost Replica removal please.
Tested this again making sure that dirsrv is not running and the replica record is back. I am obviously doing something wrong. My steps are below. I appreciate your time on this.

#
# check dirsrv is currently running
#
[root@ipa006 ~]# ps aux | grep dirsrv
dirsrv   3221639 31.4  5.4 2418488 883856 ?      Ssl  Apr24 322:04 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AD-companyx-FM -i /run/dirsrv/slapd-AD-companyx-FM.pid
root     3281205  0.0  0.0    6412   2204 pts/2  S+   09:11   0:00 grep --color=auto dirsrv

#
# shutdown dirsrv
#
[root@ipa006 ~]# time systemctl stop dirsrv@AD-companyx-FM.service

real    10m0.130s
user    0m0.009s
sys     0m0.012s

#
# check dirsrv is not running 1
#
[root@ipa006 ~]# ps aux | grep dirsrv
root     3282962  0.0  0.0    6412   2244 pts/2  S+   09:47   0:00 grep --color=auto dirsrv

#
# check dirsrv is not running 2
#
[root@ipa006 slapd-AD-companyx-FM]# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

#
# go to right folder
#
[root@ipa006 ~]# cd /etc/dirsrv/slapd-AD-companyx-FM/

#
# make a backup just in case
#
[root@ipa006 slapd-AD-companyx-FM]# cp dse.ldif dse.ldif.nickx-25apr23

#
# edit ldif
#
[root@ipa006 slapd-AD-companyx-FM]# vi dse.ldif

#
# remove this record. Hoping it's the right thing to do.
#
dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
 ce\2Cdc\3Dfm,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
nsDS5ReplicaPort: 389
nsds5replicaTimeout: 300
nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
creatorsName: cn=IPA Topology Configuration,cn=plugins,cn=config
modifiersName: cn=IPA Topology Configuration,cn=plugins,cn=config
createTimestamp: 20230425095140Z
modifyTimestamp: 20230425095140Z

#
# check no records exist in dse.ldif
#
[root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
[root@ipa006 slapd-AD-companyx-FM]#
[root@ipa006 slapd-AD-companyx-FM]# time systemctl start dirsrv@AD-companyx-FM.service

real    0m12.343s
user    0m0.006s
sys     0m0.007s

#
# Look in logs
#
Apr 25 09:51:51 ipa006.ad.companyx.fm ns-slapd[3283119]: [25/Apr/2023:09:51:51.484197325 +] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm" (bad_serverdc:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()

#
# check dse.ldif again - find entry is back !
#
[root@ipa006 slapd-AD-companyx-FM]# grep bad_server dse.ldif
dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
description: ipa006.ad.companyx.fm to bad_serverdc.ad.companyx.fm

#
# scratch head and ponder life, the universe and everything
#
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
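The post checks dse.ldif with a plain grep. As an added example (not code from the thread or from FreeIPA), here is a small Python audit that unfolds LDIF continuation lines and lists every replication agreement in a dse.ldif with its target host and whether it carries the ipaReplTopoManagedAgreement objectClass; the input is a constructed entry abridged from the one shown above.

```python
"""Audit a 389-ds dse.ldif for replication agreements (added example, not from the thread).
LDIF folds long values onto continuation lines that start with one space, so a plain grep
of the raw file can miss a value split at a fold; this unfolds before matching."""

# Constructed sample, abridged from the agreement entry shown in the post.
SAMPLE_DSE = r"""dn: cn=ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm,cn=replica,cn=dc\3Dad\2Cdc\3Ddi
 ce\2Cdc\3Dfm,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: ipa006.ad.companyx.fm-to-bad_serverdc.ad.companyx.fm
nsDS5ReplicaHost: bad_serverdc.ad.companyx.fm
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin

dn: cn=config
cn: config
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Return entries as {lowercased attribute: [values]} after unfolding lines."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # drop LDIF comments
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                  # a blank line ends an entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def replication_agreements(text: str) -> list[dict]:
    """Each nsds5replicationagreement with its dn, target host and topology-managed flag."""
    out = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "nsds5replicationagreement" in classes:
            out.append({"dn": e["dn"][0],
                        "host": e.get("nsds5replicahost", ["?"])[0],
                        "managed": "ipaReplTopoManagedAgreement".lower() in classes,
                        "state": " ".join(e.get("ipaReplTopoManagedAgreementState".lower(), []))})
    return out
```

Run it on a copy of the real file with replication_agreements(open(path).read()); an agreement reported as managed is one whose state attribute, as in the entry above, says it was generated by the topology plugin rather than written by hand.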
[Freeipa-users] Re: Admin account gets constantly locked
Hi,

Thanks a lot Florence, I was able to locate the issue - it seems some resources were previously enrolled to the previously installed version of FreeIPA and were trying to authenticate using an old keytab and locking the admin user.

On Tue, Apr 25, 2023 at 1:24 PM Florence Blanc-Renaud wrote:
> Hi,
>
> First, you can check which password policy settings are applied to your admin user:
> # kinit admin
> # ipa pwpolicy-show --user admin
> Group: global_policy
> Max lifetime (days): 90
> Min lifetime (hours): 1
> History size: 0
> Character classes: 0
> Min length: 8
> Max failures: 6
> Failure reset interval: 60
> Lockout duration: 600
> Max repeat: 5
> Grace login limit: -1
>
> In the above example, the user can get locked after 6 authentication failures. You can use the command "ipa user-status admin" to check how many failed logins happened.
> If the admin account gets locked because of failed logins, you need to find if those are malicious attempts. Try to identify from which machine the attempts are issued (from /var/log/krb5kdc.log), etc...
>
> flo
>
> On Tue, Apr 25, 2023 at 10:51 AM Yavor Marinov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello all,
>>
>> We have a really strange problem with our installation of FreeIPA 4.10. We are using latest Alma 9.1 as OS, but the default user account admin is getting constantly locked. After kinit-ing with different admin user and unlocking the account it becomes available.
>>
>> Another side effect of this is that WebUI starts reporting that the service is unavailable with a popup. Once user admin is unlocked and ipa services are restarted everything becomes available.
>>
>> Can you give me some heads up what should I check (password policy expiration is set to 90 days)
[Freeipa-users] Help please Container install (proxmox)
Hello list,

I would like to install a container with FreeIPA from the github site and then build it into proxmox. But since I'm a newbie to this environment I need help. Can someone show me the right way, how to do something like that with FreeIPA? All my attempts have failed so far. Maybe there are pros for this environment on this list, even better would be a template for Proxmox?

I'm also a newbie at Proxmox, so I'm in my infancy everywhere.

Thanks for an answer,
--
with kind regards / best regards
Günther J. Niederwimmer
[Freeipa-users] Re: Admin account gets constantly locked
Hi,

First, you can check which password policy settings are applied to your admin user:

# kinit admin
# ipa pwpolicy-show --user admin
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
Max repeat: 5
Grace login limit: -1

In the above example, the user can get locked after 6 authentication failures. You can use the command "ipa user-status admin" to check how many failed logins happened.
If the admin account gets locked because of failed logins, you need to find if those are malicious attempts. Try to identify from which machine the attempts are issued (from /var/log/krb5kdc.log), etc...

flo

On Tue, Apr 25, 2023 at 10:51 AM Yavor Marinov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello all,
>
> We have a really strange problem with our installation of FreeIPA 4.10. We are using latest Alma 9.1 as OS, but the default user account admin is getting constantly locked. After kinit-ing with different admin user and unlocking the account it becomes available.
>
> Another side effect of this is that WebUI starts reporting that the service is unavailable with a popup. Once user admin is unlocked and ipa services are restarted everything becomes available.
>
> Can you give me some heads up what should I check (password policy expiration is set to 90 days)
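To act on the reply's advice of finding which machine the failed logins come from, an added example (not from the thread or from FreeIPA) in Python: it parses constructed krb5kdc.log lines in the MIT KDC layout, groups PREAUTH_FAILED events for the admin principal by client address, and flags any client whose failures alone reach the policy's Max failures (6) inside the Failure reset interval (60, assumed here to be seconds); hostname, pid and realm in the sample are placeholders.

```python
"""Group failed Kerberos pre-authentication attempts per client from krb5kdc.log.
Added example, not from the thread. Log lines are constructed in the MIT KDC layout;
policy numbers are the ones in the reply, with the interval assumed to be seconds."""
import re
from collections import defaultdict
from datetime import datetime

MAX_FAILURES = 6     # "Max failures: 6"
FAIL_INTERVAL = 60   # "Failure reset interval: 60" (assumed seconds)

def _line(ts: str, client: str, status: str, msg: str) -> str:
    # Constructed sample line in the MIT KDC format (hostname, pid and realm are placeholders).
    return (f"Apr 25 {ts} ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 20 19}}) "
            f"{client}: {status}: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, {msg}")

SAMPLE_LOG = "\n".join(
    [_line("10:50:00", "192.0.2.10", "NEEDED_PREAUTH", "Additional pre-authentication required")]
    + [_line(f"10:50:{s:02d}", "192.0.2.10", "PREAUTH_FAILED", "Preauthentication failed")
       for s in (5, 12, 20, 31, 40, 52)]                  # six failures within 47 s
    + [_line("10:55:10", "198.51.100.7", "PREAUTH_FAILED", "Preauthentication failed")])

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): AS_REQ .*? "
                  r"(?P<client>[\d.]+): (?P<status>[A-Z_]+): (?P<princ>\S+) for ")

def failures_by_client(log: str, principal: str, year: int = 2023) -> dict[str, list[datetime]]:
    """{client_ip: [timestamps]} of PREAUTH_FAILED events for `principal`."""
    hits: dict[str, list[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m["status"] == "PREAUTH_FAILED" and m["princ"] == principal:
            hits[m["client"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return dict(hits)

def lockout_sources(log: str, principal: str, max_failures: int = MAX_FAILURES,
                    interval: int = FAIL_INTERVAL) -> list[str]:
    """Clients whose failures alone reach max_failures within interval seconds."""
    out = []
    for client, times in failures_by_client(log, principal).items():
        times.sort()
        # sliding window: any max_failures consecutive failures inside the interval
        if any((times[i + max_failures - 1] - times[i]).total_seconds() <= interval
               for i in range(len(times) - max_failures + 1)):
            out.append(client)
    return out
```

A client that shows up in lockout_sources is the first place to look for a stale keytab or a misconfigured service, which is what the original poster eventually found.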
[Freeipa-users] Re: ACIs for replication status monitoring
On Mon, Apr 24, 2023 at 03:54:30PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Sam Morris wrote:
> > On Mon, Apr 24, 2023 at 12:07:16PM -0400, Rob Crittenden via FreeIPA-users wrote:
> >>> However, this attribute can be read from the second search! Although it's not included in the results when 'ALL' attributes are requested, explicitly adding it to the search query works fine:
> >>
> >> The third search is looking for tombstone entries, https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/tombstones , and there don't appear to be any. This is fine.
> >>
> >> I don't think you need to do anything here.
> >
> > But here's what I see from ds-replcheck:
> >
> > $ ds-replcheck -v state -Z /etc/ipa/nssdb -m ldap://ipa0.ipa.example.com:389 -r ldap://ipa1.ipa.example.com:389 -D uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com -w ... -b o=ipaca
> > Connecting to servers...
> > Validating suffix ...
> > Gathering Supplier's RUV...
> > Error: Supplier does not have an RUV entry
> >
> > That error is caused by the tombstone search returning no entries. But with the directory manager, I get:
> >
> > $ ds-replcheck -v state -Z /etc/ipa/nssdb -m ldap://ipa0.ipa.example.com:389 -r ldap://ipa1.ipa.example.com:389 -D cn='Directory Manager' -W -b o=ipaca
> > Enter password:
> > Connecting to servers...
> > Validating suffix ...
> > Gathering Supplier's RUV...
> > Gathering Replica's RUV...
> > Getting Supplier's replica ID
> > Replication State: Supplier and Replica are in perfect synchronization
> >
> > Hence I figured I needed to add some ACIs somewhere. But the ones I've tried adding to 'cn=mapping tree,cn=config' aren't sufficient.
> >
> > Here's the search that I think ds-replcheck is doing:
> >
> > $ ldapsearch -H ldaps://ipa0.ipa.example.com -x -D uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com -w ... -s sub -b o=ipaca '(&(nsUniqueId=---)(objectClass=nstombstone))' nsds50ruv
> > # extended LDIF
> > #
> > # LDAPv3
> > # base with scope subtree
> > # filter: (&(nsUniqueId=---)(objectClass=nstombstone))
> > # requesting: nsds50ruv
> > #
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 1
> >
> > ... and here it is, run as the directory manager:
> >
> > # ldapsearch -LLL -o ldif-wrap=no -s sub -b o=ipaca '(&(nsUniqueId=---)(objectClass=nstombstone))' nsds50ruv
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> > nsds50ruv: {replicageneration} 5cb8bedf0006
> > nsds50ruv: {replica 14 ldap://ipa0.ipa.example.com:389} 610ad7470001000e 6446aa16000e
> > nsds50ruv: {replica 12 ldap://ipa1.ipa.example.com:389} 6082f5e10001000c 6446ae08000c
> > nsds50ruv: {replica 18 ldap://ipa2.ipa.example.com:389} 628d6a0700010012 6446afa40012
> >
>
> I don't use this tool so I don't know the details on the searches it performs. If you can get a quiet LDAP server and run as your bind user and Directory Manager and provide the access logs we can try to figure out what is going on.

Sure, here's the command used:

$ ds-replcheck -v state -Z /etc/ipa/nssdb -m ldap://ipa0.ipa.example.com:389 -r ldap://ipa1.ipa.example.com:389 -D DN -w PASSWORD -b o=ipaca

Here are the logs when running it using the root DN:

[25/Apr/2023:08:09:38.547193776 +] conn=1529 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[25/Apr/2023:08:09:38.547501267 +] conn=1529 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.010675418 optime=0.000343664 etime=0.011014089 dn="cn=directory manager"
[25/Apr/2023:08:09:38.556818128 +] conn=1529 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Apr/2023:08:09:38.557355407 +] conn=1529 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000350868 optime=0.000545608 etime=0.000878460
[25/Apr/2023:08:09:38.558868700 +] conn=1529 op=3 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" attrs=ALL
[25/Apr/2023:08:09:38.561344851 +] conn=1529 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000338392 optime=0.002481952 etime=0.002814677
[25/Apr/2023:08:09:38.565951829 +] conn=1529 op=4 SRCH base="o=ipaca" scope=2 filter="(&(nsUniqueId=---)(objectClass=nstombstone))" attrs="nsds50ruv"
[25/Apr/2023:08:09:38.567222484 +] conn=1529 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000293867 optime=0.001279436 etime=0.001568497
[25/Apr/2023:08:09:38.574172428 +] conn=1529 op=5 UNBIND

... and with my repl-mon user:
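For the comparison Rob asked for, an added example (not from the thread or from 389-ds) that pairs each SRCH with its RESULT by conn/op in a 389-ds access log and reports the searches whose entry count differs between two runs. ROOT_LOG follows the root-DN lines in the post; MON_LOG is constructed (different conn id, timestamps and timings) to reflect the empty tombstone search the post describes for the repl-mon bind.

```python
"""Pair SRCH/RESULT operations in a 389-ds access log and diff two runs.
Added example, not from the thread. ROOT_LOG follows the post's root-DN lines; MON_LOG is
constructed to reflect the empty tombstone search described there for the repl-mon user."""
import re

ROOT_LOG = """\
[25/Apr/2023:08:09:38.556818128 +0000] conn=1529 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Apr/2023:08:09:38.557355407 +0000] conn=1529 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000350868 optime=0.000545608 etime=0.000878460
[25/Apr/2023:08:09:38.558868700 +0000] conn=1529 op=3 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" attrs=ALL
[25/Apr/2023:08:09:38.561344851 +0000] conn=1529 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000338392 optime=0.002481952 etime=0.002814677
[25/Apr/2023:08:09:38.565951829 +0000] conn=1529 op=4 SRCH base="o=ipaca" scope=2 filter="(&(nsUniqueId=---)(objectClass=nstombstone))" attrs="nsds50ruv"
[25/Apr/2023:08:09:38.567222484 +0000] conn=1529 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000293867 optime=0.001279436 etime=0.001568497
"""
# Constructed: the same three searches under a non-root bind; the tombstone search returns nothing.
MON_LOG = """\
[25/Apr/2023:08:12:02.100000000 +0000] conn=1530 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Apr/2023:08:12:02.100500000 +0000] conn=1530 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000300000 optime=0.000500000 etime=0.000800000
[25/Apr/2023:08:12:02.102000000 +0000] conn=1530 op=3 SRCH base="cn=config" scope=2 filter="(&(objectClass=nsds5replica)(nsDS5ReplicaRoot=o=ipaca))" attrs=ALL
[25/Apr/2023:08:12:02.104000000 +0000] conn=1530 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000300000 optime=0.002000000 etime=0.002300000
[25/Apr/2023:08:12:02.106000000 +0000] conn=1530 op=4 SRCH base="o=ipaca" scope=2 filter="(&(nsUniqueId=---)(objectClass=nstombstone))" attrs="nsds50ruv"
[25/Apr/2023:08:12:02.107000000 +0000] conn=1530 op=4 RESULT err=0 tag=101 nentries=0 wtime=0.000300000 optime=0.001000000 etime=0.001300000
"""

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+)')

def searches(log: str) -> list[dict]:
    """Each search joined with its RESULT via (conn, op): base, scope, filter, err, nentries."""
    pending, out = {}, []
    for line in log.splitlines():
        if m := SRCH.search(line):
            pending[(m[1], m[2])] = {"base": m[3], "scope": int(m[4]), "filter": m[5]}
        elif m := RESULT.search(line):
            s = pending.pop((m[1], m[2]), None)
            if s is not None:               # RESULTs of BIND etc. have no SRCH; skip them
                s.update(err=int(m[3]), nentries=int(m[4]))
                out.append(s)
    return out

def diff_runs(ref: str, other: str) -> list[dict]:
    """Searches (same base, scope and filter) whose entry count differs between two runs."""
    other_by_key = {(s["base"], s["scope"], s["filter"]): s for s in searches(other)}
    diffs = []
    for s in searches(ref):
        o = other_by_key.get((s["base"], s["scope"], s["filter"]))
        if o is None or o["nentries"] != s["nentries"]:
            diffs.append({"base": s["base"], "filter": s["filter"],
                          "ref": s["nentries"], "other": None if o is None else o["nentries"]})
    return diffs
```

On a quiet server, feed the two captured access-log slices to diff_runs; a search that returns entries for Directory Manager but zero for the bind user is the one whose ACIs need attention, which is exactly the tombstone/RUV search in this thread.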
[Freeipa-users] Admin account gets constantly locked
Hello all,

We have a really strange problem with our installation of FreeIPA 4.10. We are using latest Alma 9.1 as OS, but the default user account admin is getting constantly locked. After kinit-ing with different admin user and unlocking the account it becomes available.

Another side effect of this is that WebUI starts reporting that the service is unavailable with a popup. Once user admin is unlocked and ipa services are restarted everything becomes available.

Can you give me some heads up what should I check (password policy expiration is set to 90 days)