Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
op=6 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.987119181 -0500] conn=19059 op=7 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com))(entryusn>=20038636))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup entryusn"
[26/Apr/2017:14:52:43.987828298 -0500] conn=19059 op=7 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:56:53.754308324 -0500] conn=8 op=8122 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[26/Apr/2017:14:56:53.758231493 -0500] conn=8 op=8122 RESULT err=0 tag=103 nentries=0 etime=0
[26/Apr/2017:14:56:54.141384397 -0500] conn=17 op=5298 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:56:54.141558862 -0500] conn=17 op=5298 RESULT err=32 tag=101 nentries=0 etime=0

> On Apr 20, 2017, at 1:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Andrew Krause wrote:
>> Sorry for the self bump but no one has any insight on this?
>>
>>
>>> On Apr 17, 2017, at 11:31 AM, Andrew Krause <andrew.kra...@breakthroughfuel.com> wrote:
>>>
>>> Many hosts in our web UI show a null status for “enrolled”. When you do a
>>> search that includes any of these host objects the web UI posts errors, and
>>> if you click on one of the problem hosts the same error stops anything from
>>> loading on the host page.
>>>
>>> I’ve been trying to solve this problem on my own for quite some time and
>>> have not been successful. It’s impossible to remove the host through the
>>> web UI, and using CLI commands seems to remove the entry from IPA (host is
>>> not found with ipa host-find), but it is still visible in the UI. One
>>> thing that may be common with all of these hosts is that they were enrolled
>>> with our IPA system back while we were running version 3.0 and likely have
>>> had issues for quite some time. Multiple updates have happened since then,
>>> and all of our hosts added within the last year are working fine. I
>>> suspect there’s an issue with a path somewhere for a certificate database,
>>> but I’m unable to pinpoint what is going wrong.
>
> It should not be possible to have different views in the UI and the CLI
> since they make the same backend calls. What you'd want to do, hopefully
> on a semi-quiet system, is to do a host-find on the CLI and then list
> all hosts in the UI and compare the logs in /var/log/httpd/error_log and
> look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
> a buffered log so be patient).
>
> They should be doing more or less the exact same set of queries.
>
> Very doubtful that this has anything to do with certs. Anything on the
> client would be completely separate from what is on the server.
>
> One thing you may be seeing though is that in 3.0 clients a host
> certificate was obtained for it. This was dropped with 4.0, but it
> wouldn't affect any visibility on the server.
>
> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
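The CLI-versus-UI log comparison Rob describes above, as an added example that is not part of this thread: a small Python parser that pairs each 389-ds access-log request (SRCH, MOD, ...) with its RESULT line by (conn, op) and lists the operations that returned a non-zero LDAP result code (err=32 is noSuchObject). It assumes the single-line log format shown in the excerpt above and uses lines copied from that excerpt as input.

```python
import re
from collections import OrderedDict

# Sample lines copied from the access-log excerpt in the thread above.
SAMPLE_LOG = """\
[26/Apr/2017:14:56:53.754308324 -0500] conn=8 op=8122 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[26/Apr/2017:14:56:53.758231493 -0500] conn=8 op=8122 RESULT err=0 tag=103 nentries=0 etime=0
[26/Apr/2017:14:56:54.141384397 -0500] conn=17 op=5298 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:56:54.141558862 -0500] conn=17 op=5298 RESULT err=32 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(rest):
    """Turn ' base="..." scope=2 err=32' into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}

def pair_operations(log_text):
    """One dict per (conn, op), joining the request line with its RESULT line."""
    ops = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation, startup banner or unrelated line
        key = (int(m['conn']), int(m['op']))
        entry = ops.setdefault(key, {'conn': key[0], 'op': key[1]})
        fields = parse_fields(m['rest'])
        if m['kind'] == 'RESULT':
            entry['err'] = int(fields.get('err', -1))
            entry['nentries'] = int(fields.get('nentries', 0))
            entry['etime'] = fields.get('etime')
        else:
            entry['kind'] = m['kind']
            entry['ts'] = m['ts']
            entry['target'] = fields.get('base') or fields.get('dn')
            entry['filter'] = fields.get('filter')
    return list(ops.values())

def failed_operations(log_text):
    """Operations whose RESULT carries a non-zero LDAP result code."""
    return [o for o in pair_operations(log_text) if o.get('err', 0) != 0]

if __name__ == '__main__':
    for o in failed_operations(SAMPLE_LOG):
        print(f"conn={o['conn']} op={o['op']} {o['kind']} {o['target']} -> err={o['err']}")
```

Run it once over the access log captured during `ipa host-find` and once over the log captured while listing hosts in the UI, then diff the two lists of (kind, target, filter) tuples.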
Re: [Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Sorry for the self bump but no one has any insight on this?

> On Apr 17, 2017, at 11:31 AM, Andrew Krause <andrew.kra...@breakthroughfuel.com> wrote:
>
> Many hosts in our web UI show a null status for “enrolled”. When you do a
> search that includes any of these host objects the web UI posts errors, and
> if you click on one of the problem hosts the same error stops anything from
> loading on the host page.
>
> I’ve been trying to solve this problem on my own for quite some time and have
> not been successful. It’s impossible to remove the host through the web UI,
> and using CLI commands seems to remove the entry from IPA (host is not found
> with ipa host-find), but it is still visible in the UI. One thing that may
> be common with all of these hosts is that they were enrolled with our IPA
> system back while we were running version 3.0 and likely have had issues for
> quite some time. Multiple updates have happened since then, and all of our
> hosts added within the last year are working fine. I suspect there’s an
> issue with a path somewhere for a certificate database, but I’m unable to
> pinpoint what is going wrong.
>
>
> I’m currently cloning 2 of my IPA servers into a private DMZ to test fixes so
> I can try things without worry...
>
> 1. Realized we had many certificates that were expired and not renewing with
> “getcert list” on primary IPA server
> 2. Tried every document I could find on renewing the certificates but was
> never completely successful (on version 4.1 which is our current in
> production)
> 3. Upgraded to 4.4 and was actually able to renew all certificates listed on
> the main IPA server showing current below
> 4. After having success with #3 I was able to start the CA service without
> error and everything on the server seems to be working as expected
> 5. Have attempted many variations of removing a problem host and adding it
> back, but the errors in the web UI persist.
>
> Output from "getcert list":
>
> Number of certificates and requests being tracked: 8.
> Request ID '20160901214852':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=CA Audit,O=DOMAIN.COM
>   expires: 2018-08-22 22:13:44 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214853':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=OCSP Subsystem,O=DOMAIN.COM
>   expires: 2018-08-22 21:49:26 UTC
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214854':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=DOMAIN.COM
>   subject: CN=CA Subsystem,O=DOMAIN.COM
>   expires: 2018-08-22 21:49:18 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20160901214855':
>   status: MONITORING
>   stuck: no
>   ke
[Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
plugins in startup order
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SystemCertsVerification: system certs verification success
0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

Any assistance would be greatly appreciated.

Andrew Krause
[Freeipa-users] 3/4 replica failure - unknown reasons why
Yesterday I came in to 3 of my 4 freeipa replicas in an unusable state and replication was not connecting any of the hosts to each other. My first/primary host was still servicing authentication requests, but the others were in varying states of usability. I’ve investigated logs on all 4 nodes and the only thing I can see is messages like this from when the problem started until I restarted all 4 with ipactl stop/ipactl start:

[09/Nov/2015:19:17:16 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:19:16 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:21:19 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:23:19 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:25:21 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:27:21 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:29:26 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:31:26 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:32:37 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc2papp08.somedomain.com" (abcloc2papp08:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
[09/Nov/2015:19:33:29 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:34:37 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc2papp08.somedomain.com" (abcloc2papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:35:28 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc1papp08.somedomain.com" (abcloc1papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[09/Nov/2015:19:36:41 -0700] NSMMReplicationPlugin - agmt="cn=meToabcloc2papp08.somedomain.com" (abcloc2papp08:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.

We’ve already looked into our network and there was no outage/interruption between sites during the timeframe in question. The only corrective action that was taken was to restart each node. Does anyone know any way I can investigate further what caused this issue? I don’t like giving “I don’t know” answers for why replication stopped working and did not resume by itself.
Re: [Freeipa-users] Duplicate objects after 4.1 ipa-server upgrade
I upgraded 4 at the same time actually. It makes sense why the objects were created and I do understand how replication conflicts are handled. I just wanted to be absolutely certain that it was ok to delete these objects since it seems pointless to ever keep them around. Has there been any talk of a mechanism to just handle this on a regular basis (not that this situation should happen regularly)?

> On Nov 3, 2015, at 1:42 AM, Martin Kosek <mko...@redhat.com> wrote:
>
> On 11/03/2015 12:05 AM, Andrew Krause wrote:
>> After upgrading to 4.1 I have duplicated permission objects in my directory
>> with names including nsuniqueid. Is it safe to delete all of these objects?
>> Somehow this is only causing an issue for a specific user hitting a
>> specific HBAC policy.
>>
>> (Mon Nov 2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_eval_user_element] (0x0080): Parse error on [cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9 ..
>> (Mon Nov 2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
>> (Mon Nov 2 14:29:23 2015) [sssd[be[blue-shift.com]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules
>>
>>
>> This is causing authentication to fail for the user in question, and I would
>> like to get rid of these useless objects if they are no longer necessary.
>
> It looks like you had some replication problem in your network, or maybe
> upgraded 2 FreeIPA instances at the same time, so they both generated
> conflicting permissions?
>
> In any case, it should be safe to delete the permissions with nsuniqueid,
> FreeIPA should generate the managed permissions from scratch anyway, if they
> are missing and upgrade is run again.
>
> More info on replication conflicts here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html#Solving_Common_Replication_Conflicts-Solving_Naming_Conflicts
>
> Martin
[Freeipa-users] Duplicate objects after 4.1 ipa-server upgrade
After upgrading to 4.1 I have duplicated permission objects in my directory with names including nsuniqueid. Is it safe to delete all of these objects? Somehow this is only causing an issue for a specific user hitting a specific HBAC policy.

(Mon Nov 2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_eval_user_element] (0x0080): Parse error on [cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9 ..
(Mon Nov 2 14:29:23 2015) [sssd[be[blue-shift.com]]] [hbac_ctx_to_rules] (0x0020): Could not construct eval request
(Mon Nov 2 14:29:23 2015) [sssd[be[blue-shift.com]]] [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules

This is causing authentication to fail for the user in question, and I would like to get rid of these useless objects if they are no longer necessary.
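The nsuniqueid conflict entries discussed in this post and in Martin's reply above, as an added example that is not part of the thread: a Python helper that reads an LDIF export, finds replication conflict entries (an RDN carrying "+nsuniqueid=..."), pairs each with the original DN it collided with (using the server's own nsds5ReplConflict marker when present), and emits a delete LDIF only for conflicts whose original entry still exists. The sample dump is constructed; the container cn=permissions,cn=pbac and the suffix dc=example,dc=com are assumptions, not values from the thread.

```python
# Added example (not from the thread): locate 389-ds replication conflict
# entries in an LDIF dump and produce a delete LDIF for the safe-to-remove ones.
import re

# Constructed sample dump; the container cn=permissions,cn=pbac and the
# suffix dc=example,dc=com are assumptions, not values from the thread.
SAMPLE_LDIF = """\
dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission
cn: Read PassSync Managers Configuration

dn: cn=Read PassSync Managers Configuration+nsuniqueid=4ae3220f-4d2b11e5-a06ffcc2-215714a9,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission
nsds5ReplConflict: namingConflict cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=com
cn: Read PassSync Managers Configuration

dn: cn=Orphan Permission+nsuniqueid=deadbeef-00000000-00000000-00000000,cn=permissions,cn=pbac,dc=example,dc=com
cn: Orphan Permission
"""

CONFLICT_RDN_RE = re.compile(r'\+nsuniqueid=[0-9a-fA-F-]+(?=,|$)')

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, no line folding."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(':')
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def find_conflicts(text):
    """Return [(conflict_dn, original_dn, original_present)] per conflict entry."""
    entries = parse_ldif(text)
    known = {e['dn'][0].lower() for e in entries}
    found = []
    for e in entries:
        dn = e['dn'][0]
        if not CONFLICT_RDN_RE.search(dn):
            continue
        original = CONFLICT_RDN_RE.sub('', dn)
        marker = e.get('nsds5replconflict', [''])[0]
        if marker.startswith('namingConflict '):
            original = marker[len('namingConflict '):]
        found.append((dn, original, original.lower() in known))
    return found

def delete_ldif(text):
    """LDIF removing conflict entries whose original is still in the directory."""
    return ''.join(f'dn: {dn}\nchangetype: delete\n\n'
                   for dn, _, present in find_conflicts(text) if present)
```

Feed the output of delete_ldif to ldapmodify on one replica only and let replication propagate the deletions; a conflict whose original is missing (original_present is False) is left alone because the conflict copy may be the only surviving version of that entry.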
[Freeipa-users] Using 389-console with FreeIPA 3
I realize this question has been brought forth previously, but I am unable to find a clear answer. I have a 389-ds environment that is serving as an authentication back end for a python application. The plan was to use this as a kind of SSO for other future applications and we have MANY users/groups/OUs and different policies involved already. Since it's not really feasible to re-create everything, and it will not integrate directly with FreeIPA, I would like to be able to import my subtree to the 389-ds instance within my new FreeIPA install and manage that subtree separately from all my hosts and POSIX users. The short question: how can I manage to get the admin console working with the 389-ds that is included in FreeIPA? I'd really like to use FreeIPA for all my host based authentication, but it becomes a non-option if we have to run multiple directory clusters.