

OpenVPN: Can't browse the web when connected and the VPN is active.

Configured OpenVPN, but now you can't browse the web while connected?  It turned out the following NAT rule was missing from the firewall configuration on the OpenVPN router:

iptables -t nat -I POSTROUTING -s 10.1.1.0/24 -j SNAT --to $(nvram get wan_ipaddr)

Our VPN subnet is 10.1.1.0/24, but no rule existed to translate traffic from it onto the WAN interface.  Nothing leaving the VPN subnet was rewritten to the router's external IP address, so there was no web connectivity with the outside world.  The rule above fixes this.  In case you're wondering what nvram get wan_ipaddr does: it is a command from the BusyBox-based DD-WRT custom firmware used on various routers (DD-WRT is a replacement for the routers' standard firmware and web UI), and it returns the router's current WAN address.  If DD-WRT is not used, the router's external IP address will do in its place.

Thanks,

OpenShift w/ Kubernetes Setup: Installing using the UPI Method

Building an OpenShift Kubernetes cluster.  The method used here is the UPI (user-provisioned infrastructure) installation method.  Start off by loading the official page from Red Hat:

https://i1.wp.com/www.microdevsys.com/WordPressIMages/KubernetesAndOpenShift.PNG?ssl=1

Before you begin, ensure the following files have been downloaded from the Red Hat OpenShift pages (see the links in the above document):

/root/openshift # ls -altri
total 439680
201572861 -rw-r--r--.  1 root        root              706 Apr 25 04:15 README.md
201572704 -rwxr-xr-x.  1 root        root        360710144 Apr 25 04:15 openshift-install
201572859 -rw-rw-r--.  1 tom@mds.xyz tom@mds.xyz      2775 May  8 22:53 pull-secret.txt
201572858 -rw-rw-r--.  1 tom@mds.xyz tom@mds.xyz  89491042 May  8 22:55 openshift-install-linux.tar.gz
201572850 drwxr-xr-x.  3 root        root             4096 May  8 23:58 .
201326721 dr-xr-x---. 12 root        root             4096 May  9 08:43 ..

Extract the .tar.gz using:

tar -zxf openshift-install-linux.tar.gz


Firewalld: add VLANs to the allowed trusted / public zone rules.

Short list of commands for adding VLANs to the trusted zone:

firewall-cmd --zone=trusted --add-source=192.168.0.0/24
firewall-cmd --zone=trusted --add-source=10.0.0.0/24
firewall-cmd --zone=trusted --add-source=10.1.0.0/24
firewall-cmd --zone=trusted --add-source=10.2.0.0/24
firewall-cmd --zone=trusted --add-source=10.3.0.0/24
cat /etc/firewalld/zones/public.xml
firewall-cmd --runtime-to-permanent
cat /etc/firewalld/zones/public.xml

The result of this is:

cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <source address="192.168.0.0/24"/>
  <source address="10.0.0.0/24"/>
  <source address="10.1.0.0/24"/>
  <source address="10.2.0.0/24"/>
  <source address="10.3.0.0/24"/>
</zone>

Thx,

ImportError: cannot import name ‘setup’

Getting this?

[root@rmq01 ~]# pip3 install --user git+https://github.com/powerline/powerline.git@master
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting git+https://github.com/powerline/powerline.git@master
  Cloning https://github.com/powerline/powerline.git (to master) to /tmp/pip-i_onc12r-build
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-i_onc12r-build/setup.py", line 11, in <module>
        from setuptools import setup, find_packages
    ImportError: cannot import name 'setup'

Solve it by running this:

[root@rmq01 ~]# yum reinstall python3-setuptools.noarch

It seems the package files were corrupted.

Cheers,
Tom

User is not allowed to run sudo on server.  This incident will be reported.

Receiving the following when using FreeIPA to manage sudo rules?

-sh-4.2$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on idmipa04.  This incident will be reported.
-sh-4.2$

On a working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

and on a non-working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Disabled
# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

ipa-compat-manage status
Directory Manager password: 

Plugin Disabled

Enable the plugin:

# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
#

Then try sudo to root again.  All sudo rules should be visible on both servers using the following commands:

ldapsearch -Y GSSAPI -b "dc=mws,dc=mds,dc=xyz" dn | grep -Ei sudo | grep -v "#"

ipa sudorule-find All

Verify on the clients; if a client still refuses, clear the SSSD cache and restart sssd as shown below:

$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on azure-r01wn01.  This incident will be reported.
$ su -
Password: 
Last login: Thu Jan 28 21:53:55 EST 2021 on pts/0
[root@azure-r01wn01 ~]# systemctl restart sssd^C
[root@azure-r01wn01 ~]# rm -f /var/lib/sss/db/*
[root@azure-r01wn01 ~]# systemctl restart sssd
[root@azure-r01wn01 ~]# logout
$ sudo su -
[sudo] password for tom@mds.xyz: 
Last login: Fri Jan 29 00:51:40 EST 2021 on pts/1
[root@azure-r01wn01 ~]# 

Thanks,

CalledProcessError: Command ‘/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem’ returned non-zero exit status 1

Getting one of these messages in the httpd error_log of a FreeIPA server?

[Thu Jan 28 23:32:39.440152 2021] [:error] [pid 12728] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jan 28 23:32:39.440345 2021] [:error] [pid 12728] ipa: DEBUG: WSGI login_password.__call__:
[Thu Jan 28 23:32:39.442215 2021] [:error] [pid 12728] ipa: DEBUG: Obtaining armor in ccache /var/run/ipa/ccaches/armor_12728
[Thu Jan 28 23:32:39.442377 2021] [:error] [pid 12728] ipa: DEBUG: Initializing anonymous ccache
[Thu Jan 28 23:32:39.442660 2021] [:error] [pid 12728] ipa: DEBUG: Starting external process
[Thu Jan 28 23:32:39.442815 2021] [:error] [pid 12728] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Thu Jan 28 23:32:39.646898 2021] [:error] [pid 12728] ipa: DEBUG: Process finished, return code=1
[Thu Jan 28 23:32:39.647109 2021] [:error] [pid 12728] ipa: DEBUG: stdout=
[Thu Jan 28 23:32:39.647256 2021] [:error] [pid 12728] ipa: DEBUG: stderr=kinit: Preauthentication failed while getting initial credentials
[Thu Jan 28 23:32:39.647281 2021] [:error] [pid 12728] 
[Thu Jan 28 23:32:39.647613 2021] [:error] [pid 12728] [remote 192.168.0.136:112] mod_wsgi (pid=12728): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Jan 28 23:32:39.647727 2021] [:error] [pid 12728] [remote 192.168.0.136:112] Traceback (most recent call last):
[Thu Jan 28 23:32:39.647840 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/share/ipa/wsgi.py", line 59, in application
[Thu Jan 28 23:32:39.648086 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Jan 28 23:32:39.648143 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Thu Jan 28 23:32:39.648852 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     return self.route(environ, start_response)
[Thu Jan 28 23:32:39.648901 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Thu Jan 28 23:32:39.648952 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     return app(environ, start_response)
[Thu Jan 28 23:32:39.648989 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Thu Jan 28 23:32:39.649034 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     self.kinit(user_principal, password, ipa_ccache_name)
[Thu Jan 28 23:32:39.649076 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Thu Jan 28 23:32:39.649121 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Jan 28 23:32:39.649165 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Thu Jan 28 23:32:39.649365 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Jan 28 23:32:39.649407 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Thu Jan 28 23:32:39.650151 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Thu Jan 28 23:32:39.650286 2021] [:error] [pid 12728] [remote 192.168.0.136:112] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

This prevented Web UI logins as well:

Login failed due to an unknown reason.

Solve it by re-enabling PKINIT, if it was disabled earlier for reasons that escape me:

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
# ls -altri /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key /var/kerberos/krb5kdc/
201364201 -rw-------. 1 root root 1708 Jan 29 00:18 /var/kerberos/krb5kdc/kdc.key
201364200 -rw-r--r--. 1 root root 1635 Jan 29 00:18 /var/kerberos/krb5kdc/kdc.crt

/var/kerberos/krb5kdc/:
total 32
201645664 -rw-------. 1 root root   22 Nov 27  2019 kadm5.acl
134764626 drwxr-xr-x. 4 root root   31 Mar 31  2020 ..
201364197 -rw-r--r--. 1 root root 1448 Jan  8 21:13 kdc.crt-backup
201328018 -rw-------. 1 root root 1708 Jan 28 23:42 kdc.key-backup
201657540 -rw-------. 1 root root  626 Jan 28 23:59 kdc.conf
201364201 -rw-------. 1 root root 1708 Jan 29 00:18 kdc.key
201364200 -rw-r--r--. 1 root root 1635 Jan 29 00:18 kdc.crt
201645673 drwxr-xr-x. 2 root root 4096 Jan 29 00:18 .
201657542 -rw-r--r--. 1 root root 2578 Jan 29 00:18 cacert.pem
#

Note that prior to re-enabling PKINIT, the kdc.crt had the wrong size and contained the following:

# ls -altri /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key
201657540 -rw-------. 1 root root 1708 Jan 28 23:42 /var/kerberos/krb5kdc/kdc.key
201657541 -rw-r--r--. 1 root root 1448 Jan 28 23:42 /var/kerberos/krb5kdc/kdc.crt
# df -h 
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G  4.0K  1.9G   1% /dev/shm
tmpfs                    1.9G   17M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/mapper/centos-root   41G  5.1G   35G  13% /
/dev/mapper/centos-home   20G   33M   20G   1% /home
/dev/sda1                497M  298M  200M  60% /boot
tmpfs                    379M     0  379M   0% /run/user/155601104
# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        Validity
            Not Before: Jan 29 04:42:04 2021 GMT
            Not After : Jan 29 04:42:04 2022 GMT
        Subject: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                66:59:08:5F:BB:10:A2:E1:E1:57:44:4F:4D:54:20:3E:5A:41:84:E6
            1.3.6.1.4.1.311.20.2: 
                .".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
    Signature Algorithm: sha256WithRSAEncryption
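An added example, not from the original post: a stdlib-only Python check over the text dump shown above that confirms kdc.crt carries the KDC PKINIT extended key usage and is valid at the time of the armor kinit. The sample text is a trimmed copy of the dump above; the request time passed in is a constructed value.

```python
"""KDC PKINIT certificate sanity check; an added example, not part of the
original post.

Works on the text form of the certificate (openssl x509 -noout -text), which
is what the post shows, and confirms the three things a kinit -n armor request
needs from kdc.crt: the KDC PKINIT extended key usage (OID 1.3.6.1.5.2.3.5,
id-pkinit-KPKdc), a CN that names the KDC, and a validity window that covers
the time of the request.
"""
import re
from datetime import datetime, timezone

PKINIT_KDC_EKU = "1.3.6.1.5.2.3.5"

# Constructed sample: the relevant lines of the kdc.crt dump from the post.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        Validity
            Not Before: Jan 29 04:42:04 2021 GMT
            Not After : Jan 29 04:42:04 2022 GMT
        Subject: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def utc(*parts):
    """Shorthand for an aware UTC datetime, e.g. utc(2021, 1, 29, 5, 0)."""
    return datetime(*parts, tzinfo=timezone.utc)


def _openssl_time(value):
    """Parse 'Jan 29 04:42:04 2022 GMT' (openssl pads single-digit days with two spaces)."""
    normalised = " ".join(value.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_x509_text(text):
    """Pull subject CN, validity and the EKU list out of openssl's text dump."""
    info = {"cn": None, "not_before": None, "not_after": None, "eku": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):          # not 'Subject Public Key Info:'
            m = re.search(r"CN=([^,]+)", s)
            info["cn"] = m.group(1).strip() if m else None
        elif s.startswith("Not Before:"):
            info["not_before"] = _openssl_time(s.split(":", 1)[1])
        elif s.startswith("Not After"):
            info["not_after"] = _openssl_time(s.split(":", 1)[1])
        elif s.startswith("X509v3 Extended Key Usage") and i + 1 < len(lines):
            info["eku"] = [e.strip() for e in lines[i + 1].split(",")]
    return info


def check_kdc_cert(text, kdc_fqdn, now):
    """Return a list of problems; an empty list means the cert is usable for PKINIT."""
    info = parse_x509_text(text)
    problems = []
    if PKINIT_KDC_EKU not in info["eku"]:
        problems.append("missing KDC PKINIT EKU %s" % PKINIT_KDC_EKU)
    if info["cn"] != kdc_fqdn:
        problems.append("CN %r does not name KDC %r" % (info["cn"], kdc_fqdn))
    if info["not_before"] is None or info["not_after"] is None:
        problems.append("could not read validity")
    elif not (info["not_before"] <= now <= info["not_after"]):
        problems.append("not valid at %s (valid %s to %s)" % (
            now.date(), info["not_before"].date(), info["not_after"].date()))
    return problems


if __name__ == "__main__":
    print(check_kdc_cert(SAMPLE_X509_TEXT, "idmipa03.mws.mds.xyz", utc(2021, 1, 29, 5, 0)) or ["OK"])
```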

Hope this helps!

Regards,

Low volume on Asus ROG Laptop

Low volume on your laptop, even when set to the maximum?  Ensure that Loudness Equalization is checked in Realtek HD Audio Manager.

https://i0.wp.com/www.microdevsys.com/WordPressImages/Realtek-HD-Audio-Manager.png?ssl=1

Decommission or recommission a host using Cloudera 6.X API calls: /api/v3/cm/commands/hostsOfflineOrDecommission

Need to decommission a host?  Just call this:

curl -u admin:pAsS --insecure -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"items":["cm-r01wn02.mws.mds.xyz"]}'    'https://cm-c01.mws.mds.xyz:7183/api/v3/cm/commands/hostsOfflineOrDecommission'
{
  "id" : 17256,
  "name" : "HostsDecommission",
  "startTime" : "2021-01-05T02:49:37.220Z",
  "active" : true,
  "children" : {
    "items" : [ ]
  }
}

Need to recommission a host?  Just call this:

curl -u admin:pAsS --insecure -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"items":["cm-r01wn02.mws.mds.xyz"]}'    'https://cm-c01.mws.mds.xyz:7183/api/v33/cm/commands/hostsRecommission'

How this maps to the ApiHostNameList specification: https://archive.cloudera.com/cm6/6.2.0/generic/jar/cm_api/apidocs/json_ApiHostNameList.html

Cheers,

REF: https://archive.cloudera.com/cm6/6.3.0/generic/jar/cm_api/swagger-html-sdk-docs/java/docs/ClouderaManagerResourceApi.html#hostsDecommissionCommand
REF: https://cm-c01.mws.mds.xyz:7183/static/apidocs/ui/index.html#!/ClouderaManagerResource/hostsDecommissionCommand

WrongHost: Peer certificate subjectAltName does not match host, expected 1.2.3.4, got DNS: host1.domain, DNS: host2.domain, DNS: host3.domain

Another form of this error occurs when certificate validation ends up comparing against an IP address instead of a hostname, as here:

WrongHost: Peer certificate subjectAltName does not match host, expected 1.2.3.4, got DNS:srv-c01.earth.water.fire, DNS:cm-r01nn01.earth.water.fire, DNS:cm-r01nn02.earth.water.fire
[02/Jan/2021 03:15:59 +0000] 32309 Thread-13 downloader   ERROR    Failed fetching torrent: Peer certificate subjectAltName does not match host, expected 1.2.3.4, got DNS:srv-c01.earth.water.fire, DNS:cm-r01nn01.earth.water.fire, DNS:cm-r01nn02.earth.water.fire

In our software stack, Cloudera Manager sits behind an HAProxy / Keepalived VIP:

Cloudera CM <- HAproxy <- Keepalived <- Cloudera Node

In this case the error was seen on the Cloudera node.  So what could the issue be?

Verifying with forward and reverse lookups also produced the expected results:

# dig -x 1.2.3.4
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 86400  IN      PTR     cm-r01nn01.earth.water.fire.


# dig cm-r01nn01.earth.water.fire
;; QUESTION SECTION:
;cm-r01nn01.earth.water.fire.                IN      A

;; ANSWER SECTION:
cm-r01nn01.earth.water.fire. 1200    IN      A       1.2.3.4


# nslookup 1.2.3.4
Server:         192.168.0.100
Address:        192.168.0.100#53

4.3.2.1.in-addr.arpa name = cm-r01nn01.earth.water.fire.


# nslookup cm-r01nn01
Server:         192.168.0.100
Address:        192.168.0.100#53

Name:   cm-r01nn01.earth.water.fire
Address: 1.2.3.4

Troubleshooting revealed that pointing the node directly at the Cloudera CM server, bypassing the HAProxy and Keepalived VIPs, worked well.  Further investigation revealed that SELinux / auditd were blocking HAProxy and Keepalived communication:

type=AVC msg=audit(1609572407.005:1253694): avc:  denied  { name_bind } for  pid=3533 comm="haproxy" src=8084 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:luci_port_t:s0 tclass=tcp_socket  

Running the following several times helped create the rules needed to allow the communication:

grep AVC /var/log/audit/audit.log* >> /var/log/audit/audit-denied.log; cat /var/log/audit/audit-denied.log | audit2allow -M systemd-allow;semodule -i systemd-allow.pp  
systemctl restart haproxy keepalived  
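The grep | audit2allow one-liner above turns every AVC denial found in audit.log* into allow rules. As an added example that is not part of the original post, here is a stdlib-only Python summariser that shows, before a module is built and installed, exactly which (source type, target type, class, permission) tuples those denials would grant. The haproxy line is the one from the post; the other sample lines are constructed.

```python
"""AVC denial summariser; an added example, not part of the original post.

Parses type=AVC records from audit.log and groups the denied permissions by
(source type, target type, object class), the same tuples audit2allow turns
into allow rules.  Reviewing this list first shows what a generated module
will permit, so an unrelated denial that happens to be in the log (the sshd
line below) is not allowed by accident.
"""
import re
from collections import defaultdict

# Constructed sample log: the haproxy denial quoted in the post, a made-up
# second haproxy denial, a non-AVC record, and an unrelated sshd denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1609572407.005:1253694): avc:  denied  { name_bind } for  pid=3533 comm="haproxy" src=8084 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:luci_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1609572410.118:1253701): avc:  denied  { name_connect } for  pid=3533 comm="haproxy" dest=7183 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1609572407.005:1253694): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1609572455.000:1253790): avc:  denied  { read } for  pid=2201 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<action>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either quoted strings or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "action": m.group("action"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third field of a context string: user:role:type:level
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side[0] + "type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarise_denials(log_text):
    """Map (stype, ttype, tclass) -> set of permissions for every denied AVC."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["action"] == "denied" and rec["stype"] and rec["ttype"]:
            rules[(rec["stype"], rec["ttype"], rec.get("tclass", "?"))].update(rec["perms"])
    return dict(rules)


def as_te_rules(log_text):
    """Render the summary in the allow-rule form audit2allow produces."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarise_denials(log_text).items()):
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return out


if __name__ == "__main__":
    for rule in as_te_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```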

Initially this did not appear to fully resolve the issue; a full restart of the Cloudera SCM server did, however, which suggests the problem was made up of two issues.  Communication to and from the CM server was easily analysed with tcpdump, verifying whether any traffic was reaching the Cloudera SCM server at all and whether valid replies were being sent back from it.  The logic used to detect the correct hostname is not known without diving into the Java source code, but regardless of that logic, what can be said is that the hostname query produced no result and the client fell back to the IP address.
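The mismatch described above, as an added example that is not part of the original post: a stdlib-only Python re-implementation of the subjectAltName check, run against the SAN list from the error message. It shows why the fallback IP can never match a certificate that only carries DNS entries, while the FQDN the IP resolves to does; the IP-SAN sample used in the comparison is constructed.

```python
"""Hostname-vs-SAN check; an added example, not part of the original post.

Reproduces the decision behind "Peer certificate subjectAltName does not
match host": the name the client expected (here an IP address, because name
resolution came back empty and the client fell back to the address) is
compared against the certificate's SAN entries.  DNS entries only ever match
a DNS name, so an IP never matches a certificate that carries only DNS: SANs.
"""
import ipaddress

# Constructed sample: the SAN list quoted in the error message in the post.
SAN_FROM_ERROR = (
    "DNS:srv-c01.earth.water.fire, DNS:cm-r01nn01.earth.water.fire, "
    "DNS:cm-r01nn02.earth.water.fire"
)


def parse_san(text):
    """Turn 'DNS:a, IP Address:1.2.3.4' into [('DNS', 'a'), ('IP', '1.2.3.4')]."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if ":" not in item:
            continue
        kind, value = item.split(":", 1)
        kind = kind.strip().upper()
        if kind == "IP ADDRESS":
            kind = "IP"
        entries.append((kind, value.strip()))
    return entries


def dns_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive, a wildcard only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def san_matches(expected, san_text):
    """Return (matched, reason); `expected` is the name the client connected to."""
    entries = parse_san(san_text)
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only ever compared against IP Address: entries.
        for kind, value in entries:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, "matched IP SAN %s" % value
            except ValueError:
                continue
        if all(kind == "DNS" for kind, _ in entries):
            return False, "expected %s but certificate has only DNS SANs" % expected
        return False, "no IP SAN equals %s" % expected
    for kind, value in entries:
        if kind == "DNS" and dns_matches(value, expected):
            return True, "matched DNS SAN %s" % value
    return False, "no DNS SAN matches %s" % expected


def check_expected_names():
    """The two outcomes from the post: the IP fails, the FQDN it resolves to passes."""
    return {name: san_matches(name, SAN_FROM_ERROR)
            for name in ("1.2.3.4", "cm-r01nn01.earth.water.fire")}


if __name__ == "__main__":
    for name, (ok, reason) in check_expected_names().items():
        print("%-30s %-9s (%s)" % (name, "OK" if ok else "WrongHost", reason))
```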

Regards,

Fixing FreeIPA Replication Issues

A case example of an HBAC service ID that is not consistent across the master-master FreeIPA deployment:

# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.m
 ds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
ipaUniqueID: 22f40934-9d7c-11ea-b5a6-00505686b78e
description: pam_systemd and systemd user@.service
cn: systemd-user
objectClass: ipaobject
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
$ echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 1          | 1          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
#

Case two is identical to the first one above:

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz

ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
# echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 0          | 0          | OK    |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
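The manual triage carried out in both cases above (find the entries carrying nsds5ReplConflict, read the nsuniqueid out of the folded dn, delete the conflict entry with ldapdelete), as an added stdlib-only Python example that is not part of the original post. It unfolds the LDIF that ldapsearch prints and reports, for each conflict entry, the DN to pass to ldapdelete together with the surviving DN named in the conflict attribute, which is worth confirming still exists before the delete; the sample LDIF is a trimmed copy of the output above.

```python
"""Replication-conflict triage from ldapsearch LDIF output; an added example,
not part of the original post.

ldapsearch wraps long attribute values and marks continuation lines with a
leading space (RFC 2849), so the dn of a conflict entry, which always contains
'+nsuniqueid=...', usually arrives split across two lines.  This unfolds the
LDIF, picks out every entry carrying nsds5ReplConflict and reports the DN to
hand to ldapdelete together with the DN of the surviving, non-conflict entry.
"""
import re

# Constructed sample: the two conflict entries from the post, trimmed to the
# attributes that matter, folded exactly as ldapsearch prints them.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
cn: System: Read Radius Servers
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.m
 ds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
cn: systemd-user
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success
"""

# nsds5ReplConflict value: "<conflictType> (<operation>) <dn of the winning entry>"
CONFLICT_RE = re.compile(r"^(?P<kind>\w+)\s+\((?P<op>\w+)\)\s+(?P<dn>.+)$")


def unfold_ldif(text):
    """Join continuation lines (leading single space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Yield one {attribute: [values]} dict per LDIF entry, ignoring '#' comments."""
    entry = {}
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        yield entry


def find_conflicts(text):
    """For each conflict entry return the DN to delete and the DN that survives."""
    found = []
    for entry in parse_entries(text):
        if "nsds5ReplConflict" not in entry or "dn" not in entry:
            continue
        dn = entry["dn"][0]
        m = CONFLICT_RE.match(entry["nsds5ReplConflict"][0])
        uid = re.search(r"\+nsuniqueid=([0-9a-f-]+)", dn)
        found.append({
            "conflict_dn": dn,
            "nsuniqueid": uid.group(1) if uid else None,
            "conflict_type": m.group("kind") if m else None,
            "operation": m.group("op") if m else None,
            "surviving_dn": m.group("dn") if m else None,
        })
    return found


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LDIF):
        print("ldapdelete target  : %s" % c["conflict_dn"])
        print("verify still exists: %s\n" % c["surviving_dn"])
```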

Regards,


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License