

Firewalld. Add VLANs to the allowed trusted / public zone rules.

Short list of commands for adding VLAN subnets to the trusted zone. Note that --add-source without --permanent only changes the runtime configuration; --runtime-to-permanent then writes the running state to /etc/firewalld/zones/. Listing the zone file before and after shows the difference:

firewall-cmd --zone=trusted --add-source=192.168.0.0/24
firewall-cmd --zone=trusted --add-source=10.0.0.0/24
firewall-cmd --zone=trusted --add-source=10.1.0.0/24
firewall-cmd --zone=trusted --add-source=10.2.0.0/24
firewall-cmd --zone=trusted --add-source=10.3.0.0/24
cat /etc/firewalld/zones/trusted.xml
firewall-cmd --runtime-to-permanent
cat /etc/firewalld/zones/trusted.xml

Keep in mind that the trusted zone has target ACCEPT: every host in a source range listed there reaches every port on this machine with no further filtering. Only add ranges you actually trust, and put anything else in the public zone with explicit --add-service / --add-port rules.

The resulting zone file is:

cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <source address="192.168.0.0/24"/>
  <source address="10.0.0.0/24"/>
  <source address="10.1.0.0/24"/>
  <source address="10.2.0.0/24"/>
  <source address="10.3.0.0/24"/>
</zone>
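Before adding a range to a zone whose target is ACCEPT, it is worth checking what the zone file actually allows. The following is an added example (not part of the original post, and not firewalld's own tooling) that parses a zone XML like the one above and flags sources that are too wide or not private. The zone document is constructed inline and includes one deliberately bad 0.0.0.0/0 source and one public range; the /16 "too broad" threshold is an assumption.

```python
"""Audit a firewalld zone file: list its sources and flag ranges that a
target=ACCEPT zone would admit wholesale. Added example, not from the post.
The zone XML below is constructed: trusted.xml from above plus two bad sources."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <source address="192.168.0.0/24"/>
  <source address="10.0.0.0/24"/>
  <source address="10.1.0.0/24"/>
  <source address="8.8.8.0/24"/>
  <source address="0.0.0.0/0"/>
</zone>
"""

MAX_PREFIX_SPAN = 16  # assumption: anything wider than a /16 is too broad for a trusted zone


def zone_sources(xml_text):
    """Return (target, [ip_network, ...]) for a firewalld zone document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    target = root.get("target", "default")
    nets = []
    for src in root.findall("source"):
        addr = src.get("address")
        if addr is None:  # firewalld also allows ipset= / mac= sources; not audited here
            continue
        nets.append(ipaddress.ip_network(addr, strict=False))
    return target, nets


def audit_zone(xml_text):
    """Return [(source, reason)] findings; only an ACCEPT zone turns a source into a blanket allow."""
    target, nets = zone_sources(xml_text)
    findings = []
    if target != "ACCEPT":
        return findings
    for net in nets:
        if net.prefixlen < MAX_PREFIX_SPAN:
            findings.append((str(net), "prefix shorter than /%d" % MAX_PREFIX_SPAN))
        elif not net.is_private:
            findings.append((str(net), "not an RFC 1918 / ULA range"))
    return findings


def overlapping_sources(xml_text):
    """Pairs of sources where one contains the other: redundant, or one of them accidentally wide."""
    _, nets = zone_sources(xml_text)
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    for src, why in audit_zone(SAMPLE_ZONE):
        print("WARN %s: %s" % (src, why))
    for a, b in overlapping_sources(SAMPLE_ZONE):
        print("OVERLAP %s <-> %s" % (a, b))
```

Run it against a copy of /etc/firewalld/zones/trusted.xml (read the file into the string instead of SAMPLE_ZONE) after --runtime-to-permanent; an empty finding list is the expected result for the five /24 ranges in the post.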

 

Thx,

ImportError: cannot import name 'setup'

Getting this?

[root@rmq01 ~]# pip3 install --user git+https://github.com/powerline/powerline.git@master
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting git+https://github.com/powerline/powerline.git@master
  Cloning https://github.com/powerline/powerline.git (to master) to /tmp/pip-i_onc12r-build
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-i_onc12r-build/setup.py", line 11, in <module>
        from setuptools import setup, find_packages
    ImportError: cannot import name 'setup'

Solve it by running this:

[root@rmq01 ~]# yum reinstall python3-setuptools.noarch

It seems the setuptools package files were corrupted, and reinstalling restores them. Two things are worth changing in the install command itself: it runs as root (pip warns about that for a reason) and it pulls whatever happens to be on the master branch at that moment, so prefer a --user install as an unprivileged account and pin to a release tag or commit hash rather than @master.

Cheers,
Tom

User is not allowed to run sudo on server.  This incident will be reported.

Receiving the following when using FreeIPA to manage sudo rules?

-sh-4.2$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on idmipa04.  This incident will be reported.
-sh-4.2$

On a working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

and on a non-working node:

# ipa-compat-manage status
Directory Manager password: 

Plugin Disabled
# ipa-compat-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful


Then try sudo to root again. All sudo rules should be visible with the following commands. The Schema Compatibility plugin (slapi-nis) is what publishes the rules under ou=sudoers, the tree read by clients that use sudo's LDAP backend or older SSSD versions, which is why a disabled plugin breaks sudo on those clients while ipa sudorule-find still lists every rule:

ldapsearch -Y GSSAPI -b "dc=mws,dc=mds,dc=xyz" dn |grep -Ei sudo|grep -v "#"

ipa sudorule-find All

on both servers. Then verify on a client. If sudo still fails there, the client's SSSD cache is stale, so flush it and restart sssd:

$ sudo su -
[sudo] password for tom@mds.xyz: 
tom@mds.xyz is not allowed to run sudo on azure-r01wn01.  This incident will be reported.
$ su –
Password: 
Last login: Thu Jan 28 21:53:55 EST 2021 on pts/0
[root@azure-r01wn01 ~]# rm -f /var/lib/sss/db/*
[root@azure-r01wn01 ~]# systemctl restart sssd
[root@azure-r01wn01 ~]# logout
$ sudo su –
[sudo] password for tom@mds.xyz: 
Last login: Fri Jan 29 00:51:40 EST 2021 on pts/1
[root@azure-r01wn01 ~]# 

Note that removing /var/lib/sss/db/* also throws away cached credentials and identity data, so users cannot log in while the IPA servers are unreachable until the cache has been repopulated. sss_cache -E (invalidate all cached entries) followed by a restart of sssd is the gentler option when it is enough.

Thanks,

CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

Getting one of these messages in the HTTPD error_log of a FreeIPA server? 

[Thu Jan 28 23:32:39.440152 2021] [:error] [pid 12728] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jan 28 23:32:39.440345 2021] [:error] [pid 12728] ipa: DEBUG: WSGI login_password.__call__:
[Thu Jan 28 23:32:39.442215 2021] [:error] [pid 12728] ipa: DEBUG: Obtaining armor in ccache /var/run/ipa/ccaches/armor_12728
[Thu Jan 28 23:32:39.442377 2021] [:error] [pid 12728] ipa: DEBUG: Initializing anonymous ccache
[Thu Jan 28 23:32:39.442660 2021] [:error] [pid 12728] ipa: DEBUG: Starting external process
[Thu Jan 28 23:32:39.442815 2021] [:error] [pid 12728] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Thu Jan 28 23:32:39.646898 2021] [:error] [pid 12728] ipa: DEBUG: Process finished, return code=1
[Thu Jan 28 23:32:39.647109 2021] [:error] [pid 12728] ipa: DEBUG: stdout=
[Thu Jan 28 23:32:39.647256 2021] [:error] [pid 12728] ipa: DEBUG: stderr=kinit: Preauthentication failed while getting initial credentials
[Thu Jan 28 23:32:39.647281 2021] [:error] [pid 12728] 
[Thu Jan 28 23:32:39.647613 2021] [:error] [pid 12728] [remote 192.168.0.136:112] mod_wsgi (pid=12728): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Jan 28 23:32:39.647727 2021] [:error] [pid 12728] [remote 192.168.0.136:112] Traceback (most recent call last):
[Thu Jan 28 23:32:39.647840 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/share/ipa/wsgi.py", line 59, in application
[Thu Jan 28 23:32:39.648086 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Jan 28 23:32:39.648143 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Thu Jan 28 23:32:39.648852 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     return self.route(environ, start_response)
[Thu Jan 28 23:32:39.648901 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Thu Jan 28 23:32:39.648952 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     return app(environ, start_response)
[Thu Jan 28 23:32:39.648989 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Thu Jan 28 23:32:39.649034 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     self.kinit(user_principal, password, ipa_ccache_name)
[Thu Jan 28 23:32:39.649076 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Thu Jan 28 23:32:39.649121 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Thu Jan 28 23:32:39.649165 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Thu Jan 28 23:32:39.649365 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     run(args, env=env, raiseonerr=True, capture_error=True)
[Thu Jan 28 23:32:39.649407 2021] [:error] [pid 12728] [remote 192.168.0.136:112]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
[Thu Jan 28 23:32:39.650151 2021] [:error] [pid 12728] [remote 192.168.0.136:112]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Thu Jan 28 23:32:39.650286 2021] [:error] [pid 12728] [remote 192.168.0.136:112] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_12728 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1

This also prevented Web UI logins:

Login failed due to an unknown reason.

The kinit -n call is anonymous PKINIT: the server obtains an anonymous ticket to use as FAST armor for the user's password authentication, so when PKINIT is not working on the KDC every password login through the Web UI or the API fails with the trace above. Solve it by re-enabling PKINIT (it had been disabled earlier, for reasons that escape me):

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
# ls -altri /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key /var/kerberos/krb5kdc/
201364201 -rw-------. 1 root root 1708 Jan 29 00:18 /var/kerberos/krb5kdc/kdc.key
201364200 -rw-r--r--. 1 root root 1635 Jan 29 00:18 /var/kerberos/krb5kdc/kdc.crt

/var/kerberos/krb5kdc/:
total 32
201645664 -rw-------. 1 root root   22 Nov 27  2019 kadm5.acl
134764626 drwxr-xr-x. 4 root root   31 Mar 31  2020 ..
201364197 -rw-r--r--. 1 root root 1448 Jan  8 21:13 kdc.crt-backup
201328018 -rw-------. 1 root root 1708 Jan 28 23:42 kdc.key-backup
201657540 -rw-------. 1 root root  626 Jan 28 23:59 kdc.conf
201364201 -rw-------. 1 root root 1708 Jan 29 00:18 kdc.key
201364200 -rw-r--r--. 1 root root 1635 Jan 29 00:18 kdc.crt
201645673 drwxr-xr-x. 2 root root 4096 Jan 29 00:18 .
201657542 -rw-r--r--. 1 root root 2578 Jan 29 00:18 cacert.pem
#

Note that before PKINIT was re-enabled the kdc.crt was a different, 1448 byte file. As the openssl output below shows, its issuer is identical to its subject: a self-signed KDC certificate rather than one issued by the IPA CA, which is not what the anchors passed to kinit -n expect. The extended key usage 1.3.6.1.5.2.3.5 is id-pkinit-KPKdc, the OID a PKINIT KDC certificate must carry, and the two othername SAN entries are the KDC's Kerberos principal name:

# ls -altri /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key
201657540 -rw-------. 1 root root 1708 Jan 28 23:42 /var/kerberos/krb5kdc/kdc.key
201657541 -rw-r--r--. 1 root root 1448 Jan 28 23:42 /var/kerberos/krb5kdc/kdc.crt
# df -h 
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G  4.0K  1.9G   1% /dev/shm
tmpfs                    1.9G   17M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/mapper/centos-root   41G  5.1G   35G  13% /
/dev/mapper/centos-home   20G   33M   20G   1% /home
/dev/sda1                497M  298M  200M  60% /boot
tmpfs                    379M     0  379M   0% /run/user/155601104
# openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        Validity
            Not Before: Jan 29 04:42:04 2021 GMT
            Not After : Jan 29 04:42:04 2022 GMT
        Subject: O=MWS.MDS.XYZ, CN=idmipa03.mws.mds.xyz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:db:95:45:44:40:7e:0d:5b:f7:98:b6:5f:98:
                    10:c7:4a:27:5d:54:aa:97:59:58:85:e5:f4:12:b8:
                    0d:8f:9d:62:f5:35:b1:5a:40:d0:c9:98:76:5d:97:
                    80:1f:02:a1:e6:7e:9c:54:ff:f6:ba:a9:55:4e:c0:
                    c4:4c:71:91:32:cd:e0:a9:47:c6:88:ae:13:9f:6f:
                    7a:54:ee:1f:4a:82:cb:d4:b4:08:b5:44:18:e7:98:
                    b4:b8:8a:1f:76:56:5d:93:b8:fc:dc:61:40:66:6b:
                    d3:46:17:b5:cf:60:21:7f:b0:82:34:3c:d6:a3:17:
                    78:a6:75:0b:03:0d:cf:7f:df:8b:9e:05:40:cf:03:
                    22:f8:86:46:c9:82:d4:91:f3:26:7e:c9:b7:8d:a2:
                    f6:35:15:ef:0c:d3:52:55:96:e4:f7:71:72:12:a8:
                    c0:76:db:bc:4d:89:9f:46:99:6b:07:84:2e:2d:b2:
                    da:57:1f:36:8e:d5:27:f5:ea:d9:0e:d7:c6:98:91:
                    82:16:cb:e9:c1:f3:6e:27:de:9a:91:0d:b5:84:97:
                    6a:43:c3:84:e0:9b:b2:1a:2f:bd:d9:58:b4:0d:c6:
                    52:e1:30:ec:df:dd:88:d7:58:cb:69:ec:e6:22:c5:
                    92:b4:a3:e8:f9:73:c4:87:b2:e8:3c:e1:5c:b3:40:
                    b8:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, 1.3.6.1.5.2.3.5
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                66:59:08:5F:BB:10:A2:E1:E1:57:44:4F:4D:54:20:3E:5A:41:84:E6
            1.3.6.1.4.1.311.20.2: 
                .".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
    Signature Algorithm: sha256WithRSAEncryption
         00:0f:98:62:de:ad:cd:61:d1:ab:89:ce:10:33:eb:a2:7b:d1:
         55:c5:ec:2e:25:f0:09:72:08:ef:cb:b0:17:9e:06:fa:df:84:
         a6:42:5b:86:32:38:35:b1:25:8f:6e:39:eb:12:fc:2a:1f:1d:
         39:eb:2f:01:19:a8:c6:d6:12:35:6c:2a:ae:7c:3e:86:16:41:
         d5:a5:f0:50:ac:90:67:6e:5b:7d:41:6a:7f:f2:74:49:38:36:
         d3:c0:57:a0:8c:4a:40:97:eb:0b:6e:d4:9a:ee:b3:30:f4:8b:
         60:0a:32:8e:22:9b:39:0c:d3:67:71:71:30:da:82:d9:41:71:
         e2:83:f3:6a:75:b2:d7:62:a7:14:6e:a7:23:19:c1:05:c0:f0:
         cc:db:ea:93:32:cc:a5:c5:4a:b8:00:51:27:7a:94:62:e3:41:
         43:58:45:8c:99:25:e2:e7:e5:97:13:fa:fc:04:8b:97:75:f9:
         b2:25:a8:e8:e8:e1:77:da:c1:3d:c2:e3:3c:5d:6b:b8:38:f9:
         ac:dc:b1:68:fe:70:9f:6f:a0:54:67:0c:80:c2:da:21:40:b5:
         94:ea:9f:cf:4e:bd:df:ad:c6:b7:38:5f:2d:1e:a7:43:ed:ee:
         bb:3a:52:a3:ed:a9:8a:c9:64:80:12:8a:ff:86:69:9a:19:2e:
         80:1e:b4:e9

Hope this helps!

Regards,
 

Low volume on Asus ROG Laptop

Low volume on your laptop?  Even when set to the maximum it's still very low?  Ensure the Loudness Equalization is checked off in Realtek HD Audio Manager.  

 

https://i0.wp.com/www.microdevsys.com/WordPressImages/Realtek-HD-Audio-Manager.png?ssl=1

Decommission or recommission a host using Cloudera 6.X API calls: /api/v3/cm/commands/hostsOfflineOrDecommission

Need to decommission a host?  Just call this:

curl -u admin:pAsS --insecure -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"items":["cm-r01wn02.mws.mds.xyz"]}'    'https://cm-c01.mws.mds.xyz:7183/api/v3/cm/commands/hostsOfflineOrDecommission'
{
  "id" : 17256,
  "name" : "HostsDecommission",
  "startTime" : "2021-01-05T02:49:37.220Z",
  "active" : true,
  "children" : {
    "items" : [ ]
  }
}

Need to recommission a host?  Just call this (note the double m in the endpoint name, matching hostsDecommission):

curl -u admin:pAsS --insecure -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"items":["cm-r01wn02.mws.mds.xyz"]}'    'https://cm-c01.mws.mds.xyz:7183/api/v33/cm/commands/hostsRecommission'

Two things to change before using these outside a lab: --insecure disables certificate verification on the TLS port, so point curl at the CA with --cacert instead; and -u admin:pAsS puts the admin password into the process list and the shell history, so use -u admin (curl prompts for the password) or a ~/.netrc entry.

How this maps to the ApiHostNameList specification: https://archive.cloudera.com/cm6/6.2.0/generic/jar/cm_api/apidocs/json_ApiHostNameList.html

Cheers,

REF: https://archive.cloudera.com/cm6/6.3.0/generic/jar/cm_api/swagger-html-sdk-docs/java/docs/ClouderaManagerResourceApi.html#hostsDecommissionCommand
REF: https://cm-c01.mws.mds.xyz:7183/static/apidocs/ui/index.html#!/ClouderaManagerResource/hostsDecommissionCommand
 

WrongHost: Peer certificate subjectAltName does not match host, expected 1.2.3.4, got DNS: host1.domain, DNS: host2.domain, DNS: host3.domain

Another form of this error is when the client validated the certificate against an IP address rather than a hostname. The "expected" value is the reference identity the client used; an IP literal can only be matched by an iPAddress entry in the subjectAltName, and this certificate carries only DNS names, so validation fails no matter how correct DNS is:

WrongHost: Peer certificate subjectAltName does not match host, expected 1.2.3.4, got DNS:srv-c01.earth.water.fire, DNS:cm-r01nn01.earth.water.fire, DNS:cm-r01nn02.earth.water.fire
[02/Jan/2021 03:15:59 +0000] 32309 Thread-13 downloader   ERROR    Failed fetching torrent: Peer certificate subjectAltName does not match host, expected 1.2.3.4, got DNS:srv-c01.earth.water.fire, DNS:cm-r01nn01.earth.water.fire, DNS:cm-r01nn02.earth.water.fire
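The matching rule behind that message, as an added example (not Cloudera's code; the SAN list is reconstructed from the error text and the rules follow RFC 6125 in spirit): a reference identity that parses as an IP address is compared only with iPAddress SAN entries, a DNS name only with dNSName entries, so an IP can never match a certificate that has only DNS names.

```python
"""Reference-identity check: IP literals match only iPAddress SANs, DNS names only
dNSName SANs (wildcard allowed only as the whole left-most label). Added example,
not part of the original post; SAN_FROM_ERROR is constructed from the error text."""
import ipaddress

SAN_FROM_ERROR = [
    ("DNS", "srv-c01.earth.water.fire"),
    ("DNS", "cm-r01nn01.earth.water.fire"),
    ("DNS", "cm-r01nn02.earth.water.fire"),
]


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only replace the entire left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    # wildcard must be the whole first label, same label count, and at least two labels under it
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def reference_matches(reference, san_entries):
    """Return (matched, reason) for a reference identity against a list of (type, value) SANs."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        ips = [v for t, v in san_entries if t == "IP"]
        if any(ipaddress.ip_address(v) == ref_ip for v in ips):
            return True, "iPAddress SAN matched %s" % reference
        dns_count = sum(1 for t, _ in san_entries if t == "DNS")
        return False, ("reference %s is an IP literal but the certificate has no iPAddress "
                       "SAN; its %d dNSName entries cannot match it" % (reference, dns_count))
    for t, v in san_entries:
        if t == "DNS" and _dns_match(v, reference):
            return True, "dNSName SAN matched %s" % v
    return False, "no dNSName SAN matched %s" % reference


if __name__ == "__main__":
    for ref in ("1.2.3.4", "cm-r01nn01.earth.water.fire", "CM-R01NN01.earth.water.fire."):
        print(ref, "->", reference_matches(ref, SAN_FROM_ERROR))
```

The fix on the certificate side is to issue the CM certificate with the VIP's hostname (and, if clients will ever connect by address, an iPAddress SAN); the fix on the client side is to make sure it connects by name.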

In our software stack, Cloudera Manager is sitting behind an HAproxy / Keepalived VIP:

Cloudera CM <- HAproxy <- Keepalived <- Cloudera Node

In this case the error was seen on the Cloudera node.  So what could be the issue?

Forward and reverse lookups for the VIP produced the expected results:

# dig -x 1.2.3.4
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 86400  IN      PTR     cm-r01nn01.earth.water.fire.


# dig cm-r01nn01.earth.water.fire
;; QUESTION SECTION:
;cm-r01nn01.earth.water.fire.                IN      A

;; ANSWER SECTION:
cm-r01nn01.earth.water.fire. 1200    IN      A       1.2.3.4


# nslookup 1.2.3.4
Server:         192.168.0.100
Address:        192.168.0.100#53

4.3.2.1.in-addr.arpa name = cm-r01nn01.earth.water.fire.


# nslookup cm-r01nn01
Server:         192.168.0.100
Address:        192.168.0.100#53

Name:   cm-r01nn01.earth.water.fire
Address: 1.2.3.4

Troubleshooting revealed that pointing the node directly at the Cloudera CM server, bypassing the HAProxy and Keepalived VIP, worked fine. Further investigation showed that SELinux was blocking HAProxy and Keepalived (auditd only records the denials):

type=AVC msg=audit(1609572407.005:1253694): avc:  denied  { name_bind } for  pid=3533 comm="haproxy" src=8084 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:luci_port_t:s0 tclass=tcp_socket  

Running the following several times generated a policy module that allowed the communication:

grep AVC /var/log/audit/audit.log* >> /var/log/audit/audit-denied.log; cat /var/log/audit/audit-denied.log | audit2allow -M systemd-allow;semodule -i systemd-allow.pp
systemctl restart haproxy keepalived

Be aware that this feeds every AVC ever logged on the host into one module, so read the generated systemd-allow.te before loading it: it will also allow whatever else happened to be denied over the lifetime of those logs. For the denial shown above, the narrower fix is to relabel the port HAProxy binds (8084 is luci_port_t by default) to a port type haproxy_t is allowed to bind, e.g. semanage port -m -t http_port_t -p tcp 8084, and for outbound connections to the backends setsebool -P haproxy_connect_any 1.

Initially this did not appear to fully resolve the issue. A full restart of the Cloudera SCM server did, which suggests the problem was made up of two issues. Traffic to and from the CM server was easy to analyse with tcpdump, confirming that no traffic was being received, or no valid replies were being sent, by the Cloudera SCM server. How the agent picks the hostname it validates against is not known without diving into the Java source, but whatever the logic, the lookup evidently produced no result and the agent fell back to the IP, which the DNS-only subjectAltName can never match.
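The following is an added example, not part of the original post, of the "read the denials before loading a module" step: it parses AVC records into their fields and, for the haproxy port denial, proposes the targeted port relabel instead of a blanket module. The first sample record is the one quoted above; the second is constructed to show an outbound (name_connect) denial. The choice of http_port_t and the haproxy_connect_any boolean are assumptions about the stock haproxy policy.

```python
"""Parse SELinux AVC denial records and map TCP port denials for haproxy to a
targeted remediation. Added example, not from the post. SAMPLE_AUDIT line 1 is
the denial quoted above; the name_connect record is constructed."""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT = """type=AVC msg=audit(1609572407.005:1253694): avc:  denied  { name_bind } for  pid=3533 comm="haproxy" src=8084 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:luci_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1609572407.005:1253694): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1609572410.001:1253700): avc:  denied  { name_connect } for  pid=3533 comm="haproxy" dest=7183 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""


def parse_avc(line):
    """Return a dict (perms list, comm, src/dest port, source/target types, ...) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # a context is user:role:type:level; the type is what policy rules are written against
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials(text):
    """All AVC denial records in an audit.log excerpt, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def suggested_fix(rec, bindable_port_type="http_port_t"):
    """Targeted remediation for a TCP port denial, or None when none applies.
    Assumption: haproxy_t may bind http_port_t in the stock policy, so relabelling
    the port is narrower than a generated allow rule against luci_port_t."""
    if rec.get("tclass") != "tcp_socket":
        return None
    if "name_bind" in rec["perms"]:
        # -m modifies a port that already has a label (8084 is luci_port_t); -a would fail
        return "semanage port -m -t %s -p tcp %s" % (bindable_port_type, rec["src"])
    if "name_connect" in rec["perms"] and rec["stype"] == "haproxy_t":
        # outbound connects from haproxy to arbitrary backend ports have a stock boolean
        return "setsebool -P haproxy_connect_any 1"
    return None


if __name__ == "__main__":
    for r in denials(SAMPLE_AUDIT):
        print(r["comm"], r["perms"], r["stype"], "->", r["ttype"], "|", suggested_fix(r))
```

Feed it the output of grep AVC /var/log/audit/audit.log* and compare the proposals with the rules audit2allow would have generated; anything the parser cannot map to a port type or boolean is a candidate for a reviewed, minimal custom module rather than a bulk one.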

Regards,

Fixing FreeIPA Replication Issues

Case example of an HBAC service entry whose replication conflict leaves the directory inconsistent across the master-master FreeIPA deployment. The cipa script (from checkipaconsistency) reports it as an LDAP conflict:

# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.m
 ds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
ipaUniqueID: 22f40934-9d7c-11ea-b5a6-00505686b78e
description: pam_systemd and systemd user@.service
cn: systemd-user
objectClass: ipaobject
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

 

Before deleting anything, confirm which entry is the real one: the conflict entry is the one carrying nsuniqueid=... in its RDN, and the DN named in nsds5ReplConflict should still exist as a normal entry (a base-scope ldapsearch on that DN is enough). Also note that this ldapdelete does a simple bind as Directory Manager on port 389, so add -ZZ (STARTTLS) or use an ldaps:// URI unless you are happy with that password crossing the wire in clear:

# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
$ echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 1          | 1          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
#

 

The second conflict, a managed permission entry, is handled the same way:

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz

ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
# echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 0          | 0          | OK    |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+

 
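A parser for the conflict search output above, as an added example (not part of the original post and not from the cipa tool): it unfolds LDIF continuation lines, pairs each conflict entry with the DN it collided with, and emits the check-then-delete commands to review. The LDIF is the systemd-user entry from above, shortened, with line folding as ldapsearch prints it; the host name is the one used in the post.

```python
"""Extract 389-ds replication conflict entries from ldapsearch LDIF output and
produce the verification and cleanup commands. Added example, not from the post.
SAMPLE_LDIF is a shortened copy of the conflict entry shown above."""
import re

SAMPLE_LDIF = """# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
#

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.m
 ds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservi
 ces,cn=hbac,dc=mws,dc=mds,dc=xyz
ipaUniqueID: 22f40934-9d7c-11ea-b5a6-00505686b78e
cn: systemd-user
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

CONFLICT_RE = re.compile(r"(\w+) \((\w+)\) (.+)")  # e.g. "namingConflict (ADD) cn=...,dc=xyz"


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Yield one dict of attribute -> [values] per entry; comment lines are skipped."""
    entry = {}
    for line in unfold_ldif(text):
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    if entry:
        yield entry


def conflicts(text):
    """Return [(losing_dn, winning_dn, (kind, op))] for entries carrying nsds5ReplConflict."""
    out = []
    for e in parse_entries(text):
        for marker in e.get("nsds5ReplConflict", []):
            m = CONFLICT_RE.match(marker)
            if m and "dn" in e:
                out.append((e["dn"][0], m.group(3), (m.group(1), m.group(2))))
    return out


def review_commands(text, host):
    """For each conflict: first confirm the winning DN still exists, then delete the loser.
    Both bind as Directory Manager over STARTTLS (-ZZ) rather than plain port 389."""
    cmds = []
    for loser, winner, _ in conflicts(text):
        cmds.append('ldapsearch -ZZ -H ldap://%s -D "cn=Directory Manager" -W -s base -b "%s" dn'
                    % (host, winner))
        cmds.append('ldapdelete -ZZ -H ldap://%s -D "cn=Directory Manager" -W "%s"' % (host, loser))
    return cmds


if __name__ == "__main__":
    for cmd in review_commands(SAMPLE_LDIF, "idmipa04.mws.mds.xyz"):
        print(cmd)
```

Run the ldapsearch it prints first; only when the winning DN comes back as a normal entry is the nsuniqueid entry safe to delete, and cipa should then report one conflict fewer on both replicas.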

Regards,

Fixing a broken AD trust on a FreeIPA replica in a Master-Master configuration.

Investigation, using the cipa script (from checkipaconsistency):

./cipa --debug -d sub.domain.com -W "<PASSWORD>"

+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 91         | 91         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | False      | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
2021-01-29 11:22:33 [main] DEBUG Finishing…

 

A symptom of this issue is the inability to lookup AD users:

# id sam@domain.com
id: sam@domain.com: no such user

Investigating further:

ipa server-role-find --role "AD trust controller" --status "absent"
———————
1 server role matched
———————
  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
—————————-
Number of entries returned 1
—————————-

 

ipa server-role-find --server idmipa04.sub.domain.com
———————-
6 server roles matched
———————-
  Server name: idmipa04.sub.domain.com
  Role name: CA server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: DNS server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: NTP server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: AD trust agent
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: KRA server
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
—————————-
Number of entries returned 6
—————————-

 

cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

 

Error message on idmipa04 when fetching domains:

IPA Error 4001: NotFound

Cannot perform the selected command without Samba 4 instance configured on this machine. Make sure you have run ipa-adtrust-install on this server. Alternatively, following servers are capable of running this command: idmipa03.sub.domain.com

The smb.conf shown above is the stock Samba package configuration, so the one written by the IPA installer was replaced at some point (a Samba package reinstall is one way that happens). On a working node, the Samba configuration looks like this:

# cat /etc/samba/smb.conf
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry

Resolution.  Take a snapshot of the VM prior to doing anything.  Next, run the following:

# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: y


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
Samba domain object already exists
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [12/25]: adding RID bases
RID bases already set, nothing to do
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [20/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [21/25]: adding fallback group
Fallback group already set, nothing to do
  [22/25]: adding Default Trust View
Default Trust View already exists.
  [23/25]: setting SELinux booleans
  [24/25]: starting CIFS services
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

Restart FreeIPA services (optional):

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Verify once more:

# ./cipa -d sub.domain.com -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+

Checking on an AD ID now works:

# id sam@domain.com

Regards,

init_smb_request: invalid wct number 255 (size 248)

Getting this SMB error?

init_smb_request: invalid wct number 255 (size 248)

Solve it by capping the negotiated protocol in smb.conf on the server (max protocol is the older spelling of server max protocol) and restarting smbd:

# grep -Ei "max protocol" /etc/samba/smb.conf; cat messages|grep -Ei smb|grep 255|tail
        max protocol = SMB2

If the goal is also to stop clients from negotiating SMB1, set server min protocol = SMB2 as well; a maximum on its own still allows the old dialect.

Cheers,


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License