

Fixing FreeIPA Replication Issues

Case one: an HBAC service entry that is not consistent across the master-master FreeIPA deployment. The cipa health check flags the LDAP conflicts, ldapsearch lists the conflict entries (the duplicate carries an nsuniqueid= component in its RDN plus an nsds5ReplConflict attribute naming the DN it collided with), and ldapdelete removes the duplicate:

# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, mws.m
 ds.xyz
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz
ipaUniqueID: 22f40934-9d7c-11ea-b5a6-00505686b78e
description: pam_systemd and systemd user@.service
cn: systemd-user
objectClass: ipaobject
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservices,cn=hbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
$ echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 1          | 1          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+

Case two, the conflicting permission entry, is resolved the same way as the first:

# ldapsearch -D "cn=Directory Manager" -W -b "dc=mws,dc=mds,dc=xyz" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mws,dc=mds,dc=xyz> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: * nsds5ReplConflict
#

# System: Read Radius Servers + 4b428601-8c7311ea-a731aa32-03d9775b, permission
 s, pbac, mws.mds.xyz
dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz
ipaPermLocation: cn=radiusproxy,dc=mws,dc=mds,dc=xyz
ipaPermDefaultAttr: ipatokenradiusserver
ipaPermDefaultAttr: description
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: ipatokenusermapattribute
ipaPermDefaultAttr: ipatokenradiusretries
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: ipatokenradiustimeout
member: cn=User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xyz
member: cn=Stage User Administrators,cn=privileges,cn=pbac,dc=mws,dc=mds,dc=xy
 z
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: ldapsubentry
cn: System: Read Radius Servers
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermBindRuleType: permission
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipatokenradiusconfiguration)
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=mws,dc=mds,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldapdelete -D "cn=Directory Manager" -W -p 389 -h idmipa04.mws.mds.xyz -x "cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d9775b,cn=permissions,cn=pbac,dc=mws,dc=mds,dc=xyz"
Enter LDAP Password:
# echo $?
0
# ./cipa -d mws.mds.xyz -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 0          | 0          | OK    |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
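
Both cases above follow the same pattern: find the entries carrying nsds5ReplConflict, confirm that each conflict DN (the copy with the +nsuniqueid= RDN component) really is a duplicate of the DN named in that attribute, and only then delete the duplicate. The script below is an added example, not code from the post. It parses ldapsearch-style LDIF (folded continuation lines, comment lines, base64 values) from a constructed sample embedded inline, reports every conflict together with the DN it collided with, checks that stripping the nsuniqueid component gives back exactly that DN before anything is proposed for deletion, and builds the ldapdelete command line from the post rather than running it. The host name idmipa04.example.test, the dc=example,dc=test suffix and all function names are assumptions.

```python
"""Find 389-ds / FreeIPA replication-conflict entries in ldapsearch LDIF output.

Added example for the two conflict cases above; not code from the post.
"""
import base64
import re
import shlex
import sys
from typing import Dict, List

# Constructed sample in the shape ldapsearch prints (folded lines, comments);
# not captured from a real server. The suffix dc=example,dc=test is assumed.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=test> with scope subtree
#

# systemd-user + 1e6a2603-9d7c11ea-b83daa32-03d9775b, hbacservices, hbac, example
 .test
dn: cn=systemd-user+nsuniqueid=1e6a2603-9d7c11ea-b83daa32-03d9775b,cn=hbacservic
 es,cn=hbac,dc=example,dc=test
cn: systemd-user
objectClass: ipahbacservice
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=systemd-user,cn=hbacservices,cn=hba
 c,dc=example,dc=test

dn: cn=System: Read Radius Servers+nsuniqueid=4b428601-8c7311ea-a731aa32-03d97
 75b,cn=permissions,cn=pbac,dc=example,dc=test
cn: System: Read Radius Servers
objectClass: ipapermissionv2
objectClass: ldapsubentry
nsds5ReplConflict: namingConflict (ADD) cn=system: read radius servers,cn=perm
 issions,cn=pbac,dc=example,dc=test

dn: cn=sshd,cn=hbacservices,cn=hbac,dc=example,dc=test
cn: sshd
objectClass: ipahbacservice

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
CONFLICT_RE = re.compile(r"namingConflict(?:\s*\([A-Z]+\))?\s+(?P<dn>.+)$", re.IGNORECASE)
NSUNIQUEID_RE = re.compile(r"\+nsuniqueid=([0-9a-f-]+)", re.IGNORECASE)


def unfold_ldif(text: str) -> List[str]:
    """Return logical LDIF lines: a line starting with one space continues the
    previous line; '#' comments (including their own continuations) are dropped."""
    logical: List[str] = []
    skipping = False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not skipping and logical:
                logical[-1] += raw[1:]
            continue
        skipping = raw.startswith("#")
        if not skipping:
            logical.append(raw)
    return logical


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into blank-line separated entries. Attribute names are
    lower-cased, values kept as lists (LDAP attributes are multi-valued) and
    '::' values base64-decoded. Only records that carry a dn are returned."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    return entries


def find_conflicts(text: str) -> List[Dict[str, object]]:
    """One record per entry carrying nsds5ReplConflict: the conflict entry's DN
    (the copy with the +nsuniqueid= RDN component), the DN it collided with, the
    nsuniqueid, and whether removing that component yields exactly the collided
    DN. rdn_matches False means the entry needs a look by hand, not a delete."""
    records: List[Dict[str, object]] = []
    for entry in parse_ldif(text):
        if "nsds5replconflict" not in entry:
            continue
        dn = entry["dn"][0]
        m = CONFLICT_RE.search(entry["nsds5replconflict"][0])
        original = m.group("dn").strip() if m else None
        u = NSUNIQUEID_RE.search(dn)
        uid = u.group(1) if u else None
        matches = (
            original is not None and uid is not None
            and dn.lower().replace("+nsuniqueid=" + uid.lower(), "", 1) == original.lower()
        )
        records.append({"conflict_dn": dn, "original_dn": original,
                        "nsuniqueid": uid, "rdn_matches": matches})
    return records


def ldapdelete_argv(record: Dict[str, object], host: str,
                    bind_dn: str = "cn=Directory Manager") -> List[str]:
    """Build, but do not run, the ldapdelete call used in the post for one
    conflict entry. -W prompts for the password, so no secret sits in argv."""
    return ["ldapdelete", "-x", "-D", bind_dn, "-W", "-h", host, "-p", "389",
            str(record["conflict_dn"])]


if __name__ == "__main__":
    # Pipe real ldapsearch output in; with no piped input the sample is used.
    piped = sys.stdin.read() if not sys.stdin.isatty() else ""
    for rec in find_conflicts(piped or SAMPLE_LDIF):
        verdict = "duplicate confirmed" if rec["rdn_matches"] else "RDN MISMATCH, inspect by hand"
        print(f"{rec['conflict_dn']}\n  collides with: {rec['original_dn']}\n  {verdict}")
        print("  " + shlex.join(ldapdelete_argv(rec, "idmipa04.example.test")))  # host assumed
```

Run it against a live directory by piping the same ldapsearch query the post uses into the script; it prints one ldapdelete line per confirmed duplicate for review, and deliberately leaves the actual deletion (and the follow-up cipa check) to the operator.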


Regards,

Fixing a broken AD trust on a FreeIPA replica in a Master-Master configuration. 

Investigation:

./cipa --debug -d sub.domain.com -W "<PASSWORD>"

+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 91         | 91         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | False      | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
2021-01-29 11:22:33 [main] DEBUG Finishing…


A symptom of this issue is the inability to look up AD users on the affected replica:

# id sam@domain.com
id: sam@domain.com: no such user

Investigating further:

ipa server-role-find --role "AD trust controller" --status "absent"
---------------------
1 server role matched
---------------------
  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
----------------------------
Number of entries returned 1
----------------------------


ipa server-role-find --server idmipa04.sub.domain.com
----------------------
6 server roles matched
----------------------
  Server name: idmipa04.sub.domain.com
  Role name: CA server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: DNS server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: NTP server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: AD trust agent
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: KRA server
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
----------------------------
Number of entries returned 6
----------------------------


The broken replica still carries the stock Samba configuration instead of the one ipa-adtrust-install writes:

cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775


Error message on idmipa04 when fetching trust domains:

IPA Error 4001: NotFound

Cannot perform the selected command without Samba 4 instance configured on this machine. Make sure you have run ipa-adtrust-install on this server. Alternatively, following servers are capable of running this command: idmipa03.sub.domain.com

On a working node, the Samba configuration looks like this:

# cat /etc/samba/smb.conf
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry

Resolution: take a snapshot of the VM before doing anything. Then run the following on the broken replica (the installer detects the objects the working replica already created and leaves them alone):

# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: y


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
Samba domain object already exists
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [12/25]: adding RID bases
RID bases already set, nothing to do
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [20/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [21/25]: adding fallback group
Fallback group already set, nothing to do
  [22/25]: adding Default Trust View
Default Trust View already exists.
  [23/25]: setting SELinux booleans
  [24/25]: starting CIFS services
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

Restart FreeIPA services (optional):

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Verify once more:

# ./cipa -d sub.domain.com -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+

Checking on an AD ID now works:

# id sam@domain.com

Regards,

init_smb_request: invalid wct number 255 (size 248)

Getting this SMB error?

init_smb_request: invalid wct number 255 (size 248)

Solve it by setting this parameter in the [global] section of smb.conf on the server, which caps the negotiated dialect at SMB2:

# grep -Ei "max protocol" /etc/samba/smb.conf; cat messages|grep -Ei smb|grep 255|tail
        max protocol = SMB2

Cheers,

Kerberos authentication failed: kinit: Cannot read password while getting initial credentials

Sometimes, for messages like this:

Kerberos authentication failed: kinit: Cannot read password while getting initial credentials

There is a simple solution. Reset the user's password, because it has probably expired, or the account was just created and no password has been set on it yet. In our case, running the following FreeIPA command produced the above error:

ipa-client-install --force-join -p autojoin -w "SecretPass" --fixed-primary --server=$IPA01.$NDOMAIN --server=$IPA02.$NDOMAIN --domain=$NDOMAIN --realm=$UNDOMAIN -U

Cheers,
TK

User is not authorized to read Azure subscriptions. Permission elevation is required to proceed.

Getting this while trying to delete Azure Active Directory Tenants?

{"errorCode":"PermissionsElevationRequiredToReadSubscriptions","localizedErrorDetails":{"permissionsElevationRequiredToReadSubscriptions":"User is not authorized to read Azure subscriptions. Permission elevation is required to proceed."},"operationResults":null,"timeStampUtc":"2020-11-23T02:38:42.————-","clientRequestId":"—————","internalTransactionId":"——————–","tenantId":"——————–","userObjectId":"—————————","exceptionType":"UnauthorizedAccessException"}

Switch directories to another one. From there, click on Overview of this Active Directory, then click on Switch Tenant, and delete the tenant from there. Deleting a tenant while it is the selected one won't work. Once you have done this, refresh the pages; the tenant should now be gone.

Cheers,
BV

C:\Program Files\WindowsApps\Microsoft.Darwin_100.1.38862.0_x64__8weekyb3d8bbwe\InputSystem_w32.dll is either not designed to run on Windows or it contains an error.

Receiving the following when trying to start Age of Empires: Definitive Edition?

C:\Program Files\WindowsApps\Microsoft.Darwin_100.1.38862.0_x64__8weekyb3d8bbwe\InputSystem_w32.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000022.


OpenWRT: Microsoft Azure to Cloudera CDH via VPN Gateway

In this post, we'll show you how to create and connect your local home network to the Azure virtual network. We'll take this a step further by connecting the Microsoft Azure VM instances to an on-premises Cloudera CDH cluster. Together, the on-prem cluster will be extended with compute capacity from Azure while the workloads are running. Once the workloads are done, the extra compute can be turned off or destroyed on the Azure side. This provides some cost savings while also reducing the overall IaaS and PaaS costs normally associated with on-prem infrastructure. The steps below are essentially a learning LAB or POC type of setup. This is not meant for a PROD type of setup; for PROD, ExpressRoute or a higher-end configuration will be needed, or an entirely cloud-based solution would take the place of this setup.


Asus Merlin Firmware: Wrong date shows set to Sat May  5 01:07:40 DST 2018

Do you end up with the wrong date when using Asus or Asus Merlin software?

admin@ASUS-MERLIN-INTERNET:/tmp/home/root# date
Sat May  5 01:07:40 DST 2018
admin@ASUS-MERLIN-INTERNET:/tmp/home/root#

It is not yet clear what is really causing this, but a temporary workaround using the Asus Merlin startup scripts is shown below:

admin@ASUS-MERLIN-INTERNET:/tmp/home/root# cat /jffs/scripts/init-start
#!/bin/sh

# Pull the NTP servers configured in the router UI out of nvram.
NTP0=$(nvram show 2>/dev/null | awk -F'=' '/ntp_server0/{ print $2 }')
NTP1=$(nvram show 2>/dev/null | awk -F'=' '/ntp_server1/{ print $2 }')
# Count running ntpd_synced helpers; the [s] keeps grep from matching itself.
PSV=$(ps | grep -Ei "ntpd_[s]ynced" | wc -l)

echo "Using the following NTP servers: NTP0 ($NTP0) and NTP1 ($NTP1).  Number of running NTP servers right now is $PSV"

# POSIX test (busybox sh): both servers set and no ntpd already running.
if [ -n "$NTP0" ] && [ -n "$NTP1" ] && [ "$PSV" -eq 0 ]; then
        /usr/sbin/ntp -d -n -t -S /sbin/ntpd_synced -p "$NTP0" -p "$NTP1" &
        # $? of a backgrounded job is only its launch status, so check that
        # the process is still alive a moment later.
        sleep 1
        if kill -0 $! 2>/dev/null; then
                echo "SUCCESS: Started the NTPD server."
        else
                echo "FAILED to start the NTPD server.  Process exited right after launch."
        fi
else
        echo "ERROR:  Either NTP0($NTP0) or NTP1($NTP1) was empty.  Or NTPD was already started.  No action taken."
fi
admin@ASUS-MERLIN-INTERNET:/tmp/home/root# ls -altri /jffs/scripts/init-start
   9640 -rwxr-x---    1 admin    root           716 Oct 17 18:50 /jffs/scripts/init-start
admin@ASUS-MERLIN-INTERNET:/tmp/home/root#

It uses the nvram variables to retrieve your configured NTP servers, so the script does not need the server names hard-coded.

Hope this helps!

Thx,

iPhone Bricked: Update or Recovery

Had the misfortune of doing the Apple equivalent of bricking my iPhone while doing an iOS update. Why did I do an iOS update? Well, here's how I did this without any data loss.


Lost Thunderbird Settings and Folders

Lost Thunderbird settings and folders? All settings in our Thunderbird were reset after a string of events including a recent upgrade and some random reboots from apparent hardware issues. Irrespective of the cause, file corruption occurred.



  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License