abbra / freeipa

This project forked from freeipa/freeipa


Mirror of FreeIPA, an integrated security information management solution

Home Page: http://www.freeipa.org

License: GNU General Public License v3.0

Makefile 0.36% M4 0.23% C 10.85% Shell 0.27% Python 75.46% HTML 0.19% JavaScript 11.10% CSS 0.10% Roff 1.09% Augeas 0.01% sed 0.01% Less 0.34%

freeipa's People

Contributors: abbra, antoniotorresm, edewata, encukou, fcami, flo-renaud, frasertweedale, infraredgirl, jhrozek, martinbasti, menonsudhir, mirielka, mkosek, mrizwan93, netoarmando, npmccallum, pspacek, pvoborni, rcritten, rezney, serg-cymbaluk, simo5, sorlov-rh, stanislavlevin, stlaz, sumit-bose, t-woerner, tbabej, tiran, tjaalton


Forkers

grignix

freeipa's Issues

gc-wip trying to reproduce demos from samba XP

I am trying to reproduce the super cool demos you showed at samba XP described here (https://sambaxp.org/archive-data-samba/sxp20/sxp20-d2/sxp20-d2t2-1-bokovoy-blancrenaud-FreeIPA-Catalog.pdf)

but when I try to add a user from IPA to the Remote Desktop Users group I always get

image

This is when I try to add the user to the group via the AD Administrative Center.

If I try to add the IPA user via System Properties / Remote, I get

image

I would love to see this function properly; let me know if I can help you debug this or provide more info if needed.

The trust is set up and verified, and I am able to log in to Windows via local login.

The global catalog was installed as part of the ipa trust-add command.

Thanks

gc-wip: GC can not contain records for two users with same first and last names

I can create two users in IPA with the same names:

ipa user-add user1 --first Test --last User
ipa user-add user2 --first Test --last User

It is totally fine for people to have the same names.

But the GC instance will contain a record only for the first one. In globalcatalog.log there is an error:

2020-10-14T09:27:53Z    33784   MainThread      ipaserver.globalcatalog.gcsyncer        ERROR   Entry CN=Test User,CN=Users,dc=testrelm,dc=test already exists

gc-wip: windows can not obtain FQDN for IPA user

I have logged in as IPA user at Windows AD client machine.
When I execute whoami /upn I get expected result: [email protected].
But when I run whoami /fqdn I get the error:

ERROR: Unable to get Fully Qualified Distinguished Name (FQDN) as the current
       logged-on user is not a domain user.

For reference: same command output for AD user:

whoami /fqdn
CN=testuser,CN=Users,DC=ad,DC=test

gc-wip: Can not login to Windows from Linux via winrm with login+password

Setup on Windows machine:

net localgroup Administrators "TESTRELM.TEST\logintest" /add

Testing on linux machine:

import winrm
session = winrm.Session(ad_client_hostname, ('TESTRELM.TEST\\logintest', 'Secret123'), transport='ntlm')
session.run_cmd('whoami')

This raises exception:

winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server

All other variants of username also fail: upn/down-level, lowercase/uppercase, full/abbreviated domain name.
I guess the problem is that ntlm is used which is not supported in Fedora/RHEL.

gc-wip: sync daemon does not write cookie to file

After ipactl restart, ipa-gcsyncd starts the "initial sync" again.

Version: 4.9.0.dev202010011457+git-0.fc32

Steps to reproduce:
After ipa-server-install:

# ipa-adtrust-install -U -a Secret123 --add-sids
...
Configuring Global Catalog synchronization service (ipa-gcsyncd)
  [1/2]: configuring ipa-gcsyncd to start on boot
  [2/2]: start ipa-gcsyncd
Done configuring Global Catalog synchronization service (ipa-gcsyncd).
...

# cat /var/lib/ipa/gc_cookie
cat: /var/lib/ipa/gc_cookie: No such file or directory

# ipactl restart
...
Restarting globalcatalog Service
Restarting ipa-gcsyncd Service
ipa: INFO: The ipactl command was successful

# cat /var/lib/ipa/gc_cookie
cat: /var/lib/ipa/gc_cookie: No such file or directory

# cat /var/log/ipa/globalcatalog.log 
2020-10-08T14:20:04Z	35137	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-08T14:20:04Z	35137	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-08T14:20:05Z	35137	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC
2020-10-08T14:26:41Z	35137	MainThread	ipa-gcsyncd	ERROR	syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
2020-10-08T14:27:22Z	35960	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-08T14:27:22Z	35960	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-08T14:27:22Z	35960	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC

wrong logic in _get_objectclass?

The _get_object_class method has this docstring:

        """Get object class.

        Given the set of attributes, find the principal object class.
        The attrs may contain for instance: top, groupofnames, nestedgroup,
        ipausergroup, ... In this case the most relevant objectclass is
        groupofnames.
        For a user, the attrs may contain top, person. organizationalperson,
        inetorgperson, inetuser, posixaccount, ... and the most relevant
        objectclass is person.
        """

I think this is logically wrong -- Samba expects that a group object can have a displayName attribute, which is part of the inetorgperson object class, and if I add it, the error below is triggered:

Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: ipa: INFO: LDAP bind...
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: ipa: INFO: Commencing sync process
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: Traceback (most recent call last):
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/libexec/ipa/gc/ipa-gcsyncd", line 111, in <module>
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     while sync_conn.syncrepl_poll(all=1, msgid=ldap_search):
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/lib64/python3.8/site-packages/ldap/syncrepl.py", line 435, in syncrepl_poll
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     self.syncrepl_entry(dn, attrs, c.entryUUID)
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/lib/python3.8/site-packages/ipaserver/globalcatalog/gcsyncer.py", line 257, in syncrepl_entry
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     objclass = self._get_objclass(attributes)
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:   File "/usr/lib/python3.8/site-packages/ipaserver/globalcatalog/gcsyncer.py", line 217, in _get_objclass
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]:     assert len(present_objclasses) == 1, attrs[OBJCLASS_ATTR]
Oct 13 12:51:38 master.ipa.test ipa-gcsyncd[99540]: AssertionError: [b'top', b'groupofnames', b'nestedgroup', b'ipausergroup', b'ipaobject', b'posixgroup', b'ipantgroupattrs', b'inetorgperson', b'organizationalPerson', b'person']
Oct 13 12:51:38 master.ipa.test systemd[1]: ipa-gcsyncd.service: Main process exited, code=exited, status=1/FAILURE
Oct 13 12:51:38 master.ipa.test systemd[1]: ipa-gcsyncd.service: Failed with result 'exit-code'.
Oct 13 12:51:38 master.ipa.test audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-gcsyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Oct 13 12:51:38 master.ipa.test systemd[1]: ipa-gcsyncd.service: Consumed 2.642s CPU time.

I think it is OK to see both person and groupofnames in real-life objects because customers might be using custom attributes added to users/groups. We should probably check a combination of ipantgroupattrs/groupofnames for groups and ipantuserattrs/person for users.
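An added example (not code from the abbra/freeipa branch) of the classification rule proposed in this issue: decide by the ipantgroupattrs/groupofnames and ipantuserattrs/person combinations instead of asserting that exactly one of groupofnames/person is present. The function and exception names are assumptions; the sample objectClass list is the one from the AssertionError above.

```python
"""Classify an IPA LDAP entry as a user or a group from its objectClass values.

Added example, not FreeIPA code. An entry is a group if it carries
ipantgroupattrs (or, failing that, groupofnames) and a user if it carries
ipantuserattrs (or person). Entries that carry both person and groupofnames,
as custom schema can cause, are resolved by the AD-specific ipant* class
instead of tripping an assertion and killing the sync daemon.
"""
from typing import Dict, List, Optional, Set, Union

OBJCLASS_ATTR = "objectClass"  # attribute name as python-ldap returns it (assumption)


class AmbiguousObjectClass(ValueError):
    """Raised when the objectClass values do not identify a single kind."""


def _objectclasses(attrs: Dict[str, List[Union[bytes, str]]]) -> Set[str]:
    """Collect lower-cased objectClass values.

    LDAP attribute names and objectClass values are case-insensitive, and
    python-ldap delivers values as bytes, so normalise both here.
    """
    classes: Set[str] = set()
    for name, values in attrs.items():
        if name.lower() != OBJCLASS_ATTR.lower():
            continue
        for value in values:
            if isinstance(value, bytes):
                value = value.decode("utf-8")
            classes.add(value.lower())
    return classes


def get_objclass(attrs: Dict[str, List[Union[bytes, str]]]) -> str:
    """Return 'group' or 'user' for the entry described by ``attrs``.

    Decision order:
      1. ipantgroupattrs / ipantuserattrs (the classes that matter for AD)
         win; carrying both is a data error and raises.
      2. Otherwise fall back to groupofnames / person, since entries that
         have no SID yet may lack the ipant* class; having both or neither
         without an ipant* marker is ambiguous and raises.
    """
    present = _objectclasses(attrs)
    strong_group = "ipantgroupattrs" in present
    strong_user = "ipantuserattrs" in present
    if strong_group and strong_user:
        raise AmbiguousObjectClass(
            "entry carries both ipantgroupattrs and ipantuserattrs: %r"
            % sorted(present))
    if strong_group:
        return "group"
    if strong_user:
        return "user"
    weak_group = "groupofnames" in present
    weak_user = "person" in present
    if weak_group == weak_user:  # both present or neither present
        raise AmbiguousObjectClass(
            "cannot tell user from group by objectClass: %r" % sorted(present))
    return "group" if weak_group else "user"


def try_get_objclass(attrs: Dict[str, List[Union[bytes, str]]]) -> Optional[str]:
    """Like get_objclass, but returns None so the caller can log and skip the
    entry instead of letting the exception stop the whole sync run."""
    try:
        return get_objclass(attrs)
    except AmbiguousObjectClass:
        return None


# Constructed sample: the objectClass list from the AssertionError in the issue.
SAMPLE_GROUP_WITH_PERSON = {
    "objectClass": [b"top", b"groupofnames", b"nestedgroup", b"ipausergroup",
                    b"ipaobject", b"posixgroup", b"ipantgroupattrs",
                    b"inetorgperson", b"organizationalPerson", b"person"],
}

if __name__ == "__main__":
    print(get_objclass(SAMPLE_GROUP_WITH_PERSON))  # group
```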

The problem of accessing the windows file server by a freeipa domain user

Hello! I am facing a problem accessing a Windows Server 2019 file server as a trusted FreeIPA user.
Test environment description:

  • Active Directory Domain Controller (ad-01.winad.lan)
  • FreeIPA Domain Controller (srv-freeipa-01.test2.lan)
  • Active Directory Domain Controller (ad-dc-01.test.lan)
  • File server on Windows Server 2019 in the Active Directory domain (ad-fs-01.winad.lan)
  • FreeIPA client connected via ipa-sssd-client (client2.test2.lan)

A two-way trust relationship is set up between ad-01.winad.lan and srv-freeipa-01.test2.lan, as well as between ad-dc-01.test.lan and ad-01.winad.lan:

    ad-01.winad.lan < - - > srv-freeipa-01.test2.lan
    srv-freeipa-01.test2.lan < - - > ad-dc-01.test.lan
    ad-dc-01.test.lan < - - > ad-01.winad.lan

Scenario 1: AD user ([email protected])
The user receives a Kerberos ticket and connects to the Windows share via smbclient (smbclient //ad-fs-01.winad.lan/share -k).
The connection is established and the user gets access.

Scenario 2: AD user ([email protected])
The user receives a Kerberos ticket and connects to the Windows share via smbclient (smbclient //ad-fs-01.winad.lan/share -k).
The connection is established and the user gets access.

Scenario 3: FreeIPA user ([email protected])
The user receives a Kerberos ticket and connects to the Windows share via smbclient (smbclient //ad-fs-01.winad.lan/share -k).
When connecting, the message "Access is denied" appears.
The following error appears in the file server logs:

SMB Session Authentication Failure

Client Name: \192.168.1.40
Client Address: 192.168.1.40:59416
User Name: TEST2.LAN\admin
Session ID: 0xFFFFFFFFFFFFFFFF
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
SPN: session setup failed before the SPN could be queried
SPN Validation Policy: SPN optional / no validation
Guidance:
You should expect this error when attempting to connect to shares using incorrect credentials.
This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.
This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled
When checking the traffic from the client machine, strange behavior of the service ticket request was noticed. First there is a request to FreeIPA for the service cifs/[email protected]; naturally, there is no such service in FreeIPA and the request fails. Then the request goes to the AD domain controller and a service ticket is provided, but the SMB session setup returns an error. Users of the AD domains do not show this behavior: they immediately contact ad-01.winad.lan with the reference principal (cifs/ad-fs-01.winad.lan@WINAD.LAN).
I also tested with login and password (smbclient //ad-fs-01.winad.lan/share -U admin -W TEST2.LAN); there are no problems and access is granted.
Have you ever encountered a similar problem? Perhaps there are some solutions.

when running GC uninstall manually it succeeds but does not fully clean up the tree

If I manually remove the GC instance setup

[root@master ~]# ipa -e in_server=True console
(Custom IPA interactive Python console)
    api: IPA API object
    pp: pretty printer
>>> from ipaserver.install.gc import uninstall
>>> from ipalib import sysrestore
>>> from ipaplatform.paths import paths
>>> uninstall(sysrestore.FileStore(paths.SYSRESTORE))
>>> 

and then attempt to re-run ipa-adtrust-install, it fails at one of the GC configuration steps:

Configuring global catalog server (globalcatalog)
  [1/20]: creating global catalog instance
  [2/20]: Enable objectGUID generator
  [3/20]: stopping global catalog
  [4/20]: updating configuration in dse.ldif
  [5/20]: starting global catalog
  [6/20]: adding default schema
  [7/20]: creating indices
  [8/20]: add global catalog service principal aliases
  [error] AlreadyContainsValueError: 'krbprincipalname' already contains one or more values
Unexpected error - see /var/log/ipaserver-adtrust-install.log for details:
AlreadyContainsValueError: 'krbprincipalname' already contains one or more values

2020-10-15T14:20:45Z DEBUG trust_find(None, sizelimit=0, all=False, raw=False, version='2.239', pkey_only=False)
2020-10-15T14:20:45Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 626, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 612, in run_step
    method()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gcinstance.py", line 706, in __add_service_alias
    api.Command.service_add_principal(
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 2396, in execute
    self._update_attrs(update, entry_attrs)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 2446, in _update_attrs
    raise errors.AlreadyContainsValueError(attr=name)
ipalib.errors.AlreadyContainsValueError: 'krbprincipalname' already contains one or more values

2020-10-15T14:20:45Z DEBUG   [error] AlreadyContainsValueError: 'krbprincipalname' already contains one or more values
2020-10-15T14:20:45Z DEBUG   File "/usr/lib/python3.8/site-packages/ipaserver/install/installutils.py", line 774, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-adtrust-install", line 228, in main
    gc.install(True, api, fstore, options)
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gc.py", line 128, in install
    gc.create_instance(api.env.realm, api.env.host, api.env.domain,
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gcinstance.py", line 273, in create_instance
    self.start_creation()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 626, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 612, in run_step
    method()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gcinstance.py", line 706, in __add_service_alias
    api.Command.service_add_principal(
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 2396, in execute
    self._update_attrs(update, entry_attrs)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 2446, in _update_attrs
    raise errors.AlreadyContainsValueError(attr=name)

2020-10-15T14:20:45Z DEBUG The ipa-adtrust-install command failed, exception: AlreadyContainsValueError: 'krbprincipalname' already contains one or more values

gc-wip: Sync daemon fails to start after creating/deleting particular users

After a test session I can not start the sync daemon anymore. I am not sure which action triggered the error, so I am attaching the output of ldapsearch for the main and GC instances.

Another issue I see is that the traceback is written only to the journal but not to globalcatalog.log.

Oct 26 19:20:47 master1.testrelm.test systemd[1]: Started IPA Global Catalog Sync daemon.
Oct 26 19:20:47 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
...
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: LDAP URL: ldapi://%2Frun%2Fslapd-TESTRELM-TEST.socket/cn%3Daccounts%2Cdc%3Dtestrelm%2Cdc%3Dtest?objectclass,cn,displayname,gidnumber,givenname,homedirectory,ipaextern>
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-GLOBAL-CATALOG.socket conn=<ldap.ldapobject.ReconnectLDAPObject object at 0x7f5721f73d60>
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: get_saved_cookie
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: Read cookie master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#643
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#643
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: INFO: LDAP bind...
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: INFO: Commencing sync process
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: ipa: DEBUG: Current cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#643
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: Traceback (most recent call last):
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/constraint.py", line 32, in __call__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     self._testValue(value, idx)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/constraint.py", line 320, in _testValue
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     raise error.ValueConstraintError(value)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: pyasn1.type.error.ValueConstraintError: b'\x1f\x86'
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: During handling of the above exception, another exception occurred:
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: Traceback (most recent call last):
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/base.py", line 269, in __init__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     self.subtypeSpec(value)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/constraint.py", line 35, in __call__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     raise error.ValueConstraintError(
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: pyasn1.type.error.ValueConstraintError: <ValueSizeConstraint object, consts 16, 16> failed at: ValueConstraintError(b'\x1f\x86')
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: During handling of the above exception, another exception occurred:
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: Traceback (most recent call last):
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/libexec/ipa/gc/ipa-gcsyncd", line 111, in <module>
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     while sync_conn.syncrepl_poll(all=1, msgid=ldap_search):
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib64/python3.8/site-packages/ldap/syncrepl.py", line 449, in syncrepl_poll
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     sim = SyncInfoMessage(resp)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib64/python3.8/site-packages/ldap/syncrepl.py", line 311, in __init__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     d = decoder.decode(encodedMessage, asn1Spec=SyncInfoValue())
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 1581, in __call__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     value, substrate = concreteDecoder.valueDecoder(
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 1006, in valueDecoder
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     component, head = decodeFun(
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 1581, in __call__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     value, substrate = concreteDecoder.valueDecoder(
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 609, in valueDecoder
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     component, head = decodeFun(head, componentType, **options)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 1581, in __call__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     value, substrate = concreteDecoder.valueDecoder(
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 728, in valueDecoder
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     component, head = decodeFun(head, componentType, **options)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 1581, in __call__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     value, substrate = concreteDecoder.valueDecoder(
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 244, in valueDecoder
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     return self._createComponent(asn1Spec, tagSet, head, **options), tail
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/codec/ber/decoder.py", line 55, in _createComponent
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     return asn1Spec.clone(value)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/base.py", line 376, in clone
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     return self.__class__(value, **initializers)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/univ.py", line 837, in __init__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     base.SimpleAsn1Type.__init__(self, value, **kwargs)
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:   File "/usr/lib/python3.8/site-packages/pyasn1/type/base.py", line 273, in __init__
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]:     raise exType('%s at %s' % (exValue, self.__class__.__name__))
Oct 26 19:20:48 master1.testrelm.test ipa-gcsyncd[49294]: pyasn1.type.error.ValueConstraintError: <ValueSizeConstraint object, consts 16, 16> failed at: ValueConstraintError(b'\x1f\x86') at SyncUUID
Oct 26 19:20:48 master1.testrelm.test systemd[1]: ipa-gcsyncd.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 19:20:48 master1.testrelm.test systemd[1]: ipa-gcsyncd.service: Failed with result 'exit-code'.
Oct 26 19:20:48 master1.testrelm.test systemd[1]: ipa-gcsyncd.service: Consumed 1.657s CPU time.

gc-wip: failure during replica GC installation

When trying to install GC on a replica (the master is already a GC instance), the installation fails due to a non-unique Kerberos alias: during GC creation, the installer creates Kerberos aliases. One of them is E3514235-4B06-11D1-AB04-00C04FC2DCD2/$DOMAINGUID_TEXT/$DOMAIN, added to the Kerberos principal ldap/$FQDN (see https://github.com/abbra/freeipa/blob/gc-wip/ipaserver/install/gcinstance.py#L76).
When this step is executed on a replica, the alias E3514235-4B06-11D1-AB04-00C04FC2DCD2/$DOMAINGUID_TEXT/$DOMAIN is already defined on the master and the attribute uniqueness plugin ensures that a given alias is unique, thus refuses the alias creation.

gc-wip: sync daemon is restarted during repeated run of ipa-adtrust-install

Steps to reproduce:

# ipa-adtrust-install -U -a Secret123
...
# ps aux | grep ipa-[g]csyncd
root       56437  0.8  5.0 174028 102980 ?       Ss   04:48   0:01 /usr/bin/python3 -I /usr/libexec/ipa/gc/ipa-gcsyncd
# rm /var/log/ipa/globalcatalog.log 
# ipa-adtrust-install -U -a Secret123
...
Global Catalog already installed, skipping

# ps aux | grep ipa-[g]csyncd
root       56687  9.2  4.9 171796 100432 ?       Ss   04:53   0:01 /usr/bin/python3 -I /usr/libexec/ipa/gc/ipa-gcsyncd

# head /var/log/ipa/globalcatalog.log 
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing all plugin modules in ipaserver.plugins...
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.aci
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.automember
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.automount
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.baseldap
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	ipaserver.plugins.baseldap is not a valid plugin module
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.baseuser
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.batch
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.ca
2020-10-27T04:48:23Z	56437	MainThread	ipalib.plugable	DEBUG	importing plugin module ipaserver.plugins.caacl

Global Catalog IPA

Good afternoon! I am facing a problem adding FreeIPA groups for access to a Windows folder. A user is added normally, but a group gives an error. On the FreeIPA server, the Samba error is also visible in the logs. Maybe I don't have enough information.
image

gc-wip: user is recreated on every start of sync daemon

Note: this does not apply to users created before the first run of ipa-adtrust-install.

Steps:

# printf '[global]\ndebug=True' > /etc/ipa/globalcatalog.conf
# ipa-adtrust-install -U -a Secret123 --add-sids
...
# ipa user-add user1 --first First --last User
[see log 1]
# systemctl stop ipa-gcsyncd.service
# rm -f /var/log/ipa/globalcatalog.log
# systemctl start ipa-gcsyncd.service
[see log 2]
# systemctl stop ipa-gcsyncd.service
# rm -f /var/log/ipa/globalcatalog.log
# systemctl start ipa-gcsyncd.service
[see log 3]

log 1:

... skipping plugin importing
2020-10-14T09:26:10Z	33787	MainThread	ipa-gcsyncd	DEBUG	LDAP URL: ldapi://%2Frun%2Fslapd-TESTRELM-TEST.socket/cn%3Daccounts%2Cdc%3Dtestrelm%2Cdc%3Dtest?objectclass,cn,displayname,gidnumber,givenname,homedirectory,ipaexternalmember,ipantsecurityidentifier,ipauniqueid,krbcanonicalname,krbprincipalname,mail,member,memberof,sn,uid,uidnumber?sub?%28%7C%28objectClass%3Dgroupofnames%29%28objectClass%3Dperson%29%29
2020-10-14T09:26:10Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	get_saved_cookie
2020-10-14T09:26:10Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: None
2020-10-14T09:26:10Z	33787	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-14T09:26:10Z	33787	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-14T09:26:10Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Current cookie is: None
2020-10-14T09:26:10Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test 6c4ffb28-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:10Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:10Z	33787	MainThread	ipapython.ipaldap	DEBUG	retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f279a603820>
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding user to the Global Catalog 
dn: CN=Administrator,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: ad-top
objectClass: ad-organizationalPerson
objectClass: user
objectClass: securityPrincipal
objectClass: posixAccount
objectClass: inetUser
objectClass: gcobject
cn: Administrator
sn: Administrator
instanceType: 4
name: Administrator
objectGUID:: bOToeA39EeuzmlJUAJrKUA==
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqW9AEAAA==
sAMAccountName: admin
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,dc=testrelm,dc=test
uidnumber: 970400000
gidnumber: 970400000
uid: admin
homeDirectory: /home/admin
memberof: cn=admins,cn=users,dc=testrelm,dc=test
memberof: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testrelm,dc=test
memberof: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read Replication Changelog Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Write Replication Changelog Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read DNA Range,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Host Enrollment,cn=privileges,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=trust admins,cn=users,dc=testrelm,dc=test
nTSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;bf967ab8-0de6-11d0-a285-00aa003049e2;CO)(A;;SD;;;CO)
gcuuid: 6c4ffb28-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipapython.ipaldap	DEBUG	retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-GLOBAL-CATALOG.socket conn=<ldap.ldapobject.ReconnectLDAPObject object at 0x7f279a603970>
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test 6c4ffb29-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_add cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding group to the Global Catalog dn: CN=admins,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: ad-top
objectClass: group
objectClass: securityprincipal
objectClass: nsmemberof
objectClass: gcobject
cn: admins
instanceType: 4
name: admins
objectGUID:: bP467g39Eeu8CVJUAJrKUA==
objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqWAAIAAA==
sAMAccountName:  admins
sAMAccountType: 268435456
objectCategory: CN=Group,CN=Schema,CN=Configuration,dc=testrelm,dc=test
ntsecuritydescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)
member: CN=Administrator,CN=Users,dc=testrelm,dc=test
memberof: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testrelm,dc=test
memberof: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read Replication Changelog Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Write Replication Changelog Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Read DNA Range,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=Host Enrollment,cn=privileges,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=testrelm,dc=test
memberof: cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=testrelm,dc=test
groupType: -2147483646
gcuuid: 6c4ffb29-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test 6c4ffb2a-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_add cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding group to the Global Catalog dn: CN=ipausers,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: ad-top
objectClass: group
objectClass: securityprincipal
objectClass: nsmemberof
objectClass: gcobject
cn: ipausers
instanceType: 4
name: ipausers
objectGUID:: bQxeYg39Eeudl1JUAJrKUA==
objectSid:: AQQAAAALQxFiXgxt6xH9DVRSl51QypoA
sAMAccountName:  ipausers
sAMAccountType: 268435456
objectCategory: CN=Group,CN=Schema,CN=Configuration,dc=testrelm,dc=test
ntsecuritydescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)
groupType: 2
gcuuid: 6c4ffb2a-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: cn=editors,cn=groups,cn=accounts,dc=testrelm,dc=test 6c4ffb2b-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_add cn=editors,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding group to the Global Catalog dn: CN=editors,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: ad-top
objectClass: group
objectClass: securityprincipal
objectClass: nsmemberof
objectClass: gcobject
cn: editors
instanceType: 4
name: editors
objectGUID:: bQ2ZqA39EeukPVJUAJrKUA==
objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqW6gMAAA==
sAMAccountName:  editors
sAMAccountType: 268435456
objectCategory: CN=Group,CN=Schema,CN=Configuration,dc=testrelm,dc=test
ntsecuritydescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)
groupType: -2147483646
gcuuid: 6c4ffb2b-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=ipaservers,cn=hostgroups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=helpdesk,cn=roles,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=User Administrator,cn=roles,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=IT Specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=IT Security Specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=Security Architect,cn=roles,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Dropping syncrepl_entry for user cn=Enrollment Administrator,cn=roles,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: cn=trust admins,cn=groups,cn=accounts,dc=testrelm,dc=test e4b6bc57-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_add cn=trust admins,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding group to the Global Catalog dn: CN=trust admins,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: ad-top
objectClass: group
objectClass: securityprincipal
objectClass: nsmemberof
objectClass: gcobject
cn: trust admins
instanceType: 4
name: trust admins
objectGUID:: 6Hb40g39EeuNNlJUAJrKUA==
objectSid:: AQQAAAALQxHS+Hbo6xH9DVRSNo1QypoA
sAMAccountName:  trust admins
sAMAccountType: 268435456
objectCategory: CN=Group,CN=Schema,CN=Configuration,dc=testrelm,dc=test
ntsecuritydescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)
member: CN=Administrator,CN=Users,dc=testrelm,dc=test
groupType: 2
gcuuid: e4b6bc57-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#160
2020-10-14T09:26:11Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	ERROR	Failed to create GC entry based on uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test (Unable to create SID, missing data)
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#164
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	ERROR	Failed to create GC entry based on uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test (Unable to create SID, missing data)
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#164
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	ERROR	Failed to create GC entry based on uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test (Unable to create SID, missing data)
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#166
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	ERROR	Failed to create GC entry based on uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test (Unable to create SID, missing data)
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#166
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected modify of entry: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test 6c4ffb2a-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_sync cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Syncing group in the Global Catalog (del+add)
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_del cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Deleting group from the Global Catalog CN=ipausers,CN=Users,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	group_add cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding group to the Global Catalog dn: CN=ipausers,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: ad-top
objectClass: group
objectClass: securityprincipal
objectClass: nsmemberof
objectClass: gcobject
cn: ipausers
instanceType: 4
name: ipausers
objectGUID:: bQxeYg39Eeudl1JUAJrKUA==
objectSid:: AQQAAAALQxFiXgxt6xH9DVRSl51QypoA
sAMAccountName:  ipausers
sAMAccountType: 268435456
objectCategory: CN=Group,CN=Schema,CN=Configuration,dc=testrelm,dc=test
ntsecuritydescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)
member: CN=First User,CN=Users,dc=testrelm,dc=test
groupType: 2
gcuuid: 6c4ffb2a-0dfd-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#4294967295
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Ignoring cookie value
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected add of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding user to the Global Catalog 
dn: CN=First User,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: ad-top
objectClass: ad-organizationalPerson
objectClass: user
objectClass: securityPrincipal
objectClass: posixAccount
objectClass: inetUser
objectClass: gcobject
cn: First User
sn: User
givenName: First
instanceType: 4
displayName: First User
name: First User
objectGUID:: UGjBkA3/EeuOtlJUAJrKUA==
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqW6wMAAA==
sAMAccountName: user1
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,dc=testrelm,dc=test
mail: [email protected]
uidnumber: 970400003
gidnumber: 970400003
uid: user1
homeDirectory: /home/user1
memberof: cn=ipausers,cn=users,dc=testrelm,dc=test
nTSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;bf967ab8-0de6-11d0-a285-00aa003049e2;CO)(A;;SD;;;CO)
gcuuid: 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:26:18Z	33787	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167

log 2:

2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	get_saved_cookie
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Read cookie master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:28:26Z	33823	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-14T09:28:26Z	33823	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Current cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected modify of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_sync uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Syncing user in the Global Catalog (del+add)
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_del uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Deleting user from the Global Catalog CN=First User,CN=Users,dc=testrelm,dc=test
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:28:26Z	33823	MainThread	ipapython.ipaldap	DEBUG	retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f24527b7d00>
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding user to the Global Catalog 
dn: CN=First User,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: ad-top
objectClass: ad-organizationalPerson
objectClass: user
objectClass: securityPrincipal
objectClass: posixAccount
objectClass: inetUser
objectClass: gcobject
cn: First User
sn: User
givenName: First
instanceType: 4
displayName: First User
name: First User
objectGUID:: UGjBkA3/EeuOtlJUAJrKUA==
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqW6wMAAA==
sAMAccountName: user1
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,dc=testrelm,dc=test
mail: [email protected]
uidnumber: 970400003
gidnumber: 970400003
uid: user1
homeDirectory: /home/user1
memberof: cn=ipausers,cn=users,dc=testrelm,dc=test
nTSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;bf967ab8-0de6-11d0-a285-00aa003049e2;CO)(A;;SD;;;CO)
gcuuid: 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:28:26Z	33823	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC

log 3:

2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	get_saved_cookie
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Read cookie master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:29:01Z	33836	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-14T09:29:01Z	33836	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Current cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Detected modify of entry: uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_sync uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Syncing user in the Global Catalog (del+add)
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_del uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Deleting user from the Global Catalog CN=First User,CN=Users,dc=testrelm,dc=test
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	user_add uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test
2020-10-14T09:29:01Z	33836	MainThread	ipapython.ipaldap	DEBUG	retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f5f2c237880>
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	Adding user to the Global Catalog 
dn: CN=First User,CN=Users,dc=testrelm,dc=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: ad-top
objectClass: ad-organizationalPerson
objectClass: user
objectClass: securityPrincipal
objectClass: posixAccount
objectClass: inetUser
objectClass: gcobject
cn: First User
sn: User
givenName: First
instanceType: 4
displayName: First User
name: First User
objectGUID:: UGjBkA3/EeuOtlJUAJrKUA==
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqW6wMAAA==
sAMAccountName: user1
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,dc=testrelm,dc=test
mail: [email protected]
uidnumber: 970400003
gidnumber: 970400003
uid: user1
homeDirectory: /home/user1
memberof: cn=ipausers,cn=users,dc=testrelm,dc=test
nTSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;bf967ab8-0de6-11d0-a285-00aa003049e2;CO)(A;;SD;;;CO)
gcuuid: 4592c428-0dff-11eb-8275-d1d29acf4d90
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	DEBUG	New cookie is: master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:(|(objectClass=groupofnames)(objectClass=person))#167
2020-10-14T09:29:01Z	33836	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC
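The three logs above are what an operator has to read to find out why user1 reached the catalog only on the fourth attempt and what the objectSid values in the entry dumps actually say. The following is an added example, not FreeIPA's code: it parses the gcsyncer line format (tab separated timestamp, pid, thread, logger, level, message) into per-entry syncrepl events and failed GC writes, and decodes the base64 objectSid of every entry dump into S-1-... form (MS-DTYP layout: revision byte, sub-authority count byte, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities). The sample lines are a constructed subset of the log quoted above; sid_to_str, summarize and _rec are my names.

```python
"""Triage helper for ipa-gcsyncd (gcsyncer) debug logs: added example, not FreeIPA code."""
import base64
import re
import struct
from collections import Counter, defaultdict

# gcsyncer lines are tab separated: timestamp, pid, thread, logger, level, message
LOG_RE = re.compile(r"^(\S+)\t(\d+)\t(\S+)\t(\S+)\t([A-Z]+)\t(.*)$")
EVENT_RE = re.compile(r"^Detected (add|modify|delete) of entry: (.+) [0-9a-f-]{36}$")
FAIL_RE = re.compile(r"^Failed to create GC entry based on (.+?) \((.*)\)$")


def sid_to_str(b64sid):
    """Decode a base64 binary SID (an LDIF 'objectSid::' value) into S-1-... form.

    Layout (MS-DTYP 2.4.2.2): revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then count x 32-bit little-endian sub-authorities.
    """
    raw = base64.b64decode(b64sid)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def summarize(lines):
    """Collect, per IPA entry, the syncrepl operations seen and the number of
    failed GC writes, plus the decoded objectSid of every GC entry dump."""
    events = defaultdict(list)  # IPA DN -> ["add", "modify", ...]
    failures = Counter()        # IPA DN -> count of "Failed to create GC entry"
    sids = {}                   # GC DN -> decoded objectSid
    gc_dn = None                # DN of the entry dump currently being read
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            # not a log record: an "attr: value" line of an entry dump
            if line.startswith("dn: "):
                gc_dn = line[4:].strip()
            elif line.startswith("objectSid:: ") and gc_dn:
                sids[gc_dn] = sid_to_str(line.split("::", 1)[1].strip())
            continue
        level, msg = m.group(5), m.group(6)
        e = EVENT_RE.match(msg)
        if e:
            events[e.group(2)].append(e.group(1))
            continue
        f = FAIL_RE.match(msg)
        if f and level == "ERROR":
            failures[f.group(1)] += 1
            continue
        if "to the Global Catalog" in msg:
            # group dumps carry "dn: ..." inline; user dumps put it on the next line
            gc_dn = msg.split("dn: ", 1)[1].strip() if "dn: " in msg else None
    return {"events": dict(events), "failures": dict(failures), "sids": sids}


def _rec(ts, level, msg, logger="ipaserver.globalcatalog.gcsyncer"):
    """Build one tab-separated gcsyncer record (constructed sample helper)."""
    return "\t".join([ts, "33787", "MainThread", logger, level, msg])


USER1 = "uid=user1,cn=users,cn=accounts,dc=testrelm,dc=test"
# Constructed sample: a subset of the log lines quoted in the issue above.
SAMPLE = [
    _rec("2020-10-14T09:26:11Z", "DEBUG", "Detected add of entry: cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test 6c4ffb29-0dfd-11eb-8275-d1d29acf4d90"),
    _rec("2020-10-14T09:26:11Z", "DEBUG", "Adding group to the Global Catalog dn: CN=admins,CN=Users,dc=testrelm,dc=test"),
    "objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqWAAIAAA==",
    _rec("2020-10-14T09:26:11Z", "DEBUG", "Dropping syncrepl_entry for user cn=helpdesk,cn=roles,cn=accounts,dc=testrelm,dc=test"),
    _rec("2020-10-14T09:26:18Z", "DEBUG", "Detected add of entry: %s 4592c428-0dff-11eb-8275-d1d29acf4d90" % USER1),
    _rec("2020-10-14T09:26:18Z", "ERROR", "Failed to create GC entry based on %s (Unable to create SID, missing data)" % USER1),
    _rec("2020-10-14T09:26:18Z", "DEBUG", "Detected add of entry: %s 4592c428-0dff-11eb-8275-d1d29acf4d90" % USER1),
    _rec("2020-10-14T09:26:18Z", "ERROR", "Failed to create GC entry based on %s (Unable to create SID, missing data)" % USER1),
    _rec("2020-10-14T09:26:18Z", "DEBUG", "Detected add of entry: %s 4592c428-0dff-11eb-8275-d1d29acf4d90" % USER1),
    _rec("2020-10-14T09:26:18Z", "DEBUG", "Adding user to the Global Catalog "),
    "dn: CN=First User,CN=Users,dc=testrelm,dc=test",
    "objectSid:: AQUAAAAAAAUVAAAA193Ho+cULaC6bIqW6wMAAA==",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for dn, ops in report["events"].items():
        print("%-55s ops=%s failures=%d" % (dn, ",".join(ops), report["failures"].get(dn, 0)))
    for dn, sid in report["sids"].items():
        print("%-55s %s" % (dn, sid))
```

Run against the full log, the decoder makes two things visible that the base64 hides: the admins group decodes to the IPA domain SID with RID 512, i.e. it is presented to Windows as Domain Admins, while the objectSid of ipausers (groupType 2, a distribution rather than security group) has an identifier authority other than 5 and so is not a domain SID at all. The failure counter is the check an operator wants to alert on: a non-zero count after "Initial LDAP dump is done" means an IPA account exists that the GC cannot represent.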

ipa-gcsyncd backtrace

Current tree state (rebased to FreeIPA git master):

Aug 31 09:04:50 master.ipa.test systemd[1]: Started IPA Global Catalog Sync daemon.
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]: ipa: INFO: LDAP bind...
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]: ipa: INFO: Commencing sync process
Aug 31 09:04:52 master.ipa.test ns-slapd[31992]: [31/Aug/2020:09:04:52.076592838 +0000] - ERR - slapi_connection_remove_operation - Can't find op 2 for conn 144
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]: Traceback (most recent call last):
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:   File "/usr/libexec/ipa/gc/ipa-gcsyncd", line 111, in <module>
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:     while sync_conn.syncrepl_poll(all=1, msgid=ldap_search):
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:   File "/usr/lib64/python3.8/site-packages/ldap/syncrepl.py", line 402, in syncrepl_poll
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:     type, msg, mid, ctrls, n, v = self.result4(
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:   File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 756, in result4
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:     ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:   File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:     reraise(exc_type, exc_value, exc_traceback)
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:   File "/usr/lib64/python3.8/site-packages/ldap/compat.py", line 44, in reraise
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:     raise exc_value
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:   File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]:     result = func(*args,**kwargs)
Aug 31 09:04:52 master.ipa.test ipa-gcsyncd[40513]: ldap.LDAPError: {'desc': 'Content Sync Refresh Required', 'info': 'Invalid session cookie'}
Aug 31 09:04:52 master.ipa.test systemd[1]: ipa-gcsyncd.service: Main process exited, code=exited, status=1/FAILURE
Aug 31 09:04:52 master.ipa.test systemd[1]: ipa-gcsyncd.service: Failed with result 'exit-code'.
Aug 31 09:04:52 master.ipa.test systemd[1]: ipa-gcsyncd.service: Consumed 1.981s CPU time.
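The traceback shows ipa-gcsyncd exiting as soon as 389-ds answers syncrepl_poll with e-syncRefreshRequired ("Invalid session cookie"), after which systemd leaves the unit failed and the GC silently stops following IPA. The following is an added example, not the daemon's code, of the resume-or-refresh pattern RFC 4533 expects from a consumer: keep the saved cookie for incremental sync, but on this specific error discard it and restart once with a full refresh before giving up. The syncrepl_search and syncrepl_poll signatures are python-ldap's SyncreplConsumer API; run_sync, CookieStore, FakeConsumer and SCOPE_SUBTREE are my names, and the stub reproduces only the cookie rejection seen above.

```python
"""Resume-or-refresh loop for an RFC 4533 content-sync consumer: added example, not ipa-gcsyncd code."""

# 'desc' that python-ldap attaches to an e-syncRefreshRequired result,
# as seen in the traceback above.
REFRESH_REQUIRED = "Content Sync Refresh Required"


def is_refresh_required(exc):
    """True when an LDAP error says the saved sync cookie is no longer usable."""
    info = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return info.get("desc") == REFRESH_REQUIRED


def run_sync(consumer, cookie_store, base, scope, max_restarts=1):
    """Start syncrepl from the saved cookie. If the server rejects the cookie,
    discard it and restart with a full refresh instead of letting the daemon
    exit. Any other error propagates. Returns the number of restarts needed."""
    restarts = 0
    cookie = cookie_store.get()
    while True:
        msgid = consumer.syncrepl_search(base, scope, mode="refreshAndPersist", cookie=cookie)
        try:
            while consumer.syncrepl_poll(all=1, msgid=msgid):
                pass
            return restarts
        except Exception as exc:  # ldap.LDAPError in the real daemon
            if not is_refresh_required(exc) or restarts >= max_restarts:
                raise
            cookie_store.clear()  # the stale cookie must not be reused
            cookie = None         # None = full refresh, then persist
            restarts += 1


class CookieStore:
    """Constructed stand-in for the daemon's saved-cookie file."""
    def __init__(self, cookie=None):
        self.cookie = cookie

    def get(self):
        return self.cookie

    def clear(self):
        self.cookie = None


class FakeConsumer:
    """Constructed stand-in for ldap.syncrepl.SyncreplConsumer: it accepts only
    the cookies listed as valid and rejects any other non-empty cookie the way
    389-ds rejected the one in the traceback above."""
    def __init__(self, valid_cookies=()):
        self.valid = set(valid_cookies)
        self.searches = []  # cookies passed to syncrepl_search, in order
        self._cookie = None

    def syncrepl_search(self, base, scope, mode="refreshOnly", cookie=None, **search_args):
        self.searches.append(cookie)
        self._cookie = cookie
        return len(self.searches)  # stands in for the LDAP msgid

    def syncrepl_poll(self, msgid=-1, timeout=None, all=0):
        if self._cookie is not None and self._cookie not in self.valid:
            raise Exception({"desc": REFRESH_REQUIRED, "info": "Invalid session cookie"})
        return False  # refresh finished (a real persist phase keeps returning True)


STALE = ("master1.testrelm.test:389#cn=Directory Manager:cn=accounts,dc=testrelm,dc=test:"
         "(|(objectClass=groupofnames)(objectClass=person))#167")
SCOPE_SUBTREE = 2  # value of ldap.SCOPE_SUBTREE
BASE = "cn=accounts,dc=testrelm,dc=test"


def demo():
    """Stale cookie: one restart with cookie=None and the store emptied.
    Cookie still valid: no restart. Returns both outcomes for inspection."""
    store, consumer = CookieStore(STALE), FakeConsumer()
    restarts = run_sync(consumer, store, BASE, SCOPE_SUBTREE)
    store2, consumer2 = CookieStore(STALE), FakeConsumer(valid_cookies=[STALE])
    restarts2 = run_sync(consumer2, store2, BASE, SCOPE_SUBTREE)
    return restarts, consumer.searches, store.get(), restarts2, consumer2.searches


if __name__ == "__main__":
    print(demo())
```

The bound on restarts matters: a server that keeps answering e-syncRefreshRequired even for a cookie-less search would otherwise keep the daemon in a tight loop, so after one full refresh the error is raised and systemd's restart policy takes over.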

gc-wip: some user login formats are not supported for autologon

Tested with the Windows autologon feature (link) on the AD controller and client machines.

I have also checked that all used login formats work for non-admin AD user.

With DefaultDomainName

| DefaultUserName | DefaultDomainName | Login works |
|---|---|---|
| logintest | testrelm.test | - |
| logintest | TESTRELM.TEST | + |
| logintest | Testrelm.Test | - |
| logintest | testrelm | - |
| logintest | TESTRELM | - |
| logintest | Testrelm | - |
| LOGINTEST | TESTRELM.TEST | + |
| Logintest | TESTRELM.TEST | + |

Without DefaultDomainName

| DefaultUserName | Login works |
|---|---|
| [email protected] | + |
| [email protected] | + |
| [email protected] | + |
| logintest@testrelm | - |
| logintest@TESTRELM | - |
| logintest@Testrelm | - |
| testrelm.test\logintest | - |
| TESTRELM.TEST\logintest | + |
| Testrelm.Test\logintest | - |
| testrelm\logintest | - |
| TESTRELM\logintest | - |
| Testrelm\logintest | - |
| [email protected] | + |
| [email protected] | + |
| IPA.TEST\LOGINTEST | + |
| IPA.TEST\Logintest | + |

In all cases when login fails, Windows displays the message "The user name or password is incorrect. Try again".

Is GC supposed to support all of those login formats?

Does not work on Fedora 36

I managed to install the freeipa server from the COPR repo abbra/gc-wip, but when I run ipa-server-install -a Password123 -p Password123 --domain=ipadomain.ipa --realm=IPADOMAIN.IPA --setup-dns --no-forwarders -U it fails at [16/41]: creating indices with [error] KeyError: 'REALM'.

I somehow bypassed it by editing line 237 of /usr/lib/python3.10/site-packages/ipaserver/install/ldapupdate.py, replacing self.sub_dict["REALM"] with api.env.realm, but it doesn't look like a good idea.

Log of installation: ipaserver-install.log.

gc-wip: IPA objects are not written to GC instance when ipa-adtrust-install executed without --add-sids

  1. Documentation should clearly state that without --add-sids no existing users and groups will be available in GC
  2. ipa-adtrust-install does display a warning at the beginning of the setup process but does not say that existing users will not be copied to GC. IMO it would be nice to display such a warning near the message about network ports.
  3. globalcatalog.log contains ERROR messages after running ipa-adtrust-install

gc-wip: ipaserver uninstallation failed with GC installed

The issue was seen only once so far.

Test results: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/dbd7866a-17cf-11eb-be89-fa163e4ad552/

Test output:

DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:513 RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect', '--ignore-last-of-role']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Updating DNS system records
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Forcing removal of master.ipa.test
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 ------------------------------------
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Ignoring topology connectivity errors.
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Deleted IPA server "master.ipa.test"
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 ------------------------------------
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Removing Global Catalog
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Unconfiguring ipa-gcsyncd
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Unconfiguring global catalog
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 Operations error: 
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:557 The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd704:transport.py:217 Exit code: 1
ERROR    ipatests.pytest_ipa.integration.host.Host.master.cmd704:host.py:199 stderr: Forcing removal of master.ipa.test
Ignoring topology connectivity errors.
Operations error: 
The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information

http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/dbd7866a-17cf-11eb-be89-fa163e4ad552/test_integration-test_global_catalog.py-TestGlobalCatalogInstallation-uninstall/master.ipa.test/var/log/ipaserver-uninstall.log.gz:

2020-10-26T22:26:36Z DEBUG Stop of ipa-gcsyncd.service complete
2020-10-26T22:26:36Z DEBUG Starting external process
2020-10-26T22:26:36Z DEBUG args=['/bin/systemctl', 'disable', 'ipa-gcsyncd.service']
2020-10-26T22:26:37Z DEBUG Process finished, return code=0
2020-10-26T22:26:37Z DEBUG stdout=
2020-10-26T22:26:37Z DEBUG stderr=
2020-10-26T22:26:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-10-26T22:26:37Z DEBUG Unconfiguring global catalog
2020-10-26T22:26:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-10-26T22:26:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-10-26T22:26:37Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2020-10-26T22:26:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-10-26T22:26:37Z DEBUG raw: dnsrecord_del(<DNS name ipa.test.>, '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs', del_all=True, version='2.239')
2020-10-26T22:26:37Z DEBUG dnsrecord_del(<DNS name ipa.test.>, <DNS name _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs>, del_all=True, structured=False, raw=False, version='2.239')
2020-10-26T22:26:37Z DEBUG raw: dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs>,), version='2.239')
2020-10-26T22:26:37Z DEBUG dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs>,), continue=False, version='2.239')
2020-10-26T22:26:37Z DEBUG flushing ldapi://%2Frun%2Fslapd-IPA-TEST.socket from SchemaCache
2020-10-26T22:26:37Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f5869e24370>
2020-10-26T22:26:37Z DEBUG raw: dnsrecord_del(<DNS name ipa.test.>, '_ldap._tcp.gc._msdcs', del_all=True, version='2.239')
2020-10-26T22:26:37Z DEBUG dnsrecord_del(<DNS name ipa.test.>, <DNS name _ldap._tcp.gc._msdcs>, del_all=True, structured=False, raw=False, version='2.239')
2020-10-26T22:26:37Z DEBUG raw: dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name _ldap._tcp.gc._msdcs>,), version='2.239')
2020-10-26T22:26:37Z DEBUG dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name _ldap._tcp.gc._msdcs>,), continue=False, version='2.239')
2020-10-26T22:26:37Z DEBUG raw: dnsrecord_del(<DNS name ipa.test.>, '_gc._tcp.Default-First-Site-Name._sites', del_all=True, version='2.239')
2020-10-26T22:26:37Z DEBUG dnsrecord_del(<DNS name ipa.test.>, <DNS name _gc._tcp.Default-First-Site-Name._sites>, del_all=True, structured=False, raw=False, version='2.239')
2020-10-26T22:26:37Z DEBUG raw: dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name _gc._tcp.Default-First-Site-Name._sites>,), version='2.239')
2020-10-26T22:26:37Z DEBUG dnsrecord_delentry(<DNS name ipa.test.>, (<DNS name _gc._tcp.Default-First-Site-Name._sites>,), continue=False, version='2.239')
2020-10-26T22:28:17Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'msgtype': 107, 'msgid': 26, 'result': 1, 'desc': 'Operations error', 'ctrls': []}
2020-10-26T22:28:17Z DEBUG   File "/usr/lib/python3.8/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.8/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.8/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.8/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.8/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.8/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.8/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.8/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3.8/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.8/site-packages/ipapython/install/common.py", line 73, in _uninstall
    for unused in self._uninstaller(self.parent):
  File "/usr/lib/python3.8/site-packages/ipaserver/install/server/__init__.py", line 592, in main
    uninstall(self)
  File "/usr/lib/python3.8/site-packages/ipaserver/install/server/install.py", line 275, in decorated
    func(installer)
  File "/usr/lib/python3.8/site-packages/ipaserver/install/server/install.py", line 1173, in uninstall
    gc.uninstall(fstore)
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gc.py", line 149, in uninstall
    gcinstance.GCInstance(fstore=fstore).uninstall()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gcinstance.py", line 796, in uninstall
    self.__remove_gc_dns_records()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/gcinstance.py", line 750, in __remove_gc_dns_records
    api.Command.dnsrecord_del(
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/dns.py", line 3932, in execute
    result = self.obj.methods.delentry(*keys,
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 1603, in execute
    delete_entry(pkey)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 1578, in delete_entry
    self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 1120, in wrapped
    return func(*call_args, **call_kwargs)
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 1128, in exc_func
    return callback(
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 1624, in exc_callback
    raise exc
  File "/usr/lib/python3.8/site-packages/ipaserver/plugins/baseldap.py", line 1120, in wrapped
    return func(*call_args, **call_kwargs)
  File "/usr/lib/python3.8/site-packages/ipapython/ipaldap.py", line 1723, in delete_entry
    self.conn.delete_s(str(dn))
  File "/usr/lib64/python3.8/contextlib.py", line 131, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.8/site-packages/ipapython/ipaldap.py", line 1161, in error_handler
    raise errors.DatabaseError(desc=desc, info=info)

2020-10-26T22:28:17Z DEBUG The ipa-server-install command failed, exception: DatabaseError: Operations error: 
2020-10-26T22:28:17Z ERROR Operations error: 
2020-10-26T22:28:17Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information

gc-wip: ipa-adtrust-install fails after recent update

ipa-adtrust-install -U -a Secret123 --add-sids
...
Configuring global catalog server (globalcatalog)
  [1/21]: creating global catalog instance
  [2/21]: configure autobind for root
ipaserver.install.service: CRITICAL Failed to load root-autobind.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/ipa/root-autobind.ldif', '-H', 'ldap://master1.testrelm.test:3268', '-x', '-D', 'cn=Directory Manager', '-y', '/tmp/tmpznuxzn86'] returned non-zero exit status 1: '/usr/share/ipa/root-autobind.ldif: No such file or directory\n')
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/ipa/root-autobind.ldif', '-H', 'ldap://master1.testrelm.test:3268', '-x', '-D', 'cn=Directory Manager', '-y', '/tmp/tmpznuxzn86'] returned non-zero exit status 1: '/usr/share/ipa/root-autobind.ldif: No such file or directory\n')
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/ipa/root-autobind.ldif', '-H', 'ldap://master1.testrelm.test:3268', '-x', '-D', 'cn=Directory Manager', '-y', '/tmp/tmpznuxzn86'] returned non-zero exit status 1: '/usr/share/ipa/root-autobind.ldif: No such file or directory\n')
# rpm -q freeipa-server-trust-ad
freeipa-server-trust-ad-4.9.0.dev202010051836+git-0.fc32.x86_64

The version which works: freeipa-server-trust-ad-4.9.0.dev202010011457+git-0.fc32.x86_64
The version which does not work: 4.9.0.dev202010051836+git-0.fc32

[packit] Invalid config

Failed to load packit config file:

Cannot parse package config. ValidationError({'jobs': {0: {'packages': defaultdict(<class 'dict'>, {'freeipa': {'value': {'files_to_sync': {0: {'dst': ['Unknown field.']}}}}})}}, 'packages': defaultdict(<class 'dict'>, {'freeipa': {'value': {'files_to_sync': {0: {'dst': ['Unknown field.']}}}}})})

For more info, please check out the documentation or contact the Packit team.

gc-wip: Using without AD

Is it possible to use the component ipa-adtrust-install without connecting to AD?
I want to use the global catalog to connect services that expect AD as LDAP.
But after running the command "ipa-adtrust-install" without attributes, the service ipa-gcsyncd fails to start, with this error:
ldap.OBJECT_CLASS_VIOLATION: {'msgtype': 105, 'msgid': 7, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'attribute "gidNumber" not allowed\n'}
ipa-gcsyncd.log

How to add custom attribute for Netgroups?

I found instructions here to create custom attributes, add them to the schema, and write a plugin. So I tried adding two custom attributes for netgroups: groupid and authlevel. However, when I try using ipa netgroup-add test --addattr=groupid=1 it does not allow me. So I thought creating permissions would work, but the attributes do not show up on the Netgroup type and instead show up in the User Group type.

Here is the schema I'm trying to add. I can confirm they get added.

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.XXX.XX.X.X NAME 'authlevel' DESC 'Attribute to store the authentication level of a group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.XXXX.XX.X.X NAME 'groupid' DESC 'Attribute to store the ID of a group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.25.XXXX.XX.X.X NAME 'netGroup' DESC 'objectClass for authlevel, and groupid' SUP ipaNISNetgroup STRUCTURAL MAY ( groupid $ authlevel ) X-ORIGIN 'Extending FreeIPA' )

ipa config-mod --addattr=ipaGroupObjectClasses=netGroup

Here is one of the plugin files that I wrote; not sure if it is correct:

from ipaserver.plugins import netgroup
from ipalib.parameters import Int
from ipalib import _

# Extend the netgroup object's parameter list with the new optional attribute
# (the trailing "?" marks the parameter as optional).
netgroup.netgroup.takes_params = netgroup.netgroup.takes_params + (
    Int("authlevel?", cli_name="authlevel", label=_("Authentication Level"), doc=_("Store the authentication level of a group (default is 2)."),),
)

# Make the attribute part of the default set returned by netgroup-show/find.
netgroup.netgroup.default_attributes.append("authlevel")
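
An added example, not part of the post above or of FreeIPA itself: a small checker for the schema-extension LDIF before it is loaded into 389-ds. It parses the RFC 4512 attributeType/objectClass definitions and reports placeholder or duplicated OIDs, MAY attributes that are not defined, and an unknown SUP class; the sample input is constructed from the definitions in the post with the "XXX" placeholders kept, and the names `known_attrs`/`known_classes` are assumed inputs listing what the directory already has.

```python
import re

# Constructed input: the definition lines from the post above (DESC shortened), with the
# author's "XXX" OID placeholders kept so that the checker flags them.
SCHEMA_LDIF = """\
attributeTypes: ( 2.25.XXX.XX.X.X NAME 'authlevel' DESC 'auth level' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
attributeTypes: ( 2.25.XXXX.XX.X.X NAME 'groupid' DESC 'group id' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
objectclasses: ( 2.25.XXXX.XX.X.X NAME 'netGroup' SUP ipaNISNetgroup STRUCTURAL MAY ( groupid $ authlevel ) X-ORIGIN 'Extending FreeIPA' )
"""

OID_RE = re.compile(r"^\d+(\.\d+)+$")  # a real dotted-numeric OID, e.g. 2.25.1234


def parse_definition(text):
    """Parse one RFC 4512 attributeType/objectClass definition into a dict."""
    body = text.strip().strip("()").strip()  # drop the enclosing parentheses
    oid, _sep, rest = body.partition(" ")    # the OID is always the first token

    def pick(pattern):  # first capture group of `pattern` in the remainder, or None
        m = re.search(pattern, rest)
        return m.group(1) if m else None

    # MAY is either a "$"-separated list in parentheses or a single bare name
    may = pick(r"\bMAY\s+\(([^)]*)\)") or pick(r"\bMAY\s+(\w+)") or ""
    return {"oid": oid, "name": pick(r"\bNAME\s+'([^']+)'"), "sup": pick(r"\bSUP\s+(\w+)"),
            "may": [a.strip() for a in may.split("$") if a.strip()]}


def load_schema_ldif(ldif):
    """Collect attributeTypes and objectClasses (keyed by lower-cased NAME) from LDIF lines."""
    attrs, classes = {}, {}
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        bucket = {"attributetypes": attrs, "objectclasses": classes}.get(key.strip().lower())
        if sep and bucket is not None:
            entry = parse_definition(value)
            bucket[entry["name"].lower()] = entry
    return attrs, classes


def check_schema(ldif, known_attrs=(), known_classes=()):
    """Return the problems that would make 389-ds reject the extension or shadow a definition."""
    attrs, classes = load_schema_ldif(ldif)
    defs = list(attrs.values()) + list(classes.values())
    problems = [f"{d['name']}: OID {d['oid']!r} is not a dotted-numeric OID"
                for d in defs if not OID_RE.match(d["oid"])]
    problems += [f"OID {o} is used by more than one definition"
                 for o in {d["oid"] for d in defs} if sum(d["oid"] == o for d in defs) > 1]
    known_a = {k.lower() for k in known_attrs} | set(attrs)
    known_c = {k.lower() for k in known_classes} | set(classes)
    for c in classes.values():
        problems += [f"{c['name']}: MAY attribute {m} is not defined"
                     for m in c["may"] if m.lower() not in known_a]
        if c["sup"] and c["sup"].lower() not in known_c:
            problems.append(f"{c['name']}: SUP {c['sup']} is not a known object class")
    return problems
```

Run against the post's definitions it reports the three placeholder OIDs and that 2.25.XXXX.XX.X.X is reused for both groupid and netGroup; once real OIDs are filled in and ipaNISNetgroup is listed as known, the list is empty.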

gc-wip: error message in log when running ipa-adtrust-install second time

/var/log/ipa/globalcatalog.log:

# run ipa-adtrust-install first time

2020-10-05T14:51:43Z	34872	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-05T14:51:43Z	34872	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-05T14:51:43Z	34872	MainThread	ipaserver.globalcatalog.gcsyncer	ERROR	Failed to create GC entry based on cn=editors,cn=groups,cn=accounts,dc=testrelm,dc=test (Unable to create SID, missing data)
2020-10-05T14:51:43Z	34872	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC

# run ipa-adtrust-install again

2020-10-05T14:55:04Z	34872	MainThread	ipa-gcsyncd	ERROR	syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
2020-10-05T14:56:09Z	35106	MainThread	ipa-gcsyncd	INFO	LDAP bind...
2020-10-05T14:56:09Z	35106	MainThread	ipa-gcsyncd	INFO	Commencing sync process
2020-10-05T14:56:09Z	35106	MainThread	ipaserver.globalcatalog.gcsyncer	ERROR	Failed to create GC entry based on cn=editors,cn=groups,cn=accounts,dc=testrelm,dc=test (Unable to create SID, missing data)
2020-10-05T14:56:09Z	35106	MainThread	ipaserver.globalcatalog.gcsyncer	INFO	Initial LDAP dump is done, now synchronizing with GC

Connecting a subdomain via LDAP to another subdomain

There is a FreeIPA root domain (test.lan) and 2 child domains (subtest.test.lan, subtest2.test.lan). Trust has been set up between the Kerberos domains:

  1. Trusted accounts have been created between subtest.test.lan and test.lan, and between subtest2.test.lan and test.lan. The entries were created via kadmin.local.
  2. From the subtest2.test.lan domain, you can get the TGS of the subtest.test.lan domain.

But the connection via LDAP SASL GSSAPI does not occur and the error "SASL(-14): authorization failure: " appears.
  3. Do I need any additional actions to be able to perform an LDAP SASL GSSAPI bind?
Maybe I need to do SASL mapping?
I set up the trust relationship according to the instructions at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_trusts
