
Posts

Showing posts from December, 2021

FreeIPA - Unable to communicate with CMS (403)

After upgrading my ipa-servers I got this error when trying to delete hosts and when checking certificates. I'm not sure what caused it, since the upgrades ran through as expected and returned with an RC of 0. Anyway, fixing it was straightforward after some debugging and reading other online threads. The 'requiredSecret' is the shared secret that the AJP connector of pki-tomcat demands from httpd's mod_proxy_ajp; when the proxy configuration carries a different (for example stale, pre-upgrade) value, Tomcat refuses the proxied request, and that refusal surfaces in FreeIPA as the 403.

First, try to run the upgrade again and check where it fails, if it fails:

    [archy@ipa02 ~]$ sudo ipa-server-upgrade

If the upgrade runs through without errors, continue by getting the 'requiredSecret' value from '/etc/pki/pki-tomcat/server.xml':

    [archy@ipa02 ~]$ egrep -i 'requiredSecret' /etc/pki/pki-tomcat/server.xml
    <Connector port="8009" ... requiredSecret="random_generated_string"/>

Now edit the ipa-pki-proxy.conf file and make sure that in every 'ProxyPassMatch' the secret matches the 'random_generated_string' from '/etc/pki/pki-tomcat/server.xml':

    [archy@ipa02 ~]$ vim ...
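The comparison the post does by eye, extracting the AJP secret from server.xml and checking it against every ProxyPassMatch secret in ipa-pki-proxy.conf, as an added shell example that is not part of the original post. It runs against two constructed sample files in a temporary directory (the real files are /etc/pki/pki-tomcat/server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf; the sample proxy lines are simplified and the secret values are made up), and fix_proxy_secrets rewrites stale values the way the manual vim edit does.

```shell
#!/bin/sh
# Added example, not from the original post: verify (and optionally repair) the
# AJP shared secret between pki-tomcat's server.xml and httpd's ipa-pki-proxy.conf.
# A mismatch makes Tomcat reject the proxied request, which FreeIPA reports as
# "Unable to communicate with CMS (403)".

# Print the requiredSecret value of the AJP connector in a server.xml (first match).
tomcat_secret() {
    sed -n 's/.*requiredSecret="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the secret=VALUE of every ProxyPassMatch line in an ipa-pki-proxy.conf.
proxy_secrets() {
    grep -i 'ProxyPassMatch' "$1" | sed -n 's/.*secret=\([^[:space:]]*\).*/\1/p'
}

# Return 0 when every ProxyPassMatch secret equals the Tomcat one, 1 otherwise,
# naming each stale value on stderr.
check_ajp_secrets() {
    xml=$1; conf=$2
    want=$(tomcat_secret "$xml")
    [ -n "$want" ] || { echo "no requiredSecret found in $xml" >&2; return 1; }
    rc=0; n=0
    for got in $(proxy_secrets "$conf"); do
        n=$((n + 1))
        if [ "$got" != "$want" ]; then
            echo "stale secret in $conf: secret=$got (expected $want)" >&2
            rc=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "no ProxyPassMatch secret in $conf" >&2; return 1; }
    return "$rc"
}

# Rewrite every secret= in the proxy config to the Tomcat value (the post does
# this by hand in vim).  Assumes the secret is plain alphanumeric, so it needs no
# escaping for sed.  Keeps a .bak copy; httpd has to be reloaded afterwards so
# that mod_proxy_ajp picks up the new value.
fix_proxy_secrets() {
    fx_xml=$1; fx_conf=$2
    fx_want=$(tomcat_secret "$fx_xml")
    [ -n "$fx_want" ] || return 1
    cp "$fx_conf" "$fx_conf.bak" &&
    sed "s/secret=[^[:space:]]*/secret=$fx_want/" "$fx_conf.bak" > "$fx_conf"
}

# --- constructed demo files (stand-ins, not the real FreeIPA files) ---------
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/server.xml" <<'EOF'
<Connector port="8009" protocol="AJP/1.3" address="localhost" requiredSecret="random_generated_string"/>
EOF
cat > "$DEMO_DIR/ipa-pki-proxy.conf" <<'EOF'
# simplified stand-in for /etc/httpd/conf.d/ipa-pki-proxy.conf
ProxyPassMatch ajp://localhost:8009 secret=random_generated_string
ProxyPassMatch ajp://localhost:8009 secret=old_secret_from_before_the_upgrade
ProxyPassMatch ajp://localhost:8009 secret=random_generated_string
EOF

# On a real server (as root):
#   check_ajp_secrets /etc/pki/pki-tomcat/server.xml /etc/httpd/conf.d/ipa-pki-proxy.conf
```

check_ajp_secrets exits non-zero on the demo files because the second ProxyPassMatch still carries the old value; after fix_proxy_secrets every line matches and the check passes. Run the check on both files before and after an upgrade and you know whether the AJP secret was rotated in only one place.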

Ansible - Working with immutable files

You can harden your system by making important files such as '/etc/sssd/sssd.conf' or '/etc/selinux/config' immutable, to prevent automatic changes to these files. Keep in mind that the immutable attribute only stops accidental or scripted edits: root can remove it again with 'chattr -i', so it is a guard against mistakes, not against an attacker who already has root. I'll template these using Ansible to have a deployment workflow, so that all my systems are equal and I can make changes in a deployment fashion. Here are some tasks to give you a basic idea:

    - name: selinux config immutable block
      block:
        - name: configure selinux config
          template:
            src: templates/etc/selinux/config.j2
            dest: /etc/selinux/config
            owner: root
            group: root
            mode: '0644'
          tags:
            - selinux_config
        - name: set immutable attribute
          file:
            path: /etc/selinux/config
            attr: '+i'
      rescue:
        - name: unset immutable attribute
          file:
            path: /etc/selinux/config
            attr:...

FreeIPA - 2FA suddenly stopped working

I've had this happen to me twice over the last month: 2FA stopped working seemingly overnight. There is a service in FreeIPA dedicated to handling OTP requests, called 'ipa-otpd', and if that service is stopped, 2FA will not work on the IPA server or on any host that authenticates against this particular server. Keep in mind that even using '_srv_' in sssd.conf will not prevent this, because the server still responds perfectly well to requests; it just won't work with 2FA. You can check if that's the case by checking the status of all IPA services:

    [archy@ipa01 ~]$ sudo ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: STOPPED
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

If the ipa-otpd service is stopped like ...
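Because sssd failover does not notice a server whose OTP daemon is down, the practical answer is to watch for it. The following is an added shell example, not part of the original post: it parses 'ipactl status' output and reports every IPA service that is not RUNNING, so a stopped ipa-otpd is caught by monitoring rather than by users whose 2FA logins fail. The sample output below is a constructed copy of the status listing above; on a real server you pipe 'sudo ipactl status' into check_ipa_services.

```shell
#!/bin/sh
# Added example, not from the original post: flag IPA services that are not
# RUNNING in 'ipactl status' output.  Meant as a cron or monitoring check.

# Read ipactl status on stdin; print "<service> <state>" for each service whose
# state is not RUNNING.  Status lines look like "ipa-otpd Service: STOPPED";
# the final "ipa: INFO: ..." line contains no " Service: " and is skipped.
not_running() {
    awk -F': ' '/ Service: / && $2 != "RUNNING" { sub(/ Service$/, "", $1); print $1, $2 }'
}

# Exit 0 when everything is RUNNING, 1 otherwise, listing the offenders on stderr.
check_ipa_services() {
    bad=$(not_running)
    [ -z "$bad" ] && return 0
    printf 'IPA services not running:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample, copied from the post's ipactl output (ipa-otpd stopped).
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Usage on a live server (ipactl needs root):
#   sudo ipactl status | check_ipa_services
```

On the sample the check prints "ipa-otpd STOPPED" and exits 1; any state other than RUNNING is treated as a failure, so a service ipactl reports as failed or unknown is flagged too. This only catches a daemon that is down, not one that is hung, so an end-to-end OTP login test from a client is still worth having alongside it.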