FreeIPA Server Error - ipa: ERROR: No valid Negotiate header in server response - kerberos

I have recently installed FreeIPA on RHEL7. This seems to run well for a few hours and then calls to ipa start to fail with the following error.
ipa: ERROR: No valid Negotiate header in server response
==================================================
[root ~]# ipa -v user-find --all
ipa: INFO: trying https://xxx.xxx.xxx.xxx/ipa/json
ipa: INFO: [try 1]: Forwarding 'user_find/1' to json server 'https://xxx.xxx.xxx.xxx/ipa/json'
ipa: ERROR: No valid Negotiate header in server response
==================================================
[I have masked the hostnames with 'xxx']
In /var/log/httpd/error_log I see the following error.
[Thu Dec 14 15:50:23.413286 2017] [auth_gssapi:error] [pid 10694] [client xxx.xxx.xxx.xxx:50198] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [Unspecified GSS failure. Minor code may provide more information ( Request ticket server HTTP/xxx.xxxx.xxxx.xxx@EC2.INTERNAL kvno 2 not found in keytab; keytab is likely out of date)], referer: https://xxx.xxx.xxx.xxx/ipa/xml
What is the possible cause? Looks like some misconfiguration.
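As an added example (not from the question or from FreeIPA itself), a small Python check that pulls the service principal and kvno out of the auth_gssapi error line above and compares them with a klist -kt listing of the HTTP keytab, so the "keytab is likely out of date" hint can be confirmed from the two artifacts. The hostname, client address and keytab path are assumed placeholders.

```python
import re

# Constructed sample: the auth_gssapi line from the question, with the masked
# hostname and client address replaced by placeholders (assumption, not from the page).
ERROR_LOG = [
    "[Thu Dec 14 15:50:23.413286 2017] [auth_gssapi:error] [pid 10694] "
    "[client 203.0.113.10:50198] GSS ERROR In Negotiate Auth: "
    "gss_accept_sec_context() failed: [Unspecified GSS failure. Minor code "
    "may provide more information ( Request ticket server "
    "HTTP/ipa.example.test@EC2.INTERNAL kvno 2 not found in keytab; keytab "
    "is likely out of date)], referer: https://ipa.example.test/ipa/xml",
]

# Constructed `klist -kt` output for the HTTP keytab: only kvno 1 is present.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/13/2017 09:01:11 HTTP/ipa.example.test@EC2.INTERNAL
   1 12/13/2017 09:01:11 HTTP/ipa.example.test@EC2.INTERNAL
"""

TICKET_RE = re.compile(
    r"Request ticket server (?P<princ>\S+) kvno (?P<kvno>\d+) not found in keytab")
# klist -kt rows: kvno, date, time, principal
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s*$", re.M)

def parse_missing_kvno(lines):
    """Return {principal: {kvno}} that the KDC issued tickets for but the keytab lacked."""
    wanted = {}
    for line in lines:
        m = TICKET_RE.search(line)
        if m:
            wanted.setdefault(m["princ"], set()).add(int(m["kvno"]))
    return wanted

def parse_keytab_listing(text):
    """Return {principal: {kvno}} from `klist -kt` output."""
    have = {}
    for m in KLIST_RE.finditer(text):
        have.setdefault(m["princ"], set()).add(int(m["kvno"]))
    return have

def diagnose(lines, klist_text):
    """Per principal: kvno the KDC expects, kvno the keytab has, and whether it is stale."""
    wanted, have = parse_missing_kvno(lines), parse_keytab_listing(klist_text)
    return {p: {"kdc_kvno": sorted(k), "keytab_kvno": sorted(have.get(p, set())),
                "stale": not k <= have.get(p, set())} for p, k in wanted.items()}
```

A principal reported as stale means the KDC has a newer key than the keytab holds, which is exactly the condition the error message describes.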

Related

Cannot load certificate file client.crt

Linux Mint 21
Successfully installed openvpn.
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Now I want to connect to a remote setup via openvpn.
sudo openvpn Leo.ovpn
but I get this error:
2022-08-15 09:29:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-15 09:29:10 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-15 09:29:10 WARNING: file 'client.key' is group or others accessible
2022-08-15 09:29:10 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-15 09:29:10 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-15 09:29:10 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-08-15 09:29:10 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-08-15 09:29:10 Cannot load certificate file client.crt
2022-08-15 09:29:10 Exiting due to fatal error
P.S. I checked the folder. The files client.crt and ca.crt exist.

Error when running 'flutterfire configure': HTTP Error: 403, The caller does not have permission

On the flutterfire configure command I am getting this error.
OS: Fedora 36
[debug] [2022-06-09T16:49:47.182Z] ----------------------------------------------------------------------
[debug] [2022-06-09T16:49:47.184Z] Command: /usr/local/bin/firebase /home/virendra/.cache/firebase/tools/lib/node_modules/firebase-tools/lib/bin/firebase projects:create my-notes-vcarp --json
[debug] [2022-06-09T16:49:47.185Z] CLI Version: 11.0.1
[debug] [2022-06-09T16:49:47.185Z] Platform: linux
[debug] [2022-06-09T16:49:47.185Z] Node Version: v16.15.0
[debug] [2022-06-09T16:49:47.186Z] Time: Thu Jun 09 2022 22:19:47 GMT+0530 (India Standard Time)
[debug] [2022-06-09T16:49:47.186Z] ----------------------------------------------------------------------
..
..
https://firebase.googleapis.com/v1beta1/projects/my-notes-vcarp:addFirebase {"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}
[debug] [2022-06-09T16:50:00.272Z] HTTP Error: 403, The caller does not have permission
[debug] [2022-06-09T16:50:00.277Z] FirebaseError: HTTP Error: 403, The caller does not have permission
at module.exports (/home/virendra/.cache/firebase/tools/lib/node_modules/firebase-tools/lib/responseToError.js:47:12)
at RetryOperation._fn (/home/virendra/.cache/firebase/tools/lib/node_modules/firebase-tools/lib/apiv2.js:286:39)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
[error]
[error] Error: Failed to add Firebase to Google Cloud Platform project. See firebase-debug.log for more info.
Create a project first directly on Firebase and then select it from the CLI options. Most likely, Flutterfire does not have Firebase permissions.
Thanks to Tomas Radvansky for their help.
Simply run firebase login:ci to generate an access key before you run the flutterfire configure command.

ubuntu openstack ocata - Discovering versions from the identity service failed

command:
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
error:
Discovering versions from the identity service failed when creating
the password plugin. Attempting to determine version from URL.
Internal Server Error (HTTP 500)
Error in keystone.log:
2018-06-12 10:40:05.888577 mod_wsgi (pid=16170): Target WSGI script '/usr/bin/keystone-wsgi-admin' cannot be loaded as Python module.
2018-06-12 10:40:05.888611 mod_wsgi (pid=16170): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-admin'.
2018-06-12 10:40:05.888634 Traceback (most recent call last):
2018-06-12 10:40:05.888656 File "/usr/bin/keystone-wsgi-admin", line 51, in <module>
2018-06-12 10:40:05.888688 application = initialize_admin_application()
2018-06-12 10:40:05.888702 File "/usr/lib/python2.7/dist-packages/keystone/server/wsgi.py", line 129, in initialize_admin_application
2018-06-12 10:40:05.888726 config_files=_get_config_files())
2018-06-12 10:40:05.888739 File "/usr/lib/python2.7/dist-packages/keystone/server/wsgi.py", line 53, in initialize_application
2018-06-12 10:40:05.888759 common.configure(config_files=config_files)
2018-06-12 10:40:05.888772 File "/usr/lib/python2.7/dist-packages/keystone/server/common.py", line 30, in configure
2018-06-12 10:40:05.888792 keystone.conf.configure()
2018-06-12 10:40:05.888805 File "/usr/lib/python2.7/dist-packages/keystone/conf/__init__.py", line 126, in configure
2018-06-12 10:40:05.888826 help='Do not monkey-patch threading system modules.'))
2018-06-12 10:40:05.888839 File "/usr/lib/python2.7/dist-packages/oslo_config/cfg.py", line 2288, in __inner
2018-06-12 10:40:05.888860 result = f(self, *args, **kwargs)
2018-06-12 10:40:05.888872 File "/usr/lib/python2.7/dist-packages/oslo_config/cfg.py", line 2478, in register_cli_opt
2018-06-12 10:40:05.888892 raise ArgsAlreadyParsedError("cannot register CLI option")
2018-06-12 10:40:05.888915 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
error.log:
[Tue Jun 12 10:12:18.510745 2018] [mpm_event:notice] [pid 29892:tid 139804806121344] AH00491: caught SIGTERM, shutting down
[Tue Jun 12 10:12:29.674244 2018] [wsgi:warn] [pid 16158:tid 139690338350976] mod_wsgi: Compiled for Python/2.7.11.
[Tue Jun 12 10:12:29.674304 2018] [wsgi:warn] [pid 16158:tid 139690338350976] mod_wsgi: Runtime using Python/2.7.12.
[Tue Jun 12 10:12:29.676957 2018] [mpm_event:notice] [pid 16158:tid 139690338350976] AH00489: Apache/2.4.18 (Ubuntu) mod_wsgi/4.3.0 Python/2.7.12 configured -- resuming normal operations
[Tue Jun 12 10:12:29.676985 2018] [core:notice] [pid 16158:tid 139690338350976] AH00094: Command line: '/usr/sbin/apache2'
Can somebody please help me solve the issue?
Issue solved.
The error was in mod_wsgi according to the log. The Web Service Gateway Interface (WSGI) middleware pipeline for the Identity service is configured in the keystone-paste.ini file, so I compared my file with the keystone-paste.ini file from the OpenStack docs available on the internet, changed the pipeline configuration, and the issue got solved.
I have edited the /etc/keystone/keystone-paste.ini file.
Under [pipeline:public_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id
changed above line to:
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
Same way edited [pipeline:admin_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id
changed pipeline to:
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
Also made changes in [pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id
changed above line to:
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
By making the following changes the issue got solved.
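As an added example (not part of the answer or of Keystone), a Python check that parses the three pipeline sections of keystone-paste.ini and flags the shape of the fix above: a Paste pipeline must end in an app, and the Keystone pipelines need the build_auth_context and token_auth filters in front of it. The expected app per pipeline is taken from the corrected lines in the answer.

```python
import configparser

# Constructed excerpt: the truncated pipelines from the question.
BROKEN_INI = """\
[pipeline:public_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id

[pipeline:admin_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id

[pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id
"""

# Constructed excerpt: the corrected pipelines from the answer.
FIXED_INI = """\
[pipeline:public_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

# In a Paste pipeline every element but the last is a filter; the last is the app.
APPS = {"public_api": "public_service", "admin_api": "admin_service", "api_v3": "service_v3"}
AUTH_FILTERS = ("build_auth_context", "token_auth")

def check_pipelines(ini_text):
    """Return {pipeline_name: [problem, ...]} for every pipeline section that is not well formed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    problems = {}
    for section in cp.sections():
        if not section.startswith("pipeline:"):
            continue
        name = section.split(":", 1)[1]
        elements = cp.get(section, "pipeline").split()
        found = []
        if elements[-1] != APPS.get(name):
            found.append(f"last element {elements[-1]!r} is not the app {APPS.get(name)!r}")
        missing = [f for f in AUTH_FILTERS if f not in elements]
        if missing:
            found.append("missing auth filters: " + " ".join(missing))
        if found:
            problems[name] = found
    return problems
```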

Postfix possible SMTP attack and blacklist

I have plesk 12.5.30 on my server which is often blacklisted on Symantec Mail Security reputation.
The IP is new (I purchased the server on 13.02.2017).
Also my IP is blacklisted on BACKSCATTERER.
Looking at the postfix log I have a lot of entries like
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have
Changed the smtp port to a non-standard one (9456)
Installed a firewall and fail2ban on plesk and set them as in the image
Set the mail settings of plesk as in the image
Installed SpamAssassin
I have also noticed that some days ago I had lines in the log like these
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e@www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226@brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office@angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And I noticed a very long mail queue in the Plesk settings (I have deleted all mail in the queue).
Any advice on how to block this attack?
Thanks in advance
Edit: I want to share my plesk-postfix settings
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
Is there something I can improve here?
You might consider using a Fail2Ban filter with the following regex expressions:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex expressions, please consider ADDING the corresponding log file entries, because some general standard ones may not suit your needs and/or your qmail/postfix/imap-courier/dovecot version installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, incl. the regex, that @MattiaDiGiuseppe already used in his comments - it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Please consider having a look at all standard filters (for Fail2Ban 0.10 AND older versions) by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you want to view the standard ones for older versions, just click on the "Branch: 0.10" dropdown button.
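As an added example (not part of the answer or of Fail2Ban), a Python script that applies the six failregex lines above to the log lines from the question and emulates the jail's maxretry = 2 counting, so you can see which hosts the filter would actually catch before deploying it. The %(__prefix_line)s expansion and the <HOST> group are simplified stand-ins for Fail2Ban's own definitions, the SASL rule is written with (?i:...) because modern Python rejects a mid-pattern (?i) flag, and the two SASL failure lines are constructed.

```python
import re
from collections import Counter

# Simplified stand-in for Fail2Ban's %(__prefix_line)s on a syslog-style maillog line
# such as "Mar 22 14:51:45 server postfix/smtpd[14204]: ".
DAEMON = r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]"   # _daemon from the answer
PREFIX = r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+" + DAEMON + r"\[\d+\]:\s+"
HOST = r"(?P<host>[\w.:-]+)"   # simplified stand-in for Fail2Ban's <HOST> tag

# The six failregex lines from the answer (SASL rule adapted to (?i:...) for Python).
FAILREGEX = [
    r"warning: (.*?)does not resolve to address <HOST>: Name or service not known$",
    r"warning: [-._\w]+\[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$",
    r"SSL_accept error from \S+\s*\[<HOST>\]: lost connection$",
    r"SSL_accept error from \S+\s*\[<HOST>\]: -1$",
    r"lost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$",
]
COMPILED = [re.compile(PREFIX + p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Sample log: four lines from the question plus two constructed SASL failures.
SAMPLE_LOG = [
    "Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]",
    "Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]",
    "Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]",
    "Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]",
    "Mar 22 14:53:02 server postfix/smtpd[14210]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar 22 14:53:05 server postfix/smtpd[14210]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed",
]

def match_line(line):
    """Return (failregex_index, host) for the first rule that matches the line, else None."""
    for i, rx in enumerate(COMPILED):
        m = rx.match(line)
        if m:
            return i, m.group("host")
    return None

def would_ban(lines, maxretry=2):
    """Emulate the jail: hosts with at least maxretry matching lines would be banned."""
    hits = Counter(r[1] for r in map(match_line, lines) if r)
    return {h: n for h, n in hits.items() if n >= maxretry}
```

With the question's maxretry = 2, the two "lost connection after EHLO" hosts each match once and are not banned, while the host with two SASL failures is.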

Self-stopping a fast-cgi application on Apache

I'm debugging a problem with Apache, Fast-CGI and our Perl application.
The root cause is that the Perl application needs to exit and be reloaded if a certain operation was done.
Under CGI it is not a problem, as the application is being loaded for every request.
However, it seems that the FastCGI protocol did not consider this case - there is no way to signal the web server that you are going to exit - you just exit.
But in doing so, we ran into what seemed like a race condition on the mod_fastcgi side: it recognizes that the program exited, but then tries to send it requests. Eventually it gives up and returns error 500 to the browser.
I see similar error messages on the web, but these are about PHP exiting after 500 requests, and the solution is to tell fastcgi to limit requests-per-process to 500. This does not fit my problem, as I need to exit on a certain request and not after a fixed number of requests.
Info:
Apache module loading:
LoadModule fastcgi_module libexec/apache2/mod_fastcgi.so
Two log lines: the server detects that the app exited, but then tries to connect to it
[Thu Jul 05 15:02:32 2012] [warn] FastCGI: (dynamic) server "/Users/sfomberg/Sites/cgi-bin/mt/mt.cgi" (pid 9277) terminated by calling exit with status '0'
[Thu Jul 05 15:02:32 2012] [warn] FastCGI: (dynamic) server "/Users/sfomberg/Sites/cgi-bin/mt/mt.cgi" has failed to remain running for 30 seconds given 3 attempts, its restart interval has been backed off to 600 seconds
Finally, giving up:
[Thu Jul 05 15:03:07 2012] [error] [client 127.0.0.1] FastCGI: comm with (dynamic) server "/Users/sfomberg/Sites/cgi-bin/mt/mt.cgi" aborted: (first read) idle timeout (30 sec), referer: http://localhost/~sfomberg/cgi-bin/mt/mt.cgi?__mode=cfg_plugins&blog_id=0&switched=1
[Thu Jul 05 15:03:07 2012] [error] [client 127.0.0.1] FastCGI: incomplete headers (0 bytes) received from server "/Users/sfomberg/Sites/cgi-bin/mt/mt.cgi", referer: http://localhost/~sfomberg/cgi-bin/mt/mt.cgi?__mode=cfg_plugins&blog_id=0&switched=1
I tried to close the listening socket (the listening socket is fileno 0) directly before ending the request, but that didn't work.
Thanks.
The problem was that mod_fastcgi was an old version - 2.4.2.
Upgrading to 2.4.6 solved it.
Also, mod_fcgid does not have this problem.