53285 2025-03-03 18:28:55 +0300 cepces: В getcert list пусто: не запрашивает и не получает сертификаты: Failed to fetch the list of supported templates 2025-10-10 15:20:16 +0300 1 1 4 Development Sisyphus cepces unstable x86_64 Linux NEW P5 normal --- 1 alimektor sin belayaav sin slev varaksaaa qa-sisyphus oldest_to_newest 260251 0 alimektor 2025-03-03 18:28:55 +0300 Версия - cepces-0.3.8-alt2 - samba-4.20.7-alt1 Шаги воспроизведения К багу прикреплён документ с более подробными шагами. 1. Развернуть Windows AD в качестве домена. 2. Настроить Службы сертификации 3. Настроить автоматической регистрации сертификата сервера - https://learn.microsoft.com/ru-ru/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment 4. Настроить общий каталога на сервере для передачи сертификатов. 5. Выполнить настройку сервера IIS. 6. Выполнить настройку клиентов: mkdir -p /mnt/adshare && mount -v -t cifs -o user=Admin //addc.windows.testdomain/share /mnt/adshare && l /mnt/adshare cp /mnt/adshare/windowsad.cer /etc/pki/ca-trust/source/anchors/ && \ update-ca-trust && \ trust list | grep windows cp /mnt/adshare/windowsad-root.cer /etc/pki/ca-trust/source/anchors/ && \ update-ca-trust && \ trust list | grep windows-addc-ca -i apt-get install -y cepces cepces-certmonger python3-module-cepces samba-gpupdate mkdir -p /etc/pki/trust/anchors 7. Настроить cepces по умолчанию: sed -i "s/^server=.*/server=addc.windows.testdomain/" /etc/cepces/cepces.conf && grep 'server=' /etc/cepces/cepces.conf 8. Убедиться, что cepces зарегистрирован в certmonger на клиенте: # getcert list-cas -c cepces 9. Выполнить команду: # samba-gpupdate --rsop 10. Запустить запрос: # samba-gpupdate --force && echo $? 11. Убедиться, что CA отображаемся в списке (OK): # getcert list-cas -c windows-ADDC-CA 12. Показать список отслеживаемых сертификатов: # getcert list Ожидаемый результат: Отображает отслеживаемые сертификаты Number of certificates and requests being tracked: 1. Request ID 'windows-ADDC-CA.Machine': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/samba/private/certs/windows-ADDC-CA.Machine.key' certificate: type=FILE,location='/var/cache/samba/certs/windows-ADDC-CA.Machine.crt' CA: windows-ADDC-CA issuer: CN=windows-ADDC-CA,DC=windows,DC=testdomain subject: CN=ieb6ahwa.windows.testdomain issued: 2025-03-03 18:06:44 MSK expires: 2026-03-03 18:06:44 MSK dns: ieb6ahwa.windows.testdomain key usage: digitalSignature,keyEncipherment eku: id-kp-clientAuth,id-kp-serverAuth certificate template/profile: Machine profile: Machine pre-save command: post-save command: track: yes auto-renew: yes Фактический результат: Ошибка: Number of certificates and requests being tracked: 0. Воспроизводится в P11. Не воспроизводится в P10: - cepces-0.3.7-alt1 - samba-4.19.9-alt4 271913 1 varaksaaa 2025-09-03 12:42:01 +0300 Воспроизводится и с samba-4.21.7-alt4.x86_64. Дополнительно: Если запустить `# samba-gpupdate --debuglevel=1 --force`, видны ошибки, хотя код выхода остаётся 0: > ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory > ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory > ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory > ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory > 2025-09-03 12:32:55.472|[E66544]| Failed to fetch the list of supported templates. | {'Error': '...'} Ошибка: > 2025-09-03 12:32:55,419 __main__:ERROR:Traceback (most recent call last): > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 787, in urlopen > response = self._make_request( > ^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 488, in _make_request > raise new_e > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 464, in _make_request > self._validate_conn(conn) > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn > conn.connect() > File "/usr/lib/python3/site-packages/urllib3/connection.py", line 741, in connect > sock_and_verified = _ssl_wrap_socket_and_match_hostname( > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname > ssl_sock = ssl_wrap_socket( > ^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 480, in ssl_wrap_socket > ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 524, in _ssl_wrap_socket_impl > return ssl_context.wrap_socket(sock, server_hostname=server_hostname) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib64/python3.12/ssl.py", line 455, in wrap_socket > return self.sslsocket_class._create( > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib64/python3.12/ssl.py", line 1041, in _create > self.do_handshake() > File "/usr/lib64/python3.12/ssl.py", line 1319, in do_handshake > self._sslobj.do_handshake() > ConnectionResetError: [Errno 104] Connection reset by peer > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File "/usr/lib/python3/site-packages/requests/adapters.py", line 667, in send > resp = conn.urlopen( > ^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 841, in urlopen > retries = retries.increment( > ^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/util/retry.py", line 474, in increment > raise reraise(type(error), error, _stacktrace) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/util/util.py", line 38, in reraise > raise value.with_traceback(tb) > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 787, in urlopen > response = self._make_request( > ^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 488, in _make_request > raise new_e > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 464, in _make_request > self._validate_conn(conn) > File "/usr/lib/python3/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn > conn.connect() > File "/usr/lib/python3/site-packages/urllib3/connection.py", line 741, in connect > sock_and_verified = _ssl_wrap_socket_and_match_hostname( > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname > ssl_sock = ssl_wrap_socket( > ^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 480, in ssl_wrap_socket > ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/urllib3/util/ssl_.py", line 524, in _ssl_wrap_socket_impl > return ssl_context.wrap_socket(sock, server_hostname=server_hostname) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib64/python3.12/ssl.py", line 455, in wrap_socket > return self.sslsocket_class._create( > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib64/python3.12/ssl.py", line 1041, in _create > self.do_handshake() > File "/usr/lib64/python3.12/ssl.py", line 1319, in do_handshake > self._sslobj.do_handshake() > urllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')) > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File "/usr/libexec/certmonger/cepces-submit", line 68, in main > service = Service(config) > ^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/cepces/core.py", line 90, in __init__ > self._policies = self._xcep.get_policies() > ^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/cepces/xcep/service.py", line 52, in get_policies > response = self.send(envelope) > ^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/cepces/soap/service.py", line 82, in send > req = requests.post(url=self._endpoint, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/requests/api.py", line 115, in post > return request("post", url, data=data, json=json, **kwargs) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/requests/api.py", line 59, in request > return session.request(method=method, url=url, **kwargs) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/requests/sessions.py", line 589, in request > resp = self.send(prep, **send_kwargs) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/requests/sessions.py", line 703, in send > r = adapter.send(request, **kwargs) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3/site-packages/requests/adapters.py", line 682, in send > raise ConnectionError(err, request=request) > requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')) --- По https://dmulder.github.io/group-policy-book/certautoenroll.html#examining-logs # cat /var/log/cepces/cepces.log | rg 'Caused by' ошибки > requests.exceptions.ConnectionError: HTTPSConnectionPool(host='ca', port=443): Max retries exceeded with url: /ADPolicyProvider_CEP_Kerberos/service.svc/CEP (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7f1ce1ad7440>: Failed to resolve 'ca' ([Errno -5] No address associated with hostname)")) но количество не увеличивается при повторном запуске `samba-gpupdate`, возможно это ошибки до корректной конфигурации `/etc/cepces/cepces.conf`. --- При ручном создании запроса по https://github.com/openSUSE/cepces/wiki/Usage запрос отображается, но "CA_UNCONFIGURED": > Request ID 'MachineCertificate': > status: CA_UNCONFIGURED > stuck: yes > key pair storage: type=FILE,location='/root/machine.key' > certificate: type=FILE,location='/root/machine.crt' > CA: windows-ADDC-CA > issuer: > subject: > issued: unknown > expires: unknown > profile: Machine > pre-save command: > post-save command: > track: yes > auto-renew: yes В Windows никаких запросов сертификатов не отображается в средстве "Центр сертификации". 271914 2 varaksaaa 2025-09-03 12:43:17 +0300 > При ручном создании запроса по https://github.com/openSUSE/cepces/wiki/Usage # getcert request -c windows-ADDC-CA -T Machine -I MachineCertificate -k machine.key -f machine.crt 274199 3 belayaav 2025-10-10 15:20:16 +0300 Ошибка актуальна samba-4.21.8-alt3 cepces-0.3.8-alt2