Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
Hi Martin,

  No joy on placing - in front of the RC4s


I modified my nss.conf  to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1



But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing.  Is it the fact that
I am not
offering -tls_rsa_export1024_with_rc4_56_sha?  If so.. not really
understanding where it is coming from cept the +all from DS but the -
should be negating that?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.86s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds



It seems no matter what config I put into nss.conf or dse.ldif nothing
changes with my nmap results.  Is there supposed to be a section to
add TLS ciphers instead of SSL?



Sean Hogan







From:   Sean Hogan/Durham/IBM
To: Martin Kosek 
Cc: freeipa-users 
Date:   04/27/2016 09:59 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL




I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.78s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.


And 636 and 389 for

Plugin ID: 81606  port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.


So I do see RC4 and the exports so I guess I can - those in the dse.ldif





From:   Sean Hogan/Durham/IBM
To: Martin Kosek 
Cc: freeipa-users 
Date:   04/27/2016 09:33 AM
Subject: Re:
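
The nmap runs and the Tenable findings above amount to a manual pass/fail check on the LDAPS cipher list. The following is an added example, not code from this thread or from FreeIPA/389-ds: a Python parser for ssl-enum-ciphers output that flags the suite classes the scanner complained about (RC4, EXPORT_RSA) plus the other legacy classes current scanners also report, so the re-scan after each dse.ldif or nss.conf edit can be checked automatically. The hostname and address in the embedded sample are placeholders; the suite list is the one from the scan quoted above.

```python
"""Parse Nmap ssl-enum-ciphers output and flag weak cipher suites.

Added example (not code from the mailing-list posts or from FreeIPA/389-ds).
It turns the 'run nmap, eyeball the list' loop from the thread into a check
that can be asserted on after every config change.
"""
import re
from collections import OrderedDict

# Constructed sample: the Nmap 5.51 output quoted in the thread, with a
# placeholder hostname/address.  Indentation is as nmap prints it.
SAMPLE_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for ldap.example.test (192.0.2.10)
Host is up (0.86s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
"""

# Suite-name pattern -> why a scanner flags it.  The first two are the
# findings quoted in the thread (Tenable plugins 65821 and 81606).
WEAK_RULES = OrderedDict([
    ("RC4",    (re.compile(r"_RC4_"),     "RC4 stream cipher (biased keystream)")),
    ("EXPORT", (re.compile(r"_EXPORT"),   "export-grade key exchange (downgrade risk)")),
    ("NULL",   (re.compile(r"_NULL_"),    "NULL cipher, no confidentiality")),
    ("DES",    (re.compile(r"_DES_CBC_"), "single DES, 56-bit key")),
    ("3DES",   (re.compile(r"_3DES_"),    "3DES, 64-bit block cipher")),
    ("MD5",    (re.compile(r"_MD5$"),     "MD5-based MAC")),
])

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.\d)?)$")
SUITE_RE = re.compile(r"^[A-Z0-9_]+_WITH_[A-Z0-9_]+$")


def parse_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers script output.

    Keys on line content after stripping the '|' / '|_' gutter, so it also
    copes with the flattened indentation seen in mailing-list copies.
    """
    suites_by_proto = OrderedDict()
    proto, in_ciphers = None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_ \t").rstrip()
        if PROTO_RE.match(line):
            proto, in_ciphers = line, False
            suites_by_proto.setdefault(proto, [])
        elif line.startswith("Ciphers"):
            in_ciphers = True
        elif line.startswith("Compressors"):
            in_ciphers = False
        elif in_ciphers and proto and SUITE_RE.match(line):
            suites_by_proto[proto].append(line)
    return suites_by_proto


def classify(suite):
    """Return the WEAK_RULES keys matching a suite name ([] when clean)."""
    return [key for key, (pat, _) in WEAK_RULES.items() if pat.search(suite)]


def weak_suites(text):
    """Return {protocol: {suite: [reasons]}} for every flagged suite."""
    report = OrderedDict()
    for proto, suites in parse_enum_ciphers(text).items():
        report[proto] = OrderedDict(
            (s, classify(s)) for s in suites if classify(s))
    return report


def still_offered(text, suite):
    """True if the suite is offered under any protocol: the re-check the
    thread does by hand after each dse.ldif / nss.conf edit."""
    return any(suite in s for s in parse_enum_ciphers(text).values())


if __name__ == "__main__":
    offered = parse_enum_ciphers(SAMPLE_SCAN)
    for proto, flagged in weak_suites(SAMPLE_SCAN).items():
        print("%s: %d weak of %d offered" % (proto, len(flagged), len(offered[proto])))
        for suite, reasons in flagged.items():
            print("  %-40s %s" % (suite, "; ".join(WEAK_RULES[r][1] for r in reasons)))
    print("EXPORT1024 RC4 still offered:",
          still_offered(SAMPLE_SCAN, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"))
```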

Re: [Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Sullivan, Daniel [AAA]
Thank you.

Dan

> On Apr 27, 2016, at 3:00 PM, Alexander Bokovoy  wrote:
> 
> On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote:
>> Hi,
>> 
>> I have a trusted AD domain that I am enumerating objects via IPA.  I
>> wanted to know if I should be able to manipulate the uidNumber and
>> gidNumber stored in the default ID view by using the ldapmodify
>> command, for example, for this DN (not local):
>> 
>> uid=u...@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu
>> 
>> Should it be possible to modify this via IPA’s LDAP implementation
>> (using ldapmodify)?  I appreciate you taking the time to answer my
>> question.
> No. The subtree in cn=compat,$SUFFIX is read-only and is generated every
> time you restart LDAP server.
> 
> uid/gid in default ID View are managed via
> idoverrideuser/idoverridegroup set of commands.
> 
> See 'ipa help idviews' for details.
> 
> -- 
> / Alexander Bokovoy



This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please 
notify the sender and destroy all copies of the transmittal. 

Thank you
University of Chicago Medicine and Biological Sciences 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] does ptr records an admin have to take care of manually? testing!

2016-04-27 Thread sergey ivanov
sitest2
Regards,
Sergey Ivanov | serge...@gmail.com
bitmessage:  BM-NBaNYkjtB5QBtoqvNYHvoEbNQqVMPBZD
digitalnote: ddeDtD1zUPvLBsxC5K8NSiAiXJeKeGpH1fd4ad41UuBU\
EUyKzT7JoND26FrJNdsies7EwoiSTKhMi5KEqyn525ZD2LAA3JCjQ


On Wed, Apr 27, 2016 at 9:12 AM, lejeczek  wrote:
> hi,
>
> regular server install with --setup-dns
> then clients to follow, but I see there:
>
> Missing reverse record(s) for address(es):
>
> does that mean that by default server install process does not include
> reverse zones?
> These need to be set up manually/independently ?
>
> many thanks



Re: [Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote:

Hi,

I have a trusted AD domain that I am enumerating objects via IPA.  I
wanted to know if I should be able to manipulate the uidNumber and
gidNumber stored in the default ID view by using the ldapmodify
command, for example, for this DN (not local):

uid=u...@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu

Should it be possible to modify this via IPA’s LDAP implementation
(using ldapmodify)?  I appreciate you taking the time to answer my
question.

No. The subtree in cn=compat,$SUFFIX is read-only and is generated every
time you restart LDAP server.

uid/gid in default ID View are managed via
idoverrideuser/idoverridegroup set of commands.

See 'ipa help idviews' for details.

--
/ Alexander Bokovoy


[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-27 Thread Anthony Cheng
Hi list,

I am trying to renew expired certificates following the manual renewal
procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
even with resetting the system/hardware clock to a time before they expired, I
am getting the error "ca-error: Error setting up ccache for local "host"
service using default keytab: Clock skew too great."

With NTP disabled and the clock reset, why would it complain about clock skew and
how does it even know the current time?

[root@test certs]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130519130741':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130742':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130743':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS 

[Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Sullivan, Daniel [AAA]
Hi,

I have a trusted AD domain that I am enumerating objects via IPA.  I wanted to 
know if I should be able to manipulate the uidNumber and gidNumber stored in 
the default ID view by using the ldapmodify command, for example, for this 
DN (not local):

uid=u...@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu

Should it be possible to modify this via IPA’s LDAP implementation (using 
ldapmodify)?  I appreciate you taking the time to answer my question.

Thank you,

Dan Sullivan



Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Bret Wortman
I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It 
looks logical to me, but I can't spot anything that looks like a root 
cause error. The selftests are all okay, I think. The debug log might 
have something, but it might also just be complaining about ldap not 
being up because it's not.



On 04/27/2016 01:11 PM, Rob Crittenden wrote:

Bret Wortman wrote:

So in lieu of fixing these certs, is there an acceptable way to dump
them all and start over /without losing the contents of the IPA
database/? Or otherwise really screwing ourselves?


I don't believe there is a way.


We have a replica that's still up and running and we've switched
everyone over to talking to it, but we're at risk with just the one.


I'd ignore the two unknown certs for now. They look like someone was 
experimenting with issuing a cert and didn't quite get things working.


The CA seems to be throwing an error. I'd check the syslog for 
messages from certmonger and look at the CA debug log and selftest log.


rob


[snip]



Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan

Hi Alex,

   Just wanted to make sure.. needed to know if I had to upgrade or spend
more time trial and erroring this out.

So since my nmap is showing this
[bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636
`hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.90s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds


I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA so looked up what DS
actually names this to be and it looks like these have to be removed:

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: rsa_rc4_56_sha, tls_dhe_dss_1024_rc4_sha,
tls_rsa_export1024_with_rc4_56_sh

I stopped IPA with ipactl stop
modified dse.ldif with this
  
  


nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1

Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.78s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Am I doing something wrong here?



Sean Hogan







From:   Alexander Bokovoy 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users 
Date:   04/27/2016 10:35 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL



On Wed, 27 Apr 2016, Sean Hogan wrote:
>
>Hello Alexander
>
>
>I knew the below which is why I added my DS rpm version in the orig email
>which made sense to me but per 389 DS docs allowweakcipher starts in
>1.3.3.2 in case anyone else reads this.  At least that's what the docs say
>but you may know something where it actually does not work til 1.3.4.0.  I
>dunno
>http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
>
>Additionally I want to clarify the comment 4.3.1 has this as default
>setup.
>Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
>stronger ssl config and that anyone who needs tighter cipher control needs
>to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7
All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy




Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
All good!!!

Gady

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: April 27, 2016 1:19 PM
To: Gady Notrica
Cc: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>Is there a reason why my AD show offline?
>
>[root@cd-p-ipa1 /]# wbinfo --online-status
>BUILTIN : online
>IPA : online
>CD-PRD : offline
wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.

You need to make sure that 'getent passwd CD-PRD\\Administrator'
resolves via SSSD.

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Sean Hogan wrote:


Hello Alexander


I knew the below which is why I added my DS rpm version in the orig email
which made sense to me but per 389 DS docs allowweakcipher starts in
1.3.3.2 in case anyone else reads this.  At least that's what the docs say
but you may know something where it actually does not work til 1.3.4.0.  I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html


Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7

All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan

Hello Alexander


I knew the below which is why I added my DS rpm version in the orig email
which made sense to me but per 389 DS docs allowweakcipher starts in
1.3.3.2 in case anyone else reads this.  At least that's what the docs say
but you may know something where it actually does not work til 1.3.4.0.  I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html


Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7

Sean Hogan






From:   Alexander Bokovoy 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users 
Date:   04/26/2016 11:52 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL



On Tue, 26 Apr 2016, Sean Hogan wrote:
>
>
>Hello,
>
>  We currently have 7 ipa servers in multi master running:
>
>ipa-server-3.0.0-47.el6_7.1.x86_64
>389-ds-base-1.2.11.15-68.el6_7.x86_64
>
>Tenable is showing the use of weak ciphers along with freak
>vulnerabilities.  I have followed
>https://access.redhat.com/solutions/675183 however issues remain in the
>ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.


>
>I have also modified dse.ldif with the following from
>
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

>
>With ipa stopped I modified dse with  below
>
>modifyTimestamp: 20150420131906Z
>nsSSL3Ciphers: +all,-rsa_null_sha
>allowWeakCipher: off
>numSubordinates: 1
>
>I turn on ipa and get
>Starting Directory Service
>Starting dirsrv:
>PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
>"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
>
>So I go back into the file and allowWeakCipher now shows allowweakcipher
>(caps for W and C are now lower case)
attribute names are case-insensitive and normalized to a lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.

>
>nss.conf
>
>
># new config to stop using weak ciphers.
>NSSCipherSuite
>-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha

>#   SSL Protocol:
>#   Cryptographic protocols that provide communication security.
>#   NSS handles the specified protocols as "ranges", and automatically
>#   negotiates the use of the strongest protocol for a connection starting
>#   with the maximum specified protocol and downgrading as necessary to
the
>#   minimum specified protocol that can be used between two processes.
>#   Since all protocol ranges are completely inclusive, and no protocol in
>the
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
>server.xml
>
>   clientAuth="true"
>   sslOptions="ssl2=off,ssl3=off,tls=true"
>
>ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

>
>ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

>
>tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

>
>
>
>
>
>Is there a config for this version of IPA/DS somewhere that will pass
>poodle, freak, null ciphers scanning or only allow strong ciphers?
FreeIPA 4.3.1 has default setup that gives A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org=on


Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Gady Notrica wrote:

Hello Ludwig,

Is there a reason why my AD show offline?

[root@cd-p-ipa1 /]# wbinfo --online-status
BUILTIN : online
IPA : online
CD-PRD : offline

wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.

You need to make sure that 'getent passwd CD-PRD\\Administrator'
resolves via SSSD.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Rob Crittenden

Bret Wortman wrote:

So in lieu of fixing these certs, is there an acceptable way to dump
them all and start over /without losing the contents of the IPA
database/? Or otherwise really screwing ourselves?


I don't believe there is a way.


We have a replica that's still up and running and we've switched
everyone over to talking to it, but we're at risk with just the one.


I'd ignore the two unknown certs for now. They look like someone was 
experimenting with issuing a cert and didn't quite get things working.


The CA seems to be throwing an error. I'd check the syslog for messages 
from certmonger and look at the CA debug log and selftest log.


rob



Thanks!


On 04/27/2016 06:05 AM, Bret Wortman wrote:

Was this at all informative?

On 04/26/2016 02:06 PM, Bret Wortman wrote:



On 04/26/2016 01:45 PM, Rob Crittenden wrote:

Bret Wortman wrote:

I think I've found a deeper problem, in that I can't update these
because IPA simply won't start at all now.

I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
2016-04-01 is actually 2036-04-01.

As for the unknowns, the first says status: CA_REJECTED and the error
says "hostname in subject of request 'zw198.private.net' does not
match
principal hostname 'private.net'", with stuck: yes.

The second is similar, but for a different host.


Is it really a different host and why? I think we'd need to see the
full output to know what's going on.



Full output:

Number of certificates and requests being tracked: 10.
Request ID '20140428181940':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=zsipa.private.net,O=PRIVATE.NET
expires: 2018-04-02 13:04:51 UTC
principal name: ldap/zsipa.private@private.net
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140428182016':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=zsipa.private.net,O=PRIVATE.NET
expires: 2018-04-02 13:04:31 UTC
principal name: HTTP/zsipa.private@private.net
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150211141945':
status: CA_REJECTED
ca-error: Server at https://zsipa.private.net/ipa/xml denied our
request, giving up: 2100 (RPC failed at server. Insufficient access:
hostname in subject of request 'zw198.private.net' does not match
principal hostname 'private.net').
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
Certificate
DB'
certificate:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194107':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=CA Audit,O=PRIVATE.NET
expires: 2016-04-17 18:19:19 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194108':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=OCSP Subsystem,O=PRIVATE.NET
expires: 2016-04-17 18:19:18 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan


I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.78s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.


And 636 and 389 for

Plugin ID: 81606  port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.


So I do see RC4 and the exports so I guess I can - those in the dse.ldif




From:   Sean Hogan/Durham/IBM
To: Martin Kosek 
Cc: freeipa-users 
Date:   04/27/2016 09:33 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL


Hi Martin,


   Thanks for the response.  We are at RHEL 6.7... getting the hits on 389
and 636, so it's the Directory Server ports, which I assume is dse.ldif.



Sean Hogan

From:   Martin Kosek 
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users

Date:   04/27/2016 01:43 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL



On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak
vulnerabilities. I
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the
ciphers
> being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is whether the problem is the LDAPS port or the HTTPS port,
so that we are not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

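A script to triage the scan output quoted above, added here as an example and not part of the thread: it parses `nmap --script ssl-enum-ciphers` output and flags the RC4 and EXPORT suites Tenable reported, plus the other legacy suites visible in the listing (DES, 3DES, MD5, NULL). The sample input is a constructed, abridged copy of the scan above.

```python
"""Flag weak TLS cipher suites in `nmap --script ssl-enum-ciphers` output.

Added example, not code from the mailing-list thread. The weakness rules
mirror the two Tenable findings quoted in the thread (RC4, plugin 65821;
EXPORT_RSA, plugin 81606) plus the other legacy suites the scan listed.
"""
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the nmap 5.51 output from the thread.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed
"""

# (substring of the suite name, reason it is weak). A suite may match several.
WEAK_MARKERS = [
    ("_NULL_", "no encryption"),
    ("EXPORT", "export-grade key (Tenable plugin 81606, FREAK / CVE-2015-0204)"),
    ("RC4", "RC4 keystream biases (Tenable plugin 65821)"),
    ("_DES_", "single DES, 56-bit key"),
    ("3DES", "3DES, 64-bit block"),
    ("_MD5", "MD5-based MAC"),
]

# "|   TLSv1.2" style protocol header lines.
_PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d(?:\.\d)?)\s*$")
# "|       TLS_RSA_WITH_RC4_128_MD5" style suite lines ("|_" on the last line).
_CIPHER_RE = re.compile(r"^\|_?\s+((?:SSL|TLS)_[A-Z0-9_]+)\s*$")


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {protocol: [cipher suite names]} from ssl-enum-ciphers output."""
    suites: Dict[str, List[str]] = {}
    proto = None
    for line in text.splitlines():
        m = _PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites.setdefault(proto, [])
            continue
        m = _CIPHER_RE.match(line)
        if m and proto is not None:
            suites[proto].append(m.group(1))
    return suites


def weak_reasons(suite: str) -> List[str]:
    """Reasons a suite is considered weak; an empty list means no finding."""
    return [reason for marker, reason in WEAK_MARKERS if marker in suite]


def weak_suites(suites: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map every offered weak suite to its reasons, across all protocols."""
    findings: Dict[str, List[str]] = {}
    for names in suites.values():
        for name in names:
            reasons = weak_reasons(name)
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Feed a real scan with: nmap --script ssl-enum-ciphers -p 636 host | python3 this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_OUTPUT
    for suite, reasons in sorted(weak_suites(parse_ssl_enum_ciphers(data)).items()):
        print(f"{suite}: {'; '.join(reasons)}")
```

Suites that survive the check are the AES ones; the three flagged suites here are exactly the RC4, EXPORT and 3DES entries that the scanner complains about.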
[Freeipa-users] Replication error

2016-04-27 Thread Anton Rubets
Hi all

I have issues with replication between two FreeIPA servers

In the master's log

[26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap2.domain:389/o%3Dipaca) failed.
[26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap2.domain:389/o%3Dipaca) failed.
[26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap2.domain389/o%3Dipaca) failed.
[26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
directory)


On replica server


[26/Apr/2016:08:38:12 +] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap1.domain:389/o%3Dipaca) failed.
[26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap1domain:389/o%3Dipaca) failed.
[26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap1.domain:389/o%3Dipaca) failed.
[26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap1.domain:389/o%3Dipaca) failed.


And I can't find the source of this problem. I have checked permissions etc. As 
far as I can see the replica is working, but this message disturbs my email every few 
minutes and I want to fix this somehow. Also, I just migrated from 3.0 to 4.2.
Info:
Master :
 rpm -qa | grep ipa
ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
sssd-ipa-1.13.0-40.el7_2.2.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.2.x86_64
python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64

Replica:
rpm -qa | grep ipa
sssd-ipa-1.13.0-40.el7_2.2.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64


Best Regards
Anton Rubets


Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan

Hi Martin,


   Thanks for the response.  We are at RHEL 6.7... getting the hits on 389
and 636, so it's the Directory Server ports, which I assume is dse.ldif.



Sean Hogan

From:   Martin Kosek 
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users

Date:   04/27/2016 01:43 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL



On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak
vulnerabilities. I
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the
ciphers
> being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is whether the problem is the LDAPS port or the HTTPS port,
so that we are not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin




Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz


On 04/27/2016 05:10 PM, Gady Notrica wrote:


Oh! No…

Is there a way I can pull those files from the secondary server and 
put them on the primary?


Do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*? There might 
be some older states to try.
If you want to use a dse.ldif from another server, it could only work if 
the other server is really the same: same backends, indexes, and 
you would have to do a lot of editing to adapt the file to the local 
system, e.g. replication agreements.

And then it is not certain whether something else could be broken.


Or I can run the re-installation ipa-server-install with repair option 
and copy the data back from the secondary server?


I'm not so sure about the IPA reinstall/repair process, maybe someone 
else can step in.


Thanks,

Gady Notrica| IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 
416.818.4797 | gnotr...@candeal.com 


CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com



*From:*Ludwig Krispenz [mailto:lkris...@redhat.com]
*Sent:* April 27, 2016 10:58 AM
*To:* Gady Notrica
*Cc:* Rob Crittenden; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 04:36 PM, Gady Notrica wrote:

*No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am
tailing the log file and running those commands doesn't generate
any log, nothing.

[root@cd-p-ipa1 log]# ipactl start

Starting Directory Service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control
process exited with error code. See "systemctl status
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.

Failed to start Directory Service: Command ''/bin/systemctl'
'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit
status 1

*Logs from /var/log/messages*

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server
IPA-CANDEAL-CA

Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
dse - The configuration file
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from
backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1

Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
dse - The configuration file
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from
backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1

Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
config - The given config file
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed,
Netscape Portable Runtime error -5950 (File not found.)

this is BAD, looks like you completely lost your configuration file 
for DS, so it doesn't even know where to log anything. When you lost 
your VM and rebooted there must have been some data loss.

It could be only dse.ldif, but also other files.

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control 
process exited with error code. See "systemctl status 
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l

● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.

   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)

   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 
3s ago

  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
(code=exited, status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Gady Notrica wrote:

Hello Ludwig,

I do have only 1 error log for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" 
missing attribute "sn" required by object class "person"


I don’t know if that helps.

Your setup seems to have corruption of the data on disk of that VM. Start
from looking into whether all RPM package owned files are in the correct
state.

For 389-ds-base run as root 'rpm -V 389-ds-base'. For a normal install you would 
get something
like this:

# rpm -V 389-ds-base
.MG../etc/dirsrv
..5T.  c /etc/sysconfig/dirsrv
S.5T.  c /etc/sysconfig/dirsrv.systemd
.MG../var/lib/dirsrv

If you have more changes, show them.

Repeat the same for freeipa-server (or ipa-server if this is
RHEL/CentOS).

Next, compare the schema files between what is in 389-ds-base and the
IPA deployment. The following shell snippet would give you output that shows the
difference between the schema files, ignoring comments. In a normal
situation the difference should only be in 99user.ldif.

#!/bin/bash
# Compare the packaged 389-ds schema files with the instance's own copies.
# Set this to your instance name (the suffix of /etc/dirsrv/slapd-*).
instance=EXAMPLE-COM
for i in /etc/dirsrv/schema/*.ldif ; do
    f=/etc/dirsrv/slapd-$instance/schema/$(basename "$i")
    # Stay silent when the instance copy exists and is byte-identical;
    # otherwise print a unified diff with comment-only changes filtered out.
    [ -f "$f" ] && cmp -s "$i" "$f" || diff -u "$i" "$f" | egrep -v '^\+#|^-#|^ #'
done



Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for 
principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (No Kerberos 
credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact LDAP 
server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed


Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz


On 04/27/2016 04:36 PM, Gady Notrica wrote:


*No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am 
tailing the log file and running those commands doesn't generate any 
log, nothing.


[root@cd-p-ipa1 log]# ipactl start

Starting Directory Service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control 
process exited with error code. See "systemctl status 
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.


Failed to start Directory Service: Command ''/bin/systemctl' 'start' 
'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1


*Logs from /var/log/messages*

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server 
IPA-CANDEAL-CA


Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - 
The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was 
not restored from backup 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1


Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - 
The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was 
not restored from backup 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1


Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] 
config - The given config file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, 
Netscape Portable Runtime error -5950 (File not found.)


this is BAD, looks like you completely lost your configuration file for 
DS, so it doesn't even know where to log anything. When you lost your VM 
and rebooted there must have been some data loss.

It could be only dse.ldif, but also other files.


[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control 
process exited with error code. See "systemctl status 
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.


[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l

● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.

Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; 
vendor preset: disabled)


Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 
3s ago


Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
(code=exited, status=1/FAILURE)


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema 
in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 
1) is invalid, error code 21 (Invalid syntax) - attribute type aci: 
Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the 
reported problems and then restart the server.


[root@cd-p-ipa1 log]#

Gady

*From:*Ludwig Krispenz [mailto:lkris...@redhat.com]
*Sent:* April 27, 2016 10:06 AM
*To:* Gady Notrica
*Cc:* Rob Crittenden; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 03:48 PM, Gady Notrica wrote:

Hello Ludwig,

I do have only 1 error log for the 26th in
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only
line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync
- failed to send dirsync search request: 2

[*26/Apr/2016*:00:13:01 -0400] - Entry
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca"
missing attribute "sn" required by 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log 
file and running those commands doesn’t generate any log, nothing.

[root@cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited 
with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and 
"journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 
'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server 
IPA-CANDEAL-CA
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The 
configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored 
from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The 
configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored 
from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The 
given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be 
accessed, Netscape Portable Runtime error -5950 (File not found.)

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited 
with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and 
"journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
[root@cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/27/2016 03:48 PM, Gady Notrica wrote:
Hello Ludwig,

I do have only 1 error log for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry 
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute 
"sn" required by object class "person"


I don’t know if that helps.
No. And it is weird that there should be no logs; there were definitely 
messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there.

Can you try to start dirsrv again, and check what config settings for errorlog  
are in your 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
Hello Ludwig,

I do have only 1 error log for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry 
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute 
"sn" required by object class "person"


I don’t know if that helps.

Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials 
for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
(No Kerberos credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact 
LDAP server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
These are old logs; the problem you were reporting was on Apr 26:



Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.

we need the logs from that time

Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting



Gady Notrica wrote:

> Hey world,

>

> Any ideas?



What about 

Re: [Freeipa-users] does ptr records an admin have to take care of manually?

2016-04-27 Thread Martin Basti



On 27.04.2016 15:12, lejeczek wrote:

hi,

regular server install with --setup-dns
then clients to follow, but I see there:

Missing reverse record(s) for address(es):

does that mean that by default server install process does not include 
reverse zones?

These need to be set up manually/independently ?

many thanks



Hello,
well, this is a warning for you; it depends on you whether you want to create 
a reverse zone or not.


So if you need reverse records for IPA client, create the particular 
reverse zone.

Probably you will need to enable syncptr feature
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dynamic-dns-updates.html#ptr-sync

Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] does ptr records an admin have to take care of manually?

2016-04-27 Thread lejeczek
hi,

regular server install with --setup-dns
then clients to follow, but I see there:

Missing reverse record(s) for address(es):

does that mean that by default server install process does not include
reverse zones?
These need to be set up manually/independently ?

many thanks

Re: [Freeipa-users] IPA & Yubikey

2016-04-27 Thread Nathaniel McCallum
On Wed, 2016-04-27 at 10:22 +0200, Martin Kosek wrote:
> On 04/22/2016 10:40 PM, Jeremy Utley wrote:
> > Hello all!
> > 
> > I'm quite close to reaching the ideal point with our new FreeIPA
> > setup, but one 
> > thing that is standing in the way is 2FA.  I know FreeIPA has
> > support for Google 
> > Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over the
> > phone-based 
> > systems, but a lot of the docs regarding Yubikey seem to either be
> > out-dated, or 
> > not real clear (at least to me).  So I'd like to ask a few
> > questions to make 
> > sure I'm understanding correctly.
> > 
> > 1) It looks like the normal setup of a Yubikey is to plug it into a
> > machine and 
> > run the "ipa otptoken-add-yubikey" command.  This implies that the
> > machine that 
> > sets up the Yubikey needs to be part of the FreeIPA domain, which
> > presents 
> > somewhat of a problem for us, as our current IPA setup has no
> > desktops, and is 
> > in a remote "lights-out" datacenter an hour's drive from our
> > office.  I did see 
> > a post recently in the archives of someone figuring out how to set
> > up a Yubikey 
> > via the web interface 
> > (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.
> > html) - would 
> > this be viable?
> 
> Interesting question/suggestion, CCing Nathaniel on this one, he
> authored the
> feature.

Yes, this is completely viable. The otptoken-add-yubikey is just a
convenience wrapper. It simply programs the Yubikey with the secret
that is also contained in the qr code. If you program this secret
directly yourself, there is no need to use the otptoken-add-yubikey
command.

> > 2) Does the otptoken-add-yubikey command actually change the
> > programming of the 
> > Yubikey, or does it simply read it's configuration?  We have some
> > users who are 
> > already using a Yubikey for personal stuff, and we'd like to allow
> > those users 
> > to continue to use their existing Yubikey to auth to our IPA
> > domain, but if the 
> > add command changes the programming of the key, that may not be
> > possible without 
> > using the second slot, and if users are already using the second
> > slot, they are 
> > out of luck.

The command programs the YubiKey with the secret value that is in the
QR code. You can do this yourself using Yubico's utilities if you don't
want to use our tool.

However, if users are already using both slots, you're out of luck
anyway since there is no place to store the new secret key. This is a
limitation of YubiKey, not FreeIPA. It would be most unwise to try to
share secrets with another authenticator to overcome this limitation.

> > 3) Does Yubikey auth require talking to the outside world to
> > function?  Our IPA 
> > setup is within a secure zone, with no direct connectivity to the
> > outside world, 
> > so if this is necessary, it would be a possible deal-breaker for
> > these.
> 
> None of the FreeIPA setup should require communication with the
> outside world,
> maybe except some of the current DNS checks during validation. If it
> does, it
> sounds as a bug to me, as I know about multiple deployments of
> FreeIPA in such
> environments.

No, YubiKey - when used with FreeIPA - uses the HOTP protocol. No
network connectivity is required.
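To make concrete why the HOTP mode needs no network access, here is an added example (my code, not FreeIPA's or Yubico's) of RFC 4226 HOTP together with the look-ahead verification a server-side validator has to do. The secret is the RFC 4226 Appendix D test vector, and the `HotpVerifier` class and its window size are my assumptions; in a deployment the secret is whatever was programmed into the YubiKey slot and stored for the token.

```python
"""Added example: RFC 4226 HOTP as used by a YubiKey slot programmed with a
shared secret. Not FreeIPA or Yubico code. Both parties need only the secret
and a counter, which is why no outside connectivity is involved."""
import hashlib
import hmac
import struct

# Constructed secret: the RFC 4226 Appendix D test vector (ASCII digits).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side (assumed design): remembers the next counter expected from
    the token and accepts a code only if it matches one of the next `window`
    counters, then moves past it. A code for an already consumed counter is
    therefore rejected, and a token pressed a few times without a login
    attempt is resynchronised automatically."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value expected from the token

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1  # never accept this counter again
                return True
        return False


if __name__ == "__main__":
    print("first three codes:", [hotp(TEST_SECRET, c) for c in range(3)])
    verifier = HotpVerifier(TEST_SECRET)
    print("accepted:", verifier.verify(hotp(TEST_SECRET, 0)))
    print("replay accepted:", verifier.verify(hotp(TEST_SECRET, 0)))
```

The token increments its counter on every press and the server only moves forward, so an observed code cannot be replayed; the window bounds how far ahead the token may drift before an administrator has to resynchronise it. Nothing in this exchange leaves the site.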


Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka

On 27/04/16 13:15, barry...@gmail.com wrote:

Do you mean use ldapmodify?
I tried updating the dse.ldif, but it will fall back after a while.

On 2016-04-27 at 7:10 PM, "David Kupka" > wrote:

On 27/04/16 12:48, barry...@gmail.com  wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry




Hello Barry,

this ldapsearch should list all attributes that need a restart after
modification:

$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
nsslapd-requiresrestart

I don't see nsslapd-security listed, so it should be possible to change it at
runtime.

--
David Kupka



Yes, I mean ldapmodify.

Editing dse.ldif while dirsrv is running has no effect because it is 
read only at start and written at least before exit.


If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it 
and start dirsrv again.


--
David Kupka


Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
thx, let me try, as I don't want to stop dirsrv but live-disable nsslapd security.
On 2016-04-27 at 7:26 PM, "David Kupka" wrote:

> On 27/04/16 13:15, barry...@gmail.com wrote:
>
>> Do you mean use ldapmodify?
>> I tried updating the dse.ldif, but it will fall back after a while.
>>
>> On 2016-04-27 at 7:10 PM, "David Kupka" > > wrote:
>>
>> On 27/04/16 12:48, barry...@gmail.com 
>> wrote:
>>
>> Hi:
>>
>> Without restarting dirsrv possible do that ?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
>> Hello Barry,
>>
>> this ldapsearch should list all attributes that need a restart after
>> modification:
>>
>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>> nsslapd-requiresrestart
>>
>> I don't see nsslapd-security listed, so it should be possible to
>> change it at
>> runtime.
>>
>> --
>> David Kupka
>>
>>
> Yes, I mean ldapmodify.
>
> Editing dse.ldif while dirsrv is running has no effect because it is read
> only at start and written at least before exit.
>
> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
> and start dirsrv again.
>
> --
> David Kupka
>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Do you mean use ldapmodify?
I tried updating the dse.ldif, but it will fall back after a while.
On 2016-04-27 at 7:10 PM, "David Kupka" wrote:

> On 27/04/16 12:48, barry...@gmail.com wrote:
>
>> Hi:
>>
>> Without restarting dirsrv possible do that ?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
> Hello Barry,
>
> this ldapsearch should list all attributes that need a restart after
> modification:
>
> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
> nsslapd-requiresrestart
>
> I don't see nsslapd-security listed, so it should be possible to change it
> at runtime.
>
> --
> David Kupka
>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka

On 27/04/16 12:48, barry...@gmail.com wrote:

Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry





Hello Barry,

this ldapsearch should list all attributes that need a restart after 
modification:


$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config 
nsslapd-requiresrestart


I don't see nsslapd-security listed, so it should be possible to change 
it at runtime.


--
David Kupka



[Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Hi:

Without restarting dirsrv possible do that ?


thx Regards

barry

Re: [Freeipa-users] IPA server having cert issues

2016-04-27 Thread Bret Wortman

Was this at all informative?

On 04/26/2016 02:06 PM, Bret Wortman wrote:



On 04/26/2016 01:45 PM, Rob Crittenden wrote:

Bret Wortman wrote:

I think I've found a deeper problem, in that I can't update these
because IPA simply won't start at all now.

I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
2016-04-01 is actually 2036-04-01.

As for the unknowns, the first says status: CA_REJECTED and the error
says "hostname in subject of request 'zw198.private.net' does not match
principal hostname 'private.net'", with stuck: yes.

The second is similar, but for a different host.


Is it really a different host and why? I think we'd need to see the 
full output to know what's going on.




Full output:

Number of certificates and requests being tracked: 10.
Request ID '20140428181940':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=zsipa.private.net,O=PRIVATE.NET
expires: 2018-04-02 13:04:51 UTC
principal name: ldap/zsipa.private@private.net
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140428182016':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=zsipa.private.net,O=PRIVATE.NET
expires: 2018-04-02 13:04:31 UTC
principal name: HTTP/zsipa.private@private.net
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150211141945':
status: CA_REJECTED
ca-error: Server at https://zsipa.private.net/ipa/xml denied our 
request, giving up: 2100 (RPC failed at server. Insufficient access: 
hostname in subject of request 'zw198.private.net' does not match 
principal hostname 'private.net').

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
Certificate DB'
certificate: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'

CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194107':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=CA Audit,O=PRIVATE.NET
expires: 2016-04-17 18:19:19 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194108':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=OCSP Subsystem,O=PRIVATE.NET
expires: 2016-04-17 18:19:18 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150816194109':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS 
Certificate DB',pin='424151811070'
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS 
Certificate DB'

CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PRIVATE.NET
subject: CN=CA Subsystem,O=PRIVATE.NET
expires: 2016-04-17 18:19:19 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: 
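The certmonger dump above is long enough that the actionable entries are easy to miss. The following is an added example (my code, not certmonger's or FreeIPA's) that parses `getcert list` output in the format shown in the thread and flags requests that are not in MONITORING, are stuck, have no issued certificate, or are expired or close to expiry. The sample output, its request IDs and the reference time `NOW` are constructed for the example.

```python
"""Added example: triage `getcert list` output. Not certmonger or FreeIPA
code; the sample below is constructed in the format the thread shows."""
import re
import sys
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread's output (IDs and dates illustrative).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140428181940':
    status: MONITORING
    stuck: no
    subject: CN=zsipa.private.net,O=PRIVATE.NET
    expires: 2018-04-02 13:04:51 UTC
    track: yes
    auto-renew: yes
Request ID '20150211141945':
    status: CA_REJECTED
    ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net').
    stuck: yes
    subject:
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20150816194107':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    subject: CN=CA Audit,O=PRIVATE.NET
    expires: 2016-04-17 18:19:19 UTC
    track: yes
    auto-renew: yes
"""

# Constructed reference time (the day of the thread) so results are reproducible.
NOW = datetime(2016, 4, 26, 14, 6, tzinfo=timezone.utc)


def parse_getcert(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per "Request ID" block.
    Each indented "key: value" line becomes an entry; the first colon
    separates key from value, so URLs inside ca-error survive intact."""
    requests: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def triage(text: str, now: datetime, warn_days: int = 30) -> List[Tuple[str, str]]:
    """Return (request id, finding) pairs for anything an operator should act on."""
    findings: List[Tuple[str, str]] = []
    for req in parse_getcert(text):
        rid = req["id"]
        if req.get("status") != "MONITORING":
            msg = f"status {req.get('status')}"
            if req.get("ca-error"):
                msg += f": {req['ca-error']}"
            findings.append((rid, msg))
        if req.get("stuck") == "yes":
            findings.append((rid, "stuck: yes (certmonger stopped retrying)"))
        expires = req.get("expires", "unknown")
        if expires == "unknown":
            findings.append((rid, "no certificate issued (expires: unknown)"))
            continue
        when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        if when < now:
            findings.append((rid, f"EXPIRED {(now - when).days} days ago"))
        elif (when - now).days <= warn_days:
            findings.append((rid, f"expires in {(when - now).days} days"))
    return findings


if __name__ == "__main__":
    # Usage: python3 triage.py [saved-getcert-output]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for rid, finding in triage(text, datetime.now(timezone.utc)):
        print(f"{rid}: {finding}")
```

Against the thread's own output this would single out the three CA subsystem certificates that expired on 2016-04-17 and the stuck CA_REJECTED request whose subject hostname does not match its principal; a stuck request only moves again with `getcert resubmit -i <request id>` once its cause has been fixed.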

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Martin Kosek
On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
> 
> We currently have 7 ipa servers in multi master running:
> 
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
> 
> Tenable is showing the use of weak ciphers along with freak vulnerabilities. 
> I 
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the 
> ciphers 
> being used.

Can you show the full report, so that we can see what's wrong? What I am
also looking for is whether the problem is on the LDAPS port or the HTTPS port, so that we are
not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin



Re: [Freeipa-users] IPA & Yubikey

2016-04-27 Thread Martin Kosek
On 04/22/2016 10:40 PM, Jeremy Utley wrote:
> Hello all!
> 
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but 
> one 
> thing that is standing in the way is 2FA.  I know FreeIPA has support for 
> Google 
> Auth, FreeOTP, and Yubikey.  We'd like to go with Yubikeys over the 
> phone-based 
> systems, but a lot of the docs regarding Yubikey seem to either be out-dated, 
> or 
> not real clear (at least to me).  So I'd like to ask a few questions to make 
> sure I'm understanding correctly.
> 
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine 
> and 
> run the "ipa otptoken-add-yubikey" command.  This implies that the machine 
> that 
> sets up the Yubikey needs to be part of the FreeIPA domain, which presents 
> somewhat of a problem for us, as our current IPA setup has no desktops, and 
> is 
> in a remote "lights-out" datacenter an hour's drive from our office.  I did 
> see 
> a post recently in the archives of someone figuring out how to set up a 
> Yubikey 
> via the web interface 
> (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - 
> would 
> this be viable?

Interesting question/suggestion, CCing Nathaniel on this one, he authored the
feature.

> 2) Does the otptoken-add-yubikey command actually change the programming of 
> the 
> Yubikey, or does it simply read it's configuration?  We have some users who 
> are 
> already using a Yubikey for personal stuff, and we'd like to allow those 
> users 
> to continue to use their existing Yubikey to auth to our IPA domain, but if 
> the 
> add command changes the programming of the key, that may not be possible 
> without 
> using the second slot, and if users are already using the second slot, they 
> are 
> out of luck.
> 
> 3) Does Yubikey auth require talking to the outside world to function?  Our 
> IPA 
> setup is within a secure zone, with no direct connectivity to the outside 
> world, 
> so if this is necessary, it would be a possible deal-breaker for these.

None of the FreeIPA setup should require communication with the outside world,
maybe except some of the current DNS checks during validation. If it does, it
sounds like a bug to me, as I know about multiple deployments of FreeIPA in such
environments.

Martin



Re: [Freeipa-users] migration user passwords from openldap to freeipa

2016-04-27 Thread David Kreitschmann
Are you sure that your bind DN has read access to userPassword? A default OpenLDAP 
installation usually has an admin user.
Gosa ACLs are only applied when using the web interface, they are not used for 
direct access via LDAP.


> Am 27.04.2016 um 03:43 schrieb siology.io :
> 
> I'm having issues migrating from an openldap directory (which has gosa 
> schema) to freeipa.
> 
> To migrate i'm doing (and yes, i know);
> 
> ipa migrate-ds ldap://old.server.com:389 --bind-dn 
> "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup 
> --user-objectclass=inetOrgPerson --group-overwrite-gid 
> --user-ignore-objectclass=gosaAccount 
> --user-ignore-objectclass=gosaMailAccount 
> --user-ignore-attribute=gosaMailDeliveryMode 
> --user-ignore-attribute=gosaMailServer 
> --user-ignore-attribute=gosaSpamSortLevel 
> --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount 
> --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey 
> --user-ignore-attribute=sambaLMPassword 
> --user-ignore-attribute=sambaBadPasswordTime 
> --user-ignore-attribute=gosaaclentry 
> --user-ignore-attribute=sambaBadPasswordCount 
> --user-ignore-attribute=sambaNTPassword 
> --user-ignore-attribute=sambaPwdLastSet
> 
> Which seems to work to import all those users which have posix settings set, 
> however i have two problems:
> 
> - Am i right in thinking there's no way to auto-assign a gid/uid/home dir for 
> the non-posix users at migration time ? That's not a deal breaker per se, but 
> i'd need to spin up a new copy of the old ldap and then add those attributes 
> to every user, then migrate to ipa from that source, which is a real pain.
> 
> - The migration seems to be successful for the users that do have posix 
> attributes, and ends with:
> 
>  Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
> 
> ...but i'm unable to login to that page as any of my migrated users, or bind 
> as them with ldapsearch. It seems like the passwords were not migrated ?
> 
> Because 90% of my ~350 users are only going to be using freeipa insomuch as 
> using services which are making use of the ipa server's ldap i was hoping 
> that i wouldn't need to make kerberos tickets for those users, and hence 
> avoid needing every user to login to the migration page. At the moment 
> however i'm not able to get any migrated users at all to be able to bind to 
> ldap or login to that page.
> 
> Any tips or gotchas i should know ? I've no idea how to begin debugging this.




Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz


On 04/26/2016 09:09 PM, Gady Notrica wrote:


HERE..

[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial 
credentials for principal 
[ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for 
requested realm)


[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available)) errno 0 (Success)


[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -2 (Local error)


[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication 
bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (No Kerberos credentials available))


[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests


[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 
for LDAPS requests


[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests


[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication 
bind with GSSAPI auth resumed


[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to 
receive the response for a startReplication extended operation to 
consumer (Can't contact LDAP server). Will retry later.


[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
is not connected)


[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)


[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
is not connected)


[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)


[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
is not connected)


[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)


[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication 
bind with GSSAPI auth resumed


[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - 
failed to send dirsync search request: 2



these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] 
dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 
(Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.


we need the logs from that time




Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:

> Hey world,

>

> Any ideas?

What about the first part of Ludwig's question: Is there anything in 
the 389-ds error log?


rob

>

> Gady

>

> -Original Message-

> From: freeipa-users-boun...@redhat.com 



> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica

> Sent: April 26, 2016 10:10 AM

> To: Ludwig Krispenz; freeipa-users@redhat.com 



> Subject: Re: [Freeipa-users] krb5kdc service not starting

>

> No, no changes. Lost connectivity with my VMs during the night

> (networking issues in datacenter)

>

> Reboot the server and oups, no IPA is coming up... The replica 
(secondary server) is fine though.


>

> Gady Notrica

>

> -Original Message-

> From: 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy

On Tue, 26 Apr 2016, Sean Hogan wrote:



Hello,

 We currently have 7 ipa servers in multi master running:

ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64

Tenable is showing the use of weak ciphers along with freak
vulnerabilities.  I have followed
https://access.redhat.com/solutions/675183 however issues remain in the
ciphers being used.

$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means the allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.




I have also modified dse.ldif with the following from
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

With ipa stopped I modified dse with  below

odifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1

I turn on ipa and get
Starting Directory Service
Starting dirsrv:
   PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed

So I go back into the file and allowWeakCipher now shows allowweakcipher
(caps for W and C are now lower case)

attribute names are case-insensitive and normalized to lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base versions.



nss.conf


# new config to stop using weak ciphers.
NSSCipherSuite
-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in
the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


server.xml

  clientAuth="true"
  sslOptions="ssl2=off,ssl3=off,tls=true"

ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"





Is there a config for this version of IPA/DS somewhere that will pass
poodle, freak, null ciphers scanning or only allow strong ciphers?

FreeIPA 4.3.1 has a default setup that gets an A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper lists.
--
/ Alexander Bokovoy
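Much of the confusion in this thread comes from what a `+all,-name` list actually leaves enabled. The following is an added example (my code, not 389-ds, mod_nss or FreeIPA code) that applies the `+all` / `+name` / `-name` semantics of an nsSSL3Ciphers or NSSCipherSuite value to a small constructed cipher catalogue and reports which weak suites remain. The catalogue, the assumption that the lower-cased standard suite name is accepted as an alias of the short name, the weakness policy, and the rule that the model starts with every suite disabled are all assumptions made for illustration; the two lists themselves are the ones quoted above.

```python
"""Added example, not 389-ds or FreeIPA code: evaluate a 389-ds nsSSL3Ciphers
or mod_nss NSSCipherSuite list and report weak suites that are still enabled.
Catalogue, alias rule and weakness policy are assumptions for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed catalogue: short NSS names (nss.conf / dse.ldif spelling) mapped to
# the standard suite name a scanner prints. Deliberately a small subset.
CATALOGUE: Dict[str, str] = {
    "rsa_rc4_128_md5": "TLS_RSA_WITH_RC4_128_MD5",
    "rsa_rc4_128_sha": "TLS_RSA_WITH_RC4_128_SHA",
    "rsa_rc4_56_sha": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "rsa_des_sha": "TLS_RSA_WITH_DES_CBC_SHA",
    "rsa_3des_sha": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "fips_3des_sha": "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "rsa_null_md5": "TLS_RSA_WITH_NULL_MD5",
    "rsa_null_sha": "TLS_RSA_WITH_NULL_SHA",
    "rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "rsa_aes_256_sha": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ecdhe_rsa_aes_128_gcm_sha_256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Assumption: the standard name in lower case is accepted as an alias, which is
# the spelling -tls_rsa_export1024_with_rc4_56_sha in the thread uses.
ALIASES: Dict[str, str] = dict(CATALOGUE)
ALIASES.update({std.lower(): std for std in CATALOGUE.values()})

# The dse.ldif value quoted above: everything on, one suite removed.
DS_DENY_LIST = "+all,-rsa_null_sha"
# The nss.conf value quoted above: named suites removed, one suite added.
NSS_CONF_LIST = ("-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,"
                 "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
                 "-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
                 "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha")


def weakness(std_name: str) -> List[str]:
    """Reasons a scanner such as Tenable or nmap's ssl-enum-ciphers would flag
    the suite. Assumed policy; adjust to the scanner you must satisfy."""
    reasons: List[str] = []
    if "_NULL_" in std_name:
        reasons.append("no encryption")
    if "EXPORT" in std_name:
        reasons.append("export-grade key (FREAK class)")
    if "RC4" in std_name:
        reasons.append("RC4")
    if re.search(r"_DES_", std_name):
        reasons.append("single DES")
    if "3DES" in std_name:
        reasons.append("3DES (64-bit block)")
    if std_name.endswith("_MD5"):
        reasons.append("MD5 MAC")
    return reasons


def effective_suites(cipher_list: str) -> Tuple[Dict[str, bool], List[str]]:
    """Apply the comma-separated list left to right, starting from every suite
    disabled: `+all`/`-all` touch every catalogue entry, `+name`/`-name` one
    suite. Tokens naming suites outside the catalogue are returned so that a
    typo or an unsupported name is never silently ignored."""
    enabled = {std: False for std in CATALOGUE.values()}
    unknown: List[str] = []
    for token in (t.strip() for t in cipher_list.split(",")):
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign not in "+-":
            raise ValueError(f"cipher token lacks +/- prefix: {token!r}")
        if name == "all":
            for std in enabled:
                enabled[std] = sign == "+"
        elif name in ALIASES:
            enabled[ALIASES[name]] = sign == "+"
        else:
            unknown.append(token)
    return enabled, unknown


def audit(cipher_list: str) -> List[Tuple[str, List[str]]]:
    """Enabled suites the policy considers weak, each with its reasons."""
    enabled, _ = effective_suites(cipher_list)
    return sorted((std, weakness(std)) for std, on in enabled.items()
                  if on and weakness(std))


if __name__ == "__main__":
    for label, lst in (("dse.ldif", DS_DENY_LIST), ("nss.conf", NSS_CONF_LIST)):
        enabled, unknown = effective_suites(lst)
        print(f"{label}: {sum(enabled.values())} enabled, unknown tokens: {unknown}")
        for std, reasons in audit(lst):
            print(f"  weak: {std} ({', '.join(reasons)})")
```

The two quoted lists behave very differently under this model: the dse.ldif value removes only the NULL suite and leaves RC4, DES, 3DES and export suites enabled for a scanner to find, while the nss.conf value ends with a single explicitly added suite and nothing weak. An explicit allow-list of the suites you want, rather than `+all` with a deny-list, is the shape that stays correct when a new weak suite appears in the library.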



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-27 Thread Harald Dunkel
On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
> 
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
> 

Is this 3rd party code?

Anyway, I was talking about a *private* backport of freeipa 4.3.1
and its dependencies to Jessie. Of course I would be glad to make
these backports available in the official jessie-backports as well,
but I would need a sponsor for uploading.


Regards
Harri



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-27 Thread Timo Aaltonen
27.04.2016, 09:24, Harald Dunkel kirjoitti:
> On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>>
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>>
> 
> Is this 3rd party code?

yes: https://fedorahosted.org/freeipa/ticket/5639

> Anyway, I was talking about a *private* backport of freeipa 4.3.1
> and its dependencies to Jessie. Of course I would be glad to make
> these backports available in the official jessie-backports as well,
> but I would need a sponsor for uploading.

Go for it, at least if the dependencies are manageable.


-- 
t
