Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-29 Thread Anthony Cheng
I made further progress: I managed to get it into the NEED_TO_SUBMIT state
again after a reboot, and this time klist and the clock look good. However, I am
getting this error while restarting IPA:

Starting dirsrv:
 PKI-IPA...[29/Apr/2016:21:41:48 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

The error time is different from the time I changed to; after searching all
files on the computer I found some files that have that time:
var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo
/var/tmp/DNS_25

I changed the access time on them, restarted, and got the correct time in the
error log:
Starting dirsrv:
PKI-IPA...[28/Sep/2014:14:58:15 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
   [  OK  ]
sample-NET...[28/Sep/2014:14:58:16 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

Looking at the server cert, there are actually 2, and one is expired no matter
what time I set the clock to, because of the time gap between them; this seems
to indicate that I need to remove one of them:

[root@test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep 'Issuer\|Not\|Subject\|Name'
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID

On Fri, Apr 29, 2016 at 4:50 PM Anthony Cheng 
wrote:

> OK so I made progress on my cert renew issue; I was able to get kinit
> working so I can follow the rest of the steps here (
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
> (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> (/sbin/service ipa restart), I still see:
>
> [root@test ~]# ipa-getcert list | more
>
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be compl
> eted: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
>
> expires: 2016-01-29 14:09:46 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be compl
> eted: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
>
> expires: 2016-01-29 14:09:45 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: 
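
An added check for the situation described above (two certificates stored under one nickname, with validity windows that do not overlap, so that no clock setting satisfies both). The Python below is not code from the thread or from FreeIPA; it parses the `certutil -L -d <dir> -n <nickname>` output format quoted above (the SAMPLE text is constructed from that output), reports which certificates are valid at a chosen clock time, and computes whether any single clock time could make all of them valid. The `certs_from_db` helper shells out to `certutil` and assumes it is on PATH.

```python
"""Which Server-Cert entries in an NSS database are valid at a given time?

Added example, not code from the thread or from FreeIPA. It parses the
`certutil -L -d <dir> -n <nickname>` output format quoted in the thread
(SAMPLE below is constructed from it) and answers two questions:
which certs are valid at a chosen clock time, and whether any single
clock time could make all of them valid at once.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample in the same shape as the output quoted in the thread:
# two certificates under one nickname, with non-overlapping validity.
SAMPLE = """\
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Name: Certificate Subject Key ID
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"          # certutil's date format (UTC)
LINE_RE = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$")


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime; keeps callers free of datetime imports."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_certutil(text):
    """Return one dict per certificate found in certutil -L output.

    certutil prints Issuer, then the validity lines, then Subject. A new
    record starts at an Issuer line once the current record already has
    its validity; an Issuer line that appears elsewhere (e.g. inside an
    Authority Key Identifier extension) only overwrites the pending issuer.
    Records without both validity dates are dropped.
    """
    certs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Issuer" and (not certs or "Not Before" in certs[-1]):
            certs.append({})
        if not certs:
            continue                      # stray line before the first Issuer
        if key.startswith("Not "):
            val = datetime.strptime(val, DATE_FMT).replace(tzinfo=timezone.utc)
        certs[-1][key] = val
    return [c for c in certs if "Not Before" in c and "Not After" in c]


def classify(certs, now):
    """Split certs into (valid, invalid) at the aware datetime `now`."""
    valid = [c for c in certs if c["Not Before"] <= now <= c["Not After"]]
    invalid = [c for c in certs if c not in valid]
    return valid, invalid


def common_validity_window(certs):
    """Return (start, end) during which every cert is valid, or None if the
    windows do not overlap. None means no clock setting can satisfy them
    all, which is the situation in the thread: one of the two must go."""
    start = max(c["Not Before"] for c in certs)
    end = min(c["Not After"] for c in certs)
    return (start, end) if start <= end else None


def certs_from_db(dbdir, nickname):
    """Live variant: run certutil (assumed to be on PATH) against an NSS DB."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return parse_certutil(out)


if __name__ == "__main__":
    certs = parse_certutil(SAMPLE)
    now = utc(2016, 1, 28, 14, 5)         # the klist timestamp in the thread
    valid, invalid = classify(certs, now)
    print(f"{len(valid)} valid, {len(invalid)} expired/not-yet-valid at {now:%Y-%m-%d %H:%M}")
    print("common validity window:", common_validity_window(certs))
```

Run it against a live database with `classify(certs_from_db("/etc/httpd/alias", "Server-Cert"), utc(...))`; a `None` from `common_validity_window` is the signal that winding the clock back cannot help and the stale certificate has to be deleted from the NSS database before the renewal is retried.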

[Freeipa-users] Password Encryption Method

2016-04-29 Thread Zak Wolfinger
Did the password encryption method change between V3.0 and newer versions?  
Where can I find out what method is being used?  I’m running into hash issues 
when using GADS to sync to Google.

Cheers,
Zak Wolfinger

Infrastructure Engineer  |  Emma®
zak.wolfin...@myemma.com 
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)

Emma helps organizations everywhere communicate & market in style.
Visit us online at www.myemma.com 



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi

Anyone please help me to fix this issue.

I have created a new group in AD (4 hours back), and while I was mapping this
group as --external, I am getting the error below.


[root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW  AD Administrators-External"
--
Added group "ad_admins_external"
--
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW  AD Administrators-External
[root@freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW  AD Administrators-External
  Failed members:
member user:
member group: KWTTESTDC\test admins: Cannot find specified domain or server name
-
Number of members added 0



On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George 
wrote:

> Hi
>
> while issuing ipa trust-fetch-domains, I am getting the error below.
>
> I have created a new security group in AD and I want to add it to an external
> group.
>
> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
> trusted forest failed. See details in the error_log
>
> help me to fix/explain more about this error
>
> Regards
>

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi, Rob

Thanks for your response 

I do not have access to the link
https://bugzilla.redhat.com/show_bug.cgi?id=719945.

I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the server
PPA (IPA client), but it still shows the same error.

A moment ago I added another client server with same version xmlrpc and
installed correctly.

Thanks Regards.




[root@bk1 ~]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None,
'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname':
None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True,
'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=bk1.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: bk1.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmp5msIum:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = CYBERFUEL.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0


[realms]
  CYBERFUEL.COM = {
kdc = freeipa.cyberfuel.com:88
master_kdc = freeipa.cyberfuel.com:88
admin_server = freeipa.cyberfuel.com:749
default_domain = cyberfuel.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .cyberfuel.com = CYBERFUEL.COM
  cyberfuel.com = CYBERFUEL.COM



Password for ad...@cyberfuel.com:
args=kinit ad...@cyberfuel.com
stdout=Password for 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden

Sean Hogan wrote:

Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well? If I start off playing with something you
see working without issue then maybe I can come up with something or am
I wrong thinking those might affect anything?


The only config that matters in this case is in dse.ldif because you are 
only testing port 636 and this is what drives it.


My config is:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150102143402Z
modifyTimestamp: 20150102143427Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

What I did was:

# service dirsrv stop EXAMPLE-COM
# vi /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
# service dirsrv start EXAMPLE-COM
# nmap ...

rob








From: Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi 
Date: 04/29/2016 01:36 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL





Sean Hogan wrote:
 > Apparently making it the master ca will not work at this point since the
 > replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

 >
 >
 > Sean Hogan
 >
 >
 >
 >
 >
 >
 > From: Sean Hogan/Durham/IBM
 > To: Rob Crittenden 
 > Cc: freeipa-users@redhat.com, Noriko Hosoi 
 > Date: 04/29/2016 08:56 AM
 > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
 >
 > 
 >
 >
 > Hi Rob,
 >
 > I stopped IPA, modified dse.ldif, restarted with the cipher list and it
 > started without issue; however, same 13 ciphers. You know.. thinking about
 > this now.. I'm going to try something. The box I am testing on is a
 > replica master and not the first replica. I did not think this would
 > make a difference since I removed the replica from the realm before
 > testing, but maybe it will not change anything, thinking it's stuck in the
 > old realm?
 >
 > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
 > Nmap scan report for
 > Host is up (0.82s latency).
 > PORT STATE SERVICE
 > 636/tcp open ldapssl
 > | ssl-enum-ciphers:
 > | TLSv1.2
 > | Ciphers (13)
 > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
 > | SSL_RSA_FIPS_WITH_DES_CBC_SHA
 > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
 > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
 > | TLS_RSA_WITH_3DES_EDE_CBC_SHA
 > | TLS_RSA_WITH_AES_128_CBC_SHA
 > | TLS_RSA_WITH_AES_128_CBC_SHA256
 > | TLS_RSA_WITH_AES_128_GCM_SHA256
 > | TLS_RSA_WITH_AES_256_CBC_SHA
 > | TLS_RSA_WITH_AES_256_CBC_SHA256
 > | TLS_RSA_WITH_DES_CBC_SHA
 > | TLS_RSA_WITH_RC4_128_MD5
 > | TLS_RSA_WITH_RC4_128_SHA
 > | Compressors (1)
 >
 > dn: cn=encryption,cn=config
 > objectClass: top
 > objectClass: nsEncryptionConfig
 > cn: encryption
 > nsSSLSessionTimeout: 0
 > nsSSLClientAuth: allowed
 > nsSSL2: off
 > nsSSL3: off
 > creatorsName: cn=server,cn=plugins,cn=config
 > modifiersName: cn=directory manager
 > createTimestamp: 20150420131850Z
 > modifyTimestamp: 20150420131906Z
 > nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
 > numSubordinates: 1
 >
 >
 >
 >
 >
 > Sean Hogan
 > Security Engineer
 > Watson Security & Risk Assurance
 > Watson Cloud Technology and Support
 > email: scho...@us.ibm.com | Tel 919 486 1397
 >
 >
 >
 >
 >
 >
 >

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-29 Thread Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here (
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)

However, after using

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
(ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
(/sbin/service ipa restart), I still see:

[root@test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be compl
eted: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be compl
eted: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be compl
eted: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes


Here are other relevant output:

root@test ~]# /sbin/service ipa restart
Restarting Directory Service
Shutting down dirsrv:
PKI-IPA... [  OK  ]
sample-NET...  [  OK  ]
Starting dirsrv:
PKI-IPA... [  OK  ]
sample-NET...  [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:   [  OK  ]
Starting Kerberos 5 KDC:   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:  [  OK  ]
Starting Kerberos 5 Admin Server:  [  OK  ]
Restarting DNS Service
Stopping named: .  [  OK  ]
Starting named:[  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:[  OK  ]
Starting ipa_memcached:[  OK  ]
Restarting HTTP Service
Stopping httpd:[  OK  ]
Starting httpd:[  OK  ]
Restarting CA Service
Stopping pki-ca:   [  OK  ]
Starting pki-ca:   [  OK  ]

[root@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: t...@sample.net

Valid starting     Expires            Service principal
01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample@sample.net
01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample@sample.net

[root@test ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

[root@caer ~]# /sbin/service httpd restart
Stopping httpd:[  OK  ]
Starting httpd:[  OK  ]


Would 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan

Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well?  If I start off playing with something you
see working without issue then maybe I can come up with something or am I
wrong thinking those might affect anything?

i.e., can you send me the entire cn=encryption,cn=config section, like this:
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1


Sean Hogan







From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi 
Date:   04/29/2016 01:36 PM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Apparently making it the master ca will not work at this point since the
> replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers
available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

>
>
> Sean Hogan
>
>
>
>
>
>
> From: Sean Hogan/Durham/IBM
> To: Rob Crittenden 
> Cc: freeipa-users@redhat.com, Noriko Hosoi 
> Date: 04/29/2016 08:56 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> 
>
>
> Hi Rob,
>
> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
> started without issue; however, same 13 ciphers. You know.. thinking about
> this now.. I'm going to try something. The box I am testing on is a
> replica master and not the first replica. I did not think this would
> make a difference since I removed the replica from the realm before
> testing, but maybe it will not change anything, thinking it's stuck in the
> old realm?
>
> Starting Nmap 5.51 ( http://nmap.org  ) at 2016-04-29
> 11:51 EDT
> Nmap scan report for
> Host is up (0.82s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | TLS_RSA_WITH_DES_CBC_SHA
> | TLS_RSA_WITH_RC4_128_MD5
> | TLS_RSA_WITH_RC4_128_SHA
> | Compressors (1)
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
> numSubordinates: 1
>
>
>
>
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: scho...@us.ibm.com | Tel 919 486 1397
>
>
>
>
>
>
>
>
> From: Rob Crittenden 
> To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi 
> Cc: freeipa-users@redhat.com
> Date: 04/29/2016 08:30 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> 
>
>
>
> Sean Hogan wrote:
>  > Hi Noriko,
>  >
>  > Thanks for the suggestions,
>  >
>  > I had to trim out the GCM ciphers in order to get IPA to start back up
>  > or I would get the unknown cipher message
>
> The trick is 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden

Sean Hogan wrote:

Apparently making it the master ca will not work at this point since the
replica is removed. So still stuck with non-changing ciphers.


Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop 
dirsrv, modify dse.ldif with the list I provided, restart it and confirm 
that the cipher list was better.


Entries in cn=config are not replicated.

rob




Sean Hogan






From: Sean Hogan/Durham/IBM
To: Rob Crittenden 
Cc: freeipa-users@redhat.com, Noriko Hosoi 
Date: 04/29/2016 08:56 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL




Hi Rob,

I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue; however, same 13 ciphers. You know.. thinking about
this now.. I'm going to try something. The box I am testing on is a
replica master and not the first replica. I did not think this would
make a difference since I removed the replica from the realm before
testing, but maybe it will not change anything, thinking it's stuck in the
old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.82s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1





Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397








From: Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi 
Cc: freeipa-users@redhat.com
Date: 04/29/2016 08:30 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL




Sean Hogan wrote:
 > Hi Noriko,
 >
 > Thanks for the suggestions,
 >
 > I had to trim out the GCM ciphers in order to get IPA to start back up
 > or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha

I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
 Accepted  TLSv1  256 bits  AES256-SHA
 Accepted  TLSv1  128 
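
An added check for the procedure Rob describes (stop dirsrv, set nsSSL3Ciphers in dse.ldif, start it, rescan port 636). The Python below is not code from the thread or from 389-ds/FreeIPA. It parses a 389-ds cipher policy in the `+name`/`-name` format, including the line-wrapped form the value takes in the mail quotes above, grades the suite names a scanner reports, and says whether the scan result is consistent with the policy having been loaded. The POLICY string is the one Rob posted; BEFORE and AFTER are transcribed from the two nmap ssl-enum-ciphers runs quoted in this thread; the weak/legacy markers are this example's own classification, not a 389-ds or nmap setting.

```python
"""Audit a 389-ds nsSSL3Ciphers policy against the cipher list a scanner sees.

Added example, not code from the thread or from 389-ds/FreeIPA. The policy
string is the one Rob posted; BEFORE and AFTER are the suite names from the
two nmap ssl-enum-ciphers runs quoted in the thread. The weak/legacy
classification is this example's own rule of thumb, not a 389-ds setting.
"""
import re

POLICY = ("-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,"
          "-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,"
          "+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,"
          "-tls_rsa_export1024_with_rc4_56_sha,"
          "-tls_rsa_export1024_with_des_cbc_sha")

# The same value as it appears after mail wrapping in the thread.
FOLDED = """-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5

,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_

sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha"""

BEFORE = [  # Sean's scan: 13 suites on 636/tcp
    "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
]
AFTER = [  # Rob's scan with POLICY applied: 7 suites
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Example's own classification: substrings that mark a suite as weak or legacy.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "MD5", "_DES_", "FORTEZZA")
LEGACY_MARKERS = ("3DES",)


def parse_policy(policy):
    """Split a 389-ds cipher policy into (enabled, disabled) sets of names.

    Every token must carry a '+' or '-' prefix. All whitespace is removed
    first, which undoes both LDIF line folding and the mail-client wrapping
    seen in the thread (cipher names never contain spaces).
    """
    enabled, disabled = set(), set()
    for tok in re.sub(r"\s+", "", policy).split(","):
        if not tok:
            continue
        sign, name = tok[0], tok[1:].lower()
        if sign == "+":
            enabled.add(name)
        elif sign == "-":
            disabled.add(name)
        else:
            raise ValueError(f"cipher token without +/- prefix: {tok!r}")
    return enabled, disabled


def grade(suite):
    """'weak' (NULL/export/RC4/RC2/MD5/single-DES/Fortezza), 'legacy' (3DES),
    or 'ok'. Works on both IANA-style names and 389-ds policy names."""
    s = suite.upper()
    if any(m in s for m in WEAK_MARKERS):
        return "weak"
    if any(m in s for m in LEGACY_MARKERS):
        return "legacy"
    return "ok"


def weak_suites(observed):
    """Sorted list of the suites in `observed` that grade as weak."""
    return sorted(s for s in observed if grade(s) == "weak")


def policy_applied(policy, observed):
    """True when the policy enables nothing weak and the scanner sees nothing
    weak. Sean's case (policy edited, scan unchanged) returns False, which
    points at the edit not being loaded rather than at the cipher names."""
    enabled, _ = parse_policy(policy)
    return not weak_suites(enabled) and not weak_suites(observed)


if __name__ == "__main__":
    for label, observed in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(observed)} suites, weak={weak_suites(observed)}, "
              f"policy applied={policy_applied(POLICY, observed)}")
```

Feed `parse_policy` the value straight out of dse.ldif and `weak_suites` the suite names from your own `nmap --script ssl-enum-ciphers -p 636` run; when the policy parses clean but the scan still lists RC4, single DES or export suites, the server is not running the edited configuration, which is the check Rob's "took me a minute" comparison amounts to.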

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan

Apparently making it the master ca will not work at this point since the
replica is removed.  So still stuck with non-changing ciphers.


Sean Hogan







From:   Sean Hogan/Durham/IBM
To: Rob Crittenden 
Cc: freeipa-users@redhat.com, Noriko Hosoi 
Date:   04/29/2016 08:56 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL


Hi Rob,

  I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue; however, same 13 ciphers.  You know.. thinking about
this now.. I'm going to try something.  The box I am testing on is a replica
master and not the first replica.  I did not think this would make a
difference since I removed the replica from the realm before testing, but
maybe it will not change anything, thinking it's stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.82s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
 sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397

From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi 
Cc: freeipa-users@redhat.com
Date:   04/29/2016 08:30 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up
> or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha


I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
 Accepted  TLSv1  256 bits  AES256-SHA
 Accepted  TLSv1  128 bits  AES128-SHA
 Accepted  TLSv1  112 bits  DES-CBC3-SHA
 Accepted  TLS11  256 bits  AES256-SHA
 Accepted  TLS11  128 bits  AES128-SHA
 Accepted  TLS11  112 bits  DES-CBC3-SHA
 Accepted  TLS12  256 bits  AES256-SHA256
 Accepted  TLS12  256 bits  AES256-SHA
 Accepted  TLS12  128 bits  AES128-GCM-SHA256
 Accepted  TLS12  128 bits  AES128-SHA256
 Accepted  TLS12  128 bits  AES128-SHA
 Accepted  TLS12  112 bits  DES-CBC3-SHA

rob

>
> Nmap is still showing the same 13 ciphers as before though like nothing
> had changed and I did ipactl stop, made modification, ipactl start
>
> Starting Nmap 5.51 ( http://nmap.org  ) at 2016-04-28
> 18:44 EDT
> Nmap scan report for
> Host is up (0.53s latency).
> PORT STATE SERVICE
> 636/tcp 
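
Rob's point is that the directive only helps if the cipher names are right and the defaults are disabled explicitly, and Sean's problem is that the scan looked identical after the restart. The following is an added example, not code from the thread or from 389-ds/FreeIPA: it parses an nsSSL3Ciphers value and nmap ssl-enum-ciphers listings, diffs a before/after scan so an unchanged cipher set is caught at once, and flags the accepted suites that belong to families a hardening pass usually removes. The WEAK_PATTERNS table is this example's own policy choice; the sample directive and the two scan listings are copied from the messages above.

```python
"""Verify that a 389-ds cipher change actually reached the wire.

Added example for the thread above (not code from FreeIPA, 389-ds or any
poster). Parses nsSSL3Ciphers, parses nmap ssl-enum-ciphers output, diffs
two scans and reports weak suites the server still accepts.
"""
import re

# Cipher families this example flags (its own policy choice; adjust locally).
# 3DES is included because nmap grades it "C".
WEAK_PATTERNS = {
    "NULL":   re.compile(r"NULL"),
    "EXPORT": re.compile(r"EXPORT"),
    "RC4":    re.compile(r"RC4"),
    "DES":    re.compile(r"(?<!3)DES(?!_EDE)"),   # single DES only, not 3DES
    "3DES":   re.compile(r"3DES"),
    "MD5":    re.compile(r"MD5"),
}

# One suite per line in ssl-enum-ciphers output, with or without the grade,
# e.g. "|   TLS_RSA_WITH_RC4_128_MD5" or "|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A"
NMAP_SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)")


def parse_nsssl3ciphers(directive):
    """Split an nsSSL3Ciphers value into enabled ('+') and disabled ('-') names.

    All whitespace is dropped first, so a value that LDIF folded across
    several lines (continuation lines start with a space) can be pasted in
    as-is. A bare name without a sign is treated as enable here (assumption).
    """
    enabled, disabled = [], []
    for tok in re.sub(r"\s+", "", directive).split(","):
        if not tok:
            continue
        if tok[0] == "-":
            disabled.append(tok[1:])
        else:
            enabled.append(tok.lstrip("+"))
    return {"enabled": enabled, "disabled": disabled}


def parse_nmap_ciphers(scan_output):
    """Return the suite names listed by nmap --script ssl-enum-ciphers."""
    matches = (NMAP_SUITE.match(line) for line in scan_output.splitlines())
    return [m.group(1) for m in matches if m]


def weak_ciphers(suites):
    """Map each accepted suite to the weak families it falls into."""
    report = {}
    for suite in suites:
        hits = [fam for fam, rx in WEAK_PATTERNS.items() if rx.search(suite)]
        if hits:
            report[suite] = hits
    return report


def scan_diff(before_output, after_output):
    """What the restart changed: suites that vanished and suites that appeared."""
    before = set(parse_nmap_ciphers(before_output))
    after = set(parse_nmap_ciphers(after_output))
    return {"removed": sorted(before - after), "added": sorted(after - before)}


def audit(directive, before_output, after_output):
    """Combine the three checks into one report for a before/after scan pair."""
    change = scan_diff(before_output, after_output)
    return {
        "disabled_in_directive": len(parse_nsssl3ciphers(directive)["disabled"]),
        "change": change,
        "still_weak": weak_ciphers(parse_nmap_ciphers(after_output)),
        # the "same 13 ciphers" case: the restart changed nothing on the wire
        "no_effect": not change["removed"] and not change["added"],
    }


# Sample inputs copied from the thread: Rob's directive as it appears folded
# in dse.ldif, Sean's 13-suite scan and Rob's 7-suite scan.
DIRECTIVE = """-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
 sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha"""

SCAN_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|   NULL
"""

SCAN_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
"""

if __name__ == "__main__":
    result = audit(DIRECTIVE, SCAN_BEFORE, SCAN_AFTER)
    print("directive disables %d suites" % result["disabled_in_directive"])
    print("removed after restart:", result["change"]["removed"])
    for suite, fams in result["still_weak"].items():
        print("still accepted: %s (%s)" % (suite, ", ".join(fams)))
    if result["no_effect"]:
        print("WARNING: scan unchanged, the edit did not reach the running instance")
```

Save the scanner output before and after the restart (`nmap --script ssl-enum-ciphers -p 636 host`) and hand both texts to audit(). An empty "removed" list is the situation Sean describes: the cipher set on the wire did not move, so the thing to verify is whether the edited dse.ldif is the one the running instance loaded, not the scanner. The "still_weak" report is informational; Rob's string deliberately keeps the two 3DES suites, and they show up there with grade C.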

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Rob Crittenden

Jose Alvarez R. wrote:

Hi,  Rob

Thanks!!


The xmlrpc-c version on my IPA server:
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64


The xmlrpc-c version on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64


You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed 
https://bugzilla.redhat.com/show_bug.cgi?id=719945


The libcurl version on the client looks ok.

This is only a client-side issue so no changes on the servers should be 
necessary IIRC. This appears to be EL 6.1 which at this point is quite old.


rob



The versions are the same, but the libcurl is different

This is the curl version on the IPA server:
[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#


This is the curl version on the PPA server (IPA client):
[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

Sorry, my English is not very good.


Regards.



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: viernes 29 de abril de 2016 11:14 a.m.
To: Jose Alvarez R. ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:

Hi Rob, Thanks for your response

Yes, It's with admin.


I assume this is a problem with your version of xmlrpc-c. We use standard
xmlrpc-c calls to set up authentication and IIRC that links against
libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c
>= 1.16.24-1200.1840.2


I'm confused about the versions. You mention PPA but include what look like
RPM versions that seem to point to RHEL 6.

rob



I execute the command "ipa-client-install --debug"
--
---


[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain':
None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later Loading Index
file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
"cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
YBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN Check if naming context
'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
is a valid IPA context Search for (objectClass=krbRealmContainer) in
dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com Start searching for LDAP SRV
record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com Discovery was
successful!
will use discovered realm: CYBERFUEL.COM will use discovered basedn:
dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: 

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi,  Rob

Thanks!!


The xmlrpc-c version on my IPA server:
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64


The xmlrpc-c version on my IPA client:
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

The versions are the same, but the libcurl is different

This is the curl version on the IPA server:
[root@freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root@freeipa log]#


This is the curl version on the PPA server (IPA client):
[root@ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

Sorry, my English is not very good.


Regards.



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: viernes 29 de abril de 2016 11:14 a.m.
To: Jose Alvarez R. ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi Rob, Thanks for your response
>
> Yes, It's with admin.

I assume this is a problem with your version of xmlrpc-c. We use standard
xmlrpc-c calls to set up authentication and IIRC that links against
libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c
>= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look like
RPM versions that seem to point to RHEL 6.

rob

>
> I execute the command "ipa-client-install --debug"
> --
> ---
>
>
> [root@ppa named]# ipa-client-install --debug 
> /usr/sbin/ipa-client-install was invoked with options: {'domain': 
> None,
> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
> 'primary': False, 'mkhomedir
> ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
> False, 'principal': None
> , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
> 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
> 'conf_sudo': True, 'conf_ssh': Tr
> ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
> False, 'uninstall': False}
> missing options might be asked for interactively later Loading Index 
> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None, 
> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in 
> "cyberfuel.com" (domain of the
> hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
> ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:C
> YBERFU
> EL.COM}
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={p
> riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA 
> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 
> Search LDAP server for IPA base DN Check if naming context 
> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' 
> is a valid IPA context Search for (objectClass=krbRealmContainer) in 
> dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com, 
> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, 
> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com 
> will use discovered domain: cyberfuel.com Start searching for LDAP SRV 
> record in "cyberfuel.com" (Validating DNS
> Discovery) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found:
> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prior
> ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
> DNS validated, enabling discovery
> will use discovered server: freeipa.cyberfuel.com Discovery was 
> successful!
> will use discovered realm: CYBERFUEL.COM will use discovered basedn: 
> dc=cyberfuel,dc=com
> Hostname: ppa.cyberfuel.com
> Hostname source: Machine's FQDN
> Realm: CYBERFUEL.COM
> Realm source: Discovered from LDAP DNS records in 
> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: 
> Discovered LDAP SRV records from cyberfuel.com (domain of the 
> hostname) IPA Server: 

[Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access

2016-04-29 Thread Gady Notrica
Hey guys,

After my previous issue, my passwords do not sync anymore with IPA. The password
was not changed for the sync user. Any ideas?

Thank you,

04/29/16 13:32:56: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:32:56: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:56: Deferring password change for jlaporte
04/29/16 13:32:58: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:32:58: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:58: Deferring password change for jlaporte
04/29/16 13:33:02: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:33:02: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:02: Deferring password change for jlaporte
04/29/16 13:33:10: Ldap error in ModifyPassword
50: Insufficient access
04/29/16 13:33:10: Modify password failed for remote entry: 
uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:10: Deferring password change for jlaporte

Gady

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Scratch that. Decided to be daring and run "getcert resubmit -i" for 
each cert (after verifying the first one worked), then shut ipa down, 
advanced the date, re-enabled ntpd and started it back up. Looks clean.



On 04/29/2016 01:22 PM, Bret Wortman wrote:
Of course, I just remembered that the server still thinks it's April 
4, and I still have some certs that are expiring as of 4-17-16. Before 
I screw anything else up, what's the RIGHT way to renew those certs 
and move the server back to real time?




On 04/29/2016 01:07 PM, Bret Wortman wrote:

Hot damn! It's up and running.  Web UI works. CLI works.

The chgrp did the trick.

Thank you Rob, Petr and Christian!


Bret

On 04/29/2016 01:04 PM, Rob Crittenden wrote:

Bret Wortman wrote:

We run with selinux disabled.

# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful
#


The problem is permissions. Try:

# chgrp apache /etc/httpd/alias/*.db

The mode is ok, Apache only needs read access.

The segfault is fixed upstream and actual usable error messages 
reported. The init system doesn't see it as a failure because this 
happens after Apache forks its children.


I'd also consider re-enabling SELinux eventually.

rob





On 04/29/2016 12:25 PM, Christian Heimes wrote:

On 2016-04-29 18:17, Bret Wortman wrote:

I'll put the results inline here, since they're short.

[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 
conf.modules.d

lrwxrwxrwx  root root ? logs ->
../../var/log/httpd
lrwxrwxrwx  root root ? modules ->
../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ? run -> /run/httpd
[root@zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ? cacert.asc
-r--r--r--  root root   ? cacert.asc.orig
-rw-r-  root root   ? cert8.db
-rw-rw  root apache ? cert8.db.20160426
-rw-rw  root apache ? cert8.db.orig
-rw---. root root   system_u:object_r:cert_t:s0 install.log
-rw-r-  root root   ? key3.db
-rw-rw  root apache ? key3.db.20160426
-rw-rw  root apache ? key3.db.orig
lrwxrwxrwx  root root   ? libnssckbi.so
-> ../../..//usr/lib64/libnssckbi.so
-rw-rw  root apache ? pwdfile.txt
-rw-rw  root apache ? pwdfile.txt.orig
-rw-rw  root apache ? secmod.db
-rw-rw  root apache ? secmod.db.orig

Some files don't have the correct SELinux context or are completely
missing a context. SELinux prevents Apache from accessing these files.
Did you replace some files or restore some from a backup? You 
should see

a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache 
HTTPD again.


Christian
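
Two fixes were proposed in this thread: chgrp apache on the *.db files (Rob) and restorecon on the directory (Christian). The script below is an added example, not code from FreeIPA or from any poster; it checks those two conditions so the state of /etc/httpd/alias can be verified before the next ipactl start instead of after it fails. The file names, the directory and the apache group come from the thread; the demo() fixture builds a throwaway directory, and the group name 'no-such-group-for-demo' is constructed.

```python
"""Check that the web server can read the NSS database behind IPA's HTTP service.

Added example for the "IPA server having cert issues" thread (not code from
FreeIPA or from any poster). Ownership/mode checks reflect Rob's chgrp
advice; the label check reflects Christian's restorecon advice.
"""
import grp
import os
import stat
import tempfile

# Files Apache (mod_nss) opens from the NSS directory, as listed in the thread.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")
HTTPD_ALIAS_DIR = "/etc/httpd/alias"


def _resolve_gid(group):
    """Accept a group name or a numeric gid; None when the name is unknown."""
    if isinstance(group, int):
        return group
    try:
        return grp.getgrnam(group).gr_gid
    except KeyError:
        return None


def check_nss_db_access(directory=HTTPD_ALIAS_DIR, group="apache", names=NSS_DB_FILES):
    """Return a list of problems; an empty list means the group can read the DB.

    Apache only needs read access through its group, so a missing group read
    bit or a wrong group is reported; key material must also not be
    world-accessible.
    """
    gid = _resolve_gid(group)
    if gid is None:
        return ["group %r does not exist on this host" % (group,)]
    problems = []
    for name in names:
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append("%s: missing" % path)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_gid != gid:
            problems.append("%s: group is gid %d, expected %s (chgrp needed)"
                            % (path, st.st_gid, group))
        if not mode & stat.S_IRGRP:
            problems.append("%s: mode %04o gives the group no read access" % (path, mode))
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            problems.append("%s: mode %04o is world-accessible" % (path, mode))
    return problems


def selinux_labels(directory=HTTPD_ALIAS_DIR, names=NSS_DB_FILES):
    """Map each file to its SELinux label, or None when it has none (the '?' in ls -Z).

    Reads the security.selinux extended attribute. On a host without SELinux
    (or without xattr support) every entry is None, so read the result
    together with `getenforce`.
    """
    labels = {}
    for name in names:
        path = os.path.join(directory, name)
        try:
            raw = os.getxattr(path, "security.selinux")
            labels[name] = raw.rstrip(b"\0").decode()
        except (OSError, AttributeError):
            labels[name] = None
    return labels


def demo():
    """Constructed fixture: a temp directory standing in for /etc/httpd/alias.

    Returns the check results for a correct layout, for a key3.db that lost
    its group read bit (as in the thread), and for an unknown group.
    """
    workdir = tempfile.mkdtemp(prefix="nssdb-demo-")
    for name in NSS_DB_FILES:
        path = os.path.join(workdir, name)
        open(path, "wb").close()
        os.chmod(path, 0o640)              # owner rw, group r: what Apache needs
    # The group the files were created with plays the role of 'apache' here.
    own_gid = os.stat(os.path.join(workdir, NSS_DB_FILES[0])).st_gid
    results = {"correct": check_nss_db_access(workdir, own_gid)}
    os.chmod(os.path.join(workdir, "key3.db"), 0o600)   # the -rw------- key3.db case
    results["group_cannot_read"] = check_nss_db_access(workdir, own_gid)
    results["unknown_group"] = check_nss_db_access(workdir, "no-such-group-for-demo")
    results["labels"] = selinux_labels(workdir)
    return results


if __name__ == "__main__":
    for state, outcome in demo().items():
        print(state, "->", outcome or "OK")
    print("live check of %s:" % HTTPD_ALIAS_DIR, check_nss_db_access() or "OK")
```

On a real server run it as root after any restore or manual copy of the NSS files: a "chgrp needed" line is the case Rob diagnosed, and a None label next to a file that has one on its neighbours is the mixed "?" listing Christian pointed at, which restorecon repairs. The script reports and never modifies anything.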


Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Of course, I just remembered that the server still thinks it's April 4, 
and I still have some certs that are expiring as of 4-17-16. Before I 
screw anything else up, what's the RIGHT way to renew those certs and 
move the server back to real time?




On 04/29/2016 01:07 PM, Bret Wortman wrote:

Hot damn! It's up and running.  Web UI works. CLI works.

The chgrp did the trick.

Thank you Rob, Petr and Christian!


Bret

On 04/29/2016 01:04 PM, Rob Crittenden wrote:

Bret Wortman wrote:

We run with selinux disabled.

# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful
#


The problem is permissions. Try:

# chgrp apache /etc/httpd/alias/*.db

The mode is ok, Apache only needs read access.

The segfault is fixed upstream and actual usable error messages 
reported. The init system doesn't see it as a failure because this 
happens after Apache forks its children.


I'd also consider re-enabling SELinux eventually.

rob





On 04/29/2016 12:25 PM, Christian Heimes wrote:

On 2016-04-29 18:17, Bret Wortman wrote:

I'll put the results inline here, since they're short.

[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0   ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 
conf.modules.d

lrwxrwxrwx  root root ? logs ->
../../var/log/httpd
lrwxrwxrwx  root root ? modules ->
../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ?run -> 
/run/httpd

[root@zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0  .
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ? cacert.asc
-r--r--r--  root root   ? cacert.asc.orig
-rw-r-  root root   ? cert8.db
-rw-rw  root apache ? cert8.db.20160426
-rw-rw  root apache ? cert8.db.orig
-rw---. root root   system_u:object_r:cert_t:s0 install.log
-rw-r-  root root   ? key3.db
-rw-rw  root apache ? key3.db.20160426
-rw-rw  root apache ? key3.db.orig
lrwxrwxrwx  root root   ? libnssckbi.so
-> ../../..//usr/lib64/libnssckbi.so
-rw-rw  root apache ? pwdfile.txt
-rw-rw  root apache ? pwdfile.txt.orig
-rw-rw  root apache ? secmod.db
-rw-rw  root apache ? secmod.db.orig

Some files don't have the correct SELinux context or are completely
missing a context. SELinux prevents Apache from accessing these files.
Did you replace some files or restore some from a backup? You 
should see

a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache 
HTTPD again.


Christian


Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Rob Crittenden

Jose Alvarez R. wrote:

Hi Rob, Thanks for your response

Yes, It's with admin.


I assume this is a problem with your version of xmlrpc-c. We use
standard xmlrpc-c calls to set up authentication and IIRC that
links against libcurl which provides the Kerberos/GSSAPI support. On EL6 
you need xmlrpc-c >= 1.16.24-1200.1840.2


I'm confused about the versions. You mention PPA but include what look 
like RPM versions that seem to point to RHEL 6.


rob



I execute the command "ipa-client-install --debug"
-


[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir
': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
False, 'principal': None
, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
'conf_sudo': True, 'conf_ssh': Tr
ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU
EL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit
y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,
port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ppa named]#
[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from 

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
server 1:
ipa-server-3.0.0-26.el6_4.4.x86_64

server2

ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 :

>
> ipa-server-3.0.0-37.el6.x86_64  << here
>
> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>
>> Please keep user-list in CC
>>
>> You did not send all information I requested.
>>
>> Please use `rpm -ql ipa-server` to get exact version number
>>
>>
>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>
>> Error is from GSS API and I'm thinking it relates to a cert issue.
>>
>> Server1 -> server 2 fail
>> Server 2 -> server1 ok
>>
>> Freeipa 3.0  both
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (Credentials cache file '/tmp/krb5cc_492' not
>> found)) errno 0 (Success)
>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=
>> meTocentral02.ABC.com " (central02:389):
>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
>> code may provide more information (Credentials cache file '/tmp/krb5cc_492'
>> not found))
>> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
>> for LDAPI requests
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
>> meTocentral02.ABC.com " (central02:389):
>> Replication bind with GSSAPI auth resumed
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
>> meTocentral02.ABC.com " (central02:389):
>> Missing data encountered
>> [26/Apr/2016:18:40:23 +0800]
>>
>>
>> On 29.04.2016 13:02, barry...@gmail.com wrote:
>>
>> Hi All:
>>
>> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>>
>> Now the slapd and IPA cert storage are quite a mess so they can't replicate,
>> even with nsslapd:security disabled (set to off)
>>
>>
>> thx
>> Barry
>>
>>
>> Hello Barry,
>>
>> Can you provide more info?
>>
>> What is your IPA version, OS?
>> What are the symptoms you are experiencing?
>> What do you mean by default ipa cert ?
>> Can you provide logs from replicas?
>> Can you provide `getcert list` command output?
>> Can you provide `ipactl status` from both server?
>>
>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
>> certificates are involved in this.
>>
>> Martin
>>
>>
>>
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
ipa-server-3.0.0-37.el6.x86_64  << here

2016-04-29 19:36 GMT+08:00 Martin Basti :

> Please keep user-list in CC
>
> You did not send all information I requested.
>
> Please use `rpm -ql ipa-server` to get exact version number
>
>
> On 29.04.2016 13:32, barry...@gmail.com wrote:
>
> Error is from GSS API and I'm thinking it relates to a cert issue.
>
> Server1 -> server 2 fail
> Server 2 -> server1 ok
>
> Freeipa 3.0  both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (Credentials cache file '/tmp/krb5cc_492' not
> found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=
> meTocentral02.ABC.com " (central02:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
> code may provide more information (Credentials cache file '/tmp/krb5cc_492'
> not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket
> for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
> meTocentral02.ABC.com " (central02:389):
> Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=
> meTocentral02.ABC.com " (central02:389):
> Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
> On 29.04.2016 13:02, barry...@gmail.com wrote:
>
> Hi All:
>
> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>
> Now the slapd and IPA cert storage are quite a mess so they can't replicate,
> even with nsslapd:security disabled (set to off)
>
>
> thx
> Barry
>
>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default ipa cert ?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
> certificates are involved in this.
>
> Martin
>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman

Hot damn! It's up and running.  Web UI works. CLI works.

The chgrp did the trick.

Thank you Rob, Petr and Christian!


Bret

On 04/29/2016 01:04 PM, Rob Crittenden wrote:

Bret Wortman wrote:

We run with selinux disabled.

# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful
#


The problem is permissions. Try:

# chgrp apache /etc/httpd/alias/*.db

The mode is ok, Apache only needs read access.

The segfault is fixed upstream and actual usable error messages 
reported. The init system doesn't see it as a failure because this 
happens after Apache forks its children.


I'd also consider re-enabling SELinux eventually.

rob





On 04/29/2016 12:25 PM, Christian Heimes wrote:

On 2016-04-29 18:17, Bret Wortman wrote:

I'll put the results inline here, since they're short.

[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0          ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0         alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
lrwxrwxrwx  root root ?                                   logs -> ../../var/log/httpd
lrwxrwxrwx  root root ?                                   modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ?                                   run -> /run/httpd
[root@zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0         .
drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ?                                   cacert.asc
-r--r--r--  root root   ?                                   cacert.asc.orig
-rw-r-----  root root   ?                                   cert8.db
-rw-rw----  root apache ?                                   cert8.db.20160426
-rw-rw----  root apache ?                                   cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0         install.log
-rw-r-----  root root   ?                                   key3.db
-rw-rw----  root apache ?                                   key3.db.20160426
-rw-rw----  root apache ?                                   key3.db.orig
lrwxrwxrwx  root root   ?                                   libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ?                                   pwdfile.txt
-rw-rw----  root apache ?                                   pwdfile.txt.orig
-rw-rw----  root apache ?                                   secmod.db
-rw-rw----  root apache ?                                   secmod.db.orig

Some files don't have the correct SELinux context or are completely
missing a context. SELinux prevents Apache from accessing these files.
Did you replace some files or restore some from a backup? You should see
a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache HTTPD 
again.


Christian











Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Rob Crittenden

Bret Wortman wrote:

We run with selinux disabled.

# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful
#


The problem is permissions. Try:

# chgrp apache /etc/httpd/alias/*.db

The mode is ok, Apache only needs read access.

The segfault is fixed upstream and actual usable error messages 
reported. The init system doesn't see it as a failure because this 
happens after Apache forks its children.


I'd also consider re-enabling SELinux eventually.

rob





On 04/29/2016 12:25 PM, Christian Heimes wrote:

On 2016-04-29 18:17, Bret Wortman wrote:

I'll put the results inline here, since they're short.

[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0          ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0         alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
lrwxrwxrwx  root root ?                                   logs -> ../../var/log/httpd
lrwxrwxrwx  root root ?                                   modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ?                                   run -> /run/httpd
[root@zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0         .
drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ?                                   cacert.asc
-r--r--r--  root root   ?                                   cacert.asc.orig
-rw-r-----  root root   ?                                   cert8.db
-rw-rw----  root apache ?                                   cert8.db.20160426
-rw-rw----  root apache ?                                   cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0         install.log
-rw-r-----  root root   ?                                   key3.db
-rw-rw----  root apache ?                                   key3.db.20160426
-rw-rw----  root apache ?                                   key3.db.orig
lrwxrwxrwx  root root   ?                                   libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ?                                   pwdfile.txt
-rw-rw----  root apache ?                                   pwdfile.txt.orig
-rw-rw----  root apache ?                                   secmod.db
-rw-rw----  root apache ?                                   secmod.db.orig

Some files don't have the correct SELinux context or are completely
missing a context. SELinux prevents Apache from accessing these files.
Did you replace some files or restore some from a backup? You should see
a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache HTTPD again.

Christian









Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi Rob, thanks for your response.

Yes, it's with admin.

I executed the command "ipa-client-install --debug":
-


[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found:
DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com,
domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: ppa.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: no
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ppa named]#
[root@ppa named]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None,
'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain':
None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac':
False, 'unattended': None, 'sssd': True, 'trust_sshfp': False,
'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None,
hostname=ppa.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the
hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found:
DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman

We run with selinux disabled.

# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other 
services

ipa: INFO: The ipactl command was successful
#



On 04/29/2016 12:25 PM, Christian Heimes wrote:

On 2016-04-29 18:17, Bret Wortman wrote:

I'll put the results inline here, since they're short.

[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0          ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0         alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
lrwxrwxrwx  root root ?                                   logs -> ../../var/log/httpd
lrwxrwxrwx  root root ?                                   modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ?                                   run -> /run/httpd
[root@zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0         .
drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ?                                   cacert.asc
-r--r--r--  root root   ?                                   cacert.asc.orig
-rw-r-----  root root   ?                                   cert8.db
-rw-rw----  root apache ?                                   cert8.db.20160426
-rw-rw----  root apache ?                                   cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0         install.log
-rw-r-----  root root   ?                                   key3.db
-rw-rw----  root apache ?                                   key3.db.20160426
-rw-rw----  root apache ?                                   key3.db.orig
lrwxrwxrwx  root root   ?                                   libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ?                                   pwdfile.txt
-rw-rw----  root apache ?                                   pwdfile.txt.orig
-rw-rw----  root apache ?                                   secmod.db
-rw-rw----  root apache ?                                   secmod.db.orig

Some files don't have the correct SELinux context or are completely
missing a context. SELinux prevents Apache from accessing these files.
Did you replace some files or restore some from a backup? You should see
a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache HTTPD again.

Christian




Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Anon Lister
Yep, sorry, I missed that. You need to put your public keys in IPA.
On Apr 29, 2016 3:32 AM, "Jakub Hrozek"  wrote:

On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> >
> > Your can still authenticate with SSH keys, but to access any NFS 4
shares
> > they will need a Kerberos ticket, which can be obtained via a 'kinit'
after
> > logging in.
> >
>
> Then how does the key authentication work if the .ssh directory on nfs4 is
> not accessible ?  Doesn't the key authentication process rely on
> .ssh/authorized keys being readable by the authentication module ?

SSSD can fetch the authorized keys from IPA, see man
sss_ssh_authorizedkeys(1)

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Surprisingly, I have created some local IPA users and added them to the same
HBAC rule, removed the AD group and applied this rule to the client, and that
worked.

How can I make this AD group work with HBAC?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George 
wrote:

> Hi
>
> If I disable the allow_all rule,
> I cannot log in to the client machine.
>
> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George 
> wrote:
>
>> Hi
>>
>> Actually I have added Domain Admins, and the user ben is not part of
>> Domain Admins. But when I log in to the client machine, I am getting the
>> below:
>>
>> -sh-4.2$ id
>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>
>>
>>
>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George 
>> wrote:
>>
>>> Hi
>>>
>>> While explaining here it went wrong. Actually what I did is:
>>> "Added external group to POSIX group"
>>>
>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek 
>>> wrote:
>>>
>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>> > Hi,
>>>> >
>>>> > "The other is that the groups might not show up on the client (do
>>>> > they?)"
>>>>
>>>> id $user.
>>>>
>>>> But I think Alexander noticed the root cause.
>>>>
>>>> >
>>>> > How can I check that?
>>>> >
>>>> > Thanks
>>>> > Ben
>>>> >
>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek
>>>> > wrote:
>>>> >
>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>> > > > Hi List,
>>>> > > >
>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>> > > > server. By default I can log in to the client server using an AD
>>>> > > > username.
>>>> > > >
>>>> > > > I want to apply HBAC rules against this client server. For that I
>>>> > > > have done the steps below.
>>>> > > >
>>>> > > > 1. created external group in IPA server
>>>> > > > 2. created local POSIX group on IPA server
>>>> > > > 3. added AD group to external group
>>>> > > > 4. added POSIX group to external group.
>>>> > > >
>>>> > > > After that I have created an HBAC rule by adding both local and
>>>> > > > external IPA groups, added sshd as service and selected service
>>>> > > > group as sudo.
>>>> > > >
>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>> > > > and while testing HBAC from the web I am getting access denied.
>>>> > >
>>>> > > Sorry, not enough info.
>>>> > >
>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>> > > well. The other is that the groups might not show up on the client
>>>> > > (do they?)
>>>> > >
>>>> > > Anyway, it might be a good idea to follow
>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>> > >
>>>> > > --
>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > > Go to http://freeipa.org for more info on the project
>>>> > >

>>>
>>>
>>
>

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Christian Heimes
On 2016-04-29 18:17, Bret Wortman wrote:
> I'll put the results inline here, since they're short.
> 
> [root@zsipa log]# ls -laZ /etc/httpd/
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
> drwxr-xr-x. root root system_u:object_r:etc_t:s0          ..
> drwxr-xr-x. root root system_u:object_r:cert_t:s0         alias
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
> lrwxrwxrwx  root root ?                                   logs -> ../../var/log/httpd
> lrwxrwxrwx  root root ?                                   modules -> ../../usr/lib64/httpd/modules
> lrwxrwxrwx  root root ?                                   run -> /run/httpd
> [root@zsipa log]# ls -laZ /etc/httpd/alias
> drwxr-xr-x. root root   system_u:object_r:cert_t:s0         .
> drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
> -r--r--r--  root root   ?                                   cacert.asc
> -r--r--r--  root root   ?                                   cacert.asc.orig
> -rw-r-----  root root   ?                                   cert8.db
> -rw-rw----  root apache ?                                   cert8.db.20160426
> -rw-rw----  root apache ?                                   cert8.db.orig
> -rw-------. root root   system_u:object_r:cert_t:s0         install.log
> -rw-r-----  root root   ?                                   key3.db
> -rw-rw----  root apache ?                                   key3.db.20160426
> -rw-rw----  root apache ?                                   key3.db.orig
> lrwxrwxrwx  root root   ?                                   libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
> -rw-rw----  root apache ?                                   pwdfile.txt
> -rw-rw----  root apache ?                                   pwdfile.txt.orig
> -rw-rw----  root apache ?                                   secmod.db
> -rw-rw----  root apache ?                                   secmod.db.orig

Some files don't have the correct SELinux context or are completely
missing a context. SELinux prevents Apache from accessing these files.
Did you replace some files or restore some from a backup? You should see
a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache HTTPD again.

Christian



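Both fixes in this thread can be checked mechanically from the `ls -laZ` output before anyone touches the files: Christian's point (entries whose context column shows `?`, which `restorecon` repairs) and Rob's point (the `*.db` files must be readable by the `apache` group). The script below is an added example, not code from the thread or from FreeIPA; its sample listing is constructed from the lines quoted above, and it assumes the `ls -laZ` field layout `mode owner group context name`.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): audit an `ls -laZ`
# listing of /etc/httpd/alias for the two defects diagnosed in this thread.
#   1. entries carrying no SELinux label (context column is "?") -> restorecon
#   2. NSS database files (*.db) the apache group cannot read   -> chgrp/chmod
# Assumed field layout: mode owner group context name [-> target]

# Constructed sample: copied from the listing quoted in this thread.
SAMPLE_LISTING='drwxr-xr-x. root root   system_u:object_r:cert_t:s0 .
-r--r--r--  root root   ? cacert.asc
-rw-r-----  root root   ? cert8.db
-rw-rw----  root apache ? cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0 install.log
-rw-r-----  root root   ? key3.db
lrwxrwxrwx  root root   ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ? pwdfile.txt
-rw-rw----  root apache ? secmod.db'

# Names of entries with no SELinux label at all (restorecon candidates).
unlabelled_entries() {
    printf '%s\n' "$1" | awk '$4 == "?" { print $5 }'
}

# *.db files whose group is not apache (chgrp candidates).
db_files_wrong_group() {
    printf '%s\n' "$1" | awk '$5 ~ /\.db$/ && $3 != "apache" { print $5 }'
}

# *.db files whose group-read bit (5th character of the mode string) is off
# (chmod candidates). Read access is all Apache needs, as Rob notes above.
db_files_no_group_read() {
    printf '%s\n' "$1" | awk '$5 ~ /\.db$/ && substr($1, 5, 1) != "r" { print $5 }'
}

# Print the remediation commands given in the thread, but only for defects the
# listing actually shows, so the output doubles as a findings report.
suggest_fixes() {
    listing=$1
    dir=${2:-/etc/httpd/alias}
    if [ -n "$(unlabelled_entries "$listing")" ]; then
        echo "restorecon -R -v $dir"
    fi
    for f in $(db_files_wrong_group "$listing"); do
        echo "chgrp apache $dir/$f"
    done
    for f in $(db_files_no_group_read "$listing"); do
        echo "chmod g+r $dir/$f"
    done
}

# Run against the constructed sample; on a live server pass
# "$(ls -laZ /etc/httpd/alias)" instead.
suggest_fixes "$SAMPLE_LISTING"
```

For the constructed listing this reports one `restorecon` and a `chgrp apache` for `cert8.db` and `key3.db`, the same two commands the thread converged on; the group-read check stays silent because the restored files already carry `-rw-r-----`.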

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman

I'll put the results inline here, since they're short.

[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0          ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0         alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
lrwxrwxrwx  root root ?                                   logs -> ../../var/log/httpd
lrwxrwxrwx  root root ?                                   modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ?                                   run -> /run/httpd
[root@zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0         .
drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ?                                   cacert.asc
-r--r--r--  root root   ?                                   cacert.asc.orig
-rw-r-----  root root   ?                                   cert8.db
-rw-rw----  root apache ?                                   cert8.db.20160426
-rw-rw----  root apache ?                                   cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0         install.log
-rw-r-----  root root   ?                                   key3.db
-rw-rw----  root apache ?                                   key3.db.20160426
-rw-rw----  root apache ?                                   key3.db.orig
lrwxrwxrwx  root root   ?                                   libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ?                                   pwdfile.txt
-rw-rw----  root apache ?                                   pwdfile.txt.orig
-rw-rw----  root apache ?                                   secmod.db
-rw-rw----  root apache ?                                   secmod.db.orig
[root@zsipa log]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
PRIVATE.NET IPA CA                                           CT,C,C
PRIVATE.NET IPA CA                                           CT,C,C
[root@zsipa log]#


On 04/29/2016 11:02 AM, Christian Heimes wrote:

On 2016-04-29 16:51, Bret Wortman wrote:

It is contacting the correct machine. I tried again by IP with the same
results.

/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.

Web UI won't load. CLI won't respond either. Commands just hang.

# netstat -ln | grep 443
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp6       2      0 :::443                  :::*                    LISTEN
# netstat -ln | grep 8009
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN
# curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
* Hostname was NOT found in DNS cache
*   Trying 192.168.208.53...
* Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
(long hang at this point, so I ^C-ed)

# openssl s_client -connect zsipa.private.net:443 -CAfile
/etc/ipa/ca.crt -verify 10
verify depth is 10
CONNECTED(0003)
(long hang at this point, aborted again)

For the other (longer) logs, see http://pastebin.com/esBBKyGZ

Also, answering Christian's questions:

mod_ssl has not been installed.

# ss -tpln | grep 443
LISTEN  0   100   :::8443   :::*   users:(("java",pid=26522,fd=84))
LISTEN  13  128   :::443    :::*   users:(("httpd",pid=26323,fd=6))
#

The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's
Tomcat instance.

The error log of Apache is more troublesome. It looks like your NSSDB is
busted:

[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize
failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library
Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052:
child pid 26327 exit signal Segmentation fault (11)

Please run these commands to show us the content of your NSSDB.

# ls -laZ /etc/httpd/
# ls -laZ /etc/httpd/alias
# certutil -L -d /etc/httpd/alias


Christian




Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

If I disable the allow_all rule,
I cannot log in to the client machine.

On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George 
wrote:

> Hi
>
> Actually I have added Domain Admins, and the user ben is not part of Domain
> Admins. But when I log in to the client machine, I am getting the below:
>
> -sh-4.2$ id
> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>
>
> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George
> wrote:
>
>> Hi
>>
>> While explaining here it went wrong. Actually what I did is:
>> "Added external group to POSIX group"
>>
>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek  wrote:
>>
>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>> > Hi,
>>> >
>>> > "The other is that the groups might not show up on the client (do
>>> > they?)"
>>>
>>> id $user.
>>>
>>> But I think Alexander noticed the root cause.
>>>
>>> >
>>> > How can I check that?
>>> >
>>> > Thanks
>>> > Ben
>>> >
>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek
>>> > wrote:
>>> >
>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>> > > > Hi List,
>>> > > >
>>> > > > I have a working setup of one AD, one IPA server and one client
>>> > > > server. By default I can log in to the client server using an AD
>>> > > > username.
>>> > > >
>>> > > > I want to apply HBAC rules against this client server. For that I
>>> > > > have done the steps below.
>>> > > >
>>> > > > 1. created external group in IPA server
>>> > > > 2. created local POSIX group on IPA server
>>> > > > 3. added AD group to external group
>>> > > > 4. added POSIX group to external group.
>>> > > >
>>> > > > After that I have created an HBAC rule by adding both local and
>>> > > > external IPA groups, added sshd as service and selected service
>>> > > > group as sudo.
>>> > > >
>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>> > > > and while testing HBAC from the web I am getting access denied.
>>> > >
>>> > > Sorry, not enough info.
>>> > >
>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>> > > The other is that the groups might not show up on the client (do
>>> > > they?)
>>> > >
>>> > > Anyway, it might be a good idea to follow
>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>> > >
>>> > > --
>>> > > Manage your subscription for the Freeipa-users mailing list:
>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > > Go to http://freeipa.org for more info on the project
>>> > >
>>>
>>
>>
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

Actually I have added Domain Admins, and the user ben is not part of Domain
Admins. But when I log in to the client machine, I am getting the below:

-sh-4.2$ id
uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)



On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George 
wrote:

> Hi
>
> While explaining here it went wrong. Actually what I did is:
> "Added external group to POSIX group"
>
> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek  wrote:
>
>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>> > Hi,
>> >
>> > "The other is that the groups might not show up on the client (do
>> > they?)"
>>
>> id $user.
>>
>> But I think Alexander noticed the root cause.
>>
>> >
>> > How can I check that?
>> >
>> > Thanks
>> > Ben
>> >
>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek
>> > wrote:
>> >
>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>> > > > Hi List,
>> > > >
>> > > > I have a working setup of one AD, one IPA server and one client
>> > > > server. By default I can log in to the client server using an AD
>> > > > username.
>> > > >
>> > > > I want to apply HBAC rules against this client server. For that I
>> > > > have done the steps below.
>> > > >
>> > > > 1. created external group in IPA server
>> > > > 2. created local POSIX group on IPA server
>> > > > 3. added AD group to external group
>> > > > 4. added POSIX group to external group.
>> > > >
>> > > > After that I have created an HBAC rule by adding both local and
>> > > > external IPA groups, added sshd as service and selected service
>> > > > group as sudo.
>> > > >
>> > > > I have applied this HBAC rule to the client server from the web UI,
>> > > > and while testing HBAC from the web I am getting access denied.
>> > >
>> > > Sorry, not enough info.
>> > >
>> > > One guess would be that you need to add the "sudo-i" service as well.
>> > > The other is that the groups might not show up on the client (do
>> > > they?)
>> > >
>> > > Anyway, it might be a good idea to follow
>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go to http://freeipa.org for more info on the project
>> > >
>>
>
>
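Jakub's `id $user` check is the quickest way to see why an HBAC rule that names an AD group denies a user: the rule can only match groups that appear in the user's group list as SSSD resolves it, and in the output above the user is in "domain users" and "sudo admins" but not in "Domain Admins". The snippet below is an added example, not code from the thread or from FreeIPA/SSSD; the `id` line, the realm `ad.example.test` and the rule contents are constructed, and it assumes SSSD's usual `id` output shape, in which group names may contain spaces.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA/SSSD): decide from `id`
# output whether a user can satisfy an HBAC rule that names AD groups.
# Assumes the usual `id` output shape, with group names possibly containing
# spaces ("domain users@realm") and an optional trailing " context=..." field.

# Constructed sample modelled on the output quoted in this thread; the user
# belongs to "domain users" and "sudo admins" but not to "domain admins".
SAMPLE_ID='uid=1827801104(ben@ad.example.test) gid=1827801104(ben@ad.example.test) groups=1827801104(ben@ad.example.test),1827800513(domain users@ad.example.test),1827801105(sudo admins@ad.example.test)'

# One group name per line, taken from the groups= field. Splitting on commas
# rather than whitespace keeps multi-word AD group names intact.
id_group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | sed 's/ context=.*//' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//'
}

# Exit 0 if the user is in the named group (case-insensitive, as AD names are).
in_group() {
    id_group_names "$1" | grep -qixF -- "$2"
}

# Print the rule's groups that the user satisfies. An empty result means the
# rule cannot match this user and HBAC denies, which is the symptom above.
# Rule groups are passed one per line in "$2".
hbac_matching_groups() {
    printf '%s\n' "$2" | while IFS= read -r grp; do
        [ -n "$grp" ] || continue
        if in_group "$1" "$grp"; then
            printf '%s\n' "$grp"
        fi
    done
}

# Hypothetical rule contents for the demonstration.
RULE_ADMINS_ONLY='domain admins@ad.example.test'
RULE_USERS_OR_ADMINS='domain admins@ad.example.test
domain users@ad.example.test'

echo "rule (admins only) matches:     [$(hbac_matching_groups "$SAMPLE_ID" "$RULE_ADMINS_ONLY")]"
echo "rule (users or admins) matches: [$(hbac_matching_groups "$SAMPLE_ID" "$RULE_USERS_OR_ADMINS")]"
```

With the constructed `id` line the admins-only rule matches nothing, reproducing the access-denied result, while a rule that also lists `domain users` matches; the same check run on the client with the real `id $user` output tells you whether the group mapping or the rule is at fault.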

Re: [Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Andreas Calminder
Hello,
The goal was that I wanted to just have passwords in sync, leaving attributes
and whatnot to Windows, but mostly to protect from accidental deletes in IPA
being carried out in the Active Directory. I've removed the oneWaySync
attribute and worked around it with limiting the permissions for the user
handling the replication.

Thanks!
Andreas

On 29 Apr 2016 5:49 p.m., Rich Megginson  wrote:
>
> On 04/29/2016 09:44 AM, Rob Crittenden wrote:
> > Andreas Calminder wrote:
> >> Hello,
> >>
> >> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting
> >> oneWaySync to fromWindows will affect password synchronization from IPA
> >> to AD, i.e. password changes from IPA will not be replicated to Windows?
> >>
> >
> > Hmm, interesting question, I'm not sure. What is your goal here? Do 
> > you want to disallow attribute changes in IPA to be replicated but you 
> > DO want passwords, or you don't want anything?
> >
> > ccing Rich to see what he thinks.
>
> AFAIK, there is no way to sync only passwords from IPA to AD.  So if you 
> set oneWaySync: fromWindows, you will not sync password changes from IPA 
> to AD.
>
> >
> > rob
>


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

While explaining here it went wrong. Actually what I did is:
"Added external group to POSIX group"

On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek  wrote:

> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
> > HI,
> >
> > "The other is that the groups might not show up on the client (do they?)"
>
> id $user.
>
> But I think Alexander noticed the root cause.
>
> >
> > how can i check that.
> >
> > Thanks
> > Ben
> >
> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek 
> wrote:
> >
> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > > > Hi List,
> > > >
> > > > I have working setup of one AD, one IPA server and one client
> server. by
> > > > default i can login to client server by using AD username.
> > > >
> > > > i want to apply HBAC rules against this client server. For that i
> have
> > > done
> > > > below steps.
> > > >
> > > > 1. created External group in IPA erver
> > > > 2. created local POSIX group n IPA server
> > > > 3. Added AD group to external group
> > > > 4. added POSIX group to external group.
> > > >
> > > > After that  have created HBAC rule by adding both local and external
> IPA
> > > > groups, added sshd as service and selected service group as sudo.
> > > >
> > > > i have applied this HBAC rule to client server and from web UI and
> while
> > > > testing HBAC from web, i am getting access denied .
> > >
> > > Sorry, not enough info.
> > >
> > > One guess would be that you need to add the "sudo-i" service as well.
> > > The other is that the groups might not show up on the client (do they?)
> > >
> > > Anyway, it might be good idea to follow
> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
> > >
> > >
>

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan

Hi Rob,

  I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue; however, same 13 ciphers.  You know.. thinking about
this now.. I am going to try something.  The box I am testing on is a replica
master and not the first replica.  I did not think this would make a
difference since I removed the replica from the realm before testing, but
maybe it will not change anything, thinking it's stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.82s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1





Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397









From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi 
Cc: freeipa-users@redhat.com
Date:   04/29/2016 08:30 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up
> or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha


I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
 Accepted  TLSv1  256 bits  AES256-SHA
 Accepted  TLSv1  128 bits  AES128-SHA
 Accepted  TLSv1  112 bits  DES-CBC3-SHA
 Accepted  TLS11  256 bits  AES256-SHA
 Accepted  TLS11  128 bits  AES128-SHA
 Accepted  TLS11  112 bits  DES-CBC3-SHA
 Accepted  TLS12  256 bits  AES256-SHA256
 Accepted  TLS12  256 bits  AES256-SHA
 Accepted  TLS12  128 bits  AES128-GCM-SHA256
 Accepted  TLS12  128 bits  AES128-SHA256
 Accepted  TLS12  128 bits  AES128-SHA
 Accepted  TLS12  112 bits  DES-CBC3-SHA

rob

>
> Nmap is still showing the same 13 ciphers as before though like nothing
> had changed and I did ipactl stop, made modification, ipactl start
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> Nmap scan report for
> Host is up (0.53s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | 

[Freeipa-users] DNS reverse Zones on other server

2016-04-29 Thread Wanka, Silvio
Hi,

if I search the web for this problem I don't find a usable solution; maybe 
my search pattern is wrong. ;-)

I have set up an IPA domain with integrated DNS, but because most systems 
here are Windows servers and clients, the IPA clients must use the same IP 
ranges. So the reverse zones are located on AD domain controllers. These 
reverse zones are of course configured as forward zones on the IPA DNS server. 
So reverse lookup works properly for all AD computers, but I miss a possibility 
that if we join a computer to IPA (which adds a DNS record) or manually add a DNS 
record, the reverse record will be automatically added on the AD side, as it 
would be done if the reverse zone were located on the IPA side.
Is the only possibility to manage the reverse record on the AD side manually, 
or to update/refresh it via a regularly running script?

I have a one-way trust to AD but won't change it to two-way; if necessary and 
possible I would use a special AD account for that.

TIA,
Silvio


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
> HI,
> 
> "The other is that the groups might not show up on the client (do they?)"

id $user.

But I think Alexander noticed the root cause.

> 
> how can i check that.
> 
> Thanks
> Ben
> 
> On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek  wrote:
> 
> > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > > Hi List,
> > >
> > > I have working setup of one AD, one IPA server and one client server. by
> > > default i can login to client server by using AD username.
> > >
> > > i want to apply HBAC rules against this client server. For that i have
> > done
> > > below steps.
> > >
> > > 1. created External group in IPA erver
> > > 2. created local POSIX group n IPA server
> > > 3. Added AD group to external group
> > > 4. added POSIX group to external group.
> > >
> > > After that  have created HBAC rule by adding both local and external IPA
> > > groups, added sshd as service and selected service group as sudo.
> > >
> > > i have applied this HBAC rule to client server and from web UI and while
> > > testing HBAC from web, i am getting access denied .
> >
> > Sorry, not enough info.
> >
> > One guess would be that you need to add the "sudo-i" service as well.
> > The other is that the groups might not show up on the client (do they?)
> >
> > Anyway, it might be good idea to follow
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> >



Re: [Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Rich Megginson

On 04/29/2016 09:44 AM, Rob Crittenden wrote:
> Andreas Calminder wrote:
>> Hello,
>>
>> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting
>> oneWaySync to fromWindows will affect password synchronization from IPA
>> to AD, I.E password changes from IPA will not be replicated to Windows?
>
> Hmm, interesting question, I'm not sure. What is your goal here? Do 
> you want to disallow attribute changes in IPA to be replicated but you 
> DO want passwords, or you don't want anything?
>
> ccing Rich to see what he thinks.

AFAIK, there is no way to sync only passwords from IPA to AD.  So if you 
set oneWaySync: fromWindows, you will not sync password changes from IPA 
to AD.

> rob




Re: [Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Rob Crittenden

Andreas Calminder wrote:
> Hello,
>
> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting
> oneWaySync to fromWindows will affect password synchronization from IPA
> to AD, I.E password changes from IPA will not be replicated to Windows?

Hmm, interesting question, I'm not sure. What is your goal here? Do you 
want to disallow attribute changes in IPA to be replicated but you DO 
want passwords, or you don't want anything?

ccing Rich to see what he thinks.

rob



Re: [Freeipa-users] IPA Server Web UI multiple network access

2016-04-29 Thread Martin Basti



On 29.04.2016 15:34, GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP wrote:
> I'm attempting to figure out if it's possible to configure IPA's web UI in such 
> a way that it can be accessed from both a private and a public network 
> infrastructure.
>
> I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) 
> and configured an IPA domain (dev.internal). Our client machines reside on a 
> separate domain (dev.external) and network, which the IPA server is 
> additionally connected to.
>
> From hosts on the internal network (10.1.0.0/16), I am able to access the IPA 
> web UI without issue, as expected.
>
> From hosts on the external network (192.168.1.0/24), I was initially presented 
> with a blank screen when attempting to access the web UI.
>
> I attempted to disable the httpd rewrite rules located in 
> /etc/httpd/conf.d/ipa-rewrite.conf and restarted the httpd server: this allowed 
> me to see the login page, but immediately presented me with a web app error 
> dialog.
>
> Lastly, I attempted to modify the ipa-rewrite.conf, replacing all instances of 
> the initial FQDN (ipa.dev.internal) with the public FQDN (ipa.dev.external): 
> this allowed me to see the login page and even to successfully submit login 
> credentials. However, upon entering valid login credentials I am immediately 
> redirected back to the login page in an infinite redirect loop.
>
> Are there any glaring oversights I'm making? I imagine that the problem 
> ultimately lies with Kerberos (and possibly my external client's HTTP 
> referrer), but admittedly I lack expertise in that area.
>
> Any help in getting this issue solved would be greatly appreciated.
>
> Thanks,
>
> Russell

I'm not sure if this is possible to do safely. Please read the following links; 
they may help. I'm not an expert in this area.

https://ssimo.org/blog/id_019.html
https://www.redhat.com/archives/freeipa-users/2015-May/msg00026.html

Martin





Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

I have created 2 fresh users now and I was running the below:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname`
--service sshd
ipa: ERROR: trusted domain user not found
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host
`hostname` --service sshd
ipa: ERROR: trusted domain user not found

but I am able to test with old users:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host
`hostname` --service sshd

Access granted: True

  Matched rules: allow_all
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname`
--service sshd

Access granted: True

  Matched rules: ad_can_login
  Matched rules: allow_all
  Not matched rules: local_admin_can_login


Is there any sync time for the trust?

When I was trying ipa trust-fetch-domains, I got the below:

[root@freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
trusted forest failed. See details in the error_log

Thanks & Regards,
Ben

On Fri, Apr 29, 2016 at 6:33 PM, Ben .T.George 
wrote:

> Hi Alex,
>
> yea my mistake.
>
> i was following u this
>
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources
>
>
>
> On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy 
> wrote:
>
>> On Fri, 29 Apr 2016, Ben .T.George wrote:
>>
>>> Hi List,
>>>
>>> I have working setup of one AD, one IPA server and one client server. by
>>> default i can login to client server by using AD username.
>>>
>>> i want to apply HBAC rules against this client server. For that i have
>>> done
>>> below steps.
>>>
>>> 1. created External group in IPA erver
>>> 2. created local POSIX group n IPA server
>>> 3. Added AD group to external group
>>> 4. added POSIX group to external group.
>>>
>> You should have added external group to POSIX group, not the other way
>> around.
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Rob Crittenden

Jose Alvarez R. wrote:
> Hi Users
>
> Can you help me?
>
> I have a problem joining a client to my FreeIPA server. The IPA server
> version is 3.0 and the IPA client is 3.0
>
> When I join my client to the IPA server it shows these errors:
>
> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
>
> 2016-04-28T17:26:41Z DEBUG stderr=
> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://freeipa.cyberfuel.com
> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
> identical
> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s
> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
> 2016-04-28T17:26:41Z DEBUG stdout=
> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is
> 401, not 200
> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.


I'd look in the 389-ds access and error logs on the IPA server to see if 
there are any more details. Look for the BIND from the client and see 
what happens.


More context from the log file might be helpful. I believe if you run 
the client installer with --debug then additional flags are passed to 
ipa-join to include the XML-RPC conversation and that might be useful too.


What account are you using to enroll with, admin?

rob



Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex,

Yeah, my mistake.

I was following this:

http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources



On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy 
wrote:

> On Fri, 29 Apr 2016, Ben .T.George wrote:
>
>> Hi List,
>>
>> I have working setup of one AD, one IPA server and one client server. by
>> default i can login to client server by using AD username.
>>
>> i want to apply HBAC rules against this client server. For that i have
>> done
>> below steps.
>>
>> 1. created External group in IPA erver
>> 2. created local POSIX group n IPA server
>> 3. Added AD group to external group
>> 4. added POSIX group to external group.
>>
> You should have added external group to POSIX group, not the other way
> around.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI,

"The other is that the groups might not show up on the client (do they?)"

How can I check that?

Thanks
Ben

On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek  wrote:

> On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > I have working setup of one AD, one IPA server and one client server. by
> > default i can login to client server by using AD username.
> >
> > i want to apply HBAC rules against this client server. For that i have
> done
> > below steps.
> >
> > 1. created External group in IPA erver
> > 2. created local POSIX group n IPA server
> > 3. Added AD group to external group
> > 4. added POSIX group to external group.
> >
> > After that  have created HBAC rule by adding both local and external IPA
> > groups, added sshd as service and selected service group as sudo.
> >
> > i have applied this HBAC rule to client server and from web UI and while
> > testing HBAC from web, i am getting access denied .
>
> Sorry, not enough info.
>
> One guess would be that you need to add the "sudo-i" service as well.
> The other is that the groups might not show up on the client (do they?)
>
> Anyway, it might be good idea to follow
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
>

[Freeipa-users] IPA Server Web UI multiple network access

2016-04-29 Thread GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP
I'm attempting to figure out if it's possible to configure IPA's web UI in such 
a way that it can be accessed from both a private and a public network 
infrastructure.

I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) 
and configured an IPA domain (dev.internal). Our client machines reside on a 
separate domain (dev.external) and network, which the IPA server is 
additionally connected to.

From hosts on the internal network (10.1.0.0/16), I am able to access the IPA 
web UI without issue, as expected.

From hosts on the external network (192.168.1.0/24), I was initially presented 
with a blank screen when attempting to access the web UI.

I attempted to disable the httpd rewrite rules located in 
/etc/httpd/conf.d/ipa-rewrite.conf and restarted the httpd server: this allowed 
me to see the login page, but immediately presented me with a web app error 
dialog.

Lastly, I attempted to modify the ipa-rewrite.conf, replacing all instances of 
the initial FQDN (ipa.dev.internal) with the public FQDN (ipa.dev.external): 
this allowed me to see the login page and even to successfully submit login 
credentials. However, upon entering valid login credentials I am immediately 
redirected back to the login page in an infinite redirect loop.

Are there any glaring oversights I'm making? I imagine that the problem 
ultimately lies with Kerberos (and possibly my external client's HTTP 
referrer), but admittedly I lack expertise in that area.

Any help in getting this issue solved would be greatly appreciated.

Thanks,

Russell





Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden

Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up
> or I would get the unknown cipher message


The trick is getting the cipher name right (it doesn't always follow a 
pattern) and explicitly disabling some ciphers as they are enabled by 
default.


Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha

I have an oldish install but I think it will still do what you need: 
389-ds-base-1.2.11.15-68.el6_7.x86_64


Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  112 bits  DES-CBC3-SHA
Accepted  TLS11  256 bits  AES256-SHA
Accepted  TLS11  128 bits  AES128-SHA
Accepted  TLS11  112 bits  DES-CBC3-SHA
Accepted  TLS12  256 bits  AES256-SHA256
Accepted  TLS12  256 bits  AES256-SHA
Accepted  TLS12  128 bits  AES128-GCM-SHA256
Accepted  TLS12  128 bits  AES128-SHA256
Accepted  TLS12  128 bits  AES128-SHA
Accepted  TLS12  112 bits  DES-CBC3-SHA

rob



> Nmap is still showing the same 13 ciphers as before though like nothing
> had changed and I did ipactl stop, made modification, ipactl start
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> Nmap scan report for
> Host is up (0.53s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
> |_      uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
>
> Current Config:
>
> dse.ldif
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha
> numSubordinates: 1
>
> nss.conf
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> Does nss.conf have anything to do with the dir srv ciphers? I know the
> 389 docs says they are tied together so the way I have been looking at
> it is nss.conf lists the allowed ciphers where dse.ldif lists which ones
> to use for 389 from nss.conf. Is that correct? Is there any other place
> where ciphers would be ignored?
>
> nss-3.19.1-8.el6_7.x86_64
> sssd-ipa-1.12.4-47.el6_7.4.x86_64
> ipa-client-3.0.0-47.el6_7.1.x86_64
> ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-3.0.0-47.el6_7.1.x86_64
> ipa-server-3.0.0-47.el6_7.1.x86_64
> libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
> ipa-admintools-3.0.0-47.el6_7.1.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
> 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
>
> I need to get rid of any rc4s
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: scho...@us.ibm.com | Tel 919 486 1397






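An added example for the cipher thread above (it is not code from the thread, from 389-ds or from FreeIPA): it ties Rob's suggested string to the nmap output Sean posted. It parses a 389-ds `+`/`-` cipher directive as found in dse.ldif (LDIF line folding included), pulls the suite names out of an `ssl-enum-ciphers` scan, and reports which weak families the server still offers that the directive never explicitly disables, which is the "enabled by default" trap Rob describes. The family markers (rc4, des, export, null, rc2) and the substring match between IANA suite names and 389-ds directive names are this example's own heuristic, not a 389-ds rule, and Rob's point that the names "don't always follow a pattern" is exactly why the scan, not the directive, is the final check. The scan text and both directives are copied from the messages above.

```python
"""Audit a 389-ds nsSSL3Ciphers directive against an nmap ssl-enum-ciphers scan.

Added example for the cipher thread; not 389-ds or FreeIPA code.  The family
matching is a heuristic of this example: the real mapping between IANA suite
names and 389-ds directive names is not mechanical.
"""
from __future__ import annotations

import re

# Substrings that mark cipher families to get rid of, matched case-insensitively
# against both IANA names (nmap) and 389-ds directive names.  "_des_" is chosen
# so that single DES matches but 3DES ("_3des_") does not.
WEAK_FAMILIES = {"rc4": "rc4", "des": "_des_", "export": "export",
                 "null": "null", "rc2": "rc2"}

# Cipher list from Sean's nmap 5.51 scan of port 636, as posted in the thread.
SEAN_SCAN = """\
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""

# Sean's dse.ldif value, kept with its LDIF line folding to show it is handled.
SEAN_DIRECTIVE = """\
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_
 rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha
 ,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
 aes_256_sha,+rsa_aes_256_sha"""

# The string Rob suggested in the thread.
ROB_DIRECTIVE = ("-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,"
                 "-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,"
                 "+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,"
                 "-tls_rsa_export1024_with_rc4_56_sha,"
                 "-tls_rsa_export1024_with_des_cbc_sha")


def families_of(name: str) -> set[str]:
    """Weak families a cipher name belongs to, e.g. {'rc4'} for TLS_RSA_WITH_RC4_128_SHA."""
    low = name.lower()
    return {fam for fam, marker in WEAK_FAMILIES.items() if marker in low}


def parse_nmap_ciphers(scan_output: str) -> list[str]:
    """IANA suite names in the order nmap's ssl-enum-ciphers script printed them."""
    return re.findall(r"\b((?:TLS|SSL)_[A-Z0-9_]+)", scan_output)


def weak_ciphers(names: list[str]) -> list[str]:
    """Subset of suite names that fall into one of the weak families."""
    return [n for n in names if families_of(n)]


def parse_directive(directive: str) -> tuple[set[str], set[str]]:
    """Split a +/- cipher directive into (enabled, disabled) sets of 389-ds names.

    LDIF continuation lines and any other whitespace are stripped first, so a
    value copied straight out of dse.ldif can be passed in as-is.
    """
    enabled: set[str] = set()
    disabled: set[str] = set()
    for token in re.sub(r"\s+", "", directive).split(","):
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign == "+":
            enabled.add(name)
        elif sign == "-":
            disabled.add(name)
        else:
            raise ValueError(f"cipher token without +/- prefix: {token!r}")
    return enabled, disabled


def audit(directive: str, scan_output: str) -> dict:
    """Compare what the server still offers with what the directive disables.

    'families_not_disabled' lists weak families seen in the scan for which the
    directive carries no '-' entry at all: those suites stay on by default until
    they are named explicitly, which is the trap Rob describes.
    """
    enabled, disabled = parse_directive(directive)
    observed = weak_ciphers(parse_nmap_ciphers(scan_output))
    observed_fams = set().union(*(families_of(n) for n in observed))
    disabled_fams = set().union(*(families_of(n) for n in disabled))
    return {
        "observed_weak": observed,
        "explicitly_enabled_weak": sorted(n for n in enabled if families_of(n)),
        "families_not_disabled": sorted(observed_fams - disabled_fams),
    }


if __name__ == "__main__":
    for label, directive in (("Sean's dse.ldif", SEAN_DIRECTIVE),
                             ("Rob's string", ROB_DIRECTIVE)):
        print(label, audit(directive, SEAN_SCAN))
```

Run against Sean's scan, his own dse.ldif value leaves the single-DES family unmentioned (so `SSL_RSA_FIPS_WITH_DES_CBC_SHA` and `TLS_RSA_WITH_DES_CBC_SHA` stay on by default), while Rob's string names every weak family the scan shows. Either way, the number that matters is the one a fresh scan after `ipactl restart` reports; if the directive looks complete and the scan is unchanged, the value is not being read from the file you edited, which is the direction Sean's replica question points in.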

Re: [Freeipa-users] Replication error

2016-04-29 Thread Anton Rubets
Hi
Yep, now "request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
directory)" is gone.
But I still have 
attrlist_replace - attr_replace (nsslapd-referral, 
ldap://ldap2.domain389/o%3Dipaca) failed.
Maybe you can help find out where I need to go? dirsrv, ldap, client, sssd, 
etc.
Best Regards
Anton Rubets



From: Petr Vobornik 
Sent: Thursday, April 28, 2016 1:49 PM
To: Anton Rubets; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication error

On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hi all
>
> I have issues with replication between two FreeIPA servers
>
> In the master's log
>
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
> directory)
>
>
> On replica server
>
>
> [26/Apr/2016:08:38:12 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vectors) of previously
removed replicas.

It happens when a replica is removed using:
  # ipa-replica-manage del $replica
  # ipa-server-install --uninstall (on replica)

without running:
  # ipa-csreplica-manage del $replica
first.

The resolution is to clear the RUVs manually using the clean RUV DS task, because
ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will
receive a new command which will handle both suffixes automatically - #5411.

The instructions can be found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html

and
* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or the general procedure for the future feature:
https://fedorahosted.org/freeipa/ticket/5411#comment:7


Important: Be very careful not to remove RUVs of existing replicas.


>
>
> And I can't find the source of this problem. I have checked permissions etc.
> As I see it, replication is working, but this message disturbs my email every
> few minutes and I want to fix this somehow. Also, I just migrated from 3.0 to 4.2.
> Info:
> Master :
>   rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Best Regards
> Anton Rubets
--
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
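The safety rule in Petr's reply (never clean the RUV of a replica that still exists) can be enforced by a small script rather than by eyeballing the RUV. The following is an added example, not FreeIPA or 389-ds code: it parses the nsds50ruv values of the RUV tombstone for o=ipaca (as returned by an ldapsearch of the tombstone entry), compares each replica's host against the list of live replicas you obtain from `ipa-csreplica-manage list`, and emits cleanallruv task LDIF, in the form given on the port389 FAQ page linked above, only for IDs whose host is not live. The RUV values and the hostnames ldap1/ldap2/ldap3.domain are constructed sample data.

```python
"""Find dangling RUV elements and emit cleanallruv task LDIF for them.

Added example for this thread; not FreeIPA or 389-ds project code.
Sample RUV data and hostnames below are constructed.
"""
import re

# Constructed sample: RUV tombstone of o=ipaca after ldap3 was removed with
# ipa-replica-manage del only (no ipa-csreplica-manage del).
SAMPLE_RUV_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=ipaca
nsds50ruv: {replicageneration} 5540b7e6000000600000
nsds50ruv: {replica 96 ldap://ldap1.domain:389} 5540b7f7000000600000 571f5a52000100600000
nsds50ruv: {replica 97 ldap://ldap2.domain:389} 5540c0a1000000610000 571f5a41000000610000
nsds50ruv: {replica 91 ldap://ldap3.domain:389} 55c1f0d20000005b0000 55f2aa100002005b0000
"""

# Constructed: what `ipa-csreplica-manage list` reports as existing replicas.
LIVE_REPLICAS = {"ldap1.domain", "ldap2.domain"}

RUV_RE = re.compile(r"\{replica (\d+) ldap://([^:/}]+)(?::\d+)?\}")


def parse_ruv(ldif_text):
    """Return {replica_id: hostname} for every element of the RUV."""
    ruv = {}
    for line in ldif_text.splitlines():
        if not line.startswith("nsds50ruv:"):
            continue
        m = RUV_RE.search(line)  # the {replicageneration} element has no match
        if m:
            ruv[int(m.group(1))] = m.group(2)
    return ruv


def dangling_replicas(ruv, live_hosts):
    """Replica IDs whose host is not in the live replica list."""
    return {rid: host for rid, host in ruv.items() if host not in live_hosts}


def cleanallruv_ldif(replica_id, suffix="o=ipaca", force=False):
    """LDIF for one 389-ds cleanallruv task (layout from the port389 FAQ)."""
    return (
        f"dn: cn=clean {replica_id},cn=cleanallruv,cn=tasks,cn=config\n"
        f"objectclass: extensibleObject\n"
        f"replica-base-dn: {suffix}\n"
        f"replica-id: {replica_id}\n"
        f"replica-force-cleaning: {'yes' if force else 'no'}\n"
        f"cn: clean {replica_id}\n"
    )


def plan(ldif_text, live_hosts, ids_to_clean=None):
    """Return (dangling {id: host}, task LDIF for the IDs to clean).

    If ids_to_clean is given (IDs an operator typed by hand), refuse any
    that still belong to a live replica: that is the warning in the thread.
    """
    ruv = parse_ruv(ldif_text)
    stale = dangling_replicas(ruv, live_hosts)
    wanted = set(stale) if ids_to_clean is None else set(ids_to_clean)
    live_ids = sorted(rid for rid in wanted if rid in ruv and rid not in stale)
    if live_ids:
        raise ValueError(f"refusing to clean live replica IDs: {live_ids}")
    return stale, "\n".join(cleanallruv_ldif(rid) for rid in sorted(wanted))


if __name__ == "__main__":
    stale, ldif = plan(SAMPLE_RUV_LDIF, LIVE_REPLICAS)
    print("dangling:", stale)
    print(ldif)
```

Feed the generated LDIF to ldapmodify as Directory Manager and watch the task entry and the errors log; repeat with replica-base-dn set to the domain suffix for the other half of the problem. If the script raises because an ID you typed belongs to a live host, stop and re-check `ipa-csreplica-manage list` before doing anything else.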

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Alexander Bokovoy

On Fri, 29 Apr 2016, Ben .T.George wrote:

> Hi List,
>
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server by using an AD username.
>
> I want to apply HBAC rules against this client server. For that I have done
> the steps below.
>
> 1. created External group in IPA server
> 2. created local POSIX group on IPA server
> 3. Added AD group to external group
> 4. added POSIX group to external group.

You should have added external group to POSIX group, not the other way
around.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Christian Heimes
On 2016-04-29 16:51, Bret Wortman wrote:
> It is contacting the correct machine. I tried again by IP with the same
> results.
> 
> /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
> 
> Web UI won't load. CLI won't respond either. Commands just hang.
> 
> # netstat -ln | grep 443
> tcp6   0 0 :::8443  
> :::* LISTEN
> tcp6   2 0 :::443   
> :::* LISTEN
> # netstat -ln | grep 8009
> tcp6   0 0 127.0.0.1:8009   
> :::* LISTEN
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
> * Hostname was NOT found in DNS cache
> *   Trying 192.168.208.53...
> * Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> (long hang at this point, so I ^C-ed)
> 
> # openssl s_client -connect zsipa.private.net:443 -CAfile
> /etc/ipa/ca.crt -verify 10
> verify depth is 10
> CONNECTED(0003)
> (long hang at this point, aborted again)
> 
> For the other (longer) logs, see http://pastebin.com/esBBKyGZ
> 
> Also, answering Christian's questions:
> 
> mod_ssl has not been installed.
> 
> # ss -tpln | grep 443
> LISTEN  0   100:::8443   :::*
> users:(("java",pid=26522,fd=84))
> LISTEN  13  128:::443:::*
> users:(("httpd",pid=26323,fd=6))
> #

The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's
Tomcat instance.

The error log of Apache is more troublesome. It looks like your NSSDB is
busted:

[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize
failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library
Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052:
child pid 26327 exit signal Segmentation fault (11)

Please run these commands to show us the content of your NSSDB.

# ls -laZ /etc/httpd/
# ls -laZ /etc/httpd/alias
# certutil -L -d /etc/httpd/alias


Christian




Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> Hi List,
> 
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server by using an AD username.
> 
> I want to apply HBAC rules against this client server. For that I have done
> the steps below.
> 
> 1. created External group in IPA server
> 2. created local POSIX group on IPA server
> 3. Added AD group to external group
> 4. added POSIX group to external group.
> 
> After that I have created an HBAC rule by adding both local and external IPA
> groups, added sshd as service and selected service group as sudo.
> 
> I have applied this HBAC rule to the client server from the web UI, and while
> testing HBAC from the web I am getting access denied.

Sorry, not enough info.

One guess would be that you need to add the "sudo-i" service as well.
The other is that the groups might not show up on the client (do they?)

Anyway, it might be good idea to follow
https://fedorahosted.org/sssd/wiki/Troubleshooting



Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
It is contacting the correct machine. I tried again by IP with the same 
results.


/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.

Web UI won't load. CLI won't respond either. Commands just hang.

# netstat -ln | grep 443
tcp6   0 0 :::8443 :::* LISTEN
tcp6   2 0 :::443:::* LISTEN
# netstat -ln | grep 8009
tcp6   0 0 127.0.0.1:8009 :::* LISTEN
# curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
* Hostname was NOT found in DNS cache
*   Trying 192.168.208.53...
* Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
(long hang at this point, so I ^C-ed)

# openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
verify depth is 10
CONNECTED(0003)
(long hang at this point, aborted again)

For the other (longer) logs, see http://pastebin.com/esBBKyGZ

Also, answering Christian's questions:

mod_ssl has not been installed.

# ss -tpln | grep 443
LISTEN  0   100:::8443   :::*
users:(("java",pid=26522,fd=84))
LISTEN  13  128:::443:::*
users:(("httpd",pid=26323,fd=6))
#

On 04/29/2016 10:08 AM, Petr Vobornik wrote:

On 04/29/2016 02:53 PM, Bret Wortman wrote:

Despite "ipactl status" indicating that all processes were running after
step 1, step 2 produces "Unable to establish SSL connection."

Full terminal session is at http://pastebin.com/ZuNBHPy0

Hm, it doesn't help me much.

Does it contact the correct machine? I.e., is IP address OK?

What is the result of:

netstat -ln | grep 443
netstat -ln | grep 8009

Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf

Try to run curl, maybe it will be more verbose, but probably not:

   # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus

Christian(CCd), do you have any ideas?

Could you look into /var/log/httpd/error_log or syslog(would try
/var/log/message and journalctl), There might be more information about the:
"""
status: NEED_TO_SUBMIT
ca-error: Internal error
"""
Which may help us with root culprit.

Do web ui or CLI work?


On 04/29/2016 07:29 AM, Petr Vobornik wrote:

On 04/29/2016 12:03 PM, Bret Wortman wrote:

The date change was due (I think) to me changing the date back to 4/1
yesterday, though I left it there and haven't updated it again until
this morning, when I went back to 4/1 again.

I put the results of the commands you requested at
https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
appreciate it.


Bret

If I combine this and the previous output, it seems that:

- PKI starts normally
- ipactl has troubles with determining that PKI started and after 5mins
of failed attempts it stops whole IPA (expected behavior when a service
doesn't start)

The failed attempt is:
"""
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-04-01 09:39:50--
https://zsipa.private.net/ca/admin/ca/getStatus
Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
Connecting to zsipa.private.net
(zsipa.private.net)|192.168.208.53|:443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
exit status 4
"""

It says "Unable to establish SSL connection", it would be good to get
more details.

Also given that the CA cert was renewed on April 3rd and that all certs
expires after that date, we should rather use date April 4th when moving
the date back.

So first start IPA again (date April 4th) but force it to not stop
services

1. ipactl start --force
wait until all is started
2. wget -v -d -S -O - --timeout=30 --no-check-certificate
https://zsipa.private.net:443/ca/admin/ca/getStatus

optionally (assuming that CA won't be turned off)
3. getcert list






[Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi List,

I have a working setup of one AD, one IPA server and one client server. By
default I can log in to the client server by using an AD username.

I want to apply HBAC rules against this client server. For that I have done
the steps below.

1. created External group in IPA server
2. created local POSIX group on IPA server
3. Added AD group to external group
4. added POSIX group to external group.

After that I have created an HBAC rule by adding both local and external IPA
groups, added sshd as service and selected service group as sudo.

I have applied this HBAC rule to the client server from the web UI, and while
testing HBAC from the web I am getting access denied.

How can I implement HBAC with an Active Directory user group?

Regards,
Ben

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Christian Heimes
On 2016-04-29 16:08, Petr Vobornik wrote:
> On 04/29/2016 02:53 PM, Bret Wortman wrote:
>> Despite "ipactl status" indicating that all processes were running after
>> step 1, step 2 produces "Unable to establish SSL connection."
>>
>> Full terminal session is at http://pastebin.com/ZuNBHPy0
> 
> Hm, it doesn't help me much.
> 
> Does it contact the correct machine? I.e., is IP address OK?
> 
> What is the result of:
> 
> netstat -ln | grep 443
> netstat -ln | grep 8009
> 
> Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf
> 
> Try to run curl, maybe it will be more verbose, but probably not:
> 
>   # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
> 
> Christian(CCd), do you have any ideas?

Is Apache HTTPD running and listening on 443/TCP?

$ ss -tpln | grep 443

Did you install mod_ssl by any chance? FreeIPA uses mod_nss. mod_ssl can
disrupt TLS services.


The openssl client tool shows more debug information than curl:

openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt
-verify 10

Christian




Re: [Freeipa-users] ipa-client password authentication failed

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:44 AM, siology.io wrote:
> On a clean centos 7 VM, after installation of ipa-server browsing to the ipa 
> web 
> UI gets me in the httpd error_logs:
> 
> [Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote 10.0.4.10:244]
> mod_wsgi (pid=10162): Target WSGI script
> '/usr/share/ipa/wsgi/plugins.py' does not contain WSGI application
> 'application'.
> 
> Is this a known issue ? I didn't get much out of google.
> 

I don't see this issue on RHEL 7.2 nor FreeIPA 4.3.x on F23. Could you
paste here content of your /usr/share/ipa/wsgi/plugins.py file?

Does it prevent the Web UI from loading?
-- 
Petr Vobornik



Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
> 
> Full terminal session is at http://pastebin.com/ZuNBHPy0

Hm, it doesn't help me much.

Does it contact the correct machine? I.e., is IP address OK?

What is the result of:

netstat -ln | grep 443
netstat -ln | grep 8009

Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf

Try to run curl, maybe it will be more verbose, but probably not:

  # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus

Christian(CCd), do you have any ideas?

Could you look into /var/log/httpd/error_log or syslog(would try
/var/log/message and journalctl), There might be more information about the:
"""
status: NEED_TO_SUBMIT
ca-error: Internal error
"""
Which may help us with root culprit.

Do web ui or CLI work?

> 
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.
>>>
>>>
>>> Bret
>> If I combine this and the previous output, it seems that:
>>
>> - PKI starts normally
>> - ipactl has troubles with determining that PKI started and after 5mins
>> of failed attempts it stops whole IPA (expected behavior when a service
>> doesn't start)
>>
>> The failed attempt is:
>> """
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>> https://zsipa.private.net/ca/admin/ca/getStatus
>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>> Connecting to zsipa.private.net
>> (zsipa.private.net)|192.168.208.53|:443... connected.
>> Unable to establish SSL connection.
>>
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>> exit status 4
>> """
>>
>> It says "Unable to establish SSL connection", it would be good to get
>> more details.
>>
>> Also given that the CA cert was renewed on April 3rd and that all certs
>> expires after that date, we should rather use date April 4th when moving
>> the date back.
>>
>> So first start IPA again (date April 4th) but force it to not stop
>> services
>>
>> 1. ipactl start --force
>> wait until all is started
>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>
>> optionally (assuming that CA won't be turned off)
>> 3. getcert list
>>
> 


-- 
Petr Vobornik



[Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi

while issuing ipa trust-fetch-domains, i am getting below error.

i have created new security group in AD and i want to add this to external
group.

[root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
trusted forest failed. See details in the error_log

Please help me to fix this error or explain more about it.

Regards

[Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Andreas Calminder

Hello,

I'm running ipa 4.2.0-15.el7 with winsync and am wondering if setting
oneWaySync to fromWindows will affect password synchronization from IPA
to AD, i.e. password changes from IPA will not be replicated to Windows?


Best regards,

Andreas



[Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi Users

Can you help me?

I have a problem joining a client to my FreeIPA server. The IPA server
version is 3.0 and the IPA client is 3.0.

When I join my client to the IPA server it shows these errors:

[root@ppa ~]# tail -f /var/log/ipaclient-install.log

2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from
ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com
-b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200

2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401,
not 200

2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

My client has PPA (http://www.odin.com/es/products/plesk-automation)
installed, and the curl version is:

curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

The curl version on my FreeIPA server is:

python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64

Can you help me?

Thanks, Regards

Jose Alvarez R.


Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
> 
> Full terminal session is at http://pastebin.com/ZuNBHPy0
> 
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.

I cannot view the pastebin:
"""
This is a private paste. If you created this paste, please login to view it.
"""

>>>
>>>
>>> Bret
>> If I combine this and the previous output, it seems that:
>>
>> - PKI starts normally
>> - ipactl has troubles with determining that PKI started and after 5mins
>> of failed attempts it stops whole IPA (expected behavior when a service
>> doesn't start)
>>
>> The failed attempt is:
>> """
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>> https://zsipa.private.net/ca/admin/ca/getStatus
>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>> Connecting to zsipa.private.net
>> (zsipa.private.net)|192.168.208.53|:443... connected.
>> Unable to establish SSL connection.
>>
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>> exit status 4
>> """
>>
>> It says "Unable to establish SSL connection", it would be good to get
>> more details.
>>
>> Also given that the CA cert was renewed on April 3rd and that all certs
>> expires after that date, we should rather use date April 4th when moving
>> the date back.
>>
>> So first start IPA again (date April 4th) but force it to not stop
>> services
>>
>> 1. ipactl start --force
>> wait until all is started
>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>
>> optionally (assuming that CA won't be turned off)
>> 3. getcert list
>>
> 


-- 
Petr Vobornik



Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Despite "ipactl status" indicating that all processes were running after 
step 1, step 2 produces "Unable to establish SSL connection."


Full terminal session is at http://pastebin.com/ZuNBHPy0

On 04/29/2016 07:29 AM, Petr Vobornik wrote:

On 04/29/2016 12:03 PM, Bret Wortman wrote:

The date change was due (I think) to me changing the date back to 4/1
yesterday, though I left it there and haven't updated it again until
this morning, when I went back to 4/1 again.

I put the results of the commands you requested at
https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
appreciate it.


Bret

If I combine this and the previous output, it seems that:

- PKI starts normally
- ipactl has troubles with determining that PKI started and after 5mins
of failed attempts it stops whole IPA (expected behavior when a service
doesn't start)

The failed attempt is:
"""
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-04-01 09:39:50--
https://zsipa.private.net/ca/admin/ca/getStatus
Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
Connecting to zsipa.private.net
(zsipa.private.net)|192.168.208.53|:443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
exit status 4
"""

It says "Unable to establish SSL connection", it would be good to get
more details.

Also given that the CA cert was renewed on April 3rd and that all certs
expires after that date, we should rather use date April 4th when moving
the date back.

So first start IPA again (date April 4th) but force it to not stop services

1. ipactl start --force
wait until all is started
2. wget -v -d -S -O - --timeout=30 --no-check-certificate
https://zsipa.private.net:443/ca/admin/ca/getStatus

optionally (assuming that CA won't be turned off)
3. getcert list



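The reasoning Petr applies when he says to move the clock to April 4th (a date after the CA certificate was renewed but before the earliest expiry, so that every certificate is valid at the same instant) can be done mechanically. The following is an added example, not FreeIPA or certmonger code: it parses the "Not Before" / "Not After" lines that `certutil -L -d /etc/httpd/alias -n <nickname>` prints for each certificate and computes the intersection of all validity windows. The nicknames and dates are constructed sample data. When the windows do not overlap at all the function returns None, which tells you that no clock rollback can make the whole set valid and one of the certificates has to be removed or re-issued first.

```python
"""Compute a date at which every certificate in a set is valid at once.

Added example for the clock-rollback renewal discussed in this thread; not
FreeIPA code. Input is the `Not Before` / `Not After` text printed by
`certutil -L -d <db> -n <nick>`. The certificates below are constructed.
"""
from datetime import datetime, timedelta

# Constructed: three certificates as certutil would print their validity.
SAMPLE_CERTUTIL_OUTPUT = {
    "Server-Cert": """\
        Not Before: Sun Aug 02 14:09:45 2015
        Not After : Fri Jan 29 14:09:45 2016
""",
    "ipaCert": """\
        Not Before: Mon Aug 03 09:00:00 2015
        Not After : Sun Apr 03 09:00:00 2016
""",
    "caSigningCert cert-pki-ca": """\
        Not Before: Sat Aug 01 12:00:00 2015
        Not After : Tue Jul 31 12:00:00 2035
""",
}

# certutil prints validity as e.g. "Fri Jan 29 14:09:45 2016"
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_validity(text):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    not_before = not_after = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Not Before:"):
            not_before = datetime.strptime(line.split(":", 1)[1].strip(), TIME_FMT)
        elif line.startswith("Not After"):   # note the space before the colon
            not_after = datetime.strptime(line.split(":", 1)[1].strip(), TIME_FMT)
    if not_before is None or not_after is None:
        raise ValueError("Not Before / Not After lines not found")
    return not_before, not_after


def common_window(certs):
    """Intersection of all validity windows, or None if they never overlap."""
    windows = [parse_validity(text) for text in certs.values()]
    start = max(nb for nb, _ in windows)   # latest Not Before
    end = min(na for _, na in windows)     # earliest Not After
    return (start, end) if start < end else None


def rollback_date(certs, margin=timedelta(days=1)):
    """A datetime inside the common window, `margin` after its start
    (a day after the newest cert was issued, as in Petr's April 4th)."""
    window = common_window(certs)
    if window is None:
        return None
    candidate = window[0] + margin
    return candidate if candidate < window[1] else window[0]


if __name__ == "__main__":
    print("common window:", common_window(SAMPLE_CERTUTIL_OUTPUT))
    print("suggested date:", rollback_date(SAMPLE_CERTUTIL_OUTPUT))
```

In practice you would feed it every nickname from `certutil -L -d /etc/httpd/alias`, `/etc/dirsrv/slapd-<INSTANCE>` and `/etc/pki/pki-tomcat/alias` (or the certificates that `getcert list` tracks), since a single expired certificate in any of those databases stops the corresponding service from starting.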


Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti



On 29.04.2016 14:13, Roderick Johnstone wrote:

On 29/04/2016 10:27, Martin Basti wrote:



On 29.04.2016 11:02, Martin Basti wrote:



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
in use by freeipa (see previous thread on this list).

When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
reverted some, but not all of, my changed settings in dse.ldif.

I'd like to understand what is expected to happen to this file on a
package upgrade (rpm reports that this file is not owned by any
package, so I guess it's manipulated by a scriptlet) since at least one
of my changes was preserved.

Also, if I need to maintain a customised cipher suite for ipa, am I
required to only do yum updates of the ipa-server package by hand and
manually merge back in my changes, or is there a better way?

Thanks

Roderick Johnstone


Hello,

probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own
upgrade file (number must be higher than 20) to IPA
'/usr/share/ipa/updates/'

something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Martin



I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
/usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin


Martin

That's the perfect solution, and it works well for me. Thank you very much.

I didn't see this info documented in the RHEL7 IdM Guide (apart from a 
reference to the directory in the list of configuration files in 
section 28.1) or on the freeipa wiki. Did I miss it somewhere?


Thanks again.

Roderick


You are welcome,
well, I don't think that this is documented in the guide, it is quite 
hackish.


I created ticket https://fedorahosted.org/freeipa/ticket/5863

Martin

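A check for the situation Roderick hit, as an added example (not FreeIPA or 389-ds code): after an upgrade, compare the cn=encryption,cn=config entry in the live dse.ldif with the dse.ldif.ipa.<hash> backup the upgrade leaves behind, so a silently reverted cipher setting is noticed before the next maintenance window rather than during an audit. Both LDIF fragments are constructed sample data; the cipher-list value assumes the 389-ds "-all,+NAME" syntax and should be replaced by whatever your own update file sets.

```python
"""Diff the TLS settings of cn=encryption,cn=config between the live dse.ldif
and the backup copy (dse.ldif.ipa.<hash>) the IPA upgrade writes.

Added example, not FreeIPA or 389-ds code. Both LDIF texts are constructed;
the cipher-list value assumes 389-ds's "-all,+NAME" syntax.
"""

ENCRYPTION_DN = "cn=encryption,cn=config"
# attribute names lower-cased, since LDAP attribute names are case-insensitive
WATCHED = ("nsssl3ciphers", "allowweakcipher", "sslversionmin")

# Constructed: the entry before the upgrade (what the backup copy holds).
# The cipher list is folded over two lines, as LDIF allows.
BACKUP_DSE = """\
dn: cn=config
objectClass: top
cn: config

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSL3Ciphers: -all,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
allowWeakCipher: off
sslVersionMin: TLS1.2
"""

# Constructed: after the upgrade the cipher list is back to "default" while
# allowWeakCipher survived (the "some, but not all" from the thread).
CURRENT_DSE = """\
dn: cn=config
objectClass: top
cn: config

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSL3Ciphers: default
allowWeakCipher: off
sslVersionMin: TLS1.2
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr_lower: [values]}}.

    Unfolds continuation lines (leading space), skips comments; base64
    values (attr:: ...) are kept verbatim, which is enough for a diff."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current, dn = {}, {}, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def encryption_settings(ldif_text):
    """The watched attributes of cn=encryption,cn=config ([] when absent)."""
    entry = parse_ldif(ldif_text).get(ENCRYPTION_DN, {})
    return {attr: entry.get(attr, []) for attr in WATCHED}


def reverted_settings(current_text, backup_text):
    """{attr: (backup values, current values)} for every attribute that changed."""
    cur, old = encryption_settings(current_text), encryption_settings(backup_text)
    return {a: (old[a], cur[a]) for a in WATCHED if old[a] != cur[a]}


if __name__ == "__main__":
    for attr, (before, after) in reverted_settings(CURRENT_DSE, BACKUP_DSE).items():
        print(f"{attr}: {before} -> {after}")
```

Run it against the real files with dirsrv stopped or on copies (dse.ldif is rewritten by the server), and treat any non-empty result as a reason to re-run `ipa-ldap-updater /usr/share/ipa/updates/99-myciphers.update` and re-check.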


Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Roderick Johnstone

On 29/04/2016 10:27, Martin Basti wrote:



On 29.04.2016 11:02, Martin Basti wrote:



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
in use by freeipa (see previous thread on this list).

When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
reverted some, but not all of, my changed settings in dse.ldif.

I'd like to understand what is expected to happen to this file on a
package upgrade (rpm reports that this file is not owned by any
package, so I guess it's manipulated by a scriptlet) since at least one
of my changes was preserved.

Also, if I need to maintain a customised cipher suite for ipa, am I
required to only do yum updates of the ipa-server package by hand and
manually merge back in my changes, or is there a better way?

Thanks

Roderick Johnstone


Hello,

probably IPA upgrade did this change

if you need custom ciphers to be preserved, you have to put your own
upgrade file (number must be higher than 20) to IPA
'/usr/share/ipa/updates/'

something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Martin



I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
/usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin


Martin

That's the perfect solution, and it works well for me. Thank you very much.

I didn't see this info documented in the RHEL7 IdM Guide (apart from a 
reference to the directory in the list of configuration files in section 
28.1) or on the freeipa wiki. Did I miss it somewhere?


Thanks again.

Roderick



Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Martin Basti



On 29.04.2016 13:27, Ben .T.George wrote:

HI

Thanks for your reply.

can i do this external group mapping from web UI?


You can create External Group using webUI (user groups/ add group/ 
choose external radio button)


More doc about HBAC: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html


Martin


On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote:


On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
> Hi List,
>
> I have a working setup of IPA with AD integrated and one client joined.
>
> I want to implement HBAC rules against this client. Can anyone please share
> with me good articles on implementing HBAC from the web UI.

I'm not sure about the web UI, but as a general rule you'll want to add
an external group (created with --external) as a member of a POSIX group
and reference the POSIX group in the HBAC rule. The AD members should be
added as members of the external group.







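To make the nesting rule from Jakub's and Alexander's replies concrete, here is an added toy model (not FreeIPA or SSSD code, which resolve memberships through LDAP and SSSD's cache) of how membership propagates. Membership only flows from a member up to the group that contains it, so an AD user reaches the POSIX group that the HBAC rule references only when the external group is a member of the POSIX group; adding the POSIX group to the external group, as in the original post, gives the AD user nothing. All user, group, host and rule names are constructed.

```python
"""Toy model of FreeIPA group nesting for HBAC rules applied to AD users.

Added example, not FreeIPA or SSSD code: it only illustrates why the
external group must be a member of the POSIX group and not the other way
round. All names are constructed.
"""


def resolve_groups(direct, membership):
    """Transitive closure of group membership.

    `membership` maps group -> set of its direct members (users or groups).
    Membership flows upward: if g is a member of p, a member of g is in p."""
    seen = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for parent, members in membership.items():
            if group in members:
                stack.append(parent)
    return seen


def hbac_allows(user, user_groups, host, service, rule, membership):
    """Evaluate one allow rule: user (directly or via a group), host and
    service must all match. Returns True or False."""
    groups = resolve_groups(user_groups, membership)
    user_ok = user in rule["users"] or bool(groups & rule["groups"])
    return user_ok and host in rule["hosts"] and service in rule["services"]


# Constructed data: an AD user whose only group is an AD security group.
AD_USER = "jdoe@ad.example"
AD_GROUP = "linux-admins@ad.example"   # SID-backed AD group, constructed

# The HBAC rule references only the POSIX group, as the replies recommend.
RULE = {"users": set(), "groups": {"posix-admins"},
        "hosts": {"client.idm.local"}, "services": {"sshd"}}

# Correct nesting: AD group -> external group -> POSIX group.
CORRECT = {
    "ext-admins": {AD_GROUP},
    "posix-admins": {"ext-admins"},
}

# Nesting from the original post: the POSIX group was added *to* the
# external group, so nothing above the external group ever sees the AD user.
WRONG = {
    "ext-admins": {AD_GROUP, "posix-admins"},
    "posix-admins": set(),
}


def check(membership):
    """Does the AD user get sshd on the client under this nesting?"""
    return hbac_allows(AD_USER, {AD_GROUP}, "client.idm.local", "sshd", RULE, membership)


if __name__ == "__main__":
    print("correct nesting:", check(CORRECT))   # True
    print("wrong nesting:  ", check(WRONG))     # False
```

On a real deployment the equivalent check is `ipa hbactest` with the AD user, the client host and the service, run after the client has been able to resolve the groups (`id user@ad.example` on the client is the quickest way to see whether the POSIX group shows up at all).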

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread Martin Basti

Please keep the user list in CC.

You did not send all information I requested.

Please use `rpm -ql ipa-server` to get exact version number

On 29.04.2016 13:32, barry...@gmail.com wrote:


The error is from the GSS API, and I'm thinking it relates to a cert issue.

Server1> server 2 fail
Server 2   > server1 ok

Freeipa 3.0  both

slapd_ldap_sasl_interactive_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) 
(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Credentials cache file 
'/tmp/krb5cc_492' not found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - 
agmt="cn=meTocentral02.ABC.com" 
(central02:389): Replication bind with GSSAPI auth failed: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Credentials 
cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on 
/var/run/slapd-ABC-COM.socket for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - 
agmt="cn=meTocentral02.ABC.com" 
(central02:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - 
agmt="cn=meTocentral02.ABC.com" 
(central02:389): Missing data encountered

[26/Apr/2016:18:40:23 +0800]



On 29.04.2016 13:02, barry...@gmail.com wrote:

Hi All:

Is there any method to fall back to the default IPA cert if I didn't back up the original?

Now the slapd and IPA cert storage are quite a mess, so they can't 
replicate even with nsslapd:security set to off.



thx
Barry



Hello Barry,

Can you provide more info?

What are your IPA version and OS?
What are the symptoms you are experiencing?
What do you mean by the default IPA cert?
Can you provide logs from the replicas?
Can you provide the `getcert list` command output?
Can you provide `ipactl status` from both servers?

Replication uses GSSAPI, at least on new IPA versions; I'm not sure if 
certificates are involved in this.


Martin



Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:37 PM, Prashant Bapat wrote:
> Hi Petr,
> 
> Thanks for the response. But my question was more towards the cases where
> there is a slight delay in entering the OTP in the web UI and it reaching
> the IPA server. This actually can happen with ANY time window.
> 
> There are a couple of scenarios.
> 
> 1. Network delays.
> 2. User enters the OTP token and takes a few seconds before pressing submit.

> 3. User has to enter OTP first and then the password. This is the case when 
> changing the password in IPA at the moment when OTP is on.

Actually, the password change scenario is:
1. oldpassword + otp
2. old password + otp2 + new password + confirm new password

> 
> Is there a way to make IPA honor either the current token (obviously!) or 1 
> elapsed token?

Actually it may be done this way, but I'm not sure.

> 
> This will go a long way in making FreeIPA's OTP implementation much more 
> usable.

Either way, as I said in the previous mail, try HOTP tokens. They don't
use time windows and therefore the above is not an issue.

> 
> Thanks.
> --Prashant
> 
> On 25 April 2016 at 21:48, Petr Vobornik wrote:
> 
> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA extensively for users to
> > login to the web UI. Now we are rolling out an external service using
> > the LDAP authentication based on FreeIPA and OTP.
> >
> > End users typically login rarely to the web UI. Only to update their
> > SSH keys once in 90 days.
> >
> > However to the new service based on FreeIPA's LDAP they would be
> > logging in multiple times daily.
> >
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in
> > requiring the current token to be inside the 30 second window. Because
> > of this there might be a sizable percentage of users who will have to
> > retry login. Obviously, this is a bad user experience.
> >
> > As per the RFC-6238 section 5.2, we could allow 1 time step and make
> > the user experience better.
> >
> > Can this be done by changing a config or does it involve a
> > patch/code-change. Any pointers to this appreciated.
> >
> > Thanks.
> > --Prashant
> >
> 
> FreeIPA works with both time based OTP tokens (TOTP) and counter based
> OTP tokens (HOTP). TOTP uses a 30s time interval by default. Administrator
> can set custom clock interval during creation of a token. But
> self-service Web UI doesn't show this option. Users can still use it in
> CLI though.
> 
> Alternative is HOTP which doesn't use time interval and there the UX
> issue is not there. It can be also created in user self service.
> --
> Petr Vobornik
> 
> 


-- 
Petr Vobornik

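The time-step arithmetic Prashant and Petr are discussing, as an added example that is not FreeIPA's code: an RFC 6238 verifier whose look-back `window` implements "current token or one elapsed token", together with the replay guard that a wider window makes necessary. The token secret is the RFC 4226 test seed; all names here are assumptions.

```python
"""RFC 6238 TOTP check with a configurable look-back window.

Added illustration, not FreeIPA's own implementation.  It shows how a 30 s
step size turns wall-clock time into a counter, and what accepting "one
elapsed token" (RFC 6238 section 5.2 resynchronisation) costs in replay
exposure, which is why a last-accepted counter is tracked per token.
"""
import hashlib
import hmac
import struct
import time

DEFAULT_STEP = 30      # FreeIPA's default TOTP interval, per the thread
DEFAULT_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(now: float, step: int = DEFAULT_STEP) -> int:
    """Number of whole time steps since the Unix epoch (T0 = 0)."""
    return int(now) // step


def totp(secret: bytes, now: float, step: int = DEFAULT_STEP,
         digits: int = DEFAULT_DIGITS) -> str:
    """The code a token would display at time `now`."""
    return hotp(secret, totp_counter(now, step), digits)


class TotpVerifier:
    """Server-side state for one token.

    `window` is how many *earlier* steps are still accepted, so window=1
    is the "current or one elapsed token" behaviour asked for in the
    thread.  Future steps are deliberately not accepted: a delayed
    submission only ever makes a code look old, never new.
    """

    def __init__(self, secret: bytes, step: int = DEFAULT_STEP,
                 digits: int = DEFAULT_DIGITS, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = None   # highest counter already consumed

    def verify(self, code: str, now: float = None):
        """Return the counter that matched, or None.

        A code is accepted once: any counter at or below the last accepted
        one is refused, so widening the window does not let the same code
        be replayed during the extra seconds it stays valid.
        """
        if now is None:
            now = time.time()
        current = totp_counter(now, self.step)
        for back in range(self.window + 1):
            counter = current - back
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return counter
        return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test seed, used here as a demo token secret.
    seed = b"12345678901234567890"
    shown = totp(seed, 59)                    # code valid for t in [30, 60)
    strict = TotpVerifier(seed, window=0)
    lenient = TotpVerifier(seed, window=1)
    print("t=89 strict :", strict.verify(shown, 89))    # None: one step late
    print("t=89 lenient:", lenient.verify(shown, 89))   # 1: accepted
    print("t=89 replay :", lenient.verify(shown, 89))   # None: already used
```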


[Freeipa-users] WinSync: The correct method for unbinding some users from synchronization

2016-04-29 Thread cac2s

Hello ALL.

In our organization it became necessary to:

- replicate all user accounts from AD to FreeIPA preserving user 
passwords (the passwords will appear in FreeIPA when they are changed in 
AD, using WinSync)

- unbind part of the migrated accounts from synchronization
- remove the unbound users from AD (they should remain, with password, on 
the FreeIPA side)
- the remaining accounts (on the AD side) should continue to be 
synchronized/replicated (add/change/delete on the AD side)


For reasons that do not depend on me, the use of a trust does 
not suit us...


The question is whether the following method is the right way to unbind part of the 
user accounts from the sync, by removing:


- objectClass: ntUser
- ntUniqueId: *
- ntUserAcctExpires: *
- ntUserCodePage: *
- ntUserDeleteAccount: *

or perhaps there is a more correct method?

Thanks.

p.s.: sorry for my English



Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:03 PM, Bret Wortman wrote:
> The date change was due (I think) to me changing the date back to 4/1
> yesterday, though I left it there and haven't updated it again until
> this morning, when I went back to 4/1 again.
> 
> I put the results of the commands you requested at
> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
> appreciate it.
> 
> 
> Bret

If I combine this and the previous output, it seems that:

- PKI starts normally
- ipactl has trouble determining that PKI started and after 5 minutes
of failed attempts it stops the whole of IPA (expected behavior when a service
doesn't start)

The failed attempt is:
"""
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-04-01 09:39:50--
https://zsipa.private.net/ca/admin/ca/getStatus
Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
Connecting to zsipa.private.net
(zsipa.private.net)|192.168.208.53|:443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
exit status 4
"""

It says "Unable to establish SSL connection", it would be good to get
more details.

Also given that the CA cert was renewed on April 3rd and that all certs
expire after that date, we should rather use the date April 4th when moving
the date back.

So first start IPA again (date April 4th) but force it to not stop services:

1. ipactl start --force
wait until all is started
2. wget -v -d -S -O - --timeout=30 --no-check-certificate
https://zsipa.private.net:443/ca/admin/ca/getStatus

optionally (assuming that the CA won't be turned off)
3. getcert list

-- 
Petr Vobornik

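The reasoning Petr applies above (pick a date after the latest renewal and before the earliest expiry), as an added example that is not IPA's tooling: it parses certutil-style validity lines from a constructed sample and computes the clock window in which every certificate is valid, reporting when no such window exists. The `Nickname:` header per block, the function names and the sample certificates are assumptions.

```python
"""Which clock value makes every IPA certificate valid at once?

Added illustration, not IPA's own tooling.  When services are started with
the clock moved back, the date has to fall after the *latest* "Not Before"
and before the *earliest* "Not After" of all certificates involved; a cert
that expired before another one was issued leaves no such date at all.
Validity lines follow `certutil -L -d <db> -n <nick>` output; the
"Nickname:" header per block and the sample certificates are constructed.
"""
from datetime import datetime, timedelta
import re

CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"      # e.g. "Sun Apr 03 11:00:00 2016"

_NICK = re.compile(r"^\s*Nickname:\s*(.+?)\s*$")
_NOT_BEFORE = re.compile(r"^\s*Not Before:\s*(.+?)\s*$")
_NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

# Constructed sample: CA and HTTP server certs renewed on April 3rd, the
# RA agent cert on April 1st (dates invented for the example).
RENEWED_SET = """\
Nickname: caSigningCert cert-pki-ca
        Not Before: Sun Apr 03 09:00:00 2016
        Not After : Tue Apr 03 09:00:00 2018
Nickname: Server-Cert
        Not Before: Sun Apr 03 11:00:00 2016
        Not After : Mon Apr 03 11:00:00 2017
Nickname: ipaCert
        Not Before: Fri Apr 01 08:00:00 2016
        Not After : Sat Apr 01 08:00:00 2017
"""

# Same set plus a stale cert that expired before the others were issued:
# no clock value satisfies all four, so only renewal can fix it.
STALE_SET = RENEWED_SET + """\
Nickname: Server-Cert-old
        Not Before: Mon Feb 02 09:00:00 2015
        Not After : Fri Jan 29 09:00:00 2016
"""


def parse_certutil_validity(text):
    """Return {nickname: (not_before, not_after)} as naive UTC datetimes."""
    certs, nick, not_before = {}, None, None
    for line in text.splitlines():
        m = _NICK.match(line)
        if m:
            nick, not_before = m.group(1), None
            continue
        m = _NOT_BEFORE.match(line)
        if m and nick is not None:
            not_before = datetime.strptime(m.group(1), CERTUTIL_DATE)
            continue
        m = _NOT_AFTER.match(line)
        if m and nick is not None and not_before is not None:
            certs[nick] = (not_before, datetime.strptime(m.group(1), CERTUTIL_DATE))
            nick, not_before = None, None
    return certs


def as_datetime(when):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM' string."""
    if isinstance(when, datetime):
        return when
    return datetime.strptime(when, "%Y-%m-%d %H:%M")


def common_window(certs):
    """(start, end) of the intersection of all validity intervals, or None."""
    if not certs:
        return None
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return (start, end) if start <= end else None


def invalid_at(certs, when):
    """Nicknames that are expired or not yet valid at `when`, sorted."""
    when = as_datetime(when)
    return sorted(n for n, (nb, na) in certs.items() if not nb <= when <= na)


def suggest_clock(certs, margin=timedelta(days=1)):
    """Latest Not Before plus a margin (keeps clear of skew around the
    renewal instant), or None when no common window exists."""
    window = common_window(certs)
    if window is None:
        return None
    candidate = window[0] + margin
    return candidate if candidate <= window[1] else window[0]


if __name__ == "__main__":
    for label, text in (("renewed", RENEWED_SET), ("stale", STALE_SET)):
        certs = parse_certutil_validity(text)
        print(label, "window:", common_window(certs))
        print(label, "invalid on Apr 1st:", invalid_at(certs, "2016-04-01 09:00"))
        print(label, "suggested clock:", suggest_clock(certs))
```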


Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Ben .T.George
Hi

Thanks for your reply.

Can I do this external group mapping from the web UI?

On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote:

> On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > I have a working setup of IPA with AD integrated and one client joined.
> >
> > I want to implement HBAC rules against this client. Can anyone please
> > share with me good articles on implementing HBAC from the web UI.
>
> I'm not sure about the web UI, but as a general rule you'll want to add
> an external group (created with --external) as a member of a POSIX group
> and reference the POSIX group in the HBAC rule. The AD members should be
> added as members of the external group.
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread Martin Basti



On 29.04.2016 13:02, barry...@gmail.com wrote:

Hi All:

Is there any method to fall back to the default IPA cert if I didn't back up the original?

Now the slapd and IPA cert storage are quite a mess, so they can't replicate 
even with nsslapd:security set to off.



thx
Barry



Hello Barry,

Can you provide more info?

What are your IPA version and OS?
What are the symptoms you are experiencing?
What do you mean by the default IPA cert?
Can you provide logs from the replicas?
Can you provide the `getcert list` command output?
Can you provide `ipactl status` from both servers?

Replication uses GSSAPI, at least on new IPA versions; I'm not sure if 
certificates are involved in this.


Martin

[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
Hi All:

Is there any method to fall back to the default IPA cert if I didn't back up the original?

Now the slapd and IPA cert storage are quite a mess, so they can't replicate even
with nsslapd:security set to off.


thx
Barry

Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Prashant Bapat
Hi Petr,

Thanks for the response. But my question was more towards the cases where
there is a slight delay in entering the OTP in the web UI and it reaching
the IPA server. This actually can happen with ANY time window.

There are a couple of scenarios.

1. Network delays.
2. User enters the OTP token and takes a few seconds before pressing
submit.
3. User has to enter OTP first and then the password. This is the case when
changing password in IPA at the moment when OTP is on.

Is there a way to make IPA honor either the current token (obviously!) or 1
elapsed token?

This will go a long way in making FreeIPA's OTP implementation much more
usable.

Thanks.
--Prashant

On 25 April 2016 at 21:48, Petr Vobornik wrote:

> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA extensively for users to
> > login to the web UI. Now we are rolling out an external service using the
> > LDAP authentication based on FreeIPA and OTP.
> >
> > End users typically login rarely to the web UI. Only to update their SSH
> > keys once in 90 days.
> >
> > However to the new service based on FreeIPA's LDAP they would be logging
> > in multiple times daily.
> >
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in
> > requiring the current token to be inside the 30 second window. Because of
> > this there might be a sizable percentage of users who will have to retry
> > login. Obviously, this is a bad user experience.
> >
> > As per the RFC-6238 section 5.2, we could allow 1 time step and make the
> > user experience better.
> >
> > Can this be done by changing a config or does it involve a
> > patch/code-change. Any pointers to this appreciated.
> >
> > Thanks.
> > --Prashant
> >
>
> FreeIPA works with both time based OTP tokens (TOTP) and counter based
> OTP tokens (HOTP). TOTP uses a 30s time interval by default. Administrator
> can set custom clock interval during creation of a token. But
> self-service Web UI doesn't show this option. Users can still use it in
> CLI though.
>
> Alternative is HOTP which doesn't use time interval and there the UX
> issue is not there. It can be also created in user self service.
> --
> Petr Vobornik
>

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
The date change was due (I think) to me changing the date back to 4/1 
yesterday, though I left it there and haven't updated it again until 
this morning, when I went back to 4/1 again.


I put the results of the commands you requested at 
https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really 
appreciate it.



Bret

On 04/29/2016 04:59 AM, Petr Vobornik wrote:

comments inline

On 04/28/2016 06:30 PM, Bret Wortman wrote:

Look, I'll be honest. When IPA is in this much of a knot, I don't know how to do
the simplest things with its various components. For example, I've no clue how
to search the ldap database for anything. Or even how to authenticate since
Kerberos isn't running. IPA has sheltered me from ldap for so long that it's a
problem at times like this.

That being said, here are the things I /was/ able to handle:

Apr 01 11:02:40 zsipa.private.net server[6896]: Java virtual machine used:
/usr/lib/jvm/jre/bin/java
Apr 01 11:02:40 zsipa.private.net server[6896]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j
Apr 01 11:02:40 zsipa.private.net server[6896]: main class used:
org.apache.catalina.startup.Bootstrap
Apr 01 11:02:40 zsipa.private.net server[6896]: flags used:
-DRESTEASY_LIB=/usr/share/java/resteasy
Apr 01 11:02:40 zsipa.private.net server[6896]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.
Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start
Apr 01 11:02:40 zsipa.private.net server[6896]: Apr 01, 2016 11:02:40 AM
org.apache.catalina.startup.ClassLoaderFactory validateFile
Apr 01 11:02:40 zsipa.private.net server[6896]: WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false]
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP'
to 'false' did not find a matchi
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://zsipa.private.net:9
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCe
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matc
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not f
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout'
to '10' did not find a matching
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matc
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions'
to 'ssl2=true,ssl3=true,tls=true
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers'
to '-SSL2_RC4_128_WITH_MD5,-SSL
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: 

Re: [Freeipa-users] Free IPA Client in Docker

2016-04-29 Thread Martin Kosek
On 04/28/2016 08:14 PM, Hosakote Nagesh, Pawan wrote:
> Hi,
>   I am planning to deploy the FreeIPA client in a Docker container where my apps are
> running. However, I hit a roadblock, as there seems to be a problem with the
> Docker container's hostname settings in DNS records.

CCing Jan on this one. Did you try to use the SSSD Docker container we already have
instead?

https://hub.docker.com/r/fedora/sssd/
https://www.adelton.com/docs/docker/fedora-sssd-container

Martin

> Debug Log
> ---
> 
> ipa-client-install --hostname=`hostname -f` --mkhomedir -N --force-join 
> --debug 
> 
> .
> 
> .
> 
> .
> 
> .
> 
> debug
> 
> zone phx01.eaz.ebayc3.com.
> 
> update delete . IN A
> 
> show
> 
> send
> 
> update add . 1200 IN A 172.17.0.3
> 
> show
> 
> send
> 
> 
> Starting external process
> 
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 
> Process execution failed
> 
> Traceback (most recent call last):
> 
>   File "/usr/sbin/ipa-client-install", line 2603, in 
> 
> sys.exit(main())
> 
>   File "/usr/sbin/ipa-client-install", line 2584, in main
> 
> rval = install(options, env, fstore, statestore)
> 
>   File "/usr/sbin/ipa-client-install", line 2387, in install
> 
> client_dns(cli_server[0], hostname, options.dns_updates)
> 
>   File "/usr/sbin/ipa-client-install", line 1423, in client_dns
> 
> update_dns(server, hostname)
> 
>   File "/usr/sbin/ipa-client-install", line 1410, in update_dns
> 
> if do_nsupdate(update_txt):
> 
>   File "/usr/sbin/ipa-client-install", line 1346, in do_nsupdate
> 
> ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE])
> 
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 303, in 
> run
> 
> close_fds=True, env=env, cwd=cwd)
> 
>   File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
> 
> errread, errwrite)
> 
>   File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
> 
> raise child_exception
> 
> OSError: [Errno 2] No such file or directory
> 
> 
> 
> As a follow-up question, I also wanted to know why it is absolutely necessary for
> the Kerberos client to have a hostname? Won't the client initiate the connection and
> the FreeIPA server can take it from there?
> If so, what is the need of an FQDN for the FreeIPA client at all?
> 
> -
> Best,
> Pawan
> 
> 



Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti



On 29.04.2016 11:02, Martin Basti wrote:



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated 
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite 
in use by freeipa (see previous thread on this list).


When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on 
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and 
reverted some, but not all of, my changed settings in dse.ldif.


I'd like to understand what is expected to happen to this file on a 
package upgrade (rpm reports that this file is not owned by any 
package, so I guess it's manipulated by a scriptlet) since at least one 
of my changes was preserved.


Also, if I need to maintain a customised cipher suite for ipa, am I 
required to only do yum updates of the ipa-server package by hand and 
manually merge back in my changes, or is there a better way?


Thanks

Roderick Johnstone


Hello,

Probably the IPA upgrade did this change.

If you need custom ciphers to be preserved, you have to put your own 
upgrade file (number must be higher than 20) into IPA's 
'/usr/share/ipa/updates/' directory.


Something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

Update the `default` value with your own required ciphers.

Martin


I forgot to add, you have to run `ipa-server-upgrade` or `ipa-ldap-updater 
/usr/share/ipa/updates/99-myciphers.update` to apply the changes.

Martin

Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti



On 28.04.2016 19:16, Roderick Johnstone wrote:

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated 
/etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite 
in use by freeipa (see previous thread on this list).


When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on 
April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and 
reverted some, but not all of, my changed settings in dse.ldif.


I'd like to understand what is expected to happen to this file on a 
package upgrade (rpm reports that this file is not owned by any 
package, so I guess it's manipulated by a scriptlet) since at least one 
of my changes was preserved.


Also, if I need to maintain a customised cipher suite for ipa, am I 
required to only do yum updates of the ipa-server package by hand and 
manually merge back in my changes, or is there a better way?


Thanks

Roderick Johnstone


Hello,

Probably the IPA upgrade did this change.

If you need custom ciphers to be preserved, you have to put your own 
upgrade file (number must be higher than 20) into IPA's 
'/usr/share/ipa/updates/' directory.


Something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

Update the `default` value with your own required ciphers.

Martin

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
comments inline

On 04/28/2016 06:30 PM, Bret Wortman wrote:
> Look, I'll be honest. When IPA is in this much of a knot, I don't know how to
> do the simplest things with its various components. For example, I've no clue
> how to search the ldap database for anything. Or even how to authenticate since
> Kerberos isn't running. IPA has sheltered me from ldap for so long that it's a
> problem at times like this.
> 
> That being said, here are the things I /was/ able to handle:
> 
> Apr 01 11:02:40 zsipa.private.net server[6896]: Java virtual machine used: 
> /usr/lib/jvm/jre/bin/java
> Apr 01 11:02:40 zsipa.private.net server[6896]: classpath used: 
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j
> Apr 01 11:02:40 zsipa.private.net server[6896]: main class used: 
> org.apache.catalina.startup.Bootstrap
> Apr 01 11:02:40 zsipa.private.net server[6896]: flags used: 
> -DRESTEASY_LIB=/usr/share/java/resteasy
> Apr 01 11:02:40 zsipa.private.net server[6896]: options used: 
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat 
> -Djava.endorsed.dirs= -Djava.io.
> Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start
> Apr 01 11:02:40 zsipa.private.net server[6896]: Apr 01, 2016 11:02:40 AM 
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Apr 01 11:02:40 zsipa.private.net server[6896]: WARNING: Problem with JAR 
> file 
> [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false]
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'enableOCSP' 
> to 'false' did not find a matchi
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ocspResponderURL' to 'http://zsipa.private.net:9
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ocspResponderCertNickname' to 'ocspSigningCe
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ocspCacheSize' to '1000' did not find a matc
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ocspMinCacheEntryDuration' to '60' did not f
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ocspMaxCacheEntryDuration' to '120' did not
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ocspTimeout' 
> to '10' did not find a matching
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'strictCiphers' to 'true' did not find a matc
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'sslOptions' 
> to 'ssl2=true,ssl3=true,tls=true
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ssl2Ciphers' 
> to '-SSL2_RC4_128_WITH_MD5,-SSL
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM 
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: 
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'ssl3Ciphers' 
> to '-SSL3_FORTEZZA_DMS_WITH_NUL
> Apr 01 11:02:41 

Re: [Freeipa-users] FreeIPA with smart card using LightDM

2016-04-29 Thread Sumit Bose
On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote:
> I am wondering if anyone out there is currently using freeIPA with smart
> cards along with LightDM.  I have systems running SL7.2 with GDM and I have
> users that prefer to use XFCE or KDE over the default GNOME-Shell.  The
> problem with GDM is I am not able to get screen lock feature to work across
> multiple desktop environments.  If anyone uses XFCE, xscreensaver will need
> to be installed so they can lock their screen.  This choice also makes using
> the smart card useless when logging back into the system.  Also, I haven't
> been able to call the lock screen from the command-line.  What examples I have
> found do not work due to a missing ScreenSaver object.
> 
> If anyone has any good solutions to this problem I would enjoy hearing them.

Since Smartcard authentication does not make sense for all PAM services,
SSSD uses a list of services where it would offer Smartcard
authentication. Currently this list is static and based on a default RHEL
or Fedora setup. We already have
https://fedorahosted.org/sssd/ticket/2926 to make this list configurable
and Lukas already wrote an initial patch for it
https://lists.fedorahosted.org/archives/list/sssd-de...@lists.fedorahosted.org/message/FQWOBQV6FFCBKZS2EXKIJU74473E7R7Y/

If you are interested I can provide you with a test build where XFCE,
KDM and xscreensaver are included, just let me know for which platform
you will need it.

bye,
Sumit

> 
> Thanks in advance.
> -- 
> *Michael Rainey*



Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
> Hi List,
> 
> I have a working setup of IPA with AD integrated and one client joined.
> 
> I want to implement HBAC rules against this client. Can anyone please share
> with me good articles on implementing HBAC from the web UI.

I'm not sure about the web UI, but as a general rule you'll want to add
an external group (created with --external) as a member of a POSIX group
and reference the POSIX group in the HBAC rule. The AD members should be
added as members of the external group.



Re: [Freeipa-users] Free IPA Client in Docker

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 06:14:30PM +, Hosakote Nagesh, Pawan wrote:
> Hi,
>   I am planning to deploy the FreeIPA client in a Docker container where my apps are
> running. However, I hit a roadblock, as there seems to be a problem with the
> Docker container's hostname settings in the DNS records.
> 
> Debug Log
> ———
> 
> ipa-client-install --hostname=`hostname -f` --mkhomedir -N --force-join --debug
> 
> .
> .
> .
> .
> 
> debug
> zone phx01.eaz.ebayc3.com.
> update delete . IN A
> show
> send
> update add . 1200 IN A 172.17.0.3
> show
> send
> 
> Starting external process
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> Process execution failed
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 2603, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 2584, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2387, in install
>     client_dns(cli_server[0], hostname, options.dns_updates)
>   File "/usr/sbin/ipa-client-install", line 1423, in client_dns
>     update_dns(server, hostname)
>   File "/usr/sbin/ipa-client-install", line 1410, in update_dns
>     if do_nsupdate(update_txt):
>   File "/usr/sbin/ipa-client-install", line 1346, in do_nsupdate
>     ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE])
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 303, in run
>     close_fds=True, env=env, cwd=cwd)
>   File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
>     errread, errwrite)
>   File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
>     raise child_exception
> OSError: [Errno 2] No such file or directory

Looks like nsupdate is missing from the container?


Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> >
> > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> > logging in.
> >
> 
> Then how does the key authentication work if the .ssh directory on NFS 4 is
> not accessible? Doesn't the key authentication process rely on
> .ssh/authorized_keys being readable by the authentication module?

SSSD can fetch the authorized keys from IPA; see man
sss_ssh_authorizedkeys(1).

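What Jakub points at, as an added example (not code from the thread, SSSD or FreeIPA): sshd asks SSSD for the user's keys through AuthorizedKeysCommand, so the key check never touches ~/.ssh/authorized_keys on a Kerberized NFS home that cannot be read before the user has a ticket. ipa-client-install writes these directives itself unless run with --no-sshd; the script verifies they are really in place in a given sshd_config, prints the manual equivalent if not, and shows how a key stored in IPA is read back the way sshd would read it. Paths are RHEL/Fedora defaults; the user name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check that sshd on an IPA client
# consults SSSD for authorized keys, and publish/read back a key via IPA.
#   sh sssd_keys.sh check
#   sh sssd_keys.sh publish alice "$(cat ~/.ssh/id_ed25519.pub)"
set -eu

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}   # assumed default path

# Return 0 when CONFIG has an uncommented AuthorizedKeysCommand that runs
# sss_ssh_authorizedkeys and an AuthorizedKeysCommandUser; sshd ignores
# the command without the user, so both lines are required.
sssd_keys_configured() {
    config=$1
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+(/usr/bin/)?sss_ssh_authorizedkeys' "$config" \
        && grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]+' "$config"
}

# The two directives to append by hand if ipa-client-install did not.
sssd_keys_directives() {
    printf '%s\n' 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
                  'AuthorizedKeysCommandUser nobody'
}

# Store a public key on the IPA user entry, drop SSSD's cached copy of the
# user and read the key back through the same helper sshd will call.
# Needs a working IPA client and an admin ticket; the ssh responder must
# be enabled in sssd.conf (services = ..., ssh), which the installer does.
publish_and_check() {
    user=$1
    pubkey=$2
    ipa user-mod "$user" --sshpubkey="$pubkey"
    sss_cache -u "$user"
    sss_ssh_authorizedkeys "$user"
}

case "${1:-}" in
    check)
        if sssd_keys_configured "$SSHD_CONFIG"; then
            echo "sshd consults sss_ssh_authorizedkeys"
        else
            echo "missing in $SSHD_CONFIG; append these and reload sshd:"
            sssd_keys_directives
            exit 1
        fi
        ;;
    publish)
        publish_and_check "$2" "$3"
        ;;
esac
```

If sss_ssh_authorizedkeys prints nothing for a user who has a key in IPA, look at the SSSD cache before anything else: sss_cache -u invalidates the user entry, and the ssh responder log (/var/log/sssd/sssd_ssh.log) shows whether the lookup reached the server.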


Re: [Freeipa-users] Quick question regarding modifying attributes

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 06:31:20PM +, Sullivan, Daniel [AAA] wrote:
> Jakub,
> 
> Thank you for your reply.  I did not know that the compat tree was
> populated from sssd. Do you have any experience and/or recommendation on
> using the full_name_format variable of sssd.conf to manipulate how cn's are
> populated in anchor records?  Basically I'm interested in trying to get
> IPA to provision anchor records for a trusted domain without the @f.d.q.n
> appended to usernames.  It seems like having a custom full_name_format
> (sssd.conf), possibly in conjunction with default_domain_suffix (sssd.conf),
> might achieve this (I have already done some internal testing with partial
> results, running into some issues, but I am interested in your and the group's
> opinion on the viability of this).

It's not possible at the moment to change the output format of the sssd
on the server or the format of the entries in the compat tree. Several
pieces of the stack (including the extdom plugin that serves requests to
the sssd clients) rely on the name being qualified at least on the
server side to function properly.

What should be possible starting with 7.3 is to have the shortnames
in the output of SSSD clients with id_provider=ipa.

But I'm not sure legacy clients would work either with shortnames
because with the legacy clients, we typically treat the whole
qualified string as a "name":


[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+) <---

The re_expression tells sssd that the whole input string, qualified or not,
is a "name"; there is no separate IPA and AD domain in these setups. This
is because with the legacy clients, those clients must use the "ldap"
id_provider pointed to the compat tree, and the 'ldap' provider, unlike the
'ipa' or 'ad' providers, has no notion of trusted domains internally.

So if you want to use shortnames on the output, I think the best bet is
to wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider.
