Re: [Freeipa-users] Creating roles tutorial/how-to
Larry Rosen wrote:

> Are there any tutorials/how-tos to guide how to create roles? The docs simply go through filling out the forms, but is there any resource about how roles are generally used and the required relationships?
>
> This is the closest thing I have found: http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don't understand how to limit various permissions/privileges to specific users or groups. I want a role to manage only the users of a certain group: i.e. a user that can add, modify, delete user accounts and set/reset/unlock passwords for one group.

The order of access control looks like permissions -> privileges -> roles. The associated privileges provide a set of permissions (actions a role can take) to the role. Users, groups, hosts, hostgroups and services (depending on the version of IPA) can be members of a role, thus having the capabilities of that role. You add the privileges you want that role to have, then you add the groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. It may contain multiple permissions. An example of a privilege with multiple permissions is adding a user, where you need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege available for that, so you typically don't need to mess with these.

rob

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
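The chain Rob describes (permission -> privilege -> role -> member) is easiest to see in code. The following is an added example and not FreeIPA's own code or its ACI engine: it models how a role that should "manage only the users of group X" gets evaluated, which is the scoping Larry is asking for. In the IPA 4.x CLI that scoping is expressed with the --memberof option of permission-add; here it is the memberof field of a Permission. All group, user and attribute names below are constructed for the example.

```python
"""Model of the FreeIPA access-control chain: permission -> privilege -> role -> member.

Added example, not FreeIPA's own code. It evaluates the same shape of
question the thread discusses, so you can see why "manage only the users of
group X" needs permissions whose target is restricted to members of X.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterator, List, Optional, Set


@dataclass(frozen=True)
class Permission:
    """Low-level task: which rights, on which attributes, on which targets."""
    name: str
    rights: FrozenSet[str]              # e.g. {"write"}, {"add"}, {"delete"}
    attrs: FrozenSet[str]               # empty = any attribute
    memberof: Optional[str] = None      # only targets in this group qualify


@dataclass
class Privilege:
    name: str
    permissions: List[Permission] = field(default_factory=list)


@dataclass
class Role:
    name: str
    privileges: List[Privilege] = field(default_factory=list)
    members: Set[str] = field(default_factory=set)   # user uids or group names


@dataclass(frozen=True)
class User:
    uid: str
    groups: FrozenSet[str] = frozenset()


def role_permissions(role: Role) -> Iterator[Permission]:
    """Flatten the chain: a role grants every permission of every privilege."""
    for priv in role.privileges:
        yield from priv.permissions


def is_member(user: User, role: Role) -> bool:
    """A user holds a role directly or through one of their groups."""
    return user.uid in role.members or bool(user.groups & role.members)


def allowed(actor: User, roles: List[Role], right: str, target: User,
            attr: Optional[str] = None) -> bool:
    """True if a role the actor holds grants `right` (on `attr`) over `target`.

    A permission with `memberof` applies only when the target is in that
    group; a non-empty attrs set must contain the attribute being touched.
    """
    for role in roles:
        if not is_member(actor, role):
            continue
        for perm in role_permissions(role):
            if right not in perm.rights:
                continue
            if perm.attrs and attr not in perm.attrs:
                continue
            if perm.memberof and perm.memberof not in target.groups:
                continue
            return True
    return False


# Constructed sample: a helpdesk role that may reset passwords and edit a few
# attributes, but only for members of the "sales" group.
SALES = "sales"
PW_PERM = Permission("Reset sales passwords", frozenset({"write"}),
                     frozenset({"userpassword"}), memberof=SALES)
MOD_PERM = Permission("Modify sales users", frozenset({"write"}),
                      frozenset({"mail", "telephonenumber"}), memberof=SALES)
SALES_PRIV = Privilege("Sales User Administration", [PW_PERM, MOD_PERM])
SALES_ROLE = Role("Sales Helpdesk", [SALES_PRIV], {"sales-helpdesk"})
ROLES = [SALES_ROLE]

HELPDESK = User("alice", frozenset({"sales-helpdesk"}))
SALES_USER = User("bob", frozenset({SALES}))
ENG_USER = User("carol", frozenset({"engineering"}))


def demo() -> List[bool]:
    """The four checks a practitioner would want to see."""
    return [
        allowed(HELPDESK, ROLES, "write", SALES_USER, "userpassword"),  # True
        allowed(HELPDESK, ROLES, "write", ENG_USER, "userpassword"),    # False: wrong group
        allowed(HELPDESK, ROLES, "write", SALES_USER, "uidnumber"),     # False: attr not granted
        allowed(SALES_USER, ROLES, "write", SALES_USER, "mail"),        # False: not in role
    ]


if __name__ == "__main__":
    print(demo())
```

The memberof scoping is a filter on the target entry, so it fits modify, delete and password reset. As far as I know it does not cover the "add" part of the request the same way: a brand-new user entry is not yet a member of any group at the moment the add is evaluated, so an add permission has to be scoped some other way (or granted unscoped and accepted as such). That limitation is my understanding of the ACI model, not something the thread states.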
Re: [Freeipa-users] HBAC rules for NFS
Hi Alexander,

Thanks for the link. I read through it again, and I am still stuck on the rpcgss service on the server... I don't know how to properly restart it. The service in the documents is service nfs-secure-server enable (FC16), or rpcsvcgssd.service (RH7), but I cannot enable using those. I killed the rpc.gssd process on the client and restarted it manually with rpc.gssd -vvv, which gave me more output. There is a flag set in /etc/sysconfig/nfs which should have already been giving that output, but it never took effect, even though I restarted nfs-server and nfs-secure-server. What is the right way to restart rpcgssd.service and rpcsvcgssd.service?

Anyway, after manually killing and executing rpc.gssd, the homedir automounts with krb5p when I ssh to the machine (yay - first time!), but the files are owned by nobody. I cannot access the files as the owner. The UID of the file owner is low (between 500-1000), so I had to change the user's UID just to be able to login (<1000 is blocked by PAM). Maybe the fact that the user with a matching UID doesn't exist is causing a problem in mapping the files' owner to a user? If so, how do I most efficiently map the name of the file owner to the user with a different numerical UID? I had hoped the kerberos auth might handle this for me.

The homedir does not mount when I su from root (not particularly a problem, but it was muddling the issue). This clued me in:
rpc.gssd[9928]: No key table entry found for root/nfsclient.domain.tld

Thank you!
Joanna

On Fri, Jul 1, 2016 at 3:59 PM, Alexander Bokovoy wrote:
> On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>
>> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am starting to wonder if I don't have HBAC rules set up correctly. I installed freeIPA with --no_hbac_allow.
>>
>> I have an HBAC service defined as an nfs service:
>> $ ipa hbacsvc-add --desc="NFS service" nfs
>>
>> I have an HBAC rule that allows all users to access all services on a group of hosts. My nfsclient is in that group.
>>
>> Is that enough to allow users rights to mount nfs shares? Do I need some sort of HBAC between the nfsclient and the nfsserver?
>>
> HBAC is not involved at all for NFS use. Remember, HBAC checks are run by SSSD when it is called by PAM session setup. There is nothing like that for NFS mounts.
>
> Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
>
> --
> / Alexander Bokovoy

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
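The "No key table entry found for root/nfsclient.domain.tld" line is rpc.gssd reporting which principal it looked for in the client keytab and did not find, so the first thing to check is which principals that keytab actually holds (klist -k /etc/krb5.keytab shows the same thing). As an added example, not code from the thread or from nfs-utils, here is a parser for the MIT keytab file format (version 0x0502) with a principal lookup. The keytab bytes are constructed in memory with fake key material, and the hostname and realm are assumptions based on Joanna's log line; point load_keytab() at /etc/krb5.keytab (as root) on a real client to see what is there. Note that a keytab holds long-term keys: the example prints principals, kvno and enctype only, never the key bytes.

```python
"""Parse an MIT Kerberos keytab (format 0x0502) and look up a principal.

Added example, not part of the thread or of nfs-utils. The sample keytab
is constructed in memory with fake keys; the principal names assume the
host and realm from the log line in the post.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple


class KeytabEntry(NamedTuple):
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16 length-prefixed octet string at `off`."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entries of a version-2 keytab; all integers are big-endian."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        rec = data[off:end]
        p = 0
        (ncomp,) = struct.unpack_from(">H", rec, p); p += 2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p); p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p); p += 4
        key = rec[p:p + klen]; p += klen
        kvno = vno8
        if p + 4 <= len(rec):        # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", rec, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
        off = end
    return entries


def find_key(entries: List[KeytabEntry], principal: str) -> Optional[KeytabEntry]:
    """Exact principal match, highest kvno wins; None is the 'no key table entry' case."""
    matches = [e for e in entries if e.principal == principal]
    return max(matches, key=lambda e: e.kvno) if matches else None


def build_keytab(specs) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples; used to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        rec = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            rec += struct.pack(">H", len(s)) + s.encode()
        rec += struct.pack(">IIB", 1, 1467000000, kvno & 0xFF)   # name type 1 = NT-PRINCIPAL
        rec += struct.pack(">HH", enctype, len(key)) + key
        rec += struct.pack(">I", kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


# Constructed sample: the host keys an enrolled client typically has, and nothing else.
SAMPLE_KEYTAB = build_keytab([
    ("host/nfsclient.domain.tld@DOMAIN.TLD", 2, 18, b"\x11" * 32),  # 18 = aes256-cts-hmac-sha1-96
    ("host/nfsclient.domain.tld@DOMAIN.TLD", 2, 17, b"\x22" * 16),  # 17 = aes128-cts-hmac-sha1-96
])


def load_keytab(path: str) -> List[KeytabEntry]:
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())


if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal:45s} kvno={e.kvno} enctype={e.enctype}")
    wanted = "root/nfsclient.domain.tld@DOMAIN.TLD"
    print(f"{wanted} present: {find_key(entries, wanted) is not None}")
```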
Re: [Freeipa-users] HBAC rules for NFS
On Fri, 01 Jul 2016, Joanna Delaporte wrote:
> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am starting to wonder if I don't have HBAC rules set up correctly. I installed freeIPA with --no_hbac_allow.
>
> I have an HBAC service defined as an nfs service:
> $ ipa hbacsvc-add --desc="NFS service" nfs
>
> I have an HBAC rule that allows all users to access all services on a group of hosts. My nfsclient is in that group.
>
> Is that enough to allow users rights to mount nfs shares? Do I need some sort of HBAC between the nfsclient and the nfsserver?

HBAC is not involved at all for NFS use. Remember, HBAC checks are run by SSSD when it is called by PAM session setup. There is nothing like that for NFS mounts.

Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?

--
/ Alexander Bokovoy
[Freeipa-users] HBAC rules for NFS
I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am starting to wonder if I don't have HBAC rules set up correctly. I installed freeIPA with --no_hbac_allow.

I have an HBAC service defined as an nfs service:
$ ipa hbacsvc-add --desc="NFS service" nfs

I have an HBAC rule that allows all users to access all services on a group of hosts. My nfsclient is in that group.

Is that enough to allow users rights to mount nfs shares? Do I need some sort of HBAC between the nfsclient and the nfsserver?

Thanks!
Joanna

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
[Freeipa-users] Creating roles tutorial/how-to
Are there any tutorials/how-tos to guide how to create roles? The docs simply go through filling out the forms, but is there any resource about how roles are generally used and the required relationships?

This is the closest thing I have found: http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don't understand how to limit various permissions/privileges to specific users or groups. I want a role to manage only the users of a certain group: i.e. a user that can add, modify, delete user accounts and set/reset/unlock passwords for one group.

Larry
Re: [Freeipa-users] IPA and NFSv4 with krb5 security
Which services actually need to be running for Kerberized NFS? On the server and client sides? What needs to be enabled? When I go through the list in the RHEL 7 Domain Auth guide (p 271), I cannot get rpcsvcgssd.service to start. It doesn't give any errors when I send it a start command, but status always shows it as condition failed, and inactive (dead). I also cannot enable it, with the error "No such file or directory." Is this deprecated/replaced with some other service for the rpc gss server-side service?

On Thu, Jun 30, 2016 at 3:05 PM, Youenn PIOLET wrote:
> Hi,
> First questions (sorry if it's obvious):
> - Do you have a valid token on the client? (obtained with kinit)
> - Did you import the keytab for NFS service on the server?
> - Did you put "domain = yourdomain.tld" in your NFS server config file? On your client?
> - Depending on your (ipa? nfs?) version you may have to enable weak crypto (I saw this everywhere but never had to do it for a reason I still ignore)
>
> I'm far from being the most informed people on this list, but I think it may be the first things to check.
>
> Hope this helps,
> Regards
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2016-06-30 21:47 GMT+02:00 Joanna Delaporte :
>
>> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA realm.
>>
>> My realm is new. I have just migrated some users from an NIS domain to the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS server and client, and automaps using the recommended methods in the RHEL 7 Storage and Domain Auth/Policy guides.
>>
>> In the exports file on the nfsserver, as long as I have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount. However, when I remove sys, I am no longer able to mount. I have root_squash set.
>>
>> Automount hangs when I restart it, while trying to mount the first NFS directory.
>>
>> If I try to mount on the command line, I get this:
>> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
>> mount.nfs4: access denied by server while mounting arcturus:/
>>
>> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed with mountstats).
>> I am not seeing anything related to the mount attempts in the nfsserver logs, but I'm not sure I am looking in the right logs.
>>
>> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd error or access logs.
>>
>> What am I missing?
>>
>> Thanks!
>> Joanna
>>
>> --
>> Joanna Delaporte
>> Linux Systems Administrator | Parkland College
>> joannadelapo...@gmail.com

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
Re: [Freeipa-users] Replace with 3rd part certificates
There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed in 7.3, that would be great, especially for Let's Encrypt certs (even without auto-renewal).

On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi wrote:
> Hi,
>
> For the time being and as far as I can see until IPA 4.3.1, the procedure is messy and difficult.
>
> The following thread will be a big help:
>
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
> Is it possible to backport the working procedure from 4.3.1 to 4.2 in Fedora 23 ?
>
> regards,
> Andreas
Re: [Freeipa-users] how to make fIPA stick to only...
On 01/07/16 12:41, Petr Vobornik wrote:
> On 06/30/2016 04:56 PM, lejeczek wrote:
>> ... its own FQHN and its IP ?
>>
>> hi users,
>>
>> I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible?
>>
>> many thanks,
>> L.
>
> Hi L.
>
> Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you.
>
> Thank you

gee, I thought my scenario would be quite common among users: take a box with more than one net if, or even multiple IPs - what would be nice to have is that fIPA's webui resides/runs only on that FQHN and that IP to which the hostname resolves.

Eg, here is one single system:
box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2

currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)

I think it would be great to have this included (maybe as comments/options) in Apache's configs of IPA future releases, if possible. Is it possible to construct such rules? Or is there a different, simpler way?

thanks!
Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?
On 30/06/16 14:14, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/06/16 19:05, Roderick Johnstone wrote:
>>> Hi
>>>
>>> If I set a kerberos principal for a user to expire on a given date using:
>>> ipa user-mod --principal-expiration=DATE
>>> is it possible to later remove this expiration date rather than just set it to a time far in the future?
>>>
>>> Thanks
>>> Roderick Johnstone
>>
>> Hello Roderick,
>> AFAIK the only way to remove principal expiration at the time is to remove the krbPrincipalExpiration attribute from the user entry in DS.
>>
>> $ kinit admin
>> Password for ad...@example.org
>> $ ldapmodify -Y GSSAPI
>> SASL/GSSAPI authentication started
>> SASL username: ad...@example.org
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=org
>> changetype: modify
>> delete: krbprincipalexpiration
>>
>> modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"
>>
>> I think that it makes sense to expose this in the API. Could you please file an RFE (https://fedorahosted.org/freeipa/newticket)?
>
> You just need to pass in a blank value:
>
> $ ipa user-mod --principal-expiration=
>
> rob

Thanks both. I can indeed confirm that setting --principal-expiration= does in fact remove the kerberos expiration date.

Roderick
Re: [Freeipa-users] webmaster permission
On Fri, Jul 01, 2016 at 01:35:41PM +0200, Günther J. Niederwimmer wrote:
>
> CentOS 7.2 IPA 4.3.1
> 1 Server (extern) with Virtual Systems (KVM) installed.
> DNSserver, Mailserver, Ipaserver,Webserver..

Is the IPA server running in a VM or on the host?

> Now we like to have our Websystem on this Server

This server meaning yet another VM, or directly on the host?

> What is the best way to allow a external Webmaster to create or modify the
> websites with joomla, and have the secure from IPA.

Could you be more specific about the "have the secure from IPA" requirement?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] webmaster permission
Hello,

On Friday, 1 July 2016, 13:43:35 CEST, Petr Spacek wrote:
> On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > I am a newbie with IPA and have big Problems ;-),
> > the "normal" Installation is working nice. :-))
> >
> > But now I have a Problem ?
> >
> > CentOS 7.2 IPA 4.3.1
> > 1 Server (extern) with Virtual Systems (KVM) installed.
> > DNSserver, Mailserver, Ipaserver,Webserver..
> >
> > Now we like to have our Websystem on this Server
> >
> > What is the best way to allow a external Webmaster to create or modify the
> > websites with joomla, and have the secure from IPA.
> >
> > Have any a hint or link for this Problem.
>
> Hi,
>
> it is strongly recommended to keep FreeIPA on a separate machine / VM and do
> not mix it with anything else. FreeIPA should be considered as the security
> centre of your network and having additional applications under the same
> operating system instance is potentially opening doors to attackers.
>
> My recommendation is to install a separate VM for FreeIPA and another
> separate VM for other applications.

hello Petr,

thanks for the answer, the install Structure is a VM with FreeIPA and enrolled clients for (VM) mailserver, httpserver, host,

So my Problem is the Webmaster permission: give only the Webserver and Joomla

Thanks,
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] FreeIPA doesnt start
On Fri, Jul 01, 2016 at 09:00:03AM +0200, Andreas Ladanyi wrote:
> Hi Fraser.
> >>> Hi,
> >>>
> >>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
> >>>
> >>> When I want to start IPA with ipactl start I run into the situation
> >>> starting pki-tomcat takes a long time and ipactl aborts the starting
> >>> process and shuts down services. So IPA doesn't start.
> >> Sounds like
> >> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
> >>
> > I concur - it is likely to be the same issue. A new release of pki
> > on f23 is going to happen in the next day or so. If it is the same
> > issue, that will fix it.
> yes it was the same issue. I could fix it.
>
> Andreas
>
Glad to hear it, Andreas.
Re: [Freeipa-users] webmaster permission
On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> Hello,
>
> I am a newbie with IPA and have big Problems ;-),
> the "normal" Installation is working nice. :-))
>
> But now I have a Problem ?
>
> CentOS 7.2 IPA 4.3.1
> 1 Server (extern) with Virtual Systems (KVM) installed.
> DNSserver, Mailserver, Ipaserver,Webserver..
>
> Now we like to have our Websystem on this Server
>
> What is the best way to allow a external Webmaster to create or modify the
> websites with joomla, and have the secure from IPA.
>
> Have any a hint or link for this Problem.

Hi,

it is strongly recommended to keep FreeIPA on a separate machine / VM and do not mix it with anything else. FreeIPA should be considered as the security centre of your network and having additional applications under the same operating system instance is potentially opening doors to attackers.

My recommendation is to install a separate VM for FreeIPA and another separate VM for other applications.

--
Petr^2 Spacek
Re: [Freeipa-users] how to make fIPA stick to only...
On 06/30/2016 04:56 PM, lejeczek wrote:
> ... its own FQHN and its IP ?
>
> hi users,
>
> I'm fiddling with rewrites but being an amateur cannot figure it out,
> it's on a multi/home-IP box. Is it possible?
>
> many thanks,
>
> L.
>
Hi L.

Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you.

Thank you
--
Petr Vobornik
Re: [Freeipa-users] SRV records?
On 30.6.2016 17:56, Christophe TREFOIS wrote:
> Hi,
>
> I am getting a bit confused about what is possible / advised to do and how to
> setup SRV records for our existing setup.
>
> Currently, it looks like this:
>
> ipa1.domain.ltd
> ipa2.domain.ltd
> ipa3.domain.ltd
>
> I believe the installed domain and realm is domain.ltd (we added some other
> realm domains later on).
>
> And we use ipa1 for external user access, ipa2 for services, and ipa3 for
> backup (not accessed directly).
>
> We now want to create SRV records for this setup.
>
> How would they look like?
>
> The problem I have is that domain.ltd is also the university's AD domain and,
> according to the docs, it is not recommended to do this, in any fashion.
>
> Would it be however, feasible, to do this via a FreeIPA-FreeIPA migration?
>
> Could you please share any piece of information, or advice on this?

Unfortunately there is no way to make this work. There will be inevitable conflicts on DNS and Kerberos level. Please make sure you fully read
http://www.freeipa.org/page/Deployment_Recommendations
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#server-prereqs

After that the only option is to plan for a new FreeIPA installation and migration. Unfortunately complete FreeIPA-FreeIPA migration is not supported either, so it is mostly a manual process (using hand-made scripts for your deployment).

Do not hesitate to contact us if you have any questions.

--
Petr^2 Spacek
Re: [Freeipa-users] AES reverse encryption plugin on userPassword attribute
On 30.6.2016 15:30, opensauce . wrote:
> Hi All,
>
> I need to store user passwords with reverse encryption for an application.
>
> I know the AES plugin is enabled and available :
>
> # AES, Password Storage Schemes, plugins, config
> dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
> cn: AES
> nsslapd-pluginDescription: AES storage scheme plugin
> nsslapd-pluginEnabled: on
> nsslapd-pluginId: aes-storage-scheme
> nsslapd-pluginInitfunc: aes_init
> nsslapd-pluginPath: libpbe-plugin
> nsslapd-pluginType: reverpwdstoragescheme
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginVersion: 1.3.4.0
> nsslapd-pluginarg0: nsmultiplexorcredentials
> nsslapd-pluginarg1: nsds5ReplicaCredentials
> nsslapd-pluginprecedence: 1
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
>
> How do I apply this plugin to the userPassword attribute of a single or
> multiple users?

Generally FreeIPA tries to hide passwords as much as possible even from admins, so this is not enabled by default. You might try to experiment using the 389 DS documentation [1] but there are no guarantees.

[1] http://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/

--
Petr^2 Spacek
[Freeipa-users] webmaster permission
Hello,

I am a newbie with IPA and have big Problems ;-),
the "normal" Installation is working nice. :-))

But now I have a Problem ?

CentOS 7.2 IPA 4.3.1
1 Server (extern) with Virtual Systems (KVM) installed.
DNSserver, Mailserver, Ipaserver,Webserver..

Now we like to have our Websystem on this Server

What is the best way to allow an external Webmaster to create or modify the websites with joomla, and have the secure from IPA.

Have any a hint or link for this Problem.

Thanks for an answer,
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day
please keep the discussion on the mailing list

On 07/01/2016 01:17 PM, Omar AKHAM wrote:
> Which package to install ? ipa-debuginfo?
yes
> 2 other crashes last night, with a different user bind this time :
>
> rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
> dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
> saslmech = 0x0
> cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}
> be = 0x7f6254941c20
> ber_rc =
> rc = 0
> sdn = 0x7f62000313f0
> bind_sdn_in_pb = 1
> referral = 0x0
> errorbuf = '\000' ...
> supported =
> pmech =
> authtypebuf = "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000\000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\000\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", '\000' , "\002\000\000\000\305\363Tb\177\000\000\377\377\377\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", '\000'
> bind_target_entry = 0x0
>
> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>> On 06/30/2016 05:54 PM, d...@mdfive.dz wrote:
>>> The crash is random, sometimes the user binds without problem, sometimes it binds and there is the error message of the ipa plugin without dirsrv crash. But when it crashes, this user's bind is found in the newly generated core file!
>> ok, so the user might try or use different passwords.
>> it could be helpful if you can install the debuginfo for the ipa-server package and get a new stack. Please post it to the list, you can X the credentials in the core, although I think they will not be proper credentials.
>>
>> Ludwig
>>
>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>> On 06/30/2016 02:27 PM, d...@mdfive.dz wrote:
>>>>>> Hi,
>>>>>> Please find strace on a core file : http://pastebin.com/v9cUzau4
>>>>> the crash is in an IPA plugin, ipa_pwd_extop, to get a better stack you would have to install also the debuginfo for ipa-server.
>>>>> but the stack matches the error messages you have seen
>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>> they are from the functions in the call stack.
>>>> Looks like the user has a password with a \351 char:
>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}
>>>> does the crash always happen with a bind from this user ?
>>>>> and then someone familiar with this plugin should look into it
>>>>> Regards
>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>> can you get a core file ?
>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>> On 06/30/2016 11:28 AM, d...@mdfive.dz wrote:
>>>>>>>> Hi,
>>>>>>>> The Directory Service crashes several times a day. It's installed on a CentOS 7 VM :
>>>>>>>> Installed Packages
>>>>>>>> Name: ipa-server
>>>>>>>> Arch: x86_64
>>>>>>>> Version : 4.2.0
>>>>>>>>
>>>>>>>> # ipactl status
>>>>>>>> Directory Service: STOPPED
>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>> kadmin Service: RUNNING
>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>> httpd Service: RUNNING
>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>
>>>>>>>> Before each crash, I have these messages in /var/log/dirsrv/slapd-X/errors :
>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>
>>>>>>>> Any help?
>>>>>>>> Best regards

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
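gdb renders the BIND credential in the two cores above as C-escaped strings, "nw_PA\250\063\065\067" and "d\351sertification". The three-digit octal escapes are bytes outside printable ASCII; \351 is 0xE9, which is "é" in Latin-1 and is not valid UTF-8 on its own. As an added example, not code from the thread or from 389 DS/FreeIPA, the block below decodes what gdb printed back into raw bytes, checks the length against bv_len, and reports the first byte that breaks UTF-8 decoding. That is the check to run on such a core; it is consistent with the "generating kerberos keys failed [Invalid argument]" message but the thread does not establish the root cause, so treat it as a diagnostic, not a diagnosis. The two credential strings are copied from the posts; the decoder is generic.

```python
"""Decode gdb's C-escaped rendering of a struct berval and test it for UTF-8.

Added example, not from the thread or from 389 DS/FreeIPA. The two bv_val
strings in CREDS_FROM_THREAD are exactly what gdb printed in the posts.
"""
import re
from typing import Optional, Tuple

# gdb escapes: \NNN octal, \xNN hex, or a single-character escape such as \n
_ESC = re.compile(r'\\(?:([0-7]{1,3})|(x[0-9a-fA-F]{1,2})|(.))')
_SIMPLE = {'n': 10, 't': 9, 'r': 13, '\\': 92, '"': 34, "'": 39,
           'a': 7, 'b': 8, 'f': 12, 'v': 11, 'e': 27}


def gdb_unescape(s: str) -> bytes:
    """Turn gdb's quoted C string (without the surrounding quotes) into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")   # literal chars, one byte each
        octal, hexa, simple = m.groups()
        if octal is not None:
            out.append(int(octal, 8) & 0xFF)
        elif hexa is not None:
            out.append(int(hexa[1:], 16))
        else:
            out.append(_SIMPLE.get(simple, ord(simple)))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def first_bad_byte(raw: bytes) -> Optional[Tuple[int, int]]:
    """(offset, value) of the first byte that breaks UTF-8 decoding, or None."""
    try:
        raw.decode("utf-8")
        return None
    except UnicodeDecodeError as e:
        return e.start, raw[e.start]


def classify(bv_val: str, bv_len: int) -> Tuple[bytes, bool, bool]:
    """Return (raw bytes, length matches bv_len, bytes are valid UTF-8)."""
    raw = gdb_unescape(bv_val)
    return raw, len(raw) == bv_len, first_bad_byte(raw) is None


# Credentials exactly as gdb printed them in the two core dumps in the thread.
CREDS_FROM_THREAD = [
    ("nw_PA\\250\\063\\065\\067", 9),
    ("d\\351sertification", 15),
]

if __name__ == "__main__":
    for val, length in CREDS_FROM_THREAD:
        raw, len_ok, utf8_ok = classify(val, length)
        bad = first_bad_byte(raw)
        where = f"offset {bad[0]} byte 0x{bad[1]:02x}" if bad else "-"
        print(f'"{val}": bytes={raw!r} len_ok={len_ok} utf8={utf8_ok} first_bad={where}')
```

Both credentials decode to exactly bv_len bytes, so nothing was truncated in the dump; both contain a single byte (0xA8 and 0xE9 respectively) that is not valid UTF-8. If you report a crash like this, X out the credential bytes as Ludwig suggests, but keep the escape form intact so the reader can still see whether the failing byte is non-UTF-8.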
Re: [Freeipa-users] Replace with 3rd part certificates
Hi,

> For the time being and as far as I can see until IPA 4.3.1, the procedure is
> messy and difficult.
> The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.

Is it possible to backport the working procedure from 4.3.1 to 4.2 in Fedora 23 ?

>
> regards,

Andreas
Re: [Freeipa-users] FreeIPA doesnt start
Hi Tomasz,

> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
>> Hi,
>>
>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
>>
>> When I want to start IPA with ipactl start I run into the situation
>> starting pki-tomcat takes a long time and ipactl aborts the starting
>> process and shuts down services. So IPA doesn't start.
> Sounds like
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/

Thank you. You are right. The certificate profiles not imported into ldap during the upgrade process are the problem. I solved this issue with the information in the above link.

Andreas
Re: [Freeipa-users] ipa trust-fetch-domains failing.
On Thu, 30 Jun 2016, pgb205 wrote:
> Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains.

I'm currently on vacation and don't have access to my lab, but you need to check if there are any problems with SELinux.

'ipa trust-fetch-domains' calls out via DBus to another script. It is functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this run will generate a lot of debug information.

--
/ Alexander Bokovoy
Re: [Freeipa-users] FreeIPA doesnt start
Hi Fraser.

>>> Hi,
>>>
>>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
>>>
>>> When I want to start IPA with ipactl start I run into the situation
>>> starting pki-tomcat takes a long time and ipactl aborts the starting
>>> process and shuts down services. So IPA doesn't start.
>> Sounds like
>> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
>>
> I concur - it is likely to be the same issue. A new release of pki
> on f23 is going to happen in the next day or so. If it is the same
> issue, that will fix it.

yes it was the same issue. I could fix it.

Andreas