Re: [Freeipa-users] Creating roles tutorial/how-to

2016-07-01 Thread Rob Crittenden

Larry Rosen wrote:

Are there any tutorials/how to’s to guide how to create roles?  The docs
simply go through filling out the forms, but is there any resource about
how roles are generally used and the required relationships?

This is the closest thing I have found:
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don’t understand how to limit various permissions/privileges to
specific users or groups.

I want a role to manage only the users of a certain group: i.e. a user
that can add, modify, delete user accounts and set/reset/unlock
passwords for one group.


The order of access control looks like permissions -> privileges -> 
roles. The associated privileges provide a set of permissions (actions a 
role can take) to the role.


Users, groups, hosts, hostgroups and services (depending on version of 
IPA) can be members of a role, thus having the capabilities of that role.


You add the privileges you want that role to have, then you add the 
groups you want, and that should do it.


A permission is a low-level "task". A privilege is usually 1-1 to a 
permission. It may contain multiple permissions.


An example of a privilege with multiple permissions is adding a user, 
where you need to be able to write the user and set the password.


For the permissions shipped with IPA there is always an associated 
privilege available for that so you typically don't need to mess with these.


rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
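A worked version of the permission -> privilege -> role chain Rob describes, as an added example that is not part of the thread and not FreeIPA's own tooling. It scopes modify, password reset, unlock and delete rights to members of one user group by giving every permission a memberOf target filter, bundles those permissions into a privilege, and attaches the privilege to a role whose member is the helpdesk group. The group names (sales, sales-helpdesk), the object names and the attribute lists are assumptions for illustration; compare the attribute lists with what the shipped permissions cover (ipa permission-find --name='System: *User*') before using them.

```shell
#!/bin/sh
# Added example: permission -> privilege -> role for group-scoped user admin.
# Object names, group names and attribute lists are assumptions for illustration.
# DRY_RUN=1 prints the ipa commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 = group whose members may be managed, $2 = group that gets the role,
# $3 = label used in the names of the objects created.
delegate_group_admin() {
    target=$1 admins=$2 label=$3

    # Permissions are the low-level tasks. --memberof adds a memberOf target
    # filter to the generated ACI, so none of these ever matches a user who
    # is not in "$target".
    run ipa permission-add "Modify ${label} users" \
        --type=user --memberof="$target" --right=write \
        --attrs=givenname --attrs=sn --attrs=cn --attrs=displayname \
        --attrs=mail --attrs=telephonenumber --attrs=nsaccountlock
    run ipa permission-add "Reset ${label} user passwords" \
        --type=user --memberof="$target" --right=write \
        --attrs=userpassword --attrs=krbprincipalkey \
        --attrs=krbpasswordexpiration --attrs=passwordhistory
    run ipa permission-add "Unlock ${label} users" \
        --type=user --memberof="$target" --right=write \
        --attrs=krbloginfailedcount --attrs=krblastadminunlock
    run ipa permission-add "Delete ${label} users" \
        --type=user --memberof="$target" --right=delete

    # A privilege bundles the permissions that make up one meaningful task.
    run ipa privilege-add "${label} user administration" \
        --desc="Manage members of the ${target} group"
    run ipa privilege-add-permission "${label} user administration" \
        --permissions="Modify ${label} users" \
        --permissions="Reset ${label} user passwords" \
        --permissions="Unlock ${label} users" \
        --permissions="Delete ${label} users"

    # The role is what people become members of: attach the privilege,
    # then add the admin group as a member.
    run ipa role-add "${label} helpdesk" --desc="Helpdesk for ${target} users"
    run ipa role-add-privilege "${label} helpdesk" \
        --privileges="${label} user administration"
    run ipa role-add-member "${label} helpdesk" --groups="$admins"
}

# Show what was granted; the --raw view of a permission includes the ACI,
# where the memberOf targetfilter should be visible.
show_delegation() {
    run ipa role-show "${1} helpdesk" --all
    run ipa permission-show "Modify ${1} users" --all --raw
}

# Usage (print first, then run for real):
#   DRY_RUN=1 delegate_group_admin sales sales-helpdesk Sales
#   delegate_group_admin sales sales-helpdesk Sales && show_delegation Sales
```

Adding new accounts cannot be scoped this way: a freshly added entry has no memberOf value yet, so a memberOf target filter never matches it. That half of the request needs the unscoped shipped add-user permission, plus write access to the group's member attribute so the helpdesk can put the new account into the group it is allowed to manage.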


Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
Hi Alexander,

Thanks for the link. I read through it again, and I am still stuck on the
rpcgss service on the server...I don't know how to properly restart it. The
service in the documents is service nfs-secure-server enable (FC16), or
rpcsvcgssd.service (RH7), but I cannot enable using those.

I killed rpc.gssd process on the client and restarted manually with
rpc.gssd -vvv, which gave me more output. There is a flag set in
/etc/sysconfig/nfs which should have already been giving that output, but
it never took effect, even though I restarted nfs-server and
nfs-secure-server. What is the right way to restart rpcgssd.service and
rpcsvcgssd.service?

Anyway, after manually killing and executing rpc.gssd, the homedir
automounts with krb5p when I ssh to the machine (yay - first time!), but
the files are owned by nobody. I cannot access the files as the owner. The
UID of the file owner is low (between 500-1000), so I had to change the
user's UID just to be able to login (<1000 is blocked by PAM). Maybe the
fact that the user with a matching UID doesn't exist is causing a problem
in mapping the files' owner to a user? If so, how do I most efficiently map
the name of the file owner to the user with a different numerical UID? I
had hoped the kerberos auth might handle this for me.

The homedir does not mount when I su from root (not particularly a problem,
but it was muddling the issue). This clued me in: rpc.gssd[9928]: No key
table entry found for root/nfsclient.domain.tld.

Thank you!
Joanna

On Fri, Jul 1, 2016 at 3:59 PM, Alexander Bokovoy 
wrote:

> On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>
>> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
>> starting to wonder if I don't have HBAC rules set up correctly.  I
>> installed freeIPA with --no_hbac_allow.
>>
>> I have an HBAC service defined as an nfs service:
>> $ ipa hbacsvc-add --desc="NFS service" nfs
>>
>> I have an HBAC rule that allows all users to access all services on a
>> group
>> of hosts. My nfsclient is in that group.
>>
>> Is that enough to allow users rights to mount nfs shares? Do I need some
>> sort of HBAC between the nfsclient and the nfsserver?
>>
> HBAC is not involved at all for NFS use. Remember, HBAC checks are run
> by SSSD when it is called by PAM session setup. There is nothing like
> that for NFS mounts.
>
> Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
>
>
> --
> / Alexander Bokovoy
>



-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
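On the files showing up as owned by nobody once the mount is krb5p: with NFSv4 the owner travels on the wire as a name of the form user@nfsv4domain, not as a number, so a client whose numeric UID differs from the server's still shows the right owner as long as both ends resolve the name and agree on the NFSv4 domain (the "domain = yourdomain.tld" setting Youenn asked about earlier in the thread). A Domain that is unset or differs between hosts, or an owner name the client cannot resolve, is what turns every owner into the Nobody-User. The following is an added example, not something from the thread or from nfs-utils: it writes a minimal idmapd.conf and wraps the two nfsidmap checks worth running after changing it. The domain name and the nobody account are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): NFSv4 ID-mapping configuration and the
# checks that go with it. Domain and the nobody account are assumptions.

# Write a minimal idmapd.conf for NFSv4 domain $1 to file $2.  Both the
# server's rpc.idmapd and the client's nfsidmap read this file, and the
# Domain value has to be identical on every host that shares the exports.
write_idmapd_conf() {
    domain=$1 out=$2
    cat > "$out" <<EOF
[General]
# Left unset, this defaults to the host's DNS domain; hosts in different
# DNS domains then disagree and every owner becomes the Nobody-User below.
Domain = ${domain}

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
EOF
}

# What the running idmapper believes the NFSv4 domain is.  Compare the
# output on server and client; they must match.  Needs nfs-utils.
effective_nfs4_domain() {
    command -v nfsidmap >/dev/null 2>&1 || { echo "nfsidmap not installed" >&2; return 1; }
    nfsidmap -d
}

# After editing idmapd.conf on a client: drop the kernel's cached mappings,
# otherwise the old "nobody" results are served until they expire.
flush_idmap_cache() {
    nfsidmap -c
}

# Usage:
#   write_idmapd_conf domain.tld /etc/idmapd.conf
#   effective_nfs4_domain && flush_idmap_cache
```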

Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Alexander Bokovoy

On Fri, 01 Jul 2016, Joanna Delaporte wrote:

I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
starting to wonder if I don't have HBAC rules set up correctly.  I
installed freeIPA with --no_hbac_allow.

I have an HBAC service defined as an nfs service:
$ ipa hbacsvc-add --desc="NFS service" nfs

I have an HBAC rule that allows all users to access all services on a group
of hosts. My nfsclient is in that group.

Is that enough to allow users rights to mount nfs shares? Do I need some
sort of HBAC between the nfsclient and the nfsserver?

HBAC is not involved at all for NFS use. Remember, HBAC checks are run
by SSSD when it is called by PAM session setup. There is nothing like
that for NFS mounts.

Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?


--
/ Alexander Bokovoy



[Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
starting to wonder if I don't have HBAC rules set up correctly.  I
installed freeIPA with --no_hbac_allow.

I have an HBAC service defined as an nfs service:
$ ipa hbacsvc-add --desc="NFS service" nfs

I have an HBAC rule that allows all users to access all services on a group
of hosts. My nfsclient is in that group.

Is that enough to allow users rights to mount nfs shares? Do I need some
sort of HBAC between the nfsclient and the nfsserver?

Thanks! Joanna

-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

[Freeipa-users] Creating roles tutorial/how-to

2016-07-01 Thread Larry Rosen
Are there any tutorials/how to's to guide how to create roles?  The docs simply 
go through filling out the forms, but is there any resource about how roles are 
generally used and the required relationships?

This is the closest thing I have found:  
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don't understand how to limit various permissions/privileges to specific 
users or groups.

I want a role to manage only the users of a certain group: i.e. a user that can 
add, modify, delete user accounts and set/reset/unlock passwords for one group.

Larry

Re: [Freeipa-users] IPA and NFSv4 with krb5 security

2016-07-01 Thread Joanna Delaporte
Which services actually need to be running for Kerberized NFS? On the
server and client sides? What needs to be enabled?

When I go through the list in the RHEL 7 Domain Auth guide (p 271), I
cannot get rpcsvcgssd.service to start. It doesn't give any errors when I
send it a start command, but status always shows it as condition failed,
and inactive (dead). I also cannot enable it, with the error "No such file
or directory." Is this deprecated/replaced with some other service for rpc
gss server-side service?


On Thu, Jun 30, 2016 at 3:05 PM, Youenn PIOLET  wrote:

> Hi,
> First questions (sorry if it's obvious):
> - Do you have a valid token on the client? (obtained with kinit)
> - Did you import the keytab for NFS service on the server?
> - Did you put "domain = yourdomain.tld" in your NFS server config file? On
> your client?
> - Depending on your (ipa? nfs?) version you may have to enable weak crypto
> (I saw this everywhere but never had to do it for a reason I still ignore)
>
> I'm far from being the most informed person on this list, but I think these
> may be the first things to check.
>
> Hope this helps,
> Regards
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2016-06-30 21:47 GMT+02:00 Joanna Delaporte :
>
>> I need some pointers for getting NFSv4 to use krb5 authorization in my
>> IPA realm.
>>
>> My realm is new. I have just migrated some users from an NIS domain to
>> the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
>> server and client, and automaps using the recommended methods in the RHEL 7
>> Storage and Domain Auth/Policy guides.
>>
>> In the exports file on the nfsserver, as long as I
>> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
>> However, when I remove sys, I no longer am able to mount. I have
>> root_squash set.
>>
>> Automount hangs when I restart it, while trying to mount the first NFS
>> directory.
>>
>> If I try to mount on the command line, I get this:
>> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
>> mount.nfs4: access denied by server while mounting arcturus:/
>>
>> If I take out sec=krb5, it works. It just rolls back to sec=sys
>> (confirmed with mountstats).
>> I am not seeing anything related to the mount attempts on the nfsserver
>> logs, but I'm not sure I am looking in the right logs.
>>
>> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
>> error or access logs.
>>
>> What am I missing?
>>
>> Thanks!
>> Joanna
>>
>>
>>
>> --
>>
>>
>> Joanna Delaporte
>> Linux Systems Administrator | Parkland College
>> joannadelapo...@gmail.com
>>
>>
>
>


-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Prasun Gera
There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed
in 7.3, that would be great, especially for Lets Encrypt certs (even
without auto-renewal)

On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi 
wrote:

> Hi,
> > For the time being and as far as I can see until IPA 4.3.1, the
> procedure is messy and difficult.
> > The following thread will be a big help:
> > https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
> >
> > I think I succeeded at last, but further tests remain.
> Is it possible to backport the working procedure from 4.3.1 to 4.2 in
> Fedora 23 ?
> >
> >
> regards,
> Andreas
>
>
>

Re: [Freeipa-users] how to make fIPA stick to only...

2016-07-01 Thread lejeczek



On 01/07/16 12:41, Petr Vobornik wrote:

On 06/30/2016 04:56 PM, lejeczek wrote:

... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but being an amateur cannot figure it out,
it's on a multi/home-IP box. Is it possible?

many thanks,

L.


Hi L.

Could you describe your environment and use case in more details. It is
not clear to me what you are trying to achieve or what doesn't work for you.

Thank you

gee, I thought my scenario would be quite common among users,
take a box with more than one net if, or even multiple IPs 
- what would be nice to have is fIPA webui residing/running only 
on that FQHN and that IP to which hostname resolves. Eg, 
here is one single system:

box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2
currently I get fIPA's webui everywhere, but I'd like it to 
be only at

ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)
I think it would be great to have this included (maybe as 
comments/options) in Apache's configs of IPA future 
releases, if possible.
Is it possible to construct such rules? Or is there a 
different, simpler way?

thanks!



Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-07-01 Thread Roderick Johnstone

On 30/06/16 14:14, Rob Crittenden wrote:

David Kupka wrote:

On 29/06/16 19:05, Roderick Johnstone wrote:

Hi

If I set a kerberos principal for a user to expire on a given date
using:
ipa user-mod  --principal-expiration=DATE
is it possible to later remove this expiration date rather than just set
it to a time far in the future?

Thanks

Roderick Johnstone



Hello Roderick,
AFAIK the only way to remove principal expiration at this time is to remove
the krbPrincipalExpiration attribute from the user entry in DS.

$ kinit admin
Password for ad...@example.org
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.org
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration
modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in the API. Could you please file
an RFE (https://fedorahosted.org/freeipa/newticket)?



You just need to pass in a blank value:

$ ipa user-mod  --principal-expiration=

rob


Thanks both.

I can indeed confirm that setting --principal-expiration= does in fact 
remove the kerberos expiration date.


Roderick



Re: [Freeipa-users] webmaster permission

2016-07-01 Thread Jan Pazdziora
On Fri, Jul 01, 2016 at 01:35:41PM +0200, Günther J. Niederwimmer wrote:
> 
> CentOS 7.2 IPA 4.3.1
> 1 Server (extern) with Virtual Systems (KVM) installed.
> DNSserver, Mailserver, Ipaserver,Webserver..

Is the IPA server running in a VM or on the host?

> Now we like to have our Websystem on this Server

This server meaning yet another VM, or directly on the host?

> What is the best way to allow an external Webmaster to create or modify the 
> websites with joomla, and have the secure from IPA.

Could you be more specific about the

have the secure from IPA

requirement?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] webmaster permission

2016-07-01 Thread Günther J . Niederwimmer
Hello,

Am Freitag, 1. Juli 2016, 13:43:35 CEST schrieb Petr Spacek:
> On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > I am a newbie with IPA and have big Problems ;-),
> > the "normal" Installation is working nice. :-))
> > 
> > But now I have a Problem ?
> > 
> > CentOS 7.2 IPA 4.3.1
> > 1 Server (extern) with Virtual Systems (KVM) installed.
> > DNSserver, Mailserver, Ipaserver,Webserver..
> > 
> > Now we like to have our Websystem on this Server
> > 
> > What is the best way to allow an external Webmaster to create or modify the
> > websites with joomla, and have the secure from IPA.
> > 
> > Have any a hint or link for this Problem.
> 
> Hi,
> 
> it is strongly recommended to keep FreeIPA on a separate machine / VM and do
> not mix it with anything else. FreeIPA should be considered as security
> centre of your network and having additional applications under the same
> operating system instance is potentially opening doors to attackers.
> 
> My recommendation is to install a separate VM for FreeIPA and another
> separate VM for other applications.

hello Petr, thanks for the answer, the install Structure is a VM with FreeIPA 
and enrolled clients for (VM) mailserver, httpserver, host, 

 So my problem is the Webmaster permission: give only the Webserver and 
Joomla  

Thanks,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Fraser Tweedale
On Fri, Jul 01, 2016 at 09:00:03AM +0200, Andreas Ladanyi wrote:
> Hi Fraser.
> >>> Hi,
> >>>
> >>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
> >>>
> >>> When I want to start IPA with ipactl start I run into the situation that
> >>> starting pki-tomcat takes a long time and ipactl aborts the starting
> >>> process and shuts down services. So IPA doesn't start.
> >> Sounds like 
> >> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
> >>
> > I concur - it is likely to be the same issue.  A new release of pki
> > on f23 is going to happen in the next day or so.  If it is the same
> > issue, that will fix it.
> yes it was the same issue. I could fix it.
> 
> Andreas
> 
Glad to hear it, Andreas.



Re: [Freeipa-users] webmaster permission

2016-07-01 Thread Petr Spacek
On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> Hello,
> 
> I am a newbie with IPA and have big Problems ;-),
> the "normal" Installation is working nice. :-))
> 
> But now I have a Problem ?
> 
> CentOS 7.2 IPA 4.3.1
> 1 Server (extern) with Virtual Systems (KVM) installed.
> DNSserver, Mailserver, Ipaserver,Webserver..
> 
> Now we like to have our Websystem on this Server
> 
> What is the best way to allow an external Webmaster to create or modify the 
> websites with joomla, and have the secure from IPA.
> 
> Have any a hint or link for this Problem. 

Hi,

it is strongly recommended to keep FreeIPA on a separate machine / VM and do
not mix it with anything else. FreeIPA should be considered as security centre
of your network and having additional applications under the same operating
system instance is potentially opening doors to attackers.

My recommendation is to install a separate VM for FreeIPA and another separate
VM for other applications.

-- 
Petr^2 Spacek



Re: [Freeipa-users] how to make fIPA stick to only...

2016-07-01 Thread Petr Vobornik
On 06/30/2016 04:56 PM, lejeczek wrote:
> ... its own FQHN and its IP ?
> 
> hi users,
> 
> I'm fiddling with rewrites but being an amateur cannot figure it out,
> it's on a multi/home-IP box. Is it possible?
> 
> many thanks,
> 
> L.
> 

Hi L.

Could you describe your environment and use case in more details. It is
not clear to me what you are trying to achieve or what doesn't work for you.

Thank you
-- 
Petr Vobornik



Re: [Freeipa-users] SRV records?

2016-07-01 Thread Petr Spacek
On 30.6.2016 17:56, Christophe TREFOIS wrote:
> Hi,
> 
> I am getting a bit confused about what is possible / advised to do and how to 
> setup SRV records for our existing setup.
> 
> Currently, it looks like this:
> 
> ipa1.domain.ltd
> ipa2.domain.ltd
> ipa3.domain.ltd
> 
> I believe the installed domain and realm is domain.ltd (we added some other 
> realm domains later on).
> 
> And we use ipa1 for external user access, ipa2 for services, and ipa3 for 
> backup (not accessed directly).
> 
> We now want to create SRV records for this setup.
> 
> What would they look like?
> 
> The problem I have is that domain.ltd is also the university’s AD domain and, 
> according to the docs, it is not recommended to do this, in any fashion.
> 
> Would it be however, feasible, to do this via a FreeIPA-FreeIPA migration?
> 
> Could you please share any piece of information, or advice on this?

Unfortunately there is no way to make this work. There will be inevitable
conflicts on DNS and Kerberos level.

Please make sure you fully read
http://www.freeipa.org/page/Deployment_Recommendations
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#server-prereqs

After that the only option is to plan for new FreeIPA installation and
migration. Unfortunately complete FreeIPA-FreeIPA migration is not supported
either so it is mostly manual process (using hand-made scripts for your
deployment).

Do not hesitate to contact us if you have any questions.

-- 
Petr^2 Spacek



Re: [Freeipa-users] AES reverse encryption plugin on userPassword attribute

2016-07-01 Thread Petr Spacek
On 30.6.2016 15:30, opensauce . wrote:
> Hi All,
> 
> I need to store user passwords with reverse encryption for an application.
> 
> I know the AES plugin is enabled and available :
> 
> # AES, Password Storage Schemes, plugins, config
> dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
> cn: AES
> nsslapd-pluginDescription: AES storage scheme plugin
> nsslapd-pluginEnabled: on
> nsslapd-pluginId: aes-storage-scheme
> nsslapd-pluginInitfunc: aes_init
> nsslapd-pluginPath: libpbe-plugin
> nsslapd-pluginType: reverpwdstoragescheme
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginVersion: 1.3.4.0
> nsslapd-pluginarg0: nsmultiplexorcredentials
> nsslapd-pluginarg1: nsds5ReplicaCredentials
> nsslapd-pluginprecedence: 1
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> 
> How do I apply this plugin to the userPassword attribute of a single or
> multiple users?

Generally FreeIPA tries to hide passwords as much as possible even from admins
so this is not enabled by default. You might try to experiment using 389 DS
documentation [1] but there are no guarantees.

[1] 
http://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/

-- 
Petr^2 Spacek



[Freeipa-users] webmaster permission

2016-07-01 Thread Günther J . Niederwimmer
Hello,

I am a newbie with IPA and have big Problems ;-),
the "normal" Installation is working nice. :-))

But now I have a Problem ?

CentOS 7.2 IPA 4.3.1
1 Server (extern) with Virtual Systems (KVM) installed.
DNSserver, Mailserver, Ipaserver,Webserver..

Now we like to have our Websystem on this Server

What is the best way to allow an external Webmaster to create or modify the 
websites with joomla, and have the secure from IPA.

Have any a hint or link for this Problem. 

Thanks for an answer,

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-07-01 Thread Ludwig Krispenz

please keep the discussion on the mailing list
On 07/01/2016 01:17 PM, Omar AKHAM wrote:

Which package to install ? ipa-debuginfo?

yes


2 other crashes last night, with a different user bind this time :

rawdn = 0x7f620003a200 
"uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"

dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
saslmech = 0x0
cred = {bv_len = 9, bv_val = 0x7f6200034af0 
"nw_PA\250\063\065\067"}

be = 0x7f6254941c20
ber_rc = 
rc = 0
sdn = 0x7f62000313f0
bind_sdn_in_pb = 1
referral = 0x0
errorbuf = '\000' ...
supported = 
pmech = 
authtypebuf = 
"\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000
\000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ 

000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 

0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", '\000' 
, "\002\000\000\000 \305\363Tb\177\000\000\377\377\37
7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", 
'\000' 

bind_target_entry = 0x0



On 2016-06-30 18:16, Ludwig Krispenz wrote:

On 06/30/2016 05:54 PM, d...@mdfive.dz wrote:
The crash is random, sometimes the user binds without problem, 
sometimes it binds and there is the error message of the ipa plugin 
without a dirsrv crash. But when it crashes, this user's bind is found 
in the newly generated core file!

ok, so the user might try or use different passwords. it could be
helpful if you can install the debuginfo for the ipa-server package
and get a new stack. Please post it to the list, you can X the
credentials in the core, although I think they will not be proper
credentials.

Ludwig


On 2016-06-30 14:50, Ludwig Krispenz wrote:

On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:


On 06/30/2016 02:27 PM, d...@mdfive.dz wrote:

Hi,

Please find strace on a core file : http://pastebin.com/v9cUzau4

the crash is in an IPA plugin, ipa_pwd_extop,
to get a better stack you would have to install also the debuginfo 
for ipa-server.

but the stack matches the error messages you have seen
[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file
encoding.c, line 171]: generating kerberos keys failed [Invalid
argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c,
line 225]: key encryption/encoding failed
they are from the functions in the call stack.

Looks like the user has a password with a \351 char:
cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}

does the crash always happen with a bind from this user ?


and then someone familiar with this plugin should look into it


Regards


On 2016-06-30 12:13, Ludwig Krispenz wrote:

can you get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes


On 06/30/2016 11:28 AM, d...@mdfive.dz wrote:

Hi,

The Directory Service crashes several times a day. It's 
installed on a CentOS 7 VM:


Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.2.0

# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


Before each crash, I have these messages in 
/var/log/dirsrv/slapd-X/errors :


[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - 
[file encoding.c, line 171]: generating kerberos keys failed 
[Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
encoding.c, line 225]: key encryption/encoding failed



Any help?
Best regards



-- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: 
Grasbrunn,

Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander







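The two credential strings in the traces above can be checked mechanically, as an added example that is not part of the thread and not code from 389-ds or FreeIPA: gdb prints every non-ASCII byte as a three-digit octal escape, so the exact bytes and their count can be recovered from the posted stack alone. Decoding them gives 15 and 9 bytes, matching the bv_len fields, and in each case the non-ASCII byte (0xE9 in "d\351sertification", which is Latin-1 "désertification", and 0xA8 in the second one) is a lone high byte that is not valid UTF-8, which is what Ludwig's remark about the \351 character points at. The helpers are my own; the only assumption is that the traces were pasted unmodified.

```shell
#!/bin/sh
# Added example: decode gdb's octal-escaped credential bytes from the traces
# and test them for valid UTF-8.  Nothing here comes from the thread or from
# 389-ds/FreeIPA; the only input is the string as gdb printed it.

# Raw bytes of a gdb string body on stdout.  printf interprets \ooo escapes
# in its *format* argument (POSIX), so the string is passed as the format;
# '%' is doubled first so it cannot be taken as a conversion specifier.
gdb_bytes() {
    printf "$(printf '%s' "$1" | sed 's/%/%%/g')"
}

# Byte count, to compare with bv_len in the trace.
byte_len() {
    gdb_bytes "$1" | wc -c | tr -d '[:space:]'
}

# The non-ASCII bytes (>= 0x80) in hex, space separated.
high_bytes() {
    gdb_bytes "$1" | od -An -v -tx1 | tr -s ' ' '\n' \
        | grep -E '^[89a-f][0-9a-f]$' | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if the bytes are structurally valid UTF-8: every lead byte is
# followed by the right number of continuation bytes and no continuation
# byte appears on its own.  Overlong forms and surrogates are not checked;
# this is enough to flag a stray Latin-1 byte such as 0xE9.
is_utf8() {
    gdb_bytes "$1" | od -An -v -tu1 | tr '\n' ' ' | awk '
    {
        need = 0
        for (i = 1; i <= NF; i++) {
            b = $i + 0
            if (need > 0) { if (b < 128 || b > 191) exit 1; need-- }
            else if (b < 128) need = 0
            else if (b >= 194 && b <= 223) need = 1
            else if (b >= 224 && b <= 239) need = 2
            else if (b >= 240 && b <= 244) need = 3
            else exit 1
        }
        if (need > 0) exit 1
    }'
}

# One-line verdict for a trace credential.
report() {
    if is_utf8 "$1"; then verdict=valid-utf8; else verdict=not-utf8; fi
    printf 'len=%s high=[%s] %s\n' \
        "$(byte_len "$1")" "$(high_bytes "$1")" "$verdict"
}

# The two credentials as printed in the traces above (bv_len 15 and 9):
#   report 'd\351sertification'         -> len=15 high=[e9] not-utf8
#   report 'nw_PA\250\063\065\067'      -> len=9 high=[a8] not-utf8
```

The byte class is all that is needed to correlate crashes; as Ludwig says, X out the cred field itself before posting a core-derived stack, because the bind credential lands in a public archive otherwise.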


Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Andreas Ladanyi
Hi,
> For the time being and as far as I can see until IPA 4.3.1, the procedure is 
> messy and difficult.
> The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
Is it possible to backport the working procedure from 4.3.1 to 4.2 in
Fedora 23 ?
>
>
regards,
Andreas




Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Tomasz,
> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
>> Hi,
>>
>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
>>
>> When I want to start IPA with ipactl start I run into the situation that
>> starting pki-tomcat takes a long time and ipactl aborts the starting
>> process and shuts down services. So IPA doesn't start.
> Sounds like 
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
Thank you. You are right. The certificate profiles that were not imported
into LDAP during the upgrade process were the problem. I solved this issue
with the information at the above link.


Andreas




Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-01 Thread Alexander Bokovoy

On Thu, 30 Jun 2016, pgb205 wrote:

Ben, do you mind sharing your solution as I am affected by the exact same error 
when fetching AD domains.

I'm currently on vacation and don't have access to my lab, but you need
to check if there are any problems with SELinux. 'ipa
trust-fetch-domains' calls out via DBus to another script. It is
functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust 
com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this
run will generate a lot of debug information.


--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Fraser.
>>> Hi,
>>>
> >>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
> >>>
> >>> When I want to start IPA with ipactl start I run into the situation that
> >>> starting pki-tomcat takes a long time and ipactl aborts the starting
> >>> process and shuts down services. So IPA doesn't start.
>> Sounds like 
>> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
>>
> I concur - it is likely to be the same issue.  A new release of pki
> on f23 is going to happen in the next day or so.  If it is the same
> issue, that will fix it.
yes it was the same issue. I could fix it.

Andreas


