Sean Hogan wrote:
> Hi Robert,
>
> No, I did not cut it off.... there was no reason listed.. that was the
> last line about the issue.
>
> I did find this to be my issue however:
> https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat
> guys see if they can pull the new selinux policy packages as I do not
> see them avail right now for my boxes.
>
> [root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
> ----
> type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received
> setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root
> hostname=? addr=? terminal=?'
> ----
> type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
> name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
> syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK
> a2=0x4000 a3=0xfffffffffffff8e8 items=1 ppid=1 pid=2875 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write }
> for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir
> ----
> type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
> name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
> ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
> objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
> syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
> a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write }
> for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Good catch, that seems like the issue.

> [root@server2 log]# rpm -qf /etc/ipa/nssdb
> ipa-python-4.1.0-18.el7_1.4.x86_64

IIRC it is just ghosted, all files should be owned by something.

> Encryption types.. thanks for the command.. good to know but hate seeing
> the arcfour and des options as I know DISA will not like that.

No DES, Triple DES. You can always remove them if you want, just be aware
of interoperability.

rob

> [root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b
> cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject
> # filter: (objectclass=*)
> # requesting: krbSupportedEncSaltTypes
> #
>
> # IPA.LOCAL, kerberos, ipa.local
> dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Sean Hogan
>
>
> From: Rob Crittenden <rcrit...@redhat.com>
> To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhro...@redhat.com>
> Cc: freeipa-users@redhat.com, Martin Babinsky <mbabi...@redhat.com>
> Date: 11/17/2016 07:59 AM
> Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
>
> ------------------------------------------------------------------------
>
> Sean Hogan wrote:
>> Hi Jakub,
>>
>> I ended up re-enrolling the box and it is behaving as expected except I
>> am not getting a host cert. Robert indicated auto host cert no longer
>> avail with rhel 7 but using the --request-cert option on enroll to get
>> a host cert if I wanted one. I did so and get this in the install log
>>
>> 2016-11-16T22:00:53Z DEBUG Starting external process
>> 2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
>> 'certmonger.service'
>> 2016-11-16T22:00:53Z DEBUG Process finished, return code=0
>> 2016-11-16T22:00:53Z DEBUG stdout=active
>>
>> 2016-11-16T22:00:53Z DEBUG stderr=
>> 2016-11-16T22:00:53Z ERROR certmonger request for host certificate
>> failed
>
> Did you cut off the reason reported for the request failing?
>
>> Maybe this is an issue with RHEL 7 (4.x) client hitting a RHEL 6 (3.x)
>> IPA server?
>
> You could look in the server logs for details.
>
>> As for crypto on RHEL 6 IPA I have (if this is what you are looking for).
>> However this is a modified version as it took me a while to get this list
>> to pass tenable scans by modding the dse files.
>> [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`
>
> These are the TLS settings for LDAP, not the Kerberos encryption types
> supported. You instead want to run:
>
> $ ldapsearch -x -D 'cn=directory manager' -W -s base -b
> cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes
>
> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
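As an added example (not part of the thread), a small Python triage script for the `ausearch -i` output quoted above: it joins each AVC record to its PATH record by audit event id, collapses retries into one (source type, target type, class, permission) line, and flags targets carrying a catch-all label such as etc_t, the pattern that points at a relabel or a policy update rather than a hand-written allow rule. The GENERIC_TYPES set is an assumption, and the sample input is constructed from the records in the thread with fields abridged.

```python
import re
from collections import defaultdict

# Constructed sample in the `ausearch -i` format quoted in the thread (fields abridged).
SAMPLE = """\
----
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

EVENT_ID = re.compile(r"msg=audit\(([^)]*)\)")
PATH_NAME = re.compile(r"^type=PATH .*? name=(\S+)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \} .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
# Assumption: catch-all labels that usually mean the file was created or restored with a generic type.
GENERIC_TYPES = {"etc_t", "default_t", "unlabeled_t"}

def parse_denials(text):
    """Group records by audit event id and join each AVC with its PATH record."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue                      # '----' separators carry no event id
        ev = events[m.group(1)]
        pm, am = PATH_NAME.match(line), AVC.search(line)
        if pm:
            ev["path"] = pm.group(1)
        if am:
            ev.update(perms=am.group(1).split(), scontext=am.group(2),
                      tcontext=am.group(3), tclass=am.group(4))
    return [ev for ev in events.values() if "scontext" in ev]

def summarize(denials):
    """Map (source type, target type, tclass, permission) -> paths, so one policy gap appears once."""
    summary = defaultdict(set)
    for ev in denials:
        for perm in ev["perms"]:
            key = (ev["scontext"].split(":")[2], ev["tcontext"].split(":")[2], ev["tclass"], perm)
            summary[key].add(ev.get("path", "?"))
    return dict(summary)

def generic_label_findings(summary):
    """Keys whose target type is a catch-all label: candidates for restorecon or a policy update."""
    return sorted(k for k in summary if k[1] in GENERIC_TYPES)
```

Run it against a saved `ausearch -i` dump to see the certmonger_t -> etc_t write denials on the nssdb directory and cert8.db reported as two lines instead of a stream of retries.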