Re: [Freeipa-users] users account functionality

2013-05-02 Thread Dmitri Pal
On 05/02/2013 09:49 AM, John Dennis wrote:
> On 05/02/2013 04:42 AM, Juan Armario wrote:
>> Hi,
>>
>> I'm Juan and I'm building a freeipa application and need to know if it
>> possible integrate a module or if is already developed, the typical
>> functionality when we want an authentication service for our users, like
>> remember password, create users, and send an email for confirmation, or
>> send a account delete  request.
>>
>> We have installed the basic freeipa and we need to incorporate this
>> functionality.
>>
>> Exist this or have I to implement it?
>
> It's a little hard to understand exactly what you're looking to
> accomplish, for instance what does "remember password" mean?
>
> It doesn't sound like what you're looking for requires adding a plugin
> module, rather you're looking to add a front-end to IPA which is easy
> to do with scripts. IPA is quite amenable to scripting because we
> provide a command line interface. You can either call the ipa command
> from a shell script or you can write your own Python scripts and
> invoke the IPA API directly. Be careful though, the type of operations
> you've described all require administrator privileges, it's not
> something a general user can do.
>
>
It looks like Juan is looking for some kind of more advanced self
service portal.
But it is not clear what the specific requirements are.
Juan can you please be more detailed in what are the workflows you have
in mind.
Are you looking for the self service registration with mail
confirmation? If yes this does not exist now and generally IPA is the
domain controller for the controlled environment it is not a good fit
for a general purpose accounting service unless you explicitly extend
it. If this is what you are looking for you can script the addition
flows with CLI or contribute code however you need to be sure your
security mode is sound. We do not want to add functionality that would
allow anyone to self register to any instance of IPA that would be a
security disaster.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Rob Crittenden

Toasted Penguin wrote:

Yes that helped fix 2012092520027 (thank you!!)

But I am still seeing an error with:

Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes

I noticed that the request ID doesn't show up
in /var/lib/certmonger/requests/, does that make a difference?


The request ID usually, but not always matches the name of the request 
files.


We don't usually issue a Server-Cert for an IPA server. Could this be a 
remnant of an older client install?


Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb

rob


David


On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <na...@redhat.com> wrote:

On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
 > /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
 >
 > All the certs monitored by Certmonger show the same issuer.

Ok, good.  (If that hadn't been the case, I wouldn't have had an
explanation to offer.)

 > Wasn't getting anything back when running the ipahost script you
provided,
 > ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
and echo
 > $ipahost shows nothing so I just ran the openssl section manually:

Hmm.  Curious.  That might be a leftover from having different releases
installed at various times on my test box.  Thanks for continuing on.

 > openssl s_client -CAfile /etc/ipa/ca.crt -connect
ipa01.ctidata.net:https
 > -showcerts < /dev/null
 >
 > Results:
 > CONNECTED(0003)
 > depth=1 O = CTIDATA.NET, CN = Certificate Authority
 > verify return:1
 > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
 > verify error:num=10:certificate has expired
 > notAfter=Mar 24 19:56:36 2013 GMT
 > verify return:1
 > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
 > notAfter=Mar 24 19:56:36 2013 GMT
 > verify return:1
 > ---
 > Certificate chain
 >  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
 >i:/O=CTIDATA.NET/CN=Certificate Authority
 > -BEGIN CERTIFICATE-
 > #
 > -END CERTIFICATE-
 >  1 s:/O=CTIDATA.NET/CN=Certificate Authority
 >i:/O=CTIDATA.NET/CN=Certificate Authority
 > -BEGIN CERTIFICATE-
 > 
 > -END CERTIFICATE-
 > ---
 > Server certificate
 > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
 > issuer=/O=CTIDATA.NET/CN=Certificate Authority
 > ---
 > No client certificate CA names sent
 > ---
 > SSL handshake has read 1959 bytes and written 463 bytes
 > ---
 > New, TLSv1/SSLv3, Cipher is AES256-SHA
 > Server public key is 2048 bit
 > Secure Renegotiation IS supported
 > Compression: NONE
 > Expansion: NONE
 > SSL-Session:
 > Protocol  : TLSv1
 > Cipher: AES256-SHA
 > Session-ID: #
 > Session-ID-ctx:
 > Master-Key: 
 > Key-Arg   : None
 > Krb5 Principal: None
 > PSK identity: None
 > PSK identity hint: None
 > Start Time: 1367518514
 > Timeout   : 300 (sec)
 > Verify return code: 10 (certificate has expired)
 > ---
 > DONE

Yup, that's the problem: the IPA server's certificate wasn't able to be
replaced while it was still valid, and now it can no longer ask itself
for a new one.

With 2.1.4, I think the simplest way to sort this is to stop the
services (ipactl stop; service certmonger stop), roll the system date
back, start the services up again, possibly use 'ipa-getcert resubmit'
to force updating (it should happen automatically, but forcing it to
happen a second time won't hurt).  Then shut things down, set the
correct time on the clock, and bring everything back up again.

Hopefully there's a smarter way to do it, but I'm blanking on it if
there is one.

HTH,

Nalin









Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
Yes that helped fix 2012092520027 (thank you!!)

But I am still seeing an error with:

Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes

I noticed that the request ID doesn't show up
in /var/lib/certmonger/requests/, does that make a difference?

David


On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai  wrote:

> On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> > /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
> >
> > All the certs monitored by Certmonger show the same issuer.
>
> Ok, good.  (If that hadn't been the case, I wouldn't have had an
> explanation to offer.)
>
> > Wasn't getting anything back when running the ipahost script you
> provided,
> > ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> > $ipahost shows nothing so I just ran the openssl section manually:
>
> Hmm.  Curious.  That might be a leftover from having different releases
> installed at various times on my test box.  Thanks for continuing on.
>
> > openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:
> https
> > -showcerts < /dev/null
> >
> > Results:
> > CONNECTED(0003)
> > depth=1 O = CTIDATA.NET, CN = Certificate Authority
> > verify return:1
> > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> > verify error:num=10:certificate has expired
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
> >i:/O=CTIDATA.NET/CN=Certificate Authority
> > -BEGIN CERTIFICATE-
> > #
> > -END CERTIFICATE-
> >  1 s:/O=CTIDATA.NET/CN=Certificate Authority
> >i:/O=CTIDATA.NET/CN=Certificate Authority
> > -BEGIN CERTIFICATE-
> > 
> > -END CERTIFICATE-
> > ---
> > Server certificate
> > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> > issuer=/O=CTIDATA.NET/CN=Certificate Authority
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1959 bytes and written 463 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol  : TLSv1
> > Cipher: AES256-SHA
> > Session-ID: #
> > Session-ID-ctx:
> > Master-Key: 
> > Key-Arg   : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1367518514
> > Timeout   : 300 (sec)
> > Verify return code: 10 (certificate has expired)
> > ---
> > DONE
>
> Yup, that's the problem: the IPA server's certificate wasn't able to be
> replaced while it was still valid, and now it can no longer ask itself
> for a new one.
>
> With 2.1.4, I think the simplest way to sort this is to stop the
> services (ipactl stop; service certmonger stop), roll the system date
> back, start the services up again, possibly use 'ipa-getcert resubmit'
> to force updating (it should happen automatically, but forcing it to
> happen a second time won't hurt).  Then shut things down, set the
> correct time on the clock, and bring everything back up again.
>
> Hopefully there's a smarter way to do it, but I'm blanking on it if
> there is one.
>
> HTH,
>
> Nalin
>

Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 05/02/2013 02:48 PM, Rob Crittenden wrote:

Nathan wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1



On 05/02/2013 01:56 PM, Rob Crittenden wrote:

$ ldapsearch -LLL -x -b cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com dn


Then carefully paste each dn, minus the dn:, in REVERSE order,
to:

$ ldapdelete -x -D 'cn=Directory Manager' -w cn=HTTP...
cn=ldap...

^D to exit


My ipa domain is "systems.lafayette.edu", so I had to work that
into your search string, but I think I have it.

So, here's some output.

[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
dn: cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu


So, from your ldapdelete example, would I.

$ ldapdelete -x -D 'cn=Directory Manager' -w
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
^D


Yup, use -W to prompt, or -w  to pass on cli.

Note that this confirms that IPA doesn't think this server is
actually providing any services.

rob



This seems to have done the trick!

[root@caroline0 PROD ~]# ldapdelete -x -D 'cn=Directory Manager' -W
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu

Enter LDAP Password:
[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
No such object (32)
Matched DN: cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
[root@caroline0 PROD ~]# ls
anaconda-ks.cfg  ca-agent.p12  cacert.p12  cobbler.ks  install.log
install.log.syslog  ks-rhn-post.log  RPM-GPG-KEY-lafayette
[root@caroline0 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master



Great, glad it worked.

rob



Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
> 
> All the certs monitored by Certmonger show the same issuer.

Ok, good.  (If that hadn't been the case, I wouldn't have had an
explanation to offer.)

> Wasn't getting anything back when running the ipahost script you provided,
> ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> $ipahost shows nothing so I just ran the openssl section manually:

Hmm.  Curious.  That might be a leftover from having different releases
installed at various times on my test box.  Thanks for continuing on.

> openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https
> -showcerts < /dev/null
> 
> Results:
> CONNECTED(0003)
> depth=1 O = CTIDATA.NET, CN = Certificate Authority
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> verify error:num=10:certificate has expired
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
>i:/O=CTIDATA.NET/CN=Certificate Authority
> -BEGIN CERTIFICATE-
> #
> -END CERTIFICATE-
>  1 s:/O=CTIDATA.NET/CN=Certificate Authority
>i:/O=CTIDATA.NET/CN=Certificate Authority
> -BEGIN CERTIFICATE-
> 
> -END CERTIFICATE-
> ---
> Server certificate
> subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> issuer=/O=CTIDATA.NET/CN=Certificate Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1959 bytes and written 463 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1
> Cipher: AES256-SHA
> Session-ID: #
> Session-ID-ctx:
> Master-Key: 
> Key-Arg   : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1367518514
> Timeout   : 300 (sec)
> Verify return code: 10 (certificate has expired)
> ---
> DONE

Yup, that's the problem: the IPA server's certificate wasn't able to be
replaced while it was still valid, and now it can no longer ask itself
for a new one.

With 2.1.4, I think the simplest way to sort this is to stop the
services (ipactl stop; service certmonger stop), roll the system date
back, start the services up again, possibly use 'ipa-getcert resubmit'
to force updating (it should happen automatically, but forcing it to
happen a second time won't hurt).  Then shut things down, set the
correct time on the clock, and bring everything back up again.

Hopefully there's a smarter way to do it, but I'm blanking on it if
there is one.

HTH,

Nalin

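The failure mode Nalin describes is only hard to recover from because nobody noticed the server certificate until after it had expired. The script below is an added example for this thread, not code from the thread, from certmonger or from FreeIPA. It parses two things an admin can capture from cron: the output of `getcert list` (to flag requests that report `stuck: yes`, as the two requests in this thread do) and the output of `openssl s_client -CAfile /etc/ipa/ca.crt -connect "$ipahost:https" -showcerts </dev/null` (to classify the verify result, so an expired or untrusted server cert is caught while certmonger can still renew it). The sample inputs are constructed, with placeholder names, so it runs offline; `days_until` assumes GNU `date -d`, everything else is POSIX sh, awk and sed.

```shell
#!/bin/sh
# Added example, not from the thread, certmonger or FreeIPA.
# Assumes POSIX sh, awk, sed; days_until additionally assumes GNU date (-d).

# Print the IDs of tracked requests whose "getcert list" block says "stuck: yes".
# $1 = file holding the output of "getcert list" (or "ipa-getcert list").
stuck_requests() {
    awk '
        /^Request ID/ { id = $0; gsub(/[^0-9]/, "", id) }   # keep only the numeric ID
        /^[[:space:]]*stuck: yes/ { print id }
    ' "$1"
}

# Numeric "Verify return code" from captured s_client output ($1 = file).
cert_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# First notAfter= value s_client printed. OpenSSL only prints it when
# verification failed on validity, so on a healthy server this is empty.
cert_not_after() {
    sed -n 's/^notAfter=//p' "$1" | head -n 1
}

# One-word status derived from the OpenSSL X509 verify result code.
cert_status() {
    case "$(cert_verify_code "$1")" in
        0)            echo ok ;;
        10)           echo expired ;;    # X509_V_ERR_CERT_HAS_EXPIRED
        18|19|20|21)  echo untrusted ;;  # self-signed / issuer not in -CAfile
        '')           echo unparsed ;;   # no verify line at all: connection failed?
        *)            echo failed ;;
    esac
}

# Whole days until the OpenSSL-format date in $1 ("Mar 24 19:56:36 2013 GMT");
# negative once it has passed. Returns 1 if date(1) cannot parse it.
days_until() {
    exp=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Constructed sample inputs (not real captures) so the checks run offline.
GETCERT_SAMPLE=$(mktemp)
cat >"$GETCERT_SAMPLE" <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120615190133':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab.
        stuck: yes
        CA: IPA
Request ID '20120925200227':
        status: MONITORING
        stuck: no
        CA: IPA
EOF

SCLIENT_SAMPLE=$(mktemp)
cat >"$SCLIENT_SAMPLE" <<'EOF'
CONNECTED(00000003)
depth=1 O = EXAMPLE.TEST, CN = Certificate Authority
verify return:1
depth=0 O = EXAMPLE.TEST, CN = ipa01.example.test
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Server certificate
subject=/O=EXAMPLE.TEST/CN=ipa01.example.test
issuer=/O=EXAMPLE.TEST/CN=Certificate Authority
---
    Verify return code: 10 (certificate has expired)
---
DONE
EOF

echo "stuck requests: $(stuck_requests "$GETCERT_SAMPLE")"
echo "server cert: $(cert_status "$SCLIENT_SAMPLE") (notAfter: $(cert_not_after "$SCLIENT_SAMPLE"))"
```

In production, replace the two heredocs with the real captures (`getcert list >file` and the `openssl s_client` pipeline from Nalin's message) and alert on anything other than `ok`, or on `days_until` dropping below the window certmonger needs to renew; the point is to act while the server can still issue itself a new certificate, so the clock-rollback dance above is never required.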


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 05/02/2013 02:48 PM, Rob Crittenden wrote:
> Nathan wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
>> 
>> 
>> 
>> On 05/02/2013 01:56 PM, Rob Crittenden wrote:
>>> $ ldapsearch -LLL -x -b 
>>> cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
>>> dn
>>> 
>>> Then carefully paste each dn, minus the dn:, in REVERSE order,
>>> to:
>>> 
>>> $ ldapdelete -x -D 'cn=Directory Manager' -w cn=HTTP...
>>> cn=ldap...
>>> 
>>> ^D to exit
>> 
>> My ipa domain is "systems.lafayette.edu", so I had to work that
>> into your search string, but I think I have it.
>> 
>> So, here's some output.
>> 
>> [root@caroline0 PROD ~]# ldapsearch -LLL -x -b 
>> cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
>> dn
>> dn: cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
>> 
>> So, from your ldapdelete example, would I.
>> 
>> $ ldapdelete -x -D 'cn=Directory Manager' -w 
>> cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
>> ^D
> 
> Yup, use -W to prompt, or -w  to pass on cli.
> 
> Note that this confirms that IPA doesn't think this server is
> actually providing any services.
> 
> rob
> 

This seems to have done the trick!

[root@caroline0 PROD ~]# ldapdelete -x -D 'cn=Directory Manager' -W
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu

Enter LDAP Password:
[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
No such object (32)
Matched DN: cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
[root@caroline0 PROD ~]# ls
anaconda-ks.cfg  ca-agent.p12  cacert.p12  cobbler.ks  install.log
install.log.syslog  ks-rhn-post.log  RPM-GPG-KEY-lafayette
[root@caroline0 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master


Thanks a bunch!


This is the second or third time you've helped me out of a bind, I owe
you a beer.

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGCuiIACgkQsZqG4IN3sul5VQCdHxqnYgV6WHHRQXG/RivTLcnN
F60AoKCoQAVXs99K0rcKhtkkefcAlQo4
=v07c
-END PGP SIGNATURE-



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 05/02/2013 01:56 PM, Rob Crittenden wrote:

$ ldapsearch -LLL -x -b
cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
dn

Then carefully paste each dn, minus the dn:, in REVERSE order, to:

$ ldapdelete -x -D 'cn=Directory Manager' -w cn=HTTP... cn=ldap...

^D to exit


My ipa domain is "systems.lafayette.edu", so I had to work that into
your search string, but I think I have it.

So, here's some output.

[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
dn:
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayett
  e,dc=edu

So, from your ldapdelete example, would I.

$ ldapdelete -x -D 'cn=Directory Manager' -w
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
^D


Yup, use -W to prompt, or -w  to pass on cli.

Note that this confirms that IPA doesn't think this server is actually 
providing any services.


rob



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 05/02/2013 01:56 PM, Rob Crittenden wrote:
> $ ldapsearch -LLL -x -b 
> cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
> dn
> 
> Then carefully paste each dn, minus the dn:, in REVERSE order, to:
> 
> $ ldapdelete -x -D 'cn=Directory Manager' -w cn=HTTP... cn=ldap...
> 
> ^D to exit

My ipa domain is "systems.lafayette.edu", so I had to work that into
your search string, but I think I have it.

So, here's some output.

[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
dn:
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayett
 e,dc=edu

So, from your ldapdelete example, would I.

$ ldapdelete -x -D 'cn=Directory Manager' -w
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
^D

?
Thanks again!

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGCtLQACgkQsZqG4IN3suk/kgCfV1C+tJC9FjEQPudU1nffqgSJ
/EYAn0pa23SIwgzdaqXqqfO+keS6bt1y
=UF1L
-END PGP SIGNATURE-



Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority

All the certs monitored by Certmonger show the same issuer.

Wasn't getting anything back when running the ipahost script you provided,
ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
$ipahost shows nothing so I just ran the openssl section manually:

openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https
-showcerts < /dev/null

Results:
CONNECTED(0003)
depth=1 O = CTIDATA.NET, CN = Certificate Authority
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Certificate chain
 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
   i:/O=CTIDATA.NET/CN=Certificate Authority
-BEGIN CERTIFICATE-
#
-END CERTIFICATE-
 1 s:/O=CTIDATA.NET/CN=Certificate Authority
   i:/O=CTIDATA.NET/CN=Certificate Authority
-BEGIN CERTIFICATE-

-END CERTIFICATE-
---
Server certificate
subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
issuer=/O=CTIDATA.NET/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1959 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: AES256-SHA
Session-ID: #
Session-ID-ctx:
Master-Key: 
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1367518514
Timeout   : 300 (sec)
Verify return code: 10 (certificate has expired)
---
DONE




On Thu, May 2, 2013 at 12:53 PM, Nalin Dahyabhai  wrote:

> On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
> > Here is the output from the submit:
> >
> >  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
> > Submitting request to "https://ipa01.ctidata.net/ipa/xml";.
> > Fault -504: (libcurl failed to execute the HTTP POST transaction,
> > explaining:  Peer certificate cannot be authenticated with known CA
> > certificates).
> > Server failed request, will retry: -504 (libcurl failed to execute the
> HTTP
> > POST transaction, explaining:  Peer certificate cannot be authenticated
> > with known CA certificates).
> >
> > Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July
> > 6, 2019.
>
> Hmm, so for both cases, you're seeing errors verifying the IPA server's
> certificate.  Can you double-check the certificates and that the
> server's looks like it was issued by the CA?
>
> This should more or less repeat the part of the process that's giving
> libcurl trouble, and show us the certificates, too:
>
> ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
> openssl s_client -CAfile /etc/ipa/ca.crt \
> -connect $ipahost:https -showcerts < /dev/null
>
> Nalin
>

Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 05/02/2013 01:07 PM, Rob Crittenden wrote:

Nathan wrote: ipa-replica-manage does not seem to have a --cleanup
option...  Can you give me more detail about how it's used?


--cleanup was introduced in FreeIPA 3.0.



It sounds like you just have a masters entry left over in
cn=masters,cn=ipa,cn=etc,dc=example,dc=com. If that is the case
then you can simply remove those entries.



You should also check out CLEANRUV at
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (skip past
the CLEANALLRUV part, it probably isn't available if you are
still using IPA 2.2).



[root@caroline2 PROD ~]# rpm -qa ipa-server
ipa-server-2.2.0-17.el6_3.1.x86_64


This is on RHEL 6.3.

Thanks!  I'll look into the doc you mentioned.

How easy is it to check for, and remove the ldap entry you mentioned?
I'm not an ldap admin, but I have some at my disposal if needed.


$ ldapsearch -LLL -x -b 
cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com dn


Then carefully paste each dn, minus the dn:, in REVERSE order, to:

$ ldapdelete -x -D 'cn=Directory Manager' -w
cn=HTTP...
cn=ldap...

^D to exit

rob



Thanks!



rob





On 05/02/2013 12:07 PM, Petr Viktorin wrote:

On 05/02/2013 05:21 PM, Nathan wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even
tried moving the -v around in the command line, to see if
placement mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v del --force caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that it
should not try it?


Looking at the code, it only cleans up the Kerberos info and
host entry, not DNS records or RUV.










- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGCossACgkQsZqG4IN3sunlrwCfVQy+yNXmf7HzBCFGn4drUJia
lHcAn0XdEKth/TGZOLmqTe9SNvxLDwch
=5I0n
-END PGP SIGNATURE-




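Rob's recipe (search the old master's subtree for DNs, then paste them into `ldapdelete` in reverse order) works, but the hand-pasting is where things go wrong: ldapsearch folds long DNs across lines, as the `lafayett` / `e,dc=edu` split later in this thread shows, and a parent deleted before its children fails. The script below is an added example for this thread, not code from the thread or from FreeIPA. It unfolds the LDIF, extracts the DNs, orders them deepest-first, and by default only prints what it would delete; the LDIF sample is constructed with `example.com` names so it runs offline. It assumes POSIX sh, awk, sed and sort, and the OpenLDAP `ldapdelete` options `-W` (prompt for the password) and `-f` (read DNs from a file).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA.
# Assumes POSIX sh, awk, sed, sort and OpenLDAP ldapdelete (-W, -f).

# Unfold LDIF continuation lines and print bare DN values, one per line.
# A line beginning with a single space continues the previous line (RFC 2849).
# $1 = file holding the output of: ldapsearch -LLL -x -b <master dn> dn
ldif_dns() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append without the leading space
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1" | sed -n 's/^dn: //p'
}

# Order DNs deepest-first (more RDN components = deeper) so every child is
# deleted before its parent. Commas are counted as RDN separators; a DN with
# an escaped comma inside a value would need a real DN parser instead.
deepest_first() {
    awk '{ n = gsub(/,/, ","); print n "\t" $0 }' | sort -rn | cut -f2-
}

# Delete a master's leftover entries, deepest-first.
# $1 = ldapsearch output file; $2 = "apply" to really run ldapdelete,
# anything else prints the plan. -W prompts for the Directory Manager
# password instead of leaving it in shell history via -w.
remove_master_entries() {
    dnfile=$(mktemp)
    ldif_dns "$1" | deepest_first >"$dnfile"
    if [ "${2:-}" = apply ]; then
        ldapdelete -x -D 'cn=Directory Manager' -W -f "$dnfile"
    else
        echo "would run: ldapdelete -x -D 'cn=Directory Manager' -W -f $dnfile"
        echo "deleting, in this order:"
        sed 's/^/  /' "$dnfile"
    fi
}

# Constructed sample (not a real capture): a master entry with two service
# children, one of them folded across lines the way ldapsearch prints it.
LDIF_SAMPLE=$(mktemp)
cat >"$LDIF_SAMPLE" <<'EOF'
dn: cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

dn: cn=CA,cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=exampl
 e,dc=com

dn: cn=HTTP,cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

EOF

remove_master_entries "$LDIF_SAMPLE"
```

Run it against the real search output first without `apply`, check that the printed list is exactly the subtree of the dead master and nothing else, and only then re-run with `apply`. As in the thread, a search that returns only the master's own DN and no children means IPA no longer thinks that host provides any service. OpenLDAP's `ldapdelete` also has `-r` for a recursive delete of a subtree, which avoids the ordering step at the cost of deleting everything under the base DN without showing it to you first.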


Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
> Here is the output from the submit:
> 
>  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
> Submitting request to "https://ipa01.ctidata.net/ipa/xml";.
> Fault -504: (libcurl failed to execute the HTTP POST transaction,
> explaining:  Peer certificate cannot be authenticated with known CA
> certificates).
> Server failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  Peer certificate cannot be authenticated
> with known CA certificates).
> 
> Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July
> 6, 2019.

Hmm, so for both cases, you're seeing errors verifying the IPA server's
certificate.  Can you double-check the certificates and that the
server's looks like it was issued by the CA?

This should more or less repeat the part of the process that's giving
libcurl trouble, and show us the certificates, too:

ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
openssl s_client -CAfile /etc/ipa/ca.crt \
-connect $ipahost:https -showcerts < /dev/null

Nalin



Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
Here is the output from the submit:

 /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to "https://ipa01.ctidata.net/ipa/xml";.
Fault -504: (libcurl failed to execute the HTTP POST transaction,
explaining:  Peer certificate cannot be authenticated with known CA
certificates).
Server failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  Peer certificate cannot be authenticated
with known CA certificates).

Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July
6, 2019.


On Thu, May 2, 2013 at 12:30 PM, Nalin Dahyabhai  wrote:

> On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> > Nalin,
> >
> > Thanks for your response.  Running `hostname` does result in
> > ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
> >
> > I ran ` ipa-getcert resubmit -i 20120925200227  -K HTTP/
> > ipa01.ctidata@ctidata.net`
> >
> > and it resulted in this:
> >
> > Request ID '20120615190133':
> > status: CA_UNCONFIGURED
> > ca-error: Error setting up ccache for local "host" service using default
> keytab.
> > stuck: yes
> > key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
> > certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > track: yes
> > auto-renew: yes
>
> Can you retrieve the contents of the request and save it to a temporary
> file, like so:
>   reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
>   awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile >\
>   ~/req.csr
>
> And then try to manually submit it to the server for signing, in the way
> that certmonger would, like so:
>   /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
>
> Hopefully the error output there will give us more information about
> what's going on when the submission helper's failing to set up a ccache.
>
> If it manages to get past that point, I expect it to fail because you
> hopefully don't have a principal named "bogus" defined on the local
> host.  But at that point we'll have gotten past errors creating the
> ccache, and we'll have to find another way to figure out why it failed
> here.
>
> As an aside, we provide better information for this error in the
> "ca-error" note with later versions than you appear to have, so tracking
> down this information won't always be this complicated.
>
> > Request ID '20120925200227':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to
> > execute the HTTP POST transaction, explaining:  Peer certificate cannot
> be
> > authenticated with known CA certificates).
> > stuck: yes
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=CTIDATA.NET
> > subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
> > expires: 2013-03-24 19:56:36 UTC
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
>
> There's an error verifying the server's certificate using the local copy
> of the CA certificate in /etc/ipa/ca.crt.  Is it also expired?
>
> Nalin
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan



On 05/02/2013 01:07 PM, Rob Crittenden wrote:
> Nathan wrote: ipa-replica-manage does not seem to have a --cleanup
> option...  Can you give me more detail about how it's used?
> 
>> --cleanup was introduced in FreeIPA 3.0.
> 
>> It sounds like you just have a masters entry left over in 
>> cn=masters,cn=ipa,cn=etc,dc=example,dc=com. If that is the case
>> then you can simply remove those entries.
> 
>> You should also check out CLEANRUV at 
>> http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (skip past
>> the CLEANALLRUV part, it probably isn't available if you are
>> still using IPA 2.2).
> 
[root@caroline2 PROD ~]# rpm -qa ipa-server
ipa-server-2.2.0-17.el6_3.1.x86_64


This is on RHEL 6.3.

Thanks!  I'll look into the doc you mentioned.

How easy is it to check for, and remove the ldap entry you mentioned?
I'm not an ldap admin, but I have some at my disposal if needed.

Thanks!


>> rob
> 
> 
> 
> 
> On 05/02/2013 12:07 PM, Petr Viktorin wrote:
 On 05/02/2013 05:21 PM, Nathan wrote:
> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
> 
> List still shows caroline1.
> 
> [root@caroline2 PROD ~]# ipa-replica-manage list 
> caroline0.lafayette.edu: master caroline2.lafayette.edu:
> master caroline1.lafayette.edu: master
> 
> 
> -v does not seem to change the output at all. I even
> tried moving the -v around in the command line, to see if
> placement mattered.
> 
> [root@caroline2 PROD ~]# ipa-replica-manage -v  del
> --force caroline1.lafayette.edu 'caroline2.lafayette.edu'
> has no replication agreement for 'caroline1.lafayette.edu' 
> [root@caroline2 PROD ~]# ipa-replica-manage del -v --force 
> caroline1.lafayette.edu 'caroline2.lafayette.edu' has no 
> replication agreement for 'caroline1.lafayette.edu' 
> [root@caroline2 PROD ~]# ipa-replica-manage del --force -v 
> caroline1.lafayette.edu 'caroline2.lafayette.edu' has no 
> replication agreement for 'caroline1.lafayette.edu' 
> [root@caroline2 PROD ~]# ipa-replica-manage list 
> caroline0.lafayette.edu: master caroline2.lafayette.edu:
> master caroline1.lafayette.edu: master
> 
> 
> Is --cleanup destructive?  Is there some reason that it
> should not try it?
 
 Looking at the code, it only cleans up the Kerberos info and
 host entry, not DNS records or RUV.
 
> 
>> 
>> 
> 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042


Re: [Freeipa-users] Expired certs not auto renewed by Certmonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> Nalin,
> 
> Thanks for your response.  Running `hostname` does result in
> ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
> 
> I ran `ipa-getcert resubmit -i 20120925200227 -K HTTP/ipa01.ctidata.net@CTIDATA.NET`
> 
> and it resulted in this:
> 
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default 
> keytab.
> stuck: yes
> key pair storage: 
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> track: yes
> auto-renew: yes

Can you retrieve the contents of the request and save it to a temporary
file, like so:
  reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
  awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile >\
  ~/req.csr

And then try to manually submit it to the server for signing, in the way
that certmonger would, like so:
  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr

Hopefully the error output there will give us more information about
what's going on when the submission helper's failing to set up a ccache.

If it manages to get past that point, I expect it to fail because you
hopefully don't have a principal named "bogus" defined on the local
host.  But at that point we'll have gotten past errors creating the
ccache, and we'll have to find another way to figure out why it failed
here.

As an aside, we provide better information for this error in the
"ca-error" note with later versions than you appear to have, so tracking
down this information won't always be this complicated.

> Request ID '20120925200227':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CTIDATA.NET
> subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
> expires: 2013-03-24 19:56:36 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes

There's an error verifying the server's certificate using the local copy
of the CA certificate in /etc/ipa/ca.crt.  Is it also expired?

Nalin

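A Python version of the extraction Nalin describes above, added here as an example; it is not code from the thread or from certmonger. It assumes the request-file layout the grep/awk one-liner relies on (key=value lines, a multi-line value continued on lines that start with one space), that the files are readable by the caller (they are root-only), and that the IPA helper lives at /usr/libexec/certmonger/ipa-submit as in the message. The sample request file is constructed and its base64 body is filler, not a real CSR.

```python
"""Pull the CSR out of a certmonger request file so it can be handed to the
IPA submission helper by hand.  Added example, not code from the thread or
from certmonger.  Assumed file format (inferred from Nalin's awk): 'key=value'
lines, with a multi-line value continued on lines that begin with one space."""
import re
import sys
from pathlib import Path

REQUESTS_DIR = Path("/var/lib/certmonger/requests")      # root-only directory
IPA_SUBMIT = "/usr/libexec/certmonger/ipa-submit"
PEM_REQUEST = re.compile(
    r"-----BEGIN [^-]*REQUEST-----.*?-----END [^-]*REQUEST-----", re.DOTALL)

# Constructed sample request file; the base64 body is filler, not a real CSR.
SAMPLE_REQUEST = (
    "id=20120615190133\n"
    "key_type=RSA\n"
    "key_gen_size=2048\n"
    "ca_name=IPA\n"
    "csr=-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    " MIIBijCB9AIBADBNMQswCQYDVQQGEwJYWDEUMBIGA1UECgwLQ1RJREFUQS5ORVQx\n"
    " KDAmBgNVBAMMH2lwYTAxLmN0aWRhdGEubmV0IChjb25zdHJ1Y3RlZCk=\n"
    " -----END NEW CERTIFICATE REQUEST-----\n"
    "cert=\n"
)


def parse_request(text):
    """Return the file's fields; a line starting with a space continues the previous value."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key] += "\n" + line[1:]
        elif "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def has_request_id(text, request_id):
    """Same test as grep -l '^id=<request_id>': an exact 'id=' line."""
    return any(line == "id=" + request_id for line in text.splitlines())


def find_request_file(request_id, requests_dir=REQUESTS_DIR):
    """Locate the file certmonger keeps for this 'Request ID'."""
    for path in sorted(requests_dir.iterdir()):
        if path.is_file() and has_request_id(path.read_text(), request_id):
            return path
    return None


def extract_csr(text):
    """The PEM request block from the csr= field, one PEM line per line, no indent."""
    match = PEM_REQUEST.search(parse_request(text).get("csr", ""))
    if match is None:
        raise ValueError("request file has no PEM certificate request in its csr= field")
    return match.group(0) + "\n"


def submit_argv(csr_path, principal):
    """How certmonger runs its IPA helper; a bogus principal such as bogus/<fqdn>
    is enough to see whether the helper can set up its own Kerberos ccache."""
    return [IPA_SUBMIT, "-P", principal, str(csr_path)]


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: extract_csr.py <request-id> <principal>")
    request_id, principal = argv[1], argv[2]
    path = find_request_file(request_id)
    if path is None:
        sys.exit("no request with id %s under %s" % (request_id, REQUESTS_DIR))
    out = Path.home() / "req.csr"
    out.write_text(extract_csr(path.read_text()))
    print("saved", out)
    print("now run:", " ".join(submit_argv(out, principal)))


if __name__ == "__main__":
    main(sys.argv)
```

The script only writes the CSR and prints the helper command; run the helper yourself so its stderr (the ccache error Nalin is after) stays visible.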


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:


ipa-replica-manage does not seem to have a --cleanup option...  Can
you give me more detail about how it's used?


--cleanup was introduced in FreeIPA 3.0.

It sounds like you just have a masters entry left over in 
cn=masters,cn=ipa,cn=etc,dc=example,dc=com. If that is the case then you 
can simply remove those entries.


You should also check out CLEANRUV at 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (skip past the 
CLEANALLRUV part, it probably isn't available if you are still using IPA 
2.2).


rob





On 05/02/2013 12:07 PM, Petr Viktorin wrote:

On 05/02/2013 05:21 PM, Nathan wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even tried
moving the -v around in the command line, to see if placement
mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v  del --force
caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force
caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v
caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that it should
not try it?


Looking at the code, it only cleans up the Kerberos info and host
entry, not DNS records or RUV.



--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042




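Added example (not code from the thread or from FreeIPA) following Rob's suggestion to remove the leftover entry under cn=masters,cn=ipa,cn=etc: it lists the dead master's entry and its sub-entries, orders them leaf-first and emits LDIF deletes for ldapmodify, and refuses both any DN outside that subtree and the local host's own entry. It assumes OpenLDAP client tools on the path, an admin Kerberos ticket (kinit admin) and the suffix given on the command line; the sample search output is constructed, and the service sub-entry names in it (cn=CA, cn=KDC) are an assumption about how IPA names them.

```python
"""Clear a stale master entry out of cn=masters,cn=ipa,cn=etc,<suffix> when
'ipa-replica-manage del --force' reports no agreement and still lists the host.
Added example, not code from the thread or FreeIPA.  Assumptions: OpenLDAP
client tools, an admin Kerberos ticket, the suffix passed on the command line;
the sample listing is constructed and its sub-entry names are an assumption."""
import socket
import subprocess
import sys

MASTERS_CONTAINER = "cn=masters,cn=ipa,cn=etc"

# Constructed output of: ldapsearch -LLL -Y GSSAPI -b <master dn> -s sub dn
SAMPLE_SEARCH = """\
dn: cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

dn: cn=CA,cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

dn: cn=KDC,cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

"""


def master_dn(host, suffix):
    return "cn=%s,%s,%s" % (host, MASTERS_CONTAINER, suffix)


def parse_dns(ldif):
    """DNs from LDIF 'dn:' lines; base64 'dn::' lines are rejected rather than guessed at."""
    dns = []
    for line in ldif.splitlines():
        if line.startswith("dn:: "):
            raise ValueError("base64-encoded DN in output, refusing to guess: " + line)
        if line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def in_scope(dn, scope_dn):
    """True only for scope_dn itself or entries beneath it (case-insensitive)."""
    dn, scope_dn = dn.lower(), scope_dn.lower()
    return dn == scope_dn or dn.endswith("," + scope_dn)


def deletion_order(dns, scope_dn):
    """Leaf entries first so every delete hits a childless entry; refuses anything outside scope."""
    for dn in dns:
        if not in_scope(dn, scope_dn):
            raise ValueError("refusing to delete %s: outside %s" % (dn, scope_dn))
    # RDN count as depth; adequate for IPA's cn=...,cn=... DNs (no escaped commas)
    return sorted(dns, key=lambda dn: dn.count(","), reverse=True)


def delete_ldif(dns):
    return "".join("dn: %s\nchangetype: delete\n\n" % dn for dn in dns)


def ldap(args, stdin=None):
    """Run an OpenLDAP client tool against the local master with a GSSAPI bind."""
    uri = "ldap://" + socket.getfqdn()
    cmd = args[:1] + ["-Y", "GSSAPI", "-H", uri] + args[1:]
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True, check=True).stdout


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: stale_master.py <dead-master-fqdn> <suffix> [--delete]")
    host, suffix = argv[1], argv[2]
    if host == socket.getfqdn():
        sys.exit("refusing to remove this host's own master entry")
    scope = master_dn(host, suffix)
    try:
        dns = parse_dns(ldap(["ldapsearch", "-LLL", "-b", scope, "-s", "sub", "dn"]))
    except subprocess.CalledProcessError as err:      # e.g. noSuchObject: nothing left over
        sys.exit(err.stderr.strip() or "ldapsearch failed")
    ldif = delete_ldif(deletion_order(dns, scope))
    print(ldif, end="")                               # review before --delete
    if "--delete" in argv[3:]:
        ldap(["ldapmodify"], stdin=ldif)
        print("removed %d entries" % len(dns))


if __name__ == "__main__":
    main(sys.argv)
```

Run it once without --delete and read the LDIF it prints; with --delete it feeds that LDIF to ldapmodify. This clears only the masters entry that makes the host show up in ipa-replica-manage list and blocks ipa host-del; the replication RUV for the dead host is the separate CLEANRUV procedure Rob links, and DNS records are not touched either (the same gap Petr notes for --cleanup).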


Re: [Freeipa-users] Expired certs not auto renewed by Certmonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 10:59:11AM -0500, Toasted Penguin wrote:
> Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
> auto-renew.
> 
> ipa-getcert list
> Number of certificates and requests being tracked: 4.
[snip]
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default 
> keytab.
> stuck: yes
> key pair storage: 
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> track: yes
> auto-renew: yes

That error's not expected.  Assuming there aren't any permissions-
related problems (due to SELinux policy or regular filesystem
permissions) preventing the submission helper from reading the keytab,
can you verify that "hostname" prints "ipa01.ctidata.net", and that
"kinit -k host/ipa01.ctidata.net" succeeds?

> Request ID '20120925200227':
> status: GENERATING_CSR
> ca-error: Unable to determine principal name for signing request.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CTIDATA.NET
> subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
> expires: 2013-03-24 19:56:36 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> 
> I verified that the IPA keytab is populated:
> 
> klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ------------------------------------------------
>    2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
>    2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
>    2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
>    2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
>    2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
>    2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
>    4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
>    4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
>    4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
>    4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
>    5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
>    5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
>    5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
>    5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
>    6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
>    6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
>    6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
>    6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
> 
> and ran kvno host/ipa01.ctidata.net to see what the KDC shows for this
> principal:
> host/ipa01.ctidata.net@CTIDATA.NET: kvno = 6
> 
> Not sure what caused the ca_errors but I need to at least manually renew
> the certs and then figure out what went wrong.
> 
> Any advice on what the ca_errors mean and how I can fix the issue?

The "Unable to determine principal name for signing request." stems from
IPA's certificate submission API's requirement that each certificate
request include the associated Kerberos principal name, and certmonger
not knowing what value to send.

I'm guessing that there wasn't one specified with the -K option when
certmonger was told to keep an eye on the certificate, and if there was
already a certificate there, a principal name couldn't be read from it.

Based on where the certificate's being stored, it's probably intended to
be used for the "HTTP" service on the host, so its principal name would
be "HTTP/ipa01.ctidata.net@CTIDATA.NET".  If you run:
ipa-getcert resubmit -i 20120925200227 \
-K HTTP/ipa01.ctidata.net@CTIDATA.NET
that should provide certmonger with the missing information and get
things going again.

HTH,

Nalin

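Added example (not code from the thread, certmonger or FreeIPA) that applies Nalin's reasoning to a whole `ipa-getcert list` run: it parses the listing, picks out requests stuck on "Unable to determine principal name", derives the -K value from where the key pair is stored (HTTP for /etc/httpd/alias, ldap for the dirsrv instance, host for the client's /etc/pki/nssdb), prints the resubmit command, and also flags tracked certificates that have already expired. The realm is passed in by the caller, the location-to-service table and the re-joining of wrapped lines are assumptions, and the sample listing is constructed from the output quoted above.

```python
"""Triage 'ipa-getcert list' output: find requests stuck with 'Unable to
determine principal name', infer the -K principal the way Nalin does (from
where the key lives), print the resubmit command, and flag expired certs.
Added example, not code from the thread, certmonger or FreeIPA.  Assumptions:
the realm is supplied by the caller (it is in /etc/ipa/default.conf), the
location-to-service table below, and 'key: value' lines under each
'Request ID' header with wrapped values re-joined onto one line."""
import re
from datetime import datetime, timezone

KNOWN_KEYS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
              "CA", "issuer", "subject", "expires", "eku", "track", "auto-renew",
              "dns", "principal name", "key usage", "pre-save command",
              "post-save command"}
REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':")
LOCATION = re.compile(r"location='([^']*)'")
SUBJECT_CN = re.compile(r"(?:^|,)CN=([^,]+)")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"
# Assumed mapping: IPA's standard key-pair locations for each service principal.
SERVICE_BY_LOCATION = [
    (re.compile(r"^/etc/httpd/alias$"), "HTTP"),
    (re.compile(r"^/etc/dirsrv/slapd-[^/]+$"), "ldap"),
    (re.compile(r"^/etc/pki/nssdb$"), "host"),
]

# Constructed from the thread's output, with wrapped lines re-joined.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120615190133':
\tstatus: CA_UNCONFIGURED
\tca-error: Error setting up ccache for local "host" service using default keytab.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID '20120925200227':
\tstatus: GENERATING_CSR
\tca-error: Unable to determine principal name for signing request.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=CTIDATA.NET
\tsubject: CN=ipa01.ctidata.net,O=CTIDATA.NET
\texpires: 2013-03-24 19:56:36 UTC
\teku: id-kp-serverAuth
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        header = REQUEST_HEADER.match(raw)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            last_key = None
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in KNOWN_KEYS:
            current[key] = value.strip()
            last_key = key
        elif last_key:                      # wrapped continuation of the previous value
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests


def storage_location(request):
    match = LOCATION.search(request.get("key pair storage", ""))
    return match.group(1) if match else None


def infer_principal(request, realm, fallback_host=None):
    """service/host@REALM from the key's location and the subject CN (or fallback_host)."""
    location = storage_location(request)
    service = next((name for pattern, name in SERVICE_BY_LOCATION
                    if location and pattern.match(location)), None)
    cn = SUBJECT_CN.search(request.get("subject", ""))
    host = cn.group(1) if cn else fallback_host
    if service is None or host is None:
        return None
    return "%s/%s@%s" % (service, host, realm)


def needs_principal(request):
    return "Unable to determine principal name" in request.get("ca-error", "")


def resubmit_commands(requests, realm, fallback_host=None):
    """ipa-getcert resubmit lines for every request certmonger cannot name a principal for."""
    commands = []
    for request in requests:
        if needs_principal(request):
            principal = infer_principal(request, realm, fallback_host)
            if principal:
                commands.append("ipa-getcert resubmit -i %s -K %s" % (request["id"], principal))
    return commands


def expired(requests, now=None):
    """IDs whose 'expires' is at or before now (TIME_FMT string; default: current UTC time)."""
    now_dt = (datetime.strptime(now, TIME_FMT) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    found = []
    for request in requests:
        value = request.get("expires", "")
        if value.endswith(" UTC") and datetime.strptime(value, TIME_FMT) <= now_dt:
            found.append(request["id"])
    return found


if __name__ == "__main__":
    import socket, subprocess, sys
    if len(sys.argv) != 2:
        sys.exit("usage: getcert_triage.py REALM")
    listing = subprocess.run(["ipa-getcert", "list"], capture_output=True,
                             text=True, check=True).stdout
    tracked = parse_getcert_list(listing)
    for command in resubmit_commands(tracked, sys.argv[1], socket.getfqdn()):
        print(command)
    for request_id in expired(tracked):
        print("expired:", request_id)
```

The inferred principal is only a suggestion: confirm it against the service's keytab (klist -kt) before resubmitting, since a wrong -K makes IPA refuse the request rather than issue a certificate for the wrong service.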


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

ipa-replica-manage does not seem to have a --cleanup option...  Can
you give me more detail about how it's used?



On 05/02/2013 12:07 PM, Petr Viktorin wrote:
> On 05/02/2013 05:21 PM, Nathan wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
>> 
>> List still shows caroline1.
>> 
>> [root@caroline2 PROD ~]# ipa-replica-manage list 
>> caroline0.lafayette.edu: master caroline2.lafayette.edu: master 
>> caroline1.lafayette.edu: master
>> 
>> 
>> -v does not seem to change the output at all. I even tried
>> moving the -v around in the command line, to see if placement
>> mattered.
>> 
>> [root@caroline2 PROD ~]# ipa-replica-manage -v  del --force 
>> caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
>> replication agreement for 'caroline1.lafayette.edu' 
>> [root@caroline2 PROD ~]# ipa-replica-manage del -v --force 
>> caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
>> replication agreement for 'caroline1.lafayette.edu' 
>> [root@caroline2 PROD ~]# ipa-replica-manage del --force -v 
>> caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
>> replication agreement for 'caroline1.lafayette.edu' 
>> [root@caroline2 PROD ~]# ipa-replica-manage list 
>> caroline0.lafayette.edu: master caroline2.lafayette.edu: master 
>> caroline1.lafayette.edu: master
>> 
>> 
>> Is --cleanup destructive?  Is there some reason that it should
>> not try it?
> 
> Looking at the code, it only cleans up the Kerberos info and host
> entry, not DNS records or RUV.
> 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Petr Viktorin

On 05/02/2013 05:21 PM, Nathan wrote:


List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even tried moving the
-v around in the command line, to see if placement mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v  del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that it should not try it?


Looking at the code, it only cleans up the Kerberos info and host entry, 
not DNS records or RUV.


--
Petr³



[Freeipa-users] Expired certs not auto renewed by Certmonger

2013-05-02 Thread Toasted Penguin
Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
auto-renew.

ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110706215109':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-08-23 20:20:10 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110706215129':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-08-23 20:30:21 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
Request ID '20120925200227':
status: GENERATING_CSR
ca-error: Unable to determine principal name for signing request.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-03-24 19:56:36 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes

I verified that the IPA keytab is populated:

klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET

and ran kvno host/ipa01.ctidata.net to see what the KDC shows for this
principal:
host/ipa01.ctidata.net@CTIDATA.NET: kvno = 6

Not sure what caused the ca_errors but I need to at least manually renew
the certs and then figure out what went wrong.

Any advice on what the ca_errors mean and how I can fix the issue?

Thanks,
David

Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even tried moving the
-v around in the command line, to see if placement mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v  del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that it should not try it?


On 05/02/2013 10:29 AM, Petr Viktorin wrote:
> On 05/02/2013 04:17 PM, Nathan wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
>> 
>> I'm sorry, I should have mentioned that I've tried that already. 
>> Here's the output.
>> 
>> [root@caroline2 PROD ~]# ipa-replica-manage del --force 
>> caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
>> replication agreement for 'caroline1.lafayette.edu'
>> 
>> Thanks!
> 
> Hmm. The error should be displayed, but the command should continue
> on if there is info about the replica... Try running the command
> with -v to get more info. You can use the --cleanup option as a
> last resort.
> 
> Also, could you check ipa-replica-manage list again, to make sure
> it's still there? Sometimes it's not clear if the command worked.
> 
> 
> 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Petr Viktorin

On 05/02/2013 04:17 PM, Nathan wrote:


I'm sorry, I should have mentioned that I've tried that already.
Here's the output.

[root@caroline2 PROD ~]# ipa-replica-manage del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'

Thanks!


Hmm. The error should be displayed, but the command should continue on 
if there is info about the replica...

Try running the command with -v to get more info.
You can use the --cleanup option as a last resort.

Also, could you check ipa-replica-manage list again, to make sure it's 
still there? Sometimes it's not clear if the command worked.




--
Petr³



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

I'm sorry, I should have mentioned that I've tried that already.
Here's the output.

[root@caroline2 PROD ~]# ipa-replica-manage del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'

Thanks!


On 05/02/2013 10:00 AM, Petr Viktorin wrote:
> Use the --force:
> 
> ipa-replica-manage del --force caroline1.lafayette.edu
> 
> The command tries to sever replication agreements before deleting
> info about the replica. With --force it will ignore the fact that
> there's no agreement and continue on.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Petr Viktorin

On 05/02/2013 03:49 PM, Lager, Nathan T. wrote:

I have an IPA server that i'm rebuilding.  It was part of a 3 server 
replication.  That is, three ipa replicas. Caroline0 through 2.

I have the server rebuilt, the problem is, it wasn't cleanly removed from the 
ipa replication in the first place, so the other two replicas still think it 
exists.  I thought it should be a simple matter of deleting the down replica on 
the other two, but that's not working out.

Yes, I understand that it should have been cleanly uninstalled, and that would 
have avoided this.  Live and learn.

Here's some detail. Caroline1 is the server which is to be rebuilt.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master
[root@caroline2 PROD ~]# ipa-replica-manage del caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa host-del caroline1.lafayette.edu
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

I have tried the same commands from Caroline0, which is the first ipa server i 
built, thinking that maybe it was in some way authoritative in some matters 
because it was the first. Same deal there.

I've tried simply re-adding my rebuilt caroline1, hoping it would replace the 
old, no luck there.

The host caroline1.lafayette.edu already exists on the master server.
You should remove it before proceeding:
 % ipa host-del caroline1.lafayette.edu

I think the key here is to convince the other two ipa servers, that caroline1 
is no longer a master, but I haven't found a way to do that yet.


Use the --force:

ipa-replica-manage del --force caroline1.lafayette.edu

The command tries to sever replication agreements before deleting info 
about the replica. With --force it will ignore the fact that there's no 
agreement and continue on.


--
Petr³



Re: [Freeipa-users] users account functionality

2013-05-02 Thread John Dennis

On 05/02/2013 04:42 AM, Juan Armario wrote:

Hi,

I'm Juan and I'm building a freeipa application, and I need to know if it is
possible to integrate a module, or if one is already developed, with the typical
functionality wanted from an authentication service for our users, like
remember password, create users and send an email for confirmation, or
send an account delete request.

We have installed the basic freeipa and we need to incorporate this
functionality.

Does this exist, or do I have to implement it?


It's a little hard to understand exactly what you're looking to 
accomplish, for instance what does "remember password" mean?


It doesn't sound like what you're looking for requires adding a plugin 
module, rather you're looking to add a front-end to IPA which is easy to 
do with scripts. IPA is quite amenable to scripting because we provide a 
command line interface. You can either call the ipa command from a shell 
script or you can write your own Python scripts and invoke the IPA API 
directly. Be careful though, the type of operations you've described all 
require administrator privileges, it's not something a general user can do.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

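Added example (not code from the thread or from FreeIPA) of the front-end John describes, written around the point he ends on: the script holds administrator-level rights, so it exposes only an allow-listed set of IPA commands and validates every field before anything reaches the API. It assumes python-ipalib is installed on the host, a Kerberos ticket for a dedicated service account that holds just the user-management role rather than admin's credentials, and the command names user_add, user_del and passwd as IPA defines them; the validation rules are this example's policy, not IPA's.

```python
"""Skeleton of the privileged front-end John describes: it holds IPA
admin-level rights, so the web side must never choose which IPA command runs
or pass input through unvalidated.  Added example, not code from the thread or
FreeIPA.  Assumptions: python-ipalib on the host, a Kerberos ticket for a
dedicated service account holding only the needed role, and IPA's command
names user_add, user_del and passwd; the validation rules are this example's."""
import re

ALLOWED_COMMANDS = {"user_add", "user_del", "passwd"}   # the only calls reachable from the web side
RESERVED_UIDS = {"admin", "root"}
UID_RE = re.compile(r"^[a-z][a-z0-9_.-]{1,31}$")
NAME_RE = re.compile(r'^[^\x00-\x1f,=+<>#;\\"]{1,64}$')   # no DN/LDAP metacharacters
MAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def valid_uid(uid):
    return bool(UID_RE.match(uid)) and uid not in RESERVED_UIDS


def valid_name(name):
    return bool(NAME_RE.match(name))


def valid_mail(mail):
    return bool(MAIL_RE.match(mail))


def is_allowed(command):
    return command in ALLOWED_COMMANDS


def plan_user_add(uid, givenname, sn, mail):
    """(command, args, options) for a registration, or ValueError; nothing reaches IPA unvalidated."""
    if not valid_uid(uid):
        raise ValueError("invalid login name")
    if not (valid_name(givenname) and valid_name(sn)):
        raise ValueError("invalid name")
    if not valid_mail(mail):
        raise ValueError("invalid e-mail address")
    return ("user_add", (uid,), {"givenname": givenname, "sn": sn, "mail": mail})


def plan_user_del(uid):
    if not valid_uid(uid):
        raise ValueError("invalid login name")
    return ("user_del", (uid,), {})


def plan_passwd(uid, new_password):
    """Admin-set password; IPA marks it expired, so the user must change it at first login."""
    if not valid_uid(uid):
        raise ValueError("invalid login name")
    if len(new_password) < 12:
        raise ValueError("password too short")
    return ("passwd", (uid, new_password), {})


def execute(plan):
    """Run a plan through ipalib (imported lazily so planning stays testable offline)."""
    command, args, options = plan
    if not is_allowed(command):
        raise PermissionError("command not exposed by this front-end: " + command)
    from ipalib import api
    if not api.isdone("finalize"):
        api.bootstrap(context="cli")
        api.finalize()
    # the RPC backend was called xmlclient in older releases and rpcclient later
    backend = getattr(api.Backend, "rpcclient", None) or api.Backend.xmlclient
    if not backend.isconnected():
        backend.connect()
    return api.Command[command](*args, **options)
```

Keep the credentials the front-end runs with as narrow as IPA's RBAC allows (a role limited to user management, obtained from a keytab rather than a stored admin password), and log every executed plan together with the requesting user, since each call is made with the service's privileges, not the visitor's.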


[Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Lager, Nathan T.
I have an IPA server that i'm rebuilding.  It was part of a 3 server 
replication.  That is, three ipa replicas. Caroline0 through 2.  

I have the server rebuilt, the problem is, it wasn't cleanly removed from the 
ipa replication in the first place, so the other two replicas still think it 
exists.  I thought it should be a simple matter of deleting the down replica on 
the other two, but that's not working out. 

Yes, I understand that it should have been cleanly uninstalled, and that would 
have avoided this.  Live and learn. 

Here's some detail. Caroline1 is the server which is to be rebuilt. 

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master
[root@caroline2 PROD ~]# ipa-replica-manage del caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa host-del caroline1.lafayette.edu
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

I have tried the same commands from Caroline0, which is the first ipa server i 
built, thinking that maybe it was in some way authoritative in some matters 
because it was the first. Same deal there. 

I've tried simply re-adding my rebuilt caroline1, hoping it would replace the 
old, no luck there.  

The host caroline1.lafayette.edu already exists on the master server.
You should remove it before proceeding:
% ipa host-del caroline1.lafayette.edu

I think the key here is to convince the other two ipa servers, that caroline1 
is no longer a master, but I haven't found a way to do that yet. 


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042




[Freeipa-users] users account functionality

2013-05-02 Thread Juan Armario

Hi,

I'm Juan and I'm building a freeipa application, and I need to know if it is 
possible to integrate a module, or if one is already developed, with the typical 
functionality wanted from an authentication service for our users, like 
remember password, create users and send an email for confirmation, or 
send an account delete request.


We have installed the basic freeipa and we need to incorporate this 
functionality.


Does this exist, or do I have to implement it?

Thanks so much!

--
Juan Armario Muñoz
Departamento de Aplicaciones
Centro Informático Científico de Andalucía
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Avenida de la Reina Mercedes s/n
41012 - Sevilla (España)
Teléfono: (+34) 955.056.600
Email: juan.arma...@cica.es



Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Axel Berlin
Nothing comes up in the logs when I do it on the client.

Got any other tips?


2013/5/2 Jakub Hrozek 

> On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
> > On the client it dont return anything but on the server is returns
> following
> >
> > kinit: Keytab contains no suitable keys for
> > host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET while getting initial
> > credentials
> >
> > But it is on the client that I should run it? The server doesn't have the
> > 237-100 krb5.keytab file
> >
>
> Yes, on the client.
>

Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
> On the client it doesn't return anything, but on the server it returns the following:
> 
> kinit: Keytab contains no suitable keys for
> host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET while getting initial credentials
> 
> But it is on the client that I should run it? The server doesn't have the
> 237-100 krb5.keytab file
> 

Yes, on the client.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Axel Berlin
On the client it doesn't return anything but on the server it returns the
following

kinit: Keytab contains no suitable keys for
host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials

But it is on the client that I should run it? The server doesn't have the
237-100 krb5.keytab file


2013/5/2 Jakub Hrozek 

> On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
> > Here is the logs output when I do
> >
> > id username
> >
> > sssd_d1.gameop.net.log
> >
> > (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send]
> (4):
> > Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
> > (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send]
> (1):
> > ldap_sasl_bind failed (-2)[Local error]
> > (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler]
> > (7): Waiting for child [20277].
>
> I think here is the problem. "Local error" is not very descriptive, but
> the issue is most probably in the keytab.
>
> Does the following work:
> kinit -k host/seadv-237-100.d1.gameop.net
>
> I bet it would print the same error message.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
> Here is the logs output when I do
> 
> id username
> 
> sssd_d1.gameop.net.log
> 
> (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4):
> Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
> (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (1):
> ldap_sasl_bind failed (-2)[Local error]
> (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler]
> (7): Waiting for child [20277].

I think here is the problem. "Local error" is not very descriptive, but
the issue is most probably in the keytab.

Does the following work:
kinit -k host/seadv-237-100.d1.gameop.net

I bet it would print the same error message.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
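One way to run the keytab check Jakub suggests, as an added example that is not part of this thread and not FreeIPA or SSSD code. A GSSAPI bind "Local error" from SSSD usually means the client could not get a ticket from its own keytab, so the first thing to confirm is that the keytab actually holds the exact principal SSSD binds with (host/<fqdn>@<REALM>, as shown in the sssd log line above) before running kinit -k. The realm D1.GAMEOP.NET and the keytab path /etc/krb5.keytab are assumptions (neither appears in the messages), and the klist -kt output embedded at the bottom is constructed for offline use. Note that the kinit error Axel pasted and the SSSD log line spell the principal differently; that kind of mismatch is what this check surfaces.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/SSSD.
# Assumptions: realm D1.GAMEOP.NET (not stated in the thread), keytab at
# /etc/krb5.keytab, and `klist -kt` rows of the form "KVNO Timestamp Principal".

# keytab_has_principal <klist -kt output> <principal>
# Returns 0 if some row's last field is exactly the principal, 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvnos <klist -kt output> <principal>
# Prints the distinct KVNOs stored for the principal, space separated.
# A KVNO that no longer matches the KDC also yields "no suitable keys".
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { print $1 }' \
        | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# host_principal <fqdn> <REALM>  ->  host/<fqdn>@<REALM>
host_principal() {
    printf 'host/%s@%s' "$1" "$2"
}

# Live check, meant to be run on the client (as root, so the keytab is readable).
check_live() {
    realm=${1:-D1.GAMEOP.NET}
    fqdn=$(hostname -f 2>/dev/null || hostname)
    princ=$(host_principal "$fqdn" "$realm")
    if [ ! -r /etc/krb5.keytab ]; then
        echo "no readable /etc/krb5.keytab (run as root?)"
        return 2
    fi
    out=$(klist -kt /etc/krb5.keytab 2>&1) || { echo "$out"; return 2; }
    if keytab_has_principal "$out" "$princ"; then
        echo "keytab holds $princ (KVNO $(keytab_kvnos "$out" "$princ")); trying kinit -k"
        kinit -k -t /etc/krb5.keytab "$princ"
    else
        echo "keytab lacks $princ; check hostname -f and re-enroll (ipa-getkeytab / ipa-client-install)"
        return 1
    fi
}

# Constructed sample of `klist -kt` output for offline use.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/02/2013 10:30:00 host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET
   2 05/02/2013 10:30:00 host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET
   3 05/02/2013 10:35:00 host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET'

# Run the live check only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-D1.GAMEOP.NET}"
fi
```

Run it as `sh keytab-check.sh --live D1.GAMEOP.NET` on the client; a "lacks" result means the keytab and `hostname -f` disagree, which ipa-client-install or ipa-getkeytab fixes, while a "holds" result followed by a failing kinit points at KVNO or enctype mismatch with the KDC rather than a missing entry.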


Re: [Freeipa-users] FreeIPA dual stacked

2013-05-02 Thread Arturo Borrero

On 15/04/13 17:45, Adam Bishop wrote:

Hi,

I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump.

   The server hostname resolves to more than one address:
 :::::4
 xxx.xxx.xxx.180
   Please provide the IP address to be used for this host name:

The answer I would like to give here is both - is this a limitation of the 
installation script that I can fix up later, or is FreeIPA incompatible with 
dual-stacked hosts at the moment?


Hi there!

We have a full dual stacked network.
I installed the FreeIPA server only with IPv4 and then switched to dual 
stack, updating the DNS and the local server networking config to handle 
the new IPv6.

And all is working fine.

This with: ipa-server 3.0.0-26.el6_4.2 (x86_64)

Regards.

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users