[Freeipa-users] ipa-replica-install command failed, exception: NotFound: ldap service not found

2017-09-11 Thread shahriar52--- via FreeIPA-users
Trying to create a replica server with ipa-replica-install, but it breaks 
during installation while restarting the directory service, saying that the LDAP 
service is not found. But I can see the LDAP server is running.

I have created around 3 replicas using the same procedure about 4 months ago, 
but now it is failing. I cannot find any obvious reason for this issue.
All the machines are on CentOS 7.x.

Master ipa package versions:
ipa-common-4.4.0-14.el7.centos.6.noarch
ipa-client-common-4.4.0-14.el7.centos.6.noarch
ipa-server-dns-4.4.0-14.el7.centos.6.noarch
ipa-admintools-4.4.0-14.el7.centos.6.noarch
ipa-server-4.4.0-14.el7.centos.6.x86_64

Also tried after updating the above to el7.centos.7 packages.

Replica ipa package versions:
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-server-dns-4.4.0-14.el7.centos.7.noarch

Actual results:
[root@auth03-esy1 ~]# ipa-replica-install --principal admin --admin-password 
 --server=auth02-esy1.srv.symbionetworks.com 
--domain=auth.mnfgroup.limited --setup-ca
Configuring client side components
Client hostname: auth03-esy1.srv.symbionetworks.com
Realm: AUTH.MNFGROUP.LIMITED
DNS Domain: auth.mnfgroup.limited
IPA Server: auth02-esy1.srv.symbionetworks.com
BaseDN: dc=auth,dc=mnfgroup,dc=limited

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=AUTH.MNFGROUP.LIMITED
Issuer:  CN=Certificate Authority,O=AUTH.MNFGROUP.LIMITED
Valid From:  Wed Mar 15 01:04:16 2017 UTC
Valid Until: Sun Mar 15 01:04:16 2037 UTC

Enrolled in IPA realm AUTH.MNFGROUP.LIMITED
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm AUTH.MNFGROUP.LIMITED
trying https://auth02-esy1.srv.symbionetworks.com/ipa/json
Forwarding 'ping' to json server 
'https://auth02-esy1.srv.symbionetworks.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 
'https://auth02-esy1.srv.symbionetworks.com/ipa/json'
Systemwide CA database updated.
Hostname (auth03-esy1.srv.symbionetworks.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host auth03-esy1.srv.symbionetworks.com: 10.53.1.3.
Missing reverse record(s) for address(es): 10.53.1.3.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server 
'https://auth02-esy1.srv.symbionetworks.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring auth.mnfgroup.limited as NIS domain.
Client configuration complete.

WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

ipa : ERROR    Could not resolve hostname 
auth02-esy1.srv.symbionetworks.com using DNS. Clients may not function 
properly. Please check your DNS setup. (Note that this check queries IPA DNS 
directly and ignores /etc/hosts.)
Continue? [no]: yes
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [error] NotFound: 
ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not found
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR
ldap/auth03-esy1.srv.symbionetworks.com@AUTH.MNFGROUP.LIMITED: service not 

[Freeipa-users] Re: Changing CA certificate subject name post-install

2017-09-11 Thread Rob Crittenden via FreeIPA-users
Rob Foehl via FreeIPA-users wrote:
> Noting that it's now possible to modify the CA certificate subject name
> at install time in 4.5 and 4.6, is there any provision for doing so
> after an upgrade to one of those releases with a cert that originated in
> a 4.4 instance?  Possibly involving renewal of the (externally signed)
> CA cert, if necessary?

I'm not authoritative on this but I don't think so.

Using an external CA would probably be the only way this would work, but
even then I have my doubts. Some other things would also need to change,
like the LDAP certificate profile(s); existing certs would probably need
to be re-issued (I'm particularly fuzzy on this part b/c while the
issuers wouldn't match, the CA private key would) and maybe some other
corner cases.

It would be an interesting exercise if you wanted to give it a go on
some test system(s).

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Restoring DNS Grants

2017-09-11 Thread Rob Crittenden via FreeIPA-users
None via FreeIPA-users wrote:
> Hello,
> 
> I have two questions:
> 
> 1. How can the default DNS grants be restored, or fixed, without
>knowing what they were?
> 2. Where can I get information about grants? I can't seem to find where
>they're documented.
> 
> I was trying to get DDNS updates to work from DHCP server, and the
> documentation doesn't mention executing 'ipa dnszone-mod example.com.
> --update-policy="grant rndc-key wildcard * ANY;"' will overwrite the
> current grants breaking the DNS portion of ipa-client-install.
> 
> Environment:
> 
>  * Fedora 26
>  * FreeIPA 4.4.4 from Fedora repos
>  * ISC DHCP server 4.3.5 from Fedora repos

This will reset it:

$ ipa dnszone-mod example.com. --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dynamic-dns-updates.html#dns-policies

rob
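As an added example (not from the thread and not FreeIPA's own code), a small checker for a zone's BIND-style update policy, the string you would take from the zone's update policy as shown by `ipa dnszone-show` and pass back with `--update-policy`. It parses the grant statements, reports which of the three krb5-self grants that ipa-client-install relies on are missing, flags a rule as broad as `grant rndc-key wildcard * ANY`, and builds a merged policy that keeps the defaults while adding the DHCP server's key instead of replacing them. The sample policies are constructed inline.

```python
import re
from dataclasses import dataclass

# RR types covered by the krb5-self grants FreeIPA installs by default, one
# grant per type (the default policy quoted in the reply above).
DEFAULT_TYPES = ("A", "AAAA", "SSHFP")


@dataclass(frozen=True)
class Grant:
    action: str    # "grant" or "deny"
    identity: str  # TSIG key name or Kerberos realm, e.g. "rndc-key" / "EXAMPLE.COM"
    ruletype: str  # BIND rule type: "krb5-self", "wildcard", "name", ...
    name: str      # "*" or the domain name the rule is restricted to
    types: tuple   # RR types the rule allows; () stands for ANY


_RULE = re.compile(r"^(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_policy(policy: str) -> list:
    """Split a BIND update-policy string into Grant records."""
    grants = []
    for stmt in policy.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = _RULE.match(stmt)
        if not m:
            raise ValueError(f"unparsable update-policy statement: {stmt!r}")
        action, identity, ruletype, name, types = m.groups()
        typeset = tuple(t.upper() for t in types.split() if t.upper() != "ANY")
        grants.append(Grant(action, identity, ruletype, name, typeset))
    return grants


def format_policy(grants) -> str:
    """Render Grant records back into the string ipa dnszone-mod accepts."""
    return " ".join(
        f"{g.action} {g.identity} {g.ruletype} {g.name} {' '.join(g.types) or 'ANY'};"
        for g in grants)


def default_policy(realm: str) -> str:
    """The grants ipa-client-install relies on for a zone of this realm."""
    return format_policy(Grant("grant", realm, "krb5-self", "*", (t,)) for t in DEFAULT_TYPES)


def missing_defaults(policy: str, realm: str) -> list:
    """RR types for which the realm's krb5-self grant is absent."""
    covered = set()
    for g in parse_policy(policy):
        if (g.action, g.identity, g.ruletype, g.name) == ("grant", realm, "krb5-self", "*"):
            covered.update(g.types or DEFAULT_TYPES)
    return [t for t in DEFAULT_TYPES if t not in covered]


def broad_grants(policy: str) -> list:
    """Grants that let a single key update any name with any record type."""
    return [g for g in parse_policy(policy)
            if g.action == "grant" and g.ruletype == "wildcard"
            and g.name == "*" and not g.types]


def merged_policy(current: str, realm: str, extra: str = "") -> str:
    """Defaults first, then what is already set, then the new grant; duplicates
    are dropped so the resulting dnszone-mod can be repeated safely."""
    out = []
    for g in parse_policy(default_policy(realm)) + parse_policy(current) + parse_policy(extra):
        if g not in out:
            out.append(g)
    return format_policy(out)


if __name__ == "__main__":
    # Constructed: the zone as it looked after the dnszone-mod in the question,
    # which replaced the defaults with only the DHCP server's key.
    current = "grant rndc-key wildcard * ANY;"
    print("missing defaults:", missing_defaults(current, "EXAMPLE.COM"))
    print("broad grants:", broad_grants(current))
    print("repaired policy:", merged_policy(current, "EXAMPLE.COM"))
```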


[Freeipa-users] Re: Nginx in front of IPA?

2017-09-11 Thread Alston, David via FreeIPA-users
Greetings!

 Password changes will use Kerberos port 464.  Is Nginx forwarding port 464 
to whatever domain controllers are managing the users who want to change their 
password?

--David Alston



[Freeipa-users] Restoring DNS Grants

2017-09-11 Thread None via FreeIPA-users

Hello,

I have two questions:

1. How can the default DNS grants be restored, or fixed, without
   knowing what they were?
2. Where can I get information about grants? I can't seem to find where
   they're documented.

I was trying to get DDNS updates to work from DHCP server, and the 
documentation doesn't mention executing 'ipa dnszone-mod example.com. 
--update-policy="grant rndc-key wildcard * ANY;"' will overwrite the 
current grants breaking the DNS portion of ipa-client-install.


Environment:

 * Fedora 26
 * FreeIPA 4.4.4 from Fedora repos
 * ISC DHCP server 4.3.5 from Fedora repos

Ryan


[Freeipa-users] Nginx in front of IPA?

2017-09-11 Thread doug.kelly--- via FreeIPA-users
Hi,

We have an "interesting" set up here and ultimately it means that some of our 
users are on a network that can't access the domain that the IPA servers are on 
so can't reset their passwords. However, they do have access to a domain that 
we can proxy requests through to get to IPA.

Through googling a bit I saw people mention changing 'xmlrpc_uri' in 
/etc/ipa/default.conf along with some proxy settings for nginx but couldn't 
really see anything "official".

Has anyone successfully put nginx in front of a cluster of IPA servers? Is 
there any documentation to detail the steps involved?

Thanks,

Doug



[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-11 Thread Florence Blanc-Renaud via FreeIPA-users


[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-11 Thread Winfried de Heiden via FreeIPA-users

CS.cfg was modified so pki-tomcat can login using a password and non-secure LDAP. At least it is working now:

< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
> internaldb.ldapconn.port=636
> internaldb.ldapconn.secureConn=true

Reversed to the old config, stop/started ipa, debug shows pki-tomcatd cannot login:

[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.blabla.bla port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)

Winfried

On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
> Winfried de Heiden via FreeIPA-users wrote:
>> Hi All,
>>
>> Somewhere after an update (I guess) I have issues;
>> pki-tomcatd@pki-tomcat.service will not start since it cannot login to
>> LDAP. It seems I have some certificate issues:
>>
>> getcert list shows:
>>
>> Request ID '20170129002017':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://ipa.example.com/ipa/xml failed request,
>> will retry: 4035 (RPC failed at server.  Request failed with status 500:
>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>> subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>> expires: 2017-09-27 17:26:00 CEST
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
>> track: yes
>> auto-renew: yes
>> Request ID '20170129002024':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://ipa.example.com/ipa/xml failed request,
>> will retry: 4035 (RPC failed at server.  Request failed with status 500:
>> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>> subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>> expires: 2017-09-27 17:41:26 CEST
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
>> How to fix this. Something seems wrong with the DIRSRV certificate and
>> http:(
>
> What did you modify?
>
>> How to fix? What could have caused this issue?
>
> This is likely not a problem with the certificates but with the
> certificate profiles. The dogtag debug log may have more information.
>
> rob

[Freeipa-users] Re: Missing CSNs after upgrade

2017-09-11 Thread Ludwig Krispenz via FreeIPA-users
Would be nice to include the problem description again, but if you are 
referring to:


[26/Aug/2017:21:39:32.891818412 +] NSMMReplicationPlugin - changelog 
program - agmt="cn=meTo**.com" (**:389): CSN 
597276fb0005000a not found, we aren't as up to date, or we purged
[26/Aug/2017:21:39:32.893279073 +] NSMMReplicationPlugin - 
agmt="cn=meTo**.com" (**:389): Data required to update replica 
has been purged from the changelog. The replica must be reinitialized.


there is no magic command to resolve it.
In a replication session the supplier compares its own RUV with that of 
the consumer and for each replicaid in the RUV decides if there are 
changes to send and what the starting point to send changes is, and the 
minimal starting csn is used to position a cursor in the changelog.
If this change is not found you get an error like the one reported. The 
message is from Aug 26th and the missing csn is from Jul 21st, so it 
could very likely be that the csn was purged or the changelog recreated 
in between. Maybe the replica with replicaid "000a" == 10 was 
removed/recreated or ...


Now, why do you see these messages now? In previous 389-ds releases, if 
a csn could not be found it silently chose another starting csn, or if that 
failed stopped replication. Now we handle the missing csn as a transient 
error: the missing changes could be sent to the consumer by another 
server and the starting csn would move and could eventually be found.


What to do: investigate the RUVs of the servers, check what the 
status of replica 10 is; eventually a cleanallruv for this replica would 
resolve the problem. If 10 is still a valid replica ID, probably servers 
have to be reinitialized.


There is also a possibility to enforce the previous behaviour and pick 
another starting csn; add the following to the replication agreement that 
is failing:

replace: nsds5ReplicaIgnoreMissingChange
nsds5ReplicaIgnoreMissingChange: once



On 09/09/2017 06:58 AM, John Jeffers via FreeIPA-users wrote:
Reaching out one more time to see if anyone has any suggestions on my 
missing CSN problem. Thank you!!





--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander

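As an added illustration of the supplier-side logic described in the reply above (a simplified model written for this page, not 389-ds code), this decodes 389-ds CSNs and walks the RUV comparison: for each replica id the supplier resumes from the consumer's max CSN, the smallest of those starting points positions the changelog cursor, and if that CSN is no longer in the changelog the session fails with the message from the log. The RUVs and changelog are constructed; the 20-digit CSN reuses the timestamp and replica id 000a from the quoted log with a zero sub-sequence number, and `cleanallruv`/`ignore_missing` only model the two remedies the reply mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True, order=True)
class CSN:
    """A 389-ds change sequence number: 8 hex digits of Unix time, then a
    4-digit sequence number, 4-digit replica id and 4-digit sub-sequence.
    Field order gives the same ordering 389-ds uses to compare CSNs."""
    ts: int
    seq: int
    rid: int
    subseq: int

    @classmethod
    def parse(cls, text: str) -> "CSN":
        if len(text) != 20:
            raise ValueError(f"CSN must be 20 hex digits: {text!r}")
        return cls(int(text[0:8], 16), int(text[8:12], 16),
                   int(text[12:16], 16), int(text[16:20], 16))

    def __str__(self) -> str:
        return f"{self.ts:08x}{self.seq:04x}{self.rid:04x}{self.subseq:04x}"

    def when(self) -> datetime:
        return datetime.fromtimestamp(self.ts, tz=timezone.utc)


def starting_csns(supplier_ruv: dict, consumer_ruv: dict) -> dict:
    """For every replica id in the supplier's RUV decide whether the consumer
    lags and, if so, from which CSN to resume.
    supplier_ruv: rid -> (min_csn, max_csn); consumer_ruv: rid -> max_csn."""
    starts = {}
    for rid, (sup_min, sup_max) in supplier_ruv.items():
        con_max = consumer_ruv.get(rid)
        if con_max is None:
            starts[rid] = sup_min       # consumer has never seen this replica
        elif sup_max > con_max:
            starts[rid] = con_max       # resume right after what it already has
    return starts


def position_cursor(starts: dict, changelog: set, ignore_missing: bool = False):
    """The minimal starting CSN positions the changelog cursor. Returns
    (anchor, message); anchor is None when the session cannot proceed.
    ignore_missing models nsds5ReplicaIgnoreMissingChange: skip ahead to the
    next CSN the changelog still has instead of failing."""
    if not starts:
        return None, "consumer is up to date, nothing to send"
    anchor = min(starts.values())
    if anchor in changelog:
        return anchor, "ok"
    if ignore_missing:
        later = sorted(c for c in changelog if c > anchor)
        if later:
            return later[0], f"CSN {anchor} missing, resuming at {later[0]}"
    return None, (f"CSN {anchor} not found, we aren't as up to date, or we purged; "
                  f"replica {anchor.rid} changes from {anchor.when():%Y-%m-%d} are gone")


def cleanallruv(ruv: dict, rid: int) -> dict:
    """Model of cleanallruv: drop a retired replica id from a RUV."""
    return {r: v for r, v in ruv.items() if r != rid}


if __name__ == "__main__":
    # Constructed scenario: the Jul 21 change from replica 10 was purged from
    # the supplier's changelog, but the consumer's RUV still points at it.
    jul21 = CSN.parse("597276fb0005000a0000")
    aug_r10 = CSN(0x59a0c000, 1, 10, 0)
    old_r7, new_r7 = CSN(0x59900000, 1, 7, 0), CSN(0x59a0c100, 2, 7, 0)
    supplier = {10: (jul21, aug_r10), 7: (old_r7, new_r7)}
    consumer = {10: jul21, 7: old_r7}
    changelog = {aug_r10, old_r7, new_r7}
    print(f"replica {jul21.rid} CSN {jul21} from {jul21.when():%Y-%m-%d}")
    print(position_cursor(starting_csns(supplier, consumer), changelog))
    print(position_cursor(starting_csns(cleanallruv(supplier, 10),
                                        cleanallruv(consumer, 10)), changelog))
```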


[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-11 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote:
> Hi All,
> 
> Somewhere after an update (I guess) I have issues;
> pki-tomcatd@pki-tomcat.service will not start since it cannot login to
> LDAP. It seems I have some certificate issues:
> 
> getcert list shows:
> 
> Request ID '20170129002017':
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.example.com/ipa/xml failed request,
> will retry: 4035 (RPC failed at server.  Request failed with status 500:
> Non-2xx response from CA REST API: 500. Policy Set Not Found).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
> subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
> expires: 2017-09-27 17:26:00 CEST
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
> track: yes
> auto-renew: yes
> Request ID '20170129002024':
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.example.com/ipa/xml failed request,
> will retry: 4035 (RPC failed at server.  Request failed with status 500:
> Non-2xx response from CA REST API: 500. Policy Set Not Found).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
> subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
> expires: 2017-09-27 17:41:26 CEST
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
> (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
> How to fix this. Something seems wrong with the DIRSRV certificate and
> http:(

What did you modify?

> How to fix? What could have caused this issue?

This is likely not a problem with the certificates but with the
certificate profiles. The dogtag debug log may have more information.

rob


[Freeipa-users] Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-11 Thread Winfried de Heiden via FreeIPA-users

Hi All,

Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot login to LDAP. It seems I have some certificate issues:

getcert list shows:

Request ID '20170129002017':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
    subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
    expires: 2017-09-27 17:26:00 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
    track: yes
    auto-renew: yes
Request ID '20170129002024':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
    subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
    expires: 2017-09-27 17:41:26 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

(I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
How to fix this. Something seems wrong with the DIRSRV certificate and http:(

How to fix? What could have caused this issue?

Winfried



[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Lukas Slebodnik via FreeIPA-users
On (11/09/17 07:42), Igor Sever via FreeIPA-users wrote:
>Can I use FreeIPA as Kerberos and LDAP provider (not as IPA) and still use 
>policies somehow?

Yes you can, but sssd-1.11.5.1 was quite broken and contained many bugs.
1.11.8 should be much better but from sssd upstream POV 1.13 is long term
maintenance branch. Older branches are not supported by upstream anymore.

LS


[Freeipa-users] Re: Missing CSNs after upgrade

2017-09-11 Thread John Jeffers via FreeIPA-users
Reaching out one more time to see if anyone has any suggestions on my
missing CSN problem. Thank you!!


[Freeipa-users] Clients cant login in - cant access home mounted via autofs

2017-09-11 Thread Tobi Berninger via FreeIPA-users
Hello,

I have a FreeIPA server running and 10 clients. Every client is a copy
from a PC. And everybody works just perfectly except the original PC where
I tested and installed the system at the beginning. I already copied the
system over with the one that I used on every client around here, but after
one week it already shows errors again.

Now the problem is that I can't log in with any account. When logging in
over the greeter (lightdm) it just turns to a black screen shortly and then
switches back. When you try to log in over tty, you will get the following
error:

/net/laufer/user: change directory failed: no such file or directory

I ran into this error before and normally it was connected to autofs not
running. But autofs is running and prints out the following errors:

dev_ioctl_send_fail: token = 76
handle_packet: type= 3
handle_packet_missing_indirect: token 77, name user, request pid 3085
dev_ioctl_send_fail: token = 77
handle_packet: type = 3
handle_packet_missing_indirect. toke 78, name user, request pid 3085
dev_ioctl_send_fail: toke 78
handle:packet: type = 3
handle_packet_missing_indirect: toke 79, name user, request pid 3085
dev_ioctl_send_fail: toke = 79

Any ideas?

Thank you very much,
greetings, Tobi


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Igor Sever via FreeIPA-users
Can I use FreeIPA as Kerberos and LDAP provider (not as IPA) and still use 
policies somehow?


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Igor Sever via FreeIPA-users
sssd-krb5-common-1.11.5.1-14.1.x86_64
sssd-32bit-1.11.5.1-28.1.x86_64
sssd-ad-1.11.5.1-14.1.x86_64
sssd-ipa-1.11.5.1-14.1.x86_64
python-sssd-config-1.11.5.1-14.1.x86_64
sssd-1.11.5.1-14.1.x86_64
sssd-tools-1.11.5.1-14.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
sssd-ldap-1.11.5.1-14.1.x86_64
ipa-client:~ # rpm -qa | grep krb5
sssd-krb5-common-1.11.5.1-14.1.x86_64
krb5-plugin-preauth-pkinit-1.12.1-19.1.x86_64
libndr-krb5pac0-4.2.4-28.3.1.x86_64
krb5-1.12.1-36.4.x86_64
libndr-krb5pac0-32bit-4.2.4-28.3.1.x86_64
krb5-client-1.12.1-19.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
krb5-32bit-1.12.1-36.4.x86_64

On the SUSE site there is no info about integration with FreeIPA. They are 
mostly focused on LDAP authentication. No mention of sssd_pac existing in their 
sssd packages. I think I am out of luck with this.