[Freeipa-users] Duplicate Certificate on master.

2017-09-28 Thread Bhavin Vaidya via FreeIPA-users
Hello,

On our master FreeIPA I see multiple (duplicate) entries for 
certificates with different NSS databases.
Some are from /var/lib/pki/pki-tomcat/alias instead of 
/etc/pki/pki-tomcat/alias. As I inherited the setup and was new to FreeIPA, I now 
don't know which are right.
A set of entries are highlighted below.

As per the ID /var/lib/pki/pki-tomcat was the original and others came up after 
we had some issue with certificates after upgrade to FreeIPA 4.4.

1. How can I find out which are right? Per the FreeIPA docs, it should be 
/etc/pki/pki-tomcat/alias.

2. How can I remove the duplicated, unwanted certificates? Will the following work?
ipa-getcert stop-tracking -i "Request ID"


Thank you,
Bhavin


Number of certificates and requests being tracked: 11.
Request ID '20150203054229':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2018-06-15 23:16:43 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150203054325':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:15:10 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150203054400':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:16:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022825':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2018-06-15 23:16:43 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022826':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:15:10 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170726022827':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2018-06-15 23:16:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: 
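To help with the first question above (which of the two tracking requests per nickname is the stale one), here is an added Python script; it is not part of the original post and not FreeIPA or certmonger code. It parses `getcert list` output in the format shown in the message and pairs up requests that track the same nickname from different NSS databases. It assumes, following the poster's reading of the FreeIPA docs, that /etc/pki/pki-tomcat/alias is the expected database for the pki-tomcat certificates; the sample output embedded in the script is constructed from values in the message, with one extra non-duplicated request added to show that it is left alone. The script only reports; it stops tracking nothing.

```python
"""Pair up certmonger tracking requests that cover the same certificate
nickname from different NSS databases (added example, not FreeIPA code).

Feed it the text of `getcert list`; it reports, per duplicated nickname,
which request tracks the expected database and which ones need review.
"""
import re
import sys
from collections import defaultdict

# Expected NSS database for the pki-tomcat CA subsystem certificates
# (assumption taken from the poster's reading of the FreeIPA docs).
EXPECTED_CA_DB = "/etc/pki/pki-tomcat/alias"

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s*([^:]+):\s?(.*)$")
NSSDB_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue                      # header: "Number of certificates ..."
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    for req in requests:
        # Pull the NSS DB path and nickname out of the 'certificate' field.
        m = NSSDB_RE.search(req.get("certificate", ""))
        req["location"], req["nickname"] = m.groups() if m else (None, None)
    return requests


def find_duplicates(requests):
    """Group requests by nickname; keep only nicknames tracked more than once."""
    by_nick = defaultdict(list)
    for req in requests:
        if req["nickname"]:
            by_nick[req["nickname"]].append(req)
    return {nick: reqs for nick, reqs in by_nick.items() if len(reqs) > 1}


def triage(requests, expected_db=EXPECTED_CA_DB):
    """Return (nickname, keep_id, review_ids) per duplicated nickname.

    keep_id is the single request tracking the expected database; review_ids
    are the others. If no or several requests sit at the expected location,
    keep_id is None so that nobody acts on that nickname automatically.
    """
    result = []
    for nick, reqs in sorted(find_duplicates(requests).items()):
        keep = [r["id"] for r in reqs if r["location"] == expected_db]
        review = sorted(r["id"] for r in reqs if r["location"] != expected_db)
        result.append((nick, keep[0] if len(keep) == 1 else None, review))
    return result


# Constructed sample in `getcert list` format (values mirror the thread).
SAMPLE = """\
Number of certificates and requests being tracked: 5.
Request ID '20150203054229':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2018-06-15 23:16:43 UTC
Request ID '20150203054325':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2018-06-15 23:15:10 UTC
Request ID '20170726022825':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2018-06-15 23:16:43 UTC
Request ID '20170726022826':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2018-06-15 23:15:10 UTC
Request ID '20170726022830':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2019-01-01 00:00:00 UTC
"""

if __name__ == "__main__":
    # Pipe real output in (`getcert list | python3 this.py`) or use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for nick, keep, review in triage(parse_getcert_list(text)):
        print(f"{nick}: keep {keep or 'UNDECIDED'}, review {', '.join(review) or 'none'}")
```

For the sample this flags request 20150203054229 and 20150203054325 (the /var/lib/pki ones, using the older dogtag-ipa-renew-agent helper) for review and leaves the single Server-Cert request alone. Which request to actually stop tracking is still a human decision; the script only lines the candidates up.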

[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Steve Weeks via FreeIPA-users
Progress, but still not using the smartcard and falling back to the
password.

I changed the pam_sss line in common-auth too:

auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth sufficient pam_sss.so forward_pass

Now p11_child is called, but doesn't validate the certificate.  On Fedora
the final line in p11_child.log is "Ceritificate verified and validated".
On Ubuntu that line is missing.

The root certificate is in the certdb.  (certutil -d /etc/pki/nssdb -L).

Is there a way to do what p11_child does from the command line or with
better logging so I can see what it doesn't like?  I have debug_level = 9 on
everything at the moment.

Thanks,
Steve


On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose  wrote:

> On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> > In all cases on both systems pam_unix comes before pam_sss.  For example in
> > Fedora system-auth it is:
>
> On recent Fedora systems you should have
>
> auth [default=1 success=ok] pam_localuser.so
>
> before the lines below. This will call pam_unix only for users from
> /etc/passwd and skip the line otherwise (default=1). Maybe something
> like this would help on Ubuntu as well?
>
> bye,
> Sumit
>
> >
> > auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> > auth sufficient pam_sss.so forward_pass
> >
> > and in Ubuntu common-auth it is:
> >
> > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > auth [success=1 default=ignore] pam_sss.so use_first_pass
> >
> > I tried reversing the lines and get a pam error about user not known (it is
> > an AD user which works fine on fedora).
> >
> > Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
> > Don't know if this is relevant or not.
> >
> > Steve
> >
> >
> > On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> > > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users
> > > wrote:
> > > > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> > > client
> > > > version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> > > > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> > > >
> > > > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > > > systems.
> > > >
> > > > On both systems sssd.conf contains:
> > > > [pam]
> > > > pam_cert_auth = True
> > > >
> > > > I've turned the sssd logging up to 9 on both systems and it looks
> like
> > > > p11_child is never called on the Ubuntu system.  On the Ubuntu system
> > > > p11_child.log is empty and there is no sign of it being started in
> the
> > > > sssd_pam.log.
> > > >
> > > > Any suggestions on what I should look at next?
> > >
> > > What does your PAM configuration look like? You have to make sure that
> > > pam_sss.so is the first module called for SSSD users. If pam_unix comes
> > > first it will ask for a password and pass it on to pam_sss.so which will
> > > try password authentication in this case.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Thanks,
> > > > Steve
> > >
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
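As an added illustration (not from the thread and not Linux-PAM code) of why Sumit's pam_localuser line changes which module an SSSD user reaches first, the following Python script models Linux-PAM's auth-stack control semantics (ok, done, ignore, bad, die, reset and numeric jumps, plus the required/requisite/sufficient/optional shorthands) and runs two stacks through it: the Ubuntu common-auth lines quoted in this thread, and the same stack with the pam_localuser line in front and pam_sss made sufficient, as in the message above. The pam_deny/pam_permit tail, the user names and the module behaviours (pam_unix always prompts for a password; pam_sss uses the card only when no password has been collected yet) are assumptions of the model, not observed behaviour. It goes beyond the lines in the thread in that any auth stack written in pam.d syntax can be fed to it.

```python
"""Model of Linux-PAM auth-stack evaluation (added example, not Linux-PAM code).

run_stack() returns (final status, modules actually invoked, auth path) so
the effect of module order and of the pam_localuser jump can be seen directly.
"""

# Shorthand keywords expanded to the bracketed form Linux-PAM uses internally.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

LOCAL_USERS = {"alice"}   # constructed: users present in /etc/passwd


def parse_control(control):
    """'success=2 default=ignore' or 'sufficient' -> {retcode: action}."""
    table = {}
    for item in KEYWORDS.get(control, control).split():
        code, action = item.split("=")
        table[code] = int(action) if action.isdigit() else action
    return table


def parse_stack(text):
    """pam.d 'auth' lines -> list of (control table, module name)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, rest = line.split(None, 1)            # drop the 'auth' type
        if rest.startswith("["):
            end = rest.index("]")
            control, rest = rest[1:end], rest[end + 1:]
        else:
            control, rest = rest.split(None, 1)
        stack.append((parse_control(control.strip()), rest.split()[0]))
    return stack


# Assumed module behaviours; each returns a PAM result code name.
def pam_localuser(user, ctx):
    return "success" if user in LOCAL_USERS else "user_unknown"


def pam_unix(user, ctx):
    ctx["password_prompted"] = True          # pam_unix always asks for a password
    if user in LOCAL_USERS:
        ctx["auth_path"] = "password"        # assume the local password is right
        return "success"
    return "auth_err"                        # domain users have no shadow entry


def pam_sss(user, ctx):
    if user in LOCAL_USERS:
        return "user_unknown"
    # With a password already collected SSSD tries password auth (the
    # behaviour Sumit describes); otherwise it goes for the smartcard.
    ctx["auth_path"] = "password" if ctx["password_prompted"] else "smartcard"
    return "success"


MODULES = {
    "pam_localuser.so": pam_localuser,
    "pam_unix.so": pam_unix,
    "pam_sss.so": pam_sss,
    "pam_deny.so": lambda user, ctx: "auth_err",
    "pam_permit.so": lambda user, ctx: "success",
}


def run_stack(text, user):
    """Evaluate an auth stack for `user`; return (status, invoked, auth_path)."""
    ctx = {"password_prompted": False, "auth_path": None}
    impression, status = None, None          # None = no decision recorded yet
    stack, invoked, i = parse_stack(text), [], 0
    while i < len(stack):
        table, module = stack[i]
        invoked.append(module)
        retval = MODULES[module](user, ctx)
        action = table.get(retval, table.get("default", "bad"))
        i += 1
        if isinstance(action, int):
            i += action                      # jump: skip N modules, status untouched
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive" and status == "success":
                break                        # sufficient: decision made
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", retval
        elif action == "die":
            impression, status = "negative", retval
            break
        elif action == "reset":
            impression, status = None, None
        # "ignore": nothing to record
    return (status if impression else "perm_denied", invoked, ctx["auth_path"])


# Ubuntu 16.04 common-auth lines as quoted in the thread, plus the pam_deny /
# pam_permit tail assumed to follow them so the success=N jumps have a target.
UBUNTU_ORIGINAL = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Same stack with Sumit's pam_localuser line and pam_sss made sufficient.
UBUNTU_WITH_LOCALUSER = """
auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

if __name__ == "__main__":
    for name, stack in (("original", UBUNTU_ORIGINAL), ("localuser", UBUNTU_WITH_LOCALUSER)):
        for user in ("alice", "bob"):
            print(name, user, run_stack(stack, user))
```

With the original stack the domain user goes through pam_unix first, so the model reports the password path; with the pam_localuser line in front the user_unknown result jumps straight over pam_unix and pam_sss sees an empty authtok, which is the precondition for the smartcard prompt. A numeric jump is modelled as a plain skip that leaves the accumulated status alone, which is what lets `default=1` on pam_localuser work at all.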


[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Sumit Bose via FreeIPA-users
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> In all cases on both systems pam_unix comes before pam_sss.  For example in
> Fedora system-auth it is:

On recent Fedora systems you should have

auth [default=1 success=ok] pam_localuser.so

before the lines below. This will call pam_unix only for users from
/etc/passwd and skip the line otherwise (default=1). Maybe something
like this would help on Ubuntu as well?

bye,
Sumit

> 
> auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> 
> and in Ubuntu common-auth it is:
> 
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_sss.so use_first_pass
> 
> I tried reversing the lines and get a pam error about user not known (it is
> an AD user which works fine on fedora).
> 
> Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
> Don't know if this is relevant or not.
> 
> Steve
> 
> 
> On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
> > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users
> > wrote:
> > > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> > client
> > > version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> > > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> > >
> > > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > > systems.
> > >
> > > On both systems sssd.conf contains:
> > > [pam]
> > > pam_cert_auth = True
> > >
> > > I've turned the sssd logging up to 9 on both systems and it looks like
> > > p11_child is never called on the Ubuntu system.  On the Ubuntu system
> > > p11_child.log is empty and there is no sign of it being started in the
> > > sssd_pam.log.
> > >
> > > Any suggestions on what I should look at next?
> >
> > What does your PAM configuration look like? You have to make sure that
> > pam_sss.so is the first module called for SSSD users. If pam_unix comes
> > first it will ask for a password and pass it on to pam_sss.so which will
> > try password authentication in this case.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks,
> > > Steve
> >


[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Steve Weeks via FreeIPA-users
In all cases on both systems pam_unix comes before pam_sss.  For example in
Fedora system-auth it is:

auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass

and in Ubuntu common-auth it is:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass

I tried reversing the lines and get a pam error about user not known (it is
an AD user which works fine on fedora).

Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
Don't know if this is relevant or not.

Steve


On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users
> wrote:
> > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> client
> > version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> >
> > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > systems.
> >
> > On both systems sssd.conf contains:
> > [pam]
> > pam_cert_auth = True
> >
> > I've turned the sssd logging up to 9 on both systems and it looks like
> > p11_child is never called on the Ubuntu system.  On the Ubuntu system
> > p11_child.log is empty and there is no sign of it being started in the
> > sssd_pam.log.
> >
> > Any suggestions on what I should look at next?
>
> What does your PAM configuration look like? You have to make sure that
> pam_sss.so is the first module called for SSSD users. If pam_unix comes
> first it will ask for a password and pass it on to pam_sss.so which will
> try password authentication in this case.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Steve
>


[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Sumit Bose via FreeIPA-users
On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
> We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client
> version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> 
> The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> systems.
> 
> On both systems sssd.conf contains:
> [pam]
> pam_cert_auth = True
> 
> I've turned the sssd logging up to 9 on both systems and it looks like
> p11_child is never called on the Ubuntu system.  On the Ubuntu system
> p11_child.log is empty and there is no sign of it being started in the
> sssd_pam.log.
> 
> Any suggestions on what I should look at next?

What does your PAM configuration look like? You have to make sure that
pam_sss.so is the first module called for SSSD users. If pam_unix comes
first it will ask for a password and pass it on to pam_sss.so which will
try password authentication in this case.

HTH

bye,
Sumit

> 
> Thanks,
> Steve



[Freeipa-users] Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Steve Weeks via FreeIPA-users
We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client
version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.

The smartcard is readable using pkcs11-tools and pkcs15-tools on both
systems.

On both systems sssd.conf contains:
[pam]
pam_cert_auth = True

I've turned the sssd logging up to 9 on both systems and it looks like
p11_child is never called on the Ubuntu system.  On the Ubuntu system
p11_child.log is empty and there is no sign of it being started in the
sssd_pam.log.

Any suggestions on what I should look at next?

Thanks,
Steve


[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:

On 2017-09-28 11:37, Alexander Bokovoy wrote:

You need to define HBAC rules that target system-auth PAM service on
this host then.

But yes, any practical PAM service would work as long as you have
appropriate HBAC rules for this service.


Is an HBAC Service in IPA the counterpart to the PAM file on an ipa 
client residing in /etc/pam.d/ ?

Yes. You can always get help by running 'ipa help ' command:

-
$ ipa help hbacsvc
HBAC Services

The PAM services that HBAC can control access to. The name used here
must match the service name that PAM is evaluating.

EXAMPLES:

Add a new HBAC service:
  ipa hbacsvc-add tftp

Modify an existing HBAC service:
  ipa hbacsvc-mod --desc="TFTP service" tftp

Search for HBAC services. This example will return two results, the FTP
service and the newly-added tftp service:
  ipa hbacsvc-find ftp

Delete an HBAC service:
  ipa hbacsvc-del tftp

Topic commands:
 hbacsvc-add   Add a new HBAC service.
 hbacsvc-del   Delete an existing HBAC service.
 hbacsvc-find  Search for HBAC services.
 hbacsvc-mod   Modify an HBAC service.
 hbacsvc-show  Display information about an HBAC service.

To get command help, use:
 ipa  --help
-

There is also a section in the documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/hbac-add-service.html
--
/ Alexander Bokovoy


[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote:
> On 2017-09-28 11:37, Alexander Bokovoy wrote:
>> You need to define HBAC rules that target system-auth PAM service on
>> this host then.
>>
>> But yes, any practical PAM service would work as long as you have
>> appropriate HBAC rules for this service.
> 
> Is an HBAC Service in IPA the counterpart to the PAM file on an ipa
> client residing in /etc/pam.d/ ?

Yes.

rob


[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Ronald Wimmer via FreeIPA-users

On 2017-09-28 11:37, Alexander Bokovoy wrote:

You need to define HBAC rules that target system-auth PAM service on
this host then.

But yes, any practical PAM service would work as long as you have
appropriate HBAC rules for this service.


Is an HBAC Service in IPA the counterpart to the PAM file on an ipa 
client residing in /etc/pam.d/ ?




[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Alka Murali via FreeIPA-users
Hi Florence,

Thanks for the email.

I am on a CentOS 7 system and would like to use yum for the upgrade. I
believe dnf is intended for Fedora. Can you please provide me a solution
for the upgrade process on CentOS?

Regards,
Alka Murali


On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud wrote:

> On 09/28/2017 09:52 AM, Alka Murali wrote:
>
>> Hi Florence,
>>
>> Thanks for the reply.
>>
>> However do you mean that I need to create a new repo file for Version 4.6
>> and try the Upgrade? Or do you mean that I need to remove the current
>> installation and go for a fresh install?
>>
>> Hi,
>
> the easiest path is to do:
> sudo dnf copr enable @freeipa/freeipa-4-6
> sudo dnf update freeipa-server
>
> This will upgrade your existing installation to FreeIPA 4.6.
>
> HTH,
> Flo
>
> Regards,
>> Alka Murali
>>
>>
>> On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:
>>
>> On 09/28/2017 04:12 AM, Alka Murali wrote:
>>
>> Hi Florence,
>>
>> Thanks for the email. As you have mentioned, I tried updating
>> the corresponding python files under IPA Server and tried for
>> the Upgrade.
>>
>> Hi,
>>
>> do you mean that you manually edited the python files? In this case
>> it is likely that some files were forgotten. The patch for 4-5
>> branch is
>> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
>> but may depend on other commits applied on the branch between the
>> 4.5.3 release and the patch.
>>
>> For consistency, I'd rather recommend to upgrade the packages to 4.6
>> (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
>> fedora27).
>>
>> Flo
>>
>> However I was getting the error below:
>>
>> -
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
>> File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>> line 172, in execute
>>
>> return_value = self.run()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_
>> server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 966, in certificate_renewal_update
>>
>> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>>
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
>> The ipa-server-upgrade command failed, exception:
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>> --
>>
>> So do I need to define "get_server_cert_nickname"  in certs.py
>> script too.
>>
>>
>> Awaiting your reply.
>>
>>
>> Thanks and Regards,
>>
>> Alka Murali
>>
>>
>> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:
>>
>>  On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>
>>  Hello,
>>
>>  Currently my server is running on IPA Server Version
>> 4.4. I have
>>  tried to upgrade the Version to 4.5 using the
>> ipa-server-upgrade
>>  command and got ended with the following error:
>>
>>
>>  
>>
>>  2017-09-26T02:27:32Z DEBUG stderr=
>>
>>  2017-09-26T02:27:50Z DEBUG Loading Index file from
>>  '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>>  2017-09-26T02:27:53Z DEBUG Starting external process
>>
>>  2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>>  /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>>  /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>>  2017-09-26T02:27:56Z DEBUG Process finished, return
>> 

[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Florence Blanc-Renaud via FreeIPA-users

On 09/28/2017 09:52 AM, Alka Murali wrote:

Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for Version 
4.6 and try the Upgrade? Or do you mean that I need to remove the 
current installation and go for a fresh install?



Hi,

the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server

This will upgrade your existing installation to FreeIPA 4.6.

HTH,
Flo


Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:


On 09/28/2017 04:12 AM, Alka Murali wrote:

Hi Florence,

Thanks for the email. As you have mentioned, I tried updating
the corresponding python files under IPA Server and tried for
the Upgrade.

Hi,

do you mean that you manually edited the python files? In this case
it is likely that some files were forgotten. The patch for 4-5
branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044

but may depend on other commits applied on the branch between the
4.5.3 release and the patch.

For consistency, I'd rather recommend to upgrade the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
fedora27).

Flo

However I was getting the error below:

-

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute

return_value = self.run()

File

"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run

server.upgrade()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade

upgrade_configuration()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration

certificate_renewal_update(ca, ds, http),

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update

'cert-nickname': ds.get_server_cert_nickname(serverid),


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
The ipa-server-upgrade command failed, exception:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
Unexpected error - see /var/log/ipaupgrade.log for details:

AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information

--

So do I need to define "get_server_cert_nickname"  in certs.py
script too.


Awaiting your reply.


Thanks and Regards,

Alka Murali


On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:

     On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:

         Hello,

         Currently my server is running on IPA Server Version
4.4. I have
         tried to upgrade the Version to 4.5 using the
ipa-server-upgrade
         command and got ended with the following error:


         

         2017-09-26T02:27:32Z DEBUG stderr=

         2017-09-26T02:27:50Z DEBUG Loading Index file from
         '/var/lib/ipa/sysrestore/sysrestore.index'

         2017-09-26T02:27:53Z DEBUG Starting external process

         2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
         /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
         /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt

         2017-09-26T02:27:56Z DEBUG Process finished, return
code=255

         2017-09-26T02:27:56Z DEBUG stdout=

         2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not
find cert:
         Server-Cert

         : PR_FILE_NOT_FOUND_ERROR: File not found


         2017-09-26T02:27:56Z ERROR IPA server upgrade failed:
Inspect
         /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.

         2017-09-26T02:27:56Z DEBUG File

"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line

         172, in execute

         return_value = self.run()

         File


[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:

Hi,

I was reading 
https://www.freeipa.org/page/Apache_Group_Based_Authorization but 
failed to implement that for AD users. The problem is that Kerberos 
authenticates myuser0...@mywindows.domain.at but there is no 
corresponding entry on the AD domain controller. The available user 
attributes in the LDAP directory look like 'myuser0815' 
(samaccountname) or 'myuser0...@someupnsuffix.domain.at' 
(userprincipalname).


GssapiLocalName or KrbLocalUserMapping would only map to locally 
existing users, right? I tried them both and still saw 
'myuser0...@mywindows.domain.at' leading to:


[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] 
mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap 
authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] 
mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap 
authorise: User DN not found, User not found


Any ideas what I could try next?

Don't use mod_authnz_ldap, it doesn't have any clue about real
complexity like the above.

A proper solution would be to use mod_authnz_pam and allow pam_sss to
handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/




--
/ Alexander Bokovoy


[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Alka Murali via FreeIPA-users
Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for Version 4.6
and try the Upgrade? Or do you mean that I need to remove the current
installation and go for a fresh install?

Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:

> On 09/28/2017 04:12 AM, Alka Murali wrote:
>
>> Hi Florence,
>>
>> Thanks for the email. As you have mentioned, I tried updating the
>> corresponding python files under IPA Server and tried for the Upgrade.
>>
> Hi,
>
> do you mean that you manually edited the python files? In this case it is
> likely that some files were forgotten. The patch for 4-5 branch is
> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
> may depend on other commits applied on the branch between the 4.5.3 release
> and the patch.
>
> For consistency, I'd rather recommend to upgrade the packages to 4.6
> (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
> fedora27).
>
> Flo
>
> However I was getting the error below:
>>
>> -
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
>> execute
>>
>> return_value = self.run()
>>
>> File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 966, in certificate_renewal_update
>>
>> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>>
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
>> ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
>> object has no attribute 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
>> information
>>
>> --
>>
>> So do I need to define "get_server_cert_nickname"  in certs.py script too.
>>
>>
>> Awaiting your reply.
>>
>>
>> Thanks and Regards,
>>
>> Alka Murali
>>
>>
>> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:
>>
>> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>
>> Hello,
>>
>> Currently my server is running on IPA Server Version 4.4. I have
>> tried to upgrade the Version to 4.5 using the ipa-server-upgrade
>> command and got ended with the following error:
>>
>>
>> 
>>
>> 2017-09-26T02:27:32Z DEBUG stderr=
>>
>> 2017-09-26T02:27:50Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>> 2017-09-26T02:27:53Z DEBUG Starting external process
>>
>> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>
>> 2017-09-26T02:27:56Z DEBUG stdout=
>>
>> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>>
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade
>> manually.
>>
>> 2017-09-26T02:27:56Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>> 172, in execute
>>
>> return_value = self.run()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1018, in certificate_renewal_update
>>
>> ds.start_tracking_certificates(serverid)
>>
>> File
>> 

[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Florence Blanc-Renaud via FreeIPA-users

On 09/28/2017 04:12 AM, Alka Murali wrote:

> Hi Florence,
>
> Thanks for the email. As you have mentioned, I tried updating the
> corresponding python files under IPA Server and tried for the Upgrade.

Hi,

do you mean that you manually edited the python files? In this case it
is likely that some files were forgotten. The patch for 4-5 branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
may depend on other commits applied on the branch between the 4.5.3
release and the patch.

For consistency, I'd rather recommend to upgrade the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
fedora27).

Flo

> However I was getting the error below:
>
> -
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
>
> return_value = self.run()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>
> server.upgrade()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1913, in upgrade
>
> upgrade_configuration()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1788, in upgrade_configuration
>
> certificate_renewal_update(ca, ds, http),
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 966, in certificate_renewal_update
>
> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
> ipa-server-upgrade command failed, exception: AttributeError:
> 'DsInstance' object has no attribute 'get_server_cert_nickname'
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
> Unexpected error - see /var/log/ipaupgrade.log for details:
>
> AttributeError: 'DsInstance' object has no attribute
> 'get_server_cert_nickname'
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
> --
>
> So do I need to define "get_server_cert_nickname" in certs.py script too.
>
> Awaiting your reply.
>
> Thanks and Regards,
>
> Alka Murali
>
> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:
>
>> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>
>> Hello,
>>
>> Currently my server is running on IPA Server Version 4.4. I have
>> tried to upgrade the Version to 4.5 using the ipa-server-upgrade
>> command and got ended with the following error:
>>
>> 2017-09-26T02:27:32Z DEBUG stderr=
>>
>> 2017-09-26T02:27:50Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>> 2017-09-26T02:27:53Z DEBUG Starting external process
>>
>> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>
>> 2017-09-26T02:27:56Z DEBUG stdout=
>>
>> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>>
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>
>> 2017-09-26T02:27:56Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>> 172, in execute
>>
>> return_value = self.run()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1018, in certificate_renewal_update
>>
>> ds.start_tracking_certificates(serverid)
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 1046, in start_tracking_certificates
>>
>> 'restart_dirsrv %s' % serverid)
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 362, in track_server_cert
>>
>> cert_obj = x509.load_certificate(cert)
>>
>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
>> 119, in load_certificate
>>
>> return cryptography.x509.load_der_x509_certificate(data,
>> default_backend())
>>
>> File
>> "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
>> line 47, in load_der_x509_certificate
>>
>> return backend.load_der_x509_certificate(data)
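Florence's point in the message above is that a hand-patched tree is easily left inconsistent: upgrade.py was updated to call ds.get_server_cert_nickname(), but the DsInstance class it calls into was not, which is exactly the AttributeError in the traceback. The script below is an added example, not code from the thread or from the FreeIPA project. It gives an administrator two checks to run before ipa-server-upgrade: list package files whose digest no longer matches the RPM (files edited by hand), and confirm that a class in a given source file really defines the method a back-ported caller expects. The package names, the site-packages path and the sample rpm -V lines are assumptions for a Python 2.7 FreeIPA 4.x install; the two check functions themselves are generic.

```shell
#!/bin/sh
# Added example (not from the thread): pre-upgrade consistency checks for a
# FreeIPA tree that may have been patched by hand.
#
#   modified_py_files     reads `rpm -V` output on stdin and prints the Python
#                         files whose digest differs from the package (flag "5"),
#                         i.e. files that were edited locally.
#   class_defines_method  FILE CLASS METHOD: exit 0 if CLASS in FILE defines
#                         METHOD, 1 otherwise. Catches a back-ported caller
#                         (upgrade.py calling ds.get_server_cert_nickname) whose
#                         callee (dsinstance.py) was never updated.

modified_py_files() {
    # rpm -V lines look like "S.5....T.    /path" (S=size, 5=digest, T=mtime).
    # The third flag character is the digest check and the last field is the
    # path; "missing /path" lines fall through because their third char is not 5.
    awk '$1 ~ /^..5/ && $NF ~ /\.py$/ { print $NF }'
}

class_defines_method() {
    file=$1; cls=$2; meth=$3
    awk -v cls="$cls" -v meth="$meth" '
        # entering the class: "class Name(...):" or "class Name:"
        $0 ~ ("^class " cls "[(:]")                 { inclass = 1; next }
        # any non-indented, non-blank, non-comment line ends the class body
        inclass && /^[^ \t#]/                       { inclass = 0 }
        # an indented "def meth(" inside the body is what we are looking for
        inclass && $0 ~ ("^[ \t]+def " meth "\\(")  { found = 1; exit }
        END { exit !found }
    ' "$file"
}

# precheck: both checks wired to a live host. The package names and the
# site-packages path are assumptions for a Python 2.7 FreeIPA 4.x install;
# adjust them to what `rpm -qf` reports for the files in the traceback.
precheck() {
    site=/usr/lib/python2.7/site-packages
    echo "Locally modified Python files:"
    rpm -V ipa-server python2-ipaserver 2>/dev/null | modified_py_files
    if class_defines_method "$site/ipaserver/install/dsinstance.py" \
            DsInstance get_server_cert_nickname; then
        echo "DsInstance.get_server_cert_nickname present; the upgrade.py caller will resolve."
    else
        echo "DsInstance.get_server_cert_nickname missing; ipa-server-upgrade would raise AttributeError."
    fi
}
# Usage on a server, after sourcing this file:  precheck
```

Any file listed by the first check is a candidate for `rpm -V`-guided restore (reinstall the package) before upgrading, which is the package-level route Flo recommends; the second check is the quick way to see whether a partial backport left a caller pointing at a method that does not exist.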

 

[Freeipa-users] Re: AD trust setup woes

2017-09-28 Thread Igor Sever via FreeIPA-users
There is IPA provider, but no sssd_pac module.
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac
--debug-to-files, reason: No such file or directory
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org