[Freeipa-users] Enrolling SLE 12 SP2 hosts with FreeIPA

2017-10-23 Thread Aaron Hicks via FreeIPA-users
Hello the FreeIPA List,

We've got a FreeIPA directory set up and running. That's all good.

The difficult part is that we also have a number (many) of SLE 12 SP2 hosts
that need to be enrolled.

I can see that the freeipa-client package has not been available to SLE/SUSE
since 2015 or so, so the ipa-client-install, ipa-join, and ipa-getkeytab
tools are unavailable. They would be nice; we'd just do a check and execute
them when a host is redeployed to enroll and configure the host.

We've managed to figure out the static parts of the required configuration
(/etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/krb5.conf) as well as
deploying the FreeIPA server's certificate to /etc/ipa/ca.crt. We can also
enroll the hosts 'remotely' by scripting over their hostnames and IP
addresses from a CSV file, so they exist in the FreeIPA directory, and even
join them to some hostgroups.

The bit we're a bit stuck at is retrieving the host's Kerberos keytab. There
does not seem to be a getkeytab request in the FreeIPA API, and the use of
kadmin and ktutil to process the keytab is not recommended.

We need a stepwise process to run on the host being enrolled that gets the
keytab from the FreeIPA directory and installs it into the host.

At the moment the method that looks like it's going to work is to write a
script that sshes to the FreeIPA server, kinits as a user who can retrieve
keytabs, gets the keytab and writes it to a temporary file, scps the keytab
back to the host, tidies up temp files, then returns to the host, validates
the keytab, installs it, and restarts Kerberos/sshd/sssd.

This seems less than ideal; alternatively, should we look at compiling the
ipa-client into a package?

Regards,

Aaron Hicks

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
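An added example, not code from Aaron's post or from FreeIPA: the "validate the keytab" step of the procedure above, done by reading the MIT keytab file format directly so it works on a host that has no ipa-* tooling. It checks that the fetched file really contains a key for host/FQDN@REALM with a non-deprecated encryption type and nothing else. The hostname sle01.example.com, the realm EXAMPLE.COM and the key bytes are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / IANA registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES and RC4 are deprecated


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Decode an MIT keytab (file format version 0x0502) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)   # int32 record length
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off += -size
            continue
        ent, e = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", ent, e)
        realm, e = _counted(ent, e + 2)
        comps = []
        for _ in range(ncomp):
            comp, e = _counted(ent, e)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", ent, e)
        e += 9
        (enctype,) = struct.unpack_from(">H", ent, e)
        _key, e = _counted(ent, e + 2)   # key bytes are not needed for validation
        kvno = vno8
        if size - e >= 4:            # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack_from(">I", ent, e)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
        off += size
    return entries


def check_host_keytab(data, fqdn, realm):
    """Return (ok, problems) for a keytab about to be installed on `fqdn`."""
    want = "host/%s@%s" % (fqdn, realm)
    try:
        entries = parse_keytab(data)
    except (ValueError, struct.error) as exc:
        return False, ["unparseable keytab: %s" % exc]
    problems = []
    mine = [e for e in entries if e.principal == want]
    if not mine:
        problems.append("no key for %s" % want)
    for e in mine:
        if e.enctype in WEAK_ENCTYPES:
            problems.append("weak enctype %s at kvno %d" % (ENCTYPE_NAMES.get(e.enctype, e.enctype), e.kvno))
    others = sorted({e.principal for e in entries} - {want})
    if others:                       # a host keytab should not carry anyone else's keys
        problems.append("unexpected principals: %s" % ", ".join(others))
    return not problems, problems


def build_entry(realm, comps, kvno, enctype, key, ts=1508745600):
    """Serialise one keytab record; used only to construct sample data here."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a host keytab with an AES key and a leftover RC4 key (not real secrets).
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("EXAMPLE.COM", ["host", "sle01.example.com"], 3, 18, b"\x11" * 32)
    + build_entry("EXAMPLE.COM", ["host", "sle01.example.com"], 3, 23, b"\x22" * 16)
)

if __name__ == "__main__":
    ok, problems = check_host_keytab(SAMPLE_KEYTAB, "sle01.example.com", "EXAMPLE.COM")
    print("install" if ok else "reject", problems)
```

Run it against the fetched file (`check_host_keytab(open(path, "rb").read(), fqdn, realm)`) before copying it to /etc/krb5.keytab with mode 0600 and restarting sssd.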


[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Bhavin Vaidya via FreeIPA-users
Hello,


Is it possible to get a 3rd-party CA (we were thinking of doing so), and would following 
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP 
help me resolve this?


thank you,

regards,

Bhavin

From: Bhavin Vaidya via FreeIPA-users 
Sent: Monday, October 23, 2017 11:59 AM
To: Rob Crittenden; Anvar Kuchkartaev; Bhavin Vaidya via FreeIPA-users
Cc: John Dennis; Bhavin Vaidya
Subject: [Freeipa-users] Re: several IPA CA certificate entries


Hello Rob,


Here is what we have. Looks like the /etc/http/alias certificate is different, as it 
is from Aug 03 2014 through Aug 03 2034, which is the original date.


[root@ds01 alias]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

ipaCert  u,u,u
Server-Cert  u,u,u
EXAMPLE.COM IPA CA   CT,C,C

[root@ds01 alias]# certutil -d /etc/httpd/alias/ -L -n "EXAMPLE.COM IPA CA"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
Validity:
Not Before: Sun Aug 03 19:28:18 2014
Not After : Thu Aug 03 19:28:18 2034
Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c3:9d:33:68:81:3a:7e:83:15:ba:bd:54:1c:a3:28:6a:


Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
48:da:13:cd:37:06:74:ac:
da:f7:6d:c6

Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.

Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Certificate Signing
CRL Signing

Name: Certificate Subject Key ID
Data:
48:da:13:cd:37:06:74:ac:
da:f7:6d:c6

Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ipa01.example.com:80/ca/ocsp"

Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
7e:bb:1e:d8:f7:2c:57:45:57:2a:cb:a9:43:a9:1e:88:

Fingerprint (SHA-256):
64::1C
Fingerprint (SHA1):
28:
Sent: Monday, October 23, 2017 11:14 AM
To: Anvar Kuchkartaev; Bhavin Vaidya via FreeIPA-users
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

Anvar Kuchkartaev wrote:
> Have you tried to add the CA to the systemwide database?

It gets added as part of ipa-client-install, after the point where it is
failing.

This leads me to believe you don't have the "right" CA certificate after
all.

Is your Apache web cert signed by the IPA CA or a 3rd party? If by IPA
then I'd compare the CA cert in the NSS db in /etc/httpd/alias with the
one you have in LDAP.

mod_nss won't let Apache start with a bad cert chain.

rob

>
> Anvar Kuchkartaev
> an...@aegisnet.eu
> *From: *Bhavin Vaidya via FreeIPA-users
> *Sent: *Monday, 23 October 2017 07:46 p.m.
> *To: *Rob Crittenden; FreeIPA users list
> *Reply To: *FreeIPA users list
> *Cc: *John Dennis; Bhavin Vaidya
> *Subject: *[Freeipa-users] Re: several IPA CA certificate entries
>
>
> Thank you everyone.
>
>
> We did manage to delete the certificates, all but the right one (we
> figured out looking at clients' /etc/ipa/ca.crt)
>
>
> But on client installation we now get a different message, which is
> related to the certificate too. Tried another IPA server too, same message.
>
>
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
> Valid From:  Thu Jun 01 12:55:08 2017 UTC
> Valid Until: Mon Jun 01 12:55:08 2037 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> I have attached the log file.
>
> thank 

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Bhavin Vaidya via FreeIPA-users
Hello Rob,


Here is what we have. Looks like the /etc/http/alias certificate is different, as it 
is from Aug 03 2014 through Aug 03 2034, which is the original date.


[root@ds01 alias]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

ipaCert  u,u,u
Server-Cert  u,u,u
EXAMPLE.COM IPA CA   CT,C,C

[root@ds01 alias]# certutil -d /etc/httpd/alias/ -L -n "EXAMPLE.COM IPA CA"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
Validity:
Not Before: Sun Aug 03 19:28:18 2014
Not After : Thu Aug 03 19:28:18 2034
Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c3:9d:33:68:81:3a:7e:83:15:ba:bd:54:1c:a3:28:6a:


Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
48:da:13:cd:37:06:74:ac:
da:f7:6d:c6

Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.

Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Certificate Signing
CRL Signing

Name: Certificate Subject Key ID
Data:
48:da:13:cd:37:06:74:ac:
da:f7:6d:c6

Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ipa01.example.com:80/ca/ocsp"

Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
7e:bb:1e:d8:f7:2c:57:45:57:2a:cb:a9:43:a9:1e:88:

Fingerprint (SHA-256):
64::1C
Fingerprint (SHA1):
28:
Sent: Monday, October 23, 2017 11:14 AM
To: Anvar Kuchkartaev; Bhavin Vaidya via FreeIPA-users
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

Anvar Kuchkartaev wrote:
> Have you tried to add the CA to the systemwide database?

It gets added as part of ipa-client-install, after the point where it is
failing.

This leads me to believe you don't have the "right" CA certificate after
all.

Is your Apache web cert signed by the IPA CA or a 3rd party? If by IPA
then I'd compare the CA cert in the NSS db in /etc/httpd/alias with the
one you have in LDAP.

mod_nss won't let Apache start with a bad cert chain.

rob

>
> Anvar Kuchkartaev
> an...@aegisnet.eu
> *From: *Bhavin Vaidya via FreeIPA-users
> *Sent: *Monday, 23 October 2017 07:46 p.m.
> *To: *Rob Crittenden; FreeIPA users list
> *Reply To: *FreeIPA users list
> *Cc: *John Dennis; Bhavin Vaidya
> *Subject: *[Freeipa-users] Re: several IPA CA certificate entries
>
>
> Thank you everyone.
>
>
> We did manage to delete the certificates, all but the right one (we
> figured out looking at clients' /etc/ipa/ca.crt)
>
>
> But on client installation we now get a different message, which is
> related to the certificate too. Tried another IPA server too, same message.
>
>
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
> Valid From:  Thu Jun 01 12:55:08 2017 UTC
> Valid Until: Mon Jun 01 12:55:08 2037 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> I have attached the log file.
>
> thank you all once again.
> regards,
> Bhavin
>
>
>
>
>
>
> 
> *From:* Rob Crittenden 
> *Sent:* Monday, October 16, 2017 5:09 AM
> *To:* FreeIPA users list
> *Cc:* John Dennis; Bhavin Vaidya
> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>
> Bhavin Vaidya via FreeIPA-users wrote:
>> Thank you. Your help is appreciated. We are still out of luck and this
>> is becoming very critical for us.
>>
>>
>> Please help.
>>
>>
>> We did remove all but 1 certificate, restarted master (ds01) but
>> client installation, connection check and replica installation still fail.
>>
>>
>> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>>
>>
>> the log messages are,
>>
>>
>> /var/log/ipaclient-install.log
>>
>> 

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Marius Bjørnstad via FreeIPA-users
On 23. okt. 2017 19:45, Bhavin Vaidya via FreeIPA-users wrote:
> We did manage to delete the certificates, all but the right one (we
> figured out looking at clients' /etc/ipa/ca.crt)
>
>
I have seen /etc/ipa/ca.crt get out of date before. It wasn't updated
automatically when renewing the CA cert, though I was using 3.x versions
at the time. Thankfully, it's easy to check. You can open up the Web UI
and check what the expiry date is in the browser. If it matches the
below, just ignore this message.
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>     Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>     Valid From:  Thu Jun 01 12:55:08 2017 UTC
>     Valid Until: Mon Jun 01 12:55:08 2037 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
>
>



[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Rob Crittenden via FreeIPA-users
Anvar Kuchkartaev wrote:
> Peer certificate cannot be authenticated with known CA certificates
> This error shows that your system cannot authenticate the remote host (curl
> is probably trying to authenticate using the systemwide database rather than
> the CA certificate obtained from the server). Try to add the CA to the CA
> database of the operating system on the client.
> 
> In Red Hat based Linux:
> Add the ca.crt file to the folder:
> /etc/pki/ca-trust/source/anchors
> and execute:
> update-ca-trust extract
> 
> On Debian:
> https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

As I said, this will be done automatically by ipa-client-install. The
one in LDAP does not match the one that signed the web cert, though I
assume it is the same private key so things are a bit odd.

rob

> 
> 
> Anvar Kuchkartaev 
> an...@aegisnet.eu 
> *From: *Bhavin Vaidya
> *Sent: *Monday, 23 October 2017 08:07 p.m.
> *To: *Anvar Kuchkartaev; Bhavin Vaidya via FreeIPA-users; Rob
> Crittenden; Bhavin Vaidya via FreeIPA-users
> *Cc: *John Dennis
> *Subject: *Re: [Freeipa-users] Re: several IPA CA certificate entries
> 
> 
> Thank you Anvar.
> 
> 
> Yes, earlier when we had a certificate issue, we added new certificates and
> we ended up having multiple certificates, which we had to clean up.
> 
> Is this the question you asked?
> 
> 
> After deleting the extra certificates, we have not touched /etc/pki/nssdb.
> 
> 
> regards,
> 
> Bhavin
> 
> 
> 
> 
> *From:* Anvar Kuchkartaev 
> *Sent:* Monday, October 23, 2017 10:53 AM
> *To:* Bhavin Vaidya via FreeIPA-users; Rob Crittenden; FreeIPA users list
> *Cc:* John Dennis; Bhavin Vaidya
> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>  
> Have you tried to add the CA to the systemwide database?
> 
> Anvar Kuchkartaev 
> an...@aegisnet.eu 
> *From: *Bhavin Vaidya via FreeIPA-users
> *Sent: *Monday, 23 October 2017 07:46 p.m.
> *To: *Rob Crittenden; FreeIPA users list
> *Reply To: *FreeIPA users list
> *Cc: *John Dennis; Bhavin Vaidya
> *Subject: *[Freeipa-users] Re: several IPA CA certificate entries
> 
> 
> Thank you everyone.
> 
> 
> We did manage to delete the certificates, all but the right one (we
> figured out looking at clients' /etc/ipa/ca.crt)
> 
> 
> But on client installation we now get a different message, which is
> related to the certificate too. Tried another IPA server too, same message.
> 
> 
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
> Valid From:  Thu Jun 01 12:55:08 2017 UTC
> Valid Until: Mon Jun 01 12:55:08 2037 UTC
> 
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> I have attached the log file.
> 
> thank you all once again.
> regards,
> Bhavin
> 
> 
> 
> 
> 
> 
> 
> *From:* Rob Crittenden 
> *Sent:* Monday, October 16, 2017 5:09 AM
> *To:* FreeIPA users list
> *Cc:* John Dennis; Bhavin Vaidya
> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>  
> Bhavin Vaidya via FreeIPA-users wrote:
>> Thank you. Your help is appreciated. We are still out of luck and this
>> is becoming very critical for us.
>>
>>
>> Please help.
>>
>>
>> We did remove all but 1 certificate, restarted master (ds01) but
>> client installation, connection check and replica installation still fail.
>>
>>
>> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>>
>>
>> the log messages are,
>>
>>
>> /var/log/ipaclient-install.log
>>
>> 2017-10-13T06:25:31Z DEBUG Starting external process
>> 2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
>> -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
>> 2017-10-13T06:25:31Z DEBUG Process finished, return code=255
>> 2017-10-13T06:25:31Z DEBUG stdout=
>> 2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to
>> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
>> database.
>>
>> 2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.
>>
>> /var/log/ipareplica-conncheck.log
>>
>> 2017-10-13T01:56:19Z DEBUG Starting external process
>> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
>> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
>> /tmp/tmpbrAYYO/pwdfile.txt
>> 2017-10-13T01:56:19Z DEBUG Process finished, return code=0
>> 2017-10-13T01:56:19Z DEBUG stdout=
>> 2017-10-13T01:56:19Z DEBUG stderr=
>> 2017-10-13T01:56:19Z DEBUG Starting external process
>> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
>> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
>> /tmp/tmpbrAYYO/pwdfile.txt
>> 2017-10-13T01:56:19Z 

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Anvar Kuchkartaev via FreeIPA-users
Peer certificate cannot be authenticated with known CA certificates

This error shows that your system cannot authenticate the remote host (curl is probably trying to authenticate using the systemwide database rather than the CA certificate obtained from the server). Try to add the CA to the CA database of the operating system on the client.

In Red Hat based Linux:
Add the ca.crt file to the folder:
/etc/pki/ca-trust/source/anchors
and execute:
update-ca-trust extract

On Debian:
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

Anvar Kuchkartaev
an...@aegisnet.eu

From: Bhavin Vaidya
Sent: Monday, 23 October 2017 08:07 p.m.
To: Anvar Kuchkartaev; Bhavin Vaidya via FreeIPA-users; Rob Crittenden; Bhavin Vaidya via FreeIPA-users
Cc: John Dennis
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

Thank you Anvar.


Yes, earlier when we had a certificate issue, we added new certificates and we ended up having multiple certificates, which we had to clean up.
Is this the question you asked?


After deleting the extra certificates, we have not touched /etc/pki/nssdb.


regards,
Bhavin
From: Anvar Kuchkartaev 
Sent: Monday, October 23, 2017 10:53 AM
To: Bhavin Vaidya via FreeIPA-users; Rob Crittenden; FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries
Have you tried to add the CA to the systemwide database?
Anvar Kuchkartaev 
an...@aegisnet.eu 
From: Bhavin Vaidya via FreeIPA-users
Sent: Monday, 23 October 2017 07:46 p.m.
To: Rob Crittenden; FreeIPA users list
Reply To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: [Freeipa-users] Re: several IPA CA certificate entries
Thank you everyone.


We did manage to delete the certificates, all but the right one (we figured out looking at clients' /etc/ipa/ca.crt)


But on client installation we now get a different message, which is related to the certificate too. Tried another IPA server too, same message.



Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Thu Jun 01 12:55:08 2017 UTC
    Valid Until: Mon Jun 01 12:55:08 2037 UTC


Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates


Installation failed. Rolling back changes.
IPA client is not configured on this system.


I have attached the log file.


thank you all once again.
regards,
Bhavin
From: Rob Crittenden 
Sent: Monday, October 16, 2017 5:09 AM
To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries
Bhavin Vaidya via FreeIPA-users wrote:
> Thank you. Your help is appreciated. We are still out of luck and this
> is becoming very critical for us.
>
>
> Please help.
>
>
> We did remove all but 1 certificate, restarted master (ds01) but
> client installation, connection check and replica installation still fail.
>
>
> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>
>
> the log messages are,
>
>
> /var/log/ipaclient-install.log
>
> 2017-10-13T06:25:31Z DEBUG Starting external process
> 2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
> -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
> 2017-10-13T06:25:31Z DEBUG Process finished, return code=255
> 2017-10-13T06:25:31Z DEBUG stdout=
> 2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> 2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.
>
> /var/log/ipareplica-conncheck.log
>
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=0
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=255
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to
> token or 

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Rob Crittenden via FreeIPA-users
Anvar Kuchkartaev wrote:
> Have you tried to add the CA to the systemwide database?

It gets added as part of ipa-client-install, after the point where it is
failing.

This leads me to believe you don't have the "right" CA certificate after
all.

Is your Apache web cert signed by the IPA CA or a 3rd party? If by IPA
then I'd compare the CA cert in the NSS db in /etc/httpd/alias with the
one you have in LDAP.

mod_nss won't let Apache start with a bad cert chain.

rob

> 
> Anvar Kuchkartaev 
> an...@aegisnet.eu 
> *From: *Bhavin Vaidya via FreeIPA-users
> *Sent: *Monday, 23 October 2017 07:46 p.m.
> *To: *Rob Crittenden; FreeIPA users list
> *Reply To: *FreeIPA users list
> *Cc: *John Dennis; Bhavin Vaidya
> *Subject: *[Freeipa-users] Re: several IPA CA certificate entries
> 
> 
> Thank you everyone.
> 
> 
> We did manage to delete the certificates, all but the right one (we
> figured out looking at clients' /etc/ipa/ca.crt)
> 
> 
> But on client installation we now get a different message, which is
> related to the certificate too. Tried another IPA server too, same message.
> 
> 
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
> Valid From:  Thu Jun 01 12:55:08 2017 UTC
> Valid Until: Mon Jun 01 12:55:08 2037 UTC
> 
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> I have attached the log file.
> 
> thank you all once again.
> regards,
> Bhavin
> 
> 
> 
> 
> 
> 
> 
> *From:* Rob Crittenden 
> *Sent:* Monday, October 16, 2017 5:09 AM
> *To:* FreeIPA users list
> *Cc:* John Dennis; Bhavin Vaidya
> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>  
> Bhavin Vaidya via FreeIPA-users wrote:
>> Thank you. Your help is appreciated. We are still out of luck and this
>> is becoming very critical for us.
>>
>>
>> Please help.
>>
>>
>> We did remove all but 1 certificate, restarted master (ds01) but
>> client installation, connection check and replica installation still fail.
>>
>>
>> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>>
>>
>> the log messages are,
>>
>>
>> /var/log/ipaclient-install.log
>>
>> 2017-10-13T06:25:31Z DEBUG Starting external process
>> 2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
>> -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
>> 2017-10-13T06:25:31Z DEBUG Process finished, return code=255
>> 2017-10-13T06:25:31Z DEBUG stdout=
>> 2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to
>> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
>> database.
>>
>> 2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.
>>
>> /var/log/ipareplica-conncheck.log
>>
>> 2017-10-13T01:56:19Z DEBUG Starting external process
>> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
>> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
>> /tmp/tmpbrAYYO/pwdfile.txt
>> 2017-10-13T01:56:19Z DEBUG Process finished, return code=0
>> 2017-10-13T01:56:19Z DEBUG stdout=
>> 2017-10-13T01:56:19Z DEBUG stderr=
>> 2017-10-13T01:56:19Z DEBUG Starting external process
>> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
>> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
>> /tmp/tmpbrAYYO/pwdfile.txt
>> 2017-10-13T01:56:19Z DEBUG Process finished, return code=255
>> 2017-10-13T01:56:19Z DEBUG stdout=
>> 2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to
>> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
>> database.
>>
>> Here is the Red Hat thread https://access.redhat.com/solutions/1143193.
> 
> This issue is unrelated.
> 
> IPA pulls the list of CA's to add from LDAP so pre-deleting the entries
> locally won't do anything: they will be re-added by ipa-client-install.
> 
> You'll need to look in ARTERIS.COM IPA
> CA,cn=cn=certificates,cn=ipa,cn=etc,dc=ateris,dc=com for
> userCertificate. It is a multi-valued attribute. I'm guessing it occurs
> 5 times. It seems only one of them is problematic, you'll need to figure
> out which one is the "bad" one, or figure out which is the most recent
> and remove the others. I'd be sure to save a copy of whatever is there
> at the moment to be on the safe side.
> 
> rob
> 
>>
>> regards,
>> Bhavin
>>
>> 
>> 
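Rob's advice above is to compare the CA certificate in the Apache NSS database with the one in LDAP, and Marius points out that /etc/ipa/ca.crt and the expiry date shown by the Web UI are two more copies to check. The following is an added example, not code from the thread or from FreeIPA: it takes each copy as PEM (for instance the output of `certutil -L -d /etc/httpd/alias -n "<nickname>" -a`, the clients' /etc/ipa/ca.crt, or the base64 of the LDAP userCertificate value wrapped in PEM markers) and reports SHA-256 fingerprint, subject and validity using a minimal DER walker, so it needs no extra libraries. The two certificates built at the bottom are constructed stand-ins that only borrow the 2014-2034 and 2017-2037 dates quoted in the thread; they are not real CA certificates.

```python
import base64
import datetime
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    sha256: str
    subject_der: bytes
    not_before: datetime.datetime
    not_after: datetime.datetime


def _tlv(buf, off=0):
    """Decode one DER tag-length-value at `off`; return (tag, value, next_off)."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def _time(tag, value):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_info(der):
    """Pull fingerprint, subject and validity out of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der)         # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _tlv(cert)
    tag, _, off = _tlv(tbs)
    if tag != 0xA0:                # [0] EXPLICIT version is absent in v1 certificates
        off = 0
    _, _serial, off = _tlv(tbs, off)
    _, _sig_alg, off = _tlv(tbs, off)
    _, _issuer, off = _tlv(tbs, off)
    _, validity, off = _tlv(tbs, off)
    _, subject, _ = _tlv(tbs, off)
    t1, nb, vo = _tlv(validity)
    t2, na, _ = _tlv(validity, vo)
    return CertInfo(hashlib.sha256(der).hexdigest(), subject, _time(t1, nb), _time(t2, na))


def compare_copies(copies):
    """copies: {source: pem}. Returns (all_identical, {source: CertInfo})."""
    infos = {src: cert_info(pem_to_der(pem)) for src, pem in copies.items()}
    return len({i.sha256 for i in infos.values()}) == 1, infos


# --- constructed sample data: genuine DER layout, dummy key and signature ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content


def fake_ca_pem(not_before, not_after, serial):
    """Self-issued look-alike of 'CN=Certificate Authority' with the given UTCTime validity."""
    cn = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Certificate Authority"))))
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    spki = _der(0x30, rsa + _der(0x03, b"\x00" + b"\x01" * 32))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + sha256_rsa + cn + validity + cn + spki)
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" + b"\x02" * 32))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


# Dates from the thread: the httpd NSS copy (2014-2034) vs what the client fetched (2017-2037).
HTTPD_ALIAS_COPY = fake_ca_pem("140803192818Z", "340803192818Z", 1)
LDAP_COPY = fake_ca_pem("170601125508Z", "370601125508Z", 2)

if __name__ == "__main__":
    same, infos = compare_copies({"/etc/httpd/alias": HTTPD_ALIAS_COPY, "ldap": LDAP_COPY})
    for src, info in infos.items():
        print(src, info.sha256[:16], info.not_before.date(), info.not_after.date())
    print("identical" if same else "MISMATCH: the copies are different certificates")
```

Two copies with the same subject but different fingerprints and validity windows, as here, are the situation the thread describes: the client trusts one certificate while the web server's chain was built against another.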

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Bhavin Vaidya via FreeIPA-users
Thank you Anvar.


Yes, earlier when we had a certificate issue, we added new certificates and we 
ended up having multiple certificates, which we had to clean up.

Is this the question you asked?


After deleting the extra certificates, we have not touched /etc/pki/nssdb.


regards,

Bhavin



From: Anvar Kuchkartaev 
Sent: Monday, October 23, 2017 10:53 AM
To: Bhavin Vaidya via FreeIPA-users; Rob Crittenden; FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

Have you tried to add the CA to the systemwide database?

Anvar Kuchkartaev
an...@aegisnet.eu
From: Bhavin Vaidya via FreeIPA-users
Sent: Monday, 23 October 2017 07:46 p.m.
To: Rob Crittenden; FreeIPA users list
Reply To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: [Freeipa-users] Re: several IPA CA certificate entries



Thank you everyone.


We did manage to delete the certificates, all but the right one (we figured out 
looking at clients' /etc/ipa/ca.crt)


But on client installation we now get a different message, which is related to 
the certificate too. Tried another IPA server too, same message.


Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
Valid From:  Thu Jun 01 12:55:08 2017 UTC
Valid Until: Mon Jun 01 12:55:08 2037 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

I have attached the log file.

thank you all once again.
regards,
Bhavin







From: Rob Crittenden 
Sent: Monday, October 16, 2017 5:09 AM
To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

Bhavin Vaidya via FreeIPA-users wrote:
> Thank you. Your help is appreciated. We are still out of luck and this
> is becoming very critical for us.
>
>
> Please help.
>
>
> We did remove all but 1 certificate, restarted master (ds01) but
> client installation, connection check and replica installation still fail.
>
>
> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>
>
> the log messages are,
>
>
> /var/log/ipaclient-install.log
>
> 2017-10-13T06:25:31Z DEBUG Starting external process
> 2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
> -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
> 2017-10-13T06:25:31Z DEBUG Process finished, return code=255
> 2017-10-13T06:25:31Z DEBUG stdout=
> 2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> 2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.
>
> /var/log/ipareplica-conncheck.log
>
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=0
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=255
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> Here is the Red Hat thread https://access.redhat.com/solutions/1143193.
This issue is unrelated.

IPA pulls the list of CA's to add from LDAP so pre-deleting the entries
locally won't do anything: they will be re-added by ipa-client-install.

You'll need to look in ARTERIS.COM IPA
CA,cn=cn=certificates,cn=ipa,cn=etc,dc=ateris,dc=com for
userCertificate. It is a multi-valued attribute. I'm guessing it occurs
5 times. It seems only one of them is problematic, you'll need to figure
out which one is the "bad" one, or figure out which is the most recent
and remove the others. I'd be sure to save a copy of whatever is there
at the moment to be on the safe side.

rob

>
> regards,
> Bhavin
>
> 
> *From:* Rob Crittenden 
> *Sent:* Friday, October 13, 2017 5:38 AM
> *To:* FreeIPA users list; 

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Anvar Kuchkartaev via FreeIPA-users
Have you tried to add the CA to the systemwide database?

Anvar Kuchkartaev
an...@aegisnet.eu

From: Bhavin Vaidya via FreeIPA-users
Sent: Monday, 23 October 2017 07:46 p.m.
To: Rob Crittenden; FreeIPA users list
Reply To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: [Freeipa-users] Re: several IPA CA certificate entries

Thank you everyone.


We did manage to delete the certificates, all but the right one (we figured out looking at clients' /etc/ipa/ca.crt)


But on client installation we now get a different message, which is related to the certificate too. Tried another IPA server too, same message.



Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Thu Jun 01 12:55:08 2017 UTC
    Valid Until: Mon Jun 01 12:55:08 2037 UTC


Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates


Installation failed. Rolling back changes.
IPA client is not configured on this system.


I have attached the log file.


thank you all once again.
regards,
Bhavin
From: Rob Crittenden 
Sent: Monday, October 16, 2017 5:09 AM
To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries
 



Bhavin Vaidya via FreeIPA-users wrote:
> Thank you. your help is appreciated. We are still out of luck and this
> is becoming very critical for us.
>
>
> Please help.
>
>
> We did remove all but 1 certificate, restarted master (ds01) but
> clientinstallation, connection check and replica installation still fails.
>
>
> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>
>
> the log messages are,
>
>
> /var/log/ipaclient-install.log
>
> 2017-10-13T06:25:31Z DEBUG Starting external process
> 2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
> -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
> 2017-10-13T06:25:31Z DEBUG Process finished, return code=255
> 2017-10-13T06:25:31Z DEBUG stdout=
> 2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> 2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.
>
> /var/log/ipareplica-conncheck.log
>
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=0
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=255
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> Here is the Red Hat thread 
https://access.redhat.com/solutions/1143193.







IdM/IPA server install error with external CA, "certutil ...

access.redhat.com

Register. If you are a new customer, register now for access to product evaluations and purchasing capabilities. Need access to an account? If your company has an ...








This issue is unrelated.

IPA pulls the list of CA's to add from LDAP so pre-deleting the entries 
locally won't do anything: they will be re-added by ipa-client-install.

You'll need to look in ARTERIS.COM IPA 
CA,cn=cn=certificates,cn=ipa,cn=etc,dc=ateris,dc=com for 
userCertificate. It is a multi-valued attribute. I'm guessing it occurs 
5 times. It seems only one of them is problematic, you'll need to figure 
out which one is the "bad" one, or figure out which is the most recent 
and remove the others. I'd be sure to save a copy of whatever is there 
at the moment to be on the safe side.

rob

>
> regards,
> Bhavin
>
> 
> *From:* Rob Crittenden 
> *Sent:* Friday, October 13, 2017 5:38 AM
> *To:* FreeIPA users list; Bhavin 

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-23 Thread Bhavin Vaidya via FreeIPA-users
Thank you everyone.


We did manage to delete the certificates, all but the right one (we figured it out by 
looking at the clients' /etc/ipa/ca.crt)


But on client installation we now get a different message, which is related to the 
certificate too. Tried another IPA server too, same message.


Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
Valid From:  Thu Jun 01 12:55:08 2017 UTC
Valid Until: Mon Jun 01 12:55:08 2037 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

I have attached the log file.

thank you all once again.
regards,
Bhavin
From: Rob Crittenden 
Sent: Monday, October 16, 2017 5:09 AM
To: FreeIPA users list
Cc: John Dennis; Bhavin Vaidya
Subject: Re: [Freeipa-users] Re: several IPA CA certificate entries

Bhavin Vaidya via FreeIPA-users wrote:
> Thank you. your help is appreciated. We are still out of luck and this
> is becoming very critical for us.
>
>
> Please help.
>
>
> We did remove all but 1 certificate, restarted master (ds01) but
> client installation, connection check and replica installation still fail.
>
>
> certutil -D -d /etc/pki/nssdb -n 'ARTERIS.COM IPA CA'
>
>
> the log messages are,
>
>
> /var/log/ipaclient-install.log
>
> 2017-10-13T06:25:31Z DEBUG Starting external process
> 2017-10-13T06:25:31Z DEBUG args=/usr/bin/certutil -d /etc/ipa/nssdb -A
> -n ARTERIS.COM IPA CA -t CT,C,C -f /etc/ipa/nssdb/pwdfile.txt
> 2017-10-13T06:25:31Z DEBUG Process finished, return code=255
> 2017-10-13T06:25:31Z DEBUG stdout=
> 2017-10-13T06:25:31Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> 2017-10-13T06:25:31Z ERROR Installation failed. Rolling back changes.
>
> /var/log/ipareplica-conncheck.log
>
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=0
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=
> 2017-10-13T01:56:19Z DEBUG Starting external process
> 2017-10-13T01:56:19Z DEBUG args=/usr/bin/certutil -d /tmp/tmpbrAYYO -A
> -n CN=Certificate Authority,O=ARTERIS.COM -t C,, -f
> /tmp/tmpbrAYYO/pwdfile.txt
> 2017-10-13T01:56:19Z DEBUG Process finished, return code=255
> 2017-10-13T01:56:19Z DEBUG stdout=
> 2017-10-13T01:56:19Z DEBUG stderr=certutil: could not add certificate to
> token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to
> database.
>
> Here is the Red Hat thread https://access.redhat.com/solutions/1143193.
This issue is unrelated.

IPA pulls the list of CA's to add from LDAP so pre-deleting the entries
locally won't do anything: they will be re-added by ipa-client-install.

You'll need to look in cn=ARTERIS.COM IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=arteris,dc=com for
userCertificate. It is a multi-valued attribute. I'm guessing it occurs
5 times. It seems only one of them is problematic, you'll need to figure
out which one is the "bad" one, or figure out which is the most recent
and remove the others. I'd be sure to save a copy of whatever is there
at the moment to be on the safe side.

rob

>
> regards,
> Bhavin
>
> 
> *From:* Rob Crittenden 
> *Sent:* Friday, October 13, 2017 5:38 AM
> *To:* FreeIPA users list; Bhavin Vaidya
> *Cc:* John Dennis
> *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries
>
> John Dennis via FreeIPA-users wrote:
>> On 10/12/2017 05:06 PM, Bhavin Vaidya wrote:
>>> Hello Jon,
>>>
>>>
>>> thank you for your help. responded to main thread, and just sending
>>> you the actual output for certutil.
>>>
>>>
>>> [root@ds01 log]#  certutil -d /etc/pki/nssdb -L
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> ARTERIS.COM IPA CA                                           CT,C,C
>>> ARTERIS.COM IPA CA                                           CT,C,C
>>> ARTERIS.COM IPA CA                                           CT,C,C
>>> ARTERIS.COM IPA CA                                           CT,C,C
>>
>> These nicknames do not look unique to me, I'm assuming you're still
>> editing them for inclusion in this 
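
Rob's suggestion quoted above (find the one good certificate value in the cn=certificates entry, remove the rest, and save a copy first) as a worked, offline procedure. This is an added example and not FreeIPA's or the thread's code. It assumes the DN Rob names, written out in full; the attribute name as given in the thread (pass attr="cACertificate;binary" if your entry keeps the CA under that attribute instead); an LDIF export of the entry taken with ldapsearch as Directory Manager, which doubles as the backup; and the known-good /etc/ipa/ca.crt from a working client, the same comparison Bhavin used to tell the right certificate apart. The certificate values in the block are constructed stand-ins, not real certificates, and nothing in it talks to LDAP: it only writes the LDIF modify for you to review and apply.

```python
"""Prune stale CA certificate values from a FreeIPA cn=certificates entry.

Added example, not FreeIPA code. Input: an LDIF export of the entry and the
known-good PEM CA from a working client's /etc/ipa/ca.crt. Output: an LDIF
modify that deletes only the values whose SHA-256 fingerprint is not the
trusted one. Review the LDIF, then apply it with ldapmodify.
"""
from __future__ import annotations

import base64
import hashlib

# DN from the thread, written out in full (assumed).
DN = "cn=ARTERIS.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=arteris,dc=com"
# Attribute name as given in the thread; use "cACertificate;binary" if the
# entry stores the CA there instead.
ATTR = "userCertificate;binary"


def parse_ldif_entry(text: str) -> tuple[str, dict[str, list[bytes]]]:
    """One LDIF entry -> (dn, attr -> values). Unfolds ' ' continuation lines
    and decodes '::' base64 values; plain values become UTF-8 bytes."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = "", {}
    for line in lines:
        name, _, value = line.partition(":")
        val = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
        if name == "dn":
            dn = val.decode()
        else:
            attrs.setdefault(name, []).append(val)
    return dn, attrs


def pem_certs_to_der(pem: str) -> list[bytes]:
    """DER bytes of every CERTIFICATE block (ca.crt may carry a chain)."""
    ders, buf, inside = [], [], False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            buf, inside = [], True
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line.strip())
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER: what `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def plan_cleanup(ldif_text: str, good_ca_pem: str, attr: str = ATTR):
    """Split the entry's values into keep (present in the trusted PEM) and drop.
    Refuses to plan when nothing matches, so a wrong ca.crt can never yield an
    LDIF that deletes every value."""
    dn, attrs = parse_ldif_entry(ldif_text)
    trusted = {fingerprint(d) for d in pem_certs_to_der(good_ca_pem)}
    values = attrs.get(attr, [])
    keep = [v for v in values if fingerprint(v) in trusted]
    drop = [v for v in values if fingerprint(v) not in trusted]
    if not keep:
        raise ValueError(f"no {attr} value matches the trusted CA; not planning deletions")
    return dn, keep, drop


def modify_ldif(dn: str, attr: str, drop: list[bytes]) -> str:
    """'delete:' with explicit values, so only the listed ones are removed.
    Long lines fold at 76 columns with a leading space, as ldapsearch writes them."""
    out = [f"dn: {dn}", "changetype: modify", f"delete: {attr}"]
    for v in drop:
        line = f"{attr}:: {base64.b64encode(v).decode()}"
        out.append(line[:76])
        out.extend(" " + line[i:i + 75] for i in range(76, len(line), 75))
    out.append("-")
    return "\n".join(out) + "\n"


# Constructed stand-ins: a real entry holds DER certificates; these short byte
# strings only exercise the fingerprint and LDIF logic.
_VALUES = [b"CONSTRUCTED-STANDIN-CERT-OLD-1", b"CONSTRUCTED-STANDIN-CERT-GOOD", b"CONSTRUCTED-STANDIN-CERT-OLD-2"]


def sample_entry_ldif() -> str:
    """Shape of `ldapsearch -LLL -s base -b "$DN"` output for the entry (constructed)."""
    body = [f"dn: {DN}", "cn: ARTERIS.COM IPA CA"]
    body += [f"{ATTR}:: {base64.b64encode(v).decode()}" for v in _VALUES]
    return "\n".join(body) + "\n"


def sample_good_ca_pem() -> str:
    """A client's /etc/ipa/ca.crt holding the stand-in for the good CA (constructed)."""
    b64 = base64.b64encode(_VALUES[1]).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def demo() -> tuple[str, int, int, str]:
    """(dn, values kept, values dropped, LDIF to apply)."""
    dn, keep, drop = plan_cleanup(sample_entry_ldif(), sample_good_ca_pem())
    return dn, len(keep), len(drop), modify_ldif(dn, ATTR, drop)


if __name__ == "__main__":
    print(demo()[3])
```

Apply the generated LDIF on one master with `ldapmodify -x -D "cn=Directory Manager" -W -f cleanup.ldif`; the entry lives under cn=etc in the main suffix and replicates to the other masters. The client-side SEC_ERROR_ADDING_CERT in Bhavin's log is certutil being asked, once per LDAP value, to add a second and different certificate under a nickname that already exists in /etc/ipa/nssdb, which is why the entry has to be fixed on the server rather than in the local database.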

[Freeipa-users] Re: sudo not working with hostgroups

2017-10-23 Thread Bjoern Klimpel via FreeIPA-users
Hi, thanks for your tips and support,
I followed your tips and also found a Red Hat document -> 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/config-sudo-clients.html

In short: 
- followed the instructions
- enabled logging (sudoers_debug 2)
-> got the following result: the sudo rule for the host group does not match because 
the LDAP search is for hosts instead of host groups :-(

ipa-lx-test-debian9% sudo -l
sudo: LDAP Config Summary
sudo: ===
sudo: uri ldaps://ipa-lx-test-01.example.world.com
sudo: uri ldap://ipa-prod-01.example.world.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=example,dc=world,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=world,dc=com
sudo: bindpw MySecurePassword
sudo: bind_timelimit 5
sudo: timelimit 15
sudo: ssl (no)
sudo: tls_checkpeer (yes)
sudo: tls_cacertfile /etc/ipa/ca.crt
sudo: ===
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldaps://ipa-lx-test-01.example.world.com 
ldap://ipa-prod-01.example.world.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in ou=SUDOers,dc=example,dc=world,dc=com
sudo: ldap search 
'(&(objectClass=sudoRole)(|(sudoUser=webtrekk)(sudoUser=%webtrekk)(sudoUser=%#299801104)(sudoUser=%domänen-benutzer)(sudoUser=%mitarbeiter)(sudoUser=%wt-it-warp)(sudoUser=%wt-it)(sudoUser=%ad_users)(sudoUser=%wt-it-warp)(sudoUser=%#299800513)(sudoUser=%#299801109)(sudoUser=%#299801114)(sudoUser=%#299801116)(sudoUser=%#55688)(sudoUser=%#556800012)(sudoUser=ALL)))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com'
sudo: adding search result
sudo: ldap sudoHost '+centos_group' ... not
sudo: ldap sudoHost '+debian_group' ... not
sudo: ldap sudoHost '+ubuntu_group' ... not
sudo: result now has 0 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=)(sudoUser=+))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=false
sudo: sudo_ldap_lookup(54)=0x84
[sudo] Password for user:
 
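
The trace in Bjoern's post, as an added example that is not part of his message or of sudo itself. A sudoHost value of the form +name is a netgroup reference: with netgroup_base unset (the "NONE: will use nsswitch" line) sudo resolves it with innetgr(3) through nsswitch, and FreeIPA presents each host group to its clients as a netgroup of the same name through SSSD (and through the compat tree at cn=ng,cn=compat,$SUFFIX, which is where sudo-ldap's netgroup_base could alternatively be pointed; assumed here). The block below models how the LDAP backend walks the sudoHost values and reproduces the "... not" lines and host_matches=false when the netgroup lookup returns nothing, then shows the same rule matching once membership resolves. Host names, address and netgroup contents are constructed; nothing is looked up for real.

```python
"""How sudo's LDAP backend decides host_matches for a sudoRole.

Added example for this thread; not code from sudo or FreeIPA. It walks a
rule's sudoHost values the way the sudoers LDAP backend does (ALL, host name or
glob, address/netmask, +netgroup, optional leading '!' negation) and shows why
'+centos_group' ends in host_matches=false when netgroup lookups find nothing.
Membership comes from constructed `getent netgroup` style lines that stand in
for innetgr(3) via nsswitch.
"""
from __future__ import annotations

import fnmatch
import ipaddress
from typing import Callable, Iterable

Innetgr = Callable[[str, str], bool]  # innetgr(netgroup, host) -> member?


def parse_getent_netgroup(lines: Iterable[str]) -> dict[str, set[str]]:
    """'NAME (host,user,domain) (host,user,domain) ...' -> name -> host set."""
    groups: dict[str, set[str]] = {}
    for line in lines:
        name, _, rest = line.strip().partition(" ")
        hosts = groups.setdefault(name, set())
        for triple in rest.split(")"):
            host = triple.strip().lstrip("(").split(",")[0].strip().lower()
            if host and host != "-":
                hosts.add(host)
    return groups


def innetgr_from(groups: dict[str, set[str]]) -> Innetgr:
    """innetgr(3) stand-in backed by parsed getent output."""
    return lambda netgroup, host: host.lower() in groups.get(netgroup, set())


def _addr_matches(spec: str, addrs: list[str]) -> bool:
    """sudoHost given as 'addr' or 'addr/netmask' against the host's addresses."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    return any(ipaddress.ip_address(a) in net for a in addrs)


def _hostname_matches(spec: str, shost: str, lhost: str) -> bool:
    """Case-insensitive compare with short and long host name; fnmatch for globs."""
    spec, names = spec.lower(), (shost.lower(), lhost.lower())
    if any(c in spec for c in "*?["):
        return any(fnmatch.fnmatchcase(n, spec) for n in names)
    return spec in names


def sudo_ldap_check_host(sudo_hosts: list[str], shost: str, lhost: str,
                         addrs: list[str], innetgr: Innetgr,
                         log: list[str] | None = None) -> bool:
    """Mirror the backend loop: stop at the first matching value; a negated
    match yields False but the walk continues. Appends the same debug lines
    the thread's trace shows, e.g. "ldap sudoHost '+centos_group' ... not"."""
    ret = False
    for val in sudo_hosts:
        if ret:
            break
        negated = val.startswith("!")
        spec = val[1:] if negated else val
        matched = (
            spec == "ALL"
            or _addr_matches(spec, addrs)
            or (spec.startswith("+") and any(innetgr(spec[1:], h) for h in (lhost, shost)))
            or _hostname_matches(spec, shost, lhost)
        )
        if matched:
            ret = not negated
        if log is not None:
            log.append(f"sudo: ldap sudoHost '{val}' ... {'MATCH!' if ret else 'not'}")
    return ret


# Constructed: the rule's sudoHost values from the trace and the client running sudo -l.
SUDO_HOSTS = ["+centos_group", "+debian_group", "+ubuntu_group"]
CLIENT = ("ipa-lx-test-debian9", "ipa-lx-test-debian9.example.world.com", ["10.0.0.25"])


def innetgr_unavailable(netgroup: str, host: str) -> bool:
    """What innetgr() returns when nsswitch has no working netgroup source."""
    return False


# Constructed `getent netgroup debian_group` output: the shape SSSD returns once
# the FreeIPA host group is visible to the client as a netgroup of that name.
GETENT_LINES = [
    "debian_group (ipa-lx-test-debian9.example.world.com,-,example.world.com) "
    "(ipa-lx-test-02.example.world.com,-,example.world.com)",
]


def demo() -> tuple[bool, bool, list[str]]:
    """(host_matches without netgroups, with netgroups, debug lines for the first)."""
    shost, lhost, addrs = CLIENT
    log: list[str] = []
    without = sudo_ldap_check_host(SUDO_HOSTS, shost, lhost, addrs, innetgr_unavailable, log)
    resolver = innetgr_from(parse_getent_netgroup(GETENT_LINES))
    with_ng = sudo_ldap_check_host(SUDO_HOSTS, shost, lhost, addrs, resolver)
    return without, with_ng, log


if __name__ == "__main__":
    without, with_ng, log = demo()
    print("\n".join(log) + f"\nhost_matches={str(without).lower()} (with netgroups: {str(with_ng).lower()})")
```

The check to run on the client is `getent netgroup centos_group` (with `netgroup: sss` in /etc/nsswitch.conf): empty output means innetgr() cannot see the host group, and every +netgroup value in the rule then logs "... not" exactly as in the trace, while user_matches stays true because the sudoUser side was resolved from LDAP directly.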