[Freeipa-users] Freeipa connecting to Redhat IPA server.

2017-12-14 Thread Tony Delov via FreeIPA-users
I've been having difficulties connecting a freeipa-client on Ubuntu 16.06
LTS, to a Redhat IPA server that has a trusted connection to Microsoft AD
server.

Ssh authentications are pretty slow; however, once I do get on, I find sudo
commands often do not work for several minutes, saying I am "not in the
sudoers file." This is even though I am in the same group in the access.conf
file and the sudoers file.

I think the initial slowness is due to the fact that our AD system has lots
of groups and I am part of many large groups with many users. I've been
checking the sssd cache file, and I can see that ssh authentication does
not even start until almost all groups I am a member of have been added to
the cache. However, that does not explain why sudo is being delayed as the
groups are already cached.

Has anyone got any advice about setting up a freeipa-client on Ubuntu to
connect to a Redhat IPA server?

Has anyone else experienced difficulties with sudo commands?

Group membership is not listing all the groups a person is a member of all
the time.
id

*IPA Client.*

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

# dpkg --list | grep freeipa
ii  freeipa-client   4.3.1-0ubuntu1   amd64   FreeIPA centralized identity framework -- client
ii  freeipa-common   4.3.1-0ubuntu1   all     FreeIPA centralized identity framework -- common files

*IPA Server*

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)


# rpm -qa | grep "ipa-"
sssd-ipa-1.15.2-50.el7_4.6.x86_64
ipa-common-4.5.0-21.el7_4.2.2.noarch
ipa-server-4.5.0-21.el7_4.2.2.x86_64
ipa-client-common-4.5.0-21.el7_4.2.2.noarch
ipa-client-4.5.0-21.el7_4.2.2.x86_64
ipa-server-common-4.5.0-21.el7_4.2.2.noarch
ipa-server-trust-ad-4.5.0-21.el7_4.2.2.x86_64




Regards
Tony D
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] DNS Reverse Zone Error (UPDATE)

2017-12-14 Thread Auerbach, Steven via FreeIPA-users
We perform monthly patching of our IPA servers on consecutive weeks.  We have a
realm member server that loses its 'A' record in DNS after every monthly
patching cycle on the first of our 2 IPA servers. And this member server is the
ONLY machine to have such a problem.

Using the DNS Admin GUI I can make the 'A' record on one of the IPA servers and 
it shows up immediately in the DNS Admin GUI of the other.  There is no reverse 
record for that member server in the DNS Admin GUI and it will not allow me to 
add a reverse zone record for the server.  I receive a message that the reverse 
record for this server already exists.

Is there a way to clean this up?  Is this glitch regarding the reverse zone
record the reason the 'A' record falls away?

UPDATE: We rebooted the member server to test which post-patch reboot might be 
the point of loss for the 'A' record (we did not reboot either IPA server).  
The 'A' record for the member server is gone again.

Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | 
www.flbog.edu


[Freeipa-users] Replica setup options

2017-12-14 Thread Gordon Messmer via FreeIPA-users
I've set up a replica in an IPA domain, and was surprised that it did 
not have DNS configured the same way that the first IPA server does.  Of 
the following options that I specified on the first install, which do I 
need to provide to a replica in order to get identical functionality, 
and where is that documented?


    --mkhomedir --setup-dns --forwarder --reverse-zone --allow-zone-overlap --setup-adtrust



[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-14 Thread David Harvey via FreeIPA-users
On 13 December 2017 at 23:29, Timo Aaltonen via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote:
> > On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
> >> Not sure why tomcat is more resilient when launched as root, but the
> >> pki seems to work ok at issuing certs after the above and a reboot for
> >> good measure.
> >
> > This sounds like there are broken permissions in the current Ubuntu
> > packages.  You should be aware that last time I checked, FreeIPA on
> > Ubuntu was subtly yet severely broken, mostly due to the NSS libs
> > missing PEM support, which will stop your CA from renewing, amongst
> > other things.
>
> I'd like to get a bug filed for each issue you find. For instance that
> upgrade thing should already be fixed but sounds like it isn't?
>

It's absolutely possible that the state of my upgrade didn't take in or
countered your fixes due to my hacking around issues that reared their
heads during the initial 17.04 install I upgraded from.
Now that I'm upgraded it's a little harder to find out, but I will see if I
have any backups hanging around from the pre-upgrade state.


>
> And yes, not being able to package nss-pem does mean the CA is less than
> useful. Maybe I should try to gently force the libnss maintainer to ship
> the needed (static) libs to be able to finish packaging nss-pem..
>
> > Does anyone know what the state of packaging for deb distros is
> > currently?  Now that the OpenSSL migration is complete(?), the barriers
> > to functional packages should be removed, but it looks like that only
> > happened in 4.5, and it appears only 4.4 is packaged, which is likely
> > still broken?
>
> Freeipa is/was stuck at 4.4 because getting bind9 9.11 in the archive
> took a year. That's now fixed, and I'm working on 4.6.x. But I need to
> update the whole stack, so right now I'm stuck with Dogtag 10.5.3 not
> building because it needed a newer (and patched) ldapjdk. Uploaded it
> today but it won't build before the (Debian) archive is otherwise
> untangled.
>
> Anyway, for Ubuntu 18.04 I might be forced to drop support for the CA
> altogether, as it looks like Dogtag won't get fixed to support Tomcat
> 8.5 and RESTEasy 3.1 (and maybe others I haven't found out about yet) in
> time. Oh and I need to package the JBOSS version of jaxrs-api too, since
> the current alternative broke things when it got updated.. fun times
> ahead, as always.
>

Oh crikey, that sounds like as much fun as pulling teeth.
I can hold out a bit longer on the (as far as I can tell) very functional
17.10 install. Will make a call on it nearer the 18.04 time, but might make
the jump to Fedora or the Docker based installs if things aren't looking
good for the state of Ubuntu by then..

Thanks for taking the time to explain the state of affairs. Appreciate
your work as ever.

David



[Freeipa-users] DNS Reverse Zone Error

2017-12-14 Thread Auerbach, Steven via FreeIPA-users
We perform monthly patching of our IPA servers on consecutive weeks.  We have a
realm member server that loses its 'A' record in DNS after every monthly
patching cycle on the first of our 2 IPA servers. And this member server is the
ONLY machine to have such a problem.

Using the DNS Admin GUI I can make the 'A' record on one of the IPA servers and 
it shows up immediately in the DNS Admin GUI of the other.  There is no reverse 
record for that member server in the DNS Admin GUI and it will not allow me to 
add a reverse zone record for the server.  I receive a message that the reverse 
record for this server already exists.

Is there a way to clean this up?  Is this glitch regarding the reverse zone
record the reason the 'A' record falls away?

Steven Auerbach
Assistant Director of Information Systems
Information Technology & Security
State University System of Florida
Board of Governors
325 W. Gaines Street, Suite 1625
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | 
www.flbog.edu


[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-14 Thread Harald Dunkel via FreeIPA-users

Hi Flo, Rob,

On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:


The files should contain multiple certificates (IPA CA and the external CA 
certificates). If it is not the case, please check first if there were AVC 
issues (if running in SElinux enforcing mode), and feel free to file a bug.



You are right, it's a set of certificates.

One last question: Is it safe to drop the old root CA from the
certutil database? It's no longer in LDAP, anyway. "getcert list"
doesn't mention any certificates derived from the old PKI, either.


I highly appreciate your support and patience.

Regards
Harri


[Freeipa-users] ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing

2017-12-14 Thread James Harrison via FreeIPA-users
Hello,
I'm reinstalling a replica FreeIPA server in a CA-less environment.
I've looked online and found
https://www.redhat.com/archives/freeipa-users/2016-December/msg00391.html, which
is similar (or exactly the problem), but there's no solid resolution. I recopied
/etc/ipa/ca.crt to the new server from an existing IPA server.
[root@cro-lv-ipa-01 log]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@cro-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core) 

Not sure what to do. 
Really appreciate any help.
Many thanks
James

Below is a snip from log files:

Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.546670082 +] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is going offline; disabling replication
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.756581200 +] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 1
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 2
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 3
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.608407982 +] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.845823301 +] - INFO - import_monitor_threads - import userRoot: Workers cleaned up.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.862303717 +] - INFO - import_main_offline - import userRoot: Indexing complete.  Post-processing...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.879128392 +] - INFO - import_main_offline - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.926416316 +] - INFO - import_main_offline - import userRoot: Generating numSubordinates complete.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.937805159 +] - INFO - ldbm_get_nonleaf_ids - import userRoot: Gathering ancestorid non-leaf IDs...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.954558879 +] - INFO - ldbm_get_nonleaf_ids - import userRoot: Finished gathering ancestorid non-leaf IDs.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.988095437 +] - INFO - ldbm_ancestorid_new_idl_create_index - import userRoot: Creating ancestorid index (new idl)...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.037871941 +] - INFO - ldbm_ancestorid_new_idl_create_index - import userRoot: Created ancestorid index (new idl).
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.054977988 +] - INFO - import_main_offline - import userRoot: Flushing caches...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.071740106 +] - INFO - import_main_offline - import userRoot: Closing files...
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.087512816 +] - INFO - import_main_offline - import userRoot: Import complete.  Processed 2258 entries in 5 seconds. (451.60 entries/sec)
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.108388854 +] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.144415357 +] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is coming online; enabling replication
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.194223235 +] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.216305850 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14 
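As an added example (not code from the thread, from 389-ds or from FreeIPA), a Python parser for the journal lines quoted above: it splits each ns-slapd entry into severity, plugin, function and message and counts the ERR entries per plugin, so the import INFO noise falls away and the plugin errors can be triaged on their own. The sample lines are constructed from the post's excerpt, rejoined onto single lines, with the timezone assumed to be +0000 where the archive shows only "+]".

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# journald-wrapped 389-ds line, as quoted in the thread:
#   "<syslog ts> <host> ns-slapd[<pid>]: [<ds ts>] - <SEV> - [<plugin> - ]<function> - <message>"
# Lines without the bracketed prefix (e.g. "GSSAPI client step 1") carry no severity.
LINE_RE = re.compile(
    r"^(?P<sts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ns-slapd\[(?P<pid>\d+)\]: "
    r"(?:\[(?P<dts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?:(?P<plugin>.+?) - )?(?P<func>\S+) - )?"
    r"(?P<msg>.*)$"
)

class DsEvent(NamedTuple):
    host: str
    pid: int
    severity: Optional[str]   # NOTICE / INFO / ERR, or None for unprefixed lines
    plugin: Optional[str]     # None for core functions such as import_main_offline
    func: Optional[str]
    msg: str

def parse_ns_slapd(lines: List[str]) -> List[DsEvent]:
    """Parse ns-slapd journal lines; anything that is not an ns-slapd line is skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(DsEvent(m["host"], int(m["pid"]), m["sev"],
                                  m["plugin"], m["func"], m["msg"]))
    return events

def errors_by_plugin(events: List[DsEvent]) -> Counter:
    """Count ERR entries per (plugin, function) so the import INFO noise drops out."""
    return Counter((e.plugin or "core", e.func) for e in events if e.severity == "ERR")

# Constructed sample, taken from the excerpt in the post and rejoined onto single lines
# (timezone assumed +0000; the archive shows it as "+]").
H = "cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]:"
SAMPLE_LINES = [
    f"Dec 14 15:34:34 {H} [14/Dec/2017:15:34:34.546670082 +0000] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is going offline; disabling replication",
    f"Dec 14 15:34:35 {H} GSSAPI server step 1",
    f"Dec 14 15:34:39 {H} [14/Dec/2017:15:34:39.087512816 +0000] - INFO - import_main_offline - import userRoot: Import complete.  Processed 2258 entries in 5 seconds. (451.60 entries/sec)",
    f"Dec 14 15:34:39 {H} [14/Dec/2017:15:34:39.108388854 +0000] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology",
    f"Dec 14 15:34:39 {H} [14/Dec/2017:15:34:39.194223235 +0000] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.",
    f"Dec 14 15:34:39 {H} [14/Dec/2017:15:34:39.216305850 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist",
]

if __name__ == "__main__":
    for (plugin, func), n in errors_by_plugin(parse_ns_slapd(SAMPLE_LINES)).items():
        print(f"{n} ERR from {plugin}/{func}")
```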

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-14 Thread Florence Blanc-Renaud via FreeIPA-users

On 12/13/2017 04:39 PM, Harald Dunkel via FreeIPA-users wrote:

Hi Flo,

On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:


My concern is, it looks much more restricted than the old root CA
certificate:

# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE  CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE           C,,

Shouldn't it be "CT,C,C" as well?


:
:

Hi,

the flags here will be the same as the ones used with the command 
ipa-cacert-manage install -t . If I recall correctly, in most 
cases you need only C,, but if your deployment requires more flags (for 
instance the external CA is used to sign Smart Card certificates), you 
can tune this by providing the required flags in ipa-cacert-manage install.




ipa-cert-update said

# ipa-certupdate
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'schema' to json server 
'https://ipa1.example.de/ipa/json'

trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 
'https://ipa1.example.de/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 
'https://ipa1.example.de/ipa/json'

Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

dmesg shows that there was a core dump:

[108604.869633] ns-slapd[23051]: segfault at 10 ip 7fb60841dc30 sp 
7fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]


Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
is still old. The files have been touched, but not replaced by the new
certificate.



AFAICT this is not as documented. Would you suggest to file a bug
report?

The files should contain multiple certificates (IPA CA and the external 
CA certificates). If it is not the case, please check first if there 
were AVC issues (if running in SElinux enforcing mode), and feel free to 
file a bug.


Flo


Regards
Harri
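As an added illustration of the trust-flag question above (not code from the thread or from FreeIPA): a small Python audit that parses certutil -L output in the layout shown and reports CA entries whose NSS trust string is narrower than CT,C,C, following the certutil(1) meaning of C (trusted CA to issue server certs), T (trusted CA to issue client certs) and p (explicitly distrusted). The sample listing is reconstructed from the thread; the nicknames and DNs are taken from it.

```python
import re
from typing import Dict, List, NamedTuple

# NSS trust string printed by certutil -L has three fields: SSL,S/MIME,JAR/XPI.
# Per certutil(1): p distrusted, P trusted peer, c valid CA, C trusted CA to issue
# server certs, T trusted CA to issue client certs, u own private key present.
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")

class NssCert(NamedTuple):
    nickname: str
    ssl: str
    email: str
    code: str

def parse_certutil_list(output: str) -> List[NssCert]:
    """Parse 'certutil -L' text: nickname, whitespace, then the trust string."""
    certs = []
    for line in output.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue                      # blank line or a lone header cell
        nick, flags = parts
        m = TRUST_RE.match(flags)
        if m:                             # the "Trust Attributes" header fails here
            certs.append(NssCert(nick.strip(), *m.groups()))
    return certs

def audit_ca_trust(certs: List[NssCert]) -> Dict[str, List[str]]:
    """Map CA nickname -> notes for CAs trusted more narrowly than CT,C,C."""
    findings: Dict[str, List[str]] = {}
    for c in certs:
        fields = (c.ssl, c.email, c.code)
        if not any(ch in f for f in fields for ch in "cCT"):
            continue                      # service cert such as u,u,u, not a CA
        notes = []
        if any("p" in f for f in fields):
            notes.append("explicitly distrusted in at least one context")
        if "C" not in c.ssl:
            notes.append("no C in SSL field: not trusted to issue TLS server certs")
        if "T" not in c.ssl:
            notes.append("no T in SSL field: not trusted to issue TLS client certs")
        if notes:
            findings[c.nickname] = notes
    return findings

# Constructed sample, reconstructed from the certutil -L listing in the thread.
SAMPLE = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                       u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE  CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE           C,,
"""
```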