[Freeipa-users] Re: ca replication for hosts with different dns domains
Hi

Thanks for taking a look at this.

'IDM domain replication group'. I mean it is the "Topology suffix" to connect two replicas.
"Domain" suffix works for host2, it can receive and send updates with host1.
"CA" suffix failed during install,

###
Imported certificates into /etc/pki/pki-tomcat/alias:

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                 u,u,Pu
ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u

Installation failed: server failed to restart

2020-03-23T14:33:18Z DEBUG stderr=pkispawn    : ERROR    ... server failed to restart
2020-03-23T14:33:18Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpV8jHPQ' returned non-zero exit status 1
2020-03-23T14:33:18Z CRITICAL See the installation logs and the following files/directories for more information:
2020-03-23T14:33:18Z CRITICAL   /var/log/pki/pki-tomcat
2020-03-23T14:33:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2020-03-23T14:33:18Z DEBUG   [error] RuntimeError: CA configuration failed.
2020-03-23T14:33:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 341, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 309, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 233, in install_replica
    ca.install(True, config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 254, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 334, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 490, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2020-03-23T14:33:18Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
###

On Tuesday, April 7, 2020, 02:38:35 AM EDT, Alexander Bokovoy wrote:

> On ma, 06 huhti 2020, askstack--- via FreeIPA-users wrote:
> >Hi
> >
> >IDM domain: "first.domain"
> >Host name: host1.first.domain
> >           host2.second.domain
> >I was able to run "ipa-client-install" on host2 and promoted it to a domain
> >replica. After I verified domain replication was working, I tried to run
> >ipa-ca-install. It failed on host2.
> >Redhat support said host1 and host2 are on two different dns domains so
> >replication is not supported. I am not sure that is the case since two hosts
> >are in the same and only IDM domain replication group.
> >Is redhat support correct?
>
> I think there are not enough details in your request to answer that
> question. I also don't know what you mean by 'IDM domain replication
> group'.
>
> In particular, what are the errors you are seeing, exactly?
>
> If you have a case open, please share the number and communicate within
> the case, not with an anonymous account on a public mailing list.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
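The certificate listing in the log above is the first thing worth checking when a CA replica fails to come up: the trust attributes say whether each certificate was imported with its private key and with the right trust. The script below is an added example, not code from the thread or from FreeIPA/Dogtag. It parses a `certutil -L` style listing (the same shape ipa-ca-install prints for /etc/pki/pki-tomcat/alias) and compares it with the flags a working CA replica carries. The expected-flag table and the nicknames are assumptions based on the usual FreeIPA/Dogtag layout; the sample listings are constructed, the second one deliberately broken.

```python
"""Sanity-check the NSS trust flags of a Dogtag CA instance.

Added example, not code from the thread or from FreeIPA/Dogtag. It parses the
nickname / trust-attribute listing that ipa-ca-install prints after importing
the CA certificates into /etc/pki/pki-tomcat/alias (the same shape as
`certutil -L -d /etc/pki/pki-tomcat/alias`) and compares each entry with the
flags a working CA replica is expected to carry.
"""
import re
from typing import Dict, List, Tuple

# certutil trust attributes: three comma-separated fields for SSL, S/MIME and
# JAR/XPI. 'u' = private key present in this database, 'C' = trusted CA for
# server certs, 'T' = trusted CA for client certs, 'P' = trusted peer.
# Expected values are the usual FreeIPA/Dogtag layout (and what the thread's
# listing shows); Server-Cert is left out because the log excerpt does not
# list it. Assumption: your release uses these nicknames.
EXPECTED_TRUST: Dict[str, str] = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
}

# One listing line: a nickname (may contain spaces) followed by the flags.
# Header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match.
_LINE_RE = re.compile(
    r"^(?P<nick>\S.*?\S)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string for every certificate line."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def _flags_equal(got: str, want: str) -> bool:
    # Compare per field and order-insensitively: "CTu" and "TCu" are the same.
    return [set(f) for f in got.split(",")] == [set(f) for f in want.split(",")]


def _has_private_key(trust: str) -> bool:
    # 'u' appears in every field when the matching private key is present.
    return all("u" in f for f in trust.split(","))


def check_ca_trust(certs: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing nicknames, list of 'nick: got X, want Y' mismatches)."""
    missing = [nick for nick in EXPECTED_TRUST if nick not in certs]
    bad: List[str] = []
    for nick, want in EXPECTED_TRUST.items():
        got = certs.get(nick)
        if got is None or _flags_equal(got, want):
            continue
        note = "" if _has_private_key(got) else " (no private key in this database)"
        bad.append(f"{nick}: got {got!r}, want {want!r}{note}")
    return missing, bad


# Constructed sample: the listing from the thread, laid out as certutil prints it.
SAMPLE_LISTING = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                 u,u,Pu
ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u
"""

# Constructed failure case (not from the thread): the CA signing certificate was
# imported without its key and without CA trust, so the CA cannot issue or start.
BROKEN_LISTING = SAMPLE_LISTING.replace("CTu,Cu,Cu", ",,")


def report(listing: str) -> List[str]:
    """Human-readable problems for a listing; an empty list means it looks healthy."""
    certs = parse_certutil_listing(listing)
    missing, bad = check_ca_trust(certs)
    return [f"{nick}: missing from NSS database" for nick in missing] + bad


if __name__ == "__main__":
    for name, listing in (("thread listing", SAMPLE_LISTING),
                          ("constructed broken listing", BROKEN_LISTING)):
        problems = report(listing)
        print(f"{name}: {'OK' if not problems else 'PROBLEMS'}")
        for problem in problems:
            print("  ", problem)
```

Run against the listing from the thread it reports nothing, which is consistent with the failure being the Tomcat restart rather than the certificate import; feed it the output of `certutil -L -d /etc/pki/pki-tomcat/alias` on the failed replica to confirm the same holds after pkispawn exits.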
[Freeipa-users] Re: Domain controllers switch to LDAPS
On ke, 08 huhti 2020, Christopher Paul via FreeIPA-users wrote:
> On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
> > On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> > > On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > > > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > > > [...]
> > > > > Some people are panicking and want to switch everything to LDAPS. For
> > > > > those there is an additional enhancement in the works. For everyone
> > > > > else there is no need to do anything.
> > > >
> > > > As AD people in our organization start "panicking" we will need
> > > > the additional enhancement very soon. Where can I find more
> > > > about it?
> > >
> > > I don't think there's any reason anyone needs to panic. Microsoft
> > > updated their ADV190023 a few weeks ago to add this: "The March 10,
> > > 2020 and updates in the foreseeable future will *not* make changes
> > > to LDAP signing or LDAP channel binding policies or their registry
> > > equivalent on new or existing domain controllers."
> > >
> > > If you or they do still have questions, give me a call or email and
> > > I'll be happy to talk to you
> >
> > AD guys do not stop talking about "everything LDAPS" in our company. Is
> > it possible that they switch domain controllers to LDAPS only from a
> > technical point of view? Because if it is they will do so and IPA needs
> > to be prepared for that. In that case I really need to know what is "in
> > the works" and how to adapt our IPA servers to the new situation...
> >
> > Cheers,
> > Ronald
>
> Hey Ronald,
>
> Yes it's possible. Everything is possible, with the time and money, and
> the right experts on the job.

Correct. The work is happening in the corresponding upstreams.

If you are curious about channel bindings, follow the thread on krbdev@
for starters (it goes over months):
http://mailman.mit.edu/pipermail/krbdev/2020-February/013215.html
PR: https://github.com/krb5/krb5/pull/1047

On samba-technical@:
https://lists.samba.org/archive/samba-technical/2020-February/134845.html
MR: https://gitlab.com/samba-team/samba/-/merge_requests/1262

CyrusSASL: https://github.com/cyrusimap/cyrus-sasl/pull/601

OpenLDAP: https://lists.openldap.org/hyperkitty/list/openldap-de...@openldap.org/thread/ACLFYWEWIQVUUF3JDDSV3HZZQWXKB7N7/

Eventually it all converges in 1) upstream releases, 2) distribution
releases.

As Microsoft mentioned in the revision notes to ADV190023, they are not
planning to enforce any of the LDAP channel binding and LDAP signing
settings in any foreseeable future. We can only speculate what caused this
turnaround.

FreeIPA defaults, as they are, already enforce signing and sealing with
SASL GSSAPI over the normal LDAP port for communication with trusted
forest domain controllers.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
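The point Alexander makes in the last paragraph, that a SASL GSSAPI bind with signing and sealing on port 389 already satisfies a DC that demands LDAP signing, and is untouched by LDAP channel binding because that only applies to TLS connections, is easy to get wrong when the two ADV190023 settings are discussed together. The block below is an added example, not FreeIPA, SSSD or Microsoft code, and goes a little beyond the thread: `evaluate_bind()` encodes the two settings as I read the advisory ("Require signing" and channel binding "Always"), so treat that encoding as an assumption to verify against your own DCs. `probe_gssapi_ssf()` is a live check of the SASL security strength factor an IPA-style GSSAPI bind actually negotiates; it assumes python-ldap, a Kerberos ticket and a reachable DC, and is not run offline. The bind scenarios are constructed.

```python
"""How a Windows DC's ADV190023 hardening settings treat an LDAP bind.

Added example, not FreeIPA, SSSD or Microsoft code. evaluate_bind() encodes
the rules as described for "LDAP server signing requirements = Require
signing" and "LDAP server channel binding token requirements = Always";
that encoding is this example's reading of the advisory, so confirm it
against your own DCs. probe_gssapi_ssf() is a live check of what an
IPA-style SASL GSSAPI bind actually negotiates (needs python-ldap, a
Kerberos ticket and a reachable DC; it is not run offline).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# SASL security strength factor as reported by Cyrus SASL / OpenLDAP:
# 0 = no security layer, 1 = integrity only (signing), >1 = confidentiality
# (sealing) with roughly that many bits of key strength.
SSF_NONE = 0
SSF_INTEGRITY = 1


@dataclass(frozen=True)
class Bind:
    tls: bool                      # LDAPS (636) or StartTLS on 389
    mechanism: str                 # "simple", "GSSAPI", "GSS-SPNEGO", "NTLM"
    ssf: int = SSF_NONE            # negotiated SASL layer; ignored for simple
    channel_binding: bool = False  # client supplied a tls-server-end-point CBT


@dataclass(frozen=True)
class DcPolicy:
    require_signing: bool = False          # signing requirements = Require signing
    require_channel_binding: bool = False  # channel binding token = Always


def evaluate_bind(bind: Bind, policy: DcPolicy) -> Optional[str]:
    """Return None when the DC accepts the bind, else the rejection reason."""
    if policy.require_signing and not bind.tls:
        # Without TLS the signing requirement must be met by the SASL layer;
        # simple binds carry no such layer and are rejected outright.
        if bind.mechanism == "simple":
            return "simple bind on a cleartext connection (signing required)"
        if bind.ssf < SSF_INTEGRITY:
            return f"SASL {bind.mechanism} bind without integrity layer (signing required)"
    if (policy.require_channel_binding and bind.tls
            and bind.mechanism != "simple" and not bind.channel_binding):
        # CBT only matters for Kerberos/NTLM-style auth carried over TLS.
        return f"SASL {bind.mechanism} bind over TLS without channel binding token"
    return None


# What the thread says IPA already does towards trusted AD DCs: GSSAPI with
# sign+seal on the plain LDAP port. 256 is what an AES256 GSSAPI layer reports
# with recent Cyrus SASL (assumption); any value > 1 means sealed.
IPA_DEFAULT_BIND = Bind(tls=False, mechanism="GSSAPI", ssf=256)


def scenarios() -> Dict[str, Optional[str]]:
    """Evaluate a few constructed binds against a DC with both settings enforced."""
    strict = DcPolicy(require_signing=True, require_channel_binding=True)
    return {
        "IPA default: GSSAPI sign+seal over 389": evaluate_bind(IPA_DEFAULT_BIND, strict),
        "simple bind over 389": evaluate_bind(Bind(tls=False, mechanism="simple"), strict),
        "simple bind over LDAPS": evaluate_bind(Bind(tls=True, mechanism="simple"), strict),
        "GSSAPI over LDAPS, no CBT": evaluate_bind(Bind(tls=True, mechanism="GSSAPI"), strict),
        "GSSAPI over LDAPS with CBT": evaluate_bind(
            Bind(tls=True, mechanism="GSSAPI", channel_binding=True), strict),
    }


def probe_gssapi_ssf(uri: str, min_ssf: int = SSF_INTEGRITY) -> int:
    """Bind to `uri` with SASL GSSAPI and return the SSF that was negotiated.

    OPT_X_SASL_SSF_MIN makes the client refuse a weaker layer instead of
    silently falling back, which is the property a 'signing required' DC
    tests. Run it as a principal that holds a ticket usable against the DC.
    """
    import ldap        # python-ldap; imported here so the model runs without it
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_SASL_SSF_MIN, min_ssf)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn.get_option(ldap.OPT_X_SASL_SSF)


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {'accepted' if verdict is None else 'rejected: ' + verdict}")
```

The scenarios show why "everything LDAPS" is not the same as "hardened": switching a GSSAPI client to LDAPS without channel binding support is the one combination the channel binding setting would reject, while the existing sign+seal bind on 389 passes both settings. `probe_gssapi_ssf("ldap://dc.example.test")` against a trusted DC (hostname assumed) should return a value above 1 if sealing is in effect.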
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 4/8/20 12:57 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> > On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > > [...]
> > > > Some people are panicking and want to switch everything to LDAPS. For
> > > > those there is an additional enhancement in the works. For everyone
> > > > else there is no need to do anything.
> > >
> > > As AD people in our organization start "panicking" we will need
> > > the additional enhancement very soon. Where can I find more
> > > about it?
> >
> > I don't think there's any reason anyone needs to panic. Microsoft
> > updated their ADV190023 a few weeks ago to add this: "The March 10,
> > 2020 and updates in the foreseeable future will *not* make changes
> > to LDAP signing or LDAP channel binding policies or their registry
> > equivalent on new or existing domain controllers."
> >
> > If you or they do still have questions, give me a call or email and
> > I'll be happy to talk to you
>
> AD guys do not stop talking about "everything LDAPS" in our company. Is
> it possible that they switch domain controllers to LDAPS only from a
> technical point of view? Because if it is they will do so and IPA needs
> to be prepared for that. In that case I really need to know what is "in
> the works" and how to adapt our IPA servers to the new situation...
>
> Cheers,
> Ronald

Hey Ronald,

Yes it's possible. Everything is possible, with the time and money, and
the right experts on the job.

CP
[Freeipa-users] Re: ca replication for hosts with different dns domains
On ke, 08 huhti 2020, Ask Stack via FreeIPA-users wrote:
> Hi
> Thanks for taking a look at this.
> 'IDM domain replication group'. I mean it is the "Topology suffix" to connect two replicas.
> "Domain" suffix works for host2, it can receive and send updates with host1.
> "CA" suffix failed during install,

Ok, thanks for the additional details. They are still not enough but for the
list -- I received more details about the case in a private email and it
seems there is an issue during the CA replica promotion for the second
replica. I advised the support team where to look.

Since more details can only be provided through the customer case
communication, I think we can stop this mailing thread.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Domain controllers switch to LDAPS
On 25.03.20 20:01, Christopher Paul via FreeIPA-users wrote:
> On 3/25/20 4:44 AM, Ronald Wimmer via FreeIPA-users wrote:
> > On 25.02.20 17:26, Alexander Bokovoy via FreeIPA-users wrote:
> > > [...]
> > > Some people are panicking and want to switch everything to LDAPS. For
> > > those there is an additional enhancement in the works. For everyone
> > > else there is no need to do anything.
> >
> > As AD people in our organization start "panicking" we will need
> > the additional enhancement very soon. Where can I find more
> > about it?
>
> I don't think there's any reason anyone needs to panic. Microsoft
> updated their ADV190023 a few weeks ago to add this: "The March 10,
> 2020 and updates in the foreseeable future will *not* make changes
> to LDAP signing or LDAP channel binding policies or their registry
> equivalent on new or existing domain controllers."
>
> If you or they do still have questions, give me a call or email and
> I'll be happy to talk to you

AD guys do not stop talking about "everything LDAPS" in our company. Is
it possible that they switch domain controllers to LDAPS only from a
technical point of view? Because if it is they will do so and IPA needs
to be prepared for that. In that case I really need to know what is "in
the works" and how to adapt our IPA servers to the new situation...

Cheers,
Ronald