Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-20 Thread Simo Sorce
On Thu, 20 Jan 2011 11:03:12 +0530
Aravind GV aravind...@gmail.com wrote:

> Hi Simo,
>
> Great response from you, but still the issue is not solved completely.
> After applying your patch I am getting the below-mentioned error:
>
>
> [root@dirsrv ~]# ipa-replica-manage connect  --winsync --binddn
> CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com  --cacert /root/bgkerb.cer
> 10.0.65.28 --passsync asd312ASD --bindpw asd312ASD -v
> Added CA certificate /root/bgkerb.cer to certificate database for
> dirsrv.agv.com
> *unexpected error: basic_replication_setup() takes exactly 5
> arguments (3 given)*


I am sorry Aravind,
but at the moment I do not have a test environment that lets me test
winsync replication.

Hopefully this new patch should fix the remaining regressions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 5c9952b5e166dde222bc8c5433ca97480432a980 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 19 Jan 2011 09:53:59 -0500
Subject: [PATCH] Fix ipa-replica-manage regressions with winsync

Avoids ipa-replica-manage to throw up errors.

Fixes: https://fedorahosted.org/freeipa/ticket/807
---
 install/tools/ipa-replica-manage |7 ++-
 ipaserver/install/dsinstance.py  |1 +
 ipaserver/install/replication.py |8 +---
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 80974545761399cec46032c8ae2b6689aa4ff7fd..20eb93c26748c71e097a38f40cb58c0215a643e1 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -26,7 +26,7 @@ from ipapython import ipautil
 from ipaserver.install import replication, dsinstance, installutils
 from ipaserver import ipaldap
 from ipapython import version
-from ipalib import errors, util
+from ipalib import api, errors, util
 
 CACERT = /etc/ipa/ca.crt
 
@@ -355,6 +355,11 @@ def force_sync(realm, thishost, fromhost, dirman_passwd):
 def main():
 options, args = parse_options()
 
+# Just initialize the environment. This is so the installer can have
+# access to the plugin environment
+api.bootstrap(in_server=True)
+api.finalize()
+
 dirman_passwd = None
 realm = krbV.default_context().default_realm
 
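Review bot: api.bootstrap(in_server=True) followed by api.finalize() now runs unconditionally at the top of main(), before dirman_passwd is even read, so every subcommand (list, del, force-sync, not only the winsync connect path the comment refers to) pays for loading the full plugin environment and will fail with a raw traceback if the server configuration cannot be read; consider bootstrapping only on the path that needs the installer environment, or wrapping the two calls so a missing or unreadable configuration is reported as a readable error rather than an unhandled exception.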
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 378e0123405ed1222129d899573974fba9089a55..5da9d17d4417031920495254ff566ee235234bfb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -180,6 +180,7 @@ class DsInstance(service.Service):
 self.dercert = None
 self.idstart = None
 self.idmax = None
+self.subject_base = None
 if realm_name:
 self.suffix = util.realm_to_suffix(self.realm_name)
 self.__setup_sub_dict()
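Review bot: initialising self.subject_base = None alongside dercert, idstart and idmax avoids an AttributeError on DsInstance objects created by ipa-replica-manage, but nothing in this hunk assigns a real value, so any later code that formats subject_base into a certificate subject will silently produce the string "None"; either assert it has been set where it is consumed or document in the constructor which callers are expected to assign it.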
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 21e6bcc4970f5d534df882f98327ace9119db983..756bb5595226d49e31edf5ce5afd12d26ac26758 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -625,7 +625,8 @@ class ReplicationManager:
 # there is no other side to get a replica ID from
 # So we generate one locally
 replica_id = self._get_replica_id(self.conn, self.conn)
-self.basic_replication_setup(self.conn, replica_id)
+self.basic_replication_setup(self.conn, replica_id,
+ self.repl_man_dn, self.repl_man_passwd)
 
 #now add a passync user allowed to access the AD server
 self.add_passsync_user(self.conn, passsync_pw)
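Review bot: passing self.repl_man_dn and self.repl_man_passwd makes the call match the five-argument basic_replication_setup signature that the reporter's traceback complains about ("takes exactly 5 arguments (3 given)"), but the hunk does not show where those two attributes are populated on the winsync path; confirm they are set before this point, otherwise the failure only moves from a TypeError to a replication bind attempted with None credentials.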
@@ -638,8 +639,9 @@ class ReplicationManager:
 logging.info(Agreement is ready, starting replication . . .)
 
 #Finally start replication
-return self.start_replication(self.conn, ad_conn,
-  self.repl_man_dn, self.repl_man_passwd)
+ret = self.start_replication(ad_conn)
+if ret != 0:
+raise RuntimeError(Failed to start replication)
 
 def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw):
 r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT)
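Review bot: replacing `return self.start_replication(self.conn, ad_conn, self.repl_man_dn, self.repl_man_passwd)` with `ret = self.start_replication(ad_conn)` plus a raise changes two things at once: the method now returns None on success instead of the status code, so any caller that inspected the return value must be updated, and start_replication is called with one argument where it previously took four, yet the new signature is not part of this diff, so verify it exists. A bare RuntimeError("Failed to start replication") will also surface in ipa-replica-manage as the same generic "unexpected error" the reporter saw; raising an ipalib errors subclass, or at least including the agreement host and the returned status in the message, would make the failure diagnosable.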
-- 
1.7.3.4

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-20 Thread Aravind GV
Hi Simo,
I am traveling this week; I will test and let you know in a week's time.

Sent from my iPhone

On Jan 20, 2011, at 7:28 PM, Simo Sorce sso...@redhat.com wrote:

> On Thu, 20 Jan 2011 11:03:12 +0530
> Aravind GV aravind...@gmail.com wrote:
>
>> Hi Simo,
>>
>> Great response from you, but still the issue is not solved completely.
>> After applying your patch I am getting the below-mentioned error:
>>
>>
>> [root@dirsrv ~]# ipa-replica-manage connect  --winsync --binddn
>> CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com  --cacert /root/bgkerb.cer
>> 10.0.65.28 --passsync asd312ASD --bindpw asd312ASD -v
>> Added CA certificate /root/bgkerb.cer to certificate database for
>> dirsrv.agv.com
>> *unexpected error: basic_replication_setup() takes exactly 5
>> arguments (3 given)*
>
>
> I am sorry Aravind,
> but at the moment I do not have a test environment that lets me test
> winsync replication.
>
> Hopefully this new patch should fix the remaining regressions.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
> freeipa-simo-0062-2-Fix-ipa-replica-manage-regressions-with-winsync.patch



[Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Ian Stokes-Rees


  
  
Hello,

We have a deployment of IPA that we have been using successfully
for 185 days. We are 3 days past the "half year" mark, and the
self-signed cert that was created with the original IPA install
(FreeIPA v2 alpha) has expired. I have created a new self-signed
cert, PKCS#12 format, but I cannot load it using the command:
  

ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap


When I try this, I am asked for:

Directory Manager password:

And I have no idea what this would be. I've tried the Kerberos
"admin" password (used with "kinit admin"), and the root password.
I don't know what other passwords would work.

Is there some way to force this, or reset it, without starting from
scratch? The added challenge is that the person who set up this
version of FreeIPA went on vacation for 2 weeks, so I have minimal
background with FreeIPA from an admin/install perspective.

TIA,

Ian
-- 
Ian Stokes-Rees, PhD   W: http://hkl.hms.harvard.edu
ijsto...@hkl.hms.harvard.edu   T: +1 617 432-5608 x75
NEBioGrid, Harvard Medical School  C: +1 617 331-5993


  



Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden

Ian Stokes-Rees wrote:

> Hello,
>
> We have a deployment of IPA that we have been using successfully for 185
> days. We are 3 days past the half year mark, and the self-signed cert
> that was created with the original IPA install (FreeIPA v2 alpha) has
> expired. I have created a new self-signed cert, PKCS#12 format, but I
> cannot load it using the command:
>
> ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
>
> When I try this, I am asked for:
>
> Directory Manager password:
>
> And I have no idea what this would be. I've tried the Kerberos admin
> password (used with kinit admin), and the root password. I don't know
> what other passwords would work.
>
> Is there some way to force this, or reset it, without starting from
> scratch? The added challenge is that the person who set up this version
> of FreeIPA went on vacation for 2 weeks, so I have minimal background
> with FreeIPA from an admin/install perspective.


Just so I have the full context, where did the original self-signed cert 
come from? The initial cert should have been good for 12 months so I'm a 
little confused. Do you know where the initial certificate came from?


You're running a pretty old build so maybe we didn't have this quite 
working but we use a tool named certmonger to keep the SSL certificates 
valid. It could be that we weren't using certmonger then, or not 
enabling it correctly, I'm not sure. If you want to see then as root 
run: ipa-getcert list. This will show you the certificates that 
certmonger is monitoring (and I suppose it could be none or you could 
get a DBus error).


Since your infrastructure is probably down because of this here are the 
instructions you need to get going again. I hesitate because I don't 
want to make things worse for you by not understanding the history.


The Directory Manager is essentially the super-user of 389-ds. It gets a 
separate password when IPA is installed. See these instructions for 
resetting it: 
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword


I'm also curious why only the 389-ds cert has expired and not the Apache 
cert (or maybe you haven't noticed it yet). 'certutil -L -d 
/etc/httpd/alias -n Server-Cert' will show you.


rob



Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Ian Stokes-Rees


  
  
Some more info:

1. certmonger wasn't running, so I started it. Then I can execute
"ipa-getcert list" but it doesn't return anything.

2. /var/log/ipa/default.log (the only log file in that dir)
appears to show the *new* cert being imported successfully (the
latest timestamps are from about 1000 seconds ago, or less than 20
minutes):

1295559526.007954 10650 MainThread INFO skipping plugin
module ipaserver.plugins.selfsign: selfsign is not selected as RA
plugin, it is dogtag
1295559526.060926 10650 MainThread INFO Mounting
ipaserver.rpcserver.xmlserver() at 'xml'
1295559526.064243 10650 MainThread INFO Mounting
ipaserver.rpcserver.jsonserver() at 'json'
1295559528.905495 10650 MainThread INFO
args=/usr/bin/certutil -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -N -f
/etc/dirsrv/slapd-NEBIOGRID-ORG//pwdfile.txt
1295559528.906025 10650 MainThread INFO stdout=
1295559528.906155 10650 MainThread INFO stderr=
1295559528.922699 10650 MainThread INFO
args=/usr/bin/pk12util -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -i
ldap-selfsigned-to20120120.pkcs12 -k
/etc/dirsrv/slapd-NEBIOGRID-ORG//pwdfile.txt -w /tmp/tmpglOV1H
1295559528.923025 10650 MainThread INFO stdout=pk12util:
PKCS12 IMPORT SUCCESSFUL

1295559528.923120 10650 MainThread INFO stderr=
1295559528.932131 10650 MainThread INFO
args=/usr/bin/pk12util -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -l
ldap-selfsigned-to20120120.pkcs12 -k /tmp/tmpglOV1H -w
/tmp/tmpglOV1H
1295559528.932373 10650 MainThread INFO
stdout=Certificate(has private key):
 Data:
 Version: 3 (0x2)
 Serial Number:
 00:a2:6f:63:17:17:c3:28:60
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Issuer: "CN=nebio-directory.in.hwlab,O=IPA"
 Validity:
 Not Before: Thu Jan 20 16:46:31 2011
 Not After : Fri Jan 20 16:46:31 2012
 Subject: "CN=nebio-directory.in.hwlab,O=IPA"

3. dirsrv errors has this as its last log entries:
/var/log/dirsrv/slapd-NEBIOGRID-ORG/errors:

[20/Jan/2011:16:55:22 -0500] - SSL alert: Security Initialization:
Can't find certificate (Server-Cert) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8174 - security library: bad database.)
[20/Jan/2011:16:55:22 -0500] - SSL alert: Security Initialization:
Unable to retrieve private key for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8174 - security library: bad database.)
[20/Jan/2011:16:55:22 -0500] - SSL failure: None of the cipher are
valid
[20/Jan/2011:16:55:22 -0500] - ERROR: SSL Initialization phase 2
Failed.

4. httpd reports lots of errors: /var/log/httpd/error_log

[Thu Jan 20 17:05:43 2011] [notice] SELinux policy enabled; httpd
running as context unconfined_u:system_r:httpd_t:s0
[Thu Jan 20 17:05:43 2011] [notice] suEXEC mechanism enabled
(wrapper: /usr/sbin/suexec)
[Thu Jan 20 17:05:44 2011] [error] Certificate not verified:
'Server-Cert'
[Thu Jan 20 17:05:44 2011] [error] SSL Library Error: -8181
Certificate has expired
[Thu Jan 20 17:05:44 2011] [error] Server certificate is expired:
'Server-Cert'
[Thu Jan 20 17:05:44 2011] [notice] Digest: generating secret for
digest authentication ...
[Thu Jan 20 17:05:44 2011] [notice] Digest: done
[Thu Jan 20 17:05:44 2011] [error] python_init: Python version
mismatch, expected '2.6', found '2.6.4'.
[Thu Jan 20 17:05:44 2011] [error] python_init: Python executable
found '/usr/bin/python'.
[Thu Jan 20 17:05:44 2011] [error] python_init: Python path being
used
'/usr/lib64/python26.zip:/usr/lib64/python2.6/:/usr/lib64/python2.6/plat-linux2:/usr/lib64/python2.6/lib-tk:/usr/lib64/python2.6/lib-old:/usr/lib64/python2.6/lib-dynload'.
[Thu Jan 20 17:05:44 2011] [notice] mod_python: Creating 4 session
mutexes based on 256 max processes and 0 max threads.
[Thu Jan 20 17:05:44 2011] [notice] mod_python: using
mutex_directory /tmp
[Thu Jan 20 17:05:44 2011] [notice] Apache/2.2.16 (Unix) DAV/2
mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.6.2 mod_python/3.3.1
Python/2.6.4 mod_wsgi/3.1 configured -- resuming normal operations
[Thu Jan 20 17:05:44 2011] [error] Certificate not verified:
'Server-Cert'
[Thu Jan 20 17:05:44 2011] [error] SSL Library Error: -8181
Certificate has expired
[Thu Jan 20 17:05:44 2011] [error] Server certificate is expired:
'Server-Cert'
...
[Thu Jan 20 17:05:45 2011] [error] ipa: ERROR: Failed to start IPA:
Unable to retrieve LDAP schema. Error initializing principal
HTTP/nebio-directory.in.hw...@nebiogrid.org in
/etc/httpd/conf/ipa.keytab: (-1765328324, 'Generic error (see
e-text)')

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden

Ian Stokes-Rees wrote:

>> Just so I have the full context, where did the original self-signed
>> cert come from? The initial cert should have been good for 12 months
>> so I'm a little confused. Do you know where the initial certificate
>> came from?
>
> I have to plead ignorance, since it was our regular sys admin (away on
> vacation for 2 weeks) who installed this in the summer of 2010. I'm a user
> stuck with managing the system while he's away. I assume this cert came
> from the default installation process. He chimed in with a quick
> comment on our internal ticket, and said he doesn't know any details
> about the cert infrastructure of FreeIPA.



Ouch, you have my sympathies.


>> You're running a pretty old build so maybe we didn't have this quite
>> working but we use a tool named certmonger to keep the SSL
>> certificates valid. It could be that we weren't using certmonger then,
>> or not enabling it correctly, I'm not sure. If you want to see then as
>> root run: ipa-getcert list. This will show you the certificates that
>> certmonger is monitoring (and I suppose it could be none or you could
>> get a DBus error).
>
> Probably not running it:
>
> # ipa-getcert list
> Error org.freedesktop.DBus.Error.ServiceUnknown: The name
> org.fedorahosted.certmonger was not provided by any .service files



Ok, that's fine. Maybe we can use it once you get up and running again, 
but first things first.




>> Since your infrastructure is probably down because of this here are
>> the instructions you need to get going again. I hesitate because I
>> don't want to make things worse for you by not understanding the history.
>>
>> The Directory Manager is essentially the super-user of 389-ds. It gets
>> a separate password when IPA is installed. See these instructions for
>> resetting it:
>> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword
>
> Seemed straightforward, but it hasn't worked. After changing the
> password in the dse.ldif file I can't restart dirsrv successfully: our
> instance won't restart, but the PKI-IPA one will restart just fine. In
> either case, I can't execute the ipa-server-certinstall, as I get an error:
>
> # ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12
> --dirsrv_pin=ldap
> Directory Manager password:
> an unexpected error occurred: Can't contact LDAP server:
> [stacktrace]
> DatabaseError: Can't contact LDAP server:


/me smacks head

Ok, of course you can't contact the LDAP server because it isn't up 
because the cert is expired!



> Also, I should reiterate that the PKCS#12 file is *self signed*, but I
> notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA
> -- perhaps my cert needs to be signed by this CA?


Yes, that was going to be my next question. While throwing any old 
self-signed cert in there might get the server up other things won't 
work, notably replication.


Ok, here are some steps I worked out that I think will get you back in 
business. I'm going to try to renew your 389-ds certificate using IPA.


First we need to get 389-ds back up and running.

I'm going to use REALM in place of the instance name for your 389-ds 
install.


1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
2. Make a backup of your dirsrv NSS database (so 
/etc/dirsrv/slapd-REALM/*.db)
3. Edit dse.ldif and set nsslapd-security to off
4. Try starting dirsrv: service start dirsrv REALM
5. Get a kerberos ticket for admin: kinit admin
6. Generate a new CSR for your directory server:
certutil -R -k 'NSS Certificate DB:Server-Cert' -s 
'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f 
/etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr

7. Get a new certificate:
ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab 
8. Paste the value in the output for Certificate into a file. This is a 
base64-encoded blob of text probably starting with MII and ending with ==.

9. Add this new cert to your 389-ds database
certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
10. service dirsrv stop REALM
11. edit dse.ldif and set nsslapd-security to on
12. service dirsrv start REALM

I ran the majority of these steps against my own IPA installation and 
nothing caught on fire. I hope you have equal success.





>> I'm also curious why only the 389-ds cert has expired and not the
>> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
>> /etc/httpd/alias -n Server-Cert' will show you.
>
> Here you can see the expired cert and the 6 month lifespan:
>
> # certutil -L -d /etc/httpd/alias -n Server-Cert
> Certificate:
>  Data:
>  Version: 3 (0x2)
>  Serial Number: 9 (0x9)
>  Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>  Issuer: CN=Certificate Authority,O=IPA
>  Validity:
>  Not Before: Wed Jul 21 18:13:52 2010
>  Not After : Mon Jan 17 18:13:52 2011
>  Subject: CN=nebio-directory.in.hwlab,O=IPA



Wow, not sure why it would do a 6 month cert but seeing is believing.

regards

rob
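The recovery sequence Rob lays out above (back up dse.ldif, flip nsslapd-security, issue a CSR against the existing Server-Cert key, request a cert from IPA, import it, turn security back on), plus a small parser for the `certutil -L` output he asks for, as an added example that is not part of the thread or of FreeIPA itself. REALM is a placeholder for the 389-ds instance name, and the "Certificate:" line format of `ipa cert-request` output is an assumption; nothing is executed until renew_dirsrv_cert is called explicitly.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the recovery sequence Rob
# describes (backup, flip nsslapd-security, CSR, ipa cert-request, import).
# REALM is a placeholder for the 389-ds instance name; the "Certificate:" line
# format of `ipa cert-request` output is an assumption. Nothing runs until you
# call renew_dirsrv_cert yourself.

# Print the current nsslapd-security value from a dse.ldif.
get_nsslapd_security() {
    awk 'tolower($1) == "nsslapd-security:" { print $2; exit }' "$1"
}

# Set nsslapd-security in dse.ldif ($1) to on|off ($2) after taking a backup.
# Only that attribute line changes; the attribute name is matched case-insensitively.
set_nsslapd_security() {
    dse="$1"; state="$2"
    case "$state" in on|off) ;; *) echo "state must be on or off" >&2; return 2 ;; esac
    cp -p "$dse" "$dse.bak.$(date +%Y%m%d%H%M%S)"
    awk -v st="$state" '
        tolower($1) == "nsslapd-security:" { print "nsslapd-security: " st; next }
        { print }' "$dse" > "$dse.tmp" && mv "$dse.tmp" "$dse"
    # fail loudly if the attribute was not present at all
    [ "$(get_nsslapd_security "$dse")" = "$state" ]
}

# Extract the Not After date from `certutil -L -d <db> -n <nick>` output on stdin,
# e.g. to spot the short six-month lifetime seen in the thread before it bites.
cert_not_after() {
    sed -n 's/^[[:space:]]*Not After *: *//p' | head -n 1
}

# Rob's steps from disabling security through re-enabling it, for instance
# name $1 (REALM) and directory server FQDN $2. Expects a working admin login.
renew_dirsrv_cert() {
    realm="$1"; fqdn="$2"
    inst="/etc/dirsrv/slapd-$realm"
    set_nsslapd_security "$inst/dse.ldif" off
    service dirsrv start "$realm"
    kinit admin
    # the CSR reuses the Server-Cert key that is still in the NSS database
    certutil -R -k "NSS Certificate DB:Server-Cert" -s "cn=$fqdn,O=IPA" \
        -d "$inst" -f "$inst/pwdfile.txt" -a > renew.csr
    # assumption: the CLI prints the base64 body on a line beginning "Certificate:"
    ipa cert-request renew.csr --principal="ldap/$fqdn" \
        | awk '/^[[:space:]]*Certificate:/ { print $2 }' > cert.txt
    certutil -A -d "$inst" -n Server-Cert -t u,u,u -a < cert.txt
    service dirsrv stop "$realm"
    set_nsslapd_security "$inst/dse.ldif" on
    service dirsrv start "$realm"
}
```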


Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-01-20 Thread Rob Crittenden

Ian Stokes-Rees wrote:

> Some more info:
>
> 1. certmonger wasn't running, so I started it. Then I can execute
> ipa-getcert list but it doesn't return anything.


Ok, your install must have pre-dated our implementation of it.


> 2. /var/log/ipa/default.log (the only log file in that dir) appears to
> show the *new* cert being imported successfully (the latest timestamps
> are from about 1000 seconds ago, or less than 20 minutes):


As one might expect the Apache cert has also expired. Apache needs a 
valid cert and needs to contact 389-ds to start IPA.



> 3. dirsrv errors has this as its last log entries:
> /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors:


It doesn't seem to like the self-signed cert you installed.

The key used to initially generate the 389-ds certificate should still 
be in your NSS database, certutil -K -d /etc/dirsrv/slapd-REALM should 
have it. We should be able to use that to get things working again.


I think the fastest way to get back up would be to set your system clock 
back to Jan 15. Disable security in 389-ds and start that, then restart 
Apache. This should be enough to get part of your infrastructure back up 
and running long enough to renew the certs.


Once you renew the 389-ds certificate and get that working you can do 
pretty much the same thing to Apache. The Apache NSS database is in 
/etc/httpd/alias. You won't need to disable security for this at all.


Otherwise we may have to set up a sort of temporary CA, issue new 
certificates for Apache and 389-ds to get them back up and running, then 
renew things.


If you try going back in time don't forget to reset the date. You'll 
have to stop ntpd when going back in time.


rob
