Re: [Freeipa-users] IPv6
On 04/26/2012 11:42 PM, Simo Sorce wrote:
> On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote:
>> Hi,
>> FYI, I shutdown IPv6 as we don't do IPv6 and found that IPA wouldn't work... slight oops there...
>
> Hi Steve,
> can you be more explicit on how you 'shutdown' IPv6 ?
> And can you please tell exactly how IPA breaks in that case ?
> Is this after IPA is fully installed ? Or does the installer fail ?
>
> Simo.

Is it same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ?

Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPv6
On 04/27/2012 04:45 AM, Petr Spacek wrote:
> On 04/26/2012 11:42 PM, Simo Sorce wrote:
>> On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote:
>>> Hi,
>>> FYI, I shutdown IPv6 as we don't do IPv6 and found that IPA wouldn't work... slight oops there...
>>
>> Hi Steve,
>> can you be more explicit on how you 'shutdown' IPv6 ?
>> And can you please tell exactly how IPA breaks in that case ?
>> Is this after IPA is fully installed ? Or does the installer fail ?
>>
>> Simo.
>
> Is it same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ?

We do IPv6 in several places, but a while ago I noticed the way we iterate over address families in nsslib in conjunction with getaddrinfo (the io.AddrInfo class) looks dubious, it seems overly complex as if it's trying to force a family selection (not sure, I would have to go back and really look at the code again).

In any event getaddrinfo is designed to return a list of possible addresses sorted in priority order by the system. You're supposed to start at the first address in the list and see if you can connect, if not try the next address. You're not supposed to take addresses in the list based on some other criteria (which is what we seem to be doing with the family).

FWIW, the raw C lib getaddrinfo allows one to specify constraints (such as family), unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does not permit this, not sure why (probably because NSPR has to fallback to other mechanisms if getaddrinfo is not available)

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
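As an added illustration of the ordering point John makes above (example code written for this digest, not FreeIPA's, nsslib's or NSPR's own), the block below contrasts the two strategies on a simulated IPv4-only host. The getaddrinfo() result list, the connect() stand-in and the host name are constructed; the stand-in fails any AF_INET6 attempt with EAFNOSUPPORT (errno 97 on Linux, the "Address family not supported by protocol" error seen in the replica thread further down). Picking an entry by family ignores the resolver's ranking and fails outright, while walking the list in order falls through to the usable IPv4 entry.

```python
"""Walk getaddrinfo() results in order instead of selecting by family.

Added example, not FreeIPA code. SAMPLE_ADDRINFO and connect_ipv4_only()
are constructed stand-ins for socket.getaddrinfo() and a real connect()
on a host whose kernel has IPv6 disabled.
"""
import errno
import socket

# Constructed stand-in for socket.getaddrinfo("ipa.example.test", 389) on a
# dual-stack resolver: the system ranked the IPv6 address first.
SAMPLE_ADDRINFO = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 389, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 389)),
]


def connect_ipv4_only(family, sockaddr):
    """Constructed connect() stand-in: IPv6 sockets cannot be created."""
    if family == socket.AF_INET6:
        raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")
    return ("connected", sockaddr[0])


def connect_forced_family(addrinfo, connect, preferred=socket.AF_INET6):
    """The dubious pattern: choose entries by family, ignoring the resolver's
    ordering. If the preferred family is unusable the call fails even though
    another entry in the list would have worked."""
    for family, _, _, _, sockaddr in addrinfo:
        if family == preferred:
            return connect(family, sockaddr)
    raise OSError(errno.EAFNOSUPPORT, "no address of the preferred family")


def connect_in_order(addrinfo, connect):
    """What getaddrinfo() intends: try each candidate in the order returned,
    fall through on failure, and raise the last error only if all fail."""
    last_err = None
    for family, _, _, _, sockaddr in addrinfo:
        try:
            return connect(family, sockaddr)
        except OSError as exc:
            last_err = exc
    raise last_err if last_err is not None else OSError("empty address list")


def real_connect(family, sockaddr, timeout=5.0):
    """Real connect() for use with connect_in_order(). socket.socket() itself
    raises EAFNOSUPPORT on an IPv4-only kernel, which connect_in_order()
    treats like any other failed candidate."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock


def demo():
    """Run both strategies against the IPv4-only stand-in.
    Returns (result of the ordered walk, whether forcing IPv6 hit EAFNOSUPPORT)."""
    ordered = connect_in_order(SAMPLE_ADDRINFO, connect_ipv4_only)
    try:
        connect_forced_family(SAMPLE_ADDRINFO, connect_ipv4_only)
        forced_failed = False
    except OSError as exc:
        forced_failed = exc.errno == errno.EAFNOSUPPORT
    return ordered, forced_failed


if __name__ == "__main__":
    print(demo())
    # Against a live host you would pass the real resolver output instead:
    # connect_in_order(socket.getaddrinfo(host, port, type=socket.SOCK_STREAM), real_connect)
```

The same connect_in_order() loop serves both the simulated list and a real socket.getaddrinfo() result, so the only thing that changes between test and production is the connect callable.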
Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.
On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos?
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in network.negotiate-auth.trusted-uris
>>>
>>> regards
>>>
>>> rob
>>
>> I've been through the clicky-clicky that ipa's web gui sends you through (accepting the certs, and configuring the browser), a number of times. I just confirmed the trusted uri's and delegation uris. They are both correct, they look like: .my.ipa.domain.com
>>
>> I even tried resetting delegation-uris, and trusted-uri's to the default, and then allowing the ipa web gui to re-configure them, it hasn't helped.
>>
>> Thanks for the response. Sorry for the delay in mine.
>
> Hmm, that is very strange. The code in question in Firefox looks like:
>
>     bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
>     if (!allowed) {
>         LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>         return NS_ERROR_ABORT;
>     }
>
> which seems to be the error you are seeing. It's a shame there isn't more logging around the uris.
>
> I see that you had enabled debug logging on the Apache side. Can you provide some more context on the failed request?
>
> thanks
>
> rob

Again, sorry for the delay. This is just one in my long list of current projects.

Here's the requested log data. It's a tail -f of the access and error logs. Server name, and client ip stripped.

==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

--
Nathan Lager, RHCSA, RHCE (#110-011-426)
Re: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
On 04/26/2012 04:51 PM, hshhs caca wrote:
> Hi folks,
>
> When evaluating migration from existing separate LDAP/Kerberos solution to integrated IPA, I got confused on the purposes of Dogtag Certificate system inside IPA. What are the main purposes of it? or what value it brings in to IPA? I can see the points of KDC and 389 Directory server parts, even NTP and DNS, but not for Dogtag. Frankly, I am not sure where I should put it.
>
> Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on client and then krb5 tools/libs will do their work happily. Then why should I authenticate a machine with certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).
>
> A close question is: what are the main points/benefits of machine authentication? Because with traditional keytab based kerberos setup, the users, machines and services can authenticate no problem, then why do we need an extra authentication with machine certificate as a must?
>
> Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running ipa-client-install script? What is its purpose?
>
> Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still can not run 'ipa user-find' command on the client; when another same type linux client installed with 'ipa-client-install' has no problem to run it. Is there any difference between manual and automatic installations?
>
> Sorry I got too many questions and probably more, as I read through the Redhat IPA document several times, and every time more questions pop up. :)
>
> Thanks a lot.

Let us take one at a time.

Dogtag is the certificate system. Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment. There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.

There will be more certificate related features over time. They would include support of pkinit, issuance and management of the user certificates and many others. Some of the work started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.

Hope it clarifies things.

What is the reason for manually configuring the client?

> --Robinson

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes
On 04/26/2012 07:10 PM, David Copperfield wrote:
> IPA Replica installation fails on IPV4 Linux box. The exception/messages on screen are:
>
> ... error: [Errno 97] Address family not supported by protocol ...
>
> After looking into the python code, it is found out that the IPA program tried to test both IPV4 and IPv6 address families, and it failed there when IPV6 is turned off. So I turn on IPV6 again, try ipa-conncheck again and it works this time.

This rings the bell, I think we already have a ticket for that.

> --David
>
> *From:* hshhs caca cao2...@yahoo.com
> *To:* freeipa-users@redhat.com
> *Sent:* Thursday, April 26, 2012 1:51 PM
> *Subject:* [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
>
> Hi folks,
>
> When evaluating migration from existing separate LDAP/Kerberos solution to integrated IPA, I got confused on the purposes of Dogtag Certificate system inside IPA. What are the main purposes of it? or what value it brings in to IPA? I can see the points of KDC and 389 Directory server parts, even NTP and DNS, but not for Dogtag. Frankly, I am not sure where I should put it.
>
> Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on client and then krb5 tools/libs will do their work happily. Then why should I authenticate a machine with certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).
>
> A close question is: what are the main points/benefits of machine authentication? Because with traditional keytab based kerberos setup, the users, machines and services can authenticate no problem, then why do we need an extra authentication with machine certificate as a must?
>
> Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running ipa-client-install script? What is its purpose?
>
> Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still can not run 'ipa user-find' command on the client; when another same type linux client installed with 'ipa-client-install' has no problem to run it. Is there any difference between manual and automatic installations?
>
> Sorry I got too many questions and probably more, as I read through the Redhat IPA document several times, and every time more questions pop up. :)
>
> Thanks a lot.
>
> --Robinson

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
On 04/26/2012 10:58 PM, David Copperfield wrote:
> Hi,
>
> Just have a silly case where I've to download the existing version keytab for a service principal. It is download only -- not recreate a new version and download the new version which ipa-getkeytab does. -- ipa-getkeytab command name seems a little bit misleading because it does both 'set' and 'get' operations.
>
> I've overheard that there is way to get it from underlying 389 directory server but not sure how to do it. Any one please shed a light on this?
>
> Similarly, how to download a host certificate from Dogtag because 'ipa-getcert request' also resets it -- I may be wrong and so please feel free to correct me :); or how about a user principal's keytab from 389 too?
>
> Thanks a lot.
>
> --David

Is it a one time operation? If so you can use ldapsearch utility. The object will have ipaHost object class in IPA. You can use a Directory Manager credential to authenticate. I suggest you do it on the server and then deliver the key and the cert manually.

I thought that there was a flag for ipa-getkeytab to fetch existing key but my knowledge in this area is rusty. Same with the cert. May be someone else would chime in.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
From: Dmitri Pal d...@redhat.com

> Let us take one at a time.
>
> Dogtag is the certificate system. Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment. There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.
>
> There will be more certificate related features over time. They would include support of pkinit, issuance and management of the user certificates and many others. Some of the work started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
>
> Hope it clarifies things.

Thanks. That's pretty clear. certmonger and Dogtag could be a very useful combination.

For my case, where internal/outside company web servers already have external certified 3-year wildcard certificates, and IPA/LDAP servers have the dogtag/certmonger installed for them, maybe I can put off installing host certificates and certmonger services on other IPA clients to save a few CPU cycles now? Sure I can turn certmonger on and create host certificates anytime as long as needs pop up later.

> What is the reason for manually configuring the client?

The main purpose here is company policy. We use central config management systems to push out config files etc. Basically we did it for separate Kerberos and LDAP solutions, and now it is required to do that for IPA solution as well. Another benefit is, as long as I know how to do it manually, then in case the combo script ipa-client-install is overkill, I can do subcomponent only.

Thanks.

--David
Re: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
On 04/27/2012 03:05 PM, David Copperfield wrote:
> From: Dmitri Pal d...@redhat.com
>
>> Let us take one at a time.
>>
>> Dogtag is the certificate system. Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment. There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.
>>
>> There will be more certificate related features over time. They would include support of pkinit, issuance and management of the user certificates and many others. Some of the work started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.
>>
>> Hope it clarifies things.
>
> Thanks. That's pretty clear. certmonger and Dogtag could be a very useful combination.
>
> For my case, where internal/outside company web servers already have external certified 3-year wildcard certificates, and IPA/LDAP servers have the dogtag/certmonger installed for them, maybe I can put off installing host certificates and certmonger services on other IPA clients to save a few CPU cycles now?

Up to you.

> Sure I can turn certmonger on and create host certificates anytime as long as needs pop up later.
>
>> What is the reason for manually configuring the client?
>
> The main purpose here is company policy. We use central config management systems to push out config files etc. Basically we did it for separate Kerberos and LDAP solutions, and now it is required to do that for IPA solution as well. Another benefit is, as long as I know how to do it manually, then in case the combo script ipa-client-install is overkill, I can do subcomponent only.

Maybe it would be helpful to share your experience on an IPA wiki page for others to follow with the similar use cases? Do you have something that I can post there?

If you found anything missing in the documentation please file a BZ or ticket in upstream trac.

> Thanks.
>
> --David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
On Thu, 2012-04-26 at 19:58 -0700, David Copperfield wrote:
> Hi,
>
> Just have a silly case where I've to download the existing version keytab for a service principal. It is download only -- not recreate a new version and download the new version which ipa-getkeytab does. -- ipa-getkeytab command name seems a little bit misleading because it does both 'set' and 'get' operations.

Well, this is actually intentional. I'm curious what your reasoning is for wanting to access the original key. There really isn't any downside to just pulling a brand-new one for a host, and the upside is that you just rolled your keys, so if they happened to be compromised, you're safe now.
Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote:
> I thought that there was a flag for ipa-getkeytab to fetch existing key but my knowledge in this area is rusty. Same with the cert. May be someone else would chime in.

There's a way for certificates, at least.

If you still have the matching private key on the host (unless I'm mistaken, we don't have optional escrow yet, so if you don't have the private key, you're out of luck, and there's no point in bothering with any of this), you should be able to dig up the corresponding certificate.

Since the regular IPA machinery already knows how to pull up a certificate if you know its serial number, we just need to figure out the serial number. On the server, we search Dogtag's directory server instance by running:

    DOMAIN=EXAMPLE.COM
    FQDN=clientbox1.example.com
    ldapsearch -h localhost:7389 -x -D "cn=Directory Manager" -W \
        -b "ou=certificateRepository,ou=ca,o=ipaca" \
        "subjectname=cn=$FQDN,o=$DOMAIN" cn serialno

We'll need to supply the directory server administrator password. We'll get back the cn and serialno values for any matching entries. The cn values appear to be the serial numbers. If multiple certificates were issued to the host, we'll get more than one serial number back.

We can pass any of them to "ipa cert-show" to retrieve the certificate that was issued with that serial number. The "Certificate:" value is base64 without a header or footer, but we can pipe the whole value through OpenSSL's utility to both make sure we have the whole thing, and clean it up in the process. Run this command, and copy/paste the value into it:

    openssl base64 -d | openssl x509 -inform der

The result can be stored in the relevant file for use with OpenSSL, or imported into the relevant database for use with NSS.

Like Stephen noted about keytabs, though, there should be no harm in just issuing a new certificate for the host in question. Certificates are always issued with limited validity periods, so anything that breaks if/when a certificate is replaced needs to be fixed anyway.

HTH,

Nalin
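The two steps Nalin describes, reading serial numbers out of the ldapsearch result and turning the header-less base64 "Certificate:" value into a usable PEM file, are shown below in Python as an added example written for this digest (not FreeIPA, Dogtag or OpenSSL code). The LDIF text and the DER bytes are constructed stand-ins: the DER is a bare SEQUENCE with a long-form length and filler content, not a real certificate, which is enough to exercise the completeness check that "openssl x509 -inform der" performs implicitly when it rejects a truncated paste. Attribute names (cn, serialno) and the base DN come from Nalin's command; ssl.DER_cert_to_PEM_cert is the standard-library helper used for the PEM wrapping.

```python
"""Pull serial numbers from an LDIF search result and convert the base64
value printed by `ipa cert-show` into PEM, refusing truncated blobs.

Added example, not FreeIPA or Dogtag code. SAMPLE_LDIF, SAMPLE_DER and
SAMPLE_BLOB are constructed test data.
"""
import base64
import ssl

# Constructed stand-in for the output of Nalin's ldapsearch command when two
# certificates were issued to the same host (attribute names as in the post).
SAMPLE_LDIF = """\
dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
cn: 7
serialno: 7

dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
cn: 12
serialno: 12
"""

# Constructed stand-in for DER: SEQUENCE, long-form length (0x81 0xc8 = 200),
# then 200 filler bytes. Not a real certificate, only the outer framing.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(200)
# What `ipa cert-show` prints: base64 with no BEGIN/END lines.
SAMPLE_BLOB = base64.b64encode(SAMPLE_DER).decode()


def serials_from_ldif(ldif_text):
    """Return the serialno value of every entry in an LDIF result, as ints.
    Entries are separated by blank lines; lines starting with a space are
    LDIF continuations of the previous attribute."""
    serials = []
    for entry in ldif_text.strip().split("\n\n"):
        lines = []
        for raw in entry.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        for line in lines:
            attr, sep, value = line.partition(":")
            if sep and attr.strip().lower() == "serialno":
                serials.append(int(value.strip()))
    return serials


def der_is_complete(der):
    """True if `der` is exactly one DER SEQUENCE (the outer frame of an X.509
    certificate) whose declared length matches the bytes present. A blob cut
    short during copy/paste fails here instead of producing a broken file."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                           # short-form length
        length, header = first, 2
    else:                                      # long-form: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def blob_to_pem(blob):
    """Decode the header-less base64 from `ipa cert-show`, check it is a
    complete DER object, and wrap it as PEM (the Python equivalent of
    `openssl base64 -d | openssl x509 -inform der`)."""
    der = base64.b64decode("".join(blob.split()), validate=True)
    if not der_is_complete(der):
        raise ValueError("certificate blob is truncated or not a DER SEQUENCE")
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    print("serial numbers:", serials_from_ldif(SAMPLE_LDIF))
    print(blob_to_pem(SAMPLE_BLOB))
```

On a real server you would feed serials_from_ldif() the ldapsearch output and blob_to_pem() the "Certificate:" line from "ipa cert-show <serial>"; the resulting PEM string can be written to the file OpenSSL expects or imported into an NSS database with certutil. The DER check only validates the outer framing, so a blob that passes it still needs to be parsed by OpenSSL or NSS before you rely on it.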
[Freeipa-users] Confused/lost at promoting a replica into a master
Hi folks,

I'm completely lost at reading the IPA document on how to promote an IPA replica into master IPA.

When I try to follow the steps listed in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at the link http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, the last step 'g' said:

    g. Disable the redirect settings for CRL generation requests:
       master.ca.agent.host=hostname
       master.ca.agent.port=port number

The above instructions don't give any hints of 'hostname', or 'port number'. Users don't have any clues about them: should they be this replica's name, or the original master's name? And what is the port number? Is it a TCP port, or a UDP port?

As a serious evaluator of IPA, I have to think more above just for fun. So it is a natural thought to think about disaster recovery and smooth/continuous operations (simulation and real case): how to back up data, how to promote replica into master, etc. But this document just poses way too many challenges for me. :)

Any one who has successfully passed this test, please shed a light here.

Thanks a lot.

--Guolin