Re: [Freeipa-users] Trying out ipa on zlinux
On fre, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
> On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
> > [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-SRV-VOLVO-COM.socket
> > [04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128 version=3
> > [04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0
> > [04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
> >
> > Would anyone have a clue what could be wrong?
>
> err=7 seems LDAP_AUTH_METHOD_NOT_SUPPORTED
> are you lacking sasl dependencies in 389 by chance ?

I think I got SASL support in:

root@zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# ldapsearch -D "cn=directory manager" -w secret -x -s base -b "" supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying out ipa on zlinux
On Fri, 2012-05-04 at 16:44 +0200, David Juran wrote:
> On fre, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
> > On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
> > > [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-SRV-VOLVO-COM.socket
> > > [04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128 version=3
> > > [04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0
> > > [04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
> > >
> > > Would anyone have a clue what could be wrong?
> >
> > err=7 seems LDAP_AUTH_METHOD_NOT_SUPPORTED
> > are you lacking sasl dependencies in 389 by chance ?
>
> I think I got SASL support in:
>
> root@zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# ldapsearch -D "cn=directory manager" -w secret -x -s base -b "" supportedSASLMechanisms
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: supportedSASLMechanisms
> #
>
> #
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: DIGEST-MD5
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

please run:
rpm -qa |grep cyrus-sasl

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Integrate with Samba
On Fri, 04 May 2012, Matthew Davidson wrote:
> Hello,
>
> Does anyone have any pointers or documentation on integrating Samba or file shares with IPA?

http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

Some aspects of this instruction could be done a bit better and also IPAv3 will have a bit different schema (supported by native IPA passdb module for Samba) but the state as it is at least should work as a stop gap for file server cases.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Trying out ipa on zlinux
On fre, 2012-05-04 at 10:52 -0400, Simo Sorce wrote:
> please run:
> rpm -qa |grep cyrus-sasl

root@zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# rpm -qa |grep cyrus-sasl
cyrus-sasl-lib-2.1.23-13.el6.s390x
cyrus-sasl-md5-2.1.23-13.el6.s390x
cyrus-sasl-2.1.23-13.el6.s390x
cyrus-sasl-plain-2.1.23-13.el6.s390x
cyrus-sasl-gssapi-2.1.23-13.el6.s390x

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801
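As an added example (not code from the thread or from the FreeIPA project), a small Python parser for the 389-ds access-log lines the thread quotes: it pairs each BIND with the RESULT carrying the same conn/op, reports method=128 as a simple bind, and names the LDAP result code so that err=7 reads as authMethodNotSupported. The log text is constructed from the thread's excerpt plus an invented two-step GSSAPI bind, so the SASL-continuation case (err=14) is not mistaken for a failure.

```python
import re

# Constructed sample: the lines quoted in the thread plus an invented two-step
# GSSAPI bind that succeeds, to show the SASL continuation case.
SAMPLE_LOG = """\
[04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-SRV-VOLVO-COM.socket
[04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128 version=3
[04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
[04/May/2012:15:23:01 +0200] conn=9 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/May/2012:15:23:01 +0200] conn=9 op=0 RESULT err=14 tag=97 nentries=0 etime=0
[04/May/2012:15:23:01 +0200] conn=9 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/May/2012:15:23:01 +0200] conn=9 op=1 RESULT err=0 tag=97 nentries=0 etime=0
"""

# LDAP result codes (RFC 4511) that matter when reading bind outcomes.
LDAP_ERR_NAMES = {0: "success", 7: "authMethodNotSupported", 14: "saslBindInProgress",
                  48: "inappropriateAuthentication", 49: "invalidCredentials"}

BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) BIND dn=(?:"(?P<qdn>[^"]*)"|(?P<dn>\S*))'
    r' method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')

def parse_binds(log_text):
    """Pair every BIND with the RESULT carrying the same conn/op and decode it."""
    pending, binds = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            dn = m.group("qdn") if m.group("qdn") is not None else m.group("dn")
            # 389-ds logs method=128 for a simple bind and method=sasl plus mech= for SASL.
            method = "simple" if m.group("method") == "128" else m.group("method")
            pending[(m.group("conn"), m.group("op"))] = {
                "conn": int(m.group("conn")), "dn": dn, "method": method, "mech": m.group("mech")}
            continue
        m = RESULT_RE.search(line)
        if m:
            rec = pending.pop((m.group("conn"), m.group("op")), None)
            if rec is None:
                continue  # RESULT of a non-bind operation (SRCH, MOD, ...)
            rec["err"] = int(m.group("err"))
            rec["err_name"] = LDAP_ERR_NAMES.get(rec["err"], "unknown(%d)" % rec["err"])
            binds.append(rec)
    return binds

def failed_binds(log_text):
    """Binds that ended in a hard failure: not success and not a SASL continuation."""
    return [b for b in parse_binds(log_text) if b["err"] not in (0, 14)]

if __name__ == "__main__":
    for b in failed_binds(SAMPLE_LOG):
        print("conn=%d %s bind as %r failed: err=%d (%s)"
              % (b["conn"], b["method"], b["dn"], b["err"], b["err_name"]))
```

Run it against a real /var/log/dirsrv/slapd-*/access file by reading the file into `parse_binds`; the regex also accepts dn values whose quotes were stripped, as in the thread's pasted lines.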
Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?
cee1 wrote:
> 2012/5/4 Paul Robert Marino <prmari...@gmail.com>:
> > There is an apache module for kerberos auth that works well. Two notes about it: turn on credential caching, because it significantly reduces the load on the kerberos server, and keep in mind that internet explorer leaves native kerberos on (you won't get prompted for a user name or password if you have a valid kerberos ticket) but firefox turns it off by default and I'm not sure about chrome.
> > In other words if you leave the default setting in firefox it will use basic auth (clear text password unless you use ssl) to interact with apache and subsequently kerberos.
> > This is a wonderful way to make a secure authentication mechanism insecure if you don't use ssl.
> > That said I know for a fact track does work well with kerberos auth.
>
> That means if user's browser doesn't support kerberos or with kerberos off by default, it will break SSO, right?
>
> Maybe I should try FreeIPA in conjunction with CoSign?

Firefox needs to be configured to be allowed to perform Kerberos SSO in a domain.

FreeIPA 2.2 introduced a forms-based login so you don't have to fall back to basic authentication (with KrbMethodK5Passwd on).

In practice all web-based Kerberos should be protected by SSL.

rob
[Freeipa-users] ipa-replica-prepare Certificate issuance failed
Hi,

I've got a FreeIPA setup at home I just built the other week on Fedora 16. It's a very small/basic setup I'm mainly using for secure NFS+Kerberos and automount. Today, I updated everything and rebooted, and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm now running:

freeipa-python-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-admintools-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
freeipa-server-selinux-2.1.4-7.fc16.x86_64
dogtag-pki-common-theme-9.0.11-1.fc16.noarch
dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
pki-symkey-9.0.19-1.fc16.x86_64
pki-java-tools-9.0.19-1.fc16.noarch
pki-setup-9.0.19-1.fc16.noarch
pki-common-9.0.19-1.fc16.noarch
pki-silent-9.0.19-1.fc16.noarch
pki-util-9.0.19-1.fc16.noarch
pki-selinux-9.0.19-1.fc16.noarch
pki-ca-9.0.19-1.fc16.noarch

I went to try and setup a replica following the docs at http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html and ran into a problem I can't figure out (after checking logs, list, google, and BZ searches):

[root@master log]# ipa-replica-prepare <replica fqdn>
Directory Manager (existing master) password:

Preparing replica for <replica fqdn> from <master fqdn>
Creating SSL certificate for the Directory Server
Certificate issuance failed

I just ran it again, with a tail on /var/log/pki-ca/debug and this is what it spat out:

[04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... H3dNbe4A '
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service.
[04/May/2012:14:44:09][http-9444-1]: xmlOutput true
[04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... H3dNbe4A '
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert
[04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11

Which also looks normal (to me). Though I've done nothing intentional with anything certificate related, again this is mainly a setup for kerberos.

Where else can I look, or what can I run to get more clues why ipa-replica-prepare is failing?

Thanks.
Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
Chris Evich wrote:
> Hi,
>
> I've got a FreeIPA setup at home I just built the other week on Fedora 16. It's a very small/basic setup I'm mainly using for secure NFS+Kerberos and automount. Today, I updated everything and rebooted, and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm now running:
>
> freeipa-python-2.1.4-7.fc16.x86_64
> freeipa-client-2.1.4-7.fc16.x86_64
> freeipa-admintools-2.1.4-7.fc16.x86_64
> freeipa-server-2.1.4-7.fc16.x86_64
> freeipa-server-selinux-2.1.4-7.fc16.x86_64
> dogtag-pki-common-theme-9.0.11-1.fc16.noarch
> dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
> pki-symkey-9.0.19-1.fc16.x86_64
> pki-java-tools-9.0.19-1.fc16.noarch
> pki-setup-9.0.19-1.fc16.noarch
> pki-common-9.0.19-1.fc16.noarch
> pki-silent-9.0.19-1.fc16.noarch
> pki-util-9.0.19-1.fc16.noarch
> pki-selinux-9.0.19-1.fc16.noarch
> pki-ca-9.0.19-1.fc16.noarch
>
> I went to try and setup a replica following the docs at http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html and ran into a problem I can't figure out (after checking logs, list, google, and BZ searches):
>
> [root@master log]# ipa-replica-prepare <replica fqdn>
> Directory Manager (existing master) password:
>
> Preparing replica for <replica fqdn> from <master fqdn>
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
>
> I just ran it again, with a tail on /var/log/pki-ca/debug and this is what it spat out:
>
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... H3dNbe4A '
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service.
> [04/May/2012:14:44:09][http-9444-1]: xmlOutput true
> [04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input Parameters
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... H3dNbe4A '
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true'
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
> [04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input Parameters
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
> [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert
> [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11
>
> Which also looks normal (to me). Though I've done nothing intentional with anything certificate related, again this is mainly a setup for kerberos.
>
> Where else can I look, or what can I run to get more clues why ipa-replica-prepare is failing?

I think we'll need to get more info out of dogtag.

If you edit /etc/ipa/default.conf and add debug=True, restart httpd, re-run the replica-prepare, there should be more information on the failure in /var/log/httpd/error_log.

rob
Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
On 05/04/2012 03:18 PM, Rob Crittenden wrote:
> Chris Evich wrote:
> > Hi,
> >
> > I've got a FreeIPA setup at home I just built the other week on Fedora 16. It's a very small/basic setup I'm mainly using for secure NFS+Kerberos and automount. Today, I updated everything and rebooted,
> > ...cut...
> > [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11
> >
> > Which also looks normal (to me). Though I've done nothing intentional with anything certificate related, again this is mainly a setup for kerberos.
> >
> > Where else can I look, or what can I run to get more clues why ipa-replica-prepare is failing?
>
> I think we'll need to get more info out of dogtag.
>
> If you edit /etc/ipa/default.conf and add debug=True, restart httpd, re-run the replica-prepare, there should be more information on the failure in /var/log/httpd/error_log.
>
> rob

Whoa, okay, a WHOLE lot more info.:

[Fri May 04 15:43:19 2012] [notice] Apache/2.2.22 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.3 Python/2.7.2 configured -- resuming normal operations
[Fri May 04 15:43:22 2012] [error] ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
[Fri May 04 15:43:22 2012] [error] ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
...lots more import plugin messages...
[Fri May 04 15:43:24 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at 'xml'
[Fri May 04 15:43:24 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver() at 'json'
[Fri May 04 15:43:25 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at 'xml'
[Fri May 04 15:43:25 2012] [error] ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver() at 'json'
[Fri May 04 15:43:28 2012] [error] ipa: INFO: *** PROCESS START ***
[Fri May 04 15:43:28 2012] [error] ipa: INFO: *** PROCESS START ***

Then I run ipa-replica-prepare <fqdn of replica>, put in my Directory Manager password, and it outputs the same Certificate issuance failed. I had a tailf on /var/log/httpd/error_log but nothing new was logged (nothing logged at all in fact) :S

In /var/log/pki-ca/debug I see (what appears similar to before):

[04/May/2012:15:46:31][Timer-0]: In LdapBoundConnFactory::getConn()
[04/May/2012:15:46:31][Timer-0]: masterConn is connected: true
[04/May/2012:15:46:31][Timer-0]: getConn: conn is connected true
[04/May/2012:15:46:31][Timer-0]: getConn: mNumConns now 2
[04/May/2012:15:46:31][Timer-0]: SecurityDomainSessionTable: getSessionIds(): no sessions have been created
[04/May/2012:15:46:31][Timer-0]: returnConn: mNumConns now 3
[04/May/2012:15:48:11][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... vAUbEmg/ '
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[04/May/2012:15:48:11][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service.
[04/May/2012:15:48:11][http-9444-1]: xmlOutput true
[04/May/2012:15:48:11][http-9444-1]: Start of ProfileSubmitServlet Input Parameters
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n ...cut... vAUbEmg/ '
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true'
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[04/May/2012:15:48:11][http-9444-1]: End of ProfileSubmitServlet Input Parameters
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:15:48:11][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert
[04/May/2012:15:48:11][http-9444-1]: CMSServlet: curDate=Fri May 04 15:48:11 EDT 2012 id=caProfileSubmitSSLClient time=9

I think the 3-minute time difference is expected - I was checking through other logs. Nothing that appears relevant shows up in audit.log, messages, http/access.log, dirsrv/slapd-PKI-IPA/errors or access:

[04/May/2012:15:46:30 -0400] conn=2 op=58 SRCH base=ou=sessions,ou=Security