Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread Rob Crittenden

David Fitzgerald wrote:


Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


There are two problems here. The first is the server error which is 
causing the client to try the next server which is cyclone.  There are 
records for this somewhere.


I think the next place to look is /var/log/krb5kdc.log to see what is 
happening when you try to contact the web server. You may also want to 
add debug = True to /etc/ipa/default.conf and restart httpd. This will 
provide very verbose output on the client and server and may provide 
additional clues.


rob




; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS  corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS  garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN  A   192.206.29.2
garfield.millersville.edu. 3600 IN  A   166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is returned by SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:

The host command returns the correct name:
#host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:

Hello everyone,



I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
Yesterday I  started not being able to run any "ipa-" commands.
Running kinit admin gives me the proper tickets, but when I run any
ipa- command I get the following error:



ipa: ERROR: Kerberos error: Service
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.



I have no idea where the cyclone

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread John Dennis

On 03/11/2013 02:05 PM, David Fitzgerald wrote:


Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS  corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS  garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN  A   192.206.29.2
garfield.millersville.edu. 3600 IN  A   166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?


It looks like the web server on aurora isn't configured for kerberos 
auth on the ipa/xml location. If it were it would have created a 
KRB5CCNAME before handing the request to IPA. IPA is complaining it can't 
find the kerberos credentials. Your client then falls back to the server it 
found in your dns srv record. I can't explain that srv record or whether 
you've got a valid IPA server running there or not.


I would check the apache config on aurora.

Do you have a:

/etc/httpd/conf.d/ipa.conf

file?

Are there any .rpmnew files under /etc/httpd?

Have you restarted httpd on aurora?

What are the contents of /etc/httpd/conf.d/ipa.conf?


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
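The checks John Dennis lists (does /etc/httpd/conf.d/ipa.conf exist, are there stray .rpmnew files under /etc/httpd, and, as Martin Kosek adds later in this thread, is KrbSaveCredentials on) gathered into one script. This is an added example written for this page, not code from the thread or from FreeIPA; the /etc/httpd layout is the real one, while make_sample_tree() builds a constructed look-alike in a temporary directory so the checks can be exercised without an IPA server.

```python
"""Added example: Apache-side diagnostics for the 'KRB5CCNAME not defined'
failure discussed in this thread. Not FreeIPA's own code."""
import os
import re
import tempfile

# Uncommented "KrbSaveCredentials on" (any case) at the start of a line.
KRB_SAVE_RE = re.compile(r"^\s*KrbSaveCredentials\s+on\b",
                         re.IGNORECASE | re.MULTILINE)


def find_rpmnew(root):
    """Every *.rpmnew under root: a package update shipped a new config file
    that was never merged into the live one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".rpmnew"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def check_ipa_httpd(root="/etc/httpd"):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    conf = os.path.join(root, "conf.d", "ipa.conf")
    if not os.path.isfile(conf):
        # Without ipa.conf nothing wraps /ipa/xml in Kerberos auth at all.
        findings.append("missing %s" % conf)
        return findings
    with open(conf) as fh:
        text = fh.read()
    if not KRB_SAVE_RE.search(text):
        # mod_auth_kerb then authenticates the client but never hands the
        # credential cache to IPA, which fails with "KRB5CCNAME not defined".
        findings.append("KrbSaveCredentials is not 'on' in %s" % conf)
    for path in find_rpmnew(root):
        findings.append("unapplied package config: %s" % path)
    return findings


def make_sample_tree(healthy=True):
    """Constructed /etc/httpd look-alike in a temp dir (demo data only)."""
    root = tempfile.mkdtemp(prefix="httpd-demo-")
    os.makedirs(os.path.join(root, "conf.d"))
    conf = os.path.join(root, "conf.d", "ipa.conf")
    with open(conf, "w") as fh:
        fh.write('<Location "/ipa">\n  AuthType Kerberos\n')
        fh.write("  KrbSaveCredentials %s\n</Location>\n"
                 % ("on" if healthy else "off"))
    if not healthy:
        # Simulate an update that left the shipped config unmerged.
        open(conf + ".rpmnew", "w").close()
    return root


if __name__ == "__main__":
    for healthy in (True, False):
        root = make_sample_tree(healthy)
        print(root, check_ipa_httpd(root) or ["OK"])
```

Run it as root against the real tree with no argument, or point check_ipa_httpd() at any directory laid out like /etc/httpd; each finding names the file to fix, and a clean result means the remaining suspect is the KDC side (/var/log/krb5kdc.log) rather than Apache.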


Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread David Fitzgerald

Here is the output of the dig command.  Cyclone does show up here, but our 
networking people say there are no srv records in our current db.  I still 
think the trouble I am having has to do with the Internal Server Error I get 
when I run ipa commands.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3 <<>> -t srv 
_ldap._tcp.esci.millersville.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.esci.millersville.edu. IN   SRV

;; ANSWER SECTION:
_ldap._tcp.esci.millersville.edu. 600 IN SRV 0 100 389 cyclone.esci.millersville.edu.

;; AUTHORITY SECTION:
_tcp.esci.millersville.edu. 3600 IN NS  corsair.millersville.edu.
_tcp.esci.millersville.edu. 3600 IN NS  garfield.millersville.edu.

;; ADDITIONAL SECTION:
corsair.millersville.edu. 3600  IN  A   192.206.29.2
garfield.millersville.edu. 3600 IN  A   166.66.86.144

;; Query time: 1 msec
;; SERVER: 166.66.86.144#53(166.66.86.144)
;; WHEN: Mon Mar 11 13:55:36 2013
;; MSG SIZE  rcvd: 176

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald
Sent: Friday, March 08, 2013 12:04 PM
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:  
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is returned by SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:
> The host command returns the correct name:
> #host 166.66.65.39
> 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.
> 
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Tuesday, March 05, 2013 10:26 AM
> To: David Fitzgerald
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-* tools throws errors
> 
> On 03/05/2013 04:21 PM, David Fitzgerald wrote:
>> Hello everyone,
>>
>>  
>>
>> I have been running a freeIPA server on Scientific Linux 6.2 for about a 
>> year. 
>> Yesterday I  started not being able to run any "ipa-" commands.  
>> Running kinit admin gives me the proper tickets, but when I run any
>> ipa- command I get the following error:
>>
>>  
>>
>> ipa: ERROR: Kerberos error: Service
>> u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.
>>
>>  
>>
>> I have no idea where the cyclone.esci.millersville.edu is coming 
>> from, as that used to be a Windows Domain server that was 
>> decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
>> I even grep -R all of the files in /etc and none refer to cyclone.  I 
>> checked the ipa config and krb5.conf files and they are pointing at the 
>> proper ipa server.
>>
>>  
>>
>> Checking log files I get these messages when I try to run ipa commands:
>>
>>

Re: [Freeipa-users] Web UI Error after upgrade

2013-03-11 Thread Rob Crittenden

Uzor Ide wrote:

Hi All

I upgraded fedora 17 with freeipa server to fedora 18, and afterwards the
webui comes back with an error for every login attempt.
Error dialog box reports IPA Error 903
description: An internal error has occured.

Checking the /var/log/httpd/error_log, shows


7451 2013] [:error] [pid 29533] ipa: INFO: ad...@mydomain.com
: batch: i18n_messages(): SUCCESS
[Sun Mar 10 23:39:09.013825 2013] [:error] [pid 29533] ipa: INFO:
ad...@mydomain.com : batch: config_show():
SUCCESS
[Sun Mar 10 23:39:09.137789 2013] [:error] [pid 29533] ipa: INFO:
ad...@mydomain.com : batch: user_find(None,
whoami=True, all=True): SUCCESS
[Sun Mar 10 23:39:09.140607 2013] [:error] [pid 29533] ipa: INFO:
ad...@mydomain.com : batch: env(None): SUCCESS
[Sun Mar 10 23:39:09.151762 2013] [:error] [pid 29533] ipa: INFO:
ad...@mydomain.com : batch: dns_is_enabled():
SUCCESS
[Sun Mar 10 23:39:09.153293 2013] [:error] [pid 29533] ipa: INFO:
ad...@mydomain.com : batch(({u'params': [[],
{}], u'method': u'i18n_messages'}, {u'params': [[], {}], u'method':
u'config_show'}, {u'params': [[], {u'all': True, u'whoami': True}],
u'method': u'user_find'}, {u'params': [[], {}], u'method': u'env'},
{u'params': [[], {}], u'method': u'dns_is_enabled'})): SUCCESS
[Sun Mar 10 23:39:12.272579 2013] [:error] [pid 29534] ipa: ERROR:
non-public: KeyError: 'ipadnszone'
[Sun Mar 10 23:39:12.272737 2013] [:error] [pid 29534] Traceback (most
recent call last):
[Sun Mar 10 23:39:12.272757 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in
wsgi_execute
[Sun Mar 10 23:39:12.272775 2013] [:error] [pid 29534] result =
self.Command[name](*args, **options)
[Sun Mar 10 23:39:12.272791 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
[Sun Mar 10 23:39:12.272808 2013] [:error] [pid 29534] ret =
self.run(*args, **options)
[Sun Mar 10 23:39:12.272825 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
[Sun Mar 10 23:39:12.272841 2013] [:error] [pid 29534] return
self.execute(*args, **options)
[Sun Mar 10 23:39:12.272858 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 119,
in execute
[Sun Mar 10 23:39:12.272874 2013] [:error] [pid 29534] (o.name
, json_serialize(o)) for o in self.api.Object()
[Sun Mar 10 23:39:12.272892 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 119,
in 
[Sun Mar 10 23:39:12.272908 2013] [:error] [pid 29534] (o.name
, json_serialize(o)) for o in self.api.Object()
[Sun Mar 10 23:39:12.272924 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipalib/util.py", line 56, in
json_serialize
[Sun Mar 10 23:39:12.272941 2013] [:error] [pid 29534] return
json_serialize(obj.__json__())
[Sun Mar 10 23:39:12.272956 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 600,
in __json__
[Sun Mar 10 23:39:12.272973 2013] [:error] [pid 29534] attrs =
self.api.Backend.ldap2.schema.attribute_types(objectclasses)
[Sun Mar 10 23:39:12.272989 2013] [:error] [pid 29534]   File
"/usr/lib/python2.7/site-packages/ldap/schema/subentry.py", line 377, in
attribute_types
[Sun Mar 10 23:39:12.273006 2013] [:error] [pid 29534] object_class
= self.sed[ObjectClass][object_class_oid]
[Sun Mar 10 23:39:12.273022 2013] [:error] [pid 29534] KeyError:
'ipadnszone'
[Sun Mar 10 23:39:12.278460 2013] [:error] [pid 29534] ipa: INFO:
ad...@mydomain.com : json_metadata(None,
None, object=u'all'): KeyError
[Sun Mar 10 23:39:14.201686 2013] [:error] [pid 29533] ipa: INFO:
ad...@mydomain.com : json_metadata(None,
None, command=u'all'): SUCCESS



I will appreciate any help I can get.

Thanks

Ide



The problem is that your schema was not upgraded properly. Can you look 
in /var/log/ipaupgrade.log for any errors?


What version did you upgrade from?

rob



Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Dmitri Pal
On 03/11/2013 07:43 AM, Dale Macartney wrote:
>
>
> On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> > Dale Macartney wrote:
> >>
> >> On 03/11/2013 11:04 AM, Christian Horn wrote:
> >>>
> >>> How about having service-add/ipa-getkeytab done on the server,
> >>> and having the keytab deployed onto the clientsystem using scp from
> >>> the server, or via configmanagement?
> >> That definitely gets around security concerns, however still requires
> >> some manual intervention... the keytab could be pushed using config
> >> management, but generating it in the first place still requires work as
> >> a trusted user.
>
> > Yes, but this could be automated.
> > If you deploy i.e. with cobbler there were IIRC hooks so one can do
> > serverside tasks, as soon as a system gets added. So the secret could
> > be embedded in a script there.
> In my current lab, I just use my own script which pushes api calls to
> rhev to deploy machines. I know there is a way to use a user keytab to
> auth to IPA. I could do that and have my provisioning script push the
> necessary admin commands and leave the client to pull to the client
> during %post...
>
> I guess it depends on the provisioning model within the organisation.


For things to work right the provisioning service MUST have some
behind-the-scenes interaction with IPA. This is what we always had in mind.
Let us say that the provisioning system is called P.

Setup:
1) Create a principal for P
2) Provision keytab for P
3) Make P use IPA interfaces authenticating as P principal using keytab
4) Make sure P has the right permissions to manage other hosts
5) Make P store IPA public cert

Provisioning sequence:
1) User/script requests provisioning of a system
2) P connects to IPA and creates a host entry in IPA, an OTP is returned
back
3) P provides IPA public cert for the new machine
4) P inserts OTP into the kickstart for the system to join IPA
5) If provision of the identity fails P should disable host in IPA to
make sure that the OTP has not been stolen and used to provision some
other fake system.

This is how things "should work" in a perfect world.


>
>
>
> > Christian
>
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



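Dmitri's setup and provisioning sequence as an added example (not code from the thread or from FreeIPA): a small driver for the provisioning service P. IPA calls go through an injectable client object; FakeIpaClient is an offline stand-in that only imitates the two operations the sequence needs (host-add with a random OTP, host-disable) and is not the FreeIPA API. The ipa-client-install options rendered into %post are the real tool's; the realm, domain, hostnames and certificate text are constructed sample values, and writing the CA cert to /etc/ipa/ca.crt before enrollment is an assumption about how step 3 is delivered.

```python
"""Added example: provisioning service P following the OTP-based sequence
described in this thread. FakeIpaClient is a stand-in, not the IPA API."""
import secrets


class FakeIpaClient:
    """Offline stand-in for an IPA connection authenticated with P's keytab."""

    def __init__(self):
        self.hosts = {}   # fqdn -> {"otp": str or None, "disabled": bool}
        self.log = []     # (operation, fqdn) in call order

    def host_add(self, fqdn, random_password=True):
        # Real IPA: `ipa host-add FQDN --random` returns a one-time password
        # that only ipa-client-install on that host can spend to enroll.
        if fqdn in self.hosts:
            raise ValueError("host exists: %s" % fqdn)
        otp = secrets.token_urlsafe(16) if random_password else None
        self.hosts[fqdn] = {"otp": otp, "disabled": False}
        self.log.append(("host_add", fqdn))
        return otp

    def host_disable(self, fqdn):
        # Real IPA: `ipa host-disable FQDN` revokes the host's credentials.
        entry = self.hosts[fqdn]
        entry["disabled"] = True
        entry["otp"] = None
        self.log.append(("host_disable", fqdn))


class Provisioner:
    """P: holds an IPA client bound to P's own principal, never the admin password."""

    def __init__(self, ipa, domain, realm, ca_cert_path="/etc/ipa/ca.crt"):
        self.ipa = ipa
        self.domain = domain
        self.realm = realm
        self.ca_cert_path = ca_cert_path   # assumption: where the cert is dropped
        self.pending = {}                  # fqdn -> otp while a build is in flight

    def request_host(self, fqdn):
        """Steps 1-2: create the host entry; IPA hands back the OTP."""
        otp = self.ipa.host_add(fqdn, random_password=True)
        self.pending[fqdn] = otp
        return otp

    def render_kickstart_post(self, fqdn, ca_cert_pem):
        """Steps 3-4: embed the CA cert and the OTP, not an admin password."""
        otp = self.pending[fqdn]
        lines = [
            "%post --log=/root/ipa-enroll.log",
            "mkdir -p /etc/ipa",
            "cat > %s <<'EOF'" % self.ca_cert_path,
            ca_cert_pem.rstrip("\n"),
            "EOF",
            "ipa-client-install --unattended --hostname=%s --domain=%s "
            "--realm=%s --password='%s' || echo ENROLL_FAILED"
            % (fqdn, self.domain, self.realm, otp),
            "%end",
        ]
        return "\n".join(lines) + "\n"

    def finish(self, fqdn, enrolled):
        """Step 5: on failure, disable the host so a leaked OTP is worthless."""
        self.pending.pop(fqdn, None)
        if not enrolled:
            self.ipa.host_disable(fqdn)
            return "disabled"
        return "enrolled"


if __name__ == "__main__":
    ipa = FakeIpaClient()
    p = Provisioner(ipa, "example.test", "EXAMPLE.TEST")   # constructed values
    p.request_host("mail01.example.test")
    print(p.render_kickstart_post("mail01.example.test", "-----CONSTRUCTED PEM-----"))
    print(p.finish("mail01.example.test", enrolled=False), ipa.hosts)
```

The point of the design is which secret lives where: P authenticates with its own keytab and delegated host-management permissions, the kickstart carries only a single-use OTP bound to one host entry, and a build that fails to enroll ends with that host disabled so the OTP cannot be replayed against a second, fake system.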

Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-11 Thread Rob Crittenden

Tim Hildred wrote:

It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin 
from the command line, there was a connection error. The upgrade meant my IPA 
server was straight borked. The solution? Revert to a previous snapshot, and 
continue using the old, working IPA (2.0.0-23.el6_1.2).

And I learned a valuable lesson: if it ain't broke, don't upgrade.


Sorry that you had problems with the upgrade. We'd be happy to work with 
you to try to figure out where things went sideways. Others would likely 
benefit from this work too.


rob



Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -

From: "Dmitri Pal" 
To: freeipa-users@redhat.com
Sent: Saturday, March 9, 2013 5:19:51 AM
Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh 
token manipulation gone


On 03/07/2013 11:47 PM, Tim Hildred wrote:

Hello,

I have been using IPA for authentication with a RHEV environment.

Quite a while ago, I got help from this list in making it so that my
users could access the WebUI with their login and passwords, no
Kerberos ticket required. I also had it working that when their
passwords expired, they would ssh to the IPA server as themselves,
get challenged for their current password, and then the opportunity
to provide a new one.

The update to ipa-server 3.0.0-25.el6 means that I can no longer log
into the WebUI with just a login and password (see attached
screenshot) and that users who try and update expired passwords get:

  You must change your password now and login again!
  Changing password for user juwu.
  Current Password:
  New password:
  Retype new password:
  Password change failed. Server message: Password not changed.
It seems that password might have not matched the server policy.
Have you tried different users and different passwords?

What does kerberos log on the server show? It will give you some hint
about the reason why the password was rejected.
It might be that the password you are trying to use already in the
history of passwords. AFAIR there was a bug that we did not handle
history of passwords properly in some cases. Now as it is fixed you
might see a proper policy enforcement.



Insufficient access to perform requested operation while trying to
change password.
  passwd: Authentication token manipulation error
  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Can anyone help me restore that functionality? Please?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/







Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Dale Macartney



On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> Dale Macartney wrote:
>>
>> On 03/11/2013 11:04 AM, Christian Horn wrote:
>>>
>>> How about having service-add/ipa-getkeytab done on the server,
>>> and having the keytab deployed onto the client system using scp from
>>> the server, or via config management?
>> That definitely gets around security concerns, however still requires
>> some manual intervention... the keytab could be pushed using config
>> management, but generating it in the first place still requires work as
>> a trusted user.
>
> Yes, but this could be automated.
> If you deploy i.e. with cobbler there were IIRC hooks so one can do
> serverside tasks, as soon as a system gets added. So the secret could
> be embedded in a script there.
In my current lab, I just use my own script which pushes api calls to
rhev to deploy machines. I know there is a way to use a user keytab to
auth to IPA. I could do that and have my provisioning script push the
necessary admin commands and leave the client to pull to the client
during %post...

I guess it depends on the provisioning model within the organisation.

>
>
> Christian
>



Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Christian Horn



Dale Macartney wrote:
> 
> On 03/11/2013 11:04 AM, Christian Horn wrote:
> >
> > How about having service-add/ipa-getkeytab done on the server,
> > and having the keytab deployed onto the client system using scp from
> > the server, or via config management?
> That definitely gets around security concerns, however still requires
> some manual intervention... the keytab could be pushed using config
> management, but generating it in the first place still requires work as
> a trusted user.

Yes, but this could be automated.
If you deploy i.e. with cobbler there were IIRC hooks so one can do
serverside tasks, as soon as a system gets added.  So the secret could
be embedded in a script there.

Christian


Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Dale Macartney



On 03/11/2013 11:04 AM, Christian Horn wrote:
> Hi,
>
> Dale Macartney wrote:
>>
>> I'm open to hear some opinions and thoughts on what the best way to
>> auto-provision service principals in an environment with a 100%
>> autonomous build process..
>>
>> Let's say for example, I wanted to provision a mail server and configure
>> dovecot SSO in the same process.
>>
>> Obviously something like this would be terrible in a production
>> environment as having this in the %post of a kickstart gives away the
>> admin password
>>
>> %post
>> echo redhat123 | kinit admin --
>> ipa service-add imap/$(hostname)
>> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k
>> /etc/dovecot/krb5.keytab
>>
>> Is there a more secure way to perform such a task via kickstart or
>> other provisioning method?
>
> How about having service-add/ipa-getkeytab done on the server,
> and having the keytab deployed onto the client system using scp from
> the server, or via config management?
That definitely gets around security concerns, however still requires
some manual intervention... the keytab could be pushed using config
management, but generating it in the first place still requires work as
a trusted user.

>
>
> Christian
>



Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Christian Horn
Hi,

Dale Macartney wrote:
> 
> I'm open to hear some opinions and thoughts on what the best way to
> auto-provision service principals in an environment with a 100%
> autonomous build process..
> 
> Let's say for example, I wanted to provision a mail server and configure
> dovecot SSO in the same process.
> 
> Obviously something like this would be terrible in a production
> environment as having this in the %post of a kickstart gives away the
> admin password
> 
> %post
> echo redhat123 | kinit admin --
> ipa service-add imap/$(hostname)
> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k
> /etc/dovecot/krb5.keytab
> 
> Is there a more secure way to perform such a task via kickstart or
> other provisioning method?

How about having service-add/ipa-getkeytab done on the server,
and having the keytab deployed onto the client system using scp from 
the server, or via config management?

Christian


Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread Martin Kosek

Hello David,

I am still not convinced that this issue is not caused by DNS. This is what 
we do in the "ipa" command:


1) We primarily try to connect to the server that is defined in 
/etc/ipa/default.conf in the "server" option
2) If it is not available, we try to fall back to other IPA servers, which are 
resolved via the DNS SRV query "_ldap._tcp.DOMAIN", where DOMAIN is also read from 
/etc/ipa/default.conf


I do not see any other path by which this server could get to "ipa". This is why I 
suggested running the DNS query on the machine where you run the client:


# dig -t srv _ldap._tcp.esci.millersville.edu

It could help us see if the server is coming from this direction.



As for the KRB5CCNAME appearing on your real IPA server, AFAIU, this 
environment variable is set by the "mod_auth_kerb" plugin for httpd (we configure 
it in /etc/httpd/conf.d/ipa.conf; "KrbSaveCredentials" should be "on" so that 
we can get the KRB5CCNAME). You can also try restarting httpd and see if that 
changes anything.


Martin

On 03/08/2013 06:03 PM, David Fitzgerald wrote:

Thanks for getting back to me!

I don't think the problem has anything to do with DNS.  I (finally) ran an ipa 
command with the verbose flags -vv and found that it IS trying to contact 
aurora.esci.millersville.edu, it fails then tries to contact 
cyclone.esci.millersville.edu (still don't know where that comes from).   I am 
getting an 'Internal Server Error' in the output when connecting to aurora.  
Here is the output:

% ipa -vv passwd
ipa: INFO: trying https://aurora.esci.millersville.edu/ipa/xml
send: u'POST /ipa/xml HTTP/1.0\r\nHost: 
aurora.esci.millersville.edu\r\nAccept-Language: en-us\r\nReferer:  
https://aurora.esci.millersville.edu/ipa/xml\r\nAuthorization: negotiate
  ...
send: "\n\nping\n\n\n\n"
reply: 'HTTP/1.1 500 Internal Server Error\r\n'
header: Date: Fri, 08 Mar 2013 16:52:48 GMT
header: Server: Apache/2.2.15 (Scientific Linux)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjoEMIFJxPVNU4jtl/7S+eC6fM0rlJWpV1fJdhoVTKwiR2pa2OHQWRtCjQDfzpBNwNBpt1fMY7M4Bfrqs860toAT6jMfS8Jkqh3Aj9OeuEmpEVHys5pbErjj14OPHxbxTmLdPxFE8eV4ZIDQg40a8
header: Content-Length: 311
header: Connection: close
header: Content-Type: text/html; charset=utf-8
ipa: INFO: trying https://cyclone.esci.millersville.edu/ipa/xml
ipa: ERROR: Kerberos error: Service 
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/

The apache error log gives this:
 Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server 
Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment.

I have no idea what that means.  Can you help?

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, March 06, 2013 3:05 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

Ok. Can you check whether this hostname is returned in an SRV DNS record discovery 
run on the host where you execute the ipa commands?

# dig -t srv _ldap._tcp.esci.millersville.edu

Does it return the right results?

Martin

On 03/05/2013 07:26 PM, David Fitzgerald wrote:

The host command returns the correct name:
# host 166.66.65.39
39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu.

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, March 05, 2013 10:26 AM
To: David Fitzgerald
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-* tools throws errors

On 03/05/2013 04:21 PM, David Fitzgerald wrote:

Hello everyone,



I have been running a freeIPA server on Scientific Linux 6.2 for about a year.
Yesterday I started not being able to run any "ipa-" commands.
Running kinit admin gives me the proper tickets, but when I run any
ipa- command I get the following error:



ipa: ERROR: Kerberos error: Service
u'h...@cyclone.esci.millersville.edu' not found in Kerberos database/.



I have no idea where the cyclone.esci.millersville.edu is coming
from, as that used to be a Windows Domain server that was
decommissioned years ago and is no longer in DNS, nor in /etc/hosts.
I even grep -R all of the files in /etc and none refer to cyclone.  I
checked the ipa config and krb5.conf files and they are pointing at the proper 
ipa server.



Checking log files I get these messages when I try to run ipa commands:



/var/log/httpd/error_log:

Tue Mar 05 08:57:54 2013] [error] ipa: ERROR: 500 Internal Server Error:
xmlserver.__call__: KRB5CCNAME not defined in HTTP request
environment



/var/log/ipa

Mar 05 09:57:00 aurora.esci.millersville.edu krb5kdc[12534](info):
TGS_REQ (4 etypes {18 17 16 23}) 166.66.65.39: ISSUE: authtime
1362491436, etypes {rep=18
tkt=18 ses=18}, admin@LINUX.DIRSRV.LOCAL for
krbtgt/LINUX.DIRSRV.LOCAL@LINUX.DIRSRV.LOCAL

Mar 05 09:57:00 aurora.esci.millersvil

Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-11 Thread Sumit Bose
On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as 
> admin from the command line, there was a connection error. The upgrade meant 
> my IPA server was straight borked. The solution? Revert to a previous 
> snapshot, and continue using the old, working IPA (2.0.0-23.el6_1.2). 

Maybe instead of trying to upgrade directly from 2.0 to 3.0 a step in
between like 2.0->2.1->3.0 would be better? To be on the safe side you
might want to include 2.2 as well in the upgrade path.

HTH

bye,
Sumit

> 
> And I learned a valuable lesson: if it ain't broke, don't upgrade. 
> 
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> - Original Message -
> > From: "Dmitri Pal" 
> > To: freeipa-users@redhat.com
> > Sent: Saturday, March 9, 2013 5:19:51 AM
> > Subject: Re: [Freeipa-users] Upgraded, login + password webui auth and ssh 
> > token manipulation gone
> > 
> > 
> > On 03/07/2013 11:47 PM, Tim Hildred wrote:
> > 
> > Hello,
> > 
> > I have been using IPA for authentication with a RHEV environment.
> > 
> > Quite a while ago, I got help from this list in making it so that my
> > users could access the WebUI with their login and passwords, no
> > Kerberos ticket required. I also had it working that when their
> > passwords expired, they would ssh to the IPA server as themselves,
> > get challenged for their current password, and then the opportunity
> > to provide a new one.
> > 
> > The update to ipa-server 3.0.0-25.el6 means that I can no longer log
> > into the WebUI with just a login and password (see attached
> > screenshot) and that users who try and update expired passwords get:
> > 
> >  You must change your password now and login again!
> >  Changing password for user juwu.
> >  Current Password:
> >  New password:
> >  Retype new password:
> >  Password change failed. Server message: Password not changed.
> > It seems that password might have not matched the server policy.
> > Have you tried different users and different passwords?
> > 
> > What does kerberos log on the server show? It will give you some hint
> > about the reason why the password was rejected.
> > It might be that the password you are trying to use already in the
> > history of passwords. AFAIR there was a bug that we did not handle
> > history of passwords properly in some cases. Now as it is fixed you
> > might see a proper policy enforcement.
> > 
> > 
> > 
> > Insufficient access to perform requested operation while trying to
> > change password.
> >  passwd: Authentication token manipulation error
> >  Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> > 
> > Can anyone help me restore that functionality? Please?
> > 
> > Tim Hildred, RHCE
> > Content Author II - Engineering Content Services, Red Hat, Inc.
> > Brisbane, Australia
> > Email: thild...@redhat.com Internal: 8588287
> > Mobile: +61 4 666 25242
> > IRC: thildred
> > 
> > ___
> > Freeipa-users mailing list Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > --
> > Thank you,
> > Dmitri Pal
> > 
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> > 
> > 
> > ---
> > Looking to carve out IT costs? www.redhat.com/carveoutcosts/


[Freeipa-users] Discussion: What would be the best way to create service principals via provisioning

2013-03-11 Thread Dale Macartney

Hi all

I'm open to hearing some opinions and thoughts on what the best way is to
auto-provision service principals in an environment with a 100%
autonomous build process.

Let's say, for example, I wanted to provision a mail server and configure
dovecot SSO in the same process.

Obviously something like this would be terrible in a production
environment, as having this in the %post of a kickstart gives away the
admin password:

%post
echo redhat123 | kinit admin --
ipa service-add imap/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab


Is there a more secure way to perform such a task via kickstart or
another provisioning method?

Thanks all

Dale

