Re: [Freeipa-users] FreeIPA dual stacked

2013-05-02 Thread Arturo Borrero

On 15/04/13 17:45, Adam Bishop wrote:

Hi,

I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump.

   The server hostname resolves to more than one address:
 :::::4
 xxx.xxx.xxx.180
   Please provide the IP address to be used for this host name:

The answer I would like to give here is both - is this a limitation of the 
installation script that I can fix up later, or is FreeIPA incompatible with 
dual-stacked hosts at the moment?


Hi there!

We have a full dual stacked network.
I installed the FreeIPA server only with IPv4 and then switched to dual 
stack, updating the DNS and the local server networking config to handle 
the new IPv6.

And all is working fine.

This with: ipa-server 3.0.0-26.el6_4.2 (x86_64)

Regards.

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
 Here is the logs output when I do
 
 id username
 
 sssd_d1.gameop.net.log
 
 (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4):
 Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
 (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (1):
 ldap_sasl_bind failed (-2)[Local error]
 (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler]
 (7): Waiting for child [20277].

I think here is the problem. Local error is not very descriptive, but
the issue is most probably in the keytab.

Does the following work:
kinit -k host/seadv-237-100.d1.gameop.net

I bet it would print the same error message.



Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Axel Berlin
On the client it doesn't return anything, but on the server it returns the following:

kinit: Keytab contains no suitable keys for host/
seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials

But it is on the client that I should run it? The server doesn't have the
237-100 krb5.keytab file.


2013/5/2 Jakub Hrozek jhro...@redhat.com

 On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
  Here is the logs output when I do
 
  id username
 
  sssd_d1.gameop.net.log
 
  (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send]
 (4):
  Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
  (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send]
 (1):
  ldap_sasl_bind failed (-2)[Local error]
  (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler]
  (7): Waiting for child [20277].

 I think here is the problem. Local error is not very descriptive, but
 the issue is most probably in the keytab.

 Does the following work:
 kinit -k host/seadv-237-100.d1.gameop.net

 I bet it would print the same error message.



Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
 On the client it doesn't return anything, but on the server it returns the following:
 
 kinit: Keytab contains no suitable keys for host/
 seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials
 
 But it is on the client that I should run it? The server doesn't have the
 237-100 krb5.keytab file.
 

Yes, on the client.



Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Axel Berlin
Nothing shows up in the logs when I do it on the client.

Got any other tips?


2013/5/2 Jakub Hrozek jhro...@redhat.com

 On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
  On the client it doesn't return anything, but on the server it returns the
 following:
 
  kinit: Keytab contains no suitable keys for host/
  seadv-237-100.d1.gameop@d1.gameop.net while getting initial
 credentials
 
  But it is on the client that I should run it? The server doesn't have the
  237-100 krb5.keytab file.
 

 Yes, on the client.


[Freeipa-users] users account functionality

2013-05-02 Thread Juan Armario

Hi,

I'm Juan and I'm building a freeipa application, and I need to know if it is 
possible to integrate a module, or if one is already developed, with the typical 
functionality we want for an authentication service for our users, like 
remember password, create users, send an email for confirmation, or 
send an account delete request.


We have installed the basic freeipa and we need to incorporate this 
functionality.


Does this exist, or do I have to implement it?

Thanks so much!

--
Juan Armario Muñoz
Departamento de Aplicaciones
Centro Informático Científico de Andalucía
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Avenida de la Reina Mercedes s/n
41012 - Sevilla (España)
Teléfono: (+34) 955.056.600
Email: juan.arma...@cica.es



[Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Lager, Nathan T.
I have an IPA server that i'm rebuilding.  It was part of a 3 server 
replication.  That is, three ipa replicas. Caroline0 through 2.  

I have the server rebuilt, the problem is, it wasn't cleanly removed from the 
ipa replication in the first place, so the other two replicas still think it 
exists.  I thought it should be a simple matter of deleting the down replica on 
the other two, but that's not working out.

Yes, I understand that it should have been cleanly uninstalled, and that would 
have avoided this.  Live and learn. 

Here's some detail. Caroline1 is the server which is to be rebuilt. 

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master
[root@caroline2 PROD ~]# ipa-replica-manage del caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa host-del caroline1.lafayette.edu
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

I have tried the same commands from Caroline0, which is the first ipa server I 
built, thinking that maybe it was in some way authoritative in some matters 
because it was the first. Same deal there. 

I've tried simply re-adding my rebuilt caroline1, hoping it would replace the 
old, no luck there.  

The host caroline1.lafayette.edu already exists on the master server.
You should remove it before proceeding:
% ipa host-del caroline1.lafayette.edu

I think the key here is to convince the other two ipa servers, that caroline1 
is no longer a master, but I haven't found a way to do that yet. 


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042




Re: [Freeipa-users] users account functionality

2013-05-02 Thread John Dennis

On 05/02/2013 04:42 AM, Juan Armario wrote:

Hi,

I'm Juan and I'm building a freeipa application, and I need to know if it is
possible to integrate a module, or if one is already developed, with the typical
functionality we want for an authentication service for our users, like
remember password, create users, send an email for confirmation, or
send an account delete request.

We have installed the basic freeipa and we need to incorporate this
functionality.

Does this exist, or do I have to implement it?


It's a little hard to understand exactly what you're looking to 
accomplish; for instance, what does "remember password" mean?


It doesn't sound like what you're looking for requires adding a plugin 
module, rather you're looking to add a front-end to IPA which is easy to 
do with scripts. IPA is quite amenable to scripting because we provide a 
command line interface. You can either call the ipa command from a shell 
script or you can write your own Python scripts and invoke the IPA API 
directly. Be careful though: the type of operations you've described all 
require administrator privileges; it's not something a general user can do.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Petr Viktorin

On 05/02/2013 03:49 PM, Lager, Nathan T. wrote:

I have an IPA server that i'm rebuilding.  It was part of a 3 server 
replication.  That is, three ipa replicas. Caroline0 through 2.

I have the server rebuilt, the problem is, it wasn't cleanly removed from the 
ipa replication in the first place, so the other two replicas still think it 
exists.  I thought it should be a simple matter of deleting the down replica on 
the other two, but that's not working out.

Yes, I understand that it should have been cleanly uninstalled, and that would 
have avoided this.  Live and learn.

Here's some detail. Caroline1 is the server which is to be rebuilt.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master
[root@caroline2 PROD ~]# ipa-replica-manage del caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for 
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa host-del caroline1.lafayette.edu
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

I have tried the same commands from Caroline0, which is the first ipa server I 
built, thinking that maybe it was in some way authoritative in some matters 
because it was the first. Same deal there.

I've tried simply re-adding my rebuilt caroline1, hoping it would replace the 
old, no luck there.

The host caroline1.lafayette.edu already exists on the master server.
You should remove it before proceeding:
 % ipa host-del caroline1.lafayette.edu

I think the key here is to convince the other two ipa servers, that caroline1 
is no longer a master, but I haven't found a way to do that yet.


Use the --force:

ipa-replica-manage del --force caroline1.lafayette.edu

The command tries to sever replication agreements before deleting info 
about the replica. With --force it will ignore the fact that there's no 
agreement and continue on.


--
Petr³



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

I'm sorry, I should have mentioned that I've tried that already.
Here's the output.

[root@caroline2 PROD ~]# ipa-replica-manage del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'

Thanks!


On 05/02/2013 10:00 AM, Petr Viktorin wrote:
 Use the --force:
 
 ipa-replica-manage del --force caroline1.lafayette.edu
 
 The command tries to sever replication agreements before deleting
 info about the replica. With --force it will ignore the fact that
 there's no agreement and continue on.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Petr Viktorin

On 05/02/2013 04:17 PM, Nathan wrote:


I'm sorry, I should have mentioned that I've tried that already.
Here's the output.

[root@caroline2 PROD ~]# ipa-replica-manage del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'

Thanks!


Hmm. The error should be displayed, but the command should continue on 
if there is info about the replica...

Try running the command with -v to get more info.
You can use the --cleanup option as a last resort.

Also, could you check ipa-replica-manage list again, to make sure it's 
still there? Sometimes it's not clear if the command worked.




--
Petr³



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even tried moving the
-v around in the command line, to see if placement mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v  del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that I should not try it?


On 05/02/2013 10:29 AM, Petr Viktorin wrote:
 On 05/02/2013 04:17 PM, Nathan wrote:
 
 I'm sorry, I should have mentioned that I've tried that already. 
 Here's the output.
 
 [root@caroline2 PROD ~]# ipa-replica-manage del --force 
 caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
 replication agreement for 'caroline1.lafayette.edu'
 
 Thanks!
 
 Hmm. The error should be displayed, but the command should continue
 on if there is info about the replica... Try running the command
 with -v to get more info. You can use the --cleanup option as a
 last resort.
 
 Also, could you check ipa-replica-manage list again, to make sure
 it's still there? Sometimes it's not clear if the command worked.
 
 
 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



[Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
auto-renew.

ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110706215109':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-08-23 20:20:10 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110706215129':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-08-23 20:30:21 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
Request ID '20120925200227':
status: GENERATING_CSR
ca-error: Unable to determine principal name for signing request.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-03-24 19:56:36 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes

I verified that the IPA keytab is populated:

klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
 -

   2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
   2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
   2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
   2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
   2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
   2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
   4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
   4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
   4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
   4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
   5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
   5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
   5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
   5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
   6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
   6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
   6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
   6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net

and ran kvno host/ipa01.ctidata.net to see what the KDC shows for this
principal:
host/ipa01.ctidata@ctidata.net: kvno = 6

Not sure what caused the ca_errors but I need to at least manually renew
the certs and then figure out what went wrong.

Any advice on what the ca_errors mean and how I can fix the issue?

Thanks,
David
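Both this thread and the krb5-workstation thread above come down to the same question: is the host principal really in /etc/krb5.keytab, and is the keytab's newest key version the one the KDC hands out? The script below is an added example (not code from any list post or from FreeIPA) that answers that from `klist -kt` and `kvno` output before you try `kinit -k`. The sample listings are constructed to resemble David's; the realm CTIDATA.NET is assumed from the certificate subjects. On a real host feed it `"$(klist -kt /etc/krb5.keytab)"` and `"$(kvno host/$(hostname))"`.

```shell
#!/bin/sh
# Added example, not code from the list posts: compare the key version numbers
# a keytab holds for the host principal with the one the KDC reports.

# Constructed sample of `klist -kt /etc/krb5.keytab` output (realm assumed).
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET'

# Constructed sample of `kvno host/ipa01.ctidata.net` output.
SAMPLE_KVNO='host/ipa01.ctidata.net@CTIDATA.NET: kvno = 6'

# Host principal name for a host and realm, e.g. host/ipa01.ctidata.net@CTIDATA.NET.
host_principal() {                      # $1 = fqdn, $2 = realm
    printf 'host/%s@%s\n' "$1" "$2"
}

# Highest KVNO the keytab holds for a principal; prints nothing if it is absent.
keytab_max_kvno() {                     # $1 = klist -kt output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# KVNO the KDC currently reports, parsed from `kvno` output.
kdc_kvno() {                            # $1 = kvno output
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2 + 0 }'
}

# Verdict: ok / missing (principal not in keytab) / stale (keytab behind the
# KDC, so kinit -k will fail with "no suitable keys") / unknown (kvno output
# could not be parsed).
check_keytab() {                        # $1 = klist output, $2 = kvno output, $3 = principal
    kt=$(keytab_max_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ]; then echo missing
    elif [ -z "$kdc" ]; then echo unknown
    elif [ "$kt" -eq "$kdc" ]; then echo ok
    else echo stale
    fi
}

# Stand-alone demo on the constructed samples.
princ=$(host_principal ipa01.ctidata.net CTIDATA.NET)
echo "$princ: keytab kvno=$(keytab_max_kvno "$SAMPLE_KLIST" "$princ"), KDC kvno=$(kdc_kvno "$SAMPLE_KVNO"), verdict=$(check_keytab "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$princ")"
```

A "missing" verdict usually means `hostname` does not match the principal that was enrolled (Nalin's first question), while "stale" means the host's key was re-issued and the keytab was never refreshed.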

Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Petr Viktorin

On 05/02/2013 05:21 PM, Nathan wrote:


List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even tried moving the
-v around in the command line, to see if placement mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v  del --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v
caroline1.lafayette.edu
'caroline2.lafayette.edu' has no replication agreement for
'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that I should not try it?


Looking at the code, it only cleans up the Kerberos info and host entry, 
not DNS records or RUV.


--
Petr³



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

ipa-replica-manage does not seem to have a --cleanup option...  Can
you give me more detail about how it's used?



On 05/02/2013 12:07 PM, Petr Viktorin wrote:
 On 05/02/2013 05:21 PM, Nathan wrote:
 
 List still shows caroline1.
 
 [root@caroline2 PROD ~]# ipa-replica-manage list 
 caroline0.lafayette.edu: master caroline2.lafayette.edu: master 
 caroline1.lafayette.edu: master
 
 
 -v does not seem to change the output at all. I even tried
 moving the -v around in the command line, to see if placement
 mattered.
 
 [root@caroline2 PROD ~]# ipa-replica-manage -v  del --force 
 caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
 replication agreement for 'caroline1.lafayette.edu' 
 [root@caroline2 PROD ~]# ipa-replica-manage del -v --force 
 caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
 replication agreement for 'caroline1.lafayette.edu' 
 [root@caroline2 PROD ~]# ipa-replica-manage del --force -v 
 caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
 replication agreement for 'caroline1.lafayette.edu' 
 [root@caroline2 PROD ~]# ipa-replica-manage list 
 caroline0.lafayette.edu: master caroline2.lafayette.edu: master 
 caroline1.lafayette.edu: master
 
 
 Is --cleanup destructive?  Is there some reason that I should
 not try it?
 
 Looking at the code, it only cleans up the Kerberos info and host
 entry, not DNS records or RUV.
 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042



Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 10:59:11AM -0500, Toasted Penguin wrote:
 Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
 auto-renew.
 
 ipa-getcert list
 Number of certificates and requests being tracked: 4.
[snip]
 Request ID '20120615190133':
 status: CA_UNCONFIGURED
 ca-error: Error setting up ccache for local host service using default 
 keytab.
 stuck: yes
 key pair storage: 
 type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
 Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
 CA: IPA
 issuer:
 subject:
 expires: unknown
 track: yes
 auto-renew: yes

That error's not expected.  Assuming there aren't any permissions-
related problems (due to SELinux policy or regular filesystem
permissions) preventing the submission helper from reading the keytab,
can you verify that hostname prints ipa01.ctidata.net, and that
kinit -k host/ipa01.ctidata.net succeeds?

 Request ID '20120925200227':
 status: GENERATING_CSR
 ca-error: Unable to determine principal name for signing request.
 stuck: no
 key pair storage: 
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate: 
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=CTIDATA.NET
 subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
 expires: 2013-03-24 19:56:36 UTC
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
 
 I verified that the IPA keytab is populated:
 
 klist -kt /etc/krb5.keytab
 Keytab name: WRFILE:/etc/krb5.keytab
 KVNO Timestamp Principal
  -
 
2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net
4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net
5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net
6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net
 
 and ran kvno host/ipa01.ctidata.net to see what the KDC shows for this
 principal:
 host/ipa01.ctidata@ctidata.net: kvno = 6
 
 Not sure what caused the ca_errors but I need to at least manually renew
 the certs and then figure out what went wrong.
 
 Any advice on what the ca_errors mean and how I can fix the issue?

The "Unable to determine principal name for signing request." error stems from
IPA's certificate submission API's requirement that each certificate
request include the associated Kerberos principal name, and certmonger
not knowing what value to send.

I'm guessing that there wasn't one specified with the -K option when
certmonger was told to keep an eye on the certificate, and if there was
already a certificate there, a principal name couldn't be read from it.

Based on where the certificate's being stored, it's probably intended to
be used for the HTTP service on the host, so its principal name would
be HTTP/ipa01.ctidata@ctidata.net.  If you run:
ipa-getcert resubmit -i 20120925200227 \
-K HTTP/ipa01.ctidata@ctidata.net
that should provide certmonger with the missing information and get
things going again.

HTH,

Nalin

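Reading ca-error lines by eye, as Nalin does above, is fine for four requests but not for a fleet. As an added example (not code from the list or from certmonger), the script below parses `ipa-getcert list` output into one line per tracking request and flags entries that are stuck, carry a ca-error, or have already expired relative to a timestamp you pass in. The sample listing is constructed to mirror David's (only the fields the parser uses are kept, one per line as ipa-getcert prints them). On a real server run `getcert_report "$(ipa-getcert list)" "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"`.

```shell
#!/bin/sh
# Added example, not code from the list posts: summarise `ipa-getcert list`
# output so stuck, erroring or expired tracking requests stand out.

# Constructed sample modelled on the listing in the thread.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert'
        CA: IPA
        subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
        expires: 2013-08-23 20:20:10 UTC
        track: yes
        auto-renew: yes
Request ID '20120615190133':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local host service using default keytab.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20120925200227':
        status: GENERATING_CSR
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        CA: IPA
        subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
        expires: 2013-03-24 19:56:36 UTC
        track: yes
        auto-renew: yes
EOF
)

# One line per request: "<id> <status> <flags>", flags being a comma-separated
# subset of STUCK, CA_ERROR, EXPIRED, or OK when none apply.  The expiry
# comparison is a plain string compare, which works because ipa-getcert
# prints "YYYY-MM-DD HH:MM:SS UTC" and "now" must use the same format.
getcert_report() {                      # $1 = ipa-getcert list output, $2 = now
    printf '%s\n' "$1" | awk -v now="$2" '
        function flush(   flags) {
            if (id == "") return
            flags = ""
            if (stuck == "yes") flags = flags "STUCK,"
            if (caerr != "") flags = flags "CA_ERROR,"
            if (expires != "" && expires != "unknown" && expires < now) flags = flags "EXPIRED,"
            if (flags == "") flags = "OK"
            sub(/,$/, "", flags)
            print id, status, flags
        }
        /^Request ID / { flush(); id = $3; gsub(/[^0-9]/, "", id)
                         status = ""; stuck = ""; caerr = ""; expires = ""; next }
        {
            sub(/^[ \t]+/, "")              # ipa-getcert indents field lines
            i = index($0, ": ")
            if (i == 0) next                # e.g. "issuer:" with no value
            k = substr($0, 1, i - 1); v = substr($0, i + 2)
            if (k == "status") status = v
            else if (k == "stuck") stuck = v
            else if (k == "ca-error") caerr = v
            else if (k == "expires") expires = v
        }
        END { flush() }'
}

# Only the requests that need attention.
getcert_problems() {                    # $1 = ipa-getcert list output, $2 = now
    getcert_report "$1" "$2" | awk '$3 != "OK"'
}

# Stand-alone demo on the constructed sample, "now" being the thread's date.
getcert_problems "$SAMPLE_GETCERT" '2013-05-02 16:00:00 UTC'
```

Request 20120925200227 shows why the expiry check matters: certmonger reports it as "stuck: no", yet the certificate it guards expired in March and every renewal attempt has been failing on the missing principal name.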


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:


ipa-replica-manage does not seem to have a --cleanup option...  Can
you give me more detail about how it's used?


--cleanup was introduced in FreeIPA 3.0.

It sounds like you just have a masters entry left over in 
cn=masters,cn=ipa,cn=etc,dc=example,dc=com. If that is the case then you 
can simply remove those entries.


You should also check out CLEANRUV at 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (skip past the 
CLEANALLRUV part, it probably isn't available if you are still using IPA 
2.2).


rob





On 05/02/2013 12:07 PM, Petr Viktorin wrote:

On 05/02/2013 05:21 PM, Nathan wrote:


List still shows caroline1.

[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


-v does not seem to change the output at all. I even tried
moving the -v around in the command line, to see if placement
mattered.

[root@caroline2 PROD ~]# ipa-replica-manage -v  del --force
caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del -v --force
caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage del --force -v
caroline1.lafayette.edu 'caroline2.lafayette.edu' has no
replication agreement for 'caroline1.lafayette.edu'
[root@caroline2 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master caroline2.lafayette.edu: master
caroline1.lafayette.edu: master


Is --cleanup destructive?  Is there some reason that I should
not try it?


Looking at the code, it only cleans up the Kerberos info and host
entry, not DNS records or RUV.



--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042






Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
 Nalin,
 
 Thanks for your response.  Running `hostname` does result in
 ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
 
 I ran ` ipa-getcert resubmit -i 20120925200227  -K HTTP/
 ipa01.ctidata@ctidata.net`
 
 and it resulted in this:
 
 Request ID '20120615190133':
 status: CA_UNCONFIGURED
 ca-error: Error setting up ccache for local host service using default 
 keytab.
 stuck: yes
 key pair storage: 
 type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
 Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
 CA: IPA
 issuer:
 subject:
 expires: unknown
 track: yes
 auto-renew: yes

Can you retrieve the contents of the request and save it to a temporary
file, like so:
  reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
  awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile \
  > ~/req.csr

And then try to manually submit it to the server for signing, in the way
that certmonger would, like so:
  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr

Hopefully the error output there will give us more information about
what's going on when the submission helper's failing to set up a ccache.

If it manages to get past that point, I expect it to fail because you
hopefully don't have a principal named "bogus" defined on the local
host.  But at that point we'll have gotten past errors creating the
ccache, and we'll have to find another way to figure out why it failed
here.

As an aside, we provide better information for this error in the
ca-error note with later versions than you appear to have, so tracking
down this information won't always be this complicated.

 Request ID '20120925200227':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction, explaining:  Peer certificate cannot be
 authenticated with known CA certificates).
 stuck: yes
 key pair storage:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=CTIDATA.NET
 subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
 expires: 2013-03-24 19:56:36 UTC
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes

There's an error verifying the server's certificate using the local copy
of the CA certificate in /etc/ipa/ca.crt.  Is it also expired?

Nalin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

On 05/02/2013 01:07 PM, Rob Crittenden wrote:
 Nathan wrote: ipa-replica-manage does not seem to have a --cleanup
 option...  Can you give me more detail about how it's used?
 
 --cleanup was introduced in FreeIPA 3.0.
 
 It sounds like you just have a masters entry left over in 
 cn=masters,cn=ipa,cn=etc,dc=example,dc=com. If that is the case
 then you can simply remove those entries.
 
 You should also check out CLEANRUV at 
 http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (skip past
 the CLEANALLRUV part, it probably isn't available if you are
 still using IPA 2.2).
 
[root@caroline2 PROD ~]# rpm -qa ipa-server
ipa-server-2.2.0-17.el6_3.1.x86_64


This is on RHEL 6.3.

Thanks!  I'll look into the doc you mentioned.

How easy is it to check for, and remove the ldap entry you mentioned?
I'm not an ldap admin, but I have some at my disposal if needed.

Thanks!


 rob
 
 
 
 
 On 05/02/2013 12:07 PM, Petr Viktorin wrote:
 On 05/02/2013 05:21 PM, Nathan wrote:
 
 List still shows caroline1.
 
 [root@caroline2 PROD ~]# ipa-replica-manage list
 caroline0.lafayette.edu: master
 caroline2.lafayette.edu: master
 caroline1.lafayette.edu: master
 
 -v does not seem to change the output at all. I even
 tried moving the -v around in the command line, to see if
 placement mattered.
 
 [root@caroline2 PROD ~]# ipa-replica-manage -v del --force caroline1.lafayette.edu
 'caroline2.lafayette.edu' has no replication agreement for 'caroline1.lafayette.edu'
 [root@caroline2 PROD ~]# ipa-replica-manage del -v --force caroline1.lafayette.edu
 'caroline2.lafayette.edu' has no replication agreement for 'caroline1.lafayette.edu'
 [root@caroline2 PROD ~]# ipa-replica-manage del --force -v caroline1.lafayette.edu
 'caroline2.lafayette.edu' has no replication agreement for 'caroline1.lafayette.edu'
 [root@caroline2 PROD ~]# ipa-replica-manage list
 caroline0.lafayette.edu: master
 caroline2.lafayette.edu: master
 caroline1.lafayette.edu: master
 
 
 Is --cleanup destructive?  Is there some reason that I
 should not try it?
 
 Looking at the code, it only cleans up the Kerberos info and
 host entry, not DNS records or RUV.
 
 
 
 
 

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042


Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
Here is the output from the submit:

 /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to "https://ipa01.ctidata.net/ipa/xml".
Fault -504: (libcurl failed to execute the HTTP POST transaction,
explaining:  Peer certificate cannot be authenticated with known CA
certificates).
Server failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  Peer certificate cannot be authenticated
with known CA certificates).

Regarding /etc/ipa/ca.crt, it isn't expired; it shows it's valid until July
6, 2019.



Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
 Here is the output from the submit:
 
  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
 Submitting request to "https://ipa01.ctidata.net/ipa/xml".
 Fault -504: (libcurl failed to execute the HTTP POST transaction,
 explaining:  Peer certificate cannot be authenticated with known CA
 certificates).
 Server failed request, will retry: -504 (libcurl failed to execute the HTTP
 POST transaction, explaining:  Peer certificate cannot be authenticated
 with known CA certificates).
 
 Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July
 6, 2019.

Hmm, so for both cases, you're seeing errors verifying the IPA server's
certificate.  Can you double-check the certificates and that the
server's looks like it was issued by the CA?

This should more or less repeat the part of the process that's giving
libcurl trouble, and show us the certificates, too:

ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
openssl s_client -CAfile /etc/ipa/ca.crt \
-connect $ipahost:https -showcerts < /dev/null

Nalin



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:
> On 05/02/2013 01:07 PM, Rob Crittenden wrote:
>> Nathan wrote: ipa-replica-manage does not seem to have a --cleanup
>> option...  Can you give me more detail about how it's used?
>>
>> --cleanup was introduced in FreeIPA 3.0.
>>
>> It sounds like you just have a masters entry left over in
>> cn=masters,cn=ipa,cn=etc,dc=example,dc=com. If that is the case
>> then you can simply remove those entries.
>>
>> You should also check out CLEANRUV at
>> http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (skip past
>> the CLEANALLRUV part, it probably isn't available if you are
>> still using IPA 2.2).
>
> [root@caroline2 PROD ~]# rpm -qa ipa-server
> ipa-server-2.2.0-17.el6_3.1.x86_64
>
> This is on RHEL 6.3.
>
> Thanks!  I'll look into the doc you mentioned.
>
> How easy is it to check for, and remove the ldap entry you mentioned?
> I'm not an ldap admin, but I have some at my disposal if needed.


$ ldapsearch -LLL -x -b \
cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com dn


Then carefully paste each dn, minus the dn:, in REVERSE order, to:

$ ldapdelete -x -D 'cn=Directory Manager' -w <password>
cn=HTTP...
cn=ldap...

^D to exit

rob





Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority

All the certs monitored by Certmonger show the same issuer.

Wasn't getting anything back when running the ipahost script you provided;
I ran `ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`` and `echo
$ipahost` shows nothing, so I just ran the openssl section manually:

openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https \
-showcerts < /dev/null

Results:
CONNECTED(0003)
depth=1 O = CTIDATA.NET, CN = Certificate Authority
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Certificate chain
 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
   i:/O=CTIDATA.NET/CN=Certificate Authority
-BEGIN CERTIFICATE-
#
-END CERTIFICATE-
 1 s:/O=CTIDATA.NET/CN=Certificate Authority
   i:/O=CTIDATA.NET/CN=Certificate Authority
-BEGIN CERTIFICATE-

-END CERTIFICATE-
---
Server certificate
subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
issuer=/O=CTIDATA.NET/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1959 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: AES256-SHA
Session-ID: #
Session-ID-ctx:
Master-Key: 
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1367518514
Timeout   : 300 (sec)
Verify return code: 10 (certificate has expired)
---
DONE





Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

On 05/02/2013 01:56 PM, Rob Crittenden wrote:
 $ ldapsearch -LLL -x -b 
 cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
 dn
 
 Then carefully paste each dn, minus the dn:, in REVERSE order, to:
 
 $ ldapdelete -x -D 'cn=Directory Manager' -w <password>
 cn=HTTP...
 cn=ldap...
 
 ^D to exit

My ipa domain is systems.lafayette.edu, so I had to work that into
your search string, but I think I have it.

So, here's some output.

[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
dn:
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayett
 e,dc=edu

So, from your ldapdelete example, would I.

$ ldapdelete -x -D 'cn=Directory Manager' -w
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
^D

?
Thanks again!

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Nathan wrote:
> On 05/02/2013 01:56 PM, Rob Crittenden wrote:
>> $ ldapsearch -LLL -x -b
>> cn=oldmaster.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
>> dn
>>
>> Then carefully paste each dn, minus the dn:, in REVERSE order, to:
>>
>> $ ldapdelete -x -D 'cn=Directory Manager' -w <password>
>> cn=HTTP...
>> cn=ldap...
>>
>> ^D to exit
>
> My ipa domain is systems.lafayette.edu, so I had to work that into
> your search string, but I think I have it.
>
> So, here's some output.
>
> [root@caroline0 PROD ~]# ldapsearch -LLL -x -b
> cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
> dn
> dn:
> cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayett
>  e,dc=edu
>
> So, from your ldapdelete example, would I.
>
> $ ldapdelete -x -D 'cn=Directory Manager' -w
> cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
> ^D


Yup, use -W to prompt, or -w password to pass on cli.

Note that this confirms that IPA doesn't think this server is actually 
providing any services.


rob

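As an added example (not from Rob's messages or from FreeIPA), a script that automates the search-then-delete steps above for a master that was never cleanly removed: it unfolds the LDIF that ldapsearch returns (long DNs wrap onto a continuation line, as in Nathan's output), orders the entries deepest-first so children go before their parent, refuses any DN that is not under cn=masters, and only prints the plan unless DO_IT=yes. The helper names and the HTTP/ldap child entries in the sample are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: automate the
# manual steps for a stale cn=<host>,cn=masters,cn=ipa,cn=etc container.
# Assumes OpenLDAP's ldapsearch/ldapdelete and Directory Manager access.
# Helper names (ldif_dns, deepest_first, ...) are hypothetical.

# Unfold LDIF on stdin into one "dn" value per line. LDIF folds long
# lines by starting the continuation with a single space, as seen in the
# thread ("...dc=lafayett" / " e,dc=edu"); a plain grep would lose the
# tail of every folded DN.
ldif_dns() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # continuation line
        /^#/  { next }                             # LDIF comment
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | sed -n 's/^dn: //p'
}

# Order DNs deepest-first so children are deleted before their parent,
# whatever order the server returned them in. Depth is the number of
# RDNs; escaped commas inside values are not handled, and do not occur
# in IPA's cn=masters subtree.
deepest_first() {
    awk '{ print split($0, rdn, ","), $0 }' | sort -k1,1nr | cut -d' ' -f2-
}

# Refuse anything that is not an entry inside cn=masters,cn=ipa,cn=etc:
# the same Directory Manager bind could delete far more than intended.
is_master_dn() {
    case "$1" in
        cn=*,cn=masters,cn=ipa,cn=etc,dc=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the child-first deletion plan for one stale master container.
stale_master_plan() {
    base_dn="$1"
    is_master_dn "$base_dn" || {
        echo "refusing: $base_dn is not under cn=masters" >&2; return 1; }
    ldapsearch -LLL -x -b "$base_dn" dn | ldif_dns | deepest_first
}

# Print the plan; delete only when DO_IT=yes. ldapdelete reads DNs from
# stdin when none are given on the command line, and -W prompts for the
# password instead of exposing it in the process list.
remove_stale_master() {
    plan="$(stale_master_plan "$1")" || return 1
    [ -n "$plan" ] || { echo "nothing found under $1" >&2; return 1; }
    printf '%s\n' "$plan"
    if [ "${DO_IT:-no}" = "yes" ]; then
        printf '%s\n' "$plan" | ldapdelete -x -D 'cn=Directory Manager' -W
    fi
}

# Constructed sample of what ldapsearch returns: the folded DN from the
# thread plus two hypothetical service sub-entries.
sample_ldif() {
    cat <<'EOF'
dn: cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayett
 e,dc=edu

dn: cn=HTTP,cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=
 lafayette,dc=edu

dn: cn=ldap,cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=
 lafayette,dc=edu

EOF
}

# With a DN argument, run against the directory (dry run unless DO_IT=yes);
# without one, show the plan the sample would produce.
if [ $# -gt 0 ]; then
    remove_stale_master "$1"
else
    sample_ldif | ldif_dns | deepest_first
fi
```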


Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Nathan

This seems to have done the trick!

[root@caroline0 PROD ~]# ldapdelete -x -D 'cn=Directory Manager' -W
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu

Enter LDAP Password:
[root@caroline0 PROD ~]# ldapsearch -LLL -x -b
cn=caroline1.lafayette.edu,cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
dn
No such object (32)
Matched DN: cn=masters,cn=ipa,cn=etc,dc=systems,dc=lafayette,dc=edu
[root@caroline0 PROD ~]# ls
anaconda-ks.cfg  ca-agent.p12  cacert.p12  cobbler.ks  install.log
install.log.syslog  ks-rhn-post.log  RPM-GPG-KEY-lafayette
[root@caroline0 PROD ~]# ipa-replica-manage list
caroline0.lafayette.edu: master
caroline2.lafayette.edu: master


Thanks a bunch!


This is the second or third time you've helped me out of a bind, I owe
you a beer.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042


Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
 /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
 
 All the certs monitored by Certmonger show the same issuer.

Ok, good.  (If that hadn't been the case, I wouldn't have had an
explanation to offer.)

 Wasn't getting anything back when running the ipahost script you provided,
 ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
 $ipahost shows nothing so I just ran the openssl section manually:

Hmm.  Curious.  That might be a leftover from having different releases
installed at various times on my test box.  Thanks for continuing on.

 openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https \
 -showcerts < /dev/null
 
 Results:
 CONNECTED(0003)
 depth=1 O = CTIDATA.NET, CN = Certificate Authority
 verify return:1
 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
 verify error:num=10:certificate has expired
 notAfter=Mar 24 19:56:36 2013 GMT
 verify return:1
 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
 notAfter=Mar 24 19:56:36 2013 GMT
 verify return:1
 ---
 Certificate chain
  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
i:/O=CTIDATA.NET/CN=Certificate Authority
 -BEGIN CERTIFICATE-
 #
 -END CERTIFICATE-
  1 s:/O=CTIDATA.NET/CN=Certificate Authority
i:/O=CTIDATA.NET/CN=Certificate Authority
 -BEGIN CERTIFICATE-
 
 -END CERTIFICATE-
 ---
 Server certificate
 subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
 issuer=/O=CTIDATA.NET/CN=Certificate Authority
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 1959 bytes and written 463 bytes
 ---
 New, TLSv1/SSLv3, Cipher is AES256-SHA
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : TLSv1
 Cipher: AES256-SHA
 Session-ID: #
 Session-ID-ctx:
 Master-Key: 
 Key-Arg   : None
 Krb5 Principal: None
 PSK identity: None
 PSK identity hint: None
 Start Time: 1367518514
 Timeout   : 300 (sec)
 Verify return code: 10 (certificate has expired)
 ---
 DONE

Yup, that's the problem: the IPA server's certificate wasn't able to be
replaced while it was still valid, and now it can no longer ask itself
for a new one.

With 2.1.4, I think the simplest way to sort this is to stop the
services (ipactl stop; service certmonger stop), roll the system date
back, start the services up again, possibly use 'ipa-getcert resubmit'
to force updating (it should happen automatically, but forcing it to
happen a second time won't hurt).  Then shut things down, set the
correct time on the clock, and bring everything back up again.

Hopefully there's a smarter way to do it, but I'm blanking on it if
there is one.

HTH,

Nalin



Re: [Freeipa-users] Deleting a down ipa master?

2013-05-02 Thread Rob Crittenden

Great, glad it worked.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Toasted Penguin
Yes that helped fix 2012092520027 (thank you!!)

But I am still seeing an error with:

Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes

I noticed that the request ID doesn't show up
in /var/lib/certmonger/requests/, does that make a difference?

David



Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Rob Crittenden

Toasted Penguin wrote:
> Yes that helped fix 2012092520027 (thank you!!)
>
> But I am still seeing an error with:
>
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local host service using default
> keytab.
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> track: yes
> auto-renew: yes
>
> I noticed that the request ID doesn't show up
> in /var/lib/certmonger/requests/, does that make a difference?


The request ID usually, but not always, matches the name of the request 
file.


We don't usually issue a Server-Cert for an IPA server. Could this be a 
remnant of an older client install?


Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb

rob


David


On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai na...@redhat.com
mailto:na...@redhat.com wrote:

On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
  /etc/ipa/ca.crt was issued by O=CTIDATA.NET http://CTIDATA.NET,
CN=Certificate Authority
 
  All the certs monitored by Certmonger show the same issuer.

Ok, good.  (If that hadn't been the case, I wouldn't have had an
explanation to offer.)

  Wasn't getting anything back when running the ipahost script you
provided,
  ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
and echo
  $ipahost shows nothing so I just ran the openssl section manually:

Hmm.  Curious.  That might be a leftover from having different releases
installed at various times on my test box.  Thanks for continuing on.

  openssl s_client -CAfile /etc/ipa/ca.crt -connect
ipa01.ctidata.net:https
  -showcerts  /dev/null
 
  Results:
  CONNECTED(0003)
  depth=1 O = CTIDATA.NET, CN = Certificate Authority
  verify return:1
  depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
  verify error:num=10:certificate has expired
  notAfter=Mar 24 19:56:36 2013 GMT
  verify return:1
  depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
  notAfter=Mar 24 19:56:36 2013 GMT
  verify return:1
  ---
  Certificate chain
   0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
     i:/O=CTIDATA.NET/CN=Certificate Authority
  -----BEGIN CERTIFICATE-----
  [certificate body omitted]
  -----END CERTIFICATE-----
   1 s:/O=CTIDATA.NET/CN=Certificate Authority
     i:/O=CTIDATA.NET/CN=Certificate Authority
  -----BEGIN CERTIFICATE-----
  [certificate body omitted]
  -----END CERTIFICATE-----
  ---
  Server certificate
  subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
  issuer=/O=CTIDATA.NET/CN=Certificate Authority
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 1959 bytes and written 463 bytes
  ---
  New, TLSv1/SSLv3, Cipher is AES256-SHA
  Server public key is 2048 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
  Protocol  : TLSv1
  Cipher: AES256-SHA
  Session-ID: [omitted]
  Session-ID-ctx:
  Master-Key: [omitted]
  Key-Arg   : None
  Krb5 Principal: None
  PSK identity: None
  PSK identity hint: None
  Start Time: 1367518514
  Timeout   : 300 (sec)
  Verify return code: 10 (certificate has expired)
  ---
  DONE

Yup, that's the problem: the IPA server's certificate wasn't able to be
replaced while it was still valid, and now it can no longer ask itself
for a new one.

With 2.1.4, I think the simplest way to sort this is to stop the
services (ipactl stop; service certmonger stop), roll the system date
back, start the services up again, possibly use 'ipa-getcert resubmit'
to force updating (it should happen automatically, but forcing it to
happen a second time won't hurt).  Then shut things down, set the
correct time on the clock, and bring everything back up again.

Hopefully there's a smarter way to do it, but I'm blanking on it if
there is one.

HTH,

Nalin
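The failure Nalin describes is easy to catch ahead of time by watching the notAfter stamp and verify return code in exactly the s_client output quoted above. The check below is an added example, not code from the thread or from FreeIPA; the sample output is constructed after the posted one (certificate bodies omitted), and the 30-day warning threshold is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the s_client output posted in the thread
# (certificate bodies omitted); it is not a capture from a real host.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Server certificate
subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
issuer=/O=CTIDATA.NET/CN=Certificate Authority
    Verify return code: 10 (certificate has expired)
"""

NOT_AFTER_RE = re.compile(r"^notAfter=(.+?)\s*$", re.MULTILINE)
VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)", re.MULTILINE)

def parse_not_after(stamp):
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' stamp into an aware UTC datetime."""
    normalized = " ".join(stamp.split())  # OpenSSL space-pads single-digit days
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_s_client(output):
    """Pull the notAfter stamp and the final verify code out of s_client output."""
    after = NOT_AFTER_RE.search(output)
    verify = VERIFY_RE.search(output)
    return {
        "not_after": parse_not_after(after.group(1)) if after else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
    }

def check_expiry(output, now=None, warn_days=30):
    """Return (status, days_left); status is EXPIRED, WARN, OK or UNKNOWN."""
    info = parse_s_client(output)
    if info["not_after"] is None:
        return ("UNKNOWN", None)
    now = now or datetime.now(timezone.utc)
    days_left = (info["not_after"] - now).days  # negative once lapsed (floors)
    # OpenSSL code 10 is X509_V_ERR_CERT_HAS_EXPIRED; trust it even if clocks disagree.
    if info["verify_code"] == 10 or days_left < 0:
        return ("EXPIRED", days_left)
    if days_left <= warn_days:
        return ("WARN", days_left)
    return ("OK", days_left)
```

Feed it the real output of the openssl command above (with a current `now`) from cron and alert on anything other than OK, well before certmonger loses its window to renew.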
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] users account functionality

2013-05-02 Thread Dmitri Pal
On 05/02/2013 09:49 AM, John Dennis wrote:
 On 05/02/2013 04:42 AM, Juan Armario wrote:
 Hi,

 I'm Juan and I'm building a freeipa application and need to know if it
 is possible to integrate a module, or if one is already developed, for the
 typical functionality we want from an authentication service for our users,
 like remember password, create users, send an email for confirmation, or
 send an account delete request.

 We have installed the basic freeipa and we need to incorporate this
 functionality.

 Does this exist, or do I have to implement it?

 It's a little hard to understand exactly what you're looking to
 accomplish; for instance, what does "remember password" mean?

 It doesn't sound like what you're looking for requires adding a plugin
 module; rather, you're looking to add a front-end to IPA, which is easy
 to do with scripts. IPA is quite amenable to scripting because we
 provide a command line interface. You can either call the ipa command
 from a shell script or you can write your own Python scripts and
 invoke the IPA API directly. Be careful though: the type of operations
 you've described all require administrator privileges; it's not
 something a general user can do.


It looks like Juan is looking for some kind of more advanced self
service portal, but it is not clear what the specific requirements are.
Juan, can you please be more detailed about what workflows you have
in mind?
Are you looking for self service registration with mail
confirmation? If yes, this does not exist now; generally, IPA is the
domain controller for a controlled environment, and it is not a good fit
for a general purpose accounting service unless you explicitly extend
it. If this is what you are looking for, you can script the additional
flows with the CLI or contribute code; however, you need to be sure your
security model is sound. We do not want to add functionality that would
allow anyone to self register to any instance of IPA; that would be a
security disaster.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
