Re: [Freeipa-users] IPA winsync replication

2013-11-25 Thread Rich Megginson

On 11/25/2013 04:57 PM, Rich Megginson wrote:

On 11/25/2013 11:51 AM, Emil Petersson wrote:
On 25 Nov 2013, at 17:21, Rich Megginson wrote:



On 11/25/2013 08:14 AM, Emil Petersson wrote:

Hi,

I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected 
behaviour with winsync replication.


1. I have a working winsync agreement, and users are synced correctly.

2. If a user already exists in IPA when I sync it from AD, I'm 
seeing the following in the dirsrv error logs:


[25/Nov/2013:14:29:03 +] NSMMReplicationPlugin - 
windows_update_local_entry: failed to modify entry 
uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 
21:Invalid syntax


I assume this is because the user already exists in dirsrv? Fine.


No.  Error 21 is Invalid Syntax.  This means the format of the data 
in the attribute in AD is not correct for the given syntax.  For 
example, if the syntax is Integer, this means the data should be a 
valid integer.  However, AD allows data that violates LDAP syntax.


Can you post the data from the AD entry that corresponds to 
uid=username,cn=users,cn=accounts,dc=domain,dc=net? Please be sure 
to obscure any sensitive data.  I'd like to identify the data that 
is causing this problem.


Certainly, here goes:

dn: CN=Firstname Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=
 domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Firstname Lastname
sn: Lastname
title: Sysadmin
description: Employee
physicalDeliveryOfficeName: XX-XX-XX
telephoneNumber: +00 00 000 0
facsimileTelephoneNumber: +00 00 000 0
givenName: Firstname
distinguishedName: CN=Firstname Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O
 rganization,DC=domain,DC=com
instanceType: 4
whenCreated: 20110321122858.0Z
whenChanged: 20131120104224.0Z
displayName: Firstname Lastname
uSNCreated: 76590
 ngame,DC=com
memberOf: CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com
memberOf: CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com
uSNChanged: 66378160
department: Infrastructure
company: Company name
homeMTA: CN=Microsoft MTA,CN=MBX,CN=Servers,CN=Exchange Administrative Group (
 FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalmail,CN=Microsoft Exchange
 ,CN=Services,CN=Configuration,DC=domain,DC=com
proxyAddresses: SMTP:first.l...@domain.com
proxyAddresses: smtp:first.l...@domain2.com
proxyAddresses: smtp:first.l...@domain3.com
proxyAddresses: sip:first.l...@domain.com
proxyAddresses: X400:C=SE;A= ;P=globalmail;O=Exchange;S=Lastname;G=Firstname;
homeMDB: CN=DB3,CN=SG03 - 2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang
 e Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalma
 il,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
garbageCollPeriod: 1209600
mDBUseDefaults: TRUE
extensionAttribute8: Companyname
mailNickname: username
protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==
protocolSettings:: T1dBwqcx
internetEncoding: 0
name: Firstnam Lastname
objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\path\to\home
homeDrive: H:
badPasswordTime: 130295283826410995
lastLogoff: 0
lastLogon: 130297464093469882
pwdLastSet: 130294130189116476
primaryGroupID: 513
objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==
accountExpires: 0
logonCount: 6909
sAMAccountName: username
sAMAccountType: 805306368
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
 CN=Address Lists Container,CN=globalmail,CN=Microsoft Exchange,CN=Services,CN
 =Configuration,DC=domain,DC=com
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
 r,CN=globalmail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,
 DC=com
legacyExchangeDN: /o=globalmail/ou=Exchange Administrative Group (FYDIBOHF23SP
 DLT)/cn=Recipients/cn=username
userPrincipalName: fi...@domain.com
lockoutTime: 0
ipPhone: +00 00 00 00
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
dSCorePropagationData: 20131118102944.0Z
dSCorePropagationData: 20131118102934.0Z
dSCorePropagationData: 20130313150036.0Z
dSCorePropagationData: 20120821144903.0Z
dSCorePropagationData: 16010101181216.0Z
lastLogonTimestamp: 130294177442871790
textEncodedORAddress: c=XX;a= ;p=globalmail;o=Exchange;s=Lastname;g=Firstname;
mail: first.l...@domain.com
manager: CN=Manager Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o
 ngame,DC=com
mobile:: KzQ2NzI3mjMEMTEwwqAJ


I think this may be the problem.  mobile contains non printable characters:
$ python
>>> import base64
>>> base64.b64decode('KzQ2NzI3mjMEMTEwwqAJ')
'+46727\x9a3\x04110\xc2\xa0\t'

Looks like the mobile phone number contains utf8 characters.  It must not:
/* Per RFC4517:
 *
 * Telephone
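The check Rich does by hand above, generalised into a small pre-sync script; this is an added example, not code from the thread, FreeIPA or 389-ds. It unfolds an LDIF export of an AD user, decodes base64 (`::`) values, and flags any telephone-syntax attribute that contains bytes outside the RFC 4517 PrintableString alphabet, which is what 389-ds rejects with error 21. The attribute list and the LDIF excerpt (apart from the `mobile` value quoted in the thread) are constructed assumptions.

```python
import base64
import re
import string

# RFC 4517 PrintableString alphabet: letters, digits and this punctuation.
PRINTABLE = frozenset(string.ascii_letters + string.digits + " '()+,-./:?=")

# Attributes winsync copies into 389-ds that carry Telephone Number syntax
# (assumption: taken from the standard schema; extend for local schema).
TELEPHONE_ATTRS = frozenset({"telephonenumber", "facsimiletelephonenumber",
                             "mobile", "homephone", "pager"})

# attribute name, ':' or '::' separator, optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Constructed excerpt of an AD user in LDIF form; the mobile value is the
# base64 string from the thread, the rest is sample data.
SAMPLE_LDIF = """\
dn: CN=Firstname Lastname,OU=Users,DC=example,DC=com
objectClass: user
cn: Firstname Lastname
telephoneNumber: +00 00 000 0
facsimileTelephoneNumber: +00 00 00
 0 0
mobile:: KzQ2NzI3mjMEMTEwwqAJ
sAMAccountName: username
"""


def parse_ldif_entry(text):
    """Return [(attribute_lowercase, value_bytes)] for one LDIF entry.

    Unfolds RFC 2849 continuation lines (a leading space joins the line
    to the previous one) and decodes '::' base64 values, which is how
    ldapsearch emits any value that is not safe printable ASCII.
    """
    attrs = []
    for line in text.replace("\n ", "").splitlines():
        m = ATTR_RE.match(line)
        if not m or line.startswith("#"):
            continue
        name, sep, value = m.groups()
        if sep == "::":
            raw = base64.b64decode(value.strip())
        else:
            raw = value.strip().encode("utf-8")
        attrs.append((name.lower(), raw))
    return attrs


def find_syntax_violations(text):
    """Return [(attribute, value_bytes, sorted offending byte values)] for
    every telephone-syntax attribute 389-ds would reject with error 21."""
    violations = []
    for name, raw in parse_ldif_entry(text):
        if name not in TELEPHONE_ATTRS:
            continue
        bad = sorted({b for b in raw if chr(b) not in PRINTABLE})
        if bad:
            violations.append((name, raw, bad))
    return violations


def printable_only(raw):
    """Strip every non-PrintableString byte: a starting point for the
    corrected value to put back into AD (fix the source, not the replica)."""
    return bytes(b for b in raw if chr(b) in PRINTABLE)


if __name__ == "__main__":
    for name, raw, bad in find_syntax_violations(SAMPLE_LDIF):
        print("%s: %r -> offending bytes %s, printable part %r"
              % (name, raw, [hex(b) for b in bad], printable_only(raw)))
```

Run it over `ldapsearch -LLL` output for the AD user (all attributes, as Rich asked for) before re-enabling the sync; every attribute it reports needs fixing on the AD side.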

Re: [Freeipa-users] Intermittent Issues changing passwords since updating to ipa v3 and sasl_bind timeouts ..

2013-11-25 Thread Matt Bryant
After some further digging I tend to agree that it's in the LDAP arena 
where the issue lies .. but there is nothing in the ldap_child log that's 
helping out .. (btw the other replica IPA servers don't seem to encounter 
this issue just the master (ie the server with CA responsibility) ...


Also more logs (sigh) don't understand though how a server can be marked 
as working and in the same second fail ... or what call is causing an 
input/output error ... :(



(Tue Nov 26 09:14:58 2013) [sssd[be[ipa.server-noc.com]]] 
[sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: 
host/tardis.ipa.server-noc.com
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sasl_bind_send] (0x0020): ldap_sasl_bind failed (-5)[Timed out]
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sasl_bind_send] (0x0080): Extended failure message: [unknown error]
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[fo_set_port_status] (0x0100): Marking port 0 of server 
'tardis.ipa.server-noc.com' as 'not working'
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_handle_release] (0x2000): Trace: sh[0x17dcf50], connected[1], 
ops[(nil)], ldap[0x17d6920], destructor_lock[0], release_memory[0]
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[remove_connection_callback] (0x4000): Successfully removed connection 
callback.
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 
[Input/output error]
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[acctinfo_callback] (0x0100): Request processed. Returned 3,5,User 
lookup failed
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_release_conn_data] (0x4000): releasing unused connection
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_dispatch] (0x4000): dbus conn: 174A470
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_dispatch] (0x4000): Dispatching.
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[be_get_account_info] (0x0100): Got request for [4097][1][name=nobody]
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[get_server_status] (0x1000): Status of server 
'tardis.ipa.server-noc.com' is 'working'
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[get_port_status] (0x1000): Port status of port 0 for server 
'tardis.ipa.server-noc.com' is 'not working'
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 
[Input/output error])
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[be_mark_offline] (0x2000): Going offline!
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Tue Nov 26 09:15:04 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_release_conn_data] (0x4000): releasing unused connection

...
...
(Tue Nov 26 09:16:12 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_dispatch] (0x4000): dbus conn: 171FDB0
(Tue Nov 26 09:16:12 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_dispatch] (0x4000): Dispatching.
(Tue Nov 26 09:16:12 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_message_handler] (0x4000): Received SBUS method [ping]
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_dispatch] (0x4000): dbus conn: 174A470
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_dispatch] (0x4000): Dispatching.
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[be_get_account_info] (0x0100): Got request for [4097][1][idnumber=493]
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast 
reply - offline
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 26 09:16:21 2013) [sssd[be[ipa.server-noc.com]]] 
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Nov 

Re: [Freeipa-users] Certificates not renewed [SOLVED]

2013-11-25 Thread Thomas Sailer



Great, thanks for the follow-up.


I was a bit too soon.

After sending the mail, I saw that the freeipa web GUI no longer worked.

It turned out that I ended up with two certificates with the name 
Server-Cert in both the httpd and slapd certificate databases. It 
doesn't seem to be possible using certutil to selectively delete one of 
the two certificates, so I exported both, deleted both, and used an 
ASCII editor to extract the correct one and reimport it.


After restarting httpd, the web gui now works again.

Tom

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Certificates not renewed [SOLVED]

2013-11-25 Thread Rob Crittenden

Thomas Sailer wrote:

I seem to be a victim of BZ 675742


I've fixed this, now I get the following error:
Request ID '2016140151':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: FAILURE
(Profile caIPAserviceCert Not Found)).


chown pkiuser.pkiuser /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg

and

systemctl restart pki-cad@pki-ca.service

has fixed it, all tracked certs are now in MONITORING state


Great, thanks for the follow-up.

rob



Re: [Freeipa-users] Certificates not renewed

2013-11-25 Thread Thomas Sailer

I seem to be a victim of BZ 675742


I've fixed this, now I get the following error:
Request ID '2016140151':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed 
at server.  Certificate operation cannot be completed: FAILURE 
(Profile caIPAserviceCert Not Found)).


chown pkiuser.pkiuser /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg

and

systemctl restart pki-cad@pki-ca.service

has fixed it, all tracked certs are now in MONITORING state

Thanks
Tom



Re: [Freeipa-users] IPA winsync replication

2013-11-25 Thread Emil Petersson
On 25 Nov 2013, at 17:21, Rich Megginson wrote:

> On 11/25/2013 08:14 AM, Emil Petersson wrote:
>> Hi,
>> 
>> I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected behaviour 
>> with winsync replication.
>> 
>> 1. I have a working winsync agreement, and users are synced correctly.
>> 
>> 2. If a user already exists in IPA when I sync it from AD, I'm seeing the 
>> following in the dirsrv error logs:
>> 
>> [25/Nov/2013:14:29:03 +] NSMMReplicationPlugin - 
>> windows_update_local_entry: failed to modify entry 
>> uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 21:Invalid syntax
>> 
>> I assume this is because the user already exists in dirsrv? Fine.
> 
> No.  Error 21 is Invalid Syntax.  This means the format of the data in the 
> attribute in AD is not correct for the given syntax.  For example, if the 
> syntax is Integer, this means the data should be a valid integer.  However, 
> AD allows data that violates LDAP syntax.
> 
> Can you post the data from the AD entry that corresponds to 
> uid=username,cn=users,cn=accounts,dc=domain,dc=net?  Please be sure to 
> obscure any sensitive data.  I'd like to identify the data that is causing 
> this problem.

Certainly, here goes:

dn: CN=Firstname 
Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=
 domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Firstname Lastname
sn: Lastname
title: Sysadmin
description: Employee
physicalDeliveryOfficeName: XX-XX-XX
telephoneNumber: +00 00 000 0
facsimileTelephoneNumber: +00 00 000 0
givenName: Firstname
distinguishedName: CN=Firstname 
Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O
 rganization,DC=domain,DC=com
instanceType: 4
whenCreated: 20110321122858.0Z
whenChanged: 20131120104224.0Z
displayName: Firstname Lastname
uSNCreated: 76590
 ngame,DC=com
memberOf: CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com
memberOf: CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com
uSNChanged: 66378160
department: Infrastructure
company: Company name
homeMTA: CN=Microsoft MTA,CN=MBX,CN=Servers,CN=Exchange Administrative Group (
 FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalmail,CN=Microsoft Exchange
 ,CN=Services,CN=Configuration,DC=domain,DC=com
proxyAddresses: SMTP:first.l...@domain.com
proxyAddresses: smtp:first.l...@domain2.com
proxyAddresses: smtp:first.l...@domain3.com
proxyAddresses: sip:first.l...@domain.com
proxyAddresses: X400:C=SE;A= ;P=globalmail;O=Exchange;S=Lastname;G=Firstname;
homeMDB: CN=DB3,CN=SG03 - 2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang
 e Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalma
 il,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
garbageCollPeriod: 1209600
mDBUseDefaults: TRUE
extensionAttribute8: Companyname
mailNickname: username
protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==
protocolSettings:: T1dBwqcx
internetEncoding: 0
name: Firstnam Lastname
objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\path\to\home
homeDrive: H:
badPasswordTime: 130295283826410995
lastLogoff: 0
lastLogon: 130297464093469882
pwdLastSet: 130294130189116476
primaryGroupID: 513
objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==
accountExpires: 0
logonCount: 6909
sAMAccountName: username
sAMAccountType: 805306368
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
 CN=Address Lists Container,CN=globalmail,CN=Microsoft Exchange,CN=Services,CN
 =Configuration,DC=domain,DC=com
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
 r,CN=globalmail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,
 DC=com
legacyExchangeDN: /o=globalmail/ou=Exchange Administrative Group (FYDIBOHF23SP
 DLT)/cn=Recipients/cn=username
userPrincipalName: fi...@domain.com
lockoutTime: 0
ipPhone: +00 00 00 00
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
dSCorePropagationData: 20131118102944.0Z
dSCorePropagationData: 20131118102934.0Z
dSCorePropagationData: 20130313150036.0Z
dSCorePropagationData: 20120821144903.0Z
dSCorePropagationData: 16010101181216.0Z
lastLogonTimestamp: 130294177442871790
textEncodedORAddress: c=XX;a= ;p=globalmail;o=Exchange;s=Lastname;g=Firstname;
mail: first.l...@domain.com
manager: CN=Manager Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o
 ngame,DC=com
mobile:: KzQ2NzI3mjMEMTEwwqAJ
thumbnailPhoto:: /9j/4QAYRXhpZgAASUkqAAgAAP/sABFEdWNreQABAAQAAABkA
 -snip-
 uaC3IbWlp5cQtpnwnCmjkd9LrDoNFIUDThZwzyrwJbl21//9k=
msExchHomeServerName: /o=globalmail/ou=Exchange Administrative Group (FYDIBOHF
 23SPDLT)/cn=Configuration/cn=Servers/cn=MBX
msExchMailboxSecurityDescriptor:: AQAUjBQgLFwBAQAABQoB
 -snip-
 AQAABQoCADAAAgLQFAADAA0AAQEAAAEAAtoUAGsBDQABAQAAAQAAA
msExchUserAccountControl: 0
msExchMailboxGuid:: uWv8V7HNHUiyda0z/FRc+w==
msEx

Re: [Freeipa-users] Certificates not renewed

2013-11-25 Thread Thomas Sailer

Hi Rob,

thanks for the quick answer!


Does this work?

# ipa cert-show 1

I'm guessing it doesn't.


You're correct, it doesn't.

You are correct, the serial numbers didn't match.

I've fixed this, now I get the following error:
Request ID '2016140151':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed 
at server.  Certificate operation cannot be completed: FAILURE (Profile 
caIPAserviceCert Not Found)).


Thanks,
Tom



Re: [Freeipa-users] Certificates not renewed

2013-11-25 Thread Rob Crittenden

Thomas Sailer wrote:

I have a few certificates that fail to be updated, for example the ldap
and http certificates. If I read the error message from getcert list
(see below) correctly, then the contents of the pinfiles are incorrect.
How do I fix this?

Thanks,
Tom



Does this work?

# ipa cert-show 1

I'm guessing it doesn't.

The nickname ipaCert in /etc/httpd/alias is the RA agent cert used to 
authenticate to dogtag when doing certificate operations. I suspect that 
its value hasn't been updated in the dogtag LDAP database.


A quick way to tell is:

# certutil -L -d /etc/httpd/alias -n ipaCert | grep -i serial

# ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b 
uid=ipara,ou=People,o=ipaca description


This is assuming you've got a 2-instance installation where there is a 
separate 389-ds instance for IPA and the CA. If you have a newer install 
then the port isn't necessary.


If the serial number from certutil doesn't match the second 
colon-separated value then that explains it.


You can see how to update this value at 
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal


rob

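The comparison Rob describes, as an added example (not code from the thread or from FreeIPA): it reads the serial from certutil's output and the serial recorded for uid=ipara and reports whether they agree. It assumes the description value has the Dogtag layout `2;<serial>;<issuer DN>;<subject DN>` (semicolon-separated, although Rob calls it colon-separated) and that certutil prints the serial as `Serial Number: N (0xN)`; both inputs are constructed samples.

```python
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` output
# (only the lines the check needs).
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
"""

# Constructed sample of the ldapsearch result for uid=ipara. The serial
# recorded here (12) deliberately differs from the certificate above, and
# the long value is folded the way ldapsearch folds it.
LDAPSEARCH_OUTPUT = """\
dn: uid=ipara,ou=People,o=ipaca
description: 2;12;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE
 .COM
"""

SERIAL_RE = re.compile(r"Serial Number:\s*(\d+)\s*\((0x[0-9a-fA-F]+)\)")


def certutil_serial(text):
    """Serial number of the certificate as printed by certutil -L -n."""
    m = SERIAL_RE.search(text)
    if not m:
        raise ValueError("no 'Serial Number: N (0xN)' line in certutil output")
    decimal, hexadecimal = int(m.group(1)), int(m.group(2), 16)
    if decimal != hexadecimal:
        raise ValueError("inconsistent serial %s" % m.group(0))
    return decimal


def ipara_description(text):
    """Return (version, serial, issuer, subject) from the uid=ipara entry.
    Assumed layout of the description value: '2;<serial>;<issuer>;<subject>'."""
    unfolded = text.replace("\n ", "")          # join LDIF continuation lines
    for line in unfolded.splitlines():
        if line.lower().startswith("description:"):
            fields = line.split(":", 1)[1].strip().split(";", 3)
            if len(fields) != 4 or not fields[1].isdigit():
                raise ValueError("unexpected description layout: %r" % line)
            return fields[0], int(fields[1]), fields[2], fields[3]
    raise ValueError("uid=ipara entry has no description attribute")


def ra_cert_matches(certutil_text, ldapsearch_text):
    """True when the RA cert in the NSS DB is the one Dogtag knows about."""
    return certutil_serial(certutil_text) == ipara_description(ldapsearch_text)[1]


if __name__ == "__main__":
    nss = certutil_serial(CERTUTIL_OUTPUT)
    dogtag = ipara_description(LDAPSEARCH_OUTPUT)[1]
    print("NSS DB serial %d, Dogtag uid=ipara serial %d -> %s"
          % (nss, dogtag, "match" if nss == dogtag else "MISMATCH, update uid=ipara"))
```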


Re: [Freeipa-users] CA expiration and renewal

2013-11-25 Thread Rob Crittenden

Erinn Looney-Triggs wrote:

Folks just wanted to touch base again before the American holiday season
starts. My CA, which is subordinate to AD CS will be expiring on
December 9th, I submitted a bug, y'all drew up docs etc for a plan
(thanks). Now I just wanted to see how it was going and if need be what
manual steps I will need to take to renew the certificate.

Thanks again for the great work,


We're working on a set of tools to make this easier. For now I've 
appended some manual instructions onto a page still in progress.


http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0

Some parts may still be a little rough or hard to understand. Let me 
know if you have any problems or corrections.


rob



[Freeipa-users] Certificates not renewed

2013-11-25 Thread Thomas Sailer
I have a few certificates that fail to be updated, for example the ldap 
and http certificates. If I read the error message from getcert list 
(see below) correctly, then the contents of the pinfiles are incorrect. 
How do I fix this?


Thanks,
Tom

Number of certificates and requests being tracked: 8.
Request ID '2016140151':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: EXCEPTION (Invalid 
Credential.)).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd--COM',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd--COM//pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd--COM',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=.COM
subject: CN=server..com,O=.COM
expires: 2013-11-16 14:01:50 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '2016140217':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: EXCEPTION (Invalid 
Credential.)).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=.COM
subject: CN=server..com,O=.COM
expires: 2013-11-16 14:02:17 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '2016140238':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: EXCEPTION (Invalid 
Credential.)).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=.COM
subject: CN=server..com,O=.COM
expires: 2013-11-16 14:02:38 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130424090625':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='399557979284'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=.COM
subject: CN=CA Audit,O=.COM
expires: 2015-09-29 09:22:17 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20130424090626':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='399557979284'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=.COM
subject: CN=OCSP Subsystem,O=.COM
expires: 2015-09-29 09:21:17 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20130424090627':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin='399557979284'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=.COM
subject: CN=CA Subsystem,O=.COM
expires: 2015-09-29 09:21:17 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/cer

Re: [Freeipa-users] IPA winsync replication

2013-11-25 Thread Rich Megginson

On 11/25/2013 08:14 AM, Emil Petersson wrote:

Hi,

I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected 
behaviour with winsync replication.


1. I have a working winsync agreement, and users are synced correctly.

2. If a user already exists in IPA when I sync it from AD, I'm 
seeing the following in the dirsrv error logs:


[25/Nov/2013:14:29:03 +] NSMMReplicationPlugin - 
windows_update_local_entry: failed to modify entry 
uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 21:Invalid 
syntax


I assume this is because the user already exists in dirsrv? Fine.


No.  Error 21 is Invalid Syntax.  This means the format of the data in 
the attribute in AD is not correct for the given syntax.  For example, 
if the syntax is Integer, this means the data should be a valid 
integer.  However, AD allows data that violates LDAP syntax.


Can you post the data from the AD entry that corresponds to 
uid=username,cn=users,cn=accounts,dc=domain,dc=net?  Please be sure to 
obscure any sensitive data.  I'd like to identify the data that is 
causing this problem.




3. Then I remove the corresponding user from IPA and force another 
sync from AD, hoping that the user will sync properly this time, and 
thus have its ntUser* attributes created:


[25/Nov/2013:14:29:09 +] NSMMReplicationPlugin - 
agmt="cn=meToAD.domain.com" (dc03:389): map_entry_dn_inbound: looking 
for local entry by uid [username]
[25/Nov/2013:14:29:09 +] - Windows sync entry: Adding new 
local entry dn: uid=username,cn=users,cn=accounts,dc=domain,dc=net
[25/Nov/2013:14:29:09 +] NSMMReplicationPlugin - add operation 
of entry uid=username,cn=users,cn=accounts,dc=domain,dc=net returned: 21


It's like something (either AD or IPA) remembers that a user has 
failed once, and then refuses to sync it any more. Removing the winsync 
agreement and recreating it completely doesn't help. The user is still 
not synced, and leaves error code 21.


Anyone have any idea on why this is, and how I can sync the user even 
though it has failed once?






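As an added illustration of the diagnosis above (a value in the AD entry that violates the LDAP syntax of the attribute on the IPA side), here is a small pre-sync check written for this thread; it is not FreeIPA or 389-ds code. The attribute-to-syntax map and the AD entry are constructed, and exampleIntAttr is a hypothetical attribute.

```python
import re

# Validators for a subset of RFC 4517 syntaxes. This is a constructed
# sanity check; the 389-ds syntax plugins remain the authority.
_INTEGER = re.compile(r"^(0|-?[1-9][0-9]*)$")       # no leading zeros, no spaces
_GENTIME = re.compile(r"^[0-9]{14}(\.[0-9]+)?Z$")   # simplified, e.g. 20131120104224.0Z
_BOOLEAN = {"TRUE", "FALSE"}

def check_value(syntax, value):
    """Return None if value is legal for the syntax, else a short reason."""
    if syntax == "Integer":
        return None if _INTEGER.match(value) else "not an RFC 4517 INTEGER"
    if syntax == "Boolean":
        return None if value in _BOOLEAN else "must be TRUE or FALSE"
    if syntax == "GeneralizedTime":
        return None if _GENTIME.match(value) else "not a GeneralizedTime"
    if syntax == "DirectoryString":
        return None if value else "zero-length value"
    return None  # syntax we do not model here: nothing to report

def find_syntax_violations(entry, syntax_map):
    """entry: attribute -> list of string values read from AD; syntax_map:
    lowercase attribute -> syntax name on the IPA side. Returns candidates
    for the 'error 21: Invalid syntax' seen when winsync writes the entry."""
    violations = []
    for attr, values in entry.items():
        syntax = syntax_map.get(attr.lower())
        if syntax is None:
            continue  # attribute not synced or not in the map
        for value in values:
            reason = check_value(syntax, value)
            if reason:
                violations.append((attr, value, reason))
    return violations

# Constructed map of the syntax each synced attribute has in the IPA schema.
SYNTAX_MAP = {
    "description": "DirectoryString",
    "telephonenumber": "TelephoneNumber",   # not modelled, so never reported
    "whencreated": "GeneralizedTime",
    "exampleintattr": "Integer",            # hypothetical integer-typed attribute
}

# Constructed AD entry with two values that fail the checks.
AD_ENTRY = {
    "description": [""],                    # zero-length DirectoryString
    "telephoneNumber": ["+00 00 000 0"],
    "whenCreated": ["20110321122858.0Z"],
    "exampleIntAttr": ["007"],              # leading zeros violate the INTEGER ABNF
}
```

Running `find_syntax_violations(AD_ENTRY, SYNTAX_MAP)` reports the description and exampleIntAttr values, which is the kind of data worth inspecting on the AD side before forcing another sync.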
[Freeipa-users] IPA winsync replication

2013-11-25 Thread Emil Petersson

Hi,

I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected 
behaviour with winsync replication.


1. I have a working winsync agreement, and users are synced correctly.

2. If a user already exists in IPA when I sync it from AD, I'm seeing 
the following in the dirsrv error logs:


[25/Nov/2013:14:29:03 +] NSMMReplicationPlugin - 
windows_update_local_entry: failed to modify entry 
uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 21:Invalid syntax


I assume this is because the user already exists in dirsrv? Fine.

3. Then I remove the corresponding user from IPA and force another sync 
from AD, hoping that the user will sync properly this time, and thus 
have its ntUser* attributes created:


[25/Nov/2013:14:29:09 +] NSMMReplicationPlugin - 
agmt="cn=meToAD.domain.com" (dc03:389): map_entry_dn_inbound: looking 
for local entry by uid [username]
[25/Nov/2013:14:29:09 +] - Windows sync entry: Adding new local 
entry dn: uid=username,cn=users,cn=accounts,dc=domain,dc=net
[25/Nov/2013:14:29:09 +] NSMMReplicationPlugin - add operation 
of entry uid=username,cn=users,cn=accounts,dc=domain,dc=net returned: 21


It's like something (either AD or IPA) remembers that a user has failed 
once, and then refuses to sync it any more. Removing the winsync 
agreement and recreating it completely doesn't help. The user is still 
not synced, and leaves error code 21.


Anyone have any idea on why this is, and how I can sync the user even 
though it has failed once?




Re: [Freeipa-users] Intermittent Issues changing passwords since updating to ipa v3 and sasl_bind timeouts ..

2013-11-25 Thread Sumit Bose
On Mon, Nov 25, 2013 at 09:23:22AM +1000, Matt Bryant wrote:
> All,
> 
> Was wondering if anyone can help out or point us in the right
> direction. Ever since we updated from IPA v2.1 to IPA v3.0 have been
> seeing some intermittent errors when trying to change passwords etc.
> Getting the error cannot change password since system offline.
> 
> Have increased the logging and found that quite frequently the
> sasl_bind using the host principal is timing out and failing ...
> (whether this is a red herring or not don't know but can't be good
> anyhow)
> 
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_kinit_send] (0x0400): Attempting kinit (default,
> host/tardis.ipa.server-noc.com, SERVER-IPA, 86400)
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [get_server_status] (0x1000): Status of server
> 'tardis.ipa.server-noc.com' is 'working'
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set
> to 10 seconds
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [get_server_status] (0x1000): Status of server
> 'tardis.ipa.server-noc.com' is 'working'
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved
> server
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [be_resolve_server_process] (0x0200): Found address for server
> tardis.ipa.server-noc.com: [203.147.190.30] TTL 7200
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
> TGT...
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [create_tgt_req_send_buffer] (0x1000): buffer size: 56
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [child_handler_setup] (0x2000): Setting up signal handler up for pid
> [3734]
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [child_handler_setup] (0x2000): Signal handler set up for pid [3734]
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt
> child
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_process_result] (0x2000): Trace: sh[0xa45960], connected[1],
> ops[(nil)], ldap[0xa12200]
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [child_sig_handler] (0x1000): Waiting for child [3734].
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [child_sig_handler] (0x0100): child [3734] finished successfully.
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sss_child_handler] (0x2000): waitpid failed [10]: No child
> processes
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_get_tgt_recv] (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_SERVER-IPA], expired on [1385420045]
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_cli_auth_step] (0x1000): the connection will expire at
> 1385334545
> (Mon Nov 25 08:54:05 2013) [sssd[be[ipa.server-noc.com]]]
> [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user:
> host/tardis.ipa.server-noc.com
> (Mon Nov 25 08:54:11 2013) [sssd[be[ipa.server-noc.com]]]
> [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-5)[Timed out]
> (Mon Nov 25 08:54:11 2013) [sssd[be[ipa.server-noc.com]]]
> [sasl_bind_send] (0x0080): Extended failure message: [unknown error]
> (Mon Nov 25 08:54:11 2013) [sssd[be[ipa.server-noc.com]]]
> [fo_set_port_status] (0x0100): Marking port 0 of server
> 'tardis.ipa.server-noc.com' as 'not working'
> (Mon Nov 25 08:54:11 2013) [sssd[be[ipa.server-noc.com]]]
> [sdap_handle_release] (0x2000): Trace: sh[0xa45960], connected[1],
> ops[(nil)], ldap[0xa12200], destructor_lock[0], release_memory[0]
> ..
> ..
> 
> it then goes on to connect to fail over server and succeed and
> shortly after the master server is tested and marked as working
> again ... works for a couple of times then time out again .. any
> pointers gratefully received.

According to the logs I would say that this timeout happens on the
LDAP server side. Do you have a chance to check the server logs to see
what happens at this time on the server?

You can increase the timeout value on the cl