Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
Hi, On 3.1.2014 22:13, James Scollard wrote: Thanks for the reply, Version: Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest version... I'm not sure I understand the answer. I created the CSR and they signed it using their automation, and returned the new ones to me for installation, which failed. SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=. The node itself is x.sun.weather.com, we have a wildcard certificate for sun.weather.com, and this domain controller needs the certificate for the domain for setup to complete. What am I doing wrong here? I sense some confusion about ipa-server-install options here. You use a wildcard server certificate as IPA's CA certificate, which is obviously not correct. It seems to me you are trying to do one of the following: a) Set up IPA using your own server certificate. This is achieved using the --*_pkcs12 options. You must create a PKCS#12 file with the certificate and its private key in order to do this. Assuming you save the PKCS#12 file to /root/ldapm6x00.sun.weather.com.p12, the command line should look something like: # ipa-server-install --dirsrv_pkcs12=/root/ldapm6x00.sun.weather.com.p12 --http_pkcs12=/root/ldapm6x00.sun.weather.com.p12 --root-ca-file=/root/sun.weather.com.crt b) Set up IPA including a IPA-managed CA, with the CA being a subordinate of some external CA. This is where you should use the --external* options. First run ipa-server-install with --external-ca, which will create a CSR for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the external CA to get the IPA CA certificate. Finally, run ipa-server-install with --external_cert_file pointing to the IPA CA certificate and --external_ca_file pointing to CA certificate of the external CA. On 1/3/14 3:58 PM, Rob Crittenden wrote: James Scollard wrote: When attempting to run the second part of the installation with an external CA (Globalsign) using my signed certificate and CA certificate chain I get the following; [root@ldapm6x00 ~]# ipa-server-install --external_cert_file=/root/ldapm6x00.sun.weather.com.crt --external_ca_file=/root/sun.weather.com.crt The log file for this installation can be found in /var/log/ipaserver-install.log Directory Manager password: Subject of the external certificate is not correct (got CN=*.sun.weather.com,O=The Weather Channel Interactive\, Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate Authority,O=SUN.WEATHER.COM). CN= and O= are correct, so why is IPA refusing to use the certificate? It appears to be expecting bogus data instead of using the provided identity. This doesnt appear to be an issue with the certificate, although I have never installed FreeIPA with a Globalsign certificate. I did nto see this problem with Network Solutions wildcard certificates though. Any suggestions would be appreciated. This isn't related to the external CA, it just can't modify the subject of the IPA CA, which it did in this case. I'm not even entirely sure what it would mean to have the CA certificate itself be a wildcard cert. Doesn't seem to be a valid use-case though. Looks like this validation was added in in v3. rob Honza -- Jan Cholasta ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, Jan 03, 2014 at 02:05:58PM +, Andrew Holway wrote: To generate the winbind logs on the server, can you do 'smbcontrol winbindd debug 100', then request the trusted user. The winbind logs would be at /var/log/samba/log.w* I truncated all of the files in /var/log/samba and then make a single login attempt. These are the files that were non zero after the event. log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60 log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f Thank you, I can see some errors in the winbind log and the fact you can't resolve users with wbinfo -u confirms there is an issue, but I'not really a winbind expert. I'm sure Alexander will chime in once he's done with his post-holiday travelling :-) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst-watcher...) failed
Hello! On 1.1.2014 00:45, Dmitri Pal wrote: On 12/30/2013 04:48 AM, Alexandre Ellert wrote: This night, named crashed on my IPA server (Centos 6.5) : Dec 29 02:27:02 ipa-master named[1537]: received control channel command 'reload' Dec 29 02:27:03 ipa-master named[1537]: ldap_helper.c:640: REQUIRE(pthread_kill(ldap_inst-watcher, 10) == 0) failed, back trace Dec 29 02:27:03 ipa-master named[1537]: #0 0x7f6f443a0eff in ?? Dec 29 02:27:03 ipa-master named[1537]: #1 0x7f6f42d0c89a in ?? Dec 29 02:27:03 ipa-master named[1537]: #2 0x7f6f3e48acbf in ?? Dec 29 02:27:03 ipa-master named[1537]: #3 0x7f6f3e48efd6 in ?? Dec 29 02:27:03 ipa-master named[1537]: #4 0x7f6f3e48f591 in ?? Dec 29 02:27:03 ipa-master named[1537]: #5 0x7f6f43bfca54 in ?? Dec 29 02:27:03 ipa-master named[1537]: #6 0x7f6f443c1b87 in ?? Dec 29 02:27:03 ipa-master named[1537]: #7 0x7f6f443c4726 in ?? Dec 29 02:27:03 ipa-master named[1537]: #8 0x7f6f443c4b36 in ?? Dec 29 02:27:03 ipa-master named[1537]: #9 0x7f6f443c4cf8 in ?? Dec 29 02:27:03 ipa-master named[1537]: #10 0x7f6f44399f55 in ?? Dec 29 02:27:03 ipa-master named[1537]: #11 0x7f6f4439d616 in ?? Dec 29 02:27:03 ipa-master named[1537]: #12 0x7f6f42d2b2f8 in ?? Dec 29 02:27:03 ipa-master named[1537]: #13 0x7f6f426e09d1 in ?? Dec 29 02:27:03 ipa-master named[1537]: #14 0x7f6f41c41b6d in ?? Dec 29 02:27:03 ipa-master named[1537]: exiting (due to assertion failure) DNS was setup during installation time and didn't notify any problem since this server is in production (several months). Can you please advice about how to investigate to find the root cause of this crash ? Should I worry about that or is this just a isolated case ? This crash happens if something goes seriously wrong with the LDAP connection between named and LDAP server. (It should not crash but I feel that this part of code is not bullet-proof.) Do you see any messages complaining about broken connection or something like that? Did the server worked fine before the reload? We need more information about your configuration. Please add details mentioned at https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Aboutyouroperatingsystemdistribution and https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Abouttheplugin Have a nice day! -- Petr^2 Spacek ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA Server Install - Why --no-ntp?
On Mon, 2014-01-06 at 09:08 +0100, Petr Spacek wrote: On 23.12.2013 21:57, Simo Sorce wrote: On Mon, 2013-12-23 at 12:57 -0700, Jason Becker wrote: Section 2.1.4.5. NTP in the Fedora 18 / 3.1.5 Guide states: If a server is being installed on a virtual machine, that server *should not* run an NTP server. To disable NTP for FreeIPA, use the *--no-ntp*option. There is no further explanation. I would like to install FreeIPA Server on a vSphere VM where NTP is recommended as part of their timekeeping best practices for Linux guests. Often happens that VMs do not do very good time keeping, so using a VM as the central NTP server is not really advised, you should instead get a good source for NTP external to the virtualized environment and you that one as the time source for your network. Of course if your virtualization environment guarantees a good clock, go for it. The recommendation is in the spirit of avoiding issues in the common case, that up to the time of the writing was not very good :) Would the option --no-ntp-server be better? I think just the Docs need to be clearer on the VM thing. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
That makes absolute perfect sense. Thanks for the clarification. Unfortunately I have an new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format: [root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --root-ca-file=/root/STAR_CA-2048.crt Usage: ipa-server-install [options] ipa-server-install: error: no such option: --dirsrv_pkcs7 I need to convert it to pkcs12 using the converter here (awesome free tool): https://www.sslshopper.com/ssl-converter.html I need the server's private key file to convert from pkcs7 to pkcs12, but cant find it anywhere. Is there a command to export it or does it live in /var/lib or /etc somewhere? Thanks. On 1/6/14 4:09 AM, Jan Cholasta wrote: ipa-server-install --dirsrv_pkcs -- James E. Scollard III Senior Cloud Systems Architect c: 615.730.4387 www.weather.com View my profile on LinkedIn ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
James Scollard wrote: That makes absolute perfect sense. Thanks for the clarification. Unfortunately I have an new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format: [root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --root-ca-file=/root/STAR_CA-2048.crt Usage: ipa-server-install [options] ipa-server-install: error: no such option: --dirsrv_pkcs7 I need to convert it to pkcs12 using the converter here (awesome free tool): https://www.sslshopper.com/ssl-converter.html I need the server's private key file to convert from pkcs7 to pkcs12, but cant find it anywhere. Is there a command to export it or does it live in /var/lib or /etc somewhere? The private exists wherever you generated the CSR. If you used openssl then it would be in a flat file somewhere. If you used NSS then it would be in that database. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
I have it now. The --dirsrv_pkcs12 option seems to like pkcs7 formatted certificates, but the person who issued it did not set a password, so FreeIPA will not let me install it to know if it works for sure. I am having the certificate reissued again with a password in pkcs12 format and all should be well with the world again. Thanks for your help and guidance on this. Your level of support is better than I could have expected. On 1/6/14 11:01 AM, Rob Crittenden wrote: James Scollard wrote: That makes absolute perfect sense. Thanks for the clarification. Unfortunately I have an new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format: [root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --root-ca-file=/root/STAR_CA-2048.crt Usage: ipa-server-install [options] ipa-server-install: error: no such option: --dirsrv_pkcs7 I need to convert it to pkcs12 using the converter here (awesome free tool): https://www.sslshopper.com/ssl-converter.html I need the server's private key file to convert from pkcs7 to pkcs12, but cant find it anywhere. Is there a command to export it or does it live in /var/lib or /etc somewhere? The private exists wherever you generated the CSR. If you used openssl then it would be in a flat file somewhere. If you used NSS then it would be in that database. rob -- James E. Scollard III Senior Cloud Systems Architect c: 615.730.4387 www.weather.com View my profile on LinkedIn ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands. Nope, ypbind was stopped when those errors came up. Matt -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, January 02, 2014 2:58 PM To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues Joseph, Matthew (EXP) wrote: Hello, All of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running. On the IPA master you should be able to run something like: $ ypcat -h `hostname` -d your nis domain name passwd This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues. Is a ypbind process already running on these clients? That might explain the 'address in use' error. rob The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server? Matt *From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal *Sent:* Thursday, January 02, 2014 12:13 PM *To:* freeipa-users@redhat.com *Subject:* EXTERNAL: Re: [Freeipa-users] NIS Compat issues On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote: Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following. [root@ipaserver ~]# ipa-nis-manage enable [root@ipaserver ~]# ipa-compat-manage enable Restart the DNS and Directory Server service: [root@server ~]# service restart rpcbind [root@server ~]# service restart dirsrv On my NIS clients I have the following setup in the yp.conf file. domain domainname.ca server ipaservername.domainname.ca I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried an yptest says Can't communicate with ypbind which makes sense since ypbind will not start. On the NIS client in the messages file it says the following; Ypbind: broadcast: RPC: Timed Out Cannot bind UDP: Address already in use Nothing has changed on my IPA server/configuration so I have no idea why this stopped working. Any suggestions? Please check if the IPA is running, the DS is running. Check the logs that the compat plugin is loaded and working. You can also try looking at the compat tree from the server itself to verify that the plugin, at least the DS part is functional. This generally smells as a firewall issue but I have not way to prove or disprove the theory. Matt ___ Freeipa-users mailing list Freeipa-users@redhat.com mailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ http://www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst-watcher...) failed
We need more information about your configuration. Please add details
mentioned at
https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Aboutyouroperatingsystemdistribution
and
https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Abouttheplugin
What distribution/version/architecture you use?
Centos 6.5 (2.6.32-431.el6.x86_64) up to date
What plugin version you use?
bind-dyndb-ldap-2.3-5.el6.x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation?
Yes
Which version of BIND you use ?
bind-9.8.2-0.17.rc1.el6_4.6.x86_64
Please provide dynamic-db section from configuration file /etc/named.conf :
dynamic-db ipa {
library ldap.so;
arg uri ldapi://%2fvar%2frun%2fslapd-IVSCLOUD-LOCAL.socket;
arg base cn=dns, dc=ivscloud,dc=local;
arg fake_mname ipa-master.ivscloud.local.;
arg auth_method sasl;
arg sasl_mech GSSAPI;
arg sasl_user DNS/ipa-master.ivscloud.local;
arg zone_refresh 0;
arg psearch yes;
arg serial_autoincrement yes;
arg connections 4;
};
Do you have some other text based or DLZ zones configured?
no
Do you have some global forwarders configured in BIND configuration file?
no
options {
[…]
forward first;
forwarders { };
[…]
};
Do you have some settings in global configuration object in LDAP?
no (not sure)
$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com'
'(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started
SASL username: admin@IVSCLOUD.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=dns,dc=example,dc=com with scope subtree
# filter: (objectClass=idnsConfigObject)
# requesting: ALL
#
# search result
search: 4
result: 32 No such object
# numResponses: 1
Do you see any messages complaining about broken connection or something like
that? Did the server worked fine before the reload?
The server worked fine before reload (caused by logrotate).
I've searched in log file /var/log/dirsrv/*, /var/log/messages but didn't find
anything interesting.
Thanks for your help
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst-watcher...) failed
On 06/01/14 21:53, Alexandre Ellert wrote: Do you see any messages complaining about broken connection or something like that? Did the server worked fine before the reload? The server worked fine before reload (caused by logrotate). I've searched in log file /var/log/dirsrv/*, /var/log/messages but didn't find anything interesting. Some of the named crashes I had at first with bind-dyndb-ldap when I started using IPA in production a few years ago also happened at the exact time logrotate rotated the log files. I've not had any issues with bind-dyndb-ldap for a while now, however the most busy dns servers are still running flat files generated from IPA's LDAP tree, but the similarity was too close not to mention it. :) Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 03 Jan 2014, Andrew Holway wrote: To generate the winbind logs on the server, can you do 'smbcontrol winbindd debug 100', then request the trusted user. The winbind logs would be at /var/log/samba/log.w* I truncated all of the files in /var/log/samba and then make a single login attempt. These are the files that were non zero after the event. log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e I can see multiples of: [2014/01/03 07:48:08.789374, 10, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection) cm_prepare_connection: connecting to DC WIN-5UGLHAK7RIN for domain PRATTLE [2014/01/03 07:48:08.789437, 1, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:839(cm_prepare_connection) cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX This means some internal mishandling in winbindd, NT_STATUS_INVALID_PARAMETER_MIX can only appear at this path if the connection (which has just been created, few calls before cli_negprot) has outstanding outstanding calls in outgoing queue at the point when cli_negprot is attempted. As result, cli_negprot can't start until they are finished. log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60 log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f At this point I need to know exact version of the samba package (samba4 if this is RHEL 6.x) to continue investigations with the exact source code at hand. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.
sssd_example.com.log after changing the debug level: https://gist.github.com/anonymous/8290381#file-sssd_example-com-log [genadi@ipaserver root]$ wbinfo -u (no output) [genadi@ipaserver root]$ wbinfo -g admins editors default smb group ad_users ad_admins [genadi@ipaserver root]$ wbinfo --trusted-domains BUILTIN EXAMPLE ADDC [genadi@ipaserver root]$ wbinfo -i Administrator failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user Administrator [genadi@ipaserver root]$ wbinfo --domain-info ADDC.COM Name : ADDC Alt_Name : addc.com SID : S-1-5-21-33789592-1708006097-2663368750 Active Directory : No Native: No Primary : No 2014/1/6 Jakub Hrozek jhro...@redhat.com On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote: Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log). https://gist.github.com/anonymous/8242061 I attempted to log in (as administra...@addc.com) at 9:04. Thanks for the help. You need the *domain* log. According to the logs, your domain is called example.com, do you need to put debug_level=6 (or higher, but 6 should be enough) to the section called [domain/example.com] in sssd.conf, restart sssd, attempt the login and then attach /var/log/sssd/sssd_example.com.log Given that SSSD is complaining about not being able to find the user, I suspect a similar problem as in the other thread, that is, Winbind on the server not being able to talk to the AD. Does wbinfo -u $user work on the server? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
Joseph, Matthew (EXP) wrote: Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands. Can't run them how? Nope, ypbind was stopped when those errors came up. Can you confirm that nothing else is bound to the port? rob Matt -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, January 02, 2014 2:58 PM To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues Joseph, Matthew (EXP) wrote: Hello, All of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running. On the IPA master you should be able to run something like: $ ypcat -h `hostname` -d your nis domain name passwd This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues. Is a ypbind process already running on these clients? That might explain the 'address in use' error. rob The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server? Matt *From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal *Sent:* Thursday, January 02, 2014 12:13 PM *To:* freeipa-users@redhat.com *Subject:* EXTERNAL: Re: [Freeipa-users] NIS Compat issues On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote: Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following. [root@ipaserver ~]# ipa-nis-manage enable [root@ipaserver ~]# ipa-compat-manage enable Restart the DNS and Directory Server service: [root@server ~]# service restart rpcbind [root@server ~]# service restart dirsrv On my NIS clients I have the following setup in the yp.conf file. domain domainname.ca server ipaservername.domainname.ca I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried an yptest says Can't communicate with ypbind which makes sense since ypbind will not start. On the NIS client in the messages file it says the following; Ypbind: broadcast: RPC: Timed Out Cannot bind UDP: Address already in use Nothing has changed on my IPA server/configuration so I have no idea why this stopped working. Any suggestions? Please check if the IPA is running, the DS is running. Check the logs that the compat plugin is loaded and working. You can also try looking at the compat tree from the server itself to verify that the plugin, at least the DS part is functional. This generally smells as a firewall issue but I have not way to prove or disprove the theory. Matt ___ Freeipa-users mailing list Freeipa-users@redhat.com mailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ http://www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating
I’m not too concerned on the default as long as the user is warned (or even maybe asked) at install time. Kind regards, Will Sheldon +1.778-689-1244 On Monday, January 6, 2014 at 1:57 PM, Sigbjorn Lie wrote: On 03/01/14 20:33, Stephen Ingram wrote: On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal d...@redhat.com (mailto:d...@redhat.com) wrote: On 01/03/2014 12:50 PM, Will Sheldon wrote: Thanks Petr, that certainly makes sense from the point of view of functionality. I do think the default is sane, but there are a lot of possible deployment scenarios and my concern is that a junior or time poor admin looking to implement a trusted, secure solution should be made aware of any potential data leakage during configuration, (preferably in big red letters in the documentation, or better still, the install script). Though I am reluctant to draw comparisons between IPA and MS AD they do seem inevitable. AD restricts anonymous binds to the rootDSE entry by default and as such this may be considered by many to be the expected default. Extra care should therefore be made to point out this difference. To do otherwise risks undermining the confidence of users in the security of the solution. It is a double edge sword. We compared IPA to LDAP based solutions and with those you have (had) anonymous bind enabled by default. IMO it is the question of a migration. The field of centralized authentication is crowded with all sorts of different solutions, though not that integrated as AD or IdM. It seems that migrating and then tightening security to the level you need is the way to go. The default you suggest might be a barrier to migration as people usually tackle problems one step at a time. I am not against changing the default eventually but I am not sure it is the time to. But may be I am wrong. Are there any opinions on the matter? I think traditionally LDAP-based solutions have been used as true directories where one might be able to search for people through say a Web-based interface, for example at a university. Whereas AD can also be deployed as a directory, but more often than not though say an email Interface (e.g. Outlook) where the user has already gained access via their own credentials so there was not a need to allow anonymous binds. I like following the tradition of LDAP-based directories where anonymous access is allowed by default, however, it would be really nice as the OP requested to have controls available via the WebUI where the admin could apply ACLs to the directory to restrict access to various areas. As changing the overall access scheme requires a directory restart, I'm not too sure how easy it would be to incorporate that into the WebUI, but maybe a notice somewhere to re-enforce the open nature of the directory if the default is retained. Not to start a flame war here - but I would like to say I disagree with you. :) The traditional LDAP-based solutions you're mentioning keep information that would be open to the public, such as a phone directory. However IPA (like AD) keep sensitive information that should not be open to the public. From a security standpoint it's much easier to forget to secure a piece of information in an open directory, than to simply close the directory off and only open for known entities. In my point of view, it's better to keep these directories closed by default, to anything but authenticated requests. It's a great thing that IPA can easily be configured to either be open or closed to anonymous requests by default. :) Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com (mailto:Freeipa-users@redhat.com) https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Enrolling client to second IPA server
For testing purposes, I'd like to enroll my already IPA-enrolled client to another IPA server, with different domain. My goal is to then use Kerberos authencation in applications to use the second realm and PAM authentication in applications to go to the second domain in sssd while leaving the first realm/domain solely for OS-level authentication. I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to /etc/krb5.conf, but I'm not sure where my second keytab is supposed to go. Reading http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/enrolling-machines.html suggests having the keytab from the IPA server is essential ... but where do I specify its location? Ideally I'd like to just run ipa-client-install with proper parameters but I always get IPA client is already configured on this system. While that is technically correct, it does not move me forward enrolling the system to another IPA server. Does anyone have example steps that need to be done to have my system enrolled to two IPA servers? Thank you, -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 03 Jan 2014, Simo Sorce wrote: On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote: On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote: /var/log/sssd/* this is using bob@host (prattle.com is the windows domain) https://gist.github.com/anonymous/ff817a251948ff58bdb1 this is using b...@prattle.com@host (prattle.com is the windows domain) Thanks, these logs have somewhat more info than those in the other thread. It seems that Winbind on the IPA server has trouble talking to the AD server: (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working' (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working' (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed. (The s2n exop does a special LDAP call to IPA which in turn calls winbind on the server). To generate the winbind logs on the server, can you do 'smbcontrol winbindd debug 100', then request the trusted user. The winbind logs would be at /var/log/samba/log.w* Don't use debug level 100, it will litter the tmp with packet dumps and [possibly fill the disk. Log level 10 is the max that is ever useful. No, you are not right. It looks in this case that there are some unfinished async tasks associated with the outgoing socket and they prevent cli_negprot from starting. On debug level 100 we see content of the packets sent by smbd/winbindd in the log itself which will help to identify what happens. On debug level 10 we simply have two lines in succession telling that winbindd attempted to start cli_negprot and then failed it. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Enrolling client to second IPA server
On Tue, 07 Jan 2014, Jan Pazdziora wrote: For testing purposes, I'd like to enroll my already IPA-enrolled client to another IPA server, with different domain. My goal is to then use Kerberos authencation in applications to use the second realm and PAM authentication in applications to go to the second domain in sssd while leaving the first realm/domain solely for OS-level authentication. I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to /etc/krb5.conf, but I'm not sure where my second keytab is supposed to go. Reading http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/enrolling-machines.html suggests having the keytab from the IPA server is essential ... but where do I specify its location? Ideally I'd like to just run ipa-client-install with proper parameters but I always get IPA client is already configured on this system. While that is technically correct, it does not move me forward enrolling the system to another IPA server. Does anyone have example steps that need to be done to have my system enrolled to two IPA servers? The problem here is that you would have the same host name assigned to two different realms which means there would be a single principal but two different keys associated with it from different realms. A single keytab could contain only principals from the single realm. Thus, you need to use different keytabs and make sure that access to a non-default KDC is always using non-default keytab. You'd also need to fetch IPA2's CA certificate and trust it. Here might be a problem since it will have the same nickname, 'IPA CA' and thus cannot be placed in the same /etc/pki/nssdb database. You can, however, put the cert file in a separate file somewhere, for example, /etc/ipa/ipa2-ca.crt. Now, suppose you have a non-default keytab set at /etc/krb5.keytab.IPA2. # kinit admin@IPA2 # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab.IPA2 would fetch the host keytab there. Then SSSD would need to be configured to use a different location for the keytab for this realm and a different TLS cert. [domain/example.com] ... krb5_keytab = /etc/krb5.keytab.IPA2 ldap_tls_cacert = /etc/ipa/ipa2-ca.crt ... So, off my head (not tested): 1. Set up krb5.conf to have realm and domain_realm mappings for the second realm. You can only have one of the realms as default one. 2. Set up sssd.conf to have a second domain which points krb5_keytab to a different keytab, /etc/krb5.keytab.IPA2, and a different TLS CA certificate. 3. kinit as a principal from the second realm 4. Use ipa-getkeytab to fetch the keytab to /etc/krb5.keytab.IPA2 Finally, for LDAP operations you can't have profiles in ldap.conf, so defaults will only point to the original one. You can create another one in /etc/openldap and then use LDAPCONF environmental variable to point to the second config file for the defaults. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
