Re: [Freeipa-users] IPA Replica Issues

2014-07-30 Thread Choudhury, Suhail
Hi,

Check your GSSAPIAuthentication settings in sshd.conf and restart sshd:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Last week I had some replication problems between replicas which were fixed 
after re-enabling GSSAPI.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Joseph, Matthew (EXP) [matthew.jos...@lmco.com]
Sent: 28 July 2014 17:46
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA Replica Issues

Hello,

I’m currently running into some issues with my replica server.
I noticed it wasn’t getting any updates from the master server so I tried to do 
a force-sync but it states that it is an “invalid password” which I know it is 
not the case.

I tried doing an ipa-replica-manager list replica_server but it gives me the 
SASL(-13) authentication failure: GSSAPI Failure: gss_accept_sec_context, 
‘desc’ Invalid Credentials

I’ve tried doing a kdestroy and have it prompt me for the password but again, 
same error.

Any idea what this would be?

Thanks,

Matt
Information in this email including any attachments may be privileged, 
confidential and is intended exclusively for the addressee. The views expressed 
may not be official policy, but the personal views of the originator. If you 
have received it in error, please notify the sender by return e-mail and delete 
it from your system. You should not reproduce, distribute, store, retransmit, 
use or disclose its contents to anyone. Please note we reserve the right to 
monitor all e-mail communication through our internal and external networks. 
SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and 
Sky International AG and are used under licence. British Sky Broadcasting 
Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration 
No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) 
are direct or indirect subsidiaries of British Sky Broadcasting Group plc 
(Registration No. 2247735). All of the companies mentioned in this paragraph 
are incorporated in England and Wales and share the same registered office at 
Grant Way, Isleworth, Middlesex TW7 5QD.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Replica Issues

2014-07-30 Thread Joseph, Matthew (EXP)
Hey Suhail,

Issue has been resolved; it was actually my replica server being about 10 
minutes out of sync from the master which was causing the credential errors.

Matt

From: Choudhury, Suhail [mailto:suhail.choudh...@bskyb.com]
Sent: Wednesday, July 30, 2014 9:00 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: RE: IPA Replica Issues

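
The root cause Matt reports above is clock skew: Kerberos rejects authenticators whose timestamp differs from the peer's clock by more than the configured tolerance (MIT krb5's clockskew defaults to 300 seconds), and the thread shows how that surfaces as a plain SASL "Invalid Credentials" rather than anything clock-related. The script below is an added example, not code from the thread or from FreeIPA: it builds an SNTP request, parses the reply, computes the RFC 4330 clock offset and compares it with the krb5 default. The server reply is constructed in-process so the check runs offline; query_server does the same exchange against a real NTP server (the master, for instance). The tolerance constant and the simulated 600-second offset are assumptions for the demonstration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KRB5_DEFAULT_CLOCKSKEW = 300      # MIT krb5 'clockskew' default in seconds (assumed unchanged in krb5.conf)


def to_ntp(unix_time):
    """Unix float seconds -> (seconds, fraction) fields of a 64-bit NTP timestamp."""
    whole = int(unix_time)
    frac = int(round((unix_time - whole) * (1 << 32))) & 0xFFFFFFFF
    return whole + NTP_EPOCH_DELTA, frac


def from_ntp(seconds, fraction):
    """NTP (seconds, fraction) -> Unix float seconds."""
    return seconds - NTP_EPOCH_DELTA + fraction / float(1 << 32)


def build_request(client_now):
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3, transmit timestamp = client clock."""
    pkt = bytearray(48)
    pkt[0] = 0x23
    pkt[40:48] = struct.pack("!II", *to_ntp(client_now))
    return bytes(pkt)


def parse_response(pkt):
    """Return (originate, receive, transmit) Unix timestamps from a Mode 4 server reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode %d)" % (pkt[0] & 0x07))
    words = struct.unpack("!12I", pkt[:48])
    originate = from_ntp(words[6], words[7])    # bytes 24-31: our transmit time, echoed back
    receive = from_ntp(words[8], words[9])      # bytes 32-39: when the server got the request
    transmit = from_ntp(words[10], words[11])   # bytes 40-47: when the server sent the reply
    return originate, receive, transmit


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset: positive means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def within_kerberos_skew(offset, tolerance=KRB5_DEFAULT_CLOCKSKEW):
    return abs(offset) <= tolerance


def fake_server_reply(request, server_now):
    """Constructed reply standing in for a real NTP server so the example runs offline."""
    pkt = bytearray(48)
    pkt[0] = 0x24                      # LI=0, VN=4, Mode=4 (server)
    pkt[1] = 2                         # stratum 2
    pkt[24:32] = request[40:48]        # originate timestamp = client's transmit timestamp
    pkt[32:40] = struct.pack("!II", *to_ntp(server_now))
    pkt[40:48] = struct.pack("!II", *to_ntp(server_now))
    return bytes(pkt)


def simulate(client_now, server_ahead_by):
    """One round trip against the fake server; returns (offset_seconds, acceptable_for_kerberos)."""
    req = build_request(client_now)
    reply = fake_server_reply(req, client_now + server_ahead_by)
    t4 = client_now                     # receive time; transit delay is ignored in the simulation
    t1, t2, t3 = parse_response(reply)
    off = clock_offset(t1, t2, t3, t4)
    return off, within_kerberos_skew(off)


def query_server(host, port=123, timeout=2.0):
    """Real exchange (not used offline): offset of this host's clock relative to `host`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    finally:
        sock.close()
    _, t2, t3 = parse_response(data)
    return clock_offset(t1, t2, t3, t4)


if __name__ == "__main__":
    # The thread's case: a replica roughly ten minutes away from the master.
    off, ok = simulate(1406700000.0, 600.0)
    print("offset %+.1f s, within krb5 clockskew: %s" % (off, ok))
```

Run query_server("master.example.com") from the replica; anything beyond the tolerance is a Kerberos failure waiting to happen regardless of what the error text says.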

Re: [Freeipa-users] IPA Replica Issues

2014-07-30 Thread Rob Crittenden
Choudhury, Suhail wrote:
> Hi,
>
> Check your GSSAPIAuthentication settings in sshd.conf and restart sshd:
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> Last week I had some replication problems between replicas which were
> fixed after re-enabling GSSAPI.

I have the feeling this was just coincidence as replication doesn't use ssh.

rob



Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-30 Thread Simo Sorce
On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
> On 07/29/2014 03:47 PM, Luca Tartarini wrote:
>> Hi everyone,
>>
>> I am new to FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
>> configuration is the following: Service Provider (host with Scientific
>> Linux 6) with ipsilon-client and Identity Provider (another host with
>> Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
>> feasible and/or correct?
>> If it is, then I am stuck in the installation of ipsilon-client because
>> after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
>> when I finally run:
>>
>> ipsilon-client-install --saml-idp-metadata
>> https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
>>
>> I get this error about lasso:
>>
>> Traceback (most recent call last):
>>   File "/usr/bin/ipsilon-client-install", line 20, in <module>
>>     from ipsilon.tools.saml2metadata import Metadata
>>   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in <module>
>>     import lasso
>>   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in <module>
>>     import _lasso
>> ImportError: No module named _lasso
>>
>> Does anyone know if it's a problem about lasso's configuration or I forgot
>> something about ipsilon-client?
>>
>> Thanks in advance.
>>
>> Luca Tartarini
>
> Not sure, _lasso.so should be provided by lasso-python package:
>
> # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
> lasso-python-2.4.0-4.el6.x86_64
>
> CCing Simo to advise.

Sounds like lasso-python is missing indeed.

Simo.




[Freeipa-users] Local users/groups to IPA Transition

2014-07-30 Thread Baird, Josh
Hi,

We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our UNIX 
infrastructure.  All of our Linux hosts currently have standard and consistent 
UID/GIDs for at least all of our administrative users.  I'm looking for advice 
on how to migrate these users into IPA.

Since we already have consistent UID/GID numbering for our local users, would 
it be advisable to use these same UID/GIDs for the IPA users?  The local users 
and groups with the same UID/GIDs would still exist on the host during the IPA 
transition.  I assume that if we decided to do this, we would need to modify 
/etc/nsswitch.conf on each host so sss is queried before files for 
passwd/shadow/group.

Eventually we plan to configure a kerberos trust with our AD domain where we 
could configure these UID/GIDs via AD's POSIX UID/GID settings.

How have others handled local to IPA migrations?  Any advice or input would be 
greatly appreciated.

Thanks,

Josh

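
As an added example (not code from the thread or from FreeIPA), the script below does the pre-migration check a practitioner would want before reusing existing UID/GIDs: it parses passwd- and group-format files, compares them with the ids the IPA entries would be created with, and reports names whose ids disagree between the host and IPA as well as ids already owned by a different local account. It also returns the source order nsswitch.conf gives for passwd, shadow and group, so the ordering Josh proposes can be verified host by host. The passwd/group lines, the IPA id maps and the nsswitch.conf fragment are all constructed for the demonstration.

```python
import re

# Constructed sample inputs (not from the thread): one host's local /etc/passwd and
# /etc/group before the migration, and the POSIX ids the matching IPA entries would get.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jbaird:x:1001:1001:Josh Baird:/home/jbaird:/bin/bash
ops:x:1002:1002:Ops Admin:/home/ops:/bin/bash
svcbackup:x:1500:1500::/var/lib/backup:/sbin/nologin
"""
LOCAL_GROUP = """\
root:x:0:
jbaird:x:1001:
ops:x:1002:jbaird
svcbackup:x:1500:
"""
IPA_USERS = {"jbaird": 1001, "ops": 1003, "dba": 1500}   # name -> uidNumber (assumed)
IPA_GROUPS = {"jbaird": 1001, "ops": 1002, "dba": 1500}  # name -> gidNumber (assumed)

# Constructed nsswitch.conf fragment with the order the poster proposes for passwd/group.
NSSWITCH = """\
# /etc/nsswitch.conf
passwd:     sss files
shadow:     files sss
group:      sss files
hosts:      files dns
"""


def parse_ids(text):
    """Map name -> numeric id (third field) for passwd- or group-format lines."""
    ids = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        ids[fields[0]] = int(fields[2])
    return ids


def find_conflicts(local, central, label):
    """Compare a local name->id map with the central (IPA) one.

    Returns a sorted list of (kind, name, detail) where kind is
      '<label>-mismatch'  : same name, different id on the host and in IPA
      '<label>-collision' : the IPA id is already owned by a different local name
    """
    by_id = {}
    for name, num in local.items():
        by_id.setdefault(num, name)
    problems = []
    for name, num in central.items():
        if name in local and local[name] != num:
            problems.append((label + "-mismatch", name,
                             "local %d vs ipa %d" % (local[name], num)))
        owner = by_id.get(num)
        if owner is not None and owner != name:
            problems.append((label + "-collision", name,
                             "%s %d is already local user/group %s" % (label, num, owner)))
    return sorted(problems)


def nsswitch_order(text, database):
    """Ordered NSS sources for `database`, with [action] tokens and comments ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m and m.group(1) == database:
            return [tok for tok in m.group(2).split() if not tok.startswith("[")]
    return []


def migration_report():
    """Conflicts for users and groups plus the configured lookup order, for one host."""
    users = find_conflicts(parse_ids(LOCAL_PASSWD), IPA_USERS, "uid")
    groups = find_conflicts(parse_ids(LOCAL_GROUP), IPA_GROUPS, "gid")
    order = {db: nsswitch_order(NSSWITCH, db) for db in ("passwd", "shadow", "group")}
    return users, groups, order


if __name__ == "__main__":
    users, groups, order = migration_report()
    for kind, name, detail in users + groups:
        print("%-14s %-10s %s" % (kind, name, detail))
    for db in sorted(order):
        print("%s: %s" % (db, " ".join(order[db])))
```

Feed it each host's real /etc/passwd and /etc/group and the output of ipa user-find / group-find; a clean run (no mismatches, no collisions) is what makes keeping the existing numbers safe, since a collision means two different identities will resolve to the same id depending on which source answers first.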


[Freeipa-users] Troubleshooting a webui login error

2014-07-30 Thread Robert Walker
Hi,

I've got 2 IPA servers running in a relationship. One is ok as far as
logging into the webui and the other will only let me kinit admin on the
console of the server. When I try to login into the webui Your session has
expired. Please re-login. and

Please re-enter your username or password  The password or username you
entered is incorrect. Please try again (make sure your caps lock is off).  If
the problem persists, contact your administrator.

The server still seems to authenticate users by remote LDAP requests ok.

Any pointers much appreciated.

Thanks

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-30 Thread Ade Lee
On Tue, 2014-07-29 at 17:49 -0700, Erinn Looney-Triggs wrote:
>>> Ok, well I tried deleting it using certutil it deletes both, I
>>> tried using keytool to see if it would work any better, no dice
>>> there. I'll try the rename, but at this point I am not holding my
>>> breath on that, it seems all operations are a bit too coarse. It
>>> seems the assumption was being made that there would only be one
>>> of each nickname. Which frankly makes me wonder how any of this
>>> kept running after the renewal.
>>>
>>> For now I'll see what I can do on a copy of the db using python.
>>
>> It is a little strange that there are multiple 'caSigningCert
>> cert-pki-ca' as this is the CA itself. It should be good for 20
>> years and isn't something that the current renewal code handles
>> yet.
>>
>> You probably won't have much luck with python-nss. It can handle
>> reading PKCS#12 files but I don't believe it can write them (access
>> to key material).
>>
>> I'm not sure why certutil didn't do the trick. This should work, if
>> you want to give it another try. I'm assuming that /root/cacert.p12
>> has the latest exported certs, adjust as necessary:
>>
>> # certutil -N -d /tmp/test
>> # pk12util -i /root/cacert.p12 -d /tmp/test
>> # certutil -D -d /tmp/test -n 'nickname'
>>
>> certutil should delete the oldest cert first, it always has for
>> me.
>>
>> rob
>
> Ok folks I managed to clean up the certificate DB so there is only one
> valid certificate for each service. Installation continued past that
> step and then failed shortly thereafter on configuring the ca. So here
> is my new error:
>
> pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
> pkispawn: DEBUG... Error Type: HTTPError
> pkispawn: DEBUG... Error Message: 500 Server Error: Internal Server Error
> pkispawn: DEBUG...   File "/usr/sbin/pkispawn", line 374, in main
>     rv = instance.spawn()
>   File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 128, in spawn
>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 2998, in configure_pki_data
>     response = client.configure(data)
>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
>     r = self.connection.post('/rest/installer/configure', data, headers)
>   File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
>     r.raise_for_status()
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, in raise_for_status
>     raise http_error
>
> 2014-07-30T00:27:48Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqX9SGx' returned non-zero exit status 1
> 2014-07-30T00:27:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-replica-install", line 667, in main
>     CA = cainstance.install_replica_ca(config)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1678, in install_replica_ca
>     subject_base=config.subject_base)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2014-07-30T00:27:48Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
>
> And from the pki-tomcat/ca debug log:
> isSDHostDomainMaster(): Getting domain.xml from CA...
> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML start
> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML: status=0
> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipa.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: Cloning a domain master
> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa.example.com port=443
> [30/Jul/2014:00:27:48][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port
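
Added example, not the thread's or Dogtag's code: the cleanup Erinn and Rob discuss depends on first knowing which nicknames in the NSS database are duplicated. The script parses certutil -L output, counts nicknames, and emits the rehearsal commands Rob suggested for a scratch copy of the database. The listing is constructed; its two caSigningCert cert-pki-ca rows stand in for the duplicate the thread describes, and the PKCS#12 path and scratch directory are Rob's illustrative values. Whether one certutil -D call removes one entry or both is disputed in the thread, so the plan is meant to be run on the scratch copy with certutil -L repeated after each delete rather than trusted blindly.

```python
import re
from collections import Counter

# Constructed `certutil -L -d <dbdir>` output (not pasted from the thread).
CERTUTIL_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# certutil trust strings are three comma-separated groups (SSL, S/MIME, JAR/XPI)
# built from the flags p P c C T u w; a group may be empty.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_certutil_listing(text):
    """Return [(nickname, trust)] from `certutil -L` output, skipping the header rows.

    Nicknames may contain single spaces ('caSigningCert cert-pki-ca'), so the line is
    split once from the right: the last token is the trust string, the rest the nickname.
    """
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue                     # blank line or the single-token 'SSL,S/MIME,JAR/XPI' row
        nickname, trust = parts[0].rstrip(), parts[1]
        if not TRUST_RE.match(trust):
            continue                     # 'Certificate Nickname ... Trust Attributes' row
        entries.append((nickname, trust))
    return entries


def duplicate_nicknames(entries):
    """Nicknames that appear more than once, mapped to their counts."""
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}


def cleanup_plan(p12_path, scratch_dir, nickname, extra_copies):
    """Commands for rehearsing the cleanup on a scratch NSS database, as suggested in the thread:
    create an empty db (certutil -N prompts for a db password), import the PKCS#12 export,
    then delete by nickname once per surplus copy. Re-run `certutil -L` between deletes,
    because the thread disagrees on whether one -D removes one entry or all of them."""
    plan = [["certutil", "-N", "-d", scratch_dir],
            ["pk12util", "-i", p12_path, "-d", scratch_dir]]
    plan.extend(["certutil", "-D", "-d", scratch_dir, "-n", nickname]
                for _ in range(extra_copies))
    return plan


if __name__ == "__main__":
    entries = parse_certutil_listing(CERTUTIL_LISTING)
    for nick, count in sorted(duplicate_nicknames(entries).items()):
        print("%s: %d copies" % (nick, count))
        for cmd in cleanup_plan("/root/cacert.p12", "/tmp/test", nick, count - 1):
            print("  " + " ".join(cmd))
```

Pipe the real listing in (certutil -L -d /etc/pki/pki-tomcat/alias, for a RHEL 7 Dogtag instance) and the duplicate set is the list of nicknames that need a decision before pkispawn or the renewal helpers touch the database.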

Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-30 Thread Nordgren, Bryce L -FS


> We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our
> UNIX infrastructure.  All of our Linux hosts currently have standard and
> consistent UID/GIDs for at least all of our administrative users.  I'm looking
> for advice on how to migrate these users into IPA.
...
> Eventually we plan to configure a kerberos trust with our AD domain where
> we could configure these UID/GIDs via AD's POSIX UID/GID settings.

So if I understand this right, you're planning on two back to back user 
migrations? First is local -> FreeIPA, then eventually FreeIPA -> AD? Are your 
current local users coincidentally the same as your current AD users?

I'm probably a bad example. I centralized authentication for web apps about 
four years ago. I'm adopting FreeIPA because my desktops are every machine for 
itself. I have the same username everywhere, but UIDs/GIDs are uncoordinated. 
More important to me is the fact that my passwords are related to whatever was 
in vogue when I set up the machine, and the machines were set up any time from 
this month to ten years ago. Converting to FreeIPA happened because I started 
thinking of my little domain as a place to manage collections of desktops 
instead of just collections of web applications.

I'm also feverishly trying to setup an isolation layer between myself and AD, 
because my CIO is migrating from an agency directory to a department 
directory, with users migrating in batches not aligned to the projects I 
support. The isolation layer also allows me to continue to form groups composed 
of both AD and FreeIPA users, allows me to supplement or override user 
attributes for the local environment, and (cross-fingers) will allow for NFS 
file sharing with kerberos authenticated principals from more than one realm 
(assuming the Kerberos trust comes thru). Four birds with one stone.

Bryce




This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.



[Freeipa-users] Replica Cert failed to renew ...

2014-07-30 Thread Matt Bryant

All,

Got an issue with an IPA replica in that the certs in /etc/httpd/alias and 
/etc/dirsrv/slapd-IPA-REALM have expired.


Have tried setting the date back before expiry on the replica and doing an 
'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the 
CA master is actually rejecting it since the date hasn't been set back on 
that server.


Error am getting on replica is ...

Request ID '20120719044839':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed 
to execute the HTTP POST transaction.  Peer certificate cannot be 
authenticated with known CA certificates).


Is there any way of forcing a renewal or a manual process for updating 
these certs?


thx & rgds

Matt Bryant

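
Added example, not code from the thread or from certmonger/FreeIPA: a triage of getcert list output that flags tracked requests which have already expired, expire within a warning window, or are not in the healthy MONITORING state, and pulls out the numeric ca-error code (the -504 above) and the NSS database the certificate lives in. The sample listing is constructed around the request ID and error text Matt posted; the second request, the paths, the realm and the hostnames are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed `getcert list` output (not the poster's actual listing).
GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120719044839':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=replica.example.com,O=EXAMPLE.COM
\texpires: 2014-07-19 04:48:39 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120719044915':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=replica.example.com,O=EXAMPLE.COM
\texpires: 2016-07-19 04:49:15 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
CA_ERROR_CODE_RE = re.compile(r":\s*(-?\d+)\s*\(")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
LOCATION_RE = re.compile(r"location='([^']*)'")


def parse_getcert_list(text):
    """One dict of field -> value per tracked request; text before the first request is ignored."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = line.strip().split(":", 1)
        current[key.strip()] = value.strip()
    return requests


def parse_time(value):
    """certmonger prints times as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")


def triage(text, now, warn_days=30):
    """Requests needing attention, each with the reasons and the resubmit command to try."""
    findings = []
    for req in parse_getcert_list(text):
        reasons = []
        if "expires" in req:
            exp = parse_time(req["expires"])
            if exp <= now:
                reasons.append("expired %s" % req["expires"])
            elif exp - now <= timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if req.get("status") != "MONITORING":
            reasons.append("status %s" % req.get("status"))
        m = CA_ERROR_CODE_RE.search(req.get("ca-error", ""))
        if m:
            reasons.append("ca-error %s" % m.group(1))
        if reasons:
            nick = NICKNAME_RE.search(req.get("certificate", ""))
            loc = LOCATION_RE.search(req.get("certificate", ""))
            findings.append({
                "id": req["id"],
                "nickname": nick.group(1) if nick else None,
                "location": loc.group(1) if loc else None,
                "reasons": reasons,
                "resubmit": "ipa-getcert resubmit -i %s" % req["id"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(GETCERT_LIST, datetime.utcnow()):
        print("%s %s in %s: %s" % (f["id"], f["nickname"], f["location"], "; ".join(f["reasons"])))
        print("  " + f["resubmit"])
```

Run it against getcert list on every replica on a schedule; a CA_UNREACHABLE request with a negative libcurl code is the signal to look at the TLS trust between the replica and the CA master before the certificates actually lapse, which is far easier than the clock-rollback recovery described above.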