Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-13 Thread Les Stott


 -Original Message-
 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
 boun...@redhat.com] On Behalf Of Les Stott
 Sent: Saturday, 7 February 2015 9:39 AM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] bug in pki during install of CA replica and
 workaround/solution
 
 
 
  -Original Message-
  From: Endi Sukma Dewata [mailto:edew...@redhat.com]
  Sent: Saturday, 7 February 2015 1:53 AM
  To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen
  Subject: Re: [Freeipa-users] bug in pki during install of CA replica
  and workaround/solution
 
  On 2/6/2015 8:39 AM, Martin Kosek wrote:
   Reinstalling the pki-selinux rpm (found references in some other
   forum
  posts) via yum reinstall pki-selinux is not enough to help.
  
   The solution is as follows:
  
   yum downgrade pki-selinux pki-ca pki-common pki-setup pki-silent
   pki-java-tools pki-symkey pki-util pki-native-tools which takes
   components back to 9.0.3-32 then yum -y update  pki-selinux pki-ca
   pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util
   pki-native-tools then (after cleaning up half installed pki
   components) ipa-ca-install
   /var/lib/ipa/replica-info-sb1sys02.mydomain.gpg
  
   Then, the CA replication completes successfully.
  
   Regards,
  
   Les
  
   I saw this one around, e.g. in:
  
   http://www.redhat.com/archives/freeipa-devel/2014-
  May/msg00507.html
  
   Did you try reinstalling pki-selinux before ipa-server-install?
  
   Endi/Matthew, do we have a bug/fix for this?
  
   Thanks,
   Martin
  
 
  Yes, we have a ticket for this:
  https://fedorahosted.org/pki/ticket/1243
  The default selinux-policy is version 3.7.19-231. It needs to be
  updated to at least version 3.7.19-260.
 
  --
  Endi S. Dewata
 
 I will test this out (update to 3.7.19-260) next week as I've got a few more 
 CA
 replicas to setup.
 

I'm still having issues. Different one this time.

As I had previously worked around the install of CA replicas in my production 
environment as above, I went to set up CA replication in DR (both 
environments are completely separate).

Having made sure I did a yum update for all packages, including selinux-policy, and 
also that all needed modules were loaded in httpd.conf, I proceeded to 
retry installation of CA replication. However, it failed with the following:

Note: sb2sys01.domain.com is the replica I am trying to install

(abbreviated below)

#
Attempting to connect to: sb2sys01.domain.com:9445
Connected.
Posting Query = 
https://sb2sys01.domain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Fri, 13 Feb 2015 08:09:35 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
 
 END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <res/>
  <updateStatus>failure</updateStatus>
  <password/>
  <errorString>The pkcs12 file is not correct.</errorString>
  <size>19</size>
Error in RestoreKeyCertPanel(): updateStatus returns failure
ERROR: ConfigureCA: RestoreKeyCertPanel() failure
ERROR: unable to create CA



In /var/log/pki-ca/catalina.out I see...

CMS Warning: FAILURE: Cannot build CA chain. Error 
java.security.cert.CertificateException: Certificate is not a PKCS #11 
certificate|FAILURE: authz instance DirAclAuthz initialization failed and 
skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

Nothing gets populated in /etc/pki-ca/CS.cfg (based on comparison with a 
working system).

grep DirAclAuthz /etc/pki-ca/CS.cfg
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._000=##
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap._002=##
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.maxConns=15
authz.instance.DirAclAuthz.ldap.minConns=3
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=Internal LDAP Database
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.multipleSuffix.enable=false

The CA cert looks ok to me on the master. It does get copied to the replica in 
/usr/share/ipa/html/ca.crt

I don't see any errors in httpd error or access logs on the master or the 
intended replica.

The 

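Added example (not from this thread or the pki project): a small Python check that parses a CS.cfg of the kind grepped above and lists the LDAP connection properties that are empty or absent, which is the condition behind the "Property internaldb.ldapconn.port missing value" warning in catalina.out. The required-key list and the sample config are assumptions built from the grep output and the error text.

```python
"""Flag empty/missing LDAP connection properties in a pki-ca CS.cfg (added example)."""
from typing import Dict, List

# Constructed sample: the DirAclAuthz lines quoted in the thread, plus an
# internaldb.* block (named by the catalina.out error) left unpopulated.
SAMPLE_CS_CFG = """\
authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.DirAclAuthz.ldap=internaldb
authz.instance.DirAclAuthz.pluginName=DirAclAuthz
authz.instance.DirAclAuthz.ldap._001=## Internal Database
authz.instance.DirAclAuthz.ldap.basedn=
authz.instance.DirAclAuthz.ldap.ldapconn.host=
authz.instance.DirAclAuthz.ldap.ldapconn.port=
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
internaldb.ldapconn.host=
"""

# Assumed set of properties that must be non-empty for the authz plugin to
# reach the internal database; checked under both the instance prefix
# resolved from authz.instance.DirAclAuthz.ldap and the plugin's own prefix.
REQUIRED_SUFFIXES = ("basedn", "ldapconn.host", "ldapconn.port")


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg: one key=value per line; lines starting with '#' are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def missing_ldap_props(props: Dict[str, str]) -> List[str]:
    """Return required LDAP properties that are absent or have an empty value."""
    ldap_ref = props.get("authz.instance.DirAclAuthz.ldap", "internaldb")
    prefixes = (ldap_ref, "authz.instance.DirAclAuthz.ldap")
    return [f"{prefix}.{suffix}"
            for prefix in prefixes
            for suffix in REQUIRED_SUFFIXES
            if not props.get(f"{prefix}.{suffix}")]


if __name__ == "__main__":
    for key in missing_ldap_props(parse_cs_cfg(SAMPLE_CS_CFG)):
        print(f"missing value: {key}")
```

Run it against the real file with `parse_cs_cfg(open("/etc/pki-ca/CS.cfg").read())` to compare a failing replica with a working one.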
Re: [Freeipa-users] chrony support

2015-02-13 Thread Bryan Pearson
Is installing chrony first a requirement, or can it be installed after the
machine has been set up and is running ipa?

Bryan

On Fri, Feb 13, 2015 at 9:01 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/13/2015 01:32 PM, David Kupka wrote:
  Hello Bryan,
  I'm currently working on this. This feature should be available in
 freeipa-4.2.

 Right. Until this is done, you should be anyway able to setup chrony
 yourself
 before running ipa-client-install. It would respect your choice (unless you
 pass --force-ntpd).

 Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] chrony support

2015-02-13 Thread Martin Kosek
On 02/13/2015 01:32 PM, David Kupka wrote:
 Hello Bryan,
 I'm currently working on this. This feature should be available in 
 freeipa-4.2.

Right. Until this is done, you should be anyway able to setup chrony yourself
before running ipa-client-install. It would respect your choice (unless you
pass --force-ntpd).

Martin



Re: [Freeipa-users] chrony support

2015-02-13 Thread Martin Kosek
It is not a requirement, but you would need to stop and disable ntpd first, as
those 2 services would conflict otherwise.

Note that this is still only for clients, servers still require ntpd (subject
to change).

On 02/13/2015 03:18 PM, Bryan Pearson wrote:
 Is installing chrony first a requirement, or can it be installed after the
 machine has been set up and is running ipa?
 
 Bryan
 
 On Fri, Feb 13, 2015 at 9:01 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 02/13/2015 01:32 PM, David Kupka wrote:
 Hello Bryan,
 I'm currently working on this. This feature should be available in
 freeipa-4.2.

 Right. Until this is done, you should be anyway able to setup chrony
 yourself
 before running ipa-client-install. It would respect your choice (unless you
 pass --force-ntpd).

 Martin

 



[Freeipa-users] chrony support

2015-02-13 Thread Bryan Pearson
One of our IPA servers is in a virtualized environment and is continuously
losing time, resulting in invalid credentials and breaking replication.

We are interested in using chrony instead of ntpd; will ipa start up and
use chrony instead of ntp?

Bryan

Re: [Freeipa-users] chrony support

2015-02-13 Thread David Kupka

Hello Bryan,
I'm currently working on this. This feature should be available in 
freeipa-4.2.


--
David Kupka

On 02/13/2015 01:25 PM, Bryan Pearson wrote:

One of our IPA servers is in a virtualized environment and is continuously
losing time, resulting in invalid credentials and breaking replication.

We are interested in using chrony instead of ntpd; will ipa start up and
use chrony instead of ntp?

Bryan




